Using a sample of this malware binary, identified as Win32.Daws, Cyveillance collected data about its behavior using the Cuckoo sandbox system. Cuckoo utilizes a virtualized environment where one can run malicious binaries and observe their behavior without risk of spreading the infection to other systems.

The Win32.Daws sample is alternatively known as “Sanny” from the email address that was used by the attacker. This particular piece of malware is interesting because of its intended target, Russia. Consistent with previous reports, language clues gleaned from sandbox analysis plus the identity of the command and control server, suggest that the attacker is based in South Korea. The C&C server the attacker used was a Korean language bulletin board system. All of the data that an infected node collected would be uploaded as an encoded post to this board along with the name of the infected machine and its IP address. The URL used to upload the victims data to this C&C server also contained a unique string “kbaksan”. We were able to use this string to determine that there are at least two different variants of this malware uploading data to the same location.

What we really wanted to determine is how successful this malware was infecting Russian targets. To do this we gathered all the data that was available from the C&C board. At that time, the data on the board was from a set of 37 unique IP addresses. Each of these IPs represents one infected node of the Sanny botnet. Graphing the geolocation of each IP address by country yielded the following map:

View Known “Sanny” Botted Nodes in a larger map

As far as this narrow sample of data demonstrates, Sanny was fairly sucessful in its targeting Russia. The overwhelming majority of infected computers are located somewhere in Russia. These numbers serve an another example of a recent trend in malware targeting a group or region of the world rather than any target of opportunity. Other recent examples of this would include Stuxnet and Flame. In addition to geographical data, we wanted to see who specifically Sanny infected. We cannot know the identities of any infected users, but from the IP data we can at least generalize about the owner of any particular IP address. Examining the IP owners yielded the following:

The largest group of IPs were with telecom companies that serve as home broadband providers. Two of the botted nodes are computers at the ITAR-TASS state news agency, two are located at Lomonosov Moscow State University (MGU), and one IP belongs to an Antivirus company in Czech Republic. The single mobile network IP address belongs to MTS, a Russian mobile network provider, and is most likely a private laptop connected to a hotspot or tethered to a phone. The lone cable company in the data set was based in the US, most likely a private home computer like the rest in Russia and elsewhere.

In conclusion, the Sanny / Win32.Daws was highly successful in its targeting of Russia and especially Russophones. This is a growing trend in malware and in this particular case, it was within the capabilities of a smaller bad actor rather than a large malware gang or state organization.

Shanshan Du, an ex-employee of automaker General Motors and her husband, Yu Qin, were convicted this past December of stealing trade secrets from the automaker and soliciting Chinese businesses to invest in their own company. According to the prosecution at their trial, Du positioned herself to work in GM’s hybrid-car division as an electrical engineer, a position she held for several years. After being offered a severance package due to poor performance, Du stole information about the hybrid’s motor controls and fed the stolen data to Qin, who was also an electrical engineer at a car part manufacturer. Armed with the stolen data, Qin solicited business ventures to sell the data to Chinese car companies and attempted to leverage the information to gain employment and investments.

The two were caught when Qin’s employer became suspicious that he was running a business that was in direct competition to their company and started to investigate his work area. Upon investigating some portable hard-drives, files believed to be the property of GM were identified. Qin’s employer notified GM who in turn notified the Federal Bureau of Investigation, which opened an investigation into the two.

Estimates given by GM placed the value of the information stolen by Du at near $40 million dollars. Both Du and Qin faced one count of conspiracy to possess trade secrets without authorization and two counts of unauthorized possession of trade secrets, as well as three counts of wire fraud. Following a trial, Du would be acquitted of the wire fraud charges but convicted of the three trade secret counts. Qin would be found guilty on all six counts as well as an obstruction of justice charge. The two will be sentenced this month but face 10 years for each count.

Given the tendency of data to “spill” sooner or later from an enterprise, organizations must tackle the issue with the short and long term in mind. Monitoring the Internet for leaked documents is not an option today. Cyveillance helps large enterprises protect themselves from data leakage so reach out to us if you’d like assistance at your organization. We also strongly recommend raising counterintelligence awareness locally by hanging posters like the one above, made available for free by the US Office of the National Counterintelligence Executive provides free posters. Make information protection a priority in 2013!

