Roger's Security Blog : Cybercrime

COFEE freely downloadable on the Internet?

rhalbh — Tue, 10 Nov 2009 17:44:00 GMT

You definitely have heard of COFEE (Computer Online Forensic Evidence Extractor) which we make freely available to Law Enforcement through Interpol and NW3C. Now, the probably unavoidable happened and the tool leaked to the Internet. There was actually an interesting statement by ArsTechnica yesterday: Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer.

To make our point clear, let me quote Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation:

We have confirmed that unauthorized and modified versions of Microsoft’s COFEE tool have been improperly posted to bit torrent networks for public download. We strongly recommend against downloading any technology purporting to be COFEE outside of authorized channels – both because any unauthorized technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for law enforcement purposes for which the tool was designed.

Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern. COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field.

In cooperation with our partners, we will continue to work to mitigate unauthorized distribution of our technology beyond the means for which it’s been legally provided and, again, would strongly discourage people from downloading unauthorized versions of the tool. As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at www.nw3c.org or INTERPOL at cofee@interpol.int.

So, to be clear: It is not “only” illegal but it is modified as well. Do you really want to install that?

Roger

International Collaboration on Policies for Cybersecurity and Data Protection

rhalbh — Thu, 05 Nov 2009 20:41:43 GMT

Since a few years we are working with the Council of Europe in a partnership to help to drive a Cybersecurity treaty. We realize that a problem a lot of Law Enforcement agencies have is inconsistent legislation which makes is unbelievably hard to catch the criminals. The Council of Europe treaty is a great starting point and has been ratified not only by most of the member states of the Council of Europe but by a lot of additional countries around the globe.

Now, the European Union and the United States have agreed to treat such challenges as international issues and to develop joint policies based on shared values.

Unfortunately, the agreement is not too concrete but the fact that we have an agreement in place, should let us hope: EU-US Joint Statement on "Enhancing transatlantic cooperation in the area of Justice, Freedom and Security"

Roger

COFEE now distributed via a NW3C as well

rhalbh — Fri, 16 Oct 2009 09:15:00 GMT

COFEE is a tool available to Law Enforcement only to capture online evidence with a little training as possible. The idea behind the tool is, that there is little need for high-trained staff to be available during e.g. house searches and that a normal, much less trained officer can capture all the data. Until today, Interpol was the only channel for distribution. Now, the US National White Collar Crime Center is the second organization being able to distribute it.

If you are a Law Enforcement Agency/Officer and want access to the tool, you may contact Interpol or NW3C

Roger

The Africa Cable – A Chance for Africa! – A Threat for the Internet?

rhalbh — Wed, 07 Oct 2009 17:10:00 GMT

The development in Africa especially with the new broadband services to me is a huge chance for the whole continent.

I just found this map on the next two years:

source: IntelFusion

Even though I have not been in Africa over the last few months, I heard that in different cities fiber is brought directly to the household, which brings technology and opportunities I would love to see here in Western Europe, where we still have to rely on copper. So, if the governments in Africa are serious with this, I think this is an outstanding growth opportunities for those markets.

On the other hand, when I talk to customers and governments in Western Europe, there is a lot of dis-trust as well. Can we trust the governments? How much malware will be spread coming from this continent? Actually, the kick for this post was the following article just outlining this: Africa - home of the world’s largest cyber pandemic – which makes me think.

If I look at our Security Intelligence Report back in April (the new one will be coming soon) and look at the malware infection rate we see, it is not worse nor better than any other region:

However, the data we have available from Africa might not be as broad as in other regions.

Another thing came to my mind. I was in Kenya two years ago on a business trip and I learned one thing – the idea of shipping outdated PCs to Africa to help people there does not work as it requires them to run old and outdated software which makes them open for attacks. Simple, isn’t it?

Looking at my figures, it is a problem but not smaller or bigger than any other region on this globe. Additionally, one of the reasons, why our teams work so hard to get Microsoft Security Essentials out of the door for all countries is just to reduce this threat. Make a professional Anti-Malware solution available to people who cannot afford one free of charge.

Rather than being threatened, let’s welcome this continent on the “broadband Internet” and help them now to learn from our challenges and failures in the past.

Roger

Paper on Information Warfare

rhalbh — Thu, 09 Jul 2009 09:27:07 GMT

I often see a lot of discussions on Information Warfare. Today I just stumbled across a paper published by RAND called Strategic Information Warfare – A New Face of War – from my first impression definitely worth reading

Roger

Distributed Denial of Service – and how it works

rhalbh — Wed, 08 Jul 2009 14:30:43 GMT

I often get asked about Distributed Denial of Service (DDoS) attacks, how it works and what role we can play to prevent them.

