More Mac scareware is continuing to pop up which seems almost daily, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible.

Scareware, or fake anti-virus, is fake security software which pretends to find dangerous security threats – such as viruses – on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported “threats”, you need to pay.

Once you’ve paid, the scareware stops lying to you about the non-existent threats, as though it really did clean them up. This means that many victims of this sort of fraud don’t even realise they’ve been duped. Until next time.

These latest OS X scareware variants come from the MacDefender group, though they identify themselves during startup as Mac Shield:

Mac Shield loading screen.

Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up:

Mac Shield Virus Scan

But the cleanup isn’t free – you’re required to register:

Mac Shield registration screen.

Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support – which would be a good deal, were it not for the fact that the software is completely fraudulent, that the “lifetime” of the software ends tomorrow when the crooks move on to the next bogus brand name, and that there’s nothing to support, since there was no malware in the first place.

You even get a 30-day money back guarantee. Good luck claiming it.

Here are some top anti-scareware tips for Apple users:

* If you use Safari, turn OFF the open “safe” files after downloadingoption. This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.

* Don’t rely on Apple’s built-in XProtect malware detector. It’s better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn’t enough any more.

* Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look – any anti-virus sold via the App Store is required by Apple’s rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

* Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don’t do this – an anti-virus evaluation should let you try out detection and disinfection before you buy.

If you would like to try a great free version of a REAL anti-virus software package for free, Sophos has a great free product you can try out here.

Spammers are now using Facebook Events to trick users into completing online surveys, taking part in online contests and perform other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services.

According to multiple security firms, spammers using Facebook Events to promote their links have been highly successful in their efforts to dupe unsuspecting users thus far. According to a report from TrendMicro,”tens of thousands” of users had mistakenly registered for one spammer’s event. Meanwhile, Sophos found an example where over 10 million Facebook users had been targeted, and over 165,000 had accepted.

TrendMicro’s fraud analyst Paul Pajares says that spammers have turned to Facebook Events instead of posting their links to users’ walls where they can “easily get lost in the News Feed.” These bogus events often have tantalizing, link-bait titles like “How to Find Out Who’s Viewing Your Profile” or “Who Blocked You From His Friend List?”

Example of fake event.

For the record, Facebook doesn’t allow you to track profile views or blocks, either through its own user interface and feature set or via third-party Facebook applications. Facebook even explains in its own online Help documentation that “blocking someone is completely confidential,” and that no one will ever be notified that they’ve been blocked. It also does not permit third-party applications to track this information, either.

In addition, any application that claims it can show you who’s been viewing your profile should be reported, Facebook says in a separate FAQ (frequently asked question) available here.

However, the Event spam is new enough that Facebook has not yet updated its Help documentation to refer to both applications and events. The pages only mentions apps.

That said, any links promoting such activities should be avoided at all costs, no matter the source.

How these scams work:

Once on an Event’s page, users visiting the “More Info” section  are provided with instructions on how to find out the answer to the question the event promotes (e.g. who blocked you, who’s viewing your profile, etc.) The final step, of course, is clicking the spammer’s link.

This link is obfuscated using a URL-shortener like bit.ly, which takes a longer link and compresses it into a shorter one that redirects to the site in question. Bit.ly and other services like it grew in popularity thanks to Twitter, which limits the number of characters in its status update field to 140 characters. For Twitter users sharing news and other links with each other, these services are invaluable. However, for spammers, the shorteners can hide what would otherwise be questionable domain names and URLs from potential scam victims.

As a best practice, you should avoid any event invitations of a similar nature, even if you see a friend promoting them on their own Facebook Wall. The tricky, bogus events being used by these cyber criminals also automatically reshare the Event’s link to victims’ own Facebook pages. If you see something like this, you may want to inform your friend that they were a victim of a spammer.

Microsoft has launched another salvo in its campaign to hammer the final nail into the coffin of an outdated, insecure product: Internet Explorer 6.

The problem with Internet Explorer 6 is that Microsoft no longer supports it, and the creaky old web browser simply doesn’t provide anything approaching a sufficient level of defence as severely critical vulnerabilities have been left unpatched.

A new website,  www.ie6countdown.com, attempts to convince users of the reasons why they should upgrade to a more secure version of the web-browsing software, and provides information for organisations on how they can best migrate.

