IT Security Blog

REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 

In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette.  The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":

If the recipient follows the link to the monopoly2009.com web site, they are greeted with a web page that actually looks fairly well done advertising the Monopoly "game" and encouraging the user to download using several links dispersed throughout the page after giving a brief history of the game and providing some fun facts.

No code is injected on the user's computer just by visiting the web page.  They need to download and install the monopoly.exe executable file that the site tries to deliver.  The executable file is just the first stage of the process, however.  A fairly common tactic being deployed by hackers is that the code that is installed as a result of the web site download is only the beginning.  At this point the trojan is activated on your computer, and now it is going to go out to another computer behind the scenes and download the second stage of the malware, the piece that turns your machine into a spam sending zombie touting Canadian Pharmacy products.

As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now.  Don't be fooled.  This is merely a counter of how many people have visited the page thus far.

ALERT: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 

Now onto today's blog post :)

Another celebrity death.  Another recycled scareware tactic attemping to lure users to download malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.

Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:

 

This similar tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms.  The Windows Explorer-like screen presented to the user also uses geolocation to attempt to identify the country and city that the user is coming from in an attempt to make the user believe that their data is actively under attack.  Popups with phrases like "Scan procedures finished.  34 Potential aggressive items was found!" and "Your computer remains infected by threats!  They might lead to data loss and file structure damage, and needed to be heal as soon as possible.  Return to Total Security and download it secure to your PC" also attempt to trick users into believing that the only way that they can protect themselves from infection is by downloading bogus security software.

Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution as it continues to be a recurring and evolving theme.  Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it) and now others are riding of that popularity to repurpose it for their own scams.

 

Friday usually get people excited since it’s countdown to the weekend but this week we’re excited about it because we’re going to be having some stellar guests participate in the SecurityBuzz podcast.

As you may recall last week Robert Scoble’s WordPress blog Scobleizer was hacked. We’ve asked Scoble and Rob La Gesse, director of customer development at Rackspace to join us to discuss corporate blogs and security issues they face, how to prevent them, etc.

The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.

In my copious amounts of spare time one of the things that I like to put thought into is where I believe the Threat Landscape is headed.  Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that.  I'm just using this as a reference point) we've gone from mass mailing viruses to network worms that run through your network compromising any vulnerable host as quickly as it can to social engineering tricks that sometimes even make it difficult for the trained professional to tell whether something is real or fake. 

So, the question that I pose to myself is "What's Next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today. 

Since this is a blog post, I'll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I've had the opportunity to write for them twice now) at some point soon.

Some things to think about:

-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization.  Given that the latest USB 3.0 spec that was released in November 2008 allows for data transfer speeds at about 5Gb per second sensitive, proprietary corporate data can be pulled off a company's network an onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft.  We need to make sure we are putting as much focus on protecting our sensitive assets from insiders who much more easily have access to proprietary data as we do keeping the external threats at bay.

-- VoIP
Voice over Internet Telephony technologies are being adopted at an ever increasing rate.  This is happening not only in the enterprise space, but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state.  VoIP implementations at organizations are also becoming ever popular as well.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like.  Throw away phone numbers used to make spam phone calls have started to become more common.  There are services available online which allow you to purchase throw away numbers in blocks.  Spammers and can use and abuse these numbers just like they do IP addresses now. 

Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities.  Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users.  As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data. 

-- Mobile Malware
Let's face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ).  As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device.  The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market.  The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices.  Secure sandboxing of third party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.

-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data that is now available online through the use of social media sites like Facebook, Myspace, and Twitter criminals can much more easily target attacks to specific individuals or groups of individuals using data made available via public profiles or geolocation tools that map your IP address to what town you live in (or near) so that they can deliver compelling content which direct you to malware infected downloads (ala the Waledac botnet).  The Web of Trust that exists between users on social networking sites is being actively exploited regularly by hackers looking to take advantage of the fact that users will click on whatever their friends send to them.  It's already been proven that people will click on links and open attachments from people they don't know so why would they judge more closely the content from those that they do.

-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause.  Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely. 


These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road.  Hackers will go where the money is and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they'll end up getting the lion's share of the notoriety as well as beat defense mechanisms to the punch.

According to this ThreatPost article the main web site for apache.org was hacked earlier today through an SSH key compromise where the intruder was able to gain root access to Apache's server.  The current apache.org site has been redirected to one of its European mirrors while the other server has been taken offline.

While on the machine the attacker was able to replace the ssh (Secure Shell) client and server applications with versions that would log the usernames and passwords of those who were to access that machine.

Although the Apache folks believe that they identified and remediated the vulnerability quickly, and that no software available on the site was compromised, if you have recently downloaded software from the Apache web site, you might want to take a cynical approach and remove and reinstall the software from the uncompromised site that Apache has up now. 

Information is still slowly coming out about this story, and we will likely know more in the coming days.  It is important to note at this point that although Apache believes that they identified and fixed the problem quickly, the possibility remains until we hear otherwise that this server may have been compromised by hackers for some time and that many software downloads had potentially been affected if any publicly available software was modified. 

My advice: Be over-protective.  Keep a close eye on the traffic coming in and going out of your network to look for anything suspicious.  With over 50% of the web server installations worldwide, Apache is a potential high-value target for criminals as any infected software downloads could lead to backdoors in systems that install binaries with embedded trojans.

Byron Acohido of the USA Today poses a question that we have been battling for a long time in his latest piece on GSM conversation eavesdropping.  That question is how much time is enough time to give a vendor to patch an issue before the vulnerability becomes public knowledge? 

The debate rages as to who is should be the one to set the time frame for responsible disclosure?  Should the person who identified and reported the vulnerability to the vendor also be the one to determine that timeframe?  That sounds a bit like extortion to me.  "Fix this problem by the time I say you should have it fixed by else we'll expose you to the world"  seems an awful like someone who is sitting more toward the "black" end of the white/black hat spectrum. 

Should the vendor be the one to control that timeframe based on their knowledge of the risk factors (i.e. how exploitable is this problem?, Is it already being exploited?, What is the potential for damage if it were to be exploited?, How will it affect our market position, amongst other criteria) and other defined priorities?  Should they be held accountable for patching known flaws regardless of these factors due to their fear of being taken to task by the person who found the bug? 

In Byron's article, he specifically mentions a campaign by Karsten Nohl, who is threatening to expose a longstanding flaw in the encryption method used on GSM phones that will allow eavesdropping of conversations to take place.  Nohl mentions in the article that this is already being exploited widely, but is also calling upon the community of hackers to crack the encryption method.  If it is already being exploited (meaning that proof of concept code exists), why is he calling on the community do it?  Isn't that somewhat reinventing the wheel?  I didn't quite follow this path in Byron's article. 

So, what's the point to all of this?  On one side we have "grey hat" (in my opinion this designation is silly.  Grey hat is just a candy-coated way of saying "black hat", but wanting to appear as if you have the public's best interests in mind) hackers who feel like they are the superheroes of the security community by holding threat of humiliation over the heads of companies who don't fix software flaws on their timeframe (Nohl suggests that the flaw he threatens to expose has existed for 15 years.  I am not sure how many of us are truly in the position to either confirm or refute that claim).  One the other we have companies who may have good intentions to fix vulnerabilities, but clearly perform their own internal risk assessments first based on a number of criteria, only a few of which I mentioned earlier. 

In my opinion, the answer to the question "how long should a vendor have to fix a reported vulnerability?" lies with the vendor and with the vendor alone.  Certain factors may cause a company to shift those priorities and release a patch outside of their regular software release cycles or the flaw might be something that doesn't get fixed until the next major software release.  Either way, if you really have the common good (as opposed to your own inflated ego) in mind, you'll let the vendor responsible for fixing the bug do so on a timetable that is acceptable to both them and their customers.  If their customers aren't happy with whatever that timeframe is, don't worry, they'll complain loudly (customers do that :) ) and the vendor will be forced to shift their priorities accordingly.  The process self-regulates that way and leaves the over inflated egos out of it.

