Computer & Internet Security News

[VelMurugan]

US cybersecurity proposals upset lobby group

Recent cybersecurity legislation introduced in the US Congress seems to be creating a split in the tech community.

Some security vendors say new regulations may be necessary, while a major tech association said it has major concerns about the legislation, called the Cybersecurity Act.

The legislation, introduced April 1, would require US President Barack Obama to develop a national cybersecurity strategy, create cybersecurity standards that some private companies would have to follow, and allow the president to shut off Internet traffic to compromised federal and privately held networks that are part of the US critical infrastructure.

Those provisions of the bill raise major concerns with TechAmerica, a giant trade group that represents a wide range of technology companies, Phil Bond, president of the organisation, said Monday. There are parts of the bill TechAmerica supports, but giving federal officials the power to shut down private networks may be going too far, he said.

Granting such authority "requires a whole lot of discussion," Bond said. "It gives us great pause to think a federal official would be able to shut down a private network."

The bill, introduced by Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, also gives new cybersecurity authority to the US Department of Commerce, when some of that authority already exists elsewhere, said Liesyl Franz, vice president of information security program and global public policy at TechAmerica.

The bill would give the agency power to license and certify cybersecurity professionals, and TechAmerica has questions about how that would operate, she said.

The bill's authors have indicated the legislation is a starting point for discussion, and TechAmerica will engage in that discussion, Bond said. Instead of new cybersecurity mandates, the government and other groups need to do more education about why private companies should invest in cybersecurity, TechAmerica officials said.

Some small companies still may not understand the need for cybersecurity measures or have the money to buy tools, Franz said. TechAmerica called for the US government to initiate a nationwide dialogue about cybersecurity, and the bill does include money for federal cybersecurity research and development and for regional cybersecurity centers.

The trade group could support some new regulation on a "case-by-case basis," Bond added.

But just hours after the TechAmerica briefing, CEOs of two major cybersecurity vendors said some new regulation may be necessary. John Jack, president and CEO of Fortify Software, and Philippe Courtot, chairman and CEO of Qualys, both suggested the US government could come up with broad standards that private industry should follow.

The government should not mandate specific technologies but it could act as a "catalyst to show the way," said Jack, speaking at the Fortify Leadership Summit in Washington, D.C.

The US government could also "elevate the bar" for IT vendors by enforcing security standards, but creating effective legislation would be difficult, Courtot added.

"The problem is that the technology is moving so fast," he said. "It's easy to say, it's harder to do."

Also speaking at the summit, former US Secretary of State Colin Powell urged cybersecurity vendors to secure data but not lock it down so tightly that it is useless. The US, in the wake of the 11 September terrorist attacks, locked down airplane travel and foreign visas so tightly that many foreign students were discouraged from coming to US universities, he said.

With IT security, organisations still need to use data. Cybersecurity needs to serve organisations' operational needs, he said.

"We need to do security in a reasonable way," Powell said.

Source : techworld

[VelMurugan]

Botnets plague US Internet Explorer users

Research from security vendor Finjan suggests that enterprise IT shops are losing the war against those who would hijack company PCs for botnets. Almost half the victims are in the US, and most use Internet Explorer (IE).

Finjan's Malicious Code Research Center (MCRC) uncovered a network of 1.9 million Trojan horses running on corporate, government and consumer computers around the world during an investigation of command-and-control servers run by botnet herders from the Ukraine and elsewhere.

One server, launched in February but later shut down, was hosted in the Ukraine and controlled by an online gang of six people who managed to establish a vast Trojan distribution network.

"Hackers keep looking for improved ways to distribute malware and Trojans are winning the race. The sophistication of the crimeware and the staggering amount of infected computers proves these people are raising the bar," Finjan CTO Yuval Ben-Itzhak said. "Corporate and governmental data remain prime targets, especially computers in the US and the UK which are under attack, and need to protect themselves."

Based on posts found on various hacking forums, researchers believe 1,000 hijacked computers are being rented out for $100-$200 (£70-£140) a day. The bad guys can make $190,000 a day for renting a botnet of 1.9 million infected computers.

The Trojan horse programs are silently dropped on computers when the user visits compromised websites that hide the malware. The giant command-and-control server researchers uncovered includes the IP addresses of infected machines as well as the computers' name inside corporate and government networks that are running the Trojan horse.

Computers in 77 government-owned domains (.gov) from the US, UK, Brazil, Turkey and India have been compromised and are running the Trojan horse. The malware is remotely controlled by hackers who use them to deliver almost any command on the end-user computer as they see fit, including reading emails, copying files, recording keystrokes, sending spam, and making screenshots.

Here's the global spread of infected computers in percentages, based on Finjan's findings:

* US: 45 percent
* UK: 6 percent
* Canada: 4 percent
* Germany: 4 percent
* France: 3 percent
* Other: 38 percent

The Trojan horse is infecting computers running Windows XP and using the following browsers to hunt its prey:

* Internet Explorer: 78 percent
* Firefox: 15 percent
* Opera: 3 percent
* Safari: 1 percent

Finjan's findings square with what other researchers are seeing.

