McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).
McAfee Labs found almost three times as many samples of Koobface as were seen in
These ecrime meetings are always interesting and useful. -jsq
Press release of 29 March:
Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27
CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.
CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.
CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.
Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.
Key presentations will include:
However, in Figure 17 on page 25 they’ve got “Cyber attacks” as an origin risk, along with “Massive incident of data fraud or theft” and “Massive digital misinformation.” I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.
Interesting comment on page 26:
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider. The Pakistani incident is illustrated in the accompanying story and video by RIPE.
A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.
In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.
In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.
This problem has been known for a long time. Why hasn’t it been fixed?
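To make the mechanism concrete, here is a small Python model, added here and not taken from the original post or from RIPE’s writeup, of how a transit router chooses between overlapping announcements and how an origin check at the upstream would have stopped the leaked route. The AS numbers and prefixes are reserved documentation values standing in for the real ones, which the page does not give; the “best route” is modelled as a more-specific prefix, which is the usual way such a leak wins under longest-prefix matching; and the authorization table is a hypothetical stand-in for an operator prefix-list or RPKI ROA set.

```python
import ipaddress

# Constructed example: a minimal model of route selection at a transit
# router plus the origin check that would reject a leaked announcement.

# Reserved documentation values (RFC 5398 / RFC 5737) stand in for the real
# networks and AS numbers, which the page does not give.
CONTENT_AS = 64500      # hypothetical: the video site's network
CUSTOMER_AS = 64501     # hypothetical: the ISP that black-holed the site
CONTENT_PREFIX = "203.0.113.0/24"

# Hypothetical register of which AS may originate which prefixes; in
# practice this is an operator prefix-list or an RPKI ROA set.
AUTHORIZED_ORIGINS = {
    CONTENT_AS: [ipaddress.ip_network(CONTENT_PREFIX)],
    CUSTOMER_AS: [ipaddress.ip_network("192.0.2.0/24")],
}


class TransitRouter:
    def __init__(self, validate_origin):
        self.validate_origin = validate_origin
        self.rib = []        # (network, origin AS, next hop) for accepted routes
        self.rejected = []   # announcements dropped by the origin check

    def receive(self, prefix, origin_as, next_hop):
        """Accept an announcement into the routing table, unless origin
        validation is on and the origin AS is not entitled to that prefix."""
        net = ipaddress.ip_network(prefix)
        allowed = AUTHORIZED_ORIGINS.get(origin_as, [])
        if self.validate_origin and not any(net.subnet_of(ok) for ok in allowed):
            self.rejected.append((net, origin_as))
            return False
        self.rib.append((net, origin_as, next_hop))
        return True

    def next_hop_for(self, address):
        """Longest-prefix match: the most specific announcement wins, which is
        why a /25 carved out of the /24 pulls traffic away from the real origin."""
        ip = ipaddress.ip_address(address)
        matches = [r for r in self.rib if ip in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[2]


def where_does_traffic_go(validate_origin):
    """Replay the incident with or without origin validation at the upstream
    and report which link traffic for the content site is forwarded on."""
    router = TransitRouter(validate_origin)
    # legitimate route learned from a peer
    router.receive(CONTENT_PREFIX, CONTENT_AS, "peer-link")
    # the customer's internal black-hole route, leaked to its upstream with
    # the customer itself as origin
    router.receive("203.0.113.0/25", CUSTOMER_AS, "customer-link")
    return router.next_hop_for("203.0.113.10")


if __name__ == "__main__":
    print("no filtering:", where_does_traffic_go(False))     # customer-link
    print("with origin check:", where_does_traffic_go(True))  # peer-link
```

Without the check the upstream forwards the content site’s traffic down the customer link, exactly the propagation the post describes; with it, the leaked /25 never enters the table and the peer route stays in use. The same check is what an operator prefix-list on a customer session, or RPKI origin validation, performs in production.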
When you take down a phishing domain or server, don’t just take it off the net: redirect it to this education page so victims of phishing can learn in the act of being suckered by a phisher that they should be more careful what they click on.
As someone in the audience pointed out, whatever you do don’t redirect phishing pages back to the actual sites being phished, i.e., if the phisher was pretending to be a bank, don’t take down the phisher’s redirect and replace it with a redirect to the bank itself. That just teaches people the wrong thing, to follow a bad link.
Instead, link to the APWG/CMU landing page. Which could use a catchier name (how about Phishing: Fail!), but it’s already a really good service.
Throwing money at the issue of phishing actually works. MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.
MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:
Education is just as important as technical measures. What works on MySpace will work on other social network sites.
But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.
Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.
Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.
Russia: Second biggest global source of spam. Ecrime economy is ten times the size of the anti-ecrime industry, and that’s a problem.
Brazil: Most phishing is done locally. It’s all organized crime.
I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with the miscreants.
The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions. Now on the one hand, I think EV SSL is color-coded checklist security candy:
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.
Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.
— PayPal Plans to Ban Unsafe Browsers, by Ryan Naraine, eWeek.com, 2008-04-17
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft. The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:
— Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008
One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back. But the best part is what it took to get the state to fix it:
The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.
— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15
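The failure described above, executing whatever text arrives in a request and rendering the result, next to the two controls that prevent it, as a Python example added here (not code from the Oklahoma site or from The Daily WTF). It assumes the executed input was a database query, which the page implies but does not state outright, uses a constructed SQLite database with made-up records, and uses SQLite’s authorizer hook as a stand-in for the read-only database role a real deployment would grant the web tier.

```python
import sqlite3

# Constructed demo database, not the Oklahoma system: one table the public
# site is meant to serve and one it must never expose.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE public_records (id INTEGER, name TEXT, city TEXT);
        CREATE TABLE residents (id INTEGER, name TEXT, ssn TEXT);
        INSERT INTO public_records VALUES (1, 'A. Example', 'Tulsa');
        INSERT INTO residents VALUES (1, 'A. Example', '000-00-0000');
        INSERT INTO residents VALUES (2, 'B. Example', '000-00-0001');
    """)
    return conn


def run_request_unsafe(conn, request_param):
    """The anti-pattern the page describes: text that arrived in the request
    is handed straight to the database and whatever comes back is displayed."""
    try:
        return conn.execute(request_param).fetchall()
    except sqlite3.DatabaseError as exc:
        return "refused: %s" % exc


PUBLIC_QUERY = "SELECT name, city FROM public_records WHERE name = ?"


def run_request_safe(conn, name):
    """Fixed statement with a bound parameter: the request supplies data,
    never SQL, so it can only ever select rows from the intended table."""
    return conn.execute(PUBLIC_QUERY, (name,)).fetchall()


def restrict_to_public(conn):
    """Defence in depth: the account the web tier uses should only be able to
    read the public table. SQLite has no GRANT, so its authorizer hook stands
    in for that database role here (assumption for the demo)."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "public_records":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def demo():
    conn = build_db()
    # 1. executing the request text directly exposes every table
    leaked = run_request_unsafe(conn, "SELECT ssn FROM residents")
    # 2. the parameterised query treats the same text as a name to look up
    safe_hit = run_request_safe(conn, "A. Example")
    safe_miss = run_request_safe(conn, "SELECT ssn FROM residents")
    # 3. even the unsafe code path cannot reach residents once the
    #    connection is limited to the public table
    restrict_to_public(conn)
    refused = run_request_unsafe(conn, "SELECT ssn FROM residents")
    return leaked, safe_hit, safe_miss, refused


if __name__ == "__main__":
    for label, value in zip(("leaked", "safe_hit", "safe_miss", "refused"), demo()):
        print(label, value)
```

The first control is the one the quoted article calls for: never let input become code. The second is what limits the damage when someone forgets the first, and is the cheaper one to audit, since it is a property of the database account rather than of every request handler.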