<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>The Last Watchdog</title>
	
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<pubDate>Wed, 11 Nov 2009 15:57:48 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/LastWatchdog" type="application/rss+xml" /><feedburner:emailServiceId>LastWatchdog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Macs emerge as virus carriers into Windows networks</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/FXjXxhDZ4Is/</link>
		<comments>http://lastwatchdog.com/macs-emerge-virus-carriers-windows-networks/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 03:29:48 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3526</guid>
		<description><![CDATA[Are Macs that are allowed to tie into Windows-centric networks posing an emerging security threat?
Yes,  contends Timothy Armstrong, Global Research and Analysis Team, Kaspersky Lab.
Kaspersky has become the latest antivirus company to begin offering an antivirus protection suite for Apple computers.
Other security products already on the market include Mac versions of  Norton Antivirus, [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3527" title="tim-armstrong-crop300px" src="http://lastwatchdog.com/wp/wp-content/uploads/tim-armstrong-crop300px.jpg" alt="tim-armstrong-crop300px" width="300" height="220" />Are Macs that are allowed to tie into Windows-centric networks posing an emerging security threat?</p>
<p>Yes,  contends Timothy Armstrong, Global Research and Analysis Team, Kaspersky Lab.</p>
<p>Kaspersky has become the latest antivirus company to begin offering an <a href="http://usa.kaspersky.com/products_services/anti-virus-for-mac.php">antivirus protection suite for Apple computers</a>.</p>
<p>Other security products already on the market include Mac versions of Norton Antivirus, Sophos Antivirus, PC Tools iAntivirus and Avast Antivirus, as well as McAfee VirusScan, Intego VirusBarrier X5 and ProtectMac AntiVirus.</p>
<p>In launching its Mac security suite, Kaspersky contends that there are multiple scenarios  by which Web-borne infections could be transferred from a Mac to a PC in a corporate network.</p>
<p>Infections can spread from a Mac to a PC via tainted USB devices, such as memory sticks, iPods, FlipVideo camcorders or Blackberries, or via corrupted Adobe PDF or Microsoft Office documents shared via email. &#8220;In this scenario a Mac user might view a file and not get infected, then forward it to a colleague using Windows who would get infected,&#8221; says Armstrong.</p>
<p>Similarly, the prolific spread of <a href="http://lastwatchdog.com/?s=bad+urls">bad URLs</a> via email, social network messaging and microblogging is, at one level, platform agnostic. For instance, a Mac user might be naturally inoculated against malware written for Windows OS spreading via a bad URL in social network messages. But the Mac user, nonetheless, could naively forward the bad URL on to his or her Windows-using co-workers, says Armstrong. &#8220;Further complicating this issue is the use of URL shortening services on sites such as Twitter, which mask the actual destination,&#8221; says Armstrong.</p>
<p>Kaspersky has detected  a malicious Firefox plug-in that works on both Mac and PC as well as any operating system that will run Firefox, he says. &#8220;This plug-in is a Trojan horse which downloads and installs a spam sending bot written in JavaScript.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/macs-emerge-virus-carriers-windows-networks/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/macs-emerge-virus-carriers-windows-networks/</feedburner:origLink></item>
		<item>
		<title>Microsoft gets attaboy from Zlob’s author, as good guys blunt some cyberthreats</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/DCxHJQ_ZRAY/</link>
		<comments>http://lastwatchdog.com/microsoft-attaboy-zlobs-author-good-guys-blunt/#comments</comments>
		<pubDate>Wed, 04 Nov 2009 06:20:06 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3462</guid>
		<description><![CDATA[billy gates why do you make this possible? Stop making money and fix your software!! &#8211;July 2002, admonishment of Bill Gates hidden in MSBlast coding
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. . . BTW, we are closing soon.  &#8211;Oct. 2008, attaboy to Microsoft [...]]]></description>
			<content:encoded><![CDATA[<p><em>billy gates why do you make this possible? Stop making money and fix your software!! </em><em>&#8211;July 2002, admonishment of Bill Gates hidden in MSBlast coding</em></p>
<p><em>You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. . . BTW, we are closing soon.  &#8211;Oct. 2008, attaboy to Microsoft hidden in Zlob coding.</em></p>
<p><img class="alignleft size-full wp-image-3467" title="bill-gates200px1" src="http://lastwatchdog.com/wp/wp-content/uploads/bill-gates200px1.jpg" alt="bill-gates200px1" width="208" height="165" />What a difference six  years makes. In the summer of 2002, the braggart author of the infamous MS Blast worm got a $250,000 bounty put on his head for baiting Bill Gates. He was never caught.</p>
<p>Fast forward to the present. After infecting hundreds of thousands of Windows PCs, the author of the Zlob Trojan hides a message for Microsoft&#8217;s researchers to find, graciously congratulating the boys in Redmond for forcing the  retirement of Zlob.</p>
<p>Could it be the good guys are finally winning?</p>
<p>Microsoft on Monday helped make that case. The software giant  <a href="http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=221500012">disclosed new evidence</a> that the good guys are, indeed, getting some traction defending against a centi-billion cybercrime industry whose criminal actors  have become accustomed to operating with impunity.</p>
<p><strong>Scareware, fake Flash updates declining</strong></p>
<p>Microsoft&#8217;s security team reported a significant decrease in <a href="http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/">scareware,</a> those obnoxious online promotions that try to frighten you into paying for worthless antivirus protection.</p>
<p>Also in decline are those <a href="http://lastwatchdog.com/bogus-adobe-flash-download/">faked Flash player updates</a> that actually trigger a download of a copy of the <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1416">Zlob Trojan</a>, which enables the bad guys to take full control of your PC. If the hidden message from Zlob&#8217;s author is sincere, those fake Flash player update attacks, down significantly, should soon fade completely away.</p>
<p><img class="alignleft size-full wp-image-3464" title="microsoft-msrt-copy300px" src="http://lastwatchdog.com/wp/wp-content/uploads/microsoft-msrt-copy300px.jpg" alt="microsoft-msrt-copy300px" width="300" height="281" />During the first six months of 2009, Microsoft&#8217;s  Malicious Software Removal Tool cleansed scareware infections from 13.4 million Windows PCs, down from 16.8 million in the last six months of 2008.</p>
<p>Additionally, Microsoft in the first six months of 2009 disinfected copies of the Zlob Trojan found on 2.3 million PCs, down from 21.1 million PCs cleansed of Zlob in the last six months of 2008 &#8212; a 10-fold decrease.</p>
<p>You&#8217;ve run across Zlob if you&#8217;ve ever gotten an email or an instant message, or a Facebook or MySpace private message, or a Twitter microblog enticing you to click on a Web link to check out an enticing  video or a celebrity doing something, or compelling news event or even yourself doing something weird at a dinner party. Zlob attacks like the one shown below were big during the 2008 U.S. presidential elections.</p>
<p><img class="alignleft size-full wp-image-3497" title="obama_president_web_450px" src="http://lastwatchdog.com/wp/wp-content/uploads/obama_president_web_450px.jpg" alt="obama_president_web_450px" width="450" height="341" />Clicking on the link to the Flash player update, of course, is a ruse. You actually agree to infect your PC with the Zlob Trojan, which turns your PC into a bot. Slotted into a botnet, your PC will subsequently be deployed to spread spam, steal data, hijack online banking accounts and spread scareware promotions.</p>
<p><strong>One good leads to another</strong></p>
<p>Thus, blunting Zlob also helped to slow scareware. Microsoft has led the way fostering better cooperation and responsiveness from tech security companies. A good example is the leadership role it played in forming and directing the Conficker Cabal, the consortium of normally uber-competitive tech security firms that banded together to keep one of the largest botnets ever assembled from being put to work.</p>
<p><img class="alignleft size-full wp-image-3500" title="george-stathakopoulos_crop90pxjpg" src="http://lastwatchdog.com/wp/wp-content/uploads/george-stathakopoulos_crop90pxjpg.jpg" alt="george-stathakopoulos_crop90pxjpg" width="90" height="129" />&#8220;We&#8217;re starting to make a dent,&#8221; says George Stathakopoulos, Microsoft&#8217;s General Manager of Trustworthy Computing.</p>
<p>Stathakopoulos acknowledged that the mainstream media, trade press and security bloggers deserve credit for fostering public awareness about rising cyber threats.</p>
<p>He told LastWatchdog that Microsoft accepts the attaboy it received from the author of Zlob &#8212;  buried in the coding of a recent variant of the Trojan &#8212; at face value. Here is the full text:</p>
<p><em>For Windows Defender&#8217;s Team:</em></p>
<p><em>I saw your post in the blog (10-Oct-2008) about my previous message.</em></p>
<p><em>Just want to say &#8216;Hello&#8217; from Russia.</em></p>
<p><em>You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.</em></p>
<p><em>I can&#8217;t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows <img src='http://lastwatchdog.com/wp/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </em></p>
<p><em>Happy New Year, guys, and good luck!</em></p>
<p><em>P.S. BTW, we are closing soon.</em></p>
<p><strong>Conficker and Taterf spreading robustly</strong></p>
<p>Yet, it&#8217;s no time to get complacent. Despite the progress on two fronts, the cyberunderground continues to thrive, says Stathakopoulos. Messaging worms, like Koobface, continue to send out millions of private messages and postings carrying tainted Web links via popular social networks, including Facebook, MySpace and Twitter.</p>
<p>And self-replicating worms, like <a href="http://www.usatoday.com/tech/news/computersecurity/2009-01-26-internet-worm_N.htm">Conficker</a> and <a href="http://www.crunchgear.com/2008/06/21/taterf-worm-steals-your-wow-password-epic-l00tz/">Taterf</a>, continue to steadily infect more and more PCs. Both Taterf and Conficker spread via tainted USB flash drives.</p>
<p><img class="alignleft size-full wp-image-3508" title="conficker_img-150x1504" src="http://lastwatchdog.com/wp/wp-content/uploads/conficker_img-150x1504.jpg" alt="conficker_img-150x1504" width="150" height="150" />The main way a PC gets infected is when a viral flash drive gets inserted into its USB port. The virus launches a program that looks for computers nearby sharing the internal network, and spreads the infection to those machines. It also corrupts all of the USB ports on each newly infected machine. So each PC is primed to taint any clean flash drive that subsequently gets plugged into any of its USB ports.</p>
<p>In the first six months of 2008, the number of copies of either Conficker or Taterf Microsoft cleaned up rose 98.4% as compared to the last six months of 2008. That total includes 4.9 million PCs found infected by Taterf in the first half of this year, compared to 2 million in the last six months of 2008, a 156% spike.</p>
<p>Stathakopoulos says Conficker continues to spread at about the same rate as corporations can find it and clean it up. He says the number of Conficker-infected machines, mostly inside corporate networks, remains stable at about 5 million.</p>
<p>However, Sunbelt Software CTO Eric Sites notes that a number of reliable reports indicate the number of Conficker infections recently topped 7 million. &#8220;The spread, and the battle, is very much continuing,&#8221; says Sites, even though &#8220;nothing much has been done&#8221; on the part of the bad guys to put Conficker-infected PCs to use in criminal pursuits. Security experts say Conficker&#8217;s controllers aren&#8217;t likely to make a move as long as the worm remains under heavy scrutiny.</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/microsoft-attaboy-zlobs-author-good-guys-blunt/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/microsoft-attaboy-zlobs-author-good-guys-blunt/</feedburner:origLink></item>
		<item>
		<title>Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/nTI6X4oexO8/</link>
		<comments>http://lastwatchdog.com/unstoppable-phishing-attacks-blanket-facebook-twitter/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 01:21:30 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3392</guid>
		<description><![CDATA[How quaint seem the days when naïve hacker wannabes phished PayPal  logons, then posted them on IRC chat channels, to try to make a few bucks &#8212; but mostly for bragging rights. That was circa 2002-2003.
