In a world where the only thing standing between us and the spammers, phishers and hackers is a little piece of tunneling security that keeps IT admins dreaming about warm and snuggly things, the idea of that security being breached is a beastly demon no one could have envisioned. Unfortunately, the pleasant dreams are over and the BEAST is a nightmare that will rock the Internet world, and warm milk ain’t gonna fix this one, folks.

When I go to sleep at night, I do it with the comforting belief that when I awake in the morning and put my feet on the floor, there will be a floor underneath me. In much the same way, I traverse the web knowing full-well that my surfing habits, private information and transactions are snugly tucked away inside a warm blanket of encryption known as SSL/TLS. So when the floor gets yanked out from underneath my feet, you can understand how I might get a little pissed off. And that’s exactly how I felt this morning when I discovered that the floor that protected me from the creeps has begun to sway, as if I had just spent Saturday night at the pub and the floor wasn’t particularly happy about it.

If you want to share the experience, look no further than The Register, which is reporting that at the Ekoparty security conference in Buenos Aires last week, researchers Thai Duong and Juliano Rizzo unveiled their work – BEAST, short for Browser Exploit Against SSL/TLS – which attacks TLS and SSL, the protocols that heretofore kept us warm at night. BEAST is a nifty piece of JavaScript that works alongside a network sniffer to decrypt user account cookies and gain access to restricted user accounts. Yes, you heard it right.

Sing Along: It’s the End of the World as We Know it…Or is it?

Duong and Rizzo made news last year when they unveiled a point-and-click tool that exposes private information and executes arbitrary code. According to Duong, the demo decrypted an authentication cookie used to access a PayPal account. The exploit of SSL and TLS is not a new idea, actually, since the idea was conceived back in 2002; but for years it’s been considered theoretical at best – until now, that is.

Duong noted in an email published by The Register that “BEAST is different than most published attacks against HTTPS. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

In case you’re wondering how many canned goods you have in the pantry, worry not: it’s not yet time to strip naked and run through the streets proclaiming the end of the world.

“The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust,” The Register reports.

It’s not all good news, though.

“Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.”

Furthermore, independent security analyst Trevor Perrin writes:

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection. If the attack works as quickly and widely as [Duong and Rizzo] claim, it’s a legitimate threat.”

Note: Those who run a web server and who may be concerned about security should modify the servers to favor the rc4-sha cipher, which is widely supported and not vulnerable to the attack unveiled by Duong and Rizzo.

Time to Call Some People Out

It’s being reported that:

“Duong and Rizzo tipped off the major browser vendors about their findings months ago but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser.”

REALLY? Shame on you, browser makers. Not surprisingly, two days after The Register first published their article, Google released a developer version of its Chrome browser designed to thwart the attack.

Time to go and huddle in a corner. Now, where did I put that tin foil hat?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

“Holy [Insert Expletive Here]! Et Tu, SSL?”

Spam-ready tablets off the shelves? Zombie PCs out of the box? Testifying before U.S. Congress this week, a top official for the Department of Homeland Security said that technology being imported into the country is sometimes known to contain preloaded security threats. The disturbing news leaves us wondering what’s next – perhaps our credit card numbers automatically being published to Twitter and Facebook when we sign up for an account?

As if the raging war on spam isn’t bad enough, an ominous moment in U.S. Congress this week should leave an unsettling feeling in anyone who has purchased a PC, tablet, or any other connected device; anyone who worries about the safety of their information, for that matter – in other words, pretty much everyone.

Testifying before Congress at the House Oversight and Government Reform Committee this week, Greg Schaffer –the Department of Homeland Security (DHS) Assistant Secretary for Cybersecurity and Communications – admitted that Homeland Security and the White House are aware that electronics and software imported into and sold in the United States are sometimes pre-installed with malware, spyware, keyloggers, and even the components of botnets. Not only are they aware of these threat-laden devices, various media outlets report, but in fact they have been aware for quite some time.

Fast Company first reported the story on Friday. Schaffer was testifying in a tense exchange between himself and Representative Jason Chaffetz. “When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that ‘I am aware of instances where that has happened,’” but not before a long pause where Schaffer seemingly considered the implications of his answer.

According to PC World, Schaffer didn’t go as far as singling out PCs, tablets, or even DVDs and smart phones.

“Schaffer admitted he is aware of instances when foreign-made technology was built with embedded security risks but did not elaborate on what kind of equipment DHS has encountered. He also pointed out that overseas components are found in many domestically manufactured electronics.” [Emphasis added]

It’s not news that some consumer devices and products have entered the retail world with viruses or other malware. Several years ago, digital picture frames with USB ports were found to be infected, and every so often a piece of software is inadvertently set into the wild with some sort of Trojan or some such malware. What makes this story chilling, however, is Schaffer’s implication that the problem could be far larger than just the odd digital photo frame or errant code in a piece of software. If the malware is actually hard-coded onto a chip – as opposed to pre-installed on a hard disk drive – then these chips could be finding their way into everything that has a wired or wireless connection with the Internet. The problem? Hard drives can be wiped. Onboard chips are like taxes – they’re there for life.

Neal Ungerleider of Fast Company suggests that something sinister may be at work here, drawing from the White House’s Cyberspace Policy Review:

“[In the review] is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:

‘The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions…The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.’” [Emphasis added]

Don’t Panic!

As disturbingly eerie as this information certainly is, it poses the question: what can we do about it? The answer is readily available. Nothing – at least not as single consumers or even as IT/IS Managers. Some might decide to throw out all their devices and in a Walden moment, return to nature, resorting to carrier pigeons and smoke signals to communicate with the outside world; but most of us recognize that technology owns us now, and for good or for bad, better or worse, we like it. Heck, we love it! We refuse to reject technology because, well, how could we? It makes our lives easier. It makes our lives better, at least if you believe the mantras of GE (We Bring Good Things to Life) and LG (Life’s Good).

Conspiracy Theory

Assume for a moment that the White House and other governments know far more than they’re saying (not a leap at all). Then assume that detecting and removing these hard-coded security risks not only represents a huge difficulty, but rather a virtual impossibility (not a stretch). Now imagine that the threats represented by this built-in malware could be a mixture of state-sponsored and/or private interests – some in it for innocuous concepts like ‘national security’ and some in it for more tangible returns like money. Finally, imagine if the whole truth got out – how it would create such a panic that Greece’s finances would seem rock-solid next to what was left of the global economy. No wonder Schaffer took so long to answer.

