<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>Tips &amp; Tricks
Interesting News
Cool New Products

Located at the Barrie Campus of Georgian College, we are your on-campus source for academic software, Apple and Windows based systems and accessories.</description><title>Bits &amp; Bytes Computer Store</title><generator>Tumblr (3.0; @bitsandbytes)</generator><link>http://bitsandbytes.tumblr.com/</link><item><title>Clickjackers Could Hijack Webcams</title><description>&lt;p&gt;Adobe Systems warned users Tuesday that hackers could use recently-reported “clickjacking” attack tactics to secretly turn on a computer’s microphone and Web camera.&lt;/p&gt;

&lt;p&gt;Flash on all platforms is susceptible to clickjacking attacks, Adobe said in an advisory posted Tuesday. By duping users into visiting a malicious Web site, hackers could hijack seemingly-innocent clicks that, in reality, would be used to grant the site access to the computer’s Webcam and microphone without the user’s knowledge.&lt;/p&gt;

&lt;p&gt;“This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog,” acknowledged David Lenoe, the company’s security program manager, in a post to Adobe’s security blog.&lt;/p&gt;

&lt;p&gt;Although a patch is not ready — Lenoe said one would be issued by the end of October — Adobe’s advisory listed steps users can take immediately to block Webcam and microphone hijacking. &lt;b&gt;Adobe recommended that users access Flash’s Settings Manager using a browser to select the “Always deny” option.&lt;/b&gt; &lt;/p&gt;

&lt;p&gt;Adobe rated the vulnerability as “critical,” its highest threat ranking.&lt;/p&gt;

&lt;p&gt;According to Robert Hansen, one of the two security researchers who first raised the warning about clickjacking last month, Adobe will patch the bug in Flash 10, which already has been pegged for other fixes, including a flaw that’s been used by attackers for over a month to poison clipboards with URLs to malicious sites. &lt;/p&gt;

&lt;p&gt;&lt;b&gt;Hansen noted that Macs are particularly vulnerable to the Flash clickjacking attack, since all recent Apple notebooks and desktop systems include built-in cameras and microphones. &lt;/b&gt;&lt;/p&gt;

&lt;p&gt;At the same time that Adobe posted its advisory, it gave Hansen and his research partner, Jeremiah Grossman, the green light to reveal clickjacking details that they had kept confidential at Adobe’s request. &lt;/p&gt;

&lt;p&gt;Hansen posted a long entry to his blog that spelled out a dozen different clickjacking attack scenarios. Two weeks ago, when they provided only a general description of clickjacking, Hansen stressed that it was not a single exploit, but a new class of exploits. He hammered that theme again on Tuesday. “There are multiple variants of clickjacking,” Hansen said in his blog post. “Some of it requires cross-domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use [cross-site request forgery] to pre-load data in forms, some don’t.”&lt;/p&gt;

&lt;p&gt;source: &lt;a href="http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=50234" target="_blank"&gt;http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=50234&lt;/a&gt;&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/53641920</link><guid>http://bitsandbytes.tumblr.com/post/53641920</guid><pubDate>Wed, 08 Oct 2008 12:16:00 -0400</pubDate></item><item><title>Windows and security</title><description>&lt;p&gt;Rogue security apps strike again: Fortinet&lt;br/&gt;5 October, 2008&lt;br/&gt;By Vanessa Ho&lt;/p&gt;
&lt;p&gt;For the second consecutive month, rogue security applications topped Fortinet’s top 10 most reported high-risk threats for September 2008.&lt;/p&gt;
&lt;p&gt;For the month, rogue security applications made up 61.5 per cent of total activity. In particular, the W32/Inject.GZW!tr.bdr was the most prolific variant of the rogue security Trojans.&lt;/p&gt;
&lt;p&gt;“When we see unprecedented volume, it usually indicates that the attacks are working and cybercriminals are trying to act fast to take full advantage of the situation. It also shows the depth of resources available to this criminal organization,” stated Derek Manky, security researcher for Fortinet.&lt;/p&gt;
&lt;p&gt;Full story: &lt;a href="http://www.connectitnews.com/canada/story.cfm?item=6197" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=6197&lt;/a&gt;&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/53290635</link><guid>http://bitsandbytes.tumblr.com/post/53290635</guid><pubDate>Mon, 06 Oct 2008 08:33:00 -0400</pubDate></item><item><title>Twelve Unnecessary Vista Features to Disable</title><description>&lt;p&gt;&lt;b&gt;Vista, thy name is bloat!&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The latest Windows packs a lot of code—more than any version of Windows ever—and some of it is just plain unnecessary. All of that excess code has a way of slowing down an operating system. Resellers can regain some PC performance for their customers by removing unneeded features.&lt;/p&gt;
&lt;p&gt; I’ve identified a dozen Vista features that you can turn off right now. Some are shiny baubles that slow down graphics performance, while others are optional utilities that hog memory when they shouldn’t. A few can actually be quite useful, though they play a major role in bogging down your PC.&lt;/p&gt;
&lt;p&gt;Should you really turn off all of the following features right this minute? That depends on your customer’s computer, work habits, and tastes. (I’ve turned off only seven and a half on my PC, because while none of these features are required for Vista to function, some are still kind of nice and my computer is fast enough to handle them.)&lt;/p&gt;
&lt;p&gt;Just to be on the safe side, make sure to create a restore point before you turn any of the items off. That way you can quickly return your machine to its present state should you decide that you don’t like the change. To make a restore point, click Start, type sysdm.cpl, and press Enter. Choose System Protection, Create, and then follow the prompts.&lt;/p&gt;
&lt;p&gt;I list the features in the order that would make them easiest to turn off. For instance, I’ve put features that you can remove in the same dialog box next to each other.&lt;br/&gt;&lt;br/&gt;&lt;b&gt;Sidebar &lt;/b&gt;&lt;br/&gt;&lt;br/&gt;You pay a heavy performance price for the analog clock, thumbnail slide-show viewer, and centric RSS news feed that dock in the Windows Sidebar. Turning the whole thing off gives you a big speed boost, especially at boot time.&lt;/p&gt;
&lt;p&gt;To remove the Sidebar, right-click anywhere on the Sidebar and select Close Sidebar. Uncheck Start Sidebar when Windows starts, and then click OK.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Aero &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Among these features are the thumbnails of your windows that appear when you hover the mouse pointer over the taskbar, as well as the Flip 3D view you get by pressing Windows-Tab. Aero adds a little practicality and a lot of panache to the Vista user interface, and personally, I like it.&lt;/p&gt;
&lt;p&gt;If your PC is underpowered or overloaded, however, Aero may be more trouble than it’s worth. To turn it off, right-click the Windows desktop and select Personalize, Window Color and Appearance. In the resulting ‘Window Color and Appearance’ dialog box, click Open classic appearance properties for more color options (if you don’t see the option, that means Aero is already turned off). Select Windows Vista Basic and click OK.&lt;/p&gt;
&lt;p&gt; &lt;b&gt;Assorted Interface Beautification Options &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;You can save some additional clock cycles by turning off all or some of Vista’s pretty interface options, not all of which are directly connected to Aero.&lt;/p&gt;

&lt;p&gt;To see the options, click Start, right-click Computer, and select Properties. Click the Advanced System Properties link, the Advanced tab, and then the Settings button inside the Performance box.&lt;/p&gt;
&lt;p&gt;You can uncheck all of the listed options by selecting Adjust for best performance, or you can simply uncheck the ones you don’t care for. I unchecked Fade or slide menus into view, Fade or slide ToolTips into view, Show shadows under menus, and Slide open combo boxes. The rest I left on.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Remote Assistance &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Don’t worry about turning this item off if you run Vista Home (Basic or Premium). You don’t have it. If you run Vista Business or Ultimate, though, you can use Remote Assistance to control one PC from another—a useful tool if you regularly provide tech support for a relative living far away.&lt;/p&gt;
&lt;p&gt;On the other hand, if you’re not providing long-distance support, or if you prefer a third-party remote-control program, Remote Assistance is just a waste of resources. To get rid of it, click Start, right-click Computer, and select Properties. Click Remote Settings. Uncheck Allow Remote Assistance connections to this computer.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Internet Printing Client &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Do you ever print documents over the Internet? Neither do I. Chances are, you won’t miss out on anything by disabling Vista’s Internet Printing Client.&lt;/p&gt;
&lt;p&gt;Open the ‘Programs and Features’ control panel and click the Turn Windows features on or off link on the left; you’ll get the Windows Features dialog box. Expand the Print Services section and uncheck Internet Printing Client.&lt;/p&gt;
&lt;p&gt;Click OK at this point, and then wait several more minutes for the system to ask to reboot.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Windows Meeting Space &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;I like this program, which lets you share files across a network while editing them with a remote colleague. But I don’t have any use for it in my daily life, and neither do most of the people I know.&lt;/p&gt;
&lt;p&gt;So I shut Windows Meeting Space off. You can, too. Simply uncheck Windows Meeting Space while you’re in the Windows Features dialog box.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Windows Ultimate Extras &lt;/b&gt;&lt;br/&gt;&lt;br/&gt;One of the best things you can do exclusively in Vista Ultimate Edition is turn off the really pointless features that are found exclusively in Vista Ultimate Edition. I refer, of course, to Ultimate Extras, a set of downloadable add-ons available only to Ultimate users. If you didn’t pay for the most expensive version of Vista, these useless add-ons aren’t a concern. &lt;br/&gt;If you do own Ultimate, go to Windows Update (Start, All Programs, Windows Update), click View available updates, and check out all the worthless stuff Microsoft has made available exclusively to people who paid through the nose for the most bloated version of Vista.&lt;/p&gt;
&lt;p&gt;As of this writing, the extras include a poker game, some BitLocker and EFS enhancements that hardly anyone uses, several sound schemes, and an odd tool called Windows DreamScene that lets you waste your precious system resources by using video as your wallpaper. If PC World ever asks me to write an article on pointless ways to slow down Vista, I’ll start with DreamScene.&lt;/p&gt;
&lt;p&gt;You can turn Windows Ultimate Extras off in the Windows Features control panel by clicking Turn Windows features on or off to open the Windows Features dialog box, and then unchecking Windows Ultimate Extras.&lt;/p&gt;
&lt;p&gt; &lt;b&gt;Tablet PC Stuff &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;I own a tablet PC, and I love Vista’s tablet-oriented features—especially the Input Panel for writing with the stylus. But if you don’t have a tablet, these features are useless to you.&lt;/p&gt;

&lt;p&gt;Turning off Vista’s tablet features is a two-step process: Start in the Windows Features dialog box.&lt;/p&gt;
