Security Fix
Thu, 27 Nov 08
Srizbi Botnet Re-Emerges Despite Security Firm's Efforts
http://voices.washingtonpost.com/securityfix/2008/11/srizbi_botnet_re-emerges_despi.html?nav=rss_blog
In the fallout resulting from knocking McColo Corp. offline, this past week may prove to be a missed opportunity in the prevention of a dramatic reappearance of junk e-mail, as a botnet that once controlled 40 percent of the world's spam apparently has found a new home. The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world's spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, they had to abandon their efforts. "This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process

Wed, 26 Nov 08
Spam Volumes Expected to Rise with Botnet Resurrection
http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_expected_to_rise.html?nav=rss_blog
Spam volumes could rise considerably over the next few days now that one of the world's largest networks of compromised computers used for blasting out junk e-mail was brought back to life tonight. The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community. On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers. Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web

Wed, 26 Nov 08
Two Weeks Out, Spam Volumes Still Way Down
http://voices.washingtonpost.com/securityfix/2008/11/64_69_65_73_70_61_6d_64_69_65.html?nav=rss_blog
A full two weeks after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline, the volume of spam sent globally each day has yet to bounce back. The block graph over at e-mail security firm IronPort suggests that the company blocked around 35 billion spam messages on Monday. Prior to hosting provider McColo's shutdown, IronPort was flagging somewhere around 160 billion junk e-mails per day. A quick glance at the volume flagged by Spamcop.net shows that they're still detecting well below half of the spam volumes they were just two weeks ago. I'm not suggesting this is a permanent situation: I happen to agree with most experts who have said they expect spam volumes to at some point bounce back or even exceed previous levels. Still, it is nice to see this drop in junk e-mail

Tue, 25 Nov 08
Pharmacy Extortionists Take on CIA, DoD, FBI, NSA
http://voices.washingtonpost.com/securityfix/2008/11/pharmacy_extortionists_take_on.html?nav=rss_blog
Extortionists targeting clients of Express Scripts -- one of the nation's largest pharmacy benefits management firms -- may have inadvertently picked a fight for which they were ill-prepared. Security Fix has learned that among the company's biggest customers is the federal government, and specifically almost every federal law enforcement, military and intelligence agency in the country. Last month, St. Louis-based Express Scripts said extortionists are threatening to disclose personal and medical information about millions of Americans if the company fails to meet payment demands. Express Scripts is the third-largest U.S. pharmacy benefit management firm, which processes and pays prescription drug claims. Working with more than 1,600 companies, it handles roughly 500 million prescriptions a year for about 50 million Americans. The company has refused to pay the demand, and since then the extortionists have moved on to targeting clients of its member companies directly. The Fairfax County Public Schools system

Tue, 25 Nov 08
Felony Spyware/Porn Charges Against Teacher Dropped
http://voices.washingtonpost.com/securityfix/2008/11/ct_drops_felony_spywareporn_ch.html?nav=rss_blog
A substitute teacher in Connecticut who faced 40 years in prison for allegedly surfing porn Web sites in the presence of seventh graders has been cleared of the charges after state prosecutors dropped the case. The remarkable story of Julie Amero touched a nerve with our readers the last time I wrote about it. Prosecutors had charged Amero with four felony counts of endangering a child, but security experts rose up to her defense. They argued that spyware and adware, which had infected her PC, was responsible for serving the porn sites on her machine. According to a story Friday in the Hartford Courant, Amero agreed to plead guilty to a single charge of disorderly conduct, which is considered a misdemeanor and came with a $100 fine. "Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license," the Courant's Rick Green writes. Alex Eckelberry, president

Sat, 22 Nov 08
Spamhaus: Microsoft Now 5th Most Spam Friendly ISP
http://voices.washingtonpost.com/securityfix/2008/11/spamhaus_microsoft_now_5th_mos.html?nav=rss_blog
Microsoft is rising quickly on a running list of the Top 10 Worst Spam Service ISPs as maintained by spamhaus.org, a group that tracks unsolicited commercial e-mail. The software giant debuted on the list earlier this month at number 9 (one being the worst), and has slid over the past few days down to number 5. Spamhaus says spammers and scam artists are abusing Microsoft's live.com and livefilestore.com properties to redirect visitors to sites that peddle fake pharmacy products, porn and Nigerian 419 scams. Spamhaus explains how entities wind up on its Top 10 list: Although all networks claim to be anti-spam, some network executives factor revenue made from hosting known spam gangs into corporate policy decisions to continue to sell services to spam operations. Others simply decide that closing the holes in their end-user broadband systems that allow spammers access would be too costly to their bottom lines. Richard

Fri, 21 Nov 08
Peculiar Patch Pits iPhone Security vs. Safari
http://voices.washingtonpost.com/securityfix/2008/11/peculiar_patch_pits_iphone_sec.html?nav=rss_blog
Earlier this year, Security Fix criticized Apple for making iPhone users wait for security updates that Apple had fixed in its other products four months earlier. Now, it appears that iPhone users may have received a patch for a critical security hole four months before Apple fixed the flaw in its other products. Taking a look at the vulnerability summary from the update Apple released last week to fix critical vulnerabilities in Mac and Windows versions of its Safari browser, we can see that Apple corrected a serious flaw in WebKit, the rendering engine used by Safari on Mac OS X, Windows and the iPhone:

WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices

Fri, 21 Nov 08
Web Fraud 2.0: Faking Your Internet Address
http://voices.washingtonpost.com/securityfix/2008/11/web_fraud_20_faking_your_inter.html?nav=rss_blog
One of the casualties from the unplugging of McColo Corp. is fraudcrew.com, a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew, which has not been charged with any crime, offered subscribers a point-and-click way to mask the source of their Internet connections, so that Web sites could not tell the true location of visitors using the service. The site was advertised heavily on Russian online forums catering to computer hacking and identity theft. There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's

Wed, 19 Nov 08
So Much Spam From One Place?
http://voices.washingtonpost.com/securityfix/2008/11/so_much_spam_from_one_place.html?nav=rss_blog
Washingtonpost.com today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?" Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys: Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature. As the

Wed, 19 Nov 08
'Network Identity Theft' Politely Avenged
http://voices.washingtonpost.com/securityfix/2008/11/network_identity_theft_avenged.html?nav=rss_blog
A massive swath of some 65,536 unique Internet addresses that appear to have been swiped from early Internet pioneers by a convicted spammer has been reclaimed by Internet regulators, Security Fix has learned. In April, Security Fix reported that a huge block of Internet addresses once assigned to San Francisco Bay Packet Radio -- an organization that was involved way back in the 1970s in testing the predecessor to the global commercial Internet that we all use today -- was being used to send e-mail for a company called MediaBreakaway. That company's chief executive is Scott Richter -- a self-avowed "spam king" who has been sued by a number of the Internet's biggest players -- including Microsoft and Myspace -- for sending spam. When I was first presented with this information, I put the relevant questions to the American Registry for Internet Numbers (ARIN) -- one of five regional Internet

Mon, 17 Nov 08
Critical Security Updates for Firefox, Safari
http://voices.washingtonpost.com/securityfix/2008/11/critical_security_updates_for.html?nav=rss_blog
Apple and Mozilla have each issued updates to fix a large number of critical security flaws in their respective Safari and Firefox Web browsers. The Apple update, which brings Safari to version 3.2, is reportedly causing many users to experience frequent browser crashes. According to an article Friday at MacFixIt, some of the problems seem related to several Safari plug-ins, including "Concierge" bookmarks manager, "PithHelmet" ad-blocking software, and "AcidSearch" search enhancement software. Other problems with this update may be related to a new anti-phishing feature built into Safari 3.2 (Firefox and Microsoft's Internet Explorer have had this feature for more than two years now). MacFixIt and other forums suggest those having trouble with the Safari update should disable the phishing filter and see if that helps. If not, check to see if removing any installed add-ons fixes the problem. While the Safari update fixes more flaws in the version built

Fri, 14 Nov 08
A Closer Look at McColo
http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html?nav=rss_blog
Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity. In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed (click on the image to enlarge it). For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post. The upper right-hand section of the

Fri, 14 Nov 08
Spam Volumes Drop by Two-Thirds After Firm Goes Offline
http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html?nav=rss_blog
The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline. (Note: A link to the full story on McColo's demise is available here.) Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day. In an alert sent out Wednesday morning, e-mail security firm IronPort said: In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post

Wed, 12 Nov 08
Major Source of Online Scams and Spams Knocked Offline
http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html?nav=rss_blog
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network. For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today. On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry. On Tuesday afternoon, I heard back from Global Crossing, one of McColo's major Internet providers. Their spokesman declined to discuss the matter, except to say that Global

Wed, 12 Nov 08
Pharmacy Processor Offers $1M Reward to ID Extortionists
http://voices.washingtonpost.com/securityfix/2008/11/pharmacy_processor_offers_1m_r.html?nav=rss_blog
Express Scripts, the nation's third largest pharmacy benefits management company, is offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company. The St. Louis-based firm said last week that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on employees from 75 of its customers. The authors also threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said. Express Scripts handles roughly 500 million prescriptions a year for about 50 million Americans. Since the company has said it has no intention of paying the ransom, the attackers appear to be trying new tactics. Express Scripts said the extortionists have now moved on to directly contacting companies that use its services, by sending letters to the