What I found particularly interesting, however, was a graphic of the world showing the percentage of browser marketshare Internet Explorer 6 has in each country.

India, Saudi Arabia, Taiwan and Vietnam are all doing a poor job of choosing a hardened web browser, with IE6 responsible for ten percent or more of the browser usage in those countries.

But the worst country by miles is China, where – according to Microsoft – Internet Explorer 6 accounts for over a third of the browser usage. Hmm, I wonder how much of that is related to pirated copies of the software that users have chosen not to replace with legitimate later versions?

Anyway, this is a good campaign by Microsoft – and although it is clearly designed to switch people to Internet Explorer 9, anything which encourages computer users to throw its ageing predecessor IE6 in the garbage bin has to be applauded.

It’s not often that we encourage you to stop using one of our products, but for #IE6, we’ll make an exception: http://bit.ly/g0wt4m

March 4, 2011 2:24 pm via webReplyRetweetFavorite

@Microsoft

Microsoft

Lets make Microsoft’s day – help them kill off Internet Explorer 6.

For years, ads pimping malware disguised as legitimate antivirus programs have gone to great lengths to mimic the look and feel of Microsoft’s Internet Explorer browser and Windows operating system. Now Mozilla Firefox, Google Chrome, and Apple Safari are getting the same treatment.

A security researcher from Zscaler has recently uncovered a campaign that’s tailored to the browser that the intended victim is using. Those with IE will see the same tired graphic depicting a Windows 7 security alert, but look what happens when the visitor is using Firefox.

Fake Warning in Firefox

Not only does the image contain internal Firefox elements in the source code, it also spoofs the security warning the browser shows when users attempt to navigate to an address known to be malicious, said Julien Sobrier, a senior security researcher at Zscaler.

When the intended mark visits the page with Chrome, the ruse looks altogether different. The first screen shows a warning window bearing the browser’s distinctive logo and the words “Chrome Security has found critical process activity on your system and will perform fast scan of system files.”

Fake Google Chrome warning

The user then sees what purports to be a Chrome window showing a virus scan.

Fake scan in Google Chrome

Not to be left out, Safari is also spoofed, although with significantly less effort. The initial warning looks like this:

Fake Safari warning

But the scan page defaults to the look and feel of IE.

The ads are an attempt to trick visitors into believing they have infections that can be cured by the software being offered in the ad. By customizing the screens to the browser, it stands to reason, malware mongers stand a better chance of succeeding.

“I’ve seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox,” Sobrier said. “I’ve never seen targeted fake AV pages for so many different browsers.”

Some of the sites that redirect to the scam include columbia.faircitynews.com, www.troop391.org, jmvcorp.com. When successful, the redirected page pushes the file InstallInternetDefender_xxx.exe, where “xxx” is a number that changes frequently. At time of writing, it was detected as malicious by just 9.5 percent of the major (legitimate) AV packages, according to a VirusTotal scan.

No doubt, many readers are savvy enough to spot scams like this, but what about poor Aunt Mildred, who has being told by a well-meaning relative to never, ever use the heavily targeted IE? Makes you realize why fake AV can be such a huge revenue generator.

Sobrier, who blogged about his findings here, first spotted the customized ads on Monday.

USB Flash Drive

Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled-out an “important, non-security update” through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It’s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

It may sound like a neat idea, but a lot of malware (The Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”

XP vs. 7 using Autorun.

Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user’s permission.

Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony’s disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that can we make.

Many people have been pleased to hear that Facebook is now allowing users to choose full SSL/HTTPS encryption throughout their session to prevent their accounts from being compromised through unencrypted WiFi using tools like Firesheep.

After the announcement though, lots of people are confused and requested we provide better instructions on how to choose this more secure option. I was able to find a brief (only 1.5 minutes!) YouTube video on how to enable this feature.

As of the time of this article (January 28, 2011) only a fraction of all Facebook accounts have been enabled to use this option. I expect it to be available to all Facebook users in a short amount of time.

The myth that HTTPS sessions consume a large quantity of resource needs to be quashed. While encryption may seem to be a heavy duty task, modern algorithms are designed to create the maximum security for a minimum impact.

