<?xml version="1.0" encoding="UTF-8" ?>
<rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
        <channel>
        <title>security - ReadWrite</title>
        <link>http://readwrite.com</link>
        <description />
        <language>en</language>
        <copyright>Copyright 2012 SAY Media, Inc.</copyright>
        <managingEditor>readwriteweb@gmail.com</managingEditor>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs> 
        <lastBuildDate>Fri, 10 May 2013 04:04:00 -0700</lastBuildDate>
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://rww.superfeedr.com/" />

                    <item>
                <title><![CDATA[APIs Are The Doors To Web Services - And They Need Locks]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_64373812.jpg" />
                                        <p>The proliferation of mobile devices has created a firestorm of demand for&nbsp;Application Programming Interfaces (API)&nbsp;to act as data gateways between devices and services.&nbsp;But fire can also be a destructive force, and mis-managed APIs can hurt application performance, alienate developers and even lead to costly and damaging data breaches.</p>
<h2>API Security Is Critical</h2>
<p>Among other things, APIs serve as gateways to Web-based services like Twitter or Facebook. They are the specifications that let developers build applications that communicate directly with those services. You can&nbsp;think of APIs as doors; they let data in and out of a Web service. Just like physical doors, leaving APIs open can let anyone wander in, for whatever purpose. &nbsp;</p>
<p>APIs are only as secure as they are written to be, explained Alistair Farquharson, chief technology officer for API-management vendor&nbsp;<a style="line-height: 1.538em;" title="http://www.soa.com" href="http://www.soa.com">SOA Software</a>. Smart developers make sure their APIs are open&nbsp;only for those people who have the authorized key.</p>
<h2>What Problems Can APIs Cause?</h2>
<p>The threat assessment for an API that isn't locked down isn't a pretty thing.&nbsp;Insecure APIs can fold under the artificial pressures of <a href="http://en.wikipedia.org/wiki/Ddos#Distributed_attack" target="_blank">distributed denial of service (DDOS) attacks</a>&nbsp;(which attempt to overwhelm a site or service with spurious requests in order to block legitimate access), blocking the door through which data from a Web service is supposed to flow - perhaps bringing down the entire site.&nbsp;<a href="http://en.wikipedia.org/wiki/SQL_injection" target="_blank">SQL script injections</a>&nbsp;(which attempt to insert malicious code into a database), Farquharson added, could be used to re-route or copy data to outside servers operated by people who have no business looking at your data or your customers' information.</p>
<p>Because APIs enable very deep leveraging of a web service's features, they can be misused by hackers to spoof services, or even pretend to be entire websites, as web designer Feross Aboukhadijeh detailed last Autumn, when he <a href="http://feross.org/html5-fullscreen-api-attack/">discovered how the HTML5 Fullscreen API could be abused</a> to appear like any legitimate site, such as a banking transaction web site.&nbsp;Aboukhadijeh works through how the fake web site could be created and fool many unsuspecting users, even down to a citation of a study on "change blindness," a psychological event where people can miss obvious changes.</p>
<p>And then there are the less subtle attacks, such as the <a href="http://news.cnet.com/8301-10784_3-9960358-7.html">2008 security breach</a> that took advantage of a bad Myspace-Yahoo services API and ended up gaining access to celebrity photos that were supposed to be privately stored.</p>
<p>These are the obvious malicious outcomes of APIs that aren't secured properly. But hacked APIs can also create perceptions of poor quality of service, which could erode customer confidence in a Web service.</p>
<p>The importance of getting APIs under control can't&nbsp;be overemphasized, contended&nbsp;identity-management vendor&nbsp;<a style="line-height: 1.538em;" title="http://www.xceedium.com" href="http://www.xceedium.com">Xceedium</a>'s VP of Product Management, John Suit.&nbsp;"If the web interface is the front door to a company," Suit said, "then the API is the side door."&nbsp;And any door that lets in the wrong person - or the wrong code - can result in the same disastrous results.</p>
<h2>Building A Better API Lock</h2>
<p>Locking down APIs can be tricky business.&nbsp;In these early days of the API boom, there are many different API standards being used by vendors to create the APIs through which applications will leverage Web services. Complicating that is the fact that there are a lot of different security standards, too.</p>
<p>This is a rich recipe for problems, since an effective API management system must allow authorized developers in to use the API, but not let anyone gain so much access they can subvert the API or use it as a doorway to the host service's internal data. Oh, and add to that mix the problem you have if APIs have to reside in a public cloud environment, outside your firewall.</p>
<p>Most security experts recommend having some sort of strong authentication process in place when working with APIs.&nbsp;You need to make sure that the absolute correct person is accessing the API.</p>
<p>SOASoft's approach is a <a style="line-height: 1.538em;" title="http://blog.soa.com/faster-more-better-secure-and-manage-your-api-business-with-api-gateway/" href="http://blog.soa.com/faster-more-better-secure-and-manage-your-api-business-with-api-gateway/">just-launched API Gateway</a> virtual appliance that uses an OAuth server to work with many different existing security protocols. Playing to its strengths, Xceedium&nbsp;uses role-based identity systems to make sure not only that the right person is connecting to the API, but also that the person should be accessing that API in the first place.</p>
<h2>Things To Do Right Now</h2>
<p>Even if you don't want to implement a formal identity and security management system for APIs, there are steps to take right now that will at least help mitigate potential problems.</p>
<p>If you want to prevent SQL injection attacks, then by all means sanitize the inputs in the API that connect to your internal databases. This will reduce the risk of a successful attack of this kind:&nbsp;</p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" alt="" /></p>
<p>API developers should also make sure that everything is transmitted through the Secure Sockets Layer (SSL) - encrypted and transmitted by HTTPS - so that information like usernames and passwords is not captured in-process and then used to gain access to users' accounts or worse, the host organization's account.&nbsp;</p>
<p>APIs are becoming increasingly important as so many new devices on the Internet generate and consume data via an ever-expanding list of Web services. While essential, those APIs are also creating tempting targets for hackers. The need to lock down this growing vulnerability has never been a higher priority.</p>
<p><em>Lead image courtesy of <a href="http://www.shutterstock.com">Shutterstock</a>, comic courtesy of <a href="http://xkcd.com/327/">XKCD</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/05/10/apis-are-the-doors-to-web-services-and-they-need-locks</link>
                <guid>http://readwrite.com/2013/05/10/apis-are-the-doors-to-web-services-and-they-need-locks</guid>
                <category>APIs</category>
                <pubDate>Fri, 10 May 2013 04:04:00 -0700</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[The Persecution Of A Fall Guy For Anonymous: The Feds Vs. Barrett Brown]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/prot.jpg" />
                                        <p>Barrett Lancaster Brown, best known as the <a href="http://www.vice.com/read/we-spoke-to-barrett-brown-from-prison" target="_blank">so-called</a> former&nbsp;<a href="http://gawker.com/5856604/it-pays-to-be-the-face-of-anonymous" target="_blank">mouthpiece for the hacker collective Anonymous</a>, is sitting in a jail cell in Texas. For the past eight months, Mansfield Law Enforcement Center has been home for&nbsp;the journalist and activist now known as&nbsp;Prisoner 45047177.</p>
<p>Three hots and a cot will continue to be his routine at least until September, when he is scheduled to stand trial on 17 charges, including allegations that he threatened&nbsp;an FBI agent and committed identity theft and credit card fraud.</p>
<p>The slightly built 31-year-old former heroin addict <a href="http://freebarrettbrown.org/bb_plea.pdf" target="_blank">denies</a> the <a href="http://freebarrettbrown.org/bb_plea2.pdf" target="_blank">charges</a>. What he does admit is that he used his hacker connections to look under rocks and uncover what he considered evidence that the U.S. government was using private security companies to clip the wings of Internet activists and sympathetic journalists.</p>
<h2>Brown: I Wasn't A Hacker</h2>
<p>Brown's sometimes questionable behavior and affiliations make him a confusing and polarizing character. He <a href="http://www.guardian.co.uk/commentisfree/2013/mar/21/barrett-brown-persecution-anonymous" target="_blank">claims he never hacked anything</a>, and we'll probably never know with certainty exactly which details in his story stack up, or what involvement he had with Anonymous' core hackers.</p>
<p>There doesn't seem to be much evidence Brown was involved in any actual hacking, despite both his connection to Anonymous and his obsessive interest in federal security contractors. But his outspokenness, drug history and outlandish claims make him unsympathetic and hard to believe — an unlikely poster child for Internet freedom. And his&nbsp;unbalanced, over-the-top YouTube rants — more on those below — made him an easy target for the feds.&nbsp;</p>
<p>What we do know is that in early 2011,&nbsp;Anonymous <a href="http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/" target="_blank">targeted a security contractor called HBGary Federal</a> and its CEO Aaron Barr after Barr publicly claimed he'd <a href="http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/" target="_blank">infiltrated the hacker collective</a>. When Barr threatened to reveal the identities of Anonymous members, the group <a href="http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" target="_blank">hacked straight into HBGary's servers</a>, stealing 70,000 company emails.</p>
<p>Brown, through his affiliation with Anonymous, then posted a link to those hacked company documents on a public website called <a style="line-height: 1.538em;" href="http://wiki.echelon2.org/wiki/Main_Page" target="_blank">Project PM</a>&nbsp;and <a style="line-height: 1.538em;" href="http://www.guardian.co.uk/commentisfree/cifamerica/2011/jun/22/hacking-anonymous" target="_blank">wrote about his findings for the U.K. Guardian</a>. Brown, who seems to have been conducting an&nbsp;obsessive investigation of both HBGary Federal and Stratfor (another security contractor hacked by Anonymous), claimed the material proved that the companies were hired by the government to monitor and shut down various online activist groups.&nbsp;In particular, he alleged that HBGary was&nbsp;working with high-level government agencies to&nbsp;<a style="line-height: 1.538em;" href="http://www.thetechherald.com/articles/Firm-targeting-WikiLeaks-cuts-ties-with-HBGary-apologizes-to-reporter/12767/" target="_blank">feed fake information to WikiLeaks</a>.</p>
<div>
<p>The aftermath of the HBGary episode led to Barr's unceremonious <a href="http://www.forbes.com/sites/andygreenberg/2011/02/28/hbgary-federals-aaron-barr-resigns-after-anonymous-hack-scandal/" target="_blank">departure from the firm</a>. Brown would later claim on YouTube that Barr's well-connected friends then mounted a federal vendetta against him.</p>
</div>
<h2>In The Feds' Crosshairs</h2>
<p>Brown, one of the few public figures available for authorities to target for the activities of Anonymous,&nbsp;is basically a fall guy for the hacker collective.&nbsp;He <a href="http://blogs.dallasobserver.com/unfairpark/2013/01/barrett_brown_found_competent.php" target="_blank">faces 100 years behind bars if found guilty</a>&nbsp;on all counts. And right now he's&nbsp;stewing in a cell where he may be getting less than proper care. In a Pastebin message from last September, Brown claimed he did&nbsp;<a style="line-height: 1.538em;" href="http://pastebin.com/TDY5gUS4" target="_blank">not receive appropriate medical attention</a>&nbsp;for crushed ribs suffered during the FBI's raid of his home.</p>
<p>Between his connection to Anonymous and his obsession with digging up dirt on the national security state, Brown pinged up on the feds' radar pretty quickly. He was&nbsp;<a href="http://freebarrettbrown.org/bb_indictment.pdf" target="_blank">first indicted</a> last year after allegedly threatening federal agents. He was arrested, then subsequently indicted a <a href="http://freebarrettbrown.org/bb_indictment2.pdf" target="_blank">second time</a> for&nbsp;allegedly linking to stolen documents from Stratfor that included credit card data.</p>
<p>The <a href="http://freebarrettbrown.org/bb_indictment3.pdf" target="_blank">third indictment</a>&nbsp;involves an obstruction charge of concealing evidence, wherein Brown allegedly hid two laptops when federal agents stormed his mother's home in a raid. The laptops were eventually found and confiscated. The alleged threats and credit-card charges led prosecutors to push for a life sentence.&nbsp;</p>
<p>In some ways, Brown's muckraking wasn't all that different from what many journalists have always done, updated to employ digital tools. Reporting based on leaked documents — which, of course, aren't usually authorized for release — is as old as investigative journalism itself.</p>
<p>But Brown pushed the boundaries, and his drug history and proximity to the hacker community made him more vulnerable than other rabble rousers such as columnist&nbsp;<a style="line-height: 1.538em;" href="http://en.wikipedia.org/wiki/Glenn_Greenwald" target="_blank">Glenn Greenwald</a>.&nbsp;Brown wasn't a staffer at a major publication, and his own blistering public statements and threats, on both television and YouTube, gave the government all the motivation it needed to take him down.</p>
<h2>Barrett Brown's Incendiary Videos</h2>
<p>Major news organizations like the&nbsp;<a style="line-height: 1.538em;" href="http://opinionator.blogs.nytimes.com/2013/04/13/hacktivists-as-gadflies/" target="_blank">New York Times</a>&nbsp;and&nbsp;<a style="line-height: 1.538em;" href="http://www.guardian.co.uk/commentisfree/2013/mar/21/barrett-brown-persecution-anonymous" target="_blank">The Guardian</a>&nbsp;both describe Brown as a victim of persecution. And in many ways he is, although some of his alleged actions&nbsp;<em style="line-height: 1.538em;">are</em>&nbsp;criminal by definition, such as threatening the life of a federal agent.&nbsp;</p>
<p>Brown's legal troubles began when his mother's Dallas home was first raided in March of 2012. At that time, the feds confiscated his laptop, and by his account terrorized his mother and sent his life into a downward spiral. &nbsp;</p>
<p>After the raid, Brown took to the Web to tell his side of the story. On Sept. 11, 2012, Brown posted a trio of videos lashing out at perceived enemies:</p>