&lt;p&gt;You complete the job in the Services window, which you open by clicking Start, typing services, and pressing Enter. Find and double-click Tablet PC Input Services. In the ‘Startup type’ drop-down menu, select Disabled, and then click OK.&lt;br/&gt;&lt;br/&gt;&lt;b&gt;ReadyBoost &lt;/b&gt;&lt;br/&gt;&lt;br/&gt;If you’re not using this much-hyped Vista feature—which supposedly speeds up Vista by caching memory to a flash drive—it’s actually slowing your system down a tiny bit. (And if you are using ReadyBoost, it’s probably still a drag on your PC.) You turn off ReadyBoost in Services. If you aren’t already there, click Start, type services, and press Enter. Find and double-click ReadyBoost. In the ‘Startup type’ drop-down menu, select Disabled, and then click OK.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Search Indexing &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This one is a real trade-off. Turning off Vista’s indexing will slow searches to a crawl—I’m talking minutes, not seconds. But ditching this convenient feature could very likely speed up your general PC use significantly.&lt;/p&gt;
&lt;p&gt;In other words, turning off indexing will help your PC’s performance only if you seldom search by file content, or if you use a third-party search tool such as Copernic Desktop or Google Desktop (in which case you probably have two indexing routines running at the same time, which is an even bigger waste).&lt;/p&gt;
&lt;p&gt;If you match either of those descriptions, turn off indexing by clicking Start, typing services, and pressing Enter. Find and double-click Windows Search. In the ‘Startup type’ drop-down menu, select Disabled, and then click OK.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Offline Files &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;If you work on files stored on a server somewhere, and you can’t depend on that server always being available, Vista Business and Ultimate’s Offline Files feature makes your life easier by copying the files to your hard drive and keeping them synced.&lt;/p&gt;
&lt;p&gt;Of course, that sort of thing isn’t for everybody, which is probably why Microsoft didn’t include Offline Files in the Home editions of Vista. But if you have Business or Ultimate and still don’t need Offline Files, turn it off by clicking Start, typing services, and pressing Enter. Find and double-click Offline Files. In the ‘Startup type’ drop-down menu, select Disabled, and then click OK.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Windows Error Reporting Service &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Every time Windows experiences an error—either with its own processes or with a third-party program—it offers to report the problem to Microsoft. In theory, doing so can help the company locate problems with its OS (and heaven knows that would be a good thing). But more than likely, your report will either go unresolved or just end up in a big ol’ pile of other people’s reports on the same problem. Either way, you’re wasting your system’s precious resources on a feature that isn’t doing you any good.&lt;/p&gt;
&lt;p&gt;To disable this unhelpful service, open the Services window: Click Start, type services, and press Enter. Find and double-click Windows Error Reporting Service. In the ‘Startup type’ drop-down menu, select Disabled, and then click OK.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;UAC: Boon or Bloat? &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;One of Windows Vista’s most controversial new features is User Account Control (UAC), which attempts to protect your system from malware by forcing you to authorize certain system-altering actions by clicking through a dialog box from time to time. To some people, this feature is an unwanted annoyance that must be eliminated. Other users appreciate the added security. While I wouldn’t go so far as to lump UAC in with the other wasteful features in this article, I can certainly understand why some folks would like to turn it off—or at least minimize its intrusive behavior.&lt;/p&gt;
&lt;p&gt;source: &lt;a href="http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=49831" target="_blank"&gt;http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=49831&lt;/a&gt;&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/50245038</link><guid>http://bitsandbytes.tumblr.com/post/50245038</guid><pubDate>Mon, 15 Sep 2008 10:12:48 -0400</pubDate></item><item><title>Websense Discovers Worm Proclaiming WWIII</title><description>&lt;p&gt;Source: &lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5912" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5912&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Websense Security Labs ThreatSeeker Network has recently discovered another Storm worm spam campaign that centers on the start of World War III because U.S. forces have allegedly invaded Iran. The messages offer a video of this alleged recent drama.&lt;/p&gt;
&lt;p&gt;However, instead of getting a video, users would download an executable that turns their machine into part of a botnet, which the spammer can then use to send more spam or launch distributed denial of service (DDOS) attacks from that infected machine.&lt;/p&gt;
&lt;p&gt;“Storm is the most popular botnet of all time,” said Stephan Chenette, manager of Websense Security Labs. “This attack more than any surround key events that are happening [in the world] and [this time] it focuses on the tension that exists between the U.S. and Iran and exploiting people’s interest in that story.”&lt;/p&gt;
&lt;p&gt;Chenette said that users who fall victim to such an attack can become liable for any spamming or DDOS that originates from their machine, even if they are unaware of it happening, as most law enforcement officials look at where the spam is coming from and not necessarily the spam’s author.&lt;/p&gt;
&lt;p&gt;Since there are no patches available to stop Storm and since the worm relies on the social-engineering aspect of the web to get its message out, Chenette recommended that people install a web filtering product that does pre-emptive and real-time scanning to filter malicious URLs. As well, common sense can provide the biggest protection. He said that people should be wary when they receive links they never heard of and always be cautious when surfing the web.&lt;/p&gt;
&lt;p&gt;Even after interest in the tense relations between the U.S. and Iran dies down, Chenette said don’t expect the Storm worm to stay quiet.&lt;/p&gt;
&lt;p&gt;“Storm will continue to surround itself to the next event as long as it is intriguing to the user,” he added. Chenette warned that users should be on the lookout for Storm attacks around the Beijing Olympics and the U.S. presidential election.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/42198301</link><guid>http://bitsandbytes.tumblr.com/post/42198301</guid><pubDate>Mon, 14 Jul 2008 09:16:21 -0400</pubDate></item><item><title>Firefox Downloads Exceed 1.6 Million on First Day</title><description>&lt;p&gt;&lt;a href="http://www.e-channelnews.com/ec_storydetail.php?ref=416399" target="_blank"&gt;http://www.e-channelnews.com/ec_storydetail.php?ref=416399&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;According to Mozilla, Firefox 3 reached 1.6 million downloads by early Tuesday evening. The Web site saw almost 9,000 copies of the free, open-source software downloaded every minute in the opening hours of its availability.&lt;/p&gt;
&lt;p&gt;The release of Firefox 3 kicked off Download Day, the Mozilla community’s campaign to set a new Guinness World Record for the greatest number of software downloads in 24 hours.&lt;/p&gt;
&lt;p&gt;Michael Gartenberg, an analyst at JupiterResearch, is not surprised at the download numbers, since Mozilla has been pushing the new version heavily for months. “Mozilla certainly threw a nice stunt and Firefox 3 is very good browsing technology,” he said. “Most users, though, are not going to see dramatic differences from what they were using before.”&lt;/p&gt;
&lt;p&gt;Speed, Fidelity and Security&lt;/p&gt;
&lt;p&gt;Still, Mozilla calls Firefox 3 a major update. “We’re really proud of Firefox 3 and it just shows what a committed, energized global community can do when they work together,” said John Lilly, CEO of Mozilla.&lt;/p&gt;
&lt;p&gt;It took the community three years to develop the latest version. It’s available in about 50 languages. It’s two to three times faster than its predecessor and it offers more than 15,000 improvements, including a smart location bar, malware protection, and extensive under-the-hood work to improve the speed and performance of the browser, Mozilla said.&lt;/p&gt;
&lt;p&gt;At the end of the day, Gartenberg said, browsing innovations are about speed, displaying Web pages so content presents correctly, and security features to protect users from malicious Web sites.&lt;/p&gt;
&lt;p&gt;“Firefox’s big new feature is the ability to search your surfing history and find sites you’ve been to in the last three months,” Gartenberg said. “It’s sort of a mini-search engine for your own browsing experience.”&lt;/p&gt;
&lt;p&gt;Many Improvements&lt;/p&gt;
&lt;p&gt;Among the other improvements, Firefox 3 now uses less memory and its redesigned page-rendering and layout engine means users see Web pages two to three times faster than in Firefox 2.&lt;/p&gt;
&lt;p&gt;Firefox 3 also raises the bar for security. The new malware and phishing protection helps protect from viruses, worms, Trojans and spyware. Firefox 3’s one-click site ID information allows users to verify that a site is what it claims to be. Mozilla’s open-source process leverages the experience of thousands of security experts around the globe.&lt;/p&gt;
&lt;p&gt;More than 5,000 add-ons let users customize Firefox 3. Firefox add-ons allow users to manage tasks like participating in online auctions, uploading digital photos, seeing weather forecasts, and listening to music, all from the browser. The new Add-ons Manager helps users find and install add-ons directly from the browser.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/39019590</link><guid>http://bitsandbytes.tumblr.com/post/39019590</guid><pubDate>Thu, 19 Jun 2008 08:52:19 -0400</pubDate></item><item><title>What's the best format for my pictures</title><description>&lt;p&gt;&lt;a href="http://www.pcworld.ca/news/column/a225b73e0a0104080036ef21e94a0a30/pg0.htm" target="_blank"&gt;http://www.pcworld.ca/news/column/a225b73e0a0104080036ef21e94a0a30/pg0.htm&lt;/a&gt;&lt;/p&gt;
&lt;b&gt;Dave Johnson&lt;/b&gt;&lt;br/&gt;PC World&lt;br/&gt;Monday, July 24, 2006&lt;br/&gt;&lt;h4&gt;Why is JPEG so popular? When is it better to use TIFF or RAW formats? PCworld.ca gives you all the information you need to choose the right format and make sure your memories get digitally immortalized without loss of quality.&lt;/h4&gt;
&lt;p&gt;The next time you start pining for the good old days of computing, keep this in mind: in 1995 we had to negotiate hundreds of image file formats, and no two imaging programs spoke the same language. These days, with just a handful of common file types for digital photos, we’re living on easy street. Even so, it’s rarely obvious which file format is best for a given image. Here’s a look at the strengths and weaknesses of the three most common digital-photo formats.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;Go mainstream with JPEG:&lt;/strong&gt; This format is the default that digital cameras use to save pictures, and every photo editing or viewing program can read it. Because you’re able to adjust &lt;a href="http://www.pcworld.ca/Pages/News.aspx?id=8029ba180a0104080036ef2123e73421" target="_blank"&gt;JPEG&lt;/a&gt;’s compression level, you can make your files smaller, trading off image quality for portability.&lt;br/&gt;&lt;br/&gt;If you’re a casual photographer who shoots, prints and shares without much serious editing in between, stick with JPEGs. Just be sure to set your camera to capture pictures at the lowest compression, which equates to the highest image quality. You can always reduce the quality later to shrink the file size, but you can’t bring the lost image data back.&lt;br/&gt;&lt;br/&gt;JPEG does have a downside. Every time you make a change to a photo and save it, you’re reducing the quality of the image. It’s like making a photocopy of a photocopy: Eventually the loss of detail will become obvious (often painfully so), even if you always employ the highest quality setting available.&lt;br/&gt;&lt;strong&gt;&lt;br/&gt;TIFF maintains quality:&lt;/strong&gt; The TIFF image-compression format is revered because it’s lossless—no information is lost during the compression (as opposed to JPEG’s “lossy” compression). 
