SpywareGuide powered by FaceTime Security Labs
The SpywareGuide Greynets Blog


October 31, 2006

  • John Battelle on Google and DHS and Google Trends Can See

Noted blogger John Battelle reports in his blog, drawing on a couple of pieces, about who Google (NASDAQ:GOOG) is working with these days.

One piece he references, from HomeLandStupidity.us:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex-CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP and head of our Malware Research Labs, currently on hiatus preparing for our talk at the RSA show and for something he wants to talk about called The Fourth Wall) and yours truly, Wayne Porter (also a Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis), were recently noted, along with the FaceTime Communications team and our Security Labs team, on Google's security thank-you page:

Google Thanks You

People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after commenting on an article at ThoughtShapers about Google's move into podcasting/AdSense and how they are tearing up top-down media, all kinds of people pinged me on whether I was one of the "trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog, notably here (The Google Rumor Mill Redux: Getting Details Straight) and in an aside here (Leaked Papers and Google Adsense).

Going back to John's observations, I have no idea whether, or in what capacity, Google is working with Homeland Security; I am just a cog. Given Google's processing and information-gathering power, though, I would be hard pressed to argue that it wouldn't make sense for DHS and/or the CIA to want to.

Remember that GUID I talked about at Revenews? (Note: a GUID, or Globally Unique Identifier, is a 128-bit value, usually generated pseudo-randomly, that software applications use to label an installation or user. Each generated GUID is "statistically guaranteed" to be unique, which is exactly what makes it a persistent tracking handle.)

A persistent identifier such as a GUID, or simply long-term use of a service (even anonymously and in aggregate), makes it easier to determine who a user is. Granted, Google may have no nefarious purpose for this, but what happens when other agencies do? You might be "anonymous" to Google, but once another agency plays connect-the-dots, obtaining access to your machine and then subpoenaing the activity recorded against that GUID, you aren't so anonymous anymore. In effect you become an online novel: I can establish your character from your queries alone. This risk exists with any tracking mechanism, but a service as ubiquitous as Google, and especially one that sees your queries, is all the more potent.

2) I do know that Homeland Security pays attention to cyberthreats, as it should. I was surprised to find some of our research in its daily briefing reports, specifically around some notable worms. These reports, the DHS Daily Open Source Infrastructure Report (Daily Report), are a Monday-through-Friday summary of open-source published information concerning significant critical infrastructure issues, divided up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An example, over the KMeth Worm (written up below under October 02), which I find interesting:

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these Daily Briefings, which are free and unclassified, appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

    Tin foil hats? I don't know. Safety, privacy and security are all different but related, and they require a delicate balance. Then think back to the NSA wiretapping scandal. Did people really notice? Did they really care?

    Take a look at Google Trends (given the question, is this a good place to validate it?). Google Trends is a fairly good indicator of search activity, an indirect reflection of what is going on online.

    Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

    Click to See Chart

    Interesting...there is some movement there.

    Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

    Click to See Chart

    Nada, zilch. Not even if you analyze U.S. queries only- despite major press coverage. Try your own strings and see what turns up.

    Of course per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."

    October 17, 2006

    • More on Mark Foley Scandal Messages and our CEO Speaks On Topic

    Mark Foley Scandal Rages On Over Instant Messages (IM)

    Excerpts and citations from Wikipedia on the Foley scandal follow. To learn more about what this means for government and business, and why IM records should be treated like any other document, watch this Fox News segment with Kailash Ambwani, CEO of FaceTime Communications, in which he covers why words like "guarantee" or "rumor", or incidents like the Mark Foley scandal, combined with not logging instant messaging, can put a big business at big risk.


    Foley's e-mails to the former Congressional page in Louisiana, who was 16 at the time, said in part:

    "I am in North Carolina...and it was 100 in New Orleans...wow that's really hot...well do you miss DC...it's raining here but 68 degrees so who can argue...did you have fun at your conference...what do you want for your birthday coming up....what stuff do you like to do,"

    and

    "I just emailed will...hes such a nice guy...acts much older than his age...and hes in really great shape...i am just finished riding my bike on a 25 mile journey..."
    and

    "how are you weathering the hurricane....are you safe…send me an email pic of you as well...."

    The instant messages from 2003 that ABC obtained after its initial story were much more explicit than the e-mails from 2005 sent to the Louisiana page, and reportedly with a former page now employed in Oklahoma. According to several former congressional pages, the congressman used the screen name Maf54 on these messages. One exchange included:

    Maf54: do you really do it face down
    Teen: ya
    Maf54: kneeling
    Teen: well i dont use my hand...i use the bed itself
    Maf54: where do you unload it
    Teen: towel
    Maf54: really
    Maf54: completely naked?
    Teen: well ya
    Maf54: very nice
    Teen: lol
    Maf54: cute butt bouncing in the air

    In another exchange, Foley proposed to meet with a former page:

    Maf54: I want to see you
    Teen: Like I said not til feb…then we will go to dinner
    Maf54: and then what happens
    Teen: we eat...we drink...who knows...hang out...late into the night
    Maf54: and
    Teen: I dunno
    Maf54: dunno what
    Teen: hmmm I have the feeling that you are fishing here...
    im not sure what I would be comfortable with...well see

    An exchange that took place in April 2003 apparently reveals Foley engaging in cybersex with an eighteen-year-old former page as the House voted on an emergency supplemental appropriations bill to fund the Iraq War; the released portion does not contain the purported cybersex exchange:

    Maf54: ok..i better go vote..did you know you would have this effect on me
    Teen: lol I guessed
    Teen: ya go vote…I don't want to keep you from doing our job
    Maf54: can I have a good kiss goodnight
    Teen: :-*
    Teen:

    In another exchange, Foley appeared to invite the same page to his apartment with a friend to consume alcoholic beverages:

    Maf54: we will be adjourned ny then
    Teen: oh good
    Maf54: by
    Maf54: then we can have a few drinks
    Maf54: lol
    Teen: yes yes ;-)
    Maf54: your not old enough to drink
    Teen: shhh…
    Maf54: ok
    Teen: that's not what my ID says
    Teen: lol
    Maf54: ok
    Teen: I probably shouldn't be telling you that huh
    Maf54: we may need to drink at my house so we don't get busted

    - For another transcript visit ABC News (warning explicit language)

    - Kailash Ambwani Video on Foley Incident and Instant Messenger auditing and control.

    October 10, 2006

    • Mark Foley- Government IM and What Does It Mean?

    There has been quite a bit of controversy over the "Mark Foley Scandal".

    From the Wikipedia:


    Mark Adam Foley (born September 8, 1954 in Newton, Massachusetts) was an American Republican politician and a member of the United States House of Representatives from 1995 until 2006, representing the 16th District of Florida.

    Foley resigned from the U.S. Congress on September 29, 2006 after it surfaced that he had sent sexually explicit instant messages[1] to former Congressional pages who were both under and over the age of 18.[2][3][4] He had previously been warned about "overly friendly" emails to former Congressional pages. As a result of the disclosures, the Federal Bureau of Investigation (FBI) and the Florida Department of Law Enforcement (FDLE) opened an investigation of the messages to find possible criminal charges.

    Given that the government has put into effect all kinds of laws about digital messaging to protect people:

    - Gramm-Leach-Bliley Financial Modernization Act (GLBA)

    - Sarbanes-Oxley Act of 2002 (SOX)

    - Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    One has to wonder who watches the government for oversight in the digital realm? That is beyond my scope of knowledge, but companies might think about what a scandal like this might mean to them.

    So where do you start? First, figure out how much instant messaging traffic is on your network. FaceTime has a free tool, RTMonitor, that can help with this.

    Also get educated. Establish some IM policies- don't let incidents establish you. Facetime sponsored this whitepaper from the ReymannGroup.

    A little snippet:

    "...With the increased privacy and security awareness among businesses, customers, and our elected officials, traditional best practices are being incorporated into new laws and regulations that define a higher security standard that all affected organizations must achieve. Information security is no longer only a prudent business decision, it is mandated!..."

    It's free and has a handy checklist too.

    Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup)
    [Direct Download PDF]

    October 02, 2006

    • IE Used to Launch Instant Messaging and Questionable Clicks

    Last month, a particular instant messaging attack was infecting users via Yahoo! Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible click fraud (depending on how you define it). We often hear about botnets in relation to this kind of scam; indeed, a common tactic we've seen a number of times is to hijack the infected drones' homepage and fill it with clickable adverts that bring in a return for the botnet owner. Here we have an attacker going one step further and doing away with the complicated aspect of the botnet altogether, substituting a more straightforward scheme that uses the worm mentioned above as a launchpad. Effectively, we have a botnet without bots, and the potential for financial fraud is in some ways more severe because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of the attack...

    IM Clicks: Starting Positions

    Usually, an instant messaging attack follows a familiar pattern: the user is sent a link, the user clicks the link and allows a file to run on their system. At this point they become infected and send dangerous links to their contacts.

    Here we have something different: an instant messaging attack launched by a webpage that forcibly drops executable files into the PC's temporary files directory via VBScript. As soon as this occurs, the infected PC starts firing infection messages at everyone on the user's contact list. What's more, the infection links themselves are extremely dynamic; it's possible to see seven or eight different messages in as many minutes.

    If the sheer velocity of messages isn't impressive enough, the attackers also take advantage of the "status message" feature in Yahoo! Instant Messenger, so even if the infected computer doesn't immediately send a link to a contact, that contact might see a message next to the user's name saying "check out my blog" and think it perfectly innocent to click. Remember: in this attack you simply need to visit the offending webpage to become infected. There is NO need to explicitly allow a download or run a file.

    So, how does this happen?

    First of all, the victim needs to visit an infection site using Internet Explorer; this exploit doesn't work in Firefox, for example. Because of the way the files are written onto the PC, an attacker can effectively make any site a potential threat and scatter these files around wherever he likes. No social engineering is needed to convince people to run them, a definite plus from a hacker's point of view.

    The infection sites appear to be completely blank pages; to the casual end user, nothing would seem amiss. However, if they happen to have Yahoo! Instant Messenger up and running, they will quickly find a combination of error messages and chat boxes flashing up on the screen. What they won't see is one of the randomly selected infection messages being sent to their contacts.

    Sample Infection Message: Click to View Image

    Additionally, they might notice that they suddenly have a new status message next to their name. The status messages are dynamic and change often, reflecting the (randomly selected) infection links sent to their contacts. Everything from winning the lottery to famous footballers is thrown into the mix.

    Sample Status Message: Click to View Image

    While the automated IM messages direct other users to the infection site, this particular attack also hijacks the infected user's Internet Explorer homepage to a webpage stuffed with advertisements that specifically target a certain medical condition, geared towards maximising the hacker's financial gain.
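To make the infection-page description above concrete, here is a small static triage script, added as an example (it is not FaceTime's tooling and not the KMeth page itself). It greps a saved HTML page for the combination the post describes: a VBScript block that instantiates a file-system or shell object, evidence that it writes something ending in .exe under the temp directory, and an otherwise blank body. The indicator list and both sample pages are constructed for illustration; real droppers obfuscate, so this catches only the plain form.

```python
"""Static triage for the IE/VBScript drive-by pattern described above.
Added example; not FaceTime's tooling and not the KMeth page. The two
sample pages below are constructed for illustration."""
import re

# Indicators an analyst would grep for in a script-based dropper of this era.
# This list is an assumption, not a definitive signature set.
INDICATORS = {
    "vbscript_block": re.compile(
        r'<script[^>]+(?:language|type)\s*=\s*["\']?(?:text/)?vbscript', re.I),
    "fso_or_shell": re.compile(
        r'CreateObject\s*\(\s*["\'](?:Scripting\.FileSystemObject'
        r'|WScript\.Shell|Shell\.Application)["\']', re.I),
    "adodb_stream": re.compile(r'ADODB\.Stream', re.I),
    "temp_dir": re.compile(r'%TEMP%|GetSpecialFolder\s*\(\s*2\s*\)|\\Temp\\', re.I),
    "exe_write": re.compile(r'\.exe["\']', re.I),
    # "Completely blank page": a body holding nothing but script tags.
    "blank_body": re.compile(r'<body[^>]*>\s*(?:<script.*?</script>\s*)*</body>',
                             re.I | re.S),
}


def triage(html):
    """Return the names of all indicators present in the page, in a stable order."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def verdict(html):
    """Classify a page as 'dropper-like', 'review' (partial match) or 'clean'."""
    hits = set(triage(html))
    # Core of the pattern: VBScript that instantiates a file or shell object...
    core = {"vbscript_block", "fso_or_shell"} <= hits
    # ...plus evidence that it writes to disk (temp dir, .exe name, ADODB.Stream).
    writes_to_disk = bool(hits & {"temp_dir", "exe_write", "adodb_stream"})
    if core and writes_to_disk:
        return "dropper-like"
    return "review" if hits else "clean"


# Constructed sample: the shape the post describes, with no real payload.
DROPPER_PAGE = """<html><head><title></title>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set tmp = fso.GetSpecialFolder(2)
Set strm = CreateObject("ADODB.Stream")
strm.SaveToFile tmp & "\\svchost32.exe", 2
</script>
</head><body></body></html>"""

# Constructed sample: an ordinary page with inline JavaScript.
BENIGN_PAGE = """<html><body><h1>Hello</h1>
<script type="text/javascript">var x = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("dropper", DROPPER_PAGE), ("benign", BENIGN_PAGE)):
        print(label, verdict(page), triage(page))
```

Run it against a directory of saved pages and sort by verdict; anything "dropper-like" that also fails to render visible content is worth opening in an isolated IE instance with IM clients closed.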

    At this point, I'll let Wayne Porter, Senior Director Special Research take over...

    Financial Scenario: Elephant Words Attract Malware

    The KMeth Worm invokes a webpage carrying a number of Google AdSense ads targeting the term Mesothelioma.

    Hijacked IE Homepage: Click to View Image

    Mesothelioma is a rare form of cancer most commonly caused by prolonged exposure to asbestos, and extensive litigation followed its recognition. Advertising spend on these keywords is high, which makes this an "elephant word" (a keyword with a high payout) and a prime target for malware writers to exploit. Bids can range from $4.00 to $13.00 per click.

    What is Mesothelioma?
    A rare form of cancer (about 1 in 1,000,000) that is almost always caused by previous exposure to asbestos. In this disease, malignant cells develop in the protective lining that covers most of the body's internal organs. Its most common site is the outer lining of the lungs and chest cavity, but it may also occur in the lining of the abdomen or the pericardium- a protective sac which surrounds the heart.

    It is believed that most people who develop mesothelioma have worked on jobs where they inhaled asbestos particles, or have been exposed to asbestos dust and fibers in other ways, such as by washing the clothes of a family member who worked with asbestos, or by home renovation using asbestos cement products. There is no known association between mesothelioma and smoking.

    Because of the asbestos link, and because mesothelioma is usually an aggressive and deadly disease, care is palliative (making the patient comfortable until death). Most of the cases stem from exposure twenty to fifty years ago.

    Litigation and the Bid Driven Economy

    Because of the deadly nature of the disease, it stands to reason that much litigation followed.

    Companies liquidated holdings, produced asbestos substitutes, and started asbestos removal businesses. The pivotal decision came in June 1982, when a retired boilermaker, James Cavett, won a record award of $2.3 million in compensatory and $1.5 million in punitive damages.

    As history illustrates, litigation around this type of cancer can net high returns for lawyers and for those seeking damages; however, these cases are rare. Thus the cost-per-click (CPC) on bidding networks for terms associated with these large litigation awards varies widely, from $4.00 to $13.00 per click and higher. This makes it a prime target for malware authors and worm writers who set up systems to force or maximize clicks on these high-paying keywords in order to collect their share of the revenue.

    It should be noted that KMeth's target page seems to follow the Google Terms of Service in terms of the number of ads allowed, etc. The tactic seems designed not to arouse suspicion. The fraud is not perpetrated on the click but in the mechanism of delivery: a worm. Addendum: thus, while "click fraud" could be debated (Google might call these "invalid clicks"), this is certainly "syndication fraud".

    We can also observe the date comment in the ad code: //2006-09-26: Mesothelioma (the snippet reproduced further down reads //2006-09-24). The AdSense code generator writes this comment, date plus channel name, when an ad unit is generated against a custom channel.

    Either date puts the creation of the page about a week ahead of the KMeth Worm being unleashed.

    Why Traffic Cleaner in Target Page?

    The author goes a step further and shows some sophistication by realizing that a fast-propagating worm will not be country-sensitive, and so will bring traffic that is likely to trigger fraud filters. This is worked around with the TrafficCleaner service, a simple IP filtering service called through an IFrame.

    When a visitor loads the website, the IFrame loads with it. The visitor's IP address is checked against the account holder's "Filter settings". If the visitor is "allowed", nothing happens and the visitor browses the intended site as normal: in this case a page with some information to trigger the high-paying keywords, plus advertisements and search boxes, all designed to have the user click through.

    If instead the visitor is from a "banned" country, he or she is "filtered out" of the page and forwarded to the alternative URL set in the "Filter settings". In either case a cookie is placed on the visitor's computer, so no further check is needed if that visitor returns or visits other pages carrying the same code, until the cookie is deleted or expires.

    While this service has legitimate uses (for example, a company that can only ship to the United States or does not wish to ship to certain countries), here the code is used to block certain visitors. It is most likely used to filter out traffic from known high-fraud regions so that KMeth's delivery mechanism does not raise suspicion. By looking at the IP address of visitors it is possible to determine the country of origin and keep the "footprint" low.
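The filter behaviour described above, re-implemented as an added example so the mechanics are explicit. This is not TrafficCleaner's code and is not taken from the post: the IP-to-country table, the banned list, the cookie name and the alternative URL are all constructed, and a real service would consult a GeoIP database. Only the user id (893) comes from the page.

```python
"""Model of the IFrame geo-filter described above: look up the visitor's
country, redirect banned countries, remember the decision in a cookie.
Added example, not TrafficCleaner's code; all data below is constructed."""
import ipaddress

# Constructed IP-to-country table (assumption; a real service uses a GeoIP DB).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
]

# Hypothetical "Filter settings" for one account. The post only records the
# account's user id (893); the banned list, cookie name and URL are invented.
FILTER_SETTINGS = {
    "user_id": 893,
    "banned": {"RU"},
    "alternative_url": "http://example.invalid/elsewhere",
    "cookie_name": "tc_893",
}


def country_of(ip):
    """First matching network wins; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def filter_visitor(ip, cookies, settings=FILTER_SETTINGS):
    """Decide what the IFrame does for one request.

    Returns (action, set_cookie): action is ("allow", None) or
    ("redirect", url); set_cookie is the cookie to write, if any.
    """
    name = settings["cookie_name"]
    cached = cookies.get(name)
    if cached in ("allow", "banned"):
        # A cached verdict wins: no IP check on repeat visits until expiry.
        decision, set_cookie = cached, {}
    else:
        cc = country_of(ip)
        # Unknown country falls through to "allow" in this model.
        decision = "banned" if cc in settings["banned"] else "allow"
        set_cookie = {name: decision}
    if decision == "banned":
        return ("redirect", settings["alternative_url"]), set_cookie
    return ("allow", None), set_cookie


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.1", "10.0.0.1"):
        print(ip, country_of(ip), filter_visitor(ip, {}))
```

Two things an investigator should take from this: what a crawler sees depends on its egress country, so fetch from an "allowed" geography (or simply drop the IFrame) to reach the monetised page; and because the verdict is cached in a cookie, a browser that was allowed once keeps being allowed from a banned IP until the cookie expires, which is why a fresh profile is needed for each test.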

    The TrafficCleaner user ID used in the code is 893. TrafficCleaner, which does not appear to be involved beyond providing a free service, is owned and operated by:

    Blue Star Ltd.
    Regensbergstr. 12.
    CH-8157 Dielsdorf
    Switzerland

    MP3Pimping.com Connection

    The KMeth Worm attempts to "launder" the traffic by delivering it to pages showing ads under this Google publisher ID: pub-2609604811345695. We have linked this publisher ID to a site called www.mp3pimping.com. One cannot be 100% certain this is the responsible party, as it could be a retaliatory attack.


    Owned By:
    Registrant:
    Wiebe Weikamp
    Eemnesserweg 58
    Hilversum, New Hampshire 1221 CZ
    Netherlands

    Registered through: Mad Dog Domains and Cattle Company
    Domain Name: MP3PIMPING.COM
    Created on: 31-Dec-05
    Expires on: 01-Jan-08
    Last Updated on: 31-Dec-05

    Administrative Contact:
    Weikamp, Wiebe
    Eemnesserweg 58
    Hilversum, New Hampshire 1221 CZ
    Netherlands
    (062) 040-2685

    Technical Contact:
    Weikamp, Wiebe
    Eemnesserweg 58
    Hilversum, New Hampshire 1221 CZ
    Netherlands
    (062) 040-2685

    Domain servers in listed order:
    DNS1.MP3PIMPING.COM
    DNS2.MP3PIMPING.COM

    However, given some of the domains hosted on the same box, or in the same "neighborhood", many with false registration details, dubious content, etc., it does raise certain red flags.

    For a text list of the domains that reside on this machine, download the text file here.

    Example HTML snippet from the target (index) page:

    <script type="text/javascript"><!--
    google_ad_client = "pub-2609604811345695";
    google_ad_width = 728;
    google_ad_height = 90;
    google_ad_format = "728x90_as";
    google_ad_type = "text_image";
    //2006-09-24: Mesothelioma
    google_ad_channel ="4060884470";
    //--></script>
    <script type="text/javascript"
      src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>

    The party also codes the page so that if the user hits the [back] button they receive a 404 (page not found). Overall, the quality and value of this advertising chain is little to none, given that the user's interest is stimulated artificially via the propagation of the worm. With KMeth, Google's syndication serves ads onto low-value pages built around a keyword theme, which further degrades advertising returns when, as here, the AdSense click lands on a page that in turn shows Yahoo! Publisher Network (YPN) ads, a practice commonly called "bidding arbitrage".

    CLICK STREAM SAMPLE SCENARIO

    Antiry45 Sends Traffic via Google Syndication:


    http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2609604811345695&dt=1159795672999&lmt=1159602852&prev_fmts=728x90_as&format=728x90_as&output=html&channel=4060884470&pv_ch=4060884470%2B&url=http%3A%2F%2Fantiry45.googlepages.com%2Findex.html&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=-240&u_his=2&u_java=true&u_nplug=7&u_nmime=16


    Clicking the ad returns the following redirect; the landing site, ThinkTarget.com, serves supplemental results via Yahoo!'s Publisher Network.



    GET /pagead/adclick?sa=L&ai=BcUzB0BMhRd2oF5S2yQLCl_CwCrmj2BrF9K-JA8CNtwHA_BUQAxgHIOPp4wYoBECKFkisOVDlhvfQ-f____8BmAGI1s0QoAG1tOL9A6oBCjQwNjA4ODQ0NzCyARhhbnRpcnk0NS5nb29nbGVwYWdlcy5jb226AQk3Mjh4OTBfYXPIAQHaASBodHRwOi8vYW50aXJ5NDUuZ29vZ2xlcGFnZXMuY29tL-ABApUCC1RSCg&num=7&adurl=http://search.thinktarget.com/portal/thinktarget/search.php%3Fp2%3Dadmanager_3click_search,568448%26q%3Dmalignant%2Bpleural%2Bmesothelioma&client=ca-pub-2609604811345695&nm=9 HTTP/1.1

    Decoded destination:

    http://search.thinktarget.com/portal/thinktarget/search.php?p2=admanager_3click_search,568448&q=malignant+pleural+mesothelioma

    Note: thinktarget.com resides at 69.8.177.5. Six domains resolve to that machine:
    1. adverpages.com
    2. funnieststuff.net
    3. rxwebsearch.com
    4. tamnetwork.com
    5. targetedpages.com
    6. thinktarget.com
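The attribution fields in the ad unit and the click stream above can be pulled out mechanically. The following is an added example, not FaceTime's tooling: it parses the google_ad_* assignments and the date comment out of the ad code, unpacks the adclick redirect to recover the landing host and the keyword handed to it, and decodes the opaque ai= token, which turns out to be base64url data with readable strings inside. The ad unit and the click URL are copied from the post (the ai token verbatim); the decoder tries all four base64 alignments and keeps the one that yields the most printable text, since the token's first character is not part of the base64 body.

```python
"""Extract attribution data from an AdSense ad unit and an adclick URL.
Added example, not FaceTime's tooling. AD_UNIT and CLICK_URL are copied
from the post above (the ai= token verbatim; other parameters trimmed)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

AD_UNIT = '''<script type="text/javascript"><!--
google_ad_client = "pub-2609604811345695";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
//2006-09-24: Mesothelioma
google_ad_channel ="4060884470";
//--></script>'''

CLICK_URL = (
    "http://pagead2.googlesyndication.com/pagead/adclick?sa=L"
    "&ai=BcUzB0BMhRd2oF5S2yQLCl_CwCrmj2BrF9K-JA8CNtwHA_BUQAxgHIOPp"
    "4wYoBECKFkisOVDlhvfQ-f____8BmAGI1s0QoAG1tOL9A6oBCjQwNjA4ODQ0NzCyARhhbnRpcnk0NS5nb"
    "29nbGVwYWdlcy5jb226AQk3Mjh4OTBfYXPIAQHaASBodHRwOi8vYW50aXJ5NDUuZ29vZ2xlcGFnZXMuY"
    "29tL-ABApUCC1RSCg"
    "&num=7&adurl=http://search.thinktarget.com/portal/thinktarget/search.php"
    "%3Fp2%3Dadmanager_3click_search,568448%26q%3Dmalignant%2Bpleural%2Bmesothelioma"
    "&client=ca-pub-2609604811345695&nm=9"
)

ASSIGN = re.compile(r'^\s*(google_ad_\w+)\s*=\s*"?([^";]+)"?\s*;', re.M)
DATE_COMMENT = re.compile(r'^//(\d{4}-\d{2}-\d{2}):\s*(.+)$', re.M)


def parse_ad_unit(html):
    """Publisher id, size, format, channel, plus the generator's date comment."""
    fields = dict(ASSIGN.findall(html))
    m = DATE_COMMENT.search(html)
    if m:
        fields["channel_created"] = m.group(1)
        fields["channel_name"] = m.group(2).strip()
    return fields


def parse_click(url):
    """Publisher, landing host/path and the keyword passed to the landing page."""
    qs = parse_qs(urlsplit(url).query)
    landing = urlsplit(qs["adurl"][0])        # parse_qs already %-decoded adurl once
    landing_qs = parse_qs(landing.query)
    return {
        "publisher": qs["client"][0],
        "landing_host": landing.hostname,
        "landing_path": landing.path,
        "keyword": landing_qs.get("q", [None])[0],
        "ai": qs["ai"][0],
    }


def decode_ai(token):
    """Base64url-decode an ai= token, trying all four alignments and keeping the
    one with the highest share of printable bytes. Returns (chars_skipped, bytes)."""
    best = None
    for skip in range(4):
        s = token[skip:]
        s += "=" * (-len(s) % 4)
        try:
            raw = base64.urlsafe_b64decode(s)
        except (binascii.Error, ValueError):
            continue                           # this alignment is not decodable
        score = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
        if best is None or score > best[0]:
            best = (score, skip, raw)
    return (best[1], best[2]) if best else (None, b"")


def ascii_strings(raw, minlen=6):
    """Printable ASCII runs of at least minlen bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % minlen, raw)]


if __name__ == "__main__":
    print(parse_ad_unit(AD_UNIT))
    click = parse_click(CLICK_URL)
    print(click)
    skip, raw = decode_ai(click["ai"])
    print("alignment offset", skip, ascii_strings(raw))
```

The useful check here is consistency across the three artifacts: the channel in the ad code, the channel buried in the ai token, and the serving page (antiry45.googlepages.com, which also appears as url= in the ad request above) should all agree, and the publisher in the click URL should match the one on the page. Any mismatch points at a second page or publisher in the chain that has not been found yet.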

    Chris Boyd: In Conclusion...

    Typically, financially driven malware uses botnets to fraudulently drive traffic to specific online advertisements. In this case, the hackers have cleverly borrowed tactics from botnet creators to build a bot-less network of hijacked PC users who drive traffic to sites populated with these specific Google AdSense advertisements.

    Introducing the human factor makes these 'bot-less nets' much harder to detect. Even sophisticated auto-clickers can usually be detected over time, but the creator(s) of this infection are banking on human unpredictability to see them through. After all, unlike botnet clicker drones, there is no guarantee a real human will actually click one of those adverts; it's a risk taken on the part of the creator, but all things considered, a rather small one...

    Research Summary Write-Up: Chris Boyd, Director of Malware Research
    Technical Research: Chris Mannon, FSL Senior Threat Researcher
    Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researcher
    E-commerce Evaluation and Write-Up: Wayne Porter, Senior Director Special Research

    October 01, 2006

    • Twisted Pair at Network World Talk Pipeline Worm

    Remember the modular Pipeline Worm the FaceTime Security Labs team uncovered recently? The W32.Pipeline Worm hit right before the really strange MSN HeartWorm.a. Thanks to the Twisted Pair guys at Network World for the mention of the menace.

    They also covered some nasty work from another Russian porn attack, via our research friends at Sunbelt Software.

    The Pair note the Pipeline Worm, its rootkit element and the botnet menace, and give a nice mention of our RTGuardian 500 appliance, which won the Network World Choice Award (also see here). We clocked in with a latency of zero milliseconds on executable and non-executable content and an efficacy of 98.5%! Great job, research, and great job, engineering.

    From the pre show blurb:


    Jason and Keith talk about the winners in the Motorola-Symbol deal; more battery recalls involving Sony; a new AOL IM worm that has obvious red-flag warnings; Russian porn site security risks; Life is (Not) Good; iTunes million dollar movie week; and, the continuing HP spy saga. Plus Pigskin Pick'em! (32:39)

    Streaming Podcast Page: Located Here

    Are you on the go? Grab the MP3 and pop it into your player of choice, or whatever you do with your MP3s!


    © Copyright 2006, FaceTime Communications, Inc. All rights reserved.