Monday, December 31, 2007

Fake codecs continue to plague searches

Trojan horse programs dressed up like video decoders, or codecs, have become a popular way to attempt to infect the computers of unwary Web surfers.

Research by antispyware firm Sunbelt Software found that a number of sites hosted by blog service provider Blogger, a subsidiary of Google, contained fake video files that, if clicked on by a visitor, would prompt the victim to download and install a video helper application. In reality, the application is a Trojan horse program designed to infect the victim's PC, CEO Alex Eckelberry stated in the blog post.

"I wouldn't put this in the same league as the massive Google poisoning we saw last month -- that was an epic attack, using exploits and all kinds of nasty tricks," he said. "However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split."

Some basic searches uncovered more than 30 blogs that hosted the files, the posting stated.

Video players have become a major vector for attacks against computer users over the past year. In October, the first significant Trojan horse aimed at users of the Mac OS X operating system masqueraded as a plug-in for playing video files. Security researchers have worried about the increasing use of video files as a means of attack for more than a year.

In November, Sunbelt Software found that fraudsters had attempted to poison Google's search rankings and put a large number of sites hosting fake codecs high up in searches for common words. Google regularly combs its search results for malicious sites.

Sunday, December 30, 2007

Storm Worm offers coal for Christmas

Security firms warned users this week to watch out for the Storm Worm after online fraudsters revised the malicious software with a Christmas hook.

The fraudsters behind the crime-focused program began sending out a massive wave of e-mail messages over the weekend with subject lines such as "Season Greetings" or "Looking for something hot for this Christmas" but that, in reality, would lead to a hostile Web site, according to advisories by antivirus firm McAfee, security firm Symantec and other antivirus companies. The Web site, which sports a woman clad in revealing Christmas wear, attempts to infect the visitor's PC with the latest version of the Storm Worm, also known as Nuwar and Peacomm.

The program's authors continue to focus on adding exploits that take advantage of third-party applications, Roger Thompson, founder of Exploit Prevention Labs, stated on his blog.

"This is kind of interesting, and either means that Microsoft is patching faster than the exploits are coming out, or 3rd parties are not patching fast enough, or perhaps both," he wrote on Monday.

The Storm Worm caught the attention of antivirus researchers nearly a year ago and, due to ongoing development efforts by its authors, has continued to be an effective way to create and expand botnets. The program originally attempted to overwhelm antivirus software by creating so many variants -- releasing hundreds or thousands every week -- that virus analysts would be swamped. Later versions married the software to spam networks to more effectively find victims. The software authors have also built in a system that can attack back at investigators that attempt to find infected computers.

It's unknown whether the program's latest attack has been successful. Subject lines include "Merry Christmas To All," "Warm Up this Christmas," "Mrs. Clause Is Out Tonight!" and "The Twelve Girls Of Christmas."

The Storm Worm is called Nuwar by McAfee and Peacomm by Symantec, the owner of SecurityFocus.

Friday, December 28, 2007

Dutch police nab ABN Amro hackers

Dutch authorities have arrested 14 suspects accused of allowing their ABN Amro accounts to be used by cyber-criminals to store and transfer illegal funds.

According to reports, fraudsters based in Russia and Ukraine set up bogus ABN Amro websites to lure the bank's customers and harvest security details to access accounts and steal money.

Several of the sites were hosted on the Russian Business Network, an ISP which is alleged to host illegal and dubious businesses, including phishing and malware distribution sites.

The stolen funds were then allegedly placed in the bank accounts of the 14 ABN Amro customers, and these 'mules' subsequently transferred the money overseas to Russia and other countries.

"While these 14 suspects may not have actually carried out the phishing attacks themselves, they played a key role in the crime by allowing the fraudsters to use their bank accounts," said Mark Harris, global director of Sophos Labs.

"However, in these situations it can be tricky to prove the deliberate involvement of the account holder as it is quite easy for them to claim that they are simply the victim of identity theft."

Sophos experts noted a growing trend among cyber-criminals to recruit ordinary people to help them move their illegal profits around the world.

Sophos Labs detected an unusual 419 email scam this month which, instead of offering the typical promise of grant, lottery or prize money, purported to come from the American Red Cross.

The email offered the recipient a job as a 'donation collector', accepting and shipping donations to 'people in need' for various EU projects.

Thursday, December 27, 2007

Dutch spyware makers fined $1.45 million

The Dutch telecommunications regulator OPTA has fined the two companies behind the DollarRevenue adware program €1 million ($1.45 million).

The companies ran a professional adware and spyware operation, OPTA said. No criminal charges have been filed.

The two companies behind DollarRevenue infected more than 22 million computers. Only 1% to 2% of the victims resided in the Netherlands. Executives of the firms were fined up to €300,000 each, and their companies also received fines of €200,000 to €300,000. OPTA declined to disclose the names of the firms and their executives for legal reasons.

The DollarRevenue purveyors made more than €1 million from a botnet operation, according to documents seized by authorities. Even though revenue exceeded the fines, the regulator claimed that the fines were appropriate. "Part of those funds have been spent on day-to-day operations," argued Daan Molenaar, lead investigator for OPTA, at a press conference on Tuesday. "Besides, individual fines of several hundred thousand euros are unusually high and not very common."

OPTA claims that the fine marks the largest penalty ever issued in Europe for illegal adware and spyware operations. The DollarRevenue distributors have appealed the ruling.

The DollarRevenue distributors operated between October 2005 and November 2006. In the summer of 2006, OPTA ordered the companies to cease updating the software or face a fine. DollarRevenue ranked among the top 10 spyware applications worldwide. Users routinely complained about the application on discussion boards and in user forums because the software flooded their PCs with advertisements, effectively rendering them useless.

The malware makers pushed their wares by paying botnet herders, Web sites and other distributors a fee per installation. European installations were valued at €0.15 each, U.S. computers were valued at $0.25 and computers in third-world nations yielded only a few cents. The payouts reflect the size of e-commerce spending in each region, and therefore the effectiveness of online marketing campaigns, said Molenaar.

DollarRevenue sold advertising space to a plethora of firms, ranging from online pornography and gambling sites to companies like Jamba and HP. OPTA cautioned that those advertisers likely didn't know that they supported the service. "Legitimate firms typically end up on bad services through intermediaries," said Molenaar.

Molenaar typified the operators as "super-professionals of the highest class." The software would routinely change to prevent detection and removal by security software. A team of two government investigators spent one year to track down the companies and gather evidence.

In addition to installations through botnets, DollarRevenue also spread by promising consumers access to content such as images of tennis star Anna Kournikova or pirated software. Users who attempted to open the files were infected with the spyware instead of gaining access to the goods advertised. The DollarRevenue companies also pushed their wares through exploits in applications that allowed for software installations without the user's knowledge.

OPTA declined to say how it built its case. "We received a tip from abroad," said Molenaar. "We cooperate with numerous companies and organizations that care about security. Think about Spamhaus and Microsoft."

The case has put authorities on the trail of additional online criminals, including an 18-year-old botnet herder from New Zealand who was arrested earlier this year. The teenager controlled a botnet of 1.3 million PCs. "The people behind DollarRevenue maintained detailed payment records," Molenaar said.

The records also pointed to several Russian bot herders, but they have yet to be apprehended. "We don't have any cooperation deals with Russia," said Molenaar. "We are trying our best, but Russia has different rules and different legal priorities."

For more enterprise computing news, visit InfoWorld. Story copyright InfoWorld Media Group, Inc.

Wednesday, December 26, 2007

Russians close to prosecuting Pinch Trojan authors

Russia may soon prosecute the authors of the "Pinch" Trojan, an easy-to-use malicious software program available on the Internet that steals a variety of data.

Nikolay Patrushev, who heads Russia's Federal Security Services, said earlier this week that Pinch's authors had been identified and would be taken to court, according to a blog posting by Russian security vendor Kaspersky Lab.

Kaspersky said the arrest of the Pinch writers, identified as Ermishkin and Farkhutdinov, would be on the same level as the 2005 prosecution of German Sven Jaschan for creating the NetSky and Sasser worms, which caused thousands of infected computers to crash worldwide.

With Pinch, "it's impossible to estimate what financial losses have been caused over the years since this Trojan first saw the light of day," Kaspersky said.

Pinch's sellers would customize the program for buyers and offer support, illustrating a growing underground economy for hacking tools, Kaspersky said.

Thousands of versions of Pinch, which comes in Russian and English language versions, are still circulating on the Internet. Kaspersky said its security software can detect some 4,000 variants of Pinch, where the basic code is the same but aspects of the program have been modified in order to evade detection by security software.

Pinch has a highly-developed user interface that can be used for sorting information it steals off other computers, according to F-Secure.

It can steal e-mail account passwords, pilfer other password information stored in the Internet Explorer, Firefox and Opera browsers, and snap screenshots.

That stolen information can also be encrypted before it is sent back to the hacker, according to Panda Security, another security vendor.

Pinch could also be customized to have the victimized computer join a botnet, or a network of computers set up to hide other malicious activity by the hacker. Botnets are often used to send spam or mount other hacking attacks.

Tuesday, December 25, 2007

AMD demos 4x4

Criticalmass writes: AMD's upcoming 4x4 gaming platform will cost "substantially" under $1,000 - for the processors at least. So said company VP Pat Moorhead, who showed off a prototype system in the US, though details of the system were kept under wraps.

AMD announced 4x4 last month. It's essentially a two-CPU motherboard rigged for ATI's CrossFire and Nvidia's SLI dual-GPU technology twice over to support four GPUs. Each CPU slot will hold a dual-core Athlon 64 FX processor, so that's four cores. Each chip gets 2GB of dedicated memory, for a total of 4GB. '4x4' is a codename, AMD insists.

The processor company has said it will push the 4x4 platform this coming Christmas. Moorhead said the platform would not be "limited" to hardcore gamers - presumably AMD will promote it to professional content creators too.

Indeed, there's nothing here that a quad-core system won't be able to deliver - or, since AMD said this will be possible in due course, an octo-core rig either. AMD's quad-core CPUs will slot into a 4x4 board in place of the two dualies. The big benefit AMD stressed was the system's dual memory buses, one per processor, so there's no logjam at the memory controller as there might be with another chip maker's architecture.

AMD pitched the system as a way to run multiple, processor-hungry apps without degrading the performance of any one of them.

Monday, December 24, 2007

National labs hit with targeted attacks

Oak Ridge National Laboratory (ORNL) announced last week that more than a dozen employees fell prey to "a sophisticated cyber attack," exposing a database containing visitors' personal information.

In an advisory posted on Thursday, the federally funded lab recommended that people who visited the lab between 1990 and 2004 place fraud alerts on their credit reports. The attack, which first breached a computer at the lab on October 29, 2007, did not gain access to classified information, ORNL maintained.

"A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications," the advisory stated. "When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information."

ORNL also stated that the attacks were "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."

Federal agencies and the national laboratory system have had to weather criticism over a number of compromises in the recent past. This year, congressional committees have grilled the Departments of State, Commerce, Homeland Security and Energy over data breaches. In May, the House Committee on Homeland Security sent questions to the Nuclear Regulatory Commission about a "data storm" that resulted in the emergency shutdown of a nuclear reactor at Browns Ferry plant.

The attack at Oak Ridge National Laboratory came from servers located in China, according to a memo obtained by the New York Times. Several nations have accused the Chinese military of sponsoring attacks on sensitive computer systems owned by governments and industry.

Sunday, December 23, 2007

Adobe releases critical Flash update

Software firm Adobe released a critical update for its Flash Player this week, fixing ten flaws that variously affected the Windows, Mac and Linux versions of its software.

Labeling the vulnerabilities as "critical," the company warned that the most serious flaws fixed by the patch could be exploited by a specially-crafted Flash (SWF) file to compromise vulnerable systems, and urged users to apply the software fix. Adobe Flash has become a popular way to add interactivity to Internet sites and is installed on 98 percent of Internet-enabled PCs, according to the company.

The ubiquity of the Flash Player software has caught the attention of security researchers and online fraudsters. Earlier this year, Stanford University researchers used a Flash advertisement to show that an attacker could have infected 100,000 users in three days for less than $100. Apple patched a flaw in the handling of Flash content by its QuickTime player last week, after two researchers had used the flaw to demonstrate a proof-of-concept attack on players in the virtual world of Second Life.

Last month, Adobe patched flaws in its other popular desktop program, Acrobat.

The patches can be downloaded from Adobe's Download Center.

Thursday, December 20, 2007

Trusted users pose significant security threats, survey finds

RSA survey data reveals innocent insiders create data exposures of extraordinary scope

It probably doesn't give security managers much comfort to hear that the majority of internal employees that pose a significant threat to network security are well-meaning, innocent offenders -- as opposed to those with malice on the mind.

But the results of a recent man-on-the-street survey of 126 people conducted by RSA in November and released Monday show that despite security managers' best efforts, 35% of people polled said they need to work around their organization's security policies to get their job done. According to RSA, "These innocent insiders can unwittingly create data exposures of extraordinary scope and cost through their ordinary, everyday behavior, whether through carelessness, working around security measures or following inadequate security policies."

Specifically, some 63% of those surveyed said they frequently or sometimes send work documents to a personal e-mail account to more easily access the files from home. Others (87% of people polled) rely on remote access capabilities, such as VPNs or Web mail, to work from home.

Some mobile workers also put the company at risk when they access their work e-mail via a public wireless hotspot, for instance. According to RSA's survey, about 56% of respondents said they do just that and another 52% gain access via a public computer in an Internet café or at the airport. But RSA says often authentication beyond user name and password is needed to secure corporate data.

"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," said Sam Curry, vice president of product management and marketing at RSA, in a statement.

Close to two-thirds of respondents reported they frequently leave their workplace with a mobile device such as a laptop and 8% reported having lost such a device bearing corporate information -- leaving their organization susceptible to data loss.

Other innocent insiders simply trust their fellow human beings. In the survey, 34% reported having held a door open for someone they did not recognize. Forty percent reported being on the receiving end of such hospitality when they had forgotten their key card or access code. In addition, about 20% of the respondents who said their company provides wireless access (66%) said there are no security credentials required to gain access to the network.

As for data and application-level security, one-third of respondents reported that they have changed jobs internally and still maintain the same set of access rights. Close to one-fourth of respondents said they have "stumbled into an area of their corporate network to which they believe they should not have had access." The results prove that creating policies is not enough; security managers need to ensure insider behavior aligns with corporate security standards, RSA says.

"It is not enough to establish policy; actual insider behavior must be measured and tracked against established policy in order to keep security aligned with the business," said Christopher Young, vice president and general manager of the Identity and Access Assurance Group at RSA, in a statement.

Tuesday, December 18, 2007

Whole disk encryption is a must for mobile computers and devices

As more and more employees use laptops, the chance for information loss increases. Many companies are looking to protect their data assets, and whole disk encryption is becoming more popular.

It’s almost like you can’t trust people these days. You’d think if someone broke into a house looking for valuables they’d at least leave the “work” stuff alone. But NO, the thieves have to go for the laptop, without any regard for how much “sensitive information” might be on it. No regard for the red tape it will put you through when it goes missing. The nerve! Why couldn’t they have just taken the kids’ iPod? It’s worth almost as much…

Folks, it’s all just becoming a bit too much for me, these breaches that could easily have been prevented. This one happened a bit closer to home for me (click HERE).

Service Canada is a branch of the Canadian Government that does a lot of “Government-to-Citizen” services, sort of like the “Customer Service” division of a company, but for a government. I know they take the “big picture” security issues seriously for their on-line applications. So, how do these “little things” fall through the cracks?

What went wrong?

A government employee took a laptop home that had Personally Identifiable Information (PII), such as Social Insurance Numbers, Bank Account Numbers, Credit Data and Birth Dates. A thief broke into the employee’s house and stole the laptop containing the PII (apparently without wiping the hard disk - how inconsiderate?).

What went wrong?

We think theft is rare. It never happens to us, and hardly ever happens to anyone we know personally. Laptops are so common these days, and getting more affordable. But that doesn’t mean they’re worthless.

In fact it surprises me that it’s only recently we’re hearing about laptop thefts. I don’t think it’s a new phenomenon, as laptops were worth a lot more 10 years ago, and probably had just as much sensitive information on them then. But we never heard about them. I believe the reason we hear about them now has to do with legislation on accountability, governance and disclosure. Most people think of these types of laws as being a deterrent safeguard in and of themselves. But until people make the connection, it’s more of an indirect consequence that is still happening too late to influence behaviour. Eventually, the law will make people think “Gee, I better protect this stuff if I don’t want to end up on the front page tomorrow” (or worse, in jail)!

So the problem here is the will at the top of an organization to address all breach risks in the proper context. People used to think of “infrastructure” breaches as being more critical than “individual” breaches involving a single user. If the user happened to be an employee with a laptop, the assumption was that a breach was a “single-user event”. However, these days, data is fast migrating out of database servers and into spreadsheets, reports, and word processing documents. This is happening without the knowledge of the executives or even the Chief Security Officer (CSO). But they should not ignore this new reality.

People carry mobile devices (laptops, PDA’s, etc.) outside the organization on a regular basis. There’s no point in fortifying a server when large amounts of the sensitive data are replicated outside the office and corporate network boundary in waves every day. No firewall can prevent this. Only good policies, enforcement and awareness across the board can.

The Bottom Line

There is a fairly simple solution, when it comes to laptops. Encrypt the disks. Here are the main things to remember:

  1. Passwords are NOT encryption. Just because a laptop requires a password to log in does not mean the data on the disk is protected. Anyone can remove a laptop disk, place it in their own system and, abra-cadabra, the data appears.
  2. Encryption using a government-approved algorithm (AES in the United States, and others such as Triple-DES in Canada and other countries) is the best way to scramble data so it is unusable.
  3. Whole disk encryption is best for laptops. This means that, in contrast to products that encrypt only certain files or folders, NOTHING on the disk can be viewed without having the right password. The reason I say it this way is that solutions exist for scanning the unencrypted part of a disk for all printable character strings, and using them as the basis for dictionary-type attacks. When an attacker has the computer in his possession, he has all the time in the world to search for password fragments on the disk. If it’s all encrypted they can’t do this.
  4. Stating that, “The chances of thieves using the PII on a stolen device to commit Identity Theft are low” is NOT a risk mitigation measure. It’s a PR statement aimed at calming people down. Using this as a sole response to a breach is an admission of ignorance when it comes to protecting information. You have no way of knowing what the chances are, especially when it is becoming clearer to everyone that the data is often worth a lot more than the hardware.
  5. USB memory devices can also have their content encrypted. Lost and stolen USB devices are just as common as laptop thefts.
  6. Remember, off-site backups of sensitive information are also a leading source of breaches. While off-site backups are absolutely essential for most businesses, many people forget that if they are not protected, they can result in large amounts of data loss. They should be encrypted, or heavily protected with physical security while in transit and in storage.

While there are many disk encryption solutions that may do the job well enough to actually reduce the risk of a breach, I use PGP Disk to protect my laptop. It’s been rated one of the best, and easiest to use. I feel much more secure carrying my laptop with customer data on it when I know it’s fully encrypted.
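Items 1, 3 and 6 above share one point: whatever is left unencrypted on a disk or a backup medium is readable by whoever ends up holding it, and partially encrypted disks still leak readable strings from swap, temp files and slack space. The following Python script is an added example (not from the original post, and not PGP Disk's own tooling) of how a defender can check encryption coverage before a laptop or backup image leaves the building: it walks a raw image in blocks and flags any block that still contains printable strings or low-entropy data. The sample image and the PII in it are constructed inline; the helper names are assumptions.

```python
"""Audit a raw disk or backup image for unencrypted regions (added example)."""
import math
import random
import re
from collections import Counter
from typing import List, NamedTuple

BLOCK_SIZE = 4096
ENTROPY_THRESHOLD = 7.0   # bits per byte; AES ciphertext scores close to 8.0
MIN_STRING_LEN = 16       # long enough that random bytes almost never match
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)


class Finding(NamedTuple):
    offset: int
    kind: str            # "empty", "ciphertext" or "plaintext"
    entropy: float
    strings: List[bytes]  # first few readable strings, for the audit report


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes) -> List[bytes]:
    """Runs of printable ASCII: exactly the material the post warns an attacker
    can harvest from the unencrypted part of a disk for dictionary attacks."""
    return PRINTABLE_RE.findall(data)


def classify_block(offset: int, data: bytes) -> Finding:
    entropy = shannon_entropy(data)
    strings = printable_strings(data)
    if not any(data):
        kind = "empty"        # never written; nothing to leak
    elif entropy >= ENTROPY_THRESHOLD and not strings:
        kind = "ciphertext"   # what whole-disk encryption should leave everywhere
    else:
        kind = "plaintext"    # readable once the disk is moved to another machine
    return Finding(offset, kind, round(entropy, 2), strings[:3])


def audit_image(image: bytes, block_size: int = BLOCK_SIZE) -> List[Finding]:
    return [classify_block(off, image[off:off + block_size])
            for off in range(0, len(image), block_size)]


def plaintext_findings(image: bytes, block_size: int = BLOCK_SIZE) -> List[Finding]:
    """Everything an auditor needs to reject the image as not fully encrypted."""
    return [f for f in audit_image(image, block_size) if f.kind == "plaintext"]


def build_sample_image() -> bytes:
    """Constructed sample: three blocks standing in for an encrypted volume,
    one unused block, and one block of unencrypted swap/temp data. The
    generator is seeded so the image is reproducible."""
    rng = random.Random(20071218)
    encrypted = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE * 3))
    unused = b"\x00" * BLOCK_SIZE
    leaked = (b"\x00" * 512
              + b"SIN=000-000-000 AccountNo=0000000000 DOB=1970-01-01 "  # constructed PII
              + b"LoginPassword=not-a-real-password\n"
              + b"\x00" * 200)
    swap = leaked + b"\x00" * (BLOCK_SIZE - len(leaked))
    return encrypted + unused + swap


if __name__ == "__main__":
    for f in audit_image(build_sample_image()):
        print(f"offset {f.offset:>6}  {f.kind:<10} entropy={f.entropy:.2f}  {f.strings}")
```

Note that compressed or already-encrypted files inside a plaintext filesystem also score near 8 bits per byte, so a clean entropy result is evidence, not proof; a whole-disk product that leaves the entire image looking like the first three blocks is what the post recommends.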

Sunday, December 16, 2007

Spy court denies access to rulings

The secret U.S. government court that oversees the country's electronic surveillance efforts ruled on Tuesday that orders and legal papers issued by its judges regarding the Bush Administration's warrantless wiretaps will not be made public.

In its opinion, the Foreign Intelligence Surveillance Court (FISC) acknowledged that public access to the records could lead to better public understanding of the decisions, a more informed public debate over currently proposed amendments to the Foreign Intelligence Surveillance Act (FISA) under which the FISC was created, and additional safeguards against abuse of power. The court argued, however, that "the detrimental consequences of broad public access to FISC proceedings or records would greatly outweigh any such benefits." The potential consequences of the public release of its records? Allowing terrorists and foreign agents to learn more about the nation's methods of surveillance, outing the identity of information sources, revealing the targets of surveillance efforts, and possible damage to foreign relations, according to the court's 22-page opinion.

"All of these possible harms are real and significant, and, quite frankly, beyond debate," stated the ruling, penned by Judge John D. Bates.

The opinion, only the third ever released by the secretive court, was in response to a motion filed by the American Civil Liberties Union (ACLU), asking for the court to release recent legal cases that have influenced lawmakers' discussions over amending the Foreign Intelligence Surveillance Act (FISA). The ACLU is a plaintiff in one of the pending cases against the National Security Agency and the telecommunications companies that allegedly cooperated with U.S. intelligence services to eavesdrop on phone and e-mail conversations without a warrant from the Foreign Intelligence Surveillance Court.

Currently, Congress is debating how to amend FISA. In August, legislators passed the Protect America Act (PAA), a controversial stop-gap measure that dramatically expanded the government's powers to spy on U.S. citizens without a warrant. The law is set to expire in February 2008.