This Week in Cybercrime: Hackers Build Better Mousetraps

U.S. Military Wants Ability to Jump Air Gaps, Attack Isolated Systems

According to a 15 January report by Defense News, the U.S. Army is looking to create sophisticated new techniques in cyberwarfare that solve a problem created by a well-known moment of success. It is looking for a way to remotely penetrate the defenses of industrial control systems—even if they are supposedly isolated from the Internet by so-called air gaps. Stuxnet, a cyberwarfare tool unleashed by the United States and Israel, used multiple zero-day exploits to inject malicious code that caused centrifuges at Iran’s Natanz nuclear enrichment facility to spin out of control. But it wouldn’t have gotten in the door if someone hadn’t carried it in on a USB flash drive. In the wake of revelations about the cyberattack, operators of secure systems such as Natanz have stiffened their security. Among the new protocols are bans on connecting thumb drives and other external storage devices to ostensibly secure systems. So now the Pentagon is interested in new ways to infiltrate isolated computer systems without gaining physical access. Defense News cites sources familiar with the program who say that the Army’s Intelligence and Information Warfare Directorate (I2WD) met with representatives from about 60 organizations to start figuring out how to, for example, send malicious code through the air into an enemy facility from a van parked outside or a drone hovering far above. 

Pay Attention, Class

Speaking of security updates, administrators at an unnamed U.S.-based power plant clearly didn’t get the memo. The U.S. Computer Emergency Readiness Team (CERT) reported in a just-released quarterly report that the power generating facility was shut down after malware infiltrated its turbine control systems and engineering workstations. The agency, which is part of the U.S. Department of Homeland Security, wouldn’t reveal the name, location, or type of plant, but said that the malicious code was introduced by a contract employee using a USB drive to perform software updates. And get this: None of the computers were equipped with antivirus software. Why, you ask? The reasoning, at least until recently, was that because industrial control systems in such facilities aren’t connected to other networks, malware couldn’t get in.

The problem wasn’t discovered until the contractor noticed glitches in the operation of the USB drive. A cursory check by the IT staff at the power plant revealed that it was infected with two different types of malware. CERT says it removed the malicious code from the control systems and workstations and offered some recommendations for tightening security there. I imagine the first recommendation was: Get a clue.

Is Your Identity Worth Stealing?

According to an old saying, beggars can’t be choosers. But it seems that thieves have no such governing principles. A Security Week article reports the discovery of a new phishing technique that courts a preselected group of victims and doesn’t bother infecting the machines of people who are not on the so-called “bouncer list.” According to researchers at EMC’s RSA Security division, attackers begin with a list of email addresses and assign each person on the list a unique user ID. When someone stumbles upon the Web page hosting the malware, the site first checks to see if the person has been assigned an ID number. If so, the browser is directed to the phishing page; if not, the user is shown a “404 page not found” message. Being selective, say security experts, allows the perpetrators of such schemes to attack many “quality” victims without setting off the alarms that would be triggered by casting a wide net. The RSA researchers say each of these schemes typically targeted 3000 people. “Obviously quality data fetches a higher price in the underground,” Daniel Cohen, RSA’s head of business for online threats, told Security Week. He added that these attacks are most likely the work of someone looking to sell the information for profit rather than an illicit end user.
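The gating behavior described above also explains why an automated link scanner that drops the per-victim ID sees only a harmless 404. The following is an added example (not RSA's tooling or anything from the article) of a heuristic a URL scanner could apply: fetch the reported link as-is, with the ID parameter removed, and with it altered, and flag the site when the response depends on the ID. The `fetch` callable, the `uid` parameter name and the stand-in gated server are all constructed for this example.

```python
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)

def rewrite_query(url: str, drop=frozenset(), set_to: Dict[str, str] = None) -> str:
    """Return url with some query parameters removed or overridden."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for k in drop:
        params.pop(k, None)
    params.update(set_to or {})
    return urlunparse(parts._replace(query=urlencode(params)))

def check_gating(url: str, id_param: str, fetch: Fetcher) -> dict:
    """Flag a link as 'bouncer list' gated when only the reported ID yields content."""
    variants = {
        "as_reported": url,
        "id_removed": rewrite_query(url, drop={id_param}),
        "id_altered": rewrite_query(url, set_to={id_param: "0"}),
    }
    statuses = {name: fetch(u)[0] for name, u in variants.items()}
    gated = (statuses["as_reported"] == 200
             and statuses["id_removed"] == 404
             and statuses["id_altered"] == 404)
    return {"gated": gated, "statuses": statuses}

# Constructed offline stand-in for a gated kit: IDs on the list get the page, others a 404.
BOUNCER_LIST = {"a1b2c3", "d4e5f6"}  # constructed sample IDs, not real indicators

def fake_gated_site(url: str) -> Tuple[int, str]:
    uid = parse_qs(urlparse(url).query).get("uid", [""])[0]
    if uid in BOUNCER_LIST:
        return 200, "<form action='/submit'>Sign in to your bank</form>"
    return 404, "404 page not found"

def fake_open_site(url: str) -> Tuple[int, str]:
    """Constructed stand-in for an ordinary site that ignores the parameter."""
    return 200, "<h1>Hello</h1>"

if __name__ == "__main__":
    print(check_gating("http://phish.invalid/login.php?uid=a1b2c3", "uid", fake_gated_site))
    print(check_gating("http://benign.invalid/index.html?uid=a1b2c3", "uid", fake_open_site))
```

A real scanner would replace the two stand-in fetchers with an HTTP client and should also keep the original recipient's ID out of shared reports, since the kit treats it as the key to the page.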

Malware Comes Calling Via Skype

As if phishing schemes and other come-ons weren’t leading to enough online havoc, CSIS Security Group, a Denmark-based IT security firm, has reported in a blog post that Shylock, a malware program designed to steal credentials for online banking accounts, has been armed with a new propagation method. A new plug-in added to the program this week allows it to send messages and files through Skype, then cover its tracks by deleting them from Skype’s history folder. Adding to the plug-in’s stealth is its ability to get in and out without triggering the warning and confirmation request that a user normally sees when a third-party program tries to connect to Skype. Researchers already knew that Shylock could copy itself to removable drives and local network shares.

Observers suspect that the move to use Skype as a transmission mechanism is related to Microsoft’s announcement that it plans to scrap its MSN Messenger service on 15 March. Microsoft advised users to switch to Skype. Also important, from the cybercrook’s perspective, is the ability to use Skype to reach any point on the globe instead of being mostly limited to small regions because users of infected machines tended to connect with a limited circle of friends.

Hacker Prosecutors Face Scrutiny

On 11 January, Internet pioneer and activist Aaron Swartz committed suicide at age 26. He was facing the prospect of a 35-year prison sentence if convicted of violating the United States’ federal Computer Fraud and Abuse Act (CFAA). In the wake of Swartz’s death, the prosecutors in the case—and MIT, whose systems Swartz used to pull off the misappropriation of thousands of subscription-based scholarly papers—have been tried in the court of public opinion. Swartz supporters and other observers say the potential punishment did not fit the crime.

In a petition on the White House's website started on 14 January, some legal experts indicated their desire to see the government initiate a review of the CFAA that would result in a more nuanced application of the 1986 law. The statute “makes it illegal to knowingly access a computer without authorization, to exceed authorized use of a system, or to access information valued at more than $5,000.” But the petitioners note that the law was originally intended to bring the hammer down on hackers aiming to steal for personal gain or to sabotage systems. Neither of those motives was behind Swartz’s caper, they point out. "The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," the Electronic Frontier Foundation (EFF) said in a 14 January blog post. Hanni Fakhoury, staff attorney at EFF, told Computerworld that “Over the years, creative prosecutors have taken advantage of the law and applied it to situations that it was never meant to tackle.” 

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones