Archive for the ‘Cybercrime Trends’ Category

For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is "guaranteed to bypass all anti-virus programs at the time of purchase". Like many commercial software packages, it includes a year’s worth of free updates and support for the hacker in the price. Mpack is also disturbingly common. It has been discovered embedded in more than 10,000 web sites so far.

Between the increased availability of these tools and the sheer number of vulnerabilities that they are programmed to automatically exploit, it is vital that you keep your computer’s operating system and applications up-to-date and fully patched.

Regularly check for updates and immediately load them. Consider setting them to automatically update. And remember that you have to check for updates for every program you have on the computer, not just the Microsoft updates.

Shut down your computer every night. This limits your vulnerability to automated attacks against your computer. Depending on how your network is set up, it may also trigger your update process, making sure that the latest patches are loaded to your computer when you log on in the morning.

Mpack targets security holes in many common software programs including QuickTime media player, plug-ins for the Firefox web browser and Microsoft Windows. According to researchers at one anti-virus company, this toolkit uses simple yet very sophisticated web-based interfaces and allows the hacker to take control of the victimized computer to either steal information, install keyloggers or use your computer as a "zombie" to attack someone else. You can read this technical report for more about Mpack.

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer – the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.

According to a University of Maryland study, computers are attacked on average 2,244 times a day. That’s an attack every 39 seconds.

Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).

Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the account name immediately.

Always choose longer, less obvious passwords that combine upper- and lowercase letters and numbers, so they are harder for brute-force dictionary attacks to guess. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.
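One way an administrator could screen accounts for the patterns the study reported, as an added example that is not part of the original post or the study. The function name, finding messages and sample accounts are assumptions made for illustration, and the check generalizes "username followed by 123" to the username followed by any digits.

```python
import re

# Values reported in the study as quoted on this page.
GUESSED_USERNAMES = {"root", "admin", "test", "guest", "info", "adm",
                     "mysql", "user", "administrator", "oracle"}
COMMON_PASSWORDS = {"123456", "password", "passwd", "123", "test",
                    "asdf", "qwerty"}
MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
# Month name followed by a 2- or 4-digit year, e.g. January07.
DATE_PASSWORD = re.compile(rf"(?:{MONTHS})(?:\d{{2}}|\d{{4}})", re.IGNORECASE)


def audit_credentials(username, password):
    """Return the reasons a username/password pair matches the study's patterns."""
    findings = []
    user = username.strip().lower()
    pw = password.lower()
    if user in GUESSED_USERNAMES:
        findings.append("username is on the most-guessed list")
    if pw == "":
        findings.append("password is blank")
    elif pw == user:
        findings.append("password repeats the username")
    elif user and pw.startswith(user) and pw[len(user):].isdigit():
        # Generalizes the 'username followed by 123' case to any digit suffix.
        findings.append("password is the username plus digits")
    if pw in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if DATE_PASSWORD.fullmatch(pw):
        findings.append("password is a month name plus year")
    return findings


# Constructed sample accounts (hypothetical), not data from the study.
SAMPLE_ACCOUNTS = [
    ("oracle", "oracle"),
    ("jsmith", "jsmith123"),
    ("backup", ""),
    ("guest", "January07"),
    ("mchen", "Correct horse, battery staple!"),
]

if __name__ == "__main__":
    for name, secret in SAMPLE_ACCOUNTS:
        print(name, audit_credentials(name, secret) or "no study pattern matched")
```

An empty result only means none of the study's patterns matched; it does not by itself mean the password is strong.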

If it seems like you’re seeing a lot more spam lately, it’s not just you. During the past few months, the incidence of spam shot up around the world. In 2001, researchers estimated that about 5% of all Internet traffic was spam – one spam message for every twenty real messages. By 2003, researchers estimated that 50-60% of all traffic on the Internet was spam – one spam message for each good message. In September of this year, that number was up over 80% – 4 spam messages for every real message.

In the past month, two new computer viruses were released, both of which are specially designed to generate spam messages. These viruses are very sophisticated and have been very hard for the anti-virus companies to block. (See this TechWeb article for details.) The latest estimates are that there are 9-10 spam messages for each good message on the Internet. All that means that the total volume of spam on the Internet is way, way up.

Good spam filters are generally 95-98% effective at identifying spam messages as spam. That’s actually a pretty good ratio and is about as good as any software package can get. Unfortunately, when you pump so much increased volume through a filter with a 2% leakage rate, more spam will inevitably leak through.

Some people have asked if they can tweak that filter to block more of the spam. The cost we generally pay for that effectiveness is that about 0.5% of good messages are incorrectly identified as spam. If you tighten the spam filter, you will get an increase in the false positives. Every company is constantly trying to make sure that they are at the right balancing point.

We are in an arms race with the spammers. Every time the anti-spam vendors come up with a technique to identify spam, the spammers adapt and find another way around the filters. It has been a story of incredible creativity and innovation.

While we are waiting for the spam-filter companies to release their next round in the arms race, there are some things that you can do to keep yourself off the spammers’ target lists. Remember that once you’re on one list, spammers will sell your address to other spammers. And once that happens, there’s little you can do except to wait until your address ages off their lists.

  1. Never buy anything advertised in a spam message. If you do, you’ll jump straight to the top of their list.
  2. Never respond to a spam email, even to complain or to attempt to get off their list. Any reply at all confirms to the spammer that you read the message. Even if you didn’t fall for their Viagra scam, they know you might fall for a mortgage scam. Never reply to a spammer. Do not attempt to "unsubscribe" from the list. More often than not, the unsubscribe link is a scam.
  3. If you can, delete the spam message without ever opening it. Spammers use techniques such as web-bugs to track whether or not you opened the message. Again, they hope that even if you didn’t fall for one scam, if you’re the kind of person who opens spam, maybe you’ll fall for a different one.
  4. Do not use your work email address for internet shopping, chat boards, etc. Sign up for a free email account like Yahoo or Hotmail.

The final recommendation is to remember that spam is just like the physical junk mail in your mailbox at home. We do what we can but at some point you just throw it in the trash and let yourself get on with your life.

A survey by First Data Corp. in 2005 found 43% of US adults had received at least one fraudulent email, in most cases purporting to be a financial institution. Of those, about 1 in 20 – or 4.5 million people – provided the requested information and about half of those ended up being victims of theft or identity fraud. According to antiphishing.org, 89.3% of all phishing attacks target financial institutions.

Those are some large numbers but I have to admit that my first reaction was to ask “who are those lucky 57% who have not yet received a phishing email?” Many of them simply do not have email. For the remainder, unfortunately the question answers itself. They are the people who have not yet received their first phish.

Phishing emails attempt to trick the reader into believing that the message is from a trusted source and following their “convenient” link to a fraudulent site which looks and feels just like the official site but which is designed to steal the user’s private information. Even though this doesn’t fool most consumers, phishers rely on “spam economics” – they can make money even if only a fraction of a percent of their scams succeed.

Phishers are beginning to add to their tactics. Many are providing a fraudulent telephone number in the email rather than just a fraudulent hyperlink. The criminal then sets up his/her own IVR system to steal your information when you call in. Others are making increased use of trojan horses – programs which are covertly installed onto your computer and which either log all your keystrokes or install a backdoor through which the criminal can take control of your computer.

Never trust anything sent in an unsolicited email. Never directly answer any request for your private information. If you think the request might be legitimate, type the company’s address into your web-browser yourself. If this is a real request, expect it to be prominently displayed on your account page on the company’s real website. If you are going to call them by phone, get the phone number off of your last paper statement. Never trust the “convenient” number on the email. Finally, remember that no reputable financial institution will ever ask for your personal information via email.

Incidentally, in 2005 the Federal Trade Commission estimated that 9.93 million persons were affected by identity theft, causing a loss to financial institutions of $46.9 billion. Combining that with the statistics above, phishing accounts for only about one quarter of all identity theft cases. This is consistent with other studies which show that most ID theft is based on paper documents. We should still be vigilant against these kinds of scam messages but we should be even more vigilant about making sure that our paper waste is properly destroyed.