Security Bytes

December 20, 2007  12:52 PM

From Russia with love

Leigha Leigha Cardwell Profile: Leigha

Bill BrennerBeing in the Christmas spirit and all, I’m going to dispense with the usual advice-oriented column this week. Fear not, I’ll get back on theme after the New Year.

For this week, I want to focus on some blog chatter about the latest malicious creation to come out of Russia, because, well, it amuses me. It probably shouldn’t, but it does.

According to security software firm PC Tools, someone in Russia has created malware that flirts with females or males seeking relationships online in order to dupe them out of their personal data. Security Blog Log

CyberLover can conduct fully automated flirtatious conversations with chat-room visitors and dating sites to lure them into a set of dangerous actions such as sharing their identity or visiting Web sites rigged with malware. It can establish a new relationship with up to 10 partners in just 30 minutes and its victims cannot distinguish it from a human being.

“As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering,” says Sergei Shevchenko, senior malware analyst at PC Tools. “It employs highly intelligent and customized dialog to target users of social networking systems.”

The sad thing is that the creators of CyberLover are certain to make money off this, since there are plenty of gullible people out there looking for love in all the wrong places.

Folks in the blogosphere are talking about how this thing comes close to passing the Turing Test, which I honestly had never heard of before today. According to an entry in Wikipedia, The Turing Test is a proposal for a test of a machine’s capability to demonstrate intelligence. Described by Alan Turing in the 1950 paper “Computing machinery and intelligence,” it proceeds as follows: a human judge engages in a natural language conversation with one human and one machine, each of which try to appear human; if the judge cannot reliably tell which is which, then the machine is said to pass the test.  [On a slightly unrelated note, Turing, an English mathematician, logician, and cryptographer whose life ended in suicide, will be the theme of the RSA security conference in April.]

Technologist Brad Templeton writes about CyberLover and the Turing test in his Brad Ideas blog, noting how it may be having a successful run by fooling people in a language that is a second language to the target, and/or claiming that it is using a second language for itself. With English as the lingua franca of the Internet and world commerce, he notes, it’s common to see two people talk in English, even though it is not the mother tongue of either of them.

“It’s easier to see how a chatbot, claiming to not speak English (or some other ‘common’ language) very well — and Russian not at all — might be able to fool a Russian whose on English is meager,” he wrote, “though you have to be pretty stupid to give away important information within 30 minutes to a chat partner you know nothing about.”

Curt Monash, a leading analyst of and strategic advisor to the software industry, wrote in the Text Technologies blog that it might be fun to point two copies of the bot at each other and watch them chat each other up.

Meanwhile, a visitor to the Slashdot blogging forum was reminded of a bot he created years ago that would randomly send people messages until the person at the other end stopped responding.

It spewed out nonsense sentences and most people ignored them from the start, the blogger noted, but even those that didn’t quickly got the idea when it cycled back on the same message more than once. One time, however, he remembered “this one guy replying back to this bot as if it was a real person for almost two hours!”

What I’m reminded of, though, is a conversation I had with security luminary Eugene Kaspersky in October. During a visit to Kaspersky Labs’ Massachusetts office, I asked Kaspersky why so much malware comes from his homeland.

A dismal economy and lax law enforcement is fueling the problem, nudging Russian computer programmers into an underground market where easy money can be made creating programs used to steal credit card and Social Security numbers.

“[Russian hackers] don’t see themselves as doing anything criminal,” Kaspersky said at the time. Many Russian programmers compare themselves to weapons manufacturers — they build the technology but are not the ones using it. In other words, they’re not responsible if someone else is pulling the trigger. Meanwhile, Kaspersky said, the Russian economy is still shaky enough that people are looking for ways to make a steady living, and building malware for online gangsters is one way to do it.

And so you can expect a lot more of this malware in the new year and beyond.

My take: If you can’t see the person in front of you, it’s probably best not to flirt with them in the first place.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

December 20, 2007  5:56 AM

Mozilla releases Firefox 3 beta 2

Leigha Leigha Cardwell Profile: Leigha

Mozilla has delivered on its promise to release the second beta for Firefox 3 by year’s end. Security is to be a major part of Firefox 3, and I recently asked some IT professionals to play around with it and offer some additional impressions. The reviews were mainly positive.

Check out the report here.

December 18, 2007  8:48 AM

Mega patch for Mac users

Leigha Leigha Cardwell Profile: Leigha

Apple users tend to have a false sense of security superiority when it comes to their beloved Mac machines. But you gotta give Apple some credit — when a security hole is discovered, the company is pretty good about patching it quickly.

This time around, Apple has released Security Update 2007-009 to fix some 41 flaws in Mac OS X and the Safari Web browser.

