<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1510854815334948236</id><updated>2011-11-27T15:56:51.497-08:00</updated><category term='Digital piracy'/><category term='cybersecurity'/><category term='HSBC'/><category term='Twitter'/><category term='Phishing'/><category term='Cyber espionage'/><category term='cyberwar'/><category term='vishing'/><category term='go daddy'/><category term='Explorer'/><category term='Malicious'/><category term='Cloudburst'/><category term='New Zealand'/><category term='MI5'/><category term='Torpig'/><category term='ISI'/><category term='hacking'/><category term='anti-piracy'/><category term='Windows'/><category term='Snow Leopard sites'/><category term='Circumventor'/><category term='Hotmail'/><category term='police'/><category term='Cyber Spying'/><category term='kalam'/><category term='QuickTime'/><category term='porn'/><category term='Wikileaks'/><category term='Nato'/><category term='Blackberry'/><category term='Katie Price'/><category term='ActiveX'/><category term='Clampi Trojan'/><category term='Delphi'/><category term='LiveJournal'/><category term='Obama'/><category term='TCP offload'/><category term='SSL'/><category term='Scammers'/><category term='Facebook'/><category term='fraud'/><category term='Sneakernet'/><category term='Windows 7'/><category term='cyberspy'/><category term='Federal Trade Commission'/><category term='botnets'/><category term='PC Virus'/><category term='Internet Information Service'/><category term='SMS'/><category term='Network Solutions'/><category term='HTC'/><category term='MSN China'/><category term='Phishers'/><category term='Internet'/><category 
term='MSN'/><category term='SQL Server 2008'/><category term='limewire'/><category term='security'/><category term='Novice'/><category term='WebDAV'/><category term='Avast'/><category term='smartphone'/><category term='india'/><category term='trojan'/><category term='hackers'/><category term='Symbian'/><category term='UK'/><category term='My ID Score'/><category term='botnet'/><category term='Florida'/><category term='US Social Security'/><category term='Browser'/><category term='Bing'/><category term='US power grid'/><category term='iPhone'/><category term='Firefox'/><category term='VMware'/><category term='Conficker'/><category term='Symantec'/><category term='Hacked'/><category term='worm'/><category term='Spammers'/><category term='Sexy Space'/><category term='microsoft'/><category term='messages'/><category term='china'/><category term='Clickjacking'/><category term='pakistan'/><category term='US'/><category term='hijack'/><category term='Gumblar'/><category term='Intel'/><category term='Web sites'/><category term='chinese'/><category term='google'/><title type='text'>Hacked by Chinese</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default?start-index=101&amp;max-results=100'/><author><name>sinlung</name><uri>http://www.blogger.com/profile/12162122497563416936</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator 
version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>179</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3999749775180020317</id><published>2011-10-27T07:36:00.001-07:00</published><updated>2011-10-27T07:36:02.969-07:00</updated><title type='text'>“Anonymous” takes on child pornographers</title><content type='html'>&lt;img alt="Media_httpfarm7static_wjdoe" height="360" src="http://getfile1.posterous.com/getfile/files.posterous.com/guykawasaki/haoyadpbmlewvCBcziDbboGnoxeqFdcxhlmpksmrimrotGyAFzsJjzcvImuk/media_httpfarm7static_wjdoE.jpg.scaled500.jpg" width="450" /&gt;&lt;br /&gt;Say what you will about the past activities of hacker group Anonymous, but their latest crusade puts them firmly on the side wearing white hats as they run the child pornography posse out of Internet town.&lt;br /&gt;&lt;blockquote&gt;“Our demands are simple. Remove all child pornography content from your servers,” Anonymous wrote in a statement. “Refuse to provide hosting services to any website dealing with child pornography. This statement is not just aimed at Freedom Hosting, but everyone on the internet. 
It does not matter who you are, if we find you to be hosting, promoting, or supporting child pornography, you will become a target.”&lt;br /&gt;&lt;/blockquote&gt;Previously known for taking on Bank of America and Sony, which garnered them both accolades and abuse, they’re sure to find much more support in their current battle.&lt;br /&gt;Full story at &lt;a href="http://www.bgr.com/2011/10/24/hacker-group-anonymous-now-targeting-child-porn-sites/" target="_blank"&gt;BGR&lt;/a&gt; via &lt;a href="http://mashable.com/2011/10/24/anonymous-child-pornography/" target="_blank"&gt;Mashable&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3999749775180020317?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3999749775180020317/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/10/anonymous-takes-on-child-pornographers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3999749775180020317'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3999749775180020317'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/10/anonymous-takes-on-child-pornographers.html' title='“Anonymous” takes on child pornographers'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8323647670079195734</id><published>2011-10-13T03:13:00.001-07:00</published><updated>2011-10-13T03:13:40.718-07:00</updated><title type='text'>FBI arrests man who hacked emails of more than 50 celebrities and stole nude photos  from Scarlett Johansson</title><content type='html'>&lt;ul&gt;&lt;li&gt;Christopher Chaney, 35, of Florida faces up to 121 years in prison&lt;/li&gt;&lt;li&gt;Scarlett Johansson, Mila Kunis and Christina Aguilera named as victims in indictment; dozens of others remain anonymous and are ID'd by initials&lt;/li&gt;&lt;/ul&gt;&lt;img alt="The FBI has made an arrest as part of its phone hacking investigation weeks after reports emerged that Scarlett Johansson and other celebrities' phones had allegedly been accessed. " height="448" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-02048F050000044D-29_306x448.jpg" width="306" /&gt;&lt;br /&gt;The FBI has made an arrest as part of its phone hacking investigation weeks after nude photos of Scarlett Johansson were leaked.&lt;br /&gt;A Florida man was charged with hacking into the emails of Christina Aguilera, Johansson and Mila Kunis in a computer invasion scheme that targeted Hollywood celebrities, federal authorities said Wednesday.&lt;br /&gt;Christopher Chaney, 35, of Jacksonville was arrested without incident as part of a yearlong investigation of celebrity hacking that was dubbed 'Operation Hackerazzi.' Chaney, who was expected to appear in a Florida courtroom later Wednesday, was charged with 26 counts of identity theft, unauthorized access to a protected computer and wiretapping.&lt;br /&gt;If convicted, he faces up to 121 years in prison. 
It wasn't immediately known if he had retained an attorney.&lt;br /&gt;Authorities said Chaney was responsible for stealing nude photos that were taken by Johansson herself and later posted on the Internet. Chaney offered some material to celebrity blog sites but there is no evidence that he profited from his scheme, said Steven Martinez, assistant director in charge of the FBI's Los Angeles office.&lt;br /&gt;'Celebrity information is highly marketable,' said Martinez, who added his office continues to receive complaints about celebrities having their personal information breached.&lt;br /&gt;There were more than 50 victims, including Kunis, Aguilera and actress Renee Olstead. &lt;br /&gt;Others were named only by initials and investigators wouldn't say whether they were famous, but said those who were named as victims in the indictment agreed to have their identities made public.&lt;br /&gt;&lt;img alt="U.S. Attorney for the Central District of California Andre Birotte Jr answered questions after announcing the arrest of Christopher Chaney, 35, of Jacksonville, Florida, in Operation Hackerazzi, which hacked over 50 people, believed to all be celebrities" height="316" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0E58EB0200000578-985_634x434.jpg" width="462" /&gt;&lt;br /&gt;U.S. Attorney for the Central District of California Andre Birotte Jr answered questions after announcing the arrest of Christopher Chaney, 35, of Jacksonville, Florida, in Operation Hackerazzi&lt;br /&gt;&lt;img alt="At a press conference on Wednesday the FBI showed how the celebrities were hacked in six steps" height="375" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0E58DDCA00000578-599_634x519.jpg" width="458" /&gt;&lt;br /&gt;At a press conference on Wednesday the FBI showed how the celebrities, more than 50 in total and many still anonymous, were hacked in six steps&lt;br /&gt;'It helps get out the message that cyber-hacking is a real threat,' said U.S. 
Attorney Andre Birotte, who called those who engage in such activity 'scum.'&lt;br /&gt;Chaney hacked Google, Apple and Yahoo email accounts from last November through February, then hijacked the forwarding feature so that a copy of every email received was sent, 'virtually instantaneously,' to an email account he controlled, according to an indictment handed up Tuesday by a federal grand jury in Los Angeles.&lt;br /&gt;He allegedly used the hacker names 'trainreqsuckswhat,' 'anonygrrl' and 'jaxjaguars911,' and also used the victims' identities to illegally access and control computers. &lt;br /&gt;&lt;img alt="Mila Kunis was hacked" height="394" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0D10B4B500000578-617_196x394.jpg" width="196" /&gt;&lt;img alt="Christina Aguilera was hacked" height="394" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0E4497CD00000578-41_196x394.jpg" width="196" /&gt;&lt;img alt="Renee Olstead was hacked" height="394" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0E59071B00000578-221_196x394.jpg" width="196" /&gt;&lt;br /&gt;Celebrities who agreed to be named in the indictment included Mila Kunis, Christina Aguilera and lesser-known actress Renee Olstead, who has a role on TV show The Secret Life of the American Teenager&lt;br /&gt;Chaney is accused of damaging email servers, causing losses of at least $5,000 per instance.&lt;br /&gt;Authorities wouldn't say whether Chaney was able to access email accounts via cell phones, but he was able to figure out secure passwords to various celebrity accounts through information that had been made public.&lt;br /&gt;A message seeking comment was left on an answering machine for a Christopher Chaney in Jacksonville. 
There was no answer at a telephone listing for another Christopher Chaney.&lt;br /&gt;Celebrities and people in the news have long been targets of privacy invasion but concerns have redoubled in the Internet age.&lt;br /&gt;&lt;img alt="Rupert Murdoch giving evidence to the Culture, Media and Sport Select Committee on the News of the World phone-hacking scandal in July" height="265" src="http://i.dailymail.co.uk/i/pix/2011/10/12/article-2048359-0D1381E100000578-769_634x434.jpg" width="387" /&gt;&lt;br /&gt;Rupert Murdoch, who closed the News of the World over hacking, giving evidence to the Culture, Media and Sport Select Committee on the News of the World phone-hacking scandal in July &lt;br /&gt;In Britain, publisher Rupert Murdoch closed down the News of the World this year after contentions that the tabloid routinely hacked into people's phones in the hunt for exclusive stories.&lt;br /&gt;The paper, which had published for 168 years, faced allegations of systematically intercepting private voicemail of those in the news — including a teenage murder victim.&lt;br /&gt;Investigators said they hoped the celebrity-infused case will jumpstart those who don't value online security enough to protect their personal information and create more secure passwords that can't be easily figured out by would-be hackers.&lt;br /&gt;'Taking these steps will go a long way in protecting yourself from the financial and emotional costs of having someone intrude on your private life and potentially steal your identity,' Birotte said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8323647670079195734?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8323647670079195734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://hackedbychinese.blogspot.com/2011/10/fbi-arrests-man-who-hacked-emails-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8323647670079195734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8323647670079195734'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/10/fbi-arrests-man-who-hacked-emails-of.html' title='FBI arrests man who hacked emails of more than 50 celebrities and stole nude photos  from Scarlett Johansson'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6161176134279802613</id><published>2011-09-13T21:15:00.001-07:00</published><updated>2011-09-13T21:15:52.779-07:00</updated><title type='text'>Cyber criminals eye cellphones</title><content type='html'>&lt;img alt="Picture for representation - AFP" height="222" src="http://www.deccanchronicle.com/sites/default/files/imagecache/article_vertical/article-images/ph_0.jpg.crop_display.jpg" title="Picture for representation - AFP" width="300" /&gt;&lt;br /&gt; &lt;br /&gt;With more and more smartphones coming into the market with e-mail and data services, cyber criminals are increasingly targeting cellphones.&lt;br /&gt;In the last one year, 17 per cent of Indians online have faced some form of cyber-attack on their phones. 
Mobile vulnerabilities went up by 42 per cent from 115 in 2009 to 163 in 2010, says the latest Symantec Internet security threat report.&lt;br /&gt;Computer security expert Ankit Fadia said, “With most young people constantly sharing music, files and photos, criminals are now creating virus-infected mobile apps.”&lt;br /&gt;The number of cyber-crime victims across the country went up to about 30 million last year with losses amounting to $3.6 billion. Globally, cyber-crime frauds account for a whopping $114 billion every year, stated the Norton Cybercrime Report 2011.&lt;br /&gt;Fourteen people are targeted by cyber criminals every second around the world and in India, four out of five people who are online are victims of cyber-crime.&lt;br /&gt;However, Gaurav Kanwal of Symantec said that despite such threats, practices such as using data security software, regular review of credit card statements for fraud, using and changing complex passwords were still uncommon among Indians.&lt;br /&gt;M. Sudhakar of the cyber crime cell, Chennai police, said, “With 3G and smartphones, this shift in focus was expected. 
But basic security measures should be taken and people should have some kind of restraint while sharing info on these gadgets.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6161176134279802613?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6161176134279802613/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/09/cyber-criminals-eye-cellphones.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6161176134279802613'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6161176134279802613'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/09/cyber-criminals-eye-cellphones.html' title='Cyber criminals eye cellphones'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5836787416498075557</id><published>2011-09-02T01:12:00.001-07:00</published><updated>2011-09-02T01:12:46.216-07:00</updated><title type='text'>Hacker gets 6-years in 'sextortion' case</title><content type='html'>&lt;b&gt;Los Angeles:&lt;/b&gt; A Southern California man was sentenced on Thursday to six years in prison for infiltrating computers belonging to women and teenage girls where he found sexually explicit photos and threatening to put them online unless they provided him with more.&lt;br /&gt;In sentencing Luis Mijangos, 32, of Santa Ana, US District Judge George King called the 
crimes a form of cyber-terrorism and warned other hackers they will meet stiff penalties for ruining people's lives.&lt;br /&gt;"Society has to understand that if you engage in this type of behaviour, it's no joke," King said. "You are going to jail and going to jail for a long time."&lt;br /&gt;&lt;div class="hm-pic"&gt;&lt;img alt="Luis Mijangos, seated, is surrounded by family members as he enters federal court to face computer hacking charges on September 1, 2011 in Los Angeles." src="http://static.ibnlive.com/pix/sitepix/09_2011/hacker-sextortion-020911.jpg" style="padding-top: 10px;" title="Luis Mijangos, seated, is surrounded by family members as he enters federal court to face computer hacking charges on September 1, 2011 in Los Angeles." width="545px" /&gt;&lt;/div&gt;&lt;div style="color: #535353; font: 11px Arial, Helvetica, sans-serif; text-align: right;"&gt;AP Photo/Nick Ut&lt;/div&gt;Mijangos, who pleaded guilty to one count each of computer hacking and wiretapping in March, grimaced when King handed down the sentence. Tears began to well in his eyes. Earlier, he apologized for what he had done.&lt;br /&gt;"To all the victims I want to say that I'm sorry," said Mijangos, a Mexican citizen, from his wheelchair. "I'm ready to do the right thing and stay out of trouble."&lt;br /&gt;Authorities said Mijangos sent malicious software disguised as popular songs or videos to his victims' computers that also were unwittingly sent by women and teenage girls to their friends and family. In all, Mijangos unlawfully accessed and could control more than 100 computers.&lt;br /&gt;He read their emails, watched them through webcams without their knowledge and most damaging was his discovery of nude photos they had taken of themselves. Mijangos then threatened to post the images online unless his victims were willing to provide more racy photos or videos to him or if they went to police, according to court documents. 
He also posed as some of the victims' boyfriends to convince them to send him nude pictures.&lt;br /&gt;Mijangos eventually followed through on his threat in at least one instance by posting naked pictures of a woman on her friend's MySpace page.&lt;br /&gt;The 35-year-old woman, identified only by her initials GM, spoke at the sentencing, describing the torment inflicted upon her by Mijangos. The woman, who works as an auditor, said Mijangos threatened to release more photos to her employer and that each time she signed onto her computer at work, he would harass and threaten her.&lt;br /&gt;"He haunts me every time I use the computer," she said. "You don't have to be in jail to feel trapped."&lt;br /&gt;She added she no longer trusts anyone and will not pay her bills online or have conversations online.&lt;br /&gt;Prosecutors sought a seven-year prison sentence for Mijangos, while a probation report recommended a two-year term. The maximum he could have faced for the two counts he pleaded guilty to was 10 years.&lt;br /&gt;King said he saw the severity and sophistication of Mijangos's "personal crime wave" and the fact that the defendant decided to funnel his talents as a computer programmer to get sexually explicit material for his personal gratification.&lt;br /&gt;"A lot of people suffered and suffered greatly in a real sense because of his actions," King said.&lt;br /&gt;In arguing for leniency, deputy federal public defender Firdaus Dordi said his client wasn't the one who created the photos nor the virus that infected the computers.&lt;br /&gt;Dordi also pointed out the medical condition of Mijangos, a paraplegic who was struck during a drive-by shooting when he was a teen. 
The gunman was never caught, Dordi said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5836787416498075557?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5836787416498075557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/09/hacker-gets-6-years-in-sextortion-case.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5836787416498075557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5836787416498075557'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/09/hacker-gets-6-years-in-sextortion-case.html' title='Hacker gets 6-years in &apos;sextortion&apos; case'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1936797224434783716</id><published>2011-08-30T00:07:00.001-07:00</published><updated>2011-08-30T00:07:44.531-07:00</updated><title type='text'>Nokia developer community hacked</title><content type='html'>&lt;b&gt;HELSINKI&lt;/b&gt;: Nokia Corp says hackers have breached the security on its developer community discussion site and accessed forum members' email addresses.&lt;br /&gt;&lt;br /&gt;Nokia says the hacked database also included a few members' birth dates, home page URLs and usernames for Skype or Yahoo but no sensitive information such as passwords or credit card details.&lt;br /&gt;&lt;br /&gt;The Finnish cellphone maker said 
Monday it had taken the community website offline as a precaution as it continues further investigations and security assessments.&lt;br /&gt;&lt;br /&gt;Nokia's report comes amid a surge in high-profile cyber attack cases in recent months, including Citigroup, Sony Corp., and Lockheed Martin, as well as organizations such as the United Nations and the International Olympic Committee. &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1936797224434783716?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1936797224434783716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/nokia-developer-community-hacked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1936797224434783716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1936797224434783716'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/nokia-developer-community-hacked.html' title='Nokia developer community hacked'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5195990733431997361</id><published>2011-08-16T22:13:00.000-07:00</published><updated>2011-08-16T22:14:01.015-07:00</updated><title type='text'>Now, hire hackers for $10 an hour: Report</title><content type='html'>&lt;img align="left" alt="hacking1.jpg" border="0" 
src="http://timesofindia.indiatimes.com/thumb.cms?msid=9625565&amp;amp;width=300&amp;amp;resizemode=4" style="display: inline; float: left;" title="hacking1.jpg" width="300" /&gt;&lt;br /&gt;&lt;em&gt;Getting a hit man is expensive and dangerous, but if you just want to launch an attack on a website, it's cheap, around 10 dollars per hour.&lt;br /&gt;&lt;/em&gt; &lt;br /&gt;&lt;strong&gt;LONDON&lt;/strong&gt;: Getting a hit man is expensive and dangerous, but if you just want to launch an attack on a website, it's cheap, around 10 dollars per hour. &lt;br /&gt;&lt;br /&gt;Krebs on Security reports that for a few hundred dollars you can go to an underground forum and hire someone (evidently Russian and Chinese) to mount a distributed denial of service (DDoS) attack on a site. &lt;br /&gt;&lt;br /&gt;DDoS attacks usually rely on botnets, or networks of computers that run malicious software that fire off requests to a website. &lt;br /&gt;&lt;br /&gt;The owners of those computers are almost never aware that they are part of an attack, Discovery News reports. &lt;br /&gt;&lt;br /&gt;When enough page requests are sent, the receiving site's server gets overwhelmed and crashes, shutting the site down at least temporarily. Larger, more-trafficked sites will have better defenses, but a larger network of computers can take those down too. &lt;br /&gt;&lt;br /&gt;Evidently, one can hire a hacker to mount a DDoS for about five to ten dollars per hour. Prices vary, but for about 1,200 dollars one can hire a DDoS attacker for a month. &lt;br /&gt;&lt;br /&gt;A number of underground forums even sell botnet software for do-it-yourselfers. The authors of the software (known as Darkness) claim that with 20,000 bots in the network it can take down just about any site. Like many good software packages there's even a version available for free. 
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5195990733431997361?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5195990733431997361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/now-hire-hackers-for-10-hour-report.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5195990733431997361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5195990733431997361'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/now-hire-hackers-for-10-hour-report.html' title='Now, hire hackers for $10 an hour: Report'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6209495971823370918</id><published>2011-08-13T06:12:00.001-07:00</published><updated>2011-08-13T06:12:32.406-07:00</updated><title type='text'>Hackers' playbook: common tactics</title><content type='html'>&lt;img alt="Media_httpfarm7static_bipsy" height="332" src="http://posterous.com/getfile/files.posterous.com/guykawasaki/uizfxcjHJAvyhpiccFwjxvBCFjJaeoJJvkwkqixgjvHFxzwrdptuBBAzHcsg/media_httpfarm7static_bipsy.jpg.scaled500.jpg" width="444" /&gt;&lt;br /&gt;Once relegated to the shadows of the digital underground, hacking has gone mainstream. 
Hacking has become so prevalent that it has even been allegedly used by major news organizations in the United Kingdom for news gathering.&lt;br /&gt;Although the major players are becoming more familiar, to many, their methods are as opaque as they've always been. In this slideshow, explore some of the techniques used by hackers to exploit and overcome cybersecurity vulnerabilities.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Eavesdropping and Other Passive Attacks&lt;/li&gt;&lt;li&gt;Denial of Service&lt;/li&gt;&lt;li&gt;Keylogging&lt;/li&gt;&lt;/ul&gt;Full story at &lt;a href="http://news.discovery.com/tech/hackers-tactics-technology-photos-110810.html#mkcpgn=hknws1" target="_blank"&gt;Discovery News&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6209495971823370918?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6209495971823370918/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/hackers-playbook-common-tactics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6209495971823370918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6209495971823370918'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/hackers-playbook-common-tactics.html' title='Hackers&apos; playbook: common tactics'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7079035824600161481</id><published>2011-08-10T00:18:00.001-07:00</published><updated>2011-08-10T00:19:00.639-07:00</updated><title type='text'>Anonymous: We're Gonna 'Kill Facebook' on Nov. 5</title><content type='html'>&lt;h4&gt;Attack is in the name of privacy, says warning&lt;/h4&gt;Anonymous says it is planning to destroy Facebook, “the medium of communication you all so dearly adore.” The hacktivist group has posted a warning on YouTube announcing its plan to "kill" the site on Nov. 5, &lt;a href="http://www.businessinsider.com/anonymous-facebook-2011-8#comments#ixzz1UYMfPaG8"&gt;Business Insider&lt;/a&gt; reports. (The video is in the gallery.) The reason? “Your own privacy,” it says. “Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world.” &lt;br /&gt;“Everything you do on Facebook stays on Facebook regardless of your 'privacy' settings, and deleting your account is impossible,” the message continues. “One day you will look back on this and realize what we have done here is right.” Some members of the loosely affiliated group are publicly distancing themselves from the campaign, notes &lt;a href="http://www.cnn.com/2011/TECH/social.media/08/09/anonymous.facebook/"&gt;CNN&lt;/a&gt;. Still, Facebook vs. Anonymous: It could be the “Internet showdown of the year,” observes the &lt;a href="http://blogs.villagevoice.com/runninscared/2011/08/anonymous_wants.php"&gt;&lt;em&gt;Village Voice&lt;/em&gt;&lt;/a&gt;, which also has a transcript of the video. 
&lt;a href="http://www.zdnet.com/blog/violetblue/anonymous-vows-destruction-of-facebook-on-guy-fawkes-day/601"&gt;ZDNet&lt;/a&gt; has more context, factoring in the advent of Google+.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7079035824600161481?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7079035824600161481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/anonymous-were-gonna-kill-facebook-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7079035824600161481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7079035824600161481'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/anonymous-were-gonna-kill-facebook-on.html' title='Anonymous: We&apos;re Gonna &apos;Kill Facebook&apos; on Nov. 5'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6262014196751520919</id><published>2011-08-03T01:04:00.001-07:00</published><updated>2011-08-03T01:04:58.727-07:00</updated><title type='text'>Massive Cyber-Spying Campaign Uncovered.. 
China 'The Most Likely' Origin</title><content type='html'>&lt;h1&gt;Report identifies widespread cyber-spying&lt;/h1&gt;&lt;div class="module byline"&gt;&lt;h3&gt;By &lt;a href="http://www.washingtonpost.com/ellen-nakashima/2011/03/02/ABdt4sM_page.html" rel="author"&gt;Ellen Nakashima&lt;/a&gt;, &lt;span class="timestamp updated processed"&gt;Wednesday, August&amp;nbsp;3, &lt;span class="time special"&gt;8:11&amp;nbsp;AM&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;div class="article_body"&gt;&lt;article&gt;A leading computer security firm has used logs produced by a single server to trace the hacking of more than 70 corporations and government organizations over many months, and experts familiar with the analysis say the snooping probably originated in China.&lt;br /&gt;Among the targets were the Hong Kong and New York offices of the Associated Press, where unsuspecting reporters working on China issues clicked on infected links in e-mail, the experts said.&lt;/article&gt;&lt;/div&gt;&lt;br /&gt;Other targets included the networks of the &lt;a href="http://www.olympic.org/"&gt;International Olympic Committee&lt;/a&gt;, the United Nations secretariat, a U.S. 
Energy Department lab, and a dozen U.S. defense firms, according to a report to be released Wednesday by McAfee, a security firm that monitors network intrusions around the world.&lt;br /&gt;McAfee said hundreds of other servers have been used by the same adversary, which the company did not identify. &lt;br /&gt;But James A. Lewis, a cybersecurity expert at the &lt;a href="http://csis.org/"&gt;Center for Strategic and International Studies&lt;/a&gt;, said “the most likely candidate is China.” The target list’s emphasis on Taiwan and on Olympic organizations in the run-up to the Beijing Games in 2008 “points to China” as the perpetrator, he said. “This isn’t the first we’ve seen. This has been going on from China since at least 1998.” &lt;br /&gt;Another computer expert with knowledge of the study, who spoke on the condition of anonymity out of reluctance to blame China publicly, said the intrusions appear to have originated in China.&lt;br /&gt;The intruders were after data on sensitive U.S. military systems, as well as material from satellite communications, electronics, natural gas companies and even bid data from a Florida real estate company, McAfee said. Forty-nine of the 72 compromised organizations were in the United States.&lt;br /&gt;“We’re facing a massive transfer of wealth in the form of intellectual property that is unprecedented in history,” said Dmitri Alperovitch, McAfee’s vice president of threat research. He would not name the private entities targeted, but said McAfee helped half a dozen of them investigate intrusions.&lt;br /&gt;Some of the intrusions — such as one into the World Anti-Doping Agency in Montreal — are continuing, he said. Spokesmen for that organization and for the International Olympic Committee said they were not aware of the intrusions. A U.N. spokesman said technicians analyzing the logs have not seen evidence of stolen data. 
The Energy Department &lt;span&gt;had no comment.&lt;/span&gt;&lt;br /&gt;&lt;span&gt;According to the report, which does not identify &lt;/span&gt;the AP by name, the organization’s New York office was targeted in August 2009 in an intrusion that lasted, on and off, for eight months. Its Hong Kong bureau was penetrated at the same time, in an intrusion that continued for 21 months. &lt;br /&gt;AP spokesman Jack Stokes said the company was aware of the report. “We do not comment on network security,” he said.&lt;br /&gt;The Associated Press has been targeted before. A March 2009 report by Canadian researchers about allegations of Chinese espionage against the Tibetan community found that computer systems in AP offices in Hong Kong and Britain had been compromised.&lt;br /&gt;&lt;span&gt;&lt;/span&gt;McAfee had been aware for years of a “command and control” server located in a Western country that was used to control malware deployed on target computers. But the firm just recently discovered that the hackers had made a tradecraft mistake, configuring the server to generate logs that identified every Internet protocol address the server had controlled since 2006.&lt;br /&gt;&lt;span&gt;Google’s disclosure early last year that hackers in China had &lt;/span&gt;broken into its networks and stolen valuable source code was a watershed moment: A major U.S. company volunteered that it had been hacked. Google also said that more than 20 other large companies were similarly targeted. &lt;br /&gt;Scott Borg, chief economist at the U.S. Cyber Consequences Unit, a research group, has assessed the annual loss of intellectual property and investment opportunities across all industries at $6&amp;nbsp;billion to $20&amp;nbsp;billion, with a big part owing to oil industry losses. These firms spend hundreds of millions of dollars to explore oil fields before bidding on them, Borg said.&lt;br /&gt;One measure of pain came recently when EMC Corp. 
disclosed that it had taken a $66&amp;nbsp;million charge to cover remediation costs associated with a March intrusion of its RSA division. That intrusion, which industry experts say appeared to have originated in China, resulted in the compromise of RSA’s SecurID computer tokens that companies and governments worldwide use to log on remotely to workplace systems. &lt;br /&gt;As a result of the compromise, at least a dozen major financial institutions are switching to other vendors, said Gary McGraw, chief technology officer at Cigital, a security firm that works with banks. Stina Ehrensvard, chief executive of YubiKey in Palo Alto, Calif., said at least 25 firms have switched to YubiKey or are testing its token as a result of the RSA breach.&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;Staff researcher Julie Tate contributed to this report.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6262014196751520919?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6262014196751520919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/massive-cyber-spying-campaign-uncovered.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6262014196751520919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6262014196751520919'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/08/massive-cyber-spying-campaign-uncovered.html' title='Massive Cyber-Spying Campaign Uncovered.. 
China &apos;The Most Likely&apos; Origin'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3799020594836077502</id><published>2011-07-28T23:36:00.001-07:00</published><updated>2011-07-28T23:36:58.274-07:00</updated><title type='text'>Nearly everyone in SOUTH KOREA HACKED IN ONE GO</title><content type='html'>&lt;div class="standfirst"&gt;&lt;b&gt;Local equivalent of Facebook hit: Fingers point at China&lt;/b&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="byline"&gt;&lt;b&gt;By John Leyden &lt;/b&gt;&lt;br /&gt;&lt;/div&gt;&lt;img alt="http://blog.jokeroo.com/wp-content/uploads/2011/07/Youve_Been_Hacked.jpg" src="http://blog.jokeroo.com/wp-content/uploads/2011/07/Youve_Been_Hacked.jpg" /&gt;&lt;br /&gt;&lt;br /&gt;Personal information on as many as 35 million users of a South Korean social network site may have been exposed as the result of what has been described as the country's biggest ever hack attack.&lt;br /&gt;Local authorities were quick to blame hack attacks against the Cyworld social networking website and the Nate web portal – both of which are run by SK Telecom – on Chinese hackers, the BBC &lt;a href="http://www.bbc.co.uk/news/technology-14323787" target="_blank"&gt;reports&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div id="article-mpu-container"&gt;&lt;div class="ad-now" id="ad-mpu1-spot" style="height: auto; margin-top: 0px; width: auto;"&gt;&lt;/div&gt;Names, phone numbers, email addresses, and other details may have been exposed through the Cyworld hack, which follows previous attacks against South Korean government sites and financial service firms. 
North Korea has been implicated in some of these hacks.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;South Korean police are &lt;a href="http://www.reuters.com/article/2011/07/28/us-hackers-attack-idUSTRE76R19M20110728" target="_blank"&gt;reportedly&lt;/a&gt; investigating the cyberattack against Cyworld – a social network with a SIMS-like environment featuring avatars and virtual apartments – and Nate, which offers webmail.&lt;br /&gt;&lt;br /&gt;Mark Darvill, director at security appliance firm AEP Networks, commented: "By any standard this is a massive attack and one of many in recent months where the finger has been pointed at hackers based in China. It's too early to say whether this attack is politically motivated or merely an attempt to steal personal information for financial gain.&lt;br /&gt;&lt;br /&gt;"It's now becoming increasingly difficult to differentiate between attacks on military, communications, financial, civilian or critical infrastructure targets," he added.&lt;br /&gt;&lt;br /&gt;There are approximately 49 million people in South Korea in total, so it would appear that the great majority of them who are online at all may have been hacked. 
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3799020594836077502?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3799020594836077502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/nearly-everyone-in-south-korea-hacked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3799020594836077502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3799020594836077502'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/nearly-everyone-in-south-korea-hacked.html' title='Nearly everyone in SOUTH KOREA HACKED IN ONE GO'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7656263234153348986</id><published>2011-07-28T02:40:00.001-07:00</published><updated>2011-07-28T02:41:00.452-07:00</updated><title type='text'>Chinese hackers attack S Korean sites</title><content type='html'>&lt;img align="left" alt="hacking2.jpg" border="0" src="http://timesofindia.indiatimes.com/thumb.cms?msid=9394599&amp;amp;width=300&amp;amp;resizemode=4" style="display: inline; float: left;" title="hacking2.jpg" width="300" /&gt;&lt;br /&gt;&lt;em&gt;South Korea' communications regulator said hackers from China had attacked an Internet portal and blogging site.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;strong&gt;SEOUL&lt;/strong&gt;: South Korea' communications regulator said 
hackers from China had attacked an Internet portal and blogging site operated by SK Comms, accessing the personal information of up to 35 million users in what could be the country's biggest cyber attack so far. &lt;br /&gt;&lt;br /&gt;The incident follows a series of hacking incidents at South Korean financial firms in recent months, exposing the vulnerabilities of networks in the world's most wired country. &lt;br /&gt;&lt;br /&gt;The Korea Communications Commission said in a statement that hacking attacks Thursday morning targeted personal information including phone numbers, e-mail addresses, names and coded data of users of the Nate portal and Cyworld blogging sites, both operated by SK Comms. &lt;br /&gt;&lt;br /&gt;Police are investigating the case and have yet to request the assistance of the Chinese authorities, an official at the commission said. &lt;br /&gt;&lt;br /&gt;Accusations against China over hacking incidents have mounted in recent months, with allegations it intruded into the networks of Lockheed Martin and other U.S. military contractors and tried to gain access to the Google email accounts of US officials and Chinese human rights advocates. &lt;br /&gt;&lt;br /&gt;South Korea recently drew up a cyber security master plan after a wave of hacking attacks against global agencies, companies and its own financial firms. &lt;br /&gt;&lt;br /&gt;In April, government-funded Nonghyup, a large commercial bank, suffered a massive network failure that affected millions of users, and Seoul prosecutors said North Korean hackers were responsible for the attack. &lt;br /&gt;&lt;br /&gt;In May, hackers breached the personal information of 1.8 million customers of Hyundai Capital, which is owned by Hyundai Motor and GE Capital International. &lt;br /&gt;Shares in SK Comms, a unit of conglomerate SK Group, tumbled 6 per cent on Thursday. 
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7656263234153348986?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7656263234153348986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/chinese-hackers-attack-s-korean-sites.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7656263234153348986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7656263234153348986'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/chinese-hackers-attack-s-korean-sites.html' title='Chinese hackers attack S Korean sites'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8121489930453382612</id><published>2011-07-11T05:47:00.001-07:00</published><updated>2011-07-11T05:47:19.194-07:00</updated><title type='text'>The hacker family tree</title><content type='html'>&lt;a href="http://www.geekosystem.com/hacker-family-tree/" target="_blank"&gt;&lt;img alt="" src="http://static02.mediaite.com/geekosystem/uploads/2011/07/phpTFPs66PM2.jpg" width="490" /&gt;&lt;/a&gt;&lt;br /&gt;Via &lt;a href="http://www.geekosystem.com/hacker-family-tree/" target="_blank"&gt;Geekosystem&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8121489930453382612?l=hackedbychinese.blogspot.com' 
alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8121489930453382612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/hacker-family-tree.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8121489930453382612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8121489930453382612'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/07/hacker-family-tree.html' title='The hacker family tree'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-530182169282819723</id><published>2011-06-27T05:03:00.001-07:00</published><updated>2011-06-27T05:03:07.918-07:00</updated><title type='text'>The LulzSec ship has sailed</title><content type='html'>&lt;img alt="Media_httpfarm6static_clrjh" height="287" src="http://posterous.com/getfile/files.posterous.com/guykawasaki/wqJrkxnCilyauhxdaeDqnAgzjjxokjJIezsjItEitxeIDssAhGkEjsecAmlh/media_httpfarm6static_clrjh.jpg.scaled500.jpg" width="450" /&gt;    &lt;br /&gt;The Lulz Boat has sailed for the last time and it made sure to dump  another load in the harbor of public domain before setting their course  into the sea of legends.&lt;br /&gt;Data from AT&amp;amp;T, AOL, Disney, Universal, EMI and the FBI were the  targets of their last invasion, and their farewell release noted that  they had succeeded in their goal of reviving the AntiSec movement during  their fifty-day hacking spree, which included the CIA, Sony and the  Arizona state 
government to name a few.&lt;br /&gt;Their legacy has yet to be determined but they have high hopes that other hackers will venture into the void:&lt;br /&gt;&lt;blockquote&gt; "We hope, wish, even beg, that the movement manifests itself into a  revolution that can continue on without us… Together, united, we can  stomp down our common oppressors and imbue ourselves with the power and  freedom we deserve."&lt;br /&gt;&lt;/blockquote&gt;Full story at &lt;a href="http://mashable.com/2011/06/25/lulzsec-closes/" target="_blank"&gt;Mashable&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-530182169282819723?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/530182169282819723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/lulzsec-ship-has-sailed.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/530182169282819723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/530182169282819723'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/lulzsec-ship-has-sailed.html' title='The LulzSec ship has sailed'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1596957235051907179</id><published>2011-06-26T03:18:00.001-07:00</published><updated>2011-06-26T03:18:51.332-07:00</updated><title type='text'>Brazen, publicity-hungry hackers on attack 
spree</title><content type='html'>&lt;b&gt;London:&lt;/b&gt; Can you be famous if no one knows your name? A new  band of hackers is giving it its best shot, trumpeting its cyber-capers  in an all-sirens-flashing publicity campaign. &lt;br /&gt;Lulz Security has stolen mountains of personal data in a dozen  different hacks, embarrassing law enforcement on both sides of the  Atlantic while boasting about the stunts online. &lt;br /&gt;The group, whose name draws on Internetspeak for "laughs," has  about 270,000 followers on the messaging site Twitter. In an online  interview via Skype with The Associated Press late Friday, one LulzSec  member said the group's current hacking campaign was about attacking  "the common oppressors" - which he identified as "banks, governments  (and) law enforcement." &lt;br /&gt;&lt;div class="hm-pic"&gt;&lt;img alt="Brazen, publicity-hungry hackers on attack spree" src="http://static.ibnlive.com/pix/sitepix/12_2010/mouse_internet_221210.jpg" style="padding-top: 10px;" title="Brazen, publicity-hungry hackers on attack spree" width="550px" /&gt;&lt;/div&gt;"Not all of them of course, but they know who they are," he said. &lt;br /&gt;The hacker refused to reveal any personal details beyond  identifying himself as male, but he proved membership in LulzSec by  posting a prearranged message to the group's popular Twitter account  following the interview. The hacker agreed to the online interview in  response to an email request sent by the AP to the group's website  registrant. &lt;br /&gt;The group may cause serious damage, but its online persona often  veers into wackiness. LulzSec's Twitter mascot is a black-and-white  cartoon dandy that looks like a cross between Mr Peanut and The New  Yorker magazine's monocle man. Its rambling messages are peppered with  references to YouTube sensation Rebecca Black, the Dungeons and Dragons  role playing game and tongue-in-cheek conspiracy theories. 
