Monthly Archives - August of 2011
 

Tuesday, August 30, 2011

 
DigiNotar Hacked by Black.Spook and Iranian Hackers Posted by Mikko @ 09:05 GMT

DigiNotar is a Dutch Certificate Authority. They sell SSL certificates.

DigiNotar

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It's likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Such as DigiNotar.

How was DigiNotar breached? We don't know yet.

But here's something we just discovered.

This is a screenshot of the page online right now at https://www.diginotar.nl/Portals/0/Extrance.txt:

DigiNotar

DigiNotar's portal has been hacked. Somebody claiming to be an Iranian Hacker has gained access.

This would look like a smoking gun. Obviously this has to be connected somehow to the rogue certificate.

But if you keep looking, you'll find this page from https://www.diginotar.nl/Portals/0/owned.txt:

DigiNotar

Another Iranian hacker group?

If you keep digging deeper, you'll find that although these web defacements are still live right now, they are not new. Much worse: they were done years ago.

Here's another one, done in May 2009 by Turkish hackers at https://www.diginotar.nl/Portals/0/fat.txt:

DigiNotar

In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope.

 

P.S. The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He has blogged about man-in-the-middle attacks in Iran already in 2010. Here's his blog post from May 2010 (via Google Translate).

hkashfi

P.P.S. More on problems with SSL as a whole in one of our previous blog posts.

P.P.P.S. DigiNotar's public statement on the breach is out now. It raises more questions than answers. DigiNotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while DigiNotar revoked the other rogue certificates, they missed the one issued to Google. Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?

Updated to add: As September 5th, here's the list of known domains that the attacker managed to create fake certificates for:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
friends.walla.co.il
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
twitter.com
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

In addition, the attacker created rogue certificates for these names:

Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
DigiCert Root CA
Equifax Root CA
Equifax Root CA
GlobalSign Root CA
Thawte Root CA
VeriSign Root CA

 
 

 
 
Sunday, August 28, 2011

 
Windows Remote Desktop Worm "Morto" Spreading Posted by Mikko @ 13:23 GMT

We don't see that many Internet worms these days. It's mostly just bots and trojans. But we just found a new Internet worm, and it's spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.

RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.

Morto RDP worm

When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.

Morto RDP worm

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

 admin
 password
 server
 test
 user
 pass
 letmein
 1234qwer
 1q2w3e
 1qaz2wsx
 aaa
 abc123
 abcd1234
 admin123
 111
 123
 369
 1111
 12345
 111111
 123123
 123321
 123456
 654321
 666666
 888888
 1234567
 12345678
 123456789
 1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

We've seen several different samples. Some MD5 hashes include:

 0c5728b3c22276719561049653c71b84
 14284844b9a5aaa680f6be466d71d95b
 58fcbc7c8a5fc89f21393eb4c771131d

More discussion on the topic at Technet forums.

We detect Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

Updated to add: here's a link to our description.

 
 

 
 
Friday, August 26, 2011

 
How We Found the File That Was Used to Hack RSA Posted by Mikko @ 09:29 GMT

RSA was hacked in March. This was one of the biggest hacks in history.

The current theory is that a nation-state wanted to break into Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted e-mail attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

RSA / EMC hack

Already in April, we knew that the attack was launched with a targeted e-mail to EMC employees (EMC owns RSA), and that the e-mail contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.

This bothered Timo Hirvonen. Timo is an analyst in our labs and he was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file — with no luck. Until this week.

Timo wrote a data analysis tool that analyzed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original e-mail that was sent to RSA on the 3rd of March, complete with the attachment 2011 Recruitment plan.xls.

After five months, we finally had the file.

And not only that, we had the original e-mail. Turns out somebody (most likely an EMC/RSA employee) had uploaded the e-mail and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.

RSA / EMC hack
The sample was uploaded on 19th of March as file-1994209_msg

So, what did the e-mail look like? It was an e-mail that was spoofed to look like it was coming from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content:

"I forward this file to you for review. Please open and view it".

The message was sent to one EMC employee and cc'd to three others.

RSA / EMC hack

When opened, this is what the XLS attachment looked like:

RSA / EMC hack

Here's a YouTube video that shows in practice what happens when you open the malicious Excel file.



In this video you can see us opening the e-mail to Outlook and launching the attachment. The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over.

After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.

RSA / EMC hack

Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

The attack e-mail does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems.

