Cyber criminals pushing the same scam that corrupted advertising on the New York Times website last week are using Twitter to lure new victims.
Internet security firm F-Secure labs blogged over the weekend that hackers were using dummy Twitter accounts to spread links to malware-infected websites. If the links are clicked, the websites then use intrusive pop-ups and bogus warnings that a user's computer is infested with malicious programs in an attempt to convince them to purchase fake anti-virus software.
Twitter uses CAPTCHA technology - distorted groups of letters and numbers that humans can recognize but text-recognition programs cannot - to foil automated attempts at account creation, but the scam artists have apparently figured out a way to work around this, either by enlisting the help of large groups of assistants or by exploiting some weakness in the CAPTCHA technology itself.
This campaign and the New York Times malvertising incident illustrate the changing face of the malware threat. F-Secure security advisor Sean Sullivan told eWeek that "The rogue pages are not very 'malicious' as far as attacking the computer's OS. These are using social engineering tactics and mimicking Windows."
Monthly Archives: September 2009
Virus protection might not be so protective after all
A white paper released last month by internet security firm Cyveillance states that top anti-virus programs detect as little as 16 percent of online malware in real time.
The study tested the effectiveness of the 13 most popular anti-virus programs by feeding confirmed malware to them in real time and observing how much of the malicious code was caught by each program. Even the top-ranked contender detected less than half of the malware.
Experts say that the report underlines the fact that online criminals are, at present, comfortably outpacing computer security technology. Web-based malware is a particular growth sector among cyber criminals, and can be some of the most difficult for traditional anti-virus programs to detect.
The proliferation of social networks has also offered a juicy target for online crime, say the experts, with highly targeted "spear phishing" attacks growing more and more common. Social engineering, or simply tricking users into divulging sensitive log-on information, is more difficult to defend against than purely digital threats, and is growing more prevalent as social networks expand.
Two-factor security can’t keep all hackers at bay
Advanced online security measures adopted by banks, including passwords that change every minute, are just one more hurdle for professional hackers to overcome, warn security experts.
One-time passwords and other cutting-edge techniques can keep out low-level cyber criminals, but no system is safe from particularly clever or determined hackers. Sam Curry, vice president of security firm RSA, told tech blog Zikkir that "Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security. Everything is breakable."
All is not lost to the hackers, however. Experts like Curry suggest a number of additional steps that can be taken to throw additional roadblocks into the path of would-be cyber criminals. Bank transactions, for example, could be conducted only using a computer running Linux, or one that was specially secured against the interception of online communication.
Alternatively, financial firms can take the initiative back from hackers by returning to low-tech methods of doing business. One company that was the victim of a financial Trojan attack told Zikkir that they have "gone back to writing manual checks."
Hackers hijack PBS.org
Malicious JavaScript was found on PBS.org after hackers replaced code in the Curious George section of the website.
The hack redirected users who clicked on an image of the curious little monkey to an error page. The error page contained an iframe linked to a third-party .info domain, which hosted a wide array of malware, including exploits targeting Acrobat Reader, AOL SuperBuddy, AOL Radio AmpX and Apple QuickTime.
The web security blog Purewire said that information found on several associated web domains indicates that a criminal was using this exploit and others to build a botnet that he or she is planning to lease. PBS said that the malicious code was removed from the website late Friday. The number of users whose computers were infected is not known.
It is unknown how the hackers gained access to PBS.org in order to plant the malware-spreading JavaScript, but the incident does serve to further highlight the recent trend of criminals using legitimate websites to spread malicious programs and data. Security experts say that caution is necessary during the current wave of malware-related incidents.
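A site owner can check for the kind of injection described above by listing every iframe, script or plugin element on a page whose source is not one of the site's own hosts. The following is an added example, not code from PBS, Purewire or the original article; the host names, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements that make the browser load or run remote content, and the
# attribute that carries the URL.
ACTIVE_TAGS = {"iframe": "src", "frame": "src", "script": "src",
               "embed": "src", "object": "data"}


class ActiveContentCollector(HTMLParser):
    """Record (line, tag, raw_url) for each element that pulls in content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.found.append((self.getpos()[0], tag, url.strip()))


def host_allowed(host, allowed_hosts):
    """True if host equals an allowed host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_page(html, page_url, allowed_hosts):
    """Return (line, tag, host, url) for content loaded from outside the site.

    Relative and protocol-relative URLs are resolved against page_url first.
    Anything that is not http(s) to an allowed host is reported for review,
    which includes non-web schemes (host is then an empty string).
    """
    collector = ActiveContentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, tag, raw in collector.found:
        absolute = urljoin(page_url, raw)
        parsed = urlparse(absolute)
        host = parsed.hostname or ""
        on_site = parsed.scheme in ("http", "https") and host_allowed(host, allowed_hosts)
        if not on_site:
            findings.append((line, tag, host, absolute))
    return findings


# Constructed sample: an error page with two first-party scripts, one hidden
# iframe on an unrelated host, and one iframe on a lookalike host.
SAMPLE_PAGE = """<html><body>
<h1>Page not found</h1>
<script src="/js/site.js"></script>
<script src="https://static.example.org/lib.js"></script>
<iframe src="http://widgets.thirdparty.example/in.php" width="1" height="1"></iframe>
<iframe src="//example.org.lookalike.test/x"></iframe>
</body></html>"""

if __name__ == "__main__":
    page = "https://www.example.org/kids/error.html"
    for line, tag, host, url in audit_page(SAMPLE_PAGE, page, {"example.org"}):
        print(f"line {line}: <{tag}> loads from {host or '(no host)'}: {url}")
```

Run against a saved copy of each page on a schedule, a new entry in the output is a cue to compare the page with its last known-good version.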
Microsoft wants web developers to support IE 8
Filed under Security News
Tagged as comply, developers, IE 8, Internet Explorer, Microsoft, standards
Microsoft's web development team is reaching out to web developers to help websites support Internet Explorer versions 6, 7 and 8.
IE 8, the latest version of the Windows web browser, is compliant with web standards, according to Microsoft's Steve Guttman of the Expression Web team. Expression Web created a free web tool, SuperPreview, for developers.
"Internet Explorer 8 is an important release because it reconfirms Microsoft's commitment to interoperability and renewed emphasis on Web Standards," Guttman said on the IE blog.
Guttman said his team is in the process of doing significant tooling to support existing and emerging specifications.
Expression Web "helps developers and site owners in migrating their sites from earlier versions of Internet Explorer to the standards-compliant Internet Explorer 8," Guttman said.
The full version of SuperPreview also supports Firefox and ships with Expression Web 3.
Web developers are locked in a battle over different versions of web browsers and website development standards. The next version of the core language of the web is HTML5.
The current browser war pits IE against open source browsers like Firefox and Chrome. Microsoft's IE 8 recently beat the others in a company-sponsored lab test of web browser performance against websites containing malware.
Google flashes fastest Chrome web browser
Google announced a new stable version of its Google Chrome web browser, boasting a 150 percent increase in JavaScript performance, a redesigned new tab page, themes capability and HTML5 features.
Compared to the other major web browsers - Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera - Chrome is creeping up in market share at almost 3 percent, according to PC World.
New Tab allows users to see screenshots of the other websites visited in the browsing session. Mouse and keyboard shortcuts and drop-down menus allow users to open new tabs from links and reopen closed tabs. The address bar can be used as a search bar for easier, faster web search.
The newest version of Internet Explorer, IE 8, has more options and add-ons, including added web filtering that allows users to scan websites for malware threats.
Firefox 3.5.3 automatically detects out-of-date versions of Adobe Flash, which are exposed to active security vulnerabilities and remain unpatched on many PCs.
Google released Chrome one year ago and the newest beta version features additional browser extensions - but users should only download extensions from trusted sources, Google said on the Chromium blog.
Microsoft ending security support for Windows Server 2000
Filed under Security News
Tagged as 2000, ending, Microsoft, security, support, w2k, Windows Server 2000
Microsoft announced that it is ending extended support for Windows 2000 Server on July 13, 2010, and that it is downgrading Windows Server 2003 and Windows Server 2003 R2 from mainstream support to extended support.
Crissy House, Windows Server Operations Manager, said in a blog post that those with Windows 2000 Server will only have access to "self-help online support," meaning online Knowledge Base articles, FAQs and troubleshooting tools.
For Windows Server 2003 and Windows Server 2003 R2, extended support will include security updates and paid support.
"Customers will continue to have access to all security updates and Self-Help Online Support options (Example: Knowledge Base articles, online product information etc.)," House's blog post said.
Microsoft will not have a SP3 release for Windows Server 2003, she said.
Microsoft last month disclosed that it is ending support for Windows XP SP2 in July 2010. Microsoft will end support for Windows XP in April 2014, according to PCMag.com.
Self-Help Online Support is available throughout a product's lifecycle and for a minimum of 12 months after the product reaches the end of its support.
Unpatched PCs running XP are vulnerable to exploits from malware including Trojans, worms and spyware.
Data security compliance costs plague firms
Costs of compliance and number of vendors with access to sensitive information are cited by a majority of businesses as stumbling blocks to preparations for new data security regulations taking effect in Massachusetts next March.
According to a survey conducted by Goodwin Procter and the International Association of Privacy Professionals (IAPP), companies face major challenges in complying with the state's data security rules, which impose significant requirements on entities possessing personal information of state residents, including entities based outside Massachusetts.
The survey revealed that 60 percent of information privacy professionals say their organizations have more than 10 vendors with access to personal information and 30 percent say they have over 100 vendors with access to personal information - which complicates the compliance process.
Complying with the new regulations is also costing 33 percent of respondents more than $50,000. Another 12 percent of those surveyed say their organizations have spent between $10,000 and $50,000 and 44 percent have spent more than 100 hours in compliance activities.
Although the cost of compliance is significant, other research indicates that data breaches are far more costly to contain. In 2007, the average cost of a data breach was $6.3 million, according to a Ponemon Institute study released earlier this year.
Online “swine flu” infects cyberspace
As they frequently do, purveyors of malware are using big news as a means to distribute their harmful programs. This time, it's the global swine flu crisis that opened the door.
Computer criminals have circulated an email message detailing an alleged conspiracy on the part of the pharmaceutical industry to infect the world with swine flu in order to profit from the outbreak. When opened, the message infects the user's computer with a virus capable of stealing personal and financial information.
While computer viruses spread in lockstep with physical ones, there are other, less sophisticated dangers in cyberspace associated with swine flu. Phishing scams promise critical information about the treatment and spread of the virus in exchange for personal information. Swindlers hawk bogus cures like "colloidal silver" as protection against swine flu.
Additionally, scammers skilled in search engine optimization (SEO) can catapult malware-installing websites to the top of search engine results for "swine flu" and other popular search terms. "Literally every current relevant news topic is actively targeted each day, including highly publicized speeches given by President Obama [last] week," wrote security expert Sean-Paul Correll at his blog on pandasecurity.com.
SANS report: Web application flaws a greater threat than OS flaws
Filed under Security News
Tagged as application, flaws, greater, risk, SANS, threat, Vulnerabilities, web
Hackers are exploiting security vulnerabilities in client-side web applications such as Adobe Flash at a greater rate than un-patched vulnerabilities in operating systems like Windows, according to a new report from the SANS Institute.
Based on an analysis of data from more than 6,000 organizations and 9 million systems, SANS said its research shows that the top security threats to organizations and individuals are based on the web.
And because organizations often take longer to patch client-side vulnerabilities in applications than to fix security holes in OSs, they are leaving themselves open to a greater number of cyberattacks targeting these flaws, SANS reported.
Client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office are currently the primary targets of attacks on computers connected to the internet.
These vulnerabilities are actively exploited by phishing emails containing malicious links and attachments, while attackers target these same vulnerabilities when users visit infected websites.
"Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most website owners fail to scan effectively for the common flaws and become unwitting tools used by criminals," SANS said in the report.
Apart from the Conficker worm, no major new attacks targeting OS flaws were seen in the reporting period from June through August of this year.