Slowing down spammers via DNS

Security expert Paul Vixie has come up with an interesting technique for reducing spam and cyber crime. According to Vixie, domains registered by cyber criminals can often be identified within 5 minutes by checking the WHOIS information and comparing the registrar against databases of known spammers. With this in mind Vixie proposes putting new domains in a ‘penalty box’ such that they are registered and exist for a few minutes before they can be used. This would give time for security organizations to scan the domain and determine the likelihood of its being safe. To take the concept even further, the domain could be kept on a watch list for an hour or so, and if it exhibits suspicious activity the registrar could be notified and the site could be taken down within a short amount of time.

http://www.darkreading.com/cloud/vixie-proposes-cooling-off-period-for-new-domains-to-deter-cybercrime/d/d-id/1320310?

~Drew Heintz
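The penalty-box idea above can be expressed as a small resolver-side policy. The code below is an added illustration, not Vixie's design or anything from the linked article: it assumes a feed of (registration time, registrar) per domain, holds a domain for the first five minutes, keeps it on a watch list for an hour, and blocks it if a scan during the hold finds the registrar on a constructed abuse list or if suspicious activity is reported during the watch window. The registrar names, domains and the two-label `registrable_domain` helper are simplifications made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Windows taken from the proposal above: a few minutes in the penalty box, about an hour on watch.
HOLD_WINDOW = timedelta(minutes=5)
WATCH_WINDOW = timedelta(hours=1)
MINUTE = timedelta(minutes=1)

# Constructed sample list of registrars with a known abuse history (hypothetical names).
KNOWN_ABUSE_REGISTRARS = {"bulkreg-example"}

# Constructed reference time for the sample registrations below.
T0 = datetime(2015, 5, 6, 12, 0, tzinfo=timezone.utc)


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (simplification: real code uses the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class NewDomainPolicy:
    """Hypothetical resolver-side policy that holds, watches, or blocks newly registered domains."""

    def __init__(self, registrations: Dict[str, Tuple[datetime, str]]):
        # domain -> (registration timestamp, registrar), as a registry or WHOIS feed would supply
        self.registrations = registrations
        self.blocked: Dict[str, str] = {}  # domain -> reason it was blocked

    def decide(self, qname: str, now: datetime) -> str:
        """Return 'block', 'hold', 'watch' or 'allow' for a DNS query name at time `now`."""
        domain = registrable_domain(qname)
        if domain in self.blocked:
            return "block"
        record = self.registrations.get(domain)
        if record is None:
            return "allow"            # no registration data: treat as an established domain
        registered_at, _ = record
        age = now - registered_at
        if age < HOLD_WINDOW:
            return "hold"             # penalty box: not resolvable yet
        if age < WATCH_WINDOW:
            return "watch"            # resolvable, but on the watch list
        return "allow"

    def scan(self, domain: str) -> Optional[str]:
        """Check run while a domain sits in the penalty box: registrar reputation from WHOIS data."""
        record = self.registrations.get(domain)
        if record and record[1] in KNOWN_ABUSE_REGISTRARS:
            self.blocked[domain] = f"registrar {record[1]} has known abuse history"
            return self.blocked[domain]
        return None

    def report_activity(self, domain: str, now: datetime, reason: str) -> Optional[str]:
        """Suspicious activity seen during the watch window triggers a registrar notification."""
        record = self.registrations.get(domain)
        if record is None or now - record[0] >= WATCH_WINDOW:
            return None               # outside the watch window: left to the normal abuse process
        self.blocked[domain] = reason
        return f"notify {record[1]}: take down {domain} ({reason})"


def demo_policy() -> NewDomainPolicy:
    """Constructed sample registrations: one brand-new domain and one month-old domain."""
    return NewDomainPolicy({
        "freshspam.example": (T0, "bulkreg-example"),
        "oldshop.example": (T0 - timedelta(days=30), "reputable-example"),
    })


if __name__ == "__main__":
    policy = demo_policy()
    for minutes in (2, 10, 120):
        print(minutes, "min:", policy.decide("www.freshspam.example", T0 + minutes * MINUTE))
    print(policy.scan("freshspam.example"))
    print(policy.decide("www.freshspam.example", T0 + 10 * MINUTE))
```

Run stand-alone it prints `hold`, `watch`, `allow` for the three ages, then the scan verdict and the resulting `block`. The watch-window notification is deliberately separate from the hold-time scan so that the two checks the post describes (WHOIS-based at registration, behavioural afterwards) can be tuned independently.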

Data protection around the world

Data breaches are bad all around but they can be worse depending on where you are. Florida has some of the toughest data breach laws in the country and new laws are in the works for New York as well. But if you’re an international company they are much worse because international companies have to deal not only with U.S. data breach laws but also with the laws of other countries. Different countries have different laws regarding data breaches and the cost and complexities can rise dramatically the more countries a business operates in.

Although the U.S. has very heavy privacy laws we don’t have as many laws which protect the users’ rights to their data. One country which has interesting privacy laws is Argentina. In Argentina companies and individuals who want to store users’ private data must register their databases with the country’s government. Additionally users may demand to see their information and may demand it be changed if it is incorrect, a far cry from laws here where once a company has your data they can do almost anything they want with it. Apparently Argentina modeled their laws on Spain’s cyber laws.


http://www.securityweek.com/understanding-global-differences-data-breach-laws-critical-incident-response

http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf

~Drew Heintz

John Carlin on Cyber-crime: “No Free Passes”

At this year’s RSA Conference, Assistant Attorney General for the Department of Justice, John Carlin touched on the issues of cyber-crime at a local level but focused more on the existing issue of dealing with international cyber-crime and espionage.
The issue that exists with cyber-crime is that it can be accomplished remotely by an individual or group. Cyber-crime can be committed internationally as the internet is a near global service. However, individual countries have their own policies on cyber-crime that usually differ from one another. If the attacker is committing espionage from an office in Germany to a business in England, whose laws are to be followed in order to carry out punishment? If a large crime was committed, in most cases the nation who holds the criminal will indict and hopefully punish the criminal. This however is different in the case of nations like China, where cyber-crime is dealt with more leniently if dealt with at all. Carlin explained at the RSA Conference that this is what led to the issue with the People’s Liberation Army.
I believe we may begin to see stricter policy changes to how the United States deals with cyber-crime in the future: both nationally and internationally.
Sources:
http://www.darkreading.com/vulnerabilities—threats/advanced-threats/government-giving-no-more-free-passes-to-cybercriminals/d/d-id/1320117?
http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/
-Jacob Johncox

ISIS Hackers A Threat?

The Islamic State is making lots of headlines, from brutal executions to being suspected of trying to carry out an attack in Texas two days ago. They have also been taking the fight online. They have been mostly going after social media pages, from the US Central Command to Tesla Motors. They have even managed to take down a French TV network, which took multiple channels down, and got into their social media accounts.

So far the most debilitating attack has been the French TV hack. The attack consisted of them taking down 11 channels and taking control of multiple social media websites. It happened on April 9th late at night. It took them a few hours to regain control of the TV station and websites. During that time they posted photos of IDs they claimed belonged to French soldiers’ families with messages towards the soldiers to stay away. This came just months after a deadly attack in Paris where 16 people were killed over a drawing of cartoons and it was suspected ISIS was involved.

The attack was unprecedented and sophisticated compared to their usual hijacking of social media and websites. So where are these ISIS hackers coming from? Most are recruited into it for the thrill of it or their ideology. They have been able to manipulate social media to help spread their propaganda and spread word of their brutal killings and executions.

While they have a great propaganda strategy they are far from doing any major attacks. Many websites and Twitter accounts are hijacked almost every day, but they are far from getting into, say, CENTCOM’s actual computers or shutting down critical infrastructure. Their attacks can be described as vandalism in which they put their ideas somewhere everyone can gain access to them. This doesn’t mean they should be underestimated.

Zane Williams

http://www.foxnews.com/world/2015/04/09/french-tv-network-hacked-by-group-claiming-ties-to-isis/

http://www.theguardian.com/world/2015/apr/12/isis-cyber-caliphate-hacking-technology-arms-race

http://www.cnn.com/2015/01/12/politics/centcom-twitter-hacked-suspended/

http://www.theguardian.com/commentisfree/2015/apr/09/isis-hackers-tv5-monde-cyber

CareerBuilder Phishing Attacks

Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you come to the conclusion that some clueless individual clicked a link in an email and corrupted the system, or gave away important information to a phony account and cost their business millions of dollars. The blame isn’t as easily directed on certain individuals this time around.

For anyone who doesn’t know what careerbuilder.com is or has never heard of it, it is a popular job searching service website. Tons of companies post job advertisements on this website such as open positions, then users can browse these job postings by area or category and apply. Generally you are able to just apply right from the website and upload your resume and attach it as a Word document. Whenever a job seeker uploads their resume to a job posting, careerbuilder then notifies the company of the uploaded document. The people behind these attacks just simply title the document things such as “resume.doc” or “cv.doc” and employers open them as if it were just another typical resume. The employees download these attachments which on the surface appear to be just another applicant, but the files then go on to exploit a memory corruption vulnerability in Word RTF. This causes the infected machine to download a payload, which downloads a .zip file containing an image file which then drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files as they are expected to be nothing more than that. This is a dangerous piece of malware working its way into the organizations seeking new employees. Although the methods behind these attacks require a lot more work from the attackers due to having to find job postings and actually apply to them manually with their documents, the benefit is that it is very likely the majority of their attempts will indeed be successful. Typically, these kinds of phishing attacks are just attempted with fake email accounts trying to fool people and are much less likely to work.

Researchers from a firm known as Proofpoint uncovered the information behind these malware attacks, stating that the malicious documents were created in a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums and serves up CVE-weaponized docs and costs around $2000-$3500 to purchase. Proofpoint also claims that careerbuilder took swift action against these attacks, but didn’t state exactly how. The bigger issue here is the fact that these attacks are always going to be a risk on job search websites and other similar websites with file attachments for attackers to parse out malware.


Sources:

https://threatpost.com/attackers-peddling-malware-via-careerbuilder/112553

http://www.tripwire.com/state-of-security/latest-security-news/new-malware-campaign-on-careerbuilder-com-blends-phishing-with-social-engineering/

Additional Information:

http://www.esecurityplanet.com/network-security/careerbuilder.com-leveraged-to-launch-phishing-attacks.html

http://www.toptechnews.com/article/index.php?story_id=0020002934CO

-Liam Ellis
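The attack chain described in this post (a “resume.doc” that is really RTF carrying an embedded object, then a zip whose image file hides a payload) gives a recruiter’s mail gateway or upload handler three cheap things to check before a file reaches Word. The code below is an added example written for this page, not Proofpoint’s detection or anything from the cited articles: it identifies attachments by magic bytes instead of extension, flags RTF that declares embedded OLE objects, and measures bytes appended after a PNG or JPEG end marker. All sample inputs are constructed inline and contain no real malware; the file names and the finding strings are this example’s own.

```python
import io
import zipfile
from typing import List

# Well-known file signatures (real values).
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary: legacy .doc
ZIP_MAGIC = b"PK\x03\x04"                         # .docx and .zip archives
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"                      # last chunk of a PNG
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"                            # JPEG end-of-image marker

# RTF control words that introduce embedded OLE objects; a plain resume has no need for them.
RTF_OBJECT_WORDS = (b"\\object", b"\\objdata", b"\\objemb", b"\\objupdate")

# What each claimed extension is expected to contain.
EXPECTED = {
    "doc": {"ole"}, "docx": {"zip"}, "rtf": {"rtf"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "zip": {"zip"},
}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the name it was given."""
    for kind, magic in (("rtf", RTF_MAGIC), ("ole", OLE_MAGIC), ("zip", ZIP_MAGIC),
                        ("png", PNG_MAGIC), ("jpeg", JPEG_MAGIC)):
        if data.startswith(magic):
            return kind
    return "unknown"


def trailing_bytes(kind: str, data: bytes) -> int:
    """Bytes after the image's end marker: space that image viewers ignore and droppers can use."""
    marker = {"png": PNG_IEND, "jpeg": JPEG_EOI}.get(kind)
    if marker is None:
        return 0
    end = data.find(marker)
    return 0 if end < 0 else len(data) - (end + len(marker))


def triage(filename: str, data: bytes, depth: int = 0) -> List[str]:
    """Return a list of human-readable findings for one attachment (recursing into zip archives)."""
    findings: List[str] = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"{filename}: named .{ext} but content is {kind}")
    if kind == "rtf":
        hits = [w.decode() for w in RTF_OBJECT_WORDS if w in data]
        if hits:
            findings.append(f"{filename}: RTF embeds OLE object ({', '.join(hits)})")
    if kind in ("png", "jpeg"):
        extra = trailing_bytes(kind, data)
        if extra:
            findings.append(f"{filename}: {extra} bytes appended after image end marker")
    if kind == "zip" and depth < 2:                # bounded recursion: nested archives are common evasion
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    findings += triage(f"{filename}!{name}", zf.read(name), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{filename}: zip signature but archive is malformed")
    return findings


def constructed_samples() -> dict:
    """Constructed inputs (not real malware): an RTF 'resume.doc' with an embedded object,
    a clean .docx, and a zip holding a PNG with bytes appended after IEND."""
    fake_resume = b"{\\rtf1\\ansi Jane Doe, Software Engineer {\\object\\objemb{\\*\\objdata 0105000002000000}}}"
    fake_png = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + PNG_IEND + b"PAYLOAD-PLACEHOLDER"
    zip_buf, docx_buf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("photo.png", fake_png)
    with zipfile.ZipFile(docx_buf, "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")
    return {"resume.doc": fake_resume, "cv.docx": docx_buf.getvalue(), "portfolio.zip": zip_buf.getvalue()}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, "->", triage(name, blob) or ["clean"])
```

None of these checks proves a file is malicious; a .doc that is really RTF is legal input for Word, which is exactly why the lure works. The value is in routing such attachments to sandbox detonation or a human before a hiring manager opens them, and in logging the mismatch so a later incident can be traced back to the upload.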