The FORWARD project blog

Archive for November, 2011

SOPA’s latest threat: IP blocking, privacy-busting packet inspection

Monday, November 21st, 2011

According to the Stop Online Piracy Act (SOPA), a network provider can be ordered to prevent access by its US subscribers to allegedly piratical Web sites. That language did not appear in the earlier Protect IP Act.

Markham Erickson, head of NetCoalition, says that this language would cover IP blocking and deep packet inspection.

Protect IP, on the other hand, does not oblige ISPs to block their customers from visiting the numeric IP addresses of off-limits web sites, and it does not require deep packet inspection.

The head of the Recording Industry Association of America (RIAA) supports the legislation and suggests that SOPA could be used to force Internet providers to block by IP address, denying access to only the illegal part of a site.

SOPA is designed to respond to the rise of pirate-content sites: it allows the attorney general to seek a court order against a targeted site, which would be served on ISPs, causing the target to disappear.

An aide to the House Judiciary Committee stated that IP address blocking and deep packet inspection could be necessary, and that it would be up to a judge to decide whether a site is blocked.

Deep packet inspection is the only way to block data from specific pages, and it raises privacy concerns because it means monitoring customers’ browsing.

ISPs are not enthusiastic about SOPA. Verizon has concerns about the legislation and is working with congressional staff to address them.

AT&T remains supportive of the general framework of the Senate bill (similar to SOPA), but when it comes to SOPA “it is working constructively with Chairman Smith and others toward a similar end in the House.”

Sonic.net says that it is technically feasible for it to block a list of IP addresses provided by the government, although this becomes more difficult as the list grows.

On the other hand, Jasper says that deep packet inspection would not be feasible: “We have no capability to do this, so it would not be technically feasible, as it would require complete re-engineering and re-deployment of our network”.

According to SOPA, an ISP must take technically feasible and reasonable measures designed to prevent access by its subscribers located within the US to the blocked site that is the subject of the order.

The RIAA says that SOPA is much more flexible than the Senate bill, as it is less specific. “Instead of setting a particular type of technological response in statute, the bill is flexible to allow an ISP to choose the best method, which today may be DNS blocking. If the ISP feels that any one method may have a detrimental effect on the DNS system or on its network, or if technology changes, it is not locked in.”

Unlike SOPA, the Senate bill and Protect IP target Domain Name System providers, financial companies and ad networks, not Internet connectivity services.

Public Knowledge legal director Sherwin Siy stated that the obligations of an ISP receiving such orders are not narrow enough.

Seth Schoen describes as “surprising” the fact that SOPA is much broader than Protect IP.

If all of this applies, SOPA’s blacklists will start to make the US look more like repressive regimes.

Source: http://news.cnet.com/8301-31921_3-57328045-281/sopas-latest-threat-ip-blocking-privacy-busting-packet-inspection/?tag=mncol


DNSChanger attackers made a profit of $14 million

Friday, November 18th, 2011

DNSChanger is a trojan that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited and potentially illegal sites. It is usually a small file that changes the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan. As a result of this change, the victim’s computer contacts the newly assigned DNS server to resolve the names of web servers.
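The practical check that follows from the description above is to read the resolver addresses a machine is actually configured with and compare them against the published rogue ranges. The script below is an added example, not code from the FORWARD blog or the FBI: it parses a constructed `reg export` fragment of the Windows Tcpip interface keys (where the NameServer value the post mentions lives), works out which resolver each interface would really use (a non-empty static NameServer takes precedence over the DHCP-assigned DhcpNameServer), and flags anything inside a rogue range. The ranges and interface GUIDs are placeholders (TEST-NET documentation prefixes); substitute the real rogue ranges from the FBI advisory when using it.

```python
import ipaddress
import re

# Placeholder ranges (TEST-NET documentation prefixes) standing in for the real
# DNSChanger resolver ranges, which are deliberately not reproduced here.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a "reg export" of the Tcpip interface keys. The first
# interface carries a static NameServer value of the kind DNSChanger writes.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1B2C3D4-0000-0000-0000-000000000001}]
"DhcpNameServer"="192.168.1.1"
"NameServer"="203.0.113.7,203.0.113.8"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1B2C3D4-0000-0000-0000-000000000002}]
"DhcpNameServer"="192.168.1.1"
"NameServer"=""
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="([^"]*)"$')


def parse_resolvers(reg_export):
    """Return {interface key: {"NameServer": [...], "DhcpNameServer": [...]}}.

    Registry NameServer strings hold one or more IPs separated by commas or spaces.
    """
    result = {}
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result[current] = {"NameServer": [], "DhcpNameServer": []}
            continue
        val = VALUE_RE.match(line)
        if val and current:
            result[current][val.group(1)] = [p for p in re.split(r"[,\s]+", val.group(2)) if p]
    return result


def effective_resolvers(iface_values):
    """A non-empty static NameServer overrides the DHCP-assigned servers."""
    return iface_values["NameServer"] or iface_values["DhcpNameServer"]


def find_rogue_resolvers(reg_export, rogue_ranges=ROGUE_DNS_RANGES):
    """Return (interface GUID, resolver IP, matched range) for every rogue resolver."""
    hits = []
    for iface, values in parse_resolvers(reg_export).items():
        for ip_str in effective_resolvers(values):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue  # malformed registry value; nothing to match
            for net in rogue_ranges:
                if ip in net:
                    hits.append((iface.rsplit("\\", 1)[-1], ip_str, str(net)))
    return hits


if __name__ == "__main__":
    for iface, ip, net in find_rogue_resolvers(SAMPLE_REG_EXPORT):
        print(f"{iface}: resolver {ip} is inside rogue range {net}")
```

Checking the effective resolver rather than every value in the key matters: an interface whose static NameServer is empty is fine even if its DHCP server is on an odd address, while a static entry pointing into a rogue range is exactly the symptom the post describes.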


Six people who carried out that attack and earned more than $14 million were arrested in Estonia and Russia by the FBI. According to the FBI, when users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software.


The attackers also replaced legitimate ads on sites with ads that generated illegal payments to them; for example, they replaced an American Express ad on the Wall Street Journal home page with an ad for “Fashion Girl LA,” and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm. Computers were infected with DNSChanger when they visited certain web sites or downloaded particular software; the malware also prevented antivirus software and operating systems from updating.


The whole operation was shut down after a two-year FBI investigation called “Operation Ghost Click”. Afterwards, the rogue DNS servers used in the operation were replaced with legitimate servers, so that infected computers can still access the Internet while their owners clean the malware off their machines.


The FBI also provides a service that tells you whether your computer is infected, simply by visiting the FBI page linked below.

http://news.cnet.com/8301-1009_3-57321844-83/seven-accused-in-$14-million-click-hijacking-scam/?tag=txt;title

http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

RSA attack

Monday, November 7th, 2011

The RSA attackers took advantage of phishing e-mail and the exploitation of a previously unpatched Adobe Flash hole.

They sent phishing emails to low-profile employees with the subject line “2011 Recruitment Plan”. One of the employees made the mistake of opening the email; the attached Excel file contained malware that exploited a hole in Adobe Flash and installed a back door. From there on, the attackers could remotely take control of the computer.

To do that remotely, the attackers used the Poison Ivy tool, which let them gather critical information over C&C connections. This type of espionage attack is called an “Advanced Persistent Threat” (APT), and it is used to gather critical information about the company being hit: knowledge of the company’s high-level operations and network, and information about expert IT employees and their roles in the company.

The attackers’ next step was to gather the data (as quickly as possible, because they had been discovered by RSA) and exfiltrate it in encrypted files over FTP to an external compromised hosting provider.

More companies around the globe may have been hit by this type of attack (APT), whose main characteristic is the persistent espionage of significant targets (the Stuxnet worm is another instance); see the links below.
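The initial step of the chain described above, an Excel attachment carrying a Flash object, is the one a mail gateway can triage cheaply. The script below is an added example and is not RSA’s or the attackers’ code: it inspects an attachment, lists embedded objects in zip-based Office files and scans every part (or, for legacy binary formats, the raw bytes) for the SWF container header (`FWS`, `CWS` or `ZWS` followed by a version byte). The sample workbooks are constructed in memory; the filenames and the `suspicious` verdict are this example’s own.

```python
import io
import re
import zipfile

# SWF container header: "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# followed by a one-byte Flash version number.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")


def scan_bytes_for_swf(data):
    """Return the byte offsets at which an SWF header appears in raw data."""
    return [m.start() for m in SWF_MAGIC.finditer(data)]


def scan_office_attachment(name, data):
    """Triage one attachment and return a findings dict.

    Zip-based files (xlsx/docx): record embedded object parts and scan each part.
    Anything else (legacy .xls OLE2 and similar): scan the raw bytes directly.
    """
    findings = {"name": name, "embedded_parts": [], "swf_hits": 0}
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                part = archive.read(info.filename)
                if "/embeddings/" in info.filename or info.filename.endswith((".bin", ".swf")):
                    findings["embedded_parts"].append(info.filename)
                findings["swf_hits"] += len(scan_bytes_for_swf(part))
    else:
        findings["swf_hits"] = len(scan_bytes_for_swf(data))
    findings["suspicious"] = findings["swf_hits"] > 0
    return findings


def build_sample_xlsx(embed_swf):
    """Construct a minimal zip-based workbook in memory (not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        if embed_swf:
            # An OLE wrapper holding a zlib-compressed SWF (version 10) header.
            archive.writestr("xl/embeddings/oleObject1.bin",
                             b"\x00" * 16 + b"CWS\x0a\x78\x9c" + b"\x00" * 32)
    return buf.getvalue()


# Constructed legacy workbook: OLE2 compound-file magic, then an uncompressed SWF header.
SAMPLE_LEGACY_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                     + b"FWS\x08" + b"\x00" * 16)


if __name__ == "__main__":
    for name, blob in [("plan.xlsx", build_sample_xlsx(True)),
                       ("clean.xlsx", build_sample_xlsx(False)),
                       ("plan.xls", SAMPLE_LEGACY_XLS)]:
        print(scan_office_attachment(name, blob))
```

A header match is a triage signal, not proof: three letters and a small byte do occur by chance in compressed data, so a hit should route the attachment to sandbox detonation rather than be treated as a conviction. Conversely, the scan sees only uncompressed streams, which is why zip-based files are scanned part by part after extraction.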


http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

http://news.cnet.com/8301-27080_3-20051071-245.html

https://secure.wikimedia.org/wikipedia/en/wiki/Advanced_persistent_threat