Obviously there are many opinions on both sides of the fence on this issue.  So, let's have them!  Feel free to drop me a note at sam AT mxlogic.com or on Twitter as "@smasiello". 

Our Threat Operations Center has recently noticed a new type of phishing campaign attempting to phish login credentials to Yahoo!'s Local Search Marketing tool.  This is similar to the Google Adwords phishing campaign that we reported back in May 2008 attempting to obtain login credentials to Google's Adwords site from customers.  In this instance the email that is being sent is spoofing a from address @yahoo-inc.com (Yahoo's internal email domain) and trying to convince the user that their account is about to be suspended.  Sounds like just about every other phishing campaign, right?

The phish reads as follows:

Dear Advertiser,

We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.

Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.

Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm

Sincerely,

Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.


Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic.  If you have a personal relationship with a company and they wanted to send you an important email communication they would use your real name.  Also note the missing period between "onlinemarketing" and "yahoo" in the URL.  If you weren't looking closely, this could be easily missed by someone reading the email (even if it were present, the actual URL for Yahoo!'s Local Advertising tool is "searchmarketing.yahoo.com", not onlinemarketing,yahoo.com.  This point might also be missed by the casual recipient.

The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product.  That rarely seems to stop most spammers.

Do we really know?  Recent research would say that we don't.

In late April two conflicting articles were published: One was an article was posted at IT Brief which appears to have been supported by AVG that states 250,000 malicious web sites are created every day and another article was published by Security Pro News that says MessageLabs claims 3,500 new malicious sites daily. 

So, which is it?  The truth in my opinion is that we don't really know.  Also, what neither of these articles discuss is the increase in compromise of legitimate sites due to trojans like Gumblar.  The number of compromised legitimate sites is also harder to quantify because it is likely there are a lot more of them out there than are currently known. 
One thing appears to be for certain and that is that we have reached the tipping point with the web being used as the primary threat vector for the distribution of malware ahead of email.

Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites.  This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.

The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites. 

We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics, search criteria that users are interested in and looking for through Google, to determine what users already want to see.  They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity.  No work required on a hacker's part to organically generate interest.  That interest is already being generated by high profile news stories, which have already shown to be very effective through the many iterations of Storm and Waledac over the past couple of years. 

An example is being reported by Dan Kaplan at SC Magazine where he said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter, who was recently videotaped through a peephole camera.  These fake websites are being used to inject malware onto curious users' computers.  They could also very easily be used in phishing campaigns to steal user's personal information.

Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post. 

As news of the most recent Twitter breach spread and details of what was compromised started to come forth the question that was at the forefront of my mind was "Whatever happened to responsible disclosure?" where you notify the vulnerable party, give them ample time to fix the problem, and if any information is released publicly, it is done after the problem has been confirmed resolved by the vendor.

According to the article on TechCrunch that contains data that was stolen, they "spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that" (where that = the right way to go about releasing the data).  Now I was certainly not privied to those discussions, but I have a hard time believing personally that those discussions involved Twitter saying "yes, please post the information, but just leave out the secret sauce bits."  I don't understand what criteria TechCrunch used such that they are now the governing authority over what is and is not confidential or why they feel they have a right to make that call to begin with.  I am disappointed that a purportedly reputable news organization would feel that they have such privilege. 

In a follow up post TechCrunch attempts to justify their actions by pointing to previous cases where they and another news organization had each taken it upon themselves to post sensitive information.  I guess that means that since there is a precedent for something happening that it somehow makes it right?  They also state within this article that they "break big stories."  Obviously, those that break the big stories get the big press, but let's not also forget that a certain level of responsibility is expected as well.  Saying that "others do it too" as justification for doing anything is just plain juvenile. 

Of course, let's not let the person who leaked the information to TechCrunch off the hook either as they are certainly culpable as well.  At this point nobody seems to know who that person is (at least not publicly).  This mystery person submitted the information with the expectation that it would get published.  Otherwise, why send it to a news organization to begin with.  They baited the hook and TechCrunch bit down hard. 
Whether TechCrunch will end up facing any legal action from Twitter remains to be seen.  Twitter might want to consider at least sending TechCrunch a thank you note for at least temporarily turning the stink-eye from this whole mess away from themselves as TechCrunch appears to be getting flamed worse than Twitter, who had the breach to begin with!

Funny how things work sometimes :)

It looks like the Hack du Jour, Twitter, has had another high profile data breach.

It seems like we have been around the block on this topic before on a couple of occasions, haven't we?

According to TechCrunch the cause of this most recent data breach isn't stolen Twitter account credentials because of ClickJacking exploits or people who have given up their logins because of look-alike Twitter application sites.  This exploit was far more elementary and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords.  According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password".  Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password" ?  Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously.  Strangely enough repeated lapses in judgment does not appear to have slowed their growth.

The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control."  I couldn't disagree more with this statement.   The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers.  They are a result of Twitter's poor security practices and Twitter's alone. 

Any service provider, construction outfit, or home business who has their own network equipment needs to ensure that they have taken proper precautions to secure those devices.  That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates.  These are not practices that are relevant to Cloud Computing providers alone.  To insinuate such in an effort to spread FUD against these types of services is downright irresponsible, in my opinion.  We're talking about best practices that need to be employed by everyone in all industries and form factors.  Perhaps if we did that instead of just talking about it and always looking to point the finger at someone when they make a mistake we would have less people to point fingers at.

Roger Thompson, Chief Research Officer at AVG Technologies, said in an article posted on Network World that the latest vulnerability in Microsoft's Video Controller ActiveX library could be the next Conficker. 

I very much disagree with that sentiment. 

Conficker was similar to the Slammer worm from back in 2003 where there was no overt action required on the part of any individual person to get infected.  You could get infected simply by being out of date on security patches.  The current Directshow exploit requires a user to visit a malicious web site (links to sites hosting the exploit code are currently being sent out in spam emails) to get infected.  Also, the user must be an admin on their computer to get infected by the Directshow exploit.  Most people do run in this mode, however so that won't be much of a hurdle to clear, but the requirement that a user must visit a web site hosting malicious code is a tactic that users are becoming more accustomed to avoiding. 

There are some similarities here that are worth pointing out, however.

For starters, there are claims that Microsoft knew about this vulnerability well in advance of exploit code being released for it, but neglected to patch it.  This makes sense considering Windows Vista and Internet Explorer 8 are not vulnerable to this exploit, but Windows XP and Internet Explorer 6 and 7 are.  This does beg the question though as to why Windows Vista is not vulnerable since it has been out for well longer than the exploit has supposedly been known by Microsoft.  This is similar to the Conficker situation because the MS08-067 vulnerability that allowed that worm to appear was also being exploited for about a month prior to Microsoft releasing an out of band patch for it.  Unfortunately, at that point the damage had already been done and regardless most of the machines that were infected with Conficker are running versions of Windows XP that had never installed a single Microsoft security update (see research at http://mtc.sri.com/Conficker).

Anyway, I digress from my point.  Although I do believe that the Directshow exploit is significant and that the out of band patch that Microsoft released to address it is absolutely the right thing for them to have done (as opposed to waiting for their typical Patch Tuesday release next week), I believe it is blowing the situation out of proportion to say that this will be the next Conficker.

As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.

All of the messages that our Threat Operations Center have observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times by the Storm/Waledac folks previously. 

Some of the subject lines that we have seen thus far include:

Amazing firework 2009

Amazing Independence Day salute

Amazing Independence Day show

America for You and Me

America the Beautiful

American Independence Day

Bright and joyful Fourth of July

Celebrate Independence

Celebrate the spirit of America

Celebrate with Pride

Celebrating Fourth of July

Celebrating the Glory of our Nation

Celebrating the spirit of our Country

Celebrations have already begun

Fabulous Independence Day firework

Fourth of July Fireworks Shows

God Bless America

Happy Birthday America!

Happy Birthday USA!

Happy Birthday, America!

Happy Fourth of July

Happy Independence Day

Home of the Brave

Independence Day firework broke all records

Let the fireworks begin!

Let's celebrate Independence Day

Light up the sky

Long Live America

Proud to be an American

Sparkling Celebration of Independence Day

Spectacular fireworks show

Stars and Stripes Forever

Super 4th!

