Security Bytes

September 30, 2009  1:01 PM

Microsoft makes free antivirus software widely available

Robert Westervelt

Software meets the needs of those looking for lightweight, free antivirus.

Microsoft Security Essentials (MSE), free antivirus software for Windows users, has been in beta for quite some time. Today, Microsoft has ripped the beta status off the software, making it widely available to the public.

Security Essentials is aimed at consumers who are content with free antivirus, but it could also help businesses, especially those whose employees sometimes work on their personal computers, a practice that is a no-no in many industries but tolerated by many firms.

From Microsoft:

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

No new features were provided in the final release version. It provides antivirus and antispyware protection and removal. That’s it. Microsoft said it worked to keep the software light. I’ve been using it on my little Acer Aspire netbook and I can report that it doesn’t appear to slow the machine down at all, unlike other free software suites I’ve used.

Our security expert contributor, Eric Ogren, said Microsoft Security Essentials lacks vision. Ogren called it “yesterday’s antimalware solution” and said consumers should stick to the free versions provided by AVG or Avast and check whether their Internet service provider offers a free version of a more full-fledged suite.

September 29, 2009  2:08 PM

Experts, vendors search for PCI’s holy grail

Robert Westervelt

The First Data-RSA partnership is pitted against the Heartland-Voltage E3 project in the payment industry race for securing transactions.

Like the Betamax vs. VHS format war or the Blu-ray vs. HD DVD scuffle, the transaction processors in the payment industry are wrestling with how to secure credit card data without affecting transaction times or strapping merchants with additional costs. So far there are two options on the table: Format-preserving encryption vs. in-motion encryption and token technology.

In June, Heartland Payment Systems Inc. announced that it would work with Voltage Security Inc. and others to design a credit card masking service called E3 that uses format-preserving encryption. Heartland CEO Robert Carr briefly mentioned the E3 project at a Sept. 17 Senate panel hearing on his company’s breach. He told the Senate Homeland Security and Governmental Affairs Committee that the goal is to make credit card data unreadable to outsiders at the point of the swipe.

Another processor is working toward the same goal. Last week, while payment industry experts met at the Mandalay Bay Resort and Casino in Las Vegas for the Payment Card Industry Security Standards Council North American Community Meeting, First Data Corp. made a broad announcement, telling the industry that it planned to take a different route. First Data said it would partner with RSA to use its tokenization technology and provide end-to-end encryption and tokenization for merchants.

Which method will win the industry’s favor is anybody’s guess. But it’s likely to be a combination of the two. First Data hasn’t provided the cost of its service, but claims it won’t slow transaction times by issuing tokens. The First Data implementation should be fairly easy for merchants. Most of the work will take place on First Data’s servers. The Heartland E3 service consists of new payment terminals. Beyond the costs associated with buying and deploying the terminals, Heartland says there would be no monthly encryption maintenance fees, no key management fees, and no activation fees. Heartland has a good website describing the E3 project and its status.

Experts largely agree that these offerings are a step in the right direction toward better protecting sensitive payment data. Our site experts have written extensively about tokenization. Tokenization is a cheaper way to comply with PCI DSS, but it is by no means a silver bullet. Experts say it helps narrow the scope of a PCI assessment by making network segmentation easier. Expert Mike Chapple explained how to implement PCI network segmentation.

One of our best pieces of advice came last year from a former certified PCI Qualified Security Assessor (QSA). He said merchants should focus on eliminating data, not securing it. The faster the data is purged from a merchant’s systems, the less likely the merchant is to have to deal with a costly data breach.

Until a solution is embraced by the entire payment industry, attackers will continue to find holes that give them access to those coveted credit card numbers. For now, we’ll have to take a step back until a method is found that satisfies both merchants and payment processors. Maybe the winning solution hasn’t been invented yet.
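To make the tokenization approach concrete, here is an added example (not code from First Data, RSA, Heartland or Voltage) of a hypothetical processor-side token vault: the merchant hands over the card number at the swipe and stores only a format-preserving token, so no PAN and no encryption key ever sit on merchant systems. The vault class, the Luhn check and the test card number are all constructed for this illustration.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(pan):
    """Luhn check-digit test that every well-formed card number passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault. The merchant keeps only the token;
    the PAN and the token-to-PAN mapping never leave the processor, which is
    what shrinks the merchant's PCI scope."""

    def __init__(self):
        self._by_pan = {}    # PAN -> token (held only at the processor)
        self._by_token = {}  # token -> PAN

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:        # same card -> same token, so the merchant
            return self._by_pan[pan]   # can still recognise repeat customers
        while True:
            # Format-preserving: same length, digits only, last four kept for
            # receipts. The random body carries no information about the PAN.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice in this example: reject Luhn-valid candidates so a
            # leaked token can never be mistaken for a real card number.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the processor can reverse a token; the merchant holds no key."""
        return self._by_token[token]


def merchant_record(vault, pan, amount):
    """What the merchant stores after a swipe: token, amount and last four
    digits for the receipt, never the PAN itself."""
    return {"token": vault.tokenize(pan), "amount": amount, "last4": pan[-4:]}
```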

September 25, 2009  1:52 PM

Video shows Twitter attacks using shortened URLs

Robert Westervelt

Symantec video highlights shortened URL problems on Twitter.

Back in June, I wrote about URL shortening services and how they could contribute to sending the Internet out of control. In short, Cligs, the fourth most-used URL shortening service, suffered an attack at the time that edited most URLs on Cligs to point to a new location. According to Cligs, 2.2 million URLs were affected. Users had almost no way to avoid the redirect: even links from trusted sources were sent to the new location.

Symantec posted a blog entry and a video Thursday showing how shortened URLs are spreading rogue antivirus and ultimately malware onto victims’ machines. “Clicking any link like this is entirely a security leap of faith,” said Symantec’s Ben Nahorney.

The simple answer is not to click on shortened URLs, or to install the browser add-ons for Firefox and Internet Explorer that preview the destination URL. Those behind Twitter have not yet stepped up to address the issue. It could be addressed by developing a tool within Twitter that masks a long URL and doesn’t count toward the 140-character limit. Perhaps the URL should be treated as an attachment within a Tweet. Once the attachment is opened, revealing the link, a user can examine the link for authenticity.
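The preview add-ons mentioned above work by expanding the short link without visiting it. The following added example (my own code, not Symantec’s or any add-on’s) does the same: it issues HEAD requests hop by hop, never downloads a page body, and stops at a hop limit or a redirect loop. The domains and the in-memory redirect table used for the demo are constructed so it runs offline; `next_hop` is the real transport you would plug in.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def next_hop(url, timeout=5):
    """One HEAD request, no redirect following, no body download.
    Returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-preview-demo"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_absolute(base, location):
    """Turn a relative Location header (starting with '/') into an absolute URL."""
    if location.startswith("/"):
        p = urlsplit(base)
        return f"{p.scheme}://{p.netloc}{location}"
    return location


def expand(url, fetch=next_hop, max_hops=MAX_HOPS):
    """Walk the redirect chain and return every URL seen. Stops at a
    non-redirect, at a redirect loop, or after max_hops, so a malicious
    chain cannot keep the previewer bouncing forever."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = resolve_absolute(chain[-1], location)
        chain.append(nxt)
        if chain.count(nxt) > 1:  # already visited: redirect loop
            return chain
    return chain


# Constructed stand-in for two chained shorteners: URL -> (status, Location).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://other-short.example/x9"),
    "http://other-short.example/x9": (302, "/landing"),
    "http://other-short.example/landing": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


def preview(url, fetch=fake_fetch):
    """What a preview add-on would show before the click: the whole chain,
    the final host, and whether the chain loops."""
    chain = expand(url, fetch=fetch)
    final = chain[-1]
    return {"chain": chain, "final_host": urlsplit(final).hostname,
            "loop": chain.count(final) > 1}
```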

September 24, 2009  1:42 PM

Attackers target PDF, DirectShow flaws with malicious banner ads

Robert Westervelt

Advertising networks DoubleClick, YieldManager and FastClick have supplied a series of malicious banner ads to several popular legitimate websites this week.

Security vendor ScanSafe says it has discovered a series of malicious banner ads appearing on several popular websites. While the discovery is far from groundbreaking, it supports the recent SANS Institute report showing legitimate websites increasingly being targeted by attackers.

Making it even more difficult for legitimate website owners is the third-party relationship they have with popular advertising networks. Let’s face it, advertising networks are what keep many websites afloat. Without DoubleClick, YieldManager, FastClick and others, many website owners wouldn’t be able to get a snapshot of their audience or provide relevant visitor data to potential advertisers. In this case it appears that the three ad networks I named inadvertently delivered the malicious ads.

From ScanSafe:

The malicious ads delivered PDF and DirectShow exploits engineered to silently install a Trojan downloader. The installed malware attempts to download further malware, intercepts and tampers with Web searches and can redirect the user to sites other than expected – including sites that can lead to further malware infestation.

The malicious ads appeared on the sites between Sept. 19 and 21. They took advantage of another rising concern highlighted in the SANS report: client applications not being fully patched. In this case, the attackers were targeting PDF and DirectShow flaws for which updates were already available and should have been applied to client machines.

September 23, 2009  1:28 PM

Conficker analysis finds P2P coding limited, less sophisticated

Robert Westervelt

New analysis of Conficker finds peer-to-peer coding less sophisticated and not likely coded by the same developers who coded the other major components of Conficker.

Researchers at SRI International have conducted additional research on Conficker C and determined that a peer-to-peer (P2P) module was not likely coded by the original programmers of the worm.

From the latest SRI research:

The P2P module provides a limited peer command set, keeping complexity to a minimum – perhaps due to scheduling pressures and quality control concerns in deploying new functionality across millions of geographically dispersed victim machines.

The report is very technical. Researchers reverse engineered the P2P protocol and provided the results of their findings. My takeaway is that the P2P protocol, though unsophisticated, has been an important part of how Conficker has been able to continue to infect and how those behind the worm have been able to bypass security filters to send out orders. SRI said the P2P code conducts scan-based peer discovery across the Internet, looking for previous versions of Conficker to upgrade to the latest version.

The fact that security experts haven’t been able to stop the spread of orders via Conficker’s P2P algorithm enables Conficker to remain a threat, the SRI researchers said.

Unfortunately, unlike the binary delivery distributions over the DGA rendezvous points that were achieved by the Conficker Working Group [2], whitehats currently employ no equivalent capability to hinder binary distributions through Conficker’s peer network.

September 17, 2009  1:13 PM

Successful rogue antivirus hinges on social engineering

Robert Westervelt

Attackers are getting better at social engineering because Internet users are ignoring privacy.

Attackers have gotten very good at tricking end users into clicking on links to malicious content and they’re likely to get even better, according to a blog entry this morning in the SANS Internet Storm Center diary.

Rogue antivirus programs have been one of the most successful schemes, according to SANS. The scheme is simple: it involves tricking users into believing they have been infected with a virus and must download an antivirus program to disinfect their machine.

From the SANS diary entry:

The main reason, however, why rogue AV is so successful is its persistence and amount of details – the web page they use to scare the visitor looks almost exactly like Windows’ Security Center. … It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.

I used to say that only your mother or grandfather actually clicks on those links, but clearly the attackers have gotten better at using social engineering tactics to easily trick victims into clicking on links. But clearly it doesn’t matter how technology savvy the younger generation is.

The mountains of data being placed on social networking websites like Twitter, Facebook, MySpace and others are making it easier for attackers to scan for and identify victims by location, learn their likes and dislikes, and understand who their friends, family and coworkers are. The result is terrifying to consider.

SANS’ Bojan Zdrnja points out that persistence has been key to the success of rogue AV. Those behind it have coded it elegantly, Zdrnja says. They also stay on top of current events to get users to click on search engine results leading to malicious Web pages.

The attack takes persistence on the part of the attacker, but it also relies on our complete disregard for privacy. The use of social networks and the amount of information being shared on the Internet is feeding right into the hands of cybercriminals.

September 16, 2009  1:29 PM

Zeus Trojan evades antivirus software, Trusteer says

Marcia Savage

A study of 10,000 PCs infected with the Zeus Trojan showed that most of the machines had antivirus installed.

The Zeus Trojan has already proven itself to be one nasty piece of malware in its quest for banking credentials. Now, a new report by security vendor Trusteer shows another alarming facet of Zeus: It’s infecting PCs with updated antivirus software 77% of the time.

In a study of 10,000 PCs infected with Zeus, also called Zbot, Trusteer found that most of the infections occurred on machines where an antivirus product was installed and kept up to date: 31% of the Zeus-infected PCs had no antivirus, while 55% had updated antivirus software. Installing antivirus and keeping it updated only reduces the probability of a Zeus infection by 23%, Trusteer concluded.

The study was based on reports gathered from consumer PCs running Trusteer’s Rapport, which the company said detects Zeus through a unique fingerprint the Trojan leaves when it penetrates the browser process. Rapport is a browser plug-in that protects online credentials and transactions. According to Trusteer, the technology detects whether a PC has antivirus and whether it’s updated through the Windows Security Center.

Trusteer claims that its test of how effective antivirus is against Zeus in the wild is more accurate than most other antivirus efficiency tests, which it says are performed in the lab. The test result, the company said, is “disturbing and reveals that the vast majority of Zeus infections go unnoticed by antivirus products.”

September 15, 2009  1:24 PM

VeriSign extends DDoS attack protection service

Robert Westervelt

VeriSign has entered the DDoS protection market, hoping the latest spate of DDoS attacks has raised enough concern among companies that they are shopping for solutions.

The firm is using the word “cloud” to describe its DDoS service, since it filters network traffic in one of VeriSign’s data centers before it reaches the customer’s network. It entered the market for DDoS protection earlier this year but is announcing a monitoring-only service this week.

From the company announcement:

DDoS attacks have become a serious threat to enterprise online business continuity. What has traditionally been managed as an incremental part of bandwidth provisioning and cost has now evolved into a threat of growing scale and sophistication that warrants a dedicated review and mitigation approach.

From my conversations with experts during the last round of attacks aimed at South Korean and some U.S.-based websites, DDoS attacks don’t appear to be increasing in sophistication, and they certainly don’t seem to be causing great concern among ISPs and network service providers that partner with Cisco, TippingPoint, Arbor Networks and others. Most enterprises either rely on ISPs or network service providers or, if they’re big enough, partner with Cisco and others to install appliances that detect and weed out bad traffic.

For example, the DDoS attacks against U.S. federal agencies and South Korean sites were aimed at top-level domains, bringing down the agencies’ home pages. They did not disrupt business, and the processes in place to protect against DDoS mitigated the threat, filtering out or throttling down the suspected nefarious traffic before it could cause any major disruptions.

Jose Nazario, a noted botnet and DDoS expert with Arbor Networks, went as far as to call the attacks a nuisance.

“This attack is requesting [Web] pages and content that is easily obtainable. The attacks are trivial to detect and trivial to thwart.”

Of course the attacks are a serious threat to online retailers and social networks, which depend solely on website uptime for business. VeriSign quotes a Forrester Research survey which found that 74% of companies have experienced a DDoS attack of some kind, and 75% are overprovisioning their bandwidth to handle attacks. My guess is that overprovisioning is a standard method used in addition to DDoS protection for e-commerce sites not willing to risk downtime.

A great example of the type of customer VeriSign is targeting is the online payment-processing company Piryx. The fledgling company was taken down last weekend by a DDoS attack. It provides online payment-processing services for U.S. Rep. Joe Wilson’s (R-S.C.) campaign fundraising arm. Wilson was the congressman who yelled out “liar” during President Barack Obama’s healthcare speech. Piryx said the attack knocked out services for about 150 other Piryx clients.

The company is only a year old and extremely small when compared to many of its industry peers. It received its first round of funding in 2008. Piryx is more of an example of a business that accepted the risk DDoS posed. It gambled and lost. It’s also the kind of customer that may not have had the client base or the funding to invest in DDoS protection.

September 14, 2009  1:54 PM

ShmooCon soliciting papers

Robert Westervelt

Organization announces an open call for papers and presentation proposals for the annual ShmooCon event.

The Shmoo Group is soliciting papers and presentations for the sixth annual ShmooCon. The event is slated for February 5-7, 2010 in Washington DC.

The organization said that despite being a security conference, it is soliciting submissions on “offbeat technology topics.”

From the announcement:

ShmooCon presentations should be focused on topics that are of interest to security and technology professionals who are paying attention to current trends and issues. Presentations dealing with new technologies such as cloud computing or large-scale virtualization or new takes on existing methods and techniques are of interest. Presentations that are rehashes of old talks, primers on known technologies, or vendor pitches will be rejected and summarily panned.

The 2009 conference included sessions on a variety of topics. Researchers exposed social networking threats, flaws in Google Android were presented in a mobile security session and a demonstration was given on how to easily clone smart cards — just to highlight a few.

September 9, 2009  8:04 PM

Reuters: Obama ready to select cyber security czar

Robert Westervelt

Reuters reported Wednesday that Frank Kramer, a former assistant Defense secretary under President Bill Clinton, is the lead candidate, according to an unidentified source.

Citing sources close to the matter, Reuters reported today that President Barack Obama is expected to name a security coordinator “in the next week or two.”

U.S. chief technology officer Aneesh Chopra told reporters at a technology conference on Wednesday that he had interviewed candidates for the position, and that a coordinator would be named in the not too distant future.

Reuters names Frank Kramer, a former assistant Defense secretary under President Bill Clinton, as the lead candidate. If this is the case, Kramer’s selection would signal the need for an international focus on cybercrime. He has been involved in international affairs since the 1970s and turned his focus to technology as a research fellow at the Center for Technology and National Security Policy, part of the National Defense University, which has focused on national security policy and military plans when it comes to understanding technology and policy.

Obama had announced the creation of a White House senior cybersecurity coordinator position in May. Since then a number of names have surfaced as candidates for the position, including former Republican U.S. Congressman Tom Davis. Several top cybersecurity officials have also stepped down since then, including Melissa Hathaway, Obama’s top adviser on security, who spearheaded the 60-day review that helped shape the administration’s position on cybersecurity. Last month, Mischel Kwon, the director of US-CERT, the Department of Homeland Security’s research and response unit, also resigned.

While it has taken more than three months to name a person to the position, experts say it’s going to take years to realign and coordinate all the different facets of the role, let alone set priorities that result in bolstering federal cybersecurity.