So, was this an Advanced attack? The e-mail wasn't advanced. The backdoor they dropped wasn't advanced. But he exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.

Timo will be discussing his research on the topic in detail in the T2 Data Security conference in October in his talk titled
"How RSA Was Breached".

t2.fi

P.S. For those who are still looking for the sample:

MD5 of the MSG file: 1e9777dc70a8c6674342f1796f5f1c49
MD5 of the XLS file: 4031049fe402e8ba587583c08a25221a

 
 

Thursday, August 25, 2011

 
Chinese TV Program Censored Posted by Mikko @ 15:06 GMT

As we expected in our original blog post, it did not take long for the controversial TV program to disappear from CCTV 7's website.

The documentary program "Military Technology: Internet Storm is Coming" is still listed on Channel 7's index page:

CNTV

But when you follow the link, you get nothing:

CNTV

Other TV programs on the site work fine.

The critical snippet of the program can still be seen in our blog post.

Removal of the program by the authorities is only likely to increase the controversy.







 
 

 
 
Facebook to Prevent 3rd-party Apps From Seeing Your Information Via Your Friends? Posted by Sean @ 12:46 GMT

On Tuesday of this week, Facebook announced significant changes to their profile controls and sharing options. The roll out of these changes begins today, August 25th. You'll find an excellent summary of the changes by Jason over on our Safe and Savvy blog.

Meanwhile, we've been busy digging into the details and reading between the lines.

And there's lots of details to consider:

Dig Into the Details

Wait… there's more:

Dig Into the Details

Aha! Now this is interesting (Facebook buried a good lead here…):

Info accessible through your friends

"This setting has been replaced so that instead of just being about your friends, this now prevents anyone you shared something with from re-sharing it with applications."

If we are interpreting this correctly — Facebook will now prevent third-party applications from seeing your information via your friends. This is something that the American Civil Liberties Union (ACLU) took issue with already back in December 2009 (the last time that Facebook made similar changes).

ACLU Blog Of Rights

The ACLU even created an application to demonstrate just how much access applications have via your friends:

ACLU, What Do Quizzes Really Know About You?

And this is the information that is available by default:

Info accessible through your friends

Based on our polling, not many people realize the implications of this privacy setting.

And the only real way to be sure your friend's third-party applications are blocked is to completely disable Facebook's "platform".

Dig Into the Details

Facebook recently began offering refined privacy controls in its Application Settings for what your applications share with your friends. Each individual application's "App privacy" can be adjusted:

App privacy

But based on our reading of these new details, it looks as if Facebook is about to take this one step further and will simply prevent all third-party application access via Friends.

And that would be excellent news.

Still, if you have a Facebook account, don't wait, take the time now to examine your Privacy Settings and adjust the "Info accessible through your friends" in the "Apps, Games, and Websites" section, just to make sure that your settings reflect your personal preferences… before Facebook's changes are applied.

P.S. to the ACLU: You really should consider decommissioning your "Quizzes" application and delete its page.

The application doesn't work properly anymore, and you've allow the page to become overrun by spam.

Dig Into the Details

Regards.

Updated to add on September 5th: Unfortunately, we've now seen the new setting and our interpretation was far too optimistic.

Facebook claims it tries to use simple English… but this is clear as mud.

This is the language of the old setting:

"Info accessible through your friends: Control what information is available to apps and websites when your friends use them."

Here's the language of the new settings:

"How people bring your info to apps they use: People who can see your info can bring it with them when they use apps. Use this setting to control the categories of information people can bring with them."

In other words:

Info accessible through [anyone]: Control what information is available to apps and websites when [anyone] uses them.

It now appears to us that Facebook is doing the exactly the opposite of what we had hoped and is expanding the reach of applications to data mine from your account if Facebook's platform is enabled.

Here's the details from within the setting:

"People on Facebook who can see your info can bring it with them when they use apps. This makes their experience better and more social. Use the settings below to control the categories of information that people can bring with them when they use apps, games and websites."

So, the applications of anyone that can see your info can use it. If you don't want "anyone's" applications accessing your information — make sure that your important info isn't shared with "everyone", and deselect all of the categories from the setting.

Because otherwise… Facebook will share it almost all of it by default to anyone that asks for it.

 
 

 
 
Wednesday, August 24, 2011

 
Windows XP Posted by Mikko @ 06:48 GMT

Let's compare the major computer operating systems at the moment. We have Windows XP, Windows Vista and Windows 7. We have various Linux distributions. And we have Mac OS X.

