<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1640971728750954491</id><updated>2011-04-21T13:25:58.458-07:00</updated><title type='text'>(¯`·._.·[_One® R_]·._.·´¯)</title><subtitle type='html'>.::__________________________________________________::.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>40</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2088675250350489564</id><published>2007-12-13T00:10:00.000-08:00</published><updated>2007-12-13T00:12:35.196-08:00</updated><title type='text'>iPhone will be 'primary target' for hackers in 2008</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Apple's iPhone will be a "primary target" for cybercriminals in 2008, a security company predicted today..&lt;/span&gt;&lt;br 
/&gt;&lt;br /&gt;Arbor Networks' Security and Engineering Response Team (ASERT) forecast that the iPhone will become "the victim of a serious attack" in 2008.&lt;br /&gt;&lt;br /&gt;According to the firm, these assaults are likely to be in the form of drive-by attacks - malware embedded into seemingly harmless information, images or other media that actually perform dangerous actions when rendered on the iPhone's web browser.&lt;br /&gt;&lt;br /&gt;With the scrutiny the iPhone has received since its launch earlier this year over network lock-in, Arbor believes that hackers will be enticed by the possibility of attacking Apple users and the opportunity to "be the first" to hack a new platform.&lt;br /&gt;&lt;br /&gt;The company also predicted a rise in 'Chinese on Chinese' cybercrime.&lt;br /&gt;&lt;br /&gt;In the past year the team has seen a dramatic increase in the attention paid to Chinese-language-specific software such as QQ Messenger and a number of malware samples focused on stealing users' credentials. Arbor expects this trend to multiply in 2008 as more Chinese users come online, more software is written for the market and Chinese cybercriminals become increasingly sophisticated and organised.&lt;br /&gt;&lt;br /&gt;"2007 was the year of the browser exploit, the data breach, spyware and the storm worm. 
We expect 2008 to be the year of the iPhone attack, the Chinese Hacker, P2P network spammers and the hijacking of the Storm botnet," said Jose Nazario, senior security engineer at Arbor Networks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2088675250350489564?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2088675250350489564/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2088675250350489564' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2088675250350489564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2088675250350489564'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/iphone-will-be-primary-target-for.html' title='iPhone will be &apos;primary target&apos; for hackers in 2008'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2935533149833986662</id><published>2007-12-13T00:08:00.000-08:00</published><updated>2007-12-13T00:10:13.681-08:00</updated><title type='text'>Researchers warn of Microsoft Access Database exploit</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Targeted phishing emails are attempting to infect the machines of users who are tricked into opening malicious Microsoft Access Database 
(MDB) files, US-CERT (United States Computer Emergency Readiness Team) said in a warning this week.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The bogus files attempt to take advantage of a stack-based buffer overflow vulnerability that occurs when Microsoft Access processes specially crafted database files, according to the advisory. Should a user click on a corrupted file, their machines could be pounded with malicious software.&lt;br /&gt;&lt;br /&gt;Microsoft considers MDB files, which allow for embedded script, unsafe.&lt;br /&gt;&lt;br /&gt;"Various Microsoft applications prevent users from opening this type of file, or warns them before they open the file," a company spokesman told SCMagazineUS.com today in an email.&lt;br /&gt;&lt;br /&gt;The spokesman confirmed that Microsoft was aware of public exploit reports.&lt;br /&gt;&lt;br /&gt;Craig Schmugar, threat research manager for McAfee Avert Labs, told SCMagazineUS.com that the attacks likely take advantage of either of two unpatched Microsoft Jet Database vulnerabilities.&lt;br /&gt;&lt;br /&gt;Researchers at McAfee have spotted the flaws being exploited in a limited manner, mostly targeting "entities related to government," he said.&lt;br /&gt;&lt;br /&gt;Schmugar said socially engineered attacks hoping to leverage the flaw may succeed because users tend to trust certain files.&lt;br /&gt;&lt;br /&gt;"People might think it's an Office document," he said. 
"They might be less apprehensive about accessing it."&lt;br /&gt;&lt;br /&gt;Meanwhile, businesses should ensure they block MDB files at the email gateway, the US-CERT warning advised.&lt;br /&gt;&lt;br /&gt;"While Microsoft treats them as unsafe, many companies may not," Schmugar said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2935533149833986662?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2935533149833986662/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2935533149833986662' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2935533149833986662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2935533149833986662'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/researchers-warn-of-microsoft-access.html' title='Researchers warn of Microsoft Access Database exploit'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-4113913884674769941</id><published>2007-12-12T02:02:00.000-08:00</published><updated>2007-12-12T02:04:14.566-08:00</updated><title type='text'>Codec flaws threaten Windows Media Player, Winamp</title><content type='html'>Researchers today began noticing increased activity on ports directed to media players, a strong 
indication that attackers are actively screening machines for a new codec vulnerability reported over the weekend.&lt;br /&gt;&lt;br /&gt;The "highly critical" vulnerabilities, according to Secunia, are located in 3ivx Technologies' MPEG-4 codec, a required compatibility program used to create and play back MP4 files. The bugs are caused by boundary errors that can lead to stack-based buffer overflows via a maliciously crafted MP4 file.&lt;br /&gt;&lt;br /&gt;Experts have seen proof-of-concept code impacting Windows Media Player 6.4, Media Player Classic 6.4.9 and Winamp 5.32 – all older versions of the popular multimedia applications. But other versions are likely vulnerable as well, Ben Greenbaum, senior research manager in Symantec Security Response, told SCMagazineUS.com today.&lt;br /&gt;&lt;br /&gt;"We see people that are looking for machines that have already been exploited in this fashion or are trying to connect to machines that they think have been successfully exploited," he said.&lt;br /&gt;&lt;br /&gt;Greenbaum said that attackers are opting to exploit bugs in media players and the plugins that increase their functionality as organizations and vendors get better at securing operating systems and applications.&lt;br /&gt;&lt;br /&gt;"These attacks can be placed on trusted websites and immediately exposed to hundreds of thousands of potential victims," he said. "Lots of websites allow users to incorporate their own content. It's an easy way for attackers to get their exploit up to a site that's going to have a lot of eyes."&lt;br /&gt;&lt;br /&gt;The goal of these attacks is usually to drop a secondary payload, such as a bot or trojan, he added.&lt;br /&gt;&lt;br /&gt;As users await a patch, businesses should ensure they have policy in place that permits employees to connect to media players only for work purposes, Greenbaum said. 
In addition, organizations should be running an up-to-date anti-virus solution, an intrusion detection system and endpoint security management tools to help identify and remove vulnerable software.&lt;br /&gt;&lt;br /&gt;A spokesperson for 3ivx, which would be responsible for the fix, did not return a request for comment.&lt;br /&gt;&lt;br /&gt;A spokesman for AOL, which owns Winamp, said users should update to the latest version.&lt;br /&gt;&lt;br /&gt;"We encourage everyone to upgrade to [version] 5.5, which is actually not vulnerable to the attack," AOL spokesman Kurt Patat told SCMagazineUS.com today. "That's people's best bet if they want to avoid the vulnerability."&lt;br /&gt;&lt;br /&gt;Mark Miller, director of security response for Microsoft, advised Windows Media Player users to do the same.&lt;br /&gt;&lt;br /&gt;"The affected code does not ship in box with any version of Windows or Windows Media Player," he said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-4113913884674769941?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/4113913884674769941/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=4113913884674769941' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4113913884674769941'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4113913884674769941'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/codec-flaws-threaten-windows-media.html' title='Codec flaws threaten Windows Media Player, 
Winamp'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-1810442630896921489</id><published>2007-12-10T02:44:00.000-08:00</published><updated>2007-12-10T02:45:57.895-08:00</updated><title type='text'>AdultFriendFinder.com settles with FTC</title><content type='html'>&lt;span style="font-weight: bold;"&gt;A website that promotes itself as “the world's largest sex and swingers personal community” has settled a complaint from the Federal Trade Commission.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;AdultFriendFinder.com on Thursday agreed to a settlement barring it from sending sexually explicit online advertising to users who are not seeking adult content.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The website, and its parent company, Various, Inc., was accused of violating the FTC Act by using graphic ads and sexually explicit images in advertisements, without customer consent, to divert traffic.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Affiliates of AdultFriendFinder.com had displayed advertisements containing adult content, or graphic descriptions of sexual activity, to consumers using search terms to find flowers and travel information, according to the FTC.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Alex Eckelberry, Sunbelt Software president and CEO, said on his company's blog that AdultFriendFinder.com's affiliates use extremely aggressive tactics to drive traffic to the website.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;“And any malware researcher has also seen AFF ads in spyware. 
Whether this is through affiliates or not, it is still the responsibility of the company to advertise through legitimate channels – not through malware,” he said. “Their advertisements have also been seen extensively in fake pages on social-networking sites, and there's been plenty of fake ‘friend' invites through these networks – which are only designed to feed the site with more subscribers. Again, this may or may not be done directly by AFF, but it's still their responsibility.”&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Ira Rothkin, Various' attorney, told SCMagazineUS.com today that the company “agreed with the FTC's goals” to provide advertisements for non-consenting consumers without sexually explicit content.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;“I would have to say that AdultFriendFinder.com is never happy to learn that some of its online affiliates have been violating its terms of use,” he said. “So when the FTC brought this to their attention, [Various] took prompt action.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-1810442630896921489?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/1810442630896921489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=1810442630896921489' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1810442630896921489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1810442630896921489'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/adultfriendfindercom-settles-with-ftc.html' title='AdultFriendFinder.com 
settles with FTC'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-3890289755802501276</id><published>2007-12-10T02:41:00.000-08:00</published><updated>2007-12-10T02:42:46.658-08:00</updated><title type='text'>Attackers hack into Oak Ridge National Laboratory</title><content type='html'>A targeted assault of phishing emails opened the door for hackers to glean the sensitive information of up to 12,000 visitors to the Oak Ridge National Laboratory, officials said Thursday.&lt;br /&gt;&lt;br /&gt;But it appears the attackers' goals were actually much loftier.&lt;br /&gt;&lt;br /&gt;According to a message from lab director Thom Mason to the organization's 4,200 employees, the recent attack on the Knoxville, Tenn.-based Oak Ridge was "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."&lt;br /&gt;&lt;br /&gt;Peter Cassidy, secretary general of the Anti-Phishing Working Group, told SCMagazine.com today that his group has witnessed a dramatic rise in socially engineered phishing and crimeware attacks intended to steal trade secrets. Labs such as Oak Ridge, which conducts research for the Department of Energy in the areas of science, the environment and national security, are no exception.&lt;br /&gt;&lt;br /&gt;"If they have specific questions about the research that Americans are organizing in those labs, it's kind of useful information," he said. 
"It allows them to respond with their own technology and to build on the ideas that are intercepted from their mining of the data through phishing attacks."&lt;br /&gt;&lt;br /&gt;What these cybercriminals ended up stealing were the names, Social Security numbers and birth dates of every person who visited the lab from 1990 to 2004, Mason said. So far, there is no evidence any of the data has been used to conduct fraud.&lt;br /&gt;&lt;br /&gt;The attackers delivered about 1,100 legitimate-looking emails to staff that tried to dupe them into opening a malicious attachment, Mason said. The bogus messages included one that notified the recipient about a complaint on behalf of the Federal Trade Commission; another announced an upcoming scientific conference.&lt;br /&gt;&lt;br /&gt;Eleven employees clicked on the attachments, enabling "the hackers to infiltrate the system and remove data," Mason wrote.&lt;br /&gt;&lt;br /&gt;That works out to a 0.1 percent success rate, Ken Dunham, director of global response for iSight Partners, a risk mitigation and mitigation company, told SCMagazineUS.com today.&lt;br /&gt;&lt;br /&gt;"It takes only one – not even 11 – to compromise a network," he said. "It's clear that there were ongoing, multiple attempts here."&lt;br /&gt;&lt;br /&gt;He said social engineering is the "cornerstone" of a successful phishing attack.&lt;br /&gt;&lt;br /&gt;"Today it is very hard to tell truth from lie," Dunham said. "They are very legitimate appearing and they are very customized. These are personalized for you. 
It's your own Hallmark custom scam, just for you."&lt;br /&gt;&lt;br /&gt;Mason said in his message to employees that they should never click on email attachments or links that appear in messages coming from unknown or untrusted parties.&lt;br /&gt;&lt;br /&gt;"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cybersecurity issues," Mason wrote.&lt;br /&gt;&lt;br /&gt;Dunham said organizations must also build strong access control policies, which includes restricting the privileges of certain employees. So even if that person's machine were to be infected, the remote attacker could not launch the malicious code.&lt;br /&gt;&lt;br /&gt;"If you can't do installs, you can't do installs," he said. "It doesn't matter if you're a virus or not."&lt;br /&gt;&lt;br /&gt;Ted Julian, vice president of marketing and strategy at AppSecInc, a database security firm, said the lab breach highlights the ineffectiveness of protecting the entryways into an organization.&lt;br /&gt;&lt;br /&gt;"As a result, companies need to focus on securing the valuable data directly," he said, adding that this includes assessing where it lies, performing vulnerability scans and applying encryption. 
"The notion of continuing to defend perimeters alone, it's just obviously not working."&lt;br /&gt;&lt;br /&gt;Mason said the investigation promises to take weeks to complete.&lt;br /&gt;&lt;br /&gt;"Each year the laboratory is forced to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network," he wrote.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-3890289755802501276?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/3890289755802501276/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=3890289755802501276' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3890289755802501276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3890289755802501276'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/attackers-hack-into-oak-ridge-national.html' title='Attackers hack into Oak Ridge National Laboratory'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-3624200832353304864</id><published>2007-12-08T19:21:00.000-08:00</published><updated>2007-12-08T19:22:17.002-08:00</updated><title type='text'>Child porn hacker sentenced to 110 years in prison</title><content 
type='html'>&lt;p&gt;A North Carolina man was sentenced to more than a century in prison after he seeded teens' computers with &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=trojan&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#1404"&gt;trojans&lt;/a&gt; and then demanded the victims provide him with nude photographs of themselves.&lt;/p&gt;   &lt;p&gt;Ivory Dickerson, 33, was convicted of three counts of manufacturing child pornography, two counts of unlawful computer intrusions, and one count of possession of child porn, Robert O'Neill, U.S. attorney for the Middle District of Florida said Friday in a &lt;a href="http://www.usdoj.gov/usao/flm/pr/2007/nov/20071130_Dickerson_JaxCHIPSentPR.pdf"&gt;statement&lt;/a&gt;. Dickerson was sentenced to 110 years.&lt;/p&gt;   &lt;p&gt;Authorities said Dickerson and an unnamed co-conspirator sent &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=phishing&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#1386"&gt;phishing&lt;/a&gt; emails or instant messages to female teens living in Brevard County, Fla., trying to trick them into opening a malicious file.&lt;/p&gt;   &lt;p&gt;If the victims clicked on the file, a trojan was downloaded to their machine, which gave Dickerson and his accomplice remote access to the victims' PCs, authorities said. 