Wed, 12 Nov 08
Microsoft Patches Four Windows Security Holes
http://voices.washingtonpost.com/securityfix/2008/11/microsoft_patches_four_windows.html?nav=rss_blog
Microsoft today released a pair of security updates to plug at least four security holes in its Windows operating systems and other software. The software patches are available through Windows Update or via Automatic Updates. One of the patches earned Microsoft's most dire "critical" rating, while the other carries the less severe "important" label. Microsoft assigns a critical rating to vulnerabilities that hackers can exploit to break into vulnerable systems without any help from the victim. Important updates address flaws that usually require the victim to help the exploit along in some key way. The critical update involves at least three flaws in a key component of Windows called Microsoft XML Core Services. This vulnerability is present in every supported version of Windows, as well as certain versions of Office. The second patch addresses an important flaw in the Microsoft Server Message Block (SMB), a component of Windows used to

Wed, 12 Nov 08
VISA to Enforce Payment Card Security in Europe
http://voices.washingtonpost.com/securityfix/2008/11/visa_inc_on_monday_dramaticall.html?nav=rss_blog
Update, 1:20 p.m.: A major correction is in order for this story: A spokesman for Visa just contacted me to say that the new deadlines actually apply to all non-U.S. retailers except those in Europe. The spokesman said Visa Europe is its own association and is subject to a different set of timetables. I will update this story with exactly what the European timetables are when I hear back from Visa Europe. Original post: Visa Inc. on Monday dramatically expanded its credit and debit card security requirements to retailers in Europe, an unexpected move that could be a financial boon to security auditing companies, but a huge cost for European merchants already feeling the pinch from the global financial crisis. The new payment card industry (PCI) mandates (PDF) that certain on- and offline European retailers stop storing the data read when the customer's credit or debit card is swiped through

Sat, 8 Nov 08
Extortionists Target Major Pharmacy Processor
http://voices.washingtonpost.com/securityfix/2008/11/extortionists_target_major_pha.html?nav=rss_blog
One of the nation's largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands. St. Louis-based Express Scripts said that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement. The company's chief executive George Paz said Express Scripts has no intentions of paying the extortion demand and said his company is working with the FBI to track down the person or persons responsible for the scam. Express Scripts is among the largest pharmacy benefit management firms, companies that process and pay prescription drug claims. It handles roughly 500 million prescriptions a

Fri, 7 Nov 08
Researchers Hijack Storm Worm to Track Profits
http://voices.washingtonpost.com/securityfix/2008/11/study_spam_still_profitable_at.html?nav=rss_blog
A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam. Over a period of about a month in the spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam. The teams at Berkeley and UCSD conducted the experiment by impersonating a key component of the Storm worm network used to hand off instructions from the worm's master control servers to the "worker bots" -- the tens of thousands of infected end-user systems that do all the spamming. This allowed them to redirect a subset of the spam to virtual

Thu, 6 Nov 08
Malware Piggybacks on Obama Win
http://voices.washingtonpost.com/securityfix/2008/11/malware_piggybacks_on_obama_wi.html?nav=rss_blog
Cyber criminals are blasting out massive amounts of spam touting a video of President-elect Barack Obama's victory speech. Recipients who click the included link are taken to a site that prompts visitors to install an Adobe Flash Player update. The bogus update, however, is actually a data-stealing Trojan horse. The messages, with such subject lines as "election results winner," "the new president's cabinet?" and "fear of a black president," direct recipients to a site featuring a picture of Obama beneath an official U.S. government seal and the domain name america.gov (the real domain names used to host these fraudulent sites appear to differ from message to message). Beside Obama's visage is an embedded video player that reads "loading player." A few seconds after the site loads, the visitor is prompted to download the malware, disguised as "adobe_flash9.exe". Anti-virus firm Sophos says this piece of malicious software represents as much

