
Weekly Computer Security News Highlights > 24th April – 1st May 2009

by Sarah on May 1, 2009


PC Tools Blogs

 

PDF Reader 0day Published

29 April 2009 | ThreatFire Research Blog

Another Acrobat Reader 0day PoC has been posted, this time targeting a boundary condition error (longhand for buffer overflow here) in the vulnerable ‘getAnnots()’ JavaScript function. We haven’t seen any ITW malcode targeting Windows versions of Reader, but based on past experience, ThreatFire will prevent exploits targeting this vulnerability when they arrive within a week or so.

 

Swine Flu and Canadian Pharmacies

28 April 2009 | ThreatFire

Not surprisingly, spammers are taking advantage of the current swine flu news topic to link to the very same Waledac-style Canadian pharmacy sites that we have presented in previous posts. This news event campaigning is reminiscent of the Storm-cum-Waledac groups’ efforts over the past couple of years. Nothing new, nothing ancient here. We have not seen any client side exploit sites set up for this event just yet and speculate that the Waledac group’s botnet has reached an economy of scale.

 

LuckySploit Links Sent over Gaming Collaboration Clients

28 April 2009 | ThreatFire

Links to LuckySploit exploit pages are being sent over gaming collaboration tools with the end goal of installing rogueware/scareware Spyware Protect 2009, still being hosted at antiwareprotect.com. The arrival of a link in text is somewhat out of the ordinary, because most of these gaming tools are voice chat clients. But players of MMORPG online games like Counter Strike and World of Warcraft should be aware that links are being sent out via popular chat clients that redirect to LuckySploit hosting sites.

 

Bruce Schneier on Conficker

27 April 2009 | ThreatFire Research Blog

At the RSA Conference in San Francisco, Bruce Schneier opined on the media sensation that Conficker became. According to Iain Thompson, Schneier said that “it was a classic example of how the mainstream news media misunderstood the threat from malware and used it to make news to the detriment of security…such cases may have helped vendors sell more security products but in some ways they made the situation worse, since people became inured to virus stories and this might lead them to ignore future warnings.” Here is a case where the old excuse “if it raises awareness, it must be a good thing” is wearing thin.

 

Threat Update

 

New security woe hits Adobe

28 April 2009 | Computer World by Gregg Keizer

Reports are emerging that Adobe’s PDF Reader contains a critical vulnerability, and the company has confirmed it is investigating. According to SecurityFocus, the most up-to-date versions, Reader 9.1 and Reader 8.1.4, are vulnerable. The Linux versions definitely have the bug, and other platforms – Adobe also provides Reader for Windows and the Mac – may be at risk as well. For its part, Adobe’s acknowledgement was brief. Related News: Adobe users imperiled by critical Reader flaw (28 April 2009 | The Register by Dan Goodin)

 

Scammers, Spammers Embrace Swine Flu News

27 April 2009 | Security Fix by Brian Krebs

There’s something vaguely diabolical about a form of unwanted communication named after a brand of canned, chopped pork that piggybacks on a public health scare involving a flu strain derived from swine. Yes, you guessed it: Spammers have seized upon public awareness around the Swine Flu epidemic to hawk knockoff prescription drugs. And we’re not talking about flu vaccines, either. (Comments by McAfee, F-Secure)

Related News: Spammers jump on swine flu bandwagon (27 April 2009 | Web User)

Spammers seize on swine flu to pitch bogus meds (27 April 2009 | Computer World by Gregg Keizer)

Swine Flu Scam Site May Evolve Into Malware (27 April 2009 | PC Magazine by Larry Seltzer)

Phishing with Swine Flu as bait (28 April 2009 | CNET News by Elinor Mills)

Spammers capitalise on Swine flu crisis (28 April 2009 | PC Advisor by Carrie Ann Skinner)

Spam- now with added swine flu! (30 April 2009 | PC Authority)

 

Infosecurity 2009: Flaw in https blows hole in ecommerce security

28 April 2009 | Computer Weekly by Cliff Saran

A serious flaw in the way ecommerce sites implement secure internet access through the secure HTTPS protocol could put customers’ credit card details at risk, it was claimed today. Internet users are aware that they should only give their credit card details to sites that use the HTTPS protocol to encrypt the transmission of user details over the internet. But First Base Technologies has spotted a flaw in the way many web sites use HTTPS that renders the encryption useless.

