THESE PAGES HAVE BEEN DISCONTINUED - FOR ARCHIVAL PURPOSES ONLY

Posted July 07, 2009 by David Hale in Security News
by Ryan Naraine
July 6th, 2009 @ 11:34 am

Malicious hackers are launching code execution exploits against a new, unpatched vulnerability in the Microsoft Video ActiveX Control, the company warned in an advisory. The attacks are currently targeting users of Microsoft’s Internet Explorer browser. “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention,” Microsoft said.

The company said the buggy ActiveX Control can be safely removed without any compatibility issues: Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer.

…Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
Internet Explorer users should pay careful attention to the workarounds section of Microsoft’s advisory and take all necessary precautions. Microsoft has activated its security incident response process but a patch won’t be ready for at least a few months.
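The "remove support for this ActiveX Control" workaround Microsoft describes is the Internet Explorer kill bit: a `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` with bit 0x400 set, which stops IE from instantiating that class. The PowerShell below is an added example, not code from Microsoft's advisory or from the article; the two CLSIDs in it are placeholders (the real list for msvidctl.dll is in the advisory, which this page does not reproduce), and `Set-IEKillBit` and `Test-IEKillBit` are names chosen here.

```powershell
# Added example: set and verify the IE kill bit for a list of ActiveX class identifiers.
# Run from an elevated PowerShell session. The CLSIDs below are PLACEHOLDERS, not the
# real msvidctl.dll identifiers; substitute the list from Microsoft's advisory.
$ClassIds = @(
    '{00000000-0000-0000-0000-000000000001}',  # placeholder CLSID
    '{00000000-0000-0000-0000-000000000002}'   # placeholder CLSID
)

$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit  = 0x400   # "Compatibility Flags" bit: IE must never instantiate this control

function Set-IEKillBit {
    param([Parameter(Mandatory)][string]$ClassId)
    $key = Join-Path $BasePath $ClassId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-IEKillBit {
    param([Parameter(Mandatory)][string]$ClassId)
    $key = Join-Path $BasePath $ClassId
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($id in $ClassIds) {
    Set-IEKillBit -ClassId $id
    '{0}  kill bit set: {1}' -f $id, (Test-IEKillBit -ClassId $id)
}
```

On 64-bit Windows the 32-bit IE process reads the `Wow6432Node` view of the same key (`HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility`), so the same flags should be written there too; `Test-IEKillBit` is the check to run again after the vendor patch, since a later update may legitimately clear or change the flags.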
Posted July 07, 2009 by David Hale in Security News
by Elinor Mills
July 6, 2009 5:59 PM PDT

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistical inference to predict the sensitive data exposes Social Security numbers to identity fraud risks on "mass scales," the article said. Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records. On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

Posted July 02, 2009 by David Hale in Security News
By Dan Goodin
1st July 2009 21:32 GMT

The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a "massive DDoS" attack for the July 4 Independence Day holiday.

Jesse William McGraw, 25, of Arlington, Texas, was taken into custody late Friday evening after posting screenshots showing he had complete control of computers that administered air-conditioning systems at The Carrell Clinic in Dallas, federal prosecutors said. McGraw also brazenly posted videos showing him installing malware on hospital computers that made them part of a botnet he operated, said a network security expert, whose sleuthing uncovered the breach.

As a contract security guard at the hospital, McGraw had no authorized access to any of its computers. But that didn't stop the miscreant, who went by the handle GhostExodus, from taping himself as he walked down the halls of the hospital with a blue security guard uniform poking out through a gray hoody, as he bragged about gaining control over sensitive computers. "It's a unique mindset among these hackers," said Wesley McGrew, a 29-year-old PhD network security researcher at Mississippi State University.

"It's all about respect and fame and the respect of their equally weird peers." According to McGrew and federal prosecutors in Dallas, McGraw was the leader of a hacker gang known as the Electronik Tribulation Army. He had recently posted videos admonishing fellow hackers to carry out a "massive DDoS," or distributed denial of service, attack on July 4, a date he called "Devil's Day".
Posted July 02, 2009 by David Hale in Security News
By Sumner Lemon
July 2, 2009 05:59 AM ET

IDG News Service - Apple is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software code with root access to the phone. The attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service), said security researcher Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday.

He didn't provide a detailed description of the SMS vulnerability, citing an agreement with Apple. Miller is an authority on Mac OS X security, and is a co-author of The Mac Hacker's Handbook. The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator's network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet, Miller said.

Apple is working to patch the vulnerability and expects to have a fix ready later this month, before Miller discusses the attack in greater detail during a planned presentation at the Black Hat USA conference in Las Vegas. Despite the SMS vulnerability, the stripped-down version of Mac OS X used in the iPhone makes it more secure than computers running the full-blown operating system, Miller said. For starters, the stripped-down version of the OS presents fewer options for attackers, removing applications and features such as support for Adobe Flash and Java, which they might otherwise be able to exploit for vulnerabilities.

In addition, the iPhone includes hardware protection for data stored in memory and the phone is designed to only run software code that has been digitally signed by Apple. The iPhone also requires applications to run in a sandbox, a security feature that isolates them from other applications and limits their access to the phone's capabilities. But SMS offers a way for attackers to get greater access to the phone's capabilities, Miller said.

Posted July 02, 2009 by David Hale in Security News
by Elinor Mills
July 1, 2009 8:00 AM PDT

MOUNTAIN VIEW, Calif.--The computer security industry historically borrows military defense concepts to combat digital threats, literally creating war rooms where experts follow attacks in progress on huge screens with phones ringing off the hook.

Not so at Google's Postini e-mail security service provider unit. Instead, computerized systems monitor 3 billion messages per day that flow in and out of customer systems and pass through Postini's thousands of machines in data centers around the U.S. and in Europe before hitting the Internet. The Postini system is highly automated, distributed, and scalable, characteristic of all of Google's operations.

Google's Gmail antispam efforts are separate from those of Postini, which Google acquired two years ago, although it follows similar computerized operations and the teams have started to integrate the processes. Postini represents Google's commercial push into e-mail security, offering a subscription-based service to more than 50,000 customer companies and organizations and more than 15 million business users. In addition to protecting e-mail from spam and viruses, Postini offers compliance and archiving services.

Sentinels and canaries: About 35 members of the Postini Site Reliability Engineering team have access on their machines to a dashboard that shows the number of transactions per second the Postini service is handling, as well as the messages-per-minute rate and graphs of the error percentage rate obtained from a test system known internally as "Sentinel," according to Craig Croteau, who leads the group.
Posted July 01, 2009 by David Hale in Security News
By Nick Farrell
Tuesday, 30 June 2009, 11:18

A BLIND Boston teen has been sentenced to more than 11 years in prison for hacking into the telephone network and harassing a Verizon investigator. According to PCW, Matthew Weigman, 19, was part of a group of telephone hackers that met up on telephone party lines.

The court heard how Weigman was known as "Little Hacker". He started breaking into phone networks aged 14. His favourite afternoon was spent using spoofing technology to make it appear like an emergency call was being made from a victim's house. The idea is to harass their targets, preferably by having Inspector Knacker of the Yard (or Precinct) show up at their door with guns.

One of the group spoofed an attack and told dispatchers that he was holding hostages and had killed family members with an AK47 while high on drugs. Weigman was given the longest sentence of the group. This was partly because he showed up at the home of a Verizon investigator who had been building a case against the group to scare the bejesus out of him. Quite how threatening a blind bloke can be, prosecutors didn't say. We suppose if he had a dog it might be another matter.
Posted July 01, 2009 by David Hale in Security News
By Jacqui Cheng
June 30, 2009 12:30 PM CT

PC makers won't have to meet the July 1 deadline to preinstall or prepackage China's Green Dam Youth Project, and the new deadline is still somewhat nebulous. Chinese authorities still plan to offer the software to schools and Internet cafes at that time, though. The Chinese government has decided to delay the implementation of its controversial client-side filtering software, Green Dam Youth Escort.

The deadline for PC makers to preinstall or package the software was originally set for July 1, but it has now been pushed back to an unspecified date. A representative from the Ministry of Industry and Information Technology (MIIT) confirmed to Xinhua that the deadline had been moved at the request of some computer makers. As a result, the deadline of July 1 won't be enforced for PC makers, though the ministry still plans to provide free downloads of Green Dam for schools and Internet cafes as of that date.

"The ministry would also keep on soliciting opinions to perfect the preinstallation plan," wrote Xinhua. News first came out about China's plan to mandate the Web filtering software earlier this month. Green Dam was spun as a way for parents to block porn from their home computers. The blacklists can be updated remotely, however, making Green Dam quite an attractive option for a government that likes to keep tight control over what kind of content its citizens are exposed to.

Soon thereafter, the University of Michigan discovered that Green Dam was plagued with serious security vulnerabilities. Not only can malicious websites easily take advantage of the security bugs to run arbitrary code on the user's computer, but much of the blacklist content was apparently stolen verbatim from commercial filtering programs sold in the US. Exploit code was even published online, but that failed to discourage China's lawmakers at the time—the MIIT insisted that it was still moving forward with the plan as recently as last week.

Posted June 30, 2009 by David Hale in Security News
by Elinor Mills
June 29, 2009 4:24 PM PDT

Max Ray Vision, aka "Iceman," pleaded guilty on Monday to two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $86 million in alleged fraudulent purchases. Vision faces up to 60 years in prison when he is sentenced in October in federal court in Pittsburgh, according to federal public defender Michael Novara.

Vision was arrested in September 2007 and accused of operating an underground forum called "Carders Market" where cybercriminals bought and sold stolen credit card numbers and other data. He was targeted as part of a sting operation in which FBI agent J. Keith Mularski spent two years undercover infiltrating a group of cyberscammers who bought and sold stolen credit card numbers on a rival site called "Dark Market."

In an interview with CNET News in May, Mularski talked about Vision, whose last name used to be Butler: There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name "Iceman," was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert.

Vision had worked as a security consultant before being arrested. In a statement to the court, Novara said: "Max has always preferred using his extraordinary computer skills--his computer vision--for the good of society and the cyberworld, and he hopes that he will be given the opportunity in the future to once again don the white hat."
Posted June 30, 2009 by David Hale in Security News
By Jacqui Cheng
June 29, 2009 8:38 PM CT

Spam levels remained high in June of 2009, and botnets are behind a large majority of it. They cover at least 83 percent of all spam and possibly more, since some of the smaller ones send spam through webmail services to make it seem like they are real people. There's a ton of spam on the Internet—we all are painfully aware of this already.

However, what once required an actual person to send is increasingly being taken over by botnets. A new report from Symantec's MessageLabs says that more than 80 percent of all spam sent today comes from botnets, despite several recent shut-downs. According to MessageLabs' June report, spam accounted for 90.4 percent of all e-mail sent in the month of June—this was roughly unchanged since May. Botnets, however, sent about 83.2 percent of that spam, with the largest spam-wielding botnet being Cutwail.

Cutwail is described as "one of the largest and most active botnets" and has doubled its size and output per bot since March of this year. As a result, it is now responsible for 45 percent of all spam, with others like Mega-D, Xarvester, Donbot, Grum, and Rustock making up much of the difference. The security firm says that many of the smaller botnets send spam through various webmail accounts, making it appear as if a real person was sending the messages. In this sense, there could be an even higher percentage of spam with botnets behind it.

Other items of interest in the MessageLabs report were the fact that instant messenger spam containing links to malware was on the rise, and that image spam continues to grow. Researchers had noted earlier this year that image spam was making a comeback after almost going extinct in 2008, and now MessageLabs says that it accounts for between 8 and 10 percent of all intercepted spam. "Almost certainly sent from a botnet, the emails often contain no hyperlinks," reads the report.
Posted June 26, 2009 by David Hale in Security News
By Jacqui Cheng
June 25, 2009 8:37 PM CT

Two defendants in a scareware scam case have settled with the FTC after showing that they had no means to pay the organization's previous $1.9 million order. The scammers now only have to fork over their illegally obtained earnings—unless they somehow manage to find that extra money later, that is.

The Federal Trade Commission has settled a case involving two scareware scammers. The settlement will relieve the two defendants of having to fork over almost $1.9 million as part of a judgment made against them, but will still require them to forfeit $116,697 in assets to the FTC. The two defendants, James Reno and ByteHosting Internet Services, LLC, were based out of Cincinnati when they began their "massive deceptive advertising scheme."

The two supposedly conned over a million customers into buying computer security software (such as WinFixer, WinAntivirus, DriveCleaner, XP Antivirus, and more) that ended up falsely claiming that it had found viruses, spyware, and porn on people's machines. The software would then ask for money in order to rid the computers of these fake viruses. The FTC received an injunction in 2008 barring ByteHosting and Reno from falsely representing that any sort of security analysis had been conducted.

In December, the FTC got them permanently banned from engaging in scareware marketing and required them to provide monetary relief to customers who were unfairly cheated by their schemes. The settlement announced today, however, will suspend the $1.9 million that Reno and ByteHosting would have paid—the FTC says this is because of their inability to pay the full amount. Instead, the defendants will just have to fork over all gross revenues that they made from the scam.
Posted June 25, 2009 by David Hale in Security News
by Adrian Kingsley-Hughes
June 24th, 2009 @ 10:54 am

Yesterday I downloaded the installation files for Microsoft Security Essentials beta, Microsoft’s free consumer antimalware program. So, is it any good? Well, so far I’ve got as far as downloading the files, installing the application on a couple of test machines (You don’t think I’m brave/crazy enough to roll this out on production machines, do you?), setting it up and throwing a few test viruses at the app. So far, so good, but I’ve still got a lot of questions:

* What’s stability like?
* How quickly will the app respond to new threats?
* How much of a performance hit is the app on systems, especially when running scans?
* How long until hackers start busting holes in the app?
* What will other security vendors make of it?

These and more questions will be answered at some point in the future … So far though, so good. Microsoft Security Essentials seems pretty primitive (no email integration, for example), and I’m surprised it doesn’t integrate better with Windows Firewall. That said, basic antimalware software is much better than none at all, so it’s hard to complain about it. By the way, if you haven’t downloaded the installation files for Microsoft Security Essentials beta, you’ve missed the boat now because Microsoft closed the door on downloads.
Posted June 25, 2009 by David Hale in Security News
by Elinor Mills
June 24, 2009 4:59 PM PDT

Venture capitalist Guy Kawasaki got more than he bargained for from an automated feed he set up on his Twitter account. Some of Kawasaki's more than 139,000 Twitter followers noticed something strange when they saw a particular non-VC-related tweet sent from his account on Tuesday.

The update advertised a sexy video of "Gossip Girl" star Leighton Meester and had a link leading to a site where, if the visitor clicked to view the video (and ostensibly download a necessary codec), a Trojan called OSX/Jahlav-C for the Mac OS would be installed instead, Graham Cluley wrote on his blog on Wednesday for antivirus vendor Sophos. Kawasaki told The Wall Street Journal his account is set up to redistribute updates from NowPublic, a user-generated news site.

The auto-published tweet was from a NowPublic feed that was not moderated by the site, NowPublic co-founder Michael Tippett told the WSJ later. "Auto-feeds on Twitter can be quite risky," Michael Argast, a security analyst for Sophos, told CNET News. Kawasaki's account wasn't the only one redistributing the malicious link; the same tweet was sent from other lower-profile accounts.
Posted June 24, 2009 by David Hale in Security News
By Jaikumar Vijayan
June 23, 2009 09:35 PM ET

Defense Secretary Robert Gates today approved the creation of a unified U.S. Cyber Command to oversee the protection of military networks against cyber threats. In a memorandum issued today to the Joint Chiefs of Staff, Gates said he intends to recommend to the President that the new command be led by the director of the National Security Agency (NSA) Lt. General Keith Alexander.

Gates directed the Commander of the U.S. Strategic Command, General Kevin Chilton, to develop implementation plans for USCYBERCOM, as the new unified command will be called. The plans are due by Sept. 1 and need to include the new command's mission, roles and responsibilities, reporting structures, and accountability measures, Gates said. The new command will most likely be headquartered in Fort Meade, MD, and will reach initial operating capability by October, and full operating capability by October 2010, Gates said in his memo.

The "subordinate unified" cyber command will operate under U.S. Strategic Command for military cyberspace operations. Gates also ordered the Under Secretary of Defense for Policy to develop policies and strategies for what he described as a comprehensive approach to Department of Defense cyberspace operations. The proposal to create the new command has been expected for some time now and is part of an effort to address growing threats to Department of Defense and Pentagon networks from a wide range of foreign and domestic threats.

As part of its mission U.S. Cybercom is also expected to develop a range of offensive cyber warfare capabilities. The proposal for Cybercom is part of a broader effort by the Obama administration to bolster federal and military cybersecurity capabilities. It comes a few weeks after President Obama announced the creation of a White House cyber security coordinator role and plans to develop a comprehensive national strategy for protecting U.S. interests in cyberspace.
Posted June 24, 2009 by David Hale in Security News
by Mary Jo Foley
June 23rd, 2009 @ 6:31 am

Just a quick reminder: Microsoft plans to allow the public to download a beta version of “Morro,” now known as Microsoft Security Essentials (MSE) on June 23, starting around 9 a.m. PT. Update (8 a.m. PT): The beta download is now live. Or maybe not. It was for a minute, there…. MSE is the free antivirus/anti-malware product that is replacing Microsoft’s paid Windows Live OneCare subscription service.

It is aimed primarily at users who can’t or won’t pay for security software. Here are the details about today’s beta kick-off:

Who is eligible: Anyone in the U.S., Israel or Brazil who wants to try MSE on XP SP2, Vista or Windows 7 (Beta or Release Candidate) can grab the beta. Last week, Microsoft officials told me there was no cap planned for the beta, but shortly thereafter a spokesperson said the beta will be capped at 75,000. “This could change though depending on what the download scenario is,” he added.

Download site: Testers will be able to download MSE beta from Microsoft Connect by going to this page: http://www.microsoft.com/security_essentials/ .

Versions: The MSE beta will be available in 32- and 64-bit flavors. It will be available in English and Brazilian Portuguese on June 23 and simplified Chinese some time later this year. Update: The beta is restricted by country. The beta site says: “This beta is available only to customers in the United States, Israel (English only), People’s Republic of China (Simplified Chinese only) and Brazil (Brazilian Portuguese only).”

How long will the beta be available: Microsoft plans to keep the beta open until the cap is reached or the final product is available, whichever comes first.

When is the final MSE release due: Official word is before the end of calendar 2009. I’ve seen several bloggers saying this fall.
Posted June 23, 2009 by David Hale in Security News
By Nick Farrell
Tuesday, 23 June 2009, 10:36

US SPAM KING Alan Ralsky has admitted charges that he and others committed fraud by manipulating the prices of dodgy Chinese stocks. PC World reports that Ralsky, 64, and seven co-conspirators allegedly engaged in a spam campaign during 2004 and 2005 to pump up the prices of thinly traded Chinese penny stocks on US exchanges.

After trading volumes and prices of the over-the-counter 'pink sheet' stocks rose, the spam gang sold off all their shares. Spammer kingpin Ralsky, who was convicted of bank fraud in 1995 and once boasted of sending 70 million spam emails per day, pleaded guilty to conspiracy to commit wire and mail fraud, violating the US CAN-SPAM Act and money laundering along with four other defendants on Monday in US District Court in Detroit.

Ralsky, of Bloomfield Hills, Michigan, faces a possible sentence of 87 months in federal prison along with a $1 million fine. His son-in-law, Scott Bradley, 38, pleaded guilty to the same charges and is looking at 78 months porridge plus a $1 million fine. John Brown, 45, of Fresno, California admitted to creating a botnet to distribute the spam and pleaded guilty to the same charges plus conspiracy to commit computer fraud.

He is facing 63 months in gaol and a $75,000 fine. William Neal, 46, also of Fresno, and James Fite, 36, of Culver City, California, also pleaded guilty in the case. The five defendants will be sentenced on October 29. Charges are still pending against three more defendants. Alas, the US doesn't have the death penalty for spammers.