They then attempted to persuade and force the victims "to manufacture child pornography that they could collect."&lt;/p&gt;   &lt;p&gt;Dickerson was arrested after victims told law enforcement that their &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=myspace&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#954"&gt;MySpace&lt;/a&gt; profiles had been hacked into, and the intruder demanded they send him erotic images of themselves, according to court records.&lt;/p&gt;   &lt;p&gt;If the victims did not comply, Dickerson threatened to hurt their family members or post nude images of them on the web, authorities said.&lt;/p&gt;   &lt;p&gt;Dickerson was involved in the hacking of more than 100 computers, authorities said. In addition, his external hard drive contained hundreds of video and photo files of child porn, including some of him and his victims engaging in sexual acts.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-3624200832353304864?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/3624200832353304864/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=3624200832353304864' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3624200832353304864'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3624200832353304864'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/child-porn-hacker-sentenced-to-110.html' title='Child porn hacker sentenced to 110 years in 
prison'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-3241965219964193240</id><published>2007-12-08T19:08:00.000-08:00</published><updated>2007-12-08T19:20:21.873-08:00</updated><title type='text'>Justin Timberlake, Hilary Duff, Tila Tequila MySpace profiles compromised to impress hacker group</title><content type='html'>&lt;div id="ctl00_ctl00_cphAllPageContent_cphMainContent_ucArticleView_articleBody" class="articleBody"&gt;   &lt;p style="font-weight: bold;"&gt;A person wanting to impress a &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=hacker&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;hacker&lt;/a&gt; group broke into the popular &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=myspace&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;MySpace&lt;/a&gt; profiles of several celebrities, including Justin Timberlake and model and MTV personality Tila Tequila, researchers said today.&lt;/p&gt;   &lt;p style="text-align: justify;"&gt;The hacker, who uses the handle "Tesla," gained access late Wednesday into the profiles of Timberlake, Tequila and actress-singer Hilary Duff, and used the compromised accounts to blast out bulletins to the celebrities' tens of thousands of MySpace friends, said Chris Boyd, senior director of malware research at &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=facetime&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;FaceTime&lt;/a&gt; Security Labs.&lt;/p&gt;   &lt;p&gt;The messages, which appeared to come from the Hollywood stars themselves, 
proclaimed support for a hacker group known as Kryogeniks.&lt;br /&gt;&lt;/p&gt;   &lt;p&gt;One read: "Hey Tesla here. Justin Timberlake has been hacked by me. HTTP://kryogeniks[dot]org. Cheers [expletive]."&lt;/p&gt;   &lt;p&gt;The website for Kryogeniks, a U.S.-based hacking group, was taken offline soon after, Boyd said. The site was back operating by mid-afternoon EST today.&lt;/p&gt;   &lt;p&gt;"The whole thing seems to be really strange -- childish shout-outs to this hacking group," Boyd told SCMagazineUS.com today.&lt;/p&gt;   &lt;p&gt;The motives for today's attacks are markedly different than a similar incident a month ago when the profile for singer Alicia Keys was compromised by malicious attackers.&lt;/p&gt;   &lt;p&gt;In that case, visitors to Keys' profile were first targeted by an exploit that installed &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=malware&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;malware&lt;/a&gt; on unpatched PCs, then presented with a fake codec and told they needed to install it to view a music video.&lt;/p&gt;   &lt;p&gt;It is likely hackers are using &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=cross-site+scripting&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#1227"&gt;cross-site scripting&lt;/a&gt; vulnerabilities and phishing scams to perpetrate these attacks, which mostly are occurring on music pages that are heavily trafficked and contain dynamic content, Boyd said.&lt;/p&gt;   &lt;p&gt;The administrator for Kryogeniks posted a bulletin today on one of the site's forums, denying the group had anything to do with the latest spate of MySpace attacks.&lt;/p&gt;   &lt;p&gt;"Anyone posting anything illegal, such as &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=phishing&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;phishing&lt;/a&gt;, will be banned 
instantly," he wrote. "No posting scams, or any personal information. What Tesla did has nothing to do with everyone [sic] in Kryogeniks."&lt;/p&gt;   &lt;p&gt;Boyd said he thinks the MySpace hacker was not affiliated with the group and was instead trying to seek their approval.&lt;/p&gt;   &lt;p&gt;"I'm sure they weren't too impressed when they woke up this morning to find [their] account suspended," he said.&lt;/p&gt;   &lt;p&gt;A MySpace spokeswoman said the social networking site could not comment publicly on the attack. The pages were working normally as of this article's publication.&lt;br /&gt;&lt;/p&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-3241965219964193240?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/3241965219964193240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=3241965219964193240' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3241965219964193240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3241965219964193240'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/justin-timberlake-hilary-duff-tila.html' title='Justin Timberlake, Hilary Duff, Tila Tequila MySpace profiles compromised to impress hacker group'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-5485657843746808437</id><published>2007-12-08T19:00:00.000-08:00</published><updated>2007-12-08T19:07:24.673-08:00</updated><title type='text'>Symantec patches remotely exploitable flaw in Norton products</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Symantec on Wednesday patched a vulnerability in Norton Personal Firewall 2004 and Norton Internet Security 2004 that can be exploited for remote code execution.&lt;/p&gt;        &lt;p&gt;The Cupertino, Calif.-based anti-virus giant advised users to employ LiveUpdate to patch the &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=buffer+overflow+vulnerability&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;buffer overflow vulnerability&lt;/a&gt; in an &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ActiveX+control&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;ActiveX control&lt;/a&gt; used by the two programs.&lt;/p&gt;&lt;p&gt;CERT had notified &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Symantec&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Symantec&lt;/a&gt; of the vulnerability [WHEN], which occurs in the Get() and Set() functions used by ISAlertDataCOM, a function of ISALERT.DLL. 
&lt;/p&gt;&lt;p&gt;Symantec and &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=US-CERT&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;US-CERT&lt;/a&gt; warned today that for successful exploitation, an attacker must dupe the victim into visiting a malicious website and clicking on a malicious document. &lt;/p&gt;&lt;p&gt;Symantec, in &lt;a href="http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html"&gt;an advisory&lt;/a&gt; released on Wednesday, ranked the flaw’s risk impact as "medium." A Symantec spokesman today referred questions to the advisory. &lt;/p&gt;&lt;p&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Secunia&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Secunia&lt;/a&gt; reported in &lt;a href="http://secunia.com/advisories/25290/"&gt;an advisory&lt;/a&gt; released today that researcher Will Dormann of CERT/CC discovered the flaw, which can be exploited to cause a stack-based &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=buffer+overflow&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;buffer overflow&lt;/a&gt; via an overly long argument. &lt;/p&gt;&lt;p&gt;Secunia ranked the flaw as "highly critical," meaning it can be exploited from a remote location. 
&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=FrSIRT&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;FrSIRT&lt;/a&gt; yesterday &lt;a href="http://www.frsirt.com/english/advisories/2007/1843"&gt;rated&lt;/a&gt; the vulnerability as "critical."&lt;span style="color: rgb(51, 102, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-5485657843746808437?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/5485657843746808437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=5485657843746808437' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5485657843746808437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5485657843746808437'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/symantec-patches-remotely-exploitable.html' title='Symantec patches remotely exploitable flaw in Norton products'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-5085813870176988477</id><published>2007-12-08T18:58:00.000-08:00</published><updated>2007-12-08T19:00:28.539-08:00</updated><title 
type='text'>Estonian DDoS attacks ‘unlikely' in U.S., says expert</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Could U.S.-based organizations find themselves defending against the level of distributed denial of service (DDoS) attacks Estonian web servers have seen since early April? While saying there is no shortage of people with grudges against the U.S., a researcher at Arbor Networks' ASERT team said that it is an unlikely scenario.&lt;/p&gt;        &lt;p&gt;The attacks, reportedly the result of a political squabble between Russian nationals and the newly elected Estonian government, have disrupted web services at numerous Estonian government agencies and financial institutions for weeks. &lt;/p&gt;&lt;p&gt;During a recent two-week period, ASERT's ATLAS web-tracking service saw 128 unique &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=DDoS&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l1185"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;DDoS&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; attacks on Estonian websites; of those, 115 were &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ICMP&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l436"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;ICMP&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; floods, four were &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=TCP+SYN&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l353"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;TCP SYN&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; floods and nine were generic traffic floods.&lt;/p&gt;&lt;p&gt;According to Jose Nazario, a senior security researcher with &lt;a 
href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Arbor+Networks&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;Arbor Networks'&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; ASERT team, which investigates web-based threat activity, the attacks lasted from short, half-hour bursts to one lasting more than 10 hours. He noted that 10 of the attacks consumed 90 Mbps of bandwidth.&lt;/p&gt;&lt;p&gt;"All in all, someone is very, very deliberate in putting the hurt on Estonia," Nazario said. "This kind of thing is only going to get more severe in the coming years."&lt;/p&gt;&lt;p style="text-align: justify;"&gt;The DDoS attacks appear to have been initiated by Russians irked by a proposal by Andrus Ansip, Estonia’s newly elected prime minister, to relocate a World War II memorial statue from downtown Tallinn to the outskirts of the city. Pro-Russians were reported to have considered the move to be a slur on their war dead and thus staged the DDoS attacks.&lt;/p&gt;&lt;p&gt;"Could [massive DDoS attacks] happen in the U.S.?" asked Nazario. "Certainly - there's no shortage of people with grudges against any country, and any geopolitical event could cause one."&lt;/p&gt;&lt;p&gt;That said, he doesn't foresee such an attack taking place on U.S. soil. "We track thousands of attacks a day - many against U.S. government sites - and they don't appear to have any substantial impact."&lt;/p&gt;&lt;p&gt;However, U.S. Rep. Tom Davis, R-Va., generally considered one of the most IT security-savvy members of Congress, has repeatedly warned that the nation could face a "cyber–Pearl Harbor" if it fails to shore up its infrastructure against web-based attacks. &lt;/p&gt;&lt;p&gt;A couple of issues are at work here, Nazario said. "Many U.S. government sites are more low profile - there are hundreds of departments within the U.S. 
Department of Defense and government that no one recognizes," he said.&lt;/p&gt;&lt;p&gt;More importantly, "All the major sites are very well protected in terms of bandwidth and their ability to push back the attack traffic and keep legitimate traffic going."&lt;/p&gt;&lt;p style="text-align: justify;"&gt;Although Estonia is one of Eastern Europe's more technically advanced countries, its "infrastructure is not as robust, and they have fewer resources" than U.S. organizations, said Nazario. "They're savvy, and know what they're doing, and brought in help in the right place so they're able to weather the attacks."&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-5085813870176988477?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/5085813870176988477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=5085813870176988477' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5085813870176988477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5085813870176988477'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/estonian-ddos-attacks-unlikely-in-us.html' title='Estonian DDoS attacks ‘unlikely&apos; in U.S., says expert'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-5416242044610783704</id><published>2007-12-08T18:56:00.000-08:00</published><updated>2007-12-08T18:58:07.816-08:00</updated><title type='text'>Websense: Google Pages hosting phishing attacks</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Researchers are warning internet users to be on the lookout for website scams appearing on Google Pages.&lt;/p&gt;        &lt;p&gt;This month, experts at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=websense&amp;amp;cof=FORID%3A11#1334"&gt;Websense&lt;/a&gt; reported a spike in the user-created sites hosting &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=phishing&amp;amp;cof=FORID%3A11#1331"&gt;phishing&lt;/a&gt; schemes, such as one for eBay, Dan Hubbard, vice president of security research at San Diego-based Websense, told SCMagazine.com today.&lt;/p&gt;&lt;p&gt;Attackers are drawn to the &lt;a href="http://pages.google.com/-/about.html"&gt;Google Pages&lt;/a&gt;, which are hosted on Google servers, because they may evade &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=web+filters&amp;amp;cof=FORID%3A11#1476"&gt;web filters&lt;/a&gt;. The sites may not be &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=blacklisted&amp;amp;cof=FORID%3A11#1221"&gt;blacklisted&lt;/a&gt; because "Google has a good reputation as a brand. 
It’s not a bad domain hosted in China or Eastern Europe," Hubbard said.&lt;/p&gt;&lt;p&gt;There are a number of other factors that may attract the malicious community to Google Pages, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ajax&amp;amp;cof=FORID%3A11#1429"&gt;AJAX&lt;/a&gt;-enabled websites released in 2006 that offer users the ability to upload dynamic content.&lt;/p&gt;&lt;p&gt;"&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=google&amp;amp;cof=FORID%3A11#1099"&gt;Google&lt;/a&gt; has a phenomenal infrastructure so the server is not going to go down," Hubbard said. "You can also do it anonymously. It’s free. There’s tons of space available."&lt;/p&gt;&lt;p&gt;He added that some attackers have created a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=script&amp;amp;cof=FORID%3A11#1047"&gt;script&lt;/a&gt; that allows them to automatically create these websites to be used in phishing attacks. Google needs to do a better job of scanning content, Hubbard said.&lt;/p&gt;&lt;p&gt;Google, in a statement today, said the search engine giant has defenses in place to prevent its hosted websites from being misused.&lt;/p&gt;&lt;p&gt;"We take user security and safety very seriously," the statement said. "As part of our efforts to protect users, we proactively check uploaded content for malware and viruses. 
In addition, when we are notified of phishing or other malicious or illegal content, we work quickly to remove it."&lt;/p&gt;&lt;p&gt;Last year, Websense reported that &lt;a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=522"&gt;Google servers were being used to host malicious binary files&lt;/a&gt; that tried to infect users.&lt;/p&gt;&lt;p&gt;Hubbard said the new brand of phishing attacks is one of a variety of techniques scammers use. Others set up the attacks on their own servers, compromise legitimate sites or use &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=bots&amp;amp;cof=FORID%3A11#934"&gt;bots&lt;/a&gt;.&lt;/p&gt;Organizations should deploy solutions to scan possibly malicious websites and educate &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=end-users&amp;amp;cof=FORID%3A11"&gt;end-users&lt;/a&gt; to not click on unknown links in emails or instant messages.[SC Magazine]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-5416242044610783704?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/5416242044610783704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=5416242044610783704' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5416242044610783704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5416242044610783704'/><link rel='alternate' type='text/html' 
href='http://searching-minesite.blogspot.com/2007/12/websense-google-pages-hosting-phishing_08.html' title='Websense: Google Pages hosting phishing attacks'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-42259311396504210</id><published>2007-12-08T18:51:00.000-08:00</published><updated>2007-12-08T18:53:45.856-08:00</updated><title type='text'>Look out, Google and Yahoo; hacker to publish month of search engine bugs</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;A hacker using the alias "Mustlive" announced this week that June will feature the next month-long vulnerability disclosure project, this one dedicated to search engine bugs.&lt;/p&gt;        &lt;p&gt;"The purpose of this month of bugs is a demonstration of the real state with security in &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=search+engines&amp;amp;cof=FORID%3A11#1163"&gt;search engines&lt;/a&gt;, which are the most popular sites on the internet," the Ukrainian hacker wrote on &lt;a href="http://websecurity.com.ua/955/"&gt;his blog&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;He added that he wants "to let users of search engines and the web community as a whole to understand all risks" associated with search engines.&lt;/p&gt;&lt;p&gt;Most disclosures during the Month of Search Engine Bugs (MOSEB) will be &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=cross-site+scripting&amp;amp;cof=FORID%3A11#1294"&gt;cross-site scripting&lt;/a&gt; (XSS) vulnerabilities, Mustlive 
said.&lt;/p&gt;&lt;p&gt;Many experts have criticized the ubiquitous "Month of…" projects, saying hackers should report their vulnerability discoveries to the vendor, not post them publicly. So far, there have been month-long initiatives to expose &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=browser&amp;amp;cof=FORID%3A11#1244"&gt;browser&lt;/a&gt;, &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=kernel&amp;amp;cof=FORID%3A11#1096"&gt;kernel&lt;/a&gt;, &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=apple&amp;amp;cof=FORID%3A11#1066"&gt;Apple&lt;/a&gt;, &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=myspace&amp;amp;cof=FORID%3A11#1034"&gt;MySpace&lt;/a&gt;, &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=PHP&amp;amp;cof=FORID%3A11#1112"&gt;PHP&lt;/a&gt; and &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=activex&amp;amp;cof=FORID%3A11#1360"&gt;ActiveX&lt;/a&gt; vulnerabilities.&lt;/p&gt;&lt;p&gt;Microsoft "stands ready to address any potential vulnerabilities" affecting its MSN search engine, a company spokesman told SCMagazine.com today. 
But the software giant "encourages responsible disclosure of vulnerabilities to minimize risk to computer users," the spokesman said.&lt;/p&gt;&lt;p&gt;A Google spokesman said the search engine giant "takes security very seriously and integrates security protection into the overall product development process and follows commonly accepted industry best practices for vulnerability and incident response."&lt;/p&gt;&lt;p&gt;"We encourage security researchers who discover security issues with Google products to follow responsible disclosure practices and to contact us at security@google.com prior to publicly releasing vulnerability details," he added.&lt;/p&gt;&lt;p&gt;A representative from &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=yahoo&amp;amp;cof=FORID%3A11#1050"&gt;Yahoo&lt;/a&gt; could not immediately be reached for comment.&lt;/p&gt;&lt;p&gt;Ryan Russell, quality assurance manager for BigFix, told SCMagazine.com today these undertakings tend to blindside vendors.&lt;/p&gt;&lt;p&gt;"It puts the vendor on short notice," he said. "I respect people's rights to do it, but it probably would be better for everyone involved if you gave the vendor some knowledge. And in most cases, the vendor is the only person anyone is going to accept a fix or workaround from."&lt;/p&gt;&lt;p&gt;In the case of search engines, though, end-users will not have to take any action to receive the patches, Russell said. 
"You can fix it in one place, and it fixes everyone in the world," he said.&lt;/p&gt;&lt;p&gt;Former hacker Mark Loveless, now a security architect at Vernier Networks, said if they are done right, the month-of-bug projects can be humorous in a "thumbing-your-nose-at-the-man" kind of way.&lt;/p&gt;&lt;p&gt;"Anything that stirs the pot, I'm all in favor of," he told SCMagazine.com.&lt;/p&gt;&lt;p&gt;But, Loveless added, considering the number of easy-to-detect XSS flaws planned, this particular initiative may lack the technical muscle that previous projects have had.&lt;/p&gt;&lt;p&gt;"I'm really thinking that by the end of the month, they're going to be scraping the bottom of the barrel," he said. "They're going to be putting crap up. I think they're cheating. I'd like to see something else done that is just as creative and provocative...but something original."&lt;/p&gt;&lt;p&gt;Loveless said he would like to see a "Month of Vista Bugs."&lt;/p&gt;&lt;p&gt;Projects promising &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vista&amp;amp;cof=FORID%3A11#1419"&gt;Vista&lt;/a&gt; and &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=oracle&amp;amp;cof=FORID%3A11#1228"&gt;Oracle&lt;/a&gt; Database bugs never were launched this year.&lt;span style="color: rgb(102, 51, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-42259311396504210?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/42259311396504210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=42259311396504210' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/42259311396504210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/42259311396504210'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/look-out-google-and-yahoo-hacker-to.html' title='Look out, Google and Yahoo; hacker to publish month of search engine bugs'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-8790162965116105023</id><published>2007-12-08T18:49:00.000-08:00</published><updated>2007-12-08T18:50:29.959-08:00</updated><title type='text'>Google sponsored advertising links lead to exploits</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;A seemingly innocuous Google search could yield malware on advertising result links, security researchers warned this week.&lt;/p&gt;        &lt;p&gt;Roger Thompson, CTO of &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Exploit+Prevention+Labs&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Exploit Prevention Labs&lt;/a&gt;, said in a &lt;a href="http://explabs.blogspot.com/"&gt;blog post&lt;/a&gt; Tuesday that his firm has identified &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=exploits&amp;amp;cof=FORID%3A11#1064"&gt;exploits&lt;/a&gt; 
posing as legitimate URLs for the Better Business Bureau and cars.com in the "sponsored links" section that appears alongside search results.&lt;/p&gt;&lt;p&gt;Advertisers pay Google for the sponsored links to appear following specific search queries.&lt;/p&gt;&lt;p&gt;Clicking on one of the malicious links, though, takes the user to the real website – but along the way they are unknowingly redirected to www.smarttrack.org, which hosts a &lt;a href="http://www.scmagazine.com/us/alerts/index.cfm?fuseaction=XCU.VulnerabilityAlerts.Details&amp;amp;nSH=11&amp;amp;sRss=microsoft"&gt;Microsoft Data Access Components (MDAC) exploit&lt;/a&gt; that attempts to install a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=backdoor&amp;amp;cof=FORID%3A11#1116"&gt;backdoor&lt;/a&gt; &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=keylogger&amp;amp;cof=FORID%3A11#1498"&gt;keylogger&lt;/a&gt;, said Thompson.&lt;/p&gt;&lt;p&gt;Cybercrooks then use the customized &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=trojans&amp;amp;cof=FORID%3A11#1481"&gt;trojans&lt;/a&gt; to pilfer banking information from online customers of about 100 targeted banks from around the world, Thompson said. 