Fast forward to the present. At this moment, Facebook is being blanketed by two high-volume email phishing campaigns.
These are [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3397" title="hotmail_phish300px" src="http://lastwatchdog.com/wp/wp-content/uploads/hotmail_phish300px.jpg" alt="hotmail_phish300px" width="300" height="196" />How quaint seem the days when <a href="http://lastwatchdog.com/hacker-wannabes-profit-driven-cyberthieves/">naïve hacker wannabes</a> phished PayPal  logons, then posted them on IRC chat channels, to try to make a few bucks &#8212; but mostly for bragging rights. That was circa 2002-2003.</p>
<p>Fast forward to the present. At this moment, Facebook is being blanketed by two high-volume email phishing campaigns.</p>
<p>These are serious, money-making drives that leverage PCs infected in previous attacks.<a href="http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm"></a> While the perpetrators get rich, they also lay groundwork assuring future attacks.</p>
<p>This new breed of multi-purpose, continually-expanding phishing campaign is also <a href="http://www.pcworld.com/businesscenter/article/174607/twitter_warns_of_new_phishing_attack.html">inundating Twitter</a> &#8211; nearly to atrophy. Twitter is at a loss as to how to <a href="http://www.examiner.com/x-19988-Dallas-Generation-Y-Examiner~y2009m10d15-WARNING-do-not-change-your-Twitter-password-right-now">effectively deal</a> with hordes of hacked Twitter account holders stampeding to change their passwords.</p>
<p>Meanwhile, Hotmail, Gmail, YahooMail and AOL mail are under siege, as well. Phishing attacks to trick legit users into giving up their log-on credentials have become so routine that newbie hackers can pull them off with ease, using free tool kits; some of these newbie phishers are so fresh-faced that they feel <a href="http://www.guardian.co.uk/technology/2009/oct/06/hotmail-phishing">compelled to brag</a> about their new-found skills to the British press.</p>
<p>But make no mistake: phishing has evolved into a very serious, lucrative criminal industry. After a lull earlier this year, phishing levels spiked 200% between May and September, according to IBM X-Force.</p>
<p><img class="alignleft size-full wp-image-3447" title="ibm_phish_spike450px" src="http://lastwatchdog.com/wp/wp-content/uploads/ibm_phish_spike450px.gif" alt="ibm_phish_spike450px" width="450" height="337" />Phishing for financial account log-ons, common for nearly a decade, continues. By now, most Web users know enough to avoid them. However, in the ever-evolving calculus of cybercrime, the username and password to your non-financial Web accounts &#8212; especially Hotmail, Facebook, Twitter, Gmail, YahooMail and AOL mail &#8212; have emerged as white hot commodities.</p>
<p>&#8220;These log-ons can be used to accomplish a number of tasks,&#8221; says Sam Masiello, threat researcher at McAfee&#8217;s MXLogic messaging security section. &#8220;A user&#8217;s login information could potentially lead to a gold mine.&#8221;</p>
<p><strong>Unstoppable campaigns</strong></p>
<p>The ongoing Facebook attacks vividly illustrate what&#8217;s going on at the cutting edge. Two top botnet gangs are bombarding Facebook members with targeted phishing emails to get control of their Facebook accounts.</p>
<p>There is nothing Facebook can do directly &#8212; beyond warning its members &#8212; to slow down these attacks. &#8220;This virus has been spreading over email, not on Facebook,&#8221; says Facebook spokesman Simon Axten. &#8220;We&#8217;re educating users on how to detect this through the <a href="http://www.facebook.com/security">Facebook Security Page</a>.&#8221;</p>
<p>In <a href="http://blog.appriver.com/2009/10/facebook-themed-malware.html">this ongoing attack,</a> the bad guys are directing an army of computers they&#8217;ve previously infected to systematically send out targeted email messages, like the one shown below, to millions of Facebook members.</p>
<p><img class="alignleft size-full wp-image-3408" title="facebook_zeus1_450px" src="http://lastwatchdog.com/wp/wp-content/uploads/facebook_zeus1_450px.jpg" alt="facebook_zeus1_450px" width="450" height="223" />The messages advise recipients to click &#8220;here&#8221; to activate a &#8220;new login system that will affect all Facebook users.&#8221; This takes the victim to a mocked-up Facebook log-in page, shown below, with the victim&#8217;s email address already filled in, but the password blank. Typing your password, of course, gives up full access to your Facebook account to the crooks.</p>
<p><img class="alignleft size-full wp-image-3418" title="facebook_zeus_login_450px1" src="http://lastwatchdog.com/wp/wp-content/uploads/facebook_zeus_login_450px1.jpg" alt="facebook_zeus_login_450px1" width="450" height="272" />But they aren&#8217;t done yet.</p>
<p>Another prompt, shown below, then appears advising you to download an &#8220;update tool,&#8221; which actually installs the ZeuS banking Trojan, which lurks on your hard drive waiting for a chance to steal your online banking log-ons the next time you type them.</p>
<p><img class="alignleft size-full wp-image-3415" title="facebook_zeus_update450es1" src="http://lastwatchdog.com/wp/wp-content/uploads/facebook_zeus_update450es1.jpg" alt="facebook_zeus_update450es1" width="450" height="208" />As of this morning, messaging security firm AppRiver had counted 41 different Web domains sending out 600 of these targeted phishing emails per minute. &#8220;We have seen around 6 million pieces of email so far this morning,&#8221;  says Fred Touchette, senior analyst at messaging security firm AppRiver.</p>
<p><img class="alignleft size-full wp-image-3430" title="fred-touchette_crop_70px" src="http://lastwatchdog.com/wp/wp-content/uploads/fred-touchette_crop_70px.jpg" alt="fred-touchette_crop_70px" width="70" height="93" />At its peak yesterday, about 1,000 viral emails per minute were being pushed out, he says. &#8220;This was a two-pronged attack,&#8221; says Touchette. &#8220;The first purpose was to phish Facebook accounts, and the second was to attempt to deliver a Trojan onto the victim&#8217;s machine.&#8221;</p>
<p>The Trojan installed was none other than ZeuS, the uber-popular banking Trojan that can be customized to do everything from stealing account log-ons to specific banks, to automating man-in-the-middle attacks that stealthily extract funds while the real account user is logged on. See <a href="http://www.usatoday.com/tech/news/computersecurity/2008-08-04-hacker-cybercrime-zeus-identity-theft_N.htm">LastWatchdog&#8217;s investigative report on A-Z</a>, the rich young creator of ZeuS, who presumably continues to earn royalties for his masterpiece.</p>
<p>This same group of phishers  has tried variations of this type of phishing attack &#8212; with  lures purporting to come from the IRS, the HMRC and a banking consolidation service in the UK called One Account. The phishers&#8217; main goal is to &#8220;intercept financial account information,&#8221; says Touchette.</p>
<p><strong>Bredolab wormhole</strong></p>
<p>The other <a href="http://blog.cloudmark.com/2009/10/28/did-facebook-reset-my-password/">big, ongoing Facebook phishing campaign</a> began on Monday, 26OCT2009,  around noon Pacific time, says Jamie Tomasello, abuse operations manager for messaging security firm Cloudmark.</p>
<p>These emails  purport to come from support@facebook.com, and contain a zip file said to hold the recipient&#8217;s new password, recently changed for security reasons by Facebook.</p>
<p>This simple ruse is fooling many smart, computer-savvy people. Cloudmark has found evidence of Facebook members actually going into their junk mail folders to retrieve these viral messages, then clicking on the infectious zip file. This installs the Bredolab Trojan downloader, a versatile little program that works like a wormhole into the PC&#8217;s hard drive.</p>
<p>The thought of a tech-savvy Facebook user grabbing a viral email out of a junk mail folder and clicking on a viral zip file must have the attackers joyous.</p>
<p>&#8220;People are very addicted to their Facebook accounts. They are so accustomed to communicating frequently and rapidly all the time,&#8221; says Tomasello. &#8220;They are aware of all the attacks, and are concerned about them. Yet many of them believe this is a legitimate security message from Facebook that got inadvertently sent to their junk mail folder.&#8221;</p>
<p>Unlike the attackers spreading ZeuS infections, the Bredolab campaigners do not try to first get the recipient to type in his or her password. As shown below, this criminal gang cuts right to the quick and asks you to download a zip file that installs the Bredolab wormhole, according to security firm M86.</p>
