<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>eWeek Security Watch</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/" />
   <link rel="self" type="application/atom+xml" href="http://securitywatch.eweek.com/atom.xml" />
   <id>tag:securitywatch.eweek.com,2009:/13</id>
   <updated>2009-11-20T13:08:57Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.32-en</generator>


<entry>
   <title>Fallen Beauty: Attackers Feast on Prejean Scandal</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/browsers/fallen_beauty_attackers_feast_on_prejean_scandal.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30999</id>
   
   <published>2009-11-20T13:02:18Z</published>
   <updated>2009-11-20T13:08:57Z</updated>
   
   <summary>You likely could have predicted that when a sex tape of a former beauty queen surfaced, related cyber-attacks would not be far behind.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Java" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="multimedia " scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[As soon as you see the words "beauty queen" and "sex tape" being used in the same sentence, it's pretty easy to predict that we'll soon see a spate of <a href="http://securitywatch.eweek.com/social_engineering/can_malware_help_erin_andrews.html">related cyber-attacks</a>.

And with the <a href="http://securitywatch.eweek.com/malware/in_malware_schemes_sex_still_selling.html">sex tape</a> scandal of the former Miss California unfolding, the expected range of threats aimed at taking advantage of the news item has already begun to flood in.

In one of the latest campaigns, as tracked by researchers at McAfee, attackers are trying to tap into growing interest in the lascivious footage by distributing a malicious <a href="http://securitywatch.eweek.com/exploits_and_attacks/apple_swats_old_java_bug.html">Java applet</a> attack tied to the beauty queen's downfall.

As with so many video-based attack techniques that we've seen, the campaign tries to lure end users to a site that promises to offer the desired clip, and asks them to download additional content to do so, in this case the aforementioned Java applet.

McAfee Avert Labs researcher Rahul Mohandas reports that the applet in question carries a signature that prompts the browser to verify it against a remote, independent certificate-authority server.

Once the signature is verified and the user also approves it, the signed applet can gain more rights, "becoming equivalent to an ordinary application," the researcher noted in a <a href="http://www.avertlabs.com/research/blog/index.php/2009/11/19/malicious-java-applet-attack-surfaces-as-carrie-prejean-video/">blog post</a>. "When the app is injected into a trusted Web site, users would hardly take the trouble to validate if the certificate is legitimate," he said.

Then, when the applet runs in the browser, it of course downloads a malicious executable onto any affected machine.

Mohandas contends that despite its simplicity, the technique should prove effective in <a href="http://securitywatch.eweek.com/web_20/attackers_add_curses_to_youtube_comments.html">catching some flies</a>, since so many legitimate online apps use Java and people are used to approving applet downloads.

And, "unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet's design," the expert notes.

The fact that the attack isn't tied to a single browser is another important factor to consider: it works automatically on any machine with the latest version of Java, broadening its impact.

Clearly, when time-honored combinations like sex tape news and poisoned multimedia applets come together, it's hard to imagine why attackers wouldn't want to try to get on board.

Because if it ain't broke, why fix it?

<strong>Follow eWeek Security Watch on Twitter at: eWeekSecWatch</strong>.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to <a href="mailto:SecurityWatchBlog@gmail.com">SecurityWatchBlog@gmail.com</a>.
]]>
      
   </content>
</entry>

<entry>
   <title>RSA Reveals Inner Workings of Reshipping Scheme</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/phishing_and_fraud/rsa_reveals_inner_workings_of_reshipping_scheme.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30997</id>
   
   <published>2009-11-20T07:48:48Z</published>
   <updated>2009-11-20T13:46:18Z</updated>
   
   <summary>RSA took a look inside the other end of a cyber-crime operation - the mules shipping merchandise overseas after attackers have purchased it with stolen credit card information. </summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Identity Theft" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<a href="http://www.eweek.com/c/a/Security/RSA-The-Elusive-Structure-of-the-Cybercriminal-Economy-237961/">The cyber-underworld</a> is highly specialized, with the malware authors and purveyors at one end, and the cash-out fraudsters responsible for laundering loot from <a href="http://www.eweek.com/c/a/Security/How-Notorious-Trojans-Hit-Banks-and-Steal-Your-Money-546225/">compromised accounts</a> at the other.

RSA, EMC's security division, <a href="http://rsa.com/blog/blog_entry.aspx?id=1541">recently took a long look</a> at another side of the cyber-crime business. Researchers focused on a reshipping operation dubbed "Air Parcel Express," where scammers recruited people to serve as mules for merchandise bought with stolen credit card information. The credit card data is often taken via phishing, malware and other attacks.

The mules in such operations are typically hired through legitimate channels such as popular employment Websites. According to RSA, the mules in many cases are being duped themselves, and don't even know that what they are doing is illegal.

Once they are hired, the mules ship the goods overseas. When the scammers receive the goods, they auction them off or sell them.

"In order to successfully purchase ('card') expensive merchandise with <a href="http://www.eweek.com/c/a/Security/FBI-Online-Banking-Attacks-Reach-100-Million-Mark-785125/">stolen payment cards</a> and later sell for cash, fraudsters have to ensure that the mailing address matches the billing address," according to RSA. "This obstacle is usually easily overcome by changing the billing address of compromised cards to the addresses of their hired, pre-assigned mules."

"Another challenge for fraudsters in managing a successful reshipping operation is obtaining a seemingly innocuous 'drop' address where mules dwell," the researchers explained. "The most effective way to overcome this challenge is to recruit and hire mules that live in the United States. The United States is a strategic location for fraudsters in which to base their reshipping scams as many major online merchants who sell popular high-value goods do not ship their items outside of that country."

In addition to their analysis of the shipping operation, RSA included some good advice on how to recognize shady job opportunities and avoid getting roped into this sort of scheme.
]]>
      
   </content>
</entry>

<entry>
   <title>Researchers: Online Threats Demand New Security Model</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/av_tools/researchers_online_threats_demand_new_security_model.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30995</id>
   
   <published>2009-11-19T22:10:25Z</published>
   <updated>2009-11-19T22:19:52Z</updated>
   
   <summary>Traditional defenses aren&apos;t adding up when it comes to stopping Web-based threats, but cloud-based services may help, researchers contend.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rootkits" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social networking" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Large organizations continue to invest significant amounts of money in IT security initiatives despite the lagging worldwide economy, but most continue to struggle in preventing today's <a href="http://securitywatch.eweek.com/botnets/sizing_botnets_no_exact_science.html">sophisticated electronic attacks</a>, researchers contend.

In a recent report on the pervasiveness of online threats, and the inability of most organizations to sufficiently protect themselves against such risks, analysts with <a href="http://www.enterprisestrategygroup.com/ProductsServices/ProductDetail.asp?ServiceID=2">Enterprise Strategy Group</a> (ESG) said that continued investment in perimeter defensive mechanisms is not paying off.

Attackers are well aware of the types of systems being deployed to stop their online assaults and are showing little trouble in circumventing those tools, said ESG analyst Jon Oltsik in the report.

"Today's security portfolio of e-mail filters, security gateways, and endpoint security are only marginally effective in detecting, blocking, or remediating web threats," the analyst said. "This isn't a coincidence since the multi-faceted approach used by modern cyber-attacks takes advantage of the large gaps between all of these independent security tools."

In particular, the ability of attackers to trick end users into falling for <a href="http://securitywatch.eweek.com/seo/malware_seo_gaming_google_trends_and_big_bird.html">social engineering</a> schemes, specifically those carried out via legitimate sites such as the popular social networking platforms Facebook and Twitter, is making it even harder for organizations to effectively protect their IT environments.

The dynamic nature of the web that has provided so many organizations with so much opportunity to expand their reach is also leaving them woefully at risk as attackers find new and highly effective ways to leverage the online ecosystem to pursue their criminal intentions, Oltsik said.

At the same time, so-called <a href="http://securitywatch.eweek.com/virus_and_spyware/idc_-_web-borne_threats_rise_saas_follows.html">cloud-based security systems</a> that use centrally located online intelligence and filtering capabilities to identify potential threats before they reach users do offer the potential for some relief from Web-based attacks, the expert contends.

Ultimately most organizations will need to avail themselves of both internal defensive solutions and such cloud-based services, according to the ESG paper. Users will also have to do a better job of helping to warn each other about emerging online threats if real progress is to be made, the researcher said. 

"What's needed is a new type of layered defense architecture combining onsite security systems and cloud-based intelligence. Furthermore, users should help each other by banding together in a cloud-based 'community watch' as they share intelligence in a community of other users and security vendors," Oltsik writes. "This community-based 'network effect' may be the only way to address unprecedented web threat volume." 

In fact, ultimately the pressure to find new ways to handle online risks may force organizations to do a far better job in creating top-down <a href="http://securitywatch.eweek.com/identity_theft/hackers_indicted_in_rbs_worldpay_breach.html">security strategies</a> that address the entire spectrum of potential attacks, the expert said.

"Since web threats demand new types of defenses, smart CIOs and CISOs may be able to address web threats with an integrated 'defense-in-depth' architecture that combines multiple packet filtering technologies for web threats, viruses and DLP," Oltsik concludes. "This may also provide a perfect occasion to align malicious code defenses that block 'bad' traffic, networking technologies that accelerate 'good' traffic, and a solution that includes central management and advanced tools for network visibility."

]]>
      
   </content>
</entry>

<entry>
   <title>Sizing Botnets No Exact Science</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/botnets/sizing_botnets_no_exact_science.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30985</id>
   
   <published>2009-11-19T12:27:54Z</published>
   <updated>2009-11-19T12:35:12Z</updated>
   
   <summary>After cutting off the notorious Mega-D botnet, researchers with FireEye are attempting to find out just how massive the zombie network might have been.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="China" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="ISPs" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[After leading a concerted effort to shut down the notorious <a href="http://securitywatch.eweek.com/exploits_and_attacks/mega-d_botnet_on_the_comeback.html">Mega-D botnet</a> (aka Ozdok), researchers with FireEye are trying to estimate the size of the massive fleet of zombie machines, which is an interesting art in and of itself.

After doing some detailed research into the operation of Mega-D, which was known for its ability to shift its C&C infrastructure rapidly to stay ahead of attempts to <a href="http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html">cut it off</a>, FireEye engaged in an aggressive effort to work with ISPs and other important players to shut the whole thing down.

Now, having apparently done so, researchers with the company are trying to understand just how large Mega-D might have been by tracking the sheer number of IPs that are still trying to connect with <a href="http://securitywatch.eweek.com/exploits_and_attacks/as_conficker_turns_botnets_burn.html">the botnet</a> despite the fact that its head has effectively been chopped off.

By directing any IPs trying to call back to Mega-D for instructions to a central location, or "sinkhole," the experts are watching with wonder as the hits roll in, and are trying to chart the reach of the botnet by measuring the rate of activity.

"After about 5 days we saw 487,430 unique IP addresses connecting to us. It's difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are," writes Todd Rosenberry of FireEye Malware Intelligence Lab in a <a href="http://blog.fireeye.com/research/2009/11/checking-in-with-the-ozdok-sinkhole.html">blog post</a>. 

From a regional standpoint, machines in Brazil accounted for the biggest share of Mega-D, coming in at 11.5 percent of all attempted connections, followed closely by India and Vietnam. Other countries known for their frequent <a href="http://securitywatch.eweek.com/sql_injection/china_flooding_web_with_sql_injection_attacks.html">involvement in such attacks</a>, including China and the USA, had far less involvement in the botnet, based on the study, falling at Nos. 16 and 17 in the ranking by nation, respectively.

Overall, FireEye estimates that machines in 214 countries had been swept up by the zombie network, although the top three nations had far more infected devices than any others, the anti-malware company said.

One of the reasons that it remains challenging to scope the size of <a href="http://securitywatch.eweek.com/botnets/asprox_botnet_attacks_come_back.html">such botnets</a> is that counting the involved IPs can either undercount the machines that might be looped in (there are likely multiple machines behind many of the addresses, thanks to NAT) or, in many cases, overcount them (the bots are constantly moving to new IP addresses, so one infected machine shows up under several).

However, by comparing its own figures to those of UCSB researchers who infiltrated the Torpig botnet, FireEye does have some metrics for purposes of comparison.

For instance, over the course of 10 days, the UCSB researchers tracked 1,247,642 unique IPs and roughly 182,800 unique bots related to Torpig. By comparison, the highest number of bots attempting to connect back to Mega-D in a single day was 48,785.

When compared to the <a href="http://www.eweek.com/c/a/Security/The-Rise-and-Fall-of-the-Srizbi-Botnet/">Srizbi botnet</a>, which FireEye went after roughly a year ago, Mega-D also seems pretty sizeable. Using the metric of how many unique bots were involved in the campaign, FireEye found that while 44 percent of the connections it traced back to Srizbi appeared to be unique, the figure was 51 percent for Mega-D.

By applying that 51 percent figure to the total number of IPs related to Mega-D (487,430), FireEye estimates that Mega-D could have encompassed roughly 250,000 endpoints.

The researchers admit the entire approach and results need to be taken with a grain of salt, but, at least we're finally getting an idea of how pervasive these infected networks may be.

]]>
      
   </content>
</entry>

<entry>
   <title>Unified Creeps: Cyber-crime to Rage on in &apos;10</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/av_tools/universal_creeps_cyber-crime_to_rage_on_in_10.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30984</id>
   
   <published>2009-11-19T03:51:27Z</published>
   <updated>2009-11-19T04:09:09Z</updated>
   
   <summary>Year-ahead security landscape predictions are not immune to the theory of unified cultural creep. But, on the flip side, they&apos;re already here.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Applications Whitelisting" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blacklisting" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Facebook" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Flaws" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Mobile malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Smartphone security" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social networking" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Twitter" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Typically you've got to wait until at least December to begin seeing security researchers' foreboding predictions for the malware and unethical hacking landscape in the next year to come.

However, in keeping with the theory of unified cultural creep, the <a href="http://sports.espn.go.com/espn/page2/story?page=easterbrook/091117&sportCat=nfl">increasingly invoked</a> notion that explains the strange reason why we've begun to see Christmas sales a week or so after Halloween, experts at security market leader Symantec have already published <a href="http://www.symantec.com/connect/blogs/don-t-read-blog">some of their forecasts</a> for the last year of the first decade of the latest century and millennium.

To anyone who follows security and threat trends, most of these forecast items shouldn't remotely approach any form of a surprise. However, if you look back over the years of annual reports and predictions, they actually serve as an interesting and fairly accurate timeline of the realities that we've actually seen.

OK, the <a href="http://securitywatch.eweek.com/exploits_and_attacks/more_mobile_malware_models_evolving.html">mobile malware</a> thing STILL hasn't happened. But, of course, it made the cut once again this year (...and obviously will continue to do so until it becomes a reality. But will the people who were predicting it five years ago seem smart or not so much? Only time will tell.) 

Anyway, there's a full range of the usual suspects involved, but there are some interesting conclusions from Symantec about how certain trends, such as attacks on users of social networks, are likely to evolve.

For Symantec's full report in podcast format, <a href="http://www.symantec.com/podcasts/detail.jsp?podid=b-security_trends_review_and_outlook">click here</a>.

But a summary of the top trends that the company is warning us about for 2010 includes:

-<strong>AV will continue to be overwhelmed</strong>: Even Symantec recognizes that it's becoming impossible to filter for malware using sigs or even heuristics. Leading researchers with the company have been talking about different forms of reference-based security <a href="http://www.infoworld.com/d/security-central/malware-flood-driving-new-av-025">for a few years</a>, but the company says the approach will become "key" in 2010. I smell a product launch.

-<strong>Social engineering is king</strong>: Attackers don't target classes of devices or operating systems, they go <a href="http://securitywatch.eweek.com/seo/malware_distributors_mastering_news_seo.html">directly after users</a> and fool them into doing themselves in. That's been the way of the walk for a while now, but, predictably, Symantec contends that it's only going to become worse in '10, with new delivery techniques employing legitimate applications and smarter targeting of smaller groups of end users.

-<strong>Scareware is everywhere</strong>: <a href="http://securitywatch.eweek.com/google/attackers_abuse_google_to_push_rogueware.html">Rogue AV scanners</a> must work on someone, since they're seemingly involved in every form of threat from simple phishing to advanced botnets these days. Next year the attack pattern will continue to proliferate, with rebranded copies of free third-party antivirus software carrying added attack code becoming a more widespread tactic, the experts predict.

-<strong>Social applications make noise</strong>: In addition to more of the same attacks aimed at <a href="http://securitywatch.eweek.com/facebook/facebook_campaigns_serve_up_nasty_cocktail.html">social networking site</a> users, the broader availability of legitimate APIs meant for building apps that integrate with the systems will introduce new opportunities for the bad peeps, as well as the good, says Big Yellow. 

-<strong>Everybody hates Windows 7</strong>: If you've been living under a rock you might have missed the news that Microsoft has launched a new OS. And people have already <a href="http://www.eweek.com/c/a/Security/Microsoft-Issues-Advisory-on-Windows-7-Security-Bug-233497/?kc=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RSS%2Feweeksecurity+%28eWEEK+Security%29">found vulnerabilities</a> in it. And attackers will target it. A lot. That one I could have predicted. But look at it this way, if you're Microsoft, this used to be such an obvious problem that it was too ubiquitous to even put on these types of lists. That's actually progress!

-<strong>Fast Flux gets Faster</strong>: This hydra-like fashion of botnet control that allows for increased resiliency based on the use of changing and distributed hosts acting as C&C proxies is pretty impressive and scary. As more traditional botnets feel the squeeze, Symantec says attackers will be forced to invoke wider use of the <a href="http://securitywatch.eweek.com/botnets/who_is_using_fast_flux.html">fast flux</a> technique in 2010. Not good.

-<strong>Making short work of Shorteners</strong>: Well, a technology whose value proposition is based on helping to obscure the URL it's sending people to seemed like a good idea within the world of <a href="http://securitywatch.eweek.com/twitter/twitter_attacks_getting_smarter.html">140 character culture</a>. Unfortunately, URL shorteners have already proven a very useful tool for attackers seeking to suck people into visiting their infected Web sites. In a new yet completely predictable turn, spammers and phishers will also use the services to help avoid filters in the coming year. Since we don't get enough spam as it is.

-<strong>Mac and Mobile Malware Manifestation!</strong>: Well, if they keep predicting it every year it has to happen sometime, right? I predict that someday the Earth will be a scorched barren rock being sucked into the Sun. 

Quote me on it!

]]>
      
   </content>
</entry>

<entry>
   <title>Attackers Abuse Google to Push Rogueware</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/google/attackers_abuse_google_to_push_rogueware.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30982</id>
   
   <published>2009-11-19T00:18:45Z</published>
   <updated>2009-11-19T03:01:31Z</updated>
   
   <summary>Security researchers at Cyveillance uncovered a massive attack abusing Google search results to direct users to sites hosting rogue antivirus software.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Google" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SEO" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<br /><a href="http://www.webbuyersguide.com/company/12144/Cyveillance&kc=eweekarticle111809&src=eweekarticle111809">Cyveillance</a> said Nov. 16 it has uncovered a search engine optimization poisoning campaign that has impacted more than 260,000 sites.

The scheme targets Google search by getting victims to click on links that are routed to sites that attempt to download malware onto their machines. <a href="http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results" target="_blank">According to Cyveillance,</a> the common string albums/bsblog/category is found in the URLs for numerous blogs. Inputting that into Google will generate a series of results leading to malicious sites, the company observed.

"Readers can simply copy and paste the destination URL into your browser to direct it to the desired Website; you would be taken to [a] boring but otherwise harmless blog posting like those pictured earlier in this discussion," Cyveillance said. "The attack only happens when the compromised blog site determines that you arrived by way of Google by checking the HTTP referrer."

Only a small number of the sites contained Google's warning that the site is harmful.

These types of <a href="http://www.eweek.com/c/a/Security/Attackers-Improving-Search-Engine-Optimization-to-Push-Rogue-Security-Tools-314544/">black hat SEO schemes</a> are nothing new. Typically, they are tied to news events that attackers know will generate interest and a lot of Web searches. Once taken to the malicious site, the visitor may be tricked into <a href="http://www.eweek.com/c/a/Security/Exposing-How-Rogue-Antivirus-Sites-Snag-Victims-415476/">downloading rogue antivirus software or malware.</a>

In the case of the campaign detected by Cyveillance, the infected sites utilize rogue blog publishing software that automatically and regularly publishes new posts with titles such as "las vegas rental no credit check" or "uninvited song lyrics alanis morrissette morissette."

"These posts are intentionally not titled just with simple terms that are very popular like 'Britney Spears,' 'Obama' or 'Paris Hilton' to avoid having to compete in search rankings with the millions of pages which already exist for these topics," according to Cyveillance. "Instead, the authors of this exploit take advantage of the long tail of search, where rare combinations of search terms in aggregate make up a very large portion of the queries made by Web surfers in search engines."

When a user clicks on one of the Google search results, he or she is taken to a "middleman" domain like ionisationtools.cn or moored2009.cn. The server at these domains redirects the user to another site pushing the <a href="http://www.eweek.com/c/a/Security/Attackers-Improving-Search-Engine-Optimization-to-Push-Rogue-Security-Tools-314544/">rogue antivirus software.</a> The middleman domains are live for a day or two and are then taken offline. 

Cyveillance wrote:

<blockquote><p>The actual fake anti-virus drop sites are found on domains such as:
<br>• premium-protection6.com
<br>• file-antivirus3.com
<br>• checkalldata.com
<br>• foryoumalwarecheck4.com
<br>• antispy-scan1.com</p>

<p>All these domains observed by Cyveillance were registered with Chinese registrar TodayNIC.com and like the middlemen sites above, these domains are registered one or two days before the inbound Google search traffic will be arriving, suggesting that the software now directing search traffic from the infected websites may know in advance where the drop sites will be in advance.</p></blockquote>
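A site owner's self-check for the referrer-conditional behaviour Cyveillance describes: the same page is fetched with and without a Google-style Referer header and the two answers are compared, so a blog that silently 302s search visitors to a throwaway middleman host stands out. This is an added example, not code from the article or from Cyveillance; the blog and middleman hostnames and the fake fetcher are constructed.

```python
"""Added example (not from the article or Cyveillance's write-up): detect a
page that answers differently depending on whether the visitor arrived from
Google, which is how the compromised blogs described above cloak themselves.
"""
import urllib.error
import urllib.request

UA = "Mozilla/5.0 (compatible; cloaking-check)"
# Constructed query using the URL fragment the article quotes.
GOOGLE_REFERER = "https://www.google.com/search?q=albums+bsblog+category"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: we want to see the Location header,
    not land on whatever it points to."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the headers


def live_fetch(url, headers):
    """Network fetcher: returns (HTTP status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def referrer_cloaking(url, fetch=live_fetch):
    """Fetch `url` directly and again with a Google Referer. Return None when
    both answers match, otherwise a dict showing the two (status, Location)
    results so the difference can be logged or alerted on."""
    direct = fetch(url, {"User-Agent": UA})
    via_search = fetch(url, {"User-Agent": UA, "Referer": GOOGLE_REFERER})
    if direct == via_search:
        return None
    return {"direct": direct, "via_google": via_search}


# Constructed stand-ins so the check runs offline. The "compromised" blog
# serves a harmless page normally and redirects only Google-referred visitors
# to a placeholder middleman host (not a real site).
def fake_compromised_blog(url, headers):
    if "google." in headers.get("Referer", ""):
        return 302, "http://middleman.example/"
    return 200, None


def fake_clean_blog(url, headers):
    return 200, None


if __name__ == "__main__":
    print(referrer_cloaking("http://blog.example/albums/bsblog/category/x",
                            fake_compromised_blog))
    print(referrer_cloaking("http://blog.example/", fake_clean_blog))
```

Run against a real host by calling `referrer_cloaking(url)` with the default fetcher; a crawler User-Agent or other headers can be swapped in the same way if the cloaking keys on them instead.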
]]>
      
   </content>
</entry>

<entry>
   <title>Enterprise Security Challenged by Web 2.0, Mobile Devices</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/enterprise_security_strategy/enterprise_security_challenged_by_web_20_mobile_devices.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30964</id>
   
   <published>2009-11-17T20:07:28Z</published>
   <updated>2009-11-18T02:01:00Z</updated>
   
   <summary>A new survey from the Ponemon Institute suggests that a lack of collaboration between IT security and operations teams is impacting security.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Data Security" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Enterprise security strategy" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Smartphone security" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Web 2.0" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<br />Mobile devices and Web 2.0 technologies are forcing organizations to adapt to a new set of security needs, but many enterprises may be falling short, according to a study by the Ponemon Institute.

Dubbed the "Worldwide State of the Endpoint Survey 2010," the study was commissioned by <a href="http://www.webbuyersguide.com/company/26094/Lumension-Security&kc=eweekarticle111709&src=eweekarticle111709">Lumension Security</a> to take a look at how emerging technologies and the "consumerization" of IT are impacting <a href="http://securitywatch.eweek.com/enterprise_security_strategy/it_outsourcing_can_bring_security_risks.html">IT operations and security.</a> The news was not good.

In a survey of 1,427 IT security pros and 1,582 IT operations professionals from around the world, many respondents revealed that a <a href="http://www.eweek.com/c/a/Security/Database-Security-Takes-Proper-Planning-310590/">lack of planning and support</a> for security initiatives is hurting the ability of organizations to protect their resources. Among the survey's key findings: 
<blockquote><p>
• 56 percent of individuals surveyed said mobile devices are not secure, representing a risk to data security.
<br>• 49 percent of individuals surveyed said data security is not a strategic initiative for their companies.
<br>• 48 percent of individuals surveyed said their companies have allocated insufficient resources to achieve effective data security and regulatory compliance.
<br>• 47 percent of individuals cited a lack of strong CEO support for information security efforts as a reason for ineffective data security programs.
<br>• 41 percent of individuals said there was a lack of proactive security risk management in their organizations.</p></blockquote>

"This year's Ponemon survey reinforces the need for IT security and IT operations practitioners to continually look for better alignment points within their organizations," Patrick Clawson, CEO of Lumension, said in a statement. "It's clear that the level of collaboration between these two groups is still very poor and, as a result, organizations are still grappling with how to most effectively manage and protect their endpoints."

The survey results point to a perception that organizations are dropping the ball from a policy and strategic planning standpoint. That sentiment is further supported by some of its other findings. For example, 31 percent of the participants said collaboration between IT security and operations was nonexistent. 

According to Clawson, organizations need to think about how to improve collaboration and communication between their IT security and operations teams in order to <a href="http://www.eweek.com/c/a/Security/Small-Botnets-Causing-Big-Security-Problems-for-Enterprises-275556/">better address risk</a> in the coming year.

"Threats to the endpoint are not going to disappear in 2010, so it's time for organizations to be more aggressive, more proactive and much more collaborative," he said.
]]>
      
   </content>
</entry>

<entry>
   <title>Online IT Security Drama: Reality or TV?</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/database_security/online_it_security_drama_reality_or_tv.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30952</id>
   
   <published>2009-11-17T12:58:31Z</published>
   <updated>2009-11-17T13:09:04Z</updated>
   
   <summary>Applications Security Inc. has produced an online miniseries that aims to detail the plight of today&apos;s IT security workers. But is the show true to life, or is the real situation not nearly as desperate?</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Applications Whitelisting" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blacklisting" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Corporate espionage" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Data Security" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Database security" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Enterprise security strategy" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Government standards" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Risk Management" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SQL injection" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[People who work in the health care field always seem to cringe when they hear others talk about watching popular hospital dramas like "ER" on TV, and, upon questioning, will typically offer that such shows either aren't very realistic or actually remind them too much of their real, grisly work to be much fun to follow.

I have to wonder which reaction IT security pros might have in taking in "The Unprotected," an <a href="http://theunprotected.net/">online miniseries</a> dedicated to portraying the theater of database defense, incident response and regulatory compliance. The series was produced and is being hosted by vendor Application Security to help illustrate the problems faced by the types of organizations to which it sells its database security software.

In the series, the setting is all too familiar, as an <a href="http://securitywatch.eweek.com/identity_theft/hackers_indicted_in_rbs_worldpay_breach.html">internal security</a> team and CTO struggle to figure out how to traverse a minefield that involves electronic data theft, angry consultants and even angrier C-levels (with the threat of truly scary auditors!). 

A slight knock-off of shows like "Law & Order" and the seemingly endless supply of "CSI" variations, "The Unprotected" actually does a pretty good job of depicting some of the circumstances I'd imagine are happening today in cube farms across America as people wrestle with issues of <a href="http://securitywatch.eweek.com/database_security/database_security_truths_orgs_still_struggling_to_herd_info.html">security and related compliance</a>.

But I also have to wonder: are most real-life organizations as oblivious as they are depicted here, like the fictional company Greencrest and its lukewarm IT department, who seem to think that relying only on firewalls and authentication software to protect their databases is sufficient?

Or is the reality even more dire than it's shown on the show, because, in fact most people in real-life companies actually already know how <a href="http://securitywatch.eweek.com/enterprise_security_strategy/password_strength_needs_a_boost.html">desperate the situation is</a> in trying to ward off ever more sophisticated attacks and maintain compliance with seemingly fluid regulations?

It's probably somewhere in between.

But it begs the question, should a show like this be scripted to read like "CSI: Rack Server" or something far more helpless, perverse and self-loathing, like some spinoff hybrid of "The Office" where the goal is applying <a href="http://securitywatch.eweek.com/phishing_and_fraud/sans_un-patched_client_side_apps_taking_toll.html">security patches </a>instead of selling paper? I'm guessing that a true reality show based on today's IT security environment would be more like "World's Deadliest Catch."

See, the thing is, I think that Applications Security has done something creative here to surface a realistic story in a way that might help some people who do not yet understand the extreme challenges and towering forces that have aligned themselves over the heads of the IT security workers to learn more about these problems they face.

But having spoken to so many practitioners over the years, seen them shake their heads while they talk about how their managers don't listen to them, or heard how their line of business leaders won't <a href="http://securitywatch.eweek.com/exploits_and_attacks/tough_economy_never_good_for_security.html">write them a budget</a>, the sad truth is that it's typically those most closely involved with the affected operations, those who would star in such a show, who are the last ones who need to be informed just how overwhelming the whole situation is.

Perhaps life-like fiction was indeed the best idea in this case, because the reality TV version would be too much for almost anyone to stomach.

Drama is entertaining. Resignation would just seem sad.

]]>
      
   </content>
</entry>

<entry>
   <title>Koobface Worm Poses as Facebook User</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/facebook/koobface_worm_poses_as_facebook_user.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30923</id>
   
   <published>2009-11-12T01:44:41Z</published>
   <updated>2009-11-12T02:13:22Z</updated>
   
   <summary>The Koobface botnet has new tricks up its sleeve: It can now automate the process of registering a Facebook account, confirming an e-mail address and joining random Facebook groups.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Facebook" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social networking" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<br />The notorious <a href="http://blog.trendmicro.com/new-koobface-component-imitates-facebook-user/" target="_blank">Koobface botnet has pushed out a new component to help snag Facebook users.</a>

According to <a href="http://www.webbuyersguide.com/company/2085/Trend-Micro&kc=eweekarticle111109&src=eweekarticle111109">Trend Micro,</a> the component automates the following routines: registering a Facebook account, confirming an e-mail address in Gmail to activate the registered account, joining random Facebook groups, adding "friends" and posting messages on their walls.

The point of doing all this, of course, is to <a href="http://www.eweek.com/c/a/Security/Facebook-Password-Spam-Conceals-Malware-Attack-635899/">infect more users.</a> As it does so, Koobface tries to stay under the radar by checking to see if the account has reached the maximum number of friend requests to avoid alerting Facebook administrators.

"Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook," blogged Trend Micro Advanced Threats Researcher Jonell Baltazar. "All <a href="http://securitywatch.eweek.com/social_networking/facebook_attack_may_be_using_automated_pages.html">Facebook accounts</a> registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered."

The component fetches details from one of the botnet's available proxy domains, Baltazar continued. The messages it posts on Facebook walls include a link to either a <a href="http://www.eweek.com/c/a/Security/From-Facebook-to-Twitter-Tips-for-Dealing-With-Phishers-292064/">fake Facebook page</a> or YouTube page hosting the Koobface loader component. 

"Facebook users are advised to be careful and security-conscious," Baltazar blogged. "It is probable that the Koobface botnet owns a particular Facebook account."

For more on Koobface's recent moves, <a href="http://blog.trendmicro.com/koobface-abuses-google-reader-pages/" target="_blank">check here.</a> ]]>
      
   </content>
</entry>

<entry>
   <title>Unisys: Interest in Biometric Authentication Growing</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/identity_theft/hackers_indicted_in_rbs_worldpay_breach.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30911</id>
   
   <published>2009-11-10T23:21:10Z</published>
   <updated>2009-11-11T15:55:23Z</updated>
   
   <summary>A new consumer survey shows that attitudes regarding biometrics are changing as interest in the technology grows in response to identity theft. </summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Identity Theft" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Privacy" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<br />Perhaps underscoring a concern with fraud and identity theft, a new survey from Unisys found that a growing number of consumers are open to biometric authentication solutions.

The company's biannual <a href="http://www.unisyssecurityindex.com/">Unisys Security Index</a> included responses from 8,300 people from nine countries. Unisys found that despite a general decrease in overall concern about security threats, consumers remain most concerned about <a href="http://www.eweek.com/c/a/Security/How-Notorious-Trojans-Hit-Banks-and-Steal-Your-Money-546225/">bank card fraud and identity theft</a>. These concerns, Unisys contends, may have led to increased acceptance by consumers of <a href="http://www.eweek.com/c/a/Security/Is-Biometrics-Ready-as-a-Security-Solution-for-Enterprises/">biometric technologies.</a>

According to the report, 58 percent of Americans would be willing to provide biometric data to merchants and financial institutions to <a href="http://securitywatch.eweek.com/enterprise_security_strategy/password_strength_needs_a_boost.html">verify their identity.</a> Ninety-three percent said they would be "interested in using fingerprinting to secure their data."

In the U.K., 95 percent of respondents said they would be willing to provide fingerprint data. In addition, 90 percent said they would provide an eye scan, while 82 percent said they would provide a facial scan.

"Consumers worldwide seem to be growing more comfortable with the idea of using advanced and sometimes unfamiliar technologies to secure their identities as a way to prevent fraud," said Mark Cohn, vice president, enterprise security at Unisys, in a statement. "Given the concern about bank fraud and identity theft, it is not surprising that people would embrace new ways to protect themselves. But we were somewhat surprised by the wide acceptance of biometrics such as iris recognition and facial scans, technologies which consumers were more familiar with than we might have predicted." 

Overall, Belgium and the U.K. were the most accepting of biometric authentication schemes, which encompass everything from voice prints to photo ID to facial scans. The least interested were New Zealand and Brazil.

"In many countries, levels of consumers' acceptance of new forms of identity management appear to be higher than what might be expected," Cohn said. "These results indicate that some governments and financial institutions should 'catch up' with consumers and implement these solutions at a faster rate."
]]>
      
   </content>
</entry>

<entry>
   <title>New Attack Abuses Web Browser Cookies</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/vulnerability_research/web_site_attack_abuses_cookies.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30881</id>
   
   <published>2009-11-06T20:32:14Z</published>
   <updated>2009-11-07T00:43:10Z</updated>
   
   <summary>A new attack outlined at the ToorCon conference in October allows attackers to use vulnerabilities on Website subdomains to reach the parent domain.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Flaws" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Vulnerability Research" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Web 2.0" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[A security researcher has uncovered a serious exploit that could endanger popular Websites. 

The attack was uncovered by Michael Bailey, a senior security researcher at Foreground Security, and unveiled Oct. 24 at the ToorCon conference in San Diego. According to Bailey, due to the way Web browsers handle cookies, it is possible for a vulnerability on a Website subdomain to be leveraged against a parent domain.

"A weakness in a server with a subdomain pointed at it can be used to both leak cookies and set cookies for the main domain," <a href="http://skeptikal.org/repository/one_in_every_family.pdf" target="_blank">Bailey wrote in a paper</a> (PDF) on the issue. "This can in turn be used to perform multistage session fixation and cross-site scripting attacks.

"For example, www.advertising.expedia.com contained an XSS hole," he wrote. "Using that hole, one could poison the global cookies for the expedia.com domain. The main Expedia Website (www.expedia.com) would use those cookies in the body of the Web page, without proper escaping, and permit an attacker to inject malicious JavaScript into that application. This would allow the attacker to fully compromise the user's session on the Website, and the payload would persist until the user cleared his cookies or the server overwrote them, which may take months."

Part of the attack's success lies in the fact that for many businesses, there is a perception that applications on subdomains are isolated from the rest of the Website, Bailey told eWEEK.

"According to the structure of DNS [Domain Name System] this should be true, but Web browsers, and specifically their implementations of cookies, create implicit trust relationships that are ripe for abuse," he explained.

Users can mitigate the attack by using the <a href="http://www.eweek.com/c/a/Security/From-Microsoft-Internet-Explorer-8-to-Mozilla-Firefox-Web-Browsers-Tighten-Security/">'Private Browsing' features</a> of Internet Explorer, Mozilla Firefox and other browsers, he said. But there are still scenarios where the attack could work despite that capability.

"While it may keep sensitive information from being leaked through cookies, it will not prevent cookies from being poisoned," Bailey said. "The consequences of this are application-specific, but the end result is the same: Private browsing [modes] cannot be assumed to fully protect the user from these attacks."

Blocking cookies will also help prevent the attacks, but will disable the functionality that these attacks abuse, he added.

"For example, if a Web browser does not store session data, there will be no sessions to attack, but it also will not be able to use those sessions to maintain state," he said. "Disabling cookies may be effective, but it is not practical."

Bailey did, however, outline some solutions in his paper. Any vulnerability on an untrusted subdomain can affect a trusted domain, so administrators should pay careful attention. All applications should be <a href="http://www.eweek.com/c/a/Security/Whodunit-Finding-Security-Vulnerabilities-in-Application-Code-633960/">reviewed for common vulnerabilities</a> such as cross-site scripting and cross-site request forgery, and administrators should be wary of third-party servers and applications. The researchers also recommend that high-value DNS records be audited to locate unused servers and IP addresses.

"Security people often make the comment that you are only as secure as the weakest link in the chain, and that is now literally true," Mike Murray, chief information security officer of Foreground, told eWEEK. "Your weakest-security subdomain Website can compromise your highest-security one." 
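The cookie-scoping behaviour Bailey describes, reproduced with Python's standard cookie jar (whose default policy applies the same domain-matching rules browsers use), together with the two checks a site owner would want: an audit that flags Set-Cookie headers a subdomain emits with a Domain attribute wider than itself, and escaping of cookie values in the parent site's templates. This is an added example, not code from the article or from Bailey's paper; the hostnames are the ones the article quotes and every cookie value is constructed.

```python
"""Added example (not code from the article or Bailey's paper).

http.cookiejar.CookieJar with its DefaultCookiePolicy stores and returns
cookies by the Netscape/RFC 6265 domain rules that browsers follow, so it can
show the "implicit trust relationship" the article describes: a cookie that a
subdomain serves with Domain=.expedia.com is later attached to requests for
the parent site. Hostnames are those quoted in the article; values are made up.
"""
import email.message
import html
import http.cookiejar
import http.cookies
import urllib.request


class _FakeResponse:
    """Minimal stand-in for the response object CookieJar.extract_cookies() reads."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def cookie_header_sent(set_cookie_header, setting_url, requesting_url):
    """Store a cookie as if `setting_url` served it, then return the Cookie
    header the jar attaches to a request for `requesting_url` (None when the
    cookie is out of scope for that host)."""
    jar = http.cookiejar.CookieJar()  # default policy: browser-like rules
    jar.extract_cookies(_FakeResponse([set_cookie_header]),
                        urllib.request.Request(setting_url))
    req = urllib.request.Request(requesting_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def overscoped_cookies(set_cookie_headers, serving_host):
    """Audit check for a subdomain's responses: names of cookies whose Domain
    attribute is wider than the host that served them. Such cookies reach the
    parent and sibling sites, which may trust them."""
    flagged = []
    for header in set_cookie_headers:
        parsed = http.cookies.SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain and domain != serving_host.lower():
                flagged.append(name)
    return flagged


def render_greeting(cookie_header, escape):
    """The parent site's page template. escape=False reproduces the defect the
    article describes (a cookie value dropped into the page body as-is);
    escape=True treats the cookie like any other attacker-controllable input."""
    cookies = http.cookies.SimpleCookie()
    cookies.load(cookie_header or "")
    name = cookies["user"].value if "user" in cookies else "guest"
    if escape:
        name = html.escape(name, quote=True)
    return f"<p>Welcome back, {name}</p>"


# Constructed scenario: the subdomain emits a domain-wide cookie holding
# markup; the parent site later reads it. HOST_ONLY has no Domain attribute
# and therefore never leaves the subdomain.
SUBDOMAIN = "https://www.advertising.expedia.com/"
PARENT = "https://www.expedia.com/"
POISONED = "user=<b>bogus</b>; Domain=.expedia.com; Path=/"
HOST_ONLY = "pref=light; Path=/"


def walkthrough():
    """Returns (Cookie header the parent receives, unsafe rendering, safe
    rendering, audit findings) so the outcome can be inspected or asserted on."""
    sent = cookie_header_sent(POISONED, SUBDOMAIN, PARENT)
    return (
        sent,
        render_greeting(sent, escape=False),
        render_greeting(sent, escape=True),
        overscoped_cookies([POISONED, HOST_ONLY], "www.advertising.expedia.com"),
    )


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

Newer browsers also honour the `__Host-` cookie-name prefix, which rejects any Domain attribute and so prevents a subdomain from setting such a cookie at all; that mechanism postdates the article.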
]]>
      
   </content>
</entry>

<entry>
   <title>Malware SEO: Gaming Google Trends and Big Bird</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/seo/malware_seo_gaming_google_trends_and_big_bird.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30868</id>
   
   <published>2009-11-05T12:24:57Z</published>
   <updated>2009-11-05T12:33:15Z</updated>
   
   <summary>Attackers are now working to tailor new threats to online news trends on a daily basis using indicators including Google Trends.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Google" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SEO" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Search" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Malware distributors continue to flex their abilities to tap into whatever's hot in terms of search engine activity, even on a daily basis.

We've grown accustomed to the idea that whenever there is a major <a href="http://securitywatch.eweek.com/virus_and_spyware/spam_capitalizes_on_conficker_fear.html">news item</a> worldwide, from natural disasters to celebrity gossip stories, attackers will be hot on the heels of legitimate reports in attempting to create campaigns that suck in end users seeking information on the publicized events.

However, the evolution of the <a href="http://securitywatch.eweek.com/malware/bad_actors_largely_unchecked_in_cybercrime_efforts.html">crimeware underground</a> has reached the point where this isn't just a pattern that ties itself to a handful of major news events each month, or week, but instead attempts to tap into whatever the big news is each day.

This is perhaps best personified by attackers' work to ride the coattails of yesterday's celebration of the 40th anniversary of the debut of seminal children's television show Sesame Street. As reported by Webroot blogger Andrew Bryant, among others, a spate of rogue AV threats popped up on Wednesday as legitimate properties including Google marked the show's anniversary in one form or another.

"The black hat SEO gangs that have been manipulating Google results for the better part of the year have seized on a new target from which they've launched their current salvo of rogue antivirus guano," noted Bryant in a <a href="http://blog.webroot.com/2009/11/04/rogues-mug-big-bird-on-his-birthday/#more-1590">blog post</a>. "That's right, the lovable, giant jaundiced avian friend to child and adult alike is being used to hijack searches and rope unsuspecting users into a vortex of popups and fake scans."

Yes, he's talking about Big Bird.

The researcher notes that the Sesame St.-driven attacks are really just further proof that malware purveyors are looking at <a href="http://securitywatch.eweek.com/google/google_brings_malware_info_to_webmasters.html">Google Trends</a> each day and formulating new social engineering angles based on whatever the hot topics may be.

This shift from monthly or weekly attack customization shows how granular attackers' efforts have truly become, he said.

Of course, underlying the up-to-the-moment engineering are many of the same rogue <a href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html">AV scanner threats</a> we're seeing all the time, with the "Internet Antivirus Pro" program among those in distribution yesterday, delivered on the wings of Sesame St.'s massive winged mascot.

The use of a children's TV show to pass along the threats also highlights the need to educate children to the perils of following unfamiliar links, or opening unsolicited messages, Bryant notes.

Attackers have also become so skilled at gaming Google's <a href="http://securitywatch.eweek.com/seo/malware_distributors_mastering_news_seo.html">SEO patterns</a> that they were able to plant threats as high as the seventh result for Sesame St. related results on Wednesday, he said.

"Disgusting? Yes. Surprising? Hardly," the expert wrote. "Hooking your scumbag wares to celebrity deaths, peephole videos, and high profile arrests is one thing. But as far as I'm concerned, a line has been crossed. Yes, the dark back-alleys of the Internet are pretty far afield from Sesame Street. But nobody messes with the Bird."

What's next? A phony Match.com profile on the longtime co-habitation and apparent bliss of "roommates" Bert and Ernie?

Shameless!

<strong>Follow eWeek Security Watch on Twitter at: eWeekSecWatch.</strong>

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to <a href="mailto:SecurityWatchBlog@gmail.com">SecurityWatchBlog@gmail.com</a>.]]>
      
   </content>
</entry>

<entry>
   <title>Facebook Campaigns Serve Up Nasty Cocktail</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/facebook/facebook_campaigns_serve_up_nasty_cocktail.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30858</id>
   
   <published>2009-11-04T12:25:44Z</published>
   <updated>2009-11-04T12:33:24Z</updated>
   
   <summary>The Facebook phishing campaign landing in your in-box is more than just a social networking password thieving scheme, according to researchers with McAfee.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Facebook" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Microsoft Windows" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Anyone with a busy e-mail in-box has likely noticed the dramatic uptick in Facebook-related phishing campaigns making the rounds over the last several weeks.

Waves of the threats are surging across the Web daily, encouraging users to open an attachment on the pretext that they need to update their Facebook log-in information.

For people like myself who don't use the popular <a href="http://securitywatch.eweek.com/social_networking/facebook_attack_may_be_using_automated_pages.html">social networking site</a>, it's pretty clear that the campaign is nothing but an attack in waiting, but many of the messages do feature a fairly believable level of polish, using the same logo images and fonts typically employed by the networking site itself.

Having taken a closer look at the widespread attack, researchers with McAfee are warning that the threats actually serve up far more than a Facebook password phishing scheme: a dangerous cocktail of malware infections that leaves many affected endpoints squarely in the hands of electronic assailants.

In a <a href="http://www.avertlabs.com/research/blog/index.php/2009/11/03/facebook-phishing-campaign-pushes-cocktail-attack/">blog post</a> authored by McAfee AVERT Labs researcher Arun Pradeep, the multi-tiered level of sophistication involved in the Facebook campaign is spelled out. 

First off, in addition to seeking people's Facebook data, the threat downloads a keylogger aimed at stealing credit card numbers, Social Security numbers, and banking passwords from their machines.

And, almost predictably at this point, the attack also loads a <a href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html">rogue AV scanner</a> application that disables programs including Windows Notepad and WordPad until users agree to pay for additional malware-cleansing tools.

"Phishing campaigns on social networking sites are not new," Pradeep notes. "[But] scammers are not satisfied only pushing spam to sell 'Canadian' pills. Now they also want to sell fake security products, and they need all of our passwords," the expert said. 

In terms of its delivery model, once a user opens the attached zip file claiming to offer the password update info, they are served up a spreadsheet file that, once opened, drops the actual malware cocktail onto their machine.

After the malware takes root, it establishes a connection to the attacker's server over HTTP and attempts to download more payloads, including the aforementioned keylogger. The attack then forwards any data it can gather to a remote server through <a href="http://securitywatch.eweek.com/trojan_attacks/new_dhl_notice_campaigns_deliver_backdoor_threat.html">a backdoor</a>.

In terms of the phony AV angle, the rogue application enters through the same backdoor and then "covertly" installs itself before running and killing many applications that might be open, including Notepad, Calculator, Registry Editor, Task Manager, and others, Pradeep said. 

The attack does not go after Internet Explorer because it needs IE to communicate back with its malware server.

So there you have it, if you've been wondering what all those Facebook spam notes were up to, McAfee's taken off the wrapper for us. If you've already fallen for the ruse, it might be time to call in your IT staff, or to merely toss your PC out the window and start over.

Just kidding. Sort of.

]]>
      
   </content>
</entry>

<entry>
   <title>Dutch Attacker Hijacked iPhones, Demanded Ransom</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/apple/dutch_attacker_hijacks_apple_iphones.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30853</id>
   
   <published>2009-11-03T22:54:30Z</published>
   <updated>2009-11-04T02:23:09Z</updated>
   
<summary>A Dutch teenager has backed away from plans to extort users of jail-broken iPhones in the Netherlands. The teen had compromised the phones via the default root password.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Apple" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Flaws" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Vulnerability Research" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
<![CDATA[A Dutch teenager has backed away from an extortion scheme targeting <a href="http://www.webbuyersguide.com/company/46/Apple&kc=eweekarticle110309&src=eweekarticle110309">Apple</a> iPhone users.

The scheme was uncovered Nov. 2 <a href="http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fgathering.tweakers.net%2Fforum%2Flist_messages%2F1376420%2F0&sl=auto&tl=en&history_st%20%20ate0=" target="_blank">when reports surfaced</a> that an attacker was compromising iPhones and holding them for ransom. After using port scanning and OS fingerprinting to find iPhones in T-Mobile's 3G IP range, the attacker took advantage of the default root password on jail-broken iPhones running OpenSSH.

According to reports, the owners of the phones received a message on their screens that the attacker had control of their devices. To get it back, they were told to visit a Website, where they were told to send about $5 in euros to a PayPal account in exchange for instructions on how to remedy the situation.

The message on the Website reportedly read as follows: 

<blockquote>"Your iPhone is not secure. That's the reason you're visiting this page, isn't it? Well you can pay me $4,95 at my paypal account PureInfinity92@mailinator.com, and I'll mail you very easy instructions on how to secure your iPhone. You can also contact me at PureInfinity92@gmail.com.

If you don't pay, it's fine by me. But remember, the way I got access to your iPhone can be used by thousands of others. And they can send text messages from your number (like I did..), use it to call (or record your calls), and actually whatever they want, even use it for their hacking activities!

I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."</blockquote>

In a twist of fate for victims, the attacker for whatever reason changed his or her tune and <a href="http://mr09.fileave.com/" target="_blank">posted instructions</a> for changing the phone's SSH password. Users who had already changed the default password were not subject to the attack.

]]>
      
   </content>
</entry>

<entry>
   <title>McAfee: Piracy Sites Jump 300 Percent</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/enterprise_security_strategy/mcafee_piracy_sites_jump_300_percent.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30846</id>
   
   <published>2009-11-03T14:22:07Z</published>
   <updated>2009-11-03T14:30:43Z</updated>
   
   <summary>According to research from McAfee, the number of file sharing sites hosting copyrighted content has increased 300 percent in the past few months.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Enterprise security strategy" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Government standards" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Products" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<a href="http://www.eweek.com/c/a/Security/Pirate-Bay-Hit-as-ISP-Kills-Service-After-Court-Order-867342/">The Pirate Bay shutdown</a> didn't slow piracy. In fact, according to McAfee, the number of new file-sharing sites hosting unauthorized, copyrighted content shot up in the past three months.

In their Third Quarter Threats Report, researchers at McAfee took a look at the piracy scene. What they found was that cyber-criminals are taking advantage of The Pirate Bay shutdown to the tune of a 300 percent jump in the <a href="http://www.eweek.com/c/a/Security/Pirates-of-the-Caribbean-The-CyberCrime-Edition/">creation of file-sharing sites.</a>

According to V.i. Labs, which specializes in <a href="http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/">anti-piracy software</a>, file hosting services are a significant piracy distribution threat. In a report earlier this year, V.i. found that all the pirated product releases it searched for on search engines, index sites and BitTorrent tracking sites were available on Rapidshare, which has an Alexa traffic rank of 17, higher than Amazon.com's.

"There is little hope for organizations to eradicate references to the actual links to the pirated software on file hosting sites and other Web portals," said Victor DeMarines, vice president of products, V.i. Labs. "Organizations can try and scour the internet and write DMCA notices to these piracy channel sites, but given that pirated software can be renamed, re-packaged or zipped to bypass detection this is not feasible."

DeMarines said he would like to see the DMCA (Digital Millennium Copyright Act) Safe Harbor provisions tightened to crack down on sites like Rapidshare that profit through the distribution of pirated content.

"Notification of DMCA infringements places too much ownership on the copyright holders," he said. "By not providing any accountability for who is uploading and/or downloading content from these servers, file hosts provide a perfect medium to propagate pirated content. At a very minimum these services are used to advertise what the top downloaded files are to allow vendors or copyright owners to focus their review of what is available on these sites."
]]>
      
   </content>
</entry>

</feed>
