Scammers Scam Gmail Scam Filters

This amused me. A scam message got through Gmail’s eagle-eyed scam filters telling me to update my account details. That’s not unusual. But was it because the scammers added their own assurance that they had already done the filtering?

image

It says:

**************************************************************************
This footnote confirms that this email message has been scanned by New Google Mail-SeCure for the presence of malicious code, vandals & computer viruses.
**************************************************************************

Well that’s alright then.

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how the Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the look out for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) are put together. Once they’re compiled, these PLCs are uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering unchartered territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

The Trojan That Never Was

image

How not to handle a PR debacle, Part 767:

Avast, the free antivirus I’ve been using, and recommending, for while, has lost my confidence by a double whammy: mis-identifying pretty much every executable on my computer as a Trojan, and then not telling me about it.

Apparently an update to the software will misidentify a lot of files as containing the Trojan Win32:Delf-MZG, suggesting you do a boot scan to clear out infections. Do so, and you’ll likely find that Avast will be deleting a lot of major program files, including those in the Windows directory.

This is bad, because these are what are called false positives—i.e. not infected. An update to the Avast virus database created the error—and has, apparently, since been corrected with a further update. But not before hundreds, maybe thousands, of users, did what I did: boot scan and religiously delete
“infected” files.

You won’t, at the moment, know any of this from Avast.

Their blog hasn’t been updated since November 30. There’s nothing on their home page to suggest there’s a problem: the website lists the latest update and doesn’t indicate there’s been a problem.

But do a Google or twitter search and you get a sense of the frustration:

Twitter is throwing up a tweet every couple of minutes:

image

Yahoo! Answers is exhibiting similar frustrations. Even Avast’s own forums are lively with confusion.

The point here is that everyone makes mistakes. But Avast don’t seem to have helped their users to avoid panic by not only correcting the problem but in trying to ensure that their users find out about it easily and quickly.

This is not excusable in this era of the real time web. Twitter is the obvious choice, but there’s no sign of Avast on its official twitter feed since November 30. (see screenshot above.) Avast should be using all channels to reach its users.

Antirvirus is just an extreme example—it’s an industry that is used to updating its product on the fly. But security is also about informing its users—and Avast, sadly, is not much different from most companies that think they can brush over glitches and pretend they never happened.

A mea culpa is in order, and a promise that this isn’t going to happen. Crying wolf on viral infections is not a good security procedure.

Virus Grounds French Fighters

Here’s more evidence of how vulnerable armed forces are to software attacks, intended or not. The French navy’s fighter jets “were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand,” according to the Telegraph:

However, the French navy admitted that during the time it took to eradicate the virus, it had to return to more traditional forms of communication: telephone, fax and post.

Naval officials said the “infection”‘ was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.

Last month, you may recall, a virus closed down the British Ministry of Defence.

French fighter planes grounded by computer virus – Telegraph

The Hazards of Recommending

image

Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news covering the alleged incident.

(Apparently this piece mentions this fact but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? Why was this information removed from the story or comments?)

image

What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

“On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. … IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. … The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle.”

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

Virus Hits British Defences

image

I wrote a couple of weeks ago about how KL’s airport information system had been infected by a virus. I shouldn’t have gotten so het up. Turns out that the UK’s air force and navy have bigger problems.

ITV News reported on Friday that the Ministry of Defence’s computer network has been shut down “because of a mysterious virus that is causing wholesale disruption of MoD sites.” Among those affected were Royal Navy ships including the Ark Royal and RAF [Royal Air Force] bases including Brize Norton.

The Register quotes a statement from the “MoD that [s]ince 6 Jan 09 the performance of the MOD IT systems in a number of areas was affected by a virus.” The Register says “no command or operational systems had been affected, though many of these are based on similar hardware. Spokespersons also stated that “no classified or personal data has been or will be at risk of compromise” due to “pre-existing security measures”.”

This is less than a month after the Royal Navy announced it had switched its nuclear submarines to a “customized Microsoft Windows system” dubbed, snappily, Submarine Command System Next Generation (SMCS NG).

In 1998 the USS Yorktown was “dead in the water” for about two and a half hours after a glitch in its new Smart Ship system, which used off-the-shelf PCs to automate tasks sailors traditionally did manually. The mishap sunk the Smart Ship initiative, which was quietly dropped a couple of years later.

A report in Portsmouth Today said the virus had affected 75% of the navy’s ships, preventing sailors from sending email and performing tasks (like finding out how many sailors are joining the ship at its next port of call). A blog on the Ministry of Defence’s website denied a report in The Sunday Times that ‘all email traffic from a number of RAF stations has been sent to a Russian internet server’ as a result of a ‘worm virus that entered MOD systems 12 days ago’. (The report makes it appear like it was a Russian attack, which is unlikely. But I’m not sure how the MoD can be so sure that emails were not diverted in that way.)