Because the keylogger is delivered as part of a browser-helper object, it "is part of the endpoint of any &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ssl&amp;amp;cof=FORID%3A11#1445"&gt;SSL&lt;/a&gt; transaction and can see everything in plain text, instead of &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=encrypted&amp;amp;cof=FORID%3A11#1237"&gt;encrypted&lt;/a&gt;," he said.&lt;/p&gt;&lt;p&gt;There is little unsuspecting users can do to avoid being duped, Thompson said.&lt;/p&gt;&lt;p&gt;"Lots of links in any search engine point to infective sites, so that’s not really a surprise, but this does highlight a significant issue," he said. "When you move the mouse over a normal, organic search result, Google shows you the URL you are about to navigate to if you click. If, however, you mouse over a sponsored result, no URL preview is shown. This means that a user has no clue where they are about to navigate to."&lt;/p&gt;&lt;p&gt;A Google spokesperson could not be reached for comment. 
But the search giant may have remediated the problem, Thompson said.[Source :SC Magazine]&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-8790162965116105023?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/8790162965116105023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=8790162965116105023' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/8790162965116105023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/8790162965116105023'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/google-sponsored-advertising-links-lead.html' title='Google sponsored advertising links lead to exploits'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-7650182613302156831</id><published>2007-12-08T18:47:00.000-08:00</published><updated>2007-12-08T18:48:33.402-08:00</updated><title type='text'>McAfee SiteAdvisor: Safer searches on Google, Ask, AOL than Yahoo, MSN</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Although the five major online search engines have improved search safety, four percent of all search results link to dangerous websites, according to a report from McAfee's SiteAdvisor. 
Searches on Yahoo are the most risky, AOL the safest, "The State of Search Engine Safety" report indicates.&lt;/p&gt;        &lt;p&gt;With the exception of &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Yahoo&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Yahoo&lt;/a&gt;, the percentage of risky sponsored links on all major search engines has improved, dropping from more than eight percent last year to about seven percent this year, according to the &lt;a href="http://www.siteadvisor.com/studies/search_safety_may2007"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;report&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;. &lt;a href="http://www.google.com/"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;Google&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;, in particular, has "taken small steps" to improve the safety of the sponsored links on its landing pages, said Mark Maxwell, a senior vice president with &lt;a href="http://siteadvisor.com/"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;SiteAdvisor&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Hannah Rosenbaum, the SiteAdvisor analyst who wrote the report, attributed the improvement to safer sponsored results. However, sponsored results still contain 2.4 times as many risky sites as so-called "organic" results, the study noted.&lt;/p&gt;&lt;p&gt;With a 2.9 percent rate of risky results, searches on &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=AOL&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;AOL&lt;/a&gt; returned the lowest number of "red" or "yellow" risky ratings. Searches on Yahoo returned the most red or yellow results - distinguishing levels of danger - at 5.4 percent.&lt;/p&gt;&lt;p&gt;McAfee’s SiteAdvisor defines red-rated sites as those that distribute adware, send a high volume of spam or make unauthorized changes to users' computers. 
Yellow-rated sites send a high volume of "non-spam" email, display many pop-up ads, or prompt a user to change browser settings. &lt;/p&gt;&lt;p&gt;Google, AOL and &lt;a href="http://www.ask.com/"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;Ask&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; have become safer since May 2006, when SiteAdvisor first surveyed the search engines, with Ask showing the greatest improvement. Yahoo and &lt;a href="http://www.msn.com/"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;MSN&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; both saw safety decline, according to the study.&lt;/p&gt;&lt;p&gt;Maxwell attributed the overall improvements in sponsored-link safety primarily to Google. The company has "done a better check of their advertisers, in particular taking a look at landing pages," he said. "It has taken a more critical eye toward advertisers on its front pages, and has rejected some advertisers."&lt;/p&gt;&lt;p&gt;He said one theory on why Yahoo's sponsored-link safety has eroded is that some of the malware purveyors "have gone to Yahoo." &lt;/p&gt;&lt;p&gt;"We haven't seen the impact yet from Yahoo's new ad technology, Panama, so perhaps in six months we'll see if that has had an impact on Yahoo's sponsorship rating," he said. &lt;/p&gt;&lt;p&gt;Both Yahoo and Google responded to queries about the report from SCMagazine.com with prepared statements.&lt;/p&gt;&lt;p&gt;"It is not in our interest to deliver experiences that would erode the trust of our users and advertisers," said Reggie Davis, a vice president at Yahoo. "We will continue to improve our performance in this area by investing in technology and work with third parties to make the internet safe for consumers."&lt;/p&gt;&lt;p&gt;Google, for its part, said it "takes the safety of its users very seriously, and we've been taking a number of proactive steps to help protect them. 
This includes flagging potential malware URLs by warning users with an interstitial warning page and contacting webmasters directly when we believe an innocent site might have been 'hacked' to host malware."&lt;span style="color: rgb(51, 102, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-7650182613302156831?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/7650182613302156831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=7650182613302156831' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/7650182613302156831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/7650182613302156831'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/mcafee-siteadvisor-safer-searches-on.html' title='McAfee SiteAdvisor: Safer searches on Google, Ask, AOL than Yahoo, MSN'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-22141507681679656</id><published>2007-12-08T18:45:00.000-08:00</published><updated>2007-12-08T18:46:46.477-08:00</updated><title type='text'>Exploits released for zero-day Yahoo Messenger vulnerabilities</title><content type='html'>&lt;p style="font-weight: bold;" 
class="firstPara"&gt;A hacker named "Danny" has released two zero-day ActiveX exploits for Yahoo Messenger's Webcam application.&lt;/p&gt;        &lt;p&gt;The hacker released the exploits on the &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Full+Disclosure+mailing+list&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Full Disclosure mailing list&lt;/a&gt; early today and late last night. &lt;/p&gt;&lt;p&gt;The flaws, ranked at the highest severity levels in security advisories, allow &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=remote+code+execution&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;remote code execution&lt;/a&gt; and exist in &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Yahoo+Messenger&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Yahoo Messenger&lt;/a&gt; version 8 and earlier.&lt;/p&gt;&lt;p&gt;The first flaw is a boundary error within the Yahoo Webcam Upload &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ActiveX&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;ActiveX&lt;/a&gt; control, which can be exploited to cause a &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=stack-based+buffer+overflow&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;stack-based buffer overflow&lt;/a&gt;, according to a &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Secunia&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Secunia&lt;/a&gt; &lt;a href="http://secunia.com/advisories/25547/"&gt;advisory&lt;/a&gt; released today. 
&lt;/p&gt;&lt;p&gt;The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia, which ranked the flaws as "extremely critical," meaning they are unpatched, can allow remote code execution and exploits are in the wild. &lt;/p&gt;&lt;p&gt;&lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=eEye+Digital+Security&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;eEye Digital Security&lt;/a&gt; warned in &lt;a href="http://research.eeye.com/html/alerts/zeroday/20070606.html"&gt;an advisory&lt;/a&gt; today that ActiveX zero-day flaws are especially dangerous because they can receive malicious payloads from any website. &lt;/p&gt;&lt;p&gt;The Ocean County, Calif.-based firm cautioned PC users that the flaws are "high" severity. &lt;/p&gt;&lt;p&gt;&lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=FrSIRT&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;FrSIRT&lt;/a&gt; warned today that the vulnerabilities are "critical."&lt;/p&gt;&lt;p&gt;Yahoo spokesperson Terrell Karlsten said today that the company "began working towards a resolution and expect(s) to have a fix shortly."&lt;/p&gt;&lt;p&gt;Andrew Storms, director of security operations for &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=nCircle&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;nCircle&lt;/a&gt;, said today that one reason the flaws are dangerous is because instant messaging applications are widespread – and security professionals might not be aware how much so. 
&lt;/p&gt;&lt;p&gt;"The impact of this vulnerability is extensive because it could allow attackers to take complete control of a user’s system, and two public proof-of-concept exploits are available. This leaves many thousands of internet consumers at high risk," he said. "Enterprise users on Yahoo IM are particularly at risk because IM may not be a sanctioned application, but still be in wide use across networks. IT security teams must figure out where it is installed before they can take steps to protect the network."[SC Magazine]&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-22141507681679656?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/22141507681679656/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=22141507681679656' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/22141507681679656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/22141507681679656'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/exploits-released-for-zero-day-yahoo.html' title='Exploits released for zero-day Yahoo Messenger vulnerabilities'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2653689624233636113</id><published>2007-12-08T18:42:00.000-08:00</published><updated>2007-12-08T18:45:19.492-08:00</updated><title type='text'>The security implications of Web 2.0</title><content type='html'>&lt;p class="firstPara"&gt;A car that has fewer options has fewer things that can break. Power steering, power locks, power seats, seat warmers, and the myriad of other car features provide a better experience, but they also have more items that require maintenance.&lt;/p&gt;&lt;p style="text-align: left;"&gt;&lt;img style="width: 107px; height: 162px;" src="http://offlinehbpl.hbpl.co.uk/news/MCS/weider1201.jpg" alt="Michael Weider, CTO and Founder, Watchfire" border="0" /&gt;Michael Weider, CTO and Founder, Watchfire&lt;/p&gt;        &lt;div id="imageAndCaption"&gt;   &lt;/div&gt;     &lt;p&gt;The same complexities we see with a fully loaded car apply to web functionality. Web 2.0 has arrived, and the race to adopt it has brought with it collaborative online environments—socially driven content that is redefining both how web applications are developed and how they are used. The result is a richer, more fulfilling web experience. The consequence, however, is that the dynamic new Web 2.0 design principles open a host of new avenues of attack to which Web 2.0-based web applications are vulnerable. &lt;/p&gt;&lt;p&gt;With the explosion of Web 2.0 concepts powering more and more websites, the web is reaching new potentials for interactivity. But with that progress it becomes even more important to proactively address the heightened security and privacy vulnerabilities, as the same technologies that make for a more user-friendly web can also make for less secure web applications. 
&lt;/p&gt;&lt;p&gt;This article will highlight the most common Web 2.0 vulnerabilities that privacy and security professionals need to be aware of, including a better understanding of how web services and AJAX can be exploited and the attacks that they can enable. Readers will also learn tips and best practices for securing next-generation applications that can be applied immediately as enterprises continue the push to deploy Web 2.0, ensuring they can meet both current and future online security challenges. &lt;/p&gt;&lt;strong&gt;&lt;p&gt;What is Web 2.0?&lt;br /&gt;Web 2.0 carries a high profile and surrounding hype. There is increasing pressure on developers to quickly adopt this new second generation of dynamic, interactive and simple-by-design technologies. Web 2.0 can be described in two ways:&lt;/p&gt;&lt;/strong&gt;&lt;p&gt;1) New ways to build rich web sites.&lt;br /&gt;Often not characterized as Web 2.0, Asynchronous JavaScript and XML (AJAX) and other new rapid application development techniques are en vogue to create rich web sites that are highly interactive and more easily deployed and used.&lt;/p&gt;&lt;p&gt;AJAX delivers a rich user interface by displaying more dynamic content. Another common technique is Really Simple Syndication (RSS) feeds, an XML-based standard that allows subscribers to promote information feeds. This is most commonly used to subscribe to blogs and news articles.&lt;/p&gt;&lt;p&gt;2) Socially driven content.&lt;br /&gt;Think MySpace.com. The web experience is now defined by community and by content created and posted by web users. Websites are now amorphous entities, and their vitality is defined by the people who visit them. &lt;/p&gt;&lt;p&gt;In the last couple of years, the web has moved from a collection of static pages to a more interactive and dynamic environment. This shift has been heralded as Web 2.0 and has given more users more power. 
No longer is the web a place where only technical folks can produce content. Instead, with the click of a button non-technical users from children to seniors are able to upload information to personal or corporate sites, produce interactive pages or share content. Popular dynamic sites such as YouTube, MySpace and Flickr are the poster children for this new web world.&lt;/p&gt;&lt;strong&gt;&lt;p&gt;Why adopt Web 2.0 technologies?&lt;br /&gt;Competition and ease-of-use are at the top of the list as reasons why Web 2.0 is attractive. Like viral marketing, more companies want to communicate more directly to their prospective and current customers. Building sites that include interactive messaging, commenting and user areas allow for more open communication gates. Users can interact with other users and company executives. &lt;/p&gt;&lt;/strong&gt;&lt;p&gt;Price is also a consideration. Web applications have proven to be more cost effective than their clunky client-server counterparts. Web 2.0 applications, built with Rapid Application Development (RAD) techniques, are built faster and therefore require even less of an investment. &lt;/p&gt;&lt;strong&gt;&lt;p&gt;Web 2.0 dangers&lt;br /&gt;With Web 2.0, the functionality and experience of the sites become the primary focus, and the technology empowering the dynamic content is hidden behind the scenes to the average user. Yet the web applications underneath the polished finish remain just as complex, and add a variety of new and often unproven or unsecured technologies to the back end.&lt;/p&gt;&lt;/strong&gt;&lt;p&gt;In the rush to unveil more interactive sites developers are urged to release functional sites that often lack added security measures. Attackers have quickly learned to exploit the shortcomings in these codes. This has resulted in an urgent need to audit and assess these sites for security vulnerabilities. 
In order for Web 2.0 technologies to reach full potential, inherent security issues must be recognized and addressed and businesses must incorporate security best practices into application development. &lt;/p&gt;&lt;p&gt;In addition to structural security flaws, there are also user threats including the loading of malicious content. Sites that encourage end user postings typically have no way to stop the uploading of content that might distribute malicious code to other site visitors. In similar ways, other user-driven web sites, including blogs, podcasts and social networking sites, are prone to both security and privacy issues. While it seems as though democracy has come to the Internet, more freedom means increased potential for abuse and errors.&lt;/p&gt;&lt;p&gt;As in our car example, the new features create new avenues for exploit. The majority of Web 1.0 users interacted with single functions on single pages. Now AJAX programming allows any given page to have dozens of features and functions&lt;strong&gt;,&lt;/strong&gt; running independently as well as interacting with each other. This means a fragmentation in communication and the possibility that web application vulnerabilities that have been around for years might increase exponentially. The most common vulnerabilities include SQL injection, cross site scripting (XSS), buffer and SOAP overflow and XML attacks.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;The dependence on technology means the new vulnerabilities brought by Web 2.0 are inevitable. Back in the old days of the web—even three or four years ago—users could boost security levels by turning off JavaScript. Doing so now would all but render the website useless. In effect, the user would be disabling the exact tools that make the web useful and efficient.&lt;/p&gt;&lt;strong&gt;&lt;p&gt;Why does my organization need to worry about Web 2.0 safety?&lt;br /&gt;Organizations of all sizes and in every market with an internet presence have been attacked. 
Media reports show regular coverage of the larger companies, such as MySpace suffering from a QuickTime XSS worm, Yahoo Mail recently being hit by a Yamanner worm attack, and even Google’s Gmail has had to overcome XSS problems.&lt;/p&gt;&lt;/strong&gt;&lt;p&gt;As in any other case of negative publicity there is damage to the brand name and potential lost business if your web applications fail because of security threats. But a greater risk is that sensitive data could be compromised and with that comes everything from minor legal headaches to large and public lawsuits.&lt;br /&gt;&lt;/p&gt;&lt;strong&gt;&lt;p&gt;How do I protect my web applications?&lt;br /&gt;One of the most effective solutions is to fix weaknesses before they are ever launched. While it sounds like a common sense suggestion, most applications are not built with security in mind. &lt;/p&gt;&lt;/strong&gt;&lt;p&gt;Overworked developers, who are not trained in security, are not building application level security into the process. As stated, one of the benefits of web applications is the speed to market. But with this comes the downside that long development cycles, which normally include heavy QA and security testing, are discarded in favor of posting applications live as soon as they are functional. &lt;/p&gt;&lt;p&gt;In order to ensure safe and working web applications companies should adhere to strict security testing standards from the development phase through the QA phase of the building cycle. This can be done through use of security scanning tools and penetration tests. And with such a dynamic nature, it’s important to continue periodic post-deployment security testing to monitor the live state of the web site and its ever-changing applications.&lt;/p&gt;&lt;p&gt;Another important but sometimes overlooked suggestion is to monitor metrics on web application vulnerabilities throughout the development cycle. Keep track of all vulnerabilities and fixes. 
