Information Security News

We have decided that you, our subscribers, would be better served if we simply update this news bulletin with timely and important messages as they arise. New and significant threats don't tend to wait until we have time to publish our newsletter! Recent bulletins are posted below. In case you missed our earlier ones, they are still available in our archives.
archives. Bulletins posted 11/19/2009 Zero-day vulnerabilities in Firefox extensions discovered One of the reasons behind Firefox's popularity is the availability of a vast library of extensions. Users use them to modify the browser to their liking and make their browsing experience easier and more pleasant. The problem is, unbeknown to them, these extensions are exposing them to risk.
Mozilla doesn't have a security model for extensions, and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension. Any Mozilla application with the extension system is vulnerable to the same type of issues. Extension vulnerabilities are platform independent and can result in full system compromise.

The researchers believe that the weakest link in the chain is the human factor. Many add-on developers do it as a hobby and are not necessarily aware of how dangerous a vulnerable extension can be. The extension reviewers don't need to have great knowledge of web application security, and the guidelines they follow are aimed at finding malicious extensions rather than vulnerable ones. This means vulnerable extensions can easily slip through. Researchers have found several bugs in popular Firefox extensions that together have an estimated 30 million downloads from AMO (the Mozilla add-ons site). Three 0-days were also released at the SecurityByte & OWASP AppSec Asia 2009 conference. For more information, or to view screenshots or a video, please see the full article.

If you had fallen for this before the patch came out, notify your service desk immediately and change your passwords.

Dumb code could stop computer viruses in their tracks

On the day a new computer virus hits the internet there is little that antivirus software can do to stop it until security firms get round to writing and distributing a signature that recognises and kills the virus. Qinetiq's idea, which it is patenting, is to intercept every file that could possibly hide a virus and add a string of computer code to it that will disable any virus it contains. The system chiefly targets emailed attachments and adds the extra code to them as they pass through a mail server.
A key feature of the scheme is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised "zero day" viruses as well as older ones. Many mail servers already block attachments that will run as executable programs - such as PC files with a .exe suffix - in case they are viruses. But virus writers have tricks up their sleeve to get round this. For example, they can disguise files as an innocent Microsoft Word (.doc) or Adobe Acrobat (.pdf) file, and then fool unsuspecting users into converting them into an "executable" program file that will run on their computer.

Qinetiq aims to prevent this by inserting a line of machine code - the raw code that microprocessor chips understand - into the header area of incoming files. This is the part of the file that holds the formatting data that defines such aspects as a document's layout and fonts. If the file is simply opened by another program, the code is ignored. But if someone attempts to run it as a program in its own right, Qinetiq's code will run first and stop the rest of the program in its tracks, either by exiting or by sending it into an infinite loop. "This is not based on virus signature detection, so it is not something malware writers can imagine their way around," Wiseman says. Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mail servers. For more information, please see the full article.

www.newscientist.com -By Ryan Naraine

IE8 bug makes 'safe' sites unsafe

The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.
Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding, so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics. It's not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates, a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability, speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site. "If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value ... that actually results in an attack firing on the page," he said. "This could be a way to introduce an attack into a page that didn't have a vulnerability otherwise." For more information, please see the full article.

If you had fallen for this before the patch came out, notify your service desk immediately and change your passwords.

Enterprise Security -By Dan Goodin

Security Pro Says New SSL Attack Can Hit Many Sites

A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack. Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites.
While the attack is extremely difficult to pull off -- the hacker would first have to pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences. The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug's discoverers, Marsh Ray at PhoneFactor, says he's seen a demonstration of Heidt's attack, and he's convinced it could work. "He did show it to me and it's the real deal," Ray said.

The SSL Authentication Gap flaw gives the attacker a way to inject data into what is sent to the SSL server, but still no way to read the information coming back. Heidt sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. He then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by Heidt's computer before they are sent to the victim. This latest attack shows that the flaw could be used to steal all sorts of sensitive information from secure Web sites, Heidt said. Many high-profile banking and e-commerce Web sites will not return this 302 redirect message in a way that can be exploited, but a "huge number" of sites could be attacked, Heidt said. For more information, please see the full article.

If you had fallen for this before the patch came out, notify your service desk immediately and change your passwords.

IDG News Service -By Robert McMillan

Cisco's free iPhone app grabs security feeds

Cisco has made available a free iPhone app that can be used to receive more than a dozen security-related information feeds, in customizable form, related both to Cisco products and to general security topics such as newly detected threats.
The Cisco SIO To Go iPhone application draws from the wealth of information continuously generated in Cisco's security intelligence operations (SIO), which monitor and consolidate information drawn from sensors and other sources about security threats worldwide. Michael Weir, manager of marketing for security, says the tool is Cisco's first iPhone app specifically for security; a few others were designed for use with Cisco's WebEx service and utilities. For network managers, customizable information feeds include Cisco Product Security Incident Response Team alerts, IPS signatures and applied mitigation bulletins, as well as links to the Cisco security blog, cyber-risk reports, Twitter feeds and security podcasts. Until now, to obtain the same type of information it was necessary to go to the public portions of Cisco's SIO Web site to locate it. The free Cisco SIO To Go iPhone app can be found at the Apple iTunes store online.

Network World -By Ellen Messmer

Happiness on Facebook Cuts Canadian Woman's Health Care

As social media evolves -- and the freedom of the Internet diminishes our self-censorship -- many have run into situations where Facebook has landed them in trouble, sometimes getting them canned from a gig. It has been established that some companies scrutinize the Facebook pages of employees and potential employees to ensure that what they are getting isn't tarnished by bad behavior such as playing hooky or being loose-tongued about one's feelings about work. The latest example is a little trickier: a Canadian woman saw her health benefits stripped away after the insurance company saw "happy" pictures of her on Facebook. Nathalie Blanchard, 29, took long-term sick leave from her job at IBM in Quebec after she was diagnosed with major depressive disorder in February 2008. Until this fall, Blanchard received monthly benefits from Manulife.
Suddenly the checks stopped arriving, and when Blanchard called Manulife to inquire, the company claimed Blanchard was available to work because of photos she had posted on Facebook of her looking "happy" at a Chippendales bar show, at her birthday party, and on holiday. These snapshots evidently proved to Manulife that Blanchard was no longer depressed and therefore ineligible for health benefits.

We live in a time where many get a false sense of security and freedom when it comes to the Internet. These social networking pages are ours -- or at least they feel like ours -- and it can come as a shock when the curtain is violently ripped back and our scaffolding is exposed. With the right mixture of inconspicuousness and second-guessing, many problems stemming from Facebook can be dodged, but perhaps at the expense of truly expressing our lives the way we'd like.

Be careful of what you post on social networking pages, because you never really know who is going to be able to access it.

Bulletins posted 11/19/2009

Mozilla locks out rogue Firefox add-ons

Mozilla has made a significant tweak to the Firefox 3.6 code base to block rogue add-ons from loading from the browser's application components directory. This will most certainly block developers and software vendors from silently installing Firefox add-ons without explicit user permission. It will also significantly reduce browser crashes linked to third-party add-ons, Mozilla said. The change will be introduced in Firefox 3.6 to block third-party applications from adding their code directly to the "components" directory, where much of Firefox's own code is stored. For more information, please see the full article.

If you had fallen for this before the patch came out, notify your service desk immediately and change your passwords.
http://blogs.zdnet.com -By Ryan Naraine

Viruses, Malware Creeping into Online Games

The maker of online gaming protection software reveals why virus attacks on video games are a problem that has increased over 600 percent in the past year. Viruses and malware are words not normally linked to video games, that is until you talk to Michael Helander, VP of Sales and Marketing at Lavasoft. His software company has developed a new product, Ad-Aware Game Edition, that's designed to protect online gamers from viruses, a problem that has "increased over 600% in the last year," according to their website. In this exclusive interview, Helander and Malware Labs' Andrew Browne explained which games are most vulnerable to malware attacks, why viruses in online games are a much bigger problem today, and why consoles like the Xbox 360 and PS3 could be next in the crosshairs of people who create Trojans, worms and other forms of malware.

Lavasoft: The difference is the way our virus protection software behaves. When you're playing video games, our antivirus program silently runs off screen, using minimum levels of your computer's resources, and does so without interrupting your game. Now here is the key: blocking and detection are not suspended when someone starts gaming with Ad-Aware Game Edition; instead, the handling of blocks and removal of malware is taken over directly by Lavasoft. Competitor products (there are two or three other products like this on the market today) actually say that the protection is "suspended" while playing video games. This is not good for gamers. For more information, please see the full article.

If you have fallen for this scam, notify your service desk immediately and change your passwords.

Health Insurer Loses 1.5 Million Patient Records

A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident.
The data, which was stored on a portable disk drive that disappeared from the insurer's office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians. Health Net discovered the loss in May but never informed patients, law enforcement or government entities, despite data breach laws in some states that require data spillers to notify victims and state officials when residents are affected by a breach. The insurer finally sent a letter to Connecticut's attorney general and the state's Department of Insurance this week. Health Net claimed it took six months to determine what data was on the missing disk. It said that data on the disk was compressed and stored in an image format that required special software to view, which was available only to Health Net. Note that compression and a proprietary format are not a substitute for encryption: anyone who obtains the software, or takes the time to reverse the format, can read the data.

"Another day, another data breach," said Connecticut Attorney General Richard Blumenthal in a statement. "But companies still don't get it: Personal information is like cash and should be guarded with equal care." Blumenthal vowed to pursue an investigation and legal action against the insurer. About 450,000 of the patients affected by the data loss are residents of Connecticut, which has a breach notification law. Patients in Arizona, New Jersey and New York were also affected. For more information, please see the full article.

If you are a patient enrolled in the Medicare Advantage plan and a resident of any of the states listed above, notify your service desk or health care provider immediately and change your passwords.

Fake Payment Request Attack Ramps Up

An attack currently under way is attempting to trick victims with an e-mail that purports to request verification for a payment to a major company, but instead carries a Trojan.
E-mail security company Cloudmark reports seeing more than 1.6 million of the attack e-mails, which bear a subject of "payment request from" followed by a company name such as eBay or J. P. Morgan Chase and Co. The body of the message says that to decline the payment, the recipient must download and install an attached "transaction inspector module." The .zip file attachment, of course, is no module, but a Trojan. In a post that includes screenshots of some attack samples, Trend lists the Trojan as TROJ_AGENTT.WTRA. As always, your best bet to guard against the malicious e-mail attachments used in these kinds of social-engineering attacks is to upload attachments to a site such as Virustotal.com, which will scan the attachment using 40-odd different antivirus engines. There's no guarantee that Virustotal.com will positively ID a threat, but you have much better odds with 40 engines than with the one used by your installed antivirus. Bear in mind that uploading a file shares its contents with the scanning service, so don't do this with confidential documents.

Don't open email or download attachments from anyone you don't know. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.pcworld.com -By Erik Larkin

3 Basic Steps to Avoid Joining a Botnet

Banging the drum for security awareness never gets old. As much as CSOs try to get folks to bone up on safe practices (both online and in the office), there are always going to be some who need reminding. Online, the biggest battle these days is against botnets: networks of infected computers which hackers can use -- unbeknown to the machines' owners -- for online crimes including sending out spam or launching a denial of service attack. Unfortunately, the black-hat techniques employed to snare users into a botnet have evolved to a level that makes them often undetectable by even the most sophisticated security products. Combine that with a lack of user knowledge, and the threat of infection becomes very high. (See: Botnets: Why it's Getting Harder to Find and Fight Them.)
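The attachment tricks in the Qinetiq item and the fake payment request item above share one lesson: a gateway that blocks on the .exe suffix misses an executable renamed to .doc or .pdf, and misses one zipped up as a "transaction inspector module". One caveat on the Qinetiq scheme as described: a renamed executable is loaded by the operating system according to its own executable header, not the document's formatting header, so the dependable control at the mail gateway is still to recognise executable content regardless of what the file is called. The following is an added example written for this bulletin; it is not code from Qinetiq, Cloudmark, Trend or any of the quoted articles, and it does not reproduce Qinetiq's patented header insertion. It identifies an attachment by its leading bytes, flags a mismatch between name and content, and looks one level inside a zip. All sample attachments are constructed in memory (the "executable" is just an MZ header and padding), and the signature table, the suffix rules and the wording of the findings are this example's own assumptions.

```python
"""Content-based attachment screening (added example, not the scheme of any
vendor quoted in the bulletin). Attachments are identified by their leading
bytes, not their file-name suffix, and zip archives are opened one level deep.
"""
import io
import zipfile

# Leading byte signatures ("magic numbers") for the formats this demo knows.
MAGIC = {
    b"MZ": "exe",                                 # DOS/Windows executable
    b"\x7fELF": "elf",                            # Linux executable
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                         # zip, also .docx/.xlsx/.jar
}

# Which identified content a given suffix may legitimately carry (assumed policy).
SUFFIX_ALLOWS = {
    "pdf": {"pdf"},
    "doc": {"ole2"},
    "docx": {"zip"},
    "zip": {"zip"},
    "txt": set(),   # plain text has no signature; anything we recognise is odd
}

EXECUTABLE_TYPES = {"exe", "elf"}


def sniff(data: bytes) -> str:
    """Identify content by leading bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def suffix_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of findings (strings); an empty list means nothing suspicious.

    Executable content is reported whatever the suffix says. A known suffix
    carrying some other identifiable format is reported as a mismatch. Zips are
    opened one level so that archive.zip/payload.exe is caught too.
    """
    findings = []
    kind = sniff(data)
    suffix = suffix_of(name)

    if kind in EXECUTABLE_TYPES:
        findings.append(f"{name}: executable content ({kind}) regardless of suffix")
    elif suffix in SUFFIX_ALLOWS and kind != "unknown" and kind not in SUFFIX_ALLOWS[suffix]:
        findings.append(f"{name}: suffix .{suffix} but content is {kind}")

    if kind == "zip" and depth == 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    inner_name = f"{name}/{member.filename}"
                    findings.extend(inspect_attachment(inner_name, zf.read(member), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: zip signature but archive is unreadable")
    return findings


def build_zip(members: dict) -> bytes:
    """Constructed sample helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples. FAKE_EXE is only an MZ header plus padding, not a program.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\n",   # genuine PDF
    "statement.doc": FAKE_EXE,                                   # renamed executable
    "transaction_inspector.zip": build_zip({"transaction_inspector.exe": FAKE_EXE}),
    "archive.zip": build_zip({"readme.txt": b"hello\n"}),        # benign zip
}


def screen_all(samples=SAMPLES) -> dict:
    """Map each attachment name to its findings."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        print(name, "->", findings or ["clean"])
```

Running it lists each sample with its findings: the renamed executable and the zipped one are reported, the genuine PDF and the zip holding only a text file are not. A member with no recognisable signature is left alone, since plain text has no magic to check; a gateway would still pass such files to an antivirus engine, which is what the VirusTotal advice above is for.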
"The frustrating thing is they can make their chances of getting infected much, much smaller," said Steve Santorelli, who sees how users fall prey to easily avoidable traps every day. Santorelli, director of global outreach with the non-profit security investigations firm Team Cymru, spends his days monitoring malicious online activity, particularly botnets. Santorelli notes that while just one strategy probably won't cover you, with several tools in the toolbox the rate of infection within an organization drops significantly.

The average user doesn't necessarily have a lot of technological knowledge, said Santorelli. They might not realize the importance of working with IT to ensure they are up to date with patching and software upgrades. This problem may be especially prevalent among workers who are exclusively remote.

Staying away from dubious sites and sticking to known brands used to offer reasonable online safety. Unfortunately, that's less and less foolproof. "Browsers are so much more secure now that so many of the holes that existed in these browsers have been patched. There is also a great deal of anti-phishing and anti-malware that goes into them now. So if you try and go to a link that contains malware, your AV might not pick it up. But your browser will say: 'Are you sure?'" The good news is most browsers are free. You can download the latest version of Internet Explorer or Firefox fairly easily and quickly, too. "Don't just blindly click on things and rely on other people to protect your computer," noted Santorelli. "You've got to take some responsibility for your own security."

Just because you receive an email from someone you know and trust, it doesn't mean it is safe. This includes friends and family, whose systems or accounts may have been compromised, and also well-known web sites you use, like social networking sites or banks. See Five More Facebook, Twitter Scams to Avoid for examples of current attempts to exploit social media sites.
Large banks, such as Bank of America, often find their name used in email phishing scams where thieves send out messages warning customers that their account has been compromised, with a link that leads to a fake but very legitimate-looking login screen.

If you happen to fall for any of these scams, notify your service desk immediately and change your passwords.

Bulletins posted 11/18/2009

FBI says hackers targeting law firms, PR companies

Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas. The FBI has issued an advisory that warns companies of "noticeable increases" in efforts to hack into law firms' computer systems — a trend that cyber experts say began as far back as two years ago but has grown dramatically. In many cases, the intrusions are what cyber security experts describe as "spear phishing": attacks that come through personalized spam e-mails that can slip through common defenses and appear harmless because they have subject lines appropriate to a person's business and appear to come from a trusted source. "Law firms have a tremendous concentration of really critical, private information," said Bradford Bleier, unit chief with the FBI's cyber division. Infiltrating those computer systems, he said, "is a really optimal way to obtain economic, personal and personal security related information." U.S. officials have been cautious about publicly linking cyber attacks to China. But recent government reports have described computer attacks believed to have originated in China, although it is unclear if the intrusions were conducted by, or with the endorsement of, any element of the Chinese government.
As is often the case with cyber crime, Paller said it is difficult to tell whether hackers were working on behalf of the country's government, located in that country, or simply routing computer traffic through that country. The hackers going after law firms, said Paller, often target companies that are negotiating a major international deal — anything from seeking a patent on a sensitive new technology to opening a plant in another country. While opening a "spear phishing" e-mail itself does not pose a danger, such e-mails often contain Web links or attachments that, when clicked on or opened, will infiltrate the network or install malicious programs. For more information, please see the full article.

If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.google.com/hostednews -By Lolita C. Baldor

Fake Facebook page steals login details

A fake Facebook page designed to steal social networkers' login details has been uncovered by PandaLabs. According to the security firm, the web page looks very similar to the real Facebook, and when web users try to log in to their account they are presented with an error page. However, the information they entered goes straight into the hands of the hackers. "This fraudulent URL is probably being spread around through emails and through BlackHat SEO techniques," said Luis Corrons, technical director of PandaLabs. "In any event, once cyber-crooks have the user's details, they can take any action from the account including publishing spam comments with malicious links, sending messages to contacts, etc." PandaLabs urged web users not to reply to or follow links from unsolicited emails, and to always check the URL before entering data to ensure it is legitimate. The security firm also said that social networkers who are concerned they may have entered their details onto the hoax page should change their passwords immediately.
If you have fallen for this scam, notify your service desk immediately and change your passwords.

PC Advisor UK -By Carrie-ann Skinner

T-Mobile employees sold data from thousands of customers

Information commissioner says "paltry fines" are not enough, only jail sentences will do.

A spokesman from T-Mobile confirmed today that data from thousands of customers, amounting to millions of records, had been passed on by the mobile operator's employees. Information Commissioner Christopher Graham was alerted by T-Mobile, which admitted that brokers paid for the data, which they subsequently sold on to other companies. These companies then used the data to call T-Mobile customers whose contracts were due to expire. Neil McHugh, managing director of the UK independent mobile phone comparison site www.rightmobilephone.co.uk, said that his advice for people worried about their personal data was to call their mobile phone operator and ask for confirmation that their contact information was safe. “Only people coming to the end of their mobile phone contracts are likely to be contacted as a result of the data leak, but if a network operator is responsible, I’m sure the consequences will be severe. Not just facing a potential fine but a huge decline in customer trust,” he added. T-Mobile’s spokesman said the data was sold "without our knowledge". Graham’s team obtained search warrants to enter premises and are reported to have interviewed T-Mobile employees. A statement on the Information Commissioner's Office (ICO) web site said the following: “The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent.”

If you have fallen for this scam, notify your service desk immediately and change your passwords.
Mobile Communications -By Dave Bailey

Senate Panel: 80 Percent of Cyber Attacks Preventable

If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented, a Senate committee heard Tuesday. The remark was made by Richard Schaeffer, the NSA’s information assurance director, who added that simply adhering to already known best practices would raise the security bar enough that attackers would have to take more risks to breach a network, “thereby raising [their] risk of detection.” The Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security heard from a number of experts offering commentary on how the government should best tackle securing government and private-sector critical infrastructure networks. Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much of a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data. “Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.” As for corporate and government entities that collect and store the public’s data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet.
“The marketing department has data, the finance department has data, etc., but they think the security of the data is the responsibility of the IT guys at the end of the hall.” Philip Reitinger, director of the National Cyber Security Center at the Department of Homeland Security, said that end users also need to be made aware of the simple things they can do to protect themselves, such as keeping software and anti-virus up to date. For more information, please see the full article.

Survey finds Mac, PC users are equal cybercrime victims

Mac enthusiasts are just as likely to fall victim to a phishing attack as Windows users, according to a survey commissioned by security firm ESET. The survey of 1,003 people, conducted by Competitive Edge Research and Communications, concluded that most cybercrime losses are caused by phishing attacks, and that users are equally at risk from these ploys no matter what operating system they use. "Phishing attacks are just as effective on Macs, Linux, Windows, Solaris and any operating system since they rely on tricking the user and not on malicious software or any software vulnerabilities," Randy Abrams, director of technical education at ESET, said Monday in a blog post. "The Mac offers no immunity to phishing attacks and so we see a virtually equal percentage of victim representation across the board." Avivah Litan, vice president and distinguished analyst at Gartner, said many Mac users believe they are better protected from the threat of malware than non-Apple users. And that generally is true, because most trojans are tailored to run on Internet Explorer or Windows and therefore won't work on Macs. "But phishing is operating system independent," Litan told SCMagazineUS.com on Tuesday. "It doesn't matter how you operate your email, whether it's through a Mac or a PC." Granted, many phishing campaigns attempt to install malware on a victim's machine, but they also may be after login credentials, for example, she said.
The survey found that less than 50 percent of respondents even knew what phishing, the social-engineering technique in question, was. Perhaps the solution is to use different platforms. "Of note, we did find a lower rate of cybercrime victims among people who use both a Mac and a PC," Abrams said. "This is probably due to a higher level of computer and internet knowledge."

Whichever OS you are using, make sure you keep your antivirus up to date. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.scmagazineus.com -By Dan Kaplan

The six greatest threats to US cybersecurity

It’s not a very good day when a security report concludes that disruptive cyber activities are expected to become the norm in future political and military conflicts. But such was the case today as the Government Accountability Office took yet another critical look at US federal security systems and found most of them lacking. From the GAO: “The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, and other critical services. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow.”

From the GAO, the sources of the threat:

Foreign intelligence services use cyber tools as part of their information gathering and espionage activities.

There is an increased use of cyber intrusions by criminal groups that attack systems for monetary gain.

Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites.

Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers.

The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel.

Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence.

“A compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks,” Chabinsky said. For more information, please see the full article.

If you have fallen for this scam, notify your service desk immediately and change your passwords.

Bulletins posted 11/17/2009

Most Security Products Don't Initially Work As Intended, Study Says

In certification tests, many products fail in functionality or logging, ICSA/Verizon reports.

Nearly 80 percent of security products fail to perform as intended when first tested, and most require two or more cycles of testing before achieving certification, according to a new report from ICSA Labs, which performs security product testing.
According to the report, the main reason a security product fails during initial testing is that it does not adequately perform as intended. Across seven product categories, core product functionality accounted for 78 percent of initial test failures -- for example, an antivirus product failing to prevent infection or an intrusion prevention system product failing to filter malicious traffic.

The failure of a security product to completely and accurately log data was the second most common reason for test failure, according to the report. Fifty-eight percent of failures were attributed to incomplete or inaccurate logging of who did what -- and when, ICSA said. The report findings suggest some vendors and enterprise users consider logging a nuisance. According to the report, logging is a particular challenge for firewalls. Almost every network firewall (97 percent) or Web application firewall (80 percent) tested by ICSA experienced at least one logging problem.

The third most significant reason for test failure was inherent security problems in the products themselves, including vulnerabilities that compromise the confidentiality or integrity of the system, ICSA said. The product categories studied were antivirus, network firewall, Web application firewall, network IPS, IPSec VPN, SSL VPN, and custom testing. For more information on how products pass or fail, please see full article.

New Google SafeSearch Shows When Kids Are Protected

Four colored balls now tell parents their children are protected against adult content while searching on Google. The balls appear at the top right of the screen when "strict" SafeSearch is enabled. "Today we're launching a feature that lets you lock your SafeSearch setting to the Strict level of filtering," said Pete Lidwell and Aaron Arcos in a post to the company's official blog. "When you lock SafeSearch, two things will change. First, you will need to enter your password to change the setting.
Second, the Google search results page will be visibly different to indicate that SafeSearch is locked." That change is the appearance of the four colored balls at the top right of the page, a clear indication to parents and teachers that can easily be seen from across the room. If the balls appear, strict SafeSearch is enabled; if not, it can easily be re-enabled with a password. SafeSearch is Google's technology for blocking adult content and images from its search results. The company admits the technology is imperfect, but it still does an excellent job of filtering adult content and, especially, images from Google results. For more information on how Google SafeSearch works, please see full article.

SSL Flaw Could Have Been Used to Hack Twitter

A flaw in the protocol used to secure communications over the Internet could have been used to hack Twitter accounts, according to an IBM security researcher. Last week Anil Kurmus demonstrated how a flaw in the SSL (Secure Sockets Layer) protocol could be used to essentially trick victims into sending Twitter messages that contained their password information. For the flaw to be exploited, a hacker would first have to find a way to get onto the victim's network, launching what's known as a man-in-the-middle attack, so it would be hard to affect a large number of Twitter users with this technique.

The issue was soon patched by Twitter, but it has security experts wondering how many Web sites might suffer from a similar problem. A consortium of Internet companies has scrambled to fix the SSL issue since Nov. 5, when it was inadvertently made public on a discussion list. But there has been some debate about the seriousness of the flaw. Shortly after the bug was made public, IBM researcher Tom Cross said that, for the most part, major Web applications would not be affected by the issue. But Cross changed his mind, writing: "Unfortunately, the situation is worse than I thought."
Webmail applications, in particular, may also be at risk from this attack. And security experts also worry that other applications -- databases, for example -- may be at risk.

Twitter.com was susceptible to the bug because it did what's called client renegotiation under SSL. Client renegotiation gives the Web site a way to ask the Twitter user for an SSL certificate after a user is already connected to the site. It's a useful tool for sites that let users log on using smart cards or for sites that restrict access to a select group of predefined Web surfers, but until the flaw is fixed, client renegotiation also opens the door for SSL attacks. There are probably many sites such as Twitter that allow client renegotiation simply because it's built into the SSL protocol and its successor, TLS (Transport Layer Security), said Marsh Ray, one of the PhoneFactor developers who discovered the issue. "A lot of people didn't realize that they were doing it," he said. The good news is that many sites can simply disable it outright, which is apparently what Twitter has done. Twitter did not respond to a message asking for comment on this story. According to Ray, people should realize that while the SSL flaw is not catastrophic, "this is a serious bug and people need to patch it."

For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

IDG News Service - By Robert McMillan

Yahoo Careers website patched to close SQL flaw

Security researchers have helped to close up a blind SQL injection vulnerability on Yahoo's careers website. Through their normal surveillance of cybercrime forums, researchers at web application firewall provider Imperva noticed discussion about the flaw, present on careers.yahoo.com, which could allow attackers to extract database contents, including personal information. The researchers, though, did not see the cybercrooks attempting to exchange any stolen data.
The vulnerability is different from a traditional SQL injection flaw, he told SCMagazineUS.com on Monday. Typically, to pull off a SQL injection exploit, attackers enter a specially crafted query into a web form, which tricks the database into returning the desired results, Shulman explained. In a blind SQL scenario, hackers do not obtain query output. Instead they only receive an indication of whether the query was successful. "If you build queries correctly, you can extract one character of information at a time," he said. "It takes time. But once you automate the process, you don't really care."

Attackers often target job sites because of the wealth of personal data contained on them. "I think people care more about when a job site gets hit because those tend to include a lot of personal information that is not necessarily meant to be public," he said. "I think mostly, [attackers] take the information out and sell it away to other individuals who make use of it. Depending on the type of information, it can be used for spam, phishing or identity theft."

A Yahoo spokeswoman did not respond to a request for comment. This is not the first time a Yahoo site was victimized by a coding error. Last year, internet research firm Netcraft's toolbar detected a cross-site scripting bug in Yahoo's HotJobs search engine site that could be exploited to steal authentication cookies.

If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.scmagazineus.com - By Dan Kaplan

FAQ: Recognizing phishing e-mails

If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing. Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone.
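The blind SQL injection described in the Yahoo Careers item above works because a page that only answers "found" or "not found" can still be asked yes/no questions about data it was never meant to return. The following is an added example, not code from the article or from Yahoo or Imperva: a constructed in-memory SQLite table with an applicant-lookup written the vulnerable way (string concatenation) beside the hardened way (type validation plus parameter binding), and a small check a code reviewer can run to see whether a lookup acts as such an oracle. Table and column names and the sample rows are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a job-applicant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO applicants (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("Bob", "bob@example.test")],
    )
    return conn


def applicant_exists_vulnerable(conn: sqlite3.Connection, applicant_id: str) -> bool:
    """Vulnerable form: the request parameter is pasted into the SQL text.

    The caller only learns 'found' / 'not found', never the row itself, which is
    exactly the one-bit oracle the article describes.
    """
    sql = f"SELECT 1 FROM applicants WHERE id = {applicant_id}"
    return conn.execute(sql).fetchone() is not None


def applicant_exists_safe(conn: sqlite3.Connection, applicant_id: str) -> bool:
    """Hardened form: validate the type, then bind the value as a parameter.

    Whatever the string contains is handed to SQLite as data, so it can never
    change the shape of the query.
    """
    try:
        ident = int(applicant_id)
    except ValueError:
        return False
    row = conn.execute("SELECT 1 FROM applicants WHERE id = ?", (ident,)).fetchone()
    return row is not None


# Two constructed boolean probes: they do not request the e-mail column, they ask
# a yes/no question about its first character. A correct lookup answers neither.
PROBE_TRUE = "1 AND substr((SELECT email FROM applicants WHERE id = 1), 1, 1) = 'a'"
PROBE_FALSE = "1 AND substr((SELECT email FROM applicants WHERE id = 1), 1, 1) = 'z'"


def oracle_leaks(check) -> bool:
    """True if the two probes get different answers, i.e. the lookup leaks a bit
    about data outside the parameter's intended meaning."""
    conn = make_db()
    return check(conn, PROBE_TRUE) != check(conn, PROBE_FALSE)


if __name__ == "__main__":
    print("vulnerable lookup leaks:", oracle_leaks(applicant_exists_vulnerable))  # True
    print("safe lookup leaks:", oracle_leaks(applicant_exists_safe))              # False
```

The point of `oracle_leaks` is that a blind injection never needs the database to return data; it needs two inputs that make the page behave differently. Parameter binding removes that difference, and the same check applied to any lookup endpoint is a cheap regression test to keep in a web application's test suite.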
Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password. For screen shots and a full list of suggestions on how to protect yourself please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

InSecurity Complex - By Elinor Mills

Working at Home: A Wi-Fi, H1N1, Family Survival Guide

Bah Humbug!! 'Tis the season for stealing your parents' neighbor's Wi-Fi signal, struggling to set up a VPN connection while your flight gets delayed again, locking yourself in a closet to join a conference call, and trying to not catch the H1N1-type virus your sister's kid just sneezed all over your BlackBerry. It's just not possible for work not to invade your holiday activities and weeklong family sojourns: Such is life in the always-on 21st century, and most everyone (spouses not included) loves the lifestyle. But there are alternatives to the madness. Here is CIO.com's guide to surviving the holiday season. For a list of links, FAQs and other general information on how to work at home and make the most of your time, please see full article.

Bulletins posted 11/16/2009

Fake Verizon 'balance-checker' Is a Trojan

Cyber-criminals have started preying on Verizon Wireless customers, sending out spam e-mail messages that say their accounts are over the limit and offering them a "balance checker" program to review their payments. The e-mail messages, which look like they come from Verizon Wireless, are fakes; the balance checker is actually a malicious Trojan horse program. "If you run the tool, obviously, your computer is toast," said Nick Bilogorskiy, manager of antivirus research at SonicWall. "You get infected with a Trojan that SonicWall catches under the name Regrun." The scammers started sending out the messages around 11:30 a.m.
Pacific on Friday, and they quickly flooded the Internet with their spam. Within a few hours, SonicWall had intercepted the messages at about 16 percent of its customers, Bilogorskiy said. That translates to about 200,000 messages per hour on SonicWall's sensors. "The volume of these e-mails is just huge," Bilogorskiy said.

For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

IDG News Service - By Robert McMillan

Researcher finds "frighteningly bad" Adobe Flash flaw

A researcher has discovered a new hacker point of entry in Adobe Flash, but the software company's product security director dismissed the research as "not news." The flaw allows attackers to infect any website which permits visitors to upload content, including such popular sites as Google's Gmail. No fix yet exists, but Brad Arkin, director of product security and privacy at Adobe, told SCMagazineUS.com on Friday that the issue is not patchable and instead requires webmasters to apply safeguards.

The alarm was raised Thursday by Mike Bailey, senior researcher at Foreground Security, an information security services vendor, on the company's blog. He called the flaw a "frighteningly bad thing" because of the preponderance of sites that allow users to upload files. At that point, the hackers gain control of the targeted site, deposit a malicious Flash object on the web server, and then can execute malicious scripts in the context of that domain, thereby infecting visitors who visit that site.

Be careful when going to any site that is using Adobe Flash even if you are not using it on your computer. For more information on suggestions of how to protect yourself, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
http://www.scmagazineus.com - By Greg Masters

Attack tool can hijack data off unlocked iPhones

Hackers can steal data off jailbroken iPhones by leveraging the same vulnerability that currently is being used to spread a mischievous worm. The new exploit, spotted by researchers at Intego, a Mac security firm, allows attackers to siphon data off victim devices, including music, text messages, email, contacts and other personal information. The vulnerability that an Australian hacker recently leveraged to launch a worm prank -- which changes the victim iPhone's wallpaper to a photo of 1980s pop star Rick Astley -- is the same one that can be used to steal data, James said.

The attack occurs on an SSH-enabled jailbroken iPhone, meaning the device is unlocked so users can install software not available via iTunes, he said. If users fail to change their default password for SSH, which enables iPhones to remotely talk to each other over the internet, an attacker can gain root access to the device. "Anyone can connect to the iPhone using this password," James said. Attackers perpetrate the theft by installing a tool on their computer, and then waiting, such as at an internet cafe, for jailbroken iPhones to be present, he said. "It will suck down the data and save it," James said. He said he expects attacks targeting unlocked iPhones to rise in number and severity.

James said users should avoid jailbreaking their phones, but if they do, they must remember to change the default SSH password, if the utility is running. Apple, he added, has no obligation to fix the issue. For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
http://www.scmagazineus.com - By Dan Kaplan

DNS problem linked to DDoS attacks gets worse

Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims. According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an "open recursive" or "open resolver" system.

As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. "The two leading culprits we found were Telefonica and France Telecom," he said. In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to Liu.

Though he hasn't seen the Infoblox data, Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of "the increase in home network appliances that allow multiple computers on the Internet." "Almost all ISPs distribute a home DSL/cable device," he said in an e-mail interview. "Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states."

Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what's known as a DNS amplification attack. In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim's computer.
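The "open by default" state the article describes is the absence of one policy decision: the resolver recurses for any source address that sets the recursion-desired bit. The following is an added example, not code from the article, Infoblox or any resolver product. It decodes the fixed DNS header of a received packet and applies the decision a home or SOHO resolver should make before doing any recursive work: recurse only for clients on the local networks, and answer REFUSED to everyone else, so a spoofed query for an outside victim gets a tiny refusal instead of a large answer. The allowed networks and the sample query are assumptions; in BIND the equivalent setting is `allow-recursion`.

```python
import ipaddress
import struct

# Assumption: the networks this resolver is meant to serve. Any other source is
# "the Internet" and is refused rather than recursed for.
ALLOWED_RECURSION = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]

FLAG_QR = 0x8000  # set when the packet is a response, clear for a query
FLAG_RD = 0x0100  # set when the client asks for recursion


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_desired": bool(flags & FLAG_RD),
        "qdcount": qdcount,
    }


def build_query(name: str, qtype: int = 255, recursion_desired: bool = True) -> bytes:
    """Constructed sample query. qtype 255 (ANY) is the classic amplification
    lookup because the answer carries every record for the name."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def recursion_decision(src_ip: str, packet: bytes) -> str:
    """Policy applied to every packet before any recursive lookup happens.

    Returns "drop", "authoritative-only", "recurse" or "refuse".
    """
    hdr = parse_dns_header(packet)
    if hdr["is_response"]:
        return "drop"                  # responses never belong on the query path
    if not hdr["recursion_desired"]:
        return "authoritative-only"    # answer only for zones we host, no lookups
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in ALLOWED_RECURSION):
        return "recurse"
    return "refuse"                    # REFUSED: a few bytes back, not a 4 KB answer


if __name__ == "__main__":
    query = build_query("example.com")
    for src in ("192.168.1.20", "203.0.113.5"):
        print(src, "->", recursion_decision(src, query))
```

The spoofed-source problem is not solved here: the resolver cannot tell that 203.0.113.5 is a victim rather than a client. What it can do is make the answer to an unknown source worthless to an attacker, which is why restricting recursion (together with rate-limiting responses) is the mitigation the DNS community asks of every operator.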
If the bad guys know what they're doing, they can send a small 50 byte message to a system that will respond by sending the victim as much as 4 kilobytes of data. By barraging several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.

For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

IDG News Service - By Robert McMillan

Kaspersky Unveils Antivirus for Mac

It is wrong to think that a Mac operating system is safe from malware. "Since 2005, there has been a marked increase in the number of vulnerabilities in the Mac OS which can be used to conduct an attack via the Internet," said Gun Suk Ling, managing director for Kaspersky Lab, Southeast Asia. Recently, secure content management solutions developer Kaspersky Lab announced the release of its latest product, Kaspersky Anti-Virus for Mac. It shields the Mac OS against viruses, worms and Trojans as well as similar problems on other operating systems such as Windows and Linux.

It has been observed that the introduction of Mac OS X has made known on a wide scale the usefulness of multi-platform computers, and thus created room for Macs in corporate and home networks. The flip side of the coin, however, is that the multi-platform feature also made the Mac, like any other computer in a network, prone to malware attack. "Just because they have not been infected in the past does not mean they are safe now," Gun said. "For example, a Mac machine may be compromised by Trojans or key loggers without the user being alerted to the presence of the threat." For more information on the features that this will offer Mac users, please see full article.

Job Search Scams: Protect Yourself Against Identity Theft

As U.S. unemployment has increased, so too has the number of job search scams identity theft rings are perpetrating against desperate job seekers.
"We have seen a large proliferation of these scams over the past six to nine months because of the employment situation," says Lyn Chitow Oaks, chief marketing officer of TrustedID, which provides identity-theft protection services to individuals, families and businesses. She notes that identity thieves are targeting job seekers because they're vulnerable and willing to share personal information as part of the job search process. Two types of job search scams are most common, according to Oaks. One is a phishing scam, where identity theft perpetrators e-mail would-be victims to tell them about potential jobs and opportunities to make extra money. The e-mails direct recipients to websites that identity thieves have created specifically for gathering personal information, just as if it were a job application, says Oaks. These fake applications request all the information job seekers would expect to provide, such as their name, address and phone number, as well as for information they may not expect to offer so early in the process, she adds, such as their Social Security number, permission to conduct a background check and bank account information. "They tell you they need your bank account information so they can make sure your check can be direct deposited," she says, adding that they'll sometimes go so far as to say that they'll place money in your account and then remove it just to make sure it works. "By allowing them to place money in your account and remove it, you let your bank know that this 'employer' can take money out of your account, and that's how they wipe out people's bank accounts," says Oaks. Never mind the fact that you'll never receive any information about any job from one of these e-mails. Oaks adds that the identity thieves buy e-mail addresses from legitimate businesses who don't realize they're selling people's information to the Internet black market. In the second scam, identity thieves pose as employers on legitimate job search sites. 
They post a generic job that would appeal to a large number of people, Oaks says, and in the course of talking to applicants, they ask for personal information. "There are identity thieves all over valid and existing job search websites who are posing as employers," she says. For a list of ways to protect yourself please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.networkworld.com - By Meridith Levinson

Swine flu fears making millionaires out of Russian hackers

As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes.

This year, Sophos has intercepted hundreds of millions of fake pharmaceutical spam adverts and fake pharmaceutical websites, promoted by affiliate members. Working day and night, thousands of affiliates use criminal methods including spam, adware and malware to drive as much traffic to their partners' stores as possible, which then sell high-profit illegal goods as part of a multi-million dollar industry. Once someone searches online for Tamiflu, they are directed to specific online pharmacies such as the Canadian Pharmacy to purchase a generic and very possibly counterfeit version of the drug. What most people don't know is that cybercriminals have often manipulated internet search engine results to drive as much online traffic as possible to these sites. Furthermore, they bombard innocent users with adverts via spam email sent from hijacked botnet computers and hacked social networking accounts.
The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet. To see screen shots of these sites please see full article.

Never order medication online without checking with your healthcare provider first. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Bulletins posted 11/13/2009

Microsoft looking into new SMB vulnerability report

A researcher this week published proof-of-concept code that allows an attacker to exploit a vulnerability in Windows 7 and Server 2008 Release 2 to crash systems. The flaw, detailed by Laurent Gaffie in a blog post on Wednesday, lies in the Windows Server Message Block (SMB) and requires no user interaction to exploit. Attackers can remotely crash systems if a victim machine receives malformed packets, Jonathan Leopando, a member of the Trend Micro technical communications team, said in a blog post Thursday. "Whatever your firewall is set to, you can get remotely smashed via IE (Internet Explorer) or even via some NBNS (NetBios Name Service) tricks," Gaffie said. Users are encouraged to block ports used by the SMB protocol until Microsoft offers workarounds or a permanent fix, Leopando said. In October, Microsoft patched another serious vulnerability in the SMB protocol that Gaffie discovered.

For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
http://www.scmagazineus.com - By Dan Kaplan

New Flash Attack Has No Real 'Fix'
Researchers show how Adobe Flash can be exploited in browsers when victim visits sites that accept user-generated content

Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash -- and there's no simple patch for it. The attack can occur on Websites that accept user-generated content -- anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

"Everyone is vulnerable to this, and there's nothing anyone can do to fix it by themselves," says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel's File Manager. "We're hoping to get a message out to IT administrators and CIOs to start fixing their sites one at a time." An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. "If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can't fix this," Murray says. "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."

The only thing close to a "fix" is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack. Facebook already does this, he says, which makes the popular social networking site immune to hosting this type of attack. The researchers don't expect Adobe to issue any fixes to Flash's origin policy, mainly because it would affect so many applications.
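Both Flash items above (the Foreground Security report earlier on this page and the DarkReading piece here) come down to the same upload problem: a file accepted as a picture is later fetched by a browser that treats it as a SWF. Serving user-generated content from a separate origin, as the article recommends, is the structural fix; the check below is the complementary one an upload handler can make at ingest time. It is an added example, not code from Foreground Security, Adobe or any of the sites named, and the accepted extensions, magic bytes and sample inputs are assumptions: it insists that extension, leading bytes and content agree, and it rejects any file carrying a SWF signature (FWS, CWS or ZWS), confirming an uncompressed FWS header by its length field.

```python
from typing import Tuple

# Magic bytes an upload must start with for each extension we accept. Assumption:
# this site only accepts raster images as user-generated content.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Every SWF file begins with one of these signatures (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def find_swf_header(data: bytes) -> int:
    """Return the offset of an embedded SWF header, or -1 if none is found.

    A SWF header is signature (3) + version (1) + file length (4, little-endian).
    For an uncompressed FWS blob appended to an image the length field equals the
    bytes from the signature to end of file, so it can be confirmed. CWS/ZWS store
    the uncompressed length instead, so any occurrence of those is treated as
    suspicious: on user uploads a false positive is the cheaper mistake.
    """
    for sig in SWF_MAGIC:
        start = 0
        while True:
            i = data.find(sig, start)
            if i < 0:
                break
            if sig != b"FWS":
                return i
            if i + 8 <= len(data):
                declared = int.from_bytes(data[i + 4:i + 8], "little")
                if declared == len(data) - i:
                    return i
            start = i + 1
    return -1


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept the upload only if extension, leading magic and content all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return False, "content does not match extension"
    if find_swf_header(data) >= 0:
        return False, "embedded Flash (SWF) header"
    return True, "ok"


def make_polyglot(image: bytes) -> bytes:
    """Constructed test input: an image with an empty uncompressed SWF stub appended
    (signature, version, length and zero padding; no Flash bytecode at all)."""
    swf_body = b"\x00" * 20
    swf_len = 3 + 1 + 4 + len(swf_body)
    return image + b"FWS" + b"\x0a" + swf_len.to_bytes(4, "little") + swf_body


# Constructed sample inputs; none of these is a real image or program.
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 30
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
SAMPLE_EXE = b"MZ" + b"\x00" * 40

if __name__ == "__main__":
    print(check_upload("avatar.gif", SAMPLE_GIF))                 # (True, 'ok')
    print(check_upload("avatar.gif", make_polyglot(SAMPLE_GIF)))  # rejected
    print(check_upload("photo.jpg", SAMPLE_EXE))                  # rejected
```

Signature scanning is a heuristic, not a parser: a production handler should re-encode images through an image library so that any trailing foreign bytes are dropped, and should still serve the result from an origin that carries no session cookies.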
Adobe offers security information for developers using Flash. Be on the lookout for any website you visit that uses Flash. For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

DarkReading - By Kelly Jackson Higgins

Pushdo/Cutwail Spambot - A Little Known BIG Problem

Several days ago we started receiving spam abuse reports on the IP address of our corporate firewall. I came across an article from Trend Micro researchers Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, and Robert McArdle. The article is titled "A Study of the Pushdo/Cutwail Botnet, An In-depth Analysis". The article indicates that this particular botnet has been around since January 2007 and is the second largest spam botnet on the planet. This particular spambot is believed to be responsible for approximately 7.7 billion spam emails per day, making it responsible for 1 out of every 25 spam emails sent worldwide.

According to the findings of the research team, the development team for Pushdo/Cutwail worked very hard and used several techniques to keep their program "under the radar". In the article they outline these techniques, which include things like using multiple variants that react a bit differently, remaining memory resident with very little actually written to disk, and frequent updates and changes to the code to prevent discovery.

I am just amazed that this botnet is the 2nd largest in the world, has been around for almost 3 years and I am just now dealing with it. We still haven't figured out how this botnet got started, we aren't sure where it started, but we do know we can't wait to rid our network of this mess. For more information or to see more articles relating to this problem please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
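The Pushdo/Cutwail item above starts with abuse reports against a corporate firewall's address, which is how many organisations first learn that a spambot is inside. The same thing can be seen earlier in the firewall's own logs: a workstation has no business opening SMTP connections to dozens of different outside mail servers. The following is an added example, not code from the ISC diary or from Trend Micro. It parses constructed netfilter-style firewall log lines and reports internal hosts whose count of distinct external port-25 destinations reaches a threshold, excluding the organisation's real mail relay. The log format, the relay address, the threshold and every sample line are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# netfilter-style format (the constructed sample lines below follow it); only the
# SRC, DST, PROTO and DPT fields are used.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Assumption: the organisation's legitimate outbound mail relay(s). Any other
# internal host talking SMTP to many outside servers is a spambot candidate.
MAIL_GATEWAYS = {"10.1.0.25"}


def find_spambot_candidates(lines: Iterable[str], threshold: int = 20) -> Dict[str, int]:
    """Map internal source IP -> number of distinct external SMTP peers, for every
    host at or above the threshold."""
    peers = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue                      # not an outbound SMTP connection
        src = m.group("src")
        if src in MAIL_GATEWAYS:
            continue                      # the relay is supposed to fan out
        peers[src].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def sample_log() -> List[str]:
    """Constructed firewall log: one workstation fanning out SMTP to 30 servers,
    one normal workstation, the mail relay, and unrelated HTTPS traffic."""
    def entry(minute: int, src: str, dst: str, dpt: int) -> str:
        return (f"Nov 12 10:{minute:02d}:00 fw kernel: OUT IN=eth1 OUT=eth0 "
                f"SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt}")

    lines = [entry(i, "10.1.5.23", f"198.51.100.{i + 1}", 25) for i in range(30)]
    lines += [entry(i, "10.1.5.40", f"203.0.113.{i + 1}", 25) for i in range(2)]
    lines += [entry(i % 60, "10.1.0.25", f"192.0.2.{i + 1}", 25) for i in range(50)]
    lines += [entry(i, "10.1.5.23", "198.51.100.200", 443) for i in range(5)]
    return lines


if __name__ == "__main__":
    for host, count in find_spambot_candidates(sample_log()).items():
        print(f"{host}: {count} distinct SMTP destinations")  # 10.1.5.23: 30 ...
```

Counting distinct destinations rather than raw connections is what separates a spambot from a busy but legitimate client: a desktop mail client talks to one or two servers all day, a bot delivers directly to thousands of recipient domains. Blocking outbound port 25 from everything except the relay turns the same observation into prevention, and the relay's own queue then becomes the place to look.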
http://isc.sans.org - By Deborah Hale

Be on the lookout for NACHA spam

Nastygram: Beware the NACHA gotcha

Cyber thieves on Thursday began blasting out millions of e-mails impersonating NACHA - The Electronic Payments Association, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services. The missives in this latest scam arrive with various subject lines, but all complain about an unauthorized, rejected or failed ACH transaction. Most regular Internet users probably will ignore this message, as few people probably even know what ACH stands for (ACH, or "automated clearing house", refers to the electronic network used by banks to process credit and debit transactions in batches). That's likely just fine with the attackers, who appear to be targeting bookkeepers at small to mid-sized companies -- people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line and reputation. According to an alert at the real NACHA Web site, the bogus messages look something like this
Recipients who click the link in the e-mail are brought to a counterfeit NACHA Web site that offers a phony "transaction report" that harbors a copy of Zeus/Zbot. This same piece of malware has been responsible for attacks on the banking accounts of dozens of businesses chronicled by Security Fix over the past few months, exploits that have cost individual companies hundreds of thousands of dollars. Researchers at the University of Alabama, Birmingham are tracking more than 30 fake NACHA sites that are serving malicious software in connection with this attack. The school reports that only about 16 out of 41 popular anti-virus products currently detect the "transaction report" as malicious.

http://voices.washingtonpost.com - By Brian Krebs

Spam Campaign Targets Payment Transfer System

A new spam campaign is targeting a financial transfer system that handles trillions of dollars in transactions annually and has proved to be a fertile target of late for online fraudsters. The spam messages pretend to come from the National Automated Clearing House Association (NACHA), a U.S. nonprofit association that oversees the Automated Clearing House system (ACH). ACH is a widely used but aging system used by financial institutions for exchanging details of direct deposits, checks and cash transfers made by businesses and individuals. In 2002, ACH was used for nearly 9 billion transactions worth more than US$24.4 trillion.

Over the last few months, many businesses have lost money through ACH fraud, primarily when fraudsters obtain the authentication credentials required to transfer money. In many cases, significant portions of the fraudulent transfers are never recovered, and businesses are on the hook with their bank. NACHA has no direct involvement in the processing of the payments, but spammers have nonetheless launched a spam campaign with messages purporting to be from the organization saying that an ACH payment has been rejected.
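The NACHA items above, like the phishing FAQ earlier on this page, describe lures that share a few mechanical tells: a display name claiming an organisation the sending domain does not belong to, a subject built around urgency ("rejected", "failed", "verify immediately"), a link whose visible text and real target disagree, and a "report" attachment whose bytes are not what its name claims. The following is an added example, not code from Security Fix, IDG, NACHA or any antivirus vendor. It builds a constructed message in the style of the campaign (the domains, addresses and attachment bytes are invented) and runs a mail-gateway style analysis over it with the standard library's email package; the brand-to-domain map and urgency word list are assumptions a deployment would tune.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List
from urllib.parse import urlparse

# Assumption: brands we expect in display names and the domain each legitimately
# mails from. nacha.org is the association's real domain; the rest is constructed.
BRAND_DOMAINS = {"nacha": "nacha.org", "paypal": "paypal.com"}
URGENCY_WORDS = ("immediately", "rejected", "suspended", "failed", "unauthorized", "verify")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
MAGIC_BY_EXT = {"pdf": b"%PDF"}


def build_sample() -> bytes:
    """Constructed lure in the style of the NACHA campaign; not a real message."""
    msg = EmailMessage()
    msg["From"] = "NACHA <alerts@nacha-report.example>"
    msg["To"] = "bookkeeper@smallbiz.example"
    msg["Subject"] = "Rejected ACH transaction, review immediately"
    msg.set_content("Your ACH transaction was rejected. Review the attached report immediately.")
    msg.add_alternative(
        '<p>Your ACH transaction was <b>rejected</b>. Review the report at '
        '<a href="http://nacha-report.example/report">https://www.nacha.org/transactions</a></p>',
        subtype="html",
    )
    # A "PDF" whose bytes begin with the DOS/PE executable signature (constructed stub).
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="transaction_report.pdf")
    return msg.as_bytes()


def analyze(raw: bytes) -> List[str]:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # 1. Display name claims a brand the sending domain does not belong to.
    sender = msg["From"].addresses[0]
    display, domain = sender.display_name.lower(), sender.domain.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims {brand} but sender domain is {domain}")

    # 2. Urgency language in the subject.
    subject = str(msg["Subject"]).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency cue in subject")

    # 3. Link text shows one host while the href points at another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in LINK_RE.findall(html.get_content()):
            shown = text.strip()
            if shown.lower().startswith(("http://", "https://")):
                shown_host, real_host = urlparse(shown).hostname, urlparse(href).hostname
                if shown_host != real_host:
                    findings.append(f"link text shows {shown_host} but points to {real_host}")

    # 4. Attachment content disagrees with its name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower()
        if data.startswith(b"MZ"):
            findings.append(f"attachment {name} is a Windows executable")
        elif ext in MAGIC_BY_EXT and not data.startswith(MAGIC_BY_EXT[ext]):
            findings.append(f"attachment {name} does not look like a {ext}")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print("-", finding)
```

None of the four checks depends on an antivirus signature, which is the point of the 16-of-41 detection figure quoted in the articles: while the binary is still unrecognised, the shape of the message is the same on day one as on day ten, and a gateway rule that quarantines on any two of these indicators catches the campaign before the attachment is opened.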
The spam messages have a link to a fake Web site that looks like NACHA's. The site asks the victim to download a PDF (portable document format) file, but it is actually an executable. If launched, the executable will install Zbot, also known as Zeus, an advanced piece of banking malware that can harvest the authentication details required to initiate an ACH transaction, according to M86 Security. The spam campaign is coming from the Pushdo botnet, M86 said on its blog. NACHA has put an advisory on its Web site, warning: "NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive."

There are a number of versions of the Zeus malware, which is periodically re-engineered in order to evade detection by antivirus software. As of Thursday, the version of Zeus being spammed was only detected by 16 of 41 antivirus suites, wrote Gary Warner, director of research in computer forensics at the University of Alabama's computer and information sciences department. Antivirus software is the first line of defense against malware like Zeus. However, malware writers can modify the file in order to make it undetectable for a while until the security companies see a sample and create a signature for it. It may take a few days before different security suites can detect it. By that time, the money may be gone.

IDG News Service - By Jeremy Kirk

For more information or to see a screen shot, click either of the links to see the full articles. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Newest Twitter information and threats.

Twitter spam worm stealing user logons

The popular social media service Twitter is being targeted by a new attack that tries to hijack user accounts to send spam via direct messages.
At first, the attack was thought to be the result of "phishing" or social engineering asking people to enter their username and password details into bogus sites masquerading as Twitter's website, possibly done by utilising a cross-site scripting vulnerability. However, New York-based PHP and application security specialist Chris Shiflett says that he strongly suspects there's a new variant of the Facebook worm Koobface at large, which searches for users' session ID cookies. These are set on users' computers when they tick the "Remember Me" box to stay logged onto Twitter. While the exact scale of the attack isn't known, anecdotal evidence suggests many thousands of people have been affected and have had their accounts compromised.

Once it has access to the session cookies, the worm can log on to Twitter and send direct messages to the followers of the user whose account has been compromised. An application and development specialist at an Auckland software house where Twitter users were inadvertently spamming their followers multiple times spoke to Computerworld on condition of anonymity, and says his company's IT security staff suspect a new variant of Koobface as well, one that antivirus scanners have yet to pick up. Complicating the issue is the fact the worm has yet to be found - the specialist says it appears the worm deletes itself after finishing its programmed task. However, the modus operandi of the worm is similar to earlier Koobface attacks, the specialist says.

Computerworld - By Juha Saarinen

Twitter DM Spam Collects Mobile Numbers

Cybercriminals are using compromised Twitter accounts to spam out information-gathering websites to unknowing users. The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.
The Direct Message, which is basically the Twitter counterpart of a private message, contains a link to what looks like an IQ test website. An IQ test may seem harmless, but the last thing asked for in the test is no longer an answer but the respondent's mobile number. Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attacks. Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter, even if the person who sent the DM is a known user. Those users who think that their accounts may be among those compromised should change their passwords as soon as possible. This attack does not simply harvest the affected users' numbers; it also signs up their mobile for an auto-renewing subscription, as described in the terms and conditions.

Microsoft Cracks Down On Piracy With Twitter Feed Microsoft has launched a dedicated Twitter feed for its anti-piracy enforcement team in an attempt to curb unauthorised file-sharing. The feed, which began on 3 November with a link to a Microsoft page describing how to tell whether a piece of software has been pirated, has only four tweets but is expected to expand. A Microsoft spokesperson described the Twitter handle as a way for the company "to connect with the public on the issues of pirated and counterfeit software." Like many IT companies, Microsoft has been moving to embrace social networking and microblogging as tools for connecting with the online community. Microsoft recently announced that Facebook and Twitter will be incorporated more fully into its search engine, Bing, with users able to search Twitter feeds for real-time information or post data to their Facebook pages.
According to McAfee, the number of new file-sharing sites hosting unauthorized content has rocketed upward in the past three months, despite the continuing legal pressure on sites such as Pirate Bay to shut down. McAfee’s Third Quarter Threats Report found a 300 percent jump in the number of sites posting pirated content. Despite this, Microsoft has continued an aggressive campaign against piracy, sometimes with unintended consequences. In September, Microsoft seemed to have concluded a long legal battle against security company Uniloc, which had alleged that Microsoft infringed on its patent relating to anti-piracy technology, when a federal judge tossed out a $388 million (£232 million) damage award against Redmond. Specifically, Uniloc had argued that Microsoft’s anti-piracy registration system for Windows XP and certain components of Office violated its own product-activation patent. Uniloc announced on Oct. 1 that it planned to appeal the federal judge’s verdict. In addition to piracy, Microsoft has been forceful in its attempts to prevent users from installing the full version of Windows 7 onto a blank hard drive using an upgrade disc. Although such a feat is technically possible, Redmond has argued publicly in blog postings that to do so without a "full qualifying license" violates EULA (End User License Agreement). Doubtlessly, issues such as these will end up being reported on the new Twitter feed. http://www.eweekeurope.co.uk -By Nicholas Kolakowski For more information or to see a screen shot, click either of the links to see the full articles. If you have fallen for this scam, notify your service desk immediately and change your passwords. Microsoft defends Hotmail's cookie requirement Microsoft has said its new policy of requiring users to accept third party cookies to log out of Hotmail improves security. 
Angus Logan, the product manager for Windows Live ID, told The Register the use of third party cookies has two benefits: "We write our cookies to multiple domains to give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password," he said. "[It also] helps protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won't be compromised." Microsoft now uses third party cookies - more controversial than first-party ones because they allow tracking across multiple websites and services - for log out to check whether users are logged into more than one of its web services. "During sign-in, we redirect to the right domain so that the cookies can be written in first-party context," Logan said. "It's only during sign-out, where we need to clear cookies from potentially many domains that we have login.live.com clearing cookies in other domains via the invisible GIF solution*. We are actually removing cookies in this scenario, but it's interpreted by browsers as using third party cookies." Hotmail users who don't accept third party cookies must now shut down their browser to log out. For more information, please see full article. If your browser is set to reject third-party cookies, close the browser completely to end your Hotmail session, and change your password often.

Bulletins posted 11/12/2009

Rogue Security Product Copies McAfee’s Look and Feel Recently we have seen the rapid growth of rogue anti-virus/spyware programs. Why does this one stand out? Because it mimics McAfee’s security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee’s legitimate site. I suppose we should be flattered that malware authors have chosen our product as one worth imitating.
Rogue anti-virus products have long mimicked Microsoft’s security apps in Windows XP (FakeAlert-XPSecCenter) and Windows Vista/Windows 7 (FakeAlert-EA). The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless; they exist to trick victims into pressing the panic button. In this case, agreeing to “Remove all threats now” will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software advertises several “features”. And that’s not all: MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will redirect your browser to various misleading websites, including the rogue program’s homepage. Once installed, MaCatte Antivirus will start automatically when you boot Windows. Then it will scan your computer and display numerous infections, but will not remove them until you first purchase the program. The cost of cleaning the “malicious” files comes at the rip-off price of $99. Leading legitimate anti-virus security products don’t come close to the cost of this imposter. I hope that’s an eye opener for you. Don’t become a victim. To see screen shots of what this fake program's website looks like, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. McAfee Labs Blog -By Girish Pillai

New Koobface Component Imitates Facebook User The Koobface botnet has pushed out a new component that automates the registering of Facebook accounts and the befriending of real users. Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human.
The details provided about the account are complete, such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered. Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it checks whether it has already reached the maximum number of friend requests set by Facebook. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators. This component fetches details from one of the botnet's available proxy domains. The messages posted through Facebook's wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component. Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface. To see screen shots of what this program looks like, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. http://blog.trendmicro.com -By Jonell Baltazar

iPhone Targeted Yet Again New hacking tool steals personal data off 'jailbroken' iPhones via a wireless network It has been a tough week for a "jailbroken" iPhone: First a hack changed the smartphone's wallpaper, then a worm spread singer Rick Astley's image as its locked wallpaper, and now a newly released hacking tool can steal personal data. European researchers discovered the so-called iPhone/Privacy.A malware, which targets jailbroken iPhones and iTouch handsets, via a wireless network.
Jailbroken devices have had Apple's restrictions disabled so that the user can run code or apps on the device that aren't "signed" by Apple. The hacking tool can copy the user's email, contacts, SMS text messages, calendar, photos, music, video, and other data gathered by an iPhone app, according to Intego, the security firm that discovered it, and the victim would have no idea his iPhone was hacked. The attacker would run the tool on a desktop or laptop machine and be able to identify and break into a jailbroken iPhone or iTouch via WiFi or via the same mobile network. "I haven't seen anything like this before...that's automated to remotely log into the device wirelessly," says Patrik Runald, senior manager of security research for Websense. But the tool can hack only a limited number of iPhones. It targets a jailbroken iPhone or iTouch that has SSH (Secure Shell) installed and is still using the default password that comes with the SSH utility. "You're not at risk unless you have all three" of these factors, Runald says. Intego says between 6 to 8 percent of all iPhones have been jailbroken. "This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the wifi network in search of data. Hackers could even install this tool on their own iPhones, and use it to scan for jailbroken phones as they go about their daily business," Intego says in its advisory. Websense's Runald says so far the only big threats to the iPhone have been on jailbroken devices. "There are lots of vulnerabilities [found] in the iPhone," he says. "But so far, we've not seen anything [attack-wise] because the model Apple implemented for it is pretty decent. It won't run any unsigned apps on the device." If you have jailbroken your device and installed SSH, change the default password immediately; that single step removes the third factor the tool depends on.
Of the three attacks this past week, Runald says the iPhoneOS.Ikee worm that was written by an Australian researcher was the most damaging because it spread automatically. To see screen shots of what this program looks like, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. DarkReading -By Kelly Jackson Higgins Majority Of Web Apps Have Severe Vulnerabilities Flaws 'could potentially lead to the exposure of sensitive or confidential user information during transactions,' according to new report from Cenzic The number of software vulnerabilities detected has risen to the point that almost 9 out of 10 Web applications have flaws that could lead to the exposure of sensitive information. Cenzic's "Web Application Security Trends Report Q1-Q2, 2009" report, released on Monday, says that more than 3,100 vulnerabilities were identified in the first half of the year, 10% more than the number identified in the second half of 2008. Of the vulnerability total, 78% were Web application vulnerabilities, lower than in the second half of 2008 but higher than in the first half of last year. The SANS Institute's Top Cyber Security Risks report, released in September, found that over 60% of attack attempts on the Internet target Web applications. Ninety percent of the Web application vulnerabilities were in commercial Web apps and 8% were the browsers that run Web apps, Cenzic's report says. The makers of the software affected by the top ten vulnerabilities include PHP, SAP (NYSE: SAP), Sun, Citrix (NSDQ: CTXS), Apache, F5 Networks, Symantec (NSDQ: SYMC), and IBM (NYSE: IBM). If you would like more information on these vulnerabilities please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. DarkReading -By Thomas Claburn About the security content of Safari 4.0.4 This document describes the security content of Safari 4.0.4. 
This update is recommended for all Safari users and includes improvements to performance, stability, and security. For more information on the update, or for a link to download it, please see full article.

Bulletins posted 11/10/2009

Being Framed for Child Porn... by PC Virus PC owners caught with child porn loaded on their computers Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography. Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it's your reputation that's stolen. Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they'll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites. Whatever the motivation, you get child porn on your computer — and might not realize it until police knock at your door. An Associated Press investigation found cases in which innocent people have been branded as pedophiles after their co-workers or loved ones stumbled upon child porn placed on a PC through a virus. It can cost victims hundreds of thousands of dollars to prove their innocence. Their situations are complicated by the fact that actual pedophiles often blame viruses — a defense rightfully viewed with skepticism by law enforcement. "It's an example of the old `dog ate my homework' excuse," says Phil Malone, director of the Cyberlaw Clinic at Harvard's Berkman Center for Internet & Society. "The problem is, sometimes the dog does eat your homework." The AP's investigation included interviewing people who had been found with child porn on their computers. The AP reviewed court records and spoke to prosecutors, police and computer examiners.
Make sure that your computer security software is up to date, and for more information on what to be on the lookout for, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. http://abcnews.go.com -By JORDAN ROBERTSON AP

Botnet masters turn to Google, social networks to avoid detection Twitter, Facebook and other social networks, as well as a number of Google services, are being eyed by cybercriminals not only to steal user data, but to use their storage and bandwidth for certain botnet command-and-control capabilities. The occurrences have been detected in greater numbers in recent months by various security firms. Cybercriminals behind many botnets remotely control zombie machines via a single communication channel, such as Internet relay chat (IRC) and a command-and-control server to dictate orders and collect stolen data. Another method to dictate orders is via a peer-to-peer protocol, a method still used to command portions of the botnet created by the notorious Conficker worm. But it has become too easy for security researchers to detect, track and filter botnet traffic, experts say. The number of IRC botnets is on the decline. Two-thirds of IRC botnets are shut down within 24 hours, said Jose Nazario, a botnet expert and senior security engineer for Lexington, Mass.-based Arbor Networks Inc. It appears bot masters are testing out ways to take advantage of free storage and bandwidth offered by cloud-based services to make it more difficult for people to weed out and eradicate malicious traffic. "When they shift over to cloud what they get is resiliency and anonymity," Nazario said. "There's no way Google can give us access to source code because there's legal barriers these guys have to deal with." Security researchers at Arbor Networks have discovered the latest occurrence -- a Google AppEngine application used by cybercriminals to feed commands to zombie computers that make up a botnet.
The application functions as a switch to feed URLs to zombie machines, and then to a webpage where they can download additional instructions and malware. Nazario said the links led to a site hosted by a small ISP based in the United States. Google was contacted and the AppEngine application was taken down. The ISP unwittingly hosting the second stage malware has also taken it down. For more information on what to be on the lookout for, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. SearchSecurity.com -By Robert Westervelt

Rogue Anti-Spyware Targets Sesame Street’s Big Bird The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird’s birthday. It’s not new that the Google logo includes Big Bird; it does so on special occasions. The Google logo clearly shows Today’s Hot Trends, and that’s a target for malware writers. This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird’s birthday and Big Bird on Google displays pages with compromised sites. Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on. For more information, or to see a video of what to be on the lookout for, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
McAfee Labs Blog -By Arun Pradeep Firefox flaws account for 44% of all browser bugs Apple's Safari takes second, with 35%, IE in third with 15%, says vulnerability tally Firefox accounted for almost half of all browser vulnerabilities in the first six months of 2009, a Web security company claimed today. According to California-based Cenzic, Mozilla's browser had the largest percentage of Web vulnerabilities over the six-month span, while Apple's Safari had the dubious distinction of coming in second. Microsoft's Internet Explorer (IE) was third, while Opera Software's flagship browser took fourth place. "It's not rocket science," said Lars Ewe, Cenzic's chief technology officer, referring to the browser bug counting. "We used several databases, including the CVE (common vulnerabilities and exposures) database to count the number of known vulnerabilities." Firefox accounted for 44% of all browser bugs reported in the first half of the year, said Ewe, while Safari vulnerabilities came to 35% of the total. IE, meanwhile, accounted for 15%, while 6% of all the flaws were in Opera. Cenzic did not separately count the number of "zero-day" bugs -- those unpatched at the time exploit code went into circulation -- said Ewe, who defended his company's tally at the same time he downplayed their significance. "At the end of the day, the number of vulnerabilities is only one measurement of a browser's security," said Ewe. "We're not trying to point a finger at any one browser. I would certainly not abandon Firefox because of this." For more information please see full article. Computerworld -By Gregg Keizer Apple delivers mammoth update, patches 58 bugs Retires Tiger from security support with second Snow Leopard patch batch Apple patched 58 vulnerabilities in its Mac operating systems today, the most since May 2009, including several in the QuickTime media player that it had fixed separately in early September. 
Apple apparently also retired Mac OS X 10.4, aka Tiger, from security support; none of the patches affect that operating system, which debuted in April 2005. Apple traditionally stops providing security updates for its oldest still-supported OS several months after the release of a new edition. Today's security update was the sixth from Apple this year, and the second that included patches for Snow Leopard, launched in late August. "Seems a little large, but really, it's par for the course for Apple," said Andrew Storms, director of security operations at nCircle Network Security, referring to the number of individual bugs quashed in today's 2009-006 update. In May, Apple patched a record 67 vulnerabilities; it addressed 55 in February, 33 in September, and 19 in two separate August updates. "Thank goodness Apple didn't release it tomorrow," Storms said. Microsoft, which unlike Apple sets a regular schedule for its security updates, is slated to deliver six updates Tuesday that will patch 15 vulnerabilities. More than half of the vulnerabilities patched today, 32 out of the 58, were accompanied by the phrase "may lead to arbitrary code execution," which is Apple's way of saying that a flaw was critical and could be used by attackers to hijack a Mac. Apple does not assign ratings or severity scores to the bugs it patches, unlike other major software makers, such as Microsoft and Oracle. Several open-source components of Mac OS X were also patched in Apple's update today, including the Apache Web server, Fetchmail, IPSec, LibXML, OpenLDAP, OpenSSH, PHP, RADIUS and Subversion. "I looked up the release dates of those to get an idea of Apple's response time," Storms said. "Apache was patched in June; Fetchmail, LibXML and Subversion in August; and PHP and RADIUS in September." Storms and other security experts have been critical of Apple's sometimes-lethargic patching pace for open-source pieces it includes in Mac OS X.
"To harp on the fact again, if Apple is going to distribute open-source code and applications, they need to close that loophole faster," said Storms. "Some of those, like PHP and LibXML were pretty important to get patched, and they were fairly fast, for them, this time. But OpenSSH's bug was patched more than a year ago." The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Snow Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.6.2 upgrade also released today. For a link to the security download or for more information please see full article. Computerworld -By Gregg Keizer

Drowning in Passwords: Tips to Stay Safe and Sane If you spend much time online, you probably have the same problem I do: How to remember your ever-growing list of online usernames and passwords, and stay secure at the same time. If you're one of the majority, your security strategy may be nothing more than using a single password for every site you need to access. On the one hand, the chances of it being stolen aren't terribly high and you probably won't forget it. But if it is stolen, the malefactor will have access to your entire online life, including bank accounts and maybe medical records. Not a pretty thought. It turns out that there are a number of strategies that will help you avoid that ugly scenario. Most of them are simple, free or quite inexpensive, and much more secure than what you're doing now. But some are just halfway measures that could let you down in a pinch. A Free Trick or Two Don't want to spend money? You could simply put your passwords in a password-protected file. If you use Microsoft Word, it's easy. Simply go to Tools, then Options and click the security tab. You'll have the option to require a password to open the file, or just to modify it. If you're traveling, you can put that file on a USB drive. But don't forget that password.
If there's a backdoor that will let you recover the file without it, I haven't heard about it. Most browsers, including Internet Explorer, Firefox and Safari, can automatically fill in forms and passwords for you. That's certainly helpful and if you're certain that no one else has access to your computer, it's not terribly risky. However, if your teenager or someone else does use your computer, you could be in trouble. A simple solution is to delete saved passwords and forms when you get done. In Firefox, for example, go to "Tools," "Options" and then the security tab and look for the "saved passwords" button. Click it and a list of saved passwords and usernames opens up. Simply delete all or some of them. Other browsers have similar features. Also remember that public computers are often infected with malware, including keyloggers that copy everything you type. Password managers defeat them, since the password is not actually typed on the page. For information on other products and tips to try please see full article.

Nov. 10, 1983: Computer Virus Is Born 1983: Fred Cohen, a University of Southern California graduate student, gives a prescient peek at the digital future when he demonstrates a computer virus during a security seminar at Lehigh University in Pennsylvania. A quarter-century later, computer viruses have become a pandemic for which there’s no inoculation. Cohen inserted his proof-of-concept code into a Unix command, and within five minutes of launching it onto a mainframe computer, had gained control of the system. In four other demonstrations, the code managed to seize control within half an hour on average, bypassing all of the security mechanisms current at the time. It was Cohen’s academic adviser, Len Adleman (the A in RSA Security), who likened the self-replicating program to a virus, thus coining the term. For information on the history of the computer virus, please see full article.
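Returning to the password tips above: the weakness the article identifies is that one stolen password opens every site, and the free fixes it offers (a password-protected document, browser autofill) still store copies of each password somewhere. One scheme that avoids storing them at all is to derive a distinct password for every site from a single memorised secret with a slow key-derivation function. The block below is an added example, not code from the article or from any of the products it mentions; the master secret and the per-user salt are constructed sample values, and the site names are hypothetical.

```python
import hashlib
from urllib.parse import urlsplit

# 64 symbols so that mapping one derived byte to one symbol (byte % 64) has no
# modulo bias. Trim it if a site rejects '!' or '@'.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@"
assert len(ALPHABET) == 64
ITERATIONS = 200_000  # PBKDF2 work factor; slows guessing of the master secret


def normalise_site(site: str) -> str:
    """Reduce a URL or hostname to a canonical host so that
    'https://www.Example.com/login' and 'example.com' derive the same password."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str, user_salt: bytes, length: int = 20) -> str:
    """Derive a per-site password with PBKDF2-HMAC-SHA256.

    master:    the one secret the user memorises; it is never written down.
    user_salt: a random per-user value stored with the user's settings. It is
               not secret, but it stops two people with the same master secret
               and site from ending up with identical passwords.
    A password leaked from one site reveals neither the master secret nor the
    password for any other site, which is exactly what reusing one password
    fails to provide.
    """
    salt = user_salt + b"|" + normalise_site(site).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % 64] for b in key)


if __name__ == "__main__":
    # Constructed sample values; a real user_salt would come from secrets.token_bytes(16).
    master = "correct horse battery staple"
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for site in ["https://www.example.com/login", "example.com", "bank.example.net"]:
        print(f"{site:32} {derive_site_password(master, site, salt)}")
```

Nothing here needs to be stored except the salt, so there is no password file to lose or to leave on a public machine. The trade-off, which a real password manager handles and this sketch does not, is rotation: to change one site's password after a breach you need a per-site counter mixed into the salt, and to change the master secret you must reset every site.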
Bulletins posted 11/9/2009 New Spamming Botnet On The Rise Festi quickly jumps from sending about 1 percent of all spam to 5 to 6 percent, MessageLabs researchers say Upping its output of spam by nearly 5 percent in recent weeks, a new botnet called Festi has grabbed the attention of researchers, cracking the list of top 10 most prolific spamming botnets, according to Symantec's MessageLabs Intelligence team. Festi, which the researchers first started watching closely in August, is currently sending an average of 2.5 billion spam messages a day around the world -- mostly pharmaceutical spam, including male-enhancement and herbal remedies, as well as jewelry and watches. The botnet has apparently pumped up the volume of spam by recruiting more bots, about 60 percent of which are in Asia, 18 percent in Europe, and 9 percent in North America, according to MessageLabs. And its spamming volume jumped significantly during the past few days. "Festi had been fairly invisible in terms of the amount of traffic it was sending out -- each time we would look at it...it was not featured in the top 10 [spamming botnets]," says Paul Wood, senior analyst for MessageLabs Intelligence and Symantec Hosted Services. "We were quite surprised when it started increasing in significant volume over the last few days." But while Festi's growth is impressive -- and it's now at the No. 5 slot -- it's still not in the league of the top five spamming botnets. According to MessageLabs, Grum accounts for 23.2 percent of all spam; Bobax, 15.7 percent; Cutwail, 11.1; Rustock, 10 percent; and Bagel, 8.2 percent. MegaD accounts for 6.8 percent of all spam, according to MessageLabs. Joe Stewart, a researcher with SecureWorks' Counter Threat Unit and a botnet expert, says Festi "looks like it's up-and-coming." SecureWorks has a slightly different order in its top five botnets, with Cutwail at No. 1, followed by Rustock, Xarvester, Grum, and MegaD. 
Stewart says of the spam he monitors, Cutwail, which has a half-million bots, sends 65 percent of spam. Festi likely infects its victims via drive-by downloads, Stewart says, and it's somewhere around 25,000 bots. Its malware is a kernel-based spam bot, too, which isn't typical. "It's a little unusual when you see a brand-new spam bot come out already using rootkit capabilities and running directly out of the kernel," Stewart says. "That suggests this person already [may] have...some experience with spam systems." The good news about Festi is that it's mostly a spamming botnet, with no malicious, data-stealing malware. If you have fallen for this scam, notify your service desk immediately and change your passwords. DarkReading -By Kelly Jackson Higgins

Fake security tools still big threat, worms on rise The No. 1 offender on Canadians' PCs in the first half of 2009 was Win32/ZangoSearchAssistant, adware that victims probably don't even know hit them, according to a recent security report from Microsoft Corp. ZangoSearchAssistant tricks unsuspecting users into downloading it in the guise of improving search results and producing related links based on user-specific keywords, explained Mohammad Akif, security and privacy lead with Microsoft Canada Co. "You might think what a stroke of luck, I was just searching for Michael Jackson earlier, and now this offer is popping up," said Akif. But in reality, the related links are companies in ZangoSearchAssistant's network. Most of the Top 25 security threats listed in the seventh version of the Microsoft Security Intelligence Report (SIRv7) are consumer threats, but those of importance to the enterprise include ASX/Wimad and Win32/Renos, said Akif. Both Trojans, Wimad and Renos have had a presence in the enterprise for some time, as have others, said Akif. "That is the biggest category from an enterprise perspective," he said. Wimad, for instance, positions itself as a Windows media file, tricking users into downloading it.
SIRv7 also reported that worm infections rose by nearly 100 per cent compared to the preceding six months, thanks to Conficker and Taterf. "All over the world, it has become the No. 1 threat," said Akif. There were 16.8 million infections in 2008 compared to 13.4 million in the last six months. But rogue security software is morphing, becoming more sophisticated in how it attacks, said Akif. It's more difficult to identify now because they do things like latch on to free software. For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. Computerworld Canada -By Kathleen Lau Mozilla fixes Firefox crash bug Just a week after it last updated Firefox, Mozilla has rushed out a new version of its browser to fix a crash bug that programmers inadvertently introduced. Firefox 3.5.5, which Mozilla posted for download late Thursday, fixes a small number of what the company called "stability issues" in the release notes that accompanied the update. Unlike almost all interim updates that Mozilla issues about once every six weeks, version 3.5.5 did not patch any security vulnerabilities. The main bug quashed Thursday was one that was causing a high number of crashes in the Windows version of Firefox 3.5.4, the update that Mozilla launched Oct. 27 to patch 16 flaws. "We're seeing lots of crashes in the GIF decoder," noted Mozilla developer Joe Drew in the message that kicked off the discussion on Bugzilla, the company's bug and change tracking system. Only the Windows edition of Firefox 3.5.4 was crashing, others reported on Bugzilla. The GIF decoder is the component that parses .gif image files embedded in Web pages. "This bug was actually caused by bug 514776 which removed the check for null mImageFrame," said another Firefox programmer, Jeff Mulzelaar, on Bugzilla. "I don't know why that check was removed." 
Information about the bug Mulzelaar mentioned is password-protected and not available to the general public. Firefox 3.5.5 also fixes a stability bug in the Mac version, and another crash problem in the Windows and Mac editions. Mozilla's older browser, Firefox 3.0, was not affected by the bugs. The most up-to-date version of that edition is Firefox 3.0.15, which was also released Oct. 27. Firefox accounts for an estimated 24% of all browsers worldwide, according to data from U.S. Web metrics company Net Applications. Firefox 3.5.5 can be downloaded for Windows, Mac OS X and Linux from the Mozilla site; current Firefox users can call up the browser's update tool or wait for automatic update notifications to appear. For more information please see full article. This is a stability fix rather than a security patch, but if you run Firefox 3.5.4 on Windows, update to 3.5.5 rather than waiting for the crashes to find you. Computerworld Canada -By Gregg Keizer

Six ways to botch your backups
If you watch over a lot of data, take care to avoid these mistakes. Many of us were shocked the other week that a company as prominent as Danger, Inc. could make such a rookie mistake by losing the data of T-Mobile's Sidekick customers. As a system administrator, if there is one thing you absolutely have to get right, it's backups. Here are six ways to botch them.

So you've made a smart decision by making sure that your company's data is on redundant disks. Disk arrays using RAID 1, 5 and 6 can continue to function if a drive fails. Great, but what if you lose multiple drives due to a power surge, defective controller, fire, flood, or user error? What if the data becomes corrupt or is accidentally deleted? RAID is great for uptime, but it isn't even close to being a complete backup.

Perhaps you're taking advantage of the plethora of cheap, spacious external drives to back up your system. That's actually not a horrible idea if afterward you disconnect the drive and move it to an alternate location.
However, keeping that backup online and connected is a bad idea. Imagine that your system becomes compromised by a virus or a hacker; all data on all connected drives could easily be erased. What if your power supply fries and sends out a jolt that kills both internal and external drives? Keeping your backup hard disk away from your system minimizes the risk of a single problem wiping out all your data.

Many of the things that could cause you to need your backups are the very things that can destroy your on-site backups. Nature can be cruel, and data closets with lots of electronics are excellent candidates for a fire. Shortly after 9/11/2001, I heard an anecdote of a company that operated from one tower and kept its off-site backups in the second tower. Obviously losing its data wasn't the worst of this company's problems, but losing all your data is a quick way to lose your business.

When was the last time you performed a test restore of your data? If the answer is never, then how do you know your backups are good? How do you know that you're even backing up the right data?

It's true that most media is pretty reliable. However, disks, tapes, and optical media can all become damaged or corrupted. Performing regular backups and rotating your media are good ways of making sure that a single bad tape won't ruin your business.

If you're performing an operating system update, major software upgrade, or hardware upgrade, you'd better back up your data before making the change. Performing any sort of significant update is just the sort of excuse your system needs to corrupt its databases or become unbootable. It's best to be prepared by first performing a backup even if your database is clustered. If you have fallen into one of these traps, fix it before you need the backup, and notify your service desk immediately if you think data may already have been lost.

Malware SPAM: "Congratulations!! You have won todays Macbook Air" (attachment winner.zip)
A malicious attachment in today's malware spam is in the wild.
The email message is: "Congratulations!! You have won todays Macbook Air. Please open attached file and see datails." (The misspellings are in the original lure.) About 70% of malware scanners detect the file. Once executed, the trojan tries to connect to IP address 78.159.121.41, an address worth watching for in outbound proxy and firewall logs. If you have opened the attachment, notify your service desk immediately and change your passwords. Donna's SecurityFlash -By donna

People having issues signing out of their Windows Live ID or Hotmail
If you are seeing the message below when signing out of Windows Live ID or Hotmail pages by Microsoft: "Sign out failed! We could not sign you out because your browser seems to be blocking third party cookies. You should just close the browser." If you don't want to see the above message, add passport.com, live.com and hotmail.com to the allowed sites in your browser's cookie manager. If you are using MSN (e.g. a personalized or customized MSN page), add msn.com too. For more information please see the link at the bottom of the page of the full article. This is a browser cookie setting rather than an attack; if the message persists, close the browser to end the session, and contact your service desk if you are unsure. Donna's SecurityFlash -By donna

Happy Birthday Firefox! Firefox Turns 5
On November 9, 2004, Mozilla's Firefox 1.0 debuted and quickly became a serious contender in the ongoing browser wars. At the time, Microsoft's Internet Explorer dominated the market with a 99 percent market share. Five years later, Internet Explorer still reigns at 65 percent, but Firefox comes in second with an impressive 23 percent. The battle is far from over, as the field is bloating with more competition. "With additional entrants, most notably Google and Apple, joining the fray there's a massive amount of competition in the browser market that is fueling constant innovation and envelope pushing, from speed and features to the development of the mobile browser," Mozilla wrote in a statement. Firefox's philosophy is that the Internet is a public resource and should be as accessible and open as possible.
Mozilla spreads the word with wide-open arms to developers, who have beefed up the browser's capabilities with more than 7000 add-ons. Firefox currently has 330 million users worldwide, and celebrated its 1 billionth download in July. Mozilla is making headway in releasing the latest iteration of its browser, Firefox 4.0. In preparation for 4.0's late 2010 release, Mozilla released the Firefox 3.6 beta last week, bringing with it loads of new features that serve as a hint of what's to come. Interface mock-ups for 4.0 are sure to set salivary glands into overdrive as it borrows crisp aesthetic cues from Microsoft's Vista and promises massive increases in speed. Keeping up with the world's current obsession with Internet-ready smartphones, Mozilla is also working on Fennec, a mobile browser. The celebration doesn't stop with press releases and birthday candles -- Mozilla is launching a worldwide campaign called "Light the World with Firefox" that will blast the Firefox logo into the skies of cities across the globe. Mozilla also released an illustrated YouTube video telling its story over the past five years. Check out the Spread Firefox site for Mozilla's game plan for the next five years. There's a lot in store for the little browser that could, and I'm certain millions of people are closely watching its evolution as history unfolds before our eyes. For more information please see full article.

Bulletins posted 11/6/2009
October was National Cyber Security Awareness Month and we provided you with several good resources. Here's a recap of all of those resources for you in case you missed them.
Gumblar Malware's Home Domain Is Active Again
ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages. Gumblar can steal FTP credentials as well as hijack Google searches, replacing results on infected computers with links to other malicious sites. When the Gumblar malware was found in March, it looked for instructions on a server at gumblar.cn. That domain was taken offline at the time, but has been reactivated within the last 24 hours, wrote Mary Landesman, a senior security researcher with ScanSafe, on a company blog. Web sites that are infected with Gumblar contain an iframe, which is a way to bring content from one Web site into another. Malware writers usually make those iframes invisible. When a victim visits the site, the iframe loads a series of exploits hosted on a remote computer that try to compromise the visiting machine. Gumblar checks to see if the victim's PC is running unpatched versions of Adobe Systems' Reader and Acrobat programs. If so, the machine is compromised by a so-called drive-by download. Domain name registrars will often suspend domain names that have been used for malicious purposes, so malware writers usually change the domains their software looks to for instructions frequently, as each one is blacklisted. For some reason, the gumblar.cn domain was released and is in use again. Landesman wrote that Web sites still infected with Gumblar may now be able to call back to the newly activated domain. It would allow those infected PCs to get updated with new malware. If you suspect a site you manage or a PC you use is infected, notify your service desk immediately and change your passwords, including any FTP credentials used from that machine. IDG News Service -By Jeremy Kirk

Microsoft to deliver six patches covering 15 flaws
Microsoft on Thursday revealed that it plans to distribute six patches, covering 15 vulnerabilities, as part of its November security update, scheduled for Tuesday.
Three of the bulletins are labeled "critical," while the other three are marked "important," according to an advance notification. The three critical and one of the important patches are slated to resolve flaws in Windows, while the remaining two important bulletins will address holes in Office. None of the bugs are present in the just-released Windows 7 operating system. The bulletin most vulnerability experts agree administrators should be most wary of is Bulletin 3, which is rated critical across Windows 2000, XP, Vista and Server 2008. Based on the limited information that Microsoft provides prior to releasing the patches, HD Moore, chief security officer at Rapid7 and creator of the Metasploit Framework, predicts that the vulnerability resides in a common application programming interface, such as GDI (Graphics Device Interface). Andrew Storms, director of security operations at nCircle, said another interesting patch is Bulletin 1, which exclusively affects Vista and Server 2008, surprising considering they are considered more securely coded platforms than their predecessors. Administrators likely will have an easier time with Tuesday's patch batch. Last month's release consisted of 13 bulletins covering a record 34 vulnerabilities, including two severe zero-days. Be on the lookout next Tuesday for these updates. http://www.scmagazineus.com -By Dan Kaplan

Microsoft to address flaws in Windows, Office for Mac
Microsoft on Thursday said it plans to release six bulletins next week, including three critical bulletins, addressing flaws in Windows and Microsoft Office products. The announcement was part of Microsoft's Advance Notification to customers. The security updates will be released Nov. 10 as part of the software maker's monthly Patch Tuesday cycle. The three critical bulletins could allow remote code execution, Microsoft said. The security updates affect Microsoft Windows 2000, XP, Vista and Windows Server 2008.
The updates affecting Microsoft Office components are identified as important and affect Microsoft Excel and Word Viewer. The update also affects Microsoft Office 2004 and 2008 for Mac. Be on the lookout next Tuesday for these updates. For more information please see full article. SearchSecurity.com -By SearchSecurity.com Staff

Switchers Guide: Moving from Windows to the Mac
Expert advice on migrating from XP or Vista to Mac OS X. Moving from a Windows PC to a Mac—at the office or at home—presents the same kinds of opportunities and challenges. It requires some up-front effort: Transferring your data from your old machine to your new one, getting your hardware and software to run, and learning your way around OS X, the Mac’s operating system. (For the purposes of this story, when I say “OS X,” I mean OS X 10.6, also known as Snow Leopard.) For more information on how to make this transition please see full article. Macworld.com -By Harry McCracken

Kaspersky Lab releases antivirus app
If you want to make a Mac user mad, just sidle up and whisper the words, “Mac security software.” Then step back as the incensed sputtering ensues. Well, get your sputterer ready: Following in the footsteps of McAfee and Open Door Networks, Kaspersky Lab has announced its first Mac security software. (There, I said it.) To Kaspersky’s credit, the company is pitching Kaspersky Anti-Virus for Mac primarily as a prophylactic to prevent Macs from spreading malware to Windows PCs via e-mail, file-sharing, and other networked activities. With 85 percent of Mac users also owning a Windows PC, that pitch isn’t entirely implausible. At the same time, Kaspersky Lab argues that the Mac platform isn’t inherently invulnerable and that, as Macs gain market share, malicious hackers could begin to see it as a juicier target. So Kaspersky Anti-Virus for Mac will protect against Mac-specific malware, too, should such a thing ever exist in significant quantity.
Kaspersky Lab says the software scans and disinfects files—including e-mail attachments and Web downloads—in real time. It also claims that it’ll take up just one percent of your CPU’s resources when idle. (Though if the program is scanning every file you receive or download, how often will that be? And how many of your CPU’s cycles will it suck up when it’s scanning? We’ll have to get back to you on those questions.) Kaspersky Anti-Virus for Mac requires Mac OS X 10.4.11 or higher and an Intel processor. A 1-year license for a single Mac is $40; for three Macs, the 1-year license is $60. A 30-day free trial version (which can be upgraded to the licensed version) is available for download from the Kaspersky e-store. If you own both a Mac and a PC then this might be something for you to consider. For links to download a trial of this software, please see full article.

Bulletins posted 11/5/2009

Botnet Authors Crash WordPress Sites With Buggy Code
Webmasters who find an annoying error message on their sites may have caught a big break, thanks to a slip-up by the authors of the Gumblar botnet. Tens of thousands of Web sites, many of them small sites running the WordPress blogging software, have been broken, returning a "fatal error" message in recent weeks. According to security experts those messages are actually generated by some buggy malicious code sneaked onto them by Gumblar's authors. Gumblar made headlines in May when it appeared on thousands of legitimate Web sites, posting what's known as "drive-by download" code that attacks visitors with a variety of online attacks. The botnet had been quiet during July and August, but recently has begun infecting computers again. Apparently, however, some recent changes made to Gumblar's Web code caused the problem, according to independent security researcher Denis Sinegubko. Sinegubko learned about the issue about five days ago when he was approached by one of the users of his Unmask Parasites Web-site checker.
After investigating, Sinegubko discovered that Gumblar was to blame. Gumblar's authors apparently made some changes to their Web code without doing the proper testing, and as a result "the current version of Gumblar effectively breaks WordPress blogs," he wrote in a blog post describing the issue. The bug doesn't just affect WordPress users, Sinegubko said. "Any PHP site with complex file architecture can be affected," he said via instant message. WordPress sites that have crashed because of the buggy code display the following error message:

Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()'d code:1) in /path/to/site/wp-config.php(1) : eval()'d code on line 1

Other sites running software such as Joomla get different fatal-error messages, Sinegubko said. "It's a standard PHP error," he said. "But the way Gumblar injects malicious scripts makes it always display strings like: eval()'d code on line 1." The bug may seem like an annoyance to webmasters, but it's actually a boon. In effect, the messages warn Gumblar's victims that they've been compromised. Security vendor FireEye said that the number of hacked sites could be in the hundreds of thousands. "Because of the fact that they're buggy, you can now do this Google search and you can find hundreds of thousands of php-based sites that they've compromised," said Phillip Lin, director of marketing with FireEye. "There was a mistake made by the cybercriminals." Not all Gumblar-infected sites will display this message, however, Lin noted. Gumblar installs its buggy code on Web sites by first running on the desktop and stealing FTP (File Transfer Protocol) login information from its victims and then using those credentials to place malware on the site. Webmasters who suspect that their sites have been infected can follow the detection and removal instructions posted on Sinegubko's blog.
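The two Gumblar symptoms described on this page, the hidden iframe that ScanSafe describes in served HTML and the eval()'d PHP prepended to line 1 of site files that produces the fatal error above, can both be checked for mechanically. The script below is an added example, not ScanSafe's, FireEye's or Sinegubko's tooling. It assumes a domain list containing only gumblar.cn (from the article), treats "eval() on line 1 of a PHP file" as the indicator implied by the error text, and uses only constructed sample inputs, not files captured from a real site.

```python
"""Triage helpers for Gumblar-style infections: hidden iframes in served HTML
and eval()'d PHP injected at line 1. Added example; domain list and the
line-1 heuristic are assumptions drawn from the article text."""
import os
import re
import tempfile
from html.parser import HTMLParser

SUSPECT_DOMAINS = {"gumblar.cn"}  # from the article; extend with your own blocklist


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are visually hidden or point at a suspect domain."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            a.get("width", "").strip() in ("0", "1")
            or a.get("height", "").strip() in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
            or re.search(r"(width|height):[01]px", style) is not None
        )
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].lower()
        bad_domain = any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)
        if hidden or bad_domain:
            self.findings.append({"src": src, "hidden": hidden, "bad_domain": bad_domain})


def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings


# Injected PHP is run through eval(), which is why PHP reports the error
# location as "<file>(1) : eval()'d code". Flag files whose first line does that.
LINE1_EVAL = re.compile(
    rb"<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(|eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)",
    re.I,
)


def scan_php_tree(root):
    """Return site-relative paths of .php files whose first line calls eval()."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                first_line = fh.readline()
            if LINE1_EVAL.search(first_line):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


FATAL_RE = re.compile(
    r"Cannot redeclare (\w+)\(\) \(previously declared in (\S+?)\(\d+\) : "
    r"eval\(\)'d code:\d+\) in (\S+?)\(\d+\) : eval\(\)'d code"
)


def files_named_in_fatal(message):
    """Pull the two injected files out of the PHP fatal error quoted above."""
    m = FATAL_RE.search(message)
    if not m:
        return None
    return {"function": m.group(1), "files": [m.group(2), m.group(3)]}


# Constructed samples (not real captures).
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://gumblar.cn/rss/?id=1" width="0" height="0"></iframe>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe>
<iframe src="http://cdn.example/x" style="visibility: hidden; position: absolute"></iframe>
</body></html>"""

SAMPLE_FATAL = ("Fatal error: Cannot redeclare xfm() (previously declared in "
                "/path/to/site/index.php(1) : eval()'d code:1) in "
                "/path/to/site/wp-config.php(1) : eval()'d code on line 1")


def build_sample_tree():
    """Constructed webroot: one file with a line-1 eval() injection, one clean."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php /**/eval(base64_decode('ZWNobyAxOw=='));?><?php\n"
                 b"require 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "clean.php"), "wb") as fh:
        fh.write(b"<?php\necho 'ok';\n")
    return root
```

Run `scan_php_tree` against a copy of the webroot pulled over a clean channel, not through the compromised FTP account, and treat `files_named_in_fatal` output as a starting list only: the article is explicit that not every infected site throws the error, and that a back door usually remains after the visible injection is removed.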
Simply changing FTP credentials will not fix the problem, as Gumblar's authors usually install a back-door method of accessing sites. If a site you manage shows this error, notify your service desk immediately and change your passwords, including the FTP credentials, once the back door has been removed. IDG News Service -By Robert McMillan

Corporate Breaches Increase Chances Of Consumer ID Theft, Study Says
When their data is leaked by a business, individuals are four times more likely to suffer identity theft, Javelin study says. Consumers who have received data breach notifications within the past year are at a much greater risk for fraud than typical consumers, according to a new study. According to a report published last week by Javelin Research, individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud. This result runs contrary to the common mantra among breached companies, which often say that they have no indication that the compromised data has been used by criminals. "Data breach notifications are intended to help consumers take protective action," said Mary Monahan, managing partner and research director at Javelin. "Notification is critical because consumers are over four times more likely to encounter actual fraudulent transactions if they receive a data-breach notification." But the Javelin study also indicates that most consumers don't see a direct relationship between breach notifications and identity theft. "During each of the past three years, an average of 11 percent of consumers received a breach notification," Javelin said. "Slightly more than 33 percent of breach victims experienced exposure of their Social Security numbers, and 15 percent of breach victims had their ATM PINs compromised. [But] despite 19.5 percent of breach victims suffering some kind of fraud in the past year, only 2 percent attribute their fraud to the breach."
The Javelin report, "Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud," is based on multiple years of data and includes updates on 2009 data breaches. The report also presents a timeline overview of the most recent and egregious data breaches in U.S. history, with recommendations for how individuals and companies can increase safety. If you have received a data breach notification, notify your service desk immediately and change your passwords.

SSL Hole Cracks Open Secured Web Traffic
A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands. Taking advantage of the flaw requires being positioned on the network path between a client, such as a Web browser, and a Web or other server. That means most home users probably wouldn't be specifically targeted by one of these potential man-in-the-middle attacks, according to discoverer Marsh Ray, a security researcher at PhoneFactor, which provides phone-based two-factor authentication solutions. However, businesses and organizations are likely targets. Per Ray, any SSL-protected traffic could potentially be vulnerable, whether it's for an https site, secured database communications, or a secured e-mail connection. The problem doesn't allow for decrypting and stealing SSL-encrypted data outright, but instead allows for inserting any command into the communications stream. That would be bad enough for https traffic, where a victim Web browser could be made to post data to an attacker-controlled site. And it could prove devastating for a database server. Ray says PhoneFactor originally found the flaw in August while performing internal security testing and kept it quiet while affected vendors and software groups worked on a fix. But in the meantime, an independent researcher also found the flaw and the news broke.
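Why "inserting a command" into a stream the attacker cannot decrypt is still damaging is easiest to see at the HTTP layer. In the attack Ray describes, the attacker holds a TLS session to the server, sends a partial HTTP request, then splices the victim's handshake in as a renegotiation, so the server reads the attacker's bytes followed by the victim's bytes as one request. The model below is an added example, not PhoneFactor's or Marsh Ray's code: it does not implement the TLS handshake at all, only the resulting byte stream and a deliberately minimal server-side request parser, and the hostnames, paths and session token are invented.

```python
"""HTTP-layer model of the TLS renegotiation prefix injection described above.
Added example; the TLS handshake splice itself is not modelled, only the byte
stream a server sees afterwards. Hostnames, paths and the token are invented."""
from typing import Dict, Tuple

Request = Tuple[str, str, Dict[str, str]]  # (method, path, headers)


def parse_request(stream: bytes) -> Request:
    """Parse one HTTP/1.1 request head the way a naive server would."""
    head, _sep, _body = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last duplicate wins
    return method, path, headers


# Constructed sample traffic. The attacker's prefix ends mid-header, with no
# CRLF, so the victim's own request line becomes the value of "X-Ignore".
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def request_as_server_sees_it(prefix: bytes, victim: bytes) -> Request:
    """After the renegotiation splice the server parses a single request whose
    request line is the attacker's and whose Cookie header is the victim's."""
    return parse_request(prefix + victim)


def victim_intended_request(victim: bytes) -> Request:
    """What the victim's browser actually asked for, for comparison."""
    return parse_request(victim)


if __name__ == "__main__":
    method, path, headers = request_as_server_sees_it(ATTACKER_PREFIX, VICTIM_REQUEST)
    print(method, path)
    print("cookie    :", headers["cookie"])
    print("swallowed :", headers["x-ignore"])
```

The attacker never reads the response, which is why Ray says the flaw does not decrypt traffic; the damage is that the victim's credentials authorise a request the attacker chose. The "patch every client and server" fix Ray describes became the TLS renegotiation_info extension (RFC 5746); a quick check on a server you operate is `openssl s_client -connect host:443`, whose handshake summary reports whether "Secure Renegotiation IS supported".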
Patches are underway but not yet available. The currently proposed fix will require patching all client and server applications, including Web browsers, e-mail programs and any other programs using SSL libraries, according to Ray. PhoneFactor's post on the problem is up on the company's site, and a security researcher named Chris Paget has posted his thoughts on the subject (scroll down to the comments to see some back-and-forth between Ray and Paget). The IDG News Service also has a good story up on the topic. There is nothing for a user to fall for here; if you operate SSL-enabled services, watch for vendor patches and plan to apply them on both the client and server side.

Corporate bank accounts targeted in online fraud
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday. "Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement. The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release. Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses that have been victims of online theft and detailing the attacks. Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password, and the criminals either create another account using that information or initiate a fund transfer masquerading as the authorized user. The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites. In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said. Current signature-based anti-virus programs are increasingly ineffective, and companies should also consider using heuristic detection, application whitelisting that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised. Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers. "Money mule activity is essentially electronic money laundering...," the FDIC statement said. Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer. "Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement.
"Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen." If you have fallen for this scam, notify your service desk immediately and change your passwords. http://news.cnet.com -By Elinor Mills

Veterans Day Spam on the Rise
Just like any business owner, spammers have been using holidays to increase their revenue. Last week's theme was Halloween. This week, spammers are capitalizing on the upcoming Veterans Day holiday to sell their products. They're using discounts, free shipping, combo packs, and free samples with purchase, among other marketing strategies, to lure their victims. Veterans Day is observed annually in honor of military veterans. This American holiday is celebrated on November 11th of each year. To view a screen shot of what to be on the lookout for please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

New Facebook malware promises to reveal identities in a user's 'Honesty Box'
Warnings have been made about a new Facebook attack that promises to display hidden messages. An application on the social networking site, named ‘Honesty Box', allows users to send and receive ‘anonymous messages and discover what people really think of you' with all of the user's friends and network members allowed to write in it. Part of the selling point is that the messages are anonymous. The application writers claim that they ‘will never reveal who sent messages on Honesty Box, unless, in our sole judgment, the content of a message violates our Terms of Use and/or Privacy Policy'. However Christopher Boyd, director of research at FaceTime Security Labs, claimed that a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, which promises to reveal who left them messages in their Honesty Box.
Boyd said: “The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random Keylogger /Trojan/virus of the attackers' choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you. This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls where new victims can be attracted by the lure of ‘really secret stuff'.” If you have fallen for this scam, notify your service desk immediately and change your passwords. http://www.scmagazineuk.com -By Dan Raywood

Three-year-old Office Patch Stymies Most Attacks
Users running Microsoft Office can stump nearly three-fourths of all known attacks targeting the suite by applying just one three-year-old patch, according to recently published data. Almost three out of four attacks -- 71% of all those spotted in the first half of 2009 -- exploited a vulnerability in Word that was patched in June 2006, Microsoft said in its semiannual security intelligence report, released Monday. The flaw was fixed in the MS06-027 security update. The second-most popular exploit, with a 13% share, aimed at a bug that was quashed in March 2008, Microsoft said. The flaw was one of seven patched by the MS08-014 update. The 2006 update patched Word 2000, Word 2002 and Word 2003, while the 2008 fix affected Excel 2000, Excel 2002, Excel 2003 and Excel 2007. Microsoft made the point that patching Office was as important as keeping Windows up-to-date with security fixes. "The majority of Office attacks observed in [the first half of 2009], 55.5%, affected Office program installations that had last been updated between July 2003 and June 2004," the company said in its report.
"Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003." Unfortunately, users are far less likely to update Office than they are to patch Windows. According to Microsoft's data, the median amount of time since the last Office update was an amazing 5.6 years, compared to just 1.2 years since the last Windows update. "Users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly," Microsoft warned. Wolfgang Kandek, the chief technology officer at security vendor Qualys, echoed Microsoft's take on Office patching patterns. "We see the same in our data," Kandek said. "People just don't patch Office, and when they do, they patch it much slower than Windows." That especially holds true in the enterprise. "This is a major security hole in the enterprise," Kandek said. "IT admins are not focusing on Office as they are on Windows. They do what's required of them," he continued, hinting that they often do little more than that. "Windows' security has a high profile, and so they're patching Windows. I don't think they're looking at Office, to tell you the truth." Qualys obtains its data from PCs that it manages for its clients, most of which are companies. One way to stay up-to-date without patching every month is to apply the infrequent service packs that Microsoft issues for Office. "If the Office 2003 RTM users in the sample had installed SP3 [Service Pack 3] and no other security updates, they would have been protected against 98% of observed attacks," Microsoft said. "Likewise, Office 2007 RTM users would have been protected from 99% of attacks by installing SP2." 
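The gap Kandek and Microsoft describe, Windows patched but Office left at its original release, usually comes down to a machine that has never been opted in to Microsoft Update. The script below is an added example, not code from the article or from Microsoft. It uses the Windows Update Agent COM API, assumes an elevated PowerShell session on a machine that is not locked to a WSUS server (WSUS-managed clients receive Office updates from WSUS instead), and the service ID it registers is the well-known Microsoft Update service GUID.

```powershell
# Added example: opt this machine in to Microsoft Update so Office security
# updates arrive alongside Windows updates, then list any Office updates still
# missing. Assumes an elevated session and no WSUS policy overriding the client.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$serviceManager.ClientApplicationID = 'OfficePatchCheck'   # label shown in WU logs

$alreadyRegistered = $serviceManager.Services |
    Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
if (-not $alreadyRegistered) {
    # Flags 7 = AllowPendingRegistration | AllowOnlineRegistration | RegisterServiceWithAU
    $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '')
    Write-Host 'Registered Microsoft Update with Automatic Updates.'
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                         # ssOthers: query a named service
$searcher.ServiceID       = $MicrosoftUpdateServiceId
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# Keep updates whose category or title names Office (Word, Excel, viewers, SPs).
$officeUpdates = @($result.Updates | Where-Object {
    (($_.Categories | ForEach-Object { $_.Name }) -match 'Office') -or ($_.Title -match 'Office')
})

if ($officeUpdates.Count -eq 0) {
    Write-Host 'No missing Office updates reported by Microsoft Update.'
} else {
    $officeUpdates | ForEach-Object {
        [pscustomobject]@{
            Title    = $_.Title
            KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $_.MsrcSeverity
            Released = $_.LastDeploymentChangeTime
        }
    } | Sort-Object Released | Format-Table -AutoSize
}
```

Run it once per machine, or fold the registration half into a logon script; after opting in, the service pack Microsoft recommends above (Office 2003 SP3 or Office 2007 SP2) appears in the same search results and can be approved like any other update.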
Microsoft delivered Office 2003 SP3 in September 2007, fixing more than 450 bugs in the application suite, and adding other security measures, including file blocking of older formats, a move that confused users well into the following year. Office 2007 SP2 hit the street in April 2009. Nine out of 10 Office exploits in the first half of 2009 involved a Trojan downloader or backdoor malware. "These kinds of threats allow attackers to access compromised systems later to install more malware," Microsoft said. Microsoft urged Office customers to use the Microsoft Update service, a superset of the better-known Windows Update that pushes patches for Windows and Office. Here, too, Kandek was stumped by Microsoft's practice of offering two separate update services. "I'm not sure why that's the way they do it," he said, speaking of Microsoft's providing Office updates to consumers and small businesses only through Microsoft Update. "I don't see why they simply can't replace Windows Update with Microsoft Update, and patch everything." Microsoft offers Office, as well as Windows patches, to businesses that use its Windows Server Update Services (WSUS) patch management system. Office was last patched Oct. 13 when Microsoft unveiled a record number of security updates and fixed flaws. The security intelligence report can be downloaded from Microsoft's site in PDF or XPS document formats. For a link to download these patches please see full article. If your Office installation has not been patched since it was installed, apply the current service pack and turn on Microsoft Update; if you have opened a suspicious Office document, notify your service desk immediately and change your passwords. Computerworld -By Gregg Keizer

3 Views on the New Game Lose/Lose

Game or Trojan? You're Not the Judge
Lose/Lose's creator clearly states that his game will delete your files, but Symantec still calls it a Trojan. The folks at Symantec have looked right past the artistic intent behind Lose/Lose, a computer game that deletes your files every time you shoot an alien, because they've just classified the game as a Mac Trojan.
Lose/Lose is described by its creator as "a game with real life consequences." It's a standard space shooter in the spirit of Galaga, except that each alien is assigned to a file on your hard drive. Blast the alien, and the file is gone forever, for real. Getting hit by an alien crashes the game, never to be played again. Here's what creator Zach Gage says about the project: "By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions. As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives. At what point does our virtual data become as important to us as physical possessions?" When I read about the game on Make a couple months ago, I chuckled at the concept, watched the video and wisely skipped trying the game for myself. Symantec, on the other hand, dubbed the game a Trojan, gave it a name ("OSX.Loosemaque") and created a threat assessment. Most amusing is how Symantec employee and blogger Ben Nahorney acknowledges Gage's intent: "What's interesting is that the author of this 'game' flat-out says what it does on his Web site," Nahorney writes. "Reading through the author's description, it seems that he has created this game/threat as some sort of artistic project." Still, Nahorney follows with a valid point, that someone with truly bad intentions could modify Lose/Lose's code and distribute a game that doesn't pronounce its file-deleting capabilities outright. So next time you download some obscure, simplistic alien-shooting game from the Internet, consider yourself warned.

Mac Game: Art project or malware?
As part of his Master of Fine Arts thesis project, Zach Gage wrote a game to run on Macintosh computers that resembles Space Invaders but with a digital roulette twist--for every alien space ship the player destroys a random file on the computer is deleted. "Lose/Lose is a video-game with real life consequences.
Each alien in the game is created based on a random file on the player's computer. If the player kills the alien, the file it is based on is deleted. If the player's ship is destroyed, the application itself is deleted," the computer technology design major wrote on his Web site. "At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?" he asks. On September 14, Gage posted his "Lose/Lose" game on his Web site and at the Experimental Gameplay Project, which links back to his site where he has a big warning in red: "KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARDDRIVE PERMANENTLY." The application also displays a warning when it is launched. This week, Symantec announced that it has flagged the application as malware, a Trojan it has dubbed OSX.Loosemaque. Sophos is calling it a Trojan too, OSX/LoseGame-A and Intego has named it OSX/LoserGame. "We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not." Asked to comment on the stir his project was creating, Gage seemed amused. "I'm kind of OK with it being labeled malware," he said in a phone interview. "I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious...Calling it a Trojan is really blowing it out of proportion." Trojan horses are programs, typically masquerading as a benign program or hidden in legitimate software, which provide an attacker unauthorized access to the system. However, Gage's program explicitly says what it does and what the consequences are. 
In addition to exploring the nature of risk and reward with regard to war and the notion of how small wins distract from the larger picture, the game provokes discussion about the risks people take with technology every day, Gage said. "We need to pay attention to how we behave on computers," he said. Apparently, some people don't mind playing with fire. The list of high scorers on the game site shows more than 40 players, with the highest score having destroyed nearly 5,000 files, or aliens. "I'm surprised anyone has played it," Gage said. "I'm shocked." Asked to comment on any possible beneficial merits of the project, Symantec's Haley said: "I don't see the positive aspect of it, but I suppose if it's art we're not supposed to completely understand it."
http://news.cnet.com -By Elinor Mills

New Mac 'game' Plays Russian Roulette With Your Files
Looking for an ideal holiday gift for that brooding philosophy student in your life? Check out Lose/Lose. It's reminiscent of classic arcade games like Space Invaders, but with a sobering twist: Each time you destroy an alien, the game deletes a file from your Mac. Forever. Created by Zach Gage, a digital artist in New York City, Lose/Lose puts the player in the position of shooter as aliens rain down from above. Get touched by an alien, you lose. Kill an alien, you score points--but you also vaporize a random file from your home directory. If your ship is destroyed, the game deletes itself from your hard drive. The game is clearly intended to be food for thought rather than mindless entertainment. Above the download link on his site, Gage issues a warning--in large, red, all-capped lettering--that Lose/Lose permanently deletes files from your hard drive. It's not meant for hardcore gamers. Or maybe it is. "By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions," Gage writes on his site. Gage himself doesn't seem entirely clear on what those bigger questions are.
He meanders through a few ideas, including the value of data versus the value of real objects and the question of what the real point of the game is. "[T]he aliens will never actually fire at the player. This calls into question the player's mission ... Is the player supposed to be an aggressor? Or merely an observer, traversing through a dangerous land?" If it's the latter, you don't have to be a great thinker to know that Lose/Lose won't go viral anytime soon. Symantec, the Maytag repairman of the Mac software world, says it considers the game a potential security threat and will begin detecting it as OSX.Loosemaque. That hasn't stopped people from downloading it. A list of high scores on Gage's site includes a few "Losers" who claim to have eclipsed 4,000 points. If nothing else, it's a way to kill time while you reformat a hard drive. To view screen shots of the game or to get more information please view any of the links listed above. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Bulletins posted 11/4/2009

FBI warns of $100M cyber-threat to small business
Cyberthieves are hacking into small- and medium-sized organizations every week and stealing millions of dollars in an ongoing scam that has moved about US$100 million out of U.S. bank accounts, the U.S. Federal Bureau of Investigation warned Tuesday. It's now one of the top problems being addressed by the National Cyber Forensics and Training Alliance (NCFTA), which works with the FBI and industry to share information about cyber attacks, according to NCFTA Executive Director Ron Plesco. "Every year there seems to be a trend and this has been the trend this year," he said. There has been a "significant increase" in what's known as ACH (automated clearinghouse) fraud over the past few months, much of it targeting small businesses, municipal governments and schools, the FBI said in an alert posted to its Web site.
The criminals can move thousands or even millions of dollars out of their victims' accounts very quickly, using online banking to add new payees to the organization's bank account and then moving the money overnight. Usually the first step is an e-mail to the company's bookkeeper or financial officer that can include malicious attachments designed to look like Microsoft software patches, or simply links to malicious Web sites. The idea is to get the criminal's keylogging software onto a computer with online banking access and then steal login credentials. Once they have access to the bank account, the hackers set up ACH transfers to money mules -- typically innocent victims who think they're doing payroll processing for international companies -- who then transfer the money overseas via services such as Western Union and Moneygram. In one case, the criminals even launched a distributed denial-of-service attack against an ACH processor to prevent the bank from recalling transfers before the money mules could move them overseas. Once the money is out of the country, it is gone for good. For information on how hackers are getting away with this, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
IDG News Service -By Robert McMillan

Windows 7 vulnerable to 8 out of 10 viruses
Now that we in the northern hemisphere have had some time to digest the Windows 7 hype and settle in for the coming winter, we thought we would get some more hard data regarding Windows 7 security. On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software. We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up.
Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7. User Account Control did block one sample; however, its failure to block anything else just reinforces my warning prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware. As of October 31st www.netmarketshare.com states that Windows Vista has a 19% market share against Windows XP's 70.5% and Windows 7's 2%. Approximately 1 in 5 Windows users is using either Vista or Windows 7. These users often have newer computers, automatic patching, and firewalls and anti-virus software in place. With millions of hosts still infected with Conficker, ZBot and Bredo, it is obvious a lot of unprotected machines are still out there, and it is no surprise that most of those are XP. For a full list of vulnerabilities please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
Chester Wisniewski’s Blog -By Chester Wisniewski

Adobe Fixes More Bugs in Shockwave Player
Adobe Systems has issued an update for five vulnerabilities in its Shockwave Player, which is installed on some 450 million PCs. It classified the update as "critical," its most severe rating. The vulnerabilities affect version 11.5.1.601 as well as earlier ones. The company recommends upgrading to version 11.5.1.602. Four of the problems could allow an attacker to execute malicious code on a computer, while the fifth one could lead to a denial-of-service condition, Adobe said in its advisory. Shockwave Player is used to display content created by Adobe's Director program, which offers advanced tools for creating interactive content, including Flash.
The Director application can be used for creating 3D models, high-quality images and full-screen or long-form digital content and offers greater control over how those elements are displayed. Adobe also issued an update for the Shockwave Player in July. Vulnerabilities in third-party applications are often targeted by hackers. Vulnerabilities in operating systems such as Windows have become somewhat less prevalent, so hackers have turned to finding problems in applications in order to take control over computers. Adobe's applications are frequently targeted due to their widespread installation. Programs such as Flash and the Reader and Acrobat applications have been frequently exploited to hack PCs. Recognizing the problem, Adobe announced in May that it would issue quarterly updates for Reader and Acrobat on the same day that Microsoft releases its patches. For a link to the download for this upgrade please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
IDG News Service Blog -By Jeremy Kirk

Java, BlackBerry desktop get security bug fixes
Sun Microsystems and Research In Motion have issued critical bug fixes for security issues with their products. The patches were issued separately on Tuesday, with Sun releasing version 6 Update 17 of its Java Runtime Environment and BlackBerry updating its BlackBerry Desktop Software, used to sync data between the BlackBerry and a PC. Both updates include fixes for critical security bugs that could be abused by attackers to run unauthorized software on a victim's computer, although none of the flaws appear to have been publicly known before Tuesday. Sun patched 12 Java bugs in total, including flaws that could be exploited to crash a computer or allow untrusted applications to run as though they were trusted. Sun estimates that there are about 800 million Java desktop users worldwide, so Sun's updates are important.
Hackers have increasingly turned to third party software such as Java as Microsoft has made it harder to attack the core Windows operating system. There is just one BlackBerry bug fix. The problem lies in a Lotus Notes DLL that is included by default in all BlackBerry Desktop 5.0 and earlier installations. RIM warned that the flaw could be used to run unauthorized software on a victim's PC. As with the worst of the Java bugs, an attacker could take advantage of the BlackBerry bug by first tricking the victim to visit a specially crafted Web page. For a link to the download for this upgrade please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
IDG News Service -By Robert McMillan

Red Hat delivers stand-alone hypervisor, management tools
Red Hat Tuesday made good on its promise to deliver a stand-alone hypervisor and a set of management tools as it gears up to go toe-to-toe with VMware and Microsoft to become a top-tier provider of virtualization and cloud computing infrastructure. Red Hat made generally available its Red Hat Enterprise Virtualization for Servers, which includes both a stand-alone hypervisor and a management platform. Both were first introduced at the Red Hat Summit in August. Red Hat Enterprise Virtualization Hypervisor supports both Linux and Windows virtual servers and desktops. The hypervisor is based on the Red Hat Enterprise Linux 5.4 kernel with KVM, which was released earlier this year. "It inherits all the enterprise features of RHEL 5," says Navin Thadani, senior director of the virtualization business at Red Hat. He also said performance is on par with bare metal deployments. Red Hat Enterprise Virtualization Hypervisor can scale up to 96 cores with 1TB of RAM at the host level, and up to 16 virtual CPUs and 64GB of RAM at the guest level. In addition, it supports live migration, power management features, multi-part I/O and memory page sharing.
The Red Hat Enterprise Virtualization Manager for Servers is the second component of the suite. It is a centralized server virtualization management system that features high-availability tools, live migration, load balancing, and image management for Linux and Windows machines. It also has a set of centralized monitoring tools. Red Hat also says that it is in beta with the desktop version of Red Hat Enterprise Virtualization Manager, which will offer a full VDI environment and support for SPICE remote rendering technology. Those tools are the product of last year's $107 million acquisition of Qumranet. Red Hat said in September that the APIs from those tools will be merged into Libvirt, the current virtualization API used by Red Hat, around the time RHEL 6 is released. Red Hat officials said the tools will be on par with VMware's base management platform, and that partners will be called on to add capabilities to the base platform. In addition, the tools also will be positioned for managing public clouds, creating a link between internal networks and hosted platforms. For more information please see full article.
Network World -By John Fontana

E-voting system lets voters verify their ballots are counted
This is not security related, but we thought it was a good tip and worth posting because it can help you make sure that your vote was counted. A new electronic voting system being used today for the first time in a government election in the U.S. will allow voters and elections auditors in Takoma Park, Md. to go online and verify whether votes have been correctly recorded. The voting system is called Scantegrity and was developed by independent cryptographer David Chaum, along with researchers from the University of Maryland-Baltimore, the George Washington University, MIT, the University of Ottawa and the University of Waterloo. It uses cryptographic techniques to let both voters and election auditors check whether votes have been cast and counted accurately.
The Scantegrity technology is being used to augment regular optical-scan voting systems in Takoma Park's city council election. To cast a vote, an individual takes a paper ballot and fills in the optical-scan oval next to the name of the selected candidate using a pen with a special type of ink. When the bubble is filled, it reveals a three-digit confirmation number already printed on the ballot using an invisible marker. That three-digit code is a sort of randomly generated cryptographic marker that's used to associate the voter's choice with the appropriate candidate. The codes are separately randomized for each oval and for each ballot, ensuring that the codes don't reveal who an individual voted for, Chaum said in an interview with Computerworld. Voters can use that confirmation code to later log into the city's election Web site to confirm that their votes were recorded accurately. If the code is present on the Web site, it means the ballot was counted correctly, he said. Scantegrity also lets election auditors -- and even third-party observers -- check whether the results were accurately tabulated without revealing how each individual vote was cast, Chaum said. Though it is not possible to link an individual ballot to a specific candidate, auditors can verify that the codes do lead to the recorded votes. Scantegrity uses cryptographic techniques to first map each code to the associated candidate and then completely conceals the link. It then uses a concept known as "zero-knowledge proof" to show auditors that the codes do in fact correspond to the right candidates, said Aleks Essex, a Ph.D. student in computer science at the University of Ottawa who was involved in the Scantegrity effort. The results of today's elections in Takoma Park are being audited by two officials, one of whom is from Harvard University. "It is a really powerful thing to have public transparency of the tabulation process and yet preserve ballot secrecy," Chaum said.
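A simplified model of the confirmation-code scheme described above, added here as an example and not the Scantegrity project's own code: per-ballot random codes, the voter's online receipt check, hash commitments to the code-to-candidate mapping published before the election, and the random print audit that catches an authority whose printed ballots disagree with what it committed to. The candidate names, the SHA-256 commitment construction and the detection-probability helper are assumptions; the zero-knowledge tally proof mentioned in the article is not modelled.

```python
"""Simplified Scantegrity-style confirmation codes with a print audit.
Constructed illustration, not the Scantegrity project's code. Real Scantegrity
also proves the tally with a cryptographic "switchboard" and a zero-knowledge
proof; this stops at the receipt check and the print audit of unused ballots.
"""
import hashlib
import math
import random
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample contest


def commitment(ballot_id, candidate, code, nonce):
    """Hash commitment binding one oval of one ballot to its confirmation code."""
    msg = f"{ballot_id}|{candidate}|{code}".encode()
    return hashlib.sha256(nonce + msg).hexdigest()


class Authority:
    """Election authority: prints ballots and publishes commitments before voting."""

    def __init__(self, n_ballots, rng=None):
        rng = rng if rng is not None else random.SystemRandom()
        self.board = {}    # public: ballot_id -> {candidate: commitment}
        self.printed = {}  # on the paper ballot: ballot_id -> {candidate: (code, nonce)}
        self.decode = {}   # secret: ballot_id -> {code: candidate}, used to tally
        for bid in range(n_ballots):
            # Codes are drawn independently per ballot and per oval, so a code
            # on a receipt or on the web site says nothing about the candidate.
            codes = [f"{c:03d}" for c in rng.sample(range(1000), len(CANDIDATES))]
            self.board[bid], self.printed[bid], self.decode[bid] = {}, {}, {}
            for cand, code in zip(CANDIDATES, codes):
                nonce = secrets.token_bytes(16)
                self.board[bid][cand] = commitment(bid, cand, code, nonce)
                self.printed[bid][cand] = (code, nonce)
                self.decode[bid][code] = cand
        self.cast = {}  # public after polls close: ballot_id -> revealed code

    def vote(self, ballot_id, candidate):
        """Filling the oval reveals its code; the voter keeps it as a receipt."""
        code, _ = self.printed[ballot_id][candidate]
        self.cast[ballot_id] = code
        return ballot_id, code

    def tally(self):
        """The authority decodes each cast code through the committed mapping."""
        counts = {c: 0 for c in CANDIDATES}
        for bid, code in self.cast.items():
            counts[self.decode[bid][code]] += 1
        return counts

    def open_ballot(self, ballot_id):
        """Reveal every code and nonce of an UNCAST ballot for a print audit."""
        if ballot_id in self.cast:
            raise ValueError("cast ballots are never opened; that would reveal votes")
        return dict(self.printed[ballot_id])


class CheatingAuthority(Authority):
    """Commits honestly but prints some ballots with Alice's and Bob's codes
    swapped, so a mark for Alice reveals, and later tallies as, Bob's code."""

    def __init__(self, n_ballots, tampered_ids, rng=None):
        super().__init__(n_ballots, rng)
        for bid in tampered_ids:
            p = self.printed[bid]
            p["Alice"], p["Bob"] = p["Bob"], p["Alice"]


def voter_check(board_cast, receipt):
    """What a voter does on the election web site: is my (ballot id, code) listed?"""
    ballot_id, code = receipt
    return board_cast.get(ballot_id) == code


def print_audit(authority, audited_ids):
    """Auditor challenges randomly chosen unused ballots and recomputes every
    commitment from the opened (code, nonce); any mismatch proves tampering."""
    for bid in audited_ids:
        for cand, (code, nonce) in authority.open_ballot(bid).items():
            if commitment(bid, cand, code, nonce) != authority.board[bid][cand]:
                return False
    return True


def detection_probability(n_ballots, n_tampered, n_audited):
    """Chance that auditing n_audited random ballots hits at least one tampered
    ballot: 1 - P(every audited ballot is clean), a hypergeometric tail."""
    clean = n_ballots - n_tampered
    if n_audited > clean:
        return 1.0
    return 1 - math.comb(clean, n_audited) / math.comb(n_ballots, n_audited)


if __name__ == "__main__":
    honest = Authority(100)
    receipt = honest.vote(42, "Carol")
    print("receipt", receipt, "listed on board:", voter_check(honest.cast, receipt))
    unused = [b for b in range(100) if b not in honest.cast]
    print("print audit passes:", print_audit(honest, random.sample(unused, 10)))
    crooked = CheatingAuthority(100, tampered_ids=range(0, 100, 5))
    crooked.vote(0, "Alice")
    print("crooked tally:", crooked.tally(), "caught by a 10-ballot audit with p =",
          round(detection_probability(100, 20, 10), 3))
```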
Because Scantegrity is built on open-source software, it can be used elsewhere to run similar audits against election results using custom tools, he said. Pamela Smith, President of the Verified Voting Foundation, said that technologies such as Scantegrity do add an additional layer of integrity to the election process. But to a large extent, optical-scan voting machines already offer a relatively high degree of verification support. Because such machines save a record of the voter's intent, auditors can go back and verify results if necessary, she said. The bigger issue in Maryland is that the state needs to adopt optical-scan systems on a larger scale, she said. Maryland is one of the few states that rely on touch-screen voting systems, which are costlier to operate and maintain than optical scan systems, she said. For more information on how to track your vote please see full article.

Bulletins posted 11/3/2009

FBI Says ‘Money Mule’ Scams Now Top $100 Million
The hackers looting bank accounts of small and mid-sized businesses around the country are hitting new victims every week, and have now racked up approximately $100 million in attempted losses, the FBI said Tuesday. “The infection vector has not been determined in every case,” the bureau’s Internet Crime Complaint Center wrote in an intelligence note on the growing scam. “However, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders’ computers all containing key loggers.” Using these Trojan horses, cybercrooks have been intercepting victims’ web-banking credentials and then initiating money transfers to mules around the country. The mules are consumers who’ve been lured into fake work-at-home scams, in which their employment involves receiving money and then forwarding the funds to Eastern Europe. The money has been siphoned through wire transfers, and through Automated Clearing House, or ACH, networks, the bureau said.
ACH networks are normally used for direct deposits and online bill payment. “In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out,” the FBI reports. “These ACH transfers ranged from thousands to millions of dollars.” Just last week the FBI had put the losses at $40 million, according to a story by WashingtonPost.com reporter Brian Krebs, who’s been closely following the attacks. On Thursday the FDIC warned U.S. banks to watch for suspicious activity that could indicate a customer has been recruited as a mule. If you have fallen for this scam, notify your service desk immediately and change your passwords.
http://www.wired.com -By Kevin Poulsen

Trojan pokes Facebook for zombie commands
Crimeware distributors have begun using Facebook as a command and control channel for a Trojan that turns compromised Windows PCs into zombie drones. Zombie clients poll the Notes section of the mobile version of Facebook for instructions. Compromised clients might be instructed to download further code from a specified web site or told to wait for commands, for example. The Trojan spreads via booby-trapped email attachments that take advantage of well-known PDF or Office flaws to infect unpatched systems. These messages pose as email from courier firms and the like. This has become a very common strategy for targeted attacks, which have replaced mass mailing worms as the main malware danger to business. What distinguishes this Trojan from run of the mill malware is its (experimental) use of Facebook to receive commands instead of traditional botnet control channels such as Internet Relay Chat (IRC). Most of the heavy lifting - such as uploading stolen data - is still done through a web server, however, Symantec researcher Andrea Lelli explains.
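One defensive angle on the polling behaviour just described, added as an example rather than taken from Symantec's analysis: a heuristic over proxy logs that flags a client fetching the same mobile Facebook notes page at machine-regular intervals while generating almost no other traffic to that host, which is how a timer-driven poller differs from a person reading the site. The log format, addresses, URL and thresholds are constructed assumptions.

```python
"""Flag machine-regular polling of one social-network page in proxy logs.
Constructed example for the Facebook-notes Trojan item above; not Symantec's
code. Log format, addresses, URLs and timings are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log line shape: "<date> <time> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST = "http://m.facebook.com/"
WATCHED = HOST + "notes"  # the page the bot polls for instructions

# Constructed sample: 10.0.0.5 fetches the notes page every ~5 minutes and
# nothing else; 10.0.0.9 is a person browsing, who also opens that page twice.
SAMPLE_LOG = """\
2009-11-03 09:00:00 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:05:01 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:10:00 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:15:02 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:19:59 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:25:01 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:30:00 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:35:01 10.0.0.5 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:01:13 10.0.0.9 GET http://m.facebook.com/home.php 200
2009-11-03 09:01:14 10.0.0.9 GET http://m.facebook.com/notes/?id=EXAMPLE 200
2009-11-03 09:01:15 10.0.0.9 GET http://m.facebook.com/rsrc.php 200
2009-11-03 09:07:40 10.0.0.9 GET http://m.facebook.com/profile.php 200
2009-11-03 09:12:03 10.0.0.9 GET http://m.facebook.com/notes/?id=EXAMPLE 200
"""


def parse(line):
    """Parse one log line of the assumed shape; None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, url, status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, method, url, int(status)


def find_pollers(lines, min_hits=6, max_cv=0.1, min_share=0.9):
    """Return clients whose fetches of a WATCHED url are numerous (>= min_hits),
    evenly spaced (coefficient of variation of the gaps <= max_cv) and make up
    at least min_share of everything that client requested from HOST."""
    fetches = defaultdict(list)    # (ip, url) -> timestamps of watched fetches
    host_total = defaultdict(int)  # ip -> all requests to HOST
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _method, url, _status = rec
        if url.startswith(HOST):
            host_total[ip] += 1
        if url.startswith(WATCHED):
            fetches[(ip, url)].append(ts)
    findings = []
    for (ip, url), stamps in fetches.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        share = len(stamps) / host_total[ip]
        if cv <= max_cv and share >= min_share:
            findings.append({"ip": ip, "url": url, "hits": len(stamps),
                             "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3), "share": round(share, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_pollers(SAMPLE_LOG.splitlines()):
        print(finding)
```

Thresholds need tuning per environment; a client that also fetches CSS, images and other pages from the host will fail the share test even if one of its requests happens to be regular.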
"The Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that," Lelli writes. "The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere." "It [the Trojan] simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C [command and control] server." Symantec found the mobile Facebook account associated with the Trojan, established 16 October, showed very little signs of activity. Either hackers have deleted handshakes from compromised boxes that ought to have been exchanged or else the malware is yet to infect anything. Virus writers have begun experimenting with varied means of controlling botnet clients over recent months. In August, for example, security researchers at Arbor Networks discovered a botnet that used Twitter to relay commands to compromised hosts. ® If you have fallen for this scam, notify your service desk immediately and change your passwords. Software Shields Online Banking on Infected PCs A U.K. security company is giving to banks, for free, security software that it says can block malicious software from manipulating online banking transactions or stealing data, even if the computer is infected. The product, called SafeOnline, comes from Prevx, a small security company in Derby, England. The module is designed to offer an additional layer of security for secure browsing sessions conducted with SSL (Secure Sockets Layer) technology, indicated by the "https" in the URL (Uniform Resource Locator). 
Cybercriminals are developing increasingly sophisticated software that, in what is known as man-in-the-middle or man-in-the-browser attacks, can intercept online banking transactions while in progress and transfer funds with the user believing nothing is awry. SafeOnline installs its own kernel-level driver on Windows PCs. During a secure browsing session, all information from the keyboard is routed through that driver, which defeats attempts to record keystrokes or other interference, said Mel Morris, Prevx's CEO and CTO. SafeOnline has other components, such as an antiphishing feature that prevents authentication information from being entered into a suspicious Web site. It also verifies DNS (Domain Name System) lookups against other trusted DNS servers, which helps prevent pharming, where a correct domain name leads to a bogus Web site. Banks that decide to use SafeOnline with their customers will also get an antimalware component that is in Prevx's other self-titled security product, Prevx 3.0.5. Prevx is a small company in a brutally competitive security market, dominated by big players such as Symantec, McAfee and Trend Micro. Banks don't want to pay for security software, so Prevx decided to give it to those that want it for free, Morris said. "I suppose to an extent you can argue from their perspective that had security vendors done their job there wouldn't be a need for such a product," Morris said. Prevx's software can run alongside other security suites. It was purposely created that way as a way for Prevx to get into the market against entrenched competitors, Morris said. SafeOnline will detect and halt malware, but if a customer wants to remove the malware, they will have to pay a subscription fee, which is how Prevx will generate revenue. SafeOnline with the malware removal component will cost £15.95 (US$26) annually. SafeOnline is also a module in Prevx 3.0.5, which costs £24.95 a year.
Morris is hoping that customers see that Prevx outperforms other security suites by detecting more malware and then drop their subscriptions in favor of Prevx. For more information see full article or contact your bank to see if they are going to participate in this.
IDG News Service -By Jeremy Kirk

Are You Being Scammed by Facebook Ads?
I've written a bit lately about how cyberthieves are using social media to scam people. It turns out the most egregious scammers are many "legitimate" companies that run deceptive ads on these networks. TechCrunch has a fascinating series on how advertisers are using social games to trick Facebook and MySpace users into forking over personal information or signing up for recurring subscriptions they don't want. It starts with stupid-yet-addictive quizzes and games like FarmVille, Mafia Family Wars, and Mobsters. The games themselves are free, but if you want to advance faster than your friends, you'll probably have to buy virtual objects using real money. Per BusinessWeek: Zynga doesn't charge users to play FarmVille, but it does sell digital crops, cattle, and farmland. Corn seed, for instance, goes for the equivalent of 10 cents; cows run 20 cents each. All those digital goods add up. Zynga pulls in its nine-figure annual revenues from FarmVille and 20 other games....One recent success: digital sweet potato seeds that cost $5 a packet. The seeds, which of course cost nothing to duplicate, pulled in more than $400,000 in three days. Don't have $5 to spend on a bag of imaginary seeds? You can get $450 in Farm Cash by clicking an ad and signing up to receive a "free learning CD" from Video Professor. Of course, the "free" offer comes with caveats; if you don't cancel in time, you'll pony up $190 for an entire learning series. Per TechCrunch's Michael Arrington: A typical scam: users are offered in game currency in exchange for filling out an IQ survey. Four simple questions are asked. The answers are irrelevant.
When the user gets to the last question they are told their results will be text messaged to them. They are asked to enter in their mobile phone number, and are texted a pin code to enter on the quiz. Once they've done that, they've just subscribed to a $9.99/month subscription. The other, slightly more benign scam is "lead generation," in which you surrender your name, e-mail address, cell number, and so on in exchange for virtual cash, discount coupons, or something else of minimal value. Your name is then sold and resold ad infinitum to marketers, who'll deluge you with spam, junk mail, telemarketing calls, even junk texts to your cell phone. (When e-mail marketers claim they use only "opt-in" lists for their spam victims, this is usually the kind of list they're talking about.) Again according to TC, roughly a third of some social game publishers' revenue comes from lead gen. Then there are the regular old deceptive ads, such as "[name of your friend here] has a crush on you," that use information from your social profile to trick you into clicking. How do they get your friend's name? Most likely because you installed a Facebook app that shared this info with advertisers. Webmasters desperate for revenue have a term for these kinds of ads. They call them cash cows, because they're so much more lucrative relative to legit pay-per-click ads. Only in this case, you're the meat on the stick. Do you really need to play stupid games or take yet another bogus IQ quiz? Surely there are better ways of wasting your time. Like reading more Cringely blog posts or taking more InfoWorld quizzes, for example. It won't do a thing for your FarmVille status, but it will make you smarter, thinner, and more appealing to those hot Russian gals. Trust me. For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. 
Bulletins posted 11/2/2009

Web-based attacks skyrocket, Pirating sites surge, security firms say
Web-based attacks are continuing to become a popular method for attackers to spread malware, create zombie computers and harvest account credentials, according to two new security reports. The spam that lures victims to malicious websites is also increasing, helping fuel the trend. Attackers are setting up more than 3,000 new malicious websites every day, according to Symantec Corp.'s MessageLabs October 2009 Intelligence Report. The sites, which spread malware and scareware antivirus programs, increased more than 32% over September. The MessageLabs report found new malware accounting for 37.6% of all Web-based malware intercepted by the security vendor in October, an increase of 4.1% since September. Meanwhile, McAfee Inc., which released its quarterly analysis, detected a new wave of file sharing sites fueling an increase in Web-based attacks. The sites may have cropped up as a result of the clampdown on The Pirate Bay torrent site following the prosecution of its founders in Sweden, according to McAfee. While the sites appear to contain pirated material, McAfee researchers said many of the files contain malware and malicious software downloaders. In addition the McAfee report found spam and malware levels at an all-time high. McAfee said spam in the third quarter reached its highest level in history, breaking the previous record set in the second quarter of 2009 by 10%. It now comprises 92% of all email. Spammers employed successful social engineering tricks in the third quarter, using the names of prominent government agencies to lure users to click on a malicious link leading to attack websites.
Spam messages using the Internal Revenue Service (IRS) warning of a misreported income tax filing and more recently the Federal Deposit Insurance Corporation (FDIC) warning people that their bank is on a list of failed banks, are tricking users into visiting attack sites, McAfee said. Much of the spam can be attributed to the Cutwail botnet, which has rebounded since its command-and-control servers were disrupted by the Federal Trade Commission shutdown of rogue ISP 3FN.net. Koobface continued to spread in the third quarter, tricking victims into downloading malware and spyware to their PCs via social networking sites Facebook, MySpace and Twitter. Koobface spreads using victim friend lists, making it behave as a worm, McAfee said. Although the number of Koobface attacks was down slightly from the previous quarter, McAfee warned users of social networks to remain vigilant. In addition, McAfee found the rogue antivirus business continuing to grow quarter after quarter. The scareware antivirus programs are spreading via poisoned search engine results. "Given the black-hat search-engine optimization (SEO) tactics that infect those searching for the latest malware data as well as the rapid rise in the rogue anti-virus business, one wonders how much fear permeates the security community," McAfee said. "In addition, plain old malicious websites continue to thrive. Even with the cooperation of the Internet community to combat them, there are many opportunities for malware authors to exploit." If you have fallen for this scam, notify your service desk immediately and change your passwords. SearchSecurity.com -By Robert Westervelt Computer worm infections up, scareware antivirus down, Microsoft says Microsoft today released its biannual Security Intelligence Report which demonstrates some surprising conclusions about the threat landscape impacting enterprise networks. 
For example, the number of rogue security software infections, a high-profile scourge earlier this year, was down, as were the numbers of Trojan and downloader infections. Computer worm infections, on the other hand, surged. The report covers the first six months of 2009 and is based on data collected from more than 450 million computers running Microsoft's Malicious Software Removal Tool (MSRT), users of its cloud-based security services Forefront Online Protection for Exchange, antimalware visibility into Hotmail and Windows Messenger, as well as Web crawlers on its Bing search engine. The rise in worm infections can partially be attributed to Conficker, which hit almost 5 million machines starting approximately a year ago and carried into early this year. Worm infections were up more than 98% from the last Security Intelligence Report. Jeff Williams, principal architect of Microsoft's Malware Protection Center, attributed the rise to the investment cybercriminals are making in finding new vulnerabilities to exploit beyond, for example, the buffer overflows that were the attack vector for many early worms. "The resurgence illustrates that criminals are investing in finding vulnerabilities that are difficult to find and create malware for," Williams said. "They have a profit motive; they're spending time and investing in technical expertise and operating like a business. This is a change not only in tactic, but in focus." Many instances of Conficker, for example, were spread via infected USB memory sticks; the autorun feature of Windows XP and Vista would automatically execute the malware on an infected stick, and such sticks were often carried into a business from the outside. Those autorun capabilities have been muted in Windows 7, Williams said. 
Williams added that he believed the decline in Trojan and downloader infections is attributable to the advances made in creating generic antimalware signatures, not only for specific strains of malware but for entire malware families. However, the cat-and-mouse game continues, as hackers move away from Trojans toward other weapons. "Criminals are more overt in their attacks," Williams said. "In regard to the decline in Trojans, think about it in terms of tactics. A Trojan is a foothold on a box. The industry is so much better responding not only to new threats but with generic signatures for threat families. If protection is in place before a threat exists, that raises the bar for the criminal." Scareware numbers were also in decline: 13.4 million infections in this report, compared to 16.8 million in the last. Scareware relies on social engineering to spread; users visiting a malicious or infected website are presented with a pop-up claiming that their machine has been infected and that they should download protection from the pop-up. Williams conceded this is primarily a consumer problem. He said the decline in numbers can be attributed to a couple of fronts: legal action by the Federal Trade Commission to take down Innovative Marketing, a purveyor of the WinFixer family of scareware, and the deployment of the SmartScreen filter in Internet Explorer 8, which blocks phishing sites as well as attempts to install rogue software. "Users need to stay up to date on antimalware from a trusted party," Williams said. "The attackers' tactics may be getting more sophisticated, but fundamentally at the end of the day, you know that Microsoft.com is Microsoft.com. The same goes for any major security software ISV. They're going to have that trust and customers should understand they can go there for help rather than a pop-up that is randomly generated from the Web." If you have fallen for this scam, notify your service desk immediately and change your passwords. 
Information Security magazine -By Michael S. Mimoso Malware Conceals Itself as Boss’s Letter Trend Micro threat analysts found spammed messages that pretend to be a letter from the “boss”. The message bears the subject “get back to my office for more details” and instructs users to read the attached ZIP file, which supposedly contains the letter. The ZIP attachment holds, of course, not a letter but an .EXE file (info.exe), detected by Trend Micro as TROJ_CUTWAIL.GT. Upon execution, TROJ_CUTWAIL.GT creates registry entries so that it runs automatically at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the ’spam engine’ of the notorious PUSHDO botnet, which sent around 7.7 billion spam messages a day in Q2. Over the past few days Trend Micro has reported on various spam runs that used malicious attachments (ZIP or RAR) to hide the malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about it in the following posts: Users are advised to be wary of opening any attached file, even if it comes from a person with authority or the 'boss'. Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Users of non-Trend Micro products can use free tools like HouseCall to stay secure from this attack. To see a screen shot please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. http://blog.trendmicro.com -By Maria Alarcon Christmas Spam Spotted With Christmas just around the corner, spammers are already flooding users' inboxes with unwanted emails. No surprises there. 
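The boss's-letter spam above works because the executable is wrapped in a ZIP: a gateway that blocks bare .EXE attachments may pass the archive, and the recipient then extracts and double-clicks the file. What follows is an added example, not Trend Micro's code and not part of the original bulletin, of the inspection a mail filter can apply to such attachments: unpack the archive in memory, flag any member whose extension is executable or whose first bytes are the "MZ" PE header (so a renamed .exe is still caught), and report encrypted members as suspicious because they cannot be inspected. The sample archives, the extension list and the fake PE bytes are constructed for the example.

```python
import io
import os
import zipfile

# File types a mail gateway should never let a user extract and double-click.
# Constructed list for this example; tune it to your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".wsf", ".jar", ".msi", ".dll"}


def member_is_executable(name, head):
    """True if the member's name or leading bytes mark it as executable."""
    # Only the last extension counts, so "letter.txt.exe" is still ".exe".
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return True
    # A Windows PE file starts with the "MZ" DOS stub whatever it is called,
    # so a "letter.doc" that is really an .exe is caught here.
    return head.startswith(b"MZ")


def scan_zip_attachment(data):
    """Return the names of archive members that should block delivery.

    Encrypted members cannot be inspected, so they are reported too: a
    password-protected archive is a common way past exactly this check.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # bit 0 = member is encrypted
                flagged.append(info.filename)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)             # two bytes are enough for "MZ"
            if member_is_executable(info.filename, head):
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members):
    """Pack {name: bytes} into an in-memory ZIP (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the campaign: the archive carries a file
# named info.exe whose bytes start with a PE header stub.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
BOSS_LETTER_ZIP = build_sample_zip({"info.exe": FAKE_PE})
RENAMED_ZIP = build_sample_zip({"letter.doc": FAKE_PE})       # .exe renamed
CLEAN_ZIP = build_sample_zip(
    {"letter.txt": b"Get back to my office for more details.\n"})

if __name__ == "__main__":
    for label, blob in (("boss letter", BOSS_LETTER_ZIP),
                        ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)):
        print(label, "->", scan_zip_attachment(blob) or "no executable members")
```

Reading only the first two bytes keeps the scan cheap even for large members; a production filter would also cap the uncompressed size it is willing to unpack and recurse into nested archives.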
Spammers are known to exploit the holidays for their malicious activities. Just recently, Trend Micro threat analysts found another spammed message that claims to come from a 'replication specialist' and entices users to buy replica products such as watches, handbags and jewelry at a discounted price. It bears any of the following subjects: Moreover, it encourages users to place their orders before November 1st because of a limited supply. Clicking the URL in the email message leads users to a fraudulent site that sells expensive imitation products. The campaign uses various URLs in the email, but they all point to the same landing page. As early as September, Trend Micro had already alerted users to holiday-themed spam. As usual, users are advised not to buy any products from spammers. Trend Micro protects users from this attack through its Smart Protection Network. Users of non-Trend Micro products can use free tools like eMail ID to stay secure. To see a screen shot please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. http://blog.trendmicro.com -By Nino Penoliar Microsoft counters Windows 7 upgrade hack advice Sweeps 'crapware' under carpet Microsoft has wagged its finger at users to dissuade them from hacking upgrade versions of Windows 7 to get a full copy of the new operating system on their PC. Reacting to tips being served up online, Microsoft has warned that while it's technically possible to perform what's known as a "clean" install of Windows 7 on a PC using upgrade media, you'll be breaking the Microsoft End User License Agreement (EULA), meaning you're potentially running a pirated copy of Windows. Also, Microsoft has "reminded" small and medium-size businesses that they cannot transfer OEM licenses for Windows from old machines to new PCs. 
Eric Ligman, global partner experience lead in Microsoft's Worldwide Partner Group, has blogged bluntly: "Bottom line is, no, OEM Microsoft Windows licenses do not have any transfer rights and live and die on the original computer they are shipped with and installed on, period." These kinds of things happen each time there's a new release of Windows. In past years, Windows users have posted advice on how to get the upgrade editions of Windows XP and Windows Vista working on PCs without Windows pre-installed on the hard drive. Upgrade copies are always cheaper than the full product. Last week's release of Windows 7 has delivered a fresh crop of advice. So-called "signature" PCs being showcased at Microsoft's inaugural retail store in Scottsdale, Arizona, aren't quite right. They're missing a feature PC users will be only too aware of: crapware, which has been deliberately excluded so as not to ruin the in-store computing "experience". TechFlash has reported that the OEM PCs at the store are missing all the useless apps and the crippled and time-bombed software that usually eat up valuable screen, processor and memory real estate thanks to the cross-promotional deals signed by Microsoft and OEMs. Instead, you'll get full versions of Microsoft's Windows Live software and services, programs such as Silverlight, the Zune software, and Adobe's online technologies. For more information on how to upgrade or install Windows 7 please see full article. Operating Systems -By Gavin Clarke 10 Essential Windows 7 Downloads A gallery of free and cheap tools to help you migrate to and settle in with Microsoft's newest operating system. Windows 7 may be brand spanking new, but that doesn't mean you can't find free or cheap tools to tweak its settings, add features, or smooth an upgrade from XP or Vista. We've compiled a list of ten valuable software tools -- many of them free -- that can make your Win7 experience a lot more rewarding. 
Windows 7, like its predecessors, doesn't provide built-in protection against malware such as viruses and spyware. (It does have a firewall, however.) Brave souls upgrading to Windows 7 from XP must do a clean install, a tedious process that includes, among other things, reinstalling all of your apps. Why not load most of your free and open source programs all at once? Ninite does just that. One such app, Photo Gallery, is a free, easy-to-use photo manager/editor that's worth a download, particularly if you're not already using Google Picasa to organize your pics and videos. Anyone moving to Windows 7 from XP or Vista should check out this free download, which helps you copy files and settings from one PC to another. (Windows 7 comes with Easy Transfer.) This free customization tool detects whether you're running Windows 7 or Vista, and offers only those tweaks that are relevant to your OS. So you're about to ask: if Windows 7 has zip compression built in, why do I need the latest version of WinZip? Well, if you seldom use zip archives, you probably don't. But zip fans will appreciate the improvements in WinZip 14 Standard, which has simplified the process of zipping and mailing archives in Win 7. This free app makes it easier to select which programs will load when Windows starts, monitor your hard drives' performance, "health," and temperature, and fiddle with the Registry -- if you dare. Need to resize pictures in Windows 7? This free utility makes it easy -- simply right-click one or more image files in Windows Explorer. This bundle of 16 tools from Systerac has everything you'll need to keep Windows 7 running smoothly. Don't upgrade to Windows 7 before running this free utility from Microsoft. Upgrade Advisor scans your PC to see if it's ready for Win 7. 
If it detects any potential problems, including insufficient memory, incompatible hardware, or outdated software, it'll let you know in a brief summary report. For more information or download links please see full article. eBay phishing scam scariest email blunder of 2009 The eBay email fraud campaign, which took place in May this year and aimed to get users of the online auction site to disclose their bank details, has been named this year's scariest email blunder by Proofpoint. eBay users received an official-looking message that warned "inactive customers" may have their PayPal accounts deleted and asked recipients to confirm their details, including their credit card number, expiry date and PIN. The Conficker virus, which knocked out the Royal Navy's and Royal Air Force's email in January, came second, while the scam emails that attempted to lure recipients into divulging their personal information to receive a tax refund were listed as the third scariest email issue this year. Others that made the list included a judge ordering a Gmail account to be deactivated, 10,000 Hotmail passwords being leaked and Jack Straw's email account being hacked. Keith Crosley, director of market development at the email security firm, says: "These demonstrate the ongoing need for user training, for corporate email policies and for technology to enforce corporate policies". If you have fallen for this scam, notify your service desk immediately and change your passwords. PC Advisor UK -By Carrie-ann Skinner Tech Insight: Developing Security Awareness Among Your Users Skip the 'Wall of Shame' and instead try promotional events and penetration testing your users There's a general misconception about user awareness that the IT industry has fostered for years: the belief that end users are dumb, and awareness is a waste of time. This mindset seems to affect the information security field more than any other area of IT. 
We even have t-shirts that say things like, "Social Engineering Specialist: Because There Are No Patches For Human Stupidity." There's obviously no "IT smarts patch" or 12-step program to help users better recognize phishing scams or make them think twice before clicking on a link from Facebook. It's the job of IT and the company to develop an information security awareness program that's interesting, innovative, and won't bore users to tears. And that's where the breakdown occurs -- a breakdown that feeds the negative attitude about user awareness. Getting users to take ownership of security is critical to the success of any awareness program. For users to truly believe they are the first line of defense, they need to take ownership of the problems caused by their lack of understanding of security issues and the consequences of their actions. Are they aware of data breach disclosure laws in your state? Do they know what attackers are after these days? Have they seen real-world examples of attacks against other users? Penetration testing is one method being used more often to help companies realize the deficiencies in their security awareness programs. Enterprises that have previously left users out of the scope of pen tests are now contracting for full-scope pen testing that includes social engineering, simulated phishing e-mail messages, and attacks against client-side applications. The lessons learned from a pen test can be leveraged to show your users how important their role is in protecting sensitive corporate data. But avoid negative practices, such as a "wall of shame." Calling out users publicly for their security gaffes can be a very effective tool at curbing risky behavior (e.g., surfing porn and social networking sites) in the short term, but employees often end up embarrassed and resentful of information security, which can backfire, leading to carelessness and apathy toward their responsibilities to help protect company data. 
Plenty of resources are available to help you develop effective security awareness programs. NIST SP 800-16 and the related NIST SP 800-50 (PDF) are excellent guidelines. Microsoft has also developed a guidance document and sample materials. In addition, here are some activities and materials suggested by NIST in SP 800-16: Information security awareness programs can work, but only if you implement them with the right motivations -- and not just to meet compliance requirements. Numerous resources are available to help companies create effective programs to promote secure computing practices, resulting in a safer environment for both users and the company's sensitive data. For more information on developing security awareness please see full article. Firefox 3.6 Beta Boosts Speed, Adds Features After promises of an early release, a "test build" teaser, and then an unexpected delay, Firefox 3.6 beta is finally available for download. You can grab a copy for the PC, Mac and Linux on the Mozilla Web site. On top of promised features such as faster JavaScript handling, an outdated plug-in check, and bookmark synchronization, Mozilla pushed out more enhancements: One of the biggest perks of Firefox as a whole is the ability to tinker under the hood, and Mozilla appears excited to assist developers in the process of improving its browser with a special Web site devoted to the process. For more information or to get a download link, please see full article. Bulletins posted 10/30/2009 Surge in Halloween-related fake antivirus websites Hackers are exploiting web users searching for Halloween-related content on the web, says Panda Security. 
Research by the security vendor revealed that hundreds of websites designed to distribute fake antivirus software are coming up top in the results offered by some of the web's most popular search engines. Fake antivirus software, also known as scareware, encourages web users to part with their hard-earned cash to download hoax security software that serves no purpose. According to Panda Security, these fake antivirus programs display aggressive messages to users claiming they are infected and that to resolve the problem they need to buy a license for the program. A simple click will take the user to an apparently legitimate web page, from where they are defrauded. Panda Security said web users should not click through to links or install software from untrusted sources, and should use a web browsing tool that alerts users to the reputation of a site, for example whether it is classified as malicious. If you have fallen for this scam, notify your service desk immediately and change your passwords. PC Advisor UK -By Carrie-ann Skinner USB stick security flaw puts data at risk A significant security flaw in the way computers handle USB sticks could be exploited to break into millions of computers around the world, according to researchers at MWR InfoSecurity. The UK firm claimed that the flaw could allow the creation of USB sticks that "interrogate a computer and download the contents". The researchers added that such devices are just months away from development, and are likely to be used by malevolent and sophisticated criminals to steal the contents of entire hard drives. "What millions of us have seen in countless James Bond and other spy thrillers around the world has now taken a step closer to being realised," said Alex Fidgen, commercial director at MWR InfoSecurity. "The bad guy plugging a small device into the system and removing sensitive data is no longer theoretical. It is possible." 
Criminals could exploit a flaw in the driver software for USB devices to take control of systems and steal information. Fidgen claimed that MWR InfoSecurity has been concerned about these security implications for some time. "Hackers are becoming more and more sophisticated, and business is under threat. Up until now people have felt secure in the knowledge that a simple USB stick could not copy their information without their permission. We have proved that it is not the case," he said. The firm claimed that it has already cracked one operating system using its tools, and is now turning its attention to others. Fidgen added that the researchers had built the hack to raise awareness of the security issues, and had shared their findings with the UK government's Centre for the Protection of National Infrastructure. If you have fallen for this scam, notify your service desk immediately and change your passwords. http://www.v3.co.uk -By David Neal Microsoft cleans up bugs after biggest patch release After releasing its largest-ever group of security patches two weeks ago, Microsoft has done a little cleaning up. Over the past few days, the company has re-released two security updates and issued a workaround for a Windows CryptoAPI patch that caused Microsoft's own instant-messaging server to crash. "This is the patch month that will not die," said Susan Bradley, chief technology officer with Tamiyasu, Smith, Horn and Braun, an accountancy. She added that the Communicator issue was "a big one to miss," because Microsoft is usually careful about testing its security updates with its own products. Scott Turner, network systems administrator with the Public Health Institute in Sacramento, California, noticed the bug immediately after installing Microsoft's updates. "We deployed the patch," he said. "When I came in the next day, nobody could connect" to Communicator. 
According to a support article on Microsoft's Web site, the MS09-056 update disables several services that Communications Server needs in order to operate. The bug affects Live Communications Server 2005, Office Communications Server 2007 and evaluation versions of Office Communicator 2007. Microsoft has released a workaround for the problem, but Turner hasn't yet been able to try it out. He has had to disable the MS09-056 update in the meantime to get his company's Communicator users up and running. Another buggy patch fixed over the past few days was the MS09-043 Office update, first released back in August. This was apparently misconfigured so that customers who use Microsoft update tools such as Windows Server Update Services (WSUS) were given bad scan results. Because of this bug, customers who use Microsoft's tools may believe they're fully patched when in fact they're not, said Eric Schultze, an independent security consultant. Those customers should re-run their update tools to be sure that they're patched, he added. Microsoft said it also corrected some "detection entries" and "file and registry key verification information" in an update to the MS09-062 patch, released Wednesday. The company declined to provide any further explanation of the issues, referring inquiries to its online documentation. If you run Windows 7, re-run your update tool to make sure you have the patches. For more information please see full article. IDG News Service -By Robert McMillan Bugs & Fixes: Snow Leopard's Spelling Ignore button is ignored After updating to Snow Leopard (Mac OS X 10.6), I noticed an odd quirk in the Spelling Checker built into Mac OS X. This is the checker used by applications such as TextEdit and Stickies. Namely, the Ignore button in the Spelling and Grammar dialog is itself ignored. 
That is, when a word is flagged as potentially incorrect and I click the Ignore button (indicating that I want the word to be treated as correct going forward), the word continues to pop up as incorrect for the remainder of the document. This never happened to me under Mac OS X 10.5. This bug may not show up on all Macs running Snow Leopard, but it showed up on all three of mine. After some investigation, I determined the cause: the Automatic by Language option. You’ll find it in the popup menu at the bottom of the Spelling and Grammar dialog. It’s the default selection. This is a new option in Mac OS X 10.6, replacing 10.5’s Multilingual item. Automatic by Language determines what language you are using and automatically shifts to the appropriate spelling dictionary. For whatever reason, it also appears to cause the Ignore bug. If I switched from Automatic by Language to U.S. English, for example, the Ignore function worked as expected. An easily solved related problem was that, each time I quit and relaunched an application such as TextEdit, the selection reverted back to the Automatic by Language default. To fix this, go to the Language & Text System Preferences pane. From the Text tab, access the Spelling pop-up menu and select U.S. English. This makes your selection the new default. Now the Ignore bug should be gone for good. The remaining problem is: what should you do if you really want to use Automatic by Language? In that case, you’ll either have to wait for a Mac OS X update that fixes the bug or learn to live with being ignored by Ignore. For more information please see full article. Could H1N1 flu make the Internet sick? Could the H1N1 flu virus give networks a bad case of congestion? It could if workers and students are forced to stay home because of the pandemic. Officials at the U.S. 
Government Accountability Office weighed in on the potential for clogged networks Monday in a 71-page report (download PDF); Gartner Inc. analysts reiterated the GAO’s concerns yesterday. Although the issue has been raised before by various ISPs and network carriers, recent worries have focused on securities firms that depend on third parties to clear trades and process payments over the Internet, according to the GAO. “Internet congestion during a severe pandemic that hampers teleworkers is anticipated, but responsible government agencies have not developed plans to address such congestion and may lack clear authority to act,” the GAO warned. Gartner picked up that GAO theme and offered some technical tips for businesses grappling with the problem. Work-at-home strategies for organizations “may be in jeopardy as residential Internet bandwidth supply may not meet demand,” Gartner said. Both Gartner and the GAO, as well as other groups, have consulted with ISPs, carriers and large carrier consortiums on this issue, and have noted that Internet backbone congestion from a pandemic is not a major concern. The larger problem may be with the network “edge” or “last mile” in the residential portion of the Internet. The last mile is a generic name often used for the wired connections between homes and carrier switching offices, often a mile or so away from a group of homes. Al Berman, executive director of the Disaster Recovery Institute in New York, agreed, saying there could be congestion problems for workers who work at home without the right equipment. He urged companies to do stress testing on their private networks. Gartner said that dozens of residential DSL users could share a single DSLAM connection at the carrier’s switching office to reach the backbone, contributing to congestion problems. “Last-mile DSL and cable modem networks are where remote access falls apart,” said John Girard, a Gartner analyst. 
“Backbones will be affected [some], but the network edge will crash.” While the network edge impact would vary by neighborhood, Gartner based its comments on a Centers for Disease Control planning guideline that assumes 40% of the workforce might not be in the workplace for an extended period of time during a pandemic. Gartner suggested three ways businesses can improve bandwidth for work-at-home employees during a pandemic: In certain ways, Gartner went further than the GAO in airing concerns about network readiness, although the focus of Gartner’s comments was on businesses — not how the government should work with businesses. Gartner analyst Roberta Witty said that current work-at-home strategies being implemented by organizations to deal with pandemic-related network congestion “will likely not work” in a true emergency. She recommended that IT groups work with network service providers to decide in advance which business operations require heavy Internet use. Companies may even need to stagger hours of operation to increase chances of getting needed bandwidth. The GAO’s report is far broader, and indicates that service providers could add extra network capacity, install direct lines to businesses, temporarily reduce maximum transmission rates or shut down some Internet sites. But all those methods are limited by technical difficulties and whether the government has the authority to insist on such moves. The GAO asked several government agencies to comment on its report, and included a response from the Department of Homeland Security (DHS) that went on for several pages. In one portion, DHS urged all Internet users, including financial services, to develop pandemic contingency plans. “An expectation of unlimited Internet access during a pandemic is not realistic, any more so than an expectation that traffic congestion on hurricane evacuation routes can be completely avoided,” the DHS wrote. 
“All users which rely on the Internet, including the financial services sector, should not expect that Internet congestion problems will be easily solved….” For more information on how to protect your company from this, please see full article. Bulletins posted 10/29/2009 Facebook scam email tries to spread Zeus bank trojan Another email attack leveraging Facebook is pummeling inboxes this week, according to researchers. This one tries to steal passwords and, even more concerning, spreads the insidious Zeus, or Zbot, trojan to victim machines, according to experts at email protection vendor AppRiver. The phony messages claim that Facebook is deploying a new login system to offer users more features and security. Users are encouraged to click on a link, which purportedly takes them to a site where they can update their account. The attackers, however, proceed to rip off users' Facebook passwords by tricking them into "logging in." If users take the bait, they are then brought to a page that prompts them to install an "update tool," which actually is the Zeus trojan, a particularly harmful piece of malware that is known for stealing bank account information from its victims. Engineers at AppRiver said that, as of Wednesday, the spammers had delivered about 1.65 million of these emails at a rate of 1,000 messages per minute per domain. The scam is slick in nature, they said. "As we've come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse," the blog post said. "The graphics are well done and all look like something you would see from Facebook." According to Red Condor, another email security provider, the spoofed Facebook login page contains "Facebook.com" as part of the URL's subdomain, so the host the browser actually connects to is not Facebook's. "As a result, people with small screen resolution or small browser windows/address bar sizes might think they are actually on Facebook's login page," the company said in a statement. 
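The Red Condor observation above is the check that matters: what counts is the host the browser connects to, not whether "Facebook.com" appears somewhere in the address. As an added example, not taken from the original article or from either vendor, the Python below contrasts the naive "does the address contain facebook.com" test with a proper hostname comparison built on urllib.parse, which also defeats the userinfo trick (facebook.com@attacker-host) and a lookalike registrable name. All sample URLs are constructed; the .example TLD and the 203.0.113.0/24 range are reserved for documentation and stand in for attacker-controlled hosts.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "facebook.com"


def naive_looks_like_facebook(url):
    """The check a hurried user makes: 'facebook.com' appears somewhere."""
    return TRUSTED_DOMAIN in url.lower()


def hostname_of(url):
    """The host the browser will actually connect to.

    urlsplit().hostname discards scheme, userinfo (everything before '@'),
    port, path and query, and lower-cases what is left.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")          # "facebook.com." names the same host


def is_really_facebook(url):
    """True only if the connection host is facebook.com or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                 # javascript:, data:, etc. never qualify
    host = hostname_of(url)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed URLs: the first two are genuine; the rest are lookalikes of the
# kind described in the article (attacker hosts use reserved example names).
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://facebook.com/",
    "http://www.facebook.com.account-update.example/login.php",  # subdomain trick
    "http://facebook.com@203.0.113.5/login.php",                  # userinfo trick
    "http://login-facebook.com/",                                 # lookalike name
    "http://203.0.113.5/facebook.com/login.php",                  # only in the path
]


def classify(urls):
    """Return {url: (naive_verdict, real_verdict)} for a batch of links."""
    return {u: (naive_looks_like_facebook(u), is_really_facebook(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, real) in classify(SAMPLE_URLS).items():
        print(f"{'REAL' if real else 'FAKE'} naive={naive!s:5} {url}")
```

The endswith test is deliberately on "." plus the trusted domain, so login-facebook.com does not pass; the same comparison is what a mail filter or proxy should apply to the link target, after resolving any URL shortener, before deciding whether a "Facebook" login link is what it claims to be.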
This widespread wave of fraudulent emails comes soon after a separate campaign this week in which recipients were tricked into believing their Facebook password had been reset. They were encouraged to click on an attachment to view their new password. However, that file actually contained a poorly detected executable -- Packed.Win32.Krap.W -- that installs additional malware on the victim's computer and enlists it as part of the Bredolab botnet. Researchers at messaging security provider Cloudmark have witnessed more than 735,000 instances of the message since Monday. Facebook spokesman Simon Axten told SCMagazineUS.com on Thursday that users should be wary of suspicious or unexpected emails claiming to come from Facebook, and they should never open questionable attachments. If you have fallen for this scam, notify your service desk immediately and change your passwords.

http://www.scmagazineus.com -By Dan Kaplan

FDIC to Banks: Watch for ‘Money Mules’ Duped by Hackers

Bank customers are increasingly being duped into acting as “money mules” for hackers, unwittingly laundering cash stolen from business bank accounts, the Federal Deposit Insurance Corporation warned the nation’s financial institutions on Thursday. Using specialized Trojan horse malware, cyber crooks have been intercepting web banking credentials from the computers of small and midsized businesses, and then initiating wire transfers to mules around the country. The mules are consumers who’ve been lured into fake work-at-home scams, in which their employment involves receiving money transfers and then forwarding the funds to Eastern Europe, directly or through other mules. The scheme has exploded in the last year, with the FBI estimating losses at $40 million so far, according to a recent story from WashingtonPost.com reporter Brian Krebs, who’s been closely following the attacks.
In its industry alert Thursday, the FDIC offered financial institutions some guidance on how to spot customers who’ve become mules. A new customer who opens an account with a minimal deposit, and then starts receiving big bucks on the wire, should be scrutinized, the alert says. “Strong customer identification, customer due diligence, and high-risk account monitoring procedures are essential for detecting suspicious activity, including money mule accounts.” In addition to fake work-at-home scams, cyber crooks are recruiting their pawns with bogus “mystery shopper” jobs, Nigerian-style advance fee scams, and by befriending them over social network sites and spinning “imaginative stories” to persuade them to receive and forward money, the alert says. If you have fallen for this scam, notify your service desk immediately and change your passwords.

http://www.wired.com -By Kevin Poulsen

Kaspersky system analyzes malicious URLs on Twitter for malware

Extensive analysis of links posted on the popular Twitter microblogging service has found that Twitter users are contributing to the spread of malicious URLs posted on the site. Kaspersky Lab's analysis system, called Krab Krawler, pulls in thousands of URLs every hour and feeds them into a central database for analysis. The goal is to better understand the intent of the cybercriminals using social networks to spread malware and conduct phishing attacks, said Costin Raiu, chief security expert at Moscow, Russia-based Kaspersky Lab. "It seems that most of the malicious traffic is generated by users themselves who are unsuspectingly posting links to websites which they think are clean that actually turn out to be infected," Raiu said. "The malware keeps changing every week." Kaspersky Lab said Thursday that it is using its extensive analysis of shortened URLs posted to Twitter to help protect its customers in the wake of a rising number of attacks targeting social network users.
Twitter was targeted by a cross-site scripting worm in April, and the Koobface Facebook worm spread to the microblogging service in June. Over the summer, a denial-of-service attack knocked the service offline for hours. About 26% of all Twitter posts contain URLs. The analysis has found some shortened URLs leading users to websites injected with code that delivers a standard iFrame attack. Raiu said much of the malware can be attributed to the Gumblar Trojan, which used an automated method earlier this year to infect vulnerable websites and set up drive-by attacks. Automated bots are driving much of the malicious traffic by using malicious accounts. The most popular URL leads to an online dating website that has hosted malware in the past. "It indicates the fact that most of the URLs posted on Twitter seem to be generated by spammers or by people with malicious intent," Raiu said. Most of the malware spreading on Twitter can be detected by antivirus programs. Raiu said Kaspersky is using its analysis to help bolster its protection. It takes two to 12 hours from the time a link is posted to Twitter for the Krab Krawler analysis to take place and for signatures to be deployed to Kaspersky customers, Raiu said. Other security vendors offer browser plug-in tools that scan URLs and block them before they can be clicked. AVG Technologies offers LinkScanner, a tool that checks out URLs and strips out any malware they may contain. The tool uses a blacklist of known harmful sites to filter the URL. Security vendor Finjan Inc. has a SecureTwitter tool that issues a warning message when a malicious URL is detected. Twitter announced a service last summer that internally filters URLs using the Google Safe Browsing API. A number of browser add-on tools enable users to check suspicious URLs before clicking them. If you have fallen for this scam, notify your service desk immediately and change your passwords.
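The FDIC's money-mule indicators in the bulletin above (a new account opened with a minimal deposit that soon receives large wires and forwards them on) can be turned into a simple account-monitoring rule. The code below is an added example, not part of the FDIC alert or any bank's system; the thresholds, the ledger and the account numbers are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Txn:
    account: str
    when: date
    kind: str       # "open", "wire_in" or "transfer_out"
    amount: float


# Thresholds are assumptions for this example, not figures from the alert.
MINIMAL_OPENING_DEPOSIT = 100.0   # "opens an account with a minimal deposit"
LARGE_WIRE = 5_000.0              # "starts receiving big bucks on the wire"
NEW_ACCOUNT_DAYS = 30             # wire arrives while the account is still new
FORWARD_DAYS = 3                  # funds pushed out again within days

# Constructed ledger: A-1001 fits the mule pattern, A-2002 is an established
# customer receiving a legitimate wire, A-3003 is a small dormant account.
LEDGER = [
    Txn("A-1001", date(2009, 10, 1), "open", 50.0),
    Txn("A-1001", date(2009, 10, 12), "wire_in", 9_800.0),
    Txn("A-1001", date(2009, 10, 13), "transfer_out", 9_300.0),
    Txn("A-2002", date(2009, 3, 2), "open", 2_500.0),
    Txn("A-2002", date(2009, 10, 5), "wire_in", 12_000.0),
    Txn("A-3003", date(2009, 10, 1), "open", 25.0),
    Txn("A-3003", date(2009, 10, 9), "wire_in", 200.0),
]


def flag_mule_candidates(ledger):
    """Return {account: details} for accounts matching the mule pattern:
    minimal opening deposit, a large incoming wire while the account is
    new, and (reported, not required) funds forwarded out shortly after."""
    by_account = defaultdict(list)
    for t in ledger:
        by_account[t.account].append(t)

    flagged = {}
    for acct, events in by_account.items():
        events.sort(key=lambda t: t.when)
        opening = next((t for t in events if t.kind == "open"), None)
        if opening is None or opening.amount > MINIMAL_OPENING_DEPOSIT:
            continue
        wires = [t for t in events
                 if t.kind == "wire_in" and t.amount >= LARGE_WIRE
                 and (t.when - opening.when).days <= NEW_ACCOUNT_DAYS]
        if not wires:
            continue
        # Money leaving within a few days of a large wire is the forwarding
        # step the alert describes; total it for the analyst's review.
        forwarded = sum(
            t.amount for t in events
            if t.kind == "transfer_out"
            and any(0 <= (t.when - w.when).days <= FORWARD_DAYS for w in wires))
        flagged[acct] = {"opening_deposit": opening.amount,
                         "large_wires": len(wires),
                         "forwarded": forwarded}
    return flagged


if __name__ == "__main__":
    for acct, details in flag_mule_candidates(LEDGER).items():
        print(acct, details)
```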
SearchSecurity.com -By Robert Westervelt

Twitter warns of new phishing attack

Twitter warned users Tuesday of a new phishing scam on the social networking site. It's the latest in a series of scams that have plagued the site over the past year, designed to trick victims into giving up their user names and passwords. "We've seen a few phishing attempts today, if you've received a strange DM and it takes you to a Twitter login page, don't do it!," Twitter wrote on its Spam message page. The message reads, "hi. this you on here?" and includes a link to a fake Web site designed to look like a Twitter log-in page. After entering a user name and password, victims land on an empty blogspot page belonging to someone named NetMeg99. Neither of these pages appears to include any type of attack code, but both should be considered untrustworthy, according to Sophos Technology Consultant Graham Cluley. "It seems like this was a straightforward phishing campaign, rather than an attempt -- at this stage at least -- to spread virally," he said via email. Victims get these direct messages only from people they follow on Twitter, so they seem more believable than other types of spam. Once a user has been phished by the attack, the criminals are then able to direct message all of the victim's contacts with the phishing spam. Hacked Twitter accounts are a great launching pad for more attacks, Cluley said. "We don't know precisely what they're going to do in this case, but often they will send spam messages to advertise a particular site." Because about a third of users have the same passwords for all of their online activity, criminals can also use the same log-in information to try to get into other Web services such as Gmail or Yahoo, Cluley said. "If you've fallen for one of these traps, don't just change your Twitter password; change your password on every Web site you use," Cluley said. "Use non-dictionary words and use something that's hard to guess."
The Twitter attack comes as Facebook users are also under siege. Security researchers say that a spam botnet has sent out hundreds of thousands of fake password reset messages. When victims try to open an attachment that supposedly contains their new password, they end up running a Trojan horse program, called Bredolab, that then installs unwanted software on their PCs. If you have fallen for this scam, notify your service desk immediately and change your passwords.

IDG News Service -By Robert McMillan

Five Things You Should Know About Windows 7 Security

Microsoft says Windows 7 is the most secure version of the Windows operating system ever developed. Big deal, right? I am pretty sure that Microsoft has made that claim for every new version of Microsoft Windows in the past 15 years, and that it is a valid claim. What else would you expect? Is Microsoft going to come out with a new operating system and make it less secure than its predecessor? I think not. Still, while the marketing around Windows 7 security may be part hyperbole, there are actually a number of significant security improvements to be aware of, especially for Windows XP users making (or considering) the transition to Windows 7. Many of these security updates existed in Windows Vista as well, so Vista users should already be familiar with them.

The kernel is the heart of the operating system, which also makes it a prime target for malware and other attacks. Basically, if an attacker can access or manipulate the operating system kernel they can execute malicious code at a level that is undetectable by other applications or even by the operating system itself. Microsoft developed kernel-mode protection to protect the kernel and ensure there is no unauthorized access.

Windows 7 comes with the latest and greatest version of Internet Explorer, IE8. You can download and use IE8 with other versions of Windows, so it's not specific to Windows 7, but it does contain some security enhancements worth noting.
First, InPrivate Browsing provides the ability to surf the Web...in private, as the name implies. When you launch an InPrivate Browsing window Internet Explorer does not save any information related to your Web surfing. That means that there is no cache containing information you typed, and no history of the sites you visited. This is especially useful if you are using IE8 on a shared or public computer, like at a library.

User Account Control (UAC) is the poster child for everything we love to hate about Windows Vista. With Windows 7, UAC is still there, but Microsoft has added a slider that enables you to control the level of protection--and therefore the amount of pop-ups asking for permission to access or execute files--UAC provides.

Because of the kernel-mode protection and the changes Microsoft made regarding how, or if, applications are allowed to interact with the core functionality of the operating system, older antivirus and other security software is not compatible with Windows 7. Vendors like McAfee, Symantec, Trend Micro, and others offer Windows 7 compatible versions of their security software products, but Microsoft also provides free security tools to protect you if you don't want to invest the additional money. The Windows Firewall and Windows Defender antispyware tools are included with the base installation of Windows 7. You can also download and install Microsoft Security Essentials, a free antivirus product released recently by Microsoft.

The Security Center that Windows XP users are familiar with has been replaced by the Windows Action Center. The Action Center is a more comprehensive console for monitoring the Windows 7 system, including security. The security section of the Action Center provides at-a-glance status regarding the security of your Windows 7 system. It includes information about firewall, spyware, and virus protection, as well as the state of Windows Updates, Internet security settings, and UAC.
There are plenty of good reasons to make the switch to Windows 7. If you are still running Windows XP, security is arguably the best reason to embrace the new operating system. It may or may not be the greatest operating system ever, but it is definitely the most secure Windows operating system ever. For more information on the security side of Windows 7, please see full article.

Five Unexpected Uses for the Esc Key

The Esc key has long been the "get me outta here" panacea for many things: canceling a dialog box, getting rid of a button-less splash screen, closing a menu that you clicked open. But those are only the obvious things. Here's a handful of less-than-obvious but just-as-handy solutions the Esc key provides.

You press Command-Tab to switch to another application, pressing Tab several times (or just holding it down) because you're moving to a program that's far away on the Application Switcher's bar. You get halfway across the line of program icons and realize--whoops!--you forgot to copy the material that you wanted to bring with you. Use the awkward Command-Shift-Tab to move backwards? Use the more convenient Command-tilde (~), still pressing the key repeatedly? No! While the Command key is still down, press Esc to return to the program you were working in before the premature press of Command-Tab.

If you want to erase what you've typed in the Spotlight search field, you don't have to tediously delete it a character at a time: press Esc to instantly wipe the field clean so you can start again. The Spotlight menu stores what you last typed in it unless you erase it so that you can make a second choice from the results list. If your search was fruitless--or mistaken--it's a good idea to erase the contents of the field before you close the menu so you can start fresh on a new search. Press Esc twice: once to erase the field, and a second time to close it.
For a relatively tiny thing, the mouse cursor can be an annoying distraction when it happens to be in the wrong spot on your screen while you're viewing a Web page. It's like a fly landing on your TV screen. Whether you're in Apple's Safari or Mozilla Firefox, press Esc and the cursor disappears instantly, cooperatively reappearing as soon as you move the mouse.

I'm a tab junkie in Safari: a window just looks wrong without a half-dozen tabs (each containing a separate Web page) arrayed across its top. But when dragging a tab off the bar to create a separate window (and a new tab colony), it's easy to grab the wrong one and take it off the tab bar before you realize the mistake. You don't have to drag a nascent window back into the bar: press Esc before you let it go, and it snaps back into its original tab position. This trick works in Firefox, too, as well as in other programs that provide tear-off tabbed windows, such as Adobe's Photoshop CS4 and InDesign CS4.

This is currently my favorite Esc key trick because it triggers a feature I've wanted desperately for a long time and didn't realize until recently was already available. In InDesign, a press of a single key selects a tool: V for the selection arrow, T for the text tool, and so on. This one-key access is great--except when you forget you're in a text box and hit V or T or some other tool shortcut and you type the letter instead of getting the tool. I just want to switch to the selection tool with a single key, without having to deselect the text first (and not just temporarily, as with the Command key). As it turns out, I can: Esc deactivates the text box you're in and activates the Selection tool. The outcome of this article will depend on your Mac OS.

Macworld.com -By Sharon Zardetto

Happy 40th Birthday, Internet!

On October 29, 1969, the Internet came in not with a bang, but with a lo.
Letter by letter, UCLA computer science professor Leonard Kleinrock sent a message from his school's host computer to another computer at Stanford Research Institute. Kleinrock was trying to write "login," starting up a remote time-sharing system, but the system crashed after two letters, and lo! The Internet was born with the first data message sent between two networked computers. To be fair, the creation of the Internet was peppered with other milestones that could be considered more or less historic. After all, at the core of the Internet was packet-switching--the process of breaking down data into blocks and routing them individually--and in 1968 Donald Davies of the UK's National Physical Laboratory gave the first public presentation of the idea. But if we can all agree that communication--e-mail, chat, social networking--is what makes the Internet tick, Kleinrock's first message was the most significant early step towards what we have today. Today, 40 years later, life without the Internet seems unfathomable. In those rare occurrences where your Internet service provider has trouble, and you can't connect, it's as if the power is out in your entire house. Over 1 billion people are online, and last year, Google announced that it had detected over 1 trillion pages. For more information please see full article.

Bulletins posted 10/28/2009

New spam: Your bank has failed, download this Trojan

Spam lures victims to a phony FDIC site to check if they are insured, tries to capture banking passwords

Spam that tells victims their bank has failed urges them to click on a link that will tell if their accounts are insured but that really tries to trick them into downloading a Trojan that will turn their machine into a bot. The spam is addressed as if it comes from the Federal Deposit Insurance Corp. (FDIC), but it’s not.
“Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft,” the FDIC says in a warning. The agency says it doesn't send out any unsolicited e-mails. The link to the bogus FDIC site starts with www.fdic.gov, but it later contains a null character followed by the actual domain name, says Bradley Anstis, vice president of technology strategy at M86. The FDIC spam is being sent by the Pushdo botnet, which has also recently been distributing a similar ruse having to do with the IRS and Michael Jackson, M86 says. M86 says it has seen these subject lines on the FDIC spam: FDIC alert: check your Bank Deposit Insurance Coverage; FDIC has officially named your bank a failed bank; and You need to check your Bank Deposit Insurance Coverage. For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Mass web infections spike to 6 million pages

640k sites out to get you

An estimated 5.8 million pages belonging to 640,000 websites were infected with code designed to launch malware attacks on visitors, according to a report released Tuesday. The numbers, compiled over the third quarter by security firm Dasient, represent a significant jump in the number of legitimate websites that have been compromised. According to numbers Microsoft released in April, some 3 million pages were infected. The number of sites blocked by Google more than doubled between December and August, to almost 350,000. "The bad guys are significantly taking advantage of attacking servers so they can distribute their malware to a very, very large number of clients," said Dasient co-founder Ameet Ranadive.
"A lot of these infections are complex and often pretty obfuscated, so it's difficult for experienced webmasters to figure out what parts of their site have been infected and then to remediate it." To understand just how hard it is for webmasters to clean up the mess, consider this: In the third quarter, 39.6 percent of compromised sites had been reinfected after trying earlier to clean up the malware. Criminals are often able to attack a site repeatedly because webmasters fail to change passwords or patch vulnerable web applications that led to the initial exploit. Eleven days ago, ScanSafe, a separate security firm that announced Tuesday it is being acquired by Cisco, reported that more than 2,000 websites were compromised by a mass web infection known as Gumblar. Many of those sites were likely hit in earlier waves and simply reinfected, a ScanSafe researcher said at the time. An estimated 54.8 percent of the attacks observed by Dasient involved malicious JavaScript that was injected into compromised sites. iFrames that silently redirected users to malicious sites came in second at 37.1 percent. Dasient has cataloged more than 72,000 unique malware infections involving websites. The attacks are growing in popularity because they allow criminals to reach large numbers of victims with a minimum amount of effort. For end users who fail to install the latest versions of Adobe Reader, Adobe Flash and other software on their machines, the attacks often result in a "browse and get compromised" scenario, in which their systems are surreptitiously infected simply by visiting the site. "Hackers are starting to see some success from these attacks and whenever they see success, they continue to invest more," Ranadive said. For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
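Two of the lures in the bulletins above rely on the same trick of making a hostile link read as a trusted one: the Facebook login page whose host merely contains "Facebook.com" as a subdomain, and the FDIC link that starts with www.fdic.gov but hides the real domain behind a null character. The check below is an added example for a mail filter or link-rewriting gateway, not code from any of the vendors quoted; the sample URLs, the trusted-brand list and the two-label domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links (not real hosts) modelled on the two lures above:
# a login page whose host only contains "facebook.com" as a subdomain label,
# and a link that starts with www.fdic.gov but hides the real host behind
# an embedded null character.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://facebook.com.account-update.example/login.php",
    "http://www.fdic.gov\x00.deposit-check.example/coverage",
    "http://www.example.org/news",
]

# Brands the filter is asked to protect (assumption for this example).
TRUSTED = {"facebook.com", "fdic.gov"}


def registrable_domain(host):
    """Last two labels of a host, e.g. 'facebook.com'.  Assumption: a
    two-label rule; a production filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url):
    """Describe why a link is deceptive; 'suspicious' is False if it is not."""
    findings = []
    # Everything before a null is what a victim reads in the message;
    # whatever follows it is where the real destination lives.
    shown, null, hidden = url.partition("\x00")
    host = urlsplit(shown).hostname or ""
    hidden_host = None
    if null:
        hidden_host = urlsplit("//" + hidden.lstrip(".")).hostname
        findings.append(
            "null character after %r hides real host %r" % (host, hidden_host))
    # A trusted name appearing only as a subdomain label of some other
    # registrable domain is the Facebook.com.<attacker> pattern.
    if registrable_domain(host) not in TRUSTED:
        for brand in sorted(TRUSTED):
            if brand in host:
                findings.append(
                    "host %r only contains %r as a subdomain label" % (host, brand))
    return {"host": host, "hidden_host": hidden_host,
            "suspicious": bool(findings), "findings": findings}


def flagged_urls(urls):
    """Links from a batch that should be blocked or quarantined."""
    return [u for u in urls if analyze_url(u)["suspicious"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(repr(u), analyze_url(u)["findings"])
```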
http://www.theregister.co.uk -By Dan Goodin

Mozilla fixes 16 flaws with Firefox 3.5.4

Security update also patches 9 bugs in older Firefox 3.0

Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4. The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in some of the advisories outlining the most serious flaws. Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical. The disparity between the two versions' patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in MFSA-2009-63 that required upgrades of the "liboggz," "libvorbis," and "liboggplay" open-source media libraries. For more information please see full article.

Computerworld -By Gregg Keizer

Norton 360 beta 4 made available

Symantec has made a new beta version of its Norton 360 all-in-one security software publicly available. Beta version four of Norton 360, which is compatible with Microsoft's latest operating system Windows 7, features Quorum technology that analyses a file's age, download source, digital signature and prevalence, to determine whether it is a security threat or not.
Norton 360 Beta 4 also features the Smart Start-up Manager that allows users to reduce or stagger start-up applications, as well as the ability to back up files online, and to restore or access them from anywhere via the web. Users will also benefit from enhanced versions of Norton Identity Safe, Norton Safe Web - a website rating service that gives Google, Yahoo! and Live.com search results safety and ecommerce ratings - and the opportunity to try the optional beta of OnlineFamily.Norton, a web-based service that keeps parents in the loop on their kids' online lives. "In the fight against cybercrime, we recognise that consumers need more than just basic protection," said Rowan Trollope, senior vice president, Consumer Products and Marketing, Symantec. "Our technology's effectiveness has been battle-tested and proven in the field, and we're including this new form of security in the Norton 360 beta." For more information or to get a link to the download trial, please see full article.

PC Advisor UK -By Carrie-ann Skinner

Windows 7 endless reboot answer evades Microsoft

Microsoft support offers ideas, but some PCs still crippled after upgrade attempt

Users remained stymied today by endless reboots after trying to upgrade their PCs to Windows 7, according to messages posted on Microsoft's support forum. An answer has yet to be found for all users, who began reporting the problem last Friday after watching the upgrade stall two-thirds of the way through the process. Most users said that their PCs had displayed an error that claimed the upgrade had been unsuccessful and that Vista would be restored. Instead, their PCs again booted to the Windows 7 setup process, failed, then restarted the vicious cycle. Several Microsoft engineers, including the company's senior group manager for Windows supportability, have offered advice, but on Monday users continued to publish complaints on a growing forum thread.
According to Microsoft's head of support, however, the endless reboot problem isn't on the company's top list of concerns. "It's very early in the process," said Ben Bennett, the director of Microsoft's Windows consumer global support group, in an interview Monday afternoon. "In terms of the top issues of customers who choose to upgrade, the XP-to-Windows 7 [upgrade] is up there on the list for lots of reasons. The netbook upgrade scenario -- how do I upgrade my netbook to Windows 7 -- is also a big one. And another is, 'Where are my applications?' after people have upgraded. They wonder what happened to e-mail and photo editing, for example. Those are the top issues so far." For more information please see full article.

Bulletins posted 10/27/2009

Malicious Facebook Password Spam

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today. The malicious .exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which gives the attackers full control of the PC, allowing them to steal customer information and send spam emails, among other things. One of the servers is in the Netherlands and the other one in Kazakhstan. For more information or to see an example of the link and a screen shot, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
Blogger: Time Warner Routers Still Hackable Despite Company Assurance

A blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company last week that it patched the routers. Last Tuesday, David Chen, an internet startup founder, published information about the vulnerability in Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The problem would allow a hacker to remotely access the device’s administrative menu over the internet and potentially change the settings to intercept traffic, making possible all sorts of nefarious activity. Time Warner acknowledged the problem to Threat Level that day, and said it was testing replacement firmware code from the router manufacturer, which it planned to push out to customers soon. Shortly after Threat Level published a piece about the vulnerability, a Time Warner spokesman tweeted to Chen that the patch had been deployed and customer routers were now protected. “Thanks for your post,” wrote spokesman Jeff Simmermon to Chen. “We’ve got a temporary patch in place now while we work on a permanent solution — you should be safe.” But according to Chen, the routers have not been fixed. Writing Monday at his blog, chenosaurus.com, Chen said he ran a scan over the weekend and found 500 routers still vulnerable to attack and that he had not found “a single bit of evidence that supports their claims of a ‘temporary patch.’” “I feel it’s something kind of shady that they’re doing,” Chen told Threat Level. “They’re cheating the customers by letting them think they’re secure, but they’re not.” For more information, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.
http://www.wired.com -By Kim Zetter

Microsoft blames Windows 7 upgrade mess on user confusion

Microsoft yesterday blamed user confusion for the problems many have encountered trying to move from Vista to Windows 7 after buying a discounted upgrade offered to college students. "Digital River and Microsoft are aware that some customers from the Windows 7 Academic Store had difficulties completing the download or installation of the product," said a Microsoft support engineer identified as "Michael" in a message posted Sunday to the company's support forum. Minneapolis, Minn.-based Digital River fulfills download orders for Microsoft's $29.99 Windows 7 upgrade offer to students. Several hundred users have said that they were unable to upgrade from Windows Vista to the new operating system after purchasing, then downloading, a Windows 7 upgrade from Digital River. "We are aware that consumers are encountering difficulties installing Windows 7 where the customer is currently running a 32-bit version of Windows such as Windows Vista, but purchased the 64-bit version of Windows 7," Michael said. Last week, users reported that an error message prevented them from unpacking files downloaded from Digital River. The message read: "We are unable to create or save new files in the folder in which this application was downloaded." "This error occurs when you are in the unloading phase of the 64-bit Windows 7 download process and are running a 32-bit version of Windows such as Windows XP or Windows Vista 32-bit," Michael added. "This is by design, as you cannot launch setup for the 64-bit version of Windows 7 while running a 32-bit operating system." According to Microsoft, users can conduct "in-place" upgrades -- those that retain all data, settings and applications -- only from Vista 32-bit to Windows 7 32-bit, or from Vista 64-bit to Windows 7 64-bit. The company had spelled out the in-place upgrade paths last summer, before it released Windows 7.
"If you want to move from Windows Vista 32-bit to Windows 7 64-bit, or if you are running Windows XP, you have to do a "Custom" or clean installation that must be started by booting off the Windows 7 64-bit DVD," Michael stressed. A Windows 7 custom upgrade, called a "clean" install by some, requires users to back up data and settings from Windows XP or Vista, install Windows 7, then restore the data and settings before finally reinstalling all applications. Students who mistakenly downloaded the 64-bit edition of Windows 7 from Digital River should request a refund, Microsoft's Michael continued, then pay for and download the 32-bit version instead. He pointed customers to a page on Digital River's site where they could request a refund. "In the Web form, select the Order question option in the drop-down menu and include 'Refund and Request 32-bit' in the first line of the problem description," Michael recommended. Michael claimed that Digital River has identified and contacted customers who have been affected by the download error. "Digital River has been making every effort to make it right for these customers," he said. The Microsoft engineer also said Microsoft would not handle support questions about Windows 7 unless customers were able to reach the initial installation screen; all issues prior to that step were to be directed to Digital River. To see comments from people who have fallen into this trap please see page two of full article.

Bulletins posted 10/26/2009

Windows 7 upgrade paralyzes some PCs with endless reboots

Some users trying to upgrade from Windows Vista to Windows 7 have seen their PCs crippled by an endless series of reboots, according to reports on Microsoft's support forum. Users began posting messages about the endless reboots Friday, saying that the Windows 7 installation would hang two-thirds through the upgrade. They reported a message on their machines that claimed the upgrade had been unsuccessful and that Vista would be restored.
Instead, their PCs again booted to the Windows 7 setup process, failed, then restarted the cycle. "My upgrade failed in [the] last step," said a user identified as "Manjigani" in a thread titled "Windows 7 -- Install Message -- Upgrade Unsuccessful" on the Windows 7 support forum. "And now it is in continuous loop. I let it run overnight hoping that it will fix itself, but no luck. I am stuck in limbo." Other than trying to upgrade from Vista to Windows 7, there did not seem to be any common characteristics of the computers or the users' actions. Some said that they had purchased a Windows 7 upgrade electronically from Microsoft's online store, others said they had downloaded the upgrade from Digital River, the Minneapolis-based company that fulfills Microsoft's $29.99 offer to college students, while still others said they had bought a retail copy of the new operating system at stores like Best Buy. Users vented their rage online in scores of messages. Sunday afternoon, a support engineer named "Keith" said that some users' problems may be related to the optical drive speed when creating an install DVD from a disk image downloaded from the Microsoft store or through Digital River. "Make sure you are burning the image at the slowest speed possible to avoid corruption on the installation disc," said Keith. "Digital River and Microsoft are investigating reports of this issue," he added. "This appears to be a series of isolated issues that are often related to the user's Internet provider or installed third-party software." Students, who have faced other problems with their downloaded Windows 7 upgrades, were told by Microsoft to seek help from Digital River through a special request-help page. One user pointed others to a document published last July on Microsoft's support site. The document outlined the endless reboot problem.
"When attempting to upgrade from Windows Vista to Windows 7 the upgrade attempt may fail with the message 'This version of Windows could not be installed, Your previous version of Windows has been restored, and you can continue to use it'," the support document stated. "However, the next reboot of the machine will launch the upgrade process again only to fail with the same message." The document included steps users could take to try to regain control of their crippled computers. If you are using Vista and thinking of upgrading to Windows 7, see the full article for more information on the upgrade problems.

Computerworld -By Gregg Keizer

500,000 job hunters' details exposed in Guardian hack

Sensitive personal data belonging to 500,000 job hunters has been exposed after hackers attacked The Guardian's Jobs website. The website notified those affected via email on Saturday, calling the attack "a sophisticated and deliberate hack". Names, email addresses, covering letters and CVs were among the data exposed. However, the Guardian said some of the data was at least two years old. "You have used the site to make one or more job applications and we believe your personal data, relating to those applications, may have been accessed. The supplier who runs the site has identified the manner in which it was hacked and taken steps to prevent a recurrence," the email read. "We learned yesterday evening that the Guardian Jobs website has been targeted by a sophisticated and deliberate hack, which has breached the security of the data on the site," the website said. The company revealed that it halted the attack part-way through and that the site is now secure. It also said: "We have no reason to believe that any financial or bank data was compromised". The Metropolitan Police's e-crime unit is now investigating the incident.
"The police remain anxious to keep information about the apparent theft to a minimum, in order not to compromise their investigations, but did agree with us that we could inform those users who may be affected," said a security notice on the website. If you have used the Guardian Jobs site, notify your service desk immediately and change your passwords, especially any password you reused on that site.

PC Advisor UK -By Carrie-ann Skinner

Are Flash Cookies Devouring Your Privacy?

Even if you delete normal tracking cookies regularly to evade tracking by snooping sites and eager advertisers, little-known Flash cookies may be making an end run around your attempts to preserve your privacy. Flash cookies (also known as local shared objects or LSOs) can save certain Adobe Flash-related settings--storing preferences for watching Flash video on a certain site, for example, or caching a music file for better playback. But Flash cookies can also store unique identifiers that track the sites you visit, much as regular tracking cookies do. Deleting the regular cookies on your machine via a standard browser option such as Clear Private Data•Cookies (in Firefox) or Tools•Delete Browsing History•Delete cookies... (in Internet Explorer) doesn't affect Flash cookies, which are stored elsewhere on your PC, in the Flash Player's own storage directory rather than in the browser's profile. A recent study called "Flash Cookies and Privacy" reports that even the private browsing modes in the latest browsers won't hamper LSOs. Students and researchers at the University of California, Berkeley, and at other universities found that a number of sneaky online actors use Flash cookies to re-create regular tracking cookies that users delete.
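Because LSOs live outside the browser profile, they can be audited and cleared from outside the browser too, which is useful for non-Firefox users and for checking a fleet of machines. The script below is an added example, not code from the article, from Mozilla, from the Better Privacy add-on or from Adobe. It walks the Flash Player storage directory, groups every .sol file by the domain that wrote it, reports the count and size per domain, and deletes everything except an allowlist, defaulting to a dry run. It assumes the usual on-disk layout of <Flash root>/#SharedObjects/<opaque id>/<domain>/.../<name>.sol and the per-platform default roots listed in FLASH_ROOTS; both are assumptions to confirm on your own machine. The directory tree it builds for demonstration is constructed, not real tracking data.

```python
"""Enumerate and selectively delete Flash Player local shared objects (LSOs).

Added example; not the article's, Mozilla's or Adobe's code. Assumed layout:
    <flash_root>/#SharedObjects/<opaque id>/<domain>/<path...>/<name>.sol
The per-platform roots below are assumed defaults: check them on your system.
"""
import os
import sys
import tempfile
from pathlib import Path

# Assumed default storage roots per platform (verify locally).
FLASH_ROOTS = {
    "win32": Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player",
    "darwin": Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player",
    "linux": Path.home() / ".macromedia" / "Flash_Player",
}


def find_lsos(flash_root):
    """Return [(domain, Path)] for every .sol file under #SharedObjects."""
    shared = Path(flash_root) / "#SharedObjects"
    found = []
    if not shared.is_dir():
        return found
    for opaque_dir in shared.iterdir():          # one opaque per-profile directory
        if not opaque_dir.is_dir():
            continue
        for domain_dir in opaque_dir.iterdir():  # one directory per writing domain
            if not domain_dir.is_dir():
                continue
            for sol in domain_dir.rglob("*.sol"):
                found.append((domain_dir.name, sol))
    return found


def summarize(flash_root):
    """Return {domain: (file_count, total_bytes)} so trackers stand out by volume."""
    summary = {}
    for domain, sol in find_lsos(flash_root):
        count, size = summary.get(domain, (0, 0))
        summary[domain] = (count + 1, size + sol.stat().st_size)
    return summary


def purge_lsos(flash_root, keep_domains=(), dry_run=True):
    """Delete every LSO whose domain is not allowlisted (case-insensitive).

    Returns (deleted, kept), each a list of (domain, Path). With dry_run=True
    nothing is removed, so the candidate list can be reviewed first.
    """
    keep = {d.lower() for d in keep_domains}
    deleted, kept = [], []
    for domain, sol in find_lsos(flash_root):
        if domain.lower() in keep:
            kept.append((domain, sol))
            continue
        if not dry_run:
            sol.unlink()
        deleted.append((domain, sol))
    return deleted, kept


def build_sample_tree():
    """Build a constructed sample storage tree in a temp dir (demo input only)."""
    root = Path(tempfile.mkdtemp(prefix="flash_demo_"))
    base = root / "#SharedObjects" / "ABCD1234"
    samples = {                                   # relative path -> file size
        "tracker.example/ads/uid.sol": 32,        # a tracking identifier
        "tracker.example/ads/second.sol": 16,
        "video.example/settings.sol": 12,         # a legitimate player preference
    }
    for rel, size in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        # Real .sol files begin with the bytes 0x00 0xBF; the rest is padding here.
        path.write_bytes(b"\x00\xbf" + b"\x00" * (size - 2))
    return root


if __name__ == "__main__":
    # Use the real root on this platform if it exists, else the constructed tree.
    root = FLASH_ROOTS.get(sys.platform, FLASH_ROOTS["linux"])
    if not (root / "#SharedObjects").is_dir():
        root = build_sample_tree()
    for domain, (count, size) in sorted(summarize(root).items()):
        print(f"{domain:40s} {count:4d} file(s) {size:8d} bytes")
    deleted, kept = purge_lsos(root, keep_domains=["video.example"], dry_run=True)
    print(f"would delete {len(deleted)} LSO(s), keep {len(kept)}")
```

Run it once with the default dry run, check the per-domain summary for anything you want to keep (a video site's volume setting, for instance), then rerun with dry_run=False and those domains in keep_domains. The Flash settings panel and Better Privacy described in this item do the same job interactively; the script is for scripting it, for example at logout.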
According to the study, more than half of the top 100 Web sites used Flash cookies, and third-party advertisers tended to be behind the underhanded cookie re-creation effort. If you don't want your privacy preferences to be ignored, you can try a couple of options. If you use Firefox, you can install an add-on called Better Privacy that displays a summary of your current LSOs and lets you arrange to delete Flash and regular cookies automatically whenever you stop or start the browser. If you don't use Firefox, you'll have to dig into the settings box at Macromedia's Flash Player Help page, which lets you change settings for the Flash Player on your system. To delete all existing Flash cookies--good or bad--click the Website Storage Settings tab at the far left of the Flash settings interface, and click the Delete all sites button at the tab's base. To delete them individually, highlight an entry and click Delete website. For more information on how to protect yourself, please see the full article.

Bugs and Fixes: Stymie Malicious Media, Attacks

Essential OS fixes are big this month, and fans of free software need to update their Firefox and OpenOffice copies. Apple's QuickTime 7.6.4 update revises the program's handling of .fpx, .mov, and .mp4 files on Windows XP, Vista, or 7, or Mac OS X (not Snow Leopard). In QuickTime, click Help•Update Existing Software to ensure that you have version 7.6.4 (for details, see Apple's "About the security content of QuickTime 7.6.4" page). Microsoft's patch plugs a security hole in the way Windows 2000, XP, Server 2003, Vista, and Server 2008 (but not Windows 7) process .asf or .mp3 media files. Microsoft's Security Bulletin MS09-047 lists many vulnerable combinations of Windows Media Format Runtime and OS versions; run Windows Update to confirm you have the fix.
Network Flaws

Windows Vista and Server 2008 are vulnerable to several network-based security flaws. One, an SMBv2 file-sharing hole, could let a remote attacker take over a machine. Microsoft hasn't yet released a patch, but the company has posted a "Fix It" for disabling SMBv2. File sharing should work, but it may be slow. (The Windows 7 bulletin posted 10/23/2009 below reports that the SMB flaws have since been patched; install that update rather than leaving SMBv2 disabled.) Microsoft did patch a flaw that malicious TCP/IP packets sent across a network might exploit. On Vista and Server 2008, that could mean a full takeover; on Windows 2000, Server 2003, and XP, a system crash is likelier. Microsoft won't release a patch for Windows 2000 (see Microsoft Security Bulletin MS09-048) or XP (which by default doesn't accept the perilous packets). A network problem in the Wireless LAN AutoConfig Service (see Microsoft Security Bulletin MS09-049) could let remote attackers "own" vulnerable Vista or Server 2008 systems. PCs that lack wireless cards or run other Windows versions are safe. A firewall will help block such network-based assaults, but only for traffic it actually filters; it does nothing for the wireless flaw if the attacker is on the same radio link.

Fixes for Free Software

If you use the OpenOffice productivity suite, update to version 3.1.1 or later to avoid a critical problem in how OpenOffice handles Microsoft Word documents. If you open a tainted .doc file, an attacker could take over your PC. Click Help•Check for Updates to see whether you have the latest version (for more details, see OpenOffice.org's 3.1.1 Release Notes). Firefox versions 3.5.3 and 3.0.14 correct three critical flaws. Click Help•Check for Updates, and see Mozilla's security advisories for Firefox 3.0 and for Firefox 3.5. Firefox 3.0 and 3.5 include a security feature that warns you to update Flash if your version is vulnerable; they also provide a link to the Flash download site. If you use Mac OS X versions 10.4 through 10.5.8, fire up Software Update to pick up Security Update 2009-005, which fixes image file, PDF file, and Web site holes. For more information on how to protect yourself, please see the full article.
Bulletins posted 10/23/2009

Yet Another Good National Cyber Security Awareness Month Resource - Google Online Security Blog

As part of our effort to give you good Information Security resources during Cyber Security Awareness Month, we recommend the articles on Google's Online Security Blog, a site with education, stories and lots of links to more information.

Major Secure Email Products And Services Miss Spear-Phishing Attack

Experiment successfully slips fake LinkedIn invite from 'Bill Gates' into inboxes

A spear-phishing experiment conducted during the past few days by a researcher has netted some disturbing results: Most major enterprise email products and services were unable to detect a fake LinkedIn invitation on behalf of "Bill Gates," which landed successfully in users' inboxes. Joshua Perrymon, CEO of PacketFocus, sent a spoofed LinkedIn email to users in different organizations who had agreed to participate in his test. He was able to get his spoofed message through 100 percent of the time and across a wide variety of major email products and services, including smartphone email tools. Perrymon won't name names yet -- he's contacting the affected vendors first -- but says he even tried it on willing vendors and was successful. "I tested [this on] six different enterprise networks using the latest email security technology from most of the major vendors, and not a single one picked up on the spoofed email," Perrymon says. He has written a white paper on the attack and plans to reveal the vendors in the test after he has contacted them and received their responses.
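A spoofed invitation of this kind usually leaves traces in the headers even when the body is perfect, and those traces are what a gateway rule or an incident responder can check. The script below is an added example, not PacketFocus's test harness, any vendor's filter, or code from the article. Using only the Python standard library, it parses a raw message and reports three indicators: a From: domain that differs from the envelope sender in Return-Path, a Reply-To that points somewhere other than the From: domain, and the absence of a passing SPF or DKIM verdict in Authentication-Results. The two messages embedded in it are constructed for illustration; attacker.example and corp.example are placeholder domains, and the SPF/DKIM verdicts in them are made up to exercise the logic.

```python
"""Flag header-level indicators of a spoofed From: address in a raw e-mail.

Added example using only the standard library; not any vendor's or the
article's code. Sample messages below are constructed, with placeholder
domains (attacker.example, corp.example) and invented auth verdicts.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of an address header, or '' when there is none."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_verdicts(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dkim': 'fail', ...}."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are method=result clauses.
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            if "=" in clause:
                method, result = clause.split("=", 1)
                verdicts[method.strip().lower()] = result.split()[0].lower()
    return verdicts


def spoof_indicators(raw_bytes):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_dom = _domain(msg["From"])
    envelope_dom = _domain(msg["Return-Path"])
    reply_dom = _domain(msg["Reply-To"])
    verdicts = _auth_verdicts(msg)
    findings = []
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"From domain {from_dom} != envelope sender {envelope_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to {reply_dom}, not {from_dom}")
    for method in ("spf", "dkim"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} did not pass ({verdicts.get(method, 'absent')})")
    return findings


# Constructed sample: a fake invitation "from" a well-known site, relayed by an
# unrelated host, SPF failing and no DKIM signature at all.
SAMPLE_SPOOF = b"""Return-Path: <bounce@attacker.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=attacker.example
From: "Bill Gates via LinkedIn" <invitations@linkedin.com>
Reply-To: <bill@attacker.example>
To: victim@corp.example
Subject: Bill Gates wants to connect on LinkedIn

Click here to accept the invitation.
"""

# Constructed sample that should come up clean: aligned domains, both verdicts pass.
SAMPLE_CLEAN = b"""Return-Path: <bounce@corp.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: "IT Service Desk" <helpdesk@corp.example>
To: victim@corp.example
Subject: Scheduled maintenance

No action is required.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(label + ":", spoof_indicators(raw) or "no indicators")
```

Two caveats a practitioner should keep in mind. The Authentication-Results header is only trustworthy when your own gateway added it, so inbound copies must be stripped or renamed at the border or a sender can simply include a "pass". And, as Dhanjani notes in this item, a well-crafted lure works even when none of these indicators fire; the check raises the cost of the cheapest spoof, it does not replace user awareness.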
Perrymon says he tested 10 different combinations of email security appliances, services, and open-source and commercial products; four major client email products; and three major smartphone brands. The problem is that most anti-phishing technology is built to catch large-scale phishing attacks, but not the insidious and dangerous small, targeted ones. "If it's small-scale, the technology definitely can't stop it," he says. "When the attacks get into the hundreds, it starts triggering [the security]," he says. Phishing expert Nitesh Dhanjani, who is also the author of "Hacking: The Next Generation," says it's easy for spear-phishing attacks to abuse traditional, insecure protocols. "Yet [these types of attacks] serve well in raising consciousness to how easy it is to steal information from a targeted party. It is trivial to spoof the 'from' address of an email," says Dhanjani, senior manager of advisory services at Ernst & Young. "Regardless of this, however, spear-phishing attacks are generally successful, [and] many users would fall for the bait even if the 'from' address wasn't spoofed. "The reality is the foundation of protocols, such as SMTP, DNS, and HTTP, are often the weak link because they rely on use cases for legitimate uses that can be easily translated to abuse cases." For more information, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

DarkReading -By Kelly Jackson Higgins

From Security Perspective, Windows 7 Off To A Rocky Start

Experts express consternation over early vulnerabilities, UAC configuration issues

The global launch of Microsoft's next-generation Windows 7 operating system today was greeted with fanfare -- and some grumbling from security professionals who worry the new OS already has too many holes.
Windows 7, which has been broadly beta-tested for many months, is hailed as being easier to use than its predecessor, Vista, which didn't catch on the way many industry watchers had expected. But if the new environment is easier on the user, then it isn't as secure as it could be, security professionals say. First, there is the issue of vulnerabilities. Microsoft has patched several security flaws in Windows 7 since last November, and a zero-day exploit of vulnerabilities in Microsoft's Server Message Block (SMB) technology affected both new and old versions of Windows last month. The SMB vulnerabilities were patched in the most recent round of updates last week. While most security experts were not surprised by the vulnerabilities that have already turned up in Windows 7, some continue to complain that the implementation of Microsoft's User Account Control (UAC) feature in the new OS could create even more security problems than were seen in Vista. In a nutshell, experts say, Windows 7 makes it easier for users to turn off or ratchet down the capabilities of UAC to make the new OS easier to use. Unlike Vista, which required a special utility to change UAC settings, Windows 7 enables administrators to simply turn off or reduce security prompts that are designed to warn users they are about to do something risky. In fact, the default configuration of Windows 7 continues to give users administrative privileges and doesn't set the UAC controls on maximum. As a result, IT administrators will have to change settings on Windows 7 PCs if they want to get the full benefit of UAC -- or if they want users to run the so-called "standard" configuration, in which the end user does not have admin privileges. By simplifying the user's ability to change UAC controls, Microsoft might also have made it easier for hackers to distribute malware to Windows 7 PCs, experts say.
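Whether a Windows 7 PC is still at the default UAC level, at maximum, or has had UAC switched off can be read from three registry values rather than by clicking through the slider on every machine. The script below is an added example, not Microsoft's code and not Long Zheng's proof of concept. It reads the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System when run on Windows, and otherwise accepts a dict of the same values so the assessment logic can be exercised anywhere. The meanings it relies on: EnableLUA=0 disables UAC entirely; ConsentPromptBehaviorAdmin is 2 for "always notify" (the top of the Windows 7 slider), 1 for prompting for credentials on the secure desktop, 5 for the Windows 7 default (prompt only for non-Windows binaries) and 0 for silent elevation; PromptOnSecureDesktop=1 dims the screen so other software cannot click the prompt. The dicts in the main block are constructed sample inputs.

```python
"""Assess Windows 7 UAC registry settings against the strictest configuration.

Added example; not Microsoft's code nor Long Zheng's proof of concept.
Reads the registry on Windows, or takes a dict of the same values elsewhere.
"""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Windows 7 out-of-the-box values (constructed sample input for the demo below).
WINDOWS7_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                     "PromptOnSecureDesktop": 1}


def read_uac_settings():
    """Read the three UAC values from HKLM (Windows only); missing values are None."""
    if not sys.platform.startswith("win"):
        raise OSError("registry access requires Windows")
    import winreg  # only importable on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                settings[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                settings[name] = None
    return settings


def assess_uac(settings):
    """Return findings (list of str); an empty list means UAC is at its strictest.

    Strictest here means: UAC on, every elevation prompts (for consent or for
    credentials) on the secure desktop. The default Windows 7 slider position
    is deliberately reported as a finding, since the item above says admins
    must raise it themselves.
    """
    findings = []
    lua = settings.get("EnableLUA")
    admin = settings.get("ConsentPromptBehaviorAdmin")
    secure = settings.get("PromptOnSecureDesktop")
    if lua != 1:
        findings.append("EnableLUA is not 1: UAC is disabled outright")
        return findings  # the remaining values are moot when UAC is off
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    elif admin not in (1, 2):
        findings.append(f"ConsentPromptBehaviorAdmin={admin}: not 'always notify' (2)")
    if secure != 1:
        findings.append("PromptOnSecureDesktop is not 1: prompt is not on the secure desktop")
    return findings


if __name__ == "__main__":
    try:
        current = read_uac_settings()
    except OSError as exc:
        print(f"{exc}; assessing the Windows 7 default values instead")
        current = dict(WINDOWS7_DEFAULTS)
    for line in assess_uac(current) or ["UAC is at the strictest setting"]:
        print(line)
```

Running it on a fresh Windows 7 install reports the single finding about ConsentPromptBehaviorAdmin=5, which is the gap the article describes; a machine where malware or a user has pulled the slider to the bottom reports EnableLUA. Note that these values only govern prompting; keeping day-to-day accounts out of the local Administrators group, the "standard" configuration mentioned above, is a separate group-membership change.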
"Increasing operating system usability also increases security risks -- risks of infection and compromise of data and functionality," says Ray Dickenson, CTO of Authentium, another security tool vendor. "The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely -- without the user's knowledge." Long Zheng, a security researcher, published a proof-of-concept back in June that exploits the UAC flaw. Microsoft says it doesn't consider the UAC settings to be a vulnerability, and the company has stated it has no intent to change the UAC feature. If you are using Windows 7, be on the lookout for these issues: apply the SMB patch, and make sure UAC has not been turned down or off.

Apple releases server diagnostic tool for Snow Leopard

Apple released a server diagnostic download on Thursday that the company says will test servers running Mac OS X Server 10.6 for hardware issues. Apple Server Diagnostics 3X106 is a 20.20MB download available from Apple's Support Website. The download is compatible with Snow Leopard Server running on the early 2009 and early 2008 models of the Xserve as well as the early 2009 models of the Mac mini. Apple Server Diagnostics, or AXD, runs a customizable set of tests for diagnosing issues with server components including the Boot ROM, Ethernet controller, fan, hard drive, memory, power supply, processor, sensor, USB ports, and video controller. Users can run the diagnostic tool in Extensible Firmware Interface (EFI) or in Mac OS X or Mac OS X Server, Apple says. For a link to this download or more information, please see the full article.

Macworld.com -By Philip Michaels

Mozilla releases Raindrop, a prototype messaging tool

Mozilla has launched a software project designed to let people better manage the ever more voluminous stream of messages coming from sources such as Twitter and Facebook into their e-mail.
Raindrop is not another e-mail client, however, said Bryan Clark, the design lead for Mozilla Messaging. Mozilla describes it as a "mini Web server" that is installed on a PC and collects conversations and messages from a variety of sources and then intelligently sorts them. The purpose of Raindrop is to allow people to have a clearer view of the messages they're getting and not let the personal ones be obscured in an e-mail box among, for example, a morass of Facebook or Flickr notifications. It will also be able to handle notifications from YouTube, blogs and RSS (Really Simple Syndication) feeds. Raindrop "intelligently separates the personal messages from the bulk," Clark said. Direct messages and replies on Twitter, for example, are more like e-mail than other bulk messages sent on Twitter. Raindrop will separate those direct messages and replies. Messages from mailing lists are also listed separately from personal messages, along with those from other Web services such as Amazon.com or eBay. Users can decide where they want certain types of notifications to appear. Raindrop will also be a platform on which other developers can build. "At the same time, it creates a programming interface (API) that helps designers and developers extend our work and create new systems on top of that data," according to Raindrop's Web site. "We aren't trying to invent new protocols or build new messaging systems, rather focusing on building a product that lets users get a handle on the systems we already use." Raindrop's mini Web server is accessed through a browser, and Mozilla intends to make it compatible with any browser that supports the specifications of the Open Web Foundation, an organization dedicated to creating a legal framework for nonproprietary Web specifications. The source code is being released under the Mozilla Public License. Two iterations of Raindrop have been built with different designs. More designs will be uploaded to the Raindrop Design Flickr group.
So far, there is no installer, but that is a near-term goal. People are advised to carefully read the install notes before trying to run Raindrop. For a link to this download or more information, please see the full article.

IDG News Service -By Jeremy Kirk

New Halloween-themed spam just the first fright

With Halloween nearing, users should be on alert for spam and other attacks exploiting the holiday, and experts expect social network websites to serve as a major vector this year. So far, one Halloween-themed spam campaign offers readers the opportunity to earn money from home, according to anti-virus vendor Trend Micro. "Happy Halloween!" the message reads. "Make it even sweeter with some EXTRA CASH in your candy bag!" The message contains a link that redirects users to an inactive site that was registered in August, most likely just for spamming purposes. There will probably be a fair amount of spam associated with the holiday, but other Halloween-themed exploits are sure to ramp up next week as well, Randy Abrams, director of technical education at anti-virus vendor ESET, told SCMagazineUS.com on Friday. Users should be on alert for fake Halloween e-cards, which could lead to malicious sites intended to infect visitors with malware. Also, users should be wary of clicking on links in emails or on social networking sites to supposed holiday-themed videos, Abrams said. Halloween-themed exploits will likely be rampant, particularly on social networking sites, this holiday season. As a basic precaution, users should close their browsers if they see a link that says they need to download or install something, Abrams said. Also, users should ensure their operating systems and anti-virus programs are up to date and use a freely available web tool to ensure all applications are patched.
Legitimate e-cards should be addressed specifically to the recipient and include the name of the person who sent the card, instead of simply indicating that the sender was a "friend," "family member" or "admirer," Abrams wrote in a blog post on Friday. Also, links to e-cards should be for legitimate e-greeting sites such as American Greetings; check where a link actually points before clicking it, since the visible text of a link can say anything. Around last Halloween, Trend Micro warned that internet searches for costumes would often lead to "poisoned" results, some of which were propagating rogue anti-virus software. Abrams said he expects to see similar ploys this year. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Website Contact: David Matthews