<iframe src="http://www.youtube.com/embed/klvP1Xx6OH4?list=PLC95A373745E62D11" frameborder="0" width="560" height="315"></iframe>
<p>At around the 12:00 mark of video number 2, Brown says that the FBI views him as a bad guy, and that he's going to prove in the court system just how bad of a guy he is. About a minute later he&nbsp;demands that the FBI return his laptop, notebook and Xbox.&nbsp;</p>
<iframe src="http://www.youtube.com/embed/wm3ytZEgBfc?list=PLC95A373745E62D11" frameborder="0" width="560" height="315"></iframe>
<p>In the third video, shot and released a day later, Brown brings up his heroin addiction and subsequent move to <a href="http://www.drugs.com/suboxone.html" target="_blank">suboxone</a>, a narcotic used to treat opiate addiction.&nbsp;At around the 12:00 mark of this video, Brown warns that he is armed and has been trained to shoot, saying that if any FBI agents come to his home, particularly one agent who really irked him by allegedly harassing his mother:</p>
<blockquote>
<p>I will shoot them and kill them... I have no choice left but to defend my family, myself, my girlfriend, my reputation, my work, my activism, my ideas and the revelation that my friends are going to prison so we can have a chance to get out for other people. So they would matter. And frankly, you know, it was pretty obvious I was going to be dead before I was 40 or so, so I wouldn't mind going out with two FBI sidearms like a f***ing Egyptian pharaoh. Adios.</p>
</blockquote>
<iframe src="http://www.youtube.com/embed/TOW7GOrXNZI" frameborder="0" width="560" height="315"></iframe> <br />
<p>Hours later, while on a live feed on TinyChat, Brown's home was raided and he was arrested. The whole thing is captured in this almost surreal video:&nbsp;</p>
<p><iframe src="http://www.youtube.com/embed/6LGL_W9sixA" frameborder="0" width="560" height="315"></iframe></p>
<p>Since his arrest, Brown's mother Karen has also been targeted by authorities. She <a href="http://blogs.dallasobserver.com/unfairpark/2013/03/barrett_browns_mother_pleaded.php" target="_blank">pled guilty to&nbsp;obstructing the execution of a search warrant</a>, and now&nbsp;faces up to a year in jail and a $100,00 fine. Sentencing has not yet been scheduled.&nbsp;</p>
<p>Brown has gotten some support from the Internet community, but nothing like the outpouring for the recently passed <a href="http://readwrite.com/2013/01/16/aarons-law-promises-to-reduce-hacker-penalties" target="_blank">Aaron&nbsp;Swartz</a>.&nbsp;Anonymous created a White House petition&nbsp;to stop his prosecution, but the reprieve didn't come close to getting the required 100,000 signatures by the April 20 deadline. Supporters have built several sites to&nbsp;<a href="http://freebarrettbrown.org/" target="_blank">educate the public about his plight,&nbsp;</a>the <a href="http://anoninsiders.net/bb-raided-673/" target="_blank">timeline of his case</a>&nbsp;and to help <a href="https://www.wepay.com/donations/free-barrett-brown" target="_blank">raise money</a>&nbsp;for legal representation.&nbsp;</p>
<h2>Hard Times For The Fall Guy</h2>
<p>Brown's supporters have raised about $20,000 for legal fees, and Brown has a new&nbsp;team of lawyers replacing his previous public defenders. But the court had up until last week&nbsp;<a style="line-height: 1.538em;" href="http://www.privacysos.org/node/1036" target="_blank">frozen Brown's access to those funds</a>,&nbsp;which meant that&nbsp;Brown's new legal team of&nbsp;<a style="line-height: 1.538em;" href="http://www.utexas.edu/law/faculty/ag46337/" target="_blank">Ahmed Ghappour</a>&nbsp;and <a href="http://en.wikipedia.org/wiki/Charles_Swift" target="_blank">Charles Swift</a> were essentially working pro bono. But that&nbsp;all&nbsp;<a style="line-height: 1.538em;" href="https://twitter.com/amadooooo/status/329640298768637953" target="_blank">changed</a>&nbsp;last&nbsp;Wednesday&nbsp;when the court allowed the transfer of funds to pay for the lawyers' travel expenses and fees.</p>
<p>It's still a long way to&nbsp;Brown's September trial, which could end up conflated in public perception with two other prominent hacker prosecutions. There's the case of&nbsp;<a style="line-height: 1.538em;" href="http://readwrite.com/2013/03/14/reuters-social-editor-indicted-anonymous-internet-jaw-drops" target="_blank">Matthew Keys</a>, the journalist facing a $750,000 fine and jail time for allegedly feeding passwords to Anonymous members who then defaced the <em style="line-height: 1.538em;">Los Angeles Times</em>' website. <a style="line-height: 1.538em;" href="http://readwrite.com/2013/03/18/hacker-crackdown-blame-att-crappy-security-not-weev" target="_blank">Andrew Auernheimer</a>, the hacker also known as Weev, is also appealing his sentence of more than 41 months in prison for his role in a 2010 hack of AT&amp;T.</p>
<p><strong>(See also&nbsp;<a href="http://readwrite.com/2013/03/18/hacker-crackdown-blame-att-crappy-security-not-weev" target="_blank">Hacker Crackdown: Blame AT&amp;T's Crappy Security, Not Weev</a>.)</strong></p>
<p>All of these cases are related to the much-maligned&nbsp;<a style="line-height: 1.538em;" href="http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act" target="_blank">Computer Fraud and Abuse Act (CFAA)</a>, the outdated law that has led to a number of questionable prosecutions — often of activists like&nbsp;Aaron Swartz rather than actual computer criminals. By the time Brown's trial gets going, there could&nbsp;be government movement to reform the poorly constructed law.</p>
<p><strong style="line-height: 1.538em;">(See also&nbsp;<a href="http://readwrite.com/2013/01/16/aarons-law-promises-to-reduce-hacker-penalties" target="_blank">'Aaron's Law' Promises To Reduce Hacker Penalties</a>.)</strong></p>
<h2>Prosecuting Brown Won't Stop Hacking</h2>
<p>The federal case against Brown, once you understand the details, doesn't pass the laugh test. It turns hyperlinking into a crime akin to breaking into secured computers and casts loose and admittedly unwise Internet soapboxing as criminal conspiracy against federal agents. And it turns one link into 11 separate charges of alleged identity theft.</p>
<div>"Barrett is facing decades in prison for cut-and-pasting a link," laments his lawyer Ahmed Ghappour, a cybersecurity expert at the University of Texas at Austin. Were it not for the hysteria over WikiLeaks and Anonymous attacks on government, financial and security-contractor sites, this case probably wouldn't exist.</div>
<p>Arresting hackers and fringe collaborators doesn't seem to be slowing the tide of cyberattacks. The last 12 months have seen some of the&nbsp;<a style="line-height: 1.538em;" href="http://readwrite.com/2013/03/29/ddos-attack-was-huge-and-part-of-a-trend" target="_blank">biggest cyber attacks</a>&nbsp;on record. <a style="line-height: 1.538em;" href="http://pinterest.com/arbornetworks/worldwide-infrastructure-security-report-wisr/" target="_blank">Denial of service attacks are up 12%&nbsp;</a>since 2011, according to data from the security firm Arbor Networks. If the government really wants to stop hacking attacks, it needs to focus more on the actual perpetrators and less on show-trial prosecutions of peripheral figures like Brown.&nbsp;</p>
<p>Which isn't to say that Brown himself deserves to get off scot-free, just that his proposed punishment should fit his alleged crime. No matter what the circumstances, once you threaten the FBI, the feds are pretty much guaranteed to come down on you. And even Barrett Brown should have known that.</p>
<p><em style="line-height: 1.538em;">Photos courtesy of Shutterstock, Twitter</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/05/06/the-persecution-of-barrett-brown-crushing-a-fly-with-a-tank</link>
                <guid>http://readwrite.com/2013/05/06/the-persecution-of-barrett-brown-crushing-a-fly-with-a-tank</guid>
                <category>Security</category>
                <pubDate>Mon, 06 May 2013 06:00:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[5 Ways To Protect Your Public Internet Use]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_cybercrime.jpg" />
                                        <p>Ah, public Wi-Fi. That magical tool that lets you surf the Internet at your favorite coffee house, bookstore or the mall. (Because nothing says cool like surfing at the food court.)</p>
<p>As much of a boon as using the Internet in public places can be, there are always risks involved whenever you are connected to a public network. Here are five steps you can take to help keep your public Web activities secure.</p>
<h2>Beware Fake Wi-Fi</h2>
<p>You sit down at the bookstore, fire up the laptop and lo and behold, you see the store's network name (SSID). But wait, what's this? An even stronger signal from an SSID that's wide open. Strong signal equals better connection, so that's the one you want, right?</p>
<p>Think again.</p>
<p>Known as a man-in-the-middle attack, that shiny new (and possibly free-of-charge) Wi-Fi signal may not belong to the store at all, but rather someone else in the store who has set up their own Wi-Fi router to attract people just like you. Once you're using their signal versus the store's, they can monitor all of your Internet traffic using special software that can easily discern things like login and password information.</p>
<p>I actually discovered someone doing this at the local Borders a few years back when there was a local Borders. The kid had even mimicked the store name with the SSID "Borders_1". But I knew the real SSID and started looking around the stacks until I found him right in the middle of the store just sitting with his laptop.</p>
<p>Cities are particularly bad about this kind of thing because everywhere you go, there's a Wi-Fi signal. My favorite: the "FREE-WIFI_Here" SSID my computer saw when staying at a Midtown hotel in Manhattan.</p>
<p>If you are not sure about what the store's Wi-Fi SSID is, just ask, or look for a sign. Better to be sure than surf on someone else's network.</p>
<h2>You Don't Know Where That's Been</h2>
<p>You grab a seat at the table, steaming coffee and a scone in hand. And on the floor under the table, you see a thumb drive. Ever the helpful citizen, you pick it up and boot your laptop with the intent to insert the drive and see if you can figure out who it belongs to.</p>
<p>Stop, helpful citizen.</p>
<p>That USB drive may in fact have been planted there, waiting for a Good Samaritan like you to pick it up and do exactly that. And instead of finding a file that says "This drive belongs to…" you will probably find trojan malware that will infect your machine so a hacker can get into it then, or later.</p>
<p>This is a method of breaking into your system that goes beyond public Wi-Fi, too. In 2011, the Department of Homeland Security conducted a study where they left USB drives and discs in the parking lots of government buildings. When found, 60% of the government workers - who really should have known better - plugged the drives into their office computer. If the thumb drive or CD case had an official logo, 90% of the workers would plug them in.</p>
<p>If you find a drive or CD somewhere public, and want to be helpful, turn it in to the nearest lost and found and let that be your good deed for the day.</p>
<h2>Cowboy Up</h2>
<p>In Westerns, the gunslinger always sits with his back to the wall - so as to avoid getting shot from behind when someone walked in the door spoiling for a fight.</p>
<p>That's not a bad plan, when it comes to public Wi-Fi. If at all possible, find a seat where there's no way someone can be behind you. You don't want anyone looking over your shoulder or worse, recording you when you are typing in critical information.</p>
<h2>Don't Share Your Internet</h2>
<p>Very occasionally, you may get someone who is desperate to use your computer or smartphone to check something on the Internet. Put your foot down and say no, even if they say it's an emergency.</p>
<p>First, if it's really an emergency, they should be calling someone, not communicating with Facebook or email. Second, even if you watch them to make sure they insert nothing into your computer, all it takes is a quick visit to a known malicious site on another browser tab to get your machine infected.</p>
<h2>Don't Login</h2>
<p>I have a pretty standard rule of thumb about surfing in public: never conduct banking transactions or visit a credit card website account. If I absolutely have to, I will use my phone's cellular connection to get to the bank Web site, but never with Wi-Fi I am just visiting.</p>
<p>But beyond that, I don't sign into Facebook or Twitter in a public place, either. If I want to use those networks, or anything similar, I use an app on the phone that's already signed in. That way, there's nothing to spy on and see.</p>
<p>Surfing in public doesn't have to be dangerous to your online identity, but you should always take care about your personal safety in a public place, and that includes your online activities.</p>
<p><em>Image courtesy of <a href="http://www.shutterstock.com">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/30/5-ways-to-protect-your-public-internet-use</link>
                <guid>http://readwrite.com/2013/04/30/5-ways-to-protect-your-public-internet-use</guid>
                <category>Security</category>
                <pubDate>Tue, 30 Apr 2013 07:34:00 -0700</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[Why Security Holes In Critical Infrastructure Are So Darn Hard To Fix]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_88623379.jpg" />
                                        <p>Security researchers recently found gaping vulnerabilities in&nbsp;a wide variety of critical business and industrial equipment. It turns out that weak or absent passwords made it easy to break into more than 100,000 terminal servers used to provide their Internet connections. Fixing the problem is simple. Changing the credentials dramatically reduces the risk. But for many companies, actually solving the problem is nearly impossible.</p>
<h2>Vulnerable, But Hidden</h2>
<p>The threats discovered by security firm <a href="http://www.rapid7.com/" target="_blank">Rapid7</a> exemplify the difficulties organizations face in plugging even known holes in critical gear. In this case, the affected systems include industrial control equipment, traffic-signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment such as alarms and heating and ventilation (HVAC) systems.</p>
<p><a href="https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers" target="_self">Rapid7 found</a>&nbsp;more than 114,000 unprotected terminal servers, mostly from <a href="http://www.digi.com/" target="_blank">Digi International</a> or <a href="http://www.lantronix.com/" target="_blank">Lantronix</a>, that a hacker could use to take control of the underlying systems. Finding the serial ports on the server requires the use of a scanning tool, such as <a href="http://nmap.org/" target="_self">Nmap</a>.&nbsp;Once an active port is found, a command-line program similar to those used on 1980s-vintage home computers is all that's needed to access a control panel or menu or capture data.</p>
