MIT Technology Review: Cyber Espionage Nightmare

An article featured on MIT Technology Review covers the disturbing state of corporate cyber espionage. According to the article, agents from China are wanted for allegedly hacking into networks at American companies, stealing emails about business strategy, documents and other information, all to benefit Chinese companies.

Although it seems unlikely that any arrests will be made in the case the US has brought against these perpetrators, the case does offer American companies some valuable lessons. Companies are now less inclined to keep valuable information online, even when that information is “secured.” The clearest response is also the most drastic: unplug.

Read the full story at MIT Technology Review.

Thwarting APTs using NLPRank

An APT is an Advanced Persistent Threat, which is the term for a series of attacks occurring over a period of time, generally targeting one specific organization or type of organization. After infiltrating an organization’s network, attackers will use malicious sites in phishing campaigns against the organization. These install malware so the attackers can access systems containing sensitive data.

NLPRank stands for Natural Language Processing Rank, a technique developed by OpenDNS. In short, this technique is designed to prevent you from visiting a malicious website or fake domain.

OpenDNS can be set up on a home router, which takes effect across everything connected to a home network. This allows parents to set up content filtering on the network. The filtering occurs by checking against a community-driven list of sites suggested for blocking, providing a reputation ranking system for most existing web sites.

However, attackers exploit the lag before a new site acquires a reputation ranking: they rapidly register new domains with scripted systems and then build sites on them that look relatively legitimate.

NLPRank can detect and block such sites without first scanning them, sidestepping the reputation system that most security tools depend on. Instead it analyzes the domain name itself for signs of suspiciousness: it looks for domain names and language that mimic what a company would use, then checks whether the domain was registered recently and whether it is associated with that company’s IP address space.
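The three signals just described (a label that mimics a brand, a recent registration, and hosting outside the brand's own address space) can be combined into a small triage routine. The code below is an added illustration of that idea and is not OpenDNS's NLPRank implementation; the brand name, the allowlisted domains, the netblock, and the WHOIS-style registration dates and resolved addresses are all constructed sample data (RFC 5737 documentation ranges), and the 30-day "recent" window is an assumption.

```python
"""Lookalike-domain triage in the spirit of the NLPRank heuristics.

Added example, not OpenDNS code. All brand data, registration dates and
IP addresses below are constructed for illustration.
"""
import ipaddress
import re
from datetime import date, timedelta

# Constructed: the brand being protected, its known domains, its address space.
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com", "login.examplebank.com"}
BRAND_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed "today" so the example is deterministic.
TODAY = date(2014, 1, 15)
RECENT_DAYS = 30  # assumption: registered within 30 days counts as "recent"

# Constructed WHOIS-like lookup: domain -> (registration date, resolved IPv4).
REGISTRY = {
    "examplebank.com": (date(2005, 3, 1), "203.0.113.10"),
    "login.examplebank.com": (date(2005, 3, 1), "203.0.113.11"),
    "examplebank-secure-login.com": (TODAY - timedelta(days=3), "198.51.100.7"),
    "exannplebank.com": (TODAY - timedelta(days=12), "198.51.100.9"),
    "weather-report.example": (TODAY - timedelta(days=2), "198.51.100.20"),
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'login.examplebank.com' -> 'examplebank'."""
    return domain.lower().rstrip(".").split(".")[-2]


def mimics_brand(label: str, brand: str = BRAND, max_distance: int = 2) -> bool:
    """True if the label embeds the brand or is within a few edits of it."""
    norm = re.sub(r"[^a-z]", "", label.lower())  # drop hyphens, digits, etc.
    return brand in norm or levenshtein(norm, brand) <= max_distance


def registered_recently(reg_date: date, today: date = TODAY) -> bool:
    return (today - reg_date).days <= RECENT_DAYS


def in_brand_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BRAND_NETBLOCKS)


def triage(domain: str, today: date = TODAY):
    """Return (verdict, reasons). Verdicts: 'allow', 'review', 'block'."""
    if domain in LEGIT_DOMAINS:
        return "allow", ["known-good domain"]
    reg_date, ip = REGISTRY[domain]
    if not mimics_brand(registrable_label(domain)):
        return "allow", ["label does not resemble the brand"]
    reasons = ["label resembles the brand"]
    if in_brand_space(ip):
        # A brand-like name hosted by the brand itself is plausibly legitimate.
        return "allow", reasons + ["hosted in the brand's own address space"]
    reasons.append("hosted outside the brand's address space")
    if registered_recently(reg_date, today):
        reasons.append(f"registered within the last {RECENT_DAYS} days")
        return "block", reasons
    return "review", reasons  # old lookalike: worth a human look, not auto-block


if __name__ == "__main__":
    for name in REGISTRY:
        verdict, why = triage(name)
        print(f"{verdict:6s} {name:32s} {'; '.join(why)}")
```

The ordering matters: the allowlist and the address-space check run before the age check, so a company's own freshly registered campaign domain is not blocked merely for being new, while a fresh lookalike hosted elsewhere is.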

Learn more in the news.

Security Predictions for 2014

Every year around this time, security professionals look at the year ahead and the changing threat landscape to predict what might be the biggest threats emerging on the Internet.

Trend Micro offers this interactive and easy to follow online pamphlet, with predictions for 2014 and beyond.

Their predictions include:

  1. Basic two-step verification will no longer work against mobile Man in the Middle (MitM) attacks.*
  2. More cyber criminals will use targeted attack methods to compromise machines and networks, using the weakest link in the chain: humans. They will also leverage proven vulnerabilities from the past.
  3. Malware infection count is likely to surge due to the end of support for various software and operating systems.
  4. Bad actors will increasingly use clickjacking and watering hole tactics and new exploits.
  5. Attackers will target mobile device users even more, veering away from using email attachments for attacks.
  6. One major data breach will occur each month.
  7. Public distrust of privacy for individuals will continue.

Read the details online.

*NOTE: This particular attack is against two-factor authentication that works by sending SMS messages. Two-factor authentication based on a hard token or a soft phone app is still strong. In particular, the Duo Security soft tokens MIT has been working with are not susceptible to this attack vector. That said, soft tokens installed on phones are vulnerable to being directly attacked and their secret seeds stolen. Although we have not yet seen such attacks in the wild, Duo Security stores its secrets in a phone’s “secure element” when the phone is so equipped (for example a phone with an NFC chip, or the iPhone’s secure storage). [Thanks to Jeff Schiller for this clarification.]

Hackers Exploiting Recent Breaking News Stories

Unfortunately, despite all the good that can come out of a horrendous situation, there can also be some disturbingly negative responses. Cyber criminals were once again taking advantage of last week’s news stories to spread malware.

The criminals are using the public’s interest in finding information about the Boston Marathon bombing and the explosion at the Texas fertilizer plant to catch you unawares. Links to videos on YouTube may seem harmless enough, but the web page attempts to pull in malicious content from another site, designed to infect your computer (see examples here and here).

The advice is to be careful when going online to search for information about breaking news events. Be sure to visit your regular, trusted news sources so that you avoid web pages that contain malware, and be sure to delete email messages from unknown sources that claim to have the latest news on the events.

The Value of a Hacked PC

An article from Krebs on Security provides a chart of the surprisingly many malicious uses for a hacked PC.

As Krebs writes: “The project [a chart he put together for The Washington Post in 2009] was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. ‘I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?’, are all common refrains from this type of user.”

Take a look. One of the ideas he tried to get across is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be sold, a cyber criminal will monetize it.

Warning: Malware Installed Through Hotel Internet Connections

Earlier this month, the IC3 (Internet Crime Complaint Center) released an intelligence note describing a recent FBI discovery: malicious actors are targeting travelers abroad through pop-up windows that appear when they attempt to connect to the Internet from their hotel rooms. When a traveler attempts a connection, a pop-up window prompts him to update a widely used and legitimate software product. Accepting the “update” installs malware on the laptop.

Recommendation: Take your software updates right before traveling, and don’t install any software while on the road unless the vendor has been verified. To ensure protection while traveling, members of the MIT community can use the Cisco AnyConnect VPN client, which establishes an encrypted connection to the Internet.

DNS Changer Follow Up

According to the FBI and this news article, hundreds of thousands of users may lose Internet access in July. You may remember the DNS Changer attack last year. Last November, the FBI and other authorities were preparing to take down the infrastructure of rogue servers put up by the cyber criminals responsible for the attack. When the FBI realized that taking down the servers would affect about 570,000 users worldwide, they decided to replace the servers temporarily until March of this year, giving victims the opportunity to clean their infected computers. A federal judge then extended the deadline until July.

The problem started with a vulnerability in Windows, which the criminals took advantage of to convince users to install malicious software. The malware turned off anti-virus updates and changed the way computers resolve website names behind the scenes on the Internet’s domain name system (DNS). The infected computers were reprogrammed to use rogue DNS servers owned by the attackers, which allowed the attackers to redirect those computers to fraudulent versions of any website.

When the replacement servers are taken down on July 9, the computers still infected, estimated at around 360,000, will lose Internet access. Learn how you can detect if your computer has been infected with DNS Changer. MIT community members who need assistance with cleaning a computer of any virus infection can contact the IS&T Help Desk.
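The detection the paragraph points to comes down to one question: are the resolvers this machine is configured to use inside the address ranges the rogue DNS servers occupied? The script below is an added example, not the FBI’s or DCWG’s checker; it parses resolv.conf-style text (the format used on Unix-like systems; on Windows the same addresses appear in `ipconfig /all` output) and flags any resolver that falls in a rogue range. The two ranges it carries are placeholders drawn from RFC 5737 documentation space, not the real published ranges, and the sample configuration is constructed.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example, not from the page, the FBI or the DNS Changer Working Group.
ROGUE_RANGES holds PLACEHOLDER networks; substitute the ranges the
authorities published before using this against a real machine.
"""
import ipaddress
import re

# PLACEHOLDER: RFC 5737 documentation ranges standing in for the real
# rogue-resolver ranges published for DNS Changer.
ROGUE_RANGES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")
]

# Matches 'nameserver <addr>' lines; comments and other directives are ignored.
RESOLVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text: str):
    """Return the resolver addresses found in resolv.conf-style text.

    Tokens that are not valid IPv4/IPv6 addresses are skipped rather than
    raising, so a hand-edited or corrupted file still yields a partial result.
    """
    addrs = []
    for token in RESOLVER_RE.findall(resolv_conf_text):
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return addrs


def is_rogue(addr, ranges=ROGUE_RANGES) -> bool:
    """True if addr lies in any rogue range (IPv6 never matches an IPv4 net)."""
    return any(addr in net for net in ranges)


def check_resolvers(resolv_conf_text: str, ranges=ROGUE_RANGES):
    """Return [(address, is_rogue), ...] for every configured resolver."""
    return [(str(a), is_rogue(a, ranges)) for a in parse_resolvers(resolv_conf_text)]


def check_local_file(path: str = "/etc/resolv.conf"):
    """Run the check against a real file on this host."""
    with open(path, encoding="utf-8") as fh:
        return check_resolvers(fh.read())


# Constructed sample: one ordinary resolver and one inside a placeholder
# rogue range, plus a malformed line to show that parsing tolerates it.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real configuration
search example.com
nameserver 203.0.113.53
nameserver 198.51.100.77
nameserver not-an-address
options timeout:2
"""

if __name__ == "__main__":
    for addr, rogue in check_resolvers(SAMPLE_RESOLV_CONF):
        status = "ROGUE - clean this machine" if rogue else "ok"
        print(f"{addr:20s} {status}")
```

Because the malware rewrote resolver settings rather than the hosts file, checking the configured resolvers is the decisive test; a machine that reports a rogue resolver needs its DNS settings restored and the infection removed before the July 9 cutoff.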