Web Browsers Under Siege From Organized Crime 168
An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"
80%...? (Score:2, Insightful)
Firefox? Opera? Safari? (Score:5, Insightful)
Re:Firefox? Opera? Safari? (Score:4, Interesting)
How is that a troll? He's stating the observation based on his experience.
I did read the article and can't tell, either. My experience coincides with yours. Funny articles are hesitant to spell out the distribution of vulnerabilities. I wonder if they get leaned on by Microsoft's legal department or one of their PR firms?
Just exactly how many of those vulnerabilities are Firefox running on Ubuntu? Or Safari? Or, as usual, is Windows and IE the most attractive attack vector?
Re:Firefox? Opera? Safari? (Score:5, Insightful)
Re:Firefox? Opera? Safari? (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2, Insightful)
I should say that using IE is wrong and stupid enough.
Re: (Score:2)
Re: (Score:2)
I should say that using IE is wrong and stupid enough.
Except some sites require it (ADP is the worst), and I can't convince management it's worth it to switch to a different company. Personally, I've been searching for a better on-line bank and after the passing the initial screening, one of the first questions I ask is, "Does your site support Firefox?". Most of the time I get a no, use IE. My most recent answer, Feb 11, 2008, states, "Apple Bank's website currently supports Mozilla Firefox version 1.0
Re: (Score:2)
Have you considered mailing every bank that requires IE and/or fails to support Firefox that you have decided not to become their client due to IE lock-in?
Send enough mails and you may see some improvement; the management is probably unaware that this may be an issue.
Re: (Score:2)
Re: (Score:2)
I have found that with Safari, whenever I get a message from a web site that it only works with IE, that this is because their server checks what browser is calling it. Most of the time, if I tell Safari to lie and tell that stupid site that it is being talked to by IE, everything works perfectly or is at least useable. The exceptions to this are few.
Re: (Score:3)
I'd like to see you have the nerve and belligerence to walk up to any of these people and say: "you're using IE so therefore you are wrong and stupid", when they are not actually at fault.
Putting aside the fact that I had been aiming for a Funny moderation instead of Insightful, this is one fine leap of logic you're suggesting, and some finely chosen words you're putting in my mouth.
While I did describe mere usage of IE as wrong and stupid, it would not do to assume I said IE users were wrong and stupid.
So please, suppress your righteous indignation.
Oh, BTW:
1. 30 - 50 year old couple with no technically competent friends or family (or kids) using a computer from Dell or a corner store. This is actually a pretty large fraction of 'Net users out there, and they use IE and windows through no fault of their own.
I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get
Re: (Score:2)
Wow. A bit elitist eh.
I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get injured or killed during untrained computer use doesn't mean that untrained use isn't irresponsible.
How do you suggest that my aforementioned demographic educate themselves if they don't even know that they 'need' education?? Especially when the market and the media do their best to tell people that computers are 'point and click' and require no education and training?
So, how is the user at fault?
Ignorantia legis neminem excusat.
While this is of course related to law, I see no reason not to apply it here.
Defective by design == wrong and stupid in my book.
Yeah, true. But some people have no choice. If you are required by your University or employer to access a government data repository that is Active X only, you're kinda fucked aren't you?
Again, how is the user at fault?
Did I say users were at fault? Please, do point out where I said that users were at fault in this instance.
And stop putting words in my mouth.
All I'm trying to say, is pissing on users who don't know any better, or are between a rock and a hard place is hardly helpful. You'd be more productive lobbying relevant parties, educating anyone you can, and boycotting technologies you disagree with.
I should say that those between a rock and a hard place are in a much better position to lobby than I am. Especially since I may not be on the same bloody continent.
I don't think I put anything in your mouth at all, I just interpreted your post as elitist drivel, and quite frankly so would someone who is a little insecure about their tech competence, who are also incidentally the IE using crowd.
Well, they wouldn't be reading /., now would they?
Read what is written; do not
Re: (Score:2)
<snip>
Hence my interpretation.
At least you admit these were not my words, but your interpretation.
Re: (Score:2)
Why does the government use a proprietary, special format? Is there no way such data can be stored and disseminated so ALL computers, such as Linux and Macs can access it equally well? It seems that the taxpayers ought not subsidize any one particular company's data format. Isn't that why there are standards open to all? I think this is the government's fault.
Re: (Score:2)
A government doing things that are wrong and stupid?
I'm positively shocked.
