Archive for the Staying safe Category

Spammers Defeat Google

Posted in Staying safe on March 10, 2008 by chopperarris

Google has met its match. Analysis of spam by men with machines has shown that 4.6% of all spam originates from Web mail-based services and that the proportion of spam from Gmail doubled from 1.3% in January to 2.6% in February, mainly promoting adult-oriented Web sites. Yahoo! Mail was the most abused Web mail service, responsible for sending 88.7% of all Web mail-based spam.

Hackers have recently relied on new techniques for evading spam detection which involve computationally solving anti-spam CAPTCHAs, mechanisms designed to eliminate the automated sign-up tools used by spammers by requiring the user to perform a task that only a human can perform.

Once hackers develop a computational method with a 20- to 30% success rate they can use their botnets to create unlimited numbers of accounts on compromised services for spamming and phishing. Yahoo! Mail and Hotmail CAPTCHAs were first broken in July 2007. The increase in spam from Gmail this month may be indicative of similar success.

There are several approaches a spammer can take to defeat a CAPTCHA. Whether they do so using an algorithm, a ‘mechanical turk’ or a combination of the two, e-mail providers are feeling the pressure to keep pace, yet are limited by what a human can realistically solve. This creates ever more doubt about the long-term effectiveness of the CAPTCHA as a security mechanism for protecting email services from abuse.

Also in February, targeted Trojan attacks increased to approximately 30 per day, an increase of around 200% since the end of 2007. These attacks focus specifically on small numbers of targets in each incident, thus keeping below the radar of the wider security industry. One particular attack this month involved up to 900 targeted Trojans, primarily intended for named senior business executives worldwide, and made use of multiple attack vectors including compromised websites and malicious downloads.

It’s obvious online shifties are going to greater lengths than ever before to reach their targets. Not only are we seeing a significant increase in the number of targeted Trojan attacks, but they often appear to be based on prior intelligence gathered about their targets. At the same time though, more and more businesses are protecting themselves against potential threats by only allowing employees to access pre-approved Web sites.

In fact, the number of Web sites blocked by businesses because they did not fall within an allowed list rose by 12.9% from last month. By blocking unclassified Web sites, businesses can safeguard themselves against both new and existing potential threats. This is especially true of those Web sites which appear and disappear within 24 to 48 hours, which are often used for phishing, spam, Trojans and other fraudulent activities. In fact, 62.2% of all Web-based viruses and 82.5% of all spyware and adware came from this kind of Web site.

The Storm botnet has also continued to be a significant force in driving spam in February. For the first time it has been used to send spam touting VXPL, a drug promising male sex organ enlargement (don’t bother, I’ve tried it and it doesn’t work -Ed!), and nicotine patches, likely tapping into a seasonal increase in smokers trying to quit. At the same time, there was an increase of activity from Storm to further compromise computers, making up more than 96% of this month’s email-borne malware linking to malicious sites.

Identity Theft Cloud Hangs Over MTV

Posted in Staying safe on March 10, 2008 by chopperarris

Details of around 5000 of MTV Networks’ staff, including their names, dates of birth, social security numbers and even their salaries, have been compromised, the firm’s parent company, Viacom, has revealed. That’ll teach ‘em for spending too much time with those shifty hoodies.

News of the potentially serious identity theft incident broke over the weekend; the incident could have been avoided had the company used database encryption on its personnel files.

Precise details of how the data was accessed have yet to be revealed, or whether the illegal access occurred as the result of an internal or external intrusion. Despite this, the simple message to IT people is to make sure you encrypt the human resources information files.

Using a data vault approach to HR files is a given in the modern world of employment, as companies owe a clear duty of care to their staff which, if they fail to meet, renders them liable to litigation, both by the relevant authorities and the staff themselves.

Perhaps worse there is the potential damage to a company’s reputation when something like this happens. The depth of the fallout will become clear as further details of the apparent IT security faux pas are revealed in due course. Come on people, get a grip …


Weekly Report On Viruses & Intruders

Posted in Staying safe on March 7, 2008 by chopperarris

According to data gathered at Panda Security’s Infected or Not Web site, the NaviPromo adware has been the most active malicious code this week.

Adware is annoying malware designed to show unwanted advertising while we browse the Net. Some adware can, of course, also spy on our surfing habits. This type of malware occupies nine spots in the top ten most prevalent malicious codes this week. The only exception is the Virtumonde spyware, which takes second place.

Top 10:

  1. Adware/NaviPromo
  2. Spyware/Virtumonde
  3. Adware/OnlineAddon
  4. Adware/VideoAddon
  5. Adware/SecurityError
  6. Adware/Zango
  7. Adware/Lop
  8. Adware/PurityScan
  9. Adware/SaveNow
  10. Adware/Gator

Keylogger.DB exploits a vulnerability in Microsoft Access, the database application. This Trojan is designed to capture keystrokes so that it can get any information entered by the user on Web pages.

The Banker.KTG Trojan spreads by using social engineering techniques. In this case, the bait is a link to a video that users receive via e-mail. If you try to play the video, a message is displayed informing you that you need to download a video codec to view it. However, if you do so, you will actually be downloading a copy of the Nabload.DCH Trojan onto your computer.

Banker.KTG is designed to steal information entered through virtual keyboards, one of the security measures implemented by many online banks. This Trojan spreads in a similar way to Orkut.AT, a Trojan which uses the Orkut social network to reach victims.

The MonaRona.A Trojan also uses social engineering techniques to spread, in this case by offering users the possibility of downloading the Unigray application. Once it has reached the computer, the Trojan displays a warning message identifying itself as a virus created to protest against human rights violations. This malware has been designed to carry out malicious actions such as disabling the Task Manager or ending processes belonging to certain applications.

Finally, a number of junk e-mails announcing Fidel Castro’s death have been used to distribute the FakeDeath.A worm. These e-mails contain a link to a video. If you click the link, you will become infected. The worm downloads multiple copies of itself to P2P application shared folders and creates a key in the Windows Registry to ensure it is run every time the system is started up.


Ex-CEO Sells Fake Anti-Virus Software

Posted in Staying safe on March 6, 2008 by chopperarris

A 41-year-old woman has been charged with distributing bogus anti-virus software to over a million Internet users.

Lee Shin-ja, a former CEO of Media Port, is said to have earned over 9.2 billion won (approximately £4.5 million) since 2005 with a free anti-spyware program that displayed fake security warnings and directed Internet users to purchase Media Port’s Doctor Virus clean-up solution costing 3850 won (£2) a month.

Seoul Central District Prosecutors Office claims that 41-year-old Lee hired two computer programmers to assist in the scheme. Both have been charged in connection with the case, and are said to have deliberately coded the software to display false security alerts on files which were not infected with spyware or other malware.

More and more people are becoming concerned about the security of their personal computer - and it’s all too easy for the unscrupulous to try and fool users into believing a bogus warning. In this case 3.96 million Internet users are reported to have tried the free software, with 1.26 million people going on to purchase the ‘cure’. With those kind of figures it’s no surprise that the authorities are looking seriously into whether a large number of people have been defrauded by scareware.

Experts in white coats note that there are hundreds of different security programs wanting a piece of the South Korean market, many of which are not well-known in the rest of the world. Unlike much of the rest of the world, it’s not uncommon for South Korean computer users to run multiple anti-virus programs at the same time - probably because many of their homegrown solutions are crap and don’t come with an on-access scanner.

This environment increases the likelihood that people will download and ‘test the water’ with a product they stumbled across on the internet. Unfortunately it seems there are cybercriminals desperate for increasing market share who are prepared to scare users into making an ill-informed security purchase. An unnamed spokesperson for Doctor Virus claims that their software is no longer displaying bogus security warnings.

Cyber Risks Give Directors A Headache

Posted in Staying safe on March 6, 2008 by chopperarris

Cyber risks could be the next big trigger for knuckle-rapping against directors. Bigwigs could be held responsible for loss to companies and their shareholders if they failed in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss.

The threat to big earners is universal across all sectors as any company utilising technology as a platform or for business support is exposed. In particular, financial institutions need to be very concerned due to the dependence on the confidentiality of their data and the overall exposure relating to online banking.

In a recent example, a clothing retailer now faces lawsuits by shareholders alleging that the company failed to prevent a hacker from obtaining details of millions of cardholders and it has already reportedly agreed to a multi-million pound settlement to banks for the same situation.

In addition to concern over the subprime crisis, situations like the NHS losing patient data and HMRC mislaying over 25 million records of child benefit claimants have provoked directors to think about the next big risks they may face and they are asking us how the nature of the threat is changing.

On top of the direct loss from technology abuses, there are risks to the management of companies relating to how well they protect against the attacks. Directors could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, or failing to provide back up for lost data. This is adding another layer of risk to directors who need to take action to protect the assets of their business against cyber crime or else face being sued.

Cyber risks are pervasive. However, insurance should be perceived as the last resort. Directors must look to prevent the cyber risks in the first place by developing strong IT security defences and business continuity plans which are regularly tested, and heightening awareness among the board to create a security culture with all departments and employee roles.

REVIEW: Yoggie Firestick Pico

Posted in Staying safe on March 5, 2008 by chopperarris

Taking a page from its own miniaturisation playbook, Yoggie Security Systems has launched another ultra-portable USB key-sized hardware-based firewall solution. Just like the others in the range, it helps protect your laptop from malicious attacks.

Targeted at road warriors with wireless security at the top of their agenda, the Firestick Pico (around £60) places a physical barrier between your Windows-based computer and the Internet to help ensure that threats never reach your PC. Unlike software firewalls, the Firestick Pico is actually a Linux-powered mini-computer specifically designed to protect PCs from menaces including denial of service (DoS), buffer overflow and a broad range of malicious attacks.

Similar in size and appearance to a regular USB flash memory drive, the orange-coloured Firestick Pico is a ‘complete’ Linux-based 300MHz computer with a dual flash memory mechanism that constitutes an ‘untouchable operating system’ running an independent firewall application. In addition, the Firestick Pico comes with a complimentary Kaspersky security software suite. To make the Firestick Pico a little more robust in case it itself comes under attack, the OS is actually stored in ROM and copied to flash memory when it is installed, meaning that no permanent damage can ever be done to the device.

Unlike the company’s Pico Pro and Gatekeeper Pro, which offload all security applications from a PC, the Firestick Pico offloads just the firewall functionality at a much lower cost. This allows different levels of security and a range of price points for technical buyers. One of the most appealing features provided by the Firestick Pico driver and software is Firestick Pico ‘Enforcement’. This feature prevents or disables connection to a network when the Firestick Pico is not connected to your laptop, useful for IT staff managing systems that leave corporate HQ.

A firewall is a system designed to prevent unauthorised access to or from a private network (or computer). Firewalls can be implemented in hardware, in software, or in a combination of both. All Internet messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls are considered a first line of defence in protecting private information.

Firewall-protection mechanisms like the Firestick Pico include essential tools such as stateful inspection packet filtering, DoS/DDoS attack detection and prevention, SYN flood attack detection and prevention, port scan and ICMP attack detection and prevention (Smurf and Fraggle attacks), and Layer 2 attack prevention (ARP spoofing and poisoning).
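To make two of the checks listed above concrete, here is an added example (not Yoggie's code, and not how the Firestick Pico is implemented) that runs SYN flood and port scan detection over a small constructed packet capture. The addresses, timings and thresholds are assumptions chosen for illustration; a real stateful filter would keep the same per-connection state but on live traffic.

```python
"""Packet-log analysis illustrating two of the checks named above: SYN flood
detection and port scan detection. Added example; it is not Yoggie's code,
and the capture below is constructed for illustration (TEST-NET addresses)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP port
    flags: str   # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


# Constructed capture: one completed handshake from 10.0.0.5, a burst of 120
# half-open SYNs from 203.0.113.9 to port 80, and a 40-port sweep from 198.51.100.7.
SAMPLE_CAPTURE = (
    [Packet(0.0, "10.0.0.5", "10.0.0.2", 443, "S"),
     Packet(0.1, "10.0.0.2", "10.0.0.5", 51000, "SA"),
     Packet(0.2, "10.0.0.5", "10.0.0.2", 443, "A")]
    + [Packet(1.0 + i * 0.005, "203.0.113.9", "10.0.0.2", 80, "S") for i in range(120)]
    + [Packet(3.0 + i * 0.05, "198.51.100.7", "10.0.0.2", 1 + i, "S") for i in range(40)]
)


def half_open_syns(packets):
    """Stateful view: count SYNs per source whose connection attempt
    (src, dst, dport) was never completed by a follow-up ACK from that source."""
    syns = defaultdict(int)
    completed = set()
    for p in packets:
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            syns[key] += 1
        elif p.flags == "A":
            completed.add(key)
    per_src = defaultdict(int)
    for key, n in syns.items():
        if key not in completed:
            per_src[key[0]] += n
    return dict(per_src)


def detect_syn_flood(packets, window=1.0, threshold=100):
    """Flag sources sending more than `threshold` bare SYNs within any
    `window` seconds (sliding window over each source's SYN timestamps).
    Returns {src: peak count seen in one window}."""
    times_by_src = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            times_by_src[p.src].append(p.ts)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def detect_port_scan(packets, threshold=20):
    """Flag sources that send SYNs to more than `threshold` distinct ports
    on a single destination host. Returns {src: number of ports probed}."""
    ports = defaultdict(set)
    for p in packets:
        if p.flags == "S":
            ports[(p.src, p.dst)].add(p.dport)
    return {src: len(s) for (src, _dst), s in ports.items() if len(s) > threshold}


if __name__ == "__main__":
    print("half-open SYNs :", half_open_syns(SAMPLE_CAPTURE))
    print("SYN flood      :", detect_syn_flood(SAMPLE_CAPTURE))
    print("port scan      :", detect_port_scan(SAMPLE_CAPTURE))
```

The completed handshake from 10.0.0.5 is never counted because its ACK closes the (src, dst, dport) state; the flood source trips the rate check, the sweeping source trips the distinct-port check, and neither is confused for the other.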

How does the Firestick Pico actually work? Before any data is accepted for processing by your laptop’s operating system, a low-level driver redirects it to the Firestick Pico where a full security check is performed. Security breach attempts are identified and thwarted, and only safe, secure data is passed back to the laptop. An easy-to-use Web-based management console provides status information, security logs, and reports, and is used to configure security policy and other settings. While security policies are set by you, security updates are transparently downloaded from Yoggie.

Operating the Firestick Pico on a day-to-day basis is a snap. However, you do need to install driver software, set a username and password, and delve into the management console. Protection status indicators on the unit itself provide instant feedback - green when protection is enabled and red when protection is disabled - and notification balloons from the icon tray on your laptop contain information on status and events. There’s a separate display on the unit which blinks when updates are being downloaded, and the dedicated power indicator provides reassurance that the device is actually on and working.

The management console lets you monitor security activity by viewing the current security status, view and print security reports and logs, view and configure security, system and user settings, and view and print a firewall activity report based on a 3D chart. The status page of the console enables you to view your current risk level (a rating based on current activity) and security events. This includes gauges and event counters that indicate the number of security breach attempts thwarted by your Firestick Pico during the last 15 minutes during which the device was connected and working.

Worrying about security can be quite a daunting task these days. You have to worry about data loss/theft, malware, DoS attacks, and much more. Software solutions seek to circumvent these security risks but they can’t actually do that until after the threat has already reached the PC, thus making them somewhat vulnerable and susceptible to attack themselves. Hardware solutions on the other hand are usually much more robust and difficult to get around.

Yoggie’s Firestick Pico does a good job of securing a laptop from outside threats, but it’s an entry-level and less powerful solution compared to the company’s Pico Pro and Gatekeeper Pro products. If you’re nervous about your laptop security and don’t entirely trust a software-only solution, Yoggie definitely has a product to suit. [6.5]


Spammers Change Tactics

Posted in Staying safe on March 5, 2008 by chopperarris

Security boffins at SoftScan whispered into my ears this morning. Instead of sweet nothings they said that spam levels have remained steady, accounting for 96.47% of all e-mail scanned by their infallible servers. What a disappointment!

However, some eagle-eyed white coats noted in the last couple of weeks subtle changes to the delivery and format of ‘bulk mail’ spam, which may indicate that spam levels will increase once again in the near future.

The change is in messages sent out in vast quantities apparently by the same few providers. Similarities observed in the past in the technical makeup of the messages have led SoftScan to conclude that these messages are written on templates specifically designed to have maximum effect on bypassing anti-spam filters.

“It’s too early yet to be absolutely certain, but a change in the template indicates that the spammers are trying out new tactics, which is normally a precursor to a larger blitz of spam,” comments Diego d’Ambra, CTO of SoftScan.

“Junk mail from these few providers seems to come in waves and from the distribution you can see that there are some very successful spammers that cover a large part of the market. In addition, we’ve also seen a change in the delivery of these messages. This may mean that the botnets have been recruiting significant numbers of new zombies or that the spammers are trying to find new ways to bypass blacklist technology.”

Virus levels remained typically low during the month accounting for just 0.09% of all e-mail scanned. The top five virus families in February were:

1. Phishing (85.92%)

2. Dropper (7.07%)

3. Diehard (2.14%)

4. Netsky (1.37%)

5. Downloader (0.97%)

AutoRun Infection Growing

Posted in Staying safe on March 4, 2008 by chopperarris

ESET announced today that for the third consecutive month INF/Autorun, a generic detection for malware that uses the Windows Autorun facility to infect machines, was the number one detected threat in February.

The AutoRun facility allows programs on removable media such as CDs, DVDs and USB memory sticks to run automatically when the media is present. Although very convenient for installing legitimate programs, it is now so frequently used as an infection vector that many security experts, including ESET, recommend disabling the functionality.

Trojans using Autorun to infect computers have been one of the more common threats in the last few months. In fact, this is one of the tricks the infamous Mocmex ‘digital photo frame’ malware uses. Turning off the Autorun feature reduces the risk of infection, but as with any portable storage media, we should all ensure that USB devices are scanned when they’re opened to make sure nothing malicious is lurking there.
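What AutoRun actually reads from the media is a small INI-style file, autorun.inf, and that is where the infection vector lives. The following added example (not ESET's code, and nothing to do with the ThreatSense.Net report) parses autorun.inf text and reports, from a defender's side, what the file would launch on insertion. The three sample files are constructed, and the "disguised as folder" rule is a heuristic of ours, not a published detection.

```python
"""Parser for the autorun.inf file that the AutoRun facility reads from
removable media, plus a defender's assessment of what it would launch.
Added example, not ESET's code; the three autorun.inf texts below are
constructed, and the "disguised as folder" rule is a heuristic of ours."""
import re

# Constructed samples: a label-only disc, a legitimate installer, and one that
# overrides Explorer's own Open/Explore verbs to run a hidden executable.
AUTORUN_SAMPLES = {
    "label_only": "[autorun]\nicon=disc.ico\nlabel=Holiday photos\n",
    "installer": "[autorun]\nopen=setup.exe\nicon=setup.ico\naction=Install application\n",
    "verb_hijack": (
        "[autorun]\n"
        "open=hidden\\payload.exe\n"
        "shell\\open\\command=hidden\\payload.exe\n"
        "shell\\explore\\command=hidden\\payload.exe\n"
        "action=Open folder to view files\n"
    ),
}

# Keys whose value is executed: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Keys and section names are lowercased because Windows treats them
    case-insensitively; lines starting with ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_points(text):
    """Return [(key, target)] for every entry that would run code on insertion."""
    entries = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in entries.items() if LAUNCH_KEY.fullmatch(k)]


def assess(text):
    """Summarise an autorun.inf from a defender's point of view."""
    entries = parse_autorun_inf(text).get("autorun", {})
    points = launch_points(text)
    action = entries.get("action", "").lower()
    return {
        "runs_code": bool(points),
        "targets": sorted({v for _, v in points}),
        # overriding shell\open or shell\explore means even a manual
        # "Open" or "Explore" from Explorer's context menu runs the target
        "hijacks_explorer_verbs": any(k.startswith("shell\\") for k, _ in points),
        # heuristic: mimics Explorer's own prompt text while launching a program
        "disguised_as_folder": bool(points) and action.startswith("open folder"),
    }


if __name__ == "__main__":
    for name, inf in AUTORUN_SAMPLES.items():
        print(name, assess(inf))
```

The point of the verb-hijack case is that turning AutoRun off stops the open= line but not the shell\open\command override, which fires when the user double-clicks the drive; that is why the advice above pairs disabling AutoRun with scanning removable media when it is opened.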

Another highlight of ESET’s monthly report is the adware family Win32/Adware.Virtumonde (Vundo), which is frequently amongst the top five threats in ESET’s ThreatSense.Net data. Bot herders are paid to install it on compromised machines, where it then directs the compromised machine to sites used as proxies for advertisements at addresses stored locally in the System32 folder. Virtumonde is not self-replicating, but it is widely disseminated and can be very difficult and time-consuming to remove if it does manage to get itself installed.

Top 10 Threats for February 2008:

1. INF/Autorun (9.43%)

2. Win32/Adware.SearchAid (8.05%)

3. WIN32/Toolbar.MyWebSearch (3.11%)

4. Win32/Adware.Virtumonde (2.09%)

5. Win32/Adware.Virtumonde.FP (1.69%)

6. Win32/Pacex.Gen (1.65%)

7. Win32/Agent (1.53%)

8. WIN32/Obfuscated.A1 (1.33%)

9. Win32/IRCBot.AAH (1.17%)

10. Win32/PSW.OnLineGames.NLI (1.15%)

Browsing Habits Sold To Advertisers

Posted in Staying safe on March 3, 2008 by chopperarris

Customers of the UK’s three biggest ISPs will have their browsing habits sold to a targeted advertising company in exchange for a cut of the profits. BT, Virgin Media and Carphone Warehouse (which owns AOL and TalkTalk) - which collectively have more than 10 million broadband customers - will sell your Internet habits to Phorm, the company behind the new advertising system.

The system tracks the sites that you visit most and then offers personalised advertisements based on the type of sites you spend the most time on. For example, if you spend a lot of time looking at prOn, you might be targeted with ads selling ‘women looking for fun’.

However, the company has its roots in spyware software, sparking security concerns. The bloke who runs the company was founder of PeopleOnPage, an online advertising company that was blacklisted as spyware by Internet security firms Symantec and F-Secure.

It has been reported that Phorm has rejected the concerns, saying that the new model has resolved past problems and that new built-in security measures - such as anti-phishing technology - set a whole new gold standard in online privacy.

Concerns have also been raised about targeting users on shared networks, but any customers who don’t want their data being sent to Phorm should contact their ISP and find out how to opt out of the targeted advertising.

18-Year-Old Botnet King On Bail

Posted in Staying safe on February 29, 2008 by chopperarris

Heads up. The threat posed by zombie networks is real, after a teenager was accused of being at the centre of an international cybercrime network.

18-year-old Owen Thorn Walker, a computer whiz from Hamilton, New Zealand, has been charged with two counts of accessing a computer for dishonest purposes, damaging with a computer system, possessing software for committing crimes, and two counts of accessing a computer system without permission. If found guilty, Walker could face up to 10 years in jail. More likely he’ll get his pocket money suspended.

When arrested in November 2007, it was alleged that Walker - known by his online handle ‘AKILL’ - was the boss of a gang that infected 1.3 million computers around the world, stealing banking and credit card information. Kudos!

Hackers can use zombie networks of computers to send spam, manipulate stock prices, steal identities and attack company Web sites. These botnets are one of the biggest security problems faced by the Internet today, and could be a powerful weapon in the hands of an experienced cybercriminal.

Walker appeared in Thames Magistrate’s Court in northern New Zealand, and was released on bail. News of the charges against him follow the unconnected arrest last week of 17 young people in Quebec alleged to have infected up to a million computers in 100 countries around the world.