Entries Tagged "extortion"


Dutch Botnet

Back in October, the Dutch police arrested three people who created a large botnet and used it to extort money from U.S. companies. When the trio was arrested, authorities said that the botnet consisted of about 100,000 computers. The actual number was 1.5 million computers.

And I’ve heard reports from reputable sources that the actual actual number was “significantly higher.”

And it may still be growing. The bots continually scan the network and try to infect other machines. They do this autonomously, even after the command and control node was shut down. Since most of those 1.5 million machines — or however many there are — still have the botnet software running on them, it’s reasonable to believe that the botnet is still growing.

Posted on December 22, 2005 at 8:18 AM

Holding Computer Files Hostage

This one has been predicted for years. Someone breaks into your network, encrypts your data files, and then demands a ransom to hand over the key.

I don’t know how the attackers did it, but below is probably the best way. A worm could be programmed to do it.

1. Break into a computer.

2. Generate a random 256-bit file-encryption key.

3. Encrypt the file-encryption key with a common RSA public key.

4. Encrypt data files with the file-encryption key.

5. Wipe data files and file-encryption key.

6. Wipe all free space on the drive.

7. Output a file containing the RSA-encrypted file-encryption key.

8. Demand ransom.

9. Receive ransom.

10. Receive encrypted file-encryption key.

11. Decrypt it and send it back.

In any situation like this, step 9 is the hardest. It’s where you’re most likely to get caught. I don’t know much about anonymous money transfer, but I don’t think Swiss bank accounts have the anonymity they used to.

You also might have to prove that you can decrypt the data, so an easy modification is to encrypt a piece of the data with another file-encryption key so you can prove to the victim that you have the RSA private key.

Internet attacks have changed over the last couple of years. They’re no longer about hackers. They’re about criminals. And we should expect to see more of this sort of thing in the future.

Posted on May 30, 2005 at 8:18 AM

Sensitive Information on Used Hard Drives

A research team bought over a hundred used hard drives for about a thousand dollars, and found more than half still contained personal and commercially sensitive information — some of it blackmail material.

People have repeated this experiment again and again, in a variety of countries, and the results have been pretty much the same. People don’t understand the risks of throwing away hard drives containing sensitive information.

What struck me about this story was the wide range of dirt they were able to dig up: insurance company records, a school’s file on its children, evidence of an affair, and so on. And although it cost them a grand to get this, they still had a grand’s worth of salable computer hardware at the end of their experiment.

Posted on March 2, 2005 at 9:40 AM

Schneier: Microsoft still has work to do

Bruce Schneier is founder and chief technology officer of Mountain View, Calif.-based MSSP Counterpane Internet Security Inc. and author of Applied Cryptography, Secrets and Lies, and Beyond Fear. He also publishes Crypto-Gram, a free monthly newsletter, and writes op-ed pieces for various publications. Schneier spoke to SearchSecurity.com about the latest threats, Microsoft’s ongoing security struggles and other topics in a two-part interview that took place by e-mail and phone last month. In this installment, he talks about the “hype” of SP2 and explains why it’s “foolish” to use Internet Explorer.

What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.

Which threats are overly hyped?

Schneier: Cyberterrorism. It’s not much of a threat. These attacks are very difficult to execute. The software systems controlling our nation’s infrastructure are filled with vulnerabilities, but they’re generally not the kinds of vulnerabilities that cause catastrophic disruptions. The systems are designed to limit the damage that occurs from errors and accidents. They have manual overrides. These systems have been proven to work; they’ve experienced disruptions caused by accident and natural disaster. We’ve been through blackouts, telephone switch failures and disruptions of air traffic control computers. The results might be annoying, and engineers might spend days or weeks scrambling, but it doesn’t spread terror. The effect on the general population has been minimal.

Microsoft has made much of the added security muscle in SP2. Has it measured up to the hype?

Schneier: SP2 is much more hype than substance. It’s got some cool things, but I was unimpressed overall. It’s a pity, though. They had an opportunity to do more, and I think they could have done more. But even so, this stuff is hard. I think the fact that SP2 was largely superficial speaks to how the poor security choices Microsoft made years ago are deeply embedded inside the operating system.

Is Microsoft taking security more seriously?

Schneier: Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they’re still not taking security seriously enough for me. They’ve made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem. To me, the problem is economic. Microsoft — or any other software company — is not a charity, and we should not expect them to do something that hurts their bottom line. As long as we all are willing to buy insecure software, software companies don’t have much incentive to make their products secure. For years I have been advocating software liability as a way of changing that balance. If software companies could get sued for defective products, just as automobile manufacturers are, then they would spend much more money making their products secure.

After the Download.ject attack in June, voices advocating alternatives to Internet Explorer grew louder. Which browser do you use?

Schneier: I think it’s foolish to use Internet Explorer. It’s filled with security holes, and it’s too hard to configure it to have decent security. Basically, it seems to be written in the best interests of Microsoft and not in the best interests of the customer. I have used the Opera browser for years, and I am very happy with it. It’s much better designed, and I never have to worry about Explorer-based attacks.

By Bill Brenner, News Writer
4 Oct 2004 | SearchSecurity.com

Posted on October 8, 2004 at 4:45 PM