As much as it sounds like the stuff that Hollywood is made of, the truth is in there somewhere. If so, then (for all you Star Trek fans) like the Borg, this new threat is lurking and waiting, ready to pounce and assimilate your information, and there’s not a darned thing you – or anyone else – can do about it. Come to think of it, spam is the equivalent of the Borg – maybe even a progenitor of the 24th Century race.

I think I’m going to avoid the rush and post all my personal information on Twitter. I hate waiting.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

U.S. Official Admits Imported Computer Tech is Known to be Infected

In what surely must be the third sign of the pending apocalypse, video game industry icon, Sega Corp. is hacked for data on 1.3 million of its users. And just when you thought the world hadn’t gotten any stranger, hacktivist group LulzSec offers assistance to the creators of Sonic the Hedgehog. The problem: the real victims in these attacks are the users, caught in the middle of a brewing war that will inevitably lead to more spam.

One would think that gaming giants like Sony and Nintendo could manage a basic task like keeping their doors locked and blinds drawn, and one would be wrong; but lest you think that they’re alone, look no further than another venerable icon in the game development world, Sega Corp., which this week announced that they too had been hit by the bug that of late seems to have a nasty habit of popping up on a weekly basis.

“Names, birth dates, e-mail addresses and encrypted passwords of users of Sega Pass online network members had been compromised,” Sega said in a statement on June 19th, also indicating that while no credit card information had been compromised, a whopping 1.3 million user accounts were breached.

Add this to the tally of an estimated 100 million plus PSN, Qriocity and Sony BMG Music users and you have yourself a startling amount of personal information floating out there in the cloud. (Nintendo got off easily: LulzSec ‘merely’ posted a server configuration file on their site to show that they could hack Nintendo if they so desired).

Recognizing that not all of the players have been so forthcoming, and in the spirit of giving credit where credit is due, hats off to Sega for getting in front of this one.

“We are deeply sorry for causing trouble to our customers,” said Sega spokesperson Yoko Nagasawa, “We want to work on strengthening security.”

So, is it coincidence that all three gaming companies are Japan-based? Probably. But it isn’t coincidental that some of the biggest names in the gaming software world have been compromised by a variety of groups – Anonymous and LulzSec have laid claim to the Sony breaches, and as mentioned, LulzSec felt the need to point out a security flaw in Nintendo’s security, but so far no one has taken responsibility for Sega. Of this, however, we are certain: it probably wasn’t LulzSec.

How can we be sure that it wasn’t LulzSec? Well, in a bizarre twist of events, LulzSec has come forth to offer its assistance in tracking down the perpetrator. On June 17th the group posted to Twitter: “@Sega – contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

Whether Sega takes LulzSec up on the offer is anybody’s guess (‘probably not’ is the consensus here), but the group that targeted the U.S. Government after President Obama made hacking a declaration of war just can’t seem to get its philosophical mojo in sync with its actions. LulzSec has stated that their attack on Sony was a blow in the name of solidarity after Sony declared its own war on iPhone hacker extraordinaire, George Hotz, better known as GeoHot. But in what felt like an “I love you, man!” moment, LulzSec seemed almost honorable in its hack on Nintendo, stating publicly that they simply wanted to make Nintendo aware of its own vulnerabilities. Now that Sega has been hacked, however, LulzSec wants to help because they clearly like Sega (or, at least, the Dreamcast). It feels like frontier justice, the Old West approach to settling a beef, and while some might applaud LulzSec’s attempt at heroism, one cannot help but wonder: “what happens if I tick these guys off?”

What, indeed. LulzSec has declared its own war, but the burning question is who is the enemy? On June 15th, LulzSec posted to Twitter: “Tango down – cia.gov – for the lulz.”  According to the International Business Times, “The site of the CIA, which engages in covert activities at the request of the President of the United States, was back two hours later. The CIA has not revealed that valuable information was stolen.” And on June 13th, the group took on the U.S. Senate website, stating “We don’t like the US government very much.  Their boats are weak, their lulz are low, and their sites aren’t very secure.  In an attempt to help them fix their issues, we’ve decided to donate additional lulz in the form of owning them some more!”

Data Insecurity

Everyone wants to talk about the economic impact on the targeted companies, but with the amount of information that’s been compromised, it’s the guys in the middle of this brewing war – the end users – who are the true victims. It’s highly unlikely that Anonymous is sitting on the data, and LulzSec seems to enjoy giving it away for free. Regardless of the cost, it’s conceivable that data breaches like the ones on the game companies will lead to spam-laden inboxes. One only has to look at the highly-publicized attack on Epsilon earlier this year.

Where does it all end? This week, LulzSec released a manifesto of sorts, as the group celebrated its 1,000th Tweet with a letter that reads like it was co-written by Charlie Sheen.

“Yes, yes, there’s always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011…We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be.” Justice may eventually be LulzSec’s endgame, but until then, “this is the lulz lizard era, where we do things just because we find it entertaining.”

Entertaining? Really? Hey, Sonic the Hedgehog! See if you can escape the nasty trap that Dr. Robotnik set for you! Now that’s entertaining.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

LulzSec Offers Aid, ASCII Art to Sega After Big Hack Attack

In what’s rapidly becoming a cliché of the direst proportions, Sony gets yet another dose of what some consider Karma. Not to be left out, however, Nintendo suffers the wrath of the group claiming to have taken Sony down. Which leads everyone to ask: Is Microsoft next? If so, when will the other shoe drop? And more importantly: When does the phishing expedition begin?

What a difference a week makes. In case you weren’t tuned in last week at this time, Sony had just moved its one billionth PS3 console, gamers everywhere were cheering the mammoth entertainment provider for its second-to-none gaming experience, and cures for cancer and the common cold left mankind with the incontrovertible belief that we are all destined to live long and prosperous lives.

Oh, wait. That was the Bizarro world. Over here in the land of reality and taxes, Sony didn’t sell its billionth console, but it did cough up another million user accounts, albeit unwillingly. In what’s quickly becoming (or has already become) something of a joke ending with a simple punch line – ‘Sony’ – another hack attack saw the entertainment giant scrambling to quietly warn users that another breach in its security, this time of Sony BMG Music’s website, had occurred. The announcement seemed like it came from the Bizarro world, considering that over at Playstation.com, splashed in prominence on the main page is the announcement of Sony’s ‘Welcome Back’ program, designed to mollify irritated users whose access to the Playstation Network and Qriocity had been down for a month.

