Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.

China Expands Cyberspying in U.S., Report Says

A Congressional commission, formed in 2000 to investigate security implications of growing trade with China, found China’s efforts of extracting close to $40 to $50 billion worth of intellectual property from the US. The main target of this cyber espionage is that of defense technology.

Due to the sophisticated and targeted nature of the attacks, it is believed China is directly behind the effort as the information is specific and not something easily sold on the open market.

Click here for more information.

FBI and SOCA plot cybercrime smackdown

As reported in yesterday’s News Bits, the FBI, in conjunction with other foreign groups that deal with cyber crime are stepping up their efforts to curb organized cyber crime. The following story illustrates the extent to which cyber crime has become organized.

The Russian Business Network (RBN) was one such target. While eventually brought down it was discovered the RBN had, in its pocket, the local police, local judiciary and the local government of St. Petersburg. While surpassing all of the hurdles placed in their way the RBN was eventually brought down, however no prosecutions were made. The RBN is believed to have resurfaced under a different business model.

Click here for more information.

CRTC to allow telecoms to throttle web traffic but with new rules

Canadian views on Net neutrality are that it’s OK for network providers to throttle back traffic when necessary.

Under claims that telecoms used their power to throttle certain web usage the CRTC decided to implement stricter rules on when throttling may occur.

First of all, it is the CRTC’s preference that carriers invest in their network so capacity problems are not an issue. However, if capacity issues arise carriers can:

• Manage traffic by placing higher charges for heavy users of the Internet instead of limiting traffic.

• Throttling traffic only after retail customers receive at least 30 days notice while wholesale customers receive at least 60 days notice.

It was also noted that ISPs, who sell their broadband services in bulk to wholesalers can’t discriminate between the wholesaler and the ISP’s own customers.

Click here for more information.

Europe Paves Way for Three-Strikes Style ISP Disconnection Policy

The EU Parliament appears to be backing down to a more general form of legislation regarding illegal download of copyrighted material. The original, favored proposal was to have potential abusers disconnected from the Internet only after a judicial ruling. The new amendment drops the judicial ruling opening the way for ISPs to disconnect users without having a prior judicial review.

Click here for more information.

Pacnet addresses broadband demand in Asia

Connecting, through undersea cable, Hong Kong, China, Korea, Japan, Taiwan, the Philippines and Singapore, Pacnet is working to address the increased need for capacity by upgrading the Asian undersea cable network with an additional 3,600 Gbps of capacity.

The need for increased bandwidth comes from the increasing amount of digital content created in Asia. A 48% compound annual growth rate is expected between 2009 and 2015.

Click here for more information.

The broadband adoption dilemma

With approximately 96% of American households having access to broadband services, roughly 33% choose not to subscribe to broadband. The FCC would like to understand what is preventing people from converting to broadband. Of the 33% who choose not to subscribe, a sizable portion of those 33% who use the Internet do so through dialup.

Click here for more information.

Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.

We’re losing the war on cybercrime

While news regarding the capture of Albert Gonzalez feeds the press machine for stealing over 130 million credit card information, he is considered “small fish” by those in the security business. The really large cybercriminals are the ones who have established businesses in other countries. Their businesses can rival the size of any of the Fortune 1000. They pay their taxes and operate legally, or at least with turned eye when it comes to the government under which the organizations operate. The Russian Business Network (RBN) is a classic example of this where they partake in spam, malware development, child pornography, large-scale denial of service attacks and BotNets.

Click here for more information.

Trojan zaps banking credentials via IM

To counter increased efforts to detect and prevent banking fraud, scammers are working with an ever increasing sense of immediacy. Zeus, a Trojan also known as Torpig and MeBroot, resides on a computer and looks for credentials for when one logs into banking or other financial services websites. Once detected the credentials are sent via instant message (IM) to the hackers. Hackers have thus reduced the amount of time from when malware captures credentials to then they can start using the credentials.

Click here for more information.

