Rossander’s Security Reader

For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is "guaranteed to bypass all anti-virus programs at the time of purchase". Like many commercial software packages, it includes a year’s worth of free updates and support for the hacker in the price. Mpack is also disturbingly common. It has been discovered embedded in more than 10,000 web sites so far.

Between the increased availability of these tools and the sheer number of vulnerabilities that they are programmed to automatically exploit, it is vital that you keep your computer’s operating system and applications up-to-date and fully patched.

Regularly check for updates and immediately load them. Consider setting them to automatically update. And remember that you have to check for updates for every program you have on the computer, not just the Microsoft updates.

Shut down your computer every night. This limits your vulnerability to automated attacks against your computer. Depending on how your network is set up, it may also trigger your update process, making sure that the latest patches are loaded to your computer when you log on in the morning.

Mpack targets security holes in many common software programs including QuickTime media player, plug-ins for the Firefox web browser and Microsoft Windows. According to researchers at one anti-virus company, this toolkit uses simple yet very sophisticated web-based interfaces and allows the hacker to take control of the victimized computer to either steal information, install keyloggers or use your computer as a "zombie" to attack someone else. You can read this technical report for more about Mpack.

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer – the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.

According to a Maryland Univ study, computers are attacked on average 2,244 times a day. That’s an attack every 39 seconds.

Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).

Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the accountname immediately.

Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are not as obvious to brute-force dictionary attacks. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.

Right before Thanksgiving, we ran a Tip on "pump-and-dump" scam emails – emails containing fraudulent stock tips. A colleague forwarded an interesting variation of this scam. This message uses several different techniques in an attempt to circumvent the company’s spam filters.

As a scam, notice that the message is urgent and timed. “It’s going to explode on Monday Nov 13th”. This scammer probably dumped the stock right around that date. Looking at the stock’s trading history, this scam probably worked. On 13 Oct, this stock cost less than a penny a share. On the 13th, it spiked up to $1.14. One week later, it was at $0.65 and falling.

Note that the scam part of this message is included as a picture, not as text. It has a lightly tinted background and small little “threads” scattered through the image. To a human, they look like the tiny imperfections that you sometimes see in high-quality paper. We easily ignore them and read the text. Their real purpose is to disrupt the computer’s ability to conduct optical character recognition. Not being able to fully read the text, the message doesn’t earn as many “points” toward being recognized as spam by the filter.

Second, note that the message is crafted to appear to be a reply even though John has never sent anything to this person. The hacker is hoping that we have a “whitelist rule” that would exempt all return messages from filtering. (That’s a common rule for companies that have had problems with good messages getting blocked as false-positives.) Unfortunately, it is trivially easy to spoof an address in an email. With the right editor, you could make your emails appear to come from the President of the United States. And while that’s certainly unethical and sometimes illegal, it’s almost impossible to trace the culprit. Email was never designed as a secure communications channel.

Third, note that the spammer included a block of text at the bottom of the message. To a human, it’s incomprehensible nonsense. To a computer, those are real words in apparently reasonable order. Since the spam filter “weighs” the sales-like content in proportion to all the other content in the message, this nonsense has the effect of diluting the spam score of the message.

As we discussed last week, researchers estimate that there are 9-10 spam messages for every good message on the Internet. Most companies have good tools but at those volumes, some spam will always leak through. If it looks like spam, it probably is. Delete it (preferably without opening the message) and move on.

If it seems like you’re seeing a lot more spam lately, it’s not just you. During the past few months, the incidence of spam shot up around the world. In 2001, researchers estimated that about 5% of all Internet traffic was spam – one spam message for every twenty real messages. By 2003, researchers estimated that 50-60% of all traffic on the Internet was spam – one spam message for each good message. In September of this year, that number was up over 80% – 4 spam messages for every real message.

In the past month, two new computer viruses were released both of which are specially designed to generate spam messages. These viruses are very sophisticated and have been very hard for the anti-virus companies to block. (See this TechWeb article for details.) The latest estimates are that there are 9-10 spam messages for each good message on the Internet. All that means that the total volume of spam on the Internet is way, way up.

Good spam filters are generally 95-98% effective at identifying spam messages as spam. That’s actually a pretty good ratio and is about as good as any software package can get. Unfortunately, when you pump so much increased volume through a filter with a 2% leakage rate, more spam will inevitably leak through.

Some people have asked if they can tweak that filter to block more of the spam. The cost we generally pay for that effectiveness is that about 0.5% of good messages are incorrectly identified as spam. If you tighten the spam filter, you will get an increase in the false positives. Every company is constantly trying to make sure that they are at the right balancing point.

We are in an arms race with the spammers. Every time the anti-spam vendors come up with a technique to identify spam, the spammers adapt and find another way around the filters. It has been a story of incredible creativity and innovation.

While we are waiting for the spam-filter companies to release their next round in the arms race, there are some things that you can do to keep yourself off the spammers’ target lists. Remember that once you’re on one list, spammers will sell your address to other spammers. And once that happens, there’s little you can do except to wait until your address ages off their lists.

1. Never buy anything advertised in a spam message. If you do, you’ll jump straight to the top of their list.
2. Never respond to a spam email, even to complain or to attempt to get off their list. Any reply at all confirms to the spammer that you read the message. Even if you didn’t fall for their Viagra scam, they know you might fall for a mortgage scam. Never reply to a spammer. Do not attempt to "unsubscribe" from the list. More often than not, the unsubscribe link is a scam.
3. If you can, delete the spam message without ever opening it. Spammers use techniques such as web-bugs to track whether or not you opened the message. Again, they hope that even if you didn’t fall for one scam, if you’re the kind of person who opens spam, maybe you’ll fall for a different one.
4. Do not use your work email address for internet shopping, chat boards, etc. Sign up for a free email account like Yahoo or Hotmail.

The final recommendation is to remember that spam is just like the physical junk mail in your mailbox at home. We do what we can but at some point you just throw it in the trash and let yourself get on with your life.

For the past few weeks, we’ve been discussing "spear-phishing" attacks – targeted messages that are highly personalized in their attempts to con you into clicking on their link. This week, we will discuss variations on the “pump-and-dump” stock scam emails.

First, some background. Pump-and-dump scams have been around for as long as there have been stock markets. In this scam, the crook buys shares of some small, low-liquidity stock. He then starts rumors that this stock is “on it’s way up” and “about to explode on Monday”. The rumors are often crafted to appear to be insider tips. They play on the greed and vanity of the recipients. When the victims begin to invest in the penny-stock, the price does go up – temporarily. The scammer immediately sells his shares at the inflated price. After a few days, the price returns to normal and the victims are left holding shares of a stock worth only a fraction of what they paid.

One popular version of this scam is designed to look like a misdirected email. The message starts “Hi. I hope this is your email. It was great to meet you the other day and I hope you’re enjoying New York. The deal I was speaking about yesterday involves a company know as [company name]. It’s already headed up…”

Another opens “Hey, girlfriend. Remember that hot stock exchange guy that I’m dating?” before dropping the fraudulent tip. In both cases, the wording of the “tip” is designed to look like it was intended for someone else and that you got the message because the sender mistyped the email address. In fact, these are mass-mailed spam.

You can read more about this particular scam at www.nasd.com.

Never respond to an unexpected message and never follow the advice of a spammer. It doesn’t matter how good the alleged tip looks. If you’re going to invest in the market, do your homework. Invest in companies with good fundamentals whose business you understand. Don’t invest on “momentum” or insider tips.