TIFF files are larger than comparable JPEGs, but nary a pixel or a shade of lavender is lost when you create, edit or save a TIFF.&lt;br/&gt;&lt;br/&gt;With TIFF, you’ll neither have to deal with the extra baggage that accompanies the RAW format (which we’ll get to in a moment) nor worry about JPEGs throwing away some colour information every time you &lt;a href="http://www.pcworld.ca/Pages/NewsColumn.aspx?id=40d64f3a0a01040800f0541deed0d6ae" target="_blank"&gt;save a photo&lt;/a&gt;. For best quality, configure your camera to save shots as TIFF files, and keep saving them that way afterward. Or save pictures on your camera at the best JPEG quality and then, after you edit them on your PC, choose File, Save As and select TIFF. You might lose an almost imperceptible bit of quality with the first JPEG save, but once the file is a TIFF, the quality is locked in.&lt;br/&gt;&lt;br/&gt;There is a drawback, however: TIFF files are much larger than JPEGs, and the TIFF format is not as universal as JPEG. You’ll still need to save a copy of the TIFF image as a JPEG if you want to share it via email or to place it on the web.&lt;br/&gt;&lt;strong&gt;&lt;br/&gt;Photo fanatics love RAW:&lt;/strong&gt; To wring every last drop of quality out of your photos, use your camera’s RAW mode (if it has one). RAW is lossless, and it offers more colour depth—12 bits of colour per pixel, compared with 8 bits per pixel for JPEG and TIFF. This lets you extract more detail from your photos in such editing programs as Adobe Photoshop and Photoshop Elements. Your camera saves RAW files before any white balance, sharpening or other effects are applied. It’s an unprocessed source file that offers you unlimited creative freedom.&lt;br/&gt;&lt;br/&gt;Unfortunately, every camera maker has its own flavour of RAW, and sometimes different models from the same camera vendor vary in their handling of RAW. 
For example, Nikon calls its RAW files “NEF”, while Canon uses both “CRW” and “CR2”. RAW files also require more work on your part. You’ll have to apply white balance, tweak the colours, and perhaps add sharpening to the image. And, since you can’t save your changes to RAW files, you’ll have to keep two copies of your photos—the original RAW version and the edited JPEG or TIFF file. Still, photo fanatics wouldn’t have it any other way.&lt;br/&gt;&lt;br/&gt;Try an alternative format: PNG is now the default image-file format for screens captured by Macs, and nearly all browsers can open them. In addition, every photo editing program offers its own proprietary format. Photoshop’s PSD, for instance, is lossless, and it preserves layers, so you can return to an editing project right where you left off. However, such proprietary formats usually can’t be opened outside of the program that created them, so you’ll eventually need to save the files as JPEGs to share them. &lt;/p&gt;
</description><link>http://bitsandbytes.tumblr.com/post/34782825</link><guid>http://bitsandbytes.tumblr.com/post/34782825</guid><pubDate>Wed, 14 May 2008 09:51:23 -0400</pubDate></item><item><title>Clean Machine. Does one exist?</title><description>&lt;p&gt;&lt;a href="http://www.infoweek.ca/index.php?page=shop.product_details&amp;flypage=shop.flypage&amp;product_id=2241&amp;option=com_virtuemart&amp;vmcchk=1" target="_blank"&gt;http://www.infoweek.ca/index.php?page=shop.product_details&amp;flypage=shop.flypage&amp;product_id=2241&amp;option=com_virtuemart&amp;vmcchk=1&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;img border="0" vspace="5" align="left" src="http://www.infoweek.ca/components/com_virtuemart/shop_image/product/237cadf4ad0ddb551abc5af335c8b743.jpg" hspace="5"/&gt;by Thomas Claburn&lt;br/&gt;&lt;br/&gt;Since Friday, more than half a million Trojan horse programs disguised as media files have been detected on consumer PCs, according to McAfee Avert Labs.&lt;br/&gt;&lt;br/&gt;“This is one of the most prevalent pieces of malware in the last three years,” said Craig Schmugar, a McAfee Avert Labs researcher, in an e-mailed statement. “We have never before had a threat this significant that arrives as a media file.”&lt;br/&gt;&lt;br/&gt;The Trojan malware, Downloader-UA.h, was added to the McAfee database several days ago. In the past 24 hours, it has been detected by McAfee VirusScan Online on more than 119,000 computers out of almost 436,000 scanned, an infection rate of 27%. Other malware McAfee is tracking exhibits an infection rate in the 1% to 5% range.&lt;br/&gt;&lt;br/&gt;The malware does not affect computers running Mac OS X.&lt;br/&gt;&lt;br/&gt;The malicious media files appear to be either MP3 audio files or MPEG video files and can be found on file-sharing services like LimeWire and eDonkey. McAfee believes they were placed there by cybercriminals.&lt;br/&gt;&lt;br/&gt;When a user tries to play one of the infected media files, he or she is prompted to download a file called PLAY_MP3.exe, Schmugar explained in a blog post. The file does not contain music or video as advertised. Rather, the Trojan program — Downloader-UA.h — presents users with an end-user license agreement. 
If the user agrees to the terms set forth in the 4,800-word EULA, he or she consents to the installation of NetNucleus’ Mirar Toolbar adware, and the Trojan downloads the adware “FBrowsingAdvisor” and “SurfingEnhancer,” which serve pop-up and pop-under ads.&lt;br/&gt;&lt;br/&gt;“In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads,” Schmugar wrote.&lt;br/&gt;&lt;br/&gt;In December 2006, NetNucleus threatened to sue security company Sunbelt Software for categorizing its Mirar software as adware. Mirar, the company insisted in a letter, “is a bona fide search tool that collects keywords from Web sites to direct users towards similarly themed sites.” A month later, Sunbelt’s attorney responded, insisting in a letter that Mirar’s designation as adware was accurate.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/34111320</link><guid>http://bitsandbytes.tumblr.com/post/34111320</guid><pubDate>Thu, 08 May 2008 08:18:11 -0400</pubDate></item><item><title>Web becoming the distribution point for malicious code: Symantec</title><description>&lt;p&gt;&lt;a href="http://www.echannelline.com/canada/story.cfm?item=DLY040808-1" target="_blank"&gt;http://www.echannelline.com/canada/story.cfm?item=DLY040808-1&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;8-April-2008 &lt;br/&gt;by Vanessa Ho &lt;br/&gt;&lt;br/&gt;Volume XIII of Symantec’s Global Internet Security Threat Report (ISTR) reports that the Web has quickly become the attack vector of choice. &lt;/p&gt;
&lt;p&gt;Symantec’s Global ISTR provides a six-month update of Internet threat activity and includes analysis of network-based attacks, a review of known vulnerabilities and highlights malicious code activity. It also discusses numerous issues related to online fraud, including phishing and spam. &lt;/p&gt;
&lt;p&gt;According to Michael Murphy, vice president and general manager of Symantec Canada, the biggest change in this volume of the report is that attacks on the Web have moved from something to watch out for to something that is now in the realm of reality. &lt;/p&gt;
&lt;p&gt;“One of the seismic changes in this threat report is the first real evidence that threats are targeting Web applications almost exclusively while attacks to computers and operating systems have slowly fallen off the screen,” said Murphy. &lt;/p&gt;
&lt;p&gt;He added that attacks of today are focused on web applications, Web content and Web sites because that’s where people are hanging out and that’s where data is being collected. &lt;/p&gt;
&lt;p&gt;“The ubiquitous nature of the Web and Web applications is why attackers are using it as an attack vector and the expansion of social networking sites are more than ever a conduit attackers are trying to exploit,” Murphy noted. &lt;/p&gt;
&lt;p&gt;The report indicated that social networking Web sites have been easy targets for criminals to spoof and because these sites are trusted by users, phishing attacks mimicking them may have a better chance of success. &lt;/p&gt;
&lt;p&gt;Murphy indicated that the top four phishing sites that the report observed were social networking sites like MySpace and Facebook. &lt;/p&gt;
&lt;p&gt;“The end user is always going to be the weakest link and the attackers are leveraging that because they want to dupe the individual to capture data. If you cull enough data from somebody you can create an identity [that can] be worth a lot of money. The commercialization is what drives the attackers,” he added. &lt;/p&gt;
&lt;p&gt;In terms of this underground economy, volume XIII of the ISTR noted that bank accounts were the number one item among the goods and services being sold, followed by credit cards and full identities. While Murphy said the pricing of these hasn’t changed since the last report, the bulk purchasing of bank accounts and the like has. &lt;/p&gt;
&lt;p&gt;Another new finding is that attackers are moving away from mainstream developed countries to regions or countries like Peru where security practices, legislation and infrastructure are not well developed. &lt;/p&gt;
&lt;p&gt;Other attack trends include Symantec observing an average of 61,840 active bot network computers per day, a 17 per cent increase from the first half of 2007. Canada saw an average of 7,344 active bot infected computers per day. Toronto, Montreal and Calgary were the top bot cities. &lt;/p&gt;
&lt;p&gt;Volume XIII also broke out attack trends in terms of malicious activity via ISPs. &lt;/p&gt;
&lt;p&gt;Murphy stressed that this doesn’t mean the ISPs are propagating the attacks, but rather that the attackers are subscribers using IP addresses the ISPs assigned to them. &lt;/p&gt;
&lt;p&gt;But he added that these statistics prove that ISPs can do a better job in educating their customers in the area of security. &lt;/p&gt;
&lt;p&gt;“It’s not just about offering technology but helping customers understand the challenges facing them and how they can protect themselves beyond anti-virus to include anti-phishing, personal firewall and data loss prevention,” said Murphy. &lt;/p&gt;
&lt;p&gt;In terms of vulnerabilities, the Mozilla family of browsers had the highest number of vulnerabilities during this reporting period at 88, a 60 per cent increase over the last report. The window of exposure for these vulnerabilities was three days. While Microsoft showed fewer reported vulnerabilities, its window of exposure was the longest at 11 days. &lt;/p&gt;
&lt;p&gt;As well, Symantec documented 239 browser plug-in vulnerabilities in the last six months of 2007 compared to the first six months where browser plug-in vulnerabilities were 237. During the last half of 2007, 79 per cent of those vulnerabilities affected ActiveX components, down from 89 per cent in the first half. &lt;/p&gt;