Whistleblower releases Skype snooping code

Rumors long held regarding how information can be leaked are proven by Swiss-born code. Working as a Trojan the code, after infecting a computer, can record Skype conversations and turn them into MP3 files. The code is being released in hopes that stronger defenses will be created.

Click here for more information.

Hackers serve up pre-release malware to Mac fanboys

In the lead up to this Friday’s release of Apple’s new OS, Snow Leopard, hackers have established sites to exploit the OS’ vulnerabilities. Some sites, purportedly offering users the ability to download the OS will find themselves downloading a DNS changer Trojan that will direct users to various malicious sites.

Click here for more information.

Bill would give president emergency control of Internet

A bill, quietly making its way through Congress, would grant powers to the US President to declare a cyber emergency. Upon such a declaration private networks deemed critical to the US’ security and infrastructure would come under the control of the US government. In the bill, “Cyber” refers to anything dealing with the Internet, telecommunications, computers or computer networks.

Click here for more information.

By Andrew Nusca
February 2, 2009
ZDNet.com

This January marked “the third successful cyberattack against a country” — when suspected Russian attackers distributed a denial of service attack that overwhelmed three of the four Internet service providers in Kyrgystan, disrupting Internet access, reports DefenseTech.

The culprit? The IP traffic was traced back to Russian-based servers known for harboring cybercrime, and some are blaming the cyberattack on the Russian cyber militia and/or the Russian Business Network, which is thought to control the world’s largest botnet with between 150 and 180 million nodes.

“Reports go on to say that Russian Officials hired the technically capable group to do this. It is widely believed that this group also played a substantial role in the Estonia Attack in 2007 and the attack on Georgia in 2008. The mechanism of attack was a fairly large botnet with nodes distributed in countries around the world…One significant difference in the Kyrgyzstan attack is that most of the DDoS traffic was generated in Russia.”

According to DefenseTech, one source reports that this attack was commercial, “insinuating the civilian organization (attackers) may have been paid to carry this out” and helping the Russian government stay “an arm’s length away” from the act.

Are geopolitical disputes now fought with cyber weapons instead of conventional arms?

Continue reading…

Not entirely cyber warfare related but still a very interesting read, but according to the Global Trends 2025 report by the National Intelligence Council, irregular warfare, which cyber warfare is part of, will play a determinant part into the future of the United States:

“… expanded adoption of irregular warfare tactics by both state and nonstate actors, proliferation of long-range precision weapons, and growing use of cyber warfare attacks increasingly will constrict US freedom of action.[1]“

Unfortunately this is the only mention of cyber warfare in the report, which fails to go into further details. This shouldn’t come to a surprise to anyone though. We all know how reliant on technology everything is nowadays and the interconnection between every part of the modern society. Not only does the United States recognized that cyber warfare will be an important part of the upcoming conflicts, but also does China and Russia, which are stated to become heavyweights on the world stage:

“Few countries are poised to have more impact on the world over the next 15-20 years than China. If current trends persist, by 2025 China will have the world’s second largest economy and will be a leading military power.[2]“

Right now, even with her very large armed forces of 2 million active personnel[3], China is trying to modernize its military to be more mobile and efficient. In order to accomplish that modernization, it has explored many new avenues that western societies are still trying to grasp. In 1999, two Chinese Air Forces colonels discussed new ways to conduct war in a guide titled “Unrestricted Warfare”, where they describe the use of computers as new weapons for future warfare:

“With technological developments being in the process of striving to increase the types of weapons, a breakthrough in our thinking can open up the domain of the weapons kingdom at one stroke. As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.[4]“

Experts seem to agree that this kind of “new weapon” could do far more damage than one can imagine:

“If someone is able to attack information that is needed by decision makers, or that is crucial to organizing logistics and supply lines of an army on the ground, that means they can induce chaos in a nation[5]“ said Sami Saydjari, who worked as a Pentagon cyber expert for 13 years and now runs a private company, Cyber Defence Agency.