Of these, obviously Windows XP has the weakest security, by far.

And Windows XP has the biggest market share, too. Globally close to half of all computers still run XP.

And today, Windows XP is ten years old.

Ten years is an eternity in this business. So it's no wonder XP's security architecture is not up to date.

As a result, attackers right now would be stupid to spend their time and money targeting any other operating system. That makes no sense as long as they have this huge, easy low-hanging fruit.

Obviously XP is going away. As we can see from this chart, Windows 7 will pass in XP in the near future and will become the most common operating system.

Operating system market shares (c) Statcounter

And when XP's market share drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on.

The attackers have never had it so good. The easiest target is also the most common target. This can't change quick enough.

Do a good deed today. Uninstall an XP.

 
 

 
 
Tuesday, August 23, 2011

 
Chinese Government Launching Online Attacks Posted by Mikko @ 11:26 GMT

China is often blamed for launching online attacks, but the evidence is almost always circumstantial. Many of the targeted espionage trojans seem to come from China, but we can't actually prove it.

However, some new evidence has just surfaced.

On 17th of July, a military documentary program titled "Military Technology: Internet Storm is Coming" was published on the Government-run TV channel CCTV 7, Millitary and Agriculture (at military.cntv.cn).

The program seems to be a fairly standard 20-minute TV documentary about the potential and risks of cyber warfare. However, while they are speaking about theory, they actually show camera footage of Chinese government systems launching attacks against a U.S. target. This is highly unusual. The most likely explanation is that this footage ended up in the final cut because the editor did not understand the significance of it.

Here's the critical snippet from the program:

China's slip up...

Rough translations of the texts shown in the dialog:

   People's Liberation Army Information Engineering University
   
   Select Attack Destinations
   
   Target IP
   
   List of Falung Gong sites
   
   Falun Dafa in North America
   Falun Dafa website
   Meng Hui website
   Witnesses of Falun Gong website 1
   Witnesses of Falun Gong website 2
   
   ATTACK   CANCEL


The targets listed in the tool are related to Falun Gong or Falun Dafa — a religious organization that is banned in China. In particular, the attack is launched against an IP address, 138.26.72.17, which belongs to a U.S. University. What kind of an attack is launched remains unclear. But already the existence of such software with such targets is breaking news.

The software is credited to have been written in the Information Engineering University of China's People's Liberation Army.

Information Engineering University of China's People's Liberation Army

You can see the segment for yourself by going to http://military.cntv.cn/program/jskj/20110717/100139.shtml and fast-forwarding to around 13 minutes in the video. However, we don't expect the program to stay online for long.

You can read more from Epoch Times. The Epoch Times is a newspaper from New York, published in Chinese and English, and is critical of the Chinese government.

 
 

 
 
Monday, August 22, 2011

 
Did you fall for a 419 scam? Get your money back! Or not. Posted by Mikko @ 13:15 GMT

People that have already fell for one scam are more likely to fall for another. That seems to be the logic behind the latest Nigerian advance-fee fraud scams.

They explain to you that if you've lost money in a Nigerian 419 scam, you can apply for compensation — after paying a suitable fee…

Here's a copy of the scam e-mail:

  From: "Ministry of Foreign Affairs Nigeria" (hr@wdzy.net)
  Subject: Swindled by Nigerian? Apply for compensation now!
  Reply-To: cn.verification@07168.cn
  
  Ministry of Foreign Affairs Federal Republic of Nigeria
  Maputo Street
  off Abidjan Street
  Wuse Zone 3,
  P.M.B. 130, Garki
  Abuja.
  
  Our Ref: FGN/WB/MFA/CitiBank/2011 (1/1)
  
  Dear Sir/Madam
  
  This is to announce to you that the Federal Government of Nigeria supported by the
  World Bank Group and International Monetary Fund (IMF) have allocated $50.000
  each for every scam victims for monetary loss and damages.
  
  The compensation funds were deposited at Citibank Nigeria (CN) and the funds will be
  transferred free of charge by Citibank Nigeria (CN) as instructed by the Federal
  Government of Nigeria so you do not need to pay any transfer fee or tax of any kind
  and the transfer will also be monitored by the Ministry of Foreign Affairs for confirmation
  reasons. The funds have been insured to avoid unnecessary deductions until they get
  to their various destinations.
  