If you are a web master or IT administrator who is responsible for providing services to your customers, please look into securing your pages and following Facebook’s lead. If they can provide an extra layer of protection for more than 500 million users, surely you can provide the same protections to your users.

For Facebook users, in addition to selecting the new HTTPS option, take a look at this guide on how to secure your profile. I hope this can help some of the people out there, as of lately, there have been a lot of bad things going around on Facebook.

Facebook has added APIs for developers to access the home address and mobile numbers of users, so FarmVille can see where, as well as who, you are. Permission to access such data must be given through the usual notification system, but with the vast majority of users simply agreeing with everything they’re asked, the new facility is attracting privacy concerns beyond those incurred by sharing one’s details with the developers of Bejeweled Blitz or similar.

Users almost always click “Allow” when faced with such decisions, as demonstrated by Microsoft’s Active X technology more than a decade ago and proven by the thriving malware ecosystem sustained by inattentive Facebook users today.

The alternative is pointed out by Sophos security, which suggests a more totalitarian approach: “Wouldn’t it better if only app developers who had been approved by Facebook were allowed to gather this information?” There are no Trojans on iOS or in the Mac App Store, so perhaps pre-approval is the way forward, restrictive as it is.

Sophos has said that the new APIs, applied on Friday, might be fodder for rogue application developers. Survey scams that form one of the mainstays of security threats on Facebook often attempt to hoodwink punters into supplying their mobile number and signing up to premium rate text messaging service of questionable utility.

The process of extracting mobile phone numbers of potential marks, which used to be a matter of social engineering trickery, might now be done much more easily. Users would still need to give permission for third-party Facebook applications to access this personal contact data but this has become a matter of fooling someone into clicking a dialogue box rather than the trickier process of hoodwinking them into typing in their mobile phone number.

Facebook recently beefed up its account recovery options to include messages sent to a designated mobile phone number as part of its account recovery procedure. This, and other factors, mean that the mobile phone number of many users will be held by the dominant social network.

Mobile phone numbers might even be held by the social network without users submitting them, in cases where their friends have recorded relevant phone numbers in their address book and make use of Facebook’s iPhone application. More details on this privacy exposure can be found in an article here.

Sophos is urging users to remove their addresses and phone numbers from Facebook, as a precaution. A guide on reviewing Facebook privacy settings, developed by Sophos, can be found here.

Facebook’s privacy dashboard can be found here.

The new APIs, launched at the weekend, also provide notification for developers if a user “unlikes” something: so next time you take a thumbs-up off a page, expect a phone call asking why, and perhaps a knock on the door from someone seeking a more detailed explanation.

UPDATE: Douglas Purdy, director of developer relations, just posted on the Facebook developer blog to explain that Facebook agrees with its critics that the feature could be better implemented and the company will be pulling it until changes are made.

“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks.”

It will be interesting to see what they decide to change when and if they re-release this new “feature” to the masses.

Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year’s Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. That hasn’t stopped Microsoft from sharply disagreeing, however, with the company arguing that Zalewski has now put thousands of IE users at risk.

According to Zalewski’s published timeline of events, he first told Microsoft about the vulnerability in July of last year and provided the company with copies of cross_fuzz for independent verification. Zalewski informed the company that he planned to release the tool in January, and Microsoft acknowledged the report at that time—confirmed on Tuesday by Microsoft spokesperson Jerry Bryant.

Microsoft said it was unable to reproduce any problems using the cross_fuzz tool upon being informed of the issue in July, despite Zalewski’s insistence that he saw “multiple crashes and GDI corruption issues” in IE. The company claims it was only notified on December 21 of a new version of cross_fuzz that could cause a potentially exploitable crash.

Microsoft immediately issued Security Advisory (2488013), confirming that the vulnerability impacted all supported versions of IE. Microsoft explained that the vulnerability exists due to the creation of uninitialized memory during a CSS function within the browser, making it possible for the memory to be leveraged by an attacker with a specially crafted webpage.

“We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable,” Bryant told sources.

This is when the stories diverge, however. Zalewski says he heard virtually nothing from Microsoft until mid-December, at which point others were able to reproduce the problem, including by means of the original cross_fuzz version used last July. According to Zalewski, Microsoft was suddenly concerned about the potential PR fallout and claimed the IE problems only surfaced after he had updated his code. Zalewski said he confirmed that the problem was unchanged by running both the new and old versions of the fuzzer and told Microsoft again that he planned to release the tool in January.