&lt;p&gt;“As much as browsers have become secure, plug-ins have not and patches have not been readily available,” said Murphy. &lt;/p&gt;
&lt;p&gt;New in this report is an observation on malicious code trends: in the last six months of 2007, seven per cent of the top 50 malicious code samples modified web pages, up three percent from the first half of 2007. In the second half of 2006, none of the top 50 malicious code samples attempted to modify web pages on compromised computers. &lt;/p&gt;
&lt;p&gt;“This is almost a reverse to old school stuff,” said James Quin, senior research analyst with Info-Tech Research Group. “Web site defacement was one of the first types of cyber attacks done just for notoriety and now the same threat is being turned around for monetary gain.” &lt;/p&gt;
&lt;p&gt;In the second half of 2007, 40 per cent of malicious code that propagated did so as shared executable files, a significant increase from 14 per cent during the first half of the year. &lt;/p&gt;
&lt;p&gt;“Most file sharing is peer-to-peer and SMTP [and are targets] because this is where individuals are most socially engineered,” said Murphy. &lt;/p&gt;
&lt;p&gt;While spam has grown 71 per cent from 65 per cent in the previous volume of the report, Murphy noted that spam is becoming less about selling product and more a conduit for social engineering phishing attacks. &lt;/p&gt;
&lt;p&gt;“As long as spam is still lucrative and fast growing, it will still be used,” he added. &lt;/p&gt;
&lt;p&gt;As for what to watch for in the future, Murphy said there is an increasing trend in the industry to adopt whitelisting. &lt;/p&gt;
&lt;p&gt;He explained that a whitelist is a list of all applications or things that are good and are allowed onto a person’s network or computer. Traditionally, blacklisting was used. A blacklist is a list of all things that are bad and need to be prevented from entering a network or system. &lt;/p&gt;
&lt;p&gt;But now, with over a million distinct threats out there today, Murphy said it would take a lot of time and effort to maintain a blacklist that long while keeping it portable enough for a device with enough computing power to hold the list and detect malicious threats. &lt;/p&gt;
&lt;p&gt;He added the problem with a whitelist is determining what makes the list but Murphy still believes that whitelisting is the way to go considering how threats are growing. &lt;/p&gt;
&lt;p&gt;“Symantec is working on how best to integrate whitelisting but not at the expense of blacklisting as they have to co-exist together.” &lt;/p&gt;
&lt;p&gt;Another trend to watch is the rapid and widespread growth in external storage devices like USB sticks, cellular phones, audio players and cameras that can pose a risk of enterprise data loss. &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/31244708</link><guid>http://bitsandbytes.tumblr.com/post/31244708</guid><pubDate>Wed, 09 Apr 2008 09:31:34 -0400</pubDate></item><item><title>Growing Crimeware-as-a-Service (CaaS) industry caters to cybercriminals</title><description>&lt;p&gt;&lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5572" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5572&lt;/a&gt;&lt;/p&gt;7 April, 2008&lt;br/&gt;By Erin Bell&lt;p&gt;Crimeware-as-a-Service (CaaS) is the latest business model for cybercriminals, according to Finjan Inc.’s Q1 2008 Web Security Trends Report. &lt;/p&gt;
&lt;p&gt;The report, which outlined the findings of Finjan’s Malicious Code Research Center, said that criminals have started to use online cybercrime services instead of dealing with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites themselves. &lt;/p&gt;
&lt;p&gt;“Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it,” said Finjan CTO Yuval Ben-Itzhak. &lt;/p&gt;
&lt;p&gt;Operating in parallel with legitimate mainstream software providers, the creators and owners of these Crimeware toolkits provide their customer base with update mechanisms while tooling them with sophisticated, anti-forensic attack techniques, as well as the ability to manage and monitor malicious code affiliation networks. It enables a new level of Crimeware availability by supplying anyone willing to purchase an easy-to-use Crimeware toolkit. &lt;/p&gt;
&lt;p&gt;During 2007, the MCRC covered the trend of new Crimeware that purely focuses on financial gain, as well as the way it works to get revenue out of each infection. In this report, MCRC showed how the delivery and distribution of malware have been upgraded to deliver a different type of malware to different geographical regions. &lt;/p&gt;
&lt;p&gt;“Cybercriminals can now generate more targeted infections and deliver specialized Crimeware for specific geographical regions,” Ben-Itzhak said. “Our report illustrates how these criminals are employing marketing and sales techniques to address the cybercrime economy and ensure that the market they are after gets the proper ‘product’ localized for it.” &lt;/p&gt;
&lt;p&gt;According to Finjan, the next phase in the commercialization process of Crimeware will be creating a service for getting straight to stolen data by providing the victim data tailored to the criminal intent. Having such a service eliminates the need for attackers to even have to log-in to manage an attacker profile on a Crimeware-toolkit platform. &lt;/p&gt;
&lt;p&gt;Concludes Ben-Itzhak: “The trends described in this report confirm that the security industry and law enforcement agencies should take an innovative approach in handling these Crimeware commercialization threats. Cybercriminals continue to adapt legitimate technologies and business models to support their criminal activities.” &lt;/p&gt;
&lt;p&gt;Finjan is a global provider of web security solutions for the enterprise market.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/31244458</link><guid>http://bitsandbytes.tumblr.com/post/31244458</guid><pubDate>Wed, 09 Apr 2008 09:27:05 -0400</pubDate></item><item><title>New Threat Report reveals infected websites remain active longer</title><description>&lt;p&gt;&lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5555" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5555&lt;/a&gt;&lt;/p&gt;2 April, 2008&lt;br/&gt;By Vanessa Ho &lt;p&gt;In ScanSafe’s recent Global Threat Report, the web security-as-a-service company revealed that &lt;strong&gt;web threats including viruses, Trojans, password stealers and other forms of malware are becoming more prevalent and that compromised websites remain live for a longer period of time than before.&lt;/strong&gt; &lt;/p&gt;
&lt;p&gt;ScanSafe scanned more than 80 billion web requests and blocked 800 million web threats in 2007 on behalf of corporate customers in more than 50 countries across five continents. &lt;/p&gt;
&lt;p&gt;ScanSafe’s analysis found a 61 per cent increase in malware during the second half of 2007. 21 per cent of all the malware blocked by ScanSafe in 2007 was zero-day malware — new malware for which there is no existing patch or anti-virus signature. &lt;/p&gt;
&lt;p&gt;According to Mary Landesman, senior security researcher with ScanSafe, the biggest reason why malware increased by 61 percent was its move to the web. &lt;/p&gt;
&lt;p&gt;“The web allows this sort of thing,” said Landesman. “In the past, the web was a one-way medium but Web 2.0 has become widely adopted to make it [more] dynamic with third-party content.” &lt;/p&gt;
&lt;p&gt;She added that the web applications required to drive this interaction often have vulnerabilities or lack validation. As well, there are not enough security-conscious web developers out there to write more secure code. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;In addition to viruses, Trojans, password stealers and other forms of malware becoming more prevalent, ScanSafe noted that an increasing number of legitimate sites are unknowingly hosting malware and compromised sites are remaining infected longer — in some cases more than two months.&lt;/strong&gt; &lt;/p&gt;
&lt;p&gt;The most frequently encountered malware is designed to steal passwords and other sensitive financial information from bank accounts and even online games — putting corporate and personal financial information at greater risk and opening businesses to legal liability and compliance risks. &lt;/p&gt;
&lt;p&gt;“&lt;strong&gt;Malware is now a criminal business&lt;/strong&gt; and with any business they are looking for an ROI. If they compromise a legitimate website, they can get millions of potential victims. That’s why the web is a favored medium,” Landesman noted. &lt;/p&gt;
&lt;p&gt;ScanSafe also noted that there has been a significant increase in the amount of time a site is delivering malware. In the second half of 2007, malware on infected sites remained live for an average of 29 days, a 62 per cent increase from 18 days during the first half of the year. &lt;/p&gt;
&lt;p&gt;Additionally, zero-day threats have an even longer shelf life once they compromise a website. Websites infected with zero-day malware remained live an average of 61 days in the second half of 2007, up 190 per cent from 21 days during the first half of 2007. &lt;/p&gt;
&lt;p&gt;“This goes towards the amount of effort these attackers are putting in new threats and points to perhaps the need for signatures to be delivered in a timely fashion,” said Landesman. &lt;/p&gt;
&lt;p&gt;The average time to life for all malware blocks over the course of the year was 24 days. &lt;/p&gt;
&lt;p&gt;The report also noted that the complex network of advertising providers and advertising affiliates has made it increasingly easy for attackers to surreptitiously insert malicious advertising. With one rogue partner, a large number of sites can begin delivering malware, potentially exposing millions. In 2007 several high profile sports sites unwittingly served malicious ads, including the websites for the National Hockey League, Major League Baseball, TheSun.co.uk, MySpace.com and PhotoBucket.com. &lt;/p&gt;
&lt;p&gt;Landesman added that it would be difficult to shut down websites that are known to be compromised as there are legal and jurisdiction issues, and some ISPs may not be on board with this. &lt;/p&gt;