  Take note that we have never held any scam victims compensation program in Nigeria.
  This is the First-Of-Its-Kind. Do not be deceived by anybody, any organization
  or any Ministry!
  
  If you have been scammed send your NAME and ADDRESS for verification to any of the
  two (2) email addresses listed below, the email addresses are set up by Citibank
  Nigeria (CN) for this compensation purpose only:
  
  Email1: cn-verification@07168.cn
  Email2: cn.verification@07168.cn
  
  The means of verification is via Western Union and MoneyGram, if truly you have
  sent money to Nigeria your name will be in their database
  
  Please do not respond to any email which asks you to send your username and password
  for any reason, if you have already done that kindly change your password immediately.
  
  Yours sincerely,
  Mrs. Irewolede Janet Michael
  (Public Relations Officer)
  Oversea Communication Department
  Ministry of Foreign Affairs (MFA), Nigeria.


Don't fall for these scams.

 
 

 
 
Friday, August 19, 2011

 
edocinU edirrevO tfeL ot thgiR gnisU erawlaM Posted by Sean @ 15:06 GMT

According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks have "resurfaced extensively in the past week". Unicode character (U+202E) "reverses" text for languages that are traditionally read from right to left, and it's a feature that can be used to obfuscate file names.

We examined a sample a few days ago.

Here's the archive file viewed in Windows:

log_08.12.2011_P61602.zip

The Windows Compressed Folder view shows us that the extension is ".exe" and that the file type is an Application:

Compressed Folder

But once extracted, the file appears to have an extension of ".doc".

Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.

Changelog_08.12.2011_Prophylexe.doc

Being curious, we decided to test some third-party archive managers.

Here's the malware as viewed in WinZip:

WinZip

Here's WinRAR:

WinRAR

And here's 7-Zip:

7-Zip

Surprisingly to us, 7-Zip doesn't display the file type even though it sorts by type.

In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.

 
 

 
 
Wednesday, August 17, 2011

 
Are you running an old product? Get a free upgrade! Posted by Mikko @ 12:35 GMT

F-Secure Internet Security 2009, published in 2008

F-Secure has a long history in protecting it's customers. As a result, we have customers who have used our products for years and years.

And just like any other software vendor, we have to stop support for old legacy products at some stage.

Thus, we would like to remind our home users and corporate customers that antivirus updates for the F-Secure 8-series products will end on the 1st of January, 2012.

In practice, this means that products such as these will not get new antivirus updates anymore:

  •  F-Secure Internet Security 2009
  •  F-Secure Anti-Virus 2009
  •  F-Secure Client Security 8-series
  •  F-Secure Linux Security 7-series

There are other affected products as well. For a full list of affected consumer products, see here, and for a full list of affected corporate products, see here.

To reiterate: this doesn't just mean that these products are no longer supported (some of them have actually been out of support for quite a while). This means that the actual antivirus update signatures will no longer be shipped for these products.

So upgrade now:

  •  Home users
  •  Business users

There's no reason not to upgrade. The upgrade is free and will continue to work as long as you have a valid license/subscription.

If you are running a product you got through an Operator, the Operator will make sure you're running an up-to-date version.

Here's a link to a discussion thread on the topic in our community site.

 
 

Tuesday, August 16, 2011

 
Mobile Malware To Steal Photos From Your Phone Posted by Mikko @ 13:14 GMT

A good deal of this year's mobile malware is being developed in China. And Chinese mobile malware tends to include stuff such as backdoors, password stealers and spy tools.

Knowing that Chinese malware likes to spy, we've been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmail.

We didn't have to look for long. A member our Threat Research team just found something interesting in a Symbian malware sample.

Photo

Here are our analyst's notes:

The code of Trojan:SymbOS/Spinilog.A includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone's memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.

So while this particular backdoor won't yet steal your photos, it's clear which direction we're headed to.

Here's the file's md5: b346043b4efb1e9834a87dce44d6d433

 
 

 
 
Monday, August 15, 2011

 
Anonymous Ops Britain and BART Posted by Sean @ 15:02 GMT

Here's a new maxim for politicians, policy makers and public administrators: curtail, censor or otherwise limit communications technology in the real-world — expect online reprisals.

Hacker collective Anonymous released a "press release" on Saturday announcing OpBritain, a reaction to UK Prime Minister David Cameron's suggestions that social media should be restricted in a time of crisis.

