Washingtonpost.com is running an interesting story about how SANS is really the only major player in the security community that is making any noise about this.
...(snip..)
..."But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks.
Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."
Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."
All of this may seem like an academic debate to those who claim to have been victimized by these attacks.
On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.
"I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.
John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.
In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.
Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)
"People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."
I have imaged the initial install of my Windows XP PC using a Norton-Ghost like product called Acronis Backup for the past year now. I've used it to reinstall the OS and a standard suite of my favorite apps twice now in the past year.
I can see this development forcing people who are using pirated versions of Windows to purchase a backup solution that allows them to image their current setup in case they need to reinstall somewhere down the road. I can honestly say that it has been a worthwhile investment.
I am reminded of the Witty Worm, which wrecked thousands of hard drives by seeking out PCs that were supposedly protected by Internet Security Systems' firewall products. The company had released a patch for its consumer products less than 24 hours before the attack was sprung.
If that's not proof enough that companies tend to patch only AFTER their products are directly threatened, I don't know what is.
Seems like the author gets at this point with the following observation, which cites "automated" programs, a.k.a. "bots":
Members of Spitzner's Honeynet Project spent several weeks studying IRC activity. The project found that the verified credit data appears to be automated by a program that is drawing information from e-commerce sites whose credit card records have been compromised. Thieves also can check the validity of a credit card by creating fake merchant accounts, services that legitimate businesses use to verify an account with the bank that issued the credit card.
You are right in suggesting that banks and e-commerce companies need to step up and require their customers to jump through at least one more hoop to verify their identity when transacting online.
But it is painfully clear that the amount of money the banks are losing from this type of fraud does not come close to what the banks figure it would cost - both in terms of actual costs and opportunity costs of those who just decide online commerce and e-banking (a big savings for the banks) has gotten too complex for them - to implement some sort of identity token system.
Until that equation changes, my guess is you won't see the banks doing anything different.
The story suggests the scammers are just as busy scamming each other. My favorite quote:
Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.
But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers.
"As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."
Re:Knowing is half the battle · on Gone Phishing? · Score: 1
Education is only part of the solution. You can educate people till you're blue in the face, but thousands of new internet users go online for the first time each day.
No, the real solution is mainly technological: the banks need to implement some kind of physical security for online banking. While you might say most people don't need smart cards or one-time access tokens, the fact is that it's what's necessary for both parties to be more sure that the person logging on to an account is who they say they are.
The fact is, the banks know this, but more than any other company they know their shareholders are keen on ROI - return on investment. And, as long as it costs the banks less to eat the losses from this type of fraud than it does to fix the problem, they won't change a thing.
But keep this in mind: the banks here in the US are far less invested in online banking than say those in Europe, which built their businesses upon e-banking and have the physical token side to go with it. Now, an online banking transaction costs a fraction of a percent of the amount it takes to have the same customer come in to see the bank teller about their transaction, except that far more people in the US still bank at their local branch than online. When that equation starts to tip significantly in the other direction, then - and only then - will you see the banks ALL start to make their customers take an extra step.
So far, only a handful of US banks require this - but for now they only require it of their corporate customers.
You may think so, but recently the phishers have started going after the smaller banks, b/c the bigger banks are now using loads of technology to combat these bastards.
one problem... · on Gone Phishing? · Score: 5, Informative
is that banks themselves are guilty of perpetuating this stuff.
Got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....
Then it said failure to keep your account info up to date could result in the suspension of your domain. Turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.
Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)
Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with their customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
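The signs the commenter lists (a generic salutation, a link whose host is a bare IP address, a threat of consequences unless you act) are the same heuristics a mail filter can score, and a fourth, a link whose domain does not match the sender's, covers the Citibank case. The Python below is an added illustration, not code from the comment or the thread; every message, domain and address in it is constructed (documentation IP range, `example-` domains), and the domain comparison is a deliberately crude last-two-labels approximation rather than a public-suffix lookup. As the commenter observed, the legitimate registrar and bank mailings trip these checks just as a real phish would.

```python
import re
from urllib.parse import urlparse

# Heuristics drawn from the comment above. Patterns are illustrative, not exhaustive.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|member|user|account holder)\b", re.I | re.M
)
URGENCY = re.compile(
    r"\b(suspen(d|sion|ded)|immediately|within \d+ (hours|days)|failure to|"
    r"act now|will be (closed|terminated))\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample messages modelled on the two cases in the comment.
REGISTRAR_STYLE = {
    "sender_domain": "example-registrar.com",
    "body": (
        "Dear Customer,\n"
        "We periodically ask our customers to update their whois information. "
        "Click here to access your account information: http://192.0.2.10/login\n"
        "Failure to keep your account info up to date could result in the "
        "suspension of your domain."
    ),
}
BANK_OFFER_STYLE = {
    "sender_domain": "example-bank.com",
    "body": (
        "Dear Jane Doe,\n"
        "Transfer your balances from other cards today: "
        "https://offers.example-bank-cards.com/transfer"
    ),
}
PERSONALIZED_STYLE = {
    "sender_domain": "example-bank.com",
    "body": "Dear Jane Doe,\nYour statement is ready at https://www.example-bank.com/statements.",
}


def link_hosts(body):
    """Return the lower-cased host of every http(s) URL found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registrable(host):
    """Crude registrable-domain approximation: keep the last two labels.
    A real filter would consult the public suffix list (assumption noted above)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(msg):
    """Return the list of indicators, in fixed order, that fire on a message."""
    found = []
    body = msg["body"]
    if GENERIC_SALUTATION.search(body):
        found.append("generic_salutation")
    hosts = link_hosts(body)
    if any(IP_HOST.match(h) for h in hosts):
        found.append("ip_literal_link")
    sender = registrable(msg["sender_domain"].lower())
    if any(not IP_HOST.match(h) and registrable(h) != sender for h in hosts):
        found.append("link_domain_mismatch")
    if URGENCY.search(body):
        found.append("urgency_or_threat")
    return found


if __name__ == "__main__":
    for name, msg in [("registrar", REGISTRAR_STYLE),
                      ("bank offer", BANK_OFFER_STYLE),
                      ("personalized", PERSONALIZED_STYLE)]:
        print(f"{name:13s} -> {phishing_indicators(msg)}")
```

The registrar-style message fires three of the four checks and the bank offer fires the domain mismatch, while the personalized statement notice with a first-party link fires none; that is the shape of mailing that does not train customers to click on phish.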
...to block bad things from installing themselves into your system registry without your permission. Most of the nastiest spyware out there today gets its hooks into your system by writing values into your registry that allow it to start up whenever you reboot your computer. Ad-Aware is free, but for a well-worth-it $20, Ad-Aware Plus comes with this feature. It has saved my bacon innumerable times, though it can be a pain if you're installing video software (which loads like 12 different things into your registry, making you confirm each and every one).
FYI, I don't have a personal stake in Ad-Aware or anything to gain from this advice, I just wanted to pass on my experience.
Excellent primer on using Knoppix to help recover from linux system problems. But at the risk of starting a flame war, I'd like to relate my own experience rescuing precious data from a hard drive with a Windows XP install.
After installing some video driver on my XP box, the dang thing refused to boot up. After it failed several diagnostic tests, I knew something was seriously wrong. I had already resigned myself to getting a new, fatter hard drive, but I wanted to get several important folders with photos, documents and addresses off of the dang thing before I trashed it, or reformatted.
I remembered that I had burned a copy of Knoppix-STD a few months earlier, and after booting up with it on the damaged box things went really smoothly from there. I managed to find a program that autodetected my DVD burner and without any configuration allowed me to burn two DVDs worth of data from my hard drive without any problems.
I can't remember the exact name of the program on the STD disc (I think it was something like KD3) but it saved my life.
...it's a posting to an adult newsgroup, the kind that renders little thumbnails of nasty, farm animal love and other things that must not be mentioned here.
It has no other way of spreading. You have to be either moronically inquisitive or a seriously wacked pervert to get infected with this "virus," b/c you'd have to either click on a link taking you there (and "she-males-love-it-up-the-@$$" from alt.binaries.multimedia.erotica.transsexuals" is not a best-seller) or you must be a total sicko.
...Microsoft is basically just telling certain people whether it will release any patches, and if so whether any of them are deemed "Critical" patches so that sysadmins and IT depts can schedule folks to be on hand to take care of things. It's not giving these folks any intel about what the patches will fix or what vulnerabilities they address.
That said, I know of few IT professionals that rush out to install Msft patches when they first come out.
It should be noted that FCC counts all lines that exceed 200 kbs (so a little less than 4x the speed of a 56K connection) as "broadband." Verizon and other DSL providers offer such services at as low as $27.95 in some states, but I have a hard time seeing that as high-speed. My provider, Cox, consistently provides 1.5mbs - 2mbs for $40 a month.
Akamai says it's a bug in the software, not DDoS · on Akamai Having Problems? · Score: 5, Informative
A guy I spoke with this morning at Akamai said that the problem was NOT the result of any outside attack on the company's servers. Rather, he said, the problem stemmed from a bug within a tool that allows customers to purge old content and update their cache with new content. Akamai said the problem lasted about 90 minutes, and affected numerous Akamai customers. No response, though, as to why this bug suddenly reared its head.
If I recall, early versions of the 3.4 disc froze up quite a bit after installing to the hard drive. Tried unsuccessfully to load the 2.6 kernel onto the filesystem and in each case it panicked, on two different laptops.
I googled the problem for weeks but no one seemed to know what the fix was. Oh well, maybe I'll download another ISO and have a go at it again.
I wonder if this little nastygram might not have been a subtle jab at the British scientists who designed the doomed Beagle Mars Lander.
I could see a wily virus writer chuckling at the insertion of a calculator - as if to say, hey, brainiacs, if you had only done your calculations right... just another paranoid theory.
hey, just because you're paranoid doesn't mean everyone isn't out to get you!
Sen. Dick Durbin from Illinois actually made reference to this guilty plea in Judge John Roberts' confirmation hearings in the Senate today.
What is this world coming to?
On an even lighter note, some of this kid's buddies - including AOL hacker YTcracker - have made up a pretty entertaining rap song about him.
"The book is remarkable in two ways. First, it presents a greater amount of hard data than I have ever seen on this topic before."
I bet.
RTFA! IF you RTFA, you'll see that the conversation between the UPENN guy and Diabl0 was PRE-ZOTOB - they were talking about a variant of Mytob.
...so it's only natural that Gates is complaining that there aren't enough really smart and talented techie people out there. eh.
yeah, washingtonpost.com had a breaking story about this more than three days ago.
...according to this story at washingtonpost.com. The story says it was a distributed denial of service attack against Akamai, among others.
on just how widespread this attack really is. The story IS HERE
The sidebar included in the story on the Washingtonpost.com site DOES in fact tell you the symptoms of infection and what to do about it.