“Response from [Microsoft Security Research Center] confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case,” Zalewski wrote on December 29. As promised, he released the fuzzer on January 1.

Now, Microsoft is accusing Zalewski of increasing the risk to IE users—the company says attackers may find a way to exploit the flaw before a patch can be tested and distributed. Zalewski insists that Microsoft knew about the flaw and his plan to release in January for more than six months, however, and did nothing until it was almost too late.

Whichever way this he-said, she-said fight ends up, Microsoft says it’s actively monitoring the situation and plans to issue a patch soon.

Intel on Monday said that it was building a hardware security layer in its next-generation Core chips to prevent streaming movies from being copied. The chip feature, called Insider, includes an end-to-end protection layer and management feature to unlock high-definition movies from online streaming services, said Karen Regis, consumer Consumer Client Marketing Manager at Intel.

Insider is a part of Intel’s enhanced graphics offerings in its next-generation Core processors, which will be officially released on Jan. 5, ahead of the Consumer Electronics Show in Las Vegas.

With Insider, users will get access to more 1080p high-definition streaming content, which is not yet mainstream on the Internet, Regis said. Movies with the 1080p high-definition — in which images are shown in a 1920 by 1080 pixel resolution — can also be found on Blu-ray discs. Studios are also worried about pirating, which discourages them from making premium 1080p content available via streaming, Regis said. Insider provides a security blanket that could encourage more studios to make high-definition movies available, Regis said.

Intel has partnered with Warner Bros. Digital Distribution, which will make 300 high-definition titles available from its WB Shop or Best Buy’s CinemaNow service. The movies can be played only on systems with the next-generation Core processors, Regis said.

The feature in time will trickle down to Intel’s other consumer chip offerings, Regis said. Intel is also partnering with more studios and announcements will be made in the upcoming months.

Beyond Insider, the company is also building many new graphics technologies into the Core chips to speed up creation and rendering of video. Intel for the first time is building a graphics processor and CPU inside the same chip, which will improve application and graphics performance while consuming less power. The Core chips are based on a new microarchitecture code-named Sandy Bridge.

Intel is adding specialized hardware accelerators to quickly encode and decode video. The feature, called Quick Sync, allows users to transfer high-definition video into a format suitable for smartphones in a matter of seconds. The hardware accelerators are faster than software, which could take minutes to transfer video.

Intel is also upgrading its Wi-Di technology, which enables users to wirelessly transmit images and video from a PC to a high-definition TV. Users will now be able to stream 1080p content, an improvement from the previous 720p resolution. Users will also be able to stream protected movies from the Intel Insider feature, Regis said.

But the Core processors won’t support DirectX 11, which makes graphics more realistic on PCs running Microsoft’s Windows 7 OS. Intel is a step behind Advanced Micro Devices, whose upcoming Fusion chips include graphics processors that support DirectX 11.

“We have tested applications — we don’t see a huge number of applications that use features in DirectX 11 today. We will have that capability built into our processor graphics before it’s in the mainstream,” Regis said.

In the consumer segment, DirectX 11 is more relevant to high-end gaming, where discrete graphics cards are heavily used, Regis said. Intel will initially ship quad-core Core chips in January, followed by dual-core chips in February.

Shortened URLs included in garden-variety emails and tweets are harder for antivirus and antispam applications to weed out, giving hackers another lucrative avenue to spread spam quickly and with much greater efficiency.

That’s the word from security software vendor Symantec (NASDAQ: SYMC), which dedicated most of its July MessageLabs Intelligence report to the pesky shortened URLs that are pretty much a prerequisite for quickly sharing links to stories, tweets and images on Twitter and other microblogging services.

Symantec’s report found that shortened-hyperlink spam hit a one-day peak of 18 percent of all spam emails on April 30, a total of more than 23.4 billion messages in one 24-hour period.

More troubling, Symantec security experts said, is the recent trend showing that shortened, spam-laden URLs are becoming as much a fabric of the spam culture as come-ons from Nigerian royalty and shady pharmaceutical dispensaries.