&lt;p&gt;She stressed that &lt;strong&gt;the best protection from compromised websites is for users to do real-time scanning of web traffic as well as keep security patches up-to-date and use traditional solutions like anti-virus. &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;“There is not enough awareness of the move of threats to the web and not enough awareness that this is another vector that enterprises need to be concerned about more than any of the other traditional malware.” &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/30669290</link><guid>http://bitsandbytes.tumblr.com/post/30669290</guid><pubDate>Thu, 03 Apr 2008 09:00:00 -0400</pubDate></item><item><title>Adware biggest offender for computer infections</title><description>&lt;p&gt;From &lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5549" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5549&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Adware was the worst offender for causing malware infections in the first quarter of 2008, but Trojans were close behind as the second most active category. &lt;/p&gt;
&lt;p&gt;According to Panda Software’s PandaLabs Q1 malware analysis and detection report, adware was the cause of 28.58 per cent of all infections, making it the leading cause of infections during the first three months of the year. Trojans followed closely behind with 25.46 per cent of all infections. &lt;/p&gt;
&lt;p&gt;“Adware is a type of malicious code that shows ads while users surf the Web. Besides being annoying, many variants can compromise the computer’s security or performance, so users should take precautions,” said Luis Corrons, technical director of PandaLabs, in a statement. &lt;/p&gt;
&lt;p&gt;After adware and Trojans, the figures dropped significantly. Worms accounted for 9.94 per cent of all infections, representing the third worst offender in the first quarter of 2008. &lt;/p&gt;
&lt;p&gt;In terms of new malware strains that appeared in the first quarter, there were more new Trojans than anything else (62.16 per cent of new malware strains detected in Q1 were Trojans), followed by adware (20.34 per cent) and worms (8.87 per cent). &lt;/p&gt;
&lt;p&gt;“The huge amount of new Trojans put in circulation every month indicates that cyber-criminals are interested in creating new strains more frequently, making detection increasingly difficult for security solutions, which will be unable to update signature files in time, leaving users unprotected,” Corrons said. &lt;/p&gt;
&lt;p&gt;The two most active viruses in the quarter were adware. Comet topped the list as the most active virus, followed by NaviPromo. After that, the most active viruses were, in descending order, W32/Bagle.HX.worm, W32/Bagle.RC.worm, W32/Bagle.RP.worm, SaveNow (adware), Starware (also adware), W32/Puce.E.worm, Zango (adware) and Virtumonde (spyware). &lt;/p&gt;
&lt;p&gt;The report also included a special section on threats to cell phones, smartphones, iPhones, etc. PandaLabs stated the three biggest threats to such devices are worms, Trojans and spyware. &lt;/p&gt;
&lt;p&gt;“Their behavior and features are similar to those of malicious codes for computers,” said Corrons. “Trojans designed to steal confidential data like e-mail passwords, instant messaging contacts, etc., are the most prevalent, with 54.48 per cent of all infections. This shows attacks against cell phones are becoming increasingly sophisticated.” &lt;/p&gt;
&lt;p&gt;The most common effects of malware for cell phones include cell phone blocking, battery consumption, sending of SMS to premium numbers, deletion of folders and messages, and theft of phone numbers, SMS or other sensitive data stored on the devices. &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/30564114</link><guid>http://bitsandbytes.tumblr.com/post/30564114</guid><pubDate>Wed, 02 Apr 2008 09:04:19 -0400</pubDate></item><item><title>Botnet scams are exploding</title><description>&lt;p&gt;&lt;a href="http://www.e-channelnews.com/ec_storydetail.php?ref=415753" target="_blank"&gt;http://www.e-channelnews.com/ec_storydetail.php?ref=415753&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Two days after actor Heath Ledger died, e-mails began moving across the Internet purportedly carrying a link to a detailed police report divulging “the real reason” behind the actor’s death. &lt;/p&gt;&lt;p&gt;Ledger had been summarily drafted into the service of a botnet.&lt;/p&gt; &lt;p&gt;Bots are compromised computers controlled by profit-minded crooks. Those e-mails were spread by a network of thousands of bots, called a botnet. Anyone who clicked on the link got instantly absorbed into the fast-spreading Mega-D botnet, says security firm Marshal. Mega-D enriches its operators, mainly by distributing spam for male-enhancement pills.&lt;/p&gt;
&lt;p&gt;Largely unnoticed by the public, botnets have come to inundate the Internet. On a typical day, 40% of the 800 million computers connected to the Internet are bots engaged in distributing e-mail spam, stealing sensitive data typed at banking and shopping websites, bombarding websites as part of extortionist denial-of-service attacks, and spreading fresh infections, says Rick Wesson, CEO of Support Intelligence, a San Francisco-based company that tracks and sells threat data.&lt;/p&gt;
&lt;p&gt;“It’s like a disease you can’t even feel,” Wesson says. “The mechanisms we use to protect our networks simply are not working.”&lt;/p&gt;
&lt;p&gt;The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January - an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91% of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark.&lt;/p&gt;
&lt;p&gt;The upshot of this deluge is profound, if not immediately obvious, says Adam O’Donnell, Cloudmark’s director of emerging technology. Telecoms and Internet service providers must absorb the cost of carrying botnet traffic; they can be expected to pass that expense onto companies and consumers, he says. Meanwhile, tens of millions of botted computer users are experiencing degraded performance with no clue why.&lt;/p&gt;
&lt;p&gt;Beyond that, cybercrime gangs are stockpiling enough stolen data to fuel identity theft scams for years to come. Meanwhile, law enforcement is negligible, and security protections for consumers and businesses remain, at best, patchwork and haphazardly deployed, says Somesh Jha, computer science professor at the University of Wisconsin-Madison. “The botnet landscape is shifting, and the worst hasn’t happened yet,” says Jha, who is also chief scientist at security software firm NovaShield.&lt;/p&gt;
&lt;p&gt;A perfected Storm&lt;/p&gt;
&lt;p&gt;Exhibit No. 1 showcasing botnets’ criminal potential: the mega botnet Storm.&lt;/p&gt;
&lt;p&gt;At first, the e-mail that began circulating on Jan. 19, 2007, appeared to security researchers to be a garden variety e-mail virus. It carried a tainted link to a news story about a deadly storm. In fact, the gang that released the e-mail had spent months preparing a strategy for amassing a sprawling, impenetrable botnet designed to self-replicate.&lt;/p&gt;
&lt;p&gt;Fourteen months later, Storm remains entrenched as the largest, most active botnet clogging the Internet. Security experts credit Storm’s operators with breakthroughs now being widely emulated by copycat botnet operators.&lt;/p&gt;
&lt;p&gt;Storm was first to make wide use of peer-to-peer, or P2P, communications - the technology that allows one computer to share files with any other computer across the Internet. Bots in a botnet typically receive instructions from a central PC, called the command-and-control server. Authorities are getting better at discovering and shutting down such central servers.&lt;/p&gt;
&lt;p&gt;So Storm’s operators perfected a way to use P2P communications to issue commands from a rotating subset of PCs inside the botnet. As extra protection, Storm became the first botnet to encrypt its instructions.&lt;/p&gt;
&lt;p&gt;“They’ve built a very resilient infrastructure,” says Dmitri Alperovitch, principal researcher at Secure Computing. “If one command server gets shut down, it moves to the next.”&lt;/p&gt;
&lt;p&gt;Meanwhile, Storm rewrote the book on the psychological ploys - known as social engineering - that lure victims into clicking on tainted attachments or Web links. Storm e-mails arrived with irresistible links to holiday-themed greeting cards, Beyoncé Knowles and Kelly Clarkson music videos, even an NFL game-tracking tool. Storm peaked last July, infecting an estimated 1.7 million PCs, according to Symantec.&lt;/p&gt;
&lt;p&gt;Anti-virus firms began to block Storm e-mail, and Microsoft (MSFT) helped clean up Windows PCs infected by Storm. But Storm’s operators proved adept at dodging the latest anti-virus filters. Subscribing to the idea that the best defense is an aggressive offense, they also began attacking any researcher who tried to isolate any of their bots. Outsiders detected trying to establish contact with a Storm bot are inundated by an avalanche of nuisance requests launched from the wider botnet.&lt;/p&gt;
&lt;p&gt;“Storm has a self-defense mechanism,” Alperovitch says. “Any time someone probes the botnet too much, it reacts automatically and starts a denial-of-service attack against that researcher.”&lt;/p&gt;
&lt;p&gt;Tool of choice&lt;/p&gt;
&lt;p&gt;The result: Storm endures as the king of botnets with several hundred thousand infected PCs doing its bidding on any given day. Yet Storm is really a one-trick pony. It generates cash mainly by spewing spam urging recipients to buy shares in obscure companies, the linchpin to an array of scams spinning off the artificial inflation of the share price.&lt;/p&gt;
&lt;p&gt;Another tier of smaller, multipurpose botnets springs from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data.&lt;/p&gt;
&lt;p&gt;Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance.&lt;/p&gt;
&lt;p&gt;Phishing expeditions are just one of many uses of botnets. Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent “click through” revenue.&lt;/p&gt;
&lt;p&gt;“Botnets have become the tool of choice for bad guys,” says Rick Howard, director of intelligence at VeriSign iDefense. “You take over a box (PC), put it in your botnet and forevermore you own that box and can do whatever you like with it.”&lt;/p&gt;
&lt;p&gt;One particularly invasive collection of botnets, known as Zbot, is controlled by Russian crime groups going by the online designations UPLEVEL, CAR Group and Glamorous Team. Zbot’s operators late last year got away with swiping millions from banks in four nations, says Don Jackson, a senior researcher at SecureWorks who has been monitoring Zbot.&lt;/p&gt;
&lt;p&gt;“We know that the amount stolen in December, which affected banks in the USA, U.K., Italy and Spain, was just over $6 million,” Jackson says. “This is based on sources within the banks and law enforcement that work with us.”&lt;/p&gt;
&lt;p&gt;The scammers enticed bank customers to click on a link purportedly to download an updated digital certificate, the equivalent of a digital ID card. Instead, Zbot installed a program that positioned it to come along for the ride the next time the user successfully accessed the account. Zbot then automatically executed cash transfers to other accounts controlled by its operators - while the victim did his or her online banking.&lt;/p&gt;
