Showing posts with label cyber attacks.

Monday, January 5, 2015

2014 is finally closed, long live 2015 - What Now!

2014 is finally closed, long live 2015 but what a year 2014 has been for the tech industry.

With some of the worst cyber attacks in history, it will be a year to forget for many, raising data security straight to the top of the agenda for most CIOs.

Cloud adoption has continued to increase, helped in no small way by the pricing wars between Amazon, Google and Microsoft.

When it comes to the public sector, there has been a simmering tension between Whitehall, consultants and large suppliers on the back of several large contract problems.

So what does 2015 hold in store for us? IT Pro asked analysts and industry experts for their views.

1. The Internet of Things will finally make sense

Bola Rotibi, research director at analyst house Creative Intellect Consulting (CIC), believes the hype around the Internet of Things (IoT) will deflate.

She says: "The industry and market will flounder in trying to grasp exactly the definition of IoT and why it really is different from what has been evolving from the machine to machine world.

"In fact the initial hype of IoT will quickly subside as the reality of the fact that it touches so many industries that it cannot be determined the difference of what is actually an IoT market and the general evolution of every other technology sector."

But colleague Clive Howard says that the Internet of Things (IoT) will start to make more sense for businesses as more industry use cases come out of it.

“IoT will continue to be big news but we will start to see a lot more sense coming through,” he says. “Less about vending machines and thermostats and more about industrial applications that provide real value. I think generally we’re going to see more tech stories in the enterprise space whether mobile or IoT.”

Forrester Research believes the IoT trend will help CIOs focus on longer term business change rather than cost-saving exercises.

The research firm’s Frank Gillett says: “Though most early IoT implementations are driven by line-of-business executives seeking specific operational efficiency improvements, the CIO’s tech management teams will eventually be drawn in to help with security, networks, software integration, interoperability, and analytics.

“Over the longer term, CIOs need to anticipate where business leaders will go after achieving operational efficiency improvements and plan for technology and infrastructure to support engaging with customers in new ways, creating new revenue streams, and offering new business models.”

2. Beware the second coming of the systems integrator

Georgina O’Toole, of analyst group TechMarketView, believes that after two years of trying to break free of the shackles of Big IT providers, the government will turn to those with system integrators (SIs) again.

“From collectively being on the ‘naughty step’, the Cabinet Office has accepted that they require suppliers with deep knowledge of the public sector to guide them on what will be a difficult transformational journey over the next few years,” she predicts.

“In the world of ‘digital’, systems integrators will be the bolt that holds everything together and helps the public sector ‘Join the Dots’.

“The large SIs are taking this approach to developing their business outside of Whitehall as well – using their integration skills to, for example, take data analytics capabilities to the table and open up new opportunities.”

She believes this reliance on SIs will grow as more SMBs work as subcontractors for large IT firms handling a public sector contract.

3. Apple Pay will introduce new cyber threat opportunities

Security firm Trend Micro believes the much-awaited launch of Apple Pay, Apple’s mobile payments app, will bring huge risks to consumers using it, because it has not been trialled in the real world.

“Apple Pay is not alone in the market – other payment systems have or will be introduced by other companies and trade associations,” the firm says. “Not all of these payment systems have been thoroughly tested to withstand real-world threats, and we may see attacks targeting mobile commerce in 2015."

4. There will be an 80% chance you’ll suffer a cyber attack

As Sony Pictures knows, the price to pay for suffering a cyber attack that results in a data leak is high: the film studio has seen embarrassing emails, feature films and staff’s personal details enter the public domain.

It also cancelled, then un-cancelled, its anti-North Korea movie, The Interview, after hackers threatened ‘9/11’-style retaliation.

But even with new EU Data Regulations set to charge up to five per cent of a firm’s annual turnover (or up to €100 million) for breaches, Forrester still believes eight out of ten enterprises will suffer a breach next year, whether they find out or not.

It says: “Forrester believes that in the coming year, breaches of sensitive data such as intellectual property and customer records will continue.

Given that more S&R pros will invest in detection and response capabilities, more security teams will be in a better position to detect and respond to breaches.

“Thus, we feel confident that while at least 60 per cent of enterprises will discover a breach, the actual number of breached entities will be much higher, as high as 80 per cent or more.”

5. Newbie 'Containerisation' will disrupt IT departments

According to 451 Research, 2014 saw an “explosion of activity” around Docker, the young upstart company specialising in containerisation.

The open-source technology of Docker enables sysadmins and developers to automatically deploy applications inside software containers, allowing those processes to run in isolation.

“[We] anticipate disruption in IT departments in 2015 as they start to use Docker,” says 451 Research. “While containerisation technology has existed for years, Docker is a more modern, lightweight form that is widely viewed as a next-generation virtualization technology.

“451 analysts believe Docker will be adopted by large enterprises to work alongside, as well as replace, traditional virtual machines because of its management and efficiency advantages.

“Docker has not yet achieved parity with traditional VMs in some critical areas, including orchestration and security, and a large number of vendors are rapidly addressing this.”

6. Private IaaS providers will compete with Amazon

Forrester believes the saturated public cloud infrastructure market will continue to be popular with customers looking to scale and benefit from economies of scale.

However, it predicts that while smaller infrastructure-as-a-service (IaaS) providers cannot compete, they will try to offer rival deployments in the private cloud.

“Many other cloud IaaS providers are turning to the possibilities of hosted private cloud IaaS and on-premises private cloud IaaS as possible ways to compete, since they have gotten limited traction in the public cloud IaaS market,” it says.

“Offerings where the service is identical to the customer and operated uniformly, whether multitenant or single tenant, on-premises or in the provider's data centre — are potentially attractive to many customers.”

It sees this development as the only way customers with a requirement for on-premise infrastructure can go to the cloud.

Additionally, Forrester believes 2015 will see Microsoft’s cloud business overtake its on-premise division in profitability.

“Microsoft will generate more margin dollars from cloud-based services than its traditional on-premises applications and Windows,” the analyst house predicts. “Under Nadella’s mandate, commercial product development teams are focused on driving innovation into the cloud versions of its properties first (on-premises second).

“And its sales engines are all rewarded for pushing as much cloud into each enterprise license agreement as possible.”

7. Citizens will demand greater control over their own data

Consumers are becoming increasingly wary of how their data is used by companies, believes customer identity management platform Gigya.

Its own survey found 80 per cent of people have abandoned online registration pages because they did not like sharing the information they were being asked to share.

“Businesses must put transparency at the forefront of their data practices in 2015 and proactively address these privacy concerns by letting customers know upfront what data they want to collect, explaining how it will be used, and allowing them to easily opt in and out,” the company warns.

8. Wearables, in their current form, will fail

While the tech industry awaits the launch of the Apple Watch and Google Glass (still) expectantly, no wearable has changed the way we live yet.

EMC’s president of products, Jeremy Burton, predicts wearables will almost entirely die off in 2015, only surviving by serving niche markets.

“Apple fanatics worldwide expect wearables will go mainstream following the emergence of the Apple Watch, but I’m not so sure,” he says.

“Let’s face it, nobody under 35 wears a watch anymore – they rely on their smartphones for everything.  A lot of wearables will fail, with the guys wearing their Bluetooth ear piece all day propping up the market.

“Now, that said, not all wearable technology will end in abject failure. Standalone, niche wearables that shake up industries for the better – such as FitBits or Jawbones that monitor vitals or health activity – will continue to flourish and be incorporated into sports clothing, shoes and equipment.”

CIC’s Howard broadly agrees. He says: “A lot of the heat comes out of wearables [in 2015]. There will be many more devices released but I don’t see adoption sky-rocketing and I think vendors will start to temper their expectations.

“We’re already seeing this with Google Glass. Wearables are more of an industry product than consumer. Unless someone discovers that killer app.”

9. Data scientists will become 'popular' as industry specialists

As firms wake up to the potential of big data, the role of data scientists has been a big topic of conversation in 2014.

And Hitachi Data Systems CTO for EMEA, Bob Plumridge, believes firms will start to hire them more and more as they discover just how much technical expertise is required to make sense of – and use – big data.

“They will also need to understand the business value of the data being generated and analysed in a specific sector,” he adds.

“By 2020, all businesses will need their employees to have the technical skills we associate with a data scientist today. The problem we currently face is that there is a significant skills gap in the UK for workers with the advanced data skills to meet business needs.”

This will be a tough challenge to solve in only five years and the development of UK tech talent must continue to be high on the agenda for both the government and businesses alike.

Next year will also see firms classify data more clearly, Plumridge contends.

“The issue for IT teams [right now] is that they are going in data blind. Often data isn’t classified at the point of creation, leaving businesses with no way of knowing whether they are looking at HR, sales or customer data.

“With the majority of data holding little to no value, the importance of classification is paramount to ensure businesses retain the crucial 20 per cent.”

Monday, November 11, 2013

Eugene Kaspersky speaking about Cyber Attacks to Australian Press Club 2013


A speech by Eugene Kaspersky at the Press Club in Canberra, Australia. The broad talk was designed to bring non-tech journos up to speed on infosec issues.

In it, he said an engineer friend told him Stuxnet had 'badly infected' the internal network of a Russian nuclear plant after the sophisticated malware caused chaos in Iran's nuclear facilities in Natanz.

The malware, widely considered to have been developed by the US Government as a means to disrupt Iran's nuclear enrichment plans, had crossed a physically separated 'air-gapped' network in the Russian plant after it was carried across on a USB device.

Tuesday, August 14, 2012

FinSpy Spyware Appears in 10 Countries

It is one of the more elusive commercial cyber-espionage tools available.

It is marketed as a way for governments to spy on criminals and for over a year, virus hunters unsuccessfully tried to track it down.

Now it is popping up across the globe, from Qatar to an Amazon server in the United States.

FinFisher is a spyware product manufactured by the Gamma Group, a British company that sells surveillance technology. It says its spyware offers “world-class offensive techniques for information gathering.”

According to FinFisher’s promotional materials, the spyware can be “used to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”

Security researchers who studied the spyware last month said it can grab images of users’ computer screens, record their Skype chats, remotely turn on cameras and microphones, and log keystrokes.

The Gamma Group markets FinFisher as a way for government law enforcement and intelligence agencies to keep track of criminals, but the researchers’ findings suggested that it was being used more broadly.

The spyware first attracted attention in March 2011 after protesters in Egypt raided the country’s state security headquarters and found an offer to buy FinFisher for 287,000 euros, or $353,000.

Then in May of this year, pro-democracy Bahraini activists, one in London, another in Washington and one in the Bahraini capital, Manama, started receiving suspicious e-mails, which they passed to a Bloomberg reporter.

Read the full article here: Elusive FinSpy Spyware Pops Up in 10 Countries - NYTimes.com

Thursday, December 9, 2010

The Evolution of Malware - A video interview with Eugene Kaspersky

In the latest edition of the Lab Matters video series, Ryan Naraine talks with Eugene Kaspersky about the state of the malicious Web and the evolution of malware, from:
  • intrusion: viruses and worms, through
  • cyber crime: botnets, to
  • cyber warfare: Stuxnet and beyond.

Thursday, March 4, 2010

Mariposa Botnet Authors and Distributors Caught

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming.

But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

According to Spanish security firm Panda Security, the massive botnet, dubbed “Mariposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars.

Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites.

Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries.

Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.

“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard.

“In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Spain is one of nearly three dozen countries that is a signatory to the Council of Europe’s cybercrime treaty, but Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty’s goals.

The Mariposa botnet takedown was orchestrated by a working group comprising Panda, the Georgia Tech Information Security Center, and Canadian security firm Defence Intelligence, which first detailed the workings of the botnet in a white paper released in May 2009.

On Dec. 23, 2009, the working group was able to “sinkhole” the botnet by hijacking the command and control networks that were being used to orchestrate the botnet’s activities. But according to Defence Intelligence CEO Christopher Davis, a few days later the alleged ringleader of the Mariposa botnet gang, who goes by the hacker alias “Netkairo,” bribed an employee at a Spanish domain name registrar that the gang had been using to register Web site names that helped them control the botnet.

Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs enslaved by the Mariposa botnet were still programmed to regularly connect to those sites and download updated marching orders.

Davis said that on Jan. 22, the hacker launched a distributed denial of service attack against Defence Intelligence’s Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet.

That assault, which forced the infected PCs to flood the company’s site with junk Web traffic, not only knocked Defence Intelligence offline, but took out networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa.

Lorenzana said the three men haven’t been named publicly because they haven’t yet been charged with a crime. Until that happens, which will probably be in a couple of weeks, the men are all free on their own recognizance.

In the meantime, they are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.

“The main problem is that even though the botnet itself has been taken down, these bots are all still infected, and these guys who operated the botnet can still go and download all the details of the data they have stolen,” Lorenzana said.

Juan Santana, CEO of Panda Security, said he hopes this case will spur Spanish lawmakers to amend the penal code to more specifically punish cyber crime activities.

“I don’t think these guys will go to jail, especially if it is the first time they have committed a crime,” Santana said. “The government needs to pass laws that are enforceable and enforced afterward.

In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.”

Saturday, January 16, 2010

Security Manager's Journal: Conficker Worm Keeps on Coming

How did we get infected by Conficker? Computerworld has reported that this worm is infecting 50,000 computers every day and as of October had passed the 7 million-victim milestone. Some observers say that number will double by the end of this month. The worm takes advantage of a Microsoft security hole that, if not patched, leaves computers open to infection.

In my company, the use of USB thumb drives is prevalent, and the worm is infecting these portable storage devices and taking advantage of the autorun feature of Windows to spread. It then proceeds to take over the processor, shut down services and generally make the infected computer unusable. Of course, there's a patch for that (the worm has been around for over a year, and so has the patch), and Microsoft's (MSFT) removal tool for malicious software can clean it -- but as always, patching needs more attention in my company.

I still maintain that a good patching program would save us a lot of time and trouble, since we would have to expend only a little bit of effort upfront while avoiding a lot of work later in cleaning up problems. What's more, regular patching creates a generally more stable environment. But it will take time to get there. In the meantime, we have to deal with this outbreak.

The Conficker worm has gotten a lot of press, having infected some high-profile organizations such as military organizations and government agencies around the world. It uses some fairly sophisticated techniques to contact its controllers, avoid detection and spread itself, as well as random-seeming Web sites to update itself. It propagates via USB drives, networks and peer-to-peer software. It's easy to get, and hard to kill.

So, we've been chasing this annoying beastie, and cleaning it when we find it, but it keeps coming back. It's a persistent bug. Of course, when something like this happens, it helps my case by focusing attention on the importance of patching and proactive security measures, but that makes me feel slightly guilty, as if there should have been more I could have done to avoid the situation in the first place. I think it's unfortunate that it sometimes takes a security incident to get people to realize the risks the business is taking.

DDoS Attacks Are Back and Bigger Than Before

Distributed denial-of-service (DDoS) attacks are certainly nothing new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, thanks to some high-profile targets and, experts say, two important changes in the nature of the attacks.

The targets are basically the same -- private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from targeting ISP connections to aiming legitimate-looking requests at servers themselves.

In fact, said Andy Ellis, CSO of Cambridge, Mass.-based Akamai Technologies (AKAM), the botnets launching many of today's DDoS attacks are so vast that those controlling them probably lost track of how many hijacked machines they control a long time ago. (Listen to the full interview with Ellis in The Long, Strange Evolution of DDoS Attacks.)

Ellis has been watching the trend from a pretty good vantage point. Many people use Akamai services without even realizing it. The company runs a global platform with thousands of servers customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, NBC, and Fujitsu, and organizations like the U.S. Department of Defense and NASDAQ. There's rarely a moment, if ever, when an Akamai customer is not under the DDoS gun.

"We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected," Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. "Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon."

In the last year, Akamai has seen some of the largest DDoS attacks in recent memory, which Ellis described as "huge attacks of more than 120 gigabytes per second." If you are on the receiving end of that much punch, Ellis said, "It's not a pleasant place to be."

Friday, January 15, 2010

Conficker worm hasn't gone away, Akamai says - Network World

Variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies.

"Although mainstream and industry media coverage of the Conficker worm and its variants has dropped significantly since peaking in the second quarter, it is clear from this data that the worm (and its variants) is apparently still quite active, searching out new systems to infect," Akamai said in its State of the Internet report for the third quarter of 2009, released Thursday.

During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.

Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent, it said.

Friday, October 16, 2009

Recession hit Cyber-crime just doesn't pay like it used to.

Recession hits cybercrime! With botnets everywhere, DDoS attacks get cheaper: $30 will now buy a one-day DDoS attack.

Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months. The reason? Market economics. "The barriers to entry in that marketplace are so low you have people basically flooding the market," said Jose Nazario, a security researcher with Arbor Networks. "The way you differentiate yourself is on price."

Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims' servers with unwanted information. Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.

DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicised DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.

Are botnet operators having to cut costs like other businesses in these troubled economic times? Security researchers don't know if that's been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec's Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31 percent jump from the previous year.

DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.

Nazario has seen DDoS attacks offered in the US$100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.

And DDoS attacks aren't the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. "Prices are dropping on almost everything," he said.

While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller. "There's a lot of crap out there where you don't really know what you're getting," said Zulfikar Ramzan, a technical director with Symantec Security Response. "Even though we are seeing some lower prices, it doesn't mean that you're going to get the same quality of goods."

In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.

Friday, August 7, 2009

Cyber criminals can empty business accounts in minutes

Modern methods of moving and transferring money ensure that it moves fast, and it can leave your account just as fast through Automated Clearing House (ACH) fraud.

These criminals are not stupid. They knew what they were doing when they hit the US Western Beaver County School District and they knew when to strike.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned US$704,610.35 out of two of the school district's bank accounts. Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $441,000.

On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organisations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the empty bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks. This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle. They did this by hacking into the company's computers and then authorising 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $150,000 from the attack -- not bad for 30 minutes of work.

Wednesday, August 5, 2009

Rejoice! Latvian ISP linked to online criminal activity booted out of Internet

IDG News Service — A Latvian ISP linked to online criminal activity has been cut off from the Internet, following complaints from Internet security researchers.

Real Host, based in Riga, Latvia, was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites and to Web sites that launched attack code at visitors; it was also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site.

"This is maybe one of the top European centers of crap," he said in an e-mail interview.

"It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.

The ISP was disconnected from the Internet by its upstream provider, Junik, on Monday, after Junik's own provider, TeliaSonera, told it to stop servicing Real Host or face sanctions, Armin said.

Real Host was considered a "bullet proof" hosting provider, that would allow customers to remain online even after they had been linked to malicious activity. It had been linked to the Zeus botnet-making software.

This isn't the first time this type of hosting provider has been knocked offline. In the past year, at least three U.S. ISPs: Atrivo, McColo and 3FN have been unplugged after security researchers built cases against them. Atrivo and McColo were also taken offline by their upstream providers. 3FN was shut down by the U.S. Federal Trade Commission.

But according to Armin, this may be the "first time an international group has achieved this across borders and in Eastern Europe."

In the past, these takedowns have had a serious effect on spam. And while some observers reported a noticeable drop in spam over the weekend, security experts say that this was probably not attributable to the Real Host takedown.

Observers expect to see the criminal activity linked to Real Host resume soon, but they say that the takedown puts some pressure on the bad guys and the networks that provide service to them. "The precedent that's being set right now is that you need to take some responsibility for your network," said Lawrence Baldwin, owner of security research firm Mynetwatchman.

"There actually are some consequences now for allowing an obviously heavy concentration of criminal activity on your networks. It's just not going to be accepted anymore."

Tuesday, July 21, 2009

Iran using more Sophisticated Tactics to Block Internet Access for Government Critics

Iran is using a number of new technologies to censor the Web. Some of these government tools are simplistic and blunt, while others are more precise and surgical. Both kinds are intended to stifle so-called dissidents.

One month after a disputed presidential election sparked widespread unrest in Iran, the country's government has initiated a cyber-crackdown that is challenging hackers across the globe to find new ways to help keep Iranian dissidents connected to the Web.

Iranian Government Strategy step-up
While the government's initial efforts to censor the Internet were crude and consequently ineffective, it has started employing more sophisticated tools to thwart dissidents' attempts to communicate with each other and the outside world. Iranian dissidents are not alone in their struggle, however, as several sympathetic hacker groups have been working to keep them online.

NedaNet

One such group is NedaNet, whose mission is to "help the Iranian people by setting up networks of proxy servers, anonymisers, and any other appropriate technologies that can enable them to communicate and organise."

NedaNet project coordinator Morgan Sennhauser, who has just written a paper detailing the Iranian government's latest efforts to thwart hackers, says that the government's actions have been surprisingly robust and have challenged hackers in ways that the Chinese government's efforts at censorship have not.

Chinese Internet censorship: An inside look
"China has several gigabytes per second of traffic to deal with and has a lot more international businesses," he says. "They can't be as heavy-handed with their filtration. The Iranians aren't as concerned about that, so they get to use all these fancy toys that, if the Chinese used them, could cripple their economy."

Here are five of the most commonly used technologies the Iranian government has been using to stifle dissent, as outlined in Sennhauser's paper.

IP Blocking
IP Blocking is one of the most basic methods that governments such as Iran are using for online censorship. It simply prevents all packets going to or from targeted IP addresses. Sennhauser says that this was how the government banned access to the BBC's Persian news services and how it took down websites that were critical or in any way negative about the election.

While these operations are relatively simple to execute, they don't tackle the problem of individual communications between users, especially if the users have set up multi-hop circuits that themselves use multiple servers to create a proxy ring.

Traffic Classification (QoS)
QoS is a much more sophisticated method of blocking traffic than IP blocking, because governments can halt any file sent through a certain type of protocol, such as FTP. They can simply limit the bandwidth available on that port and throttle transfers, because the government knows that FTP transfers are most often sent through TCP port 21.

Sennhauser says that this type of traffic shaping practice is the most common one used by governments today, as "it is not too resource intensive and is fairly easy to set up."

Shallow Packet Inspection
Shallow packet inspection is basically a blunter, broader version of the deep packet inspection (DPI) technique that is used to block packets based on their content. Shallow packet inspection makes broad generalisations about traffic based solely on the packet header, unlike DPI, which intercepts packets and inspects their fingerprints, headers and payloads.

Although shallow packet inspection can't provide the Iranian government with the same detailed traffic assessments as DPI, Sennhauser says that it is much better at handling volume than DPI.

Reading the label on the packet

"It's a less refined tool, but it can also deal with a lot more traffic than true DPI," he explains. "Shallow packet inspection is more like judging a book by its cover. If a packet says that it's SSL (Secure Sockets Layer) in the header, then a shallow packet inspector takes it at face value."

However, this is a double-edged sword. If a user disguises their SSL packets as FTP packets in the header, the shallow packet inspector won't be able to tell the difference.

Packet Fingerprinting

This is a slightly more refined method of throttling packets than 'shallow packet' inspection, as it looks not only at the packet header but at its length, frequency of transmission and other characteristics to make a rough determination of its content.

Sennhauser says the government can use this technique to better classify packets and not throttle traffic sent out by key businesses.

Mix 'n Match

"A lot of things don't explicitly say what they are, e.g. a lot of VPN traffic is indistinguishable from SSH traffic, which means that it would be throttled if SSH was," he says, "but what if businesses relied on VPN connections? You'd move the system to fingerprinting, where the two are easily distinguishable."

Deep Packet Inspection / Packet Content Filtering
DPI is the most refined method that the government has for blocking Internet traffic. As mentioned above, deep packet inspectors examine not only a packet's header but also its payload. This gives governments the ability to filter packets at a more surgical level than any of the other techniques discussed so far.

"Viewing a packet's contents doesn't tell you much on its own, especially if it's encrypted," he says. "But combining it with the knowledge gained from fingerprinting and shallow packet inspection, it is usually more than enough to figure out what sort of traffic you're looking at."

DPI Downside

There are downsides to using DPI, of course: it's much more complicated to run and is far more labour-intensive than other traffic-shaping technologies. For those trying to get around it, however, Sennhauser says there is no magic bullet. Users can usually only temporarily elude it by "finding flaws in their system," and even this won't help for long, as the government can simply correct its system's flaws once they're discovered.

"Once they fix the flaw, you've lost unless you can figure out some real way to circumvent it," Sennhauser notes.
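The five techniques above differ in what part of the traffic they look at. The following added example (written for this post, not taken from Sennhauser's paper or from NedaNet) puts the three inspection tiers side by side in Python: a header-only classifier that trusts the port, a fingerprinting classifier that uses only packet sizes and timing, and a payload classifier that looks for protocol signatures. All packets, flows and thresholds are constructed for the example, and the "disguised" flow shows the double-edged sword the article describes: a TLS session sent to port 21 reads as FTP to the header-only tier but as SSL to the payload tier.

```python
"""Three tiers of traffic classification, illustrating the techniques
described in the post. Every packet, flow and threshold here is
constructed for the example; nothing is captured from a real network."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class Packet:
    src_port: int
    dst_port: int
    ts: float       # arrival time in seconds
    payload: bytes


# What a header-only ("shallow") classifier assumes about well-known ports.
PORT_LABELS = {21: "ftp", 22: "ssh", 80: "http", 443: "ssl"}


def shallow_classify(pkt: Packet) -> str:
    """Tier 1: judge the packet by its header alone, i.e. trust the port."""
    return PORT_LABELS.get(pkt.dst_port, "unknown")


def deep_classify(pkt: Packet) -> str:
    """Tier 3: look for protocol signatures in the payload itself."""
    p = pkt.payload
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X, ClientHello 0x01
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    if p.startswith(b"SSH-"):
        return "ssh"
    if p[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    if p[:4] in (b"USER", b"PASS", b"RETR", b"STOR", b"220 ", b"230 "):
        return "ftp"
    return "unknown"


def deep_classify_flow(pkts: List[Packet]) -> str:
    """Payload inspection over a flow: the first recognisable signature wins."""
    for pkt in pkts:
        label = deep_classify(pkt)
        if label != "unknown":
            return label
    return "unknown"


def fingerprint_flow(pkts: List[Packet]) -> Dict[str, float]:
    """Tier 2: statistics a fingerprinting box computes without reading payloads."""
    sizes = [len(p.payload) for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return {
        "count": len(pkts),
        "mean_size": mean(sizes),
        "size_jitter": pstdev(sizes) if len(sizes) > 1 else 0.0,
        "mean_gap": mean(gaps) if gaps else 0.0,
    }


def fingerprint_classify(pkts: List[Packet]) -> str:
    """Rough behavioural verdict from sizes and timing (constructed thresholds)."""
    fp = fingerprint_flow(pkts)
    if fp["mean_size"] < 100 and fp["mean_gap"] > 0.2:
        return "interactive"   # small, irregular packets: a shell session
    if fp["mean_size"] > 1000 and fp["size_jitter"] < 100:
        return "bulk"          # large, uniform packets: a transfer or tunnel
    return "mixed"


def classify_flow(pkts: List[Packet]) -> Dict[str, str]:
    """Run all three tiers over one flow so their verdicts can be compared."""
    return {
        "shallow": shallow_classify(pkts[0]),
        "fingerprint": fingerprint_classify(pkts),
        "deep": deep_classify_flow(pkts),
    }


def make_flow(dst_port: int, sizes: List[int], gap: float, banner: bytes = b"") -> List[Packet]:
    """Build a constructed flow: the first payload carries a protocol banner
    padded to the requested size, the rest are zero-filled to their sizes."""
    pkts, t = [], 0.0
    for i, n in enumerate(sizes):
        payload = banner.ljust(n, b"\x00")[:n] if i == 0 else bytes(n)
        pkts.append(Packet(40000 + i, dst_port, t, payload))
        t += gap
    return pkts


# Constructed TLS ClientHello prefix: record header, handshake type, version, random.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03]) + bytes(32)

# A TLS session sent to the FTP port: the header says "ftp", the payload says "ssl".
DISGUISED = make_flow(21, [1400] * 4, 0.01, TLS_HELLO)
# An interactive SSH session: small packets, most of a second apart.
INTERACTIVE = make_flow(22, [48, 36, 36, 52, 36], 0.7, b"SSH-2.0-OpenSSH_5.1")
# A bulk TLS transfer on port 443: large uniform packets in quick succession.
BULK = make_flow(443, [1400] * 7, 0.01, TLS_HELLO)

if __name__ == "__main__":
    for name, flow in (("disguised", DISGUISED), ("interactive", INTERACTIVE), ("bulk", BULK)):
        print(name, classify_flow(flow))
```

The point of running all three tiers on the same flow is visible in the output for the disguised flow: the header tier is fooled, the fingerprint tier only knows it is bulk traffic, and only the payload tier names the protocol. That is the trade-off the article describes between volume handling and precision.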

Endgame still unclear

Sennhauser says that the government has employed these technologies very quickly and very smartly, despite being caught flat-footed by the initial furor after the election. Indeed, he thinks the only reason that Iran hasn't yet completely shut down dissidents' communications is that they've had to fight with an army of hackers who tirelessly search for flaws in their system.

"It really is like an arms race," he says. "They create a problem, we circumvent it, they create another, we get around that one. This continues on until the need to do so is removed. The circumstances which will end the competition aren't clear yet."

Friday, July 17, 2009

UK Investigation into Cyber Attack goes Global

UK authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world.

On Tuesday, the Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) said it had identified a master command-and-control server used to coordinate the denial-of-service attacks, which took down major U.S. and South Korean government Web sites.

Zombie PCs

A command-and-control server is used to distribute instructions to zombie PCs, which form a botnet that can be used to bombard Web sites with traffic, rendering the sites useless. The server was on an IP (Internet Protocol) address used by Global Digital Broadcast, an IP TV technology company based in Brighton, England, according to Bkis.

BKIS control

That master server distributed instructions to eight other command-and-control servers used in the attacks. Bkis, which managed to gain control of two of the eight servers, said that 166,908 hacked computers in 74 countries were used in the attacks and were programmed to seek out and download new instructions every three minutes, from designated random sites.

Miami Master Server

But the master server isn't in the U.K.; it's in Miami, according to Tim Wray, one of the owners of Digital Global Broadcast, who spoke to IDG News Service on Tuesday evening, London time.
The server belongs to Digital Latin America (DLA), which is one of Digital Global Broadcast's partners. DLA encodes Latin American programming for distribution over IP TV-compatible devices, such as set-top boxes.

VPN Connections
New programs are taken from satellite and encoded into the proper format, then sent over a VPN (Virtual Private Network) to the U.K., where Digital Global Broadcast distributes the content, Wray said. The VPN connection made it appear that the master server belonged to Digital Global Broadcast when it is actually in DLA's Miami data center.

Engineers from Digital Global Broadcast quickly discounted that the attacks originated with the North Korean government, which South Korean authorities have suggested may be responsible.

Digital Global Broadcast notified

Digital Global Broadcast was notified of a problem by its hosting provider, C4L, Wray said. His company has also been contacted by the U.K.'s Serious Organised Crime Agency (SOCA). A SOCA official said she could not confirm or deny an investigation.

Amaya Ariztoy, general counsel for DLA, said the company examined the server in question today and found "viruses" on it. "We are conducting an investigation internally," Ariztoy said.

Forensic Analysis
Investigators will need to seize that master server for forensic analysis. It's often a race against the hackers, since if the server is still under their control, critical data could be erased that would help an investigation.

"It's a tedious process and you want to do it as quickly as possible," said Jose Nazario, manager of security research for Arbor Networks.

Data Logs Audit
Data such as log files, audit trails and uploaded files will be sought by investigators, Nazario said. "The holy grail you are looking for are pieces of forensics that reveal where the attacker connected from and when," he said.
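The evidence Nazario describes, which client connected, from where and when, can be pulled out of ordinary web-server access logs, and the three-minute polling mentioned above leaves a very regular pattern in them. The following added example (written for this post, not code from Bkis, Arbor Networks or any of the parties named) parses a constructed set of Apache-style log lines in Python, builds a first-seen/last-seen timeline per client and flags clients that fetch the same path at a near-constant interval. All addresses, paths and timestamps are constructed for the example.

```python
"""Triage of constructed web-server access logs for the evidence the
article says investigators want: which client connected, when, and
whether it was polling on a fixed schedule like a bot fetching orders.
Log lines, addresses and paths are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def client_timeline(lines: List[str]) -> Dict[str, dict]:
    """First and last connection time and request count for every client."""
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["ip"]].append(rec["ts"])
    return {ip: {"first_seen": min(t).isoformat(), "last_seen": max(t).isoformat(),
                 "count": len(t)} for ip, t in seen.items()}


def find_beacons(lines: List[str], min_requests: int = 4,
                 max_jitter_s: float = 5.0) -> Dict[str, dict]:
    """Group requests by (client, path) and flag clients whose requests to one
    path arrive at a near-constant interval, i.e. with low jitter."""
    per_client: Dict[tuple, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[(rec["ip"], rec["path"])].append(rec["ts"])

    beacons: Dict[str, dict] = {}
    for (ip, path), times in per_client.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons[ip] = {"path": path, "requests": len(times),
                           "interval_s": round(mean(gaps), 1),
                           "first_seen": times[0].isoformat(),
                           "last_seen": times[-1].isoformat()}
    return beacons


# Constructed log: 203.0.113.45 polls /orders.txt every three minutes,
# 198.51.100.7 browses normally and 192.0.2.9 hits one path at irregular times.
SAMPLE_LOG = [
    '203.0.113.45 - - [08/Jul/2009:10:00:01 +0000] "GET /orders.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [08/Jul/2009:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [08/Jul/2009:10:03:01 +0000] "GET /orders.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [08/Jul/2009:10:04:10 +0000] "GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jul/2009:10:05:12 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [08/Jul/2009:10:06:01 +0000] "GET /orders.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [08/Jul/2009:10:06:30 +0000] "GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is corrupt and will be skipped',
    '203.0.113.45 - - [08/Jul/2009:10:09:01 +0000] "GET /orders.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [08/Jul/2009:10:15:00 +0000] "GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [08/Jul/2009:10:12:01 +0000] "GET /orders.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [08/Jul/2009:10:15:20 +0000] "GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in client_timeline(SAMPLE_LOG).items():
        print(ip, info)
    print("beacons:", find_beacons(SAMPLE_LOG))
```

The jitter threshold is the knob that matters: bots that add random sleep to their polling need a looser threshold, which in turn raises false positives from legitimate periodic fetchers such as RSS readers, so in practice the flagged clients are a starting list for the log review, not a verdict.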

D-o-S MyDoom Variant
To conduct the attacks, the hackers modified a relatively old piece of malware called MyDoom, which first appeared in January 2004. MyDoom has e-mail worm characteristics and can also download other malware to a PC and be programmed to conduct denial-of-service attacks against Web sites.

The Evidence Trail
Analysis of the MyDoom variant used in the attacks suggests it isn't that impressive. "I still think the code is pretty sloppy, which I hope means they [the hackers] leave a good evidence trail," Nazario said.

Perpetrator Profile
It could also be that the perpetrator is very confident that they will not be found, is trying to hide in the pseudo-amateur world of the cyber geeks and cyber vandals, is unconcerned, or is immune from discovery.

Or maybe a virtual self-destructive personality is carrying out a non-fatal 'suicide' mission for reasons yet to be revealed.

Surf the Internet Freely and Safely: Care of Symantec

Everything you wanted to know about safety and security on the Internet but were afraid to ask!
Symantec has created a friendly, easy-to-use web page that provides basic information and advice on Internet and credit card security, among other topics.

Chinese Hackers Exploit Microsoft Internet Explorer Weakness!

Symantec, Sunbelt Software and SANS' Internet Storm Center (ISC) increased their threat level warnings yesterday, after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by Internet Explorer (IE) to display Excel spreadsheets.

There is no patch for the vulnerability, nor will Microsoft release one later today when it issues its July batch of patches.

Temporary Fixes
A temporary fix that sets the "kill bits" of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.

Threat Ranking
Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Ben Greenbaum, a senior researcher with Symantec security response.

Sunbelt Ranking raised
Sunbelt also bumped up its ranking, to high, the company noted today. "We just set the Sunbelt Threat Level to high since our researchers and at least two other major organizations have found in-the-wild exploit code," said Tom Kelchner, malware researcher with the Florida-based firm.

ISC at Condition Yellow
Meanwhile, the ISC went to condition Yellow after discovering numerous sites hosting attack code. The ISC reported both broad and targeted attacks using exploit code against the new zero-day. "[There was] a highly-targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML," said the ISC in a frequently-updated blog post. "This one was particularly nasty.... It was specifically crafted for the target, with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient."

China sites Compromised
Broader attacks are originating from compromised sites in China, the ISC added. "A .cn domain [is] using a heavily obfuscated version of the exploit, which may become an attack kit (think MPACK), and is similar to recent DirectShow attacks," said the center.

Unpatched Microsoft Bug
Last week, Microsoft confirmed that hackers were exploiting an unpatched bug in an ActiveX control that's part of DirectShow, a component of the DirectX graphics platform within Windows.

McAfee confirm attack code targeting
McAfee echoed the ISC late on Monday, confirming that attack code targeting yesterday's ActiveX bug has been added to a Web exploit toolkit and is being distributed from hijacked Chinese sites. The toolkit also contained attack code for last week's DirectShow vulnerability. Some computers in Spain, the U.K. and Germany also showed evidence of compromises, McAfee researcher Haowei Ren said in an entry to the company's security blog.

Early Days
Symantec's Greenbaum added that while his company is currently seeing only a small number of attacks ("It's not in the top 500 attacks," he said), this has the potential to get big, and big quickly. "It's the kind of attack that can be very easily hosted on a Web server, and meets all the criteria for large-scale attacks in the relatively near future," Greenbaum said.

The number and diversity of attacks will likely increase because working exploit code is publicly available, he said.

Microsoft Patch
Although Microsoft is working on a patch for the new vulnerability, it's unclear when it will be ready. Users will definitely not receive any automatic protection today, however.

"Unfortunately, the comprehensive update for this vulnerability is not quite ready for broad distribution," a company spokesman said yesterday afternoon. "We recommend that customers follow the automatic 'Fix It' workaround ... to help secure their environment against this vulnerability while we finish up development and testing of the comprehensive update."

Manually Steer Browser
Fix It requires users to manually steer their browser to Microsoft's support site and download, install and run the tool to disable the ActiveX control.

That means many users won't currently be protected. "Most users won't [manually] mitigate," agreed Greenbaum. The message is clear: don't be in this vulnerable group.
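Both the "kill bits" workaround mentioned earlier and the Fix It tool come down to the same registry change: a "Compatibility Flags" DWORD with the 0x400 bit set under Internet Explorer's "ActiveX Compatibility" key for the control's CLSID, which stops IE from instantiating it. Administrators who roll that out across many machines need a way to confirm it took. The following added example (written for this post, not Microsoft's Fix It code) audits a .reg export of that key in Python and produces a .reg fragment for any control still missing the bit. The CLSIDs in it are placeholders, not the identifiers of the Excel control discussed above.

```python
"""Audit ActiveX kill bits from a .reg export of Internet Explorer's
"ActiveX Compatibility" key. The kill bit is 0x400 in the
"Compatibility Flags" DWORD under that key, per control CLSID.
The CLSIDs and the export below are placeholders constructed for the example."""
import re
from typing import Dict, List

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy of this key,
# so a complete audit exports and checks both hives.

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def is_kill_bit_set(flags: int) -> bool:
    """True when the 0x400 bit is present, whatever other flags are set."""
    return bool(flags & KILL_BIT)


def parse_reg_export(text: str) -> Dict[str, int]:
    """Return {CLSID: Compatibility Flags} for every control under COMPAT_KEY.
    CLSIDs are normalised to upper case; keys outside COMPAT_KEY are ignored."""
    flags: Dict[str, int] = {}
    current = None
    prefix = (COMPAT_KEY + "\\").upper()
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").upper()
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        fm = FLAGS_RE.match(line)
        if fm and current:
            flags[current] = int(fm.group("hex"), 16)
    return flags


def audit_kill_bits(text: str, required: List[str]) -> Dict[str, List[str]]:
    """Split the required CLSIDs into those with the kill bit set and those
    without it (absent from the export counts as not set)."""
    flags = parse_reg_export(text)
    killed, missing = [], []
    for clsid in required:
        c = clsid.upper()
        (killed if is_kill_bit_set(flags.get(c, 0)) else missing).append(c)
    return {"killed": killed, "missing": missing}


def kill_bit_reg_text(clsids: List[str], existing: Dict[str, int]) -> str:
    """Produce a .reg fragment that sets the kill bit for each CLSID while
    preserving any flags the control already has (OR, not overwrite)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        c = clsid.upper()
        value = existing.get(c, 0) | KILL_BIT
        lines += [f"[{COMPAT_KEY}\\{c}]", f'"Compatibility Flags"=dword:{value:08x}', ""]
    return "\n".join(lines)


def read_live_flags(clsid: str) -> int:
    """Read the flags from the live registry (Windows only; 0 if absent)."""
    import winreg  # standard library on Windows, ImportError elsewhere
    sub_key = COMPAT_KEY.split("\\", 1)[1] + "\\" + clsid.upper()
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key) as k:
            return int(winreg.QueryValueEx(k, "Compatibility Flags")[0])
    except OSError:
        return 0


# Placeholder CLSIDs (not the real control's identifiers).
CLSID_A = "{11111111-2222-3333-4444-555555555555}"   # kill bit set in the export
CLSID_B = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"   # present, but flags are zero
CLSID_C = "{99999999-8888-7777-6666-555555555555}"   # absent from the export

# Constructed export, as "reg export" would write it (minus the UTF-16 BOM).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    result = audit_kill_bits(SAMPLE_REG, [CLSID_A, CLSID_B, CLSID_C])
    print(result)
    print(kill_bit_reg_text(result["missing"], parse_reg_export(SAMPLE_REG)))
```

The OR in kill_bit_reg_text matters: a control may already carry other compatibility flags, and overwriting them with a bare 0x400 would silently change unrelated behaviour. Running the audit against an export from each machine, rather than trusting that the tool was run, is the check that turns "most users won't mitigate" into a measurable number.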