
Monday, 24 May 2010

Pakistan and the cyber-jihad?

Wow, I have been out of touch with current events and have been playing catch up a little. I just read about Pakistan's own ISP PieNet taking down YouTube. Apparently there has been a big battle of wills between the Pakistani government and sites like YouTube, Facebook, and our own beloved Blogger.com. Well, the Pakistani government mandated that these sites be blocked. So PieNet decided to send out BGP announcements for YouTube, redirecting traffic to themselves... brilliant. Aside from the stupidity of this approach (they slammed themselves with all of the YouTube traffic and then got cut off by their upstream provider), this is pretty amazing. I am not aware of anything quite like this incident happening before.

An actual legitimate ISP has blatantly and purposefully launched a denial of service attack on one of the biggest sites on the Internet, over their views on censorship. They are basically committing an act of cyberwarfare in the closest sense that the term can be applied. Cyberwarfare, in my opinion, can't really be a part of true physical conflict. It is exactly this kind of scenario, a war of ideas. Pakistan's policy has become one of attacking the largest and easiest providers of free expression to the masses. A lot of these countries have always censored heavily, and done horrible things to keep the truth hidden. This is the first time I can think of where they do it on a global scale though. What happens if we see this behaviour continue? What are the large scale implications for the Internet as a whole? There's some heavy stuff going on here. I will need more time to digest it all. In the meantime, what does everybody else think?
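The takedown described above works because BGP accepts an announcement for someone else's prefix from any peer. The defender's counterpart is origin-AS monitoring: compare what route collectors see against the origin you expect for your own prefixes. The following is an added example, not code from the original post, and every prefix and AS number in it is a constructed placeholder; it also generalizes beyond the post by flagging a more-specific prefix announced from a foreign origin, which wins by longest-prefix match even when the legitimate route is still present.

```python
import ipaddress

# Constructed: the prefixes we operate and the AS that should originate them.
# 64500 is a hypothetical "legitimate content provider" ASN (private-use range).
EXPECTED_ORIGINS = {
    "198.51.100.0/22": 64500,
}

# Constructed BGP UPDATE summaries as a route collector might report them:
# (announced prefix, AS_PATH with the origin AS last).
SAMPLE_UPDATES = [
    ("198.51.100.0/22", [64510, 64500]),          # legitimate origin
    ("198.51.100.0/24", [64510, 64520, 65001]),   # more-specific from foreign AS
    ("198.51.100.0/22", [64510, 65001]),          # exact prefix from foreign AS
    ("198.51.100.0/23", [64510, 64500]),          # deaggregation by the real owner
    ("192.0.2.0/24", [64510, 64530]),             # prefix we do not monitor
]


def classify_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return None if the announcement is consistent with our expectations,
    otherwise a short reason string describing the suspected hijack."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # AS_PATH is ordered from nearest neighbour to origin
    for mon_prefix, mon_origin in expected.items():
        mon_net = ipaddress.ip_network(mon_prefix)
        if net.version != mon_net.version:
            continue
        if net == mon_net:
            if origin != mon_origin:
                return (f"origin mismatch: {prefix} originated by AS{origin}, "
                        f"expected AS{mon_origin}")
            return None
        # A longer prefix inside our block attracts traffic even if our own
        # announcement is still visible everywhere (longest-prefix match).
        if net.subnet_of(mon_net):
            if origin != mon_origin:
                return (f"more-specific hijack: {prefix} inside {mon_prefix} "
                        f"originated by AS{origin}")
            return None  # our own deaggregation; not an alert
    return None  # not one of our prefixes


def scan(updates=SAMPLE_UPDATES):
    """Run every update through classify_update and collect the alerts."""
    return [(p, reason) for p, path in updates
            if (reason := classify_update(p, path)) is not None]


if __name__ == "__main__":
    for prefix, reason in scan():
        print(f"ALERT {prefix}: {reason}")
```

In practice the same comparison is run over a live BGP feed rather than the embedded sample, and an alert is the cue to contact the upstream of the announcing AS, as happened in the incident above.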

Tuesday, 9 March 2010

Who can you trust?

So by now, everybody has heard about the whole Energizer DUO affair. Couple that with the news that Vodafone shipped out some Android phones with Windows malware loaded on them. If you haven't heard about this bit yet, I recommend reading here and here. The ZDNet post is especially nice because it includes links to posts about other incidents just like this. You just have to ignore the Linux vs Windows flamewar, which I'm sorry to say I let myself get dragged into the middle of. I think it's a shame that the post devolved into that when there's a serious security concern brewing here. It has nothing to do with OSes or even software. It has to do with trust.

We spend a lot of time talking about trust in the security world. "Don't download software from an untrusted source", "don't open emails from people you don't trust", "don't plug untrusted USB devices into your computer." Then we get very condescending when people fail to obey these simple tenets of trust. What do we do when the trust betrays us, though? These two most recent examples show cases where the users had every right to trust the infection vector. They downloaded software directly from Energizer's site; why wouldn't it be safe? I just bought this phone, it's brand new. How could it possibly have malware on it? The phone example would be exactly the same as if you went to a store like Staples, bought a thumb drive, opened that horrid plastic bubble packaging, inserted it into your computer, and then your antivirus started setting off alarms like a 1940s air raid siren. The device was brand new, had not been tampered with in the store as far as you could tell, and came from a trusted source.

So now what if we take our hypothetical situation one step further? What if the malware isn't recognized by your AV? Now we have an infected computer. Your friend brings his USB drive over a couple of days later to copy some files. It's his USB drive; he knows where it's been. He knows you're a smart guy, so your computer should be safe. He takes the infected drive home, and now infects his machine. The cycle is obvious of course. Yes, of course these hypothetical people should have autorun turned off, we all know that by now, and so this example is not perfect. The issue is the trust factor, though. In these situations, there is no "blame it on the user". They had every reason to trust these sources. It seems like the only answer is "don't trust anyone or anything". I'd love to see people's thoughts on this.

Thursday, 4 March 2010

Defrauding the fantasy economy

There is an interesting story developing about World of Warcraft account fraud. The original articles I found are over at Sunbelt Software and El Reg. Apparently, the latest round of WoW account hacks is using malware that intercepts the multi-factor authentication credentials, transmits them to a MitM server, and replays a failed login to the user. Meanwhile the MitM box replays the login data to the WoW authentication servers, and promptly empties their characters of their hard-farmed gold. I would imagine that by the time the user successfully logged in, their characters would all be broke.

I feel that there are a couple of important take-aways from this story. The first is one that plenty of other people have been saying for a long time now. The fraudsters are getting better. They are smart, they are dedicated, and they are engaged in an arms race with the security industry. It raises serious concerns over our ability to stay on top of this arms race. Along those lines is the second point. This is nothing new either, but the end users are the weakest link. Yes, from a technical perspective the vector is a Trojan. Realistically though, it's a social engineering attack: the initial con is getting the user to download and install the new "add-on". Both sides of this attack vector are hard to stay on top of. Firstly, malware authors are very good at creating variants to escape AV definitions, so AV alone cannot be relied upon. Secondly, how do you make sure users don't fall for these traps? Many would-be pundits will say it is the fault of "stupid users". In some cases this may be accurate, but let's be honest here, fraudsters have gotten VERY good at social engineering.

This is probably the biggest lesson of the over-hyped Aurora incident. Social engineering can hit anyone. Users at Google may not have had any reason to doubt the authenticity of the emails they received. They had no way to sense the malignant payload carried in those innocent-looking PDFs. Sure, intellectually we all know PDFs can have bad things in them. We also knew as kids that some people put razor blades in candy apples. I don't think most people tear apart their fruit before they eat it, especially if it's someone they trust handing it to them. So how were these WoW users to know that this add-on was no good? There are known 'safe' repositories of add-ons, you will undoubtedly say. We have seen how much of a fallacy even that can be. There is no reliable system of trust on the Internet. It's a best guess effort. You might check around the forums to see if other people say anything about the add-on. You might do a Google search for the add-on and see what comes up, or even ask people in the game about it. If you're particularly in the know, you might even check the sites hosting it against something along the lines of McAfee's SiteAdvisor. What do you do if all of these come up dry? Chances are, you're going to take a chance and install it. Conventional wisdom says, if you notice anything strange during the install, then you panic, remove it, and run an anti-virus. Malware authors are not so sloppy as to make it obvious anymore, though. So now you have installed software that, as far as you can tell, is exactly what it says it is. By the time you might realize you were wrong, it's already too late.

So the question becomes, how do we fight this attack vector? There is no silver bullet answer. It is still just a best effort game. So we rely on the things that we know help protect us. We use only known trusted sources. We do some research on software before we install it. We might check SiteAdvisor, or upload the binary to VirusTotal. We make sure our anti-virus is up to date, and our boxes are patched. Every once in a while, we may still get nailed.

There is a third take-away point in all of this that I'd like to discuss briefly. This is perhaps the most bizarre piece of this. We have seen these sorts of things all before. Spend a month reading the security blogs and news sites out there, and you'll be flooded with plenty of stories about targeted malware and banking trojans. You'll see reports of botnets that stole millions of logins. What is truly strange about this particular case, at least to me, is the target. Remember that we are talking about World of Warcraft here, a video game. We are seeing the same amount of effort put into stealing video game logins as the people who break into bank accounts. People are breaking into a virtual world, committing fantasy identity theft, and using it to empty imaginary bank accounts of money that doesn't exist and cannot be used outside of the confines of this imaginary world. And yet, they take this imaginary money, and they turn it into real money. It is all well rooted in the theory of supply and demand, I suppose. I, however, cannot shake the sensation that this is truly a strange situation we find ourselves in. It's rather like if we were playing a game of Monopoly, and when you weren't looking I stole some of your play money. I then turn around and sell that play money to another player for $100. Is it just me, or does anyone else find this to be insane?