 

New CAPTCHA worm breaking Google’s defences

27 April 2009 | IT PRO by Asavin Wattanajantra

A new worm has been discovered, which a security company claims can break Google’s CAPTCHA to create Gmail accounts for spamming. Vietnamese company Bach Khoa Internetwork Security (BKIS) has called the worm ‘W.32.Gaptcha.Worm’ and says it is able to break Google’s CAPTCHA defences. CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) is a defence used by email providers, which tries to ensure that computers are not automatically signing up for email accounts.

Related News: Worm solves Gmail’s CAPTCHA, creates fake accounts (24 April 2009 | IDG News Services by Jeremy Kirk)

 

Fresh Waledac Variant Promoting SMS Spying Software

24 April 2009 | SPAMfighter

Security researchers have posted an alert that Waledac, a computer virus, is spurring a fresh spam campaign. The e-mails in the campaign pose to offer a program with which a user could intercept other people’s ‘Short Messaging Service’ (SMS) messages. However, the program only installs a malware on the user’s computer. The e-mails lure recipients to click on the URLs provided in them by showing subject lines such as “You can read anyone’s SMS,” or “Does your partner truly love you?”

 

Conficker worm slowly begins its attack

25 April 2009 | Reuters by Jim Finkle

Conficker is slowly being activated, quietly creating a botnet out of infected computers to send spam and install spyware, security experts have claimed, weeks after a 1 April countdown in the worm worried millions. The worm started spreading late last year, infecting millions of computers and turning them into “slaves” that respond to commands sent from a remote server. Its unidentified creators started using those machines for criminal purposes in recent weeks by loading more malicious software onto a small percentage of computers under their control. (Comments by Symantec, Trend Micro)

Related News: Conficker activates, starts sending spam (25 April 2009 | Yahoo! Tech by Christopher Null)

 

Researchers Warn of Nasty Trojan

29 April 2009 | eWeek by Matthew Hines

Just as we’re finally being allowed to stop saying the C word (no, don’t make me say it!) experts are warning of a powerful new Trojan attack that could make some waves of its own, based on its ability to spread like a traditional virus and embed itself deeply into end users’ machines. In a blog post authored by longtime security guru Paul Henry, of Lumension, the expert contends that the emerging attack, identified as a variant of the Virut.CF Trojan by Symantec and labeled as Scribble-A by Sophos, could cause serious problems based on its mix of proliferation and infection techniques… just as, yep, Conficker has recently done.

 

Atlus.com Hacked, Embedded with Trojan

25 April 2009 | 1up.com by Kris Pigna

If you visited Atlus’ official website in the last 24 hours, you’ll probably want to hear about this. The publisher has revealed that their website, Atlus.com, was attacked by a hacker yesterday, who embedded a trojan virus onto it — and Atlus warns it’s possible it infected visitors’ computers (via Joystiq). The attack was done by a “third-party entity,” Atlus explained, and they’re urging recent visitors to run malware removal software just to be safe. Specifically, Atlus estimates exposure to the virus would have been most likely for anyone who visited the site between 9AM and 2.30PM PST on Friday.

 

Blunkett warns of cyber terrorist threat

27 April 2009 | VNUNet by Bryan Glick

Former home secretary David Blunkett has warned of the threat to the London 2012 Olympics posed by cyber terrorists, caused by a “woeful lack of awareness” of what such an attack could achieve. In an excerpt from a speech Blunkett is due to give at the Infosec conference in London tomorrow, he is expected to highlight the threat to critical IT systems from organised crime. “Cyber attack can take the form of disrupting both cutting-edge and more traditional forms of communication.

 

Hack Against ISP Hijacks Bank, Google Adsense

24 April 2009 | Security Fix by Brian Krebs

Hackers hijacked a major Brazilian ISP this month in a sophisticated attack that silently served up malicious software and phishing scams to more than a million customers. According to Brazilian news outlet Globo.com, unknown attackers hijacked the domain name system (DNS) records for NET Virtua, a broadband provider that serves at least 1.4 million customers in the region. NET Virtua’s DNS records reportedly were hijacked on April 11, so that customers who visited any site that ran Google Adsense content were redirected to a site.

 

Windows 7 RC Torrents May Hide Malware

30 April 2009 | PC Magazine by Larry Seltzer

The release candidate of Windows 7 is out. You can see our hands-on evaluation here. Of course, every time a major release like this comes out it gets leaked on to BitTorrent, the open peer-to-peer network, and that has happened with Windows 7 as well. But downloading and installing these copies of it is inadvisable if you believe the Neowin report that these torrents have been infected with a trojan horse. They show an Avast generic detection of a trojan. “Oh yeah, sure it’s infected, they just want to trick us into not using it” you may be saying to yourself.