The SANS Internet Storm Center (ISC) Web site has a pretty good summary of what’s been fixed:

2007-009 10.5.1 includes fixes for CF Network, Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in and Spin Tracer.

2007-009 10.4.11 Universal and 10.4.11 PPC include fixes for Address Book, CUPS, ColorSync, Core Foundation, Desktop Services, Flash Player Plug-in, gnutar, iChat, IO Storage Family, Launch Services, Mail, perl, python, ruby, Samba, Safari, Shockwave Plug-in, SMB, Spotlight, tcpdump and XQuery.

“Several of these issues are rather serious, so we strongly advise installing these updates at your earliest convenience,” ISC handler Maarten Van Horenbeeck wrote, adding that users can read up on the individual CVE numbers and vulnerability descriptions here.

December 17, 2007  10:40 AM


David Schneier David Schneier Profile: David Schneier

Every once in a while someone gets it so right that there really isn’t much to add. This post by Chris Hoff is as good as it gets. If you’re not reading his frequent posts on security, survivability and other assorted topics already, here’s the perfect chance to get started.

December 17, 2007  10:10 AM

Top 5 security stories of 2007? You tell us

Leigha Leigha Cardwell Profile: Leigha

It’s that time of year where we in the news business love to make lists of the top news stories of the year. I’ve drawn up a Top 5 list of my own for your amusement, but admit that my judgment could be off. And so I ask you, the reader, to look over my list and tell me if there’s anything you would add or detract. I’ll work your feedback into our final Top 5 story.

My list:

5.) Problems slow the deployment of Windows Vista

IT professionals struggled mightily to make sense of Microsoft’s Windows Vista, but compatibility problems slowed enterprise-wide deployments to a crawl.

4.) Security of the iPhone in doubt

Apple’s iPhone — the year’s most hyped piece of technology — quickly gained the attention of hackers eager to find security weaknesses. It didn’t take them long to find something.

3.) The pain of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) got plenty of attention as the list of data breaches grew and compliance deadlines approached. By year’s end many were still struggling to meet all of PCI DSS’s requirements, but that didn’t stop some experts from insisting on even tougher provisions.

2.) Malware takes cyberspace by Storm

When Storm was first discovered in January, it looked like another typical worm outbreak. But Storm kept spreading throughout 2007 and it soon became clear that the malware was the creation of sophisticated botnet builders. By year’s end, it was continuing to spread in the form of smaller, more customized botnets capable of launching a variety of attacks.

1.) TJX data breach exposes 94 million records

TJX acknowledged a massive data breach in January that ultimately exposed more than 94 million records to online fraud. To date, it is the biggest systems breach in history.

December 13, 2007  3:30 PM

eEye founder Maiffret leaves the company

David Schneier David Schneier Profile: David Schneier

Marc Maiffret, the founder and longtime CTO of eEye Digital Security, has left the company to work on other projects. Maiffret is among the best-known hackers on the security scene and made his name in the early part of this decade by exposing a series of serious vulnerabilities in Microsoft products, particularly the company’s Web server product, IIS. Never afraid to speak his mind, regardless of the topic, Maiffret was a gold mine for reporters, including me, over the years and often drew the ire of officials at Microsoft and other software vendors who weren’t happy with the way Maiffret and eEye publicized their findings.

eEye has been going through a transition in the last few months, which has included layoffs and the exit of some top executives, including CEO Ross Brown. The company has struggled to find its footing as enterprise security provider and is now in a position where its competition is coming from heavyweights such as Symantec and IBM with virtually unlimited resources. So it’s not going to get any easier.

Maiffret is still serving as an adviser to eEye.

December 11, 2007  2:25 PM

Bad holiday PR

Leigha Leigha Cardwell Profile: Leigha

I absolutely love Christmas, and even have a soft spot for a lot of the tacky stuff that comes with it, like fake silver trees, loud-colored garland and the Coca-Cola version of Santa Claus.

But there is one thing that will bring out the Grinch in me every time — holiday-inspired PR pitches security vendors insist on hurling at me with the glee of kids in a snowball fight. The folks at PGP will probably be mad at me for this, but I can’t help but make an example of them this time around.

Here’s what they sent me Tuesday as I sat anxiously awaiting this month’s Microsoft patch bulletins:

The 12 Threats of Christmas

The twelve threats of Christmas, is networking secure?

The bad guys are shaking their lures.

With the Storm Worm, and rootkits, and crimeware everywhere, We should prepare For infections we’d rather not share!

O the twelve threats of Christmas, what more can we endure?

