Archive for September, 2007|Monthly archive page
Feds prepare for Cyberwar
The White House is preparing a new initiative to protect against what it fears could be a crippling attack against the U.S. by computer, from overseas, and in particular, from China.
After a series of cabinet-level meetings this month at the White House, computer security analysts say the Bush administration is considering creating a new agency or cyberwar center to better protect the federal government’s computers and find ways to help private companies and public utilities fend off computer attacks.
Those attacks, which could be just a few keystrokes away, could shut down U.S. power grids and communication and banking systems, security analysts warn.
“Basically we would find the lights go out, the dial tone stop and we have no ability to access our money,” Sami Saydjari, founder and president of the Cyber Defense Agency, told ABC News.
Internet security companies, such as Akamai in Boston, are currently tracking thousands of attacks against the U.S. government and corporate computer systems every day.
“We would not be in a good situation if we were to enter a cyberwar today,” Akamai co-founder and chief scientist Tom Leighton said.
On most days, the single biggest source of those attacks is China.
“A Chinese general has talked about how they would reach out through cyberspace and turn off the American electric power grid before any conflict with the United States,” said Dick Clarke, a former White House counterterrorism official and now ABC News consultant.
White House advisors say alarm bells sounded when this past June Chinese hackers got into the unclassified computers of Secretary of Defense Robert Gates.
“The intelligence community has come to the recognition that China and other foreign governments have free run of American computer networks,” Clarke said.
In addition to long-distance hacking, U.S. experts are concerned Chinese-made computer equipment could be sabotaged in ways that are undetectable, the so-called Trojan horse attack.
“My fear is that there are many, many Trojan horses, many, many malicious codes in a large number of our critical systems,” Saydjari said. “And that they are just waiting to be activated through some trigger at some time.”
The White House says it is asking for $6 billion in the latest budget to increase cybersecurity.
Dot .name becomes cybercrime haven
The company that controls the .name registry is charging for access to domain registration information, a step that security researchers say frustrates their ability to police the internet and creates a haven for hackers who run internet scams.
When security researchers investigate spam and phishing activity on the internet, they rely on special Whois directories, which list the owner of a domain name, their hosting service and their contact information.
They can use the information to track down who is responsible for a particular scam and to notify innocent webmasters if a portion of their site has been hijacked by black-hat hackers.
ICANN, which sets the rules for the internet’s top-level domain names such as .com and .net, has traditionally required registrars to make Whois data publicly searchable as a condition of the companies’ right to sell domain names.
But Global Name Registry, or GNR, which administers domain names ending in .name (which are intended for use by individuals, e.g., johndoe.name), won the right to create tiered levels of Whois access, where public searches show very little information beyond which registrar sold the name and which name servers the site uses.
The site sells five passwords, good for 24 hours only, for $2.
That’s $2 too much for security researcher Gadi Evron, one of the leading authorities on zombie computer networks. “What they have done is made sure the .name TLD is a free haven for bad guys to lurk on,” Evron said. “If I need to report 1,000 domains, I’m not going to pay $2,000.”
Paul Ferguson, a network architect at the security giant Trend Micro, said just this week he’s seen black hats finding ways to spread malware through .name computers.
Swa Frantzen, a Belgian volunteer handler at the SANS Internet Storm Center, which monitors the net for threats, brought the policy to light on Saturday, after he was looking into some odd JavaScript reported to the center.
The domain name indicated that a legitimate .name site might have been hacked, but the .name portion of the domain name didn’t feel right, Frantzen said. The Whois information might have let him figure it out.
But Frantzen refused to pay.
“It feels like extortion,” Frantzen said. “No matter the small amounts involved, it becomes a problem as it means spending money, authorizations, purchase orders and having authorized users for credit cards. All sorts of things that slow it down dramatically.”
Whois data typically includes the name of the purchaser, a physical and e-mail address, as well as information about who hosts the site and what its name server is.
In recent years, registrars have been allowing veiled registrations so that domain-name owners can hide their identity, but still be contacted in case of an emergency or if they are served with legal papers.
Karen Lentz, ICANN’s domain registrar liaison, says that GNR is allowed to keep the data behind a paid firewall as part of its contract with ICANN, and to comply with British privacy laws.
“There is certain data that is minimal data that is free, and there is tiered access to more detailed information,” Lentz said. “One level involves paying a fee to get you access to more data for a limited period of time.”
“The whole point of having this service is to make it efficient,” Lentz said.
Another ICANN employee dismissed security researchers’ concerns about paying for the data.
“I don’t know why that matters,” she said. “Is this (reporter phone call) really worth $2 of your life?”
GNR did not reply to a request for comment by deadline.
But security researcher Evron says the move to a pay system demonstrates a larger truth about names and the internet.
“The domain name system has grown bigger than it was ever planned to be, is doing more than it was ever intended to do and does it proudly,” Evron said. “But the governance around it has become profit-based, and we have no fallback system to handle criminal organizations and countries that abuse domain names.”
Storm center volunteer Frantzen suggests that most domain name owners would benefit from making an e-mail address available through the Whois system.