#OpBritain

And while Anonymous states that actions by rioters were "violent", they have no love for police authority, and so the enemy of my enemy is my friend.

Besides promising online hacks, Anonymous has called for rebellion peaceful real-world protests on October 15th.

Meanwhile in the USA, San Francisco Bay Area Rapid Transit (BART) authorities interrupted phone services at some BART stations on August 11th in a move to prevent protesters from disrupting travelers and creating in their words, "unsafe conditions".

Not surprisingly, or it shouldn't be, Anonymous announced OpBART, complete with its own modified Bartman logo.

#OpBART

And a hack of myBART.org, currently offline, followed in which names, e-mails, and passwords of myBART members where dumped to pastebin.com. OpBART also calls for a real-world peaceful protest at Civic Center station at 17:00 PST (approximately nine hours from now).

Of all places, San Francisco may well be the heartland of the Anonymous collective, so it should be interesting to see just how many people attend the gathering, and how it is reported by the USA and UK press.

If today's OpBART protest turns violent… expect the negative feedback loop to continue.

Updated to add reports from:

Elinor Mills: SF subway closes stations during Anonymous protest
Robert McMillan: Cell Phones Stay On, but Protesters Disrupt SF Subway







 
 

 
 
TED Talk Posted by Mikko @ 09:08 GMT

Video of my TED Talk is now available on TED.COM with subtitles in 14 languages.

Mikko Hypponen TED Talk

The languages are:

  •  Arabic
  •  Chinese
  •  Czech
  •  English
  •  Finnish
  •  French
  •  German
  •  Hindi
  •  Italian
  •  Polish
  •  Portuguese
  •  Romanian
  •  Spanish
  •  Turkish

There are at least 16 more translations underway, including Esperanto, Hebrew, Thai and Farsi.

More resources

CNN Interview about my TED Talk:
http://www.cnn.com/video/#/video/tech/2011/08/05/ted.hypponen.cyber.security.cnn

Questions and Answers on the TED blog:
http://blog.ted.com/2011/08/10/the-dangers-of-online-crime-qa-with-mikko-hypponen/

Ask Me Anything on Reddit:
http://www.reddit.com/r/IAmA/comments/itvu5/my_ted_talk_has_just_been_published_ama/

Commentary from TNW:
http://thenextweb.com/shareables/2011/07/20/mikko-hypponens-brilliant-ted-talk-on-fighting-online-crime/

Our generation will be remembered as the generation that got online.

Mikko

 
 

 
 
Thursday, August 11, 2011

 
I Can Has Update Rollup 1 for Windows XP SP3? Posted by Sean @ 12:12 GMT

Hello Microsoft,

A partner of ours is feeling some pain. He's located in Central Europe and some of his customers have limited hardware budgets, and so… he ends up doing a lot of Windows XP SP3 installations. (Yes, we know, Windows 7 is cool, but the customer is always right, and you have to give them what they want.)

And here's where the pain comes in — Windows/Microsoft Updates.

There's a ton of post-SP3 updates and it takes a great deal of time to install them. It cuts into his productivity, i.e., his profit.

We checked one of our virtual machine test images and it has 157 post-SP3 updates installed, and that's a very base installation (calculator isn't even installed).

Review_your_update_history

Service Pack 3 for Windows XP was basically an "Update Rollup" and we understand that "SP4" is probably not an option (for marketing reasons)…

Windows_XP_software_updates

But perhaps you would consider doing an Update Rollup 1 for Windows XP SP3? It would be very helpful for those that are working to build, configure, and maintain secure systems (within their means).

Windows XP's end of extended support is over two and half years away… and while its installed base is shrinking, we still have lots of customers around the world that use it. Please consider our request. It's a difficult economy at the moment, and small/medium sized business needs all the help you can give.

Thanks for the consideration,
F-Secure Labs

Updated to add: Few things generate comments and debate as does support for Windows XP. Tech journalist Larry Seltzer's comment to this post includes a link to his article: I want my Windows Update Rollup! That article now has more than 50 comments of its own. And among those comments are links to resources that others have found helpful.

Check them out, and join in the discussion. Cheers.

 
 

 
 
Wednesday, August 10, 2011

 
Can Germany's data protection laws forestall facial recognition? Posted by Sean @ 19:40 GMT

Facial recognition technology is a hot topic and this recently caught my attention: German authorities have suggested that Facebook's "facial recognition" feature is illegal. From Deutsche Welle:

Hamburg's data protection official Johannes Caspar claims that the software violates both German and European Union data protection laws and that Facebook users don't know how to delete the data that Facebook is gathering. "If the data were to get into the wrong hands, then someone with a picture taken on a mobile phone could use biometrics to compare the pictures and make an identification," Caspar told the Hamburger Abendblatt. "The right to anonymity is in danger."

