Security Bytes

January 10, 2008  1:52 PM

Green security?

Marcia Savage

These days, “green” is being used to market everything from cars and light bulbs to cleaning products. Now security vendors are jumping on the bandwagon to promote their products as good for the environment.

Astaro today issued a press release touting its unified threat management (UTM) appliances as facilitating “greener networks.” The technology, according to the vendor, allows customers to remove up to 10 standalone products, thereby limiting computer waste and reducing electricity consumption by between 50 percent and 1,000 percent, depending on the number of network security point products deployed and their power draw. (The figures are Astaro’s; since consumption cannot be cut by more than 100 percent, the upper number only makes sense as a ratio of old power draw to new.)

“Astaro is committed to greener networking,” Astaro CEO Jan Hichert proclaimed. The Astaro Security Gateway gives customers an affordable way to create “a far greener network environment,” he said.

Given how reluctant executive management can be when it comes to buying security, going green might be a tough sell. But if it improves the bottom line, then we’re talking.

January 10, 2008  12:04 PM

Former CA security exec Ron Moritz joins Microsoft’s Forefront team

David Schneier

Microsoft, continuing its quest to become the New York Yankees of security by amassing the best free-agent talent available, recently signed up another heavy hitter: Ron Moritz, the former head of CA’s security division and one-time CTO at Symantec. Moritz left CA in July after a five-year run heading up the eTrust security operation and joined Microsoft in mid-December.

Moritz is just the latest CA veteran to join Microsoft. Last summer, Jakub Kaminski and three of his colleagues joined Microsoft from CA’s Australian antimalware operation, and Ian Hameroff, a longtime CA antivirus guru, made the move to Redmond several years ago. Microsoft has also recruited AV veterans from other rivals, including Vinny Gullotto, formerly of both McAfee and Symantec, and Jimmy Kuo, another ex-McAfee researcher. Moritz will be spending most of his time in Israel, but will be making regular trips to Redmond as well.

January 10, 2008  11:31 AM

Storm goes phishing

Leigha Cardwell

The Storm Trojan and its related botnets have become so huge and so prolific in their social engineering tricks that it’s becoming easy to overlook some of what they are up to. The file on this one is getting so thick it’s getting harder to keep up with each new page.

But here’s something that stands out: Evidence that Storm’s controllers are now using it for phishing attacks.

Mikko Hypponen has written an analysis of it on the F-Secure blog, complete with screen shots. He writes about detecting a phishing run using the domain, in which the IP address of the site was changing every second or so. The server was an active fast flux site hosted within a botnet, he says: the domain’s address record is rotated rapidly through infected machines that front for the real phishing server, so blocking any single IP address accomplishes little.

“Somebody is now using machines infected with and controlled by Storm to run phishing scams,” he says. “We haven’t seen this before, but we’ve been expecting something along these lines.”

Here’s one of the screen shots from the F-Secure blog:

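The rotating-address behaviour Hypponen describes can be scored from nothing more than repeated lookups of the hostname. The script below is an added example, not code from F-Secure or from the original post: it summarises a series of A-record answers (TTL plus the addresses returned) and flags the pattern of a fast-flux domain, namely answers that change from lookup to lookup, many distinct addresses spread across unrelated networks, and very short TTLs. Both answer series are constructed, using private and documentation ranges as stand-ins, and the thresholds are illustrative assumptions rather than published values.

```python
"""Fast-flux heuristic over a series of DNS answers for one hostname.

Added example, not from the F-Secure post. A live version would feed it
the output of repeated A-record lookups; here both series are constructed
so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Tuple

# (ttl_seconds, answer_ips) for one lookup; a list of these is a series.
Lookup = Tuple[int, List[str]]


def analyze_resolutions(series: List[Lookup]) -> Dict[str, float]:
    """Summarise a lookup series into the numbers the heuristic keys on."""
    if not series:
        raise ValueError("need at least one lookup")
    ips = {ip for _, answer in series for ip in answer}
    # /16 diversity stands in for ASN diversity, which would need an
    # offline BGP table; flux nodes are scattered across consumer ISPs.
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False))
                for ip in ips}
    changes = sum(1 for prev, cur in zip(series, series[1:])
                  if set(prev[1]) != set(cur[1]))
    return {
        "lookups": len(series),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "avg_ttl": sum(ttl for ttl, _ in series) / len(series),
        "answer_changes": changes,
    }


def looks_fast_flux(stats: Dict[str, float], max_ttl: int = 60,
                    min_ips: int = 5, min_prefixes: int = 3) -> bool:
    """Thresholds are illustrative assumptions; tune them against known CDN
    traffic, which also uses low TTLs but stays within a few networks."""
    return (stats["avg_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes
            and stats["answer_changes"] >= stats["lookups"] // 2)


# Constructed: a phishing host whose A record rotates through bot nodes in
# unrelated networks with a near-zero TTL (private ranges as stand-ins).
FLUX_SERIES: List[Lookup] = [
    (0, ["10.5.12.34"]), (0, ["10.77.2.9"]), (30, ["10.140.201.8"]),
    (0, ["10.23.9.77"]), (0, ["10.199.4.2"]), (30, ["10.61.130.15"]),
]

# Constructed: a legitimate site behind two load-balanced addresses in one
# network, answered with a normal five-minute TTL.
STABLE_SERIES: List[Lookup] = [(300, ["192.0.2.10", "192.0.2.11"])] * 6


if __name__ == "__main__":
    for name, series in (("flux", FLUX_SERIES), ("stable", STABLE_SERIES)):
        stats = analyze_resolutions(series)
        verdict = "FAST-FLUX" if looks_fast_flux(stats) else "ok"
        print(f"{name}: {stats} -> {verdict}")
```

The /16 grouping is a deliberate simplification: the published fast-flux scores use the number of distinct autonomous systems behind the answers, which is the better signal when an ASN lookup table is available.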

January 9, 2008  12:24 PM

New MBR rootkit on the loose

David Schneier

The folks at Symantec’s Security Response Center have an interesting writeup on a new Trojan making the rounds that installs an MBR rootkit on compromised machines. Known as Trojan.Mebroot, it is finding its way onto PCs through drive-by downloads, the attackers’ old standby infection method. Once it’s on a machine, the Trojan overwrites the MBR (master boot record), the first 512-byte sector of the disk, which the BIOS loads and executes before any operating system code, to ensure that it’s loaded at startup, ahead of the kernel and any antivirus driver. It also installs a custom backdoor.
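
A first-pass integrity check for exactly this kind of tampering, added here as an example (it is not Symantec’s code and is not part of their writeup): parse the 512-byte MBR, confirm the 0x55AA boot signature, decode the four partition entries, and compare a hash of the boot-code region against a fingerprint taken when the machine was known to be clean. The sample MBRs are constructed inline so the script runs offline; on a live system the sector would be read from the raw disk device with administrator rights, and the baseline would come from the original install.

```python
"""Parse a 512-byte master boot record and compare its boot-code region
against a known-good fingerprint.

Added example, not from Symantec's analysis. The boot-code bytes in the
samples are constructed stand-ins, not a real loader or real malware.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the BIOS jumps here at power-on
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (empty slots included)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start,
                      "sectors": sectors})
    return parts


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so a legitimate partition-table
    edit (a resize, a new volume) does not trip the check but a replaced
    boot loader does."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected MBR length {len(mbr)}")
        return findings
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    fp = boot_code_fingerprint(mbr)
    if fp != baseline_fingerprint:
        findings.append(f"boot code changed: {fp[:16]}... != baseline")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) != 1:
        findings.append(
            f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 20971457)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + SIGNATURE


# Constructed stand-in for the stock loader recorded at install time.
GOOD_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_fingerprint(GOOD_MBR)

# Constructed: same partition table, but the loader's first bytes replaced
# with a jump elsewhere, the footprint a bootkit leaves behind.
TAMPERED_MBR = make_sample_mbr(b"\xe9\x00\x01")


if __name__ == "__main__":
    for name, mbr in (("baseline", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

Hashing only the boot-code region keeps the check quiet through ordinary disk management; anything that rewrites those 446 bytes, which a legitimate operating system rarely does after installation, is worth a look.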

If you recall, there have been a few proof-of-concept rootkits of this kind in the last couple of years, including eEye’s BootRoot and VBootkit, which was derived from BootRoot and written by a couple of Indian researchers. Symantec’s analysis shows that Mebroot seems to share some code with BootRoot as well.

For now, Symantec says, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) because of some hard-coded values inside the attack code; the company points readers to its full writeup for Trojan.Mebroot for a complete analysis of the threat.

There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.

Nothing like starting the year off with a nasty little Trojan. Good times.

Update: VeriSign’s iDefense research team estimates that about 5,000 PCs have been infected with this rootkit since Dec. 12, and that the group responsible for creating it also has developed some well-known banking Trojans and other malware.

January 8, 2008  9:32 AM

Security update for VMware ESX Server, VirtualCenter

Leigha Cardwell

VMware has released a hefty security update to address flaws in the VMware ESX Server and VirtualCenter. Attackers could exploit the flaws to perform actions with escalated privileges, cause a denial of service or compromise a vulnerable machine.

The Heise Security blog has a decent synopsis of the problems addressed:

“Versions 3.0.1 and 3.0.2 of ESX Server include a buffer overflow in the OpenPegasus CIM Management Server that can be exploited by an attacker to remotely inject code and execute it with root privileges,” Heise said.

The problem resides in the PAMBasicAuthenticator::PAMCallback() function that performs authentication using pluggable authentication modules (PAM). The vendor recommends that users of version 2.5 switch to a bug-fixed version 3.0.1 or higher.

VMware also addressed security holes in the ESX Server service console package, which includes Samba, Perl, OpenSSL and util-linux, as well as some older vulnerabilities in software included with VirtualCenter Management Server 2 and ESX Server 3.0.1 and 3.0.2.

January 7, 2008  8:51 AM

Microsoft launches new vulnerability/research blog

Leigha Cardwell

The Windows administrators I talk to on a regular basis generally applaud Microsoft for doing a better job at communicating with customers on security matters. One of the most mentioned examples is the Microsoft Security Response Center blog. The software giant is taking the concept even further with the launch of its new Security Vulnerability Research and Defense blog.

The first three postings of the blog appeared Dec. 27, while many of us were away for the holidays. Here’s how Microsoft describes the blog’s role in its inaugural entry:

“We expect to post every Patch Tuesday with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization.”

Since tomorrow is Patch Tuesday, I’ll be asking around in the coming days about how this blog may or may not be helpful to the security update process.

January 4, 2008  1:31 PM

Sears spyware illustrates perils of online commerce

Leigha Cardwell

Bill Brenner

My colleague, Dennis Fisher, has already blogged about Sears using spyware on its customers. But since I’ve come across plenty of blog chatter that reflects his opinion and mine, I’ve decided to offer my two cents. So thanks for indulging me this week…

Every now and then, a big company does something to remind us how easy it is to get burned when conducting commerce in cyberspace. The latest example comes from retail giant Sears, which has decided it’s OK to use spyware on its customers.

Ben Googins, a senior researcher in CA’s antispyware division, tripped over the practice during some online holiday shopping and outlined his experience in a CA blog posting.

Here’s how he explains it in his write-up:

“Visiting (and a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. is distributing spyware that tracks all your Internet usage — including banking logins, email, and all other forms of Internet usage — all in the name of ‘community participation.’ Every Web site visitor that joins the Sears community installs software that acts as a proxy to every Web transaction made on the compromised computer. In other words, if you have installed Sears software (the proxy) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the ‘community,’ very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is ‘genetically’ related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other Web sites.”

Rob Harles, a senior vice president of Sears Holdings Community (SHC), denied that Sears is monitoring customers with spyware in a response to Googins’ blog posting. “The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed,” he insisted.

Looking around the blogosphere, I see that several security experts are as unmoved by Harles’ claims as I am.

Let’s start with a blog analysis from Benjamin Edelman, whom I consider to be one of the best antispyware researchers out there.

Edelman writes that he reviewed the installation sequence and agrees with Googins that it offers very little mention of software or tracking and otherwise falls short of industry standards. He then offers a step-by-step breakdown of his own review.

“The email invitation provides vague notice midway through a lengthy paragraph that, according to its topic sentence, is otherwise about another topic,” he writes. “The first sign-up page makes no mention at all of any downloadable software. The privacy policy and license agreement describe the application only in the tenth page of text — where few users are likely to find the disclosures.”

Of Harles’ claims that the installer provides “a progress bar that they [users] can abort,” Edelman writes, “I disagree. The video and screenshots are unambiguous: The SHC installer shows no progress bar and offers no abort button.”

Security luminary Bruce Schneier writes in his blog that if “a kid with a scary hacker name did this sort of thing, he’d be arrested.” But, he continues, “this is Sears, so who knows what will happen to them. But what should happen is that the antispyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.”

I agree. Companies that do this love to hide behind their user license agreements, which are often bogged down with legalese and confusing to customers who often accept the terms anyway because they lack the legal aptitude to see what they’re getting into. In this case, Sears buries the truth of what they are doing.

Consumers need to know that when they do business online, the vendor is doing everything possible to protect their personal information. Once in awhile, we find that a vendor’s network security efforts were insufficient, allowing hackers to access that data. That’s what happened at TJX.

But as far as I’m concerned, it’s just as bad — if not worse — when it’s the company you’re doing business with that uses specialized code to invade your privacy.

If Sears is going to insist that there’s nothing wrong with this practice, the only solution is to do business someplace else.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

January 4, 2008  1:05 PM

Why is Sears tracking users’ Internet activity?

David Schneier

It seems that Sears, which sells just about everything under the sun, has decided to get into the spyware business too. The retail giant recently has come under fire from a researcher at CA who discovered that Sears’ Web site installs a nifty piece of tracking software developed by ComScore on the machines of some people who join the company’s My SHC community. The researcher, Benjamin Googins, describes in great detail on CA’s security blog exactly what the software does, how little notice it gives users about the program’s capabilities and how much data it collects.

Here is a summary of what the software does and how it is used. The proxy:

1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
3. Records and transmits “the pace and style with which you enter information online…”
4. Parses the header section of personal emails.
5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.

In addition, My SHC Community requires a variety of personal information during registration – like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.

Sounds a whole lot like spyware, no? Googins thought so, and even details which portions of CA’s Anti-Spyware Scorecard the software violates. A company VP responded to Googins by saying that the software is part of an initiative at Sears “to improve our customers’ Internet experience and help guide the future development of Community.” Users must be invited to participate in the program and, the Sears spokesman argues, “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation. Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy and user licensing agreement.”

Googins responded in turn by essentially taking apart Sears’ arguments piece by piece and showing screenshots of the signup process on the Web site and the consent notice, such as it is. Bad, right? It gets worse. The CA posting caught the attention of Benjamin Edelman, an assistant professor at Harvard Business School who specializes in spyware and its revenue models. He did his own analysis of the Sears software and installation process and came to the same conclusion that Googins did: “Sears’ claims of adequate notice are demonstrably false. The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC’s installation of ComScore did nothing of the kind.”

How this differs from the tactics that companies such as DirectRevenue and others have been using for years is unclear to me. This is not 1999 and it’s implausible for any company of the size and sophistication of Sears to claim that this is all a simple misunderstanding. Without clear notice of the software’s capabilities and disclosure of what the collected data will be used for, this is spyware, plain and simple.

January 3, 2008  4:17 PM

Security pioneer James Anderson dies

David Schneier

James Anderson, one of the pioneers in the field that eventually became computer security and the author of some of the seminal papers on the subject, died in mid-November. His passing seems to have gone virtually unnoticed in the industry, and, to hear his friends tell it, that’s perhaps the way he would have liked it. I didn’t know the man, but Gene Spafford, who casts a long shadow of his own in this world, did and his summation of Anderson’s accomplishments is extraordinary.

Jim’s contributions to information security involved both the abstract and the practical. He is generally credited with the invention and explication of the reference monitor (in 1972) and audit trail-based intrusion detection (in 1980). He was involved in many broad studies in information security needs and vulnerabilities. This included participation on the 1968 Defense Science Board Task Force on Computer Security that produced the “Ware Report”, defining the technical challenges of computer security. He was then the deputy chair and editor of a follow-on report to the U.S. Air Force in 1972. That report, widely known as “The Anderson Report”, defined the research agenda in information security for well over a decade. Jim was also deeply involved in the development of a number of other seminal standards, policies and over 200 reports including BLACKER, the TCSEC (aka “The Orange Book”), TNI, and other documents in “The Rainbow Series”.

Computer security is still a relative pup in the technology industry at large, but it is quickly approaching that age when its founders and early visionaries will no longer be around to tell the old stories and pass on their accumulated wisdom. We’ll all be the poorer for that.

January 3, 2008  7:19 AM

Ransomware locks you out, demands $35

Leigha Cardwell

Sunbelt Software CEO Alex Eckelberry warns in a blog posting that new ransomware is on the loose, locking up victims’ machines and demanding $35 to return functionality to the user.

The bad guys are using the Delf.ctk Trojan to hijack the PCs, and victims are told to dial a 900 number that can be traced to “,” a payment processor also used by hardcore pornography Web sites to charge for access to their content, Eckelberry wrote. He offers a step-by-step account of what happens, complete with screen shots the victims encounter.

Eckelberry says a search on the US 900 number shows the first link as passwordtwoenter com, which shares an IP with a number of other similar sites:

p2e com
chargemybill com
chargemyphonebill com
password2enter com
passwordtoenter com
passwordtwoenter com
phonetoenter com
pin2enter com
pintoenter com
pintwoenter com
ptwoe com

“Apparently, this is a payment processor that’s now being used for malware, whether they know it or not,” he wrote.