&lt;br /&gt;One of LulzSec's victims says the group sets itself apart from  the rest of the hacker underground with its posturing and bragging on  Twitter. &lt;br /&gt;"Most of the hacker groups that are pretty well known out there  ... don't really like to flaunt their findings. They'll do it among  their peers, but not typically the public," said Karim Hijazi, a  security expert whose emails were ransacked by the hacking group last  month. &lt;br /&gt;LulzSec made its name by defacing the site of the U.S. Public  Broadcasting Service, or PBS, with an article claiming that rapper Tupac  Shakur was still alive. It has since claimed hacks on major  entertainment companies, FBI partner organizations, a pornography  website and the Arizona Department of Public Safety, whose documents  were leaked to the Web late Thursday. &lt;br /&gt;In the interview, the hacker promised more embarrassing leaks,  saying LulzSec was already sitting on at least 5 gigabytes of government  and law enforcement data from across the world, which it planned to  release in the next three weeks. The claim couldn't be independently  verified. In the past, the group has targeted U.S. and British  government sites. &lt;br /&gt;Many past attacks have yielded sensitive information including  usernames and passwords - nearly 38,000 of them, in the case of Sony  Pictures. Others appear to have been just for kicks. In a stunt last  week, LulzSec directed hundreds of telephone calls to the customer  service line of Magnets.com, a New Jersey-based manufacturer of custom  refrigerator magnets. &lt;br /&gt;LulzSec uses a similar technique to temporarily bring down  websites, flooding them with bogus Internet traffic. This is an old  hacker standby that doesn't require much sophistication. Members also  break in to sites to steal data. That requires more skill and often  involves duping employees into revealing passwords. 
&lt;br /&gt;LulzSec's actions against government and corporate websites are  reminiscent of those taken by the much larger, more amorphous group  known as Anonymous. That group has launched Internet campaigns against  the music industry, the Church of Scientology, and Middle Eastern  dictatorships, among others. &lt;br /&gt;An Anonymous member told the AP that he believed LulzSec was  formed by people from the group who got tired of the time it took to  reach consensus and launch hacking projects. &lt;br /&gt;"They wanted to go on more adventurous, brazen hacking adventures  and really get their names out there," he said. He spoke on condition  that his name is withheld given the pressure being put on Anonymous  members by law enforcement. &lt;br /&gt;In the interview, the LulzSec hacker acknowledged that members of  his group had participated in Anonymous operations in the past, such as  attacks on Tunisian government websites during the country's revolution  earlier this year. He said that there were six members of LulzSec  altogether, working eight-to-10 hours a day, but declined to go into  detail when pressed. &lt;br /&gt;"We'd prefer not to be waterboarded, so for the foreseeable  future we'll try our best to remain as anonymous as possible," he joked. &lt;br /&gt;Authorities - and rival hackers - are trying hard to strip that  anonymity away, although the hacker claimed not to be worried. On  Tuesday, 19-year-old Ryan Cleary was arrested as part of a joint  FBI-Scotland Yard investigation into hackings linked to both LulzSec and  Anonymous. British Police Commissioner Paul Stephenson described  Cleary's arrest as "very significant," but the hacker insisted he wasn't  a member of the group. &lt;br /&gt;"He hosted an IRC (a kind of chat room) we used, yes. But it  wasn't our official meeting place, it was just a place for fans to  gather," the hacker said. 
&lt;br /&gt;The hacker declined to be drawn on the content of the material he  said his group was planning to release, except to say that it was all  related to "governments and law enforcement." &lt;br /&gt;He added that, behind the scenes, the group's hacking attacks were ongoing. &lt;br /&gt;"Every day our stash increases," he said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1596957235051907179?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1596957235051907179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/brazen-publicity-hungry-hackers-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1596957235051907179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1596957235051907179'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/brazen-publicity-hungry-hackers-on.html' title='Brazen, publicity-hungry hackers on attack spree'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4906209692072962460</id><published>2011-06-24T21:49:00.000-07:00</published><updated>2011-06-24T21:49:29.633-07:00</updated><title type='text'>Unmasked: The computer geek who boasted on Radio 4 about 'cyber-attack' that brought down MasterCard</title><content type='html'>&lt;ul&gt;&lt;li&gt;Teenager jokes online that laptop is now in police custody 
&lt;/li&gt;&lt;li&gt;Five males aged 15 to 26 arrested in January over the hacking  attack&lt;/li&gt;&lt;/ul&gt;&lt;strong&gt;By Stephen Wright and Colin Fernandez&lt;/strong&gt; &lt;br /&gt;Sprawling on a mattress with his laptop, this is the baby-faced Briton at the  centre of a global investigation into cyber-attacks which caused chaos on one  of  the busiest online shopping days of last year. &lt;br /&gt;He is Chris Wood, aka Coldblood – the self-proclaimed spokesman of a  shadowy  group of ‘hacktivists’ called Anonymous which caused unprecedented mayhem before  Christmas. &lt;br /&gt;The 19-year-old computer geek, who went on Radio 4’s Today programme to boast  about its activities, is among six young men aged 15 to 26 who have been  arrested over cyber-attacks on MasterCard, as well  as online payment network  PayPal and a Swiss bank. &lt;br /&gt;&lt;img alt="Nerdy: 19-year-old Chris Wood, aka, Coldblood, boasts that his laptop is now in a police evidence room after cyber-attacks on MasterCard that caused mayhem before Christmas " height="350" src="http://i.dailymail.co.uk/i/pix/2011/06/24/article-2007911-0CB625C900000578-893_634x438.jpg" width="507" /&gt; &lt;br /&gt;Nerdy: 19-year-old Chris Wood, aka, Coldblood, boasts that his laptop is now  in a police evidence room after cyber-attacks on MasterCard that caused mayhem  before Christmas  &lt;br /&gt;Thousands of shoppers worldwide were affected by the onslaught, which  highlighted the vulnerability of the world’s computer systems. &lt;br /&gt;It is thought just a few dozen hacktivists launched the ‘distributed denial  of service’ (DDoS) attack, which was then taken up by supporters.  
&lt;br /&gt;&lt;img alt="Scary: A sinister image from Wood's Facebook page that shows a masked man splattered with blood and smoking " height="423" src="http://i.dailymail.co.uk/i/pix/2011/06/24/article-2007911-0CB6248B00000578-205_306x423.jpg" width="306" /&gt; &lt;br /&gt;Scary: An image from Wood's Facebook page shows a masked man splattered with  blood and smoking  &lt;br /&gt;It involved around 2,000 computers bombarding the MasterCard website’s host  computers with requests for information, causing them to crash. &lt;br /&gt;Anonymous acted after the arrest of WikiLeaks guru Julian Assange and the  decision by credit card companies to cut off payments to the whistleblowing  site.  &lt;br /&gt;On the internet, Wood makes light of his alleged involvement with Anonymous.  &lt;br /&gt;On one picture posted online he is reclining on a bed with a laptop and  writes: ‘The funny thing is that computer is now in a police evidence room.’  &lt;br /&gt;Although he acted as frontman for Anonymous in interviews for BBC Radio 4 and  other broadcasters, some in the hacking community believe he was set up by other  members of the group after he broke its code of silence by talking to the media. &lt;br /&gt;Before his arrest in January, he spoke to the Mail about how he and other  hackers would continue their campaign. He insisted that what they were doing was  not illegal, merely ‘a form of protest’. &lt;br /&gt;Spotty and wearing a black tie with a skull and crossbones on it, he sipped a  pint of lager in a pub in St Albans, Hertfordshire, as he outlined the  objectives of Anonymous.  &lt;br /&gt;At the time he refused to give his real name. He has been identified after a  Daily Mail investigation. 
&lt;br /&gt;He said his group has ‘quite a few factions’ and added: ‘It’s about freedom of speech on the internet and keeping the internet open.’ &lt;br /&gt;Scotland Yard said five males aged 15 to 26 were arrested in January over offences under the Computer Misuse Act 1990, and remain on bail. &lt;br /&gt;&lt;img alt="Support: Anonymous acted after the arrest of WikiLeaks guru Julian Assange " height="423" src="http://i.dailymail.co.uk/i/pix/2011/06/24/article-2007911-0C98032D00000578-671_306x423.jpg" width="306" /&gt; &lt;br /&gt;Support: Anonymous acted after the arrest of WikiLeaks guru Julian Assange &lt;br /&gt;A sixth man, aged 22, was arrested in April. A spokesman added: ‘This investigation is being carried out in conjunction with international law enforcement agencies in Europe and the U.S.’ &lt;br /&gt;Last night Wood told the Mail he would not comment until the police dropped the ‘unfounded’ claims against him. &lt;br /&gt;However, he denied he had lost his job as a programmer over the arrest and claimed that his boss had been ‘understanding and supportive’, as had his parents. &lt;br /&gt;He insisted he did not speak on behalf of Anonymous. ‘What I tried to do was get the message out about what Anonymous was doing and more importantly why they were doing it,’ he declared. He also claimed the Met Police’s computer experts had struggled to understand his system. &lt;br /&gt;‘From a technical point of view they were not all that knowledgeable in computers,’ he said. &lt;br /&gt;Earlier this week Ryan Cleary, 19, of Wickford, Essex, was accused of carrying out a hacking attack on the website of the UK’s Serious Organised Crime Agency. He was remanded in police custody by City of Westminster magistrates. 
&lt;br /&gt;Cleary was arrested as part of a Scotland Yard and FBI probe into LulzSec, a  hacktivist group which has apparently broken away from Wood’s Anonymous.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4906209692072962460?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4906209692072962460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/unmasked-computer-geek-who-boasted-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4906209692072962460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4906209692072962460'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/unmasked-computer-geek-who-boasted-on.html' title='Unmasked: The computer geek who boasted on Radio 4 about &apos;cyber-attack&apos; that brought down MasterCard'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5273292542892891091</id><published>2011-06-24T02:34:00.000-07:00</published><updated>2011-06-24T02:34:10.103-07:00</updated><title type='text'>FBI Takes Down Servers in Quest for LulzSec Hackers</title><content type='html'>The FBI took some servers down. 
&lt;br /&gt;&lt;br /&gt;Lulzsec is operating as normal… &lt;br /&gt;&lt;br /&gt;they will  have copies of their stuff everywhere… &lt;br /&gt;&lt;br /&gt;taking away a few servers will not  challenge people like Lulzsec… but it will challenge customers who depend on a  single provider… &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-claims-attack-us-police-website"&gt;http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-claims-attack-us-police-website&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5273292542892891091?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5273292542892891091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/fbi-takes-down-servers-in-quest-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5273292542892891091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5273292542892891091'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/fbi-takes-down-servers-in-quest-for.html' title='FBI Takes Down Servers in Quest for LulzSec Hackers'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-226596510598803058</id><published>2011-06-21T08:33:00.000-07:00</published><updated>2011-06-21T08:33:28.149-07:00</updated><title type='text'>LulzSec Does British 
Police Site</title><content type='html'>&lt;h4&gt;Attack is part of campaign on government, security sites&lt;/h4&gt;&lt;img alt="http://www.sbs.com.au/news/public/php/resize.php?id/244646/w/300/h/225/site_1_rand_880392329_scotland_yard_b_getty_110406.jpg" src="http://www.sbs.com.au/news/public/php/resize.php?id/244646/w/300/h/225/site_1_rand_880392329_scotland_yard_b_getty_110406.jpg" /&gt; &lt;br /&gt;If Britain's Serious Organized Crime Agency wasn't already taking an interest  in Lulz Security, it is now. The group of hackers has knocked the agency's  website offline. The agency took its website offline after a denial of service  attack, reports the &lt;a href="http://www.bbc.co.uk/news/technology-13848510"&gt;BBC&lt;/a&gt;. Sensitive  information was never at risk of falling into the hands of the group, whose  other targets have included &lt;a href="http://www.newser.com/story/121168/lulzsec-hackers-take-down-cia-website.html"&gt;the  CIA&lt;/a&gt; and &lt;a href="http://www.newser.com/story/120935/lulzsec-boasts-of-senate-hack.html"&gt;the  US Senate&lt;/a&gt;, officials insist.  &lt;br /&gt;The increasingly brazen group has declared that it is teaming up with  Anonymous to take on governments and security firms. "Top priority is to steal  and leak any classified government information, including email spools and  documentation. 
Prime targets are banks and other high-ranking establishments,"  stated a LulzSec release.&lt;br /&gt;&lt;br /&gt;Lots more coming it seems.......&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-226596510598803058?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/226596510598803058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/lulzsec-does-british-police-site.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/226596510598803058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/226596510598803058'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2011/06/lulzsec-does-british-police-site.html' title='LulzSec Does British Police Site'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7442518372996924092</id><published>2010-08-25T22:37:00.001-07:00</published><updated>2010-08-25T22:37:18.308-07:00</updated><title type='text'>Spies hacked US military computers with a flash drive</title><content type='html'>&lt;b&gt;WASHINGTON&lt;/b&gt;: An infected flash drive put in a US military laptop in 2008 set off the most significant cyberattack ever against the military by a foreign spy agency, according to a top US defence official.&lt;br /&gt;&lt;br /&gt;The previously classified incident, which took place in 2008 in the Middle East, was disclosed by deputy 
defense secretary William J Lynn in an article titled "Defending a New Domain" posted on Foreign Affairs magazine's web site Wednesday.&lt;br /&gt;&lt;br /&gt;This "most significant breach of US military computers ever" served as "an important wake-up call" that led to a new Pentagon counterattack strategy dubbed Operation Buckshot, he wrote in the article also released by the defence department.&lt;br /&gt;&lt;br /&gt;"An enormous amount of foundational work remains, but the US government has begun putting in place various initiatives to defend the United States in the digital age," Lynn wrote.&lt;br /&gt;&lt;br /&gt;"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the US Central Command," his article said.&lt;br /&gt;&lt;br /&gt;"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."&lt;br /&gt;&lt;br /&gt;He continued: "It was a network administrator's worst fear: a rogue programme operating silently, poised to deliver operational plans into the hands of an unknown adversary."&lt;br /&gt;&lt;br /&gt;Lynn's article provided no details on specific files lost or stolen in the attack, which he called one of countless attempts to intrude into US military networks.&lt;br /&gt;&lt;br /&gt;Others also have succeeded, he said, with adversaries acquiring "thousands of files from US networks and from the networks of US allies and industry partners, including weapons blueprints, operational plans, and surveillance data."&lt;br /&gt;&lt;br /&gt;In response, he wrote, the Pentagon has built layered defences around military networks and launched the new US Cyber Command to "integrate cyberdefence operations across the military."&lt;br /&gt;&lt;br /&gt;"The Pentagon is now working with the Department of Homeland Security to protect government networks and 
critical infrastructure and with the United States' closest allies to expand these defences internationally," Lynn wrote.&lt;br /&gt;&lt;br /&gt;Pentagon officials are also developing a cyber strategy document to be released in the fall. It will address, among other things, any statutory changes needed for cyber defence, and the capability for "automated defences," such as the ability to block malware at top speed, he wrote.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7442518372996924092?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7442518372996924092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/08/spies-hacked-us-military-computers-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7442518372996924092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7442518372996924092'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/08/spies-hacked-us-military-computers-with.html' title='Spies hacked US military computers with a flash drive'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3562915586090676549</id><published>2010-07-20T01:35:00.000-07:00</published><updated>2010-07-20T01:35:10.416-07:00</updated><title type='text'>Over 70,000 Blogs Mysteriously Shut Down</title><content type='html'>&lt;a 
href="http://i.huffpost.com/gen/184485/thumbs/s-MAN-AT-COMPUTER-large.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="http://i.huffpost.com/gen/184485/thumbs/s-MAN-AT-COMPUTER-large.jpg" border="0" src="http://i.huffpost.com/gen/184485/thumbs/s-MAN-AT-COMPUTER-large.jpg" /&gt;&lt;/a&gt;Late last week, the Associated Press &lt;a href="http://www.huffingtonpost.com/2010/02/23/china-internet-crackdown-_n_473308.html" target="_hplink"&gt;reported&lt;/a&gt; that "dozens of blogs by some of China's most outspoken users" had been "abruptly" closed in China, notorious for its &lt;a href="http://www.huffingtonpost.com/2010/02/23/china-internet-crackdown-_n_473308.html"&gt;strict Internet controls&lt;/a&gt;. &lt;br /&gt;But less attention has been given to another blog blackout--this time in the US: As &lt;a href="http://news.cnet.com/8301-31001_3-20010877-261.html?tag=mncol;txt" target="_hplink"&gt;CNET&lt;/a&gt; reports, some 73,000 blogs hosted by WordPress blogging platform Blogetery.com were shut down last week by &lt;a href="https://www.burst.net/" target="_hplink"&gt;BurstNet&lt;/a&gt;, Blogetery's web hosting company.&lt;br /&gt;According to CNET, "nobody seems willing to say why or who is responsible." What &lt;em&gt;is&lt;/em&gt; known is that BurstNet informed Blogetery's operator, via &lt;a href="http://www.webhostingtalk.com/showthread.php?t=964013" target="_hplink"&gt;email&lt;/a&gt;, that its service had been terminated "by request of law enforcement officials, due to material hosted on the server."&lt;br /&gt;"Please note that this was not a typical case, in which suspension and notification would be the norm. This was a critical matter brought to our attention by law enforcement officials. 
We had to immediately remove the server," BurstNet additionally &lt;a href="http://www.webhostingtalk.com/showthread.php?t=964013" target="_hplink"&gt;told&lt;/a&gt; Blogetery (see quotes from the &lt;a href="http://www.webhostingtalk.com/showthread.php?t=964013"&gt;email exchange here&lt;/a&gt;). &lt;br /&gt;A BurstNet representative told &lt;a href="http://torrentfreak.com/u-s-authorities-shut-down-wordpress-host-with-73000-blogs-100716/"&gt;TorrentFreak&lt;/a&gt; that additional information on the shutdown of the blogs cannot be provided. “Simply put: We cannot give him his data nor can we provide any other details. By stating this, most would recognize that something serious is afoot,” the representative reportedly &lt;a href="http://torrentfreak.com/u-s-authorities-shut-down-wordpress-host-with-73000-blogs-100716/" target="_hplink"&gt;said&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Is this a copyright issue?  &lt;a href="http://torrentfreak.com/u-s-authorities-shut-down-wordpress-host-with-73000-blogs-100716/" target="_hplink"&gt;TorrentFreak&lt;/a&gt; notes that Blogetery's owner does "admit to handling many copyright-related cease and desists in the past, albeit in a timely manner as the DMCA requires."&lt;br /&gt;People on Twitter have voiced concerns over the shutdown of the blogs. One user, @Veribatim, tweeted, "I've been researching what happened. Either way tens of thousands of blogs who were not criminal were shut down. Not kosher." Another wrote, "70k+ blogs shut down for no reason, no appeal; and people want MORE gov. control of the internet? 
#fail"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3562915586090676549?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3562915586090676549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/07/over-70000-blogs-mysteriously-shut-down.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3562915586090676549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3562915586090676549'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/07/over-70000-blogs-mysteriously-shut-down.html' title='Over 70,000 Blogs Mysteriously Shut Down'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-358211316879744636</id><published>2010-06-28T01:12:00.001-07:00</published><updated>2010-06-28T01:12:42.828-07:00</updated><title type='text'>Internet TVs new 'playground' for cybercrooks</title><content type='html'>&lt;b&gt;In an era where the use of non-PC Internet devices is "exploding", consumers now have more entry points to access the Web. 
These access points and the various devices used represent, in turn, multiple "playgrounds" for cybercriminals to exploit for financial gain, according to a security expert.&lt;/b&gt;  &lt;br /&gt;David Hall, regional consumer marketing manager for Symantec Asia-Pacific, said with the increase in entry points and users spending more time online, the opportunity for cyberattacks to occur increases significantly. &lt;br /&gt;He illustrated the scope of the threat by citing an IDC report, which stated that there are over 10 billion non-PC devices that connect to the Internet today and the number is expected to grow to "almost 20 billion by 2014". These non-PC devices already outnumber PC workstations by "five to one", he noted in an e-mail. &lt;br /&gt;Adding to the deluge of Web-enabled devices are Internet-enabled TVs such as the ones Google hopes to introduce in the near future. &lt;br /&gt;The search giant announced its intentions to mesh both the Web with TVs, named &lt;a href="http://www.zdnetasia.com/google-a-new-consumer-electronics-power-broker-62200164.htm" title="Google: A new consumer electronics power broker -- May 21, 2010"&gt;Google TV&lt;/a&gt;, at its Google I/O conference last month. As early as &lt;a href="http://www.zdnetasia.com/report-google-working-on-google-tv-devices-62061965.htm" title="Report: Google working on Google TV devices -- Mar. 18, 2010"&gt;March this year&lt;/a&gt;, Google was said to be collaborating with industry partners such as Sony, Intel and Logitech to deliver set-top boxes and TV sets that are Web-ready, powered by Google's Android mobile operating system (OS). &lt;br /&gt;If Google succeeds with its foray into consumer electronics, it will increase the risk of cyberattacks occurring "any time, any place", warned Hall. &lt;br /&gt;"We see that computing is expanding far beyond the PC as a platform as the connected devices market goes through a period of explosive growth," he said. 
"Now more than ever, it is critical for consumers to be protected beyond their PCs." &lt;br /&gt;One particular area that could be a security risk is in the area of e-commerce, noted Hall. According to him, there is a "high chance" of cybercriminals stealing credit card details and other personal data through unsecured Web sites and phishing scams, as counterfeit shopping sites offering bogus promotions and low prices surface on non-PC platforms. &lt;br /&gt;To combat this, companies such as Symantec are offering or planning to offer security solutions that look beyond conventional PC protection to other platforms including mobile devices, "smart devices" such as Blu-ray players, digital photo frames and TVs, he said. The protection, he added, could extend to the safeguarding of the user's Internet connection. &lt;br /&gt;Another security expert, Anthony Ung, reckons that with the introduction of &lt;a href="http://www.zdnetasia.com/web-enabled-tvs-should-stick-to-entertaining-62062493.htm" title="Web-enabled TVs should stick to entertaining -- Apr. 07, 2010"&gt;Web-enabled TVs&lt;/a&gt;, the risk of cybercrooks employing social engineering tactics will come to the fore.  &lt;br /&gt;The Country Manager for Southeast Asia at Trend Micro said that Google TV and other such Web-enabled media devices will make TV viewing "a more social experience", particularly in integrating social media elements with conventional broadcast content. &lt;br /&gt;"Social engineering tactics, whether it is through users visiting risky sites and downloading malicious files or [divulging] too much information via their TVs, will surely come into play," said Ung. &lt;br /&gt;He added that in the near future, consumers could possibly see bogus links to certain popular TV shows just to entice users who are fans of the programs to click on them. &lt;br /&gt;Ung also pointed out that manufacturer attention to quality control is now "definitely a necessity" as cyberattacks take on new forms. 
&lt;br /&gt;An earlier ZDNet Asia report indicated that cybercriminals are targeting &lt;a href="http://www.zdnetasia.com/evolving-cyber-threats-target-appliances-62062519.htm" title="Evolving cyber threats target appliances -- Apr. 08, 2010"&gt;non-conventional electronic appliances&lt;/a&gt; such as digital photo frames and battery chargers. Web-enabled TVs will no doubt be on their list of targets once such devices come into the market, said the Trend Micro executive. &lt;br /&gt;&lt;b&gt;Users need to understand threats&lt;/b&gt; &lt;br /&gt;To better mitigate the threat, Ung called for manufacturers to implement and adhere to proper IT security policies as well as for users to understand the various threats that are currently active and take up proper measures against them. &lt;br /&gt;Concurring with Ung's assessment, Symantec's Hall pointed out that online identity and data theft "equate closely" to the likes of robbery or murder in the physical realm, where individuals are likely to deal with the ramifications of such actions "for years" or experience "profound emotional impact". &lt;br /&gt;He advised users to minimize the amount of personal or financial data they store on interconnected devices, as this limits their exposure in the event the devices are stolen. Additionally, consumers should be actively applying manufacturers' security updates as they become available. 
&lt;br /&gt;Users should also remove all their data from the storage space of the device or multiple devices they plan to sell or give away before handing them over to the new owner, Hall added.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-358211316879744636?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/358211316879744636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/06/internet-tvs-new-playground-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/358211316879744636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/358211316879744636'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/06/internet-tvs-new-playground-for.html' title='Internet TVs new &apos;playground&apos; for cybercrooks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-596775978456674517</id><published>2010-06-10T02:14:00.001-07:00</published><updated>2010-06-10T02:14:46.106-07:00</updated><title type='text'>More than 114,000 Apple iPad users have email addresses exposed in massive hacking attack</title><content type='html'>The email addresses of more than 114,000 Apple iPad users including celebrities and politicians have been exposed in a targeted hacking attack in the US.&lt;br /&gt;The massive security breach leaves all of those affected open to spam and 
malicious hacking.&lt;br /&gt;The vulnerability affected only iPad users who signed up for AT&amp;amp;T's 3G wireless internet service.&lt;br /&gt;A hacker group that calls itself Goatse Security claims to have discovered the weakness by tricking AT&amp;amp;T's site into giving up the email addresses.&lt;br /&gt;iPad users in the UK will not have been exposed as the breach was an issue with AT&amp;amp;T's security procedures rather than with Apple itself.&lt;br /&gt;&lt;div class="clear"&gt; &lt;/div&gt;&lt;div class="thinCenter"&gt; &lt;img alt="The White House chief of staff is believed to be among 114,000 iPad owners, including chief executives and military officials, whose personal details have been exposed through a breach of the website of the US phone network AT&amp;amp;T." class="blkBorder" height="353" src="http://i.dailymail.co.uk/i/pix/2010/06/10/article-0-09F92555000005DC-352_468x353.jpg" width="468" /&gt; &lt;div class="imageCaption"&gt;The pile of paper which contains more than 114,000 email addresses which was passed to website Gawker by a hacking group.&lt;/div&gt;&lt;/div&gt;AT&amp;amp;T admitted today that a security weak spot involved an insecure way its website would prompt users when they tried to log into their AT&amp;amp;T accounts through their iPad.&lt;br /&gt;The site would supply users' email addresses to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. &lt;br /&gt;White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg were among those listed. &lt;br /&gt;The emails of CEOs and executives of companies like The New York Times, Time Inc. and Dow Jones as well as senior military personnel were also compromised.&lt;br /&gt;The list was passed to Gawker's Valleywag technology website. 
&lt;br /&gt;Gawker is part of the same group as Gizmodo, which has been in a running battle with Apple over the past few months after it picked up a prototype iPhone 4 which had been left in a bar by a member of Apple's staff.&lt;br /&gt;A representative for the Goatse group said today they had contacted AT&amp;amp;T and waited until the vulnerability was fixed before going public with the information.&lt;br /&gt;&lt;img alt="Apple's iPad has been at the centre of a security breach in the US" class="blkBorder" height="286" src="http://i.dailymail.co.uk/i/pix/2010/06/10/article-0-09DB7B76000005DC-26_468x286.jpg" width="468" /&gt; &lt;br /&gt;&lt;div class="clear"&gt; &lt;/div&gt;&lt;div class="thinCenter"&gt;&lt;div class="imageCaption"&gt;Apple's iPad has been at the centre of a security breach in the US&lt;/div&gt;&lt;/div&gt;AT&amp;amp;T issued a statement which said: 'AT&amp;amp;T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.&lt;br /&gt;'This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.&lt;br /&gt;'The person or group who discovered this gap did not contact AT&amp;amp;T.&lt;br /&gt;'We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.&lt;br /&gt;'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'&lt;br /&gt;Even though only emails have been exposed they can still be used to launch an attack.&lt;br /&gt;Criminals could use that knowledge to trick them into opening emails that plant malicious software on their computers.&lt;br /&gt;Apple refused to comment on the breach.&lt;br /&gt;Apple has sold more than two million iPads since they went on sale 
two months ago.&lt;br /&gt;The iPad comes in two different set-ups - one that only connects to the internet via wi-fi, and another that also can connect through AT&amp;amp;T's 3G network. The wi-fi-only models are not affected by the breach.&lt;br /&gt;&lt;div style="background-color: transparent; border: medium none; color: black; overflow: hidden; text-align: left; text-decoration: none;"&gt;&lt;br /&gt;Read more: &lt;a href="http://www.dailymail.co.uk/sciencetech/article-1285505/Apple-iPad-security-breach-114-000-email-addresses-exposed.html#ixzz0qRL1d9lw" style="color: #003399;"&gt;http://www.dailymail.co.uk/sciencetech/article-1285505/Apple-iPad-security-breach-114-000-email-addresses-exposed.html#ixzz0qRL1d9lw&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-596775978456674517?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/596775978456674517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/06/more-than-114000-apple-ipad-users-have.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/596775978456674517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/596775978456674517'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/06/more-than-114000-apple-ipad-users-have.html' title='More than 114,000 Apple iPad users have email addresses exposed in massive hacking attack'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7023033573216994708</id><published>2010-05-30T07:49:00.001-07:00</published><updated>2010-05-30T07:49:25.510-07:00</updated><title type='text'>History of hacking</title><content type='html'>&lt;div style="margin-bottom: 40px;"&gt;   &lt;a href="http://www.onlinemba.com/blog/the-history-of-hacking" rel="nofollow" target="_blank"&gt;&lt;img alt="The History of Hacking" border="0" src="http://www.onlinemba.com/images/hacking.jpg" width="500" /&gt;&lt;/a&gt;&lt;br /&gt;Via: &lt;a href="http://www.onlinemba.com/" target="_blank"&gt;Online MBA&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7023033573216994708/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/05/history-of-hacking.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7023033573216994708'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7023033573216994708'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/05/history-of-hacking.html' title='History of hacking'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6552929011145239913</id><published>2010-05-12T21:08:00.001-07:00</published><updated>2010-05-12T21:08:24.677-07:00</updated><title type='text'>New DoS attack uses Web servers as zombies</title><content type='html'>&lt;span class="byline"&gt;By &lt;a href="mailto:zdnews-asia@cnet.com"&gt;Elinor Mills, CNET News.com&lt;/a&gt; &lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="column-2 first"&gt;&lt;div class="section"&gt;Imperva says Web server-based botnet offers more attack power than PC-based botnets.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;
&lt;b&gt;Researchers have uncovered a botnet that uses compromised Web servers instead of the usual personal computers to launch denial-of-service (DoS) attacks.&lt;/b&gt;&lt;br /&gt;Security firm Imperva said on Wednesday it uncovered a botnet of about 300 Web servers after one of its "honeypot" servers was used in an attack and based on a search of attack code via Google. Web servers were commonly used in such attacks a decade ago but had been replaced by the more ubiquitous Windows-based PCs, said Amichai Shulman, chief technology officer at Imperva.&lt;br /&gt;In the DoS attack Imperva observed, two Web servers were targeting an unnamed hosting provider based in The Netherlands, he said. The hosting provider was aware of the situation, Shulman said.&lt;br /&gt;It appeared that the Web servers were being compromised with code that exploits a vulnerability in PHP, a computer language used for processing Web pages, and it can affect servers running Apache, Microsoft Internet Information Services (IIS), or other server software, he said. &lt;br /&gt;The attack employs a simple user interface that allows someone to specify the victim's IP address and port as well as how long the attack should last. The information is submitted on a form that includes a message in Indonesian that says "don't use it on your friends," according to a screenshot provided by Shulman.&lt;br /&gt;The attacker, identified as "Exeman," was hiding his or her whereabouts using the anonymity-providing Tor network, he said. 
&lt;br /&gt;Using Web servers provides much greater bandwidth for an attack and thus requires fewer zombies than when personal computers are used, and it lessens the chance that the compromise will be discovered because Web servers don't typically run antivirus software, Shulman said.&lt;br /&gt;"Instead of using 50 personal computers you can use a single server," he said. "To some extent, it's easier to maintain this kind of attack because there are fewer computers (involved) and there's less of a chance for the (attack) code to be detected."&lt;br /&gt;Many DoS attacks are used to extort money out of Web site owners, Shulman said when asked what the motive for the attacks could be. &lt;br /&gt;&lt;i&gt;This article was first published as a blog post on CNET News.&lt;/i&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6552929011145239913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/05/new-dos-attack-uses-web-servers-as.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6552929011145239913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6552929011145239913'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/05/new-dos-attack-uses-web-servers-as.html' title='New DoS attack uses Web servers as zombies'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1446476868826366417</id><published>2010-04-20T01:19:00.001-07:00</published><updated>2010-04-20T01:19:21.334-07:00</updated><title type='text'>Cyberattack on Google Said to Hit Password System</title><content type='html'>Ever since &lt;a class="meta-org" href="http://topics.nytimes.com/top/news/business/companies/google_inc/index.html?inline=nyt-org" title="More information about Google Inc"&gt;Google&lt;/a&gt; disclosed in January that Internet intruders &lt;a href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html" title="Times article"&gt;had stolen information from its computers&lt;/a&gt;, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications. &lt;br /&gt;&lt;br /&gt;The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services. &lt;br /&gt;The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said. 
&lt;br /&gt;The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses. &lt;br /&gt;The theft began with an instant message sent to a Google employee in &lt;a class="meta-loc" href="http://topics.nytimes.com/top/news/international/countriesandterritories/china/index.html?inline=nyt-geo" title="More news and information about China."&gt;China&lt;/a&gt; who was using &lt;a class="meta-org" href="http://topics.nytimes.com/top/news/business/companies/microsoft_corporation/index.html?inline=nyt-org" title="More information about Microsoft Corp"&gt;Microsoft&lt;/a&gt;’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified. &lt;br /&gt;By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team. &lt;br /&gt;The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company’s Web site, which stated that the company was &lt;a href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html" title="Times article"&gt;changing its policy toward China&lt;/a&gt; in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights advocates in China. 
&lt;br /&gt;The accusations became &lt;a href="http://www.nytimes.com/2010/01/26/world/asia/26google.html" title="Times article"&gt;a significant source of tension between the United States and China&lt;/a&gt;, leading Secretary of State &lt;a class="meta-per" href="http://topics.nytimes.com/top/reference/timestopics/people/c/hillary_rodham_clinton/index.html?inline=nyt-per" title="More articles about Hillary Rodham Clinton."&gt;Hillary Rodham Clinton&lt;/a&gt; to urge China to conduct a “transparent” inquiry into the attack. In March, after difficult discussions with the Chinese government, Google said it would move its mainland Chinese-language Web site and begin rerouting search queries to its Hong Kong-based site. &lt;br /&gt;Company executives on Monday declined to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January. &lt;br /&gt;Google executives have also said privately that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks. &lt;br /&gt;Google continues to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users. &lt;br /&gt;Several technical experts said that because Google had quickly learned of the theft of the software, it was unclear what the consequences of the theft had been. 
One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse — a secret back door — into the Gaia program and install it in dozens of Google’s global data centers to establish clandestine entry points. But the independent security specialists emphasized that such an undertaking would have been remarkably difficult, particularly because Google’s security specialists had been alerted to the theft of the program. &lt;br /&gt;However, having access to the original programmer’s instructions, or source code, could also provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google’s engineers. &lt;br /&gt;“If you can get to the software repository where the bugs are housed before they are patched, that’s the pot of gold at the end of the rainbow,” said George Kurtz, &lt;a href="http://www.mcafee.com/us/" title="McAfee’s Web site"&gt;chief technology officer for McAfee Inc.,&lt;/a&gt; a software security company that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year. &lt;br /&gt;Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, “It’s obviously a real issue if you can understand how the system works.” Understanding the algorithms on which the software is based might be of great value to an attacker looking for weak points in the system, he said. &lt;br /&gt;When Google first announced the thefts, the company said it had evidence that the intrusions had come from China. The attacks &lt;a href="http://www.nytimes.com/2010/02/19/technology/19china.html" title="Times article"&gt;have been traced to computers at two campuses in China&lt;/a&gt;, but investigators acknowledge that the true origin may have been concealed, a quintessential problem of cyberattacks.  
&lt;br /&gt;Several people involved in the investigation of break-ins at more than two dozen other technology firms said that while there were similarities between the attacks on the companies, there were also significant differences, like the use of different types of software in intrusions. At one high-profile Silicon Valley company, investigators found evidence of intrusions going back more than two years, according to the person involved in Google’s inquiry. &lt;br /&gt;In Google’s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored. &lt;br /&gt;They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there. 
The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees.</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1446476868826366417/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/04/cyberattack-on-google-said-to-hit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1446476868826366417'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1446476868826366417'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/04/cyberattack-on-google-said-to-hit.html' title='Cyberattack on Google Said to Hit Password System'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7852118529076836173</id><published>2010-03-25T10:24:00.002-07:00</published><updated>2010-03-25T10:24:23.608-07:00</updated><title type='text'>GoDaddy to stop registering domains in China</title><content type='html'>&lt;div class="content clearfix"&gt;&lt;b&gt;At least one company is ready to follow Google's stance on doing business in China: GoDaddy.&lt;/b&gt;&lt;br /&gt;During a congressional hearing Wednesday to discuss Internet 
freedom and China, GoDaddy executives plan to announce that they will stop registering domain names in China in response to a new government policy that requires extensive information about registrants, &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/03/24/AR2010032401543.html" target="_blank"&gt;according to The Washington Post&lt;/a&gt;. Starting last December, individuals and businesses that wished to register a .cn domain name&lt;a href="http://www.zdnetasia.com/china-seeks-identity-of-web-site-operators-62061378.htm" title="China seeks identity of Web site operators -- Feb. 24, 2010"&gt; were being asked to submit a photograph of themselves&lt;/a&gt; as well as a serial number identifying their business license in China.&lt;br /&gt;"This is the first time a registry has asked us to retroactively obtain additional verification and documentation of individuals who have registered a domain name through our company," Christine Jones, general counsel at GoDaddy, said in a copy of her prepared remarks provided by GoDaddy. The company will continue to manage existing registrations but will no longer offer new .cn domain names, she said.&lt;br /&gt;Jones also told the committee that GoDaddy has faced increased numbers of DDoS (Distributed Denial of Service) attacks since the beginning of the year. "In the first three months of this year, we have repelled dozens of extremely serious DDoS attacks that appear to have originated in China, based on the IP addresses from which the attacks derived. Had our security systems not countered these attacks, the result would have been a widespread take-down of our customers' hosted Web sites," Jones said in her prepared testimony.&lt;br /&gt;Google's Alan Davidson, director of public policy, also plans to speak before the hearing, coming two days after &lt;a href="http://www.zdnetasia.com/google-moves-chinese-search-to-hong-kong-62062082.htm" title="Google moves Chinese search to Hong Kong -- Mar. 
23, 2010"&gt;Google announced its decision to move its Chinese-language search engine&lt;/a&gt; from mainland China to Hong Kong in order to bypass government laws on Internet censorship.&lt;br /&gt;"Internet censorship is a challenge that no particular industry--much less any single company--can tackle on its own," Davidson plans to say during his testimony, according to a copy of his prepared remarks &lt;a href="http://googlepublicpolicy.blogspot.com/2010/03/testifying-before-congressional.html" target="_blank"&gt;posted on Google's public policy blog&lt;/a&gt;. "However, we believe concerted, collective action by governments, companies and individuals can help promote online free expression and reduce the impact of censorship."&lt;br /&gt;For the most part, U.S. companies have reiterated plans to stay in China and adhere to their laws following Google's initial announcement in January and subsequent moves this week. Earlier this year, &lt;a href="http://www.zdnetasia.com/white-house-puts-companies-on-notice-in-china-62060703.htm" title="U.S. puts companies on notice in China -- Jan. 
