Spyware for Corporate Espionage

therufus writes "Late in July, an e-mail that hit employee in-boxes at a British credit card and finance company carried a secret payload--spyware capable of recording confidential corporate data and sending it over the Net."

Here is an idea.

[Omni+Magnus]

Don't open Emails that you have no clue who they came from. This is just common sense.

Re:Here is an idea.

[binaryDigit]

Don't open Emails that you have no clue who they came from. This is just common sense.

That line of defense fails when only 1 person forgets this fact (or as a permutation of the following) and the "virus/worm" spreads itself by having the from address of the newly infected person. Plus, it doesn't take a lot of effort to find out who the IT or some other higher up in a company is and use their name as the sender of the email.

Stop Spyware at the Source

[Ridgelift]

Dubbed the Consortium Of Anti-Spyware Technology Vendors and led by the creators of the popular Ad-Aware and Pest Patrol software programs, the group is trying to create standard definitions of "spyware," "adware" and other pests, and give best-practices recommendations to the companies that want to avoid being blocked by their software.(emphasis added)

Once again, the main technical problem lies with Windows. Spyware is just another form of malware, which takes advantage of defects in the operating system to gain access.

I would hope that the Consortium Of Anti-Spyware Technology Vendors would promote Linux, Mac and other operating systems that are better equipped to rebuff malware attacks.

Re:Stop Spyware at the Source

[Evil+Adrian]

Funny. Microsoft is to blame for spyware issues, but Kazaa, et. al. aren't the problem when it comes to piracy.

Love the double standard. LOVE IT.

Re:Stop Spyware at the Source

[Hub_City]

No double standard. Kazaa does exactly what it says it's going to do. Microsoft's platform has a whole bunch of unexpected (and harmful) side effects.

If Kazaa started infecting people with viral code (outside of the spyware we all *know* it ships with) and people turned a blind eye, *then* there'd be a double standard.

-HubCity

Is anyone surprised?

[blankinthefill]

I'm not. This is the logical conclusion (Or beginning) to the "virus age" that we've been experiencing. And I think the articale is wrong in some respects, like their thinking that the script kiddies and such are long gone. They are still here, and are having nore effect than ever as they modify already dangerous viruses, making it harder to block and stop them. And tell me, when has broad ranging legislation really helped anyone? Untill it's proven effective, I will remain wary of anything of the sort.

Re:Is anyone surprised?

[Shakrai]

And tell me, when has broad ranging legislation really helped anyone?

I don't see legislation being very effective at all. How will legislation stop the script kiddies? Are you going to drastically increase the punishments for releasing a virus into the wild? Two problems with that:

1) Should somebody really be sent up the hill for 20-30 years for releasing a computer virus? Moreso if it's a stupid kid that really ought to know better, but doesn't? (We all did stupid stuff as kids) At worst the punishment should fit the crime -- if the virus kills someone in a Hospital because it locked up the database server and they couldn't pull medical records and the patient had some sort of allergic reaction (or what not), then you could charge the kiddie (assuming you even catch him -- see point 2) with manslaughter or the equivalent. If all the virus does is annoy people and eat up bandwidth, does he really deserve to go away for the next 30 years?

2) How often are the actual authors behind viruses/worms caught anyway?

I guess my point as far as the "punish those rat bastards" idea goes is that it would probably be better to enforce existing laws rather then write new ones. Do we really trust Congress (home to such wonderful ideas as the DMCA, the Patriot Act, etc etc) to not screw this up?

As far as I see it, the solution is as it has always been. Security. A properly designed network with properly maintained/patched software and reasonably educated users is a pretty tough nut to crack. And as much as I dislike Microsoft I do have to admit that in the recent cases that gained fame (Blaster comes to mind) they did have patches out. People just ignored them. The home user has an excuse... the corporate user with a trained IT staff has none. Linux is hardly immune to this effect either -- if a flaw is discovered in OpenSSH, sendmail, or BIND, and you don't upgrade/patch it, you have nobody to blame but yourself when you get hosed. Saying you didn't know about the patch is a piss poor excuse -- it's your job to know.