&lt;p&gt;“This scheme is extremely clever and quite ironic considering that digital certificates are provided by financial institutions to protect online bank users from fraud,” Jackson says.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/30356075</link><guid>http://bitsandbytes.tumblr.com/post/30356075</guid><pubDate>Mon, 31 Mar 2008 09:47:54 -0400</pubDate></item><item><title>Spyware the real cost</title><description>&lt;p&gt;&lt;img border="0" width="1" src="http://www.connectitnews.com/canada/images/spacer.gif" height="30"/&gt;From Connect IT News.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5538" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5538&lt;/a&gt;&lt;/p&gt; Spyware a barrier to productivity&lt;br/&gt;30 March, 2008&lt;br/&gt;By Patricia Pickett&lt;br/&gt;Small businesses are facing huge problems when it comes to spyware infections — but their troubles could open up doors for channel partners to offer managed services in order to help alleviate the issue, says the Computing Technology Industry Association (CompTIA). &lt;p&gt;In a recent survey commissioned by &lt;a href="http://www.comptia.org/" target="_blank"&gt;CompTIA&lt;/a&gt; and conducted by Washington, D.C.-based consultancy &lt;a href="http://www.kotlermarketing.com/" target="_blank"&gt;Kotler Marketing Group&lt;/a&gt;, which polled 537 non-IT employees at businesses with 10 to 200 computer users, more than one in four end users reported having their productivity impacted by a spyware infection during the past six months. Of these, more than one-third reported multiple spyware infections. &lt;/p&gt;
&lt;p&gt;According to Steven Ostrowski, director of corporate communications at Oakbrook Terrace, Ill.-based CompTIA, lack of training seems to be behind much of the spyware problem. “Users don’t know oftentimes how to compute safely, how to do e-mail the proper way, and that they shouldn’t open certain e-mail attachments or visit certain web sites,” Ostrowski explained. He added that education has to become more of a business issue rather than a responsibility that sits on the shoulders of the IT department. “The human element continues to be probably the biggest factor in computer security issues that companies are facing…but it has not resonated with a lot of companies that they need this educational component.” &lt;/p&gt;
&lt;p&gt;The spyware problem is also cropping up more frequently simply because there is more of it. “The numbers continue to increase despite the efforts of companies to come up with anti-spyware technology,” said Ostrowski. “It seems to multiply and for every step we take to address the problem, it seems that (spyware makers) are two steps ahead.” &lt;/p&gt;
&lt;p&gt;The survey also found that users of spyware-infected computers reported living with the problem for 18 work hours — more than two full work days — before getting it repaired. This tended to happen even though users realized that their work productivity was reduced due to the problems associated with spyware. In fact, respondents estimated that their productivity was reduced by 21 per cent when the spyware issue was first noticed, and was reduced by 32 per cent when the problem was at its peak. &lt;/p&gt;
&lt;p&gt;While there may be some users who are simply unaware that spyware has infected their computers, it is likely more common that employees will know the source of the problem but will not report it because they are afraid of getting into trouble, Ostrowski said. “There is a fear factor involved because they may be doing something they shouldn’t be doing on their computers during work hours,” he explained. “Eventually after a day and a half they will call the IT department and say ‘I’ve got this problem.’” &lt;/p&gt;
&lt;p&gt;CompTIA also polled 200 IT professionals who support small and mid-sized businesses on some of the issues they face. PC support pros who had fixed at least one spyware incident during the past year reported spending an average of 2.8 labour hours per infected PC. That translates into more than 20 hours of reduced worker productivity for each spyware incident at a small business. &lt;/p&gt;
&lt;p&gt;Ian says: &lt;strong&gt;“This is why I try and educate customers about the hazards of peer-to-peer networks and other risky behaviour when using their computers”&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;No wonder he gets a little grumpy when he’s told &lt;strong&gt;“It’s my computer I can do what I like with it”&lt;/strong&gt;&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/30349449</link><guid>http://bitsandbytes.tumblr.com/post/30349449</guid><pubDate>Mon, 31 Mar 2008 08:24:37 -0400</pubDate></item><item><title>Little Red Riding Hood Fights Online Fraud</title><description>&lt;p&gt;&lt;a href="http://www.e-channelnews.com/ec_storydetail.php?ref=415698" target="_blank"&gt;http://www.e-channelnews.com/ec_storydetail.php?ref=415698&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;Online fraud is on the rise, and fraudsters have developed sophisticated means of accessing consumers’ sensitive personal information over the Internet. Canadians are being caught by malicious phishing emails and spoof websites, and it’s getting harder to differentiate between what’s real and what’s not.&lt;/p&gt;
&lt;p&gt;March is Fraud Prevention Month. With a mandate to “Recognize It, Report It, Stop it,” the Fraud Prevention Forum aims to educate consumers and raise awareness about the dangers of online fraud.&lt;/p&gt;
&lt;p&gt;Technology expert, author, journalist and consultant, Marc Saltzman is eBay Canada’s Online Safety expert and can provide advice and tools for identifying and avoiding online fraud and identity theft.&lt;/p&gt;
&lt;p&gt;To help Canadian consumers identify and combat phishing attempts and spoof websites, Saltzman uses a video tutorial featuring the iconic fairy tale figure, Little Red Riding Hood.&lt;/p&gt;
&lt;p&gt;- Just over 13,000 unique phishing reports were received by the Anti-Phishing Working Group in August 2005. By August 2006, that number grew to over 26,000.&lt;/p&gt;
&lt;p&gt;- More than 10,000 phishing websites exist worldwide to date; almost double the number that existed in 2005&lt;/p&gt;
&lt;p&gt;- Reports of phishing complaints to the APWG increased by 34% in the last 12 months&lt;/p&gt;
&lt;p&gt;- Up to 5% of these complainants have taken the ‘phisherman’s bait’ and experienced financial loss as a result of online fraud&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/28764224</link><guid>http://bitsandbytes.tumblr.com/post/28764224</guid><pubDate>Thu, 13 Mar 2008 13:01:00 -0400</pubDate></item><item><title>McAfee notes malware becoming localized</title><description>&lt;p&gt;&lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5429" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5429&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;A new report released by McAfee Inc. notes that malware attacks are becoming more regionalized, with attacks being tailored to different cultures and technologies and written in a person’s own language. &lt;/p&gt;
&lt;p&gt;“Two years ago we couldn’t have this conversation, as 98 per cent of threats globally were written in the English language or targeted at the English language. Contrast that to last month where seven per cent of attacks were not in English. It just really means more and more people around the world are getting attacked in their local language,” said Dave Marcus, security research and communications manager at McAfee Avert Labs. &lt;/p&gt;
&lt;p&gt;Some of the trends noted in the report, entitled “One Internet, Many Worlds,” are that sophisticated malware authors have increased country-, language-, company-, and software-specific attacks, and that cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly. For example, Marcus noted that attackers targeting people in Germany developed spam geared towards specific cultural interests or events such as the 2006 FIFA World Cup. &lt;/p&gt;
&lt;p&gt;Additionally, cyber criminals, particularly those in the United States, will recruit malware writers in countries with high unemployment and high levels of education such as Russia and China in order to get them to write malware code in their local language. &lt;/p&gt;
&lt;p&gt;“It is going to be difficult for malware writers in the U.S. to write effective malware to target Chinese people. They need someone that speaks Chinese so they get someone local or contract that task out,” said Marcus. &lt;/p&gt;
&lt;p&gt;Other trends noted include cybercriminals taking advantage of countries where law enforcement is lax, and malware authors around the world exploiting the viral nature of Web 2.0 and peer-to-peer networks. Also, more exploits than ever before are targeted at locally popular software and applications. &lt;/p&gt;
&lt;p&gt;Geographic trends include the U.S. becoming a great malware melting pot where malware in the country includes elements of malicious software seen around the world. &lt;/p&gt;
&lt;p&gt;Marcus said the best defense against these localized attacks is education along with having up-to-date security technology. &lt;/p&gt;
&lt;p&gt;“If you are a world traveler you got to be aware that certain parts of the world will experience certain threats that may not be in other parts of the world. I need to be educated so I can take action on it or that I am appropriately protected,” he added. &lt;/p&gt;
&lt;p&gt;As well, Marcus believed that these localized malware attacks are here to stay and expects the number of attacks to double over the next year. &lt;/p&gt;
&lt;p&gt;“It speaks to the fact that more people around the world are coming online and if you really want to steal their identities you have to talk to them in their local language. It is just going to be an even greater problem in the future,” said Marcus. &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/27613628</link><guid>http://bitsandbytes.tumblr.com/post/27613628</guid><pubDate>Fri, 29 Feb 2008 10:18:16 -0500</pubDate></item><item><title>Apple Introduces New MacBook and MacBook Pro Models</title><description>&lt;a href="http://www.apple.com/ca/press/2008_02/macbook.html?cid=asw-release-macbooks"&gt;Apple Introduces New MacBook and MacBook Pro Models&lt;/a&gt;: &lt;p&gt;Multi-Touch Trackpad Comes to MacBook Pro&lt;/p&gt;
&lt;p&gt;MARKHAM, Ontario—February 26, 2008—Apple® today updated its popular MacBook® and MacBook Pro notebook lines with the latest Intel Core 2 Duo processors, larger hard drives and 2GB of memory standard in most models. In addition, MacBook Pro includes the latest NVIDIA graphics processors, now with up to 512MB of video memory, and Apple’s innovative Multi-Touch™ trackpad, first introduced in MacBook Air™. All Mac® notebooks include a built-in iSight® video camera for video conferencing on-the-go*, Apple’s MagSafe® Power Adapter that safely disconnects when under strain and built-in 802.11n wireless networking for up to five times the performance and twice the range of 802.11g.**&lt;/p&gt;
