Internet Security News

Facebook Becomes A Favorite Target Of Phishers

Due to widespread concerns about its thoughts on users' privacy, Facebook has been under all sorts of fire lately, facing criticism from U.S. senators, European data protection authorities, and many tech experts. Now, yet another problem's cropped up, as Facebook's been called a top target of phishers.

Facebook Becomes A Favorite Target Of Phishers

The Securelist division of Kaspersky Labs issued a report yesterday, and the identities of the top three organizations that have been targeted by phishers may not come as a surprise to anyone; they're PayPal (with 52.2 percent of all attacks aimed at it), eBay (with 13.3 percent), and HSBC (with 7.8 percent).

The report, which covered the period between January and March of this year, next stated, though, "Facebook popped up unexpectedly in fourth place. This was the first time since we started monitoring that attacks on a social networking site have been so prolific."

By way of explanation, the report then continued, "Having stolen users' accounts, the fraudsters can then use them to distribute spam, sending bulk emails to the account owners and their friends in the network. This method of distributing spam allows huge audiences to be reached. Additionally, it lets the fraudsters take advantage of the social networking sites' additional options, like being able to send different requests, links to photo's and invitations, all with the advertisement attached, both within the network and to users' inboxes."

Obviously, this isn't good news for Facebook's users or the security community as a whole. Facebook acts as a sort of point of entry to information about a whole lot of people (the social network had 400 million users in early February).

This isn't good news for Facebook, either, though - nothing that makes its users uncomfortable or unhappy, and therefore likely to leave, is - so perhaps we'll at least see the company make some attempt(s) to address this problem.

Anyway, if you're curious, the list of phishers' targets picked up after Facebook with Google, the IRS, Rapidshare, Bank of America, UBI, and Bradesco.

Google Goes After Impersonator Scammers

As huge corporations go, Google's a pretty cuddly one, but according to the search giant itself, everyone should be careful about offers of employment or wealth that involve its name. "Google Money" scammers represent a growing problem that the company is trying to combat.

Google Goes After Impersonator Scammers

A post on the Official Google Blog announced today, "[D]espite hundreds of consumer complaints and our own efforts to keep these sites from tricking people, some scams continue. To fight back, we're working to stop various fraudulent 'Google Money' schemes, and this week filed suit against Pacific WebWorks and several other unnamed defendants."

The post then added, "[W]e're still working constantly to remove scammy URLs from our index, and we'll permanently disable AdWords accounts that provide a poor or harmful user experience, whether or not they use Google's trademarks illegally."

The problem continues to exist, though.

So fair warning: The scams are known to operate under names like the Earn Google Cash Kit, Google Adwork, Google ATM, Google Biz Kit, Google Cash, Google Fortune, Google Marketing Kit, Google Profits, Google StartUp Kit, Google Works, and the Home Business Kit for Google. From there, they tend to be fairly standard make-money-from home affairs.

As always, stay sharp.

Senate Uncovers Online Credit Card Tricks

A report issued by a U.S. Senate committee only uses the word "scam" when quoting different consumers; the report's title employs the phrase "aggressive sales tactics," instead. Still, it looks like a number of big online companies have been caught profiting off people's confusion.

Senate Uncovers Online Credit Card Tricks

An investigation ordered by Senate Commerce Committee Chairman John D. Rockefeller IV discovered that Affinion, Vertrue, and Webloyalty "gain access to online consumers by entering into financial agreements with reputable online websites and retailers," according to the official report.

Then, "[T]he three companies insert their sales offers into the 'post-transaction' phase of an online purchase, after consumers have made a purchase but before they have completed the sale confirmation process. These offers generally promise cash back rewards and appear to be related to the transaction the consumer is in the process of completing. Misleading 'Yes' and 'Continue' buttons cause consumers to reasonably think they are completing the original transaction, rather than entering into a new, ongoing financial relationship with a membership club operated by Affinion, Vertrue, or Webloyalty."