Management can’t address issues they don’t know about.&lt;/p&gt;&lt;p&gt;Monitoring vulnerabilities across the development cycle has a huge impact on the educational front as well. To stop the cycle and reel in control over web application security, developers need to know what mistakes are made so they don’t continue to repeat them. Companies can also set limits on what types of content can be changed or uploaded. An organization’s users can be educated as well: let them know about dangers and how to prevent them while online. &lt;/p&gt;&lt;p&gt;While more user interaction may be the ultimate goal, it’s important to first design threat models in order to determine what levels of risk the company can assume. A retail company’s website, for example, can accept lower security standards for a web application designed to locate a retail store near the user, while a higher security standard is required for the actual e-commerce and credit-card processing applications.&lt;/p&gt;&lt;p align="right"&gt; &lt;/p&gt;&lt;p&gt;Lastly, Web 2.0 is here to stay, at least until new technology ushers us into the Web 3.0 phase. The trend is racing towards more user interaction and more power to the masses. With that in mind, be sure to use technology judiciously and learn how to manage risk with all your website applications.&lt;/p&gt;&lt;p&gt;&lt;em&gt;-Michael Weider is CTO and founder of Watchfire. 
&lt;/em&gt;&lt;/p&gt;    &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2653689624233636113?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2653689624233636113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2653689624233636113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2653689624233636113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2653689624233636113'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/security-implications-of-web-20.html' title='The security implications of Web 2.0'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-282809253643471942</id><published>2007-12-08T18:40:00.000-08:00</published><updated>2007-12-08T18:41:32.043-08:00</updated><title type='text'>Romanian NASA hacker appears in court</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;A Romanian hacker accused of breaking into the networks of NASA and other federal agencies appeared in a Romanian court on Tuesday.&lt;/p&gt;        &lt;p&gt;Victor Faur, 26, a native of the western Romanian town of Arad, faces trial there after arrest by state prosecutors in his home 
country. He faces a dozen years in prison, according to numerous published reports. &lt;/p&gt;&lt;p&gt;U.S. authorities have claimed $2 million in damages from the attack, which allegedly took place between November 2005 and September 2006 and targeted servers belonging to NASA, the U.S. Navy and the Department of Energy. &lt;/p&gt;&lt;p&gt;&lt;a href="http://www.scmagazine.com/us/news/article/607961/feds-charge-romanian-hacker-cracking-nasa-navy-networks/"&gt;Federal authorities charged Faur&lt;/a&gt; with breaking into government computers last November. He has been indicted on 10 counts, including charges of conspiracy, unauthorized access to government computers and causing intentional damage to computers. &lt;/p&gt;&lt;p&gt;He will be brought to Los Angeles for trial after his Romanian proceedings conclude. &lt;/p&gt;&lt;p&gt;NASA’s computers are a familiar target for hackers. Last November, a Chilean gang called the "Byond Hackers Crew" &lt;a href="http://www.scmagazine.com/us/news/article/603614/"&gt;were arrested and accused of cracking&lt;/a&gt; more than 8,000 websites, including those of NASA, the University of California, Berkeley, and the Chilean Finance Ministry. &lt;/p&gt;&lt;p&gt;In a much-publicized case, Gary McKinnon, a British hacker who broke into the Pentagon’s network more than five years ago, &lt;a href="http://www.scmagazine.com/us/news/article/558448/"&gt;faces extradition to the U.S. and up to 70 years in prison if convicted&lt;/a&gt;. &lt;/p&gt;&lt;p&gt;Ron O’Brien, senior security analyst at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=sophos&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Sophos&lt;/a&gt;, told SCMagazine.com today that because the federal government is under such cybersecurity scrutiny, hackers may increasingly target its networks. 
&lt;/p&gt;&lt;p&gt;"There’s been a lot of publicity lately about attackers being able to hack into federal agencies," he said. "There are hearings going on as we speak about the security at the [U.S. Department of Homeland Security] so anyone looking for the opportunity to hack into a PC would go after this."&lt;/p&gt;&lt;p&gt;O’Brien said it was possible that Faur could have been trying to outdo McKinnon or other hackers to establish a reputation. &lt;/p&gt;&lt;p&gt;"The hacker community is of a type that they all have such big egos, so it wouldn’t surprise me if there was an attempt to establish a renown beyond those who had gone before," he said. [SC Magazine]&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-282809253643471942?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/282809253643471942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=282809253643471942' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/282809253643471942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/282809253643471942'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/romanian-nasa-hacker-appears-in-court.html' title='Romanian NASA hacker appears in court'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2912791508126010859</id><published>2007-12-08T18:39:00.000-08:00</published><updated>2007-12-08T18:40:17.015-08:00</updated><title type='text'>Websense: Google Pages hosting phishing attacks</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Researchers are warning internet users to be on the lookout for website scams appearing on Google Pages.&lt;/p&gt;        &lt;p&gt;This month, experts at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=websense&amp;amp;cof=FORID%3A11#1334"&gt;Websense&lt;/a&gt; reported a spike in the user-created sites hosting &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=phishing&amp;amp;cof=FORID%3A11#1331"&gt;phishing&lt;/a&gt; schemes, such as one for eBay, Dan Hubbard, vice president of security research at San Diego-based Websense, told SCMagazine.com today.&lt;/p&gt;&lt;p&gt;Attackers are drawn to the &lt;a href="http://pages.google.com/-/about.html"&gt;Google Pages&lt;/a&gt;, which are hosted on Google servers, because they may evade &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=web+filters&amp;amp;cof=FORID%3A11#1476"&gt;web filters&lt;/a&gt;. The sites may not be &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=blacklisted&amp;amp;cof=FORID%3A11#1221"&gt;blacklisted&lt;/a&gt; because "Google has a good reputation as a brand. 
It’s not a bad domain hosted in China or Eastern Europe," Hubbard said.&lt;/p&gt;&lt;p&gt;There are a number of other factors that may attract the malicious community to Google Pages, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ajax&amp;amp;cof=FORID%3A11#1429"&gt;AJAX&lt;/a&gt;-enabled websites released in 2006 that offer users the ability to upload dynamic content.&lt;/p&gt;&lt;p&gt;"&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=google&amp;amp;cof=FORID%3A11#1099"&gt;Google&lt;/a&gt; has a phenomenal infrastructure so the server is not going to go down," Hubbard said. "You can also do it anonymously. It’s free. There’s tons of space available."&lt;/p&gt;&lt;p&gt;He added that some attackers have created a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=script&amp;amp;cof=FORID%3A11#1047"&gt;script&lt;/a&gt; that allows them to automatically create these websites to be used in phishing attacks. Google needs to do a better job of scanning content, Hubbard said.&lt;/p&gt;&lt;p&gt;Google, in a statement today, said the search engine giant has defenses in place to prevent against its hosted websites being misused.&lt;/p&gt;&lt;p&gt;"We take user security and safety very seriously," the statement said. "As part of our efforts to protect users, we proactively check uploaded content for malware and viruses. 
In addition, when we are notified of phishing or other malicious or illegal content, we work quickly to remove it."&lt;/p&gt;&lt;p&gt;Last year, Websense reported that &lt;a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=522"&gt;Google servers were being used to host malicious binary files&lt;/a&gt; that tried to infect users.&lt;/p&gt;&lt;p&gt;Hubbard said the new brand of phishing attacks is one of a variety of techniques scammers use. Others set up the attacks on their own servers, compromise legitimate sites or use &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=bots&amp;amp;cof=FORID%3A11#934"&gt;bots&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Organizations should deploy solutions to scan possibly malicious websites and educate &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=end-users&amp;amp;cof=FORID%3A11"&gt;end-users&lt;/a&gt; to not click on unknown links in emails or instant messages, he said.[SC Magazine]&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2912791508126010859?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2912791508126010859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2912791508126010859' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2912791508126010859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2912791508126010859'/><link rel='alternate' 
type='text/html' href='http://searching-minesite.blogspot.com/2007/12/websense-google-pages-hosting-phishing.html' title='Websense: Google Pages hosting phishing attacks'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-1064593827902394853</id><published>2007-12-08T18:32:00.001-08:00</published><updated>2007-12-08T18:38:46.579-08:00</updated><title type='text'>MySpace users warned of drive-by exploit attack</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Researchers are warning of a widespread MySpace drive-by exploit attack meant to compromise machines so more highly-profitable phishing schemes remain successful.&lt;/p&gt;        &lt;p&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=myspace&amp;amp;cof=FORID%3A11"&gt;MySpace&lt;/a&gt; users become infected when they visit a profile page containing malicious &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=javascript&amp;amp;cof=FORID%3A11#1282"&gt;JavaScript&lt;/a&gt; and then are silently redirected to an &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=internet+explorer&amp;amp;cof=FORID%3A11#1131"&gt;Internet Explorer&lt;/a&gt; exploit, which was &lt;a href="http://scmagazine.com/us/news/article/649546/microsoft-fixes-eight-vulnerabilities-second-april-patch-tuesday/"&gt;patched in April&lt;/a&gt;, Johannes Ullrich, chief research officer of the &lt;a 
href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=sans+internet+storm+center&amp;amp;cof=FORID%3A11#1059"&gt;SANS Internet Storm Center&lt;/a&gt;, told SCMagazine.com today.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;The exploit installs a common &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=proxy&amp;amp;cof=FORID%3A11#1187"&gt;proxy&lt;/a&gt; network bot, known as a flux bot, which is used to hide &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=phishing&amp;amp;cof=FORID%3A11#1301"&gt;phishing&lt;/a&gt; sites behind constantly changing proxy servers, Ullrich explained. The cybercriminals, in other words, use their newly compromised PCs to hide the tracks of unrelated phishing scams targeting banks and other financial institutions.&lt;/p&gt;&lt;p&gt;"It lends some secrecy to the scam and it makes it harder to shut down," he said. "Now, the actual machine (the victim) is connected to get to the phishing site changes by the minute. You can’t easily block them. 
It’s not that obvious."&lt;/p&gt;&lt;p&gt;The &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=botnets&amp;amp;cof=FORID%3A11#1112"&gt;botnets&lt;/a&gt; are also being used to send &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=spam&amp;amp;cof=FORID%3A11#1404"&gt;spam&lt;/a&gt;, Ullrich said.&lt;/p&gt;&lt;p&gt;Potentially thousands of MySpace pages could be infected with the malicious &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=worm&amp;amp;cof=FORID%3A11#969"&gt;worm&lt;/a&gt;, but the infected profiles are "being shut down really quickly," he said. &lt;/p&gt;&lt;p&gt;A spokesperson for MySpace, which has more than 100 million members, could not immediately be reached for comment today.&lt;/p&gt;&lt;p&gt;Ullrich said cyberthieves traditionally tailor their worms for MySpace and other social networking sites because of the younger demographic that use them.&lt;/p&gt;&lt;p&gt;"It has a lot of non-technical users who do not &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=patch&amp;amp;cof=FORID%3A11#1228"&gt;patch&lt;/a&gt; their &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=browsers&amp;amp;cof=FORID%3A11#1226"&gt;browsers&lt;/a&gt;," he said. "People are not that careful. They may visit MySpace thinking [it’s] a big company and not realizing the content of the pages comes from the average user."&lt;/p&gt;&lt;p&gt;MySpace has been the victim of a number of attacks over the past year. 
Vincent Weafer, head of Symantec’s Global Security Response, said MySpace users are often easily duped into giving up their credentials.&lt;/p&gt;&lt;p&gt;"If I can get into your trusted group, I may be able to get information out of you," he said.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;Colin Whittaker of Google’s Anti-Phishing Team &lt;a href="http://googleonlinesecurity.blogspot.com/2007/06/thwarting-large-scale-phishing-attack.html"&gt;wrote&lt;/a&gt; on the company’s security blog recently that many users are tricked into giving their usernames and passwords so crooks can send spam from their account or – worse – use that same log-in information to access their bank accounts.&lt;span style="color: rgb(51, 102, 255);"&gt; [SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-1064593827902394853?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/1064593827902394853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=1064593827902394853' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1064593827902394853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1064593827902394853'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/myspace-users-warned-of-drive-by.html' title='MySpace users warned of drive-by exploit attack'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2935931120587348818</id><published>2007-12-07T01:30:00.000-08:00</published><updated>2007-12-07T01:32:17.991-08:00</updated><title type='text'>FBI warns of three spam hoaxes</title><content type='html'>&lt;p class="firstPara"&gt;The FBI is warning citizens to be on the lookout for three separate email scams — including one that attempts to infect users with malware and two others that seek personal and financial information.&lt;/p&gt;        &lt;p&gt;The biggest threat is posed by widespread emails claiming to include a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=greeting+card+attachment&amp;amp;cof=FORID%3A11#519"&gt;greeting card attachment&lt;/a&gt; from friends, co-workers or family members, but unsuspecting clickers are instead diverted to a malicious webpage that attempts to exploit a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vulnerability&amp;amp;cof=FORID%3A11#1351"&gt;vulnerability&lt;/a&gt; and upload &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=malware&amp;amp;cof=FORID%3A11#1453"&gt;malware&lt;/a&gt;, according to an &lt;a href="http://www.fbi.gov/pressrel/pressrel07/emailscams071707.htm"&gt;FBI statement&lt;/a&gt; issued Tuesday.&lt;/p&gt;&lt;p&gt;Menashe Eliezer, who heads the detection center at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=anti-virus&amp;amp;cof=FORID%3A11"&gt;anti-virus&lt;/a&gt; and &lt;a 
href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=anti-spam&amp;amp;cof=FORID%3A11#1397"&gt;anti-spam&lt;/a&gt; firm &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=commtouch&amp;amp;cof=FORID%3A11#611"&gt;Commtouch&lt;/a&gt;, told SCMagazine.com today &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=web-borne&amp;amp;cof=FORID%3A11#1123"&gt;web-borne&lt;/a&gt; threats are getting more sophisticated.&lt;/p&gt;&lt;p&gt;Two other scams claim to be coming from the FBI or a U.S. military official. In the FBI example, the spammers offer lottery endorsements or inheritance money in exchange for a modest up-front payment, the warning said. Emails said to be coming from military leaders allegedly attempt to dupe recipients out of funds that will be used to benefit soldiers stationed overseas.&lt;/p&gt;&lt;p&gt;Spammers use legitimate-looking content, such as pictures and letterheads, to make the emails look like the real thing, the warning said.&lt;/p&gt;&lt;p&gt;"It’s an illegitimate form of marketing, but [spammers] have to deal with the same issues [as real marketers] in terms of getting people to answer their call to action," Rebecca Herson, Commtouch’s senior director of marketing, told SCMagazine.com today. 
"They’re trying to improve the look and feel of their campaigns the same way legitimate marketers are."&lt;/p&gt;&lt;p&gt;The FBI recommends users delete the "hoax" emails.&lt;/p&gt;&lt;p&gt;"Consumers need to be wary of unsolicited emails that request them to take any action, even if that means just clicking on an attachment," the warning said, adding that clicking could allow &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=viruses&amp;amp;cof=FORID%3A11#1326"&gt;viruses&lt;/a&gt; or &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=keyloggers&amp;amp;cof=FORID%3A11#1495"&gt;keyloggers&lt;/a&gt; to be installed on users’ machines.&lt;/p&gt;&lt;p&gt;Zulfikar Ramzan, senior principal researcher at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=symantec&amp;amp;cof=FORID%3A11"&gt;Symantec&lt;/a&gt;, told SCMagazine.com that users should maintain an updated internet security solution, keep patches up to date and avoid following unknown links.&lt;/p&gt;&lt;p&gt;"These spam scams are particularly dangerous as many consumers consider communication from government agencies as credible," he said.&lt;/p&gt;&lt;p&gt;The FBI’s announcement was prompted by a high number of complaints lodged with the &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Internet+Crime+Complaint+Center&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Internet Crime Complaint Center&lt;/a&gt;. 