In the second quarter of last year, Symantec found that there was one day out of the three-month span during which shortened hyperlinks appeared in more than 1 in 200 spam messages. This year, however, there were 43 days when shortened URLs with spam accounted for 0.5 percent of all spam traffic and 10 days when the total surged to more than 5 percent of all spam messages.

“As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited,” Paul Wood, a senior analyst at Symantec’s MessageLabs, said in the report.

“When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional antispam filters to identify the messages as spam based on the reputation of the domains found in the spam emails,” he added.

This alarming influx of shortened URLs containing spam and malware was to be expected, security experts say, as more and more people embrace Twitter, its messages’ 140-character limit and the short URLs they often necessitate. And now that these shortened URLs with legitimate-looking domains are now being disseminated by botnets, the spammers are increasing their infection rate and generating lots of ill-gotten revenue.

Symantec’s surveillance revealed that the infamous Storm botnet, which reemerged in May, is the main source of malicious shortened URLs, accounting for some 11.8 percent of spam in the category.

“While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet, such as unidentified spam-sending botnets or non-botnet sources, such as webmail accounts created using CAPTCHA-breaking tools,” Wood added.

The report discovered that that on average, one website visit is generated for every 74,000 spam emails containing a shortened URL link and the most frequently visited shortened links from spam received more than 63,000 website visits.

There are increasing concerns about website attacks on the mind today, thanks to hackers’ takedown of high-profile sites during the Wikileaks cyberwar in particular, and the website defacements that often accompany political turmoil such as those that hit both Pakistanese andIndian government-run sites recently as well as some prompted by political issues here in the U.S. Sometimes the hacks are more akin topranks, while other times they serve as a way for those with strong opinions to express that sentiment anonymously. And sometimes, the hacks are initiated by spammers, instead of these sorts of political “hacktivests.”

To defend against this form of online vandalism, Google has announced it will begin to identify hacked sites, right in the Google search results.

According to news from Google’s Webmaster Central blog, the Internet search giant will begin warning Web surfers of sites that may have been hacked with a message that reads “This site may be compromised.” This will help protect those browsing the Web from becoming victims of malware, as is especially the case when sites are compromised by spammers, says Google.

Example of compromised websites in search results.

Users clicking the warning link will be directed to this page in Google’s Help Center that explains more about the notice and what it means, but Google will not stop you from clicking through on the search result itself, nor does it insert an additional warning after doing so, as it does with sites known to host malware.

Google says it will use “a variety of automated tools” to detect signs of hacked sites as quickly as possible and it will then add the notification and alert the site’s webmaster to the issue. Webmasters who are worried that the notices will negatively affect their search traffic can request a site review to accelerate the notification’s removal once this problem has been resolved.

Facebook survey scams continue to be a big problem. Just this weekend security companies estimate that hundreds of thousands of Facebook users have been hit by a resurgence of the “Girl killed herself” scam. I can certainly believe them as my Facebook news feed has been littered with them all weekend.

After seeing all the different profiles sending out all kinds of junk to their friends from these scams, it is obvious that many people are struggling to clean up their accounts after they were tricked into allowing a third party application to post messages from their profile. Of course, these messages look to your online friends as though you posted them, so it’s really important that the problem gets resolved or the scam will just spread more and more virally.

Here’s a quick YouTube video where Sophos Security shows you how to clean up your Facebook account from such an attack:

So make it easy on yourself and just don’t click on this type of random stuff if you see it pop up on your news feed from a friend. If you are really curious, try messaging your friend to see if they really meant to post it first. The internet can be a scary place… so stay safe out there!

Priya Nayak, who works in consumer operations under Google’s “Google Accounts” wing, puts it best: “My Google Account is very valuable to me.” And thus, in honor of National Cyber Security Awareness month, Nayak has taken to the Google blogs to dish out a list of helpful security measures one can use to have an online life that’s hacker-free.

Nayak does make a good point—whether it’s Google or another service, the world is increasingly moving toward a shared, online experience. Our photos are online; our e-mail is online; our blogs and calendars are online. As such, our online identities present a lucrative target for scammers, phishers, and others who would seek to harm our digital domains.

More importantly, one’s online accounts can be seen as a launching pad to do harm to others. After all, if everyone on your contacts list assumes that everything you send is on the up-and-up, it makes scams like those, “send me money, I need help” kinds of deals even more effective—why would anyone question your queries if you’ve had an excellent online track record so far?

