World Cup 2010: England tighten security after team meetings ‘bugged’ – Telegraph.co.uk

March 9th, 2010

With the security breach taking place at a time of sensitivity due to the revelations surrounding the off-field activities of John Terry, who was stripped
Spycatcher! FA on the hunt for sneak who breached England security - Daily Mail
Football Association probes England security breach - BBC Sport
England security under scrutiny after team meetings bugged - The Guardian
The Press Association - Yahoo! Eurosport - Register

Spycatcher! FA on the hunt for sneak who breached England security – Daily Mail

March 9th, 2010

Times Online

Bangkok takes anti-violence measures ahead of protests – TODAYonline

March 9th, 2010

BANGKOK – Thailand's government yesterday agreed to impose the Internal Security Act ahead of protests this weekend, vowing to use "all means" to stop
Thailand imposes tough security law for Thaksin protests - AFP
Thailand invokes new security law - Aljazeera.net
Thailand invokes strict security law ahead of rally - CTV.ca
BBC News - Bangkok Post - Earthtimes (press release)

Conservatives promise new National Security Council will end blight of ’sofa … – Telegraph.co.uk

March 9th, 2010

A new National Security Council, set up by the Conservatives, would ensure that future decisions about war were not taken “without notes” or just by the
William Hague speech – live - The Guardian (blog)
William Hague: Britain's global economic standing damaged under Labour - Telegraph.co.uk


Federal Support for Federated Login

March 9th, 2010

Cybercriminal Attacks Becoming More Targeted

March 9th, 2010

Online criminals are having greater success with increased technical sophistication affecting a wider range of industries, according to a new report by Cyveillance.


“Cyber criminals are focusing their efforts on developing more sophisticated and targeted attacks rather than using a far reaching blanket approach, in order to reap greater financial rewards,” said Panos Anastassiadis, chief operating officer of Cyveillance.

“From emails to social networks, online criminals have increasingly more information at their disposal and a growing array of attack vectors to appear credible and go undetected. Organizations must be more vigilant in proactively protecting themselves and cannot rely solely on traditional security measures to keep their infrastructure and sensitive information safe.”

While banks and credit unions continue to be the top targets of phishers, governments and the technology and energy industries are now seeing a growing number of attacks. During the second half of 2009, 399 brands were first-time targets of phishing attacks, nearly double the number of first-time targets in the first half of this year. Averaging over 36,000 confirmed, unique attacks per month in the same period of 2009, phishing attacks continue to succeed despite added security measures and consumer education.

The United States hosted 35 percent of all phishing attacks for the second half of 2009, over 4 times as much as the closest country, the Netherlands, which hosted 8 percent of all attacks.

Qualys Introduces Malware Scanner For Sites

March 9th, 2010

The beta version of a free service has become available to help website owners keep their properties safer. QualysGuard Malware Detection is designed to scan sites for malware infections and other threats, regardless of sites’ size or the site owners’ physical location.


This service is supposed to do everything short of actually solving the problem. The process starts with daily scans. Then, it'll alert sites' owners to any issues it uncovers. Finally, it should point out vulnerable snippets of code, making the removal of malware easier. All without delivering false positives.

Philippe Courtot, the chairman and CEO of Qualys, explained his company’s motivation for introducing this service by stating, “We created QualysGuard Malware Detection as a way to fight against cybercrime and to make the Web a safer place for everyone.”

He then continued, “This is a comprehensive free solution that arms businesses of all sizes to monitor malware threats on their web sites and take steps to remediate vulnerabilities.”

Hopefully QualysGuard Malware Detection will live up to its billing. A free way of keeping sites and their visitors safe certainly sounds good, and is bound to become quite popular if it works well.

NY Man Pleads Guilty To Selling Pirated Software Online

March 9th, 2010

A New York man has pleaded guilty in U.S. District Court in Alexandria, Virginia, to criminal copyright infringement for selling more than $250,000 worth of pirated copies of popular business, engineering and graphic design software programs.

According to court documents, Robert Cimino, 59, of Syracuse, N.Y., advertised the sale of discounted popular software programs on a number of Internet advertising forums, operating under the business name “SoftwareSuite.”

Customers would contact Cimino by email and would usually buy the products using PayPal. Cimino would then mail the customers pirated copies of Adobe, Autodesk, Intuit and Quark programs he had burned to CD or DVD. Cimino admitted that from February 2006 to September 2009, he received at least $270,035 from his sales of infringing software products.