The legal keyword appears to be "biometrics".

According to Caspar:

"A normal user doesn't know how to delete the biometric data. And besides, we have demanded that biometric data be stored with the subject's express consent."

Another keyword appears to be "stored" (though… Deutsche Welle's article also states that no data can be "collected" without consent). Collected or stored biometric data, which is it?

Is on the fly facial recognition analysis legal if the data isn't retained or stored after it's used?

In any case, having several self-tagged Wall photos, I decided to test the feature with my own personal Facebook account. (Existing tagged photos is a prerequisite, even if the user hasn't opted-out. No tagged photos, no biometric data will exist.)

Sean Sullivan

First, I re-enabled my "Suggest photos of me to friends" option in Facebook's privacy settings.

And then I uploaded a photo:

Faces

While Facebook's photo upload service "detected" two faces, neither of them were "recognized" and no tag suggestions where offered. So it would appear that there's no hidden biometric "faceprint" of me in Facebook's databases. Either none was collected between the time when the feature was introduced and I opted-out, or else they deleted what was stored after I disabled the feature.

I ask myself, is Facebook's biometric data really such a big deal?

Google Images recently released reverse image search. That feature is much more likely to be used in future photo comparisons than any Facebook data that falls "into the wrong hands". If you have an iPhone/Android device, try Google Goggles and then imagine the Google+ possibilities.

Then there's current camera technology to consider. My Canon S90 does a very decent job of detecting faces on its own. If a face is detected, the photo's EXIF metadata includes "SceneCaptureType – Portrait" and the faces are tagged.

Canon S90 Portait
Face Face

And that's just a start. Some vendors, such as Samsung, have "Smart Face Recognition", as demonstrated in this video from April 2009. It's not a far leap at all before our cameras are detecting, recognizing, and tagging faces in our photos at the moment they're taken. And that includes camera phones: Apple reportedly plans to include facial recognition features in iOS 5.

Mr. Caspar may indeed have legitimate concerns regarding Facebook's current biometric practices. But what happens if (when) it's no longer a matter of analysis? If consumers upload photos that contain facial tags, can Facebook then make the suggestion?

It should be noted that Facebook currently strips EXIF metadata from uploaded images. (Kudos.)

Germany (and the EU) has excellent data protection laws. But the law itself cannot hope to forestall the issue of facial recognition forever. The technology exists and policy makers need to address the issue and seek solutions as if biometric data is already freely available.

Because even if legitimate companies can be successfully regulated from storing this type of data, criminals won't be so restrained. Computing power is cheap, and getting cheaper. The worst case scenario could be unregulated black market search engines providing facial recognition services as a service.

It wouldn't be the first time such a business model developed.

Be seeing you,
Sean

See also:

Kashmir HillIf Everyone’s A Celebrity In The Internet Age, Shouldn’t We Expect To Be Recognized By Face?
Alessandro AcquistiFaces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be

 
 

 
 
Tuesday, August 9, 2011

 
TeaMp0isoN Hacks RIM Blog Posted by Sean @ 15:34 GMT

There's social unrest underway in the UK and communities are bracing for a fourth night of looting and riots.

The "viral civil unrest" has been spreading for several days now, and reportedly, RIM's BlackBerry Messager (BBM) is one of the viral components would-be anarchists have used to organize themselves. As a result, RIM made a public statement that it would assist the UK authorities. And what happened next was rather predictable (at least to us).

TeaMp0isoN, a hacktivist group targeted The Official BlackBerry Blog.

blogs.blackberry.com/teamp0ison
Higher resolution

Here's the text:

This hack is a response to this statement by RIM:

“We feel for those impacted by this weekend’s riots in London. We have engaged with the authorities to assist in any way we can. As in all markets around the world Where BlackBerry is available, we cooperate with local telecommunications operators, law enforcement and regulatory officials. Similar to other technology providers in the UK we comply with The Regulation of Investigatory Powers Act and co-operate fully with the Home Office and UK police forces.”

