Internet Security – An Oxymoron?

Internet security warnings from my Tech Net News column in the last few days. This is only a small sampling of the hundreds of cyber criminal activities I’ve posted to Tech Net News so far this year.

Fake VirusTotal site serves malware

Hotmail flaw allows attackers to exfiltrate emails

LinkedIn security flaws allow account hijacking

Sony online store hacked and user information published

Black Hole Exploit Kit Available for Free

Cybercrime statistics show widespread phishing problem

Not Even Security Managers Immune to FakeAV Infection

Major weapons makers see networks breached by hackers

Apps with dangerous permissions pulled from Chrome Web Store

Security researcher finds ‘cookiejacking’ risk in IE

Norwegian Military Hit by Cyber Attack in March

Google Patches Critical Chrome Bugs

Newest MacDefender Scareware Installs Without a Password

The question:

Why should it be necessary for me to run FIVE  security applications on my home machine – including  Zemana AntiLogger, WinPatrol, Microsoft Security Essentials, PC Tools Firewall Plus, and ThreatFire – to guard against cyber crime ?  On top of that, in order to maximize security potential, I have to  run in a virtual environment (BufferZone Pro), while surfing the Net.

It doesn’t stop there though. In addition to all of the above, I have to load up my Browser (Firefox), with TEN security/privacy add-0ns including – Adblock Plus, Better Privacy, WOT, Ghostery, GoogleSharing,  HTTPS-Everywhere, NoScript, Perspectives, Qualys BrowserCheck, and Search Engine Security.

Reality:

The reality is – we are immersed in a mess that has reached virtually unmanageable proportions. We are now at a full blown crisis stage vis a vis Internet security.

The tech speak, which this situation engenders, reminds me in a sense of the political rhetoric we are constantly exposed to – everyone has identified the  problem/no one has identified the real problem; everyone has a problem solution/no one has a solution, everyone seems to discuss it/no one truly discusses it.

The end result? It appears as if no one seems to give a damn. So, we just keep on piling up the victims of cyber crime.

Finger pointing, and finger wagging, is the order of the day. It’s the developers fault; it’s the users’ fault; it’s the very nature of the backbone of  the Internet (as if the Internet was a parallel universe not subject to laws, or moral and ethical consideration); it’s the lack of effective law enforcement; it’s the lack of truly effective security applications; Internet security is a business, so it’s unlikely anyone is going to kill the goose that lays the golden egg; …………… Round and round it goes.

What a mess! Are you as tired of been forced to deal with this seemingly never-ending escalation in cyber crime, as I am?

Something to consider – cyber criminals are not the only ones who find Internet security a lucrative field. I’ll admit that I’m a cynic – but, I’ve never yet met a problem solver who worked himself out of a job. Something to think about the next time you purchase a security application, or appliance.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Are Mischievous Kids Responsible For Most DoS Attacks And Bots?

I frequently read the comments posted to other blogs, and tech forums. It’s an elementary way for me to keep in the loop on what others are thinking, relative to their computing experiences.

Often, I’ll find a bit of helpful wisdom in a comment – but, from time to time, I’ll come across a comment that just rubs me the wrong way.

For example – what’s wrong with the following point of view?

“Most of the Denial of Service attacks and other similar “bots” are written by 10 to 14 year old kids that are just being mischievous or looking for some acknowledgement from their peers”.

Other than the fact that’s it’s fanciful thinking (which is statistically unsupportable), it underplays, or ignores, more than a few basic realities:

Cyber crime has evolved dramatically from the days when it took little effort to be a hacker. The days when antimalware applications were either non-existent, or crude.

Organized crime is  the major player in the cyber criminal field. Money is the motivation – economic gain is the driver.

Cyber crime is a multi-billion dollar industry that encompasses identity theft, monetary theft, social and personal scams, extortion, industrial espionage, state-sponsored espionage, and more.

Today’s malware is sophisticated, extremely dangerous, difficult to identify and remove – and coded by experts who are as talented, if not more so in some cases, as any who are employed in legitimate enterprise.

On the face of it, you may think that this point of view is harmless – but that’s questionable. At the very least, this type of statement helps to perpetuate the myth that hacking, and cyber crime, is essentially an activity engaged in by “kids that are just being mischievous”.