&lt;p&gt;The new MacBook Pro features the latest Intel Core 2 Duo technology with up to a 2.6 GHz processor with 6MB of shared L2 cache; up to 4GB of 667 MHz DDR2 SDRAM memory and up to a 300GB hard drive, plus NVIDIA GeForce 8600M GT graphics with up to 512MB of video memory. Every MacBook Pro now includes a trackpad with Multi-Touch gesture support for pinch, rotate and swipe, making it more intuitive than ever to zoom and rotate photos in iPhoto® or Aperture™ 2 or browse web pages in Safari™; an illuminated keyboard that makes it ideal for dimly lit environments such as airplanes, studios or conference halls and a built-in ambient light sensor, which automatically adjusts the brightness of the keys as well as the brightness of the display for optimal visibility. &lt;/p&gt;
&lt;p&gt;Featuring a gorgeous 13-inch glossy widescreen display, and with prices still starting at just $1,149 (CAN), the new MacBook lineup comes in three models and includes faster processors and larger hard drives across the line; sleek white 2.1 GHz and 2.4 GHz models with 120GB or 160GB 5400 rpm hard drives and a stunning black 2.4 GHz model with a massive 250GB 5400 rpm hard drive, previously only available as an option. The 2.4 GHz MacBook models ship with 2GB of memory standard, expandable up to 4GB across the line.&lt;/p&gt;
&lt;p&gt;Every MacBook and MacBook Pro includes a built-in iSight video camera for video conferencing on-the-go; Apple’s MagSafe Power Adapter that magnetically connects the power cord and safely disconnects when under strain; the latest generation of 802.11n wireless networking for up to five times the performance and twice the range of 802.11g; built-in 10/100/1000 BASE-T Gigabit Ethernet for high-speed networking; Bluetooth; analog and digital audio inputs and outputs; USB 2.0; FireWire® and a built-in SuperDrive®.&lt;/p&gt;
&lt;p&gt;Every Mac in the Apple lineup comes with iLife® ‘08, the most significant update ever to Apple’s award-winning suite of digital lifestyle applications, featuring a major new version of iPhoto and a completely reinvented iMovie®, both seamlessly integrated with the new .Mac Web Gallery for online photo and video sharing***. Every Mac also includes Leopard®, the sixth major release of the world’s most advanced operating system which introduces Time Machine™, an effortless way to automatically back up everything on a Mac; a redesigned Finder™ that lets users quickly browse and share files between multiple Macs; Quick Look, a new way to instantly see files without opening an application; Spaces, an intuitive new feature used to create groups of applications and instantly switch between them; a brand new desktop with Stacks, a new way to easily access files from the Dock and major enhancements to Mail and iChat®. .Mac members can use the new Back to My Mac feature to browse and access files on their home computer from a Mac over the Internet while out on the road.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/27336768</link><guid>http://bitsandbytes.tumblr.com/post/27336768</guid><pubDate>Tue, 26 Feb 2008 10:53:00 -0500</pubDate></item><item><title>Website categories that cause the most damage to users</title><description>&lt;p&gt;Web of Trust (WOT), an online reputation rating community, has unveiled the findings of its study that looked at the categories of websites that are the most dangerous for Internet users. These website categories can cause major financial damage and damage to computers. &lt;/p&gt;
&lt;p&gt;Based on an analysis of 17 million websites rated by the WOT users community, three categories emerged as causing the most damage: adult content (28 per cent); software (27 per cent), which includes free and licensed software sold and downloaded over the Internet; and entertainment (16 per cent) sites that include movies, games, music, screensavers and smileys. &lt;/p&gt;
&lt;p&gt;Other dangerous categories include search sites, digital marketing providers and consumer research sites that make empty promises of free gifts or money. &lt;/p&gt;
&lt;p&gt;The main vehicle in the above scams is a permanent website, unlike the “throwaway” sites used in phishing attacks carried out with the aid of fraudulent e-mail messages. Dangerous sites usually remain in business for months or years, attracting millions of visitors and causing them damage. &lt;/p&gt;
&lt;p&gt;The nature of this damage includes direct financial damage caused by non-delivered or poor-quality products, by lack of payment or through credit/debit card fraud. Computer damage is caused by installing malicious software or changing the computer’s settings. Increasing online threats include spyware that makes the user vulnerable to further attacks. &lt;/p&gt;
&lt;p&gt;“With this study we wanted to shed light on the dark corners of the Internet. The findings show that Internet users should be really cautious when downloading software, movies, music and screensavers, not to mention when visiting sites with adult content,” said Esa Suurio, head of WOT and CEO of Against Intuition, Inc., a provider of software and services for the WOT community that promotes the community’s goals. &lt;/p&gt;
&lt;p&gt;A list of the 50 websites with the worst reputation and deemed dangerous can be found &lt;a href="http://www.mywot.com/press/fiftydangerouswebsites" target="_blank"&gt;here&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;“Many of the dangerous websites are well designed and seem reliable, but if you download content from them you may run into problems, even with the latest security software installed on your PC. In particular, spyware can bypass security controls, leaving you vulnerable to further attacks,” Suurio said. &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/26730855</link><guid>http://bitsandbytes.tumblr.com/post/26730855</guid><pubDate>Tue, 19 Feb 2008 11:36:23 -0500</pubDate></item><item><title>New crimeware toolkit infects over 10,000 U.S. Websites</title><description>&lt;p&gt;&lt;a href="http://www.echannelline.com/canada/story.cfm?item=DLY021108-3" target="_blank"&gt;http://www.echannelline.com/canada/story.cfm?item=DLY021108-3&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Finjan Inc. says its Malicious Code Research Center (MCRC) has identified yet another significant new Web attack — the latest in a genre of crimeware that threatens to turn highly trusted Websites into insidious traps for unwary visitors. The attack, which Finjan designated as “random js toolkit”, is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan’s “master” (read: cyber-criminal). &lt;/p&gt;
&lt;p&gt;More than 10,000 Websites in the U.S. were infected in December by this latest malware, the company said. Data stolen by the Trojan can include documents, passwords, surfing habits, or any other sensitive information of interest to the criminal. &lt;/p&gt;
&lt;p&gt;Finjan is a San Jose, Calif.-based vendor of real-time secure gateway and anti-crimeware solutions. &lt;/p&gt;
&lt;p&gt;The attack is described in detail in Finjan’s latest “Malicious Page of the Month” report. Among other things, the report stated that, in order to safeguard end users from these malicious Web threats, businesses should opt for real-time inspection technologies that analyze each piece of Web content regardless of its URL, context, and appearance. “Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly too little, too late when it comes to providing adequate protection to today’s dynamic and evasive Web threats.” &lt;/p&gt;
&lt;p&gt;The random js toolkit is JavaScript code that is created dynamically and changes every time it is accessed. As a result, it is almost impossible for traditional signature-based anti-malware products to detect. Explained Finjan CTO Yuval Ben-Itzhak, “Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of ‘highly-trusted-doubtful’ domains serves only as a limited defense against this attack vector.” &lt;/p&gt;
&lt;p&gt;What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time, Ben-Itzhak said. &lt;/p&gt;
&lt;p&gt;“This technology doesn’t depend on the origin URL, signature or the site’s reputation, but inspects the Web content in real-time, as served,” he said. “It analyzes the code’s intentions before enabling it to be executed on the end-user browser.” &lt;/p&gt;
&lt;p&gt;Ben-Itzhak noted that the random js toolkit is an example of the recent trend among cyber-criminals to undermine trusted Websites. &lt;/p&gt;
&lt;p&gt;“In mid-year 2007, studies showed there were nearly 30,000 new infected Web pages being created every day. About 80 percent of those pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse.” &lt;/p&gt;
&lt;p&gt;The attack is executed by way of the dynamic embedding of scripts into a Web page. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses, the company said. &lt;/p&gt;
&lt;p&gt;To download the report, visit &lt;a href="http://www.finjan.com" target="_blank"&gt;http://www.finjan.com&lt;/a&gt;.&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/26729904</link><guid>http://bitsandbytes.tumblr.com/post/26729904</guid><pubDate>Tue, 19 Feb 2008 11:22:38 -0500</pubDate></item><item><title>What's old is new again in malware</title><description>&lt;p&gt;&lt;a href="http://www.connectitnews.com/canada/story.cfm?item=5396" target="_blank"&gt;http://www.connectitnews.com/canada/story.cfm?item=5396&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;MX Logic, a managed security service provider (MSSP), has noted two incidents in which malware writers are starting to re-use old tricks alongside some new ones to evade detection and remediation. &lt;/p&gt;
&lt;p&gt;The first incident uncovered by the MX Logic Threat Center involved a virus targeting the Master Boot Record (MBR) of a PC, a tactic that hasn’t been revised in over ten years. However, virus attackers are also including a rootkit that makes this malware very difficult to detect and remediate. &lt;/p&gt;
&lt;p&gt;These MBR rootkit viruses start when a computer’s BIOS activates its master boot code before the operating system loads, rather than attaching themselves to Windows device drivers as is traditionally done. These rootkits still remain on computers even after the operating system has been reinstalled. &lt;/p&gt;
&lt;p&gt;According to MX Logic, the only way to rid infected PCs of these rootkits is to download a Microsoft utility executable file called “fixmbr” that will restore the MBR, but the company reminds users that this is a one-time fix and won’t protect them from similar attacks in the future. &lt;/p&gt;
