
Telephone:

440-254-1116

Email:

support@blackhawkcs.com

Mailing Address:

P. O. Box 640
Painesville, Ohio 44077


The Blackhawk Blog

November 15, 2011: The mysterious Duqu trojan horse has been in the news a lot lately. This is not malicious software that the individual user needs to worry about with respect to their own computer. But everyone needs to worry about who developed Duqu and for what purpose. Some security professionals believe there is a relationship between Duqu and the earlier Stuxnet trojan horse, which was able to infect Siemens industrial control equipment used by Iran in its nuclear development process. Stuxnet was able to send false information to the human controllers, which allowed equipment and processes to be damaged and is believed to have set back Iranian nuclear development by months if not years. It is still unknown who is behind Stuxnet, though it is believed to be Israel and/or the United States. The real similarity between Stuxnet and Duqu is their sophistication. Based on the analysis to date, it appears that Duqu may have been under development for several years. It is targeted at vulnerabilities in the Windows kernel and thus works independently of a user profile and its associated permissions. The kernel exploit is introduced via an infected Microsoft Office Word document, but it is believed that other attack vectors are used depending on the nature of the organization. Once Duqu is on a networked computer, it uses the network to migrate to other workstations. The purpose at this point appears to be to gather information, apparently about industrial control systems, but that may not be its only purpose. So far, infected organizations have been identified in eight countries, including the United States, and it is believed that several more countries are involved but have not been identified. Clearly Iran has been attacked again, and it has stated that steps are being taken to remove Duqu from infected computers. But who is behind this?
I am beginning to think that it is the United States and/or Israel again, with the target being Iran, and that the non-Iranian organizations involved may be included just to cloud and confuse the entire attack. If someone or some country other than the United States and/or Israel is the originator of Duqu, that is very scary. It means that someone is gathering information about industrial control systems used in utilities, oil field operations and critical infrastructure facilities.
-- Eric Rasmussen

November 10, 2011: The FBI announced the indictment of six Estonian nationals for installing malware on 500,000 computers in the United States and illegally profiting from it. The six Estonians have been arrested in their country, and the United States will be seeking their extradition. According to the FBI, the cybercrime gang infected over 4 million computers in more than 100 countries. In the United States, the infected computers belong to individuals, businesses and government agencies. The malware worked by redirecting the user's browser selections to other internet addresses, so that the user ended up on an unintended website. The advertising generated by this redirection brought in at least $14 million in revenue for the cybercrime gang, according to the FBI. Estonia may be in Eastern Europe, but it is a member of the European Union, the Eurozone and NATO. From an international law enforcement perspective, this is obviously very different from places like Russia and Ukraine. It was only a matter of time before the United States and the European Union caught these cybercriminals. These guys should have been operating across the border in Russia, though that may have been at odds with Russian cybercrime organizations. In any case, at least there was a victory for today.
-- Eric Rasmussen

November 9, 2011: At the Hacker Halted conference in Miami last month, researchers demonstrated how vulnerable American prisons are to hacking exploits. Apparently, it is possible for hackers to overload the circuitry controlling prison doors and leave them permanently unlocked and open. In theory, industrial control systems should not be remotely accessible from the internet but should instead be closed systems. However, researchers have discovered that industrial control system networks are often connected to other networks or devices that are themselves connected to the internet, allowing hacker access. Even where there is no internet access, local access to a workstation via a USB flash drive can initiate the same type of attack. This is how the Stuxnet virus was uploaded onto the Iranian systems used in their nuclear facilities. Hopefully, even if the prison cell doors are open, there is no way to open the front gates of a prison with a hacker exploit.

How worried should you be about identity theft? Very worried. Everyone needs to read the Krebs on Security article "How Much is Your Identity Worth?" posted on November 8. You will find a link on our Tech News page. This is a frightening article. Krebs relates his research into an identity data resale website, apparently hosted in Vietnam, that has a database of over 330,000 American identity records, to which 300-400 new records are added daily. These records include names, addresses, Social Security numbers, driver's license numbers, bank account numbers, bank routing numbers, employer's name, number of years employed and other information. What is really frightening is that Krebs thinks the sources of the information may include credit reporting bureaus, state motor vehicle departments and real estate firms. I would not ignore this conclusion, because Brian Krebs is one of the top internet security researchers in the country. The problem is, if he is correct, there is not really anything an individual can do about it. This is not information being accessed from a home computer; it is held in third-party databases. All you can do as an individual is be aware of the risk and closely monitor bank and credit card activity.
-- Eric Rasmussen