Posted June 19, 2009 by David Hale in Security News
by Elinor Mills
June 18, 2009 1:09 PM PDT

Microsoft will launch a public beta of its anti-malware service, Microsoft Security Essentials, on Tuesday as it phases out its Live OneCare suite in favor of a simpler free consumer security offering. Microsoft Security Essentials, which will run on Windows XP, Vista, and Windows 7, will be available in the U.S., Brazil, and Israel in English and Brazilian Portuguese.

A public beta version for Simplified Chinese will be available later in the year. The service works like traditional antivirus products in which client software monitors programs on a PC. When something changes on the computer, such as files being downloaded or copied or software trying to modify files, the system checks against a set of malware signatures in the client program to see if the code matches the signature for known malware. If so, it blocks it from getting downloaded.

If no signature match is found, the system will ping the server-based Dynamic Signature Service to see if any new signatures are available and, if so, it removes the malware. If it appears to be new malware, the Dynamic Signature Service may request a sample of the code in order to create a new signature. The service updates its anti-malware database constantly and publishes new antivirus signatures to Microsoft Update three times a day, Alan Packer, general manager of Microsoft's Anti-Malware team, said in an interview on Thursday.

"The hope is that people who install Security Essentials and enable auto updates in their Windows configuration will be protected" automatically, he said. The service also includes new technologies that help protect against rootkits, programs that are designed to hide the fact that a PC has been compromised, and is also designed to run efficiently by scanning when the PC is idle and conserving on memory usage.
Posted June 19, 2009 by David Hale in Security News
By Jaikumar Vijayan
June 18, 2009 05:54 PM ET

The unrest in Iran is serving as a warning on how easy it is for individuals and groups to use a social networking tool like Twitter to mobilize a cyber-army against a political or commercial target anywhere in the world.

Over the past few days, news media reports have described how Twitter is being used by ordinary Iranians to receive and broadcast real-time information on the political unrest in the country after recent elections. But a still developing and less benign use of Twitter in Iran has been its application in denial-of-service attacks against key government officials, including those affiliated with President Mahmoud Ahmedinejad.

Initially, the tweets directed users to online locations with links that users could click on to participate in a DoS attack against a particular Iranian Web site, said Richard Stiennon, founder of IT-Harvest, a Birmingham, Mich.-based consultancy. A Google Doc circulating on the Web, for instance, lists several URLs pointing to Iranian Web sites listed by categories such as "Governmental and HARDLINE NEWS," "Police, Ministry of Interior," "Central Bank," "Commerce Banks" and "Office of Ahmadijenad and Khameneie."

When a user clicks on any of the links, it initiates a continuous stream of page refresh requests to the targeted Web site that will eventually overcome the site if enough people click on the link. More recently, tweets have begun circulating that allow users to achieve the same result by simply clicking on the embedded URL in the message. As soon as a user hits the page, as many as 24 frames open up simultaneously and refresh continuously, causing a DoS attack against the 24 separate Web sites, Stiennon said.

Posted June 18, 2009 by David Hale in Security News
By Nick Farrell
Thursday, 18 June 2009, 10:08

CREATOR of perfect hardware and software, Apple has released a patch bundle indicating that things might not be as unblemished as the PR spin would have us believe. Apple released 45 software patches to fix security vulnerabilities (which its hardware is not supposed to suffer from) in its popular Iphone and Ipod Touch mobile devices.

Most users would not notice them because they were issued as part of the Iphone 3.0 operating system. While the tame Mac press rushed to praise Apple for its "stellar security" reputation it had to admit that 45 is a large number when it comes to counting patches. If it were Microsoft releasing this many the Mac Fanbois would be dribbling with bile by now. Linux fanbois would just laugh at them both, of course.

The Mac press has pointed out that analysts have yet to uncover any malicious software targeting the Iphone since Apple got into the mobile phone market two years ago. But then again viruses for the mobile market are rare.
Posted June 18, 2009 by David Hale in Security News
By John Oates
18th June 2009 09:38 GMT

Facebook is facing a difficult future as it tries to exploit user data to turn a profit - European regulators are considering sweeping reform of data regulations to prevent social networks from over-exploiting the private data of their users. Changes would extend data protection rules to third party application developers which use social networking profile data to function.

They would also extend European data protection rules to firms operating in Europe - not just those based in Europe. Social networking sites increasingly rely on third party application developers, not just to make their sites more attractive to users, but also to turn a profit. The proposals are not law yet but are contained within an unpublished report from the Article 29 Data Protection working party obtained by the FT.