 

Salma Hayek’s email hacked

27 April 2009 | Web User

Cybercriminals have managed to hack into the email account of actress Salma Hayek. Hayek, star of films such as From Dusk Till Dawn, had details of her communications leaked after hackers managed to reset the password on her MobileMe account. They were able to reset the password by guessing the answer to her ‘secret question’ used to protect the account, according to reports.

 

Hacker: I Broke Into Twitter

1 May 2009 | IDG News Services by Robert McMillan

For the second time this year, a hacker claims to have gained administrative access to a Twitter employee’s account. On Wednesday, an anonymous hacker going by the name of Hacker Croll posted 13 screenshots to a French online discussion forum, apparently captured while logged into the Twitter account of Jason Goldman, a director of product management with Twitter. According to the screenshots, Hacker Croll was able to access account information belonging to high-profile Twitter users such as Britney Spears and Ashton Kutcher.

 

Rigged Word docs exploit 2008 bug, say researchers

23 April 2009 | Computer World by Gregg Keizer

Attackers, probably based in China, are exploiting a December bug in Microsoft Word to hijack Windows PCs, Vietnamese security researchers warned today. According to Nguyen Minh Duc, manager of Hanoi-based Bach Khoa Internetwork Security’s (BKIS) application security department, rigged Word documents have begun to circulate as e-mail attachments. The malformed .doc files exploit one of the eight Word flaws fixed by Microsoft in December 2008 as part of the company’s biggest patch batch in five years.

 

Malware Compelled Franklin Savings Bank to Shutdown Website

25 April 2009 | SPAMfighter

The Franklin Savings Bank (Farmington, USA), which shut down its marketing site for the 2nd time in a week, put online customers at inconvenience. However, early detection proved helpful in preventing a malware from spreading. On April 9, 2009, customers could not access the bank’s site, as the bank took it offline following the malware’s detection by their security mechanisms. The problem appeared again on April 15, 2009, resulting in another shutdown till the bank shifted the site to some other Web host.

 

Phishing Scams

 

Phishers hit Facebook with scam messages

29 April 2009 | Computer World by Robert McMillan

Facebook users were hit today with a phishing attack that tried to steal names and passwords from users of the popular social network. In the attack, people are sent phony e-mail messages, appearing to come from Facebook Inc., that try to send them to a malicious Web site, Fbaction.net, which looks like a Facebook log-in page. The Fbaction.net Web site was live this afternoon, but Facebook is working to blacklist the domain and hopes to have the site shut down, according to a Facebook spokesman.

Related News:

Facebook hit by phishing attacks for a second day (30 April 2009 | CNET News by Elinor Mills)

Facebook Among Top Phished Websites (29 April 2009 | Washington Post by Brian Krebs)

‘Phishing’ using Bresnan latest scam (24 April 2009 | Fort Morgan Times by Dan Barker)

Beware “Kmart Payments Department” Phishing Scam (30 April 2009 | Security Watch)

 

Industry News

 

Windows AutoRun gets a makeover to combat malware

28 April 2009 | ZDNet by Ryan Naraine

In direct response to Conficker and an increased wave of malware attacks targeting the dangerous Windows AutoRun mechanism, Microsoft today announced significant changes to the way the operating system operates when USB drives are used. The changes, detailed on Redmond’s Security Research & Defense blog, have been built into Windows 7 and will be back-ported to Windows Vista and Windows XP in the near future.

Related News:

Microsoft boosts Windows 7 security for USB drives (29 April 2009 | ZDNet by Elinor Mills and Ina Fried)

Microsoft cuts UAC prompts in Windows 7 (27 April 2009 | Computer World by Gregg Keizer)

Windows 7 hack opens OS to attackers (24 April 2009 | PC Advisor by Sumner Lemon)

 

Are security issues delaying adoption of cloud computing?

27 April 2009 | Network World by Ellen Messmer

“Yes, security is one of the concerns about cloud computing that is delaying its adoption,” says Eric Mandel, CEO of managed hosting services provider BlackMesh in Herndon, Va. “One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data. How can you protect yourself from a security breach somewhere else in the cloud?”

Related News: IT chiefs: Security is biggest threat to cloud computing (28 April 2009 | Computer Weekly by Warwick Ashford)

 

Security researchers fret over Adobe PDF flaw

30 April 2009 | The Register by John Leyden

Adobe has warned that its Reader and Acrobat PDF software is vulnerable to an unpatched vulnerability. A pair of flaws in the JavaScript functions of the PDF reading application are behind the problem, prompting Adobe to advise surfers to disable JavaScript as a workaround, pending the availability of a patch. Even after a patch becomes available, the problem may hang around for months. The vulnerability is a cross-platform flaw that affects Windows, Macs and Linux machines running Adobe’s software. (Sophos, F-Secure)

 

MacBook Mini- does the Apple netbook already exist?

