Vast global spy network discovered!

Sounds like the stuff of fiction, doesn’t it? Covert networks and unknown organisations spying on hundreds of government offices, embassies, news and media organisations and personal computers around the world. But apparently it’s true. Unlike in the movies, though, this was discovered by a group of researchers based in a basement office at the University of Toronto.

Self-confessed computer geeks Ronald Deibert and Nart Villeneuve were asked by the office of the Dalai Lama, the exiled Tibetan leader, to examine its computers for signs of malicious software, or malware. Using a combination of fieldwork, technical scouting and laboratory analysis during a ten-month investigation, they not only found evidence of malware but discovered a far-reaching network spanning 1,295 infected computers in 103 countries, 30% of which could be described as high-value targets.

The Canadian researchers have been practising what some term ‘hacktivism’ from the Citizen Lab, part of the Munk Center for International Studies at Toronto University, for some time. Citizen Lab has a reputation for using technology to combat corporate and governmental attempts to control cyberspace, and says that the malware found is remarkable both for its sweep and for its Big Brother-style capacities. What they are referring to is that it has not merely been ‘phishing’ for random information, but has the ability to turn on the camera and audio-recording functions of an infected computer, enabling the operators to see and hear what is going on in a room. The researchers were able to manipulate the code and infect a machine in their office, allowing them to monitor the commands given to the infected computers and to see the names of documents retrieved by the spies.

A 53-page report into GhostNet was published online under the ‘Information Warfare Monitor’ banner yesterday (29/03/09). The report is careful not to make any claims as to who is behind the operation, and in fact is quick to say that the investigation has raised more questions than answers.

Two computer researchers at Cambridge University, Shishir Nagaraja and Ross Anderson, also worked with the Tibetans, and released their report “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement” yesterday (29/04/09). The British report went much further in its accusations against the Chinese, and warned that other hackers could adopt the tactics used in the malware operation.

While it has long been assumed that various governments are running these kinds of operations, this is by far the largest yet to be discovered, and it is still active, infecting around 14 new computers a day.

John Markoff of the New York Times reports that a spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”

As with any other piece of malware, machines can be infected when users either open an email attachment or visit a website that installs code onto the client device, allowing commands to be sent to the machine remotely and temporarily taking control of it. As an IT manager, I am only too familiar with malware and have some idea of just how hard it can be to spot and remove, but I think I must watch too much TV, in that I assumed that embassies and such high-profile organisations as NATO and the office of the Dalai Lama would be running enough anti-malware and network intrusion software to prevent this type of attack.

Sources: Tracking GhostNet report, Snooping Dragon report, The New York Times, The Toronto Star

Related: FBI Honeytrap Darkmarket.ws is sprung; FBI protect us from terrorism by watching Warcraft?


The changing face of a computer virus.

This week an anti-virus company demonstrated a ‘proof of concept’, showing that in principle a worm (a type of computer virus) could be spread using Twitter. This is just the latest development in a 30-year game of cat and mouse between virus writers and anti-virus providers. So what exactly do we mean when we talk about computer viruses? In simple terms, it is any computer program or piece of code with the ability to copy itself and infect other computers or devices without the permission of the owner. A typical virus will have a purpose (to damage your computer, network, data or reputation; to use your computer for its own purposes, such as attacking another computer, system or person; or to steal your information, data or identity), it will have a trigger (something that activates it and starts it on its mission) and it will have a means of replicating itself (copying itself onto networked machines or memory sticks, or utilising email, messaging services or social networks). What then is the difference between a virus and a trojan, bot or other piece of malware? Essentially very little, but a virus has the ability to self-replicate without permission. The others can all cause just as much damage, and often trick the user into installing them, but essentially they do initially require some action to be taken. According to anti-virus companies there are some 250,000 known viruses in existence.
These viruses are often split into a number of groups described by their chief characteristics, including: boot sector (infect the boot sector of a hard drive or floppy disk), macro (utilise macro commands, commonly used in Word and Excel for example), file infecting (replace legitimate files with viruses), multipartite (use a combination of techniques, such as boot sector and file infecting), polymorphic (often difficult to detect as they use code that changes, along with the virus’s appearance, after each infection) and stealth viruses (hide themselves from a computer’s operating system and anti-virus products). The first known virus, “The Creeper”, was detected on ARPANET (the predecessor of the internet) in the early 70s; it did little more than remotely access machines on the network and display the message “I’m the creeper, catch me if you can!”. There have of course been far more harmful viruses since then; the Chernobyl virus was amongst the worst, attacking the boot sector and BIOS and rendering both the hardware and the data stored on it useless. There have also been far more active viruses: the W32/Mydoom virus was producing between 50,000 and 60,000 new copies of itself per hour at its peak (about 1 in 12 emails). Like their medical namesake, computer viruses are constantly changing. As technology (and the way we use it) changes, virus writers find new ways to utilise that technology to spread their viruses. In the 70s it was ARPANET, in the 80s it moved on to floppy disks and dial-up modems, in the 90s it shifted to macro viruses, this decade has seen email and the internet under attack, most recently there has been a shift to social networking sites like YouTube and Facebook, and now it looks like it could be Twitter’s turn.
I recently spoke to an anti-virus company and what scared them most was the idea of a super virus that could use the huge processing power of today’s PC to hide within very complex algorithms, and could not only be targeted to a specific task but could also be targeted to a specific victim, something that generic pattern matching engines could not spot. They also spoke of the risk of a potential ‘perfect storm’, a virus that combined the worst of destructive powers with the most efficient self-replication systems. At best a virus will cause you some inconvenience, slowing your computer and costing you time and effort to remove; at worst it could cost you the replacement cost of the hardware and loss of earnings while you recover your data. It is estimated that 75% of businesses will suffer at least one virus or malware attack a year and that collectively it costs billions of pounds a year to put right the damage that they cause.

Related posts:  Viruses target Social Networks


Spotify lose user data

In a security notice posted on their blog on 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow the testing of a very large number of passwords, possibly finding the right one.

Spotify is an internet-based music service.

Spotify are quoted as saying “Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider”.

All users with accounts created on or before 19th December 2008 have been advised to change their Spotify passwords and strongly encouraged to change their passwords for any other services using the same password.
What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send passwords between the browser and their server (this is referred to as their protocol). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical function is applied to the password within the browser to form a complex code that only the server can make use of (this is referred to as a password hash). It is almost impossible to convert back from a password hash to a password, so the passwords themselves have not been exposed, but the hackers have been able to download these hashes. What this means is that the hackers are able to carry out brute-force attacks, trying a very large number of possible passwords, for example starting with the letter a, then aa, ab, ac, adding more and more letters and numbers and trying every combination until one opens the account. They then have access to your account, unless you have changed your password before they get the chance.

The next logical step for a hacker would be to see if you have used the same name and password for other services, especially online banking or betting accounts. Even iTunes accounts, for example, where they could purchase songs to sell them on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, and use complex passwords (8 characters or more, combining numbers, letters and other characters if possible). Don’t use the same password for multiple accounts, and never use words or names; these are easily discovered with dictionary attacks, even if you switch letters for numbers that look the same (for example 5s for s’s).
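As an added example (not Spotify’s code or part of the original post), here is a Python check that applies the advice above: a minimum length, a mix of character classes, and a dictionary test that first undoes look-alike substitutions such as 5 for s, so that ‘pa55w0rd’ is still caught. The word list is a small constructed sample.

```python
import re
from itertools import product

# Constructed sample dictionary; a real check would load a full word list.
COMMON_WORDS = {"password", "spotify", "music", "london", "summer", "letmein"}

# Look-alike substitutions that a cracking rule set reverses; '1' is ambiguous (i or l).
LEET_OPTIONS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
                "7": "t", "@": "a", "$": "s", "!": "i"}

def normalised_variants(candidate: str) -> set:
    """Lower-case the candidate and undo every combination of look-alike substitutions."""
    choices = [LEET_OPTIONS.get(ch, ch) for ch in candidate.lower()]
    return {"".join(chars) for chars in product(*choices)}

def dictionary_hits(candidate: str, words: set = COMMON_WORDS) -> list:
    """Dictionary words (4+ letters) found inside the candidate once leetspeak is undone.
    Leading/trailing non-letters are stripped, so 'Summer2009!' still hits 'summer'."""
    hits = set()
    for variant in normalised_variants(candidate):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", variant)
        hits.update(w for w in words if len(w) >= 4 and w in core)
    return sorted(hits)

def check_password(candidate: str, min_length: int = 8) -> list:
    """Return the reasons a candidate fails the advice above; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {"lowercase letter": r"[a-z]", "uppercase letter": r"[A-Z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, candidate)]
    if len(missing) > 1:  # require at least three of the four character classes
        problems.append("needs more character variety (missing: " + ", ".join(missing) + ")")
    hits = dictionary_hits(candidate)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    for pw in ["pa55w0rd", "Sp0t1fy!9", "short1!", "tQ9#vL2m!xR"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```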


Data Corruption at ma.gnolia

This blog entry has taken me a while to post, largely because I really didn’t want to have to post it at all.

I have been a huge fan of social bookmarking ever since I first heard of it. For me it just makes so much sense. I store all my bookmarks online, so whether I’m on my MacBook, my office PC, my mobile phone or using someone else’s computer, I have access to the sites I love. But it’s more than that: I’ve signed up to a number of groups of like-minded peers, and am now part of those communities. I can see the sites that my friends have discovered and access those resources, and quite often the sites that I come across in this slightly serendipitous way are the real gems.

magnolia logo

Having played with several social bookmarking sites I’d settled on ma.gnolia.com as the site that worked best for me. It was easy to use, worked graphically, had some nice tools and a great community, and I found Larry Halff, the founder, very likeable.

Disastrously, in early February ma.gnolia suffered catastrophic data corruption. The database, which was approaching half a terabyte (500GB), became corrupt. While it was backed up, the backup was simply copying the live data and not making archived duplicates, so it could not be rolled back to an earlier version. After several attempts to recover the corrupt data, it was decided that there was no hope of recovering the datastore. Larry managed to come up with some tools to recover individual users’ datastores from cached local and Google data, and suggested other social bookmarking sites with good communities that users might migrate to.

Typically of Larry, he has been very open and very honest about the whole thing, sharing his experience so other people can learn from it. In the video below Larry Halff talks to Chris Messina of Citizen Garden about the history of ma.gnolia, what happened with the data corruption and what the future holds for ma.gnolia.

Video: Larry Halff discusses ma.gnolia.com past, present and future with Chris Messina

I simply can’t imagine how much pain ma.gnolia must be feeling right now, having spent so much time and effort building up the site and the community surrounding it. To ma.gnolia’s credit, I’ve never once heard them blaming anyone else or coming up with excuses. As an IT manager I have some idea how much pressure there must have been from users to maximise running speed and performance, even at the expense of back-end services like backup and recovery.

I was lucky in that I had a recent backup and I was mirroring my bookmarks on Delicious; what I miss most though is the sense of community. I hope that ma.gnolia does make a recovery and comes back bigger and better than ever, and that I and the rest of the ma.gnolia community get an opportunity to help in whatever way possible.

One lesson that maybe we could all learn from this is that we all need reliable backup plans of our own, and shouldn’t rely on internet-based services too much, because you really don’t know when disaster can strike.
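The failure described above, a backup that only copied the live data, is easy to reproduce in miniature. The Python below is an added example, not ma.gnolia’s code: it contrasts a mirror copy with dated snapshot generations on a constructed bookmark file in a temporary directory, and shows that only the generational archive can roll back past the corruption.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Callable, Optional

def mirror_backup(src: Path, dst: Path) -> Path:
    """A 'live copy' backup: dst is made identical to src, corruption included."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)
    return dst

def snapshot_backup(src: Path, root: Path, keep: int = 7, stamp: str = "") -> Path:
    """Archive a dated copy of src under root, then prune all but the newest `keep` generations."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    dest = root / stamp
    shutil.copytree(src, dest)
    generations = sorted(p for p in root.iterdir() if p.is_dir())
    for old in generations[:-keep]:
        shutil.rmtree(old)
    return dest

def restore_latest_good(root: Path, target: Path, is_good: Callable[[Path], bool]) -> Optional[Path]:
    """Walk generations newest-first and restore the first one that passes is_good()."""
    for gen in sorted((p for p in root.iterdir() if p.is_dir()), reverse=True):
        if is_good(gen):
            if target.exists():
                shutil.rmtree(target)
            shutil.copytree(gen, target)
            return gen
    return None

def demonstrate() -> dict:
    """Replay the failure mode on constructed data: live data goes bad after it has been mirrored."""
    work = Path(tempfile.mkdtemp())
    live, mirror, archive = work / "live", work / "mirror", work / "archive"
    for d in (live, archive):
        d.mkdir()
    good = "http://ma.gnolia.com\nhttp://example.org\n"  # constructed sample bookmarks
    (live / "bookmarks.db").write_text(good)
    snapshot_backup(live, archive, stamp="gen-1")
    mirror_backup(live, mirror)
    (live / "bookmarks.db").write_text("\x00\x00CORRUPT\x00")  # corruption creeps in
    snapshot_backup(live, archive, stamp="gen-2")  # the bad state is archived too ...
    mirror_backup(live, mirror)  # ... but the mirror now holds ONLY the bad state
    def looks_sane(gen: Path) -> bool:
        return "CORRUPT" not in (gen / "bookmarks.db").read_text()
    restored_from = restore_latest_good(archive, live, looks_sane)
    result = {"mirror": (mirror / "bookmarks.db").read_text(),
              "restored_from": restored_from.name if restored_from else None,
              "live_after_restore": (live / "bookmarks.db").read_text()}
    shutil.rmtree(work)
    return result

if __name__ == "__main__":
    print(demonstrate())
```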


I’ve been rated on blogged

I got an email from the people at Blogged this afternoon to say that they had recently rated my “World of IT Blog” with a score of 8.3. This means I made it into the top 10 in the Information Technology section alongside sites like the awesome TechCrunch.


The rating is based on frequency of updates, relevance of content, site design and writing style.

This is immensely flattering for me, not only because I’m human and everyone likes to hear that their peers appreciate their work, but also because I always struggled in English classes at school (spelling was never my strength; in fact I failed my O-level English a couple of times before eventually passing).

I started the World of IT blog about a year ago, mainly to see how the technology worked and to experiment with various forms of social networking, because it was becoming more and more important to my work in IT. But I have kept it up because I kind of enjoy writing it (although lately I have not had time to update it as often as I would have liked). Hopefully this rating will be the motivation I needed to update more regularly.

During the last year I have been asked to write a couple of pieces for the technology section of the local paper (The Journal). I have enjoyed this immensely; it’s been great to work with pro writers and to get their feedback on my articles (my thanks to Lewis Harrison). I have also been lucky enough to preview and offer advice on a series of articles on Web 2.0 by Justin Souter in b.daily; this was another enlightening process, watching how ideas grow and develop as we discussed them. I like to think that these experiences have helped improve my writing generally and are improving the experience for you, the reader.

I’d like to finish by thanking Blogged for the rating, the many other tech bloggers out there (you’re doing a great job!) and of course you, my audience, for your support and feedback (do please leave a comment and let me know what you think of the blog and any improvements or changes you’d like to see!).


Viruses target social networks

Last week I fell victim to a virus. More correctly, I fell victim to a piece of malware/spyware. Being as I work in IT it didn’t cause too much of a problem, but it did make me take another look at the whole spyware problem.

The first thing that surprised me was that my current anti-virus/malware software had not picked it up. I’m a bit of a security control freak and actually run online, gateway, server and desktop AV, none of which detected or matched the patterns in this virus. The virus managed to set up its own proxy server on my machine, bypass my own proxy server, disable my local AV software and run a number of exe files that mimicked the Windows alert modules, telling me the system had detected a problem and offering to install software to help. In fact even when I ran deep scans with Trend and Spybot Search and Destroy, two leading titles in anti-malware, they reported that my system was running normally with no viruses found. It was obvious that I did have a problem, in that there were around 160 exe files running and a new Windows Explorer window appearing every couple of minutes. It didn’t take long to do a quick Google search on the individual exe files and find something that could remove it.

The second thing that surprised me was how easily I almost fell for providing my credit card details on a machine I knew to be affected. After two days of working on my laptop, while the very time-consuming deep scans ran on my workstation, I was so pleased to have found something that promised to kill the virus once and for all that I very nearly went ahead and paid the $30 for an online licence.

The third thing worth mentioning is how I fell for getting the virus in the first place. I guess it was a cross between a social engineering attack and a straightforward malware attack. In short, I got a message on Facebook inviting me to view a movie clip from a friend; this then took me to what looked like that person’s YouTube account, but where you would expect to see the movie playing there was a message saying that my version of Flash Player was out of date and to click to continue, and the usual warning popped up before installing. All of which I clicked through, as it looked so similar to a genuine Flash updater. Next thing you know I’ve restarted and all sorts of pop-ups are saying a virus has been detected and linking to software products to purchase to remove it.

When you think about it, this is genius. The latest generation of internet users are very into social networks, but are much less tech-savvy when it comes to security and protecting themselves. They are so used to clicking ‘yes’, ‘install’, ‘accept’, ‘I agree’, without reading anything of what they are actually agreeing to, that they are easy targets when it comes to installing harmful stuff like malware and viruses. I myself am a classic example: a busy day in the office and a box pops up asking me to agree to an update to software I trust from a person I know, and I say yes without a second thought.

It would seem that I am not the only one though; CNET this week reported on the Koobface virus currently hitting Facebook users, and there are no end of others popping up every day.
