Wednesday, December 17, 2008

Time To Mobilize!

It is interesting to note that in the current down economy, physical crime rates are going up (as one might expect).

There are also indications that *cyber*-crime rates are following the same trend, and have also been going up as per McAfee's 2008 Virtual Criminology Report, and a Panda Labs study that found a correlation between stock market drops and the continued rise of malware. In addition, the New York Times reports that the bad guys are winning, in large part due to the spread of malware.

While the global markets have been contracting, Symantec estimates that cyber-criminal economies are booming, and the Germans believe that cybercrime is likely to wreak as much havoc as the credit crisis in the coming years if international regulation is not improved.

So that's the bad news.

The good news is that the good guys are starting to mobilize! For instance, the FBI is reaching out beyond U.S. borders (as the Internet has no borders), and is helping organize law enforcement, academia and industry to develop international solutions to the problem. This coming January 6 - 9, the FBI, together with Fordham University, has organized the first International Conference on Cyber Security (ICCS 2009) in New York City. In some of the conference sessions, Sandra Stanar-Johnson, a senior executive at the NSA, will be talking about the US Comprehensive National Cyber Security Initiative, and Darren Mott, special agent with the FBI Cyber-Division, will be talking about The Rise of Eastern European Organized Cyber Crime. I will also be giving a talk on Protecting Your Organization From Cybercrime to tie up the conference, so please feel free to register for the conference if it is something you might be interested in.

Also, StopBadware.Org, a joint partnership between the Berkman Center for Internet & Society and the Oxford Internet Institute, along with its industry partners (Google included), has been doing a great job of working to raise awareness of the problem and build community to address the problem.

Last but not least (for those of you that were not already aware), I have left my lofty post at Google to help. Together with two stellar co-founders, I have started Dasient, a company that is helping businesses with revenue loss problems that can arise as a result of cyber-criminal activity. I can't say too much more than that right now as we are in stealth-mode, but you can undoubtedly expect that there will be more news to come!


Neil Daswani, PhD

Tuesday, November 11, 2008

Rampant Malware Drive-by-downloads

Hi Folks,

Drive-by-downloads are rampant. They infect your machine with malware when you simply visit a website. No clicking on links or user interaction is required; you simply get infected when your browser loads the page. Following is a link to an article about such a sample attack from last month:

And, the cybercrime economy is growing due to the economic downturn:

Google is doing some great work in this area by flagging web sites that get infected so that you are protected while you are searching by displaying a message saying "This site may harm your computer" below infected links in their search results:

Google also provides the list of infected sites to Firefox and Chrome browsers, so that users can be protected not only while they are searching but can be protected wherever they happen to be browsing on the Internet.

Yahoo provides similar protections through a feature called SafeSearch that they have deployed in partnership with McAfee. Finally, Microsoft is also slated to provide anti-malware protection as part of the next version of Internet Explorer.

There is much good work that search engines and browsers are doing to help protect users! Detection systems are working to avoid false positives (when a web site gets blacklisted even though it is not really infected), potentially at the expense of false negatives (in which a web site does not get blacklisted even though it is infected). I hope that over time Google, Yahoo, and Microsoft crack down even more aggressively on this problem so that unsuspecting users don't get infected, and the growth of botnets resulting from such malware infections can be curtailed.

Thoughts? Comments? Questions?

Let's keep fighting the fight!


-- Neil

Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on for more information.

My book, "Foundations of Security: What Every Programmer Needs To Know" is available at

Sunday, April 13, 2008

Crimeware: It's out!

Over the past few years, one of the biggest shifts impacting security online has been that the attacks are no longer primarily conducted by teenagers writing viruses and worms to make a name for themselves, but instead are executed by financially motivated cybercriminals.

A book entitled Crimeware: Understanding New Attacks and Defenses by Markus Jakobsson and Zulfikar Ramzan (to be officially released this week) is the most comprehensive compilation to date that I am aware of, cataloguing the many different ways that cybercriminals manipulate web sites, software, and people to make money online. While the book is to be officially released on April 19, I was able to pick up a copy at the on-site bookstore at the RSA conference last week!

A chapter co-authored by yours truly and a distinguished team of Googlers on "Online Advertising Fraud" appears in the book, along with chapters on topics such as "Crimeware in the Browser" (Dan Boneh, et al.), "A Taxonomy of Coding Errors" (Gary McGraw), and "Technical Defense Techniques" (Peter Ferrie, et al.).

The chapters in the book provide deep dives into topics that not only describe the vulnerabilities that cyberattacks prey on, but also provide a guide to high-level defenses. As such, the book is a great read for CIOs and CSOs in addition to security researchers-- I highly encourage checking it out!

Sunday, January 20, 2008

CIA: Hackers Shook Up Power Grids

For those of you that saw the movie "Matrix Reloaded," you may (or may not) remember a 3-second scene in which Trinity, played by Carrie-Anne Moss, takes advantage of a buffer overflow exploit as part of an attack to shut down a power grid. (Matrix Reloaded was one of the first movies, I believe, to get some of the technical details right on the big screen-- see "Matrix Sequel Has Hacker Cred" at the Register for more details-- whereas most other movies show silly animations for cyberattacks.)

Well, it seems that the CIA tells us that attacking power grids via the Internet is possible, and has been attempted (albeit outside the U.S.). I'm not sure if the technical details have been disclosed (yet?), but there are some rumblings that the attacks required some insider information, which is not surprising but no less comforting, and that extortion has been the attackers' goal to date. Here's an article:

CIA: Hackers Shook Up Power Grids

(Similar articles are available at )

Saturday, January 12, 2008

Report: TSA Site Exposed Travelers To ID Theft

Check out the following report on a TSA-sponsored web site that exposed citizens' PII (personally identifiable information) including social security numbers to identity theft:

-- Neil