&lt;span style="color: rgb(255, 255, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2935931120587348818?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2935931120587348818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2935931120587348818' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2935931120587348818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2935931120587348818'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/fbi-warns-of-three-spam-hoaxes.html' title='FBI warns of three spam hoaxes'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-7082702413303183947</id><published>2007-12-07T01:28:00.000-08:00</published><updated>2007-12-07T01:29:38.318-08:00</updated><title type='text'>New storm worm run called largest virus attack in two years</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;&lt;span style="font-size:85%;"&gt;The infamous ‘storm worm' virus attack began another run last week, this one called the largest in two years by messaging security vendor Postini.&lt;/span&gt;&lt;/p&gt;        &lt;p&gt;&lt;span 
style="font-size:85%;"&gt;The San Carlos, Calif.-based company, which &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Google&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Google&lt;/a&gt; announced &lt;a href="http://scmagazine.com/us/news/article/669686/google-acquires-postini-secure-apps-offerings/"&gt;intentions to acquire&lt;/a&gt; earlier this month, said this week that the &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=storm+worm&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;storm worm&lt;/a&gt; attack that began July 16 generated 120 million messages by Friday. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Postini&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Postini&lt;/a&gt; said that the attack is spreading through blended methods, using emails that contain links to malicious websites that exploit vulnerabilities. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;The attack was named for the deadly European wind storms that occurred simultaneously with the first attacks this past January. &lt;a href="http://scmagazine.com/us/news/article/627230/trojan-laden-storm-worm-making-landfall-inboxes-worldwide/"&gt;Early attacks&lt;/a&gt; arrived with video EXE files with storm-related headings, such as "230 dead as storm batters Europe."&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Researchers spotted a storm worm run earlier this month that used messages falsely informing recipients that they received a greeting card from a family member, admirer, classmate or colleague. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;That storm worm run was the first of the kind to redirect recipients to a malicious website instead of using a malicious attachment. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;The social engineering attack exploited a number of patched vulnerabilities, including &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ANI&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;ANI&lt;/a&gt;, &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=QuickTime&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;QuickTime&lt;/a&gt; and &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=WinZip&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;WinZip&lt;/a&gt;, to add compromised machines to a botnet. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Adam Swidler, senior manager of solutions marketing at &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Postini&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Postini&lt;/a&gt;, told SCMagazine.com today that the most recent storm worm attack is five times larger than the previous largest attack. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;"[The attack’s] URLs are all using IP addresses instead of domain-based URLs, and that’s a flag we look out for," he said. 
"I think the biggest thing [about this attack] is the volume, the sustained nature, and it went on for nine days using the blended attack of email and the web to deliver the payload to the PC."&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Joe Stewart, senior security researcher at &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=SecureWorks&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;SecureWorks&lt;/a&gt;, told SCMagazine.com today that his firm has seen storm worm spam mostly using an ecard as a lure. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;"It’s the ecard ploy and the social engineering ploy, and if you go ahead and click on the ecard, it takes you to a page that can get some exploit code through the browser, and if that doesn’t work they prompt you to download the malware," he said. &lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-7082702413303183947?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/7082702413303183947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=7082702413303183947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/7082702413303183947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/7082702413303183947'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/new-storm-worm-run-called-largest-virus.html' title='New storm worm run called largest virus attack in two 
years'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-5239278147470587245</id><published>2007-12-07T01:20:00.000-08:00</published><updated>2007-12-07T01:28:16.853-08:00</updated><title type='text'>VeriSign suffers data breach after July laptop theft</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;&lt;span style="font-size:85%;"&gt;VeriSign, the digital certificate vendor responsible for the internet's .com and .net domains, suffered a data breach last month when a laptop was stolen from an employee's vehicle.&lt;/span&gt;&lt;/p&gt;        &lt;p&gt;&lt;span style="font-size:85%;"&gt;An undisclosed number of current and former employees are at risk of identity theft after the burglary, which took place July 12 or 13 in a parking garage in northern California. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;The laptop contained names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses of an undisclosed number of &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=VeriSign&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;VeriSign&lt;/a&gt; employees, according to a notification letter sent to victims. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;The Mountain View, Calif.-based company revealed that bank account numbers and password information were not stored on the device. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;The breach was &lt;a href="http://wizbangblog.com/content/2007/08/02/laptop-theft-leaves-verisign-employees-data-exposed.php"&gt;first reported on the wizbang blog&lt;/a&gt; on Friday. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;VeriSign said today in a statement that the employee has left the company. The vendor said it is working to shore up its data-protection policies, which were not followed in this case.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;VeriSign disclosed that it has "no reason to believe that the thief or thieves acted with the intent to extract and use this information. The local police have said the theft may be tied to a series of neighborhood burglaries."&lt;/span&gt;&lt;/p&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;"VeriSign is committed to making sure current and former employees whose personal information may have been on the stolen laptop have the support they need to monitor their credit and know how to respond if they identify any problems," VeriSign said today in a statement. "The company has a policy on how to manage laptops that contain sensitive information and company data — which in this case was not followed. That policy includes not leaving laptops in vehicles in plain view, keeping the amount of confidential and sensitive data stored on laptops to a minimum, and using data encryption tools to protect those sets of data that absolutely must be stored on a laptop. 
Going forward, we will continue to review our security procedures to prevent future human errors of this type."&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Avivah Litan, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Gartner&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Gartner&lt;/a&gt; vice president and distinguished analyst, told SCMagazine.com today that laptop thefts have "zero impact on the bottom line," but said she was disappointed to see a security vendor suffer a breach. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;"Certainly a missing or stolen laptop is common, but you don’t want to see that event at a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=managed+security+services+provider&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;managed security services provider&lt;/a&gt;," she said. "It lowers confidence in their abilities when they’re subject to the same breaches they’re helping their customers with."&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Last month, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Kingston+Technology&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Kingston Technology&lt;/a&gt;, a data security vendor, &lt;a href="http://www.scmagazine.com/us/news/article/672567/usb-encryption-vendor-suffers-computer-breach/"&gt;reported a breach&lt;/a&gt; initiated when thieves infiltrated a company computer two years ago. That hacking put the credit card files of 27,000 customers at risk. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Kingston has said that none of the financial information was misused. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=IBM&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;IBM&lt;/a&gt; was the victim of a data loss incident in May, when a third-party vendor &lt;a href="http://scmagazine.com/us/news/article/657949/"&gt;lost an undisclosed number of tapes&lt;/a&gt; while transporting them between an IBM location in Westchester County, N.Y., and a permanent storage facility.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-5239278147470587245?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/5239278147470587245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=5239278147470587245' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5239278147470587245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5239278147470587245'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/verisign-suffers-data-breach-after-july.html' title='VeriSign suffers data breach after July laptop theft'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-8344239524085207249</id><published>2007-12-07T01:18:00.000-08:00</published><updated>2007-12-07T01:19:54.730-08:00</updated><title type='text'>Symantec says spam attachments up, image spam down</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Traditional image spam is again on the decrease, but attachment spam - containing images as part of Microsoft Office files - is on the upswing, according to Symantec's "State of Spam" report for August.&lt;/p&gt;        &lt;p&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Image+spam&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Image spam&lt;/a&gt; accounted for only eight percent of all spam during July, a drastic decrease from January, when it totaled 52 percent of junk email. However, the percentage of all spam at the SMTP layer, 66 percent of all email, was consistent with previous months.&lt;/p&gt;&lt;p&gt;Researchers said that &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=PDF+spam&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;PDF spam&lt;/a&gt; increased during July, accounting for between two and eight percent of all spam.&lt;/p&gt;&lt;p&gt;Doug Bowers, senior director of anti-abuse engineering at Symantec, told SCMagazine.com today that the stats contained "nothing that’s a huge surprise," but noted trends showing a drop in image spam and an increase in attachment spam. &lt;/p&gt;&lt;p&gt;"Of note, what we’re seeing is [an increase in] PDFs and the larger trend toward attachment spam," he said. "Last month, it wasn’t clear if spammers were going to stick with this. 
They seem to still be in the poking-and-prodding stage with other attacks."&lt;/p&gt;&lt;p&gt;Twenty-eight percent of all spam pitched products, ranking it as the most common spam category, followed by financial junk mail at 18 percent, internet pitches at 17 percent, health issues at 13 percent and scams at nine percent. &lt;/p&gt;&lt;p&gt;The Santa Clara, Calif.-based company also saw an increase in the use of spam containing Chinese top level domains.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Symantec&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Symantec&lt;/a&gt; reported that it captured 250 million copies of greeting card spam last month. &lt;/p&gt;&lt;p&gt;The content of the cards ranged from everyday greetings to holiday-specific messages, according to Symantec. &lt;/p&gt;&lt;p&gt;Researcher Kelly Conley &lt;a href="http://www.symantec.com/enterprise/security_response/weblog/2007/08/august_state_of_spam_report.html"&gt;said&lt;/a&gt; on the Symantec Security Response Weblog that some versions of greeting card spam lead to malware downloads. &lt;/p&gt;&lt;p&gt;"Greeting card spam containing links to viruses was seen at higher-than-usual numbers in July. More than 250 million Symantec customers were targeted with these message types. Around the Fourth of July, a particularly large outbreak was seen and blogged on," said Conley. "The content of the greeting cards consists of an exposed IP address in most cases, which is a very good indicator that the card is not genuinely good. These exposed IP address links were downloading trojans onto computers." 
&lt;span style="color: rgb(255, 255, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-8344239524085207249?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/8344239524085207249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=8344239524085207249' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/8344239524085207249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/8344239524085207249'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/symantec-says-spam-attachments-up-image.html' title='Symantec says spam attachments up, image spam down'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-1331009178270630166</id><published>2007-12-07T01:15:00.000-08:00</published><updated>2007-12-07T01:17:16.186-08:00</updated><title type='text'>Microsoft delivers nine Patch Tuesday fixes</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Microsoft today plugged 14 vulnerabilities by distributing eight client-side patches, as well as a ninth fix that experts say foreshadows threats posed by virtualization.&lt;/p&gt;        &lt;p&gt;Six of the patches fix critical flaws that 
could permit exploitation by a malicious website. Among those was bulletin MS07-042, which corrects a vulnerability in &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=microsoft&amp;amp;cof=FORID%3A11#1080"&gt;Microsoft&lt;/a&gt; &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=xml+core+services&amp;amp;cof=FORID%3A11#794"&gt;XML Core Services&lt;/a&gt; program that could lead to &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=remote+code+execution&amp;amp;cof=FORID%3A11#981"&gt;remote code execution&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;This bug is particularly harmful because XML Core Services is a "core part of the operating system…and an underlying piece to the way a lot of Windows software works," Tom Cross, an X-Force researcher with IBM ISS, told SCMagazine.com today.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx"&gt;The security update&lt;/a&gt; – one of the largest of the year – also fixes a similar flaw, this one related to an error in object linking and embedding (OLE) technology that permits, for example, a user to copy a chart in Excel and paste it into a PowerPoint presentation, Amol Sarwate, manager of the vulnerability labs at Qualys, told SCMagazine.com.&lt;/p&gt;&lt;p&gt;The other critical patches fix vulnerabilities in &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=activex&amp;amp;cof=FORID%3A11#1385"&gt;ActiveX&lt;/a&gt; controls and cascading style sheets (&lt;a 
href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=css&amp;amp;cof=FORID%3A11#573"&gt;CSS&lt;/a&gt;) in Internet Explorer (&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=ie&amp;amp;cof=FORID%3A11"&gt;IE&lt;/a&gt;); in the graphics device interface (&lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=gdi&amp;amp;cof=FORID%3A11#1481"&gt;GDI&lt;/a&gt;); in Excel and in the vector markup language (VML) implementation.&lt;/p&gt;&lt;p&gt;The GDI bug "does not require any other application like IE or Excel or Media Player" to run, Sarwate said. "It can be exploited easily if someone downloads or views an image file."&lt;/p&gt;&lt;p&gt;Another two "important" bulletins fixed vulnerabilities in Windows Media Player and Windows Gadgets, a new feature that allows &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vista&amp;amp;cof=FORID%3A11#1448"&gt;Vista&lt;/a&gt; users to, for example, display sports scores in a separate bar. 
In total, six of the patches affected the new operating system version but only the gadget flaw resulted from code written specifically for Vista.&lt;/p&gt;&lt;p&gt;None of the flaws exist in &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=server-side&amp;amp;cof=FORID%3A11#1107"&gt;server-side&lt;/a&gt; issues, preventing any "wormable" exploits from occurring, Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com.&lt;/p&gt;&lt;p&gt;"Now you just have to worry about the masses running their desktops and visiting malicious websites," he said.&lt;/p&gt;&lt;p&gt;Experts agreed the most interesting bulletin was MS07-049, an "important" fix that repaired a vulnerability in Virtual PC and Virtual Server, which could permit privilege escalation. If successful, attackers can assume control of the host operating system, giving them access to virtual platforms running beneath the host, Cross said.&lt;/p&gt;&lt;p&gt;Flaws affecting these types of machines are likely to increase as more companies sign on to the cost-savings attraction of &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=virtualization&amp;amp;cof=FORID%3A11#1404"&gt;virtualization&lt;/a&gt;, he said. About 35 percent of U.S. and European firms employ virtualization, he said, citing statistics from Forrester Research. 
&lt;span style="color: rgb(255, 255, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-1331009178270630166?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/1331009178270630166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=1331009178270630166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1331009178270630166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1331009178270630166'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/microsoft-delivers-nine-patch-tuesday.html' title='Microsoft delivers nine Patch Tuesday fixes'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-9178616772618183517</id><published>2007-12-07T01:12:00.000-08:00</published><updated>2007-12-07T01:13:17.469-08:00</updated><title type='text'>46,000 job hunters victimized by malicious recruitment ads</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;The personal information of approximately 46,000 job seekers have been stolen from major job hunting websites by hackers using the so-called Prg trojan.&lt;/p&gt;        &lt;p style="text-align: justify;"&gt;"[The hackers] are 
injecting their ads with the trojan," said Don Jackson, the &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=SecureWorks&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l985"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;SecureWorks&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; researcher who discovered the scheme as well as the original &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Prg+Trojan&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l765"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;Prg trojan&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;. "When a user views or clicks on one of the malicious ads, their PC is infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL protected sites, is being captured and sent off to the hacker's server in Asia Pacific."&lt;/p&gt;&lt;p&gt;He said that information stolen includes names, Social Security numbers, bank and credit card account numbers, online payment account user names and passwords.&lt;/p&gt;&lt;p&gt;SecureWorks discovered the names after developing countermeasures "to detect the network traffic" generated by the Prg trojan on infected systems, Jackson told SCMagazine.com. &lt;/p&gt;&lt;p&gt;"We deployed the [countermeasures] on clients’ systems, then watched where the network traffic was going and followed it to the server [in Asia]," he said. "This one server is still collecting stolen data, and at any one time, we’re seeing 9,000 to 10,000 victims sending information."&lt;/p&gt;&lt;p&gt;Jackson said that the aggregators who sold the hackers ads are apparently unaware that the ads contain links to malicious sites. 
The malware uses &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vulnerabilities+in+Windows&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l1159"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;vulnerabilities in Windows&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vulnerabilities+in+QuickTime&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l1145"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;QuickTime&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;, and &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=vulnerabilities+in+ActiveX+controls&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l1069"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;ActiveX controls&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; to infect users’ systems with executables that collect personal information, such as passwords.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;"Anti-virus software has a hard time finding it because of the way it hides itself and also because it changes executables so frequently – the hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker," he said. 
"Once the anti-virus stops one version, another rolls in and gets through to vulnerabilities the user has not applied patches for."&lt;/p&gt;&lt;p&gt;Because anti-virus software solutions "are not good at catching this, the best way to protect yourself is to patch the operating system and everything else," Jackson said.&lt;/p&gt;&lt;p&gt;Computers infected with the Prg trojan will have a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=back+door+proxy+server&amp;amp;sa=Search&amp;amp;cof=FORID%3A11/l543"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;back door proxy server&lt;/span&gt;&lt;/u&gt;&lt;/a&gt; listening for connections on port 6081, according to Jackson. &lt;/p&gt;&lt;p&gt;"This port is not assigned to legitimate services and is not hidden by the root kit functionality. If port 6081 is open on your computer, you are likely infected with the Prg trojan," said Jackson.&lt;/p&gt;&lt;p&gt;Victims whose anti-virus is not detecting the infection should boot the computer into Safe Mode and run an anti-virus scan. 
"If that fails, manual removal or reinstalling the operating system may be necessary," Jackson said.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-9178616772618183517?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/9178616772618183517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=9178616772618183517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/9178616772618183517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/9178616772618183517'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/46000-job-hunters-victimized-by.html' title='46,000 job hunters victimized by malicious recruitment ads'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-1385488453272129311</id><published>2007-12-07T01:07:00.001-08:00</published><updated>2007-12-07T01:11:43.970-08:00</updated><title type='text'>AOL phisher pleads guilty in ID theft scheme</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;A 23-year-old man accused of sending spam and phishing emails that targeted AOL subscribers pleaded guilty Wednesday in federal court, the U.S. 
Department of Justice (DOJ) announced.&lt;/p&gt;        &lt;p&gt;Michael Dolan, who lists West Haven, Conn. and North Miami Beach, Fla. as previous addresses, agreed to plead guilty to a pair of criminal counts brought against him by the U.S. attorney in Connecticut. One count charges him with conspiracy to commit fraud, the second with aggravated identity theft.&lt;/p&gt;&lt;p&gt;From 2002 to 2006, Dolan worked with several other unidentified individuals to steal names, credit card and bank account numbers, and Social Security numbers via spam and phishing emails sent to &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=aol&amp;amp;cof=FORID%3A11#969"&gt;AOL&lt;/a&gt; subscribers.&lt;/p&gt;&lt;p&gt;Dolan's scheme employed malicious software to collect AOL account names from chat rooms, authorities said. He then sent electronic greeting cards purporting to be from Hallmark.com to the AOL users; opening the card downloaded a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=trojan&amp;amp;cof=FORID%3A11#1438"&gt;trojan&lt;/a&gt; that prevented AOL subscribers from logging into their account without entering &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=personal+information&amp;amp;cof=FORID%3A11#1500"&gt;personal information&lt;/a&gt;, such as credit card and Social Security numbers.&lt;/p&gt;&lt;p&gt;Dolan used the harvested information to order products online and produce counterfeit debit cards, which were then used at ATM machines and retail stores, authorities said. On Sept. 
