December 13, 2007
iPhone will be 'primary target' for hackers in 2008
Arbor Network's Security and Engineering Response Team (ASERT) forecast that the iPhone will become "the victim of a serious attack" in 2008.
According to the firm, these assaults are likely to take the form of drive-by attacks: malware embedded in seemingly harmless web content, images or other media that performs dangerous actions when rendered by the iPhone's web browser.
With the scrutiny the iPhone has received since its launch earlier this year over network lock-in, Arbor believes that hackers will be enticed by the possibility of attacking Apple users and the opportunity to "be the first" to hack a new platform.
The company also predicted a rise in 'Chinese on Chinese' cybercrime.
In the past year the team has seen a dramatic increase in the attention paid to Chinese-language software such as QQ Messenger, along with a number of malware samples focused on stealing users' credentials. Arbor expects this trend to grow in 2008 as more Chinese users come online, more software is written for that market and Chinese cybercriminals become more sophisticated and organised.
"2007 was the year of the browser exploit, the data breach, spyware and the storm worm. We expect 2008 to be the year of the iPhone attack, the Chinese Hacker, P2P network spammers and the hijacking of the Storm botnet," said Jose Nazario, senior security engineer at Arbor Networks.
Researchers warn of Microsoft Access Database exploit
Targeted phishing emails are attempting to infect the machines of users who are tricked into opening malicious Microsoft Access Database (MDB) files, US-CERT said in a warning this week.
The bogus files attempt to exploit a stack-based buffer overflow that occurs when Microsoft Access processes specially crafted database files, according to the advisory. Should a user open such a file, their machine could be loaded with malicious software.
Microsoft considers MDB files, which allow for embedded script, unsafe.
"Various Microsoft applications prevent users from opening this type of file, or warn them before they open the file," a company spokesman told SCMagazineUS.com today in an email.
The spokesman confirmed that Microsoft was aware of public exploit reports.
Craig Schmugar, threat research manager for McAfee Avert Labs, told SCMagazineUS.com that the attacks likely take advantage of either of two unpatched Microsoft Jet Database vulnerabilities.
Researchers at McAfee have spotted the flaws being exploited in a limited manner, mostly targeting "entities related to government," he said.
Schmugar said socially engineered attacks that leverage the flaw may succeed because users tend to trust certain file types.
"People might think it's an Office document," he said. "They might be less apprehensive about accessing it."
Meanwhile, businesses should ensure they block MDB files at the email gateway, the US-CERT warning advised.
"While Microsoft treats them as unsafe, many companies may not," Schmugar said.
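Blocking MDB files at the gateway by extension alone misses a database that has been renamed to look like an Office document, which is exactly the confusion Schmugar describes. The following is an added example, not code from US-CERT, Microsoft or McAfee, of a gateway check that inspects the Jet database header (the bytes 00 01 00 00 followed by "Standard Jet DB" at offset 4, a documented property of the format) as well as the file extension. The attachment names and contents are constructed for the demonstration.

```python
import os
from typing import Dict, List, Tuple

# Jet/ACE database files begin with 00 01 00 00 and carry a version string
# at offset 4.  These signatures are documented format facts, not taken
# from the article.
JET_MAGIC = b"\x00\x01\x00\x00"
JET_SIGNATURES = (
    b"Standard Jet DB",   # .mdb / .mde (Jet 3.x and 4.x)
    b"Standard ACE DB",   # .accdb / .accde (Access 2007 and later)
)
# Extensions a gateway should refuse regardless of content.
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde", ".ade", ".adp"}


def looks_like_jet_database(data: bytes) -> bool:
    """Return True when the first 19 bytes carry a Jet/ACE database header.
    A file shorter than the header can never match, so no special case."""
    return data[:4] == JET_MAGIC and data[4:19] in JET_SIGNATURES


def classify_attachment(filename: str, data: bytes) -> str:
    """Decide 'block' or 'allow' for one attachment.

    The decision is taken on the extension OR on the content, so renaming
    evil.mdb to report.doc does not get it past the gateway."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if looks_like_jet_database(data):
        return "block"
    return "allow"


def scan_message(attachments: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Classify every attachment of one message; returns name -> decision."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed sample attachments (hypothetical names and padded contents).
JET_HEADER = JET_MAGIC + b"Standard Jet DB\x00"
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("quarterly.mdb", JET_HEADER + b"\x00" * 64),   # honest extension
    ("budget.doc", JET_HEADER + b"\x00" * 64),      # database renamed as Word file
    ("report.docx", b"PK\x03\x04" + b"\x00" * 64),  # zip-based Office document
    ("notes.txt", b"meeting at 10"),
]

if __name__ == "__main__":
    for name, decision in scan_message(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16s} {decision}")
```

The renamed `budget.doc` is still blocked because the content check fires; the real `.docx` passes because a zip container does not carry the Jet header. A production gateway would apply the same two-pronged rule to the other file types Microsoft treats as unsafe.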
December 12, 2007
Codec flaws threaten Windows Media Player, Winamp
The "highly critical" vulnerabilities, according to Secunia, are located in 3ivx Technologies' MPEG-4 codec, a third-party component used to create and play back MP4 files. The bugs are caused by boundary errors that can lead to stack-based buffer overflows when a maliciously crafted MP4 file is parsed.
Experts have seen proof-of-concept code affecting Windows Media Player 6.4, Media Player Classic 6.4.9 and Winamp 5.32, all older versions of the popular multimedia applications. But other versions are likely vulnerable as well, Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com today.
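The boundary errors described above belong to a familiar class: a length field read from the file is trusted and used to copy data into a fixed-size buffer. The following is an added example, not 3ivx's or any player's code, of the checks a parser of the MP4 box structure (a 32-bit big-endian size, a four-character type, optional 64-bit "largesize") has to make before it believes a declared size; the sample files are constructed, and the point generalises to any length-prefixed media format.

```python
import struct
from typing import List, Tuple

BOX_HEADER = struct.Struct(">I4s")   # 32-bit big-endian size, 4-byte type


def walk_boxes(data: bytes) -> List[Tuple[str, int]]:
    """Walk the top-level boxes of an ISO base media (MP4) file, validating
    every declared size against the bytes actually present.

    Returns [(type, size), ...] or raises ValueError on the inconsistencies a
    careless codec would trust: a size larger than the data that remains
    (read past the buffer) or smaller than the header (negative length /
    infinite loop)."""
    boxes: List[Tuple[str, int]] = []
    pos, total = 0, len(data)
    while pos < total:
        remaining = total - pos
        if remaining < BOX_HEADER.size:
            raise ValueError(f"truncated box header at offset {pos}")
        size, box_type = BOX_HEADER.unpack_from(data, pos)
        header_len = BOX_HEADER.size
        if size == 1:
            # size == 1 means a 64-bit largesize follows the 8-byte header
            if remaining < 16:
                raise ValueError(f"truncated largesize at offset {pos}")
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header_len = 16
        elif size == 0:
            # size == 0 means the box runs to the end of the file
            size = remaining
        if size < header_len:
            raise ValueError(f"box size {size} smaller than its header at {pos}")
        if size > remaining:
            raise ValueError(f"box {box_type!r} claims {size} bytes, {remaining} remain")
        boxes.append((box_type.decode("ascii", "replace"), size))
        pos += size
    return boxes


def is_sane_mp4(data: bytes) -> bool:
    """True when the box layout is internally consistent."""
    try:
        walk_boxes(data)
        return True
    except ValueError:
        return False


def box(box_type: bytes, payload: bytes) -> bytes:
    """Build one box with a correct 32-bit size (constructed test data)."""
    return struct.pack(">I4s", BOX_HEADER.size + len(payload), box_type) + payload


# Constructed samples: a well-formed file and three malformed ones.
GOOD_MP4 = box(b"ftyp", b"isom\x00\x00\x00\x00") + box(b"mdat", b"\x00" * 16)
OVERSIZED_MP4 = struct.pack(">I4s", 0x7FFFFFFF, b"mdat") + b"\x00" * 8
UNDERSIZED_MP4 = struct.pack(">I4s", 4, b"mdat") + b"\x00" * 8
LARGESIZE_MP4 = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 24) + b"\x00" * 8
ZERO_SIZE_MP4 = struct.pack(">I4s", 0, b"mdat") + b"\x00" * 8

if __name__ == "__main__":
    for name, sample in [("good", GOOD_MP4), ("oversized", OVERSIZED_MP4),
                         ("undersized", UNDERSIZED_MP4), ("largesize", LARGESIZE_MP4)]:
        print(name, "sane" if is_sane_mp4(sample) else "rejected")
```

A codec that skipped the `size > remaining` check would read past the end of the input; one that skipped `size < header_len` would compute a negative payload length and, in C, a huge unsigned copy. Either is the "boundary error" the advisory describes.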
"We see people that are looking for machines that have already been exploited in this fashion or are trying to connect to machines that they think have been successfully exploited," he said.
Greenbaum said that attackers are opting to exploit bugs in media players and the plugins that increase their functionality as organizations and vendors get better at securing operating systems and applications.
"These attacks can be placed on trusted websites and immediately exposed to hundreds of thousands of potential victims," he said. "Lots of websites allow users to incorporate their own content. It's an easy way for attackers to get their exploit up to a site that's going to have a lot of eyes."
The goal of these attacks is usually to drop a secondary payload, such as a bot or trojan, he added.
As users await a patch, businesses should ensure they have a policy in place that permits employees to use media players only for work purposes, Greenbaum said. In addition, organizations should run up-to-date anti-virus software, an intrusion detection system and endpoint security management tools that can identify and remove vulnerable software.
A spokesperson for 3ivx, which would be responsible for the fix, did not return a request for comment.
A spokesman for AOL, which owns Winamp, said users should update to the latest version.
"We encourage everyone to upgrade to [version] 5.5, which is actually not vulnerable to the attack," AOL spokesman Kurt Patat told SCMagazineUS.com today. "That's people's best bet if they want to avoid the vulnerability."
Mark Miller, director of security response for Microsoft, advised Windows Media Player users to do the same.
"The affected code does not ship in box with any version of Windows or Windows Media Player," he said.
December 10, 2007
AdultFriendFinder.com settles with FTC
AdultFriendFinder.com on Thursday agreed to a settlement barring it from sending sexually explicit online advertising to users who are not seeking adult content.
The website and its parent company, Various, Inc., were accused of violating the FTC Act by using graphic ads and sexually explicit images in advertisements, without consumer consent, to divert traffic.
Affiliates of AdultFriendFinder.com had displayed advertisements containing adult content, or graphic descriptions of sexual activity, to consumers using search terms to find flowers and travel information, according to the FTC.
Alex Eckelberry, Sunbelt Software president and CEO, said on his company's blog that AdultFriendFinder.com's affiliates use extremely aggressive tactics to drive traffic to the website.
“And any malware researcher has also seen AFF ads in spyware. Whether this is through affiliates or not, it is still the responsibility of the company to advertise through legitimate channels – not through malware,” he said. “Their advertisements have also been seen extensively in fake pages on social-networking sites, and there's been plenty of fake ‘friend' invites through these networks – which are only designed to feed the site with more subscribers. Again, this may or may not be done directly by AFF, but it's still their responsibility.”
Ira Rothken, Various' attorney, told SCMagazineUS.com today that the company "agreed with the FTC's goals" of showing consumers who have not opted in advertisements that contain no sexually explicit content.
“I would have to say that AdultFriendFinder.com is never happy to learn that some of its online affiliates have been violating its terms of use,” he said. “So when the FTC brought this to their attention, [Various] took prompt action.”
Attackers hack into Oak Ridge National Laboratory
But it appears the attackers' goals were actually much loftier.
According to a message from lab director Thom Mason to the organization's 4,200 employees, the recent attack on the Oak Ridge, Tenn.-based laboratory was "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."
Peter Cassidy, secretary general of the Anti-Phishing Working Group, told SCMagazine.com today that his group has witnessed a dramatic rise in socially engineered phishing and crimeware attacks intended to steal trade secrets. Labs such as Oak Ridge, which conducts research for the Department of Energy in the areas of science, the environment and national security, are no exception.
"If they have specific questions about the research that Americans are organizing in those labs, it's kind of useful information," he said. "It allows them to respond with their own technology and to build on the ideas that are intercepted from their mining of the data through phishing attacks."
What these cybercriminals ended up stealing were the names, Social Security numbers and birth dates of every person who visited the lab from 1990 to 2004, Mason said. So far, there is no evidence any of the data has been used to conduct fraud.
The attackers delivered about 1,100 legitimate-looking emails to staff that tried to dupe them into opening a malicious attachment, Mason said. The bogus messages included one that notified the recipient about a complaint on behalf of the Federal Trade Commission; another announced an upcoming scientific conference.
Eleven employees clicked on the attachments, enabling "the hackers to infiltrate the system and remove data," Mason wrote.
That works out to a success rate of about 1 percent, Ken Dunham, director of global response for iSight Partners, a risk mitigation company, told SCMagazineUS.com today.
"It takes only one – not even 11 – to compromise a network," he said. "It's clear that there were ongoing, multiple attempts here."
He said social engineering is the "cornerstone" of a successful phishing attack.
"Today it is very hard to tell truth from lie," Dunham said. "They are very legitimate appearing and they are very customized. These are personalized for you. It's your own Hallmark custom scam, just for you."
Mason said in his message to employees that they should never click on email attachments or links that appear in messages coming from unknown or untrusted parties.
"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cybersecurity issues," Mason wrote.
Dunham said organizations must also build strong access control policies, including restricting the privileges of certain employees, so that even if a person's machine is compromised, the remote attacker cannot install the malicious code.
"If you can't do installs, you can't do installs," he said. "It doesn't matter if you're a virus or not."
Ted Julian, vice president of marketing and strategy at AppSecInc, a database security firm, said the lab breach highlights the ineffectiveness of relying on protection of the entry points into an organization.
"As a result, companies need to focus on securing the valuable data directly," he said, adding that this includes assessing where it lies, performing vulnerability scans and applying encryption. "The notion of continuing to defend perimeters alone, it's just obviously not working."
Mason said the investigation promises to take weeks to complete.
"Each year the laboratory is forced to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network," he wrote.
December 08, 2007
Child porn hacker sentenced to 110 years in prison
A North Carolina man was sentenced to more than a century in prison after he seeded teens' computers with trojans and then demanded the victims provide him with nude photographs of themselves.
Ivory Dickerson, 33, was convicted of three counts of manufacturing child pornography, two counts of unlawful computer intrusion and one count of possession of child pornography, Robert O'Neill, U.S. attorney for the Middle District of Florida, said Friday in a statement. Dickerson was sentenced to 110 years.
Authorities said Dickerson and an unnamed co-conspirator sent phishing emails or instant messages to female teens living in Brevard County, Fla., trying to trick them into opening a malicious file.
If the victims opened the file, a trojan was installed on their machine, giving Dickerson and his accomplice remote access to the victims' PCs, authorities said. They then attempted to persuade or force the victims "to manufacture child pornography that they could collect."
Dickerson was arrested after victims told law enforcement that their MySpace profiles had been hacked into, and the intruder demanded they send him erotic images of themselves, according to court records.
If the victims did not comply, Dickerson threatened to hurt their family members or post nude images of them on the web, authorities said.
Dickerson was involved in the hacking of more than 100 computers, authorities said. In addition, his external hard drive contained hundreds of video and photo files of child porn, including some of him and his victims engaging in sexual acts.
Justin Timberlake, Hilary Duff, Tila Tequila MySpace profiles compromised to impress hacker group
A person wanting to impress a hacker group broke into the popular MySpace profiles of several celebrities, including Justin Timberlake and model and MTV personality Tila Tequila, researchers said today.
The hacker, who uses the handle "Tesla," gained access late Wednesday to the profiles of Timberlake, Tequila and actress-singer Hilary Duff, and used the compromised accounts to blast out bulletins to the celebrities' tens of thousands of MySpace friends, said Chris Boyd, senior director of malware research at FaceTime Security Labs.
The messages, which appeared to come from the Hollywood stars themselves, proclaimed support for a hacker group known as Kryogeniks.
One read: "Hey Tesla here. Justin Timberlake has been hacked by me. HTTP://kryogeniks[dot]org. Cheers [expletive]."
The website for Kryogeniks, a U.S.-based hacking group, was taken offline soon after, Boyd said. The site was back operating by mid-afternoon EST today.
"The whole thing seems to be really strange -- childish shout-outs to this hacking group," Boyd told SCMagazineUS.com today.
The motives for today's attacks are markedly different from those in a similar incident a month ago, when the profile of singer Alicia Keys was compromised by malicious attackers.
In that case, visitors to Keys' profile were first targeted by an exploit that installed malware on unpatched PCs, then presented with a fake codec and told they needed to install it to view a music video.
It is likely hackers are using cross-site scripting vulnerabilities and phishing scams to perpetrate these attacks, which mostly are occurring on music pages that are heavily trafficked and contain dynamic content, Boyd said.
The administrator for Kryogeniks posted a bulletin today on one of the site's forums, denying the group had anything to do with the latest spate of MySpace attacks.
"Anyone posting anything illegal, such as phishing, will be banned instantly," he wrote. "No posting scams, or any personal information. What Tesla did has nothing to do with everyone [sic] in Kryogeniks."
Boyd said he thinks the MySpace hacker was not affiliated with the group and was instead trying to seek their approval.
"I'm sure they weren't too impressed when they woke up this morning to find [their] account suspended," he said.
A MySpace spokeswoman said the social networking site could not comment publicly on the attack. The pages were working normally as of this article's publication.
Symantec patches remotely exploitable flaw in Norton products
Symantec on Wednesday patched a vulnerability in Norton Personal Firewall 2004 and Norton Internet Security 2004 that can be exploited for remote code execution.
The Cupertino, Calif.-based anti-virus giant advised users to employ LiveUpdate to patch the buffer overflow vulnerability in an ActiveX control used by the two programs.
CERT had notified Symantec of the vulnerability, which occurs in the Get() and Set() methods of the ISAlertDataCOM ActiveX control in ISALERT.DLL.
Symantec and US-CERT warned today that for successful exploitation, an attacker must dupe the victim into visiting a malicious website or opening a malicious document.
Symantec, in an advisory released on Wednesday, ranked the flaw’s risk impact as "medium." A Symantec spokesman today referred questions to the advisory.
Secunia reported in an advisory released today that researcher Will Dormann of CERT/CC discovered the flaw, which can be exploited to cause a stack-based buffer overflow via an overly long argument.
Secunia ranked the flaw as "highly critical," meaning it can be exploited from a remote location to compromise a system.
FrSIRT yesterday rated the vulnerability as "critical."[SC Magazine]
Estonian DDoS attacks ‘unlikely' in U.S., says expert
Could U.S.-based organizations find themselves defending against the level of distributed denial of service (DDoS) attacks Estonian web servers have seen since early April? While saying there is no shortage of people with grudges against the U.S., a researcher at Arbor Networks' ASERT team said that it is an unlikely scenario.
The attacks, reportedly the result of a political squabble between Russian nationals and the newly elected Estonian government, have disrupted web services at numerous Estonian government agencies and financial institutions for weeks.
During a recent two-week period, ASERT's ATLAS web-tracking service saw 128 unique DDoS attacks on Estonian websites; of those, 115 were ICMP floods, four were TCP SYN floods and nine were generic traffic floods.
According to Jose Nazario, a senior security researcher with Arbor Networks' ASERT team, which investigates web-based threat activity, the attacks ranged from short, half-hour bursts to one lasting more than 10 hours. He noted that 10 of the attacks consumed 90 Mbps of bandwidth.
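The ATLAS figures above (attack count, a split into ICMP floods, SYN floods and generic floods, duration and bandwidth per attack) are the kind of summary an operator derives from flow records. The following is an added example, not Arbor's ATLAS code, of that classification run over constructed flow records against reserved documentation addresses; the 90 percent threshold for calling a flood "ICMP" or "SYN" is an assumption for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    """One flow record as a collector might export it (constructed shape)."""
    ts: int        # start time, whole seconds
    dst: str       # target address
    proto: str     # "icmp", "tcp" or "udp"
    flags: str     # TCP flags, "S" for a bare SYN; "" for other protocols
    nbytes: int


def classify_attacks(flows: List[Flow], share: float = 0.9) -> Dict[str, dict]:
    """Group flows by target and label each target's traffic.

    A target is an ICMP flood when at least `share` of its flows are ICMP,
    a TCP SYN flood when at least `share` are bare SYNs, otherwise a generic
    traffic flood.  Peak bandwidth is the busiest one-second bucket; duration
    is first to last second inclusive."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    report: Dict[str, dict] = {}
    for dst, fl in by_dst.items():
        n = len(fl)
        icmp = sum(1 for f in fl if f.proto == "icmp")
        syn = sum(1 for f in fl if f.proto == "tcp" and f.flags == "S")
        if icmp / n >= share:
            kind = "ICMP flood"
        elif syn / n >= share:
            kind = "TCP SYN flood"
        else:
            kind = "generic traffic flood"

        per_second: Dict[int, int] = defaultdict(int)
        for f in fl:
            per_second[f.ts] += f.nbytes
        peak_mbps = max(per_second.values()) * 8 / 1_000_000
        duration = max(f.ts for f in fl) - min(f.ts for f in fl) + 1
        report[dst] = {
            "kind": kind,
            "flows": n,
            "peak_mbps": round(peak_mbps, 1),
            "duration_s": duration,
        }
    return report


# Constructed sample: three targets, three traffic shapes.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(i % 10, "203.0.113.10", "icmp", "", 1500) for i in range(1000)]
    + [Flow(100 + i % 5, "203.0.113.20", "tcp", "S", 60) for i in range(500)]
    + [Flow(200 + i % 3, "203.0.113.30",
            "udp" if i % 2 else "tcp", "" if i % 2 else "PA", 1200)
       for i in range(300)]
)

if __name__ == "__main__":
    for dst, summary in classify_attacks(SAMPLE_FLOWS).items():
        print(dst, summary)
```

Real collectors export sampled flows, so the byte counts would be scaled by the sampling rate before the Mbps figure means anything; the classification logic is unchanged.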
"All in all, someone is very, very deliberate in putting the hurt on Estonia," Nazario said. "This kind of thing is only going to get more severe in the coming years."
The DDoS attacks appear to have been initiated by Russians irked by a proposal by Andrus Ansip, Estonia's newly elected prime minister, to relocate a World War II memorial statue from downtown Tallinn to the outskirts of the city. Pro-Russians were reported to have considered the move a slur on their war dead and thus staged the DDoS attacks.
"Could [massive DDoS attacks] happen in the U.S.?" asked Nazario. "Certainly - there's no shortage of people with grudges against any country, and any geopolitical event could cause one."
That said, he doesn't foresee such an attack taking place on U.S. soil. "We track thousands of attacks a day - many against U.S. government sites - and they don't appear to have any substantial impact."
However, U.S. Rep. Tom Davis, R-Va., generally considered one of the most IT security-savvy members of Congress, has repeatedly warned that the nation could face a "cyber–Pearl Harbor" if it fails to shore up its infrastructure against web-based attacks.
A couple of issues are at work here, Nazario said. "Many U.S. government sites are more low profile - there are hundreds of departments within the U.S. Department of Defense and government that no one recognizes," he said.
More importantly, "All the major sites are very well protected in terms of bandwidth and their ability to push back the attack traffic and keep legitimate traffic going."
Although Estonia is one of Eastern Europe's more technically advanced countries, its "infrastructure is not as robust, and they have fewer resources" than U.S. organizations, said Nazario. "They're savvy, and know what they're doing, and brought in help in the right place so they're able to weather the attacks."
Websense: Google Pages hosting phishing attacks
Researchers are warning internet users to be on the lookout for website scams appearing on Google Pages.
This month, experts at Websense reported a spike in the user-created sites hosting phishing schemes, such as one for eBay, Dan Hubbard, vice president of security research at San Diego-based Websense, told SCMagazine.com today.
Attackers are drawn to Google Pages, which are hosted on Google servers, because the sites may evade web filters. They may not be blacklisted because "Google has a good reputation as a brand. It's not a bad domain hosted in China or Eastern Europe," Hubbard said.
There are a number of other factors that may attract the malicious community to Google Pages, AJAX-enabled websites released in 2006 that offer users the ability to upload dynamic content.
"Google has a phenomenal infrastructure so the server is not going to go down," Hubbard said. "You can also do it anonymously. It’s free. There’s tons of space available."
He added that some attackers have created a script that allows them to automatically create these websites to be used in phishing attacks. Google needs to do a better job of scanning content, Hubbard said.
Google, in a statement today, said the search engine giant has defenses in place to prevent against its hosted websites being misused.
"We take user security and safety very seriously," the statement said. "As part of our efforts to protect users, we proactively check uploaded content for malware and viruses. In addition, when we are notified of phishing or other malicious or illegal content, we work quickly to remove it."
Last year, Websense reported that Google servers were being used to host malicious binary files that tried to infect users.
Hubbard said the new brand of phishing attacks is one of a variety of techniques scammers use. Others set up the attacks on their own servers, compromise legitimate sites or use bots.
Organizations should deploy solutions to scan possibly malicious websites and educate end-users not to click on unknown links in emails or instant messages.[SC Magazine]
Look out, Google and Yahoo; hacker to publish month of search engine bugs
A hacker using the alias "Mustlive" announced this week that June will feature the next month-long vulnerability disclosure project, this one dedicated to search engine bugs.
"The purpose of this month of bugs is a demonstration of the real state with security in search engines, which are the most popular sites on the internet," the Ukrainian hacker wrote on his blog.
He added that he wants "to let users of search engines and the web community as a whole to understand all risks" associated with search engines.
Most disclosures during the Month of Search Engine Bugs (MOSEB) will be cross-site scripting (XSS) vulnerabilities, Mustlive said.
Many experts have criticized the ubiquitous "Month of…" projects, saying hackers should report their vulnerability discoveries to the vendor, not post them publicly. So far, there have been month-long initiatives to expose browser, kernel, Apple, MySpace, PHP and ActiveX vulnerabilities.
Microsoft "stands ready to address any potential vulnerabilities" affecting its MSN search engine, a company spokesman told SCMagazine.com today. But the software giant "encourages responsible disclosure of vulnerabilities to minimize risk to computer users," the spokesman said.
A Google spokesman said the search engine giant "takes security very seriously and integrates security protection into the overall product development process and follows commonly accepted industry best practices for vulnerability and incident response."
"We encourage security researchers who discover security issues with Google products to follow responsible disclosure practices and to contact us at security@google.com prior to publicly releasing vulnerability details," he added.
A representative from Yahoo could not immediately be reached for comment.
Ryan Russell, quality assurance manager for BigFix, told SCMagazine.com today these undertakings tend to blindside vendors.
"It puts the vendor on short notice," he said. "I respect people's rights to do it, but it probably would be better for everyone involved if you gave the vendor some knowledge. And in most cases, the vendor is the only person anyone is going to accept a fix or workaround from."
In the case of search engines, though, end-users will not have to take any action to receive the patches, Russell said. "You can fix it in one place, and it fixes everyone in the world," he said.
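As an added illustration of the class of bug Mustlive promised and of Russell's point that a search engine fixes it in one place, the following code (not from MOSEB, Google or Microsoft) shows a results page that reflects the query into HTML unescaped beside the server-side fix. The request and the hypothetical page template are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw query into the page: the classic search-box XSS."""
    return f"<h1>Results for {query}</h1>"


def render_results_fixed(query: str) -> str:
    """Same page with HTML escaping applied at the one place the untrusted
    value meets markup.  Every user of the site is fixed by this one change."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def handle_request(query_string: str, fixed: bool) -> str:
    """Minimal stand-in for the search endpoint: decode ?q=... and render."""
    q = parse_qs(query_string).get("q", [""])[0]
    render = render_results_fixed if fixed else render_results_vulnerable
    return render(q)


def contains_script(page: str) -> bool:
    """Crude check used here only to show whether a tag survived rendering."""
    return "<script" in page.lower()


# Constructed attacker query string, URL-encoded as a browser would send it.
PAYLOAD = "q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"

if __name__ == "__main__":
    print("vulnerable:", handle_request(PAYLOAD, fixed=False))
    print("fixed:     ", handle_request(PAYLOAD, fixed=True))
```

The fix escapes for an HTML text context; a value reflected inside a script block, an attribute or a URL needs the escaping rule for that context instead, which is why templating engines that escape by default are the practical answer.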
Former hacker Mark Loveless, now a security architect at Vernier Networks, said if they are done right, the month-of-bug projects can be humorous in a "thumbing-your-nose-at-the-man" kind of way.
"Anything that stirs the pot, I'm all in favor of," he told SCMagazine.com.
But, Loveless added, considering the number of easy-to-detect XSS flaws planned, this particular initiative may lack the technical muscle that previous projects have had.
"I'm really thinking that by the end of the month, they're going to be scraping the bottom of the barrel," he said. "They're going to be putting crap up. I think they're cheating. I'd like to see something else done that is just as creative and provocative...but something original."
Loveless said he would like to see a "Month of Vista Bugs."
Projects promising Vista and Oracle Database bugs never were launched this year.[SC Magazine]
Google sponsored advertising links lead to exploits
A seemingly innocuous Google search could yield malware on advertising result links, security researchers warned this week.
Roger Thompson, CTO of Exploit Prevention Labs, said in a blog post Tuesday that his firm has identified exploits posing as legitimate URLs for the Better Business Bureau and cars.com in the "sponsored links" section that appears alongside search results.
Advertisers pay Google for the sponsored links to appear following specific search queries.
Clicking on one of the malicious links does take the user to the real website, but along the way they are silently redirected through www.smarttrack.org, which hosts a Microsoft Data Access Components (MDAC) exploit that attempts to install a backdoor keylogger, said Thompson.
Cybercrooks then use the customized trojans to pilfer banking information from online customers of about 100 targeted banks around the world, Thompson said. Because the keylogger is delivered as a browser helper object, it "is part of the endpoint of any SSL transaction and can see everything in plain text, instead of encrypted," he said.
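One way to audit a sponsored link for the kind of silent detour described above is to follow its redirect chain with automatic redirection disabled and compare every intermediate host against the hosts the ad network is expected to use. The following is an added example, not code from Exploit Prevention Labs or Google; it stands in for live HTTP with a constructed table of responses and uses reserved example hostnames throughout, so nothing in it refers to a real site.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for live HTTP: URL -> (status, Location header).
# A real audit would issue HEAD/GET with redirects disabled and read Location.
FAKE_HTTP: Dict[str, Tuple[int, str]] = {
    "http://ads.example/click?id=42":       (302, "http://track.example/r?u=1"),
    "http://track.example/r?u=1":           (302, "http://exploit-host.example/in.cgi?3"),
    "http://exploit-host.example/in.cgi?3": (302, "http://www.example.com/"),
    "http://www.example.com/":              (200, ""),
    "http://ads.example/click?id=43":       (302, "http://www.example.com/"),
    "http://loop.example/a":                (302, "http://loop.example/b"),
    "http://loop.example/b":                (302, "http://loop.example/a"),
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Hosts the (hypothetical) ad network legitimately uses for click tracking.
AD_NETWORK_HOSTS = {"ads.example", "track.example"}


def follow_chain(start: str, max_hops: int = 10) -> List[str]:
    """Return every URL visited from `start` to the final non-redirect.
    Raises ValueError on a loop or on more than `max_hops` redirects."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        status, location = FAKE_HTTP.get(url, (404, ""))
        if status not in REDIRECT_STATUSES or not location:
            return chain
        url = location
        if url in chain:
            raise ValueError(f"redirect loop at {url}")
        chain.append(url)
    raise ValueError(f"more than {max_hops} redirects from {start}")


def audit_sponsored_link(start: str, advertiser_host: str, ad_hosts: set) -> dict:
    """Check that the click lands on the advertiser and flag any hop that is
    neither the ad network nor the advertiser."""
    chain = follow_chain(start)
    hosts = [urlsplit(u).hostname for u in chain]
    unexpected = [h for h in hosts[1:-1] if h not in ad_hosts and h != advertiser_host]
    return {
        "lands_on_advertiser": hosts[-1] == advertiser_host,
        "hops": len(chain) - 1,
        "unexpected_hosts": unexpected,
    }

if __name__ == "__main__":
    for ad in ("http://ads.example/click?id=42", "http://ads.example/click?id=43"):
        print(ad, audit_sponsored_link(ad, "www.example.com", AD_NETWORK_HOSTS))
```

The first ad lands where it should, which is why the user never notices, yet the audit surfaces the off-network hop. In practice the same check needs to be repeated from several client fingerprints, since redirect servers of this kind routinely serve the detour only to browsers they consider exploitable.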
There is little unsuspecting users can do to avoid being duped, Thompson said.
"Lots of links in any search engine point to infective sites, so that’s not really a surprise, but this does highlight a significant issue," he said. "When you move the mouse over a normal, organic search result, Google shows you the URL you are about to navigate to if you click. If, however, you mouse over a sponsored result, no URL preview is shown. This means that a user has no clue where they are about to navigate to."
A Google spokesperson could not be reached for comment. But the search giant may have remediated the problem, Thompson said.[Source: SC Magazine]
McAfee SiteAdvisor: Safer searches on Google, Ask, AOL than Yahoo, MSN
Although the five major online search engines have improved search safety, four percent of all search results link to dangerous websites, according to a report from McAfee's SiteAdvisor. Searches on Yahoo are the most risky and AOL the safest, "The State of Search Engine Safety" report indicates.
With the exception of Yahoo, the percentage of risky sponsored links on all major search engines has improved, dropping from more than eight percent last year to about seven percent this year, according to the report. Google, in particular, has "taken small steps" to improve the safety of the sponsored links on its landing pages, said Mark Maxwell, a senior vice president with SiteAdvisor.
Hannah Rosenbaum, the SiteAdvisor analyst who wrote the report, attributed the improvement to safer sponsored results. However, sponsored results still contain 2.4 times as many risky sites as so-called "organic" results, the study noted.
With a 2.9 percent rate of risky results, searches on AOL returned the fewest "red" or "yellow" ratings, the two levels of danger SiteAdvisor distinguishes. Searches on Yahoo returned the most red or yellow results, at 5.4 percent.
McAfee’s SiteAdvisor defines red-rated sites as those that distribute adware, send a high volume of spam or make unauthorized changes to users' computers. Yellow-rated sites send a high volume of "non-spam" email, display many pop-up ads, or prompt a user to change browser settings.
Google, AOL and Ask have become safer since May 2006, when SiteAdvisor first surveyed the search engines, with Ask showing the greatest improvement. Yahoo and MSN both saw safety decline, according to the study.
Maxwell attributed the overall improvements in sponsored-link safety primarily to Google. The company has "done a better check of their advertisers, in particular taking a look at landing pages," he said. "It has taken a more critical eye toward advertisers on its front pages, and has rejected some advertisers."
He said one theory on why Yahoo's sponsored-link safety has eroded is that some of the malware purveyors "have gone to Yahoo."
"We haven't seen the impact yet from Yahoo's new ad technology, Panama, so perhaps in six months we'll see if that has had an impact on Yahoo's sponsorship rating," he said.
Both Yahoo and Google responded to queries about the report from SCMagazine.com with prepared statements.
"It is not in our interest to deliver experiences that would erode the trust of our users and advertisers," said Reggie Davis, a vice president at Yahoo. "We will continue to improve our performance in this area by investing in technology and work with third parties to make the internet safe for consumers."
Google, for its part, said it "takes the safety of its users very seriously, and we've been taking a number of proactive steps to help protect them. This includes flagging potential malware URLs by warning users with an interstitial warning page and contacting webmasters directly when we believe an innocent site might have been 'hacked' to host malware."[SC Magazine]
Exploits released for zero-day Yahoo Messenger vulnerabilities
A hacker named "Danny" has released two zero-day ActiveX exploits for Yahoo Messenger's Webcam application.
The hacker released the exploits on the Full Disclosure mailing list early today and late last night.
The flaws, ranked at the highest severity levels in security advisories, allow remote code execution and exist in Yahoo Messenger version 8 and earlier.
The first flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to a Secunia advisory released today.
The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia, which ranked the flaws as "extremely critical," meaning they are unpatched, can allow remote code execution and exploits are in the wild.
eEye Digital Security warned in an advisory today that ActiveX zero-day flaws are especially dangerous because a malicious payload can be delivered from any website the user visits.
The Aliso Viejo, Calif.-based firm cautioned PC users that the flaws are "high" severity.
FrSIRT warned today that the vulnerabilities are "critical."
Yahoo spokesperson Terrell Karlsten said today that the company "began working towards a resolution and expect(s) to have a fix shortly."
Andrew Storms, director of security operations for nCircle, said today that one reason the flaws are dangerous is because instant messaging applications are widespread – and security professionals might not be aware how much so.
"The impact of this vulnerability is extensive because it could allow attackers to take complete control of a user’s system, and two public proof-of-concept exploits are available. This leaves many thousands of internet consumers at high risk," he said. "Enterprise users on Yahoo IM are particularly at risk because IM may not be a sanctioned application, but still be in wide use across networks. IT security teams must figure out where it is installed before they can take steps to protect the network."[SC Magazine]
The security implications of Web 2.0
A car that has fewer options has fewer things that can break. Power steering, power locks, power seats, seat warmers and the myriad of other car features provide a better experience, but they also add more items that require maintenance.
Michael Weider, CTO and Founder, Watchfire
The same complexity we see in a fully loaded car applies to web functionality. Web 2.0 has arrived, and the race to adopt it has brought with it collaborative online environments—socially driven content that is redefining both how web applications are developed and how they are used. The result is a richer, more fulfilling web experience. The consequence, however, is that the dynamic new Web 2.0 design principles open a host of new avenues of attack to which Web 2.0-based web applications are vulnerable.
With the explosion of Web 2.0 concepts powering more and more websites, the web is reaching new levels of interactivity. But with that progress it becomes even more important to proactively address the heightened security and privacy vulnerabilities, as the same technologies that make for a more user-friendly web can also make for less secure web applications.
This article will highlight the most common Web 2.0 vulnerabilities that privacy and security professionals need to be aware of, including a better understanding of how web services and AJAX can be exploited and the attacks they can enable. Readers will also learn tips and best practices for securing next-generation applications that can be applied immediately as enterprises continue the push to deploy Web 2.0, ensuring they can meet both current and future online security challenges.
What is Web 2.0?
Web 2.0 carries a high profile and a good deal of hype. There is increasing pressure on developers to quickly adopt this new second generation of dynamic, interactive and simple-by-design technologies. Web 2.0 can be described in two ways:
1) New ways to build rich web sites.
Though often not characterized as Web 2.0, Asynchronous JavaScript and XML (AJAX) and other new rapid application development techniques are in vogue for creating rich web sites that are highly interactive and more easily deployed and used.
AJAX delivers a rich user interface by displaying more dynamic content. Another common technique is Really Simple Syndication (RSS) feeds, an XML-based standard for publishing information feeds that users can subscribe to. This is most commonly used to subscribe to blogs and news articles.
2) Socially driven content.
Think MySpace.com. The web experience is now defined by community and by content created and posted by web users. Websites are now amorphous entities, and their vitality is defined by the people who visit them.
In the last couple of years, the web has moved from a collection of static pages to a more interactive and dynamic environment. This shift has been heralded as Web 2.0 and has given more users more power. No longer is the web a place where only technical folks can produce content. Instead, with the click of a button non-technical users from children to seniors are able to upload information to personal or corporate sites, produce interactive pages or share content. Popular dynamic sites such as YouTube, MySpace and Flickr are the poster children for this new web world.
Why adopt Web 2.0 technologies?
Competition and ease of use are at the top of the list of reasons why Web 2.0 is attractive. Like viral marketing, it lets more companies communicate more directly with their prospective and current customers. Building sites that include interactive messaging, commenting and user areas allows for more open channels of communication. Users can interact with other users and with company executives.
Price is also a consideration. Web applications have proven to be more cost effective than their clunky client-server counterparts. Web 2.0 applications, built with Rapid Application Development (RAD) techniques, are built faster and therefore require even less of an investment.
Web 2.0 dangers
With Web 2.0, the functionality and experience of the sites become the primary focus, and the technology powering the dynamic content is hidden behind the scenes from the average user. Yet the web applications underneath the polished finish remain just as complex, and they add a variety of new and often unproven or unsecured technologies to the back end.
In the rush to unveil more interactive sites, developers are urged to release functional sites that often lack added security measures. Attackers have quickly learned to exploit the shortcomings in this code. This has resulted in an urgent need to audit and assess these sites for security vulnerabilities. In order for Web 2.0 technologies to reach their full potential, inherent security issues must be recognized and addressed, and businesses must incorporate security best practices into application development.
In addition to structural security flaws, there are also user threats including the loading of malicious content. Sites that encourage end user postings typically have no way to stop the uploading of content that might distribute malicious code to other site visitors. In similar ways, other user-driven web sites, including blogs, podcasts and social networking sites, are prone to both security and privacy issues. While it seems as though democracy has come to the Internet, more freedom means increased potential for abuse and errors.
As in our car example, the new features create new avenues for exploitation. The majority of Web 1.0 users interacted with single functions on single pages. Now AJAX programming allows any given page to have dozens of features and functions, running independently as well as interacting with each other. This means fragmented communication and the possibility that web application vulnerabilities that have been around for years might increase exponentially. The most common vulnerabilities include SQL injection, cross-site scripting (XSS), buffer and SOAP overflows and XML attacks.
The dependence on technology means the new vulnerabilities brought by Web 2.0 are inevitable. Back in the old days of the web—even three or four years ago—users could boost security levels by turning off JavaScript. Doing so now would all but render the website useless. In effect, the user would be disabling the exact tools that make the web useful and efficient.
Why does my organization need to worry about Web 2.0 safety?
Organizations of all sizes and in every market with an internet presence have been attacked. Media reports show regular coverage of the larger companies, such as MySpace suffering from a QuickTime XSS worm, Yahoo Mail recently being hit by a Yamanner worm attack, and even Google’s Gmail has had to overcome XSS problems.
As in any other case of negative publicity there is damage to the brand name and potential lost business if your web applications fail because of security threats. But a greater risk is that sensitive data could be compromised and with that comes everything from minor legal headaches to large and public lawsuits.
How do I protect my web applications?
One of the most effective solutions is to fix weaknesses before applications are ever launched. While this sounds like common sense, most applications are not built with security in mind.
Overworked developers, who are not trained in security, are not building application level security into the process. As stated, one of the benefits of web applications is the speed to market. But with this comes the downside that long development cycles, which normally include heavy QA and security testing, are discarded in favor of posting applications live as soon as they are functional.
In order to ensure safe and working web applications, companies should adhere to strict security testing standards from the development phase through the QA phase of the build cycle. This can be done through the use of security scanning tools and penetration tests. And given the dynamic nature of these sites, it is important to continue periodic post-deployment security testing to monitor the live state of the web site and its ever-changing applications.
Another important but sometimes overlooked suggestion is to monitor metrics on web application vulnerabilities throughout the development cycle. Keep track of all vulnerabilities and fixes. Management can’t address issues they don’t know about.
Monitoring vulnerabilities across the development cycle also has a huge educational impact. To stop the cycle and regain control over web application security, developers need to know what mistakes are being made so they do not continue to repeat them. Companies can also set limits on what types of content can be changed or uploaded. An organization’s users can be educated as well: let them know about the dangers and how to avoid them while online.
While more user interaction may be the ultimate goal, it’s important to first design threat models in order to determine what levels of risks the company can assume. A retail company’s website, for example, can accept lower security standards for a web application designed to locate a retail store near the user, while a higher security standard is required for the actual e-commerce and credit-card processing applications.
Lastly, Web 2.0 is here to stay, at least until new technology ushers us into the Web 3.0 phase. The trend is racing towards more user interaction and more power to the masses. With that in mind be sure to use technology judiciously and learn how to manage risk with all your website applications.
-Michael Weider is CTO and founder of Watchfire.
Romanian NASA hacker appears in court
A Romanian hacker accused of breaking into the networks of NASA and other federal agencies appeared in a Romanian court on Tuesday.
Victor Faur, 26, a native of the western Romanian town of Arad, faces trial there after arrest by state prosecutors in his home country. He faces a dozen years in prison, according to numerous published reports.
U.S. authorities have claimed $2 million in damages from the attack, which allegedly took place between November 2005 and September 2006 and targeted servers belonging to NASA, the U.S. Navy and the Department of Energy.
Federal authorities charged Faur with breaking into government computers last November. He has been indicted on 10 counts, including charges of conspiracy, unauthorized access to government computers and causing intentional damage to computers.
He will be brought to Los Angeles for trial after his Romanian proceedings conclude.
NASA’s computers are a familiar target for hackers. Last November, a Chilean gang called the "Byond Hackers Crew" was arrested and accused of cracking more than 8,000 websites, including those of NASA, the University of California, Berkeley, and the Chilean Finance Ministry.
In a much-publicized case, Gary McKinnon, a British hacker who broke into the Pentagon’s network more than five years ago, faces extradition to the U.S. and up to 70 years in prison if convicted.
Ron O’Brien, senior security analyst at Sophos, told SCMagazine.com today that because the federal government is under such cybersecurity scrutiny, hackers may increasingly target its networks.
"There’s been a lot of publicity lately about attackers being able to hack into federal agencies," he said. "There are hearings going on as we speak about the security at the [U.S. Department of Homeland Security] so anyone looking for the opportunity to hack into a PC would go after this."
O’Brien said it was possible that Faur could have been trying to outdo McKinnon or other hackers to establish a reputation.
"The hacker community is of a type that they all have such big egos, so it wouldn’t surprise me if there was an attempt to establish a renown beyond those who had gone before," he said. [SC Magazine]
Websense: Google Pages hosting phishing attacks
Researchers are warning internet users to be on the lookout for website scams appearing on Google Pages.
This month, experts at Websense reported a spike in the user-created sites hosting phishing schemes, such as one for eBay, Dan Hubbard, vice president of security research at San Diego-based Websense, told SCMagazine.com today.
Attackers are drawn to Google Pages, which are hosted on Google servers, because the pages may evade web filters. The sites may not be blacklisted because "Google has a good reputation as a brand. It’s not a bad domain hosted in China or Eastern Europe," Hubbard said.
There are a number of other factors that may attract the malicious community to Google Pages, AJAX-enabled websites released in 2006 that offer users the ability to upload dynamic content.
"Google has a phenomenal infrastructure so the server is not going to go down," Hubbard said. "You can also do it anonymously. It’s free. There’s tons of space available."
He added that some attackers have created a script that allows them to automatically create these websites to be used in phishing attacks. Google needs to do a better job of scanning content, Hubbard said.
Google, in a statement today, said it has defenses in place to prevent its hosted websites from being misused.
"We take user security and safety very seriously," the statement said. "As part of our efforts to protect users, we proactively check uploaded content for malware and viruses. In addition, when we are notified of phishing or other malicious or illegal content, we work quickly to remove it."
Last year, Websense reported that Google servers were being used to host malicious binary files that tried to infect users.
Hubbard said the new brand of phishing attacks is one of a variety of techniques scammers use. Others set up the attacks on their own servers, compromise legitimate sites or use bots.
Organizations should deploy solutions to scan possibly malicious websites and educate end-users to not click on unknown links in emails or instant messages, he said. [SC Magazine]
MySpace users warned of drive-by exploit attack
Researchers are warning of a widespread MySpace drive-by exploit attack meant to compromise machines so that more highly profitable phishing schemes can continue to succeed.
MySpace users become infected when they visit a profile page containing malicious JavaScript and then are silently redirected to an Internet Explorer exploit, which was patched in April, Johannes Ullrich, chief research officer of the SANS Internet Storm Center, told SCMagazine.com today.
The exploit installs a common proxy network bot, known as a flux bot, which is used to hide phishing sites behind constantly changing proxy servers, Ullrich explained. The cybercriminals, in other words, use their newly compromised PCs to hide the tracks of unrelated phishing scams targeting banks and other financial institutions.
"It lends some secrecy to the scam and it makes it harder to shut down," he said. "Now, the actual machine (the victim) is connected to get to the phishing site changes by the minute. You can’t easily block them. It’s not that obvious."
The botnets are also being used to send spam, Ullrich said.
Potentially thousands of MySpace pages could be infected with the malicious worm, but the infected profiles are "being shut down really quickly," he said.
A spokesperson for MySpace, which has more than 100 million members, could not immediately be reached for comment today.
Ullrich said cyberthieves traditionally tailor their worms for MySpace and other social networking sites because of the younger demographic that uses them.
"It has a lot of non-technical users who do not patch their browsers," he said. "People are not that careful. They may visit MySpace thinking [it’s] a big company and not realizing the content of the pages comes from the average user."
MySpace has been the victim of a number of attacks over the past year. Vincent Weafer, head of Symantec’s Global Security Response, said MySpace users are often easily duped into giving up their credentials.
"If I can get into your trusted group, I may be able to get information out of you," he said.
Colin Whittaker of Google’s Anti-Phishing Team wrote on the company’s security blog recently that many users are tricked into giving their usernames and passwords so crooks can send spam from their account or – worse – use that same log-in information to access their bank accounts. [SC Magazine]
December 07, 2007
FBI warns of three spam hoaxes
The FBI is warning citizens to be on the lookout for three separate email scams — including one that attempts to infect users with malware and two others that seek personal and financial information.
The biggest threat is posed by widespread emails claiming to include a greeting card attachment from friends, co-workers or family members; unsuspecting clickers are instead diverted to a malicious webpage that attempts to exploit a vulnerability and upload malware, according to an FBI statement issued Tuesday.
Menashe Eliezer, who heads the detection center at anti-virus and anti-spam firm Commtouch, told SCMagazine.com today that web-borne threats are getting more sophisticated.
Two other scams claim to be coming from the FBI or a U.S. military official. In the FBI example, the spammers offer lottery endorsements or inheritance money in exchange for a modest up-front payment, the warning said. Emails said to be coming from military leaders allegedly attempt to dupe recipients out of funds that will be used to benefit soldiers stationed overseas.
Spammers use legitimate-looking content, such as pictures and letterheads, to make the emails look like the real thing, the warning said.
"It’s an illegitimate form of marketing, but [spammers] have to deal with the same issues [as real marketers] in terms of getting people to answer their call to action," Rebecca Herson, Commtouch’s senior director of marketing, told SCMagazine.com today. "They’re trying to improve the look and feel of their campaigns the same way legitimate marketers are."
The FBI recommends users delete the "hoax" emails.
"Consumers need to be wary of unsolicited emails that request them to take any action, even if that means just clicking on an attachment," the warning said, adding that clicking could allow viruses or keyloggers to be installed on users’ machines.
Zulfikar Ramzan, senior principal researcher at Symantec, told SCMagazine.com that users should maintain an updated internet security solution, keep patches up to date and avoid following unknown links.
"These spam scams are particularly dangerous as many consumers consider communication from government agencies as credible," he said.
The FBI’s announcement was prompted by a high number of complaints lodged with the Internet Crime Complaint Center. [SC Magazine]
New storm worm run called largest virus attack in two years
The infamous 'storm worm' virus attack began another run last week, this one called the largest in two years by messaging security vendor Postini.
The San Carlos, Calif.-based company, which Google announced intentions to acquire earlier this month, said this week that the storm worm attack that began July 16 generated 120 million messages by Friday.
Postini said that the attack is spreading through blended methods, using emails that contain links to malicious websites that exploit vulnerabilities.
The attack was named for the deadly European wind storms that occurred simultaneously with the first attacks this past January. Early attacks arrived with video EXE files with storm-related headings, such as "230 dead as storm batters Europe."
Researchers spotted a storm worm run earlier this month that used messages falsely informing recipients that they received a greeting card from a family member, admirer, classmate or colleague.
That storm worm run was the first of the kind to redirect recipients to a malicious website instead of using a malicious attachment.
The social engineering attack exploited a number of patched vulnerabilities, including ANI, QuickTime and WinZip flaws, to add compromised machines to a botnet.
Adam Swidler, senior manager of solutions marketing at Postini, told SCMagazine.com today that the most recent storm worm attack is five times larger than the previous largest attack.
"[The attack’s] URLs are all using IP addresses instead of domain-based URLs, and that’s a flag we look out for," he said. "I think the biggest thing [about this attack] is the volume, the sustained nature, and it went on for nine days using the blended attack of email and the web to deliver the payload to the PC."
Joe Stewart, senior security researcher at SecureWorks, told SCMagazine.com today that his firm has seen storm worm spam mostly using an ecard as a lure.
"It’s the ecard ploy and the social engineering ploy, and if you go ahead and click on the ecard, it takes you to a page that can get some exploit code through the browser, and if that doesn’t work they prompt you to download the malware," he said.
VeriSign suffers data breach after July laptop theft
VeriSign, the digital certificate vendor responsible for the internet's .com and .net domains, suffered a data breach last month when a laptop was stolen from an employee's vehicle.
An undisclosed number of current and former employees are at risk of identity theft after the burglary, which took place July 12 or 13 in a parking garage in northern California.
The laptop contained names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses of an undisclosed number of VeriSign employees, according to a notification letter sent to victims.
The Mountain View, Calif.-based company revealed that bank account numbers and password information were not stored on the device.
The breach was first reported on the wizbang blog on Friday.
VeriSign said today in a statement that the employee has left the company. The vendor said it is working to shore up its data-protection policies, which were not followed in this case.
VeriSign disclosed that it has "no reason to believe that the thief or thieves acted with the intent to extract and use this information. The local police have said the theft may be tied to a series of neighborhood burglaries."
"VeriSign is committed to making sure current and former employees whose personal information may have been on the stolen laptop have the support they need to monitor their credit and know how to respond if they identify any problems," VeriSign said today in a statement. "The company has a policy on how to manage laptops that contain sensitive information and company data — which in this case was not followed. That policy includes not leaving laptops in vehicles in plain view, keeping the amount of confidential and sensitive data stored on laptops to a minimum, and using data encryption tools to protect those sets of data that absolutely must be stored on a laptop. Going forward, we will continue to review our security procedures to prevent future human errors of this type."
Avivah Litan, Gartner vice president and distinguished analyst, told SCMagazine.com today that laptop thefts have "zero impact on the bottom line," but said she was disappointed to see a security vendor suffer a breach.
"Certainly a missing or stolen laptop is common, but you don’t want to see that event at a managed security services provider," she said. "It lowers confidence in their abilities when they’re subject to the same breaches they’re helping their customers with."
Last month, Kingston Technology, a data security vendor, reported a breach initiated when thieves infiltrated a company computer two years ago. That hacking put the credit card files of 27,000 customers at risk.
Kingston has said that none of the financial information was misused.
IBM was the victim of a data loss incident in May, when a third-party vendor lost an undisclosed number of tapes while transporting them from an IBM location in Westchester County, N.Y., to a permanent storage facility.
Symantec says spam attachments up, image spam down
Traditional image spam is again on the decrease, but attachment spam - containing images as part of Microsoft Office files - is on the upswing, according to Symantec's "State of Spam" report for August.
Image spam accounted for only eight percent of all spam during July, a drastic decrease from January, when it totaled 52 percent of junk email. However, the percentage of all spam at the SMTP layer, 66 percent of all email, was consistent with previous months.
Researchers said that PDF spam increased during July, accounting for between two and eight percent of all spam.
Doug Bowers, senior director of anti-abuse engineering at Symantec, told SCMagazine.com today that the stats contained "nothing that’s a huge surprise," but noted trends showing a drop in image spam and an increase in attachment spam.
"Of note, what we’re seeing is [an increase in] PDFs and the larger trend toward attachment spam," he said. "Last month, it wasn’t clear if spammers were going to stick with this. They seem to still be in the poking-and-prodding stage with other attacks."
Twenty-eight percent of all spam pitched products, ranking it as the most common spam category, followed by financial junk mail at 18 percent, internet pitches at 17 percent, health issues at 13 percent and scams at nine percent.
The Santa Clara, Calif.-based company also saw an increase in the use of spam containing Chinese top level domains.
Symantec reported that it captured 250 million copies of greeting card spam last month.
The content of the cards ranged from everyday greetings to holiday-specific messages, according to Symantec.
Researcher Kelly Conley said on the Symantec Security Response Weblog that some versions of greeting card spam lead to malware downloads.
"Greeting card spam containing links to viruses was seen at higher-than-usual numbers in July. More than 250 million Symantec customers were targeted with these message types. Around the Fourth of July, a particularly large outbreak was seen and blogged on," said Conley. "The content of the greeting cards consists of an exposed IP address in most cases, which is a very good indicator that the card is not genuinely good. These exposed IP address links were downloading trojans onto computers." [SC Magazine]
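The detection heuristic that both the Postini and Symantec quotes above describe (links whose host is a bare IP address rather than a domain name, especially when paired with a greeting-card lure) as an added Python example run over constructed sample messages; it is not code from Postini, Symantec or SecureWorks, and the message layout and the lure word list are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample messages in the style the articles describe (not real spam).
SAMPLE_MESSAGES = [
    {"subject": "You've received a greeting card from a family member!",
     "body": "Hi! Your friend sent you an ecard. View it here: http://192.0.2.10/ecard.html"},
    {"subject": "Weekly newsletter",
     "body": "Read this week's issue at https://www.example.com/newsletter/2007-08"},
    {"subject": "Your classmate sent you a postcard",
     "body": "Open your card: http://203.0.113.77:8080/postcard/?id=1234"},
    {"subject": "Meeting notes",
     "body": "Slides are on the intranet: http://intranet.example.org/notes"},
    {"subject": "Invoice attached",
     "body": "Download at http://198.51.100.5/invoice.exe"},
    {"subject": "Happy birthday ecard",
     "body": "Your card is at https://www.example.net/cards/view?id=77"},
]

# Matches http/https links in free text; trailing punctuation is stripped below.
URL_RE = re.compile(r"""\bhttps?://[^\s<>"']+""", re.IGNORECASE)

# Assumed lure vocabulary drawn from the greeting-card runs the articles describe.
ECARD_WORDS = ("greeting card", "ecard", "e-card", "postcard", "card from")


def extract_urls(text):
    """Return every http(s) URL found in the text, minus trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_is_ip_literal(url):
    """True when the URL's host is a raw IPv4 or IPv6 address instead of a name."""
    host = urlsplit(url).hostname  # strips scheme, port, userinfo and brackets
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_message(msg):
    """Apply the two indicators to one message and return the evidence found."""
    urls = extract_urls(msg["body"])
    ip_urls = [u for u in urls if host_is_ip_literal(u)]
    text = (msg["subject"] + " " + msg["body"]).lower()
    ecard_lure = any(word in text for word in ECARD_WORDS)
    if ip_urls and ecard_lure:
        verdict = "high"        # IP-literal link plus the ecard social-engineering hook
    elif ip_urls:
        verdict = "suspicious"  # the flag Postini describes, without the lure wording
    elif ecard_lure:
        verdict = "review"      # lure wording alone; domain links may still be legitimate
    else:
        verdict = "clean"
    return {"subject": msg["subject"], "urls": urls, "ip_urls": ip_urls,
            "ecard_lure": ecard_lure, "verdict": verdict}


def flag_messages(messages):
    """Score a batch of messages; returns one result dict per message, in order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in flag_messages(SAMPLE_MESSAGES):
        print(f"{result['verdict']:10} {result['subject']!r} ip_urls={result['ip_urls']}")
```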
Microsoft delivers nine Patch Tuesday fixes
Microsoft today plugged 14 vulnerabilities by distributing eight client-side patches, as well as a ninth fix that experts say foreshadows threats posed by virtualization.
Six of the patches fix critical flaws that could permit exploitation by a malicious website. Among those was bulletin MS07-042, which corrects a vulnerability in the Microsoft XML Core Services program that could lead to remote code execution.
This bug is particularly harmful because XML Core Services is a "core part of the operating system…and an underlying piece to the way a lot of Windows software works," Tom Cross, an X-Force researcher with IBM ISS, told SCMagazine.com today.
The security update – one of the largest of the year – also fixes a similar flaw, this one related to an error in object linking and embedding (OLE) technology, which permits, for example, a user to copy a chart in Excel and paste it into a PowerPoint presentation, Amol Sarwate, manager of the vulnerability labs at Qualys, told SCMagazine.com.
The other critical patches fix vulnerabilities in ActiveX controls and cascading style sheets (CSS) in Internet Explorer (IE); in the graphics device interface (GDI); in Excel and in the vector markup language (VML) implementation.
The GDI bug "does not require any other application like IE or Excel or Media Player" to run, Sarwate said. "It can be exploited easily if someone downloads or views an image file."
Another two "important" bulletins fixed vulnerabilities in Windows Media Player and Windows Gadgets, a new feature that allows Vista users to, for example, display sports scores in a separate bar. In total, six of the patches affected the new operating system version but only the gadget flaw resulted from code written specifically for Vista.
None of the flaws exist in server-side issues, preventing any "wormable" exploits from occurring, Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com.
"Now you just have to worry about the masses running their desktops and visiting malicious websites," he said.
Experts agreed the most interesting bulletin was MS07-049, an "important" fix that repaired a vulnerability in Virtual PC and Virtual Server, which could permit privilege escalation. If successful, attackers can assume control of the host operating system, giving them access to virtual platforms running beneath the host, Cross said.
Flaws affecting these types of machines are likely to increase as more companies sign on to the cost-savings attraction of virtualization, he said. About 35 percent of U.S. and European firms employ virtualization, he said, citing statistics from Forrester Research. [SC Magazine]
46,000 job hunters victimized by malicious recruitment ads
The personal information of approximately 46,000 job seekers has been stolen from major job hunting websites by hackers using the so-called Prg trojan.
"[The hackers] are injecting their ads with the trojan," said Don Jackson, the SecureWorks researcher who discovered the scheme as well as the original Prg trojan. "When a user views or clicks on one of the malicious ads, their PC is infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL protected sites, is being captured and sent off to the hacker's server in Asia Pacific."
He said that information stolen includes names, Social Security numbers, bank and credit card account numbers, online payment account user names and passwords.
SecureWorks discovered the names after developing countermeasures "to detect the network traffic" generated by the Prg trojan on infected systems, Jackson told SCMagazine.com.
"We deployed the [countermeasures] on clients’ systems, then watched where the network traffic was going and followed it to the server [in Asia]," he said. "This one server is still collecting stolen data, and at any one time, we’re seeing 9,000 to 10,000 victims sending information."
Jackson said that the aggregators who sold the hackers ads are apparently unaware that the ads contain links to malicious sites. The malware uses vulnerabilities in Windows, QuickTime and ActiveX controls to infect users’ systems with executables that collect personal information, such as passwords.
"Anti-virus software has a hard time finding it because of the way it hides itself and also because it changes executables so frequently – the hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker," he said. "Once the anti-virus stops one version, another rolls in and gets through to vulnerabilities the user has not applied patches for."
Because anti-virus software solutions "are not good at catching this, the best way to protect yourself is to patch the operating system and everything else," Jackson said.
Computers infected with the Prg trojan will have a back door proxy server listening for connections on port 6081, according to Jackson.
"This port is not assigned to legitimate services and is not hidden by the root kit functionality. If port 6081 is open on your computer, you are likely infected with the Prg trojan," said Jackson.
Victims whose anti-virus is not detecting the infection should boot the computer into Safe Mode and run an anti-virus scan. "If that fails, manual removal or reinstalling the operating system may be necessary," Jackson said.
AOL phisher pleads guilty in ID theft scheme
A 23-year-old man accused of sending spam and phishing emails that targeted AOL subscribers pleaded guilty Wednesday in federal court, the U.S. Department of Justice (DOJ) announced.
Michael Dolan, who lists West Haven, Conn. and North Miami Beach, Fla. as previous addresses, agreed to plead guilty to a pair of criminal counts brought against him by the U.S. attorney in Connecticut. One count charges him with conspiracy to commit fraud, the second with aggravated identity theft.
From 2002 to 2006, Dolan worked with several other unidentified individuals to steal names, credit card and bank account numbers, and Social Security numbers via spam and phishing emails sent to AOL subscribers.
Dolan's scheme employed malicious software to collect AOL account names from chat rooms, authorities said. He then sent electronic greeting cards purporting to be from Hallmark.com to the AOL users; opening the card downloaded a trojan that prevented AOL subscribers from logging into their account without entering personal information, such as credit card and Social Security numbers.
Dolan used the harvested information to order products online and produce counterfeit debit cards, which were then used at ATMs and retail stores, authorities said. On Sept. 26, 2006, Dolan was caught with the private and financial information of 96 individuals, according to the DOJ.
The plea agreement calls for Dolan to spend 84 months in prison, then remain on supervised probation for two to three years, and pay a fine of $250,000, plus other fees. Dolan must also make restitution to victims, including covering loss of income.
He is scheduled to be sentenced Nov. 14. [SC Magazine]
Hackers spread worm via Skype IM
A worm posing as a link to glamour model images has been spread via the Skype IM chat system, it was reported today.
Hackers launched the Pykse-A worm via Skype instant messages. Any recipient who clicked on the link inadvertently infected their computer with a Trojan that downloads and installs the worm. "Once it's up and running, the Pykse-A worm attempts to connect to a number of remote websites, presumably in an attempt to generate advertising revenue for them by increasing their number of 'hits'," said Graham Cluley, senior technology consultant for Sophos. "It's another example of the methods that malware authors can use to make money."
Last year 63 per cent of system administrators said that blocking VoIP was essential in order to protect corporate networks, according to a poll conducted by Sophos. The survey also found that 86 per cent of respondents wanted the power to control the use of the internet telephony service in an attempt to protect their company systems.
Skype blames downtime on Patch Tuesday re-start, not hackers
A simultaneous reboot of computers automatically installing the latest Microsoft patches set off a widespread Skype outage last week, the VoIP company announced today.
"The high number of re-starts affected Skype’s network resources," the company said on its Heartbeat blog. "This caused a flood of login requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact."
The company said the service can normally withstand this type of event through an "inbuilt ability to self-heal." However, the incident, which began Thursday, unearthed a vulnerability in the service’s network resource allocation algorithm, which prevented the self-healing component from working.
Skype’s announcement today dispelled rumors that hackers were responsible for the DoS attack. A poster on a Russian forum claimed the crash was caused by exploiting a buffer overflow vulnerability by sending malformed requests to Skype’s authorization server. The exploit code was posted on a Romanian website.
"We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk," the company said, adding that it has instituted software improvements to prevent a similar incident from happening in the future.
Peter Thermos, chief technology officer of Palindrome Technologies and a VoIP expert, told SCMagazine.com that he finds it odd that a buffer overflow exploit was revealed, but the outage was blamed on Microsoft security updates.
"If [a crash due to patch updates] happened, I’d assume it would happen when Skype was taking off, when they were beginning to become well-known as a peer-to-peer communications company," he said.
Since its launch about four years ago, Skype has faced its fair share of criticism from security experts. Last year, the Burton Group recommended enterprises should evaluate whether the closed-source Skype fits into their information protection posture.
In March, variants of the Stration worm used Skype as a vector to spread.
Experts have warned internet telephony is at risk to such threats as toll fraud, eavesdropping and phishing.
"This disruption was unprecedented in terms of its impact and scope," Skype said. "We would like to point out that very few technologies or communications networks today are guaranteed to operate without disruptions."
Skype, owned by eBay, reportedly has more than 200 million registered users.