Dear Rim;
You Will _NOT_ assist the UK Police because if u do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason at all, the Police are looking to arrest as many people as possible to save themselves from embarrassment…. if you do assist the police by giving them chat logs, gps locations, customer information & access to peoples BlackBerryMessengers you will regret it, we have access to your database which includes your employees information; e.g – Addresses, Names, Phone Numbers etc. – now if u assist the police, we _WILL_ make this information public and pass it onto rioters…. do you really want a bunch of angry youths on your employees doorsteps? Think about it…. and don’t think that the police will protect your employees, the police can’t protect themselves let alone protect others….. if you make the wrong choice your database will be made public, save yourself the embarrassment and make the right choice. don’t be a puppet..

p.s – we do not condone in innocent people being attacked in these riots nor do we condone in small businesses being looted, but we are all for the rioters that are engaging in attacks on the police and government…. and before anyone says “the blackberry employees are innocent” no they are not! They are the ones that would be assisting the police

- TriCk – TeaMp0isoN -
- Greets To: iN^SaNe – Hex00010 – MLT – BlackHacker


Par for the course, Twitter was used to broadcast details of the hack.

http://twitter.com/teaMp0isoN_

After some attempts to remove the post, RIM eventually took the blog offline.

blogs.blackberry.com 503

 
 

 
 
Monday, August 8, 2011

 
Fight Cybercrime, But Keep The Net Free Posted by Mikko @ 11:24 GMT

By Mikko Hypponen, Special to CNN
August 7, 2011


(CNN) -- Geography used to matter in crime.

In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.

Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who are making millions with their attacks. These criminals want access to your computer, your Paypal passwords and your credit card numbers.

Criminal online gangs recruit people with high level computing skills but no job opportunities in the real-world economy. There is now a global market for sinister crimeware -- viruses, worms, trojans, spyware -- that is produced and sold on underground market sites on the Web.

The international community has failed to address the real nature and extent of the problem. National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.

We are sending the wrong message to the criminals and that's why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.

If a gunman walks into a bank and demands cash, the police are ready to leap into action. If international borders are crossed during such a crime, the international police agencies become involved. If the gunman is caught, there is always a trial and the bank will push the prosecutor for the maximum penalties possible.

This is not the case with online crime. Virtual gunmen are free to roam with almost nobody to stop them. Online crime is always international but local police authorities usually only have their local resources to conduct the investigation. Online crime is easier to carry out than "offline" crime and costs less to get started.

Computer security companies are doing their best to protect their customers' computers but little can be done directly by non-governmental organizations to fight the criminals at the heart of the matter. Anti-virus companies are not law enforcement, nor should they be. Tackling online crime requires a serious investment of resources on the international level and expert law enforcement agencies need to follow criminals into the online world.

Traditionally, international law enforcement has focused on large international crimes such as drug trafficking or smuggling. Countries involved in investigations like these can easily see the value of catching such criminals.

However, online crime is typically composed of small individual crimes. The attackers don't hack the bank, they hack the bank's customers. One victim might have only lost few hundred dollars from his bank account. Starting an international investigation looks like an overkill and thus getting international cooperation might be difficult. The problem is, of course, that there is more than one victim. A banking trojan botnet might steal money from tens of thousands of people at the same time.

What we need is an international police force with the enforcement power to really target the organized crime that operates on the net. It would investigate the top of the crimeware food chain and track down the people who are running the online crime syndicates. Each member country would be required to co-operate with others, regardless of the apparent size of the crime.

Of course, establishing such a new force would mean a number of legal challenges. For example, malicious code is often created in countries where it is not even illegal or where the perpetrators are not prosecuted.

In my opinion, such an agency should focus only on fighting international malware crime gangs. If it would try to extend to other areas, such as fighting pirates or hactivists, things would get much more complicated. Nobody wants banking trojan gangs around, and we should focus on this problem. The last thing I'd want is some sort of a net police that would try to restrict the freedom of the net. This very freedom is the reason Internet has become as useful as it is.

But we need to take action now. If we don't, online crime will continue to grow stronger and we might risk losing all the great benefits the net has brought to us. Our generation is the first generation that got online. We should make sure this resource will stay around for future generations.

This column was first published on CNN.com

Mikko Hypponen on CNN cover page

CNN interview with Mikko

 
 

 
 
Saturday, August 6, 2011

 
Black Hat USA 2011 Posted by Mikko @ 03:48 GMT

It's the week of Black Hat and DEF CON and thousands of computer security experts have gathered to Las Vegas.