29 April 2009 | PC Authority

That new Vodafone portal for the iPhone has really cranked the Apple rumour mill into overdrive. We’ve now got two juicy tidbits to tide us over before WWDC in June. First up is chatter about the MacBook Mini. In spite of Tim Cook’s denial last week, a small Apple laptop has shown up in the stats for IM client Adium, according to those eagle-eyed chaps at TUAW. While this is innocent enough (anyone can change the name of their computer ID), this happens to be the exact same way the MacBook Air surfaced last January.

 

The Kilo-Day threat and mundane security

29 April 2009 | Network World by Andreas M Antonopoulos

In the security business we spend a lot of time worrying about the “zero-day” threat that appears out of nowhere and immediately starts attacking a hereto unknown vulnerability. We imagine genius hackers probing software to discover new and unique ways of attacking our systems. We worry about the yet-undiscovered bugs that lie dormant in our operating systems. We worry so much that we overlook the vulnerabilities we already know about. The ones that have been hanging around on our systems, known but unaddressed, unpatched and wide open.

 

US military’s cyberwar rules ‘ill-informed’, says panel

29 April 2009 | The Register by Dan Goodin

The United States government has yet to form a coherent policy for engaging in warfare that involves attacks on a country’s electrical power grids and other critical infrastructure, according to a non-profit group of scientists and policy advisors. They called on policy makers to actively forge rules for how and when the military goes about mounting offensive and defensive acts of cyber warfare. “Today’s policy and legal framework for guiding and regulating the US use of cyberattack is ill-formed, undeveloped, and highly uncertain,” the report, published by the National Academy of Sciences, states.

Related News:

New cybersecurity bill for electric grid readied (29 April 2009 | Computer World by Jaikumar Vijayan)

SANS Tells Congress: Feds’ Checkbook Is Cyberdefense ‘Weapon’ (28 April 2009 | Dark Reading by Kelly Jackson Higgins)

Cyberwar’s first casualty: Your privacy (27 April 2009 | Computer World by Preston Gralla)

Internet warfare: Are we focusing on the wrong things? (27 April 2009 | Computer World by Jaikumar Vijayan)

The new ground zero in Internet warfare (27 April 2009 | Computer World by Julia King)

The eternal battlefield in unending cyberwars (27 April 2009 | Computer World by Gary Anthes)

Should the US Go Offensive in Cyberwarfare? (28 April 2009 | Slashdot by K Dawson)

 

International experts launch anti-cybercrime plan

29 April 2009 | ZDNet by Tom Espiner

An international group of security experts has launched an action plan against cyberthreats. The roadmap, launched on Wednesday at Infosecurity 2009 in London, was formulated by security specialists from organisations including the US Department of Homeland Security and the UK Ministry of Defence, and is designed to promote secure systems design. The Cyber Security Knowledge Transfer Network (KTN), a UK government-funded organisation that liaises between agencies around the world, co-ordinated the formulation of the roadmap.

Related News: Security must be built in from the start (30 April 2009 | iTnews Australia by Phil Muncaster)

 

Sensitive Company Data Ends Up on Facebook

28 April 2009 | PC Advisor by Carrie-Ann Skinner

Nearly two thirds of businesses think staff share too much sensitive information about a company on social networking sites, such as Facebook, says Sophos. Research by the security firm also revealed that one in five businesses are now more concerned about the security risks created by social networking, rather than staff productivity. A quarter of companies have also been a victim of spam, phishing or malware attacks that originated on social networking sites. (Comments by Sophos)

 

Mozilla re-patches Firefox after regression bug pops up

29 April 2009 | Computer World by Gregg Keizer

Mozilla Corp. Monday rushed out a new version of Firefox to fix a flaw it introduced with the 12-patch security update it shipped less than a week ago. Firefox 3.0.10, which the open-source browser maker called a “security and stability” release, follows Firefox 3.0.9 by just six days, and was necessary because of a new bug that slipped into last week’s update. Mozilla labeled the new bug a critical security vulnerability.

 

Infosec opens in new venue

28 April 2009 | The Register by John Leyden

Infosec, the annual IT security trade show, kicked off in a new venue on Tuesday with 310 firms competing for attention and security spending. The conference has moved from Olympia, its location for over a decade, to Earls Court. The new venue should at least allow easier access than Olympia, although problems on the Piccadilly line are causing trouble for some showgoers. This year, Infosec follows directly after the RSA Conference in San Francisco and Black Hat Europe for the first time.