So, let me start with the first part of it: Our Security Intelligence Report version 5 talked about the underground economy and actually explained what is happening before a DDoS takes place. Let’s recap this:

Often it starts with the plan of a criminal to build a botnet. So, this malicious person goes to an underground marketplace, buys a piece of malware, a bot and a control server software. In addition, he/she might even be able to buy an initial distribution of the bot by letting somebody infect a webpage (which might be unpatched or have a weak password or somehow else being unsecured) or any other distribution channel for malware you might know of (e.g. social engineering):

Now, the criminal is ready to go. He/she might own a certain number of PCs called Zombies. He can now offer his “services” on the same online black market, he initially purchased the malware from and might find “customers” like spammers, phishers, blackmailers or any other criminals:

Here you see the reason why we leverage our Malicious Software Removal Tool to go after the largest botnets. It is all about protecting the ecosystem.

So, I could basically rent a botnet to flood a web server with any kind of junk in order to take it offline – this is called a Distributed Denial of Service attack. I often compare this with spam – not for your Inbox but for your web server. The server is still up and running but kept busy sorting junk from legitimate traffic.

There are often different motivations behind this:

Remember the times of Al Capone? Where the criminals attacked shops and then offered them a service to protect them? The same can happen here: A criminal runs a DDoS against your website and takes it down for a few minutes. Then he lets it come up again and tells you that he can protect you from these attacks – I would call this blackmailing.
We often see such attacks with a political background. You see a conflict happening somewhere and one party (or both) is trying to take down the website of the other.
Sometimes it is more a “I do not like you” background. Microsoft has been attacked as well from time to time….

So, if you want to know more about DDoS, I can recommend you two sites:

On our Technet site, there is an article called Distributed Denial-of-Service Attacks and You, which is worthwhile reading and shows you some basic protection as well. This article is not too new but it even gives you some advice on how to protect yourself.
Wikipedia has a site, which can give you some history on it and shows you different types of the attacks: Denial-of-service attack

I hope this helps and clarifies some questions. Otherwise, do not hesitate to get in touch with me

Roger

How much does a lost Laptop cost?

rhalbh — Mon, 27 Apr 2009 15:14:25 GMT

I stumbled upon this study today commissioned by Intel and executed by Ponemon. They key findings were:

The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.
What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost.
The second highest cost component is attributed to intellectual property loss. When the cost of a data breach is removed, intellectual property loss represents 59% of the total cost.
The faster the company learns that a laptop is lost, the lower the average cost. If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849.
Lost productivity is not a significant cost to companies. When employees have down time due to losing their laptops, it represents only 1% of the total cost.
While lost laptop costs appear to be correlated to position in an organization, the most senior level respondents do not experience the highest average cost. The average cost of a lost laptop for a senior executive is $28,449 and the highest average costs are for manager and director, $60,781 and $61,040 respectively.

So, protecting the information on your Laptop is fundamental and could significantly reduce the cost of a stolen Laptop – say: Switch on Bitlocker…

The whole study can be found here: Cost of a Lost Laptop: A Study Conducted by the Ponemon Institute

Roger

Finjan reports world's largest Botnet

rhalbh — Fri, 24 Apr 2009 12:45:44 GMT

I guess you have read it in the meantime: There are a lot of reports out there, that Finjan found a Botnet affecting 1.9 Million computers. This is really bad – obviously. The press now started to cover this and I think we are already losing a little bit of focus in the discussion. I tried to understand what was going on based on the publically available information.

To me it seems like the Botnet was leveraging known vulnerabilities in browsers to download malicious Javascript. It then started to spread on the infected machines and downloaded a Trojan called Win32/Procesemes.A (The link leads you to our encyclopedia on this Trojan). We added the detection for this Trojan to our signature version 1.57.181.0 (so, since quite a while) and with that to all our products like Windows Live OneCare, Microsoft Forefront Client Security and Windows Live OneCare Safety Scanner.

What does this tell us? Well, is it not the same story as always? There are three things that went wrong here:

Machines were unpatched (and not only IE)
People are running as Admins
The AV-signature was/is not up-to-date. We even remove the Trojan if you are infected…

So, the Botnet is huge and therefore dangerous and it is definitely a criminal activity to infect people’s machines. But there are ways to protect…

As always, if you think that you are infected, report it to your local Law Enforcement. You may contact our support (free of charge for security incidents) on http://support.microsoft.com/security. And then follow the standard steps of the “Protect Your PC” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software.

