Sophos

Hackers steal information from Climate Research Unit

The UK-based Hadley Climate Research Unit (CRU), at the University of East Anglia in Norwich, is reported to have suffered a security breach which has resulted in many confidential emails and files being uploaded to the internet.

A 61MB zip file containing information stolen from one of the world's leading climate research centres was posted onto an anonymous FTP server in Russia, accompanied by a note saying:

We feel that climate science is, in the current situation, too important to be kept under wraps.

We hereby release a random selection of correspondence, code, and documents

In total it is believed that the unknown hacker accessed 1079 emails (some of which are marked as "Highly Confidential") and over 3800 documents. A spokesman for the Climate Research Unit confirmed the hack to the BBC.

Climate change bloggers are feverishly discussing the contents of the emails, some of which - they claim - detail how members of the CRU discussed hiding the truth about climate change.

However much the Hadley Climate Research Unit may have wished their communications to have remained private, the truth is now that the genie is out of the bottle. Interested parties around the world have grabbed the archive of documents - so even if the Russian FTP site is shut down, others will be able to share the data to other interested parties.

Indeed, it appears that the data is already being distributed via peer-to-peer file-sharing networks.

Leaked Hadley CRU documents

Clearly climate change is a topic which raises strong passions - but I can't remember an instance of either side resorting to cybercrime and hacking to gather information on the other before.

Whether you are sympathetic to Hadley CRU's views on global warming or not, it shouldn't be forgotten that they are victims of a criminal hack. Personal information, including the email addresses of scientists working at the organisation, is now in the public domain.

There is a real danger that some ne'er-do-well could use that information to spam or send targeted attacks against individuals who would have understandably expected their communications to have been held securely.

Details of how the hack occurred aren't yet apparent, but this security breach may serve as a timely reminder to other organisations to ensure that they have put the necessary security in place to reduce the risk of something similar happening to them.




Scientology website attacker sent to jail

A 19-year-old man has been sentenced to a year and a day in prison after instigating a distributed denial-of-service attack (DDoS) against websites belonging to the highly controversial Scientology organisation.

Dmitriy Guzner, of Verona, New Jersey, played a key role in an attack in January 2008 which crippled Scientology websites by flooding them with internet traffic, making them inaccessible to the outside world.

Guzner, a student at Quinnipiac University, admitted his involvement in the attack a year ago, but has denied being a member of the Anonymous group which believes Scientology to be a dangerous cult, and who have staged protests around the world wearing distinctive Guy Fawkes masks.

Judge Joseph Greenaway sentenced Guzner to a year and one day in prison, followed by two years of probation. In addition, Guzner has been ordered to pay $37,500 to the Scientology organisation (a lot less than the $119,500 that it was said Scientology paid to mitigate the attacks).

On October 28th, a Los Angeles federal grand jury indicted 20-year-old Brian Thomas Mettenbrink, for his alleged part in the same denial-of-service attack.

It's well known that many people are concerned by the Scientology movement (for instance, it was convicted of fraud in France last month), but both Scientologists and the Anti-Scientology movement have sometimes done themselves damage by the way they have carried themselves on the internet.

As I've said before, though, even if you feel passionately and earnestly that Scientology is harmful to society, it does not make illegal action (such as an internet attack) against them acceptable.




Guest blog: Evil Maid wanted, B.S. in Computer Science a plus

"Guest blogger Michael Alfred Schmidt is worried that next time room service tidies his hotel room they might do something rather more sinister than make the bed and refresh the mini-bar. Discover more about the "evil maid" threat and how you can reduce the risks of your laptop's sensitive data being compromised. Over to you, Michael..."

Some weeks ago, Polish researcher Joanna Rutkowska published an attack on the TrueCrypt Full-Disk Encryption (FDE) software, which allows an attacker with access to an unattended PC to install a password sniffer in a first strike, and to steal the PC including the FDE password in a second strike.

She coined the term "evil maid attack" for this kind of incident, as it specifically applies to scenarios in which a traveller leaves a portable PC unattended in a hotel room, and a person who has access, but not necessarily dedicated technical skills (e.g. a room maid) actually executes the attack.

Technically, this person (in the absence of any reliable data on popular names for room maids, let’s just call her Trudy) inserts a bootable medium (e.g. a CD-ROM or USB stick), turns the laptop on, and consequently the bootable malware code on the medium gets executed.

This code then installs a transparent key logger in the Master Boot Record (MBR) of the hard disk. Later, the unsuspecting owner turns on his laptop, enters the passphrase and boots up. Without his knowledge, the keylogger intercepts the passphrase and stores it on the hard disk.

Finally, Trudy only needs to steal the laptop and to hand it over to the person who targeted the victim. Both steps don't require any particular technical knowledge, and can be performed by a person instructed/bribed by the master attacker.

It's not only TrueCrypt which is susceptible to this kind of attack, but basically all pure software FDE products. These products don't employ any additional hardware (e.g. TPM chip) to maintain the integrity of the boot process.

Although Sophos engineers have invested a lot of time implementing several additional hurdles to make this type of attack a lot more difficult than with TrueCrypt, Sophos FDE products (as well as the respective competitor products) are ultimately affected too. Product specialists have known about the general susceptibility of such products to this kind of attack for quite some time, and preceding projects such as the Stoned Bootkit paved the way to finally implement it.

After all, it’s a somewhat philosophical question where the responsibility of a security software ends and where the owner’s responsibility to maintain the integrity of the respective hardware platform starts. Attackers who are able to gain full control over the hardware will always find a way to breach the security of the overall system - for instance, imagine a hardware keylogger hidden invisibly inside the case of a PC. It is important, however, that the user understands these risks and boundaries, and knows how to deal with them.

And yes, there are several ways to mitigate them quite efficiently:

Firstly, and most obviously, don't leave your laptop unattended. Alternatively, lock it away whenever this is possible.

Secondly, disable the possibility of booting from an external medium (such as USB stick or CD ROM) in the BIOS, or move such media to be after the hard disk in the boot sequence.

Boot screen

Then protect BIOS access with a password. On a Mac, simply activate the firmware password, which will implicitly do both jobs.

These steps are available on basically every laptop, and will require Trudy to remove the hard disk from the device and mount it in an external USB enclosure attached to (or directly inside) another computer in order to infect it with the keylogger. This will most likely exceed the available time and skills of any average Trudy.
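Since a pure-software FDE product cannot vouch for the boot sector itself, a cheap tripwire is to record a hash of the MBR bootstrap code and partition table while the machine is known to be clean and re-check it at each login. The example below is added here and is not Sophos or TrueCrypt code; it assumes the classic 512-byte MBR layout and uses constructed sample sectors (on a real machine you would read the first 512 bytes of the disk device, which needs administrator rights). A check run from the booted OS can itself be subverted by a bootkit, so it is a detection aid, not a substitute for hardware-supervised boot.

```python
"""Tripwire for the MBR bootstrap code, the region an evil-maid bootkit overwrites.

Added example, not part of the original post. Classic MBR layout assumed:
440 bytes bootstrap code, 4-byte disk signature, 2 reserved bytes,
4 x 16-byte partition entries, then the 0x55AA boot signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440          # bootstrap code area hashed by the tripwire
SIG_OFFSET = 440        # 4-byte Windows disk signature
PTABLE_OFFSET = 446     # start of the partition table
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a code hash, the disk signature and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "disk_signature": sector[SIG_OFFSET:SIG_OFFSET + 4].hex(),
        "partitions": entries,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("bootstrap code modified (possible bootkit)")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def _make_mbr(code: bytes) -> bytes:
    """Build a constructed 512-byte MBR around the given bootstrap code (test data only)."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78"                      # constructed disk signature
    reserved = b"\x00\x00"
    # one bootable type-0x07 partition at LBA 2048, 1,000,000 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    table = entry + b"\x00" * 48                        # three empty entries
    return code + disk_sig + reserved + table + BOOT_SIG


# Constructed "known good" sector recorded while the machine was trusted.
GOOD_MBR = _make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Same partition table and signature, but the code area has been replaced.
TAMPERED_MBR = _make_mbr(b"\xeb\xfe" + b"TAMPERED-BOOT-CODE")


if __name__ == "__main__":
    print("clean disk:", compare_mbr(GOOD_MBR, GOOD_MBR) or "no change")
    print("tampered disk:", compare_mbr(GOOD_MBR, TAMPERED_MBR))
```

Store the baseline somewhere the laptop cannot be made to overwrite silently (a USB token you carry, or a printed hash), otherwise the attacker simply updates it along with the MBR.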

Thirdly, use biometric or two-factor authentication (e.g. a passphrase and a hardware token) to perform authentication with the FDE system.

These mechanisms will stop an evil maid gathering any easily interceptable and reusable logon credentials (such as a password), and will raise the bar for a successful attack even higher. An attacker will require advanced skills in reverse-engineering and cryptography, and several weeks (or even months) of preparation to mount an attack against a system with such an authentication device.

As already indicated, a more generic protection against this kind of attack requires hardware support to supervise the integrity of the boot process. Windows BitLocker with TPM support is one product that optionally supports this approach.

However, not all notebooks have a TPM chip, and emergency recovery with such systems can become a complicated and expensive operation (just think of a broken motherboard and the following TPM key restoration procedure). Self-encrypting hard disks following the Opal standard (see my earlier blog which covered that) may improve this situation in the future, as they promise a fully protected pre- and early boot procedure.

With Sophos SafeGuard Enterprise, you have the option to use a variety of smart cards, fingerprint readers and other hardware devices as pre-boot authentication tokens that help you to counter this attack.

Beyond that, our engineers are carefully observing the development of hardware support in this area, and will come up with a solution for a fully protected pre-boot process with easy disaster recovery management as soon as the technical preconditions are met. So stay tuned...




Sarah Palin says email hack paralysed Presidential campaign

An email hack can ruin your chances of becoming Vice President of the United States.

That's the message that Sarah Palin appears to be sharing with the world in her new book, Going Rogue: An American Life, where, according to media reports, she describes how a hacker breaking into her personal Yahoo account "created paralysis" in her campaign camp, because it cut off easy communication with her colleagues in Alaska.

Clu-blog readers will remember that in September 2008 hackers broke into Sarah Palin's Yahoo account and posted examples of her emails, addresses of her contacts, and family photos on Wikileaks.

Palin's mistake was to choose a very dumb (and easy-to-guess) password reminder. That's a faux pas that many have made in the past, making it easier for hackers to break into systems.

Here's a video I made last year, showing how both Paris Hilton and Sarah Palin have been caught out by the trick:


Sarah Palin & Paris Hilton - Sophos asks what's the connection? from SophosLabs on Vimeo.

So next time you hear about someone losing data or falling victim to hackers, why not tell them the sad story of Sarah Palin? Things could be worse - it could cost you your shot at the White House.




Facebook Easter Egg causes a flap

My mate Ben told me a story the other day which he thought I would find amusing.

He's a Facebook addict, and has been regularly cajoled for spending hours checking the social networking site for updates from his buddies instead of the biology job he's supposed to be busy doing.

The other day he stepped away from his desk for what Americans charmingly call a "comfort break", and returned to his desk to find bizarre red circles appearing like a lens flare on the Facebook page he was logged into.

In reality, he had fallen victim to an office prank - one of his colleagues had turned on a Facebook Easter Egg while Ben was away from his desk.

You could do this on Facebook too. You simply login and press:

UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A ENTER

The problem was that Ben initially panicked, and thought his computer had been virus-infected. Fortunately the culprit owned up before Ben took things into his own hands to "remove the virus" and possibly make things much worse.

And that's the problem even with seemingly harmless pranks like this which don't involve you installing software on someone else's PC. You don't know how they're going to respond, and there's always the danger that they might over-react and do some real damage.

Ironically, it's pretty rare these days for malware to have such visual payloads as the Facebook Easter Egg. In olden times, virus authors were more like graffiti artists than bank robbers, and some had visual payloads of cascading letters, scrolling moonscapes, skulls dripping in blood, etc.

The media still likes to present malware in this highly visual way, so you're likely to see viruses represented like this in movies and TV dramas for some time to come.

The truth, however, is that with a few notable exceptions (like the recent iPhone worm) the bad guys are designing their malware to be stealthy and invisible, and impossible to spot with the naked eye.

Easter eggs are a bit of fun for the programmers behind websites and software packages - but it's probably best if you trigger them for your own amusement rather than play a prank with them on someone else.

PS. If you think the Facebook easter egg is cool, just try the same sequence at jQuery.




Couple arrested in connection with Zbot Trojan horse

A man and a woman have been arrested in Manchester by officers of the Greater Manchester Police and Metropolitan Police Central e-Crime Unit (PCeU) in connection with the Zbot family of Trojan horses.

Zbot is one of the most notorious pieces of malware of recent times. It's a data-stealing Trojan horse, designed to grab information from internet users which would help hackers break into online bank accounts and social networking sites such as Facebook and MySpace.

Of course, once a hacker has your bank account information they can login and potentially transfer money to other accounts. If they break into your Facebook page they could use that to spread spam and phishing messages to the compromised account's online buddies.

Typically versions of the Zbot Trojan horse have been spammed out to unsuspecting internet users, using a variety of social engineering tricks to try to trick the unwary into opening an attachment or clicking on a link to a website hosting malware.

A Zbot attack posing as an email from the IRS

One of the most recent Zbot-related attacks involved an email claiming to come from Vodafone or Verizon Wireless, saying that the recipient's credit balance was over the limit. Running the attached "Balance Checker Tool" infected the user's computer with a version of the Trojan horse.

Bogus email claiming to come from Verizon Wireless

But there's something else that Zbot does, and the clue is in the "bot" part of its name. Zbot hijacks your computer, making it part of a criminal botnet. Hackers control thousands of compromised computers around the world - using them as a zombie army to spew out spam, spread more malware and launch denial-of-service attacks.

It's worth bearing in mind, of course, that although the arrests have been in the UK, the Zbot family of malware is a problem that has been hitting computer users around the world - it is truly a global threat.

Zbot (also known as Zeus) is a significant malware family - the many different variants of the Trojan in existence have been distributed in a variety of different disguises. If the police have made a positive step in unravelling the gang behind Zbot then that will be very good news for everyone interested in making the internet a safer place.

The names of the two people arrested under the Computer Misuse Act 1990 and the Fraud Act 2006 have not been released, but it is known that both are 20 years old. They have now been released on bail pending further enquiries.




The Simon Ashton hacker hoax, spreading via email

A colleague from Sophos's finance department came down to my desk this morning. It's always a bit scary when someone visits you from the top floor - and I worried for a moment that maybe he wanted to know if I'd charged the life-size Doctor Who cutouts I have surrounding me on expenses...

But actually he wanted to know if I could shed any light on an email he had received:

Simon Ashton email hoax

Here's the full text of the email:

THIS IS NO JOKE

IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK ) CONTACTS YOU THROUGH EMAIL DON'T OPEN THE MESSAGE. DELETE IT BECAUSE HE IS A HACKER!!

TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DONT CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!....

Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on. This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled 'Mail Server Report'

If you open either file, a message will appear on your screen saying: 'It is too late now, your life is no longer beautiful.'

Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who sent it to you will gain access to your name, e-mail and password.

This is a new virus which started to circulate on Saturday afternoon. AOL has already confirmed the severity, and the anti virus software's are not capable of destroying it .

The virus has been created by a hacker who calls himself 'life owner'..

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to PASS IT ON IMMEDIATELY!

Of course, this is all nonsense - and just the latest example of the many hoaxes we have seen spreading over the internet for some years.

To deal with the hoax point-by-point:

  • Adding someone to your email contact list does not allow them to hack into your email.
  • If a hacker did break into one of your friends' email accounts, it doesn't mean they can also access your account.
  • Microsoft and Norton did not issue a warning about this.
  • AOL has not confirmed the threat's severity, because the threat does not exist.

Interestingly the hoax does make a vague reference to another hoax called "Life is Beautiful" and echoes the Bum_tn007 hoax which was unwittingly propagated by Facebook and MySpace users a couple of years ago.

Hoaxes like this never seem to die - there will always be someone who thinks it's better to be "safe than sorry" and forward the warning to all of their friends and family, thus giving it another burst of life. But if you receive a warning of a new virus, please take a few seconds to Google for more information - if it's a known hoax it's likely that it will already be discussed, and if the threat is genuine chances are that security companies have issued an advisory about it.

By the way, if you must know, the cut-outs by my desk are of a Dalek, Cyberman and David Tennant. If you ever visit the Sophos offices and are given the grand tour you now shouldn't find it too hard to work out where I sit.




T-Mobile customers' personal data sold to rivals

The story dominating the British news this evening is the revelation that staff at one of the leading mobile phone companies sold the personal details of thousands of customers for "substantial sums".

Information Commissioner Christopher Graham refused to name the company concerned as it could prejudice a future prosecution, but told the media that the names, addresses, telephone numbers and information about customers' contracts was stolen and sold on to other competitors.

You can imagine just how attractive it would be for one mobile phone company to know when another phone operator's customers were approaching contract renewal.

Newshounds, ever keen to find out who might have been at the heart of the incident, approached Orange, Vodafone, 3, O2 and Virgin - all of whom said they were not being investigated. This left remaining operator T-Mobile in the uncomfortable position of confirming its involvement.

BBC News reports that a T-Mobile spokesman confirmed that it was their customers whose data had been sold to rival phone firms and that the information had been sold without their knowledge.

One of the central problems here is that many companies are not doing enough to secure the data they hold about every one of us. The cheapness and availability of devices like USB thumb drives has made it easier than ever before to scoop up large databases and waltz out of the office without anyone suspecting a thing.

Technology does exist to help intercept and control the movement of personal data inside organisations - but many firms have still not taken even the most basic steps to halt it dead in its tracks.

I'm not saying that technology can prevent every data leak inside your company - after all, a bad guy in your call centre could write down customer details on paper and put them in his back pocket - but it's only sensible today to take all the precautions you can, and reduce the risk.

Certainly the authorities seem interested in doing what they can to fight this growing problem. For instance, Christopher Graham of the Information Commissioner's Office has questioned whether the current fines of £5,000 are really a sufficient deterrent for this kind of crime. In his opinion, the most serious offenders should face a spell in prison for deliberate data theft.

And I have to say that I agree with him - £5,000 is peanuts compared to the huge amount of money that can be earnt by stealing personal data from inside a large corporation.

One big question still remains, however. We know that it was T-Mobile who had the data stolen from them - but who was buying it?




"Payment request from" emails carry dangerous payload

Cybercriminals are up to their dirty tricks again, this time spamming out en masse a dangerous email carrying a Trojan horse.

The emails pretend to come from the "Customer Support" division of an online banking organisation and to be in connection with payments requested by a variety of different organisations, using the subject line:

payment request from "[company name]"

Here's just a small sample of the possible subject lines:

Payment request email contains malware

Here's the text of a typical email, but remember that the company's name and the amount of money that they are requesting payment for can vary:

We recorded a payment request from "Time Warner Cable" to enable the charge of $66.10 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Time Warner Cable".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

Attached to the email is a file called module.zip.

Payment request malware email example

Sophos proactively detects the attached malware as the Mal/EncPk-LP Trojan horse.

It's clear that the hackers behind this attack are deliberately using a wide variety of company names and different payment amounts to make it harder to spread a warning about this threat. Remember to always be suspicious of unsolicited attachments.

If you panic and open the attachment thinking that you may be being billed in error, you could find that you have made a costly mistake.




Your mailbox has NOT been deactivated

SophosLabs is currently intercepting a widespread malware attack, being spammed out to innocent internet users under the disguise of a mailbox deactivation notice.

The emails, which have a subject line of "your mailbox has been deactivated", pretend to come from the recipient's domain. For instance, if your email address was john.smith@example.com the emails would pretend to be from notifications@example.com.

Malicious email about mailbox deactivation

Subject:

your mailbox has been deactivated

Message body:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, [domain name] technical support.

Attached to the emails is a zip file - utility.zip. Under no circumstances should you run the program contained inside the Zip file as it contains the Mal/EncPk-LP Trojan horse.

The clever thing about this attack, of course, is the social engineering. We've seen this trick before (of pretending to be from the administrators of your email system) but the reason why it is still being used is because it works. Users panic if they think they might be at risk of having their umbilical cord to the internet cut off and may race to open the attachment before thinking about the malice that might lie behind it.