Related News: InfoSecurity 2009 : Welcome to the online fraud business (28 April 2009 | Computer Weekly by Cliff Saran)

 

15 easy fixes for Mac security risks

28 April 2009 | Computer World by Ryan Faas

One of the commonly touted advantages to using a Mac is that it’s more secure and less prone to malware than a PC running Windows. It’s easy to see where this attitude comes from: The prevalence of viruses and network attacks against Windows machines is greater by several orders of magnitude. In fact, a recent Trojan horse virus hidden in a pirated copy of iWork ‘09 that circulated on peer-to-peer file-sharing sites was big news because it was the first Macintosh virus to be widely circulated on the Internet,

 

BitLocker, TPM won’t defend all PCs against VBootkit 2.0

28 April 2009 | IDG News Services by Sumner Lemon

Trusted Platform Modules and BitLocker Drive Encryption can protect Windows 7 computers against a bootkit attack unveiled last week but these technologies won’t be available on a large portion of computers, leaving millions of users unprotected when Microsoft releases its next version of Windows. VBootkit 2.0 is proof-of-concept code that was unveiled by security researchers Vipin Kumar and Nitin Kumar, of NVLabs, at the Hack In The Box (HITB) security conference held in Dubai last week.

 

‘Hackers Wanted’ Ad Fed Security Misconception

29 April 2009 | Computer World by Ira Winkler

I should never be surprised at things related to government security efforts, but I did think the concept of hiring hackers was pretty much dead in government circles. Then comes the recent headline, “U.S. Looks to Hackers to Protect Cyber Networks.” Frankly, I think it set the security profession back at least three years. The story, widely quoted throughout the U.S. and the world, makes people think that hackers are superior to the best security professionals.

 

How Anonymous Hackers Triumphed Over Time

28 April 2009 | Threat Level by Ryan Singel

Anonymous, a motley crew of online troublemakers known for hacking Sarah Palin and inducing seizures in epileptics, pulled off an historic coup this week when it successfully rigged Time magazine’s online poll for the “Top 100 most influential people.” The loose confederation of trolls managed to outwit the techies at Time to arrange the voting results so that the first letters in the top 21 entries spell out the inside joke: Marblecake Also The Game.

 

The UK needs to take the ‘e’ out of e-crime

30 April 2009 | IT PRO by Asavin Wattanajantra

There is a real lack of understanding from politicians, police and the public about cyber crime, which is in danger of being treated less seriously than ‘traditional’ crime. That’s the conclusion made today at the Infosecurity 2009 show by a select panel of figures from the political, policing and security worlds who gathered together to discuss the British response to e-crime. Shadow Crime Reduction Minister James Brokenshire said that there were very few politicians focused on the threat of e-crime.

Related News: US and UK experts launch anti-cybercrime plan (30 April 2009 | ZDNet Asia by Tom Espiner)

 

How an FBI agent transformed Microsoft security

28 April 2009 | IT PRO by Asavin Wattanajantra

Edward Gibson, Microsoft’s chief security advisor in the UK, is more qualified than most to talk about the computer threats that we face today. Having held special positions as an FBI Special Agent for 20 years, he was also at one time assigned to the US embassy in London, in charge of the FBI’s hi-tech cyber terrorism work in the UK. Between 2000 and 2005, he was responsible for establishing strategic intelligence alliances between the FBI, UK police agencies, security services and private sector companies.

 

Europe funds secure operating system research

28 April 2009 | IDG News Services by Jeremy Kirk

A Dutch university has landed a European Research Council grant to continue work on a Unix-type operating system that aims to be more reliable and secure than Linux or Microsoft Windows. The EUR2.5 million (US$3.3 million) grant will fund three researchers and two programmers, said Andrew S. Tanenbaum, a computer science professor at Vrije Universiteit in the Netherlands. Tanenbaum developed Minix, an operating system based somewhat on Unix that has a small code base and implements strong security controls.

 

IE: Its Security is Worth the Download

28 April 2009 | PC World by Erik Larkin

Microsoft released Internet Explorer 8 in March, and whether to install it is likely your biggest update decision right now. The browser has plenty of new security features, such as expanded phishing-site blocking of known malware distributors. IE 8 also highlights the domain name in the URLs you visit, making it easier to recognize a phishing scam. New as well are a private browsing mode (called InPrivate Browsing) and behind-the-scenes tuning to help neutralize attack code on poisoned Web sites.

