

Cyber Espionage

Academics Predict Growing Cybercrime Sophistication

October 16th, 2008 - Data -- even on platforms such as mobile phones -- will continue to be the primary motive for future cybercrime. That's one of the key findings in a survey released Wednesday by the Georgia Tech Information Security Center (GTISC). The report, called the GTISC Emerging Cyber Threats Report for 2009, outlined the top five areas of security concern and risk for consumer and enterprise internet users for the coming year. The GTISC said it expects threats to rise and evolve in the areas of malware, botnets, cyberwarfare, VoIP and mobile devices. It also foresees the continued sophistication of the criminal underground economy, in which cybercrooks peddle malware-for-sale kits and other programs.



Four Security Lessons From the World Bank Breach

October 14th, 2008 - According to a report from Fox News, several servers at the World Bank Group, an organization that offers economic assistance to developing countries around the globe, were repeatedly compromised and breached over the course of the last year. Details are still emerging and it is unclear how much sensitive information, if any, was stolen. But the Fox report, which cites internal memos, claims the organization's computer network suffered six major intrusions, which included access to the bank's network for nearly a month in June and July, 2008.



World Bank Under Cybersiege in "Unprecedented Crisis"

October 10th, 2008 - The World Bank Group's computer network - one of the largest repositories of sensitive data about the economies of every nation - has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions - two of them using the same group of IP addresses originating from China - have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.



The Cybercrime Arms Race

September 23rd, 2008 - Our society has evolved to the point where many if not most of us spend a significant portion of our lives online. In many ways, this online virtual world mirrors our real world. Criminals, who are an unfortunate but integral part of our social structure, quite naturally have also appeared in the virtual world. The presence of cybercriminals has become more pervasive today because the freely growing online exchange of money and data has created an increasingly tempting target. Today the cybercrime ecosystem is close to maturity -- well-defined relationships and business models are already in place. A new class of cybercriminals freely and openly buys and sells malicious code. These cybercriminals range from petty fraudsters who steal small sums in large quantities to individuals who attempt to steal large sums of money at one time.



Romanian Cybercrime Ring Busted

July 18th, 2008 - Thanks to a joint effort between the FBI and Romanian police, 24 Romanians believed to be part of an organized cybercrime ring were arrested during the past week. Reports also state that the alleged ringleader, Romeo Chita, was arrested in the home of a Romanian elected official, Dumitru Puzdrea, who claims to have no relationship to the crime organization. The group allegedly was involved in a number of identity theft schemes involving credit cards and online auctions, stealing at least 400,000 Euros ($640,000) from foreign victims. According to a blog post by Gary Warner, director of research in computer forensics at the University of Alabama Birmingham, some of the electronic commerce sites targeted by the group included eBay, Equine.com and Craigslist. During the arrest, police seized mobile phones, SIM cards and funds from Europe and the United States.



Business Booms for Organized Cybercriminals

July 16th, 2008 - The days of the lone hacker are seemingly over, with cybercrime organizations now being run by bosses parading as business entrepreneurs, complete with criminal staff. The findings, made by Finjan Software's Malicious Code Research Center (MCRC), show that the "boss" does not commit crimes, rather leaves this to an "underboss" who provides trojans for attacks and also runs command and control functions. Next in line are "campaign managers," who report to the so-called underboss and lead campaigns. They use their own affiliate networks as channels to perform attacks and steal data, which is then sold by individuals who are not directly involved in the attacks.



The Emergence of Crimeware as a Service

July 8th, 2008 - As the malware threat landscape continues to evolve, hackers are constantly changing techniques to counteract detection technologies vendors develop. By using sophisticated methods to evade antivirus technologies, hackers continue to be relentless in their pursuit of damaging IT systems and gaining access to personal information. In the past, hackers used polymorphism and metamorphism as tactics to constantly generate new variants of worms. Essentially, through polymorphism, the virus would morph itself into different variations to bypass signature-based technologies. The antivirus industry eventually responded to polymorphism by creating emulation technologies to counteract this new breed of virus.



Internet criminals gaining ground, experts say

May 6th, 2008 - Criminal attacks against major Web sites have grown so common that Internet users have no reliable way to know which sites are safe to visit, no matter how well known those destinations are, security experts say. News of the latest attack comes from Finjan, an Israeli security firm, which is reporting today that last month it found a large cache of information - including confidential medical records, financial records and business e-mails - sitting unprotected on a computer network server in Malaysia. The data came from more than 40 major financial companies around the world, including the United States, and was stolen from computers belonging to doctors and home users conducting online banking and, in some cases, from machines inside corporate networks that the hackers managed to penetrate and infect.



Chinese Spy 'Slept' in U.S. for 2 Decades: Espionage Network Said to Be Growing

April 3rd, 2008 - Joel Brenner, the head of counterintelligence for the Office of the Director of National Intelligence said, "Espionage used to be a problem for the FBI, CIA and military, but now it's a problem for corporations. It's no longer a cloak-and-dagger thing. It's about computer architecture and the soundness of electronic systems."

Full story printed in The Washington Post, April 3, 2008, p. A1.


Corporate Espionage: Not If, But When

March 18th, 2008 - Corporate espionage is defined as the theft of commercially valuable information. This may be the secret formulation of a new product, but equally it could be the names and salaries of senior executives or simply the date of your next marketing initiative. This type of corporate crime costs the world's 1,000 largest companies in excess of US$45 billion every year, according to research from consulting firm PricewaterhouseCoopers. Some of the world's largest corporations have been targeted: for example, in 2000, Microsoft fell victim to what the company called "a deplorable act of industrial espionage" when hackers broke into the company's system and accessed Windows and Office source code. Hackers had access to the source code for up to three months.



CIA: Hackers to Blame for Power Outages

January 18th, 2008 - Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference. All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States." "In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."



DOE Lab Break-in May Be Tip of the Iceberg

December 7th, 2007 - In what may be part of a larger series of cyberattacks on various U.S. laboratories and institutions, cybercriminals have broken into computers at the Department of Energy's Oak Ridge National Laboratory (ORNL), and also reportedly targeted Los Alamos National Laboratory and Lawrence Livermore National Laboratory. "This was not just a coincidence... someone finding a laptop that coincidentally had sensitive data on it," says Ted Julian, vice president of marketing and strategy for AppSecInc. "Someone was diligently searching for stuff of value. They didn't just stumble upon this."



Hackers Launch Cyberattack on Federal Labs

December 7th, 2007 - A "sophisticated cyberattack" has been detected at Oak Ridge National Laboratory over the last several weeks, and authorities suspect the hackers are based in China. The breach might have compromised the personal information of thousands of visitors to the lab, according to a communique sent to employees. The intrusion is under active investigation by multiple agencies.



Cyberwarfare Now 'Business as Usual'

November 29th, 2007 - After a year's worth of reports from regions such as Estonia, Russia, and China, it may not surprise you that security and terrorism experts consider international cyber-spying as the biggest threat for 2008. And the bad guys are going mainstream: Competition has gotten so stiff that malware suppliers are now offering customer service perks for bad guys who buy their wares. These, as well as cyber-spying trends, are among the many findings of McAfee's annual Virtual Criminology Report released today.






Virtual Criminology Reports

Report: 60% of Businesses Hit by Cybercrime

September 18th, 2008 - A recent Department of Justice survey indicated that nearly 60 percent of American businesses have detected one or more cyberattacks. According to the Department of Justice's Bureau of Justice Statistics, in 2005 (the latest year studied), nearly 75 percent of businesses victimized by cybertheft said that insiders, such as employees, contractors or vendors working for the business, were responsible for the crimes. The survey, dubbed the National Computer Security Survey (NCSS), also revealed that 11 percent of the respondents detected actual losses from cyberthefts and that 24 percent had identified computer-related security incidents. Survey respondents represented 7,818 businesses of the 7.3 million businesses identified nationwide. The data collection was conducted over a seven-month period in 2006.



Cyber Crime: A 24/7 Global Battle

Cyber crime is a grim reality that's growing at an alarming rate, and no one is immune to the mounting threat. It is costing consumers, businesses, and nations billions of dollars annually, and there's no end in sight.






Memory Forensic Case Law

Don't Forget Your Memory

December 2007 / January 2008 - Computer forensics is a field that is changing as fast as software can be written - and that's fast. For each new application a person uses, such as Skype, Instant Messaging, Media players, and new operating systems, computer forensic examiners have to learn how that application reads, writes, stores, and deletes data. This challenge is coupled with the fact that the perpetrators of criminal acts are becoming more computer-savvy. They are learning counter-forensic techniques to obfuscate, delete, encrypt, and simply leave little to no trace of their activities on computers. Therefore, computer forensic examiners, the individuals that scour the contents of hard drives for evidence, need to stay a few steps ahead in the technical arms race.



Decision to Produce RAM in Columbia Pictures Should Not Change Companies' E-Commerce Practices

September 24th, 2007 - In a federal Central District of California case recently, a magistrate judge ruled that the defendants, the TorrentSpy Web site operators, had to produce to plaintiffs information that would temporarily appear in the future in the defendants' Web servers' RAM ("random-access memory"), even though that information was never saved to a hard drive or other non-volatile form of memory (Columbia Pictures v. Bunnell, 2007 WL 2080419). Specifically, the information required to be produced in the future includes a list of the files that users requested from the TorrentSpy Web site. That information could have been recorded on a hard drive of the server, if the server-log function had been activated.



RAM and FRCP 34 Lock Horns

June 27th, 2007 - A recent e-discovery decision from the U.S. District Court for the Central District of California provides an opportunity to reflect a bit on the permanence of storage media. It has also inspired debate as to when temporarily stored information becomes "electronically stored information" that needs to be preserved and, where relevant, produced in response to discovery requests. The May 27, 2007, order directs defendants in an ongoing copyright infringement lawsuit to collect and produce information stored in the random-access memory of their servers.



E-Discovery Update - Discovery of Ephemeral Digital Information

July 27th, 2007 - On May 29, 2007, in the case of Columbia Pictures Indus. v. Bunnell et al. (C.D. Cal. May 29, 2007), Judge Jacqueline Chooljian entered an unprecedented Order in which Defendants were ordered to begin capturing and preserving Internet Protocol ("IP") addresses processed by their computer servers that were temporarily stored in volatile memory and not otherwise written to a permanent log file. Put another way, the court ordered Defendants to begin preserving digital information that resided on their computers for, at most, a few hours, after which it would normally be deleted or purged through an automatic process, and which would be instantly lost if the computer were restarted or turned off.



Discovery Ruling Raises Significant Privacy and E-Discovery Concerns

June 20th, 2007 - In a recently unsealed order, Central District of California Magistrate Judge Jacqueline Chooljian ruled that data contained in a computer server's Random Access Memory (RAM) is "electronically stored information" for purposes of Federal Rule of Civil Procedure 34. She also ordered the defendant to begin logging the contents of certain servers' RAM and producing the logs. While Judge Chooljian's ruling raises potentially endless legal and metaphysical questions by opening the door to discovery of data in RAM, she attempted to limit her ruling to the facts in the case before her: The court emphasizes that its ruling should not be read to require litigants in all cases to preserve and produce electronically stored information that is temporarily stored only in RAM.



No Minimum Storage Time for Electronic Information Before it is Discoverable

June 20th, 2007 - The June 20, 2007, blog reported on the Magistrate's decision in Los Angeles District Court that held, for the first time, that the contents of a computer's Random Access Memory ("RAM") are discoverable. (The Magistrate's Order is Columbia Pictures Industries v. Bunnell, Case No. CV 06-1093 (FMC(JCx) (Doc. No. 176)). The Magistrate's discovery ruling was appealed to the District Court Judge, Florence-Marie Cooper. Multiple amici appeared and advanced "weapon of mass discovery" type arguments, urging the court not to interpret "electronically stored information" ("ESI") under the rules to include RAM.



US ruling makes server RAM a 'document'?

June 15th, 2007 - If allowed to stand, the groundbreaking ruling may mean that anyone defending themselves in a civil suit could be required to turn over information in their computer's RAM hardware, which could force companies and individuals to store vast amounts of data, say technology experts. Roaming the Web anonymously was already nearly impossible. This ruling, which brings up serious privacy issues, could make it a lot harder. "I think that people's fears about a potential invasion of privacy are quite warranted," said Ken Withers, director of judicial education at The Sedona Conference, an independent research group. "The fear is that we're putting in the hands of private citizens and particularly well-financed corporations the same tools that heretofore were exclusively in the hands of criminal prosecutors, but without the sort of safeguards that criminal prosecutors have to meet, such as applying for search warrants."



MPAA accuses TorrentSpy of concealing evidence

June 11th, 2007 - The movie studios may have discovered a new and powerful weapon in their war on copyright infringement. The courts have for the first time found that the electronic trail briefly left in a computer server's RAM, or random access memory, by each visitor to a site is "stored information" and must be turned over as evidence during litigation, according to documents seen by CNET News.com. Jacqueline Chooljian, a federal judge in the Central District of California in Los Angeles, issued the decision while presiding over a court fight between the studios and TorrentSpy, the BitTorrent search engine accused of copyright infringement in a lawsuit filed last year by the film industry. On May 29, Chooljian ordered TorrentSpy to begin logging user activity, including IP addresses, and turn the data over to the Motion Picture Association of America (MPAA).



RAM and Server Log Files in E-Discovery

June 8th, 2007 - Does a defendant in litigation have an obligation to store, preserve, reduce to a more permanent form, and produce in electronic discovery data that is available only in transient RAM? According to an Order made available today - the answer is at least sometimes yes. The Order is being appealed and is stayed pending appeal. Indeed, the Federal Court in Los Angeles today granted Torrentspy.com's request for a stay of an e-discovery order pending appeal that in essence found that since user HTTP header information is in transient RAM on Torrentspy's servers that such data was tangible enough to be considered "documents" that needed to be "stored" in log files, preserved, and handed over in civil litigation e-discovery.



Electronically Stored Information: The December 2006 Amendments to the Federal Rules of Civil Procedure

2006 - Earlier in 2006, in a federal court in New York City, a rather ordinary discovery dispute in a rather ordinary case was decided by a highly capable United States Magistrate Judge. The case was brought by a securities analyst who lost his job after being implicated in an alleged stock manipulation scheme. He was suing two of the companies he regularly analyzed for defamation and tortious interference. The discovery dispute centered on three issues related to the topic of this article -- a motion for an order preserving documents potentially subject to discovery, a discovery "questionnaire" proposed by the plaintiff, and the method by which the defendant would locate responsive documents.



Collecting Evidence from a Running Computer

Inadvertent or accidental changing of evidence could be caused by simply looking through files on a running computer or by booting up the computer to "look around" or play games on it. This strict methodology has historically provided for original evidence that, if relevant, is difficult for defense counsel to successfully challenge when it is introduced in court. However, we must remember that every crime scene is changed by the action of law enforcement being there. In fact, the NIJ research report Crime Scene Investigation: A Guide for Law Enforcement acknowledges that contamination occurs, and describes methods to limit that contamination. It is important to note that potential evidence may be lost or destroyed if a running computer is encountered by law enforcement and seized as part of an investigation using the historical methodology described above. (A "running computer" is defined as a computer that is already "powered on" when encountered at a crime scene.)






Malware in Memory

NPR's Diane Rehm Show

June 25th, 2008 - HBGary's world of computer threats is increasingly hitting the mainstream. You can listen to a 1-hour talk radio segment today on NPR's Diane Rehm show at this link. The show was broadcast on Wednesday, 6/25 and called "Cyber Threats".



DaisyDukes Brings Memory Sniffing to the Masses

May 28th, 2008 - Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a prototype of a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes. DaisyDukes is a series of scripts that operate on memory dumps that have already been taken or on live memory and can work alongside a USB-based memory dumper. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, the device can capture the entire contents of a computer's memory, or use DaisyDukes to sniff out and store only certain types of data - say a password to access the company network or a user's private encryption key.
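The "recent research" the article refers to is the cold-boot work on recovering encryption keys from RAM, and the core trick is worth seeing in code: an AES implementation keeps its expanded key schedule in memory next to the key, and every byte of that schedule is a deterministic function of the key, so a scanner can slide a window over a memory image and ask "do these 16 bytes expand to the 160 that follow?" The script below is an added example written for this page; it is not DaisyDukes, not code from the cited research, and the memory image it scans is constructed inline (pseudo-random filler with one AES-128 key schedule planted at an arbitrary offset). It requires an exact schedule match and does not attempt the bit-error correction the cold-boot research performs on decayed DRAM.

```python
"""Locate AES-128 keys in a raw memory image by spotting their key schedules.

An AES-128 key schedule is 11 round keys (176 bytes); round key 0 is the
key itself and each later word is derived from the two words before it.
Checking whether a 16-byte window expands to the 160 bytes that follow
finds live keys with essentially no false positives.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):  # s ^= rotl(inv, 1) ^ ... ^ rotl(inv, 4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """Schedule word i from word i-1 and word i-4 (FIPS-197 key expansion)."""
    t = list(prev)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key(key: bytes) -> bytes:
    """Return the full 176-byte AES-128 key schedule for a 16-byte key."""
    assert len(key) == 16
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        words.append(_next_word(words[i - 1], words[i - 4], i))
    return b"".join(words)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for every exact AES-128 key schedule in the image.

    A cheap prefilter computes only schedule word 4 and rejects almost every
    offset before the full expansion is attempted. No tolerance for bit
    errors (as in decayed DRAM) is implemented here.
    """
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        if _next_word(key[12:16], key[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_key(key) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, key))
    return hits


def build_sample_image(seed: int = 1234) -> tuple:
    """Constructed test data: 32 KiB of pseudo-random filler with one schedule planted in it."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    offset = 9_001  # arbitrary and deliberately not 16-byte aligned
    filler = bytearray(rng.randrange(256) for _ in range(32 * 1024))
    filler[offset:offset + SCHEDULE_LEN] = expand_key(key)
    return bytes(filler), offset, key


if __name__ == "__main__":
    image, planted_at, planted_key = build_sample_image()
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset 0x{off:x}: key={key.hex()}")
```

To run it against a real acquisition, replace `build_sample_image()` with `open("memory.dmp", "rb").read()`; the prefilter keeps the scan to one cheap word computation per byte offset, so a multi-gigabyte image is practical even in pure Python. The same idea extends to AES-192/256 (longer schedules) and to RSA private keys (look for the DER structure or for p and q that multiply to a known modulus).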



New Tests Show Rootkits Still Evade AV

May 13th, 2008 - Rootkits are still a security scanner's worst nightmare: New rootkit detection tests recently conducted by AV-Test.org found that security suites and online Web scanners detected overall only a little more than half of rootkits. AV-Test.org, an indie security test organization based in Germany, ran two rootkit tests last month, one on Microsoft's XP Home Edition and another on Microsoft Vista Ultimate Edition, the results of which have been published in a paper now available on the group's Website. The XP test used 30 active rootkits and 30 pieces of malware using rootkit technologies. Not surprisingly, anti-rootkit tools did the best, detecting about 80 percent of the rootkits overall, while the security suites found over 66 percent, and online scanners, only 53 percent. Some tools crashed or hung up after completing the rootkit scans, and those were counted as "not detected."



Cyber Espionage Seen as Growing Threat to Business, Government

January 17th, 2008 - Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad. It's no wonder that research firm SANS Institute has ranked cyber espionage No. 3 on its "Top Ten Cyber Menaces for 2008," just behind Web site attacks exploiting browser vulnerabilities and botnets such as the infamous Storm. "Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals," SANS Institute claims. "The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source."