The group LulzSec claimed responsibility for the hack, and this time, even though the result doesn’t seem nearly as severe – one million accounts, compared to 78 million in the PSN/Qriocity breach – this one has increasingly chilling implications. First, LulzSec, which wasted no time in reporting its success, stated in an anonymous post, “We just want to embarrass Sony some more. Can this be hack number eight? Seven and a half?!”

Second, the LulzSec team gives a detailed account of the fruits of their labors: “Personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 “music codes” and 3.5 million “music coupons”.

Third, they went and posted the data for everyone to see, ready for phishing enthusiasts, spam artists and identity thieves everywhere to just pluck the data out of the cloud and go to work. All this while the U.S. Congress is grilling Sony and email marketing company Epsilon about their recent security woes.

Fourth – and maybe most disturbing – was how LulzSec claims they went about it. “Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?” Ohhh, man. For Sony, this must seem like the makings of a script for the sequel to The Hangover 2 (too bad they don’t own the rights to the blockbuster movie series – it would have made for good irony).

Word on the street, however, suggests that Sony brought it on themselves, and that maybe this is just Karma coming back to roost. Speculation has been that both Anonymous – the hacktivist group which laid claim to the PSN breach – and LulzSec were striking a blow in the name of solidarity for the way Sony has been treating George Hotz, better known as iPhone hacker extraordinaire GeoHot. In February, a premonition of what was to come showed up in a warning from Paul Roberts at ThreatPost, who wrote about the early February security breach at HBGary: “Don’t kick the hornet’s nest.” Interestingly enough, the hornets he referred to were none other than Sony’s newest, bestest nemesis,  Anonymous.

But wait, there’s more! It seems that LulzSec wasn’t happy just taking Sony down. Last week, Nintendo Corp. announced that it was stung by the hornets when LulzSec posted a server configuration file on its website as proof that they hacked another of the three giants in the gaming arena, a claim that was confirmed by Nintendo. Nintendo stated that no user data was compromised in the attack, which actually happened weeks before (question: are these companies really helping their own cause by sitting on this information?) In a strange message on Twitter, LulzSec sounded charitable when the group tweeted, “We’re not targeting Nintendo. We like the N64 (gaming console) too much – we sincerely hope Nintendo plugs the gap.”

Is Microsoft next? International Business Times reports that, “it is because of the random nature of LulzSec’s attack on Nintendo that certain analysts and industry commentators have speculated that a future cyber attack on Microsoft may be in the works,” and there’s a lot of truth in those words, if recent activity is any indicator. Perhaps Microsoft has already been hit, and like their counterparts have chosen to sweep it under the carpet. Whichever the case, the question here is: what’s the real story in all this? That a mega corporation like Sony can be embarrassed – repeatedly – so easily, if LulzSec’s claims are true? That if companies like the ones being breached aren’t safe, then how can the average IT manager expect to protect her company’s networks? That the frequency of these security breaches has media in general taking a ‘ho-hum’ approach to new occurrences? That hackers are so ambivalent toward what they do that in one breath they can take down one gaming giant for fun and another for vengeance? Or – getting back to Sony and considering LulzSec’s claims – how in the heck could Sony let themselves be taken down again and so easily?

You choose.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hatriot Games? Sony Hacked Again, Nintendo a Wii Bit Compromised

In what is eerily beginning to look like a monthly ritual, another high-profile organization is targeted by Cyber Terrorism. This time it is the world’s largest military contractor. Is it World War III, or just another day at the office?

Lockheed Martin Corporation, the world’s largest defense contractor, announced this week that it staved off what it calls a “significant and tenacious attack” on its servers. The attack, which Lockheed Martin detected on May 21, still remains something of a mystery in terms of scope, but Reuters reports that, as of May 29, employee access was still down.

“No customer, program or employee personal data was compromised thanks to ‘almost immediate’ protective action taken after the attack was detected May 21,” company spokesperson Jennifer Whitlow stated in an email distributed by the company.

The Bethesda, Maryland company is the world’s biggest aerospace company and the largest supplier of military systems to the U.S. government. The maker of the F-16, F22 and F-35 Lightning fighter jets also sells military equipment across the globe.

In an effort, perhaps, to ensure that they themselves haven’t been compromised, the U.S. Government has offered its assistance in determining the scope and source of the attack. Bloomberg News reports that in a May 28 email from Homeland Security, spokesperson Chris Ortman states the Department of Homeland Security, along with the Department of Defense, is looking into the matter.

“[We are] aware of a cyber incident impacting [Lockheed]” and will be “determining the extent of the incident, performing analysis of available data in order to provide recommendations to mitigate further risk.”

Lockheed said in an email that the attack on May 21 was discovered “almost immediately” and no employee, program or customer data was lost. Lockheed uses RSAs mobile security platform. RSA, a division of EMC Corporation of Hopkinton, Massachussetts, recently increased security on their system after a security breach in March of this year. In that attack, amongst the stolen information were data directly related to RSA’s SecurID authentication products. MarketWatch reports that after this most recent attack, Lockheed Martin employees were required to change their passwords, and that the breach may have been a direct result of the SecurID information stolen from RSA.

Bloomberg helped clarify the possible nature of the attack, in statements from a source speaking under the condition of anonymity. “The remediation involves replacing the SecurID tokens issued by RSA that often expire in three years, said the person, who wasn’t authorized to discuss the matter publicly.” An eerie premonition of what might be coming next, EMCs clients include, “defense-contractor clients, which make missiles, aircraft and other weapons, [including] Northrop Grumman Corp. (NOC) and Raytheon Co. (RTN).” Bloomberg also stated that EMC declined comment on the matter.

Not surprisingly, the U.S. military remains tight-lipped on the matter. In an email, U.S. Air Force Lieutenant Colonel April Cunningham stated that the resulting fallout of the attack is, “minimal” and that the powers that be, “don’t expect any adverse effect.” Reuters also stated that Cunningham “declined to specify the nature of the impact, saying that as a matter of policy, the department does not not comment on operational matters,” and that DHS spokesperson Ortman said that the department will be working with Lockheed Martin to review the “available data in order to provide recommendations to mitigate further risk.”

2011: The Year of the Cyber Terrorist?