Of course the problem is getting those reasonably educated users and (if you work for a larger company) stopping the PHBs from interfering with your attempts to lock down the network. It's usually been my experience however that after a few rounds of viruses that rip apart the network and cost the company tons of money to deal with, the PHBs will start to listen to the IT staff. Of course, if the IT staff does too good of a job they may stop listening -- but that's the danger you face when working under a PHB. Fortunately I don't have to work for a clueless CTO or PHB -- but I have in the past, and I always managed to do a fairly good job at protecting them from themselves.

Questions...

[frodo+from+middle+ea]

Pardon my ignorance, but...

• What kind of stupid sys-admin allows .vbs, .js , .exe, .sws attachements thru the corporate email ?
• What kind of idiot sys-admin would allow the corporate users , to run their PCs with admin previleges , so that any unwanted junk s/w be installed on their PCs ?
• Which genius allows unrestricted access to confidential corporate data to its users ?
• Why do the corporate firewalls not block out-bound traffic to all ports but a select few HTTP/SSL ect ?

Re:Questions...

[jdreed1024]

What kind of stupid sys-admin allows .vbs, .js , .exe, .sws attachements thru the corporate email ?

The sys-admin who is told by the CEO to remove the e-mail blocks, because someone wants to e-mail him a self-extracing zip file (.exe).

What kind of idiot sys-admin would allow the corporate users , to run their PCs with admin previleges , so that any unwanted junk s/w be installed on their PCs ?

The sys-admin who gets in trouble when he yelled at Bobby the Intern (who happens to be the CTO's nephew) for installing Kazaa on his machine. Ditto for the sys-admin who was told to turn the PHB's account into an Administrator account so he could install MS Entertainment Pack.

Which genius allows unrestricted access to confidential corporate data to its users ?

The genius who tried to secure the confidential corporate data with X.509 certificates and/or passwords, but was then told to remove them, because the VIPs were complaining about having to remember too many passwords.

Why do the corporate firewalls not block out-bound traffic to all ports but a select few HTTP/SSL ect ?

Because then the PHB can't use AIM to chat with his friends.

Seriously, I worked as a sys-admin in an environment like this. You wouldn't believe the number of safety procedures that the CEO/CTO/PHB wanted to circumvent to make life easier for themselves. Unless you have a CTO who understands security and will stand up to the rest of the VIPs, you're doomed. Completely and utterly doomed.

I attempted to implement the passwd changing program with cracklib support to prevent users from picking stupid passwords. That lasted about a week before I was told to take it away.

There was a brief period of time where we went around and killed off IE on the desktop machines, because there were too many damn vulnerabilities. That lasted about 2 weeks before the CEO told us that the researchers couldn't use "this Netscape thing".

Repeat for many other events. Bottom line is anyone who is not a sys-admin knows two things: routine and usability. However, implementing propert security requires changing at least one of those, if not both. And therein lies the problem.

Re:Questions...

[Shakrai]

It is your responsibility as a sys admin NOT to do so, up to and including resigning your post

Actually your responsibility is to your family who might starve if you resign your post and can't get another job (all the moreso in our economy).

Sorry, but I took a bullet for an employer in the past and it got me nothing but a pink slip and a "Thank you for your loyalty" when layoff time rolled around. They also left me out hanging to defend myself when the shit started to hit the fan.

If a company tells me to do something stupid (as long as it isn't illegal) regardless of what I say, then I'm going to do it. I'll make sure I have a paper trail to cover my own ass (either within the company or without if it breaks down into some sort of outside audit/investigation), but I'm not going to resign to and go broke to defend a company that wouldn't listen to me in the first place. Even if you did resign, they'd just go hire somebody else who would do what they wanted.

Fortunately I work for a small Independent company without any PHBs who make me do stupid stuff. Should I ever have the misfortune to work for a PHB again though, I will not be taking bullets for him or the company.

Re:Questions...

[jc42]

If there isn't a browser window up and visible on the screen (software CAN detect this), why should it allow ANY 443 or 80 traffic through ?

So you would, for example, block all attempts to use the lynx browser (which runs in a terminal window)? Be a bit careful about answering, because in a lot of jurisdictions, there can be serious fine for knowingly discriminating against the visually impaired.

And, on a more general basis, port 80 is used by a lot of software other than browsers. If a file my app needs to use is available via some centralized web archive, why shouldn't my app be allowed to get at the data? It's easy enough to code. Just a TCP connection to port 80 on the archive machine, and an HTTP "GET" command. I've worked on any number of projects where data is provided across the whole LAN this way, because it's simple and convenient. This presents no danger at all of any spyware being installed and run.

