Tuesday, December 9, 2008

Apple deletes Mac antivirus suggestion

Updated 7:45 p.m. PST with expert comment, at 7:20 p.m. PST with context on previous coverage, and at 7:08 p.m. PST with background.

Apple removed an old item from its support site late Tuesday that urged Mac customers to use multiple antivirus utilities and now says the Mac is safe "out of the box."

"We have removed the KnowledgeBase article because it was old and inaccurate," Apple spokesperson Bill Evans said.

"The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box," he said. "However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection."

Apple's previous security message in its KnowledgeBase, which serves as a tutorial for Mac users, was: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."

Security experts, while pleased that Apple would urge Mac users to install antivirus software, had warned that running multiple antivirus products could cause problems and recommended against it.

Apple's antivirus support note was initially published last year and was updated last month, despite reports that it was a new note.

One Apple expert speculated that Apple was merely removing a poorly worded support note and said it probably wasn't ever Apple's intention to tell Mac users they need antivirus.

"I bet you it was a low-level support note and it hadn't gone through the right approvals," said Rich Mogull, security editor of Apple news site TidBITS. "That's my guess."

To some, Apple's latest move will be seen as back-tracking given that it comes one day after those misleading reports circulated. The motive remains unclear, particularly because Apple didn't replace the previously published suggestion with an updated one.

The message that remains is that Mac users don't really need to take additional steps to protect against viruses and other malware. Telling customers they can run antivirus for "additional protection" could be interpreted as a way to protect against any liability.

There are no known viruses in the wild that exploit a vulnerability in the Mac OS, and Windows continues to be the overwhelming preference for malware writers to target their programs. But malware isn't just taking advantage of operating system weaknesses anymore. In fact, the majority of such threats now come from code that targets weaknesses in browsers and other applications that aren't platform specific.

Mogull said he doesn't recommend that the average Mac user install antivirus software because of the low level of malicious software seen for Macs at this time.

To me, this new Apple statement poses more questions than it answers.

Regardless of the meaning of Apple's latest action, I'm pleased to now have open lines of communication with the company. Over the last few months, I have had an increasingly difficult time getting any response to my e-mails and phone calls. For instance, I got no response to my requests for comment on Monday's article about this topic. However, after talking to several Apple spokespeople on Tuesday about the matter I am confident that the situation has been cleared up.

I also was reminded of how much collective knowledge CNET readers have about Apple and would like to extend an invitation for people to feel free to contact me directly at elinor.mills@cnet.com with any feedback and tips related to Apple security issues. 

Ref :: http://news.cnet.com/8301-1009_3-10111958-83.html

Antivirus firms shrug at Microsoft's free security suite


Updated at 1:15 p.m. PST Wednesday with comment from Symantec and at 11:45 a.m. PST Thursday with comments from McAfee and Kaspersky.

For some security companies, Microsoft's decision to offer a free anti-malware product, code-named Morro, won't result in a dramatic change in how they do business.

Morro will be available in the second half of 2009 and will protect against viruses, spyware, rootkits, and Trojans, according to Microsoft.

"With OneCare's market share of less than 2 percent, we understand Microsoft's decision to shift attention to their core business," Joris Evers, director of worldwide public relations for McAfee, said in an e-mail.

As for confronting a free malware solution from a software giant, Evers said, "With more malware attacks than ever before, we believe our advanced technology, commitment to consumer education, superior protection, dedicated focus on security, and our 20-plus years in this business will provide consumers the confidence to choose McAfee as their trusted adviser and expert in security."

Justin Priestley, senior vice president of consumer sales at Kaspersky Lab's Americas division, also seemed not that concerned at the prospect of facing a free security solution from Microsoft.

"Having entered the U.S. consumer market at the same time as Microsoft, we initially viewed them as a formidable player. They've continued to hold a very low market share in the consumer market, and we don't expect the exit of OneCare to change the playing field drastically," Priestley said. "With the increasing threat malware and Web attacks pose, security is as important as ever, and we believe people will continue to choose antimalware software based on the quality of protection and will choose the highest-level product available."

Rowan Trollope, senior vice president of Symantec's consumer business, characterized the announcement as a "capitulation by Microsoft, and a reinforcement of the notion that it's simply not in Microsoft's DNA to provide high-quality, frequently updated security protection."

Read More ...


Featured Freeware: Laptop Alarm


This simple program will sound an alarm through your laptop's speakers when certain activities occur, helping to thwart laptop theft. Laptop Alarm's four-check-box interface takes seconds to set. An options pop-up is just as easily used to control mouse sensitivity and set a program password.

Operating Laptop Alarm is a snap. Users merely run the executable and set the alarm to sound if the laptop loses power, if the system is shut down or logged off, if the USB mouse is unplugged, or if the mouse is moved. Testers found the program accurate, with no false alarms. There's no way to change the alarm sound, and users aren't given the opportunity to enter the program password before the alarm goes off.

Laptop Alarm performs well and as expected, but it doesn't run in the background and must be reset each time you want to use it. Leaving your computer is not an action we'd recommend, but this freeware may at least hurt the ears of a potential laptop thief.

Ref :: http://www.download.com/8301-2007_4-10101869-12.html


Tuesday, September 9, 2008

EstDomains: A Sordid History and a Storied CEO


In this second part to an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin, pictured below.

Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

A Superlative Scam and Spam Site Registrar

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.


Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.


Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

FBI Warns of Hit Man Scam Resurgence

The FBI is warning people not to be disturbed by an e-mail scam that threatens your life and orders you to pay up to avoid being the target of a hired hit man.

The FBI said its Internet Crime Complaint Center continues to receive thousands of reports concerning the hit man e-mail scheme. The FBI notes that while the content of the missive has evolved since similar hit man scams first surfaced in late 2006, the message remains the same, claiming the sender has been hired to kill the recipient.

In some cases, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' personal information are used in an attempt to make the fraud appear more authentic, the FBI said.


Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Sunday, September 7, 2008

Scammer-Heavy U.S. ISP Grows More Isolated



Last week, Security Fix published an analysis of Atrivo, a California based Internet service provider, also known as Intercage, that has proven to be a virtual magnet for cyber-criminal operations. Since that time, Atrivo's biggest network backbone provider decided it could no longer support the company, and stopped offering it direct connectivity.

I first got wind of this change while reading a post on the NANOG mailing list, which caters to professionals employed by ISPs and various network providers. Marcus Sachs, director of the SANS Internet Storm Center, had said it looked like Global Crossing had stopped handling long-haul Internet traffic for Atrivo/Intercage within hours after our story was published. I followed up with Marc, but he was unable to produce any conclusive data showing the change.

Fast forward to today, and with the help of Jose Nazario at Arbor Networks, I was able to pull together a view of what happened. Global Crossing has in fact "de-peered" from Atrivo/Intercage, so it is no longer providing direct Internet connectivity.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Number of Bot-Infected PCs Skyrockets

The number of PCs compromised with software that lets cyber criminals control the machines from afar has more than quadrupled over the last quarter, security experts warn.

The estimates come from Shadowserver, a volunteer group that monitors activity from robot networks, or "botnets," large armies of hacked personal computers used for spam, phishing and all kinds of criminal activity. Shadowserver saw a rise from roughly 100,000 botted PCs to about 400,000 over the past three months.

John Bambenek, an incident handler with the SANS Internet Storm Center, which tracks hacking trends, speculates that the spike is probably related to the massive numbers of Web sites that have been hacked through SQL injection attacks and seeded with browser exploits.

While those numbers might seem high, they suggest more of a recent upward trend in bot counts rather than an accurate picture of just how many compromised PCs are out there. In fact, numerous other security experts this year have spotted single botnets that include upwards of 350,000 compromised PCs. And by nearly all accounts, there are thousands of distinct botnets out there today under the thumb of criminal groups and individual hackers.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Monday, September 1, 2008

FBI Warns of Hit Man Scam Resurgence

The FBI is warning people not to be disturbed by an e-mail scam that threatens your life and orders you to pay up to avoid being the target of a hired hit man.

The FBI said its Internet Crime Complaint Center continues to receive thousands of reports concerning the hit man e-mail scheme. The FBI notes that while the content of the missive has evolved since similar hit man scams first surfaced in late 2006, the message remains the same, claiming the sender has been hired to kill the recipient.

In some cases, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' personal information are used in an attempt to make the fraud appear more authentic, the FBI said.

I've heard about these scams before, but never actually seen one of the e-mails until today. Below is a copy of one of the scams making the rounds now.

"Dear Friend,
Goodday to you.
Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. As you can see there is no need of introducing myself to you because I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you and I have to do it as I have already been paid for that.
Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he want you dead and he provided us with your name, picture and other necessary information's we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Report: Email Address Dictates Spam Volume

The first letter of your email address is one factor in your spam risk, a researcher says

By Kelly Jackson Higgins, Senior Editor, Dark Reading

Everyone knows that some people get more spam than others, but new research shows that it may have something to do with the first letter of your email address.
Richard Clayton, a security researcher at the University of Cambridge in the U.K., says he found evidence that the more common the first letter in your email address is, the more spam you get: in other words, alice@company.com typically gets a higher volume of spam than quincy@company.com, or zach@company.com. He says that’s simply because there are more combinations of names that begin with “A” than with “Q” or “Z.”

Over an eight-week period, Clayton studied around 8.9 million emails at a U.K. ISP and found that the email addresses that began with “A” received 35 percent spam in their inboxes, while “Z’s” got about 20 percent -- after sorting out real emails versus invalid ones that had likely been generated by a spamming tool. Clayton says it’s likely that spammers using dictionary attacks could be the cause of this disproportionate distribution of spam.

Read more ...
Dark Reading.

Report Slams U.S. Host as Major Source of Badware

Last week, I examined a series of Web services that make profiting from cyber crime a point-and-click exercise that even the most novice hackers can master. Today, I'd like to highlight the activities of Atrivo, a Concord, Calif., based network provider that hosts some of these services.

Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.

The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog hostexploit.com.

Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet.

The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Microsoft Patches 26 Security Holes

Microsoft today released updates to fix at least 26 security vulnerabilities in its Windows operating systems and other software. At least 17 of those flaws earned Microsoft's "critical" rating, meaning they could be exploited to break into vulnerable systems with little or no help from the victim.

The 26 vulnerabilities are the most Microsoft has addressed since it had 25 in August of 2006, which also included 17 rated as critical, according to anti-virus firm Symantec.

Microsoft patched two holes that have already been used in targeted attacks against people browsing the Web with Internet Explorer 6 and 7. In addition to those two fixes, one bundle of critical updates plugs five other security holes in Internet Explorer, most of which Microsoft said are present in all versions of the browser.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Saturday, July 12, 2008

A Baker's Dozen of Security Updates for iPhone 2.0

As expected, the 2.0 version of iPhone released today includes a number of security updates, patching more than a dozen holes in the slimmed-down OS X operating system that powers the devices.

That means for those who already own Apple's mobile device, it's time to update.

As detailed in a column last week, a number of these patches are updates that Apple shipped earlier this year for Safari and/or the version of OS X designed for Mac desktop and laptop computers. iPhone 2.0 bundles some 13 security updates, five of which address previously undocumented security flaws.

Among the more notable (if not serious) patches: One fix for the gadget's Safari Web browser that was addressed by a number of other software makers (including Mozilla) back in June 2006. Another Safari update plugs a security hole that Apple sealed in its Microsoft Windows version of Safari last month. Another fix corrects a bug in the iPhone's innards that Apple said could allow remote attackers to reset a targeted iPhone by sending it a specially crafted packet. An exploit for this vulnerability has been available online since February.

The new software is available for iPhone 1.0 and iTouch 1.1 devices, through iTunes.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Speeding In Maryland Could Be Hazardous to Your Identity

If you've ever received a traffic ticket in Maryland, your name, birthday, Social Security number and address may be posted on the Maryland state Web site for anyone to find, Security Fix has learned.

Reader Mark Webster from Annandale, Va., alerted me that the official Maryland court records Web site lists the personal data of countless citizens. The citations listed go back more than 30 years, and include records even for routine traffic stops that were ultimately dismissed.
The records with sensitive data in them appear to be limited to tickets issued to people who currently or at one time lived in a state that previously used the Social Security number as the default driver's license or customer number. [..]

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Thursday, April 3, 2008

April Fool's Day Warning, And Some Fun - Security Fix


This post has been updated. Please read through to the end.

Original post:

The cyber criminal(s) behind the Storm worm want to make an April Fool out of you today.

The Storm worm author(s) likes to use holidays and other notable calendar occasions to launch new attacks. True to form, new versions of the Storm worm were blasted out yesterday as links in an e-mail that included a taunting image of an idiot in a fool's costume wearing a 'kick me' sign. Anyone foolish enough to follow the embedded directions telling recipients to 'click here, if your download doesn't start in 5 seconds,' will hand their PC over to the bad guys.

Image F-Secure.com

The security news on this first day of April isn't all hackers and viruses. In fact, you'd do well not to take anything you read online today too seriously. Below are a few of the more entertaining fake security news stories spotted so far today (hat tip to the SANS Internet Storm Center).

F-Secure: A new Trojan horse program that actually deposits money into your bank account.

Google: Introducing 'Gmail Custom Time.' Didn't send that presentation on time? No problemo! Now you can back-date your Gmail messages.

NASA: Giant Space Station Robot Turns on Crew (image). [..]

Read more...
Brian Krebs on Computer Security. The Washington Post Company.

The Curious Case of Dmitry Golubov - Security Fix


Earlier this month, Security Fix took a look at Dmitry Ivanovich Golubov, a Ukrainian politician once considered by U.S. law enforcement to be a top cybercrime boss.

Golubov took rather strong exception to the way he was characterized in that post, denying involvement in any type of cybercrime activity. The problem, Golubov claimed, is that the FBI confused him with someone else.

According to Golubov, he was the victim of identity theft. Someone gained access to his passport, scanned it and posted it online along with a note confessing his involvement in a multinational credit card theft ring. According to Golubov, the note read:

"I Dmitry Golubov, leading hacker, I hack banks, but I have nothing to fear because the police with me at the same time, and in order for you to believe me that I am not afraid I show you my passport, as well as my home address and home phone."

"I am not mentally sick; if I indeed engaged in such activities, you think I will write about this on the Internet?" Golubov wrote in an e-mail exchange with Security Fix.

It just so happened that a short time after I wrote about Golobuv's political activities, I heard from one of the FBI agents who worked on his case back in 2005. The agent traveled to Ukraine to visit Golubov while he was in prison there awaiting trial.



Read more...

Brian Krebs on Computer Security. The Washington Post Company.

Thursday, March 20, 2008

Spyware Horror Story: Antispyware bog-down | Software news, tips, and opinions from Download.com editors - Download.com

Published by Jack; Brisbane, Australia

I run Windows 2000 Professional and ran Ad-Aware SE with great success. Ad-Aware stopped updating this year, so had to then get Ad-Aware 2007. This did not work. It kept seizing up while scanning, so I got rid of it and then downloaded McAfee VirusScan from Download.com. This is when my worries began.

My PC just virtually seized up. Every task took 10 times longer to do. If I wanted to open a window or go onto the Internet, I had to click on the icon and go away for 5 minutes before it would come up. It was sooo frustrating. If I had maybe three programs running, then the machine would tell me that there wasn't enough memory and it would have to expand it. I checked the Task Manager and saw that the program running the most memory was "massrv.exe," which turned out to be McAfee. So, I've had to uninstall it. Even then it didn't want to be removed and it took three goes before it surrendered! Frustration!

Here's what I want to know: Is there any antispyware program around that works with 2KB without seizing up?


Editor's response

2KB, Jack? Two?! I hope you mean MB, for megabytes, because there are very few programs that do anything with fewer than even 20 kilobytes. In fact, in the antivirus category on CNET Download.com, there are precisely seven below 50KB in size.

You'd do better with a 2MB restriction. Zone Alarm Anti-virus and ProcessGuard are both high-rated products sliding in just shy of 2MB, and the new, promising Haute Secure just tops your upper limit at 3.45MB.

But really, this cute little scavenger hunt is beyond the point. Part of responsible PC ownership is investing in enough memory to support strong, smoothly functioning security. Period. Just check out some juicy Spyware Horror back stories to see the consequences.

But I won't leave you in a lurch. CNET Shopper is a great resource for pricing RAM before you buy, and there are certainly a few tricks on Download.com that can help you narrow your search for RAM-conscious apps with elusive Cinderella footprints. Every listings page on Download.com contains a drop-down menu for filtering a search; this includes OS, license (if the app is free or free to try), and size. The memory requirements are also reproduced in the stats on every product page you open, so there's no excuse for downloading something too gargantuan for your computer to handle and then blaming the app for poor performance.


Using the size filter on CNET Download.com can save you time finding apps with small footprints.

Read more ...
Posted by Jessica Dolcourt, Download Blog, Download.com

Set Internet Explorer and Firefox to maximize your security | Software news, tips, and opinions from Download.com editors - Download.com

Modern browsers are much better than their predecessors at keeping your Web activity private and your data safe. Still, you may not have your browser configured to provide optimum security. Take a few minutes to give Internet Explorer 7 and Firefox 2 a safety check.

Batten down IE7's hatches
The version of IE7 for Vista adds the Protected Mode, which allows Web sites to access only the Temporary Internet Files folder on your PC. According to Microsoft, this feature is on by default for the Internet, Intranet, and Restricted zones, but disabled for the Trusted Sites and Local Machine zones. On my machine it was enabled for all zones. You'll see "Protected Mode: On" in the status bar when it's active, or click Tools > Internet Options > Security, and make sure "Enable Protected Mode (requires restarting Internet Explorer)" is checked at the bottom of each zone.

Maximize security in IE7 for Vista by making sure Protected Mode is enabled.
(Credit: Microsoft)

There have been some reports of Protected Mode causing problems, so if a particular page won't load or run correctly, disabling this feature may solve the glitch, though I don't recommend keeping Protected Mode off. The Web's not getting any safer, and you need all the protection you can get.
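The paragraphs above tell you to click through each zone's Security tab to confirm "Enable Protected Mode" is checked. On a Vista machine the same per-zone setting can be read from the registry in one pass, which is handy for checking several accounts or documenting a baseline. The script below is an added example and is not part of the Download.com post; it assumes, as IE's zone settings document, that the "Turn on Protected Mode" flag is the DWORD value named 2500 under each zone key (0 = on, 3 = off) and that zone IDs 0 through 4 map to the five zones named in the table. It only reads settings; it changes nothing.

```powershell
# Added example (not from the Download.com post): list IE7 Protected Mode state per zone.
# Assumption: the per-zone "Turn on Protected Mode" flag is DWORD value 2500 under
# HKCU\...\Internet Settings\Zones\<id>, with 0 meaning enabled and 3 meaning disabled.
# Assumption: zone IDs map as listed below (standard IE zone numbering).
$zoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ProtectedModeState {
    param([int]$ZoneId)
    $key   = Join-Path $base $ZoneId
    # SilentlyContinue: a missing zone key just yields $null rather than an error
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.'2500' } else { $null }

    if ($null -eq $value)  { return 'Not set (zone default applies)' }
    elseif ($value -eq 0)  { return 'On' }
    elseif ($value -eq 3)  { return 'Off' }
    else                   { return "Unknown ($value)" }
}

foreach ($id in 0..4) {
    [pscustomobject]@{
        ZoneId        = $id
        Zone          = $zoneNames[$id]
        ProtectedMode = Get-ProtectedModeState -ZoneId $id
    }
}
```

Run it in a normal (non-elevated) PowerShell session for the user whose browser you care about, since the Zones key lives under HKCU. If a domain Group Policy enforces the setting, the effective value comes from the Policies branch instead and the per-user value shown here may not be what the browser actually uses; the "Protected Mode: On" indicator in the status bar remains the final word.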

Another great new feature in IE7--for XP and Vista alike--is the Phishing Filter. Why the filter is off by default I'll never know. To activate it, click Tools > Phishing Filter > Turn On Automatic Website Checking > OK. Unfortunately, choosing Tools > Phishing Filter > Phishing Filter Settings merely opens the Advanced Internet Options dialog box, where you can scroll down to the Phishing Filter section under Security, only to find that your only two options are to disable the filter, and to "turn off automatic website checking." But while you're in the Advanced Options settings, make sure "Automatically check for Internet Explorer updates" is checked in the Browsing section. Click OK when you're done. [...]

Read more ...

Posted by Dennis O'Reilly, Download Blog, Download.com

Sunday, March 16, 2008

A free and easy way to test your Wi-Fi security

If you’re wondering just how secure your home network is, here’s an easy way to find out. Pure Networks, makers of the popular Network Magic management tool for home networks, has a free diagnostic scan that will deliver a scorecard on your network’s security status.



The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic. But it’s a fun download that can provide insight into your network security in just a few minutes.



Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category and alerts you to any worrisome issues found. Click View and it gives you a detailed look within each category.

Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date. Under the Wireless Security tab, the scan checks to ensure that you have changed the factory SSID, tells you what kind of wireless security you’re using, and whether there are any SSID name conflicts. [...]


Read more ...
Rik Fairlie, ZDnet.com

Six Degrees of E-Separation

If you've ever played the game "Six Degrees of Kevin Bacon," you know there's a lot of truth to it. It's based on the notion that any actor can be linked through his or her film roles to Mr. Bacon.
And if you've ever spent some significant time on social networking sites, it's pretty easy to see how this game can be applied to your own or your friends' real connections.
So, it should come as no surprise that the same dynamic may work amongst victims of computer viruses.

I came up with the nutty idea for this experiment after stumbling upon a trove of data stolen by a single keystroke logger, which appeared to be in operation between June and September of 2007, according to the time- and date-stamped records. During that time, the criminal(s) responsible for distributing that keylogger ensnared some 10,000 victims, stealing more than 20 gigabytes worth of stored user names and passwords, as well as credentials passed when victims logged in to any sites that required credentials.

Security Fix has mined these types of data troves in previous posts, examining everything from the types of credit cards stolen to compromised businesses to mapping out victims by geographic region. In an effort to look at this data in a different light, I chose this time around to look at the relationships between all victims who had accounts with LinkedIn, a social networking site that caters to executives and the business community.

Out of those 10,000 victims, I was able to confirm that at least 100 were LinkedIn users. That is, only about 100 had either stored their LinkedIn credentials in Internet Explorer or had logged into their LinkedIn account while the keylogger resided on their PC. I was unable to positively identify about one-quarter of the 100 LinkedIn users in this set, most likely for one or more of the following reasons: their full name wasn't included in the rest of the stolen data; the victim's last name had changed since the data was stolen; they had closed their LinkedIn account since the data was stolen. [...]

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.
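The triage described in the post above, finding which victims in a keylogger dump had credentials for one site, whether captured from the browser's stored passwords or typed at login, can be done with a short parser. The following is an added example and not the author's tooling; the record format (timestamp|victim|source|url|form-body) and every record in it are constructed, not real stolen data.

```python
"""Group keylogger records by site and list the accounts captured for one site.
Added example; the log format and all records below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample dump. "typed" = captured at login, "stored" = lifted from
# the browser's saved-password store. Identities are throwaway example addresses.
SAMPLE_LOG = """\
2007-07-14 09:12:33|victim-0001|typed|https://www.linkedin.com/secure/login|session_key=alice%40example.com&session_password=hunter2
2007-07-14 09:15:02|victim-0001|typed|https://mail.example.net/login|user=alice&pass=hunter2
2007-08-02 22:40:11|victim-0002|stored|https://www.linkedin.com/|login=bob%40example.org&pwd=letmein
2007-08-03 08:01:45|victim-0003|typed|https://secure.bank.example/auth|uid=carol&pin=1234
2007-09-20 17:22:09|victim-0004|typed|http://linkedin.com/secure/login|session_key=dave%40example.com&session_password=pa55word
2007-09-21 03:10:00|victim-0002|typed|https://www.linkedin.com/secure/login|session_key=bob%40example.org&session_password=letmein
"""

# Form field names that carry the account identity, checked in order.
CRED_FIELDS = ("session_key", "login", "user", "uid", "username", "email")


def registrable_domain(host):
    """Collapse www.linkedin.com and linkedin.com to one key.
    Naive (last two labels); real tooling should use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_records(text):
    """Turn raw lines into dicts with a normalised site key and extracted identity."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, victim, source, url, body = line.split("|", 4)
        host = urlsplit(url).hostname or ""
        fields = {k: v[0] for k, v in parse_qs(body).items()}  # also URL-decodes %40
        identity = next((fields[f] for f in CRED_FIELDS if f in fields), None)
        records.append({"ts": ts, "victim": victim, "source": source,
                        "domain": registrable_domain(host), "identity": identity})
    return records


def victims_by_site(records):
    """site -> sorted list of distinct victim ids seen for that site."""
    sites = defaultdict(set)
    for r in records:
        sites[r["domain"]].add(r["victim"])
    return {d: sorted(v) for d, v in sites.items()}


def accounts_for(records, domain):
    """(victim, identity) -> how it was captured, de-duplicated across stored/typed."""
    seen = {}
    for r in records:
        if r["domain"] == domain and r["identity"]:
            seen.setdefault((r["victim"], r["identity"]), set()).add(r["source"])
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for site, victims in sorted(victims_by_site(recs).items()):
        print(f"{site}: {len(victims)} victim(s)")
    for (victim, ident), how in accounts_for(recs, "linkedin.com").items():
        print(f"  {victim} {ident} via {', '.join(how)}")
```

Keying on the registrable domain rather than the raw hostname is what keeps `www.linkedin.com` and `linkedin.com` from being counted as two sites; the same victim showing up under both "stored" and "typed" is one account, which is why the last function merges the two sources.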

Wednesday, March 12, 2008

The Future of Anti-Virus Software

John Moore on March 11, 2008
Anti-virus software elicits a variety of responses from industry executives, analysts and users.
Some question the usefulness of the software and view signature-based offerings in a particularly dim light. Others cite the performance effects that anti-virus tools have on PCs. Anti-virus proponents, however, believe that the technology will endure as a component of a layered defense strategy, pointing to the addition of behavior-based scanning.

“As long as viruses exist, anti-virus programs will be designed to help protect users from online threats,” said Tim Rains, security response communications lead for Microsoft.

Rains pointed to data stemming from Microsoft’s Malicious Software Removal Tool as supporting the importance of running anti-virus software. The tool removed malware from 1 out of every 217 computers in the first half of 2007, compared with 1 out of every 409 computers in 2006 and 1 out of every 359 computers in the second half of 2005.

Network Distribution

But there’s another anti-virus issue to consider: Will anti-virus software continue to evolve as a third-party product, or will it become a feature embedded in OSes?

Rob Enderle, principal analyst at Enderle Group, said he believes basic security should be part of the OS platform.

“With IBM mainframes, the core security came from IBM, and for Unix, core security was provided by the platform owners,” he said. “If you needed extra, that could come from a number of sources. But basic security — and anti-virus is basic security — should be part of the platform in my view.”

David Lawson, director of risk management at Acumen Solutions Inc., a business and technology consulting firm, has a different take on where the anti-virus function will reside. He believes that anti-virus tools may end up embedded in the network, noting that the centralization of anti-virus technology would provide an efficiency boost.

“I would suggest we pull [anti-virus] away from the desktop and centralize it more,” Lawson said, adding that he sees anti-virus software moving to network devices as part of rule-based forwarding and onto application servers.

Enderle, meanwhile, said that user demands at the OS level will alter the anti-virus landscape. “I think we are seeing a trend where people who use … Windows, Apple and Linux expect the folks who supply it to provide for their basic security needs,” he explained. “This will likely change the anti-virus market dramatically.”

Key Differentiators

However, [...]

Read more ...
IT Security.com

Microsoft Patches 12 Office Security Holes

Microsoft today issued four updates to fix at least a dozen security vulnerabilities in its Office software products. All of the updates earned Microsoft's "critical" label, meaning attackers could exploit the flaws to break into Windows systems with little or no help from users.

Included in today's Patch Tuesday roundup are fixes for just about every Office suite or stand-alone product that Microsoft currently supports -- going back to Office 2000 and including Office for Mac software and various Office Viewer components.

One of the updates, which mends at least seven flaws in different Office titles, patches a security hole that hackers were exploiting as early as last week, according to reports from US-CERT and the SANS Internet Storm Center.

Interestingly, that patch and one other address security holes found in Office 2007, a product that underwent rigorous code review in an attempt to minimize the kinds of security weaknesses that were found to be pervasive in older versions of Office.
Office users can grab the latest patches from Microsoft Update. Office 2000 users, however, can only obtain them from Microsoft's Office Update. Office 2000 users may also need to have their Office installation CD handy in order to install these updates. [...]

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Tuesday, March 11, 2008

When Ads Go Bad

A long-time trusted source recently alerted me that some inappropriate advertisements were running on Neopets.com, a Web site full of addictive Macromedia Flash games aimed at pre-teens. Surprisingly, the curators of Neopets.com -- major media conglomerate Viacom -- are disavowing responsibility for the racy ads, saying they did not exist on their network and instead were the result of adware or spyware on my source's computer.

Included is a screenshot taken of one of the multiple ads I found on the site, which linked back to Internet dating site True.com. A Neopets.com spokesperson said the ads could not possibly have been served through its site, and that the ads must have been displayed by malicious software.

"This appears to be a 'malicious' software program and we are aggressively investigating its origin," the company said in an e-mailed statement. "We would never accept this type of ad on any of our company's sites as it doesn't meet any of Neopet's standards."
Neopets could not specify any particular adware or software in existence today that exhibits this type of ad-swapping behavior, but offered to put me in touch with an expert who could talk about how it would be theoretically possible for such malware to exist. Scans with several anti-spyware and anti-virus products returned a clean bill of health on my source's PC. [...]
Brian Krebs on Computer Security. The Washington Post Company.

Friday, March 7, 2008

The FDIC Computer Intrusion Report

Last week, Security Fix featured the highlights from a non-public report by the Federal Deposit Insurance Corp. (FDIC) that examined a huge recent spike in the cost of computer intrusions for banks and consumers. I chose not to publish the report itself at the time, but due in part to the large number of requests I've received from people inside the financial sector who claim to have never seen such figures from the government before, I've decided to release a slightly redacted version of it (the original version contained a number of case studies that included potentially sensitive data about ongoing law enforcement investigations).

FDIC Division of Supervision and Consumer Protection: Cyber Fraud and Financial Crime Report, November 9, 2007 (as of June 30, 2007) (Doc). For those who don't have Microsoft Word, a less attractive HTML version of the report is available here.

I should note that while the report centers on cyber fraud, there are other aspects of bank fraud detailed in this report that may be of interest for reporters or fraud analysts in other sectors. For example, the study includes data showing a sizable increase in new account fraud using completely fabricated identities, which are in turn used for check kiting and "bustout" fraud schemes. Also, the report includes recent figures on mortgage fraud rates. [...]


Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

The MonaRonaDona Extortion Scam


Online tech support forums are starting to light up over an increasing number of PCs sickened by something called the "MonaRonaDona virus," a piece of malware that threatens to trash host computers. As it happens, MonaRonaDona appears to be a relatively innocuous invader that was created to scare people into purchasing a fake new anti-virus product.

I first read about MonaRonaDona in a discussion thread over at the excellent DSL Reports Security Forum, where members traded tips on removing the bugger. Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible (that kind of behavior is always a red flag, because most modern malware succeeds by being stealthy and unobtrusive). This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot. [...]
Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Thursday, February 28, 2008

An Opera Update And A Farewell to Netscape

A new version of the Opera Web browser fixes at least three security vulnerabilities in the software. Separately, a security patch from AOL marks the final update for the venerable Netscape browser.
The latest update from AOL will be the last for Netscape: AOL officially ends support for it on March 1, meaning it has no further plans to ship security updates for Netscape or otherwise maintain the browser.
While Netscape's share of the browser market today is practically negligible compared to that of Internet Explorer, Firefox and Opera, this final version is a bit of an unceremonious goodbye for a browser that helped introduce so many people to the World Wide Web back in the mid-1990s. In 1998, Netscape released the source code for the Netscape Communicator browser. By doing so, it helped form the basis of the Mozilla.org project -- an open source initiative that laid the groundwork for Firefox (For more background on the storied relationship between Netscape, AOL and Mozilla, see these links here). [...]


Read More ...
Brian Krebs on Computer Security. The Washington Post Company.

When Blocking Porn Isn't Enough



Last year, Security Fix looked at a free service that helps parents and other network administrators block adult Web sites for all of the PCs they control, without installing any software. Now, the company and community that built that service has expanded it to allow administrators to filter a wide range of online content, from hate speech sites and social networking forums to sites promoting drugs and alcohol.

The service comes from OpenDNS, the company responsible for Phishtank.com, a community-based effort that collects data on phishing sites. Phishtank's data about scam sites is fed to anti-phishing features built into Web browsers like Firefox and Opera. [...]
Brian Krebs on Computer Security. The Washington Post Company.
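A service that filters "without installing any software" on the PCs it protects works at the resolver: a name lookup is categorized, and blocked categories get a sinkhole answer instead of the real address. The following is an added example of that logic and is not OpenDNS's or PhishTank's code; the category database, the phishing-host feed, the sinkhole address and the stand-in upstream resolver are all constructed, and a real deployment would sit behind an actual DNS server.

```python
"""Category-based DNS filtering, as a resolver policy function.
Added example; the category data, phish feed and upstream are constructed."""

# Constructed category database: registrable domain -> category.
CATEGORY_DB = {
    "adult.example": "adult",
    "social.example": "social-networking",
    "hate.example": "hate",
    "booze.example": "alcohol",
    "news.example": "news",
}

# Constructed phishing feed. Phishing entries are specific hosts, so they are
# matched exactly rather than by domain hierarchy.
PHISH_HOSTS = {"secure-login.example-bank.test"}

SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, stands in for a block page


def categorize(qname):
    """Exact phishing-host match first, then walk up the label hierarchy so
    pics.adult.example -> adult.example -> example. Walking labels (rather than
    a string endswith) is what keeps notadult.example from matching adult.example."""
    name = qname.rstrip(".").lower()
    if name in PHISH_HOSTS:
        return "phishing"
    labels = name.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def resolve(qname, blocked_categories, upstream):
    """Return the answer the client would see. `upstream` is a callable that
    performs the real recursive lookup (stubbed below)."""
    cat = categorize(qname)
    if cat in blocked_categories:
        return {"name": qname, "category": cat, "answer": SINKHOLE_IP, "blocked": True}
    return {"name": qname, "category": cat, "answer": upstream(qname), "blocked": False}


def fake_upstream(name):
    """Stand-in for a real recursive resolver (constructed answer)."""
    return "198.51.100.10"


if __name__ == "__main__":
    policy = {"adult", "hate", "phishing"}  # a parent's chosen block list
    for q in ("pics.adult.example", "notadult.example", "social.example",
              "secure-login.example-bank.test", "www.news.example"):
        r = resolve(q, policy, fake_upstream)
        print(f"{q:35} {str(r['category']):20} -> {r['answer']}"
              f"{'  (blocked)' if r['blocked'] else ''}")
```

The sinkhole answer is what turns a DNS policy into a visible block page for the user; because the decision is made per household (or per network) at the resolver, nothing has to be installed on the individual machines.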

Wednesday, February 27, 2008

YouTube Censorship Sheds Light on Internet Trust

If you happened to be searching for a video at YouTube.com Sunday afternoon, there's a good chance your browser told you it was unable to locate the entire Web site. Turns out, much of the world was blocked from getting to YouTube for part of the weekend due to a censorship order passed by the government of Pakistan, which was apparently upset that YouTube refused to remove digital images many consider blasphemous to Islam.

According to wire reports, Pakistan ordered all in-country Internet service providers (ISPs) to block access to YouTube.com, complaining that the site contained controversial sketches of the Prophet Mohammed which were republished by Danish newspapers earlier this month. The people running the country's ISPs obliged, but evidently someone at Pakistan Telecom - the primary upstream provider for most of the ISPs in Pakistan - forgot to flip the switch that prevented those blocking instructions from propagating out to the rest of the Internet.

To understand how a decision by bureaucrats in Islamabad could prevent the rest of the world from accessing arguably one of the Web's most popular destinations, it may first help to accept the basic notion that when the Internet was designed decades ago, everyone on the network pretty much knew and trusted one another. While the close-knit family of individuals responsible for keeping the Internet humming along has since grown into a larger community, it is still a fairly small community based largely on trust and everyone playing nice with one another. [...]
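The mechanism behind the outage is longest-prefix matching: when a more specific route for part of YouTube's address space was announced and not filtered at the upstream, every router that heard it preferred it over YouTube's own, less specific announcement. The following added example simulates that and shows the missing "switch", a per-customer prefix filter at the transit provider. It is not code from the post; the prefix lengths and AS numbers are the ones widely reported for this incident but are not stated on the page, and the customer's allowed prefix list is constructed.

```python
"""Longest-prefix match vs. a customer prefix filter, simulated with ipaddress.
Added example; prefixes, ASNs and the filter list are illustrative/constructed."""
from ipaddress import ip_address, ip_network

YOUTUBE_ASN = "AS36561"
PAKTEL_ASN = "AS17557"

# (origin ASN, announced prefix). The /24 is inside YouTube's /22.
ANNOUNCEMENTS = [
    (YOUTUBE_ASN, ip_network("208.65.152.0/22")),
    (PAKTEL_ASN, ip_network("208.65.153.0/24")),
]

# Constructed: what the upstream *should* accept from the customer session,
# i.e. only prefixes within that customer's registered allocations.
CUSTOMER_FILTERS = {
    PAKTEL_ASN: [ip_network("203.0.113.0/24")],  # RFC 5737 range, illustrative
}


def accept_from_customer(prefix, allowed_prefixes):
    """Import filter: a customer may only announce prefixes it is allocated."""
    return any(prefix.subnet_of(allowed) for allowed in allowed_prefixes)


def build_rib(announcements, filters):
    """Apply per-origin filters (if any) and return the routes a router keeps."""
    rib = []
    for origin, prefix in announcements:
        allowed = filters.get(origin)
        if allowed is not None and not accept_from_customer(prefix, allowed):
            continue  # the leak is dropped at the border, never propagates
        rib.append((prefix, origin))
    return rib


def best_route(rib, dst):
    """Longest-prefix match: the most specific route wins regardless of origin."""
    dst = ip_address(dst)
    matches = [(prefix, origin) for prefix, origin in rib if dst in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


if __name__ == "__main__":
    target = "208.65.153.238"  # an address inside the hijacked /24
    for label, filters in (("no filter", {}), ("customer filter", CUSTOMER_FILTERS)):
        route = best_route(build_rib(ANNOUNCEMENTS, filters), target)
        print(f"{label:16}: {target} -> {route[0]} via {route[1]}")
```

Nothing in BGP itself checks that an announcement is legitimate; the only thing standing between one misconfigured customer and the rest of the Internet is the provider's filter, which is the trust relationship the post goes on to describe.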

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.