22, 2010"&gt;Secretary of State Hillary Clinton urged companies to do their part&lt;/a&gt; in pressuring governments to open up the Internet to their citizens, but many companies feel the issue is much more properly dealt with at the national level, according to trade group representatives.&lt;br /&gt;&lt;i&gt;This article was first published as a blog post on CNET News.&lt;/i&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7852118529076836173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/odaddy-to-stop-registering-domains-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7852118529076836173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7852118529076836173'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/odaddy-to-stop-registering-domains-in.html' title='GoDaddy to stop registering domains in China'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-664120396116694812</id><published>2010-03-25T10:24:00.000-07:00</published><updated>2010-03-25T10:24:04.078-07:00</updated><title type='text'>iPhone, Safari, IE 8, Firefox hacked in contest</title><content type='html'>&lt;b&gt;Researchers on Wednesday 
demonstrated that they could hack a non-jailbroken iPhone, Safari running on Snow Leopard and Internet Explorer 8 and Firefox on Windows 7 as part of the annual Pwn2Own contest at the CanSecWest security show here.&lt;/b&gt;  &lt;br /&gt;Charlie Miller, principal security analyst at Independent Security Evaluators, won US$10,000 after hacking Safari on a MacBook Pro without having physical access to the machine. Miller won US$5,000 last year by exploiting a hole in Safari, and in 2008 nabbed US$10,000 hacking a MacBook Air, all on the same computer. &lt;br /&gt;Peter Vreugdenhil, an independent security researcher from the Netherlands, will receive US$10,000 for using his exploit to bypass security features in IE 8. &lt;br /&gt;Also winning US$10,000 was Nils, head of research at UK-based MWR InfoSecurity, who targeted Firefox. He declined to provide his last name. As a computer science student at the University of Oldenburg in Germany last year he won US$15,000 for exploits he demonstrated in IE 8, Safari, and Firefox. &lt;br /&gt;And finally, Ralf Philipp Weinmann, of the University of Luxembourg, and Vincenzo Iozzo, of German company Zynamics, hacked the iPhone and will share the US$15,000 prize. Because Iozzo was delayed en route to the contest, his Zynamics colleague Thomas Dullien, better known as Halvar Flake in the security community, served as his proxy, organizers of the contest sponsored by TippingPoint's Zero Day Initiative said. &lt;br /&gt;Miller declined to provide details on his exploit, but said the target computer was compromised after visiting a Web site hosting the malicious code. &lt;br /&gt;"I got an interactive shell (interface) on his box so I could run any commands I want," he said. "He had no idea and his machine was totally patched." &lt;br /&gt;Miller wrote the exploit in less than a week. "It was very reliable," he said. "Some researchers say it's 'weaponized,' which means it always works." 
&lt;br /&gt;To hack IE 8, Vreugdenhil said he exploited two vulnerabilities in a four-part attack that involved bypassing ASLR (Address Space Layout Randomization) and evading DEP (Data Execution Prevention), which are designed to help stop attacks on the browser. As in the other attacks, the system was compromised when the browser visited a Web site hosting the attack code. &lt;br /&gt;The exploit gave him user rights on the targeted computer, which he demonstrated by running the calculator on the machine.  &lt;br /&gt;Nils said he exploited a memory corruption vulnerability and also had to bypass ASLR and DEP as a result of a weakness in Mozilla's implementation. "It's Mozilla's turn to fix this," he said. "If properly used, they can be good mitigators." &lt;br /&gt;He said it took him only a few days to write the exploit, which was created to run the Windows calculator for the demo. But "I could have started any process," he said. &lt;br /&gt;Asked to comment on the researchers' ability to bypass ASLR and DEP, a Microsoft representative said the company would investigate the vulnerabilities. "We're not aware right now of any attacks taking place," said Pete LePage, an IE product manager. &lt;br /&gt;For the iPhone contest, Iozzo and Weinmann wrote an exploit in about two weeks that was designed to steal the contents of the SMS database on an iPhone. &lt;br /&gt;To accomplish the attack the target iPhone was used to visit a Web site hosting exploit code. "The payload executes and uploads the local SMS database of the phone to the server we control," said Weinmann. &lt;br /&gt;The exploit was written to bypass the digital code signatures used on the iPhone to verify that the code in memory is from Apple, he said. The exploit then looked for chunks in Apple's code that could be pieced together to accomplish the attack, according to Weinmann. &lt;br /&gt;"Bypassing the code signing was a major issue," Flake said. 
The technique used has been known since 1997 but has not been used on an ARM processor until now, he added. &lt;br /&gt;While the attack was used to grab just the SMS data, which would include deleted messages, it could be designed to access contacts, photos, and other data on the iPhone, and without the user having any idea an attack was underway, the researchers said. &lt;br /&gt;TippingPoint shares information on the exploits with the affected vendors so they can work on patches.  &lt;br /&gt;&lt;i&gt;This article was first published as a blog post on CNET News.&lt;/i&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/664120396116694812/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/iphone-safari-ie-8-firefox-hacked-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/664120396116694812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/664120396116694812'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/iphone-safari-ie-8-firefox-hacked-in.html' title='iPhone, Safari, IE 8, Firefox hacked in contest'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3379242699495359566</id><published>2010-03-18T00:58:00.001-07:00</published><updated>2010-03-18T00:58:59.496-07:00</updated><title type='text'>How the butterfly botnet was broken</title><content type='html'>&lt;div class="content clearfix"&gt;                            &lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://ict4peace.files.wordpress.com/2008/08/hacker2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="248" src="http://ict4peace.files.wordpress.com/2008/08/hacker2.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;At its height, the Mariposa botnet consisted of about 13 million computers in 190 countries. A joint operation by researchers from Canadian security firm Defence Intelligence and Spain's PandaLabs, in conjunction with the U.S. FBI and the Guardia Civil, led to the arrest of three men in Spain earlier this month in connection with the Mariposa botnet.&lt;/b&gt; &lt;br /&gt;The men, who had no specific computer training, are believed to have played a part in operating the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62061598,00.htm" title="'Celestial alignment' for ideal cybercrime world -- Thursday, Mar. 04, 2010"&gt;command-and-control servers&lt;/a&gt; for the botnet, according to PandaLabs' technical director Luis Corrons, who spoke to ZDNet Asia's sister site ZDNet UK about "Mariposa"--which means butterfly in Spanish--following the arrest of the three men. &lt;br /&gt;&lt;b&gt;Q: When did security researchers start tracking the botnet?&lt;/b&gt; &lt;br /&gt;A: It started in May 2008. 
Defence Intelligence noticed companies were getting infected and found a new &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62061270,00.htm" title="Zeus Trojan found on 74,000 PCs in global botnet -- Thursday, Feb.18, 2010"&gt;botnet&lt;/a&gt;, which was Mariposa. They started an investigation and found links to Spain. They found that some of the command-and-control servers were located in Spain. Defence Intelligence was monitoring bots that were infected and were trying to connect. Different domains seemed to be located in Spain, so Defence Intelligence contacted us. &lt;br /&gt;Read more of "&lt;a href="http://www.zdnet.co.uk/news/security-threats/2010/03/16/how-the-butterfly-botnet-was-broken-40088328/" target="_blank"&gt;How the butterfly botnet was broken&lt;/a&gt;" at ZDNet UK.&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3379242699495359566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/how-butterfly-botnet-was-broken.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3379242699495359566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3379242699495359566'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/how-butterfly-botnet-was-broken.html' title='How the butterfly botnet was broken'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5081579987111855388</id><published>2010-03-17T23:57:00.000-07:00</published><updated>2010-03-17T23:57:47.453-07:00</updated><title type='text'>HP Broadcom Integrated NIC Has a Hole</title><content type='html'>&amp;nbsp; Title: HP Broadcom Integrated NIC Firmware Remote Command Execution  Vulnerability (SSRT100022) &lt;br /&gt;&amp;nbsp; Date Published: March 17, 2010 &lt;br /&gt;&amp;nbsp; Date of Last Revision: March 17, 2010 &lt;br /&gt;&amp;nbsp; Threat Assessment: &lt;b&gt;MEDIUM&lt;span style="color: black;"&gt; - Action Required by  2010-04-14&lt;/span&gt;&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;&amp;nbsp; Target Audience: Administrators who manage any systems using HP Broadcom  Integrated NIC Firmware versions 1.24.0.9 and earlier as well as 8.04 on the  following hardware are affected: &lt;br /&gt;&lt;ul&gt;&lt;li&gt;HP Small Form Factor or Microtower PC with Broadcom Integrated NIC &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Broadcom Integrated NIC Management Firmware versions impacted &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Broadcom Integrated NIC Management Firmware version provided in sp47557  &lt;/li&gt;&lt;/ul&gt;For information and bulletins to service customer-facing  (trade) systems, please refer to the EDS Threat and Vulnerability Management  Service ( &lt;a href="http://esis.corp.hp.com/esis"&gt;http://esis.corp.hp.com/esis&lt;/a&gt; ).  
&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;OPERATING SYSTEMS AFFECTED&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;All Windows OS &lt;br /&gt;&lt;b&gt;&lt;u&gt;APPLICATIONS AFFECTED&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Broadcom NIC 1.X&lt;br /&gt;Broadcom NIC 8.X&lt;br /&gt;&lt;b&gt;&lt;u&gt;PROBLEM SUMMARY&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Multiple HP devices running HP Broadcom Integrated NIC Firmware  are prone to a remotely exploitable remote code-execution vulnerability. An  attacker can exploit this issue to execute arbitrary code with administrative  privileges, resulting in a complete compromise of the affected computer.  &lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;TECHNICAL DETAILS&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;An attacker can &lt;u&gt;&lt;b&gt;remotely&lt;/b&gt;&lt;/u&gt; exploit this issue over the  network to execute commands with SYSTEM-level privileges. Successful exploits  will completely compromise affected computers. &lt;br /&gt;&lt;b&gt;&lt;u&gt;ADDITIONAL ISSUES&lt;/u&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&amp;nbsp; Remote Attack Possible: Yes &lt;br /&gt;&amp;nbsp; Administrative Privilege Gained: Yes &lt;br /&gt;&amp;nbsp; Attack Scripts Available: No &lt;br /&gt;&lt;b&gt;&lt;u&gt;CORRECTIVE ACTION&lt;/u&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Refer to the RESOLUTION section of each SSRT bulletin (listed in  the &lt;b&gt;&lt;u&gt;REFERENCES&lt;/u&gt;&lt;/b&gt; section below) for additional details and  instructions to fix the vulnerability. 
&lt;br /&gt;&lt;b&gt;&lt;u&gt;REFERENCES&lt;/u&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;HPSBGN02511 SSRT100022 rev.2 - HP Small Form Factor or Microtower  PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code  &lt;br /&gt;&lt;a href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471"&gt;http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471&lt;/a&gt;  &lt;br /&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td valign="top"&gt;&lt;nobr&gt;HP SSRT Identifier:&amp;nbsp;&lt;/nobr&gt;&lt;br /&gt;&lt;/td&gt; &lt;td&gt;&lt;/td&gt; &lt;td valign="top"&gt;SSRT100022&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt; &lt;td valign="top"&gt;&lt;nobr&gt;CVE Number:&amp;nbsp;&lt;/nobr&gt;&lt;br /&gt;&lt;/td&gt; &lt;td&gt;&lt;/td&gt; &lt;td valign="top"&gt;&lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0104"&gt;CVE-2010-0104  &lt;/a&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5081579987111855388?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5081579987111855388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/hp-broadcom-integrated-nic-has-hole.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5081579987111855388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5081579987111855388'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/hp-broadcom-integrated-nic-has-hole.html' title='HP Broadcom 
Integrated NIC Has a Hole'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7927779408845871203</id><published>2010-03-14T11:07:00.000-07:00</published><updated>2010-03-14T11:07:31.888-07:00</updated><title type='text'>Google to shut China search engine</title><content type='html'>&lt;div class="clearfix" id="floating-target"&gt;&lt;b&gt;Google&lt;/b&gt; has drawn up detailed plans for the closure of its Chinese search engine and is now “99.9 per cent” certain to go ahead as talks over censorship with the Chinese authorities have reached an apparent impasse, according to a person familiar with the company’s thinking.&lt;br /&gt;In a hardening of positions on both sides, the Chinese government also on Friday threw down a direct public challenge to the US search company, with a warning that it was not prepared to compromise on &lt;a class="bodystrong" href="http://www.ft.com/cms/s/0/f65a4ba6-ffd7-11de-ad8c-00144feabdc0.html" target="_blank" title="FT - Google takes on China on censorship"&gt;internet censorship&lt;/a&gt; to stop Google leaving.&lt;br /&gt;The signs that Google was on the brink of closing Google.cn, its local search service in China, came two months after it promised to stop bowing to censorship there. 
But while a decision could be made very soon, the company is likely to take some time to follow through with the plan as it seeks an orderly closure and takes steps to protect local employees from retaliation by the authorities, the person familiar with its position said.&lt;br /&gt;Google is also seeking ways to keep its other operations in China going, although some executives fear that a backlash from the Chinese authorities could make it almost impossible to keep a presence in the country.&lt;br /&gt;When the search giant first promised to end censorship in response to what it claimed were a &lt;a class="bodystrong" href="http://www.ft.com/cms/s/0/a6f5621c-1f21-11df-9584-00144feab49a.html" target="_blank" title="FT - US experts close in on Google hackers"&gt;series of cyber-attacks&lt;/a&gt; mounted from inside China, many China-watchers warned that its public defiance of Beijing would provoke a stern response.&lt;br /&gt;On Friday, Li Yizhong, minister for industry and information technology, said: “If [Google] takes steps that violate Chinese laws, that would be unfriendly, that would be irresponsible, and they would have to bear the consequences.”&lt;br /&gt;One person close to the search company, meanwhile, said that its senior executives remained “adamant” about ending the censorship. The company has also ruled out keeping the search service going by handing majority control, or even the entire business, to a local player, this person said.&lt;br /&gt;Google’s executives have made it clear that they still hope to stay in the country, whatever the fate of Google.cn. “It’s very important to know we are not pulling out of China,” Eric Schmidt, Google’s chief executive, told the Financial Times at the time. “We have a good business in China. 
This is about the censorship rules, not anything else.”&lt;br /&gt;The company’s other operations, which pre-date the launch of Google.cn four years ago, include its research centre in Beijing and a sales force that sells advertising on the Chinese-language Google.com search service, based outside China, to advertisers inside the country.&lt;br /&gt;Mr Li encouraged Google to continue its operations in the country. “[Google] has taken 30 per cent of the Chinese search market. &lt;br /&gt;“If you don’t leave, China will welcome that, if you don’t leave, it will be beneficial for the development of the internet in China.”&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7927779408845871203?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7927779408845871203/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/google-to-shut-china-search-engine.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7927779408845871203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7927779408845871203'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/google-to-shut-china-search-engine.html' title='Google to shut China search engine'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3950914348251017092</id><published>2010-03-12T08:34:00.001-08:00</published><updated>2010-03-12T08:34:55.339-08:00</updated><title type='text'>RSA 1024-bits Key Encryption Cracked</title><content type='html'>&lt;img alt="Re: RSA" height="350" src="http://imagegallery.taragana.com/images/tgn/2010/03/11/rsa_115908_M.jpg" title="Re: RSA" width="365" /&gt;&lt;br /&gt;The RSA encryption method is used for almost every secured transaction, and RSA 1024-bit encryption is used on almost every banking site and at &lt;span class="IL_AD" id="IL_AD2"&gt;credit card transaction&lt;/span&gt; points. Scientists from the &lt;span class="IL_AD" id="IL_AD4"&gt;University of Michigan&lt;/span&gt; have found that the code can be cracked in 100 hours, where a brute-force attack would otherwise take years.&lt;br /&gt;The procedure stresses the processor by manipulating its supply voltage while it is using the keys to decode. The scientists tweaked the device’s power supply, and the fluctuating CPU voltages generated a single hardware error per clock cycle. This can cause the server to flip single bits of the private key, one at a time. The individual pieces of the private key can then be gathered together to form the full private key. They successfully hacked 1024-bit encryption using 104 hours of processing time from a small cluster of 81 Pentium 4 chips.&lt;br /&gt;Now the question arises: is this a real flaw in the RSA algorithm, and do we need to worry seriously while making transactions on websites? The direct answer is no. This is not a real flaw in the RSA algorithm, and we don’t need to worry about it, because to crack a key with this method an attacker would need to plant a voltage-tampering device inside your system; it can’t be done remotely. 
This is a type of side-channel attack that requires physical access to the hardware involved in the cryptosystem. This means that unless a thief literally breaks into your house and plants a device within your computer, there is no need to worry!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3950914348251017092?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3950914348251017092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/rsa-1024-bits-key-encryption-cracked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3950914348251017092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3950914348251017092'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/rsa-1024-bits-key-encryption-cracked.html' title='RSA 1024-bits Key Encryption Cracked'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2593870291499773486</id><published>2010-03-08T23:19:00.002-08:00</published><updated>2010-03-08T23:19:33.799-08:00</updated><title type='text'>Phishers target more global brands</title><content type='html'>&lt;b&gt;While financial institutions still top the phishing radar, cybercriminals are now moving beyond to top brands, with one of the recent victims being a hardware manufacturer, according to the latest Anti-Phishing Work Group (APWG) 
report.&lt;/b&gt;&lt;br /&gt;Released Sunday, the &lt;a href="http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf" target="_blank"&gt;APWG Phishing Activity Trends Report&lt;/a&gt; for the fourth quarter of 2009 revealed that 356 brands were hijacked in October, an increase of 4.4 percent over the previous high of 341 recorded last August. The study was compiled using data from APWG and its members MarkMonitor, Websense and Panda Security.&lt;br /&gt;The organization noted that the number of unique phishing reports submitted to APWG had dropped nearly 29 percent against an all-time high of 40,621 in August, registering 28,897 in December following a steady decline throughout the quarter. However, member reports and reviews in the second half of 2009 indicated a substantial increase in phishing attempts geared at personnel with financial authority.&lt;br /&gt;APWG Chairman Dave Jevans explained in the report: "Spear phishing and whale-phishing, which target individuals inside of corporations, or of high net worth, appear to be increasing. &lt;br /&gt;"Phishers and malware attackers are sending e-mail to individuals in a highly-targeted fashion, attempting to gain access to &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62059095,00.htm" title="Corporate bank accounts targeted in online fraud -- Wednesday, Nov. 04, 2009"&gt;corporate online banking systems&lt;/a&gt;, corporate VPNs (virtual private networks) and other online resources."&lt;br /&gt;According to Jevans, the attacks do not contribute significantly to the overall volume of unique phishing e-mail because they are not broad-based or generic spam. 
Instead, the attackers customize the e-mail messages to specifically target individual users.&lt;br /&gt;The number of unique phishing sites detected between last October and December remained steady, at between 45,000 and 46,500.&lt;br /&gt;Despite the rise in the types of brands hijacked, cybercrime syndicates continued to focus on the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053271,00.htm" title="Phishing attacks costing banks US$350 a pop -- Friday, Apr. 17, 2009"&gt;financial services&lt;/a&gt; during the last quarter of 2009; financial institutions accounted for 39 percent of overall brands targeted. Thirty-three percent of the phishing attacks recorded during the period focused on payment services companies, while auction-related brands made up 13 percent.&lt;br /&gt;The United States again led the world in Q4 for the number of phishing sites hosted, accounting for over 90 percent of the total in October and November. Asian economies Hong Kong, China and Korea were also ranked among the top 10, with China making it to No. 2 with a 5.2 percent share in December.&lt;br /&gt;However, Patrick Runald, Websense's senior manager for security research, noted that going forward, China is likely to "disappear from the top 10 list" due to the &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060650,00.htm" title="Free speech in face of '.cn' TLD crackdown -- Wednesday, Jan. 
20, 2010"&gt;tightened regulations&lt;/a&gt; the China Internet Network Information Center has introduced for the ".cn" top-level domain.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2593870291499773486?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2593870291499773486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/phishers-target-more-global-brands.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2593870291499773486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2593870291499773486'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/phishers-target-more-global-brands.html' title='Phishers target more global brands'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1541806116896354277</id><published>2010-03-08T23:19:00.000-08:00</published><updated>2010-03-08T23:19:04.352-08:00</updated><title type='text'>Backdoor found in Energizer USB battery charger</title><content type='html'>&lt;b&gt;Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning.&lt;/b&gt;&lt;br /&gt;"The installer for the Energizer Duo software places the file UsbCharger.dll in the application's directory and 
Arucer.dll in the Windows system32 directory," the U.S. Computer Emergency Readiness Team said in &lt;a href="http://www.kb.cert.org/vuls/id/154421" target="_blank"&gt;an advisory&lt;/a&gt; on Friday. "Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs."&lt;br /&gt;The Windows software was made available via a download with the Energizer Duo Charger, Model CHUSB, Energizer said in &lt;a href="http://phx.corporate-ir.net/phoenix.zhtml?c=124138&amp;amp;p=irol-newsArticle&amp;amp;ID=1399675&amp;amp;highlight=" target="_blank"&gt;a statement&lt;/a&gt;. &lt;br /&gt;The battery maker said it does not know how the Trojan got into the software. "Energizer has discontinued sale of this product and has removed the site to download the software," the statement said. "Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software."&lt;br /&gt;For systems with the software installed, US-CERT recommends removing the Energizer Duo software and Arucer.dll file, as well as blocking access to port 7777 via network perimeter devices or firewall software.&lt;br /&gt;The Trojan may have been in the software since it was first offered three years ago, according to Symantec. &lt;br /&gt;"We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007. It is impossible to say for sure that this Trojan has always been in this software, but from our initial inspection it appears so," Symantec wrote in a &lt;a href="http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software" target="_blank"&gt;blog post&lt;/a&gt;. "The Trojan still operates whether this device is found or not, so a USB charger doesn't need to be plugged in for the Trojan to be functioning." 
&lt;br /&gt;If the Trojan does date back to 2007, that is around the same time that there was a rash of products like digital photo frames hitting U.S. shelves infected with malware, said Marcus Sachs, director of the SANS Internet Storm Center. &lt;br /&gt;"This may simply be from that time frame when all the factories in China were not clean and many were putting malware onto stuff, not intentionally but because the hygiene wasn't good," he said in an interview on Monday. &lt;br /&gt;"Who knows where the server (hosting the software) is located," he said. "It could have been exposed to the unclean conditions that were rampant there."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1541806116896354277?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1541806116896354277/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/backdoor-found-in-energizer-usb-battery.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1541806116896354277'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1541806116896354277'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/backdoor-found-in-energizer-usb-battery.html' title='Backdoor found in Energizer USB battery charger'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1879688126652508548</id><published>2010-03-07T09:18:00.001-08:00</published><updated>2010-03-07T09:18:34.680-08:00</updated><title type='text'>How Data Centers Handling Cyber Terrorism</title><content type='html'>&lt;img alt="datacenter" class="alignnone size-full wp-image-22749" height="170" src="http://blog.taragana.com/wp-content/uploads/2010/03/datacenter.gif" width="233" /&gt;&amp;nbsp;Jill Eckhaus, chief executive of &lt;b&gt;AFCOM&lt;/b&gt;, the leading association of &lt;b&gt;data center &lt;/b&gt;management professionals, said that today's IT managers face big challenges in handling cyberterrorism. AFCOM will hold its Data Center World show March 7-11 in Nashville, Tenn., where participants will learn about emerging cyberterrorism threats and how to cope with them. AFCOM officials said that cyberterrorism is a much bigger threat than that posed by a hacker.&lt;br /&gt;&lt;span id="more-22743"&gt;&lt;/span&gt;&lt;br /&gt;Recently, data center provider Digital Realty conducted a survey. It revealed that most data centers will be expanding over the next 2-3 years. Of the 300 North American companies surveyed, 83% plan data center&amp;nbsp;expansions in the next two years because they need more power. Many companies are also consolidating their data center operations. New data centers are being built in areas with cheap access to power and a climate that allows the use of free cooling.&lt;br /&gt;&lt;blockquote&gt;“A hacker might be a student just looking for a challenge,” Eckhaus says. “Cyber terrorists want to destroy the United States. 
That’s the difference.”&lt;/blockquote&gt;The recent AFCOM survey of 400 data centers revealed that only one-third have&amp;nbsp;considered cyberterrorism&amp;nbsp;as part of their disaster&amp;nbsp;recovery plans, only one-quarter have policies and procedures manuals in place for cyberterrorism, and only one-fifth provide cyberterrorism employee training. End users are also keeping a close eye on data centers because they are demanding more. They have realized how important data centers are and that they cannot do good business without them.&amp;nbsp;Customers also expect that&amp;nbsp;data center performance&amp;nbsp;never fails or slows down.&lt;br /&gt;Additionally, going green is equally crucial for data centers nowadays. Major corporations demand that data centers run in a way that saves power costs and appears environmentally friendly to users. That is why it is getting more difficult day by day to provide enough power and cooling to data centers. At the same time, data centers have to recognize that demand for information services is growing day by day. Storage needs will also increase due to global Internet traffic and the use of mobile Internet devices. 
Additionally, many data centers are offering Cloud Computing models that require strict uptime enabled by redundancy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1879688126652508548?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1879688126652508548/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/how-data-centers-handling-cyber.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1879688126652508548'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1879688126652508548'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/how-data-centers-handling-cyber.html' title='How Data Centers Handling Cyber Terrorism'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3770353051109930088</id><published>2010-03-02T02:24:00.001-08:00</published><updated>2010-03-02T02:24:15.250-08:00</updated><title type='text'>The danger of complexity: More code, more bugs</title><content type='html'>&lt;strong&gt;The old method of counting lines of code to judge programmer productivity may have helped contribute to the current deplorable state of software security.&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;Antoine de Saint-Exupery once said, "Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." 
He lived from 1900 to 1944, before the job title of "software engineer" was even a twinkle in someone's eye. &lt;!--text blurb--&gt;  &lt;br /&gt;Aside from being the inspiring author of a number of books including &lt;i&gt;The Little Prince&lt;/i&gt;, he was also an aviator and an engineer, which may help explain how he produced such a timeless quote that is so very relevant to the world of software development today.&lt;br /&gt;A more obvious, but more specialized, statement in that regard was made by Edsger W. Dijkstra: "My point today is that, if we wish to count lines of code, we should not regard them as 'lines produced' but as 'lines spent': the current conventional wisdom is so foolish as to book that count on the wrong side of the ledger."&lt;br /&gt;Recent source lines of code (SLOC) reviews and estimates suggest that a very conservative guess would place the number of bugs in most modern software at the rate of about one per 1000 lines of extremely well-written source code with great attention to security detail. Most software is not written nearly this well, and I am sure my own bug rate is somewhat higher than this conservative estimate.&lt;br /&gt;Writing code for patches intended to fix bugs surely does help reduce the number of bugs in a system, but most software systems get much more code added to them every year to add features than to eliminate bugs. Bug fixes help keep people happy with current versions of the software, but new features actually sell new versions. Worse yet, even bug fixes are certainly not immune to containing bugs. &lt;br /&gt;According to some estimates, between ten and fifteen percent of security patches actually introduce new vulnerabilities. The implications of this are frightening.&lt;br /&gt;If you have ever wondered how so many bugs are found in your software every year, wonder no more. 
In 2003, something on the order of five thousand new security vulnerabilities were reported to CERT, and that number per year has only grown since then. The reason we find all these bugs every year is simple: some of the most popular pieces of software in the world are freaking huge.&lt;br /&gt;It gets even worse. Software does not only tend to be really, really big--it also tends to get bigger at an alarming rate. Consider the growth rate of Microsoft Windows operating systems that use the NT kernel over the years, for instance[1]:&lt;br /&gt;&lt;table border="0" style="border: 1px solid gray;"&gt;&lt;tbody&gt;&lt;tr style="background-color: #aaaaff;"&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Year&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Operating System&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;SLOC (Millions)&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Delta (Millions)&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Delta Per Year (Millions)&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;1993&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows NT 3.1&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;4.5&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;N/A&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;N/A&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;1994&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows NT 3.5&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;7.5&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+3&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+3&lt;/strong&gt;&lt;/td&gt; 
&lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;1996&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows NT 4.0&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;11.5&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+4&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+2&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;2000&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows 2000&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;30&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+18.5&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+4.5&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;2001&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows XP&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;40&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+10&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+10&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;2003&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;Windows Server 2003&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;50&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+10&lt;/strong&gt;&lt;/td&gt; &lt;td style="border: 0pt none;"&gt;&lt;strong&gt;+5&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt;&lt;/tbody&gt; &lt;/table&gt;&lt;br /&gt;This tells us that, if we are very kind with the numbers:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;MS Windows Server was released with 50 million lines of code making up the behemoth piece of software. 
That's 50,000,000 lines of code. If you were to try to count that high, and could actually say the names of the numbers between one and fifty million at a steady rate of one per second (unlikely, given how long it takes to read 47,777,777 out loud), it would still take you more than 1.5 years to count that high without pausing to eat, drink, sleep, or even draw a very deep breath. Even counting at that rate to the 5,000,000 of NT 3.1 would take you about four months.&lt;/li&gt;&lt;li&gt;Given an extremely conservative estimate of one vulnerability per 1000 lines of code, NT 3.1 had 5000 security vulnerabilities, and Server 2003 was released with ten times that many.&lt;/li&gt;&lt;li&gt;MS Windows OSs using an NT-based kernel grew in size at a staggering rate. Averaging the rate of growth in the above table, we get more than 4.5 million per year, or 4,550,000 lines of code added per year.&lt;/li&gt;&lt;li&gt;The number of vulnerabilities introduced by all this additional code added to MS Windows systems based on the NT kernel, by the very conservative estimate I already provided, is one per 1000. This means that MS Windows was adding new bugs at a rate of about 4,550 per year. That means that MS Windows alone gained almost as many vulnerabilities as were actually discovered, for all software reported to CERT, in the year 2003. Given that MS Windows is actually a fairly small part of CERT's total database of bugs, the implications are dismaying. CERT's database shows 65 results for the year 2008 on a search under the term "Windows", which means that--if you take 2008 as representative--vulnerabilities are being added about 65 times as quickly as they are being found.&lt;/li&gt;&lt;/ul&gt;It no longer seems surprising that vulnerabilities are discovered in software all the time. 
What seems surprising is that they are not being found &lt;i&gt;more&lt;/i&gt; often.&lt;br /&gt;If you want to produce secure software, you should focus on following the advice of people like Antoine de Saint-Exupery and Edsger W. Dijkstra. All else being equal, if you can find a way to eliminate lines of code without compromising the proper functioning of the software, you will probably improve the security of the software substantially. &lt;br /&gt;Given how much more can be done per line of code when using higher-level languages, an argument might be made to use as high-level a language as you reasonably can for the task at hand, too.&lt;br /&gt;Sometimes, the need to add more code to an application is unavoidable. Try to keep it to a minimum, though. When it comes to application security, &lt;a href="http://blogs.techrepublic.com.com/security/?p=650" target="_blank"&gt;complexity kills&lt;/a&gt;.&lt;br /&gt;&lt;b&gt;Notes&lt;/b&gt; &lt;br /&gt;1: These numbers are estimates gleaned from Wikipedia's "&lt;a href="https://secure.wikimedia.org/wikipedia/en/w/index.php?title=Source_lines_of_code&amp;amp;oldid=340529351#Example" target="_blank"&gt;Source lines of code&lt;/a&gt;" article. In some cases, Wikipedia's numbers are more vague than these. 
The numbers used here are actually meant to provide more specific, if not any more accurate, estimates for ease of calculation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3770353051109930088?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3770353051109930088/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/danger-of-complexity-more-code-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3770353051109930088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3770353051109930088'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/03/danger-of-complexity-more-code-more.html' title='The danger of complexity: More code, more bugs'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-758093586465404081</id><published>2010-02-26T07:55:00.001-08:00</published><updated>2010-02-26T07:55:38.575-08:00</updated><title type='text'>Microsoft to deactivate Botnets</title><content type='html'>Software giant Microsoft Corp has won US court approval to deactivate a global network of computers that the company accused of spreading spam and harmful computer codes, the Wall Street Journal said.&lt;br /&gt;&lt;br /&gt;A federal judge in Alexandria, Virginia, granted a request by Microsoft to deactivate 277 Internet domains, which the software maker said are 
linked to a "botnet", the paper said.&lt;br /&gt;&lt;br /&gt;A botnet is an army of infected computers that hackers can control from a central machine. The company aims to secretly sever communications channels to the botnet before its operators can re-establish links to the network, the paper said.&lt;br /&gt;&lt;br /&gt;Microsoft on Monday filed a suit that targets a botnet identified as Waledac, the paper said.&lt;br /&gt;&lt;br /&gt;Judge Brinkema's order required VeriSign Inc, an Internet security and naming services provider, to temporarily turn off the suspect Internet addresses, the paper said.&lt;br /&gt;&lt;br /&gt;Microsoft could not be immediately reached for comment by Reuters outside regular US business hours.&lt;br /&gt;&lt;br /&gt;On Feb. 18, Internet security firm NetWitness said in a report that a new type of computer virus is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network websites.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-758093586465404081?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/758093586465404081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/microsoft-to-deactivate-botnets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/758093586465404081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/758093586465404081'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/microsoft-to-deactivate-botnets.html' title='Microsoft to deactivate 
Botnets'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2011723235396623229</id><published>2010-02-25T06:07:00.001-08:00</published><updated>2010-02-25T06:07:30.417-08:00</updated><title type='text'>Experts warn of catastrophe from cyberattacks</title><content type='html'>&lt;b&gt;Computer-based network attacks are slowly bleeding U.S. businesses of revenue and market advantage, while the government faces the prospect of losing in an all-out cyberwar, experts told U.S. Senators in a hearing on Tuesday.&lt;/b&gt;&lt;br /&gt;"If the nation went to war today in a cyberwar, we would lose," said Michael McConnell, executive vice president of Booz Allen Hamilton's national security business and a former director of national security and national intelligence. "We're the most vulnerable. We're the most connected. We have the most to lose." &lt;br /&gt;The United States will not be able to mitigate the risk from cyberattack until the government gets more actively involved in protecting the nation's network, which may not occur until after a "catastrophic event" happens, McConnell said in testimony during a &lt;a href="http://commerce.senate.gov/public/index.cfm?p=Hearings&amp;amp;ContentRecord_id=a676548f-a2a7-40ff-a18d-889a7907801c#hearingParticipants" target="_blank"&gt;hearing of the Senate Committee on Commerce, Science and Transportation&lt;/a&gt;. &lt;br /&gt;"The government's role will change to become more active," he said. 
"We're going to morph the Internet from '.com' to '.secure'."&lt;br /&gt;The subject of the hearing was the Cyber Security Act of 2009, which would regulate organizations and companies that provide critical infrastructure for the U.S., require licensing and certification for cybersecurity professionals, and provide funding for grant and scholarship programs. The U.S. House of Representatives passed its version of the Cyber Security Act &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62061011,00.htm" title="U.S. House of Representatives passes cybersecurity research bill -- Friday, Feb. 05, 2010"&gt;earlier this month&lt;/a&gt;. &lt;br /&gt;The bill is necessary and overdue, said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS). The U.S. is "under attack every day, losing every day vital secrets. We can not wait," he said. "We need a new framework for cybersecurity and this bill helps provide that."&lt;br /&gt;"A cyberattack would be like being bled to death and not noticing it and that's kind of what's happening now," Lewis said when asked to define what a cyber attack is. "The cyberattack is mainly espionage, some crime," he added, noting as an example an attack in which $9.8 million was extracted from ATMs over a three-day weekend. &lt;br /&gt;"I don't worry about terrorists (because)...terrorists are nuts. If they had the ability to attack us they would have used it," he said. "There are people who could attack us now: Russia, China, some others, our potential military opponents. And we know they've done reconnaissance on the electrical grid.&lt;br /&gt;"Could they turn off the electrical grid in a conflict over Taiwan or Georgia? Sure. That's what it would look like," Lewis said. &lt;br /&gt;Cyberattackers are stealing "massive" amounts of business information that is compromising U.S. companies and markets, according to Scott Borg, chief economist at the nonprofit U.S. Cyber Consequences Unit. 
"Cyberattacks are already damaging the American economy much more than is generally recognized," he said. "The loss is greater than losses due to identity theft and credit card fraud."&lt;br /&gt;Mary Ann Davidson, chief security officer at Oracle, warned of the dangers of linking SCADA (Supervisory Control and Data Acquisition) systems for monitoring and controlling &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053723,00.htm" title="US senators aim to protect electric grid from hackers -- Friday, May 01, 2009"&gt;critical infrastructure&lt;/a&gt; with the Internet. &lt;br /&gt;"We know the SCADA protocols used in control systems were not designed to be attack resistant. They were originally used in electro-mechanical systems where you had to physically access the system, turn the knob, and so on," he said. "Now we are increasingly moving to the IP-based control systems and connecting them to corporate networks that are in turn connected to the Internet.&lt;br /&gt;"We know some smart grid devices are hackable," she said. "We know there are PDAs, digital assistants, that talk SCADA because it's just so expensive to send a technician to the plant. Dare I say move the control rods in and out of the reactor? 
There's an app for that."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2011723235396623229?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2011723235396623229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/experts-warn-of-catastrophe-from.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2011723235396623229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2011723235396623229'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/experts-warn-of-catastrophe-from.html' title='Experts warn of catastrophe from cyberattacks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2827258508810205885</id><published>2010-02-24T02:07:00.001-08:00</published><updated>2010-02-24T02:07:49.373-08:00</updated><title type='text'>Intel targeted in January attack</title><content type='html'>&lt;b&gt;Intel was targeted by a "sophisticated" attack in January, but no intellectual property was stolen and executives do not think it was linked with the attacks on Google and others that occurred around the same time, a spokesman said on Tuesday.&lt;/b&gt; &lt;br /&gt;"We don't think it was similar" to the other attacks, Intel spokesman Chuck Mulloy told CNET. "The only connection is the timing and that it was a sophisticated attack." 
&lt;br /&gt;Intel disclosed &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62061360,00.htm" title="Survey: Cyberattacks cost APAC firms -- Tuesday, Feb. 23, 2010"&gt;the attack&lt;/a&gt; as a risk factor, under potential theft or misuse of intellectual property, in its 10-K Securities and Exchange Commission filing on Monday. &lt;br /&gt;"We regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software," the filing said. "These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google." &lt;br /&gt;Mulloy said that "to the best of my knowledge, no intellectual property was lost". "We routinely see people attempting to hack into our network," he said. "It's one of the challenges businesses face today." &lt;br /&gt;He declined to provide further details of the attack.  &lt;br /&gt;Intel's disclosure about the attack--an event companies regularly endure but rarely publicize--could be the start of a trend in listing hack attacks as a risk factor, just as natural disasters and terror-related incidents have been factored into business risks. &lt;br /&gt;This was the first time Intel had mentioned a hack attack in its public filings, according to Mulloy.  &lt;br /&gt;"Risk factors are not written in stone; they change. It's very dynamic," he said. "When you write them you look at the environment around you and clearly we've seen a lot more public attention on hacking, particularly in light of the Google attack." 
&lt;br /&gt;Intel executives thought it was "prudent to point out that we do see attacks on a regular basis and that we work hard to prevent them," he added. &lt;br /&gt;It's likely there has been some exchange of information about the attacks between Intel and Google given that Intel Chief Executive Paul Otellini serves on Google's board of directors. &lt;br /&gt;Google announced in January that its intellectual property had been stolen in a targeted attack in mid-December that appeared to target 20 other companies and may have originated in China. Gmail accounts of human rights activists were targeted as well, Google said. Adobe has acknowledged that it had been targeted in an attack, while Yahoo, Symantec, Northrop Grumman, Dow Chemical, and Juniper Networks were among the other targets, according to multiple sources and reports. &lt;br /&gt;As a result of the attacks, Google said it would stop censoring search results in China and could end up leaving the country entirely. The search giant and Chinese officials have &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060533,00.htm" title="Google, China define positions over censorship -- Friday, Jan. 