<p><img class="alignleft size-full wp-image-3424" title="facebook_bredolab_zip450px1" src="http://lastwatchdog.com/wp/wp-content/uploads/facebook_bredolab_zip450px1.jpg" alt="facebook_bredolab_zip450px1" width="450" height="326" />One of the first programs the attackers download through the wormhole is a botnet management program that enlists the PC into the infamous PushDo botnet, one of the most prolific distributors of <a href="http://blogs.techrepublic.com.com/security/?p=1637">pharm spam,</a> says Bradley Anstis, Vice President of Technical Strategy at M86 Security.</p>
<p>By installing the wormhole and botnet agent up front, the attackers quickly gain the option to come back later and download a keystroke logger to grab any Web mail, social network or financial account log-ons.</p>
<p>In fact, researchers at VeriSign iDefense found evidence the bad guys followed up rather quickly to do just that. &#8220;The Bredolab downloader installed two additional Trojans &#8212; in this case, ZeuS and Glacial Dracon,&#8221; says Ryan Olson, Rapid Response Director at VeriSign iDefense.</p>
<p>&#8220;Both of these Trojans are designed to steal information as well as credentials for online banking Web sites,&#8221; Olson continues. &#8220;In the end, the goal of these attacks is usually financially motivated - and the market for online banking credentials is relatively lucrative.&#8221;</p>
<p><strong>Virgin accounts</strong></p>
<p>In the evolving cyberunderground, valid Web mail and social network accounts are considered highly valuable &#8220;virgin&#8221; assets, useful for sending out viral e-mail messages likely to go unblocked by spam filters, Sophos researcher Beth Jones says.</p>
<p>Virgin Web mail or social network accounts can sell for as much as $2 - more than double what a stolen credit card account number fetches, says Fred Rica, principal at PricewaterhouseCoopers&#8217; security practice.</p>
<p>Besides botting you and stealing all of your account log-ons, the bad guys can now also use your Web mail and social networks accounts to carry out a matrix of lucrative online capers, made all the easier if you use just one or a handful of the same passwords.</p>
<p>They can send out e-mails that appear to come from you to everyone in your address book to try to get them to divulge passwords. And they can scour your e-mail folders for clues to the social networks and online banks you use, then crack into those accounts - and change the passwords so only they can access them.</p>
<p>Part of this is because many online services require an e-mail address to set up a Web account. Meanwhile, replacement passwords are typically sent to that e-mail address - a perfect setup for a crook who is in control of the e-mail account, says Amichai Shulman, chief technical officer of security firm Imperva.</p>
<p><strong>Entry-level cybercrime</strong></p>
<p>The harvesting of virgin Web mail accounts has become a cornerstone of the cyberunderground, so much so that it has evolved into an entry-level cybercrime, says AppRiver analyst Touchette. Starter kits, complete with slick, ready-made faked log-on pages for each of the top Web mail services and social networks, are readily available - for free. A newbie phisher has only to supply a website on which to host the faked page and collect the stolen passwords.</p>
<p>This has become a widespread activity, one that is keeping the cyberunderground supplied with a new generation of scammers getting in on the ground floor. The crooks supplying the free tool kits have a stake in flushing out as many virgin accounts as possible. &#8220;Each account presents new opportunities to make money,&#8221; Touchette says.</p>
<p><strong>Other attacks</strong></p>
<p>The demand for virgin Web mail accounts has, in fact, become so robust that top-tier cybercrime gangs are going after them with other kinds of attacks as well. Some specialize in tainting legitimate Web pages, or corrupting search results, with imperceptible infections.</p>
<p>Clicking on the tainted Web page or corrupted search result can open a backdoor on the user&#8217;s PC, through which the attacker can install a program to steal keystrokes - especially those typed into a Web mail log-on form.</p>
<p>Another popular attack involves hacking into the databases of employment sites, shopping sites or any site that collects sensitive information, including valid e-mail addresses.</p>
<p>ScanSafe researcher Mary Landesman says she regularly finds caches of thousands of stolen Web mail log-ons stashed away in nooks and crannies of the Internet, often organized in a way that makes it clear an infection or database hack was used to harvest the data.</p>
<p>&#8220;Most disturbingly, we came across a cache of stolen credentials quite by accident posted in plain view on a now defunct website,&#8221; she says. &#8220;Presumably others could have found it as well.&#8221;</p>
<p><strong>Twitter users can no longer change passwords</strong></p>
<p>Yet the phishing ruses are arguably the quickest, cleanest way to steal log-ons to non-financial Web accounts.</p>
<p><a href="http://www.sophos.com/blogs/gc/g/2009/10/28/twitter-phishers-password/">Twitter is being swamped</a> with simple email phishing ruses. The bad guys are also creating new Twitter accounts and stealing existing ones, then using them <a href="http://">to send out viral microblogs</a> &#8212; Tweets carrying infected Web links. Because these links are shortened, it&#8217;s impossible to tell a good one from a malicious one. And Tweets move in real time, pushed out from multiple sources around the globe, viewable by anyone using the service at that moment. This characteristic imparts a veil of trustworthiness ripe for cyber criminals to take advantage of.</p>
<p>Many Twitter users whose accounts have been compromised via phishing attacks and malicious URLs circulating in Tweets change their passwords to maintain their existing accounts. But so many are doing so that Twitter can&#8217;t handle the avalanche of password change requests. Twitter has begun <a href="http://blogs.usatoday.com/technologylive/2009/10/some-twitter-users-still-tweetless-after-lockout.html">locking out password changes</a>, and now advises users <a href="http://status.twitter.com/page/3">not to change</a> their usernames and passwords.</p>
<p>Tomorrow, 29OCT2009, antivirus company Kaspersky plans to publicly unveil something called <a href="http://news.softpedia.com/news/The-Twitter-Malware-Problem-is-Getting-Worse-122735.shtml">Krab Krawler,</a> a tool it has been developing that&#8217;s designed to troll Twitter microblogs for malicious URLs and then add them to Kaspersky&#8217;s blacklist of malicious programs.</p>
<p>Meanwhile, variations of the phishing email attacks slamming Facebook messages are being aimed at other high-profile targets. Phishing ruses purport to come from the <a href="http://blogs.usatoday.com/technologylive/2009/09/personalized-spam-attacks-target-small-businesses.html">IRS,</a> FedEx, UPS and <a href="http://www.theregister.co.uk/2009/01/08/hmrc_tax_refund_scam/">Her Majesty&#8217;s Revenue &amp; Customs,</a> to name a few. One that&#8217;s now in circulation, shown below, purports to come from the <a href="http://www.m86security.com/trace/i/Beware-New-Pushdo-Campaigns-,trace.1145~.asp">FDIC,</a> and is also spreading the Bredolab wormhole.</p>
<p><img class="alignleft size-full wp-image-3427" title="fdic_phish450px" src="http://lastwatchdog.com/wp/wp-content/uploads/fdic_phish450px.jpg" alt="fdic_phish450px" width="450" height="325" />M86&#8217;s forensic work reveals that the FDIC phishing attack is also the handiwork of the same Pushdo botnet gang behind the Facebook Bredolab phishing scam. Not at all surprising.</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/unstoppable-phishing-attacks-blanket-facebook-twitter/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/unstoppable-phishing-attacks-blanket-facebook-twitter/</feedburner:origLink></item>
		<item>
		<title>Windows 7’s security ‘time bomb’</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/TZpaIkzS0Rw/</link>
		<comments>http://lastwatchdog.com/windows-7s-security-time-bomb/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 17:37:02 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3314</guid>
		<description><![CDATA[Battered by braggart hackers and a budding cybercrime industry, Microsoft changed paradigms when Bill Gates issued his  &#8220;Trustworthy Computing&#8221; memo on Jan. 15, 2002. No longer would the world&#8217;s richest software company make functionality king. Security would be the new guidepost.
