Spyware for Corporate Espionage
therufus writes "Late in July, an e-mail that hit employee in-boxes at a British credit card and finance company carried a secret payload--spyware capable of recording confidential corporate data and sending it over the Net."
Nothing new... (Score:5, Funny)
Valve? (Score:2)
Here is an idea. (Score:3, Insightful)
Re:Here is an idea. (Score:5, Insightful)
That line of defense fails when only 1 person forgets this fact (or as a permutation of the following) and the "virus/worm" spreads itself by having the from address of the newly infected person. Plus, it doesn't take a lot of effort to find out who the IT or some other higher up in a company is and use their name as the sender of the email.
BS !! (Score:5, Insightful)
Don't open Emails that you have no clue who they came from. This is just common sense
Come on, grow up, we're no longer 6 years old and there is no good reason why we should be forced to live in fear of our e-mails !!
If an e-mail can do all kinds of bad stuff to your computer, it is the fault of the one who wrote the e-mail software, period.
Don't try to blame the victim because he was simply using the software for what it is supposed to do ...
Re: BS !! (Score:2, Insightful)
You can't control virus writers. You can't prevent unknown parties from targeting your network.
You can, however, institute safeguards on your network. You can use an email client which is a well-known vector for worms. You can make it impossible for your users to accidentally execute an email worm. These things are under your control.
Not that any of these thin
Re:Here is an idea. (Score:3, Interesting)
Re:Here is an idea. (Score:2)
Except that most Outlook users use the "Preview Pane" feature, which means all the scripts/"tracking images" get executed as soon as you click on the message and it shows up in that Preview Pane. Since you can't delete the message without clicking, it's a catch-22.
For this reason, we're moving away from Outlook, and also purchasing Adaware Pro licenses for our workstations. We are a financial institution and having so
Re:Here is an idea. (Score:2)
Not that you shouldn't move away from Outlook, it's just that your reasoning is lame and contrived.
I call bullshit. (Score:2)
I need to read mails from unknown people, because those are... my new customers!
How about remove Outlook and Internet Explorer instead and installing a secure email infrastructure. I have never ever, not even once, felt the need to not open an email because it might be insecure.
Advocating not opening emails is even worse than running exploitware from Microsoft in the first place.
Re:Here is an idea. (Score:2)
Common sense? Not as common as you think. (Score:2)
I tried to e-mail to you, but I didn't get a reply...<bud-dum-dum> Thanks, I'm here all week.
For a while now, almost every e-mail worm sends out e-mail to addresses found in the victim's address book. In other words, a huge amount of viruses and worms are, or appear to be, coming from people that you know and trust.
Short of reviewing the Received: headers on every e-mail, you really have no clue who they cam
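Since the reply above stops at "review the Received: headers", here is what that review looks like in code. This is an added example, not code from the original post: the two messages are constructed, the relay names (mail.corp.example, mx.corp.example) and the corp.example domain are assumptions, and the one rule it relies on is that only the hop written by one of your own relays can be trusted, because everything below it in the chain is supplied by the sender and can be forged (a worm can add fake Received: lines just as easily as a fake From:).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the original post). From: claims to be
# internal IT, but the hop our own MX recorded shows a dial-up host handing
# the message in from outside.
SAMPLE_MESSAGE = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
    by mail.corp.example with ESMTP id A1; Thu, 21 Aug 2003 09:12:01 +0100
Received: from corp.example (dialup-77.isp.example [198.51.100.77])
    by mx.corp.example with SMTP id A2; Thu, 21 Aug 2003 09:11:58 +0100
From: "IT Support" <it-support@corp.example>
To: victim@corp.example
Subject: Important security update

Please run the attached update.
"""

# The same message with an extra Received: line the sender forged underneath
# ours, claiming the mail started on an internal laptop.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    "From: ",
    "Received: from ceo-laptop.corp.example (ceo-laptop.corp.example [192.0.2.50])\n"
    "    by mx.corp.example with SMTP id A0; Thu, 21 Aug 2003 09:11:50 +0100\n"
    "From: ",
    1,
)

# Hosts we operate (assumption). Only a Received: line one of these wrote can
# be trusted, and within it only the part in parentheses (reverse DNS and IP)
# was written by the receiver; the name after "from" is the sender's HELO.
OUR_RELAYS = {"mail.corp.example", "mx.corp.example"}

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Hops newest-first as (helo_name, reverse_dns_and_ip, receiving_host)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), (m.group(2) or "").strip(), m.group(3)))
    return hops


def entry_hop(raw, relays=OUR_RELAYS):
    """The hop where the message crossed into our relays, walking newest-first.
    Stopping at the first foreign sender means forged lines further down the
    chain are never consulted."""
    for helo, rdns, by in received_chain(raw):
        if by not in relays:
            return None  # a foreign receiver above our border: chain is not ours
        sender = rdns.split()[0] if rdns else helo
        if sender not in relays:
            return helo, rdns, by
    return None


def from_is_suspicious(raw, domain, relays=OUR_RELAYS):
    """True when From: claims our domain but the message was handed to our
    border relay by a host outside it (or the chain cannot be verified)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != domain and not from_domain.endswith("." + domain):
        return False
    hop = entry_hop(raw, relays)
    if hop is None:
        return True
    sender = hop[1].split()[0] if hop[1] else hop[0]
    return sender != domain and not sender.endswith("." + domain)
```

The check is only as good as the reverse-DNS your own MX writes into that line, so on a gateway you would compare the IP in brackets against your address ranges rather than the host name; the structure stays the same.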
Re:Here is an idea. (Score:2)
Lesse, from my mail filtering rules,
allow \.t?gz$
allow \.bz2$
allow \.sit\.bin$
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$
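Those rules are easy to reason about one at a time and harder to reason about as a set, so here they are wired into a small evaluator that applies them in the posted order (first match decides, no match means allow) against a constructed list of attachment names. This is an added example, not code from the post; the filenames are made up. Two things the test cases bring out: the patterns are lowercase-only, so Report.DOC.EXE slips through unless you match case-insensitively, and a plain report.exe is never caught, because the deny rule only looks for double extensions.

```python
import re

# The rule set from the post above, evaluated in order; first match decides,
# no match means the attachment is allowed.
RULES = [
    ("allow", r"\.t?gz$"),
    ("allow", r"\.bz2$"),
    ("allow", r"\.sit\.bin$"),
    ("allow", r"(\.[a-z0-9]{3})\1$"),                      # blah.zip.zip
    ("deny",  r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"),   # any other double extension
]

# Constructed attachment names for the demonstration (not from the post).
SAMPLE_NAMES = [
    "blah.zip.zip",
    "report.doc.exe",
    "photo.jpg     .exe",
    "backup.tar.gz",
    "Report.DOC.EXE",
    "report.exe",
]


def verdict(filename, rules=RULES, ignore_case=False):
    """Return (action, matching pattern or None) for one attachment name."""
    flags = re.IGNORECASE if ignore_case else 0
    for action, pattern in rules:
        if re.search(pattern, filename, flags):
            return action, pattern
    return "allow", None


def screen(filenames, **kw):
    """Split attachment names into (allowed, denied) under the rule set."""
    allowed, denied = [], []
    for name in filenames:
        (denied if verdict(name, **kw)[0] == "deny" else allowed).append(name)
    return allowed, denied
```

screen(SAMPLE_NAMES) denies report.doc.exe and the padded photo.jpg .exe but lets Report.DOC.EXE and report.exe through; screen(SAMPLE_NAMES, ignore_case=True) closes the first gap, and only an extension blocklist or a content check closes the second.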
Here's our nightmare scenario in the military.... (Score:5, Interesting)
It's going to happen. Here's why it's troublesome and mod me down if you must but our operation has a blind allegiance to Redmond and the IM folks are not particularly bright. We have had network problems in the past. China has opted to bet the farm on Linux after seeing the Windows Source Code.
As one of the few Linux developers here, I fear a nightmare is coming. I would really welcome any ideas that anyone has about how we combat this or put our minds at ease.
Redmond related flames go to
Re:Here's our nightmare scenario in the military.. (Score:2, Insightful)
Re:Here's our nightmare scenario in the military.. (Score:3, Insightful)
Otherwise some administrator browses through someone's machine two months later, trying to figure out why it's so slow, and says "oh, shit..." - and then security clamps down like a {pick useful crude metaphor here}. It's far easier to slip in when no one's the wiser.
Re:Here's our nightmare scenario in the military.. (Score:2, Insightful)
What would be scarier to you if you were in charge of machines with valuable data on them - a warning that said there was a potential breach, and check here, here and here to see if you were affected, or a warning that said there was a potential breach, howeve
Re:Here's our nightmare scenario in the military.. (Score:3, Interesting)
Well we know that a lot of these get around even secured networks because of the users. However, in most of these networks there is a competent admin who runs a firewall, but can't run ad-aware on every machine constantly (and if that were feasible, damage might already be done in one user session).
So here's my idea, which maybe is a
Re:Here's our nightmare scenario in the military.. (Score:2)
Re:Here's our nightmare scenario in the military.. (Score:5, Insightful)
I think that China chose Linux not because of the Windows source code but because Windows is the product of an American company.
But maybe I'm wrong.
Re:Here's our nightmare scenario in the military.. (Score:4, Informative)
And if you're not talking about siprnet, then that machine/person/network just really isn't important enough to worry about - from a national security perspective.
Re:Here's our nightmare scenario in the military.. (Score:2)
Re:Here's our nightmare scenario in the military.. (Score:2)
Re:Here's our nightmare scenario in the military.. (Score:2)
Re:Here's our nightmare scenario in the military.. (Score:2)
Siprnet is rather closely watched, computers are audited for unauthorized applications, people get in serious trouble for installing unauthorized software on a secure network machine. It isn't connected to the internet. Ever.
You sir, are either ignorant or full of it. Not only is SIPRNET connected to the regular net, so are other more highly classified networks. Don't believe me? Go ask anyone that has worked in a SCIF for more than a year how many times their MS systems (on the "secure" network) have
what about SCADA? (Score:2)
offtopic wrt main topic but, what about SCADA [pbs.org] attacks?
PBS did an excellent show on CyberWarfare [pbs.org] highlighting that it's the points of weakness where attacks are most likely to occur. Milnet [ic.ac.uk], siprnet, etc may be secured but could any *western* city be without power for a period of 6 months? Think asymmetric [af.mil] not conventional and you can appreciate how real such threats are taken [pbs.org].
Re:Here's our nightmare scenario in the military.. (Score:3, Insightful)
Even worse, maybe China never intended to use Windows but just wanted the source so that they might discover more vulnerabilities.
Re:Here's our nightmare scenario in the military.. (Score:3, Insightful)
Priceless... (Score:3, Funny)
Bulk emailing said program: $35
Obtaining thousands of credit card numbers: Priceless
Stop Spyware at the Source (Score:4, Insightful)
Once again, the main technical problem lies with Windows. Spyware is just another form of malware, which takes advantage of defects in the operating system to gain access.
I would hope that the Consortium Of Anti-Spyware Technology Vendors would promote Linux, Mac and other operating systems that are better equipped to rebuff malware attacks.
Re:Stop Spyware at the Source (Score:3, Insightful)
Love the double standard. LOVE IT.
Re:Stop Spyware at the Source (Score:3, Informative)
Sorry, but I don't see the connection that you are trying to make between these two situations. The closest I can get is that some Microsoft products have subsurface design flaws that create opportunities for lawbreakers, while Kazaa is openly designed to offer opportunities to circumvent some laws in addition to other lawful uses. But I can't tie these sepa
Re:Stop Spyware at the Source (Score:3, Interesting)
Re:Stop Spyware at the Source (Score:2, Insightful)
If Kazaa started infecting people with viral code (outside of the spyware we all *know* it ships with) and people turned a blind eye, *then* there'd be a double standard.
-HubCity
Security, or Intellectual Property, you pick. (Score:3, Informative)
In the security context, Kazaa is actually much more to blame than Microsoft. Kazaa installs New.Net and other intrusive applications that compromise the privacy of their users. It is true that Microsoft Media Player and Windows Update also collect data on the habits of the userbase, but AFAIK their software isn't quite so intrusive.
In the context of preserving intellectual property, Kazaa is to blame to some extent, but perhaps less so than Microsoft, Cisco, the phone companies and other infrastructure p
Re:Stop Spyware at the Source (Score:2)
Kazaa functions as intended. This saves their users money.
Microsoft software does not. This costs their users money.
See the difference?
To put it another way...
Funny. Ford is to blame for gasoline explosions, but screwdrivers, et al. aren't the problem when it comes to hotwiring.
-1 Overrated (Score:2)
The record companies have always been losing money to organized piracy rings. The only reason they're coming down so hard in the US and soon in Europe is because they managed to legislate themselves something other than civil remedies.
Oh, an
Re:Stop Spyware at the Source (Score:2)
Now, with Kazaa, whatever you want to share, is your business. As far as I know, it doesn't have any unintended side effects. (Except the spyware it comes with, but that's a different story.)
Anyway, I fail to see why this is a double standard, and why this post is +5 insightful.
Re:Stop Spyware at the Source (Score:2)
Kazaa allows people to knowingly
Re:Stop Spyware at the Source (Score:2)
Maybe I'm being overly cynical here, but would it not make much more sense for them to promote platforms where spyware is a problem? After all, it's the classical problem of any organization with an agenda: if the problem goes away, they become irrelevant themselves...
Re:Stop Spyware at the Source (Score:2)
True, but it's really not limited to them. Thus, if you install mozilla, it comes with java and javascript enabled by default. These may be a lot more secure than MS's scripting schemes, but they are channels for software that you might not want installed.
We really need education to help people understand why it's never a good idea to let software download code and run it automatically. Any scripting facility should be turned off. It should be of
Re:Definitions of terms (Score:2)
Strong Policy Required (Score:3, Interesting)
We also frown upon expedient use of inter-office e-mail for non-productive purposes. We found that the best way to rationalize our procedures is to make the frequent example of an employee who refuses to follow the rules.
Another point where we emphasize data security is in the discardation process of obsolete hardware. We make sure that any media has been de-magnetized (in case of floppies and CDs), exposed to ultraviolet light in case of Hard disk drives, or combusted for tape media.
So far our security record has been 100% according to our internal auditing firm.
Which is nice.
Re:Strong Policy Required (Score:3, Insightful)
Re:Strong Policy Required (Score:2)
We make sure that any media has been de-magnetized (in case of floppies and CDs)
De-magnetized CDs. That'll help.
Ah... D'Oh. (Score:2)
Re:Strong Policy Required (Score:4, Funny)
Your password is ji5ppii9
Your desktop wallpaper is that of a large blonde woman and 3 kids.
You spend 4 hours a day at slashdot.org, 2+ at espn.com and an hour at goatse.cx
The most used applications on your computer are SOL.EXE, IEXPLORE.EXE and MSWORD.EXE
You chronically respond to "Lenghten The Size Of Your Weed" and "See Her Naked" spam e-mails.
Your internal auditing firm is 100% useless.
Re:Strong Policy Required (Score:3, Interesting)
There was a myth busting style show on cable last mo
Re:Strong Policy Required (Score:2)
Wow, so you guys are doing absolutely nothing to a HDD then.....
hard drives write MAGNETICALLY. Ultraviolet light will do absolutely nothing, especially if you don't open the drive.
solution? wrap the drive in a degauss coil and leave it on for an hour, then put the drive in a drill press and drill 4-5 holes in through the platter.
unless they are the NSA or other government agency, they won't get your data.
Re:Strong Policy Required (Score:2)
Re:Strong Policy Required (Score:2)
also UV on a CD is also stupid. Put the thing in a CD crosscut shredder, cheaper, better and you have a known destructability.
Re:Strong Policy Required (Score:2)
So, you pay your cleaners more than minimum wage?
It's amazing what people can do with the passwords written on yellow sticky tape stuck to the bottom of your keyboard.. Or a keyghost [keyghost.com] for that matter.. Or even just having their kid hook up a wireless AP to your secure LAN hidden under a desk on bring-your-kid-to-work-day..
Good.... (Score:3, Interesting)
And it has to be more than the USA that makes these laws, we need Asia and Europe to follow and nail these people.
Sneaks (Score:4, Interesting)
My guess is that while we keep putting energy toward blocking spyware, and detecting it, the same energy is being put toward inventing it. Is this a battle between good and evil? It would seem so.
Generally, I run anti-spyware programs on a frequent basis, but is it enough? Likely not. A watchdog organization, at the governmental level, is required, not just a committee. Committees come and go, but their findings should go toward an ethical standards legal department, or some kind of funded watchdog that has a declaration of what an ethical software package is, and what crosses the line. Penalties involving more than fines are in order, too, or you get people who just want to break even or make some dough, but are willing to risk fines. Espionage is illegal. Maybe that law applies, but IANAL...
Re:Sneaks (Score:3, Insightful)
Re:Sneaks (Score:2)
Is anyone surprised? (Score:4, Insightful)
Re: (Score:3, Insightful)
Questions... (Score:5, Insightful)
Re:Questions... (Score:2)
1) If their CV looks "impressive" e.g. qualifications count more than experience
2) If they can bluff their way through an interview
3) If they have no clue whatsoever to do the job they're appointed to
In answer to your questions:-
1) A lazy or clueless sysadmin
2) See above answer
3) See above answer
4) Ha ha ha - most companies here aren't even running firewalls - the reason the firewall doesn't block outbound traffi
Re:Questions... (Score:2)
And this is different to anywhere else?
Re:Questions... (Score:2)
a) minimal
b) usually things nobody will ever use in their job unless they become teachers
c) taught by teachers who have a lower grasp of the subject than some of their students
d) computer courses are taken by people not interested in computers - but because they think it'll look good on their CV & they'll earn more money
e) was seen for a very long time as a "technical subject" and therefore received less attention than core National curriculum subjects & oth
Re:Questions... (Score:2)
Most places that have developers for one. Not saying this is right, but is almost always the case. And no, developers aren't that much smarter than the general population when it comes to not installing/executing things that maybe they shouldn't.
Which genius allows unrestricted access to confidential corporate data to its users
But if the
Re:Questions... (Score:5, Insightful)
The sys-admin who is told by the CEO to remove the e-mail blocks, because someone wants to e-mail him a self-extracting zip file (.exe).
What kind of idiot sys-admin would allow the corporate users to run their PCs with admin privileges, so that any unwanted junk s/w be installed on their PCs ?
The sys-admin who gets in trouble when he yelled at Bobby the Intern (who happens to be the CTO's nephew) for installing Kazaa on his machine. Ditto for the sys-admin who was told to turn the PHB's account into an Administrator account so he could install MS Entertainment Pack.
Which genius allows unrestricted access to confidential corporate data to its users ?
The genius who tried to secure the confidential corporate data with X.509 certificates and/or passwords, but was then told to remove them, because the VIPs were complaining about having to remember too many passwords.
Why do the corporate firewalls not block out-bound traffic to all ports but a select few HTTP/SSL etc. ?
Because then the PHB can't use AIM to chat with his friends.
Seriously, I worked as a sys-admin in an environment like this. You wouldn't believe the number of safety procedures that the CEO/CTO/PHB wanted to circumvent to make life easier for themselves. Unless you have a CTO who understands security and will stand up to the rest of the VIPs, you're doomed. Completely and utterly doomed.
I attempted to implement the passwd changing program with cracklib support to prevent users from picking stupid passwords. That lasted about a week before I was told to take it away.
There was a brief period of time where we went around and killed off IE on the desktop machines, because there were too many damn vulnerabilities. That lasted about 2 weeks before the CEO told us that the researchers couldn't use "this Netscape thing".
Repeat for many other events. Bottom line is anyone who is not a sys-admin knows two things: routine and usability. However, implementing proper security requires changing at least one of those, if not both. And therein lies the problem.
Re:Questions... (Score:2)
STRONG SECURITY || USABILITY
Take your pick... you can't have 'em both
Re:Questions... (Score:2)
Perhaps you meant
STRONG SECURITY ^ USABILITY
Re:Questions... (Score:5, Interesting)
Two years ago I was working for a major bank's international head office, and the security there was paranoid. It was a sys-admin's dream come true.
Re:Questions... (Score:2)
Twiddle your thumbs with all the free time you had not having to go clean up windows boxes?
Nice setup though. I wish microsoft great plains was that accommodating.
Steven V.
Re:Questions... (Score:2)
It was generated by one person, who then split it between 3 people. But root login was allowed only from terminals (no root login over intranet, very strict policy, su command disabled). And the person who generated the password was not allowed anywhere near the terminals, he had no access to the server rooms, so he couldn't use it.
it
Re:Questions... (Score:3, Interesting)
So just replace the attachment with a message stating that the attachment will be delivered in half an hour. If you get a call from the CEO then you'll know that the attachment was legit and you ca
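The "hold it and tell them it arrives in half an hour" idea above is a few lines on the gateway. This is an added example, not code from the post: the blocked-extension list is an illustrative subset (Outlook's list is longer), the 30-minute wording and the test message are constructed, and the only addition beyond the post's idea is a content check on the first two bytes, so that renaming something.exe to something.txt does not get it past the extension list. The executable part is replaced in place by a text part carrying the notice, so the rest of the message (and the harmless PDF) goes through untouched.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the gateway will not pass through. Illustrative subset (assumption).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

NOTICE = ("[gateway] The attachment '{name}' ({ctype}, {size} bytes) was held. "
          "It will be released in 30 minutes unless the mail administrator is "
          "told to drop it.")


def looks_executable(name, blob):
    """Extension blocklist plus a content check: a DOS/PE image starts with MZ
    whatever it is called."""
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        return True
    return isinstance(blob, bytes) and blob[:2] == b"MZ"


def hold_attachments(raw):
    """Rewrite a message so every executable attachment becomes a text part
    carrying the notice. Returns (rewritten message text, held names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    held = []
    if not msg.is_multipart():
        return msg.as_string(), held
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        blob = part.get_content()
        if not looks_executable(name, blob):
            continue
        notice = NOTICE.format(name=name, ctype=part.get_content_type(), size=len(blob))
        part.set_content(notice)  # drops the old payload, content type and disposition
        held.append(name)
    return msg.as_string(), held


def build_sample():
    """Constructed test message: a harmless PDF plus a 'self-extracting zip'."""
    m = EmailMessage()
    m["From"] = "partner@example.net"
    m["To"] = "ceo@corp.example"
    m["Subject"] = "Quarterly figures"
    m.set_content("Figures attached, plus the self-extracting archive you asked for.")
    m.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                     subtype="pdf", filename="q3.pdf")
    m.add_attachment(b"MZ\x90\x00fake pe body", maintype="application",
                     subtype="octet-stream", filename="figures.zip.exe")
    return m.as_string()
```

The held part itself would go to a quarantine directory keyed by the message id; releasing it later is then a matter of re-attaching the stored bytes, which is where the "if the CEO phones, it was legit" step fits.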
The BOfH says... (Score:2)
If you have a $300 lock on a $200 door surrounded by $10 wall panel, what are you going to take the sledgehammer to?
This also leads to another point, if you do security well and nothing happens, then no one knows, but you end up pissing every one off. If you do not do it right, no one is pissed until something happens, then everyone knows.
User obliteration is the only way that I know of to remove insecure nodes from a network.
Re:Questions... (Score:2, Interesting)
And who is going to tell the CEO that he can't bring his laptop (that his kid infected twelve ways from Sunday last night) into the office? Or that he can't *send*
Likewise, VPNs are a *wonderful* tool. The convenience of being able to transparently access
Re:Questions... (Score:2)
It gets worse - some people I know work for a company whose stated policy is to enable mobile computing. Whenever an old desktop is aged out, it's replaced with a laptop that the user is expected to take home at the end of each day. Sure, corporate policy also dictates certain anti-virus and personal firewall software, but virus signatures are not always up to date, and the personal firewall almost certainly does
Re:Questions... (Score:3, Interesting)
2. After two managers complained that they couldn't install any of software that they wanted because they didn't have Admin privileges, the PHBs decided that everyone should have Admin rights so they could install anything that they want "within reason."
I just felt like sharing.
Re:Questions... (Score:2)
Which translated, no doubt, into Kazaa, assorted IM programs and enough Spyware to cripple some machines and reduce available network bandwidth by 70%.
Re:Questions... (Score:5, Informative)
I think any decent sized corporation with a firewall admin does this already. The problem starts when you have protocols designed to circumvent firewall security. SOAP is nothing really but rpc over http on port 80. You can block whatever ports you want but as long as you have an outbound port opening somebody can find a way to use it.
What kind of idiot sys-admin would allow the corporate users to run their PCs with admin privileges, so that any unwanted junk s/w be installed on their PCs ?
Again it doesn't really matter. All the buffer overflow exploits that have happened recently didn't make a check to a security manager to see if they could install a piece of software. Nimda, code red etc just installed themselves.
What kind of stupid sys-admin allows
If you haven't seen the list of attachments outlook 2003 won't let you send you'll laugh your ass off when you do. It's basically any document that you can create with a Microsoft tool with a few of their competitors thrown in for good measure(pdf!?). I still think people will find ways to socially engineer their way around that one.
Which genius allows unrestricted access to confidential corporate data to its users ?
Doesn't really matter. If the pc of someone who is authorized to view that data is compromised the cracker gets the keys to the kingdom.
Re:Questions... (Score:2)
Then there's programs like Omniform. It's the software package one department uses to manage all their electronic forms from the state departments. Thousands of documents are involved, and management on down is married to Omniform.
Problem is, you need to be running as an admin on the local machine for the poorly coded s
Re:Questions... (Score:2)
--jeff++
Re: (Score:3, Insightful)
Re:Questions... (Score:2)
first of all, I am very uncomfortable with a corporate LAN which is on the internet. The least you can do is set up a gateway and NAT the local lan. And use a proxy server.
A periodic check of proxy-server log, should indicate any suspicious activity, and can be prevented in future.
Re:Questions... (Score:3, Insightful)
So you would, for example, block all attempts to use the lynx browser (which runs in a terminal window)? Be a bit careful about answering, because in a lot of jurisdictions, there can be serious fines for knowingly discriminating against the visually impaired.
And, on a more general basis, port 80 is used by a lot of software other than browsers. If a file my app nee
Conflict of Interest (Score:3, Funny)
See? Bad things do happen to bad people!
Keylogger prevention on OS X (Score:2)
Re:Keylogger prevention on OS X (Score:2)
If there are programs that you run normally, and you know the whole list, you could write a little daemon to keep track of the process list. If something else starts running, have it alert you. Sort of a less-sophisticated version of tripwire. Of course, the attacker could name his executable the same as yours, or overwrite yours, but it is better than nothing.
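The "little daemon that watches the process list" above, as an added example (not code from the post), with the weakness the poster already names addressed: the baseline records a hash of each expected executable, not just its name, so a binary overwritten in place is caught as well as a new one. The temp-dir scenario in demo() is constructed; list_processes() is the assumed way to get live input (/proc on Linux, ps -axo pid=,comm= on OS X, where comm is the full path) and is what a real daemon would loop over.

```python
import hashlib
import os
import subprocess
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(executables):
    """Record path -> hash for every program you expect to see running."""
    return {p: sha256_of(p) for p in executables}


def list_processes():
    """(pid, executable path) for live processes. Assumption: /proc where it
    exists, otherwise `ps -axo pid=,comm=` (full path on OS X)."""
    procs = []
    if os.path.isdir("/proc"):
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                procs.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
            except OSError:
                pass  # exited, or not ours to read
        return procs
    out = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout
    for line in out.splitlines():
        pid, _, path = line.strip().partition(" ")
        procs.append((int(pid), path.strip()))
    return procs


def audit(running, baseline):
    """Compare a process list against the baseline. Returns (pid, path, reason)
    for anything not baselined, or whose on-disk binary no longer matches."""
    findings = []
    for pid, path in running:
        if path not in baseline:
            findings.append((pid, path, "not in baseline"))
        elif not os.path.exists(path):
            findings.append((pid, path, "binary missing on disk"))
        elif sha256_of(path) != baseline[path]:
            findings.append((pid, path, "binary changed since baseline"))
    return findings


def demo():
    """Constructed scenario in a temp dir: one untouched program, one replaced
    in place after the baseline was taken, and one never baselined but named to
    blend in (same name plus a trailing space)."""
    d = tempfile.mkdtemp()
    terminal = os.path.join(d, "Terminal")
    mail = os.path.join(d, "Mail")
    rogue = os.path.join(d, "Mail ")
    with open(terminal, "wb") as f:
        f.write(b"#!/bin/sh\necho terminal\n")
    with open(mail, "wb") as f:
        f.write(b"#!/bin/sh\necho mail\n")
    baseline = take_baseline([terminal, mail])
    with open(mail, "wb") as f:        # attacker overwrites a trusted binary
        f.write(b"#!/bin/sh\nlog_keys\n")
    with open(rogue, "wb") as f:       # attacker drops a look-alike
        f.write(b"#!/bin/sh\nlog_keys\n")
    return audit([(101, terminal), (102, mail), (103, rogue)], baseline)
```

Two limits worth knowing before relying on it: the baseline has to live somewhere the attacker cannot write (read-only media is the tripwire answer), and a keylogger injected into an existing process or loaded as a kernel extension never shows up as a separate entry, so this catches the lazy case, not the careful one.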
Re:Keylogger prevention on OS X (Score:3, Interesting)
This happens quite a lot (Score:4, Insightful)
No need to worry (Score:3, Funny)
Since we're 110% confident that all those dedicated knowledgeable MS administrators will be keeping up-to-date with all the patches, and that with the new focus, MS software will soon be completely immune to viruses, who cares about any of this stuff ?
Simon.
[removes tongue from cheek]
Confidential data (Score:3, Interesting)
It's also necessary to protect your data against your very own employees when they are not supposed to be able to see it. And I can say that often this is not the case.
Another important and necessary step is to instruct people using computers to work on security. And this is often not the case either.
Diego Rey
Don't fear the kiddies.... (Score:4, Insightful)
Most often those people are insiders, so you have the added worry that things like firewalls are useless (do you sniff email for viruses on internal mail? do you have unpatched servers that only internal users have access to?), and they may be able to convince others that you think you can trust to look the other way.
Security is one of those ugly balancing acts. Ultimately, it's a losing game because once a determined cracker with a clue sets their sights on you, you're done for. No amount of security is sufficient... really (yes, even a gasketed vault with armed guards CAN be cracked). The key is risk-vs-reward and always trying to make sure that some poor clueless bastard out there is an easier target than you.
Corporate spyware detection? (Score:2)
Big Deal (Score:2, Insightful)
I have the pessimistic view that anything you know that someone else knows must be public knowledge (certainly to any member of the public that
Obligatory Spyware Blocking Software Post (Score:3, Informative)
Spybot S&D [safer-networking.org] It's free and it "inoculates." Regular updates too.
Spywareblaster [javacoolsoftware.com]. A little redundancy, and it has a nice Flash killing tool as well.
Honorable mention:
Peer Guardian [xs.tech.nu]. In addition to RIAA IP address killing, it prevents loading of DoubleClick ads and snoopware. Regular blocklist updates, and IP addy's may be manually added.
idiots always open attachments... (Score:4, Insightful)
-gam
Flash drives? (Score:4, Interesting)
Vendors routinely give out free stuff at conferences, and one of the popular ones these days (actually halfway useful!) is a free 32mb USB key. And of course, every such key comes with plug-n-pray drivers so you can plug it in and start writing to it.
They could easily include some network code in the driver that sends every document you write on the key to the company that sold the device. Of course, obscure this process: send only during idle periods; encrypt the document; send the files to some anonymous file dump in Malaysia or something that's only known and accessible by the company...
Since these devices are routinely given freely to corporate representatives, this might net a high percentage of corporate documents, some of which might be valuable.
- David Stein
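Two posts in this thread point at the same detection: the one above that says to check the proxy log periodically for suspicious activity, and the USB-key scenario just here, where the driver sends documents out only during idle periods. Both leave the same trace on a proxy that logs outbound requests: one client talking to one host on a steady timer, and uploads at hours when nobody is at the desk. This is an added example, not code from either post; the log lines are constructed and the five-field format (epoch, client, method, host, request bytes) is assumed, since squid's native format logs response size rather than request size and you would have to add that field. Working hours are taken as 08:00 to 18:00 UTC, also an assumption.

```python
import statistics
from datetime import datetime, timezone

# Constructed proxy log (not from the original posts). Assumed format per line:
# epoch_seconds client_ip method destination_host request_bytes
PROXY_LOG = """\
1061443200 10.1.2.3 POST update.vendor-example.net 48211
1061446800 10.1.2.3 POST update.vendor-example.net 51090
1061450400 10.1.2.3 POST update.vendor-example.net 47733
1061454000 10.1.2.3 POST update.vendor-example.net 50412
1061457600 10.1.2.3 POST update.vendor-example.net 49888
1061461200 10.1.2.3 POST update.vendor-example.net 48011
1061465500 10.1.2.3 GET www.example.org 512
1061470811 10.1.2.3 GET www.example.org 402
1061471003 10.1.2.4 GET www.example.com 620
1061471900 10.1.2.4 POST webmail.example.com 2100
1061478000 10.1.2.4 GET www.example.org 300
"""


def parse(log):
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, nbytes = line.split()
        events.append({"ts": int(ts), "client": client, "method": method,
                       "host": host, "bytes": int(nbytes)})
    return events


def beacons(events, min_hits=5, max_jitter=0.15):
    """(client, host, mean_interval, hits, bytes_out) for every client/host
    pair contacted at a steady cadence: interval spread within max_jitter of
    the mean. A timer-driven sender shows up here even if each request is small."""
    by_pair = {}
    for e in events:
        by_pair.setdefault((e["client"], e["host"]), []).append(e)
    found = []
    for (client, host), evs in by_pair.items():
        if len(evs) < min_hits:
            continue
        times = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((client, host, mean, len(evs), sum(e["bytes"] for e in evs)))
    return found


def off_hours_uploads(events, start_hour=8, end_hour=18, min_bytes=10_000):
    """Uploads (POST/PUT/CONNECT) outside working hours carrying at least
    min_bytes: a document leaving while the desk is empty."""
    hits = []
    for e in events:
        hour = datetime.fromtimestamp(e["ts"], tz=timezone.utc).hour
        in_hours = start_hour <= hour < end_hour
        if e["method"] in ("POST", "PUT", "CONNECT") and not in_hours and e["bytes"] >= min_bytes:
            hits.append(e)
    return hits
```

On the sample, beacons() returns the single hourly POST stream from 10.1.2.3 and off_hours_uploads() the three requests made before 08:00. Something that only sends when the machine is idle will be less regular than this, which is why the jitter threshold is a parameter rather than a constant, and why the byte-count view is kept separate from the cadence view.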
You know the vendors (Score:2)
The main differential is that virus writers are in many ways untraceable and anonymous. Most of the people presenting at a conference should be traceable in some form, and thus accountable.
Who uses custom drivers? (Score:2)
I have the solution! (Score:2, Insightful)
to the MS Outlook virus-propagation problem.
It's simple - create an Outlook virus which emails a Windows activation-code cracking program to everyone in the victim's address book. Then the virus would redirect the user to the warez sites where they could download "free" copies of Windows.
I can just about guarantee that Microsoft would have a patch within days, if not hours. After that, auto-execute for email attachments would be a thing of the past.
I blame the anti-virus people (Score:2)
Of course many AV companies are scared to do this because of litigation, but a line has to be drawn somewhere. Not to mention the AV program itself might be spyware if it sends data home about the user. Even "anonymous" data should be considered spyware.
Also, how about certification
Re:Amazing.. (Score:2)
It will, just wait for Timothy's dupe
Re:They wouldn't have this problem at all if (Score:2)
Why not? It may not be as easy as on a Windows box, but it's still possible. You can always send someone a perl script, and try to get the user to run it. The script can then try to exploit any number of local exploits to get root, as well as do something that appears to be useful. Many so called e-mail viruses today do exactly that, since the old Outlook bugs that allowed code to run without the user doin