Alex Lanstein, senior security researcher at FireEye, a security vendor based in the San Francisco Bay area, said some of the larger botnets out there get no press, because their overlords don't want to make news and let people know their machines are infected. Cimbot, for example, is a piece of malware that has been used to create a botnet that now accounts for about 15 percent of the world's spam, he said.

Among the problems security researchers have encountered when trying to track and shut down botnets is that the newer worms used to build botnets are using strong cryptography to protect the command-and-control centers, said Paul Kocher, president and chief scientist at Cryptography Research.

"It used to be you could track how a botnet was getting its commands and send out fake commands to take it out," he said. "It's getting a lot harder to do that."

The newer botnets are also building their own P2P networks to communicate and have gotten good at snuffing out a machine's security controls.

"We're also watching more sophisticated efforts among botnet-building worms to evade detection," Kocher said. "They're more polymorphic, changing from copy to copy. It makes it more difficult for an antivirus author to craft a signature to block it."

Gunter Ollmann, vice president of research at Atlanta-based security vendor Damballa, said enterprise IT shops would do well to ramp up efforts to detect the lesser known malware being used to such devastating effect these days. In the last 2 years, he said, IT shops have deployed a broad range of detection and prevention technologies. Each layer of defense has gotten better at fending off certain attacks.

"The more common the threat, the better the protection," he said. "But the bad guys are very much aware of how these defenses work, so they're using more sophisticated, targeted social engineering attacks. Looking at the malware used, a high percentage is IDS and AV proxy aware."

Ollmann and others offer the same advice: Since attackers are so successful at using social engineering tricks - luring users with fake headlines that play on current events and duping them into clicking on malicious links - one of the best defenses remains user education.

Show the average user what they're up against every time they go online and they are less likely to be duped into downloading the bot-building code, experts say.

[VelMurugan]

Researchers get hands on 70GB of personal data

University researchers gained control of a network of hacked PCs, harvesting 70GB of compromised data from the machines.

Researchers from the University of California exploited a botnet, known as Torpig or Sinowal, and monitored more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, according to the researchers' 13-page paper.

Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70G bytes of data were collected from hacked computers.

The researchers stored the data and are working with law enforcement agencies such as the FBI, ISPs and  the US Department of Defense to notify victims. ISPs also have shut down some webtes that were used to supply new commands to the hacked machines, they wrote.

Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers.

Torpig/Sinowal can infect a PC if a computer visits a malicious website that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack. If the computer is vulnerable, a low-level piece of malicious software called a rootkit is slipped deep into the system.

The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007.

Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted. Mebroot can also download other code to the computer.

Torpig/Sinowal is customised to grab data when a person visits certain online banking and other sites. It has been coded to respond to more than 300 websites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said.

If a person goes to a banking website, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN or a credit card number.

Websites using SSL (Secure Sockets Layer) encryption are not safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted, the researchers wrote.

Hackers typically sell passwords and banking information on underground forums to other criminals, who try to covert the data into cash. While it's difficult to precisely estimate the value of the information collected over the 10 days, it could be worth between US$83,000 to $8.3 million, the research paper said.

There are ways to disrupt botnets such as Torpig/Sinowal. The botnet code includes an algorithm that generates domain names that the malware calls on for new instructions.

Security engineers have often been able to figure out those algorithms to predict which domains the malware will call on, and preregister those domains to disrupt the botnet. It is an expensive process, however. The Conficker worm, for example, can generate up to 50,000 domain names a day.

Registrars, companies that sell domain name registrations, should take a greater role in cooperating with the security community, the researchers wrote. But registrars have their own issues.

"With few exceptions, they often lack the resources, incentives or culture to deal with security issues associated with their roles," the paper said.

[VelMurugan]

Spam levels plummet says McAfee

It may not seem like it but global spam volumes have dropped 20 percent for the first quarter this year according to McAfee's latest research on the topic.

The company attributed the dramatic reduction in spam to the November shutdown of the notorious McColo spam-generating site. In the McAfee Threat Report for the First Quarter 2009, the security firm said spam levels are still 30 percent below their peak seen in the third quarter of last year right before the shutdown of the rogue ISP McColo.

Spam as a total percentage of mail volume is now at 86 percent - hardly great news, but 90 percent had been the more common figure and current levels haven't been this low since 2006, according to McAfee. All mail, both good and bad combined, is believed to have averaged about 100 billion messages per day worldwide in March, a trend continuing into April, notes Dave Marcus, McAfee director of communications.

However, McAfee is not optimistic that spam volumes will continue to drop as they have done in the first quarter. "The question is not whether spam will return to previous levels but rather when it will return," McAfee says in its report.

The United States remains the top country whose computers - many of them compromised - generate the most spam worldwide. "The US continues to lead the world with 35 percent of the globe's spam output," McAfee states in its report.

But in other nations there's also trouble, McAfee points out, asserting that criminals have been attacking Russian banking and government networks in order to use computer resources within them to generate malware-laden email and spam.

