How a Surveillance State Becomes an Obedience State

When I was interviewing for a job at a large educational institution in South Korea, the Korean American administrator who interviewed me tried to sell the place by bragging that they had cameras in every classroom and every office. Cameras in my classroom? I didn’t feel this was a major selling point, for some reason. I mentioned that most American teachers wouldn’t feel comfortable with this arrangement, but he told me that the Americans working there had no problems with it. So I shrugged it off as a personal problem on my part.

However, when I began working there, I noticed that cameras were everywhere except for the office where the American teachers worked. Apparently, they had rebelled against the idea of being monitored while they were doing their jobs or idly chatting among themselves. We soon learned where the ‘dark spots’ were when we wanted to discuss something in private. These were often in storerooms. We also learned where the monitoring took place. Sadly, one place that could monitor any classroom at will was the office housing Korean teachers and Korean staff members. Any administrator could monitor any camera at any time. We had seen our emails being monitored as well. We learned to adjust to living in this microcosm of a surveillance society, but we weren’t happy about it.

According to most surveys, Americans are evenly divided on their ideas about government surveillance. The government’s position is that they need surveillance to protect Americans against terrorist attacks and, when these attacks occur, Americans tend to agree with them. Over time, Americans have accepted the fact that their communications are being monitored. In a Pew survey conducted in September, 70% of Americans believed that their calls and emails were being monitored; however, a Reuters survey conducted earlier in the year found that “75 percent of adults said they would not let investigators tap into their Internet activity to help the U.S. combat domestic terrorism.” So, like the Americans I worked with in South Korea, they realized their actions were being monitored but they didn’t like it. And this leads us to the most interesting of all statistics.

A remarkable 85% of Americans questioned in a recent Rasmussen survey said that freedom of speech was more important to them than being politically correct. Yet, only 28% believe that they have true freedom of speech, as 66% feel they must be careful about getting into trouble by saying something that is politically incorrect. This produces the sort of self-monitoring that I saw among my American colleagues in Korea when we knew cameras were nearby.

So, to put these statistics in perspective, freedom of speech seems to exist as an unattained ideal. Americans feel they are under surveillance by the government so they, in turn, must either monitor their online activity or take some precautions to prevent the government from gaining easy access to what they say or do. These precautions could be anything from using VPNs, using the Tor browser, or using encrypted email. In fact, 65% of Americans now use VPNs. But will VPNs be allowed in the future?

Across the globe, countries have been censoring more internet activities over time, as can be seen in the image below.

surveillance censoring

Add to this China’s recent ban on Skype and their imposition of more controls on Chinese-based social media sites, Baidu, Tencent, and Weibo. In addition, Russia plans to ban Facebook in 2018. Will other countries consider banning Tor or VPNs? We can’t be sure, but this is certainly the trend if government surveillance begins to triumph over personal privacy.

Occasionally, you see a U.S. reporter traveling to North Korea or China and asking some befuddled local what they think of a certain government policy. Do they really believe that these people will say what they honestly think, even if they are completely against the policy? If they did, it would be the last time they would be seen in public. That’s what surveillance descends into: surveillance leads to fear, which leads to self-monitoring, which leads to a loss of free speech. If the government prosecutes those who say things they do not like, under whatever pretext, oppression begins. Oppression leads to reluctant obedience. At some point, people fear they cannot express their true beliefs because of either implicit or explicit ramifications. When the government retains the right to re-brand free speech as subversive or hate speech, they risk becoming despotic.

According to Privacy International, “mass surveillance is the subjection of a population or significant component of a group to indiscriminate monitoring. It involves a systematic interference with people’s right to privacy. Any system that generates and collects data on individuals without attempting to limit the dataset to well-defined targeted individuals is a form of mass surveillance.” Yet, within the confines of mass surveillance, freedom of the press can still exist, at least in principle. In 2002, according to the Reporters Without Borders website, the U.S. ranked 17th in press freedom. This year, 2017, the U.S. has fallen to 43rd place, just below Burkina Faso and just ahead of Romania. No prizes for guessing who’s on the bottom of the list of 180 countries.

press freedom worst

There is probably little appreciable difference between the amount of surveillance in China and the U.S. The real difference is to how that surveillance is used. Chinese surveillance is used to control individual behavior (enforced obedience) while U.S. surveillance, at least for the most part, is used to monitor individual behavior. The problem is that the boundary between these two uses is somewhat diffuse and often overlaps. Are there sites you could visit that would trigger an alarm that would lead to physical intervention from government agencies? I would think that was highly likely.

Edward Snowden’s exposure of the PRISM surveillance system and the recent leak of the NSA’s Ragtime program which uses cell phone service providers to monitor the activities of American citizens, only serve to point out the slippery slope we are on. Defenders of surveillance will point out that, though Americans are guaranteed the right of free speech, they do not, constitutionally, have the right to privacy. It is in this gray area that the battle is being fought.

And that battle will take place in Congress very soon when Section 702 of the Foreign Intelligence Surveillance Act comes up for continuation and revision. It will, if not acted on, expire on December 31st. In short, this bill will continue current surveillance activities until 2025 and may add an amendment that intelligence agencies can search through American conversations in search of ‘foreign intelligence information’ without the need for a warrant; something which is currently required. It is also feared that this bill could be linked to other important bills to guarantee it will be passed. For example, it could be linked to the budget bill, wherein failing to agree to the new surveillance act could lead to a government shutdown. It is through such cunning bureaucratic maneuvers that a surveillance state becomes an obedience state.

The slope is getting more and more slippery and this may very well be the last chance the American public has to decide what sort of future it wants to live in. The Washington Post analyzed the files released by Edward Snowden and found that “nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents.” These included, “many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes.” You will likely not hear much about this bill in the mainstream media. Nonetheless, we will see if the 85% of Americans who say they strongly support free speech will be fairly represented.




New Banker Trojan is Designed to Leverage Facebook and Twitter Accounts

Bitdefender has exposed a dangerous new trojan, based on the now infamous ZeuS Banker Trojan. This trojan, named Terdot, is designed to target social media and major email sites as well as banks. It is designed to gather credentials from Facebook, Twitter, Google Plus and YouTube and also targets email service providers such as Microsoft’s login page, Yahoo Mail, and Gmail. In short, Terdot’s complex structure gives it the ability to become a very dangerous threat.

Not surprisingly, Terdot begins its attack through an email and an attached file hiding behind a PDF icon. Many of the emails only contain the icon, which should be suspicious. However, the ‘PDF file’ may be given a legitimate looking name. If that file is subsequently opened, the malware takes over the victim’s computer and browser, monitoring all of the victim’s activities. In most cases, it writes itself into the registry to gain persistence. However, if it does not have the rights to do this, it will send the victim this message.

terdot changes

Notice that it claims to be a Windows utility and that it is verified by Microsoft Windows. Most users would think that was proof enough of validity and simply allow the malware to proceed to rewrite the registry. If it is given this permission, the malware will then persist even after a reboot. It, then, becomes extremely difficult to remove. As one virus removal site noted, “removing Terdot manually may take hours and damage your system in the process.”

Once on a victim’s computer, the malware has numerous ways to update itself and execute its code. It is almost impossible to block. It is also almost impossible to detect.

Terdot operates primarily through a Man-In-the-Middle (MITM) attack. It secretly becomes part of your browser and watches everything you do and intercepts communications and diverts them to pages that will steal your login credentials or credit card numbers. A key component of the malware is its ability to trick the browser into accepting all connections requiring SSL certificates (HTTPS sites). This includes sites that would normally trigger some sort of untrusted certificate warning, such as the following.

terdot untrusted certificate

This means that even sites with the HTTPS designation are not safe. By accepting all certificates, the malware can direct the victim to legitimate-looking but nefarious sites that will gather login credentials or banking information. The exploit is deployed differently in Firefox and Microsoft browsers, but the result is the same.

Although Terdot is based on the architecture of the most infamous banking malware, ZeuS, it is designed to do much more. Yes, it does target banks. For the moment, it seems to be focusing on Canadian banks. That is, it leads victims to log into spoofed banking sites and, in so doing, captures their login credentials.

However, unlike ZeuS, according to Bitdefender, Terdot “can also eavesdrop on and modify traffic on most social media and email platforms.” It is designed to gather credentials from Facebook, Twitter, Google Plus and YouTube and also targets email service providers such as Microsoft’s login page, Yahoo Mail, and Gmail.

So what can Terdot do if it gains access to your Facebook page? It can exploit your friends/contacts for one. It can post links to infected pages or send your contacts infected files to open in order to create more victims. Since your contacts think the files are from you, they would be more likely to open them. In addition, if you or your friends have credit card information stored on their sites, that, too, can be stolen. If they wanted to, they could lock you out of your account completely, but they appear to use these social media sites mainly to gather information and propagate their attacks.

So what can you do? First of all, be suspicious of any PDF file that is sent to you via email, even if it comes from a contact or a friend. If you have any doubts, ask those contacts if they, indeed, have sent you this file. If you can’t contact them, copy the file and check it on a site like VirusTotal.
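Beyond asking the sender, there is a cheap check anyone handling mail attachments can automate: does the file’s content actually match what its name and icon claim? The script below is an added example written for this post (it is not Bitdefender’s analysis or Terdot’s code). It looks at the leading bytes of an attachment, compares them with the extension, and flags the pattern described above: something that is dressed up as a PDF but is really a Windows executable, or that hides an executable extension behind a document one. The signature table and the sample attachments are constructed for the demonstration.

```python
"""Attachment triage: does the content match what the name claims?

Added example, not code from the original post. It flags attachments that
only look like documents: a PE executable named like a PDF, a hidden second
extension, or a Unicode control character used to disguise the real name.
"""
import re

# Leading-byte signatures ("magic bytes") for a few formats that arrive as
# mail attachments. Constructed table for the example; extend as needed.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                  # Windows PE image (.exe, .scr, .dll ...)
    b"PK\x03\x04": "zip",          # also .docx/.xlsx containers
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls (macro-capable)
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd", "lnk", "hta"}


def sniff_format(data: bytes) -> str:
    """Identify the real format from the first bytes, or 'unknown'."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def claimed_extensions(filename: str) -> list:
    """Every extension in the name, lowercased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(filename: str, data: bytes) -> dict:
    """Return the real format plus the reasons (if any) the attachment is suspicious."""
    exts = claimed_extensions(filename)
    actual = sniff_format(data)
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXT:
        reasons.append("executable extension")
        if len(exts) > 1:
            reasons.append("double extension hides executable")
    if last == "pdf" and actual != "pdf":
        reasons.append("named .pdf but content is " + actual)
    if actual == "exe" and last != "exe":
        reasons.append("PE executable with non-exe name")
    # Right-to-left override and zero-width characters reorder or hide the
    # visible name; a legitimate attachment name never needs them.
    if re.search(r"[\u202e\u200b-\u200f]", filename):
        reasons.append("Unicode control character in name")
    return {"file": filename, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a genuine PDF and two disguised executables.
    samples = [
        ("statement.pdf", b"%PDF-1.7\n%constructed sample"),
        ("statement.pdf.exe", b"MZ\x90\x00\x03\x00"),
        ("statement.pdf", b"MZ\x90\x00\x03\x00"),
    ]
    for name, blob in samples:
        print(triage(name, blob))
```

On a real mail gateway the same check would run over the decoded attachment rather than a byte string, and a hit would route the message to quarantine rather than print; the logic is the same.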

Apparently, the malware also tries to use the Sundown Exploit Kit to infect computers. The Sundown Exploit Kit (which is free) is used to direct a victim to infected web pages. Though the Edge browser is able to detect the malware, it seems that the operators behind Terdot are trying to find new ways to infect Edge. Through the Sundown Exploit Kit, Terdot has been found to be directing users to infected websites that contain the malware hidden in image files, in a technique known as steganography (for an explanation and examples, see my post on How Terrorists Communicate). In some cases, it downloads a blank image file from these sites which hides the malicious code.

Terdot targets devices using the Windows operating system. It specifically targets older Windows versions. Edge automatically updates, so it is safe for now. If you are using an older browser or you are not allowing automatic updates on Windows 10, then you are exposed.

For the moment, certain countries seem more vulnerable than others, as can be seen in the following chart.

terdot countries

Since the code for this malware is available for anyone to use, it can be honed for particular needs. Recently, according to some sites, Terdot has been converted into a ransomware delivery package. It could also be used to target key individuals in important companies or institutions through sophisticated spearphishing attacks that use legitimate-looking contacts. So, at least for now, whenever you receive an email with an attachment, a little paranoia is a good thing.


The CIA Uses Kaspersky to Mask Its Cyber Operations

Attribution. That’s what makes most cyber attack investigations inconclusive. Attribution is what makes cybersecurity firms incapable of delineating the extent of Russian meddling in the 2016 U.S. election, if any. No matter what you may read, no one, not even cybersecurity firm, CrowdStrike, the only entity ever to get a glimpse of the DNC servers, will say they are 100% sure that Russia was behind the DNC hack. In short, the more attackers can obscure their origins, the safer they are from being linked to an attack. Who would be most concerned about attribution, and who would have the most money to spend on hiding their trail? The answer: nation-states.

So how does the world’s most financially empowered nation-state agency, the CIA, obscure its attacks? Until Wikileaks gave the details of a program called Hive, we had little idea. Hive is the name given to an architecture the CIA used (or still uses) to make it nearly impossible for the victim of an attack to trace the attack back to the CIA.

There are basically three stages of a successful cyber attack. These could be named infection, persistence, and eradication. Government agencies use more sophisticated infection techniques because they have the money to do so. They don’t have to hope someone downloads an infected file included in a spam email. They can specifically target an individual in a network. They can infiltrate the supply chain or constellation of enterprises that work with the target enterprise and leverage this connection to get a file downloaded or a website visited. It is also more common for them to arrange for an insider to get the infection (malware) implanted. Eradication is the opposite of infection. It refers to the removal of all evidence of an attack when the attack has accomplished its goal or is in danger of being exposed.

What this post is concerned with is the second stage of the hacking process, persistence. This is where any attribution is most likely to occur. This is where sophisticated masking is most necessary as this would allow the malware to operate undetected for enough time to accomplish the necessary gleaning of important information. Hive is a program designed for persistence. Here is a diagram of how it works. I added information to make this complex program somewhat easier to understand. Keep in mind that Hive uses normal, if boring, websites to mask its operations, so the architecture must be designed to separate normal web browsing interactions from interactions involving stolen data.


Information from the implanted malware authenticates itself on these innocent looking websites by using a fake certificate pretending to be associated with Kaspersky. Here is part of that code.

kaspersky fake certificate

Many writers on this topic seem to imply that this certificate is designed to ‘fool’ security software or security staff into thinking nothing suspicious is occurring on the network. These analysts claim that seeing outgoing traffic on a machine log with the name, Kaspersky, attached to it would raise no alarms. Really? What if that machine had no Kaspersky security products on it? Sure, it may fool software, but not trained IT staff. That is, of course, unless the machine had Kaspersky security software installed on it. This would bring up the possibility that the machine or network was scanned prior to the installation of the malware to determine whether Kaspersky products were being used.

Oddly, this is what Duqu 2.0 malware does. For those who don’t know, Duqu 2.0 was designed by Israeli intelligence to hack into Kaspersky. Kaspersky subsequently wrote a report on it. The malware was found to search for devices using Kaspersky antivirus as well as antivirus programs from other vendors. It used these antivirus programs to harvest files that the attackers identified as holding important information. Thus, if the CIA used similar malware to scan for machines using Kaspersky products, outgoing traffic from these machines that used bogus Kaspersky certificates would not look suspicious and the malware would be able to persist for an extended period of time.
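The argument above can be turned into a detection rule for the trained IT staff it mentions: a certificate that names Kaspersky is only plausible on a host that actually runs a Kaspersky product, and even then only if the certificate chain validates. The script below is an added example written for this post (it is not code from the Hive leak or from Kaspersky). It reads TLS session records in the shape of Zeek’s ssl.log (tab-separated: timestamp, client address, server name, certificate subject, issuer, validation status), cross-checks the certificate subject against a constructed endpoint inventory, and reports sessions where a vendor identity is asserted by a certificate the host cannot vouch for. All log lines, addresses and hostnames are constructed for the demonstration.

```python
"""Flag outbound TLS sessions whose certificate borrows a security vendor's name.

Added example, not code from the original post. Rule: a subject naming a
watched vendor must (a) come from a host that runs that vendor's product and
(b) chain to a trusted issuer. Anything else is worth an analyst's look.
"""

# Constructed records in the style of Zeek's ssl.log (tab-separated).
# Fields: ts  id.orig_h  server_name  subject  issuer  validation_status
SSL_LOG = """\
1510000001.1\t10.0.0.5\tupdates.example-vendor.test\tCN=Kaspersky Lab,O=Kaspersky Lab\tCN=Kaspersky Lab,O=Kaspersky Lab\tself signed certificate
1510000002.2\t10.0.0.7\tstatic.example-cdn.test\tCN=Kaspersky Lab,O=Kaspersky Lab\tCN=Kaspersky Lab,O=Kaspersky Lab\tself signed certificate
1510000003.3\t10.0.0.7\twww.example.test\tCN=www.example.test\tCN=Example Root CA\tok
1510000004.4\t10.0.0.5\tmail.example.test\tCN=mail.example.test\tCN=Example Root CA\tunable to get local issuer certificate
"""

# Constructed endpoint inventory: which hosts actually run which security products.
INVENTORY = {
    "10.0.0.7": {"Kaspersky Endpoint Security"},
    "10.0.0.5": set(),
}

# Vendor names whose appearance in a certificate subject is cross-checked.
WATCHED_VENDORS = ("kaspersky",)


def parse_ssl_log(text: str) -> list:
    """Turn the tab-separated log into a list of dicts; skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, sni, subject, issuer, status = line.split("\t")
        rows.append({"ts": float(ts), "host": orig_h, "sni": sni,
                     "subject": subject, "issuer": issuer, "status": status})
    return rows


def vendor_in(distinguished_name: str):
    """Return the watched vendor named in a DN, if any."""
    dn = distinguished_name.lower()
    return next((v for v in WATCHED_VENDORS if v in dn), None)


def host_runs(host: str, vendor: str) -> bool:
    """True if the inventory shows a product of that vendor on the host."""
    return any(vendor in product.lower() for product in INVENTORY.get(host, ()))


def evaluate(row: dict) -> list:
    """Reasons a session deserves attention; an empty list means it looks normal."""
    reasons = []
    vendor = vendor_in(row["subject"])
    if row["status"] != "ok":
        reasons.append("chain did not validate: " + row["status"])
    if vendor:
        if not host_runs(row["host"], vendor):
            reasons.append(f"cert claims {vendor} but host has no {vendor} product")
        if row["status"] != "ok":
            # Even on a host that runs the product, a genuine vendor cert chains
            # to a public CA; a self-signed one in the vendor's name is the point.
            reasons.append(f"{vendor} identity asserted by an unvalidated cert")
    return reasons


def find_suspicious(text: str) -> list:
    """(client host, server name, reasons) for every session that trips a rule."""
    hits = []
    for row in parse_ssl_log(text):
        reasons = evaluate(row)
        if reasons:
            hits.append((row["host"], row["sni"], reasons))
    return hits


if __name__ == "__main__":
    for host, sni, reasons in find_suspicious(SSL_LOG):
        print(host, sni, "; ".join(reasons))
```

Note what the second record shows: the host does run a Kaspersky product, so the vendor name alone raises nothing, but the certificate is self-signed, and that is what still gives it away. Inventory matching is the cheap filter; chain validation is the check that holds up.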

It should be noted that Kaspersky has been a thorn in the side of the U.S. intelligence community for a long time. They seriously exposed and undermined actions of the Equation Group, which was the name Kaspersky gave to NSA espionage malware developers. When the Equation Group used Flame malware, their fake certificates were made to look like they came from Microsoft. Kaspersky subsequently sinkholed some C&C sites used by Flame, as seen in the page below. This interrupted the NSA’s intelligence gathering operations and must not have been looked upon fondly, to say the least.

kaspersky flame

It would, then, certainly have given U.S. intelligence some satisfaction to give Kaspersky a black eye by using false Kaspersky certificates. But this was but the first step in efforts to discredit the security firm. U.S. intelligence has been casting doubts on Kaspersky and suggesting that it had links to the Russian government for some time. Recently, the final nail was put in Kaspersky’s coffin when its products were banned for use by government agencies.

Hive may or may not still be in operation. However, even if it is not, it is certain that something like it, but even more sophisticated, is being used to maintain persistence and impede attribution. It is also certain that these new programs will eventually be exposed through either insider leaks or the investigations of security firms.

Many cyber security firms have close relationships to governments. Check Point, for example, has been working with the U.S. government since at least 2013. It would be quite a surprise if Kaspersky was not doing some work for the Russian government, but just how much work remains the question.

All of this is more complicated by the actions of a hacking group called The Shadow Brokers which routinely tries to sell NSA hacking tools online. Edward Snowden believes The Shadow Brokers is a Russia-based group; “circumstantial evidence and conventional wisdom indicates Russian responsibility”. One cannot help but wonder where The Shadow Brokers is getting these tools. At first, it was believed the tools were leaked by an insider named Harold Martin III; however, the leaks continued after he was imprisoned. It has been suggested by more than one researcher that Kaspersky may have, inadvertently or not, been implicated in the actions of The Shadow Brokers. It simply doesn’t help their case that a Russian-based group is behind the sale of these NSA tools. There seems but one way out of this dilemma for Kaspersky. They need to put as much energy into uncovering the cyber operations of the Russian government as they did on the NSA, otherwise, they will never regain an unbiased position in the cybersecurity community.




The Recent Increase in Email-based Blackmail and Extortion Scams

If you get an email that threatens to expose you to colleagues, contacts, or law enforcement agencies, don’t get overly concerned; unless, of course, you’re a criminal. These kinds of emails have been around for a while, but have recently been on the increase and, in some cases, they are using an upgraded attack methodology.

The Porn Site Scam

This scam seems to be spreading at a serious rate. Although it has been widespread in Australia and the Middle East, it has only recently been showing up in the U.S. It seems that the criminal behind it is exploiting a large database of email addresses. The basic scam is that he says he has proof (possibly photographic/video proof gleaned from your web cam) that the victim has recently visited a porn site he has compromised. Unless the victim pays in Bitcoins, he will send this proof to all of his/her contacts.

The email gets through filters by using actual (probably compromised) email addresses. Here is the header (victim’s address changed) from the most recent attacks as outlined in Dynamoo Blog.

From:    Hannah Taylor []
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:

Other subject headers have been: “You not first, you not last”, “I would not want you to be very upset”, and “All in your hands”. There are probably more.

Most of these begin with permutations of the following sentences: “I do not want to judge anyone”, “I do not want to judge you”, “I do not presume to judge anyone”, and, most recently, “I sincerely anticipate that I will not hurt ur feelings.” They all end with something like the following: “You can complain to cops for a help, but they wont search out me” or “I do not think that cops can find me”. You are then given a Bitcoin address and told that you have a limited amount of time to pay around $300.

Dynamoo traced the domain address to Russia and someone named Alexey Pokachalov. He discounted that this owner was the actual scammer because “you wouldn’t post real contact details on the WHOIS and then solicit anonymous payments through BitCoin”. True, but maybe the attacker was not as sophisticated as he thinks.

I traced the name through a number of Russian forums where the same gmail address was used. The poster used the nickname ‘legzzi’. Of course, the hacker may have used the nickname of the original owner to post on sites the owner already belonged to. But that doesn’t really matter. Only the topic of the posts would matter, especially the most recent posts. For those who may want to pursue this further, here are the contact details he is using.


He uses the name, legzzi, on forums and on one of these he complains, or so it seems, that he was unable to use card numbers that he bought, probably on the black market. It seems he wants to buy or sell things that he may have bought from legitimate markets with Bitcoins. In one post, he complains that Russian customs stopped his order.

scammer warned

In another post, it seems he has run into trouble with the Russian government and is asking for advice on how to avoid prosecution. He frequently asks for help in manipulating databases, leading one to believe that he has gotten his hands on a database with email addresses and wants to learn how to use it to send out spam emails.

A new wrinkle on this scam is that these blackmail emails have been showing up in corporate email inboxes. Maybe the hacker believes the threat of being exposed to work colleagues and management will make people pay up. But don’t bother. In short, this looks like a scam run by a low level, technologically inept Russian hacker who simply wants to make a few bucks or Bitcoins. The bottom line is that you can simply delete these emails without worrying.

DDoS Extortion

A distributed denial of service attack (DDoS) uses botnets to overpower a site’s server and effectively knock it offline. As I noted in a recent post, such attacks can be quite costly. Here, however, I’m referring to fake DDoS attacks that try to extort money from companies. Usually, someone in a company gets an email like this.

ddos scam

It is very difficult to tell if the threat is real or not. With the price of prevention relatively low (around $700 in the scam above), as compared to what the cost of a real DDoS attack would be ($2.5 million average), the attackers hope the companies will just pay up rather than take the risk.

In July, the FBI warned of such attacks that hide behind the names of successful DDoS hacking groups such as Anonymous and Lizard Squad. Recently, these scammers have appeared again posing as Armada Collective or Phantom Squad, as seen in the above email. Both groups have successfully launched DDoS attacks against companies in the past. Other names the fake attacks use are New World Hackers, LulzSec, and Fancy Bear.

There are a couple of ways that a company can determine whether this is a scam or not. First of all, the ransom demand is too low. Renting or buying a botnet large enough to bring down a major company for a destructive length of time costs a lot of money. This being the case, the attackers will not be settling for hundreds or even thousands of dollars.

Secondly, check with scam services, the Better Business Bureau, or simply type in an unusual sentence from the email on Google to see if others are being scammed in the same way. True operators behind a DDoS attack don’t have the resources to attack many companies at the same time. Usually, they can only organize a botnet to affect one company at a time. Attack warnings on numerous companies are generally the result of spamming attacks that hope to pick up some easy money from nervous companies.

If the above mentioned signposts are found, simply wait until the deadline (usually 24 hours) has passed. Most companies that have been threatened by these attacks and haven’t paid the ransom found that nothing happened. The attackers just went away.

Of course, it’s normal to be upset by such emails. Some companies have paid the ransom demanded which, of course, will inspire the criminals to keep going. Actual DDoS threats will sometimes do a demo takedown to prove their strength. This could also be a more elaborate scam as botnets are priced according to how long the attackers want the attack to continue. In such cases, it’s up to individual companies to determine whether they want to take the risk of ignoring the ransom demand or not. Just remember that these attackers can’t afford to continue these attacks forever.
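The two scams above share the same tells: a stock opening line, a Bitcoin address, a deadline, and, for the DDoS variant, a demand far too small to pay for a real sustained attack. The script below is an added example written for this post (not Dynamoo’s analysis or anything from the FBI warning). It extracts those indicators from an email body and also produces a fingerprint of the email’s most distinctive sentence with the per-victim details (amount, address, deadline) stripped out, which is the automated version of pasting an unusual sentence into a search engine to see whether others received the same mail. The opener phrases and group names come from the post; the sample emails, the Bitcoin address and the $10,000 threshold are constructed for the demonstration.

```python
"""Triage an extortion email: what does it claim, and does it look mass-mailed?

Added example, not code from the original post. Works on a plain-text body.
"""
import hashlib
import re

# Opening lines seen in the porn-site scam (quoted in the post above).
KNOWN_OPENERS = [
    "I do not want to judge anyone",
    "I do not want to judge you",
    "I do not presume to judge anyone",
    "I sincerely anticipate that I will not hurt ur feelings",
]
# Group names the fake DDoS threats borrow (listed in the post above).
KNOWN_GROUPS = ["Armada Collective", "Phantom Squad", "Anonymous", "Lizard Squad",
                "New World Hackers", "LulzSec", "Fancy Bear"]
# Below this, a DDoS "ransom" cannot pay for the botnet it threatens with.
LOW_RANSOM_USD = 10_000  # constructed threshold for the example

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # legacy base58 address
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*(hours?|hrs?|days?)\b", re.IGNORECASE)

# Constructed samples; the address is not a real one.
SAMPLE_SEXTORTION = """I do not want to judge anyone. I have a record from your web cam while you visited an adult site.
Send 300 USD ($300) to 1DemoAddressNotRea1xxxxxxxxxxxxxx within 48 hours or I send it to all your contacts.
You can complain to cops for a help, but they wont search out me."""
SAMPLE_DDOS = """We are Phantom Squad. Your network will be hit by a DDoS attack starting in 24 hours.
Pay 0.5 BTC (about $700) to 1DemoAddressNotRea1xxxxxxxxxxxxxx and we will not attack."""
SAMPLE_NORMAL = "Hi team, the Q3 budget review is moved to Thursday at 3pm. Slides attached. Thanks, Dana"


def fingerprint(body: str) -> str:
    """Hash of the longest sentence with addresses, numbers and case removed.

    Two victims' copies of one campaign differ only in those details, so they
    share a fingerprint; that is what you would search for to find other targets.
    """
    sentences = re.split(r"(?<=[.!?])\s+", body.strip())
    longest = max(sentences, key=len)
    norm = BTC_RE.sub("", longest)
    norm = re.sub(r"\d+", "", norm).lower()
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def triage(body: str) -> dict:
    """Classify the email and list the indicators that support the verdict."""
    low = body.lower()
    addresses = BTC_RE.findall(body)
    amounts = [int(a.replace(",", "")) for a in AMOUNT_RE.findall(body)]
    amount = max(amounts) if amounts else None
    m = DEADLINE_RE.search(body)
    deadline = f"{m.group(1)} {m.group(2).lower()}" if m else None

    openers = [p for p in KNOWN_OPENERS if p.lower() in low]
    groups = [g for g in KNOWN_GROUPS if g.lower() in low]
    if openers or any(k in low for k in ("web cam", "webcam", "adult site", "porn")):
        kind = "sextortion"
    elif groups or "ddos" in low:
        kind = "ddos_extortion"
    else:
        kind = "none"

    indicators = []
    if openers:
        indicators.append("known sextortion opener: " + openers[0])
    if groups:
        indicators.append("claims to be " + groups[0])
    if addresses:
        indicators.append("payment to Bitcoin address")
    if deadline:
        indicators.append("deadline of " + deadline)
    low_demand = amount is not None and amount < LOW_RANSOM_USD
    if kind == "ddos_extortion" and low_demand:
        indicators.append(f"demand of ${amount} is far below the cost of a real sustained DDoS")

    likely_scam = bool(addresses) and (
        kind == "sextortion" or (kind == "ddos_extortion" and low_demand))
    return {"kind": kind, "bitcoin_addresses": addresses, "amount_usd": amount,
            "deadline": deadline, "indicators": indicators,
            "fingerprint": fingerprint(body), "likely_scam": likely_scam}


if __name__ == "__main__":
    for sample in (SAMPLE_SEXTORTION, SAMPLE_DDOS, SAMPLE_NORMAL):
        print(triage(sample))
```

The verdict is deliberately conservative for the DDoS case: a claimed group name alone proves nothing, since the real groups exist, so the rule needs the low demand as well. A fingerprint that matches across several inboxes in your organisation is the strongest single sign that you are looking at a mass mailing rather than a targeted threat.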

The Plagiarized Essay Scam

“Pay $1500 or be exposed for using essay website to cheat”.

This somewhat elaborate scam is targeted at all the students who aren’t reading this post. However, because of its somewhat more intricate attack vector, it is worth looking at in some detail. Similar scams could eventually evolve that use this same template.

Most schools realize that plagiarism is a problem and, despite the warnings, they understand that students will continue to buy essays from essay writing services or copy material from online sites. This scam, which was exposed by a student at Curtin University in Australia, may be the beginning of a scam that could easily make its way around the globe.

It began with a student visiting an online forum for help with writing an essay. It was akin to offering yourself up as a victim. The student received advice from one forum member and was even sent a sample essay. Then the trap closed. The forum member who helped him now wanted “tutoring fees”. The student refused to pay, as there had been no previous talk of payment.

Probably because the student had given the scammer his email address to receive the sample essay, or possibly from information on the forum, the scammer was able to send numerous demands from different email addresses demanding $1500 for not telling the university that he had plagiarized an essay.

As it turned out, however, the student never used the essay he was sent because he felt it was unethical to do so. When he continued to refuse to pay, the scammer sent a fake email that pretended to be from the school’s vice chancellor. This email outlined the plagiarism case against the student. One wonders what the student would have done had he actually used the essay or if this angle had already worked on others.

This scam is a little more involved than most and takes a little more work for the scammer. However, the victims come to him on these essay forum help sites and all the scammer needs is their email address to begin the scam. The essay the scammer sends is probably one that they realize will be detected by plagiarism detecting software. They will then need to find the name of some authority at the school the person attends. They may have found this information on their social media sites, which they could have tracked down through their name or email address. Often, the victims are foreign students who may worry that their plagiarism will not only get them in trouble with their professors, but may get them kicked out of the country. Foreign students would be more likely to pay, especially if they used the sample essay. Therefore, if you are a foreign student and receive such emails, report them to the person that the attacker is pretending to be. And, don’t plagiarize.

I should note here that some paid essay writing sites are absolute frauds. This includes which has received 23 out of 23 one-star reviews for writing essays that appear to be cut and pasted together or written by uneducated nonnative speakers, most of whom, it is believed, live in Pakistan.

Students are not the only victims of targeted scams. There are a number of scams that target specific groups. One particularly sinister extortion email targets only Spanish speakers with threats to kill family members unless they pay a few hundred dollars. These emails are sent with pictures of family members that have been taken from the victim’s Facebook page.

Most scams are obvious and can just be ignored. Often the poor English gives them away. Many are filtered into the spam folder by your email provider, but, occasionally, some get through. If you are not sure if the email is legitimate or not, paste a unique sentence from the email into Google search and see if it leads you to similar scams. You can also check some scam information sites like (though I can’t seem to get their search engine to work for me). However, if you really feel like someone is trying to extort money from you for whatever reason, it’s time to contact law enforcement.


Reaper Madness: The Enigmatic and Potentially Deadly Reaper Botnet

We don’t know where or when, but someday the Reaper will come for us all. I mean the Reaper botnet, of course. It is potentially the most dangerous botnet ever created and one of the most inept. It is a botnet that, at times, seems to be put together by a government committee and, at others, by innovative creators. But, because it contains elements that, if correctly used, can do great damage, we need to take it seriously.

Why do people want to create botnets anyway? No, it’s not always to bring down the internet. In fact, botnets often have more personal uses, like revenge on a hated employer or an ex-partner. Simply put, a botnet is a group of computers organized by attacker(s) to launch a coordinated attack. The attacker can control these computers remotely and make them do a number of things. They can be organized to send spam, send malware-infected spam, or participate in a DDoS (Distributed Denial of Service) attack. A DDoS attack uses a large number of computers in a botnet to access and overwhelm a site’s servers, effectively shutting the site down. Though somewhat simple in principle, such an attack can be very costly to an internet-dependent site that is knocked offline. The average cost for a business brought down by a DDoS attack is $2.5 million. The Mirai botnet cost businesses at least $121 million. Insurer Lloyds of London, in a report on cyber attacks, estimated that extreme attacks on cloud services would cost between $15 billion and $120 billion. Attacks that take down major portions of the internet could produce even higher financial losses.

Here’s a financial breakdown by DDoS protection firm Neustar. Keep in mind that the totals are hourly.

What most people don’t realize is that you can download software that will help you build your own botnet. You can also buy, rent, or even get free, some of the largest botnets available, like the Mirai botnet that brought down major portions of the internet. Some people buy botnets for their personal use but others build them in order to sell them to others. For a good way to visualize how fast botnets can grow, take a look at this website.

So where does this leave the Reaper botnet? We don’t know. All we’ve been able to discover is that someone has been trying to build an extensive botnet that has some characteristics not seen in other botnets. Whereas the Mirai botnet was formed by enslaving internet-connected devices that hadn’t had their default passwords changed, Reaper uses known exploits for targeted devices connected to the internet like routers and cameras. It uses known vulnerabilities that users have not yet patched. Through these, it takes control of the devices and uses them to transmit the malware to enslave other vulnerable devices, thus building the botnet.

Researchers were at first alarmed when security firm Check Point reported that a million devices may have been infected by Reaper. This is alarming because the notorious Mirai only used about 400,000 bots. Mirai only took over the devices while the device was online. A computer reboot removed the attacker. Reaper, however, seems to be more persistent and maintains control of the devices it infects unless the victim takes more serious actions, such as restoring factory settings to a router. However, if the attacker changes the username and password, even a reset can’t recover some devices. So far, from what I’ve been able to discover, Reaper hasn’t progressed this far. One of the firms that first discovered Reaper, Netlab 360, now estimates that only 28,000 devices are part of the botnet. Yet, lest you think a sigh of relief is appropriate here, it also said that as many as 2 million devices may be waiting in a queue to be processed for the botnet.

So what’s happening? This is where the amateurish nature of the botnet builders comes to the forefront. It seems to use a narrow range of IPs as its command and control (C2) centers. In other words, security software can easily block any attacks by simply blocking the IP address. So, when I entered the Reaper IP address on my computer, Malwarebytes blocked me from going to it.
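The blocking approach described above, as an added example that is not part of the original post: a small defender-side script that flags internal devices whose flow records show connections into a known C2 address range and emits block rules for the destinations seen. The post gives no Reaper addresses, so the C2 range, the log format and the log lines below are constructed placeholders.

```python
"""Added example (not from the original post): find hosts on a local network
that talk to a command-and-control (C2) address range, using netflow-style
log lines, and build block rules for the C2 destinations observed."""
import ipaddress
from collections import defaultdict

# Constructed placeholder: stands in for the narrow C2 range the post describes.
# 203.0.113.0/24 is a documentation range (TEST-NET-3); a real deployment
# would load this list from a threat-intelligence feed.
C2_RANGES = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample flow log. Field layout (assumed): "timestamp src dst dport bytes".
SAMPLE_LOG = """\
2017-10-25T10:01:02Z 192.168.1.20 93.184.216.34 443 5120
2017-10-25T10:01:05Z 192.168.1.31 203.0.113.7 8080 318
2017-10-25T10:02:11Z 192.168.1.31 203.0.113.7 8080 1204
2017-10-25T10:03:40Z 192.168.1.44 203.0.113.9 8080 290
2017-10-25T10:04:00Z 192.168.1.20 198.51.100.5 80 760
this line is malformed and should be skipped
"""


def parse_flow(line):
    """Parse one flow record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def is_c2(addr):
    """True if the address falls inside any configured C2 range."""
    return any(addr in net for net in C2_RANGES)


def find_c2_talkers(log_text):
    """Return {src_ip: [(ts, dst_ip, port), ...]} for every internal host
    that contacted a C2 range. Malformed lines are skipped, not fatal."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or not is_c2(rec["dst"]):
            continue
        hits[str(rec["src"])].append((rec["ts"], str(rec["dst"]), rec["port"]))
    return dict(hits)


def block_rules(hits):
    """Emit one iptables DROP rule per distinct C2 destination observed.
    The post's point is that a narrow C2 range makes this kind of
    address-based blocking effective."""
    dsts = sorted({dst for flows in hits.values() for _, dst, _ in flows})
    return [f"iptables -A FORWARD -d {d} -j DROP" for d in dsts]


if __name__ == "__main__":
    found = find_c2_talkers(SAMPLE_LOG)
    for host, flows in found.items():
        # Per the post, a persistent infection calls for a factory reset, not just a reboot.
        print(f"{host}: {len(flows)} flow(s) to C2 -> isolate and factory-reset")
    print("\n".join(block_rules(found)))
```

Blocking the C2 addresses stops the traffic but does not clean the device; the flagged hosts still need the factory reset the post describes.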


On the other hand, the Reaper botnet hasn’t been activated yet, so it may be that the developers are in the “practice” phase, ironing out any bugs until the right moment. In other words, the amateur aspects of this botnet could suddenly disappear just before activation. If anything near the one million member botnet is activated, that’s when the trouble begins.

Some think this botnet may never be activated, or that it will be activated only after it is believed to be perfected. Maybe it is being designed to be sold to a wealthy buyer, like a nation state. Maybe a nation state is in the process of constructing it. That is certainly something to consider seriously. Such a powerful botnet in the hands of a rogue state could cause apocalyptic damage. I am not saying this lightly. Security firm F5 Labs made the following statement on the potential size of the Reaper botnet, “We have data that suggests it could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.” They arrived at this number in the following manner. (CVE stands for Common Vulnerabilities and Exposures.)

f5 diag

How serious this botnet could be will depend on how it is deployed. Sure, even if it is used as a simple DDoS attack on key internet nodes, it could cause havoc. But there are other vectors it could use. In June, the Department of Homeland Security warned that North Korea was setting up a botnet that targeted infrastructure. It is not clear how such an attack would work, but some speculate that a large botnet suddenly powering up all connected devices in a small area could stress the power grid to such an extent that it actually collapsed. Others claim that Russia is positioning itself to take out the power grids in several Baltic countries. Russia is not targeting the power stations directly with DDoS attacks, but the networked gateways that are used by power companies to control the grid.

Since Reaper has the ability to distribute malware, it could easily be armed with ransomware which it could distribute to vulnerable devices. Ransomware that encrypted key infrastructure components would work even better than a DDoS as it could disable them for a longer period of time. This actually happened when a ransomware attack took down the San Francisco metro system by shutting down all ticket machines (encrypting the hardware) until a ransom was paid. Hospitals are another frequent target of such attacks.

All we can do for now is to wait for the Reaper to appear. No one really knows the form it will take but it seems hard to believe that, after all the work put into it, it will turn out to be nothing more than an apparition.




Can Kaspersky Antivirus Be Trusted? The Case For and Against

This story is complex. That’s why, in this post, I will attempt to make it as simple as possible, but it will still be complex. The goal here is not to delineate the technical details of the specific malware involved. Instead, this will be the story behind the malware and its use. The aim will be to determine the extent, if any, of Kaspersky’s implication in hacking the NSA. I will stay as close to the facts as possible and let them speak for themselves.

This story, as is true of so many cybersecurity stories involving nation-states, begins with the development of the Stuxnet malware. This malware set new standards by, among other things, attacking physical machinery that was not connected to the internet. It specifically changed the operating parameters on Iran’s nuclear centrifuges, making them spin out of control until they destroyed themselves.

The important point of this story is that this malware was jointly developed by the U.S. and Israel. This meant that both countries had control over this malware if they needed to modify it for future uses. Unfortunately, those attacked by malware often end up with an understanding of the code behind it. Stuxnet was no exception. As the documentary about Stuxnet, Zero Days, claims, “ironically, the secret formula for writing the code for the virus software fell into the hands of Russia and Iran – the country against which it was developed.” Thus, by at least 2013, four countries controlled the code for this powerful malware.

In 2014, Israel used a Stuxnet variant, named Duqu 2.0, to spy on the ongoing nuclear talks between the P5+1 nations (the U.S., U.K., France, China, Russia, and Germany) and Iran. Oddly, Israel was not invited to participate even though they had the most to lose. After all, Iran had previously vowed to wipe Israel off the face of the earth. The Duqu 2.0 spyware was used to infiltrate three luxury hotels that were sponsoring the talks. Once installed, the malware took control of the hotels’ networks and was able to obtain information on any device connected to it. They could also listen in on conversations and the actual negotiations themselves. The malware was so good at hiding that it was only discovered by Kaspersky in mid-2015 or, coincidentally (?), at approximately the same time that the nuclear deal was reached with Iran.

In fact, Kaspersky wouldn’t have known about the P5+1 attacks at all had they not been attacked by the Duqu 2.0 malware themselves. Costin Raiu, director of the global research and analysis team at Kaspersky, said the attackers first targeted a Kaspersky employee in an office in the Asia-Pacific region, likely through an email that contained an attachment in which the virus was hidden. By opening the attachment, the employee inadvertently allowed the virus to infect his computer and, subsequently, the entire Kaspersky network.

But why would Israel make such an effort to target an antivirus firm like Kaspersky? Apparently, Israel wanted information on what Kaspersky had named the Equation Group. Kaspersky had been targeting the actions of this hacking group for some time and, although they did not state it directly, it became common knowledge in the cyber espionage community that the Equation Group was, in fact, the U.S. National Security Agency (NSA).

The Equation Group had been targeting Iran and other Middle East countries. The information from such attacks would be of especial interest to Israel. Learning how these attacks took place and getting access to these NSA tools could be very useful. At the time, US-Israeli relations were at an all-time low, and the Israeli government couldn’t depend on getting updated information on Iran from U.S. intelligence. Such information was crucial to Israel because the U.S. and the other P5+1 partners were on the verge of signing a nuclear agreement with Iran. So, why not hack into a firm that probably had this information and possibly some NSA hacking tools as well: Kaspersky.

The U.S., however, was spying on Israel and learned that, somehow, Israel had managed to get key documents concerning the upcoming Iran agreement. Alarmed by this finding, they warned Benjamin Netanyahu not to give details of the Iran agreement when he spoke to Congress in March of 2015. Netanyahu only partially complied. He did not give details but said, “This is a bad deal — a very bad deal. We’re better off without it.”

Meanwhile, Kaspersky was beginning to learn that someone, probably Israel, had hacked into their network. Interestingly, Israel’s Duqu 2.0 malware targeted Kaspersky’s antivirus programs and used them to infiltrate any network using them. In other words, the notion of using antivirus software as an information gathering agent was first used in 2014. This is the same vector that Kaspersky is accused of using against one of the employees of the NSA in 2015. (This particular attack, according to the Wall Street Journal story, was only identified in the spring of 2016.)

Probably realizing that they would be discovered by Kaspersky (or had already gotten everything they needed), Israel contacted the U.S. and informed them that, while they were within the Kaspersky network, they found evidence of Russian operatives lurking there. They claimed that the Russian government was using Kaspersky software, such as its antivirus software, to gather information on U.S. intelligence. Was this a ruse? Was Israel the actual agent behind these attacks and were they trying to shift the focus to Kaspersky and Russia? This is still an open question. In any event, when the U.S. intelligence community learned about this, they set up honeypots to lure in any attacks that used Kaspersky software. These were probably set up before Kaspersky realized it had been attacked by Israel’s Duqu 2.0.

In the most recent defense of itself, Kaspersky claims, in a re-analysis of events at the time of the purported attack, that the last Kaspersky antivirus scan that found NSA-related malware/software on the NSA employee’s computer occurred in November of 2014. They claimed that they deleted the file when they realized it was part of the NSA’s software collection. They claim that no other files from the NSA have been collected since, inadvertently or not. They do claim, however, that they began discovering those aforementioned honeypots after February, 2015. Did they suspect that these honeypots were set up to catch them? They claim these honeypots were “loaded with various Equation-related samples” that they did not take.

That last claim seems unlikely considering the interest that Kaspersky had always had in the Equation Group. This is exemplified by the publication of Kaspersky’s report on the Equation Group in February, 2015. Knowing the group’s products as well as they did, it is possible that Kaspersky did recognize the honeypot files as fakes and ignored them. More likely, though, considering subsequent events, was that the NSA found that Kaspersky was, indeed, interested in these files and actually took some of them. Otherwise, why would they begin spreading the word that Kaspersky was not to be trusted? The subsequent finding of the victimized NSA employee one year later and the connection of the theft of NSA files from his computer to Kaspersky software simply sealed the deal in the minds of those in the NSA.

Throughout 2016, the U.S. intelligence community stepped up its focus on Russian meddling in the U.S. election. It is quite possible that Kaspersky, a Russian-based company, got caught up in this fervor and attracted more suspicion than it normally would have. In any event, by February of this year (2017), Kaspersky had become a real suspect. The U.S. intelligence community began publicly expressing serious doubts about Kaspersky software, according to secret documents prepared by the Department of Homeland Security (DHS). The release of information about this document began an avalanche of bad news that eventually buried Kaspersky.

In early May, the U.S. intelligence community told a Congressional committee that they were considering banning all Kaspersky software in use on government networks. Company founder, Eugene Kaspersky, countered with an offer to appear in person before the committee to answer any questions. His argument at the time was, “I’m very sorry these gentlemen can’t use the best software on the market because of political reasons.” In other words, he blamed the current anti-Russian sentiment for his company’s demise.

Eugene Kaspersky

In June, the FBI interviewed a dozen Kaspersky employees in the U.S. In July, Bloomberg reported it had obtained emails proving that Kaspersky was working closer with the Russian government than they let on. So, with the walls closing in, Eugene Kaspersky made a surprising offer. He would share the company’s source code with U.S. intelligence agencies. “Anything I can do to prove that we don’t behave maliciously I will do it,” he said. In addition, in late July, Kaspersky began giving away free versions of its antivirus software.

But it was too little, too late and, on September 13, the ax fell. The Department of Homeland Security ordered all federal executive branch agencies using Kaspersky software (approximately 22) to stop using Kaspersky products. They gave these agencies 90 days to remove the software. Although Kaspersky tried to downplay the importance of this decision, it was, in fact, a serious, perhaps even mortal, blow.

Kaspersky’s Defense Scenarios

“Ask yourself one thing: If these recent allegations are true, where’s the evidence? If there was any evidence that we’ve been knowingly involved in cyber-espionage, we’d be toast! No ifs or buts – it’d be game over.” – Eugene Kaspersky

As I see it, there are three main scenarios that can explain the Kaspersky demise.

Scenario 1: Israel never found Russian operatives in the Kaspersky network. They used this as a screen to use Kaspersky’s antivirus software to gather information on the NSA themselves. After all, according to the Kaspersky report on Duqu 2.0, the malware specifically sought out Kaspersky’s antivirus in order to exploit it. Israel told the NSA that Russia was in the Kaspersky network to take the spotlight off themselves. Since the U.S. intelligence agencies were already looking for Russian meddling, they readily accepted Israel’s information. Kaspersky was collateral damage.

For Kaspersky, the bad part of this scenario is that they failed to discover what Israel was up to for over a year. This does not help their reputation as a cybersecurity firm.

Scenario 2: The Russian government infiltrated Kaspersky’s network and gained access to any Equation Group files it had stored. It also made use of Kaspersky’s products to steal information from U.S. intelligence agencies. Kaspersky had no knowledge of this.

Again, this does not make Kaspersky look good. It would mean that two attackers had gained access to their network without them knowing it. In their most recent defense, Kaspersky said it found no other network intrusions after they found Duqu 2.0. However, this could mean that the Russian government, possibly realizing they had been discovered by Israel, activated a kill switch which removed every trace of its attack from Kaspersky’s network.

Scenario 3: Kaspersky worked with the Russian government to infiltrate the NSA network and steal files and programs. A case could be made that the Russian government could threaten to close down Kaspersky if it didn’t comply with its demands.

Clearly, this would be the worst case scenario for Kaspersky. However, it wouldn’t make sense that the Russian government would continue to steal files from honeypots even after Kaspersky had discovered the files in these honeypots were fake. If they were working together, Kaspersky would have warned the Russian government to avoid touching these fake files. Yet, as I mentioned above, it seems the honeypots identified Kaspersky as a threat.

It may be too late for Kaspersky to salvage anything from this situation even if they are not complicit. Sure, many people will take advantage of their free antivirus and some loyal customers will stick with them. But 60% of the company’s sales come from the U.S. and Western Europe and these are certain to fall. Rebranding is not and should not be an option as the company has made numerous contributions to the cybersecurity community that should not be forgotten. However, something drastic needs to be done if Kaspersky is to repair its reputation. It may even mean having to relocate their headquarters outside of Russia.

Giving up the source code to its products to prove that there are no hidden backdoors will not convince anyone who doesn’t trust Kaspersky. After all, Kaspersky may have removed the backdoors before they released the code. The cold truth, whether it is fair or not, is that Kaspersky will have to give up the idea of getting back on U.S. government networks at any time in the near future. The negative atmosphere surrounding Kaspersky will make individual users balk at installing their products even if they are not a political target. So, can you trust Kaspersky? That’s something each person, each company, and each government will have to decide for themselves.






Hacker Confessions: What do they think of themselves? What are their favorite targets?

At the recent Black Hat Conference, security firm Bitglass surveyed over 100 black hat and white hat hackers to learn what motivated them and what they looked for when attacking a network. Irrespective of their current hat color affiliation, 81% claimed that they had worked in corporate IT at some time in their careers. Here are some of the findings.

The Morality of Hacking

To many, perhaps most, individuals, stealing is wrong, no matter what excuses are made to justify it. Most hackers steal. They either steal money or information. That’s just part of the game. The exception to this would be hackers who hack for political reasons. However, according to the survey, money is the main motivation for most hackers.

hacker motivation

How do they feel about that? 48% feel that hacking is either neutral or always good. Only 3.9% believe that hacking is always bad. It is not clear from the statistics if certain types of hacking are considered better than others on the morality scale.

What vulnerabilities are the easiest to exploit?

Actually, the question was along the lines of which security tool was least effective. The study found that hackers thought that password protection of documents was the least effective security tool. The top 5 least secure tools (most easily circumvented) were agreed upon by over 80% of these hackers. Here is that list.

hackers security tools

It’s somewhat surprising that face recognition made the list as it is a relatively new tool. However, in early September, Samsung facial recognition was reportedly hacked with Facebook photos. In defense, Samsung did include a disclaimer for their facial recognition software, saying that “your phone could be unlocked by someone or something that looks like your image. Face recognition is less secure than Pattern, PIN, or Password.” Something that looks like your image? Would it be fooled by holding up an artichoke? Yeah, this seems pretty insecure to me.

MDM stands for ‘mobile device management’. It is a term that describes the policies corporate or institutional IT departments implement to protect the network from mobile devices connected to it. Apparently, hackers find such policies easy to circumvent, which should be bad news to these enterprises. Access controls may be physical or digital and their purpose is to limit who can use what resources. Hackers often circumvent these by infiltrating a connected endpoint (smartphone) and enabling administrative rights.

What is the best way to infiltrate a network?

To many in the cybersecurity business, the answer to this question will be of no surprise. Almost 60% of hackers admit that phishing is the best way into a network. Phishing exploits the human component which has always been found to be the weakest point in any network. Appealing to the basic human emotions of greed, romance, sex, or fear can induce an emotional human to open an email that a logical human would never open. (See my post on Phishing with Naked Women and Romantic Lures.) A recent survey of executives, IT managers, and other cybersecurity experts found that 74% of them agree that employees were the most likely source for a criminal attack. The only thing preventing phishing from being much more deadly than it is is the notable lack of social skills possessed by most hackers. It’s their own social ineptness that often exposes them as hackers.

Malware came in second among hackers as a way to infiltrate a system, but this is somewhat misleading as most malware is introduced through an initial phishing attack. However, other methods of exploiting malware exist, such as bundling it with a trusted app and putting it on Google Play Store.

Since these first two methods of infiltration account for over 85% of all infiltration techniques, IT departments should focus primarily on them rather than more obscure vectors.

What network blind spots are the easiest to exploit?

All corporate or institutional networks do their best to plug all possible holes, but, invariably, they will always overlook a few until they are successfully hacked. It is why some enterprises pay for the ‘privilege’ of being hacked by a competent hacker in what is known as ‘pentesting’.

So, the list basically sums up what vulnerabilities a hacker looks for before beginning an attack. Respondents could choose more than one category. Here is the chart.

hacker blindspots

Notice the concentration on endpoints, such as smartphones. Almost every hacker (97.6%) looked for blind spots/vulnerabilities involving endpoints that were either poorly managed or poorly protected. Clearly, IT teams have to find better ways to secure this weak point.

There is a good reason why some enterprises don’t have their software instantly updated. In fact, the larger the enterprise, the more difficult it is for it to keep its systems updated. Software or system updates usually aren’t implemented until they’ve been tested. This is because some updates may cause unpredictable behavior when installed on a network. But this testing takes time. It is during this testing period that a network is vulnerable to attack. Hackers know this and will often attack corporations as soon as they analyze the updates, hoping to get malware installed before the security hole is closed. Updates take place to repair security flaws. The explanation that accompanies updates details these flaws, meaning that hackers are given a known attack vector. Although not as effective as a zero-day attack, in which an unknown security flaw is used to attack a network, these so-called one-day attacks are successful more often than one might think.

Note also that data in the cloud is considered a blind spot. Many firms have the mistaken belief that their troubles are over when they store data in the cloud. It is basically passing the security buck to those who manage the cloud service. Hackers, apparently, aren’t convinced that the cloud is so safe.

The one overriding conclusion that can be drawn from these statistics is that IT departments have their work cut out for them. Any solution that can lower the burden on corporations or institutions in managing endpoints will be welcomed. Some newer solutions have appeared which allow endpoint users to be careless without this behavior affecting the network, but most enterprises keep trying to implement tired, time-worn, and frequently compromised policies and, in such an environment, we can all expect to hear about hackers breaching more and larger networks. Government networks, it appears, will be the most vulnerable if the statistics given above are true. Their sheer size, outdated operating systems, and slow response to updates leave them in a continuous state of vulnerability. In short, fearing neither moral nor physical consequences and possessing predictable access to porous networks, hackers will continue to practice their increasingly complex skills and keep IT teams perpetually on the back foot.




