Data Breach Exposes Email Addresses of Over 100,000 iPad Users

Written by Sue Walsh on June 14, 2010

AT&T, still stinging from embarrassment after its poor network coverage prevented Steve Jobs from connecting to the internet with his iPad during his WWDC keynote speech, now has an even bigger PR nightmare to contend with. A group of hackers revealed that they were able to gain access to over 100,000 email addresses belonging to iPad users, and not just any users. Among those whose personal info was compromised are New York City Mayor Mike Bloomberg, White House Chief of Staff Rahm Emanuel, the CEO of the New York Times, and Steve Jobs himself, along with many other public figures.

The group discovered that a program on AT&T’s website would display the email address associated with an iPad when given the unique identification number assigned to that iPad. Once they wrote a script to automate the process, it took them just 6 hours to collect 114,000 email addresses. AT&T said it fixed the security hole promptly once it was informed of it.
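As an added illustration (not AT&T’s code), here is the weak lookup pattern the post describes, an endpoint that answers with an email address for any device identifier it is handed, beside a version that ties the lookup to the logged-in account; device identifiers, accounts and addresses are constructed placeholders.

```python
# Added example, not AT&T's code. Illustrates the weakness described above:
# an endpoint that returns an account's email for any device identifier it is
# handed, beside a version that requires a logged-in session and checks that
# the device belongs to that account. All identifiers below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed lookup tables: device identifier -> account, account -> email.
# "DEVICE-0001" etc. are placeholders standing in for per-device identifiers.
DEVICES: Dict[str, str] = {"DEVICE-0001": "acct-alice", "DEVICE-0002": "acct-bob"}
ACCOUNTS: Dict[str, str] = {"acct-alice": "alice@example.com",
                            "acct-bob": "bob@example.com"}


@dataclass
class Session:
    """Who is making the request; account_id None models an anonymous visitor."""
    account_id: Optional[str]


def lookup_email_vulnerable(device_id: str) -> Optional[str]:
    """Weak pattern: possession of a device identifier is treated as proof of
    ownership, so anyone able to supply or iterate identifiers gets the email."""
    account = DEVICES.get(device_id)
    return ACCOUNTS.get(account) if account else None


def lookup_email_hardened(session: Session, device_id: str) -> Optional[str]:
    """Authenticate first, then authorise: the device must be registered to the
    account that owns the session. Unknown devices and devices owned by someone
    else both yield None, so the response does not reveal which identifiers exist."""
    if session.account_id is None:
        return None                      # no session, no lookup
    owner = DEVICES.get(device_id)
    if owner != session.account_id:
        return None                      # not found or not yours: same answer
    return ACCOUNTS[owner]


if __name__ == "__main__":
    # The weak version answers for any identifier; the hardened one only for the owner.
    print(lookup_email_vulnerable("DEVICE-0002"))                    # bob@example.com
    print(lookup_email_hardened(Session(None), "DEVICE-0002"))       # None
    print(lookup_email_hardened(Session("acct-bob"), "DEVICE-0002")) # bob@example.com
```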

The Importance of Taking Warnings Seriously

Written by Sue Walsh on June 2, 2010

Compromised computers spew spam.

John Leyden over at The Register posted an interesting article recently. It seems that botnet herders have learned how to avoid honeypots. Honeypots are traps set by security firms: groups of deliberately unprotected computers designed to lure botnets so that researchers can study their command structure and malware deliveries. This helps them come up with ways to detect and fight back against the botnets. Now that the herders know how to spot and avoid honeypots, the firms may lose this valuable tool. While many firms say they are aware of this and are working on the problem, some are skeptical and say the seriousness of the issue is being exaggerated.

I personally disagree. I mean seriously, does this surprise anyone? Botnet herders and other cybercriminals are getting better and better at avoiding detection and protecting themselves. When McColo was abruptly shut down in 2008 it knocked several botnets offline for MONTHS. Thanks to improved technology, recent similar shutdowns have resulted in botnet downtime shrinking to just hours or days. No matter how good we think we are at detecting malware, blocking spam and fighting botnets, the cybercriminals will always be a step ahead. They are constantly changing and evolving. These folks will never wind up on an episode of America’s Dumbest Criminals. These people are smart, creative, and determined and because of that we need to take every warning seriously. We are woefully unprepared for a major cyberattack or act of cyberwarfare, and until that changes we’ve got to stay on the ball.

Should You Use More Than One Anti-Spam Product?

Written by Paul Cunningham on May 14, 2010

A popular security term is “defence in depth”. It sounds really clever and evokes images of multiple layers of protection from a threat.

An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls. If one firewall fails, or is circumvented somehow, another one potentially saves the day.

It is a good concept but it naturally adds complexity to any environment. And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.

Why Defence In Depth for Email Threats?

Quite a few years ago IT departments had a problem. Email viruses would sometimes get through their servers and infect the network. It happened when your server did not receive a new signature database from the vendor in time to stop the infection.

There were two underlying weaknesses with the older generation of email security products. Firstly, they usually updated only once per 24 hours. Secondly, they utilised a single engine for scanning emails for threats.

Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content. If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it.

Twitter Grader Hack Highlights Social Network Spam Risks

Written by Paul Cunningham on February 17, 2010

The security of social networks was thrust into the spotlight yet again this week with the successful hack of the Twitter Grader application run by Hubspot, a maker of social media and internet marketing tools.

The Twitter Grader application uses an algorithm to calculate, or grade, a Twitter user’s ranking among their peers. This type of tool has been very popular with Twitter users who willingly grant access to their Twitter accounts for websites that offer this type of ego-feeding information.

The compromise resulted in thousands of unauthorized messages being sent from Grader users’ Twitter accounts containing a link to a web page that hosted an embedded video. The content turned out not to be malicious, and it has been speculated that this was an attempt to increase the search engine rankings of the website.

The hack was quickly acknowledged by Hubspot, who proceeded to take down the Grader application while they investigated the issue. Grader users are advised to revoke Grader’s access to their Twitter accounts and also to consider changing their account password.

Email Marketing Services Targeted by Hackers

Written by Paul Cunningham on February 11, 2010

There have recently been two publicized, high profile attacks on email marketing services. The two services are Aweber and iContact, each confirming the attacks within about a month of each other.

These companies, and many others like them, provide email marketing services to websites and other online businesses. Email marketing, when done properly, is a legitimate practice and is not spam, although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list. This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, assures a high deliverability rate for the customers of the email marketing service because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.

Among the more paranoid web users there is a tendency to use unique emails for each mailing list that they sign up to.  So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and then for XYZ Pty Ltd would use paul_xyz@somewhere.com.

This might seem like a lot of hassle to go to, generating unique email addresses for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first. Suddenly their secret, unique addresses began receiving pharmaceutical spam emails. Your average person who uses one single email address probably would not have noticed this additional spam.

Initial reports were sketchy, but eventually first Aweber, and then later iContact, determined that a data breach had occurred in their systems. In both cases the outcome was the same – subscriber email addresses were compromised, but customer account and billing information was not.
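The per-list address habit described above doubles as a breach canary, and here is that idea as an added example (not code from the post): each list gets its own tagged address, so the To: address on unsolicited mail points at the list whose subscriber data leaked. The list names, addresses and messages are constructed samples.

```python
# Added example, not from the post. Turns the per-list address habit described
# above into a breach canary: each mailing list gets its own tagged address, so the
# recipient address on unsolicited mail points at the list whose subscriber data
# leaked. Lists, addresses and messages are constructed samples.
import re
from collections import Counter
from typing import Dict, List

# Registry of tagged address -> the list it was given to (and nobody else).
REGISTRY: Dict[str, str] = {}


def register_list(list_name: str, tag: str, local: str = "paul",
                  domain: str = "somewhere.com") -> str:
    """Mint a unique address for one list, e.g. paul_abc@somewhere.com, and record it."""
    address = f"{local}_{tag}@{domain}".lower()
    REGISTRY[address] = list_name
    return address


def recipient_of(raw_message: str) -> str:
    """Return the address in the To: header of a plain (non-MIME) constructed message."""
    m = re.search(r"^To:\s*<?([^>\s]+)>?\s*$", raw_message, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else ""


def suspected_leaks(unsolicited: List[str]) -> Counter:
    """Count unsolicited messages per list. Any list that appears here received mail
    at an address only it was ever given, which is the signal the post describes."""
    hits: Counter = Counter()
    for msg in unsolicited:
        list_name = REGISTRY.get(recipient_of(msg))
        if list_name:
            hits[list_name] += 1
    return hits


# Constructed sample: two tagged addresses and three messages the user flagged as spam.
register_list("ABC Corp", "abc")
register_list("XYZ Pty Ltd", "xyz")
SPAM_SAMPLES = [
    "From: pharma@example.net\nTo: <paul_abc@somewhere.com>\nSubject: Cheap pills\n",
    "From: offers@example.org\nTo: paul_abc@somewhere.com\nSubject: Discount\n",
    "From: deals@example.net\nTo: paul@somewhere.com\nSubject: Hello\n",  # untagged, not attributable
]

if __name__ == "__main__":
    print(suspected_leaks(SPAM_SAMPLES))  # Counter({'ABC Corp': 2})
```

Only lists that never see spam at their tagged address stay out of the counter, so a list that appears here is worth a closer look even before the provider confirms anything.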

Vicious, Data Destroying Virus Discovered

Written by Sue Walsh on February 2, 2010

Security researchers have discovered a vicious new virus. Dubbed Win32.Worm.Zimuse.A, it appears to have originated in Slovakia but has been quickly making its way around the world, with the highest rate of infection now in the United States, followed by Slovakia, Thailand, and Italy. The virus and its variant, Win32.Worm.Zimuse.B, both work in the same destructive way. Once the system is infected, Zimuse creates between 7 and 11 copies of itself, installs a rootkit, alters system registry entries, and creates several driver files. After a pre-determined number of days (40 for A, 20 for B) it springs to life with a poorly written fake Windows Defender warning:

“System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart-stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it’s nearly impossible to know the system is infected.

Win32.Worm.Zimuse A and B distribute themselves in very different ways. The first variant embeds itself on legitimate sites, possibly by poisoning an ad network, and pretends to be an IQ test. The second spreads via exchangeable media like USB flash drives. Experts think it was a malicious prank intended only for fans of a Slovakian motorcycle gang, but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure if your system’s anti-virus programs are up to date, contact your IT department.

NASA Reprimanded Over Lax Security Practices

Written by Sue Walsh on October 23, 2009


In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up. NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.

“NASA remains vulnerable to similar incidents going forward,” the report finds. “Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.”

The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, and the infection of 86 other computers with the Zoneback Trojan, and others infected with the Coreflood Trojan.

The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!

IBM report says Trojans remain top threat

Written by John P Mello Jr on September 10, 2009

Trojans are the most popular form of bad apps among crackers.

Trojans remain the most popular form of malware on the Internet, according to a report from IBM Managed Security Services.

The report, which is prepared quarterly by Big Blue’s Internet Security X-Force, estimated that more than 56 percent of the malware in circulation can be categorized as Trojans. That shouldn’t be surprising, since that form of malicious code offers computer miscreants a way to deliver an assortment of dastardly functions in a single package, functions such as spying, stealing information, logging keystrokes and downloading more poisonous programs.

IBM identified eight specific categories of Trojans now in circulation.


Is Home Office on Phorm’s side?

Written by Dan Blacharski on May 5, 2009

The Home Office issued a public notice about Phorm’s targeted advertising service, but curiously, before the notice was issued, the Home Office had a nice little discussion with Phorm directly to get their “opinion” on the advice before it went out.

Phorm’s service tracks online surfing and then delivers advertisements. The service has been under criticism from several fronts concerning privacy issues. According to BBC reports, Phorm had first requested the Home Office to give a position on its technology back in 2007; the Home Office responded in January 2008 to Phorm, saying, “I should be grateful if you would review the attached document, and let me know what you think.”

Later, the Home Office sent another document, thanking Phorm for their “amendments” to the Home Office’s advice.

It seems to me that when a government agency issues a public notice about a suspect company’s practices, it doesn’t make much sense to ask the suspect company for their input. This sort of collusion is more than bizarre, and seems more like a PR move by Phorm than any attempt by the Home Office to provide meaningful advice to the public.

Federal Agencies Not Doing Enough to Prevent Phishing

Written by Sue Walsh on April 23, 2009

A new report is revealing that most federal agencies aren’t following security protocols that could prevent phishing attacks. The report by the Online Trust Alliance, a group of security companies working to fight Internet fraud, found that 56% of the 25 agencies it studied did not authenticate emails or domain names.

“Phishers will send mail that appears to come from the most recognized domains, such as IRS.gov, for example,” said Craig Spiezle, chairman and founder of the Online Trust Alliance. “What the owner of those domains can do is publish a declaration that tells Internet service providers, receiving networks and e-mail programs, ‘No e-mail will come from this domain,’ or ‘Only mail from these specific IP addresses is authorized to send mail from this domain.’ But most agencies are not doing that.”

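The two declarations Spiezle describes are what an SPF record expresses, and as an added example (not from the post or the Online Trust Alliance) here is a minimal evaluator for them: a domain that never sends mail publishes `v=spf1 -all`, and a domain that sends only from known addresses lists them before `-all`. It handles only the ip4, ip6 and all mechanisms (include, a, mx, exists and redirect are left out on purpose), and the records and IP addresses are constructed from documentation ranges.

```python
# Added example, not from the post or the Online Trust Alliance. A minimal evaluator
# for the two SPF declarations Spiezle describes: "no mail comes from this domain"
# (v=spf1 -all) and "only these addresses may send" (v=spf1 ip4:... -all). It handles
# only the ip4, ip6 and all mechanisms; include, a, mx, exists and redirect are left
# out on purpose. Records and IP addresses are constructed (documentation ranges).
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against one SPF TXT record.

    Returns pass/fail/softfail/neutral when a mechanism matches, 'neutral' when the
    record runs out without a match (the RFC 7208 default), 'none' when the text is
    not an SPF record, and 'permerror' for a mechanism this evaluator cannot handle."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # matches everything; ends evaluation
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                   # include/a/mx/exists/redirect not implemented here
    return "neutral"


# Constructed records: a domain that never sends mail, and one that sends only from
# the listed ranges (192.0.2.0/24 and 2001:db8::/32 are documentation prefixes).
NON_SENDING_DOMAIN = "v=spf1 -all"
SENDING_DOMAIN = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    print(check_spf(NON_SENDING_DOMAIN, "192.0.2.10"))   # fail
    print(check_spf(SENDING_DOMAIN, "192.0.2.10"))       # pass
    print(check_spf(SENDING_DOMAIN, "198.51.100.7"))     # fail
```

A record that ends in `~all` or has no `all` at all leaves forged mail at softfail or neutral, which is why the declaration only helps receivers when it closes with `-all`.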