More computer crime anatomy

So a while ago, I posted extensively about an underground network of computer virus distributors that I’d uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.

It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.

I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It’s quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.

In the past couple of weeks, I’ve noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I’ve spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.
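One defensive check that follows from this, as an added example that is not part of the original post: WordPress records its version in wp-includes/version.php (a line of the form `$wp_version = '2.3.3';`), so an administrator hosting several blogs can walk the web roots and flag any install older than the 2.5 floor the post recommends. The directory tree below is a constructed fixture; the file path and the comparison floor are the only things assumed.

```python
"""Flag WordPress installs older than 2.5 by reading wp-includes/version.php.
Added example (not from the original post); the sample tree is constructed."""
import os
import re
import tempfile

MIN_SAFE = (2, 5)  # the floor the post recommends
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text):
    """Extract the $wp_version string from version.php; None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(ver):
    """'2.3.3' -> (2, 3, 3); a suffix such as '2.5-RC1' keeps only the digits."""
    parts = []
    for piece in ver.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_outdated(ver, minimum=MIN_SAFE):
    """True when the parsed version sorts below the minimum (tuple compare)."""
    return version_tuple(ver) < minimum


def scan_webroots(base):
    """Return {site: version} for each install under base that is below MIN_SAFE."""
    outdated = {}
    for root, _dirs, files in os.walk(base):
        if os.path.basename(root) == "wp-includes" and "version.php" in files:
            path = os.path.join(root, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                ver = parse_version(fh.read())
            site = os.path.relpath(os.path.dirname(root), base)
            if ver and is_outdated(ver):
                outdated[site] = ver
    return outdated


def build_sample_tree(base):
    """Constructed fixture: one stale blog, one current one."""
    for site, ver in (("oldblog", "2.3.3"), ("newblog", "2.5.1")):
        inc = os.path.join(base, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write(f"<?php\n$wp_version = '{ver}';\n")


def demo():
    """Build the fixture in a temp dir and return the outdated installs found."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan_webroots(base)


if __name__ == "__main__":
    for site, ver in demo().items():
        print(f"{site}: WordPress {ver} is older than 2.5, update it")
```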

The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what’s going on in the seamy computer underground, and a new map of the computer distribution network:

Clicky the link! (We are going to get technical here)

Security is hard…

So I’m a regular reader of, and contributor to, the MacFixIt forums, technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.

MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?

Err…

The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.

Now, let’s think about that for a second.

A large, busy Web site–a Web site dedicated to, among other things, information about computer security updates–is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.

Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities1, and parameter inclusion vulnerabilities.

Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.

Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.

The current version, just for the record, is 7.2.

So I fired off an email to the administrator of the MacFixit forums, and for the last day and a half the forums have been “down for maintenance.”

D’oh.

Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?


1 And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.

Including you, Microsoft.

Some thoughts on computer security and credulity

So recently Business Week magazine ran an article about keylogger software being used in espionage. Essentially, defense contractors are being tricked into infecting their computers with keylogger malware, sent in targeted emails that appear to come from the Pentagon and other governmental sources.

The thing I find interesting about this, and also about things like the Storm and Kraken worms, is that they don’t take advantage of security flaws or vulnerabilities. They don’t attack holes in a computer’s operating system or applications, and they don’t rely on technical exploits of programming errors. These attacks all rely on tricking the victim into deliberately, intentionally infecting himself.

For that reason, I don’t think there’s a technological solution. The solution to a human gullibility problem isn’t in better programming or more elaborate firewalls; it’s in user education. No matter how sophisticated and bulletproof a security system is, there’s no defense against a person who deliberately chooses to permit someone through it.

But when it comes to the Intertubes, folks don’t get that.


If we had a situation where a criminal walked into a bank and, without weapons or violence, tricked a security guard into opening the vault for him and handing him all the money inside, we would not say “Oh, we need to build bigger vaults with thicker doors and more complicated locks!” It’s obvious to anyone who thinks about something like that that a bigger door or thicker walls won’t prevent someone from tricking a gullible guard into unlocking the door.

Yet with computer malware, we tend to jump on technological solutions. Someone in China tricks an American defense contractor into deliberately installing a key logger on his computer, and everyone says “We need tighter computer security and more computer defenses.” Which is as pointless and ineffectual as saying “we need thicker bank vault walls” if someone persuades the guard to intentionally, deliberately unlock the vault door and hand him the money.

What we need isn’t better computer security; better computer security will not and can not address this kind of problem. What we need is less gullible people.


A few weeks back, someone posted an ad on Craigslist saying that they were moving suddenly and they needed to get rid of everything in their house, including their horse. They said that the house would be unlocked and anyone who wanted to could come and take anything they liked. Hundreds of people showed up and ransacked the house, even taking light fixtures and plumbing fixtures.

Needless to say, the Craigslist ad was bogus. Some people had robbed the house earlier, then posted the ad to conceal the evidence of their robbery.

Of course, the police showed up, but what was most interesting was how indignant the folks who ransacked the house were. They were angry and upset that the police tried to stop them. Many of them waved printouts of the Craigslist ad around, as if it justified what they were doing. They genuinely, sincerely believed that the ad on Craigslist meant they were doing nothing wrong.

That’s the mentality a lot of folks–including folks who ought to know better, including defense contractors–have. They truly believe that if an email says it is from someone they know and they should download and run the attached program, it must be OK to do. They sincerely think that if they see it in an email, it can not possibly be false. And that gullibility makes them easy to dupe.


These are not idiots. If a person walked up to them on a street and said “I live at 423 Main Street but I have to move in a hurry, so go into that house and take anything you like,” they’d be like “Yeah, right.” If someone walked into their office and said “I’m from the Pentagon, take this CD and run the program that’s on it,” they’d never in a million years do it.

But because it’s on the Intertubes, somehow it gets past their bullshit filters, and they suspend their ordinary skepticism. And I think that’s really, really interesting.


One of my all-time favorite books is Why People Believe Weird Things: Pseudoscience, Superstition, and Other Confusions of Our Time, by Michael Shermer, who’s one of my personal heroes. I met him briefly at a science fiction convention last October, and he’s just as amazing in person as he is in print.

One of the things he talks about, and one of the things I’ve written about as well, is the idea of the brain as a “belief engine,” a tool for forming beliefs about the physical world. As a tool for survival, the brain works amazingly well, but survival pressures have tended to shape and mold it in such a way that its default state is to accept ideas uncritically rather than reject them. For our early hunter-gatherer ancestors, the consequences of accepting a false belief (“keeping this magic stone in my pocket will help me ward off evil spirits”) were generally less dire than the consequences of rejecting true beliefs (“a leopard is dangerous to me,” “keeping upwind of my prey will cause my prey to escape more often”), and so we have developed these amazing brains that find it much easier to accept than to reject ideas.

On top of that, our brains are so highly optimized for efficient and rapid pattern recognition that they can tend to see patterns even where none exist (“when I updated to OS X 10.4.11, my hard drive failed; the update was responsible for the failure”).


I wrote an essay about the belief engine a while back. I think that it applies to things like Internet hoaxes and Trojan-horse malware in part because we are wired by selective adaptation to accept ideas uncritically, but we are also taught from a young age when that kind of uncritical acceptance is dangerous.

Everyone (well, almost everyone) learns from an early age not to trust strangers. So if a stranger stopped us on the street and said “I live in the house at the end of the block but I have to leave, so walk on in and take whatever you like,” there’s no way we’d believe him. But we aren’t taught to distrust the Internet.


To make matters worse, I think the Internet confuses people by messing with the signs we have been taught to accept to mark trustworthy people and institutions. We are taught to separate folks within our sphere of trust from folks outside of it, but we are not taught that this trust doesn’t extend to the Internet.

So, for example, most of us trust our mothers. If we receive an email and it’s got Mom’s “from” address on it and claims to be a greeting card, we’ll likely download it and run it without a second thought, because we trust Mom. What we haven’t been taught is not to trust the From: address on any email. People don’t realize how easily that is faked; the email is trusted because it bears the mark of being from a person inside our sphere of trust, but that mark itself is untrustworthy.

Same deal for a defense contractor who receives an email that claims to be from his Pentagon contact. Because the email carries a mark of a person inside the sphere of trust, the email is accepted.

Phishing scams rely on that, too. We mostly trust our banks, and we are familiar with what our bank Web site looks like. So we associate things like the bank’s logo and the bank’s Web site layout, which are familiar and comforting, with that feeling of trust. We so strongly associate things like the bank’s logo with the bank itself that just the appearance of the bank’s logo can make whatever it’s attached to seem trustworthy.

In contemporary society, this is intentional; businesses do a lot of work and spend a lot of money to associate things like logos with the business, and to attach the logo to our emotional response. But what that means is the logo and the familiarity of the Web site layout make us trust the fraudulent phishing site. These things carry more weight than, say, the padlock that shows a secure connection, or the URL of the site, because we have not been taught about those things, but we have been taught to associate the logo with our feelings of trust in the bank. So we fall for the scam Web sites, and we voluntarily turn over information that otherwise we would be unlikely to give to anyone.


So again what happens is that we see the Internet as a technological construction, and we seek technological solutions to security problems, when perhaps it might be more effective to see the Internet as a social construct, and teach people “never trust an email from anyone” or “never trust a Web site that does not show a padlock on it” the same way we teach people “don’t talk to strangers” and “don’t give your bank account number to people you don’t know.”

I’m not saying there’s no need for technological security, mind you. There are still folks who exploit technical flaws in computers, or who attack computers using technical attacks like DNS cache poisoning or DNS rebinding attacks. Securing computer networks is still a necessary thing to do, and on that score the Internet as it now exists gets pretty dismal marks.

But what gives the Internet its power is the way people use it, not the hardware that makes it up. It is a social construct; it’s essentially nothing more than a communication medium. And any time you have communication, you have the potential for cons and fraud. I really do think that we have not yet, as a society, learned to extend the same degree of distrust to the Internet as we have to things in “real life,” and as a result the natural tendency for us to believe rather than disbelieve is easily exploited on the Internet.

Anatomy of computer crime

Note: Followup to this entry at http://tacit.livejournal.com/240750.html

So apparently, Macintosh users are now the targets of Eastern European organized crime.

First, a bit of backstory. Last December, I wrote an article about how I had done a Google search for my name and uncovered a massive hacking attack against a Web hosting company called iPowerWeb. iPower, a company in Phoenix, Arizona, has trouble securing their Web servers, and Russian organized crime can hack any Web site hosted by iPower completely at will.

That was last December. Today, as I write this, iPower still has not fixed their server security; each day, a whole crop of new Web sites hosted by iPower is hacked, and the hackers plant redirectors on the site that are designed to snare unwary visitors and send them to servers in Eastern Europe that attempt to infect users with computer viruses.

For the past couple of months, I have been emailing iPower every day with new lists of hacked Web sites they’re hosting. Each day, I bug them to fix their computer security. Each day, they remove the virus redirectors that I tell them about, but they do not fix their server security; so the next day, more of their Web sites are hacked. Some poor sots who host Web sites with iPower have had their sites hacked over and over again.

In the past 48 hours, the nature of the hacks has changed. Between December and now, the hacks were all the same; the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory on the site named /bad, and then create a directory with a one- or two-digit number as a name. The redirector pages would go in the numbered directory. This made spotting hacked iPower Web sites trivially easy.
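The fixed naming scheme described above is exactly the kind of indicator a hosting provider could sweep for. The checker below is an added example, not the post’s own tooling: it inspects each site directory under a hosting root for the /her and /bad directories and a one- or two-digit directory, and looks inside the numbered directory for pages that redirect (meta refresh or script-driven navigation). The site tree and the target host name are constructed fixtures.

```python
"""Sweep a hosting root for the /her, /bad, numbered-directory pattern.
Added example (not from the original post); the sample tree is constructed."""
import os
import re
import tempfile

NUMERIC_DIR = re.compile(r"^\d{1,2}$")
MARKER_DIRS = ("her", "bad")
# Crude signs of a redirector page: a meta refresh or script-driven navigation.
REDIRECT_PATTERNS = (
    re.compile(r"<meta[^>]+http-equiv=['\"]?refresh", re.I),
    re.compile(r"(window\.location|document\.location|location\.href)\s*=", re.I),
)


def looks_like_redirector(html):
    """True if the page body matches any of the redirect patterns."""
    return any(p.search(html) for p in REDIRECT_PATTERNS)


def inspect_site(site_dir):
    """Describe the indicators found in one site, or None if there are none."""
    entries = {e for e in os.listdir(site_dir)
               if os.path.isdir(os.path.join(site_dir, e))}
    markers = [d for d in MARKER_DIRS if d in entries]
    numbered = sorted(d for d in entries if NUMERIC_DIR.match(d))
    redirectors = []
    for d in numbered:
        for name in sorted(os.listdir(os.path.join(site_dir, d))):
            path = os.path.join(site_dir, d, name)
            if name.lower().endswith((".htm", ".html", ".php")) and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if looks_like_redirector(fh.read()):
                        redirectors.append(f"{d}/{name}")
    if not markers and not numbered:
        return None
    # All three indicators together is the pattern the post describes;
    # a lone numbered directory (e.g. an archive folder) is only a weak hit.
    return {"markers": markers, "numbered_dirs": numbered,
            "redirectors": redirectors,
            "full_pattern": len(markers) == len(MARKER_DIRS) and bool(redirectors)}


def scan_hosting_root(base):
    """Return {site: findings} for every site directory with at least one indicator."""
    hits = {}
    for site in sorted(os.listdir(base)):
        site_dir = os.path.join(base, site)
        if os.path.isdir(site_dir):
            found = inspect_site(site_dir)
            if found:
                hits[site] = found
    return hits


def build_sample_tree(base):
    """Constructed fixture: one compromised-looking site, one clean site."""
    hacked = os.path.join(base, "victim.example")
    for d in ("her", "bad", "17"):
        os.makedirs(os.path.join(hacked, d))
    with open(os.path.join(hacked, "17", "index.html"), "w") as fh:
        fh.write('<html><head><meta http-equiv="refresh" '
                 'content="0;url=http://redirect-target.invalid/"></head></html>')
    clean = os.path.join(base, "clean.example")
    os.makedirs(os.path.join(clean, "images"))
    with open(os.path.join(clean, "index.html"), "w") as fh:
        fh.write("<html><body>Hello</body></html>")


def demo():
    """Build the fixture in a temp dir and return the sites flagged."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan_hosting_root(base)
```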

About two days ago, the hackers began changing the naming scheme of the directory. This led me on a path to discovering an entire network of compromised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.

And they’re distributing Mac viruses now, too.

If this stuff interests you, read on! (We're about to get technical here.)

Another day, another iPowerWeb security breach

Last December, I was monkeying around on the Internet doing a Google search for my name, and I discovered a massive security breach at a major Web hosting company that eventually made it to The Register.

So today, I was monkeying around on the Internet doing a Google search for my name, and…

…wait for it…

…discovered that iPower has been hacked again, and hundreds more Web sites hosted by iPower have been penetrated by Russian organized crime and used to spread computer viruses. Want to know more?

More info on yesterday’s Russian Business Network nuttiness

Apparently, my LJ post yesterday freaked some folks out; I got contacted almost immediately after it went up by a startling number of people asking for more information. Softlayer.com was on top of the problem with remarkable swiftness, and as of today the intrusion into their servers appears to have been corrected–all the hacked domains I was able to identify on their network are fixed.

Cut for folks who don't much care for the technical details about this sort of thing…

‘Tis a productive morning!

So far today, I have created a new brochure for one of our distributors, found and fixed a very subtle and deeply-buried PHP bug in a commercial video sharing software package that a friend of mine bought, and discovered a massive Russian Business Network attack on the ISP softlayer.com in which thousands of Web sites hosted by them and their downstream customers have been compromised.

I also had a very tasty quesadilla for lunch. And it’s not even 1:00 yet.

Tonight, I think I’ll write some pr0n, track down another RBN hack attack I may have sniffed out against sites running phpBB, and try to level my warrior’s blacksmithing skill in World of Warcraft. Maybe I’ll document the security breach at Softlayer as well. Looks like a zero-day exploit against cPanel.

Polyamory and crime on the Internet

Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it’s always fun to see how many sites are linking to me (and I’m in the process of building a list of non-English mirrors of my polyamory site — it’s been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I’ve discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I’ve ever heard of.

A little background is in order. If you’ve used Google for any length of time, you probably know that when you Google popular keywords you’ll often run into “spam pages.” These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like “tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock” and have excerpts that look like “she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod”. These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer’s site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to redirect visitors to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who’s unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info “I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark’s, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.


UPDATED3: I’ve looked at some of the random text on these pages, and it’s not really random at all–it’s a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is “Ashley had always wanted to go there”–doing a Google search for that exact phrase results in 13,800 hits–nearly every single one of which is a spam redirector.


You get the idea. “Oh, well, this is interesting,” thought I, “polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now.”

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that’s when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP–the largest single Web site security breach I’ve heard of.

If you want to keep going down the rabbit hole: Follow me! Things are about to get very technical here.

Open source will save us all!

Or, err, perhaps not.

Consider the case of www.freehipaa.net, a Web site that advertises free, open-source HIPAA-compliant medical software. HIPAA is the US law that protects the privacy and security of patient medical records; it has, among other things, provisions specifying security standards for remote storage, use, and retrieval of sensitive patient information.

HIPAA compliance is a big deal; those who violate the standards can find themselves neck-deep in legal trouble, and anyone who is responsible for maintaining patient medical information is obligated to take security very seriously indeed.

Which is why it’s all the more amusing that I received a fake PayPal scam email in my mailbox today directing suckers to a phony Web page, where the hackers could steal their PayPal information. The hackers responsible for these scams first find vulnerable Web servers with outdated content management or ecommerce software, then hack these Web sites and put up their phony phishing pages, and finally send out spam email directing the unwary to the hacked Web site for fleecing.

Today’s cracked Web site du jour? None other than http://www.freehipaa.net/icons/us/webscr.htm — yep, that’s right. The creators of HIPAA-compliant medical billing software can’t even secure their own Web server.

Hmm. I wonder if their software is any better…