15, 2010"&gt;resumed talks&lt;/a&gt; after a hiatus over the Chinese New Year, according to The Wall Street Journal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2827258508810205885?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2827258508810205885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/intel-targeted-in-january-attack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2827258508810205885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2827258508810205885'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/intel-targeted-in-january-attack.html' title='Intel targeted in January attack'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6927121041975070860</id><published>2010-02-23T08:59:00.000-08:00</published><updated>2010-02-23T08:59:05.636-08:00</updated><title type='text'>Spies, hackers exploit world cyber rule void</title><content type='html'>The best weapon against the online thieves, spies and vandals who threaten global business and security would be international regulation of cyberspace.&lt;br /&gt;&lt;br /&gt;Luckily for them, such cooperation does not yet exist.&lt;br /&gt;&lt;br /&gt;Better still, from a hacker's perspective, such a goal is not a top priority for the international community, despite an outcry 
over hacking and censorship and disputes over cyberspace pitting China and Iran against US firm Google.&lt;br /&gt;&lt;br /&gt;Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulation, an EastWest Institute security conference heard last week.&lt;br /&gt;&lt;br /&gt;Policy statements from governments around the world are dominated by the need to heighten national cyber defences. As a result, too many cyber criminals are getting a free ride.&lt;br /&gt;&lt;br /&gt;"Nations are in denial," Indian cyber law expert Pavan Duggal told Reuters, saying national legislation was of limited use in protecting users of a borderless communications tool.&lt;br /&gt;&lt;br /&gt;"It may take a big shock of an event to wake people out of their complacency, something equal to a 9/11 in cyberspace", he said referring to the 2001 coordinated attacks on US cities.&lt;br /&gt;&lt;br /&gt;With a quarter of humanity connected to the Internet, cyber crime poses a growing danger to the global economy.&lt;br /&gt;&lt;br /&gt;TARGET THE PERPETRATOR&lt;br /&gt;The FBI tallied USD 264 million in losses from Internet crime reported by individuals in the United States in 2008 compared to USD 18 million of losses from 2001: These were probably a fraction of the losses caused to companies and government departments.&lt;br /&gt;&lt;br /&gt;The menace extends to many sectors including control systems for manufacturing, utilities and oil refining, since many are now tied to the Internet for convenience and productivity.&lt;br /&gt;&lt;br /&gt;A priority for regulators is to find ways of tracking down criminals across borders and ensuring they are punished, a tough task when criminals can use proxy servers to remain anonymous.&lt;br /&gt;&lt;br /&gt;"We cannot postpone the debate until we are in the midst of a catastrophic cyber attack," former US Homeland Security Secretary Michael Chertoff told the conference.&lt;br /&gt;&lt;br /&gt;"We must 
formulate an international strategy and response to cyber attacks that parallels the traditional laws governing the land, sea, and air."&lt;br /&gt;&lt;br /&gt;Security experts say the ability to conduct disastrous mass cyber attacks is the preserve of some governments, well beyond the capacity of militant guerrilla groups like al Qaeda.&lt;br /&gt;&lt;br /&gt;But it cannot be assumed that international organised criminal networks, long practised at mass online fraud and theft, are not developing an interest in gaining this ability.&lt;br /&gt;&lt;br /&gt;"Cyber crime is a very sophisticated crime with very sophisticated players and it takes a multinational effort to make sure we can enforce the law," Dell Services President Peter Altabef told Reuters.&lt;br /&gt;&lt;br /&gt;"Once you have identified who is at fault you really want to make sure, as a deterrent, that you can go to those jurisdictions and enforce the laws on the books."&lt;br /&gt;&lt;br /&gt;James Stikeleather, Dell Services Chief Technology Officer, told Reuters that tracking down criminals across borders could pose legal issues for drafters of multilateral regulation.&lt;br /&gt;&lt;br /&gt;Giving an example, he said the more companies added the technology needed to give investigators the ability to attribute a crime, the more users' privacy and anonymity would be reduced.&lt;br /&gt;&lt;br /&gt;"PLAYING WITH FIRE"&lt;br /&gt;"Probably the sticking point among the governments will be 'where is the appropriate level of attribution versus anonymity or privacy for what people are doing (online)'."&lt;br /&gt;&lt;br /&gt;Datuk Mohammed Noor Amin, chairman of the UN-affiliated International Multilateral Partnership Against Cyber Threats, said failure to regulate could perpetuate cyber "failed states".&lt;br /&gt;&lt;br /&gt;He cited impoverished countries where customers can purchase unregistered SIM cards with mobile Internet capability, giving them the ability to commit online crime such as identity 
theft against people in rich nations without fear of being traced.&lt;br /&gt;&lt;br /&gt;He said it was in the interest of rich nations to help poorer countries develop the capacity to crack down on this kind of abuse, because their own citizens were being targeted.&lt;br /&gt;&lt;br /&gt;"Governments tend to look at their self-interest. But it's actually in their own interest to collaborate," he said.&lt;br /&gt;&lt;br /&gt;Altabef said the growing rate and scale of international cyber attacks threatened to undermine the trust between nations, businesses and individuals that was necessary for economies and societies to act on the basis of the common good.&lt;br /&gt;&lt;br /&gt;Complacency was also a problem, delegates said. "Nations take for granted the Internet is going to be 'on' for the rest of our lives. It may not necessarily be so," said Duggal.&lt;br /&gt;&lt;br /&gt;"Imagine the Internet being down for two to four weeks," he said. This would "rain disaster" on online businesses as well as transport, industry and governmental surveillance systems.&lt;br /&gt;&lt;br /&gt;"People have to realise the Internet is an integral part of every country, politically, socially and business-wise."&lt;br /&gt;&lt;br /&gt;"Not to focus on cybersecurity is playing with fire."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6927121041975070860?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6927121041975070860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/spies-hackers-exploit-world-cyber-rule.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6927121041975070860'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6927121041975070860'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/spies-hackers-exploit-world-cyber-rule.html' title='Spies, hackers exploit world cyber rule void'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-478602454461798850</id><published>2010-02-22T00:34:00.001-08:00</published><updated>2010-02-22T00:34:18.811-08:00</updated><title type='text'>Chinese schools deny links to Google attacks</title><content type='html'>&lt;b&gt;Two days after a New York Times report linked two Chinese schools to hack attacks on Google and other Silicon Valley companies, both schools are denying those claims. &lt;/b&gt;&lt;br /&gt;Security experts traced the attacks to computers at Shanghai Jiaotong University and Lanxiang Vocational School, The New York Times reported last week. But over the weekend, according to the &lt;a href="http://news.yahoo.com/s/ap/20100220/ap_on_hi_te/tec_china_google" target="_blank"&gt;Associated Press&lt;/a&gt;, China's official Xinhua News Agency cited a representative of the university calling the accusations "baseless" and an official from the vocational school saying its investigation turned up no evidence the intrusions originated on school machines. &lt;br /&gt;Shanghai Jiaotong University is known for its computer science program. The Lanxiang Vocational School was established with military support, according to the Times, and trains computer scientists for the military. &lt;br /&gt;Google &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060485,00.htm" title="Google warns it may exit China over censorship -- Wednesday, Jan. 
13, 2010"&gt;announced January 12&lt;/a&gt; that e-mail accounts belonging to human rights activists in China had been compromised in "a highly sophisticated and targeted attack" probably originating in China. The company said it discovered the attacks in mid-December. &lt;br /&gt;The revelations &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060533,00.htm" title="Google, China define positions over censorship -- Friday, Jan. 15, 2010"&gt;led the search giant to announce&lt;/a&gt; that it would stop censoring search results in China and possibly back out of the Chinese market altogether--a proclamation that underscored the troubled history, and uncertain future, for Internet companies doing business in China. &lt;br /&gt;After warning of strained U.S.-China relations, China &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62060727,00.htm" title="China denies role in Google cyberattacks -- Monday, Jan. 25, 2010"&gt;denied involvement in the attacks&lt;/a&gt;, and investigations by experts including the National Security Agency have only led to servers in Taiwan, the Times says. Findings implicating the Chinese schools in the intrusions could be a breakthrough in the case, though they don't automatically mean the attacks came from the Chinese government (sources have said it is typically difficult to find evidence specifically leading back to Chinese officials in computer attacks)--or even from Chinese sources. &lt;br /&gt;Li Zixiang, the Communist party official speaking for Lanxiang school, disputed the Times report that evidence linked the attacks to a specific computer science class taught by a Ukrainian. "We have never employed any foreign staff," Xinhua quoted Li as saying. 
Another school official challenged the Times' statement that Lanxiang has close ties to the military, saying that students may join the military after graduating but are not required to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-478602454461798850?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/478602454461798850/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chinese-schools-deny-links-to-google.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/478602454461798850'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/478602454461798850'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chinese-schools-deny-links-to-google.html' title='Chinese schools deny links to Google attacks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1152424499195778163</id><published>2010-02-22T00:30:00.001-08:00</published><updated>2010-02-22T00:30:58.446-08:00</updated><title type='text'>Mindset change needed to work with Chinese developers</title><content type='html'>Home to the world's largest population, China is undeniably a potentially lucrative market that most businesses from around the globe will want a slice of. But, whether most can succeed in doing so or not, remains debatable. 
&lt;br /&gt;&lt;br /&gt;From conversations with industry contacts and friends, I've been told that the Chinese market isn't easy to penetrate--several foreign businesses have tried, and failed. Oft-cited reasons for the failure include how business deals in the country are inked based on relationships (or &lt;i&gt;guan xi&lt;/i&gt;), so if an organization is new to the local community it'll face a tough time getting contracts. Others also cite the vast difference in culture and workstyle. &lt;br /&gt;&lt;br /&gt;Here, Tech Podium guest blogger Chong Yew Meng discusses her experience working in China and is refreshingly frank as she reveals the challenges she faces in the country. &lt;br /&gt;&lt;br /&gt;Yew Meng is product and solutions consultant at Singapore-based software integration company, In-One Technology, where she is also a co-founder. She is responsible for the development of product concepts and for managing software development projects. The company's range of services includes Web app development and software testing and quality assurance. &lt;br /&gt;&lt;br /&gt;The draw of &lt;a href="http://www.zdnetasia.com/news/software/0,39044164,62057261,00.htm" title="China biz software sector to be Asia's largest -- Thursday, Aug. 27, 2009"&gt;China's lucrative software market&lt;/a&gt; holds true also for In-One, and Yew Meng has worked with software developers in the country on several projects.  &lt;br /&gt;&lt;br /&gt;It is through such collaboration that she realizes working with Chinese developers requires a change in mindset, where even the definition of "quality" she's used to is starkly different from what her peers in China are used to. &lt;br /&gt;&lt;br /&gt;With that, I'll let Yew Meng take it from here.  
&lt;br /&gt;&lt;br /&gt;A lot of companies happily venture into China with plans to tap one of the world's &lt;a href="http://www.zdnetasia.com/news/software/0,39044164,62057261,00.htm" title="China biz software sector to be Asia's largest -- Thursday, Aug. 27, 2009"&gt;biggest software developer markets&lt;/a&gt;. Developing software at a fraction of their native country's costs and using the Internet to deliver the software beyond physical boundaries seems to be a perfect business strategy. &lt;br /&gt;&lt;br /&gt;But, the plan often falls apart--software quality seems to be non-existent. Even with the best project managers on-site to monitor the team, the project still falls apart in terms of quality. &lt;br /&gt;&lt;br /&gt;So why does that happen? &lt;br /&gt;&lt;br /&gt;I've worked with developers and testers from China and it took me years before I realized that apart from all of us sharing a few physical attributes, the similarity ends there. &lt;br /&gt;&lt;br /&gt;We think differently, we act differently, we communicate differently. I had assumed that being bilingual, I would have an advantage over my American counterparts because I'd be able to "communicate" in the language Chinese developers and testers were familiar with. &lt;br /&gt;&lt;br /&gt;However, being able to talk and write in Chinese does not mean I can understand my team from China any better than my American counterparts. In fact, I think it creates more misjudgment because I'll wrongly assume I know them. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;So what is "quality"?&lt;/b&gt; &lt;br /&gt;I once asked the director of a well-known testing company why he still conducts most of his critical application testing in Singapore. Why not perform the tests in China as it is much more cost-effective? He replied: "Quality is taken for granted there." &lt;br /&gt;&lt;br /&gt;It is common for the China team to conduct quality tests for software, so the issue isn't that tests aren't being carried out. 
Rather, the definition of "quality" is different. Most Chinese software teams define quality to be "as long as it meets the positive workflow required by the requirements". &lt;br /&gt;&lt;br /&gt;Hence, it is common for software to pass internal tests with flying colors, but fail miserably during production. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Different definition of "work completion"&lt;/b&gt; &lt;br /&gt;Chinese developers want to deliver quickly, while others are trying to fight to deliver higher levels of quality in a reasonable time. &lt;br /&gt;&lt;br /&gt;For many Chinese developers, software is considered to be completed as long as the software runs without major problems. The goal is often to complete as soon as possible--speed of development seems to be the key. Program codes may be messy, where performance can actually be further optimized, but as long as the program runs without major problems, it is considered "completed". &lt;br /&gt;&lt;br /&gt;Our local team tends to view a piece of work as completed only if the internals are developed neatly (even if it is not visible to the customers) and the optimum performance is achieved. At times, we may be viewed as "perfectionist" (probably a more polite way of saying we are too fussy) by our Chinese counterparts, while we see our Chinese team as being too laid back on "work completion". &lt;br /&gt;&lt;br /&gt;Hence, we are always in constant conflict with our team in China when it comes to the definition of "work completion". &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Developers decide what final software should be&lt;/b&gt; &lt;br /&gt;When I first started working with Chinese developers, I'd thought that after providing clear functional and design specifications, I would be able to relax and wait for my system to deliver in the shape I expect it to be. &lt;br /&gt;&lt;br /&gt;However, instead of receiving the system according to my specification, I received one that had deviations from my requirements. 
I wasn't informed that the team had encountered technical difficulties implementing the specifications I wanted, resulting in the need to change the requirements to work around the technical issues. &lt;br /&gt;&lt;br /&gt;It is common for developers in China to make unilateral changes to specifications without informing the person who stipulated the requirements. At times, it seems as if they made their decision on what the final software should be. &lt;br /&gt;&lt;br /&gt;This can introduce an unquantifiable amount of risk, and companies have to guess where software performance may have been affected as a result of the changes. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Keeping quiet about problems&lt;/b&gt; &lt;br /&gt;It is common not to hear about any problem from your development team in China during the implementation phase, but this may not be necessarily so. &lt;br /&gt;&lt;br /&gt;Developers that produce software often know where the problem lies with their software, but they may not provide that information to their project manager or customer. &lt;br /&gt;&lt;br /&gt;The rule seems to be "tell you the good news; but keep the bad news". However, it's important to know the bad news so the situation can be remedied. &lt;br /&gt;&lt;br /&gt;Hence, a lot of projects fall apart at the last stage because it is simply too late to resolve the problems by then. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;So is there a future for software collaboration?&lt;/b&gt; &lt;br /&gt;I believe that every developing economy must first make junk before it can produce a quality product.  &lt;br /&gt;&lt;br /&gt;With more Chinese developers being educated overseas--to more mature markets--and returning to China to work, the situation should improve as they'll bring back the "quality" concept. &lt;br /&gt;&lt;br /&gt;And with companies training local developers through numerous interactions on software development, the quality problem will only get better, not worse. 
&lt;br /&gt;&lt;br /&gt;Most important, companies that want to operate in China should learn to understand how to work more effectively with local developers. Chinese developers are brilliant in terms of creativity and if deployed correctly, this creativity can produce brilliant software offering the best quality at low cost. &lt;br /&gt;&lt;br /&gt;It was only after countless failures and much frustration that I realized we're "not the same".  &lt;br /&gt;&lt;br /&gt;It was only after spending time to understand how my China team thinks and why they act in a certain manner, that I started to see the puzzles fit and when we were able to deliver quality projects.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1152424499195778163?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1152424499195778163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/mindset-change-needed-to-work-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1152424499195778163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1152424499195778163'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/mindset-change-needed-to-work-with.html' title='Mindset change needed to work with Chinese developers'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4551674972912297711</id><published>2010-02-17T01:22:00.000-08:00</published><updated>2010-02-17T01:22:54.197-08:00</updated><title type='text'>Security breach in Hotmail</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.windowsmobilecool.com/wp-content/uploads/hotmail.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="123" src="http://www.windowsmobilecool.com/wp-content/uploads/hotmail.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;REDMOND&lt;/b&gt;: Microsoft Corp, whose Internet- identification service was partly shut down for an hour this morning, is looking into reports that a “limited number” of customers were able to gain access to other users’ accounts.&lt;br /&gt;&lt;br /&gt;The breach occurred when users were trying to get into their own accounts using a mobile-phone Web browser, the company said in an e-mailed statement. It wasn’t clear if the security hole was related to the shutdown, Microsoft said.&lt;br /&gt;&lt;br /&gt;“Microsoft takes customers’ privacy seriously, and immediately upon learning of these reports, we started an investigation,” the Redmond, Washington-based company said in the statement. “We will take appropriate action once we have completed the investigation.”&lt;br /&gt;&lt;br /&gt;The outage occurred at about 12:30 p.m. New York time and affected Microsoft’s Windows Live ID system, preventing some customers from signing in to Hotmail free e-mail accounts and other services. More than 460 million users have online IDs that work with the system, according to Microsoft’s Web site.&lt;br /&gt;&lt;br /&gt;Microsoft rose 55 cents to $28.35 at 4 p.m. New York time on the Nasdaq Stock Market. 
The shares have fallen 7 percent this year.&lt;br /&gt;&lt;b&gt;&lt;br /&gt;Unfamiliar inbox&lt;/b&gt;&lt;br /&gt;Masato Kimura, a Hotmail user in Rockville, Maryland, said the security flaw began and ended at about the same time as the broader service failure. Kimura said he was trying to check his Hotmail messages from his LG Electronics Inc. Voyager phone when a different account popped up. &lt;br /&gt;&lt;br /&gt;“All of a sudden, I saw an inbox that looked very unfamiliar to me,” he said. “I tried it again and got yet another inbox. I tried it several times and each time I would be getting a different inbox.”&lt;br /&gt;&lt;br /&gt;Using a computer, Kimura wasn’t able to get to Hotmail at all. After Microsoft restored the service, Kimura was able to log in to his own account using his phone.&lt;br /&gt;&lt;br /&gt;“It’s not a big deal if I can’t get into my own account for a few hours, the problem is if someone else can get into my account,” he said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4551674972912297711?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4551674972912297711/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/security-breach-in-hotmail.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4551674972912297711'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4551674972912297711'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/security-breach-in-hotmail.html' title='Security breach in 
Hotmail'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3847937331297592442</id><published>2010-02-16T22:00:00.001-08:00</published><updated>2010-02-16T22:00:31.701-08:00</updated><title type='text'>Infection may have triggered Blue Screens of Death</title><content type='html'>&lt;b&gt;A number of system error messages that followed Microsoft's latest round of updates may have been caused by an underlying infection on Windows systems, according to the company.&lt;/b&gt;&lt;br /&gt;Microsoft said in a blog post last week that the system error messages, colloquially known as a Blue Screen of Death, happened after users applied the KB977165 patch in the MS10-015 advisory, and that this could have been caused by malware.&lt;br /&gt;"In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behaviour," said a Microsoft blog post. 
"We are not yet ruling out other potential causes at this time and are still investigating."&lt;br /&gt;Read more of "&lt;a href="http://news.zdnet.co.uk/security/0,1000000189,40041786,00.htm" target="_blank"&gt;Infection may have triggered Blue Screens of Death&lt;/a&gt;" at ZDNet UK.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3847937331297592442?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3847937331297592442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/infection-may-have-triggered-blue.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3847937331297592442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3847937331297592442'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/infection-may-have-triggered-blue.html' title='Infection may have triggered Blue Screens of Death'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7678843242577799033</id><published>2010-02-12T02:36:00.002-08:00</published><updated>2010-02-12T02:36:33.995-08:00</updated><title type='text'>Early-adopter criminals embrace cloud computing</title><content type='html'>&lt;b&gt;Executives unsure of the viability of cloud computing need look no further than the criminal fraternity for a ringing endorsement of the technology, according to a security 
expert.&lt;/b&gt;  &lt;br /&gt;Cloud computing has been enthusiastically taken up by criminals for a range of activities, Rik Ferguson, senior security adviser at security firm Trend Micro, told delegates at a Westminster eForum on Wednesday. &lt;br /&gt;"One of the things that persuades me personally that the cloud is absolutely a viable model and has longevity is that it has already been adopted by criminals," Ferguson said. "They are the people who are leading-edge adopters of technology that is going to work and going to stick around for a long time. &lt;br /&gt;Read more of "&lt;a href="http://news.zdnet.co.uk/security/0,1000000189,40035885,00.htm" target="_blank"&gt;Early-adopter criminals embrace cloud computing&lt;/a&gt;" at ZDNet UK.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7678843242577799033?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7678843242577799033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/early-adopter-criminals-embrace-cloud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7678843242577799033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7678843242577799033'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/early-adopter-criminals-embrace-cloud.html' title='Early-adopter criminals embrace cloud computing'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6780834454434627580</id><published>2010-02-12T02:36:00.000-08:00</published><updated>2010-02-12T02:36:07.870-08:00</updated><title type='text'>Chip-PIN defense is 'broken', say researchers</title><content type='html'>&lt;b&gt;Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.&lt;/b&gt;&lt;br /&gt;&lt;a href="http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf" target="_blank" title="Chip and PIN is Broken (PDF) - University of Cambridge"&gt;Researchers at Cambridge University have found&lt;/a&gt; a fundamental flaw in the EMV--Europay, MasterCard, Visa--protocol that underlies chip-and-PIN validation for debit and credit cards.&lt;br /&gt;As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.&lt;br /&gt;Read more of "&lt;a href="http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm" target="_blank"&gt;Chip and PIN is broken, say researchers&lt;/a&gt;" at ZDNet UK.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6780834454434627580?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6780834454434627580/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chip-pin-defense-is-broken-say.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6780834454434627580'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6780834454434627580'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chip-pin-defense-is-broken-say.html' title='Chip-PIN defense is &apos;broken&apos;, say researchers'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3859133330703793495</id><published>2010-02-12T02:20:00.001-08:00</published><updated>2010-02-12T02:20:48.256-08:00</updated><title type='text'>Fortinet: Malicious code hits record-high in Jan</title><content type='html'>&lt;b&gt;The amount of unique malware tracked by security vendor Fortinet reached an all-time high in January.&lt;/b&gt;&lt;br /&gt;Its distinct malware volume soared to over 9,000 last month, more than twice that in December, the company said in a statement Wednesday. Headquartered in Sunnyvale, Calif., Fortinet collects data from its FortiGate network security appliances and intelligence systems located globally, and compiles monthly threat statistics from the data.&lt;br /&gt;Topping the charts were variants of &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058257,00.htm" title="Targeted e-mail distribute malware in PayChoice breach -- Friday, Oct. 02, 2009"&gt;Bredolab&lt;/a&gt;, accounting for more than 40 percent of all malware activity. The Bredolab downloader program, which has assumed the No. 
1 position since November 2009, has been associated with the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054455,00.htm" title="Experts: Gumblar attack is alive, worse than Conficker -- Friday, May 29, 2009"&gt;Gumblar attacks&lt;/a&gt;, said Fortinet.&lt;br /&gt;Also highlighted in &lt;a href="http://www.fortiguard.com/report/roundup_january_2010.html" target="_blank"&gt;the report&lt;/a&gt; was the wave of attacks known as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62060579,00.htm" title="McAfee: China attacks a 'watershed moment' -- Monday, Jan. 18, 2010"&gt;Operation Aurora&lt;/a&gt;--a major talking point following &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060485,00.htm" title="Google warns it may exit China over censorship -- Wednesday, Jan. 13, 2010"&gt;Google's threat last month to pull out of China&lt;/a&gt;. Fortinet said the attack, which uses a &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62060543,00.htm" title="New IE hole exploited in attacks on US firms -- Friday, Jan. 15, 2010"&gt;zero-day vulnerability in Microsoft's Internet Explorer&lt;/a&gt; browser, was ranked No. 4 on the list of top 10 attacks for January.&lt;br /&gt;The peak volume of threat activity last month signaled that 2010 will likely be "another action-packed year", Derek Manky, Fortinet's project manager for cybersecurity and threat research, said in the statement.&lt;br /&gt;"The amount of malicious code in the wild is increasing...while in-the-wild exploits and emerging zero-day attacks targeting very popular software, like Microsoft IE and Adobe PDF, create a vulnerable environment for users at every point of connectivity," he noted. 
"As the monetary gains of these threats continue to prove [valuable] to the criminals creating them, we'll only continue to see new and creative attacks take form."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3859133330703793495?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3859133330703793495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/fortinet-malicious-code-hits-record.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3859133330703793495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3859133330703793495'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/fortinet-malicious-code-hits-record.html' title='Fortinet: Malicious code hits record-high in Jan'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2245419618758757970</id><published>2010-02-09T21:58:00.001-08:00</published><updated>2010-02-09T21:58:52.069-08:00</updated><title type='text'>Chinese govt takes Black Hawk down</title><content type='html'>&lt;b&gt;The Chinese government has shut down what it believes is the country's largest hacker training site, according to state-controlled media.&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Police in Hubei province arrested three people behind Black Hawk Safety Net and seized 1.7 million RMB (US$248,880) worth of assets, the &lt;a 
href="http://www.chinadaily.com.cn/bizchina/2010-02/08/content_9442352.htm" target="_blank"&gt;&lt;i&gt;China Daily&lt;/i&gt; reported Monday&lt;/a&gt;. Among the equipment seized were Web servers, PCs and a car.&lt;br /&gt;&lt;br /&gt;The trio were accused of offering online tools and Trojans to launch cyberattacks--an act that was recently added to the country's criminal legislation, according to &lt;i&gt;China Daily&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;Established in 2005, the Black Hawk site is recognized by the Hubei province as the largest hacker training portal, propagating hacking techniques via online tutorials, forums and software. It has recruited over 170,000 ordinary members, and collected more than 7 million RMB (US$1 million) in membership fees from 12,000 VIP registrants.&lt;br /&gt;&lt;br /&gt;According to the provincial public security department of Hubei, the police were alerted to Black Hawk when they found its members among suspects caught for an online attack and virus dissemination case in Macheng city in 2007. 
As many as 50 police officers had been involved in the investigation, which eventually led to the arrest of the Black Hawk owners.&lt;br /&gt;&lt;br /&gt;Citing China's National Computer Network Emergency Response Coordination Center of China, &lt;i&gt;China Daily&lt;/i&gt; also said the country saw losses totaling an estimated 7.6 billion RMB (US$1.1 billion) as a result of hacking incidents last year.&lt;br /&gt;&lt;br /&gt;A blogger from F-Secure Labs welcomed news that the Black Hawk site had been brought down, noting in a &lt;a href="http://www.f-secure.com/weblog/archives/00001879.html" target="_blank"&gt;blog post&lt;/a&gt;: "Kudos to the Chinese authorities for shutting down an online hacker training operation known as the Black Hawk Safety Net."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2245419618758757970?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2245419618758757970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chinese-govt-takes-black-hawk-down.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2245419618758757970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2245419618758757970'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/chinese-govt-takes-black-hawk-down.html' title='Chinese govt takes Black Hawk down'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6684355730561689951</id><published>2010-02-09T09:36:00.000-08:00</published><updated>2010-02-09T09:36:22.169-08:00</updated><title type='text'>Hackers Put TCS Website ‘tcs.com’ On Sale!</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.topnews.in/files/Tata-Consultancy-Services_0.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="167" src="http://www.topnews.in/files/Tata-Consultancy-Services_0.jpg" width="167" /&gt;&lt;/a&gt;&lt;/div&gt;The latest news is that the official website of the country's biggest IT services company Tata Consultancy Services (TCS) 'tcs. com' has been hacked.&lt;br /&gt;&lt;br /&gt;The cyber-terrorist placed a "For Sale" message in English and French for a whole day. Moreover, the cyber-terrorists offered email identification, &lt;a href="mailto:abed_uk@hotmail.com"&gt;abed_uk@hotmail.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The hack is said to be a DNS hijack, like the cyber attack that Twitter had during the last year.&lt;br /&gt;&lt;br /&gt;DNS hijacking is the practice of making an illicit modification to a DNS server, which directs a universal resource locator to a different internet site.&lt;br /&gt;&lt;br /&gt;According to the company's representative, "The TCS website, www. tcs. com, was disrupted. Subsequently, it has been restored and is functioning fine. None of the servers were compromised. Initial investigation reveals a DNS&amp;nbsp; (Domain Name Server) redirection at the domain name registrar's end. Further investigations are on."&lt;br /&gt;The cyberpunks altered the domain name of the site to 205.178.152.154 from 216.15.200.140, re-directing the name server records of TCS's website. The cyber-terrorist had also set up a whos. 
among. us widget in order to exhibit how many visitors were on the website at any given point. &lt;br /&gt;&lt;br /&gt;According to security professionals, internet sites can easily be hacked if the Web software is not advanced.&lt;br /&gt;&lt;br /&gt;The latest episode has aroused questions regarding the level of security attentiveness TCS has, experts believe.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6684355730561689951?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6684355730561689951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/hackers-put-tcs-website-tcscom-on-sale.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6684355730561689951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6684355730561689951'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/hackers-put-tcs-website-tcscom-on-sale.html' title='Hackers Put TCS Website ‘tcs.com’ On Sale!'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8572808866566789891</id><published>2010-02-08T23:11:00.000-08:00</published><updated>2010-02-08T23:11:06.640-08:00</updated><title type='text'>New Circumventor:</title><content type='html'>&lt;a ae07da734d49a5f7="true" href="http://www.pulseface.com/" target="_blank"&gt;http://www.pulseface.com/&lt;/a&gt;&lt;br /&gt;&lt;div 
da86c6032bc6="pulseface.com" style="cursor: pointer; display: inline; height: 16px; padding-right: 16px; width: 16px;"&gt;&amp;nbsp;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;(Remember you can access it with either http:// or https:// at the beginning.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8572808866566789891?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8572808866566789891/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/new-circumventor.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8572808866566789891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8572808866566789891'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/new-circumventor.html' title='New Circumventor:'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6688001109806397830</id><published>2010-02-08T05:24:00.001-08:00</published><updated>2010-02-08T05:24:55.456-08:00</updated><title type='text'>Mozilla yanks infected add-ons, warns users</title><content type='html'>&lt;b&gt;Mozilla pulled two programs from its Firefox browser add-on site for containing malware last Friday. 
Sothink Web Video Downloader 4.0 and all versions of Master Filer were found to contain Trojan horse code aimed at Windows users.&lt;/b&gt;  &lt;br /&gt;In a &lt;a href="http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/" target="_blank"&gt;blog post&lt;/a&gt;, Mozilla stated that the Master Filer add-on was able to bypass AMO's security tests.  &lt;br /&gt;&lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62061005,00.htm" title="Barriers remain for bug bounty bait -- Friday, Feb. 05, 2010"&gt;Mozilla user CatThief&lt;/a&gt; discovered the threat, it said. And when Mozilla added two more security checks to its vetting process and rescanned its entire catalog, it discovered that version 4 of the Sothink Web Video Downloader also contained a Trojan horse program. Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose. &lt;br /&gt;Master Filer was removed from &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060619,00.htm" title="Mozilla releases second Firefox release candidate -- Tuesday, Jan. 19, 2010"&gt;Mozilla's Firefox&lt;/a&gt; add-on site on January 25, and the Sothink video downloader was removed last Tuesday. CNET Download.com ceased hosting the Sothink add-on last Friday before noon. &lt;br /&gt;Sothink Web Video Download 5.5.90819 had been a mildly popular Firefox add-on at Download.com, receiving 697 downloads in the past week and 63,716 downloads since it was first added to the site in June 2007. &lt;br /&gt;Because the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62056175,00.htm" title="Symbian admits Trojan slip-up -- Monday, Jul. 20, 2009"&gt;Trojan horse&lt;/a&gt; programs are tied to Firefox, Mozilla warns, host computers won't be infected until Firefox is started. Uninstalling either add-on is only part of the solution if the infection has already attacked the host computer. 
Mozilla recommends that users who suspect that they are infected use one of the following security applications to sweep and clean their computers after uninstalling the threatening add-on: &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Antiy-AVL&lt;/li&gt;&lt;li&gt;&lt;a href="http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html" target="_blank"&gt;Avast&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html" target="_blank"&gt;AVG&lt;/a&gt;&lt;/li&gt;&lt;li&gt;GData&lt;/li&gt;&lt;li&gt;Ikarus&lt;/li&gt;&lt;li&gt;K7 AntiVirus&lt;/li&gt;&lt;li&gt;McAfee&lt;/li&gt;&lt;li&gt;Norman&lt;/li&gt;&lt;li&gt;VBA32&lt;/li&gt;&lt;/ul&gt;Infected users should note that only Avast and AVG are free.  &lt;br /&gt;Mozilla did not immediately respond to requests for comment.</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6688001109806397830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/mozilla-yanks-infected-add-ons-warns.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6688001109806397830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6688001109806397830'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/02/mozilla-yanks-infected-add-ons-warns.html' title='Mozilla yanks infected add-ons, warns users'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2585628308514981607</id><published>2010-01-28T00:54:00.001-08:00</published><updated>2010-01-28T00:54:35.912-08:00</updated><title type='text'>Merchants lose US$649K a year to online fraud</title><content type='html'>&lt;b&gt;UK merchants say online fraud is now the greatest threat they face, costing them on average 400,000 pounds (US$648,920) in annual losses, according to a survey published on Tuesday by CyberSource.&lt;/b&gt; &lt;br /&gt;The payments processing provider's sixth annual UK Online Fraud Report found that traders lost 1.8 percent of their online revenues to scams in 2009, with an average of 1.6 orders accepted proving &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62059095,00.htm" title="Corporate bank accounts targeted in online fraud -- Wednesday, Nov. 04, 2009"&gt;to be fraudulent&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Online businesses rejected an average of 4.6 percent of orders on suspicion of being &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62059894,00.htm" title="Visa, AmEx tangled in Web scam probe -- Wednesday, Dec. 09, 2009"&gt;scams&lt;/a&gt;, a figure CyberSource said was worrying, partly because some of the rejected orders were likely to be valid. 
&lt;br /&gt;&lt;br /&gt;Read more of "&lt;a href="http://news.zdnet.co.uk/internet/0,1000000097,40005875,00.htm" target="_blank"&gt;Merchants lose £400k a year to online fraud &lt;/a&gt;" at ZDNet UK.</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2585628308514981607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/merchants-lose-us649k-year-to-online.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2585628308514981607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2585628308514981607'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/merchants-lose-us649k-year-to-online.html' title='Merchants lose US$649K a year to online fraud'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7615353562249208000</id><published>2010-01-26T06:51:00.000-08:00</published><updated>2010-01-26T06:51:14.917-08:00</updated><title type='text'>Indian Income Tax dept Server Hacked</title><content type='html'>&lt;b&gt;NEW DELHI&lt;/b&gt;: All high value income tax refunds will go through intensive checks and its software system will be revamped, after its account was hacked and Rs 11 crore (roughly $2500000) was siphoned off, the government said on Monday.&lt;br /&gt;&lt;br /&gt;At least Rs. 
11 crore of refunds were discovered to have been stolen last week by hacking into the password of some assessing officers who are responsible for crediting the refunds. The refunds were credited to fake accounts for which the returns had been filed electronically.&lt;br /&gt;&lt;br /&gt;"We have stopped the payment and have been able to prevent at least two cases. Also investigation and action has been initiated by the Directorate of Income Tax (Investigation), Mumbai to detect the bank accounts to which the refunds had been credited and the beneficiaries," the finance ministry said.&lt;br /&gt;&lt;br /&gt;All high value refunds issued during the current financial year will be checked again. "The system of handling high value refunds will be replaced with a more robust and foolproof system," the finance ministry said.&lt;br /&gt;&lt;br /&gt;Income tax refunds could get delayed, said an official. Refunds in 2009-10 have doubled from the last year at Rs 12,421 crore as many refunds were deferred. 
It was Rs 6,899 crore the previous fiscal.&lt;br /&gt;&lt;br /&gt;The investigators have identified the bank accounts, beneficiaries and some of those involved in the scam, the finance ministry claimed.&lt;br /&gt;&lt;br /&gt;Central Bureau of Investigation and the Mumbai police are looking for the beneficiaries.</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7615353562249208000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/indian-income-tax-dept-server-hacked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7615353562249208000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7615353562249208000'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/indian-income-tax-dept-server-hacked.html' title='Indian Income Tax dept Server Hacked'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1870213224902030581</id><published>2010-01-26T00:41:00.001-08:00</published><updated>2010-01-26T00:41:26.624-08:00</updated><title type='text'>Ransomware: Extortion via the Internet</title><content type='html'>&lt;strong&gt;Ransomware got its start in 1989. Back then, it was relatively ineffective. That's changing, which is bad news for us. 
&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;One of my neighbors recently experienced &lt;a href="http://en.wikipedia.org/wiki/Ransomware_%28malware%29" target="_blank"&gt;ransomware&lt;/a&gt; first hand. Up until then, he had no idea it existed. Because of that, it seems important to revisit extortion malware and explain exactly what it is and how to avoid it.&lt;br /&gt;Ransomware made its debut with a trojan called &lt;a href="http://en.wikipedia.org/wiki/PC_Cyborg_Trojan" target="_blank"&gt;PC Cyborg&lt;/a&gt;, the brainchild of Dr. Joseph Popp. The extortion begins with a vulnerable computer becoming infected. Once settled in, the malware hides all folders and encrypts file names on the C: drive. Next, a dialog box opens, proclaiming the victim needs to send PC Cyborg Corporation US$189, because the license had expired.&lt;br /&gt;Until ransom money is received and the malware's activities are reversed, the victim has a non-working computer. Thankfully, the doctor's trojan had a weakness. It encrypted the file names using symmetric cryptography. Once experts had a chance to analyze the malcode and encrypted tables, it became simple to reverse and determine who created the ransomware.&lt;br /&gt;It seems the doctor felt he was doing something worthwhile (he was eventually declared mentally unfit). At his trial, he mentioned that the ransom money was to be used for AIDS research.&lt;br /&gt;&lt;b&gt;Public key and cryptovirology&lt;/b&gt; &lt;br /&gt;In 1996, two researchers, Adam Young and Moti Yung, fixed Dr. Popp's oversight, explaining how in the paper: &lt;a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3120&amp;amp;rep=rep1&amp;amp;type=pdf" target="_blank"&gt;Cryptovirology: Extortion-Based Security Threats and Countermeasures&lt;/a&gt; (PDF). 
I believe it's also where the term &lt;a href="http://en.wikipedia.org/wiki/Cryptovirology" target="_blank"&gt;cryptovirology&lt;/a&gt; was coined.&lt;br /&gt;Young and Yung figured out how to use &lt;a href="http://en.wikipedia.org/wiki/Public-key_cryptography"&gt;public-key cryptography&lt;/a&gt; in ransomware, making reverse-engineering virtually impossible. The crypto-virus encrypts the victim's files using the malware writer's public key. The extortion comes into play when the victim is asked to pay ransom in order to obtain the private key for decrypting the files.&lt;br /&gt;&lt;b&gt;How it works&lt;/b&gt; &lt;br /&gt;Young and Yung call this type of ransomware crypto-viral extortion, giving the following definition:&lt;br /&gt;&lt;blockquote&gt;"Crypto-viral extortion, which uses public key cryptography, is a denial of resources attack. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a crypto-virus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process."&lt;/blockquote&gt;The three-round protocol is interesting. It consists of the following:&lt;br /&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;b&gt;Crypto-virus is installed&lt;/b&gt;: Using any number of techniques, usually &lt;a href="http://en.wikipedia.org/wiki/Dropper" target="_blank"&gt;drive-by dropper&lt;/a&gt; platforms, the crypto-virus gets installed on vulnerable computers. When the virus activates, it creates a symmetric key and initialization vector (IV). The crypto-virus proceeds to encrypt data files using the symmetric key and IV. After that, the crypto-virus &lt;a href="http://en.wikipedia.org/wiki/Concatenate" target="_blank"&gt;concatenates&lt;/a&gt; the IV with the symmetric key. Finally, the concatenated string is encrypted using the malware author's public key. 
With everything now in place, the crypto-virus pops open a window explaining the ransom demands to the victim.&lt;/li&gt;&lt;/ul&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;b&gt;Victim's response&lt;/b&gt;: If the victim decides to pay the ransom, there are several ways that can happen. We will look at those in a bit. The victim also has to send the encrypted concatenated string to the cybercriminal.&lt;/li&gt;&lt;/ul&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;b&gt;Attacker's response&lt;/b&gt;: The extortionist then decrypts the string using the private key, which discloses the symmetric key and IV. Finally, the extortionist sends both back to the victim, who will use them to decrypt the data files.&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Covering their tracks&lt;/b&gt; &lt;br /&gt;On their Web site, Young and Yung talk about the effort cybercriminals go through to protect themselves. They store the public and private keys on a smart card and do not personally know the bit representation of the private key:&lt;br /&gt;&lt;blockquote&gt;"Ideally, the smart card will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smart card that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key."&lt;/blockquote&gt;The Web site goes on to explain why the extortionists do this:&lt;br /&gt;&lt;blockquote&gt;"In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smart card under subpoena or warrant (competent evidence)."&lt;/blockquote&gt;&lt;b&gt;Payment techniques&lt;/b&gt;&lt;br /&gt;In the past, ransomware has not been the malware of choice. 