McAfee cites Rusfinance Bank, OGO Bank, Tusarbank, Link Capital Investment Bank, Maritime Bank, Vladivostok Alfa Bank, Bank Voronezh and Inter-Svayz Bank as being among the Russian financial institutions inadvertently generating spam.

"This data suggests online criminals are largely indiscriminate about their targets and will attack any organisation of financial or other interest to them," McAfee said in its report.

The McAfee report also added, "Our data suggests that computer systems in the following Russian government offices are controlled by cybergangs."These institutions would include the Ministry of Taxation, Nazran Region; the Russian State Internet Network; Regional Finance and Economy Institute; Joint Institute for Nuclear Research; and Pension Fund of the Russian Federation, among several others.

Marcus says McAfee has notified these institutions of its findings, which were recently made as the security firm combed through information it was collecting about spam and IP addresses.

When it comes to malicious web activity from sites with "bad reputations"for hosting malware, the top three countries remain the United States, China and Russia. But this last quarter saw growth in malicious web activity from sites in the Netherlands, United Kingdom, Republic of Korea, Japan, France, Canada and Czech Republic, the McAfee report concluded.

[VelMurugan]

Apple slammed over browser patch programme

Apple and Opera are slow at distributing updates, lagging behind vendors such as Google and Mozilla, according to new research.

Only 53 percent of users on a 3.x version of Safari applied a new update within three weeks, wrote Thomas Duebendorfer of Google Switzerland and Stefan Frei of the Swiss Federal Institute of Technology (ETH Zurich) in a research paper.

Also, people running a 3.2 version of Safari are required to apply a Tiger or Leopard operating system update first before getting new browser updates, which slows the overall patch process. Within three weeks of the release of Safari version 3.2.1, for example, only 33 percent of users had it installed.

Opera's browser will check for updates once a week, but a user must go through the same installation procedure for updates as if they were installing Opera for the first time. It's a cumbersome process, the researchers wrote.

Three weeks after a new release, only 24 percent of active daily users of Opera version 9.x have the newest version installed. However, Opera plans to incorporate an auto-update mechanism in its next planned release, version 10.

"All in all, the poor update effectiveness of Apple Safari and Opera gives attackers plenty of time to use known exploits to attack users of outdated browsers," the researchers wrote.

Frei and Duebendorfer collected their data on browsers by analysing Google's web logs, which records the user-agent strings of browsers. A user-agent string is data that usually reveals the type of web browser and version a person uses.

Microsoft's Internet Explorer browser was excluded from some parts of the study since its user-agent string does not reveal incremental version changes for security reasons.

Google's Chrome came out on top. The study found that 97 percent of Chrome users on version 1.x received an upgrade within three weeks. Chrome uses a silent update mechanism where updates are downloaded automatically without user prompts and then applied when the browser is restarted.

Google has also open-sourced its auto-update technology, code-named Omaha, which means anyone can use it. Omaha will poll Google for updates even when Chrome is not running, the researchers wrote. Chrome checks for updates every five hours.

Chrome users may not hit a 100 percent update level due to other problems, such as people not restarting the browser, firewalls blocking updates and some computers, in place such as Internet cafés, that run read-only software images in virtual machines that don't allow software updates, they wrote.

Mozilla's Firefox browser came in second best, with about 85 percent of users employing the latest version 21 days after its release. Firefox frequently checks for updates and also prompts users to install the new version, which contributes to the speedy updates, they wrote.

Updating a web browser is important as it is one of the most frequently attacked applications. Frei and Duebendorfer wrote that overall, 45.2 percent of web users were not using the latest version of their web browser, according to the Google server logs they analysed.

"Web browsers are in dire need of a very effective update mechanism or they will lose the battle for securing vulnerable web browsers before their users fall victim to attackers," they wrote.

[VelMurugan]

Adobe plans patch for Acrobat zero day flaw

Adobe has promised to patch the newest zero-day vulnerability in its popular Adobe Reader software no later than next Tuesday, potentially adding another update to the month's busiest patch day for the second time in three months.

That date is also Microsoft's regularly-scheduled monthly Patch Tuesday.

On Friday, Adobe's security team announced that it would issue updates to Adobe Reader and Acrobat - versions 9.x, 8.x and 7.x for Windows, 9.x and 8.x for Mac and Linux - by next Tuesday.

"We are in the process of fixing the issue," said David Lenoe, the company's security program manager, in a blog post, referring to the unpatched Reader bug that Adobe acknowledged 28 April.

"Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix," he added, referencing a second bug that was reported last week. "This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate."

In lieu of a patch, Adobe had earlier urged users to disable JavaScript in Reader and Acrobat to protect against attack. Both vulnerabilities - the first, which affects Adobe's Windows, Mac and Linux software, and the second that apparently only affects Linux - have gone public with supporting proof-of-concept attack code.

Adobe's pace has quickened since the last Reader zero-day vulnerability. Adobe acknowledged a critical bug on 19 February, but waited until 24 February to recommend disabling JavaScript and fixed the flaw on 10 March for Reader and Acrobat 9.x on Windows and Mac. Although the 9.x fix was to release on 11 March, Adobe finished its work and unveiled it a day early, even though that was also Microsoft's patch day for the month.

