Graham Cluley’s blog
From anti-flappertanknibbles to zombies. Get inside the head of a computer security expert. If you like.
Mossad hacked Syrian laptop before bombing nuclear facility

According to reports in Der Spiegel, agents working for Israel's Mossad intelligence service planted a Trojan horse on a computer belonging to a senior official in the Syrian government, gathering information which led to an air-raid on a nuclear project in Syria's eastern desert.
The attack on the partly-constructed Syrian nuclear facility occurred in September 2007, a year after a top Syrian official is said to have left his laptop in his room in a swanky hotel in Kensington, London.
According to Der Spiegel:
[The Syrian official] was under Mossad surveillance and turned out to be incredibly careless, leaving his computer in his hotel room when he went out. Israeli agents took the opportunity to install a so-called "Trojan horse" program, which can be used to secretly steal data, onto the Syrian's laptop.
The hard drive contained construction plans, letters and hundreds of photos. The photos, which were particularly revealing, showed the Al Kibar complex at various stages in its development. At the beginning -- probably in 2002, although the material was undated -- the construction site looked like a treehouse on stilts, complete with suspicious-looking pipes leading to a pumping station at the Euphrates. Later photos show concrete piers and roofs, which apparently had only one function: to modify the building so that it would look unsuspicious from above. In the end, the whole thing looked as if a shoebox had been placed over something in an attempt to conceal it. But photos from the interior revealed that what was going on at the site was in fact probably work on fissile material.
One of the photos showed an Asian in blue tracksuit trousers, standing next to an Arab. The Mossad quickly identified the two men as Chon Chibu and Ibrahim Othman. Chon is one of the leading members of the North Korean nuclear program, and experts believe that he is the chief engineer behind the Yongbyon plutonium reactor. Othman is the director of the Syrian Atomic Energy Commission.
The information gathered by the spyware Trojan horse appears to have led to Israel knocking out Syria's nearly-completed nuclear reactor the following year.
Should we be surprised by these news reports? Probably not. In fact, I think it's likely that many countries around the world are using malware - and more specifically spyware Trojan horses - to spy upon each other.
Earlier this year, Seoul accused North Korea of having a specialist cyberwarfare brigade, stealing information from enemy countries and disrupting rival South Korean and American military networks with computer technology.
Back in September 2007, the Financial Times reported that the Chinese army were being blamed for an attack against a Pentagon computer in the office of US defense secretary Robert Gates. The FT reported that the People's Liberation Army (PLA) had been named as the likely perpetrators of the hacking attempt.
And last year I explained how the conflict between Russia and Georgia spilled into cyberwarfare, described how the German foreign intelligence service had been accused of spying on a ministry in Afghanistan, and described how the Belgian and Indian governments had pointed the finger at China for attacks against their systems.
Countries will use every dirty trick in the book to spy upon each other and grasp an advantage. We shouldn't be surprised if intelligence agencies like Mossad are also engaged in this kind of behaviour, and we shouldn't fool ourselves into thinking that our own countries aren't also using spyware for their own ends too.
And what's the lesson for those of us who aren't spies or Government agents? Well, if you have sensitive information on your laptop - make sure it is properly protected with security software and that any confidential information is encrypted.
Furthermore, maybe it wouldn't be a good idea to leave it unattended in your hotel room if the data contained upon it could be considered extremely sensitive.
Posted on November 6th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, Malware
Just how much does Google know about you?

Google has announced a new product: Google Dashboard.
The search engine giant - who today changed its logo to celebrate the 40th birthday of "Sesame Street" - is attempting to respond to the concerns of some internet users that Google is gathering too much data about individuals through its various cloud services.
The thing is that you may have shared information with a Google service in the past, only to have forgotten about it in the mists of time. Dashboard makes it easy to recall all those Google services you may have signed up for in the past (for instance, if you chose not to upload all your holiday snaps to Picasa, or realised that you didn't want your friends to be able to see where you were 24 hours a day via Latitude after all) and may now wish to consign properly to the dustbin.
Hang on, let me rephrase that. Dashboard makes it easy to recall nearly all those Google services. Some, such as Google Wave, Google Groups, and Google Checkout, aren't currently incorporated fully into the Dashboard yet, but at least they are linked to from the bottom of the Dashboard page. Google says it plans in the future to integrate all Google services into the Dashboard.
There's nothing new about what you can do with Google Dashboard - you always were able to manage your various Google assets by logging in to the individual product pages - but it does provide an easy one-stop-shop with a handy list of links to your different account management pages.

So, congratulations to Google on being more transparent and making it easier for individuals to manage the personal data that the company stores about them.
But it's worth remembering that this openness could come at some cost. For instance, putting this info all in one place could make it easier for a cybercriminal to learn more about you more quickly, should they manage to discover your Google password.
On similar lines, journalist Ian Paul has written about how he could tell his browser to remember his account password for future visits to Google Dashboard, leaving a worrying door open should his computer be hacked or stolen.
Posted on November 6th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, WWW
Broken English email can lead to an infected PC
We've been seeing a fair number of emails in our traps today, written in rather poor English:
Hello, you remember me? We with you had a rest, here about which I told photos to you, see attach zip file

Attached to the email (which has the subject line "Greetings") is a file called document.zip.
If you're a regular reader of the Clu-blog then you should know the drill by now. It would be risky to open the email attachment as it's bound to contain malware, right?
Bingo. You got it. In this case Sophos identifies the Trojan threat as Mal/EncPk-LE or Troj/ZipMal-F.
But there are some folks out there, some of whom may be friends or business colleagues of yours, who don't have your Peter Parker-style spider-sense and don't have alarm bells ringing in their head when an unsolicited attachment arrives accompanied by some glaring grammatical errors.
Indeed, they might find the broken use of English endearing and compelling evidence that the message could be from an exotic stranger to your shores.
And that's one of the reasons why it's such a good idea to have all of your email systems, web gateways and desktop computers protected by anti-spam and anti-virus software. Sometimes your spider-sense will let you down when you need it most.
Posted on November 5th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Mac shoot-em-up zaps your files - but is it game over for common sense?
There's something of a brouhaha happening at the moment regarding a Mac OS X shoot-em-up arcade game called "Lose/Lose".
The Galaga-like video game was first brought to my attention by Methusela Cebrian Ferrer over on the iThreats blog at the end of October (although it was being reported in the gaming press for at least a month before that).
Methusela advised users who saw the opening screen to immediately quit by pressing CMD+Q, before the game held true to its promise and began to delete your files.

Because that's exactly what it does. While you're having fun zapping aliens it (quite openly) deletes files from your Mac hard drive.

For us the choice was simple - the program was malicious (even if it did announce its intention), and it wasn't the kind of thing that our customers would want on their networks. So, as soon as the guys in our labs stopped trying to get on the high score chart, Sophos wrote detection for it as OSX/LoseGame-A at the end of last month.
Yesterday, though, a press release from Symantec (which they call OSX.Loosemaque) about the game stirred the media into a small frenzy. To my mind their pitch to the media downplayed the fact that the program announces what it is going to do in advance and that for anyone to be hit by it they would need to knowingly download it from the author's website (where he is equally upfront about what it does).
Should we detect it? Yes, of that I'm certain.
But there are a lot more serious Mac OS X malware threats out there than this - take the flood of bogus codecs planted on websites for instance. Focusing on a quirky piece of malware like this might just play into the hands of those who want to believe that the computer security industry is so desperate to hype up the Mac OS X threat that it will scrape the barrel with pathetic examples like this.
Posted on November 4th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Scam, Web 2.0
Is this spam? If so, it's ironic who is sending it
Today I received the following email promoting an event all about data protection and privacy that is going to be held in Scotland later this month.
One of the star speakers is the Assistant Information Commissioner for Scotland, Dr Ken Macdonald.
Do you notice anything at all odd about the email?

Well, if you haven't spotted yet let me make it clearer.
The email was sent to klingon@sophos.com.
That's an email address we set up for anyone who has questions about the novelty Klingon Anti-Virus product we released earlier this year. (You might remember the amusing YMCA/Klingon mashup video we produced in its honour).
Now, I don't remember signing up to receive information from Data Protection Scotland with the email address klingon@sophos.com. Nor did I use shatner-response@sophos.com (which we set up for an April Fool stunt, and which also received the email advert from Data Protection Scotland) or studio@sophos.com (which we use for feedback regarding our podcasts).
Is it possible that in their enthusiasm to invite as many people as possible to an event about data protection and privacy, someone has scooped up a whole load of email addresses from the internet and spammed them?
For what it's worth, the website that the unsolicited emails link to appears to be legitimate and infection-free. The emails themselves don't look particularly spammy, and my guess is that the unsubscribe link probably works. However, is it unsolicited? Yes. Is it commercial? Yes. And it's definitely email. And it's been sent to email addresses that *never* requested communications like this.
Emails like these aren't in the same league as the hackers who spread malware via email, or the bad guys who promote dodgy online pharmacies - but it sure leaves a bad taste in the mouth that an organisation that is promoting data privacy and trust should be promoting its events in this manner.
Posted on November 4th, 2009 by Graham Cluley, Sophos. Filed under: Spam
Bogus lottery email carries fake anti-virus payload
Most of us with email addresses are probably familiar with the phenomenon of lottery scams.
An email arrives, claiming that you have won a substantial amount of money in a lottery you never participated in. Typically the email asks you to make contact - whereupon the scammer will try and derive your personal private information (such as bank account details) or demand an administration fee before the money can be sent to you.
In the latest spam campaign to arrive in our honeypots, things are a little bit different however, and take a sinister new twist.

Attached to the email, which has the subject line "You are a winner.", is a file called winner.zip.
Unfortunately for the recipient who believes that they are the lucky winner of a lottery, the attachment contains scareware (also known as fake anti-virus) - designed to frighten the unsuspecting user into believing that they have security issues on their computer, and to trick them into purchasing a solution.
Sophos detects the malware as Troj/FakeAV-AGU or Troj/ZipMal-D.
Interestingly, the snail-mail address used in the email ("28 Tanfield Road, Croydon") has been seen often in other lottery emails in the past - not just for the British National Lottery, but for lotteries associated with well known brands such as Honda and Toyota - as anyone who spent a couple of minutes investigating with Google would discover.
Scareware has been one of the major security stories of 2009 - it is being used widely by cybercriminals and their affiliates. The sad truth is that it must be working, otherwise they wouldn't keep using the technique with such ferocity.
Here is a typical message we are seeing being sent out by the bad guys:
British National Lottery,
28 Tan Field Road,
Croydon,London.
Ref: UK/9420X2/68
Dear Winner,
This email is being sent from The British National Lottery HQ. You've been selected a winner in our online draw. You've been approved to claim a total sum of 2,764,866 Pounds (Two Million, Seven Hundred and Sixty Four Thousand, Eight Hundred and Sixty Six Pounds Sterling) from our Online lottery draw promo sponsored by the British Gaming Board, Microsoft International and the United Nations. This is from a total cash prize of 6,534,370 Pounds shared amongst the first Three (3) lucky winners.
PLEASE OPEN ATTACHED FILE AND READ DETAILS.
Congratulations.
Yours Truly,
Ray Bates.
FOR:
British National Lottery,
28 Tan Field Road,
Croydon,London.
You may not fall for a scam like this, but you might imagine it's safe to open the attachment. Always be careful about unsolicited email attachments, even if you think it's something you've seen a hundred times before. It could be a new twist on an old trick.
Posted on November 4th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Scam, Spam
Sexy photos from a sweet girl? Too risky!
If a sexy girl mistakenly sends you photos, you'd be a fool not to take a peek, right?
Wrong.

Here are the details of the email that we are catching in our spamtraps today:
Subject line: how are you? or hi
Message body:
Hi,
I will like to know you more better but I am not always on dating website if you trully want to get to know me more better like i do then get back to me through my email adress and tell me more about yourself there and also send me some more pics of you and i will do the same i hope to read from you soon so we can exchange more email and sexy photos. Take good care of yourself... and send me an email to my email adress I'll talk to you later.
Your sweet girl :)
ps: I send my sexy photo for you :*
Attached to the email is a file called photo.zip which, surprise surprise, contains a Trojan horse. In this case it's Troj/Dloadr-CWG.
As in the "Hi friend" email attack I blogged about earlier today, malicious campaigns like this only work because the hackers are able to successfully socially engineer unsuspecting users into opening the dangerous file.
Posted on November 4th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Hi friend? Beware the spammed Trojan horse
Many inboxes around the world will be seeing what appears to be an email from a friend this morning - and may be unaware that the attachment actually contains a malicious Trojan horse.
The emails, which have the subject line "hi friend", are short and to the point:

Attached to the emails is a file, t658657.zip, which contains the Mal/EncPk-LE Trojan horse.
Of course, anyone with common sense would never have opened the unsolicited attachment in the unsolicited email in the first place. But sadly common sense isn't very common when it comes to computer security - and chances are that there are people out there whose mouse finger will have got twitchy at the mere thought of an email, and opened the attachment out of curiosity without thinking of the possible consequences.
Get smart about securing your computer and protecting your data - don't let a simple trick like this be exploited by cybercriminals to infect your PC.
Posted on November 4th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
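The four spammed-Trojan campaigns above ("Greetings", "You are a winner.", "how are you?"/"hi" and "hi friend") share one shape: a short lure subject, a body urging you to open something, and a zip attachment. As an added example (not code from the Clu-blog or from Sophos), here is a small mail-triage rule in Python that quarantines messages matching that pattern; the subject lines and filenames are the ones quoted in the posts, and the messages themselves are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the posts above (the "hi friend" body is not
# quoted on the page, so only its subject is used as a cue).
LURE_SUBJECTS = {"greetings", "you are a winner.", "how are you?", "hi", "hi friend"}
# Every campaign on the page used a .zip; the other extensions are common
# executable carriers added here as an assumption.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif")
OPEN_ME_PHRASES = ("attach", "open", "photo", "winner")


def build_sample(subject, body, filename=None, subtype="zip"):
    """Build a constructed test message (hypothetical addresses, fake payload)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # Not a real archive: a few constructed bytes so the part has content.
        msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                           maintype="application", subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


def triage(raw):
    """Return a verdict dict for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

    risky = any(n.lower().endswith(RISKY_EXTENSIONS) for n in names)
    lure = subject.lower() in LURE_SUBJECTS
    urges = any(w in body.lower() for w in OPEN_ME_PHRASES)

    # An archive alone is normal business mail; quarantine only when it is
    # paired with a lure subject or a body that nags you to open it.
    return {
        "subject": subject,
        "attachments": names,
        "quarantine": risky and (lure or urges),
        "reasons": [r for r, hit in (("risky attachment", risky),
                                     ("known lure subject", lure),
                                     ("body urges opening", urges)) if hit],
    }


# Constructed samples modelled on the campaigns described in the posts.
SAMPLES = {
    "greetings": build_sample("Greetings",
                              "Hello, you remember me? see attach zip file",
                              "document.zip"),
    "lottery": build_sample("You are a winner.",
                            "PLEASE OPEN ATTACHED FILE AND READ DETAILS.",
                            "winner.zip"),
    "report": build_sample("Q3 figures", "Figures attached as discussed.",
                           "q3.pdf", subtype="pdf"),
    "bare": build_sample("hi friend", "see you soon"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```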
Crikey! I'm a finalist in the Computer Weekly IT Blog awards
Those awfully nice people at Computer Weekly have been in touch to tell me that I've not only been nominated for two awards, but I've actually made it as a finalist as well!
I imagined my @gcluley twitterings and rabid blogging about all things computer security-related might be just wafting into the ether.. but it appears some of you may have been getting some benefit from it, or at least enjoying it.
So thanks very much to whoever nominated me in the categories of "Best blog about IT security" and "IT Twitter user of the year".
I'll be honest with you - I don't stand a chance of winning either. There are some great security blogs that I am up against, and how can I hold a torch against the output of Twitter royalty like the BBC's Rory Cellan-Jones, The Guardian's Jack Schofield and national treasure Stephen Fry?
But it's still a great achievement for the Clu-blog even to get this far. This blog is a lot younger than some of the other respected blogs listed in the security category - and so I really do have to thank everyone who visits each day (or umpteen times a day when I'm feeling prolific!) for their continued support.
PS. There don't seem to be any rules on the Computer Weekly page regarding repeat voting, but I'm assuming that they set a cookie to stop people trying to influence the result. Even if they don't - everyone play fair, okay? No setting up botnets to choose the Clu-blog and @gcluley in their respective categories.. alright?
PPS. I forgot to give you the link if you did perhaps.. maybe.. who knows?... want to vote... ahem..
Vote here
Thanks again. :)
Posted on November 3rd, 2009 by Graham Cluley, Sophos. Filed under: Clu-blog, Competition, Shameless plug, Web 2.0
Hacked iPhones held hostage for 5 Euros
The importance of properly securing mobile devices has been underlined once again, after a Dutch hacker broke into jailbroken Apple iPhones and displayed a message demanding a 5 Euro ransom be paid.
According to media reports, the hacker used port scanning to identify jailbroken iPhones with SSH running on the T-Mobile Netherlands network.
In this instance, the hacker changed the wallpaper on compromised iPhones so they displayed the following message:

Important Warning
Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and dsecure your iPhone right now!
Right now, I can access all your files.. This message won't disappear until your iPhone's secure
A further message demanded that 5 Euros be paid to the hacker's PayPal account in order to receive instructions on how to remove the backdoor.
Many iPhone owners have jailbroken their devices to allow it to run unofficial code, avoiding Apple's official App Store. However, some users forget to change the default root password on their device (which is common to all iPhones) - opening a door for potential intruders.
Visiting the page linked to from the message displayed the following message:
If you don’t pay, it’s fine by me, but remember, the way I got access to your iPhone can be used by thousands of others-they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It’s just my advice to secure your phone.
Some have suggested online that the hacker intended no malice in breaking into the iPhones and displaying the messages, but let's not beat around the bush about this. Unauthorised access and unauthorised modification of data is an offence in many countries around the world.
Just because an individual has poorly protected their computer or mobile phone does not give anybody the right to break in without permission and essentially blackmail them into paying up for a fix.
The one piece of good news is that the Dutch hacker has now taken down his PayPal link, reportedly returned the money he earned and published free instructions on how to remove the backdoor.
Don't forget - if you're dead set on fiddling around with the internal workings of your iPhone, make sure that you're not compromising its security at the same time.
Posted on November 3rd, 2009 by Graham Cluley, Sophos. Filed under: Apple, Mobile