Adobe

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says its in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the Virustotal scan results from today are here, and yes it’s a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off Javascript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.

Secunia first announced in March that it would soon make the auto-update feature available to consumers, noting that the average PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that  typically run on top of it.  The new beta version doesn’t allow auto-updating for all applications, although Secunia says the list of applications that can be auto-updated through its tool will grow as the public beta progresses.

Overall, PSI 2.0 Beta seems to work quite a bit faster and use fewer resources than earlier versions. But my main concern in allowing third-party programs to update through PSI has so far been — ironically — relinquishing control over the update process. That’s because many “free” applications — such as Java, Adobe and Foxit readers — are free because a number of users never bother to deselect the check mark in the box next to offers to install additional software that is often bundled with these products, including virus scanners and various browser toolbars.

I am happy to report that so far this has not been an issue. On my test installation of the PSI 2.0 beta, it allowed auto-updating for 10 installed applications, including Adobe AIR, Flash Player, Foxit, Firefox, Thunderbird, Opera, Pidgin, Skype, Java, and xChat. The PSI tool updated all of those apps without any unwanted add-ons or toolbars that I can see.

Stefan Frei, research analyst director at Secunia, said the company wants to hear from users who receive more than just the security update.

“We always try to provide updates without unnecessary add-ons, but this is exactly the kind of of feedback we are looking for during the beta,” Frei said in an e-mail to KrebsOnSecurity.com. “So far we haven’t received any support cases indicating that we don’t hit it right on, but it is something we [are] aware of and will address if we receive any reports from users who find that it could be optimized.”

If PSI can’t auto-update any programs, it includes a clickable “Install Solution” link in the tool that fetches the executable update directly from the vendor’s Web site.

For those who don’t want to install PSI, Secunia makes available on its site an online version of this tool — Online Software Inspector — although the OSI requires users to have Java installed (PSI does not require Java).

If you’ve used the new PSI Beta, please sound off in the comments with your experiences.

Company owner Christopher Mallick broke the news to ePassporte customers in an e-mail sent Thursday, saying Visa International had suspended the company’s ePassporte Visa program, which is processed through St. Kitts Nevis Anguilla National Bank.

Dear ePassporte Account Holders,

Please be advised that, at 12:00 PM PDT today, September 2, 2010, we were notified that effective immediately, Visa International has suspended our banking partner’s (St. Kitts Nevis Anguilla National Bank) ePassporte Visa program. The ePassporte e-Wallet program continues to be up and running, except funds cannot be transferred between your Visa Account and your e-Wallet. At this time ePassporte can no longer issue Visa Cards, and the ability for our Account Holders to make point of sale purchases and withdraw funds from ATMs has also been suspended.

At this time we do not know why this drastic action was taken by Visa. To us, it is unconscionable that such action would be taken without the opportunity for ePassporte to fully understand Visa’s reasons and to be able to take all steps necessary to keep our program running the way it has so successfully done for over 7 years. But that is what Visa has done.

As soon as we have more information we will be in contact with you.

In the meantime please be assured that your funds are safe.

We are very sorry for the short notice and apologize for any inconvenience this may cause. The ePassporte team is working diligently to rectify this situation.

We kindly ask you to bear with us while we work through this issue.

Please feel free to contact us via the message center or at our call center, should you have any questions, comments or concerns.

Thank You,

Christopher Mallick

ePassporte’s Visa Virtual Account allowed customers to pay online at any Website that accepted Visa cards. The program also issued customers physical cards that could be used to withdraw cash at ATMs around the globe.

I reached out to both Mallick and Visa for further details and will update this blog if I hear from either.

Update, Sept. 7, 1:07 p.m. ET: Visa just issued the following statement, sent to me via e-mail in response to my request last week for more information:

“At the request of St. Kitts-Nevis-Anguilla National Bank (SKNA), on September 2, 2010, Visa blocked network access for prepaid cards issued by SKNA and operated by ePassporte.com to address certain program deficiencies.  ePassporte.com is a third-party agent that works with SKNA.