... by 2025 China will have the world’s second largest economy and will be a leading military power

We don’t know how much of the concepts explained in this book as been accepted by the People’s Liberation Army (PLA), but events from the last decade can gave us clues as how much China has developed cyber warfare capacities based on the text of the two colonels. . Concretes realizations of these ideas may have happened as soon as four years after the publication of the guide during Operation Titan Rain in 2003. With a computer network of more than 3.5 million computers spread across 65 countries, the Pentagon faces many challenges against a strong and sophisticated attack and Operation Titan Rain proved this. According to an article on ZDNet[6], 20 hackers, based or using proxies based in China, successfully attacked American networks in a coordinated attack:

• At 10:23 p.m. PST, the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Ariz.

• At 1:19 a.m., they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Va.

• At 3:25 a.m., they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, Calif.

• At 4:46 a.m., they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Ala.

The results from this operation were the theft of several classified information:

“From the Redstone Arsenal, home to the Army Aviation and Missile Command, the attackers grabbed specs for the aviation mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force,” according to Alan Paller, the director of the SANS Institute[7].

Many other attacks have been suspected to originate from China afterwards. Attacks against most of the G7 countries such as France[8], UK and Germany[9], New Zealand[10] and India[11] have been reported by many medias.

Attacks against most of the G7 countries such as France, UK and Germany, New Zealand and India have been reported

Although evidence gathered shows that China is aggressively pursuing irregular warfare, Russia is also gaining a strong cyber warfare reputation on the world scene. Its attack against Estonia has won world coverage and succeeding attacks on Georgia gave the country experience in that domain. It is again unclear though if attacks from Russia are actually coming from government agencies or from criminal behaviour.

The first incident concerning Russia goes back to 1999, before the Chinese cyber attacks. American networks went under siege in what is now called Operation Moonlight Maze. Back then, FBI officials were investigating a breach into the DOD satellite control systems. Again, while the first accusations for the source of this attack were Russian authorities, it was soon shown that they were not implied in this attack[12]. The only certitude about this operation was that the attack went through a Russian proxy.

Nevertheless, Russia cyber warfare was displayed on Estonia in 2007. Once against, it was unclear if the government was involved or if Russian patriotism over the removal of the war memorial[13] caused Russian script kiddies and botnets to answer with a massive DDoS attack. Moscow always denied any involvement in that case. It is also well known that major botnets that are lurking on the net are often controlled by Russian cyber-criminal gangs such as the Russian Business Network. It’s quite possible that those cyber-gangs ordered their botnets to retaliate against Estonia, especially since the attack consisted mostly of a denial-of-service attack, and wasn’t not as sophisticated as a coordinated hacking attack on networks. Another plausible option would be that Russia’s cyber army is a mercenary force.

A repetition of the Estonia cyber attack then took place against Georgia during the Russia-Georgian conflict. The same kind of attack occurred and took down various governmental and commercial websites: HTTP floods were send to www.parliament.ge and president.gov.ge. Some other sites were hi-jacked and displayed fake information. The Georgian government had to put up a temporary website on Blogspot. This time, the Russian Business Network was openly suspected by many analysts to be behind the attacks[14].

HTTP floods were send to www.parliament.ge and president.gov.ge.

McAfee claims that 120 countries around the world are now developing cyber warfare strategies[15]. It is inevitable that countries without cyber warfare capacities will be at great disadvantage in any arising conflict, as disruption of communications will be the first objective of any belligerent. It’s crucial that a strong offensive and defensive cyber war force be developed in order to not only defend against cyber threats, but also wage war in cyberspace.