So individuals wind up paying $9 a month, and companies make millions. Millions upon millions, really. 1-800-Flowers.com, Buy.com, Priceline, and US Airways (among many others) were all given more than $10 million by Affinion, Vertrue, and Webloyalty. Barnes & Noble, eHarmony, and Pizza Hut received between $1 million and $10 million.

It's a bit scary to see this sort of trickery employed by such mainstream organizations. Hopefully the committee's report will force them to clean up their act.

McAfee: Cyberwarfare A Big Threat

It might not be long before we return to the days of schoolchildren diving under their desks in warfare preparedness drills. Only now, instead of hiding from nukes, the kiddos may be unplugging their computers, since McAfee has indicated that a cyberarms race is taking place.

McAfee: Cyberwarfare A Big Threat

Dave DeWalt, the president and CEO of McAfee, said in a statement, "[S]everal nations around the world are actively engaged in cyberwar-like preparations and attacks." These include China, France, Israel, Russia, and the U.S., and it's no secret that the members of this group aren't all on great terms.

What's more, cyberwarfare's barrier to entry is so low in comparison to traditional hostilities (a roomful of computers vs. thousands of men, tanks, and airplanes) that lots of other countries are almost sure to pursue the idea.

Then, if and when the virtual bullets start flying, things could get really nasty. McAfee reported, "Attackers are not only building their cyberdefenses, but cyberoffenses, targeting infrastructure such as power grids, transportation, telecommunication, finance and water supplies, because damage can be done quickly and with little effort."

At least this state of affairs would create a good job market for security professionals. Everybody else might benefit in a physical manner from the dive-and-unplug exercises, too.

ICSA Labs Finds Flaws In New Security Products

It's sometimes fun to be an early adopter, as the long lines and waitlists for things like iPhones and the new Camaro have proven. But where security products are concerned, do yourself a favor and let other folks go first, since a fresh report indicates that it can take more than a single try to get things right.

ICSA Labs Finds Flaws In New Security Products

ICSA Labs, which is based in Pennsylvania and has been around for 20 years, tests and sometimes certifies products. Emphasis on "sometimes."

An ICSA Labs Product Assurance Report indicated that just 4 percent of security products attain certification following a first round of testing. Most have to try again between one and three times before making the cut.

And it's not guaranteed that a product will ever meet the necessary standards, either. According to ICSA Labs, only about 82 percent of products attain certification in the end, meaning about one-fifth of all applicants (and perhaps a much larger percentage of products) aren't up to snuff.

So leave the shakedown cruises to less cautious individuals. Just repeat "patience is a virtue" a few times and read reviews while you're waiting, and remember that things will be less likely to blow up in your face when you finally get onboard.

Nigeria Announces Early Results Of Anti-Scammer Initiative

No one's sure how many there are to go, but according to a Nigerian official, there are about 800 scam email addresses and 18 criminals that can be considered "down." Mrs. Farida Waziri, the chairperson of a government agency, announced that some shutdowns and arrests occurred thanks to an initiative called Project Eagle Claw.

Nigeria Announces Early Results Of Anti-Scammer Initiative

Nigeria's Economic and Financial Crimes Commission is the force behind Project Eagle Claw, and with Microsoft's help, has just started ramping it up. Waziri explained in a statement, "We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails."

She then gave some very interesting details, continuing, "[U]pon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly."

Anything Nigeria can do to address the problem of scammers operating from within its borders will of course be good for the country's image. More than that, it might help honest Nigerians become part of the online world (since some entities have just taken to blocking troubled regions as a whole).

Then there will be the benefit to the rest of the world, with maybe millions of dollars not getting lost. For that reason, Project Eagle Claw is likely to gain a lot of fans.

MessageLabs Names Most- (And Least-) Spammed States

When considering where to live, it's wise to look up stats about an area's climate, the cost of living, and its proximity to other important stuff in your life. Symantec's MessageLabs recently supplied some information about your odds of getting spammed, too.