Re:Firefox? Opera? Safari? (Score:5, Interesting)
That is as far from the definition of a troll as can be imagined. Re-read the moderator guidelines about the difference between 'Flamebait', 'Troll', and 'Factually Incorrect'. Attitudes like yours make meta-moderation necessary.
On top of everything else, it's not necessarily even wrong. I can give you 'anecdotal' evidence based on servicing computers for a local user community of about 40,000 people. My observations haven't been formalised or codified in any way, so I can't make any claim to scientific observation, but I can tell you that what I see on a day-to-day basis is relevant and significant.
This is valid and useful information in my professional context. You're implication that anecdote is always based on feeling is, ironically, based on a hunch informed by your own bias.
If you're so bent on getting good data, by the way, you should know better than to blindly add up vulnerability announcement totals and call that analysis.
Re: (Score:3, Funny)
Re:Firefox? Opera? Safari? (Score:5, Funny)
Re: (Score:2, Redundant)
Got plugins? (Score:5, Insightful)
Re: (Score:2)
People See Plugins as Browser Components (Score:2)
Re: (Score:2)
QuickTime, Real Player, Acrobat, Flash, etc., etc., are all technologies that most people experience inside their browser. They're all just more stuff you need to download to get your browser to work. If the web was just HTML, it would be pretty boring. And Slashdot wouldn't exist.
Sure slashdot would exist. That was one of the better things slash allowed. Since the pages are served staticly after being modified on the server by a perl cgi script... or does your html-only world eliminate cgi as well?
Re: (Score:2)
Yes. People want executable content, they want to be able to "do stuff" inside their browser. CGI and Perl can't deliver that.
Re: (Score:2)
The minute that vulnerabilities were monitized... (Score:5, Interesting)
Welcome to the wild, wild net.
That's not the worst of it. (Score:5, Insightful)
The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.
What happens if your employer loses a laptop with your SSN, name, etc on it?
Eventually, the criminals are just going to start building a database with whatever information they can find.
Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.
You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.
Re:That's not the worst of it. (Score:4, Insightful)
Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.
Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?
Side warning to businesses and individuals: Read the above, look around you, let the paranoia begin.
The internet maybe a highly efficient way of doing business, but it can be an extremely efficient way to steal too. Weigh the KNOWN risk factors, is it really worth it?
Organized crime is only the tip of the iceberg.
We may have to become stainless steel rats just to be free.
Re:That's not the worst of it. (Score:4, Insightful)
How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If the programmer is low paid their work is being reviewed via the QA process. Now say what you will and laugh all you want about the idea of Microsoft QA, but I can assure you that the odds of one single programmer being bribed and inserting malicious code into a core library is pretty low.
More like, by the time his code makes it through QA/review/standard revisions, it will be incomprehensible compared to what it was originally and his clever little trojan won't work anymore :D.
We hope...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:That's not the worst of it. (Score:5, Funny)
I got that one covered. I just haven't paid several bills for a long while now. If someone tries to get credit with my credentials, all they will get is people laughing and pointing at them
Are you mad? (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
This is why the waiter never gets to touch my card, and hands the sole copy of the tape with its number on it directly to me. The copy he gets to put in the till hasn't got the number on it, the card reader is brought to my table, there are minimal opportunities here.
Ok, back in the real world.. half the restaurants still print the number all over the place, half the waiters take your card over to the machine instead of bringing the machine to you, the machine uses unencrypted wireless signals and there is
Re: (Score:3, Informative)
I call BS on this one. I've done a couple of POS implementations for restaurants and all they all used WPA encryption on the devices and the access points were setup to only accept connections from a pre-defined list of MAC addresses. Ya ya, MAC addresses can be spoofed but it is going to take an attacker a long time to hit a restaurant wireless network. The majority of restaurants still swipe the card at the hard wired terminal anyway. The restaurant indus
Re: (Score:3, Informative)
If you are paranoid like me you will have already called one of three major credit companies (not the free score but Equifax, Experian, or TransUnion) and put a freeze on your credit every 90 days with a fraud alert. Or you can pay one of their subsidaries a monthly fee for any notifications via email or SMS of any changes or requests in your credit (yeah it kind of feels like I'm paying them to solve a problem that is their fault).
Re: (Score:2)
And the banks who lent the money based on a number (that is not even supposed to private) would end up eating the loss. And the credit bureaus who base their business on this number would be run out of business by competitors with better ideas.
At least, that is how it would work in my kooky libertarian world. But I guess everyone likes this setup better.