See also:

“Inside the Chinese Hack Attack”, “Nathan Thornburgh”, Time, August 25, 2005, http://www.time.com/time/nation/article/0,8599,1098371,00.html (accessed on November 21, 2008)

“Coordinated Russia vs. Georgia cyber attack in progress”, Dancho Danchev, August 11, 2008, http://blogs.zdnet.com/security/?p=1670 (accessed on November 21, 2008)

[2] Ibid. p. 29

[3] The Asian Conventional Military Balance in 2006: Overview of major Asian Powers”, Anthony H. Cordesman, Martin Kleiber, CSIS, June 26, 2006, p.24

[4] Translation from “Unrestricted Warfare”, Qiao Liang, Wang Xiangsui, PLA Literature and Arts Publishing House, February 1999. p. 25

[5] “China flexes muscles of its ‘informationised’ army”, Ed Pilkington, Bobbie Johnson, The Guardian, September 5, 2007, http://www.guardian.co.uk/technology/2007/sep/05/hacking.internet (accessed on November 21, 2008)

[6] “Security experts lift lid on Chinese hack attacks”, “Tom Espiner”, ZDNet, November 23, 2005, http://news.zdnet.com/2100-1009_22-145763.html (accessed on November 21, 2008)

[7] Ibid.

[8] “French government falls prey to cyber-attacks ‘involving China’”, Agence France-Presse, September 9, 2007, http://www.france24.com/france24Public/en/news/france/20070909-Internet-piracy-france-secuirty-china-hacker.php (accessed on November 21, 2008)

[9] “Chinese government at the center of five cyber attack claims”, Jeremy Reimer, September 14, 2007, http://arstechnica.com/news.ars/post/20070914-chinese-government-at-the-center-of-five-cyber-attack-claims.html (accessed on November 21, 2008)

[10] “New Zealand hit by foreign computer hacking”, Agence France-Presse, The Age, September 11, 2007, http://www.theage.com.au/news/Technology/New-Zealand-hit-by-foreign-computer-hacking/2007/09/11/1189276701773.html (accessed on November 21, 2008)

[11] “China mounts cyber attacks on Indian sites”, Indrani Bagchi, The Times of India, May 5, 2008, http://timesofindia.indiatimes.com/China_mounts_cyber_attacks_on_Indian_sites/articleshow/3010288.cms (accessed on November 21, 2008)

[12] “Russia hacking stories refuted”, Federal Computer Weekly, September 27, 1999, http://www.fcw.com/print/5_188/news/68553-1.html?page=1 (accessed on November 21, 2008)

[13] “Estonia hit by ‘Moscow cyber war’”, BBC News, May 17, 2007,  http://news.bbc.co.uk/2/hi/europe/6665145.stm (accessed on November 21, 2008)

[14] “Georgia: Russia ‘conducting cyber war’”, Jon Swaine, The Telegraph, August 11, 2008, http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html (accessed on November 21, 2008)

[15] “China Disputes Cyber Crime Report”, Jordan Robertson, Washington Post, November 29, 2007, http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112901588.html (accessed on November 21, 2008)

Here is an interesting post on Security Fix that highlights just how simple it is to artificially generate traffic to any website for the purpose of economic gain. 

Set up a free account at Robotraff and you’re ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you’re just getting started and you can’t be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

Robotraff is basically an exchange or a marketplace that puts traffic buyers in touch with traffic generators.  Traffic buyers are site owners who have relationships with various ad networks and can turn a profit by generating traffic to their site.  Traffic generators are bot or malware controllers who can direct thousands of “users” to any site at the right price.  As long as the price buyers pay for the traffic is less than the revenue they make from the ads on their site, its a guaranteed money tree (at the cost of the advertisers of course). 

At Anchor Intelligence, we’ve detected thousands of publishers who have been linked to programs such as these.  And the massive scale and sophistication of these operations is quite daunting. 