“Just imagine you get a call from us telling you about a problem and offering help to fix it, versus you getting a call from your ISP informing you they shut down your server due to a breach of policy,” Frantzen said.
Hollywood studios go after two piracy sites
The Motion Picture Assn. of America has filed suit against two Web sites that it claims are allowing Internet users to view pirated films, many of which are still in theaters.
The lawsuit, filed Wednesday on behalf of the major studios, seeks to shutter cinematube.net and ssupload.com and stop them from further infringing on the copyrights of the MPAA members.
The sites feature links to hundreds of titles, including such recent releases as “Resident Evil: Extinction,” “The Brave One” and “Good Luck Chuck.”
A “Who Is” domain search of the sites indicates both are registered as private, meaning the information on ownership and administrative contacts is not disclosed.
The domain search also indicated cinematube.net’s servers are located in Malaysia. The site averages more than 24,000 unique users each day who view more than 85,000 pages of content.
Servers for ssupload.com are located in Arizona, and the site averages 55,000 unique daily visitors who view more than 190,000 pages of content per day.
“We are putting illegal Web operators on notice that they are not above the law and will face serious consequences for their activities,” said John Malcolm, executive vp and director of worldwide anti-piracy operations at the MPAA.
The MPAA estimates that the industry lost $18.2 billion in 2005.
UK PCs have least malware
An online malware measuring tool has unexpectedly rated U.K. PCs as having the lowest level of infection in Europe.
The Nanoscan tool, which can be downloaded as a plug-in from the site of owner Panda Software, put the U.K. in bottom spot last week, with only 8.1 percent of those scanned showing active malware. By a separate measure, that of ‘latent’ or inactive malware, however, the U.K. fared less well, reaching 20.7 percent.
At the top of the infection list for active malware were France (28.2 percent), Mexico (23.1 percent), Brazil (18 percent), the U.S. (17.8 percent), and Argentina (17.4 percent).
The figures appear to show very high levels of infection, but the results only rate those who visited the site and asked to be scanned. These individuals would be expected to show a bias towards having infected PCs. The company has created its own global malware map from the data, which is collected from thousands of mostly consumer PCs every 15 minutes.
Interestingly, almost 8 percent of those scanned and who showed active threats also had anti-virus software installed, which appears to support the company’s controversial view that conventional signature-based malware detection is no longer enough to protect PCs.
“These figures prove that it must be complemented with online tools such as Nanoscan and Totalscan, which are capable of detecting more malicious codes than the solutions installed on users’ computers,” said Luis Corrons of Panda Software.
Nobody knows for sure how many PCs are infected with malware at any one time, though last year Microsoft came up with the more optimistic figure of one in 300 Windows PCs in its own research.
Critics might point out that, flawed though anti-virus systems might be, they are no worse than online scanning tools, which are often promoted as marketing tools for paid-for products. This is the case with Nanoscan. Anyone passing the malware test with Nanoscan is invited to try the more advanced but paid-for Totalscan software.
Mystery eBay ‘hack’ exposes 1,200 accounts
eBay is one of the most successful Internet-only ventures of all time, so it’s not surprising that it has come under near-constant attack by fraudsters and hackers. In the latest attempt, a hacker logged on to the eBay Trust and Security forums and pretended to post as 1,200 separate users, making it appear as if he had actually logged in with each user’s account. The posts contained the users’ names, contact information, and credit card numbers.
That done, the hacker posted a video of his exploits on YouTube to celebrate his “achievement” (the video has subsequently been taken down). In response, eBay and LiveWorld—the third-party software firm that operates eBay’s web-based forums—took the entire Trust and Security forum offline while they looked into the problem. The forum was taken down 90 minutes after the posts first hit the Web and was put back online later that day.
eBay issued an official statement on its eBay Chatter forum, stating that while the posts appeared to contain credit card information, the posted numbers did not correspond to credit card information that eBay had on file for those users. Nevertheless, the user names and contact information were accurate, and eBay claims they are attempting to get in contact by phone with each of the 1,200 users to ensure that they can protect themselves from any attempts at hijacking their accounts. At this time, eBay is unclear as to whether or not the accounts have been fully compromised. It is also not certain that only these 1,200 accounts are affected.
While the original posts and the YouTube video showing the list of names have been removed from the Web, an eBay member has grabbed as many of the account names as possible and posted them on a personal web site so that people can easily check to see if their account was one of the original 1,200. So far, the operator of this list has not been asked by eBay to take it down.
While this particular attack may not have revealed customers’ credit card information, there are plenty of fraudsters about who are trying their hardest to scam people out of their money: a helpful eBay forum member even posted a list of an astonishing 36 common scams currently being perpetrated against eBay users. Most of these involve social manipulation and phishing scams rather than direct attack, but clearly they are effective: videos of hacked accounts posting over 60,000 items for bid show what the bad guys are likely to do once they have your account information. It’s always a good idea to practice skeptical computing, but eBay users should take even greater care to ensure that they are not taken in by any of these scams.
An eBay representative did not return our request for a comment in time for publication.




