Usually when the media talks about malware, the damage has already been done, with thousands of machines already infected.
Recently, though, discussions of malware have focused on a program which doesn't even exist: the German government's Trojan, which I blogged about back in December. Whether or not the road to hell is paved with good intentions depends on your point of view. But there’s certainly a lot of discussion as to what effect government-sanctioned malware will have on network security.
Since I last blogged, things have moved on a bit. The German government has confirmed a budget of 200,000 Euro for project costs and two developers. On Monday, the Federal Court of Justice ruled that an electronic search of premises would be illegal under current legislation. A lot of politicians, including the Minister of the Interior, are now campaigning for the law to be changed so that the Trojan can finally be created.
If this happens, it will be the first time that the law has been changed in favour of malware.
A couple of days ago the Süddeutsche Zeitung (a German newspaper) reported on a new type of search tool which the German Federal Office of Criminal Investigation would like to use in the future. Instead of having to go through the tedious formalities of requesting access to a suspect’s house and confiscating any computers there, a law enforcement agency would be able to remotely access and monitor a suspect’s machine.
Of course, there aren't any details about how this will be done, or how access to the data would actually be achieved. But regular readers of this blog might remember my post about its Swiss counterpart: spyware written for use by the authorities to track suspects. There wasn’t any further information given about how that software would be installed, either. Two possible methods would be installation via unpatched vulnerabilities in operating systems or other software, or the classic method of sending the program as an email attachment and banking on the user opening and launching it.
So the Suddeutsche Zeitung article isn’t the first report we’ve seen about malware financed by the authorities, and it certainly won't be the last. If we assume that every country of a reasonable size is currently developing (or using) its own Trojan program, then it's only a matter of time before we get a sample of one of these things. And who knows - it could be that we’ve already got one without knowing exactly what it is. After all, a Trojan used by the authorities is hardly likely to send data it harvests to an easily identifiable police server...
The Swiss newspaper “Schweizer Sonntagszeitung” recently published an article on malware experiments conducted by the Swiss Department of the Environment, Transport, Energy and Communications. The full article, in German, can be found here.
The department is clearly considering the use of spyware that has been specifically developed for tapping into encrypted Voice-over-IP connections (e.g. Skype). It is still unclear whether using such a tool could be made legal. In any event, a judge would have to approve each case in advance, similar to the procedure for monitoring normal telephone calls.
The Swiss company that develops the program (and rather ironically offers installation services for antivirus software on its website) has made some interesting statements. They say that the spyware would only be given directly to the Swiss authorities, and that their program would be undetectable by any firewall or antivirus solution. Of course, the latter statement cannot be verified without a sample, but personally I don't believe it anyway. Signatures are not the only way to detect malware: heuristic and proactive technologies, which antivirus vendors are continuously improving, can catch previously unseen code as well.
On the other hand, even if the spyware could fool all antivirus solutions, it would be highly irresponsible to use such software “in the wild”, no matter what the reason. Sooner or later it would be discovered by other malware developers, and be modified and abused for illegal purposes.
So far this spyware is not in use, and hopefully, that will not change any time soon.
Once a year, Kaspersky Lab organizes a security roundtable in Munich, Germany, followed by a visit to the Oktoberfest (probably Germany's most famous festival).
Last Thursday, a lot of journalists (mostly from IT publications) got together to gain an overview of malware development so far this year, as well as information about current trends and possible future threats.
We pointed out that fighting cybercrime (botnets, blackmail, theft of credit card data etc.) will increasingly depend on working together. This doesn't just mean cooperation between antivirus companies, but improved communication with independent research facilities, universities, financial institutions and the relevant national and international law enforcement bodies.
We also made use of the Oktoberfest to swap information and opinions with the journalists. After a couple of beers it became clear that there weren't any questions left unanswered : )
A few days ago David wrote about Consumer Reports, which created around 5,500 new virus variants in order to test antivirus solutions. Like most antivirus companies, we weren't particularly impressed by this.
Recently a writer for heise.de, probably the best known German IT website, picked up on the topic, criticizing the reaction of antivirus companies: “[they] fail to notice that they sound like Mercedes dealers complaining about the 'elk test' – arguing that there are enough real accidents to analyze the safety measures of their cars.”
This comparison is specious: in the context of antivirus testing, the 'real accident' is a computer or network infected by in-the-wild malware, and the 'elk test' is controlled testing under laboratory conditions. We've got nothing against controlled testing, as long as it uses malware which exists in the same form in the wild. We're also in favour of testing solutions which have deliberately not been updated: old signatures mean that heuristics and proactive protection technologies can be fully tested.
I can’t see any benefit in using newly created variants of existing malware in tests. And the argument that these new creations won't be made publicly available is irrelevant here. At the end of the day, such tests could lead to an atmosphere of open competition, with testers attempting to trick as many antivirus solutions as possible by writing ever more new and different malware. Of course, this would all be in the name of security... but it could reduce the amount of effort virus writers have to put in, with the burden ultimately being borne by end users.
Recently an attempt was made to blow up local trains in Germany. This reignited the discussion about how such threats could be foreseen and averted. In the course of these discussions, encryption came into the cross-hairs: after all, encryption makes it possible for terrorists to communicate with each other and to protect those communications from prying eyes.
However, not everyone who uses encryption is a terrorist. For your average user (home or business, take your pick), encryption is a method to ensure security, whether it's when transmitting confidential data over the Internet, or simply to ensure that data on a laptop will remain secure if the machine is stolen. Encryption isn't automatically evil - on the contrary, if someone uses encryption, it shows that s/he is both responsible and conscious of security issues.
Some German politicians are calling for encryption to be made illegal; or for it to be legal only if the state is provided with the key used. Such a stance clearly shows how far legislation can be from reality. After all, it’s illegal to blow up trains - but that doesn’t stop terrorists from doing this. Restricting the use of encryption in the name of anti-terrorism is a red herring; it won't stop terrorists, and it will seriously inconvenience home and business users who are taking responsibility for their data security into their own hands.
If it were to be suggested that people shouldn’t lock their front doors on the grounds of security, the media outcry would be huge. However, many politicians, as well as the population at large, seem to be stretching the idea of data security beyond all reasonable limits. This is muddying the waters, and gives rise to the fear that restrictions on encryption may soon find their way onto the statute books.
Malicious programs for computers have been around for more than 20 years. It was the birth of the Internet which really enabled these digital pests to make a breakthrough.
Until now, gaming consoles have been more or less immune to malware. Yes, there have been Trojans for the Nintendo DS console (Trojan.Nintendo.Taihen.a and .b) and for the Sony PlayStation Portable (Trojan.PSP.Brick.a), but the number of victims has been small. This is because the user has to modify the console in order for so-called homebrew software (i.e. software not certified by the console manufacturer) to run at all.
There's a Linux distribution available for the Sony PlayStation 2 (which will also be available for the PlayStation 3) which just cries out to be programmed for. However, any programs created will only run on PlayStations which have the distribution installed.
Microsoft recently announced that in future, users will be able to purchase a development kit for a registration fee of $99 a year. No Linux here: programs developed using the kit will only run on Xboxes where the user has also paid the registration fee, and they can only be copied to another console as source code. From a security point of view, this is a wise decision.
I hope that things won't change much in the near future. If Sony, Microsoft, Nintendo or hackers made it possible to easily download programs developed by users via the Internet, Pandora's box would be opened. The combination of unprotected gaming consoles, the Internet and the possibility of previously unknown vulnerabilities would turn gamers who had been immune to malware into a target for virus writers.
Last Friday, we came across an interesting site: a message board where stolen credit card numbers have been published since August 2005. The site included over 300 credit card numbers and additional information. On Friday more than 60 numbers were posted, showing that the site is definitely active.
It was clear that the information came from a variety of sources: the entries varied from basic (card number, three-digit security code, expiry date, name and address of the owner) to comprehensive (all the data above, plus phone number, email address, ATM PIN and account details).
Having looked at the site, we decided to call one of the victims to check that the information was authentic. Once he got over his surprise, he confirmed that the details we'd found were his. And that was the start of our telephonic odyssey.
15.30 - Telephoned the Bundeskriminalamt (German Federal Office of Criminal Investigation)
We were given the names of three people to talk to. After a few unsuccessful attempts to get through, it turned out that these three people were either on holiday, or had already gone home. We were finally told to send an email to email@example.com.
16.00 - Telephoned the Landeskriminalamt (German State Office of Criminal Investigation)
Our last phone call made it seem pretty likely that no-one would read our email (let alone do anything with it) before Monday. So we decided to call the local branch of the criminal investigation office - unfortunately, with the same lack of success. The result: we sent another email.
16.15 - Telephoned the credit card companies
The situation wasn’t any better when we called Visa and Mastercard - we couldn’t get through to anybody. As a last resort, we called the customer emergency number:
"We’re calling from Kaspersky Lab, an IT security company; we've found a website which has hundreds of your customers' credit card numbers on. Could you please tell us who in your company we should contact?"
“Er - could you please give me your credit card number, Sir?”
In order not to waste any more time, we got our US local office involved. They contacted the credit card companies and the FBI. Meanwhile, our Russian office started the process of getting the website taken down.
So everything’s been set in motion, but the whole thing still makes me a bit uneasy. If you lose your credit card, you’re obliged to inform the card issuer as soon as possible, and credit card companies do provide emergency numbers to make this easier. But the story above shows that if, like us, you come across more than 300 stolen numbers, it's going to be rather more difficult. Yes, all of this happened on a Friday afternoon, but criminals don’t take weekends off!
We’ll see how everything develops over the next couple of days and keep you posted. We'll also be publishing a short article about this case, with further details, in the very near future.
Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.
There are situations where passwords don't need to be very complex, because the user is forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system blocks further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.
However, the story’s very different for encrypted data on devices: if they fall into the wrong hands, an attacker can just plug them into his computer and try passwords offline without any limitations.
Most encryption programs don't ask the user to enter the encryption key itself, but a password from which the final key is derived. Like any password, one for an encryption program should be relatively complex. A hundred years ago a password like "King Richard" would have been adequate. But today it could be cracked within seconds using a dictionary attack.
Just ten years ago, 40-bit keys and the passwords that went with them were seen as “secure enough”. Today it would take just a couple of hours to try all the possible variations.
Nowadays, 128 bits should be the minimum and 256 bits is becoming the standard. This is where the problem lies: if the data itself is protected using a 256-bit key, the password must carry just as much entropy; otherwise an attacker simply guesses passwords instead of keys, and the strength of the cipher is irrelevant.
Let's assume that upper case, lower case and numbers are all valid password characters: that gives 62 possibilities per position. With 43 positions, there are about 1.18e+77 possible variants, which is close to the size of a 256-bit keyspace (about 1.16e+77 possibilities). But who can memorize a 43-character password, for example "jZ85xfbgGjf52d2sS8gd43ahfFR5rG3qZ4wF425FfVf"? And who has enough time to even type such a random string of letters and numbers? And such passwords are hardly likely to motivate users to change them regularly, which is of course recommended.
So what other options are there? Tips like creating passwords from the initial letters of easy-to-memorize sentences (e.g. "My cat likes to bounce off my furniture" -> "Mcltbomf") aren’t very helpful: letter frequencies in natural language make such passwords far less random than they look, and therefore far less useful. Such passwords might make the user feel better, but they don't provide any real security.
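As an added illustration (not part of the original post), the following Python reproduces the keyspace arithmetic above, derives a key from a password the way encryption programs do, and runs the kind of offline dictionary attack mentioned for "King Richard" against a constructed wordlist. The PBKDF2-HMAC-SHA256 derivation, the salt, the wordlist and the guess rate are assumptions for the demo, not details of any particular product. One caveat a practitioner should keep in mind: a slow key derivation function multiplies the cost of every guess by its iteration count, but it adds no entropy, so the gap between a memorable password and a 256-bit key remains.

```python
import hashlib
import math

# The post's assumption: upper case, lower case and digits are valid,
# which gives 62 symbols per position.
ALPHABET_SIZE = 62


def password_bits(length, alphabet_size=ALPHABET_SIZE):
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def chars_for_key(key_bits, alphabet_size=ALPHABET_SIZE):
    """Shortest uniformly random password whose keyspace is at least 2**key_bits."""
    return math.ceil(key_bits / math.log2(alphabet_size))


def seconds_to_exhaust(bits, guesses_per_second, kdf_iterations=1):
    """Worst-case time to try every password when each guess costs
    kdf_iterations hash rounds. Iterations multiply the attacker's work;
    they add no entropy to the password itself."""
    return (2 ** bits) * kdf_iterations / guesses_per_second


def derive_key(password, salt, iterations, length=32):
    """Turn a password into a key with PBKDF2-HMAC-SHA256. This is an assumed
    stand-in for whatever derivation a given encryption program uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=length)


def dictionary_attack(target_key, salt, wordlist, iterations):
    """Offline guessing against a stolen container: re-derive the key for
    each candidate and compare. No lockout or delay applies, as the post notes."""
    for candidate in wordlist:
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate
    return None


# Constructed, tiny wordlist for the demonstration (not a real dictionary).
WORDLIST = ["password", "Richard", "king richard", "King Richard", "castle"]


if __name__ == "__main__":
    print(f"random chars needed for a 128-bit key: {chars_for_key(128)}")
    print(f"random chars needed for a 256-bit key: {chars_for_key(256)}")
    print(f"bits in an 8-character password, even if random: {password_bits(8):.1f}")

    rate = 1e9  # assumed: one billion plain guesses per second
    for bits in (40, 128):
        hours = seconds_to_exhaust(bits, rate) / 3600
        print(f"{bits}-bit keyspace at {rate:.0e} guesses/s: {hours:.2e} hours")

    salt = b"constructed-salt"
    iterations = 100_000
    stolen_key = derive_key("King Richard", salt, iterations)
    found = dictionary_attack(stolen_key, salt, WORDLIST, iterations)
    print("dictionary attack recovered:", found)

    # The KDF makes each guess cost 100_000 hash rounds instead of one,
    # which stretches the 40-bit search from hours into years.
    years = seconds_to_exhaust(40, rate, iterations) / (3600 * 24 * 365)
    print(f"40-bit keyspace with {iterations} iterations: {years:.1f} years")
```

Run it directly to see the figures: chars_for_key(256) gives the 43 characters quoted above, and the dictionary attack recovers "King Richard" after a handful of derivations regardless of how slow the KDF is, because the candidate list is short.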
Let's face it: the power of today’s decryption technologies has overtaken our ability to memorize complex passwords. Until someone invents a way to extend human memory, a password stored on a USB token or other device is the only answer - with the associated risk that the device might be stolen together with your encrypted data.
It’s sad, but true - when it comes to data encryption, the password has had its day.
According to Wikipedia, Nigeria's main exports are cocoa and oil. But what you won't find in most travel guides is that Nigeria is also associated with 419 scams and Internet fraud in general. In Germany, this international crime ring is often called the Nigeria Connection.
Last Thursday the German police arrested a 34-year-old in Berlin who is believed to be a member of the Nigeria Connection. He sold non-existent items by online auction, and his more than 100 victims lost around 70,000 EUR. The victims transferred the money to illegally opened bank accounts; it was then withdrawn from cashpoints that weren't monitored by cameras.
Working the other way round, as a bidder rather than a vendor, is still on the daily agenda of the Nigeria Connection. How does this scam work? First, they bid on compact items like mobile phones and laptops, usually offering unreasonably high prices to ensure that their bids are accepted. They ask the vendor to send the item to Nigeria as soon as possible, often saying that it’s a birthday present for their children.
And usually they come up with the wildest stories - here are some excerpts from emails (with spelling and grammar errors typically found in Nigeria Connection messages) sent to the vendor following purchase:
“I live in australia, I'm interested in buying your item for my husband who went for christian program in nigeria.”
“Right now I'm in Osaka Japan a humanity programme. I want that item for my son in Nigeria.”
“I am Dr. Christy Ogieva, one of the Doctors currently in Turkey trying to put the Bird Flu under control. (...) for my son studing in Nigeria on the occasion of his birth day.”
The victim is told that they will receive full payment, plus money to cover the additional shipping costs, once the item has been sent. Usually the victims are asked to give their full address, phone number, email address and bank account details. There have been cases where vendors were told that the money would be delivered to them in person. Strange as it may seem, it looks as though there are people who believed this.
This scam has been around for a number of years now, but people keep falling for it. Members of the Nigeria Connection probably don't have as many children as they claim, but they do have a lot of imagination. And they’ll continue to use this to target unsuspecting on-line auction users.