The unassailable reality is – highly organized cyber criminal gangs ransack computers, and computer networks, for data that can be used for criminal purposes – not ten to fourteen year children, or older teenagers, seeking a badge of honor.

Surprisingly, it has been my experience that a lower level computer user is more likely to believe this myth, than not. Little wonder that cyber crime ( carried out by committed professional criminals), is rampant on the Internet, when the real perpetrators are seen by some computer users as little more than wispy netherworld figures that may – or may not – exist.

Something to think about – Do teenage hackers exist in any significant number? More to the point – do they constitute a threat to your security on the Internet?

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Panda Security’s Collective Intelligence Says 20 Million New Strains Of Malware In 2010

It may well be, that malware creators have discovered the same principal that countries involved in the the nuclear arms race have come to know – once you have enough weapons; you have enough.

According to Luis Corrons, technical director of PandaLabs – “so far in 2010, purely new malware has increased by only 50 percent, significantly less than the historical norm. It seems hackers are applying economies of scale, reusing old malicious code, or prioritizing the distribution of existing threats over the creation of new ones.”

Complacency though, is not in the cards , at least not yet, since Corrons went on to say –  “This doesn’t mean that there are fewer threats or that the cyber-crime market is shrinking. On the contrary, it continues to expand, and by the end of 2010 we will have logged more new threats in Collective Intelligence than in 2009.”

The evolution of malware – 2010:

The average number of new threats created daily has risen from 55,000 in 2009 to 63,000 in 2010 to date.

The average lifespan of 54% malware has been reduced to just 24 hours, compared to a lifespan of several months that was more common in previous years.

34% of all active malware threats were created this year.

20 million strains of malware have been created already this year; the same total for the year of 2009.

Many malware variants are created to infect just a few systems before they disappear. As antivirus solutions become able to detect new malware more quickly, hackers modify them or create new ones so as to evade detection.

Graphic courtesy of PandaLabs.

So, should these statistics hold any relevancy for you? Should you be preoccupied, or overly concerned, with these numbers? The answer, it seems to me, depends on how aware you are of the overall Internet security landscape, and where you fit into the following user groups.

• Those who know.
• Those who think they know.
• Those who don’t know, that they don’t know.

Hopefully, you are in that small group who can confidently say – “I know”.

About PandaLabs:

Since 1990, PandaLabs, the malware research division of Panda Security, has led the industry in detecting, classifying and protecting consumers and businesses against new cyber threats.

At the core of the operation is Collective Intelligence, a proprietary system that provides real-time protection by harnessing Panda’s community of users to automatically detect, analyze, classify and disinfect more than 63,000 new malware samples daily.

The automated classification is complemented by a highly specialized global team of threat analysts, each focused on a specific type of malware, such as viruses, Trojans, worms, spyware and other exploits, to ensure around-the-clock protection.

Learn more about PandaLabs and subscribe to the PandaLabs blog here. Follow Panda on Twitter and Facebook.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Internet Security? Who Really Gives A Damn!

I noticed this morning, that USA Today (TechnologyLive), had linked back to an article I wrote earlier this year on SlimWare Utilities ( tools designed to clean up, and maintain, computer systems).

At the risk of sounding ungrateful (which I’m not), I would have  much preferred that they had linked back to an article dealing with computer security. Allow me to draw an analogy to explain this – an article on “How to Upgrade Your Kitchen”, has limited value if crooks have just stolen the kitchen sink.

The reality is – we are immersed in a mess that has reached virtually unmanageable proportions. We are now at a full blown crisis stage vis a vis Internet security.

The tech speak, which this situation engenders, reminds me in a sense of the political rhetoric we are constantly exposed to – everyone has identified the real problem/no one has identified the real problem; everyone has a problem solution/no one has a solution, everyone seems to discuss it/no one truly discusses it. The end result? It appears as if no one seems to give a damn. So, we just keep on piling up the victims of cyber crime.

Finger pointing, and finger wagging, is the order of the day. It’s the developers fault; it’s the users’ fault; it’s the very nature of the backbone of  the Internet; it’s the lack of effective law enforcement; it’s the lack of truly effective security applications; Internet security is a business, so it’s unlikely anyone is going to kill the goose that lays the golden egg; …………… Round and round it goes.

I continue to shake my head in wonderment over the kafuffle caused by the BlackBerry conflict with Middle East countries requesting access to encrypted BlackBerry corporate email services.