26, 2006, Dolan was caught with the private and financial information of 96 individuals, according to the DOJ.&lt;/p&gt;&lt;p&gt;The plea agreement calls for Dolan to spend 84 months in prison, then remain on supervised probation for two to three years, and pay a fine of $250,000, plus other fees. Dolan must also make restitution to victims, including covering loss of income.&lt;/p&gt;&lt;p&gt;He is scheduled to be sentenced Nov. 14. &lt;span style="color: rgb(51, 51, 255);"&gt;[SC Magazine]&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-1385488453272129311?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/1385488453272129311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=1385488453272129311' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1385488453272129311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1385488453272129311'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/aol-phisher-pleads-guilty-in-id-theft.html' title='AOL phisher pleads guilty in ID theft scheme'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-4992041426513416088</id><published>2007-12-07T01:05:00.001-08:00</published><updated>2007-12-07T01:05:50.424-08:00</updated><title type='text'>Hackers spread worm via Skype IM</title><content type='html'>&lt;p class="firstPara"&gt;&lt;span style="font-weight: bold;"&gt;A worm posing as a link to glamour model images has been spread via the Skype IM chat system, it was reported today.&lt;/span&gt;  &lt;/p&gt; Hackers launched the Pykse-A worm via Skype instant messages.  
Any recipients who clicked on the link inadvertently infected their computers with a Trojan that downloads and installs the worm.&lt;br /&gt;&lt;br /&gt;"Once it's up and running, the Pykse-A worm attempts to connect to a number of remote websites, presumably in an attempt to generate advertising revenue for them by increasing their number of 'hits'," said Graham Cluley, senior technology consultant for Sophos.  "It's another example of the methods that malware authors can use to make money." &lt;br /&gt;&lt;br /&gt;Last year 63 per cent of system administrators said that blocking VoIP was essential in order to protect corporate networks, according to a poll conducted by Sophos.  The survey also found that 86 per cent of respondents wanted the power to control the use of the internet telephony service in an attempt to protect their company systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-4992041426513416088?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/4992041426513416088/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=4992041426513416088' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4992041426513416088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4992041426513416088'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/hackers-spread-worm-via-skype-im.html' title='Hackers spread worm via Skype 
IM'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-768733283234414241</id><published>2007-12-07T01:00:00.000-08:00</published><updated>2007-12-07T01:03:49.676-08:00</updated><title type='text'>Skype blames downtime on Patch Tuesday re-start, not hackers</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;A simultaneous reboot of computers automatically installing the latest Microsoft patches set off a widespread Skype outage last week, the VoIP company announced today.&lt;/p&gt;        &lt;p&gt;"The high number of re-starts affected &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=skype&amp;amp;cof=FORID%3A11#1165"&gt;Skype&lt;/a&gt;’s network resources," the company said on its &lt;a href="http://heartbeat.skype.com/"&gt;Heartbeat blog&lt;/a&gt;. "This caused a flood of login requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact."&lt;/p&gt;&lt;p&gt;The company said normally the service can withstand this type of event through an "inbuilt ability to self-heal." However, the incident, which began Thursday, unearthed a vulnerability in the service’s network resource allocation algorithm, which prevented the self-healing component from working.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;Skype’s announcement today dispelled rumors that hackers were responsible for the DoS attack. 
A poster on a &lt;a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.xakep.ru%2Fpost%2F39746%2Fdefault.asp&amp;amp;langpair=ru%7Cen&amp;amp;hl=en&amp;amp;ie=UTF8"&gt;Russian forum claimed the crash&lt;/a&gt; was caused by exploiting a buffer overflow vulnerability by sending malformed requests to Skype’s authorization server. The exploit code was posted on a Romanian website.&lt;/p&gt;&lt;p&gt;"We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk," the company said, adding that it has instituted software improvements to prevent a similar incident from happening in the future.&lt;/p&gt;&lt;p&gt;Peter Thermos, chief technology officer of Palindrome Technologies and a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=voip&amp;amp;cof=FORID%3A11#1417"&gt;VoIP&lt;/a&gt; expert, told SCMagazine.com that he finds it odd that a buffer overflow exploit was revealed, but the outage was blamed on &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=microsoft&amp;amp;cof=FORID%3A11#1201"&gt;Microsoft&lt;/a&gt; security updates.&lt;/p&gt;&lt;p&gt;"If [a crash due to patch updates] happened, I’d assume it would happen when Skype was taking off, when they were beginning to become well-known as a peer-to-peer communications company," he said.&lt;/p&gt;&lt;p&gt;Since its launch about four years ago, Skype has faced its fair share of criticism from security experts. 
Last year, the &lt;a href="http://scmagazine.com/us/news/article/547049/skype-branded-danger-enterprise-security/"&gt;Burton Group recommended&lt;/a&gt; enterprises should evaluate whether the closed-source Skype fits into their information protection posture.&lt;/p&gt;&lt;p&gt;In March, variants of the Stration worm &lt;a href="http://www.scmagazine.com/us/news/article/645882/stration-variant-spreading-skype/"&gt;used Skype as a vector&lt;/a&gt; to spread.&lt;/p&gt;&lt;p&gt;Experts have warned internet telephony is at risk to such threats as &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=toll+fraud&amp;amp;cof=FORID%3A11#478"&gt;toll fraud&lt;/a&gt;, &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=eavesdropping&amp;amp;cof=FORID%3A11#1092"&gt;eavesdropping&lt;/a&gt; and &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=phishing&amp;amp;cof=FORID%3A11#1433"&gt;phishing&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;"This disruption was unprecedented in terms of its impact and scope," Skype said. 
"We would like to point out that very few technologies or communications networks today are guaranteed to operate without disruptions."&lt;/p&gt;&lt;p&gt;Skype, owned by eBay, reportedly has more than 200 million registered users.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-768733283234414241?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/768733283234414241/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=768733283234414241' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/768733283234414241'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/768733283234414241'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/skype-blames-downtime-on-patch-tuesday.html' title='Skype blames downtime on Patch Tuesday re-start, not hackers'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-3149588507399951662</id><published>2007-12-07T00:55:00.000-08:00</published><updated>2007-12-07T00:59:41.814-08:00</updated><title type='text'>Attackers steal Monster.com user information</title><content type='html'>&lt;p style="text-align: justify; font-weight: bold;" class="firstPara"&gt;Was Monster.com hacked, or did someone take advantage of one of the 
popular website's fundamental business processes to harvest the personal data of hundreds of thousands of job hunters?&lt;/p&gt;        &lt;p&gt;Security researchers at &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=symantec&amp;amp;cof=FORID%3A11#1345"&gt;Symantec&lt;/a&gt; say the former. Kevin Mandia, a computer forensics expert, believes it might be the latter.&lt;/p&gt;&lt;p&gt;In any case, what is known is that a new trojan, called &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-081617-4608-99"&gt;Infostealer.Monstres&lt;/a&gt;, was attempting to access the &lt;a href="http://www.monster.com/"&gt;Monster.com&lt;/a&gt; online recruitment website.&lt;/p&gt;&lt;p&gt;"The trojan appears to be using the [probably stolen] credentials of a number of recruiters to login to the website and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec researcher Amado Hidalgo said in a &lt;a href="http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_monster_trojan.html"&gt;blog post&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;"The trojan sends HTTP commands to the Monster.com website to navigate to the Managed Folders section," he added. "It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter's saved searches."&lt;/p&gt;&lt;p&gt;The trojan extracted personal information from the resumes and uploaded it to a remote server, Symantec said. The researchers found 1.6 million pieces of compromised data on a single server. 
Separately, &lt;a href="http://www.secureworks.com/research/blog/index.php/2007/8/17/prg-trojan-injected-ads-on-job-sites-46000-victims-infected-thus-far"&gt;SecureWorks&lt;/a&gt;’ researchers found about a dozen smaller collections of stolen data, which included names and home and email addresses.&lt;/p&gt;&lt;p&gt;The perpetrators then used the collected email addresses to send &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=phishing&amp;amp;cof=FORID%3A11#1418"&gt;phishing&lt;/a&gt; messages to job hunters whose information was stolen, SecureWorks said.&lt;/p&gt;&lt;p&gt;Mandia, chief executive officer of Mandiant, said he questions whether Monster.com was in fact "hacked."&lt;/p&gt;&lt;p&gt;"I don't see any evidence that Monster.com was hacked at all — it looks like a business process was compromised," he told SCMagazine.com today.&lt;/p&gt;&lt;p&gt;"I'm not convinced data theft is the right definition" for what occurred, he added. "This is a site that collects people's resumes that are publicly available. Monster.com is a site that people pay to find prospective employees, and someone used an account for data mining so they could send &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=spam&amp;amp;cof=FORID%3A11#1374"&gt;spam&lt;/a&gt;. 
I would imagine something like this could have been happening for years."&lt;/p&gt;&lt;p&gt;Symantec said it has told Monster.com of the problem so it can shut down the recruiter accounts stolen by the &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=trojan&amp;amp;cof=FORID%3A11#1422"&gt;trojan&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;A Monster.com spokesperson did not return a telephone call seeking comment.&lt;/p&gt;source: &lt;span style="color: rgb(51, 102, 255);"&gt;SC Magazine&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-3149588507399951662?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/3149588507399951662/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=3149588507399951662' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3149588507399951662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3149588507399951662'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/attackers-steal-monstercom-user.html' title='Attackers steal Monster.com user information'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2512538594852213561</id><published>2007-12-07T00:48:00.000-08:00</published><updated>2007-12-07T00:53:55.640-08:00</updated><title type='text'>Monster takes down ‘pirate' server with stolen user information</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Monster.com, the job recruitment website that suffered a data breach triggered by the Infostealer.Monstres trojan, said it has closed a "pirate" server housing the personal information of hundreds of thousands of job hunters.&lt;/p&gt;        &lt;p&gt;The server contained the names, addresses, phone numbers and email addresses of &lt;a href="http://www.monster.com/"&gt;Monster.com&lt;/a&gt; job seekers "primarily located in the United States," Monster.com said in a prepared &lt;a href="http://help.monster.com/besafe/"&gt;statement&lt;/a&gt;. The company did not say where the server was located.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.scmagazine.com/us/news/article/732756/attackers-steal-monstercom-user-information"&gt;Reports&lt;/a&gt; early in the week from security vendor &lt;a href="http://wwwsymantec.com/"&gt;Symantec&lt;/a&gt; said researchers had located a server containing 1.6 million records of hundreds of thousands of Monster.com users. The company, however, said it was still working to pinpoint the exact number of people affected by the breach and that it "will be contacting them as appropriate."&lt;/p&gt;&lt;p&gt;According to Symantec, unknown individuals stole the login information for companies looking for employees, then used that information to access Monster.com's job-seeker database. 
The automated Infostealer.Monstres &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=trojan&amp;amp;cof=FORID%3A11#1422"&gt;trojan&lt;/a&gt; transmitted the job-seeker information to the server.&lt;/p&gt;&lt;p&gt;In the final step of the multi-stage attack, the Monster.com users were sent emails with links to at least two forms of &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=malware&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#1453"&gt;malware&lt;/a&gt;. One attempts to harvest login details for financial sites, while the second tries to encrypt data on the user's PC, then demands a ransom to decode the data.&lt;/p&gt;&lt;p&gt;The company warned visitors to its website to "contact us to verify its legitimacy" should they receive an email asking them "to download a tool or update your account or access agreement."&lt;/p&gt;&lt;p&gt;It also urged visitors to "run an &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=anti-virus+application&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#1545"&gt;anti-virus application&lt;/a&gt; to remove anything that may have been installed on your computer, and contact a Monster representative to have your Monster account password changed," if they believe they clicked on a link in one of the fraudulent email messages.&lt;/p&gt;&lt;p&gt;"Regrettably, opportunistic criminals are increasingly using the internet for illegitimate purposes," Monster.com said. "This problem spans the web, particularly websites that receive heavy traffic and serve a variety of users. All online companies are susceptible to occasional scams. 
While Monster makes every effort to prevent this abuse, it is not immune to such activity."&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2512538594852213561?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2512538594852213561/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2512538594852213561' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2512538594852213561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2512538594852213561'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/monster-takes-down-pirate-server-with.html' title='Monster takes down ‘pirate&apos; server with stolen user information'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-23924033164656384</id><published>2007-12-07T00:41:00.000-08:00</published><updated>2007-12-07T00:47:52.021-08:00</updated><title type='text'>Monster.com waited days before informing users of breach</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;The employment website Monster.com, which suffered a huge malware attack this week, waited five days before informing its users that their personal data had been hacked, an executive at the company has 
revealed.&lt;/p&gt;        &lt;p&gt;Patrick Manzo, vice president of compliance and fraud prevention at the New York-based firm, told the Reuters news agency yesterday that the company first learned of the hacking attack on 17 August, when security experts at Symantec told them of the data breach.&lt;/p&gt;&lt;p&gt;Monster.com subsequently posted an advisory notice on its website on 22 August to inform customers of the incident.&lt;/p&gt;&lt;p&gt;Researchers at the security vendor detected the Trojan, called Infostealer.Monstres, which accessed over 1.6 million entries of personal information belonging to several hundred thousand people, mainly based in the US, from the online recruitment site.&lt;/p&gt;&lt;p&gt;Monster.com has also revealed that it has shut down the server that was used to store the compromised information. The company traced the fraudulent servers used in the attack back to the Ukraine and they were closed down on Monday.&lt;/p&gt;&lt;p&gt;In the assault, the hackers stole personal data including names, email addresses, home addresses and telephone numbers, which were then uploaded to the server.&lt;br /&gt;&lt;br /&gt;The online recruitment company also said that it has started to contact all of the users whose personal data was taken during the attack.&lt;/p&gt;&lt;p&gt;Calum Macleod, European director for Cyber-Ark, believes things could get worse for Monster.com, as the hackers could use the personal details to commit identity theft crimes, which could lead to lawsuits against the company.&lt;/p&gt;“By encrypting the details, even if the attackers succeeded in downloading the files, the fact they were protected would render the data unreadable and therefore unusable,” he said.&lt;br /&gt;&lt;br /&gt;Source: &lt;span style="color: rgb(51, 51, 255);"&gt;SC Magazine&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1640971728750954491-23924033164656384?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/23924033164656384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=23924033164656384' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/23924033164656384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/23924033164656384'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/monstercom-waited-days-before-informing.html' title='Monster.com waited days before informing users of breach'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2745688482126248341</id><published>2007-12-07T00:39:00.000-08:00</published><updated>2007-12-07T00:41:04.532-08:00</updated><title type='text'>Attack on Monster.com affects 146,000 USAJobs.gov subscribers</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;About 146,000 users of USAJobs.gov had their personal information compromised in recent attacks on Monster.com, the U.S. Office of Personnel Management (OPM) disclosed this week.&lt;/p&gt;        &lt;p&gt;The breach affected approximately eight percent of the two million USAJobs.gov users, OPM announced in a news release on Wednesday. 
&lt;/p&gt;&lt;p&gt;&lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Monster&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Monster&lt;/a&gt; administrates the USAJobs.gov website for OPM, the agency in charge of the civil service. &lt;/p&gt;&lt;p&gt;Information breached in the attack includes names, email addresses and telephone numbers. No Social Security numbers were compromised, according to OPM. &lt;/p&gt;&lt;p&gt;The breach was part of &lt;a href="http://www.scmagazine.com/us/news/article/732756/attackers-steal-monstercom-user-information/"&gt;a multi-layered attack on Monster&lt;/a&gt;, in which hackers used credentials to access the site, then spread a trojan to capture names, email addresses and telephone numbers of job seekers. &lt;/p&gt;&lt;p&gt;That stolen information was used to deliver &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=spear+phishing&amp;amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;spear phishing&lt;/a&gt; emails to job seekers, requesting financial details or recruiting individuals to join the scam. &lt;/p&gt;&lt;p&gt;Experts have told SCMagazine.com that such multi-layered attacks will become more common in the future. &lt;/p&gt;&lt;p&gt;OPM published a security notice on USAJobs.gov and reminded users that they will not be asked to provide personal information in unsolicited emails. &lt;/p&gt;&lt;p&gt;Users of the website who receive phishing emails should report them to &lt;a href="mailto:mayday@fedjobs.gov"&gt;&lt;u&gt;&lt;span style="color:#0000ff;"&gt;mayday@fedjobs.gov&lt;/span&gt;&lt;/u&gt;&lt;/a&gt;, according to OPM. &lt;/p&gt;&lt;p&gt;OPM is sending letters to all affected subscribers. 
