The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

“Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.”

Damages from the hack(s) were not estimated in 2008:  ‘”They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said at a news conference. “And in total, they caused widespread losses by banks, retailers, and consumers. Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point”‘, but the Bangkok Post article seems to cite an estimated $150 million for the ring’s take.

This year’s Cryptographer’s Panel discussed some interesting work on the new MD6 hash algorithm within the SHA-3 Competition, and MD5 as a ”dead hash algorithm”. This talk marked hopefully the last year of commercial Md5 use, in light of Md5’s fairly substantial and vulnerable use by vendors, webmasters and Certificate Authorities up through the beginning of 2009. May its death arrive quickly and a new, performance sensitive MD6 born soon.

Today, the Australian Parliament’s web systems are accessible over the web.

“Just as the government eventually stepped in to mandate seat belts in cars and safety standards for aircraft, says James A. Lewis, a computer security expert at the Center for Strategic and International Studies, the time has come for software.

Mr. Lewis, who advised the Obama administration about online security last spring, recalled that he served on a White House advisory group on secure public networks in 1996. At the time, he recommended a hands-off approach, assuming that market incentives for the participants would deliver Internet security.

Today, Mr. Lewis says he was mistaken. “It’s a classic market failure — the market hasn’t delivered security,” he said. “Our economy has become so dependent on this fabulous technology — the Internet — but it’s not safe. And that’s an issue we’ll have to wrestle with.”

Not exactly “hacked drones”, but poorly secured at the least.

SkyGrabber by SkySoftware

We are examining the binaries involved, and ThreatFire could have protected those systems from the bot, stopping its dropper, and in turn, prevented at least some of the DoS flood on these U.S. and the many South Korean web sites. The underlying code itself appears to be fairly unsophisticated.

One of the malicious DoS components is delivered unpacked, sets itself up as a service, and contains a handful of commonly used user agent strings to camoflage its GET and POST traffic. Interestingly, we find “Accept-Language: ko, UA-CPU: x86″ in the http headers. We are further looking into an unusual dependency on pcap for network traffic requests: pcap_open, pcap_sendpacket, and other functions are abused by this malware, but it uses common winsock calls to perform its network activity too.
Here it uses an extremely common registry editing technique to disable the compromised host’s Windows firewall:

In the meantime, government, network operators and web masters in both countries are working to tame this thing.

Considering that AlephOne’s article on “Smashing the Stack for Fun and Profit” was released in 1996, Iloveyou in 2000, CodeRed in 2001, the Slammer worm in 2003, the Witty worm event in 2004, the thousands of system intrusions and compromises since (reported and unreported), and the list goes on, the review seems around fifteen years late on delivery. But better late than never. It addresses badly needed subjects and planning in thoughtful and creative ways.

Some of the document is predictably clumsy. Chapter IV, “Creating Effective Information Sharing and Incident Response”, oddly starts out with a current example of Downadup/Conficker as impetus for action: “For example, despite advance warning and instructions on how networks could be protected, had the “Conficker [Downadup]”worm activated on April 1, 2009 with a malicious payload, some federal departments and agencies were not prepared to respond”. What malicious payload? Unprepared in what way? To infected machines within the federal and state governements? To a DDoS attack from the the majority of Downadup-infected systems across the ocean that actually were infected (and most just wound up with a FakeAv download)? Don’t leave me hanging, folks, what were they unprepared for?

Of note, some of the law enforcement agencies in attendance at the presentation have field offices with agents that don’t know what a URL is (which is much like reporting something to a police officer and hearing them respond “Sorry, I don’t know what a street address is, please tell someone else”). Based on that level of techno-savvy, the section on cyber-education is much needed, overdue, and significant: “Building Capacity for a Digital Nation”.

It’s a good read, especially the section addressing internationally co-ordinated efforts, “Partner Effectively With the International Community”.

Cheers to open dialog about cyber-security challenges!