“Account hijackers prey on the bad habits of the average Internet user,” writes Nayak. “Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.”

So how, then, do you do that?

Google—via Nayak—recommends that you start by choosing unique passwords for each of the major online “terminals,” as it were, which you use to access sensitive information about your life. That means no reusing passwords between, say, your Google Accounts and your online banking setup, or your Facebook page and your work e-mail, etc.

And once you have this batch of unique passwords set up, get ready to practice your memorization skills—that’s because Google recommends that you change your passwords no fewer than two times per year. Before you get ready to take the easy way out, Google prefaces that it’s not enough to just change a letter or append a new number to your existing password. You have to go back to the drawing board and concoct a brand-new segment of numbers and letters.

It’s double-important that you realize just how your passwords and accounts are used, in the sense that a given service provider isn’t going to just call you up on the phone and ask you for this information.
Phishing, after all, is one of the top four ways that unscrupulous folk gain access to your sensitive online information. That’s in addition to someone reusing any passwords they’ve previously acquired from you across new sites, malware that infects your system and logs your password without you knowing, and brute force attacks on your accounts.

If you want to check out just how secure you are online, Google’s crafted a simple checklist you can use to ensure that you’re going about your digital business the right way.

Example of infected website warning.

According to a new report published in a blog last month by researchers at security firm Dasient, the number of websites infected by malware in the second quarter of 2010 spiked to more than 1.3 million — the first time that figure has ever topped 1 million.

“That’s a jump of almost two times the number that we saw in the previous quarter,” says Neil Daswani, co-founder of Dasient. “The numbers are really surprising.”

Malware authors are becoming more efficient and creative in their methods of attacking websites, Dasient says. For one thing, they are creating new malware at an exceedingly rapid rate: Dasient detected more than 58,000 new infections in Q2 alone, raising its comprehensive malware library to more than 200,000 different infections.

Attackers are also becoming more crafty in the way they distribute their payloads, Daswani observes. For example, many malware authors have begun deploying new infections late on Friday afternoons, when they know most IT departmental resources will be at an ebb over the weekend.

“They can make the campaign last longer by starting it right before a weekend,” Daswani says. The average malvertising campaign in Q2, for example, lasted 11.5 days.

Malvertising itself continues to grow, Dasient says: More than 1.6 million malvertisements are served on an average day, up 20 percent in the second half of Q2, according to the report. Some 42 percent of websites rely on third-party advertising resources, yet many site operators do not vet this content for malware before they serve it, Daswani notes.

Attackers favored JavaScript over iFrames as a means of delivering malware in Q2, according to the report. “In Q2, over 43,000 JavaScripts and over 15,000 IFRAMEs were added to Dasient’s infection library,” Dasient says. “As a percentage of the total number of new entries, JavaScript samples have increased by 19 percent, and JavaScript samples now make up 74 percent of the entries for the quarter [as compared to 55 percent three quarters ago].”

“One of the advantages of JavaScript is that it can be used to modify a whole Web page, whereas an iFrame is more limited,” Daswani says. “JavaScript offers a larger attack surface.”

Attackers use .com and .cn domains most frequently to host malicious code, Dasient says. In Q2, there was a rise in .info domains that were infected and used to host malicious code, the report states.

Three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory, according to Dasient. The most common name for a drive-by-download was f.exe.

The level of attack sophistication is going to only increase over time, Daswani says. “This is a problem that isn’t slowing down,” he says. “It’s not going away.”

reCAPTCHA Logo.

A researcher last month demonstrated how he solved Google’s reCAPTCHA program even after recent improvements made to the anti-bot and anti-spam tool by the search engine giant.

Chad Houck, an independent researcher, also released the algorithms he wrote to crack reCAPTCHA. Houck had published a white paper on the hack prior to presenting his research at Defcon in Las Vegas, and says that Google made several fixes to reCAPTCHA that defeated several of his algorithms before he was scheduled to give his presentation. He then quickly came up with a few additional approaches with his algorithms, and says he was able to beat the updated reCAPTCHA 30 percent of the time.

“ReCAPTCHA has never been wholly secure. There are always ways to crack it,” says Houck, whose algorithms have been available online since Defcon. “The information [about the research] is out there. Google still hasn’t changed it, which kind of surprises me.”