“It is important to note that impacted SKNA prepaid cardholders are still able to access their funds through SKNA or SKNA’s agent, ePassporte.com.  For more information cardholders should contact SKNA or ePassporte.com.

“Visa is committed to maintaining the integrity of its global payment network and routinely conducts due diligence to ensure Visa prepaid programs adhere to the company’s stringent program requirements and controls.”

Original post:

This news caught my attention because I have recently encountered ePassporte accounts tied to several shady affiliate programs, such as those used to reward people who promote rogue anti-virus products and online pharmacy sites.

A number of adult Webmaster forums are buzzing with the news, but few seem to know more than what’s in the statement from ePassporte. However, the administrator of the online forum italkcash.com suggests that the move by Visa is in response to new anti-money laundering requirements mandated by the Credit Card Act of 2009, which affects prepaid cards and other payment card instruments that can be reloaded with funds at places other than financial institutions.

While ePassporte’s Mallick can’t be happy about these developments, the situation may provide a nice bump for his new movie: Mallick helped produce the Paramount film Middle Men, a movie released Aug. 6, 2010 that is based on his personal experiences in the porn Web site billing industry. The synopsis from the film’s Wikipedia entry seems oddly prescient:

In 1995, straight-and-narrow businessman Jack Harris (Luke Wilson) who builds the first online billing company dealing exclusively with adult entertainment, finds himself in the middle of a whirlwind filled with starlets, con men, Russian mobsters, federal agents, and international terrorists. Caught between a porn star and the FBI, Harris learns that even becoming one of the wealthiest entrepreneurs of his generation may not be enough to keep him out of trouble. It is based on the experiences of producer Christopher Mallick.

Click the image below for a Youtube.com trailer of the movie.

Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

The essay is well worth reading for anyone remotely interested in hard-to-solve security problems. Geer is better than most at tossing conversational hand grenades and then walking away, and this piece doesn’t disappoint. For example:

“Looking forward, without universal strong authentication, tomorrow’s cybercriminal will not need the fuss and bother of maintaining a botnet when, with a few hundred stolen credit cards, he will be able to buy all the virtual machines he needs from cloud computing operators. In short, my third conclusion is that if the tariff of security is paid, it will be paid in the coin of privacy.”

Geer’s prose can be long-winded and occasionally sesquipedalian (such as the phrase “Accretive sequestration of social policy”), but then he turns around and shows off his selective economy with words by crafting statements like:

“..demand for security expertise so outstrips supply that the charlatan fraction is rising.”

In the essay, Geer touches on a pet issue of mine: Accountability for insecurity. I recently wrote an editorial for CSO Online addressing a public request for advice by the Federal Communications Commission (FCC), which wants ideas on how to craft a “Cybersecurity Roadmap” as part of its $7 billion national broadband initiative.

In that column, I suggest that the FCC find a way to measure and publish data about the number and longevity of specific cyber security threats resident on domestic ISPs and hosting providers. I also suggest that the government could achieve this goal largely by collecting and analyzing data from the many mainly volunteer-led efforts that are already measuring this stuff.

Geer warns readers that “the demand for ‘safe pipes’ inexorably leads to deputizing those who own the most pipes.” But mine isn’t a “punish or regulate ISPs-for-having-lots-of-security-problems” approach. Instead, it’s more of a “publish a reputation score with the imprimatur of the federal government in the hopes that the ISPs will be shamed into more proactively addressing abuse issues” idea.

Who knows if my idea would work, but it wouldn’t be terribly risky or expensive to try. After all, as Geer said, “security is a means and that game play cannot improve without a scorekeeping mechanism.”

“These are heady problems,” he concludes. “They go to the heart of sovereignty.  They go to the heart of culture.  They go to the heart of ‘Land of the Free and Home of the Brave’.  They will not be solved centrally, yet neither will they be solved without central assistance.  We have before us a set of bargains, bargains between the Devil and the Deep Blue Sea.  And not to decide is to decide.”

