The financial services industry view on cybercrime

I recently attended Jim Oakes’ “Cybercrime, Global Underground Economy Developments and Challenges” talk. All the hype about his 30-year service for the police, anti-fraud teams, financial services organisations yada yada made me very sceptical to begin with, but the session turned into a quite useful overview of the (depressingly many) ways you can be ripped off by criminals while doing business with/through your bank.

I let this draft lie for a few months now, as I wasn’t sure how to digest the mass of information in Jim’s presentation into a more friendly, easily digestible message. Shall we just say it’s pretty bad out there?

Practical advice:

  • DO NOT use the same password for different websites. Use something like Oplop to generate passwords and a password manager to store them.
  • DO NOT do eBanking from your smartphone just yet. I have some reservations about the iPhone, but Android phones certainly cannot currently be trusted.
  • If you need to do eBanking using a computer (laptop, desktop etc.) then start the computer from a bootable CD or USB disk and do your eBanking from that. Unless you are personally targeted by law enforcement or criminals, this should give you a computer you can trust: whatever malware lives on the hard disk never gets to run (it won’t protect you from a hardware keylogger, though, and you should still insist on HTTPS, because the network is no more trustworthy than before). Don’t take my word for it – take Krebs’ word for it. Computer security is in *such* a sad state.

The myth of the pimples-ridden malware author

Overheard in an Internet Cafe recently:

(guy storms in and purposefully walks towards the counter)

Distressed guy: “Hi, I have a virus on this USB stick and I can’t use it, can you clean it for me?”

Internet Cafe attendant: “…”

Distressed guy: “Look, I didn’t do anything funny, just because some little c*** has nothing better to do but write a virus I can’t access my files now!”

I take issue with this statement. It regurgitates the popular misconception that malware (whether you call it a virus, a worm or a trojan) is software written by someone who hates mankind: an effort to take blind revenge on the world, to mindlessly harm everyone for no real reason other than malice.

Er… no.

Malware takes effort to create. This means skill, patience, equipment and time. All this means money.

Slightly paraphrasing Mikko Hypponen, most malware is created for three reasons:

  1. Money via criminal activities. See Peter Gutmann’s figures in his “The Commercial Malware Industry” from years ago to glimpse at just how much money is involved in this global underground market.
  2. Idealism – which creates the composite term “hacktivism”. Groups like Anonymous fall in this category.
  3. Control – this is state-level information warfare waged either against other nation-states or against the state’s citizens.

Some years ago, malware might have been an annoying prank of kids who had a gripe against the world.

This is no longer the case. Things are far more serious now.

How I managed to donate to OpenStreetMap

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks of viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space are at a premium. So I have tried as hard as possible to keep myself from buying a netbook just to avoid using Internet Cafes. I am well aware of the risks I am taking, but for the time being I still find using Internet Cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months, so at this point the investment in a new netbook is just not worth it.

So I use Internet Cafes around Chile and Bolivia. I have seen a couple of well-maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua’s bus terminal!), but the overwhelming majority of them are in an appalling state: illegal copies of Windows XP not receiving updates, with illegal copies of antivirus software not receiving updates, etc. etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and dropped same-named executables and shortcuts in their place, each carrying the standard folder icon. The effect is that anyone who wants to open a folder on the stick double-clicks the malware instead and runs it with their current privileges, every single time.

Tricking the user into executing script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don’t really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.
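Once you have a system you trust (the Ubuntu live CD described further down is exactly that), the stick can be inspected without running anything on it. The script below is an added example, not code from the original post: it walks the top level of the stick and reports every directory that has a same-named file with an executable or shortcut extension, which is the decoy pattern described above. The extension list and the constructed sample layout are my own assumptions; it assumes a POSIX shell, GNU coreutils and a `find` that understands `-maxdepth` and `-iname`.

```shell
#!/bin/sh
# Added example (not from the original post): spot the "folder decoy" pattern
# on a USB stick from a system you trust, e.g. a Linux live CD with the stick
# mounted read-only. For every directory at the stick's root it looks for a
# same-named file with an executable or shortcut extension, which is the bait
# the worm leaves in place of the (now hidden) folder.
# Assumption: this extension list is my own choice, not something the worm
# is known to be limited to.
DECOY_EXTENSIONS="exe scr com pif lnk"

# find_folder_decoys STICK_DIR
# Prints one decoy file name per line, sorted. The name match is
# case-insensitive because FAT file systems are.
find_folder_decoys() {
    stick="$1"
    for dir in "$stick"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for ext in $DECOY_EXTENSIONS; do
            find "$stick" -maxdepth 1 -type f -iname "$name.$ext" \
                -exec basename {} \;
        done
    done | sort
}

# demo_triage: a constructed stick layout standing in for the infected one.
# Prints the decoys found, space separated, on one line.
demo_triage() {
    root=$(mktemp -d)
    mkdir "$root/Photos" "$root/Docs" "$root/Music"
    : > "$root/Photos.exe"    # decoy for Photos: must be reported
    : > "$root/Docs.lnk"      # decoy for Docs: must be reported
    : > "$root/readme.txt"    # ordinary file: must not be reported
    : > "$root/setup.exe"     # executable with no matching folder: not reported
    find_folder_decoys "$root" | paste -s -d ' '
    rm -rf "$root"
}

demo_triage
```

Delete the decoys before anything else. The folders themselves are usually only hidden, not gone: Linux ignores the FAT hidden attribute when listing, so they are visible from the live CD, and on Windows `attrib -h -s -r /s /d *` run from the stick’s root makes them visible again. Do not double-click anything on the stick from Windows until that is done.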

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn’t want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

  1. I found a computer with what seemed like a decent Internet connection and Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
  2. I downloaded the latest Ubuntu ISO file with DownThemAll. It’s a large file (700MB), so a download manager is necessary – otherwise you run the risk of the download hiccupping and the file being corrupted if the network link goes down for a few seconds. DownThemAll can also be faster, as it downloads multiple segments of the file at the same time. After a couple of hours I had an Ubuntu ISO file on the (probably malware-infected) computer I was using. (Before you use such a file, compare its checksum with the one Ubuntu publishes next to the image: a truncated or tampered download will not match.)
  3. I then created a bootable Ubuntu USB drive following the instructions on . Unfortunately this did not help my cause, because the public computers I could reboot and attempt to boot from USB were so old that they did not support booting from USB at all! (We are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD, burned the ISO onto it, and then booted one of the computers I had access to from the CD.
  4. Success! I was now booted into an operating system I could trust not to be infected: the hard disk, and whatever Windows malware lives on it, is never booted, and the CD itself is read-only, so nothing on the machine gets a chance to run (this assumes the hardware itself, BIOS included, has not been tampered with). I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should be!) this is a method of getting a system you can trust. It does presuppose that you have access to a computer you are allowed to restart and boot from removable media, but hotels and cafes around Chile seem to be quite laissez-faire about letting people restart their computers.
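Downloading the ISO on a machine you assume is infected means the file should not be trusted until it has been checked. Below is an added example, not part of the original post: a shell function that checks an image against a SHA256SUMS file in the format Ubuntu publishes alongside its images (one `<hash> *<file>` line per image), plus a demonstration on a constructed stand-in file showing both an intact and a corrupted copy. It assumes GNU coreutils (`sha256sum`, `mktemp`) and a POSIX shell; the file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded ISO against
# a SHA256SUMS file of the kind Ubuntu publishes next to its images.
# Assumes GNU coreutils and a POSIX shell.

# verify_iso SUMS_FILE ISO_FILE
# Returns 0 if the ISO's SHA-256 matches the entry for its file name,
# 1 if the name is missing from the sums file or the hash differs.
verify_iso() {
    sums="$1"
    iso="$2"
    name=$(basename "$iso")
    # A line looks like "<hex> *<file>" (binary mode) or "<hex>  <file>";
    # strip the leading "*" and require an exact file-name match, so that
    # e.g. the i386 and amd64 entries cannot be confused.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "hash mismatch for $name" >&2
        return 1
    fi
    return 0
}

# demo_verify: constructed fixtures standing in for the real 700 MB image.
# Prints "ok" for the intact copy, then "tampered" for a modified one.
demo_verify() {
    dir=$(mktemp -d)
    img="$dir/ubuntu-11.04-desktop-i386.iso"
    printf 'pretend this is an ubuntu image\n' > "$img"
    # Sums file in Ubuntu's format, including an entry for another image.
    {
        printf '%s *%s\n' "$(sha256sum "$img" | cut -d' ' -f1)" \
            ubuntu-11.04-desktop-i386.iso
        printf '%s *%s\n' \
            0000000000000000000000000000000000000000000000000000000000000000 \
            ubuntu-11.04-desktop-amd64.iso
    } > "$dir/SHA256SUMS"
    if verify_iso "$dir/SHA256SUMS" "$img"; then
        printf 'ok '
    else
        printf 'FAIL '
    fi
    # A corrupted or tampered download: one extra byte changes the hash.
    printf 'x' >> "$img"
    if verify_iso "$dir/SHA256SUMS" "$img" 2>/dev/null; then
        printf 'FAIL\n'
    else
        printf 'tampered\n'
    fi
    rm -rf "$dir"
}

demo_verify
```

A checksum fetched over the same untrusted link proves only that the download is intact, not that it is genuine. For that, verify the accompanying SHA256SUMS.gpg signature with Ubuntu’s signing key obtained from somewhere other than the infected machine, or compare the hash against a value printed in a place you already trust.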

SMS 419 scams

I recently received my first SMS scam message on my ancient mobile phone:

From: +447549354914
FREE MSG: Our records indicate that you may be entitled to £3350 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP

Do not reply to such messages. Just delete them.

The +44 prefix makes it look like a UK number (where I live, therefore local, therefore safe), but a UK-looking prefix says nothing about where a reply ends up: it may well be a “personal number” that is routed anywhere in the world and charged accordingly, so even a one-word SMS reply can cost real money. Replying also confirms to the sender that your number is live.

More examples of such scams in this F-Secure weblog post.

Here come the “smart” phones

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and every piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.

How do I clean up my computer after a virus infection?

Good question.

There is ample information on the Web chastising people for doing this and that wrong, for clicking on things, for being tricked into agreeing to install a “plugin update”… reams of articles saying “DON’T DO IT – whatever it is, JUST DON’T!”

But realistically, with drive-by malware attacks picking up and malware being created to specifically evade traditional antivirus programs, people don’t have much chance… it’s just too easy to get infected with malware.

What nobody out there seems to have an answer to, is the simple question: What do you do on the day after?

I am also unaware of a simple answer.

Microsoft publishes a Malicious Software Removal Tool every month. Commendable effort, but it runs from inside the infected system, so it doesn’t stand a chance against resident malware that has dug in: a rootkit can simply hide from it.

Online articles that advise you to “scan your computer with the latest antivirus software” are dangerous because they lead to a misinformed public. The truth is that there are simply too many ways to avoid detection and too much money to be made in the online crime industry. This means that highly skilled, organised and motivated people are writing malware to avoid all known safety nets. Malware has it much easier than all the defenders in the world – the attackers need only one way in, and then they have control of your computer for good. And running all the antivirus scans in the world won’t change that.

The only thing you can do, is backup your important data (you do have backups, don’t you?), find your Operating System installation discs, erase your entire hard drive and then re-install everything from clean, trusted media, being extremely careful not to be re-infected by your old files or devices. E.g. infected USB sticks can re-infect the new installation.

To (hopefully) avoid this, follow these rules:

  1. First thing you do after reinstalling the Operating System: connect the system to the Internet (behind a home router or firewall rather than directly on a public connection, since an unpatched system is exposed the moment it is online) and immediately download and apply all critical updates. Don’t even check your email. Update, update and then update some more until everything is at the very latest version.
  2. Users of Windows, disable Autorun/AutoPlay for USB sticks and other removable disks (Microsoft KB967715 explains the settings).
  3. Install *working* antivirus software. Not the cracked version of Kaspersky your cousin gave you on a CD saying “it’s okay, you don’t need to pay for it”. Not the nod32.exe you downloaded off some “free downloads” site. You may think such pieces of software protect you, but they don’t. They just lie to the user about operating properly and install malware behind your back. They are the enemy. No, you need to get a *legitimate* antivirus solution. See this blog post for free antivirus software that actually detects malware (or at least tries to).
  4. Only after you’ve successfully completed these first 3 steps may you reconnect your old media (like USB sticks or disks) to restore your files. Before you touch any of those files, run an exhaustive scan (it will take hours) on the removable media you used. This improves your chances of not getting re-infected straight away. After the scan, you may start restoring your files, reinstalling programs etc. Restore documents and data, not old executables or installers: those are the files most likely to carry the infection back.
  5. At this point, you have a clean slate and your files back. You should proceed to follow safe computing practices, especially when you’re on the Internet, and hope that someone, some day, will actually improve this sad state of affairs of being unable to trust your own computer and having to be vigilant all the time to not be infected again soon.

Free antivirus software for Windows

As of July 2011 (this list was first written in January 2011 and has been updated since), there are at least four perfectly legitimate free antivirus products for Windows. In my order of preference they are:

  1. Microsoft Security Essentials
  2. Avast Free Antivirus
  3. AVG Free
  4. Avira Free (fallen from grace because it pesters the user)

These are the ones I have used. There are at least 6 more to choose from.

Please note that the following products are NOT free to use:

  • Norton (Symantec)
  • McAfee
  • NOD32
  • Sophos
  • Kaspersky
  • etc…

If you’re using one of them and not paying for it (unless of course your organisation has paid for it), you are at risk, as malware authors use warez and similar types of “freebies” and “cracked versions” and “key generators” to infect your computer with the very software you’re trying to defend against.

The only (temporary) exception to this is time-limited versions of antivirus software you usually get with brand new computers, but you must do something about those as soon as the gratis period expires: either buy the product or uninstall it and install one of the free ones.

Remember, an expired antivirus that is not updating its definitions is almost useless.

Spam email statistics

Symantec’s State of Spam report makes fascinating reading.

Did you realise that during a typical day in August 2010, around 200 billion spam emails were sent? In a single day!

I didn’t.

Apparently there is now reason to be optimistic, as the volume of spam over the past month (December 2010) has been hovering around 70 billion spam emails per day.

More about it on Symantec’s blog.

Free antivirus for Mac

Sophos recently made available a free antivirus application for Macintosh users. Haven’t tried it yet, but it looks promising and it fills a glaring gap.

For all you Mac users out there who think that “Macs don’t get viruses” – please wake up and smell the cappuccino.

Grab the software from

We are losing

The arms race between online criminals and people trying to protect you from them is in full swing. But seeing that well-respected security researchers are desperate enough to suggest using bootable Linux systems for online banking is quite scary.

Yes, there is no other way of defending against a large class of attacks.

No, real people should never have to go through this ordeal to not be ripped off.

If  conducting secure online transactions has come to require such levels of effort and sophistication on behalf of end users, it’s a dangerous cancer for the dream of online commerce which must be recognised and addressed.

Criminals have an easier task than defenders, as security is only as good as its weakest link. Regardless, we can and must do better than this – dumping the cost on end users must stop.