MessageLabs Names Most- (And Least-) Spammed States

Somewhat surprisingly, the states you might imagine as being the "most wired" - California, New York, Washington - weren't at the top of the list. Instead, the state in which spam represents the highest percentage of all emails received is Idaho, with 93.8 percent.

In an email to SecurityProNews, a Symantec/MessageLabs representative then listed the other top states (in order) as Kentucky, New Jersey, Alabama, Illinois, Indiana, Massachusetts, Pennsylvania, Arizona, and Maryland.

The U.S. territory of Puerto Rico wound up on the opposite end of the list, followed by Montana, Alaska, Kansas, South Dakota, Tennessee, Vermont, Rhode Island, Wisconsin, and Florida.

We're not quite sure what to make of these findings; the states don't appear to be ordered according to Internet penetration rates, GDP per capita, overall population, physical size, or anything else. Still, if you're looking to move, now you have a better idea of how to decrease the odds of getting bombarded with spam at your new home.

Enormous Malware Archive Creates Stir

A Dutch company known as the Frame4 Group has created what's almost the computing equivalent of a Center for Disease Control lab. The Malware Distribution Project is, according to its own site, the "world's biggest private malware archive."

Enormous Malware Archive Creates Stir

Don't jump to the conclusion that the project's run by a bunch of supervillains; the malware samples are supposed to be "offered for the purposes of analysis, testing and malware research."

Also, customers are screened, and a monthly access fee of about $1,235 should act to keep out some of the riffraff.

It actually seems possible that the Malware Distribution Project could be of great help to the security community. When you consider that medical researchers don't have to wander from house to house, asking people if they have cancer, every time they want to start a new experiment, certain practices start to seem a little outdated.

There is a potential for problems, though. One nightmare scenario relates to the Malware Distribution Project's figurative walls failing and everything getting out. Having all of that malware run amuck at once - particularly if security researchers' computers were the first things it'd come across - would be bad.

Then there's the possibility that some unpleasant person would gain access to the Malware Distribution Project's archive and just sort of go on a shopping spree. This way, some relatively stupid hacker might be able to get his (or her) hands on the most sophisticated viruses in existence.

As you might imagine, the Malware Distribution Project is definitely proving divisive.

Anyway, at last count, the repository contained a whopping 3,336,503 files.

UPDATE (10-13-09): Anthony Aykut, the Managing Director of Frame4 Security Services, got in touch with SecurityProNews this morning to pass along some information. In an email, he wrote, "[T]he malware is neither downloadable via the web site or accessible in any other way via the www; in fact, the (secure) servers where the malware is stored (or analyzed/processed) is not even connected to the outside world."

Aykut also stressed that nothing is sold to the public, and added, "Largely due to the security measure(s) mentioned above, and also based on to the fact that the storage media are protected by biometric devices, getting access to the MD:Pro archive is, well, pretty impossible."

Avsim Hacker (Maybe) Brought Before Cops

Perhaps people who like to spend their spare time in the cockpits of imaginary F-16s should be left alone. The man in charge of a flight simulator site that was attacked claims to have identified the hacker and forwarded information to the authorities.

Avsim Hacker (Maybe) Brought Before Cops

Avsim is one of the best-known flight sim communities in existence. It's been around for a long time, too. Unfortunately, a hacker managed to wipe about a decade's worth of modification info and forum posts from the site's servers back in May.

Now, though, Tom Allensworth, the publisher and CEO of Avsim, has told the BBC, "We . . . have incontrovertible evidence of the individual that performed the hack. We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case."

Allensworth is confident in the outcome, too, adding, "We fully expect that the criminal complaint . . . will result in the perpetrator spending some time behind bars - under UK law." (Since Avsim's located in the US, this means he's not pushing for extradition or anything of that sort.)

Neither London's Metropolitan Police Service nor the accused individual (who hasn't been publicly named) has made any comment yet.

Email Password Hackers Present Real Threat

The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.

Email Password Hackers Present Real Threat

Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."

Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.

Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.

And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.

So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.

U.S. Government Releases List Of Words They Look For Online

It's pretty obvious by now that the U.S. government wants to desperately spy on our online activities. Reports that the NSA is building a giant facility to intercept and record our communication are pretty bad, but groups like the NSA and FBI already watch for certain words online all in the name of protecting you from the bad guys. Thanks to the Freedom of Information Act, we now know what those words are.

U.S. Government Releases List Of Words They Look For Online

The full document containing the keywords is called the "Analyst's Desktop Binder." The document comes from 2011 so we can consider it to be pretty recent. The people who use the document as a guideline are those working at the Department of Homeland Security's National Operation Center. Those working at the center look for words to spot signs of danger so they can stop attacks before they happen, or so that's what they say.

The Daily Mail reports that the document was forced into the open after people questioned the true reason behind the monitoring. There are those who believe that the U.S. government is only monitoring online activities and keywords to find those that criticize the government online and spread dissent. The government obviously denies those claims and sticks to its claims that they're only trying to protect its citizens.

The words that the government actively looks for are split into a number of categories. The categories range from the usual suspects like "Domestic Security" and "HAZMAT & Nuclear" to things like "Southwest Border Violence" and "Weather/Disaster/Emergency." All of these categories contain some bizarre words that you wouldn't even think about when it comes to these categories like "pork" in the "Health Concern + H1N1" category. Sure, H1N1 is swine flu, but pork is a common enough word that it's used outside of talking about a specific illness.

The most interesting category of all, however, is "Cyber Security." Oddly enough, Anonymous is not listed in the group of keywords although I assume the term will be there in the updated keyword list for this year. Some of the terms in the category include "China," "2600," and "DDOS."

According to the DHS, they don't just look at these words and go into high alert every time a person talks about cooking up some pork on Facebook. Speaking to The Daily Mail, a spokesperson said that they review the context before they start firing signal flares.

That's a relief, I can't tell you how many times I've used the word "Anthrax" to refer to the legendary metal band. Hopefully the DHS doesn't employ people who think listening to metal is tantamount to social disorder.

Check out the full list of words below. I've set up the document to skip to the list of words immediately, but it's worth checking out the full report to see how the DHS monitors what you say on social media.

Analyst Desktop Binder_REDACTED

Yahoo Axis Private Certificate Key Leaked at Launch

Though the security issue has been resolved, Yahoo slightly botched the launch of Axis, its new mobile browser and desktop extension, by leaking its private certificate file in the source code of the Chrome extension. The private certificate was used to sign the extension, and could have been used to create a false extension that would be authenticated as officially from Yahoo.

Yahoo Axis Private Certificate Key Leaked at Launch

Nik Cubrilovic, an entrepreneur, hacker, and blogger at New Web Order, revealed Yahoo's mistake in a blog post. There, he warned users of the danger the leak posed and demonstrated how the vulnerability could be exploited by creating his own, harmless, forged extension. From the blog post:

The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victims machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.

Cubrilovic, after realizing what dangers the leak posed, quickly reported the mistake to Yahoo. According to The Next Web, Yahoo responded by pulling down the Chrome extension and blacklisting the leaked certificate key. The Next Web quoted a Yahoo spokesperson as saying:

Since discovering this issue we have immediately pulled down the chrome extension. We have blacklisted the exposed cert key with Google which has resolved the vulnerability. An updated chrome extension should be available within the next 30 minutes with this issue completely resolved. We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologize for any inconvenience.

A new Chrome extension is already available for Axis. The mishap only slightly tarnishes what was otherwise a smooth launch for Yahoo's new mobile browser. There have been no reports of any malicious software spread using the vulnerability, so score one for Cubrilovic and the rest of the white hat hackers of the world.