In the spirit of keeping score, the Lockheed Martin cyber attack is only the latest in a litany of high-profile targets, making 2011 seem more and more like the Year of the Cyber Terrorist:

• In January, the Canadian government was the target of an “unprecedented cyber-attack” by Chinese hackers, which took down the systems of two government agencies.
• In February, pro-Iranian hackers calling themselves the “Iranian Cyber Army” launched an attack against the Voice of America’s website. VOA’s Persian News Network also experienced satellite interruptions.
• In early March, major agencies of the government of South Korea were bombarded in a Distributed Denial of Service (DDoS) attack.
• Also in March, the European Commission revealed that it had been the victim of an “ongoing [and] widespread cyber attack” against its servers.
• In early April, email marketing firm Epsilon reported that it had been breached, in a targeted attack which could cost the affected parties more than $600 million;
• In mid April, Sony Corporation made news – over and over again – as its woes kept the company’s PlayStation Network and Qriocity servers dark for several weeks. The result of the attack saw the user account information of more than 70 million released into the wild.
• In May, the U.K. Finance Minister stated that the U.K. Government’s servers are under a constant state of attack, averaging more than one attack per day just on the Ministry of Finance.

Cyber Horror or Cyber Hype?

While it may be premature to declare this the Year of the Cyber Terrorist, it certainly seems like these attacks are becoming more frequent and more severe. Perhaps it would be more accurate to dub this the ‘Era of the Cyber Terrorist.’ Bill Davidow at Forbes suggests that World War III, if it ever occurs, will be fought on the battlefield of cyber space. Tony Bradley of PCWorld takes an interesting perspective in his article, Lockheed-Martin Attack Signals New Era of Cyber Espionage, suggesting that the era of cyber espionage is in full bloom. The attack on Lockheed Martin, Bradley writes, “seems at face value like either a state-sponsored attack, or an attack by well-funded hackers with the intent to market whatever information can be extracted internationally to other governments.”

Food for thought, or all-out lunacy? As if the media frenzy isn’t enough, this week China announced that it has an elite “Cyber Warfare Unit” dubbed the ‘Cyber Blue Team.’ The jury’s still out as to the purpose of Cyber Blue, but add to the mix last year’s kafuffle over Stuxnet and its intended purpose and you have yourself one heck of a Cyber Thriller, Hollywood movie rights and all.

Hmm. Time to get writing.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Lockheed Martin Latest to Succumb to “Significant” Cyber Attack

In the most recent spam scam to assault Facebook, users are being greeted with a message advising them to ‘verify’ their account, seemingly a noble act of spam prevention and surely not spam itself, right? Not so fast. Those rascally little hackers have swapped out the ‘Like – Comment – Share’ links with a ‘== VERIFY MY ACCOUNT ==’ link, making clicking eminently attractive and practically unavoidable for the uninformed user. Clicking the link, of course, has exactly the opposite effect advertised by the malware, not only posting the message on the user’s wall, but in fact spreading JavaScript that, according to The Register, is “highly obfuscated.” (If interested, you can check out an interesting analysis of the script here.)

“Facebook has become a veritable cesspool of spam, with fake links promising to show users things like how many people have visited your profile or the never-released photos of Osama bin Laden’s body,” reports the Detroit Free Press.

In fact, it seems that these clickjacking schemes have become the norm and Facebook, by its own admission, has only been able to react to the scams as they appear.

“We’ve been shutting down the scammy pages that are the source of this spam as soon as we detect them or they’re reported to us,” Facebook’s Fred Wolens told the Free Press.

So let’s return to the kingdom of the blind. No disrespect to any Facebook user intended, but knowing how to recognize a genuine security threat often requires three things: experience, specialized understanding in what goes on under the hood, and the requisite savvy that comes with being an IT professional. The first one is easy. Think about the first time you learned that touching an open flame wasn’t such a good idea. Anyone who’s been nailed at least once by a malicious link will testify that they think twice before clicking again. The second and third, however, require specialized information that, simply speaking, aren’t part of the average computer user’s frame of reference. And to be fair to Facebook users everywhere, they shouldn’t need to have that specialized knowledge. It would be counterintuitive to the concept that Facebook is easy to join. Easy to use.

To give Facebook credit, last week the website announced several new features implemented to combat clickjacking:

• Web of Trust (WOT) – Web of Trust is a free service that grades sites based on user experience. Basically a community that relies upon reported links, WOT intercepts links in Facebook, warning the user that the link could be dangerous, if it has been frequently reported by the community.
• Clickjacking Prevention – Since clickjacking is based on tricking the user into thinking they’re clicking on one thing when in fact they’re clicking on another, Facebook has implemented extra security measures to detect whether links are trying to pretend they’re something else. In essence, users will be required to confirm their choices when they click “Like.”
• Cross-Site Scripting (XSS) Protection – Malware often tricks users into pasting malicious code into the browser address bar. Facebook has added an extra layer of protection, providing a popup window advising the user that he or she is trying to address a bad link.
• Login Approvals – Facebook has added an optional – but highly recommended – layer of security by offering two-factor authentication, meaning that whenever a user tries to log on to Facebook from a new device, he or she will also have to enter a code sent via SMS to the user’s mobile device.

If you’re reading this and you have responsibility for office workers who have access to Facebook, you’re probably already copying and pasting into an enterprise-wide email. That would be a wise choice.

Let’s face the facts. Social networking does a great job of bringing people together in cyberspace. The problem: it also makes it way too easy to put hackers, spammers and cyberpunks together with innocent users who are not trained – or even interested in being trained – in how to recognize malicious code and spam when and where it appears. As memberships continue to grow in unprecedented proportions, hackers will continue to figure out how to exploit the system.

You had better hang on. The one-eyed men aren’t going away anytime soon. In fact, they’re fitting themselves for crowns.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Spam Prevention Scam Propagates, Hackers Rejoice

Recent Security Breaches May Bring Discussions on Cloud Computing Crashing Back to Earth

Cloud computing isn’t a new concept. Technically speaking (and some may disagree), cloud computing is as old as public chat rooms and web mail. As long as we’ve been able to attach a file and send it out into the cold, dark server-based galaxy of cyberspace, we’ve all been living in the cloud. The term itself – cloud computing – is nothing more than a marketing construct developed by software companies for the express purpose of paying homage to the offices of CEOs and Boards of Directors, wherein the almighty dollar is king.

That’s the cynical view. Now for the idealistic, almost Utopian, approach:

Cloud computing is the miracle cure that will change our lives to the point where we wonder how we survived the chaos that existed before living in the cloud. It will increase productivity and collaboration, reduce office footprints by giving rise to telecommuting. Some may say that it even reduces the need for localized data security because the security is now in the safe, competent hands of dedicated data centers. The cloud even tips a hat to green computing, reducing the carbon footprint in offices by passing application and data loads off to remote servers, thus reducing the need for localized and/or dedicated servers (truth be told, the jury’s still out on this one).