That's because cybercriminals are concerned about the money trail that sending ransom funds creates. I mentioned earlier that many approaches have been tried. Here are some of them:&lt;br /&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;a href="http://www.sophos.com/security/analyses/viruses-and-spyware/trojransoma.html" target="_blank"&gt;Trojan.Ransom-A&lt;/a&gt; declares that it will destroy one data file every 30 minutes unless US$10.99 is sent to a specified account via Western Union.&lt;/li&gt;&lt;/ul&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-050601-0940-99&amp;amp;tabid=2" target="_blank"&gt;Trojan.Archiveus&lt;/a&gt; is a bit more creative. The ransom note declares the decryption password will be sent if the victim purchases something from a specified Web site, typically in Russia.&lt;/li&gt;&lt;/ul&gt;&lt;ul class="unIndentedList"&gt;&lt;li&gt; Win32.Ransom uses a novel way to obtain ransom money. The crypto-virus blocks Internet access until the victim sends a premium SMS message. This approach is becoming the favored payment method.&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Example&lt;/b&gt; &lt;br /&gt;To help understand the entire process, let's look at what many consider cutting-edge ransomware. F-Secure has released information about Trojan:W32/DatCrypt. Here's how it works.&lt;br /&gt;The Trojan makes its way onto the victim's computer. After that, it gives the illusion that data files such as Office documents, music, audio, and video are corrupt, as shown in the following slide (courtesy of F-Secure):&lt;br /&gt;&lt;a href="http://www.zdnetasia.com/i/techguide/F%20Secure%20error%20Fig%20A.jpg"&gt;&lt;img alt="" class="alignnone size-full wp-image-2979" height="316" src="http://www.zdnetasia.com/i/techguide/F%20Secure%20error%20Fig%20A.jpg" style="border: 0pt none;" title="fsecure-1" width="430" /&gt;&lt;/a&gt;&lt;br /&gt;In reality, the files have been encrypted by the Trojan. 
The next message opened by DatCrypt tells the victim to download specified file repair software. Notice how the window created by the malware appears to be a message from the Security Center (courtesy of F-Secure):&lt;br /&gt;&lt;a href="http://www.zdnetasia.com/i/techguide/Windows%20File%20Protection%20Fig%20B.jpg"&gt;&lt;img alt="" class="alignnone size-full wp-image-2980" height="156" src="http://www.zdnetasia.com/i/techguide/Windows%20File%20Protection%20Fig%20B.jpg" style="border: 0pt none;" title="fsecure2" width="430" /&gt;&lt;/a&gt;&lt;br /&gt;What is actually downloaded is &lt;a href="http://www.f-secure.com/v-descs/rogue_w32_datdoc.shtml" target="_blank"&gt;Rogue:W32/DatDoc&lt;/a&gt;, malware that gives the appearance of fixing the problem. But only one file can be fixed with the free version (courtesy of F-Secure):&lt;br /&gt;&lt;a href="http://www.zdnetasia.com/i/techguide/Data%20Doctor%20Fig%20C.jpg"&gt;&lt;img alt="" class="alignnone size-full wp-image-2981" height="326" src="http://www.zdnetasia.com/i/techguide/Data%20Doctor%20Fig%20C.jpg" style="border: 0pt none;" title="fsecure3" width="430" /&gt;&lt;/a&gt;&lt;br /&gt;The attackers are trying to lull the victim into thinking the software actually works. They hope the victim will spend US$89.95 for the registered version. In reality, victims are paying ransom to get their own files back.&lt;br /&gt;&lt;b&gt;Solution&lt;/b&gt; &lt;br /&gt;There is no magic formula to avoid crypto-viral extortion. It's just malware looking for vulnerable computers to exploit. Keeping operating system and application software up-to-date, along with a decent anti-virus application, will offer protection. Also, having current backups of all important data is a good idea, just in case.&lt;br /&gt;&lt;b&gt;Final thoughts&lt;/b&gt; &lt;br /&gt;Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.&lt;br /&gt;Two thoughts immediately come to mind. 
Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won't start over again?</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1870213224902030581/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/ransomware-extortion-via-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1870213224902030581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1870213224902030581'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/ransomware-extortion-via-internet.html' title='Ransomware: Extortion via the Internet'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2705359414231228792</id><published>2010-01-26T00:35:00.001-08:00</published><updated>2010-01-26T00:35:35.290-08:00</updated><title type='text'>Scareware 'one of biggest' cyberthreats</title><content type='html'>&lt;b&gt;Even though tricking users into downloading rogue security software, or scareware, is one of the oldest tricks up cybercriminals' sleeves, it continues to be one of the biggest threats in cyberspace, noted a security expert.&lt;/b&gt;  &lt;br /&gt;In an e-mail interview with ZDNet Asia, Danny Siew, Trend Micro's senior 
director for technical support in the Asia-Pacific region, said: "Given the fact that for most of last year, and up until today, we are seeing &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058747,00.htm" title="Rogue security programs are 'ongoing threat' -- Tuesday, Oct. 20, 2009"&gt;scareware&lt;/a&gt; taking advantage of hot search trends or news or events, its presence &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053006,00.htm" title="Microsoft: Scareware, PDF exploits rise -- Thursday, Apr. 09, 2009"&gt;should be a concern&lt;/a&gt; not just in Asia but all over the world."  &lt;br /&gt;His observation is backed by findings released in December 2009 by the U.S. Federal Bureau of Investigation (FBI), which stated that aggressive scareware tactics led to an &lt;a href="http://www.ic3.gov/media/2009/091211.aspx" target="_blank"&gt;estimated loss of more than US$150 million&lt;/a&gt; to users.  &lt;br /&gt;McAfee attributed the success of scareware to social engineering. Vu Nguyen, Asia-Pacific and Japan manager for McAfee Labs' global threat response team, said many of these attacks tapped current news, such as the recent earthquake in Haiti, or specific terms to lure victims to open antivirus files. &lt;br /&gt;"Why is this successful? It is based on scare tactics to get users to react and pay the money right away," noted Nguyen in an e-mail statement. &lt;br /&gt;Trend Micro's Siew added that the traditional methods of getting Net users to download fake antivirus programs are evolving, with cybercriminals now looking to "lock up" victims' data by encrypting their files and holding it ransom until users pay to release them. This method of attack is also known as "&lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62059763,00.htm" title="5 security threats to watch in 2010 -- Wednesday, Dec. 02, 2009"&gt;ransomware&lt;/a&gt;".  
&lt;br /&gt;In a &lt;a href="http://blog.trendmicro.com/rogue-av-scams-result-in-us150m-in-losses/" target="_blank"&gt;blog post&lt;/a&gt; on the security vendor's TrendLabs Malware Blog site, Det Caraig explained that to recover these files, a user has to download a paid version of the fake antivirus program. "In reality, however, the paid version of the program fixes the problem that [was] created in the first place but only after the user has been forced to pay up," he added. &lt;br /&gt;&lt;b&gt;Evolving FAKEAV attacks&lt;/b&gt; &lt;br /&gt;One of the more common scareware currently in circulation in Asia, as well as globally, is FAKEAV. Siew said that in 2009 alone, more than 50 FAKEAV-related attacks were reported. Attack methods were initially in the form of, for example, bogus LinkedIn profiles proliferating malicious URLs that consequently led to FAKEAV downloads. &lt;br /&gt;However, over time, cybercriminals started to venture into ransomware and &lt;a href="http://www.symantec.com/connect/blogs/iframes-please-make-way-seo-poisoning" target="_blank"&gt;search engine optimization (SEO) poisoning&lt;/a&gt;, Siew noted. More recent developments also include the use of &lt;a href="http://www.google.com/trends" target="_blank"&gt;Google Trends&lt;/a&gt; and geolocation technologies that track Internet Protocol (IP) addresses, which "enabled cybercriminals to instigate more targeted and more successful attacks", he said. &lt;br /&gt;&lt;b&gt;Prevention better than cure&lt;/b&gt; &lt;br /&gt;To prevent scareware attacks, the most basic rule is still to "avoid clicking any URL and executing any file that came from someone you do not know", Siew said. "Despite this oft-repeated warning, however, people still fall prey to their own curiosity and pay the price." &lt;br /&gt;Other than encouraging users to install security software to safeguard their data, McAfee's Nguyen also advised users to use their common sense. 
"If something is too good to be true, then it probably is."</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2705359414231228792/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/scareware-one-of-biggest-cyberthreats.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2705359414231228792'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2705359414231228792'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/scareware-one-of-biggest-cyberthreats.html' title='Scareware &apos;one of biggest&apos; cyberthreats'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7103052923410364198</id><published>2010-01-18T08:54:00.001-08:00</published><updated>2010-01-18T08:54:22.718-08:00</updated><title type='text'>Google In China LIVE BLOG: Latest Updates On Google's Threat To Leave</title><content type='html'>&lt;div class="entry_body_text"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://images.huffingtonpost.com/gen/117849/thumbs/s-CHINA-large.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" 
src="http://images.huffingtonpost.com/gen/117849/thumbs/s-CHINA-large.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;i&gt;We'll be live-blogging developments pertaining to Google's recent actions in China. &lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;a href="mailto:googlechina@huffingtonpost.com"&gt;Send reactions, tips, and news here.&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;MONDAY JANUARY 18&lt;/strong&gt;&lt;/center&gt; &lt;strong&gt;8:42 AM ET: Google is probing possible inside help on its attack,&lt;/strong&gt; &lt;a href="http://news.yahoo.com/s/nm/20100118/wr_nm/us_google_china_attack"&gt;Reuters reports.&lt;/a&gt;  Reuters writes,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Google is investigating whether one or more employees may have helped facilitate a cyber-attack that the U.S. search giant said it was a victim of in mid-December, two sources told Reuters on Monday. Google, the world's most popular search engine, said last week it may pull out of the world's biggest Internet market by users after reporting it had been hit by a "sophisticated" cyber-attack on its network that resulted in theft of its intellectual property.&lt;br /&gt;The sources, who are familiar with the situation, told Reuters that the attack, which targeted people who have access to specific parts of Google networks, may have been facilitated by people working in Google China's office.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;SUNDAY JANUARY 17&lt;/strong&gt;&lt;/center&gt;&lt;br /&gt;&lt;strong&gt;9:22 PM ET: In the war against the Internet, China is 'just a skirmish,'&lt;/strong&gt; writes the &lt;a href="http://www.nytimes.com/2010/01/18/technology/internet/18global.html?partner=rss&amp;amp;emc=rss"&gt;New York Times&lt;/a&gt;.  
The New York Times warns,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;But even Google, which has benefited more than any other company from the flourishing of content online, might be unable to fight the momentum of government restrictions, despite its move in China.&lt;/blockquote&gt;&lt;center&gt;&lt;strong&gt;SATURDAY JANUARY 16&lt;/strong&gt;&lt;/center&gt;  &lt;strong&gt;7:08 AM ET: China ecommerce giant Alibaba &lt;a href="http://www.huffingtonpost.com/2010/01/18/yahoo-reckless-on-google-_n_426888.html"&gt;slams&lt;/a&gt; Yahoo's support of Google as 'reckless.'&lt;/strong&gt;&lt;br /&gt;Alibaba turned on Yahoo, one of its major shareholders, in a statement that criticized Yahoo's public support of Google's decision to stop censoring search results.&lt;br /&gt;The &lt;a href="http://www.huffingtonpost.com/2010/01/18/yahoo-reckless-on-google-_n_426888.html"&gt;AP&lt;/a&gt; reports,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Alibaba Group has communicated to Yahoo! that Yahoo's statement that it is 'aligned' with the position Google took last week was reckless given the lack of facts in evidence," Alibaba spokesman John Spelich said Saturday. 
"Alibaba doesn't share this view."&lt;/blockquote&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7103052923410364198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://hackedbychinese.blogspot.com/2010/01/google-in-china-live-blog-latest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7103052923410364198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7103052923410364198'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/google-in-china-live-blog-latest.html' title='Google In China LIVE BLOG: Latest Updates On Google&apos;s Threat To Leave'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-100482967006450562</id><published>2010-01-18T05:50:00.000-08:00</published><updated>2010-01-18T05:50:03.687-08:00</updated><title type='text'>Germany warns against using Microsoft Internet Explorer</title><content type='html'>&lt;h2&gt;The German government has warned against using Microsoft's Internet Explorer to browse the web because of security flaws. 
&lt;/h2&gt;&lt;div class="headerOne"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="byline"&gt;     By Fiona Govan &lt;br /&gt;Published: 7:00AM GMT 18 Jan 2010&lt;br /&gt;&lt;/div&gt;&lt;div class="slideshow"&gt;  &lt;div class="ssImg" style="display: block;"&gt;    &lt;img alt="Microsoft" height="288" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01459/microsoft_1459315c.jpg" width="460" /&gt;     &lt;div class="imageExtras" style="width: 460px;"&gt;      &lt;span class="caption"&gt;The German government's caution applies to versions six, seven and eight of the world's most popular browser.&lt;/span&gt;&lt;span class="credit"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;      &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;The Federal Office for Information Security (BSI) told Germans to avoid use of all versions of Explorer after a security hole led to attacks against Google and others by hackers in China. &lt;br /&gt;Microsoft admitted last week that its browser was the weak link in recent attacks by hackers who pried into e-mail accounts of human rights activists. Following the attack, Google threatened to end its operations in China. &lt;br /&gt;But Microsoft rejected the German government's warning as too strong and sought to reassure general users that the security threat was low. &lt;br /&gt;"These were not attacks against general users or consumers," said Thomas Baumgaertner, a Microsoft spokesman in Germany, adding that the attacks on Google were carried out by "highly motivated people with a very specific agenda". &lt;br /&gt;"There is no threat to the general user, consequently we do not support this warning," he said. 
&lt;br /&gt;Microsoft claims the security risk can be limited by setting the browser's    security zone to "high", although they admitted this limits    functionality and blocks many websites. &lt;br /&gt;But the BSI insisted that such measures were not sufficient and urged internet    users to use alternative browsers.  &lt;br /&gt;"Using Internet Explorer in 'secure mode,' as well as turning off Active    Scripting makes attacks more difficult, but cannot fully prevent them,"    it said in a statement. &lt;br /&gt;Microsoft is urgently working on fixing the flaw but experts fear that in the    meantime there could be a spate of attacks by copycat hackers. &lt;br /&gt;Graham Cluley, of antivirus firm Sophos, said: "The way to exploit this    flaw has now appeared on the internet, so it is quite possible that everyone    is now going to have a go. &lt;br /&gt;"We've been working with Microsoft to see if the damage can be mitigated    and we are hoping that they will release an emergency patch," Mr Cluley    said. &lt;br /&gt;"One thing that should be stressed is that every browser has its security    issues, so switching may remove this current risk but could expose you to    another." &lt;br /&gt;Last week, Microsoft said it had no plans to pull out of China, dashing hopes    the software giant would support its rival Google in its stand against    Chinese censorship of the internet.  
&lt;br /&gt;Steven Ballmer, chief executive, questioned the sudden urgency of complaints    about attempts to hack the Gmail accounts of human rights activists from    inside China.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-100482967006450562?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/100482967006450562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/germany-warns-against-using-microsoft.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/100482967006450562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/100482967006450562'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/germany-warns-against-using-microsoft.html' title='Germany warns against using Microsoft Internet Explorer'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3970398810596124999</id><published>2010-01-18T04:59:00.000-08:00</published><updated>2010-01-18T04:59:27.973-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Chinese Cyber Attack on U.S. 
Law Firm</title><content type='html'>A Los Angeles-based law firm says it's been the target of cyber attacks originating in China.&lt;br /&gt;&lt;br /&gt;Gipson Hoffman &amp;amp; Pancione is representing a software company, Cybersitter—which is suing the Chinese government over software piracy.&lt;br /&gt;&lt;br /&gt;The firm told the Wall Street Journal its attorneys started receiving Trojan emails on Monday—the day before Google announced it might withdraw from China because of cyber attacks.&lt;br /&gt;&lt;br /&gt;Attorney Gregory Fayer says the attacks came from Chinese servers, and that the firm has reported the incident to the FBI.&lt;br /&gt;&lt;embed allowfullscreen="true" bgcolor="#FFFFFF" flashvars="file=http://media.ntdtv.com/ebrief/news/20100115_ab_03_chinese_cyber_attack_on_us_law_firm.flv&amp;amp;overstretch=true&amp;amp;searchbar=false&amp;amp;image=/files/Content/20100115_AB_03_Chinese_Cyber_Attack_on_US_Law_Firm.jpg&amp;amp;autostart=false" height="345" pluginspage="http://www.macromedia.com/go/getflashplayer" src="http://english.ntdtv.com/mFlvPlayer.swf" type="application/x-shockwave-flash" width="400"&gt;&lt;/embed&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3970398810596124999?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3970398810596124999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/chinese-cyber-attack-on-us-law-firm.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3970398810596124999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3970398810596124999'/><link rel='alternate' 
type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/chinese-cyber-attack-on-us-law-firm.html' title='Chinese Cyber Attack on U.S. Law Firm'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2255909206989108758</id><published>2010-01-14T00:11:00.001-08:00</published><updated>2010-01-14T00:11:24.989-08:00</updated><title type='text'>Unpatched Adobe holes link Google and earlier attacks</title><content type='html'>&lt;b&gt;The targeted attacks on Google and more than 30 other U.S. companies late last year bear striking similarities to targeted attacks on 100 U.S. companies last summer, a security researcher familiar with the attacks said Tuesday.&lt;/b&gt;&lt;br /&gt;Last July, workers at about 100 U.S. technology companies were targeted with e-mails containing malicious PDF files that exploited a zero-day vulnerability in Adobe Reader. The attacks were detected early and there were no serious consequences, said Eli Jellenc, head of international cyberintelligence at &lt;a href="http://labs.idefense.com/" target="_blank"&gt;VeriSign iDefense&lt;/a&gt;.&lt;br /&gt;In mid-December, Google, &lt;a href="http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html" target="_blank"&gt;Adobe Systems&lt;/a&gt;, and a host of other Silicon Valley companies were targeted by attacks originating in China, prompting Google on Tuesday to say that it will stop censoring its Chinese search results and to &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060485,00.htm" title="Google warns it may pull out of China -- Wednesday, Jan. 13, 2010"&gt;threaten to pull out of that market&lt;/a&gt;. 
The latest attacks also involved malicious PDF files in e-mail attachments and the code was similar to the previous attack, Jellenc said.&lt;br /&gt;Google said the companies targeted in the attack numbered more than 20, but iDefense put the number at 34, including Google. In many of the cases, the attack was successful, Jellenc said. The attacks were targeting source code repositories, according to iDefense. &lt;br /&gt;Coincidentally, Adobe &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62060487,00.htm" title="Fixes in for Windows 2000, Adobe Reader -- Wednesday, Jan. 13, 2010"&gt;on Tuesday&lt;/a&gt; patched a zero-day vulnerability in Reader and Acrobat that was discovered in mid-December and was being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers. Jellenc said he could not say for sure whether that was the vulnerability targeted in the attacks on Google and the others. &lt;br /&gt;Reader was found to be &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62060052,00.htm" title="Firefox, Adobe top buggiest-software list -- Friday, Dec. 18, 2009"&gt;one of the buggiest programs&lt;/a&gt; in 2009 and has been the target of numerous zero-day exploits in the wild. &lt;br /&gt;The code samples obtained by iDefense from the two attacks are different but have very similar characteristics, he said. They contact two similar hosts for command-and-control communication to receive instructions from the attackers once the target machines are infected, according to iDefense. The servers used in both attacks employ the HomeLinux DynamicDNS provider and they both currently point to IP addresses owned by Linode, a U.S.-based company that offers virtual private server hosting, iDefense said. In addition, the IP addresses from both attacks are within the same subnet and they are six IP addresses apart, the company said in a statement. 
&lt;br /&gt;"Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," iDefense said.&lt;br /&gt;Jellenc said his company started helping some of the victimized companies with the investigation on Thursday night, providing information on characteristics of attacks launched by Chinese groups.&lt;br /&gt;&lt;b&gt;Examining the attacks&lt;/b&gt;&lt;br /&gt;Google noticed the malicious code in its system in mid-December and then followed it back to the drop servers and determined that other companies--including at least two financial companies and one major defense contractor--had been targeted, Jellenc said citing sources familiar with the investigation. &lt;br /&gt;Google also may have been able to see a target list of IP addresses in the code, he said. (Google has declined to provide more details about the attacks beyond what they have publicly stated.) &lt;br /&gt;The attackers stored data acquired in the attacks at Texas-based hosting provider Rackspace and had command-and-control servers based in Taiwan that are commonly used by "actors out of the People's Republic of China," he said. &lt;br /&gt;A Rackspace spokeswoman confirmed early Wednesday that a server at the company had been affected. "In this case, a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyberattack, fully cooperating with all affected parties," she said. 
The hosting company runs the servers and operating systems for its customers' Web sites, but customers run their own applications on the servers, she said.&lt;br /&gt;Jellenc said that iDefense "confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past."&lt;br /&gt;At Google, attackers not only wanted intellectual property, but they tried to access Gmail accounts of Chinese human rights activists, Google said. Only two Gmail accounts appear to have been accessed and only limited account information, and not e-mail contents, was visible, according to Google. In addition, accounts of dozens of Gmail users in the United States, China, and Europe who advocate human rights were accessed routinely by third parties, probably via phishing or malware located on the user's computer, Google said. &lt;br /&gt;While attacks can be traced back to a country of origin, it's very difficult to prove that it was the work of a government agency, said John Bumgarner, chief technology officer of the &lt;a href="http://www.usccu.us/" target="_blank"&gt;U.S. Cyber Consequences Unit&lt;/a&gt;, which does independent research for the U.S. government.&lt;br /&gt;The latest attacks are just the latest in a series of attacks from China on nonmilitary Web sites, according to Alan Paller, director of research at the &lt;a href="http://www.sans.org/" target="_blank"&gt;SANS Institute&lt;/a&gt;. In November 2007, U.K. and U.S. companies doing business in China were targeted for proprietary information, he said. And in May 2008, Chinese entities hacked into organizations working for freedom in Tibet, he said. &lt;br /&gt;"The interesting thing about this is somebody big is fighting back," Paller said. 
&lt;br /&gt;These types of attacks happen every day, said George Kurtz, chief technology officer at McAfee. "What we're seeing is really the tip of the iceberg," he said. "This is going to be bigger than originally anticipated."&lt;br /&gt;Jellenc and other security experts said they did not believe the targeted attacks were at all related to an &lt;a href="http://www.cbsnews.com/stories/2010/01/12/tech/main6087757.shtml" target="_blank"&gt;attack Tuesday on Baidu&lt;/a&gt;, China's largest search provider. In that attack, visitors to the Baidu site were re-directed to a site where a group calling itself the "Iranian Cyber Army" claimed responsibility for the attack. The same group had taken credit for a &lt;a href="http://news.cnet.com/8301-1023_3-10418140-93.html" target="_blank" title="Twitter hijacked by 'Iranian Cyber Army' -- Thursday, Dec 17, 2009"&gt;similar attack on Twitter last month&lt;/a&gt;. &lt;br /&gt;Dan Kaminsky, director of penetration testing at &lt;a href="http://www.ioactive.com/" target="_blank"&gt;IOActive&lt;/a&gt; whose research has &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62044684,00.htm" title="Kaminsky reveals details and extent of DNS flaw -- Tuesday, Jul. 08, 2008"&gt;helped improve the security of the Internet infrastructure&lt;/a&gt;, predicted the attacks would prompt references to a Digital Pearl Harbor.&lt;br /&gt;"I don't know how accurate or how fair that is but certainly something of note has occurred that has not occurred in previous years," he said. &lt;br /&gt;"I think everybody is surprised by the utterly unambiguous response," Kaminsky added. 
"This definitely is 'shot heard round the world' territory, at least in our [security] community."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2255909206989108758?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2255909206989108758/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/unpatched-adobe-holes-link-google-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2255909206989108758'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2255909206989108758'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/unpatched-adobe-holes-link-google-and.html' title='Unpatched Adobe holes link Google and earlier attacks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-9164027885892338506</id><published>2010-01-14T00:09:00.002-08:00</published><updated>2010-01-14T00:09:49.040-08:00</updated><title type='text'>Microsoft, Yahoo to follow Google's lead in China?</title><content type='html'>&lt;div id="story"&gt;   &lt;b&gt;Now that Google has said it will stop censoring search results on its Chinese Web site, a key question is whether rivals Yahoo and Microsoft will do the same.&lt;/b&gt; &lt;br /&gt;In the wake of a major cyberattack last month, Google said Tuesday that it will &lt;a href="http://www.zdnetasia.com/8301-30684_3-10433538-265.html" 
title="Google to stop censoring in China, may pull out -- Tuesday, Jan 12, 2010"&gt;no longer censor its Google.cn site&lt;/a&gt; and may pull out of China entirely. &lt;br /&gt;"We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all," Google said in a &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,62060485,00.htm" title="Google warns it may exit China over censorship -- Wednesday, Jan. 13, 2010"&gt;blog posting&lt;/a&gt;. "We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China." &lt;br /&gt;If Google were to pull out, it could offer an opportunity for Yahoo and Microsoft to gain share in a huge market if they are willing to continue censoring their sites. &lt;br /&gt;At the same time, doing so would likely subject either company to enormous bad publicity and a potential backlash elsewhere. Historically, the companies have all justified their moves by saying they are necessary to do business in China and argued that engagement is better than isolation. &lt;br /&gt;We've asked both Yahoo and Microsoft to comment on whether they plan to change policy and will update as soon as we get a response. We're also checking whether Google's move will have any impact at Baidu--the leading search site in China. &lt;br /&gt;And, speaking of Baidu, some are already posting their two cents on Twitter, suggesting that it is Baidu's domination of Google in China, as opposed to the censorship issue, that would be behind any pullout. I don't know the economics of the China search market that well, but it would seem to me that even a distant No. 2 spot in such a huge market would be worth keeping, all things being equal. 
&lt;br /&gt;As for Microsoft's other online businesses in China, the company has about 8 million Hotmail accounts in China, although none of the data is stored there, according to a source familiar with the company's operations. &lt;br /&gt;Microsoft came under fire in 2006 after &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,39302927,00.htm" title="Microsoft censors Chinese blogger -- Thursday, Jan. 05, 2006"&gt;censoring some blogs posted to MSN Spaces&lt;/a&gt;. At the time, general counsel Brad Smith &lt;a href="http://www.zdnetasia.com/news/internet/0,39044908,39309015,00.htm" title="Microsoft clarifies policy on censoring blogs -- Wednesday, Feb. 01, 2006"&gt;defended Microsoft's actions&lt;/a&gt;. &lt;br /&gt;"We certainly think it is better for us to be present around the world rather than not," Smith said. "I emphatically think it is good for us to be offering these services. Part of being present is the obligation to comply with local law." &lt;br /&gt;What do you think Microsoft and Yahoo should do? And, is Google pulling out over morals or market share? 
&lt;br /&gt;&lt;br clear="all" /&gt;   &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-9164027885892338506?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/9164027885892338506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/microsoft-yahoo-to-follow-googles-lead.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9164027885892338506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9164027885892338506'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/microsoft-yahoo-to-follow-googles-lead.html' title='Microsoft, Yahoo to follow Google&apos;s lead in China?'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8319239412150959883</id><published>2010-01-14T00:09:00.000-08:00</published><updated>2010-01-14T00:09:00.015-08:00</updated><title type='text'>More firms securing mobiles with software</title><content type='html'>&lt;b&gt;The number of protected corporate mobile devices will more than triple over the next four years, jumping from 5.6 percent in 2008 to 18.6 percent in 2014, a new study has found.&lt;/b&gt;  &lt;br /&gt;In a &lt;a href="http://www.juniperresearch.com/shop/viewpressrelease.php?pr=172" target="_blank"&gt;statement Tuesday&lt;/a&gt;, Juniper Research said the number of handsets installed with 
third-party security software will reach 77.7 million in four years. The findings were newly extracted from a report it released at the end of last year.&lt;br /&gt;The growth will take place despite the lack of an &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62042793,00.htm" title="Mobile threat still low, but will grow -- Tuesday, Jun. 17, 2008"&gt;anticipated flood of malware&lt;/a&gt; targeting mobile platforms, the research analyst noted.&lt;br /&gt;"Improvements to the underlying security of the mobile operating system, shorter replacement cycles and concerted efforts by the mobile industry to avoid the problems seen in the PC world, have so far kept the malware threat to the mobile device at bay," Anthony Cox, senior analyst at Juniper Research, said in the statement.&lt;br /&gt;The report attributed the uptake of mobile security tools to the increasing value of information held on mobile devices. The research firm added that mobile security adoption is highest in Europe, followed by the United States, China and Southeast Asia.&lt;br /&gt;Data protection legislation in Western markets was a significant driver for enterprise mobile device protection, according to Juniper Research. In a whitepaper, it cited a law in Massachusetts that mandates any enterprise conducting business with those within the U.S. state must use encryption to protect confidential information stored on handhelds and laptops, or transmitted wirelessly on public networks.&lt;br /&gt;A &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62039840,00.htm" title="Asian firms not securing mobile devices well -- Friday, Apr. 04, 2008"&gt;study released last year by Symantec&lt;/a&gt; found that about one in five respondents in Asia did not have mobile antivirus software on their corporate handsets.&lt;br /&gt;Juniper Research estimates that overall corporate IT security revenues will reach US$16.4 billion globally by 2014. 
Encryption is set to grow 26 percent to US$4.3 billion in the same period.&lt;br /&gt;F-Secure's regional director for Southeast Asia, James Tan, concurred with Juniper Research's findings. In response to e-mail queries from ZDNet Asia, Tan noted that the company's mobile security offering, which enables users to lock down their devices, wipe them clean as well as back up data on the mobile phones, has been generating "much" interest from consumers and operators.&lt;br /&gt;"Certainly in recent times, more and more mobile operators in this region have been approaching F-Secure to explore mobile security solutions as a service offering to subscribers, and also to seek out solutions to overcome network issues [experienced] as a result of 'corrupt' traffic," he said. "From a competitive perspective, we are also experiencing more and more mobile protection offerings entering the market from both established and new applications vendors."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8319239412150959883?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8319239412150959883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/more-firms-securing-mobiles-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8319239412150959883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8319239412150959883'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2010/01/more-firms-securing-mobiles-with.html' title='More firms securing mobiles with 
software'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1900551662351352896</id><published>2009-12-23T01:19:00.001-08:00</published><updated>2009-12-23T01:19:35.800-08:00</updated><title type='text'>China Expands Internet Controls: Register Or Be Blocked</title><content type='html'>&lt;div class="entry_body_text"&gt;                                                   BEIJING — China has issued new regulations that expand its Internet controls by tightening procedures for domain name registration.&lt;br /&gt;The Ministry of Industry and Information Technology posted the new rules over the weekend, part of a three-phase plan to target what it called pornography accessible through cell phones.&lt;br /&gt;The regulations require telecom companies and Internet service providers to carry out "complete and thorough" checks to determine if Web sites are officially registered. Any Web sites that have not registered with the ministry should be taken off the Internet, the order says.&lt;br /&gt;But the new rules have the potential to freeze out thousands of legitimate Web sites by creating a pre-approved "whitelist" of sites.&lt;br /&gt;It also tightens the registration process for domain names. 
Any service provider must have a business license and the Web site itself must also have a business license or be registered – which would appear to prohibit sites set up by individuals.&lt;br /&gt;It was unclear if the new rules would apply to foreign Web sites, though many sites have already been blocked by China's Internet authorities, including YouTube, Facebook, Twitter and a host of other media and news Web sites.&lt;br /&gt;Beijing's pervasive policing of cyberspace and attempts to block the Internet – among the world's most stringent – are often referred to as the "Great Firewall of China."&lt;br /&gt;The communist government says the main targets of its Web censorship are pornography, gambling and other sites deemed harmful to society. Critics, however, say that often acts as cover for detecting and blocking sensitive political content.&lt;br /&gt;Earlier this year, China had backed down from a requirement for new computers to be loaded with a controversial Internet-filtering software known as Green Dam Youth Escort after a major outcry from Chinese citizens and computer companies. 
That software had also been introduced as a filter against porn.&lt;br /&gt;___________&lt;br /&gt;On the Net:  (in Chinese) &lt;a href="http://www.miit.gov.cn/"&gt;http://www.miit.gov.cn&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1900551662351352896?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1900551662351352896/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/china-expands-internet-controls.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1900551662351352896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1900551662351352896'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/china-expands-internet-controls.html' title='China Expands Internet Controls: Register Or Be Blocked'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7106170741860982476</id><published>2009-12-15T09:09:00.001-08:00</published><updated>2009-12-15T09:09:49.566-08:00</updated><title type='text'>Hackers Brew Self-Destruct Code to Counter Police Forensics</title><content type='html'>&lt;div class="entry"&gt;     &lt;a 
href="http://www.wired.com/images_blogs/threatlevel/2009/12/cup-o-joe.jpg"&gt;&lt;img alt="cup-o-joe" class="alignright size-full wp-image-12006" height="500" src="http://www.wired.com/images_blogs/threatlevel/2009/12/cup-o-joe.jpg" title="cup-o-joe" width="335" /&gt;&lt;/a&gt;&lt;br /&gt;Hackers have released an application designed to thwart a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive during a raid.&lt;br /&gt;The hacker tool, dubbed &lt;a href="http://www.decafme.org/"&gt;DECAF&lt;/a&gt;, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE. The latter is &lt;a href="http://www.wired.com/threatlevel/2008/04/microsoft-gives/"&gt;a suite of 150 bundled, off-the-shelf forensic tools&lt;/a&gt; that run from a script. Microsoft combined the programs into a portable tool that can be used by law enforcement agents in the field before they bring a computer back to their forensic lab. The script runs on a USB stick that agents plug into the machine.&lt;br /&gt;The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded.&lt;br /&gt;Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice 
to the site. The tool was also being distributed through the BitTorrent file-sharing network.&lt;br /&gt;This week two unnamed hackers &lt;a href="http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/"&gt;released DECAF&lt;/a&gt;, an application that monitors a computer for any signs that COFEE is operating on the machine.&lt;br /&gt;According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.&lt;br /&gt;The hackers say that later releases of the program will allow computer owners to remotely lock down their machine once they detect that it has fallen into law enforcement hands. The hackers, however, have not released source code for the program; releasing it would make it easy for anyone to see whether the program contains malware that might also harm a computer or allow the attackers to take control of it.&lt;br /&gt;Update: The developers of DECAF have taken issue with Threat Level referring to them as hackers. “We’re just two developers who support the free flow of information and privacy,” one of them wrote Threat Level in an anonymous e-mail. 
“You could say we’re just average joes.”&lt;br /&gt;&lt;em&gt;Photo: &lt;a href="http://www.flickr.com/photos/jimforest/3324893626/"&gt;Jim Forest&lt;/a&gt;/Flickr&lt;/em&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7106170741860982476?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7106170741860982476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/hackers-brew-self-destruct-code-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7106170741860982476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7106170741860982476'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/hackers-brew-self-destruct-code-to.html' title='Hackers Brew Self-Destruct Code to Counter Police Forensics'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2304637168512859271</id><published>2009-12-15T09:08:00.001-08:00</published><updated>2009-12-15T09:08:50.628-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='google'/><title type='text'>Google's reCAPTCHA busted by new attack</title><content type='html'>&lt;div class="standfirst"&gt;&lt;b&gt;Significant success rate&lt;/b&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="byline"&gt;By &lt;a 
href="http://forms.theregister.co.uk/mail_author/?story_url=/2009/12/14/google_recaptcha_busted/" title="Send email to the author"&gt;Dan Goodin in San Francisco&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div id="body"&gt;A security researcher has devised a successful attack on a Google-owned system for blocking malicious scripts on web-based email services and other types of sites.&lt;br /&gt;&lt;br /&gt;The attack, described in a paper released Saturday, uses a combination of OCR, or optical character recognition, techniques and other methods to break reCAPTCHA, a widely used security measure &lt;a href="http://www.theregister.co.uk/2009/09/16/google_acquires_recaptcha/"&gt;acquired by Google&lt;/a&gt; in September. Short for Completely Automated Public Turing test to tell Computers and Humans Apart, the CAPTCHA is designed to block automated scripts from carrying out certain tasks by first requiring users to solve optical puzzles that aren't easily cracked by computers.&lt;br /&gt;Jonathan Wilkins of iSEC Partners said the method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day, he said.&lt;br /&gt;"Given this, the attacker doesn't have to rebuild a complete set of solutions, just enough to get this minimal success rate," Wilkins wrote.&lt;br /&gt;A Google spokesman said the data in the report was collected in early 2008 and didn't reflect enhancements made to reCAPTCHA since then.&lt;br /&gt;"Therefore, this study does not reflect the effectiveness of reCAPTCHA's current technology against machine solvers," the spokesman wrote in an email. "We've found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we've received very positive feedback from customers."&lt;br /&gt;ReCAPTCHA is employed on a variety of websites when visitors want to create accounts or carry out other actions that are often exploited by malicious scripts. It presents users with two words scanned from text books, one that is recognized by OCR software and one that is not. Presentation is manipulated by warping the letters and adding lines. 
The result is text that is easy for humans to recognize but difficult for computer programs to parse.&lt;br /&gt;One of reCAPTCHA's biggest weaknesses is that it uses English words that are usually found in a dictionary, giving crackers a readily available way to check the accuracy of their guesses. Also diluting its effectiveness, the system accepts "off-by-one" errors such as "lone" instead of "tone." Wilkins also found that the lines added to confuse OCR methods were easily eliminated using processes known as erode and dilate.&lt;br /&gt;A technique known as separation was also key in breaking optical puzzles into their individual letters.&lt;br /&gt;"Running against 200 challenges, this method solved 10 correctly. A success rate of 5 percent," Wilkins wrote. "It further got one word correct in 25 other cases. If we presume that in half of the cases the failed word would be the unknown word for reCAPTCHA, this gives us a total success rate of 17.5 percent."&lt;br /&gt;ReCAPTCHA was designed by researchers from Carnegie Mellon University as a way to solve two problems at once - scanning books more accurately and preventing automated scripts from wreaking havoc on public websites. Scanned words that are unrecognizable by OCR software are included in the puzzles, along with a word that is known. If a user correctly types in the known word, reCAPTCHA assumes the entry for the unknown word is also correct.&lt;br /&gt;Google has said it plans to apply the system to its ambitious book-scanning project that has come under criticism by some scholars and publishers. A PDF of Wilkins' paper is &lt;a href="http://bitland.net/captcha.pdf" target="_blank"&gt;here&lt;/a&gt;. 
®&lt;br /&gt;&lt;i&gt;This article was updated to add comment from Google.&lt;/i&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2304637168512859271?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2304637168512859271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/googles-recaptcha-busted-by-new-attack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2304637168512859271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2304637168512859271'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/googles-recaptcha-busted-by-new-attack.html' title='Google&apos;s reCAPTCHA busted by new attack'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4951768390337491092</id><published>2009-12-11T10:58:00.000-08:00</published><updated>2009-12-11T10:58:46.394-08:00</updated><title type='text'>7 Most hacked software of 2009</title><content type='html'>&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="7 Most hacked software of 2009" border="0" 
src="http://infotech.indiatimes.com/photo/5326725.cms" title="7 Most hacked software of 2009" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt; &lt;br /&gt;Which software tops hackers' hit list? Which applications are most vulnerable and are the potential targets of scammers and hackers looking to install malicious code on your PC?&lt;br /&gt;&lt;br /&gt;Forbes recently released 2009's 'Most-Hacked Software' list. The list names the software and applications that were the biggest targets of hacker attacks in 2009: the software used most by hackers and other cyber criminals to sneak into your system and cause havoc. 
