IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk

Mobile Trojans - a sign of things to come?

A posting on the Internet Storm Center (ISC) portal from security organisation SANS yesterday pointed to another mobile Trojan doing the rounds. However, exactly what threat it poses is still unclear.

The Trojan in question creates a thread which sends six SMS messages whose contents are obfuscated, so what it is actually intended to do remains cloudy.

The ISC reader in question who alerted the site said he received the unsolicited message of garbled characters and a link to a .JAR (Java ARchive) containing the malware through ICQ.

Rather worryingly, according to ISC only 14 out of 41 AV products detected the JAR file successfully.

Rik Ferguson, senior security advisor at Trend Micro, one of the lucky 14 vendors which did detect the malware, said any mobile malware discovered is noteworthy, because there is so little of it around.

"It could be an attempt to find a way through Java to make it more cost effective to write malicious code because Java was designed to be cross-platform," he added. "It could be an attempt to overcome the homogeneity of the mobile platform."

Stay tuned for more updates.

July 2, 2009

Facebook's unreliable privacy settings

News that hackers have once again found their way into Facebook should serve as reminder to firms using external social networks as part of a business strategy that data is not necessarily secure behind a web site's login details.

Perhaps social suites available from enterprise vendors might be a safer bet.

FBHive, a recently launched site following Facebook, said yesterday it was able to hack into any person's "Basic Information" section, no matter what their privacy settings.

"We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them," said the post.

The exploit involved fooling the "Edit Information" section of a user's profile to display another user's Basic Information by using the Tamper Data add-on for Firefox.

FBHive launched a video to show Facebook users how easy the hack was.

Facebook's security team fixed the flaw soon after FBHive published its report. But the news follows a revelation from a Burton Group analyst back in 2008 that Xobni, an email add-on which plugs in to Microsoft Office and correlates Outlook contact data with external sources such as Facebook, also managed to override privacy protections.

Analyst Mike Gotta said that when an individual's social data is pulled from an external network site into another person's email account, they should be properly notified.

"I do believe that context of a relationship agreement made within one environment does not necessarily transfer to other environments without the parties being aware and in some cases, consenting to that information being revealed in those other contexts," Gotta had said in his blog.

"What really surprised me though was that I now had access to people's information via Xobni's Facebook Connect application that I could not access normally on Facebook," he added.

June 23, 2009

More gaming account hacks revealed

Online identity firm Garlik has revealed that criminals are targeting gamers with increasing regularity in an attempt to harvest personal and financial information which could be worth as much as £4.5m a year.

The research assessed illegal trading of credentials on platforms such as Microsoft Xbox, Sony Playstation and World of Warcraft.

Garlik estimated that around 500,000 Xbox Live credentials are being traded on a yearly basis, with a selling price of around £100 for 20 accounts.

It also warned that digital content delivery platform Steam is one of the most highly targeted, with hackers uploading infected add-ons for various titles which contain malicious Trojan code.

"Online games-related account theft is definitely a problem, and while some companies have tried to combat such activity it's an issue that isn't taken seriously enough by most gamers," said Phil Elliott, managing editor of videogames business site GamesIndustry.biz.

"There's a clear risk that compromised personal data could be used for further serious activity."

To minimise their risk exposure, Garlik has warned users not to use the same password for online gaming as for banking and other accounts.

The news also comes just a few days after security vendor Webroot reported an "astonishing volume" of phishing Trojans, designed to steal licences, usernames and passwords from gaming accounts.

"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Webroot's Andrew Brandt on the firm's threat blog.

June 22, 2009

Consumers ignoring security updates

A new survey by security vendor PC Tools has found that over a third of consumers don't update their security software, while more than half ignore alerts.

Can this really be true? Are PC users really that stupid? Well, as long as the survey wasn't carried out with a select bunch of Luddites, the implications are fairly alarming.

The sheer scale and constantly evolving nature of malware today means regular security updates are essential if your PC is to remain as resistant to attack as it can be. But if, as the research suggests, 40 per cent of women and just 20 per cent of men remember to switch on their automatic updates, the future looks grim.

Of course, enterprise PCs will have the requisite policies and technologies in place to minimise the risk of infection, so why care about the consumer sphere?

Botnets are the source of most evil these days: sending spam, launching denial of service attacks and firing off more malware. Until users take the security of their systems more seriously, these botnet-based attacks will continue to make corporate information security chiefs work hard for their money.

An interesting footnote is the 56 per cent of consumers who ignore security alerts when they flash up. This is a concern that security software companies must consider carefully. Are security notices generally too frequent, rendering the important ones lost in the noise? Should consumers be given an easier way to set alert levels? At the very least, a bit of food for thought.

June 18, 2009

Systems still left open to former employees

Many companies fail to protect sensitive data from embittered ex-employees by not properly and quickly terminating all access when someone leaves the company, according to a new study.

A survey by access management firm Courion found that, although the majority of IT managers reckon that terminated employees will not attempt to remotely access data, over half admitted to having no real idea of what access routes remain active after someone leaves the company.

"The fact that 53 per cent of IT managers are largely unaware of employee access rights is of great concern, and has been exacerbated by the high frequency of mergers and acquisitions in the current climate," said Stuart Hodkinson, general manager at Courion.

"The time for overconfidence has passed. It is important for IT managers to close these holes by undertaking regular audits, and ensuring that employees have access only to the information they need to do their jobs."

This proliferation of what Hodkinson calls "zombie accounts" is also aided by the fact that 28 per cent of respondents said that their company still provisions accounts manually, making delays and errors in deactivation much more likely.

The survey found that nearly half of businesses take more than a day to inform the IT department of a departing employee, and around a third admit that it takes more than a week to shut off access to systems.

Hodkinson sees this as a worrying window of opportunity for disgruntled employees to attack internal systems, or obtain valuable information that could cost the company a lot of money and tarnish its reputation.

The survey also revealed that nearly one in 10 companies could never be completely certain that terminated employees no longer have access to IT systems.
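One way to run the kind of regular audit Hodkinson recommends is to reconcile the HR leaver list against the account directory and flag accounts that are still enabled. This is an added example, not Courion's tool or anything from the survey; the leaver feed and directory export are constructed sample data, and the thresholds mirror the survey's "more than a day" and "more than a week" figures.

```python
"""Offboarding audit: flag accounts still enabled after their owner has left."""
from datetime import date

# Constructed HR feed: username -> date the person left the company.
LEAVERS = {
    "asmith": date(2009, 6, 1),
    "bjones": date(2009, 6, 12),
    "cdoe": date(2009, 5, 20),
}

# Constructed directory export: account state and last recorded login.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2009, 6, 10)},
    {"user": "bjones", "enabled": False, "last_login": date(2009, 6, 11)},
    {"user": "cdoe", "enabled": True, "last_login": None},
    {"user": "dlee", "enabled": True, "last_login": date(2009, 6, 14)},
]

# The day the audit is run (constructed, so the example is reproducible).
TODAY = date(2009, 6, 15)


def zombie_accounts(leavers, accounts, today):
    """Return still-enabled accounts of leavers, longest-open first.

    Each finding records how many days the account has outlived the
    departure and whether it was used afterwards, which is the difference
    between a stale entry and live access that needs incident handling.
    """
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue  # current staff, or already deactivated
        days_open = (today - left).days
        last = acct["last_login"]
        findings.append({
            "user": acct["user"],
            "days_since_departure": days_open,
            "used_after_departure": last is not None and last > left,
            # Buckets follow the survey's thresholds: over a day, over a week.
            "severity": "week+" if days_open > 7 else "day+" if days_open > 1 else "new",
        })
    return sorted(findings, key=lambda f: -f["days_since_departure"])


if __name__ == "__main__":
    for finding in zombie_accounts(LEAVERS, ACCOUNTS, TODAY):
        print(finding)
```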

June 15, 2009

Phishers swoop for gaming credentials

Security firm Webroot is warning that cyber criminals are increasingly going after the credentials of online gamers.

In a blog posting, the firm's Andrew Brandt said that the Webroot Threat Research Group had been tracking an increase in this kind of activity since the start of the year.

He said the researchers had noted an "astonishing volume" of phishing Trojans, designed to steal the licence keys that gamers use to install copies of legitimately purchased games, and also the usernames and passwords which players use to log in to their accounts on games such as World of Warcraft.

"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Brandt on the Webroot threat blog.

"We know the exact servers they contact, and what kinds of information they're sending. And we know why: Thar's gold in them thar WoW accounts, and the rush is on to cash in."

According to Brandt, the method by which the initial executable file gets on a user's PC varies, with exploits in malicious iframes being commonplace. Once infected, PCs could end up with "metric tons of malware on them", he added.

"I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details," wrote Brandt.

"With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don't even seem to be concerned in the slightest about covering their tracks."

June 14, 2009

Online system for MPs' expenses sounds like recipe for disaster

Gordon Brown has turned to web pioneer Tim Berners-Lee as he struggles to take control of the expenses scandal that has rocked his government for what feels like years already.

Brown and the rest of Parliament are getting ready for their summer holidays, so in the midst of scurrying around looking for passports and toothbrushes he has somehow found the time to come up with the idea of publishing all MPs' expense claims online - in the next few days. It is thought that by making MPs more accountable in this way they may stop claiming for things like funeral wreaths and duck habitats.

Doing anything in the 'next few days' doesn't sound like a good idea to us. It has the ring of a rush around it and given the sensitivity of the information involved it really ought to come with the sort of protection that Danielle Lloyd rolls with these days. And that is likely to take a bit more time than the quoted few days.

Unlike the old system, the fact that this one is online will make it open to abuse from both internal and external sources, whether that's admin staff accidentally leaving a USB stick containing expenses details on the train, or attackers trying to hack into the system. And given that the old system couldn't cope with internal abuse we can't help but worry how it will handle a nation full of disgruntled voters and a million sweaty keyboards.

Anyway, like most government backed online initiatives it is bound to run years over schedule, cost billions, and then fall over due to demand on launch - maybe they could use an extra few days to actually make sure that it works.

June 10, 2009

Verizon Business launches new cloud-based security

Verizon Business has become the latest organisation to nail its colours to the cloud computing mast, with new cloud-based network management, reporting and monitoring tools.

The IP network provider announced Asset Assurance, a new suite of fault management and monitoring tools and reporting capabilities available to Verizon Private IP customers as a service.

Based on CA's Spectrum Infrastructure Manager, Asset Assurance is a SaaS-based solution combining device monitoring, alarming, fault isolation, root-cause analysis, service-level reporting and IT service management.

An Internet Security Assessment service will provide analysis of potentially harmful traffic, including Virtual Discovery & Classification and External Risk Assessment, supported by professional services.

And new managed security capabilities for Verizon Secure Gateway-Firewall are designed to protect customers from harmful traffic as they transfer voice and data between public and private networks.

Verizon Business is marketing these solutions at companies of all sizes, saying its flexible billing model will appeal to all.

"IP networks have fast become the heart of most business operations worldwide, which means that companies, more than ever before, are relying on network security and the performance of their business applications to fuel success," said Blair Crump, president of worldwide sales for Verizon Business.

"As a result, we've deepened our global Private IP capabilities to even further boost customer confidence that business communications within and beyond their corporate walls will perform seamlessly and securely."

May 24, 2009

SSH flaw could still cause problems

A highly dangerous SSH flaw discovered a few months ago could still cause your organisation headaches, according to security experts.

The vulnerability was first made public when it emerged last November that researchers at Royal Holloway's Information Security Group had found the flaw, which could allow hackers access to sensitive data.

SSH, or the Secure Shell Protocol, was designed to provide a secure channel between networked devices by encrypting data and is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the internet, according to the ISG.

The team duly discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH.

Although the attack is difficult to achieve, it is a very dangerous flaw given the fact that SSH is meant to be bullet-proof, and because of what it is meant to protect.

And although the open source implementation of SSH, OpenSSH, as well as the commercial product Tectia, have been updated to include protection against the flaw, firms could still be at risk, according to Gartner analyst John Pescatore.

"If you're using an inexpensive web hoster, query them to make sure they've patched the flaw," he said. "In addition, quite often these open source technologies are built into other pieces of software, so it's important to check if you have some in use, in places you didn't know about."

He advised firms to undertake vulnerability scans of their systems to detect whether they are running any unpatched versions of SSH.
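The scan Pescatore describes boils down to collecting the version banner every SSH server announces and checking it against the version that carries your vendor's fix. The script below is an added example, not from the ISG researchers, Gartner or any vendor: the banners are constructed, and MIN_PATCHED_VERSION is a placeholder you fill in from your SSH vendor's advisory.

```python
"""Inventory SSH server banners from scan output and flag likely unpatched hosts."""
import re

# Constructed scan results: host -> banner string the server announced.
SCAN_BANNERS = {
    "10.0.0.1": "SSH-2.0-OpenSSH_5.1p1 Debian-5",
    "10.0.0.2": "SSH-2.0-OpenSSH_5.2",
    "10.0.0.3": "SSH-1.99-OpenSSH_4.3",
    "10.0.0.4": "SSH-2.0-dropbear_0.52",
    "10.0.0.5": "garbage",
}

# PLACEHOLDER: minimum version carrying the fix, per product. Take the real
# figure from your vendor's advisory; the value here is illustrative only.
MIN_PATCHED_VERSION = {"OpenSSH": (5, 2)}

# "SSH-<proto>-<product>[_ ]<version>"; the patch suffix (e.g. "p1") is dropped.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_ ]?(?P<ver>\d+(?:\.\d+)*)"
)


def parse_banner(banner):
    """Return (product, version tuple), or None if the banner is unparseable."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return m.group("product"), tuple(int(x) for x in m.group("ver").split("."))


def classify(banner):
    """Return 'patched', 'unpatched', 'unknown-product' or 'unparseable'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparseable"  # odd banner: review by hand rather than ignore
    product, version = parsed
    floor = MIN_PATCHED_VERSION.get(product)
    if floor is None:
        return "unknown-product"  # no threshold on file: needs manual review
    return "patched" if version >= floor else "unpatched"


def audit(banners):
    """Map each host to its classification; 'unpatched' hosts need follow-up."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(audit(SCAN_BANNERS).items()):
        print(host, verdict)
```

Treat the banner as a lead, not proof: distributions sometimes backport a fix without raising the version string, and a banner can be edited, so confirm "unpatched" findings against the package's changelog or vendor advisory.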

May 18, 2009

EU data breach notification laws on the way

The EU appears to be forging ahead with plans for a US-style data breach notification law which would require all organisations to disclose when they lose sensitive data.

The commissioner for Information Society and Media, Viviane Reding, told the European parliament earlier this week that the commission "will start work without delay to consult widely and make proposals" regarding the extension of notification laws to all firms.

A contentious telecoms bill is currently working its way through parliament, which includes a clause to force ISPs and service providers to disclose any breaches.

In an exclusive interview with vnunet.com last October, European data protection supervisor Peter Hustinx said that any proposals to make data breach notification mandatory for all organisations would be "fair and in line with reality".

But the UK's data protection watchdog the Information Commissioner's Office has argued against such laws, saying it should be allowed to decide on a case-by-case basis whether an individual organisation should be forced to disclose a data breach.

The arguments against such laws usually state that they will desensitise the public to data breaches and thus lose their impact. There are also question marks about whether there should be a lower limit set on how many records are lost, after which point disclosure should be made mandatory.

But supporters of US-style laws say that they will help to give everyone a clearer idea of the scale of the data breach problem - information which will be especially helpful to law enforcers.

May 8, 2009

© Incisive Media Ltd. 2009