The best firework you've ever seen

The best of 4th of July Salute

This Land Is Your Land

Time for Fireworks

Well done 4th!

Traffic so far has been pretty modest, only at about 2,500-3,000 per hour and is likely being mitigated by the fact that many companies have given their employees July 3rd off this year in observance of the fact that this year's United States Independence Day holiday is on a Saturday.

Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:




The site that users who click the link in the email are lured to claims to be a video of a fireworks show, but is actually a download of an executable file (video.exe) that when run will infect the user's PC.  So far all of the links that our Threat Operations Center have observed have been subdomains of the "moviesfireworks.com" domain, however our team is on the lookout for more, and this post will be updated as necessary.

Below is a screen shot of the fake video web site.






Here's to everyone having a safe, happy, and malware free July 4th holiday :)

In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds.  This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.

This new tactic is similar to the two previous instances that we have seen over the course of the last 3 weeks where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express.  The previous emails were text based, however and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to convince the recipient that the message was authentic.  This new tactic does go one step further to create an HTML based message that looks similar to the formatting that one would see when viewing a Microsoft Tech Bulletin. 

A screen shot of the received message is below:




As you can see, this isn't the full message, but the pertinent parts are included.  There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic. 

The creators of this new variant also put a little extra care into how they crafted the URL used in the email.  As you can see from the example above the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon.  In the background these links are typically either going directly to an IP address or to a domain that is clearly not associated with the company they are spoofing.  The tactic being used here is the latter of the two, but you have to pay close attention because if you just quickly glance at the URL, you'll miss something important. 

For example, here is one of the URLs that our TOC observed:

hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=137389514006574829074907904242972292094527445893638626111136583

You'll notice that the link is really going to "hfhilf.com", clearly a domain not associated with Microsoft, but prepended to the domain is "update.microsoft.com" followed by a query path that looks very much like it could be a legitimate Microsoft Office update path. 

As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft.  Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification. 

In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers. 

In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email. 

Many major financial insitutions are on-board this bandwagon as well, but clearly there is room for improvement.  As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS 100 members are currently using any form of email authentication.  A statistic that seems to be quite different than the adoption rates of F500 brands.  For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value in the implementation of these solutions. 

Will SPF and DKIM stop spoofing?  No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials. 

The question that I would pose here is that for the increased consumer confidence that is attempting to be fostered by using email authentication technologies, is it too little too late?  I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore or have moved away from online banking entirely solely because of their concerns of having their identities stolen.  In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not even dealing with their bank via online means.   This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals. 

Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet.  To that point, when I think about where we are today with the low level of trust that users have overall with email as a communication and marketing vehicle, I believe that as an industry that we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.

Today the FTC announced via their web site that they have shut down 3FN (aka Pricewert), a major rogue internet service provider specializing in hosting botnets, phishing web sites, child pornography, and other illegal, malicious web content. 
Unfortunately, however we are not seeing any volume drop offs as a result of this shut down.  Back when McColo, another rogue hosting provider, was shut down back in November 2008, we observed an immediate drop in spam volumes of about 60%.  No such luck this time.  In fact, spam volumes haven't been affected at all according to our Threat Operations Center. 

This begs the question "Why not?"  How come spam was so significantly affected by the McColo shutdown, but the termination of 3FN doesn't appear to have had any effect thus far?  The reason is that botnets, particularly those that were affected by the McColo shutdown but who serve as a lesson to all botnet owners, have gone to great lengths to ensure that they have built redundancy into their networks to prevent the disruption caused by McColo from ever happening again.  It is suspected that some of the larger spam sending botnets like Cutwail had command and control servers hosted at 3FN, but because they now work in a multi-homed model where they have command and control centers interdispersed amongst many different providers on many different networks, the shutdown of a single hosting provider will require nothing more than a minor update to be distributed from the other command and control servers to point the members of that botnet away from 3FN allowing business to run as usual.

Government intervention and the veritable whack-a-mole game that goes on with upstream bandwidth providers can only go so far to get these illegal web hosts shut down.  We need more cooperation from the domain registrars in order to completely take these rogue domains offline.  Unfortunately, with the decentralization of domain registration that has allowed domain registrars to setup shop who are more than happy to allow these rogue domains to come online and stay online, cyber criminals will continue to flock to these services until high authorities step in to get them shut down; a concept much easier said than done.

Every so often our Threat Operations Center runs across things that are either too interesting or too humorous to not pass along.  Yesterday, we saw another one of those examples.

It is not uncommon to see messages spoofing government entities.  We've blogged many times in the past year about scams targeting entities like the US Tax Court, the Internal Revenue Service, the US District Court, the US Department of Justice, and most recently the Social Security Administration (external link to SC Magazine). 

The scam du jour targets the US Treasury.  The email appears to come from the U.S. Treasury Support Center and has a subject line containing the words "Federal Reserve Bank" with various other words/phrases like "Attention" or "Read Carefully" either prepended or appended in an effort to grab the attention of the reader.  As is commonplace with most of the scams that we run across, it has share of grammatical comedies. 






I found two things most interesting in this case: 1) The actual email does not do anything to convince the user that they have to do something RIGHT NOW in order to avoid some loss of privilege or convenience (e.g. their online bank account will get locked out) as most do.  2) (and in my opinion the more comical) The URL in the email contains the word "phishing" in it.  Now, I understand that the phishing reference is likely in relation to the content of the message, but I found it simultaneously funny and ironic that an obvious scam would risk tipping off a would-be victim by including a word that would set off as many red flags with someone as obvious as "phishing." 

As of the time of this writing the domains that are associated with this scam are still up, however the web sites that are being pointed to by these particular scams appear to be down.  The fact that the domains still exist is reason to believe that they will be recycled for future federal bank related scams. 

Just as a general Public Service Announcement, if you are interested in Cross Site Scripting exploit news, and if you are not following @xssexploits on Twitter, do so (and of course follow @smasiello too :) ).

The reason that I mention that is, in addition to wanting to stay up to date on some of the latest XSS announcements, @xssexploits is also one of the first places that I was informed about the recently made public XSS vulnerabilties found on several McAfee web sites. 
So, why are these exploits of consequence?

One of the sites mentioned as being vulnerable to cross site scripting vulnerabilties is McAfee's Rebate and Promotion Center web site.  One of the fields that a user must populate when filling out the form to obtain a rebate is the date that you purchased one of McAfee's qualifying products in mmyydddd format.  By using a technique known as HTML code injection a user could get redirected to another (potentially malicious) McAfee look alike web site used for phishing unsuspecting user's sensitive information or a malware distribution site that looks like an official McAfee web site. 

Many security vulnerabilities are introduced by software not doing proper input checking.  Following a "whitelist model" where as part of the input checking code you specify the valid types of input as allowed (generally a small list) as opposed to identifying all of the input that is not allowed (a much larger list) is common practice.  In this case, it doesn't appear as if the form was doing any kind of input checking.  Why the form would allow HTML characters such as quotation marks, less than, and greater than symbols in a field that is clearly expecting only numerical input is only asking for trouble.

I am not trying to pick on McAfee here, but they are a prime example of the reality that if it can happen to a company where security is their business you would expect them to have a pretty keen eye towards security vulnerabilities within their own web site.  Back in January, CWE and SANS posted their list of the top 25 programming errors that occur most frequently within applications and Improper Input Validation is at the top of that list.  It tops the list because it is the most common flaw and because it is the easiest to exploit.  Improper input checking can be exploited with even the simplest of test cases which means that even your lowest level hacker who only knows the bare minimum about XSS and code injection could take advantage of this flaw. 

Protect your brand.  Protect your web site.  Protect your users.  Follow secure coding practices and incorporate a security mindset into the products and applications that you build.  You don't have to be a security company to think securely.

Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu.  With the number of confirmed swine flu cases rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world coupled with the threat looming that the World Health Organization (WHO) will raise its pandemic alert because of the illness, and you have a combination of circumstances that creates a dangerous cocktail that we frequently see spammers and phishers jump all over.

