International Telecommunication Union   ITU
 
 
 Monday, January 28, 2008

Net-Security.org recently interviewed Nitesh Dhanjani and Billy Rios, well-known security researchers who recently managed to infiltrate the phishing underground. The interview gives readers a rundown on how Dhanjani and Rios saw an extraordinary amount of sensitive customer account information, obtained the latest phishing kits, located and examined the tools used by phishers, trolled sites buying and selling identities, and even social engineered a few scammers. In the interview they also expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

Read the full interview here.

Monday, January 28, 2008 1:07:00 PM (W. Europe Standard Time, UTC+01:00)

Speech recognition technology has been an accelerating technological development and is now making its way to the mass market. Among the companies providing speech recognition technology is Vlingo Corporation. "Vlingo’s service lets people talk naturally, rather than making them use a limited number of set phrases. Dave Grannan, the company’s chief executive, demonstrated the Vlingo Find application by asking his phone for a song by Mississippi John Hurt (try typing that with your thumbs), for the location of a local bakery and for a Web search for a consumer product. It was all fast and efficient. Vlingo is designed to adapt to the voice of its primary user, but I was also able to use Mr. Grannan’s phone to find an address. The Find application is in the beta test phase at AT&T and Sprint." Other companies offering speech recognition technology to their customers include Nuance, with its Nuance Voice Control system released last August, and Microsoft, with its purchase of TellMe Networks last March. According to Opus Research, speech recognition reached a $1.6 billion market in 2007, and they further predict an annual growth rate of 14.5 percent over the next three years. "Dan Miller, an analyst at Opus, said that companies that have licensed speech recognition technology would probably see faster revenue growth, as more consumers used the technology."

Speech recognition technology has also been available on personal computers since 2001 in applications like Microsoft Office but with a weaker following. It is also already used in high-end G.P.S. systems and luxury cars from Cadillac and Lexus, and is now spreading to less expensive systems and cars. The speech technology chief at I.B.M. Research, David Nahamoo, adds that the company has an automotive customer testing speech recognition to help drivers find songs quickly while driving. SimulScribe, on the other hand, uses speech recognition to convert voice mail into e-mail.

More on this article at The New York Times.

Monday, January 28, 2008 11:15:19 AM (W. Europe Standard Time, UTC+01:00)

According to security experts at Sophos, 6,000 new infected webpages are discovered every day, 83 per cent of which belong to innocent companies and individuals unaware that their sites have been compromised. Sophos further reports that the well-known iFrame vulnerability in Internet Explorer remained the preferred vector for malware attacks throughout last year, with China (51.4 per cent) and the US (23.4 per cent) leading the net security firm's list of malware-hosting countries. According to PandaLabs, "around half a million computers are infected by bots every day... [and] approximately 11 percent of computers worldwide have become a part of criminal botnets, which are responsible for 85 percent of all spam sent."

Read the full article on The Register.
Read relevant article on Slashdot.

Monday, January 28, 2008 9:55:20 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, January 24, 2008

E360 Insight, LLC filed a complaint against Comcast Corporation on 15 January 2008 accusing the latter of unfairly blocking e360’s e-mail from reaching subscribers. According to e360, in one typical instance, e360 received an error message stating that its e-mail was blocked from reaching subscribers because Comcast’s filters determined that e-mail from e360’s servers had been "sent in patterns which are characteristic of spam." According to Direct magazine's report, "the complaint claims that Comcast’s alleged interference with e360’s business relationships cost the firm $4.5 million a year from 2005 through 2007. The complaint also accuses Comcast of sending e360 bogus bounce information, causing the marketer to remove e-mail addresses from its file that were still active. The suit claims the false bounce information cost it almost $2.5 million." E360 asks for more than $12 million in compensatory damages and $9 million in punitive damages from the accused.

Read the full complaint here.

Thursday, January 24, 2008 9:39:48 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, January 22, 2008

The past week marks the one-year anniversary of the emergence of the spam-enabling Storm worm, a tenacious strain of malicious software that probably speaks more about the future of online crime than almost any other malware family circulating online today. A chronological account from security firm Trend Micro visually sums up Storm's evolution. Dmitri Alperovitch, director of Secure Computing, said federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network, but that U.S. authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. 

Alperovitch believes the majority of Storm worm victims are Microsoft Windows users who for whatever reason have ignored the best advice of security professionals by not running anti-virus software and/or regularly applying software security updates. Indeed, the infection statistics seem to support that analysis. According to Vincent Gullotto, head of Microsoft's security research and response team, Microsoft's "malicious software removal tool" -- shipped as part of its monthly patch updates -- has removed an average of 200,000 versions of the Storm worm from Windows systems each month since November, when the software giant first started shipping removal routines for Storm.

According to Trend, nearly 12,000 pieces of Storm-connected malware were unleashed online over the past year (this includes the Trojan that drops the payload, the Storm worm itself, as well as regular -- sometimes hourly -- updates pushed out to infected machines to stay a step ahead of any anti-virus software installed on the host system.) As big as Storm got this past year, Symantec's numbers help put things in a bit more perspective. Storm-related malware made up slightly more than one-quarter of one percent of all potential malicious code infections in 2007, Symantec said.

Read the full article on the Washington Post.

Tuesday, January 22, 2008 12:29:53 PM (W. Europe Standard Time, UTC+01:00)

Romanian artist Alex Dragulescu, a research assistant at the Massachusetts Institute of Technology's Sociable Media Group, puts a face to threats such as Storm and Netsky. "Dragulescu created his so-called 'threat art' in conjunction with live malware intercepted by e-mail security firm MessageLabs. Each is disassembled into a dump of binary code and then run through a program Dragulescu wrote. That program spends a few hours crunching through all the data, looking for patterns in the code that will determine the shape, color and complexity of each piece of threat art."

According to the Washington Post's article, the configuration of these created organisms is driven largely by the botnets' actions. Dragulescu explains that if there is a repeated attempt to write to a system memory address, a particular Windows API call that tries to write to a file or [blast out e-mail], for instance, the program tracks that and looks for the prevalence, number and behavior of those occurrences. 

Dragulescu's other threat art includes his "spam architecture" and his "spam plants," the latter of which take their form from rules that look at the ASCII values (the computer codes that represent the English alphabet) of each spam sample.

For more of Dragulescu's images, check out his Web site and the MessageLabs threat art page.
Read the full article on the Washington Post.

Tuesday, January 22, 2008 12:14:37 PM (W. Europe Standard Time, UTC+01:00)
 Monday, January 21, 2008

Information Week reports that the CIA admitted on Friday at a New Orleans security conference that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. According to Alan Paller, director of research at the SANS Institute, CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. Information about which foreign cities were affected by the outage and other information related to the attack were not disclosed. According to Paller, a written statement from Donahue read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

The conference was on sharing data about cyberattacks on critical utilities and resources, and on methods of attack mitigation. Discussions also covered the new SCADA (Supervisory Control And Data Acquisition) and Control Systems Survival Kit, a document of best practices for SCADA systems.

Read the full article here.

Monday, January 21, 2008 2:06:15 PM (W. Europe Standard Time, UTC+01:00)
 Friday, January 18, 2008

FCW.com reports that "foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans’ health care records, according to a Department of Homeland Security analyst." Two intrusions into health care systems' servers recorded in the past year alarmed security officials. In early 2007, a Centers for Disease Control and Prevention Web site was infected with a virus, and in April, a Military Health System server holding Tricare records was hacked. Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, said the hackers are seeking to exfiltrate health care data, probably for espionage. DHS is increasing its analysis staff to monitor threats in several industries, including health care, and will be issuing more alerts about cyberthreats to health care data, he said. He added that DHS wants to build a database of health information system intrusions so it can better analyze the threats and develop countermeasures.

More on this report here.

Friday, January 18, 2008 11:49:15 AM (W. Europe Standard Time, UTC+01:00)

A growing concern among security companies as well as the public this year is the burgeoning market for a "protection racket." The computer security industry is said to have deteriorated from one that shared everything about newly discovered weaknesses to one in which some of its members are involved in a protection racket. Researchers such as Paul Henry, vice-president of technology at Secure Computing, describe this trend as "a move by a small minority of security companies now paying hackers for exclusive access to newly discovered vulnerabilities. This ensures their customers are protected while the software vendor works out a solution and rolls out a patch, a process that can take weeks." This worries security experts because hackers are now being given a so-called legitimate route of selling vulnerabilities to a single company, which then protects only its own customers. "They don't have to run the risk of going to jail any more by actually using a vulnerability, they can just threaten you with it and they get paid. It's extortion," says Henry.

Security researchers are said to be drawn to this new practice due to bad treatment from well-known software companies. Henry explains that "there have been cases where people reporting vulnerabilities to software companies have been treated terribly and threatened with legal action because the vendors just don't want to look stupid. Security researchers that have found a vulnerability won't get paid by a vendor, and if they think they actually might end up talking to their lawyers and being threatened, then it's hardly surprising they end up selling vulnerabilities to security companies."

Read the full article on The Guardian.

Friday, January 18, 2008 11:33:53 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, January 17, 2008

The UN Department of Economic and Social Affairs recently released the UN e-Government Survey 2008: From e-Government to Connected Governance, which presents an assessment of the new role of government in enhancing public service delivery while improving the efficiency and productivity of government processes and systems. It comprises two parts: a section presenting the findings of the UN e-Government Survey 2008 and a section focusing on how to approach connected governance.

For more information on the survey, visit the Global E-Government Survey 2008 website.
Access the complete survey here.

Thursday, January 17, 2008 9:18:21 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, January 16, 2008

A documentary, "The New Face of Cybercrime," created by Academy Award nominated director Fredric Golding and presented by Fortify Software, provides a face to the criminals intent on hacking into systems today. Candid interviews with many industry leaders and executives of large organizations taking steps against these attacks are also included, providing perspective on how they think about these threats and what they are doing about them throughout their companies.

Wednesday, January 16, 2008 9:24:11 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, January 15, 2008

The Storm Worm botnet, using its huge collection of infected computers, is now sending out phishing emails directing people to fake banking sites that it also hosts on the computers it remotely controls, according to F-Secure and Trend Micro. Storm had apparently never been involved in phishing up to this point; the new campaign may indicate, according to F-Secure, that Storm's controllers have figured out how to divide the massive army into clusters which they are now renting out to others. F-Secure and Trend Micro both reported that the phishing scam was using a technique known as fast-flux DNS to keep the phishing site alive. Fast-flux works by constantly changing the IP address in the internet's phone book system (known as DNS) and having multiple computers in the botnet host the phishing site. This makes it very difficult to blacklist an IP address, and since the site isn't being hosted by a company that researchers could contact to take it down, the site lives longer.
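As an added illustration (not from the original article or from F-Secure or Trend Micro), the following Python scores hostnames in a constructed resolver log for the fast-flux pattern described above: many distinct addresses spread across unrelated networks, all with short TTLs. The hostnames, addresses and thresholds are assumptions for the example.

```python
"""Fast-flux heuristic over DNS answers seen by a resolver.

Fast-flux hosting keeps a phishing hostname reachable by returning an
ever-changing set of bot addresses with short TTLs, so no single IP can be
blacklisted. A resolver or proxy log of answers lets a defender score each
hostname by how many distinct addresses, in how many distinct networks, it
resolved to within a window. Observations below are constructed (RFC 5737
documentation ranges); hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    ts: int     # seconds since capture start
    name: str   # queried hostname
    ip: str     # IPv4 address in the A record
    ttl: int    # record TTL in seconds


# Constructed sample: a phishing host cycling through bots in three unrelated
# networks every few minutes, and a legitimate site behind a CDN that also
# uses a short TTL but stays inside one network.
OBSERVATIONS = [
    Answer(0,    "secure-login.example", "192.0.2.10",    180),
    Answer(200,  "secure-login.example", "198.51.100.20", 180),
    Answer(400,  "secure-login.example", "203.0.113.30",  180),
    Answer(600,  "secure-login.example", "192.0.2.200",   180),
    Answer(800,  "secure-login.example", "198.51.100.77", 180),
    Answer(1000, "secure-login.example", "203.0.113.99",  180),
    Answer(0,    "www.example.net",      "198.51.100.1",   60),
    Answer(300,  "www.example.net",      "198.51.100.2",   60),
    Answer(600,  "www.example.net",      "198.51.100.3",   60),
    Answer(900,  "www.example.net",      "198.51.100.4",   60),
]


def prefix16(ip: str) -> str:
    """Collapse an address to its /16 as a cheap stand-in for 'which network'.
    A real deployment would map each address to its announcing ASN instead."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarise(observations, window: int = 3600) -> dict:
    """Per hostname: distinct IPs, distinct /16s and the longest TTL seen
    among answers in the first `window` seconds of the capture."""
    acc = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for a in observations:
        if a.ts > window:
            continue
        acc[a.name]["ips"].add(a.ip)
        acc[a.name]["prefixes"].add(prefix16(a.ip))
        acc[a.name]["ttls"].append(a.ttl)
    return {
        name: {
            "distinct_ips": len(s["ips"]),
            "distinct_prefixes": len(s["prefixes"]),
            "max_ttl": max(s["ttls"]),
        }
        for name, s in acc.items()
    }


def is_fast_flux(stats: dict, min_ips: int = 5, min_prefixes: int = 3,
                 max_ttl: int = 300) -> bool:
    """Short TTLs and many addresses alone also describe a CDN; it is the
    spread across unrelated networks that separates flux hosting. The
    thresholds are assumptions, not values from the article."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes
            and stats["max_ttl"] <= max_ttl)


def flagged_hostnames(observations, window: int = 3600) -> list:
    """Hostnames in the capture that match the fast-flux heuristic."""
    summary = summarise(observations, window)
    return sorted(n for n, s in summary.items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in summarise(OBSERVATIONS).items():
        print(name, s, "FLUX" if is_fast_flux(s) else "ok")
```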

According to Paul Ferguson, an advanced threat researcher for security giant Trend Micro, the spam emails were sent from a different segment of the botnet than the phishing sites were hosted. The site used for phishing was just registered on Monday. Anti-phishing filters, such as the ones bundled into Opera, Firefox and IE7, have gotten pretty good at quickly adding sites to their blocked list, however, "the issue becomes how do you work to take it down and find the perpetrators," said Ferguson.

Read Ferguson's article on this incident on Trend Micro's Malware Blog.
Read the full article on Wired Blog Network.

Tuesday, January 15, 2008 5:41:20 PM (W. Europe Standard Time, UTC+01:00)

Pushdo trojan, a fairly new and prolific threat being circulated in fake "E-card" emails, is classified as a more sophisticated "downloader" trojan due to its control server. According to the analysis of Secureworks, when executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80, and pretends to be an Apache webserver. Any request that doesn't have the correct URL format will be answered with the following content:

Looking for blackjack and hookers?

The Bender Bending Rodriguez text is simply misdirection to mask the true nature of the server - if the HTTP request contains the following parameters, one or more executables will be delivered via HTTP:

[Image: Typical Pushdo Request]

The Pushdo controller is preloaded with multiple executable files; the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to prevent any one of the malware loads from infecting users located in a particular country, or to target a specific country or countries with a specific payload.

Pushdo's use of the physical hard drive serial number as an identifier not only provides a unique ID for the infected system, but can also reveal information such as whether the code is running in a virtual machine or not. This could be a way for the malware author to spy on anti-virus companies using automated tools to monitor the malware download points.

Another anti-anti-malware function of Pushdo is that it looks at the names of all running processes and compares them to a list of anti-virus and personal firewall process names. Instead of killing off these processes, however, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This enables the authors to determine, by their absence from the statistics, which anti-virus engines or firewalls are preventing the malware from running or phoning home. This way the Pushdo author doesn't have to maintain a test environment for each AV/firewall product.

Recently, an e-card email containing a newer variant of Pushdo was received. Apparently taking notice that the Bleeding Snort project had published a signature (sid 2006377) to detect the Pushdo request variables in transit, the author has now changed the request to be less fingerprintable. An example of the new request format is:

GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0
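As an added example that is not part of the Secureworks analysis or the Bleeding Snort rule, the following Python runs a simple triage check over constructed HTTP request lines for the two Pushdo check-in shapes described above: a query string carrying the "proc=" inventory and the newer hex-only request path. Apart from the hex request quoted above, the request lines, process names and length threshold are assumptions.

```python
"""Triage of HTTP request lines for the Pushdo check-in shapes described above.

Two shapes are covered: the earlier form, whose query parameters include a
"proc=" list of matched security-product process names, and the newer form,
where the whole request target is one long hex string with no parameter
names to match on. Request lines below are constructed except for the hex
one quoted in the analysis; process names and the length threshold are
assumptions for the example.
"""
import re
from urllib.parse import parse_qsl

# The request format quoted in the Secureworks analysis.
PUSHDO_HEX_PATH = ("40e800142020202057202d4443574d414c393635393438366c"
                   "0000003c66000000007600000002")

SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                        # constructed, benign
    "GET /images/logo.png?v=3 HTTP/1.1",               # constructed, benign
    "GET /?proc=antivirus.exe,firewall.exe HTTP/1.0",  # constructed: proc= inventory
    f"GET /{PUSHDO_HEX_PATH} HTTP/1.0",                # newer hex-only form
]

# A bare hex target this long has no usual place in web traffic; content-
# addressed cache keys are the main benign source, so treat hits as leads
# to confirm, not as verdicts.
HEX_ONLY_PATH = re.compile(r"^/[0-9a-fA-F]{32,}$")


def classify(request_line: str) -> list:
    """Reasons, possibly none, why one request line matches a check-in shape."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return []
    path, _, query = parts[1].partition("?")
    reasons = []
    if HEX_ONLY_PATH.match(path):
        reasons.append("hex-only path")
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "proc" in params:
        reasons.append("proc= inventory: " + params["proc"])
    return reasons


def printable_runs(hex_path: str, min_len: int = 6) -> list:
    """Decode a hex-only path and return runs of at least min_len printable
    ASCII bytes, which lets an analyst spot embedded identifiers such as the
    drive serial number the analysis says Pushdo reports."""
    data = bytes.fromhex(hex_path.lstrip("/"))
    runs, current = [], []
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(chr(b))
            continue
        if len(current) >= min_len:
            runs.append("".join(current).strip())
        current = []
    if len(current) >= min_len:
        runs.append("".join(current).strip())
    return runs


def triage(request_lines) -> dict:
    """Map each suspicious request line to its reasons (clean lines omitted)."""
    return {line: classify(line) for line in request_lines if classify(line)}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_REQUESTS).items():
        print(reasons, line)
    print(printable_runs(PUSHDO_HEX_PATH))
```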

Apparently, the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm.

Read the complete analysis on Pushdo here.
Read the blog entry detailing the trouble Sophos are having with the Pushdo trojan.

Tuesday, January 15, 2008 11:33:44 AM (W. Europe Standard Time, UTC+01:00)

A new-generation worm-botnet known as Nugache, according to Dave Dittrich, might be the most advanced worm/botnet yet. It has no C&C server to target, has bots capable of sending encrypted packets, and allows any peer on the network to suddenly become the de facto leader of the botnet. Although numerous worms, viruses, bots and Trojans over the years have had one or two of the features that Storm, Nugache, Rbot and other such programs possess, none has approached the breadth and depth of their feature sets. Rbot, with more than 100 features that users can choose from when compiling the bot, enables two different bots compiled from identical source to have nearly identical feature sets, yet look completely different to an antivirus engine.

A disturbing concern, experts say, is that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers, who are in turn using the malware not to build worldwide botnets like Storm, but to attack small slices of a certain industry, such as financial services or health care. A popular example of this is Rizo, a variant of Rbot. Like Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. "Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user's PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It's standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried."

To read the full article on Nugache, click here.
More security related news at Schneier on Security.

Tuesday, January 15, 2008 10:12:09 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, December 20, 2007

The article "Beware, botnets have your PC in their sights", by New Scientist and republished by TMCnet, provides a brief discussion of the cybersecurity situation in developing countries and how the current conditions may evolve into an enormous cybersecurity problem in the coming years. Although hackers and cybercriminals tend to attack computers in developed countries at the moment due to more stable and consistent Internet connectivity, it is foreseen that developing countries may be next in line given increasing technological developments and initiatives such as the One Laptop Per Child (OLPC) programme and Intel's low-cost Classmate computer. "If thousands of Classmates are distributed without adequate security, or if a previously unknown flaw in BitFrost, OLPC's security system, emerges, the new generation of cheap PCs will lead to problems... The ITU is assuming that attacks of this kind are a foregone conclusion and is organising a global effort to help developing countries fortify themselves against them." ITU, with its Botnet Mitigation Toolkit and Cybersecurity efforts, aims to increase international cooperation among states and provide the training and expertise needed to build CERTs in developing countries.

Read the full article here.

More information on ITU Cybersecurity related activities here.

Thursday, December 20, 2007 12:26:39 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, December 19, 2007

The OPTA Commission has imposed a fine of 1 million Euros on three Dutch enterprises, operating under the company name DollarRevenue, and their two directors, due to their unlawful installation of software on more than 22 million computers belonging to Internet users in the Netherlands and elsewhere. They primarily used misleading files, making Internet users believe that they were about to download apparently innocent files, whereas the files actually contained DollarRevenue software. "They also used botnets, thereby installing files without user intervention. Each day 60,000 installations occurred on average. A total of more than 450 million program files were illegally placed on 22 million computers." With the enterprises and their directors having deliberately contravened provisions of the Universal Service and End Users Decree [Besluit universele dienstverlening en eindgebruikers], based on the Telecommunications Act [Telecommunicatiewet] and designed to promote safe Internet usage and to protect the privacy of Internet users, fines totalling 1 million Euros were imposed.

Read the full article on the OPTA website.

Wednesday, December 19, 2007 5:14:35 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, December 18, 2007

ITU, in collaboration with the ictQATAR and Q-CERT, will be hosting a workshop 18-21 February 2008 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection (CIIP) and a Cybersecurity Forensics Workshop. The workshops will be held in Doha, Qatar.

The description of the event, draft agenda, invitation letter, and registration form for meeting participants are available on the event website.

Contact cybmail(at)itu.int with any general queries you may have related to the workshop.

Tuesday, December 18, 2007 5:33:04 PM (W. Europe Standard Time, UTC+01:00)
 Monday, December 17, 2007

A presentation on "Measuring National Cybersecurity Readiness" has been posted online today on the ITU-D ICT Applications and Cybersecurity Division (CYB) website. The presentation by Robert Shaw, head of the ICT Applications and Cybersecurity division, provides background information and resources on cybersecurity, information on related ITU-D activities and initiatives, and other relevant activities. For more information on CYB's activities involving cybersecurity, visit the division website.

Monday, December 17, 2007 5:25:52 PM (W. Europe Standard Time, UTC+01:00)
 Friday, December 14, 2007

According to McAfee, the website of the French Embassy in Libya is currently under attack through IFRAME injection. With the visit by Libyan President Muammar Khadafi to the country, controversy is stirring up, which has apparently triggered interest among the people behind the attack. The iframe routes the victim to sites hosted through a Hong Kong provider, which then redirect the victim to Russia and Ukraine, where exploits and downloaders are used (Exploit-YIMCAM and Downloader-AUD). McAfee warns people not to attempt reaching the site as it is still dangerous.

For more information, visit the McAfee Blog.

Friday, December 14, 2007 10:12:11 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, December 13, 2007

The International Telecommunication Union (ITU) highlighted the role played by information and communication technologies (ICTs) as both a cause and a potential cure for climate change at the UN Conference on Climate Change in Bali, Indonesia, on 12 December.

ICTs can be used for remote monitoring of climate change and the gathering of crucial scientific data such as using telemetry or remote sensing by satellite. Smart and emerging technologies can be integrated into energy-efficient products, notably in next-generation networks (NGN) where ITU's Standardization sector (ITU-T) is carrying out vital specialized work.

Activities at the ITU's Development Sector (ITU-D) refer to promoting a role for information and communications technologies in the protection of the environment, together with partners from other international organizations and the industry. ITU-D also provides assistance to developing countries in emergency telecommunications as well as in the area of e-waste.

At the UN Conference, ITU raised awareness of the standby modes of ICT equipment such as computers and PC screens, DVD players, TVs and battery chargers, which place a burden on energy consumption. "Always-on" services, like broadband or mobile phones on standby, have increased energy consumption compared with fixed-line telephones, which do not require an independent power source.

ITU underlined an active commitment to promote the use of ICTs as a positive force to reduce greenhouse emissions and to find ways to mitigate the effects of climate change. In this regard, ITU can support and facilitate scientific studies aimed at implementation of new measures against the negative effects of climate change. As part of a unified effort of the UN system, ITU can contribute in its areas of expertise to support Member States and to foster partnerships with the private sector to develop more energy-efficient technologies.

For more information, click here.

Thursday, December 13, 2007 12:59:57 PM (W. Europe Standard Time, UTC+01:00)