by Ron Kelson, Pierluigi Paganini, Benjamin Gittins, David Pace
The military strategist Carl von Clausewitz stated:
“All war presupposes human weakness and seeks to exploit it.”
Malicious software (malware) is software that is explicitly designed to exploit vulnerabilities in computing devices and human users to the malicious advantage of the malware author or malware user. Malware comes in many forms, including computer viruses, worms, trojan, spyware, ransom-ware, ad-ware, root kits, and so on.
In 2008, the number of devices connected to the Internet exceeded the number of people on earth: Smartphones, tablets, industrial control systems, smart grids, medical devices, environmental sensors (vibration, temperature, light, video, audio) and so on. According to CISCO, by 2020 that number will grow to 50 billion devices. In the EU vision of an “ambient intelligence” world, devices will work in concert to support people carrying out their everyday life activities, tasks, and rituals, in an easy natural way, using information and intelligence that is hidden within the network connecting these devices. As these devices shrink, and become more connected and integrated into our environment, the technology disappears into our surroundings until only the user interface remains perceivable by users. If this trend continues, billions of these invisible devices will be vulnerable to attacks and will be trivially subverted covertly against us.
One can try arguing that we have lived with computer vulnerabilities without a major crisis in the past, so why start worrying now? The problem is that the value in attacking these devices is growing exponentially, while our dependence on them increases. As more personal and business transactions are performed online, there is a clearer “return on investment” for attacking these systems.
According to Symantec, in 2011, web based attacks increased by 36 per cent with over 4,500 new attacks each day. Four hundred and three million new variants of malware were discovered in 2011, a 41 per cent increase over 2010. Between Q1 2010 to Q1 2011, the number of malicious Android Application package files jumped from 139 to 3,063. Symantec blocked a total of over 5.5 billion malware attacks in 2011, an 81 per cent increase over 2010. In the last couple of years, the rate of known malicious software deployments exceeded the previous 20 years combined. And of course, our dependency on these networks and computing devices continues to grow, making the attacks even more profitable… and there are always attacks and malware that still remain undiscovered.
Protecting against the increase in malware attacks has an associated operational cost. According to the 2011 Cost Report compiled by the United States Information Security Oversight Office (ISOO), the cost to protect US government secrets reached more than $11 billion in fiscal year (FY) 2011, up 12 per cent from FY 2010 and more than double the cost in FY 2001.
Malware is deployed in malicious operations ranging from financially motivated cybercrime, politically motivated hacktivism, politically motivated cyberwar by both state and non-state actors, and invasive monitoring by various governments on civilians.
In this article, we will focus on cybercrime and monitoring.
Today, criminal organisations are very active in the development and diffusion of malware that can be used to execute complex fraud with minimal risks to the perpetrators. Criminal gangs, traditionally active in areas such as human or drug trafficking, have discovered that cybercrime is a lucrative business with much lower risks of being legally pursued or put in prison. Unethical programmers are profitably servicing that growing market. Because today’s ICT ecosystem was not built for security, it is easy for attackers to take over third party computers, and extremely difficult to track attacks back to their source. Attacks can be mounted from any country and hop through an arbitrary number of compromised computers in different countries before the attack reaches its target a few milliseconds later. This complicates attribution and international prosecution.
Malware can be used in many types of fraud. One common approach is to steal the personal and banking information of civilians, either directly from their computing devices, or through businesses that are entrusted with that information. The attack vectors for malware are numerous, ranging from exploiting vulnerabilities in social network sites, exploiting vulnerabilities in mail clients and operating systems through spam email, infecting third-party websites so they distribute malware that can hijack your web browser or infect your computer simply by you visiting those compromised web-pages using an insecure web browser.
Once your personal computer or mobile phone has been compromised, “secure” technologies for banking and online transactions can also be targeted and attacked. As some readers may be aware, the European Commission has proposed new rules to enable cross-border and secure electronic transactions in Europe using National e-ID schemes. It seeks to create an internal market for e-Signatures and related online trust services across borders, by ensuring these services will work across borders and have the same legal status as traditional paper-based processes. The role of the EU STORK platform is to “securely” identify a user who is in a session with a service provider and to send his data to this service. However, even with smart card based e-ID schemes, if the computer you are using is compromised, the security of e-ID transactions can also be trivially compromised. Any data you type on a compromised computer can be captured using “key loggers” and “screen capture” tools and forwarded to the attacker. Malware can misrepresent transactions on your screen, so you don’t know what transaction you are actually signing. In short, if your computer is compromised, you can’t achieve security in practice. According to Fabian Martins, a banking security expert at Scopus Technology in Brazil, even multi-factor authentication with two or three types of authentication is NOT enough to protect against malware that targets your online banking transactions.