Although we are yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up.  Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns related to donations to help victims of Swine Flu purporting to be from the WHO or other related organizations.  We could also see emails that attempt to lure users to news oriented web sites that play videos which are setup as spoofs for the intention of distributing malware. 

News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic.  Be aware.  If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly.  Clicking on links within emails is an invitation for trouble.

Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009. 

As we know, where there are users, there are hackers.  Any technology that has grown in popularity at the speed of which Twitter has is certain to become a target for information and money stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months including a Samy-like exploit which would force users to follow you, multiple Clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.
Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes? 

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public.  This is true for online applications like Twitter as well as boxed software that you buy in the stores.  Don't let your customers be your test bed to identify security risks because you can bet that criminals will find them and exploit them before your customers do.  At that point you have put your customers at risk also.  It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways that Mikeyy would spread is by sending Tweets out under the accounts of infected users trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw.  Once that page was visited the user's account was hijacked and Tweets would be sent out as them to their followers trying to trick them into clicking also.  Rinse and repeat.  In this instance the worm was merely spreading out across Twitter to anyone who was fooled into clicking the link presented in the Tweet.  What if this link was forwarding unsuspecting users out to a drive by malware site that installed malware like Storm or Conficker?  In a previous post we discussed how URL abbrevation services can potentially hide an underlying threat vector to redirect users to malware drive-by or phishing sites.  Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.

In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.

Word is spreading of a botnet called Psyb0t that is going around and compromising the home routers of people who have not changed the default login password on those devices.  According to published numbers around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t.  It is important note there are a couple of criteria that must be met before your router can be exploited via Psyb0t.  First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t).  Second, it has to be configured to be administered remotely (from the internet, not the local LAN), and third it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one.  One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the "Threat of the Month".  The piece that I submitted for their February 2009 issue was on the topic of "Drive By Pharming".  Essentially what drive by pharming entails is the compromise of home routers that have the "Remote Administration" port enabled so that you can modify their settings from the internet.  If the factory password is still set as the password used to login to the device it is trivial for an attacker to get in, modify your settings to point you to a malicious DNS server such that traffic to legitimate sites gets repointed to sites setup to phish passwords or inject malware.  That is only one possibility.  Another is that a new version of firmware could be uploaded to turn the device into a bot. 

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not made to protect them.  Default passwords for just about every router made are trivial to find on the internet.  In fact, there are sites setup, like routerpasswords.com, that allow you to select the manufacturer of the router and it will tell you the default password based on their known models.  Be sure to secure all layers of your home or business (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity) network.  Never assume that this is being done by someone else or that it is someone else's responsibility.  The default settings on most of the gear that you will buy are setup such that initial access and administration of the device is easy (reduces support costs and angry customers).  From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.

I have been starting to feel like I have hardly been in the office over the past month.  After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family.  I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.

I wanted to take a few minutes to talk about something that has kind of been bothering me lately.  It is something that I have been hearing more and more of in passing conversation as it relates to browser security, in particular between Firefox and Internet Explorer.  Similar to the debates that have been raging for a few years now between the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are debates between how using Firefox is a more secure browser than Internet Explorer. 

Is it, really?  Or Is it just a matter of perception? 

At the end of the day, the level of security of any application installed on our computer is a combination of the vendor's ability to release timely updates to address new security issues, and the user's ability/willingness to install those updates.  The discussion about application security is completely irrelevant if user's do not install the updates that the vendor provides. 

Take this recent analysis of the Conficker worm/botnet as an example.  According to the report, more than 90% of the users who got infected with Conficker got infected while using Internet Explorer 6, the default browser that comes with Windows XP.  Windows XP is also the OS that has the highest concentration of infected Conficker users, but that is to be expected as it is currently the most deployed Windows OS version.  What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches.  This is also somewhat to be expected because the largest concentration of infections are in countries like China, Brazil, Russia, and India who also have some of the highest numbers of pirated copies of Windows in the world.  You could argue that this might not be the best example of browser security because Conficker is an exploit for an OS level vulnerability, but the reasoning is still sound in that if you aren't applying OS patches you likely aren't patching your browser either.  If you aren't familiar with the "insecurity iceberg" report, I would recommend it.  It is a good read as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser.  It also includes the many plugins that are available such as Adobe Flash, Java, Apple Quicktime, and Adobe PDF Reader. 

So, to go back to my original question, is Firefox really more secure than Internet Explorer?  In addition to my previous argument about patching, I believe this also comes down to an issue of perception.  For example, Firefox releases security updates more frequently than Internet Explorer.  Does that make it more secure or less secure?  Additionally, Firefox has a "nagware" type of feature where it regularly throws popups at you when a new version is available encouraging you to upgrade to the latest and greatest version of the browser.  This gives the impression to the user that they are being kept safer.  Second, Firefox has an active community of developers creating plugins for Firefox that help create additional security features on top of what the browser already provides.  Neither Firefox nor IE have any native protection against what is known as Clickjacking.  With Noscript, a plugin available for Mozilla based browsers like Firefox (et al), Clickjacking protection can be added.  IE currently has no protection available although it is being planned for IE 8.  Another security threat that I have written about previously is the danger that can be introduced by URL abbreviation services like TinyURL and SnipURL.  Firefox has a plugin that will allow users to preview where these abbreviated URLs will really take the user before they click the link.  URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate looking links and redirecting them to malicious web sites.  So, there are security related addons that users can plug into their browsers if you know what the good, actively maintained ones are and know where to look, but this functionality isn't native to the browser and leaves the user with having yet even more software to have to update.

You could make analogies between the OS X and Windows debate here too.  Apple users claim they don't have the malware problem that Windows users have.  In sheer volume of released exploits, this is certainly true, however you are also dealing with a much smaller market share.  Is the reason that Firefox exploits haven't been more widely targeted that they just don't have the market share to support the effort on the part of cyber criminals? 

My point is that there are compelling arguments on both sides of the browser security war debate, but at the end of the day is onus is still on the user to make sure their software (includes both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound traffic blocking firewalls to reduce their risk.  More online threats are moving to the browser every day so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk. 

Following on the heels of last week's announcement of a trojan horse being installed as part of some pirated copies of iWork '09 for the Mac being distributed on peer-to-peer file sharing services comes another announcement that a trojan has also been identified in pirated versions of Adobe Photoshop CS4 for the Mac.

No word yet on whether the new Photoshop trojan was created by the same people who created the iWork trojan that was used to launch DDoS attacks. 

It is important to note that these trojans do not attempt to infect other computers, rather they stay resident on the local machine.  Since the trojans run as root, it is possible that once it has been installed it could be used to affect other applications.  Since these trojans also have a phone home component it could (not confirmed) be used for information theft as well.

Trojans being distributed via applications shared through peer-to-peer file sharing services are nothing new in the PC world, but have recently been garnering more attention for Macs as Apple's computers have been gaining market share.  The Mac fallacy of invulnerability is being challenged more frequently now.  It looks like Apple has finally gained enough penetration into the computer market that cyber criminals are targeting them and their users with more regularity.  This is a trend that will certainly continue especially if you consider the number of Mac users who have resisted purchasing security software in the past.

There has been quite a bit of press over the last day or two with respect to a design flaw with SSL that could allow an attacker to forge a security certificate such that it circumvents the built-in authentication methods within your browser.  This means that your browser could believe that a malicious, look-alike web site for your bank could authenticate to your browser as your real bank web site if this attack is carried out correctly.  See this story from CNET that has a graphical proof of concept example using Bank of America.

If you are not familiar with MD5, essentially it is a 128-bit hashing algorithm that is used by many security applications.  For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIV) to ensure that key binaries on your system have not changed their default composition (if they have, this could indicate a trojan or rootkit has been installed on your system). 

MD5 checksums have been known for some time to not be completely secure as it is typically expressed as a 32-bit hexadecimal number.  This means that there are only a finite number (2^128) of potential hash possibilities.  This has been considered to be good enough for many applications, but with the power of today's clustered computing environments (also including botnets), it has been found that the time it takes to generate a targeted MD5 collision has been greatly reduced.  According to the CNET article, performing the initial forgery proof of concept took about 2 weeks on a cluster of 200 Playstation PS3s.  This kind of computing power is infinitesimal compared to most botnets.  Quite a few articles on the web (do a Google search for "md5 collision example" and some will yield source code) already discuss how easy it is to create an MD5 collision. 

Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies.  My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be utilized to make malicious software look legitimate.  Take our SIV example from earlier.  If a malicious version of a binary was created with the same md5 checksum as its legitimate counterpart, your security checks may never identify that the original executable was modified if your PC were to get infected with some type of trojan or rootkit.  This could also cause AV companies to have to rethink how they do some of their own scanning methods also.

What all of this really highlights is the fact that MD5 is no longer a "good enough" (and in reality hasn't been, but that hasn't stopped people from using it) hashing algorithm if your intention is to create a hash that will be used as part of any kind of security/authentication system.  I agree with Paul Kocher's statements from the CNet article in that although this is certainly not one of the biggest security issues facing us right now.  Between all of the other application based attacks that exist, this one could be potentially very dangerous as it is another one of those that we have discussed that do not require elaborate social engineering to be carried out effectively (at least for web site forgeries) as the redirection to a malicious site can be carried out at the network level. 

This is not one of those types of attacks that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept) as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks could prove to be effective. 

According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks. 

This news is not new. 

Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone. 

Be sure to understand that this is not potentially just a United States issue, it could be a world-wide issue.  South-East Asia is vulnerable according to this article from DarkNet.  Microsoft claims that Europe is also a likely target for attack.  Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism.  Many other countries surely are as well.

If such an attack were to happen (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either) on any of the major economies, its effects would be experienced at a global level. 

One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace that is headed by a new Cybersecurity Czar.  I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo.  They need to coordinate with other nations and create uniformity in establishing policies and procedures.  An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory for Government Agencies or on the Finance, Telecom, and Energy industries only?"  Secondarily, if these policies will also be required for small businesses and enterprises, what will be the cost to them? 

The RWW article also asks the question on whether or not the White House is the right entity to be coordinating this effort for the United States.  A good question considering their track record in addressing issues like spam via the CAN-SPAM act, which just celebrated its fifth birthday.  Despite that negative mark though, I'll ask the question for discussion as to who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al?  If there is such a group, let them step forward.

There are clearly a lot of questions that are as of yet unanswered and likely will not be answered for the foreseeable future.  Here's to hoping that the Obama administration will be taking the cybersecurity initiative as a whole (not just from the cyberterrorism angle) seriously and that he also solicits the opinions and ideas of the security industry when making any decisions.  We have a lot of ideas and recommendations that should be seriously considered.

For the last two out of three months Microsoft has released an out-of-band patch to fix a critical vulnerability in one of its applications.  Today they are releasing an update to patch a critical vulnerability within Internet Explorer.  The patch addresses an XML handling bug within the browser that would allow an attacker to inject malware onto an unsuspecting user's computer merely by visiting a compromised web site.

Back in October Microsoft also released an out-of-band patch to address a vulnerability in the "Server" service which affected many versions of Windows XP and Windows Server 2003.  This new update is right on the heels of a record setting Patch Tuesday on December 9th where an incredible 28 patches were released with 23 of them carrying a "Critical" rating.

Since I have had a couple of people ask me the question, I figured it was appropriate to address the question here.  That question is "What does an out-of-band patch mean?"  In this context I am referring to an update that is released outside of Microsoft's typical update schedule.  The second Tuesday of every month is widely called "Patch Tuesday."  This is when Microsoft releases its software/application updates for the month.  Many of these patches are security related.  When a patch is released on a day other than Patch Tuesday, like today, it is then considered "out-of-band."

This is an especially critical vulnerability to patch as soon as possible as exploit code has been available and hackers have been taking advantage of this vulnerability for about a week now.  Typically following "Patch Tuesday" is another common term called "Exploit Wednesday" (which is likely when this exploit was released into the wild).  Exploit Wednesday is when new exploits are commonly released which either address new vulnerabilities brought about by the code that was patched or take advantage of existing code issues with the knowledge that Microsoft is typically slow to react to release a patch outside of its normally published schedule.

Test and deploy this patch immediately or encourage your users to use a different browser (such as Firefox or Chrome) until you can deploy the fix.

*** UPDATE 12/18/2008 9:15am MST *** More information here written by SC Magazine which re-emphasizes the importance of rapid patch testing and deployment due to the number of active exploits.

It has been one month since McColo had its upstream bandwidth cutoff by Global Crossing and Hurricane Electric.  What has changed since? 

As we've previously reported (here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume.  This drop carried on for about 9 days even though in the middle of all of this McColo was briefly brought back online by TeliaSonera.  During this brief uptime the Rustock botnet was able to update itself and point its bots to different command and control hosts.  It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activities.

Since that time we have also seen the Mega-D botnet come back online as well.  The current net result is still positive as spam volumes are still about 40% lower than what they were prior to McColo.  This is largely due to the fact that the Srizbi botnet still only shows minor signs of life despite reports that Srizbi is back in the hands of its original owners.

I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily.  What this will end up leading to, however is the bigger, better botnet which will have more redundancy built in, have command and control centers that are live on multiple networks having bandwidth provided by multiple providers and fast fluxes both its nodes and nameservers to create a truly interconnected network that can only be taken down by effectively removing all of the connected, infected machines.  Add in encrypted channel communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm and your botnet is bulletproof.

As defenses improve, attack tactics evolve.  Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural).  Get ready.

It looks like Apple has finally changed their tune as it relates to using security software on their PCs and is now telling their users to make sure they have antivirus software installed.  See article here.

This move was inevitable.  At some point Macs would gain enough market share for them to become more of a target for hackers and cyber criminals.  Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago.  Now the Mac users who have long been saying that they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on as even the manufacturer of their computer has come out and contradicted that claim.

From a timing perspective this announcement comes at a good time as well.  As IT managers are working on their 2009 budgets, this is now something that they need to include as another line item to allocate money for early in the year.  If your Mac does not already have some kind of antivirus software installed, the time is now to get it.  Apple's personal computer market share continues to increase which means its prevalence as a target will also continue to rise.  Don't be left holding the bag either as a personal Mac user or as a corporate user.  Macbots are coming.  iPhones and iPods will not be far behind.

*** UPDATE 12/2/2008 4:42pm MST ***  So it looks like I need to recant a little bit.  If you look at Apple Knowledge Base Article 4454, you notice the last updated date of December 2, 2008.  This article was originally published back on June 8, 2007.  Unfortunately, the existence of this article hasn't changed most Mac user hubris in their invulnerability to malware because the fact of the matter remains that many Mac users still don't use antivirus software on their machines.  The time is still now to change that.  A widespread Mac virus could be a devastating event!

There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.

First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites. Second, hackers employ bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.

This provides hackers with multiple benefits. Among them:

• Search engines rank sites based upon links from other sites. If a high-ranking site like the AARP (to which Google has assigned a Page Rank of 8/10) links to the hacker’s site, it increases the recipient site’s ranking and traffic.
• The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.
• Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware "anti-virus" applications to help them "fix" the problem.

Typically, most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows many blogs now have the AARP.org bot-submitted links in their comment areas.

As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.

Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.

Just ask the AARP.

(Note: The above image is from a non JavaScript auto-redirecting post.)

I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September.  The latest edition can be downloaded here.

In that report we mention our prediction that as the Democratic and Republican National Conventions concluded and as the campaign season kicks into high gear that we expected to see a continuation of some of the more recent spam tactics that have been employed where hackers were using tabloid like news headlines as a lure to get people to open malicious emails, but with a political twist.  So, instead of using fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip the movement has started toward targeting Barack Obama using similar means.

Some of the subject lines that we are currently seeing targeting Obama are:

Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl

Note that we have not yet seen any similar tactics targetting John McCain.

Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers.  Instead of using tabloid like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.

Obviously there is a bit of a shock factor with these tabloid like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.