Roger

Security Intelligence Report: “Scareware” on the Raise

rhalbh — Wed, 08 Apr 2009 09:50:58 GMT

You know that we release our Security Intelligence Report twice an year: Today Version 6 is due.

Let me try to give you an overview of the “highlights” of the report from my point of view:

As I wrote in the title and as I blogged about this summer („Scareware“ on the Raise) one if the biggest growing threats we see is what I call “Scareware” or what we call in the report “Rogue Security Software”. I guess you know the feeling of visiting a website which then tells you that you are infected by malware and you should download a piece of software to protect you (or to clean your PC). Here you see a screenshot of how this can look like:

So, we have seen this growing over the last three periods and therefore we decided to feature a focus section on this growing threat.

A standard topic in the report is about vulnerability disclosures. Here you find the chart you are used to if you read our Security Intelligence Report, my blog or heard me talking recently:

So, looking at the chart there is good and bad news:

The good news is that vulnerability disclosures (industry-wide) is decreasing.
However, there are still more than 2500 vulnerabilities per 6 months (to be clear again: this is the whole industry, not us)
And, roughly 52% of all the vulnerabilities where high severity ones!

Looking at Microsoft’s vulnerabilities, this is the picture:

One thing I always mention, when I talk about this: If you are planning your Patch Management processes and you look at the figures above, make sure you cover your whole IT and not “just” Microsoft. In H2 2008 we had roughly 100 vulnerabilities out of 2500! So, think about patching the others as well (see 98% unpatched – and I am one of them :()

There are a few other charts in the report like the percentage of vulnerabilities responsibly disclosed or attacks on applications which I do not want to put in there (there has to be a reason you read the report J). But one thing I want to take up here as it was so important in H2, which is the PDF attacks as this underlines the statement I made above about Patch Management. Look at the exploits by months targeting Adobe Acrobat Reader:

To be crystal clear with the graph above: This is not finger-pointing at Adobe. We were working closely together to address this and for both vulnerabilities there are updates available today. What I wanted to show you is that you have to extend your risk management to applications outside Microsoft.

Another standing set of graphs are world heatmaps. There are three of them in this Security Intelligence Report:

The “classic” malware infection rate based on the Malicious Software Removal Tool:

Even though we changed the way to determine where a computer is based (and therefore last report’s map cannot be compared with this one), EMEA does not look that bad. We have some challenges in the Middle East, Russias and – surprisingly to me – in Spain but the rest looks not great but ok.

But there is more. This time we look at the source of the malware based on infected websites and where they are hosted:

Here we have quite some green spots – which is good. It is interesting to see that Russia and Spain are red again here…

And last but not least the heatmap on where phishing sites are hosted:

If you take a different angle and look at it from a Windows perspective with regards to malware infection, it once more shows the progress we made with the different OSs:

This re-enforces the message I am delivering as often as possible: If I could give you one single advice from security person to security person (I am not measured on quota), this would be “stay on the latest version of your software – everywhere”. This includes Patch Management as well as Lifecycle management. Jus think about every piece of software you have (including embedded systems), think about when it was designed and then think about the threat landscape back then… Do you really have to think twice then?

If you want to hear Vinny Gullotto (General Manager, Microsoft Malware Protection Center) talk about the Security Intelligence Report, you can look at and interview he did with Tim Rains: Vinny and Tim show - SIR Volume 6 .

So, this and much more you can find in our Security Intelligence Report. Download it and have fun!

Roger

Additional Conficker Guidance

rhalbh — Sat, 07 Feb 2009 13:42:26 GMT

Yes, Conficker is far from being over. We still see a lot of infections. Therefore we decided to publish additional guidance for Conficker:

Microsoft Conficker guidance page for IT Professionals and those focused on security in the enterprise: http://technet.microsoft.com/en-us/security/dd452420.aspx

Microsoft Conficker guidance page for consumers and home users: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Roger

The Way to a Zero Day

rhalbh — Thu, 05 Feb 2009 11:10:00 GMT

No, sorry but this is not a tutorial

I just read this blog post on Websense which is pretty interesting: The way to a zero-day

Roger

After Estonia now Kyrgyzstan

rhalbh — Fri, 30 Jan 2009 15:49:52 GMT

There is definitely proof that during war times, armies add a virtual component to the “real life” war.

Additionally we have seen the attacks to Estonia, where nobody really knew where they originated from (I do not mean the country but whether a government was behind them of just a group of hackers).

Now, we see attacks on Kyrgyzstan – a country completely knocked off the Internet and this is scary! Think about the country you are living in: What would happen if you would be taken offline for a day – what would be the economical impact?