<p>Fortunately, while tech-savvy saboteurs or terrorists would have no difficulty gaining access to the equipment, they most likely would not know who owns it or where it is located. Without that information, the find would not be very useful. "There's no telling who they are going to hurt, if they don't know where the device is," explained HD Moore, chief research officer for Rapid7.</p>
<h2>How Security Gets Missed</h2>
<p>Nevertheless, any hole that can provide access to critical equipment is worth plugging, but it's not likely to happen in many of these cases. Often, companies do not even know the terminal server exists, much less that it needs security updates.</p>
<p>How is that possible? Well, picture a vendor working with the facilities crew installing an HVAC system that uses a terminal server so the equipment can be monitored from a remote location. No one knows the server exists, and no one cares, as long as everything works. "A lot of times IT is not even aware of these systems," said Matthew Neely, director of research at risk management company <a href="http://www.securestate.com/Pages/default.aspx" target="_self">SecureState</a>.</p>
<p>Vendor marketing can also exacerbate the problem. Equipment is often sold as being "secured," when in fact it is only "capable of being secured." That means the buyer still has to add the technology or turn on and configure the security features.</p>
<p>This can get missed if the installers assume the equipment is "plug and play," said Joe Weiss, a security consultant for <a href="http://realtimeacs.com/" target="_self">Applied Control Solutions</a>.&nbsp;"It's like getting a toy for Christmas and you pull it out of the box expecting it to run, because the box doesn't tell you it needs two AA batteries," Weiss added.</p>
<p>Terminal servers, also called serial port servers, often get missed by electric utility companies because they are not covered under federal cybersecurity requirements. So the devices never make it on the utility's compliance checklist. "They don't even have to check these out to find out if they are or not secure," Weiss said.</p>
<p>This bizarre situation demonstrates that ensuring the security of critical equipment is never a matter of technology alone. True security requires people to pay attention, not just sweep everything under the rug.</p>
<p><em>Image courtesy <a href="http://www.shutterstock.com/index-in.mhtml" target="_self">of ShutterStock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/29/why-security-holes-in-critical-systems-are-so-darn-hard-to-fix</link>
                <guid>http://readwrite.com/2013/04/29/why-security-holes-in-critical-systems-are-so-darn-hard-to-fix</guid>
                <category>industrial control systems</category>
                <pubDate>Mon, 29 Apr 2013 11:59:00 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[How Hackers Steal Trade Secrets By Targeting Smaller Companies]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/cybersec_1_shutterstock.jpg" />
                                        <p>Cyberespionage is usually considered a threat to government agencies and large corporations such as defense contractors and banks. But a new Verizon report on data breaches finds that <a href="http://www.verizonenterprise.com/DBIR/2013/%20" target="_blank">cyberspies are going after small organizations</a> with the same enthusiasm they once reserved for big outfits.</p>
<h2>It's A Small Cyberworld</h2>
<p>Not surprisingly, 95% of the state-affiliated attacks aimed at stealing intellectual property, which included classified information, trade secrets and technical resources, originated from China last year, according to the <a href="http://www.verizonenterprise.com/DBIR/2013/%20" target="_self">2013 Data Breach Investigations Report</a>. No organization, no matter how small, was safe.</p>
<p>"The big surprise for us was that there were a lot of small organizations being targeted for cyberespionage," Jay Jacobs, senior analyst with the Verizon RISK team, told ReadWrite. The targets included manufacturing companies, computer and engineering consultants and professional services firms that were "relatively small, even under 10 employees kind of small."</p>
<p>The attackers went after small outfits using the same tactics waged against big companies. In a way, the hacker strategy parallels the way investigators go after the small players in a criminal enterprise, hoping to flip them in order to implicate higher-ups. Only in this case, the hackers are frequently targeting small companies to lay hands on the trade secrets of their larger partners.</p>
<p><span style="line-height: 1.538em;">Roughly one in five cyberattacks in 2012 were to steal intellectual property in order to further a country's national and economic interests. The most common mode of attack was </span><a style="line-height: 1.538em;" href="%20http://en.wikipedia.org/wiki/Spear_phishing#Phishing_techniques%20" target="_self">spearphishing</a><span style="line-height: 1.538em;">, which involves sending an email disguised as coming from a colleague of the recipient. The message typically contains a malicious link or attachment.</span></p>
<p>Chinese hacking of American computer networks has placed a damper on relations between China and the Obama administration, which has demanded the country curtail its hacker army. On Monday, Joint Chiefs of Staff chairman, Gen. Martin E. Dempsey, and Gen. Fang Fenghui of China met <a href="http://www.nytimes.com/2013/04/23/world/asia/united-states-and-china-hold-military-talks-with-cybersecurity-a-focus.html?_r=0" target="_self">to discuss cybersecurity</a>.</p>
<h2>Other Attacks</h2>
<p>Despite all the attention, cyberespionage was a distant second in terms of attacker motivation. Three quarters of data breaches committed last year were for financial gain, with the remaining 5% a result of hacktivism, the report found. Verizon confirmed a total of 621 data breaches and more than 47,000 reported "security incidents," which included denial-of-service attacks.</p>
<p>Among the companies that suffered data breaches, 37% were financial services firms, 24% restaurants and retailers, 20% manufacturers, transportation organizations or utilities, and the remainder classified as "information and professional services firms." Malware was used in 40% of breaches. Three quarters of the compromises involved exploiting weak or stolen user names and passwords.</p>
<p>Discovering data breaches was not easy for most organizations. Verizon found that the time from compromise to discovery took months, and sometimes years.</p>
<p>Verizon worked with 18 organizations worldwide in gathering data for the report. The groups included national computer emergency response teams and law enforcement agencies.</p>
<p>No one found any cutting-edge methods used by attackers to break into networks, so organizations can go a long way toward protecting themselves by focusing on the basics, such as stronger passwords and educating employees about bogus email.</p>
<p><em>Image courtesy of <a href="http://www.shutterstock.com/" target="_self">Shutterstock</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/24/small-or-large-no-organization-is-safe-from-cyberspies</link>
                <guid>http://readwrite.com/2013/04/24/small-or-large-no-organization-is-safe-from-cyberspies</guid>
                <category>Verizon</category>
                <pubDate>Wed, 24 Apr 2013 04:00:00 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[Alleged Leader Of Hacker Group LulzSec Arrested In Australia]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/lulz.jpg" />
                                        <p>Investigators in Australia have&nbsp;<a href="http://www.afr.com/p/technology/afp_arrest_alleged_boss_of_hacking_50OxdYHUosGEyFCiHGMC6M" target="_blank">arrested&nbsp;the self-proclaimed leader of LulzSec</a>, the hacker group and Anonymous offshoot that previously claimed responsibility for a slew of major hacks in 2011 including attacks on Sony Pictures, the UK tabloid The Sun, and the CIA's public website. All "just for the Lulz" — laughs, that is — of it.</p>
<p>On Tuesday night, police in Sydney took into custody&nbsp;Matt Flannery,&nbsp;a 24-year-old Australian IT professional who goes by the online moniker <a style="line-height: 1.538em;" href="http://vimeo.com/19248654" target="_blank">Aush0k</a>. The alleged hacker faces up to 12 years behind bars for two counts of unauthorized modification of data to cause impairment and one count of unauthorized access to a restricted computer system.&nbsp;&nbsp;</p>
<iframe src="http://www.youtube.com/embed/Vk1U5nl1dVQ" frameborder="0" width="640" height="360"></iframe>
<p>Australian Federal Police say their investigation began only two weeks ago when they discovered a government website had been compromised.&nbsp;Police apparently made the connection between Flannery and the recently targeted website because the multinational Tenable Network Security, where Flannery was allegedly employed, had access to specific Australian government information (a quick search on Google revealed a <a href="http://www.linkedin.com/profile/view?id=110227606&amp;authType=NAME_SEARCH&amp;authToken=SCMx&amp;locale=en_US&amp;srchid=f927d16e-3c9f-4aab-8936-88d34e5e652e-0&amp;srchindex=1&amp;srchtotal=2&amp;goback=%2Efps_PBCK_*1_Matt_Flannery_*1_*1_*1_*1_*2_*1_Y_*1_*1_*1_false_1_R_*1_*51_*1_*51_true_*1_au%3A0_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2&amp;pvs=ps&amp;trk=pp_profile_name_link" target="_blank">LinkedIn</a> profile of Flannery claiming employment there).</p>
<p>However, representatives from <a href="http://www.tenable.com/blog/our-company-our-mission-bringing-cybercriminals-to-justice" target="_blank">Tenable</a> contacted ReadWrite and informed us that Flannery was instead employed by Content Security, a security firm that subcontracted for Tenable. Still,&nbsp;it <em>could</em> explain just how he had access to such sensitive material. Tenable's Nessus software is used by clients such as the U.S. Department of Defense, Amazon and the American Red Cross for checking network security vulnerabilities. And determining weaknesses in networks is exactly what allowed LulzSec and similar hackers to pick their targets.&nbsp;</p>
<p><span style="line-height: 1.538em;">Following the arrest, Content Security's Phil Kurth described Flannery as a low-level support tech already on 3 month probation, although the reason behind the suspension, and any tie-into these charges, was not specified. Kurth further pointed out that Flannery had no access to any type of customer data apart from support tickets, and that most of the activities Flannery was accused of were conducted on his home PC, and seldom on his work-issued laptop.&nbsp;</span></p>
<p><span style="line-height: 1.538em;">Flannery's work computer has been seized by police.</span></p>
<p>Authorities claim Flannery asserted his LulzSec leadership in online forums monitored by police and visited by LulzSec members. They also claim Flannery admitted his leading role in the group directly to police.&nbsp;Some discussions in the hacker material stored at the online locker&nbsp;<a style="line-height: 1.538em;" href="http://pastebin.com/1TPvSxca" target="_blank">Pastebin</a>&nbsp;also seem to support authorities' claims.&nbsp;</p>
<p>"This man is known to international law enforcement and police will allege he was in a position of trust within the company with access to information from clients including government agencies," explained&nbsp;Glen McEwen,&nbsp;the AFP's federal police commander.&nbsp;</p>
<p>Flannery isn't the first alleged member of LulzSec to face the wrath of law enforcement. Another reputed leader, Sabu, aka Hector Xavier Monsegur, turned state's evidence and became an FBI informant after his 2011 arrest. Sabu may have been the hacker who ratted out former Reuters social media editor <a style="line-height: 1.538em;" href="http://readwrite.com/2013/03/14/reuters-social-editor-indicted-anonymous-internet-jaw-drops" target="_blank">Matthew Keys</a>, who was indicted for his role in the Anonymous infiltration of the Los Angeles Times website.&nbsp;Just <a style="line-height: 1.538em;" href="http://www.bbc.co.uk/news/technology-22079709" target="_blank">2 weeks ago</a>, another former LulzSec member, Ryan Ackroyd, pleaded guilty to several cyberattacks in the UK. The 26-year-old Ackroyd faces sentencing next month.&nbsp;</p>
<p>Flannery has already been released on bail, and now faces a May 15 court date.&nbsp;</p>
<p><em>Photo courtesy of Twitter &nbsp;</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/23/alleged-leader-of-hacker-group-lulzsec-arrested-in-australia</link>
                <guid>http://readwrite.com/2013/04/23/alleged-leader-of-hacker-group-lulzsec-arrested-in-australia</guid>
                <category>Security</category>
                <pubDate>Tue, 23 Apr 2013 23:23:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[5 Signs Your Android Smartphone Is Infected With Malware]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/zombies_1280.jpg" />
                                        <p><em>Guest author Catalin Cosoi is chief security strategist at <a href="http://www.bitdefender.com/" target="_blank">Bitdefender</a>.</em></p>
<p>Android malware seems to be spreading at a dizzying pace. In the second half of 2012 alone, Bitdefender found that Android malware spiked 292% from the first half of the year. This could pose a threat to millions of smartphone users worldwide.</p>
<p>Android malware is becoming harder to detect for the average smartphone user who pays little, if any, attention to security. Fortunately, most malware creators are not rocket scientists, and a user does not have to be a computer scientist to combat them.</p>
<p>Adding the following clues together could reveal the presence of malware:</p>
<h2><span class="embedded-Media-image img-caption-r">
				<img src="http://readwrite.com/files/red_android.jpg" style="" />
			</span>
1. Bad Battery Life</h2>
<p>Android users who don’t perform a lot of battery-straining activities have a good idea of how long their battery should last. Malware gives itself away when batteries mysteriously drain quicker than usual. That's usually due to adware, spam-like malware that shows app users an inordinate amount of ads. Continuously displaying aggressive adware will impact heavily on battery life.</p>
<p>Whether the malware is hiding in plain sight by pretending to be a regular application or trying to stay hidden from the user, abnormal battery drainage can often give away the presence of an Android infection.</p>
<h2>2. Dropped Calls And Disruptions</h2>
<p>Mobile malware can affect ongoing or incoming calls. Dropped calls or strange disruptions during a conversation could indicate the existence of mobile malware that is interfering. If you can't blame your mobile carrier, then some strand of mobile malware could be the culprit. Call your service provider to determine if the dropped calls are its fault. If it is not your carrier, it is possible that someone or something is trying to eavesdrop on conversations or perform other suspicious activities.</p>
<h2>3. Inordinately Large Phone Bills</h2>
<p>Android malware often infects devices and starts sending SMS (text) messages to premium-rated numbers. While these effects are easily seen in your phone bill, not all malware programs are obviously greedy. They may send an SMS message just once a month to avoid suspicions, or they may uninstall themselves after punching a serious hole in your budget. Whether you use a monthly plan or a pay-as-you-go subscription, checking your bill should make it easy to figure out whether such message-sending malware has found its way onto a device.</p>