&lt;/p&gt;&lt;div style="text-align: justify;"&gt;OPM spokesman Peter Graves told SCMagazine.com that the agency should complete email notification of all 2 million users today.&lt;span style="font-family:Times New Roman;font-size:100%;"&gt; &lt;/span&gt;Monster officials said this week that &lt;a href="http://scmagazine.com/us/news/article/734648/monster-upgrades-its-security-following-data-breach/"&gt;they’re beefing up security measures&lt;/a&gt; in response to the recent data theft that exposed the personal information of 1.3 million subscribers.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2745688482126248341?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2745688482126248341/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2745688482126248341' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2745688482126248341'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2745688482126248341'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/attack-on-monstercom-affects-146000.html' title='Attack on Monster.com affects 146,000 USAJobs.gov subscribers'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-6063358132627809906</id><published>2007-12-07T00:29:00.000-08:00</published><updated>2007-12-07T00:39:12.512-08:00</updated><title type='text'>Hijacked Bank of India website downloads malware</title><content type='html'>&lt;p class="firstPara"&gt;&lt;span style="font-size:100%;"&gt;The website of one of the leading Indian financial services companies is back online after U.S. researchers discovered it was downloading a wide range of malware to customer PCs.&lt;/span&gt;&lt;/p&gt;        &lt;span style="font-size:100%;"&gt;&lt;a href="http://www.sunbeltsoftware.com/"&gt;Sunbelt Software&lt;/a&gt; discovered Thursday afternoon that the Bank of India's website had been compromised and was distributing about 30 types of malware, Alex Eckelberry, Sunbelt CEO, told SCMagazine.com. Sunbelt learned that the site had become compromised while researching another malware issue. The company contacted the Bank of India, which shut the site down about 2 a.m. EST Friday to clean the server, he said. The site is up and running again.&lt;br /&gt;&lt;br /&gt;"We tracked communication with [the other malware] to the Bank of India site," Eckelberry said. 
"We're fairly certain this was done by the &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=%22Russian+Business+Network%22&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#698"&gt;Russian Business Network&lt;/a&gt; (RBN), an underground criminal gang in Russia responsible for a lot of bad things on the internet."&lt;br /&gt;&lt;br /&gt;The exploit appeared to be a malicious &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=IFRAME%22&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#985"&gt;IFRAME&lt;/a&gt;, which took advantage of a &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=microsoft&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt;Microsoft&lt;/a&gt;&lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=Windows+2003&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11"&gt; Windows 2003&lt;/a&gt; server running the Bank of India site, he added. The IFRAME downloaded a wide variety of malware to PCs that have not been patched since August 2006, Eckelberry said.&lt;br /&gt;&lt;br /&gt;Among the distributed malware were variants of TSPY_AGENT.AAVG and Trojan.Netview, several &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=rootkit&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#1178"&gt;rootkits&lt;/a&gt; and a Trojan.Pandex. 
The former steals information from active windows on vulnerable end-user PCs, as well as information collected by a &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=key+logger&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#1571"&gt;keylogger&lt;/a&gt;, network configuration and user names and passwords from POP3 and SMTP email protocols.&lt;br /&gt;&lt;br /&gt;The collected files were uploaded to an FTP server in Russia, according to Sunbelt.&lt;br /&gt;&lt;br /&gt;"Bank of India had a hole in its systems, and the Russians took the opportunity to insert code into the page," Eckelberry said. "The same thing happened to the &lt;a href="http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Super+Bowl+&amp;amp;sa=Search&amp;amp;cof=FORID%3A11#1115"&gt;Super Bowl&lt;/a&gt; site earlier this year."&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-6063358132627809906?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/6063358132627809906/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=6063358132627809906' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/6063358132627809906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/6063358132627809906'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/hijacked-bank-of-india-website.html' title='Hijacked Bank of India website downloads 
malware'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-1002104563071314763</id><published>2007-12-07T00:27:00.000-08:00</published><updated>2007-12-07T00:28:48.825-08:00</updated><title type='text'>Pentagon servers attacked, but by whom?</title><content type='html'>&lt;p style="font-weight: bold;" class="firstPara"&gt;Is the Chinese military responsible for recent attacks on Pentagon computers?&lt;/p&gt; That's the question after numerous reports surfaced claiming that the People's Liberation Army of China hacked into a system in the office of U.S. Defense Secretary Robert Gates in June.&lt;br /&gt;&lt;br /&gt;In a statement published Tuesday, &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=Pentagon&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#1005"&gt;Pentagon&lt;/a&gt; spokesman Bryan Whitman confirmed that a system in Gates' office was hacked in June.&lt;br /&gt;&lt;br /&gt;He declined, however, to identify the origin of the attack.&lt;br /&gt;&lt;br /&gt;China has denied any involvement in the attacks.&lt;br /&gt;&lt;br /&gt;"Cyber- or non-kinetic type threats to military computer networks are viewed as just as real and just as significant as physical or kinetic threats," Whitman said in the statement. 
"The department aggressively responds to deter all intrusions to defend what is known as the GIG, the global information grid."&lt;br /&gt;&lt;br /&gt;Herb Strauss, vice president and national security analyst at &lt;a href="http://www.scmagazineus.com/pages/search.aspx?q=Gartner&amp;amp;pagetypeid=7&amp;amp;cx=013960771559195911098:vozsgygtesi&amp;amp;cof=FORID:11#1321"&gt;Gartner&lt;/a&gt;, told SCMagazineUS.com today that finding the origin of possible state-sponsored cyberattacks is no easy task.&lt;br /&gt;&lt;br /&gt;"A number of attacks have emanated from China," he said. "This is just one in a series, and the question, the issue that makes it so hard, is answering when it's government-sponsored."&lt;br /&gt;&lt;br /&gt;Many countries have developed what Strauss called "military capabilities in cyber-warfare." In addition, he believes that "every country with some form of IT is looking at how to protect itself and how to attack in the event of attack on itself. This was brought home by the &lt;a href="http://www.scmagazineus.com/After-Estonia-Cyberwarfare-in-the-US/article/35152/"&gt;Russian attacks on Estonia&lt;/a&gt;, which essentially took [Estonian financial institutions] offline.”&lt;br /&gt;&lt;br /&gt;Strauss emphasized that just because the attack “originated in China doesn't necessarily make it a Chinese government attack.”&lt;br /&gt;&lt;br /&gt;“It could be an attack managed from Bermuda that originated in servers in China," he said.&lt;br /&gt;&lt;br /&gt;Strauss said these types of attacks are launched in response to major geo-political events. One such event occurred in April 2001 when a U.S. 
Navy surveillance plane collided in midair with a Chinese jet fighter.&lt;br /&gt;&lt;br /&gt;“[It created a] big flurry of activity, and American citizens not with the government [were] trying to hack into Chinese government sites," he said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-1002104563071314763?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/1002104563071314763/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=1002104563071314763' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1002104563071314763'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/1002104563071314763'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/pentagon-servers-attacked-but-by-whom.html' title='Pentagon servers attacked, but by whom?'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2998230184512318937</id><published>2007-12-06T00:39:00.000-08:00</published><updated>2007-12-06T00:43:01.308-08:00</updated><title type='text'>Vulnerability uncovered within Yahoo Messenger</title><content type='html'>A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.&lt;br 
/&gt;&lt;br /&gt;Details of the vulnerability were first posted on a Chinese-language security forum and were later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog.&lt;br /&gt;&lt;br /&gt;So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.&lt;br /&gt;&lt;br /&gt;The vulnerability affects Yahoo Messenger Version 8.1.0.413. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behavior such as downloading other code, said Greg Day, a security analyst for McAfee.&lt;br /&gt;&lt;br /&gt;McAfee is advising that people reject Web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP Port 5100, which is affiliated with the program's operation, Day said.&lt;br /&gt;&lt;br /&gt;Yahoo could not be immediately reached for comment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2998230184512318937?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2998230184512318937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2998230184512318937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2998230184512318937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2998230184512318937'/><link rel='alternate' type='text/html' 
href='http://searching-minesite.blogspot.com/2007/12/vulnerability-uncovered-within-yahoo.html' title='Vulnerability uncovered within Yahoo Messenger'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-3749257090202204109</id><published>2007-12-05T23:46:00.000-08:00</published><updated>2007-12-06T00:29:38.568-08:00</updated><title type='text'>The top 10 reasons Web sites get hacked</title><content type='html'>&lt;h3 style="font-weight: normal;"&gt;Web developers ignore security flaws at customers' peril&lt;/h3&gt;&lt;a href="http://www.networkworld.com/topics/web-security.html"&gt;Web security&lt;/a&gt; is at the top of customers’ minds after many well-publicized personal &lt;a href="http://www.networkworld.com/news/2007/032907-tjx-data-theft-largest.html?nwwpkg=breaches"&gt;data breaches&lt;/a&gt;, but the people who actually build Web &lt;a href="http://www.networkworld.com/topics/applications.html"&gt;applications&lt;/a&gt; aren’t paying much attention to security, experts say.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;“They’re totally ignoring it,” says IT consultant Joel Snyder. “When you go to your Web site design team, what you’re looking for is people who are creative and able to build these interesting Web sites… That’s No. 1, and No. 9 on the list would be that it’s a secure Web site.”&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;p&gt;The biggest problem is designers aren’t building walls within Web applications to partition and validate data moving between                         parts of the system, he says.                      
&lt;/p&gt;                      &lt;p&gt;Security is usually something that’s considered after a site is built rather than before it is designed, agrees Khalid Kark,                         senior analyst at Forrester.                      &lt;/p&gt;                      &lt;p&gt;“I’d say the majority of Web sites are hackable,” Kark says. “The crux of the problem is security isn’t thought of at the                         time of creating the application.”                      &lt;/p&gt;                      &lt;p&gt;That’s a big problem, and it’s one the nonprofit &lt;a style="color: rgb(51, 51, 255);" href="http://www.owasp.org/index.php/Main_Page"&gt;Open Web Application Security Project (OWASP)&lt;/a&gt; is trying to solve. An OWASP report called “The Ten Most Critical Web Application Security Vulnerabilities” was issued this                         year to raise awareness about the biggest security challenges facing Web developers.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;The first version of the list was released in 2004, but OWASP Chairman Jeff Williams says Web security has barely improved.                         New technologies such as &lt;a style="color: rgb(51, 0, 51);" href="http://www.networkworld.com/news/2007/020707-ajax.html"&gt;AJAX&lt;/a&gt;&lt;span style="color: rgb(51, 0, 51);"&gt; and &lt;/span&gt;&lt;a style="color: rgb(51, 0, 51);" href="http://www.networkworld.com/news/2007/092107-orbitz.html"&gt;Rich Internet Applications&lt;/a&gt; that make Web sites look better also create more attack surfaces, he says. Convincing businesses their Web sites are insecure                         is no easy task, though.                      
&lt;/p&gt;                      &lt;p&gt;“It’s frustrating to me, because these flaws are so easy to find and so easy to exploit,” says Williams, who is also CEO and                         co-founder of &lt;a href="http://www.aspectsecurity.com/"&gt;Aspect Security.&lt;/a&gt;  “It’s like missing a wall on a house.”                      &lt;/p&gt;                      &lt;p&gt;Here is a summary of OWASP’s top 10 Web vulnerabilities, including a description of each problem, real-world examples and                         how to fix the flaws.&lt;/p&gt;&lt;p&gt;&lt;b&gt;1. Cross site scripting (XSS)&lt;/b&gt;&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct &lt;a href="http://www.networkworld.com/topics/spam.html"&gt;phishing and malware attacks.&lt;/a&gt;&lt;/p&gt;                      &lt;p&gt;Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a                         hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; &lt;a style="color: rgb(255, 0, 0);" href="http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html"&gt;PayPal&lt;/a&gt; was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006. 
&lt;/p&gt;                      &lt;b&gt;How to protect users:&lt;/b&gt; Use a whitelist to validate all incoming data, which rejects any data that’s not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, use appropriate encoding of all output data. “Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser,” OWASP says.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;2. Injection flaws&lt;br /&gt;&lt;/b&gt;&lt;b&gt;&lt;br /&gt;The problem:&lt;/b&gt; When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”                       &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; &lt;a href="http://www.webappsec.org/projects/whid/list_id_2006-3.shtml"&gt;Russian hackers&lt;/a&gt; broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection                         attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Avoid using interpreters if possible. “If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries,” OWASP writes. &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;3. 
Malicious file execution&lt;/b&gt;&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of                         Web &lt;a href="http://www.networkworld.com/topics/applications.html"&gt;application&lt;/a&gt; is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development. &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information&lt;a href="http://www.networkworld.com/topics/security.html"&gt; security&lt;/a&gt; the next year after being investigated by the Federal Trade Commission.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Don’t use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set &lt;a href="http://www.networkworld.com/topics/firewalls.html"&gt;firewall&lt;/a&gt; rules to prevent new connections to external Web sites and internal systems.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;4. Insecure direct object reference&lt;/b&gt;&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form                         parameters contain references to objects such as files, directories, database records or keys.                      
&lt;/p&gt;                      &lt;p&gt;Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.&lt;/p&gt;                      &lt;p&gt;“References to database keys are frequently exposed,” OWASP writes. “An attacker can attack these parameters simply by guessing                         or searching for another valid key. Often, these are sequential in nature.”                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on                         17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.                      &lt;/p&gt;                      &lt;b&gt;How to protect users:&lt;/b&gt; Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can’t                         avoid direct references, authorize Web site visitors before using them.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;5. Cross site request forgery&lt;br /&gt;&lt;/b&gt;&lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; “Simple and devastating,” this attack takes control of a victim’s browser when it is logged onto a Web site, and sends malicious                         requests to the Web &lt;a href="http://www.networkworld.com/topics/applications.html"&gt;application.&lt;/a&gt; Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or “remember                         me” functionality. Banks are potential targets.                      &lt;/p&gt;                      &lt;p&gt;“Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery,” Williams says. “Has there been an actual exploit where someone’s lost money? Probably the banks don’t even know. 
To the bank, all it looks like is a legitimate transaction from a logged-in user.” &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; A hacker known as Samy gained more than a million “friends” on MySpace.com with a worm in late 2005, automatically including                         the message “Samy is my hero” in thousands of MySpace pages. &lt;a href="http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy"&gt;The attack&lt;/a&gt; itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross                         site request forgery. Another example that came to light one year ago exposed a  &lt;a href="http://www.networkworld.com/news/2007/071607-google-security-scrutiny.html"&gt;Google vulnerability&lt;/a&gt; allowing outside sites to change a &lt;a href="http://www.networkworld.com/news/financial/google.html"&gt;Google&lt;/a&gt; user’s language preferences.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Don’t rely on credentials or tokens automatically submitted by browsers. “The only solution is to use a custom token that                         the browser will not ‘remember,’” OWASP writes.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;6. Information leakage and improper error handling&lt;/b&gt;&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program’s configuration and internal workings. &lt;/p&gt;                      &lt;p&gt;“Web &lt;a href="http://www.networkworld.com/topics/applications.html"&gt;applications&lt;/a&gt; will often leak information about their internal state through detailed or debug error messages. 
Often, this information                         can be leveraged to launch or even automate more powerful attacks,” OWASP says.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data. &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Use a testing tool such as OWASP’s &lt;a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project"&gt;WebScarab Project&lt;/a&gt; to see what errors your application generates. “Applications that have not been tested in this way will almost certainly                         generate unexpected error output,” OWASP writes.                      &lt;/p&gt;                      &lt;b&gt;Another tip:&lt;/b&gt; disable or limit detailed error handling, and don’t display debug information to users.&lt;br /&gt;&lt;b&gt;&lt;br /&gt;7. Broken authentication and session management&lt;br /&gt;&lt;/b&gt;&lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls. 
&lt;/p&gt;                      &lt;p&gt;“Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update,” OWASP writes. &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; Microsoft had to eliminate a vulnerability in &lt;a href="http://www.networkworld.com/news/2007/060507-web-host-bans-hotmail-turns.html"&gt;Hotmail&lt;/a&gt; that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller,                         the flaw was vulnerable to &lt;a href="http://www.networkworld.com/topics/messaging.html"&gt;e-mails&lt;/a&gt; containing &lt;a href="http://www.networkworld.com/news/2007/021207-storm-trojan-ignites-worm.html"&gt;Trojans&lt;/a&gt; that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to                         hackers.                      &lt;/p&gt;                      &lt;p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Communication and credential storage has to be secure. The SSL &lt;a href="http://www.networkworld.com/news/tech/2007/010807techupdate.html"&gt;protocol&lt;/a&gt; for transmitting private documents should be the only option for authenticated parts of the application, and credentials                         should be stored in hashed or encrypted form.                      &lt;/p&gt;                      &lt;p&gt;Another tip: get rid of custom cookies used for authentication or session management.&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;8. Insecure cryptographic storage&lt;/b&gt;&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications.                         