Black Hat 2011 DEF CON 2011

Hot topics this year include Siemens PLC security, revamping the SSL model and Mac laptop batteries.

Black Hat 2011 DEF CON 2011

Black Hat 2011 DEF CON 2011

Black Hat 2011 DEF CON 2011
Mikko keynoting in DEF CON 19

One talk which was highly anticipated was Riley Hassell's and Shane Macauley's "Hacking Android". For mysterious reasons both speakers never showed up for their own talk, leading to wild conspiracy theories on why this might have happened.

However, from antivirus point of view, the most interesting talk was Tavis Ormandy's talk titled "Sophail".

In the summer of 2010, Tavis Ormandy found a zero-day vulnerability from Windows Help and Support Center. Five days after informing Microsoft of the vulnerability, and before Microsoft had shipped a patch for it, Tavis publicly released proof-of-concept code. Days later, unknown malware authors integrated this code into drive-by-download exploits, which went on to infect tens of thousands of computers around the world.

Sophos experts vocally criticized Tavis for his action, and even nicknamed the patch that eventually followed to "Patch Tavis".

Fast forward to summer of 2011, and Tavis Ormandy released "A critical analysis of Sophos Anti-virus" in Black Hat.

Black Hat 2011 DEF CON 2011

In his highly unusual talk, Tavis explained that he had reverse engineered the Sophos antivirus engine and released tools to decrypt the protection systems of Sophos detection databases.

Shifting gears, it's good to note that connecting to a wireless network during DEF CON is really not recommended. There are simply too many hackers playing with the networks to make them safe. Even the official program pamphlet wishes you "good luck" in connecting to the party network. This is nicely illustrated by just looking at the list Wi-Fi hotspots that were available in the DEF CON hotel:

def con wifi

Signing off,
—BO

Black Hat 2011 DEF CON 2011

 
 

 
 
Friday, August 5, 2011

 
Gizmodo: Mikko's Brain Posted by Sean @ 17:15 GMT

Why do hackers hack?

Our Mikko Hypponen sat down with Gizmodo's Mat Honan earlier this week to discuss that question.

Mikko's Brain
Mikko's (copy of) Brain

Gizmodo:

Why do hackers hack? Why create a worm that sends out an email to everyone in your contact list, or a Trojan that deletes your term papers? Is it mischief, malice, money, or something else entirely?

This is the question that was on my mind when I met with Mikko Hypponen, a legendary computer security heavyweight who has been hunting viruses for 25 years—since Brain.a, the first PC computer virus.


Read more: Why Hackers Write Computer Viruses

 
 

 
 
Tuesday, August 2, 2011

 
Found: Bitcoin Mining Bot That is Controlled Via Twitter Posted by Mikko @ 13:24 GMT

Bitcoin is an electronic currency which is not tied in value to any other currencies. You can convert other currencies (like US dollars) to Bitcoins, or you can mine new Bitcoins by completing complex mathematical tasks.

This creates an incentive for botnet masters to use other people's computers to mine bitcoins for them. And we've seen a some examples of botnets that try to do this.

But now we've found a bot that uses Twitter as the control channel.

The bots are created with a generator. Generator sets a specific Twitter account to be the one which can be used to control the mining botnet.

SEKURITY TWEMINER

The commands follow a simple syntax.

SEKURITY TWEMINER

We detect bots generated with this generator as Trojan.Generic.KD.

 
 

 
 
Monday, August 1, 2011

 
Trojan:BASH/QHost.WB Posted by ThreatSolutions @ 03:17 GMT

We've come across a fake FlashPlayer.pkg installer (MD5: 1fc90b8f532028805d167b2b0ac9ce11) for Mac:

Install FlashPlayer

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.

As an example, this is what Google.com.tw looks like on a normal, uninfected system:

clean google.tw

In contrast, this is what Google.com.tw looks like on an infected system:

infected google.tw

When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here's a search request on the real Google.com.tw site on a clean system:

google.tw clean searches

And here's the same request on an infected system:

google.tw infected system searches

Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:

google.tw infected system search source

At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server returning fake search requests appears to be still active.

We detect this trojan as Trojan:BASH/QHost.WB.

Analysis by — Brod

—————

Corrected on August 9th: The MD5 for the installer is as above; the previous MD5 cited (2ee750f19f2cb43968af78b0dd0be541) is for the BASH file in the PKG.

Updated to add on August 8th: The sample's MD5.