<h2>4. Data Plan Spikes</h2>
<p>Malware that smuggles data from your device to a third-party can often be detected by an examination of your data plan bill. Significant changes in your download or upload patterns could be a sign that someone or something has control over your device. Setting up data meter quotas might help figure out if a device has been compromised by data broadcasting malware. It will also help dodge high phone bills.</p>
<h2>5. Clogged Performance</h2>
<p>Depending on device hardware specifications, malware infestation may cause serious performance problems as it tries to read, write or broadcast data from your smartphone. Anybody that has ever had a PC infected with malware should be familiar with this. Imagine rebooting a device several times a day because background-running malware consumes too much processing power to let apps work properly. Performance clogging is yet another sign that malware might be present on your device. Checking RAM (Random Access Memory) use or CPU load could reveal the presence of malware that’s actively running on the device.&nbsp;</p>
<h2>Stay Safe And Be Mindful</h2>
<p>The Android versions most targeted by malware are the common ones - Gingerbread 2.3, Ice Cream Sandwich 4.0 and Jelly Bean 4.1. Android users with these builds have an 88% chance of having their mobile phone infected with malware according to the <a href="http://developer.android.com/about/dashboards/index.html" target="_blank">Android Developer Dashboard</a>.</p>
<p>In the event that you do find yourself with malware on your Android, there are a couple of options. First, delete the offending app. Even if the app is deleted, malware may still linger. You may have to completely reset your smartphone by going into the settings menu and performing a "factory reset," which will clear the memory of the device.</p>
<p>A variety of paid and free security apps are available in the Google Play Android app store to help prevent apps from doing bad things. If you use your Android smartphone for business, your IT department likely has security solutions to help you purge any malware.&nbsp;</p>
<p>In general, it is wise to scrutinize each and every permission an Android app asks for – many apps ask for invasive permissions when they don’t need them. Even apps packed with aggressive adware have a knack for collecting more data than they would ordinarily need to perform adequately. Be sure to read your&nbsp;permissions before clicking “accept.”</p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/23/5-signs-android-smartphone-infected-malware</link>
                <guid>http://readwrite.com/2013/04/23/5-signs-android-smartphone-infected-malware</guid>
                <category>Android</category>
                <pubDate>Tue, 23 Apr 2013 04:04:00 -0700</pubDate>
                <author>Catalin Cosoi</author>
            </item>
                    <item>
                <title><![CDATA[Anonymous Calls For A CISPA Blackout To Protest The Bill's Privacy Threat... But Nobody Listens]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/cispa%20blocked%20lede%20image%20AR.png" />
                                        <p>Anonymous has called for an <a href="https://twitter.com/YourAnonNews/status/326232664996708353" target="_blank">Internet blackout to protest CISPA</a>, the much maligned cybersecurity bill that <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns" target="_blank">threatens your privacy more than it protects it</a>. But without the support of Reddit, which co-sponsored last year's SOPA blackout, the Web isn't listening.</p>
<p>About <a href="http://anonyops.com/cispablackout/othersites.php" target="_blank">200 hundred sites</a> have joined the #<a href="https://twitter.com/search/timeline?q=%23CISPABlackout&amp;src=hash" target="_blank">CISPABlackout</a> today in protest of CISPA, which last week passed the House of Representatives. That may sound like a big number, but the list mostly consists of small sites within the hacker community. That's a big contrast to the <a href="http://readwrite.com/2012/01/19/sopa_pipa_votes_indefinitely_delayed" target="_blank">last year's SOPA protests</a>, which drew support from&nbsp;huge organizations like Google and Wikipedia.</p>
<blockquote class="twitter-tweet"><p>Blackout your website: (requires some basic HTML/CSS knowledge): <a href="http://t.co/4v26INZV3B" title="http://bit.ly/11dtXv6">bit.ly/11dtXv6</a><a href="https://twitter.com/search/%23CISPABlackout">#CISPABlackout</a></p>&mdash; Anonymous (@YourAnonNews) <a href="https://twitter.com/YourAnonNews/status/326232664996708353">April 22, 2013</a></blockquote>
<p>Exceptions include the nonprofit&nbsp;<a href="http://www.fightforthefuture.org/" target="_blank">Fight for the Future,&nbsp;</a>which&nbsp;has <a href="https://twitter.com/fightfortheftr/status/326298445486891009" target="_blank">tweeted</a> solidarity but has not blacked out its site. Another is&nbsp;<a style="line-height: 1.538em;" href="http://labusinessjournal.com/news/2012/apr/30/super-powered/" target="_blank">Stan Lee's Comikaze</a>, the comic book convention backed by the former Marvel Comics head honcho, which <em>has</em> blacked out its site.</p>
<h2>A Reddit Divided</h2>
<p>Reddit itself appears conflicted over the CISPA blackout. Some Reddit sections, aka subreddits, have switched their background color to black and added a CISPA protest banner and link, but have stopped short of a full blackout that would inconvenience users by obscuring links. As of about 11am PT, subreddits including "pics," "politics," "funny," "askreddit" and "technology" have black backgrounds, although their listed links remain visible in the foreground. Reddit's front page and subreddits such as "news" and "worldnews" remain un-blackened.</p>
<p>It's a clear case of the hacker collective overestimating its influence, as my ReadWrite colleague <a href="http://readwrite.com/author/dan-rowinski" target="_blank">Dan Rowinski</a> suggested to me in chat earlier today. "Without Reddit, it is just Anonymous proclaiming something into its own echo chamber," he wrote.</p>
<p>It also doesn't help that Internet firms themselves are divided on CISPA. Microsoft and Facebook may have recently walked back their support for the bill — which, by the way, faces a veto threat from President Obama — but Google hasn't taken a position. And a rogue's gallery of telcos, ISPs and other tech firms support CISPA.</p>
<p>CISPA threatens our privacy by essentially giving the government a blank check to monitor all of our online communication, without a warrant. So a sign of solidarity blacking out the Web would be a good thing. But it seems the collective isn't as influential in garnering support as it is when it's making cyberattacks. Which is too bad, because this mission would actually be a <em>good</em> thing.</p>
<p>Below is a video from Anonymous explaining more about the blackout:</p>
<iframe src="http://www.youtube.com/embed/i_nFyavcld4" frameborder="0" width="640" height="360"></iframe>
<p>If you want to contact your local senator or congressperson, check out <a href="http://pastebin.com/LAsaLJe4" target="_blank">this list</a> of contact information&nbsp;from Anonymous. Here's some <a href="https://twitter.com/AnonyOps/status/325731915871182848" target="_blank">background on&nbsp;Anonymous' plans</a> and how you can further support the blackout.</p>
<p><em>Lead image via <a href="http://imgur.com/gallery/XqIbBu2" target="_blank">Imgur</a>, although it's circulating across the Internet and its provenance is unknown</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/22/anonymous-calls-for-cispa-blackout-nobody-listens</link>
                <guid>http://readwrite.com/2013/04/22/anonymous-calls-for-cispa-blackout-nobody-listens</guid>
                <category>CISPA</category>
                <pubDate>Mon, 22 Apr 2013 11:05:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[Hey, The FTC Might Finally Break The Carriers' Android-Update Logjam]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/FTC.jpg" />
                                        <p>The federal government appears ready to take dramatic action against U.S. wireless carriers that fail to protect Android smartphone buyers against malware — specifically by not pushing out timely operating-system updates. And the catalyst most likely to kick the feds into gear is an American Civil Liberties Union <a href="http://www.aclu.org/files/assets/aclu_-_android_ftc_complaint_-_final.pdf" target="_self">complaint filed Tuesday</a>&nbsp;with the Federal Trade Commission.</p>
<h2>Let The Market Decide</h2>
<p>What the ACLU is asking is not difficult.&nbsp; Rather than have the FTC order carriers to ship security updates to the Android operating system as soon as they are made available by Google, the ACLU wants customers to be told upfront that they won't be getting the updates needed to protect their personal data from hackers.</p>
<p>"We think the companies should be forthcoming about this," Christopher Soghoian, principal technologist and a senior policy analyst for the ACLU, said. "If consumers knew that certain phones weren't going to get updates, they might not buy those phones in the first place."</p>
<p>Rather than force carriers to spend a lot of money on automatic update services, the ACLU wants the market to fix the problem, a stand that many lawmakers in Congress should applaud.</p>
<p>"We want the market to work, but consumers are never going to get to vote with their wallets if they don't know which phones are secure and which phones are not secure," Soghoian said.</p>
<p><strong>(See also: <a href="http://readwrite.com/2013/02/26/ftc-to-smartphone-makers-fix-security-or-end-up-like-htc" target="_blank">FTC To Carriers: Fix Security Or End Up Like HTC</a>)</strong></p>
<p>The ACLU complaint names AT&amp;T, Verizon Wireless, Sprint Nextel and T-Mobile USA. AT&amp;T declined comment, Sprint said it follows "industry-standard best practices," and Verizon said it works closely with manufacturers to provide "mandatory updates to devices as quickly as possible."</p>
<p>T-Mobile was the only carrier to say that it keeps Android customers up to date with the latest software. "T-Mobile takes security very seriously, and regularly provides security updates to our customers, including those using the Android operating system," a company spokesman said.</p>
<h2><strong>The FTC Plays The Heavy</strong></h2>
<p>If that is what T-Mobile does, then it is more in line with the FTC's thinking than its rivals. In a <a href="http://readwrite.com/2013/02/26/ftc-to-smartphone-makers-fix-security-or-end-up-like-htc#feed=/search?keyword=htc" target="_self">February settlement</a> with smartphone manufacturer HTC, the agency pointedly emphasized the need to secure mobile devices.</p>
<p>Under FTC pressure, HTC agreed to a "comprehensive security program" that includes patching vulnerabilities that could be exploited by hackers and spammers. The agreement was significant because it outlined for all device manufacturers what the FTC considers best practices for security.</p>
<p>Keeping software up to date is a critical defense against hackers, who often target known vulnerabilities in software because so many users continue to run older, bug-ridden versions. In a blog post following the HTC settlement, FTC chief technologist Steve Bellovin&nbsp;<a href="http://techatftc.wordpress.com/2013/02/22/shipping-security/" target="_self">made it clear</a> that securing mobile devices was the responsibility of manufacturers and carriers, and they have to work together at getting updates out to customers.</p>
<p>"Bugs happen, ergo fixes have to happen," Bellovin said.</p>
<p>Android malware is a much larger problem outside the U.S., particularly in Asia and Eastern Europe. That's because people in those regions will download applications from third-party app stores, many of which distribute malware-infected software. In the U.S., most people get their apps from the Google Play store, which regularly checks for malicious software.</p>
<p>Nevertheless, 97% of new mobile malware is directed at Android devices, which comprise 72% of the smartphone market, according to security vendor Symantec's latest <a href="http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf" target="_self">Internet Security Threat Report</a>. While most infections today occur from downloading bad apps, experts say hackers are increasingly trying to compromise devices through spam that carries links to malicious Web sites.</p>
<p>Given the mood of the FTC, and trends in Android malware, it should be obvious to carriers that the status quo is unacceptable. If they aren't ready to make changes on their own, then they're likely to get an unfriendly shove from the feds.</p>
<p><em>Image courtesy of <a href="http://www.shutterstock.com/" target="_self">Shutterstock</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/18/ftc-ready-to-move-if-carriers-ignore-android-security</link>
                <guid>http://readwrite.com/2013/04/18/ftc-ready-to-move-if-carriers-ignore-android-security</guid>
                <category>Android</category>
                <pubDate>Thu, 18 Apr 2013 05:30:00 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[Your Next Big Security Headache: Your Wireless Router]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_92830642.jpg" />
                                        <p>You've installed antivirus software on your computers, configured your operating system to update its security automatically and password-protected your Wi-Fi. So your home network is safe against hackers, right?</p>
<p>Guess again. And then take a long look at your wireless router.</p>
<h2><span style="line-height: 1.538em;" data-mce-mark="1">What Can Happen (Hint: It's Bad)</span></h2>
<p>For years, manufacturers of home routers have all but ignored security issues, at least when it comes to making sure that consumers update their firmware to close exploitable vulnerabilities. Let's put it this way: Have you ever updated the firmware on your router? If not, odds are good that it's got one or more security holes through which a properly motivated hacker could slip.</p>
<p>Attacks on routers aren't common, partly for logistical reasons that make them uneconomical for hackers. But that could change as technology evolves, criminal incentives shift and security tightens up in other areas. One big potential trouble spot: the embedded Web servers that many routers use for managing their settings — including, of course, security.</p>
<p>Router manufacturers have done a lousy job informing users about firmware updates that would patch security flaws, and are even worse at making it easy for users to obtain and install those updates. Such patches are seldom available through automatic services, forcing users to look up the fixes on manufacturer websites.</p>
<p>"These are low-priced, low-power devices," Tod Beardsley, a researcher with application security vendor Rapid7, said. Manufacturers "may not have the margins on these devices to provide ongoing software support."</p>