I quote from the article below:

Beyond the immediate effect on Kyrgyzstan, what's worrisome to Jackson is the speed with which this attack was mounted. "To put some perspective on this, it's been an escalating pattern from Estonia to Georgia to here," he said, referring to the 2007 and 2008 attacks against other former Soviet republics. "The attacks are more closely coinciding with events that are core to the Russian interest, with increasingly fast response and quick mobilization.

"When it once took days or weeks, now we're seeing it within hours," Jackson said.

Russian 'cybermilitia' knocks Kyrgyzstan offline

Cyberterrorism is definitely something we have to have a look at in the near future!

Roger

Comments on US-CERTs Advisory on Auto-Run

rhalbh — Thu, 22 Jan 2009 17:41:46 GMT

You might have seen the advisory of the US-CERT titled Microsoft Windows Does Not Disable AutoRun Properly – if not, you will definitely have seen one of the articles covering this issue and telling you that our advice on how to prevent Conficker is flawed.

This statement is not quite true the way it came out initially and US-CERT in the meantime already adjusted their advisory:

Our advice in http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true works if you apply http://support.microsoft.com/kb/953252

US-CERT already updated their advisory:

Update:

Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as well as the workaround described above.

Roger

Russian Roulette with your Network

rhalbh — Sun, 04 Jan 2009 15:17:00 GMT

First of all, before I really start, I hope that you all had a great start in 2009. Mine was actually pretty mixed. The good side was, how my year really started and what I saw when I looked out the window at January 1st (yes, I was on vacation skiing and this was how the view was almost each and every morning):

But honestly, this is not the only reason, why I wrote this post. There is another one which is much, much more serious:

Unfortunately there are still plenty of customers playing Russian Roulette with their network. This term was actually used by one of our security engineers – who was kind of upset to say the least – who had to work December 31st and January 1st because of customers still not having rolled out MS08-067 – and not just one! We ran to our limits with regards to support capacity in EMEA.

Just to remind you: This is the Out of Band security update we released back on October 23rd and which then was pretty soon attacked by Conficker.A. But it seems that a lot of customer did not care back then – they were not attacked, so why bother? In the last days of 2008 Conficker.B broke out and even though it was not spread too widely, the customers who were hit (or still are hit) are hit very, very badly. Account Lockouts all over the place, admin passwords that were grabbed (often the Domain Admins) etc – and we had some really upset engineers as they had to work instead of having off because some customers were not up to their duty (and this is what it is for me!).

And this is not the end of the story:

For quite a while, our Anti-Malware solution was the only one, which was able to remove the thing. And without an Anti-Malware solution it is close to impossible to actually get rid of it. As always, all the information about the malware was shared amongst VIA (Virus Information Alliance) to all the partners.
NT got infected as well and the calls came: What shall we do now? Well, there is not too much you can do. As you might know, Windows NT is out of support for a long time (since December 31st, 2004 - see our Lifecycle Page if you need more information). Isolate your Windows NT boxes (as you should have done a long time ago) and migrate away from it. I know that there are still a lot of machines with NT embedded – isolate them and work with the vendors to get to an up to date version of the OS.

Let me add a final comment: The story above is not a Microsoft-only story. The same processes and technologies around patch management have to be applied to each and every component of your environment. Back after the Blaster times, we start to tell the consumer to apply three things to their PC to protect it:

Switch on your Firewall
Keep your Software Updated
Run an Anti-Malware software and keep it updated

Guess what: If you would have applied 2 and 3 to your network, you would not have been hit by this problem.

Roger

Spying on Smartphones

rhalbh — Fri, 26 Dec 2008 19:04:45 GMT

I was recently at an event for Law Enforcement where one of the discussion points was how critical it is to protect Smartphones – actually it was more about how easy to would be to claim that my Smartphone was hacked and how proof can be found.

That you should run Anti-Malware software on phones, is nothing new (even though just very, very, very few people I know are actually running it) but I was stunned what kind of software is offered to be run on Windows Mobile/Symbian/Black Berry. Let me give you an example: There is a software called FlexiSpy. The sub-title of the product is “Protect Your Children | Catch Cheating Spouses”. I wanted to try this product once but I will never ever try to run this software on any phone with business data on. There is a demo on the page, let me give you some screenshots, what the product (once installed) is able to grab:

This is the overview over all events

Let’s look at an SMS:

So, it’s not “only” the recipient of the text, it is the content as well. The same it true for mails (!) as well.

Unfortunately the demo does not show one other key feature, which is the location tracking either via the cell you are in or via the built-in GPS…

The worst thing is that you do not see the software anywhere – neither in the installed software nor in any process running. The only thing somebody needs is brief access to your phone. So make sure, that you ran AV-software and have a PIN at your phone

Roger