Neither do I know how they can be sure that it wasn’t a targeted attack. As Graham Cluley of Sophos points out, it’s more likely it was human error. But aside from the issues that raises—just how many MoD computers are hooked up to the Internet, and how smart is this? What kind of antivirus software do they have installed on the computers that are?—I would prefer the MoD not to jump to the conclusion that it’s not a targeted attack.

The reason? We need to stop thinking about cyberwar and malware as two different things. Governments rarely launch cyberattacks. But individuals and gangs do—and they usually do it for a mix of nationalistic and commercial motives. This case probably is just a screw-up. But it’s foolish to discount the notion that the information that may have been gleaned—accidentally, perhaps—would prove of value to a government or an agency.

(Image above is the result of my trying to search the Royal Navy website for the word “virus”. )

Articles | MoD computers attacked by virus – ITV News

KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows Microsoft patched back in October. The worm, according to Symantec, does a number of things, creating an http server on the compromised computer, deletes restore points, downloads other file and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluely says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption.. but I think this is just the most “visible” sign of what may be a more widespread infection inside the airport.  I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Updater Fever

image

I sometimes wonder what software companies—Apple, Google, Microsoft, Yahoo!, they’re all the same—want from their customers.

I spend enough time with novice users to know how confusing using computer software can be. Especially online: It’s a scary world out there (they’re right to be scared) but these companies, which should know better, make it more so. By trying to hoodwink into using their products they are undermining users’ confidence in using computers in the first place. If they keep on doing this, expect more people to use computers less—and certainly to install less software, or experiment in any way online or off.

Take what just happened. I use Windows Live Writer to blog: it’s an excellent program, by far the best things Microsoft has done in years, and today it prompted me that an update was available. I duly clicked on the link to download the Writer beta installer:

image

Only, of course, it wasn’t the installer but The Installer From Hell:

image

Prechecked are six programs, none of which I have on my computer right now. There’s no single button to uncheck those boxes, and most novice users may not even know they can (note the confusing text above it: “Click each program name for details” and “Choose the programs you want to install”—nothing to explain to novices that these choices have already been made for you, and how to unchoose them.)

It’s not as if Microsoft is trying to sell us smack. This is free software. But it’s very damaging in ways only someone who spends time with real people can understand. Even when the software is installed for example, you get this last little twist of the Knife of Befuddlement:

image

This might not seem like much, but if you’re an ordinary user, finding your home page all different and your search engine altered to something else can be as disorienting as coming home to find someone’s moved your furniture and the cooker is now in the bathroom. Well, not quite that much, but you get the idea.

Of course Microsoft’s not alone in this. Even Google’s been playing the game, and Yahoo! tries to bundle the toolbar in with pretty much every piece of software that’s ever been downloaded–which also alters the homepage, and default search engine, and probably moves the fridge around as well.

The problem is that the more these companies try to fool us, the easier it is for real scammers to scam us—because what they both do starts to look very similar.

Take this scam that I came across this morning. A splog (spam blog—a fake blog) had used some of my material so when I tried to access the page to find out why, I instead got this believable looking popup

sc565

This without me doing anything other than clicking on a link to a blog. A graphic in the background appeared to be checking the computer for viruses, and of course this window is nigh on impossible to get rid of. Try clicking on the red cross and you get this:

sc566

Try to get rid of that and you get this:

sc567

And then this:

sc568

It’s obviously a scam (it’s adware), but it’s darned hard to get rid of. And to the ordinary user (by which I mean someone who has a real life, and therefore doesn’t see this kind of thing as intrinsically interesting) there’s no real difference between the trickery perpetrated by these grammatically challenged scammers, and the likes of Microsoft et al, who try to inveigle their software and homepage/search engine preferences into your computer.

Either way, the ordinary user is eventually going to tire of the whole thing and say “enough!” and go out fishing or, if it’s that time of year, wassailing.

Let’s try to avoid that.

(And yes, the latest version Live Writer is good, though don’t use the spellchecker. Just a shame that it’s made by Microsoft.)

links for 2008-09-15

Anti-virus Vendor, Er, Hacked. Serves Up, Er, Viruses

The Japanese arm of antivirus vendor Trend Micro has announced its website had been hacked and its pages modified to service up viruses. In other words, if someone had visited their website chances are they’d have picked up a virus.

Not the sort of thing you expect from an antivirus manufacturer, and they’re not being very forthcoming about it, either. While the company has announced that some of their website pages are found to be modified from March 9th to 12th, this is so far only in Japanese, according to asiajin. And that was yesterday. Nothing on their U.S. website yet.

Gen Kanai suggests it was because the company is using Windows 2000, and rips into TrendMicro both for the length of the breach and the lack of transparency: “If a security services/software firm can’t keep their own web servers secured, and left their own hacked website up for 3 days, there’s no logical reason to expect that their own security services are any better.”

Not very reassuring. I’ve often recommended HouseCall but until this is sorted out and Trend Micro comes clean about this, I’m steering clear.