Adobe didn't complete its patching until March 24, when it delivered updates for Linux and Solaris, putting the bug's window of vulnerability at between 19 and 33 days.

By comparison, if Adobe patches next Tuesday, the window for the newest flaw would be only 14 days.

"Their timing is the silver cloud," agreed Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's difficult to see through that cloud."

Storms, who has been critical of Adobe's security process, remained so today. Not only has Adobe set the Reader patch for the same day that Microsoft will roll out it own fixes, but the paucity of information and the lack of security management tools from Adobe continues to frustrate Storms.

"We've been trying to figure out ways to roll out [Adobe's] mitigation of disabling JavaScript," Storms said. "We're trying to find an easy way to deploy that setting change, and then pull that out when the patch arrives, but we're still grappling with that. Plus, we don't even have a real sense for what the risk is looking like now."

Storms contrasted the lack of information, and lack of a tool to automate the process of disabling Reader's JavaScript, with Microsoft's clear-cut directions for vulnerabilities in, say, an Internet Explorer ActiveX control.

"If Adobe had said, here's the risk and here's a way to do this [mitigation] quickly in the enterprise, we'd be talking about a different story," Storms argued. "But they don't give us that information up front."

According to Adobe's security advisory, no in-the-wild exploits have been reported targetting the two unpatched vulnerabilities.

[VelMurugan]

New grid service simulates DDoS attacks

A new online service launched by grid computing vendor Parabon Computation aims to help companies better prepare for Distributed denial of service (DDoS) attacks by giving them a way to simulate a full-fledged DDoS attack on their networks.

Parabon operates one of the largest commercial computational grids in the country. Its new Blitz Distributed Testing Service makes use of the thousands of computers on its online computing grid to generate DDoS attacks on demand against specified targets.

The service allows companies to test their networks against DDoS attacks at scales comparable to a full-on cyberattack, according to Steve Armentrout, president and CEO of Parabon. Currently, the company can harness anywhere between 5,000 and 10,000 computers on its grid to generate targetted network traffic against a site or server, Armentrout said.

That number is still far less than the tens of thousands of compromised computers that are sometimes used to launch a DDoS attack against a target.

Even so, the service is a considerable improvement over current DDoS testing approaches, in which a single standalone high-performance computer might be used to generate very fast traffic against a network to test its ability to withstand such loads.

Such network load and performance tests "do not get to the true nature of a massive distributed denial of service attack," which can come from anywhere, Armentrout said.

The Parabon Blitz service got its first public airing at the Department of Defense's Defense Information Systems Agency (DISA) Customer Partnership Conference in Anaheim, last week. DISA provides information technology and communications support for the entire Department of Defense.

Steven Hutchison, a test and evaluation executive at DISA, said Parabon's Blitz service is "remarkable" in that it allows for a very realistic simulation of a DDoS attack. "It allows you to put many different assets to hit a [target] application at one time. So your entry points are from all over as opposed to network load testing," involving a single source of traffic, Hutchison said.

Such a service can be very useful for "red-teaming" exercises in which Department of Defense networks are tested for weakness in "operationally realistic" conflict situations, he said.

DDoS attacks are often considered one of the biggest problems on the Internet because they are very difficult to stop. They can last for weeks and are sometimes used by extortionists as a way to extract money from targets.

The attacks in Estonia degraded network service for nearly two weeks and there have been numerous similar attacks on commercial and government targets in the US over the past few years.

Over the years companies have resorted to a variety of methods to mitigate the effects of a DDoS attack. The most common approach has been to set aside extra network bandwidth and server processing capacity to withstand sudden surges in traffic.

Another has been to geographically distribute web servers so as to be able to quickly move services away from an affected site if needed.

[VelMurugan]

Alleged Cisco hacker cornered by authorities

The Swedish man indicted by US authorities for the alleged 2004 theft of source code for Cisco Systems' IOS software may be prosecuted in his home country.

District prosecutor Chatrine Rudström is waiting for documents from the US before deciding whether to prosecute the man for the crimes in Sweden and according to Swedish rules, Rudström said in an interview with Computer Sweden.

Philip Gabriel Pettersson, 21, was indicted by US authorities on Tuesday on one count of intrusion and two counts of misappropriation of trade secrets. He was also indicted on two counts of intrusion involving NASA. Each count of intrusion and theft of trade secrets carries a maximum penalty of 10 years in prison, three years of supervised release and a $250,000 (£165,000) fine.

In November 2007, a Swedish court convicted Pettersson on seven counts of intrusion at a number of Swedish universities in November 2007. He received a suspended prison sentence and a 200,000 Swedish kronor ($25,000) fine.

He has always claimed that he is innocent and only developed the tools that were used during the attacks.

Pettersson found out about the latest round of charges in his local paper, he told Computer Sweden.

