BANGALORE, INDIA: We can't see them. But they are always around, or rather inside, the machines and the dear old Internet that we happily work or play on. It's an occult but omnipotent world, ready to strike with every keystroke our fingers casually embark on. The big black world of mala fide hackers is breathing well, silently but steadily penetrating the Net and spreading its tumours. They come in all forms, as worms, as Trojan horses, as zombies, as viruses. The world of hacking runs parallel to the world we operate in.
Mal'volent
Security over the Internet is becoming increasingly critical, due to commercial implications as well as privacy and confidentiality issues, says Gireendra Kasmalkar, founder director, CEO, VeriSoft.
"It is not possible to have 100 per cent security and so smart hacks will hack – some for fun, but some definitely with malicious intent. The risks are higher because the users of on-line software applications more and more are non-technical people, who may not be aware of the precautions to be taken, and hence may fall prey easily to hacking," he says.
And as the years pass, it is not hard to see that the online threat monster has grown without ageing. Recent incidents at Monster.com, Orkut and ICICI Bank, where personal account passwords were compromised through cross-site scripting, are just some of the cases Kasmalkar cites to illustrate the impact of cyber criminals.
Trend Micro threat research forecast expansive growth in web threats in 2006. Organized crime continued to be the key driver of identity theft, corporate espionage and extortion. Digital threats have increased at an average of around 163 per cent year-on-year.
H-commerce
The whole story probably has its roots in the numbers lotto racket, which gradually shaped into organized crime terrain.
Pradeep Akkunoor, CFE, Director, India Forensic Consultancy Services, cites research by Peter Gutmann of the University of Auckland.
The spam industry of today has technically skilled programmers working in tandem with organized crime syndicates, as per some news reports. So most big plots and spam outbreaks are far more professionally organized than anyone may imagine. They are proper professional operations.
Interestingly, it was reported that in 2004 the proceeds from cyber crime were larger than the proceeds from the sale of illegal drugs. Today's spam and phishing viruses are quite sophisticated and are written by paid professional programmers, not by amateurs.
Take for instance, the Babylonia virus that used plug-in virus modules or the Hybris worm that used digitally signed encrypted updates.
The level of sophistication keeps increasing. Spammers employ professional linguists to get past filters, while phishers are hiring psychology graduates too. Surprisingly, the industry has well-paying jobs, as Gutmann's study illustrates.
From $200,000 a year for a talented programmer to $50,000 to $100,000 for a single remote-root zero-day, the money in hacking is getting phenomenal.
Today the malware business has spread inextricably and widely like a weed.
Interestingly, everything can be outsourced today: hosts for a phishing scam, spam runs, money-drop points, cashier payments, kernel-mode rootkits from third-party developers. The list goes on.
“It's a full blown business,” reiterates Akkunoor referring to Gutmann.
Sample this: even zero-days are being sold online. Hacker groups in Russia were selling the WMF exploits for $4,000, and a Windows Vista zero-day was up for grabs for $50,000 before the operating system was even released (a "minus-one day", as it were).
The business is getting very, very serious and is quite a force to reckon with. The malware mafias are now exploring the affiliate model, paying others to spread Trojan or spyware infections. Rates are calculated per infected machine and are renegotiable according to traffic. A big grey market is coming up on its heels.
Malware can now also arrive unnoticed on top of legitimate software. Forget SaaS, think MaaS: malware is emerging as a service from commercial vendors. In fact, you can even try before you buy.
Kasmalkar could not agree more. "Earlier hacking was mainly done for two reasons, Fun and stealing confidential information. Lot of hackers wanted to prove or show-off their technical prowess. However, due to commercial use of the Internet, the stakes are much higher now. Public organizations can face huge liabilities. So they are spending a lot on security. In our business, we are seeing that there is a lot of premium for these services and even the professionals working in this area are technically top-notch and very much sought after," he says.
Moving Ahead – new species
Hackers and their tools have evolved over the past few years, both in scope and in smartness. Viruses, destructive worms, network worms, botnets, spam and Trojans: they have done it all.
Prabhat Singh, director, Development, Symantec India who is overseeing all the action in Symantec Security Response Lab in Pune agrees that the hacking story has changed a lot from 1986 to 2006. "Today the vulnerability and motive has shifted to fortune. In yesteryears, the motive to hack was fame, but not anymore."
The incidence of a host of new hacking avatars is going up: crimeware, phishing frauds and zero-day attacks, where the attacker exploits a specific vulnerability before a patch is available. "These threats continue to be on the forefront and new techniques are more or less popping up in these areas only. Hackers are inventing new ways to bypass the security mechanisms on a PC," he adds.
And currently it is PDF spam that is hot on their cards.
"Spammers love playing the cat-and-mouse game and so, in July Symantec observed that spammers were using other attachments to promote stock and pharmaceutical spam. Until lately, it was emails that the spammers were tapping for spread and speed. But solutions for scanning emails came out. However, while it is easy to scan a message, a body text or even an Excel sheet, it is equally difficult to scan a picture, even as advertisements. Hence, spam is now coming up in formats like GIF or JPG files," Singh elaborates.
So are vendors ready to tackle PDF spams? "Yes, vendors have come up with image analysis and have come up to a large extent to challenge the attackers. Now they are embedding image in a PDF document. Still, the tendency to delete a PDF is low and it will take time before people become aware of this new form of spam," he informs.
Symantec's response lab has the mandate to monitor all kinds of possible threats emanating from any part of the world and to provide quick alerts, analysis and protection to its customers. As per the Symantec messaging and web security report, overall spam levels continue to inch upwards, rising by 1 percentage point to 70 per cent of all email traffic. Spam levels at the SMTP layer in September were slightly above the 70 per cent average.
Spammers haven't spared the housing crisis either. There has been much talk of late about the slowdown in the U.S. housing market and the recent interest rate cut by the U.S. Federal Reserve.
Spammers have not ignored that uncertainty. Symantec has recently observed a plethora of spam messages trying to tap into it, ranging from refinancing deals and offers of houses to asking users about the "equity" in their home. Meanwhile, 'work at home' and 'job seekers wanted' pitches continue to be staple lures in the spam world, the report notes.
Then there's the world of well-known brands to tap into.
"Black Visa cards, Universal Makeovers, History Channel magazine subscriptions, and Dominos pizza. These products and services can be linked by recent spam attacks. The spam messages "provide" gift cards for these products and services if the recipient completes a survey. The interesting thing about these spam messages is that the spammers are consistently reusing the same spammy URL links while offering gift cards from well known brands," points out Singh.
"While spammers continue to use Geocities URL links of the form geocities.com/abcd38/ in their spam emails, Symantec has recently observed spammers using URLs of the form geocities.com\/\/abc98\\\///.
Symantec saw a constant stream of medication spam emails using broken URLs. Spammers have long obfuscated URLs by using HTML tags in the middle of the link. When viewed in an HTML email, the URL looks normal to the end user and is clickable. This month, JavaScript comments have been added, and an attack of 400,000 messages was observed in one week. What's more, we blocked over 12,000 copies of one Russian email in a four-day period. The content of the email is the curriculum vitae of an economics graduate looking for a job. A recent Russian phishing attack consisted of over 10,000 email messages in one day," he reveals.
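The three tricks Singh describes (runs of backslashes and slashes after the host, HTML tags inserted mid-link, and JavaScript comments inserted mid-link) all defeat a naive string match against a list of known spammy URLs. The following is an added example, not code from Symantec or from this article, showing how a filter can fold such variants back into one canonical form before matching. The sample message, the `.example` host names and the blocklist entries are constructed for the demonstration; collapsing runs of slashes after the host is an assumption made for matching purposes rather than an emulation of any particular browser.

```python
import re

# Obfuscation patterns described in the text: HTML tags inserted mid-link,
# JavaScript block comments inserted mid-link, and runs of / and \ after the host.
TAG_RE = re.compile(r"<[^<>]*>")
JS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
SLASH_RUN_RE = re.compile(r"/{2,}")
# Captures the href target and the visible anchor text (what the recipient sees).
ANCHOR_RE = re.compile(
    r"""<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)["']?[^>]*>(.*?)</a>""", re.I | re.S)


def strip_markup(fragment):
    """Remove JS comments and HTML tags that split one URL into harmless-looking pieces."""
    fragment = JS_COMMENT_RE.sub("", fragment)
    return TAG_RE.sub("", fragment)


def canonicalize_url(raw):
    """Fold an obfuscated link into one canonical form for blocklist matching.

    Backslashes become slashes (browsers treat them that way in http URLs), the
    scheme and host are lower-cased, and runs of slashes after the host are
    collapsed. The collapse is an assumption for matching, not browser emulation.
    """
    text = strip_markup(raw).strip().replace("\\", "/")
    if "://" not in text:
        text = "http://" + text
    scheme, rest = text.split("://", 1)
    rest = SLASH_RUN_RE.sub("/", rest)
    host, _sep, path = rest.partition("/")
    return "%s://%s/%s" % (scheme.lower(), host.lower().rstrip("."), path)


def extract_links(html):
    """Canonical URLs from both href targets and visible anchor text."""
    found = set()
    for href, inner in ANCHOR_RE.findall(html):
        for frag in (href, inner):
            frag = strip_markup(frag).strip()
            if "." in frag:  # crude "looks like a host" filter; skips plain link text
                found.add(canonicalize_url(frag))
    return sorted(found)


def blocklisted(html, blocklist):
    """Links in the message that hit the blocklist once canonicalised."""
    return [u for u in extract_links(html) if u in blocklist]


# Constructed sample message (not a real spam capture) exercising all three tricks.
SAMPLE_HTML = r"""<html><body>
<p>Cheap meds: <a href="http://www.cheap/*pills*/meds.example/order">
www.che<b></b>ap<!-- x -->meds.example</a></p>
<p>Gift card survey: <a href='geocities.com\/\/abc98\\\///'>claim your card</a></p>
</body></html>"""

# Constructed blocklist of canonical links seen reused across campaigns.
BLOCKLIST = {"http://www.cheapmeds.example/order", "http://geocities.com/abc98/"}

if __name__ == "__main__":
    for url in extract_links(SAMPLE_HTML):
        print(url)
    print("blocked:", blocklisted(SAMPLE_HTML, BLOCKLIST))
```

Both obfuscated links in the sample resolve to blocklist entries even though neither appears verbatim in the message; the visible anchor text is canonicalised too, since spammers sometimes rely on recipients retyping what they see.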
Botnets also continue to be on the front burner.
According to the Trend Micro report, botnets have emerged as a popular tool among attackers looking to carry out targeted attacks. Web-based threats have increased by almost 15 per cent since last December, accounting for almost half a million reports this year, with more than 140,000 bots being flagged every month.
Knock-Knock: Who's there?
Anonymous proxies or anonymizers are the next hot hacker's favorite in the reckoning of Shailendra Sahasrabudhe, country manager, Aladdin Knowledge Systems.
"These are web sites or software that hides a user's real IP address, allowing them to connect to an external Web site and bypass restrictions against prohibited material on the local network. But anonymizers also allow content - and the malware infections that it often carries – to avoid filters in the gateway device and enter the network, where it can easily defeat traditional security measures," he says.
What's interesting is that until now anonymizers have been difficult to beat, because anonymous proxy servers frequently change their URLs, which fools traditional Web content filtering technologies such as URL filtering. "Moreover, new technologies can create an encrypted tunnel to the Internet, bypassing corporate perimeter guards that are blind to encrypted traffic. In short, your security is subject to employees' compliance with corporate Internet usage policy," explains Sahasrabudhe.
How does this play out on the ground?
"When employees use anonymizing tools and services their misuse of company resources turns into a threat. The worrisome surge in malware, estimated at a 1,300 per cent growth during the past year, is not just about annoying viruses. Malware can be used to steal information and damage computer systems – and who knows what the next generation of viruses will be able to do? Added to the fact that anonymizers can be used to access illegal Websites and considering new regulations affecting network security like CIPA and SOX, your potential liability is about much more than an unproductive employee. All it takes is one successful malware penetration to void your security efforts and investment. eSafe Anti-Anonymizers, which has three layers - a URL Filtering Solution, an access block and proxy authentication for tunnel blocks, is one way to defeat anonymizer technology,” adds Sahasrabudhe.
Dialing in
From desktops to laptops and now to mobiles, the touch-points of hacking are permeating our lives quite a bit. Laptops are a far bigger security threat for corporates, says the Trend Micro report.
Machines plugged back in after a period outside the network affect about 80 per cent of servers.
The threat from laptops has grown at an incremental rate of 10 to 15 per cent a year over the past few years.
As the buzz already hints, the next big pit stop for hackers is going to be mobiles. How?
Symantec's Singh explains. "On the Internet, we have seen bots, where hackers infect many machines together and then these machines act as zombies, taking commands from the insidious server. So, if this server instructs all these machines to send email to a certain system, the poor recipient will literally be flooded. Then, blackmailing is an easy way to make money out of it. Imagine the same scenario in the case of mobiles. What if mobiles have some sort of bot attack and a hacker instructs all these mobile zombies to dial premium services (like an e-commerce transaction or an expensive ring-tone download)? The hacked user will either end up paying for all this or will have to satisfy the hacker's extortion threats."
What next after mobiles?
Can converged consumer electronics or any other new touch-point be the next hacking target? Why not? Singh answers, "Anything which is network enabled or anything which leads or is a form of money flow, is always a ripe target."
Check-up
While the hacking landscape has always been a tennis court with the ball traveling fast between the defense and offence sides, have the defense players moved up from being reactive to proactive in terms of rolling out solutions faster or at par with new hacking threats?
As Singh from Symantec admits, "This is a continuous challenge. In fact, we first need to define what proactive exactly is. Is it just about releasing signatures every hour? We define proactiveness as built-in readiness. That's why we have products with built-in behaviour-detection-based techniques, so that a system is automatically ready to catch a malicious event."
He sees database security as one remaining loophole area. "Corporates need to be careful, especially enterprises in the banking and telco domains where threats and their impact can be paramount."
Kasmalkar from VeriSoft feels that although security measures will keep on improving, hackers will improve as well. "So the solution is not just technology, but also behavior norms getting established, and even the legal framework being in place. Companies like us take misbehavior on such accounts very seriously and take stern actions. The most effective solution is that the users themselves must take more precautions in protecting themselves. This is a huge challenge as the predominant percentages of users today are not technology-savvy necessarily. But this is possible over a period of time."
IAMAI or Internet and Mobile Association of India, on its part is lobbying and taking initiatives for amendment to the IT Act. It is also working on a website where members of the association and common public can congregate for awareness on the increasing threats of online frauds.
Murugavel Janakiraman, chairman of IAMAI, says the answer to cyber security issues lies in awareness rather than restrictions. "We will ensure that users are aware about the latest frauds and precautions to fight them on this website. Internet is an open medium and too much of restriction can be harmful for its growth."
For users, Singh has two major tips. "Use anti-virus software and keep an updated version always. There's no use of software with a stale signature." Kasmalkar adds, “Again, there is an analogy to credit cards. They are a huge convenience, but correspondingly a risk as well. The solution is not to stop using them. But evolve a multi-pronged approach of technology, laws, norms and guidelines for safe use."
So all Netizens out there - surf but watch out for the sharks around.