Latest Security applications News

Posted: December 9, 2010 in Security

‘Trojanized’ Google Android security tool found in China

Suspicious code is lurking in a repackaged Chinese version of a tool Google released last weekend to remotely clean malicious apps off Android phones, Symantec said Thursday.

This “trojanized” package was found on an unregulated third-party Chinese marketplace and not on the official Android Market, the security vendor said in a blog post.

After 58 malicious apps were found on the Android Market last week and downloaded onto about 260,000 devices, Google removed the apps from the market and then wiped them from the phones too.

Now, Symantec says someone appears to have taken the “Android Market Security Tool” used to clean up the devices infected with the malware, repackaged it and inserted code in it that seems to be able to send SMS messages if instructed by a command-and-control server.

It also looks like the code used in the new threat is based on a project hosted on Google Code and licensed under the Apache License, according to Symantec.

A Google spokesman provided this statement when asked for comment: “We encourage Android users to only install applications from sources they trust.”

Several things should raise red flags for people with this threat–it’s not on the official, trusted Android Market and it requires a user to install it whereas the Google tool used an automatic push function to distribute the legitimate app.

The initial malware found on the Android Market, dubbed “DroidDream”, not only could capture user and product information from a device but also had the ability to download more code capable of further damage.

“We have added detection for the trojanized version of Google’s application as Android.Bgserv,” Symantec said.

Meanwhile, a Kaspersky researcher has questioned the efficacy and methods of Google’s Android security tool itself.

Study: Negligence cause of most data breaches

Negligence is the biggest cause of data breaches at corporations, but criminal attacks are growing fastest, a study released Wednesday concludes.

The average cost of a data breach for a victimized organization increased to US$7.2 million, and the average cost per record came to US$214, up US$10 from the previous year, according to the 2010 Annual Study: U.S. Cost of a Data Breach, which was conducted by the Ponemon Institute and based on data supplied by 51 U.S. companies across 15 different industry sectors.

The costs associated with a breach involve detecting the incident, investigation, forensics, customer notification, paying for identity-protection services for victims, business disruption, and productivity losses, said Larry Ponemon, chairman and founder of the Ponemon Institute. A record can contain only one piece of information on an individual or multiple pieces of data, including social security number, contact information, driver’s license number, purchasing habits, and account number, he said.

Malicious or criminal attacks are the most expensive and make up the fastest-growing category, with 31 percent of all breaches involving malice or crime. Negligence was the most common threat, with 41 percent of all breaches, according to the study, which was sponsored by Symantec.

The most expensive breach reported in the study was US$35.3 million, and the least expensive was US$780,000.

The companies have devised an online Data Breach Calculator for helping estimate how likely a breach is and how much a breach would cost based on an organization’s size, industry, location, and security practices.

Report: Malware-laden sites double from a year ago

More than 1 million Web sites were believed to be infected with malware in the fourth quarter of last year, nearly double from the previous year, according to figures released today by Dasient.

Malvertising, advertising containing malware, also is on the rise, with impressions doubling to 3 million per day from the third quarter of 2010, Dasient said in a blog post.

“The probability that an average Internet user will hit an infected page after three months of Web browsing is 95 percent,” the company said.

The news corresponds with information released this week by another security firm. An analysis of more than 3,000 Web sites across 400 organizations last year found that 44 percent of them had serious vulnerabilities at all times, while 24 percent were frequently vulnerable for an average of at least 270 days a year, according to WhiteHat Security, which provides Web site testing and security services for companies. Meanwhile, only 16 percent of the sites examined were found to be rarely vulnerable, the report said.

About 64 percent of those sites had at least one information leakage vulnerability, which inched past Cross-site scripting as the most prevalent vulnerability, WhiteHat said.

Neither WhiteHat nor Dasient identified the Web sites they analyzed or disclosed whether any of the biggest Web brands were among those with malware or vulnerabilities.

Dasient researchers wanted to see how easy it would be to spread malware on social-networking sites and created some test accounts to spread various types of links. More than 80 percent of the dozen unidentified sites it tested allowed through links that were on Google’s Safe Browsing list, while all of them allowed through links that led to a benign drive-by download.

In another test, the researchers posted an ad whose click-through links led to a benign drive-by download and found that the social-networking site kept the ad up for more than three weeks before pulling it. The ad had the headline “Click for a security test”, led to a site at “,” and said a Windows calculator would pop up if the computer was vulnerable.

China-related DoS attack takes down Codero-hosted Web sites

A distributed denial-of-service attack that affected thousands of customers at Codero and other hosting providers appeared to come from within China and to be launched at a Chinese site that is critical of communism or its Domain Name System provider, Codero said Tuesday.

The disruptions that took Codero’s customers offline for most of the morning were collateral damage in the attack, Ryan Elledge, chief operating officer at Codero, told ZDNet Asia’s sister site CNET.

Directly in the path of the attack was a Codero customer that hosts DNS records for sites on the Internet, including a Web site critical of communism that appeared to be the ultimate end target, he said. At least three other hosting providers for that Web site were also affected by the attack, he said. Elledge declined to name any of the companies involved or the Web site.

Meanwhile, all of Codero’s customers were back up by 1 p.m. PT, according to Elledge.

About 5,000 servers in its Phoenix data center were affected, which meant slowdowns or outages for at least that many customers, Elledge said. He could not say how many customers had been affected in total.

Initially, Codero thought the problem was due to issues with one of its upstream providers, but that turned out not to be the case, he said. “We were receiving more than 1.5 million packets per second in the attack. It paralyzed our core routers, and our upstream providers were unable to pinpoint where the target IPs were,” he said.

The company reported problems beginning about 7:30 a.m. PT. “We are experiencing network issues affecting part of our PHX data center,” the company posted on its Twitter page. “Engineers are working with upstream providers.”

“Another attempt is now under way at routing traffic to specific segments of our network,” Codero tweeted around 9:30 a.m. PT.

Codero, which has points of presence in Irvine, Calif.; Denver; Chicago; and Ashburn, Va., is migrating a data center from San Diego to Phoenix. Only the Phoenix location was affected by the attack, Elledge said.

Google confirms it pulled malicious Android apps

After several days of silence on the issue, Google has confirmed it removed several malicious apps from its Android Market earlier this week and said it would remove the apps from users’ devices as well.

Only devices running an Android version earlier than version 2.2.2 were susceptible to the rogue apps, which took advantage of known vulnerabilities, the Internet giant reported yesterday in a company blog. The company believes the only information that was accessed by the apps were the unique codes used to identify the specific device and the version of Android that it was running.

Fifty-eight malicious apps were identified and removed but not before they were downloaded to about 260,000 devices, according to a TechCrunch report. Google said it would use a kill switch to remotely remove the apps from users’ devices and push an Android security update to affected users to repair the damage done by the apps. Affected users can expect to receive an e-mail from Android Market support explaining the action, Google said.

The developer accounts associated with the apps were suspended and law enforcement officials were contacted, Google said.

Earlier this week, a Reddit user discovered that pirated versions of legitimate apps on the Android Market were infected by a Trojan called DroidDream, which uses a root exploit dubbed “rageagainstthecage” to compromise a device, according to a report on enthusiast site Android Police.

The malware was described as especially virulent because it apparently can not only capture user and product information from a device but also has the ability to download more code capable of further damage.

Google representatives did not immediately respond to a request for further information or comment.

DDoS attacks harmless: Anonymous user

Distributed denial-of-service (DDoS) attacks are harmless, according to Australian Matthew George, who was charged for his role in the Anonymous group’s bid to crash federal government websites last year.

George was one of possibly hundreds of Australians under the Anonymous banner who participated in DDoS protest attacks against the Australian Parliament House and Department of Broadband, Communications and the Digital Economy Web sites. Melbourne resident Steve Slayo was the only other user charged for participating in the attacks.

For his role, George faced 10 years imprisonment for “causing unauthorized impairment of electronic communication to or from a Commonwealth computer”, but received a US$550 fine with a recorded conviction. Federal police raided George’s home in June last year and he faced court in October.

Speaking to ZDNet Asia’s sister site ZDNet Australia, George rebuked comments by the Australian Federal Police that sentences for DDoS attacks are too weak, instead saying that the act does not cause permanent damage.

“DDoS service attacks are harmless. Most hosting companies have DDoS attack precautions in place and there is no long-term damage caused to any servers or Web sites,” George said.

“It is far different to hacking in and defacing or rooting a server [because] when the DDoS attack is stopped everything goes back to normal as if nothing had ever happened.”

“You can’t compare DDoS attacks to child porn, hacking or writing a virus–it’s like comparing apples with oranges.

“As far as saying that the sentence was too weak, maybe they should pass that on to the district public prosecutors as [it] agreed that the sentence was fair in my case.”

AFP High Tech Collection and Capability manager Grant Edwards told a security conference this month that the courts are unwilling to issue tougher sentences for DDoS attacks because “they don’t understand the threat”.

Edwards cited the penalties handed to George and Slayo, who received a good behavior order, as examples of soft sentences.

George said the criminal conviction may make it harder for him to gain employment opportunities.

He said he believes most participants in the DDoS attacks were from Australia. The AFP has refused to confirm if it is investigating other users for their role in the attacks. It had not received requests by the likes of MasterCard and Visa, which were hit with DDoS attacks for blocking funds to whistleblower Web site Wikileaks.

A ZDNet global poll found that readers do not support DDoS attacks on companies that cut off Wikileaks.

This article was first published at ZDNet Australia.

WordPress hit with second big attack in two days

The popular blogging-site hoster WordPress was hit with another distributed denial-of-service last Friday, the second in two days.

“Unfortunately, the DDoS attack from yesterday returned in a different form this morning and affected sitewide performance,” the company said in a notice on its Automattic site, which serves as a dashboard for the service. “The good news is that we were able to mitigate it quickly and performance returned to normal around 11:15 UTC. We are continuing to monitor the situation closely.”

Stats on show that the site was affected for about an hour or so starting around 3:15 a.m. PST. One day earlier, WordPress was hit with an attack that reached “multiple Gigabits per second and tens of millions of packets per second,” hampering the company’s three data centers and disrupting nearly 18 million hosted blogs and members of its VIP service, including the Financial Post and TechCrunch.

Typically, DDoS attacks are accomplished using botnets of thousands of compromised computers that are directed to a target Web site with the motivation of overwhelming the site and taking it offline.

WordPress did not provide many details about either attack, but founder Matt Mullenweg told ZDNet Asia’s sister site CNET on Thursday that the first attack may have been politically motivated against one of the site’s non-English blogs. He did not immediately respond to an e-mail seeking comment on Friday.

Expert: Android Market should scan for malware

Android Market apps should be scanned for traces of malware to protect Android customers from downloading apps that look legitimate but are in fact malicious, a security expert said.

Last week Google removed a bunch of malicious apps, most disguised as legitimate apps, from the Android Market after they were found to contain malware. The malware, dubbed DroidDream, uses two exploits to steal information such as phone ID and model, and to plant a back door on the phone that could be used to drop further malware on the device and take it over.

“At a minimum, they have to do signature-based scanning for known malware,” said Chris Wysopal, chief technology officer at Veracode, an application security provider. “DroidDream is now a malware kit and it would be easy for people to make variations of it and insert it into new software.”

But traditional signature-based antivirus software isn’t good at detecting brand new malware or existing malware that has been modified enough to slip past the antivirus programs. To catch something like DroidDream then, behavioral-based antivirus scanning should also be used, according to Wysopal.

“Downloading and installing additional software onto the device outside of the app store is the kind of behavior that should be scanned for,” he said.
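The two layers Wysopal describes, a signature match for known samples plus a behavioural check on what the app can do, and the repackaging pattern Symantec reported for the trojanized cleanup tool (same app, new SMS capability) can be illustrated in one small vetting check. The following is an added example, not code from Symantec, Google, Veracode or Lookout; it assumes the binary AndroidManifest.xml has already been decoded to text, and every digest, manifest and package name in it is constructed.

```python
"""Added example (not Symantec's, Google's or Veracode's code): a two-layer
app vetting check combining a known-sample signature match with a heuristic
on declared permissions, plus a diff against the legitimate app's baseline
to spot repackaging. All digests, manifests and names are constructed."""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Layer 1: signature-based. Constructed digest standing in for a known-bad sample.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed: known DroidDream-family sample").hexdigest(),
}

# Layer 2: behaviour-based. Capabilities a cleanup tool has no business declaring:
# installing software outside the store (Wysopal's example) and sending SMS
# on command (Symantec's finding about the repackaged tool).
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.INSTALL_PACKAGES": "can install additional software outside the store",
    "android.permission.SEND_SMS": "can send SMS messages (premium-rate fraud or C2 channel)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself at every boot",
}


@dataclass
class Verdict:
    sha256: str
    known_bad: bool                 # layer 1 hit
    risky: Dict[str, str]           # layer 2 hits: permission -> why it matters
    added_vs_baseline: Set[str]     # permissions absent from the legitimate build

    def is_suspicious(self) -> bool:
        return self.known_bad or bool(self.risky) or bool(self.added_vs_baseline)


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect <uses-permission android:name=...> entries from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def assess(apk_bytes: bytes, manifest_xml: str,
           baseline: Optional[Set[str]] = None) -> Verdict:
    """Run both layers; `baseline` is the permission set of the genuine app,
    so anything new in a same-named package points at repackaging."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    perms = declared_permissions(manifest_xml)
    risky = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    added = (perms - baseline) if baseline is not None else set()
    return Verdict(digest, digest in KNOWN_BAD_SHA256, risky, added)


# Constructed manifests: the genuine tool declares only INTERNET; the
# repackaged copy adds SMS sending and a boot receiver.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.markettool">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.markettool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    baseline = declared_permissions(LEGIT_MANIFEST)
    verdict = assess(b"constructed: repackaged apk bytes", REPACKAGED_MANIFEST, baseline)
    print("suspicious:", verdict.is_suspicious())
    for perm, why in verdict.risky.items():
        print(f"  {perm}: {why}")
    print("  added vs. genuine build:", sorted(verdict.added_vs_baseline))
```

The signature layer alone would miss the repackaged copy (its hash is new), which is exactly the gap Wysopal points out; the permission diff catches it because a cleanup tool that suddenly needs SEND_SMS is the anomaly, regardless of what the code is called.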

A Google spokesman declined to comment beyond confirming that the company had removed some apps and disabled several developer accounts for violating Android Market policies.

Most if not all of the 55 or so apps that were pulled from the Android Market were repackaged versions of legitimate apps, said Kevin Mahaffey, chief technology officer at Lookout, which provides security software and services for Android, BlackBerry, and Windows. This means that even more cautious Android users could have been more easily duped into downloading one of the apps, he said. (Symantec has a list of some of the apps removed from the Android Market here.)

Depending on the handset, some Android versions may have been patched by now, but others have not, he said. The vulnerabilities exploited by the malicious apps have been patched in Android 2.3, also known as Gingerbread, but older versions could still be vulnerable, according to Mahaffey.

It’s not clear whether DroidDream did in fact download any software onto devices that installed any of the malicious apps. The command-and-control server the malware set up to communicate with the victim devices is offline now and “we haven’t seen any evidence that the server was pushing apps to the devices,” Mahaffey said.

It’s also a mystery who is behind the malicious apps, but there’s a possibility it’s someone in China as the malware was also found on alternative Android marketplaces that target Chinese users, he said.

Cleanup can be a pain; in addition to removing the app, any additional software it may have hidden in the device must be wiped. Lookout can walk Android users who need help through the cleanup process, Mahaffey said.

The Android Market is flourishing, with the number of apps growing faster than the iPhone market, according to Lookout. Android also has greater overall market share of mobile operating systems in the U.S. (29 percent) than Apple’s iOS and Blackberry (both 27 percent), Nielsen announced last week.

Much of the success of the platform is due to the fact that the operating system is open-source and thus attracts a large number of developers. The openness of Android’s platform fosters innovation, but leaves much of the responsibility for security on the shoulders of Android customers, experts say. (More details on the different security models between Android and iPhone are here.)

In one analogy Wysopal has come across, the iPhone environment has been likened to Disney World and Android to New York City. You might not have as much freedom and choice at Disney World, but you probably feel safer.

“How are people who don’t read CNET supposed to know that they need to do something on their phone to bring it back to its factory state because it’s been compromised” by a malicious app, Wysopal said. Apple could send a warning out to all iPhone users if it needed to but that can’t happen on the Android because of all the different flavors of the operating system running on the different handsets, he said.

This may be the first time Google has removed malicious apps from the Android Market, but it’s not the first time apps have been pulled. Last year two proof-of-concept apps designed to test how easy it would be to distribute an innocuous program that could later be made malicious were removed. Later in the year Google pulled another app the same researcher created to illustrate a flaw in the mobile framework that allowed apps to be installed without a user’s knowledge. That hole also was plugged.

WordPress hit by ‘extremely large’ DDoS attack

Blog host was the target of a distributed denial-of-service (DDoS) attack earlier today described by the company as the largest in its history.

As a result, a number of blogs–including those that are a part of WordPress’ VIP service–suffered connectivity issues. That includes the Financial Post, the National Post, TechCrunch, along with the service’s nearly 18 million hosted blogs.

According to a post by Automattic employee Sara Rosso on the company’s VIP Lobby (which had been down at the time of the attacks, though was archived by Graham Cluley over at Naked Security), the size of the attack reached “multiple Gigabits per second and tens of millions of packets per second”. Rosso had also said putting a stop to the attack was “proving rather difficult”.

Rosso had also said the company would be handling its VIP sites ahead of general users.

Denial-of-service attacks are designed to overwhelm Web sites with requests, effectively shutting them down. The ones that are distributed present a much larger challenge to combat, since they can come from a wider variety of networks and hosts.

In an e-mail to ZDNet Asia’s sister site CNET, WordPress founder Matt Mullenweg said the attack had affected three of the company’s data centers, and was the largest it has seen in the company’s six-year history. Mullenweg also said that the attack “may have been politically motivated against one of our non-English blogs”, but that that detail had not been confirmed. Full e-mail below:

There’s an ongoing DDoS attack that was large enough to impact all three of our data centers in Chicago, San Antonio, and Dallas–it’s currently been neutralized but it’s possible it could flare up again later, which we’re taking proactive steps to implement.

This is the largest and most sustained attack we’ve seen in our six-year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.

WordPress later updated that the problem has been fixed. “Our systems are back to normal. We’ll continue to monitor them and post updates here if needed,” the company said on its status page. No word yet on if the company had gotten to the bottom of which of its blogs had been the target of the attack.

Google pulls infected apps from Android Market

Google has taken down more than 50 infected programs from its official app store, Android Market.

The apps contained malware called DroidDream hidden in seemingly legitimate apps and were pulled on Tuesday, mobile security company Lookout said in a blog post on Wednesday. Between 50,000 and 200,000 users downloaded the infected apps, said the company.

“Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps,” the blog post said.

Read more of “Google pulls infected apps from Android Market” at ZDNet UK.

Air traffic control system ‘not safe’, say UK controllers

Technology being introduced at one of the two major U.K. air traffic control hubs is “not fit for purpose” and did not adequately handle a breakdown in air traffic communications, according to a number of air traffic controllers.

The EFD (Electronic Flight Data) system rolled out at the Scottish and Oceanic Air Traffic Control (ATC) Centre at Glasgow Prestwick Airport has had difficulty handling complex inputs, according to people posting on an air traffic control forum.

“[Controllers] don’t want to use this system, not because they like to have a whinge, but because they know it is neither safe, nor efficient enough to do the job,” wrote one Prestwick controller, Arty-Ziff, on the Pprune forum in February. “This system should have been tested properly before it went into live operations.”

Read more of “Air traffic control system is ‘not safe’, say UK controllers” at ZDNet UK.

Microsoft fixes hole in its antivirus engine

Microsoft has plugged a hole in its antivirus and antispyware software that could allow an attacker authenticated on the local system to gain LocalSystem privileges.

The fix for the privilege escalation vulnerability is included in an update to the Microsoft Malware Protection Engine. Since the malware protection updates are automatically applied, most end users and administrators won’t need to do anything, Microsoft said in its advisory, issued Wednesday. The update should be applied within 48 hours of the advisory release, or by the weekend.

The vulnerability is rated “important” for Windows Live OneCare, Microsoft Security Essentials, Windows Defender, Microsoft Malicious Software Removal tool, Forefront Client Security, and Forefront Endpoint Protection 2010.

“The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid log-on credentials has created a specially crafted registry key,” the advisory says. “An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.”

Workstations and terminal servers are primarily at risk, Microsoft said.

Apple shares Mac OS X Lion with security experts

Apple not only released a preview of its next operating system, Mac OS X Lion, to developers on Thursday, the company is also giving it to security experts for review.

“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon,” said a letter sent by Apple to an unknown number of security researchers. “As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”

Dino Dai Zovi and several other researchers tweeted about being invited to try out the prerelease version of the new Mac OS. “This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers,” Dai Zovi wrote. “I won’t be able to comment on it until its release, but hooray for free access!”

I asked Charlie Miller, another expert on Mac security, if this was the first time Apple had offered to show an OS preview to security experts, and what the significance is.

“As far as I know they have never reached out to security researchers in this way. Also, we won’t have to pay for it like everybody else,” he wrote in an e-mail. “It’s not hiring us to do pen-tests of it, but at least it’s not total isolation anymore, and at least security crosses their mind now.”

“I haven’t downloaded it yet, but if I had, I couldn’t talk about it,” he added. “Damn NDAs.”

Google flags London Stock Exchange site for malware

Google has temporarily flagged up the London Stock Exchange’s website as a malware danger, due to a third-party advertiser on that site hosting malicious software.

The issue came up on Sunday, a spokesperson for the London Stock Exchange (LSE) told ZDNet Asia’s sister site ZDNet UK. “We were previously carrying an advert from a third-party provider,” a spokesperson said on Monday. “That advert, if you clicked through to the third-party website, had a flag up as being a virus or something similar. We’ve obviously taken the advert down off our website.”

According to Google’s Safe Browsing diagnostic page, a visit to a page on the LSE site on Saturday resulted in malicious software being downloaded and installed without user consent. The malware was hosted on a site called, while two others — and — appeared to be “functioning as intermediaries for distributing malware to visitors of this site”, Google said.

Read more of “Google flags London Stock Exchange site for malware” at ZDNet UK.

Facebook seeking encryption for apps, mobile

In response to complaints that a recent announcement of secure connections doesn’t go far enough, Facebook said today that it’s planning to roll out additional changes that would shield mobile devices and all apps from eavesdropping.

Last month, Facebook began offering the ability for users to turn on HTTPS (Hypertext Transfer Protocol Secure) to encrypt all communications with the site. However, F-Secure and others have noticed that some apps require users to switch to a regular HTTP connection to use the app, but don’t warn users that the switch then becomes permanent.

Asked for comment, a Facebook representative said the company is working to make it so that the switch to unencrypted communications is only temporary and that Facebook is encouraging developers to write apps that support HTTPS.

“We are pushing our third-party developers to begin supporting HTTPS as soon as possible. We’ve provided an easy way for third-party developers to encourage to do this, and we hope to transition to fully persistent HTTPS soon,” the rep said in an e-mail. “However, we recognize that there is currently too much friction in this process and we are iterating on the flow so that the setting will only be temporarily disabled for that session. The account will then return to HTTPS on the next successful log in. We are testing this flow now and hope to launch it in the near future.”

Also this week, a computer science professor at Rice University demonstrated that his Motorola Droid X running Android could be eavesdropped on with the right sniffing software. Dan Wallach ran the Wireshark network protocol analyzer and Mallory proxy in his undergraduate security class a few days ago. He found that Facebook sends data (except log-in credentials) in the clear, even though he has his Facebook account set to use HTTPS whenever possible, he wrote on the Freedom to Tinker blog.

Asked for comment, the Facebook representative said the company is working to provide Secure Sockets Layer (used in HTTPS) on mobile platforms in coming months.

“After launching SSL for the site, we are still testing across all Facebook platforms, and hope to provide it as an option for our mobile users in the coming months,” the rep said in a statement. “As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”

Wallach also found that Google Calendar traffic is not encrypted. In response, a Google representative said, “We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release. When possible, we recommend using encrypted Wi-Fi networks.”

(A tip of the hat to Dan Goodin at The Register.)

EU outlines shortcomings in UK data law

The European Commission has revealed details of where it sees shortfalls in U.K. data law, as it considers whether to take action against the British government over the matter.

Data protection expert Chris Pounder received the information from the Commission as part of a long-running Freedom of Information exchange. In a blog post earlier this week, he shared the details of a letter sent to him by the European body, outlining where the U.K. Data Protection Act does not meet the requirements of the European Union’s Data Protection Directive.

“This case concerns an alleged failure of the U.K. legislation to implement various provisions of the Directive 95/46/EC on data protection,” the Commission said in the letter dated Feb. 16 (PDF). “As we have already informed you, the provisions concerned are Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of that Directive.”

Read more of “EU outlines shortcomings in UK data law” at ZDNet UK.

US agents seek new ways to bypass encryption

SAN FRANCISCO–When agents at the Drug Enforcement Administration learned a suspect was using PGP to encrypt documents, they persuaded a judge to let them sneak into an office complex and install a keystroke logger that recorded the passphrase as it was typed in.

A decade ago, when the search warrant was granted, that kind of black bag job was a rarity. Today, however, law enforcement agents are encountering well-designed encryption products more and more frequently, forcing them to invent better ways to bypass or circumvent the technology.

“Every new agent who goes to the Secret Service academy goes through a week of training” in computer forensics, including how to deal with encrypted files and hard drives, U.S. Secret Service agent Stuart Van Buren said at the RSA computer security conference last week.

One way to circumvent encryption: Use court orders to force Web-based providers to cough up passwords the suspect uses and see if they match. “Sometimes if we can go in and find one of those passwords, or two or three, I can start to figure out that in every password, you use the No. 3,” Van Buren said. “There are a lot of things we can find.”

Last week’s public appearance caps a gradual but nevertheless dramatic change from 2001, when the U.S. Department of Justice spent months arguing in a case involving an alleged New Jersey mobster that key loggers were “classified information” (PDF) and could not be discussed in open court.

Now, after keystroke-logging spyware has become commonplace, even being marketed to parents as a way to monitor kids’ activities, there’s less reason for secrecy. “There are times when the government tries to use keystroke loggers,” Van Buren acknowledged.

As first reported by CNET, FBI general counsel Valerie Caproni told a congressional committee last week that encryption and lack of ability to conduct wiretaps was becoming a serious problem. “On a regular basis, the government is unable to obtain communications and related data,” she said. But the FBI did not request mandatory backdoors for police.

Also becoming more readily available, if not exactly in common use, is well-designed encryption built into operating systems, including Apple’s FileVault and Microsoft’s BitLocker. PGP announced whole disk encryption for Windows in 2005; it’s also available for OS X.

Howard Cox, assistant deputy chief for the Justice Department’s Computer Crime and Intellectual Property Section, said he did not believe a defendant could be legally forced–upon penalty of contempt charges, for instance–to turn over a passphrase.

“We believe we don’t have the legal authority to force you to turn over your password unless we already know what the data is,” said Cox, who also spoke at RSA. “It’s a form of compulsory testimony that we can’t do… Compelling people to turn over their passwords for the most part is a non-starter.”

In 2009, the Justice Department sought to compel a criminal defendant suspected of having child porn on his Alienware laptop to turn over the passphrase. (A border guard said he opened the defendant’s laptop, accessed the files without a password or passphrase and discovered “thousands of images of adult pornography and animation depicting adult and child pornography.”)

Another option, Cox said, is to ask software and hardware makers for help, especially when searching someone’s house or office and encryption is suspected. “Manufacturers may provide us with assistance,” he said. “We’ve got to make all of those arrangements in advance.” (In a 2008 presentation, Cox reportedly alluded to the Turkish government beating a passphrase out of one of the primary ringleaders in the TJ Maxx credit card theft investigation.)

Sometimes, Van Buren said, there’s no substitute for what’s known as a brute force attack, meaning configuring a program to crack the passphrase by testing all possible combinations. If the phrase is short enough, he said, “there’s a reasonable chance that if I do lower upper and numbers I might be able to figure it out.”

Finding a seven-character password took three days, but because there are 62 possible characters (26 uppercase letters, 26 lowercase letters, 10 digits), an eight-character password would take 62 times as long. “All of a sudden I’m looking at close to a year to do that,” he said. “That’s not feasible.”

To avoid brute-force attacks, the Secret Service has found that it’s better to seize a computer that’s still turned on with the encrypted volume mounted and the encryption key and passphrase still in memory. “Traditional forensics always said pull the plug,” Van Buren said. “That’s changing. Because of encryption…we need to make sure we do not power the system down before we know what’s actually on it.”

A team of Princeton University and other researchers published a paper in February 2008 that describes how to bypass encryption products by gaining access to the contents of a computer’s RAM–through a mechanism as simple as booting a laptop over a network or from a USB drive–and then scanning for encryption keys.

It seems clear that law enforcement is now doing precisely that. “Our first step is grabbing the volatile memory,” Van Buren said. He provided decryption help in the Albert “Segvec” Gonzalez prosecution, and the leaked HBGary e-mail files show he “went through a Responder Pro class about a year ago”. Responder Pro is a “memory acquisition software utility” that claims to display “passwords in clear text”.

Cox, from the Justice Department’s computer crime section, said “there are certain exploits you can use with peripheral devices that will allow you to get in”. That seems to be a reference to techniques like one Maximillian Dornseif demonstrated in 2004, which showed how to extract the contents of a computer’s memory merely by plugging in an iPod to the Firewire port. A subsequent presentation by “Metlstorm” in 2006 expanded the Firewire attack to Windows-based systems.

And how to make sure that the computer is booted up and turned on? Van Buren said that one technique was to make sure the suspect is logged on, perhaps through an Internet chat, and then send an agent dressed as a UPS driver to the door. Then the hapless computer user is arrested and the contents of his devices are seized.

Father of firewall: Security’s all about attention to detail

newsmaker Marcus J. Ranum is a world-renowned expert and innovator on IT security, whose pragmatic approach is lauded by industry peers. Two decades ago he designed and implemented Digital Equipment Corporation’s (DEC) Secure External Access Link–regarded by many, but not Ranum, as the first commercial firewall.

He has held senior security roles at a variety of high-profile companies and has administered the White House e-mail system. He has consulted for many Fortune 500 organizations, and has been a key presenter at countless security events around the world. Ranum resides on a remote farm in Pennsylvania far from the cities and fast Internet. He’d welcome an end to the battle for IT security, even if it meant the end of the industry.

Q: Why did you enter the information security industry? What do you find most interesting about it?
Ranum: I got dragged in quite by accident when my boss at DEC, Fred Avolio, put me in charge of one of the company’s Internet gateways and told me to “build a firewall like Brian Reid and Bill Cheswick’s”–20 years later I suppose you could say I’m still working on that assignment. And, to be honest, I didn’t find anything particularly interesting about computer security; once you understand the strategic problem then it’s all just a lot of attention to detail.

Marcus Ranum (Credit: Munir Kotadia/ZDNet Australia)

What I do find most interesting about security is how people react to it: they want to do something dangerous safely and are generally resentful when you tell them that’s not going to work. So I see the whole industry as a vast dialectic between hope and concrete effort on one side, and cynical marketing and wilful ignorance on the other.

What do you find is the most pressing issue in the information security industry and what can be done to fix it?
The most pressing issue in information security is one we’re never likely to do anything about, and that’s achieving reliable software (security is a subset of reliability) on end-point systems. That means operating system design and reliable coding, two things that the trend lines are moving in the opposite direction of right now. Consequently, the current trend is “cloud computing”, which, in effect, is visualizing the mainframe: acknowledging that end-points are badly managed and unreliable and putting data and processes in the hands of professionals who are expected to do a better job maintaining them and making them reliable–and cheap–than departmental IT.

Of course, that’s a pipe dream, because the same practices that brought us unreliable code-mass on the end points are being used to build the aggregated services. The backlash when it’s all revealed to be a pipe dream is going to be expensive and interesting, in that order.

What can be done to fix it? Again, the trend lines are all going the wrong direction–the fix requires technically sophisticated management with healthy scepticism toward marketing claims, good software engineering and a focus on getting the job done right, not getting something that you can’t understand from the lowest bidder. It will correct itself. The industry will re-aggregate into competence centers, which will become more expensive when they realize they have the upper hand, and that will re-trigger the fragmentation to the desktop and department cycle.

To fix things, we’d need to all focus ruthlessly on reliability, which means also quality, and not … “ooo! Shiny thing!”

You’re no fan of blacklisting, yet much of the industry is built on it and it’s the source of a lot of cash. Can you explain your opposition to blacklisting and whether you think change to a dominant whitelisting model is inevitable? What would happen to revenues in the security industry if such a shift happened?
I’m a huge fan of blacklisting! It’s a crucial technology! It just doesn’t answer the question that many people are expecting it to, which is “is this software good?” Blacklisting is the best technique for identifying something, because it can answer not only the question “is this thing bad?” but “what is it?” It seems to be human nature to want to know what was thrown at us, and that’s why people are so intellectually comfortable with signature-based intrusion detection/prevention and signature-based antivirus. It’s easy to implement and it’s easy to understand–and it’s easy to keep selling signature update subscriptions.

When you’ve got companies like Symantec saying that blacklists don’t work, I think it’s an important acknowledgement that a lot of the security industry is just happy to keep churning the money-pump as long as it’s not sucking air. The trend there seems to be reputation–[meaning] “continue to trust someone else’s opinion”–it’s a more flexible approach to building a cloudy and hype-ful dynamic blacklist, but in the long run it’s not going to work any better than static blacklists. By work I mean “solve the malware problem for customers”. If by work you mean “solve the relevance and financial problems for antivirus vendors”, I think it will “work” just fine for a long enough [time] to keep them happy.

Meanwhile, I keep asking IT managers “do you have any idea why you gave a user a computer?” and “if you know why they have a computer, why not configure that computer so that what it can do is what it’s supposed to do and not much else”–where much else means things like “participate in botnets”. I’m constantly baffled by how many IT managers say it’d be hard to enumerate all the software they run. It’s bizarre because knowing the answer to that question is what IT’s job is. If my company gave me a computer so I can do e-mail and edit company documents, it seems pretty simple to imagine that it ought to run some office apps and an e-mail client configured to talk to our IMAP server and maybe nothing else. For a while I was hopeful that the app-store model on increasingly powerful handheld devices would let us do away with the current “bucket of fish guts” approach to desktop security, but it looks like the app stores are going to be a big target and eventually a distribution vehicle for badware.

So, you need blacklists so that you can tell someone “that piece of weird stuff you just tried to run is called Stuxnet” and that’s interesting and useful, but you need the whitelists more, because that’s how you define your notion of what you think your computer should be doing. If you cast the problem in terms of a firewall policy it’s the old default-permit versus default-deny all over again. Default-deny is what the survivors do, and default-permit is for the guys who want to spend all their time doing incident response and forensics. None of this is anything less than completely obvious.

As far as security industry revenues–who cares? Nobody is worrying about the impact that the internal combustion industry has had on the steam-power boilermakers’ industry, are they? In fact, I think it’d be awesome if we could someday dry our hands, put away our tools and say “There, fixed it, now let’s write something fun!” Believe it or not there was a time early in the firewall industry when I thought we’d built all the tools that security would need; it was just a matter of fielding policy-based access control, offline authentication, point-to-point cryptography and then levelling up software quality. But in the late ’90s the lunatics took over the asylum and–well, the results speak for themselves.

You said once that businesses lack the willpower to brand devices as corporate, rather than personal, assets. Must this happen? Are platforms to “secure” bring-your-own devices not enough?
Let me throw that back at you, OK? How would you feel if the U.S. announced that we were putting our ballistic missile systems control into an iPad application and we were going to let the guys in the silos use their personal iPads so we could save a whole bunch of money?

It always depends: it depends what’s at stake, how replaceable it is, how easy it is to clean up an “oopsie” and whether you are really willing to be part of that “oopsie”. Every single journalist who has ever complained that some agency or company leaked a zillion credit cards or patient data or secrets should never ask the question you just asked me.

You should be asking why do they tolerate systems and software that are so bad, so shoddy, so mismanaged that they’ve got no idea what they are doing, yet they allow them to be used to access my bank account? Are you insane?! These problems are inevitable side-effects of poor configuration management, which is poor system management, which means “don’t know how to do IT”.

Yes, I do realize that I am arguing against today’s prevailing trends in IT management.

Do you still equate penetrate and patch to turd polishing? How prevalent is this and is it realistic to expect software vendors to change their attitude to security?
Yes, I do. It’s one thing for a sculptor to say they start with a block of marble and then chip away everything that doesn’t look like an angel, but that doesn’t work for software. You can’t start with the idea that a buggy mass of stuff [will] eventually turn into enterprise-class, failure-proof software by fixing bugs until there aren’t any more. No matter how much polish you put on a turd, it’s still a turd.

The software industry almost understands this–you’ll occasionally see some piece of software get completely re-architected because its original framework became limiting. As pieces of software get more complex and powerful, developers usually resort to things like source-code revision control, unit testing, regression testing, et cetera. Why doesn’t the idea that a security bug is just another bug sink in? If a manager can comprehend that there’s a major cost to an out-of-cycle patch because of some reliability failure, they ought to be able to understand that a security flaw is just a particularly painful out-of-cycle patch with bad publicity attached to it.

The problem is that the software industry is target-locked on time-to-market because that is where the big rewards are–asking them to do anything that might affect time-to-market is asking them to risk being an also-ran. Some of that can be managed by adopting a model of “write a toy version, throw it over the fence, and if it succeeds take the lessons learned and write a real version shortly after”, but I’m afraid that sometimes the toy version becomes the production codebase for a decade. We’ve seen the results of that and they’re not very pretty.

It’s been about six years into the 10 by which you predicted hackers would no longer be portrayed as cool and educating neo-luddite users on security would become a null point. What’s your take on the current climate?
I think that, at least partly, thanks to the spread of malware and botnets, and the professionalization of cybercrime, a lot more “normal people” are less impressed with hacker culture. The “grey hat” community’s commercial interest is pretty clear to just about everyone now, so I think the hacking community has some reputation damage to deal with.

As far as educating neo-luddites, I think I was pretty much completely wrong there. Not wrong that education won’t help, but wrong that the newer generation of executives will have a better grasp of security. From where I sit it looks like it’s actually getting worse.

Which mobile platform will (or do you hope will) win out–the open Android, walled Apple or locked down Blackberry?
I wish they would all go away. Which they inevitably will. The song “Every OS Sucks” sums up my views very nicely. A disclosure: I bought an iPad because it plays movies nicely and doesn’t pretend to be a telephone. I do like the delivery model of “app store” systems for fielding software–it’s much better than letting users install things themselves or worse yet when the system comes bundled with 10,000 pieces of shovel-ware. I’m concerned about code quality, of course: it’s not going to be possible for the app stores to vet code for malware, and I’m not convinced the “walls” in the “walled garden” aren’t made of Swiss cheese.

You once told me privacy is a myth and something held by the privileged few. What is your take on privacy now, where do you think it is heading and what significance will this have?
I think that what I might have said is more that privacy has only ever been for the wealthy and powerful. What we’ve seen lately is the veneer coming off–the U.S. government is consistently and cheerfully trampling on privacy and has pardoned itself and its lackeys for all transgressions. Meanwhile, we see that if you read Sarah Palin’s e-mail you get in trouble, but if you read Joe Average’s e-mail you’re the FBI. Privacy is a privilege of power, because the powerful need it so they can enjoy the fruits of their power without everyone realizing how good they’ve got it.

Meanwhile, the entire population of the planet seems to want to join social-networking Web sites that exist to collect and re-sell marketing information and push ads in their users’ faces, then they complain when they discover that the sites are doing exactly what they were created to do. What else did they expect? I never really cared about privacy, but a few years ago I adopted a strategy of leading a fairly open life. It’s easy to get my phone number and address and e-mail address and to find out where I’ve been and who I’m sleeping with and what and how much I drink or what music I listen to. There are only a few things about my lack of privacy that annoy me and it’s mostly the stupidity of commercial marketing–I get a credit card offer from the same big bank every month. I’ve gotten one from them every month for 15 years. I periodically wonder why it hasn’t sunk in to them that I’m not interested, but I have a big garbage can and it’s their money they’re wasting.

I’m a subscriber of your six dumbest ideas–are there some that you would update?
The piece was originally going to have a few more dumb ideas than it did, but the next one to write about was “ignoring transitive trust”. I wrote that piece while I was stuck in Frankfurt Airport and I was pretty tired, and trying to explain why transitive trust makes a mockery out of most of what we see as “Internet security” was just too much for me to attempt. If I’d had more courage I’d have also tackled “cost savings achieved now will continue forever” for the outsourcing and cloud computing fans.

Could you briefly explain why you think cyberwar is BS?
There are several reasons cyberwar is BS: technological, strategic and logistical. The people who are promoting it are either running a snow-job (there’s a lot of money at stake!) or simply don’t understand that warfare is the domain of practicality and cyberwar is just a shiny, impractical toy. Unfortunately, there’s so much money involved that the people who are pushing it simply dismiss rational objections and incite knee-jerk fear responses by painting pictures of burning buildings and national collapse and whatnot.

[See a longer explanation of the cyberwar phenomenon on Ranum’s Rearguard podcast.]

Probably the shortest rebuttal of cyberwar is to point out that it’s only practical if you’re the power that would already expect to win a conventional war–because a lesser power that uses cyberwar against a superpower is going to invite a real-world response, whereas it’s attractive if you already have overwhelming real-world force–but then it’s redundant. Cyberwar proponents often argue by conflating cybercrime, cyberespionage, cyberterror and cyberwar under the rubric of “cyberwar” but they ignore the obvious truth that those activities have different and sometimes competing agendas.

A short cyberwar: “be glad we jacked you up with Stuxnet because otherwise we’d have bombed you”. A shorter cyberwar: “be afraid. give me money”.

This article was first published at ZDNet Australia.

Rapid tech adoption overwhelming security staff

Information security professionals are overwhelmed by the rapid deployment of new technologies in the workplace, potentially putting government agencies, businesses and consumers at risk, reveals a new study released Friday.

According to the 2011 (ISC)2 Global Information Security Workforce Study (GISWS), IT security personnel are challenged by the proliferation of mobile devices as well as the rise of cloud computing and social networking. Many of the professionals admitted they needed more training to manage these technologies, yet, reported that such tools were already deployed without security in mind.

Conducted by Frost & Sullivan in the second half of 2010, the study surveyed over 10,400 IT security professionals from the public and private sectors. U.S.-based respondents made up 61 percent of total respondents, while 22.5 percent were from Europe, Middle East and Africa. Respondents in Asia accounted for 16.5 percent of the sample pool.

Mobile “single most dangerous threat”
Organizations polled ranked mobile devices as the No. 2 security concern, after application vulnerabilities. At the same time, almost 70 percent of respondents said their companies had in place policies and technologies such as encryption and mobile VPN (virtual private network) to meet the security challenges posed by portable devices.

In the report, Frost & Sullivan said mobile security could be the “single most dangerous threat to organizations for the foreseeable future”.

Security professionals, on the other hand, appeared more lax in their approach toward social media, treating it as a personal platform and doing little to manage it, reported the analyst firm. Less than half, or 44 percent, indicated their companies had policies in place to control access to social media sites.

Frost & Sullivan said it was “disappointed” that 28 percent of organizations globally had no restrictions on the use of social media.

Robert Ayoub, the research firm’s global program director for information security and author of the report, said in a statement that the pressure to “secure too much” and a resulting skills gap increasingly put a strain on IT security professionals. This, in turn, creates risk for organizations across the world in the coming years.

“The good news from this study is that information security professionals finally have management support and are being relied upon and compensated for the security of the most mission-critical data and systems within an organization,” Ayoub said. “The bad news is that they are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.”

He added: “Information security professionals are stretched thin, and like a series of small leaks in a dam, the current overstretched workforce may show signs of strain.”

Manpower, skills key to risk management
The risks, according to Ayoub, can be mitigated by attracting quality talent to the field and investing in professional development for emerging skills.

The need for skills improvement was especially evident in the area of cloud computing–over 70 percent of survey respondents reported the need for new skills to properly secure cloud-based technologies.

However, nearly two-thirds of respondents in the (ISC)2 study indicated that they did not expect any budget increases this year for IT security personnel and training.

In terms of manpower growth, Frost & Sullivan estimates there are 2.28 million information security professionals globally as of 2010, of whom around 750,000 are based in the Asia-Pacific region. The analyst firm expects the region’s demand for security professionals to increase at a compound annual growth rate of 11.9 percent to over 1.3 million by 2015.

Ayoub noted: “As the study finds, these solutions are underway but the question remains whether enough new professionals and training will come soon enough to keep global critical infrastructures in the private and public sectors protected.”

NSA chief wants to protect ‘critical’ private networks

SAN FRANCISCO–The head of the National Security Agency (NSA) said today that the U.S. military should have the authority to defend “critical networks” from malware and other disruptions.

Gen. Keith Alexander, who is also the head of the Pentagon’s U.S. Cyber Command, said at the RSA Conference here that the NSA’s “active defenses” designed to defend military networks should be extended to civilian government agencies, and then key private-sector networks as well.

“I believe we have the talent to build a cyber-secure capability that protects our civil liberties and our privacy,” Alexander said.

Alexander’s comments come only two days after William Lynn, the deputy secretary of defense, offered the same suggestion. In an essay last year, Lynn likened active defenses to a cross between a “sentry” and a “sharpshooter” that can also “hunt within” a network for malicious code or an intruder who managed to penetrate the network’s perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that ran the controversial warrantless wiretapping program under the Bush administration. Concerns about privacy are likely to turn on the details, including the extent of the military’s direct involvement, and whether Web sites like and could be considered “critical” or the term would only be applied to facilities like the Hoover Dam.

Alexander offered little in the way of specifics today. “We need to continue to refine the roles of government and the private sector in securing this nation’s critical networks,” he said. “How do we extend this secure zone, if you will? How do we help protect the critical infrastructure, key resources?”

At the moment, the Department of Homeland Security (DHS) has primary responsibility for protecting critical infrastructure. A presidential directive (HSPD 7) says the department will “serve as a focal point for the security of cyberspace”. During an appearance at RSA two years ago, Alexander stressed that “we do not want to run cybersecurity for the U.S. government.”

That was then. After Cyber Command was created–following reports of a power struggle between DHS and the NSA–it moved quickly to consolidate its authority. An October 2010 memorandum of agreement (PDF) between the two agencies says they agree to “provide mutually beneficial logistical and operational support” to one another.

Senators Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) recently pledged to reintroduce a controversial bill handing President Obama power over privately owned computer systems during a “national cyberemergency,” with limited judicial review. It’s been called an Internet “kill switch” bill, especially after Egypt did just that.

Alexander didn’t address that point. “The intent would be: let’s build how we can do this with DOD, show we can extend that to the government, and then to key critical infrastructure,” he said.

Fighting spam and scams on Twitter

SAN FRANCISCO–Twitter presents a relatively new frontier for spammers, malware creators, and all around bad guys, which in turn has created the opportunity for security researchers and vendors alike to try to figure out, and put a stop to, their efforts.

One company that’s trying to get a handle on the size of the problem, and on ways to fight it, is Barracuda Networks. During a talk at the RSA security conference here, which wraps up Friday, Barracuda outlined some of the research it has been doing in this area over the past two years.

Paul Judge, chief research officer and vice president of cloud services for Barracuda, noted that what makes Twitter a particularly attractive target is that it is both a social network and a search engine. This lets scammers place their wares on a public feed to reach a list of followers, as well as seek new eyeballs by making use of trending keywords to have their wares appear in Twitter search results.

But who, you’re wondering, would follow a scammer on Twitter? It’s more common than you’d think, said Barracuda research scientist Daniel Peck. One example the company tracked was Download-Heaven, a site that was using a Twitter account to push links to hosted shareware filled with malware and Trojans.

Download-Heaven had 445 followers while following only one account itself. Peck said the scammers were following other Twitter users as a way of getting them to return the favor and follow Download-Heaven. Then the scammers would simply unfollow those users while leaving them to continue receiving its updates, including links to malware.

Barracuda looked for that sort of imbalance as it tracked a raw stream of data from Twitter. It also looked for accounts that had been unfollowed by a lot of users over time; such accounts have often been recognized by other Twitter users as bad news. Finally, Barracuda tried to figure out the behaviors of typical users to see if it could put together additional filters that would spot users who were up to no good.

The result was a reputation system that looked at the Twitter public stream (through its API), as well as an extra 20,000 queries per hour outside of the normal public stream. The test ran for two years and evaluated tweet-to-follower ratios as well as the content of what users were sharing. What Barracuda found was that just 43 percent of Twitter users could be classified as “true”. These were users that had more than 10 followers, friends, and tweets. That was compared with the other 57 percent of the network, which fell into a bucket of questionables.

By analyzing the flow of accounts, Barracuda was also able to create a “crime rate”–the percentage of accounts created per month that end up getting suspended by Twitter. This number would swing wildly based on real-world events, such as Oprah joining the network, or the World Cup kicking into gear, which would bring in big swells of new Twitter users, and, in turn, flocks of scammers.
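The signals described above (the Download-Heaven follower/following imbalance, mass unfollows, the "more than 10 followers, friends, and tweets" rule for true users, and the per-month suspension "crime rate") can be turned into a small account-reputation scorer. The code below is an added illustration, not Barracuda's system; the account records, the ratio and unfollow thresholds, and the 100-follower floor are constructed assumptions.

```python
"""Toy account-reputation scorer modelled on the signals described in the
Barracuda talk. Every account record below is constructed sample data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

TRUE_USER_MIN = 10       # page: "true" users have more than 10 followers, friends and tweets
IMBALANCE_RATIO = 20.0   # assumption: followers/following at or above this is suspicious
IMBALANCE_FLOOR = 100    # assumption: ignore the ratio for tiny accounts
MASS_UNFOLLOW_MIN = 25   # assumption: this many unfollows marks an account others reject


@dataclass(frozen=True)
class Account:
    handle: str
    followers: int
    following: int      # "friends" in Twitter's vocabulary
    tweets: int
    unfollowed_by: int  # users who followed this account and later unfollowed it
    created_month: str  # "YYYY-MM"
    suspended: bool = False


def is_true_user(a: Account) -> bool:
    """Barracuda's 'true' bucket: more than 10 followers, friends and tweets."""
    return min(a.followers, a.following, a.tweets) > TRUE_USER_MIN


def follow_ratio(a: Account) -> float:
    """Followers per followed account; Download-Heaven was 445 to 1."""
    return a.followers / max(a.following, 1)


def risk_signals(a: Account) -> list[str]:
    signals = []
    if a.followers >= IMBALANCE_FLOOR and follow_ratio(a) >= IMBALANCE_RATIO:
        signals.append("follow-imbalance")   # followed back, then unfollowed everyone
    if a.unfollowed_by >= MASS_UNFOLLOW_MIN:
        signals.append("mass-unfollow")      # other users already recognised it as bad
    if not is_true_user(a):
        signals.append("not-true-user")
    return signals


def classify(a: Account) -> str:
    """'suspect' on a strong signal, 'true' with no signals, else 'questionable'."""
    signals = risk_signals(a)
    if "follow-imbalance" in signals or "mass-unfollow" in signals:
        return "suspect"
    return "true" if not signals else "questionable"


def crime_rate_by_month(accounts: list[Account]) -> dict[str, float]:
    """Percentage of accounts created in each month that were later suspended."""
    created: dict[str, int] = defaultdict(int)
    suspended: dict[str, int] = defaultdict(int)
    for a in accounts:
        created[a.created_month] += 1
        if a.suspended:
            suspended[a.created_month] += 1
    return {m: round(100.0 * suspended[m] / created[m], 1) for m in sorted(created)}


# Constructed sample stream (not real Twitter data).
SAMPLE = [
    Account("download_heaven", 445, 1, 120, 60, "2010-06", suspended=True),
    Account("everyday_emma", 80, 75, 300, 2, "2010-06"),
    Account("freebies_bot", 30, 400, 2000, 90, "2010-06", suspended=True),
    Account("newbie_nick", 3, 40, 5, 0, "2010-07"),
]


def scan(accounts: list[Account]) -> dict[str, str]:
    return {a.handle: classify(a) for a in accounts}


if __name__ == "__main__":
    for handle, verdict in scan(SAMPLE).items():
        print(f"{handle:16s} {verdict}")
    print(crime_rate_by_month(SAMPLE))
```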

These topical items were another area Barracuda focused on during the test. Much like trying to game conventional search engines to get new eyeballs, scammers were adding topic tags and/or popular words and phrases to tweets to get them to show up in the “Trends” field on Twitter pages and higher up on Twitter’s search results pages. To track how widespread this practice was, Barracuda began grabbing popular search terms on Twitter every hour, and doing searches for them on the site. It would then look at the tweets that turned up, follow any included links, and look for malicious code on the resulting Web sites.

What they found, after five months of searching for popular words and phrases on Twitter as well as on more traditional search engines like Google, Yahoo and Bing, was a total of 34,627 samples of malware. Twitter accounted for 8 percent of this total, with the other search engines logging the remainder.

“It’s interesting, because we’ve been doing this work for probably nine months of a year now, and the last time we really examined it and looked back on this, it charted very differently,” Judge said. “About 69 percent of the malware that we found was on Google at the time, only 1 percent was on Twitter.”

“A couple things happened,” Judge continued. “Google didn’t necessarily get better–there was more malware–basically Bing, Twitter, and Yahoo got worse. So, as the amount of malware increased, Google pretty much stayed steady with the amount of malware that was found there, but the other engines we started to see become a little more equal opportunity.”

To Twitter’s credit, the company has made several efforts to keep this malware at bay. Back in March of last year, it began routing links through a filter that scans for malware and keeps sullied links from being posted. It also employed its own link-shortening service that similarly vets links. And the company transitioned to using OAuth, which lets users grant third-party applications access to their accounts without handing over their username or password, potentially keeping users from having their credentials hijacked by rogue third-party applications.

Judge closed by noting that Barracuda had put together its own tool that can help users see if they’ve accidentally befriended one of these spammy or scammy users, or posted one of their links. The free Profile Protector scans both your Facebook and Twitter profiles and identifies users that are on the company’s watch list.

FBI: We’re not demanding encryption backdoors

The FBI said today that it’s not calling for restrictions on encryption without backdoors for law enforcement.

FBI general counsel Valerie Caproni told a congressional committee that the bureau’s push for expanded Internet wiretapping authority doesn’t mean giving law enforcement a master key to encrypted communications, an apparent retreat from her position last fall.

“No one’s suggesting that Congress should re-enter the encryption battles of the late 1990s,” Caproni said. There’s no need to “talk about encryption keys, escrowed keys, and the like–that’s not what this is all about”.

Instead, she said, discussions should focus on requiring that communication providers and Web sites have legally mandated procedures to divulge unencrypted data in their possession.

The FBI says that because of the rise of Web-based e-mail and social networks, it’s “increasingly unable” to conduct certain types of surveillance that would be possible on cellular and traditional telephones. Any solution, it says, should include a way for police armed with wiretap orders to conduct surveillance of “Web-based e-mail, social-networking sites, and peer-to-peer communications technology”.

Caproni tried to distance the FBI from its stance a decade ago, when it was in the forefront of trying to ban secure encryption products that are, in theory, unbreakable by police or intelligence agencies.

“We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism,” then FBI director Louis Freeh told the Senate Judiciary committee in September 1998. “Not just bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices.”

In response to lobbying from the FBI, a House committee in 1997 approved a bill that would have banned the manufacture, distribution, or import of any encryption product that did not include a backdoor for the federal government. The full House never voted on that measure. (See related transcript.)

Even after today’s hearing ended, it wasn’t immediately clear whether the members of the House Judiciary crime subcommittee would seek to expand wiretapping laws as a result.

Rep. Bobby Scott, D-Va., said that the panel’s members received a secret briefing last week from the FBI, but that the bureau should make its arguments in public. “It is critical that we discuss this issue in as public a matter as possible,” he said. It’s “ironic to tell the American people that their privacy rights may be jeopardized because of discussions held in secret”.

Rep. John Conyers, D-Mich., said “to me this is a question of building backdoors into systems…I believe that legislatively forcing telecommunications providers into building backdoors into systems will actually make us less safe and less secure.”

That was echoed by Susan Landau, a computer scientist at Harvard University’s Radcliffe Institute for Advanced Study, who said “there aren’t concrete suggestions on the table…I don’t quite understand what the FBI is pushing for.”

Caproni said her appearance before the panel was designed to highlight the problems, not call for specific legislation. But, she added, “it’s something that’s being actively discussed in the administration.”

Under a 1994 federal law called the Communications Assistance for Law Enforcement Act, or CALEA, telecommunications carriers are required to build in backdoors into their networks to assist police with authorized interception of conversations and “call-identifying information”.

As CNET was the first to report in 2003, representatives of the FBI’s Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the FCC to force broadband providers to provide more-efficient, standardized surveillance facilities. The Federal Communications Commission approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. It was upheld in 2006 by a federal appeals court.

But the FCC never granted the FBI’s request to rewrite CALEA to cover instant messaging and VoIP programs that are not “managed”–meaning peer-to-peer programs like Apple’s Facetime, iChat/AIM, Gmail’s video chat, and Xbox Live’s in-game chat that do not use the public telephone network.

Also not covered by CALEA are e-mail services or social-networking sites, although they must comply with a wiretap order like any other business or face criminal charges. The difference is that those companies don’t have to engineer their systems in advance to make them easily wiretappable.

Cybercrime costs US$43B a year

Cybercrime is costing the United Kingdom 27 billion pounds (US$43.5 billion) a year, according to the government, which has pledged to work with businesses to combat the problem.

The total figure covers 21 billion pounds (US$33.8 billion) from losses suffered by businesses, 3.1 billion pounds (US$5 billion) by citizens and 2.2 billion pounds (US$3.5 billion) by government, the Office of Cyber Security and Information Assurance (Ocsia) said in a report summary published on Thursday. It did not account for the other 700 million pounds (US$1.1 billion).

The report, produced by Ocsia and BAE Systems security subsidiary Detica, marks the first time the government has made a public estimate of cybercrime costs. At a press launch event, security minister Baroness Pauline Neville-Jones emphasized that while the figures are an estimate, they still give an indication of the scale of economic loss suffered by the U.K.

Read more of “Cybercrime costs the UK £27bn a year” at ZDNet UK.

Securing the smart grid no small task

SAN FRANCISCO–The road to a secure smart grid is still being built. Can it be finished in time to keep next-generation threats at bay?

That question was left largely unanswered during a panel discussion on “securing the smart grid” at the RSA security conference taking place here this week.

The smart grid promises to bring a number of benefits to both consumers and utilities in the coming years–things like intelligent off-peak appliance use; real-time metering; and customer education on efficiency and conservation. But bringing that kind of experience to fruition is still a work in progress, with some of the blame being placed on utility companies for not being agile enough when it comes to security, interconnectivity, and the like.

According to specialists, the problem is (and continues to be) huge fragmentation among the power companies, something that on its own is issue enough, but as the panelists lamented, the same problem threatens the technologies these companies plan to roll out.

“In my experience, utility companies are very siloed,” said Mike Echols, the program manager for critical-infrastructure protection at the Salt River Project in Arizona. “Each of those silos has its own IT groups, and there’s a reason for that. They don’t want to converge because in typical IT that’s considered a risk.”

In the electricity industry that risk has become more apparent after what happened last year with Stuxnet, the computer virus that targeted homogenized industrial systems and represents the first in a wave of expected attacks aimed at infrastructure. As the grid gets more intertwined with consumer electronics and home area networks, the likelihood of a wider range of targets is expected to increase.

So what would it take to make utilities less fractured from an IT perspective? Echols suggested that IT security be put higher on the ladder of the corporate structure of these utility companies, so that important decisions trickled down into the subgroups. “Cybersecurity tends not to be in a leadership position,” he said, while noting that this is beginning to change with increased compliance, which is driving changes in the power industry.

Another big issue, as noted by panelist Gib Sorebo, chief cybersecurity technologist for SAIC, is that outside security companies looking to do business with the utilities first need to gain a deep understanding of power companies before trying to tackle security challenges.

“We have to know how important it is for us to understand how everyone does their jobs, what the concerns are, and what the potential impact is depending upon what kind of events take place–and to show that communication,” Sorebo said. “You see that same kind of thing happening in banking.”

One question that lingers is whether a system that’s simply more secure will be able to handle evolving threats. Heath Thompson, the CTO at Landis & Gyr, said the industry hadn’t come to grips with that yet but that there were the beginnings of a foundation for stronger security across the entire ecosystem. To attack new threats head on, however, the systems need to be readily adjustable with things like upgradeable firmware and infrastructure.

Ultimately though, making the grid too connected from a technology perspective could do just as much harm as good, which is why the right safeguards have to be put in place. “The smart grid can do a lot of wonderful things in terms of automation and finding events quickly,” Sorebo said. “But it can also automate disaster, and that’s something that more and more people obviously need to focus on.”

S’pore sets data protection law for 2012

SINGAPORE–It took several years in the making, but the nation is now ready to take another step closer to introducing a data protection regime, with the Singapore government announcing plans to put forth legislation for debate in parliament in early 2012.

The proposed laws will provide a “baseline standard for data protection in Singapore”, Lui Tuck Yew, minister for the Information, Communication and the Arts, indicated on Monday in a written response to a parliamentary question.

According to Lui, a review initiated five years ago to assess the need for a data protection system and the appropriate model for the country has now been completed.

The government, he said, “concluded it would be in Singapore’s overall interests” to put in place such a regime, designed to “protect individuals’ personal data against unauthorized use and disclosure for profit”.

“The proposed law is intended to curb excessive and unnecessary collection of individuals’ personal data by businesses, and include requirements such as obtaining the consent of individuals to disclose their personal information,” the minister said.

“It will also enhance Singapore’s overall competitiveness and strengthen our position as a trusted hub for businesses and a choice location for global data management and processing services.”

As part of the data protection regime, a Data Protection Council is expected to be established to oversee the implementation of the legislation, Lui added.

Meanwhile, the country’s ICT regulator, the Infocomm Development Authority of Singapore (IDA), will engage relevant stakeholders in further consultation and work to address concerns from the “public, private and people sectors”.

Bryan Tan, director at Keystone Law, pointed out that businesses must “start making preparations for the arrival of the legislation”. To prepare for the data protection regime, they need to reexamine their databases and data collection practices, the Singapore-based lawyer said in a circular Tuesday.

“Businesses that are unprepared may have to pay a heavy price,” he warned.

HP, VMware plan further product integration

HP and VMware plan to develop and market a range of intrusion prevention security products, in a collaboration that builds on existing work.

The hardware maker and virtualisation company said on Tuesday that they aim to tailor HP’s TippingPoint Intrusion Prevention System (IPS) range of products to fit VMware’s virtualisation security vShield and management vCloud Director packages.

The companies said the integration will allow security management to extend across physical and virtual IT stacks, and allow IT professionals to automate “the processes of scanning, identifying threats and blocking attacks” across these areas, HP said in a statement.

Read more of “HP and VMware plan further product integration” at ZDNet UK.

Microsoft looks to healthcare for improved security

SAN FRANCISCO–Microsoft wants to make tomorrow’s tech-security world work a lot like tomorrow’s healthcare industry.

While the comparison has long been made in the security industry, with threats like “viruses”, Scott Charney, corporate vice president in Microsoft’s Trustworthy Computing group, noted that the response to those problems has fallen short in areas where healthcare has proved more agile.

“Every year there’s a new version of the flu,” Charney said to attendees of this year’s RSA Conference. “There was a time before SARS, and a time before H1N1. And when those threats appeared, [the healthcare industry] didn’t scramble to know what to do, they already had defenses.”

Microsoft’s multistep plan to put a similar safety net in place approaches the problems from both a security and a data ownership position.

Charney said one option is cryptographically signed health certificates. These would be provided for users who had gone through various security check protocols to prove their machine was not dripping with malware before getting on something like a bank’s site or a local intranet.

The second aspect of this measure would be alerting people to possible security holes before their machines have been compromised. That way, they could put fixes into place before encountering attack scenarios, and avoid compatibility issues with sites and services.

Charney also highlighted the importance of making sure whatever lockdown system went into place for compromised machines would not go too far, so critical services like VoIP weren’t being sealed off as well. After all, Charney said, nobody wants to be kept from calling 911 during a heart attack because their computer needs to download software updates.

Symantec brings reputation security to the enterprise

SAN FRANCISCO–Security giant Symantec is trying to give companies a better way to determine how trustworthy files are.

At the RSA Conference here, Symantec CEO Enrique Salem outlined the new reputation-based security feature built into the company’s new Endpoint Protection 12, client-side security software that gives files a score based on the scanning of 2.5 billion files the company keeps track of in its cloud-based database.

Dubbed the “Insight Reputation System”, the feature looks at files that have been downloaded from the Web and gives each one a score based on risk. This is based on what kinds of things the file does, as well as who it’s from.

“The idea of a blacklisting approach is no longer going to be effective, and Internet Protocol-based recognition where we track IP addresses is not good enough,” Salem said. “We need real-time, contextual tracking that look at a series of attributes; things like file age, download source, prevalence, and brings all those things together.”

The tool for that, Salem said, is Endpoint Protection 12, which the company claims is the only reputation-based system that’s context-aware. The new tool, which is the first major update to the Endpoint Protection suite in three years, will be released in April.

Salem also went into specifics about how it was becoming increasingly important to identify threats at the point of download given the consumerization of IT and the proliferation of consumer devices within businesses–both things that have made it increasingly difficult to keep threats at bay, and represent the new battleground for threat activity itself.

“It wasn’t that long ago that you as security professionals had control,” Salem said. “You had control of the desktop, you had control of the database, you had control of the applications, you had control of the servers, and to some extent, you even had control of the users.”

The problem, Salem said, was that control had been toppled with new devices, and new ways of doing business. “Now what’s happening is that those days are over, because all kinds of devices are coming into your office: USB drives, notebooks, and many of them aren’t your devices. They’re your partners, they’re people that are bringing them into your environment,” Salem said. “And what are they doing? They’re accessing corporate e-mail, they’re logging into their Facebook pages, and their Twitter accounts.”

Symantec’s solution to get above the problem is a new initiative called O3, which Salem compared to the Earth’s ozone layer, protecting the surface from outside forces. O3 is made up of three security layers:

1. A rules engine for enforcing the information specific devices can access from where.
2. A protection enforcement layer that determines what employees from what devices can access the information.
3. A compliance/monitoring layer for access and understanding of what policies are being enforced.

“That’s our approach, that’s our vision for what has to be done. It has to be a layer above the clouds,” Salem said.

US Defense Dept. proposes armoring civilian networks

SAN FRANCISCO–A top Defense Department official said today that the United States military should “extend” a technological shield used to protect its own networks to important private sector computers as well, which could sweep in portions of the Internet and raise civil liberty concerns.

William Lynn, the deputy secretary of defense, proposed at the RSA Conference extending “the high level of protection afforded by active defenses to private networks that operate infrastructure” that’s crucial to the military or the U.S. economy.

What Lynn refers to as “active defenses” were pioneered by the National Security Agency. In an essay last year, Lynn likened them to a cross between a “sentry” and a “sharpshooter” that can also “hunt within” a network for malicious code or an intruder who managed to penetrate the network’s perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that also pioneered a controversial warrantless wiretapping program under the Bush administration. NSA director Keith Alexander was named head of the U.S. Cyber Command last year, an idea that Lynn had championed.

Concerns about privacy are likely to turn on the details, including whether the military merely provides source code for defensive and offensive technologies–or if it includes actual authority and oversight. Another open question is whether Web sites like and could be considered “critical infrastructure”, or the definition would be narrowed to facilities like power plants.

Lynn, who has been speaking frequently about cybersecurity threats in the last year, didn’t elaborate. “Securing military networks will matter little if the power grid goes down or the rest of the government stops functioning,” he said.

That echoes comments made by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), who have pledged to reintroduce a controversial bill handing President Obama power over privately owned computer systems during a “national cyberemergency”, with limited judicial review. It’s been called an Internet “kill switch” bill, especially after Egypt did just that.

At the moment, the Pentagon is responsible only for defending .mil computers, and the Department of Homeland Security has responsibility for other governmental networks. Lynn said the military (and remember, the NSA is part of the Defense Department) is aiding DHS, much like it provides troops and helicopters to aid after a natural disaster.

“The military provides support to DHS in the cyber domain,” Lynn said. Like equipment and troops provided to FEMA, he added, military “cyber” support will be “available to civilian leaders to help protect the networks that support government operations and critical infrastructure…These resources will be under civilian control and be used according to civilian laws.”

“Through classified threat-based information and the technology we have developed to employ a network defense,” he said, “we can significantly increase the effectiveness of cybersecurity practices that industry is carrying out.”

Homeland Security hinted at this during an interview with ZDNet Asia’s sister site CNET last year at the RSA conference. The department said at the time that it might eventually extend its Einstein 3 technology, which is designed to detect and prevent in-progress cyberattacks by sharing information with the NSA, to networks operated by the private sector.

Stuxnet expert: other sites were hit but Natanz was true target

Stuxnet may have hit different organizations, but its main target was still the Natanz nuclear enrichment plant in Iran, an expert who has analyzed the code said Monday.

Ralph Langner, who has been analyzing the code used in the complicated Stuxnet worm that used a Windows hole to target industrial control systems used in gas pipelines and power plants last year and possibly earlier, said the initial distribution of Stuxnet was limited to a few key installations.

“My bet is that one of the infected sites is Kalaye Electric,” he wrote in an e-mail to ZDNet Asia’s sister site CNET. “Again, we don’t have evidence for this, but this is how we would launch the attack–infecting a handful of key contractors with access to Natanz.”

Langner was responding to a report (PDF) released late last week by Symantec that said five different organizations in Iran were targeted by a variant of Stuxnet, several of them more than once, dating back to June 2009.

“We have a total of 3,280 unique samples representing approximately 12,000 infections,” the Symantec researchers write in a blog post about the report. “While this is only a percentage of all known infections, we were able to learn some interesting aspects of how Stuxnet spread and where it was targeted.”

The Symantec researchers, who have made other important discoveries in the quest to de-code Stuxnet, don’t name the organizations they suspect as targets. As of September 2010, they had estimated there were more than 100,000 infected hosts, nearly 60 percent of them in Iran.

“Unfortunately Symantec doesn’t tell the geographic location of the targeted organizations,” Langner said. “My theory is that not all may be in Iran since chances are that at least one significant contractor is a foreign organization (this is something we are researching presently).”

Langner said he and partners have been able to match data structures from one of the parts of the multi-pronged Stuxnet attack code with the centrifuge cascade structures in Natanz.

“The significance of this is that it is now 100 percent clear that Stuxnet is about Natanz, and Natanz only,” he said. “Further evidence (that matches with the recent discoveries of Symantec) suggests that Stuxnet was designed as a long-term attack with the intention not only to destroy centrifuges but also to lower the output of enriched uranium.”

Langner, based in Germany, offers more technical details of Stuxnet on his blog.

Symantec and Intel collaborate on security

Symantec and Intel have worked together to embed two-factor authentication technology into the hardware of second-generation Intel Core and Core VPro processors.

The work will integrate Symantec’s VeriSign Identity Protection (VIP) cloud-based security product with Intel’s Identity Protection Technology (IPT), the security company announced last Wednesday.

“By synchronizing VIP with the Intel chipset, we have created the first ever strong authentication credential that you will never see but will always have in your PC,” Atri Chatterjee, vice president of User Authentication at Symantec, said in a statement. “The combination of our proven VIP service with Intel IPT provides users with a new level of ‘built-in’ strong authentication.”

Read more of “Symantec and Intel collaborate on security” at ZDNet UK.

Facebook scams aplenty

With Valentine’s Day round the corner, cybercriminals are once again “cashing in” on the commercialization of the event, hoping to scam unsuspecting Facebook users.

A new entry on Sophos’ Naked Security blog warned that rogue apps with names such as Valentine’s Day and Special Valentine have been making the rounds on the social media site, tricking users into involving their friends in the scam.

Senior technology consultant Graham Cluley said the modus operandi of these apps was to get users to click on the splash screen, which would then display a teaser, claiming it would send a poem to the selected friends.

But what the apps are really after is the personal information of users who unknowingly “Allow” them access, warned Cluley. The apps would then post messages on the user’s wall, luring his or her friends to complete an online survey disguised as a “Facebook Anti-Spam Verification” dialog box. The scammers earn commission for every completed survey.

The security expert also cautioned that in the past, cybercriminals are known to have sent rogue Valentine’s Day e-cards to spread viruses on computers, and hence called for users not to let their guard down.

Cheap spam tool
Separately, Symantec engineers have detected a popular viral Facebook application toolkit known as NeoApp that allows one to create applications for the social network. The toolkit guides the ‘developer’ to, for example, place links to funny videos and where to put the survey links in order to maximize cashback.

Once a user installs the applications created with the toolkit, the cybercriminal can send messages to unsuspecting users and friends through statistic pages and easy-to-use templates, the security vendor warned in a blog post.

With the app priced at US$50 or less, it “pretty much allows anyone, even those without coding skills, to create a fast-spreading viral message on Facebook”, Symantec’s Candid Wueest said.

According to him, the app will also have access to affected users’ private data, such as personal e-mail addresses, and the “administrators” controlling the app will be able to send convincing spam mail.

Wueest added that the app itself and what it does are against Facebook’s usage policy.

He advised that there is no need to install an application just to see images, and that users of the social media site should always exercise vigilance when an app requests access to personal information.

McAfee: Data theft attacks besiege oil industry

For years, companies in the oil and energy industry have been the victims of attempts by hackers believed to be in China to steal e-mail and other sensitive information, according to a new report from McAfee.

The attacks, to which McAfee gave the sinister name “Night Dragon”, penetrated company networks through Web servers, compromised desktop computers, bypassed safeguards by misusing administrative credentials, and used remote administration tools to obtain the information, the security firm said Thursday. McAfee and other security companies now have identified the method and can provide a defense.

“Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets,” McAfee said in a white paper (PDF) published today.

And the attack was at least partially successful, McAfee said. “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers.

“In some cases, the files were copied to and downloaded from company Web servers by the attackers. In certain cases, the attackers collected data from SCADA systems,” the supervisory control and data acquisition systems that control and monitor industrial processes.

McAfee didn’t reveal details about what SCADA data was involved, but it’s a potentially serious matter: such systems are at the operational heart of everything from oil pipelines and refineries to factories and electrical power distribution networks.

McAfee told The Wall Street Journal that the attacks appeared to be purely about espionage, not sabotage. The latter possibility has become a more vivid fear with the Stuxnet attack that apparently damaged Iranian nuclear operations. China is a particular concern: it’s a rising industrial power that Google has implicated in attempts to crack its own network and obtain sensitive information.

McAfee notified the FBI of the Night Dragon attacks, and the FBI is investigating, the Journal reported.

Several Night Dragon attacks were launched in November 2009, McAfee CTO George Kurtz said in a blog post, but attacks have been going on for at least two years and likely as long as four.

“We have strong evidence suggesting that the attackers were based in China,” Kurtz said. “The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”

The attacks themselves used a variety of methods that, although described as “relatively unsophisticated”, were nonetheless effective.

First came an attack to compromise a Web server that then became a host for a variety of hacking tools that could probe the company’s internal network. Password cracking and other tools were used to gain access to PCs and servers. Remote administration software, including one called zwShell, let attackers control compromised Windows PCs to gather more data and push the attack toward more sensitive areas.

An appendix of the white paper offers more details on the Chinese connection:

While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers–this individual is based in Heze City, Shandong Province, China. Although we don’t believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.

The individual runs a company that, according to the company’s advertisements, provides “Hosted Servers in the U.S. with no records kept” for as little as 68 RMB (US$10) per year for 100 MB of space. The company’s U.S.-based leased servers have been used to host the zwShell C&C [command and control] application that controlled machines across the victim companies.

Beyond the connection to the hosting services reseller operation, there is other evidence indicating that the attackers were of Chinese origin. Beyond the curious use of the “zw.china” password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP [Internet Protocol] addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were “company men” working on a regular job, rather than freelance or unprofessional hackers. In addition, the attackers employed hacking tools of Chinese origin that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords…

Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else.
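The working-hours observation in the appendix (exfiltration confined to weekdays, 9:00 a.m. to 5:00 p.m. Beijing time) is a standard attribution heuristic that an incident responder can reproduce from their own proxy or firewall logs. The block below is an added example, not McAfee's tooling, that scores a set of event timestamps against every UTC offset and reports which offset best fits a nine-to-five working pattern. The timestamps are constructed for the illustration, and the 9:00-17:00 weekday window is an assumption taken from the appendix's description.

```python
from datetime import datetime, timedelta, timezone

# Constructed exfiltration timestamps in UTC, standing in for the file-transfer
# events an investigator would pull from proxy or firewall logs. Not real data.
EXFIL_EVENTS_UTC = [
    "2009-11-02T02:15:00Z",  # Mon 10:15 at UTC+8
    "2009-11-02T05:40:00Z",  # Mon 13:40
    "2009-11-03T01:05:00Z",  # Tue 09:05
    "2009-11-03T08:30:00Z",  # Tue 16:30
    "2009-11-04T03:00:00Z",  # Wed 11:00
    "2009-11-05T06:45:00Z",  # Thu 14:45
    "2009-11-06T08:45:00Z",  # Fri 16:45
    "2009-11-06T04:20:00Z",  # Fri 12:20
    "2009-11-07T03:00:00Z",  # Sat 11:00 (weekend, outside the pattern)
    "2009-11-05T15:10:00Z",  # Thu 23:10 (night, outside the pattern)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def business_hours_fraction(events, utc_offset_hours, start_hour=9, end_hour=17):
    """Fraction of events that fall on a weekday between start_hour and end_hour
    when viewed in the time zone at the given fixed UTC offset."""
    if not events:
        return 0.0
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for stamp in events:
        local = parse_utc(stamp).astimezone(local_tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events)


def rank_offsets(events, offsets=range(-12, 15)):
    """Score every candidate UTC offset; highest business-hours fit first."""
    scored = [(business_hours_fraction(events, off), off) for off in offsets]
    return sorted(scored, reverse=True)


def best_offset(events):
    """The UTC offset whose working day best explains the event times."""
    return rank_offsets(events)[0][1]


if __name__ == "__main__":
    for fraction, offset in rank_offsets(EXFIL_EVENTS_UTC)[:5]:
        print(f"UTC{offset:+d}: {fraction:.0%} of events inside weekday 09:00-17:00")
```

A high score for one offset is suggestive rather than conclusive, for exactly the reason the appendix itself raises: activity timing can be staged. The heuristic is most useful alongside independent indicators such as infrastructure and tooling.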

Researchers demo iPhone passwords hack

A German research firm has demonstrated how passwords stored on an iPhone can be retrieved in less than six minutes without needing to know the passcode.

Researchers from German engineering and research firm Fraunhofer tested the hack on an iPhone 4 and iPad 3G running iOS 4.2.1 and found that it was possible to access a range of passwords stored on the device, including: MobileMe, Google Mail as a Microsoft Exchange account, Microsoft Exchange email accounts, VPN logins and Wi-Fi network credentials.

The researchers said that the hack was relatively easy to perform and used freely available tools. However, they did have to jailbreak the device and install an SSH server in order to access the phone and copy the keychain access script that allows access to the stored information.

Read more of “Researchers demo iPhone passwords hack” at ZDNet UK.

Major Aust banks expose credit card data

Australia’s biggest banks are posting credit card numbers in clear view on mailed customer statements in a direct violation of credit card security regulations.

Placing numbers where any mail thief could grab them is a fundamental breach of the troubled Payment Card Industry Data Security Standard (PCI DSS), according to sources in the industry.

The industry standard, drafted by card issuers Visa, MasterCard and American Express and enforced by banks, is a series of security rules to which any business dealing with credit card transactions must adhere.

The standard is a collaborative industry effort to reduce financial fraud by mandating baseline security measures that essentially must accompany any credit card transaction. A call center operator, for example, would be required to destroy a paper note if it was used to temporarily jot down a credit card number, while a Web site that stores transaction information must ensure it is adequately secure.

Non-compliant large businesses–or tier 1 organizations bound by strict rules–face hundreds of thousands of dollars in fines, and risk losing their ability to process credit cards. The fines scale according to the number of credit card transactions processed.

But St George and the Commonwealth Bank have breached rule 101 of the standard by sending out potentially millions of paper statements to letterboxes that clearly detail credit card numbers in full.

The credit card numbers are listed as an account reference, and match that shown on cards number-for-number.

The breach has been known to card issuers for years, but they have failed to push the banks to change their practice.

Sources within the issuers working with PCI DSS compliance say they want the banks to truncate, or scramble, the numbers but they have since received a cold response.

Commonwealth Bank said that it was considering this as an overall security issue, but internal and external assessments led it to believe that it was compliant with the PCI DSS standard.

St George had not responded at the time of writing.

ANZ Bank has truncated the last four digits of its account numbers detailed on paper statements so they do not match Visa and MasterCard credit cards.

The bank said it made the change in 2001 during a “large investment” to improve credit card security. Its customers use a single account number for all dealings with the bank.

IP Payments director Mark Lewis said the banks practised double standards by allegedly ignoring the PCI DSS breach while enforcing the regulations on merchants.

“The banks have been beating their drum that everyone should be PCI [DSS] compliant when the standard came into effect. It is hypocritical,” Lewis said. His company offers PCI DSS compliance services, which includes means to truncate credit card numbers as they appear on printed statements.

“The systems are so old that changing those numbers would be a nightmare. At the end of the day, these systems are 30 years old, much older than PCI [DSS], and the banks are struggling to keep them compliant.” Yet he didn’t think banks could rest on that excuse.

While the paper statements omit credit card expiry dates or Card Security Value numbers, the former can be simply guessed or ascertained through social engineering, according to PCI DSS experts.

Since credit cards expire inside of four years, a fraudster can use a process of elimination to determine the date. They need only enter the number associated with each month over that period into a Web site until one works.

“It is potentially a huge risk,” Lewis said. “The volume of numbers going out if someone was to cotton on to it would make it an ideal target.” He said a criminal would attempt to intercept the statements, by exploiting potential vulnerabilities in the production and distribution process.

Only some online and telephone-based payment systems require the Card Security Value number located on the back of credit cards. This cannot be guessed but could be acquired from banks by masquerading as a victim using their identity credentials lifted from the statement and Internet Web sites.

Sense of Security chief operating officer Murray GoldSchmidt said the banks are dealing with more risky fraud vulnerabilities.

“Some 72 percent of fraud is card-not-present, or online fraud; the amount of fraud through other means is smaller and could be at a level.

“Online databases of credit cards are clearly an easy way for criminals to extract large amounts of data in the time it would take to steal a few [paper] statements.”

A source at another card issuer agreed that the standard was focused on “frying bigger fish”, although they did say that putting the numbers on statements was a clear breach of standard requirements.

The industry has struggled to adhere to the standard since its introduction some five years ago, even after the November 2010 deadline meant non-compliance would bring financial penalties. Banks have allegedly been absorbing penalties, a practice Lewis expects will continue into the near future.
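The fix the issuers asked the banks for, truncating the card number wherever it is printed, is a small piece of code compared with the legacy systems Lewis describes. The block below is an added example, not code from any bank or from IP Payments, showing how a statement-generation step can scrub full PANs from outgoing text: it finds 13-19 digit runs, keeps only those that pass the Luhn check (so ordinary reference numbers are left alone) and masks all but the last four digits while preserving the original spacing. The card numbers used are publicly documented test PANs, the regular expression and the keep-last-four rule are the example's own assumptions.

```python
import re

# Constructed input: publicly documented test PANs, not real accounts.
TEST_PANS = ["4111111111111111", "5500000000000004"]

# 13 to 19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Filters out phone and reference numbers that merely
    happen to be 13-19 digits long."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators
    so the statement layout does not shift."""
    digit_positions = [i for i, ch in enumerate(pan) if ch.isdigit()]
    hidden = set(digit_positions[:-keep_last]) if keep_last else set(digit_positions)
    return "".join("*" if i in hidden else ch for i, ch in enumerate(pan))


def scrub_statement_line(line: str) -> str:
    """Mask every Luhn-valid card number found in one line of statement text."""
    def replace(match: re.Match) -> str:
        raw = match.group(0)
        if luhn_valid(re.sub(r"[ -]", "", raw)):
            return mask_pan(raw)
        return raw
    return PAN_PATTERN.sub(replace, line)


if __name__ == "__main__":
    # Constructed statement lines
    for text in ["Account reference: 4111 1111 1111 1111  Balance $120.00",
                 "Customer number 1234567890123 (not a card)"]:
        print(scrub_statement_line(text))
```

Masking at the point where the statement text is generated means the printing and mailing pipeline never handles a full PAN, which is the property the standard is after; it does not require changing the account number scheme the core systems use.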

This article was first published at ZDNet Australia.

Google extends two-step log-in process to all

Now all Google users can take advantage of the two-step log-in procedure previously available to Google Apps customers.

The company started rolling out the option to use two-step verification to Google Account holders Friday, according to a blog post. The idea comes from a classic security tactic, the notion that accounts are more secure when you log in using two factors: something you know, such as a password, and something that only you have, such as your phone.

Google Apps users started using this feature in September. Account holders log in to Google as usual, but the first time they enable the two-step process they will receive a code via a voice call or text message, or they can generate their own code using a mobile app available for iPhone, Android, or BlackBerry. That code can be saved for 30 days.

Obviously it will be much harder for anyone bent on hacking your account to steal a code sent to your phone (unless you’re a valuable enough target to warrant stealing your phone and hacking your password). It’s an optional feature, but one strongly recommended by security experts.
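The code that the mobile app generates in the flow above is, in practice, a time-based one-time password: both the phone and Google's servers hold a shared secret and derive a short code from it and the current time. The block below is an added example, not Google's code, of the server side of that check, assuming the RFC 6238 TOTP scheme (HMAC-SHA1, 30-second steps, which is what authenticator apps of this kind typically implement). The secret is the RFC's published test-vector value, not a real key; the one-step drift window and the replay rule are the example's own design choices.

```python
import base64
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector secret (the
# ASCII digits 1234567890 twice), not a real key. Authenticator apps usually
# receive the secret base32-encoded, e.g. inside a QR code.
SECRET = b"12345678901234567890"


def decode_base32_secret(encoded: str) -> bytes:
    """Decode a base32 secret as shown to the user; tolerates missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Accept a submitted code if it matches the current step or one within
    +-window steps (phone clock drift), but never a step at or before the last
    one already used (replay protection). Returns (accepted, counter_to_store)."""
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    print("code at T=59:", totp(SECRET, 59, digits=8))       # RFC 6238 vector
    print(verify_totp(SECRET, totp(SECRET, 59, digits=8), 59, digits=8))
```

The stored counter is what turns a code that was intercepted over SMS or a voice call into a one-shot value: once it has been accepted, the same code is refused even inside the drift window, so the attacker the article has in mind would need the phone itself, not just a copy of one message.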

Experts renew call for greater Facebook security

With security threats continuing to plague Facebook, such as the recent abuse of CEO Mark Zuckerberg’s fan page, experts have renewed calls for the social networking site to step up user protection and education.

Zuckerberg was not the only prominent personality to suffer from a Facebook page hack last month–French President Nicolas Sarkozy was also a victim, according to the Huffington Post. The two high-profile incidents happened in the same week.

Yet Facebook, according to these security observers, remains extremely popular despite these incidents and other threats such as rogue apps.

On one hand, Facebook wants compelling applications to attract new subscribers and increase the amount of time users spend on the site. However, there are less than stringent controls on developers.

“Anyone can sign up and create a bogus Facebook application,” said Chester Wisniewski, senior security advisor at Sophos, in an e-mail interview, adding that users who are affected can be redirected to malicious URLs without being prompted.

This, he explained, happened with the Koobface worm, which prompted users to download a “FacebookPhotos###.exe” file even before requesting permission for data access.

Wisniewski added that this form of “clickjacking” still occurs, but Facebook claims it is a “browser problem”.

In an earlier report published by ZDNet Asia’s sister site CNET, Facebook’s chief security officer Joe Sullivan was quoted as saying the team does not practice the “gatekeeper approach” when it comes to app vetting. Instead, it “devotes its energy to the ones that could cause the most damage if they were bad”.

Measures taken, but more can be done
To its credit, Facebook has activated “advanced security controls” to protect at-risk accounts. According to the CNET report, when an account is detected as having an unusually large number of posts, or posting dubious links, the “roadblocks” devised by the team will direct the user to a McAfee cleanup tool that can be used immediately.

The team, which includes staff dedicated to incident response, has also just rolled out the HTTPS (hypertext transfer protocol secure) encryption feature for all activities, not just password entering.

Still, the approach was challenged by Wisniewski, who claimed that security should be adopted from “inside out”, such as configuring the firewall, and not the other way round. To that end, Facebook should make HTTPS a default, not something for the user to opt into, he argued.

“Facebook has taken the opposite approach and I feel [its] users will pay the price in privacy and security until it chooses to implement stronger privacy controls in reaction to these incidents,” said Wisniewski.

Randy Abrams, ESET’s director of technical education, also agreed Facebook can do more for its users. “Facebook doesn’t consider security to be enough of a priority to even mention the word on the log-in screen.

“Facebook can and should do a lot more to promote security education with their users.”

Users an ‘unsolved vulnerability’
Likening Facebook to an “operating system” such as Microsoft Windows, Abrams said it will be subject to security breaches and not be able to protect everyone.

“An operating system is designed to run programs, but it can’t know if the program is good or bad,” he explained.

While Facebook is far from facing a security crisis, Abrams said its users remain “the biggest unsolved vulnerability which Facebook falls flat on its face”.

Sophos’ Wisniewski concurred, noting that users “simply don’t care” about security.

Users, he pointed out, do not seem to be aware of the security issues associated with Facebook; security breaches have also not stopped those concerned and worried about their profiles from logging in and sharing their lives on the site.

Other sites beware
Other social media sites are also equally at risk, even though their user base may be smaller, warned both experts.

According to Abrams, apart from the user base, there are risk factors such as ease of attack and an attacker’s own motivations. “Other social media sites are equally susceptible but may not get as much attention from the criminal element,” he said, adding that criminals are always on the lookout for vulnerabilities.

No matter how secure a Web site is, users cannot prevent their profiles from getting hacked, said Abrams and Wisniewski. One important way of staying safe is to limit the information that is made public, they noted.

In addition, users should set strong passwords that are not recycled for other sites, and enable the HTTPS option when it is available in the profile.

“Ultimately if a social media site is hacked badly enough then your profile and all of its information is owned by someone else. The risk is rather small, but it is there, so think carefully about what information you put online anywhere,” Abrams warned.

Anonymous hacks security company, say reports

Anonymous, a group of online activists, has attacked a security company that was investigating the collective.

The website of HBGary Federal was defaced with a message from Anonymous, as the group had discovered that HBGary Federal was planning to divulge alleged members of Anonymous to the FBI. In addition, Anonymous downloaded over 60,000 emails from HBGary Federal and posted them on The Pirate Bay file-sharing website, according to security company Sophos.

“You think you’ve gathered full names and addresses of the ‘higher-ups’ of Anonymous? You haven’t,” the group posted on the HBGary Federal website. “You think Anonymous has a founder and various co-founders? False.”

Read more of “Anonymous hacks security company, say reports” at ZDNet UK.

Cloud a haven for cybercriminals

The affordability and increasing popularity of cloud services are providing a new avenue for cybercriminals, say industry observers who note that service providers play a role in curbing such illegal activities. However, they warn that doing so will not be an easy task.

A security researcher last month warned that cloud services can be exploited for criminal purposes. At the Black Hat security conference, Thomas Roth said he was planning to release an open source kit which will enable users to crack Wi-Fi passwords by leveraging the computing power of the Amazon Web Services (AWS) cloud running on GPU-based servers.

There are other similar tools that use leasable cloud services to crack Wi-Fi security authentication mechanisms, such as Wi-Fi Protected Access (WPA), using the cloud infrastructure’s processor cluster to run dictionary attacks.

According to security players, the accessibility of such tools is not uncommon.

In an e-mail interview, Ronnie Ng, manager of systems engineering at Symantec Singapore, pointed to a 2009 blog post which noted that a Web site was purportedly selling automated Wi-Fi Protected Access (WPA) password crackers that used cloud computing technology.

The site allowed anyone to “pay a token sum of US$34 to rent time on a large 400-node computer cluster and check over 135,000,000 potential passwords against a targeted victim in just 20 minutes”. The Symantec blogger noted that even without technical knowledge, a malicious attacker would be able to obtain and use the password for illegal means such as to spy on the victim’s network.

Magnus Kalkuhl, director of Kaspersky Lab’s Europe global research and analysis team, also noted that cloud infrastructure has been misused for hosting malware. He told ZDNet Asia in an e-mail that there have been instances in the past where Amazon Elastic Compute Cloud (Amazon EC2) was used as a malware hosting platform, including a recent instance in which a trojan was spread using Rapidshare.

Kalkuhl noted that, in fact, certain malware “for years” have already been running on their own cloud. “Actually all DDoS (distributed denial-of-service) attacks and spamming services offered by cybercriminals are based on a cloud architecture, [which is] their own botnets made of thousands or even millions of infected PCs.”

In an e-mail interview, Paul Ducklin, head of technology for Sophos Asia-Pacific, added: “Almost anything you can do in the way of cybercrime on a standalone PC can be achieved through the cloud.”

In fact, he noted that cloud-based services such as social networks can make cybercrime easier.

Spam and scams can spread on Facebook, for instance, without ever raising an alarm on the user’s PC, Ducklin explained, noting that the benefit of distributing content automatically from many users to many users over social networks can work to the advantage of cybercriminals.

Responsibility on service providers
With more users moving onto the cloud platform, Ng cautioned that criminal activities on the cloud will rise.

“The cloud’s growing popularity will increase the risk of [users] being targeted by cybercriminals,” he said. He noted that the onus is on cloud service providers to “demonstrate due diligence” in ensuring organizations that lease their services do not engage in malicious activities.

Ducklin concurred: “Why would [businesses] be willing to store [their] data with a cloud provider that also allows cybercrooks and dodgy operators to use its services?”

Citing the case of DDoS attacks related to Wikileaks, he stressed that other users can be affected if a service provider is indiscriminate about whom it provides its services to.

“If your cloud provider services a wide range of businesses, the chance that one of them might become the victim of vigilantes carrying out a DDoS attack is higher,” Ducklin said. “You might lose quality of service due to sociopolitical problems suffered by someone else ‘in your cloud’.”

But while the security players agreed that cloud service providers should be vigilant when providing services, they noted that ensuring total control is not easily achieved.

Kalkuhl said concerns over privacy limit service providers’ ability to have complete control.

“Major cloud service providers like Amazon may check outgoing traffic for suspicious patterns such as DDoS attacks against other machines, [as well as instruct] customers who use virtual machines to conduct system penetration tests to inform the service provider in advance.

“However, it is not possible for the providers to scan the content of [network] traffic for keywords or malware signatures, for instance,” he explained. “Neither are they allowed to scan or manually check what files are stored in a provided [cloud] environment. Otherwise, people would lose their trust in cloud providers and the whole business model would be put at risk.”
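Kalkuhl's first point, that a provider can watch outgoing traffic for patterns such as DDoS attacks against other machines without inspecting tenant content, describes a metadata-only detector. The block below is an added example of that kind of check, not code from Amazon or Kaspersky: it consumes per-second flow records (source VM, destination, TCP flags, packet count), which is exactly the information a provider's network edge sees without looking at payloads, and raises an alert when one VM's rate of bare SYN packets to one destination exceeds a threshold. The record format, the 500 packets-per-second threshold and the flow records themselves are constructed for the illustration; the IP addresses are from the documentation ranges reserved for examples.

```python
from collections import defaultdict

# Constructed per-second flow records as a provider's edge might export them:
# (epoch_second, source_vm, dst_ip, dst_port, tcp_flags, packets).
# "S" is a bare SYN (new connection attempt); "PA" is data on an established
# connection. Addresses are RFC 5737 documentation ranges, not real hosts.
FLOWS = [
    *[(1_700_000_000, "vm-tenant-a", "203.0.113.10", 80, "S", 60) for _ in range(20)],
    (1_700_000_000, "vm-tenant-b", "198.51.100.7", 443, "PA", 5000),  # busy but established
    (1_700_000_000, "vm-tenant-c", "198.51.100.7", 443, "S", 3),      # ordinary connect rate
    (1_700_000_001, "vm-tenant-a", "203.0.113.10", 80, "S", 40),      # next second, below threshold
]


def detect_syn_flood(flows, threshold_pps=500):
    """Return (source_vm, dst_ip, second, syn_packets) for every one-second
    bucket in which a single VM sent more bare SYNs to one destination than
    threshold_pps. Only flags and counts are used, never payload."""
    syn_per_bucket = defaultdict(int)
    for second, src_vm, dst_ip, _port, flags, packets in flows:
        if flags == "S":
            syn_per_bucket[(src_vm, dst_ip, second)] += packets
    alerts = [(src_vm, dst_ip, second, count)
              for (src_vm, dst_ip, second), count in syn_per_bucket.items()
              if count > threshold_pps]
    return sorted(alerts)


def offending_tenants(flows, threshold_pps=500):
    """The set of source VMs that triggered at least one alert."""
    return {src_vm for src_vm, _dst, _sec, _count in detect_syn_flood(flows, threshold_pps)}


if __name__ == "__main__":
    for src_vm, dst_ip, second, count in detect_syn_flood(FLOWS):
        print(f"{src_vm} -> {dst_ip}: {count} SYN/s at t={second}")
```

A detector like this is deliberately coarse: it cannot tell an attack from an aggressive but legitimate load test, which is why Kalkuhl mentions providers asking customers to announce penetration tests in advance. That notice is what lets the provider suppress the alert for a known tenant and time window instead of loosening the rule for everyone.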

Microsoft to seal 22 security holes this month

Microsoft has said it will address 22 vulnerabilities as part of this week’s Patch Tuesday, three of which are critical.

Three of the 12 bulletin items released by Microsoft earlier today are classified as critical, and affect Microsoft’s Windows operating system, with one affecting Microsoft’s Internet Explorer browser as well. The rest are classified as “important”.

In a post on Microsoft’s Security Response Center blog, the company said it will be making fixes for vulnerabilities in the Windows Graphics Rendering Engine, as well as a CSS exploit in Internet Explorer that could allow an attacker to gain remote code execution.

Along with the fixes for the rendering engine and the CSS exploit, Microsoft says it will be addressing zero-day flaws that created vulnerabilities in the FTP service found inside of Internet Information Services (IIS) 7.0 and 7.5.

Not included in this month’s batch of announced patches is a fix for the recently-discovered script injection attacks that affect Internet Explorer. Acknowledged by the company last month in Security Advisory 2501696, the exploit targeted the way IE handled MHTML on certain types of Web pages and document objects, and could provide hackers with access to user information. According to Wolfgang Kandek, chief technology officer at Qualys, the best route to prevent those attacks continues to be the workaround Microsoft outlined in its initial security advisory about the problem.

Microsoft has a full list of the pending issues here.

Report: Hackers penetrated Nasdaq computers

Federal authorities are investigating repeated intrusions into the computer network that runs the Nasdaq stock exchange, according to a Wall Street Journal report that cited people familiar with the matter.

The intrusions did not compromise the tech-heavy exchange’s trading platform, which executes investors’ trades, but it was unknown which other sections of the network were accessed, according to the report.

“So far, [the perpetrators] appear to have just been looking around,” one person involved in the Nasdaq matter told the Journal.

The Secret Service reportedly initiated an investigation involving New York-based Nasdaq OMX Group last year, and the Federal Bureau of Investigation has launched a probe as well. Investigators are considering a range of motives for the breach, including national security threat, personal financial gain and theft of trade secrets, the newspaper reported.

Nasdaq representatives could not be reached for comment.

Investigators have not been able to follow the intruders’ path to any specific individual or country, but people familiar with the matter say some evidence points to Russia, according to the report. However, they caution that hackers may just be using Russia as a conduit for their activities.

The Nasdaq, which is thought to be as critical from a security standpoint as the national power grid or air traffic control operations, has been targeted by hackers before. In 1999, a group called “United Loan Gunmen” defaced Nasdaq’s public Web site with a story headlined “United Loan Gunmen take control of Nasdaq stock market.” The vandalism was quickly erased, and Nasdaq officials said at the time that the exchange’s internal network was unaffected.

Aust pubs tap biometrics to curb violence

Pubs and clubs in Australia are signing up in droves to national and state biometrics databases that capture patron fingerprints, photos and scanned driver licenses in efforts to curb violence.

The databases of captured patron information mean that individuals banned at one location could be refused entry across a string of venues. Particularly violent individuals could be banned for years.

The databases are virtually free from government regulation as biometrics are not covered by privacy laws, meaning that the handling of details is left to the discretion of technology vendors.

Venues typically impose bans of one month to a year, and it is up to the discretion of clubs to adopt or share exclusion lists.

Australia’s largest database, idEye, which pitches itself as the only national repository, has seen an explosion in venues signing up to share lists.

“The takeup is growing very rapidly,” said Peter Perrett, chief executive of ID-Tect, the company which created idEye. “It has exploded.”

“You don’t get on the list because you didn’t want to go home–you get on there because you are a safety risk.

“Bans are only effective from one venue, but you will also be flagged…it will pop up and show that this guy is banned, here are three photographs, his details and the offence.”

Venues may choose to accept or ban any individual on the list, and data is encrypted and stored on “secure servers”.

State governments have been cracking down on violence in pubs and clubs, and threatening to impose tough measures on the worst offenders and impose night-time curfews.

The national database can be tweaked to suit a venue, allowing them to source different patron identifiers such as facial recognition, optical character recognition or fingerprint scans.

Perrett would not be drawn further on the database’s adoption, citing commercial sensitivity, but said it is “a lot larger in [use and adoption] than you’d think”.

While patrons remain divided on the need to surrender biometric data to buy a beer, the system appears to have led to a halt in violence in pubs and clubs.

The Woodport Inn on the NSW Central Coast has obliterated the incidents of violence which had once troubled its night club.

“[The] violent people here are gone, just gone,” said one bar manager. “They are scared of it. They know they will be caught.”

The venue is one of several in the area that use NightKey fingerprint scanners, including the Central Coast Hotel and Woy Woy Leagues Club, but it does not share ban lists.

A manager from a Sydney CBD bar, who requested anonymity, said that the ban database had cut violence, adding that the venue may soon be able to reduce its security headcount. The machines are not classified by NSW Police as security equipment and can be operated by a staff member.

Alcohol-related incidents have dropped by up to 80 percent in some venues that use the scanners, according to Perrett. He said the data is a smoking gun that police can use to convict violent offenders.

He said that “very, very serious crime in major places” carried out by offenders currently up before the courts has resulted from investigations lasting “minutes” rather than weeks because of being able to link biometric data to CCTV footage.

Used alone, Perrett said CCTV is inefficient and offenders “are not worried about it”. He added that crime in venues is unreported due to the negative publicity it generates.

The patron data collected in the database is destroyed within 28 days unless an offence is committed beforehand. The data is not automatically fed into police records.

However, many might be concerned about the privacy implications of the collection of such data.

Biometrics Institute head Isabelle Moeller said that pubs and clubs are still refusing to sign onto its biometric charter of use, which has the backing of the Federal Privacy Commissioner.

“[Venues] may roll biometrics out innocently or they may not want to bother with privacy concerns,” Moeller said. “Biometrics needs to be part of privacy law, the government needs to take control of this.”

She said that Clubs NSW has agreed to sign onto the charter and will participate in upcoming biometric privacy discussions, but the reception from other states has been cold.

The Australian Hotels Association (AHA) (NSW) chief executive Sally Fielke said in a statement that the implementation of biometric scanners is a decision for individual clubs. “The introduction of ID scanning is a business decision for individual venues.”

“The AHA (NSW) encourages members to look at a whole range of proactive initiatives to continue to ensure that their venues remain safe…and assists venues to comply with all legal obligations including privacy laws.”

Fielke said that the take-up of the services by AHA (NSW)’s members was low.

It did not respond to questions about whether it would recommend venues use biometric scanning.

This article was first posted on ZDNet Australia.

Microsoft warns of Windows zero-day flaw

Microsoft has warned of a zero-day vulnerability in Windows that could let an attacker collect any information stored in an Internet Explorer user’s browser.

The flaw allows a hacker to inject a malicious client-side script in an otherwise legitimate Web-request response made by the Internet Explorer (IE) browser, Microsoft said in a security advisory on Monday. The script could post content or perform actions online that would appear to have been initiated by the victim.

Alternatively, the vulnerability, which lies in the MHTML Web protocol, could allow the script to collect an IE user’s information, or spoof content displayed in the browser to “interfere with the user’s experience”, Microsoft security advisor Angela Gunn said in a blog post.

Read more of “Microsoft warns of Windows zero-day flaw” at ZDNet UK.

Anonymous: UK arrests are a ‘declaration of war’

Anonymous has issued a warning to the U.K. government after five young men suspected of being connected to the group were arrested on Thursday.

The group, which has claimed responsibility for a series of distributed denial-of-service (DDoS) attacks launched in support of whistle-blowing site Wikileaks, said it viewed the arrests as “a declaration of war” by the British authorities.

“Anonymous believes… that pursuing this direction is a sad mistake on your behalf. Not only does it reveal the fact that you do not seem to understand the present-day political and technological reality, we also take this as a serious declaration of war from yourself, the U.K. government, to us, Anonymous, the people,” the group said in a statement (PDF) on Thursday.

Read more of “Anonymous: UK arrests are a ‘declaration of war’” at ZDNet UK.

A new (old) way to protect privacy: Disclose less

A new pilot project from Microsoft and IBM offers a high-tech twist on this bit of common sense: allowing you to divulge less information about yourself protects your privacy.

Their joint effort is built on the observation that, in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.

Microsoft and IBM’s solution is called Attribute-Based Credentials, or ABC, and their pilot project is scheduled to be announced tomorrow to coincide with what’s being called Data Privacy Day. ABC is supposed to last four years and result in both a credential architecture and a reference implementation complete with source code that will be made publicly available.

“Our goal is to provide the technical tools but also the societal discussions about how we can achieve privacy in an electronic society,” Jan Camenisch, a Zurich-based cryptographer with IBM Research told ZDNet Asia’s sister site CNET.

The first application is scheduled to appear at Norrtullskolan, a secondary school in Söderhamn, Sweden, and will allow students and parents to communicate with school officials and access a social network–while protecting their privacy at the same time. Another pilot will be implemented for grading the faculty at the Research Academic Computer Technology Institute in Patras, Greece.

Both pilot projects rely on a system called ABC4Trust, which is designed to allow students or parents to “prove” certain aspects of their identity without revealing others. A student can cryptographically prove that she’s a member of a sports team, or demonstrate that she has attended a certain class.

“The problem with today’s solutions is that they don’t make these kind of distinctions,” Ronny Bjones, a Microsoft security technology architect, said. “We leave such a digital footprint around on all these different sites.”

One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.

The idea of using encryption technology to enable people to disclose less about themselves isn’t exactly new. The legendary cryptographer David Chaum, the father of digital cash who’s now building secure electronic voting systems, developed some of these ideas in the late 1980s.

A decade later, University of Pennsylvania computer scientist Matt Blaze and other researchers published a paper (PDF) on what they called “decentralized trust management.” But it was Dutch cryptographer Stefan Brands who most fully developed the concept of limited-disclosure digital certificates.

Microsoft bought Brands’ company, Credentica, in 2008, and released the U-Prove specification last year along with a promise not to file patent lawsuits over its use.

ABC will use both U-Prove and IBM’s related technology called Identity Mixer. “It’s extremely important that we can help people that build solutions (that) build privacy by design,” Bjones said.
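To make the "disclose only what the verifier needs" idea concrete, here is an added example that is not code from ABC4Trust, U-Prove or Identity Mixer: a toy selective-disclosure credential built from salted hash commitments. It assumes HMAC-SHA256 under a constructed issuer key as a stand-in for the issuer's signature, and an issuer-asserted `over_18` flag, because this simple construction can only reveal or hide whole attributes; it cannot prove a predicate over a hidden birthdate the way the U-Prove and Identity Mixer schemes the article refers to can.

```python
# Added example (not code from ABC4Trust, U-Prove or Identity Mixer): a minimal
# selective-disclosure credential. The issuer commits to every attribute with
# a fresh salt and signs the list of commitments; the holder later opens only
# the attributes the verifier needs. Stand-ins: HMAC-SHA256 with ISSUER_KEY
# plays the issuer's signature, and "over_18" is a flag the issuer asserts.
import hashlib
import hmac
import json
import os
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key"  # constructed stand-in for a signing key


def _commit(salt: bytes, name: str, value) -> str:
    """Binding, hiding commitment to one (name, value) pair. The salt stops a
    verifier from guessing low-entropy values such as a boolean or a city."""
    payload = salt + json.dumps([name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def _sign(commitments: list, issuer_key: bytes) -> str:
    # HMAC stands in for the issuer's digital signature over the fixed list.
    msg = json.dumps(commitments, separators=(",", ":")).encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()


def issue(attributes: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: commit to each attribute and sign the commitment list.
    The holder receives the openings (salt, value) for every attribute."""
    opening, commitments = {}, []
    for name in sorted(attributes):
        salt = os.urandom(16)
        opening[name] = (salt.hex(), attributes[name])
        commitments.append(_commit(salt, name, attributes[name]))
    return {"commitments": commitments,
            "signature": _sign(commitments, issuer_key),
            "opening": opening}


def present(credential: dict, reveal: list) -> dict:
    """Holder side: hand over the signed commitments plus openings for the
    chosen attributes only. Hidden attributes stay behind their commitments."""
    return {"commitments": credential["commitments"],
            "signature": credential["signature"],
            "revealed": {n: credential["opening"][n] for n in reveal}}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Verifier side: check the issuer signature, then that every revealed
    (salt, value) opens one of the signed commitments. Returns the revealed
    attributes, or None if anything fails to check out."""
    expected = _sign(presentation["commitments"], issuer_key)
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    revealed = {}
    for name, (salt_hex, value) in presentation["revealed"].items():
        if _commit(bytes.fromhex(salt_hex), name, value) not in presentation["commitments"]:
            return None
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    # Constructed attributes for a hypothetical Berlin resident.
    cred = issue({"name": "Example Holder", "birth_year": 1990,
                  "city": "Berlin", "over_18": True})
    # Show residency and adulthood; name and birth year are never sent.
    print(verify(present(cred, ["city", "over_18"])))
```

Note that the same commitment list is sent on every presentation, so two verifiers could link them; avoiding that linkability is one of the properties U-Prove and Identity Mixer add on top of the basic idea shown here.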

This article was first published as a blog post on CNET News.

UK police nab 5 Anonymous DDoS suspects

U.K. police have arrested five young men on suspicion of taking part in distributed denial-of-service attacks launched by Anonymous, the group that has targeted corporate sites for attack in defence of Wikileaks.

The five, who are aged between 15 and 26, were detained at 7am on Thursday at addresses in the West Midlands, Northamptonshire, Hertfordshire, Surrey and London, the Metropolitan Police Central eCrime Unit (PCeU) said in a statement. The suspects were taken to local police stations and remain in custody, the police added.

The Anonymous group of activists undertook a number of distributed denial-of-service (DDoS) attacks last year, using a tool called the Low Orbit Ion Cannon (LOIC) to try to overwhelm servers. The group successfully took down websites belonging to companies including Visa, MasterCard and PayPal, in protest at their suspension of donation-payment processing for the Wikileaks whistle-blowing operation.

Read more of “Anonymous DDoS swoop results in five arrests” at ZDNet UK.

Facebook lets users turn on crypto

Facebook announced Wednesday it is now offering users the ability to use encryption to protect their accounts from being compromised when they are interacting with the site, something security experts have been seeking for a while.

The site currently uses HTTPS (Hypertext Transfer Protocol Secure) when users log in with their passwords, but now everything a user does on the site will be encrypted if he turns the feature on, the company said in a blog post.

Enabling full-session HTTPS eliminates the ability for attackers to use tools like the Firefox plug-in called Firesheep to snoop on communications between a person’s computer and the site’s server.

“Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools,” the post says. “The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page.”

Using HTTPS may mean that some pages will take a little bit longer to load, and some third-party applications aren’t currently supported, the company said. The option is rolling out over the next few weeks. “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future,” the post says.

“Every user’s Facebook page is unique and it’s been complex pulling together all the different parts,” said Facebook Chief Security Officer Joe Sullivan when asked what the time frame is to making HTTPS the default setting. “It’s an interesting technical challenge for the company.”

While banking and e-commerce sites use encryption, social media and other sites have been somewhat slow to move in that direction–the exception being Google. Google has always offered Gmail users the ability to use HTTPS and set it as a default a year ago. The company also offers encryption for use with Google Docs and Web search.

Facebook blames bug for Zuckerberg page hack

A bug allowed an unidentified person to post a message on Facebook CEO Mark Zuckerberg’s fan page on the site yesterday, a spokesman told ZDNet Asia’s sister site CNET on Wednesday.

The odd message that garnered more than 1,800 “likes” and more than 400 comments before it was taken down was: “Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? What do you think? #hackercup2011”

A Facebook spokesman provided this e-mail statement today: “A bug enabled status postings by unauthorized people on a handful of public pages. The bug has been fixed.”

Whoever is responsible only had the ability to post on the page and did not have access to private data on the Facebook account, Joe Sullivan, chief security officer at Facebook, said in a follow-up interview with CNET. “It was a very limited bug in that it only applied to the ability to post,” he said.

Specifically, the bug was in an API (application programming interface) that allows publishing functionality on the site, said Ryan McGeehan, security manager for incident response at Facebook.

Only a handful of high-profile accounts were affected, they said, declining to offer exactly whose pages were targeted. They also declined to comment on whether the hack earlier this week of French President Nicolas Sarkozy’s Facebook page was related. Someone had posted a message on the official’s page saying he would be stepping down next year.

Asked if they knew who was responsible for the breaches, Sullivan said he could not comment further because it is an active investigation.

“It’s astonishing the level of speculation without accurate information” in published reports, he said. “There was the (false) assumption that there was unauthorized access to information…Our commitment is to try and prevent that and respond incredibly quickly when something happens.”

“Facebook users–famous or not–need to take better care of their social-networking security,” said Graham Cluley, senior technology consultant at Sophos, in a statement. “Mark Zuckerberg might be wanting to take a close look at his privacy and security settings after this embarrassing breach. It’s not clear if he was careless with his password, was phished, or sat down in a Starbucks and got sidejacked while using an unencrypted wireless network, but however it happened, it’s left egg on his face just when Facebook wants to reassure users that it takes security and privacy seriously.”

Sophos elaborated more about the incident in its security blog.

The odd message posted to Zuckerberg’s fan page relates to Facebook’s announcement last week that it had raised US$1.5 billion at a US$50 billion valuation; US$1 billion of it comes from investment bank Goldman Sachs, which opened up the round to participation from wealthy overseas clients.

Also today, Facebook announced that it is now offering users the ability to secure their connection with the site using HTTPS (Hypertext Transfer Protocol Secure). It is rolling the option out to users and hopes to offer it as a default in the future. Enabling full-session HTTPS will eliminate the ability for attackers to compromise Facebook accounts by using tools like the Firefox plug-in called Firesheep.

CNET’s Caroline McCarthy contributed to this report.

RSA muscles up on core capabilities

newsmaker RSA COO Tom Heiser doesn’t consider himself a visionary because he “cannot predict where things are going to be in five years”. But the company veteran is certain about one thing: security will be an increasingly critical component as cloud and mobile adoption continue to grow.

Heiser joined EMC, which acquired RSA in 2006, as a sales trainee in 1984 after graduating from the University of Massachusetts. The executive progressed through 12 positions within the company before landing up at the EMC security arm in July 2008.

With over 26 years of experience under his belt, the COO considers formulating and executing strategies his strongest suit–skills that are critical in building up RSA’s core strengths in authentication and security management, which he described as “hot growth areas”–thanks to the rise of cloud and mobile computing.

Recently in Singapore to meet sales partners, Heiser sat down with ZDNet Asia to discuss RSA’s business plans and chat about new year resolutions and the risks in migrating to cloud computing.

It’s been three years since the economic downturn in 2008 and things are finally looking bullish for the global economy. Is one of RSA’s new year resolutions to capitalize on this upswing and enter new markets?
There’s this book called Profit From The Core which we use as a template, and this talks about how close we should stay true to one’s core businesses.

Using this as part of our strategic planning process, we determined that RSA has three cores to our business. One core is authentication, the second is security management, while our third “emerging” core is around virtualization and cloud computing.

Are we branching out of these? Probably not. I mean, we take a look at the whole landscape of security, and we see what’s hot, where’s the growth. Security management is super hot, virtualization and cloud computing is crazy hot, so we’re already in these hot, high-growth areas.

What we don’t want to do is delude ourselves. You won’t see us getting into network-based security or endpoint-based security, firewall or antivirus. Those are big but, like antivirus, super slow growth and ripe for disruption. You can take a look at the numbers–antivirus is estimated to be effective 35 percent of the time. So, we’re assuming the firewall will be breached and antivirus won’t work.

Where do you see RSA’s focus heading in 2011?
What RSA has done is we have assembled a portfolio of products, solutions and services into a suite that addresses customers’ challenges. IT spend is supposed to grow 4 to 6 percent this year, and the security market is supposed to grow 9 percent. If you look at these figures, security is twice what the IT spend is. This demonstrates that we’re in areas of high growth.

One of these areas is in security management. We’re putting RSA’s enVision, security information and security management, data loss prevention (DLP) and Archer Technologies’ GRC (governance, risk and compliance) products into a suite, which is where customers are spending their dollars.

The other trend is the explosion of virtualization and cloud computing, and their associated risks. We have tons of data on that, and one statistic that jumped out at me was that 91 percent of CIOs are concerned about security with cloud deployments. Another survey showed that 51 percent of CIOs said security was their No. 1 concern. So, we’re attacking this concern and our portfolio is uniquely positioned to capitalize on that.

That would mean that some companies still can’t quite manage the security risks involved when moving to the cloud?
Absolutely. It’s something I see all the time.

About two months ago, for instance, we were talking to one of the top five global healthcare companies which recently completed a huge private cloud deployment. The company was very progressive and driving cloud for cost savings and operational efficiencies. So it was virtualizing its IT infrastructure and was going crazy with that.

But when we met the CIO and his team, he was, like, ‘I need a strategy to keep up with this thing’. He wasn’t involved in the upfront deployment, so now what he’s doing is playing catch-up with how to protect that environment. This happens all the time.

I wouldn’t call the CIO’s reaction panic, but you could see huge concern on his part where it was reactive rather than proactively building security into the company’s cloud deployment.

You identified authentication as one of RSA’s core areas. Could you give us a glimpse of authentication innovations that are on the cards?
If we go back seven years ago, over 80 percent of RSA’s business was SecurID. In 2011, this will be the first year that SecurID constitutes less than half of our business. It’s not that the business is declining, but that all the other areas are seeing high growth.

If we fast forward, we still have the largest market in authentication but what we’re doing is deploying it in a cloud environment, which is the next big thing.

Mobile authentication is also a big growth area for us. There are over 300 million identities we’re protecting through our software-as-a-service (SaaS) application products. There’ll also be other things through mobile and non-token-based authentication, which are coming up real soon.

Mobile security presents a huge opportunity for us. How do we protect smartphones and make sure these are secured? The other challenge is how we can turn this device into an authenticator.

So these are great opportunities on both fronts: to secure the device, and using the device to secure.

Rivals such as Dell Computer, which acquired storage vendor Compellent last month, and Hewlett-Packard have been pretty active on the acquisition front. Are you planning to join in on the M&A (mergers and acquisitions) fray?
We will be acquisitive, mark my word on that.

Acquisitions aside, though, we’re driving a lot of internal innovations as well. So, we’ll stay true to our core, but we’re going to complement it both organically with our own development as well as through M&A activities.

You’ve been with EMC since 1984, fresh out of graduating from the University of Massachusetts. Ever thought of doing something else, like, investing in your own startup?
You know it’s an interesting question because I once thought of becoming a venture capitalist (VC). But, I’m not a visionary, I can tell you that now. I think I’m very good with execution, and I can develop a strategy but I can’t predict where things are going to be in five years.

I probably picked only one stock to invest in in the past five years–General Electric at US$8 a share–because I knew it wasn’t going to go under. That’s why I never became a VC!

Today, I put everything into my work and family but leave the rest, such as investing, to the professionals.

Did you plan to stay with the same company for so long?
I didn’t plan for it. I would have bet anything that I wouldn’t have been with the same company for 26, almost 27 years. Never in a million ways would I have planned it the way my career has panned out.

In fact, I was 22 years old when I first started out and I wanted to work for IBM, but that offer didn’t come in until after I started with EMC. By then, Roger Marino, one of the founders of EMC, wouldn’t let me quit. I still see him socially and I thank him for keeping me here every time.

I don’t know if you consider it a role or a job but, to me, I had about 12 different jobs in my almost-27 years at EMC. That has allowed me to stay fresh and learn. It’s like every time I’m wrapping up a role, they would say, ‘Hey, do you want to run M&A?’ and I’d think, ‘I’d love to run M&A!’ So I go run M&A. Or ‘Hey, RSA’s got some changes going on’ and I’d say ‘I love RSA! They’ve got so much potential’, and there I go. It’s just been unbelievable for me.

In one sense, being at EMC is all I know, and yet, it’s also kind of embarrassing. But who knows what’s next? One of my tenets is to do the best job possible and your career and compensation will follow. It’s a little bit idealistic, but I haven’t seen anybody following this motto not get rewarded by it.

Retailer’s Web site hack exposes credit card details

Cosmetics company Lush has warned customers that its U.K. Web site has been hacked repeatedly over the past three months, exposing credit-card details to fraudulent use.

Lush did not release technical details of the attack, nor specify the number of customers compromised or the security techniques used to handle the data involved, but anecdotal evidence indicates that some customers have been the victims of fraud.

The company sent an email statement to customers last Thursday outlining the incident and urging them to contact their banks.

Read more of “Attacks on Lush website expose credit-card details” at ZDNet UK.

Hackers target carbon emissions trading market

In a digital heist reminiscent of a John le Carré novel, more than US$9 million worth of greenhouse-gas emissions permits were stolen from the Czech Republic electricity and carbon trading registry last week and transferred to accounts in other countries, at the same time as the Prague-based registry office was evacuated due to a bomb threat.

That electronic theft, the latest in a series of security breaches affecting the market for carbon emissions, led the European Commission to suspend transactions in national European Union registries last Wednesday for a week.

“Three attacks have taken place since the beginning of the year and other registries are known to be vulnerable to similar attacks,” the European Commission said in a statement last Friday. “The Commission’s best estimate is that roughly 2 million allowances, representing a total of less than 0.02 percent of allowances in circulation, have been illegally transferred out of certain accounts.” The much-larger carbon futures market was not affected, the agency said.

Valued at 14.48 euros each, those 2 million allowances would be worth about US$39.4 million based on last Friday’s trading.

Carbon emissions allowances, or permits, are not your typical computer hacker target. Similar to other commodities that are traded on spot and futures markets, European Union Allowances permit energy companies and industrial factories to trade their pollution permits by buying and selling allowances allocated by their government. For instance, a Romanian energy company that expects to emit less carbon dioxide for a particular year can sell its extra government-issued emissions allowances to a utility in Germany that expects to emit more carbon dioxide than its government permits.

Ostensibly, the trading system should be highly secure and trades carefully accounted for to prevent fraud and theft. But lax security at some of the registries and the fact that transactions can be completed quickly on the spot market are likely what is appealing to thieves, sources told ZDNet Asia’s sister site CNET.

“It seems it is relatively easy to access the registries in this country and other countries,” said Nikos Tornikidis, carbon portfolio manager at Blackstone Global Ventures, from whose account 475,000 allowances were stolen.

“Once you get your hands on the allowances, it is quite easy to sell them and the settlement is almost instantaneous,” he told CNET in an interview. “In a matter of hours you can get money out of the system. This doesn’t happen when you trade other things.”

The bomb threat coinciding with the theft of the allowances is just “too coincidental”, said a trader close to the matter who asked to remain anonymous. “The registries have lax security,” he said. “They don’t have mechanisms to filter the accounts” by serial number to prevent theft.

Some people suspect that an insider was involved, the trader said, adding that he believes it was computer hacking instead.

The market was operating normally until around 12:30 p.m. Tuesday when Prague police received a tip of a bomb threat and the offices of the Czech registry, OTE, which stands for Electricity Market Operator, had to be evacuated, according to Reuters.

Early the next morning, employees at Blackstone Global Ventures went to check their carbon permissions account and noticed that it had been nearly emptied out. In addition, the contact information on the account had been changed, something that should only be accomplished by someone with administrator privileges at the registry, said Tornikidis.

Blackstone reported the matter immediately to the Czech Republic registry and was able to find out the unique serial numbers for the missing allowances, he said. “I hope that we managed to stop the trading at a point where our allowances are with the first buyers after the hacker sold them,” he added.

The Czech Republic registry said a total of 1.3 million permits were missing from six accounts and that the digital assets were transferred to accounts in Poland, Italy, Estonia, Liechtenstein, and Germany, and possibly other countries, according to Reuters.

As custodian of the carbon emissions permissions, the OTE has a fiduciary obligation to account holders and should replace any that are missing, Tornikidis said.

“I don’t know how it is possible in today’s IT world that someone is able to hack into an account where someone’s assets are and transfer them out,” he said. “Why can’t they follow the money trail?”

Jiri Stastny, chief executive officer at the OTE in Prague, could not be reached for comment and other employees at the government-run registry directed all calls to him.

The Czech Republic is not the only country to have security problems crop up in the relatively new carbon emissions trading market. The Austrian registry reported theft of allowances due to hackers two weeks ago and 1.6 million allowances belonging to cement maker Holcim in Romania were reported stolen from that country’s registry in November. A year ago, 250,000 allowances were stolen in Germany after companies there were targeted by phishing attacks, according to reports.

The European Commission is likely to require additional security procedures at the national registries, such as passwords being sent to mobile phones or other two-factor authentication methods, according to a Bloomberg report.

This article was first published as a blog post on CNET News.

Malware toolkits guarded with stolen DRM

Malware writers are pinching anti-pirate technology embedded into some of the world’s most popular software to protect their own, according to Symantec.

The antivirus company said writers of complex malware toolkits can embed measures to prevent users from stealing their work.

This means the writers are able to rent the toolkits to non-technical users who then embed the malware into websites in hopes of duping victims out of information such as bank account details.

Writers may also take a commission in an “affiliate system” from the value of victim information stolen using the kits.

Anti-piracy measures used in the most popular software, including Symantec products, have been reverse-engineered and distributed over the internet.

“They are using the same Digital Rights Management (DRM) technology used as major software,” Symantec head Craig Scroggie said. “They are locking down their software for a minimal amount of use or they are changing the IP reply domain so they have to be involved in the sale.”

“They will build their own DRM, steal it from the big names or cobble it together.”

Most would-be buyers of the toolkits lack the technical understanding to reverse-engineer the DRM measures.

The price of a malware toolkit has risen substantially, Scroggie said, from about US$15 in 2006 to more than US$8000.

“The premium is because of the success rate,” Scroggie said.

This article was first published at ZDNet Australia.

S’pore government preps 2FA facility

SINGAPORE–The local government has set up a wholly-owned subsidiary to operate the country’s IT security facility focusing on two-factor authentication (2FA), which is part of an initiative first announced in 2005.

Called Assurity Trusted Solutions, the subsidiary will oversee operations of the national authentication framework (NAF), a nationwide security layer to authenticate online transactions between the government, businesses and citizens.

Officials from the Infocomm Development Authority of Singapore (IDA) said at a media briefing here Thursday that Assurity is scheduled to roll out its services in the second half of this year, offering 2FA services to service providers and consumers. ST Electronics has been contracted to design, build, operate and maintain the NAF infrastructure, in a deal spanning five years. When asked, IDA officials declined to reveal how much the contract was worth.

More details to follow…

Report finds smart-grid security lacking

Echoing concerns of security experts, a new report from the Government Accountability Office warns that smart-grid systems are being deployed without built-in security features.

Certain smart meters have not been designed with a strong security architecture and lack important security features like event logging and forensics capabilities used to detect and analyze cyberattacks, while smart-grid home area networks that manage electricity usage of appliances also lack adequate built-in security, according to the report released last week by the GAO, the auditing and investigative arm of the U.S. Congress.

“Without securely designed smart-grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring,” said the report.

The report also took aim at the self-regulatory nature of the industry, saying utilities are focusing on complying with minimum regulatory requirements rather than having adequate security to prevent cyberattacks.

The National Institute of Standards and Technology “does not have a definitive plan and schedule, including specific milestones, for updating and maintaining its cybersecurity guidelines to address key missing elements”, the report concluded. One of the important elements NIST has failed to address is the risk of attacks that use both cyber and physical means, the report said.

“Furthermore, Federal Energy Regulatory Commission has not established an approach coordinated with other regulators to monitor the extent to which industry is following the smart-grid standards it adopts,” the report said. “The voluntary standards and guidelines developed through the NIST and FERC processes offer promise. However, a voluntary approach poses some risks when applied to smart-grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry.”

In comments on the report that were included as an appendix, the Department of Commerce–which oversees NIST–says NIST “agrees that the risk of combined cyber-physical attacks on the smart grid is an area that needs to be more fully explored in the future.”

Meanwhile, FERC Chairman Jon Wellinghoff said in comments included in an appendix to the report that he will ask his staff to evaluate ways to improve coordination among regulators and assess whether challenges identified in the report should be addressed in FERC’s cybersecurity efforts, but will need to work within the commission’s statutory authority.

The goal of the smart grid is to improve reliability and efficiency by incorporating information technology systems into power lines and customer meters for monitoring power distribution and usage without having to send operators into the field.

(Via Threatpost)

This article was first published as a blog post on CNET News.

Australian university exposes student info

The University of Sydney has exposed thousands of student details including names, addresses and course information to public access via the Internet.

The details were stored in a way that allowed them to be accessed by altering identification numbers revealed in a university Web address.

University of Sydney vice chancellor spokesperson, Andrew Potter, said the details have been pulled offline and the university is investigating the matter.

“We confirmed that method of access was possible and immediately we shut it down,” Potter said. “We do not know as yet if details were compromised.”

Potter did not rule out contacting students to warn them of the breach, but was unsure if an IT forensic investigation was underway.

A review of logs could reveal whether the details were compromised, but industry track records suggest many such attempts fail.

“It depends on having the right logging, which is seldom the case,” HackLabs director Chris Gatford said.

Such vulnerabilities, where data can be accessed by entering sequential numbers into a URL address, are common and are often introduced by software developers.

But common mitigation efforts also fail.

“Developers move the identity from the URL to part of a post request, but it still doesn’t mitigate the vulnerability,” Gatford said. “You can use a local proxy then to identify that value and do the attack in the post of the request.”
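The flaw Gatford describes is an insecure direct object reference: the server authenticates the caller but never checks that the caller may read the particular record whose id was supplied. The following added example, which is not code from the university or from the article, shows a vulnerable handler beside its hardened form, why moving the id from the query string into a POST body changes nothing, and the access log a later forensic review would need; the record store, session model and function names are constructed for illustration.

```python
# Added example (not the university's code): an insecure direct object
# reference, its hardened form, and the audit log an investigation needs.
# Records, sessions and handler names are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample records keyed by the kind of sequential id the article
# describes appearing in the Web address.
STUDENT_RECORDS = {
    1001: {"name": "Student A", "address": "1 Example St", "course": "BSc"},
    1002: {"name": "Student B", "address": "2 Example Ave", "course": "LLB"},
    1003: {"name": "Student C", "address": "3 Example Rd", "course": "MEng"},
}

# Access decisions recorded by the hardened handler: the "right logging"
# that the article notes is seldom in place when a breach is investigated.
AUDIT_LOG: list = []


@dataclass(frozen=True)
class Session:
    user_id: int           # the student this authenticated session belongs to
    is_staff: bool = False


class Forbidden(Exception):
    pass


def get_record_vulnerable(session: Session, student_id: int) -> Optional[dict]:
    """Authenticates the caller but never authorises the object: any
    signed-in user can read any record just by changing the id."""
    return STUDENT_RECORDS.get(student_id)


def get_record_hardened(session: Session, student_id: int) -> Optional[dict]:
    """Checks that this session may read this id before touching the store.
    Authorisation comes first so a denied request does not reveal whether
    the id exists, and every decision is logged with subject and object."""
    allowed = session.is_staff or session.user_id == student_id
    AUDIT_LOG.append(f"user={session.user_id} object={student_id} "
                     f"decision={'allow' if allowed else 'deny'}")
    if not allowed:
        raise Forbidden(f"user {session.user_id} may not read record {student_id}")
    return STUDENT_RECORDS.get(student_id)


Handler = Callable[[Session, int], Optional[dict]]


def handle_request(handler: Handler, session: Session,
                   query: dict, body: dict) -> Optional[dict]:
    """Simulated web layer. The id is read from the POST body when present,
    otherwise from the query string; the handler cannot tell which, which is
    why relocating the id is not a mitigation."""
    raw = body.get("id", query.get("id"))
    if raw is None:
        raise ValueError("missing id")
    return handler(session, int(raw))


def readable_ids(handler: Handler, session: Session, id_range: range) -> list:
    """Self-check for a developer's own application: which ids in a range
    does this session get back? For a correct handler, only its own."""
    found = []
    for candidate in id_range:
        try:
            if handler(session, candidate) is not None:
                found.append(candidate)
        except Forbidden:
            continue
    return found


if __name__ == "__main__":
    me = Session(user_id=1001)
    print(readable_ids(get_record_vulnerable, me, range(1000, 1010)))  # every record
    print(readable_ids(get_record_hardened, me, range(1000, 1010)))    # own record only
    print(*AUDIT_LOG[-3:], sep="\n")
```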

The vulnerability was pointed out to the university by the Sydney Morning Herald, which also reported earlier this week that the university’s Web site and corporate Web pages had been hacked and defaced.

This article was first published at ZDNet Australia.

Two charged in AT&T-iPad data breach

Two men were charged with computer crimes today for allegedly hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer.

Andrew Auernheimer, 25, was arrested in his home town of Fayetteville, Ark., while appearing in state court on unrelated drug charges, and Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in Newark, N.J., according to the U.S. Attorney’s office in New Jersey. Both men were expected to appear before federal judges in Arkansas and New Jersey.

They each face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. They’re also looking at a maximum of 10 years in prison and a US$500,000 fine.

Auernheimer was ordered held until a bail hearing set for Friday, while Spitler was released on US$50,000 bail and ordered not to use the Internet except at his job as a security guard at a Borders bookstore, according to an Associated Press report. In comments to reporters outside the Newark courthouse, Spitler said he was innocent and that “The information in the complaint is false. This case has been blown way out of proportion.”

Auernheimer told the magistrate that he had been drinking until 6:30 that morning and said of the complaint: “This is a great affidavit–fantastic reading,” according to the AP report.

Last June, Auernheimer told ZDNet Asia’s sister site CNET that members of his hacker group, which calls itself Goatse Security, uncovered a hole in AT&T’s Web site used by iPad customers on the 3G wireless network and went public with it by revealing details to Gawker Media.

Up until then, AT&T automatically linked an iPad 3G user’s e-mail address to the iPad’s unique number, called the Integrated Circuit Card Identifier (ICC-ID), so that whenever the customer accessed the AT&T Web site, the ICC-ID was recognized, the e-mail address was automatically populated and the ICC-ID was displayed in the URL in plain text.

Spitler is accused of writing a script called the “iPad 3G Account Slurper” and using it to harvest AT&T customer data via a brute force attack on the site, which fooled the site into revealing the confidential information, according to the criminal complaint filed last week but unsealed and released publicly today.

The complaint includes Internet Relay Chat messages supposedly sent between Auernheimer and Spitler in which they talk about selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

“If we can get a big dataset we could direct market iPad accessories,” Auernheimer says in a message to Spitler, according to the complaint.

In another chat session included in the complaint, Spitler says he would like to stay anonymous so he doesn’t get sued. “Absolutely may be legal risk yeah, mostly civil you absolutely could get sued,” Auernheimer replied, the complaint read.

Before going to Gawker, Auernheimer also allegedly contacted Thomson-Reuters and the San Francisco Chronicle, and sent an e-mail to a board member at News Corp. whose e-mail address was leaked in the breach in attempts to get news articles written about the incident, according to the complaint.

Asked if he reported the hole to AT&T, Auernheimer replied “totally but not really…I don’t (expletive) care I hope they sue me”, according to the chat logs.

“Those chats not only demonstrate that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security,” the U.S. Attorney’s office said in a statement.

AT&T has spent about US$73,000 as a result of the breach, including contacting all iPad 3G customers to notify them, the complaint says. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.

Auernheimer told CNET last summer that the data exposed in the breach was contained. The concern was that iPad users who had their e-mail addresses exposed would then be at risk of receiving phishing or spam e-mail that appeared to be from Apple or AT&T but which was designed instead to trick them into revealing more information or downloading malware.

Auernheimer did not return an e-mail seeking comment, and Spitler could not be reached. AT&T did not immediately respond to a request for comment.

Auernheimer, a self-described Internet “troll”, was arrested last June when authorities found drugs while searching his home for evidence related to the AT&T-iPad investigation. He was later released on bail.

This article was first published as a blog post on CNET News.

App servers potential threat to mobile landscape

While both Web and app servers face pressing security issues, the latter is increasingly in the firing line as more users are now utilizing mobile devices to access apps. The risk is further exacerbated due to the fact that technologies behind app servers are more complex, cautioned a security executive.

According to Jonathan Andresen, technology evangelist at Blue Coat Systems Asia-Pacific, there are two factors behind the security challenges presented by app servers. First, the two-way communication between the user and the app server has intensified. This can result in users unknowingly “uploading” malicious content to an app server that is not protected, Andresen said in an e-mail.

Second, compared with Web servers, app servers need more CPU power, he said, noting that this makes app servers more vulnerable to denial-of-service (DoS) attacks.

These two factors, combined with a rise in threats targeting mobile devices, put app servers in an “especially challenging” position, he said.

Another security player agreed with Andresen’s observation.

Paul Oliveria, technical marketing researcher at Trend Micro, noted that many apps today are essentially “mini browsers” in which they gather user input, send it to a server and display the results for users to view.

Oliveria explained: “These [app] servers are vulnerable to all the usual attacks that traditional Web servers are vulnerable to, and in fact, probably more so.”

He pointed out that “almost anyone” can now develop an application and sell it. In the case of Google Android apps, for example, interested developers can simply submit an application form, pay US$25 and start developing apps.

Given this scenario, and the relatively small investment required from developers, he questioned whether these developers would be as committed as more established developers to beefing up their app server security.

To combat potential threats to app servers, Oliveria reckoned that any good and reputable developer would expect users to behave in unpredictable ways and code apps to restrict the type of information sent by users to the app server.

He also called on developers to pay attention to securing their server-side infrastructure which can be accessed not only via an app, but also through a Web browser or direct network connection.

Paul Ducklin, head of technology at Sophos Asia-Pacific, added that less is more with regard to the amount of information users should be allowed to access via app servers.

He noted that a traditional Web server is set up to help a company get as many people as possible to visit its corporate Web site and learn about its operations, but the Web administrator will only put up information that the company wants the public to see.

App servers, however, often give public access to information that is traditionally not made available to users outside the company, Ducklin noted.

“So developers need to ensure that when they make it easier for users to access the app servers [for more information], they don’t open up too much or they may experience their personal ‘Wikileaks moment’,” he warned.

Andresen recommended deploying purpose-built security appliances such as application firewalls as a best practice to secure app servers. He explained that adding another layer in front of the application server would ensure security is not compromised, regardless of whether coding for the application is secure or not.

He also zoomed in on social networking apps, noting that with over 30 billion pieces of content such as Web links, blog posts and photos, shared on these platforms each month, it is “extremely difficult for application vendors to detect malicious content uploaded by users”.

In this landscape, it would not be viable for mobile users to deploy a complete PC-centric security tool on devices that have limited processing abilities, Andresen added.

“What users need is a lightweight browsing capability that can leverage the processing capabilities of a user-driven cloud network [to filter, validate and secure Web content delivered to mobile devices],” he surmised.

RSA: SMS bank tokens vulnerable

Mobile phone attacks will increase this year as criminals attempt to intercept SMS-based authentication tokens, according to security company RSA.

The tokens are designed to complement username and password log-in checks by requiring users to validate payments with unique numerical codes, in this instance sent by SMS.

The approach is becoming more popular, and the Commonwealth Bank of Australia claims to have 80 per cent of its customer base using tokens to validate third-party payments via SMS or through safer handheld token-number generators. The bank isn’t forcing customers to use it, but those who don’t will not be permitted to carry out high-risk transactions over NetBank.

RSA said in a 2011 predictions report that sending tokens via SMS will make phones a target.

“The use of out-of-band authentication SMS…as an additional layer of security adds to the vulnerabilities in the mobile channel,” the company said in its report.

“A criminal can…conduct a telephony denial-of-service (DoS) attack which essentially renders a consumer’s mobile device unavailable.

“SMS forwarding services are also becoming mainstream in the fraud underground and enable the [token] sent by a bank via text to a user’s mobile phone to be intercepted and forwarded directly to the cybercriminal’s phone.”

The company said that mobile phone smishing attacks, or phishing scams sent via SMS, will also rise this year.

“Success rates are higher with a smishing attack compared to a standard phishing attack, as consumers are not conditioned to receiving spam on their mobile phone so are more likely to believe the communication is legitimate,” the report said.

It said there are no effective technologies to prevent smishing.

The report also claimed that the infamous Zeus malware, widely blamed for most of the online transaction fraud, will merge with rival SpyEye to create a hybrid trojan.

It alleges that the new hybrid will include a kernel mode rootkit, improved HTML infection abilities and remote desktop access.

“Should [its creator] act on his plans, this already spells evolution in the type of commercially available malware likely to be sold in the underground in 2011,” the report read.

This article was first published on ZDNet Australia.

OECD: Cyberwar risk is exaggerated

While governments need to prepare for cyberattacks involving espionage or malware, the likelihood of a sophisticated attack like Stuxnet is small, according to a study by the Organisation for Economic Co-operation and Development (OECD).

In a cyberwarfare report (PDF) released yesterday, the OECD said that the risk of a catastrophic attack on critical national systems has been exaggerated. The majority of cyberattacks are low-level and cause inconvenience rather than serious or long-term disruption, according to a co-author of the report, professor Peter Sommer of the London School of Economics.

“There are many scare stories, which, when you test, don’t actually pan out,” Sommer said. “When you analyze malware, a lot is likely to be short-term, or fail.”

Read more of “Cyber-war risk is exaggerated, says OECD study” at ZDNet UK.

Facebook tweak reveals addresses, phone numbers

In what is potentially another privacy misstep, Facebook has made a change to a permissions dialog box users see when downloading third-party Facebook apps–a change that potentially makes users’ addresses and phone numbers available to app developers.

The tweak was made known to developers of third-party apps last Friday night, by way of a post on the Facebook Developer Blog. Basically, when a person starts downloading a third-party Facebook app, a “Request for Permission” dialog box appears that asks for access to basic information including the downloader’s name, profile picture, gender, user ID, list of friends, and more. What’s new as of Friday is an additional section that asks for access to the downloader’s current address and mobile phone number.

As mentioned in numerous media reports, the concern among Facebook users and privacy advocates is that users won’t notice the change and will click the dialog box’s Allow button unthinkingly. Further, people are worried that unscrupulous developers could cook up bogus apps with the sole purpose of capturing the private information–apps that wouldn’t necessarily be spotted and taken down immediately. Aside from the potential for outright hacking and identity theft, it’s not unheard of for app developers to sell information on Facebook users to data brokers.

Users of third-party Facebook apps can simply click the Don’t Allow button–which reportedly won’t interfere with a successful download–or they can remove their address and phone number from their Facebook profile.

Graham Cluley, with security company Sophos, suggested in his own blog post that users do the latter. (The post was brought to our attention by PC Magazine.)

“My advice to you is simple,” Cluley wrote, highlighting the following with boldface text, “remove your home address and mobile phone number from your Facebook profile now.”

Cluley also wondered if Facebook could have taken a safer approach.

“Wouldn’t it be better if only app developers who had been approved by Facebook were allowed to gather this information?” he wrote. “Or–should the information be necessary for the application–wouldn’t it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?”

ZDNet Asia’s sister site CNET e-mailed Facebook a request for comment but hadn’t heard back by publication time.

Privacy was a major issue for Facebook last year, with the company provoking the concern of privacy advocates, lawmakers, and social-networking fans alike.

This article was first published as a blog post on CNET News.

App marketplace vendors mum on account hacks

Mobile app store vendors were coy about incidents related to account hacks when asked if they had preventive measures to safeguard hacked accounts from being exploited.

Following recent reports of hacked Apple iTunes accounts being sold on Chinese online auction site Taobao, ZDNet Asia queried app marketplace operators about security measures they implemented to protect accounts from being hacked and used illegally.

Chris Chin, Microsoft’s Asia Pacific director of developer marketing for mobile communication, said users who discover that their Windows Live ID has been compromised should recover their account by resetting their password. Windows Phone 7 users buy apps from the Microsoft Windows Phone Marketplace which is linked to their Windows Live accounts.

Chin added: “If you believe unauthorized Marketplace purchases were made with your account, contact our support team.” However, he did not reveal if there have been reports of hacked Windows Live accounts being used to buy apps illegally or the types of safeguards Microsoft has implemented to prevent such incidents from happening.

Chin, however, did say that the company is “focused on helping to educate people about what they can do to increase their online safety and reduce the risk of fraud”.

Noting that a common cause of compromised online accounts is threats from malware and phishing, he added that users should use a secure Web browser when surfing online.

Google declined to comment for the story.

When contacted, Apple did not respond specifically to ZDNet Asia’s queries on what preventive measures it had implemented to protect its users. Instead, a company spokesperson pointed to a news report that revealed Taobao had since taken down auctions of hacked iTunes accounts and added that the Chinese company should instead be contacted for comments.

Taobao spokesperson, Justine Chao, told ZDNet Asia in an e-mail interview that the Chinese auction site removed the listing of hacked accounts after receiving complaints from Taobao users that the iTunes accounts sold were “not what they expected”.

“We had not been advised by Apple to take any action thus far,” she noted. “Our decision to remove the listings was done in the interest of protecting the consumers who shop on Taobao.”

Previous reports noted that the site was reluctant to take down the listings unless it receives “a valid takedown request”.

Hacked user shares experience
A ZDNet Asia reader, Kassandra, recalled the harrowing experience she encountered when her iTunes account had been hacked and used to purchase apps, and the long process it took to dispute the charges.

In an e-mail interview, she explained that she discovered on May 11, 2010, that her iTunes account was used to purchase apps that she did not download. The New York-based sales coordinator said the apps purchased were in Mandarin and were transacted in China.

She said she has always been careful about managing her financial information and frequently changes all her passwords. A credit card number she used was stolen once but Kassandra said she had taken care then to change all her credit cards.

When she realized the app purchases had been made illegally via her iTunes account, she tried to contact Apple but could not find a dedicated iTunes customer service number to call.

“Getting to talk to an actual human being [at Apple iTunes] was a process,” she recalled. “I e-mailed their customer service but I needed action to be taken immediately, so I called the main Apple customer service and just kept talking to whoever I could and asking to be transferred [to the relevant person].”

“They repeatedly told me to e-mail iTunes but I wouldn’t take that for an answer,” Kassandra said. Her perseverance was rewarded when she was transferred to a department handling Apple accounts and the customer service representative was helpful, she noted.

The representative then said the company would do whatever it could to resolve the issue but added that it was not possible for an iTunes account to be hacked. “I found out that wasn’t true when I searched online and found that many people have experienced their accounts getting hacked into,” Kassandra said.

She noted the Apple representative told her the bank would handle the money issue. However, she added that her bank had to contact Apple to dispute the charges, which racked up to over US$400. She added that she made frequent calls to the bank to make sure the dispute would be managed smoothly.

Kassandra said: “At one point, the bank was not going to take the charges off because it said the purchases ‘were similar to my purchase history with Apple’.”

While the dispute was eventually resolved, the incident has made her nervous about making purchases online. “I do not feel safe,” said Kassandra.

Another mobile user, Nicole Nilar, shared that while she is not worried about online security when buying apps, she is more concerned about purchasing fake applications. A senior digital marketing executive who owns an Android phone, Nilar told ZDNet Asia in an instant message interview that she had heard about illegitimate applications masquerading as real applications in Google’s Android Market.

“The developers rip off the screenshots of popular apps and sell them at a high price. It’s only after buyers have made their purchase before they realize they paid US$6 to US$8 for only a wallpaper,” she said.

While she noted that Apple might be too strict with its app ecosystem, she said Google should take a few leaves out of Cupertino’s book and implement measures to ensure apps on its marketplace are legitimate.

Global spam traffic rebounds as Rustock wakes

Spam is on the rise after the Rustock botnet awoke from its Christmas slumber, according to Symantec.

On Monday the Rustock botnet, responsible for a significant portion of the world’s spam, resumed activity after pausing spam operations on Dec. 25.

“As Rustock has now returned, this means the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on Jan. 9,” Symantec wrote on Monday. “It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it’s now back to business as usual,” it said.

Read more of “Global spam traffic rebounds as Rustock wakes” at ZDNet UK.

Tablets unsafe for enterprise adoption?

With tablets becoming more popular on the consumer and enterprise front, experts agree that security is an element that must be dealt with, especially as more applications are developed to enhance their usability.

Edison Yu, manager for ICT practice at Frost and Sullivan, warned that it is “pertinent” for users to start being aware of the risks. Many of the apps, he said in an e-mail, “may actually look to leverage on the increasingly prevalent habit of users sharing their personal data around freely, and [enable] cybercriminals to steal and sell private information”.

According to Kwa Kim Chiong, CEO of JustLogin, the security risks tied to accessing apps via tablets are no different from those of accessing them via the Web. “Whichever means you choose to access the applications, there will be threats”, he said in an e-mail.

The head of the Singapore-based software-as-a-service (SaaS) provider added that the Wi-Fi network which tablet users log on to contributes to the overall risk level, as the data transmitted could be intercepted by hackers.

However, Bryan Ma, associate vice president for devices and peripherals at IDC Asia-Pacific’s domain research and practice groups, said the threat to tablets is for now not a concern. This is because “theoretically speaking”, while tablets, as with other computing devices, are open to threats, the user base is not big.

“If you look at security threats, they tend to threaten the Windows platform, mainly because of the sheer number of users,” Ma noted.

Tablet usage, though, is on the uptrend. In a report released last November, research analyst Gartner predicted that media tablets will displace around 10 percent of PC units by 2014. A separate forecast from FBR Capital Markets indicated that 70 million of such devices will be sold this year, with a PC sale lost for every 2.5 tablets sold.

Secure tablet ecosystem takes many hands to clap
As more enterprises adopt tablets, Frost & Sullivan’s Yu agreed that vendors can look to incorporate into future models more security features, on top of the ability to communicate with other devices and technologies.

“It is critical for the tablet to take on more enterprise-class capabilities, be it support for enterprise apps or reaching the required performance levels,” he noted. “With mobility expected to characterize the office environment of the future, the tablet could find itself at the forefront of the enterprise mobile computing trend.”

One such tablet that is already perceived to be “safe” is the Playbook by Research in Motion (RIM). The highly publicized but yet-to-be-launched device would have security functions built in, as RIM’s customer base tends to be businesses and IT managers, Ma of IDC said. Security protocols to protect sensitive data from unauthorized access, for instance, would be among such features, he explained.

Kwa, whose SaaS company develops human resource and collaboration apps for the Apple iPhone and iPad, said JustLogin’s apps communicate directly with the Web services hosted at their own servers, and no data is stored locally on the tablets.

“Before the user is able to access the data, the application will encrypt the password entered on the tablet and call one of the Web services. The validation is done through a series of handshaking protocols before the data is sent over,” he explained.

Handshaking protocols refer to technical rules a computer must observe to establish connection with another system.

Asked who should shoulder the responsibility to ensure a safer tablet ecosystem, both Kwa and Frost & Sullivan’s Yu said all parties–from hardware vendors to app stores and users–have their roles to fulfill.

While IDC’s Ma argued the hardware vendor’s responsibility is merely to make its product as attractive as possible, Yu said adding security features is the way forward, as vendors “can do their bit in protecting end users from cyberthreats since many consumers may not be as security-savvy.”

End users could limit information sharing on the Web, and enterprises “have to realize that tablets are still consumer-based, therefore these devices may not be safe for corporate adoption”, Yu cautioned.

Kwa pointed out that apps, too, have to be secure. To that end, he noted that Apple’s App Store is more secure than Web applications available on the Internet, as they are vetted before they are released for users to download.

“At least [the process] is controlled and there is an identifiable owner behind each application,” Kwa said.

Sophos: Spam to get more malicious

Spam is becoming more malicious in nature as trickery tactics change in line with current user interests, according to a new report released Tuesday by Sophos.

The security vendor’s “Dirty Dozen” report, reviewing global spam trends between October and December 2010, noted that more unsolicited e-mail messages were spreading malware and attempting to trick unsuspecting users into giving confidential data such as user names and passwords.

Sophos also noted an increase in more focused, targeted e-mail attacks, or spear-phishing. Cybercrooks continued to seek victims via social networks, with a growing number of reports of malicious apps, compromised profiles and unwanted messages spreading across social networking sites such as Facebook and Twitter.

“Spam is certainly here to stay, however, the motivations and methods are continuing to change in order to reap the greatest rewards for the spammers,” Graham Cluley, senior technology consultant at Sophos, said in a statement. “What’s becoming even more prevalent is the mailing of links to poisoned Web pages–victims are tricked into clicking a link in an e-mail, and then led to a site that attacks their computer with exploits or attempts to implant fake antivirus software.”

Traditional spam messages touting pharmaceutical products have not gone away either, Sophos noted. Tens of millions of Americans are believed to have purchased drugs from unlicensed online sellers, it added in the report.

Cluley noted: “As long as spammers continue to make money from these schemes, Internet users can be sure that they’ll continue to receive unsolicited e-mail and social networking scams.

“To combat this, it’s essential that computer users remain wary of clicking on unknown links, regardless of whether they appear to be on a trusted contact’s social networking page.”

US reigns as spam king
Europe and Asia were the top two continents of spam origin, with a combined share of 64 percent, while the United States continued to be the country responsible for the most junk e-mail. The U.S. accounted for 18.8 percent of spam messages worldwide in the previous quarter, and continues to be plagued by bots, or zombie PCs that are remotely controlled by hackers, Sophos said.

Three Asian nations made the latest Dirty Dozen list: India took second spot with a 6.9 percent share of spam relayed between October and December 2010; South Korea was No. 8 with 3 percent; and Vietnam, which accounted for 2.8 percent, clocked in at No. 10. The three countries have consistently been ranked among the Top 12 over the last year, according to Sophos.

Microsoft plugs three Windows holes, works on others

Microsoft today issued two bulletins fixing three holes in Windows, including one rated critical for Windows XP, Vista, and Windows 7 as part of Patch Tuesday.

“We are not aware of proof-of-concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month’s release,” the company wrote in a Microsoft Security Response Center blog post.

The critical vulnerability is addressed in Bulletin MS11-002. The bulletin fixes the critical hole and an “important” vulnerability, both in Microsoft Data Access Components, that could allow an attacker to take over the computer if a user merely viewed a malicious Web page.

The second bulletin, MS11-001, resolves an “important” vulnerability that could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a malicious library file. The user would have to visit an untrusted remote file system or WebDAV (Web-based Distributed Authoring and Versioning) share for the attack to be successful.

More details are in the security advisory for this month.

Meanwhile, Microsoft revised Security Advisory 2488013 related to Cascading Style Sheets (CSS) to add an additional workaround for a vulnerability that affects Internet Explorer and for which there have been reports of targeted attacks.

“The most important vulnerability, known as ‘css.css’, affects all versions of Internet Explorer and is rated critical,” said Wolfgang Kandek, chief technology officer at Qualys. “The exploit code is public and targeted attacks have been observed.”

Security experts said they were more interested in when Microsoft plans to patch existing zero-day holes than in the fixes that were released.

“Instead of talking about the number of bulletins being patched today, everyone’s mind is on the five vulnerabilities that are not being patched,” said Andrew Storms, director of security operations for nCircle.

Microsoft has a list of the pending issues here. On that list is a bug in IE disclosed by Google security researcher Michal Zalewski for which he said an exploit had been leaked to the Web. He also publicly released a tool he said he had used to find the hole and others in major browsers. Microsoft says it is still assessing the issues Zalewski brought up.

This article was first published as a blog post on CNET News.

US memo on insider threats leaked

A White House memo on how to improve data security in the wake of the publication of hundreds of thousands of leaked US documents on WikiLeaks has been leaked.

Leaked memo on WikiLeaks aftermath

The memo, which was circulated to the heads of U.S. government departments and agencies on Jan. 3, was handed to MSNBC news. The document was formulated in response to leaks to the WikiLeaks Web site by whistleblowers and designed for use by agencies handling classified material.

The memo asks whether government agencies that handle national security documents have adequate data security practices in place, including appropriate access controls. The document provides a checklist, with questions including whether disparate information about employee evaluations, polygraph tests and IT auditing of user activities, are pieced together to give indicators of insider threats. The memo also asks whether the agency uses psychiatrists and sociologists to gauge employee “despondence and grumpiness as a means to gauge waning trustworthiness”.

Read more of “US memo on insider threats leaked” at ZDNet UK.

China’s US$90B ups cyberwar stakes

Last year, Northrop Grumman released a report warning that China had a mighty cyber arsenal which it could use in a possible future cyber conflict. News last week that Chinese defense spending could be double the public figure could mean that such claims are true, and perhaps even conservative.

The news arose in diplomatic cables dating back to 2006 obtained from Wikileaks by Fairfax newspapers. Australian diplomats reported to the United States that the Australian Government believed China’s military budget was US$90 billion, double the US$45 billion publicly announced by Beijing.

Australian intelligence and defence agencies told the U.S. that China was building a military capability well above that needed to repel a move for independence by Taiwan, and said it had become a risk to stability in the region.

“China’s longer-term agenda is to develop ‘comprehensive national power’, including a strong military, that is in keeping with its view of itself as a great power,” the cables said.

A document (PDF) provided to the U.S.-China Economic and Security Review Commission by Northrop Grumman in October last year claimed that China had a significant cyber warfare capability, including a military and civilian militia made up of network specialists, and fully functional offensive hacking and counter-intelligence wings.

The document also claimed the country has stockpiled a kinetic arsenal that includes lasers, high-power microwave systems and nuclear-generated electromagnetic pulses to supplement its cyber warfare force. It also claimed the country is training its forces to work under “complex electromagnetic conditions”.

While it is unclear if defense specialists espousing China’s cyber warfare capabilities, such as Northrop Grumman, were privy to this information, the larger defense budget would seem to lend credence to their claims.

It’s something governments do not like to discuss. Last year, the United States opened its Cyber Command, but that is still heavily dependent on private industry. Meanwhile, the Australian Defence Force revealed in its Defence Whitepaper that it will “invest in a major enhancement of [its] cyber warfare capability”, yet that appears to centre on response and defensive means.

The extent and intent of cyber warfare arsenals is hotly contested and there are as many cyberwar sceptics as proponents.

Yet, it’s certainly reasonable to suggest China did not splurge US$90 billion on guns and bombs alone. In a time heavy with cyberwar rhetoric, it would make sense for them to hedge their bets.

This article was first published at ZDNet Australia.

Chinese auction site touts hacked iTunes accounts

Tens of thousands of reportedly hacked iTunes accounts have been found on Chinese auction site Taobao, but the company claims it is unable to take action unless there are direct complaints, according to news reports.

The Global Times reported Thursday as many as 50,000 illegally obtained iTunes accounts were sold on China’s biggest consumer auction site. The Beijing-based newspaper also interviewed a seller who admitted the accounts were hacked but did not reveal how they were obtained.

Taobao, however, said that to protect its users, it would not be taking action until it has received a formal request. In a statement carried by BBC, the company said: “We take all reasonable and necessary measures to protect the rights of consumers who use Taobao, of our sellers and of third-parties. Until we receive a valid takedown request, we cannot take action.”

Advertisements on Taobao for the iTunes accounts offer heavily marked down prices. One of the listings visited by ZDNet Asia allowed buyers to decide how much they wanted in the accounts, with US$1 in exchange for only 1 RMB (US$0.15). Buyers are required to purchase at least US$10 and at the time of writing, 175 transactions have been made.

Access to the iTunes account is, however, limited to 12 hours, according to the listing. It also cautioned buyers that apps bought via this means are not upgradeable and that it would be a matter of time before illegally acquired iTunes accounts are closed.

Apple had declined to comment on the news, according to BBC.

This is not the first time Apple iTunes accounts have been compromised. In July 2010, reports surfaced that customers’ accounts were hacked and used to purchase software. However, it is not clear whether the accounts being sold on Taobao are related to the previous incident.

Corporate data accessed by too many

With increasing ease of access to corporate data, organizations are in danger of “breaches” in the form of files, rather than database records, warned security vendor Imperva, adding that the number of affected companies is set to rise.

As more and more sensitive data gets disseminated as unstructured content, hackers may seek to take advantage of the loopholes, and make away with confidential data for financial or personal gains, Stree Naidu, Imperva’s Asia-Pacific vice president, told ZDNet Asia in an e-mail interview.

“While most business applications use structured storage such as databases to maintain and process sensitive and critical data, users are constantly creating and storing more unstructured content, based on the information taken from these systems,” he said.

Such information includes data stored in Excel spreadsheets, presentations and medical lab results sent as letters to patients. However, it is not merely the transfer of the information that is opening up loopholes and opportunities for unauthorized access, Naidu explained.

“The documents do not actually need to be sent anywhere for a threat to exist. What we’ve observed, and the recent WikiLeaks incidents have shown, is that data is accessible by too many people within the business–people who do have a legitimate need for access, despite strict company policies,” he pointed out.

Therefore, reducing access rights to a business need-to-know level and monitoring access activity are some ways to mitigate the risk.

Furthermore, with data volume increasing at 60 percent every year, increased sharing of data, as well as data retention policies, are also contributing to the threat of security breaches, Naidu said.

The situation is further complicated by the fact that files are “autonomous entities”, which organizations do not have control of even with today’s tools, he added. Unlike database records, which are created by pre-programmed applications, the inability to maintain control of files “may result in excessive access privileges and an inadequate audit trail of access to sensitive information”.

Cloud-based software such as Google Docs and Jive, and internal document management systems such as Microsoft’s SharePoint or EMC’s Documentum, have become part of enterprise IT, which has also widened the attack surface and, therefore, the risk of threats.

The Wikileaks incident last year was a clear indication that “massive leakage and compromise of sensitive information is indeed becoming a clear and present danger”, according to Naidu.

Another case of high-profile breach involved a former Goldman Sachs employee, who stole source code used for a proprietary high-frequency trading program, by using his desktop to upload the code to a server based in Germany, Naidu noted.

The bank identified the misconduct after observing large amounts of data leaving the servers, which led to the rogue employee’s arrest.

With these in mind, Naidu said organizations ought to budget and plan for the next generation of file access monitoring and governance tools to reduce the risk of file exposure. Some key characteristics to take note of include:

  • Policies set and expressed by content of file, rather than metadata
  • Flexible deployment, without impacting data stores or network architecture
  • Adaptive deployment with focus on the most accessed files, without compromising the ability to track sensitive information in older files
  • Ability to identify file owners and excessive rights to files
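The first and last items on that list, policy driven by what a file contains rather than its name, and detection of excessive rights, can be illustrated with a small audit. The following is an added example, not Imperva’s product or any code from the article: it classifies a handful of constructed files by content, then flags the sensitive ones that are readable by broad groups or by more named accounts than a hypothetical need-to-know threshold allows, reporting the owner with each finding.

```python
import re
from dataclasses import dataclass


@dataclass
class StoredFile:
    """One file as the audit sees it: location, owner, who may read it, and its text."""
    path: str
    owner: str
    readers: set      # accounts and groups granted read access (constructed ACL)
    content: str


# Policy expressed by file content, not by file name or other metadata.
CONTENT_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "lab-result": re.compile(r"\b(glucose|hemoglobin|biopsy)\b", re.I),
}
# Groups whose membership is effectively "everybody" (hypothetical names).
BROAD_GROUPS = {"Everyone", "Domain Users", "all-staff"}
# Hypothetical need-to-know threshold for named readers other than the owner.
MAX_NAMED_READERS = 4


def classify(f: StoredFile) -> list:
    """Labels that the file's content matches, sorted for stable output."""
    return sorted(label for label, rx in CONTENT_RULES.items() if rx.search(f.content))


def audit(files: list) -> list:
    """Report sensitive files whose read rights exceed need-to-know."""
    findings = []
    for f in files:
        labels = classify(f)
        if not labels:
            continue                      # nothing sensitive inside, whoever can read it
        broad = sorted(f.readers & BROAD_GROUPS)
        named = sorted(f.readers - BROAD_GROUPS - {f.owner})
        reasons = []
        if broad:
            reasons.append("readable by broad group(s): " + ", ".join(broad))
        if len(named) > MAX_NAMED_READERS:
            reasons.append(f"{len(named)} named readers exceeds limit of {MAX_NAMED_READERS}")
        if reasons:
            findings.append({"path": f.path, "owner": f.owner,
                             "labels": labels, "reasons": reasons})
    return findings


# Constructed sample files; none of these are real records.
SAMPLE_FILES = [
    StoredFile("finance/Q3-forecast.xlsx", "cfo", {"all-staff"},
               "Revenue forecast 12.4M, headcount flat"),
    StoredFile("clinic/lab-letter-0412.docx", "dr.lee", {"Everyone", "dr.lee"},
               "Patient 123-45-6789: glucose 5.6 mmol/L, repeat in 3 months"),
    StoredFile("hr/evaluations.xlsx", "hr.admin",
               {"hr.admin", "alice", "bob", "carol", "dave", "erin", "frank"},
               "Employee 987-65-4321 rating 4/5"),
    StoredFile("sales/expense-claim.txt", "sam", {"sam", "finance.ops"},
               "Card 4111 1111 1111 1111 charged 42.00 for client lunch"),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding["path"], "owner:", finding["owner"], finding["labels"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The forecast spreadsheet is open to all staff but carries nothing the content rules recognise, so it is not reported; the expense claim contains a card number but is shared with a single finance account, which is within the threshold. Only the lab letter (open to Everyone) and the HR spreadsheet (six named readers) come back, each with its owner, which is the person who can decide whether those rights are justified.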

The executive also advised that enterprises be constantly on the lookout as hacking methods are always “improving and evading detection”. Businesses, he urged, should increase monitoring visibility of traffic and set security controls across all organization layers.

“A security control should understand these shifts in the hacker industry and rapidly incorporate these changes in their organization,” said Naidu. “This could even include incorporating a reputation-based control, which could stop large automated Web-based attacks known to originate from malicious sources.”

Spam drops sharply over Christmas

The amount of spam being pumped out by networks of compromised computers dropped sharply over the festive period, according to Symantec.

The security company’s subsidiary MessageLabs said the steep drop was in part due to spam coming from the Rustock botnet slowing to a trickle, while two botnets, Lethic and Xarvester, appear to have ceased activity.

“Rustock is sending spam in much-reduced volumes, while the other two botnets have stopped sending spam altogether,” MessageLabs intelligence senior analyst Paul Wood told ZDNet UK on Thursday.

Read more of “Spam drops sharply over Christmas” at ZDNet UK.

Microsoft to fix Windows holes, but not ones in IE

Microsoft said Thursday that it will release two security bulletins next week fixing three holes in Windows, but it is still investigating or working on fixing holes in Internet Explorer that have been reportedly exploited in attacks.

One bulletin due out on Patch Tuesday, rated “important,” affects only Windows Vista but the second one, with an aggregate rating of “critical,” affects all supported versions of Windows.

Microsoft is not releasing updates to address a hole affecting the Windows Graphics Rendering Engine that it disclosed earlier this week, or one disclosed in late December, Security Advisory 2488013, that affects Internet Explorer and for which there have been reports of targeted attacks, the company said in a post on the Microsoft Security Response Center blog.

“We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks,” the post said. “If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.”

Also not mentioned in the Patch Tuesday preview announcement by Microsoft is a bug in IE disclosed last weekend by Michal Zalewski, a security researcher for Google based in Poland. Zalewski released a tool he used to find the hole and others in all the major browsers and said that an exploit for the IE bug had been leaked to the Web accidentally. Security firm Vupen has confirmed the critical hole in IE 8. Microsoft says in Security Advisory 2490606 that it is investigating the bug reports.

Josh Abraham, a security researcher at Rapid7, was surprised that Microsoft was not rushing to fix holes that were reportedly being used in attacks.

“With only two bulletins this month, the big shock is that Microsoft is not addressing two security advisories that have already been weaponized,” Abraham said. “I would bet that if the malicious attackers start using the exploits, then we will see an out-of-band patch.”

Meanwhile, as Microsoft released its Patch Tuesday preview, Sophos is warning people about a fake Microsoft security update e-mail circulating that contained a worm. The subject line says “Update your Windows” and urges recipients to download an attached executable. But Microsoft does not issue security patches via e-mail attachments. Another clue that it’s a scam–Microsoft is misspelled in the forged e-mail header as “microsft.”
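The tells Sophos describes, a lookalike sender domain, an “update your Windows” lure and an executable attachment that a vendor would never send as a patch, are simple to check mechanically at a mail gateway. The following is an added example, not Sophos’ or Microsoft’s code: it parses a constructed forged message with Python’s standard `email` package and returns the findings a defender would want logged; the allowlisted domain, the subject pattern and the sample headers are assumptions for the illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Optional

# Domains a vendor-update notice could legitimately come from (hypothetical allowlist).
TRUSTED_DOMAINS = {"microsoft.com"}
# Attachment types an update notice should never carry.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
LURE_SUBJECT = re.compile(r"update your (windows|pc|computer)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if it is genuine/unrelated."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw: bytes) -> list:
    """Return (finding, detail) pairs for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(("lookalike-sender", f"{domain} resembles {imitated}"))
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        findings.append(("update-lure-subject", subject))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("executable-attachment", name))
            # Microsoft does not distribute security patches as e-mail attachments,
            # so a "Microsoft" sender plus an executable is a finding in itself.
            if imitated or "microsoft" in display_name.lower():
                findings.append(("patch-by-attachment", name))
    return findings


# Constructed sample of a forged update notice (hypothetical headers, placeholder payload).
FORGED_UPDATE_MAIL = b"""\
From: Microsoft Security Center <update@microsft.com>
To: user@example.org
Subject: Update your Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

A critical security update is attached. Install it today.

--sep
Content-Type: application/octet-stream; name="Windows-Update.exe"
Content-Disposition: attachment; filename="Windows-Update.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sep--
"""

# Constructed benign message for comparison.
BENIGN_MAIL = b"""\
From: Colleague <colleague@example.org>
To: user@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="us-ascii"

Same place as last time?
"""

if __name__ == "__main__":
    for code, detail in analyse(FORGED_UPDATE_MAIL):
        print(f"{code}: {detail}")
    print("benign findings:", analyse(BENIGN_MAIL))
```

The base64 body decodes to the string PLACEHOLDER, not to a program. In practice the domain comparison would run against the organisation’s own list of vendors it expects mail from, and the executable check would also look inside archives, since the attachment here is the obvious case rather than the hard one.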

This article was first published as a blog post on CNET News.

Sourcefire buys Immunet for US$21M

Network security company Sourcefire is acquiring Immunet, a cloud-based anti-malware startup, for US$21 million in cash, the companies announced Thursday.

The acquisition expands the cloud-based offerings for Sourcefire, creator of the open-source Snort intrusion detection technology.

Columbia, Md.-based Sourcefire said it will not lay off any of Immunet’s full-time staff, which is based in Palo Alto, Calif.

Sourcefire paid US$17 million at the closing of the deal and will pay US$4 million during the next 18 months dependent on product delivery milestones, the companies said in a statement.

Immunet chief executive Oliver Friedrich co-founded SecurityFocus, which Symantec acquired in 2002, and Secure Networks, which McAfee bought in 1998.

The acquisition announcement comes on the heels of news Wednesday that Dell is acquiring SecureWorks.

This article was first published as a blog post on CNET News.

US govt e-card scam hits confidential data

A fake U.S. government Christmas e-card has managed to siphon off gigabytes of sensitive data from a number of law enforcement and military staff who work on cybersecurity matters, many of whom are involved in computer crime investigations.

According to, the rogue e-mail messages sent out on Dec. 23 last year had the subject “Merry Christmas” and purported to originate from a address.

The body message read: “As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings.

“Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”

This was followed by two links to the alleged greeting cards, which lead to pages hosted on compromised legit Web sites. Victims who clicked on the links were infected with a Zeus Trojan variant, which stole passwords and documents, and uploaded them onto a server in Belarus, reported

The article also revealed that the latest attack bore the same technique to one uncovered last year, where 74,000 PCs were found to be part of a botnet. In the earlier incident, victim machines were controlled by Web sites registered with the same e-mail address. Alex Cox, principal research analyst with NetWitness, said the new case either involved the same person or copied the exact same technique.

Security blogger Mila Parkour pointed out that the “pack.exe” file downloaded by the Trojan was a Perl script converted to an executable file by way of a commercial application called Perl2exe. The pack program was responsible for stealing the documents on a victim’s computer and relaying the data to a file repository in Belarus. author Brian Krebs said: “The attack appears to be the latest salvo from Zeus malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines.”

He explained that this activity was unusual as most criminals using Zeus were interested in money-related activities, whereas the siphoning of government data was associated with advanced persistent threat attacks, the same category as the Stuxnet attacks.

Some of the victims included an employee at the National Science Foundation’s Office of Cyber Infrastructure, an intelligence analyst in Massachusetts State Police and an employee at the Financial Action Task Force.

Another report by news agency AP said there was no evidence that the stolen classified information had been compromised.

Microsoft warns of Windows flaw affecting image rendering

Microsoft warned on Tuesday of a Windows vulnerability that could allow an attacker to take control of a computer if the user is logged on with administrative rights.

To be successful, an attacker would have to send an e-mail with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convince the recipient to open it, Microsoft said in its advisory, which also contains information on workarounds.

An attacker also could place the malicious image file on a network share and potential victims would have to browse to the location in Windows Explorer.

The flaw, which is in the Windows Graphics Rendering Engine, could allow an attacker to run arbitrary code in the security context of the logged-on user, meaning that accounts that are configured to have fewer user rights would be affected less.

The vulnerability affects Windows XP Service Pack 3, XP Professional x64 Edition Service Pack 2, Server 2003 Service Pack 2, Server 2003 x64 Edition Service Pack 2, Server 2003 with SP2 for Itanium-based systems, Vista Service Pack 1 and Service Pack 2, Vista x64 Edition Service Pack 1 and Service Pack 2, Server 2008 for 32-bit, 64-bit, and Itanium-based systems and Service Pack 2 for each.

Microsoft said it is not aware of attacks exploiting the vulnerability or of any impact on customers at this time. The company is working on a fix but did not indicate when it would be available.

This article was first published as a blog post on CNET News.

US agency hunts down international cybercrime ring

A Vietnam-based international cybercrime ring believed to be involved in identity theft, wire fraud and money laundering is the target of a U.S. law enforcement agency following the house raid of two Vietnamese students suspected to be “money transfer mules”, news agencies reported.

On Monday, technology news site ComputerWorld reported that the U.S. Department of Homeland Security (DHS)’s Immigration and Customs Enforcement (ICE) investigations unit had raided the house of two Vietnamese Winona State University exchange students and seized their documents and computer equipment.

The 22-year-old students, Tram Vo and Khoi Van, are suspected of working as money transfer mules for a Vietnam-based international cybercrime ring, having made more than US$1.2 million selling software, video games and Apple’s iTunes gift cards on eBay purchased with stolen credit card numbers, the report stated, citing the affidavit filed in support of the search warrant issued for the raid.

Both of them controlled more than 180 eBay accounts and more than 360 PayPal accounts, which were opened using stolen identities, noted a separate report by the Star Tribune, a newspaper based in Minnesota, U.S.

ComputerWorld explained that the students had posed as eBay sellers using the stolen identities to sell discounted products such as Rosetta Stone software, video games, textbooks and Apple iTunes gift cards.

When a legitimate eBay buyer ordered the products, they would purchase the items from a third-party merchant using stolen credit card accounts and request that the items be sent to the buyer. However, the merchant would not be able to claim the payment for the products, as the owner of the stolen credit card would inform the relevant bank that the payment was an unauthorized transaction, the report stated.

Online retailers such as eBay, PayPal, Amazon, Apple, Dell and Verizon Wireless were among the high-profile victims, noted Star Tribune.

Cybercrime gangs’ growing sophistication
The DHS investigation on the Vietnamese cybercrime outfit, code-named “Operation eMule”, began in September 2009, according to the abovementioned affidavit.

In the document, DHS Special Agent Daniel Schwarz wrote: “The criminal ring makes online purchases from e-commerce merchants using stolen credit card information and then utilizes an elaborate network of mules based in the United States. The criminals get stolen credit or bank card numbers by hacking PCs or databases. In some cases, they simply buy the stolen personal information from underground online marketplaces.”

According to ComputerWorld, money mule networks are needed by cybercrime organizations to get the stolen money out of the country, which is the “hard part”. Mules working for the Vietnamese organization, for instance, would get their orders via a secured Web site that is available only to “vetted members”, Schwarz said. He added that the money involved in such crimes is “estimated to exceed hundreds of millions of dollars”.

Such sophisticated cybercrime rings are on the rise, too.

In October last year, authorities arrested more than 100 people in the U.S. and U.K. in connection with another money mule operation, which was operating out of Ukraine, the report stated. Then, scammers hacked into bank accounts, transferred money around and used mules to move the money offshore via services provided by payment companies such as Western Union.

A ZDNet Asia report in July last year also revealed that a Russian check-counterfeiting ring had netted US$9 million through a combination of malware, botnets, virtual private networks and money mules recruited online.

Microsoft warns of Office-related malware

Microsoft’s Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail.

The flaw was addressed in November in a fix issued on Patch Tuesday, but with malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn’t overlooked.

Symantec underlined the seriousness of the flaw to ZDNet Asia’s sister site CNET’s Elinor Mills in November:

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to be infected,” Joshua Talbot, security intelligence manager at Symantec Security Response, said at the time. “All that is required is for the content of the e-mail to appear in Outlook’s Reading Pane. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their in-box; that e-mail will appear in the Reading Pane by default and the computer will be infected.”

Users of Microsoft Office should be sure to install the fix. You can use your Start menu to check for updates: Click the Start button, click All Programs, and then click Windows Update. Details of the MS10-087 update, including which software versions are affected, can be found here.

This article was first published as a blog post on CNET News.

Researcher reports apparent China interest in IE hole

A security researcher who created a tool he used to find numerous bugs in major browsers has released it to the public, saying the importance of its distribution is heightened by the leak to the Web of an unpatched vulnerability in Internet Explorer.

Michal Zalewski, a Google security researcher based in Poland, announced in a blog post that he was releasing a tool called “cross_fuzz” and said its distribution was a priority because at least one of the vulnerabilities discovered by the tool appears to be known to a mysterious third party.

“I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China,” Zalewski wrote in a separate post.

“While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot,” he continued. “I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool.”

On December 30, there were two search queries from an IP address in China that matched keywords mentioned in one of the indexed cross_fuzz files, he said.

Of the 100 or so bugs Zalewski said he found in IE, Firefox, Opera, and browsers powered by WebKit, including Chrome and Safari, he said he notified the vendors or developers in July and that they are in varying stages of resolution. He provides a timeline for contacting Microsoft here, noting that his first contact on the matter was in May 2008.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Jerry Bryant, group manager for Trustworthy Computing response communications at Microsoft, said in a statement.

This article was first published as a blog post on CNET News.

Data breach affects 4.9 million Honda customers

Japanese automaker Honda has put some 2.2 million customers in the United States on a security breach alert after a database containing information on the owners and their cars was hacked, according to reports.

The compromised list contained names, login names, e-mail addresses and 17-character Vehicle Identification Number–an automotive industry standard–which was used to send welcome e-mail messages to customers that had registered for an Owner Link account.

Another 2.7 million My Acura account users were also affected by the breach, but Honda said the list contained only e-mail addresses. Acura is the company’s luxury vehicle brand.

According to Honda’s notification e-mail to affected customers, the list was managed by a vendor. All Things Digital suggested, but could not confirm, that the vendor in question is e-mail marketing firm Silverpop Systems, which has been linked with the recent hacking incidents including that of fast-food giant McDonald’s.

In a Web page addressing affected customers, Honda said it would be “difficult” for a victim’s identity to be stolen based on the information that had been leaked. However, it has warned that customers ought to be wary of unsolicited e-mail messages requesting personal information such as social security or credit card numbers.

Compelling scams an ‘obvious danger’
Graham Cluley, senior technology consultant at Sophos, pointed out that cybercriminals who possess the list may e-mail the car owners to trick them into clicking on malicious attachments or links, or fool them into handing over personal information.

“If the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might very likely click on a link or open an attachment,” he explained in a blog post.

Acura customers, he added, could also be on the receiving end of spam campaigns.

Cluley noted that the incident serves as a reminder that companies not only need to have adequate measures in place to protect customer data in their hands, they also need their partners and third-party vendors to “follow equally stringent best practices”.

“It may not be your company [that] is directly hacked, but it can still be your customers’ data that ends up exposed, and your brand name that is tarnished,” he said.

Mozilla exposes older user-account database

Mozilla has disabled 44,000 older user accounts for its Firefox add-ons site after a security researcher found part of a database of the account information on a publicly available server.

The file had passwords obscured with the now-obsolete MD5 hashing algorithm, which has been rendered cryptographically weak and which Mozilla scrapped for the more robust SHA-512 algorithm as of Apr. 9, 2009. The older database didn’t end up anywhere dangerous, Mozilla believes.

“We were able to account for every download of the database. This issue posed minimal risk to users, however, as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure,” said Chris Lyon, Mozilla’s director of infrastructure security, in a blog post about the database exposure Tuesday.

Mozilla notified affected users of the problem by e-mail yesterday, it said. “Current users and accounts are not at risk,” Lyon said.

Password security has become a more prominent concern after a hack of Gawker blog sites earlier this month. Even with passwords obscured by strong hash algorithms, user names can be valuable in further hack attempts, especially when people reuse the same password on multiple sites.

“Unique passwords are a requirement, not a luxury,” said Chester Wisniewski of security firm Sophos in a blog post about the event.
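Why an unsalted MD5 store is a liability even when the file itself stays “accounted for”, and what the move to a salted, iterated SHA-512 scheme buys, can be shown in a few lines. The following is an added example and not Mozilla’s code: it builds a constructed legacy store of unsalted MD5 digests, shows that one precomputed table of common passwords answers every record in it (and that two users with the same password are visible as such), then stores the same passwords with PBKDF2-HMAC-SHA512 from Python’s `hashlib`, where each record carries its own random salt. The user names, word list and iteration count are assumptions for the illustration; the page only says that Mozilla replaced MD5 with SHA-512.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # hypothetical work factor for the example


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_legacy_store(records: dict, wordlist: list) -> dict:
    """Defender-side audit of an unsalted store: a single precomputed table
    of digests for a word list answers every record by direct lookup."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[d] for user, d in records.items() if d in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-512 (PBKDF2-HMAC); the salt is stored with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample: three accounts in a legacy MD5 store and a tiny word list.
WORDLIST = ["password", "123456", "letmein", "qwerty"]
LEGACY_STORE = {
    "alice": md5_unsalted("letmein"),
    "bob": md5_unsalted("letmein"),
    "carol": md5_unsalted("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    # Same password, same digest: the store itself reveals who shares a password.
    print("alice == bob:", LEGACY_STORE["alice"] == LEGACY_STORE["bob"])
    print("weak legacy passwords:", audit_legacy_store(LEGACY_STORE, WORDLIST))
    # With per-user salt the same password yields unrelated records.
    a, b = hash_password("letmein"), hash_password("letmein")
    print("salted records equal:", a == b)
    print("verify correct:", verify_password("letmein", a),
          "verify wrong:", verify_password("letmein1", a))
```

The salt defeats the shared table, and the iteration count makes each guess cost a deliberate amount of work; neither helps a user who reuses the recovered password elsewhere, which is the point of the Sophos remark above.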

This article was first published as a blog post on CNET News.

McAfee: Smartphones, Apple top ’11 crime targets

Security firm McAfee expects malicious activity in 2011 to target smartphones, URL shorteners, geolocation services like Foursquare, and Apple products across the board, according to a report released Tuesday.

“We’ve seen significant advancements in device and social-network adoption, placing a bulls-eye on the platforms and services users are embracing the most,” Vincent Weafer, senior vice president of McAfee Labs, said in a release announcing the report. “These platforms and services have become very popular in a short amount of time, and we’re already seeing a significant increase in vulnerabilities, attacks and data loss.”

In other words, the security infrastructure surrounding popular new services and devices–and more importantly public awareness of potential threats that people may face when using them–may not be up to par with better-established technologies. Take URL shorteners, for example. Because it’s so easy to mask longer URLs with them and because Twitter users have grown accustomed to clicking them without much thought, McAfee expects that they will continue to be targets for spam, scams, and viruses.

Social networks will remain hotbeds of malicious attacks, McAfee predicted, but geolocation services like Foursquare and Facebook Places will see new prominence. “In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using,” McAfee noted. “This wealth of personal information on individuals enables cybercriminals to craft a targeted attack.”

As for hardware, mobile devices (particularly those used on corporate networks), Internet TV platforms like Google TV, and devices running Apple operating systems are anticipated to be prime targets.

McAfee also said that the saga of WikiLeaks, the controversial classified-document repository that dominated headlines around the world late in 2010, is likely to spawn copycats in 2011. The security firm expects “politically motivated attacks” to be on the rise.

This article was first published as a blog post on CNET News.

Microsoft warns of IE zero-day

Microsoft has warned of a vulnerability that affects all versions of the Internet Explorer web browser.

Hackers can use the flaw to take control of a computer, Microsoft said in an advisory on Thursday.

“Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer,” said the advisory. “The main impact of the vulnerability is remote code execution.”

Read more of “Microsoft warns of IE zero-day” at ZDNet UK.

Lookout raises US$19.5 million for smartphone security

Lookout Mobile Security, which specializes in armoring smartphones from hackers, said today that it’s raised an additional US$19.5 million in funding.

The San Francisco-based startup says it now has nearly 50 employees and about four million registered users of its software, which includes a spyware scanner, remote backups, and a stolen phone locator. That’s up from a reported 2 million users in September and 3 million in November.

Lookout’s security apps currently are available for Android, BlackBerry and Windows Mobile. In an interview with ZDNet Asia’s sister site CNET, Lookout CEO John Hering said an iPhone version will be “coming very shortly” and customers should expect to “see something in 2011”.

New features in Apple’s iOS 4 operating system, announced in April and made available a few months later, aid development, Hering said. Those changes “enable us to do quite a bit more,” he said.

Some of Lookout’s features, like remote wipe and a more comprehensive remote backup, are available only to customers who purchase the premium version for US$3 a month.

Wednesday’s funding round came from Index Ventures and existing investors Accel Partners and Khosla Ventures.

This article was first published as a blog post on CNET News.

Irate hackers bring down sports body’s Web site

The World Taekwondo Federation’s (WTF) Web site was hacked after it punished a Taiwanese fighter for cheating at the Asian Games, AFP reported.

According to the news agency, the South Korea-based governing body’s site was taken down on Tuesday night, defaced with the words “still unfair” by attackers who supported Taiwan’s taekwondo exponent, Yang Shu-chun. The report did not state how long the site was down for. It is now operational.

The seeds of the hackers’ discontent were sown during the Asian Games last month when Yang was found to have extra “detachable” sensors in her socks, an action considered to be illegal in the sporting event. Fighters are only allowed to wear sensors built into their socks, which are then used as part of the electronic scoring system, AFP explained.

Following weeks of investigation, the WTF decided on Tuesday to punish Yang’s wrongdoing with a three-month suspension from the sport. Additionally, her coach received a 20-month suspension, while the Chinese Taipei Amateur Taekwondo Association was fined US$50,000 for “negligence and wrongdoing” for its role in the chain of events.

The decision angered Yang’s supporters and triggered the attack on the governing body’s Web site, said AFP.

Taking the WTF’s site offline was not the first transgression by the hackers, though. Earlier, while investigations were still ongoing, the Asian Taekwondo Union’s Web site carried a statement condemning Yang for a “shocking act of deception”, the news agency reported.

The statement set off a wave of anti-Korean ire in Taiwan, which resulted in hackers bringing down the ATU’s Web site in November, it added.

APAC enterprises still not DDoS-aware

Distributed denial-of-service (DDoS) attacks have been around for at least a decade, with thousands of such incidents taking place each day around the world. But, a whopping 99 percent of these attacks go unreported, according to a security expert.

In light of the recent high-profile WikiLeaks incidents and the security incidents that followed them, Mark Teolis, general manager of DOSarrest, explained in an e-mail interview with ZDNet Asia that while most large e-commerce sites have some level of protection, many are not adequately prepared to deal with such assaults, especially complex layer 7 DoS attacks (L7DA).

Frost & Sullivan analyst Edison Yu agreed. He noted that this is the case particularly in the Asia-Pacific region, where instead of using an application firewall, many enterprises still rely on traditional firewalls and intrusion prevention systems (IPS) for protection against L7DA.

Yu explained that these sophisticated DDoS attacks are able to bypass the traditional firewall and target applications, bringing down Web sites due to an overwhelming volume of service requests being sent out by botnets.

The “Brute Force” program is said to be able to send more than 1 million attempts per second. L7DA also has the capability to slow down the HTTP server.

According to DOSarrest, the top misconception enterprises have is that traditional firewalls are able to thwart all DDoS attacks. The security vendor added that over the past 12 months, L7DA consisted of 60 percent of the overall DoS threat landscape, followed by SYN type floods which comprised 30 percent, and UDP/ICMP attacks taking 10 percent.

The company also revealed that 80 percent of DoS attacks had a layer 7 component, while the same percentage carried a combination of two or more components.

Teolis noted that “most purpose-built, so-called DDoS mitigation devices” will not stop all layer 7 attacks, but enterprises can thwart them by adopting a “robust multi-layer strategy”. This includes eliminating all non-essential traffic in the cloud, having good SYN protection and implementing a well-designed robust system for layer 7.
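As an added illustration of the layer 7 flood described above (example code written for this page, not anything from DOSarrest, Frost & Sullivan or ZDNet Asia), the following Python script parses a few constructed access-log lines in the common log format, flags any source address whose request count inside a sliding window exceeds a threshold, and reports which application path each flagged source was hammering. The addresses, paths, timestamps and thresholds are all made up for the demonstration; a real deployment would tune the window and threshold to its own traffic.

```python
"""Constructed example: spotting a layer 7 (HTTP) flood in access logs by per-source request rate."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_requests_in_window} for every source that exceeded max_requests
    within any window_seconds-long span. Lines are expected in time order."""
    windows = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # drop timestamps that have fallen out of the sliding window
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def hot_paths(lines, ips):
    """For each flagged source, the path it requested most often: this is the
    application endpoint the flood is aimed at, which a firewall-only view never shows."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in ips:
            counts[rec["ip"]][rec["path"]] += 1
    return {ip: max(paths, key=paths.get) for ip, paths in counts.items()}


def build_sample_log():
    """Constructed log: one ordinary visitor and one source hammering a search endpoint."""
    base = datetime(2010, 12, 10, 12, 0, 0, tzinfo=timezone.utc)
    entries = []
    # an ordinary visitor: five page views spread over about a minute
    for i, path in enumerate(["/", "/index.html", "/products", "/cart", "/checkout"]):
        entries.append((base + timedelta(seconds=12 * i), "198.51.100.7", path, 200))
    # a bot: 40 hits on an expensive search endpoint within eight seconds
    for i in range(40):
        entries.append((base + timedelta(milliseconds=200 * i), "203.0.113.9", "/search?q=a", 200))
    entries.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 512'
            for ts, ip, path, status in entries]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    flagged = detect_floods(SAMPLE_LOG)
    print("flooding sources:", flagged)
    print("targeted paths:", hot_paths(SAMPLE_LOG, flagged))
```

The sliding window is what separates a flood from a busy but legitimate client: the ordinary visitor never accumulates more than a handful of requests in any ten-second span, while the bot's peak equals its entire burst.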

DOSarrest, which represents various merchants in different industries including pharmaceuticals, gaming and music downloads, revealed that one of its customers was a victim of “Operation Payback” during the WikiLeaks-related attacks but suffered zero downtime. Operation Payback, a coordinated series of attacks carried out by Internet activists who target opponents of online piracy, launched attacks on the Web sites of banks that withdrew their services from WikiLeaks.

Internet not built for trust
Yu, who has been tracking the developments of DDoS attacks, noted that what used to be reserved to drive “cyber espionage”, is now being exploited by cyber criminals to gain sensitive data or compromise monetary transactions.

He described it as a “two-way situation” where, increasingly, enterprises are migrating to the Web for commercial reasons. By making more information available online to provide employees and customers easy access, businesses are giving criminals greater opportunities to scrutinize system loopholes, thereby, making their sites more vulnerable, he said.

“The Wikileaks incident has emphasized that the Web was never designed as a trusted environment,” Yu cautioned. “I think that’s something we tend to forget when we go online and embrace the Web in personal and professional domains.”

Jonas Frey of Probe Networks was quoted in a recent NetworkWorld article as saying that even as ways to mitigate and thwart attacks continue to emerge, attackers have also been successful in discovering new security loopholes. He added that there is “no real solution right now”.

“Nowadays the consumers have a lot more bandwidth and it’s easier than ever to set up your own botnet by infecting users with malware and alike,” Frey said in the report. “There’s not much you can do about the unwillingness of users to keep their software or operating system up-to-date. There is just no patch for human stupidity.”

While the figures paint a grim picture, Teolis believes the overall risk is still low. However, he noted that the landscape remains unpredictable.

Yu noted: “DDoS is becoming more and more contentious, given the nature and motivation behind the attacks, [and this is] something which enterprises are not very wary of.”

In a bid to minimize risk exposure, the analyst urged enterprises to re-examine access to the corporate network through mobile devices, and to evaluate whether their IT infrastructure is capable of handling these security threats.

As more criminals target layer 7 DDoS attacks, an increasing number of security vendors are launching service offerings that specifically target such risks. Kaspersky, for instance, recently announced plans to start selling an “experimented DDoS shield” globally if it is able to work effectively.

Sophos: Beware Facebook’s new facial-recognition feature

Facebook’s new facial recognition software might result in undesirable photos of users being circulated online, warned a security expert, who urged users to keep abreast of the social network’s privacy settings to prevent that scenario from becoming a reality.

Graham Cluley, senior technology consultant at security vendor Sophos, said in a statement released Monday that the new facial recognition software introduced last week by Facebook has the capability to match people’s faces in photos uploaded by other members. While users will not be automatically identified, or “tagged” in Facebook parlance, members who upload these pictures will be prompted to tag a list of suggested friends identified by the facial recognition software, Cluley noted.

Furthermore, he added that once a Facebook user has identified people to be tagged in a photo, these individuals run the risk of being pointed out by the social networking site to other friends.

“Even people who are not on Facebook, or who choose not to identify themselves openly in uploaded pictures, may nevertheless end up [being] easy to find in online photos,” he explained.

In an earlier report, Facebook’s vice president of product, Chris Cox, told ZDNet Asia’s sister site CNET News that photo tagging is “really important” for control because every time a tag is created, it highlights a photo of the user which he may not have been aware had been uploaded online. “Once you know [this picture exists], you can remove the tag, or you can promote it to your friends, or you can write the person and say, ‘I’m not that psyched about this photo’,” Cox said.

He said the feature will be rolled out to about 5 percent of Facebook’s U.S. users this week and, “assuming that goes well”, the company will continue to launch it in other markets. He also stressed that there will be an opt-out option for the new feature, so if members do not want to show up in their friends’ tagging suggestions, they will not.

Cluley, however, spoke out against Facebook for maintaining an opt-out, rather than opt-in, stance toward user information. “While this feature may be appealing for those Facebook users that are keen to share every detail of their social life with their online friends, it is alarming to those who wish to have a little more anonymity,” he said.

He cited a recent Sophos poll that revealed 90 percent of Facebook users surveyed called for features on the social networking site to become opt-in. With the introduction of the facial recognition capability, he predicted that this percentage will rise.

To prevent privacy loss, Cluley recommended that users opt out when the feature is turned on. He added that keeping on top of new features and ensuring privacy settings are up-to-date is essential for Facebook users in order to make sure they do not share too much personal information online.

This is not the first time the social network has received flak for instituting an opt-out policy for its features. In March, Facebook users were up in arms after the site announced it would automatically share user data with a select group of third-party sites without specific permission.

Security expert suggests demilitarizing cybersecurity

Perspective: As if the wars on terror and drugs weren’t keeping U.S. officials busy enough, the drumbeats of cyberwar are increasing.

There were the online espionage attacks Google said originated in China. Several mysterious activities with Internet traffic related to China. The Stuxnet worm that experts say possibly targeted Iranian nuclear centrifuges. An attack on the WikiLeaks site after it released classified documents damaging to U.S. foreign policy. And don’t forget the Internet attack on Estonia from a few years ago.

To deal with the geopolitical dramas that are projected in the online world, the U.S. is using military strategy and mindset to approach cybersecurity, creating a Cyber Command and putting oversight for national cybersecurity under the auspices of the Department of Defense.

But offense isn’t always the best defense, and it never is when it comes to Internet security, says Gary McGraw, author and chief technology officer at security consultancy Cigital. More secure software, not cyber warriors, is needed to protect networks and online data, he writes in a recent article, “Cyber Warmongering and Influence Peddling.”

ZDNet Asia’s sister site CNET talked with McGraw about how the militarization of cybersecurity draws attention from serious threats.

CNET: So, tell me what’s wrong with going to DEFCON 1 in cyberspace now?
McGraw: I wrote an article with Ivan Arce, the founder and chief technology officer of Core Security Technologies. He’s from Argentina. Every time I talk to him he asks ‘what is up with you Americans and cyberwar anyway? Why are you so obsessed with cyberwar?’ Because nobody else is talking about it in the rest of the world. I travel a lot internationally and he is right. So we started talking about why that was. One of our main points is that there is a confusing blend of cyberwar stuff, cyber-espionage stuff and cybercrime stuff, and the stories are used to justify whatever political or economic end people may have, instead of trying to disambiguate these three things and talk about what they actually are.

What’s the danger with that?
The danger is that if we lump everything under ‘cyberwar’, then our natural propensity in the United States is to allow the Defense Department to deal with it. The DoD set up a Cyber Command in May. Cyber Command has an overemphasis on offense, on creating cyber-sharpshooters and exploiting systems more quickly than the enemy can exploit them. I don’t think that’s smart at all. I liken it to the world living in glass houses and Cyber Command is about figuring out ways to throw rocks more accurately and quickly inside of the glass house. We would all be better suited trying to think about our dependence on these systems that are riddled with defects and trying to eliminate the defects, instead.

Is the rhetoric all driven by attracting money? That’s a very cynical way of thinking.
A lot of people think it is. The military industrial complex in the U.S. is certainly tied very closely to the commercial security industry. That is not surprising, nor is it that bad. The problem is the commercial security industry is only now getting around to understanding security engineering and software security. The emphasis over the past years has been on trying to block the bad people with a firewall and that has failed. The new paradigm is trying to build stuff that’s not broken in the first place. That’s the right way to go. If we want to work on cybercrime and espionage and war, to solve all three problems at once, the one answer is to build better systems.

You mention that cybercrime and cyber-espionage are more important than cyberwar. Why is that?
Because there is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here’s another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S.

The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google’s intellectual property got sucked down by the Chinese? The answer is no.

What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security. Thinking about things like why on earth would a private (officer) need access to classified diplomatic cables on the SIPRNET (Secret IP Router Network)? Why? If we thought about constructing that system properly and providing access only to those who need it, then things would be much better off.

The term “cyber” makes it seem more scary. We’re just talking about Internet, right? Might there be a problem with semantics?
There could be. There has been an overemphasis on cyber war in the U.S. The problem with cybersecurity is that there is just as much myth and FUD and hyperbole as there are real stories. It’s difficult for policy makers and CEOs and the public to figure out what to believe because the hype has been so great, such as with the Estonia denial-of-service attack from 2007. So that when we talk about Stuxnet it gets dismissed.

So it’s the boy who cried wolf problem?

Stuxnet is real. Is that cyberwar?
It seems like a cyberweapon. I think it qualifies as a cyberwar action. My own qualification is that a cyberattack needs to have kinetic impact. That means something physical goes wrong. Stuxnet malicious code did what it could to ruin physical systems in Iran that were controlling centrifuges or that were in fact centrifuges. If you look at the number of centrifuges operating in Iran you see some big drops that are hard to explain. (Iranian President Mahmoud) Ahmadinejad admitted there was a cyberattack on the centrifuges.

So why does the attack on Estonia not qualify?
The kinetic impact is important, but also an act of war is the act of a nation-state. The Estonia attacks fail the nation-state actor test. It also fails the real impact test. Sure, their network went down, but whoop dee do! Who cares? If you took that same sort of attack against Google or Amazon they wouldn’t even notice. I think people were using that attack–which was carried out by individual cybercriminals in Russia, not by the state–to hype up the cyber war thing. In fact, in my work in Washington [D.C.], the Estonia story keeps coming up, over and over again, as an example of cyberwar.

What is your qualification to discuss cyberwar matters and policy?
This year, I’ve been working more in Washington than I have in the past. I’ve been to the White House, the Pentagon, talked to think tanks. I’m a little bit worried that the discourse is too much about cyberwar. We should try to untangle the war, espionage, and crime aspects and maybe emphasize building better systems and getting ourselves out of the glass house as opposed to trying to make a whole new cadre of cyber-sharpshooters as [CIA Director] General Hayden suggests. For policymakers the conception of our field [of security] is muddled.

I’m worried we’re not spending on [Internet security] defense at all. There’s no way to divide and conquer networks. That is, we can’t defend the military network or the SIPRNET but not defend the Internet because we’re ignoring 90 percent of the risk. Most of the infrastructure in the U.S., 90 percent of it that’s important, is controlled by corporations and private concerns, not by the government. The notion that we can protect military networks and not the rest of it just doesn’t make any sense. That’s one problem.

The other problem is the Air Force has always been about domination in the air and taking away that capability from the enemy early and eradicating infrastructure. This notion of a ‘no-fly zone’ is kind of interesting. Unfortunately those tactics don’t work in cyberspace because there is a completely different physics there. There is no such thing as taking ground or controlling air space in cyberspace. Things move at superhuman speed in cyberspace. So some of these guys who are good military tacticians are having a hard time with cyberwar policy and cyberdefense because of the analogies they’re using.

You mentioned in your article that “in the end, somebody must pay for broken security and somebody must reward good security”. Are you suggesting that we hold software makers liable for flaws?
I don’t know what the answer is. We need to change the discourse to be around how do we incentivize people to build better systems that are more secure and how do we disincentivize the building of insecure systems that are riddled with risk? As long as we can have that conversation then policy makers might be able to come up with the right sort of levers to cause things to move in the right direction. We’re not suggesting any particular approaches, like liability. We’re just trying to change the discourse from being about war to being about security engineering.

Anything else?
I think we are at risk and I do think cyberwar is a real problem we have to grapple with. But even though we are at risk, we need to have rational conversations about this. Too much FUD and hyperbole don’t do anything to help the situation. The poor guys that are charged with setting policy have a hard time doing that because we’re having the wrong conversation at the policy level right now.

This article was first published as a blog post on CNET News.

LinkedIn disables passwords in wake of Gawker attack

LinkedIn is disabling passwords of users whose e-mail addresses were included in the customer data that was exposed in an attack on the Gawker blog sites.

The professional-networking site is taking this action to prevent any of its customers from having their LinkedIn accounts hijacked in the event that they used the same password that they used on any of the Gawker sites.

“There is no indication that your LinkedIn account has been affected, but since it shares an e-mail with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password,” the company said in an e-mail to users today.

To reset your LinkedIn password, go to the Web site and click on “Sign In” and “Forgot Password?” and follow the directions.

Gawker’s Web site and back-end database were compromised, and passwords, usernames, and e-mail addresses for about 1.3 million user accounts were posted on the Pirate Bay BitTorrent site over the weekend. The passwords were encrypted with technology. However, weak passwords can easily be cracked by brute force attacks. (To find out how to check if you are at risk and get more details about the incident read this FAQ.)

People who use the same password on multiple sites are at risk of having their accounts on those other sites compromised. This happened already on Twitter, with some accounts being used to send spam shortly after the Gawker breach was publicized.

Security experts urge people to choose strong passwords, to change them often and to not use the same password on multiple sites.

This article was first published as a blog post on CNET News.

New scam tactic: Fake disk defraggers

We’ve all heard about fake antivirus programs, also known as scareware. These programs falsely claim that your computer is infected with malware and prompt you to buy a product that will do nothing for you, except put your credit card number into the hands of criminals.

Well, now there are fake disk defraggers that masquerade as applications that fix disk errors on a computer. In a blog post, GFI Labs (formerly Sunbelt Software) dubbed the programs FakeAV-Defrag rogues and said they had names like HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus.

It would appear that the scammers are trying out the new programs to see which might best confuse potential victims and evade detection by legitimate antivirus software. The defragger clones emerged last month with names like UltraDefragger, ScanDisk and WinHDD, which pretended to find “HDD read/write errors”. Earlier this month, there were PCoptimizer, PCprotection Center, and Privacy Corrector, which were more generic security products rather than specifically antivirus, the post says.

Computer users should be suspicious of applications that are advertised via e-mail, pop up warnings about problems (especially immediately after you click on a Web page video), demand that you make a purchase before it will fix the problems, and prompt you to update your browser, GFI Labs said.

If you aren’t sure whether a program is legitimate, you can search for its name on a search engine or on GFI Labs’ site.

This article was first published as a blog post on CNET News.

Microsoft to boost Office security

Microsoft plugged 40 holes with 17 patches on Tuesday and said it will improve the security of Office 2003 and Office 2007 by adding a feature to the older versions of its productivity software that opens files in Protected View.

Customers should focus on the two critical bulletins that are part of Microsoft’s monthly Patch Tuesday security update, says Jerry Bryant, group manager for response communications in Microsoft’s Trustworthy Computing Group. The first is MS10-090, a cumulative update for Internet Explorer. It fixes seven vulnerabilities in the browser and affects IE 6, 7 and 8. There have been attacks targeting IE 6 on Windows XP, Bryant said.

The other critical bulletin is MS10-091, which fixes several vulnerabilities in the Windows Open Type Font driver. It affects all versions of Windows, primarily on third-party browsers that natively render the Open Type Font, which IE does not, according to Bryant.

The other bulletins are not critical and “could potentially be put off until after Christmas”, he said in an interview with CNET. Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins. Details are in the security advisory here and in the Microsoft Security Response Center blog post.

Meanwhile, the company will be porting Office File Validation, which is currently in Office 2010, to Office 2003 and Office 2007 by the first quarter of next year, Bryant said. It will be an optional update.

The move will help protect customers from attacks that target about 80 percent of the Office vulnerabilities, Bryant said. Attackers typically create a document that uses an exploit and e-mail the maliciously crafted document to potential victims or host it on a Web site and prompt people to open it.

Office File Validation checks the file-format binary schema, such as .doc or .xls, and opens the file in a protected view if it detects a problem. “If the user wants to edit or continue to open the document then there are severe warnings about what that might mean” and that it could be dangerous, Bryant said.
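To make the idea of checking a file’s binary schema concrete, here is an added Python example written for this page; it is not Microsoft’s Office File Validation and does not reproduce its rules. It applies a handful of header-level consistency checks drawn from the OLE2 compound file format that binary .doc and .xls files use (signature, version and sector-size pairing, byte-order mark, and whether the declared directory sector actually lies inside the file), and routes anything that fails them to a “protected view” decision instead of a normal open. The sample files are constructed inside the code, and the function names and the decision policy are this example’s own.

```python
"""Constructed example: schema sanity checks on an OLE2 compound file header before opening it.

This is an illustration of validating a file's binary layout before handing it to a
full parser; it is not Microsoft's Office File Validation.
"""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature
HEADER_SIZE = 512
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
MAXREGSECT = 0xFFFFFFFA  # largest regular sector number; values above are markers


def validate_cfb_header(data):
    """Return a list of schema violations found in the header (empty when it looks sane)."""
    problems = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte compound-file header"]
    if data[:8] != CFB_MAGIC:
        return ["bad signature; not an OLE2 compound file"]
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 0x1A)
    num_dir, num_fat, first_dir = struct.unpack_from("<III", data, 0x28)
    if byte_order != 0xFFFE:
        problems.append(f"byte-order field 0x{byte_order:04X} is not 0xFFFE")
    # version 3 files use 512-byte sectors (shift 9), version 4 files 4096-byte sectors (shift 12)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        problems.append(f"major version {major} with sector shift {sector_shift} is not a legal pairing")
    if mini_shift != 6:
        problems.append(f"mini-sector shift {mini_shift} is not 6")
    if major == 3 and num_dir != 0:
        problems.append("version 3 files must report zero directory sectors")
    if num_fat == 0:
        problems.append("no FAT sectors declared")
    if first_dir > MAXREGSECT:
        problems.append(f"first directory sector 0x{first_dir:08X} is not a regular sector number")
    elif sector_shift in (9, 12):
        # sector n starts at (n + 1) * sector_size because the header occupies the first sector
        sector_size = 1 << sector_shift
        end = (first_dir + 1) * sector_size + sector_size
        if end > len(data):
            problems.append(f"directory sector {first_dir} lies beyond the end of the file ({len(data)} bytes)")
    return problems


def open_policy(data):
    """Decide how to open the document: normally, or read-only in a protected view."""
    return "protected_view" if validate_cfb_header(data) else "normal"


def build_sample_file(major=3, sector_shift=9, first_dir=1, body_sectors=2):
    """Construct a minimal, structurally valid compound file: header plus empty sectors."""
    sector_size = 1 << sector_shift
    h = bytearray(sector_size)  # the header is padded out to a whole sector
    h[0:8] = CFB_MAGIC
    # minor version, major version, byte order, sector shift, mini-sector shift
    struct.pack_into("<HHHHH", h, 0x18, 0x003E, major, 0xFFFE, sector_shift, 6)
    # dir sectors, FAT sectors, first dir sector, transaction sig, mini cutoff,
    # first mini-FAT, mini-FAT count, first DIFAT, DIFAT count
    struct.pack_into("<IIIIIIIII", h, 0x28, 0, 1, first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    # DIFAT array: FAT lives in sector 0, remaining 108 slots unused
    struct.pack_into("<109I", h, 0x4C, 0, *([FREESECT] * 108))
    return bytes(h) + bytes(sector_size * body_sectors)


def patched(data, offset, fmt, value):
    """Copy of data with one header field overwritten (used to build tampered samples)."""
    buf = bytearray(data)
    struct.pack_into(fmt, buf, offset, value)
    return bytes(buf)


# constructed samples: a sane file, one with an impossible sector size, one pointing outside itself
SAMPLE_OK = build_sample_file()
SAMPLE_BAD_SHIFT = patched(SAMPLE_OK, 0x1E, "<H", 0)
SAMPLE_BAD_DIR = patched(SAMPLE_OK, 0x30, "<I", 0x00100000)

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("bad shift", SAMPLE_BAD_SHIFT), ("bad dir", SAMPLE_BAD_DIR)]:
        print(name, "->", open_policy(blob), validate_cfb_header(blob))
```

The point is the ordering of decisions: the cheap, purely structural checks run before any content is parsed, so a document whose header cannot be trusted never reaches the code paths that an attacker's crafted file would be aiming at.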

This article was first published as a blog post on CNET News.

McDonald’s warns customers about data breach

McDonald’s (U.S) is warning customers who signed up for promotions or registered at any of its online sites that their e-mail address has been compromised by an unauthorized third party.

The customer name, postal address, phone number, birth date, gender, and information about promotional preferences may also have been exposed, the company said in an FAQ on its Web site. Social Security numbers were not included in the database, the company said.

The data was managed by an e-mail database management firm hired by Arc Worldwide, a “longtime business partner” of McDonald’s, according to a recorded message on the company’s toll-free number. The unnamed database management firm’s computer systems were improperly accessed by a third party, McDonald’s said.

McDonald’s did not disclose the number of records involved or when the breach happened. McDonald’s representatives did not immediately return a call seeking comment this morning.

“This incident has nothing to do with credit card use at the restaurants,” the FAQ says. “The database that was accessed by the unauthorized third party did not contain any credit card information or any other financial information. Further, the information in the database was not gathered from our restaurant registers, but from voluntary subscriptions to our websites or promotions.”

McDonald’s is informing customers by sending e-mails to people who subscribed on the sites and has notified law enforcement authorities. The company advised customers to be wary of anyone calling them reporting to be from McDonald’s and to report it to the company if that happens.

This article was first published as a blog post on CNET News.

Malware for smartphones is a ‘serious risk’

Businesses and consumers are at risk of data breaches through smartphone use, according to the European Network and Information Security Agency.

Data leakage and disclosure, phishing and spyware are among the more common risks, the European Network and Information Security Agency (Enisa) said in a report.

The report focused on threats posed to the end user, company employees and high-level company officials–people that use smartphone devices for managing disparate aspects of their lives.

Read more of “Enisa: Malware for smartphones is a ‘serious risk’” at ZDNet UK.

Akamai says it can withstand Anon attacks

Akamai managers say they could have bolstered the Web sites that buckled under attacks launched recently by Internet vigilantes.

The world’s largest content delivery network says it has enough servers and the right kind of network to “mitigate distributed denial-of-service (DDoS) attacks”, Neil Cohen, Akamai’s senior director of product marketing told ZDNet Asia’s sister site CNET. DDoS describes the practice of overwhelming a Web site with traffic so that it can’t be accessed.

Some well-known sites were the targets of DDoS attacks launched by a loosely connected group of WikiLeaks supporters who call themselves Anonymous or Anon for short. The group lashed out at companies they consider to be hostile to WikiLeaks, the service responsible for publicizing an enormous amount of classified U.S. government documents. Some of those attacked were MasterCard, Visa, PayPal, and Amazon.

MasterCard, Visa, and PayPal stopped processing donations made to WikiLeaks while Amazon stopped hosting WikiLeaks servers. At this point it appears that Amazon was able to withstand the attack while MasterCard and Visa’s sites were inaccessible for extended periods.

Cohen said few other companies have as much experience as his with defending Web sites from this kind of threat. He said that late last month, a number of U.S. retail sites came under DDoS attack from multiple different countries. Cohen said he was unaware of who was behind it or why, but he said that Akamai helped some of the retailers withstand the onslaught of hits to their sites, which in some cases reached to 10,000 times the normal daily traffic to some of these sites. None of the sites went down, he said.

“What we did over the last decade was build out our network and we now have 80,000 servers in 70 countries,” Cohen said. “We can mitigate DDoS attacks by having a server extremely close to the court rather than try to absorb the attack in one centralized location. As an attack grows in size and distributes out to more bots, we have a server near the compromised machines. As the attack gets bigger, our network scales on demand.”

While there are reports that Anonymous is giving up on DDoS attacks related to the WikiLeaks case, it is unlikely that we’ve seen the end of them. In retaliation against the entertainment industry’s antipiracy attempts, Anonymous knocked out the Web sites belonging to the Motion Picture Association of America, the Recording Industry Association of America, Hustler magazine, and the U.S. Copyright Office.

This article was first published as a blog post on CNET News.

App firewall helps counter DDoS threats

With cyberattacks getting more sophisticated, enterprises that rely on Web applications should look to application firewalls for better protection, particularly against distributed denial-of-service (DDoS) attacks, urged a security expert.

Vladimir Yordanov, director of technology at F5 Networks, explained that with 80 percent of attacks hitting Web apps these days, traditional protection such as the conventional perimeter system firewall offers very little protection. Such systems are the reason why DDoS-type attacks are successfully executed to compromise Web sites and payment systems, he added.

“Traditional systems, such as intrusion prevention or intrusion detection systems, cannot block effective requests as these are not easily detected. The attacks targeting coding or browser flaws are usually let through, and it is the application firewall’s job to weed out bad traffic,” Yordanov noted during a one-on-one interview with ZDNet Asia on Monday.

Typically, the application firewall responds by sending a cookie or response to ensure the user is real and sending a valid request, before allowing access into its system, the security expert pointed out. In many instances of DDoS attacks used recently against PayPal, MasterCard and Visa, requests are sent out by botnets, or zombie machines, and these computers are not able to respond to requests, he added.

According to earlier reports, this series of attacks–codenamed “Operation Payback”–were initiated by supporters of jailed WikiLeaks founder Julian Assange, whose Web site has been shut down by Internet service providers, Web hosting companies and payment providers across the U.S. and Europe.

As a form of protest to the treatment of WikiLeaks and Assange, supporters made use of 3,000 voluntary computers and up to 30,000 hacked machines to shut down the Web sites of PayPal, Mastercard and Visa, which had earlier deemed WikiLeaks to be a criminal organization and denied it their services.

No foolproof solution
Besides deploying app firewalls, other forms of protection that enterprises could look at include “clean pipes” from ISPs that filter out bad traffic and putting in place high-level network security, Yordanov pointed out. Enterprises can also sanitize their protocols and ensure that all information needed to establish the connection is present before allowing access, he added.
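The cookie challenge Yordanov describes earlier in this article, together with the “ensure all information needed to establish the connection is present” check from this section, can be sketched in a few dozen lines. The Python below is an added example written for this page, not F5’s product code or anything from the interview; the `waf_challenge` cookie name, the HMAC construction, the per-process key and the sample addresses are all assumptions made for the demonstration. A client that stores and returns the challenge cookie (a browser) is let through on its second request, while a bot that cannot handle cookies is answered with a challenge every time and never reaches the origin.

```python
"""Constructed example: an application-firewall cookie challenge in front of a Web site."""
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment would manage and rotate this key.
SECRET_KEY = secrets.token_bytes(32)
CHALLENGE_COOKIE = "waf_challenge"   # hypothetical cookie name
MAX_COOKIE_AGE = 300                 # seconds a challenge cookie stays valid


def make_challenge_cookie(client_ip, issued_at, key=SECRET_KEY):
    """Mint a cookie that binds the client address to an issue time with an HMAC tag."""
    msg = f"{client_ip}|{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{tag}"


def verify_challenge_cookie(cookie, client_ip, now, key=SECRET_KEY):
    """True only if the cookie is well formed, still fresh, and its tag matches this client."""
    try:
        issued_str, tag = cookie.split(":", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued_at <= MAX_COOKIE_AGE:
        return False
    expected = hmac.new(key, f"{client_ip}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def filter_request(request, now):
    """Decide what to do with one parsed request.

    request is a dict: {"ip": str, "method": str, "headers": {name: value}, "cookies": {name: value}}.
    Returns ("block", reason), ("challenge", cookie_value) or ("pass", reason).
    """
    headers = request.get("headers", {})
    # Protocol sanity: refuse requests missing what a real client always sends.
    if request.get("method") not in ("GET", "HEAD", "POST"):
        return "block", "unexpected method"
    if "Host" not in headers:
        return "block", "missing Host header"
    cookie = request.get("cookies", {}).get(CHALLENGE_COOKIE)
    if cookie is not None and verify_challenge_cookie(cookie, request["ip"], now):
        return "pass", "valid challenge cookie"
    # No valid cookie yet: answer with a challenge instead of forwarding to the origin.
    return "challenge", make_challenge_cookie(request["ip"], now)


def simulate(client_ip, honors_cookies, n_requests, start=1_000_000):
    """Replay n_requests from one client, one second apart; returns how many were
    passed, challenged and blocked. honors_cookies models a browser vs. a dumb bot."""
    counts = {"pass": 0, "challenge": 0, "block": 0}
    jar = {}
    for i in range(n_requests):
        req = {"ip": client_ip, "method": "GET",
               "headers": {"Host": "shop.example"}, "cookies": dict(jar)}
        verdict, detail = filter_request(req, now=start + i)
        counts[verdict] += 1
        if verdict == "challenge" and honors_cookies:
            jar[CHALLENGE_COOKIE] = detail  # a browser stores the Set-Cookie and retries
    return counts


if __name__ == "__main__":
    print("browser:", simulate("198.51.100.7", True, 5))
    print("bot:    ", simulate("203.0.113.9", False, 5))
```

Binding the cookie to the client address means a cookie captured from one machine cannot be replayed from another, and the expiry keeps a leaked cookie from being useful for long; both are properties the test below checks directly.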

However, even as security technology constantly evolves, hackers and cybercriminals have managed to find ways to compromise systems, and this is made worse by the increasing access to networks from mobile devices. Yordanov let on that the more dispersed a workforce is, the greater the risk of an attack, which is a situation that criminals are currently exploiting.

Conceding that no solution is 100 percent foolproof, the executive said the surest way to keep a system safe from an attack is to shut it down.

“Rather than having the Web site be compromised, it’s better to have it shut down completely,” Yordanov said. “If the engineers are able to trace the IP addresses of where the requests are sent, they can also eliminate the sources by blocking the addresses, but only if they are static. But increasingly, these requests change frequently, so it is not that useful.”

The F5 director noted that while shutting the system down can help, the option suits only enterprises with enough manpower to monitor Web traffic constantly.

Cloudy security prospects
When quizzed on the level of security in cloud computing, the IT expert expressed pessimism about the current situation, but said things will improve with time.

He said he had personally gone through the SLAs (service level agreements) offered by six cloud providers, and none made any commitment to protect customers’ data.

“One even asked for all of your data, but there is no procedure that tells you how to get it back, and how they actually protect the data,” Yordanov noted. “[Protection agreements] are all worded loosely now.”

He went on to say that the industry is still at an early stage, much like e-commerce when it first started, though he expects a similar “revolution” in cloud computing to spur adoption.

In the meantime, many large enterprises are eyeing private rather than public clouds, he said. Because cloud providers are not sure they can fully guarantee the safety of clients’ data, private cloud deployments are a way for enterprises to shield themselves from potential legal action, Yordanov added.

Filet-O-Phish: details stolen in McDonald’s hack

McDonald’s has lost thousands of customer details, including names, phone numbers and street and e-mail addresses, to a hacker. The fast food chain is also warning of phishing scams that may follow.

The customer details were lost after a hacker broke into the fast-food chain’s U.S. marketing partner and stole the details provided by customers who had signed up for promotions.

McDonald’s was concerned that the hacker might use the details to conduct phishing scams. Phishing scams are fraudulent e-mail campaigns run by criminals to steal financial and identity information, or to infect users’ computers with malware.

“In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us… McDonald’s would not ask for that type of information online or through e-mail,” the company wrote on its website.

“Law enforcement officials have been notified and are investigating this incident.”

The company apologized for the breach.

McDonald’s spokesperson Bronwyn Stubbs said Australian customers were not affected.

An e-mail provider hired by promotion company Arc Worldwide was responsible for the loss, which did not include credit card data or social security numbers.

This story was first posted in ZDNet Australia.

Gawker wrestles with reader data breach, hacking

Gawker has apparently been the victim of a pair of security compromises last weekend, one of which put readers’ data at risk.

The tech gossip site informed readers last week in a blog post that its database of reader commenting accounts had been compromised and urged its users to change their passwords:

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.
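Why “encrypted” passwords still fall when they are simple, as an added example that is not part of the original post and is not based on Gawker’s actual systems (the article does not say how the passwords were protected): the four accounts, their passwords and the seven-word list are constructed, and the two storage schemes compared (an unsalted fast hash versus a per-user salt with PBKDF2) are assumed for the illustration, as is the reduced iteration count used to keep the demo quick.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data). Three weak passwords, one strong.
PASSWORDS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "gawker123",
    "dave": "V7#kq!2zPw9^tL",
}
# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "gawker", "gawker123", "welcome"]
KDF_ITERATIONS = 20_000  # deliberately low for the demo; production uses far more


def fast_unsalted(password: str) -> str:
    """Weak scheme: one unsalted SHA-1 per password (assumed, for illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def leak_unsalted() -> dict:
    """What an attacker gets if the database stores fast_unsalted() hashes."""
    return {user: fast_unsalted(pw) for user, pw in PASSWORDS.items()}


def crack_unsalted(leaked: dict, wordlist: list):
    """Precompute one hash per candidate, then look every account up in the table.

    Returns (recovered {user: password}, number of hash computations performed).
    The cost is len(wordlist) regardless of how many accounts leaked.
    """
    table = {fast_unsalted(word): word for word in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def kdf(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stronger scheme: per-user salt and a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def leak_salted() -> dict:
    """Database contents under the salted scheme: {user: (salt, derived_key)}."""
    out = {}
    for user, pw in PASSWORDS.items():
        salt = os.urandom(16)
        out[user] = (salt, kdf(pw, salt))
    return out


def crack_salted(leaked: dict, wordlist: list):
    """No shared table is possible: every guess must be re-derived per user.

    Returns (recovered {user: password}, number of KDF computations performed).
    """
    found = {}
    work = 0
    for user, (salt, derived) in leaked.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(kdf(word, salt), derived):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(leak_unsalted(), WORDLIST)
    print("unsalted:", found, "hash computations:", work)
    found, work = crack_salted(leak_salted(), WORDLIST)
    print("salted+PBKDF2:", found, "KDF computations:", work)
```

Both runs recover the same three weak passwords, which is the point of Gawker’s warning: salting and a slow KDF raise the attacker’s cost from a single shared table to one derivation per guess per user, but a password that sits at position two of a wordlist is found in two guesses either way. The only defence for those users is to change the password, on Gawker and on every other site where it was reused.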

Later in the day, it emerged that the site itself had been compromised as well, when a post appeared on it reportedly linking to the site’s source code at The Pirate Bay. The story ran under the byline of Gawker writer Adrian Chen, but Chen tweeted that he had not written it and that the site had been hacked.

Gawker representatives did not immediately respond to a request for additional information.

This article was first published as a blog post on CNET News.

Symantec: DDoS attacks hard to defend

It has surfaced that the distributed denial-of-service (DDoS) attacks on the Visa and MasterCard Web sites on Wednesday were carried out with a toolkit known as Low Orbit Ion Cannon (LOIC).

In an e-mail interview with ZDNet Asia, Ronnie Ng, senior manager for systems engineering at Symantec Singapore, explained that LOIC is a network stress-testing application that attempts a DoS attack on the target site by flooding the server with TCP, UDP and HTTP requests, with the intention of disrupting the service of a particular host.

Free attack toolkits are widely known to be readily available on the Web, and LOIC is one of them.

“There are many applications out there that are capable of carrying out such attacks, some of which are legitimate, depending on the user’s intention, and can be found with a simple search,” Ng added.

“However, there are many underground tools also designed for malicious use that can be utilised efficiently with methods such as botnets. Even a simple tool that sends out small packets can have a great impact if used collectively,” he said.

While this form of DDoS attack is not new, the security expert offered the consolation that cybercriminals are not always one step ahead of the protection Web merchants have today.

Ng said: “Attackers are constantly looking for ways to get the information they are after. This varies from using DoS to exploiting vulnerabilities–low or high severity ones–to compromise a system.”

He added that while protection technologies continue to evolve to provide maximum protection, proper patch management and user awareness of today’s cyber threats are necessary to ensure a stronger security posture.

While it is possible to maintain high-level security for payment merchants, Ng admitted that difficulties remain in defending against DDoS attacks, which are distributed by nature.

“Online merchants will need to audit gateways and firewall rules to ensure they are capable of dealing with small-scale everyday attacks and have comprehensive policies in place to defend themselves against large-scale attacks,” he said.

Such policies can include more aggressive packet filtering, tuning the settings that determine how and when packets are dropped, rules for individual IP addresses, and blacklisting of IP address blocks once certain thresholds are reached, the expert recommended.
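The threshold-based blacklisting Ng recommends, as an added example that is not part of the original article and not Symantec’s code: a sliding-window counter over Web server access logs that flags any source exceeding a per-address request rate and emits a block rule for it. The log lines are constructed for the example (combined-format entries from three addresses in the documentation ranges), and the 10-second window, the 30-request threshold and the iptables rule format are assumptions; the rules are generated as strings and never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_seconds: int = 10, threshold: int = 30) -> dict:
    """Flag sources that issue >= threshold requests inside any window_seconds span.

    Returns {ip: peak number of requests seen in one window} for flagged IPs only.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])  # logs are normally ordered, but be safe
    recent = defaultdict(deque)      # per-IP timestamps inside the current window
    peak = {}
    window = timedelta(seconds=window_seconds)
    for ip, ts in events:
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > window:   # drop requests that fell out of the window
            dq.popleft()
        if len(dq) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(dq))
    return peak


def block_rules(offenders: dict) -> list:
    """Render one drop rule per flagged address (assumed iptables syntax; not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def constructed_log() -> list:
    """Constructed sample traffic: one flooder, one normal visitor, one bursty but legitimate client."""
    tz = timezone(timedelta(hours=8))
    base = datetime(2010, 12, 8, 14, 3, 0, tzinfo=tz)

    def fmt(ip, t, path):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(60):   # flooder: 6 requests per second for 10 seconds
        lines.append(fmt("198.51.100.7", base + timedelta(seconds=i // 6), "/"))
    for i in range(5):    # normal visitor: one page every 15 seconds
        lines.append(fmt("203.0.113.5", base + timedelta(seconds=15 * i), f"/page{i}"))
    for i in range(8):    # page plus assets: 8 requests in 2 seconds, under the threshold
        lines.append(fmt("192.0.2.44", base + timedelta(seconds=i // 4), f"/static/{i}.js"))
    lines.append("this line is corrupt and must be skipped, not crash the parser")
    return lines


if __name__ == "__main__":
    offenders = detect_floods(constructed_log())
    print("flagged:", offenders)
    for rule in block_rules(offenders):
        print(rule)
```

The threshold is the whole policy here, and it cuts both ways: set it low and the asset burst from 192.0.2.44 gets blocked along with the flooder, set it high and a botnet of 30,000 machines each sending a handful of requests never trips it at all. That is why Ng pairs per-address rules with packet filtering and broader policies rather than relying on a single counter, and why Yordanov, earlier on this page, calls address blocking useful only while the sources stay static.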

The Visa and MasterCard sites were taken down on Wednesday by a network of 15,000 online activists who named the attack “Operation Payback”. It was carried out in retaliation for the credit card companies’ and PayPal’s announcement that they would no longer process donations to WikiLeaks. The attackers also tried to hit a further target, but failed.

The group of hackers, called Anonymous, has vowed to target British government Web sites if WikiLeaks founder Julian Assange, an Australian, is extradited to Sweden, where he is wanted over allegations of sexual assault. Assange is currently on remand in the U.K. over the allegations.

In a separate development, several former WikiLeaks members have said they plan to launch a new site, OpenLeaks, to continue supporting whistle-blowing.

In the Netherlands, police confirmed the arrest of a 16-year-old who has admitted taking part in the attacks.

Microsoft to plug critical IE, final Stuxnet Windows holes

Microsoft said today that next week’s Patch Tuesday will bring 17 updates plugging 40 holes, two of them rated “critical”, including one in Internet Explorer (IE) that was targeted in attacks last month.

The exploit for the critical IE vulnerability was written for IE6 and IE7, but IE8 is also vulnerable, Microsoft said when it issued a warning about the flaw in November.

Also fixed on Tuesday will be the last of the four Windows holes that the Stuxnet malware used.

“This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware,” Mike Reavey, director of the Microsoft Security Response Center, said in a blog post.

Windows (all supported versions), Office, IE, SharePoint and Exchange are affected by the bulletins, today’s advisory says.

This brings Microsoft’s total bulletin count for the year to a record 106, Reavey said. He attributed that to a slight increase in vulnerability reports in Microsoft products and to older products “meeting newer attack methods, coupled with overall growth in the vulnerability marketplace”.

“Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we’re able to release a comprehensive security update before the issue is broadly known,” Reavey wrote.

This article was first published as a blog post on CNET News.

Debit cards a magnet for fraud

Debit card fraud has increased dramatically in the year to June 2010 thanks to an explosion of ATM (automated teller machine) skimming.

The cost of skimming fraud has rocketed by 94 percent since 2009 to more than AUD$22 million (US$21.56 million) and accounts for 79 percent of debit card fraud.

Debit cards are vulnerable to ATM skimming, in which fraudsters replace terminals with devices capable of reading PINs and stealing account information from the cards’ magnetic stripes.

Figures from the Australian Payments Clearing House show incidents of fraud on magnetic stripe debit cards used for EFTPOS PIN transactions have jumped to about 3 in every 1000 transactions, or some 84,000 in the year ending June 2010.

The cost of that fraud over the same period has risen to close to AUD$28 million (US$27.44 million), or from 7.4 cents to 10.7 cents in every AUD$1000 (US$980.10) transacted.

An industry source told the Australian Financial Review that the spike in ATM skimming was caused by a string of scams targeting McDonald’s restaurants in which criminals replaced handheld EFTPOS devices with replicas capable of transmitting account details via Bluetooth.

But the same figures show that the cost of fraud on credit cards with embedded chips has dropped from 60.1 cents to 58.6 cents in every AUD$1000 (US$980.10) transacted, and the likes of Visa and MasterCard are chuffed.

“This is great news for cardholders and merchants alike and shows that the industry investment in chip is paying off,” Visa’s local general manager Chris Clark said.

The clearing house is more sober: it points out that while the cost of credit card fraud has dropped, the number of incidents has increased.

It attributes the rise to banks lowering the threshold value at which fraud is investigated, meaning they will detect more, but cheaper, fraud.

The drop in the value of fraud detected coincides with a push by MasterCard and Visa to drive use of contactless credit cards such as payWave and PayPass, which bypass identity confirmation for transactions under AUD$100 (US$98.01).

According to the system’s developers, it processes transactions over a fast wireless link and does not transmit account information.

While fraudsters have moved away from scamming credit cards, they are having a field day with vulnerable online shoppers.

Fraud targeting Internet, mail or phone shoppers, where the physical card is not presented, has surged by 25 percent to AUD$102.6 million (US$100.56 million).

It accounts for more than half of all frauds on credit, debit and charge cards, according to the clearing house.

The clearing house said better IT security, in line with the Payment Card Industry (PCI) Data Security Standard (DSS), is critical to reducing online or “card-not-present” fraud.

The clearing house’s chief executive officer Chris Hamilton said Australia had a lower incidence of fraud than other nations: “Australia [is] less attractive for fraudsters from other countries.”

This article was first published at ZDNet Australia.

Facebook, Twitter boot WikiLeaks supporters after Visa attack

A hacker group that calls itself “Anonymous” says it took the Visa Web site down on Wednesday in retaliation for the credit card company suspending payments to the WikiLeaks site.

Earlier Wednesday the group hit the MasterCard site with a distributed denial-of-service attack for the same reason, and it took down PayPal over the weekend. The MasterCard site was back up this afternoon.

“IT’S DOWN! KEEP FIRING!!!” the group tweeted on its Operation Payback campaign page.

On Tuesday, Visa said it was suspending payments to the controversial whistle-blower site, joining MasterCard and PayPal.

Operation Payback also said its page had been banned from Facebook for violating terms of use, and late Wednesday afternoon the group’s Twitter account was suspended as well. Attempts to reach the group’s Twitter page displayed a warning that said “Sorry, the profile you are trying to view has been suspended.” A Twitter representative declined to comment on the matter.

Facebook bans pages that are “hateful” or “threatening” or which attack an individual or group, according to a warning Operation Payback posted to Twitter. A Facebook spokesperson provided this statement: “Specifically, we’re sensitive to content that includes pornography, bullying, hate speech, and threats of violence. We also prohibit the use of Facebook for unlawful activity. The goal of these policies is to strike a very delicate balance between giving people the freedom to express their opinions and viewpoints–even those that may be controversial to some–and maintaining a safe and trusted environment.”

Meanwhile, Icelandic hosting company DataCell EHF said it will take legal action against Visa and MasterCard over their refusal to process donations for WikiLeaks. DataCell said that it had been losing revenue as a result of those actions.

WikiLeaks has come under attack since it posted its latest release of about 250,000 confidential U.S. diplomatic cables to the Web last month, embarrassing officials and incurring the wrath of foreign leaders. That release followed posting of cables related to the U.S. operations in Afghanistan and Iraq earlier in the year.

As U.S. politicians cry foul and WikiLeaks’ payment and infrastructure providers cut their ties to the beleaguered site, supporters have stepped up efforts to keep it online, creating mirrors of the site and exacting revenge on the companies that turn their backs on the project.

While that war is being waged, Julian Assange, the public face of WikiLeaks, is behind bars over accusations not believed to be directly related to WikiLeaks. He was arrested on Tuesday in London on allegations of sexual assault in Sweden. Assange says he and the Web site are being unfairly punished for telling people what their governments are doing.

Asked for comment, Visa said in a statement Wednesday that its processing network that handles transactions was functioning normally but that its Web site was down. “Visa’s corporate Web site is currently experiencing heavier than normal traffic. The company is taking steps to restore the site to full operations within the next few hours.”

Updated to note that Anonymous’ Operation Payback account on Twitter has been suspended, and at 3 p.m. to include comments from Visa and Facebook.

This article was first published as a blog post on CNET News.

PC quarantines raise tough complexities

The concept of quarantining PCs to prevent widespread infection is “interesting, but difficult to implement, with far too many problems”, said security experts.

Microsoft’s security chief Scott Charney has suggested that ISPs could be allowed to quarantine infected PCs in “infection wards” to ensure a machine is cleared of malware before its connection is allowed to resume.

In an e-mail interview with ZDNet Asia, Michael Sentonas, McAfee’s CTO for Asia-Pacific, questioned the effectiveness of cutting off a computer’s Internet connection when security software updates and operating system patches can only be obtained online.

“There is also the issue around educating consumers or non-security professionals on what to do if they are infected and quarantined. Many non-security trained Internet users understandably leverage the Web to resolve issues. How are they going to achieve this without Internet [access]?” asked Sentonas.

Other questions about resolution are also hard to settle, he said: once the machine is remediated, who releases the computer from quarantine, and who determines that the machine is safe?

Sentonas also likened the concept to not allowing an unsafe car on the road so that others are protected, an analogy that ESET’s senior research fellow David Harley said “works up to a point”. Success, Harley added, would depend on the individual implementation.

While enterprises have used the concept for years to protect their own networks, home users, who are also their own system administrators, are often “ill-equipped” for the role, Harley commented. He conceded, however, that such an approach could have a significant mitigating impact, subject to the diagnostic accuracy of the ISP, which can often be hit-and-miss.

Should quarantining be adopted, where it is done and what the standards and procedures should be can become tricky, as conditions differ from country to country and depend on the contract between the consumer and the ISP, both experts said.

As Sentonas pointed out, the situation in an enterprise is less complicated than for a home user, as “configuration of individual systems may be standardized and regulated centrally”. Dealing with home PCs, with their many different systems and applications, raises numerous possibilities and complexities.

Legally, Harley was concerned about loss of earnings resulting from quarantining a PC. “If the PC is infected, VoIP may be impacted. [The question then is whether] the total loss of VoIP access would put the user in a precarious position. Consider the situation where the user does use some software, paid or even free. What appeal process does he have?”

On the other hand, this “walled garden” approach could be a revenue stream for security providers supplying contracted services to other service providers, said Harley. That said, if it were used as a marketing tool for the security provider, it might create legal problems.

“Indeed, we’re already seeing instances where fake support services circumvent legislation that regulates cold calling by ‘solving’ security problems on the victim’s PC, but for a fee,” explained the ESET research fellow.

“The walled garden approach can be said to be ‘grooming’ end users for this sort of abuse,” he added, noting that banks could in the future require the use of approved security measures before allowing a customer to connect to its servers.
