Seattle Department of Information Technology (DoIT) - Erin Devoto, Acting Director

Information Security Newsletter

Bulletins posted 04/21/2010

Gizmodo names Apple coder who lost iPhone 4G

It was all due to beer, a simple human mistake, and a $5,000 payment

Gizmodo has revealed that the person who lost the purported next generation iPhone, images of which created a buzz on the Web Monday, is a 27-year-old Apple software engineer named Gray Powell who probably will never again be as famous, or notorious, as he is right now.

On Thursday night, March 18, Powell was enjoying apparently more than one imported beer at Gourmet Haus Staudt, a beer garden in Redwood City, Calif. Gizmodo's account: "He was happy. The place was great. The beer was excellent. 'I underestimated how good German beer is,' he typed into the next-generation iPhone he was testing on the field, cleverly disguised as an iPhone 3GS. It was his last Facebook update from the secret iPhone. It was the last time he ever saw the iPhone, right before he abandoned it on a bar stool, leaving to go home."

For more information about this article, please click on the following link.

Network World - John Cox

Bulletins posted 04/16/2010

DNS Trojan poses as iPhone unlocking utility

Windows executable poses as an iPhone unlocking tool

An application that offers to unlock iPhones is actually a DNS-changing Trojan for Windows PCs, security watchers warn.

Spam messages direct potential victims to a domain called iphone-iphone.info that offers links to download a Windows executable called blackra1n.exe. The program claims to be an unlock utility, but instead it rewrites the DNS server settings on the infected Windows PC so that the machine's name lookups (and therefore the sites it reaches) are answered by servers the attacker controls.
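A DNS changer of this kind leaves a visible trace: the resolver addresses configured on the victim's network adapters. The following Python script, added here as an illustration rather than anything from the article or from the malware's authors, parses the output of `ipconfig /all` and flags any resolver that is not on an allow-list. The sample output, the adapter names and the expected resolver addresses (10.1.0.53 and 10.1.0.54) are constructed for the example; 203.0.113.7 is a documentation address standing in for an attacker-controlled server.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; it is not taken from the page or
# from an infected host. One adapter has had a foreign resolver put first.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-EXAMPLE
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   IPv4 Address. . . . . . . . . . . : 10.1.2.30
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       10.1.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 10.1.5.12
   DNS Servers . . . . . . . . . . . : 10.1.0.53
                                       10.1.0.54
"""

# Resolvers the organisation expects its workstations to use (assumed values).
EXPECTED_RESOLVERS = {"10.1.0.53", "10.1.0.54"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+?):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
# ipconfig lists additional resolvers on deeply indented continuation lines.
CONTINUATION_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_dns_servers(ipconfig_text):
    """Map each adapter name to the ordered list of resolvers ipconfig reports for it."""
    servers = {}
    adapter = None
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            in_dns_block = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers.setdefault(adapter, []).append(m.group(1))
            in_dns_block = True
            continue
        m = CONTINUATION_RE.match(line) if in_dns_block else None
        if m:
            servers[adapter].append(m.group(1))
            continue
        in_dns_block = False
    return servers


def rogue_resolvers(ipconfig_text, expected=EXPECTED_RESOLVERS):
    """Return (adapter, resolver) pairs for every configured resolver outside the expected set."""
    findings = []
    for adapter, resolvers in parse_dns_servers(ipconfig_text).items():
        for resolver in resolvers:
            try:
                ipaddress.ip_address(resolver)
            except ValueError:
                findings.append((adapter, resolver))  # not even an address: flag it
                continue
            if resolver not in expected:
                findings.append((adapter, resolver))
    return findings


if __name__ == "__main__":
    # On a real Windows host, replace SAMPLE_IPCONFIG with
    # subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    for adapter, resolver in rogue_resolvers(SAMPLE_IPCONFIG):
        print(f"unexpected resolver {resolver} on {adapter}")
```

On a live host, feed the script the real `ipconfig /all` output and set EXPECTED_RESOLVERS to the addresses your DHCP server hands out; any resolver outside that set is worth investigating. A machine with a rogue resolver should be treated as compromised rather than merely misconfigured, since the Trojan that changed the setting is still present.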

warning

The City of Seattle does not approve of jailbreaking the iPhone. If you do decide to jailbreak your iPhone, be aware of the risks: unlock and jailbreak tools are ordinary programs that run on your PC, so a fake one is simply malware, and one offered through an unsolicited email should be treated as exactly that.

The Register - by John Leyden

Bulletins posted 04/08/2010

Facebook takes steps to deal with gift card scams

The latest Facebook con game is fake gift cards and special offers.

We've actually nearly fallen victim to a similar scam in my household. We got a "message" on FB, supposedly from a friend, about a free iPad. It was exactly this type of scam - give us your information, sign up for a bunch of marketing "special offers", and watch the SPAM roll in!

In the past months, fan pages have popped up all over the social networking site, offering too-good-to-be-true gift cards. There's the $500 Whole Foods card, the $10 Walmart offer, and the $1,000 Ikea gift card. The Ikea page put these gift card scams on the map last month, when it quickly racked up more than 70,000 fans before being snuffed.

Facebook has also taken down Target and iTunes gift card scam pages in the past few months. Many of these pages have fake posts suggesting that the giveaway offer worked, but the sites typically lead to affiliate marketing Web sites that try to collect data and generate Web traffic for advertisers, according to a Facebook spokesman.

Because anyone can set up a fan page for virtually anything - and many pages do contain legitimate gift-card offers - it's a thorny problem for Facebook to solve. Right now, the company is playing the social networking version of whack-a-mole, with a team of engineers monitoring the problem and deleting groups, applications, and fan pages as quickly as it can find them.

warning

At the least, these scams will flood your mailbox with spam; at worst they can steal your personal information or compromise your accounts. Watch out for them and warn your friends and family, especially if one of them sends you one on Facebook.

ComputerWorld Security - by Robert McMillan

Microsoft Patch Tuesday heads-up: 25 holes in Windows, Office

Microsoft plans to release 11 security bulletins on Tuesday April 13, 2010 to fix 25 documented vulnerabilities that expose Windows users to remote code execution attacks.

Five of the 11 bulletins will be rated “critical,” Microsoft’s highest severity rating. The flaws affect all versions of Windows, including the company’s newest Windows 7 operating system.

The bulletins will address security holes in Windows, Microsoft Office, and Microsoft Exchange, according to Jerry Bryant, a group manager in Redmond's security response center.

warning

We recommend applying these patches as soon as possible if you are using the affected Microsoft products.

ZDNet - by Ryan Naraine

Bulletins posted 03/30/2010

ZeuS malware takes aim at tax season

Security experts are warning of a flood of spam emails masquerading as U.S. tax documents in an attempt to spread the ZeuS malware.

A SANS researcher reported that the organization had received several reports of unsolicited email claiming to come from the US Internal Revenue Service (IRS). The emails claim that the recipient has 'under-reported income' on their tax statements, and urge them to download and run a linked file. The file is an executable which infects the user with the ZeuS malware.

The technique is not new. Citizens in the U.S. and the U.K. were targeted by social engineering malware attacks last year purporting to be documents from tax authorities.

warning

The IRS does not initiate contact with taxpayers by email, and advises people to avoid any message claiming to be from the agency. Suspicious messages can be forwarded to phishing@irs.gov.

V3.CO.UK - by Shaun Nichols

World Cup-themed PDF attack kicks off

Miscreants have booted a World Cup-themed email malware attack onto the web, taking advantage of existing material on the tournament.

Booby-trapped emails are doing the rounds, posing as messages from African Safari organizer Greenlife. The emails contain an attached PDF file claiming to provide a guide to the first African edition of football's most prestigious tournament.

In reality, the attachment's payload takes advantage of a recently patched Adobe Reader vulnerability (involving the handling of TIFF files and resolved with a patch on 16 February) to drop malware onto machines running an unpatched version of Adobe Reader. The attackers took Greenlife's genuine guide (available on its website) and inserted exploit code in place of the content about this June's tournament and travel in South Africa.

The poisoned version of the guide was sent to an unspecified "major international organization", email filtering outfit MessageLabs reports. The Symantec-owned hosted security operation adds that successful execution of the attack drops a rootkit and a backdoor Trojan on compromised machines.

warning

As we constantly remind you - every news item (or sports story) will become fodder for the bad actors sooner rather than later. Always be wary of any email or search engine results about recent items in the news, as they are favorite attack vectors.

The Register - by John Leyden

Microsoft to release emergency IE fix today

Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.

A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploited by hackers over recent weeks. The latest version of Microsoft's browser, IE 8, is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.

Microsoft said in a statement that it had taken the unusual but not unprecedented step of releasing a patch outside its regular Patch Tuesday update cycle after monitoring the situation and reaching the conclusion that "an out-of-band release is needed to protect customers". The update also includes fixes for nine other vulnerabilities in IE that Redmond had initially planned to release on 13 April.

warning

We highly recommend applying this patch as soon as possible to avoid being victimized by this exploit.

The Register - by John Leyden

Scores of flaws fixed in mammoth Apple security update

Apple on Monday issued updates to Mac OS X Snow Leopard and Leopard.

The updates affect client and server versions of Mac OS X 10.6 (Snow Leopard) and 10.5 (Leopard). The updates fix more than 90 flaws affecting many different operating system components, including AppKit, QuickTime, Disk Images, CoreAudio, Mail, SMB, FTP and several others, according to Mac security firm Intego.

The update includes nine fixes for bugs in QuickTime affecting client and server versions of Snow Leopard, according to the advisory.

In addition, four bugs were fixed in iChat Server; these could have allowed an attacker to cause a denial of service, execute arbitrary code or stop chat messages from being logged. Another four bugs were fixed in ImageIO, which could have allowed an attacker, via a maliciously crafted image or website, to execute arbitrary code or read data out of Safari's memory.

warning

Apple recommends that all users running client and server versions of Mac OS X Snow Leopard update to 10.6.3. In addition to the security fixes, the update also includes general operating system fixes to enhance stability and compatibility.

Users of client and server versions of Mac OS X Leopard are advised to download Security Update 2010-002.

SC Magazine - by Angela Moscaritolo

Bulletins posted 03/29/2010

Rogue Toolbars phish for Facebook Credentials

Two rogue toolbars have been spotted in the wild by Sunbelt researchers.

At first glance they look legitimate enough. Purportedly enabling the user to cheat at popular Zynga games on Facebook, they contain the various links and other features usual for this kind of tool. On closer inspection, the toolbar is revealed to be a credential stealer: if the user clicks the "Facebook" button in the top left corner, he is taken to a Facebook look-alike phishing page. The domain hosting the phishing page changes constantly, because in time every domain gets reported, detected and blocked by the browsers.

The problem is that the toolbars - when they are not pointing towards the phishing page - point to the real Facebook URL, and the switch can happen anytime.

warning

It is best to distrust "cheating" toolbars altogether, and access Facebook and other networks and services by typing in the URL yourself or following your own bookmark.

Help Net Security

New malware overwrites software updaters

For the first time security researchers have spotted a type of malicious software that overwrites update functions for other applications, which could pose additional long-term risks for users.

The malware, which infects Windows computers, masks itself as an updater for Adobe Systems' products and other software such as Java, wrote an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog. BKIS showed screen shots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available.

Users can inadvertently install malware if they open malicious e-mail attachments or visit Web sites that target specific software vulnerabilities. Adobe's products are among the most heavily targeted by attackers because of their wide installation base.

warning

This is a sobering attack, as many of us trust our automatic updating software. With this in mind we recommend setting updaters to notify you first rather than installing silently, and, when you are notified, going to the vendor's own web site to obtain the update. Do keep patching, though: an unpatched Reader or Java is exactly the opening that malware of this kind relies on to get in. On Windows you can also check that an updater executable carries the vendor's digital signature (file Properties, Digital Signatures tab) before letting it run.

Computer World - by Jeremy Kirk

Bulletins posted 03/26/2010

iPhone, IE, Firefox, Safari get stomped at hacker contest

IE, Firefox, and Safari hacked successfully at CanSecWest conference

It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.

Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.

The Register - Dan Goodin

Bulletins posted 03/24/2010

New software lets businesses track Facebook and Twitter activity

Social Sentry, debuted at DEMO, detects confidential information in public posts

Facebook and Twitter users should probably just assume that what they post publicly is being monitored by their employer. If your privacy settings don't limit content to friends only, anyone can search Google or the social networking sites themselves to see what you're writing. Granted, that can be a tedious process that an employer may not want to bother with - but now it's becoming easier for businesses to monitor social networking activity.

At DEMO, a company called Teneros demonstrated a new software-as-a-service product called Social Sentry that automates the process of examining employee activity on social networking sites.

NetworkWorld - John Brodkin

Bulletins posted 03/22/2010

Look out for these 4 Census scams

BBB warns of U.S. census scams

The 2010 U.S. Census survey will be mailed to all U.S. residents in mid-March, opening the door to con artists who will use the program as an opportunity to swindle people out of their money and their identity.

The U.S. Better Business Bureau, in Arlington, Va., warns consumers to be on guard for online and in-person Census fraudsters in the coming months, says spokeswoman Alison Southwick.

The Census questionnaire asks 10 questions, none involving personal financial information such as bank account or credit card numbers or your Social Security number.

"We are warning people to beware of phishing e-mails that purport to be from the Census Bureau, (as well as) phone calls, knocks on the door and mail, basically all forms of contact where people are asked for financially sensitive information such as their Social Security number or bank account numbers," says Southwick.

warning

If you receive an email asking you to fill out a U.S. Census form, delete it: the 2010 Census cannot be completed online, and the Bureau will not ask for your Social Security, bank account or credit card numbers. For more information, please click on the link below.

Bankrate.com - Heather Larson

Energizer site still plagued by data-stealing trojan

Downloadable trojan still available on the website two weeks after the company was notified.

The maker of Energizer brand batteries is continuing to serve its customers a file laced with a data-stealing trojan more than 24 hours after the company was notified of the threat and almost two weeks after it promised to fix the problem.

A spokeswoman for Energizer Holdings acknowledged receiving a voicemail Wednesday night informing her the trojan was being offered for download on one of the company's European websites. She said she didn't respond to the message because of the late hour at which it was left, and never saw an article reporting that two anti-virus firms had confirmed the site continued to offer the toxic file 12 days after the company promised to stamp it out.

warning

If you use this site - we recommend avoiding it until further notice. For more information about this article, please click on the link below.

The Register UK - By Dan Goodin

Google patches Chrome days before hacking contest

Only browser predicted to survive Pwn2Own gets 11 fixes

Google has patched 11 vulnerabilities in the Windows version of Chrome, including one that earned its finder the first $1,337 check from the company's new bug bounty program.

Like Apple, which updated Safari last week, Google beefed up the security of its browser just days before the Pwn2Own browser hacking contest was to kick off in Canada.

For more information about this article, please click on the link below.

ComputerWorld - By Gregg Keizer

Bulletins posted 03/18/2010

Facebook Users Targeted in Massive Spam Run

Spam run hits millions of users over a two day period

Facebook's 400 million users have been targeted by a spam run that could infect their computers with malicious software designed to steal passwords and other data, according to security researchers at McAfee.

Over the last two days, millions of messages have been sent, which McAfee detected through customers running the company's security software, said Dave Marcus, McAfee's director of security research and communication.

warning

Be aware of this scam and don't ever click on links in these types of emails. If you think your Facebook or other accounts may have been compromised, always type in your own URL or use your own bookmark to get to the site and check.

For more information about this report, please click on the link below.

IDG News Service - By Jeremy Kirk

Bulletins posted 03/17/2010

Web fraud losses more than double in 2009, says report

Hoax emails claiming to be from the FBI most common form of web fraud in 2009

Losses related to cybercrime more than doubled from 2008 to last year, according to a report from the Internet Crime Complaint Center (IC3).

The organization, a partnership between the National White Collar Crime Center and the FBI, received 336,655 complaints with a reported $559.7 million in losses. In 2008, IC3 received 275,284 reports with $265 million in reported losses.

Hoax emails claiming to be from the FBI, but which actually were created to steal personal information from the recipient, represented 16.6 percent of all complaints submitted. The next most common complaints were undelivered merchandise, followed by advance-fee schemes, identity theft and overpayment fraud.

For more information about this report, please click on the link below.

SC Magazine - Dan Kaplan

Bulletins posted 03/16/2010

Microsoft Offers Fix for new IE Vulnerability

Microsoft has issued a bulletin with workarounds to avoid being victimized by the latest IE vulnerability.

Ongoing attacks targeting a new zero-day bug in Internet Explorer and the presence of exploit code on the Web prompted Microsoft March 12 to update its advisory which it had released earlier.

It is only known to affect IE 6 and 7. To address the issue, the company has made a handful of workarounds available and updated the advisory today to add a Microsoft Fix It that automates a workaround for Windows XP and Windows Server 2003 users.

Follow the link below to go to Microsoft's Advisory page

Microsoft Advisory 981374

Apple issues Safari 4.0.5 to fix 16 vulnerabilities

Apple on Thursday issued an updated version of its Safari browser to address several vulnerabilities that could allow an attacker to obtain sensitive information or carry out other malicious actions.

Safari 4.0.5 fixed 16 flaws, which computer security provider Secunia rated as "highly critical." The vulnerabilities could also be exploited by an attacker to bypass security restrictions or compromise a user's system, Secunia said.

A flaw in WebKit, an open-source application framework, could be exploited to disclose sensitive information, Apple said in its security notes. Visiting a maliciously crafted website may reveal the protected content on another website because of an issue with the way WebKit handles style sheet requests.

Safari hadn't been updated since November. Last year, the browser received six updates.

For the full article and to learn more, follow the link:

SC Magazine - Angela Moscaritolo

Bogus Playstation emulators pack Trojan payload

Retro gaming fans are being targeted in a new con designed to infect computers with a Trojan linked to scareware scams.

Downloads posing as Playstation 2 emulators that allow games designed for Sony's console to be played on PCs instead deliver only a Trojan. Emulators offered via Appzkeygen(dot)com, for example, come packing the CodecPack-2GCash-Gen Trojan, Chris Boyd of Sunbelt software warns.

So, apart from the dubious legality of emulators, gamers who search for the software packages risk being exposed to all manner of unpleasant scams.

warning

Using emulators is not a great idea for a lot of reasons - here's another one. See the article for more information.

The Register - John Leyden

Top Google Search Items Under Siege

Nearly 300 top search terms hit by 6,600 malicious URLs in past seven days.

Search engine optimization (SEO) poisoning continues to be alive and well, with an unusually large wave of these attacks spotted during the past seven days targeting 284 of the top Google search terms.

SonicWALL found 6,600 malicious URLs attacking the top search terms, including "what time do the oscars start 2010" and "disney princess half marathon." As many as nine of these terms are under attack at any one time. More than 60 malicious URLs for the princess query appeared on Google's top 30 search results between March 7 and 8, and 34 malicious URLs for the Oscars query.

warning

This is an old, well worn scam that keeps being used because it works so well. Be very careful when you are using search engines, and watch for scams on the sites you go to from those searches.

Dark Reading - Kelly Jackson Higgins

Bulletins posted 03/11/2010

Twitter to vet links with goal of curbing phishing attacks

New service hopes to reduce the amount of phishing attacks

Twitter on Tuesday launched a new service designed to curb phishing links delivered in the microblogging site's direct messages and email notifications.

URLs will be checked against a blacklist of fraudulent sites, such as ones hosting phishing attacks, malware or bogus, spam-related merchandise, the company said. The links will be shortened using Twitter's new URL shortener service, twt.tl, so bad domains can be easily identified in the future.

For more information, please click on the link below.

SC Magazine - Dan Kaplan

Bulletins posted 03/09/2010

Microsoft releases security advisory

Flaw in Internet Explorer 6 and 7 allows remote code to be executed

Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

For more information about this flaw, please click on the link below.

Microsoft Security Advisory Article

Bulletins posted 03/08/2010

SPAM E-Mail with subject - DPRK has carried out nuclear missile attack on Japan

Email regarding nuclear attack on Japan comes with Zeus trojan attachment.

We have received notice from the Washington State Computer Incident Response Center regarding the latest wave of email spam with a subject line saying Japan has been hit by a nuclear missile.

The email carries an attachment named "report.zip". Inside the archive is "report.exe", an installer for the Zeus Trojan; unzipping the archive and running that file infects the machine.
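A mail gateway or a help-desk triage script can catch this pattern before a user ever sees the attachment. The Python below is an added example, not code from the incident response center or from this page: it builds a constructed stand-in for report.zip and then inspects every member of the archive, flagging executable extensions and, separately, any member whose content begins with the "MZ" header of a Windows executable regardless of what it is named. The extension list is an assumed policy, not one the bulletin specifies.

```python
import io
import os
import zipfile

# File types a mail gateway should not accept inside an archive (assumed policy list,
# not a list from the bulletin).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar",
    ".msi", ".dll", ".hta",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS header)


def build_sample_attachment():
    """Constructed stand-in for the 'report.zip' attachment described above (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.exe", b"MZ\x90\x00" + b"\x00" * 60)         # executable, obvious name
        zf.writestr("report.pdf", b"MZ\x90\x00" + b"\x00" * 60)         # executable disguised as a PDF
        zf.writestr("readme.txt", b"Please open the attached report.")  # harmless text
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return [(member_name, reason)] for archive members that look executable.

    Both the file name and the first bytes of the content are checked, because the
    name is under the attacker's control and a renamed .exe still runs once a user
    double-clicks it or another program launches it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable extension {ext}"))
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append((info.filename, "PE header despite non-executable name"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_attachment()):
        print(f"block: {name} ({reason})")
```

The content check is the one that matters: "report.pdf" above is flagged even though its name passes the extension filter. In a gateway the same function would run over the raw attachment bytes, and a non-empty result would quarantine the message rather than deliver it.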

warning

DO NOT open this attachment! If you have received this email, please delete it. If you opened the attachment you should notify your service desk or call for professional help to clean up your computer and change all of your passwords immediately.

Bulletins posted 03/04/2010

Microsoft Warns: Don't Hit F1 in Windows XP

Ignore sites that nag to press the Help key, says zero-day bug advisory.

Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

warning

If you are prompted to hit the F1 key while visiting a website, please do not hit it. For more information, click on the link below.

ComputerWorld - By Gregg Keizer

Bulletins posted 12/8/2009

Microsoft Warns Of Malware-Laced Counterfeit Software

Complaints about counterfeit software infected with malware have doubled in the past two years

Citing a rising tide of complaints from people who unknowingly bought counterfeit software infected with malware, Microsoft on Thursday announced the launch of educational initiatives and enforcement actions in over 70 countries to raise awareness of counterfeit software and to protect consumers.

Such complaints have doubled in the past two years, according to the company, reaching 150,000, a fairly large number considering such reports are made voluntarily by consumers.

Microsoft is calling its anti-piracy campaign Consumer Action Day. The event includes an intellectual property education program in schools across China, a club for software resellers in Germany to provide legitimate software, a course in counterfeit software risks offered by Mexico's consumer protection agency, an online safety program for children in Greece, and a business piracy impact study in Argentina.

Microsoft claims that counterfeit software is becoming more dangerous. It cites a 2006 IDC study that found 25% of counterfeit software attempted to install unwanted or malicious code when downloaded. More recently, German anti-piracy company Media Surveillance found that among several hundred pirated copies of Windows and hacks, 32% contained malicious code.

Companies using software that's either unlicensed or counterfeit are 73% more likely to suffer data loss or damage than users of legitimate software and 73% more likely to suffer computer failures lasting 24 hours or more, according to the Harrison Group.

For more information, please see the full article. If you have installed software that turned out to be counterfeit, notify your service desk immediately and change your passwords.

InformationWeek, Special to Dark Reading - By Thomas Claburn

Could a rubber duck steal your identity on Facebook?

Two years ago, I took a small plastic frog given to me by my nephew, and used it to demonstrate how easy it was to extract personal information from complete strangers on Facebook. Now, Sophos's Australian office has conducted the experiment again - and this time they found an even higher proportion of people were prepared to risk having their identity stolen.

With a $2 rubber duck they named Daisy Felettin, they created the profile of a 21-year-old single woman and sent out 50 friend requests to randomly-chosen strangers in the same age group. With a picture of two cats on a rug they created 50-something housewife Dinette Stonily, and - again - sent out 50 friend requests to strangers in "her" age range.

The results are, quite frankly, disturbing.

For the results of this experiment, please see the full article. On any kind of social networking site, never share personal information with someone you don't know. If you have shared personal information with a stranger this way, notify your service desk immediately and change your passwords.

Graham Cluley's blog - By Graham Cluley

NASA sites hacked via SQL injection

Two NASA sites recently were hacked by an individual wanting to demonstrate that the sites are susceptible to SQL injection.

The websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were accessed by a researcher, who posted to his blog screen shots taken during the hack.

The researcher, using the alias "c0de.breaker," used SQL injection to hijack the sites, Gunter Ollmann, VP of research at security firm Damballa, who recently wrote about the hack, told SCMagazineUS.com on Monday.

SQL injection is an attack in which the attacker places additional SQL commands inside a parameter of a page request; the web application pastes that input into its own query, and the backend database then executes the attacker's commands along with it, Ollmann said. Vulnerable web applications process the extra SQL commands, which cause the application to leak additional information, such as user credentials, that can then be used to log in to the targeted application.

The NASA hack yielded the credentials of some 25 administrator accounts, Ollmann said. The researcher also gained access to a web portal used for managing and editing those websites.
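As an added illustration of the mechanism Ollmann describes (this is example code, not the researcher's payload or NASA's application), the Python below builds a small SQLite database with a documents table and a users table, then runs the same search two ways: once by pasting the request parameter into the SQL string, and once with a bound parameter. A UNION-based payload makes the vulnerable version return the users table alongside the documents, which is how the credential leak described above happens; the parameterized version treats the same input as an ordinary search term and returns nothing. The table names, rows and payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed schema and rows standing in for a site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse battery"), ("editor", "hunter2")])
    conn.execute("CREATE TABLE documents (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)",
                     [("Instrument calibration", "public text"),
                      ("Software process", "public text")])
    return conn


def search_vulnerable(conn, term):
    """The pattern the article describes: the request parameter is pasted into the SQL text."""
    sql = "SELECT title, body FROM documents WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT title, body FROM documents WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A UNION-based payload: the leading quote closes the string literal, UNION appends the
# users table to the result set, and '--' comments out the rest of the original statement.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", search_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized:", search_parameterized(conn, UNION_PAYLOAD))
```

The vulnerable function executes `... WHERE title LIKE '%' UNION SELECT username, password FROM users --%'`, so every document row comes back followed by every credential row, which is the kind of leak that produced the 25 administrator accounts in the NASA case. With the bound parameter the database never sees the payload as SQL, and no amount of quoting in the input can change that.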

For more information please see the full article.

www.scmagazineus.com - By Angela Moscaritolo

Ratings scandal kills more than 1000 iPhone apps

Bogus reviews have landed Chinese iPhone app developer Molinker in deep trouble, resulting in all 1000-plus of its apps being removed and banned from the App Store.

This is great news for consumers who are tired of downloading subpar apps based on inflated reviews, and bad news for companies looking to shill their products with internal misdeeds.

The discovery of the phony reviews was made by a frequent reader of iPhoneography, known only as SCW, who recognized a similar erratic and poorly-written tone to many 5-star reviews of Molinker apps. SCW wrote a (long) letter to Phil Schiller, senior vice president of Worldwide Product Marketing, revealing the major fraud. According to the e-mail, SCW "looked at 44 of the reviewers who posted reviews for this Molinker Inc app 'NightCam Pro' & EVERY Review except 2 of the 44+ are ALL FAKE 5 [star] reviews."

The phony reviews didn't stop there. SCW posits that Molinker employees obtained and redeemed promo codes in order to access the US App Store and publish an "endless slew of fake postings." (Ever an opportunist, SCW also wrote: "I think I deserve a [sic] investigations reward for unearthing this blatant attempt at misleading & stealing from the public.")

Schiller leapt to action and removed the apps. "Yes, this developer's apps have been removed from the App Store and their ratings no longer appear either," Schiller wrote to SCW and iPhoneography.

Molinker claimed ignorance in a brief statement given to the appfreak blog. "We got [an] email from Apple yesterday [Sunday 6th] which told us our contract [has] changed to pending status. Actually, we do not know what's wrong so far. We had contacted Apple for such sudden changes, hope we can get quick response and actions from Apple."

I think it's a safe assumption that Molinker's apps aren't the only ones with fake 5-star reviews. Hopefully given the size of Molinker's mishap—the developer's apps made up almost 1 percent of the entire App Store—Apple, and its customers, will become more diligent when it comes to exposing fraud.

For more information please see the full article.

PC World - By Brennon Slattery

Google Sues Over Work-at-home Schemes

Google filed a lawsuit Monday against a U.S. company it alleges runs work-at-home scams that unnecessarily charge people's credit cards and spoof Google's brand name.

Pacific WebWorks of Salt Lake City, Utah, is accused of offering for a small fee a toolkit to enable online work at home but then continually charges a person's credit card offering "little of value, or nothing at all, in return for their payments," reads the lawsuit, filed in the U.S. District Court for the District of Utah.

The names of the kits include "The Home Business Kit for Google," "Google StartUp Kit" and "Google Adwork" among other variations.

Google wants the company to stop using its trademarks in any promotional materials. It is asking for a jury trial, and wants Pacific WebWorks to pay damages and reveal a full accounting of its profits.

For more information please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

PC World -By Jeremy Kirk

Bulletins posted 12/7/2009

Bank Phishing Attacks Snare Few Victims But Tally Major Damage

Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers

If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of them who were redirected to a phishing Web page gave up their online credentials.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. When compared to the Anti-Phishing Working Group estimates that the average number of phishing URLs per brand in June was 190, Trusteer concluded that only one of 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.
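The figures quoted above fit together arithmetically. The reconstruction below is added here and is not from the Trusteer report or the DarkReading article; it assumes the report simply multiplies the per-attack rates (the page does not show the method) and it does not recover the $2.4 million lower bound.

$$\frac{12.5}{10^{6}} \times 0.45 = \frac{5.625}{10^{6}} \approx 0.000564\%\ \text{of customers compromised per attack}$$

$$16 \times 52 = 832\ \text{phishing attacks per brand per year}$$

$$832 \times \frac{5.625}{10^{6}} = \frac{4680}{10^{6}} \approx 0.47\%\ \text{of customers compromised per year}$$

$$4680 \times \$2{,}000 \approx \$9.4\ \text{million per year, per one million customers}$$

$$\frac{190 \times 12 / 52}{16} \approx \frac{43.8}{16} \approx 2.7\ \text{APWG-listed URLs for every attack that reaches a customer}$$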

For more information on this, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

DarkReading -By Kelly Jackson Higgins

Beware Firefox mal-extensions, warns Symantec

Malware writers are taking advantage of a Firefox mechanism that allows extensions to be loaded invisibly to the user, Symantec has warned.

According to Symantec senior engineer Candid Wüest, the company has "recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts... to maximize their impact on a user's machine."

One avenue that's taken is to drop the malicious extension directly into Firefox's components directory. This means it will be automatically loaded with the browser, but will not show up in the Add-ons window.

Consequently, users are unlikely to know that the extension has been added, or see a mechanism to remove it.

Wüest also noted that "all of the interesting information (such as credit card numbers or passwords) is usually entered through the browser, so it's a perfect playing field for attackers."

While access to the components directory will be denied in Firefox 3.6 (requiring the packaging of add-ons as XPI [cross platform installer] files and forcing them to appear in the Add-ons window), that won't rule out the possibility of malicious extensions - it will just make it harder to create a stealthy mal-extension.

Even if an extension does install in the conventional way, that doesn't mean it isn't malicious.

For more information on Firefox extensions, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.itwire.com -By Stephen Withers

Thanksgiving Webcam promo leads to malware

The $10 Webcam that Anna Giesman bought her daughter at Office Depot over the Thanksgiving weekend sounds like one of those deals that's too good to be true. And for her, it was.

A week later, she's worried and upset because a CD that came with the camera contained a Web link that apparently infected her PC with fake antivirus software.

Her story shows how easily malware can get onto the computers of unsuspecting consumers in an era when cyber-criminals are becoming expert at hacking legitimate Web sites to prey on their visitors.

Giesman bought the camera in order to give her daughter a way to chat over the Internet with a friend who had just moved to Germany. When she put the CD that came with the Markvision Magnetic Webcam into her PC, a menu popped up offering her drivers as well as a link to Markvision's site. Wanting to learn more about the product, she clicked on the Web link, but she immediately knew something was wrong.

The Web page was blank, and her PC immediately popped up a window telling her she needed to upgrade her Windows software. When she clicked on the red "X" to dismiss the window, another popped up that made it look like her computer was being scanned. That scan was blocked by her McAfee antivirus program, but Giesman was still worried.

Panicked, she shut down the computer and called Office Depot. Their support technicians told her to try a free antivirus program -- Avast -- which then identified rogue antivirus files on her computer.

That didn't sit well with Giesman, a Web designer based in Olympia, Washington. "I was really ticked," she said. "My life is on this computer."

For more information on malware related webcams, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.computerworld.com -By Robert McMillan

Attack exploits just-patched Mac security bug

If you haven't installed the latest security update for Mac OS X, now would be a good time.

A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute malicious code. Sun Microsystems patched the flaws early last month.

The researcher, Finisterre, said he read through the patch details and researched where in OS X he thought the bug would be located. He sent the exploit to Apple employees on November 6, three days after Sun released a Java patch for Windows, Linux, and Solaris. Now that Apple has finally fixed the bug, he has gone ahead and made the code public.

The code will also exploit unpatched Windows machines, Finisterre said. Turns out Java's write-once-run-anywhere promise really is real.

For more information on Mac security, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

theregister.co.uk -By Dan Goodin

BlackBerrys at risk from PDF flaw

Research In Motion has pushed out patches for critical security issues in its Blackberry Enterprise Server middleware product.

BlackBerry Enterprise Server (BES) suffers from multiple vulnerabilities in its attachment service, RIM said in a security advisory on Tuesday. The memory corruption flaws in BlackBerry Attachment Service could allow an attacker to send a malformed PDF to a smartphone. If the document is opened, it could crash the service or give the hacker unfettered access to a computer hosting the service, the company said. BlackBerry Attachment Service is a component of BES.

The security holes affect PDF distillers in BES version 5.0.0 for Windows Server 2008, 2003, and 2000. The flaws on systems running BES 5.0.0 for Windows Server 2000 are more serious, said the handset maker, as Windows Server 2008 and 2003 have default security settings that mitigate the severity of the flaws.

Vulnerabilities are also present in BES versions 4.1.3 to 4.1.7, and Blackberry Professional Software 4.1.4.

RIM recommended that administrators upgrade to unaffected versions of BES — for example, for BES 5.0 for Exchange and Domino, they should move to 5.0.1. Alternatively, IT managers can apply interim security updates, according to the advisory. A workaround is to disable BAS.

BlackBerry Attachment Service has suffered various vulnerabilities over several years. For example, it had a similar PDF distiller flaw in July last year. The component was last patched in May, and it has been patched five times this year.

For more information on BlackBerry flaws, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

news.zdnet.co.uk -By Tom Espiner

Experts Not Surprised By iPhone Malicious App Report

Malicious iPhone apps that Apple unwittingly approves could attack even non-jailbroken iPhones, according to a developer, but security experts say this isn't earth-shattering news.

“If you understand the way the security of the iPhone works, I don't think this is a surprise,” said Charlie Miller, an analyst at Independent Security Evaluators who in July demonstrated an SMS vulnerability that could let hackers take over the phone.

The data Seriot describes isn't a direct threat to your passwords or e-mails, but it could be of interest to marketers, spammers, thieves, competitors and law enforcement officials, he says.

Obviously, Apple would never intentionally allow such an application into its App Store--Apple has said it rejects 10 percent of submissions for being “inappropriate,” in some cases because they try to steal personal data--except Seriot says it's possible to trick App Store reviewers. This could be accomplished by delaying spyware activation, encrypting payloads or changing things around at runtime, Seriot claims.

“Largely, it's up to users to decide what experience they want,” Dai Zovi said. “Do they want the greater freedom with the greater risk of this type of spyware, or do they want the assurances--albeit imperfect assurances--provided by Apple looking over these applications.”

For more information on iPhone apps, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

PC World -By Jared Newman

Bulletins posted 12/3/2009

McAfee, Inc. Reveals the Riskiest Web Domains to Surf and Search

This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught.

Cameroon, a small African country that borders Nigeria, jumped to the number one spot this year with 36.7 percent of the .cm domain posing a security risk, but did not even make the list last year. Because the domain .cm is a common typo for .com, many cybercriminals set up fake typo-squatting sites that lead to malicious downloads, spyware, adware and other potentially unwanted programs.

Following aggressive measures from .hk’s domain managers to clamp down on scam-related registrations last year, Hong Kong fell 33 spots from the most risky domain in 2008 to the 34th most risky domain in 2009. Now only 1.1 percent of .hk sites pose a risk, whereas last year nearly one in five .hk Web sites were risky.

Among country domains, the People’s Republic of China (.cn) and Samoa (.ws) remained in the top five most dangerous places in the last two years.


For more information on safe websites, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

newsroom.mcafee.com

Malware Messes up India's Online Test for Business Schools

The move by India's top business schools to take their CAT entrance test online turned embarrassing after malware-infected computers left a number of students unable to take the test.

Prometric, a Baltimore, Maryland, testing company hired to conduct the CAT (Common Admission Test), said this week that the testing labs faced technical difficulties mainly due to malware and viruses. It said on the CAT Web site that it has decided to reschedule the tests for the affected students.

Over 240,000 candidates registered for the CAT 2009, which was scheduled to run from Nov. 28 to Dec. 7. While the written test was held on a single day in previous years, the online test this year was spread over 10 days, giving candidates the option to choose a date and center for the test.

Prometric was to conduct the tests across labs in 32 cities in the country. The tests are continuing after the initial disruption.

But on the first day of the test, computer viruses and malware prevented 47 testing labs from delivering the test to candidates as scheduled.

For more information on online testing and the problems it has caused, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

IDG News Service -By John Ribeiro

A few insights on Twitter hackers and phishers

And it seems Twitter's hackers agree, according to Michael Benidt, of Golden Compass, a Colorado-based computer training company that has studied the effects of Twitter hacking and how such incidents can damage the reputations of users.

What led me to Benidt was dscriber.com's own small crisis: the site's Twitter profile (dscribers) was recently among an untold number to be hacked into by someone who sent out a message challenging dscriber followers to take an IQ test (read that story here). It could have been worse. The tweet could have been along the lines of one a hacker nefariously delivered on Britney Spears' account stating "Glory to Satan."

Still, as dscriber back-tracked, apologizing to followers for the unsolicited message and responding to Twitter's request that we change our password, it turned out we were victims of phishing, where a trusted Twitter friend's account was used to lure us to a site to obtain our personal information.

Afterward, we were left with a few basic questions about this trend. So I turn back to Benidt, who in a Q&A session with dscriber offers some insights into Twitter hacking.

To see the full interview, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

dscriber.com -By Michael de Yoanna

On the imminent Cyber Warfare, what’s Ghana’s preparedness?

Conventional warfare as we know relies on tanks, troops, artillery, aircraft and a whole range of weapons systems.

Nations' strength and ability to defend themselves were therefore based on their collection of weaponry. However, in this age of Information and Communication Technology (ICT), computers, rather than chemical weapons, Weapons of Mass Destruction (WMDs) or missiles, pose the biggest security threat of the future, depending on a nation's ability to cripple rivals by using cyberwarfare. It is instructive to note that cyber attacks are not new - websites were being hacked into and brought down during the Kosovo war 10 years ago.

Cyber warfare, which is seen right now as the modern warfare strategy, requires a computer and an internet connection. Computer strikes could damage a country's infrastructure as well as a whole collection of defence equipment, cutting off communications, power supplies and military command systems. Imagine this happening in Ghana! Rather than sending in the marines or military persons, the act of just typing a command on a keyboard can have a devastating effect on computer systems and networks, which at the moment are the main engine-rooms for running successful nations as well as corporate organisations. It is possible to bring an entire state or organisation to a standstill.

For now, 30 countries have advanced and put in place aggressive programmes to wage war by computer. These programmes would certainly become a major part of a country's arsenal over the next decade, especially for highly computerized nations. Many nations are already preparing for a future in which conflict would be conducted via the internet, and it is confirmed that five countries, namely the UK, Germany, France, China and North Korea, are arming to defend themselves in a cyber war and are developing their own capabilities.

For more information on the cyber warfare, please see the full article.

www.ghanaweb.com -By Frank Agyemang

Bulletins posted 12/2/2009

DC businessman loses thousands after clicking on wrong e-mail

Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail.

The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium.

Parkinson said he had an expensive crash course in computer security, when on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to steal tens of millions of dollars from victimized businesses so far this year.

Zeus is primarily a password-stealing Trojan, and in short order the thieves had stolen the credentials Parkinson uses to administer his construction firm's bank account online. From there, the hackers sent $92,000 of Parkinson's cash to nine different money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).

Parkinson said his bank was able to block some of the transactions after being alerted by an anonymous tipster (perhaps a mule who suddenly realized what he or she was into?). All told, Parkinson said, the hackers made off with about $18,000, because just two of the mules succeeded in their assigned tasks.

Never open emails and/or attachments from anyone you don't know. For more information on the Zeus trojan please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Security Fix Live -By Brian Krebs

Three Tips to Avoid the Windows Black Screen of Death

News that a Microsoft update is causing "millions" of PCs to experience a "black screen of death" is both exaggerated and wrong. Apparently, it's much ado about nothing.

Originally reported by security firm Prevx, the black screen of death issue was believed to have been caused by updates issued by Microsoft on the November Patch Tuesday. The combination of a headline like "Black Screen woes could affect millions on Windows 7, Vista and XP" and the fact that Prevx didn't bother to contact Microsoft about the issue suggest that Prevx was primarily interested in sensational publicity for itself.

Microsoft investigated the issue and determined that its patches are not to blame. Prevx followed up with a post apologizing to Microsoft for the inconvenience, and admitting that the root cause that triggers the black screen of death is, in fact, not related to Microsoft's patches. The prevailing theory now is that it is related to a malware infection, most likely something from the Daonol family of Trojans.

All FUD aside, there does seem to be an actual black screen of death issue, it just isn't impacting "millions" of Windows 7, Vista, and XP systems. More like thousands. Maybe hundreds. Here are three tips to help ensure your Windows PC doesn't become one of the afflicted:

  1. Keep It Updated.
  2. Protect Against Malware.
  3. Run the Fix.

Prevx has stated that its fix does not work in all cases, but running the fix has a fair chance of fixing the issues within Windows that have been determined to trigger the black screen of death. Download the Prevx fix and give it a shot.

If you are one of the "millions" already struck down by the black screen of death, downloading and running the Prevx fix can be problematic. Prevx has already thought of that and has provided step-by-step instructions for how to download and run the fix from an affected system.

For more information or to get a link to try this fix, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

PC World -By Tony Bradley

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable.

The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.


The link is an executable that installs a VERY recent Zeus trojan variant. Zeus is an easy-to-use tool for constructing trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detects this strain (7/41 engines detected it according to VirusTotal, and McAfee had 2 of those 7 engines).

Never open emails or attachments from people you don't know. For more information please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

avertlabs.com -By Adam Wosotowsky

Support World AIDS Day with (SHAZAM)RED iPhone app

A reminder that today is World AIDS Day, a day that is dedicated to raising awareness of the AIDS pandemic caused by the spread of HIV infection.

Shazam -- a leading mobile music discovery provider -- recently launched a Special Edition iPhone application called (SHAZAM)RED making it the first mobile application to link up with (RED).

For each (SHAZAM)RED application purchased 20 per cent of the price is contributed to the global fund to fight AIDS, Tuberculosis and Malaria.

Available from the Apple iTunes App Store, (SHAZAM)RED costs £2.99 (US$4.93) and requires the iPhone 3.0 Software Update or later. To get a link for the download or to find out more about World AIDS Day please see full article.

Macworld.co.uk -By Nick Spence

Bulletins posted 12/1/2009

Zeus spreading through drive-by download

The notorious information-stealing Zeus trojan is currently spreading via drive-by download, said security researchers at IT management software and solutions vendor CA.

Those behind Zeus, or Zbot, recently began circulating spam claiming to come from the Internal Revenue Service (IRS), requesting users submit a “tax refund request form” by clicking on a link that is provided.

Clicking takes victims to a website that attempts to perform a drive-by download, meaning users do not need to take any further action to be infected, Don Debolt, director of threat research at CA, told SCMagazineUS.com on Monday.

If clicked, the link loads a browser window that looks blank but, in the background, is attempting to download malicious code and install a variant of Zeus, Mary Grace Gabriel, research engineer at CA's Internet Security Business Unit wrote in a recent blog post.

The malicious website contains an IFRAME that points to another website containing obfuscated JavaScript code that points to yet another page where a PDF file attempts to exploit known -- but patched -- vulnerabilities in Adobe Reader to download and execute a Zeus variant.

Previous spam campaigns used to spread Zeus have asked users to manually download and execute various reports, tools or statements seemingly coming from MySpace, Facebook, the IRS, Microsoft, the U.S. Social Security Administration and Verizon Wireless. This is the first IRS-themed drive-by campaign but it is not the first time Zeus authors have used the drive-by download technique, Debolt said.

The spam messages used in this latest campaign use subject lines related to IRS refunds. The body of the email reads: “After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 760.22$ tax refund under section 501(c) (18) of the Internal Revenue Code.”

The IRS recently posted a notice, warning users about phony e-mail claiming to come from the agency.

“The IRS does not send unsolicited e-mails to taxpayers about their tax accounts,” the agency said. “Anyone who receives an unsolicited e-mail claiming to come from the IRS should avoid opening any attachments or clicking on any links.” If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.scmagazineus.com -By Angela Moscaritolo

US CERT warns of clientless SSL VPN vulnerability

Clientless SSL VPN products, which give employees access to company servers via a Web-browser, operate in a way that could expose users to man-in-the-middle attacks, according to an advisory issued by the U.S. Computer Emergency Readiness Team (US CERT).

The advisory lists dozens of affected vendors that provide SSL VPN products, including Cisco Systems, Juniper, 3com and others. Clientless SSL VPNs break fundamental browser security mechanisms, the advisory warned. "An attacker could use these devices to bypass authentication or conduct other web-based attacks."

The SSL VPN vulnerability is serious because clientless VPNs often give users access to internal webmail servers, internal fileshares and remote desktop capabilities, giving attackers a way into sensitive company data.

For more information please see full article or check out this link. There is no known fix to the vulnerability. If you have fallen for this scam, notify your service desk immediately and change your passwords.

SearchSecurity.com -By SearchSecurity.com Staff

New ransomware attack blocks Internet access

Security researchers have stumbled upon a new piece of ransomware that blocks an infected computer from accessing the Internet until a fee is paid via SMS (text message).

According to CA researcher Zarestel Ferrer, the ransomware file is bundled with a program called uFast Download Manager. Once a machine is infected, a message is posted in Russian (see image above) demanding a ransom under the guise of activating the uFast Download Manager application.

Here is a rough English translation:

  Internet access is blocked due to violation of the license agreement schedules of uFast Download Manager. You must activate your copy.

  Get a registration code by sending an SMS with the following code fw0004199 to number 7122

  In response you will receive an activation message.

  Enter the activation message received from the SMS response ________

CA is offering an activation code generator for this particular ransomware variant.

For more information or to see a screen shot, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

zdnet.com -By Ryan Naraine

Windows Black Screen of Death: What You Need to Know

But what you may not know is that there's a new contender in town: the Black Screen of Death.

So what is this horrible-sounding thing, where did it come from, what's being done to fix it, and how bad is it?

Here are five things you need to know about the Black Screen of Death.

  • It stems from Microsoft security updates
  • It's not Windows 7-specific
  • Microsoft is investigating
  • Security firm Prevx has a fix
  • Not as bad as Blue Screen of Death

For more information on the black screen of death, please see full article. If you have received the black screen of death, notify your service desk immediately and change your passwords.

PC World -By Brennon Slattery

Hacker Attacks Iowa City's Website

IOWA CITY – A hacker wreaked havoc on Iowa City's website this weekend. The attack forced the city to temporarily shut down the site.

The city has repaired the damage to the website and everything is working fine now. But, now officials are taking steps to make sure this doesn't happen again.

In the past, City Hall used to be the prime place where people went to get information. Now, more and more visit the virtual location online instead.

"My understanding is we get quite a lot of hits on a daily basis. People use it for a lot of different reasons...from paying bills to just getting general information,” Interim City Manager Dale Helling said.

Even though the online site is convenient, it also creates some concerns. For example, this weekend a hacker broke into Iowa City's website and installed a program that could harm your computer.

Google noticed the problem and blocked users from directly visiting the site. That's because the malicious program runs in the background and you may not even realize anything is happening.

"Many times, it's to establish a robot computer network that they can later do what they want to do with those infected computers,” Information Technology Services Coordinator Gary Cohn said.

Everything's repaired now and the city's working to prevent another attack. But, officials say this is a prime example of why people need to be careful when they click on any website.

"You need to keep on top of your virus scanning software. Use a quality product. Make sure it's up to date,” Cohn said.

If you stay on top of all the updates, experts say you can avoid most problems.

People can pay for various bills and fines online through the city's website. However, the city says none of that information -- like credit card numbers -- got into the hands of the hacker.

For more information please see full article.

www.kcrg.com -By Mark Geary

    Bulletins posted 11/30/2009

    New Exploit Masquerades As Flash Player Upgrade

    Researchers have detected a new phishing attack that promises to enhance the security of the user's emailbox -- and then downloads a malicious Trojan instead.

    The email requests that recipients click on a link in the body of the email to update the "security mode" of their emailboxes, according to researchers at Red Condor, an email security tool vendor.

    Users who click on the link are taken to a Website that advises them to update to the latest version of the Macromedia Flash Player by downloading "flashinstaller.exe." This executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data, and provide hackers with remote access capabilities, Red Condor says.

    The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee), or PWS:Win32/Zbot.gen!R (Microsoft), the researchers note.

    The spam campaign was detected late on Nov. 20; within the first six hours, Red Condor says it blocked more than 500,000 email messages. So far, the company says it has stopped more than 3.5 million messages belonging to this campaign.

    "Protecting inboxes is seen as business-critical, so it is no surprise that spammers and cybercriminals are playing off of email users' growing security concerns with security-focused junk mail," says Tom Steding, president and CEO of Red Condor. Hours after the spam campaign began, only about half of the antivirus products had begun to recognize and block it, Steding says.

    "Spam that suggests users update their Flash Player is a common type of scam during the holidays, but it is often associated with viewing a fake e-card or a viral video," Steding observes. "We encourage email users, particularly those returning to full inboxes after the Thanksgiving holiday, to immediately delete these messages and notify their IT administrators."

    Be on the lookout for any emails telling you to upgrade your Flash Player. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    DarkReading -By Tim Wilson

    China warns of mass Internet virus

    A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.

    The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country's first arrests for virus writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said Vu Nguyen, a McAfee Labs researcher.

    "It has gotten more complex with the addition of a rootkit," said Nguyen. "It definitely makes it more challenging for users to clean up and even to know that their systems have been compromised." A rootkit burrows into a system to try to hide the existence of malware.

    The first Panda worm gained fame in China for switching the icons of infected files with an image of a panda holding three incense sticks. The same image would also flash across a victim's screen, but the worm's final goal was to install password stealing Trojan horses. The worm infected millions of PCs, according to Chinese state media. Its author was ordered to write a removal tool for the worm and later sentenced to four years in prison.

    China's national virus response centre warned about the updated worm earlier this week, but it dubbed the virus Worm_Piloyd.B and did not link it to Panda. The centre said it had found a worm spreading online that infected executables and HTML files. The worm blocked a victim's PC from restoring infected files, turned off active antivirus software and directed the machine to websites to download Trojan horses and other malware, the centre said. The centre urged Internet users to step up defences on their PCs against unknown viruses.

    The new worm is unlikely to hit as many PCs as the first one. Chinese companies and Internet users are much more aware of malware than they were a few years ago, partly because of the wakeup call brought by the first Panda worm, said Nguyen.

    For more information on this virus, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    techworld.com -By Owen Fletcher

    Another ZBOT Spam Run

    Trend Micro threat analysts were alerted to the discovery of another ZBOT spam campaign.

    The emails bear subjects such as "your photos" and "some jerk has posted your photos." They inform the recipients that someone has posted their photos without their permission on a site and has sent the link to their friends. The recipient is intended to believe that the "sender" is acting as a "good Samaritan," emailing the one who supposedly posted the said pictures. The URL, of course, points to a website that distributes malware detected by Trend Micro as TSPY_ZBOT.CJA.

    When executed TSPY_ZBOT.CJA connects to several websites to download another malicious file detected as TROJ_DROPR.KB. The spyware also has rootkit capabilities that enable it to hide its processes. ZBOT/ZeuS is one of the most notorious botnets with regard to identity, financial, and information theft.

    Users are strongly advised not to open emails from unknown sources. Trend Micro protects users from this attack via the Smart Protection Network, which blocks the spammed messages and prevents the download of the related malicious files.

    Watch out for any emails from people you don't know. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Trend Micro -By Trend Micro

    New Malware Scam Targets Twilight Fans

    PC Tools' Malware Research Center is warning web users of another online scam that hopes to piggyback on hype surrounding the new Twilight New Moon film.

    The security software developer says the latest trick tempts movie fans by promising them they can watch the film for free, before installing malware on their computer.

    PC Tools said fans are baited with the text websites, chat rooms and blogs that read: "Watch New Moon Full Movie."

    Meanwhile, comment posts are filled with related keywords to attract search engines. Then, when fans search for the film they find links to stolen images from the movie itself, convincing the fan the movie is only one click away.

    However, after clicking on the "movie player," users are told to run a "streamviewer" that installs malware on their computers.

    This is the second malware scam targeting Twilight New Moon in a week. Last week, PC Tools warned that malicious websites that claim to feature interviews with the author of the books, Stephanie Meyer, were ranking high in a number of search engines.

    Instead of providing a video clip of Meyer, those visiting the site were directed to a window informing them they were infected with malware and then encouraged to download an antivirus solution to clean their PC.

    Watch out when downloading anything from an unreliable source. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    PC World -By Oliver Garnham

    HO HO HO Santa has a virus for you

    This morning while triaging customer malware and spam samples I saw a variation on the typical click-the-link and get malware spam.

    This one was Christmas themed, normally we would expect Thanksgiving themed spam before the Christmas glut.

    The spam has a subject of “HO HO HO Santa has the best offer of the year for you” and contents of:

      HO HO HO Santa has the best offer of the year for you

      Hello, it’s me Santa Clause, I suppose you already know me, I have for you the most wanted offer of the year. If you make an account on: http://xxxx.xxx until the 5th December, you can choose one welcome gift from us for 50 Euros from http://xxxx.xxx and enter your validation code, which is: a91-valets-cloud-mad (Only until the 5th December availible.) This is our way to say Happy Holidays,

      take your chance to feel the Christmas Anticipation.

      Regards,

      Santa Clause

    The link, if you were to follow it, would attempt to install an EXE called santaclause.exe that is infected with W32/Parite-B, an old Windows virus whose only claim to fame is that it infected all 32-bit PE files.

    Watch out for deals that seem too good to be true because most of the time they are. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    sophos.com -By Pob

    Early ecard Christmas malware cheers

    There are two major methods malware writers use to infect and take control over remote systems.

    The first one relies on exploiting unpatched vulnerabilities in software such as a web browser, or configuration vulnerabilities such as weak passwords. The second method relies on vulnerabilities of the human condition. We humans have a need to be liked, by our friends, family and colleagues but also by complete strangers who often send us greetings for major holidays like Easter, Christmas or New Year's Day. Social engineering has been proven to work and it remains a major weapon in the attacker’s arsenal. I was not too surprised today when I found this message in one of our spam feeds. It was only a matter of time before Christmas-related spam messages linking to malware would reappear.


    I managed to download a relatively large Winrar self-extractable file which made me think that it could be one of the Zapchas variants. Zapchas usually contains several malicious components with a common purpose of recruiting the infected system into a botnet.

    My suspicions have been proved correct since the individual malicious components were already detected as Troj/Agent-FWS, Mal/Zapchas-C and Troj/Mirchack-A. I had some time for a quick analysis before I created detection for the dropper. Once run, the malware starts the Flash player showing a greeting animation unrelated to Christmas. The message is nice enough so I was willing to forgive the spelling mistake.

    The actual malicious activity occurs as soon as the animation is closed. The malicious components try to hide themselves by copying to the c:\RECYCLER folder and then connect to an IRC server hosted in the USA. This is where nice greetings end and the reality of having to remove malicious components that recruited our computer into a botnet kicks in. As Christmas is getting closer we can certainly expect more Christmas-themed attacks and we should all be especially cautious about electronic cards coming to our mailboxes in this period. I have added the detection for the dropper as Troj/Zapchas-EO.

    Watch out for any emails from people you don't know. To see a screen shot of the ecard, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    sophos.com -By Vanja Svajcer

    Bulletins posted 11/25/2009

    New Banking Trojan Horses Gain Polish

    As banks improve their ability to detect and fight fraud, the Trojan horses that criminals devise become even more sophisticated.


    Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded.

    Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions.

    Unfortunately, criminals facing those obstacles have gotten smarter, too. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program.

    For more information on how the different banking Trojans work, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    PC World -By Robert Vamosi

    Antispam group outlines defenses to block botnet spam

    A major antispam organization is pushing a set of new best practices for ISPs (Internet service providers) to stop increasing volumes of spam from botnets.

    The guidelines, from the Messaging Anti-Abuse Working Group (MAAWG), were drawn up at a meeting in Germany last week and deal with forwarded e-mail and e-mail that is sent from dynamic IP (Internet Protocol) addresses.

    Many people forward their e-mail from one address to another, a relay that goes through their ISP's mail server. But many ISPs use automated tools that could begin blocking further e-mail to an address if a large volume of e-mail has come through. Legitimate messages would be blocked, too.

    ISPs can fix this by separating the servers that receive e-mail and ones that then forward e-mail. That way, ISPs can filter out spam coming into the accounts before forwarding, taking a look at the messages and spotting which ones came from dodgy domains, Cox said.

    Also, servers receiving forwarded e-mail can be confident that the server where mail was sent from is trusted and legitimate. As of now, only a few ISPs are taking steps to fix the forwarding problem, Cox said.

    MAAWG's second recommendation deals with the long-standing problem of PCs that have been infected with malicious software that send spam.

    For more information on these recommendations, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    IDG News Service -By Jeremy Kirk

    PayPal to block users with old browsers to cut back phishing

    PayPal, eBay’s electronic payment service, plans to take the dramatic step of locking out people using older versions of Web browsers in order to stem phishing attacks.

    PayPal said a “significant” group of people still use Microsoft’s Internet Explorer 3, released in 1996, and IE 4, which debuted in 1997. Those browsers lack a phishing filter, which can block users from accessing a reported phishing Web site.

    “In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts,” according to a paper released during the RSA security conference in San Francisco earlier this month.

    It also could mean eventual trouble for users of Apple’s Safari browser, which has no phishing filter. PayPal warned users in February to stay clear of Safari.

    "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera."

    For more information on these recommendations, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    IDG News Service -By Jeremy Kirk

    Facebook Blocks Raunchy Worm

    Facebook has reportedly blocked an exploit propagating on the social networking site, which spreads when users click to see a revealing photo of a woman.

    Security firm AVG warned of the Facebook exploit that uses a suggestive female character to lure users into clicking on a URL, which will then post a link on their own Facebook wall, redirecting to the same page. AVG explains that in the past few days, some Facebook users encountered a photo of woman wearing a thong on their friends' profiles, along with the words "Want 2 C something hot? Click da button, baby!".

    Facebook has now blocked the URL associated with this site, and a company's spokesman told The Register that "the relatively few cases where it was posted" are being cleaned up. So far, there are no indications of the worm having other malicious effects besides reposting the woman's photo on affected users' profiles.

    For more information on the Facebook problem, please see the other article listed below or the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    PC World -By Daniel Ionescu

    Bulletins posted 11/24/2009

    Importance of safe passwords

    Passwords are the first way to keep your information safe, whether it be a login for your office computer or a password for your email.

    The stronger your password the harder it will be for someone to crack it and the safer your identity will be online.

    Passwords should contain a combination of numbers, letters (upper and lower case), and special characters (!@#$&). An easy way to make a password harder to crack is to pick a name or a word that you will remember and insert numbers and special characters. For example, 'yogurt' becomes 'Y8ogu33rt'.
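    A small checker for the rule above, added here as an example rather than taken from the newsletter or from DoIT: it reports which of the named character classes a password is missing and gives a rough size, in bits, of the search space an attacker would have to cover if they knew which classes were used. The minimum length of 8 and the use of all ASCII punctuation as the "special" class are assumptions, since the newsletter lists only a few special characters and gives no length rule.

```python
"""Password-strength check for the character-class rule in the newsletter (added example)."""
import math
import string

# Assumption: the newsletter names !@#$& as examples; any ASCII punctuation counts here.
SPECIAL_CHARS = set(string.punctuation)
MIN_LENGTH = 8  # assumed minimum; the newsletter gives no length rule

# Alphabet size contributed by each class, used for the keyspace estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIAL_CHARS), "other": 0}
REQUIRED_CLASSES = ["lower", "upper", "digit", "special"]


def character_classes(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
        else:
            classes.add("other")  # spaces, non-ASCII: not counted toward the estimate
    return classes


def keyspace_bits(password: str) -> float:
    """Bits of search space: length * log2(alphabet), assuming the attacker knows the classes used.
    This is an upper bound; a dictionary word with substitutions is weaker in practice."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    if not password or alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def assess(password: str) -> dict:
    """Report the missing required classes, whether the password is too short, and the estimate."""
    present = character_classes(password)
    return {
        "missing": [c for c in REQUIRED_CLASSES if c not in present],
        "too_short": len(password) < MIN_LENGTH,
        "bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    # The newsletter's own pair of examples, plus a variant that also adds a special character.
    for candidate in ("yogurt", "Y8ogu33rt", "Y8ogu33rt!"):
        print(candidate, assess(candidate))
```

    Run against the newsletter's pair, 'yogurt' is short and lacks three of the four classes, while 'Y8ogu33rt' meets the length and three classes but still has no special character; the bit estimate rises from about 28 to about 54 because both the length and the alphabet grew.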

    Sometimes strong passwords and usernames can be hard to remember. Our website has a lot of good information, including tips on how to create a good password and solutions for remembering them all.

    For more information on how to see if your password is strong please visit our website.

    DoIT -By Jessica Kimberlin

    Microsoft: 'TaterF' Worm Top Malware Threat So Far This Month

    Microsoft's Malicious Software Removal Tool (MSRT) removed malware from more than 1.5 million machines just three days after it was updated on November's Patch Tuesday, and the software giant has detected two new fake antivirus threats on more than 110,000 machines.

    The latest statistics come on the heels of Microsoft's recently published Security Intelligence Report, which found worms jumped 98.4 percent to the number two threat, behind Trojans. Trojans include rogue antivirus software.

    One of the worm families Microsoft attributed that jump to was TaterF, which so far is also the most prevalent piece of malware MSRT has killed this month, according to Microsoft's latest statistics: The TaterF worm was found on 239,870 machines. TaterF is a worm that steals online gaming credentials and spreads via Microsoft's Autorun feature and has hit enterprises hard because users who play games at home infect their work machines via USB keys, for instance, according to Microsoft.

    According to the SIR report from earlier this month, the number of machines infected with TaterF has increased from 2 million machines in the second half of last year to 4.9 million in the first half of this year.

    This month, the top threats found by Microsoft's MSRT are mainly password-stealers like TaterF that grab online gaming credentials, online banking credentials, and other online user accounts. Rogue AV products and Trojan downloaders for them were also high on the list, as well as Trojan downloaders that typically infect machines via drive-by attacks.

    Koobface remains in Microsoft's top 25 malware list, but is no longer in the top 10. It's now No. 14 on the list, found in 36,300 machines. "Online Social Network sites such as Facebook continues to boost their security hardening to protect their customers and we welcome their actions," blogged Scott Wu, a member of the Microsoft Malware Protection Center.

    Other top malware threats this month so far are the Alureon family of Trojans that steal data and modify DNS settings (141,358 machines), the Bancos family of Trojans that steal passwords and online banking credentials (138,803), and the Renos family of Trojan downloaders for rogue AV (115,970 machines).

    The MSRT also found 78,161 machines infected with the Cutwail spam bot, a family of Trojan downloaders. Microsoft this month added two new rogue AV families to the list of malware its tool detects -- Win32/FakeVimes and Win32/PrivacyCenter. And so far, Microsoft has cleaned up more than 110,000 machines infected with those two rogue programs.

    If you have fallen under attack, notify your service desk immediately and change your passwords.

    DarkReading -By Kelly Jackson Higgins

    New malware emerges for jailbroken iPhones

    A new worm targeting the iPhone was recently identified, and security experts believe it is the most sophisticated malware yet to target the popular smartphone.

    The malware, called iBotnet.A, attempts to steal online banking credentials and is capable of spreading across a network and hijacking the iPhone and iPod Touch for use in a botnet, according to Mac security vendor Intego, which issued a security memo on Monday.

    Like a separate iPhone worm identified in early November, users can only be infected with the new malware if they jailbreak their iPhone -- meaning they unlock the device to allow for the installation of unauthorized software -- and have SSH installed but have not changed the default password.

    The malware can change each infected device's root password and then give it a unique identifier so attackers can reconnect to the phone, according to Intego. The device connects to a web-based command-and-control server in Lithuania, where it can download new instructions and send data stolen from the infected iPhone back to hackers.

    In addition, if a victim attempts to visit the Dutch site for the online banking service ING, the malware redirects the user to a fake login screen that is used to harvest usernames and passwords, James said.

    The worm propagates by searching its local network for other devices to infect, he said. In addition, it scans about a dozen IP address ranges of internet service providers in the Netherlands, Portugal, Hungary and Australia for other jailbroken iPhones using those IP addresses, to which it can copy itself.

    The worm is not currently widespread and, for the most part, the infections have been limited to the Netherlands, Mikko Hyppönen, chief research officer at anti-virus vendor F-Secure, told SCMagazineUS.com on Monday.

    Researchers said it is unlikely that there are any infections in the United States at this time, but the worm could potentially spread to other regions of the world if the botmasters update the malware, or if an individual with an infected device were to travel to another country.

    If you have fallen under attack, notify your service desk immediately and change your passwords.

    www.scmagazineus.com -By Angela Moscaritolo

    Proof-of-concept for new IE flaw forebodes web danger

    Proof-of-concept (PoC) code that targets a new zero-day vulnerability in Internet Explorer (IE) currently is circulating, but so far, attackers have been unable to create an exploit capable of executing malicious code.

    The flaw is present in IE versions 6 and 7 and involves the way in which the browser handles Cascading Style Sheets (CSS), a style sheet language common on websites, Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Monday.

    A PoC that appeared Friday on the BugTraq mailing list could be used to modify the browser's memory, which causes it to crash, Greenbaum said. However, successful attackers would need to leverage "heap spraying," a fairly unreliable exploit technique.

    Virus writers, though, likely are hard at work to develop a more functional and severe exploit, he said.

    "In order to run code of the attacker's choice, there would have to be a lot more work done than we're seeing in the proof-of-concept," he said. "Attackers know about this flaw and are going to be diligently working to make it reliable and to make it execute their code, and that's when we're going to see real problems."

    A Microsoft spokeswoman told SCMagazineUS.com on Monday that the software giant is aware of the published PoC and is investigating, though there are no reports of customer impact. The company next is scheduled to distribute security patches on December 8.

    In the meantime, Greenbaum said he suggests users visit only known websites and avoid clicking on untrusted links in emails. In addition, users can disable JavaScript, which would prevent malicious code from executing.

    If you have fallen under attack, notify your service desk immediately and change your passwords.

    www.scmagazineus.com -By Dan Kaplan

    NFL player David Clowney is Twitter-hacked

    David Clowney is not unusual in being a 24-year-old who is hooked on Twitter.

    No, what makes David Clowney stand out from the crowd is that he's a talented American football player, who appears for the New York Jets. And now, like other celebrities before him, his Twitter account has been hacked.

    What is perhaps bizarre is that although David Clowney has acknowledged the hack on his Twitter account, he hasn't deleted the (somewhat fruity) postings made by the hacker.

    It's obviously damaging to the image of a person in the public eye to have their account hacked and abusive postings published to thousands of their fans. The problem is made even worse when the offending tweets aren't deleted, and are still being republished to the celebrity's official webpage.

    No details of how Clowney's account was compromised have been made available - but it would make sense for him to change his account password and make sure that he hasn't shared it with any other websites. Because of the rising tide of malware that sets out to steal credentials from users of social networking sites it would also do no harm at all if he scanned his computer with an up-to-date anti-virus.

    But for heaven's sake David, please delete the offending tweets. The hacker got a kick out of posting them up there - why continue to humour them by leaving them visible for all to see?

    To see a screen shot of what to look out for, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    Graham Cluley’s blog -By Graham Cluley

    Spoofed Trend Micro Email Leads to Phishing Site

    Trend Micro threat analysts recently unearthed spammed messages that purported to have come from Trend Micro. Posing as a trusted organization is not an uncommon technique used by cybercriminals when carrying out spam campaigns. In this case, the phishing URL and domain are already inaccessible.

    The emails bear the subject, "Malware Blocking Tests put Trend Micro on Top" and inform users about the recent NSS Labs tests. They also describe how NSS Labs conducted the test, which was based on "socially engineered malware." Ironically, however, the emails were themselves a good example of socially engineered malware.

    When the user clicks any of the links within the email, they are redirected to a phishing site:

    http://l.trndmcro.com/rts/{BLOCKED}.

    As mentioned above, the phishing URL and domain are already inaccessible, and Trend Micro Web reputation blocks access to the URL involved. Based on Whois information, the domain was created in September 2009; apart from this, the Whois record held no other information on the domain. The attack also employed the so-called "genuine-looking URL" phishing technique, in which cybercriminals imitate the URL of the target company in order to steal user information.
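    One way a mail gateway or an analyst can flag the "genuine-looking URL" technique described above, as an added example that is not Trend Micro's code: take the registrable domain of each link in a message and compare it by edit distance against a list of trusted brand domains, so that a near-miss such as trndmcro.com is reported against trendmicro.com while an exact match or an unrelated domain is left alone. The trusted list, the distance threshold of 2 and the two-label domain extraction (no public-suffix list) are assumptions.

```python
"""Flag look-alike domains in email links by edit distance (added example)."""
from urllib.parse import urlsplit

# Brands the organisation expects mail from (constructed list; extend per environment).
TRUSTED_DOMAINS = ["trendmicro.com", "paypal.com", "facebook.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so 'co.uk'-style
    suffixes are not handled; adequate for the .com cases in the article."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (trusted_domain, distance) when the link's domain is a near-miss of a trusted
    one; None when it is an exact match (legitimate) or unrelated (no brand imitation)."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if not domain or domain in trusted:
        return None
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    distance = levenshtein(domain, best)
    return (best, distance) if distance <= max_distance else None


def scan_links(urls):
    """Apply the check to every link extracted from a message; returns only the hits."""
    return {u: lookalike(u) for u in urls if lookalike(u) is not None}


if __name__ == "__main__":
    # The article's blocked URL plus two constructed links for comparison.
    sample = ["http://l.trndmcro.com/rts/{BLOCKED}",
              "https://www.trendmicro.com/",
              "https://example.org/"]
    print(scan_links(sample))
```

    Edit distance catches dropped or swapped letters, which is the pattern here; it does not catch homoglyph or IDN tricks, which need a separate Unicode confusable check.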

    In such an attack, traditional spam filtering using patterns alone will no longer prove effective. On the other hand, the cloud computing technology used in the Trend Micro Smart Protection Network easily protects users, as it detects and blocks spammed emails and malicious URLs using reputation-based ratings. Readers are advised, as always, to pay close attention to the content of, and the URLs within, emails.

    To see a screen shot of what to look out for, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    blog.trendmicro.com -By Menard Osena

    Facebookers hit with steamy clickjacking exploit 'Click da button, baby!'

    Facebook administrators have blocked a clickjacking exploit that displayed images of a scantily clad woman on profile pages without first prompting the user for permission.

    The attack began when a victim encountered the image of the near-naked woman on a friend's profile page along with the words "Want 2 C something hot? Click da button, baby!" Facebookers who took the bait - and were logged in to their accounts at the time - found their profile pages were updated to include the same image. The more people who fell for the come-on, the more the come-on was presented to new potential victims, giving the attack a viral quality.

    Researchers who first spotted the ruse attributed it to a CSRF, or cross-site request forgery, vulnerability on Facebook's site. A spokesman for the social networking site disputed that explanation, saying the attack was really the result of clickjacking.

    "This problem isn’t specific to Facebook, but we’re always working to improve our systems and are building additional protections against this type of behavior," Facebook spokesman Simon Axten wrote in an email. "We’ve blocked the URL associated with this site, and we’re cleaning up the relatively few cases where it was posted (something email providers, for example, can’t do)."

    Clickjacking is a vulnerability at the core of the web that allows webmasters to trick users into clicking on a link they didn't intend to. The exploits are pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Websites that accept user-generated content make especially potent launch pads for such attacks.

    This latest attack is a reminder that it's often impossible to know where a given link will lead, even for careful users. Indeed, Gadi Evron, one of the security researchers who first spotted the exploit, confessed to having his Facebook page briefly display the image after first encountering it on a friend's page.

    "This shows that even experts can become complacent and trust systems when they really shouldn't," he wrote.

    If you have fallen under attack, notify your service desk immediately and change your passwords.

    www.theregister.co.uk -By Dan Goodin

    Facebook worm spreads with a lurid lure

    The worm posts an image on a victim’s Facebook Wall with a photo of a woman in a bikini and the message “click ‘da button, baby.” Wall posts are viewable by a Facebook user’s friends.

    If a friend clicks on the image and is logged into Facebook, the image is then posted to their own Wall. Their Web browser will then open a Web page with a larger version of the same image. A further click on “da button” redirects the friend to a pornography site, according to Roger Thompson, chief research officer for antivirus vendor AVG Technologies. Thompson posted a video of the attack on his blog.

    The creators of the worm are likely making money by driving referrals to the pornography site, said Nick FitzGerald, a threat researcher for security vendor AVG.

    Researchers aren’t quite sure exactly how the worm works but believe it may be a cross-site request forgery attack (CSRF) or a clickjacking attack or a mix of both.

    A CSRF attack occurs when a victim’s credentials are used to perform some action but without their knowledge. In this case, the attacker fraudulently posts the image to the victim’s Facebook Wall, piggybacking on the fact the victim is logged into their account.

    Another possibility is clickjacking, where attackers use special Web programming to trick victims into clicking Web buttons without realizing it.
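    To make the two mechanisms concrete from the defender's side, here is an added example, not Facebook's code and not taken from either article, of a "post to wall" handler hardened against both: a CSRF token bound to the session with an HMAC (the attacker's page can cause the browser to send the victim's cookie, but cannot read or forge the token), an Origin check as defense in depth, and the anti-framing response headers (X-Frame-Options and the CSP frame-ancestors directive) that stop another site from overlaying the button in an invisible iframe, the clickjacking setup described in the Register piece above. The site origin, session ids, request shape and lure text are constructed; the demo replays a legitimate post followed by a cross-site post that carries the victim's cookie but no token.

```python
"""Defending a state-changing 'post to wall' action against CSRF and clickjacking (added example)."""
import hashlib
import hmac
import secrets

# Assumption: server-side secret generated at startup; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://social.example"  # constructed origin for the site being defended

# Sent on every response so no other site can frame the page and overlay its buttons.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Mint a token tied to one session: random nonce plus HMAC(session, nonce)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Accept only a token minted for this session; compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def handle_wall_post(request: dict, sessions: dict):
    """Simulated handler for POST /wall. request = {'cookies': {}, 'headers': {}, 'form': {}}.
    Returns (status, headers, body). The session cookie alone never authorises the action."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return 401, ANTI_FRAMING_HEADERS, "not logged in"
    # Browsers set Origin on cross-site POSTs; a foreign origin is rejected outright.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, ANTI_FRAMING_HEADERS, "cross-site request rejected"
    # The token is what a lure page cannot obtain: it is never readable cross-origin.
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, ANTI_FRAMING_HEADERS, "missing or invalid csrf token"
    sessions[session_id]["wall"].append(request["form"].get("text", ""))
    return 200, ANTI_FRAMING_HEADERS, "posted"


def demo():
    """Replay the article's scenario with constructed data: a logged-in user posts normally,
    then a cross-site request arrives carrying the same cookie but no token."""
    sessions = {"sess-alice": {"wall": []}}
    token = issue_csrf_token("sess-alice")
    legit = {"cookies": {"session": "sess-alice"},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": token, "text": "hello friends"}}
    # The lure lives on another site; the browser still attaches the victim's cookie.
    worm = {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://lure.example"},
            "form": {"text": "Want 2 C something hot? Click da button, baby!"}}
    statuses = [handle_wall_post(legit, sessions)[0], handle_wall_post(worm, sessions)[0]]
    return statuses, list(sessions["sess-alice"]["wall"])


if __name__ == "__main__":
    print(demo())  # expected: ([200, 403], ['hello friends'])
```

    The Origin check alone would not be enough where older browsers omit the header, which is why the token check still runs when Origin is absent; the framing headers address the second mechanism, since a token cannot help if the victim is tricked into clicking a real, legitimately tokenised button.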

    For more information, please see the full article. If you have fallen under attack, notify your service desk immediately and change your passwords.

    IDG News Service -By Jeremy Kirk

    Five ways to lose your identity (and wallet) this holiday season

    The holiday season is almost here, and even in a recession huge numbers of people will likely be shopping online for gifts this year.

    The rush by shoppers to the Web makes the season a great time for online retailers. It's also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

    The growth of holiday hacking has annually prompted security analysts, identity theft awareness groups and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can benefit consumers, but unfortunately some people ignore them.

    For those unwary consumers, Computerworld this year offers a handy list of tips that can help maximize their exposure to online fraud.

  • Tip #1: Open all attachments from strangers and click on all embedded links in such e-mail messages.
  • Tip #2: Respond to Dr (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country.
  • Tip #3: Install a peer-to-peer file-sharing client on your PC, and configure it so all files, including bank account, Social Security and credit card numbers along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network.
  • Tip #4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as 123456 and abcdef and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers.
  • Tip #5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated makes life hard for hackers.
  • Good luck!
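The "clever sequences" Tip #4 recommends are exactly what a password policy should refuse. As an added example (not from the Computerworld article; the blocklist and the sample names are constructed), this check flags straight runs such as 123456 and abcdef, passwords built from the account holder's own name, and a few common defaults:

```python
"""Added example (not from the article): refusing the password patterns Tip #4 lists.

Flags straight runs such as 123456 / abcdef (forward or backward), passwords
built from the user's own name (firstname.lastname and close variants), a
single repeated character, and a constructed list of common defaults.
"""
import re
from typing import List

# Constructed tiny blocklist; a real deployment would check a large breached-password list.
COMMON_DEFAULTS = {"password", "123456", "abcdef", "qwerty", "letmein", "welcome"}


def is_sequence(s: str) -> bool:
    """True if every adjacent pair of characters steps by +1 (or every pair by -1)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def name_based(password: str, first: str, last: str) -> bool:
    """True if the password is the user's name with at most a separator and digits added."""
    p = password.lower()
    f, l = re.escape(first.lower()), re.escape(last.lower())
    patterns = [
        rf"{f}[._\- ]?{l}\d*",   # firstname.lastname, firstname_lastname2009, ...
        rf"{l}[._\- ]?{f}\d*",   # lastname.firstname
        rf"{f}\d*",              # firstname alone
        rf"{l}\d*",              # lastname alone
    ]
    return any(re.fullmatch(pat, p) for pat in patterns)


def weak_password_reasons(password: str, first: str, last: str,
                          min_len: int = 12) -> List[str]:
    """Return every reason the password should be refused (empty list = acceptable)."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if lowered in COMMON_DEFAULTS:
        reasons.append("on the common-defaults list")
    if is_sequence(lowered):
        reasons.append("a straight number or alphabet sequence")
    if name_based(password, first, last):
        reasons.append("built from the account holder's name")
    if len(set(lowered)) == 1:
        reasons.append("a single repeated character")
    return reasons


if __name__ == "__main__":
    # Constructed sample user "jane doe"; each candidate maps to its list of reasons.
    for candidate in ["123456", "abcdef", "jane.doe", "Jane_Doe2009", "correct-horse-battery-staple-42"]:
        print(candidate, "->", weak_password_reasons(candidate, "jane", "doe") or "acceptable")
```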

    For more information on the "how to" guide, please see the full article. If you have fallen victim to an attack like these, notify your service desk immediately and change your passwords.

    Computerworld -By Jaikumar Vijayan

    Bulletins posted 11/23/2009

    Report: Cyberattacks against the U.S. "rising sharply"

    A new report prepared for Congress found that the number of cyberattacks against the U.S. government is “rising sharply” in 2009, and many of the attacks are coming from Chinese state and state-sponsored entities.

    During 2008, there were 54,640 total cyberattacks against the U.S. Department of Defense (DoD), according to the report, citing data provided by U.S. Strategic Command officials.

    The number of instances significantly increased in the first half of 2009, when there were 43,785 cyber incidents targeting the DoD, the report states. If this volume is maintained for the rest of the year, it will represent a 60 percent increase over 2008. The 367-page report, prepared by the U.S.-China Economic and Security Review Commission and released Thursday, details cyberattacks targeting the United States as part of a study of how China's activities impact U.S. national security.

    The number of cyberattacks has been increasing steadily in recent years, the report states. The number of attacks increased 20 percent last year, from 43,880 in 2007 to 54,640 in 2008.

    For more information on the attacks, please see the full article. If you have fallen victim to an attack, notify your service desk immediately and change your passwords.

    www.scmagazineus.com -By Angela Moscaritolo

    Older Microsoft Internet Explorer Vulnerable to Security Flaw

    Researchers at Symantec say exploit code for a zero-day security vulnerability has been uncovered in Internet Explorer 6 and 7.

    Proof-of-concept code for an attack targeting old versions of Microsoft Internet Explorer has made its way online.

    According to Symantec, someone posted the code Nov. 20 to the Bugtraq mailing list. The code targets a flaw tied to how Internet Explorer (IE) uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites’ content.

    The flaw is known to affect IE 6 and IE 7. The most current version of the browser, IE 8, is not thought to be impacted. IE 6 and IE 7 are still widely used, however, and by one estimate account for roughly 41 percent of the Web browser market share.

    “The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future,” Symantec researchers noted in a blog post Nov. 21. “When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.”

    Researchers at Vupen Security stated in an advisory that the issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method. If exploited successfully, attackers could crash the browser or execute arbitrary code by tricking a user into visiting a malicious web page.

    As a fix, Vupen advised users to disable active scripting in the Internet and Local intranet security zones.

    Be careful if you are using IE 6 or 7. If you have fallen victim to this attack, notify your service desk immediately and change your passwords.

    www.eweek.com -By Brian Prince

    Lightning strikes again: iPhone malware gets truly malicious

    The new worm is similar to the original Ikee worm (and the recently discovered iPhone hacking tool) in so much as it only infects jailbroken iPhones, where users have installed OpenSSH and not changed the default password ("alpine").

    However, it is much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet command & control centre, downloading new instructions - effectively turning your iPhone into part of a botnet.

    Furthermore, it appears to be designed to steal information from users of online banking services. Indeed, the BBC is reporting that ING Direct is briefing its call centres so workers can provide advice about the worm to Dutch customers.

    Two weeks is all it took for a jokey Rick Astley worm to be adapted into something which creates a criminal botnet and is apparently designed to steal money from innocent users.

    Some may have thought that the Ikee iPhone worm was a one-off. Some people might have imagined that lightning wouldn't strike iPhones more than once - but they were wrong. And one thing is certain - you can be sure that if hackers find they can make money out of poorly-secured jailbroken iPhones, they will continue to attack them.

    So the (rhetorical) question for Clu-blog readers is this - do you still feel the author of the original Ikee worm did iPhone users a favour? After all, it was him who released the source code of the Ikee worm, and gave the authors of this latest financially-motivated variant the template for infection.

    Be careful if you are using your iPhone. If you have fallen victim to this attack, notify your service desk immediately and change your passwords.

    www.sophos.com -By Graham Cluley

    Botnet begins social networking spam run

    A major malware botnet has sprung to life and is making a huge spam run through social networking sites.

    Researchers at Symantec's MessageLabs branch said that the DonBot network has begun sending spam emails in large numbers, accounting for as much as four per cent of the total global spam load since 18 November.

    The messages advertise a 'work at home' programme which promises $300 (£180) a day for posting information online.

    Clicking on the spam image sends victims to one of any number of Twitter pages which contain links to a third-party site which asks the user to pay the 'trial fee'.

    Researchers believe that the operation uses hijacked and specially created spam accounts on Twitter. Some hijacked Facebook pages are also being used to spread the links.

    Social networking sites have become a favourite tool for scammers and malware writers of late. Attackers have used sites such as Facebook and Twitter to spread spam and infect new users.

    Be careful if you are using social networks. If you have fallen victim to this attack, notify your service desk immediately and change your passwords.

    www.v3.co.uk -By Shaun Nichols

    More Facebooking, More Malware

    Security solutions firm F-Secure Malaysia says greater vigilance is needed as the use of social networking is gathering pace compared to e-mail.

    F-Secure Malaysia senior security response manager, Chia Wing Fei, said the company noted the significant shift from e-mail to instant communication channels provided by social networking sites. "This trend has important security implications as this means greater vigilance is required against links and messages sent from hacked accounts."

    "According to statistics from research firm Nielsen, the number of users on social networking and other community sites increased by 31 per cent in the period August 2008 -- August 2009, while e-mail use increased by 21 per cent," said Chia. "It may be too early to pronounce that e-mail is dead but the figures do highlight a growing trend."

    "Cyber criminals have already responded to the changing patterns of communication by focusing more activity on popular social networks," he said.

    For tips on how to be safe, please see the full article. If you have fallen victim to an attack, notify your service desk immediately and change your passwords.

    PC World -By Avanti Kumar

    iPhone worm hijacks ING customers

    The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct

    Surfers visiting the site with infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users of the attack via its website, as well as briefing front line call centre staff on the threat.

    Mikko Hypponen, chief research officer at F-Secure, said the threat had in any case been neutralised. "It [the worm] was targeting ING. The websites it needed for this to work have now been taken down."

    Anti-virus analysts, still in the process of analysing the malware, caution that the attack is a bit more complex than simple phishing and seems to involve an attempt to snatch SMS messages associated with online banking transactions. We're yet to hear back from ING Direct on this point but we'll update this story as and when we hear more.

    What is clear is that the "Duh" or Ikee-B worm, like the earlier Rickrolling worm, exploits an SSH backdoor on jailbroken handsets in order to spread.

    Part of the process of jailbreaking iPhones to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the default root password of iPhones from 'alpine' leave a backdoor that is wide open to attack.

    Although Duh exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor. Duh turns compromised devices into a botnet under the control of unidentified hackers. The Rickrolling Ikee worm, by contrast, only changes users' wallpaper to an image of cheesy pop warbler Rick Astley.

    Duh also searches across a wider range of IP ranges than Ikee, which only ever affected Optus users in Australia. It includes IP ranges allocated to carriers in several countries, including The Netherlands, Portugal, Australia, Austria, and Hungary. All the infections reported thus far have happened in The Netherlands. The attack only came to light after a Dutch ISP noticed unusual traffic and began to investigate.

    As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh changes the root password of compromised iPhones, allowing crooks to log into compromised units and carry out malicious further actions.

    SophosLabs researcher Paul Ducklin used a password cracking tool to discover the malware changes iPhone root passwords from 'alpine' to 'ohshit'.

    In addition to the two iPhone worms, an earlier hacking/extortion attack (targeting iPhone users in the Netherlands) also exploited the default password SSH backdoor on jailbroken iPhones.

    Security experts strongly advise users of jailbroken phones to change their passwords from 'alpine' immediately to avoid further attacks along the same lines.

    If you have fallen victim to this attack, notify your service desk immediately and change your passwords.

    www.theregister.co.uk -By John Leyden

    Tech Workers Dubbed the Unhealthiest

    Brits that work in IT have topped a poll of the unhealthiest employees, says Fat Free Fitness.


    According to the personal training website, just 19 percent of IT workers met the government's activity guidelines, which recommend half an hour of moderate exercise, five times a week. IT workers are closely followed by receptionists and sales people.

    When it comes to diet, IT workers are also unhealthy, with only 14 percent eating five portions of fruit and vegetables a day, while 50 percent said they drink energy drinks every day.

    On average IT workers consume 10 cups of coffee a day, which is more than your recommended daily allowance of caffeine.

    "There is clearly a correlation between sitting at a desk or wheel all day and how active you're likely to be," said Rich Leigh, founder of Fat Free Fitness.

    The study did not address the many health and exercise applications that are showing up in PCs and, more recently, in mobile platforms.

    PC World -By Carrie-Ann Skinner

    Bulletins posted 11/20/2009

    Zero-day vulnerabilities in Firefox extensions discovered

    One of the reasons behind Firefox's popularity is the availability of a vast library of extensions. Users use them to modify the browser to their liking and make their browsing experience easier and more pleasant. The problem is, unbeknown to them, these extensions are exposing them to risk.


    Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

    Any Mozilla application with the extension system is vulnerable to the same type of issues. Extension vulnerabilities are platform independent, and can result in full system compromise.

    The researchers believe that the weakest link in the chain is the human factor. Many add-on developers do it for a hobby and are not necessarily aware of how dangerous a vulnerable extension can be. The extension reviewers don't need to have great knowledge about Web application security and follow guidelines on finding malicious extensions. This means vulnerable extensions can easily slip through.

    Researchers have found several bugs in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released at the SecurityByte & OWASP AppSec Asia 2009 conference.

    For more information or to view screen shots or a video, please see the full article. If you fell victim to this before the patch came out, notify your service desk immediately and change your passwords.

    secworld

    Dumb code could stop computer viruses in their tracks

    On the day a new computer virus hits the internet there is little that antivirus software can do to stop it until security firms get round to writing and distributing a patch that recognises and kills the virus.

    Their idea, which they are patenting, is to intercept every file that could possibly hide a virus and add a string of computer code to it that will disable any virus it contains. Their system chiefly targets emailed attachments and adds the extra code to them as they pass through a mailserver. A key feature of the scheme is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised "zero day" viruses as well as older ones.

    Many mailservers already block attachments that will run as executable programs - such as PC files with a .exe suffix - in case they are viruses. But virus writers have tricks up their sleeve to get round this. For example, they can disguise files as an innocent Microsoft Word (.doc) or Adobe Acrobat (.pdf) file, and then fool unsuspecting users into converting them into an "executable" program file that will run on their computer.

    Qinetiq aims to prevent this by inserting a line of machine code - the raw code that microprocessor chips understand - into the header area of incoming files. This is the part of the file that holds the formatting data that defines such aspects as a document's layout and fonts.

    If the file is simply opened by another program, the code is ignored. But if someone attempts to run it as a program in its own right, Qinetiq's code will run first - and stop the rest of the program in its tracks, either by exiting or by sending it into an infinite loop.

    "This is not based on virus signature detection, so it is not something malware writers can imagine their way around," Wiseman says. Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mailservers.

    For more information, please see full article.

    www.newscientist.com -By Ryan Naraine

    IE8 bug makes 'safe' sites unsafe

    The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

    The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

    Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics.

    It's not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates - a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability - speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.

    "If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value ... that actually results in an attack firing on the page," he said. "This could be a way to introduce an attack into a page that didn't have a vulnerability otherwise."

    For more information, please see the full article. If you fell victim to this before the patch came out, notify your service desk immediately and change your passwords.

    Enterprise Security -By Dan Goodin

    Security Pro Says New SSL Attack Can Hit Many Sites

    A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet.

    The attack, while difficult to execute, could give attackers a very powerful phishing attack.

    Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off -- the hacker would first have to pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences.

    The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug's discoverers, Marsh Ray at PhoneFactor, says he's seen a demonstration of Heidt's attack, and he's convinced it could work. "He did show it to me and it's the real deal," Ray said.

    The SSL Authentication flaw gives the attacker a way to change data being sent to the SSL server, but there's still no way to read the information coming back. Heidt sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. He then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by Heidt's computer before they are sent to the victim.

    This latest attack shows that the flaw could be used to steal all sorts of sensitive information from secure Web sites, Heidt said.

    Many high-profile banking and e-commerce Web sites will not return this 302 redirect message in a way that can be exploited, but a "huge number" of sites could be attacked, Heidt said.
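The property that decides whether a site is exposed, as the article describes it, is whether the server will answer with a 302 whose Location drops the browser to a plain http:// connection. As an added example (not Heidt's code and not from any product; the helper names and the allowed-host list are constructed), this server-side redirect policy refuses any downgrade or off-site redirect:

```python
"""Added example (not from the article): a redirect policy that never sends
a browser from an https:// page to a plain http:// URL, or off to another host.

Hypothetical helper names (make_redirect, redirect_is_safe); the only property
exercised is the one the article describes: a 302 whose Location moves the
victim to an insecure connection.
"""
from typing import Dict, FrozenSet
from urllib.parse import urljoin, urlsplit


class RedirectRefused(ValueError):
    """Raised when a handler tries to emit a downgrading or off-site redirect."""


def make_redirect(current_url: str, location: str,
                  allowed_hosts: FrozenSet[str]) -> Dict[str, str]:
    """Return the headers for a 302, or raise RedirectRefused.

    current_url:   the URL the request was served on (its scheme matters)
    location:      the Location value the application wants to send (may be relative)
    allowed_hosts: hosts the site is willing to redirect to (constructed list)
    """
    target = urljoin(current_url, location)        # resolve relative paths against the page
    cur, tgt = urlsplit(current_url), urlsplit(target)
    if cur.scheme == "https" and tgt.scheme != "https":
        # This is the downgrade the attack needs: an https session handing
        # the victim to a connection the man-in-the-middle can rewrite.
        raise RedirectRefused(f"downgrade to {tgt.scheme}:// refused: {target}")
    if tgt.hostname not in allowed_hosts:
        raise RedirectRefused(f"off-site host refused: {tgt.hostname}")
    return {"Status": "302 Found", "Location": target}


def redirect_is_safe(current_url: str, location: str,
                     allowed_hosts: FrozenSet[str]) -> bool:
    """Convenience wrapper: True if make_redirect would emit the redirect."""
    try:
        make_redirect(current_url, location, allowed_hosts)
        return True
    except RedirectRefused:
        return False


if __name__ == "__main__":
    hosts = frozenset({"bank.example"})            # constructed
    for loc in ["/account", "https://bank.example/account",
                "http://bank.example/account", "https://evil.example/"]:
        print(loc, "->", redirect_is_safe("https://bank.example/login", loc, hosts))
```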

    For more information, please see the full article. If you fell victim to this before the patch came out, notify your service desk immediately and change your passwords.

    IDG News Service -By Robert McMillan

    Cisco's free iPhone app grabs security feeds

    Cisco has made available a free iPhone app that can be used to receive more than a dozen security-related information feeds in customizable form related both to Cisco products and to general security topics, such as newly detected threats.

    The Cisco SIO To Go iPhone application draws from the wealth of information continuously generated in Cisco's security intelligence operations (SIO) that monitor and consolidate information drawn from sensors and other sources about security threats worldwide. Michael Weir, manager of marketing for security, says the tool is Cisco's first iPhone app specifically for security; a few others were designed for use with Cisco's WebEx service and utilities.

    For network managers, customizable information feeds include Cisco Product Security Incident Response Team Alerts, IPS signatures, applied mitigation bulletins, as well as links to the Cisco security blog, cyber-risk reports, Twitter feeds and security podcasts.

    Until now, to obtain the same type of information it would be necessary to go to the public portions of Cisco’s SIO Web site to locate it. The free Cisco SIO To Go iPhone app can be found at the Apple iTunes store online.


    Network World -By Ellen Messmer

    Happiness on Facebook Cuts Canadian Woman's Health Care

    As social media evolves -- and the freedom of the Internet diminishes our self-censorship -- many have run into situations where Facebook has landed them in trouble.

    Sometimes that means being canned from a gig. It has been established that some companies scrutinize employee and potential employee Facebook pages to ensure what they're getting isn't tarnished by bad behavior such as playing hooky or being loose-tongued about one's feelings about work. The latest example is a little trickier: a Canadian woman saw her health benefits stripped away after the insurance company saw "happy" pictures of her on Facebook.

    Nathalie Blanchard, 29, took long-term sick leave from her job at IBM in Quebec after she was diagnosed with major depressive disorder in February 2008. Until this fall, Blanchard received monthly benefits from Manulife. Suddenly the checks stopped arriving, and when Blanchard called Manulife to inquire, the company claimed Blanchard was available to work because of photos she had posted on Facebook of her looking "happy" at a Chippendales bar show, at her birthday party, and on holiday. These snapshots evidently proved to Manulife that Blanchard was no longer depressed and therefore ineligible for health benefits.

    We live in a time where many get a false sense of security and freedom when it comes to the Internet. These social networking pages are ours -- or at least they feel like ours -- and it can come as a shock when the curtain is violently ripped back and our scaffolding is exposed. With the right mixture of inconspicuousness and second-guessing, many problems stemming from Facebook can be dodged, but perhaps at the expense of truly expressing our lives the way we'd like.

    Be careful of what you post on social networking pages because you never really know who is going to be able to access it.

    PC World -By Brennon Slattery

    Bulletins posted 11/19/2009

    Mozilla locks out rogue Firefox add-ons

    Mozilla has made a significant tweak to the Firefox 3.6 code base to block rogue add-ons from loading in the browser’s application components directory.

    This will most certainly block developers and software vendors from silently installing Firefox add-ons without explicit user permission. It will also significantly reduce browser crashes linked to third-party add-ons, Mozilla said.

    The change will be introduced in Firefox 3.6 to block third-party applications from adding their code directly to the “components” directory, where much of Firefox’s own code is stored.

    For more information, please see the full article. If you fell victim to this before the patch came out, notify your service desk immediately and change your passwords.

    http://blogs.zdnet.com -By Ryan Naraine

    Viruses, Malware Creeping into Online Games

    The maker of online gaming protection software reveals why virus attacks on video games are a problem that has increased over 600 percent in the past year.

    Viruses and malware are words not normally linked to video games, that is until you talk to Michael Helander, VP of Sales and Marketing at Lavasoft. His software company has developed a new product, Ad-Aware Game Edition, that's designed to protect online gamers from viruses, a problem that's "increased over 600% in the last year," according to their website. In this exclusive interview, Helander and Malware Labs' Andrew Browne explained which games are most vulnerable to malware attacks, why viruses in online games are a much bigger problem today, and why consoles like the Xbox 360 and PS3 could be next in the crosshairs of people who create Trojans, worms and other forms of malware.

    Lavasoft: The difference is the way our virus protection software behaves. When you're playing video games, our antivirus program silently runs off screen, using minimum levels of your computer's resources, and does so without interrupting your game.

    Now here is the key: blocking detection is not suspended when someone starts gaming with the Ad-Aware Game Edition, but alternatively the handling of blocks and removal of malware is taken over directly by Lavasoft. Competitor products (there are two or three other products like this on market today) actually say that the protection is "suspended" while playing video games. This is not good for gamers.

    For more information, please see the full article. If you have been affected by malware of this kind, notify your service desk immediately and change your passwords.

    GamePro -By Patrick Shaw

    Health Insurer Loses 1.5 Million Patient Records

    A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident.

    The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians.

    Health Net discovered the loss in May but never informed patients, law enforcement or government entities, despite data breach laws in some states that require data spillers to notify victims and state officials when residents are affected by a breach. The insurer finally sent a letter to Connecticut’s attorney general and the state’s Department of Insurance this week.

    Health Net claimed it took six months to determine what data was on the missing disk. It said that data on the disk was compressed and stored in an image format that required special software to view, which was available only to Health Net.

    “Another day, another data breach,” said Connecticut Attorney General Richard Blumenthal in a statement. “But companies still don’t get it: Personal information is like cash and should be guarded with equal care.”

    Blumenthal vowed to pursue an investigation and legal action against the insurer. About 450,000 of the patients affected by the data loss are residents of Connecticut, which has a breach notification law. Patients in Arizona, New Jersey and New York were also affected.

    For more information, please see the full article. If you are a patient enrolled in the Medicare Advantage plan and a resident of any of the states listed above, notify your service desk or health care provider immediately and change your passwords.

    www.wired.com -By Kim Zetter

    Fake Payment Request Attack Ramps Up

    An attack currently underway is attempting to trick victims with an e-mail that purports to request a verification for payment to a major company, but instead carries a Trojan.

    E-mail security company Cloudmark reports seeing more than 1.6 million of the attack e-mails, which bear a subject of "payment request from" followed by a company name such as eBay or J. P. Morgan Chase and Co. The body of the message says that to decline the payment, the recipient must download and install an attached "transaction inspector module."

    The .zip file attachment, of course, is no module, but a Trojan. In a post that includes screen shots of some attack samples, Trend lists the Trojan as TROJ_AGENTT.WTRA.

    As always, your best bet to guard against the malicious e-mail attachments used in these kinds of social-engineering attacks is to upload attachments to a site such as Virustotal.com, which will scan the attachment using 40-odd different antivirus engines. There's no guarantee that Virustotal.com will positively ID a threat, but you have much better odds with 40 engines than with the one used by your installed antivirus.

    Don't open email or download attachments from anyone you don't know. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    www.pcworld.com -By Erik Larkin

    3 Basic Steps to Avoid Joining a Botnet

    Banging the drum for security awareness never gets old. As much as CSOs try to get folks to bone up on safe practices (both online and in the office), there are always going to be some who need reminding.

    Online, the biggest battle these days is against botnets: networks of infected computers which hackers can use -- unbeknownst to the machine's owner -- for online crimes including sending out spam or launching a denial of service attack.

    Unfortunately, the black-hat techniques employed to snare users into a botnet web have evolved to a level that makes them often undetectable by even the most sophisticated security products. Combine that with a lack of user knowledge, and the threat of infection becomes very high. (See: Botnets: Why it's Getting Harder to Find and Fight Them).

    "The frustrating thing is they can make their chances of getting infected much, much smaller," said Steve Santorelli, who sees how users fall prey to easily avoidable traps every day. Santorelli, director of global outreach with the non-profit security investigations firm Team Cymru, spends his days monitoring malicious online activity, particularly botnets.

    Santorelli notes that while just one strategy probably won't cover you, with several tools in the tool box, the rate of infection within an organization significantly drops.

  • Tip 1: Have work AND home machines regularly updated with patches and antivirus software
  • The average user doesn't necessarily have a lot of technological knowledge, said Santorelli. They might not realize the importance of working with IT to ensure they are up to date with patching and software upgrades. This problem may be especially prevalent among workers who are exclusively remote.

  • Tip 2: Use the latest browser versions
  • Staying away from dubious sites and sticking to known brands used to offer reasonable online safety. Unfortunately, that's less and less foolproof. "Browsers are so much more secure now that so many of the holes that existed in these browsers have been patched. There is also a great deal of anti-phishing and anti-malware that goes into them now. So if you try and go to a link that contains malware, your AV might not pick it up. But your browser will say: 'Are you sure?'" The good news is most browsers are free. You can download the latest version of Internet Explorer or Firefox fairly easily and quickly, too.

  • Tip 3: Be a little more careful when you get a link or an attachment.
  • "Don't just blindly click on things and rely on other people to protect your computer," noted Santorelli. "You've got to take some responsibility for your own security."

    Just because you receive an email from someone you know and trust, it doesn't mean it is safe. This includes friends and family, whose systems or accounts may have been compromised, and also well-known web sites you use, like social networking sites or banks. See Five More Facebook, Twitter Scams to Avoid for examples of current attempts to exploit social media sites. And large banks, such as Bank of America, often find their name is used in email phishing scams where thieves send out messages warning customers that their account has been compromised, with a link that leads to a fake, but very legitimate-looking, login screen.

    If you happen to fall for any of these scams, notify your service desk immediately and change your passwords.

    www.networkworld.com -By Joan Goodchild

    Bulletins posted 11/18/2009

    FBI says hackers targeting law firms, PR companies

    Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.

    The FBI has issued an advisory that warns companies of "noticeable increases" in efforts to hack into the law firms' computer systems — a trend that cyber experts say began as far back as two years ago but has grown dramatically.

    In many cases, the intrusions are what cyber security experts describe as "spear phishing," attacks that come through personalized spam e-mails that can slip through common defenses and appear harmless because they have subject lines appropriate to a person's business and appear to come from a trusted source.

    "Law firms have a tremendous concentration of really critical, private information," said Bradford Bleier, unit chief with the FBI's cyber division. Infiltrating those computer systems, he said, "is a really optimal way to obtain economic, personal and personal security related information."

    U.S. officials have been cautious about publicly linking cyber attacks to China. But recent government reports have described computer attacks believed to have originated in China, although it is unclear if the intrusions were conducted by, or with the endorsement of, any element of the Chinese government.

    As is often the case with cyber crime, Paller said it is difficult to tell whether hackers were working on behalf of the country's government, located in that country, or simply routing computer traffic through that country.

    The hackers going after law firms, said Paller, often target companies that are negotiating a major international deal — anything from seeking a patent on a sensitive new technology to opening a plant in another country.

    While opening a "spear phishing" e-mail itself does not pose a danger, such e-mails often contain Web links or attachments that, when clicked on or opened, will infiltrate the network or install malicious programs.

    For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    www.google.com/hostednews -By Lolita C. Baldor

    Fake Facebook page steals login details

    A fake Facebook page which is designed to steal social networkers' login details has been uncovered by PandaLabs.

    According to the security firm, the web page looks very similar to the real Facebook, and when web users try to log in to their account, they will be presented with an error page.

    However, the information they did attempt to enter will go straight into the hands of the hackers.

    "This fraudulent URL is probably being spread around through emails and through BlackHat SEO techniques," said Luis Corrons, technical director of PandaLabs.

    "In any event, once cyber-crooks have the user's details, they can take any action from the account including publishing spam comments with malicious links, sending messages to contacts, etc."

    PandaLabs urged web users not to reply to or follow links from unsolicited emails, and to always check the URL before entering data to ensure it is legitimate.

    The security firm also said that social networkers who are concerned they may have entered their details on the hoax page should change their passwords immediately.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    PC Advisor UK -By Carrie-ann Skinner

    T-Mobile employees sold data from thousands of customers

    Information commissioner says "paltry fines" are not enough, only jail sentences will do

    A spokesman from T-Mobile confirmed today that the mobile operator had passed on data from thousands of customers amounting to millions of records.

    Information Commissioner Christopher Graham was alerted by T-Mobile, which admitted that brokers paid for the data which they subsequently sold on to other companies. These companies then used the data to call T-Mobile customers whose contracts were due to expire.

    Neil McHugh, managing director of the UK's leading independent mobile phone comparison site www.rightmobilephone.co.uk, said that his advice for people worried about their personal data was to call their mobile phone operator and ask for confirmation that their contact information was safe.

    “Only people coming to the end of their mobile phone contracts are likely to be contacted as a result of the data leak, but if a network operator is responsible, I’m sure the consequences will be severe. Not just facing a potential fine but a huge decline in customer trust,” he added.

    T-Mobile’s spokesman said the data was sold "without our knowledge".

    Graham’s team obtained search warrants to enter premises and are reported to have interviewed T-Mobile employees. A statement on the Information Commissioner's Office (ICO) web site said the following: “The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent.”

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Mobile Communications -By Dave Bailey

    Senate Panel: 80 Percent of Cyber Attacks Preventable

    If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented, a Senate committee heard Tuesday.

    The remark was made by Richard Schaeffer, the NSA’s information assurance director, who added that simply adhering to already known best practices would sufficiently raise the security bar so that attackers would have to take more risks to breach a network, “thereby raising [their] risk of detection.”

    The Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security heard from a number of experts offering commentary on how the government should best tackle securing government and private-sector critical infrastructure networks.

    Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much of a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.

    “Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”

    As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”

    Philip Reitinger, director of the National Cyber Security Center at the Department of Homeland Security, said that end users also need to be made aware of the simple things they can do to protect themselves — such as keeping software and anti-virus up to date.

    For more information please see full article.

    www.wired.com -By Kim Zetter

    Survey finds Mac, PC users are equal cybercrime victims

    Mac enthusiasts are just as likely to fall victim to a phishing attack as Windows users, according to a survey commissioned by security firm ESET.

    The survey of 1,003 people, conducted by Competitive Edge Research and Communications, concluded that most cybercrime losses are caused by phishing attacks, but that users are equally at risk from these ploys, no matter what operating system they use.

    "Phishing attacks are just as effective on Macs, Linux, Windows, Solaris and any operating system since they rely on tricking the user and not on malicious software or any software vulnerabilities," Randy Abrams, director of technical education at ESET, said Monday in a blog post. "The Mac offers no immunity to phishing attacks and so we see a virtually equal percentage of victim representation across the board."

    Avivah Litan, vice president and distinguished analyst at Gartner, said many Mac users believe they are better protected from the threat of malware than non-Apple users. And that generally is true because most trojans are tailored to run on Internet Explorer or Windows and therefore won't work on Macs.

    "But phishing is operating system independent," Litan told SCMagazineUS.com on Tuesday. "It doesn't matter how you operate your email, whether it's through a Mac or a PC."

    Granted, many phishing campaigns attempt to install malware on a victim's machine, but they also may be after login credentials, for example, she said.

    The survey found that fewer than 50 percent of respondents even knew what the social-engineering technique was. Perhaps the solution is to use different platforms.

    "Of note, we did find a lower rate of cybercrime victims among people who use both a Mac and a PC," Abrams said. "This is probably due to a higher level of computer and internet knowledge."

    Make sure whichever OS you are using that you keep your antivirus up to date. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    www.scmagazineus.com -By Dan Kaplan

    The six greatest threats to US cybersecurity

    It’s not a very good day when a security report concludes that disruptive cyber activities are expected to become the norm in future political and military conflicts. But such was the case today as the Government Accountability Office took yet another critical look at the US federal security systems and found most of them lacking.

    From the GAO: “The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, and other critical services. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow.”

    From the GAO:

  • Foreign nations:
  • Foreign intelligence services use cyber tools as part of their information gathering and espionage activities.

  • Criminal groups:
  • There is an increased use of cyber intrusions by criminal groups that attack systems for monetary gain.

  • Hackers:
  • Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites.

  • Hacktivists:
  • Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers.

  • Disgruntled insiders:
  • The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel.

  • Terrorists:
  • Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence.

    “Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks,” Chabinsky said.

    For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Network World -By Michael Cooney

    Bulletins posted 11/17/2009

    Most Security Products Don't Initially Work As Intended, Study Says

    In certification tests, many products fail in functionality or logging, ICSA/Verizon reports

    Nearly 80 percent of security products fail to perform as intended when first tested -- and most require two or more cycles of testing before achieving certification, according to a new report from ICSA Labs, which performs security product testing.

    According to the report, the main reason why a security product fails during initial testing is that it does not adequately perform as intended. Across seven product categories, core product functionality accounted for 78 percent of initial test failures -- for example, an antivirus product failing to prevent infection or an intrusion prevention system product failing to filter malicious traffic.

    The failure of a security product to completely and accurately log data was the second most common reason for test failure, according to the report. Fifty-eight percent of failures were attributed to incomplete or inaccurate logging of who did what -- and when, ICSA said.

    The report findings suggest some vendors and enterprise users consider logging a nuisance. According to the report, logging is a particular challenge for firewalls. Almost every network firewall (97 percent) or Web application firewall (80 percent) tested by ICSA experienced at least one logging problem.

    The third most significant reason for test failure was inherent security problems in the products themselves, including vulnerabilities that compromise the confidentiality or integrity of the system, ICSA said. The product categories studied were antivirus, network firewall, Web application firewall, network IPS, IPSec VPN, SSL VPN, and custom testing.

    For more information on how products pass or fail, please see full article.

    DarkReading -By Tim Wilson

    New Google SafeSearch Shows When Kids Are Protected

    Four colored balls now tell parents their children are protected against adult content while searching on Google.

    The balls appear at the top right of the screen when "strict" SafeSearch is enabled.

    "Today we're launching a feature that lets you lock your SafeSearch setting to the Strict level of filtering," said Pete Lidwell and Aaron Arcos in a post to the company's official blog.

    "When you lock SafeSearch, two things will change. First, you will need to enter your password to change the setting. Second, the Google search results page will be visibly different to indicate that SafeSearch is locked."

    That change is the appearance of the four colored balls at the top right of the page, a clear indication to parents and teachers that can easily be seen from across the room. If the balls appear, strict SafeSearch is enabled; if not, it can easily be re-enabled with a password.

    SafeSearch is Google's technology for blocking adult content and images from its search results. The company admits the technology is imperfect, but it still does an excellent job of filtering adult content and, especially, images from Google results.

    For more information on how Google SafeSearch works, please see full article.

    PC World -By David Coursey

    SSL Flaw Could Have Been Used to Hack Twitter

    A flaw in the protocol used to secure communications over the Internet could have been used to hack Twitter accounts, according to an IBM security researcher.

    Last week Anil Kurmus demonstrated how a flaw in the SSL (Secure Sockets Layer) protocol could be used to essentially trick victims into sending Twitter messages that contained their password information. For the flaw to be exploited, a hacker would first have to find a way to get onto the victim's network, launching what's known as a man-in-the-middle attack, so it would be hard to affect a large number of Twitter users with this technique. The issue was soon patched by Twitter, but it has security experts wondering how many Web sites might suffer from a similar problem.

    A consortium of Internet companies has scrambled to fix the SSL issue since Nov. 5, when it was inadvertently made public on a discussion list. But there has been some debate about the seriousness of the flaw. Shortly after the bug was made public, IBM researcher Tom Cross said that, for the most part, major Web applications would not be affected by the issue.

    But Cross changed his mind, writing: "Unfortunately, the situation is worse than I thought."

    Webmail applications, in particular, may also be at risk from this attack. And security experts also worry that other applications -- databases, for example -- may be at risk.

    Twitter.com was susceptible to the bug because it did what's called client renegotiation under SSL. Client renegotiation gives the Web site a way to ask the Twitter user for an SSL certificate after a user is already connected to the site. It's a useful tool for sites that let users log on using smart cards or for sites that restrict access to a select group of predefined Web surfers, but until the flaw is fixed, client renegotiation also opens the door for SSL attacks.

    There are probably many sites such as Twitter that allow client renegotiation simply because it's built into the SSL protocol and its successor, TLS (Transport Layer Security), said Marsh Ray, one of the PhoneFactor developers who discovered the issue. "A lot of people didn't realize that they were doing it," he said.

    The good news is that many sites can simply disable it outright, which is apparently what Twitter has done. Twitter did not respond to a message asking for comment on this story.

    According to Ray, people should realize that while the SSL flaw is not catastrophic, "this is a serious bug and people need to patch it."

    For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    IDG News Service -By Robert McMillan

    Yahoo Careers website patched to close SQL flaw

    Security researchers have helped to close up a blind SQL injection vulnerability on Yahoo's careers website.

    Through their normal surveillance of cybercrime forums, researchers at web application firewall provider Imperva noticed discussion about the flaw, which was present on careers.yahoo.com and could allow attackers to extract database contents, including personal information. The researchers, though, did not see the cybercrooks attempting to exchange any stolen data.

    The vulnerability is different from a traditional SQL injection flaw, Shulman told SCMagazineUS.com on Monday.

    Typically, to pull off a SQL injection exploit, attackers enter a specially crafted query into a web form, which tricks the database into returning the desired results, Shulman explained. In a blind SQL injection scenario, hackers do not obtain query output. Instead they only receive an indication of whether the query was successful.

    "If you build queries correctly, you can extract one character of information at a time," he said. "It takes time. But once you automate the process, you don't really care."
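    The yes/no leak Shulman describes is easy to see in code. The following is an added example for this bulletin, not Imperva's or Yahoo's code; the applicant table, sample rows and function names are constructed for illustration. It shows a lookup that concatenates user input into the SQL text beside the parameterized version that closes the hole.

```python
import sqlite3

# Added example for this bulletin, not Imperva's or Yahoo's code. The table,
# rows and function names are constructed for illustration only.


def build_applicant_db():
    """Create an in-memory table with constructed sample job-applicant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (email, phone) VALUES (?, ?)",
        [("alice@example.invalid", "555-0100"), ("bob@example.invalid", "555-0101")],
    )
    return conn


def applicant_exists_vulnerable(conn, email):
    """Concatenates user input into the SQL text. The caller only gets a
    yes/no answer, which is exactly the 'indication of whether the query was
    successful' that a blind SQL injection attack relies on."""
    sql = "SELECT COUNT(*) FROM applicants WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()[0] > 0


def applicant_exists_safe(conn, email):
    """Binds user input as a parameter; the database treats it purely as a
    value, so quotes or SQL keywords inside it cannot change the query's logic."""
    sql = "SELECT COUNT(*) FROM applicants WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()[0] > 0


def compare(email):
    """Run both lookups on the same input and return (vulnerable, safe)."""
    conn = build_applicant_db()
    try:
        return applicant_exists_vulnerable(conn, email), applicant_exists_safe(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup gives the same answer either way.
    print(compare("alice@example.invalid"))  # (True, True)
    # A quote-and-condition input turns the concatenated query into one that
    # is always true, while the parameterized query just reports "no such row".
    print(compare("nobody@example.invalid' OR '1'='1"))  # (True, False)
```

    The difference in the second result is the whole blind-injection channel: the vulnerable endpoint answers a question the attacker chose, the parameterized one answers only the question the developer wrote.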

    Attackers often target job sites because of the wealth of personal data contained on them.

    "I think people care more about when a job site gets hit because those tend to include a lot of personal information that is not necessarily meant to be public," he said. "I think mostly, [attackers] take the information out and sell it away to other individuals who make use of it. Depending on the type of information, it can be used for spam, phishing or identity theft."

    A Yahoo spokeswoman did not respond to a request for comment.

    This is not the first time a Yahoo site was victimized by a coding error. Last year, internet research firm Netcraft's toolbar detected a cross-site scripting bug in Yahoo's HotJobs search engine site that could be exploited to steal authentication cookies.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    www.scmagazineus.com -By Dan Kaplan

    FAQ: Recognizing phishing e-mails

    If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.

    Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.

    For screen shots and a full list of suggestions on how to protect yourself please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    InSecurity Complex -By Elinor Mills

    Working at Home: A Wi-Fi, H1N1, Family Survival Guide

    Bah Humbug!! 'Tis the season for stealing your parents' neighbor's Wi-Fi signal, struggling to set up a VPN connection while your flight gets delayed again, locking yourself in a closet to join a conference call, and trying to not catch the H1N1-type virus your sister's kid just sneezed all over your BlackBerry.

    It's just not possible for work not to invade your holiday activities and weeklong family sojourns: Such is life in the always-on 21st century, and most everyone (spouses not included) loves the lifestyle. But there are alternatives to the madness. Here is CIO.com's guide to surviving the holiday season.

    For a list of links, FAQs and other general information on how to work at home and make the most of your time, please see full article.

    www.networkworld.com -By Thomas Wailgum

    Bulletins posted 11/16/2009

    Fake Verizon 'balance-checker' Is a Trojan

    Cyber-criminals have started preying on Verizon Wireless customers, sending out spam e-mail messages that say their accounts are over the limit and offering them a "balance checker" program to review their payments.

    The e-mail messages, which look like they come from Verizon Wireless, are fakes; the balance checker is actually a malicious Trojan horse program.

    "If you run the tool, obviously, your computer is toast," said Nick Bilogorskiy, manager of antivirus research at SonicWall. "You get infected with a Trojan that SonicWall catches under the name Regrun."

    The scammers started sending out the messages around 11:30 a.m. Pacific on Friday, and they quickly flooded the Internet with their spam. Within a few hours, SonicWall had intercepted the messages at about 16 percent of its customers, Bilogorskiy said.

    That translates to about 200,000 messages per hour on SonicWall's sensors. "The volume of these e-mails is just huge," Bilogorskiy said.

    For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    IDG News Service -By Robert McMillan

    Researcher finds "frighteningly bad" Adobe Flash flaw

    A researcher has discovered a new hacker point of entry in Adobe Flash, but the software company's product security director dismissed the research as "not news."

    The flaw allows attackers to infect any website which permits visitors to upload content, including such popular sites as Google's Gmail.

    No fix yet exists, but Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Friday that the issue is not patchable and instead requires webmasters to apply safeguards.

    The alarm was raised Thursday by Mike Bailey, senior researcher at Foreground Security, an information security services vendor, on the company's blog. He called the flaw a "frighteningly bad thing" because of the preponderance of sites that allow users to upload files.

    At that point, the hackers gain control of the targeted site, deposit a malicious Flash object on the web server, and can then execute malicious scripts in the context of that domain, thereby infecting visitors to that site.

    Be careful when going to any site that is using Adobe Flash even if you are not using it on your computer. For more information on suggestions of how to protect yourself, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    http://www.scmagazineus.com -By Greg Masters

    Attack tool can hijack data off unlocked iPhones

    Hackers can steal data off jailbroken iPhones by leveraging the same vulnerability that currently is being used to spread a mischievous worm.

    The new exploit, spotted by researchers at Intego, a Mac security firm, allows attackers to siphon data off victim devices, including music, text messages, email, contacts and other personal information.

    The vulnerability that an Australian hacker recently leveraged to launch a worm prank -- which changes the victim iPhone's wallpaper to a photo of 1980s pop star Rick Astley -- is the same one that can be used to steal data, James said.

    The attack occurs on an SSH-enabled jailbroken iPhone, meaning the device is unlocked so users can install software not available via iTunes, he said. If users fail to change the default password for SSH, which allows the phone to be accessed remotely over the internet, an attacker can gain root access to the device.

    "Anyone can connect to the iPhone using this password," James said.

    Attackers perpetrate the theft by installing a tool on their computer, and then waiting, such as at an internet cafe, for jailbroken iPhones to be present, he said.

    "It will suck down the data and save it," James said.

    He said he expects attacks targeting unlocked iPhones to rise in number and severity. James said users should avoid jailbreaking their phones, but if they do, they must remember to change the default SSH password, if the utility is running. Apple, he added, has no obligation to fix the issue.

    For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    http://www.scmagazineus.com -By Dan Kaplan

    DNS problem linked to DDoS attacks gets worse

    Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.

    According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an "open recursive" or "open resolver" system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. "The two leading culprits we found were Telefonica and France Telecom," he said.

    In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu.

    Though he hasn't seen the Infoblox data, Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of "the increase in home network appliances that allow multiple computers on the Internet."

    "Almost all ISPs distribute a home DSL/cable device," he said in an e-mail interview. "Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states."

    Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what's known as a DNS amplification attack.

    In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim's computer. If the bad guys know what they're doing, they can send a small 50 byte message to a system that will respond by sending the victim as much as 4 kilobytes of data. By barraging several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.
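    The fix the article implies is that a home-gateway resolver should answer only its own network. The following is an added example for this bulletin, not Infoblox's or any vendor's code; the network ranges, query name and helper names are constructed. It parses the "recursion desired" bit from a wire-format DNS query, applies a source-address policy, and works out the amplification factor from the article's 50-byte query and 4-kilobyte reply.

```python
import ipaddress
import struct

# Added example for this bulletin; not Infoblox's or any vendor's code.
# Network ranges, names and helper names are constructed for illustration.

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags field


def build_query(txid, name, qtype=1, rd=True):
    """Build a DNS query in wire format: 12-byte header plus one question."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet):
    """Parse the header and first question of a wire-format DNS query.
    Returns (transaction id, recursion desired, query name, query type)."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not valid in a query name
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, bool(flags & RD_FLAG), ".".join(labels), qtype


def should_answer(src_ip, packet, allowed_nets):
    """Policy for a resolver on a home gateway: serve only the local networks.
    A recursive query from anywhere else is exactly the 'open resolver'
    behaviour the article warns about. Returns (answer, reason)."""
    _txid, rd, _qname, _qtype = parse_query(packet)
    src = ipaddress.ip_address(src_ip)
    inside = any(src in ipaddress.ip_network(net) for net in allowed_nets)
    if not inside:
        if rd:
            return False, "recursive query from outside the local network"
        return False, "query from outside the local network"
    return True, "ok"


def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_len / query_len


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print(parse_query(q))
    print(should_answer("192.168.1.10", q, ["192.168.1.0/24"]))  # (True, 'ok')
    print(should_answer("203.0.113.5", q, ["192.168.1.0/24"]))   # refused
    print(amplification_factor(50, 4096))  # about 82 for the article's figures
```

    The policy check is the resolver-side equivalent of "closed by default"; the amplification figure shows why a spoofed 50-byte query is worth sending when the reply is 4 kilobytes.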

    For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    IDG News Service -By Robert McMillan

    Kaspersky Unveils Antivirus for Mac

    It is wrong to think that a Mac operating system is safe from malware.

    "Since 2005, there has been a marked increase in the number of vulnerabilities in the Mac OS which can be used to conduct an attack via the Internet," said Gun Suk Ling, managing director for Kaspersky Lab, Southeast Asia.

    Recently, secure content management solutions developer Kaspersky Lab announced the release of its latest product, Kaspersky Anti-Virus for Mac. It shields the Mac OS against viruses, worms and Trojans, as well as similar problems on other operating systems such as Windows and Linux.

    It has been observed that the introduction of Mac OS X has made the usefulness of multi-platform computers known on a wide scale, and thus created room for Macs in corporate and home networks.

    The flipside of the coin, however, is that this multi-platform capability also makes the Mac, like any other computer on a network, prone to malware attack.

    "Just because they have not been infected in the past does not mean they are safe now," Gun said. "For example, a Mac machine may be compromised by Trojans or key loggers without the user being alerted to the presence of the threat."

    For more information on the features this product will offer Mac users, please see full article.

    Computerworld Singapore

    Job Search Scams: Protect Yourself Against Identity Theft

    As U.S. unemployment has increased, so too has the number of job search scams identity theft rings are perpetrating against desperate job seekers.

    "We have seen a large proliferation of these scams over the past six to nine months because of the employment situation," says Lyn Chitow Oaks, chief marketing officer of TrustedID, which provides identity-theft protection services to individuals, families and businesses.

    She notes that identity thieves are targeting job seekers because they're vulnerable and willing to share personal information as part of the job search process.

    Two types of job search scams are most common, according to Oaks. One is a phishing scam, where identity theft perpetrators e-mail would-be victims to tell them about potential jobs and opportunities to make extra money. The e-mails direct recipients to websites that identity thieves have created specifically for gathering personal information, just as if it were a job application, says Oaks.

    These fake applications request all the information job seekers would expect to provide, such as their name, address and phone number, as well as information they may not expect to offer so early in the process, she adds, such as their Social Security number, permission to conduct a background check and bank account information.

    "They tell you they need your bank account information so they can make sure your check can be direct deposited," she says, adding that they'll sometimes go so far as to say that they'll place money in your account and then remove it just to make sure it works.

    "By allowing them to place money in your account and remove it, you let your bank know that this 'employer' can take money out of your account, and that's how they wipe out people's bank accounts," says Oaks. Never mind the fact that you'll never receive any information about any job from one of these e-mails.

    Oaks adds that the identity thieves buy e-mail addresses from legitimate businesses that don't realize they're selling people's information to the Internet black market.

    In the second scam, identity thieves pose as employers on legitimate job search sites. They post a generic job that would appeal to a large number of people, Oaks says, and in the course of talking to applicants, they ask for personal information.

    "There are identity thieves all over valid and existing job search websites who are posing as employers," she says.

    For a list of ways to protect yourself please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    www.networkworld.com -By Meridith Levinson

    Swine flu fears making millionaires out of Russian hackers

    As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet.

    Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes.

    This year, Sophos has intercepted hundreds of millions of fake pharmaceutical spam adverts and fake pharmaceutical websites, promoted by affiliate members. Working day and night, thousands of affiliates use criminal methods including spam, adware and malware to drive as much traffic to their partners' stores as possible, which then sell high-profit illegal goods as part of a multi-million dollar industry.

    Once someone searches online for Tamiflu, they are directed to specific online pharmacies such as the Canadian Pharmacy to purchase a generic and very possibly counterfeit version of the drug. What most people don't know is that cybercriminals have often manipulated internet search engine results to drive as much online traffic as possible to these sites. Furthermore they bombard innocent users with adverts via spam email sent from hijacked botnet computers and hacked social networking accounts.

    The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet.

    To see screen shots of these sites please see full article. Never order medication online without checking with your healthcare provider first. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Graham Cluley's blog -By Graham Cluley

    ----------------------------------------
    Last Updated: November 13, 2009
    Website Contact: David Matthews