(New Web Order via The Next Web)

Apple Hires Kapersky Labs To Test Mac Security

The Flashback malware threat that recently plagued Mac computers opened a lot of eyes to the fact that Apple's computers may not be secure as their users have always believed. The Flashback malware attacked users' Macs by means of a flaw in Java that allowed it to install on users' computers without their knowledge. Apple ultimately dealt with the problem by releasing a tool that would remove it from infected computers, but not before the malware netted its creators as much as $10,000 per day in stolen ad revenue.

Apple Hires Kapersky Labs To Test Mac Security

The result of the Flashback threat has been to draw increased attention to the security situation of Mac computers. One recent study found that as many as 20% of Macs are carriers for Window-targeted malware, while security firm Kapersky Labs recently claimed that Apple was a decade behind Microsoft in terms of security.

The situation apparently got Apple's attention, as well. According to Computing, Apple has asked Kapersky to analyze the security of OS X and make recommendations to improve it. Nikolai Grebennikov, Kapersky's CTO, said that OS X is "really vulnerable," and that Apple "doesn't pay enough attention to security," noting that the Java vulnerability that allowed Flashback to infect Macs had been patched by Oracle months before the outbreak, and Apple hadn't bothered to release an update for OS X.

For the moment, Kapersky will only be working on OS X, though Grebennikov foresees similar security issues with iOS in the next year or so, unless Apple takes further steps to secure the platform.

55,000 Twitter Accounts Hacked, Passwords Exposed

Hackers appear to have successfully exposed the passwords of as many as 55,000 Twitter accounts yesterday, sparking the website to conduct an investigation into just how the security breach occurred.

The hack was first reported on the blog Airdemon.net where it was said that "anonymous hackers" - note that it's not the proper Anonymous, as in the hackivist collective, but it's not clear whether that punctuation difference was intentional or not - gained access to the the accounts, some of which are said to belong to celebrities. The account information was so enormous that it took five pages on Pastebin to share all of the information.

55,000 Twitter Accounts Hacked, Passwords Exposed

According to CNET, Twitter is looking into the breach and have notified the affected accounts with notices to reset their password.

Yesterday evening, Twitter, via the @twittercomms account, said that many of the accounts affected were duplicates or spam-ish.

@twittercomms
Twitter CommsThe list of alleged accounts & passwords consists of more than 20,000 duplicates. Also suspended spam accounts & incorrect login credentials 12 hours ago via Twitter for Mac · Reply · Retweet · Favorite · powered by @socialditto

After crunching the numbers and identifying the duplicate accounts shared on Pastebin, Anders Nilsson at S�kerhetsbloggen determined that the total amount of actual accounts is 34,062 and, of those, only 25,068 appear to be legit. He also postulates that a majority of the accounts appear to be associated with email accounts from Brazil, which would make sense since when I looked at the list of account info on Pastebin my browser offered to translate the webpage into Portuguese. More interesting, Nilsson also points out that the list of yesterday's hacked accounts appear to be accounts that were hacked last summer.

So maybe Twitter's right to downplay this security breach and it's not really as threatening or legitimate as it first appeared to be. Do you think Twitter's responded appropriately, or should it be taking the matter a little more seriously? Think this situation is more hoax than actual hack?

Update: Even though the sentiment is pretty much summarized above, here is the official Twitter statement a spokesperson provided to WPN:

We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected. For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center.

It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).

Oracle Offers Workaround After Confusion Leads to Zero-Day Disclosure

Many software developers offer bounty programs for their products. The concept is that someone finds an vulnerability and notifies the developers of the software for a reward. The point is to dissuade hackers from using the vulnerabilities by offering them something "better"(?). Of course one would think that, after the vulnerability is turned in and the reward given, the developer would scramble to correct the issue. Oracle seems to have a different process in place.

Oracle Offers Workaround After Confusion Leads To Zero-Day Disclosure

The vulnerability, rated a 7.5 on the CVSS scale (0-10, 10 being severe), was found by Joxean Koret four years ago. Acting as a man-in-the-middle, the vulnerability allowed remote access to Oracle's 10g and 11g database versions without authentication. Obviously a rather large issue. Oracle seemingly sat on this until it's quarterly security update (2 weeks ago) where it seemingly fixed the bug, even crediting Koret in the "Security-in-Depth" program.