&#8220;Great features won&#8217;t matter unless customers trust our software,&#8221; Gates pronounced at the start [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3387" title="windows7_uac_prompt300px" src="http://lastwatchdog.com/wp/wp-content/uploads/windows7_uac_prompt300px.gif" alt="windows7_uac_prompt300px" width="300" height="170" />Battered by braggart hackers and a budding cybercrime industry, Microsoft changed paradigms when Bill Gates issued his <a href="http://lastwatchdog.com/bill-gates/"> &#8220;Trustworthy Computing&#8221; memo</a> on Jan. 15, 2002. No longer would the world&#8217;s richest software company make functionality king. Security would be the new guidepost.</p>
<p>&#8220;Great features won&#8217;t matter unless customers trust our software,&#8221; Gates pronounced at the start of 2002.</p>
<p>Fast forward to the fall of 2009. While Microsoft has made great strides in security, the <a href="http://arstechnica.com/microsoft/news/2009/02/the-curious-tale-of-windows-7s-uac.ars">decision to add gradations to the User Account Control</a> mechanism in Windows 7 &#8212; and set the default setting at medium-high &#8212; once again lays bare the company&#8217;s engrained features bias.</p>
<p><img class="alignleft size-full wp-image-3320" title="eric-voskuil_crop88pxg" src="http://lastwatchdog.com/wp/wp-content/uploads/eric-voskuil_crop88pxg.jpg" alt="eric-voskuil_crop88pxg" width="88" height="125" />&#8220;Overall Windows 7 is a big improvement and a much more secure operating system,&#8221; says Eric Voskuil, CTO of security firm BeyondTrust. &#8220;However, UAC in its default configuration is a ticking time bomb.&#8221;</p>
<p>UAC is the feature introduced in Vista that finally made a distinction between user-level access, needed to open files and work with data, and administrator-level access, needed to install new applications on your hard drive. From a security standpoint, user-level control is restricted and, therefore, good, while administrator-level access is wide open and thus can be very, very bad.</p>
<p><strong>User-level vs. administrator-level access</strong></p>
<p>In Windows XP, administrator-level access was enabled by default, a big reason cybercriminals have been able to install malicious applications on tens of millions of Internet-connected Windows PCs  and amass them into <a href="http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm">botnets</a> to carry out Internet-enabled criminal activities.</p>
<p><a href="http://news.zdnet.com/2100-9590_22-197085.html">Microsoft designed UAC</a> to put users in control of when to grant administrator-level access to the hard drive. But UAC frequently prompts Vista users for permission to do something, sometimes more than once. Apple ridicules Vista&#8217;s UAC, portraying it as an overbearing secret service agent in <a href="http://movies.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov">this TV commercial,</a> even though the Mac OS X operating system has a very similar security feature, albeit more elegantly executed.</p>
<p>Because many annoyed Vista users simply turned UAC off &#8212; in effect reverting to XP-level exposure with wide-open administrator-level access &#8212; Microsoft created a <a href="http://">slider bar</a>, shown below, for Windows 7 that enables users to set two intermediate levels of access, medium-low and medium-high.</p>
<p><img class="alignleft size-full wp-image-3388" title="windows7_uac_slider2_450px" src="http://lastwatchdog.com/wp/wp-content/uploads/windows7_uac_slider2_450px.gif" alt="windows7_uac_slider2_450px" width="450" height="511" />To enable these gradations Microsoft created a mechanism called <a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx#id0560031">&#8220;auto-elevate&#8221; </a>that automatically grants permission for administrator-level access for certain routine functions. This feature increases usability by reducing the number of permission requests the user sees.</p>
<p>In early July 2009, a programmer named Leo Davidson <a href="http://www.pretentiousname.com/misc/win7_uac_whitelist2.html">published proof-of-concept code</a> showing how any program, good or bad, could tap into the Windows 7 auto-elevate feature when UAC was set at off, medium-low or medium-high. The upshot: setting the UAC default at medium-high would reduce the number of annoying prompts users see &#8212; but also leave a door wide open for cyber criminals to access the hard drive.</p>
<p>Davidson&#8217;s discovery and disclosure was very much in the same vein as the work of vulnerability researchers who&#8217;ve discovered and disclosed thousands of Windows operating system vulnerabilities, some that have subsequently led to infamous cyber attacks &#8212; from <a href="http://lastwatchdog.com/hacking-bragging-rights-hacking-ill-gotten-profits/">CodeRed</a> to <a href="http://lastwatchdog.com/conficker-reactivates-spreading-pitches-fake-antivirus/">Conficker.</a></p>
<p><strong>Framing the debate</strong></p>
<p>In fact, <a href="http://www.aeroxp.org/2009/07/microsoft-lists-uac-hack-as-malware/">Microsoft quickly listed </a>Davidson&#8217;s proof of concept exploit as malware.</p>
<p>But then a debate ensued that underscores Microsoft&#8217;s ongoing struggle to balance features and profits against security and the risk of losing the public&#8217;s trust.</p>
<p><img class="alignleft size-full wp-image-3353" title="long_zheng_crop50px1" src="http://lastwatchdog.com/wp/wp-content/uploads/long_zheng_crop50px1.jpg" alt="long_zheng_crop50px1" width="50" height="58" />On one side of the debate, security researchers like Voskuil and a 21-year-old Melbourne college student and security blogger named <a href="http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/">Long Zheng</a> argued that Microsoft was obligated to somehow mitigate the auto-elevate vulnerability. However, the only way to do that was to get rid of the medium and medium-high UAC gradations, in effect dumping auto-elevate, says Voskuil.</p>
<p>On the other side, two of Microsoft&#8217;s best and brightest &#8212;  <a href="http://www.microsoft.com/presspass/exec/techfellow/Russinovich/default.mspx">Dr. Mark Russinovich,</a> one of only 22 Microsoft Technical Fellows, and <a href="http://www.microsoft.com/presspass/exec/devaan/">Jon DeVaan,</a> Senior Vice President, Windows Core Operating System Division &#8212; dug their heels in to defend the auto-elevate feature.</p>
<p>To Russinovich&#8217;s and DeVaan&#8217;s credit, each engaged fully in the debate and laid out their positions in detail.</p>
<p><img class="alignleft size-full wp-image-3328" title="mark-russinovich_crop50px" src="http://lastwatchdog.com/wp/wp-content/uploads/mark-russinovich_crop50px.jpg" alt="mark-russinovich_crop50px" width="50" height="66" />Russinovich argues <a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx#id0560031">in this blog post</a> that, while the auto-elevate exploit disclosed by Leo Davidson is viable, it would require deliberate intent and a non-trivial effort to put into action. &#8220;The follow-up observation is that malware could gain administrative rights using the same techniques,&#8221; writes Russinovich. &#8220;Again, this is true . . . from the perspective of malware, Windows 7&#8217;s default mode is no more or less secure than the Always Notify mode (&#8220;Vista mode&#8221;).&#8221;</p>
<p>DeVaan <a href="http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx">in this blog post</a> acknowledges that UAC &#8220;is one of those features that has a broad spectrum of viewpoints with viewpoints and advocates staking out both ends of the spectrum&#8230;security on one end and usability on the other.&#8221;</p>
<p><img class="alignleft size-full wp-image-3329" title="jon_devaan_crop50px" src="http://lastwatchdog.com/wp/wp-content/uploads/jon_devaan_crop50px.jpg" alt="jon_devaan_crop50px" width="50" height="68" />DeVaan then goes on to argue that UAC is &#8220;not a security boundary.&#8221; Therefore, he asserts that the auto-elevate flaw exposed by Leo Davidson does not &#8220;constitute a vulnerability.&#8221;</p>
<p>Thus when Windows 7 <a href="http://www.usatoday.com/tech/news/2009-10-22-windows-microsoft-linux_N.htm">launched on Thursday</a>, 22Oct2009, it shipped with a UAC default setting of medium-high.</p>
<p>&#8220;This is the decision they felt they had to make to sell Windows 7,&#8221; says Voskuil. &#8220;From a security standpoint, they should at least be honest about it.&#8221;</p>
<p>Voskuil says cybercriminals have already begun to tweak their attacks to slip through the medium-high setting. &#8220;It defeats the purpose of the whole system,&#8221; he says. &#8220;Anybody can do whatever they want; all they need to do is get the user to launch code.&#8221;</p>
<p><strong>Playing to cyber criminals&#8217; strengths</strong></p>
<p>The medium-high UAC default setting plays directly to the strength of cyber gangs adept at tricking PC users into clicking on corrupted Web links arriving in email spam, Twitter microblog postings, Facebook messages and Google search results as LastWatchdog <a href="http://www.usatoday.com/tech/news/2009-09-02-bad-links-hackers-stars-internet_N.htm"> reported here.</a> The bad guys are also planting infectious launch code hidden in online advertisements displayed by popular Web sites<a href="http://www.nytimes.com/2009/09/15/technology/internet/15adco.html?_r=2">, such as the New York Times.</a> The prime criminal directive: infect as many PCs as possible to turn them into bots and align them into botnets,  <a href="http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm">the engines driving cyber crime.</a></p>
<p>Cybercrime has come a long way since Bill Gates issued his Trustworthy Computing memo in 2002. Hardly anyone, save for <a href="http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online">raw newbies</a> or <a href="http://lastwatchdog.com/bots-south-korean-attacks-self-destructing/">political activists,</a> launches attacks for bragging rights. Cybercrime has emerged as a <a href="http://news.cnet.com/8301-1009_3-10152246-83.html">centi-billion dollar</a>, smooth-running, steadily-expanding global industry.</p>
<p>Malicious software tool kits, like MPack, Turk-o-jan and ZeuS, can be readily purchased and easily customized. This malware is being churned out by professional programmers, like A-Z, the young and rich author of ZeuS, whom I wrote about in <a href="http://www.usatoday.com/tech/news/computersecurity/2008-08-04-hacker-cybercrime-zeus-identity-theft_N.htm">this investigative cover story.</a></p>
<p>&#8220;They will take Leo&#8217;s code, or write their own, because it&#8217;s not difficult  to do, and integrate it into their own malware, and when it launches on your Windows 7 machine, through whatever mechanism, it will get past the medium-high setting on UAC,&#8221; predicts Voskuil.</p>
<p>Cyber criminals are counting on most Windows 7 purchasers to stick with Microsoft&#8217;s default settings. Voskuil recommends immediately elevating your Windows 7 UAC default setting from &#8220;notify me only when programs try to make changes to my computer,&#8221; to the &#8220;always notify&#8221; setting.</p>
<p>You will see more annoying prompts. But you will be better protected.</p>
<p>Expert commentary encouraged.</p>
<p><em>by Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/windows-7s-security-time-bomb/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/windows-7s-security-time-bomb/</feedburner:origLink></item>
		<item>
		<title>Windows vs. Linux security strengths and weaknesses</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/MCGb4nqu7ZE/</link>
		<comments>http://lastwatchdog.com/windows-vs-linux-security-strengths-weaknesses/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 18:21:10 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[For consumers]]></category>

		<category><![CDATA[For technologists]]></category>

		<category><![CDATA[Imminent threats]]></category>

		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3294</guid>
		<description><![CDATA[
With the launch of Windows 7 on Thursday 22Oct2009 , Linux vendors, led by IBM, are touting the intrinsic  security superiority of Linux vs. Windows.  Vendor hype aside, the Windows 7 launch does raise two big questions:


 In  what way is Windows 7 more secure than Vista or XP?