A distributed denial of service (DDoS) attack targets a computer system’s resources by flooding it with requests beyond its capacity in hopes of negatively impacting its functionality. Does society consider DDoS attacks a legitimate form of protest? When an anonymously posted petition appeared on the White House’s We the People page and advocated the legalization of DDoS attacks most commentators didn’t look to kindly at the idea. But liberal western-style constitutions tend to be biased towards a protected realm of personal liberty, especially when basic rights important for a functioning democracy like Freedom of Speech or Freedom of Assembly are involved.

From a website owner’s perspective, “DDoS attack” is a term that already implies someone with a black hat being well-deservedly marked for criminal and civil lawsuits. While the term “DDoS” may have a nerdy charm, “attack” is an obvious red flag word. Participants in DDoS attacks may use this label to describe their activity to add a certain rebellious image.

Taking this into account, not all political activists use the term DDoS attack to label their activity of mass-visiting a certain website, with or without the explicit intention of overpowering its processing capacity. Other searchable terms for this behavior might be Virtual Sit-In (a throwback to the student protest movement of the late 60’s), Online-Protest, or Online-Demonstration. And at this point a clear-cut criminal activity becomes something that might arguably contribute to the democratic experience and would be within the scope of constitutional protection.

German courts and the German government were forced to look behind the labels and determine what a DDoS attack is from the perspective of a society which has not fully adapted its legal framework to a world dominantly shaped by interconnected computers.

Three Examples in Germany

Lufthansa

The German government uses commercial airlines to fly a person into his home country or last transit country after application for asylum had been denied or – in cases where countries of origin or transit deemed safe from political persecution (e.g. any EU country) – even before the legal review would have been completed.

To protest the German government’s deportation policies, political interest groups Libertad! and kein mensch ist illegal (no person is illegal) focused their attention on Lufthansa and vowed to block the company’s website for two hours during a shareholder meeting. The organizers notified the City of Cologne’s Department of Public Safety of the upcoming demonstration and declared “www.lufthansa.com” as place of assembly. Just for clarification, since “all Germans have the right to assemble without prior notification or permission peaceably and without arms” (Art. 8 I of the German Constitution), the City of Cologne’s acceptance of the notification does not constitute approval or provide legal cover for the organizer’s activities.

13,000 internet users participated in the attack. Additionally, special software was used during the attack, too. The website was completely down worldwide for 10 minutes. It remained difficult to connect to the site until the attack later ceased.

Lufthansa filed a criminal complaint against some activists. The Frankfurt District Attorney’s Office agreed and pursued charges of Coercion and Public Invitation to Crime. However, the coercion charge requires either “force” or “threat of considerable harm” as means of coercion. The activists argued that a DDoS attack is nothing more than the virtual form of a Sit-In in front of any given facility, blocking physical access to that facility. The German Federal Constitutional Court (Bundesverfassungsgericht) decided back in 1995 that – if no special circumstances can be shown – blocking traffic or access to a place would in itself not qualify as physical force required for coercion. Referencing this ruling, the activists pleaded to be cleared of criminal charges. While the lower court in the DDoS case returned a conviction, a retrial ended with an acquittal. The requirements for coercion were not met due to lack of physical force or threat of considerable harm (the judges found that at least a two hour interruption would not suffice).

DDoS for Profit

More recently, a court in Düsseldorf convicted an individual in connection with a DDoS attack; not for coercion, though, but computer sabotage. The court didn’t spend too much effort on actually testing the legal requirements and received much criticism for it; but this DDoS attack was the pointy end of an extortion attempt, a purely for-the-pay criminal act. Since the offender was convicted of the much more serious offense of extortion, the court did not seem to care too deeply about the charge of computer sabotage and just handed out a two for one package.

GEMA

Even more recently, the executive branch of the German government received a so-called Kleine Anfrage, which is one form of parliamentary inquiry. One or more internet user with the alias “AnonLulz” took credit for a DDoS attack including use of the software tool known as Low Orbit Ion Cannon – LOIC – against a German copyright organization for the music industry called GEMA. Law enforcement raided homes of suspected participants, seizing hardware and collecting evidence. The parliamentary inquiry – as far as it is relevant to this blog post – asked the Executive whether a DDoS attack can be characterized as a virtual protest or Sit-in, and if it is within the scope of the constitutional protection.