Stand back and take a long look at both these views. Does either ring true? Of course not. In fact, the truth seems to lie somewhere in the middle, but all good IS Managers approach the topic cautiously and with a great deal of research into the pros and the cons, the tools and the risks. The implications of employee training alone can leave the strongest of IT people waking in the middle of the night, screaming for their mommies. All the while, evangelists in the form of software account managers stand on soapboxes, thumping on white papers that explain cloud computing and its cost benefits and pointing long, bony index fingers straight at us, promising, “this is what cloud computing can – nay, will – do for you! ROI! ROI!”

It’s no wonder that the caution, confusion and fear have risen to monumental levels; but like the tortoise in Aesop’s fable, IT professionals approach the finish line, slowly and steadily, hoping all the while that the bosses won’t push them over the edge of a precipice from which there is no safe return.

Amidst all the confusion, news of recent security breaches at some very large companies may be the warning that IT people everywhere have been looking for – the ammunition they need to remind their bosses that being the first to jump off a cliff before checking for water below isn’t the best way to embrace innovation. The recent woes felt by Sony Corporation, Epsilon and Amazon serve as that useful warning. While some may not recognize the name Epsilon as a household name, all will recognize the other two. If one was asked to name the top technology companies in the world today, Sony and Amazon would surely be in that list. So it’s no surprise that the news of these data breaches (a reported 100 million accounts compromised for Sony, which is still experiencing issues two weeks after the breach) has shaken the online world to its very core. And one of the casualties here may very well be cloud computing.

According to Reuters, “Some businesses are rethinking plans to move to cloud-based computer systems located at remote data centers that can be accessed over the web,” and that the Sony breach and Amazon’s recent outage at its cloud computer center, “have caused some businesses to put the brakes on plans to move their operations into the cloud.”

This might only be the beginning, because no one really knows what’s going to happen next. It seems that a new security breach greets us each week, and with each story it seems like the hits are getting worse and the stakes are getting higher.

“Nobody is secure,” Eric Johnson, professor at Dartmouth University and technology advisor to corporations, was quoted by Reuters. “Sony is just the tip of this thing.”

In fact, Reuters reports that since Sony announced its PlayStation Network and Qriocity breaches on April 26, stocks for companies involved in cloud computing have not only underperformed, but “Salesforce.com Inc, a maker of web-delivered software, has dropped 3 percent. VMware Inc, which sells software for building clouds, has declined 2 percent.” Lest one thinks this is a general trend in the stock markets, Reuters reports that The Standard & Poor’s 500 Index has increased by 3.3 percent.

So does this mark a major setback for cloud computing, the miracle of modern connectivity? It certainly gives rise to conversations about data security and the risks associated with putting sensitive data ‘out there.’ Ever since the term ‘cloud computing’ was coined and then pushed – and pushed again – out to the marketplace as the solution to everyone’s problems, there’s been an uneasiness about the implications of placing data – the lifeblood of modern society – outside the firewall. People, in a cloudlike trance, seem to have been soaking up the concept of being able to access their data from anywhere in the world, but at what cost?

Perhaps these recent events are the wakeup call that everyone needed. Consider a newborn baby and a crib, which has all the requisite safety features, including bars to keep the child safe from falling. Nearby, you have a bed, soft and safe and comfortable in its own right, but lacking the features designed to protect a young child. Who in their right mind would opt for placing the baby on the bed, and then leave the baby unattended?

It’s something to consider.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hey, You! Get Off Of My Cloud!

Let’s recount what happened. On April 19th, without so much as a “how do you do,” the PlayStation Network and Qriocity, Sony’s on-demand service for music and videos, went down, rendering all aspects of the network – multiplayer gaming, PlayStation Store access, web access, NetFlix and Qriocity services – unusable. It was a little eerie, too, in the way it transpired. Users were simply unable to log on to their PSN and Qriocity accounts, normally a common occurrence when the system is down for periodic maintenance. But hours turned into a day and some media outlets picked up the story, when the outage still greeted users. “We’re aware certain functions of PlayStation Network are down” was Sony’s response, but not long afterward they posted on their EU blog that there was, “the possibility of targeted behaviour by an outside party.” Not long after that, Sony announced that the service would be down for “a full day or two.”

Since then, the issue has turned into something of a nightmare, both for Sony and the 78 million members of the services. Hours turned into days, days into a week. What was very quietly sold as an outage turned into the worst possible outcome: three days into the outage, Sony finally announced that the service failure was in fact the product of “an external intrusion.” Nearly a week after the initial outage, Sony finally announced that personal information was also compromised. For those of you keeping score, here’s what Sony UK reported as being compromised: name, shipping address, billing address, country, email address, birthdate, PSN/Qriocity ID, PSN/Qriocity password, PSN/Qriocity security question and answer, and purchase history. Ouch.

Every major media outlet has keyed in on the unprecedented breach. Sony’s taken a big black eye in the stock markets – according to Reuters, Sony’s shares dipped 4.5 percent on Thursday (markets were closed on Friday) – and lawsuits against Sony Corporation are already being discussed. One class-action attorney in the United States is considering filing a suit on behalf of PSN account holders and several governments are looking into the security breach, including US Congress and the UK Information Commissioner’s Office, which Reuters announced was “investigating whether Sony violated laws that require it to safeguard personal information.” Double ouch.

Perhaps even more damaging to Sony, PSN and Qriocity members are expressing their outrage at Sony’s delay in revealing the breach, the ongoing loss of service, and the loss of their personal information (I for one, was lucky: the week before the outage I changed my credit card number due to a lost card). Reuters stated that “some gamers writing in online forums called for a boycott of Sony products, while shoppers at London video-games stores said they might leave the PSN network.”

Reuters also reports that “a Sony spokesman said that after learning of the breach it took ‘several days of forensic investigation’ before the company knew consumers’ data had been compromised.” Unfortunately for Sony, however, news media everywhere can’t help but draw the similarity to another Japanese company which came under scrutiny in 2010. And in a case of ‘timing is everything,’ the announcement that credit card information may have been stolen broke only hours after Sony introduced its first tablet PC. Thankfully, on May 1st The Montreal Gazette reported that, “there’s no evidence that anyone’s credit card information has been compromised.” Sony reported that the credit card info was encrypted, and credit card companies have observed no suspicious behavior. But the damage has been done and what the fallout will look like, from this data getting into the wild, is anybody’s guess.