Twelve hackers hacking

Eleven passwords cracking

Ten laptops leaving

Nine phishers phishing

Eight Web sites crashing

Seven spammers spamming

Six Trojans sneaking

Five breaches more!

Four corp’rate spies

Three bot nets

Two online games

And an unencrypted missing flash drive!

The only gift I can give in return is a groan followed by a Bah Humbug!

December 10, 2007  1:03 PM

Pay no attention to the pop-up box behind the curtain

David Schneier David Schneier Profile: David Schneier

Bill Clinton may be the world’s champion when it comes to parsing words and phrases to suit his own purposes, but to give credit where credit is due, executives from software companies are making up ground in this race quickly. One prime example of this is the reaction from a Microsoft executive in a recent story by our Bill Brenner on Vista deployments challenges. Users have roundly criticized the User Account Control technology in Vista for its propensity to throw pop-up boxes at users constantly. This, and other Vista quirks, have led quite a few enterprises to put off their Vista roll-outs until after SP1 at the earliest. Microsoft’s answer to this was both odd and instructive, I think:

Shanen Boettcher, general manager of Windows client product management at Microsoft, doesn’t deny there have been problems. But if the sales figures are any indication, he said, the first year of Vista has been a success.

In addition to having sold 88 million copies of Vista, he said, more than 42 million PCs are now licensed under volume licensing agreements, demonstrating that businesses are buying into the long-term value of Vista.

In other words, as long as the thing is selling, we’re good. It would be interesting to see a breakdown of those sales figures to see how many copies were pre-installed on new PCs and how many were shrinkwrapped. The feeling I get from IT folks is that right now they’re only upgrading to Vista when they have to buy new machines, not by choice. Enterprises tend to move pretty slowly on deployments of major new products like this anyway. Microsoft has, in fact, made a number of changes to the way that UAC behaves in response to user feedback. But it’s interesting that the executive’s first reaction to questions about problems with UAC and other Vista features is, Hey, look how many copies we’ve sold.

December 7, 2007  2:21 PM

The changing role of the CSO

David Schneier David Schneier Profile: David Schneier

In the last few months I’ve been hearing more and more from CEOs, CIOs and CSOs about the changing role of the CSO (or CISO, depending on your org chart) in the enterprise. In the past, the CSO has nearly always been a technically minded person who has risen through the IT ranks and then made the jump to the executive ranks. That lineage sometimes got in the way when it came time to deal with other upper managers who typically had little or no technical knowledge and weren’t interested in the minutiae of authentication schemes, NAC and unified threat management. They simply wanted things to work and to avoid seeing the company’s name in the papers for a security breach.

But that seems to be changing rather rapidly. Last month I was on a panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT Radianz, and Bill Santille, CIO of Uline, and the conversation quickly turned to the ways in which the increased focus on risk management in enterprises has forced CSOs to adapt and expand their skill sets. A knowledge of IDS, firewalls and PKI is not nearly enough these days, and in some cases is not even required to be a CSO. One member of the audience said that the CSO position in his company is rotated regularly among senior managers, most of whom have no technical background and are supported by a senior IT staff member who serves as CISO. The CSO slot is seen as a necessary stop on the management circuit, in other words. Several other CSOs in the audience said that they no longer report to the CIO and are not even part of the IT organization. Instead, they report to the CFO, the chief legal counsel, or in one case, the ethics officer.

The number of organizations making this kind of change surprised me at the time. But, in thinking more about it, it makes a lot of sense, given that the daily technical security tasks are handled by people well below the CSO’s office. And many of the CSOs I know say they spend most of their time these days dealing with policy issues such as regulatory compliance. Patrick Conte, the CEO of software maker Agiliance, which put on the panel, told me that these comments fit with what he was hearing from his customers, as well. Some of this shift is clearly attributable to the changing priorities inside these enterprises. But some of it also is a result of the maturation of the security industry as a whole, which has translated into less of a focus on technology and more attention being paid to policies, procedures and other non-technical matters.

How this plays out in the coming months and years will be quite interesting. My guess is that as security continues to be absorbed into the larger IT and operations functions, the CSO’s job will continue to morph into more of a business role.

December 7, 2007  6:26 AM

Time to update your Skype

Leigha Leigha Cardwell Profile: Leigha

Skype users will want to upgrade to version for Windows to close a security hole attackers could exploit to run malicious code on vulnerable machines.

According to Danish vulnerability clearinghouse Secunia, the problem is an error in the “skype4com” URI handler when processing short string values and can be exploited to corrupt memory. Successful exploitation allows execution of arbitrary code when a user visits a malicious Web site.

The flaw was disclosed by an anonymous researcher via TippingPoint’s Zero-Day initiative.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: