USAToday stories

 

Surge of SpyEye attacks begins, as free, cheap hacking toolkits circulate

By Byron Acohido, USA TODAY 22Aug2011, p1B

SEATTLE — The odds that a cybergang will stealthily turn your PC into a bot this summer and use it to carry out all manner of cyberattacks just notched notably higher.

That’s the upshot of a premier hacker’s toolkit, called SpyEye, recently being made accessible to cybercriminals of all stripes.

Security analysts anticipate a surge in SpyEye attacks the rest of this year.

“Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world,” says Sean Bodmer, senior threat intelligence analyst at network security firm Damballa.

It’s been about a week since the keys to accessing SpyEye were publicly disclosed. So far 14 cyber rings have taken advantage, using SpyEye to send commands to tens of thousands of infected PCs in the U.S. and Europe, according to Damballa research findings.

In the first six months of the year, SpyEye was being used by 29 elite gangs that collectively commanded at least 2.2 million infected PCs worldwide. SpyEye normally sells for up to $10,000. But as of last week the latest, most potent version of SpyEye could be acquired for just $95, says Bodmer.

Advances in cyber larceny

How this sudden discounting came to be — and the resultant security implications — highlight how complex and dynamic larceny on the Web has become over the past few years.

SpyEye surfaced in late 2009 as a bigger, badder rival to ZeuS, then the premier hacker’s toolkit. SpyEye quickly surpassed ZeuS. By the end of 2010, it had evolved into a pricey, user-friendly software program, sold, updated and copyrighted, much like any legit business application.

Click here to see LW’s profile of ZeuS creator A-Z

For a base price of $6,000, SpyEye put a sophisticated Internet-based management tool into the hands of the buyer. Optional plug-in programs pushed the price to … more

Mass SQL hacking attacks take aim at smaller online businesses

By Byron V. Acohido

Criminals who infect websites are making the Internet much riskier for small business owners.

Editor’s note: This article originally appeared in USA TODAY’s print edition, on July 5, 2011, p. 1B.

Since early June, one gang has been using a uniquely insidious type of automated attack to inject malicious code on some 20,000 to 30,000 sites, many of them small businesses that rely on the Internet to reach customers, says Wayne Huang, chief technical officer at website security firm Armorize.

Many small business owners don’t realize how intently profit-minded hackers are striving to wrest control of their websites to run scams, says Maxim Weinstein, executive director of the non-profit StopBadware public awareness group.

“A sophisticated and evolved criminal underground is constantly trying to avoid being detected while spreading their malware ever more effectively,” says Weinstein.

Mass injection attacks begin with the bad guys obtaining the usernames and passwords for the administrator accounts of smaller websites. They can purchase logins from data thieves, steal them for themselves, or get them free from hacktivist groups that publicly post stolen account data.

After logging on as the site administrator, the hacker then injects a small program, called a script, that gives him full control of the website server.

Because mass injection can be automated, such attacks have become a staple of the cyberunderground. IBM’s X-Force security division monitored and blocked fewer than 10,000 such attacks per month in early 2008. By mid-2009 it blocked more than 500,000 per month, according to the most recent data.

Hackers target small business websites because they know those companies “do not have the resources for sophisticated security measures,” says Michael Lin, vice president at VeriSign, a division of Symantec.

Criminals use corrupted websites to spread infections to other PCs, thereby fueling data theft as well as scams to sell fake drugs, pitch worthless antivirus protection and steal from online bank accounts. “Your website essentially serves as … more

LulzSec declares hacktivist war on corporations & governments

By Byron Acohido

USA TODAY, 20June2011, P1B

LulzSec, the upstart hacktivist group, was busy over the weekend. First, it disavowed responsibility for the hacking of video game company Sega. In fact it added a new twist by offering to help Sega (once long ago a big name in video games) track down the perpetrators.

And this morning, the group announced that it was partnering with the long established hacktivist crew, Anonymous, in launching what the two headline-grabbing gangs dub: Operation Anti-Security.

Related story: Who’s who in LulzSec

Essentially, LulzSec and Anonymous have just declared open cyberwarfare against big governments and giant corporations. An excerpt from LulzSec’s declaration:

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path…Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments.

The rapid ascension of the hacker group LulzSec, if sustained, could signal a revival of cyberattacks carried out primarily to humiliate companies and government agencies.

“We’ve got some very powerful hackers apparently showing the world they’re powerful enough to break into any organization they want to,” says Josh Shaul, CTO at Application Security. “So why are they doing that? The best answer is because right now they can. And who knows what they’re setting themselves up to do in the future.”

Recent targets

After twice disrupting the U.S. Senate’s website last week, then knocking the CIA’s website off line, LulzSec on Friday issued a press release via Twitter declaring: “This is the Internet, where we screw each other over for a jolt of satisfaction.”

It’s no idle rant. LulzSec — which appears to have splintered from the renowned hacktivist group, Anonymous — has also successfully hacked Sony several times, as well as the FBI, Fox, PBS, Nintendo and others.

The Sony hacks stemmed … more

Disclosure of IMF, Google hacks support cybersecurity legislation

By Byron Acohido, USA TODAY, 15June2011, P1B

The recent rash of disclosures about cyberspying — aimed at undermining the United States — comes as the White House is making its third attempt to push through a historic federal cybersecurity law.

The timing is no coincidence, some cybersecurity analysts say. After two previous bills went nowhere, the White House needs to garner public support for a new law that could equip America for cyberwarfare.

UPDATE -Click here: DHS has slightly reduced role in Langevin bill vs. White House and Senate versions

“The best way to do that is to get folks worried that we’re under attack from some foreign state like China or North Korea,” says Ed Adams, CEO of Security Innovation, which integrates security systems for government agencies. “Most people don’t realize how much of this is premeditated.”

Recent disclosures of cyberattacks against the International Monetary Fund, Google and several defense contractors coincided with an unprecedented pronouncement last week by CIA Director Leon Panetta, who warned a U.S. Senate panel that the U.S. needs to take “defensive measures as well as aggressive measures” to win at cyberwarfare.

The bill is gaining bipartisan support in Congress. It would establish a framework for distributing billions of dollars for new cybersecurity systems, while placing responsibility for securing cyberspace with the Department of Homeland Security.

In an op-ed piece Tuesday in The Hill, Rep. Jim Langevin, D-R.I., the bill’s chief sponsor, underscored the need to engage Americans “in a continuous dialogue about threats we face and steps taken to protect them.”

In that vein, the FBI will help investigate what’s believed to be the theft of e-mails and other documents related to the IMF’s role in stabilizing currency exchange rates and keeping global trade in balance.

“This is part of a wave of economic espionage putting additional pressure on the U.S. economy,” says Alan Paller, research director at SANS Institute, a cybersecurity think tank.… more

Androids, iPads, iPhones are creating panoply of corporate risks

By Byron Acohido, USA TODAY, 31May2011, P1B

Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.

Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.

Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”

Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.

“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”

An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.

What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Ghosh, founder of Web browser security firm Invincea.

Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-readers, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units, tablets, zero and e-readers, 3 million.

“As mobile devices become a replacement for the desktop computers, the problem of … more

Corporate security shattered by use of personal mobile devices

By Byron Acohido, USA TODAY, 30May2011, P1B

Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.

Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.

Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”

Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.

“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”

An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.

What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Ghosh, founder of Web browser security firm Invincea.

Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-readers, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units, tablets, zero and e-readers, 3 million.

“As mobile devices become a replacement for the desktop computers, the problem of … more

PR stunt to taint Gmail shows how eroding privacy can pay big

By Byron Acohido, USA TODAY, 10May2010, P1B

It’s not as if Google lacks privacy controversies to quell.

Yet Burson-Marsteller, a top-five public relations firm, is attempting to pile more on.

Burson last week stepped up a whisper campaign to get top-tier media outlets, including USA TODAY, to run news stories and editorials about how an obscure Google Gmail feature — Social Circle — ostensibly tramples the privacy of millions of Americans and violates federal fair trade rules.

Google said that Social Circle in fact allows Gmail users to make social connections based on public information and private connections across its products in ways that don’t skirt privacy.

Yet the PR stunt played out during a week in which Google was responding to a raid of its Seoul office by South Korean privacy regulators and was preparing for a U.S. Senate hearing today over the location-tracking feature in Android smartphones.

Pushed by two high-profile media figures — former CNBC news anchor Jim Goldman and former political columnist John Mercurio, both of whom recently joined Burson — the whisper campaign illustrates how privacy has become a lightning-rod issue. Goldman pitched the Social Circle issue as a huge privacy breach to Google users and an important story for consumers.

“Privacy issues are certainly complex,” says Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection.

Burson’s efforts, on behalf of an unnamed client, also highlight the delicate balancing act Google, Microsoft, Facebook and Apple face as they rush to profit from cutting-edge Internet services that tap into consumer data. Several pioneering privacy rights bills are gaining steam in Congress and in California. And Sen. Al Franken, D-Minn., chairs today’s hearing, where he is expected to grill executives from Apple and Google about how iPhones and Android smartphones keep precise track of each user’s whereabouts every day.

The tech giants “need to ensure that consumers understand their data is being accessed … more