According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one year old virus?  I don't know about you, but that sends up lots of red flags to me!  This obviously begs the question of how long this keylogger has actually been resident on the laptop and if there are other, yet undetected, rootkits and keyloggers on those machines?  Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise either from the laptops or from other exposed machines on the NASA network?  What was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanners standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed? 
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar security breaches exist?   Are potential data leakages like this something that the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.  
The email alleges that you sent a package on July 25, but because the recipient's address was not correct when it was shipped it had not been delivered.  It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect a copy of the package at the FedEx Office (address of office not given, which should be one clear indicator that something is fishy about the email).

Sample subject lines that we have seen in our Threat Operations Center include:

You Have A Package!!!
Tracking N <fake tracking number>

Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.

It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.

Every few months another story comes out that talks about the vulnerability of the United States to a cyber-terrorism/warfare/attack.  Today, CNN.com posted another one of these stories.

The fact of the matter is that cyber-warfare is occurring every day.  Every day the network infrastructures of internet service providers, organizations, and every connected network node in the United States and around the world are under siege from network attacks.  Could they all be the type of attack that could bring down a network and cause hundreds, thousands, or millions of dollars in lost productivity?  To some degree, yes.  Botnets hold enormous distributed computing power that, when fully harnessed, are capable of launching distributed denial of service attacks that could overwhelm any network and bring it to its knees.  Everywhere infrastructures are overbuilt in part to manage growth, but in larger part to attempt to protect server farms from becoming overloaded and unresponsive in the event of an attack. 

Spam (the most popular use for botnets) costs in the United States alone are estimated to be in the $200B (with a B) realm for 2008.  That's just email!  That doesn't take into account the number of web sites that are now hosting malware (both sites that were setup for the sole purpose of malware hosting and now legitimate web sites also) with keylogger payloads which leads to problems like identity theft
and corporate espionage which only add to that $200B figure. 

The cyber war is being fought every day with attacks originating from all over the globe aimed at equally dispersed targets.  Although it is true that many of the networks and service providers in the United States can better handle an attack than some in the former Soviet republic of Georgia, bandwidth is still finite and if a botnet launches an attack against you that is larger than your pipes and servers can handle, you have problems and that isn't just a United States issue.

According to this story a laptop that contained approximately 33,000 records of customers of the Clear system (Clear is a for-pay system that allows customers to go through a separate security line at some airports using a smartcard). 

Apparently the laptop has been found....in the same room that it was allegedly lost in.  The title of the article linked to above is "Laptop Discovery May End SFO Security Scare"....I couldn't disagree more.

If someone unauthorized had access to the room that the laptop was in when it disappeared, that same person had access to put the computer back after they were done with it (stealing data, installing a trojan to steal more data...the list goes on).  According to the story customer data on this laptop was NOT encrypted which means anyone who had access to the computer had unfettered access to all of the customer information stored on it which included names, addresses, birth dates, driver license numbers, and passport numbers.  Of course, now the TSA is saying that the computers must use encryption, but that is like buying flood insurance while your basement is under 8 feet of water.  Too little, too late.

This is a huge black eye for Verified Identity Pass, the company that operates the Clear program.  My favorite line in the article is where their CEO Steven Brill states "We don't believe the security or privacy of these would-be members will be compromised in any way."  The fact that their CEO would make a statement like that just underscores what little he and his company understand about security and the protection of customer information. 
Hopefully this will prompt the TSA into doing a more security oriented deep dive on all of their vendors.  It is important for them to know just how many other basements either are currently or are headed for 8 feet of water in their respective basements.  As a member of the DHS, the TSA already doesn't have a very good record as it relates to security.  Any proactive measures that they can take to ensure the security posture of their organization and the vendors they do business with will help mitigate future high-profile breaches.

According to information being posted by many news outlets the DNS cache poisoning vulnerability that we commented on back on July 9th, the window that researchers and network operators had hoped would be open to patch DNS servers until the Blackhat conference has closed.  Several examples of exploit code have been released out into the wild which show how to take advantage of this vulnerability and attacks have also been spotted in the wild (Thanks to Websense for providing some of the links). 

The folks working on the Metasploit Project were one of the first to jump on the bandwagon by making the exploit available via their freely available Metasploit application. 

So, if you have not yet updated your DNS servers, the time is now to test the patch and update your production servers.  Patches are available from all of the major vendors.  It was widely expected that once the details of the vulnerability were released, exploits would follow very quickly afterward. 

Many have bemoaned the fact that the details of this vulnerability were kept under wraps for so long while others viewed it as a commercial ploy for the Blackhat conference.  My personal opinion is that in the name of responsible disclosure this situation was handled with 100% professionalism and sensitivity as to the nature and severity of the problem.  Based on the amount of coordination that was required to get all of the vendors together, discuss the problem, and patch their applications, there was no way that this could have been done such that it would please everyone involved.  The overly vocal minority is trying to put a black eye on a process that worked as well as it possibly could given the number of stakeholders involved.  It is truly impressive to me that the details were not disclosed sooner. 

It cannot be said strongly enough.  Protect your users and your network.  This is not a problem you can ignore.

Jason Michael Milmont, the author of the Nugache worm, and the creator of what came to be known as "Fast Flux" has plead guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.

Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis.  This constant mobility makes the botnet very difficult to shut down.

There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers.  The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as steal personal information such as credit card numbers from the computers that were infected with Nugache.  It has been estimated that controlled up to as many as 15,000 on his botnet.

Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison. 

In my opinion, this story is only significant because of Milmont's contribution to the botnet community with how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down.  The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.

The July 2008 edition of PC Magazine has a short story on page 92 titled "Hacked Through the Heart" which references a paper published at secure-medicine.org discussing the possibility of hacking the human body through wireless reprogrammable Implantable Medical Devices (IMDs) such as pacemakers.  These attacks could lead to effects such as changing the settings on the pacemaker or even disabling it entirely!  The paper also goes into detail as to how some of these attacks would take place.

Although the paper mentions that as of right now these are theoretical scenarios, the more important point to remember is that these IMDs are driven by software and "where there is software, there are vulnerabilities" and "where there are vulnerabilities, there will be exploits."  I could easily envision a scenario where this creates a Cyber Hitman of the Future where hits are carried out in such a way that they would be virtually untraceable and if executed correctly could have an elapsed time effect where the full damage of the attack may not materialize for days, weeks, or even months after it initially occurred.

On a lighter note, this certainly gives new meaning to the term "Insider Threat" (I'm funny on a Friday :) )

According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS." 

One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka DNS Rebinding attack) is the potential of similar vulnerabilities being exploited in an effort to move malware infections out closer to the network edge and create a "router bot" whereby a compromised router could potentially be used for the distribution of spam, viruses, and malware similar to how PCs are used today.  This would be even more difficult to detect than a PC based malware infection, however as I do not believe that there are any network device based rootkit/malware detection engines that even exist right now (please do correct me if I am wrong here) although this may certainly create a market for them.  Would you be able to easily detect if your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage?  Not likely.

One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco."  This is a dangerous attitude to have for any software application.  I like to say "Where there is software, there are vulnerabilities."  This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them. 

One should never assume that software is hacker-proof.  It very well may be (however unlikely), but even making the assumption or suggestion is when you've conceded that your guard has been let down.  Always remain diligent in your pursuit of security!

Ok, I'll step off my soapbox now.  Have a great weekend!

Over the past 10 months or so we've often discussed different social engineering tactics as it relates to different types of spam and malware campaigns.  These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-Level Executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to. 

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get infected with malware.  This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible.  As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help.  The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number! 

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch out for new potential threat vectors and the techniques that are being used in order to trick them into giving up information that could result in loss of identity, company secrets, or their life savings. 

Losses being incurred as a result of cyber crime are increasing at an alarming rate and now we have reached the point where people are more fearful of being a victim of cyber crime than they are physical crime.  According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008!  That increase is no accident and does not appear to be slowing anytime soon. 

Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  This is typically a by-product of PCs that are used for things that are outside their intended business purpose.  For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used.  It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites.  Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware which will subsequently get passed onto other devices.