While the Federal Government did not comment on the merits of specific cases, it is pointed out that not all overpowering of websites would be computer sabotage under German law, e.g. mass email protest would probably be viewed as free speech. Additionally, free speech guarantees would have to be considered when looking into any clearly politically motivated DDoS attacks. However, the government does not seem to share the position that the Right to Assembly would offer protection to activists due to a lack of a physical component needed for “assemble”. This also means that the narrow personal protection of the Right to Assemble, which is applicable in Germany only for Germans (at least on the constitutional level, as the level of simple parliament laws extent this right to aliens, too) can be avoided. Free speech constitutional protection does not depend on citizenship in Germany.

Looking Forward

The statement of the German Government does not set a legal precedent, but it might shape the general view in Europe. The EU Court in Luxemburg as well as the Court for Human Rights in Strasbourg both consider the protective scope of human rights in Member States when examining those rights on the European level, so the rulings in the above cases may influence the legal perception of DDoS activity in Europe in the future.

It is sadly very important to recognize and understand the types of post-incident behaviors and actions that will target victims, victims’ families, law enforcement… and in the case of the Sandy Hook Elementary School shooting, the school, teachers, and administrators. Regrettably in addition to working through the grief, uncertainty and pain of an event, victims, their families and others must protect themselves and become far more aware of their physical security and cyber security in a post-incident environment.

Based on disastrous events that have transpired over the last 2 years, Cyveillance has recognized a pattern of maliciousness which occurs following each event. Protect yourself, your family and your community by recognizing these 10 security concerns.

Fraudulent Campaigns

These email, Internet, social media, and/or text-messaging campaigns are designed by scammers to lure an audience to click on malicious links, contribute to phony fund raising efforts, or to post impersonated social media pages of victims/families. Some of the typical scams could include:

• Malware: Click here – “Exclusive photos from within the school”
• Theft Scam: Give to the victims of the shooting/hurricane/tsunami
• Solicitation of Money, Post False and Misleading Information: This (Twitter page, Facebook page, Website) is in “Memory of the Victim”

In some cases a fraudulent campaign could target the affected community and tailored to the surrounding areas. Other campaigns are more global in nature where the scammers take advantage of large numbers of people who are curiosity seekers or who legitimately want to help.

Issue Advocates and Extremists

Issue advocates and those with extreme viewpoints will try to use the incident to support their specific views. Numerous persons may infiltrate the community and take advantage of post-incident events (i.e., funerals, clean-up efforts, memorials) to further their cause. Some notable protesters, demonstrators, and harassers rally around topics such as:

• Religion
• Politics (i.e., gun control, global warming)
• Mental Illness
• Violence Against Children
• Violence in the Media (TV, movies, video games)

Some extremists could go “over the line” with victims’ families, law enforcement or others representing an opposing cause.

Identity Theft

Whenever there are deaths involved in an incident, identity thieves may try to profit from the expired identity. Following many tragic events, the names, ages, etc., of the victims are made public. While dealing with the aftermath, no one is going to think about this in the first days or weeks after a tragedy which makes it a perfect time for criminals to steal their IDs.

Spear-Phishing

Due to the media attention and publication of many of those people who are impacted by the incident, spear phishing of victims’ families, school administrators, law enforcement occurs based on particulars published in news reports.

Intruders

There are intruders or individuals who want to insert themselves directly into the lives and crisis of those who are impacted. Intruders are those people who want to desperately make contact with someone close to the incident through pretexting or unscrupulous means. The target could be a victim, a member of a victim’s family, law enforcement or a witness. The motivation for contacting and intruding upon victims could be:

• to solicit information for a sensationalized news story
• to gather “insider information” to post on social media
• to satisfy a curiosity seeker
• to offer services (i.e., psychics, ghost hunters)
• to social engineer information for criminal purposes
• to be near a person because of obsession

Some of these intruders may not only attempt to contact persons via phone, social media or through US mail, but may also be inclined to show up on their property/homes.

Vendor Overload

People directly involved with or impacted by a tragedy may be contacted by vendors – some legitimate, some scammers. Depending on the type of incident, different service offerings may be presented. In the case of a school shooting, the school, administrators and teachers may receive “scams” and legitimate vendors offering security services, surveillance, protective detail services, Xray machines, and security guards. While many of these services may be genuine, the volume of solicitors, marketing materials, and sales presentations could be overwhelming. It is also a difficult time to sort out the real services from the scams.