Is Linux truly more [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-3309" title="linux_windows2" src="http://lastwatchdog.com/wp/wp-content/uploads/linux_windows2-150x150.jpg" alt="linux_windows2" width="150" height="150" /></p>
<p><em>With the launch of Windows 7 on Thursday 22Oct2009, Linux vendors, led by IBM, are <a href="http://blogs.usatoday.com/technologylive/2009/10/ibm-tries-to-woo-business-customers-from-windows-7.html">touting the intrinsic security superiority of Linux</a> vs. Windows. Vendor hype aside, the Windows 7 launch does raise two big questions:<br />
</em></p>
<ul>
<li><em> In  what way is Windows 7 more secure than Vista or XP?</em></li>
<li><em>Is Linux truly more secure than Windows?</em></li>
</ul>
<p><em> Jacob West, Director of Security Research at application security firm Fortify Software, thoroughly answers these questions in this exclusive LastWatchdog guest blog post. Comments are encouraged.</em></p>
<p>By Jacob West</p>
<p>Director of Security Research, Fortify Software</p>
<p><strong><img class="alignleft size-thumbnail wp-image-3312" title="jacob-west_crop175px2" src="http://lastwatchdog.com/wp/wp-content/uploads/jacob-west_crop175px2-150x150.jpg" alt="jacob-west_crop175px2" width="150" height="150" />Windows strengths</strong><br />
<em><strong>Security Development Lifecycle  (SDL)</strong></em></p>
<ul>
<li> Microsoft has done pioneering work with their Security Development Lifecycle, which builds security in throughout their development lifecycle.</li>
<li>Microsoft attributes significant reductions in mainline products, including Windows Vista, Internet Explorer, and SQL Server, directly to their application static analysis, runtime security testing, and other <a href="http://msdn.microsoft.com/en-us/security/cc424866.aspx">key aspects of the SDL</a>.</li>
</ul>
<p><em><strong>Security on the Desktop</strong></em></p>
<ul>
<li> One positive side effect of the target virus and malware authors have painted on Microsoft products is that most Windows users have an antivirus or anti-malware utility installed.</li>
<li>These tools aren&#8217;t silver bullets, but if the cyber villains out there decide to turn their crosshairs on non-Windows platforms, users may find themselves in a rush to find solid solutions.</li>
</ul>
<p><strong>Windows weaknesses</strong><br />
<em><strong>Viruses and Malware</strong></em></p>
<ul>
<li> Despite some valiant efforts, viruses and malware plague the lives of Windows users who dare to use the Internet.</li>
<li>From the end-user standpoint it&#8217;s hard to argue with the fact that Windows users are more impacted by malicious software than users of other operating systems, which is supported by the fact that Kaspersky Labs found that more than <a href="http://www.viruslist.com/en/analysis?pubid=204792034">99% of malware threats in the first half of 2008 targeted Windows platforms</a>.</li>
</ul>
<p><strong>Linux strengths</strong><br />
<strong><em> Architecture<br />
</em></strong></p>
<ul>
<li>One of the biggest advantages Linux has over Windows when it comes to security is its architecture.</li>
<li>The inherently multi-user architecture of Linux systems promotes a segregated hierarchy of trust that is fundamentally more secure than the single-user design of Windows systems past.</li>
<li>User Account Control (UAC) in Windows Vista, which means among other things that user programs run with restricted permissions and require the privileges of a super-user to perform sensitive actions, is a good step forward.</li>
<li>The poor security architecture of past versions of Windows continues to haunt current users in the form of legacy software that fails to install or even run, in many circumstances, <a href="http://www.esecurityplanet.com/views/article.php/11163_3665801_1/Linux-vs-Windows-Which-is-Most-Secure.htm">without the elevated privileges that UAC seeks to enforce</a>.</li>
<li>Windows 7 takes a step backwards by relaxing the restrictions enforced by UAC to make installing and running legacy programs easier, but at the cost of security.</li>
</ul>
<p><em><strong>Many Eyes Theory</strong></em></p>
<ul>
<li> The &#8220;many eyes&#8221; theory proposes that because anyone can access open source code, developers will find and fix more bugs than in traditional closed code bases.</li>
<li>Projects like the <a href="http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html">Department of Homeland Security&#8217;s project to identify and remediate vulnerabilities</a> in open source software and Fortify Software&#8217;s <a href="http://opensource.fortify.com">Fortify Open Review</a> have demonstrated that community vulnerability identification efforts can effectively identify security bugs in open source.</li>
<li>However, our <a href="http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf">research suggests</a> that widely-used open source projects are woefully lacking when it comes to providing their users with access to security expertise, implementing secure development lifecycles, and leveraging static analysis to identify widespread security vulnerabilities.</li>
</ul>
<p><strong>Linux weaknesses</strong><br />
<strong><em>New targets</em></strong></p>
<ul>
<li>One of the biggest security disadvantages for Linux is that it hasn&#8217;t benefited from the years of attacks that Windows platforms have weathered.</li>
<li>Although their exploits are no fun for Windows users, the hordes of malware authors have served as de facto security auditors and have led to the remediation of piles of security bugs in Windows.</li>
<li>If Linux gains widespread adoption, there&#8217;s no reason to think the crosshairs of malware authors might not increasingly follow. The question will then be whether the eyes of the many developers that have contributed to Linux will stand the test of the highly motivated hackers poised to pull the trigger.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/windows-vs-linux-security-strengths-weaknesses/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/windows-vs-linux-security-strengths-weaknesses/</feedburner:origLink></item>
		<item>
		<title>Americans open to biometric screening as trust in Web 2.0 falters</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/q1qcwWBItR0/</link>
		<comments>http://lastwatchdog.com/americans-open-biometric-screening-trust-web-20-fades/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 00:02:30 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3275</guid>
		<description><![CDATA[Not all Americans crave convenience over security.
A new survey by tech systems consulting firm Unisys and Leiberman Research found 93% of 583 respondents open to the notion of  using fingerprinting to confirm their identities and secure their data.