Some time back, I got a lot of geek points on a project by writing a makefile entry that created a particular .h file by using wget to fetch the latest copy of a particular man page from a standard org's web site, and feeding it to a little perl program. This program grovelled through the text, built #defines and C structs from data that it found, and wrote the .h file. "What, your program reads a man page and generates C?" "Well, yeah; you got a problem with that?"

Remember that the original function of the Web was for physicists who wanted to make their data files easily available to software on machines scattered around the Net. Browsers were added later. But the Web isn't only for browsers.

And on a lot of server machines, the windowing software isn't even installed, because there's no display. Requiring an open browser window would prevent any use of any Web software on such machines.

I for one wouldn't want to do without lynx and wget. And they are not sources of the sort of spyware being discussed here. Blocking their use wouldn't solve the problem at all.

Re:Strong Policy Required

[Gordonjcp]

What does UV light do to hard disks? Last time I looked, aluminium castings and pressed aluminium were pretty much UV-opaque. And, the oxide layers on the platters aren't UV sensitive either.

Re:Here's our nightmare scenario in the military..

[darkstar949]

I second that, it would not be too hard to either write the key logger or the logic bomb - for that matter it would not nessecary need to destroy the entire program, just anything that can be used to track back to the oginator. The biggest problem in preventing something such would be to control the vectors through which it could be introduced to the network (i.e. Users running e-mail attactments), because once the program is on the network the damage has been done.

BS !!

[AftanGustur]

Don't open Emails that you have no clue who they came from. This is just common sense

Come one, grow up, we're no longer 6 years old and there is no good reason why we should be forced to live in fear of our emails !!

If a email can do all kinds of bad stuff to your computer, it is the fault of the one who wrote the email software, period..

Don't try to blame the victim because he was simply using the software for what is it supposed to do ...

Re: BS !!

[Guido+von+Guido]

Sure the virus writers are ultimately to blame. In terms of what you actually have control over, however, the email software is the big culprit.

You can't control virus writers. You can't prevent unknown parties from targeting your network.

You can, however, institute safeguards on your network. You can use an email client which is a well-known vector for worms. You can make it impossible for your users to accidentally execute an email worm. These things are under your control.

Not that any of these things are easy, of course, especially if your users are addicted to Outlook.

Re:Sneaks

[Tuxedo+Jack]

Yes, it's becoming vaguely "Star Wars"-ish. Darth Gator versus PepiMK Skywalker... oy, there's something I never wanted to see. However, at the school district where I work, we're coming up with an interesting method of combating spyware: lawsuits against the companies. Since the spyware is often found on elementary school computers, and it's children who download it, the technical staff has considered lawsuits. IANAL, but it goes something like this: the children are obviously minors, and when they click the EULA for installing an ActiveX control or someone goes through the ByteVerify exploit, they do not create a legally binding contract, and as it's an elementary school, the advertisers are very obviously collecting data on people under 13, which violates the COPA. Hence, we sue. It made sense to the legal department, and they're now trying to take out Rightfinder and CoolWebSearch. Also, since the CWS group of spyware can be classified as Trojan horses/virii, aren't they in violation of some obscure section of the USC? I'd _swear_ that they were.

This happens quite a lot

[nodwick]

There's an article in Dvorak's column in this month's PC Magazine (near the middle) describing how a day trader used a key logger to steal someone's brokerage password via a similar scheme. From the article:

Using an alias, Dinh began prowling around in an online stock-chat forum, until he got the e-mail addresses of some of the traders. Using yet another alias, he then e-mailed these folks the key-logging backdoor, claiming in a long letter that he was beta-testing a new stock-charting software system and wondering whether they could help.

Apparently, one unsuspecting sucker executed the software and wasn't suspicious when it didn't really do anything. Now Dinh had a backdoor and simply key-logged until he found the guy's online brokerage information and password. He could buy and sell from the guy's account.

Apparently he used the other account as a dump for derivatives that he needed to offload quickly. Of course the person in the story should obviously have been more careful about clicking on attachments, but one lesson here is that as people become increasingly wired, the value of logins and passwords is becoming high enough that stealing those is as valuable or more than credit card numbers. This is especially true if you think about how much you can do financially online -- many people use the Internet almost exclusively for bill payments, stock transactions, money transfers, etc.

