Security Fix - Brian Krebs on Computer and Internet Security (washingtonpost.com)

Posted at 06:15 PM ET, 10/2/2008

House.gov Still Plagued by E-mail Deluge

A glut of e-mail from constituents and special interest groups continued to pose problems for the Web sites of members of the U.S. House of Representatives on Thursday, as millions of Americans attempted to voice their opinions on the financial bailout package the day before an expected vote on the measure.

Jeff Ventura, a spokesperson for the House's chief administrative officer, called the volume of e-mail flowing through member Web sites "staggering and unprecedented." He said more than two dozen interest groups sending large batches of e-mail have contributed to the problem.
"Advocacy groups are collecting e-mails and then shoving them into a system that was really designed for manual input, not for people to send us wholesale batches of thousands of e-mails at a time," Ventura said. Still, he said, e-mails from individual users far outnumber those submitted in bulk. The timing of the Wall Street rescue package also comes just a month before elections in the House, always a busy time for the House Web site.

Ventura declined to say how many e-mails the House was receiving, but noted that the volume was more than six times the normal level. "It seems like everyone has something to say about this issue, and unfortunately, the Web site -- the way we had it -- has never experienced this tsunami," he said. "If House.gov has been laboring to load, all of the other sites are feeling this storm as well."

Part of the problem is that although each member of the House has a "Write Your Rep" page on their individual sites, all of those member pages reside at the main House.gov Web site. When the deluge of e-mail first began in earnest over the weekend, House.gov technicians initially sought to throttle the amount of e-mail that could be sent at any one time through the site. Ventura said the House has since turned to an outside firm that helps distribute the load by serving copies of the House.gov Web pages at multiple locations.

"As an intermediate step, we were turning away some people trying to get to the site," he said. "Now, what we're trying to do is enlarge the doorway."

Ventura declined to name the company that is mirroring the House.gov Web properties. But according to Netcraft.com, a site that tracks Web server performance, sometime this week House.gov began being distributed by Cambridge, Mass.-based Akamai.com. Akamai mirrors content for a number of the Internet's busiest Web properties, including washingtonpost.com, Microsoft.com and Yahoo.com.
Companies also have turned to Akamai for help in withstanding denial-of-service attacks, digital assaults in which cyber crooks swamp commercial Web sites with junk traffic if they refuse to pay extortion demands.

The changes made by House administrators appear to be working, at least for the main House.gov landing page. Abelardo Gonzalez, a solutions consultant with Keynote.com, which measures Web site uptimes, said that the House.gov home page has been loading fine all day but that individual pages and member Web sites are still struggling. "They seem to have fixed the front door, which is an improvement," Gonzalez said. "But unfortunately, it still looks like it's overwhelmed and slow once you start getting into deeper sections of the site."

However, Ventura said, there is an upside to the load woes. "It shows the average citizen is really in the game right now," he said. "It's kind of a refreshing thing that at least people are so engaged."

Update, 6:32 p.m.: Added comment from Keynote.com

Posted by Ju-Don Roberts

October is Cyber Security (Un)Awareness Month

October is Cyber Security Awareness Month, and it seems many people are in need of some serious awareness-raising on this front.
A recent survey indicates that while more than 80 percent of computer users thought they had firewall software installed, follow-up inspections found that only half of those users actually had the software installed or running on their PCs. The data comes from a poll of 3,000 Americans conducted by Zogby International, with security vendor Symantec conducting follow-up manual scans on computers belonging to 400 of those surveyed. While the study suggests that Americans seem to be well aware of whether they have up-to-date anti-spyware and anti-virus software installed, only 52 percent had anti-spam filters set up, even though 75 percent thought they did, Symantec found.

Fifty-one percent of those surveyed said they had been targeted by a phishing attack, a scam that uses spoofed e-mail to lure recipients into entering personal or financial data at fake bank, e-commerce or social networking Web sites. In about 65 percent of those cases, recipients said the phishing e-mail looked legitimate. More than half (54 percent) reported having had their computer infected by a virus, and just 21 percent said they felt their computers were "very safe" from hacker attacks.

There are plenty of free security products available, but since there are also plenty of malicious software titles now masquerading as legitimate (see my recent scareware post for more on this), I thought it best to name a few here. Tips and tools after the jump.

Posted by Brian Krebs

New Federal Law Targets ID Theft, Cybercrime

President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.
The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement.

The law makes it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems.

The new law allows federal courts to prosecute when the cybercriminal and the victim live in the same state. Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim's PC. In addition, the law expands the definition of cyber-extortion.

Identity theft victims could find it easier to win compensation for their trouble as a result of this law, assuming their attackers are brought to justice. The law requires that in cases where convicted identity thieves are ordered to pay restitution, the victim should get a chunk of that money "equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense."

Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn't appear to take into account lost opportunities associated with identity theft.
According to the Federal Trade Commission, some consumers victimized by identity theft may lose out on job opportunities or be denied loans for education, housing or cars because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit.

Posted by Brian Krebs

Software Lets Users Manipulate Passport Data

A security researcher has published a software tool that makes it easy to copy and modify identification data encoded onto the computer chips embedded in passports issued by the United States and dozens of other countries.

Jeroen van Beek, a security researcher at the University of Amsterdam, discussed his work at the Black Hat security conference in Las Vegas last month, but only this week released the tool that allows anyone to manipulate data on the passport chips.

The attack is targeted at electronic passports or "e-passports." According to the U.S. State Department, the United States stopped issuing passports without the chips in August 2007. Close to four dozen other countries also issue e-passports, which are designed around an open international standard. The information on the chips - name, date of birth, passport number, photo, etc. - is designed to be read over a wireless interface by a radio frequency identification (RFID) reader.

In a demo given to The Times Online, van Beek showed how his tool could be used to clone and manipulate the data chips so that they could be planted inside a fake or stolen passport to mask the identity of the passport holder. From that Times story:

Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.
A baby boy's passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.

Conceivably, a terrorist or wanted criminal seeking to travel under another name could use van Beek's tools and method to forge documents, because of a widespread lack of the security checks needed to enforce the international e-passport standard.

The data encoded on the e-passport chips is signed with cryptographic keys held by the issuing country, thus allowing the issuing country to tell if a citizen had altered the data on the device. The problem is that only 10 of the 45 countries that issue e-passports have agreed to share the public keys that are needed to test the integrity of the data on one another's passport chips. Worse still, only five countries are actively sharing the data. As a result, someone who has changed the name or swapped in a new photo on an e-passport chip can simply sign the information using his own personal cryptographic key, and relatively few countries would be able to detect the manipulation, said Adam Laurie, a freelance security researcher with RFIDiot.org, a site that hosts software and research designed to expose holes in RFID technology.

"This is the big problem with the whole thing: It relies on checking the digital signatures of the content on the passport, but if nobody's checking those signatures, you can't tell if the data is legitimate," Laurie said.

Following the 9/11 attacks, the United States told other countries they would have to adopt the e-passport system if they wanted their citizens to avoid applying for visas every time they wanted to enter the country.
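To make the key-sharing problem Laurie describes concrete, here is an added example in Go (not code from the article, from van Beek or from any passport software): a toy chip signed with ECDSA is checked once against the key the chip itself carries and once against a store of keys the verifier has actually received from issuing countries. The chip layout, the country codes "AA" and "ZZ" and the key handling are simplifications assumed for the example; real e-passports use the ICAO data-group and certificate structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Chip is a simplified stand-in for the signed contents of an e-passport
// chip: the holder data, a signature over it, and the public key the chip
// itself presents as the signer. Constructed for this example; the real
// ICAO layout (data groups, Document Security Object, X.509 chain) is richer.
type Chip struct {
	Data      []byte
	Signature []byte
	SignerKey *ecdsa.PublicKey
}

// TrustStore maps an issuing country code to the public key that country has
// actually shared with the verifier. Countries that do not share keys are
// simply absent.
type TrustStore map[string]*ecdsa.PublicKey

// Issue signs holder data with a private key and places the matching public
// key on the chip. An issuing authority and a forger do exactly the same
// thing; they differ only in whose key it is.
func Issue(priv *ecdsa.PrivateKey, data []byte) (*Chip, error) {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return &Chip{Data: data, Signature: sig, SignerKey: &priv.PublicKey}, nil
}

// ForgeWithOwnKey re-signs altered holder data with a freshly generated key,
// the manipulation Laurie describes: the chip still carries a valid signature,
// just not the issuing country's.
func ForgeWithOwnKey(alteredData []byte) (*Chip, error) {
	own, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return Issue(own, alteredData)
}

// VerifyWithChipKey checks the signature only against the key carried on the
// chip. This is Schneier's "the authority for the thing is the thing itself":
// it proves internal consistency, not who signed the data.
func VerifyWithChipKey(c *Chip) bool {
	h := sha256.Sum256(c.Data)
	return ecdsa.VerifyASN1(c.SignerKey, h[:], c.Signature)
}

// VerifyWithTrustStore checks the signature against the key the verifier
// holds independently for the claimed issuing country. With no shared key the
// check cannot be performed at all, and the result must be "unverified",
// never "valid".
func VerifyWithTrustStore(ts TrustStore, country string, c *Chip) error {
	pub, ok := ts[country]
	if !ok {
		return errors.New("no shared public key for " + country + "; signature cannot be checked")
	}
	h := sha256.Sum256(c.Data)
	if !ecdsa.VerifyASN1(pub, h[:], c.Signature) {
		return errors.New("signature does not verify under the key shared by " + country)
	}
	return nil
}

func main() {
	// "AA" is a constructed code for a country that shares its key, "ZZ" for
	// one that does not; the holder data is constructed too.
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ts := TrustStore{"AA": &issuer.PublicKey}
	genuine, _ := Issue(issuer, []byte("name=J. Doe;dob=1972-04-01"))
	forged, _ := ForgeWithOwnKey([]byte("name=A. Other;dob=1972-04-01"))

	fmt.Println("genuine, chip key only:    ", VerifyWithChipKey(genuine))              // true
	fmt.Println("forged, chip key only:     ", VerifyWithChipKey(forged))               // true
	fmt.Println("genuine, AA trust store:   ", VerifyWithTrustStore(ts, "AA", genuine)) // <nil>
	fmt.Println("forged, AA trust store:    ", VerifyWithTrustStore(ts, "AA", forged))  // error
	fmt.Println("forged, ZZ (no shared key):", VerifyWithTrustStore(ts, "ZZ", forged))  // error
}
```

The chip-only check passes for the forgery exactly as it does for the genuine document, which is why a verifier without the issuer's shared key cannot tell the two apart.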
But Bruce Schneier, a renowned cryptography expert who serves as chief security technology officer for the British telecommunications giant BT, said the lack of an international system for checking the signatures actually makes the entire system less secure, because countries are bound to place a higher degree of trust in the newfangled passports. "In this case, the authority for the thing is the thing itself: It's like my giving you an ID card and saying it's valid only because I say it's valid," Schneier said.

For its part, the State Department says the e-passports will be supplemented by other security technologies. For example, the inclusion of the digital photograph on the e-passport chip enables biometric comparison, through the use of facial recognition technology at international borders, the government says.

But in an op-ed published in The Washington Post, Schneier warned that researchers would likely discover even more security weaknesses that could be used to defeat the security of the e-passport system. "The security mechanisms on your passport chip have to last the lifetime of your passport," Schneier wrote. "It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time."

Update, Oct. 1, 7:32 a.m.: An earlier version of this story incorrectly stated the date of the Washington Post op-ed article by Bruce Schneier. It was published in 2006.

Posted by Brian Krebs

Microsoft, Washington State Sue Scareware Purveyors

Microsoft Corp.
and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.

"We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."

Paula Selis, who heads the attorney general's consumer protection unit, said Registry Cleaner found the same 43 "critical" errors on each PC they used to examine the software, while consumers who purchased the product were told their machines were instantly rid of the imaginary threats. Selis said that in addition to handing their name, address and credit card numbers to someone "who is obviously a fraudster," consumers who purchased the software may have been lulled into a false sense of security, thinking the bogus software would protect them from future threats. "We're absolutely certain that consumers across the country have been deeply affected by this," Selis said.

No one answered the phone at the number listed on Branch Software's Web site. McCreary could not be immediately reached at his home number, nor did he respond to e-mailed requests for comment.
In a separate action, Microsoft filed five "John Doe" lawsuits to learn the identities of individuals responsible for marketing other scareware products, including such titles as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender. Microsoft also amended two complaints filed earlier to unmask those running SMP Soft LLC, a Delaware corporation that markets a scareware product called Scan & Repair Utilities.

The products named in the lawsuits used a variety of methods to prompt victims to install them. Scan & Repair Utilities, for example, was advertised via misleading instant message alerts sent over Skype, a popular Internet telephony service. Other products, such as Antivirus 2009 and XPDefender, come disguised as Web browser plug-ins or "codecs" that certain Web sites claim visitors need to install in order to view online videos. The sites typically are advertised in junk e-mail messages touting video links to adult content or international news events. The fake codecs are in fact Trojan horse programs that change a variety of settings on the victims' computers and serve the victims with incessant warnings that their computers are infected with malicious software.

Alex Eckelberry, president of Clearwater, Fla.-based security firm Sunbelt Software, said the spread of fake security software has become a pandemic. "This is an absolutely huge problem, and these rogue anti-spyware products are what most consumer PCs are getting infected with now," Eckelberry said. Some of the most aggressive scareware products make critical changes to the victims' PCs, such as preventing consumers from restoring their computers to an earlier, known-secure state. "These guys are doing whatever it takes to get you to buy their crap software," he said.

The lawsuits were filed under Washington's Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats.
Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides for actual damages or statutory damages of $100,000 per violation, whichever is greater.

Posted by Brian Krebs

Wigle.net: The 411 on Wireless Access Points

If you thought your wireless network was too remote or obscure to find, you might want to think again. There's a non-trivial chance that the name of your network and its precise geographic coordinates are already mapped out and searchable by anyone with a Web browser.

At least for U.S.-based networks, probably the best place to find that information is the free database maintained by Wigle.net. The Wireless Geographic Logging Engine is a Web site that maps data gathered by "wardrivers," geeks who enjoy cruising around with open laptops connected to global positioning system (GPS) devices in order to chart the distribution of wireless networks.

WiGLE's database allows anyone to search for a wireless network by geographic area or by the name of the service set identifier (SSID), the name assigned, either manually or automatically, to every wireless access point. Wireless routers broadcast their SSIDs as a way of inviting nearby users to connect to the network.

A successful search yields a plethora of data about each wireless network, including its name, its longitude and latitude (viewable on a street map with an extra click), and whether the network is protected by encryption. (WiGLE doesn't differentiate between networks protected by WPA encryption and those guarded by the far less secure WEP encryption, since most wardriving software used to collect this data does not distinguish the two.)
Apart from catering to rabid wardriving enthusiasts, WiGLE also attempts to foster an increased awareness of the need for security when using wireless networks, said Andy Carra, who co-founded WiGLE in 2001.

"Showing that wireless networks are easily and publicly visible to anyone nearby has proven an effective means of explaining the need for host security and encryption of network traffic," Carra said in an e-mail to Security Fix.

It's okay to leave the SSID on your router at the default, unless you haven't bothered to protect the router with encryption or to change the factory default user name and password that are needed to administer the router. Why is changing the default settings on a wireless access point a big deal? Because there are plenty of Web sites that list the default user names and passwords built into every brand of router out there. If you operate a wireless access point using the default settings, not only would a local passerby be able to use your network to browse the Web, but he or she also could change the configuration on the router to keep track of the Web sites you're visiting, route your traffic through another network, or block you from being able to view certain Web sites. Not incidentally, there also is malicious software circulating these days that will make some of those changes for you if you haven't altered the router's default password and/or user name (yes, you can generally change both the user name and the password if you like).

For instance, if I were looking for an exposed wireless network, I'd probably start by searching the local zip code for the default SSID assigned to many popular routers. After all, these would most likely be the networks run by users who yanked their shiny new routers straight out of the box and plugged them right into their modems without modifying a thing.
A search for access points named "linksys" (the factory default SSID for routers made by the company of the same name), for example, turns up approximately 1,591,085 results in WiGLE's database. See the graphic below for a glance at the Top 1000 SSID names (most of the others at the top of the list in the left hand column also are default SSID names).

According to the latest stats on WiGLE, roughly 37 percent of the networks listed in its database are unencrypted and wide open for anyone to use. That's a fair number of exposed networks when you consider that WiGLE has the goods on more than 16 million wireless nets across the country (another 8,204 wireless networks with location data were added to WiGLE during the 24 hours I was researching this post).

I couldn't find my own wireless networks in WiGLE, but I was able to locate my father-in-law's encrypted network just by searching for his (very unique) SSID. It pulled up a nice zoomable map of his neighborhood in suburban Maryland, with the name of the SSID beside the approximate longitude and latitude of his house. Just out of curiosity, I punched those same coordinates into Google Earth, which sure enough zoomed straight into a shot directly above his backyard.

If you are running a wireless network and haven't changed the default user name and password, or set it up to use encryption, take a few minutes to do that. If you're not sure how to do these things, this site has some easy-to-follow video and text primers on four of the most widely used wireless routers on the market. Incidentally, if you find your wireless network in WiGLE and want it removed from the database, e-mail the site administrators at this address and they will gladly nix it for you.

So how about it, dear Security Fix readers? Has your Wi-Fi network been logged by the WiGLE wardrivers? Let us know in the comments below. Or if you have questions about this post or other security matters, join me at 11 a.m.
ET for a live Web chat.

Posted by Brian Krebs

Apple, Mozilla Push Security Updates

Apple on Wednesday issued an update that plugs at least two dozen security holes in the version of Java that runs on Mac OS X systems. Mozilla also pushed out patches to correct a number of security and stability issues with its latest version of the Firefox Web browser.

By my count, Apple's Java updates address 24 separate security flaws in its implementation of Java. The majority of these flaws were fixed in security updates that Sun Microsystems has been shipping since April, but Apple maintains its own version of Java and is responsible for managing those updates for OS X systems. The Java update is slightly different depending on whether you're an OS X 10.4 (Tiger) or 10.5 (Leopard) user. Either way, the Java patch is available through Software Update or directly from Apple Downloads.

Firefox is configured to install all updates automatically (after the browser is closed and restarted), so users should receive a prompt to install the latest 3.0.2 version soon. Interested users can read about the changes in this new version of Firefox here.

Posted by Brian Krebs

Fake Facebook 'Add Friends' E-Mail Adds Malware

Social networking sites like Facebook and MySpace give scam artists and virus writers new ways to package tried-and-true tricks. The latest example making the rounds is an e-mail that appears to be an invitation from Facebook to add a friend: A recipient who opens an attached image to take a look at the new friend instead opens the door for hackers to compromise his or her PC.
Internet security firm Websense warns about this latest scam, which takes advantage of the common notifications Facebook sends to alert users when another user adds them as a friend on the social network: The spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse.

The message also includes a login form to the Facebook home page. While there are countless examples of scam e-mails that try to steal Facebook usernames and passwords using a fake login page, any credentials entered into this form are sent directly to Facebook, logging the user into his or her actual page. Websense says this is probably a ruse to make the message appear more authentic, but in reality the scammers could have easily intercepted those credentials as well.

As Security Fix has warned time and again, social networking sites are fast becoming the most fertile grounds for spreading malicious software and Internet scams. Earlier this year, Symantec Corp. found that two social networking sites together were the target of 91 percent of U.S.-based phishing Web sites. Social networking sites also were the leading targets of phishing sites located in four other countries listed by Symantec in its phishing Top 10.

Here are a few tips and things to keep in mind that can help you avoid being burned by e-mail based attacks:

- E-mail addresses in the "From:" field can be easily spoofed.
- Never open attachments in e-mails that you weren't expecting, even if the e-mail appears to come from some person or entity you know and trust. (Legitimate Facebook friend requests, in fact, don't include attachments.)
- Avoid responding to unsolicited e-mails. You'll only let spammers know they've got a mark for future e-mails.
- Consider switching from HTML e-mail to text-based messages only.
Malicious JavaScript and nasty instructions written in other powerful scripting languages can be embedded in HTML messages, and in many cases that code will load as soon as you view the message.

Posted by Brian Krebs
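An added example in Go, not code from this post or from Websense, that turns the tips above into a mail triage routine: it parses a constructed message shaped like the fake friend request (placeholder spammer domain, a stub zip that is never opened) and flags the spoofable From header, the attachment, and the script and login form in the HTML body. The Return-Path comparison is assumed as a cheap first indicator; it is not a substitute for SPF or DKIM checks.

```go
package main

import (
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// sampleMail is constructed to mirror the scam above; spammer.example is a placeholder, the zip a stub.
const sampleMail = `Return-Path: <bulk@spammer.example>
From: "Facebook" <notification@facebook.com>
Content-Type: multipart/mixed; boundary="XBOUNDARY"

--XBOUNDARY
Content-Type: text/html

<html><body><p>Someone added you as a friend. See the attached picture.</p>
<form action="https://www.facebook.com/login.php" method="post"></form>
<script>window.location = "http://spammer.example/track";</script></body></html>
--XBOUNDARY
Content-Type: application/zip; name="friend_photo.zip"
Content-Disposition: attachment; filename="friend_photo.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XBOUNDARY--
`

// TriageMail applies the tips above to a raw message and returns the indicators found; nothing is opened.
func TriageMail(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var findings []string
	// Tip 1: "From:" is trivially spoofed; compare it with the envelope sender recorded in Return-Path.
	fromDom, envDom := addrDomain(msg.Header.Get("From")), addrDomain(msg.Header.Get("Return-Path"))
	if fromDom != "" && envDom != "" && fromDom != envDom {
		findings = append(findings, "From domain "+fromDom+" differs from Return-Path domain "+envDom)
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return findings, err
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			return findings, nil
		} else if err != nil {
			return nil, err
		}
		// Tip 2: a real friend request carries no attachment; an archive or executable is the Trojan's usual wrapper.
		if name := part.FileName(); name != "" {
			f := "attachment " + name
			if ext := strings.ToLower(path.Ext(name)); ext == ".zip" || ext == ".exe" || ext == ".scr" {
				f += " (archive or executable)"
			}
			findings = append(findings, f)
			continue
		}
		// Tip 4: HTML bodies can run script on view, and an embedded login form is a credential trap
		// even when, as in this scam, it posts to the real site.
		if ct, _, _ := mime.ParseMediaType(part.Header.Get("Content-Type")); ct == "text/html" {
			body, _ := io.ReadAll(part)
			html := strings.ToLower(string(body))
			if strings.Contains(html, "<script") {
				findings = append(findings, "HTML part contains script")
			}
			if strings.Contains(html, "<form") {
				findings = append(findings, "HTML part contains a login form")
			}
		}
	}
}

// addrDomain returns the lower-cased domain of an address header, or "" if it cannot be parsed.
func addrDomain(header string) string {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return ""
	}
	return strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
}
```

Run against the constructed sample, TriageMail returns four findings: the From/Return-Path mismatch, the script, the login form, and the zip attachment.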