Article 29 is made up of European data protection regulators and other experts - the UK is represented by Information Commissioner Richard Thomas. The group has previously clashed with Google over the anonymising of IP addresses. The group is also concerned at how corporate marketeers are using social networking sites to sell their wares. They should also face stronger regulation, the group believes.

The stronger rules could even apply to people with thousands of acquaintances or contacts on such sites. Facebook has already got in trouble with its users over how their data is handled. Much of the problem is transparency - how much data does the company hand over to third party developers and what do they do with it?
Posted June 17, 2009 by David Hale in Security News
17 June 2009, 10:00

JIANGMIN, the Chinese software house behind the Internet filter that's being mandated by the glorious People's Republic, has admitted that its "Green Dam Youth Escort" has a serious security vulnerability. The company said the filtering software has a backdoor that hackers can exploit with maliciously crafted websites to place Trojan malware on users' PCs that can spread viruses or even take over systems remotely.

The security loophole apparently exists in the Green Dam's website filtering function. About 50 million Chinese Internet users have installed the Green Dam product so far, with more expected to adopt it after it's bundled with all PCs shipped in China from 1 July. Jiangmin is suggesting that users stop using the website filtering function until it can release a patch.
Posted June 16, 2009 by David Hale in Security News
By Gregg Keizer
June 16, 2009 12:54 PM ET

A URL-shortening service that condenses long Web addresses for use on micro-blogging sites like Twitter was hacked over the weekend, sending millions of users to an unintended destination, a security researcher said today.

After Cligs, a rival to the better known TinyURL and bit.ly shortening services, was attacked Sunday, more than 2.2 million Web addresses were redirected to Kevin Saban's blog, which appears on the Orange County Register's Web site. Noticing a dramatic upswing in traffic, Saban -- who uses Cligs in his Twitter messages to shorten URLs -- contacted Pierre Far, the creator of Cligs.

"Quite curious," was how Graham Cluley, a senior technology consultant with security company Sophos, put it. "Our first thought was that it was a spam campaign, that the hack would redirect [users] to a porn site perhaps, but it seems that [Saban] was entirely innocent. Very bizarre." Cluley's take was fueled by the assumption that the vast majority of criminal activity on the Internet is based on the profit motive, and here there didn't seem to be one.

"Maybe this was a mistake on the part of the hackers," he said. "Maybe they just got the [shortened] URL wrong, and meant to direct users to a different site." That site, he said, could have been a malware-infected address where exploits lay in wait. Or to a spam destination, since spammers have used shortened URLs

Posted June 16, 2009 by David Hale in Security News
By Robert McMillan
June 15, 2009 08:29 PM ET

An apparently ad-hoc cyber protest against the results of recent Iranian elections has knocked key Web sites offline. On Monday, sites belonging to Iranian news agencies, President Mahmoud Ahmadinejad and Iran's supreme leader Ayatollah Ali Khamenei, were knocked off-line after activists opposed to the Iranian government posted tools designed to barrage these Web sites with traffic.

This type of attack, known as a denial of service (DoS) attack, has become a standard political protest tool, and has been used by grassroots protesters in several cyber-incidents over the past few years, including cyber events in Estonia in 2007 and Georgia last year. Activists had encouraged anti-government protesters to use automatic Web page refresh tools such as Pagereboot.com to hit government-run sites.

But they have also developed custom DoS tools. One such tool, called BWRaeper, was posted to an Iranian sports discussion forum on Monday. Others are being promoted via Twitter and blogs, and hosted by activists in the U.S. The "campaign is starting to target international users, compared to the original one aiming to recruit Iranians only," said Dancho Danchev, a security consultant who has blogged about the tools. "Judging by the effect this crowdsourcing is having, they've disrupted the sites set as targets."

Danchev counts 12 sites as being under attack, including other news agencies, the Ministry of Foreign Affairs, Ministry of Justice, National Police, and the Ministry of the Interior. In response to the attacks, state-sponsored Iranian News site Fars News added a small piece of Web code that redirected the attack to pro-opposition Web sites, Danchev said via instant message. "Apparently, they thought that the attackers wouldn't stop their attack since they were also indirectly loading the [attack code]," he added. "They, however, didn't stop the attack."
Posted June 15, 2009 by David Hale in Security News
by Elinor Mills
June 12, 2009 3:38 PM PDT

In a move that could land Sanford Wallace in jail if convicted, a federal judge on Friday referred a lawsuit Facebook filed against the "spam king" to the U.S. Attorney's office for possible criminal proceedings. A written ruling from Judge Jeremy Fogel in U.S. District in San Jose, Calif., is expected early next week, a court clerk said.