The truth of the matter is – on a broad scale, the number of people affected is miniscule, as compared to the number of people impacted by cyber crime EVERY day.  Yet, this is one story that won’t go away – one that is constantly updated by mainstream media.

Criminal activity, on the other hand, that has substantial impact on consumers, business, and government (think Stuxnet), continues to get short shift. Talk about reality displacement!

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

It’s Time We Called Cyber Criminals What They Really Are – Terrorists

While it may be true that cyber crime doesn’t fit neatly into the restrictive classical definition of terrorism, (motivation is a definitive factor), nevertheless, cyber crime’s effect on Internet users’ is  arguably similar  – intimidation, coercion (think Rogue software), and instilling fear.

Motivation be damned! Simply because a hacker’s motivation is money, rather than political gain, hardly changes the effect of the crime. Cyber criminals, by my definition, are terrorists.

Consider the following two points:

If a group, or an individual, dug holes in a highway in your community making it unsafe to use, (put the motivation aside for a moment), how would you refer to that person, or group, based on the impact on you? The reality is – cyber criminals, blow holes in the Internet highway on a daily basis.

If you couldn’t get to work today, because a criminal gang held the subway system to ransom – with a bomb threat, how would you, or more particularly, law enforcement officials, refer to that group? The reality is – cyber criminals hold individuals, and web sites, to ransom every day.

As Shakespeare said, in Romeo and Juliet , “That which we call a rose, by any other name would smell as sweet.”  The point being – it doesn’t matter what you call a thing; what matters is – what the thing is. Cyber crime though, is a misnomer – terrorism is not.

This morning, when I was editing my Tech Net News column, I included the following high profile cyber crime occurrences which were reported over this past weekend. I could easily have added a dozen more, all from the last few days, but I think the point was made.

Newest Social Net Scam: Stranded Friend – Analysis: Beware a common hoax involving a hijacked email account and a plea for quick cash from a familiar name.

Trojan attacks now almost solely from legitimate websites – According to reports, surfers are now almost always attacked from the hacked web sites of legitimate providers. Previously the general assumption was that malware was only found on sex sites and other shady web sites, but these days all you need to do is visit the site of your favorite newspaper to come under attack.

Reports of Possible YouTube Hack Light up Social Media Sites – Reports have surfaced on social media sites that YouTube may have gotten hacked and that Apple’s iTunes App Store may also be compromised.

App Store Hacked – Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. What’s more concerning is that it seems individuals iTunes accounts have been hacked to make mass purchases of that one developer’s apps.

Existing penalties for cyber crimes, including those mentioned above, are far less than adequate. So, calling cyber criminals what they are – terrorists; would open up a whole new spectrum of possibilities – including the application of criminal penalties, and sanctions, more in line with the true nature of the offense – terrorism.

I’ve always been curious as to why it is, governments and law enforcement agencies, protect us across a broad spectrum – from noisy neighbors, all the way to ensuring our safety while travelling on airplanes. And yet, these same governments and law enforcement agencies, leave it us, at an individual level, to deal with cyber crime.

This hands off policy has led to staggering costs to world economies – (a Trillion dollars or more, annually), and the impact on individuals, is immeasurable.

I suspect, that if cyber crime was referred to in a more appropriate manner – terrorism; we might find ourselves less alone in our daily struggle to stay safe on the Internet.

What do you think:

Are you tired and frustrated with having to deal with cyber crime on your own?

Should the nature of cyber crime be reflected in a more appropriate way, by calling it what it is – terrorism?

Should the penalties for cyber crime be set at a level commensurate with the true nature of the offense?

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

The Global Cyber Crime Marketplace

The buying and selling of hacking tools, e-crime kits, malware, and stolen credit card numbers, in a cyber crime flea market environment, may seem as if it stretches the bounds of reality. But, guest writer Paul E. Lubic, Jr., explains in this eye popping report, that this is in fact, a new cyber crime reality.

Here’s Paul’s report:

The global cyber crime marketplace is alive, real, and growing. In a recent article, Global Cyber Crime…, I alluded to the existence of a market for renting botnets, purchasing malware, and obtaining stolen personal information.

At that time, this market of buyers and sellers existed on a small number of black hat-type websites. However, now these brazen thieves have come out in the public to exchange their criminal wares.