Excess of Good Wishes

When an event attains prominence in the mass media and has a great deal of focus and attention, many very good hearted individuals and groups from around the US and the world come together to show support for the victims and those impacted. It is mostly assumed that those who appear to send good wishes, thoughts and prayers to the victims are actually doing a good thing…and they are. However, sometimes from the victim’s perspective, the overabundance of mail, email, phone calls, media attention, cards, teddy bears, candles, etc. can be extremely overwhelming and create more stress. In an instant a potentially unknown person or family is thrown into the spotlight and is getting massive attention from strangers… and strangers who seemingly know a lot about them.

Increase in Firearm Sales

Highly publicized violent crimes will always result in an upsurge of gun sales nationwide. The public should be made aware of the risks associated with purchasing and owning a firearm to include keeping it in a home with children and individuals with psychiatric disorders. Local law enforcement and gun clubs should be proactive and provide communities free and easy access to firearm safety / training classes and gun safety locks to reduce the possibility of additional gun-related deaths.

Copy-Cat Watch

Children (elementary, middle and high school) may be expressing sentiments of empathy with the shooter (“that was cool”, “maybe I’ll shoot-em up in my school”). Post-incident is a critical time to monitor for additional chatter (in person, voice, or social media) which may indicate that a child or adult is expressing sympathetic sentiments about the tragedy. While this may not indicate that the person is going to literally copy the shooter, it may be indicative that the person is having difficulties dealing with the emotion of the event and having psychological difficulties processing the meaning of the event.

Escalation of Deviants

The aftermath of a tragedy also increases the probability that deviant persons will surface with the desire to inflict more pain on an already traumatized victim or community. Individuals or groups may reach out personally via mail, email, phone, fax, or text with the intent to:

• prolong or exacerbate the hurt on victims and/or their families by sending inflammatory or explicit photos or messages
• stalk, cyber-stalk or harass those who were impacted
• blame the survivors; not only may victims’ families and members of law enforcement receive unwanted attention, but survivors of the incident maybe targeted (i.e., “this should have been your child,” “you were a terrible teacher, too bad the shooter didn’t get you…”)
• terrorize, scare, or torment by creating diversions or may be an act that follows the main incident, such as a bomb threat or a death threat after the primary incident.

Five Tips to Spot Promotional Scams and How to Ensure Your Promotion is Legal

Sweepstakes and promotional scams are a common method of defrauding people. “If it seems too good to be true… it generally is.” You receive an email asking you to sign up or telling you you’ve already won. The prize? Malware.

This phenomenon affects companies and individuals alike. Such social engineering scams are widely used by cyber criminals. With the goals of these scams being anything from quiet theft of information, outright system shut down, or garnering money companies must be aware of the threat posed to their infrastructure.

Here are a few signs that the promotion you received is a scam:

1. You won…but we need payment to send the prize to you. Legitimate sweepstakes do not require money to receive the prize.
2. You must act within the next 24 hour to claim your prize. Using a sense of urgency to get someone to act is a common tactic in promotional scams and phishing emails alike.
3. You have been sent a gift card, click here to redeem your prize. Be wary of gift cards where no sender is mentioned. If someone sent you a gift, they will identify themselves.
4. You have been randomly selected and won a prize from a major retailer, click here to get your prize. Before you click on that link, check with the retailer. Chances are it is a scam.
5. You are winner from bestbrandprizewin.com!!! Popular brands are often used to lure potential victims. Look out for misspelled brand names, brand names paired with other words, and multiple brand names grouped together.

There are numerous resources that can help distinguish scammers from real promotional contests. Listed below are a few websites that provide scam information. However, new scammers pop up every day so these sites are not exhaustive.

General scam websites: scam.com, scam-watch.com, scambusters.org, fraud.org, wiredsafety.org, snopes.com

Government websites: Onguardonline.gov, ic3.gov, ftc.gov, cybercrime.gov

Phone scam websites: 800notes.com, whocallsme.com, phoneowner.info, callhunter.com

Arming employees with the information necessary to recognize the warning signs of a sweepstakes scam will help your company avoid a scam. Employees must become knowledgeable enough to know how to tell legitimate wins from scams.

