King of Infomercial Scams Avoids Jail for Spamming Judge

Written by Sue Walsh on March 12, 2010

Sleazy infomercial king Kevin Trudeau’s 30-day jail sentence has been stayed by the courts. He was slammed with it for orchestrating a spam email campaign designed to influence the judge in his case. He’s currently on trial in Civil Court fighting a complaint by the FTC that the advertising for his “natural cures” book is misleading. He was first sued by them in 1998 and banned from making false claims in the future, ordered to pay $500,000 in consumer redress and pay another $500,000 for a performance bond to ensure compliance. In 2004 he was sued again for ignoring the order and making false claims about a product called Coral Calcium. He was ordered to pay $2 million in fines and damages and banned from doing infomercials except for informational publications like books, provided he make no misrepresentations. He again ignored the order, which is why he is in court again. Trudeau has long been hawking his natural cures as the answer to everything from obesity to drug addiction.

In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.

New “Chuck Norris” Botnet On The Loose

Written by Sue Walsh on March 11, 2010

Look out Waledac, Zeus and Conficker! Chuck Norris is in town. A new botnet named after the iconic action star is targeting and infecting routers, or as one writer joked, “The Chuck Norris botnet doesn’t infect routers, it stares them down until they infect themselves.” The botnet, first discovered by Czech researchers, looks for badly configured routers and infects them by guessing the default password. It uses the remote access feature to take control.

It takes over MIPS-based devices running Linux by running a dictionary attack against the password, changes the router’s DNS settings, and then redirects the user to a poisoned webpage that downloads even more malware. It also scans the network for other devices to infect. Experts say the botnet has infected machines from South America to Asia. There’s no information on exactly how many machines have been compromised or who is behind it, but like other botnets, its goal is to steal personal information like passwords and bank account numbers. Some researchers say it may also conduct DDoS attacks.

For a botnet named after Chuck Norris (it got the name from a line in its code, “in nome di Chuck Norris”, which means “In the name of Chuck Norris”) the malware it delivers has a surprising weakness. Since it lives only in the router’s RAM, a simple restart will remove it. To protect against it, make sure all routers and modems on your network are not using the default password and that each device has a unique, hard-to-guess one.

Could Better URI Filtering Cure Email Spam?

Written by Paul Cunningham on March 10, 2010

A highly desirable goal of businesses and web users is the complete eradication of spam from the internet. That is perhaps a bit too much to hope for, but certainly the goal of reducing spam is something we can all keep working towards.

One of the more effective methods of reducing spam in recent years is through IP filtering.  This technique involves checking the IP address of the computer or server that is trying to send you email against a list of known or highly suspect spam sources.  The lists are provided by various third party organizations such as Spamhaus and are typically integrated into the products sold by security vendors.

The best part of this technique is that the check occurs at the earliest stage of the initial communication between the two servers.  If the IP address is considered to be a spam source then the connection is terminated before time and server resources are wasted by accepting any further part of the email content.

This means greater efficiency in spam protection systems compared to earlier techniques that involved checking the entire message content for certain keywords or strings that matched a database of known spam. That technique is still used today, but it is only performed on email that first passes the IP filtering checks.
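The connection-time IP check described above, as an added example (not code from the original post or from any vendor product it mentions): a Python sketch of the lookup a receiving mail server makes before it accepts any message content. The DNSBL zone name, the listed addresses and the resolver answers are constructed for the example; the query-name construction (reversed octets under the list’s zone) and the 127.0.0.2 / 127.0.0.1 sanity entries follow RFC 5782.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a DNS name to its A records, or None for NXDOMAIN/failure.
Resolver = Callable[[str], Optional[List[str]]]

ZONE = "dnsbl.example.invalid"  # hypothetical DNSBL zone, not a real list

# Constructed answers standing in for the zone (not real listings).
# A missing key means NXDOMAIN, i.e. "not listed".
FAKE_DNSBL: Dict[str, List[str]] = {
    "4.3.2.203.dnsbl.example.invalid": ["127.0.0.2"],  # constructed spam source
    "2.0.0.127.dnsbl.example.invalid": ["127.0.0.2"],  # RFC 5782 test entry: must be listed
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Offline resolver backed by the constructed table above."""
    return FAKE_DNSBL.get(name)


def live_resolve(name: str) -> Optional[List[str]]:
    """Real lookup through the system resolver (not used by the tests)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the listing code (an A record in 127.0.0.0/8) or None if unlisted.

    Only 127.0.0.0/8 answers count: anything else is treated as noise, for
    example a wildcard answer from a misconfigured or defunct zone.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return None
    for answer in answers:
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 liveness check: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A list that has been shut down and now answers for every name would
    fail this check and must not be used to reject mail.
    """
    return (listing("127.0.0.2", zone, resolve) is not None
            and listing("127.0.0.1", zone, resolve) is None)


def connect_decision(client_ip: str, zone: str, resolve: Resolver) -> Tuple[int, str]:
    """Decide the SMTP greeting for a connecting client before any DATA is read."""
    if not zone_is_sane(zone, resolve):
        # Fail open rather than bounce all mail on a broken list.
        return 220, "mail.example.invalid ESMTP (DNSBL check skipped)"
    code = listing(client_ip, zone, resolve)
    if code is not None:
        return 554, f"5.7.1 {client_ip} is listed in {zone} ({code})"
    return 220, "mail.example.invalid ESMTP"


if __name__ == "__main__":
    for client in ("203.2.3.4", "198.51.100.7"):
        print(client, connect_decision(client, ZONE, fake_resolve))
```

In production the sanity check would be cached rather than repeated per connection, and a list hit would normally be combined with local allow-lists; the point of the sketch is that the decision is made from the client address alone, before the server spends resources receiving the message.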

Some estimates put the amount of spam that is typically stopped by IP filtering at around 80-90%.  That is up to 90% of spam (not of total email traffic) that can be prevented by IP filtering, usually with very few false positives.

The remaining 10-20% poses a bigger challenge.  These emails need to be checked more thoroughly for other characteristics such as:

  • Sender address/domain
  • Email body content such as text or URI (Uniform Resource Identifier, often called a URL by web users)
  • Images and file attachments

This is because spam emails can come from trustworthy sources such as webmail providers and ISPs in which specific accounts have been compromised by a phishing attack. As a result they cannot be blocked reliably on the basis of sender address/domain. Continue reading Could Better URI Filtering Cure Email Spam?»

Microsoft Slays Waledec

Written by Sue Walsh on March 9, 2010

Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledac off at the knees. The decision was the result of a lawsuit filed on February 22nd and will result in traffic being cut off to 277 domains that hold the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers Waledac is essentially dead because its millions of zombies can’t contact home for instructions.

According to Microsoft, Waledac is one of the 10 largest botnets in the world and responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock-offs. They had this to say about Waledac on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it every day.

Bank/Customer Lawsuits Over Phishing Scams Rising

Written by Sue Walsh on March 8, 2010

Over the past week there have been two instances of banks and customers suing over phishing attacks. In the first, Texas-based Hillary Machinery Inc fell victim to a phishing attack and had over $800,000 stolen from their account. Their bank, PlainsCapital, was able to recover around $600,000, but when Hillary Machinery requested the bank refund the remaining $200,000, PlainsCapital slapped them with a lawsuit. The suit asks that the court certify their security procedures to be reasonable and that it processed the fraudulent ACH transfers in good faith. Hillary Machinery was stunned.

In the second case, a Michigan supply company is suing its bank, claiming it does not adequately protect its customers from phishing attacks. Experi-Metal Inc claims that Comerica Bank encouraged phishing attacks by sending customers an email asking them to click on a link to download an update to the bank’s security software. This is a well worn trick used by phishers and the company says by doing so it made customers more willing to trust fake emails claiming to be from Comerica. Experi-Metal lost over $500,000 to a phishing attack.

In response the bank said that it was the fault of the Experi-Metal employee who fell for the phishing scheme and handed over the company’s banking credentials. Furthermore, they said, the phishing site would have been obviously fake “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” Ouch. Basically they are insisting it’s not their fault that the employee was stupid enough to fall for the phishing email, but does Comerica hold some responsibility for its practice of sending out emails with links directing customers to download a security update? (The bank has since switched to a different system. The employee apparently trusted that the phishing email was real because of the previous one.) What do you think? When a phishing attack happens, who should be held responsible, the victim or the bank?

3000 Credit Cards Compromised in Data Breach

Written by Sue Walsh on March 5, 2010

3000 credit card numbers belonging to customers of electronics retailer Small Dog Electronics have been compromised in a data breach. The breach left the sensitive data exposed for almost a month between late December and late January. The company claims it is PCI compliant and that it was subjected to a penetration test. They are now pursuing the issue with that tester. The CEO, Don Mayer, said the security flaw has been fixed but had no other details, admitting he did not even know what language their ecommerce system was written in.

“I’m very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach,” Mayer added. “We are doing everything in our power to reclaim our customers’ trust and provide the credit monitoring services that are necessary.”

Small Dog’s customers appear to be less satisfied with the company’s response, claiming the letters sent explaining the incident offer no compensation or credit protection and that although the company will provide the service if asked, many don’t realize they can ask.

Should a company offer credit protection in the event of a data theft? I believe so. It’s an important step in keeping your existing customers’ trust and gaining that of potential new customers. Data breaches are a growing threat. Last year the average total cost of a data breach was $6.75 million, for an average of $204 per compromised record. Security experts say there are three main causes of data breaches: system glitches, which account for 36%; malicious attacks, which account for 24%; and the most common cause, negligence or simple human error, which accounts for a whopping 40% of all data breaches.

Sender authentication effective, but no panacea against spam

Written by John P Mello Jr on March 4, 2010

SPF is good but not perfect at flagging spam.

How effective is sender authentication in contributing to the fight against spam? A recent analysis of Microsoft’s email volumes revealed some interesting findings on the subject.

The analysis conducted by Terry Zink studied the impact of two sender authentication technologies, DKIM and SPF, on his company’s email flows.

DKIM, or DomainKeys Identified Mail, allows the sender of an email message to take responsibility for it while it’s in transit. It’s a way to validate a domain name identity associated with a message through cryptographic authentication.

While DKIM can be a way to block spam sent from hijacked domains, it’s less effective against spammers who create their own domains and spew junk from them. However, when used with some form of reputation analysis, it can contribute to cutting down spam traffic from those sites, too. The reasoning being that if a domain sent “good” mail to you in the past, it will continue to do so in the future.

SPF, or Sender Policy Framework, was designed to blunt another tactic used by spammers: address spoofing. It allows senders to specify which hosts are permitted to send their emails. It does that by publishing an SPF record in the DNS, or Domain Name System. When a message arrives at its destination, the recipient system can check the host the message came from against the SPF record in the DNS. If it was sent from a host specified in the SPF record, the address can be assumed to belong to the originator of the message. If it’s sent from a host not in the SPF record, then it’s likely the message is spoofing its origin and can be trashed as spam.
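The SPF check described above, as an added example (not code from the original article or from Microsoft’s analysis): a small Python evaluator for the part of RFC 7208 that the paragraph covers, namely `ip4`, `ip6`, `include` and `all` with the four qualifiers. The domains and TXT records are constructed for the example; the `a`, `mx`, `exists` and `ptr` mechanisms and the `redirect` modifier are deliberately not implemented.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], Optional[List[str]]]

# Constructed TXT records for hypothetical domains (not real SPF data).
FAKE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.test": ["v=spf1 include:loop.test -all"],  # self-referencing, must not recurse forever
    "twice.test": ["v=spf1 -all", "v=spf1 +all"],    # two records: invalid per RFC 7208
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # stands in for RFC 7208's limit on DNS-querying terms


def fake_txt_lookup(domain: str) -> Optional[List[str]]:
    """Offline TXT lookup backed by the constructed table above."""
    return FAKE_TXT.get(domain)


def spf_record(domain: str, lookup: TxtLookup) -> Optional[str]:
    """Return the domain's single SPF record, or None if there is not exactly one."""
    records = [r for r in (lookup(domain) or [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip: str, domain: str, lookup: TxtLookup, _depth: int = 0) -> str:
    """Evaluate the sending address against the domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain, lookup)
    if record is None:
        # "none" if no record; multiple records are also reported as none here,
        # where a full implementation would return permerror.
        return "none"
    client = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        if "=" in term:
            # Modifiers (redirect=, exp=, unknown) are skipped in this sketch.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = client.version == net.version and client in net
        elif name == "include":
            inner = check_host(ip, arg, lookup, _depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # include of a broken/missing policy
            matched = inner == "pass"  # fail/softfail/neutral: just no match
        else:
            return "permerror"  # a, mx, exists, ptr: not implemented here

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    for sender in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(sender, check_host(sender, "example.test", fake_txt_lookup))
```

Note how the result is a policy outcome rather than a yes/no answer: a `-all` domain asks the receiver to reject spoofed mail, while a `~all` domain only asks it to treat such mail with suspicion, which is one reason the article calls SPF effective but no panacea.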

Continue reading Sender authentication effective, but no panacea against spam»

Will Virtualization Protect Businesses from Botnet Infection?

Written by Paul Cunningham on March 3, 2010

Virtualization has been a growing trend in business computing over the last few years. Companies are able to use virtualization to reduce costs and improve efficiency. What started at the server level is also infiltrating desktop computing, with virtualized desktops now showing up in a lot of environments.

Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers.  Often this study is taking place using honey pots, which are fake systems set up by researchers to be deliberately infected with malware so that they can study its behaviour.

This has led some security experts to predict that soon it will be common for botnets to actively look for the signs of a honey pot and either deactivate on those systems, or perhaps even generate DDoS attacks against the researchers.

The CTO of database security firm Imperva, Amichai Shulman, suggests that “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”

The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems.  If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active. Continue reading Will Virtualization Protect Businesses from Botnet Infection?»

Military Personnel Targeted by Zeus

Written by Sue Walsh on March 2, 2010

A new phishing attack launched by Zeus has taken aim at military personnel and intelligence officials in several countries including the US. The spammers behind the attack exploited a trusted security firm and sent fake messages pretending to be from the firm. Using social engineering tricks they sent messages to the same people their earlier phishing attack had targeted. The messages acknowledged the attack and asked them to download a zip file that claimed to be a security patch that would fix the vulnerability that allowed the earlier attack. The file has just a 35% anti-virus detection rate.

Unlike most phishing attacks, which tend to target banks and other financial firms with the goal of monetary gain, this attack is much more worrisome. While the kind of information that could be stolen in such an attack could be sold for huge sums on the black market, the other implications are far more serious. Should a hacker gain access to a military or intelligence computer there is no telling what kind of havoc they could wreak. It could result in a national security crisis. This should be of particular concern to the US government, which has come under fire in recent months for its poor cyber security practices. Last week, the Bipartisan Policy Center hosted a simulation of a cyber attack on the US and the government failed miserably. Security experts say the government is woefully unprepared for a cyber attack and that it’s no longer a question of if one will occur, but when.

Nearly 2,500 Companies Hacked in Ongoing Cyberattack

Written by Sue Walsh on March 1, 2010

A widespread cyber attack that started 18 months ago has affected nearly 2,500 businesses and government agencies. Led by a Zeus variant, it infiltrates corporate and government networks and steals passwords, logon credentials, banking info and other confidential data.

The Zeus botnet has over 74,000 infected PCs under its control and is using them to carry out the attack. Ten federal agencies are among the victims and there is no telling just how much sensitive data the hackers have stolen. Security firm NetWitness did manage to intercept 75GB of stolen data, but there is likely much more out there.

“The botnet is still active and still actively being managed by the organized criminal activity behind it,” NetWitness CTO Tim Belcher told The Register. “Over the last month, we’ve seen it retask its (victim) members half a dozen times looking for different types of information.”

In a surprising twist, the firm discovered that the affected PCs were also infected with Waledac. This could mean there are two cybergangs working together or merely that a solitary gang is using more than one strain of malware to avoid detection.

Among the organizations attacked are Merck, Paramount Pictures, and Cardinal Health. All in all organizations in 196 countries around the world have been attacked. Rumors are swirling that even the Pentagon was hit, but they are declining to confirm any such breach.