&lt;br /&gt;&lt;br /&gt;Here are the 7 most hacked software products of 2009.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Adobe Reader&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Adobe Reader" border="0" src="http://infotech.indiatimes.com/photo/5326724.cms" title="Adobe Reader" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;This year's most hacked software belongs to (no, not Microsoft) Adobe. Adobe Inc's popular Adobe Reader is the most hacked software of the year. 
Security firm iDefense reportedly tracked as many as 45 bugs in the Adobe Reader programme this year. The number is up from 14 in 2008 and seven in 2007. &lt;br /&gt;&lt;br /&gt;Security experts feel that Reader being a universally used programme makes it highly vulnerable. Also, its complex code base offers a high risk of flaws.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Internet Explorer&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Internet Explorer" border="0" src="http://infotech.indiatimes.com/photo/5326723.cms" title="Internet Explorer" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" 
valign="top" width="100%"&gt;At No. 2 on the Most Hacked Software list is Microsoft's Internet Explorer. It is little surprise that the browser with the majority market share (almost 65%) is high on hackers' and scammers' target lists. According to the news report, IE's complex code base with no shortage of bugs helps hackers. &lt;br /&gt;&lt;br /&gt;Security researchers found 30 bugs in IE this year, almost the same number as last year and way down from 49 found in 2007.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Mozilla Firefox&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Mozilla Firefox" border="0" src="http://infotech.indiatimes.com/photo/5326720.cms" title="Mozilla Firefox" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;The open source browser Mozilla Firefox is 2009's third Most Hacked Software. The closest rival to Internet Explorer, with approximately 25% market share, it recorded an increase in vulnerabilities this year. &lt;br /&gt;&lt;br /&gt;Researchers and cybercriminals found as many as 102 bugs in Firefox this year, an increase of 12 bugs vis-à-vis last year's 90 bugs. Wondering what makes it more vulnerable than IE, which showed 30 bugs? Remember, the two cannot be compared directly as Firefox is an open-source programme and Mozilla publicly reveals all its bug finds.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Adobe Flash&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Adobe Flash" border="0" src="http://infotech.indiatimes.com/photo/5326717.cms" title="Adobe Flash" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;At No. 4 on the Most Hacked Software list is Adobe's popular design software Flash, commonly used for viewing animations and movies. The report found 11 vulnerabilities in the programme this year, down 8 from 19 last year. &lt;br /&gt;&lt;br /&gt;According to the report, the vulnerabilities pose a potential danger as the software used for viewing videos and animation requires no interaction with the user to infect the machine with malicious software.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Apple Quicktime&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Apple Quicktime" border="0" src="http://infotech.indiatimes.com/photo/5326710.cms" title="Apple Quicktime" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;Next on the hit-list of hackers is Apple Quicktime, a multimedia framework used for handling various formats of digital video, media clips, sound, text, animation and music. Though Apple talks about immunity from bugs in its machines, security experts feel that its relative security comes from its low market share and not careful coding. &lt;br /&gt;&lt;br /&gt;According to the report, 26 bugs were found in Quicktime in 2009, down 10 from 36 found in 2008. The number looks high compared with the mere 3 found in Windows Media Player.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Microsoft Office&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Microsoft Office" border="0" src="http://infotech.indiatimes.com/photo/5326706.cms" title="Microsoft Office" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;At No. 6 is another Microsoft product, Microsoft Office. 
iDefense tracked 41 bugs in Microsoft's popular suite of apps in 2009, down from 44 in 2008. According to the report, hackers often use Microsoft Office files such as PowerPoint, Excel or Word documents to plant malicious code.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td align="left" class="contentboxhead3" colspan="2" style="padding-bottom: 10px;"&gt;Windows&lt;br /&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td style="padding: 0px 10px 10px 0px;" valign="top" width="300"&gt;&lt;img alt="Windows" border="0" src="http://infotech.indiatimes.com/photo/5326701.cms" title="Windows" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td valign="top" width="410"&gt;&lt;table cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;td class="normtxt" colspan="2" height="250" style="padding-top: 7px;" valign="top" width="100%"&gt;Another Microsoft product is at No. 7 on the Most Hacked Software list. 
The company's Windows-based operating system continues to be high on hackers' radar. Experts believe that the fact that Windows vulnerabilities can be exploited without a user actually doing anything makes the software hacker-prone. &lt;br /&gt;&lt;br /&gt;For example, the Conficker worm spread to over 7 million PCs last year without requiring a user to visit a website, open an attachment or actually do anything else, other than just leave their computers running.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4951768390337491092?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4951768390337491092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/7-most-hacked-software-of-2009.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4951768390337491092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4951768390337491092'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/7-most-hacked-software-of-2009.html' title='7 Most hacked software of 2009'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5354049505857778470</id><published>2009-12-10T22:25:00.001-08:00</published><updated>2009-12-10T22:25:10.713-08:00</updated><title 
type='text'>Security firms dismiss English shellcode threat</title><content type='html'>&lt;div id="story"&gt;   &lt;b&gt;IT security experts have dismissed a research paper warning about malware that can be hidden within what appears to be plain English prose, noting that this threat is nothing new. &lt;/b&gt;&lt;br /&gt;In a recent report titled "&lt;a href="http://www.cs.jhu.edu/%7Esam/ccs243-mason.pdf" target="_blank"&gt;English Shellcode&lt;/a&gt;", the four authors wrote that their ability to automatically generate such code debunked "the common belief that components of polymorphic shellcode cannot reliably be hidden".&lt;br /&gt;Shellcode, which refers to a set of machine instructions that acts as the payload of an exploit, is typically different from non-executable data such as plain text. &lt;br /&gt;The researchers, the majority of whom hail from academic backgrounds, said shellcode, on the contrary, can be disguised as pseudo English language spam as some ASCII character strings and native machine instructions "have identical byte representations".&lt;br /&gt;Security experts, however, told ZDNet Asia that the threat is not new and unlikely to make much of an impact on the security landscape.&lt;br /&gt;Paul Ducklin, Asia-Pacific head of technology at Sophos, pointed out that "producing printable-yet-executable machine code isn't something new" and is similar to the &lt;a href="http://www.eicar.org/anti_virus_test_file.htm" target="_blank"&gt;Eicar&lt;/a&gt; (European Institute for Computer Antivirus Research) test file, which was created 20 years ago to validate the operation of antivirus software.&lt;br /&gt;According to Ducklin, all shellcode can be hard to detect "not so much because of how it's encoded--whether as unobfuscated Intel instructions, Java bytecode or broken English--but because it can crop up at unexpected locations in malicious files".&lt;br /&gt;"Shellcode is almost always in a part of a file that shouldn't need to be scanned at 
all," he explained. "So the complexity of detecting shellcode is almost always in how you take potentially dangerous files apart in the first place, rather than how you scan the taken-apart file for threats."&lt;br /&gt;Effective antivirus tools are able to locate malicious or unwanted machine code embedded in a "possibly enormous" program consisting almost entirely of machine code, said Ducklin. "This, in my opinion, is a much trickier problem than detecting 'English' shellcode," he noted. &lt;br /&gt;"Since we are already facing up to and dealing with a problem tougher than that of detecting 'English' shellcode, I don't think anyone needs to be worried by this new report.&lt;br /&gt;"In short, I am afraid to have to say to the U.S. academics who wrote this paper, 'Guys, you've got too much time on your hands'," mused Ducklin.&lt;br /&gt;Vitaly Kamluk, director of research at Kaspersky Lab, concurred that the report is unlikely to have an impact on the security landscape. "It is not a new type of threat, just a variation of an existing one," he pointed out.&lt;br /&gt;Kamluk added that churning out such code is an extremely laborious task, and therefore, will not attract much attention from cybercriminals. "The complexity of this type of code is tremendous and the probable return is small," he said.&lt;br /&gt;Ronnie Ng, Symantec's systems engineering manager for Singapore, added that issues associated with the technique made it "very unlikely to be practical and used in the wild".&lt;br /&gt;Ng explained: "First, even if the sentence represents some machine code on a byte level, it will not be executed unless it is loaded and processed by the CPU as actual executable code. Otherwise, if the CPU understands the bytes simply as a representation of characters, it will just attempt to display the code as characters and no damage is actually executed. 
&lt;br /&gt;"The other challenge is trying to find the words or word sequences that would execute what the attacker wants it to do… It would take a fair amount of computing power to find such strings."&lt;br /&gt;Cybercriminals, he noted, generally target low-hanging fruit and more popular technologies so they are more likely to focus on methods that can produce maximum results with minimum effort.&lt;br /&gt;&lt;b&gt;Evolving security landscape&lt;/b&gt;&lt;br /&gt;Danny Siew, Trend Micro's Asia-Pacific senior director for technical support, said the latest research is a reminder that users need to be adequately protected as the security landscape is constantly evolving and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054017,00.htm" title="Viruses now penetrating deeper -- Wednesday, May 13, 2009"&gt;threats increasingly sophisticated&lt;/a&gt;.&lt;br /&gt;"The major issue [here] is, at a single glance, it is hard to tell if a 'package' is malicious or not," he pointed out. "The creation and subsequent delivery of these threats underscore the need for users to employ a holistic, multilayered solution that protects them from the cloud to the endpoint."&lt;br /&gt;Symantec's Ng added: "One thing is resoundingly clear: basic security protection is not good enough. An inflection point has been reached where &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058931,00.htm" title="Web-based malware infections rise rapidly, stats show -- Wednesday, Oct. 28, 2009"&gt;new malicious programs&lt;/a&gt; are being created at a higher rate than good programs."&lt;br /&gt;The variety and sophistication of threats are rendering traditional approaches to antivirus ineffective, he said. 
Instead of focusing solely on analyzing malware, security software scans software files using methods such as whitelisting and reputation-based security.&lt;br /&gt;A co-author of the paper did not respond to e-mail queries from ZDNet Asia.&lt;br /&gt;&lt;br clear="all" /&gt;   &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5354049505857778470?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5354049505857778470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/security-firms-dismiss-english.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5354049505857778470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5354049505857778470'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/security-firms-dismiss-english.html' title='Security firms dismiss English shellcode threat'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-9190658679170547442</id><published>2009-12-09T08:39:00.001-08:00</published><updated>2009-12-09T08:39:20.435-08:00</updated><title type='text'>Scam Shopping Websites Shut After Major Swoop</title><content type='html'>&lt;h2&gt;Police have been involved in a massive operation to close down hundreds of illegal internet shopping sites, Sky News can confirm.&lt;/h2&gt;
Over recent weeks, officers from the Metropolitan Police e-Crime Unit have been working to identify more than 1,200 scam websites, which claimed to offer designer goods, jewellery and electronic items.&lt;br /&gt;In reality, customers either received nothing, or were sent counterfeit products.&lt;br /&gt;It is thought many thousands of people may have been caught up in the scam, which is believed to have netted organised criminal networks millions of pounds.&lt;br /&gt;The officer in charge of the operation, Detective Superintendent Charlie McMurdie, told Sky News: "Fraudsters target the victim's desire to buy designer goods at reduced prices, particularly at this time of year.&lt;br /&gt;"The risk begins when your desire to purchase blinds your judgement or leads you to illegal websites.
If it looks too good to be true, it probably is."&lt;br /&gt;Victims also ran the risk of the criminals stealing their identity, credit card and banking details for misuse elsewhere.&lt;br /&gt;All of the sites involved had UK domain names, but the vast majority of them were based in the Far East.&lt;br /&gt;Detectives worked closely with the internet registry body Nominet, which is responsible for issuing UK domain names to more than seven million companies and organisations.&lt;br /&gt;&lt;cut&gt;&lt;/cut&gt;&lt;br /&gt;&lt;div class="articleSquareImage"&gt;    &lt;img alt="180-online-shopping" src="http://news.sky.com/sky-news/content/StaticFile/jpg/2008/Aug/Week3/15082232.jpg" /&gt;  &lt;div class="imageCaption"&gt;Over 1,200 sites have been closed&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;Lesley Cowley, chief executive, said: "We received clear instructions from the police to take down the .co.uk domain names, which have been under investigation for criminal activity.&lt;br /&gt;"We worked closely with the police and our registrars to quickly carry out the instruction to shut down access to these sites.&lt;br /&gt;"The vast majority of .co.uk domains are legitimate, but where there are investigations about improper or illegal activity, we work with law enforcement bodies such as the Metropolitan Police to help identify and then limit the number of illegal or fake websites."&lt;br /&gt;Sky News has been told that Consumer Direct, Trading Standards, the Office of Fair Trading and many manufacturers also helped to identify the fraudulent web sites.&lt;br /&gt;The operation concentrated on sites selling a number of designer items - including Ugg Australia Boots, GHD hair straighteners, and jewellery from Tiffany &amp;amp; Co and Links of London.&lt;br /&gt;Because the vast majority of the sites were registered from Asia and mostly used false or misleading details, it made it almost impossible for victims to complain about poor quality, counterfeited items or goods not 
received.&lt;br /&gt;It also made it difficult for Trading Standards or other law enforcement agencies to take action.&lt;br /&gt;The operation is particularly pertinent now, as this time of year sees a massive increase in the number of people using internet shopping sites to purchase Christmas gifts.&lt;br /&gt;However, the many thousands already caught out by the scam websites have virtually no hope of getting their money back.&lt;br /&gt;Commenting on the news, Consumer minister Kevin Brennan added: "Scam websites cost the UK consumer and the UK economy thousands of pounds each year.&lt;br /&gt;"These sorts of website prey on consumers and, as you can see from the work of the Metropolitan police today, all agencies involved are working hard to make sure that this sort of con is stamped out.&lt;br /&gt;"We already have 'scambusters' teams throughout the country and, as we announced earlier this year, we are planning to set up new internet enforcement teams to target online scams in order to protect consumers."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-9190658679170547442?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/9190658679170547442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/scam-shopping-websites-shut-after-major.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9190658679170547442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9190658679170547442'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/scam-shopping-websites-shut-after-major.html' title='Scam
Shopping Websites Shut After Major Swoop'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5049332105290217138</id><published>2009-12-03T08:31:00.000-08:00</published><updated>2009-12-03T08:31:20.869-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Avast'/><title type='text'>Avast false positive: Update</title><content type='html'>&lt;a href="http://imagegallery.taragana.com/images/tgn/2009/12/03/avast_60913_M.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="Re: avast antivirus" border="0" height="200" src="http://imagegallery.taragana.com/images/tgn/2009/12/03/avast_60913_M.jpg" title="Re: avast antivirus" width="210" /&gt;&lt;/a&gt;An Avast false positive was wreaking havoc on developers when we caught up with it.&amp;nbsp; Avast had started detecting all binaries created with Delphi as malware. Developers working on Delphi apps were the first to encounter the anomaly. Initially this looked like an isolated incident, but it gradually spread like wildfire. Avast's user forum was flooded with threads reporting Avast false positives, which drew a broader picture of the problem. It resembles the SNAFU that hit iTunes a few months ago, which disrupted iTunes after an update.
That problem was quickly fixed, and the same was true for Avast.&lt;br /&gt;If you are one of the victims of the Win32:Delf-MZG false positive, run a manual update and check that the new bits are available.&amp;nbsp; As of now, the Avast! web forum reports that the Win32:Delf-MZG false positive was fixed in the latest VPS update, 091203-1.&lt;br /&gt;&lt;h2&gt;Update&lt;/h2&gt;For Avast's statement on the false positive issue, see this &lt;a href="http://forum.avast.com/index.php?PHPSESSID=1ffcdde4397ec363769b9c538b7f5e28&amp;amp;topic=51647" target="_blank"&gt;update&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5049332105290217138?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5049332105290217138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/avast-false-positive-update.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5049332105290217138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5049332105290217138'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/avast-false-positive-update.html' title='Avast false positive: Update'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1533610442091686606</id><published>2009-12-03T04:16:00.001-08:00</published><updated>2009-12-03T04:16:20.621-08:00</updated><title type='text'>5 security threats to watch in 2010</title><content type='html'>&amp;nbsp;&lt;b&gt;Everyday Internet users will be a key target for cybercriminals looking to get people to download their malware, while the proliferation of social sites such as Facebook and Twitter will lead to an increase in possible fraud cases, reported Symantec.&lt;/b&gt;  &lt;br /&gt;At a media gathering Wednesday, the security vendor released a report outlining security threats enterprises and consumers should be mindful of in 2010. Of these, the security risk faced by everyday Internet users is likely to increase as criminals look to trick people into &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053840,00.htm" title="Cybercriminals use fake search engines to spread malware -- Thursday, May 07, 2009"&gt;downloading malware&lt;/a&gt; through means such as an innocent-looking URL link or videos and pictures from unknown sources.  &lt;br /&gt;"[Users] could be opening themselves up to &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62057729,00.htm" title="Hacker pleads guilty to ID thefts netting millions -- Monday, Sep. 14, 2009"&gt;identity theft&lt;/a&gt; and other types of cybercrime," Symantec said in the report, adding that the number of attempted attacks using social engineering "is sure to increase" next year. &lt;br /&gt;Also, as the popularity of Apple products continues to grow, users of the Mac and iPhone--two of the most popular products by Apple--should look to protect the content they place on their devices as "more attackers will devote time to create malware to exploit these devices", according to the report.
With the increased use of smartphones, &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62059391,00.htm" title="Smartphones: A bigger target for security threats -- Wednesday, Nov. 18, 2009"&gt;mobile security&lt;/a&gt; will also be an area of concern, added Symantec.  &lt;br /&gt;On the burgeoning social networking scene and the opportunities this affords cybercriminals, Symantec noted that the continuing "unprecedented growth" of social sites will elicit a corresponding growth in fraud attempts. &lt;br /&gt;&lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62035141,00.htm" title="Shorter URLs help phishers hook more victims -- Thursday, Dec. 04, 2007"&gt;Shortened URLs&lt;/a&gt; are another key area for security, as the links may direct people to undesirable sites filled with malware, said David Hall, regional product manager, consumer products and solutions, Symantec Asia-Pacific, at the gathering. Condensed URLs are popular on social networking sites, in particular Twitter and Facebook, so users of these platforms should avoid clicking on URLs sent by unknown users. Such links are likely to be created by phishers peddling links to malicious sites, said Symantec. &lt;br /&gt;"&lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058747,00.htm" title="Rogue security programs are 'ongoing threat' -- Tuesday, Oct. 20, 2009"&gt;Scareware&lt;/a&gt;", or fake antivirus software, is also expected to have a bigger presence next year, the security firm said. In such scenarios, users are tricked by scareware promoters into downloading the fake application, which could then lead to sensitive information being compromised. Computers may even be "hijacked" or rendered useless by cybercriminals, who control the machines until the owners pay a ransom fee. &lt;br /&gt;&lt;b&gt;A look back at 2009&lt;/b&gt; &lt;br /&gt;Scareware is, incidentally, one of 2009's top security concerns, according to Symantec's report.
&lt;br /&gt;Another security headliner this year was the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm" title="Report: Conficker in attack mode -- Wednesday, Apr. 29, 2009"&gt;Conficker&lt;/a&gt; worm, which allowed its creators to remotely install software on computers globally. Though detected in November 2008, the worm started infecting computers in March and April 2009. &lt;br /&gt;In addition, events such as the deaths of actor Patrick Swayze and pop icon Michael Jackson, as well as the inauguration of America's first African-American president Barack Obama, saw significant spikes in search queries. Cybercriminals latched onto these opportunities to release their spam and malware onto the Web to trick unsuspecting users, said Symantec. &lt;br /&gt;The company also reported more than 40 trillion &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058521,00.htm" title="Hacked Web mail accounts used to send spam -- Monday, Oct. 12, 2009"&gt;spam messages&lt;/a&gt; in the past 12 months, with some of the popular subjects including festive occasions, cheap car discounts and fake Twitter invitations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1533610442091686606?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1533610442091686606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/5-security-threats-to-watch-in-2010.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1533610442091686606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1533610442091686606'/><link
rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/12/5-security-threats-to-watch-in-2010.html' title='5 security threats to watch in 2010'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2255293181760265743</id><published>2009-11-30T04:31:00.000-08:00</published><updated>2009-11-30T04:31:44.543-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Top 10 most famous hackers</title><content type='html'>We present the ten most famous hackers.                  &lt;div class="headerOne"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="slideshow"&gt;  &lt;div class="ssImg" style="display: block;"&gt;    &lt;img alt="Kevin Mitnick: Top 10 most famous hackers" height="288" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01532/kevin-mitnick_1532297c.jpg" width="460" /&gt;     &lt;div class="imageExtras" style="width: 460px;"&gt;      &lt;span class="caption"&gt;The former self-styled 'hacker poster-boy': Kevin Mitnick&lt;/span&gt;      &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;strong&gt;1. Kevin Mitnick &lt;/strong&gt; &lt;br /&gt;Probably the most famous hacker of his generation, Mitnick has been described    by the US Department of Justice as "the most wanted computer criminal    in United States history." The self-styled 'hacker poster boy'    allegedly hacked into the computer systems of some of the world's top    technology and telecommunications companies including Nokia, Fujitsu and    Motorola. After a highly publicised pursuit by the FBI, Mitnick was arrested    in 1995 and after confessing to several charges as part of a plea-bargain    agreement, he served a five year prison sentence. 
He was released on parole in 2000 and today runs a computer security consultancy. He didn't refer to his hacking activities as 'hacking' and instead called them 'social engineering'.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Kevin Poulsen &lt;/strong&gt; &lt;br /&gt;Poulsen first gained notoriety by hacking into the phone lines of Los Angeles radio station KIIS-FM, ensuring he would be the 102nd caller and thus the winner of a competition the station was running in which the prize was a Porsche. Under the hacker alias Dark Dante, he also reactivated old Yellow Page escort telephone numbers for an acquaintance who then ran a virtual escort agency. The authorities began pursuing Poulsen in earnest after he hacked into a federal investigation database. Poulsen even appeared on the US television show Unsolved Mysteries as a fugitive – although all the 1-800 phone lines for the program mysteriously crashed. Since his release from prison, Poulsen has reinvented himself as a journalist.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. Adrian Lamo &lt;/strong&gt; &lt;br /&gt;Adrian Lamo was named 'the homeless hacker' for his penchant for using coffee shops, libraries and internet cafés as his bases for hacking. Most of his illicit activities involved breaking into computer networks and then reporting on their vulnerabilities to the companies that owned them. Lamo's biggest claim to fame came when he broke into the intranet of the New York Times and added his name to their database of experts. He also used the paper's LexisNexis account to gain access to the confidential details of high-profile subjects. Lamo currently works as a journalist.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;4.
Stephen Wozniak &lt;/strong&gt; &lt;br /&gt;Famous for being the co-founder of Apple, Stephen "Woz" Wozniak    began his 'white-hat' hacking career with 'phone phreaking' – slang for    bypassing the phone system. While studying at the University of California    he made devices for his friends called 'blue boxes' that allowed them to    make free long distance phone calls. Wozniak allegedly used one such device    to call the Pope. He later dropped out of university after he began work on    an idea for a computer. He formed Apple Computer with his friend Steve Jobs    and the rest, as they say, is history.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5. Loyd Blankenship&lt;/strong&gt; &lt;br /&gt;Also known as The Mentor, Blankenship was a member of a couple of hacker elite    groups in the 1980s – notably the Legion Of Doom, who battled for supremacy    online against the Masters Of Deception. However, his biggest claim to fame    is that he is the author of the Hacker Manifesto (The Conscience of a    Hacker), which he wrote after he was arrested in 1986. The Manifesto states    that a hacker's only crime is curiosity and is looked at as not only a moral    guide by hackers up to today, but also a cornerstone of hacker philosophy.    It was reprinted in Phrack magazine and even made its way into the 1995 film    Hackers, which starred Angelina Jolie.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;6. Michael Calce &lt;/strong&gt; &lt;br /&gt;Calce gained notoriety when he was just 15 years old by hacking into some of    the largest commercial websites in the world. On Valentine's Day in 2000,    using the hacker alias MafiaBoy, Calce launched a series of    denial-of-service attacks across 75 computers in 52 networks, which affected    sites such as eBay, Amazon and Yahoo. He was arrested after he was noticed    boasting about his hack in online chat rooms. 
He received a sentence of eight months of "open custody," one year of probation, restricted use of the internet, and a small fine.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;7. Robert Tappan Morris &lt;/strong&gt; &lt;br /&gt;In November of 1988 a computer virus, which was later traced to Cornell University, infected around 6,000 major Unix machines, slowing them down to the point of being unusable and causing millions of dollars in damage. Whether this virus was the first of its type is debatable. What is public record, however, is that its creator, Robert Tappan Morris, became the first person to be convicted under the Computer Fraud and Abuse Act. Morris said his 'worm' virus wasn't intended to damage anything and was instead released to gauge the size of the internet. This assertion didn't help him, however, and he was sentenced to three years' probation, 4000 hours of community service and a hefty fine. A computer disk containing the source code for the Morris Worm remains on display at the Boston Museum of Science to this day.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;8. The Masters Of Deception &lt;/strong&gt; &lt;br /&gt;The Masters Of Deception (MoD) were a New York-based group of elite hackers who targeted US phone systems in the mid to late 80s. A splinter group from the Legion Of Doom (LoD), they became a target for the authorities after they broke into AT&amp;amp;T's computer system. The group was eventually brought to heel in 1992 with many of its members receiving jail or suspended sentences.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;9. David L. Smith &lt;/strong&gt; &lt;br /&gt;Smith is the author of the notorious Melissa worm virus, which was the first successful email-aware virus distributed in the Usenet discussion group alt.sex. The virus's original form was sent via email. Smith was arrested and later sentenced to jail for causing over $80 million worth of damage.
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;10. Sven Jaschan &lt;/strong&gt; &lt;br /&gt;Jaschan was found guilty of writing the Netsky and Sasser worms in 2004 while    he was still a teenager. The viruses were found to be responsible for 70 per    cent of all the malware seen spreading over the internet at the time.    Jaschan received a suspended sentence and three years probation for his    crimes. He was also hired by a security company.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2255293181760265743?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2255293181760265743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/top-10-most-famous-hackers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2255293181760265743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2255293181760265743'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/top-10-most-famous-hackers.html' title='Top 10 most famous hackers'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1999871545186804096</id><published>2009-11-22T23:36:00.001-08:00</published><updated>2009-11-22T23:36:26.399-08:00</updated><title type='text'>Can Adobe beat back hackers?</title><content type='html'>&lt;b&gt; For years, Adobe Systems has occupied a quiet corner of the personal-computer 
industry. Photographers and designers use its software to clean up photos and set up Web sites. Workers everywhere trade electronic documents formatted with Adobe's programs, often without knowing the company behind the software. &lt;/b&gt;&lt;br /&gt;Now Adobe is attracting the unwanted attention of hackers--and security experts are concerned the company isn't doing enough to repel assaults. So far this year, Adobe has released nine security updates for the current version of its Acrobat Reader software, up from four in 2008, said Moscow security firm Kaspersky Lab. &lt;br /&gt;Adobe appears to have &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,61988482,00.htm" title="Corporate crimeware threat 'moving to Adobe' -- Friday, Feb. 09, 2007"&gt;replaced Microsoft&lt;/a&gt; as the primary means by which hackers try to infect or take control of PCs. "Adobe at the moment is the main target," said Roel Schouwenberg, a Kaspersky senior antivirus researcher in Woburn. &lt;br /&gt;Historically, Adobe hasn't had to contend with attacks, so it hasn't been focused on potential weaknesses. But as Microsoft has toughened up its security, Adobe has become a more tempting prey. Its software, particularly &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62059326,00.htm" title="Expert says Adobe Flash policy is risky -- Saturday, Nov. 14, 2009"&gt;Flash for Web video&lt;/a&gt; and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053814,00.htm" title="Adobe promises fixes for Reader and Acrobat -- Wednesday, May 06, 2009"&gt;Reader for documents&lt;/a&gt;, is loaded on virtually every personal computer. &lt;br /&gt;Vulnerabilities in such widely used software can cause &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058537,00.htm" title="Adobe exploit puts backdoor on computers -- Monday, Oct. 12, 2009"&gt;myriad problems&lt;/a&gt;. 
More than a dozen sites, including those of The New York Times, USA Today, and Nature, have been infected with fake ads that exploit Adobe software. In the case of the Times, if Web surfers clicked on an ad for antivirus software, malicious code would take control of their computers through Flash and direct them to a site infested with malware. Other attacks circulate via e-mail, with virus-laden PDF files that open in Acrobat Reader. &lt;br /&gt;&lt;b&gt;Scrambling to respond&lt;/b&gt; &lt;br /&gt;Security specialists fret Adobe lacks the firepower to stop the attacks. With an estimated US$2.9 billion in sales this year, the company is one-twentieth the size of Microsoft, with a much smaller engineering staff. Microsoft issues monthly security patches for Windows and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058176,00.htm" title="Microsoft launches free Security Essentials package -- Wednesday, Sep. 30, 2009"&gt;gives away antivirus software&lt;/a&gt;.   Adobe said in May it would begin releasing regular quarterly security fixes for Reader in September and then missed that deadline by a month. A second update will be delayed until January. "So far there's been no consistency at all," said Chet Wisniewski, a security analyst at antivirus software maker Sophos. &lt;br /&gt;Adobe conceded its popularity with hackers is growing but said it is gaining the upper hand. It has five times as many engineers working on security as two years ago and has trained its entire Reader team on safe programming practices. "We're over the hump of being reactive," said Chief Technology Officer Kevin M. Lynch. Adobe had sought security advice from Microsoft and Google. &lt;br /&gt;If it gets a handle on its security problems, hackers will turn their attention elsewhere. Yahoo's instant messenger and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62035495,00.htm" title="Hackers to target iPhone, Chinese -- Wednesday, Dec. 
12, 2007"&gt;Apple's iPhone&lt;/a&gt;, for example, are starting to see attacks. &lt;br /&gt;The case of Adobe illustrates a conundrum for tech companies: They need to balance spending on new products, which brings in revenue, with spending on security, which doesn't. Adobe, though solidly profitable, laid off 680 people, 9 percent of its workforce, on Nov. 10. The need to step up security spending is "not an uncommon problem, but Adobe's going to have to get their arms around it", said Rob Enderle, president of consultant Enderle Group.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1999871545186804096?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1999871545186804096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/can-adobe-beat-back-hackers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1999871545186804096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1999871545186804096'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/can-adobe-beat-back-hackers.html' title='Can Adobe beat back hackers?'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4294859358614291511</id><published>2009-11-16T23:09:00.000-08:00</published><updated>2009-11-16T23:09:02.256-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='hackers'/><title type='text'>Hackers bypass Windows 7 activation</title><content type='html'>&lt;b&gt;Hackers have managed to find a way around one of the key antipiracy protections built into Windows 7. &lt;/b&gt; &lt;br /&gt;Ordinarily, the operating system requires users to activate their copy of Windows 7 within 30 days. However, a &lt;a href="http://www.mydigitallife.info/2009/11/06/removewat-or-chew-wga-bypass-activate-windows-7-and-server-2008-r2-forever-loader-alternative-to-remove-disable-activation-technologies/" target="_blank"&gt;recently outlined method&lt;/a&gt; allows the normal notifications to be turned off.  &lt;br /&gt;The software does not actually get confirmed as legitimate, but users are able to keep using the product indefinitely.  &lt;br /&gt;Microsoft confirmed last week it is aware of the technique, but said that it is working to shore up the activation procedure.  &lt;br /&gt;"We're aware of this workaround and are already working to address it," a Microsoft representative said in a statement, which also urged customers to only use genuine software, noting the fake stuff can contain malware and other bad things. 
&lt;br /&gt;It is the latest in a long history of cat-and-mouse moves between the makers of Windows and those who would rather not have to pay for the privilege.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4294859358614291511?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4294859358614291511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/hackers-bypass-windows-7-activation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4294859358614291511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4294859358614291511'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/hackers-bypass-windows-7-activation.html' title='Hackers bypass Windows 7 activation'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1729831549542643031</id><published>2009-11-15T09:31:00.001-08:00</published><updated>2009-11-15T09:31:26.247-08:00</updated><title type='text'>Framed for child porn — by a PC virus</title><content type='html'>&lt;div class="ytNewsArticle"&gt;          &lt;body.content&gt;                   Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.&lt;br /&gt;Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better 
known for swiping your credit card numbers. In this twist, it's your reputation that's stolen.&lt;br /&gt;Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they'll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.&lt;br /&gt;Whatever the motivation, you get child porn on your computer — and might not realize it until police knock at your door.&lt;br /&gt;An Associated Press investigation found cases in which innocent people have been branded as pedophiles after their co-workers or loved ones stumbled upon child porn placed on a PC through a virus. It can cost victims hundreds of thousands of dollars to prove their innocence.&lt;br /&gt;Their situations are complicated by the fact that actual pedophiles often blame viruses — a defense rightfully viewed with skepticism by law enforcement.&lt;br /&gt;"It's an example of the old `dog ate my homework' excuse," says Phil Malone, director of the Cyberlaw Clinic at Harvard's Berkman Center for Internet &amp;amp; Society. "The problem is, sometimes the dog does eat your homework."&lt;br /&gt;The AP's investigation included interviewing people who had been found with child porn on their computers. The AP reviewed court records and spoke to prosecutors, police and computer examiners.&lt;br /&gt;One case involved Michael Fiola, a former investigator with the Massachusetts agency that oversees &lt;span class="yshortcuts" id="lw_1257700645_0"&gt;workers' compensation&lt;/span&gt;.&lt;br /&gt;In 2007, Fiola's bosses became suspicious after the Internet bill for his state-issued laptop showed that he used 4 1/2 times more data than his colleagues. A technician found child porn in the PC folder that stores images viewed online.&lt;br /&gt;Fiola was fired and charged with possession of child pornography, which carries up to five years in prison. 
He endured death threats, his car tires were slashed and he was shunned by friends.&lt;br /&gt;Fiola and his wife fought the case, spending $250,000 on legal fees. They liquidated their savings, took a second mortgage and sold their car.&lt;br /&gt;An inspection for his defense revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.&lt;br /&gt;Prosecutors performed another test and confirmed the defense findings. The charge was dropped — 11 months after it was filed.&lt;br /&gt;The Fiolas say they have health problems from the stress of the case. They say they've talked to dozens of lawyers but can't get one to sue the state, because of a cap on the amount they can recover.&lt;br /&gt;"It ruined my life, my wife's life and my family's life," he says.&lt;br /&gt;The Massachusetts attorney general's office, which charged Fiola, declined interview requests.&lt;br /&gt;At any moment, about 20 million of the estimated 1 billion Internet-connected PCs worldwide are infected with viruses that could give hackers full control, according to security software maker F-Secure Corp. Computers often get infected when people open &lt;span class="yshortcuts" id="lw_1257700645_1"&gt;e-mail attachments&lt;/span&gt; from unknown sources or visit a malicious Web page. &lt;br /&gt;Pedophiles can tap viruses in several ways. The simplest is to force someone else's computer to surf child porn sites, collecting images along the way. Or a computer can be made into a warehouse for pictures and videos that can be viewed remotely when the PC is online. 
&lt;br /&gt;"They're kind of like locusts that descend on a cornfield: They eat up everything in sight and they move on to the next cornfield," says Eric Goldman, academic director of the High Tech Law Institute at &lt;span class="yshortcuts" id="lw_1257700645_2"&gt;Santa Clara University&lt;/span&gt;. Goldman has represented Web companies that discovered child pornographers were abusing their legitimate services. &lt;br /&gt;But pedophiles need not be involved: Child porn can land on a computer in a sick prank or an attempt to frame the PC's owner. &lt;br /&gt;In the first publicly known cases of individuals being victimized, two men in the &lt;span class="yshortcuts" id="lw_1257700645_3"&gt;United Kingdom&lt;/span&gt; were cleared in 2003 after viruses were shown to have been responsible for the child porn on their PCs. &lt;br /&gt;In one case, an infected e-mail or pop-up ad poisoned a &lt;span class="yshortcuts" id="lw_1257700645_4"&gt;defense contractor&lt;/span&gt;'s PC and downloaded the offensive pictures. &lt;br /&gt;In the other, a virus changed the home page on a man's Web browser to display child porn, a discovery made by his 7-year-old daughter. The man spent more than a week in jail and three months in a halfway house, and lost custody of his daughter. &lt;br /&gt;Chris Watts, a computer examiner in Britain, says he helped clear a hotel manager whose co-workers found child porn on the PC they shared with him. &lt;br /&gt;Watts found that while surfing the Internet for ways to play computer games without paying for them, the manager had visited a site for pirated software. It redirected visitors to child porn sites if they were inactive for a certain period. &lt;br /&gt;In all these cases, the central evidence wasn't in dispute: Pornography was on a computer. But proving how it got there was difficult. 
&lt;br /&gt;Tami Loehrs, who inspected Fiola's computer, recalls a case in Arizona in which a computer was so "extensively infected" that it would be "virtually impossible" to prove what an indictment alleged: that a 16-year-old who used the PC had uploaded child pornography to a Yahoo group. &lt;br /&gt;Prosecutors dropped the charge and let the boy plead guilty to a separate crime that kept him out of jail, though they say they did it only because of his age and lack of a criminal record. &lt;br /&gt;Many prosecutors say blaming a computer virus for child porn is a new version of an old ploy. &lt;br /&gt;"We call it the SODDI defense: Some Other Dude Did It," says James Anderson, a &lt;span class="yshortcuts" id="lw_1257700645_5"&gt;federal prosecutor&lt;/span&gt; in &lt;span class="yshortcuts" id="lw_1257700645_6"&gt;Wyoming&lt;/span&gt;. &lt;br /&gt;However, forensic examiners say it would be hard for a pedophile to get away with his crime by using a bogus virus defense. &lt;br /&gt;"I personally would feel more comfortable investing my retirement in the lottery before trying to defend myself with that," says forensics specialist Jeff Fischbach. &lt;br /&gt;Even careful child porn collectors tend to leave incriminating e-mails, DVDs or other clues. Virus defenses are no match for such evidence, says Damon King, trial attorney for the &lt;span class="yshortcuts" id="lw_1257700645_7"&gt;U.S. Justice Department's Child Exploitation and Obscenity Section&lt;/span&gt;. &lt;br /&gt;But while the virus defense does not appear to be letting real pedophiles out of trouble, there have been cases in which forensic examiners insist that legitimate claims did not get completely aired. &lt;br /&gt;Loehrs points to Ned Solon of Casper, Wyo., who is serving six years for child porn found in a folder used by a &lt;span class="yshortcuts" id="lw_1257700645_8"&gt;file-sharing program&lt;/span&gt; on his computer. 
&lt;br /&gt;Solon admits he used the program to download video games and adult porn — but not child porn. So what could explain that material? &lt;br /&gt;Loehrs testified that Solon's &lt;span class="yshortcuts" id="lw_1257700645_9"&gt;antivirus software&lt;/span&gt; wasn't working properly and appeared to have shut off for long stretches, a sign of an infection. She found no evidence the five child porn videos on Solon's computer had been viewed or downloaded fully. The porn was in a folder the file-sharing program labeled as "incomplete" because the downloads were canceled or generated an error. &lt;br /&gt;This defense was curtailed, however, when Loehrs ended her investigation in a dispute with the judge over her fees. Computer exams can cost tens of thousands of dollars. Defendants can ask the courts to pay, but sometimes judges balk at the price. Although Loehrs stopped working for Solon, she argues he is innocent. &lt;br /&gt;"I don't think it was him, I really don't," Loehrs says. "There was too much evidence that it wasn't him." &lt;br /&gt;The prosecution's forensics expert, Randy Huff, maintains that Solon's antivirus software was working properly. And he says he ran other antivirus programs on the computer and didn't find an infection — although security experts say antivirus scans frequently miss things. &lt;br /&gt;"He actually had a very clean computer compared to some of the other cases I do," Huff says. &lt;br /&gt;The jury took two hours to convict Solon. &lt;br /&gt;"Everybody feels they're innocent in prison. Nobody believes me because that's what everybody says," says Solon, whose case is being appealed. "All I know is I did not do it. I never put the stuff on there. I never saw the stuff on there. I can only hope that someday the truth will come out." &lt;br /&gt;But can it? It can be impossible to tell with certainty how a file got onto a PC. 