Further Reading on Social Engineering Attacks in the Office

• Brian Krebs: Espionage Hackers Target ‘Watering Hole’ Sites
• Washington Post: In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems

In response to the need for additional information, Cyveillance released a Social Media Policy Guidebook. The Guidebook provides recommendations and sample policy language to guide you as you draft your company’s social media policy to avoid the legal pitfalls of social media.

Top 5 Social Media Policy Recommendations:

1. Address employee use of social media during non-working hours for work-related purposes without prior approval – they could be entitled to compensation including overtime.
2. Establish a point of contact for questions and tips regarding social media usage. If there is a specific request procedure, outline it clearly.
3. Establish a training requirement. Training should focus on highlighting the requirements of your social media policy and general cyber safety awareness.
4. When designing a social media policy, consider it in full and ensure you do not violate the rights of your employees.
5. “Savings clauses” do not tend to cure overbroad and otherwise unlawful provisions in an employer’s social media policy, because employees would not understand from this disclaimer that protected activities are in fact permitted [McKesson Corp., Case 06-CA-066504].

Sample “savings clause”: This Policy will not be construed or applied in a manner that improperly interferes with employees’ rights under the National Labor Relations Act.

An increasing number of employers have found themselves in trouble for overbroad social media policies under the National Labor Relations Act (NLRA). As social media becomes a staple in company marketing and operations, companies must arm themselves with an effective and well-articulated social media policy to combat these potential liabilities.

The Acting General Counsel (the “AGC”) for the National Labor Relations Board (NLRB) has released a series of reports highlighting social media cases brought before the Board. The last of these reports, released May 30, 2012, reviews a number of policies and the AGC concluded that at least some of the provisions in the employers’ policies and rules were overbroad and, accordingly, unlawful, under the NLRA. The report identifies one policy as lawful, pointing to the policies substantial use of examples of allowed and proscribed behavior.

Action by the NLRB is not the only concern for social media savvy companies. Defamation, discrimination, and privacy are among other significant legal considerations. Social media policies, coupled with employee training, remain the best risk management technique. Employers must keep in mind that as social media grows and evolves, and as policies are reviewed and considered by regulatory bodies, policies and practices will need to be adapted and adjusted accordingly.

Cyveillance has recommended the adoption of corporate social media policies for some time. We encourage employers to review their existing social media policies in light of NLRB guidelines and other legal considerations. For more information on what you need to consider for your corporate social media policies, please click here to download the full Social Media Policy Guidebook.

Little did Greg know that the lessons in the lecture would be driven home that very day for a credit union Board Member. In the audience was Gerald Smith, Secretary of the Supervisory Committee for ORNL FCU – Gerald described what happened next, in an email to Greg:

Many thanks for your class today. Ironically, someone knew I was staying at this hotel, just like you mentioned, and called my room asking me for my credit card to be placed on file. I said “I’ll come down to the front desk” and they called back after a few seconds saying there was no need to come down.

Per your information, I thought it was strange so I went to the front desk anyway to check things out. They traced the call and I made a report to security. The hotel said they had originally transferred the call, so it was a little spooky thinking about what fraudsters can find out by making a simple phone call.

Cyveillance provides Cyber Safety Awareness Training to help employees understand the latest attacks – such as the one mentioned above – and how to protect against them. Social engineering can happen online and offline, so be sure to be on the lookout.

Related:

Cyveillance: How did the idea for ShodanHQ come to you?

Matherly: I thought scanning the entire Internet would be an interesting problem to solve – I thought it would be fun! I had just written a basic network scanner and as I started using it I realized that sharing and indexing those results might be interesting to others. It started as a hobby during college and have rewritten it over the years until I reached the version it’s at now. Originally, I envisioned Shodan as a service similar to Netcraft but it would cover more services and provide greater access to users. My expectation was that market researchers would enjoy Shodan as a source of empirical data on software usage. The security community picked it up instead, and since then it has developed into a global network of servers that collect data in real-time on a dozen services/ ports from devices around the world.

Cyveillance: Tell us about the scope of the data in ShodanHQ. If an average user comes along, how likely is it that the find what they’re looking for if it exists, and how recent would that data be?