Cue the music.

The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.

Kathy Still, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.

“All I can say now is we have a possible computer hacking situation under investigation,” Still said. “I can also tell you that as far as we can tell, no student data has been compromised.”

According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

Sources said the FBI is investigating and has possession of the hard drive from the controller’s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.

The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa.

Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer, a reporter for the Highland Cavalier, the official student newspaper for UVA-Wise, writes that school officials now say they have recovered the stolen money.

Recommended reading:

Target: Small Businesses

Charting the Carnage from Ebanking Fraud

eBanking Guidance for Banks and Businesses

Avoid Windows Malware: Bank on a Live CD

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online. Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

DLL Hijacking

Windows relies heavily on powerful chunks of computer code called “dynamic link libraries” or DLLs. Each of these DLLs performs a specific set of commonly-used functions, and they are designed so that Windows can share these functions with other third-party programs that may want to invoke them for their own purposes. Many third-party apps will load these DLLs or bring their own when they first start up and often while they’re already running.

Typically, DLLs are stored in key places, such as the Windows System (or System32) directory, or in the directory from which the application was loaded. Ideally, applications will let Windows know where to find the DLLs they need, but many do not.

The potential for trouble starts when an application requests a specific DLL that doesn’t exist on the system. At that point, Windows sets off searching for it — looking in the above-mentioned key places first. But eventually, if Windows doesn’t find the DLL there or in a couple of other places, it will look in the user’s current directory, which could be the Windows Desktop, a removable device such as a USB key, or a folder shared on a local or remote network.

And while an attacker may not have permission to write files to the Windows system or program directories, he may be able to supply his own malicious DLL from a local or remote file directory, according to the U.S. Computer Emergency Readiness Team.

Several months ago, experts from a Slovenian security firm warned that hundreds of third-party applications were vulnerable to remote attacks that could trick those apps into loading and running malicious DLLs. According to the Exploit Database — which has been tracking confirmed reports of applications that are vulnerable to this attack — vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Medialplayer Classic and uTorrent, to name just a few.

The FixIt Tool

Roughly one week ago, Microsoft released a workaround tool to help users and system administrators blunt the threat from all of this by blocking insecure DLLs from loading from remote and local file sharing locations. But the tool wasn’t exactly made for home users: After you installed and rebooted, you still had to manually set a key in the Windows registry, an operation that can cause serious problems for Windows if done imprecisely.

On Tuesday, Microsoft simplified things a tiny bit, by releasing one of its “FixIt” tools to make that registry fix so users don’t have to monkey around in there. Trouble is, you still need to have installed the initial workaround tool before you can install this point-and-click FixIt tool.

It’s tough to gauge whether DLL hijacking poses the same threat to home users that it does to users on larger enterprise networks. Microsoft maintains that this class of vulnerability does not enable a “driveby” or “browse-and-get-owned” zero-click attack, but the attack scenarios Redmond describes where a Windows user could get owned by this attack probably would work against a majority of average Windows users.

And while it may take some time for developers of vulnerable third-party apps to fix their code, Microsoft’s interim fix does add a measure of protection. If you’d like to take advantage of that protection, visit this link, scroll down to the Update Information tab, and click the package that matches your version of Windows. Install the fix and reboot Windows. Then visit this link, and click the FixIt icon in the center of the page and follow the installation prompts.

Further reading:

An excellent writeup on this from SANS Internet Storm Center incident handler Bojan Zdrnja.

A discussion thread about this on DSL Reports’ security forum.

In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines.

The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.

The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.

“While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,” Des Moines Bishop Richard Pates said. “Obviously, any entity that experiences such a crime should be significantly concerned.”

Once again, the theft involves so-called money mules willingly or unwittingly recruited by a specific money mule cash-out gang whose work I have written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church’s cash. Daniel Huggins, the 29-year-old owner of Masonry Construction Group LLC, got mixed up with a company calling itself the Impeccable Group, claiming to be an international finance company operating out of New York.

Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site Monster.com. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins’ erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.

Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the clergy sexual abuse scandals that have rocked the church in recent years.

“The told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,” Huggins said.

Huggins’ bank discovered the fraud and froze his account while there was still almost $10,000 left in it from the fraudulent transfers. Huggins said he was told to expect a call from lawyers for the Des Moines diocese, but he’s conflicted about whether he will return the money he made from his part in the scam: Minus the Western Union and Moneygram wire fees, Huggins earned commissions totaling nearly $800 for helping the thieves transfer the stolen money out of the country.

“I already sent the money to pay off my credit card balance,” Huggins said. “I guess I’m still up in the air on that one.”

The screen shots below were taken of Huggins’ “task manager,” an online communications panel that Impeccable Group used to communicate with money mules they had recruited.

According to security firm M86 Security Labs, junk e-mail being relayed by Pushdo (a.k.a. Cutwail) tapered off from a torrent to a dribble over the past few days. M86 credits researchers at LastLine Inc., a security firm made up of professors and graduate students from University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany).

LastLine’s Thorsten Holz said his group identified 30 Internet servers used to control the Pushdo/Cutwail infrastructure, located at eight different hosting providers around the globe. Holz said Lastline contacted all hosting providers and worked with them to take down the machines, which lead to the takedown of nearly 20 of those control servers.

“Unfortunately, not all providers were responsive and thus several command & control servers are still online at this  point,” Holz wrote on the company’s blog. “Nevertheless, this effort had an impact on Pushdo/Cutwail, which you can also see in new Anubis reports generated today  by re-running the analysis: Many connection attempts fail and infected machines can not receive commands anymore.”

It will be interesting to see whether this action has a lasting effect on the Pushdo/Cutwail botnet, which has rebounded from similar infrastructure attacks in the past. In January 2010, researchers at Neustar and several ISPs targeted the control servers for the Lethic botnet, another botnet that at the time was estimated to be responsible for relaying roughly one in ten spam e-mails. But just a month after that takedown, spam volumes from Lethic began recovering.

In May 2009, the Federal Trade Commission ordered the unplugging of a hosting provider in Northern California called 3FN, which was at the time hosting a large number of Cutwail control servers. The 3FN takedown — a type of botnet assault that I like to call a “shun” — relies on ostracizing or immobilizing ISPs and hosting providers that repeatedly turn a blind eye to serious abuse on their networks.

This latest action by Lastline falls into the other major takedown category, a group of tactics best described as “stuns,” wherein researchers target a botnet’s control infrastructure in a coordinated takedown. I discuss both of these tactics in the latest McAfee Security Journal, available at this link.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration’s intellectual property enforcement coordinator.

“The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line,” the invitation states.

Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. The meeting appears to be a continuation of the administration’s Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to “address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies.”

According to the World Health Organization, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce — or $21 billion — involves counterfeit drugs. LegitScript.com, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.

A report (PDF) released in June by anti-spam and domain policy compliance group Knujon (“nojunk” spelled backwards) found that some 162 domain name registrars may be in breach of their contracts with the Internet Corporation for Assigned Names and Numbers (ICANN), the entity which oversees the registrar system. Many of the registrar violations named in that report were linked to rogue online pharmacies that are being advertised through spam and/or pharmacy affiliate programs like Glavmed and RX-Promotion — both affiliate networks that have been tied to botnet and cybercrime activity.

The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either).

One other note about Shockwave: Firefox users may notice a “Shockwave Flash” entry when they click “Tools,” “Add-0ns,” and then the “Plugins” tab. For reasons that are too complicated to explain in one breath, this is actually Adobe’s name for its regular Flash player, which most people probably do want installed because can be difficult to browse and use the Internet without it.  By the way, if you haven’t updated your Flash Player in a while, Adobe issued a new version of that software on Aug 10 that plugged a half dozen security holes.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.