Re: (Score:2, Insightful)
This is really important. There are a lot of people who argue that if you have nothing to hide, you don't need to worry about the government tracking your information. This argument tends to have the implicit assumption that the government has your best interests at heart and wouldn't [fill in your worst abuse here]. However, even if you believe this, clearly it is not true about criminals.
Re:The minute that vulnerabilities were monitized. (Score:2, Interesting)
I know I'm probably going to have to make another scan of my landlady's computer...she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT"
Re:The minute that vulnerabilities were monitized. (Score:4, Insightful)
Re: (Score:2, Interesting)
Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection...
Come to think of it...does anyone know of any successful examples of a "
Re: (Score:2)
Re: (Score:2)
If this is brand new... (Score:1)
If you know there's a hole . . . (Score:1)
Re: (Score:2)
I think you're confusing organized crime with the sex industry.
Drop in vulnerabilities... really? (Score:5, Interesting)
Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up ( as it has been in the past 10 years ) but detection is getting worse.
Explains the odd attempted breakins.. (Score:5, Interesting)
Here's a sample:
ftp attempts for 5 hours straight:
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded
ssh attempts almost constant since last friday:
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith
When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in english, sometimes japanese or chinese. Does anyone know of someone that keeps track of these things, so I can send my logfiles to?
Re:Explains the odd attempted breakins.. (Score:5, Informative)
Re: (Score:3, Funny)
Sorry, my bad. Thought I was on my server...
Re:Explains the odd attempted breakins.. (Score:5, Informative)
It will automatically detect and block the attackers and optionally add them to a gobal block list.
Re: (Score:2)
Your looking for this for your SSH logs: http://denyhosts.sourceforge.net/ [sourceforge.net]
It will automatically detect and block the attackers and optionally add them to a gobal block list.
It's really more effective, in my opinion, to simply disable interactive logins altogether and use DSA key authentication. Brute force login attempts become a negligible threat, since attackers are not trying to spoof dsa private keys and even if they did the sheer number of possible dsa keys combined with the number of possible user names makes the chance of a successful breakin very very slim. Using denyhosts requires that the botted cracker machines out there be given a good chance to brute force their
Re: (Score:2)
These attacks are so common that no one tracks them anymore. SANS has a system that you can submit your firewall logs to but not the detailed syslog information. You can attempt to report the attacks to the appropriate par
Re: (Score:2)
Re:Explains the odd attempted breakins.. (Score:5, Informative)
Re: (Score:2)
Beware the"funny" moderation in Organized Crime... (Score:4, Funny)
Re: (Score:2)
A) Hammer
B) Forged Steel
C) Wile E. Coyote...
I wonder what the profits look liike. (Score:3, Interesting)
Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/ [shareaza.com]. It's claimed by a group that be like this. That address used to be shareaza's main site, and it easy for many to not know to go to http://shareaza.sourceforge.net/ [sourceforge.net] for the new updates.
Re:I wonder what the profits look like. (Score:2)
original report (Score:3, Informative)
Oooo! The X-Force! (Score:2)
Organized crime, huh? When they hit your browser, does the screen just go black?
Re: (Score:2)
well it is called the "Black Market"...
Dat's a nice browser yous got (Score:5, Funny)
Lack of Security of any System on the 'Net (Score:3, Insightful)
5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?
And what personal information is it? To extend the old saying "If it is on the internet, it is public". Well, *all* information you store the computer that you access the internet suffers from this lack of security.
A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet [wikipedia.org]. This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.
But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shutdown outgoing ports/services on Linux [uic.edu] than on Windows [windowsecurity.com].
As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.
Re: (Score:2)
For example, critical US Department of Defense secrets have ended up in the hands of adversaries, despite extreme efforts to safeguard these secrets. And the same is equally true, of course, for other nations. Thus there is demonstrably not a condition of absolute security, even at the most secure end of the scale.
But we're talking here not about military security and state espionage but about web browser vulnerabilities. For the most part the
Re: (Score:2)
pressure by the insurance industry.
Snake oil? Software insurance? Can you actually sell this? Oh... sign me up.
Oh, I'm going to go file a patent for this....
To reply seriously...
The perception of value and risk for a consumer product is at a much lower point on the scale relative to a hardened military installation.
To say that users don't store information that has high value to them to be kept private is silly. I was *very seriously* suggesting a non-networked computer to give security. This would eliminate the opportunity for a *software failure* to cause the data to become
I've been saying this for a while now (Score:4, Interesting)
There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]
Nobody wants to hear this. I'm not exacty sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.
Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2, Interesting)
Because there's no reason to update software, ever? I know that I get security updates all the time which I'm happy to say I didn't have to replace a chip to apply. The fact that you can't modify c
It _is_ true that the NES is impervious to attack. (Score:2, Interesting)
How many ROM slots am I supposed to have on my desktop machine? Three, maybe four? So, let's see, I ca
Re: (Score:2)
Could be because it's an extreme position? Or because knowledgeable system designers don't see that it solves anything? Just a thought.
Danger Will Robinson! (Score:2)
And therein lies the problem. Who decides what is malignent and what is not?
If we implement the "hard coded" solution you propose, then by default, we give ALL of the coding power to the companies that do that hard coding. Talk about lock-in! But if you leave it "open" and allow amateur's programs to run, then you have the malignancy problem you mention. The whole problem is that we do not
Re: (Score:2)
There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session
Nobody wants to hear this. I'm not exacty sure why;
Because you completely fail to understand the idea of a Von Neumann architecture machine. There is no semantic difference between data and executable code. Want to run a spreadsheet? Those formulae are all executable code. Want to run a web browser? What do you think all of that JavaScript is? What about word processor macros? If you limited a computer to running locked software, you would dramatically reduce its usefulness.
You are also completely ignoring the fact that data persists even if prog
New form of stick-up? (Score:5, Funny)
(Sorry - for humor I go for quantity, not quality.)
Kick Windows off the Internet (Score:3, Insightful)
Re: (Score:2)
Windows is the problem.
I'm certainly no MS fanboy, I don't consider your original post a Troll, and I won't even argue your 90% speculation. But I can't blame Windows's security for this. When you have 76% of the market share [wikipedia.org], it doesn't seem unreasonable that the blackhats will target you 90% of the time. So, unless their security is head-and-shoulders better than the competition, they will still have the most breaches.
Re: (Score:2)
Re: (Score:3)
Yet another car analogy, but it works here.
Stealing cars and exploiting computer exploits are completely different situations. Imagine a city where 76% of the population drove Hondas. The other 24% drive a variety of cars of roughly the same value. Each make of car has a different security system. Now, if you can figure out how to get around Honda's security system, 76% of the cars in the city are yours for the taking. If you figure out how to get around Buick's security system, you have your choice of the handful of Buicks driving around.
Desp
Re: (Score:3, Insightful)
Re: (Score:2)
The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that.
Wow, that was kind of nasty... Did my post somehow make it sound like I thought Windows was as secure as its competitors? The superior security is one of the many reasons I've got Slackware installed.
That said, Windows is attacked much more than the other OS's. It's more popular and, in general, its users are less computer-savvy. If I were a blackhat, Windows would certainly be my choice target for a variety of reasons - Even if it was on an even-footing security-wise with its competitors. I'm certain
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Fixed that for ya.
You know... (Score:5, Funny)
If they're going to hose my Windows boxen and install spurious applications of dubious intent, I find that I prefer if they camouflage their attempts so as not to bother me with constant popups from the system tray telling me to install their spyware to get rid of spyware.
This does not surprise me at all... (Score:3, Informative)
Some people believe the largest botnets out there are ones built with the Storm Worm or other similar exploits. My bet would be that there are plenty larger out there, undetectable because they hide behind rootkits and don't do stupid stuff like turn the box into a spam cannon. And for people who think that the C&C (Command and Control) would be detected, think again: if a rootkit can conceal a file then it can also conceal a process, a named pipe, an interrupt handler, you name it.
Redundancy.. (Score:2)
... which is why it's a good idea to ... (Score:4, Informative)
Re: (Score:2)
Go to Tools => Internet Options => Advanced => Disable "Enable third party browser extensions".
I've found it prevents quite a bit of spyware from running even if it has installed itself, and is a quick help for complaining friends & family who want you to do something about their slow computers.
How vulnerable am I? (Score:3)
Consider this hypothetical situation: I'm running Windows XP with no firewall and no antivirus. I'm on broadband and my ADSL modem/router does NAT with no port-forwarding rules set up. I'm fully patched and run out-of-the-box firefox. I don't run executables from untrusted sources, I understand how to treat email attachments, and I'm smart enough not to get caught by phishing.
How vulnerable am I? How likely is it that I will get compromised?
Does the answer change if I'm running fully-patched IE7?