Matherly: Shodan currently includes data on the following services:

• HTTP(S)
• Alternate HTTP
• SSH
• SNMP
• SIP
• MySQL
• RDP
• FTP
• Oracle Web
• MongoDB Admin
• Telnet

Data is constantly collected and on average 5-9 million new records get added to the database each month. Shodan brute-forces the entire IP space to ensure uniform coverage of the Internet and make sure it doesn’t miss subnets due to any algorithm bias. If a device is connected to the Internet, Shodan should have it indexed.

Cyveillance: Would you describe ShodanHQ as a penetration testing tool?

Matherly: It was designed as an intelligence gathering tool, but it gained traction in the penetration testing community. As such I would consider it a penetration testing tool, though it’s best coupled with other tools that can consume Shodan data via the API (see FOCA).

Cyveillance: Let’s pretend I’m part of an information security team at a large corporation. What are the first three queries you recommend I make using Shodan to help protect my company?

Matherly:

1. Look at the Most Popular Searches on Shodan from your dashboard and select a few of them to get a feeling for how Shodan works.
2. Run a search using the ‘net’ filter, where your network IP range is provided as the argument (ex: net:123.123.123.0/24).
3. If your company provides a product that could be facing the Internet, search for it on Shodan. Depending on the product you can identify misconfigured devices, where they’re located and what version is most popular.

Cyveillance: Much has been written about internet-based vulnerabilities found in civil critical infrastructure environments like water and electrical power. Based on what you have seen in ShodanHQ, how real is the threat? How insecure are these SCADA systems?

Matherly: There are several issues of concern, but I will take a glance at the following: exposure and software vulnerability.

With regards to exposure, the majority of critical infrastructure devices aren’t connected to the Internet and aren’t subject to malicious online attacks. Unfortunately, a substantial amount of SCADA devices haven’t been properly configured as the research paper by Eireann Leverett has pointed out. And realistically this is a lower-bound on the potentially vulnerable computers, as Shodan at the time was mostly focused at looking for web servers. I suspect that scanning for SCADA-specific protocols, such as Modbus, would reveal a lot more devices.

The developers of SCADA products have a poor history of responding to security advisories by penetration testers. There are numerous incidents of security professionals being ignored repeatedly when contacting SCADA vendors about vulnerabilities in their software.

Cyveillance: The “internet of things” boils down to making everyday items connected to the internet, like one’s refrigerator or other appliances. This new generation of internet-enabled devices is being designed from the beginning with security in mind… no?

Matherly: You would hope so, but that is unlikely to be the case. For example, just a few days ago an exploit was posted that would let anybody control a Samsung TV that’s connected to the Internet This isn’t an isolated incident, and as more of them get connected to the Internet more people will try to find vulnerabilities. Many companies that develop appliances haven’t faced the security threats that the Internet opens them up to. As such, I doubt they will be prepared for the Internet of things that might be coming soon.

Cyveillance: What type of outreach do you offer to help organizations secure their exposed devices? I understand ShodanHQ has been working with some universities…?

Matherly: Yes! For universities and non-profit organizations I provide increased access to Shodan, greater API options and other custom features. I’ve written new filters and created new API plans to help security researchers get what they need out of the data. Often this results in them finding exposed devices, which then forward the Shodan data to the relevant CERT. And system administrators are using Shodan to make sure there aren’t internal systems exposed to the outside world. If you’re a student, professor or work in IT at a university send me an email!

Cyveillance: Does the inevitable increase in the number of systems using IPV6 present any problem to a system like ShodanHQ that visits systems based on their IP address?

Matherly: I foresee slight changes in the Shodan IP selection algorithm to accommodate the increased search space, but the scanning won’t change fundamentally. On the flipside, a lot of new devices will be exposed to the Internet that currently aren’t. I look forward to expanding Shodan to IPv6 and seeing what devices can be found.

Cyveillance: What’s next for ShodanHQ? Are there any new projects or features on the way anytime soon?

Matherly: Lots of stuff! The Shodan crawling software has received a major overhaul recently, and it has let me scale the architecture more effectively as well as add a lot more services to scan. Over the next year, I want to vastly expand the number of services/ software that Shodan indexes. And very importantly, I will begin storing data on ports that are open but don’t return any searchable data. At the moment, every service I scan has to return some form of text that users can search. In the future, it will be possible to find computers simply based on publicly visibile ports.