<p>To see what can happen when a flaw remains unpatched, look no further than&nbsp;<a href="http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems" target="_self">a major intrusion in Brazil</a> in 2011, when hackers broke into 4.5 million home DSL modems over the Internet. The modems were reconfigured to send users to malware-carrying imposter websites, primarily so thieves could steal their online banking credentials.</p>
<h2>From Brazil With Love</h2>
<p>That exploit in Brazil was similar to one that application security tester Phil Purviance recently employed against a wireless Linksys EA2700, which was released about a year ago. Called a <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery" target="_self">cross-site request forgery</a>, the technique allowed Purviance to break into the router's embedded management Web site. Once in, Purviance found he could change the login information and remotely manage the hardware.</p>
<p>"What I found was so terrible, awful, and completely inexcusable!" Purviance wrote in <a href="https://superevr.com/blog/%20" target="_self">his blog</a>. "It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!"</p>
<p>Purviance found a total of five vulnerabilities in two Linksys routers, the EA2700 and WRT54GL. Separately, <a href="https://community.rapid7.com/community/metasploit/blog/2013/04/05/" target="_self">flaws recently found</a> in Linux-based routers from D-Link and Netgear could enable a hacker on the network to gain access to the command prompt on the operating system, Rapid7 reported.</p>
<p>D-Link and Netgear didn't respond to requests for comment. Belkin, which bought Linksys from Cisco last month, said in an email sent to ReadWrite that the EA2700 was fixed in a firmware update released last June. Called Smart Wi-Fi, the firmware is available through an opt-in update service.&nbsp;</p>
<h2>What Hackers Want</h2>
<p>Manufacturers have gotten away with sloppy security practices because breaking into wireless routers usually requires physical proximity. That made it far harder for hackers to bust into multiple computers, because they'd have to move from network to network in order to target them. Thus hackers have tended to favor blasting out malware-carrying spam from a single location over attacking individual wireless routers.</p>
<p>But that could change. Industrial control systems that run manufacturing operations, power grids and other critical infrastructure are increasingly under pressure from cyberespionage campaigns. Vulnerabilities in these systems are as bad as in home routers. You can see just how bad it is via the <a href="http://www.shodanhq.com/" target="_self">search engine Shodan</a>, which <a href="http://money.cnn.com/2013/04/08/technology/security/shodan/" target="_self">collects information</a> on 500 million connected devices, such as routers, printers, webcams and servers, each month.</p>
<p>In time, hackers will develop better tools and malware for breaking into hardware, and this technology will eventually find its way into the criminal underground.</p>
<h2>How To Safeguard Your Router</h2>
<p>In other words, it makes sense to safeguard your router now. Here are a few steps you can take to make your home network a less inviting target:</p>
<ul>
<li>In your router security settings, make sure you've changed any default usernames and passwords. These will be the first things any hacker tries, much the way a burglar jiggles a doorknob to see if it's unlocked.</li>
<li>Disable wireless access to your router's management console, which allows you to manage its settings by pointing a Web browser to an address such as 192.168.1.1. Disabling wireless access means you'll have to be physically plugged into the router in order to manage it, making it far more difficult to hack.</li>
<li>If you're sufficiently technically minded, consider replacing your router's doubtless buggy internal software with an open-source alternative such as&nbsp;<a style="line-height: 1.538em;" href="http://www.dd-wrt.com/site/index" target="_self">DD-WRT</a>,&nbsp;<a style="line-height: 1.538em;" href="http://www.polarcloud.com/tomato" target="_self">Tomato</a>&nbsp;or&nbsp;<a style="line-height: 1.538em;" href="https://openwrt.org/%20" target="_self">OpenWRT</a>. While these options aren't particularly consumer friendly, their firmware is less likely to contain obvious vulnerabilities — and will probably offer you some cool new features, too.</li>
</ul>
<p><em>Image courtesy of <a href="http://www.shutterstock.com/" target="_self">Shutterstock</a></em></p>
<p><strong><em>Updated at 12:35pm PT</em></strong><em>&nbsp;to make clear that embedded Web servers, not embedded browsers, pose a security threat in many routers.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/16/beware-the-wireless-router-security-threat</link>
                <guid>http://readwrite.com/2013/04/16/beware-the-wireless-router-security-threat</guid>
                <category>wireless routers</category>
                <pubDate>Tue, 16 Apr 2013 03:00:00 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[The White House Doesn't Love CISPA, But It's Not Hating On It, Either]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/wh.jpg" />
                                        <p>The White House doesn't support the amended version of <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns" target="_blank">CISPA</a>, the controversial&nbsp;<a href="http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act" target="_blank">Cyber Intelligence Sharing and Protection Act</a>&nbsp;that would let companies and the feds monitor and share your online communication without a warrant.&nbsp;But while President Obama remains opposed to the bill's latest iteration, he's apparently hedging on whether he'd veto it.</p>
<p>The bill, aimed at data sharing between the public and private sectors, is a security nightmare for its vagueness and privacy oversight.&nbsp;<a style="line-height: 1.538em;" href="http://readwrite.com/2012/04/25/white-house-blasts-cispa-promises-veto" target="_blank">Last year</a>, we heard the same potshots from Obama, except that back then he promised to veto the law. This year he isn't making any promises, although White House rhetoric suggests that the <a href="http://readwrite.com/2013/03/11/cispa-supporters-opponents-and-you" target="_blank">polarizing bill</a> still comes up short in the area of privacy concerns.&nbsp;</p>
<p>White House National Security Council spokeswoman&nbsp;<span style="line-height: 1.538em;">Caitlin Hayden&nbsp;<a href="http://www.govinfosecurity.com/white-house-pleased-new-cispa-bill-a-5681" target="_blank">said in a statement</a>:</span></p>
<blockquote>
<p>We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections....&nbsp;<span style="line-height: 1.538em;">We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.</span></p>
</blockquote>
<p>These comments came a day after the House Intelligence Committee <a href="http://thehill.com/blogs/hillicon-valley/technology/293151-house-intelligence-panel-passes-cyber-intelligence-sharing-bill" target="_blank">passed the bill on an 18-2 vote</a>&nbsp;on Wednesday. <a href="http://intelligence.house.gov/press-release/bipartisan-cybersecurity-bill-clears-key-hurdle-0" target="_blank">New amendments to the bill</a>&nbsp;require government agencies to strip away any private information they receive from companies participating in information sharing, prohibit companies from retaliating against alleged hackers or cyberattackers and back away from a clause that would have allowed the use of threat information sharing arrangements for vague "national security" reasons. These sound like digital freedom wins, but most other privacy protections <a href="http://news.cnet.com/8301-13578_3-57579012-38/privacy-protections-booted-from-cispa-data-sharing-bill/" target="_blank">didn't make the cut</a>.&nbsp;</p>
<p>It's unclear which way Obama will tilt, but if this year's slew of major <a href="http://readwrite.com/2013/02/20/anonymous-hacks-us-state-department" target="_blank">government-targeted cyber attacks</a> and the President's <a href="http://readwrite.com/2012/12/21/obama-unveils-online-information-sharing-strategy-to-fight-cyberterrorism" target="_blank">cyber mandate</a> mean anything, it looks like he may lean (and be forced politically) towards more regulation, even if it's flawed.</p>
<p>Next week, the new version of the bill is expected to head to the House floor for a vote. If you want to help light a fire under the president and legislators, sign <a href="http://www.cispaisback.org/" target="_blank">this petition</a> from the privacy advocacy group Fight For The Future and check out this video from Reddit co-founder Alexis Ohanian to see why you should also hold tech companies accountable for their support of this poorly written law.&nbsp;</p>
<iframe src="http://www.youtube.com/embed/IkuH5ZjEdBw" frameborder="0" width="560" height="315"></iframe>
<p><em>Photo courtesy of <a href="http://www.shutterstock.com">Shutterstock</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/12/white-house-no-cispa-veto-threat-but-no-support-either</link>
                <guid>http://readwrite.com/2013/04/12/white-house-no-cispa-veto-threat-but-no-support-either</guid>
                <category>CISPA</category>
                <pubDate>Fri, 12 Apr 2013 12:34:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[Hitting Back At Hackers: Why "Strikeback" Is Doomed To Fail]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_120239824marines.jpg" />
                                        <p class="p1"><em>Guest author Corey Nachreiner, CISSP, is director of security strategy for WatchGuard Technologies.</em></p>
<p class="p1">Between agenda-pushing hacktivists, money-grubbing cyber criminals, and — more recently — belligerent nation states, there is no shortage of attackers breaking into networks, stealing trade secrets and generally wreaking havoc throughout IT infrastructure.</p>
<p class="p1">Even the U.S. government has noticed, with the latest National Intelligence Estimate (NIE) warning that the country is the target of a <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">major cyber espionage campaign from China</a>. In fact, network penetrations have become so commonplace that <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">President Obama recently signed a cyber-security executive order</a> in hopes of fortifying our defenses, and encouraging the government and critical private sector organizations to share intelligence.</p>
<p class="p2"><strong>(See also </strong><a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing"><strong>World War III Is Already Here - And We're Losing.</strong></a><strong>)</strong></p>
<p class="p1">Considering this deluge of aggressive and costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate striking back directly against our attackers. While giving cyber criminals a taste of their own medicine certainly sounds appealing, most forms of so-called "Strikeback" have no place in private business.</p>
<h2 class="p3">What Is Strikeback?</h2>
<p class="p1">The idea of launching counterattacks against cyber criminals is not new. Security geeks at information security conferences have been discussing counter-hacking and proactive defense for years.</p>
<p class="p1">After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the “black hats” often leverage tools and code created by “white hat” security professionals. Lately, though, this idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality - some security companies have even begun offering strikeback solutions.</p>
<p class="p1">There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:</p>
<p class="p1"><strong>Legal Strikeback:</strong> This is the least offensive form of strikeback. It’s where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.</p>
<p class="p1"><strong>Passive Strikeback:</strong> This is essentially cyber entrapment. An organization installs a sacrificial system, baited with booby trapped files or Trojan-laced information an attacker might desire.</p>
<p class="p1"><strong>Active Strikeback:</strong> In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a direct counterattack.</p>
<h2 class="p3">What’s Wrong With Strikeback?</h2>
<p class="p1">Unfortunately, direct strikeback measures have huge inherent risks:</p>
<p class="p1"><strong>Targeting:</strong> The biggest problem with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack. It's all too likely that strikebacks could impact innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting it came from another organization in order to sabotage <em>that</em> company.</p>
<p class="p1"><strong>Geography:</strong> Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Domestic strikebacks invite potential legal problems, but cross-border actions have even wider ramifications.</p>
<p class="p1"><strong>Legal:</strong> Additionally, most strikeback activity is illegal. It is against the law for the average person to track down and punish a burglar who ransacked a house, and the same principles hold true for cybercrimes. If an organization uses a booby trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the <em>attacker</em> broke to steal information in the first place.</p>
<p class="p1"><strong>Revenge:</strong> When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker typically doesn’t recover stolen data or repair damage that has already been done. It's almost always better to pursue legal investigations and prosecutions through the proper channels.</p>
<p class="p1">Strikeback simply doesn’t belong in private business. It offers no real advantages to most organizations, and it carries serious risks that far outweigh the short-lived satisfaction of revenge. Instead, companies should focus their security strategies on well-implemented, carefully monitored, multi-layer defenses designed to keep cyber criminals from breaching their networks in the first place.</p>
<p class="p1">&nbsp;</p>
<p class="p1"><em>Image courtesy of <a href="http://readwrite.com/2013/04/05/striking-back-at-hackers-why-its-doomed-to-fail?_view=all" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</link>
                <guid>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</guid>
                <category>cybersecurity</category>
                <pubDate>Tue, 09 Apr 2013 04:04:00 -0700</pubDate>
                <author>Corey Nachreiner</author>
            </item>
                    <item>
                <title><![CDATA[And Privacy Kudos Of The Week Go To… Apple??]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/imessage-800px_0.jpg" />
                                        <p>Good news: If you're running a local crime syndicate from your iPhone, the authorities are going to have a hard time reading your texts. That's because, as <a href="http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/" target="_blank">the DEA recently complained</a>, the company's iMessage protocol is encrypted end-to-end, which prevents law enforcement from spying on users' messages, even with a court order.</p>
<p>This is good news for iOS-loving drug lords, but, more importantly, it's a big win for digital privacy. And from Apple, no less.&nbsp;</p>
<p>With government requests for personal data on the rise, there are few guarantees in place that you or I won't have our private communications snooped through. Since the Fourth Amendment hasn't yet caught up with the lightning fast pace of technological change, some of the best privacy protections are often the ones implemented by tech companies themselves.&nbsp;</p>