&lt;br /&gt;"Computers are not to be trusted," says Jeremiah Grossman, founder of WhiteHat Security Inc. He describes it as "painfully simple" to get a computer to download something the owner doesn't want — whether it's a program that displays ads or one that stores illegal pictures. &lt;br /&gt;It's possible, Grossman says, that more illicit material is waiting to be discovered. &lt;br /&gt;"Just because it's there doesn't mean the person intended for it to be there — whatever it is, child porn included."&lt;br /&gt;&lt;/body.content&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1729831549542643031?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1729831549542643031/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/framed-for-child-porn-by-pc-virus.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1729831549542643031'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1729831549542643031'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/framed-for-child-porn-by-pc-virus.html' title='Framed for child porn — by a PC virus'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-722110274645147749</id><published>2009-11-10T08:44:00.001-08:00</published><updated>2009-11-10T08:44:27.151-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='iPhone'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>First iPhone worm spreading, warn security experts</title><content type='html'>An Australian hacker claims to have written the first iPhone worm, though only    for phones that have been "jailbroken".                      &lt;div class="story"&gt;        &lt;div class="slideshow"&gt;  &lt;div class="ssImg" style="display: block;"&gt;    &lt;img alt="iPhone worm" height="288" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01491/iphone_1491318c.jpg" width="460" /&gt;     &lt;div class="imageExtras" style="width: 460px;"&gt;      &lt;span class="caption"&gt;Users who have not 'jailbroken' their phones are safe&lt;/span&gt;      &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;The 21-year-old hacker, Ashley Towns, has written a worm - a type of    self-replicating computer program similar to a virus, that changes the    iPhone's wallpaper to show a picture of 80's pop singer Rick Astley and    displays the message "ikee is never going to give you up". &lt;br /&gt;Mr Towns told Australian television that he created the virus to make users    aware of the danger of not changing the default password for their phone. &lt;br /&gt;&lt;!-- BEFORE ACI --&gt;  &lt;div class="related_links_inline"&gt;&lt;br /&gt;&lt;/div&gt;However, only iPhone users who have 'jailbroken' their phones will be affected    by the worm. Jailbreaking an iPhone involves running a program that    circumvents the official Apple operating system and allows users to run    software on their phone that has not been approved by Apple. Apple doesn't    support jailbroken phones and has tried to prevent jailbreaking through    software updates. The company has also claimed that iPhone jailbreaking is    illegal. &lt;br /&gt;Writing on his blog, Mikko Hypponen of security company F-Secure said that    source code had been released for four variants of the worm. 
Mr Hypponen    wrote: "This means that there will quickly be more variants, and they might    have nastier payload than just changing your wallpaper." &lt;br /&gt;Users who have jailbroken their phones are vulnerable to Mr Towns's worm and    those similar to it only if they are running a program called SSH, which    allows people to connect to the phone remotely over the internet. Even then,    users can remove the threat from the virus by changing their password from    the default, which is "alpine". &lt;br /&gt;Last week a Dutch hacker began accessing vulnerable phones and demanding money    for instructions on how to fix the loophole. &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-722110274645147749?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/722110274645147749/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/first-iphone-worm-spreading-warn.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/722110274645147749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/722110274645147749'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/first-iphone-worm-spreading-warn.html' title='First iPhone worm spreading, warn security experts'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6254293705157101543</id><published>2009-11-05T00:19:00.001-08:00</published><updated>2009-11-05T00:19:47.482-08:00</updated><title type='text'>Chinese officials ban Internet cafés</title><content type='html'>Chengdu, China — All Internet cafés have been closed for more than two months in Guan County in China’s Shandong province, following a county government closure order, Chinese media revealed in October. No reason was given except that the action was “based on instructions from higher authorities.” This is really odd. &lt;br /&gt;Previously, Chinese officials have blamed people who post comments online at Internet cafés for “causing social disorder.” But the Guan authorities’ shutting down all 21 local Internet cafés violates both the right to free speech guaranteed in the Constitution and the rules of the market economy. &lt;br /&gt;More critically, the authorities’ handling of the shutdown shows their administrative incompetence. Frankly, this measure proves that the county government leaders are unqualified for their jobs. &lt;br /&gt;Further, explaining their action with the unreasonable claim that they were following “instructions from higher authorities” is surely a violation of the country’s Open Government Information Act, which took effect on May 1, 2008. As taxpayers, both the owners of the Internet cafés and the netizens who are their customers have the right to know why the cafes were closed.&lt;br /&gt;When government policies affect the people's livelihood, their background and legal basis should be clearly explained. 
Otherwise, individual political leaders could make decisions according to their whims and on the spur of the moment, resulting in ridiculous measures that are both illegal and against the people’s will.&lt;br /&gt;In China there have been numerous cases of leaders making up their own policies and causing trouble for the people, leading eventually to conflicts between officials and citizens.&lt;br /&gt;Judging from all the news articles related to the closing of the Internet cafés, it appears that the authorities’ action resulted from a local netizen’s complaint related to the government’s family planning rules. In my opinion, the posted statements should be investigated, rather than being labeled as “rumors” and blocked. Rumors do not stop the wise; instead they should prompt a search for more open and truthful information. &lt;br /&gt;Removing the source of information and blocking access to the Internet serves only to prepare the soil for the spread of rumors. In fact, all kinds of talk, guesses and rumors have circulated during the two months of blocked access to the Internet. This was due to the officials’ contempt for the government information disclosure rules.&lt;br /&gt;Confrontations between Chinese officials and people often come from various governments’ arrogance and indolence. In the case of Guan County, if officials encountered a problem related to Internet cafés, they should have investigated the issue instead of simply cutting off the problem at one stroke and shutting down all the cafés. Such a sweeping approach, often at the command of one man, is bound to cause trouble. &lt;br /&gt;Further, the officials’ phobia toward Internet cafés is a reflection of their own lack of comprehension of the social reality. The Internet has been deeply changing Chinese society, and the authorities need to understand this powerful tool and develop the capacity to cope with it. 
&lt;br /&gt;What they really fear is losing control of those who use cyber cafés – both adult netizens who go online to discuss current affairs and students who use the Internet to play games and chat with friends.&lt;br /&gt;Those who oppose and demonize Internet cafés tend to have only a smattering of knowledge about them – characterizing them as places for citizens to criticize the government or for students to indulge in online games and make friends while abandoning their studies. &lt;br /&gt;The trend toward dialogue, rationality, openness and tolerance of different views cannot be resisted. Individuals and nations that try to resist such trends will be excluded from this information era. In brief, the fear of new things, lack of tolerance and absence of an adventuresome spirit result in a lack of competitiveness and being out of tune with the times. &lt;br /&gt;--&lt;br /&gt;&lt;i&gt;(Editor’s note: According to the China Internet Network Information Center, China had 338 million netizens as of July, 2009; 28 percent of them are rural dwellers. Internet penetration in Chinese cities was 35 percent, but less than 12 percent in rural areas. Thus, most Chinese access the Internet in public places such as cyber cafés.&lt;/i&gt;&lt;br /&gt;&lt;i&gt;Many officials are nervous due to increasing online revelations about official corruption and incompetence, which have gained nationwide attention. Regulations now require Internet cafés to check and record the identities of their customers, including setting up cameras at counters to take their photos. Customers under 18 are not allowed, but still many teenagers find their way into the cafés to play games.)&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;i&gt;--&lt;/i&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;i&gt;(Ran Yunfei is a noted critic on current affairs and an activist promoting civil society in China. 
This article is translated and edited from the Chinese by UPI Asia.com; the Chinese original can be found at http://www.my1510.cn/article.php?id=c2f98179215c1a84 ©Copyright Ran Yunfei.) &lt;/i&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6254293705157101543?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6254293705157101543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/chinese-officials-ban-internet-cafes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6254293705157101543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6254293705157101543'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/11/chinese-officials-ban-internet-cafes.html' title='Chinese officials ban Internet cafés'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-175639716964865761</id><published>2009-10-27T23:03:00.001-07:00</published><updated>2009-10-27T23:03:49.081-07:00</updated><title type='text'>US-CERT warns about free BlackBerry spyware app</title><content type='html'>&lt;b&gt;The U.S. 
Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.&lt;/b&gt;&lt;br /&gt;The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the &lt;a href="http://www.us-cert.gov/current/index.html#blackberry_phonesnoop_application_used_to" target="_blank"&gt;CERT advisory&lt;/a&gt; said.&lt;br /&gt;The author of the app, Sheran Gunasekera, director of security for Hermis Consulting in Jakarta, Indonesia, says it wasn't written to do any actual harm, but rather to warn of the dangers that still exist with the BlackBerry.&lt;br /&gt;The application can be used by anyone to spy on any BlackBerry user's phone. However, Gunasekera says it is not hidden on the device after it's installed, so users should be able to easily see it.&lt;br /&gt;"My intention was to raise awareness that even though the BlackBerry is one of the more secure platforms, there are still means where its users can be spied upon," Gunasekera wrote in an e-mail on Tuesday. "I wanted to highlight that even with such technical security controls, the human element can be exploited through social engineering."&lt;br /&gt;To aid BlackBerry users who asked him how they could protect themselves from being snooped on, he said he released on Tuesday another free tool called "&lt;a href="http://kisses.zensay.com/" target="_blank"&gt;Kisses&lt;/a&gt;" that will detect and display hidden programs on the device.&lt;br /&gt;On &lt;a href="http://chirashi.zensay.com/2009/10/phonesnoop-turn-a-blackberry-into-a-portable-bug/" target="_blank"&gt;his blog&lt;/a&gt;, Gunasekera explains how PhoneSnoop works.&lt;br /&gt;"PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number. 
Once it detects a call from that specific number, it automatically answers the victims' phone and puts the phone into SpeakerPhone mode," he said in the post.&lt;br /&gt;US-CERT said BlackBerry users should only download applications from trusted sources and password protect and lock the devices to prevent someone from installing unwanted software.&lt;br /&gt;The issue of BlackBerry snooping made headlines this summer when Etisalat, a carrier in the United Arab Emirates, sent SMS messages to BlackBerry subscribers encouraging them to download a patch that security experts said was spyware. &lt;br /&gt;SMobile Systems did a technical analysis of the software and concluded that the "true nature of the spyware is to intercept BlackBerry users' e-mail messages and forward the messages to a monitoring agent inside the Etisalat network," according to the &lt;a href="http://www.blackberrycool.com/2009/07/21/smobile-systems-release-complete-technical-analysis-of-etisalat-update/" target="_blank"&gt;BlackBerry Cool blog&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-175639716964865761?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/175639716964865761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/us-cert-warns-about-free-blackberry.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/175639716964865761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/175639716964865761'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/us-cert-warns-about-free-blackberry.html' title='US-CERT 
warns about free BlackBerry spyware app'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8276572147376273108</id><published>2009-10-22T11:29:00.001-07:00</published><updated>2009-10-22T11:29:31.787-07:00</updated><title type='text'>China Expands Cyberspying in U.S.</title><content type='html'>&lt;span id="intelliTXT" name="intelliTxt"&gt;&lt;strong&gt; The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.&lt;/strong&gt;&lt;br /&gt;The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes.&lt;br /&gt;The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.&lt;br /&gt;The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts wouldn't name the company described in the case study, describing it only as "a firm involved in high-technology development."&lt;br /&gt;The report didn't provide a damage assessment and didn't say specifically who was behind the attack against the U.S. company. 
But it said the company's internal analysis indicated the attack originated in or came through China.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8276572147376273108?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8276572147376273108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/china-expands-cyberspying-in-us.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8276572147376273108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8276572147376273108'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/china-expands-cyberspying-in-us.html' title='China Expands Cyberspying in U.S.'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4200132783502156386</id><published>2009-10-21T02:39:00.001-07:00</published><updated>2009-10-21T02:39:16.011-07:00</updated><title type='text'>Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks</title><content type='html'>&lt;ul&gt;&lt;li class="entryCategories"&gt;                    &lt;br /&gt;&lt;/li&gt;&lt;li class="entryEdit"&gt;            &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="entry"&gt;     &lt;img alt="smc" class="alignright size-full wp-image-10263" height="360" src="http://www.wired.com/images_blogs/threatlevel/2009/10/smc.jpg" title="smc" 
width="275" /&gt;A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.&lt;br /&gt;Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.&lt;br /&gt;“We were aware of the problem last week and have been working on it since,” said Time Warner spokesman Alex Dudley.&lt;br /&gt;The vulnerability lies with Time Warner’s &lt;a href="http://www.smc.com/index.cfm?event=viewProduct&amp;amp;localeCode=EN_USA&amp;amp;cid=2&amp;amp;scid=19&amp;amp;pid=1584"&gt;SMC8014&lt;/a&gt; series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service. The device is installed with default configurations, which customers can alter only slightly through its built-in web server. The most customers can do through this page is add a list of URLs they want their router to block.&lt;br /&gt;But blogger David Chen, writing at &lt;a href="http://chenosaurus.com/"&gt;chenosaurus.com&lt;/a&gt;, recently discovered he could easily gain remote access to an administrative page served by the router that would allow him greater control of the device.&lt;br /&gt;Chen, founder of a software startup called &lt;a href="http://pip.io/"&gt;Pip.io&lt;/a&gt;, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. 
By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.&lt;br /&gt;That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.&lt;br /&gt;&lt;span id="more-10252"&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/10/time-warner-admin-panel.jpg"&gt;&lt;img alt="time-warner-admin-panel" class="alignright size-medium wp-image-10257" height="238" src="http://www.wired.com/images_blogs/threatlevel/2009/10/time-warner-admin-panel-300x238.jpg" title="time-warner-admin-panel" width="300" /&gt;&lt;/a&gt;All of this means that a hacker who wanted to target a specific router and change its settings could access a customer’s admin panel from anywhere on the net through a web browser, log in with the master password, and then start tinkering. Among the possibilities, the intruder could alter the router’s DNS settings — for example, to redirect the customer’s browser to malicious websites — or change the Wi-Fi settings to open the user’s home network to the neighbors.&lt;br /&gt;The attacker would need the router’s IP address to conduct the attack. But Chen found a dozen customer SMC8014 series cable modem/Wi-Fi routers by simply running a port scan on a subnet of 255 Time Warner IP addresses. 
An evil hacker could easily automate a scanning tool to sweep through Time Warner’s address space and hack every SMC8014 it finds.&lt;br /&gt;“From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks,” Chen wrote on his blog. “Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.”&lt;br /&gt;Chen said he contacted Time Warner’s security department four weeks ago and was told that the company was aware of the security vulnerability but “cannot do anything about it.”&lt;br /&gt;He says he’s relieved to hear the company is now addressing the problem.&lt;br /&gt;It’s unclear if other Time Warner customers would be affected by the same issues.&lt;br /&gt;Time Warner’s Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using.&lt;br /&gt;“We are working to determine if it affects other models,” he says.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4200132783502156386?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4200132783502156386/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/time-warner-cable-exposes-65000.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4200132783502156386'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4200132783502156386'/><link 
rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/time-warner-cable-exposes-65000.html' title='Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-7210424682921099515</id><published>2009-10-20T00:31:00.001-07:00</published><updated>2009-10-20T00:31:27.380-07:00</updated><title type='text'>S'pore looking to improve online security</title><content type='html'>&lt;b&gt;The Monetary Authority of Singapore (MAS) is exploring ways to enhance security for online purchases, according to an industry player, who adds that dynamic authentication will be a good step toward that direction. &lt;/b&gt;  &lt;br /&gt;Ingo Noka, Visa's Asia-Pacific head of data security and enterprise risk management, explained that dynamic authentication uses passwords that are generated every 10 seconds. This helps ensure passwords, even when stolen, will no longer be valid for use in online transactions after a time limit, Noka said in an interview with ZDNet Asia. &lt;br /&gt;These passwords can be generated by a token or sent via SMS to the consumer, he added. The payment structure is similar to Internet banking transactions in Singapore, where local banks support dynamic passwords as part of the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,39358267,00.htm" title="S'pore banks gear up for stronger authentication -- Tuesday, May 09, 2006"&gt;two-factor authentication&lt;/a&gt; process.   
&lt;br /&gt;He said Visa is prepared to support this implementation, having put effort into building an infrastructure it calls 3-D Secure (three domain secure), also known as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,21203310,00.htm" title="Visa USA tightens ecurity with Arcot -- Wednesday, May 16, 2009"&gt;Verified by Visa&lt;/a&gt;. Noka explained that this system will enable card-issuing banks to implement their own dynamic authentication without affecting the merchant's bank authorization process. &lt;br /&gt;For the merchant, supporting the infrastructure would involve installing a plugin, he said. According to Visa, the plugin facilitates the delivery of authentication requests to an access control server, which then carries out the authentication policy as defined by the issuer bank. &lt;br /&gt;&lt;b&gt;Chipping at card security&lt;/b&gt; &lt;br /&gt;The MAS is also exploring ways to beef up security for credit card payments and is closely looking at moving Singapore to &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,39361483,00.htm" title="Smart cards lower credit card fraud in M'sia -- Wednesday, May 24, 2006"&gt;chip-based cards&lt;/a&gt;, Noka said, adding that these offer better security than magnetic strips as data on chips is more difficult to clone.   &lt;br /&gt;He acknowledged that the deployment of &lt;a href="http://www.zdnetasia.com/news/hardware/0,39042972,39251544,00.htm" title="Smart cards gaining momentum in Asia, says Visa -- Monday, Aug. 29, 2005"&gt;chip cards has been touted for several years&lt;/a&gt;, but noted that it takes time for the necessary infrastructure to be rolled out, locally and globally, so payments can be supported regardless of where the consumers use the cards. 
&lt;br /&gt;Asked what components are essential to safeguard against credit card fraud, he replied that it would take a combination of dynamic authentication for online transactions, chip cards to combat offline fraud and the deployment of &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62046695,00.htm" title="New credit card security rules to have impact -- Tuesday, 30 Sep. 2009"&gt;Payment Card Industry (PCI) Data Security Standard (DSS)&lt;/a&gt;.   &lt;br /&gt;Governed by the PCI Security Standards Council, the PCI DSS comprises a set of guidelines aimed at enhancing data security, combating fraud and eliminating security vulnerabilities for payments made by credit and debit cards. &lt;br /&gt;Noka added that merchants also play an important role in keeping credit card payments secure. "There is no point in giving customers a chip card when no merchants are installing the terminals [to support such payments]," he said. &lt;br /&gt;He noted that credit card fraud related to lost or stolen cards is currently "kept very well under control" via various security policies, including what Visa calls advanced authorization. This system checks a transaction against a set of parameters, gives a score to indicate the risk of the transaction and sends that data to the card issuer. &lt;br /&gt;"The issuer can take this into account. They might let that one transaction go through depending on the amount, for example, or they can call the cardholder immediately to ensure it is a legal transaction. If the cardholder says, 'That's not me', the issuer can block every subsequent transaction," said Noka. &lt;br /&gt;Asked if hand-written signatures should be replaced as a form of authorization for credit card payments, Noka said some customers remain "psychologically" attached to the signature. 
"They want to have the feeling [of assurance] that the transaction will only be charged to their card after they have signed on it," he said, adding that as such, signatures will likely remain a component of the authorization process.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-7210424682921099515?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/7210424682921099515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/spore-looking-to-improve-online.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7210424682921099515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/7210424682921099515'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/spore-looking-to-improve-online.html' title='S&apos;pore looking to improve online security'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5489312516473446572</id><published>2009-10-15T12:17:00.001-07:00</published><updated>2009-10-15T12:17:57.034-07:00</updated><title type='text'>Missing dot drops Sweden off the Internet</title><content type='html'>What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden -- every address with a .se top-level down name.&lt;br /&gt;&lt;div style="float: left; margin-bottom: 2px; margin-right: 
10px;"&gt; &lt;script type="text/javascript"&gt;&lt;!--digg_url = ' http://digg.com/tech_news/Missing_dot_drops_Sweden_off_the_Internet';// --&gt;&lt;/script&gt;&lt;script src="http://digg.com/tools/diggthis.js" type="text/javascript"&gt;&lt;/script&gt;&lt;iframe frameborder="0" height="80" scrolling="no" src="http://digg.com/tools/diggthis.php?u=http%3A//www.networkworld.com/community/node/46115&amp;amp;t=Missing%20dot%20drops%20Sweden%20off%20the%20Internet%20%7C%20NetworkWorld.com%20Community" width="52"&gt;&lt;/iframe&gt;&lt;/div&gt;According to &lt;a href="http://royal.pingdom.com/2009/10/13/sweden%25E2%2580%2599s-internet-broken-by-dns-mistake/"&gt;Web monitoring company Pingdom&lt;/a&gt;, which happens to be based in Sweden, the disablement of an entire top-level domain "is exceptionally rare. ... Usually it's a single domain name that has been incorrectly configured or the &lt;a href="http://www.networkworld.com/details/575.html"&gt;DNS&lt;/a&gt; servers of a single Web host having problems. Problems that affect an entire top-level zone have very wide-ranging effects as can be seen by the .se incident. ... Imagine the same thing happening to the .com domain, which has over 80 million domain names."&lt;br /&gt;The total blackout of .se lasted for about an hour and a half, &lt;a href="http://www.networkworld.com/community/node/38635"&gt;Pingdom&lt;/a&gt; says, although aftershocks are expected to continue.&lt;br /&gt;"The .SE registry used an incorrectly configured script to update the .se zone, which introduced an error to every single .se domain name," says &lt;a href="http://www.networkworld.com/community/node/33131"&gt;Pingdom&lt;/a&gt;. "We have spoken to a number of industry insiders and what happened is that when updating the data, the script did not add a terminating '.' to the DNS records in the .se zone. That trailing dot is necessary in the settings for DNS to understand that '.se" is the top-level domain. 
It is a seemingly small detail, but without it, the &lt;a href="http://www.networkworld.com/community/node/17044"&gt;whole DNS&lt;/a&gt; lookup chain broke down."&lt;br /&gt;Sweden's Internet Infrastructure Foundation, which administers .se, issued &lt;a href="http://www.iis.se/en/2009/10/13/felaktig-dns-information/"&gt;this statement&lt;/a&gt;: "The cause was an incorrect software update, which, despite our testing procedures were not detected. Thanks to well-functioning surveillance system .SE discovered the error immediately and a new file with the DNS data (zone file) was produced and distributed within one hour. ... The false information that was sent out affected accessibility to all .se domains for a short time. However, there may still be some name servers that have not changed out of misinformation against the real."&lt;br /&gt;A spokesperson for .se, Maria Eklund &lt;a href="http://www.thelocal.se/22618/20091013/"&gt;told&lt;/a&gt; a Swedish press outlet that the issues may not be completely resolved before Wednesday. "This little mistake is going to affect Internet traffic for two days," she told the newspaper.&lt;br /&gt;"I suspect there will be ongoing discussions for weeks here in Sweden," &lt;a href="http://www.networkworld.com/community/node/9207"&gt;Pingdom's&lt;/a&gt; Peter Alguacil told me this morning in an e-mail. "These things just can't be allowed to happen."&lt;br /&gt;(Speculation that it's really the fault of newly &lt;a href="http://www.networkworld.com/news/2009/093009-icann-freed-from-us-govt.html?fsrc=netflash-rss"&gt;"internationalized" ICANN&lt;/a&gt; begins in 3 ... 2 ... 
1.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5489312516473446572?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5489312516473446572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/missing-dot-drops-sweden-off-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5489312516473446572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5489312516473446572'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/missing-dot-drops-sweden-off-internet.html' title='Missing dot drops Sweden off the Internet'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8584489594121741674</id><published>2009-10-11T23:56:00.001-07:00</published><updated>2009-10-11T23:56:50.389-07:00</updated><title type='text'>Hacked Web mail accounts used to send spam</title><content type='html'>&lt;div id="story"&gt;   &lt;b&gt;There has been a marked increase in the amount of spam e-mail being sent from Yahoo, Gmail and Hotmail accounts, according to analysts at Websense Security Labs.&lt;/b&gt;&lt;br /&gt;Websense said last week that personalized spam e-mail had been sent from the compromised accounts to all of each user's contacts. 
The e-mails contain links to fake shopping sites, intended to capture sensitive information from the reader.&lt;br /&gt;Earlier this week, Microsoft acknowledged that &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62058376,00.htm" title="Phishing attack hits thousands of Hotmail accounts -- Wednesday, Oct. 07, 2009"&gt;30,000 Hotmail accounts had been breached&lt;/a&gt;, and suggested the passwords for the accounts had been obtained in a phishing scam.&lt;br /&gt;However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet Asia's sister site, ZDNet UK last week that the information was likely to have been obtained through key logging.&lt;br /&gt;"The quantity of people hit makes me think that it was key logging--the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of e-mail account credentials, there were entries with the same username, but a slightly different password, which suggests that they're typos."&lt;br /&gt;"I don't think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them," he said.&lt;br /&gt;Mary Landesman, senior security consultant at ScanSafe, said in a blog post last week that a data-theft Trojan is likely to have been used. Many of the victims appeared to be taking reasonable precautions with the length and complexity of their passwords, she said. &lt;br /&gt;In addition, there were errors throughout the list that appeared to be the result of improper extraction of data, Landesman suggested.&lt;br /&gt;Patrick Runald, security research manager at Websense, said that as yet, there is no proof to suggest it was either a phishing or key-logging scam, although he suspected it could be both. 
He added that considering the number of compromised accounts, the attack is likely to date back months.&lt;br /&gt;"We've been looking through our systems to try and locate an e-mail that is credible enough to fool so many people, and so far we haven't found one," said Runald. "Generally phishing is declining and being replaced by key logging, and considering the number of compromised accounts, it could be a combination of both."&lt;br /&gt;Runald urged users to change the passwords to their e-mail accounts, and any other accounts that the same password might be used for, on a six-monthly basis. Websense also encouraged people to check that Web sites are properly encrypted and start with the secure version of hypertext transfer protocol, 'https'.&lt;br /&gt;Carole Theriault, senior security consultant at Sophos, said Sophos customers had experienced no significant increase in spam over the past four days. However, she said forum phishing attacks had taken place.&lt;br /&gt;"Some of the most popular passwords that were posted were words like 'neopets', 'tigger' and 'princess'--words that children would use. 
So not only should parents change their account passwords, they should make sure their kids do, too," she said.&lt;br /&gt;&lt;br clear="all" /&gt;   &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8584489594121741674?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8584489594121741674/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/hacked-web-mail-accounts-used-to-send.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8584489594121741674'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8584489594121741674'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/hacked-web-mail-accounts-used-to-send.html' title='Hacked Web mail accounts used to send spam'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1552377513443588401</id><published>2009-10-01T07:06:00.003-07:00</published><updated>2009-10-01T07:06:36.511-07:00</updated><title type='text'>Businesses targeted by small botnets</title><content type='html'>&lt;b&gt;The majority of botnets in enterprises are small and targeted, according to security firm Damballa.&lt;/b&gt;&lt;br /&gt;Enterprise botnets typically consist of a network of fewer than 100 machines, in contrast to &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62055590,00.htm" 
title="Botnets lead way in spam charge -- Tuesday, Jun. 30, 2009"&gt;botnets in the general internet population&lt;/a&gt;, according to Damballa researchers Gunter Ollmann and Erik Wu. For example, the Zeus botnet encompasses millions of machines, according to security researchers.&lt;br /&gt;"While we often observe plenty of stats pertaining to just how big some of the largest internet-based botnets are (reaching in to the tens-of-millions), the spectrum of enterprise botnets appear to be different," Ollmann wrote in a blog post on Tuesday.&lt;br /&gt;"Based upon Damballa's observations of some 600 different botnets encountered and examined within global enterprise businesses over three months, we found that botnets [with fewer than 100 bots] account for 57 percent of all botnets," Ollmann said.&lt;br /&gt;Compromised networks of over 10,000 machines accounted for just five percent of those botnets found in large companies, according to the research. Attackers monitor the compromised machines to harvest high-value data such as source code or copies of customer databases, or to extract directly usable data such as authentication details for large money transfers.&lt;br /&gt;Ollmann wrote that the majority of malicious code on the machines had been built using kits available on the internet, including the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62047877,00.htm" title="Cybercrime takes to the cloud -- Monday, Nov. 03, 2008"&gt;Zeus&lt;/a&gt; and Poison Ivy kits.&lt;br /&gt;While most of the companies were likely to have become compromised through specially tailored, targeted attacks, Ollmann said that in some cases malicious employees could have deliberately installed the software in order to bypass corporate security.&lt;br /&gt;"It looks to me as though these small botnets are highly targeted at particular enterprises [or vertical sectors], typically requiring a sizable degree of familiarity of the breached enterprise itself," Ollmann wrote. 
"I suspect that in some cases we're probably seeing the handiwork of employees effectively backdooring critical systems so that they can 'remotely manage' the compromised assets and avoid antivirus detection."&lt;br /&gt;Thorsten Holz, a botnet researcher at the Vienna University of Technology, told ZDNet Asia's sister site, ZDNet UK on Wednesday that he had never heard of employees knowingly installing bots on their systems. However, he agreed it was feasible that most botnets in large companies were small, and that the machines had been targeted.&lt;br /&gt;"If someone attacks a company, they want to stay below the radar," said Holz. "They would try to have a couple of hundred infections at most, so companies don't realize they are infected, antivirus companies don't get signatures, and attacks [to harvest information] can be more stealthy."&lt;br /&gt;Holz added that, in a company with over 10,000 users, there is a good chance many users' systems would be infected with software that could make them part of a botnet. "Employees click on a malicious link, or use laptops at home, get infected and bring the machines back in," he said. 
"The threat is real."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1552377513443588401?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1552377513443588401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/businesses-targeted-by-small-botnets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1552377513443588401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1552377513443588401'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/businesses-targeted-by-small-botnets.html' title='Businesses targeted by small botnets'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1794152101779026965</id><published>2009-10-01T07:06:00.001-07:00</published><updated>2009-10-01T07:06:19.706-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Blackberry'/><title type='text'>BlackBerry smartphones open to SMS attack</title><content type='html'>&lt;b&gt;BlackBerry mobile devices are open to attack due to a certificate notification flaw in the smartphone's software, according to Research In Motion.&lt;/b&gt;&lt;br /&gt;The problem lies in the BlackBerry Browser, specifically in the dialog box that alerts users if the URL they have clicked on does not match the domain they are being sent to, the company warned in an advisory on 
Monday.&lt;br /&gt;To exploit the flaw, a hacker could craft a malicious website that spoofs a trusted website, then send users a link to that site using text messaging or email. If the malicious domain name contains a null character and the user chooses to access the site, the certificate-handling software on the device will note that there is a mismatch, but the warning dialog box will not display the null character in the link.&lt;br /&gt;For example, the URL 'zd[null character]net.co.uk' will generate an alert, which will tell the user they are about to visit 'zdnet.co.uk'. BlackBerry users may ignore this alert, as malicious websites could appear benign, RIM said.&lt;br /&gt;"RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages," the company said in its advisory. "If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection."&lt;br /&gt;BlackBerry Device Software from version 4.5 onwards is affected. 
RIM has provided a software update, available from the BlackBerry updates site, to mitigate the issue.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1794152101779026965?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1794152101779026965/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/blackberry-smartphones-open-to-sms.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1794152101779026965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1794152101779026965'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/10/blackberry-smartphones-open-to-sms.html' title='BlackBerry smartphones open to SMS attack'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1856100864624402740</id><published>2009-09-30T05:43:00.001-07:00</published><updated>2009-09-30T05:43:11.722-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><title type='text'>Banking Trojan steals money from under your nose</title><content type='html'>&lt;b&gt;Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log in credentials but actually steals money from your account while you are logged in and displays a fake balance.&lt;/b&gt;&lt;br /&gt;The bank Trojan, dubbed URLzone, has 
features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview on Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available. &lt;br /&gt;The specific Trojan Finjan researchers analyzed targets customers of unnamed German banks. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting on infected PCs. Finjan has notified German law enforcement authorities, Ben-Itzhak said. &lt;br /&gt;"It's a next generation bank trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."&lt;br /&gt;Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySpoilt administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims. &lt;br /&gt;About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers had the Trojan installed, a few hundred had money stolen from their bank accounts, he added. &lt;br /&gt;During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly US$438,000, according to the security company. &lt;br /&gt;Here's how the Trojan works: &lt;br /&gt;Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and has malware hidden on it. 
&lt;br /&gt;In this case the malware, a toolkit called LuckySpoilt, exploits a known security hole in the browser, affecting the major browsers, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank, it springs into action. &lt;br /&gt;While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers antifraud systems and is told to leave a certain percentage in the account, Ben-Itzhak said. &lt;br /&gt;After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.&lt;br /&gt;"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."&lt;br /&gt;The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said. &lt;br /&gt;Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds. 
&lt;br /&gt;The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report. &lt;br /&gt;This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said. &lt;br /&gt;&lt;i&gt;This article was first published as a blog post on CNET News.&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1856100864624402740?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1856100864624402740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/banking-trojan-steals-money-from-under.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1856100864624402740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1856100864624402740'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/banking-trojan-steals-money-from-under.html' title='Banking Trojan steals money from under your nose'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-4178378652698995772</id><published>2009-09-24T00:46:00.001-07:00</published><updated>2009-09-24T00:46:13.260-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>Twitter phishing scam spreads via direct messages</title><content type='html'>&lt;b&gt;A new phishing scam is spreading through Twitter via direct messages, according to several reports.&lt;/b&gt;&lt;br /&gt;Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link to what appeared to be a video-related Twitter page. &lt;br /&gt;The page looks like a legitimate Twitter log-in page but nabs your credentials if you type in your password, he warns.&lt;br /&gt;Meanwhile, a posting on the Mashable blog said the site had received multiple reports of the new phishing scam and that someone there had even received one of the phishing-related direct messages themselves. &lt;br /&gt;No word on this yet on Twitter's official blog or from a Twitter spokesperson. We'll keep you posted as we hear more. &lt;br /&gt;In the meantime, if you clicked on the phishing link and typed in your credentials, you should change your password immediately. &lt;br /&gt;&lt;b&gt;Update at 5:30 p.m. 
PDT:&lt;/b&gt; Twitter acknowledged the phishing scam in a tweet on Wednesday that said "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login creds!"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-4178378652698995772?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/4178378652698995772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/twitter-phishing-scam-spreads-via.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4178378652698995772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/4178378652698995772'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/twitter-phishing-scam-spreads-via.html' title='Twitter phishing scam spreads via direct messages'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-372696997874461508</id><published>2009-09-22T00:00:00.001-07:00</published><updated>2009-09-22T00:00:09.984-07:00</updated><title type='text'>Why virus writers are turning to open source</title><content type='html'>&lt;b&gt;Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.&lt;/b&gt;&lt;br /&gt;By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers 
are hoping to expand the capabilities of old Trojans.&lt;br /&gt;According to Candid Wuest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.&lt;br /&gt;The move to an open source business model is allowing criminals to add extra features to their malware. &lt;br /&gt;"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wuest said. &lt;br /&gt;Releasing Trojans as open source dates back to 1999, when the &lt;a href="http://comment.silicon.com/0,39024711,11011501,00.htm" target="_blank"&gt;Cult of the Dead Cow group released the source code&lt;/a&gt; for its Trojan called Back Orifice.&lt;br /&gt;More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters. &lt;br /&gt;Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.&lt;br /&gt;There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. 
The Limbo Trojan kit was previously sold to fraudsters for US$350 per time before it went open source, while the Zeus Trojan today sells for between US$1,000 and US$3,000.&lt;br /&gt;However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.&lt;br /&gt;"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.&lt;br /&gt;"At the beginning of it going open source it was big news but people have since stopped investing in it.&lt;br /&gt;"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said. &lt;br /&gt;Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking Web sites and capture the keystrokes and the files saved on an infected computer.&lt;br /&gt;And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.&lt;br /&gt;"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wuest said.&lt;br /&gt;The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected Web site, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.&lt;br /&gt;These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or 
attachment.&lt;br /&gt;RSA analysts say these new methods have fueled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-372696997874461508?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/372696997874461508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/why-virus-writers-are-turning-to-open.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/372696997874461508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/372696997874461508'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/why-virus-writers-are-turning-to-open.html' title='Why virus writers are turning to open source'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3823392259281339080</id><published>2009-09-17T08:26:00.001-07:00</published><updated>2009-09-17T08:26:41.510-07:00</updated><title type='text'>Websense: Beware user comments online</title><content type='html'>&lt;b&gt;Web 2.0 sites that allow users to create content, are increasingly used to carry out a wide range of attacks, according to a new security study.&lt;/b&gt;&lt;br /&gt;Released Tuesday, Websense's &lt;i&gt;&lt;a 
href="http://www.websense.com/site/docs/whitepapers/en/WSL_Q1_Q2_2009_FNL.PDF" target="_blank"&gt;State of Internet Security, Q1 - Q2, 2009&lt;/a&gt;&lt;/i&gt; report noted that attackers are focusing their attention on interactive Web 2.0 elements. Some 95 percent of user-generated comments on blogs, message boards and in chatrooms are either spam or malicious, the security vendor warned.&lt;br /&gt;"The very aspects of Web 2.0 sites that have made them so revolutionary--the dynamic nature of content on the sites, the ability for anyone to easily create and post content, and the trust that users have for others in their online networks--are the same characteristics that radically raise the potential for abuse," Websense said in its report.&lt;br /&gt;Web 2.0 sites, the company added, comprise "many" of the most visited sites on the Internet. The top 100 most visited Web properties tended to be classified as social networking or search sites. Nearly half, or over 47 percent, of the top 100 Web sites support user-generated content.&lt;br /&gt;At the same time, sites that allow user-generated content make up the majority of the top 50 most active distributors of malware. Over 60 percent of the top 100 Web properties either hosted malicious content or &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62057229,00.htm" title="Cyberattacks lay more 'stepping stones' -- Wednesday, Aug. 26, 2009"&gt;redirected users to malicious sites without their knowledge&lt;/a&gt;.&lt;br /&gt;"With their large user base, good reputations and support of Web 2.0 applications, these sites provide authors of malicious code with abundant opportunity to easily reach a wide number of victims with their attacks," the report continued.&lt;br /&gt;Efforts to self-police Web 2.0 properties have, on the other hand, been "largely ineffective", Websense revealed. 
The security company said its research during the first six months of 2009 indicated that community-driven security tools, which enable users to report inappropriate content, on sites including YouTube and BlogSpot are 65 percent to 75 percent "ineffective in protecting Web users from objectionable content and security risks".&lt;br /&gt;According to Websense statistics, the number of malicious sites between January and June grew 233 percent over the second half of 2008, and 671 percent compared to the same period last year.&lt;br /&gt;The security firm also found that during the period, 78 percent of new Web pages with objectionable content such as pornography or gambling, contained at least one malicious link. Some 77 percent of Web sites with malicious code were compromised legitimate sites.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3823392259281339080?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3823392259281339080/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/websense-beware-user-comments-online.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3823392259281339080'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3823392259281339080'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/websense-beware-user-comments-online.html' title='Websense: Beware user comments online'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1385813113046217175</id><published>2009-09-15T03:27:00.001-07:00</published><updated>2009-09-15T03:27:31.394-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Hacker pleads guilty to ID thefts netting millions</title><content type='html'>&lt;b&gt;A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty last week and agreed to forfeit more than US$2.7 million in restitution, as well as a condo, jewelry, and a car.&lt;/b&gt;&lt;br /&gt;Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty (as expected) to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes &amp;amp; Noble, and Sports Authority, among other retailers.&lt;br /&gt;Gonzalez, along with 10 others from the United States, Eastern Europe, and China, was accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop), and installing sniffer programs to capture data.&lt;br /&gt;He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave &amp;amp; Buster's restaurant chain. 
He was indicted on that charge in New York in May 2008.&lt;br /&gt;Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62056962,00.htm" title="Three men indicted in largest U.S. data breach -- Tuesday, Aug. 18, 2009"&gt;last month&lt;/a&gt;.&lt;br /&gt;Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the United States and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.&lt;br /&gt;Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least US$500,000.&lt;br /&gt;As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than US$1 million in cash that was buried in his back yard. &lt;br /&gt;Sentencing is scheduled for December 8. 