[VelMurugan]

Windows 7 inherently insecure says researcher

Windows 7 continues a long-running Microsoft practice of putting users at risk, according to a security researcher.

The new operating system's Windows Explorer file manager still misleads users about the true extension of a file, said Patrik Runald, chief research advisor at Helsinki-based F-Secure. Rather than reveal the full extension for a filename, Windows Explorer hides the extension for known file types, giving hackers a way to disguise malware by using those file types' extensions and icons.

Windows Explorer, for example, will show the .txt icon and display "attack.txt" as the filename for a Trojan horse that's actually been named "attack.txt.exe" by the hacker. The practice goes back to at least Windows NT, and has been criticised in the still-popular Windows XP and the newer Windows Vista.

"People typically look at the icon to know what the file is," said Runald. "If it looks like a Word doc or a PDF file, there's an implicit trust in it, and users are more likely to click on those files, even if they are actually an executable."

Windows, Runald continued, is smart enough to know the true nature of the file, and will, for instance, run an .exe even if the filename shows as "attack.txt" in Explorer.

"This has been used for years by virus writers - maybe less than it used to be, since most attacks now are drive-by downloads [using browser vulnerabilities], and not email attachments," Runald noted. "But you still see it."

Microsoft should show the true filename in Explorer, urged Runald. "Bottom line, it's a still bad idea not to."

Windows 7 RC launched yesterday, and will be available for download until at least through the end of July.

[VelMurugan]

PowerPoint patch due next week

Microsoft has confirmed it will deliver just one security update next Tuesday, namely a fix for PowerPoint which is probably the patch for a month-old bug that developers admitted they missed during stress testing.

The single update, which will be labelled "critical," Microsoft's highest threat ranking, is a big drop from last month, when the company issued eight updates that patched 23 vulnerabilities.

"Last month, Microsoft closed three of the four known outstanding vulnerabilities, and left us only one in-the-public-domain bug," said Andrew Storms, director of security operations at nCircle Network Security. The sole unpatched public flaw was the PowerPoint vulnerability Microsoft acknowledged 2 April in a security advisory that warned of ongoing attacks using rigged presentation files.

"The question, is there a pattern here, have they caught up?" asked Storms. "Could we have hit bottom?"

But he immediately dismissed that idea. "Don't think for a minute that I believe that," Storms said. "Microsoft has done a fantastic job of getting people to report [vulnerabilities] only to them, but that doesn't mean there are no other bugs. Frankly, I expected more than just the one."

As is Microsoft's practice, it released only the most general information about the upcoming security patch in the advance notification it posted on Thursday. Unlike the April security advisory, however, the early warning today noted that PowerPoint 2000, 2002, 2003 and 2007 will require patching; the advisory had not painted the newest version, PowerPoint 2007, with the bug brush.

Previously, Microsoft had admitted that the bug was in an older PowerPoint file format. The inclusion of PowerPoint 2007, Storms speculated, means that the new version may be affected when it tries to convert from an older format to the Office 2007 native format.

The last time Microsoft issued only one update on a Patch Tuesday was in January, when it fixed flaws in Windows' Server Message Block (SMB) file-sharing protocol. At the time, another security expert, Eric Schultze, the chief technology officer at Shavlik Technologies, called the bugs "super nasty."

"Don't get me wrong, I'm happy to have the PowerPoint patch," said Storms today.

A side benefit of the light Microsoft load is that it will make it easier for users and IT administrators to also deploy the anticipated Adobe Reader and Acrobat security updates. Adobe said last week that it had set 12 May, Microsoft's already-scheduled patch day, to release updates for a critical vulnerability in the popular PDF applications.

Storms was critical of Adobe's decision to slate the Reader and Acrobat updates on a day when people will be scrambling to apply Microsoft's fixes. "This makes it quite a bit easier to get the Adobe updates out," Storms said Thursday.

Microsoft will release the one security update at approximately 1 pm ET on 12 May.

[VelMurugan]

Spam domains for sale for just $700

Spammers in China are being offered a great deal -  just $700 (£460) to use a server that allows the sending of as much spam as they want. . It's called bulletproof hosting, and to the people who fight spam and cybercrime it's becoming a big problem.

Cybercriminals use these services not just to host servers, but also to register Internet domain names that they use for spam and online attacks. In a three-month period this year, researchers at the University of Alabama at Birmingham traced more than 22,300 domains, all used to send online pharmaceutical spam, to just six bulletproof computers hosted in China, said Gary Warner, director of research in computer forensics at the university.

The Waledac Trojan, which uses clever social-engineering techniques to spread itself, has been using bulletproof domain names to keep itself alive, Warner said. "We had over 70 domains that the entire community worked their butts off and tried for four months to try to shut," he said. "Because we can't shut down the domain names we can't shut down the spread of the virus."

Bulletproof domain-name registration is even cheaper than bulletproof servers. A criminal can anonymously register a bulletproof domain for $100.

Several dozen bulletproof hosting services operate worldwide, but the "vast majority" of them are in China, Warner said. Even scammers from countries considered soft on spam use the services because they are so reliable, he added. "Even the Russians use the Chinese bulletproof registrars."