<h2>A Rare Privacy Win For Apple&nbsp;</h2>
<p>Apple isn't exactly known as a champion of consumer privacy. It's not reckless either, but few people expect the company to defend users' privacy any more than the law or consumer sentiment requires.&nbsp;</p>
<p>For a company like Twitter, it's different. Principles like user privacy and free speech have become important enough to the service's core functionality that the company has no choice but to value and protect them. As a result, Twitter <a style="line-height: 1.538em;" href="https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back" target="_blank">gets pretty high marks</a> from privacy advocates.</p>
<p>Even Google, which has had its share of privacy snafus, is pretty good at being transparent and safeguarding its users' privacy generally. Apple? It's as mindful about privacy as it needs to be, but it's not a chief motivator for the company.</p>
<p>By architecting iMessage the way it did, Apple created a messaging protocol more secure and private than standard text messages, which is how millions of people communicate every day. As we fire those texts back and forth, we're all creating a digital trail that can be snooped upon or hacked more easily than we care to think about. But if they're being sent and received from iPhones running iOS 5 or later, those messages are invisible to wiretaps by law enforcement or other prying eyes.&nbsp;</p>
<p>Apple didn't have to build iMessage with end-to-end encryption. Gmail isn't encrypted this way, nor are the Facebook messages that are increasingly used like texts on mobile devices. Clearly, SMS text messages aren't particularly well-secured either. Whether winning privacy points was its motivation or not, Apple definitely racks up a few for this.&nbsp;</p>
<p>Of course, Apple has had its own share of privacy controversies. <a href="http://readwrite.com/2011/04/20/your_iphone_is_tracking_your_every_move">Locationgate</a> and <a href="http://readwrite.com/2011/12/01/its_carrier_iqs_world_we_just_live_in_it">Carrier IQ</a> come to mind. Then there was <a href="http://gizmodo.com/5880593/the-apple-bug-that-let-us-spy-on-a-total-strangers-iphone" target="_blank">the iMessage bug</a> that accidentally exposed some users' private messages, an embarrassing screwup that was fixed in iOS 6. &nbsp;</p>
<p>Critics were rightfully quick to pounce on Apple for those things, but we need to be every bit as eager to applaud big tech companies when they get it right.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/05/privacy-kudos-of-the-week-go-to-apple</link>
                <guid>http://readwrite.com/2013/04/05/privacy-kudos-of-the-week-go-to-apple</guid>
                <category>imessage</category>
                <pubDate>Fri, 05 Apr 2013 05:00:00 -0700</pubDate>
                <author>John Paul Titlow</author>
            </item>
                    <item>
                <title><![CDATA[Anonymous Hacks Official North Korean Social Media Accounts]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/8617799269_d513bf2a0c_b.jpg" />
                                        <p>As the world waits with bated breath to see if Pyongyang will make good on its nuclear threats, the hacker collective Anonymous has made its own move in the increasingly cyber conflict between North Korea and the world.&nbsp;</p>
<p>On Tuesday, the group claimed to have <a href="https://twitter.com/YourAnonNews/status/319277061388787712" target="_blank">stolen 15,000 passwords</a> from the communist nation as part of what it calls Operation North Korea. Late Wednesday, as&nbsp;<a href="http://www.reuters.com/article/2013/04/04/us-korea-north-kaesong-idUSBRE93302D20130404" target="_blank">tensions rose in Kaesong&nbsp;</a>over the North's closure and seizure of an industrial park it shares with the South, along with repeated declarations of&nbsp;nuclear launch, Anonymous advanced its own chess pieces. The hackers allegedly seized control of North Korea's official <a href="https://twitter.com/uriminzok" target="_blank">Twitter</a> and&nbsp;<a href="http://www.flickr.com/photos/uriminzokkiri" target="_blank">Flickr</a> accounts, in the process defacing several related websites, and making the autocratic nation look extremely unprepared for cyber attack.&nbsp;&nbsp;</p>
<blockquote class="twitter-tweet">
<p>Tango Down <a title="http://www.flickr.com/photos/uriminzokkiri" href="http://t.co/L2nrPE2DF5">flickr.com/photos/uriminz…</a></p>
— uriminzokkiri (@uriminzok) <a href="https://twitter.com/uriminzok/status/319689185999060993">April 4, 2013</a></blockquote>
<p>The Uriminzokkiri accounts on both the social media networks, which translates to "our nation," looked like anything but North Korea's after the strike. The Twitter account's avatar changed to a couple in Guy Fawkes masks tangoing, while the Flickr account filled up with less-than-flattering images of the supreme leader, Kim Jong Un.&nbsp;</p>
<p>&nbsp;<span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/tango.jpg" style="" />
			</span>
</p>
<p>In addition, several sites hawking propaganda material have been hit by digital graffiti (visit <a href="http://www.aindf.com/" target="_blank">Aindf.com</a> to see a wanted poster of Kim Jong Un).&nbsp;North Korean state-run news site <a href="http://www.uriminzokkiri.com/" target="_blank">Uriminzokkiri.com</a> has been knocked offline, possibly by a related DDoS attack. The <a href="http://thenextweb.com/asia/2013/04/04/anonymous-takes-control-of-north-koreas-twitter-and-flickr-accounts-defaces-websites/?&amp;_suid=136506152979302913514596875757" target="_blank">Next Web is reporting</a> that a <a href="http://pastebin.com/4g44jfNF" target="_blank">Pastebin</a> note, allegedly from the hacktivists, claims that they have agents on the ground fighting off the North's "cyber army." Below is an excerpt from the latest Pastebin message, supposedly penned by Anonymous members, explaining the group's reasoning and m.o. for the attack:</p>
<ol style="padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 48px; margin: 0px;">
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">Because of North Korea's new threats today we are forced to</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">contact you again.</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">Within this release we also take the chance to set some things</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">straight about our goals, because it seems some web citizens</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">didn't really get it right. Here we go:</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">&nbsp;</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">@ Kim Jong-un</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">You just went full retarded! Never go full retarded.</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">We feel really sorry for your suffering of TDS</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">(aka "tiny dick syndrome") but be assured, threatening the</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">world with your nukes won't make it any better at all.</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">If you had finally opened up your country for the</div>
</li>
<li class="li2" style="-webkit-user-select: none;">
<div class="de2" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">real internet, you would have already seen over 9000 ads for</div>
</li>
<li class="li1" style="-webkit-user-select: none;">
<div class="de1" style="-webkit-user-select: text; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: -7px; padding-top: 0px; padding-right: 5px; padding-bottom: 0px; padding-left: 5px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; vertical-align: top; color: #000000; border-left-width: 1px; border-left-style: solid; border-left-color: #cccccc; position: relative; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; line-height: 21px; background-position: initial initial; background-repeat: initial initial;">products devoted to solve your problem.</div>
</li>
</ol>
<p>If Kim Jong Un really does have thousands of soldiers in his cyber army, it's likely that this attack will soon be thwarted and things will go back to normal. Normal, of course, being a relative term as the bluffing situation escalates between the peninsula and the rest of the world.&nbsp;</p>
<p>Will Anonymous' actions (in February it <a href="http://readwrite.com/2013/02/20/anonymous-hacks-us-state-department" target="_blank">hacked the U.S. State Department</a>) push the conflict over the edge and give the 30-year-old despot reason to hit the launch button and plunge the world into hot war? Who knows what this digital assault will do to the man's ego, since he is already eager to prove himself in the wake of his father's passing.</p>
<p><strong>(See also <a href="http://readwrite.com/2013/03/20/south-korea-cyber-attack-heightens-tensions-in-hair-trigger-region">South Korea Cyber Attack Heightens Tensions In Hair-Trigger Region</a> and <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing">World War III Is Already Here - And We're Losing</a>.)</strong></p>
<p>When ex-NBA oddball Dennis "the Worm" Rodman seems to have more on-the-ground knowledge of the leader than every major intelligence agency combined, you know we're in a pickle, no matter how you cut it. Anonymous is pulling on the tail of a tiger. If this is the prelude to the end of the world, let's hope it has a viable plan for when the beast turns around and bares its fangs.</p>
<p><em>Image courtesy of </em><em><a href="http://www.flickr.com/photos/uriminzokkiri" target="_blank">Uriminzokkiri</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/04/anonymous-hacks-official-north-korean-twitter-account</link>
                <guid>http://readwrite.com/2013/04/04/anonymous-hacks-official-north-korean-twitter-account</guid>
                <category>Security</category>
                <pubDate>Thu, 04 Apr 2013 05:30:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[Yes, This Week's DDoS Attack Was Huge, And Part Of An Ominous Trend]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_114370366.jpg" />
                                        <p>Depending on who you believe, the weeklong <a href="http://readwrite.com/2013/03/27/whos-to-blame-for-the-huge-cyberattack-slowing-the-web-your-isp" target="_blank">Spamhaus-Cyberbunker cyberattack</a> we covered Wednesday&nbsp;was either a threat to the Internet itself or <a href="http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie" target="_blank">hyped up by an overzealous security vendor</a>. Either way, it was still serious business.</p>
<p>While much of the Internet disruption may have in fact been localized to Europe, and also potentially caused by&nbsp;<a style="line-height: 1.538em;" href="http://slashdot.org/topic/datacenter/ships-anchor-suspected-in-mideast-internet-problems/" target="_blank">tampering with underwater telecom cables</a>&nbsp;in the Mediterranean, big DDoS attacks — that is, distributed denial-of-service assaults that aim to knock target computers off the Internet — are real, and have been on the rise since 2010.&nbsp;</p>
<p><span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/PeakDDoSAttack_rev2.jpg" style="" />
			</span>
</p>
<p>Dan Holden, the director of&nbsp;ASERT, <a href="http://www.arbornetworks.com/" target="_blank">Arbor&nbsp;Networks</a>' security engineering and response team, has been <a href="http://pinterest.com/pin/307933693241040245/" target="_blank">monitoring DDoS attacks</a> for more than 12 years. In 2012 his company released a <a href="http://pages.arbornetworks.com/rs/arbor/images/WISR2012_EN.pdf" target="_blank">Worldwide Infrastructure Report</a>&nbsp;that&nbsp;<a href="http://www.arbornetworks.com/corporate/blog/4813-putting-the-spamhouse-ddos-attack-in-perspective" target="_blank">reports</a>&nbsp;attack sizes have been peaking&nbsp;at around 100Gbps&nbsp;(check out this detailed look at the report&nbsp;<a style="color: #0074bd; text-decoration: none;" href="http://pinterest.com/arbornetworks/worldwide-infrastructure-security-report-wisr/" target="_blank">here</a>). This week's attack was more than&nbsp;300Gbps — <em>way</em> above the norm, in other words.&nbsp;</p>
<p>That's because the attackers actually co-opted part of the Internet's basic infrastructure -- the <a href="http://en.wikipedia.org/wiki/Domain_Name_System" target="_blank">Domain Name System</a>, or DNS -- in such a way as to greatly amplify the firehose stream of data they were directing at target computers.</p>
<p>Here's how such attacks work, according to&nbsp;<span style="line-height: 1.538em;" data-mce-mark="1">Carlos Morales, Arbor Networks' vice president of global sales engineering and operations:</span></p>
<blockquote>
<p>Attackers send DNS queries to a [DNS server] on the Internet but use the victim address as the source of the query. When the response goes back, a response that is usually multiple times the size of the initial query, the response goes to the victim.&nbsp;Multiply this by hundreds of thousands of requests from bots on the Internet spoofing the one victim address and you get a very large flood of traffic to the victim machine.</p>
</blockquote>
<p>Holden says DNS is becoming an&nbsp;increasingly popular target for DDoS. As many as 27 million DNS servers across the Internet are "open" in a way that allows them to be hijacked this way.&nbsp;</p>
<p>That means that while this week's attack may not have knocked us Americans off of the Web, the amount of localized disruption overseas was definitely large enough to cause serious reverberations. This may not have been the Web's D-Day, but this could definitely be the opening salvo of a hacker blitzkrieg. Let's hope the ISPs and powers that be don't Neville Chamberlain it.&nbsp;</p>
<p><em style="line-height: 1.538em;">Photo courtesy of </em><a style="line-height: 1.538em;" href="http://www.shutterstock.com/" target="_blank"><em>Shutterstock</em></a></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/29/ddos-attack-was-huge-and-part-of-a-trend</link>
                <guid>http://readwrite.com/2013/03/29/ddos-attack-was-huge-and-part-of-a-trend</guid>
                <category>hacks</category>
                <pubDate>Fri, 29 Mar 2013 16:40:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[Who's To Blame For The Huge Cyberattack Slowing The Web? Your ISP]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/cyberwar%20skull%20bits%20shutterstock_130963817%20.png" />
                                        <p>The <a href="http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all" target="_blank">Internet is groaning today under the load of a huge cyberattack</a> — one of the worst on record — that's clogged some of its most vital systems. And while you might be inclined to blame Spamhaus or Cyberbunker, two European outfits at the center of this online dustup, almost no one is talking about the real villains here: the world's Internet service providers.</p>
<p>First, some background on Spamhaus vs. Cyberbunker. Yes, that sounds like the lineup at a punk-rock show, but it's actually a virtual battle that&nbsp;began when the anti-spam group Spamhaus added the Dutch web hosting company Cyberbunker to a blacklist used to fight spam. That apparently stung the outlaws at Cyberbunker, which prides itself on hosting anything but "<a href="http://cyberbunker.com/web/stay-online-policy.php" target="_blank">child porn and anything related to terrorism</a>."</p>