Cimino is scheduled to be sentenced by U.S. District Judge Anthony J. Trenga on May 28, 2010. Cimino faces a maximum sentence of five years in prison, three years of supervised release, a $250,000 fine, restitution and forfeiture.

Open Identity Exchange Launches

March 9th, 2010

Online identity theft might become less of a problem in the future thanks to the efforts of Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton. Today, these organizations announced the formation of the Open Identity Exchange (OIX).

OIX is a nonprofit entity meant to make exchanging online identity credentials a more secure process. It’s gotten off to a good start, too, having already been approved as a trust framework provider by the U.S. government.

This means that OIX solutions should at some point allow American citizens to access all sorts of vital information on the Web. Drummond Reed, Acting Executive Director of OIX, explained in a statement, “As we roll out progressively stronger levels of certification, this will empower U.S. citizens to access and manage their tax records, Social Security records, veteran’s benefits, and many other government services online.”

Also, “OIX is currently working on development of trust frameworks for public media, telecommunications, library services . . . and professional associations.”

You may not have to wait long to see these possibilities brought to (figurative) life. In addition to being backed by so many important partners, OIX has received grants from the OpenID Foundation and Information Card Foundation, meaning it’s probably in good financial shape.

FBI Director Warns Of Cyber Threats

March 9th, 2010

FBI Director Robert Mueller spoke about cyber threats along with how the U.S. is working with partners around the world to tackle them, during a keynote address at the annual RSA computer security conference in San Francisco on Thursday.

The Director said U.S. intelligence indicates the threat of cyber terror is “real and rapidly expanding,” including the rise of extremist websites to recruit, radicalize, and incite violence.

Terrorists have yet to launch a full-scale cyber strike, but have “executed numerous denial-of-service attacks” and even defaced the website of the U.S. Congress following President Obama’s recent State of the Union address. The Director told the crowd of cyber professionals that al Qaeda and other extremists “have shown a clear interest in pursuing hacking skills.”

According to the Director, the FBI’s cyber capabilities and partnerships include:

* Cyber squads in each field office nationwide, with over 1,000 specially trained agents, analysts, and digital forensic examiners who run complex undercover operations, share intelligence with law enforcement and intelligence partners, and provide training to counterparts around the world;

* More than 60 overseas offices, called legal attachés, that share information and coordinate joint investigations with their host countries;

* Agents embedded with police forces in Romania, Estonia, the Netherlands, and other countries; and

* Mobile Cyber Action Teams: highly trained groups of agents, analysts, and experts in both computer forensics and malicious code who travel the world to respond to fast-moving cyber threats.

The Director stressed the relationship with the private sector is vital in reporting breaches of cyber security. “No one country, company, or agency can stop cyber crime,” he said.

“A ‘bar the windows and bolt the doors’ mentality will not ensure our collective safety. We must start at the source; we must find those responsible.”

McAfee: Intellectual Property Poorly Guarded In Aurora Attacks

March 9th, 2010

Google and the other companies that were affected by Operation Aurora had some commendable security measures in place, according to a new report from McAfee; you might consider them the virtual equivalents of steel doors with reinforced hinges. However, it turned out that the companies might have left their internal safe doors unlocked.


George Kurtz, McAfee’s CTO, explained late yesterday on the McAfee Security Insights Blog that he discovered some problems with respect to the companies’ source code configuration management systems (SCMs). Enough problems to call them “inherently insecure,” in fact, as he found that attackers were able to “siphon out source code or, worse, modify and add code.”

Kurtz then continued, “SCMs are used by software engineers to manage their projects and are used to store source code, the crown jewels of any tech company.”

And as you might suppose, leaving one’s intellectual property exposed isn’t the best way to run a business.

In response, McAfee is taking a closer look at how SCMs should be secured, and Perforce, which is a popular management system, has been scrutinized in what’s supposed to be the first in a series of white papers.

These lessons should benefit a wide range of individuals and companies, considering that many organizations have probably modeled their security systems after what Google, Adobe, Rackspace, and other corporations hit by Operation Aurora have in place. Hopefully an Operation Aurora 2 will become impossible as a result. Or at the least, perhaps some less organized and skilled hackers will be repelled.

Meanwhile, efforts to identify the people behind Operation Aurora haven’t progressed much since the last time we discussed them. A security company called Damballa did issue a statement earlier this week alleging that the hackers used a “garden variety botnet” and were “more amateur than average,” but Google has disputed this claim.