The providers are upfront about what their services are used for.

Here's how one company, Tecom, promotes its service: "Usually, your web hosting provider will shut down your web site within days, or even sooner, if they find out you are sending bulk emails and directing people to your site on their server. Bullet-Proof Web Hosting helps you to direct customers to your website, and you won't have to worry about being shut down because of spam complaints."

Tecom says its services, which are hosted in "major cities in China," cannot be used for online gambling or pornographic material, however. China's Ministry of Public Security has cracked down on Internet pornographers since the mid-1990s.

When a domain is being used for spam or to spread malicious software, security researchers usually use an established protocol to report the domain to its registrar, who can then remove it from the Internet.

That doesn't work with bulletproof domains, because the registrars simply ignore the take-down requests. "I think there's some confusion about how the Internet community needs to work together," Warner said. "There are just these grey spaces [for Chinese companies] ... 'Should I have to terminate a domain because an American company told me to?'"

China has recently toughened its cybercrime laws and arrested some alleged identity thieves. Warner hopes these moves will presage a crackdown on bulletproof hosting. "This is the next area for them to tackle," he said.

[VelMurugan]

US teen in court for Scientology web hack

A 19-year-old New Jersey man has pleaded guilty to knocking the Church of Scientology's website offline in a series of January 2008 online attacks.

Dmitriy Guzner, of Verona, New Jersey, was part of an underground hacking group called 'Anonymous' that has made the church a target of several attacks. He had been expected to enter a guilty plea when he was charged last October, but it was not formally entered until Monday, the US Department of Justice said in a statement.

He faces 10 years in prison on computer hacking charges and is set to be sentenced on 24 August in US District Court for the District of New Jersey.

The attacks began 19 January and managed to knock the Scientology.org website offline by hitting it with several bursts of unwanted Internet traffic. Called a distributed denial of service (DDOS) attack, it flooded the site with as much as 220Mbit/s per second of traffic.

Anonymous promoted the incident with several YouTube videos.

"For the good of your followers, for the good of mankind and for our own enjoyment, we shall proceed to expel you from the Internet and systematically dismantle the Church of Scientology in its present form," a creepy computerised voice says in one Anonymous video.

[VelMurugan]

New warning over cloud security gaps

The security gaps in cloud computing demand greater scrutiny than traditional IT outsourcing models, a new Forrester report has said.

With traditional outsourcing models, a customer places its own servers in someone else's data centre, or a service provider manages devices dedicated to that customer. But multi-tenancy rules the day in cloud computing, and customers may not know where their data is stored or how it's replicated, Forrester analyst Chenxi Wang writes in a report titled How secure is your cloud?

"Cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it's replicated," Wang writes. "Multi-tenancy, while it is rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery."

The rise of software-as-a-service, along with web-based platforms for building applications and hosting server or storage capacity have many industry watchers examining the benefits and pitfalls of cloud computing.

Wang notes that the Electronic Privacy Information Center recently filed a complaint against Google with the US Federal Trade Commission, alleging that its security and privacy controls are inadequate.

Wang quotes Boeing chief security architect Steve Whitlock as saying: "Like many others, we see huge potential and benefits for moving into 'the cloud,' but we see risks, security issues, and interoperability issues. The community has much work to do to make the cloud a safe place to collaborate."

Whitlock is also on the board of the Jericho Forum, an industry group that examines the erosion of the network perimeter. While securing applications and data in the cloud is difficult because of the lack of visibility and control, customers must make the effort to evaluate vendors' security and privacy practices, Wang says.

"Companies must consider these aspects: data protection, identity management, vulnerability management, physical and personnel security, application security, incident response, and privacy measures," she writes.

For example, customers should seek information about the vendor's encryption system; how the vendor protects data at rest and in motion; the vendor's documentation available to auditors; authentication and access control procedures; and whether the vendor has proper data segregation and data leak prevention measures.

There are still numerous questions to be worked out regarding not just security in the cloud but also liability. To avoid pitfalls, customers need service-level agreements that specify a set of "detailed liability conditions and consequences," Wang writes.

"The fact that the laws do not treat data in the cloud the same as data on-premises leads to complicated liability discussions," she writes.

[VelMurugan]

Apple issues massive set of patches

When Apple does updates, it does them big. The company has patched a whopping 67 vulnerabilities in Mac OS X, the largest for Apple since March 2008.

Among the patches are fixes for the two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.

"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.

Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.

More than a third of the vulnerabilities - 26 of the 67 - were labelled with Apple's "arbitrary code execution" description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.

Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."

"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.

Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.

But the highest-profile vulnerabilities today - if only because they attracted so much media attention - were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.

Last March, security analyst Charlie Miller, exploited a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.

Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser - which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari - on 27 March.

Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. "Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs," he noted. "It's a 'I coulda had a V8' moment, where you slap your forehead," Storms continued. "It's like history changed in front of my eyes."

Critical of Apple's security practices in the past, Storms didn't let up today. "Who really knew that OS X was this insecure?" he said. "This has to be a wake-up call for somebody."

