Congress, Thanks for Nothing!

Posted on February 20th, 2012

CyberSoft Computer Crime Report – Issue February 20, 2012

By Peter V. Radatti CEO CyberSoft Operating Corporation www.cybersoft.com

I don’t know if I am angry with the Federal Government for skirting their responsibility to protect us on the Internet or happy that they are not messing it up.  It seems lately that most of the laws Congress has been trying to pass “for our protection” are aimed at protecting special interests such as the music industry and Hollywood.  Can’t say I will lose any tears for either of those guys.

The Federal Government has a responsibility to protect us and they are failing.  The Internet was invented by the Federal Government and given to the world.  A point for them, the Internet has been a world changer.  The bad part is that it has let criminals worldwide into our homes, businesses and defense facilities.  It doesn’t require big resources to steal, only brains, an old computer and access to even the slowest of Internet connections.  Brains are in good supply in countries where the morals don’t match ours, where people are desperately poor and feel justified in stealing, where people just hate us and where the Wild West mentality has taken hold.

Having said the Federal Government has failed us, there is one Federal organization that is working hard to protect us and that is the FBI.  The problem is that it is too big of a job and the FBI is underfunded to tackle something of that size.  They can police it but they can’t fix it.  Congress is totally to blame for what is happening and the longer the problem festers the worse it will get.  It is like a cancer: take care of it while it is small and survive; ignore it until it is a big problem and the results may not be good.  In any case a small problem has less pain.  We are already past the small level and are rapidly moving into serious.  It is hurting our banking industry, defense industry and high technology industries.  The fact that we are ineffective is encouraging more attacks and more brazen attacks.  What is Congress doing about the real issues?  Nothing.

What could Congress do?  A great deal.  Congress could give authority to NIST or the FBI or any other Federal agency to create technical standards that protect us, then use the power of the Federal Dollar to make sure that anyone who does business with the government implements them.  Of course it may not work out.  Look at the War on Cancer, the War on Hunger, and the War on Drugs!  The result is wasted money, wasted food and wasted lives.  That is why I am not sure if I am happy or not about the government’s failure to protect us.

If not the government then who will protect us?  First, if you have been reading these articles you know that in my opinion the first level of protection has to be yourself.  You have to develop the skills to be street smart on the Internet.  I have been giving you those tools.  After that I believe in the power of the free market.  Business is getting tired of being ripped off and they are concerned that the Internet could become such a dangerous place that people will avoid it.  These are legitimate concerns.  Recently Google, Microsoft, AOL, Bank of America, American Greetings, Facebook, LinkedIn, Fidelity Investments and others have joined together to do the job that needs doing.  They created a new organization called Domain-based Message Authentication, Reporting and Conformance (DMARC) that is going after one of the most common and nastiest attacks on the Internet, phishing.  Phishing is an identity theft problem and affects everyone.  It drives up costs and damages trust.  DMARC believes that by creating and implementing standards on how email systems perform authentication and using common mechanisms already in place anyone will be able to tell a real message from a fake one sent by a criminal.  Not only will this mean that crooks will have to find a different way to scam the public but also it should help reduce unsolicited bulk email.  Expect DMARC to be implemented soon.  To learn more about DMARC visit their website at dmarc.org.  Now why couldn’t Congress have done that?

To read more CyberSoft Computer Crime Reports by Pete Radatti visit www.cybersoft.com/Blog

 

 

Father Knows Best or no-good-deed-goes-unpunished

Posted on February 13th, 2012

Today’s article contains some quirky news items that I use to illustrate some common problems that occur when technology is involved.

Lucian Constantin of the IDG News Service reports that a German police officer was concerned that his daughter was hanging out with a bad element.  In order to protect her he installed a parental control system in the computer that monitored her activity.  It appears that the father was correct in being worried because one of his daughter’s friends was a hacker who discovered the monitor and decided to break into the father’s private computer.  As most of us do, the father was doing some work at home on his personal computer. The father was a senior officer within the German Federal Police, which is the equivalent of the USA Federal Bureau of Investigation (FBI).  The father’s work involved monitoring GPS tracking of criminals and the hacker was able to find the father’s account and password to the monitoring server. The hacker then turned this information over to a German hacking group called No-Name-Crew who published significant information about the criminals involved.  Thinking about this, why would No-Name-Crew do such a stupid thing?  Was there any kind of political statement involved?  Did they care that the daughter’s father may have gotten in serious trouble, which had to affect the daughter?  Did they really think helping criminals was a smart idea?

Here are my reasons for why No-Name-Crew should be named No-Brain-Crew.  First, they attacked the national police.  Not a good idea.  Secondly, they had to hurt their friend when her father was investigated and found to be the inadvertent source of the hackers invading the police’s server.  Thirdly, the suspected leader of the crew and one other member were arrested.  There was no money involved for these guys but there was a huge amount of ego, self-confidence and most of all arrogance.  They just thought they were better than the police and could get away with doing what they wanted, even serious criminal activity.

Why should you care?  This exact thing can happen to you.  Maybe you don’t have access to national police servers but if you access servers at work from your personal computer or you access your bank account online this information is on your computer.  If someone steals your computer or a “guest” in your house comes across the computer they can potentially access these systems.  What can you do?  Use one of the free web browsers that allow you to encrypt the password file.  If the browser you want to use doesn’t have this feature then use one of the many password management programs that will.  If someone does get access to your computer this will slow them down enough to give you time to change passwords and notify appropriate people.  Secondly, treat your computer as if it were a pile of cash.  Criminals view your computer that way.  Would you leave a pile of cash on the desk?  Try to arrange to physically lock up your computer.  If you are using a full size computer then lock the room or the desk.  If you can’t, consider buying a removable drive device canister and have it installed.  Using this device, your hard drive can be removed after the computer is powered off.  All of the information is stored on the drive.  Drives are small and you could even lock it in a small metal box.  Finally, if none of this is practical consider whole disk encryption.  It will slow down your computer but if whoever steals your computer doesn’t know the decryption password they are not going to even boot the operating system.

The next story is another no-good-deed-goes-unpunished event.  The Associated Press reports that a Canadian man approached a US border officer wanting to enter the United States to drop off Christmas gifts.  The man, Martin Reisch, forgot his passport and by law should not have been granted entry with just his driver’s license; however, Martin presented the officer with a scanned copy of his passport that he kept in his iPad.  The officer considered everything and made an exception to allow Martin to cross into the United States.  This became international news.  I can’t see this enhancing the employment of the officer involved.  Who do you think broke this news, the officer who could potentially lose his job or Martin who was given an early Christmas gift of being cut some slack?  Martin got the fame and paid for it with the officer’s pain.  I could be wrong on who did what here but my guess is that Mr. Reisch played the part of the Grinch this last Christmas.  How does this affect you?  At least part of what happened is that the guard may have been influenced by the fact that he was shown a scanned copy of the passport on a computer!  High technology devices tend to dazzle people and can cause them to lower their guard.  If the officer was presented with a photocopy of the passport I am sure he would have rejected it.  After all, a piece of paper doesn’t have the dazzling effect of an Apple iPad.  What can you do about it?  Any time a computer is involved in your decision making, ask yourself if you would do this if what is being displayed on the computer was on paper instead!  If the answer is no then don’t be impressed, use normal caution, and proceed with your decision making process.

Remember, just because a computer is involved, that doesn’t mean it is correct, and the value of your computer is not its replacement cost but all the personal information and account access in it that a thief can steal.

ICANN, I CAN’T

Posted on February 6th, 2012

A fantastic new opportunity is coming for Internet crooks.  ICANN is the organization, chartered by the US Commerce Department, to oversee the Domain Names for the Internet.  The organization is international in scope and wants to be more international by loosening the controls of the US government.  When you enter a domain name such as www.cybersoft.com it breaks down in the following way: the .com is the top or first level domain while CyberSoft is the second level and www is the third level.  It can be expanded from there.  When a company buys a domain they are buying the second level attached to a first level.  Most people are familiar with the .com, .mil, .net and other first level domains.  When you buy CyberSoft as a second level domain it is associated with only one first level domain.  If you want to protect the name CyberSoft from potential poachers then you need to buy the domain CyberSoft for every first level domain, assuming that you can.  There are currently about 22 topical first level domains and another 250 country code domains.  That means that a company that didn’t want any confusion and wanted to protect their name needs to buy 272 domains plus all common misspellings for those domains.  ICANN wants to expand this by another 1,000 top-level domains per year.  One of the best arguments given to ICANN for not doing this is the fact that this is going to be a field day for Internet crooks.  Right now typo squatters are common.  Again, let’s use the cybersoft.com domain.  A typo squatter may register sybersoft.com or sibersoft.com or some other common misspelling.  They can then use the site for crooked purposes while the users think they are dealing with the CyberSoft company.  Consider that now the crooks don’t have to use a misspelling; they can register some new domain.  Would you think cybersoft.con was still CyberSoft?  You might not even notice the letter M was replaced with the letter N!  Remember, most people click on their links; they don’t enter them by hand.
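A defender-side check for the look-alike names described above, as an added example that is not part of the original article: it splits a hostname into the levels the article describes and flags near-miss second level names and near-miss first level domains. The function names, labels and thresholds are assumptions, the candidate list is constructed from the article’s own examples, and multi-label suffixes such as co.uk are not handled.

```python
"""Flag look-alike domains for a protected brand domain (added example)."""


def split_levels(hostname):
    """Return (first_level, second_level, lower_levels) for a hostname.

    Assumption: the first level is a single label (no co.uk-style suffixes).
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a registrable hostname: %r" % hostname)
    return labels[-1], labels[-2], labels[:-2]


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "cybresoft" for "cybersoft".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate, brand="cybersoft.com"):
    """Label a candidate hostname relative to the protected brand domain."""
    tld, sld, _ = split_levels(candidate)
    brand_tld, brand_sld, _ = split_levels(brand)
    if (tld, sld) == (brand_tld, brand_sld):
        return "legitimate"  # third level (www, mail, ...) is ignored
    if sld == brand_sld:
        # Same name under another first level domain: cybersoft.con, coke.xyz.
        if edit_distance(tld, brand_tld) <= 1:
            return "tld-lookalike"
        return "same-name-other-tld"
    # Longer names tolerate more typos; short ones (ibm, coke) only one.
    threshold = max(1, len(brand_sld) // 4)
    if edit_distance(sld, brand_sld) <= threshold:
        return "typosquat"
    return "unrelated"


def scan(candidates, brand="cybersoft.com"):
    """Classify every candidate; returns {hostname: label}."""
    return {name: classify(name, brand) for name in candidates}


# Constructed sample input, taken from the names used in the article.
SAMPLE = ["www.cybersoft.com", "sybersoft.com", "sibersoft.com",
          "cybersoft.con", "example.org"]

if __name__ == "__main__":
    for name, label in scan(SAMPLE).items():
        print("%-20s %s" % (name, label))
    print("%-20s %s" % ("coke.xyz", classify("coke.xyz", brand="coke.com")))
```

Run against newly registered domain feeds or the link targets in inbound mail, the "tld-lookalike" and "typosquat" labels are the ones worth an analyst’s attention.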

Yet another crooked game the thieves can play isn’t illegal.  Let’s say someone in another country registers coke.xyz or ibm.xyz.  They offer to sell the domain to the real Coke or IBM Company for $100,000, which is less than the cost of fighting them.  This is nothing short of blackmail but it is being made possible by ICANN’s greed.

Why?  It is always about the money.  ICANN makes money selling domain services and this is a great way to force people to buy more domains.  ICANN splits their operating costs between the domain registries, which are normally companies.  The more registries there are the higher their operating costs can be without complaints.  There have been a lot of people complaining to ICANN including business, people involved in trademark enforcement, Congressional hearings, etc. about this new plan.  ICANN doesn’t care.  ICANN is a nonprofit so it doesn’t have to pay taxes.

To be totally fair, some expansion of the first level domains is needed.  Domains in other languages such as Chinese should have been allowed a long time ago but that is a far cry from what ICANN is proposing.  ICANN claims that they are putting in protections but personally, I think their protections are too little.  My guess is that this is going to hurt everyone except for big companies, crooks and ICANN.  What can you do?  Go to www.icann.org/en/contact and register a complaint about the expansion of first level domains.  If you use the form on the page click the button that says “New gTLDs” as the subject category.  I also suggest you write to your congressmen.  Finally, one last thought.  ICANN makes money simply because everyone has agreed to use their domain service.  There is no law saying you have to.  If ICANN becomes too greedy or the Internet becomes too dangerous because of their actions expect others to step up to the plate and create a competitor to ICANN.

Just Say No

Posted on January 30th, 2012

CyberSoft Computer Crime Report – Issue January 30, 2012

By Peter V. Radatti CEO CyberSoft Operating Corporation www.cybersoft.com

Today I want to talk about computer security and common sense.  While there are a lot of truly clever attacks that take advantage of obscure knowledge on the Internet, for the most part computer engineers are making the role of the attacker way too easy.  While computers can add huge benefits to almost anything, there is a dark side if the systems are connected to the Internet.  When you connect anything to the Internet you just invited the entire world inside your walls.  Yes, there are firewalls, antivirus, cryptographic integrity systems, automated update systems and a ton of security procedures but basically you just put a door in the wall.  Even if the door is closed and locked it can be opened.

Let’s start with security issues that are about to happen and progress to what is happening right now.  We are in the beginning of the integration of humans with computers.  This is not science fiction but a health issue.  In the past, most of the systems that integrated with the human body were health monitors in hospitals.  As computer technology became better, cheaper and more useful it started to be integrated into health technology that is implanted into the body.  It is rare today to find devices that do not or cannot benefit from digital enhancement.  Pacemakers can work better and record events for the doctor, insulin pumps are more effective; research into computer control of human muscles for paralyzed people is looking very good.  What is the common element in all of this?  Computers control all of these systems and computers can be infected with hostile software.  What would be the effect of hostile software infecting one of these systems?  The answer is it depends on what infected the system, what it was intended to do and if it creates damage as part of the infection phase.  In any case the system is no longer trustworthy.  The results can be anything from nothing to death.

The same thing can be said about online voting.  In this case the danger increases because not only is a computer involved but also it is connected to the world by the Internet.  As soon as voting systems are made available online the temptation to rig the vote by electronic means becomes a possibility.  Not just by the political opponents but also by foreign countries that have a preference for one candidate over another.

As with the above examples some municipalities have computerized stoplights, traffic control systems, water and sewer pumps, electrical grid controls and other basic systems of government.  When these are connected to the Internet you invite the world to take control of them.

There is even concern in the computer security world about new moves to put things like electric meters on WiFi wireless networks so a truck can drive down the street and read all the meters.  This sounds secure except that anyone with a laptop and the knowledge of what to do will be able to read that specific type of meter.  What could be the harm?  That depends upon your specific activities.  Why are you using an unusual amount of electricity between midnight and 1:00 AM every morning?  In addition, if the meter’s WiFi is compatible with and intersects with the Internet there is the potential for someone half a world away to read meters.  Why should you care?  Most people won’t but it is still an invasion of privacy and someone somewhere will find a way to make a buck on it even if it is just targeting high usage homes for marketing electrical suppliers.

Here is the common thread in all of the above.  Why would any of these systems be directly connected to the Internet?  Ease of use?  So someone can control something without having to drive into his or her office?  Just because it’s cool?  For the most part the benefits of putting control systems on the Internet are much less than the risks created by that action.  If the traffic lights are not on the Internet then someone in China can’t take control of them.  If there is a benefit to having systems on a network then use a private network that does not interface with the Internet.  Yes, that means that people who want to access the private network won’t have the convenience of using the Internet but then neither will some attacker sitting in a foreign country.

A virus for all seasons

Posted on January 23rd, 2012

CyberSoft Computer Crime Report – Issue January 23, 2012

By Peter V. Radatti CEO CyberSoft Operating Corporation www.cybersoft.com

According to The Daily Yomiuri Online newspaper from Japan the Japanese Defense Ministry is developing a cyber defense virus!   You can read about it at http://www.yomiuri.co.jp/dy/national/T120102002799.htm

This system is supposed to be a new wonder defense that will be able to track attacks back to the original source of the attack and disable all systems involved along with gathering information on the attack.   Development work is said to be done by Fujitsu Ltd and started in 2008 so if this is real it is a major development effort.

Most countries don’t work on cyber defense very much.  The large effort is in cyber attack with defense being a side issue.  In a boots and bullets war the guy who attacks best wins.  Cyber wars are different in that the country that ends up not taking damage to their infrastructure wins.  The United States DoD has recently realized this and is now investing in cyber defense.

Why would Japan explore such a twisted road of using a virus for defense?  Japan has legal problems the rest of the world doesn’t have.  Their constitution only allows them to have a defense force, not an offensive force and cyber attacks are undefined.  They legally do not know if they can defend themselves against a cyber attack that involves an attack.  They can legally defend themselves on their own soil.  A virus is hard to control.  They can release it on Japanese soil but if it tracks the attack to a computer that is not in Japan it will attempt to defend itself against the attacking computer in the other country by disabling it.  Notice that the effect from attacking the enemy or defending from the enemy is the same in this case.

So why doesn’t everyone develop cyber defense viruses?  The simple reason is no one else in the world has the legal issues the Japanese had forced on them after World War II.  The rest of the world can use more straightforward, aggressive and generally successful methods of defense and attack.  A virus defense can be defeated by an antivirus program, it can be defeated by aggressive network monitoring of traffic, it can be disinfected and worst of all it can be turned into a double agent and used as part of an attack.  It is a clever idea but it will only work for the Japanese, if it works at all.

The SSL encryption system is how companies and individuals protect their private information on the Internet.  When you login to your bank or broker or even the shopping cart of an Internet store you are depending upon SSL encryption to protect you.  Without that protection lots of people will be able to read your info and potentially steal your identity.  In the past, I wrote that SSL is a lame duck and that there are many ways of getting around it.  No one is stepping up to solving the problem so we just keep using it.  Recently Chris Paoil of Government Computer News wrote an article about two security researchers named Thai Duong and Juliano Rizzo who will be demonstrating a new way of breaking the SSL protection.  What these men have found is a new vulnerability that allows attackers to bypass web certificates to perform their attacks.  They stated that the flaw has been part of SSL from the beginning but that users who are using TLS 1.1 and 1.2 are immune to this attack.  Unfortunately many web browsers still use the older SSL systems.  If you are concerned about possible SSL attacks then make sure you are using a web browser that is using TLS instead of SSL and make sure it is up to date with the latest patches.