FBI wants massive data-mining capability for social media

The FBI is asking industry for help in developing a far-reaching data-mining application that can gather and analyze intelligence from social media sites.

The FBI wants “to determine the capability of industry to provide an open source and social media alert, mapping, and analysis application”, the agency said in a request for information (RFI).

“The application must have the ability to rapidly assemble critical open source information and intelligence that will allow SIOC [Strategic Information and Operations Center] to quickly vet, identify, and geo-locate breaking events, incidents and emerging threats”, the RFI explained.

The application must be able to provide an “automated search and scrape capability of both social networking sites and open source news sites for breaking events, crisis, and threats.”

The FBI also wants the capability to analyze the social media data to provide early warning; detect credible threats or monitor adversarial situations; locate bad actors or groups and analyze their movements, vulnerabilities, limitations, and possible adverse actions; predict likely developments or future actions taken by bad actors; and develop databases on the information gathered from social media sites.

Nowhere in this detailed RFI, however, does the FBI ask industry to comment on the privacy implications of such massive collection and storage of social media data. Nor does the FBI say how it would define the “bad actors” who would be subjected to this type of scrutiny.

Symantec: Source code stolen, users should disable pcAnywhere

Symantec has confirmed that a group has stolen source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool.

Although Symantec says the theft actually occurred in 2006, the issue did not come to light until this month when hackers said they had the source code and would release it publicly. Users of the Norton products in question are not at any increased risk of attack because of the age of the source code and security improvements made in the years since the breach, but the vendor acknowledged on Tuesday night that "Customers of Symantec's pcAnywhere have increased risk as a result of this incident."

Symantec released a patch fixing three vulnerabilities in pcAnywhere version 12.5 (the current version) on Monday, and said it will continue issuing patches "until a new version of pcAnywhere that addresses all currently known vulnerabilities is released."

Symantec pointed customers to a white paper that recommends disabling pcAnywhere, unless it is needed for business-critical use, because malicious users with access to the source code could identify vulnerabilities and launch new exploits. "At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said. "For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein."

As for Norton, Symantec said the source code stolen was from the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, and Norton SystemWorks. Earlier this month, Symantec said no products were at risk, but changed its message regarding pcAnywhere after further investigation.

Simply run updated software! Always keep your software up to date: vendors of this and other software are constantly patching it to prevent malicious behavior. Need an assessment? Contact High Desert Technology or visit our Update Solution page to get or check for vital updates.

Pacific Northwest train signals disrupted by hacker, says TSA

Hackers, possibly from abroad, attacked a Pacific Northwest railway company’s computer system, disrupting railway signals in December, according to the US Transportation Security Administration (TSA).

Train service of the unnamed railroad "was slowed for a short while" and rail schedules were delayed about 15 minutes on Dec. 1 as a result of the computer intrusion. The following day, shortly before rush hour, a "second event occurred" that did not affect schedules, according to a TSA document obtained by Nextgov. The memo summarized discussions TSA had with railroad industry representatives on Dec. 20 regarding the incident.

"Some of the possible causes lead to consideration of an overseas cyberattack", the memo stated. TSA investigators discovered two IP addresses used by the intruders on Dec. 1 and a third on Dec. 2, the document noted, but it did not say in which country the IP addresses were located. The TSA sent out notice of the incident, including the three IP addresses, to several hundred railroad companies and public transportation agencies.

However, Holly Arthur, a spokeswoman for the Association of American Railroads, denied that there was a recent computer hack of a US railroad. She told Nextgov that there was “no targeted computer-based attack on a railroad. Railroads closely monitor cyber security as a fully integrated part of both the industry's overall security plan, as well as individual company plans. Continuous coordination on cyber security occurs across the industry and with the federal government.”

FBI issues a new warning about the Zeus variant called Gameover

The FBI has issued a new warning about a phishing campaign delivering a new variant of the Zeus financial malware dubbed Gameover. The campaign involves an email purporting to come from National Automated Clearing House Association (NACHA), the Federal Reserve or the Federal Deposit Insurance Corporation (FDIC).

The phishing email warns the recipient about a problem with a transaction and provides a link to a site that will supposedly help solve the issue. Instead, a malicious website downloads the Gameover malware. Gameover employs the traditional and configurable ‘man-in-the-browser’ injection technique where it can access the user’s bank details before they are encrypted and after they are decrypted. However, one of the main differences between Zeus and Gameover is that the latter is controlled via a distributed command and control infrastructure.

Following theft from the victim’s bank account, Gameover instigates a botnet-based denial of service attack (DDoS) against the bank’s servers. This serves two purposes: it deflects the bank’s attention away from the fraud and disrupts the bank’s fraud detection systems. 

“The combination of financial fraud and DDoS attack,” comments Amit Klein, CTO of browser protection specialist Trusteer, “is most disturbing indeed, as it cunningly draws attention to the more obvious issue (DDoS), which makes the fraud more easily missed. It raises the bar for defense systems and forces them to react to fraud in real time in order to remain effective.” A system that searches for fraud patterns after the event, he explains, will be subject to the disruptions caused by the DDoS attack and be rendered less effective.

According to the FBI, the stolen money may then be used to finance the purchase of expensive jewelry or watches. The money is wired into the store’s account and the goods collected by a ‘mule’ (an intermediary employed by the criminals) usually on the day after the fraud.
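The point Trusteer makes above is that a DDoS arriving right after a fraudulent wire is itself a signal, and that a fraud system which only reviews transactions after the fact will be blinded by the flood. The following is an added example, not code from the FBI warning or from Trusteer: it assumes a bank's fraud team sees a stream of wire-transfer events and a stream of DDoS alerts from its network monitoring, both timestamped, and it holds for review any wire submitted in the window just before a flood began, weighted by two ordinary risk signals (new beneficiary, large amount). All account ids, names, amounts, times and thresholds are constructed.

```python
"""Correlate outbound wires with a subsequent DDoS alert (added example).

Assumptions (hypothetical): a Wire record per submitted transfer and a
DdosAlert record per flood detected against the bank's front end. The
scoring weights and the 30-minute window are illustrative, not a standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Wire:
    wire_id: str
    account: str
    amount: float
    beneficiary: str
    new_beneficiary: bool        # first transfer ever to this beneficiary
    submitted_at: datetime


@dataclass(frozen=True)
class DdosAlert:
    started_at: datetime
    target: str


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data; not taken from any real incident.
WIRES = [
    Wire("W-1001", "ACCT-77", 1250.00, "Known Vendor LLC", False, parse_ts("2012-01-18T09:12:00")),
    Wire("W-1002", "ACCT-77", 17500.00, "Jewelry Outlet", True, parse_ts("2012-01-18T10:41:00")),
    Wire("W-1003", "ACCT-12", 480.00, "Payroll Co", False, parse_ts("2012-01-18T10:50:00")),
    Wire("W-1004", "ACCT-77", 8200.00, "Watch Importer", True, parse_ts("2012-01-19T15:05:00")),
]
ALERTS = [DdosAlert(parse_ts("2012-01-18T10:55:00"), "online-banking-frontend")]


def wires_before_ddos(wires, alerts, window=timedelta(minutes=30)):
    """Return the wires submitted within `window` before any DDoS alert started."""
    flagged = []
    for alert in alerts:
        lo = alert.started_at - window
        for w in wires:
            if lo <= w.submitted_at <= alert.started_at:
                flagged.append(w)
    return flagged


def score(wire, flagged_ids):
    """Additive risk score; the weights are illustrative assumptions."""
    s = 0
    if wire.wire_id in flagged_ids:
        s += 50            # submitted just before the flood: the cover-fire pattern
    if wire.new_beneficiary:
        s += 30
    if wire.amount >= 10000:
        s += 20
    return s


def holds(wires, alerts, threshold=60):
    """Wire ids that should be held for manual review when the DDoS alert fires."""
    flagged_ids = {w.wire_id for w in wires_before_ddos(wires, alerts)}
    return [w.wire_id for w in wires if score(w, flagged_ids) >= threshold]


if __name__ == "__main__":
    for w in wires_before_ddos(WIRES, ALERTS):
        print("in pre-DDoS window:", w.wire_id, w.beneficiary, w.amount)
    print("hold for review:", holds(WIRES, ALERTS))
```

The design choice is to evaluate the hold at the moment the DDoS alert fires, not in a nightly batch: the alert is the trigger, and the review queue is populated from the bank's own transaction records rather than from the possibly degraded monitoring systems the flood is meant to disrupt.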

Zeus Bot blamed for theft of Salem County funds

SALEM — Computer hackers have broken in and stolen approximately $19,000 by way of an illegal wire transfer from a Salem County bank account that held over $13 million in funds.

The illegal transaction happened in mid-December and as of late last week Salem County Chief Finance Officer Douglas C. Wright said the county has yet to recoup the money that was stolen.

Wright said the county is working with law enforcement officials, who believe the county system was attacked by a computer virus called a “Zeus Bot.”

Zeus Bot is a “Trojan horse” computer virus that steals banking information by keystroke logging and form grabbing. It is spread mainly through drive-by downloads and computer network phishing schemes.

According to online data from Prevx Security, the virus that helped hackers get access to Salem County’s account has allegedly compromised over 74,000 accounts of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon and BusinessWeek.

Wright said the hacker was able to access the county’s online banking system through the Microsoft Exchange server.

Exchange is an email-based collaborative communications server for businesses.

“They were able to jump in our account and essentially blocked us from logging on,” said Wright. “When they were logged in, they wired out $19,000 to an account with JP Morgan Chase out in California.”

Exactly $19,380.70 was stolen from the county account.

In all, the account that was entered held more than $13 million in county funds, so the county may be lucky the theft was not devastating.

Wright said unfortunately the Information Technology (IT) Department at the county was unable to trace the Zeus Bot back to its origins.

“The virus changes and becomes undetectable in your system,” Wright said. “It’s very difficult to catch.”

This is not the first time this has happened to a county government agency in New Jersey. Wright said Monmouth County was hit last year.

“We have reached out to the other counties in the state and the local municipalities to inform them, so they can be aware,” said Wright of the hacking and theft incident.

As a precautionary measure, the county is no longer using its online banking system, CashLink, which is run by Fulton Bank of New Jersey.

Wright said the computer that was attacked with the virus has also been removed and sent to a crime lab for analysis.

The county will also be setting up a new secure computer solely for the use of bank transactions. This computer will have no email, public Internet access, no disk drive or USB ports.

“This system should be running sometime (this) week,” Wright said.

Wright said they are also working with Fulton Bank and the county insurance broker to find a way to recoup the moneys stolen by the hacker.

“We are doing everything we can to get the $19,000 back,” he said.

Salem County Prosecutor John Lenahan said his office along with the New Jersey State Police are investigating the theft.

He could not provide any further information as the investigation is ongoing.

People not aware they're participating in DDOS attacks

Anonymous has launched distributed denial-of-service attacks, designed to shut down Web sites, against government and corporate sites in the past. Typically, supporters download software called Low Orbit Ion Cannon (LOIC) that directs their computer to repeatedly try to connect to a target Web site. So many digital knocks on the door, as it were, can shut a site down so no one can get in.

However, the source of the attack (the IP address of each individual computer attempting to access the site) can easily be traced when LOIC is used, putting participants at risk of prosecution. (Despite that threat, people have been downloading LOIC like mad since Wednesday, including more than 19,000 downloads in the last day, according to a blog post by security firm Imperva.)

So, Anonymous has come up with a way to allow people to participate without risking arrest. In protest of the Stop Online Piracy Act (SOPA), as well as yesterday's government takedown of file-hosting site Megaupload and the indictment of its operators, Anonymous launched DDOS attacks on more than a dozen sites and used a new tactic.

The group distributed Web links yesterday during its attacks on the Department of Justice, FBI, Universal Music and a host of other sites, that made joining the attacks as easy as clicking the mouse. The links led to Web pages with special JavaScript instructions that automatically redirected the visiting computer to a Web site being targeted for attack. The computer continues attempting to access the target site until the Web page is closed.

Another version of the tool, for people willing to participate, would direct computers to a Web page on which a visitor could type in the IP address to target and the page would automatically refresh in the background so the computer would continually try to access the target.

The tool relies on JavaScript being enabled, and given how many Web sites require JavaScript, it's likely most of the people who clicked the links were unwittingly drawn into the attacks.
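From the target site's side, the tool described above has a recognisable shape in the access log: many distinct visitor addresses, each re-requesting the same page every few seconds, all arriving with the Referer of the page hosting the redirect script. The following is an added example, not code from Sophos, Imperva or anyone quoted here: a small log analyser, run over constructed combined-format log lines, that groups requests by third-party Referer and reports referers behind which several addresses are hammering the site. It assumes browsers send the hosting page's URL as Referer for script-driven reloads (they generally do, though the header can be absent), so this is one signal for a web team deciding what to rate-limit or block, not a complete defence. The host name, addresses and URLs are hypothetical.

```python
"""Spot a referer-driven request flood in web server logs (added example).

Input: Apache/nginx "combined" log lines. Output: referers (other than our
own site) from which at least `min_ips` addresses each made at least
`min_hits_per_ip` requests. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

OUR_HOST = "www.example-agency.gov"   # hypothetical target site


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, min_ips=3, min_hits_per_ip=5):
    """Return {referer: {ip: hits}} for third-party referers that look like a flood."""
    by_ref = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ref = rec["referer"]
        if ref == "-" or OUR_HOST in ref:
            continue                       # direct visits and in-site navigation are normal
        by_ref[ref][rec["ip"]] += 1
    suspicious = {}
    for ref, ips in by_ref.items():
        heavy = {ip: n for ip, n in ips.items() if n >= min_hits_per_ip}
        if len(heavy) >= min_ips:
            suspicious[ref] = heavy
    return suspicious


# --- constructed sample log -------------------------------------------------
def _mk(ip, sec, ref):
    return (f'{ip} - - [19/Jan/2012:14:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 5120 '
            f'"{ref}" "Mozilla/5.0"')


ATTACK_REF = "http://join-the-flood.example.net/page.html"   # hypothetical hosting page
SAMPLE_LOG = (
    # three visitors who left the page open: one request every ten seconds
    [_mk(f"203.0.113.{i}", s, ATTACK_REF) for i in (10, 11, 12) for s in range(0, 60, 10)]
    + [
        _mk("198.51.100.7", 5, "http://news.example.org/article"),   # ordinary inbound link
        _mk("198.51.100.8", 20, "-"),                                # direct visit
        _mk("203.0.113.50", 30, ATTACK_REF),                         # clicked, then closed the tab
    ]
)

if __name__ == "__main__":
    for ref, ips in analyze(SAMPLE_LOG).items():
        print(f"flood referer {ref}: {len(ips)} addresses, {sum(ips.values())} requests")
```

The single-request visitor from the same referer is deliberately left out of the report: the thresholds are there to separate people who clicked once from computers that kept reloading, which is the population worth rate-limiting.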

It's likely that the tricky links increased the effectiveness of the attacks, which appeared to have impacted overall Internet traffic patterns, at least for a while, according to a real-time Web monitoring site operated by content delivery company Akamai. The site registered 218 attacks yesterday hours after the attacks started. Attack-related traffic was up 24 percent over normal, while general network traffic was up 14 percent.

The links were distributed on Twitter, IRC, Facebook, Tumblr, and other sites and there was no indication that they were potent. Some of the links led to sites similar to Pastebin, where Anonymous often posts its messages. Other links were obscured using Web address shorteners like Bitly.com.

"From the looks of things, this is on a scale we haven't seen before," said Graham Cluley, senior technology consultant at security company Sophos, who wrote a blog post about the tool. "We saw some Anonymous Twitter accounts gain hundreds of thousands of new fans overnight as word began to spread."

If you did happen to click one of the links, you aren't likely to get in trouble. For one, investigators might conclude that all the different IP addresses that hit the site during the attack were part of a botnet of compromised computers. And even if investigators suspected that the blasts from your IP address on the target site were conducted as part of the attack, it's unlikely that you would be singled out for a visit from the authorities, said Jennifer Granick, an attorney who has represented defendants accused of computer crimes.

"If you are an unwitting participant then technically you're not liable under the law because all criminal statutes, with some narrow exceptions, require some criminal state of mind," such as acting "knowingly" or "intentionally," she said.

"But even being part of a botnet could result in unwanted police attention anyway," Granick added. "That's probably unlikely, depending on how many computers are involved in the DDOS attack."

The situation is another story for the people distributing the attack-enabling links, however.

"If you are a distributor of malware that targets a site, you can be liable for all damage that occurs to that site as a result of the malware functioning," Granick said. "If you are distributing a program and intending to cause damage and that's what results, that is a violation under the law."

In computer crime cases, damage is usually defined broadly and includes resources needed to respond to an attack and return the system to normal, so damages can add up, she said.