He did not, however, hit the quality of Apple's patches. "The quality on both sides is good," he said. "I don't see a difference in quality between the two [Apple and Microsoft]." Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.

"Macs really still aren't an enterprise tool," he said, "even though Apple's marketing likes to say that they are, and that they're used in enterprises."

Apple last patched its operating system in mid-February 2009, when it fixed 48 vulnerabilities. Today's patch tally was 40 percent larger, and the biggest since that 90-fix update 14 months ago.

Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.

The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.

[VelMurugan]

Microsoft steadies PowerPoint with flaw fix

Microsoft closed a critical PowerPoint hole that that has been under attack since last month, along with 13 other, less-important flaws in the Office application and related software.

The patch shores up Office 2000, XP, 2003, and 2007, as well as PowerPoint Viewer, Office Compatibility Pack and Works software, but but there's no fix yet for Office for Mac.

News of targetted attacks using malicious .ppt files came out last month. Microsoft said Office 2007 wasn't affected by the zero-day flaw, but it received a fix for a different, privately disclosed flaw in this patch. Find full patch details in bulletin MS09-017.

Redmond says that fixes for Office for Mac, along with Microsoft Works 8.5 and 9.0, are still in the works. The Mac versions weren't under active attack, according to an MSRC post, and the company says it didn't want to hold up the patch release while it worked on the Mac patches.

This was only the fourth time in four years that Microsoft has released just one security bulletin, according to Symantec. Run Windows Update to get the fix right away, or wait a bit for it to come down via Automatic Updates.

[VelMurugan]

Pirated Windows 7 packed with Trojans

Pirated versions of Windows 7 have been found with hard-to-detect Trojans intended for cybercrime purposes, according to a security firm.

Microsoft Windows 7 release candidate, made available to developers last week, almost immediately was pirated through various channels, including Torrents and news groups, according to security company Damballa. A pirated version Damballa has seen had a malware Trojan packed into it that would give an attacker the ability to take control of a computer and download whatever additional malware they wanted.

Tripp Cox, vice president of engineering at Damballa, says the pirated version basically becomes part of a criminal botnet.

The Trojan in this pirated version of Microsoft Windows 7 recently made use of the domain name "codecs.sytes.net" for its command-and-control, but Damballa worked with industry partners it declined to name to nullify its effective use.

Damballa then was able to observe the rate of piracy for the Windows 7 release and noted that cybercrime organisations appear to be ready to exploit it. Cox says Damballa has witnessed a few thousand downloads of the pirated version of Windows 7.

There's a "collusion" between "software pirates and cybercrime organisations," says Cox, who adds the pirated Windows 7 distribution that Damballa uncovered through its collection methods may be just one of several pirated versions with different malware characteristics.

Damballa contends that traditional signature-based anti-malware detection methods will not likely be able to spot the Trojan embedded in the Microsoft Windows 7 pirated version. Damballa's products detect by monitoring botnet behavior, such as the ability of botnets to communicate via infected computers to command-and-control points.

[VelMurugan]

Pirates eat into UK software sales

Pirate software on PCs in the UK is breaking new records. The use of unlicensed software last year surged to 27 percent of all software, translating to around £1.49 billion in lost sales, according to the sixth annual global IDC software piracy study.

Worldwide, software piracy climbed to a record high, making up 41 percent of all software installed on the planet, according to the IDC report released today by the Business Software Alliance (BSA).

The value of unlicensed and pirated software worldwide could be as high as the US$50 (£33) billion, and cost another $150 (£99.3) billion to $200 (£132.4) billion in value-add technology services, the study of 110 countries revealed.

"Much more needs to be done by the industry and the government to warn businesses and consumers of the risks associated with under-licensed software, from a legal, financial and operational point of view," said Alyna Cope, spokeswoman for the BSA UK country committee.

"Software piracy hurts our knowledge-based economy by weakening the very foundation on which it is built - respect for intellectual property and innovation."

Software piracy also hurts the wider economy, according to BSA and IDC. An IDC study released in January 2008 found that reducing software piracy by 10 percentage points over four years could generate more than £6 billion in economic growth and increase tax revenues by £1.47 billion to support local programmes and services.

British Chambers of Commerce senior policy adviser, Kevin Hoctor, said piracy threatens the digital community jobs and revenue.

"To realise the Government's Digital Britain ambition, our digital and communications industries must have the protection they need in terms of copyright and piracy," said Hoctor. "In the current economic climate the impact effective enforcement could have on employment and revenue should not be ignored".

The BSA took the opportunity to issue recommendations for the UK government, such as developing strong enforcement mechanisms and tougher anti-piracy laws.

Other recommendations included dedicating significant resources to the problem, including national IP enforcement units, cross-border cooperation, and training for local officers and judiciary officials.

Finally, the government could lead by example by implementing software management policies and requiring the public sector to use only legitimate software.

But CIOs are finding it hard to cope with the "sheer complexity" of licensing schemes, according to Matt Fisher, director at Frontrange Solutions.

