On day four and five of my first RSA Conference, I spent most of the day going to lectures about current and future hacks that are being launched against businesses by cyber criminals. I learned a lot, because, as I've said before, I'm pretty new to the information security domain. For instance, I went to one lecture given by David Barroso of S21sec about common browser hijacking techniques. This was a really interesting session wherein Barroso discussed the following attacks:
These are really dangerous attacks. All of them exploit only the Windows operating system; none of them target Mac, Linux, UNIX, or mobile devices (a characteristic I heard over and over this week). They are installed in drive-by attacks and via email. Sinowal even installs itself into the Master Boot Record (MBR), allowing it to load a driver into the kernel as the OS boots that it uses to hide its files and registry keys and to intercept certain Win32 API calls (e.g., to capture key strokes). Some will also kill the OS after they've stolen sensitive information from the victim (more on this later).
These malware are very clever and dangerous. They jump on the box when you go to some hacker's Web site (e.g., by clicking the link to the Web site of a new Twitter follower or by clicking the unsubscribe link in SPAM). After installing themselves, they wait for you to go to Web sites in their lists of sites they can alter with their own HTML. For instance, a certain SilentBanker variant may be configured to inject HTML into the standard Web page of banks X, Y, and Z. When the user of an infected machine browses to www.BankX.com, it will alter the HTML of it login form to include additional fields used to harvest sensitive data (e.g., mother's maiden name, SSN, first pet's name, DOB, etc.). It will also alter the page to submit the data to some bogus Web page that looks like the bank's saying that the login failed due to a system outage. The private data will be transmitted to a drop site, and the malware may then kill your OS.
After executing this crime, the attacker wants to erase all evidence of how he perpetrated it. To conceal his tracks, the Trojan will delete some system resources that are required for the system to run, effectively killing the OS. For example, the malware might delete ntdetect.com, ntldr, a bunch of device drivers, registry keys like HKCU, etc. After this the OS is totally unusable, the victim calls their IT department (or teenage child) and asks them to reinstall Windows. While doing so, the hard drive is reformatted and the evidence is lost.
So, the lesson here: If your bank asks for a different or large amount of sensitive data while logging in, don't provide it. If you do and your computer stops working shortly thereafter, don't reformat it; call the police and make sure their cyber forensics experts analyze it.
If there is anything I learned this week, it's that we are currently in the middle of a cyber war with virtual cartels and e-terrorist organizations. The civilized world is under attack from terrorist that are utilizing the Internet to rob us. Our children, friends, family, businesses, and governments are all soldiers in this war. Every software engineer is a sergeant with authority over at least a small platoon made up of his or her community. As software developers, we have the skills, duty, and ethical responsibility IMO to protect our families, friends, and employers from the cyber attacks of an immoral and determined advisory.
To this end, we must teach our children, for example, how to use MySpace not insist that they avoid it; they must be taught how to disarm the landmines while under our command or else they'll unknowingly step on them once they're not. We must ensure that we have virus protection software on our computers at all times. We need to insist that our employers prioritize pen testing, threat modeling, and security reviews. More of us engineers need to attend conferences like RSA, and we need to share what we learn at them with our communities. To this end, I will happily (with what little time I have and within reason) answer emails, phone calls, IMs, blog comments, invites to lunches or coffee, and meeting requests to share more about what I learned at RSA this week. You can find my contact info on my Web site if you'd like to take me up on this offer.