Don’t open any E-Mail attached PDF-Documents! Especially, if they appear to be sent to you by the Unrepresented Nations and Peoples Organization (UNPO). Most propably that’s not the real orgin! As reported by F-secure, the PDF document drops a file called winkey.exe to C:\Program Files\Update\ and later executes it. Despite the fact, that it is placed under “Updates”, it is not something you would want to have on your PC for it is a keylogger. Well…that’s nothing new – thousends of infected mails drop by at every mail provider – this one though is a specielity:It is directly aimed at Pro-Tibetian Groups and Organisations! The PDF-document is a statement of solidarity to the Tibetian:

“UNPO condemms the draconian Chinese response that has led to substantial loss of life and countless detentions and beatings, and calls upon the Chinese authorities at all levels to enter into a constructive dialoque designed to end the violence and promote a return to peace within Tibet as soon as possible”

And since every Keylogger needs a Server, guess where the Server is located! Damm right: In China!!! xsz.8800.org, this server is allready quite known by internet security specalists: “8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.“(F-Secure)

And that’s not it! There many more of these attacks going on right now! All of them have in common that the sender adress is spoofed to look like a trusted party and that they all have an infected file attached to it that has something to do with Pro-Tibeteriasm.

I do not know, if this is the doing of (recently growing) chinese intelligence services, some other politically/economically driven party or rouge black hat hackers (the later seems quite unlikely though). I guess, the chinese government wouldn’t hinder anyone doing just this kind of stuff. The fact, that this is acutally happening should be enough, to cause an international outcry!

There is another thing, that really concerns me: The Russian Business Network (RBN), one of the worst areas in the Internet in terms of cybercrime recently shut down it’s servers/lost connection to the rest of the internet. While there have been reports suggesting, the RBN re-opened it’s doors, there are RBN-like structures arising on chinese ground – perhaps even financed by the RBN. At the same time, Chinese government recently decided to form a military cyber-unit and international govermental agencies see themselves confronted with acts of chinese reconnaissance and sometimes even attacks. Of course, they are not directly traceable to the chinese government, still…Many security specialists believe, that china is kinda seeking worldwide cyber-dominance. All this suggests, that China does have the ressources to stop those RBN-derivates but nothing seems to happen! What does this mean? Propably China even likes the RBN to gain a foothold in China so they can pretend to be rouge hackers while attacking…let’s say the german Reichstag (as allready happend if I’m not mistaken). Of course, this is all a hypothesis, nothing real! But feel yourself warned: Secure your Computer! Hard times are to come!

Whoever it is, they are trying to spy on Pro-Tibetian groups and individuals. So if you get an unrequested mail by any party with any kind of attachement: double check, if the file is clean via antivirus-software and by sending (do not use the reply function but any known mail addy) a mail asking, if this mail really originates from the specified sender! Furthermore: Inform other Pro-tibetian Individuals/Groups of this new threat.

The spurs of shares, free downloads, blogs and social websites has become a perfect time for Zlob to infiltrate networks. Evidently, the increasing domain names and clicks have been utility for Zlob to stay visible in search engines.

Yes, all of this works in Windows until late this year (November), this trojan crosses over to Mac specifically OS X. Suddenly, a list of domain names is capable to download installers both for Windows and Mac users. Domain names hosting Zlob fake codec for Mac user does not sleep, it stays online 24×7 and it’s increasing in numbers. It’s out there in-the-wild!

These sites are smart enough to check if you are running in Windows or Mac. Then, it gives you the right installer either in Windows Executable (EXE) or Disk Image (DMG) for Mac.

Who’s behind Zlob? Let’s investigate its network connection …

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Web Site: http://codecdemo.com

A–>64.28.184.189–PTR->64.28.184.189-rev.cernel.net
NS–>ns1.codecdemo.com—A–>64.28.181.226–PTR->64-28-181-226-rev.cernel.net
NS–>ns2.codecdemo.com—-A–>64.28.181.227–PTR->64-28-181-227-rev.cernel.net
MX–>10mail.codecdemo.com–A–>64.28.184.164–PTR->64-28-184-164-rev.cernel.net

NET —-> gw1.cernel.net [ 64.28.176.1]–> AS27595
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::