Even when encryption is present, it’s often poorly designed, using inappropriate ciphers.                      &lt;/p&gt;                      &lt;p&gt;“These flaws can lead to disclosure of sensitive data and compliance violations,” OWASP writes.&lt;/p&gt;                      &lt;p&gt;&lt;b&gt;Real-world example:&lt;/b&gt; The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005. &lt;/p&gt;&lt;b&gt;How to protect users:&lt;/b&gt; Don’t invent your own cryptographic algorithms. “Only use approved public algorithms such as AES, RSA public key cryptography,                      and SHA-256 or better for hashing,” OWASP advises.                       &lt;p&gt;Furthermore, generate keys offline, and never transmit private keys over insecure channels.&lt;/p&gt;                      It’s pretty common to store credit card numbers these days, but with a &lt;a href="https://www.pcisecuritystandards.org/"&gt;Payment Card Industry Data Security Standard&lt;/a&gt; compliance deadline coming next year, OWASP says it’s easier to stop storing the numbers altogether.&lt;br /&gt;&lt;br /&gt;..............]&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;p&gt;                      &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-3749257090202204109?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/3749257090202204109/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=3749257090202204109' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3749257090202204109'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/3749257090202204109'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/top-10-reasons-web-sites-get-hacked.html' title='The top 10 reasons Web sites get hacked'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-6955789543984448258</id><published>2007-12-05T23:32:00.000-08:00</published><updated>2007-12-05T23:39:45.159-08:00</updated><title type='text'>Hacker breaks into eBay server, locks users out</title><content type='html'>A malicious hacker broke into an eBay server on Friday and temporarily suspended the accounts of a "very small" number of                         members, the company said.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;"We were able to block the fraudster quickly before any permanent damage had been done. At no point did the fraudster get any access to financial information or other sensitive information," eBay spokeswoman Nichola Sharpe said via e-mail.&lt;br /&gt;&lt;p style="text-align: left;"&gt;EBay has "secured and restored" the affected accounts and is calling the affected users, she said, without specifying how                         many accounts the hacker accessed and tinkered with.                      
&lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;"The fraudster did this by accessing externally visible servers, not by hacking into the eBay site," Sharpe said.&lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;She didn't immediately reply to followup questions from &lt;i&gt;IDG News Service&lt;/i&gt; seeking clarification on what is an "externally visible" server and how it's different from an eBay site server.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;EBay faces attacks to compromise its systems "every day," Sharpe said. "After learning of the recent situation, we quickly                         reacted to it," she said.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;"As we continue to lock down on the traditional ways that bad guys have attempted to exploit our system, it is only natural                         that they will look for new ways to get in. It is an ongoing battle," she said.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;The incident, first reported by e-commerce news &lt;span style="color: rgb(0, 0, 102);"&gt;site&lt;span style="color: rgb(51, 51, 51);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a style="color: rgb(51, 51, 51);" href="http://www.auctionbytes.com/"&gt;AuctionBytes&lt;/a&gt;&lt;span style="color: rgb(51, 51, 51);"&gt;, happened a little over a week after someone used an eBay discussion forum to &lt;/span&gt;&lt;a style="color: rgb(51, 51, 51);" href="http://www.networkworld.com/news/2007/092607-ebay.html"&gt;post confidential information&lt;/a&gt;&lt;span style="color: rgb(51, 51, 51);"&gt; about eBay users.                      
&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: left; color: rgb(51, 51, 51);"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;&lt;span style="color: rgb(51, 0, 51);"&gt;&lt;span style="color: rgb(51, 51, 51);"&gt;The previous incident led the e-commerce giant to shut down the forum&lt;/span&gt;, &lt;/span&gt;one that ironically was devoted to the discussion of                         security issues.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;The perpetrator of that confidential data disclosure posted the names and contact information of 1,200 eBay members on the company's Trust &amp;amp; Safety discussion forum, along with credit card numbers that were later determined to be invalid. &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;EBay eventually concluded that the attacker obtained the information via a phishing scheme, tricking individual members into                         disclosing the data.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;Friday's hack has quite a few eBay members rattled, judging by &lt;a href="http://forums.ebay.com/db2/thread.jspa?threadID=2000445800&amp;amp;start=0"&gt;&lt;span style="color: rgb(51, 0, 51);"&gt;this long discussion forum&lt;/span&gt; &lt;span style="color: rgb(51, 0, 51);"&gt;thread&lt;/span&gt;&lt;/a&gt;&lt;span style="color: rgb(51, 0, 51);"&gt; abo&lt;/span&gt;ut the incident.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;In that thread, some affected eBay members report receiving e-mails from a hacker identified as Vladuz saying that he had                         targeted them for posting forum comments that were critical of him.                      
&lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;Vladuz has in the past reportedly stolen login information that has allowed him to post messages to eBay discussion forums                         as if he were an eBay employee.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;In i&lt;span style="color: rgb(51, 0, 51);"&gt;ts &lt;/span&gt;&lt;a style="color: rgb(51, 0, 51);" href="http://blog.auctionbytes.com/cgi-bin/blog/blog.pl?/pl/2007/10/1191718840.html"&gt;article&lt;/a&gt;&lt;span style="color: rgb(51, 0, 51);"&gt;, Aucti&lt;/span&gt;onBytes said Vladuz has been targeting eBay for about 10 months.                      &lt;/p&gt;&lt;div style="text-align: left;"&gt;                      &lt;/div&gt;&lt;p style="text-align: left;"&gt;Sharpe didn't immediately reply to the question whether eBay knows who was behind Friday's attack.&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-6955789543984448258?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/6955789543984448258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=6955789543984448258' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/6955789543984448258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/6955789543984448258'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/hacker-breaks-into-ebay-server-locks.html' title='Hacker breaks into 
eBay server, locks users out'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-5173700856306195538</id><published>2007-12-05T23:21:00.000-08:00</published><updated>2007-12-05T23:31:35.571-08:00</updated><title type='text'>7 things your IT department doesn't want you to know</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;span style="font-family: verdana;"&gt;IT staffers have good reasons for restricting your use of company systems. To guard your organization's PCs, data, and bandwidth, the pocket-protector crowd may frown on IM software on company PCs, ban unauthorized software use, and limit transfers of large files.&lt;br /&gt;But you can still safely transmit files of many sizes, chat on your favorite IM client, and use unapproved but legal and harmless software.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Transfer huge files&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Most businesses impose a ceiling on the size of e-mail attachments they'll accept, but you needn't let that prevent you from receiving the files required for your work.&lt;br /&gt;&lt;br /&gt;Box.net, SendSpace, SendThisFile, and YouSendIt offer free file-transfer services, low-cost premium plans for sending giant files, and password-protected transmission. For example, YouSendIt lets you send files of 100MB or less without requiring you to register; other sites insist that you provide an e-mail address when you sign up. 
Recipients usually have a week to click the link in their e-mail to download a file from the service's server.&lt;br /&gt;&lt;br /&gt;The YouSendIt online file-transfer service lets you send files in capacities of up to 100MB for free, without registering. You must supply an e-mail address in order to make a password-protected transfer, however.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;If you want to chat...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Most companies discourage or prohibit IM software, citing security concerns and the strain it places on network resources. Unfortunately, the workaround--Web-based instant messaging--probably uses even more system bandwidth; but at least offerings such as AOL's AIM Express and Google's IM service work without needing any additional software.&lt;br /&gt;&lt;br /&gt;If your company's IT staff hasn't blocked multiple-IM clients, you can use Trillian Basic for added privacy because it encrypts the communication. Alternatively, use a third-party IM enabler like Meebo, which lets you IM from its home page on the Web, with the option of logging on anonymously.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Run any app at work&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Policies that forbid nonapproved software needn't prevent you from legally and safely using programs that help you with your job or that are otherwise harmless. If your company hasn't deactivated the external ports on its PCs, simply load whatever software you want onto a U3-enabled USB flash memory drive or portable hard drive. The apps and data on U3 drives remain independent of your system. 
When you remove the drive from the USB port, the files and applications vanish along with it.&lt;br /&gt;&lt;br /&gt;PortableApps.com offers free open-source software that you can save to any external storage device; all of the files temporarily stored on your work PC while you use the software disappear when you unplug the drive.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Unblock company-prohibited Web sites&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Aware of possible legal entanglements, most companies block porn, gambling, and known malware-compromised addresses. But along the way, excessively zealous IT departments may block access to Web mail, instant messaging, and other everyday sites.&lt;br /&gt;&lt;br /&gt;Fear not. By surfing via a proxy--an unblocked third-party site--you can circumambulate this roadblock. Go to the home page of Proxy.org for links to hundreds of third-party proxy sites. The major downside of surfing via proxy is the delay in page loads that results from having your desired site's page info pass through the proxy's server before it gets relayed to you. Be prepared to surf at a slower pace, and check out the proxy site's credentials in advance, to avoid security risks. Most proxy sites are free and offer anonymous surfing, but some are open to malicious content. On the home page of Proxy.org, you'll find a full explanation of how proxies work.&lt;br /&gt;&lt;br /&gt;Another way to unblock a site is to use Google's translation page. 
Though originally intended to translate foreign language pages into the language of your choice, this tool also functions as a proxy if you use it to translate from English to English.&lt;br /&gt;&lt;br /&gt;In your browser's address bar, type: http://www.google.com/translate?langpair=en|en&amp;amp;u=www.site.com as a single line with no letter spaces (including after the question mark), but replace 'www.site.com' with the blocked Web address.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Store your work files online&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Your boss may expect you to get your work done even if you're not at the office, but your company's computer security policy may not afford easy (or any) access to the files you need. One option is to save them to a USB or other portable storage device before you leave the office. Another is to upload the files you know you'll need to an online storage site such as Box.net or AOL's Xdrive. Most of these services provide at least a couple of gigabytes of free storage. Gmail, Yahoo Mail, Hotmail, and other Web mail services provide anywhere from 5GB to unlimited mail storage, so a third option is to e-mail the files to your personal e-mail account, where you can access them as attachments.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Get your company mail when you're away from the office&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Because companies are (rightfully) fearful of intrusions into their e-mail servers, they may prevent employees from accessing their work accounts from outside the office. Others lack support for BlackBerrys and other phone-based e-mail devices, thus preventing their employees from receiving work mail on those devices.&lt;br /&gt;&lt;br /&gt;One way to get around this message dam is to forward your e-mail while keeping it on the original server. In Outlook, select Tools, Rules and Alerts. 
With the E-Mail Rules tab selected, click the New Rule button and choose the Start from a blank rule button. The rules wizard window will pop up with the first two steps already filled in. Click Next, check sent only to me from the "conditions" offered. Click Next, and in the Select action(s) window choose forward to people or distribution list. In Step 2, click the people or distribution list link. In 'Specify whom to forward messages to' type the e-mail address you are forwarding to. Click OK and Finish.&lt;br /&gt;&lt;br /&gt;In Outlook Express, select Tools, Message Rules, Mail. A four-step selection window appears. Choose the appropriate rule in each window. In Step 3, click the Forward it to people link, enter your forwarding e-mail address, and click OK. In Step 4, type a name for your new forwarding rule (such as Forward to Yahoo address) and click OK.&lt;br /&gt;Now your mail will appear as usual in your company inbox as well as at your forwarded address. Just remember that if you reply to messages at your forwarded address, recipients will see that address, not your company address.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Keep your e-mail private&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Whether you get your e-mail on a company network or through a Web mail service, your company has the legal right to monitor your incoming and outgoing messages.&lt;br /&gt;&lt;br /&gt;But you can shut out corporate snoops by encrypting your messages. Of course, doing so may raise a red flag in the IT department, if staffers there detect it (and they may). So if you're concerned about sending e-mail that your employer may not approve of, consider waiting until you're back on your own personal PC before sending it.&lt;br /&gt;&lt;br /&gt;To encrypt any e-mail message, all you need is a Digital ID certificate. Various companies, including VeriSign, sell these; VeriSign's cost $20 a year. 
To obtain a Digital ID in Outlook 2003, select Tools, Options, Security and click the Get Digital ID button. Once obtained, the ID will automatically install itself in your Web browser or e-mail program. A Digital ID acts as an electronic substitute for a sealed envelope and handwritten signature. It lets you encrypt e-mail and attachments, protecting them from being read by online intruders. Only your intended recipient can decrypt them. Of course, you'll have to share your password with your recipient to make this possible.&lt;br /&gt;&lt;br /&gt;For Web mail, a quick trick is to add an "s" after the "p" in the "http://" portion of the address bar; this will switch you to a secure, encrypted connection. For example, https://mail.aol.com or https://mail.google.com will connect you to each service in such a way that only you can read your incoming messages, and only the intended recipients can read your outgoing mail. Microsoft automatically encrypts messages in its Hotmail accounts, but the "https:" trick does not work for Yahoo Mail.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-5173700856306195538?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/5173700856306195538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=5173700856306195538' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5173700856306195538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/5173700856306195538'/><link rel='alternate' type='text/html' 
href='http://searching-minesite.blogspot.com/2007/12/7-things-your-it-department-doesnt-want.html' title='7 things your IT department doesn&apos;t want you to know'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-4145583786428672529</id><published>2007-12-05T21:59:00.000-08:00</published><updated>2007-12-05T23:20:32.129-08:00</updated><title type='text'>Windows flaw could steer IE to hackers</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;Microsoft Monday said that a flaw in the way its Windows operating system looks up other computers on the Internet has resurfaced and could expose some customers to online attacks.&lt;br /&gt;The flaw primarily affects corporate users outside of the U.S. It could theoretically be exploited by attackers to silently redirect a victim to a malicious Web site.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Microsoft originally patched this flaw in 1999, but it was rediscovered recently in later versions of Windows and was then publicized at a recent hacker conference in New Zealand. 
"This is a variation of that previously reported vulnerability that manifests when certain client side settings are made," said Mike Reavey, a group manager at Microsoft's Security Response Center.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;The bug has to do with the way Windows systems look for DNS information under certain configurations.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;Any version of Windows could theoretically be affected by the flaw, but Microsoft issued an advisory Monday explaining which Windows configurations are at risk and offering some possible workarounds for customers. The company said it is working to release a security patch for the problem.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;Here's how the attack would work: When a Windows system is specially configured with its own DNS Suffix it will automatically search the network for DNS information on a Web Proxy Auto-Discovery (WPAD) server. Typically this server would be a trusted machine, running on the victim's own network.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;WPAD servers are used to cut down on the manual configuration required to get Windows systems working on the network. DNS suffixes are used to associate computers with certain domains of the network and to simplify administration.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:85%;"&gt;To make it easier for the PC to find a WPAD server, Windows uses a technique called DNS devolution to search the network for the server. 
For example, if an IDG PC was given a DNS suffix of corp.idg.co.uk, it would automatically look for a WPAD server at wpad.corp.idg.co.uk. If that failed, it would try wpad.idg.co.uk and then wpad.co.uk. And that's where the problem lies: by looking for DNS information on wpad.co.uk, the Windows machine has now left the IDG network and is doing a DNS look-up on an untrusted PC.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Reavey says that this problem only affects customers whose domain names begin with a "third-level or deeper" domain, meaning that even with the DNS suffix, users on networks like idg.com or dhs.gov are not affected.&lt;br /&gt;&lt;br /&gt;source: &lt;span style="color: rgb(51, 102, 255);"&gt;networkworld.com&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-4145583786428672529?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/4145583786428672529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=4145583786428672529' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4145583786428672529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/4145583786428672529'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/windows-flaw-could-steer-ie-to-hackers.html' title='Windows flaw could steer IE to hackers'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1640971728750954491.post-2647037517300919354</id><published>2007-12-05T21:53:00.000-08:00</published><updated>2007-12-05T21:56:01.400-08:00</updated><title type='text'>Webroot, Email Systems team for new e-mail security service</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;Will include e-mail archiving, encryption, antivirus services&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Webroot announced this week that it will be teaming up with Email Systems, a software-as-a-service security provider, to deliver e-mail security services to enterprise users.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;According to Webroot, the two companies will offer a comprehensive e-mail security service that will include such features as e-mail archiving, image scanning and encryption, antispam, antiphishing and antivirus services. Additionally, the service will provide Web security through http Web filtering and other Web-based communications.
Webroot says that it will begin integrating its new e-mail protection services to its antispyware and antivirus programs.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;“Our customers will now be able to easily engage a multilayered security strategy that includes industry-leading endpoint and SaaS-based perimeter security in a unique and integrated package,” says Mike Irwin, COO of Webroot.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;Email Systems has been providing e-mail protection and management services to businesses since 2002. Its current package of e-mail protection services includes custom filtering rules for content monitoring; end-to-end e-mail encryption that allows content checking; a disaster recovery mechanism that queues and buffers e-mails that have failed to connect to servers; and a filter that detects spam by continuously scanning unsolicited e-mails that are sent worldwide on a massive scale.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;Email Systems CEO Neil Hammerton says that his company will benefit from Webroot’s broader global reach, thus enabling Email Systems to reach a wider group of customers. He also notes that the two companies’ products complement each other and that “we feel like we are poised to take full advantage of a technology sea change.”&lt;br /&gt;&lt;br /&gt;Brian Burke, a program director for security products at the IDC market intelligence firm, says he expects the use of hosted messaging security services such as Webroot’s and Email Systems’ to grow exponentially in the near future.
Overall, IDC projects worldwide spending on hosted messaging services to nearly quintuple over the next four years, reaching $1.4 billion by 2011.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;source: &lt;span style="color: rgb(51, 51, 255);"&gt;networkworld.com&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1640971728750954491-2647037517300919354?l=searching-minesite.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://searching-minesite.blogspot.com/feeds/2647037517300919354/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1640971728750954491&amp;postID=2647037517300919354' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2647037517300919354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1640971728750954491/posts/default/2647037517300919354'/><link rel='alternate' type='text/html' href='http://searching-minesite.blogspot.com/2007/12/webroot-email-systems-team-for-new-e.html' title='Webroot, Email Systems team for new e-mail security service'/><author><name>(¯`·._.·[_Oby_One®_]·._.·´¯)</name><uri>http://www.blogger.com/profile/12754582494395188149</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