What hasn’t been reported (much) since the April 19th breach is that there was a premonition of something big coming only weeks before. On April 4^th, Engadget reported that users trying to log on to their PSN and Qriocity accounts couldn’t get online, instead receiving a brief message from Sony stating that the service was down for maintenance. Hacktivist group Anonymous claimed responsibility for that outage, but Sony quietly denied any funny business, instead opting for the ‘sporadic maintenance’ approach. It might have been left right there and forgotten, were it not for the current woes that plague the beleaguered electronics company.

So what’s to be made of this recent security war? Several things come to mind. First – and always first – system security and privacy are paramount. It’s always been easier to break something than to make something, and even though it’s extremely difficult to plan for every contingency – or the prowess of some hackers, it seems – if you’re going to play in a big arena you had better bring your A game. The fallout could be devastating. Don’t get me wrong: Sony should be commended for, amidst the criticism bombarding the company, not rushing to get their network back up and running. Since the breach, the company has been consistent with the message that they’re ensuring additional security before restoring the services, even rebuilding parts of the system, which Sony purports to be reactivating this week.

Second, coming clean up front is always easier than trying to explain why you didn’t afterward. The stage that is international news media is relentless and unforgiving, especially when the media can grab onto numbers like 78 million and run with them. Toyota saw it in 2010 and now Sony will have to endure the scrutiny of governments, courts, and maybe most important, their users.

Third, if you do have a PSN or Qriocity account, you may want to take the advice given here. And turn your spam filters on high.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

PSN Security Breach: Gaming Not So Fun Anymore, a Warning to Others?

So far this week, I have received at least one notification a day from various companies that I do business with, who have sent me legitimate email of a non-marketing nature, informing me that my email address may have been obtained as a result of the breach at Epsilon. The breach appears to have only compromised customer mailing lists; no other account or personal information appears to be at risk, and statements from Epsilon are supported by similar statements from other customers. At worst, this information can be used for targeted phishing attacks, as a user receiving an email from a company they have done business with will appear on the surface to be more legitimate than an email they receive from a company they have never heard of.

These lists might also be used for more generic spamming, as they will contain addresses known to be valid, which will yield spammers more results than randomly generated lists. In addition to the emails being sent out by the companies who used Epsilon, email admins may want to remind their users of some general safety precautions around emails and phishing attacks, including:

• Don’t respond to e-mails that require you to enter personal information directly into the e-mail.
• Don’t respond to e-mails threatening to close your account if you do not take the immediate action of providing personal information.
• Don’t reply to e-mails asking you to send personal information.
• Don’t click on links contained in emails.

While Epsilon Data Management may have had the responsibility for securing this information, and may be held accountable by its customers, end users will be looking to the companies they provided their information to as responsible. Despite what the fine print says, if you gave your email address to ACME, and you start to get targeted SPAM messages, you are going to blame ACME… you’ve probably never even heard of Epsilon until now.

And this brings up an interesting point. What is considered due diligence on the part of companies that interact with consumers, when it comes to outsourcing to firms like Epsilon and sharing information with them? My employer is audited for SAS70 compliance every six months. One implication of that is that any service provider I wish to deal with must also be SAS70 compliant before I can even consider them (there is much more I must do, but that is the entry point.)

I know of no guidelines or specific recommendations for this, so I am asking you, the readers, to leave a comment with some of the things you do when considering an IT outsource provider. What steps do you take, or what requirements do you have, for your service providers? Do you follow a specific externally developed checklist, or do you have your own?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Companies Suffer due to Outsourced Provider’s Security Breach

News agencies have reported that several South Korean websites, including the Presidential Office, the Ministry of National Defense, the National Assembly and the Ministry of Foreign Affairs and Trade were attacked by cyber criminals on March 4, 2011. The attack was effective enough to shut down some of the sites.

According to Stars and Stripes, Yonhap news reported that U.S. Forces Korea websites were attacked, but USFK spokesman David Oten “would not comment on whether U.S. military computers had been affected by the virus, citing policy meant to protect operational security.”

“There was a DDoS attack, but no damage was reported,” said a presidential aide at Cheong Wa Dae, the executive office of the President.

Media reports theorize that the attackers compromised two peer-to-peer file-sharing websites using malware. The attacks appear to be linked to a similar incident in July, 2009, when nearly 30 organizations were overrun by a distributed denial of service (DDoS) attack. In both incidents, ‘zombie computers’ were used to carry out the attack. This method is an attractive option for the modern cyber criminal, because the use of zombie computers reduces the attacker’s risk of being detected, and by hijacking the computers of thousands of unsuspecting users, the attack is often quite effective.

Although the methods used to implement a DDoS attack vary, denial of service prevents an Internet site or service from functioning by overwhelming a web server with an unmanageable amount requests at a given time. In the attacks of July 2009 and March 4 of this year, the DDoS attack compromised users’ personal computers with malicious code that caused their machines to attack South Korean websites without the users’ permission.

According to the Korea Herald, an official for the Korea Communications Commission (the state telecommunications policy maker) stated that, “the number of zombie PCs, which are infected by malware and taking part in the attack, currently totals up to 11,000, much smaller than the 115,000 counted during the 2009 cyber attack.” He added that the South Korean government is, “making preparation measures since the number [of zombie PCs] is likely to increase.”

After the incident, the KCC released a second-level warning regarding the attack, indicating that the government will be monitoring any increases in online traffic and will keep a close watch out for malicious code which could be used in the commission of a denial of service attack. Cyber security professionals are working with the South Korean government to address security flaws uncovered by the recent attack.

South Korean information security firm AhnLab said that additional attacks were expected, The Herald reports. The firm also said that the attackers hacked two local peer-to-peer file sharing websites a day before on late Thursday and planted malware in the files.

Kim Hong-sun, chief executive of AhnLab, stressed the inherent dangers of spam, being infected by malware, and the preventative measures that can be taken. “For the PC to not be infected by the malicious code, one must have the latest security patch for the computer operating system and must update the vaccine program, along with checking the system in real time,” Hong-sun stated.

“The attached links sent through the e-mails and online messengers should not be clicked on and files should be screened when downloading them from peer-to-peer sites.”

In the 2009 attack, South Korean and U.S. websites were flooded with signals from infected computers causing service disruptions. While reports vary, as many as 270,000 computers were used to attack U.S. and South Korea-based websites. The BBC reports that the 2009 attack was blamed on North Korea, although no evidence has been uncovered to support this claim.