Assuming the vulnerability corrected, Koret published a proof of concept, detailing the methods to using the flaw. After a few follow up emails, however, it turned out that Oracle's intention was to correct the flaw in future versions of it's software. The now published solution can be found here.

Microsoft Warns of Conficker Worm Threat

The latest Microsoft Security Intelligence Report (SIR) has complied new data taken from over 600 million systems worldwide, and has found that iterations of the Conficker worm have appeared on roughly 220 million computers over the past 2.5 years. This makes Conficker one of the most substantial ongoing, broad-based threats to enterprises.

Microsoft Warns Of Conficker Worm Threat

According to Wikipedia -

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Conficker was set to launch on April Fool's Day in 2009, but nothing really happened - though not to say the malicious code didn't get around, and still broadly exists. Data from Microsoft's SIRv12 shows detections of Conficker have gone up 225% since early 2009, and was traced to 1.7 million systems in Q4 2011. Research also shows that 92% of Conficker infections are instances of compromised passwords, and the other 8% are due to systems lacking the latest security updates. Commenting on a a lack of Windows security, Tim Rains, Director of Microsoft Trustworthy Computing, states, "Conficker is one of the biggest security problems we face, yet it is well within our power to defend against - It is critically important that organizations focus on the security fundamentals to help protect against the most common threats."

Microsoft recommends users take the following measures to promote better system security:

Use strong passwords and educate employees on their importance
Keep systems up to date by regularly applying available updates for all products
Use antivirus software from a trusted source
Invest in newer products with a higher quality of software protection
Consider the cloud as a business resource

Again, the two primary measures to be taken are to use and protect solid passwords and to frequently access Windows Update. Also, Microsoft plans to launch an updated version of its SkyDrive cloud system in tandem with the introduction of Windows 8, which is rumored to be sometime in October. It's noted that the cloud can also improve security for businesses.

The State of IT Security [Infographic]

We all know about threats to the valuable data we store everyday, we hear about them all the time. There's always some anonymous hacker shutting down a website, or publishing someones private data. It's just something that has become part of living in the age of information. After all, you can't have so much information so readily available and not have it fall into the wrong hands once in awhile.

The State Of IT Security [Infographic]

Unfortunately, there's a lot more to data breaches than just the hacks we hear about in the press. Verizon has taken a particular interest in tracking breaches of data and has been doing so since 2004. You might not be surprised to learn that last year, 2011, was the second highest year for breaches ever.

The breaches occurred in all kinds of industry including; banking, healthcare, retail, information management, food service, and probably just about any field you can think of. They also happened all over the world. So what can be done?

This next infographic from Backgroundcheck.org gives us the lowdown on where these breaches are happening, what we can do to better protect ourselves, and what these breaches are costing us. Everybody should take a look at this one, it's packed with useful data management information.

Check it out:

Internet Explorer 9.0.6 Now Available, Fixes Security Flaws

I remember just a few years ago when Internet Explorer was the laughing stock of the browser community. It lacked the functionality that other browsers had while lacking even basic security functions. It's what led to the impression that IE was a virus haven, but Microsoft has made great strides in making IE a more attractive and secure browser. The new update today only reaffirms that.

Internet Explorer 9.0.6 Now Available, Fixes Security Flaws

Microsoft today announced the release of Internet Explorer 9.0.6. It fixes "five privately reported vulnerabilities in Internet Explorer." The worst vulnerability would allow "remote code execution" if a user visited an infected Web site. This would allow somebody to gain control of the PC in question with the same user rights as the local user.

These are the kind of vulnerabilities that can lead to the creation of a botnet. People visit a Web site and get their computer hijacked by a foreign party. Their computer then becomes part of the botnet collective which usually goes unnoticed by the user if the creator of the botnet is good at their job.