 

Estonia announces EU cyber-wargame plan

28 April 2009 | The Earth Times

The European Union will soon stage a simulated cyber-attack to test its online defences, Estonian Economy Minister Juhan Parts told an EU ministerial conference in the Estonian capital, Tallinn, on Tuesday. Speaking on the second day of a two-day gathering dedicated to Critical Information Infrastructure Protection (CIIP), Parts said the meeting would mark “a beginning of much needed common action at EU level in the area of CIIP policy.” “Member states’ representatives supported the idea of organizing a common cyber-security exercise in the near future,” Parts said, adding that it would likely take place by 2010 at the latest.

 

Online share trader CommSec vulnerable to hackers

28 April 2009 | News.com.au by Nick Higginbottom and Stephen McMahon

SECURITY at the nation’s biggest online trader has been exposed as wide open to attack by computer hackers. Security flaws at CommSec potentially endangered accounts containing billions of dollars of mum-and-dad investors’ money. After a Herald Sun investigation, CommSec’s 1.7 million customers have been strongly urged to change their passwords. Had any hackers entered the system they would have been able to access the personal details of CommSec’s customer accounts and trade in other people’s share portfolios.

UK outlines Facebook monitoring plans

27 April 2009 | ZDNet by Tom Espiner

The UK government wants communications service providers to record, retain and process details of all communications that take place over their networks, the home secretary said on Monday. Jacqui Smith was speaking at the launch of a consultation entitled Protecting the Public in a Changing Communications Environment. She said it was essential for such information to be easily accessible by public authorities, including the police, the Serious Organized Crime Agency (Soca), HM Revenue & Customs, and the intelligence agencies.

 

Is Twitter finally taking security too seriously?

27 April 2009 | ZDNet by Ryan Naraine

Now that Oprah’s all a twitter, it looks like everyone’s favorite micro-blogging tool is finally taking a hard look at security. According to a job listing posted online, Twitter is searching for software engineers to focus specifically on application and infrastructure security. The search for security personnel follows several high-profile worm attacks that exploited security vulnerabilities on Twitter’s Web site and public complaints that the company did not think about securing its service until it was too late.

A short history of hacks, worms and cyberterror

27 April 2009 | Computer World by Mari Keefe

1964 AT&T begins crackdown on “phreakers,” who use tone generators to make free phone calls. By 1970, it has achieved 200 convictions. 1978 Engineers at Xerox Palo Alto Research Center design a computer worm, a short program that searches a network for underused processors. Though built to improve computer efficiency, it is the genesis of the destructive, modern worm. The FBI busts young hackers known as the 414s, who use an Apple II+ and a modem to break into 60 computer systems, including one at Los Alamos National Laboratory.

How scared should you be about security statistics?

27 April 2009 | Network World by Ellen Messmer

Did you know the number of crimeware-spreading Web sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, according to the APWG (formerly Anti-Phishing Working Group) coalition? Or that data breach costs rose to $6.6 million per breach last year, up from $6.3 million in 2007, according to the Ponemon Institute? Or that 3% to 5% of enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code, according to security firm Damballa, based on an analysis of its customers’ network traffic?

Seven burning security questions

27 April 2009 | Network World by Ellen Messmer

There’s no shortage of burning questions about IT security these days, some sparked by nasty threats, others by economic concerns and some by growing use of social networking and cloud computing. We spoke to about two dozen experts – IT customers, analysts and vendors – to nail down some answers. What follows is a summary of the questions we addressed. Click on the hyperlinked questions to read more on each topic. The insider threat has always existed, but in an era of economic upheaval and uncertainty, the problem is only magnified.

The legal risks of ethical hacking

27 April 2009 | Network World by Jon Brodkin

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week’s Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying “Hi, I’m Dave Dittrich, and I’m a computer criminal.”

Call for European Mr Security guard Internet

27 April 2009 | IDG News Services by Paul Meller

Europe needs a “Mister cyber security” to take control in the event of an attack on Internet infrastructure, according to the EU’s telecommunications commissioner. Viviane Reding also accused European Union member states of being “negligent” for failing to take adequate precautions against the sort of attacks seen in Estonia, Lithuania and Georgia in recent years. She estimated there is a 10 percent to 20 percent chance of a similar such attack occurring in the EU over the next 10 years.

Related News: Reding demands Cyber Cop for Europe (27 April 2009 | The Register by Chris Mellor)

New York State raises the bar for end user security training

27 April 2009 | Network World by Lynn Haber

New York State is extremely concerned about phishing in general, and more specifically spear phishing, highly targeted phishing attacks designed to penetrate organizations, government agencies and groups. Beginning in 2005, the state Office of Cyber Security & Critical Infrastructure (NYS-CSCIC) along with the Anti-Phishing Working Group, AT&T, and the SANS Institute ran its first antiphishing pilot project. The goal was to raise employee awareness of the danger of phishing scams and to provide employees with information to help protect themselves and the agency.