Some 58% of those polled by Unisys said they would be willing to provide biometric data to [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3289" title="eyescan_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/eyescan_crop.jpg" alt="eyescan_crop" width="201" height="105" />Not all Americans crave convenience over security.</p>
<p>A <a href="http://www.unisys.com/unisys/news/detail.jsp?id=1120000970000410070 ">new survey</a> by tech systems consulting firm Unisys and Leiberman Research found 93% of 583 respondents open to the notion of  using fingerprinting to confirm their identities and secure their data.</p>
<p>Some 58% of those polled by Unisys said they would be willing to provide biometric data to merchants and financial institutions to verify their identity. This includes retinal  and perhaps even vascular scanning, akin to <a href="http://www.unisys.com/unisys/ri/cs/detail.jsp?id=9500037&amp;pid=&amp;sid=4100002">this  system</a> used to control access to  the Port of Halifax.</p>
<p><img class="alignleft size-full wp-image-3277" title="mark-cohn_crop90px" src="http://lastwatchdog.com/wp/wp-content/uploads/mark-cohn_crop90px.jpg" alt="mark-cohn_crop90px" width="90" height="127" />&#8220;We believe that Americans are receptive to biometrics because of legitimate fear about misuse of personal information and pervasive risk of identity theft and identity fraud,&#8221; says Mark Cohn, Unisys Vice President of Enterprise Security. &#8220;There is a growing awareness that biometric technology in a well-designed system can offer the highest levels of identity protection.&#8221;</p>
<p><strong>Public responds to pain points</strong></p>
<p>Americans are beginning to grasp how easy it is for cyber criminals to obtain usernames and passwords and use them to access our banking, social network, free Web mail and other online accounts.</p>
<p>This realization has been agonizingly slow in developing. But another poll out this week shows that the pain points are being felt. Some 81% of the 1,003 respondents <a href="http://www.psbresearch.com/files/Online%20Exposure,%20Offline%20Uncertainty%20Press%20Release.pdf">surveyed</a> by The Chertoff Group and Penn, Schoen &amp; Berland said they were concerned about the security of their personal data online, with 54 percent indicating they were &#8220;very concerned.&#8221;</p>
<p>&#8220;The poll findings paint a troubling picture, with profound implications for online innovators and the broader technology community for years to come,&#8221; says the Chertoff Group&#8217;s namesake, Michael Chertoff, former Secretary of the Department of Homeland Security under Pres. Bush.</p>
<p><strong>Budding public outcry</strong></p>
<p>Last Watchdog is hopeful that these polls could signal budding public outcry to slow down the headlong rush by the financial services industry, aided and abetted by tech companies, to advance the use of convenient Web services, without fully addressing the security implications.</p>
<p>It may be that a critical mass of consumers <em>won&#8217;t </em>remain oblivious to rising cyber risks much longer. Less than 1-in-10 respondents to the Chertoff poll said they trust Web mail providers, private companies and online brokerages.</p>
<p>The poll found that regional banks and healthcare providers, for now, are deemed most trustworthy, but only about 30 percent of the respondents said they placed trust in these top-ranking organizations. The Chertoff Poll also found that Americans are:</p>
<ul>
<li>Highly concerned about the security of their personal data online.</li>
<li>Unfamiliar with and concerned about many new technologies.</li>
<li>Willing to accept more limited capabilities in return for greater security.</li>
</ul>
<p><img class="alignleft size-full wp-image-3280" title="michael_chertoff_crop90px" src="http://lastwatchdog.com/wp/wp-content/uploads/michael_chertoff_crop90px.jpg" alt="michael_chertoff_crop90px" width="90" height="133" />&#8220;The more that the public understands their exposure, the more challenging it will be for companies to convince customers that their personal data is secure,&#8221; says Chertoff. &#8220;Those companies that demonstrate their commitment and competence in consumer security first will have the advantage in the 21st century.&#8221;</p>
<p>Mark Penn, President of Penn, Schoen &amp; Berland, says that as Americans move more and more of their lives online &#8220;the companies that prioritize providing effective, reliable, and understandable security measures will have the chance to create powerful relationships with consumers.&#8221;</p>
<p>Convenience isn&#8217;t everything.</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/americans-open-biometric-screening-trust-web-20-fades/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/americans-open-biometric-screening-trust-web-20-fades/</feedburner:origLink></item>
		<item>
		<title>Scareware purveyors advance to using blackmail and creating botnets</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/2TQlUHUZaLc/</link>
		<comments>http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 01:23:35 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3187</guid>
		<description><![CDATA[WHAT YOU CAN DO TO RECOVER: Use free VIPRE PC Rescue program
Symantec and Panda Security have separately uncovered yet more evidence underscoring the rapid advance of scareware - and the increasing guile of its purveyors.
PandaLabs virus hunter Sean-Paul Correll recently discovered an attack that not only bombards you with obnoxious sales pitches for worthless antivirus [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>WHAT YOU CAN DO TO RECOVER: Use free <a href="http://lastwatchdog.com/scareware-recovery-manually-restore-malware-infested/">VIPRE PC Rescue</a></strong><strong> program</strong></em></p>
<p><img class="alignleft size-full wp-image-3273" title="totalsecurity_crop450px_fake" src="http://lastwatchdog.com/wp/wp-content/uploads/totalsecurity_crop450px_fake.jpg" alt="totalsecurity_crop450px_fake" width="450" height="287" />Symantec and Panda Security have separately uncovered yet more evidence underscoring the rapid advance of scareware - and the increasing guile of its purveyors.</p>
<p><img class="alignleft size-full wp-image-3232" title="sean-paul-correll_crop1" src="http://lastwatchdog.com/wp/wp-content/uploads/sean-paul-correll_crop1.jpg" alt="sean-paul-correll_crop1" width="90" height="130" />PandaLabs virus hunter Sean-Paul Correll <a href="http://www.prnewswire.com/news-releases/fake-anti-virus-programs-used-to-hijack-and-block-computers-according-to-pandalabs-64207952.html">recently discovered an attack</a> that not only bombards you with obnoxious sales pitches for worthless antivirus protection - it also prevents you from opening any of your applications until you make a  purchase. &#8220;It&#8217;s a major leap,&#8221; says Correll. &#8220;We have not seen this before.&#8221;</p>
<p>Meanwhile, Symantec researchers have now confirmed that another gang of scareware scammers aren&#8217;t content to just sell worthless programs - they are also pulling all PCs they touch into the &#8220;cosma&#8221; botnet.</p>
<p>To date, it was thought that scareware purveyors focused mainly on causing alarming - and bogus - virus scans to run on your PC, and then cornering you into paying $30 to $100 for a fake clean up.</p>
<p>But in <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport">this report issued today</a>, 20Oct2009, Symantec reveals how the gang selling Antivirus XP 2008 is also taking over long-term control of any PC they infect. This is being carried out manually by a controller who needs no special tech skills, Marc Fossi, manager of research and development at Symantec Security Response, told LastWatchdog.</p>
<p>Symantec obtained a copy of a drag-and-drop tool these crooks have at their disposal. The tool requires just a couple of clicks on a menu page to insert the infected PCs into the cosma botnet, as shown here:</p>
<p><img class="alignleft size-full wp-image-3239" title="bakasoftware_admin_botnet1" src="http://lastwatchdog.com/wp/wp-content/uploads/bakasoftware_admin_botnet1.jpg" alt="bakasoftware_admin_botnet1" width="450" height="561" />So even if the victim does not make a purchase, his or her machine gets botted and can now be used to spread spam, steal account logins and carry out other criminal activities, including spreading more scareware promos.</p>
<p><strong>Scareware integrates botnet creation</strong></p>
<p><img class="alignleft size-full wp-image-3264" title="marc_fossii_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/marc_fossii_90px.jpg" alt="marc_fossii_90px" width="90" height="143" />The discovery that one group of bad guys has now integrated a slick bot-creation tool into their scareware campaign is a troubling development. &#8220;If they&#8217;re doing it, it&#8217;s likely others are too,&#8221; says Fossi. &#8220;It wouldn&#8217;t be any more difficult for other guys to do exactly the same thing.&#8221;</p>
<p>Other findings in Symantec&#8217;s report reinforce proof points in LastWatchdog&#8217;s 10June2009 <a href="http://">investigative cover story </a>published in USA TODAY.</p>
<ul>
<li>From July 2008 to June 2009, Symantec received reports of 43 million attempts to install some 250 different strains of scareware, typically selling for $30 to $100.</li>
<li>The top five scareware promos were for SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, SpywareSecure, and XP AntiVirus.</li>
<li>Middlemen, called affiliates, earn from 1 cent to 55 cents for each PC they infect with scareware promotions, and a hefty cut of any actual purchases. Top affiliates are earning upwards of $300,000 per month.</li>
<li>At least one top-level distributor - there are an estimated dozen or so organizations who supply the malicious code and handle the financial transactions - is earning an estimated $1.2 million a year.</li>
</ul>
<p>&#8220;It&#8217;s clear cybercriminals are willing, eager and well-equipped to prey on Internet users,&#8221; says Fossi.</p>
<p><strong>Scareware meets ransomware</strong></p>
<p>Panda&#8217;s finding that another enterprising scareware affiliate &#8212; selling Total Security 2009 &#8212; has added a blackmail component to his sales pitches is equally troubling.</p>
<p>So-called ransomware has been seen before. Six months ago, promos were being circulated for something called <a href="http://webtoolsandtips.com/remove-spyware/how-to-remove-filefix-professional-2009-uninstall-file-fix-pro-free/">&#8220;FileFix Pro.&#8221;</a> This particular scam involved encrypting files stored in the My Documents folder of the victim&#8217;s PC. Pitches would then follow to buy FileFix Pro to decrypt the files.</p>
<p>But the ongoing <a href="http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx">Total Security 2009 scareware campaign</a> is much worse. It looks similar to the fear-based promos that trigger fake scans showing your PC to be riddled with viruses. But it goes a step further by locking out access to all other applications. When you click on any other application, the text balloon (shown below) appears above the clock in the lower left corner of your desktop.</p>
<p><img class="alignleft size-full wp-image-3244" title="totalsecurity_warning_balloon" src="http://lastwatchdog.com/wp/wp-content/uploads/totalsecurity_warning_balloon.bmp" alt="totalsecurity_warning_balloon" /> You then get steered back to pitches to buy Total Security 2009. Your machine is now unusable. You won&#8217;t be able to open Microsoft Office, your favorite online game, or even your antivirus clean up tools. The only thing you can open  is Internet Explorer - so you can navigate to the Total Virus 2009 shopping cart page.</p>
<p>There you can use Visa or MasterCard to pay $79.95 for a standard version. You may also opt to spend another $19.95 to purchase &#8220;premium&#8221; tech support services.</p>
<p>Once the payment clears, you receive a serial number to activate Total Security. You can then open your other applications.</p>
<p>Correll surmises that scareware purveyors are becoming more aggressive because the lucrative scam - in which sales affiliates routinely earn six-figure monthly incomes, as Symantec has documented - may be getting saturated with practitioners.</p>
<p>&#8220;They may not be making enough money, or maybe they want to make more money,&#8221; says Correll.</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/</feedburner:origLink></item>
		<item>
		<title>Scareware recovery: How to manually restore your malware infested PC</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/EPT-cqJH5dk/</link>
		<comments>http://lastwatchdog.com/scareware-recovery-manually-restore-malware-infested/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 23:48:55 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3172</guid>
		<description><![CDATA[
This sound familiar?  You cannot stop scans that pop up on your screen and warn you that your PC is infested with viruses. This is followed by insistent pitches to pay $30 to $100 for a cleanup service and ongoing  protection.
