There are risks and costs to action. But they are far less than the long range risks of comfortable inaction.
John F. Kennedy
IT and Related Security News Update from Centre for Research and Prevention of Computer Crimes, India (www.crpcc.in) Courtesy - Sysman Computers Private Limited, Mumbai
P3P
Platform for Privacy Preferences is a specification that will allow users' Web browsers to automatically understand Web sites' privacy practices. Privacy policies will be embedded in the code of a Web site. Browsers will read the policy, and then, automatically provide certain information to specific sites based on the preferences set by the users. For instance, if the site is an e-commerce site, the browser will automatically provide shipping info. If the site is requesting demographic info, then the browser will know to provide it anonymously.
The P3P specification was developed by the W3C P3P Syntax, Harmonization, and Protocol Working Groups, including W3C Member organizations and experts in the field of Web privacy. P3P is based on W3C specifications that have already been established, including HTTP, XML and Resource Description Framework (RDF).
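The mechanism described above, as an added example that is not part of the original text or of the W3C specification: a user agent reads a site's P3P 1.0 policy, compares each statement's purpose, recipient and retention declarations against the user's preferences, and decides which data categories it may fill in automatically. The policy XML, the site name, the URLs and the preference table are constructed for this example; the element and data-ref names follow the P3P 1.0 vocabulary. Data categories the user has no stated preference for are withheld by default.

```python
"""Evaluate a P3P 1.0 policy against a user's preferences (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy: one statement covers name and shipping address for
# order fulfilment, another shares demographics with unrelated third parties.
SAMPLE_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="shop" discuri="http://shop.example/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.postal"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><tailoring/><individual-analysis/></PURPOSE>
      <RECIPIENT><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.bdate.ymd.year"/>
        <DATA ref="#user.gender"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed user preferences: for each data ref, the purposes, recipients and
# retention the user tolerates. Anything not listed here is never auto-filled.
_SHIPPING_ONLY = {
    "purposes": {"current"},
    "recipients": {"ours", "delivery"},
    "retention": {"no-retention", "stated-purpose"},
}
USER_PREFS = {
    "#user.name": _SHIPPING_ONLY,
    "#user.home-info.postal": _SHIPPING_ONLY,
    "#user.gender": {
        "purposes": {"current", "tailoring"},
        "recipients": {"ours"},
        "retention": {"no-retention", "stated-purpose"},
    },
}


def element_names(parent):
    """Local names of an element's children, e.g. <PURPOSE><current/></PURPOSE> -> {'current'}."""
    if parent is None:
        return set()
    return {child.tag.split("}", 1)[1] for child in parent}


def parse_statements(policy_xml):
    """Extract every STATEMENT as a dict of declared purposes, recipients, retention and data refs."""
    root = ET.fromstring(policy_xml)
    ns = {"p": P3P_NS}
    statements = []
    for st in root.iterfind(".//p:STATEMENT", ns):
        statements.append({
            "purposes": element_names(st.find("p:PURPOSE", ns)),
            "recipients": element_names(st.find("p:RECIPIENT", ns)),
            "retention": element_names(st.find("p:RETENTION", ns)),
            "data": [d.get("ref") for d in st.iterfind("p:DATA-GROUP/p:DATA", ns)],
        })
    return statements


def statement_acceptable(statement, pref):
    """A statement passes only if every declared use is one the user allows."""
    return (statement["purposes"] <= pref["purposes"]
            and statement["recipients"] <= pref["recipients"]
            and statement["retention"] <= pref["retention"])


def decide(policy_xml, prefs):
    """Map each requested data ref to True (agent may auto-fill) or False (withhold).

    Default deny for refs without a preference. A ref that appears in several
    statements is released only if all of them are acceptable, because the site
    may use the data under any statement that names it.
    """
    verdict = {}
    for st in parse_statements(policy_xml):
        for ref in st["data"]:
            pref = prefs.get(ref)
            ok = pref is not None and statement_acceptable(st, pref)
            verdict[ref] = verdict.get(ref, True) and ok
    return verdict


if __name__ == "__main__":
    for ref, allowed in decide(SAMPLE_POLICY, USER_PREFS).items():
        print(f"{ref}: {'auto-fill' if allowed else 'withhold'}")
```

With these preferences the agent fills in name and postal address (shipping, kept by the site only for that purpose) and withholds gender and birth year, since the policy declares profiling and disclosure to unrelated parties. The subset test is deliberately strict: a site that declares one tolerable purpose alongside one intolerable purpose gets nothing.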
Sue Marquette Poremba
May 14 2008
http://www.scmagazineus.com/Medical-data-breaches-on-the-rise/article/110114/
Despite privacy regulations, data breaches are not only becoming more common within the medical community, but hospitals and medical centers are also slow to report the breaches to patients.
During the month of May, for example, patients at Staten Island University Hospital in New York were told that a computer with their medical records was stolen four months earlier, while information on patients of the University of California San Francisco (UCSF) Medical Center was accessible on the internet. The affected patients were told six months after it was discovered.
One reason medical data breaches are increasing is because more hospitals are integrating electronic records, said Pam Dixon, executive director of the World Privacy Forum.
“Until recently, we were in an era of privacy through obscurity,” Dixon told SCMagazineUS.com on Wednesday.
With everything in paper form, it was possible to get information on a patient, but it was not easily shared.
The bottom line: What once only a handful of people had access to is now accessible by any number of medical personnel, and not just within the hospital, said Todd Chambers, chief marketing officer at Courion, a provisioning and access compliance solutions provider.
“Medical information is sent out to lab firms, or patient data needs to be shared with a specialist not part of the hospital system,” Chambers said. “There is a need for more data control in these non-employee relationships.”
In the UCSF situation, the breach highlighted an otherwise little known practice of sharing patient information for fund-raising purposes. Historically, hospitals have always approached “grateful” patients for fund-raising, said Arthur Caplan, a medical and bioethics professor at the University of Pennsylvania in Philadelphia.
“What has changed is better databases with more economic data on patients, families, their businesses, their gift history, etc.,” he said. “More powerful databases represent far greater intrusions into personal privacy.”
Dixon added that the information released by UCSF included department head information, so it was possible to learn about the patient's specific medical condition.
To better protect patient records, Omar Hussain, president and CEO of Imprivata, provider of access management solutions, recommended stronger password systems, as well as stronger enforcement.
When it comes to weighing health care against security, he added, patient care always comes first. Tighter security over patient records can get in the way of offering swift medical care, so personnel opt for what is easy and quick over what is most secure.
Patients can best protect themselves in several ways, Dixon said.
“Be proactive,” she said. “If you can, be cautious about the hospital or medical center you are visiting. Monitor it for reports of data breaches and how they were handled.”
Once installed, the rootkit would be able to silently monitor and control the device -- a troubling notion given Cisco's dominance in the router market
By Robert McMillan,
IDG News Service
May 14, 2008
http://www.infoworld.com/article/08/05/14/Hacker-writes-rootkit-for-Ciscos-routers_1.html
A security researcher has developed malicious rootkit software for Cisco Systems' routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London.
Rootkits are stealthy programs that cover up their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system, but this will mark the first time that someone has discussed a rootkit written for IOS, the Internetwork Operating System used by Cisco's routers. "An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz said in an interview.
Rootkits are typically used to install key-logging software as well as programs that allow attackers to remotely connect with the infected system. However, the most notorious rootkit of all, distributed by Sony BMG Music, stopped unauthorized CD copying.
A Cisco rootkit is particularly worrisome because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.
In the past, researchers have built malicious software, known as "IOS patching shellcode," that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.
Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.
The software cannot be used to break into a Cisco router -- an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device.
The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.
Muniz said he has no plans to release the source code for his rootkit, but he wants to explain how he built it to counter the widespread perception that Cisco routers are somehow immune to this type of malware. "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken," he said.
Security researcher Mike Lynn offered a similar rationalization for his controversial 2005 Black Hat presentation showing how to hack into a Cisco router and run a small "shellcode" program.
Lynn's presentation was "very shocking because, until then, nobody thought you could actually build exploits for Cisco," Ruiu said. "This rootkit is the next step."
Within hours of his 2005 Black Hat talk, Lynn was sued by Cisco, which claimed he had exposed trade secrets in violation of his Cisco end-user license agreement.
Cisco's suit was quickly settled, but Muniz and his employer clearly have Lynn's experience in mind as they ready for next week's conference. They declined to provide technical details on the presentation ahead of time. "We're still in the process of putting the whole presentation together, and we also need to work with Cisco before we talk to anybody," a Core spokesman said. "The big concern is making sure that everything is cool with Cisco."
Cisco declined to comment for this story.
Jennifer Granick, the Electronic Freedom Foundation lawyer who represented Lynn in 2005, said that Cisco could bring these trade-secret claims against Muniz, but because the technical community reacted so negatively to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks of itself as really researcher-friendly," she said. "I think they will be very careful before filing legal action."
Still, the rootkit comes at a sensitive time for Cisco. Last week, the New York Times reported that the FBI considers the problem of fake Cisco gear a critical U.S. infrastructure threat.
In late February the FBI culminated a two-year investigation by breaking up a counterfeit Cisco distribution network and seizing an estimated $3.5 million worth of components manufactured in China. According to an FBI presentation on Operation Cisco Raider, fake Cisco routers, switches and cards were sold to the U.S. Navy, the U.S. Marine Corps, the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself.
The U.S. Department of Defense has expressed concerns that the lack of security in the microelectronics supply chain could threaten the country's defense systems, and the idea that an attacker could sneak a rootkit onto a counterfeit Cisco system has security experts worried.
Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem."
Martyn Williams,
May 12, 2008
IDG News Service
http://www.cio.com/article/355363/ATM_Glitch_Hits_Systems_Integration_At_Major_Japanese_Bank
A software glitch that crept into a massive system integration project at Japan's Bank of Tokyo Mitsubishi UFJ left thousands of customers unable to withdraw money on Monday morning.
Customers of the bank were unable to complete about 20,000 transactions when they used ATMs belonging to Seven Bank, an electronic bank operated by convenience store chain Seven Eleven, said Takashi Takeuchi, a spokesman for the Bank of Tokyo Mitsubishi UFJ. The problems were caused when the Bank of Tokyo Mitsubishi UFJ system sent a message containing a Chinese character that the Seven Bank system was not expecting.
When Bank of Tokyo Mitsubishi UFJ customers attempt to withdraw money, one of the checks that is made is whether their bank account books -- notepad-size books used by all major banks in Japan to record transactions in lieu of monthly statements -- are up to date. If there are 10 or more transactions waiting to be recorded in the book, then the ATM will remind customers to update their bank account books.
But a single Chinese character in the message asking customers to update their books, sent from the Bank of Tokyo Mitsubishi UFJ's computer, was not understood by the Seven Bank ATM. The ATM was expecting a Japanese katakana character, not a Chinese character, and that caused the transaction to fail, said Takeuchi. Withdrawals at other ATMs, and at Seven Bank by those customers whose books didn't need updating, were carried out with no problem, he said.
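The failure described above is an interface-contract violation: the host sent a character outside the repertoire the partner's terminal was built to accept, and the partner failed opaquely. The following added example (not code from either bank or from the article) shows the check a sending system can apply before a message leaves it: validate every character against the agreed repertoire and report the exact code point and Unicode name of any offender, so the operator sees "CJK UNIFIED IDEOGRAPH-901A at position 0" instead of thousands of failed transactions. The allowed ranges and the sample messages are constructed for the example; a real interface contract would come from the partner's specification.

```python
"""Validate outbound messages against a partner system's character repertoire (added example)."""
import unicodedata

# Constructed interface contract: the (hypothetical) partner terminal renders
# printable ASCII plus katakana (full-width block and half-width block) only.
ALLOWED_RANGES = (
    (0x0020, 0x007E),  # printable ASCII
    (0x30A0, 0x30FF),  # katakana
    (0xFF61, 0xFF9F),  # half-width katakana and half-width CJK punctuation
)

# Constructed sample messages. The first is katakana only; the second begins
# with the kanji 通帳 ("passbook"), which are CJK unified ideographs.
OK_MESSAGE = "ツウチョウ ヲ キニュウ シテクダサイ"
BAD_MESSAGE = "通帳ヲ キニュウ シテクダサイ"


def is_allowed(ch):
    """True if the character falls inside one of the contracted ranges."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in ALLOWED_RANGES)


def find_violations(message):
    """List (index, char, 'U+XXXX', unicode name) for every character outside the contract."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(message)
        if not is_allowed(ch)
    ]


def prepare_for_partner(message):
    """Gate an outbound message: return it unchanged if clean, otherwise raise
    with a diagnostic naming each offending code point and its position."""
    bad = find_violations(message)
    if bad:
        detail = "; ".join(f"{cp} {name} at position {i}" for i, _, cp, name in bad)
        raise ValueError(f"message violates partner charset contract: {detail}")
    return message


if __name__ == "__main__":
    for msg in (OK_MESSAGE, BAD_MESSAGE):
        try:
            prepare_for_partner(msg)
            print("ok:", msg)
        except ValueError as exc:
            print("rejected:", exc)
```

The check belongs on the sending side and in the pre-production test suite for any host upgrade: a table of template messages run through `find_violations` after each release would have caught a stray kanji before the network was switched back on. Range-based validation is preferred over an encoding round-trip because it names the precise character that broke the contract.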
Problems began soon after 7 a.m. local time, when the Bank of Tokyo Mitsubishi UFJ ATM network was turned on again after an upgrade to the bank's host computer. Service was returned to normal at 11:55 a.m. and Bank of Tokyo Mitsubishi UFJ issued an apology to its customers.
Bank of Tokyo Mitsubishi UFJ was created in January 2006 through the merger of Bank of Tokyo Mitsubishi and UFJ Bank. It ranks as the world's largest bank by assets, and integration of its two computer systems for retail banking has been put off until now because of the monumental task facing integrator IBM Japan.
The weekend work saw the Bank of Tokyo Mitsubishi's system, which was originally supplied by IBM Japan, upgraded. The next stage of the year-long project will see the UFJ Bank system, originally supplied by Hitachi, upgraded in a series of five steps between July and December. When the upgrades are complete, the two systems will be merged to create a single system.
The delay in joining the two systems has meant confusion for customers. Because the two ATM networks continue to operate independently, bank customers will sometimes face fees at certain times of day when using ATMs that previously belonged to the other bank from where their account used to be held. Bank of Tokyo Mitsubishi UFJ has been unable to close down many branches because it has had to keep the two networks in operation.
Robert McMillan
IDG News Service
May 15, 2008
NATO plans to set up a cyberdefense center in Estonia later this year to research and help fight cyberwarfare, the organization announced Wednesday.
The Cooperative Cyber Defence Centre of Excellence will operate out of Tallinn, Estonia, with a staff of 30. Half of the specialists at the center will come from its seven sponsoring countries: Germany, Italy, Spain, Latvia, Lithuania, Slovakia and Estonia.
Cyberwarfare has been on NATO's radar for the past year, following the widely reported cyberattack against member country Estonia in May 2007. The attacks, which security experts have compared to a poorly coordinated cyberbrawl, succeeded in knocking some financial systems in the country offline for several hours, prompting Estonia to ask for help from NATO.
The attacks were sparked by the relocation of the Soviet war memorial in downtown Tallinn, a move that angered the country's ethnic Russians. Russia was blamed for the attacks, although no Kremlin connection to the cyberincident has been proven.
Allied defense ministers pressed for a NATO cyberdefense policy at their October 2007 meeting, a move that led to the creation of the Cyber Defence Centre, NATO said in a statement.
The center will help NATO "defy and successfully counter the threats in this area," said General James Mattis, NATO's supreme allied commander, transformation, in the statement.
The new cyberwarfare center is expected to be online in August and will be formally opened sometime in 2009, according to an Associated Press report.
Ask advice from everyone, but act with your own mind.
Yiddish proverb
OWASP
Short for Open Web Application Security Project, an open source community project set up to develop software tools and knowledge-based documentation for Web application security. Some of the project’s work includes:
· A guide to define security requirements to build secure Web applications.
· Developing an industry standard testing framework for Web application security.
· VulnXML - A standard data exchange format to allow commercial, open source and research tools to communicate and interoperate.
· Web Scarab - An open source enterprise-level Web application scanner.
· Developing a component-based approach to filtering malicious input and output to a Web application.
· Web Maven - An intentionally insecure Internet bank users can download and learn from.
All of the project’s software and documentation is released under the GNU GPL, and the project is staffed entirely by volunteers.
The Gemstone Forecaster
March 2008
http://www.preciousgemstones.com/gfspring08.html#2
(Editor: This is an informative article written by Robert James, President, International School of Gemology. It outlines how Ebay scamsters make money and get high positive feedback by selling grossly embellished diamonds. It is reprinted with permission.)
How the bad guys are getting away with it.
I want to say that there are a lot of really good sellers on eBay. Honest people doing honest business. But today, I want to give you some insider information regarding how so many of those sellers using deceptive trade practices can continue in business. I have learned this information from years of trying to do consumer awareness regarding some of these eBay seller practices as reported by consumers. This is case history, not conjecture.
We need to first remember that in spite of eBay’s claim that they are just a venue and not responsible for the deceptive trade practices going on, eBay has a collateral interest in the auctions. eBay makes a percentage off of every sale (not to mention the additional 3% they make from payments via PayPal). So it is in eBay’s interest to make as many sales as possible, regardless of what it takes to do so. Which not only makes eBay a partner in a deceptive sale, it makes eBay an accomplice in a deceptive sale by their refusal to take action. That is perhaps the biggest deception going on at eBay, their claim that they are not responsible for the actions of the sellers. In fact, eBay is the partner of these sellers.
Bad Guys with 100% Positive Feedback Ratings
I have always found it interesting how many eBay sellers using really deceptive selling practices always seem to boast about their 100% Positive eBay rating, or are even able to maintain a 99% positive rating. Well, it’s easier than many people may realize.
Take, for example, the seller we looked at yesterday, Number1Solutions. This is the seller who had the 2.00 Carat Canary Yellow Diamond that turned out to be a cubic zirconia. This seller has a 99.5% positive feedback in spite of offering auction after auction of these deceptively titled auctions. There are two ways to maintain a high positive rating when you are doing stuff like this.
The first is simply to pad your auctions feedback with your own shill bidder ID. It is quite easy for a person to open multiple eBay accounts. Buy your own goods, give yourself a high rating, and then you build a huge positive number within a short period of time. You can also work in cahoots with other buyers of your ilk and trade off giving each other big positive feedback numbers.
The second is a bit more sinister. And this is how it often works. When a customer realizes that they have been ripped off and demands a refund, the seller agrees to provide a refund but only after the customer posts up a positive feedback for their auction. The buyer is usually so frustrated and so concerned about getting the refund that they will do just about anything to get their money back. So they post up a positive feedback for the seller in spite of the situation, and then the seller issues the refund and receives yet another positive feedback number to their rating.
This has been reported on multiple occasions on the eBay Consumer Forums and there is little anyone can do since you only get one opportunity to leave a feedback on a purchase. And the other issue is that new customers not familiar with the seller will look at the 100% positive feedback rating and think that this must be a good seller, not knowing that the positive feedback is due to coercion.
Making Money Without Really Selling Anything
There is an easy way to make huge profits on eBay that many of the really sneaky sellers use. No one talks about it much because it sounds too logical. And quite honestly it’s legal. Here is how it all works:
First, they get a few rings that are obviously junk. Then they put them up at auction claiming they are really excellent quality pieces, require a shipping charge that is in excess of the actual cost to ship, then sell them at a really low price for the kind of ring listed. And as part of their auction in the fine print, they offer a full refund if the customer is not satisfied minus a 10% restocking fee. The seller knows in advance that the item has been misrepresented. And they know the buyer is going to be unhappy with the purchase and demand a refund. But here is where the whole scheme pays off…
When the buyer calls demanding a refund, the seller tells the buyer this: "I will take the ring back but there is a 10% restocking fee, I do not refund the shipping fee, and you must leave a positive feedback for me before I will do anything for you since I am taking good care of you."
Can you see where this is all headed now?
Consider if I offered for sale a Certified 1.50 carat D-VS1 loose round diamond with an appraisal for $16,000.00, and I offered it at a Buy It Now price of $2,000.00. That would be quite a deal. But when I sent you the diamond you were horrified to find that you got a 1.02 carat L/I2 round diamond. You would become very worried about getting your money back and contact me.
I would tell you that I am so sorry you are not satisfied. And I will give you the refund exactly as promised because I want you to be happy with my company. All you need do is post up a positive feedback for me since I am taking such good care of you. Once done I will issue your refund minus the $200.00 restocking fee, and I would also have the $10.00 left over on the excess shipping charges. Leaving $210.00 in my pocket after all is said and done.
My cost for the whole affair: $15.00.
Time involved: 1 day to post the auction. 5 days for the auction to run. 3 days for the customer to get the ring and start demanding a refund. 3 days to do the dance on the refund. Total time 12 days.
Now, if I have 10 doggy-looking diamond rings, post them up in these kinds of auctions 2 times a month each, and each time I make $210.00 in restocking fees and excess shipping fees, my monthly gross income without ever having to actually sell any of my doggy diamond rings is $4,200.00. And I never actually sold anything.
That is one reason we continue to see such wonderful diamonds apparently being sold for such low prices on eBay. The whole point is not to sell diamonds; the whole point is to collect restock fees.
You get to keep the diamond ring. You get to keep the restock fee. You get to keep the shipping fee. And you get to add yet another Positive Feedback to your rating with every sale.
And with millions and millions of new visitors on eBay reading your positive feedback, and the fact that eBay makes money every time you make a sale so they are not going to do anything about it, it’s really a pretty good living if you can sleep at night by doing it.
There are a lot of variations on the above. But this is just a look at some of the antics going on with some of the bad eBay sellers who are giving the good sellers a bad name.
The News, Pakistan
May 12, 2008
http://www.thenews.com.pk/print1.asp?id=112131
Islamabad: The phrase ‘cyber crime’ usually raises an eyebrow among computer users and IT experts, and especially in a country where the majority of people are not familiar with the relevant laws.
The number of Internet users is growing very rapidly worldwide. Estimates show that 70 per cent information is now digital and there are about 800 billion pages on the web. This vast invasion creates potent threats and vulnerabilities to cyber crime.
In our country (Pakistan), cyber crime laws are wide ranging, which are required to be implemented rigorously. The Electronic Transaction Ordinance 2002 and Prevention of Electronic Crimes Ordinance 2007 are some of the steps taken to control this menace.
The latest ordinance is aimed at fighting cyber crimes under which the accused could be jailed for more than seven years or fined up to Rs1 million. Under the ordinance, a tribunal with the name of Information & Communication Technologies would hear cases of crimes registered under cyber crimes.
“As soon as possible after the commencement of this ordinance, the federal government shall, by notification in the official gazette, constitute the Information & Communication Technologies Tribunal whose principal seat shall be Islamabad,” the ordinance says.
The tribunal will work under sections 193 and 228 of the Pakistan Penal Code 1960. The tribunal will have the status of a court and will work under sections 480 and 482 of the Pakistan Penal Code.
The tribunal will comprise seven members, headed by a chairman, with its principal seat in Islamabad. The chairman may constitute Benches of the Tribunal and, unless otherwise directed by him, a Bench will consist of not less than two members. A Bench will exercise such powers and discharge such functions as may be prescribed, with at least one Bench in each province.
The ordinance, which covers 18 different offences, will be effective in curbing cyber-related crimes. According to the text of the ordinance, accessing any electronic system or electronic device without permission would legally be a crime.
Similarly, accessing, destroying, hacking and sabotaging any criminal data set up by any organisation or the government, or committing a fraud using an electronic system or Internet, or making unauthorised changes, or using someone else’s code or password to access information, or to harass anyone using Internet, or to transmit immoral matter or images, or using electronic system, device or Internet, or to participate in a terrorist or destructive activity are all crimes.
Before the promulgation of the new ordinance, the Federal Investigation Agency dealt with fraud and cyber crime under the Electronic Transaction Ordinance 2002. It was a reporting centre for all types of cyber crimes and provided necessary technical support in making systems secure. It provided timely warning of cyber threats to all concerned and advised on recovery techniques after the actual cyber attacks.
But ignorance of the intricacies of Information Technology and the related laws usually leads to misinterpretation. For example, online transactions are a common phenomenon all around the world, which makes it imperative for companies to have foolproof security.
“Security flaws or vulnerabilities in software should be the first responsibility of a software developer,” Kaneez Akhtar, an IT expert, said. But ironically, the end receivers are the users who have to endure mental agony and financial loss. It is the joint responsibility of all stakeholders especially the cyber business companies to coordinate with each other and help eradicate this menace.
“Coordination is a must for all the people concerned because individual efforts will not bring that respite required in the country,” Jabar Baloch, an executive director of an IT company in G-8, commented.
Three Charged in Dave & Buster's Hacking Job
Robert McMillan,
IDG News Service
May 12, 2008
It may not have been the greatest hack ever, but police say the malicious software sneaked onto restaurant chain Dave & Buster's corporate network was good enough to earn criminals hundreds of thousands of dollars.
Three men have been charged with hacking into the network and then remotely installing "packet sniffer" software on point-of-sale servers at 11 Dave & Buster's locations throughout the U.S.
A packet sniffer logs information being sent over a network. In this case, the criminals used it to log credit- and payment-card data as it was sent from the branch locations to corporate headquarters.
The hacking took place from April to September 2007 and was lucrative, according to court filings. At Dave & Buster's Islandia, New York, location, for example, the hackers accessed details of about 5,000 payment cards. The information was sold to other criminals who then used the card numbers to scam online merchants. The criminals were able to post at least US$600,000 in fraudulent transactions from 675 cards taken from this one store.
Contacted by IDG News Service, the Islandia Dave & Buster's restaurant manager said he was unaware of any fraud being linked to his location. Dave & Buster's corporate offices did not return a call seeking comment.
Dave & Buster's operates about 50 restaurants in the U.S. The locations feature video games, billiards and arcade-style games.
The people charged are Maksym Yastremskiy, Aleksandr Suvorov and Albert Gonzalez. Yastremskiy and Suvorov are being held in Turkey and Germany, respectively, and face fraud and computer hacking charges.
Yastremskiy "was one of the biggest resellers of stolen credit card data targeted by the USSS [United States Secret Service]," said Special Agent Matthew Lynch in a sworn statement filed in the case.
Gonzalez, who was arrested in Miami within the past two weeks, wrote the packet sniffing software, Lynch said. He was charged with one count of wire fraud conspiracy.
The three men charged in this case were arrested over the past year, but the case was sealed until Monday.
Unfortunately for the criminals, Gonzalez's code had some problems, according to Lynch.
In April 2007 it bombed its first test, on a point-of-sale server at the Dave & Buster's in Arundel, Maryland. "The packet sniffer malfunctioned ... and no credit or debit card account information was captured," Lynch said.
Even when the packet sniffer worked, the hackers were forced to keep returning to the Dave & Buster's network and restarting their malicious software, Lynch said. A bug in the packet sniffer caused it to shut down whenever the computer it was monitoring rebooted.
International cyber criminals often see poorly secured retail computer networks as an easy source for credit card information.
Cyber thieves used similar techniques in the massive 2006 TJ Maxx data breach, stealing credit card numbers from the company's computer system and then using them for purchases at stores like Wal-Mart. Court filings suggest that more than 94 million accounts may have been affected in that case.
May 11, 2007 / AFP Report
http://news.yahoo.com/s/afp/20080512/tc_afp/chileinternetcrime
A hacker broke into Chile's government sites, mining data on six million people which he then posted on the Internet on two popular servers for several hours, the El Mercurio daily has said.
The personal data included names, street and email addresses, telephone numbers, social and educational background, and was taken from Education Ministry, Electoral Service and state-run telephone companies' websites from late Saturday to early Sunday.
"It's a serious matter and we're investigating," Police Cibercrime Brigade chief Jaime Jara told the newspaper.
The data was displayed for several hours before authorities removed it on the technology information website "FayerWayer" and community website "ElAntro."
The hacker said on the websites he splashed the data "for the whole world to see ... (to) show how unprotected personal data is in Chile ... nobody bothers protecting that information."
I think and think for months and years. Ninety-nine times, the conclusion is false. The hundredth time I am right.
Albert Einstein
OVAL
Acronym for Open Vulnerability and Assessment Language. OVAL is an XML-based language that provides a standard for how to check for the presence of vulnerabilities and configuration issues on computer systems. OVAL standardizes the three main steps of the process: collecting system characteristics and configuration information from systems for testing; testing the systems for the presence of specific vulnerabilities, configuration issues, and/or patches; and presenting the results of the tests.
Each OVAL vulnerability definition is based primarily on Common Vulnerabilities and Exposures (CVE), a dictionary-type list of standardized names for vulnerabilities and other information related to security exposures.
Parasitic botnet spams 60 billion a day
Darren Pauli
08/05/2008
http://www.computerworld.com.au/index.php/id;316576616;fp;4;fpid;16
The Srizbi botnet has stormed over its competition to become the Internet's biggest spammer.
Researchers claim the botnet is responsible for 50 percent of all spam, and is the biggest of its kind in history.
Its 300,000 zombie computers are being worked hard. The much larger Storm Worm required about 500,000 nodes -- with some figures even suggesting anywhere between 1 million and 50 million -- to deliver 30 percent of global spam.
Joe Stewart, director at US consultancy Secure Works, said the Srizbi Trojan is the biggest botnet in history and the most powerful. He said Srizbi, aka "Cbeplay" and "Exchanger", can blast out 60 billion messages a day.
Storm is now in a tea cup after its spam output was cut down to a mere 2 percent, due to widespread media coverage which kicked off a race by security vendors to squash the threat.
Trojan.Srizbi is one of the first full-kernel pieces of malware, according to Symantec. It hides itself as a rootkit and operates completely within the kernel, without any interaction in user mode.
The Trojan is rumoured to contain code capable of uninstalling competing rootkits.
Marshal vice president of products, Bradley Anstis, said the Srizbi botnet has grown quickly to overtake the rival Mega-D botnet since the start of the year.
"Srizbi is the single greatest spam threat we have ever seen. Srizbi now produces more spam than all the other botnets combined," Anstis said.
"As Mega-D went offline, Srizbi stepped in to fill the gap and hasn't looked back since."
Mega-D rose quickly to prominence earlier this year after security researchers reported the Viagra-spruiking botnet had topped Storm's peak spam output by 30 percent.
"It is probable the [Mega-D] spammers got spooked and decided to lay low for a while, security researchers were close to discovering their control servers when the plug was pulled," Anstis said.
"Typically the spammers like the 'low and slow' approach; building their botnet up over time and trying to stay under the radar to avoid detection. It is an intriguing chain of events."
The Rustock botnet has taken the second spot as the most notorious spammer, Mega-D third, followed by Hacktool.Spammer, Pushdo and Storm. Marshal estimates about 15 percent of spam is from other sources.
Srizbi has been documented spruiking watches, pens and of course Viagra.
Robert McMillan
IDG News Service
May 09, 2008
http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html
Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.
Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.
The SMM rootkit comes with keylogging and communications software and could be used to steal sensitive information from a victim's computer. It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting.
The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.
The rootkits used by cyber crooks today are sneaky programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.
In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD's chip-level virtualization technology to hide itself. She said the technology could eventually be used to create "100 percent undetectable malware."
"Rootkits are going more and more toward the hardware," said Sparks, who wrote another rootkit three years ago called Shadow Walker. "The deeper into the system you go, the more power you have and the harder it is to detect you."
Blue Pill took advantage of virtualization extensions that are only now being added to microprocessors, but the SMM rootkit uses a feature that has been around far longer and is present in many more machines. SMM dates back to Intel's 386-era processors, where it was added so that hardware vendors could work around bugs in their products with software. It is also used for power management, for example to put the computer into sleep mode.
In many ways, an SMM rootkit, running in a locked part of memory, would be more difficult to detect than Blue Pill, said John Heasman, director of research with NGS Software, a security consulting firm. "An SMM rootkit has major ramifications for things like [antivirus software products]," he said. "They will be blind to it."
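The "locked part of memory" the article refers to is system management RAM (SMRAM); on Intel desktop chipsets a lock bit (D_LCK) in the SMRAM Control register decides whether code running in the operating system can open SMRAM and rewrite the SMI handler that an SMM rootkit would live in. The following decoder is an added example, not code from the article or from the researchers. It assumes the SMRAMC bit layout of the 8xx/9xx-era Intel host bridges (register at PCI config offset 0x9D on device 00:00.0, typically read with `setpci -s 00:00.0 9d.b` on Linux); other chipsets lay the register out differently, so the datasheet for the target platform is the authority. The sample register values fed to it below are constructed.

```python
"""Decode the SMRAM Control register (SMRAMC) to see whether SMRAM is locked.

Added example, not from the article. Bit layout follows Intel desktop host
bridges of the 8xx/9xx era; assumption: other chipsets place or lay out the
register differently, so verify against the platform datasheet.
"""
G_SMRAME = 1 << 3  # SMRAM enabled
D_LCK    = 1 << 4  # lock: D_OPEN is forced clear and the register is read-only until reset
D_CLS    = 1 << 5  # close: data references to the SMRAM range from outside SMM go to VGA space
D_OPEN   = 1 << 6  # open: SMRAM readable and writable by code running outside SMM


def decode_smramc(value):
    """Return the individual SMRAMC flags from the raw register byte."""
    value &= 0xFF
    return {
        "raw": value,
        "enabled": bool(value & G_SMRAME),
        "locked": bool(value & D_LCK),
        "closed": bool(value & D_CLS),
        "open": bool(value & D_OPEN),
    }


def assess_smramc(value):
    """Map the flags to a verdict about who can modify the SMI handler.

    The point for an SMM rootkit: while D_LCK is clear, ring-0 code can set
    D_OPEN, rewrite the handler in SMRAM, and clear D_OPEN again, leaving
    nothing the operating system can see. Once D_LCK is set that door is shut
    until the next reset.
    """
    flags = decode_smramc(value)
    if flags["locked"] and flags["open"]:
        verdict = "inconsistent: D_LCK forces D_OPEN clear, re-read the register"
    elif not flags["enabled"]:
        verdict = "SMRAM disabled: no SMI handler protection at all"
    elif flags["open"]:
        verdict = "SMRAM open and unlocked: ring-0 code can modify the SMI handler now"
    elif not flags["locked"]:
        verdict = "SMRAM closed but unlocked: ring-0 code can set D_OPEN and then modify it"
    else:
        verdict = ("SMRAM locked: protected from OS-level code until reset "
                   "(firmware that ran before the lock was set is still trusted)")
    flags["verdict"] = verdict
    return flags


def parse_setpci_byte(text):
    """Parse the hex byte printed by `setpci -s 00:00.0 9d.b` (assumed invocation)."""
    return int(text.strip(), 16)


if __name__ == "__main__":
    # Constructed register values: reset default, enabled-unlocked, locked, open, and a bad read.
    for raw in (0x02, 0x0A, 0x1A, 0x4A, 0x5A):
        print("SMRAMC=0x%02x -> %s" % (raw, assess_smramc(raw)["verdict"]))
```

A locked register is the precondition for the antivirus blindness Heasman describes to be the only problem; an unlocked one means the rootkit can be installed from a normal kernel driver, which is the scenario the check is meant to catch.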
Researchers have suspected for several years that malicious software could be written to run in SMM. In 2006, researcher Loic Duflot demonstrated how SMM malware would work. "Duflot wrote a small SMM handler that compromised the security model of the OS," Embleton said. "We took the idea further by writing a more complex SMM handler that incorporated rootkit-like techniques."
In addition to a debugger, Sparks and Embleton had to write driver code in hard-to-use assembly language to make their rootkit work. "Debugging it was the hardest thing," Sparks said.
Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking.
"I don't see it as a widespread threat, because it's very hardware-dependent," Sparks said. "You would see this in a targeted attack."
But will it be 100 percent undetectable? Sparks says no. "I'm not saying it's undetectable, but I do think it would be difficult to detect." She and Embleton will talk more about detection techniques during their Black Hat session, she said.
Brand new rootkits don't come along every day, Heasman said. "It will be one of the most interesting, if not the most interesting, at Black Hat this year," he said.
By Sofia Santana
South Florida Sun-Sentinel
May 10, 2008
http://www.sun-sentinel.com/news/local/southflorida/sfl-flbsafewifi0510sbmay10,0,423469.story
The FBI issued an alert this week warning that wireless Internet networks, often called Wi-Fi hotspots, are more vulnerable to hackers than most users probably realize.
In South Florida, Wi-Fi hotspots are at airports, fast food restaurants, bookstores, coffee shops, sports bars, school campuses, malls, supermarkets — just about everywhere. Several cities and neighborhoods in the region plan to eventually install networks for residents, too.
For everyone to be able to access the networks, though, security has to be low. That usually means no password or registration is needed to use the service and the wireless link itself is not encrypted, so e-mails, instant messages and anything else the application does not encrypt travel in the clear.
Those settings make it easy for anyone within radio range of the hotspot to read that traffic, and for an attacker on the same network to probe your computer for weaknesses and steal sensitive information.
"It's a risky environment," said Derek Kerton, a computer analyst and consultant in San Jose, Calif. "It's like we've left the door open to the house."
But just like a steering wheel lock or car alarm can deter a thief, an up-to-date firewall installed on your computer is the first line of defense against a hacker, Kerton said.
Firewalls, though, don't protect information once it leaves the computer, such as e-mails and instant messages, or IMs. So you shouldn't e-mail or IM over a public Wi-Fi network unless the connection is encrypted: either your workplace or other institution has given you access to a virtual private network, or VPN, which encrypts everything sent to and from your computer, or the service itself uses an encrypted connection (an address beginning with https:// in the browser).
Victims often don't know that they've been hacked until their personal information or identity has been stolen.
Here are some tips from the FBI and the Florida Department of Law Enforcement on how to keep your personal computer data safe:
- Make sure your laptop security is up to date. That includes firewall, antivirus and anti-spyware software. Spyware is a kind of program that can collect information from your computer without your knowledge. It's sometimes used by companies that want to collect marketing information about people who log on to their Web site, but spyware has also been used by hackers who want to mine information from someone's computer.
- When using a Wi-Fi service, avoid logging in to financial accounts of any kind, because hackers might be able to monitor your traffic from another location to see what you are typing and steal your log-in information. For the same reason, you also want to avoid logging in to e-mail accounts and instant messaging services.
- When logging on to a site, glance at the address bar to check that you're at an authentic Web page. Hackers set up fake Web pages that look like the real thing to trick people into typing in their log-in information.
- If the Web address that appears is different from what you originally typed, don't enter your personal information. Close your browser and leave the Wi-Fi network.
- Don't use the same password for all your online accounts. That way, if hackers steal a password, they won't be able to use it at more than one Web site.
- Make sure your computer does not automatically connect to wireless networks. You can do this by adjusting the wireless settings on your computer. As an added precaution, switch off the wireless adapter, or the computer itself, when you're not using it, so that it isn't silently joining a network.
By Sue Marquette Poremba
May 09, 2008
http://www.scmagazineus.com/Stolen-data-could-fetch-in-the-thousands/article/109997/
The going price for stolen information is like any other commodity: the higher the quality, the higher the price, according to McAfee Avert Labs.
McAfee researcher Francois Paget said in a blog post that he found a website that revealed bank sign-on information and credit card data from the United States, United Kingdom, and other European countries. Cybercriminals appear to price the stolen data, such as bank account numbers, according to the size and brand name of the institution and on the amount available in the account. For example, an MBNA account worth $22,000 was priced at 1,500 euros ($2,317).
The sales also come with some guarantees. If the buyer is unable to get into the account or if the account had been closed, the seller will offer a replacement account.
Determining the black market value of stolen data is not something new, but McAfee has been asked to step up its efforts to gather more of this type of information, Dave Marcus, security research and communications manager for McAfee Avert Labs, told SCMagazineUS.com on Friday.
“One of the more interesting aspects of cybercrime that really hasn't been looked at is the going price on things and how much the bad guys are making,” Marcus said. “So we're putting more research time into capturing that type of information.”
Marcus added that this information is priced to sell. Also, because the volume of information is so high, the thieves can afford to set a more marketable selling price overall.
“The longer the account goes unsold, the more at risk the thief is,” Marcus said.
Marcus said that publicizing the market value and publishing screen shots that show real numbers demonstrates to users that data theft is a real danger.
“We want to show people that there is a significant threat out there,” he said. “This isn't just a nuisance.”