The action came at a hearing on a Facebook motion that Wallace be found in criminal contempt for allegedly continuing to send spam on Facebook. Facebook sued Sanford and two others in February alleging they used phishing sites or other means to fraudulently gain access to Facebook accounts and used them to distribute phishing spam throughout the network. The judge had earlier entered a preliminary injunction against Wallace for failing to appear in court for the original proceedings, said Sam O'Rourke, Facebook's lead counsel for litigation and intellectual property.

Wallace appeared in court on Friday in what is believed to be his first court appearance in any of the cases filed against him, according to O'Rourke. Facebook also had asked for a default judgment in the case, but the judge was prevented from taking action on that since Wallace filed for Chapter 11 bankruptcy protection on Thursday and civil actions seeking monetary sanctions are automatically stayed when a defendant files for bankruptcy, O'Rourke said. Facebook believes Wallace filed for bankruptcy to avoid a default judgment and criminal contempt order, he said.

Facebook plans to ask the bankruptcy court to lift the stay so a ruling can be made on the default judgment to become a creditor, O'Rourke said. "We're very pleased Judge Jeremy Fogel agreed that there were grounds for criminal contempt and that the U.S. Attorney's office should investigate Wallace," Facebook said in an e-mail statement. "Wallace filed for bankruptcy, which is not unexpected and only delays our judgment temporarily. We will continue to pursue the judgment and will be reviewing his filing very closely."

Posted June 15, 2009 by David Hale in Security News
By Gregg Keizer
June 12, 2009 12:10 PM ET

Mozilla on Thursday patched 11 vulnerabilities in Firefox, more than half of them labeled "critical." The update was the first since late April, when Mozilla rushed out a refresh to plug a hole that the company's developers had inadvertently introduced in the Windows version of the browser, and came just days after the launching of a "tweener" build of the upcoming Firefox 3.5.

Of the 11 flaws fixed in Firefox 3.0.11, six were rated critical, one "high," two "moderate" and two "low" in Mozilla's four-step system. Three of the six critical bugs were in the browser's rendering and JavaScript engines, a frequent target of Mozilla's patching. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in the advisory for the engine patches, using its now-standard boilerplate language.

The SSL tampering vulnerability was reported to Mozilla by three researchers working for browser rival Microsoft, and a fourth at Purdue University. The four -- Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang -- co-wrote a paper titled "Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments," that they published May 1 (download PDF). Mozilla ranked the vulnerability as "high." Other patches prevent hackers from pinching browser cookies, executing JavaScript attack code and spoofing Web addresses.

Thursday's update was the fifth this year for Firefox 3.x, but not the first for Mozilla's browsers this week. On Monday, Mozilla rolled out Firefox 3.5 Preview, a build the company said is a near-finished version of the official Release Candidate, or RC. Although new-found bugs had delayed the RC's release yet again, Mozilla wanted to get something in testers' hands, and so took the unusual step of delivering the Preview. At this point, Mozilla has not set a schedule for posting Firefox 3.5 RC, once slated to appear the first week of June.
Posted June 12, 2009 by David Hale in Security News
by Elinor Mills
June 11, 2009 7:13 PM PDT

The abstract concepts of "botnet" and "Trojan" just became a lot more concrete for me. In less than an hour on Thursday, I was able to use programs readily available on the Internet underground for as little as $300 to infect several Windows clients and take complete control of them in a test environment.

In contrast to the real world, the McAfee Malware Experience event, which was akin to a Malware 101 class (or, in my case, Malware for Dummies), served up printed step-by-step instructions for us nonhacker journalists. But McAfee researchers said the programs used--real samples of malicious code from the wild--were not particularly sophisticated and any script kiddie could manage them easily.

First, I used a tool to infect a PC with a Sub Seven Trojan. With a few clicks it was on the client and I had remote access to everything on that machine via a so-called "back door." A management console provided an easy-to-use interface, including drop-down menus with names like "Fun Manager."

Feeling mischievous, I used the "flip screen" feature so that everything on the victim's PC was upside down and I changed the colors for the desktop and background to Hello Kitty hues of pink and orange. If I wanted to be nastier I could have directed the victim's browser to a URL of my choosing, turned on the client's Web cam, taken control of a chat session, printed out obscenities on the networked printer, or hidden the desktop or mouse from sight.
Posted June 11, 2009 by David Hale in Security News
by Mary Jo Foley
June 10th, 2009 @ 3:57 pm

Last fall, Microsoft announced its intentions to deliver a free replacement for its OneCare antivirus/anti-malware product for Windows PC consumers. Since then, company officials repeatedly have refused to provide any more info on Morro’s status (beyond the promised Q2/Q3 2009 launch date).