Gonzalez' attorney, Rene Palomino, did not immediately respond to a request for comment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1385813113046217175?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1385813113046217175/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/hacker-pleads-guilty-to-id-thefts.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1385813113046217175'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1385813113046217175'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/hacker-pleads-guilty-to-id-thefts.html' title='Hacker pleads guilty to ID thefts netting millions'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-9121141619720268602</id><published>2009-09-04T06:42:00.001-07:00</published><updated>2009-09-04T06:42:24.998-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Browser'/><title type='text'>Browser extensions may be used for attacks</title><content type='html'>&lt;b&gt;Browser extensions could soon become the new weapon in organized crime's armory, according to an industry expert.&lt;/b&gt;  &lt;br /&gt;Cybercriminals are likely to work on gaining the trust of users that download such extensions to enhance their Web experience, and only show their true colors much later, Doug 
Browne, general manager of Security-Assessment.com, said Wednesday in an interview with ZDNet Asia. The Auckland, New Zealand-based company is a wholly-owned subsidiary of Datacraft Asia.&lt;br /&gt;"Initially, it will be just an extension you can use...[it] provides great functionality and therefore more and more people start using it," he explained. "In a later release--[&lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62056579,00.htm" title="Using software updates to spread malware -- Monday, Aug. 03, 2009"&gt;in the form of an update&lt;/a&gt;]--it will load malicious code onto [the user's] machine."&lt;br /&gt;Such a scenario could "easily" develop, Browne warned, adding that the tactic may already be in use. Crime syndicates can afford to pay developers to write "good extensions", he noted.&lt;br /&gt;As it is, Firefox extensions are proving to be vulnerable, said Browne. Security-Assessment.com's recent study of "about nine or 10" extensions for the Mozilla browser has revealed all to be vulnerable to attacks. The extensions were among the highest ranked, and may even be "recommended" by the Mozilla site.&lt;br /&gt;Firefox, he reported, has around &lt;a href="http://www.zdnetasia.com/news/software/0,39044164,62057427,00.htm" title="Rival browsers gain on Internet Explorer -- Thursday, Sep. 03, 2009"&gt;23 percent share of the browser population&lt;/a&gt;, and 80 percent of installations run extensions. According to &lt;a href="https://addons.mozilla.org/en-US/firefox/" target="_blank" title="Mozilla's add-ons for Firefox page"&gt;Mozilla's Web site&lt;/a&gt;, over 1.5 billion extensions have been downloaded, of which around 160 million are in use.&lt;br /&gt;Three of the vulnerabilities have already been publicly disclosed; the respective developers have been alerted to the remaining holes, said Browne. 
One of the extensions led to credit card numbers and online banking credentials being exposed, he noted.&lt;br /&gt;As the creator and distributor of Firefox, Mozilla tests the functional aspects of an extension, not security, Browne pointed out. Even when the add-on appears to be "recommended from Mozilla", it has not been subject to any security testing.&lt;br /&gt;"They don't actually see whether there's any malicious code--whether there's a vulnerability in the code that can be exploited to gain access to [users'] information," he said.&lt;br /&gt;Mozilla's director of add-ons Nick Nguyen pointed out, however, that security "has always been a vital part" of the add-ons community.&lt;br /&gt;"All public add-ons on add-ons.mozilla.org are code reviewed by an editor for code quality and security," he said in an e-mail. "We continuously improve the tools that our editors use to find security flaws in add-ons, and we work with our top developers to conduct code audits on reviewed add-ons and provide advice to developers to help improve existing code."&lt;br /&gt;Nguyen added: "We continue to be closely attuned to our community and do our best to react quickly when issues are found."&lt;br /&gt;The problem of extensions, Browne added, is not limited to browsers--social networking sites also are at risk.&lt;br /&gt;To better protect against such attempts to steal data, companies ought to educate end users on "what they should or shouldn't be doing", said Browne. 
Organizations should also disallow the use of extensions, as well as limit browsers--to the point of enforcing just one--to ease management of browser technologies and updates.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-9121141619720268602?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/9121141619720268602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/browser-extensions-may-be-used-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9121141619720268602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9121141619720268602'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/browser-extensions-may-be-used-for.html' title='Browser extensions may be used for attacks'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-112645658317247432</id><published>2009-09-01T00:15:00.000-07:00</published><updated>2009-09-01T00:15:05.882-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hotmail'/><title type='text'>We're Flying This Hotmail Account to Cuba</title><content type='html'>Do you think your Web e-mail account is safe? Wrong. 
An increasing number of users, including some Redmond Report readers, are reporting that hackers are &lt;a href="http://redmondmag.com/articles/2009/08/27/hotmail-accounts-getting-hijacked.aspx" target="_blank"&gt;breaking into their accounts&lt;/a&gt; and using them to mail out worm-laden messages -- to their contacts! Most hackers use brute-force methods to crack your password, and then they're off and running.  &lt;br /&gt;Two Redmond Report readers reported such attacks. In one case, Microsoft was very responsive. The other got ignored like Bill Gates at a high school dance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-112645658317247432?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/112645658317247432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/were-flying-this-hotmail-account-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/112645658317247432'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/112645658317247432'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/09/were-flying-this-hotmail-account-to.html' title='We&apos;re Flying This Hotmail Account to Cuba'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3192279383452472279</id><published>2009-08-28T00:29:00.001-07:00</published><updated>2009-08-28T00:29:31.427-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Snow Leopard sites'/><title type='text'>Beware fake Snow Leopard sites</title><content type='html'>&lt;b&gt;People eager to get a copy of the latest version of the Mac operating system, Snow Leopard, should be wary of sites offering free copies because they are likely to get some nasty malware instead, according to antivirus company Trend Micro. &lt;/b&gt;&lt;br /&gt;Trend Micro said in a blog posting on Wednesday that it had discovered several fake Snow Leopard download sites that serve up a DNS (domain name system) changer Trojan dubbed OSX_JAHLAV.K instead. &lt;br /&gt;The Trojan alters the DNS configuration and includes two additional IP addresses in its DNS server, the blog states. Users can then be redirected to phishing sites, some of which are reportedly hosting rogue antivirus software called FAKEAV, Trend Micro said.&lt;br /&gt;Snow Leopard is due to be released to the public on Friday. 
Mac users should get Snow Leopard directly from Apple, Trend Micro said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3192279383452472279?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3192279383452472279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/beware-fake-snow-leopard-sites.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3192279383452472279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3192279383452472279'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/beware-fake-snow-leopard-sites.html' title='Beware fake Snow Leopard sites'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6612573486940921254</id><published>2009-08-26T10:03:00.000-07:00</published><updated>2009-08-26T10:03:06.642-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Katie Price'/><title type='text'>Why Katie Price is the most dangerous celebrity on the world wide web</title><content type='html'>Katie Price has been named the UK's 'most dangerous celebrity in cyberspace' by internet security analysts.&lt;br /&gt;Fans scouring the web for the latest gossip on the former glamour model's relationship with cage fighter Alex Reid have a one in six chance of clicking on a 'risky' website, a survey found.&lt;br /&gt;&lt;div 
class="clear"&gt; &lt;/div&gt;&lt;div class="thinCenter"&gt; &lt;img alt="Katie Price" class="blkBorder" height="356" src="http://i.dailymail.co.uk/i/pix/2009/08/26/article-1209140-06297FB5000005DC-868_468x356.jpg" width="468" /&gt; &lt;div class="imageCaption"&gt;Katie Price (r) has topped the chart of most 'dangerous celebrities' due to huge interest in her relationship with cagefighter Alex Reid (l)&lt;/div&gt;&lt;/div&gt;In contrast her mild-mannered, ex-partner Peter Andre has been left far down the target list for cybercriminals. He sits in fourteenth position, with online users facing just a one in 20 chance of clicking on something risky.&amp;nbsp; &lt;br /&gt;Such sites use celebrities' names and images to lure surfers searching for the latest stories and screensavers to sites offering downloads laden with malware.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Spyware can be used to collect information about users without their knowledge, or infiltrate their computers with viruses, with the goal of making money and committing ID theft.&lt;br /&gt;Jude Law, who was last month revealed to be fathering a child with actress and model Samantha Burke, had the second highest percentage of related websites targeted by cybercrooks.&lt;br /&gt;Computer protection company McAfee looked at popular search engines such as Google and Yahoo! in assessing the risk by clicking on celebrity-related website links.&lt;br /&gt;It found 16.3 per cent of Price-related websites/web-links had some sort of risky content attached.&lt;br /&gt;&lt;div class="clear"&gt; &lt;/div&gt;&lt;div class="thinCenter"&gt;&lt;div class="thinArtSplitter"&gt; &lt;div class="splitLeft"&gt; &lt;img alt="British actor Jude Law in Denmark. 
" class="blkBorder" height="423" src="http://i.dailymail.co.uk/i/pix/2009/08/26/article-1209140-062B7C40000005DC-161_224x423.jpg" width="224" /&gt; &lt;/div&gt;&lt;div class="splitRight"&gt; &lt;img alt="victoria beckham" class="blkBorder" height="423" src="http://i.dailymail.co.uk/i/pix/2009/08/26/article-1209140-06097F72000005DC-368_224x423.jpg" width="224" /&gt; &lt;/div&gt;&lt;div class="clear"&gt; &lt;/div&gt;&lt;/div&gt;&lt;div class="imageCaption"&gt;Jude Law and Victoria Beckham were ranked second and third in the security survey&lt;/div&gt;&lt;/div&gt;McAfee's principal security analyst Greg Day said: 'Week-in-week-out, we see online scams linked in to dodgy emails, websites and Twitter updates, which are closely linked to the latest celebrity gossip and high-profile news stories.&lt;br /&gt;'A quick flick across the front pages of the latest popular newspapers and magazines offers a fairly reliable snapshot of where the criminals will focus their efforts next.'&lt;br /&gt;Supermodel Kate Moss was also a popular choice, coming in at 4th, with party pal Lily Allen trailing eight places behind her.&lt;br /&gt;Victoria Beckham's new role on American Idol and her husband David's fall out with LA Galaxy fans ensured the couple both scored top five positions, despite now living on the other side of the Atlantic.&lt;br /&gt;In America actress Jessica Biel, who is in a high-profile relationship with singer Justin Timberlake, is the most dangerous celebrity. Almost half of the sites containing 'Jessica Biel screensavers' contained malicious downloads. 
She was followed by Beyonce and Jennifer Aniston.&lt;br /&gt;&lt;div class="clear"&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6612573486940921254?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6612573486940921254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/why-katie-price-is-most-dangerous.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6612573486940921254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6612573486940921254'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/why-katie-price-is-most-dangerous.html' title='Why Katie Price is the most dangerous celebrity on the world wide web'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-6788603855551481709</id><published>2009-08-21T00:04:00.001-07:00</published><updated>2009-08-21T00:04:40.594-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Symantec'/><title type='text'>Symantec airs dirty Web sites in public</title><content type='html'>&lt;b&gt;The "dirtiest" 100 Web sites have an average of 18,000 threats, with 40 of them each exceeding 20,000, according to security vendor Symantec.&lt;/b&gt;&lt;br /&gt;"Worst of the worst" sites detected by its Norton Safe Web service are &lt;a 
href="http://www.zdnetasia.com/news/security/0,39044215,62052729,00.htm" title="Malicious sites jump 200 percent over Feb -- Tuesday, Mar. 31, 2009"&gt;plagued mostly by malware&lt;/a&gt;, followed by security risks and browser exploits, the company said Thursday in a statement.&lt;br /&gt;In addition, 75 percent of the dirtiest Web sites have distributed malware for more than six months.&lt;br /&gt;Nearly half (48 percent) are sites with adult content, but there are also subjects ranging from purchasing electronics to figure skating and deer hunting. Simply visiting such sites--not downloading files or clicking on links--could put a user at risk of system infection; and worse, one's identity, personal and financial information may even land in the hands of cybercriminals, Symantec warned.&lt;br /&gt;Among the blacklisted was &lt;a href="http://safeweb.norton.com/report/show?url=aladel.net" target="_blank"&gt;aladel.net&lt;/a&gt;, a U.S. site found to carry 56,371 threats, including the Downloader Trojan.&lt;br /&gt;Several Chinese sites--qsng.cn, stock888.cn and yt118.com--were included in Symantec's sample list of dirtiest sites.&lt;br /&gt;"This list underscores what our research shows--there has been exponential growth in the number of online threats that are constantly evolving as cybercriminals look for new ways to target your money, identity or assets," Rowan Trollope, Symantec's senior vice president for consumer business, said in the statement. 
"In 2008, most new infections occurred while people were surfing the Web."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-6788603855551481709?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/6788603855551481709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/symantec-airs-dirty-web-sites-in-public.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6788603855551481709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/6788603855551481709'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/symantec-airs-dirty-web-sites-in-public.html' title='Symantec airs dirty Web sites in public'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1112965732758034245</id><published>2009-08-18T23:28:00.001-07:00</published><updated>2009-08-18T23:28:45.035-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='smartphone'/><title type='text'>Is your smartphone secure? 
Survey says probably not</title><content type='html'>&lt;b&gt;A survey released Monday by Internet security firm Trend Micro found that smartphone users are more worried about losing their phones or the personal data on them than about the threat of Web infections or phishing software.&lt;/b&gt;&lt;br /&gt;Consider these findings from the survey:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;44 percent said that surfing the Internet on a smartphone (which may not be equipped with security software) is just as safe, if not safer, as surfing on a PC.&lt;/li&gt;&lt;li&gt;23 percent of smartphone owners use the security software already installed on their smartphone.&lt;/li&gt;&lt;li&gt;20 percent said they don’t think security software on their phones would be very effective because they see limited risk in smartphone surfing.&lt;/li&gt;&lt;/ul&gt;I have to admit that I haven't given much thought to my exposure to malware from my smartphone. I'm not a heavy mobile Web user--that is, I don't regularly launch a browser and tap in a URL. But I also recognize that even sending and receiving e-mail on my phone and using things like Google Maps on my phone is still Web surfing.&lt;br /&gt;The study also revealed iPhone users are almost more susceptible because they do more with their Web-connected phones. 
According to the report, iPhone users are more likely to:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Surf the Web from their smartphones&lt;/li&gt;&lt;li&gt;Visit audio/video sharing sites, shopping, blogs and Web logs and social networking sites.&lt;/li&gt;&lt;li&gt;Send and receive email, as well as open an e-mail attachment or click on a URL link in an e-mail.&lt;/li&gt;&lt;li&gt;Listen to music, watch videos, download music, use the GPS functionality, and visit online gaming sites.&lt;/li&gt;&lt;/ul&gt;From the Trend Micro press release that announced the findings:&lt;br /&gt;&lt;blockquote&gt;Correlation doesn't always equal cause, but the sleek Web-browsing functionalities that make the iPhone so attractive to gadget lovers also make them more susceptible to Internet-related threats compared to other smartphone users. The most recently reported iPhone SMS vulnerability if unpatched, for example, could allow hackers to extract personal information and take control of the device if a user is on a malicious Web site or an unsecured 3G or WiFi connection.&lt;/blockquote&gt;Remember, that applies to Web-connected iPod Touches, too. 
As users download more apps to their iPod Touch and spend more time with smartphones, they ought to also be thinking more about security on a device that's really more like a portable, handheld computer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1112965732758034245?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1112965732758034245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/is-your-smartphone-secure-survey-says.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1112965732758034245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1112965732758034245'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/is-your-smartphone-secure-survey-says.html' title='Is your smartphone secure? Survey says probably not'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-5010991240112969170</id><published>2009-08-18T23:27:00.000-07:00</published><updated>2009-08-18T23:27:33.184-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Delphi'/><title type='text'>New virus infects programs built with Delphi</title><content type='html'>&lt;b&gt;Researchers said on Tuesday that they are seeing something unusual in the malware world--a virus that targets a development environment. 
&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;The virus, dubbed Win32.Induc, was written to infect applications built with Delphi, according to Nick Bilogorskiy, manager of antivirus research at Sonicwall. Delphi is used to write Windows programs, including database applications.&lt;br /&gt;&lt;br /&gt;When an infected program is run on a machine running Delphi, the virus infects any software that gets compiled on that machine. The virus spreads the executable file of itself as well as the source code. It looks for a compiler on the infected system and re-compiles the source code, inserting its code into any programs compiled on the system. &lt;br /&gt;&lt;br /&gt;"This malware just spreads; it doesn't delete files or do anything malicious," he said. "But if you create software and you have this code in it, the software will be blocked by antivirus (technology)." &lt;br /&gt;&lt;br /&gt;Developers whose systems are infected will pass the infection on to the programs they are creating, Bilogorskiy said.&lt;br /&gt;&lt;br /&gt;Already, two free tools that are included in certain magazine CDs and are among the top 100 downloads on some portals--Any TV Free 2.41 and Tidy Favorites 4.1--have been infected, he said. "As many as 30 percent of developers who use Delphi have this," he added. &lt;br /&gt;&lt;br /&gt;Sonicwall and a number of antivirus vendors have updated their software to block the virus. 
&lt;br /&gt;Sophos has more details on its SophosLabs blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-5010991240112969170?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/5010991240112969170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/new-virus-infects-programs-built-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5010991240112969170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/5010991240112969170'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/new-virus-infects-programs-built-with.html' title='New virus infects programs built with Delphi'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-1820831756793792675</id><published>2009-08-18T08:48:00.000-07:00</published><updated>2009-08-18T08:48:36.947-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hacked'/><title type='text'>"Soupnazi" Albert Gonzales: Jailed Miami Man Hacked Into 130 Million Credit Card Accounts: Prosecutors</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://images.huffingtonpost.com/gen/99245/thumbs/s-IDENTITY-THEFT-large.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="146" 
src="http://images.huffingtonpost.com/gen/99245/thumbs/s-IDENTITY-THEFT-large.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;WASHINGTON &lt;/b&gt;— Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.&lt;br /&gt;&lt;br /&gt;Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.&lt;br /&gt;&lt;br /&gt;Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers, authorities say. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities.&lt;br /&gt;&lt;br /&gt;Gonzalez, who is already in jail awaiting trial in a hacking case, was indicted Monday in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information. Prosecutors say the goal was to sell the stolen data to others.&lt;br /&gt;&lt;br /&gt;How much of the data was sold and then used to make fraudulent charges is unclear. Investigators in such cases say it is usually impossible to quantify the impact of such thefts on account holders.&lt;br /&gt;&lt;br /&gt;Prosecutors say Gonzalez, who is known online as "soupnazi," targeted customers of convenience store giant 7-Eleven Inc. and supermarket chain Hannaford Brothers, Co. Inc. 
He also targeted Heartland Payment Systems, a New Jersey-based card payment processor.&lt;br /&gt;&lt;br /&gt;According to the indictment, Gonzalez and his two Russian coconspirators would hack into corporate computer networks and secretly place "malware," or malicious software, that would allow them backdoor access to the networks later to steal data.&lt;br /&gt;&lt;br /&gt;Gonzalez faces up to 20 years in prison if convicted of the new charges. His lawyer did not immediately return a call for comment.&lt;br /&gt;&lt;br /&gt;Gonzalez is awaiting trial next month in New York for allegedly helping hack the computer network of the national restaurant chain Dave and Buster's.&lt;br /&gt;&lt;br /&gt;The Justice Department said the new case represents the largest alleged credit and debit card data breach ever charged in the United States, based on a scheme that began in October 2006.&lt;br /&gt;&lt;br /&gt;Gonzalez allegedly devised a sophisticated attack to penetrate the computer networks, steal the card data, and send that data to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine.&lt;br /&gt;&lt;br /&gt;Also last year, the Justice Department announced additional charges against Gonzalez and others for hacking retail companies' computers for the theft of approximately 40 million credit cards. At the time, that was believed to be the biggest single case of hacking private computer networks to steal credit card data, puncturing the electronic defenses of retailers including T.J. 
Maxx, Barnes &amp;amp; Noble, Sports Authority and OfficeMax.&lt;br /&gt;&lt;br /&gt;Prosecutors charge Gonzalez was the ringleader of the hackers in that case.&lt;br /&gt;&lt;br /&gt;At the time of those charges, officials said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop computer and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.&lt;br /&gt;&lt;br /&gt;Gonzalez faces a possible life sentence if convicted in that case.&lt;br /&gt;&lt;br /&gt;Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems.&lt;br /&gt;&lt;br /&gt;Scott Christie, a former federal prosecutor now in private practice in New Jersey, said the case shows that despite the best efforts by companies to protect data privacy, there are still individuals capable of sneaking in.&lt;br /&gt;&lt;br /&gt;"Cases like this do cause companies to sit up and take notice that this is a problem and more needs to be done," said Christie.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-1820831756793792675?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/1820831756793792675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/soupnazi-albert-gonzales-jailed-miami.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1820831756793792675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/1820831756793792675'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/soupnazi-albert-gonzales-jailed-miami.html' title='&quot;Soupnazi&quot; Albert Gonzales: Jailed Miami Man Hacked Into 130 Million Credit Card Accounts: Prosecutors'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2767538983995125070</id><published>2009-08-18T01:01:00.000-07:00</published><updated>2009-08-18T01:01:02.887-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><category scheme='http://www.blogger.com/atom/ns#' term='HSBC'/><title type='text'>HSBC home banking Web site trojan 'false report', says bank</title><content type='html'>&lt;b&gt;A report on the U.K. Crypto security mailing list claims that HSBC's Personal Banking Web site had been infected by malware. However, the bank says that the fault lies in the AV software used to scan the site from the user's computer, not in any security breach.&lt;/b&gt;&lt;br /&gt;According to list member Peter Tomlinson: &lt;br /&gt;"Last week, HSBC's Personal Banking Web site has a Trojan that tries to download when you click 'Login' from the general HSBC portal page."&lt;br /&gt;"Kaspersky reports Trojan.HTML.Agent.ce., "I found it at 10.10am. HSBC call centre didn't know at 10.30am--but the lady there found that she could not log in, went away, came back, told me that the company did know and is trying to fix it (one hour was suggested)... So why did they not just kill the site?" 
&lt;br /&gt;"HSBC Business Banking (accessed from the same portal) is OK."&lt;br /&gt;The same poster reported later that the Trojan had been removed:&lt;br /&gt;&lt;i&gt;"The HSBC site was indeed working again, and securely (at least Kaspersky software thought so), within the hour."&lt;/i&gt;&lt;br /&gt;&lt;i&gt;HSBC told ZDNet Asia's sister site, ZDNet UK this afternoon that "HSBC has not been hit by a Trojan, but the latest update to Kaspersky AV software is generating messages on some secure Web sites (including ours) when none is warranted". &lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2767538983995125070?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2767538983995125070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/hsbc-home-banking-web-site-trojan-false.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2767538983995125070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2767538983995125070'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/hsbc-home-banking-web-site-trojan-false.html' title='HSBC home banking Web site trojan &apos;false report&apos;, says bank'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-9138178138446295293</id><published>2009-08-12T22:53:00.001-07:00</published><updated>2009-08-12T22:53:53.634-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Intel'/><title type='text'>Intel fixes SSD data-loss bug</title><content type='html'>&lt;b&gt;Intel has resumed shipping the latest generation of its solid-state drives after fixing a password bug that made users' data permanently inaccessible.&lt;/b&gt;&lt;br /&gt;The fix is also available from Intel's website, in the form of a tool for updating the drives' firmware, for those who already have the SSD. The new drives being sent out by Intel already have the fix in place, the company said on Wednesday.&lt;br /&gt;The bug affected Intel's X25-M and X18-M SSDs built using the 34nm manufacturing process, which is meant to make the drives faster and cheaper. The drives began shipping in July but the chipmaker was forced to stop selling them after the problem surfaced.&lt;br /&gt;The bug affected users who set a BIOS password for the drive, Intel said when the problem surfaced in July.&lt;br /&gt;"If a user has set a BIOS drive password on the 34nm SSD, then upon disabling or changing the BIOS drive password, followed by powering off/on the computer, the SSD becomes inoperable," the company said.&lt;br /&gt;SSDs are generally much faster and more robust than their mechanical, hard-disk counterparts. However, they are also more expensive, although prices have been falling.&lt;br /&gt;Intel's 160GB SSDs &lt;a href="http://www.zdnetasia.com/news/hardware/0,39042972,62049533,00.htm" title="Intel starts shipping 160GB solid-state drives -- Wednesday, Dec. 24, 2008"&gt;initially cost&lt;/a&gt; as much as US$945 each, depending on the quantity ordered by the laptop manufacturer. 
The price &lt;a href="http://www.zdnetasia.com/news/hardware/0,39042972,62050752,00.htm" title="Intel cuts prices of solid-state drives -- Monday, Feb. 09, 2009"&gt;was cut to US$765&lt;/a&gt; in February 2009, once the company's SSD production was fully up and running. With the introduction of the 34nm process on 21 July, the drive's price dropped further to US$440.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-9138178138446295293?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/9138178138446295293/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/intel-fixes-ssd-data-loss-bug.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9138178138446295293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/9138178138446295293'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/intel-fixes-ssd-data-loss-bug.html' title='Intel fixes SSD data-loss bug'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8841012094123948764</id><published>2009-08-11T22:10:00.000-07:00</published><updated>2009-08-11T22:10:55.590-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Security 101: Look back to advance</title><content type='html'>&lt;div id="story"&gt;   &lt;b&gt;The security landscape may be rapidly evolving, 
but the clue to standing a better chance in the fight against threats could be in looking back, not forward.&lt;/b&gt;&lt;br /&gt;Chia Wing Fei, F-Secure's senior security response manager, pointed out in an e-mail interview that today's threats ring of themes such as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054017,00.htm" title="Viruses now penetrating deeper -- Wednesday, May 13, 2009"&gt;stealth, sophistication&lt;/a&gt; and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053053,00.htm" title="Researcher: Conficker is all about money -- Friday, Apr. 10, 2009"&gt;financial gain&lt;/a&gt;.&lt;br /&gt;Eric Chong, regional marketing director at Trend Micro, said in an e-mail that cybercriminals have evolved their modus operandi not only in coming up with variants to penetrate existing security measures, but also by mirroring attacks "with the way users think about and use technology in day to day communication". For instance, attacks around a decade ago were via e-mail attachments; today, attackers have moved to shared devices and social networking platforms on the Web.&lt;br /&gt;Yet, according to Paul Ducklin, Asia-Pacific head of technology at Sophos, "modern cybercriminals aren't as novel and inventive as we sometimes credit them with being".&lt;br /&gt;&lt;div class="clearfix" id="mbox" style="float: right; width: 200px;"&gt; &lt;div id="mbox-header"&gt;&lt;b&gt;Malware: The first signs&lt;/b&gt;&lt;/div&gt;&lt;br /&gt;Paul Ducklin, Asia-Pacific head of technology at Sophos, highlights to ZDNet Asia some of the milestones, and interesting lessons, in the security landscape. &lt;br /&gt;&lt;b&gt;January 1975&lt;/b&gt;: Systems programmer John Warnock--who later founded Adobe--tires of sending out tapes of his popular Univac computer game, &lt;i&gt;Animal&lt;/i&gt;, and instead sends out a self-replicating version. It soon turns up, as if by magic, on Univacs all around the United States. 
Technically, this was the first computer virus. &lt;br /&gt;&lt;b&gt;April 1989&lt;/b&gt;: Panama-registered PC Cyborg Corporation mails out more than 10,000 diskettes worldwide containing so-called Aids information software, which many people try out. But after 90 days, the program scrambles the hard disk and demands a US$378 licensing fee--marking the first widespread ransomware. &lt;br /&gt;Users ought to set high trust standards before using software from an unknown publisher, and always read and understand the terms and conditions. &lt;br /&gt;&lt;b&gt;December 1987&lt;/b&gt;: A German prankster e-mails seasonal greetings to IBM mainframe users. The message contains a script virus--while it appears to be an innocent program that draws a Christmas tree, it also forwards itself to the recipient's address book and contacts in his or her e-mail history. As a result, the EARN and BITNET IBM mainframe-based academic networks were temporarily overloaded with traffic. Indeed, booby-trapped e-mail messages have been around for over 20 years. &lt;br /&gt;&lt;b&gt;November 1988&lt;/b&gt;: Robert Morris releases a fast-spreading "blended threat" virus on the Internet. Using three different exploits, his code spreads so fast that the Net is almost crushed. Modern threats such as Conficker succeed by exploiting the same sort of holes--computers that have not been patched and poor passwords.&lt;/div&gt;People, he noted in an e-mail, fail to learn from the past and end up falling victim to newer threats. "Modern threats like Conficker succeed by exploiting the same sort of holes, for example &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62052730,00.htm" title="Conficker woes call for strong passwords -- Tuesday, Mar. 31, 2009"&gt;unpatched computers and poor passwords&lt;/a&gt;, as the earliest network malware," he pointed out.&lt;br /&gt;Alwin Ow, Symantec's senior director of systems engineering in Asia-Pacific and Japan, concurred. 
"So far this year, Symantec has observed that older attack techniques have resurfaced and are part of the methods used in several recent and highly publicized threats such as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054271,00.htm" title="Deja vu: New scams hit Facebook and Twitter -- Friday, May 22, 2009"&gt;Koobface&lt;/a&gt;, &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm" title="Report: Conficker in attack mode -- Wednesday, Apr. 29, 2009"&gt;Conficker&lt;/a&gt; and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62055947,00.htm" title="Botnet worm in DOS attacks wipe data on infected PCs -- Monday, Jul. 13, 2009"&gt;Trojan.Dozer&lt;/a&gt;."&lt;br /&gt;In an attempt to get a better hold of current and potential attacks, ZDNet Asia finds out from Trend Micro five cyberthreats perceived to be the most dangerous in the last decade, and why.&lt;br /&gt;&lt;b&gt;1. Conficker or Downadup&lt;/b&gt; &lt;br /&gt;Termed Downad by Trend Micro, the first variant of the &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62048654,00.htm" title="Internet worm exploits Windows vulnerability -- Thursday, Nov. 27, 2008"&gt;worm appeared in November 2008&lt;/a&gt;, targeting the MS08-067 vulnerability. It spawned several other variants, with each new one an improvement over the last. New propagation avenues were added, including USB drives. The worm has successfully generated 50,000 domains, of which it has connected to 500, noted Chong.&lt;br /&gt;Symantec's Ow added, however, that the first Conficker variant did not quite achieve the level of disruption it was capable of. The estimated infection was 500,000 "due to an aggressive infection routine and a sophisticated exploitation algorithm, which makes use of geolocation and OS fingerprinting", he explained.&lt;br /&gt;&lt;b&gt;2. 
Koobface&lt;/b&gt; &lt;br /&gt;The Koobface worm first appeared in August 2008, &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62051782,00.htm" title="Facebook fights new Koobface worm, another rogue app -- Tuesday, Mar. 03, 2009"&gt;targeting social networking sites such as Facebook&lt;/a&gt; by infecting user profiles. Koobface possessed a dynamic update capability, allowing it to spread to other social networking sites and perform more malicious routines.&lt;br /&gt;&lt;b&gt;3. Zbot&lt;/b&gt; &lt;br /&gt;The Trojan variants infect machines via e-mail or Web exploits. Underground research and documented cases reveal Zbot to be a thriving business where infected computers give up their owners' personal information--including credit card data--to remote servers run by cybercriminals.&lt;br /&gt;Zbot variants are especially damaging due to their ever-changing social engineering techniques, according to Trend Micro.&lt;br /&gt;&lt;b&gt;4. Slammer&lt;/b&gt; &lt;br /&gt;The worm is notorious for drastically &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,39111300,00.htm" title="Slammer--the first 'Warhol' worm? -- Wednesday, Feb. 05, 2003"&gt;slowing down general Internet traffic in 2003&lt;/a&gt; despite being a solitary packet worm in memory, attacking without a file system component. It exploits a patched buffer overflow bug in MS SQL Server and Desktop Engine, and its trickling effects are still observed in current times.&lt;br /&gt;&lt;b&gt;5. I Love You&lt;/b&gt; &lt;br /&gt;The Loveletter virus, also known as Love Bug, plagued inboxes in 2000 and infected some 10 percent of computers worldwide, with each system harboring an average of 600 infected files. 
It had a &lt;a href="http://www.zdnetasia.com/news/hardware/0,39042972,10036856,00.htm" title="Lessons of 'Love' virus still sinking in -- Monday, May 07, 2001"&gt;destructive payload&lt;/a&gt;, overwriting files with multimedia file extensions.&lt;br /&gt;&lt;br clear="all" /&gt;   &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8841012094123948764?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8841012094123948764/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/security-101-look-back-to-advance.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8841012094123948764'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8841012094123948764'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/security-101-look-back-to-advance.html' title='Security 101: Look back to advance'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-8645189491445478716</id><published>2009-08-07T00:22:00.000-07:00</published><updated>2009-08-07T00:22:29.164-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>Twitter, Facebook attack targeted one user</title><content type='html'>&lt;b&gt;A Russian activist blogger 
with accounts on &lt;a href="http://www.sinlung.com/"&gt;Twitter&lt;/a&gt;, &lt;a href="http://www.sinlung.com/"&gt;Facebook&lt;/a&gt;, &lt;a href="http://www.sinlung.com/"&gt;LiveJournal &lt;/a&gt;and Google's &lt;a href="http://www.sinlung.com/"&gt;Blogger&lt;/a&gt; and &lt;a href="http://www.sinlung.com/"&gt;YouTube &lt;/a&gt;was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a &lt;a href="http://www.sinlung.com/"&gt;Facebook&lt;/a&gt; executive.&lt;/b&gt;&lt;br /&gt;The pro-Georgian blogger, who uses the account name "Cyxymu," (the name of a town in the former Soviet Republic) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News. &lt;br /&gt;"It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," Kelly said. "We're actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can."&lt;br /&gt;Kelly declined to speculate on whether Russian nationalists were behind the attack, but said: "You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the Internet."&lt;br /&gt;Twitter was down for several hours beginning Thursday evening, and suffered periodic slowness and time-outs throughout the day. &lt;br /&gt;"The people who are coordinating this attack, the criminals, are definitely determined and using a lot of resources," Kelly said. "If they're asking our infrastructure to generate hundreds of pages a second, that's a lot of pages our users can't see."&lt;br /&gt;Facebook and Google were able to minimize any impact to their sites. 
Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, although it was inaccessible to people in other geographic areas, including San Francisco. &lt;br /&gt;This was the first coordinated attack on the sites, and all the companies involved were working closely on the investigation, he said. "My team and the teams that are working together at all these companies are doing a really good job very quickly and I'm proud and happy," he said. &lt;br /&gt;Twitter and LiveJournal did not immediately return e-mails and calls seeking comment. &lt;br /&gt;A Google spokesman offered this statement: "We are aware that a handful of non-&lt;a href="http://www.sinlung.com/"&gt;Google &lt;/a&gt;sites were impacted by a &lt;a href="http://www.sinlung.com/"&gt;DOS &lt;/a&gt;attack this morning, and are in contact with some affected companies to help investigate this attack. Google systems prevented substantive impact to our services."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-8645189491445478716?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/8645189491445478716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/twitter-facebook-attack-targeted-one.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8645189491445478716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/8645189491445478716'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/twitter-facebook-attack-targeted-one.html' title='Twitter, Facebook attack targeted one 
user'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-2265122463709638873</id><published>2009-08-05T07:33:00.001-07:00</published><updated>2009-08-05T07:33:57.397-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Firefox'/><title type='text'>New Firefox patches authentication security holes</title><content type='html'>&lt;b&gt;&lt;a href="http://www.sinlung.com/"&gt;Mozilla &lt;/a&gt;on Monday released two new versions of Firefox, 3.5.2 and 3.0.13, to patch two critical security holes&lt;/b&gt;.&lt;br /&gt;"We strongly recommend that all Firefox users upgrade to this latest release," &lt;a href="http://www.sinlung.com/"&gt;Mozilla &lt;/a&gt;said in a blog posting about the security issue.&lt;br /&gt;The first vulnerability could let an attacker run arbitrary code on a person's computer by sending specially crafted authentication information called a certificate.&lt;br /&gt;The second &lt;a href="http://www.sinlung.com/"&gt;vulnerability&lt;/a&gt;, disclosed last week, involves a &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62056552,00.htm" title="Researchers exploit flaws in SSL, domain authentication system -- Friday, Jul. 
31, 2009"&gt;flaw in certificate authentication technology&lt;/a&gt; that could potentially let an attacker gain access to encrypted information or issue a bogus update to Firefox.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-2265122463709638873?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/2265122463709638873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/new-firefox-patches-authentication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2265122463709638873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/2265122463709638873'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/new-firefox-patches-authentication.html' title='New Firefox patches authentication security holes'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1510854815334948236.post-3686976332980279768</id><published>2009-08-05T07:19:00.000-07:00</published><updated>2009-08-05T07:19:01.420-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>Twitter malware filter 'disappointing'</title><content type='html'>&lt;div id="story"&gt;   &lt;b&gt;&lt;a href="http://www.sinlung.com/"&gt;Twitter&lt;/a&gt;'s new malware filter is a sign the social media site is stepping up efforts to stem attacks, but the measure has its shortcomings, say security 
experts.&lt;/b&gt;&lt;br /&gt;Twitter's filtering mechanism was highlighted by Mikko Hypponen, chief research officer of F-Secure, in a blog post Monday. When a user tries to submit a tweet with a suspect Web link, the following warning appears:&lt;br /&gt;&lt;blockquote&gt;"Oops! Your tweet contained a URL to a known malware site!"&lt;/blockquote&gt;Twitter's latest security measure was a positive one, especially in light of the current threats directed at the site, Hypponen told ZDNet Asia in an e-mail interview. The site, he noted, has been "attacked in many ways" including spam, worms such as &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053140,00.htm" title="Twitter cleans up after weekend worm attacks -- Tuesday, Apr. 14, 2009"&gt;Mikeyy&lt;/a&gt;, and &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62054271,00.htm" title="Deja vu: New scams hit Facebook and Twitter -- Friday, May 22, 2009"&gt;phishing&lt;/a&gt;.&lt;br /&gt;"None of these problems are at epidemic levels yet, but it's great to see Twitter take real action on this," he said.&lt;br /&gt;Hacking is another challenge the popular microblogging site faces. In May, Twitter confirmed its &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62053741,00.htm" title="Twitter's network gets breached again -- Monday, May 04, 2009"&gt;network was hacked&lt;/a&gt; and some individual account information was leaked.&lt;br /&gt;Dancho Danchev, independent security consultant and cyber threats analyst, noted that the site's latest security move was an indication "Twitter is finally moving from reactive to proactive security practices". 
However, he pointed out in a &lt;a href="http://blogs.zdnet.com/security/?p=3872" target="_blank"&gt;blog post on ZDNet Asia's sister site ZDNet.com&lt;/a&gt;, that the &lt;a href="http://www.sinlung.com/"&gt;malware &lt;/a&gt;filter was "clearly still in development" and showed "disappointing results".&lt;br /&gt;Danchev pointed to how a MySpace phishing page used in a tweet triggered the security filter, but was eventually accepted by adding a "http://" or removing the "www".&lt;br /&gt;He noted that the site also allowed tweets containing links to several known malicious sites listed in &lt;a href="http://www.sinlung.com/"&gt;Stopbadware&lt;/a&gt;'s database, which has identified over 380,000 sites as unsafe. While it would not prevent the abuse of Twitter in the longer term, the failure to integrate such databases listing known malware was a "missed opportunity", Danchev said.&lt;br /&gt;Twitter did not respond to e-mail queries from ZDNet Asia at press time.&lt;br /&gt;&lt;br clear="all" /&gt;   &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1510854815334948236-3686976332980279768?l=hackedbychinese.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackedbychinese.blogspot.com/feeds/3686976332980279768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/twitter-malware-filter-disappointing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3686976332980279768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1510854815334948236/posts/default/3686976332980279768'/><link rel='alternate' type='text/html' href='http://hackedbychinese.blogspot.com/2009/08/twitter-malware-filter-disappointing.html' 
title='Twitter malware filter &apos;disappointing&apos;'/><author><name>Sinlung</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