And this leads us to discussing invasive monitoring by governments. Wikileaks claims that mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries. Wikileaks has published 287 files that describe commercial malware products from 160 companies (http://wikileaks.org/the-spyfiles.html). These files include confidential brochures and slide presentations these companies use to market intrusive surveillance tools to governments and law enforcement agencies. This industry is, in practice, unregulated. Intelligence agencies, military forces and police authorities are able to silently, and en masse, secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers. Users’ physical location can be tracked if they are carrying a mobile phone, even if it is only on standby (think RFID).
To get a glimpse of the potential market size, the U.S government is required by law to reveal the total amount of money spent spying on other nations, terrorists and other groups. In 2010, the United States spent $80 billion on spying activities. According to the Office of the Director of National Intelligence, $53.1 billion of that was spent on non-military intelligence programmes. Approximately 100,000 people work on national intelligence. These figures do not include DARPA’s “Plan X” which seeks to identity and track the vulnerabilities in tens of billions of computers connected to the Internet, so they can be exploited.
It is increasingly common for governments to use monitoring tools, viruses and trojans to infect computers and attack civilians, dissidents, opponents and political oppositions. The purpose is to track the victim’s operation on the web, gather information about their activities and the identity of collaborators. In some cases, this can lead to those targeted being neutralised and even ruthlessly suppressed.
According to F-Secure “News from the Lab” blog, during the Syrian repression the government discovered that dissidents were using programmes like SkypeTM to communicate. After the arrest of a few dissidents, the government used their Skype accounts to spread a malware programme called “Xtreme RAT” hidden in a file called “MACAddressChanger.exe” to others activists who downloaded and executed the malware. The dissidents trusted the MACAddressChanger programme because other files with that name had been successfully used in the past to elude the monitoring system of the government. The Xtreme Rat malware falls into the “Remote Access Tool” category. The full version can easily be bought online for €100. The IP address of the command and control server used in those attacks belonged to the Syrian Arab Republic — STE (Syrian Telecommunications Establishment).
In the Trend Micro “Malware Blog”, experts at Trend Micro found that the Syrian government was also using the DarkComet malware to infect computers of the opposition movement. The malware steals documents from victims. It seems that it was also spread through Skype chat. Once executed, the malware tries to contact the command and control (C&C) server to transfer the stolen information and receive further instructions. It has been observed, in this example, that the C&C server is located in Syria and the range of IP addresses are under the control of the Government of Syria.
What the above partially illustrates is the very real conflict of interest in organisations and governments responsible for securing our digital world. The ICT Gozo Malta project promotes technology solutions designed to improve the security, robustness and resilience of many different types of ICT to at least reduce the range of actors who can exploit the known vulnerabilities in today’s systems at our expense. The direct costs incurred by security breaches, not to mention proposed EU Data Protection fines of up to €1 million, must be paid for by somebody. Typically, that person is you, as the losses are discreetly bundled into the cost of products and services you pay for.
Increasingly, malware of all types and purposes is all about you. Attacks will exploit human vulnerabilities and vulnerabilities in computing devices to compromise either your ICT system, or the ICT system of businesses you trust your personal data to. Today, more than ever, the application of best information security practice is critical to ensure you protect the legitimate interests of your personal, family and business relationships. Tell your politicians and major suppliers that you expect them to be diligently pursuing safety and security for our digital world. Be aware and take steps to be safer online! The ICT Gozo Malta website has more information on cyber security for all ages.
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress)
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
David Pace is project manager of the ICT Gozo Malta Project and an IT consultant
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Ministry for Gozo, Eco Gozo Project, and a prizewinner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to register on the ICT GM Skills Register to keep aware of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace on [email protected] .