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur you can expect to see more of these types of incidents occurring.  This is unfortunate because as we have become more dependent on technology in our every day lives and as the devices that we used have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly.  These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years. 

As we know malware made the move from a vehicle used to achieve fame or notoriety to a method used to make large amounts of money a few years ago.  Similar to how MBR rootkits are a bit of a throwback to a time when attacking the MBR was a popular method of virus infection, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition.  Granted, there is a financial component to MonaRonaDona as well, it is not likely to be very successful.

MonaRonaDona appears to be spreading via malicious advertisements being posted on web sites.  The user will not know they are infected until they reboot their machine when they will receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity."  This malware will also prevent the user from opening common programs on their PC such as Microsoft Office and Adobe applications.

Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.

Part of the intention of the worm author as well is to socially engineer the user of the infected PC to perform a search in the Google search engine for the name of the worm.  Among other fake sites engineered by the malware authors is a site to purchase a product named Unigray.  For $40 Unigray alleges that it can clean your PC of MonaRonaDona.  Of course, all it really cleans is your wallet out of $40 :)

Personally, this worm seems like a lot of work for what will likely be very little reward.  It is different though, especially with the hacktivism angle, from most other malware which makes it interesting. 

We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times.  Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies.  As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!

Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.

....or so networking equipment vendor 3Com would have you believe.

Today's blog entry is based off of an article posted by The Star Online which states that (when comparing the risks associated between wired and wireless networks) "the risks are the same as those posed to wired networks  the typical computer virus infection and odd worm-intrusion incident". Last I checked, worms and viruses, although significant risks in and of themselves, are far from the only risks facing wireless and wired networks.. What about the hacker next door who sets up a wireless sniffer to try to crack the encryption key used on your wireless network? Or the one who is just casually looking for completely open wireless networks to attach onto?

The article also states: "Whats even more interesting is that some of these organisations did not face any security threats and have found that the security of their networks either improved or remained unchanged when they moved to wireless" This has nothing to do with the deployment of wireless. There are three main encryption technologies used on wireless networks today: WEP (Wired Equivalency Protocol), WPA (Wi-Fi Protected Access), and WPA2 (version 2 of WPA) which actually consists of two versions: WPA2-Personal and WPA2-Enterprise. Nowhere in any of these acronyms is the word "security" used. Why? Because they do not provide "security". They provide encryption (which can be cracked) and some level of access control, but not "security". In this instance, as part of the deployment of wireless to the organization's internal network resources they may have employed some additional safeguards such as requiring authentication to a VPN after successful wireless connection, but this is an architectural change and is not related to the security of the wireless network.

The article also mentions that consumer-grade wireless networking equipment is less secure than enterprise grade equipment. Not true. Generally consumer and enterprise grade wireless access points support all of the current encryption protocols mentioned above. Unfortunately, not all of the equipment that is connecting to these access points (predominantly laptops) support these new protocols. This is especially true in organizations that deploy older, bargain basement type laptops whose internal wireless adapters may not even support encryption beyond basic WEP. Nevertheless, this is not a factor of the security of the access point. This is a factor of the capabilities of the machines connecting to the network. The security itself of the wireless access point is not lacking because it is a D-Link you bought for $75 from a local retailer versus a Cisco access point that may have cost several hundred.

Why am I being so hard on this article? Mainly because I keep hearing people trying to make the connection between wireless networks and security. In this case they are trying to make the connection between wireless deployment and _increased_ security! As I mentioned earlier, there are certainly some best practices that you can deploy as an organization if you are looking to go wireless, but again these are not security functions of the wireless network or the wireless network equipment itself, rather functions of your own architecture and safeguards put into place such that you limit what a potential criminal has access to even if they do manage to successfully get onto your wireless network.

Wireless is a wonderful technology and I am a big proponent of it (I use it all day between work and home), but wireless does not equal security. Please don't confuse the two!

It's been a while since we have seen a good Ransomware trojan. It is too bad for the criminals who wrote this new trojan that they can't spell.

Back in March, 2006 a worm named Cryzip was discovered. If your PC got infected with this worm it would look for files on your PC with certain extensions (.doc, .xls, and .zip, to name a few) on your C drive, encrypt them and leave a text file behind which described how you could get your files back if you paid a $300 "ransom" to an e-gold (anonymous online money transfer service) account.

This new trojan works a bit differently. The new ransomware effectively locks up your PC and demands that in order to get control back you must send $35 (apparently ransoms don't fetch what they used to) to get it back. The cyber criminals probably figured that the $35 figure was low enough such that people would feel that it was easy enough to pay.

The infected machine is also displays an error message window that has the title of "ERROR: Browser Security and Antiadware [sic] Software component license exprited [sic]" Funny...I didn't know my browser security could exprite! This window also tells you that surfing porn and adult sites without security software is "dangerows". Oh no! I don't know what "dangerows" is, but I am pretty certain I don't want any of it!

If you click to activate a new license in the error window you are presented with this window which displays a 1-900 number and a PIN to enter when you call (the cost of the call is $35).

The biggest weakness with Cryzip which used a low-grade encryption key which was actually posted online by security researchers which essentially rendered the trojan and its extortion technique useless. Maybe someone will pay the $35 to unlock their PC infected with this new trojan and post the cleaning instructions online? :)

As we near the end of another year I can say with surety that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. In 2005 it was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.

So, as we close out 2007 we start to look forward to 2008. What are some of the 2007 trends that we expect to continue in 2008? What will be new? How will current trends evolve?

Here are some of my random thoughts:

-- We will see an increased prevalence of Web 2.0 attacks.

When we talk about "Web 2.0" we are talking mostly about interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience for its users which extends the internet beyond just your typical "download content and view pages" approach and puts users in more control over the content.

From a user experience perspective, this is a great idea, but typically what makes things easier for the user carries along with it some level of security implication.

As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (attacks like XSS, SQL Injection, and CSRF still exist just as they did before), but now will manifest themselves in different ways. As such it will be the responsibility of the application developer to be more aware of client side input validation and make sure that potentially malicious code never makes it from the "untrusted" user environment to a site's "trusted" backend infrastructure. Cyber criminals will try to exploit these potential vulnerabilities in code validation as much as possible.

-- We will see an increase in "blended threats" in 2008.

If you are not familiar with the term "blended threat" it is a combination type of threat which will mix the data stealing capabilities of malware with backdoor botnet capabilities. What this means is that if you are infected with one of these hybrid types of malware you could have a keylogger installed on your machine which is logging your keystrokes and sending your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, but your machine is also available as a spam zombie such that botnet herders can rent time on your computer to send out spam/viruses/etc.

The holiday season is a particularly interesting time to potentially see these types of threats also because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released their Cyber Monday 2007 Statistics which showed that $733 million dollars was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target that is too large for criminals to ignore.

-- Abuse will continue to move into other forms of communication

We've already seen some of this in 2007, but is something that we expect to continue not only into 2008 but beyond.

Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't so much so yet in the United States, but as smartphones make more of a movement into the space where they allow the development and installation of third party applications users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone is becoming blurrier every day and as such mobile computing devices will soon need to deploy the same types of security suites that should be installed on every desktop and laptop PC.

We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox.

In the vein of "targets too large for criminals to ignore" the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!

-- Continued movement of malware away from email as a primary distribution vector.

This is another one of those trends that we have seen shift over the past year or two. Malware authors have already begun the movement from the "push" based method of infection that we have talked about previously (where static malware content is pushed to the user via an email attachment) to a "pull" based model where users pull the content from a web site, typically lured to by a link in either an email or an instant message.

The Storm Worm is actually a great example of this transition in action. Early versions of the Storm Worm pushed executable file attachments to unsuspecting users when opened would infect the user's PC with Storm. Later variants used social engineering tactics like fake, malicious e-cards to lure people to web sites to download more dynamic pieces of malware.

More and more viruses have been following this trend over the last year or two and we expect this trend to continue. By 2009 or 2010 we expect malware distribution by internet pull based methods to surpass email as a distribution vector making it the primary method of infection. The email virus is likely to never completely go away, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.

-- More targetted phishing/malware attacks

What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?

