Clamping Down on American Companies That Assist Cybercrime

August 13th, 2010

The National Institute of Standards and Technology recently released a request for comment from the public regarding ways to enhance cybersecurity while sustaining innovation:

The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation.

The full details of the NIST request can be downloaded here (PDF). (Responses are due by September 13th, 2010 so there is still time to contribute.)

Cyveillance has submitted the following response.


Threats to national cyber infrastructure do not always come in the form of malware, viruses, or unpatched software. Domestic and international organized crime depends on the internet as a significant revenue source, enabling its further growth in cyberspace and its “real world” influence.

One particularly active arena of illicit activity online is illegal sale of pharmaceutical drugs. Illegal online pharmacies do not require the mandated face-to-face meeting between patient and caregiver before sending prescription medication to the buyer. The risks to consumers who use online pharmacies are many:

  • without appropriate professional medical oversight of access to powerful prescription drugs, there is a higher risk of prescription drug abuse or death
  • the prescription medications may be produced in unregulated factories overseas by manufacturers that are not FDA approved, increasing the chances of substandard or ineffective medications being received
  • the “medications” received by the consumer may be counterfeit, causing harm not only because they do not treat the medical condition they were purchased to improve, but because they may be composed of harmful chemicals

The examples above are more than possibilities; documented cases exist of American consumers who were customers of illegal online pharmacies and died as a result. Many more undocumented cases are sure to exist.

Today we will examine illegal online pharmacies and the complicity of American companies which enable their crimes, discuss the risks they pose to American consumers and overall cybersecurity, and make recommendations to make it harder for such criminals to put Americans at risk.

Hosting Companies

Whenever an internet user wants to visit a website, a computer server answers the request and delivers that website to the internet user. These servers can be located anywhere in the world. If you run a website you normally pay a hosting company so that its servers will deliver your website to internet users.

The webmasters of illegal online pharmacies are like any other website owner and prefer hosting companies that are reliable and geographically close to their potential customers so that connections are generally quicker. Unfortunately, the highly competitive hosting market and lack of consequences for aiding and abetting these criminal operations result in many American hosting companies which are all too ready to offer them hosting services.

There are servers in the United States which host hundreds of illegal online pharmacies. While these companies will accurately respond that their terms of service prohibit such activity, it is the experience of Cyveillance and its peers in the fight for a safer internet that the verbiage in those terms of service is merely window dressing and is very rarely enforced. While there are companies like GoDaddy which will move quickly to cancel or suspend services to illegal online pharmacies, the majority of the hosting industry either does not respond to takedown requests for these unlawful websites or moves so slowly that months can pass before action is taken, allowing the illegal online pharmacies to continue harming consumers. Their general attitude is that the hosting company is not responsible for the content housed on its systems, despite the fact that this position enables illegal activity that causes physical harm.

SSL Certificate Vendors

Secure Sockets Layer (SSL) is a technology which encrypts the communication between an internet user’s browser and a website. This makes it safer for internet users to go shopping online, because their credit card information is hidden when it is sent to the website for payment. Webmasters purchase SSL certificates to enable this functionality and this gives consumers the sense that the website is run by a sound merchant to do business with.

Illegal online pharmacy webmasters know that internet users prefer to do business with sites which have SSL enabled. They will pay SSL certificate vendors for certificates that result in the “little lock” icon appearing in the internet user’s browser when conducting a purchase. While the presence of the little lock icon may indeed mean that the consumer’s credit card information is protected on its way to an illegal online pharmacy, this does not change the alarming fact that the actual act of purchasing prescription medication from illegal online pharmacies is very dangerous, AND legitimate users’ credit card credentials find their way to these criminal companies.

Like hosting companies, SSL security vendors generally disclaim any responsibility for the illegal activity they are enabling. A typical phone call to an SSL certificate vendor which requests that the vendor cancel or suspend its service to the illegal pharmacy website will result in the response, “We are not in control of what’s on the website; if they meet the criteria for the SSL certificate, we provide it to them”. Cyveillance has anecdotal and documented evidence of this behavior, which is unfortunately the norm even among SSL certificate vendors based in the United States.

It should be noted that a hosting company or SSL certificate vendor may not be aware of the nature of their customers’ activity after the services are purchased. Often hosting services and SSL certificates are purchased through largely, if not completely, automated processes and no human may ever review the website where the unlawful activity would be visible. However, once a hosting company or SSL certificate vendor has been made aware of such activity, there is no excuse for the company to continue doing business with the illegal online pharmacy. The situation is even less pardonable because servers which house one form of illegal activity like online pharmacies may also host child pornography or online gambling operations.

Of course, the types of American companies which assist organized crime on the internet are not limited to hosting companies and SSL providers. For example, there are companies which offer online chat services for website visitors to converse with illegal online pharmacy personnel for customer service. Any regulatory and / or legal language to curb this sort of behavior should be written in such a manner to prevent any assistance organized crime may receive online from American companies.

Making Online Criminal Activity More Punishable

Cyveillance employees are not legal experts, but providing services to criminals that enable the commission of a crime would seem to meet the legal definition of what makes an accomplice. This determination would seem even easier to make when these entities are paid for their assistance. However, while morally unjustifiable, today there are virtually no consequences for companies that work with the criminals who sell prescription medications online without a prescription, and the behavior of these companies suggests that they feel no pressure to change. While we did focus on illegal online pharmacies here, it is just one example of the bigger problem of American companies turning a blind eye to the illegal activity of their business partners online. We propose that:

  1. In addition to federal law enforcement, civic agencies should aggressively pursue punishment for repeated complicity in illegal online activity by American companies. A “three strike rule” may be an adequate model for enforcement.
  2. In the same manner that federal and local law enforcement offer “crime solvers hotlines” where citizens can report illegal activity for investigations, there should be a single clearinghouse whereby concerned citizens can report American companies that offer services to illegal activities online to law enforcement for speedy investigation.

Cyveillance understands that the hosting and SSL companies will resist efforts to regulate their activity. However, in the same manner that the Department of Transportation requires safety measures of car manufacturers, in the same way that the Environmental Protection Agency requires safety measures in industrial settings, and in the same way numerous other businesses are regulated to promote social well-being overall, taking measures to protect Americans from danger is not only a noble goal and moral imperative that companies should embrace, but a “low hanging fruit” from a regulatory perspective that will also enhance American cybersecurity. We look forward to further dialogue around what steps may be taken to eliminate cooperation with organized crime online by American companies.

A Closer Look at AV Detection Lag-times

August 10th, 2010

The recent report from Cyveillance regarding AV detection lag-time rates has sparked some interesting responses and we welcome the discussion around the ever increasing threats on the Internet. Specifically, Randy Abrams raises several interesting critiques about the methodology used in our report. The first weakness (in his view) is that ESET sees a lot more malware than we do at Cyveillance. This point may be true, though, in fairness, the paper was very clear about the “threats” covered, which is not “all malware”. It is the Web-borne malware that Cyveillance predominantly sees being distributed and installed (without user consent, i.e. by exploit/drive-by install) in real time as we visit live, infected and malicious Web pages on any given day. Of those threats, the results are accurate. While this may be less malware in a day than all the samples ESET analyzes, it is representative of the kinds of Web-delivered threats that users encounter as they surf the Web, click on links and download content on that given day. We find it by emulating real user web surfing behavior.

The second point, and much more important, Randy raises as a flaw is that our methodology relies on the leading brands in the industry to say what is and isn’t malware. (I should note this is an admirable criticism to raise, since, at least within the specific lens used in our study, Randy’s company fared the best and may very well be the leading brand in the industry.) Still it is a methodological choice we had to make. We made it partly for objectivity and because if we relied solely on our own analysis of “what it does”, we would expect the industry response to be a chorus of “but what does Cyveillance know about analyzing malware? They’re not an anti-virus company!”

One key point we feel many readers of the paper may have missed is that this study was intended to illustrate detection lag times by the leading AV companies. If you read the paper thoroughly, you will see that the lag time stats in Figure 3 show how long each vendor took to recognize those things that it eventually did identify as malware, i.e. the final chart displays the lag time between when we were infected with a piece of malware in the wild – by a nasty Web page or malicious Tweet or PPC link or whatever – and when that vendor eventually recognized the threat.

Randy’s complaint appears to say “you shouldn’t call something malware and penalize me for having missed it because my competitors call it malware and I don’t.  Maybe I’m right and they’re wrong”. This is a fair comment. However, the central point of this study is to say that, “we’re not comparing you to the other guy. What the paper is actually saying is ‘for the things you, yourself said are malware, you didn’t say so until X days or weeks after I got infected with it.’”  That was the point of the study.

Regardless of the difference of opinion in the methodology used, as mentioned in the article, the conclusions in the report are on target – you can’t rely solely on signature based protection for today’s Internet threats. This is validated time and again by our corporate customers, who use these same leading security programs, and who spend significant resources cleaning and re-imaging company machines that are constantly being infected by the many threats that pass right through them.

The Safety of Popular Hosting Environments (or Lack Thereof)

July 22nd, 2010


If you don’t mow the lawn often enough, you may find unwelcome guests in your yard.
Image courtesy dnatheist.

Hosting companies are a major component of criminal resources online. Like all for-profit enterprises, cybercrime relies on solid, dependable infrastructure that will allow criminals to distribute viruses and other malware. While some hosting companies actively support cybercriminals by explicitly offering so-called “bullet proof hosting” environments to those looking for havens from law enforcement, many hosting companies simply turn a blind eye to cyber crime. After all, they are making profit and they are not getting in trouble for providing services to criminals, so why would they stop? A new report by HostExploit sheds light on hosting companies that likely are aware that criminals use their services to further their ends.

Of course, cybercriminals do not always pay for the services they use. A tried and true method used by online thieves is to borrow the resources of a server someone else is paying for.

How does one take over someone else’s server? The variety of techniques used is beyond the scope of this article, but in the same manner that a person’s home computer is likely to be infected by a virus if the software it uses is out of date, a hosting environment that is not keeping up with updates to the software and applications it runs is more likely to be hijacked by cyber criminals because unpatched vulnerabilities exist. Just this week Google’s Matt Cutts discussed the growing threat of web server hacking in Google Webmaster Videos, saying:

I think web servers on the web are going to be exploited a lot more. The hackers are going to stop putting viruses and malware on individual people’s machines and they’re going to start attacking web servers across the entire world wide web.

So today we focus on those hosting companies that are negligent in updating their infrastructure, in essence opening the door for criminals to illicitly host their own content like illegal online pharmacies or to infect internet users’ computers. Once the users’ machines are infected, the criminals will steal banking passwords, use the computers to send spam or even participate in phishing attacks to steal money from victims’ bank accounts.

The Study

Profile of 100,000 Most Popular Websites

Cyveillance recently performed a scan of the 100,000 most popular websites on the entire internet, as defined by Alexa. (A daily listing of Alexa’s top 1 million websites can be downloaded from this page.) We simply requested the headers from each of the sites, which will return details about what systems the website’s hosting platform uses. This type of information is included virtually every time any web surfer visits any web page, so requesting it once from each site would not impose any burden on these 100,000 websites.

We then simply compared what versions of common hosting variables were used by these popular sites. We have used very conservative standards for what are acceptable, up to date versions. That being said, here’s what we learned…

Apache HTTP Server

Distribution of Apache Versions

Current Version: Version 2.2.15 is the current stable release, released four months ago according to Wikipedia.

What We Considered Out of Date and Why: Any version in the 2.0.x line (or older) is well out of date. Version 2.2 appears to have been released in the year 2007.

Internet Information Services (IIS)

Distribution of IIS Versions

Current Version: Version 7.5 was released in October 2009 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 6.0 and older. Version 6.0 was released as part of Windows Server 2003.

PHP

Distribution of PHP Versions

Current Version: Version 5.3.2 was released in March 2010 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 5.1 or older. Version 5.2.0 was released in November 2006. It’s hard to justify not upgrading in the last 3.5 years. Also note that PHP is typically exploited through the software installed on a website (forums, blogs, etc.), and that PHP in and of itself is not a vector for attack. But PHP updates routinely include security fixes to prevent such abuse, so running more recent versions is good hosting hygiene.

To recap:

Service               Out-of-date threshold   Percentage of top 100,000 sites
Apache HTTP Server    2.0.x or older          6%
IIS                   6.0 or older            12%
PHP                   5.1 or older            7%

Perhaps it’s also useful to know what percentage of the top 100,000 have upgraded to the newest version.

Service               Newest version   Percentage of top 100,000 sites
Apache HTTP Server    2.2.15           4%
IIS                   7.5              1%
PHP                   5.3.2            1%

So there is a very large percentage of sites not running up to date versions of these services. If your definition of safe is “must run the most recent version” then the web is very vulnerable indeed.

Caveats

A few items are worth mentioning.

  • Sometimes a website has a bad day and for whatever reason did not return any response to our request for its headers. Stuff happens. Perhaps the site was offline, perhaps the site has a policy of not answering requests just for headers. We did not screen these out of the results because we wanted to preserve the integrity of the top 100,000 dataset. It would have been rather arbitrary to keep going deeper past the 100,000 site mark just to make up for some absentees.
  • Some webmasters will modify their sites so that the headers do not reveal very much information about what systems they run. This is very clever because in the same way we scanned the sites to do a health check up on the most popular 100,000 sites, criminals will scan the web looking for out of date software to attack. The sites that did not offer any such information were not removed from our dataset.
  • Also, there are certainly situations where the same “hosting environment” was found multiple times in the top 100,000 sites we polled. For instance, a good number of sites from blogspot.com, wordpress.com, etc were present. But again, we didn’t pull those out because we wanted to maintain the notion of the top 100,000 sites on the web.
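As an added illustration of the header check described above and of the caveats just listed (example code written here, not Cyveillance’s scanner), the following Python applies the post’s out-of-date thresholds to constructed samples of the standard Server and X-Powered-By response headers, and keeps non-responding and version-hiding sites in the denominator rather than screening them out.

```python
"""Classify web servers as out of date from their HTTP response headers.

Added example, not Cyveillance's own tooling. It applies the thresholds the
post uses (Apache 2.0.x or older, IIS 6.0 or older, PHP 5.1 or older) to the
Server and X-Powered-By headers, and keeps non-responding or header-hiding
sites in the denominator, as the post's caveats describe.
"""
import re
from collections import Counter

# Thresholds from the post: a (major, minor) at or below these is "out of date".
OUT_OF_DATE_MAX = {
    "apache": (2, 0),
    "iis": (6, 0),
    "php": (5, 1),
}

# Matches "product/version" tokens such as "Apache/2.2.15", "Microsoft-IIS/6.0", "PHP/5.2.17".
TOKEN_RE = re.compile(r"(?i)\b(Apache|Microsoft-IIS|PHP)/(\d+)(?:\.(\d+))?")

PRODUCT_KEY = {"apache": "apache", "microsoft-iis": "iis", "php": "php"}


def parse_versions(headers):
    """Return {product: (major, minor)} for products named in Server/X-Powered-By.

    headers: dict of header name -> value (looked up case-insensitively);
    None means the site did not answer the HEAD request at all.
    """
    if headers is None:
        return {}
    found = {}
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("server", "x-powered-by"):
        value = lowered.get(name, "")
        for product, major, minor in TOKEN_RE.findall(value):
            key = PRODUCT_KEY[product.lower()]
            found[key] = (int(major), int(minor or 0))
    return found


def is_out_of_date(product, version):
    """True when (major, minor) is at or below the post's threshold for product."""
    return version <= OUT_OF_DATE_MAX[product]


def classify(headers):
    """Return {product: 'out_of_date' | 'current_enough'} for each identifiable product.

    A site that hides versions (e.g. "Server: Apache") or returns nothing yields {}.
    """
    return {
        product: ("out_of_date" if is_out_of_date(product, version) else "current_enough")
        for product, version in parse_versions(headers).items()
    }


def summarize(all_headers):
    """Percentage of *all* polled sites running an out-of-date version of each product.

    Non-responders and header-hiding sites stay in the denominator, matching the
    post's decision not to screen absentees out of the top-N dataset.
    """
    counts = Counter()
    for headers in all_headers:
        for product, verdict in classify(headers).items():
            if verdict == "out_of_date":
                counts[product] += 1
    total = len(all_headers)
    return {p: 100.0 * counts[p] / total for p in OUT_OF_DATE_MAX}


# Constructed sample responses standing in for HEAD results from polled sites.
SAMPLE_HEADERS = [
    {"Server": "Apache/2.0.63 (Unix)", "X-Powered-By": "PHP/5.1.6"},    # both out of date
    {"Server": "Apache/2.2.15 (Ubuntu)", "X-Powered-By": "PHP/5.3.2"},  # both current
    {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET"},         # IIS out of date
    {"Server": "Microsoft-IIS/7.5"},                                    # current
    {"Server": "Apache"},                                               # version hidden
    None,                                                               # no response
    {"Server": "nginx/0.7.67"},                                         # not a tracked product
    {"Server": "Apache/1.3.41 (Unix)", "X-Powered-By": "PHP/4.4.9"},    # both out of date
]

if __name__ == "__main__":
    for product, pct in summarize(SAMPLE_HEADERS).items():
        print(f"{product:7s} out of date: {pct:.1f}% of polled sites")
```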

Conclusion

As can be seen, a noteworthy percentage of hosting environments out there do not run very recent versions of important system components. And to reiterate, we have used generous allowances for what we considered unarguably out of date in general terms. This is especially surprising given the commercial value of sites in the 100,000 most popular sites on the entire internet. With the stiff competition to become highly-trafficked, we were surprised to see that so many of these sites have not kept up with such fundamental components of their software.

Of course, this certainly doesn’t mean that by going to these sites you will be infected with malware, or that you will visit a compromised server. What it does mean is that a significant portion of highly valuable sites are not as well protected as they should be, and that less popular sites even farther down the food chain may be even more risky because there is less monetary incentive for their owners to protect them.

We want to make clear that we are not calling out any individual site for not being up to date. There are many reasons a site may not be completely up to date with the most recent software out there. Maybe their web application was not future-proofed and would not run on newly updated versions, so they have not been able to bring things up to speed. That’s a business decision for the site owners. Maybe the site in question is a security researcher honeypot and is out of date on purpose! In any case, our aim is simply to paint a picture of the overall landscape.

What can be done?

Clearly, in the same way a computer owner regularly applies updates to the software running on his or her machine, hosting companies need to be very diligent about offering the most recent versions of the types of services we describe above. Webmasters should also only use hosting companies running up to date software. This will not only help keep the webmasters’ sites safe from hacks by cybercriminals, it promotes a healthier web for everyone if hosting companies know they lose business to more security-minded competitors.

Of course, in the same way that even a fully-patched, updated laptop can still be infected by malware, the most carefully maintained hosting environments can be compromised. Our intention is not to suggest that if a hosting company gets infected and is used to spread malware to internet users that it was negligent. Zero-day exploits are sadly not uncommon. We are suggesting that hosting environments which are not updated and get infected or compromised by cybercriminals are in fact making the internet a more dangerous place than it would be otherwise, and that action should be taken to correct the situation.

Let’s say you are travelling in your car and need a place to eat. You come upon a town. If you knew that 10% of the town’s restaurants did not meet health code standards and that there was a nontrivial chance you could get food poisoning, would you want to eat in that town? No, we wouldn’t want to eat in that town either, and we hope for a time when the internet’s hosting environments are far safer than they are now.

Counterfeit Goods Online

July 14th, 2010

Cyveillance has fought for many years against the seemingly endless barrage of counterfeit goods online, especially focusing on illegal online pharmacies (example, example, example) and even the US companies who support them.

It was especially encouraging to see the dangers of counterfeit goods covered this morning on NBC’s Today Show. Serious video coverage can also be found at CNBC. Consumer education about the dangerous risks in ordering medications online without a prescription, as well as the inferior quality of other counterfeit products is always welcomed.

While such crooks are traditionally found in the notorious 3 P’s (porn, poker, and pills) sometimes these criminals will diversify into other areas. One major illegal online pharmacy marketing group from Russia recently announced their intention to enter the fashion market:

The project is aimed at selling clothes, shoes and accessories of the most well-known brands like Gucci, Armani, Galliano, Diesel, Burberry, Calvin Klein, Gianfranco Ferre, Cartier, DelMaro, Prada, Dolce & Gabbana, Guess, Dsquared, Hugo Boss, Moschino, etc. (There are more than 100 (!) different brands presented at the site).

Because we think it unlikely that a group of illegal online pharmacy operators from Russia has signed distribution and marketing agreements with 100 legitimate brands, we believe the merchandise from this site and others in its network are most likely counterfeit.

Indeed, here is one of their sites from this new effort:

A screenshot from a website that appears to sell all counterfeit goods.

The marketers for fake or “replica” clothing sites use the old fashioned spammy tactics often associated with online pharmacies to get the word out about their websites. In these next two screen shots, you can see the comment moderation panel for this very blog, where devious marketers of counterfeit goods have submitted comments to cyveillanceblog.com in the hopes that we will publish the comment and the accompanying link to their site. (Click the images to enlarge them).


As is clear, online criminals have no intention of slowing down their illegal tactics on the internet. We look forward to a public who is more informed about the serious risks involved in counterfeit products and will continue working hard to negate the threat posed to consumers by such cybercriminals.

Illegal Online Pharmacy International Drug Mart Now Supported by Trustwave

June 23rd, 2010

Rogue online pharmacies offer prescription medications to consumers without requiring a prescription, and often sell medications that are not approved by the FDA. This leaves ample opportunity for dangerous, untested and even counterfeit products to be purchased and abused by consumers.

International Drug Mart is just such a rogue online pharmacy. They will sell a large number of prescription drugs to anyone with a credit card. LegitScript, an online pharmacy verification service used by Google, Yahoo!, and Bing, has confirmed that InternationalDrugMart.com is a rogue online pharmacy due to unlawful, unsafe, or deceptive practices.

In mid-May Cyveillance wrote that International Drug Mart had employed the services of noted certificate authority Thawte, which is based in South Africa. International Drug Mart did so to give the impression that it is a reputable business and that it cares about its customers’ wellbeing. However this is a ruse and does not change the fact that dependence-forming painkillers, powerful anticancer medications and other drugs are available from International Drug Mart to anyone with a credit card.

Shortly after our publication of this information, Thawte canceled its services to International Drug Mart. Cyveillance commends Thawte for doing the right thing and withdrawing support to a business that clearly endangers the health of consumers.

Thawte’s responsible behavior was promptly mirrored by two other peers in the SSL certificate industry:

  • After being denied by Thawte, International Drug Mart procured an SSL certificate from a certificate authority in the United Kingdom. Upon being informed of the nature of International Drug Mart’s business, the British certificate authority immediately canceled its service to International Drug Mart.
  • After being denied by the British certificate authority, International Drug Mart procured an SSL certificate from a certificate authority in Romania. Upon being informed of the nature of International Drug Mart’s business, the Romanian certificate authority immediately canceled its service to International Drug Mart.

Now International Drug Mart has gone to Secure Trust, also known as Trustwave, for its SSL certificate. (It should be noted that for quite some time International Drug Mart has also used Trustwave’s Trusted Commerce program.) Trustwave is based in the United States.

Cyveillance has reached out to Trustwave on multiple occasions in recent weeks. On June 22 Cyveillance received an email from a Trustwave vice president who wrote, “We have reviewed our validation of this site and it does meet all criteria to demonstrate organization control of the web domain and therefore we will not revoke the certificate at this time.”

By the logic offered in Trustwave’s response, anything on the internet, no matter what the content, is fair game for Trustwave’s services as long as the site meets certain technical requirements.

Just this week, Vice President Joe Biden offered (emphasis ours):

I applaud Google, Yahoo and Bing for the steps they’ve taken in recent weeks to stop selling advertising to illegal Internet pharmacies. But — but — we need to go further. It’s time for others to step up too, it’s time to stop supporting ads for drugs sold illegally over the Internet — and for a simple reason: for the public health of American — of our population.

The same goes for companies who support illegal Internet pharmacies in ways other than advertising. When we look at International Drug Mart, we see a site that is in clear violation of federal law and has serious potential for physical harm. We are disappointed that Trustwave, unlike its peers, does not have a problem doing business with such an organization.

New Industry Coalition Formed to Help with the Fight Against Fraud

June 18th, 2010


Dealing with the Challenges of Social Media in the Workplace

June 8th, 2010

A story by The Plain Dealer posted on www.cleveland.com last week sheds light on the numerous issues associated with social media and the workplace. Providing real life examples of problems experienced by companies such as Petland and Nestle, the story gives an excellent overview of many of the decisions that need to be made in the implementation of a company-wide social media strategy.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The steps start with a solid understanding of the authorized, and the far more numerous unauthorized, social media users within the company. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know, published by Cyveillance in Spring 2010.

Interview with Joseph Menn, Author of Fatal System Error

June 2nd, 2010


Cyveillance recently had the opportunity to interview Joseph Menn, the author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, released in January 2010. Menn has reported on security and other technology issues for more than a decade at the Financial Times and the Los Angeles Times, mostly from his base in San Francisco. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism. Earlier, he won a “Best in Business” award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.

His latest nonfiction book follows two protagonists that were successful in bringing down a small group of cyber criminals. It also highlights the growing threat and active participation of organized crime syndicates in online criminal activity.

Cyveillance asked Menn for some comments on this serious problem.

Cyveillance: Your book covers a time frame from approximately 2000 through 2009. Based on the experiences of the book’s protagonists, what would you say the large scale trends in cyber crime during that time frame are?

Menn: It’s night and day. In 2000, hackers would knock down sites such as eBay and Yahoo for momentary fame. They were isolated teens or those with small circles of like-minded friends. In 2003, the first purely commercial viruses appeared, compromising tens of thousands of machines for illicit purposes. The initial motive for the people in charge was to make money by sending spam from addresses that would evade blacklists, which were growing more effective. But once they had the botnets, they began finding other ways of making money, including denial-of-service attacks for hire. They would take out a sponsor’s competitor for a price at first, but then the criminals became more enterprising and wiped out sites unless they were paid off, a freelance extortion gambit. The same gangs and bots are now engaged in mass identity theft and financial fraud against consumers and small businesses, as well as theft of trade and military secrets. By now, the vast majority of serious cyber crime is mob-related, and more than 90 per cent goes overseas.

Cyveillance: In the book both Barrett Lyon, an American citizen, and Andy Crocker, a British law enforcement officer, experienced frustration with domestic and international law enforcement’s ability to understand and take action against the cyber criminals they faced. Why do you think this is, and has the situation improved? If you think it has not improved, what do you think needs to change in law enforcement to more effectively take on sophisticated cyber crime?

Menn: Cyber crime cases are hard to prove. The Internet might as well have been designed with plausible deniability in mind. And law enforcement cooperation is hard to get even from allies, due to logistical issues, differing priorities and varying laws. But the overarching problem, which nobody in power wants to talk about, is that the worst of the worst are knowingly protected by corrupt governments or those that view the mobsters as intelligence assets or strategic weapons. The enforcement outlook has not improved substantially, while the crime has gotten much worse over the years. Britain, which during the period in the book was well ahead of US efforts overseas, has gone backward with the dismantling of the National Hi-Tech Crime Unit. The only ray of light is that people inside the Obama administration are paying more attention and thinking about the issue.

Cyveillance: How would you describe the connection between the cyber criminals described in your book and with traditional organized crime?

Menn: In Russia, both petty criminals and legitimate business owners typically need a “roof”, or mob patron, to whom they pay tribute in exchange for fending off other criminals and officials looking for bribes. So even independent hacking rings, once they got large, depended on traditional mobsters to perform such services. Once the old mob saw how lucrative Internet crime was, it began taking a more direct supervisory role, as it did with the Russian Business Network in St. Petersburg.

Cyveillance: The criminals in Fatal System Error were largely Russian in origin. What is it about Russia that seems to produce such sophisticated cyber criminals, and do you see that situation improving?

Menn: Russia has had first-rate math and computer education for decades. But there are limited legitimate career opportunities. In addition, crime isn’t viewed through the same moral lens we have in the West; it just isn’t seen as that bad a choice. The corruption is staggering. And now it is even worse, because the major criminal hacking groups have protection from intelligence and military wings of the national government. The same people are being used to attack Kremlin enemies, both internally and externally, including government and media sites in countries such as Estonia and Georgia.

Cyveillance: Based on your book’s findings and other accounts, there appear to be casual, if not formal, links between the Russian government and the online criminal enterprise known as the Russian Business Network. While botnets that are under the control of groups like the RBN are harmful by definition, is it your belief that the weaponization of criminal resources reportedly found here is an isolated incident, or is this a growing risk from other governments?

Menn: It is a pattern that is spreading. The second most serious threat comes from China. Hacking there has evolved the other way, beginning with state-sponsored and patriotic attacks and now with a major profit motive as well. Criminal outfits with bot networks may look for personal financial data first, but they share commercial and military goodies with the officials who protect them.

Cyveillance: If there is one lesson from Fatal System Error, what is it?

Menn: The internet as we have come to use it–for financial and business activities–cannot survive without drastic action that is highly unlikely to occur. We need to make the protection of criminals a major diplomatic priority, and we need massive funding for an opt-in protocol more secure than TCP/IP.

Cyveillance: Thank you for your time. Any other thoughts you would like to add?

Menn: I’ve covered cybersecurity for almost a dozen years at major newspapers. Since 2004, I’ve been convinced the topic needed a thorough but also entertaining book on the subject. I got very lucky in finding heroes like Barrett, who infiltrated both Russian and Gambino cyber-mob operations, and Andy, who was nearly killed while conducting the most successful West-Russian collaborative prosecution of hackers in history, yet had never told his story. With the New Yorker comparing Fatal System Error to Stieg Larsson’s trilogy and Slashdot saying it’s on par with The Cuckoo’s Egg, I feel I accomplished what I set out to do.


Many thanks to Menn for taking the time to answer our questions.

More Online Health Care Options for Consumers Provide More Opportunities for Online Criminals

June 1st, 2010

When technology and policy move forward, they have the opportunity to make healthcare more efficient. But we must be prepared for the hijacking of legitimate healthcare efforts online by cyber criminals.

Two recent news articles feature topics that will quickly be abused by marketers for illegal pharmacies trying to make a buck.

Knowing that consumers will be searching more for terms like e-prescription and telemedicine as they become more commonplace, criminals will increasingly attempt to attract searchers to their sites. Their expertise in diverting traffic will mean that unknowing consumers will find themselves on sites where they can buy prescription medications with no prescription, some of which are not even approved by the FDA.

Cyveillance is hopeful about the increased efficiencies that technology can bring to medicine; however, consumer education will be necessary, as criminals will be eager to hijack the messaging around terms like ‘e-prescribing’ and telemedicine to further their rogue online pharmacy efforts. Organizations like the Food and Drug Administration and the American Medical Association should increase their education efforts aimed at informing consumers about safe ways to take advantage of the internet for healthcare.

Thawte Site Seal Used by Illegal Pharmacy UPDATED

May 14th, 2010

UPDATE: Thawte canceled its services to InternationalDrugMart.com in late May. Cyveillance commends Thawte for doing the right thing. More on the story here.


In our recent post covering the Canadian Health & Care Mall, we highlighted the great lengths to which illegal online pharmacies will go to present the illusion of legitimacy. Sites like the Canadian Health & Care Mall present false business locations and falsified certificates of approval from the U.S. Food and Drug Administration to add credibility, and visitors will believe that they’ll be safe when they order medications from the site.

Another common tactic on sites like Canadian Health & Care Mall is to present fake Verisign Seals. While many consumers don’t know exactly what having a Verisign Seal means, they do know it increases the likelihood that transactions with that site are safe. So while some rogue pharmacies will go the extra step of creating fake Site Seals, unfortunately it appears that this is not always necessary, as some Site Seal issuers do not have a problem working with websites that illegally sell prescription drugs without a prescription.

This week International Drug Mart, a rogue online pharmacy that sells prescription drugs without a prescription from a medical professional, announced that it had “chosen Thawte, since it is a leading global certificate authority providing online security to millions all over the world”.

The Thawte Site Seal can be seen on the rogue online pharmacy site in this image:

…and the following image shows Thawte’s acknowledgement that International Drug Mart uses secure communications.

Unfortunately, while this rogue online pharmacy may appear to protect its customers’ payment information, the fact remains that it unlawfully and dangerously offers prescription medications to anyone with a credit card. It is surprising that a seemingly legitimate company would knowingly be associated with such a business, much less a company in the security industry. By doing so, Thawte undermines its own credibility and diminishes consumer trust and confidence in its own site seal.

Cyveillance has reached out to Thawte for a response on the matter but has not yet received a reply. We welcome their comments.