Google, however, thus far has not seen any signs of this being actively used in the wild.

A Google spokesperson says the company had strengthened the verification words in the program both before and after Houck’s paper was published. “We introduced changes both before and after its appearance to improve the strength of our verification words,” the spokesperson says. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers. Even so, it’s good to bear in mind that while CAPTCHAs remain a powerful and effective tool for fighting abuse, they are best used in combination with other security technologies.”

ReCAPTCHA, which was originally created by Carnegie Mellon University and later purchased by Google, basically protects websites from bots and spam by generating distorted text or words that humans can read, but software or optical character readers cannot. The words used by the reCAPTCHA program come from books that are being digitized. The program, which runs on many major websites as a way to validate that the user on the site is a human and not an automated bot or spammer, presents the user with two real words to type into a box, one of which is for verification and the other for digitization purposes.

Houck’s hack works using a combination of his own algorithms, including one that decodes the “ribboning” protections reCAPTCHA uses to mask the words from software, a homemade OCR, and a dictionary attack.

He says the weakness of the reCAPTCHA program are in the way it’s designed. “It presents two words, one for verification and one for digitization,” he says. “Every time someone types the verification word correctly, the program assumes they also typed the digitization word correctly.”

Google’s latest tweaks to the program took out what Houck calls the “inverted blob,” or ellipses that help mask the text from bots, and increased the vertical ribboning and dilatation of the text, which positions the characters so they overlap slightly and aren’t easy to segment, he says. “But I solved that,” he says. “So all of their security features are flawed.”

His so-called “blanket algorithm” basically straightens out the text so it’s machine-readable. “And it segments the characters and gets run through the OCR,” which scans them, he says. “I also used a dictionary attack, which makes it a lot more efficient.”

Houck says he emailed recaptcha.net about his research, but never got a reply.

Just how difficult would it be for a bad guy to exploit this? “As long as you know how to program well enough, it would take a day to implement my algorithms,” he says.

Example of private browsing in Firefox.

Features in the four major browsers designed to cloak users’ browser history often don’t work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week’s Usenix Security Symposium in Washington DC. The makers of those browsers — Microsoft, Mozilla, Google, and Apple respectively — often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.

Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

“We discovered that all these browsers retain the generated key pair even after private browsing ends,” the researchers wrote. “Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site’s identity to the local attacker.”

The study (PDF here) showed each browser failing in specific settings.

The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard.

For its part, IE’s InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then “using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).”

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode — but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It’s only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much.

The PowerEdge R410 Rack server has spyware within its embedded systems management software. The direct seller is sending customers letters warning of the danger and also telephoning those affected.

A post in a support forum says customers should hear from Dell shortly. It does not provide any technical explanation of what type of spyware is included with the hardware or what extra cleaning process customers should go through.

Some forms of malware are likely to have spread if the hardware has been attached to a network. The forum post, from yesterday morning, is here.

The forum poster was concerned not to have more technical information – and that the call he received to book technical support said the call might not happen for up to ten days.

In response a Dell support staffer said there was an issue with a small number of service motherboard stock – new PowerEdge systems are not infected. He said the malware would not infect non-Windows servers.

Dell has also sent out the following statement:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Fortunately the forum has also been updated with information which answers some of the relevant questions – the malware was found in the flash on motherboards, not in firmware. It is a W32.Spybot worm which should be detected by any decent anti-virus software.

Dell said that less than one per cent of boards shipped have the infection. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

The Pirate Bay

A series of attacks on The Pirate Bay, one of the most well known and controversial file-sharing websites has allowed a group of Argentinian hackers, headed by malware researcher Ch Russo, to access both the user database and the website administration panel of The Pirate Bay, comprising over 4 million usernames and email addresses in the process.

It is thought that the group first targeted the website administration panel on The Pirate Bay, the group succeeded and then employed a series of SQL injection vulnerabilities to gain access to the user database, where they were able to add and amend records and obtain information to identify trackers and torrents uploaded by specific users.

