Tuesday, June 30, 2009

Cybercrime spreads on Facebook

| Brett D. Arion |
BOSTON (Reuters) - Cybercrime is rapidly spreading on Facebook as fraudsters prey on users who think the world's top social networking site is a safe haven on the Internet.

Lisa Severens, a clinical trials manager from Worcester, Massachusetts, learned the hard way. A virus took control of her laptop and started sending pornographic photos to colleagues.

"I was mortified about having to deal with it at work," said Severens, whose employer had to replace her computer because the malicious software could not be removed.

Cybercrime, which costs U.S. companies and individuals billions of dollars a year, is spreading fast on Facebook because such scams target and exploit those naive to the dark side of social networking, security experts say.

While News Corp's (NWSA.O) MySpace was the most popular hangout for cyber criminals two years ago, experts say hackers are now entrenched on Facebook, whose membership has soared from 120 million in December to more than 200 million today.

"Facebook is the social network du jour. Attackers go where the people go. Always," said Mary Landesman, a senior researcher at Web security company ScanSafe.

Scammers break into accounts posing as friends of users, sending spam that directs them to websites that steal personal information and spread viruses. Hackers tend to take control of infected PCs for identity theft, spamming and other mischief.

Facebook manages security from its central headquarters in Palo Alto, California, screening out much of the spam and malicious software targeting its users. That should make it a safer place to surf than the broader Internet, but criminals are relentless and some break through Facebook's considerable filter.

The rise in attacks reflects Facebook's massive growth. Company spokesman Simon Axten said that as the number of users has increased, the percentage of successful attacks has stayed about the same, remaining at less than 1 percent of members over the past five years.

By comparison, he said, FBI data shows that about 3 percent of U.S. households were burglarized in 2005.

"Security is an arms race, and we're always updating these systems and building new ones to respond to new and evolving threats," Axten said.

When criminal activity is detected on one account, the site quickly looks for similar patterns in others and either deletes bad emails or resets passwords to compromised accounts, he said. Facebook is hiring a fraud investigator and a fraud analyst, according to the careers section of its website.


But ultimately Facebook says its members are responsible for their own security.

"We do our best to keep Facebook safe, but we cannot guarantee it," Facebook says in a warning in a section of the site on the terms and conditions of use, which members may not bother to read. (www.facebook.com/terms.php)

"People implicitly trust social networking sites because they don't understand the real threats and dangers. It's like walking down the street and trusting everybody you meet," said Randy Abrams, a researcher with security software maker ESET.

Amy Benoit, a human resources manager in Oceanside, California, said she may stop using Facebook altogether after she became entangled in a popular scam: A fraudster sent instant messages to a friend saying that Benoit had been attacked in London and needed $600 to get home.

Yale University last week warned its business school students to be careful when using Facebook after several of them turned in infected laptops.

One of the most insidious threats is Koobface, a virus that takes over PCs when users click on links in spam messages. The virus turned up on MySpace about a year ago, but its unknown authors now focus on spreading it through Facebook, which is struggling to wipe it out.

"Machines that are compromised are at the whim of the attacker," said McAfee Inc (MFE.N) researcher Craig Schmugar.

McAfee, the world's No. 2 security software maker, says Koobface variants almost quadrupled last month to 4,000. "Because Facebook is a closed system, we have a tremendous advantage over e-mail. Once we detect a spam message, we can delete that message in all inboxes across the site," said Schmugar.

Facebook's Axten said the site does not know how many users have been infected by Koobface.

A new website that follows Facebook news, www.fbhive.com, recently identified a vulnerability that made it possible to access any user's private information using a simple hack. The loophole has since been closed.

"We don't have any evidence to suggest that it was ever exploited for malicious purposes," Axten said.

Hackers even find ways to get into accounts of savvy users like Sandeep Junnarkar, a journalism professor at City University of New York and former tech reporter. Last month he learned his account was hacked as he waited for a flight for Paris. He quickly changed his password before boarding.

"Am I surprised that it happened? Not really," he said.


FBI Defends Disruptive Raids on Texas Data Centers

| Brett D. Arion |
The FBI on Tuesday defended its raids on at least two data centers in Texas, in which agents carted out equipment and disrupted service to hundreds of businesses.

The raids were part of an investigation prompted by complaints from AT&T and Verizon about unpaid bills allegedly owed by some data center customers, according to court records. One data center owner charges that the telecoms are using the FBI to collect debts that should be resolved in civil court. But on Tuesday, an FBI spokesman disputed that charge.

"We wouldn’t be looking at it if it was a civil matter," says Mark White, spokesman for the FBI’s Dallas office. "And a judge wouldn’t sign a federal search warrant if there wasn’t probable cause to believe that a fraud took place and that the equipment we asked to seize had evidence pertaining to the criminal violation."

In interviews with Threat Level, companies affected by the raids say they’ve lost millions of dollars in equipment and business after the FBI hauled off gear belonging to phone and VoIP providers, a credit card processing company and other businesses that housed equipment at the centers. Nobody has been charged in the FBI’s investigation.

According to the owner of one co-location facility, Crydon Technology, which was raided on March 12, FBI agents seized about 220 servers belonging to him and his customers, as well as routers, switches, cabinets for storing servers and even power strips. Authorities also raided his home, where they seized eight iPods, some belonging to his three children, five XBoxes, a PlayStation3 system and a Wii gaming console, among other equipment. Agents also seized about $200,000 from the owner’s business accounts, $1,000 from his teenage daughter’s account and more than $10,000 in a personal bank account belonging to the elderly mother of his former comptroller.

Mike Faulkner, owner of Crydon, says the seizure has resulted in him losing millions of dollars in revenue. It’s also put many of his customers out of business or at risk of closure.

The raids are the result of complaints filed by AT&T and Verizon about small VoIP service providers whom the telecoms say owe them money for connectivity services. But instead of focusing the raid on those companies, Faulkner and others say the FBI vacuumed up equipment and data belonging to hundreds of unrelated businesses.

In addition to Crydon, the data center of Core IP Networks was raided last week. Customers who went to Core IP to try to retrieve their equipment were threatened with arrest, according to an announcement posted online by the company’s CEO, Matthew Simpson. According to Simpson, the FBI is investigating a company that purchased services from Core IP in the past but had never co-located equipment at Core IP’s address. Simpson reported that 50 businesses lost access to their e-mail and data as a result of the raid. Some of those clients are phone companies, and the loss of their equipment has meant that some of their customers lost emergency 911 access.

"If you run a data center, please be aware that in our great country, the FBI can come into your place of business at any time and take whatever they want, with no reason," Simpson wrote.

Faulkner says the FBI seized about $2.5 million from Simpson’s personal bank account. Simpson did not respond to a request for comment.

Faulkner and others say that the FBI agent who led the raid, Special Agent Allyn Lynd from the Dallas field office, warned them not to discuss the raid with each other or with the press.

But a 39-page affidavit (.pdf) related to the Crydon raid provides a convoluted account of the investigation. It alleges that a number of conspirators, some of whom may have connections to Faulkner, conspired to obtain agreements from AT&T and Verizon to purchase connectivity services with the telecoms. Several documents used to provide proof of business ownership and financial stability were forged, according to the affidavit. For example, the affidavit claims that one of the conspirators, named Ronald Northern, sent AT&T a bill from Verizon to show that he had a history of paying for services on time. The bill was allegedly forged using Verizon's logo (which the company claims is a trademark infringement), and the corporation number the conspirator used actually belonged to a different Verizon customer.

Northern could not be reached for comment.

The affidavit claims that Faulkner, Northern and others committed mail and wire fraud, criminal e-mail abuse (stemming from separate allegations of spamming), criminal copyright infringement and criminal use of fraudulent documents. The affidavit mentions several companies that Faulkner has been connected to, including Crydon, Premier Voice and Union Datacom.

But mixed in with these allegations is a separate tale that hints at the larger story behind the raid. AT&T and Verizon say they’re owed about $6 million in fees from VoIP service providers who used servers that were co-located at Crydon and the other data centers. The telecoms claim that these VoIP providers used up more than 120 million "physical connectivity minutes" without paying for them, and that attempts by AT&T and Verizon to collect on the debts proved fruitless.

"Based on my investigation and that of AT&T and Verizon," writes Special Agent Lynd in the affidavit, "I believe individuals associated with Lonestar Power and Premier Voice defrauded AT&T and Verizon out of hundreds of millions of minutes of physical connectivity service and significant revenue by means of the submission of false/fraudulent credit information and other false representations."

Faulkner, who was a part owner of Premier Voice before selling it about a year ago, acknowledges that Premier owed money to AT&T at one time — though he says he’s not certain it was for interconnection. He says that debt was assumed by the new owner when he sold the company. Either way, he says, this would be categorized as corporate debt, not fraud.

"There’s a big difference between stealing money and owing money," he says.

He says he often invests in troubled companies that are carrying debt when he buys them.

"Usually you settle the debt," he says. "But AT&T never contacted me about owing money. Verizon never contacted me."

Faulkner says the two telecoms have used the FBI to seize equipment to obtain evidence through a criminal investigation instead of pursuing the companies through civil litigation and the discovery process. And instead of targeting the investigation specifically at the VoIP companies, he says the FBI swept in everyone who had servers in the same place where the VoIP servers were located. As a result, all of Crydon Technology’s equipment was seized, as was the equipment of numerous businesses that had the bad luck to own servers running out of Crydon’s facility.

"They’re destroying more and more customers and it just doesn’t seem to make sense," Faulkner says. "They’ve done a horrible amount of damage and have been so barbaric in the way they’ve shut things down. If they just picked some random guy off the street to do this investigation, he could have done a better job than the FBI did."

Among more than 300 businesses affected by the raid on Crydon were Intelmate, which provides inmate calling services for prisons and jails and had about $100,000 in equipment seized in the raid; a credit card processing company that had just become PCI compliant and was in the process of signing on its first customers; Primary Target, a video game company that makes first-person shooters; a mortgage brokerage; and a number of VoIP companies and international telecoms that provided customers with service to the U.S. through servers belonging to a separate company Faulkner ran called Intelivox. These customers essentially lost connectivity to the U.S. after the raid, Faulkner says.

Faulkner says the FBI appears to have assumed that all the servers located at Crydon’s address belonged to him, and didn’t seem to understand the concept of co-location.

The seized data included transactional records for companies, which means the companies won’t be able to bill customers for services already rendered before the raid.

"All of our clients will have to refund their customers, and we’re in the hole now to refund our customers," says Faulkner. "I could tell the FBI agent had never even considered that. He just said, ‘Well, that’s your problem.’"

The owner of a credit card processing company who had servers at Crydon says he lost about $35,000 in equipment in the seizure, and that the survival of his company is at risk until he secures a new location. He asked that he and his company not be named because the company is in the process of securing business partners to launch its processing service. He fears that news about the disruption to his business operation could lead potential partners to avoid contracting with him. To keep his launch on track, he’s had to purchase about $32,000 in new equipment.

He said when he tried to explain to an FBI agent that some of the servers that were seized belonged to him and not to Faulkner, the FBI agent implied he was lying.

"We were treated like we were criminals," he said. "They assumed there was no legitimate business in there."

In addition to the transaction servers taken from Crydon’s facility, he also lost telephone service for his company after the FBI raided Core IP, which housed a business that was providing his company with VoIP.

FBI spokesman White says the equipment seizures were necessary.

"My understanding is that the way these things are hooked up is that they’re interconnected to each other," he says. "Company A may be involved in some criminal activity and because of the interconnectivity of all these things, the information of what company A is doing may be sitting on company B or C or D’s equipment."

White says the FBI is working with affected companies to provide them with copies of seized data they need to run their businesses.

"It’s not that we’re doing nothing to assist them," White says. "We’ve repeatedly asked the companies to call and provide us with the information we need so we can get the info they need back to them. It is a time-consuming process."

The owner of the card-processing company, however, says the FBI has been "completely unresponsive" to the needs of Crydon customers caught up in the raid. An agent gave him a fax number to send the FBI details about the equipment that belongs to him, but the fax number didn’t work. Then, he says, the agent in charge took a vacation.

"They were all unavailable after they effectively seized all of our equipment," he says.

An agent told the customer that no equipment would be released until agents could determine if it was used in criminal activity. And if it was used for criminal activity, it wouldn’t be released until after a trial.

"Our equipment could be there indefinitely," the customer said. "There’s been no due process…. I consider this to be an issue for anyone owning a data center right now. That they have this much power and can take anyone just because your equipment is inside a facility…. They’re supposed to limit their search and seizure to the owner of the equipment."

Faulkner says he’s managed to replicate mail servers and some functionality for some customers and is building up new business resources elsewhere — this time offshore in Panama, Mexico and Canada, where the FBI would have trouble seizing servers in the future. The Electronic Frontier Foundation has contacted him to investigate the FBI’s possible violation of due process.

Faulkner says when he visited the FBI’s office after the raid, he found numerous cubicles stacked full of servers seized in other raids that were waiting for someone to examine them. The irony, he says, is that in the case of his servers the data was all hardware encrypted.

"It would take a lot of NSA time to crack just one of them," Faulkner says.

Many of the allegations against Faulkner are based on claims from an unidentified informant who told the FBI that he used to work for Faulkner, and witnessed many criminal acts Faulkner committed. The witness told authorities he was "unaware of any legitimate business being run by Faulkner and that as far as he/she knew all of his income was derived from his illegal activities." The informant also claimed Faulkner used crack cocaine and methamphetamine and engaged in commercial spamming.

Faulkner says the unnamed informant is a former employee who was fired after failing to show up to work over an extended period.

"We paid him $70,000 to help us launch a VoIP business, and he never actually did anything," Faulkner says.

Faulkner says he doesn’t do drugs and he’s never conducted spamming nor been associated with spammers. He says when he has discovered spammers using ISP services he provided through companies he owned in the past, he would block their activities.

Trojan Swipes FTP Credentials for Major Companies in Malware Attack

| Brett D. Arion |
Security researchers are tracking a Trojan that has swiped as many as 88,000 FTP credentials for organizations such as Symantec, McAfee, Amazon, Cisco and the Bank of America. According to researchers at Prevx, the compromises are part of an operation that has been in business for more than two years.

Security researchers have uncovered a cache of stolen FTP credentials belonging to a variety of corporations, including Symantec, McAfee, Amazon and the Bank of America.

According to security vendor Prevx, a Trojan has swiped some 88,000 FTP credentials as of this morning. The FTP logins were discovered while the company’s researchers were investigating what Prevx CTO Jacques Erasmus described as a “prevalent in-the-wild infection.” During their investigation, they noticed the malware was sending out data to a Web server. After visiting the URL, the researchers found the cache of unencrypted FTP logins.

“We have contacted many of the organizations, and also handed the data over to US CERT; we have in the meantime made a Web page where people can go to check if their ftp logins are in the list,” he said. “The url for this is www.prevx.com/ftplogons.asp.”

Once on an infected computer, the Trojan harvests all FTP details it can find. The infection is randomized so different people will get different components based on where they are, software configuration and other criteria. According to Erasmus, this all appears to be part of an operation that has been morphing in different ways for more than two years.

“It doesn’t target the organizations, what it does do is when it infects a victim it grabs any stored FTP details from the form cache and sends it to their drop site,” Erasmus explained. “A typical example would be a developer working for amazon.com gets infected on his laptop which he used to upload some data to the ftp. The Trojan would steal his login details. In the case of Symantec – Mcafee – et al, what’s happened is partners and resellers who have privileged access to the ftp site for software downloads etc., have had their machines compromised, and their login details for these sites have been compromised.”

The Trojan is a variant of ZBot, which is reported to be receiving the uploaded FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an e-mail claiming to be a critical update for Microsoft Outlook. Once on the user’s system, ZBot accesses a Website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data.

In the Outlook scam, the Trojan logged keystrokes whenever the victim visited one of the monitored sites and saved the stolen information in a file and then sent the file to a dedicated server via HTTP POST.

“From what we can tell this group runs various exploit kits and infects a large amount of people on a daily basis,” Erasmus said. “By looking at their operation, we can see that they are not 'amateur' because of the level of bulletproof hosting they have and the sophistication they are using to infect people in a very effective way.”

With the details in hand, attackers can make a script that uses these login details to try to log in to each site and inject an iframe into each html page they find. This iframe could point to an exploit kit running on the malware distributor’s servers.

“When normal Web surfers visit the Website their browsing session would be redirected to the Exploit kit url where various types of exploits would be executed against their browser to try and automatically infect them,” Erasmus said. “So you might go to one of these sites looking to rent a house, but in the end, you’re getting a whole lot more.”
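As an added illustration (this is not code from Prevx or from the article), here is the kind of check a site owner whose FTP password might be on that list could run over their own HTML before anything else: it flags iframes that are hidden (zero-size, display:none, visibility:hidden, pushed off-screen) or that point to a host other than the site's own, which is exactly the injection pattern described above. The site hostname, the TEST-NET address and both sample pages are constructed for the example.

```python
"""Find injected iframes in HTML pages (post FTP-credential-theft check).

Added example, not Prevx's or the article's code. After a stolen FTP
login is used to append an <iframe> to every page, the iframe is
normally hidden and points at an exploit-kit host. This scanner flags
iframes that are hidden or whose src is off-site. Sample HTML below is
constructed; 198.51.100.7 is a documentation (TEST-NET-2) address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-rentals.com"  # assumed: the legitimate site's hostname


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# Inline styles attackers use to keep the frame invisible to the visitor.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px|"
    r"(?:width|height)\s*:\s*[01](?:px)?\b",
    re.I,
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (px)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(attrs):
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))


def _is_external(src, site_host):
    host = urlparse(src).hostname  # None for relative URLs
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, [reasons])] for every iframe that looks injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_external(attrs.get("src", ""), site_host):
            reasons.append("external-src")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample pages: a clean listing page, and the same page after
# an attacker appended a hidden off-site iframe before </body>.
CLEAN_PAGE = """<html><body><h1>Houses for rent</h1>
<iframe src="/listings/map.html" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://198.51.100.7/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>',
)

if __name__ == "__main__":
    print("clean:", find_suspicious_iframes(CLEAN_PAGE))
    print("injected:", find_suspicious_iframes(INJECTED_PAGE))
```

Run it over every .html file pulled from the server (not a cached copy from your own machine, since the injected copy is the one on the server). An iframe that is both hidden and external is the strong signal; a legitimate embedded map or video is visible and sized, so it passes.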

Thursday, June 4, 2009

Epok Begins Marketing Vulnerability Analysis Tool Developed for NSA and DHS

| Brett D. Arion |
A vulnerability analysis tool used by the National Security Agency (NSA) and U.S. Department of Homeland Security is now commercially available for enterprises that want to either make sense of their reams of vulnerability data or trace an actual data breach.

The Cauldron tool, which was developed by George Mason University's Center for Secure Information Systems (CSIS) under a research grant by the NSA and Air Force Research Labs, automates the analysis of all of a network's potential attack paths, from the network to the application level. It takes in vulnerability data from scanners, aggregating and correlating that data with vulnerability databases.

The so-called Topological Vulnerability Analysis (TVA) technology also provides graphical representations of exploit sequences and paths that attackers can use to break into a network or application. "The [GMU] project looked at ways to improve on the efficiency of reviewing vulnerabilities and trying to focus on what vulnerabilities should be resolved first -- with tons of network scans and data," says Oscar Fuster, vice president of marketing for Epok, a software and integration firm that is offering Cauldron to its clients as well as for direct sale. "That's what the product does: It aggregates these globs of data and different scans, and correlates and maps it so you can visually see what an attack pattern might look like -- and not just an attack from the outside."

Vulnerability management isn't new. Vendors such as RedSeal and Skybox offer similar analysis, notes Ivan Arce, CTO for Core Security Technologies, which sells penetration testing tools. "[Cauldron] does [resonate] with what we have been saying for years: Attackers use multistep attacks and do not constrain themselves to single-attack vectors," Arce says.

But the approach used by Cauldron is based on data from third-party vulnerability scanners and IDSes, he says -- data that is "purely theoretical" when it comes to attacks. "Therefore, its quality is derived purely on the quality of the inputs and on whether their model is actually valid and realistic," Arce says. "To address this problem from a theoretical model is one thing, and it's another thing to have some real means of demonstrating when this or that happens or not...when trying to compromise a system. That's what penetration testing is good for."

Fuster says Cauldron is more specialized than related vulnerability analysis tools in the market because it focuses specifically on aggregating, correlating, and visualizing. "How would someone attack my database server? It draws you all of the attack paths someone could take by exploiting all of those vulnerabilities [in the network]," he says.

Vulnerability data is imported into Cauldron via an XML-based tool so that enterprises can analyze how bugs could be used to attack their critical assets, enabling them to pinpoint and prioritize fixes, Fuster says. And it can also be used to illustrate all of the attack paths once a breach is under way, or to conduct forensics after an attack.
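To make the idea concrete, here is a toy version of what such topological vulnerability analysis computes. This is an added example, not Cauldron's or GMU's code: it joins constructed scanner findings (which host exposes which remotely exploitable service) with a constructed reachability policy, enumerates the multistep exploit chains from the Internet to the database server, and then picks the single fix that removes the most chains, which is the prioritization Fuster describes. Every host name, port and vulnerability label (V1 through V4) is made up for the example; real input would come from the scanners and vulnerability databases the article mentions.

```python
"""Toy topological vulnerability analysis (attack-graph) example.

Added example, not Cauldron's or GMU's code. Scanner output (host, port,
exploitable flaw) is combined with the network's reachability policy to
enumerate exploit chains an attacker could follow to a critical asset,
and to rank which flaw to fix first. All hosts, ports and vulnerability
labels are constructed for the demonstration.
"""
from collections import namedtuple

Vuln = namedtuple("Vuln", "vid host port")

# Constructed "scanner output": each entry is a remotely exploitable flaw
# that gives the attacker code execution on that host.
VULNS = [
    Vuln("V1", "web", 80),    # internet-facing web server
    Vuln("V2", "app", 8080),  # application tier
    Vuln("V3", "db", 3306),   # database listener
    Vuln("V4", "db", 22),     # management SSH on the database host
]

# Constructed firewall policy: from a foothold on the key host, which
# (host, port) pairs are reachable.
REACH = {
    "internet": {("web", 80)},
    "web": {("app", 8080), ("db", 22)},
    "app": {("db", 3306)},
    "db": set(),
}


def next_hops(foothold, vulns=VULNS, reach=REACH):
    """Flaws the attacker can exploit from a given foothold host."""
    return [v for v in vulns if (v.host, v.port) in reach.get(foothold, set())]


def attack_paths(start, target, vulns=VULNS, reach=REACH):
    """Enumerate simple exploit chains from start to code execution on target.

    Each hop pivots from the host compromised by the previous hop; a host
    is never revisited within one chain.
    """
    paths = []

    def dfs(foothold, visited, chain):
        if foothold == target:
            paths.append(list(chain))
            return
        for v in next_hops(foothold, vulns, reach):
            if v.host in visited:
                continue
            chain.append(v.vid)
            dfs(v.host, visited | {v.host}, chain)
            chain.pop()

    dfs(start, {start}, [])
    return paths


def compromisable_hosts(start, vulns=VULNS, reach=REACH):
    """Forward chaining: every host some exploit chain can reach from start."""
    seen, frontier = {start}, [start]
    while frontier:
        host = frontier.pop()
        for v in next_hops(host, vulns, reach):
            if v.host not in seen:
                seen.add(v.host)
                frontier.append(v.host)
    seen.discard(start)
    return seen


def best_single_fix(paths):
    """Vulnerability whose removal leaves the fewest attack paths."""
    vids = {vid for p in paths for vid in p}
    remaining = {vid: sum(1 for p in paths if vid not in p) for vid in vids}
    return min(remaining, key=lambda vid: (remaining[vid], vid))


if __name__ == "__main__":
    chains = attack_paths("internet", "db")
    for chain in chains:
        print(" -> ".join(chain))
    print("compromisable:", sorted(compromisable_hosts("internet")))
    print("patch first:", best_single_fix(chains))
```

With this inventory the two chains to the database are V1 -> V2 -> V3 and V1 -> V4, so V1 on the web server is the fix that cuts every path, even though the database flaws look more severe in isolation. That is also the limit Arce points to: the result is only as good as the scanner data and the reachability model fed in, and a path on the graph is not proof that the exploit actually works.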

Epok is marketing the tool to other government agencies, as well as companies in financial services and pharmaceuticals, for instance, as part of integration projects. Cauldron is also available for direct sale from Epok, starting at $15,000 for up to four subnets, and up to several hundred thousands of dollars for larger networks.

According to Cauldron's creators, among other functions the tool also lets users compare possible resource expenditures in the network to determine the effect on security overall, as well as "immediately observe any changes to individual machine configurations that increase the overall risk to the enterprise," GMU researchers wrote in a paper about the technology.
