Showing posts with label Security. Show all posts

Monday, May 30, 2011

Networking Equipment Manufacturer Exposes Secret Password Recovery Procedures

Posted by NEWS on 01:34

Networking equipment manufacturer Allied Telesis has accidentally leaked an internal support document describing backdoors into its devices.

The document, which was labeled as "INTERNAL ONLY," was inadvertently made public on its website and subsequently indexed by Google.

The entry answered the question "How do I obtain a backdoor password for my Allied Telesis device" and contained solutions for different types of network switches.

"Depending on the device that you are locked out of, there is either a built in Backdoor function, or a way to generate a password, based on the MAC address of the device," the support entry read.

In addition, it had several files attached, including default password lists, a password generator program and special instructions.

The content was copied and posted on file sharing websites before the company had a chance to remove it from public access.

"The Backdoor Passwords listed here are INTERNAL ONLY. Do not give this information freely to any customer as this can compromise a network," a note on the document reads.

This warning has sparked fears that attackers could use the information to attack network switches; however, these procedures require physical access to the devices.

The manufacturer claims they are industry standard password recovery features and says the use of the term "backdoor" was unfortunate.

"All documentation describing this password recovery process as a proprietary 'backdoor' feature is incorrect, and has been removed from the website," Allied Telesis said, according to threatpost.

"By definition this is not a 'backdoor' feature; it is a standard password recovery process for a person who has physical access to the device," it added.

Nevertheless, security experts have argued that the use of MAC addresses to generate backup administrative passwords is not secure because they can be easily determined.

Chris Wysopal, chief technology officer at Veracode, said that vendors could use cryptographic methods to sign the password reset commands and have the devices verify them.
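As an added illustration of the point Wysopal makes (not code from Allied Telesis or from the article), here is a sketch of a recovery scheme in which the device verifies a vendor-issued, device-bound and expiring reset token instead of deriving the password from the publicly observable MAC address. The vendor key, token format and function names are assumptions made for this example, and HMAC stands in for the asymmetric signature a real deployment would use so that the snippet needs only the Python standard library.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed, hypothetical vendor secret for this illustration only.
# A real deployment would put only a public key in the device firmware and keep an
# asymmetric signing key at the vendor; HMAC is used here to stay standard-library only.
VENDOR_KEY = b"example-vendor-recovery-key-NOT-REAL"
TOKEN_LIFETIME_SECONDS = 15 * 60


def parse_mac(mac: str) -> bytes:
    """Normalise 'aa:bb:cc:dd:ee:ff' / 'AA-BB-CC-DD-EE-FF' / 'AABBCCDDEEFF' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def _message(mac: str, challenge: bytes, expiry: int) -> bytes:
    # Fixed-width encoding: no two (mac, challenge, expiry) triples share a byte string.
    return b"RESET-v1" + parse_mac(mac) + challenge + struct.pack(">Q", expiry)


def device_new_challenge() -> bytes:
    """Device side: a fresh 128-bit nonce displayed on the console when recovery starts."""
    return os.urandom(16)


def vendor_issue_token(mac: str, challenge: bytes, now=None):
    """Vendor side: bind the token to this device, this challenge and a short expiry."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_LIFETIME_SECONDS
    tag = hmac.new(VENDOR_KEY, _message(mac, challenge, expiry), hashlib.sha256).digest()
    return expiry, tag


def device_verify_token(mac: str, challenge: bytes, expiry: int, tag: bytes, now=None) -> bool:
    """Device side: accept the reset only if the tag is valid, unexpired and for this challenge.

    Knowing the MAC alone is useless to an attacker: the secret is the vendor key,
    and the challenge makes a captured token single-use.
    """
    now = int(time.time()) if now is None else now
    if now > expiry:
        return False
    expected = hmac.new(VENDOR_KEY, _message(mac, challenge, expiry), hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak how much of the tag matched.
    return hmac.compare_digest(expected, tag)


def demo() -> bool:
    """One recovery plus one replay attempt; True if the device behaves correctly."""
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    challenge = device_new_challenge()
    expiry, tag = vendor_issue_token(mac, challenge, now=1_000_000)
    accepted = device_verify_token(mac, challenge, expiry, tag, now=1_000_100)
    # The same token presented against a later challenge (a replay) must be rejected.
    replayed = device_verify_token(mac, device_new_challenge(), expiry, tag, now=1_000_100)
    return accepted and not replayed


if __name__ == "__main__":
    print("device accepted the valid token and rejected the replay:", demo())
```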

Allied Telesis is now working to have the information removed from the websites that reposted it, and has also informed its support personnel about the leak.


DNSSEC Adoption Endangered by Controversial US Anti-Piracy Bill

Posted by NEWS on 01:33

A group of renowned experts has released a technical paper warning members of the US Senate that the DNS-related provisions of a new anti-piracy bill endanger DNSSEC deployment and the security of the Internet infrastructure.

The controversial PROTECT (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act) IP Act proposes some very aggressive anti-piracy measures, some of which rely on DNS servers to blacklist domains that participate in copyright infringement.

The group of DNS experts, which includes Dan Kaminsky, the researcher who discovered a critical DNS flaw that pushed forward the adoption of DNSSEC, Steve Crocker, vice chair of the board of ICANN, Damballa co-founder David Dagon, VeriSign chief security officer Danny McPherson, and Paul Vixie, chairman, chief scientist and founder of Internet Systems Consortium, claim the PROTECT IP provisions are contrary to the US government's commitment to Internet security.

Domain Name System Security Extensions (DNSSEC) are a suite of specifications meant to secure DNS, one of the critical components of the Internet infrastructure.

With DNSSEC, the answers that authoritative servers return to DNS resolvers are digitally signed, which ensures the integrity and authenticity of responses. This prevents DNS cache poisoning and other attacks.

"DNS filters would be evaded easily, and would likely prove ineffective at reducing online infringement. Further, widespread circumvention would threaten the security and stability of the global DNS," the experts write in their paper.

"The DNS provisions would undermine the universality of domain names, which has been one of the key enablers of the innovation, economic growth, and improvements in communications and information access unleashed by the global Internet," they add.

Furthermore, the PROTECT IP provisions encourage migration away from ISP-provided DNS servers. This is a problem because many ISPs use DNS data to detect security threats on their networks and improve performance.

The experts feel that the goals of the bill can be reached through other means, such as international cooperation on prosecutions, without endangering DNS security and stability.


Friday, May 27, 2011

'Dislike' Button Scam Rapidly Propagating on Facebook

Posted by NEWS on 19:32

Security researchers at the security firm Sophos have recently revealed that Facebook scammers are tricking users into pasting rogue code into their web browser's address bar in order to get a "Dislike" button added to their options.

The spam messages published by victims say "Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!"

The scam replaces the Share link that normally appears under the message with an "Enable Dislike Button" link. Anyone who clicks it shares the spam message from their own account with all their friends and contacts; it also runs malicious code on their system.

Graham Cluley, Senior Technology Consultant at Sophos, cautioned that, as Sophos had explained before, there is no official or authorised Dislike button offered by Facebook, and there was never likely to be one. He added that it nevertheless remains something many Facebook users would like, which is why scammers regularly use the offer of a "Dislike button" to lure unsuspecting users, as reported by Global Tvbc on May 18, 2011.

Another scam using the Dislike button lure is circulating by prompting users to paste malicious JavaScript code into their web browser's address bar.

This tactic is low-tech and ought to raise plenty of suspicion, but numerous users are still falling for it.

Commenting on these spam campaigns, which distribute rogue code as part of their execution, Facebook spokesman Fred Wolens stated that the spammers have reworked their activities so that they evade Facebook's scam detection systems, as reported by ebrandz on May 18, 2011.

Wolens added that users should be cautious and spread awareness, and should make sure their friends are wary of the messages and alerts posted on their walls. Anyone who receives such a message should immediately hide it or mark it as spam. Marking the message as spam is the better option, as users then help Facebook improve its defences against future campaigns.

In conclusion, Wolens stated that Facebook is learning and improving its defences with every new spam campaign and every iteration of its countermeasures.


UK Student Hacker Gets Suspended Jail Sentence Over Malware Scam

Posted by NEWS on 19:31

A 22-year-old UK university student, Paul McLoughlin, has been given a suspended prison sentence after being arrested for using malware to steal users' login credentials for websites related to, as reported by PC World on May 18, 2011.

The Metropolitan Police Central e-Crime Unit (PCeU) stated that McLoughlin was held responsible for compromising passwords from around 100 users and 20 user accounts, including one at his own university, Salford University, as reported by PC World on May 18, 2011.

The offender tricked victims into installing what was supposed to be a tool for bypassing game licensing, which concealed within it the readily available and effective Windows password-stealing utility called iStealer.

Once installed, the tool harvests a wide range of passwords from the computer, including those for e-mail, web browsers, instant messaging and social networking websites, as well as his deliberate target, gaming websites and services.

McLoughlin's crimes came to light after a US citizen and iStealer victim contacted Salford University, which passed the matter on to the police.

On investigating, police eventually traced the attack to software posing as a gaming utility that McLoughlin had uploaded to file-sharing networks. Police, working closely with the security vendor McAfee and the University of Salford, recovered the encrypted details of an FTP server embedded within the malware, a finding that identified McLoughlin as the key offender in this case.

Investigators believe the offender was motivated by a desire to access free gaming services rather than to make money from the scheme; McLoughlin received an eight-month sentence, suspended for 12 months.

Commenting on the case, Colin Wetherill, Detective Inspector at the Police Central e-Crime Unit, stated that a prosecution for this particular offence is unusual and falls under section 3A of the Computer Misuse Act 1990. He added that, in their efforts to keep the Internet a secure place, they will actively investigate and prosecute cybercriminals using these tactics, while applying the experience gained to their investigations into those engaged in more serious and organised forms of cybercrime, as reported by The Register on May 18, 2011.


Thursday, May 26, 2011

Novel Version of Alureon Malware Identified

Posted by NEWS on 07:34

A new variant of the Alureon Trojan (also known as TDSS, TDL and Tidserv) has recently been identified by Microsoft researchers, as reported by HELP NET SECURITY on May 17, 2011.

The Alureon Trojan has existed since 2007. Its main task is to let the criminal intercept inbound and outbound Internet traffic so that he can gather private data such as login details and credit/debit card details, and also to let him load additional malware onto the compromised machine.

Alureon is a well-known and widely researched malware family that has rootkit-like capabilities in some of its variants. The latest version displays behaviour that researchers have not observed before, which makes it harder for anti-malware software to detect and harder for analysts to break down into its components.

Over time, the Alureon family of Trojans has been modified to gain rootkit capabilities and has used numerous tactics to stay hidden from the PC's user as well as from AV solutions.

Microsoft took the latest version of Alureon apart and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.

Commenting on the matter, Dennis Fisher, Researcher at Microsoft, stated that a specific set of files was taking longer than usual to display malicious behaviour compared with others. The researchers set out to find the reason and ended up with a link to the past: the malware was using Win32/Crypto-style decryption to evade anti-virus solutions, as reported by Threat Post on May 16, 2011.

He added that the decryption routine keeps a record of all previously tried keys, to avoid using the same key again and thus running for an extraordinarily long time on the user's computer. This means the function will try at most 255 keys before finding the right one. The magic value used in the final decryption step is recovered beforehand from the header of the encrypted file.

The researchers added that these are not the only obfuscation and evasion tactics this new variant uses. It also distributes the encrypted data across the code, data and resource sections, further hindering static recovery of the encrypted file.


Ratio of Malicious Downloading: Microsoft

Posted by NEWS on 07:33

Microsoft stated on Tuesday (May 17, 2011) that one out of every 14 programs downloaded by Windows users displays the presence of malicious software.

Although modern browsers are well equipped with security features designed to warn users and block unsafe software, about 5% of users generally ignore these warnings and end up downloading malicious Trojan horse programs.

Even five years ago it was quite easy for hackers to steal or decode information from computers: innumerable browser bugs existed and many users were poor at patching. Today browsers have become more secure, and software developers can push out patches quickly when a problem arises.

So instead of breaking the browser, hackers use a method called social engineering. For instance, the method is used to spread spam among users of the social network Facebook: under the guise of offering important or juicy news, users are lured into clicking on a malicious program.

According to Alex Stamos, a founding partner of iSEC Partners, a security consultancy, attackers are well acquainted with the fact that users cannot easily be fooled into downloading Trojans, as reported by COMPUTERWORLD on May 17, 2011.

These social-engineering hackers also infect victims by hacking into web pages and popping up fake antivirus warnings that look like messages from the operating system: "Download these and you're infected."

Enterprises are also potential victims of a kind of social-engineering technique called spear phishing. Here the criminals take time to research their victims and craft a special program or malicious document attractive enough to entice them.

According to Joshua Talbot, a manager with Symantec Security Response, attackers are quite intelligent and take full advantage of any event that may draw people's attention. Tracking the 50 most popular malicious programs during 2010, Symantec found that 56% of the attacks involved Trojan horse programs, as reported by COMPUTERWORLD on May 17, 2011.


Spammers Didn’t Switch their Tactics during Q1-2011

Posted by NEWS on 07:32

According to Kaspersky Lab's first quarterly report for 2011, cybercriminals made little use of new techniques for distributing spam and stuck to the same conventional tactics during the first quarter of 2011.

One of the most popular techniques, according to Kaspersky, was to send links to a video clip promoting spammer services; another was sending e-mails saying "Stop sending me spam", supposedly written by an annoyed recipient of spam. The e-mail was in fact spam itself, with a video link directing the reader to a spammer's website.

Spammers also exploited the Japanese earthquake and tsunami disaster, sending spam e-mails that capitalised on these events and persuaded victims to pay money into false donation drives and fake relief funds.

Besides spam, the report also covers malware. During Q1 2011, Trojan-Spy.HTML.Fraud.gen kept its top rank in the Top 10 list of malicious programs distributed through e-mail traffic. This Trojan uses spoofing techniques and appears in the form of an HTML web page. The report notes that it arrives with a phishing e-mail containing a video link to a bogus website resembling that of a well-known bank or e-payment system, where the user is asked to enter a login and password.

The report further stated that the other leading entry in the Top 10 most malicious programs was an e-mail worm family that harvests e-mail addresses and distributes them through e-mail traffic.

Finally, Kaspersky's report also covered the phishing statistics the company observed during the first quarter of 2011. The volume of phishing e-mails was quite small, accounting for just 0.03% of total e-mail traffic. The firm noted that PayPal and eBay retained the unenviable position of being the companies most frequently targeted by phishers.

Commenting on the matter, Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab, stated that, remarkably, during Q1 2011 Google services such as Google Checkout and Google AdWords were targeted less. The phishers shifted their focus to the extremely popular Brazilian social networking website Orkut (owned by Google), as reported by Techzone360 on May 13, 2011. She added that it is worth pointing out that the accounts of users of Google's services, including Orkut, are linked. Therefore, having obtained credentials for any one of these accounts, a phisher can access any Google service registered to the same user.


Andy Dolich Victimized by an E-mail Scam

Posted by NEWS on 07:31

Exactly 1,398 of Andy Dolich's friends and contacts received the same scam e-mail on April 13, 2011, saying that Andy was in some kind of trouble and badly needed their help, as reported by Mercury News on May 19, 2011.

Andy Dolich is an American sports executive who currently runs a sports consultancy, Dolich & Associates, in Los Altos, California.

The e-mail told readers that Dolich was in London, where his passport and credit cards had been stolen, and that he was looking for some "quick funds" to get home.

To send him financial help, which he promised to pay back, he could be contacted at his listed e-mail address or at a phone number given as the "hotel's help desk."

Commenting on the matter, Dolich said that a friend in London believed the e-mail had been sent from London, tried to find him and said he would help. Two other affluent friends, not the kind to be easily influenced, were about to send money but did not. He added that he was quite sure some people must have sent money, as reported by Mercury News on May 19, 2011.

Dolich later found out that his Google account had been compromised by cybercriminals.

Unluckily for Dolich's friends and contacts, the scam that targeted them was a variant of the 419 scam, the notorious Nigerian scam.

There are many variations, but most follow the same pattern. A web-based e-mail account is compromised (as Dolich's was in this case). The cybercriminal then impersonates the victim and sends an emergency plea for help to all of the victim's contacts and friends. Security experts note that the message usually describes some variation of having been attacked or robbed and urges the recipient to send money to a location the criminal can access.

Because of the damage done by scams of this kind, security experts advise users who are genuinely concerned about a friend in trouble abroad to first try to confirm the situation by phone and check whether the friend actually left the country in the first place. Also keep in mind that if a friend really is stranded overseas, every foreign country hosts embassies and consulates of other nations that will help travellers who are stuck abroad.


HM Treasury Regularly Witnesses 'hostile' Cyber Attacks

Posted by NEWS on 07:31

Google's Zeitgeist conference was held on 16 May 2011. George Osborne, the UK's Chancellor of the Exchequer, said during the conference that during 2010 "hostile intelligence agencies" were responsible for several serious and pre-planned attempts to compromise the Treasury's computers and access personal and financial information. He stated that these were part of a vast number of cyber attacks on government networks, which overall receive more than 20,000 malicious e-mails a month, as reported by the Guardian on May 17, 2011.

Earlier in 2011, UK Home Secretary William Hague declared that attackers had successfully compromised government networks with the Zeus trojan or "Zbot", as reported by Naked Security on May 16, 2011.

Certainly, most of the attacks believed to be targeting the UK government also target other organisations and businesses around the globe. Governments and companies alike face the challenge of protecting their systems and their private information from cybercrooks.

The Chancellor told the Google Zeitgeist conference about an e-mail sent to the Treasury and its international partners during 2010. The e-mail had a document attached. A few minutes later, the same e-mail appeared to have been sent again to the same distribution list.

Mr Osborne said that in the second e-mail the genuine attachment had been swapped for a file containing malicious code. He added that it would simply have appeared to the recipient that the attachment had been sent twice, as reported by the FT on May 16, 2011.

The probable intent, as with nearly all cyber attacks on state IT systems, was to gain access to some of the extensive market information the Treasury holds, which makes it one of the most popular targets for such attacks.

Mr Osborne said that in February 2011 Foreign Secretary William Hague had described a series of attempts by a foreign intelligence agency to access market-sensitive information from British systems, as reported by THE WALL STREET JOURNAL on May 16, 2011.


Monday, May 23, 2011

Sony BMG Greece hit by hacker

Posted by NEWS on 18:56

For the fourth time in about a month, hackers have broken into a Sony network.

In the latest intrusion, hackers hit the Web site of Sony BMG in Greece and pilfered a database containing the usernames, real names and email addresses of people who had registered with the site, according to security firm Sophos.

The stolen data was passed on to Hacker News, which posted a copy of it on PasteBin.com, Sophos said.

Chester Wisniewski, senior security adviser at Sophos, today said that the intrusion was made possible by a SQL injection flaw that allowed the intruders to inject malicious code into the Greek Sony BMG site.

According to Wisniewski, the attacker appears to have used an automated SQL injection tool that scanned the site for vulnerabilities.

"This looks like it was an old-school hacking," Wisniewski said. "It surprised me that Sony missed this one, considering how easy it was to find. This was not sophisticated at all."

The breach didn't require strong hacking skills, he added.

It was the third breach of a Sony system in recent days.

Last Thursday, Sony disclosed that an intruder had broken into So-net, a Japanese Sony ISP subsidiary, and stolen about $1,200 worth of virtual tokens.

That same day, security firm F-Secure announced that it had discovered a phishing site being hosted on a Sony server in Thailand.

Those attacks were far smaller in scope than intrusions last month into Sony's PlayStation Network and Entertainment Online sites that compromised data on almost 100 million account holders.

The April attacks prompted Sony to shut down both networks for several days while its internal security team worked to fix the problems with the help of consultants from three external security firms.

The company restored limited service on both networks about 10 days ago. Sony has yet to fully restore all previously available functionality.


PlayStation Network hack will cost Sony $170M

Posted by NEWS on 18:53

Sony expects the hack of the PlayStation Network will cost it ¥14 billion ($170 million) this financial year, it said Monday.

Unknown hackers hit the network gaming service for PlayStation 3 consoles in April, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service. A second attack was directed at the Sony Online Entertainment network used for PC gaming.

Sony responded to the attacks by taking the systems offline. It called in several computer security companies to conduct forensic audits and rebuilt its security system.

Users in many countries are being offered a year-long identity-theft protection program and free games. The cost estimate includes those actions and associated legal costs, said Masaru Kato, Sony's CFO, at a Tokyo news conference.

"To date, we have not confirmed any misuse of personal information or credit cards," said Kato.

The costs will be booked in Sony's current financial year, which will end on March 31.

Sony said it made the announcement because it expects to record a net loss of ¥260 billion for the financial year just ended due to charges associated with U.S. GAAP (generally accepted accounting principles) rules.

The March 11 earthquake and tsunami occurred just three weeks before the end of the financial year and didn't have a large impact on the company's global financial performance for the year, but it did push Sony's Japanese operations into a loss.

Those Japanese operations had lost money the previous two years but Sony, anticipating a profit in the year just ended, had recorded tax credits it intended to carry forward. However, GAAP rules say tax credits cannot be recorded for three years in a row, so Sony is recording a non-cash charge for the credits it had taken.

The earthquake hit Sony's domestic operations and led to a sharp fall in consumer demand in Japan in the last weeks of March, but its effect on the results for Sony's electronics business was limited because it occurred so close to the end of the financial year. Sony estimates that resulted in a ¥22 billion drop in sales and ¥17 billion in quake-related costs.

Overall, the company said sales in the previous year were around ¥7.2 trillion.

The company will report an operating profit of around ¥200 billion, but the GAAP-related charge will help push Sony to a net loss of around ¥260 billion. Operating income more closely tracks the company's performance in its core areas and excludes many one-off charges.

Sony will report actual results for the financial year from April 2010 to March 2011 on Thursday.


Malware Assaults on the Rise, Says Microsoft

Posted by NEWS on 18:37

In its Security Intelligence Report published on May 12, 2011, Microsoft released statistics on different malware families and their infection rates during 2010, broken down by quarter and by half-year, reported Eweek.com on May 12, 2011.

According to Microsoft, seven malware families occur frequently in the network environments of both corporate and individual users, although their order and proportions differ. Win32/Conficker, a PC worm that spreads by several means, typically does well in corporate (domain-joined) network environments compared with the public Internet. The worm ranks first among domain-joined machines by a considerable margin, but only ninth among non-domain machines, Microsoft states.

Malware designed specifically for Java has existed for many years, yet cybercriminals had not concentrated on abusing security flaws in Java until recently. During Q3 2010, Java attacks rose to about 14 times the number identified during Q2 2010, when two vulnerabilities in the Sun (now Oracle) JVM, CVE-2009-3867 and CVE-2008-5353, were exploited. Together the two flaws accounted for an 85% share of all Java exploits spotted during H2 2010, the report states.

Furthermore, the malware Pornpop made its debut during Q4 2010 and has been spreading quickly since. ClickPotato has existed for some time, though the threat from it is not great. Yet during H2 2010 these two were the most prevalent, responsible for almost 25% of all infections.

The report also makes significant mention of scareware, fake security software that is a highly frequent means of defrauding victims of their money. The scareware most frequently spotted up to the third quarter of 2010 was FakeSpypro, which disappeared during Q3 2010. It was followed by FakePAV, which became Q4's most frequently spotted rogue anti-virus.

Remarking on the report, Graham Titterington, Principal Analyst at Ovum, said that as more and more users and tools appear on the Internet every day, cybercriminals have more doors open to them than ever before for ensnaring users with attacks, Infosecurity.com reported on May 12, 2011.


Malware-Ridden Geek.com Contaminating Visitors, Warns Zscaler

Posted by NEWS on 18:36

Security researchers from Zscaler the security company warn that Geek.com a technology reviews and news website was lately struck with a malware assault. The perpetrators have been successful in inserting malicious iframes inside the website's different sections, including articles, top page, about us and so on.

States Senior Security Research Engineer Umesh Wanve at Zscaler, a number of infections have occurred, while the iframes lead the website's users onto various malware sites. Softpedia.com reported this on May 16, 2011.

Apparently, a rogue iframe was inserted inside an article say, titled "Call of Duty: Modern Warfare 3" dated May 13, 2011 whose details consequently got exposed, and which also diverted end-users onto a toolkit for attack code. This toolkit would carry out different checks for figuring out the version of a particular application that end-users had loaded onto their PCs followed with delivering attack codes for security flaws inside that application.

Additionally, the security researcher states that the most frequently utilized software such as Adobe Reader, Flash Player, Java Runtime Environment alternatively the Web-browser normally get attacked.

At the moment, drive-by download assaults represent an important channel for malware distribution online. They're extremely perilous as in the majority of instances victims can wholly see the assaults.

Wanve wrote that unfortunately, numerous assaults of the kind could be seen carried out daily. According to him, cyber-criminals were actively compromising several authentic websites via the exploitation of weak codes within Web programs. Moreover, they were continuously watching for widely visited Internet sites or websites providing hot news so they could aim their attacks on those sites, Wanve added. Theregister.co.uk published this on May 17, 2011.

Moreover, the assault similar to others on widely visited websites having intense traffic was risky as it abused Geek.com that enjoyed a brand reputation during the last 15-years among its dedicated visitors, the research engineer observes.

And because the above assaults are extremely malicious, security specialists recommend some easy tips which end-users require following. First, they shouldn't consider any website as totally secured and secondly, they must load reliable malware removal program onto their PCs for foiling and lessening malware-ridden threats.


Reminiscing Stuxnet Exploit: US Government

Posted by NEWS on 18:36

Citing a research report by an audit firm, the US Government on May 11, 2011 warned of defects found in two Iconics SCADA systems, Genesis32 and BizViz, according to news published by V3 on May 13, 2011.

In its warning about the vulnerabilities in the Genesis32 and BizViz products, made by Massachusetts-based Iconics, CERT said that the flaws allow attackers to remotely execute malicious code on the machines running this SCADA software, and thereby gain supervisory control over, and acquire data from, the industrial control systems involved.

To exploit the vulnerability, a user who has the ActiveX control installed must visit a page containing specially crafted JavaScript. Users are usually enticed to such pages through e-mail, instant messages or links posted on the internet, the original advisory said.

The actual impact on an individual organization depends on several factors that vary from one organization to another. ICS-CERT recommends that every organization evaluate the impact of this vulnerability on the basis of its own environment, architecture and product implementation.

Passing a specially crafted string to the "SetActiveXGUID" method makes it possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged-on user. SecurityAssessment has constructed a JavaScript ROP exploit as a proof of concept.

ICS-CERT has cautioned users at companies still running the affected systems not to open web links or unsolicited attachments in e-mails. IT managers at these facilities should also maintain strict security and minimize the network exposure of all control system devices.

As a first step, the ICS-CERT advisory recommends placing control system networks and remote devices behind firewalls and segregating them from the business network. Where remote access is required, secure methods such as virtual private networks should be used.

Similar SCADA flaws have been uncovered repeatedly since the Stuxnet worm demonstrated the dramatic effect such attacks can have on industrial systems.

Organizations that observe suspicious or malicious activity should follow their internal procedures and report their findings to ICS-CERT so they can be tracked and correlated with other incidents. ICS-CERT also urges organizations to carry out a proper impact analysis and risk assessment before adopting any defensive measures.


Rustock Closure Makes Little Impact on Spam Volumes

Posted by NEWS on 18:35

In its Q1 2011 spam report, Kaspersky Lab states that spam levels declined by 2% to 3% after the Rustock botnet was taken down on March 16, 2011, before returning to their earlier volumes.

The report also notes that the Rustock shutdown had a far smaller effect on worldwide junk e-mail than the closure of the Bredolab and Cutwail/Pushdo botnets during 2010.

Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab, explains that this may be because of the earlier takedown of Spamit, an enormous pharmaceutical affiliate scheme, and because Rustock, which sent pharma spam, had possibly stopped distributing bulk e-mail towards the end of 2010. Rustock may also have been used for other purposes. It is further possible that the spammers themselves chose to slow down their operations for a while, since law enforcement agencies had shown particular interest in botnets between July and December 2010, Gudkova says. Itp.net published this on May 13, 2011.

As a result, spam accounted for slightly less than 80% of all e-mail between January and March 2011, a rise of 1.4% over the previous quarter (Q4 2010), but still 6.5% below the share recorded in Q1 2010.

The report also says that during Q1 2011 spam generated in Latin American and Asian countries contributed a share of over 3.85% and 2.93% respectively to total global spam, whereas the shares of Western and Eastern Europe dropped by 2.36% and 5.64% respectively. Africa was a new entrant among the most active spam-sending regions: unwanted e-mail originating from African nations made up 3.66% of global spam, more than that of Canada and the USA.

Interestingly, these statistics match Kaspersky Lab's prediction that botnets would begin moving to countries with no anti-spam law, or with ineffective ones. Nevertheless, spammers' activity indicates that botnets will also continue to develop in countries with stronger protection, implying that their spread will remain more or less even worldwide, much as it is today.


Saturday, May 21, 2011

Cybercrooks Concentrating on Increasing Malicious Attacks

Posted by NEWS on 22:48

According to a recent security report released by Microsoft, there has been a considerable surge in the use of marketing-style tactics and fraud techniques to steal money and data from unsuspecting users, as reported by Info Security on May 12, 2011.

The report highlights that cybercriminals continue to use social lures that look like legitimate marketing campaigns and product promotions. Six of the 10 most widespread malware families during H2 2010 fell into these classes of attack technique.

Across the threat landscape, the firm noticed a distinct polarization in criminal behavior. On one hand there is a small number of sophisticated attackers, whose aims range from large payoffs to targeted attacks.

On the other hand there are attackers who use more accessible attack techniques, in some cases developed by the more skilled criminals, combined with social engineering to take small sums of money from a large number of people.

Commenting on the matter, Jeff Williams, Principal Group Program Manager at the Microsoft Malware Protection Center, said that the marketing-like tactics appear both while browsing the web and in e-mail. He added that users may find it hard to tell a genuine business marketing campaign from a fraudulent one, which is driving a surge in malware and associated breaches, as reported by Info Security on May 12, 2011.

Malware-ridden websites generally look entirely legitimate and usually show no obvious signs of their malicious nature, even to knowledgeable computer users.

According to the report, attackers showed signs of targeting online gaming websites with rising frequency during H1 2010, though this push appeared to diminish as social networks came under increased attack. Impressions targeting gaming websites reached 16.7% of all impressions in June before declining to a more typical 2.1% in December 2010.

Williams further stated that these are places with many customers whose passwords and credentials can be compromised via keylogging and other methods. These websites give crooks the chance to monetize in several ways, whether through in-game transactions, money transactions or similar tactics, as reported by Info Security on May 12, 2011.


Malware Contamination on Windows 7 High, While for XP Low

Posted by NEWS on 22:47

In its latest edition of Security Intelligence Report that Microsoft released on May 12, 2011, the company reveals that the infection rate on Windows 7 rose over 30% in H2-2010, while that on Windows XP dropped over 20%.

Jeff Williams, Principal Group Program Manager at the Microsoft Malware Protection Center, says the infection rate on Windows 7 rose because of the growing number of malware attacks in circulation. Computerworld.com published this on May 12, 2011.

Notably, during July-December 2010 an average of more than 4 32-bit Windows 7 computers were infected for every 1,000 such computers, a rise of 33% compared with about 3 per 1,000 during H1-2010.

According to the report, computers running 64-bit Windows 7 were infected less often, with 2.5 infected PCs per 1,000 throughout 2010.

Infections also rose on Windows Vista Service Pack 2, the most recent version of the problematic operating system, between July and December 2010, the report indicates.

The study also discusses the countries where malware infections are greatest. Based on an examination of exploits and security flaws found on over 600m client PCs, it says that approximately 11-12m computers within the USA contract malware every three months. This figure is computed from Windows PCs and from PCs running Microsoft's security programs; there is an enormous gap between first and second place. In Brazil, between 2.0 and 2.9m computers were infected every quarter during 2010, while China, in second place, had an infection rate of between 1.9m and 2.2m PCs.

Nevertheless, infections per computer change the picture: Turkey in particular stood out in infections per 1,000 computers examined. Microsoft says malware infected 36.8 computers out of every 1,000 in Turkey during 2010. Other countries with high infection rates included Spain at 36.1%, Korea at 34.8% and Taiwan at 29.7%. Conversely, countries with low infection rates included Japan with 4.4%, India 3.8%, Austria 3.4%, the Philippines 3.1%, Belarus 1.6%, Bangladesh 1.4% and Mongolia 1.3%.


Murwillumbah Inhabitant Gets “Stranded Abroad” Scam E-Mail

Posted by NEWS on 22:47

George Anderson, a retiree from Murwillumbah (New South Wales, Australia), was taken aback the day he received an e-mail from his son's account claiming that the son, apparently on vacation in Indonesia, had been forced to travel to Spain at short notice. Mydailynews.com.au reported this on May 14, 2011.

In the e-mail, the writer apologized for not telling Mr. Anderson about the trip to Spain and said he was in some trouble there, having lost his wallet on the way back to his hotel.

The message then asked for $3,980 so the writer could settle his hotel bill and get home, as the Australian embassy had supposedly refused to help. It also gave an address in Seville (Spain) to which the money could be sent.

In fact, cyber-criminals had hacked into the e-mail account of Anderson's son and harvested his contact list, security researchers point out.

The method used in the "stranded abroad" e-mail fraud is quite sophisticated. Scams of this kind exploit the recipient's compassion by claiming that the writer is someone in dire need, as in the case of Anderson's son, supposedly in a far-off place without money. It is best not to reply to these fake e-mails, since a reply tells the scammers that the responding e-mail address is live.

"Stranded abroad" scams usually show other common signs of fraud too, such as headers in capital letters and poor use of language, not necessarily English.

Commenting on the sophisticated fraud, Anderson said he was truly astonished at how it happened, but the worrying part was that the criminals had seized his son's contact list and had probably e-mailed many more people. Mydailynews.com.au reported this.

Finally, security researchers advise recipients of such e-mails to forward them to the International Conference on Contemporary Computing at its website, http://www.ic3.gov/default.aspx. This site records e-mail frauds and warns others about them, so following this step will help the police in their efforts to catch those responsible for the scam e-mails.


Scam about iPhone 5 Strikes Users of Facebook

Posted by NEWS on 22:46

Security researchers are warning that Facebook users need to be extremely cautious about any advertisement for the iPhone 5 on the social-networking website, Itproportal.com reported on May 12, 2011.

The researchers caution that a link called "First Exposure: iPhone 5" is simply a fake which, when clicked, unleashes a malware program designed to spread to other users.

The malicious link emerged on Facebook at the beginning of May 2011, exploiting users' enthusiasm for the upcoming iPhone. The scam poses as a news link offering information about the iPhone 5, supposedly obtainable from www.greatlakesnews.info. In reality, clicking the link diverts users to a different website where they are asked to respond to a CAPTCHA dialog by typing a word.

As soon as the word is entered, everyone on the user's contact list receives a message saying that the user has posted a comment about the iPhone 5. The user is then directed to fill in an online survey. In this way people are persuaded to visit the link because the comment appears to come from their friends.

This technique is also known as clickjacking, and it is all the worse on popular social-networking websites like Facebook, where links are shared constantly.

In this instance, the one favorable point is that anti-virus software may block the file involved, since such files typically belong to the Andware.Yontoo family of malicious software.

Security researchers remark that these Facebook frauds all share the same technique: scammers using a variety of tricks against users in order to make money. Survey-based scams have generally proved quite effective, so it is apparent that scammers will keep concentrating on schemes such as pay-per-install campaigns.

Worryingly, this type of scam is not new to Facebook. Earlier in 2011 a similar iPhone link was found circulating online, and the current one is a somewhat modified form of the original, the researchers note.

Overall, Facebook advises users not to follow such links, even when they appear to come from known sources.


Monday, May 16, 2011

Sutton Trading Standards Alert about Phishing E-Mails

Posted by NEWS on 02:37

Sutton Trading Standards (STS), which advises businesses in Sutton (Greater London, UK) on their obligations under trading standards criminal law, recently alerted netizens to 2 fresh phishing campaigns. Suttonguardian.co.uk reported this on May 10, 2011.

In one campaign, scammers posing as British Gas employees send e-mails designed to make consumers divulge personal information, telling them that a 732.80-pound refund is due and can be obtained by supplying copies of their passport and driving licence along with their name and address.

The other campaign, posing as communication from an HMRC staff member, informs users that they are entitled to a 244.79-pound tax rebate and provides a link to a site that prompts the user to enter his bank details.

The e-mail also contains a link to the actual HMRC site, so users may be fooled into believing they are reading a legitimate message.

Councilor Simon Wales, the Council's spokesman on community safety, said that internet scammers were becoming increasingly sophisticated, so it was more vital than ever to remain wary while surfing the web. Suttonguardian.co.uk published this on May 10, 2011.

In view of these e-mails, STS recommends that recipients treat the messages with suspicion rather than be taken in by the straightforward promises they make.

STS further suggests that recipients look for clues within the e-mails: if a message seems intended to convince the recipient rather than to inform him, he should be suspicious. Users should also read messages closely and critically, hunting for inconsistencies, plainly bogus offers and breaches of common sense.

Overall, users should remember that HMRC never notifies taxpayers of tax refunds by e-mail or telephone; such notifications are sent by ordinary post. The authorities therefore urge anyone receiving phishing e-mails to report them immediately. Finally, HMRC says it is already working closely with other law enforcement agencies in the UK and abroad to prevent these attacks.
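The clues named here (a message that persuades rather than informs, a genuine agency link sitting beside a bogus one) and the "stranded abroad" signs from the Murwillumbah post above (a capitalised header, a hard-luck story ending in a request for money) can be turned into a simple scoring filter. The following is an added example, not code from the article, from STS or from HMRC; every message and domain in it is constructed, and tax-office.example stands in for a genuine agency's website. The claimed sender domain passed to the scorer is taken from the From header and is an assumption of the example.

```python
"""Heuristic fraud indicators for e-mail, covering the "stranded abroad"
money request and the refund-phishing patterns described above.

Added example for this page; it is not code from the article or from any
agency it cites. Every message and domain below is constructed, and
tax-office.example stands in for a genuine agency website.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


MONEY = re.compile(r"[$£€]\s?\d[\d,]*(?:\.\d\d)?|\d[\d,]*(?:\.\d\d)?\s?(?:pounds?|dollars?|euros?)", re.I)
STRANDED = ("stranded", "lost my wallet", "embassy", "hotel bill", "send money")
REFUND_LURE = ("refund", "rebate", "entitled to")
URGENCY = ("urgent", "immediately", "as soon as possible", "within 24 hours")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _displayed_host(text):
    """Host a reader would infer from link text, or '' when text is not URL-like."""
    t = text.strip().lower()
    if "://" in t:
        return _host(t)
    return t if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", t) else ""


def _same_org(a, b):
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def score_email(subject, claimed_sender_domain, body_html):
    """Return (score, reasons); each matched indicator adds one to the score."""
    text = re.sub(r"<[^>]+>", " ", body_html)
    low = text.lower()
    reasons = []

    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        reasons.append("subject written entirely in capitals")
    if MONEY.search(text) and any(k in low for k in STRANDED):
        reasons.append("asks for money with a stranded-abroad story")
    if MONEY.search(text) and any(k in low for k in REFUND_LURE):
        reasons.append("promises a refund or payment")
    if any(k in low for k in URGENCY):
        reasons.append("pressure to act quickly")

    parser = LinkCollector()
    parser.feed(body_html)
    for href, shown in parser.links:
        real, displayed = _host(href), _displayed_host(shown)
        if displayed and not _same_org(displayed, real):
            reasons.append(f"link text shows {displayed} but goes to {real}")
        elif real and not _same_org(real, claimed_sender_domain):
            # A genuine link elsewhere in the same mail does not excuse this one.
            reasons.append(f"link to {real} does not match sender {claimed_sender_domain}")
    return len(reasons), reasons


# Constructed samples (not real messages): subject, claimed sender domain, HTML body.
STRANDED_MAIL = ("URGENT HELP NEEDED", "webmail.example",
                 "<p>Sorry I did not tell you I had to travel to Spain. I lost my wallet on "
                 "the way back to the hotel and the embassy will not help. I need $3,980 to "
                 "clear the hotel bill and fly home, please send money urgently.</p>")
REFUND_MAIL = ("Your tax refund", "tax-office.example",
               '<p>You are entitled to a tax refund of 244.79 pounds. '
               '<a href="http://refund-claims.invalid/claim">Claim your refund</a> within 24 hours. '
               'More information at <a href="https://www.tax-office.example/">www.tax-office.example</a>.</p>')
STATEMENT_MAIL = ("Your statement is ready", "bank.example",
                  '<p>Your monthly statement is available at '
                  '<a href="https://online.bank.example/statements">online.bank.example</a>.</p>')

if __name__ == "__main__":
    for mail in (STRANDED_MAIL, REFUND_MAIL, STATEMENT_MAIL):
        score, why = score_email(*mail)
        print(mail[0], score, why)
```

The refund sample scores on the lure, the deadline and the off-domain claim link even though it also carries a correct link to the agency's own site, which is exactly the mixed-link trick the STS warning describes; the ordinary statement mail scores zero. Indicator counts like this are a triage aid for a mail gateway or a help desk, not a verdict: the thresholds and keyword lists here are chosen for the two campaigns on this page and would need tuning against real traffic.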