The 2009 incident was traced to a Chinese IP address used by the North Korean Ministry of Post and Telecommunications. Following the attack, the government established a cyber security center designed to protect financial and economic institutions, claiming it would utilize various methods to mitigate the risk of future DDoS attacks.

The ultimate goal of these attacks remains a mystery. One might surmise that they were ‘nuisance’ attacks perpetrated by hackers who wanted to flex their collective brain cells; or worse, that they were coordinated efforts with an as yet unknown purpose. Either way, the purpose of the attacks and who coordinated them seems irrelevant. The end result is the same and this recent wave of cyber crime might only be a precursor of what’s to come.

What is clear is how the increased vulnerability of corporate and institutional websites is often directly linked to factors outside the direct control of today’s IT manger. Peer-to-peer, phishing scams, email spam, social media spam, the advent of IPv6 – all reasons to consider the ‘X’ factor in today’s connected world: the computer on the other side of that fibre optic cable.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Denial of Service Attack Bombards South Korean Websites

The BBC reports that more than 150 of the ministry’s computers were affected, and it is understood that hackers had control over a number of workstations for weeks.  This incident represents one of the most sophisticated cyberattacks ever launched to date on a government, and the target appears to be sensitive information related to France’s presidency of the Group of 20 industrialized nations, says the Financial Times.

The security and geopolitical ramifications of such an audacious attack aside, the incident is of particular concern to us due to how it was apparently launched via email.  In a nutshell, ministry workers were sent emails with specially tailored PDF attachments that eventually resulted in the installation of Trojan software on their computers.  Technical details pertaining to this spear-phishing attack are not available, though we can make a few conjunctions based on the information that is available.

• The email package probably arrived from a spoofed account within the ministry to invoke automatic trust and increase the chances that the target will open the PDF document
• PDF files are not generally considered to be threat vectors and hence are not blocked or processed by most anti-malware scanners
• At least one popular PDF viewer – Adobe Reader, is heavily targeted for hackers due to a long history of security vulnerabilities as well as its market penetration
• Because it is possible to load Internet web pages by embedding URL links within PDF documents, hackers can target a specific vulnerability within the default web browser

Filling in the blanks, it is clear that the hackers utilized spear-phishing techniques to trick targeted users into opening a harmless-looking PDF document.  Either the PDF was already crafted to exploit the finance ministry’s PDF reader software, or it works as a springboard to cajole the hapless users into visiting a malware-laden URL.

Other notable spear-phishing cases

While the use of PDF files in such a high-profile phish is not particularly common, there were instances in the past where spear-phishing was used against both governments and commercial entities.

• Fellow blogger Sue Walsh wrote about how the UK’s Defense Ministry was hit by a spear-phishing attack in 2009 by use of a “traditional” Trojan attached to an email message. The Trojan was apparently created for the task of searching for and stealing classified documents, and epitomizes how the humble email is still a popular delivery medium for high-stakes cyberattacks.
• Google was penetrated by hackers in an attack which culminated “in the theft of intellectual property” about a couple of years back. In deciding to come forward with this information, Google also observed that the unidentified assailants were “highly sophisticated and targeted” to exploit a previously undiscovered flaw in the Internet Explorer (IE) browser. The IE vulnerability was purportedly triggered by a phishing email that led to a malware-leaden site.

Defending against phishing

While most administrators or users will associate notorious phishing cases with governments or large corporations, the same risk does apply to smaller businesses and individuals. Indeed, fellow blogger John P Mello Jr recently wrote about a new survey which found phishing to be one of the top 3 fraud threats in 2010 – right behind credit card and check fraud.  The take-away here is that scams and hacks conducted via phishing has not abated, but have instead grown more sophisticated and with much greater financial and business repercussions.

Fortunately, the rules and best practices to help defend against phishing have remained the same on the most part.  Readers who are interested can check out the anatomy of a scam spam message or how to avoid new phishing developments.

Conclusion

Reading between the lines, it is obvious that many of the high-profile security breaches originate from the nefarious use of email messages.  While it might be tempting to dismiss the entire problem as one belonging solely in the domain of the security administrator, the fact is that their point of entry is usually achieved via generic phishing messages which are broadcast as spam, or spear-phishing attempts that we covered today.  Ultimately, it is far easier to nip a problem in the bud by training employees to be on the alert, than to mop up the mess afterwards.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hackers phish their way into the French Ministry of Finance

It’s a very good idea to check the security of your company website. Make sure any unused FTP or CMS logins are disabled, keep the software you use up to date, and get in the habit of periodically searching for your site in Google to see what kinds of links show up.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hackers Using .edu Domains to Spam

These companies, and many others like them, provide email marketing services to websites and other online businesses.  Email marketing, when done properly, is a legitimate practice and is not spam although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt-in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list.  This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, assures a high deliverability rate for the customers of the email marketing service because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.

Among the more paranoid web users there is a tendency to use unique emails for each mailing list that they sign up to.  So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and then for XYZ Pty Ltd would use paul_xyz@somewhere.com.

This might seem like a lot of hassle to go to, generating unique email addresses for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first.  Suddenly their secret, unique addresses began receiving pharmaceutical spam emails.   Your average person who uses one single email address probably would not have noticed this additional spam.

Initial reports were sketchy but eventually first Aweber, and then later iContact determined that a data breach had occurred in their systems.  In both cases the outcome was the same – subscriber email addresses were compromised, but customer account and billing information was not.For the attackers this was a major score.  Hundreds of thousands, if not millions of valid working email addresses are now in their hands ready to be spammed.  And now that the data is out there is no way to get it back in again.

The paranoid web users, with their single-purpose email addresses, can probably go to the effort of unsubscribing and then discarding those addresses and generating new ones to re-subscribe with.  The average user with just one email address that all their friends and family know has no such luxury.

Both incidents cast a shadow across the internet marketing industry and put a lot of pressure on email marketers.  These people ask for their subscribers’ trust and in turn trust their service provider to keep their subscriber email addresses secure.

As serious as this incident is, the real impact is not necessarily all that big.  Valid email addresses fall into the hands of spammers every day, there is nothing more special about the ones compromised in these attacks other than the sheer volume of them that the hackers were able to net in one go.

For email users, particularly those in businesses, who are running a good anti-spam system the impact will likely be nothing at all.  The spammers aren’t able to leverage the trust of the email marketing services’ servers to send their spam, they still need to send them out via their usual compromised servers and botnets, which a good anti-spam system will still block.