Microsoft says that this updated is rated critical for IE6, IE7, IE8 and IE9 on Windows clients. It's rated moderate for the same versions of IE on Windows servers. You can check out the full security bulletin for all the information including which operating systems are affected.

If you have automatic updating turned on, the update should have already been applied. If you're like me and have automatic updates turned off, you can apply it the usual way through Windows Update. While I don't use Internet Explorer and many Windows users reading this now probably don't either, it's still suggested that you install the update. There's always that small chance of a friend using your computer and browsing with Internet Explorer. It's better to be safe than sorry.

New Variant of Flashback Malware Exploits Unpatched Java Vulnerability in Macs

A new variant of the Flashback trojan has appeared, exploiting a Java vulnerability found in Macs. Cyber security firm F-secure announced this discovery via its blog today.

New Variant of Flashback Malware Exploits Unpatched Java Vulnerability in Macs

Flashback is a trojan that was originally distributed in the guise of erotic images or politically offensive material. It was later updated to be distributed in a fake installer application for the Adobe Flash Player plug-in. The malware works by downloading its payload from remote sites and creating a backdoor in users' browsers through which the users' information is transmitted to remote servers. Previous versions of the malware targeted older Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353, according to F-secure) which were repaired in updated versions of Java.

But the most recent variant of Flashback, called Flashback.K, exploits a newly discovered vulnerability (CVE-2012-0507) and is capable of "infecting systems without user interaction" [F-secure]. Originally this variant of Flashback targeted both Mac and Windows systems, but a patch released by Oracle in February as part of a Windows Java update has rendered up-to-date Windows machines safe from the attack. Apple has yet to release the update for OS X.

F-secure also warns of yet another available Java exploit that is currently on sale in the computer underworld.

At least until Apple releases a patch for the newly targeted exploit, F-secure urges users to disable the Java client on their Macs. As a rule, the company recommends that users keep Java disabled on their browsers, enabling it only when necessary and with caution, and then disabling it again immediately when it is no longer needed.

The company also provides instructions on detecting and removing Flashback from your Mac.

[F-secure, Photo Source: ThinkStock]

Microsoft: Internet Crimefighter and Bane Of Botnets

Microsoft's stepping up its effort against online crime lately by sending its own employees to accompany U.S. marshals in federal raids of facilities that are suspected of participating in one of the nastier methods of cybercrime: botnets.

Microsoft: Internet Crimefighter & Bane Of Botnets

A profile in the New York Times today on Richard Boscovich, Microsoft's senior lawyer in the company's digital crimes unit, offers a glimpse into the company's increased vigilance in policing the online world by taking the fight offline. Boscovich is credited with creating Microsoft's branch of law enforcement as an effort to watch over "fraud that could affect the company's products and reputation." In what sounds more like Law & Order: The Microsoft Unit than something you'd expect from the maker of Windows operating systems, the Times describes a recent government raid in Pennsylvania aimed at taking down botnets:

With a warrant in hand from a federal judge authorizing the sweep, the Microsoft lawyers and technical personnel gathered evidence and deactivated Web servers ostensibly used by criminals in a scheme to infect computers and steal personal data. At the same time, Microsoft seized control of hundreds of Web addresses that it says were used as part of the same scheme.

Although companies like Google and Apple tend to dominate most tech headlines these days, Microsoft's Windows is still the most used operating system around the world among internet users, which has the unfortunate side effect of making it the most likely target for botnets. While Microsoft continues to offer up patches and security upgrades for its users, the company has also endorsed recent legislation like the Anti-Bot Code of Conduct for Internet Service Providers. Taking on cyber criminals in the first-life world suggests Microsoft doesn't feel like waiting around for the law's delay to start hindering botnets and bot-herders, criminals that utilize botnets.

In what I imagine sounded like a Batman growl unintentionally slipping into a press interview with Bruce Wayne, Boscovich said that the purpose of the raids was to send a message to cyber criminals. "We're letting them know we're looking at them," said Mr. Boscovich.