Security Watch

DDoS Attacks Decline As Hackers Get Smart

Plus: Bad backups at Business 2.0; stopping e-shoppers at the shopping cart; brandjacking; more.

According to Symantec, DoS extortion attacks declined dramatically during the last six months of 2006. Symantec attributes this to the attacks no longer being profitable for the criminal. The criminal must "come above the radar" to mount the initial DoS attack, after which they demand payment. If payment is refused, the criminal must rise even further above the radar to make the attack devastating to the victim. Defenders' processes are now in better shape not only to thwart such attacks, but also to identify the network of bots performing the attack and possibly even the criminal behind them.

Symantec believes that spam-for-profit is where bot herders have moved as a safer -- and more lucrative -- criminal activity.

Following the money has been the easiest way to identify such criminals in the past, and it would seem to us that this is becoming even easier as time goes on. Ergo, whether or not the bots themselves are identified, if enough effort is put into following the money trail of any payment, the criminal should be caught.

It's worth noting that the methods used to track and catch bot criminals can be used against spammers. If a product is being touted in spam, then somehow, someone is reaping the benefits. Efforts have been underway to follow that money, too, albeit with somewhat less success than other efforts. In addition, a lot of spam is really phishing, where the benefit comes directly from the victim visiting the spammed site. In that case, following the money is not as direct as in other cases.

Business 2.0 Fails To Heed Own Tech Advice
The authors of Time's annual "101 Dumbest Moments in Business" list -- and the people who remind others that they need to do regular backups -- found themselves in somewhat of a dilemma. Their systems crashed and they lost the June issue of the magazine. (Read about it here.)

When they tried to retrieve their backups, they realized that the data had either never been backed up or that their backup servers weren't functioning properly. In any event, their only backups turned out to be in e-mails -- minus all the page formatting and artwork.

"Eat your own dog food" is an expression that means to practice what you preach. Not only were they not ensuring that their backups were being done correctly, but they totally failed to practice disaster recovery.

Korean Internet Shoppers Find Bargains
Symantec is reporting that an e-commerce Web site in Korea is requiring its customers to install a software package which, among other things, includes a driver that hides processes named with a specific naming format. Symantec has added detection for it as SecurityRisk.Cashmoa. (Read about it here and here.)

Presumably, the site wants to protect its customers' transactions, although no explanation has yet been offered for the functionality it's invoking. Malware could simply name itself using the format that Cashmoa hides and be concealed from the process list by that driver. However, the driver does not hide files, so the executable of any such malware would still be visible to file-based anti-virus scanning.

In any event, the use of so-called "legitimate" rootkit functionality is very hard to get right, no matter what the motivation behind it.
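A driver that hides processes by name filters the process list that user-mode enumeration sees, but it rarely filters every view at once. The standard check is a cross-view comparison: enumerate processes two independent ways and look at the difference. The script below is an added example written for this column; it is not Symantec's code and is not the Cashmoa driver. It assumes Linux and assumes the hiding technique filters only the /proc directory listing. The second view, probing every PID with kill(pid, 0), answers from the kernel's PID table instead of a directory listing. Linux also answers kill() for thread IDs that are never listed in /proc, so the example reads the task's Tgid to separate that benign case from a genuinely hidden process.

```python
"""Cross-view detection of hidden processes (added example, Linux only)."""
import os
from typing import Callable, Iterable, Set


def list_proc_pids() -> Set[int]:
    """View 1: PIDs that appear as numeric directories in a /proc listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """View 2: ask the kernel directly. Signal 0 performs the existence and
    permission checks without delivering a signal."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def probe_pids(max_pid: int, exists: Callable[[int], bool] = pid_exists) -> Set[int]:
    """Brute-force every PID from 1 to max_pid through the probe function."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(visible: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Tasks the kernel confirms exist but the enumeration view omits."""
    return set(probed) - set(visible)


def classify(pid: int) -> str:
    """Explain a discrepancy. /proc/<tid> is reachable even when <tid> is
    not listed, so a Tgid that differs from the PID means a thread (benign).
    A readable status with Tgid == pid means the task is a real process
    that was only removed from the directory listing. No status at all
    means the task is hidden from this view entirely."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    tgid = int(line.split()[1])
                    return "thread" if tgid != pid else "unlisted-process"
    except OSError:
        pass
    return "hidden"


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the probe; fall back to the historical default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    visible = list_proc_pids()
    probed = probe_pids(read_pid_max())
    for pid in sorted(hidden_pids(visible, probed)):
        kind = classify(pid)
        if kind != "thread":
            print(f"pid {pid}: {kind}")
```

Run it as root so that every PID is probed with full permissions; the output is normally empty on a clean host. The check only covers the process view, which is the point made above: because the driver leaves files alone, an on-disk scan of the hidden process's executable remains a second, independent detection path.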

Buzzword Monitor: Brandjacking, Kiting
Check out this article in BusinessWeek: according to MarkMonitor, a firm that purports to track brand name abuses on the Web, big-name companies each have, on average, more than 11,000 domain names in existence which infringe on their trademarks. MarkMonitor calls this "brandjacking."

Another tactic involves the ability to register a domain name without actually having to purchase it. Here, the criminals register a domain name for a free five-day period, and do so anonymously. When the five days are up, they do it again, and then again. This can make determining who should be sued or contacted by the trademark holder difficult. MarkMonitor refers to this process as "kiting."

The problems are with the domain registration process and the steps that a brand holder has to go through to recover domains which are legally theirs. This problem isn’t going to be solved soon, but EV-SSL certificates do help by giving customers something more than a domain name to determine a site's legitimacy.

This column was originally published in our weekly Security Watch newsletter.

Union Goes Dumpster Diving, Posts Evidence on YouTube
Members of the Service Employees International Union -- which represents security guards and janitors who work at Chase, and is currently in dispute over wages Chase pays -- shot video that shows unshredded sensitive documents pertaining to Chase customers in a trash bag outside a New York branch. The video was posted on YouTube with a warning to Chase customers that Chase wasn’t properly handling their sensitive information. (You can read the sordid details here.)

It's amazing that nobody seems to be drawing the link between who discovered what and the dispute Chase is facing with that union. Sensitive documents are supposed to be collected for disposal within the branch. They are collected whole, not shredded, and put into a locked container to be taken off site for shredding en masse. Who do we think carries the whole documents to that container? Probably the janitors, for the most part.

Not that we'd accuse them of illicit activity, but it’s not a stretch to imagine janitors, in dispute with their employers, not following company policy and pocketing the sensitive documents. It would then be trivial to put them in a bag, and then miraculously pull them out of a garbage can outside of a branch. If your dispute isn’t going in your favor, it might be a way to get yourself some leverage!

The video, and the comments posted with it, appear outwardly to be an attempt to extort Chase in its dispute with its union.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
