UK and US drop down virus source list
There was good news for US and UK security chiefs today with the latest stats from managed security firm Network Box showing that India and Russia have both leapfrogged them in the list of top virus sources.
India is now the world's single biggest producer of viruses, accounting for 13.74 per cent, while Russia comes next, producing just over 11 per cent. The US now accounts for just over eight per cent, an impressive decrease from 14.65 per cent last month.
The UK dropped down from fourth to seventh on the list.
However, there was bad news for the US in the spam list, with the latest stats showing it came out as number one source for worldwide spam, at just over 12 per cent. India came second with Brazil in third and the UK in fourth with five per cent.
The stats echo those from Symantec Hosted Services, which last week also placed the UK fourth with around 4.5 per cent of the world's share of spam.
However, Network Box warned that the trends are unlikely to continue in the same vein next month, given the agility of cyber criminals.
"The country sources of these internet threats shift each month, which shows how quickly internet criminals can move their operations round the world and launch attacks," said Network Box internet security analyst, Simon Heron.
"Businesses need to be vigilant and ensure they are not opening up the back door to a hacker when they use new applications or technologies."
August 31, 2010
Microsoft's free security tool gets the thumbs up
Some good news for Windows users for a change; Microsoft's free-to-download Security Essentials tool has been certified by anti-virus research organisation AV-Test as part of an in-depth study of 19 security products.
Security Essentials was launched last year as a replacement for the scrapped Windows Live OneCare subscription service, and is a free download for consumers running Windows 7, Windows Vista and Windows XP SP2 or higher.
At the time, questions were raised about whether a free security product could really prove effective in protecting Windows computers, especially when compared against full-blown security suites from established vendors such as Symantec and McAfee.
However, Security Essentials seems to have fared well in AV-Test's study, especially in the usability category which examines how much a particular tool impacts on the performance of the computer it is running on.
This tallies with feedback from reviewers and testers, who have previously praised the tool for its unobtrusive operation. Some security suites can slow down a PC alarmingly.
In terms of protection, Security Essentials was still rated as less effective than Symantec's Norton Internet Security 2010 or AVG Internet Security 9.0, both of which are paid-for suites, but Microsoft has always maintained that the product is aimed at those users who would otherwise have no protection at all, rather than at taking market share from other security vendors.
August 19, 2010
Justin Bieber used as malware lure
Omnipresent cyberstar Justin Bieber is the fishing bait of choice for malware distributors, according to Panda Labs.
The security firm said that blackhat search engine optimisation attacks were being used to distribute malware, and added that it had found as many as 200 different web addresses that exploit the teen singer's name.
Panda found a number of references to Bieber on the links it studied, and these ranged from 'justin bieber takes estrogen pills', to 'justin bieber smoking weed', 'justin bieber pregnant', and 'justin bieber removes left testicle'.
Although this technique is not new - the last episode of meandering confusathon Lost prompted a similar blooming of sites, for example - it is still annoying. Panda said that the fake web sites appeared high in search rankings, and once clicked prompted the user to download a file which turns out to be fake anti-virus software.
"These types of activities have become increasingly common and any popular topic or issue is used by cyber-crooks to spread their creations," said Luis Corrons, technical director of Panda Labs.
"By positioning web sites used to distribute malware among the first results in search engines, they can be sure that numerous internet users will inadvertently download the fake antivirus."
August 18, 2010
Largest ever drive-by download discovered?
An infected widget from web hosting firm Network Solutions could have affected over five million separate domains, according to new research from web app security firm Armorize.
The security firm revealed last week that the 'Small Business Success Index' widget was infected, although the malware could have been operating in some form for months. The firm soon realised that the problem was much more widespread than at first thought.
"Yesterday I had some time to sit down and study this widget further, and discovered something critical - it's a part of the standard domain parking page of Network Solutions," explained co-founder Wayne Huang.
According to a Google search, the widget in question was available and serving malware on more than 500,000 domains, but according to Yahoo that number rose to over five million, he said.
"I didn't have time to click on every single one of them, but I clicked on enough to conclude that, all of them are indeed infected, via the same widget we blogged about a few days ago," wrote Huang.
"Also, neither Google nor Yahoo actually shows all results. Google shows the first 45 pages only, and Yahoo shows the first 100 only. So we couldn't really go through all the domains one by one...and 5 million is too large a number for manual verification anyways."
The drive-by malware in question, once installed, redirects the user's searches and monitors various search terms, automatically popping up advertising on the user's screen, for which the malware's operator collects a fee.
According to Armorize, Network Solutions took down the widget within three hours of being contacted. However it remains worrying how such a large scale drive-by download remained under the radar for so long.
August 17, 2010
Japanese hacker arrested for fishy malware
A Japanese hacker has been arrested on suspicion of creating malware which deletes a user's computer files and replaces them with manga-style images of octopuses and squid.
Up to 50,000 computers may have been infected by Masato Nakatsuji, 27, of Izumisano, Osaka Prefecture, the Asahi Shinbun reported today.
High-tech crime officers said Nakatsuji is suspected of writing the Ikatako (squid-octopus) virus, which was distributed on the Winny file-sharing network in May, disguised as a file of anime songs, according to the report.
He was arrested whilst serving a suspended sentence for a previous offence and reportedly told police: "I wanted to see how much my computer programming skills had improved since the last time I was arrested."
Police arrested Nakatsuji in 2008 for violating copyright laws by writing a virus which replaced user files with anime images.
August 5, 2010
European Commission rejected BlackBerrys
As the row over BlackBerry security continues to rumble on, there was more bad news for Research In Motion today with news emerging that the European Commission rejected use of the devices in favour of the iPhone and HTC handsets.
The European Union's executive body reviewed the use of smartphones by its staff, which number over 30,000, two years ago, according to a Reuters report today.
"Following this evaluation, the HTC and the iPhones emerged as the most suitable platforms for voice/mail-centric mobile devices," a Commission spokesman told Reuters in an email.
"As a result, the Commission currently supports these two platforms."
The news will be a blow to RIM as it struggles to fend off strong competition from Apple and phones running Google's Android operating system.
Apple pulled off a coup in May when UK bank Standard Chartered offered its worldwide workforce the chance to switch from BlackBerry to iPhone.
The decision by Saudi Arabia and the United Arab Emirates this week to ban key BlackBerry services has added to RIM's woes.
However, somewhat ironically, these "security concerns" appear more to be due to the fact that BlackBerrys are too secure, with both authorities expressing concerns that they can't monitor encrypted communications made over the devices.
For its part, the UK government remains convinced that BlackBerrys are the most secure smartphone around, saying in June that it would not sanction ministerial use of iPhones for official business due to security concerns.
"The only mobile telecoms or personal digital assistant devices that have been issued to ministers of the department are BlackBerrys," said health secretary Simon Burns.
"The department does not issue Apple iPhones to staff as these are not approved for government use by the Communications-Electronics Security Group [CESG]."
August 4, 2010
How hacking works and steps to combat it
V3.co.uk entered the world of hacking yesterday by participating in a 'Hack the Lab' session arranged by network security firm Stonesoft.
A fictitious web site was created especially for participants to hack into and the results were interesting and a little frightening.
Using tools such as Nmap (port scanner), Netcat (general-purpose network utility), Metasploit (exploitation framework) and John the Ripper (password cracker), all of which are freely available on the internet, we had a crack.
We successfully managed to hack into the fabricated web site and obtained not only the admin login details, but the credit card details of the owners and customers, in just under half an hour.
The final step was a Virtual Network Computing (VNC) server, which we installed on the fictitious admin machine to gain remote desktop access.
Alan Cottom, technical engineering specialist at Stonesoft, was on hand to explain the principles.
There are usually five steps that an attacker goes through when looking to carry out a hack:
1. Selecting the target: There are mainly two types of hackers. Those who focus on an individual or organisation for financial/political gain and those who are opportunistic, who scan ports looking to find vulnerable systems.
2. Gathering information: Once a target has been selected, the hacker embarks on the most important process which is the research phase. Attackers aim to gather as much information as possible, including business/domain/contact names, web site addresses, phone numbers and emails. These are all primary pieces of information that a hacker is eager to acquire. The more information an attacker has, the easier it is to gain access into a system.
Individuals must be careful about posting computer details on forums as hackers commonly browse these to pick up information about potential targets.
Hackers are always on the look out for mergers and acquisitions as these are seen as 'soft targets' because businesses usually want to link IT systems quickly and may sacrifice security, Cottom said.
3. Exploiting vulnerabilities: Hackers do not waste their time breaking into firewalls; they look for the weak spots of a system, for example a web server that has not been patched properly or a test machine that has been left connected.
4. Leaving a back door: Once access has been gained, a hacker always leaves a back door to regain entry, by planting a rootkit or a remote shell. Some may even modify access rules.
5. Covering tracks: The best attackers will look to disable auditing processes and delete event logs.
The first thing a good administrator will do if he/she suspects there has been an attack is check the logs, so hackers will want to cover their tracks by disabling these, Cottom said.
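Cottom's point cuts both ways: if attackers go after the logs first, the logs are also where the evidence of that tampering ends up. The script below is an added example (not code from Stonesoft or from the original article) that scans syslog-style lines for three tell-tale signs: the audit daemon being stopped, an unexpectedly long silence between entries, and timestamps that run backwards, which is what hand-edited or partially deleted logs tend to look like. The sample log lines, the message patterns and the 30-minute gap threshold are all constructed for the demo.

```python
"""Spot signs of log tampering in syslog-style text.

Added example with constructed sample data; not from the original article
or from Stonesoft. Checks for the audit daemon stopping, long silences
between entries, and timestamps that go backwards.
"""
import re
from datetime import datetime, timedelta

# Classic syslog layout: "Jul 29 09:00:01 host prog[pid]: message"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Messages that mean auditing or logging was switched off. These patterns
# are assumptions for the example; match them to your own daemons.
_AUDIT_STOP = (
    re.compile(r"audit daemon is exiting", re.I),
    re.compile(r"Stopped .*audit", re.I),
    re.compile(r"rsyslogd.*exiting on signal", re.I),
)

def parse_line(line, year):
    """Return (timestamp, host, program, message), or None if unparseable.
    Syslog omits the year, so the caller supplies it."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]

def audit_tampering(lines, year, max_gap=timedelta(minutes=30)):
    """Return a list of (kind, detail) findings in file order.

    kind is one of: 'audit_stopped', 'gap', 'out_of_order', 'unparseable'.
    A gap longer than max_gap on a host that normally logs every few
    minutes is worth a look; a backwards timestamp almost always is."""
    findings = []
    prev = None
    for raw in lines:
        parsed = parse_line(raw, year)
        if parsed is None:
            findings.append(("unparseable", raw))
            continue
        ts, host, prog, msg = parsed
        if any(p.search(msg) for p in _AUDIT_STOP):
            findings.append(("audit_stopped", f"{ts:%b %d %H:%M:%S} {host} {prog}: {msg}"))
        if prev is not None:
            if ts < prev:
                findings.append(("out_of_order", f"{prev:%H:%M:%S} -> {ts:%H:%M:%S}"))
            elif ts - prev > max_gap:
                findings.append(("gap", f"{prev:%H:%M:%S} -> {ts:%H:%M:%S} ({ts - prev})"))
        prev = ts
    return findings

# Constructed sample: a hosted web server that normally logs a cron job
# every hour, with an admin login, an audit stop, a silence and an entry
# whose time runs backwards.
SAMPLE_LOG = """\
Jul 29 09:00:01 web01 CRON[1123]: (root) CMD (run-parts /etc/cron.hourly)
Jul 29 09:15:42 web01 sshd[2001]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Jul 29 09:16:10 web01 auditd[812]: The audit daemon is exiting.
Jul 29 11:02:33 web01 sshd[2310]: Accepted publickey for deploy from 10.0.0.9 port 40100 ssh2
Jul 29 10:58:00 web01 CRON[2355]: (root) CMD (run-parts /etc/cron.hourly)
Jul 29 11:03:05 web01 sudo[2360]: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/ls
""".splitlines()

if __name__ == "__main__":
    for kind, detail in audit_tampering(SAMPLE_LOG, 2010):
        print(f"{kind:14s} {detail}")
```

On the sample this reports the audit daemon stopping at 09:16, a gap of nearly two hours after it, and an entry whose timestamp runs backwards. None of this helps if the attacker deletes the whole file, which is why the usual advice is to ship logs to a separate host the attacker has not compromised and run checks like this one there.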
There have been several high profile hacks recently, including the infiltration of Google's Gaia password system in January. That attack began when an employee clicked on a link sent by instant message and had their machine compromised, which was then used to gain access to the firm's internal systems.
However, Twitter experienced one of the most embarrassingly simple hacks last year when an attacker used a brute force password cracker to gain admin access. Passwords were changed, private information was viewed, and tweets were sent out from accounts such as Britney Spears's.
Twitter could have avoided this simply by locking an account after three failed password attempts.
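The lockout described above, as an added example that is not code from Twitter, Stonesoft or the original article. An account is locked after three consecutive failures, the lock lifts by itself after a cooling-off period, and a correct password is refused while the lock is in force so that brute-forcing cannot confirm a hit. The user store, the PBKDF2 password hashing and the 15-minute lockout are assumptions for the demo; the clock is injectable so the expiry can be shown without waiting.

```python
"""Lock an account after repeated failed logins.

Added example, not code from Twitter, Stonesoft or the article. The user
store, PBKDF2 parameters and the 15-minute lockout are assumptions.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3            # lock after three failed attempts, as suggested above
LOCKOUT_SECONDS = 15 * 60   # assumed cooling-off period before guessing can resume
_ROUNDS = 100_000           # assumed PBKDF2 work factor

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ROUNDS)

def make_user(password):
    """Return the (salt, hash) record stored for a user."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Hashed against when the name is unknown, so an unknown user and a wrong
# password take the same time and get the same answer.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)

class LoginGuard:
    def __init__(self, users, clock=time.monotonic):
        self._users = users          # name -> (salt, hash)
        self._clock = clock          # injectable for testing lock expiry
        self._failures = {}          # name -> consecutive failed attempts
        self._locked_until = {}      # name -> clock value when the lock lifts

    def is_locked(self, name):
        until = self._locked_until.get(name)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # Lock expired: forget it and the failure count behind it.
        del self._locked_until[name]
        self._failures.pop(name, None)
        return False

    def attempt(self, name, password):
        """Return 'ok', 'bad_credentials' or 'locked'.

        The lock is checked before the password, so a locked account never
        confirms a correct guess. A success clears the failure count; the
        third consecutive failure starts the lockout timer."""
        if self.is_locked(name):
            return "locked"
        salt, stored = self._users.get(name, _DUMMY)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and name in self._users:
            self._failures.pop(name, None)
            return "ok"
        count = self._failures.get(name, 0) + 1
        self._failures[name] = count
        if count >= MAX_FAILURES:
            self._locked_until[name] = self._clock() + LOCKOUT_SECONDS
        return "bad_credentials"

def demo():
    """Three wrong guesses lock 'alice'; the right password is refused until
    the lockout expires. A fake clock makes the wait instant."""
    clock = [0.0]
    guard = LoginGuard({"alice": make_user("correct horse")}, clock=lambda: clock[0])
    results = [guard.attempt("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(guard.attempt("alice", "correct horse"))  # right password, but locked
    clock[0] += LOCKOUT_SECONDS
    results.append(guard.attempt("alice", "correct horse"))  # lock has expired
    return results

if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner would add: a per-account lockout hands an attacker an easy denial of service against real users, since spraying three wrong guesses at every known account locks them all out. Keep the lock temporary, as here, and pair it with per-source rate limiting and alerting rather than relying on the lock alone.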
Essential Security Tips from Stonesoft
- Use alphanumeric passwords, but not ones that are so complicated that you need to write them down.
- Keep anti-virus software and patches up-to-date.
- Do not click on suspicious links in emails or instant messages.
- Turn office hardware off at night.
- Take a look at some intrusion prevention software.
V3.co.uk will post a video demo of Alan Cottom explaining the stages of hacking soon.
July 29, 2010
WPA2 and private browsing called into question
With the Black Hat conference taking place later this week it seems apt that there are some interesting security problems being announced that are worth keeping an eye on.
Firstly, it's been discovered that many "private" browsing sessions are in fact nothing of the sort, and that hackers could work out which sites were visited, despite claims to the contrary by the browser vendors.
A report on the New Scientist web site claims that researcher Collin Jackson from Carnegie Mellon University in Pittsburgh found ways that hackers could detect which sites were visited even with the private mode enabled.
A hacker could, "guess what sites you've been to based on traces left behind", Jackson is reported as saying.
Secondly, a wireless security researcher from AirTight Networks claims to have discovered a vulnerability in the WPA2 security protocol for Wi-Fi protection that compromises user security, which has been termed Hole 196.
Md Sohail Ahmad explained that the Hole 196 loophole allows a malicious user who is already authorised on the network to get around the per-client encryption and authentication that is supposed to keep users apart, letting them sniff and decrypt data from other users, scan Wi-Fi devices and install malware. The weakness lies in the group temporal key (GTK) that every client shares for broadcast traffic: because all clients hold it, an insider can forge broadcast frames that appear to come from the access point and redirect other users' traffic through their own machine. It does not break AES or recover the per-client pairwise keys.
Although AirTight acknowledged that to exploit this vulnerability a hacker would have to be on the same network, corporate thieving and espionage is a key concern to many large corporations, making the threat very real.
The vulnerability has been given the name Hole 196 as it relates to a line on page 196 of the IEEE 802.11 Revised Standard published in 2007 from which the exploit is made possible.
Ahmad will be demonstrating the vulnerability at the Black Hat Arsenal (and again at DEFCON18) in a presentation wonderfully titled "WPA Too?!" on 29 July.
July 26, 2010
Google increases payment to bug hunters
Google has increased the maximum payment for those who find a bug in its Chromium web browser to $3,133.7.
The Chromium Security Reward scheme was launched in January and Google claims that the program has been a success.
"We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security," Google said in a blog post this week.
"Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution."
The maximum reward for a single bug has been increased substantially from $1,337 to $3,133.7. But this will only be paid to those who find critical bugs in Chromium, the company said.
The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity, Google added.
Google follows in the tracks of Mozilla, which upped its bounty payment to $3,000 last week.
Even though Google has more than doubled the top reward, not all users are happy, however.
"I highly doubt a $3,133.7 payoff is justifiable. If you figure an individual (or team) put in a combined effort of 160 hours, you're getting paid roughly $19 per hour," noted one commenter on the Google blog.
"I personally wouldn't waste my resources on someone who can not be justified being paid more than $19/hr. Neither would I waste my time providing any information to anyone who values their operating budget for security at $19/hour per incident."
Looks like someone woke up on the wrong side of bed.....or maybe he was just upset that the reward is no longer code for elite.
July 21, 2010
Mozilla blocks password thieving add-on
Mozilla has disabled a malicious password stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.
The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.
Mozilla discovered the malicious code on 12 July and added the add-on to its blocklist, which prompts Firefox to uninstall it.
"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.
Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users who installed it should have seen a warning indicating that it was not reviewed, Mozilla said.
A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.
The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.
So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.
July 15, 2010