Microsoft eliminates 23 vulnerabilities in Windows and Office

26 April 2009 | Earth Times

Microsoft has eliminated 23 vulnerabilities in its Windows and Office products. Users of those programs should install the corresponding security updates as soon as possible, the German Federal Agency for Security in Information Technology (BSI) in Bonn, central Germany, is advising. This can be handled by activating automatic updates in the Windows Security Centre or visiting Microsoft’s update site at http://update.microsoft.com/microsoftupdate.

 

Turning hackers into helpers

23 April 2009 | CNET News by Dave Rosenberg

I heard an interesting story from the guys at WildPackets, a provider of network and application performance monitoring, analysis, and troubleshooting that’s faced with an unexpected dilemma. More than 100,000 unique visitors a month–a large percentage of them, ne’er-do-well hackers–are downloading WildPackets’ free drivers for reasons other than their intended purpose, capturing wireless network traffic for monitoring and analyzing network and application performance.

 

FBI Spyware Could Look Like Your Average Trojan

23 April 2009 | eWeek by Larry Seltzer

For years the FBI has been using a Trojan horse program to spy on suspects’ computers. In response to a Freedom of Information Act request, the FBI has released some details and history of a spyware program it has used over the years to gather details on suspects’ computers, according to a recent article in Wired. Information on the CIPAV, or “Computer and Internet Protocol Address Verifier,” first came out in 2007. The documents recently released by the FBI discuss the cases in which the software was used and how it was introduced.

 

Security: the ugly business

24 April 2009 | Computer World by Mark Gibbs

Security is an ugly business because when you have a problem there’s rarely an elegant, straightforward solution. What you usually wind up with is a solution that’s just “good enough.” I recently learned of a great example that nicely illustrates this point. A friend sent me a link to an amazing report titled “ATM Card Skimming and PIN capturing Awareness Guide”. This document was authored by a gentleman with the job title “protective security advisor” and was published by Commonwealth Bank, a large Australian financial services provider.

 

News of Mac Botnets Doesn’t Mean an Increased Threat (Yet)

24 April 2009 | PC World by Robert Vamosi

Writing in the latest issue of Virus Bulletin (registration required), two Symantec researchers report what they believe is the first evidence of a major botnet consisting of compromised Macs. However other experts aren’t so sure of the increased threat to Mac users.

Researchers Mario Ballano Barcena and Alfredo Pesoli found that Mac users who downloaded pirated copies of iWork 09 and Adobe Creative Suite 4 from P2P sites got more than the programs they intended. Added to the binaries were two malware variants–OSX.Iservice and OSX.Iservice.B. The malware executes a PHP script, running as root, that launches distributed denial of service (DDoS) attacks against sites. (Comments by ESET)

 

Cybersecurity Balancing Act

25 April 2009 | InformationWeek by J Nicholas Hoover

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof. The Office of Management and Budget’s FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had “effective” cybersecurity plans.

 

Google Lets Web Users Create Facebook-Like Pages with Google Profiles

23 April 2009 | PC Advisor by Carrie-Ann Skinner

Google has launched a new tool that’s designed to help you perfect the results you and other web users see when they search for your name online. Let’s face it, we’ve all searched for ourselves on the web at some point, but the results may not always be what you hoped. Whether it’s the links to another person that shares your name, or just a record of an event you attended years ago that’s not very relevant now. However, with a Google Profile you can control what others see.

 

Doubt cast over ContactPoint security assurances

23 April 2009 | The Register by John Leyden

A UK government minister has issued assurances about the security of the government’s child protection database ContactPoint, but the minister’s assurances are incomplete, if not misguided, says one expert. The ContactPoint system is designed to give social workers, police and NHS staff access to case files on children, so that a full case history of potentially vulnerable kids is easily available to authorised parties.

 

Windows Bugs Never Truly Squashed

26 April 2009 | Computer World by Gregg Keizer

Hackers can successfully attack Windows PCs months — even years — after Microsoft Corp. fixes a flaw, a security expert said, because there’s always a pool of unpatched systems. According to data that Qualys Inc. culled from scans of more than 80 million machines, between 5% and 20% of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.

 

Security maven sics ‘special ops’ on botnet gangs

24 April 2009 | The Register by John Leyden

Sometimes fighting botnets, spam, and other online crime is like raking leaves on a windy day. Bag one operation and almost overnight there are a half-dozen more that take its place. It’s a story that’s all too familiar to Joe Stewart, director with SecureWorks’ Counter Threat unit. Now, he’s proposing members of the security industry borrow a new page. “Right now, we’ve got a very scattered approach,” he said during an interview at the RSA security conference in San Francisco.