Social engineering has always been the key ingredient to the success or failure of any cyber crime campaign. If you can do it well, you will have a significant greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) were successful because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards as a few examples). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.

These attacks will also become more targeted similar to the government agency scams from earlier this year that were sent primarily to high C-level executives. Effective social engineering combined with good targeting methods virtually ensure that there will always be people who will fall for these scams which will always leave spam as a virtually 100% profitable venture.

After much ballyhoo and anticipation, yesterday marked the release of the Android SDK. The Android SDK is a project sponsored by the Open Handset Alliance which allows for applications to be built on top of the Android Platform which is a software stack for mobile devices. This will allow developers to create feature rich, interactive mobile applications in Java on top of a Linux kernel. Based on the libraries that are included as part of the SDK, the possibilities of the types of applications that can be developed are virtually limitless. This would be a great opportunity for organizations who are trying to give more tools to the mobile or traveling employee so that they can be more productive, but also more efficient outside of the office.

For all of the positive aspects of the SDK, one element of the SDK that has me concerned regards the implementation of the SDK's security model. According to the web site, "At application install time, permissions requested by the application are granted to it by the package installer, based on checks with trusted authorities and interaction with the user. No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user."

Eek!

Essentially what this means is that if a user is tricked into installing some kind of malicious application, once it is installed it basically has the run of the system.

Is anyone else concerned by this?

Ok, so this isn't much different than what we have today where if you attempt to install an application on top of Windows (for example). If you confirm to the UAC that you want to let the application install, it does so and you could potentially have introduced any level of malcode to your system.

If this is no different than what we have today, then why care?

As we continue to open more technologies and platforms to make them easier to use and more adaptable, let's make sure that we are not further perpetrating a poor security model. There is a natural general divergence between ease of use, the addition of features, and security. Even though it is impossible to please all of the people all of the time, it is a poor ongoing practice to not find a middle ground between these 3 and to continue to allow for the open use and distribution of new technology without also heavily considering the security model is irresponsible.

Since MX Logic is based out of Denver, I have an acute interest in the Rockies' advancement to the World Series to face the Boston Red Sox. From a personal standpoint, I also grew up just outside of New York City and as such grew up a Yankees fan (the only team that I like more than the Rockies) so I also have a pretty sour taste for anything having to do with the boys from Fenway.

Anyway, tickets for Games 3-5 of the World Series were supposed to go on sale today via the Rockies' Web Site. Quickly after the sale started, however the ecommerce site (hosted by a company called Paciolan) crashed and crashed hard. Of the 20,000 seats that were available for each game and were expected to be sold, only about 500 seats total were purchased before the site went down. According to reports from Paciolan, there were 8.5 million hits to the Rockies' web site after tickets went on sale.

Most of the afternoon passed and there were no updates from neither the Rockies nor from Paciolan as to the cause of the outage nor when tickets would go on sale again. Finally, this evening it was announced that an "external malicious attack" caused a system-wide outage with Paciolan.

Call me a cynic, but I have some serious doubts as it relates to this claim.

First, shouldn't a site that handles ecommerce transactions for schools like the Universities of Michigan and Southern California and Florida State as well as professional baseball franchises such as the Rockies, Padres, and Phillies be able to handle more than 8.5 million hits? Either way, the article states that the *** Rockies' web site *** sustained 8.5 million hits, NOT Paciolan. There is a difference even though one could reasonably assume that most people who were visiting the web site were there attempting to purchase tickets.

Second, hackers have bigger fish to fry than trying to take down the Colorado Rockies' web site when World Series tickets go on sale. Hackers are financially motivated. Plain and simple! If this was an attack, not only did the person who orchestrated it not stand to make any money off of the deal, but this wasn't exactly the type of attack that would make the underground community take notice of you either.

We've been talking quite a bit lately about the move from "push" based malware to "pull" based. So I figured it was time to dedicate a full blog posting to it and its significance.

Again, pull based malware is generally web site hosted malware where the user "pulls" the content from the web site by virtue of visiting the site with their web browser.

This type of malware is especially dangerous for a couple of reasons:

-- It evades attachment filtering techniques (since there is no email attachment. The content comes via a web site link) -- The user generally has no idea that the site they visited is malicious -- Hackers can employ technologies like server side polymorphism to repack binaries for every download, thus rendering traditional signature based anti virus engines useless

We are starting to see more and more instances of common web site compromises where users can get infected without any lure (for example the 1st Congressional District GOP of Wisconsin was reported as compromised about a week ago by the same group that brought us the Storm Worm. In general, however these types of infections are still the exception, not the norm.

Speaking of the Storm Worm gang, they have actually created a hybrid between push and pull infections for some of their variants. These will look for a number of unpatched vulnerabilities on a victim's PC when launched and if it can't find any that it is looking for will direct the user to download and install the file manually. Even Vista's UAC system only provides rudimentary protection here. Since applications executed directly by the end user are considered trusted (Vista will ask you if you are sure you want to install the program, but who doesn't just click "Yes" to that prompt?) the user falls on their own sword and infects themselves. Nice, eh?

Typically when a user is being lured to a malicious web site multiple communication mediums are leveraged. Something has to let the user know that the site is available and accessible, right? That lure in many cases comes via email.

There is a distinct crossover between email and web defense solutions such the data collected from one can be used to make the other one more effective, creating a synergistic relationship between the systems. At least for the foreseeable future hackers are going to have to continue to use technologies like email in an attempt to get users infected. During that time having a solution which not only monitors and protects your inbound mail flow but also your outbound web browsing activities provides an effective defense-in-depth solution against malware and fraud.

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however that the losses incurred are not significant. The fact that insider threats have surpasses viruses in prevalence makes sense to me, but the argument that damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses, it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however is the level of ease by which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?", rather "When will you have a security incident?" and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease by which they can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage/deletion already has access to the information they need....they don't have to break in or be sneaky to get it.

Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.

One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered...or if they are considered, they are set aside for the trade-off of getting more out of your workforce.

So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?

There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.

These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting, but at the same time haven't even certified that your own equipment is in compliance with your own Information Security Management Act?

Let's discuss some best practices that companies can use when implementing a work from home policy:

-- Setup access control so that only your company authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own home unsecured wireless network or to the local Starbuck's Wi-Fi network, you still can't guarantee that she won't be trying to spread a virus across your corporate infrastructure, but you have more control over this PC than you do Jane's home PC that she shares with her two teenagers.

-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).

-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.

-- Turn off the wireless radio when the PC is going to be hard wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will increase battery life on a single charge as well since the radio is such a wear on the battery when it is on.

As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie as well. One of the most important jobs of a security officer is security awareness and making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try to not put themselves into a vulnerable position and that is done through education, education, and more education.

With all of the fun and firestorm of PDF spam volumes and Storm worm variants over the past couple of weeks, I hadn't realized that I hadn't posted anything since the CEAS conference!

My friend Carl Herberger me an article the other day regarding so called "revenge packages" being offered by a company whose web site is at confidentialaccess.com (the site has supposedly been changed since the article was written and denies everything stated). I had never seen the site prior to reading the story, but whether or not it is true the point behind the services that were allegedly offered are the more disturbing piece.

According to the article the site offered services by which for as little as $20 per month you could essentially make the life of someone that you don't like absolutely miserable. The article mentions services such as ruining your target's credit rating, or even having fake text messages sent to their significant other containing false accusations of affairs.

I heard on a radio commercial yesterday that someone's identity is stolen every 3 seconds. What I hadn't really considered until reading this article was that this type of criminal activity had now become a commodity.

Sure, there is an underground economy that buys and sells credit cards and bank accounts for a few dollars each, but that's not what I am referring to. Defrauding someone out of some cash because their credit card number was stolen is one thing. Money can be replaced. What is more disturbing here is the possible destruction of livelihoods and families by a neighbor who doesn't like how loud you play your stereo...or more disturbingly someone you have never met before.

I don't mean to sound naive about this, but I hope that this isn't a sign as to where else society will go. It's telling enough that we are already where we are, but it is truly more disturbing to think about what could be next...