However it does highlight the fact that as long as we try to use email for legitimate business, spam will always be a problem.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Email Marketing Services Targetted by Hackers

They start by setting up data centers and stocking them with servers, then they seek out a local Internet registry (LIR) or a regional (RIR) one that doesn’t have the resources to verify applications as they should. In most cases anyone applying for a block of IP space must go through a screening process that includes submitting legal documents showing their business name, the names of the officers in their company, a written explanation of why they need the space, a listing of the company’s PCs, router configurations, network maps and more. By going through either local registries or ones that for one reason or another can’t or won’t do a full screening, cybercriminals are getting set up as ISPs. In many cases these less than thorough registries require nothing more than a letter explaining why the space is needed.

Once the criminals are granted the space they themselves become bulletproof. They obviously will ignore any take down orders. The best example of this kind of set up is the infamous Russian Business Network, which hosted hundreds of spammers, botnet herders, phishers, hackers and other cybercriminals. They firmly ignored take down orders and fiercely protected their customers. RBN was able to get a block of IP space because by going through a European LIR they didn’t bother doing a thorough screening and the RIR, RIPE NCC granted the space based on the LIR’s report.  RIPE defended itself saying they had no way of knowing if an applicant is up to illegal activities or not.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case.

RIPE was eventually able to close down the LIR and reclaim the space from the RBN, but the practice is still flourishing. To stop it, it’s up to LIRs and RIR to stay on the ball and thoroughly screen applicants.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hackers and Spammers Now Creating Their Own ISPs

Some experts believe that the breach is just too large to have been achieved through phishing alone and suspect malware, mainly keyloggers, may have been involved as well.

“The quantity of people hit makes me think that it was key logging — the success rate for phishing is only about one in 1,000,” Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet. “Secondly, when I went through the list of e-mail account credentials, there were entries with the same username, but a slightly different password, which suggests that they’re typos. I don’t think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them,” he said.

So far researchers have been unable to pinpoint the exact cause of the breach or determine who is responsible. They recommend that everyone, regardless of what email service they use, change their passwords immediately and then do so every six months. Passwords should be a combination of numbers and letters and every account you have should have its own unique password.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam From Sites Involved in Data Breach Increases Dramatically

Hackers are using the high profile nature of the attack to spread scareware. They are poisoning search engine results so that people searching using the keyword Cyxymu will be given results that redirect to malicious sites that push rogue anti-virus programs.

Spammers are also exploiting the attack. A new flood of spam has been detected that claims to be a grammatically garbled apology from Cyzymu and links to his blog. Experts say it is likely an attempt by those behind the DDoS attack to further alienate him and get him in trouble. His actual email address was spoofed, and as a result his email box was probably flooded with bounce messages, out of office auto responders, and similar noise. This, experts say, was the attacker’s way of sending a message to Cyzymu, and the link to the blog is an attempt to send a flood of traffic to the site in hopes of crashing it.

While it’s not yet known exactly who is responsible for the initial DDoS attack or the spam and malware attacks spawned from it, Cyzymu has told news outlets that he believes the Kremlin is behind it all.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

DDoS Attack Against Georgian Blogger Inspires Spam, Malware Attacks

To make matters worse the list of FTP credentials is stored on a server in China in plain text, making it available to anyone who stops by. Experts say they were all stolen within the past 2 weeks and most are still valid.

The ZBot Trojan has also been spotted in several email attacks masquerading as everything from a ticket confirmation from Delta Airlines to a critical update for Microsoft Outlook. If downloaded it steals personal information using a keylogger.

It’s crucial to make sure any unused FTP credentials on your website are disabled and that active ones have their passwords changed regularly. As we saw recently when hundreds of government sites in the UK were compromised and redirected visitors to internet pharmacies selling Viagra or porn sites, hackers are eager to infect legit sites. If they hit yours it could be a real nightmare for you and your customers, so stay alert and keep an eye on your servers and FTP logins!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zbot Trojan is Harvesting FTP Credentials From Major Websites

“We have everything — their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009,” read the message on the Full Disclosure message board. “We are offering them for the highest bidder.”

To prove their claim they showed information related to the company’s operating systems, IP addresses, and software vendors. It’s not yet certain if the message is telling the truth. Full Disclosure claims that the majority of the posts made on its site are hot air,  and T-Mobile seems to concur:

          “Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers’ information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible”, said a company spokesperson.

Interestingly, no one seems to be able to contact the hackers who are offering the stolen data for sale. Emails sent to them by reporters received no response.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

T-Mobile Denies Alleged Data Breach

In addition to seeing what type of information the botnet collects and how, researchers also got a good look at victim vulnerability and weaknesses that could have been prevented. Twenty-eight percent of the victims reuse credentials for accessing multiple web sites, which researchers speculate makes it easier for attackers to gather more information on victims. This may be true, although using the same password for multiple non-essential sites isn’t necessarily bad, as long as you don’t use the same password for your bank account. It’s common for some people to be members of dozens of informational web sites which require password access, although for the most part, these don’t log any sensitive information. Ars also notes that Torpig also gathered hundreds of email, forum, and chat messages–also reminding us that it is never safe to give somebody sensitive information, account numbers, or passwords, over instant message. What’s more shocking is that during the ten day period, Torpig gathered credentials for 8,310 accounts at 410 financial institutions. Forty percent of those credentials were stolen from browser password managers instead of from actual login sessions. Researchers say that many of the thefts were the result of weak passwords.

The report also highlighted an interesting phenomenon it calls “Botnets-as-a-service”, suggesting that multiple groups are actually profiting from the stolen data and that Torpig operates as a malware service. But the biggest conclusion that researchers drew is not surprising at all–”the malware problem is fundamentally a cultural problem,” reinforcing the need for not just good anti-malware technology, but also for better education as to proper use and common sense precautions.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

UCSB reserachers hijack a botnet

Sharing the top spot is the Xarvester botnet, which rose from the ruins of Srizbi and also sends out 25,000 spam messages an hour. Mega-D, a former giant, brings up the rear with 15,000 spam messages a day being sent. Interestingly, Waldec, the botnet behind Conficker, is far below the top three, sending only 7,000 spam messages a day. There are a total of 9 botnets that are responsible for most of the spam on the net.

What does this all mean? Well it proves that as far as spammers are concerned, where there’s a will there’s a way, and if their host is shut down, they’ll just find somewhere else to set up shop. Since there are still many countries, such as Romania and Estonia, that do little or nothing to fight cybercrime, there will always be someplace for these cybercriminals to hide. It will take a truly global effort for the war against hackers, spammers and other cybercriminals to truly become effective.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Meet the New Top Botnets