So sorry. Your PC is infested with scareware. See this report about how scareware [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3176" title="scareware_sysdefscan_crop275" src="http://lastwatchdog.com/wp/wp-content/uploads/scareware_sysdefscan_crop275.jpg" alt="scareware_sysdefscan_crop275" width="275" height="207" /></p>
<p>This sound familiar?  You cannot stop scans that pop up on your screen and warn you that your PC is infested with viruses. This is followed by insistent pitches to pay $30 to $100 for a cleanup service and ongoing  protection.</p>
<p>So sorry. Your PC is infested with scareware. See <a href="http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/">this report</a> about how scareware purveyors are resorting to blackmail to get you to pay for worthless antivirus protection &#8212; and botting your  PC along the way.</p>
<p>What can you do? Sunbelt Software is providing a nifty free tool you can use to restore your PC to working order.</p>
<p><img class="alignleft size-thumbnail wp-image-3179" title="vipre_pc_rescue200px" src="http://lastwatchdog.com/wp/wp-content/uploads/vipre_pc_rescue200px-150x150.jpg" alt="vipre_pc_rescue200px" width="150" height="150" />Go to <a href="http://www.sunbeltsecurity.com/DownLoads.aspx">this link. </a>Print out the step-by-step instructions  for Sunbelt&#8217;s <a href="http://www.sunbeltsecurity.com/DownLoads.aspx">VIPRE PC Rescue Program.</a> Keep these instructions handy. If your computer becomes so infected that it won&#8217;t run, power down, then boot back up in safe mode. Then follow the instructions.</p>
<p>&#8220;It may not completely clean up the PC, but it should give you access to your PC so you can start using other tools,&#8221; says Eric Howes, Sunbelt&#8217;s Director of Research Services.</p>
<p>Most scareware infections now routinely lock out access to antivirus defenses and cleanup tools. Once you get back up and running with VIPRE Rescue, you should be able to run clean-up tools that come with your paid antivirus suite, or free ones, like <a href="http://www.safer-networking.org/index2.html">Spybot Search &amp; Destroy</a> and <a href="http://www.malwarebytes.org">Malwarebytes.</a> It&#8217;s a good idea, once you&#8217;re back up and running, to use both, as one may catch something the other doesn&#8217;t.</p>
<p>VIPRE Rescue is the type of tool a Geek Squad technician might use; previously it was out of the reach of the average consumer. But Sunbelt is making it available pro bono to one and all.</p>
<p>&#8220;The scareware scams out there are so devious and malicious, and the effects on PCs are so drastic that we felt that consumers really needed this kind of powerful program to deal with these nasty infections, which can take the entire PC hostage,&#8221; says Howes. &#8220;You really need to do an end-around the malware.&#8221;</p>
<p>And from now on, if you see an offer for a fake scan like the one above, or any pop-up that might be scareware, do not click on anything &#8212; not even<em> &#8220;cancel.&#8221; </em> This will only take you deeper. Instead, hit <em>ctrl-alt-delete</em> to open your task manager. Check the applications tab and seek out the scanning program. Click<em> &#8220;end task&#8221;</em> to force quit the program. If you have any doubts, force quit all of your applications and shut down.</p>
<p>I recently had to do this when I too-quickly clicked a link on a Google search result without checking it closely, triggering a scareware scan. Force quitting worked.</p>
<p>Be careful out there.</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/scareware-recovery-manually-restore-malware-infested/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/scareware-recovery-manually-restore-malware-infested/</feedburner:origLink></item>
		<item>
		<title>How federal tax incentives could help stem rampant data breaches</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/XsQFle82e2E/</link>
		<comments>http://lastwatchdog.com/federal-tax-incentives-stem-rampant-data-breaches/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 15:31:34 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[For technologists]]></category>

		<category><![CDATA[Obama watch]]></category>

		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3157</guid>
		<description><![CDATA[One idea for motivating organizations to do a better job stemming rampant data breaches: give them tax incentives to do so. Patricia Titus, the former CISO at the Transportation Security Administration within the Department of Homeland Security, and current CISO at Unisys Federal Systems, makes the case in this exclusive LastWatchdog guest blog post. Comments [...]]]></description>
			<content:encoded><![CDATA[<p><em>One idea for motivating organizations to do a better job stemming <a href="http://lastwatchdog.com/cyberthieves-find-workplace-networks-easy-pickings/">rampant data breaches: </a>give them tax incentives to do so. Patricia Titus, the former CISO at the Transportation Security Administration within the Department of Homeland Security, and current CISO at </em><em>Unisys Federal Systems, makes the case in this exclusive LastWatchdog guest blog post. Comments are encouraged.<br />
</em></p>
<p>By Patricia Titus</p>
<p>CISO, Unisys Federal Systems</p>
<p><img class="alignleft size-full wp-image-3160" title="patricia_titus12" src="http://lastwatchdog.com/wp/wp-content/uploads/patricia_titus12.jpg" alt="patricia_titus12" width="133" height="118" />How do we as a nation address the abysmal approach to IT security? Lawmakers have been wrestling with the idea of more regulations, but that may not be enough to encourage better security practices. We already have several regulations that have not gotten us closer to the end zone. I&#8217;m in favor of tax incentives for companies that demonstrate effective IT security practices, but this cannot be done without the development of a well-thought-out approach. Critical success factors must be developed in the form of a concise set of performance measures based on standards.</p>
<p>The Department of Commerce has already charged the National Institute of Standards and Technology (NIST) Computer Security Division to develop a set of special publications and guidelines called <a href="http://csrc.nist.gov/groups/SMA/fisma/index.html">Federal Information Security Management Act (FISMA).</a> These well-thought-out guidelines, such as the Special Publication 800-53, provide federal government chief information security officers with a standardized approach to effective IT security. Why can&#8217;t this same division be charged with creating the same standards for the private sector?</p>
<p>The language in these guidance documents is so slanted toward the federal government that it&#8217;s difficult to get corporate executives to see their value. Also, CEOs are cost cutting right now, and implementing a program that may increase operating or capital expenses may not be appealing. However, if the adoption of these security standards were tied to a tax incentive, perhaps the CEO would be willing to spend a few dollars to gain this compensation.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/federal-tax-incentives-stem-rampant-data-breaches/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/federal-tax-incentives-stem-rampant-data-breaches/</feedburner:origLink></item>
		<item>
		<title>Cyberthieves find workplace networks are easy pickings</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/KN7UGUkO_iY/</link>
		<comments>http://lastwatchdog.com/cyberthieves-find-workplace-networks-easy-pickings/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 23:13:25 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
		
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3123</guid>
		<description><![CDATA[(Published USA TODAY,  Oct. 9, 2009 P.1B)
By Byron Acohido, USA TODAY
It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain - and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems.