It would stand to reason that date must be close, since Microsoft has been removing OneCare from the channel for the past couple of months. And, as one of my readers noted today: “I thought OneCare was supposed to die in June, and working for a small business, I’m trying to figure out if we can play wait-and-see on it or if we really need to plunk down $1k for antivirus licenses for everybody. (Right now we’re not running anything! Eek!)”

Yes, reader, OneCare is only available at retail through June 30, 2009. But I haven’t been able to get Microsoft to provide any guidelines on when and whether the company planned to launch a public or private external test build of Morro. (I ask periodically, to no avail.)

However, Reuters seemed to have more luck: “A Microsoft spokesman said on Wednesday (June 10) that the world’s biggest software maker is testing an early version of the product with its own employees. Microsoft would ’soon’ make a trial version, or product beta, available via its website, he added, but declined to provide a specific date.”
Posted June 11, 2009 by David Hale in Security News
by Elinor Mills
June 10, 2009 5:27 PM PDT

Like many people, I'm worried about identity fraud. Not paranoid, just generally curious what the chances are that I could be victimized by things like mail theft. Sure, I could sign up for one of the fee-based identity fraud monitoring services like LifeLock or Debix, or I can get a credit report that might give me some clue that a credit card has been taken out by someone else in my name.

Now there is a Web site that offers an assessment of a person's identity fraud risk for free. The My ID Score site was recently launched by ID Analytics, which offers corporations and consumers services to protect them against identity fraud. The site scans the company's ID Network, billed as the largest identity fraud database in the U.S., to see what types of activities and transactions have been made in your name.

It looks at hundreds of variables and data points and then looks for anomalies, such as credit card applications on the same day with different addresses or pre-paid cell phone purchases in a short period of time, said Thomas Oscherwitz, chief privacy officer at ID Analytics. The site focuses on transactions that use your personal data and does not look at account fraud in which someone uses your stolen credit card or in which your credit card data was stolen in a network breach at a payment processing company, for example.

"We look at events within the network, such as whether someone is using your information to apply for credit cards," he said. I tried the site out and am happy to report that my score was 63, indicating low risk. Most people fall within the range of 1-450, which is considered moderate risk, according to Oscherwitz. A score of 600 and above is considered high risk, he said. The site asks for basic information such as name, address, phone number, and date of birth.
Posted June 09, 2009 by David Hale in Security News
by Ryan Naraine
June 9th, 2009 @ 3:07 pm

Adobe has issued its first ever scheduled quarterly update for its Reader/Acrobat product line, a mega-patch covering 13 documented security vulnerabilities. The patches address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions.

“These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory. The company also acknowledged it has silently fixed several security problems that are not being publicly documented. Some raw details on today’s update:

* This update resolves a stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1855).
* This update resolves an integer overflow that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1856).
* This update resolves a memory corruption vulnerability that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1857).
* This update resolves a memory corruption vulnerability in the JBIG2 filter that could potentially lead to code execution (CVE-2009-1858).
* This update resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1859).
* This update resolves a memory corruption vulnerability in the JBIG2 filter that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-0198).
* This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution (CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889).
* This update resolves multiple heap overflow vulnerabilities that could potentially lead to code execution (CVE-2009-1861).

The patches apply only to Windows and Mac users. The company said updates for Adobe Reader on the UNIX platform will be available on June 16, 2009.
Posted June 09, 2009 by David Hale in Security News
By Gregg Keizer
June 9, 2009 04:10 PM ET

Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer (IE), Excel, Word, Windows Search and other programs, including 18 bugs marked "critical."

Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. Eighteen of the 31 bugs were ranked critical, Microsoft's most serious ranking in its four-step score, while 11 were tagged as "important," the next-lowest label, and two were judged "moderate." The total bug count was the most patched by Microsoft in a single month since the company began regularly-scheduled updates in 2003.

The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. "This is a very broad bunch," said Wolfgang Kandek, chief technology officer at security company Qualys, "compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow."

Security experts were all over the map when it came to naming which fixes to deploy first. "IE's, by far, takes the cake," said Andrew Storms, director of security operations at nCircle Network Security. "It's a client-side bug, there are eight CVEs and there's no doubt that it will be exploited." As Storms said, MS09-019 patches eight separate vulnerabilities in Microsoft's Internet Explorer browser.

Posted June 09, 2009 by David Hale in Security News
By Dan Goodin
9th June 2009 00:52 GMT

A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.

"Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases," writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. "To address this lack, Apple should integrate secure software development into all internal development efforts."

Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.

Mogull's suggestion was one of five he made recently to ensure the company is doing everything it should to safeguard its customers. "It's clear that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges," he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.