<p>Seemingly insulted, on March 19 Cyberbunker allegedly launched a major <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack" target="_blank">distributed denial-of-service (DDoS) attack</a>&nbsp;— that is, one that aims huge streams of data at target Web servers in an attempt to knock them offline —&nbsp;against Spamhaus. When that failed, the attackers pivoted to a much more serious attack, one that exploited a vulnerability in the Internet's&nbsp;<a href="http://en.wikipedia.org/wiki/Domain_Name_System" target="_blank">Domain Name System (DNS)</a>. And in so doing, they almost <a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet" target="_blank">broke the Internet</a>.</p>
<h2>Dissing the DNS</h2>
<p>DNS is a core service that translates URLs like readwrite.com into the numerical Internet addresses used by computers (204.9.177.211 in the case of ReadWrite). Without it, traffic on the Internet goes nowhere.</p>
<p>In this case, the attackers targeting Spamhaus turned to what's called a <a href="http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack" target="_blank">DNS amplification attack</a> — one that basically tricks DNS servers into directing a huge flood of traffic at a target. This is relatively easy because many network providers and ISPs have left DNS servers (also called "resolvers") open and unprotected, meaning that they'll respond to requests from anywhere on the Internet.</p>
<p>All an attacker needs to do is to send a stream of forged DNS requests that appear to come from their target's computers. Open DNS resolvers do the rest, responding with automated messages that are much larger than the initial requests. The security company&nbsp;<a style="line-height: 1.538em;" href="http://www.cloudflare.com/" target="_blank">CloudFlare</a>, which has assisted Spamhaus in its current fight, wrote that attackers can use DNS amplification to <a href="http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack" target="_blank">boost their initial DDoS data flood by a factor of 50 or more</a>.</p>
<p>Which is exactly what Spamhaus's attackers appear to have done.</p>
<h2>Why Your ISP Sucks</h2>
<p>The big problem here, as you've probably already figured out, is that so many network operators have left their DNS resolvers open. It's fairly trivial to configure resolvers to <a href="http://tools.ietf.org/html/bcp38" target="_blank">filter out and ignore forged requests</a>, but relatively few network operators have done so.&nbsp;The <a style="line-height: 1.538em;" href="http://openresolverproject.org/" target="_blank">Open DNS Resolver Project</a>, an Internet community initiative aimed at blocking this vulnerability, has catalogued more than 25 million open DNS resolvers around the world.</p>
<p>"If ISPs had fixed those issues, [which are] relatively simple, and [involve] very little cost, this kind of attack would have been impossible," Rodney Joffe, a senior vice president at the Virginia security firm&nbsp;<a href="http://www.neustar.biz/" target="_blank">Neustar</a>, told me.&nbsp;</p>
<div>
<p>Sam Erdheim, a senior security strategist at the network security company&nbsp;<a href="http://www.algosec.com/" target="_blank">AlgoSec</a>,&nbsp;says ISPs should be doing more to block certain IP addresses and identify and monitor network traffic better "before these threats impact the networks of the ISP’s customers." These are what's called&nbsp;DDoS signatures, and enabling them allows ISPs to track and trace the source of attacks.</p>
<p>While that wouldn't stop attacks, Erdheim said, it would be possible to identify them earlier and to cut off traffic from a questionable source before it bogs down users.</p>
</div>
<h2>How To Stop The Suckage</h2>
<p>DNS resolvers are becoming an increasingly popular target for hackers. Dan Holden, a security official at Arbor Networks, told me that in a recent Arbor survey, a full quarter of respondents said they'd experienced serious DDoS attacks on their DNS servers in 2012 — double the number who acknowledged similar attacks in the previous year.</p>
<p>Fixing DNS vulnerabilities would be an ideal way to stop these attacks, says security expert <a href="http://en.wikipedia.org/wiki/Dan_Kaminsky" target="_blank">Dan Kaminsky</a>, who has helped shore up previous DNS problems. But he's skeptical that this will ever happen.</p>
<p>"If only everyone on the Internet made major changes at the same time, this wouldn't have happened," Kaminsky told me via email. Short of that, he said, the answer may lie in straightforward police work:</p>
<blockquote>
<p>We stop DDoS by getting as close as possible to the source and doing something about it there, or by doing nothing and tolerating it. I prefer the former, in this case, by perhaps finding the person almost certainly responsible.</p>
</blockquote>
<p><em>Photo courtesy of </em><a style="line-height: 1.538em;" href="http://shutterstock.com" target="_blank"><em>Shutterstock</em></a></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/27/whos-to-blame-for-the-huge-cyberattack-slowing-the-web-your-isp</link>
                <guid>http://readwrite.com/2013/03/27/whos-to-blame-for-the-huge-cyberattack-slowing-the-web-your-isp</guid>
                <category>Security</category>
                <pubDate>Wed, 27 Mar 2013 15:50:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[Apple Finally Gets Serious About User Security, Adds Two-Step Verification]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/security%20gates%20Flickr%20user%20thisisaniceimage%20501928491_17bd54a3b9_b.jpg" />
                                        <p>Apple is beefing up security for its iTunes, App Store and iBookstore customers. Starting today, Apple is offering&nbsp;<a href="http://support.apple.com/kb/HT5570" target="_blank">two-step verification for Apple ID</a>, the authentication mechanism it uses for customers using iPhone, iPad and Mac computers.</p>
<p>The move is long overdue for Apple. Two-step verification is a security feature that requires users to verify their identity in more than one way. Previously, if you bought an app in the App Store, Apple would only ask you for your password. That's a one-step verification. Two-step verification adds another hurdle -- asking users to swipe a card, for instance, or to enter a PIN texted to their phone. The idea is that each additional factor used to authenticate a customer makes it that much harder for spammers and crooks to log in as someone they're not.</p>
<p>Apple is enabling two-step verification as an "optional security feature" for Apple ID. To set it up,&nbsp;you must register one or more trusted devices -- say, your smartphone (though technically any device you control that can receive 4-digit verification codes via SMS text or the “Find My iPhone” feature of iOS will do). Apple will also send you a 14-character “Recovery Code” you can print out and save as a way of getting back into your account should you lose your smartphone or forget your password.</p>
<h2>The Importance Of Two-Step Authentication</h2>
<p>Many companies use multi-factor authentication. Google has offered two-step authentication to all users for <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html" target="_blank">more than two years</a>. Facebook also offers it.&nbsp;</p>
<p>The biggest recent cautionary tale about Apple security and two-step authentication is that of technology reporter Mat Honan. Honan, now a senior writer at Wired, <a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/" target="_blank">had many of his important accounts hacked, including his Twitter, Google and Apple ID.</a> The hackers, who Honan said were after his three-letter <a href="https://twitter.com/mat" target="_blank">@mat</a> Twitter account, were able to remotely erase his iPhone, iPad and MacBook after gaining access to his Apple account.&nbsp;</p>
<p>Apple, which lacked two-factor authentication at the time, more or less allowed the hackers into Honan’s accounts after they had tracked some personal information about him through his Amazon account. If Apple ID had two-factor authentication at the time, the malicious attack might well have stopped dead when trying to dive into Honan’s Apple accounts.</p>
<h2>How To Set Up Two-Factor Authentication</h2>
<p>Go to Apple’s support page <a href="http://support.apple.com/kb/HT5570" target="_blank">here</a> and follow the directions. It's fairly simple. First, you want to sign in to your account with “Manage your Apple ID.” Then click on “Password and Security.” Click on “Two-Step Verification” and follow the onscreen instructions.</p>
<p>Many smartphone users are clueless on how much access their unique IDs allow them. Many people, such as Honan, have most of their gadget and social accounts tied through Apple ID or like services. To stay safe, best to make sure that:</p>
<ul>
<li>your passwords are unique;</li>
<li>your accounts aren't tied together through a single service (so that if it gets hacked, they all do);</li>
<li>you use two-step authentication whenever possible.</li>
</ul>
<p><em>Lead image via Flickr user <a href="http://www.flickr.com/photos/misterben/501928491/" target="_blank">thisisanicephoto</a></em>, CC 2.0</p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/21/apple-institutes-two-step-verification</link>
                <guid>http://readwrite.com/2013/03/21/apple-institutes-two-step-verification</guid>
                <category>Apple</category>
                <pubDate>Thu, 21 Mar 2013 15:30:00 -0700</pubDate>
                <author>Dan Rowinski</author>
            </item>
                    <item>
                <title><![CDATA[Hacker Crackdown: Blame AT&T's Crappy Security, Not Weev]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/at%26t%20store%20flickr%20shane_curcuru%202659487968_5c9a3f1c97_b.jpg" />
                                        <p>Another hacker bites the dust. This morning, Andrew Auernheimer — aka "Weev" — got handed a&nbsp;<a href="http://www.bloomberg.com/news/2013-03-18/at-t-hacker-auernheimer-is-sentenced-to-months-in-prison.html" target="_blank">sentence of 41 months in prison</a>, 3 years of supervised release and a $36,500 fine. All for basically exposing a major security hole at AT&amp;T and publicly shaming the company that hadn't ever bothered to fix it.</p>
<p>Back in 2010, Auernheimer and his partner Daniel Spitler, part of a team calling itself&nbsp;<a href="http://security.goatse.fr/" target="_blank">Goatse Security</a>, <a href="http://readwrite.com/2011/01/17/us_announces_120000_ipad_users_had_data_stolen_att_hack" target="_blank">hacked into a public server owned by AT&amp;T</a>. That server housed hundreds of thousands of email addresses of customers who owned 3G iPads. Through trial and error and some ingenuity, group members discovered they could randomly guess iPad identification numbers and then use them to extract matching email addresses from that server.</p>
<h2>AT&amp;T's Security Loophole, Exposed</h2>
<p>This security loophole on AT&amp;T's site returned email addresses associated with <a href="http://arstechnica.com/security/2010/06/atts-ipad-security-breach-could-be-worse-than-initially-thought/" target="_blank">ICC IDs</a>, the unique serial numbers used to track and link SIM cards on mobile devices with specific subscribers. A PHP script that automated the process ended up harvesting a whopping 114,000 email addresses. Auernheimer then sent news of the group's work as an <a href="http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed" target="_blank">exclusive to Gawker.</a></p>
<p><strong>(See also: <a href="http://readwrite.com/2011/01/17/us_announces_120000_ipad_users_had_data_stolen_att_hack" target="_blank">U.S. Announces 120,000 iPad Users Had Their Data Stolen</a>)</strong></p>
<p><span class="embedded-Media-image img-caption-r">
				<img src="http://readwrite.com/files/andrew%20auernheimer%20weev%20wikimedia%20commons%20320px%201280px-Weevilicious.jpg" style="" />
			</span>
</p>
<p>A day later in a blog post on the Goatse Security site, <a href="http://security.goatse.fr/on-disclosure-ethics" target="_blank">Auernheimer and company wrote</a>:</p>
<blockquote>
<p>I want to summarize this explicitly:</p>
<ul>
<li>All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration.</li>
<li>The dataset was not disclosed until we verified the problem was fixed by the vendor.</li>
<li>The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.</li>
</ul>
<p>[...]</p>
<p>We did this to help you.</p>
</blockquote>
<p>By its own account,&nbsp;<a href="http://bits.blogs.nytimes.com/2010/06/13/att-explains-ipad-security-breach/" target="_blank">AT&amp;T responded with "swift action"&nbsp;</a>to prevent additional intrusions:&nbsp;</p>
<blockquote>
<p>Within hours, AT&amp;T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.</p>
</blockquote>
<p>Problem solved, right? Wrong. A week later Auernheimer was arrested after the FBI raided his house. He was then charged with major computer crimes under the Computer Fraud and Abuse Act (CFAA), the same legal club prosecutors have used to go after <a href="http://readwrite.com/2013/01/16/aarons-law-promises-to-reduce-hacker-penalties" target="_blank">Aaron Swartz</a>&nbsp;and, last week, <a href="http://readwrite.com/2013/03/14/reuters-social-editor-indicted-anonymous-internet-jaw-drops" target="_blank">Reuters social editor Matthew Keys</a>.</p>
<p><strong>(See also: <a href="http://readwrite.com/2013/03/14/reuters-social-editor-indicted-anonymous-internet-jaw-drops" target="_blank">Reuters Social Editor Indicted Over Anonymous Hack; Internet's Jaw Drops</a>)</strong></p>
<p>During the trial, AT&amp;T admitted the server was publicly accessible, yet claimed Auernheimer's access was unauthorized. Under the CFAA, unauthorized access is a crime. But the statute's ambiguity on that score has opened the door for egregious prosecutorial overreach in this and other cases.</p>
<p>On Nov. 20, 2012, a jury <a href="http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/" target="_blank">found Auernheimer guilty</a> of one count each of identity theft and conspiracy to violate the CFAA. Today, Auernheimer was sentenced.</p>
<h2>Fair Or Fanning The Flames?</h2>
<p>Supporters of Auernheimer say what he did was not a crime. Maybe it wasn't smart to expose a major vulnerability at AT&amp;T and then rub the company's nose in it, but stupidity shouldn't be a federal offense. Friends and colleagues point out that <a href="http://tehdely.livejournal.com/187175.html" target="_blank">the point of hacking is to gain something from it</a>&nbsp;— and in this case, there was no money involved and nothing else to gain&nbsp;besides a measure of celebrity.</p>
<p>Australian journalist and hacktivist <a style="line-height: 1.538em;" href="https://asherwolf.net/the-tragedy-of-jailing-weev-the-internet-prophet-of-discord/262/" target="_blank">Asher Wolf wrote a poignant piece today</a>&nbsp;arguing that it's insane to publicly tar and feather someone who spurred a company to fix a problem, even if he didn't choose the most orthodox means of doing it:</p>
<blockquote>