Court records [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3125" title="091009_porousnets_cover_300px" src="http://lastwatchdog.com/wp/wp-content/uploads/091009_porousnets_cover_300px.jpg" alt="091009_porousnets_cover_300px" width="300" height="436" />(Published USA TODAY,  Oct. 9, 2009 P.1B)</p>
<p>By Byron Acohido, USA TODAY</p>
<p>It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain - and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems.</p>
<p>Court records reveal that those <a href="http://lastwatchdog.com/cyber-thieves-escape-detection-suck-data-tjx-heartland/">record-setting break-ins </a>were almost too easy. Even more surprising: The thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year.</p>
<p>What happened to TJX and Heartland <a href="http://lastwatchdog.com/hackers-make-money-stealing-corporate-info/">was not unusual.</a> And details unveiled in the prosecution of gang members involved in both thefts have shed fresh light on a business truism demanding more scrutiny: Workplace networks have turned out to be much more porous and difficult to defend than anyone ever anticipated.</p>
<p>Overly complex IT systems are producing endless opportunities for cyberthieves, who need only to master simple hacking techniques to get their hands on sensitive data. The result: Data breaches continue to plague companies, hospitals, universities and government agencies - any entity that collects data and conducts business on a digital network.</p>
<p>The vast majority of organizations routinely fail to take simple defensive measures, such as shoring up common website weaknesses or uniformly enforcing the use of strong passwords.</p>
<p><img class="alignleft size-full wp-image-3131" title="barmak-meftah_crop1" src="http://lastwatchdog.com/wp/wp-content/uploads/barmak-meftah_crop1.jpg" alt="barmak-meftah_crop1" width="90" height="133" />&#8220;Networks have become a hodgepodge of components stitched together, creating security holes that can easily be taken advantage of,&#8221; says Barmak Meftah, senior vice president at applications security firm Fortify Software.</p>
<p>Though companies are loath to publicly disclose data losses, about 656 data breach cases made headlines in 2008, up from 446 in 2007, according to the non-profit Identity Theft Resource Center. Through nine months this year, ITRC has archived new stories chronicling 391 data thefts.</p>
<p>With IT staffs stretched thin - and concentrating on adding digital services - data heists are going unreported, or unnoticed, security analysts say. &#8220;The problem for any organization is, &#8216;How do I make sure all the doors and windows are closed, and how do I keep them closed, without stalling my business model?&#8217; &#8221; says Steve Dauber, marketing vice president at security assessment firm RedSeal.</p>
<p>Data thieves, in turn, are having a field day using well-understood hacking techniques to carry out increasingly refined cyberthefts. &#8220;They know where the money is,&#8221; says Ivan Arce, CTO of security assessment firm Core Security Technologies. &#8220;And they&#8217;re getting to where the money is faster and with less noise.&#8221;</p>
<p><strong>Simple hacks</strong></p>
<p>Federal charges filed against Albert Gonzalez accusing the 28-year-old Miamian of playing key roles in the TJX and Heartland capers illustrate just how easy data thieves have it.</p>
<p>Gonzalez pleaded guilty in August to fraud and conspiracy charges for his part in cracking into TJX, parent of T.J. Maxx and Marshalls discount clothing stores, and seven other national retailers from 2005 through 2006. He faces similar charges for his role in data thefts from Heartland and four big retailers from late 2007 through 2008.</p>
<p><img class="alignleft size-full wp-image-3141" title="albert-gonzalez_crop90px" src="http://lastwatchdog.com/wp/wp-content/uploads/albert-gonzalez_crop90px.jpg" alt="albert-gonzalez_crop90px" width="90" height="116" />In the attacks against the retailers, court records show, Gonzalez and several cohorts used a technique called war driving. Despite its name, war driving is considered an innocuous pastime of hobbyists who cruise neighborhoods with a laptop and inexpensive antennas to map out Wi-Fi signals - wireless Internet connections - being broadcast from homes and businesses.</p>
<p>However, retailers have come to depend on password-protected Wi-Fi systems to transmit data from cash registers and price-checking scanners to a central computer server, because Wi-Fi eliminates the hassles and expense of laying cables. By war driving, thieves can readily pinpoint retailers&#8217; Wi-Fi systems. Tapping in is &#8220;exceedingly simple,&#8221; says Andy Bokor, COO of security assessment firm Trustwave. Crooks can use free password-breaking programs widely available on the Internet.</p>
<p>Court records show the Wi-Fi system of a Marshalls store in Miami was initially compromised in July 2005. In September 2005, the intruders began downloading data from TJX headquarters in Framingham, Mass. By May 2006, they were able to establish a virtual private network connection to TJX&#8217;s servers, enabling them to install custom-built &#8220;sniffer&#8221; programs.</p>
<p>Sniffers are also widely available for free. Generic ones log all of the traffic moving across a network. To keep from getting swamped with data, the thieves installed sniffers specifically designed to recognize and capture data from the magnetic stripes on the backs of credit and debit cards.</p>
<p>&#8220;The interception of data is not technically difficult,&#8221; says Matt Marshall, vice president of engineering at security assessment firm Redspin. &#8220;You just have to be at the right place at the right time.&#8221;</p>
<p>Data thieves today are hustling to position sniffers inside retailers, financial firms and health care companies, in particular. &#8220;Anyone who keeps sensitive information on their networks is actively being targeted,&#8221; says Marshall.</p>
<p><strong>Going undetected</strong></p>
<p><img class="alignleft size-full wp-image-3149" title="heartlandpaymentxlarge2" src="http://lastwatchdog.com/wp/wp-content/uploads/heartlandpaymentxlarge2.jpg" alt="heartlandpaymentxlarge2" width="275" height="183" />Penetrating Heartland&#8217;s network presented a fresh challenge. Heartland has no Wi-Fi-equipped storefronts, and its hard-wired, central network sits securely behind company walls in Princeton, N.J. However, like many corporations, Heartland has come to rely on a public website to interact with its clients: 250,000 restaurants and smaller retailers across the U.S.</p>
<p>Court records reveal that the thieves used a technique called SQL injection to break in and subsequently embed sniffer programs similar to those used in the TJX attack. In an SQL injection attack, the intruder simply types random characters into a Web page input box, such as those on a log-in page. A determined hacker can often break the connection between the Web page and the underlying database, gaining a foothold to go deeper.</p>
<p><img class="alignleft size-full wp-image-3153" title="alex_horan_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/alex_horan_90px.jpg" alt="alex_horan_90px" width="90" height="124" />&#8220;The attackers did not create any new techniques,&#8221; says Alex Horan, director of product management at Core Security. &#8220;They simply combined existing techniques in a new way.&#8221;</p>
<p>Companies, understandably, rarely discuss data breaches. However, proof that data thieves are targeting hundreds of organizations using similar approaches to breach networks comes from Verizon Business, a division of Verizon Communications that sells consulting services to other corporations. Since 2004, Verizon has dispatched forensic specialists to conduct CSI-like probes of nearly 600 cases of corporate data theft.</p>
<p>In the vast majority of those cases, investigators discovered thieves routinely took days after initially penetrating a network to locate and break into valuable databases. And most often, the intruders spent weeks to years extracting data before being discovered.</p>
<p>&#8220;It&#8217;s one of the more shocking statistics we&#8217;ve run across,&#8221; says Verizon principal researcher Wade Baker. &#8220;The length of time it takes an organization to discover that data is leaving is often five to six months&#8221; after the initial breach.</p>
<p>That pattern suggests &#8220;many organizations right now have breaches they don&#8217;t know about and won&#8217;t discover for some time to come,&#8221; says Baker.</p>
<p><strong>Deeper attacks</strong></p>
<p>Meanwhile, data thieves are increasingly seeking out other valuable forms of business data, besides credit card records. The attack on PayChoice, a leading supplier of online payroll services, is a recent case in point.</p>
<p>Attackers used an SQL injection hack to compromise PayChoice&#8217;s public Web page but showed little interest in flushing out any credit card account data. Instead, they took e-mail addresses of workers who get paid via PayChoice&#8217;s Web portal - and the names of their respective companies.</p>
<p>This put the attackers in position to send e-mails purporting to come from PayChoice addressed to individual people.</p>
<p><img class="alignleft size-full wp-image-3139" title="matt_moynahan_crop90px" src="http://lastwatchdog.com/wp/wp-content/uploads/matt_moynahan_crop90px.jpg" alt="matt_moynahan_crop90px" width="90" height="125" />&#8220;This was a two-stage attack with the first stage being a minor attack to get relatively benign information that could be used in a more sophisticated second stage,&#8221; says Matt Moynahan, CEO of applications security firm Veracode.</p>
<p>Upon discovering the breach on Sept. 23, PayChoice shut down its website temporarily to &#8220;institute fresh security measures&#8221; before starting up again, says PayChoice CEO Robert Digby.</p>
<p>By then bogus e-mails had arrived at an undisclosed number of companies, including security monitoring firm Damballa, a onetime PayChoice client. Damballa was no longer a PayChoice customer when the hack occurred. Even so, several Damballa employees received e-mails asking them to click on a Web link to download a plug-in needed to continue accessing onlinemployer.com, PayChoice&#8217;s online portal.</p>
<p>Clicking on the link actually downloaded a version of the ZeuS banking Trojan, a malicious program widely used to break into online bank accounts. In recent months, a rash of malicious banking Trojans have taken aim at the online banking accounts of small businesses.</p>
<p>Tripp Cox, Damballa&#8217;s vice president of engineering, says he would not be surprised if the attackers&#8217; ultimate goal was to access Damballa&#8217;s business accounts in order to execute wire transfers to money mules, accomplices recruited via work-at-home ads to set up bank accounts to receive stolen funds.</p>
<p><img class="alignleft size-full wp-image-3151" title="tripp_cox_crop90px" src="http://lastwatchdog.com/wp/wp-content/uploads/tripp_cox_crop90px.jpg" alt="tripp_cox_crop90px" width="90" height="128" />&#8220;The end game of this scam is unclear, but the selection of the ZeuS Trojan indicates that the criminals were hoping to get banking account log-in credentials from all of their victims,&#8221; says Cox. &#8220;One can imagine that they would next check balances of the pilfered accounts and go for the deep pockets.&#8221;</p>
<p>In a similar, ongoing attack, a Chinese hacking group continues to send corrupted e-mails addressed to specific employees at targeted companies, says Joe Stewart, senior researcher at security firm SecureWorks, who has examined intercepted samples.</p>
<p>The messages appear to come from known sources referencing a subject the recipient is likely to be working on, Stewart says. Each message attempts to entice the recipient into clicking on a Web link, or to open an attached Microsoft Office file. Doing so implants a backdoor connection, giving the attacker full control.</p>
<p>However, unlike malicious programs of this type that automatically enlist an infected PC into massive spamming networks, this infection turns control over to an attacker who has gone through a lot of trouble to get a perch inside a specific company. &#8220;My guess is that they&#8217;re seeking to gain a foothold on the network,&#8221; says Stewart.</p>
<p>Such attacks illustrate how opportunistic cybercriminals continue to be in taking advantage of porous networks, says Redspin&#8217;s Marshall. &#8220;The hackers adapt to the current landscape and really leverage it to their advantage,&#8221; he says.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/cyberthieves-find-workplace-networks-easy-pickings/feed/</wfw:commentRss>
		<feedburner:origLink>http://lastwatchdog.com/cyberthieves-find-workplace-networks-easy-pickings/</feedburner:origLink></item>
	</channel>
</rss>
