Vast global spy network discovered!

Sounds like the stuff of fiction, doesn’t it? Covert networks and unknown organisations spying on hundreds of government offices, embassies, news and media organisations and personal computers around the world. But apparently it’s true. Unlike in the movies, though, this was discovered by a group of researchers based in a basement office at the University of Toronto.

Self-confessed computer geeks Ronald Deibert and Nart Villeneuve were asked by the office of the Dalai Lama, the exiled Tibetan leader, to examine its computers for signs of malicious software, or malware. Using a combination of fieldwork, technical scouting and laboratory analysis over a ten-month investigation, they not only found malware on those machines but uncovered a far-reaching network spanning 1,295 infected computers in 103 countries, close to 30% of which could be described as high-value targets (foreign ministries, embassies, international organisations and news media among them).

The Canadian researchers have for some time been practising what some term ‘hacktivism’ from the Citizen Lab, part of the Munk Centre for International Studies at the University of Toronto. Citizen Lab has a reputation for using technology to combat corporate and governmental attempts to control cyberspace, and says the malware it found is remarkable both for its sweep and for its Big Brother-style capabilities. What they are referring to is that this is not a simple information-stealer trawling for random data: it is a full remote-access tool that can switch on the camera and audio-recording functions of an infected computer, letting the operators see and hear what is going on in the room. The researchers were also able to infect a machine in their own office with the code, which allowed them to monitor the commands sent to infected computers and to see the names of the documents the spies retrieved.

A 53-page report, ‘Tracking GhostNet: Investigating a Cyber Espionage Network’, was published online under the ‘Information Warfare Monitor’ banner yesterday (29/03/09). The report is careful not to make claims as to who is behind the operation, and in fact is quick to say that the investigation has raised more questions than answers.

Two computer researchers at Cambridge University, Shishir Nagaraja and Ross Anderson, also worked with the Tibetans and released their own report, “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement”, the same day (29/03/09). The British report went much further in its accusations against the Chinese government, and warned that other attackers could adopt the tactics used in the operation.

While it has long been assumed that various governments run these kinds of operations, this is by far the largest yet to be discovered, and it is still active, currently infecting around 14 new computers a day.

John Markoff of the New York Times reports that a spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”

Like any other piece of malware, the GhostNet code gets onto a machine when a user opens an email attachment or visits a website that installs it on the client device; from then on it takes commands from a remote control server, which gives the attackers control of the machine. What both reports stress is that the emails were carefully targeted: they appeared to come from people the recipient knew and carried plausible-looking documents, which is why off-the-shelf anti-virus did not catch them. As an IT manager I am only too familiar with malware and have some idea of just how hard it can be to spot and remove, but I think I must watch too much TV, in that I assumed that embassies and such high-profile organisations as NATO and the office of the Dalai Lama would be running enough anti-malware and network intrusion detection software to prevent this type of attack.

Sources: Tracking GhostNet report, Snooping Dragon report, The New York Times, The Toronto Star

Related: FBI Honeytrap is sprung, FBI protect us from terrorism by watching Warcraft?


The changing face of a computer virus.

This week an anti-virus company published a proof of concept showing that, in principle, a worm (a self-replicating type of computer virus) could spread using Twitter. This is just the latest development in a 30-year game of cat and mouse between virus writers and anti-virus providers. So what exactly do we mean when we talk about computer viruses? In simple terms, a virus is any computer programme or piece of code with the ability to copy itself and infect other computers or devices without the permission of the owner. A typical virus has a purpose (to damage your computer, network, data or reputation; to use your computer for its own ends, such as attacking another computer, system or person; or to steal your information, data or identity), a trigger (something that activates it and starts it on its mission) and a means of replicating itself (copying itself onto networked machines or memory sticks, or using email, messaging services or social networks). What then is the difference between a virus and a trojan, a bot or any other piece of malware? In terms of the damage they do, essentially very little. The difference is in how they spread: a virus or worm can replicate by itself without permission, whereas a trojan masquerades as something the user wants and a bot is planted to take orders from a remote controller, and both of those usually trick the user into running them, so some action on the user’s part is needed to get them in. According to anti-virus companies there are some 250,000 known viruses in existence.
These viruses are often split into groups by their chief characteristics, including:

- Boot sector viruses, which infect the boot sector of a hard drive or floppy disk
- Macro viruses, which use the macro languages built into Word and Excel, for example
- File-infecting viruses, which attach themselves to, or replace, legitimate program files
- Multipartite viruses, which combine techniques such as boot sector and file infection
- Polymorphic viruses, which are hard to detect because their code changes with each infection, altering the virus’s appearance
- Stealth viruses, which hide themselves from the operating system and from anti-virus products

The first known virus, Creeper, was detected on ARPANET (the predecessor of the internet) in the early 70s; it did little more than move between machines on the network and display the message “I’m the creeper, catch me if you can!”. There have of course been far more harmful viruses since then. Chernobyl (CIH) was among the worst: it overwrote the start of the hard disk and tried to overwrite the BIOS, rendering both the hardware and the data stored on it useless. There have also been far more prolific viruses: at its peak the W32/Mydoom worm was producing between 50,000 and 60,000 new copies of itself per hour (about 1 in 12 emails). Like their medical namesakes, computer viruses are constantly changing. As technology (and the way we use it) changes, virus writers find new ways to use that technology to spread their code. In the 70s it was ARPANET, in the 80s it moved on to floppy disks and dial-up modems, in the 90s it shifted to macro viruses, this decade has seen email and the internet under attack, most recently there has been a shift to social networking sites like YouTube and Facebook, and now it looks like it could be Twitter’s turn.
I recently spoke to an antivirus company and what scared them most was the idea of a super virus that could use the huge processing power of today’s PC to hide within very complex algorithms, and could not only be targeted to a specific task but also to a specific victim, something that generic pattern-matching engines could not spot. They also spoke of the risk of a potential ‘perfect storm’: a virus that combined the worst destructive power with the most efficient self-replication. At best a virus will cause you some inconvenience, slowing your computer and costing you time and effort to remove; at worst it could cost you the replacement cost of the hardware and loss of earnings while you recover your data. It is estimated that 75% of businesses will suffer at least one virus or malware attack a year, and that collectively it costs billions of pounds a year to put right the damage they cause.

Related posts:  Viruses target Social Networks


Spotify lose user data

In a security notice posted on their blog on 4th March, Spotify told users that an unknown group had found a way to compromise their security protocols. The breach meant the attackers had access to information that could allow a very large number of passwords to be tested, possibly finding the right one.

Spotify is an internet-based music service. Spotify are quoted as saying: “Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider”.

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords, and strongly encouraged to change the password on any other service where they used the same one.
What this means in real terms is that a hacker (or group of hackers) managed to obtain a detailed description of how Spotify encode and send passwords between the Spotify client and their server (this is referred to as their protocols). The passwords themselves are not stored on the server. Instead the password is run through a one-way mathematical function to produce a password hash; the server keeps only the hash and, when you log in, hashes what you typed and compares the two. It is impractical to work backwards from a hash to the password, so the passwords themselves were not exposed directly, but the hackers were able to download the hashes. The real problem is what a stolen hash allows: the attacker no longer has to try passwords against Spotify’s servers one at a time, where they could be slowed down or locked out. They can guess offline, on their own hardware, hashing candidate after candidate (every dictionary word, then a, aa, ab, ac and so on, adding more letters and numbers) and comparing each result with the stolen hash, as fast as their machines will go. A short or common password falls in seconds; a long, random one does not. If the hashes were salted (mixed with a random per-user value before hashing) the attacker has to repeat that work for every account rather than sharing it across all of them, but that does nothing to protect any single weak password. Once they have yours, they have your account, unless you changed the password before they got the chance.

The next logical step for a hacker would be to see if you have used the same name and password for other services, especially online bank or betting accounts. Even an iTunes account, for example, would let them buy songs to sell on. Once exposed, the account information itself may be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services you trust to protect your information; use complex passwords (8 characters or more, combining numbers, letters and other characters where possible); never use the same password for multiple accounts (a password manager makes a different password for every site practical); and never use words or names, since these are easily discovered with dictionary attacks, even if you switch letters for numbers that look the same (for example 5s for s’s).
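As an added worked example, not Spotify’s code (this post does not say which hash Spotify used), the script below shows what offline guessing against stolen hashes looks like, and why the “s for 5” trick above buys nothing. The leaked records are constructed for the example: SHA-256 with a per-user salt stands in for whatever scheme Spotify actually ran, and the usernames, salts, wordlist and passwords are all made up.

```python
"""Offline guessing against leaked password hashes (added example, not Spotify's code).

The hash scheme (salt + password through SHA-256) and every record below are
assumptions made for this demonstration; the real Spotify scheme is not on the page.
"""
import hashlib
import itertools
import string


def hash_password(salt: str, password: str) -> str:
    """Stand-in for the server's one-way function: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "leak": (username, salt, hash). Plaintexts are not in the leak;
# they are deliberately weak so the attack below recovers three of the four.
LEAKED = [
    ("alice", "7f3a", hash_password("7f3a", "sunshine")),                     # dictionary word
    ("bob",   "c21e", hash_password("c21e", "pa55word")),                     # s -> 5 substitution
    ("carol", "9b0d", hash_password("9b0d", "ab1")),                          # short, brute-forceable
    ("dave",  "e44f", hash_password("e44f", "correct horse battery staple")), # long passphrase
]

WORDLIST = ["password", "letmein", "sunshine", "qwerty", "spotify", "music"]  # toy dictionary
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}                     # look-alike swaps


def leet_variants(word):
    """Yield the word with every combination of look-alike substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for k in range(len(positions) + 1):
        for subset in itertools.combinations(positions, k):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(max_brute_len=3):
    """Cheap guesses first: dictionary words and their variants, then every short string."""
    for word in WORDLIST:
        yield from leet_variants(word)
    alphabet = string.ascii_lowercase + string.digits
    for n in range(1, max_brute_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(leaked, max_brute_len=3):
    """Return {username: recovered_password}. Never contacts any server: every
    comparison is hash(salt, guess) == stolen_hash on the attacker's own machine.
    The per-user salt forces the loop to restart for each record, but that is all."""
    found = {}
    for username, salt, target in leaked:
        for guess in candidates(max_brute_len):
            if hash_password(salt, guess) == target:
                found[username] = guess
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(LEAKED).items():
        print(f"{user}: {pw}")
```

Three of the four accounts fall: one to the dictionary, one to the look-alike substitutions, one to a three-character brute force. Only the long passphrase survives the search space this script bothers with, and because nothing is sent to Spotify, no rate limit, lockout or “unusual login” alert ever fires.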


Data Corruption at ma.gnolia

This blog entry has taken me a while to post, largely because I really didn’t want to have to post it at all.

I have been a huge fan of social bookmarking ever since I first heard of it. For me it just makes so much sense. I store all my bookmarks online, so whether I’m on my MacBook, my office PC, my mobile phone or someone else’s computer, I have access to the sites I love. But it’s more than that: I’ve signed up to a number of groups of like-minded peers and am now part of those communities. I can see the sites my friends have discovered and access those resources, and quite often the sites I come across in this slightly serendipitous way are the real gems.


Having played with several social bookmarking sites, I’d settled on ma.gnolia as the site that worked best for me. It was easy to use, worked graphically, had some nice tools and a great community, and I found Larry Halff, the founder, very likeable.

Disastrously, in early February ma.gnolia suffered catastrophic data corruption. The database, which was approaching half a terabyte (500GB), became corrupt. While it was backed up, the backup simply mirrored the live data rather than keeping archived copies, so once the live data was corrupt the backup was too, and there was no earlier version to roll back to. After several attempts to recover the corrupt data it was decided that there was no hope of recovering the datastore. Larry managed to come up with some tools to recover individual users’ bookmarks from local caches and Google’s cache, and suggested other social bookmarking sites with good communities that users might migrate to.

Typically of Larry, he has been very open and very honest about the whole thing, sharing his experience so other people can learn from it. In the video below Larry Halff talks to Chris Messina of Citizen Garden about the history of ma.gnolia, what happened with the data corruption and what the future holds.

(Video: Larry Halff discusses past, present and future with Chris Messina)

I simply can’t imagine how much pain ma.gnolia must be feeling right now, having spent so much time and effort building up the site and the community around it. To ma.gnolia’s credit, I’ve never once heard them blame anyone else or come up with excuses. As an IT manager I have some idea how much pressure there must have been from users to maximise running speed and performance, even at the expense of back-end services like backup and recovery.

I was lucky in that I had a recent backup and was mirroring my bookmarks on Delicious; what I miss most, though, is the sense of community. I hope that ma.gnolia does make a recovery and comes back bigger and better than ever, and that I and the rest of the ma.gnolia community get an opportunity to help in whatever way possible.

One lesson that maybe we could all learn from this is that we all need reliable backup plans of our own, and shouldn’t rely on internet-based services too much, because you really don’t know when disaster can strike. The specific lesson from ma.gnolia is that a backup which overwrites itself with the live data every run is only a mirror: it faithfully copies corruption too. A backup you can actually recover from keeps dated copies and checks that each one can be opened.
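As an added example, not ma.gnolia’s tooling (the post does not say what they used), the script below contrasts the two backup styles: a mirror that overwrites its single copy every run, and dated snapshots that are never overwritten and are checked before being trusted. The toy database file, its header and trailer lines, the dates and the bookmarks are all constructed for the example. It runs in a temporary directory and cleans up after itself.

```sh
#!/bin/sh
# Added example, not ma.gnolia's code: a self-overwriting mirror versus dated snapshots.
# The "database" is a text file with a header and trailer line; that format is an
# assumption made here so that corruption can be spotted by an application-level check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live"; MIRROR="$WORK/mirror"; SNAPS="$WORK/snapshots"
mkdir -p "$LIVE" "$SNAPS"

# db_ok FILE: stand-in for "can the database actually be opened and read to the end".
db_ok() {
    [ "$(head -n 1 "$1")" = "# bookmarks v1" ] && [ "$(tail -n 1 "$1")" = "# end" ]
}

# mirror_backup: style 1, copy the live data over the one and only backup copy.
# Whatever is wrong with the live data is now wrong with the backup as well.
mirror_backup() {
    rm -rf "$MIRROR"
    cp -R "$LIVE" "$MIRROR"
}

# snapshot_backup LABEL: style 2, each run lands in its own directory and is never overwritten.
snapshot_backup() {
    cp -R "$LIVE" "$SNAPS/$1"
}

# latest_good_snapshot: walk the snapshots newest first and print the first one that verifies.
latest_good_snapshot() {
    for s in $(ls -r "$SNAPS"); do
        if db_ok "$SNAPS/$s/bookmarks.db"; then
            echo "$s"
            return 0
        fi
    done
    return 1
}

# Day 1: a healthy live store (constructed sample data); both backup jobs run.
{
    echo "# bookmarks v1"
    echo "https://example.org/ghostnet  tags:security,espionage"
    echo "https://example.org/backups   tags:ops,backup"
    echo "# end"
} > "$LIVE/bookmarks.db"
mirror_backup
snapshot_backup 2009-02-01

# Day 2: the live store is damaged (simulated as a truncated write that lost the
# trailer) and, as at ma.gnolia, nobody notices before the nightly backups run again.
head -n 2 "$LIVE/bookmarks.db" > "$LIVE/bookmarks.tmp"
mv "$LIVE/bookmarks.tmp" "$LIVE/bookmarks.db"
mirror_backup
snapshot_backup 2009-02-02

# Outcome: the mirror holds only the corrupt copy; the snapshots still hold a good one.
if db_ok "$MIRROR/bookmarks.db"; then echo "mirror: intact"; else echo "mirror: corrupt"; fi
echo "newest verifiable snapshot: $(latest_good_snapshot)"
```

The mirror ends the run reporting “corrupt”, while the snapshot walk finds 2009-02-01 and ignores the damaged 2009-02-02 copy. The check is the other half of the lesson: keeping dated copies is of little use unless something periodically confirms that they can be opened, which is what `db_ok` stands in for here.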
