Web Browsers Under Siege From Organized Crime
An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"
Are they saying that antispyware software misses 80% of the spyware?
Okay, I admit I have not (yet) read the article, but experience tells me that 80% likely involves IE at 90 percent or better.
Ignorance is curable, stupid is forever.
It seems to me that the moment that organized crime found a way to make money off security vulnerabilities (Spam, ID theft, Ransomware, etc...) the writing was pretty much on the wall (though I'm still trying to figure out what it says). It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.
Welcome to the wild, wild net.
The Digital Sorceress
Then why do I feel like it is so old and obvious that it needs a 'duh' tag?
Experience teaches only the teachable. -AH
Don't kid yourself. It's not that organized. --Cosmo
Why not plug it?
Beer is proof that God loves us and wants us to be happy.
Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up (as it has been in the past 10 years) but detection is getting worse.
A Human Right
Over the past 4 weeks I've noticed a rash of almost hourly attempted break-ins to our servers.
Here's a sample:
ftp attempts for 5 hours straight:
::ffff:82.186.102.42 [::ffff:82.186.102.42] to ::ffff:192.168.10.26:21
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded
ssh attempts almost constant since last Friday:
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith
When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in English, sometimes Japanese or Chinese. Does anyone know of someone that keeps track of these things, so I can send my logfiles to them?
Karma Whoring for Fun and Profit.
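As an added example (not from the poster), the following Python script parses proftpd and sshd lines of the kind quoted above, joins the sshd PAM lines that belong to one PID so the source address can be tied to the user name tried, and flags any source that sweeps several accounts within a short window. The sample log is constructed from the quoted lines plus a few assumed extra attempts; syslog lines carry no year, so 2008 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the proftpd/sshd lines quoted in the post; the
# 'admin', 'test', 'oracle' attempts and the 10.0.0.5 line are assumed extras.
SAMPLE_LOG = """\
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from
Feb 12 10:27:05 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'admin'
Feb 12 10:27:09 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'test'
Feb 12 14:02:51 localhost proftpd[25102]: localhost.localdomain (::ffff:10.0.0.5[::ffff:10.0.0.5]) - no such user 'guest'
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith
Feb 11 01:37:12 localhost sshd[13960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:12 localhost sshd[13960]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Feb 11 01:37:18 localhost sshd[13971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:18 localhost sshd[13971]: pam_succeed_if(sshd:auth): error retrieving information about user test
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")  # syslog prefix
FTP_SRC_RE = re.compile(r"\((?:::ffff:)?([\d.]+)\[")  # strips the IPv4-mapped ::ffff: prefix
FTP_USER_RE = re.compile(r"no such user '([^']+)'")   # exactly one such line per attempt
SSH_FAIL_RE = re.compile(r"authentication failure;.*\brhost=([\d.]+)")
SSH_USER_RE = re.compile(r"error retrieving information about user (\S+)")

def summarize(log_text, year=2008):
    """Per source IP: services hit, user names tried and failure timestamps (year is assumed)."""
    stats = defaultdict(lambda: {"services": set(), "users": set(), "times": []})
    pending = {}  # sshd pid -> (time, ip): the user name arrives on a later PAM line
    def record(ts, ip, service, user):
        stats[ip]["services"].add(service)
        stats[ip]["users"].add(user)
        stats[ip]["times"].append(ts)
    for m in filter(None, map(TS_RE.match, log_text.splitlines())):  # skip non-syslog lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        service, pid, msg = m.group(2), m.group(3), m.group(4)
        if service == "proftpd":
            src, user = FTP_SRC_RE.search(msg), FTP_USER_RE.search(msg)
            if src and user:  # the 'USER x: no such user found' echo is ignored, so no double count
                record(ts, src.group(1), "ftp", user.group(1))
        elif service == "sshd":
            fail = SSH_FAIL_RE.search(msg)
            if fail:
                pending[pid] = (ts, fail.group(1))
            else:
                user = SSH_USER_RE.search(msg)
                if user and pid in pending:
                    record(*pending.pop(pid), "ssh", user.group(1))
    return dict(stats)

def max_in_window(times, window_seconds):
    """Most events that fall inside any single window of the given length (sliding window)."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_bruteforce(stats, min_attempts=3, window_seconds=300):
    """Sources with min_attempts or more failures inside one window, sorted for stable output."""
    return sorted(ip for ip, s in stats.items()
                  if max_in_window(s["times"], window_seconds) >= min_attempts)
```

Run against the sample, `flag_bruteforce(summarize(SAMPLE_LOG))` names the two sweeping sources and leaves the single 10.0.0.5 failure alone; the per-IP `users` sets are what you would hand to whoever collects such reports.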
...It begs the question "how am I funny to you?"
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
We've seen what kind of profits spam brings in. I wonder how profitable this is.
Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/. It's claimed by a group that be like this. That address used to be shareaza's main site, and it is easy for many to not know to go to http://shareaza.sourceforge.net/ for the new updates.
Here is the link to the source : http://www.iss.net/x-force_report_images/2008/index.html/
I didn't know IBM hired Rob Liefeld. Did they put Cable in charge of the investigation?
Organized crime, huh? When they hit your browser, does the screen just go black?
The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.
What happens if your employer loses a laptop with your SSN, name, etc on it?
Eventually, the criminals are just going to start building a database with whatever information they can find.
Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.
You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.
Be a shame if sumfin' were to happen to it, like.
Kinda leads to interesting thoughts...perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods, in the interest of keeping that sort of thing away from our systems.
:-/
I know I'm probably going to have to make another scan of my landlady's computer...she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT"
In Xanadu did Kubla Khan
A stately pleasure dome decree
The wall has two words on it: DITCH WINDOWS.
Care about electronic freedom? Consider donating to the EFF!
5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?
And what personal information is it? To extend the old saying "If it is on the internet, it is public": well, *all* information you store on the computer that you access the internet from suffers from this lack of security.
A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet. This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.
But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shut down outgoing ports/services on Linux than on Windows.
As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.
Support the 30 Hour Work Week!!!
I've been saying this for years now: antivirus and firewalls cannot protect from sophisticated attacks.
There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]
Nobody wants to hear this. I'm not exactly sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.
It's just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignant code to survive.
Hand me your cache!
(Sorry - for humor I go for quantity, not quality.)
He's getting rather old, but he's a good mouse.
I did read the actual report, all 56 pages of it. As usual, Windows' total lack of security guarantees that any random blackhat with a minimum of skill can exploit it. Go ahead and mod me Troll again, you lameass Microsoft-fanboi moderators, but it won't change what the report says: Windows is the problem.
we will end no whine before its time
"In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007."
If they're going to hose my Windows boxen and install spurious applications of dubious intent, I find that I prefer if they camouflage their attempts so as not to bother me with constant popups from the system tray telling me to install their spyware to get rid of spyware.
No it doesn't.
http://en.wikipedia.org/wiki/Begging_the_question
Well, start small, anyway. The bank can afford to make itself secure, but if every computer in the neighbourhood is sending out Russian viagra ads, your bandwidth will suffer--so doing some basic cleaning and firewalling will benefit you bandwidthwise.
;-p
Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection...
Come to think of it...does anyone know of any successful examples of a "co-op" pseudo-ISP like that that already exists?
You have injured my soul with your foul racist muddy I am not a trole I am a humane beng. I hope that sxom day GOD will FORGAVE YOUI meanpresoin!!!!!!! :(
Is that all our resident NASA 'genius' has to say on the subject? Here I've got a research proposal you could use. Make sure you pass it around all the good colleges in the States: GET A JOB. Expand on it with as much waffle as you like (tip: I hear McDonald's is looking for some burger flippers in your area).
Well we use Firefox, ya hear? And you're gonna start usin' it too, or Vinnie here's gonna make you sleep with the fishes, see
That particular domain was basically taken over by the recording industry (the real story is longer), although I guess one could say that's organised crime too.
I've been saying since 1967 that if something is important, it should be in pen and paper, with NO electronics either necessary to access or modify it or which makes it POSSIBLE to access or modify it without a human physically turning the pages or moving the pen.
Yeah, I never did get in on upstart companies like MicroSoft, but I never went wrong with Wheat futures either, so your mileage may vary....
...after all, it was only a matter of time once rootkit source code was published for anyone to grab. From that time onwards, true stealth malware was possible to create without needing to be a security researcher. Combine the ease of integrating someone else's rootkit code into a payload with a vigorous open market for Windows vulnerability information ($25,000 gets you a brand new zero-day exploit) and you reach the situation we have today.
Some people believe the largest botnets out there are ones built with the Storm Worm or other similar exploits. My bet would be that there are plenty larger out there, undetectable because they hide behind rootkits and don't do stupid stuff like turn the box into a spam cannon. And for people who think that the C&C (Command and Control) would be detected, think again: if a rootkit can conceal a file then it can also conceal a process, a named pipe, an interrupt handler, you name it.
The web is not just HTML at this point. Both QuickTime and RealPlayer have had notable exploits in the past few months. Acrobat and Flash have had major security holes as well. Just relying on the fact that you're using Firefox doesn't mean that you're not vulnerable.
How many ROM slots am I supposed to have on my desktop machine? Three, maybe four? So, let's see, I can listen to music, browse the web, have a chat program open, and if I've got a sweet computer, I can also use my calculator application! If I can find all the cartridges on my desk!
Software updates (er, hardware updates?) can now only be obtained conveniently at your nearest MicroCenter or Fry's. F/OSS software^Whardware^Wsecure-read-only-executable updates can be easily obtained by mailing a SAS, padded envelope to the appropriate developer (who now needs a commercial source of ROMs, and a machine to print them, along with the time to do so), who will happily mail you back your ROM just as soon as he or she gets around to it, for a small fee to cover the cost of the media (oops, I guess it's just OSS now!). Old copies of softw^Whardwa^Wwhatever can be conveniently recycled at almost no cost to the user by returning them to the developer.
Do embedded video players count as "executable code"? Congratulations, YouTube is now NetFlix. Welcome back, text-only Web pages. Goodbye, everything that makes the Web useful and interesting.
And you don't understand why nobody thinks it's a good idea?
Hmmm... Your ideas intrigue me and I'd like to subscribe to your newsletter. But, the only implementations I know of were at a municipal level rather than a neighborhood organization.
... secure your web browser. Many browsers are not secure out of the box, which puts you at risk of attack.
If you had one house in the neighbourhood that could get a fibre connection, you could hook up a router, put wireless access points in the various houses, and route the traffic that way.
Or do it wired, o'course, but that might be a bit more complicated, and probably really would only be practical for an apartment building.
all this hacking of software supposedly developed by professionals is unacceptable. it wasn't like that when we had MVS and RACF.
the fundamental error in thinking is that documents are executable and that we do system updates on the fly
that entire concept needs to go in the junk bin
if you want me to update my system send me a zip
and make sure the enclosed programming is signed
NO SIGNATURE? NO EXECUTE.
>>Web Browsers Under Siege From Organized Crime
Why is this news? I thought the knowledge of M$s entry into the browser market with IE was so 90's.
oops... never mind
Now that Moe Green is out of the Tropicana, what else would we expect them to do?
"Joke" is to "Anonymous Coward" as "Anvil" is to...
A) Hammer
B) Forged Steel
C) Wile E. Coyote...
Bow-ties are cool.
Consider this hypothetical situation: I'm running Windows XP with no firewall and no antivirus. I'm on broadband and my ADSL modem/router does NAT with no port-forwarding rules set up. I'm fully patched and run out-of-the-box Firefox. I don't run executables from untrusted sources, I understand how to treat email attachments, and I'm smart enough not to get caught by phishing.
How vulnerable am I? How likely is it that I will get compromised?
Does the answer change if I'm running fully-patched IE7?
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Just a little observation having read part of the article - Is a Microsoft Tuesday more vulnerable for having the vulnerabilities announced or maybe because more are introduced?
blackmail and scammers gaining more and more power until we remove the ability of malignant code to survive
And therein lies the problem. Who decides what is malignant and what is not?
If we implement the "hard coded" solution you propose, then by default, we give ALL of the coding power to the companies that do that hard coding. Talk about lock-in! But if you leave it "open" and allow amateurs' programs to run, then you have the malignancy problem you mention. The whole problem is that we do not have an automated way to determine "good" code from "bad" code. And that's not going to change because it is a subjective assessment.
Classic catch-22. Your most hated rootkit is my most prized Administrative tool. So who is right?
In turn this could fuel a new breed of cyber "bounty hunter" who could hunt down and physically sanction the criminals (nothing to do with the law of course); even ones presently behind bars could be made an example of. /. article on the first moron to "sleep with the phishes".
It could fall under the concept of avocation or even sport.
Hey, if you can think of it, someone will do it. (LOL, now we're all thinkin' it, so let's give it some energy and watch for that
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
IBM X-Force == ISS == lame ex-blackhats who couldn't make it as criminals.
QuickTime, Real Player, Acrobat, Flash, etc., etc., are all technologies that most people experience inside their browser. They're all just more stuff you need to download to get your browser to work. If the web was just HTML, it would be pretty boring. And Slashdot wouldn't exist.
-- Slashdot: When Public Access TV Says "No"
Symantec Guide to Home Internet Security. You can get it from Amazon.
/. I'm on every day
I think everyone should read at least something on this topic and this little guide is a good place to start.
One thing we are not thinking about: in addition to what we are losing in cash to these [] thugs, how much are we losing in time and money and computer time on various preventions?
Hacking is a problem that we need to put an end to. Most hacking works by getting un-authorized programs onto our computers, which is why I say we need to DELETE the CAPABILITY of putting out executables on the fly as is done now.
I'm running STOPzilla and it just put an adware module named Vundo.F off my machine -- right after I loaded the latest updates from STOPzilla.
at an absolute minimum turn on the firewall that comes with XP (It's on by default )
what the firewall does is prevent random remote computers from opening connections into your system. The XP firewall is inbound only, but a better ZoneAlarm will stop unauthorized outbound connections as well. This is important as it is a good way of knowing if you have a "BOT" running in your system that might be reporting in to some remote computer you don't know about, but which might want to send your computer orders to start sending out spam or some other ILLEGAL activity
anyone wanting to chat -- contact me over
There is no longer an easy way to protect yourself, since using an all cash system is impractical these days. Otherwise, I'd suggest just using all cash ;)
This is organized crime we're dealing with here. When you piss them off they'll send some hired goons around to your house to rearrange your finances.
Genesis 1:32 And God typed
I know of one, in Helsinki. Volunteer run non-profit association. Provides connectivity to individual houses and apartments around the area. I've been thinking of such an effort in my parts. It does require a bunch of tech-oriented people to keep it running.
I'm sorry if I haven't offended anyone
"Windows is the problem" - by EllynGeek (824747) on Tuesday February 12, @02:03PM (#22395338) Now, if you THINK Linux (or, even BSD, which recently showed up a security vulnerability that yields ROOT access privileges mind you, yesterday) is "as secure as can be"?
... again, "wake up", start thinking FOR YOURSELF, instead of "reading & listening to the hype" out there, especially from the "Pro-*NIX" crowd online (which hugely congregates here @ /. no less)!
You are in for a RUDE AWAKENING... in fact, take a peek @ this:
HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA - and, make it "fun" to do, via CIS Tool guidance:
http://forums.pcpitstop.com/index.php?s=5eb84a7566b0d26f285c22533a1660af&showtopic=150310
There, you will see quantified evidence of the DEFAULT SECURITY SETUPS of both Linux, and Windows XP &/or Server 2003!
(... & later see what they CAN/COULD be, out-of-the-box, hardened beyond their default policies (inclusive of SELinux bearing distros like Ubuntu, etc. as well)).
Oh, also: Windows is used more, it has no "security-by-obscurity" going for it, as does MacOS X, & other BSD variants, as well as Linux!
(Face it, this is truth - For example, were you a hacker/cracker, out to make money via phishing, email, or browser hijack? Wouldn't YOU target the "biggest mass" you could find?? That is Windows, period, as it runs on 95% of the world's systems from home users all the way up to Industrial Strength server environs!)
The MAIN problem today? It's not so much the OS' though!
It's the apps riding on them, this is what hacker/cracker types are focusing on now, because they have to - the OS' are fairly secured now, less & less holes show up period... & the more that get patched? The less of them there is @ the OS level... so, what to attack? Apps. Office suites, browsers, etc. et al.
Especially browsers!
See here for "proof" of my words:
http://it.slashdot.org/article.pl?sid=08/02/12/175213
Well well: That's THIS VERY TOPIC @ SLASHDOT no less! Want to have a more secure browser? Turn off IFrames, Java, Javascript usage on "all sites" & restrict it to those you only NEED to have it on, that demand it, for full functionality.
Ah, what's the use: I feel like Good Will Hunting, when he utterly shoots down the pompous fool picking on his pal in the pub, because he is MILES above the dolt on all levels, period.
Haha, really "funny" - well, in reply? There is NO DOUBT you're just another fool who spends his time on slashdot ALL DAY, instead of making money on a job, which is typical of "Linux Penguin fanboys" - your OS platform? Just does NOT have the sheer surface area & volume of usage that Windows NT-based OS' of today have, & thus, less job possibilities!
Keep working on your "forever behind the hardware support curve" & just as vulnerable as Windows Linux rigs... ok?? LOL...