Wednesday, July 27, 2011

Australian Feds Unmask Evil

Australian Federal Police (AFP) have taken down notorious Aussie hacker 'Evil' after a 7 month operation (codenamed 'Operation Damara') during which they monitored his activity and traced him to the country town of Cowra, New South Wales, 330km from Sydney. The 25 year-old hacker, whose real name is David Cecil, turned out to be self-taught in the art of hacking, with no formal knowledge of IT, and was in fact an unemployed truck driver and father of two. He operated from a network of multiple computers set up in his home, cloaking his online identity by using IPv6 traffic obfuscation techniques.

His Motive
Cecil is said to have been motivated by ego, wanting to prove his network security skills after complaining that he could not get work in the IT sector; a quick scan of LinkedIn reveals that he lists his current position as "Computer & Network Security Professional". Sydney web developer Glenn Evans originally tracked Evil back in January to a chat room on EFnet, a major worldwide IRC network and notorious meeting place for hackers. At the time, chat room operators on EFnet threatened Mr Evans with a cyber-attack for trying to contact Evil.

Tracking Him Down
Detective Superintendent Brad Marden provided some insight as to how the AFP identified Cecil. First they tracked his IP from IRC chat room logs. The IP was then found to be obfuscated by IPv6 tunneling via other compromised servers. They also used snippets of information that the hacker had unintentionally made public via forum posts. After identifying Cecil, the AFP then was able to monitor his internet connection and phone in order to gather live evidence of his hacking. According to Marden, Cecil showed considerable determination and self-taught knowledge in order to penetrate the Platform Networks server, which was likely achieved via brute force password cracking.

NBN Threat
Cecil is alleged to have hacked into a DNS server of Platform Networks, a wholesale supplier for Australia's new fibre-based National Broadband Network, and to have been busy casing their network, spending up to 20 hours per day hacking. The AFP alleged in court that his recent hacking could have potentially caused considerable damage to Australia’s national infrastructure, due to the upcoming roll out of the nascent National Broadband Network, which is worth US$40 billion.

Platform Networks Managing Director David Hooton has revealed some details of the attack, saying that late last year the company became aware of anomalous traffic on some equipment hosted on its network; it started as an infrequent occurrence and was caught as part of standard daily log checks. “After a period of time we’d gathered enough intel to inform the AFP,” Hooton said. “It became very time consuming towards the end of the investigation, we got to spend some quality time with the AFP. We do see significant amounts of this sort of traffic floating around from time to time, just not on this scale.” He countered the view originally taken by the AFP, admitting: "The hack didn't affect the NBN and the impact wasn't major."

Malicious Hacking
Cecil is alleged to have previously defaced the University of Sydney website and also to have carried out the extremely destructive hack of website host Distribute.IT on 11-Jun-2011, which resulted in the permanent loss of 4080 websites and the forced closure of the attacked company. Distribute.IT, which was set up as a wholesale domain name supplier back in 2002, was not able to continue operating due to the permanent deletion of data on key servers, and was forced to sell its entire customer base to a large Australian domain registrar, NetRegistry. The attack affected more than 200,000 domains, both Australian and international. It severely affected the websites and email of more than 10,000 businesses. The attack did serve to demonstrate the importance of having offline and offsite backups, something which Distribute.IT didn't have, causing them to attract criticism from both their own customers and other IT industry professionals. NetRegistry has publicly called on David Cecil to apologise via its blog: “We call on “Evil” to apologise to all the businesses he ruined as a result of the targeted hacking attack.”

The AFP has charged David Cecil with the following offences:
  • One count of unauthorised modification of data to cause impairment, contrary to Section 477.2 of the Criminal Code Act 1995 (Cth). This offence carries a maximum penalty of 10 years in jail.
  • 48 counts of unauthorised access to, or modification of restricted data, contrary to Section 478.1 of the Criminal Code Act 1995 (Cth). This offence carries a maximum penalty of two years in jail. 

He has appeared in a local court briefly and has been refused bail, the court registrar having accepted the AFP's argument that, if freed, Cecil could potentially destroy evidence.

Local IT forum sites are split over the magnitude of sentence he deserves, from some posters asking for 50 years to others who believe the charges are a beat up by the police to justify additional spending on cyber-security.

Dr Asha Rao, RMIT University lecturer in information security, said people with no technical experience needed only a computer and devotion to wreak havoc. “All the tools are available online, it’s just a Google search away,” Dr Rao said. “It’s not hard, it just takes a lot of time. You need to basically not have a life.” Companies deploy layer upon layer of security with the hope of catching hackers before they get well inside the systems, she said. But there is only one way to completely protect personal or company computing systems; by disconnecting them from the Internet and switching them off. “You can never make your computer 100 per cent secure, that’s not possible,” Dr Rao said.

An AFP policewoman secures evidence at David Cecil's property
Further Arrests Likely
Australian Federal Police have said further arrests will likely result from Operation Damara, and could escalate to involve several international companies, outside of Australia. Trivia Note: The Damara is a hardy breed of sheep, popular in Australia due to their ability to withstand drought.

Update: Bail Hearing 29-Jul-2011
On Friday morning Cecil made a second appearance in Orange Local Court on 49 hacking charges. He did not apply for bail, after the prosecution alleged that he could potentially wipe evidence if given access to the Internet. During the bail hearing Cecil's partner was seen to be visibly upset. The case is now scheduled for Cowra Local Court next Wednesday, 3-Aug-2011.

Update: Bail Hearing 3-Aug-2011
Appearing in Cowra Local Court on Wednesday morning, once again David Cecil was refused bail. Cowra Local Court Magistrate Peter Dare said Cecil had “certainly demonstrated an ability to do things with computers”. The AFP are continuing investigations into Cecil's alleged access of up to 100 other computer servers, the court heard. It was revealed that a warrant exists in Queensland for his arrest on unrelated matters in relation to a breach of a probation order for stealing a motor vehicle. The court was also told Mr Cecil had a criminal record in Queensland dating back to 2004. Despite the fact that Cecil only moved to Cowra on June 1 this year, duty solicitor Stuart Ogilvy argued that his client was not a flight risk and was willing to enter into stringent bail conditions. Ogilvy also suggested that “He has been in Cowra for a couple of months and has strong ties to the community.” The magistrate adjourned the matters to Orange Local Court on September 20, and made a recommendation that Cecil appear on this occasion via audio visual link.

David Cecil, on the way to an appearance in Cowra local court, August  3, 2011.

Sunday, July 24, 2011

Confessions of a Cyber-stalker: CA Criminal gets 4 years

A recent cyber-stalking case in a Californian court has highlighted the weakness of password reset 'security questions', which can be easily guessed by an attacker when some basic details of the victim are already known, or are already public on social media sites like Facebook.

George Bronk, of Sacramento, California, was sentenced to more than four years in prison after being convicted of computer intrusion and the cyber-stalking of 46 women across 17 states. He carried out the cyber-stalking for a total of 10 months, from December 2009 through to September 2010, when he was eventually caught. The case illustrates the vulnerability of all Internet users, said prosecuting attorney Robert Morgester of the state attorney general's office. "The victims we went to said, 'I had very robust passwords.' But it didn't matter how robust the password was if the recovery question is easy," he said.

The method he used has revealed a major weakness in many password reset systems where a supposed secret question is posed to the account holder in order to recover a lost password. Such questions often include such basic choices as 'What is your favorite color?', 'Name of your high school?', 'Name of your first pet?', 'Town where you were born?'. Often, the answers to these questions can be quite easily gleaned from Facebook or other social network pages, which is exactly what Bronk did in this case.

His first step was to identify the email address of a potential victim on Facebook, and then try to determine the answer to their secret password reset question. After he changed their password and took over their email account, Bronk then searched email folders for nude or semi-nude photographs or videos they had sent to their husbands or boyfriends and then distributed them to the victims' contact list, prosecutors said.

The hacking method is similar to that of the famous Sarah Palin email hack, in which the hacker managed to reset her password simply by Googling for the answer to her secret question, which was “Where did you meet your spouse?”.

Academic research back in 2009 ran a user study to measure the reliability and security of the questions used by the four big webmail providers (AOL, Yahoo!, Microsoft and Google). They asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances were able to guess 17% of their answers on the first attempt. The researcher's conclusion was that the security of personal questions appears significantly weaker than passwords.

Another study showed that password recovery security questions are usually answered honestly. This study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.

The practical conclusion is that password recovery questions should not be answered honestly. Experienced users fill them in with random, password-like strings, which makes the answers effectively impossible to guess from public information or by an acquaintance. The answers are then stored as notes in a password manager, alongside the login for that account.
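An added example, not code from the original post, showing the practice described above in Python: each recovery question gets a random answer drawn from the `secrets` module (the OS CSPRNG, not `random`), and two small helpers show why that beats an honest answer by simulating an acquaintance working through a short guess list. The question list, the colour guess list and the "password manager note" (just a dictionary to paste into the manager's notes field) are constructed here for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Constructed: the kinds of recovery questions the post lists.
QUESTIONS = [
    "What is your favorite color?",
    "Name of your high school?",
    "Name of your first pet?",
    "Town where you were born?",
]

# Constructed: the guesses an acquaintance would try first for
# "favorite color". An honest answer is almost always in this list.
COMMON_COLORS = ["blue", "red", "green", "purple", "black", "pink",
                 "yellow", "orange", "white", "brown", "grey"]

# Symbols used for random answers. Limited to characters that survive most
# web forms; 67 symbols gives about 6.07 bits per character.
ALPHABET = string.ascii_letters + string.digits + "-_.,!"


def random_answer(length: int = 20) -> str:
    """Return a random answer built with the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def honest_answer_bits(plausible_answers: int) -> float:
    """Entropy of an honest answer, modelled as a uniform pick from a short list."""
    return math.log2(plausible_answers)


def attempts_to_guess(answer: str, guesses: list) -> Optional[int]:
    """Simulate an acquaintance trying a guess list in order.

    Returns the number of attempts needed, or None if the answer is not in
    the list at all (which is the whole point of a random answer).
    """
    for attempt, guess in enumerate(guesses, start=1):
        if guess.casefold() == answer.casefold():
            return attempt
    return None


def make_recovery_note(questions: list, length: int = 20) -> dict:
    """Generate a fresh random answer per question, ready to store as a
    password manager note next to the account's login."""
    return {question: random_answer(length) for question in questions}


if __name__ == "__main__":
    note = make_recovery_note(QUESTIONS)
    for question, answer in note.items():
        print(f"{question}  ->  {answer}")
    # Honest answer: guessed on the first attempt from a list of eleven.
    print("honest 'Blue' guessed on attempt:",
          attempts_to_guess("Blue", COMMON_COLORS))
    print(f"honest answer entropy: {honest_answer_bits(len(COMMON_COLORS)):.1f} bits")
    # Random answer: absent from any guess list and far beyond brute force.
    print("random answer guessed on attempt:",
          attempts_to_guess(note[QUESTIONS[0]], COMMON_COLORS))
    print(f"random answer entropy: {entropy_bits(len(ALPHABET), 20):.1f} bits")
```

One caveat before using this on a real account: some sites cap the length of a recovery answer or reject punctuation, and a few compare answers case-insensitively or strip spaces, so check what the form accepts and shrink `ALPHABET` or `length` to match. Even a 12-character answer from this alphabet is over 70 bits, which is still far beyond anything an acquaintance or a Google search will produce.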


Friday, July 15, 2011

The Global Battle Against Cybercrime

Some Recent Developments
  • Eugene Kaspersky, founder of Kaspersky labs and cybersecurity expert has used his blog to take a swipe at the state of current multilateral efforts combatting cybercrime. In his post he mentions that the Council of Europe Convention on Cybercrime is largely a waste of time and that the UN's IMPACT Alliance, which is based in Cyberjaya, Malaysia (and of which he is a member of the advisory board) is moving too slowly to be of any use. He has put his weight behind a newly launched non-profit organisation called the International Cyber Security Protection Alliance (ICSPA), which is based in London, and hopes that it can get things moving quickly. He points out that cybercriminals in most cases are beyond the borders of the country of their victims and that the mammoth task of bringing the majority of cybercriminals to justice will require joint efforts on a global scale.
  • On a more positive note, June 2011 did bring some notable successes for international law enforcement in the battle against cybercrime, with several successful operations resulting from joint efforts. The FBI and a team of international law enforcement organizations have shaken up two scareware (fake antivirus software) operations that infected nearly 1 million users worldwide and cost victims some US$74 million in losses, charging up to $129 to each victim for the fake software. The so-called Operation Trident Tribunal, an ongoing initiative fighting international cybercrime, has netted arrests of two Latvians and the seizure of some 40 computers and bank accounts, including 22 computers in the U.S. that supported the illegal operations. Another 25 systems overseas that were used by the scammers were shut down as well.  The Department of Justice, FBI, and authorities from Germany, Latvia, Cyprus, the Ukraine, Lithuania, France, The Netherlands, Sweden, Romania, and Canada teamed up in the operation. 
  • In Russia, Pavel Vrublevsky, the owner of ChronoPay, Russia’s leading payment processing provider, was arrested on charges of organising a DDoS attack on a competing company. Also in Russia, researchers at Kaspersky Lab have discovered a new piece of malware targeting Russian users that silently runs a Bitcoin mining application on infected computers. The idea is to steal computing resources from infected machines to generate units of the valuable peer-to-peer virtual currency. The hacker behind the Trojan did not generate any riches from this attack, however, because the Bitcoin mining pool detected the suspicious mining activity coming from multiple IPs and blocked the account.
  • In Brazil, cybercriminals used Amazon’s cloud to host and distribute malware that targeted Brazilian users and was designed to steal data from customers of nine large Brazilian banks. To improve its chances of success, the malware blocked the normal operations of Antivirus software as well as browser plug-ins that are supposed to make online banking secure. The malware also stole digital certificates and credentials from Microsoft Live Messenger.
  • In a sweeping move, Google has removed all of the sites hosted on domains from its search results, explaining that because such a large percentage of the sites on that sub-domain are low-quality and malware-ridden they decided to de-index all of them. The space is not an officially authorised second-level domain like or Instead, it is run independently by a Korean company ( that just happens to own the domain name The .cc top-level domain belongs to the Cocos (Keeling) Islands, a small Australian territory in the Indian Ocean. Regular .cc websites are unaffected by Google's changes.
  • The US Department of Defense released the DoD Strategy for Operating in Cyberspace (DSOC) - the first ever DoD unified strategy for cyberspace. “By sharing timely indicators about cyber events, threat signatures of malicious code, and information about emerging actors and threats, allies and international partners can increase collective cyber defense,” the document notes. “Cyberspace is a network of networks that includes thousands of ISPs [Internet Service Providers] across the globe; no single state or organization can maintain effective cyber defenses on its own.” As General James “Hoss” Cartwright told reporters, “This strategy talks more about how we are going to defend the networks, the next iteration will have to start to talk about here’s a strategy that says to the attacker, ‘If you do this, the price to you is going to go up. It’s not just free.’ Today, we are on a path that is way too predictable. It’s purely defensive. There is no penalty for attacking right now, we’ve got to figure out a way to change that.”
  • Microsoft has released a detailed report on Rustock, the take-down effort it led in March, and the impact of its anti-botnet campaign. The number of Windows PCs infected with the Rustock malware has dropped worldwide from 1.6 million at its peak, to just over 700,000 by June. In the U.S., an estimated 86,000 Rustock-infected PCs in March had been reduced to some 53,000 by June, a drop of 38%. Other countries saw even bigger reductions: In India, the March tally of 322,000 infected machines plummeted by 69% to approximately 99,000 in June.

Saturday, July 9, 2011

Fake Anti Virus Software: A New Business Model Emerges

Researchers from the Departments of Computer Science and Economics of the University of California (Santa Barbara) have recently released the results of their yearlong investigation into three fake anti virus companies (named Fake AV1, AV2 and AV3). They were able to infiltrate and monitor the backend servers of the three companies, all of which were controlled by East European cybercriminals. Daily and yearly sales figures are summarised below.

Company  | Sales/day (USD) | Sales/year (USD) | Infections¹/day | Infections¹/year | Purchases²/day | Purchases²/year | Avg. price (USD) | Conversion³
Fake AV1 | $123,288        | $45,000,000      | 92,055          | 33,600,000       | 2,209          | 806,400         | $55.80           | 2.4%
Fake AV2 | $10,411         | $3,800,000       | 13,562          | 4,950,000        | 285            | 103,950         | $36.55           | 2.1%
Fake AV3 | $132,603        | $48,400,000      | 100,055         | 36,520,000       | 2,201          | 803,440         | $60.24           | 2.2%
Total    | $266,302        | $97,200,000      | 205,672         | 75,070,000       | 4,695          | 1,713,790       | $56.71           | 2.3%
Source: Extrapolation of data contained in the UCSB research report over both a yearly and daily basis.
¹ Infection refers to users who have installed the Fake Anti Virus software trial, but not necessarily purchased it.
² Purchase refers to users who have both installed the Fake Anti Virus software trial, and then purchased a license for it.
³ Conversion Rate refers to the number of purchases as a percentage of the number of infections.

They uncovered a sophisticated method of staying under the radar of credit card fraud detection: minimising chargebacks (disputed charges reversed through the card issuer), so that no suspicion was raised at the victim's bank or credit card company. They did this simply by maintaining a 24/7 support hotline, keeping track of customers' suspicions and, when necessary, issuing refunds directly to the customer before a dispute was lodged. Fewer than 10% of all victims asked for a refund, meaning the cybercriminals could have refunded every complainant in full and still made massive profits. In fact they only issued enough refunds to keep their chargeback ratio under the limit that triggers scrutiny by the processor (such as 3%), squeezing the maximum amount of cash from their victims.
The flow of money in the Fake Anti Virus Business Model
The researchers were able to follow the money trail from the victim, on to the payment processing company, which happened to be exclusively ChronoPay, on to rogue merchant accounts at banks in Europe and Asia. From these merchant accounts, money was transferred back to the Fake AV affiliate members exclusively via a virtual electronic currency called WebMoney. The affiliate members, who deliver the initial infections to the controlling gang, are very highly rewarded, taking anywhere from 30% to 80% commission on sales. The most successful affiliate was able to bank approx. US$30,000 per day from Fake AV1.

A typical Fake Anti Virus popup that leads to the initial infection