According to an article in the Register, Scotland Yard cuffs teens for role in cybercrime forum, a public forum of 8,000 attendees was held in London. The two teens who were involved in organizing the forum are not the story here. It’s the fact that there were vendors there, probably in show booths giving away trinkets for stopping by, that were selling hack-tools, e-crime kits, malware, and 65,000 credit card numbers.

I applaud Scotland Yard for arresting the teen organizers, but I don’t understand why they didn’t arrest those attendees and vendors who were trafficking in these crime-related tools and illegal credit card information. What is wrong with this picture? I don’t think it’s because of ignorance—Scotland Yard evidently knew laws were being broken or they wouldn’t have arrested the organizers.

Could it be that British computer laws don’t address the marketing of these products? Perhaps no one realized the gravity of the situation—they were selling Zeus, the malware that steals banking and credit card information and instructions on how to use it.

Maybe there were undercover agents making purchases and gathering evidence for future arrests. Or it could be all of the above; but the bottom line is that a lot of criminals and malware could have been taken off the street…but weren’t.

The message being sent to the cyber criminal community is that as long as the forum is in England, and you don’t get involved in the actual organization of the forum or conference, you’re free to ply your wares and sell or purchase tools with which to break laws and steal from the masses.

However, this forum, as disturbing as it might be, is just a harbinger of a much greater global cyber crime picture that concerns me. It should concern you too.

The messages we should be taking from this are:

1. The criminals are becoming emboldened, almost unafraid of being arrested. This is because there is so much money in cyber theft that it’s worth the risk; coupled with the fact that this is a new industry and the early participants will become the most rich.
2. The amount of cyber crime being committed is expanding at an alarming rate. Anyone is able to get into the cyber crime business for as little as a few hundred $US, and because of this, there is an explosion of cyber crime underway as we speak.
3. The world’s law enforcement community is woefully undermanned and under educated in cyber crime. This area of law enforcement needs to be funded at a much greater level than the present “handful” of cyber crime officers in each organization today.
4. We need to be afraid…very afraid of this problem. For all the reasons stated in items 1-3, we will remain the target of cyber crime for the foreseeable future.

Guest writer Paul E. Lubic, Jr. is a long time IT professional who has held the positions of programmer, IT Security Manager and Chief Information Officer.  His interests lie in the IT security area, but he writes on all categories of technology.

Paul is a mature and seasoned writer, with a rare ability to break down complex issues into an easy to understand format. Check him out at his Blog – Paul’s Home Computing.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Monster.com Hacked – Irresponsible Response

OK, so let’s say your Doctor’s (substitute a professional of your choice), office was burglarized and all medical records, including yours, were stolen.

Your Doctor, nice guy that he is, didn’t want to cause you unnecessary anxiety, so he didn’t advise you that your confidential records were now out in the wild blue.

Can’t, or won’t happen, you’re thinking. Think again.

Monster.com, a web site that bills itself as the “world’s leading career network” is a web site used by people looking for a new job. Information required to register with the site includes, user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

According to Patrick Manzo of Monster Worldwide, Monster.com suffered a database penetration (sometime this month – no date given), during which “certain contact and account data were taken”. So let me rephrase that for you – Monster was hacked and personal information stolen.

Simply put – if you have an account with Monster.com, your confidential information is now freely available to the vast hoards of cyber criminals who trade in this currency.

Your minimum expectations, if you are registered with Monster.com, should be that you would be notified of such a serious breech. Not too much to expect, I would suggest.

But no, Monster’s view is, since there is no direct evidence of misuse of the stolen information (yet), a small notice of this occurrence posted on their main page is sufficient notice. No other notification that your personal information is now at risk. Bizarre!

Note to Monster: Hey, don’t worry about this massive penetration of your data base – these cyber criminals just dropped in to have a look around your obviously under protected database environment.

Your attitude flies in the face of reality. Get real! You obviously need to be dragged, kicking and screaming into the real world of cyber crime.

As a consequence of this penetration, if you are a Monster.com customer, you need to do the following at once:

Change your password for ALL your accounts, not just Monster.com.

Be on guard against “phishing” fraudulent emails, and fraudulent telephone calls in the near term.

It’s not very often that I’m struck speechless by the shenanigans pulled by some of the larger Internet entities but this one; well it’s just too calculated, too condescending, too….. too damn stupid!