McAfee Warns Consumers Of Fake Antivirus Software

March 9th, 2010

McAfee issued a warning today to consumers about “scareware,” or fake antivirus software, calling it possibly the most costly online scam in 2010, causing significant monetary loss and damage to users’ computers.


Scareware is the first scam outlined in McAfee’s new Consumer Threat Alert program that warns people about the latest and most dangerous online threats.

“Even the savviest of computer users fall victim to online threats because cybercriminals have become so sophisticated,” said Jeff Green, senior vice president of McAfee Labs.

“The Consumer Threat Alerts are a warning sound to keep consumers from falling victim to online dangers. We’re on the front lines watching and protecting against threats, and we pass that knowledge onto consumers.”

Scareware is one of the most widespread, dangerous and sophisticated online scams, victimizing an estimated one million people around the globe every day. McAfee says cybercriminals make profits of $300 million worldwide from scamming consumers with scareware.

Fake antivirus software pops onto a user’s screen and alerts the user that their computer may be vulnerable. To disguise the scam, cybercriminals create legitimate-looking logos of fake security companies.

The pop-up prompts the user to scan the computer for vulnerabilities, using a scan they don’t realize is fake, or even to buy the “security software,” which is actually malware in disguise. Cybercriminals get victims to input their credit card information, giving criminals access to the user’s computer and bank details.

“It’s an incredibly lucrative business for cybercriminals,” said Francois Paget from McAfee Labs, a security research expert.

“In fact, one company known as ‘Innovative Marketing’ made an estimated $180 million through these scams in one year, and more than four million consumers purchased their fake security software thinking it was real.”

Microsoft repairs Excel flaws, warns of new IE vulnerability

March 9th, 2010

Two bulletins address eight vulnerabilities in Microsoft Windows and Office. Internet Explorer advisory warns of new zero-day vulnerability being used in targeted attacks.



Journalist Uses Rum To Expose Airport Security Loophole – Wired News

March 9th, 2010

This isn't the first time Stegeman has exposed a security loophole at the Schiphol airport. In 2008 he worked with a colleague who secured a job as a baggage
New Security Breach at Amsterdam Airport - New York Times
Amsterdam airport tightens security at duty free - The Associated Press
Schiphol Group steps up security at See Buy Fly stores after alert - MoodieReport
WLOS - Expatica Netherlands

Piscataway man pleads guilty to Newark Liberty airport security breach – myCentralJersy.com

March 9th, 2010
NEWARK — A Piscataway man who breached security at Newark Liberty International Airport to kiss his girlfriend avoided jail time today during his hearing in
Why the Newark security breach destroyed our airport love affair - Chicago Tribune
Man charged in Newark airport security breach is unlikely to face jail time - The Star-Ledger – NJ.com
After a Disruptive Airport Kiss, Facing the Consequences - New York Times
NorthJersey.com - The Associated Press - NBC New York

Security chief fired in Nigeria power fight – Financial Times

March 9th, 2010

No explanation was offered, nor was there any mention of the security forces' failure to stem the cycle of bloodshed. Whatever the pretext, however,
Nigeria's Acting President Replaces Security Chief After Latest Violence - Voice of America
Nigeria's National Security Advisor sacked - Ghana Broadcasting Corporation
New security adviser bolsters Nigeria's acting leader - Reuters South Africa
NEXT - Newstime Africa - The Guardian – Nigeria

Marc Rotenberg on Google’s Italian Privacy Case

March 9th, 2010

Interesting commentary: I don’t think this is really a case about ISP liability at all. It is a case about the use of a person’s image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established…

Apple iPad Security Considerations for the Enterprise – eWeek

March 9th, 2010
Before it does, enterprises need to think about the security implications of yet another consumer device touching their networks.


Joe Biden pledges ‘unvarnished’ support for Israeli security – Telegraph.co.uk

March 9th, 2010

US Vice President Joe Biden pledged America's "total, unvarnished commitment to Israel's security" as he visited Jerusalem to meet prime minister Benjamin
Joe Biden pledges support for Israeli security - BBC News
Biden Promises 'Total' US Commitment to Israel's Security - Voice of America
US reassures Israel over security - Aljazeera.net
AFP - Press TV - euronews

Microsoft offers two fixes, but reveals a zero-day bug

March 9th, 2010

Microsoft fixed eight vulnerabilities with two patches on Tuesday, but it also disclosed a new, zero-day Internet Explorer flaw that is being leveraged in active attacks.