Thu, 6 Nov 08
Adobe Issues Critical Acrobat, Reader Updates
http://voices.washingtonpost.com/securityfix/2008/11/adobe_issues_critical_acrobat.html?nav=rss_blog
Adobe has issued a software update to fix at least eight security flaws in its Acrobat and Adobe Reader applications that, if left unpatched, could be used by attackers to take control of vulnerable systems, the company said. The vulnerabilities affect Acrobat and Reader versions 8.1.2 and earlier. Adobe characterizes this as a "critical" update -- its most serious rating -- meaning the flaws could let an attacker run and install malicious software on a victim's computer without the victim's knowledge. Updates are available for Reader versions on Microsoft Windows, Linux/Solaris and Mac OS X. The software maker says users with Adobe Reader 8.0 through 8.1.2 who can't update to Adobe Reader 9 should update to Adobe Reader 8.1.3, and that the latest full versions of both products, Adobe Reader 9 and Acrobat 9, are not vulnerable to these issues. Links to updates for different versions of Acrobat are available

Wed, 5 Nov 08
Election Hoax Sent Via D.C. Based E-Campaign Group
http://voices.washingtonpost.com/securityfix/2008/11/election_hoax_e-mail_sent_via.html?nav=rss_blog
An e-mail hoax telling 35,000 George Mason University students, faculty and staff that the election had been moved to Nov. 5 was sent through servers run by a D.C.-based company that seeks to help political campaigns promote their messages online. The fake e-mail, sent just after 1 a.m. this morning to a campus listserv, was crafted to appear as though it was sent from GMU's provost. In a follow-up e-mail sent this morning by the real GMU provost, the university said the hoax was perpetrated by someone who had apparently "hacked into" the school's e-mail system. But information sent to washingtonpost.com by a GMU student indicates that the hoax succeeded because of a lack of proper filtering on the university's e-mail servers. In addition, it appears that the message was routed through e-mail servers at a local political advocacy group. According to the information contained in the e-mail header

Wed, 5 Nov 08
GMU E-Mail Hoax: Election Day Moved to Nov. 5
http://voices.washingtonpost.com/securityfix/2008/11/gmu_e-mail_hoax_election_day_m.html?nav=rss_blog
Unknown hackers broke into George Mason University's e-mail system and sent students a forged message from the school's provost early this morning stating that Election Day had been moved to Nov. 5. The message, dated 1:16 a.m., Nov. 4, with the subject line "Election Day Update", read:

To the Mason Community:
Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.
Peter N. Stearns
Provost

Seven hours later, students, faculty and staff received another message, this time from the real GMU provost, who blamed the e-mail hoax on a compromise of the school's e-mail system. GMU spokesman Daniel Walsch said the university has been fielding calls all morning from students and parents upset or confused about the fraudulent missives. "This is upsetting and embarrassing and has caused a lot of confusion and concern among people," Walsch said. Walsch said

Wed, 5 Nov 08
Taming Vista's User Account Control Pop-Ups
http://voices.washingtonpost.com/securityfix/2008/11/taming_vistas_user_account_con.html?nav=rss_blog
Microsoft Vista users fed up with the incessant security prompts from the operating system's "User Account Control" feature can now spend less time clicking on the pop-ups. Symantec Corp. has released a free tool that adds a simple "don't ask me again" option to each prompt. The UAC feature, which throws up a "Windows needs your permission to continue" prompt each time Vista users install a program or make minor changes to system settings within Windows, was designed to keep users safer by warning them about downloads or malicious software trying to make changes that the user did not request. It was also an effort by Microsoft to force software developers to write programs that don't need all-powerful administrator access to function properly. But some Vista users find the prompts so annoying that they turn the UAC feature off entirely. Part of the trouble is that there is no easy

Tue, 4 Nov 08
Microsoft Security Report: A Mixed Bag
http://voices.washingtonpost.com/securityfix/2008/11/microsoft_security_report_a_mi.html?nav=rss_blog
Microsoft's successes in producing more secure software are being offset in part by organized cyber criminals, who continue to make inroads into customer PCs largely through faulty third-party software and old-fashioned trickery, the software giant said in a report released today. The analysis comes in Microsoft's latest "Security Intelligence Report," which examined the prevalence of malicious software threats removed from Windows machines by the company's various free and subscription security offerings in the first half of this year. Malware that promotes rogue security and anti-virus programs continues to be the largest single security problem plaguing Microsoft Windows users, the company said. Redmond found that Trojan horse programs -- specifically, those that attempt so-called drive-by downloads -- were responsible for the biggest share of malicious software Microsoft removed from systems this year (about 30 percent). The overwhelming majority of that malware highlights non-existent threats on the victim's PC in an effort

Sat, 1 Nov 08
Virtual Heist Nets 500,000+ Bank, Credit Accounts
http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html?nav=rss_blog
A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered. Researchers at RSA's FraudAction Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs. RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks. The company says the cache was the bounty collected from computers infected with Sinowal going back to February 2006. "Almost three years is a very,

© amigura.co.uk All Rights Reserved.