&lt;p&gt;The second incident that the MX Logic Threat Center reported was the use of drive-by pharming attacks. It was the first time that MX Logic noted this threat, but pharming attacks have been around since 2004, mostly limited to manual execution of individual spoofed web sites. &lt;/p&gt;
&lt;p&gt;Drive-by pharming automates this process by manipulating the Domain Name System (DNS) settings on routers and wireless access points that are still using the default password. Therefore, all home and business users with that default configuration are susceptible to attack. In the example reported by MX Logic, customers of a popular bank in Mexico were directed to a malicious site after their DNS settings were unwittingly modified. &lt;/p&gt;
&lt;p&gt;“The MBR rootkit and drive-by pharming clearly represent a trend of next-generation attacks utilizing known techniques combined with unknown infiltration tactics that are more malicious and stealthy than any malware previously recorded,” stated Sam Masiello, director of threat management at MX Logic. “We have officially crossed the threshold from superficial, insipid hacking techniques to professionally designed, manipulative tactics which are financially motivated.” &lt;/p&gt;
&lt;p&gt;He added that individuals and companies conducting business online need to be aware of their vulnerability to these types of attacks which can happen without their knowledge, and need to proactively protect themselves from falling victim to them. &lt;/p&gt;
&lt;p&gt;To detect and prevent threats such as the MBR rootkit and drive-by pharming attacks, MX Logic recommended that organizations consult with their trusted security advisor who can identify and deploy a managed web security product such as MX Logic Web Defense Service that provides an effective first line of defense at the network perimeter. Managed security solutions are cost-effective, highly reliable tools that deploy easily with no added hardware or software expenses and benefit the user with increased employee productivity, decreased costs, reduced network and storage costs and diminished corporate liability. &lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/26723274</link><guid>http://bitsandbytes.tumblr.com/post/26723274</guid><pubDate>Tue, 19 Feb 2008 09:54:42 -0500</pubDate></item><item><title>Taming the data monster</title><description>&lt;p&gt;&lt;a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20080206.wgtdatacentre07/BNStory/GlobeTQ" target="_blank"&gt;http://www.theglobeandmail.com/servlet/story/RTGAM.20080206.wgtdatacentre07/BNStory/GlobeTQ&lt;/a&gt;&lt;/p&gt;
&lt;p _counted="undefined"&gt;Ian Harvey &lt;/p&gt;
&lt;p _counted="undefined"&gt;February 6, 2008 at 10:00 PM EST&lt;/p&gt;
&lt;p _counted="undefined"&gt;Georgian College’s technology had hit the wall – literally.&lt;/p&gt;
&lt;p _counted="undefined"&gt;The community college in Barrie, Ont., had no room to add more servers to meet the growing demand. IT staff at the college faced a familiar challenge: In the past few years, the cost of storage has dropped dramatically, and businesses have filled basements and warehouses with cheap servers to satisfy the ever-increasing glut of data.&lt;/p&gt;
&lt;p _counted="undefined"&gt;However, the cost of real estate to house the machines – not to mention the electricity to power them – has not declined. In fact, it’s ballooned.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Data centres are power pigs and they’re found in nearly every sector of the economy: everything from business to academia to every level of government. They gobble electricity in an effort to keep hard drives spinning and to feed the insatiable demands of cooling systems that keep processors from overheating. Research by technology analysts IDC suggests for each dollar spent on hardware, another 50 cents is spent on energy costs. By 2001, that ratio will rise to 71 cents per dollar, IDC says in a 2006 study on data centre power consumption.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Georgian College network technologist Shamus Berube replaced 25 servers with 12 power-efficient models. (BILL SANDFORD for the Globe and Mail)&lt;/p&gt;
&lt;p _counted="undefined"&gt;The cost in dollars is compounded by another cost: Studies show that between 2002 and 2006, carbon emissions from data farms doubled.&lt;/p&gt;
&lt;p _counted="undefined"&gt;As a result, businesses have sought ways recently to pare down their racks of servers, trim power consumption and reduce carbon footprints – and at the same time increase the efficiency of their servers so they can accommodate the never-ending stream of data.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Faced with that challenge, Shamus Berube, Georgian College’s network technologist, figured the best plan was to redesign the data farm from the ground up. Mr. Berube replaced the college’s 25 servers with 12 new power-efficient servers made by Dell Inc.&lt;/p&gt;
&lt;p _counted="undefined"&gt;But, for many businesses, new equipment is not enough. While the Dell machines emitted less heat and required less power to run, Georgian College also installed virtualization software from VMware Inc., which is used to create virtual storage partitions on a single machine. Users can install programs on each partition, including operating systems, and run several different processes concurrently. So instead of using four different machines to perform four different tasks (and running at barely 15 or 20 per cent efficiency), the college can run all four tasks on a single machine.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Now, each of Georgian College’s systems runs more efficiently, consumes less power and the IT department can set up isolated areas on the network for students in the college’s extensive technology program who can test theories or run programs without spilling into the main system.&lt;/p&gt;
&lt;p _counted="undefined"&gt;“What we’ve done with the VMware we couldn’t have done otherwise,” Mr. Berube says. “We’ve split the academic side from the faculty side, though they run on the same physical machines, and we can save power there.”&lt;/p&gt;
&lt;p _counted="undefined"&gt;Virtualization software has another purpose as well, one that has more of an impact than simply dividing a physical machine into many virtual drives. Because storage is so inexpensive, businesses have become accustomed to keeping every little shred of data that’s created or passes through their servers. Some businesses, adhering to rules of corporate governance, are obligated to. Nothing gets deleted any more.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Case in point: Dan Trim is director of IT infrastructure at the Health Alliance Plan of Michigan, a health insurance company that services 570,000 clients. Less than a decade ago, the health network had about 80 gigabytes of storage on their mainframe, which today is an average-sized laptop hard drive. “Today, we have about 90 terabytes of storage [90,000 gigabytes] on the storage area network with about 120 terabytes across the company.”&lt;/p&gt;
&lt;p _counted="undefined"&gt;To avoid mountains of data piled up in no particular order, virtualization software from vendors such as VMware and Symantec Corp. acts like a traffic cop, managing data in an orderly fashion and determining where programs or information are best stored.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Sean Derrington, Symantec’s director of storage management, points out an obvious benefit. Businesses will often have multiple copies of the same file on their servers. Maybe it’s a large PowerPoint presentation or a Word document that’s been e-mailed to 2,000 different employees who have all dragged it to their desktop or made a backup copy. Regardless, Mr. Derrington says, “you don’t need 10 copies of the same file.” Software such as Symantec’s Veritas Data Center can identify duplicates and zap them.&lt;/p&gt;
&lt;p _counted="undefined"&gt;But while efficiency and cost savings may be driving businesses’ decisions to upgrade their server farms, there’s a tangential aspect of the new hardware and software that’s decidedly green.&lt;/p&gt;
&lt;p _counted="undefined"&gt;In a 2007 report, the Washington-based Environmental Protection Agency found that the 2006 electricity bill for the servers and data centres in the United States was calculated at approximately $4.5-billion (U.S.). The study goes on to estimate that by implementing efficient technologies and practices, business, academia and government can reduce electrical use by between 20 and 55 per cent by 2011.&lt;/p&gt;
&lt;p _counted="undefined"&gt;And naturally the green benefits are part of the pitch from vendors such as Sun Microsystems, Dell, Intel, IBM and Hewlett-Packard, who all now sell energy-efficient hardware and management software. Some vendors walk the walk, too. HP and IBM have spent more than $1-billion each to consolidate their data centres – in HP’s case to six centres from 85 around the globe, while IBM trimmed more than 150 centres down to a dozen.&lt;/p&gt;
&lt;p _counted="undefined"&gt;Bill Dupley, HP Canada’s IT strategist, says based on HP’s own experience in consolidation, reorganizing a database should be recognized as smart business, not as an IT project.&lt;/p&gt;
&lt;p _counted="undefined"&gt;“We promised a 43-per-cent annual return on an investment of $1-billion,” he says, adding that it was those upfront numbers that got the project fast-tracked. “We delivered $300-million right off the top in lower network costs. The rest will come over three years in terms of needing 50 per cent fewer staff and savings in power consumption and cooling costs.”&lt;/p&gt;
&lt;p _counted="undefined"&gt;&lt;i _counted="undefined"&gt;Special to The Globe and Mail &lt;/i&gt;&lt;/p&gt;
&lt;p _counted="undefined"&gt;&lt;i _counted="undefined"&gt;BY THE NUMBERS&lt;/i&gt;&lt;/p&gt;
&lt;p _counted="undefined"&gt;$1.4-Million — Average annual electrical expense that data centres cost large corporations&lt;/p&gt;
&lt;p _counted="undefined"&gt;20 — Percentage savings potential of green data centres&lt;/p&gt;
&lt;p _counted="undefined"&gt;46 — Percentage of data centre managers talking about or testing green concept&lt;/p&gt;
&lt;p _counted="undefined"&gt;29 — Percentage of managers not considering going green&lt;/p&gt;
&lt;p _counted="undefined"&gt;&lt;i _counted="undefined"&gt;Source: Symantec green data centre report, published November, 2007 &lt;/i&gt;&lt;/p&gt;</description><link>http://bitsandbytes.tumblr.com/post/25866480</link><guid>http://bitsandbytes.tumblr.com/post/25866480</guid><pubDate>Fri, 08 Feb 2008 15:32:15 -0500</pubDate></item></channel></rss>