 

For security’s sake! Send your kid to hacker camp

23 April 2009 | The Register by Dan Goodin

A computer security expert has called on the United States government to train the nation’s youth in offensive and defensive cyber technologies so the country is less vulnerable to attacks on its critical infrastructure. “We need to really encourage young people, high school kids, college students, to embrace cyber security as a field,” said Ed Skoudis, founder and senior security consultant for InGuardians. “I’d like to see the United States from a policy perspective engage in…sponsoring hacking challenges to not make it seem like it’s an evil thing.

 

Google tackles severe Chrome security flaw

24 April 2009 | ZDNet by Stephen Shankland

Google released a new version of its Chrome browser Thursday to fix a high-severity security problem. The problem affects Google’s mainstream stable version of Chrome and is fixed in the new version 1.0.154.59. Google has built Chrome so it updates itself automatically with no user intervention, though the software must be restarted for the new version to run. The security problem, reported on 8 April by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks.

 

Opting Out Increases Spam?

23 April 2009 | Slashdot

“I used to ignore spam but recently I have been using the opt-out feature. Now I get more spam than ever, especially of the Nigerian scam (and related) types. The latter has gone from almost none to several a day. Was I a fool for opting out? Is my email address being harvested when I opt out? Has anybody had similar experience?”

 

Security experts rate the world’s most dangerous exploits

24 April 2009 | The Register by Dan Goodin

Criminal hackers continue to penetrate many more company networks than most administrators care to admit, according to two security experts who offered a list of the most effective exploits used to gain entry. Topping the list is an attack dubbed super-flexible pivoting. It abuses Linux machines connected to a network’s DMZ, or demilitarized zone, to bypass corporate firewalls and access sensitive resources on an internal network. The technique has already been used to steal vast amounts of data, including “millions of credit cards,” said Ed Skoudis.

 

Up to 20% of PCs never install security patches

24 April 2009 | PC Advisor by Gregg Keizer

Hackers are exploiting software vulnerabilities months after they have been patched because not all PC users install the security updates, says Qualys. Qualys tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes.

 

Beware Olympic cybercrime chaos, urges former UK politician

29 April 2009 | ZDNet Asia by Tom Espiner

Former U.K. home secretary David Blunkett has warned of an Internet attack on the 2012 Olympics, in a speech to delegates at the Infosecurity Europe 2009 conference in London on Tuesday. He said that those people defending disparate systems could be outsmarted by a coordinated attack on those systems, due to the distribution and number of different technologies that need to be defended. The former home secretary added that a coordinated attack on ticketing systems, the transport system, hotel bookings and communications could result in “chaos”.

 

Firefox finds more pesky bugs

30 April 2009 | The Register by John Oates

Mozilla Corporation has released a new version of Firefox in order to remove a bug found just a week after an updated version of the browser was released. Firefox 3.0.9 was released last Wednesday. It fixed nine security holes, one of which was considered “critical”. It was also meant to be more stable than previous versions. But within a week this has been replaced by Firefox 3.0.10. This fixes security bugs and a crashing issue when the browser is used to view page source code using certain extensions, particularly HTML Validator.

 

Everyone Gets Windows Security Updates

29 April 2009 | Security Watch

There’s a myth out there that users whose license situation with Windows is not clear, or who perhaps have nakedly pirated the software, do not get security updates. Perhaps they think that by applying security updates they will get tracked down. This probably accounts for a large chunk of the population of those who don’t apply security patches and end up successfully compromised by Conficker and other exploits out there.

 

ElcomSoft poster provokes PGP apoplexy

29 April 2009 | The Register by John Leyden

A row broke out at the Infosec conference on Tuesday after PGP objected to the content of a poster on password recovery firm ElcomSoft’s stand, and lodged an objection with conference organisers Reed Exhibitions. The offending poster, which said “the only way to break into PGP” (a reference to ElcomSoft’s graphic card assisted password recovery tool), was pulled down by Reed on the eve of the show, without notification to ElcomSoft.

 

Gotcha!

 

Hacker behind P2P botnet gets no jail time (29 April 2009 | The Register by Dan Goodin)

China arrests Web site attacker who extorted money (29 April 2009 | IDG News Services by Owen Fletcher)

eBay scammer gets four years in slammer (28 April 2009 | The Register by Dan Goodin)

Ex-federal IT worker charged in alleged ID theft scam (27 April 2009 | IDG News Services by Robert McMillan)
