Mar 19 2010   12:53PM GMT

Sophos researchers warn of new Amazon phishing scam



Posted by: admin
Rogue Antivirus, scareware

Phony email message claims Sony laptop is on the way.

Security researchers at SophosLabs have discovered yet another new phishing campaign aimed at users of Amazon.com. A fraudulent Amazon email message claims a Sony VAIO A1133651A laptop has been ordered and is being shipped. The email includes an attached file that supposedly contains the tracking information for the customer.

There’s no surprise at what happens next. The attached file (track.zip) contains an embedded Trojan horse. In his blog, Graham Cluley of Sophos said the scareware program is designed to pose as antivirus software.
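The lure described above follows a pattern that can be checked mechanically before a message reaches a user: an archive attachment whose member is an executable wearing a document-like name. The following is an added example, not code from Sophos or from the original post; the message, the file name inside the archive and the extension list are all constructed for the demonstration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions Windows treats as directly executable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message():
    """Construct a lure in the shape the post describes: an 'order shipped' notice
    carrying track.zip, which wraps an executable. Every value here is made up."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # A harmless placeholder stands in for the dropped program.
        zf.writestr("tracking_info.pdf.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your order has shipped"
    msg.set_content("Your Sony VAIO laptop is on its way. Tracking details are attached.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="track.zip")
    return msg.as_bytes()


def classify_name(name):
    """Return the reasons a file name looks like a disguised executable."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        # 'invoice.pdf.exe': a document-looking name with an executable tail.
        if os.path.splitext(root)[1]:
            reasons.append("double-extension")
    return reasons


def inspect_message(raw):
    """Walk every attachment; open archives and check each member's name.
    Returns one finding per suspicious file."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        attachment = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    reasons = classify_name(member)
                    if reasons:
                        findings.append({"attachment": attachment,
                                         "member": member, "reasons": reasons})
        else:
            reasons = classify_name(attachment)
            if reasons:
                findings.append({"attachment": attachment,
                                 "member": None, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

The check only looks at names, so it is a triage filter rather than a verdict; a gateway would pair it with archive-content scanning and would also refuse nested or password-protected archives it cannot open.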

Of course, this tactic is nothing new. But clearly cybercriminals think it is still an effective route to achieve their goal - to infect as many computers as possible with their malware.

We’ve written about rogue antivirus a number of times in the past. In December, the FBI warned that rogue antivirus losses are exceeding $150 million. Symantec issued a report last year on the scareware phenomenon. In a one year period, Symantec said it documented 43 million rogue security software attempts. It identified more than 250 different flavors of rogue antivirus.

- Matthew DeBarros

Mar 18 2010   11:25PM GMT

Estonia defense minister talks about 2007 cyberattacks



Posted by: Marcia Savage
cyberwarfare

Attacks raised the issue of cybersecurity on the global agenda.

Jaak Aaviksoo, the minister of defense of the Republic of Estonia, had the daunting and unenviable task of dealing with the massive cyberattacks that hit his country in the spring of 2007. For more than three weeks, Estonia’s government agencies, banks, telecoms, and online news services suffered large-scale DDoS attacks as well as Web defacements, he said in a keynote Wednesday at the IT Security Entrepreneurs’ Forum at Stanford University. The attacks, he said, aimed “at the credibility of the Estonian government,” as well as the private sector.

Traffic coming into Estonia was 400 times more than normal, creating havoc for a country Aaviksoo described as heavily reliant on the Internet. In response, officials blocked traffic altogether, he said: “Something close to a sea blockade.”

The cyberattacks served to bring the issue of national cybersecurity on the global agenda, Aaviksoo said. “Cyberattacks that may constitute a national security threat are no longer science fiction,” he said, adding that attacks similar to the ones endured by Estonia could happen on a larger scale to bigger countries.

National responsibility combined with international cooperation is critical for fighting cybercrime, he said. Public awareness is also important, as is law enforcement. The legal instruments to fight Internet crime “are clearly underdeveloped,” Aaviksoo said.

He said there’s been a lot of speculation about the source of attacks but no conclusions. At the time, some speculated that Russia was behind the attacks.


Mar 17 2010   2:32PM GMT

Robert Maley dismissal, in retrospect, not surprising



Posted by: Eric Parizo
Web application security, laws investigations and ethics, Robert Maley

As first reported last week in The Patriot-News of Pennsylvania and other outlets, Pennsylvania CISO Robert Maley was either fired or resigned under pressure following an appearance at RSA Conference 2010.

It’s been widely reported that the man credited with building Pennsylvania’s information security program from scratch lost his job because at RSA he revealed a design flaw in the commonwealth’s driver’s exam-scheduling Web application. SearchSecurity.com alum Dennis Fisher writes on ThreatPost.com that Maley’s firing is bad for the industry, and while it’s hard to argue any of Fisher’s points, there are some important details that have thus far been overlooked.

At RSA, Maley not only spoke on a panel with other state CISOs, but he also led his own session on changing the culture of application security. SearchSecurity.com was at that session, and the first thing Maley noted was that a travel ban was in place for Pennsylvania officials due to the state’s economic troubles, which barred him from speaking in an official capacity. He then said he was at RSA on “vacation,” but considering that the content of his talk was entirely focused on his work as Pennsylvania CISO, it’s not a stretch to believe that alone would have been grounds for his dismissal.

In addition to the exam-scheduling application issue, Maley also discussed a number of other security issues within his organization that may not have pleased officials back home, including past SQL injection attacks on state websites, a control for an open Lotus Notes system that could have led to a system compromise, and a 2008 cross-site scripting vulnerability in a voter registration website that exposed voters’ personal information.

Yet what’s especially odd about the timing is that Maley delivered a similar presentation at the RSA Conference in 2009. Why did the talk cost Maley his job now? Sources speculate that it was a combination of violating the state travel ban and choosing to discuss the issue with the exam-scheduling application, which is still under investigation. Maley himself has discussed at length the political upheaval his state-wide security policy changes have caused, and as a result he surely wasn’t in the business of making friends in Harrisburg. It’s easy to see how, once word of his RSA appearance got out, there were plenty of people there ready and waiting to drop a dime on him. So it stands to reason that even in information security, politics is still politics.


Mar 5 2010   1:12AM GMT

Static source code analysis turned on its head



Posted by: Michael S. Mimoso
static source code analysis, Caleb Sima, HP, SPI Dynamics, Armorize

If you’re into source code analysis and Web application security, then you know who Caleb Sima is. Sima, for the uninitiated, is cofounder of SPI Dynamics and the guy who helped build the popular static source code analyzer, DevInspect. SPI Dynamics was scooped up three years ago by HP, and until recently Sima has been busy handing off his pride and joy to the computing giant. He’s since left HP and has emerged as CEO of Taipei-based Armorize Technologies.

Armorize does source code analysis and Web application security, and is anxious to spread its influence beyond Asia into the U.S. Sima has known about Armorize for a while, meeting up annually with founders Wayne Huang and Matt Huang at the RSA Conference and learning more about their unique approach to source code analysis.

The company’s CodeSecure product turns static source code analysis on its head. Traditional analysis tools compile and scan a project and then hand developers a to-do list of issues and vulnerabilities to work through. CodeSecure instead does real-time language syntax analysis, Sima said: like a spell-checker, it highlights problematic lines of code as the developer is typing and, with a right-click of the mouse, offers suggested fixes.

“That’s the way it should be,” Sima said. “We’re enabling developers to identify problems and give them the ability to have standards of remediation practices and standard code practices. It’s agile and that’s the way it should be. The goal is to be able to take the technology and for example, give it to a college kid with little or no experience and have him code a secure Web application.”

This is pretty contrary to what other security companies say about introducing security tools into the development lifecycle, Sima said.

“Security companies are shoving security into the development arena. In my viewpoint, developers shouldn’t learn anything about security. It’s not their job. Ultimately, security should be invisible to the developer; it’s the right way to get things done.”


Mar 4 2010   4:55AM GMT

RSA panel weighs PCI implications of cloud computing



Posted by: Marcia Savage

Cloud computing takes PCI compliance into unfamiliar territory, but PCI auditors should make an effort to understand the technology, experts said during a panel discussion Wednesday at the RSA Conference 2010 in San Francisco.

“Auditors have to get used to it,” said Liam Lynch, chief security strategist at eBay. “They need to understand the technology.”

“It’s incumbent on you to avail yourself to understand the cloud environment,” Jim Reavis, executive director of the Cloud Security Alliance, told an attendee who identified himself as an auditor who wanted help in auditing an application in the cloud.

Reavis said CSA earlier this week pre-announced the availability of its Cloud Controls Matrix, a toolset of cloud security controls that map to industry regulations such as PCI and HIPAA. When the CSA releases the full toolkit, there will be 50 controls related to PCI, he said (a CSA press release said the release is scheduled for April).

“We’ll see education of QSAs [Qualified Security Assessors] regarding where standards apply to the cloud model,” he said.

Reavis also said the industry needs SAS-70s that “are scoped properly for cloud environments.”

eBay is both a consumer and producer of cloud services, and is a Tier 1 PCI-compliant company, Lynch said. Regulations are important, he said, but added, “from an eBay perspective, I worry more about criminals than auditors.”

Ward Spangenberg, director of PCI and compliance at security-services firm IOActive, said one of the first things a company needs to do before moving into the cloud is to make sure the cloud provider understands its compliance requirements. A company also needs to know what data is important in their environment before moving to a cloud service, he said.


Mar 2 2010   11:36PM GMT

Shamir acknowledges chip-and-PIN attack as his favorite



Posted by: Michael S. Mimoso
chip-and-PIN, man-in-the-middle attack, Adi Shamir, RSA Conference

Every year Adi Shamir, one of the inventors of the RSA algorithm, brings something new to the table at the annual RSA Conference Cryptographers’ Panel. This year, he gave a shout-out to Ross Anderson, Steven J. Murdoch, Saar Drimer and Mike Bond for their work on breaking chip-and-PIN authentication in credit cards. That team released a paper in early February that explained how to use a man-in-the-middle attack to defeat the technology, which is widely used in Europe and Canada as a means of authenticating the card and customer in a transaction.

Credit cards carry an embedded chip and when the card is run through a reader, it asks the customer to enter a PIN. Via a series of digital signatures and cryptography, both ends are authenticated on the card, not on the back end, and the transaction goes through.

Shamir said Anderson et al.’s research found that the cards return a message with the number 900 to confirm that the password was accepted. “No matter what any other details might be, if it’s happy with the password, it sends back 900,” Shamir said. “All you have to do is replace a card with one that will always report 900 no matter what PIN is entered, and you’re done!”

So is chip and PIN, apparently.
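The weakness Shamir describes is a general one: a bare status word is only as trustworthy as whatever sends it. The simulation below is an added example, not code from the researchers or the post; it models a terminal that trusts the status word alone next to one that only accepts a status bound to a fresh nonce under a key the genuine card shares with its issuer. The HMAC binding, the issuer key and the rejection status are constructed for the illustration and are not EMV’s actual message formats; in a real deployment the keyed check would be done by the issuer, not inside the terminal.

```python
import hashlib
import hmac
import os

PIN_ACCEPTED = "900"   # the status word the post describes
PIN_REJECTED = "63C"   # constructed counterpart for the simulation

# Constructed key; stands in for a secret the genuine card shares with its issuer.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


class GenuineCard:
    """Checks the PIN and can bind the result to a terminal-supplied nonce."""

    def __init__(self, pin, key):
        self._pin = pin
        self._key = key

    def verify_pin(self, attempt):
        # Bare status word: this is all a trusting terminal looks at.
        return PIN_ACCEPTED if attempt == self._pin else PIN_REJECTED

    def verify_pin_authenticated(self, attempt, nonce):
        status = self.verify_pin(attempt)
        tag = hmac.new(self._key, nonce + status.encode(), hashlib.sha256).hexdigest()
        return status, tag


class AlwaysAcceptingCard:
    """Plays the role of the substitute card the post describes: it answers 900
    whatever PIN is typed. It holds no issuer key, so any tag it emits is junk."""

    def verify_pin(self, attempt):
        return PIN_ACCEPTED

    def verify_pin_authenticated(self, attempt, nonce):
        return PIN_ACCEPTED, "00" * 32


def trusting_terminal(card, attempt):
    """Accepts the transaction on the status word alone."""
    return card.verify_pin(attempt) == PIN_ACCEPTED


def verifying_terminal(card, attempt, key):
    """Accepts only if the status is bound to a fresh nonce under the issuer key
    (key passed in purely to keep the simulation self-contained)."""
    nonce = os.urandom(16)
    status, tag = card.verify_pin_authenticated(attempt, nonce)
    expected = hmac.new(key, nonce + status.encode(), hashlib.sha256).hexdigest()
    return status == PIN_ACCEPTED and hmac.compare_digest(tag, expected)


def run_scenarios():
    """Each scenario is terminal/card/PIN; True means the terminal accepted."""
    genuine = GenuineCard("1234", ISSUER_KEY)
    fake = AlwaysAcceptingCard()
    return {
        "trusting/genuine/right-pin": trusting_terminal(genuine, "1234"),
        "trusting/genuine/wrong-pin": trusting_terminal(genuine, "0000"),
        "trusting/fake/wrong-pin": trusting_terminal(fake, "0000"),   # the flaw
        "verifying/fake/wrong-pin": verifying_terminal(fake, "0000", ISSUER_KEY),
        "verifying/genuine/right-pin": verifying_terminal(genuine, "1234", ISSUER_KEY),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(name, "accepted" if accepted else "rejected")
```

The nonce matters as much as the key: without it a recorded “900 plus tag” from an earlier genuine transaction could be replayed, so the verifying side must bind the result to something it chose freshly.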


Mar 2 2010   4:52AM GMT

Secure cloud concept built on new Intel processor



Posted by: Marcia Savage

At a press event here on the opening day of the RSA Conference in San Francisco, EMC’s security division, RSA, along with Intel and VMware unveiled a proof of concept for creating secure and compliant cloud services. An interesting aspect of this “vision” was its foundation — an upcoming new processor from Intel called Westmere.

The processor for servers features seven new instructions for accelerating encryption and decryption, an executive with Intel’s data center group said. It also features Intel’s Trusted Execution Technology to deliver “a new base root of trust,” he said. An RSA press release said the technology “authenticates each and every step of the boot sequence, from verifying hardware configurations and initializing the BIOS to launching the hypervisor.”

Other components of the RSA/Intel/VMware concept, which is going to be demonstrated at the conference, are security information and event management (RSA’s enVision technology) and GRC management software (from Archer Technologies, which was recently acquired by EMC). The idea is to provide cloud services with greater visibility, finer controls and streamlined compliance, the companies said.

Pat Gelsinger, president and chief operating officer, EMC Information Infrastructure Products, said the proof of concept “portends to a more secure, more compliant environment” and encompasses both public and private cloud services.

VMware is owned by EMC.


Feb 24 2010   2:12PM GMT

This you??? Twitter phishing campaign spreads rapidly



Posted by: Robert Westervelt
Twitter security, Phishing

A shortened URL leads to a convincing Twitter login page. Twishing also spreads to Facebook.

The latest attempt to grab user names and passwords from Twitter users has been spreading rapidly on Twitter and Facebook. The phony direct message: “This you????” is followed by a shortened URL that leads to a pretty convincing Twitter login page. The malicious URL is also spreading on Facebook, where some users have linked their Twitter accounts.

This tactic has been used time and time again and is successful because the message comes from a person being followed and trusted on some level. A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign: lixing688 at gmail.com. The domain is registered in Shanghai. In addition, the URL also sends people to a phony Bebo social networking page.

Graham Cluley of Sophos posted a video demonstration of the “This you???” phishing attack.

If you suspect any of your Twitter accounts have been compromised, change your passwords immediately.


Feb 23 2010   4:55PM GMT

FTC probes P2P corporate data leaks



Posted by: Robert Westervelt
P2P, Data Breaches and Identity Theft

An FTC investigation found financial records, drivers’ license and Social Security numbers available for viewing on P2P networks. Monitor your network traffic, experts say.

The FTC this week notified nearly 100 organizations that personal information, including sensitive data on customers and employees had leaked onto peer-to-peer (P2P) file-sharing networks.

The file-sharing programs, popular with music and now video enthusiasts, have long been thought to be a pariah in many corporate networks, but apparently either poor security controls or a failure to communicate security policy to employees has resulted in a resurgence of P2P application use on many endpoint machines. The problem is, as the FTC puts it so succinctly, “when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.”

Our site security expert, Kevin Beaver, warned in a 2003 tip that P2P programs “introduce more vulnerabilities and open up more entry points to your network than many security managers ever thought possible.”

Beaver’s advice may be old, but it certainly isn’t outdated:

One of the best ways to keep up with P2P applications on your network is to know your traffic. A simple network analyzer sitting on a network hub on the public side of your firewall can show you what P2P traffic is going in and out of your network. There are P2P “air gap” and firewall products that can help control this. Some content filtering products are also now able to detect and stop P2P traffic.
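Beaver’s “know your traffic” advice can be turned into a first-pass heuristic over flow records from the analyzer or firewall he mentions. The script below is an added example, not Beaver’s or the FTC’s code: it flags internal hosts that fan out to many distinct external peers on non-standard ports, which is the traffic shape a P2P client produces. The internal range, the well-known-port list, the threshold and all flow records are constructed for the demonstration (addresses come from documentation ranges).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                  # assumed internal range
WELL_KNOWN = {25, 53, 80, 110, 143, 443, 993, 995}   # ordinary client traffic
PEER_THRESHOLD = 8                                   # distinct external peers per host


def constructed_flows():
    """Flow records as (src, dst, dst_port, proto). Addresses are documentation
    ranges and the traffic is invented for this example."""
    flows = []
    # A workstation browsing a few sites on standard ports.
    for dst in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        flows.append(("10.0.0.7", dst, 443, "tcp"))
    # A workstation running a P2P client: many distinct peers on high ports.
    for i in range(12):
        flows.append(("10.0.0.5", "198.51.100.%d" % (10 + i), 6881 + i, "tcp"))
    flows.append(("10.0.0.5", "203.0.113.10", 80, "tcp"))
    return flows


def find_p2p_suspects(flows, threshold=PEER_THRESHOLD):
    """Flag internal hosts talking to many distinct external peers on non-standard ports.
    Returns {host: {"peers": n, "ports": n}} for hosts at or above the threshold."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport, _proto in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in INTERNAL or d in INTERNAL:
            continue  # only outbound, internal -> external
        if dport in WELL_KNOWN:
            continue  # ordinary services are not counted toward the peer fan-out
        peers[src].add(dst)
        ports[src].add(dport)
    return {
        host: {"peers": len(p), "ports": len(ports[host])}
        for host, p in peers.items() if len(p) >= threshold
    }


if __name__ == "__main__":
    for host, stats in find_p2p_suspects(constructed_flows()).items():
        print(host, stats)
```

Fan-out alone also catches scanners and some CDN-heavy applications, so the threshold is a starting point to tune against a baseline of the network, and a hit is a lead for the endpoint check Beaver describes rather than proof of a P2P client.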

Businesses should take note of the FTC alert on the P2P breaches. FTC Chairman Jon Leibowitz said the FTC found health-related information, financial records, drivers’ license and Social Security numbers available for viewing on P2P networks.

Leibowitz not only issued a warning to companies, but to the developers behind the file sharing programs themselves:

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC said it was conducting an investigation into firms where customer or employee information has been exposed on P2P networks.

A webpage has also been established, Peer-to-Peer File Sharing: A Guide for Business, by the FTC to educate businesses about the problem.


Feb 23 2010   3:21PM GMT

Microsoft patching issue tied to Alureon rootkit



Posted by: Robert Westervelt
Microsoft Security, rootkits, malware

Blue screen issues tied to deployments of Microsoft’s Windows kernel patch are the result of the Alureon rootkit.

Microsoft issued the results of its investigation into a number of people reporting a Blue Screen of Death condition after deploying its February batch of patches, finding ties to a specific patch and malware infected machines.

Engineers at the software giant confirmed the blue screen is tied to the deployment of MS10-015, a Windows kernel patch that repairs two longstanding kernel vulnerabilities. Machines that have the blue screen condition are infected with the Alureon rootkit, a family of data-stealing Trojans that allow an attacker to intercept a computer’s Internet traffic in order to steal user names, passwords and credit card data. The rootkit gives Alureon the ability to avoid detection, allowing it to perform malicious routines uninterrupted. Microsoft said it can also hide files and disk sectors.

“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state,” said Mike Reavey, Director of the Microsoft Security Response Center, in an MSRC blog entry. “Customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”

Shortly after Microsoft released its updates Feb. 9, customers began reporting sporadic machines being blue screened after deploying the patches. Patching professionals and experts from several vulnerability management vendors said few corporate deployments were reporting the condition.

Microsoft halted its automatic release of MS10-015 pending the results of its investigation. Patrick W. Barnes, an Amarillo, Texas-based computer expert, was the first to discover a rootkit infection.

Reavey further explained the cause of the blue screen:

In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded. The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.

The only way to repair the problem, according to Reavey, is to reinstall Windows. But Reavey said a simpler solution to detect and remove Alureon is being developed and could be available in a few weeks.