Don't fear the kiddies....

[ajs]

As a sysadmin that has been dealing with security issues in financial and other corporate settings for well over a decade, I can tell you that the fear-factor on kiddies with their viruses starts to fade over time. However, what I've noticed happening is that people are coming to accept these relatively benign viruses, root-kits, etc as a fact of life, and they seem to be forgetting that where kiddie-hack-of-the-week can succede there WILL ALWAYS BE a small, but worrisome number of clueful people exploiting the opening.

Most often those people are insiders, so you have the added worry that things like firewalls are useless (do you sniff email for viruses on internal mail? do you have unpatched servers that only intenal users have access to?), and they may be able to convince others that you think you can trust to look the other way.

Security is one of those ugly balancing acts. Ultimately, it's a losing game because once a determined cracker with a clue sets their sights on you, you're done for. No amount of security is sufficient... really (yes, even a gasketted vault with armed guards CAN be cracked). The key is risk-vs-reward and always trying to make sure that some poor clueless bastard out there is an easier target than you.

Big Deal

The only thing that's news here is that someone caught it. God knows how much information is redistributed / modified this way (there are at least a dozen similar methods I can think of personally that any self-respecting spy, corporate or otherwise, must be using). That this one was caught just shows that people that aren't professionals are getting into the game.

I have the pessimistic view that anything you know that someone else knows must be public knowledge (certainly to any member of the public that cares to know). The trick is, if you know they know, how do minimize the damage from the notions of a "secret" or "confidentiality" becoming extinct?

God forbid we do develop telepathy like some sci-fi prophesied evolutionary advance.

idiots always open attachments...

[gamlidek]

*Yawn* So what? Idiots will always open email attachments from unknown recipients and ultimately execute some sort of hidden code on their machine mainly because they can't figure out how to turn that stuff off or stop clicking on everything they see. I'd love to blame M$ here, but it really is the techno-weenies that do it to themselves by pretending they know how to use a computer, yet no matter how many times they're told "don't open attachments" they do it anyway. I love it when the email software is set up to autoexecute this stuff by default so they don't even know about it. RTFM, people!

-gam

Re:Here's our nightmare scenario in the military..

[zeux]

China has opted to bet the farm on Linux after seeing the Windows Source Code.

I think that China choose Linux not because of Windows source code but because Windows is the product of an American company.

But maybe I'm wrong.

Re:Here's our nightmare scenario in the military..

[Hentai]

The advantage of completely wiping the key logger is that if you destroy the evidence that they've been hacked, they'll never raise their suspicions, and you're much more likely to get away with whatever you're going to use those passwords for.

Otherwise some administrator browses through someone's machine two months later, trying to figure out why it's so slow, and says "oh, shit..." - and then security clamps down like a {pick useful crude metaphor here}. It's far easier to slip in when noone's the wiser.

Re:Here's our nightmare scenario in the military..

[mc6809e]

We have had network problems in the past. China has opted to bet the farm on Linux after seeing the Windows Source Code.

Even worse, maybe China never intended to use Windows but just wanted the source so that they might discover more vulnerabilities.

Re:Here's our nightmare scenario in the military..

[babyrat]

I disagree...it is MUCH better to have the entire program destroyed and no trace left whatsoever that the key logger/trojan/whatever you want to call it was there. That way a post mortem could not determine whether a specific machine was compromised.

What would be scarier to you if you were in charge of machines with valuable data on them - a warning that said there was a potential breach, and check here, here and here to see if you were affected, or a warning that said there was a potential breach, however there is no way to determine whether you were affected or not? The latter situation certainly sounds scarier to me (if I acutally had anything that mattered on my PC)

I have the solution!

[gillbates]

to the MS Outlook virus-propagation problem.

It's simple - create an Outlook virus which emails a Windows activation-code cracking program to everyone in the victim's address book. Then the virus would redirect the user to the warez sites where they could download "free" copies of Windows.

I can just about guarantee that Microsoft would have a patch within days, if not hours. After that, auto-execute for email attachments would be a thing of the past.

Re:Here's our nightmare scenario in the military..

[cayenne8]

Send your stolen information encrypted to a USENET group, and pick it up there. No connection traceable that way. And no one but you can read it. And out of the millions of messages...who else would know were to find it. Especially if you bounced it through some nym servers or mixmaster servers around the world a few times.