And I’m also developing a new website that will make it easier to analyze and create reports out of Shodan data. It’s fun to search Shodan and find devices, but it can be challenging sometimes to find exactly what you want. To solve that issue I’m working on a new project that has been designed from the ground up with knowledge of all the data Shodan contains. This means you can browse your search results on a Google Maps-style map, select areas in charts to filter down search results and perform analysis on aggregate search queries.

Cyber crime never quits. Just this week the DEA made the impressive announcement that it had arrested several individuals who it claims were responsible for selling LSD, ecstasy, ketamine, and other hard core illegal drugs using the Tor anonymity network at a destination called “The Farmer’s Market”. Technology-based schemes like these that put others at risk for serious physical and financial harm are a reminder that we can’t rest when it comes to fighting cyber crime.

One mechanism to help minimize online criminals’ chances of success is for actors in the private sector to band together across corporate lines. The Anti-Phishing Working Group is one such platform for collaboration. Cyveillance was one of the earliest members of the APWG and managed the development of translations for one of the APWG’s first operational projects called the Phishing Education Landing page. This program is now helping redirect tens of thousands of at-risk users to counter-ecrime resources every single month.

The APWG will soon hold the sixth annual Counter-eCrime Operations Summit (CeCOS VI) in Prague. Some of the presentations during the April 24-27th meeting include:

• How a Financial Institution Utilizes Cyber Intelligence to Reduce Risk
• Digital Crimes in Russia and Criminal Prosecution
• Mapping the Cyberfelons’ Homelands: The Most Criminogenic National Networks
• Budapest Convention on Cybercrime: Transborder Law Enforcement Access to Data

In the same way Cyveillance strongly encourages corporate security professionals to take part in organizations like the U.S. Secret Service’s Electronic Crimes Task Force, we can’t recommend participation at events like CeCOS enough. These small, trusted forums are where the rubber meets the road and meaningful teams can be formed to put a dent in the dangerous activity of criminals online. Together we are stronger.

Full details:

​
Anti-Phishing Working Group Counter-eCrime Operations Summit (CeCOS VI)

The focus of this year’s event is the shifting nature of cybercrime and the attendant challenges of managing that dynamic threatscape.

When:
April 24, 10:00AM—
April 27, 3:30PM

Where:
​
​Mövenpick Hotel Prague
​
Mozartova 1 150 00 ,
Prague,
Czech Republic

While the modification of content we view on the fly at a hotel so the hotel can profit (again!) from our use of their wifi is concerning, a more serious issue faces business and leisure travelers. Consider the image below.

This is a screenshot taken in January 2012 at the Marriott Marquis Times Square location (not the same site as mentioned above, but nearby) during the International Conference on Cyber Security held by the FBI and Fordham University. You can see the list of available wifi networks that are available to guests.

Which one should you join? The ones that are not password protected maybe? The one that mentions Marriott? The one that reads “Hotel Internet”?

The question is important because the traffic you send from your computer onto the internet at large can contain sensitive information like passwords, credit card numbers, and maybe even confidential documents. Attackers can set up fake wifi networks that may behave as if they’re simply allowing you access to the internet but are actually intercepting and collecting information you send.

What can you do to reduce the likelihood that your traffic is compromised?

• Make sure you join the network that is officially recommended by the hotel itself. There is generally one, and only one correct network you should use. Don’t be tempted by ones that don’t ask for passwords just because they seem free!
• Use a VPN when you are online to encrypt your online communications. That way if your traffic is intercepted, it will be difficult or impossible for attackers to read.
• Use browser plugins like HTTPS Everywhere to force your communications with certain websites to be encrypted. It doesn’t ensure that all your data is completely safe, but it will create a secure connection or “tunnel” between you and many popular destinations.

To be clear, the Marriott Marquis in Times Square is not in a position to prevent other wifi networks from being offered to their guests. Times Square is a very busy, crowded area where the large range of some wifi networks might “spill over” into their guests’ space. Nor are they able to block rogue wifi signals that may originate within their premises.

The onus is on internet users in such congested areas to be informed about safely connecting online. Consider yourself informed!