Ch Russo posted a cryptic message on his blog detailing reasons behind the attack:

As any other website, as any other system or mechanism, www.thepiratebay.org has robust parts and soft spots. We beleive that the people behind this comunity always acted with the local laws on their side, and so have we. The community caused problems to huge companies and corporations which turned into threats between this companies and them. What we have done, we did not do it with anger, or for commercial value. As always, we saw the change, the moment and decided to take it. The protocol or procedure done to achieve this wasn’t anything out of the ordinary.

As you can see, Russo acknowledges that the data would be of huge interest to anti-piracy groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). In a telephone interview with KrebsOnSecurity he said: “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” adding “Instead we wanted to tell people that their information may not be so well protected.”

Screenshot of the backend of The Pirate Bay

According to Softpedia, the attackers have not been in contact with The Pirate Bay administrators since the attack but the offending weakness has since been identified and patched.

Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY (by Trend Micro). This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld. As mentioned earlier, cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.

Botnet Model

Lenovo has acknowledged the incident on its official forum and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.

Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.

This further proves the point that you should always have an antivirus program running on your computer at all times (and make sure its updated as well!). Even websites that you think are safe can fall victim to these types of attacks leaving everyone at risk. So be safe out there… cause the internet is one crazy place!

When Apple was just a niche maker of Mac computers and only truly popular among college students and graphic designers, hackers paid little attention to the company. Instead, they focused on Microsoft, which had more than a 90% share of the PC operating system market.

Those days are over. Recent iPad security scares are a sign that Apple’s devices are a growing target for hackers, spammers and malicious coders.

“Market share is a pretty good indicator of who hackers are going after,” said Kevin Haley, director at Symantec Security Response. “Hackers are motivated by money, so they want to get access to the most amount of people.”

Hacker group Goatse Security was able to obtain 114,000 iPad 3G users’ e-mail addresses and iPad SIM card ID numbers from AT&T’s website last week. The vulnerability was on AT&T’s site, but any hit against the iPad dings Apple as well. And in a blog post, Goatse Security said Monday that a “skilled attacker” could take advantage of a weakness in the iPad’s Safari Internet browser to launch a spam attack from a compromised iPad.

“This is a wake-up call for Apple, and it cannot afford to hit the snooze button,” said Hemanshu Nigam, founder of SSP Blue, a cybersecurity consulting firm. “The hacker community focuses on companies that are on the top of their games. Apple has gained enough market share that it has caught hackers’ attention.”

It’s not surprising that Apple is becoming a growing target — it’s simply a matter of scale. Cybercriminals try to hack the software that most people use to access the Internet, and increasingly, that software is made by Apple. While Apple’s PC market share is still in the single digits, Apple is now the second largest smart phone maker in the United States, behind only BlackBerry maker Research in Motion. It has also sold more than 2 million iPads in just two months.

“Any company’s device or platform on which lots and lots of people are exchanging or storing data is going to be susceptible to an attack,” said Fred Rica, principal security analyst at PricewaterhouseCoopers. “Hackers are beginning to change over to other platforms that hadn’t been traditional targets, particularly to mobile.”

As Apple products become higher-profile targets, its response is going to be tested. The company’s stance on security has long been “don’t worry about it.” For instance, on its website Apple says simply, “Mac OS X doesn’t get PC viruses.” The iPhone and iPad websites don’t even mention security.

Apple claims that the Unix framework that its Mac operating system is built on is inherently safer than Windows. The truth is that Mac OS has as many vulnerabilities as Windows, according to Nigam — Apple patches its products just often as Microsoft does.

In the past, Apple has responded quietly when vulnerabilities are exposed, patching products through automatic updates with no announcement. The company’s famous “Get a Mac” ads say Microsoft’s constant security updates and alerts interfere with users’ ability to do work on their computers. Ironically, Apple’s Safari browser’s lack of security alerts is one of the factors contributing to the security hole in the iPad, according to Goatse Security.

“Suggesting Apple doesn’t get viruses gives its users a completely false sense of security,” Nigam said. “It’s essentially taunting hackers. They’ll take it as a challenge, and just start exploiting Apple’s user base.” As a result, Nigam suggested it’s time for Apple to change it’s attitude. Right now, Apple prioritizes the user experience ahead of security. That can backfire. ”Apple has the capability to take charge of this situation now,” he said. “If it doesn’t, it’s risking damage to its reputation for the long haul, a la Microsoft.”