"Licensing schemes have become increasingly unwieldy and difficult to manage, meaning that, despite their best efforts, organisations are struggling to get a grip on their licensing software," said Fisher.

"Coupled with the fact that there is no commonality across differing vendors' schemes has made life considerably more difficult and likely brought unintentional misuse of software," he added.

Fisher advised CIOs to implement a standard licensing practice to eliminate complexity. "The good news for organisations is that there is already a mature and professional software asset management community in place to help them address and manage licensing. Working with this community would be a step towards halting the growing software piracy problem," he said.

[VelMurugan]

Phishers hit Twitter again

Twitter users who thought friends were directing them to a "funny blog" got caught up in a phishing scam.

The microblogging service was hit by two different rounds of phishing, as criminals tried to take control of user accounts and then use them as a springboard to attack others.

Both Twitter and Facebook have been hit with phishing attacks in recent days. "The social networking attacks are becoming increasingly common," said Jamie De Guerre, chief technology officer with anti-spam vendor Cloudmark. "Spammers are really moving to attack social networks because of the popularity of the social networks and also because they're not as well defended as most e-mail platforms."

Twitter was hit by another high-profile phishing attack in January. This latest attack had snagged several hundred victims by mid-day yesterday.

Yesterday's attack worked by hackers creating fake Twitter accounts and then started following legitimate Twitter users. Twitter notifies users when they have new followers, sending the user a link to the follower's Twitter profile page. In this case, the profile page contained a link to a phishing site. So the victim, while investigating his new follower, would end up on the fake site Tvviter(.)com (this page is not safe to visit) where he would be asked to enter his Twitter username and password.

Once the phishers obtained their victim's login credentials, they used them to launch the second round of attacks. In this round, they posted Twitter messages such as "hey check thiss out" or "Hey. there is this funny blog going around." These messages included a link to another phishing site.

Scammers are phishing social networks because they have a better chance of tricking their victims, said Rik Ferguson, a security researcher with Trend Micro in his blog about the latest phishing campaign. They "tend to be more successful, because they take advantage of the inherent trust that these systems are based on," he said.

Once criminals have access to these accounts they can make money by sending out spam messages via Twitter or Facebook, or they can re-use the username and password combinations to try to log into other services such as web-based email, Ferguson said.

On Thursday, security vendor AppRiver reported a new round of Facebook phishing attacks. These messages have the subject line "Hello" and read "Check areps(.)at." This scam, which tries to steal Facebook usernames and login credentials, also promotes the bests(.)at domain. (These domains are also unsafe to visit)

Another reason why Twitter spam is so effective is because Twitter users rarely know what sites they're going to visit. Because messages can't be more than 140 characters long, senders often use services like TinyURL or UR.LC to shorten their links, hiding the ultimate destination from web surfers until they arrive at the site.

[VelMurugan]

Risk assessment guides launched

Two free risk-management guides provide directions on how to establish corporate security metrics. The guides, aimed at security professionals, will also offer tips on organizing risk-assessment and presenting findings.

The Center for Internet Security's Security Metrics 1.0 is a pithy compilation of 20 "metrics definitions" covering six areas: incident management; vulnerability management; patch management; application security; configuration management; and financial metrics. The 83-page paper shoots for a mathematical approach that lets an organisation build a scorecard for each category to assess and chart progress-or decline-in each of the six security-management areas.

But as impressive as this effort is, "Security Metrics 1.0" acknowledges that trying to determine a proper range for security spending - often defined as a percentage of the overall information-technology budget--remains hard to determine.

"It is elusive," admits Bert Miuccio, CEO at Center for Internet Security (CIS), which has about 130 members, 90 of them representing end-user organisations. When it comes to spending goals, the "Security Metrics 1.0" guide begs off on the question of a security spending goal, stating "no strong consensus" exists and advises looking to what "peer organisations" with "similar IT profiles" might be doing since more data about it is needed.

But that shouldn't stop companies from investigating the do-the-maths approach defined in Security Metrics 1.0.

"The rationale for releasing these metrics definitions is so organizations can start tracking and reporting on these areas, including budget, in a consistent and repeatable way, and begin sharing that that data with each other," says Miuccio.

The second risk-management guide published this week, entitled Technical Guide: Requirements for Risk Assessment Methodologies, is from the Open Group's security division and it advises on practices that involve planning interactions between auditors, security managers, and the business side, including legal.

The 28-page document is a high-level guide that philosophically looks at the pros and cons of various risk-assessment approaches, including testing, sampling and questionnaires. For instance, while testing can reveal holes, the downside is that "passing a test can lead to a false sense of security," the Open Group's study notes.

According to Open Group's vice president of security, Jim Hietala, future technical efforts will include work on what's called the Automated Compliance Expert Markup Language (ACEML). This is intended as a set of standards for risk assessment, which when implemented in vendor equipment, would allow for automated reporting.

"It's to define a standard for computer systems platforms to share compliance settings," says Jim Hietala, noting that this process tends to be more manual today. IBM is taking the technical lead on the effort, Hietala said.