Snapped

Here’s yet another example of why you need to think about what you post for public viewing on the Internet. The story “The family Christmas photo that became an ad for a Czech food store” demonstrates that once you upload your information to the Internet you have no idea how it may be used. It also shows how someone can use it for commercial purposes without acknowledging or paying you for something you created.

 

Generally, most people would not hand over personal information to a stranger in the street if they were asked, yet they willingly do so on the Internet. How come? Seems to me, most people really don’t understand both sides of the Internet. Yes, there is plenty of good but there is just as much bad. The issue isn’t the Internet per se, it is the human beings that use it.

 

Value your privacy because the Internet sure doesn’t, and once you surrender control of your information it is lost forever. Beware!

Oops

Chalk up another win for the bad guys. If you read “Computer spies breach fighter jet project” you’ll find the following:

 

“In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.”

Yup, you read that right, 7TB of data. Roughly 7,000GB! Where from? The Pentagon no less. You have also gotta love this:

 

“The spies inserted technology that encrypts the data as it’s being stolen; as a result, investigators can’t tell exactly what data has been taken”

 

Talk about a “perfect crime”!

 

What is clear these days is that the latest developments in technology are not only being used for good but also bad. Like most tools, the Internet is neutral but it provides a platform that can be used in many different ways, which many people seem to overlook in their rush to get systems ‘online’.

 

As the standard law of computer security goes:

 

Q. How many vulnerabilities do you have to defend against?

A. EVERY SINGLE ONE

 

Q. How many vulnerabilities does someone need to find to exploit your system?

A. ONE

 

The odds are certainly not in your favour. That’s why you have to keep working so hard to keep the bad guys out but with odds like that do we ever really stand a chance? It certainly doesn’t seem so does it?

Determining TCP activity

There are a few ways that you can determine the TCP/IP activity on your system.

1. Netstat
 
Simply go to a command prompt and type netstat -an and you should see something like that shown above. You can see the protocol, local_ip_address:port, foreign_ip_address:port and the state.

This really only tells you the basics of which ports are connected to what IP addresses but it doesn’t actually tell you what programs are using those ports.

2. Fport

Fport is a free program that can be downloaded from:

http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip

and when run in the command window will not only show the TCP ports but also which program on your system is using each port, as shown above. For example, we can see that iTunesHelper.exe is using TCP port 1029 and is process 3548.

Fport therefore provides a lot more information but it isn’t updated constantly and you need to run it in a command prompt.

3. Prio

Amongst other things, Prio can do what both netstat and fport do, but as part of your task manager. You’ll find the free Prio download at:

http://www.prnwatch.com/prio.html

Once installed, Prio will provide you with an additional tab in your task manager (accessed via Ctrl-Alt-Del) called TCP/IP as shown above. In there you’ll see an up-to-date list of all the TCP connections and the programs using these ports.

So all 3 tools provide you with the ability to inspect what TCP/IP connections are taking place on your system. This can be of significant assistance when tracking down rogue applications accessing the Internet without your knowledge.
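The port-to-program mapping that Fport and Prio provide can also be rebuilt from built-in Windows commands. The following is an added example, not part of the original post: it assumes `netstat -ano` (the `o` switch adds a PID column) and `tasklist /FO CSV /NH`, and the sample outputs, including the `updater.exe` name and all addresses other than the iTunesHelper.exe entry mentioned above, are constructed.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (Windows); not from a real host.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       3548
  TCP    192.168.1.10:1145      203.0.113.7:80         ESTABLISHED     2204
  TCP    192.168.1.10:1150      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    684
"""

# Constructed sample of `tasklist /FO CSV /NH` output (updater.exe is hypothetical).
TASKLIST = '''"System","4","Services","0","236 K"
"svchost.exe","912","Services","0","4,120 K"
"iTunesHelper.exe","3548","Console","0","5,012 K"
"updater.exe","2204","Console","0","3,300 K"
'''

def parse_netstat(text):
    """Yield (local, foreign, state, pid) for each TCP row; UDP rows have no state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def connections_with_owner(netstat_text, tasklist_text):
    """Join each TCP connection to the program that owns it, as Fport does."""
    names = parse_tasklist(tasklist_text)
    return [{"local": lo, "foreign": fo, "state": st, "pid": pid,
             "image": names.get(pid, "<unknown>")}
            for lo, fo, st, pid in parse_netstat(netstat_text)]

def outbound(rows):
    """Established connections to non-loopback peers: the ones worth reviewing."""
    return [r for r in rows if r["state"] == "ESTABLISHED"
            and not r["foreign"].startswith(("127.", "[::1]"))]

if __name__ == "__main__":
    for r in outbound(connections_with_owner(NETSTAT, TASKLIST)):
        print(f'{r["image"]:<18} pid={r["pid"]:<5} {r["local"]} -> {r["foreign"]}')
```

A PID that maps to `<unknown>` means the process exited between the two commands or is hidden from tasklist, which is itself worth a closer look.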

Another dud

Well, April 1 has come and gone and the Conficker worm didn’t destroy humanity. As “Worm chaos fails to strike” noted:

 

“there was no evidence it was doing anything other than modifying itself to be harder to exterminate.”

 

Like, duh! Why would it do anything else? As I noted in previous posts (here and here), the media does nothing to help the cause of IT security by using inflammatory articles. Why? Because they get ‘average’ users all apprehensive as to what will happen to their machines and then when nothing does (in this case again), users believe that it is all simply a case of ‘crying wolf’ and don’t change their online behaviour. This means their systems continue to remain unpatched and unsecured making it easier again for the bad guys.

 

There seems little doubt that the Conficker worm is real and that it has many systems in its grasp, but in the end it is all about money, not about some sort of security statement or proof-of-concept attack.

 

The disjoint between informed IT security and the ‘average’ user simply grows when incidents like this occur. The lack of understanding and drive for sensationalism by the media simply makes the situation worse. In the end the only solution I can see is to force people to update their systems. You’re not allowed on the road with an unsafe car are you? Why are you allowed on the Information Superhighway with an unsafe PC? In the end regulation is the only way we can overcome this issue as I see it.

 

Till then, the bad guys just keep kicking goals.

Conficker

Here’s some more media mania about Conficker. “Defences bolstered ahead of Conficker April Fools’ offensive” claims that:

 

The US Department of Homeland Security released a tool on Monday to detect whether a computer is infected by the Conficker worm.

When you go to the US-CERT site you only find the following “tool” (which isn’t really a tool):

 

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers.  The presence of a Conficker/Downadup infection MAY [my emphasis] be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

http://www.mcafee.com

If a user is unable to reach any of these websites, it MAY [my emphasis] indicate a Conficker/Downadup infection.  The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them.  If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet – in the case for home users.

 

So if you can, or cannot, surf to those web sites you may, or may not, have Conficker. In other words, you’re still not going to have any idea! As I keep saying, the bad guys are winning.

 

The Symantec site does have a nice video from 60 Minutes in the US about Conficker. It is well worth watching because it again highlights how the bad guys are beating the good guys hands down.

 

http://www.cbsnews.com/video/watch/?id=4901282n

 


In the video you’ll get an understanding of how much information the virus captures about your PC sessions (basically everything – browsing, keystrokes, passwords and so on). You’ll also see how CBS (the makers of 60 Minutes) thought they were safe when, as it turned out, they weren’t. Even worse, they still can’t be 100% sure they are clean because Conficker could simply be lurking somewhere ready to re-infect. Again, bad guys win.

 

Interesting to see what tomorrow does bring.

Media hysteria

The media appears to be prepping us for the next Y2K technology disaster with the Conficker worm on the first of April. Headlines like “Conficker worm threatens April Fools’ chaos” are not designed to be informative, simply inflammatory. The media hasn’t been in the business of providing balanced reporting for a long time now. If you actually read the article you’ll find the following:

 

“But researchers who have been tracking Conficker say the date will probably come and go quietly.”

 

which doesn’t make for a very exciting headline does it? That certainly isn’t going to get people reading your paper is it now?

 

If you were a bad guy who controlled a whole swag of machines via the Conficker worm, why the hell would you want anyone to know? Simply put, it would spoil your revenue stream because cybercrime these days is much like any commercial business: it is all about making money!

 

It does however illustrate an interesting issue: where does the average PC user go to get information about keeping their technology secure? The prevalence of the Conficker worm seems to demonstrate that not many understand the need to update their system regularly, given that the patch to prevent Conficker has been available since October. So where do they turn? The article fails to provide any links or explicit instructions as to what a user can do to even check their systems.

 

This again plays into the hands of the bad guys, more or less ensuring that their infections will continue to spread. I often wonder what sort of drag the effects of cybercrime have on the economy: the cost of lost time and productivity, the cost of cleaning up infections and the potential cost of lost or compromised information. Pro-active security is always cheaper than reactive measures, yet judging by the number of Conficker infections that is the minority opinion.

 

Why? Where is the system failing? Why aren’t more people being made aware of the potential threats to their systems? Are people, in fact, choosing to ignore these warnings in the belief that it can never happen to them? Why has it become so difficult to protect even the most basic PC installation? Honestly, I don’t know the reasons, but the potential end results of this ignorance are clearer every day, yet it seems the world becomes less and less secure with every machine that is connected to the Internet.

 

As I have said before, it’s a brave new world and you are the only one responsible for your security, because few out there, media included, are going to provide you with any meaningful or helpful information. Isn’t that nice to know when you’re swimming with the sharks? The only solution I can provide is knowledge. If you don’t understand the threat, learn. If you want to protect yourself and your information, learn. Luckily, that is one thing the Internet is good for – information.

Digital footprints

I am utterly amazed at how ignorant most people are of the fact that all their wonderful technology can provide excellent information of exactly who you are and what you are doing at any time.

 

The story “Digital dabs: how Einfeld was tracked with a mobile, credit card and e-tag” shows how the police used digital evidence like that from electronic tolls, mobile phone and credit cards to prove the guilt of Marcus Einfeld. It goes to show that convenience has a price and that price is usually reduced privacy.

 

In many respects the lust for technology has made the job of tracking individuals much easier than it ever used to be. Stop and think about every email you send, every internet search you do, every login to Facebook, and so on – they’re all trackable. The more you use technology the more ‘digital evidence’ begins to stack up against you. The unfortunate thing about this is that digital evidence is firstly much easier to store and secondly much easier to search.

 

As I have lamented here before, so many people have no concept of the value of their privacy and are surrendering it without a second thought. We happily proclaim the wonders of technology but we seem to remain oblivious to the dangers it also brings. Read the story and then stop and think: how much information are you giving away about yourself without even thinking?

 

We perhaps wrongly believe that technology has given us greater freedom, mobility and convenience and yet the reality may be that it has enslaved us as never before.

Does nobody care?

A couple of posts ago I wrote about Facebook follies and the fact that some scammers were using Facebook as a way to attract potential victims. Part of this involved a picture of a man standing next to a bright red sports car. In fact it turns out these pictures are taken from someone’s online photo album as detailed in “Facebook scam: Ferrari man’s true identity revealed”.

Now I don’t use Facebook that often but when I logged in recently I saw the following ad:

Now where have I seen that before? (Firstly, I gotta say if you think he’s standing next to a Lamborghini then you deserve everything you get, it’s a Ferrari Enzo). I clicked on the ad and up came the web site:

with a lovely photo of ‘Tom’ and the pitch about how much money I can make if I just sign up now.

It would seem clear by now that this offer is a scam, so why is it still running on Facebook?  As the article says:

“There are numerous reports of people who fell for the scam and were charged hundreds of thousands of dollars after handing over their credit card details.”

So where’s the protection for the Facebook user? It certainly doesn’t appear that there is much. I always used to say that the stock market was the perfect vehicle for transferring wealth from the stupid to the intelligent but now I’m going to have to revise that to being the Internet.

The continuation of these sorts of ads again confirms my belief that we are losing the battle against the bad guys. Some may say that what is happening here is not against any law, and that people should always be aware when purchasing ANYTHING from the Internet, and I agree. However, the reason that our systems are constantly under threat from viruses and trojans is that most Internet users are totally unaware of how they should be protecting themselves, and look at the global problems that has caused. It seems that when it comes to using the Internet, common sense goes right out the window.

Now scams like this are nothing new and they happen on other sites like eBay and what not, but it seems to me that technology is making this easier in so many ways. Every day technology makes it easier both to perpetrate crime and to confuse the average user. It amazes me in this so-called world of ‘Web 2.0’ interconnectivity that most people are being left to fend for themselves in a pool of sharks. The more connected we think we are the more isolated we become perhaps?

The moral is clearly, every person for themselves and if it seems too good to be true then generally it is.