The Register has an interesting piece analysing how cybercrime botnets are connected and why they seem impervious to outside attack. The botnets are programmed to reconfigure themselves if an upstream provider goes down, and each is strongly interconnected with the others, which creates a great deal of redundancy:
“What they’ve worked really hard to do for themselves is build a spiderweb of connections to the outer ring if the outer ring were the internet at large,” Sean Brady, manager of RSA’s identity protection and verification group, told The Register. “As you start picking off threads, they work to reroute, to crawl along different threads.”

Needless to say, this redundancy is pretty attractive to botnet controllers (who typically seem to buy or lease access from malware creators). What’s really interesting, though, is that it turns out all the major botnets rely on about nine commercial ISPs, which are legitimate businesses. Take those ISPs offline, or require them to block botnet communications, and it will be much harder for botnet operators to re-establish contact with infected computers once the command and control link is severed (as recently happened with the Zeus botnet). This raises a very interesting legal question about whether those ISPs are, or should be, obliged to block that access.
According to Iranian news reports, Iranian intelligence forces have hacked into 29 human rights activism websites which they allege are a front for US espionage and intelligence agencies. The attack follows the finding of an Iranian domestic court that the websites were developed to spy on Iran’s nuclear programme, and for the purpose of ‘provoking sedition and illegal demonstrations and rallies through releasing unreal and unfounded news and reports after the June presidential elections … providing media and news support for the Jundollah terrorist group and the monarchist opposition groups.’ Apparently, the network also distributed American anti-censorship software.
Update: Following the attacks, Iranian security forces arrested dozens of people accused of being involved in the websites’ operation. However, Western media tells a very different story, with The Tech Herald now reporting that those arrested in the operation:
were tortured for their access to the various websites, and as such the sites were taken down by physical violence, and not hacking. They have 30 members of our group held hostage, including the sister of one of our members, who has nothing to do with this matter. Each of the 30 hostages is a human rights activist and nothing more. …
A report produced by the US–China Economic and Security Review Commission suggests that malicious attacks on United States military computer systems increased by 20 per cent in 2008, a figure that is projected to grow by 60 per cent in 2009. Experts attributed much of the increase to attacks originating in China:
“A large body of both circumstantial and forensic evidence strongly indicates Chinese state involvement in such activities,” the commission said in its 367-page report to Congress.
“China’s peacetime computer exploitation efforts are primarily focused on intelligence collection against US targets and Chinese dissident groups abroad.”
“China is changing the way that espionage is being done,” said Carolyn Bartholomew, who chaired the commission.
The report offers an alarming, though perhaps premature, conclusion:
China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.
A number of news agencies are reporting that Daniel Goncalves, a 25-year-old law firm technician, is being prosecuted for the ‘theft’ of the domain name P2P.com:

Attorney Paul Keating told DNN that most cases of domain theft recovery that he has dealt with have been complicated at best. The real problem stems from the fact that domain names aren’t considered property. “The laws do not specifically identify domains as property. That has been the subject of various court decisions. Not all courts have issued consistent decisions. For example, bankruptcy courts have no difficulty treating domains as property. The IRS treats domains as a form of intellectual property and allows amortization along the lines of a trademark though over a shorter period,” Keating said. Further complications come into play when we look at the rulings in different states. “California is believed to treat them as property after the Sex.com case but that was a federal decision interpreting California law. The Eastern District of Virginia (where the Verisign registry is headquartered) clearly holds domains to be the subject of a license and thus not property. I have been involved in various state-level cases seeking recovery of stolen names or trying to specifically enforce a domain purchase agreement in California and the courts have always honored the claim.”
According to The Age, a fellow University of Melbourne alumnus has been convicted of three counts of commercial copyright infringement and fined $20 000 for running a duplication lab in (wait for it) his mother’s basement:
Jeffrey Lim, 28, converted the ground floor of his parents’ Doncaster home into a work office that held six hard drives, a computer flat screen, three printers, three DVD burners, three computer towers, four scanners and various printer cartridges.
Hmm, sounds like my living room, sans the printers. Lim apparently sold various console games for $4 each using an online mail order website. Ms Tickey for the Crown relied on a tipoff from a PwC investigator and evidence from a police raid of the premises:
The man, who deposited $714 in to Lim’s account, later found that none of the 138 Playstation2 games he received displayed any genuine features.
Gosh, how unexpected! $5 games turn out not to be originals. Unsurprisingly, Lim pleaded guilty. Mr Simpson for the defence argued in mitigation that the piracy business emerged after ‘repeated but failed attempts’ to gain employment in the computer industry. Guess a Melbourne BSc isn’t what it used to be.
This week’s high-tech crime is a new twist on an old favourite: securities fraud. It recently emerged that one of India’s largest outsourcing firms, Satyam Computer, had ‘overestimated’ its cash reserves and asset values by around 50 billion rupees (AUD $1.38bn). According to the company founder and chairman, this was ‘purely on account of inflated profit over a period of several years’. The fraud came to light when a recent asset acquisition fell through, forcing the company to acknowledge the ‘attempt to fill fictitious assets with real ones.’ According to a taped confession to Indian police by the chief financial officer:

Srinivas said he suspected that something was wrong when the company was late with bills, but Satyam’s chairman and managing director forbade him from using fixed deposits to pay them. He was told to “manage” the bills with operational cash instead, he said. That situation occurred continuously for the past five or six years, he said. …
Srinivas said he believed the company’s fixed deposits were “unreal” and “managed” and that they were a result of an “understanding” between management and the “audit section.”
Price Waterhouse, the Indian division of PricewaterhouseCoopers, was the external auditor for Satyam. The firm has come under fire since the Satyam fraud came to light: India’s accounting board is investigating Price Waterhouse’s work on Satyam, and investors in the computer company are considering lawsuits against the auditor.
The Israeli Defence Force (IDF) has reportedly hacked into a Hamas television station as part of an ongoing information war in Gaza. According to local media reports, the IDF took over the Al-Aqsa television station last weekend, and is using it to broadcast pro-Israeli military propaganda, including:
an animated clip of Hamas’ leadership being gunned down. “Time is running out,” the clip warned, in Arabic.
The day before, AFP reports, a “broadcast on Al-Aqsa television was interrupted with an image of a ringing phone that no one was answering.” ‘Hamas leaders are hiding and they are leaving you on the front line,’ a voice in “Hebrew-accented Arabic” said. Similar messages were sent out on Al-Aqsa radio, as well.
The Al-Aqsa station was probably chosen because of its previous association with anti-Semitic children’s cartoons. The station itself was also targeted and destroyed during aerial strikes last week.
It should come as no surprise that 2008 was an eventful year for online security pundits. Record instances of data breaches, identity theft, vulnerability disclosures and hotfixes were seen throughout the year. Both state and non-state actors were involved — on the public side, cyberwar in Georgia and alleged Chinese cyber-espionage; in the private sector, new low-level DNS exploits, SSL flaws and routing bugs were uncovered.
In a series of posts, I summarise the eight top cybersecurity issues for 2008 and their likely outcome in 2009, beginning with data security.
The president of Platte River Associates, a United States software development company, has pleaded guilty to charges of hacking into a competitor’s website and copying commercially sensitive files. The company develops specialist petroleum exploration software, and the target of the cyber-espionage was Zetaware, one of its chief competitors. It all smells rather suspect: the executive, a Mr Leonard, admitted to accessing a password-protected area of Zetaware’s website using a password he had been given, and then copying the files from an anonymous wireless hotspot in a Houston airport. When he mentioned the files in a Platte River staff meeting the following week, word leaked back to Zetaware and subsequently to the police. Leonard was sentenced to 12 months’ probation and a fine of USD $100 000.
One has to wonder about this case. Why were ‘sensitive documents’ left in an unencrypted format on a corporate website, protected only by a simple and widely-known password? How did Leonard happen upon the password? Perhaps there were information conduits on both sides: how else did word get back to Zetaware? Injury aside, is it possible Zetaware had a commercial motive of its own for ensuring Leonard was prosecuted? Although it’s unclear from the news reports whether the conviction was recorded under an anti-hacking or an unfair competition statute, either avenue was potentially available to prosecutors. This is interesting because it reflects a growing overlap between subject-specific cybercrime legislation and generic norms of criminal conduct. The case is also a timely reminder to businesses of why private documents should never be entrusted to a public web server, whether or not they sit behind an .htaccess password prompt: a single shared password cannot be revoked for one person without changing it for everyone, and a fetch made with it from an anonymous hotspot leaves nothing in the access log that identifies who took the files.
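To make that point concrete, here is an added illustration in Apache configuration terms. It is not taken from the original post or the news reports, and it is not Zetaware’s actual set-up; the directory paths, realm name, htpasswd locations, log file and user names are all hypothetical. The first fragment is the kind of ‘password-protected area’ the case describes; the second is the minimum a practitioner would insist on if the files had to stay on the web server at all (Apache 2.4 directives).

```apache
# --- Weak: a shared-password "protected area" on a public web server ---
# Hypothetical .htaccess in /var/www/html/partners/ (all names are assumptions).
AuthType Basic
AuthName "Partner Downloads"
AuthUserFile /var/www/.htpasswd     # holds one shared account, e.g. "partner"
Require valid-user
# Why this is weak: Basic auth sends the password base64-encoded on every request,
# so over plain HTTP anyone on the same network (an airport hotspot, say) can read
# it; one shared password cannot be revoked for a single person; and the access log
# records only "partner" plus the hotspot's IP address, which identifies nobody.

# --- Hardened: if the files must stay on the web server at all ---
# Hypothetical vhost/httpd.conf fragment; server-level rather than .htaccess so a
# per-directory file cannot quietly override it.
<Directory "/var/www/html/partners">
    # Refuse the directory over plain HTTP; credentials only ever travel under TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "Partner Downloads"
    # One account per person, stored outside the document root with bcrypt hashes:
    #   htpasswd -B -c /etc/httpd/partners.htpasswd alice
    AuthUserFile /etc/httpd/partners.htpasswd
    # Name the people allowed rather than "anyone with a valid login"; deleting a
    # name here revokes that person without touching anyone else's password.
    Require user alice bob
</Directory>
# Log every fetch with the authenticated user (%u), so a later leak can be traced to
# an account rather than to an anonymous hotspot address. (LogFormat/CustomLog are
# server or vhost directives, which is why they sit outside <Directory>.)
LogFormat "%h %u %t \"%r\" %>s %b" partners
CustomLog /var/log/httpd/partners_access.log partners
```

Even the hardened form only attributes access; it does not stop an authorised user from copying what they can read, which is why the post’s advice to keep such documents off the public server in the first place still stands.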
To combat deforestation of the Amazon rainforest, the Brazilian state of Pará has been using computer technology to administer a system of forestry permits. Unfortunately, the system has led to widespread abuse by logging companies that have allegedly hired hackers to issue fake permits:
Companies logging the rainforest for timber or charcoal production are only allowed to fell a certain amount of timber every year and this is controlled by the use of transport permits issued by the … computer system. … each shipment of timber requires one of these transport permits, and the volume of timber in each shipment is deducted from the total amount allowed under the company’s forest management plan. Once that amount is reduced to zero, no more transport permits are issued so there’s no profit in felling more trees.
At least, that’s what’s supposed to happen but today the public prosecutor will release details of how hackers employed by 107 logging and charcoal companies have compromised the system, falsifying the online records to increase the timber transport allocations for certain areas of the forest.
The government is seeking a US$833 million fine for the contraventions. A Greenpeace worker noted that “this method of controlling the transport of timber was subject to fraud,” and that “this is only the tip of the iceberg, because the same computer system is also used in two other Brazilian states.” It is unclear when the authorities plan to fix the security holes in this deeply flawed permit administration system.