<p>Putting Weev behind bars is pointless and tragic. Jailing the most outspoken men and women amongst our generation won’t stop the leaks, the hacks, the news revelations, the whistleblowers — and most of all it won’t stop the rage of the malcontent, dispossessed youth from eventually tumbling down upon the heads of the bureaucrats who sold us out and then tried to lock us up when we complained.</p>
</blockquote>
<h2>Bees To Honey</h2>
<p>AT&amp;T's vulnerability was basically low hanging fruit — just too easy a target for hackers to ignore. But the question of whether AT&amp;T was asking for it is more complicated.</p>
<p>Sure, poor security <em>is</em> asking for trouble. But playing with fire will get you burned no matter how righteous and ethical you claim to be. "Our conduct doesn't happen in a vacuum," hacker Adrian Lamo — the guy who allegedly dropped a dime on Bradley Manning — <a href="https://twitter.com/6/status/313695570772516865" target="_blank">wrote on Twitter today</a>. "I don't think 3+ years is warranted for Weev, but in totality of circumstances, it's understandable."</p>
<blockquote class="twitter-tweet">
<p>I respect weev's reasons and even his means for their ethical consistency. But he got exactly what he planned to. He owns his outcome.</p>
— Adrian Lamo (@6) <a href="https://twitter.com/6/status/313697408850735105">March 18, 2013</a></blockquote>
<p>Still, this is significant time for essentially not hurting anyone, as the British journalist Laurie Penny pointed out. By comparison, the <a href="http://www.slate.com/blogs/xx_factor/2013/03/18/the_steubenville_rapists_are_anti_social_criminals_not_promising_young_men.html" target="_blank">Steubenville rapists</a> were sentenced to just one year in juvenile jail.</p>
<blockquote class="twitter-tweet">
<p>Note that @<a href="https://twitter.com/rabite">rabite</a> just got sent down for 3.5 years for computer violations. That's 1.5 years longer than the <a href="https://twitter.com/search/%23steubenville">#steubenville</a> rapists <a href="https://twitter.com/search/%23freeweev">#freeweev</a></p>
— Laurie Penny (@PennyRed) <a href="https://twitter.com/PennyRed/status/313680590597652480">March 18, 2013</a></blockquote>
<p>This isn't over. <a href="https://twitter.com/ChrisBarrett/status/313697027961810944" target="_blank">Auernheimer is appealing his conviction</a>. And either another example will be made to hackers everywhere, or the sentence will be reduced.</p>
<p>At the end of the day, Weev and co. <em>were</em> nicer to AT&amp;T than, say, hacker HD Moore — who published unpatched iPhone flaws and exposed another big bug in <a href="http://www.eweek.com/c/a/Security/Month-of-Kernel-Bugs-Launches-with-Apple-WiFi-Exploit/" target="_blank">Apple's WiFi</a> — <a href="http://www.computerworld.com/s/article/9042898/HD_Moore_takes_iPhone_exploits_public" target="_blank">was to Apple</a>. But that doesn't seem to matter much in the boardrooms and courtrooms of America. In their view, all hackers are criminals.</p>
<p>Even many mainstream journalists think all hacking is a crime. <a href="http://www.cbsnews.com/video/watch/?id=50142835n" target="_blank">Last night on 60 Minutes</a>, for instance, Lara Logan basically accused Jack Dorsey's early work of bordering on just that. And even with the best of intentions, hackers' attempts to route around the system will likely never gain the benefit of the doubt with the public.</p>
<p>Instead, they'll just keep earning jail sentences, at least unless and until the courts — or Congress, though don't hold your breath — push back against prosecutorial overreach. And that, at least, will give them plenty of time to repent at leisure.</p>
<p><em style="line-height: 1.538em;">Lead image via <a href="http://www.flickr.com/photos/shanecurcuru/2659487968/" target="_blank">Flickr user shane_curcuru</a>, CC 2.0; image of Andrew Auernheimer via <a href="http://commons.wikimedia.org/wiki/File:Weevilicious.jpg" target="_blank">Wikimedia Commons</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/18/hacker-crackdown-blame-att-crappy-security-not-weev</link>
                <guid>http://readwrite.com/2013/03/18/hacker-crackdown-blame-att-crappy-security-not-weev</guid>
                <category>Hacking</category>
                <pubDate>Mon, 18 Mar 2013 14:15:00 -0700</pubDate>
                <author>Adam Popescu</author>
            </item>
                    <item>
                <title><![CDATA[From Russia With Bots: Finding The Source Of Cyber Attacks]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/dthoneymap.png" />
                                        <p>While media and government sources continue to allude to China as the biggest source of cyber attacks hitting innocent servers on the Internet, recent evidence instead suggests it's actually the Russian Federation that's king of the cyber attack mountain.</p>
<p>The evidence comes from German telecommunications giant <a href="http://www.telekom.com/home" target="_blank">Deutsche Telekom</a> (DT), which has set up a new portal to monitor real-time cyber attacks against its network. According to the data on the <a title="http://www.sicherheitstacho.eu/" href="http://www.sicherheitstacho.eu/">sicherheitstacho.eu</a> (loosely translated as "security tachometer") site, Russia was responsible for 2.4 million attacks against DT last month.</p>
<p>The People's Republic of China, the current bugaboo of security mavens, ranked 12th on the same list, its 168,000 attacks coming in far behind nations like Germany, Ukraine and the United States. Curiously, it was Taiwan that held the number two slot, with 907,000 tracked cyber attacks, seemingly dispelling the notion that it's the Commies out to get Western corporate interests.</p>
<h2>Security Whack-a-Mole</h2>
<p>The monitored attacks are not actually hurting DT - at least, not directly. The incoming volleys are instead hitting a network of 97 sensored machines deliberately designed to be tempting targets on the Internet, a concept known as honeypots. According to DT, these honeypots are built to "feign weaknesses to provoke attacks and as such act as early warning systems."</p>
<p>"Our honeypot systems show that once attackers have identified weaknesses, they exploit them immediately," said Thomas Kremer, Board Member responsible for Data Privacy, Legal Affairs and Compliance, in a statement to the press.</p>
<p>"If, for example, a provider announces an update for its operating system, attackers launch themselves at the old system to find the gap that the update is intended to close," Kremer said. "For this reason, customers should install updates immediately - this successfully prevents 90 percent of attacks. Apart from up-to-date virus protection, that is the most important security precaution for all IT users."</p>
<p>The honeypots are programmed to mimic a wide variety of Internet-facing systems, such as servers, desktops and even vulnerable smartphones.</p>
<h2>Hardening Against 24/7 Attacks</h2>
<p>The security tachometer site itself is definitely an eye-opener, even in DT's soothing trademark pink tones (DT is the parent company of U.S. carrier T-Mobile). According to the information provided by DT, most of the attacks are in the form of automated bots, which probe a potentially weak system for holes. If a human hacker wants to come back later and investigate further, they may, or the bot may simply call in other bots to further infiltrate the system.</p>
<p>Security experts won't find this map much of a surprise, since it's long been known that Russia remains a big source of cyber trouble - far more, in sheer numbers, than China.&nbsp;Of course, this map could be interpreted as contrarian evidence, too: perhaps the bot handlers in the other countries recognize the DT honeypots for what they are and have moved on to real targets. Or perhaps the targets presented simply aren't interesting.</p>
<p>Whatever the explanation, Deutsche Telekom's security tachometer makes it clear that the Internet is far from safe, and vulnerabilities on any platform - from any source - can be discovered at any moment.</p>
<p><em>Image courtesy of Deutsche Telekom.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/18/from-russia-with-bots-finding-the-source-of-cyber-attacks</link>
                <guid>http://readwrite.com/2013/03/18/from-russia-with-bots-finding-the-source-of-cyber-attacks</guid>
                <category>cybersecurity</category>
                <pubDate>Mon, 18 Mar 2013 06:15:00 -0700</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[Whose Fault Is It When Your PC Gets Hacked? Probably Not Microsoft's]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/Ballmersquintcrop.jpg" />
                                        <p>Since 2002, when Microsoft launched its <a href="http://www.wired.com/techbiz/media/news/2002/01/49826" target="_self">Trustworthy Computing initiative,</a> security in the company's products has improved each year. But while the company has increasingly battened down Windows, Office and its other programs, the number of vulnerabilities in harder-to-patch third-party applications has grown dramatically, making overall security on the PC worse than ever.</p>
<h2>More Risk In Third-Party Apps</h2>
<p>Rather than go through the expense of battling Microsoft directly, many hackers now focus on low-hanging fruit, such as the Java and <a href="http://readwrite.com/2012/10/16/readwriteweb-deathwatch-flash#feed=/search?keyword=flash" target="_self">Adobe Flash</a> browser plug-ins, which are often left un-patched even by users who conscientiously update Windows and Office. This trend was highlighted in a <a href="http://secunia.com/vulnerability-review/" target="_self">new study by Secunia</a>.</p>
<p>The security vendor found Microsoft's highly effective automatic security updates now address only 8.5% of the vulnerabilities in a PC. The rest have to be patched through updates from various software developers, each with their own unique process. The complexity leads users who are not security savvy to forgo updates, vastly increasing their risk of infection.</p>
<p>"There is, to date, no one fix-it-all solution," warned Morten Stengaard, director of product management and quality assurance at Secunia, in the <a href="http://secunia.com/blog/358/" target="_self">company's blog. </a></p>
<p>Theoretically, Microsoft could overhaul Windows to place each third-party application in its own container, making it more difficult for hackers to load malware in the operating system. However, such a massive change would require Windows software vendors to rebuild their own products, which would have a ripple effect on every corporate and consumer customer.</p>
<p>"Microsoft, to some extent, is hamstrung by legacy code and what they've done in the past," Jack Gold, analyst for <a href="http://jgoldassociates.com/index.html" target="_self">J. Gold Associates</a>, said. "They can't just rip everything up and start all over again very easily."</p>
<h2>Fewer Flaws In Microsoft Apps</h2>
<p>Ironically, the third-party threat is blossoming even as Microsoft continues to get its own house in order. In 2012, out of all the known vulnerabilities in the top-50 PC programs, Microsoft products accounted for only 14% of them, the study found. The rest were in other software. And the share of vulnerabilities on a Windows PC coming from third-party applications has been growing. In 2007, they accounted for 57% of the security flaws, compared to 86% last year, Secunia says.</p>
<p>"It's well known that they [Microsoft] have put great efforts into improving security of the operating system and the applications that they provide," Stengaard said in an interview. "What we're seeing is the long-term involvement and dedication is now paying off."</p>
<p>Windows, Office, Silverlight and other Microsoft products are not ironclad, of course. Given enough time, knowledgeable hackers can find their way in through these channels. But in the world of cybercrime, most hackers are not interested in a challenge. Instead, they look for the easiest way to break into as many PCs as possible, to enslave the machines into the many armies of remotely controlled botnets, or to steal credit-card numbers, social-security numbers and corporate intellectual property that will fetch a good price on the underground.</p>
<p>Including both Microsoft and third-party applications, the number of PC vulnerabilities has dropped by 5% since 2011, and by 10% among the top 50 applications. Since&nbsp;2007, though, overall vulnerabilities are up 15%, Secunia found, and that jumps to a whopping 98% increase among the top 50 applications.</p>
<h2>Where The Danger Lies</h2>
<p>Applications most likely to provide an easy path into Windows machines include Java, Flash, Adobe Reader and Apple iTunes, according to Secunia. If these applications are not kept up to date, hackers can exploit known vulnerabilities that enable them to load their malware via the PC's system memory.</p>
<p>In addition, all these applications have very large user bases, which makes it easier for hackers to find targets.</p>
<p>The reasons PCs have so much outdated software vary. Sometimes it's because the update process is too cumbersome, so users don't bother. Other times, the vendor is slow in fixing flaws that hackers are already targeting. <a style="font-size: 13px; font-weight: normal; line-height: 1.538em;" href="http://readwrite.com/2012/09/05/java-is-no-longer-needed-pull-the-plug-in#feed=/search?keyword=java" target="_self">Updating Java,</a> an open platform for running software on any operating system, has been a pain for a long time. However, Java steward Oracle is working to improve the process and is getting updates out quicker, most experts agree.</p>
<p>In 2012, Adobe had the worst record for updating applications, according to Secunia. The software maker released patches at a rate 80% slower than in 2011, based on the time it took the vendor to release updates for vulnerabilities reported by Secunia.</p>
<p>Overall, though, patch speed for third-party apps is increasing, Secunia said:</p>
<blockquote>In fact, in 2012, 84% of vulnerabilities had patches available on the day of disclosure. In 2011, the number was only 72%. The most likely explanation for this improvement in ‘time-to-patch’ is that more researchers coordinate their vulnerability reports with vendors.</blockquote>
<h2>Patching Is Critical</h2>
<p>The vendor based its study on 6 million PCs, mostly in the U.S. and Europe, running its freeware called <a href="http://secunia.com/vulnerability_scanning/personal/" target="_blank">Personal Software Inspector</a>, which checks for application vulnerabilities. Microsoft products accounted for 35% of the programs on the PCs.</p>
<p>If you take Secunia's study seriously, then the takeaway is clear. Even if patching all your software is getting more complicated, making sure everything is always up to date is more important than ever.</p>
<p><em>Image by <a href="http://readwrite.com/author/fredric-paul" target="_blank">Fredric Paul</a>.</em><br /><br /></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/18/whose-fault-is-it-when-your-pc-gets-hacked-probably-not-microsofts</link>
                <guid>http://readwrite.com/2013/03/18/whose-fault-is-it-when-your-pc-gets-hacked-probably-not-microsofts</guid>
                <category>Microsoft</category>
                <pubDate>Mon, 18 Mar 2013 03:33:00 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
            </channel>
</rss>

