February 10, 2008
Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


December 29, 2006
Signs Your Computer is Infected

With a whole new batch of very malicious software on the loose, it is probably a good idea to know exactly what constitutes a sign that your computer is infected. I came across the following list on the Washington Post's website. Here are the signs that your computer is infected; as is often the case, an infected computer will often exhibit more than one of these symptoms.

Poor computer system performance, including slower response times and longer start-up and shut-down times.

Dramatic loss in Internet connection speeds.

Loss of hard disk space.

Web browser frequently closes for no apparent reason.

Browser's home page resets and cannot be changed.

New desktop icons and applications, like toolbars, suddenly appear.

Access to various computer security-related Web sites is blocked.

Pop-up ads appear even when the Web browser is closed.

Also, the way to avoid malware is to make sure you install a firewall and anti-virus software, download security patches regularly, and be aware of what you're installing, only downloading software from trusted Web sites.

This will be my last entry before 2007, so I hope you all have a happy and healthy (for you and your computer) new year.

Tags: Malware, Infected Computer

Posted by pschooff in Better Protection | Permalink | Comments (0) | TrackBacks (0)

December 20, 2006
2007 - Spam is Back with a Bang

Two years ago, Microsoft’s Bill Gates predicted that by the year 2006, spam would be finished. While even at the start of this year it looked like Gates’ prediction might still come true, since then spam has experienced a resurgence. You could say 2006 is the year spam returned with a vengeance.

The recent surge in spam can be attributed to two main factors: the rise of botnets and image spam. As I've blogged before, botnets are massive collections of computers that have been infected with malicious software, generally without the computer owner’s knowledge, so that they can be controlled by an external operator. Botnets are often created solely to spread spam. And where spam could once be fought by shutting down its source (which was probably the reason for Bill Gates’ optimism), botnets exponentially increase the number of computers used to send out spam. Botnets have been uncovered that range in size from a few thousand to more than one million infected computers, making shutting down every single one impossible.

The other factor in spam’s recent rise is the switch from text to image-based spam. Where just a year ago filters were having great success screening out spam by searching for words like “stock” and “sex” and “enlarge,” the new spam comes with the sales pitch entirely embedded in an image, severely hampering the detection abilities of many spam scanners. And with spam flooding inboxes, this will inevitably lead to a shakeout in the industry as customers search for better methods to stay on top of this deluge.

Spam’s change in tactics has also brought with it a major change in content. While there are still plenty of spam emails promising easy riches or offering an impossible pharmaceutical miracle, my company, Message Partners, has kept a close watch on several new and more dangerous types of spam that we expect to see much more of in 2007.

The first is the stock pump-and-dump scam. While this scam has been around since the inception of the internet (and long before that), only recently has it come to encompass hyper-aggressive spamming. This type of spam is easy to spot, as the subject line just about screams out the latest hot stock pick. The fact that simply mentioning a stock’s name to millions of people in an email inevitably drives up the stock’s price, coupled with the fact that spammers can make money directly from buying and selling stock without having to rely on a secondary sales site, means this type of spam is likely to stick around for some time.

The second and far more dangerous type of email that has come with the new wave of spam is known as phishing. Phishing is fake email that purports to be official email from a bank or legitimate website for the purpose of stealing password or financial information. Phishing emails, and the subsequent websites they link to, tend to steal their graphics directly from the sites they are trying to imitate, which means, visually, they are almost impossible to tell apart. While there have been countless warnings about never responding to, or clicking on a link from, any email asking for personal information, phishing has proven so effective that one can only conclude that all it takes is for a few phishing emails to make it into a few inboxes before someone gets hooked.

Bill Gates’ prediction about spam’s demise shows just how tricky it can be to make predictions about technology, but it seems self-evident that both the amount of spam and the dangers it poses will only increase in 2007. Also, the ease with which these crimes can be committed, along with the cash windfalls that can be won by even modest success, means that cyber crime has become a major focus of organized crime.

That is why my company, Message Partners, has never stopped focusing on building one of the most versatile and adaptable email engines available anywhere. We have also continually added to our state-of-the-art weapons to fight spam and viruses and phishing in whatever form they take. As James Joyce, the Director of Plug and Play computers, a major internet service provider in Australia, said, “Without Message Partners our systems and customers would be overloaded with junk email.”

At Message Partners, we have never stopped believing that as long as we keep using email, email will keep trying to use us. And as email grows ever more important as a vital form of business communication, that makes choosing the right email platform all that much more essential.

With that said, I want to wish everyone happy holidays. In terms of the security sector, it has been a most challenging year, and it is only going to get more so. I am heading off to Michigan, where I'm from, for the holidays, but will be able to squeeze in a couple of more security blogs before the end of the year (but not until after Christmas).

Tags: Spam, Botnets, Phishing, Stock Pump and Dump, 2007 Predictions


December 18, 2006
Criminals Exploit the Cloak of the Internet

The internet has become a major focus of criminal enterprises due to its hidden, anonymous nature, explains a recent report from McAfee. Criminals simply find it easier and more lucrative to steal from the comfort of a computer station than to jump old ladies in alleys. And that ease makes it that much easier to recruit others to engage in online crime as well.

As David Marcus, security research and communications manager for McAfee, said, "For organized crime, the Internet is the best thing to come along since bootlegging and moonshine. And it's a lot safer to run a botnet than it is to go to the street and break someone's kneecaps."

The report also says that organized crime is targeting some of the top talent at high-tech schools, sponsoring their high-end education and then getting them placed in companies to give them inside access. The sense of immunity in cyberspace helps a lot, making people more willing to engage in high-tech crime. It’s much easier to sit at Starbucks and commit wire fraud than it is to hang out in dank basements planning the next bank heist.

Considering this, McAfee says that IT departments should be prepared for a nasty escalation of threats in the future. Also, IT should start on a plan to secure hand-held devices, as those are going to become the focus of the future. The fact that hand-helds are quickly supplanting the PC for people on the road means they will soon be in the net-burglars' bull's-eye.

The report also reaches the following conclusions:

Cybercriminals are increasingly using phishing schemes to trick unsuspecting computer users out of their money.

Cybercriminals are focusing more on social networking and community sites to find targets. By loading fake profiles and pages with adware, spyware, and Trojans, criminal code writers are cashing in on the popularity of MySpace, Facebook, and other places people gather.

Password proliferation means that simple guesswork often is all it takes to uncover people’s data.

With an estimated 12 million computers conscripted for botnets, botnets have clearly become the preferred method for e-thieves to launch attacks.

Tags: Security Trends, Botnets, Hand-held Vulnerability


December 15, 2006
Tell-Tale Signs of an Insider Attack

In a recent survey of IT pros at least two-thirds indicated that company insiders accounted for at least some of the losses their company experienced from security breaches. Seven percent of those surveyed said that insiders accounted for 80% of their financial losses.

While the above data makes it clear that insiders are not the most common form of attack, they can be by far the most costly and most damaging, which makes insider attacks the most feared by both the government and security pros.

The first and most obvious way to prevent these types of attacks is to do detailed background checks on all prospective employees. Second, the fact that most attacks take place between when an employee is terminated and their access is revoked means that system access should be terminated simultaneously with employee end-of-employment notification.

While defending against an insider attack can be difficult, the following patterns, found on Information Week, give the warning signs of a potential insider attack.

Be aware of anytime anyone with access to sensitive information has a falling out with his or her superiors. For instance, there is the story of Claude Carpenter, “who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he'd be fired after a dispute with a co-worker, Carpenter inserted several lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues' suspicion by calling several times during the next two weeks to ask "if the machines were running OK" and "if anything was wrong with the servers.”

Therefore, managers should make it clear to employees that their access and use are being tracked. Also, it is important that each worker be given just enough access to get the job done. In the past, those who have done the most damage had more access than was required to do the job. And as access can often be something of a status symbol, don’t expect employees to complain of having too much.

On a related point, even though technology is everywhere in companies, insider attacks almost always come from IT professionals. A recent survey by the Secret Service and CERT indicated that 86% of internal computer sabotage came from tech workers.

The employees most likely to attack from the inside do share certain characteristics, namely signs of mental health trouble, anti-authoritarian personalities that often clash with their bosses, and a history of behavioral infractions often well-documented by HR. Some recommend that simply getting to know your employees will help create loyalty and tip off potential problems.

Technology can also play a key role in thwarting insider attacks. Any information that could remotely be seen as sensitive should be encrypted. And it is a good idea to create an audit trail, where employees that need access must get written approval from their bosses, which creates a written record.

Risk management software can also help, as I blogged here recently about IBM buying Consul Risk Management. These services are designed to alert managers when certain data or systems are improperly accessed.

Technology also plays a big role when an employee is terminated, as immediately severing all access privileges is just a start. Managers should ideally audit the projects the employee worked on before the termination process to fully understand the employee's access.

The fact is, termination does not end the risk, and in many cases it just begins it. It’s not always a bad idea to be able to hold something over a former employee’s head, like their severance package, just to keep them in line. And while that might seem to many IT managers to be the responsibility of HR, IT has to know that they are in fact the first line of defense when it comes to insider attacks.
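As an added example (not from the original post or from Information Week), the following Python script puts two of the points above into practice: it reconciles an HR termination list against an account directory and an authentication log, reporting accounts that were still enabled, or still authenticating, after their owner's termination, and lists the privileged accounts that deserve the pre-termination project audit first. All data, field names and group names are constructed for the example.

```python
"""Reconcile HR terminations against accounts and authentication logs.

The post notes that most insider attacks happen between termination and
revocation of access, and that a departing employee's access should be
audited. This script flags accounts that outlived their owner's employment.
All input data below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed HR feed: username -> date/time the termination was notified.
TERMINATIONS = {
    "alice": "2006-12-01T09:00:00",
    "bob": "2006-12-08T17:30:00",
}

# Constructed directory export: account state and group memberships.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["sysadmin", "backup-operators"]},
    {"user": "bob", "enabled": False, "groups": ["staff"]},
    {"user": "carol", "enabled": True, "groups": ["staff", "finance"]},
]

# Constructed authentication log: "<ISO time> <result> user=<name> src=<ip>".
AUTH_LOG = """\
2006-11-30T08:02:11 LOGIN_OK user=alice src=10.0.0.8
2006-12-02T23:41:05 LOGIN_OK user=alice src=10.0.0.8
2006-12-07T08:15:00 LOGIN_OK user=bob src=10.0.0.21
2006-12-09T07:59:30 LOGIN_FAIL user=bob src=198.51.100.9
2006-12-10T10:00:00 LOGIN_OK user=carol src=10.0.0.30
"""

# Constructed list of groups whose members get the closest scrutiny.
SENSITIVE_GROUPS = {"sysadmin", "backup-operators", "finance"}


def parse_auth_log(text):
    """Yield (timestamp, result, user, source) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        yield (datetime.fromisoformat(ts), result,
               user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def reconcile(terminations, accounts, auth_log):
    """Return findings for accounts that were enabled, or used, after termination.

    Access should end at the moment of notification (the post's recommendation),
    so there is deliberately no grace period.
    """
    cutoffs = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    findings = []

    # 1. Still-enabled accounts whose owner has been terminated.
    for acct in accounts:
        cutoff = cutoffs.get(acct["user"])
        if cutoff is not None and acct["enabled"]:
            findings.append({"user": acct["user"], "type": "still_enabled",
                             "detail": f"enabled after termination at {cutoff}; "
                                       f"groups={acct['groups']}"})

    # 2. Any authentication activity, successful or not, after the cutoff.
    for ts, result, user, src in parse_auth_log(auth_log):
        cutoff = cutoffs.get(user)
        if cutoff is not None and ts > cutoff:
            kind = "post_termination_login" if result == "LOGIN_OK" else "post_termination_attempt"
            findings.append({"user": user, "type": kind,
                             "detail": f"{result} at {ts} from {src}"})
    return findings


def audit_priority(accounts, sensitive=SENSITIVE_GROUPS):
    """Map each user to the sensitive groups they hold; these accounts need the
    pre-termination project audit first."""
    prio = defaultdict(list)
    for acct in accounts:
        for g in acct["groups"]:
            if g in sensitive:
                prio[acct["user"]].append(g)
    return dict(prio)


if __name__ == "__main__":
    for f in reconcile(TERMINATIONS, ACCOUNTS, AUTH_LOG):
        print(f"[{f['type']}] {f['user']}: {f['detail']}")
    print("audit first:", audit_priority(ACCOUNTS))
```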

Tags: Insider Attacks, Security Breach


December 14, 2006
Hacker -- A Holiday Tale

These last couple of months, in the cat and mouse game of computer security, I have to admit some days it really feels like the rodents are winning. Or, to paraphrase a certain holiday tale, Not a creature was stirring, but the mice were running wild.

And as the holidays approach, I just wanted to relay a quick tale where a bad guy gets what he deserves. The worst thing about the story that follows is the fellow was once one of us, but is now an IT professional gone bad.

According to eWeek, it seems one Roger Duronio, an employee of PaineWebber, was constantly complaining about his pay and bonuses with the company. And instead of simply quitting and seeking better pay elsewhere, Duronio hatched a plan to infect 1,000 of PaineWebber’s 1,500 networked computers in various branch offices with a “logic bomb.”

So Duronio quit his systems administrator job with PaineWebber in February 2002. On March 4, 2002, the bomb detonated and started deleting files. Duronio bet that, when news of the attack hit, PaineWebber's stock would plummet. The only problem: PaineWebber’s stock stayed exactly the same, and the bet Duronio made by selling the stock short actually ended up costing him $23,000.

And, as you can clearly tell in my telling this tale, Duronio was busted. A New Jersey judge ordered him to pay $3.1 million in restitution and sentenced him to 97 months in prison.

Thus ends the holiday tale. So remember, keep current with your updates and patches, and please, only use your IT powers for good.

Tags: Hacker, Logic Bomb, PaineWebber


December 13, 2006
Botnets Now Used in Massive Phish-net

I hate to report how the bad guys are improving their methodology without immediately offering a remedy from the good guys, but this seems to be one of those cases. As always in dealing with phishing, never, ever reply to unsolicited email from even the most seemingly legitimate source. If you feel you might be having account troubles at your bank, with eBay, with Paypal, or whatever the site, simply log onto those sites directly.

In a report quoted on Brian Krebs’ Security Fix, the Anti-Phishing Working Group found that 52 percent more phishing sites were discovered this past October (bringing the total to 37,444). As if I even needed to tell you, that is the highest on record, and is 52 percent higher than September of this year, and 9 times the amount recorded from October a year ago.

Experts peg this near-exponential growth on a new phishing method called “Rockphish.” The tools used to fight phishing are based on authenticating official web pages and shutting down those deemed illegitimate, and Rockphish circumvents them much as botnets were started to circumvent spam blacklists: a blacklist stopped spam by denying its point of origin, but how do you deny thousands of different points of origin that are changing all the time?

But as Krebs states, “In Rockphish attacks, multiple phishing scams targeting different banks are placed on the same Web server. Each individual scam page is assigned to an Internet subdomain that for a short time is tied to an Internet address of a compromised computer that the phishers control. When a would-be victim clicks on a link in a Rockphish scam, they are routed through the drone PC to the correct scam page.”

One phish-fighter stated that a single Rockphish attack generated 2,000 unique phishing Web addresses in two days. This allows them to rapidly change addresses of phishing sites, and represents a serious blow to the efficacy of the current phish-fighting tools.
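As an added example (not from Krebs' post or the original entry), here is Python detection logic for the pattern Krebs describes: it takes a feed of DNS resolutions, finds hostnames cycling through several short-TTL addresses, and groups them by registered domain to find subdomains fronted by one shared pool of compromised hosts. The record format, thresholds and observation records are constructed for the example.

```python
"""Detect Rockphish-style fast-flux phishing hosts from DNS observations.

Krebs describes many bank scams hosted on one server, each under a subdomain
that is tied only briefly to the address of a compromised PC. This script
groups observed hostnames by registered domain and flags domains whose
subdomains rotate through a shared pool of short-lived addresses.
All observations below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS records: "<ISO time> <hostname> <resolved IP> <TTL seconds>".
# The example.net cluster rotates through three addresses with short TTLs; the
# example.org host is a normal, stable site.
OBSERVATIONS = """\
2006-12-13T10:00:00 bank1.secure-login.example.net 203.0.113.10 120
2006-12-13T10:05:00 bank1.secure-login.example.net 198.51.100.7 120
2006-12-13T10:10:00 bank1.secure-login.example.net 192.0.2.44 120
2006-12-13T10:02:00 bank2.account-verify.example.net 198.51.100.7 120
2006-12-13T10:07:00 bank2.account-verify.example.net 192.0.2.44 120
2006-12-13T10:12:00 bank2.account-verify.example.net 203.0.113.10 120
2006-12-13T10:00:00 www.example.org 192.0.2.200 86400
2006-12-13T11:00:00 www.example.org 192.0.2.200 86400
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels.

    A simplification: production code would consult a public-suffix list so
    that names like host.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse(text):
    """Parse the constructed record format into (time, host, ip, ttl) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, ip, ttl = line.split()
            rows.append((datetime.fromisoformat(ts), host.lower(), ip, int(ttl)))
    return rows


def fast_flux_hosts(rows, max_ttl=300, min_ips=3):
    """Hostnames seen at >= min_ips distinct addresses, never with a TTL above max_ttl."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _, host, ip, ttl in rows:
        ips[host].add(ip)
        ttls[host].append(ttl)
    return {h for h in ips if len(ips[h]) >= min_ips and max(ttls[h]) <= max_ttl}


def rockphish_clusters(rows, min_hosts=2):
    """Registered domains with several fast-flux subdomains sharing the same IP pool.

    Sharing is the Rockphish signature: different scam pages (one per bank)
    are fronted by the same set of compromised machines."""
    flux = fast_flux_hosts(rows)
    by_domain = defaultdict(lambda: defaultdict(set))
    for _, host, ip, _ in rows:
        if host in flux:
            by_domain[registered_domain(host)][host].add(ip)

    clusters = {}
    for domain, hosts in by_domain.items():
        if len(hosts) < min_hosts:
            continue
        shared = set.intersection(*hosts.values())
        if shared:
            clusters[domain] = {"hosts": sorted(hosts), "shared_ips": sorted(shared)}
    return clusters


if __name__ == "__main__":
    for domain, info in rockphish_clusters(parse(OBSERVATIONS)).items():
        print(f"{domain}: {len(info['hosts'])} fast-flux hosts share {info['shared_ips']}")
```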

Tags: Phishing, Rockphish


December 12, 2006
Microsoft Patch Tuesday Update

Covering another patch Tuesday for Microsoft, I was thinking that instead of naming their new operating system Vista, they should have named it Cabbage, and then I could call today Cabbage Patch Tuesday.

According to Microsoft, today they issued fixes for 11 holes in different versions of the Windows operating system along with other products. These updates include a fix for 2 vulnerabilities in Windows Media Player, which hackers could use to install software just by getting users to open a modified Windows Media Player file.

Another update fixes four security problems in Internet Explorer in which hackers could break into or steal data from vulnerable PCs by either getting the user to visit a specific internet site or opening a specific email. This patch does not apply to IE 7. And while there were a few rumblings about IE 7 vulnerabilities this past month, Microsoft is still investigating them for potential future patches.

Also, today’s bundle includes a patch for a dangerous vulnerability in Microsoft Visual Studio 2005 that attackers are already using to infect vulnerable machines. Visual Studio is not a default program (if you had it installed on your system, you would know it).

Finally, according to Brian Krebs' Security Fix, none of the updates include a fix for a Microsoft Word vulnerability currently being exploited. Microsoft said they were aware of the serious hole in basically every version of Word, and even warned about a second one, yet this is the second month in a row that Microsoft has not issued an Office patch. Hopefully Microsoft will rectify these problems next year, and until then, always beware of opening attachments and stay off the back-alleys of the internet.

Tags: Patch Tuesday, Microsoft


December 11, 2006
3 Keys to Better Security

This list comes from Ira Winkler, one of the nation's leading computer security experts and president of Internet Security Advisors Group, a security consultancy that specializes in vulnerability assessments and penetration testing services, in an interview with Baseline.

First, IT should focus their attention inward, as insiders continue to represent the biggest security threat. That includes putting in intrusion detection and misuse-and-abuse detection, because even when outsiders break in, they show up as insiders.

Second, practice security awareness, which in many cases simply means practice security common sense. And to have common sense, users must have common knowledge, and it should be the fundamental goal of every security department to communicate common security knowledge to all employees. And this common knowledge should not only address how employees behave internally, but also how they behave externally, because if employees are only expected to behave internally one way and externally another, bad security behavior is bound to be brought into the company.

Finally, make absolutely sure the basics are taken care of. That means make sure the systems are hardened, all the updates are turned on and enabled, all the antivirus software is turned on and updated regularly, and in general all of your software is continually updated.

As Winkler said, “The attacks aren’t coming from geniuses. Probably, there are one or two geniuses out there in any attack that find a vulnerability and create a tool for that vulnerability. Then, at that point, many morons can take that attack script and run it against anybody. But if companies are implementing the basics properly and proactively securing their systems, they will be ahead of the curve and prevent the crimes.”

Tags: Better Security


December 08, 2006
The Difference a Zero-Day Makes

I just want to make a quick post to remind you of the importance of keeping current with software updates. While missing a day of updates may not seem that catastrophic (it’s always so easy to think, “Well, it didn’t hurt me last time”), the fact is, according to Smart Biz, there are 25 new viruses or threats released each day (and that estimate doesn’t give hackers any weekends or holidays off).

So if you let updates go for one day, then two, and pretty soon a whole week has gone by, that means there are now 175 new viruses trying to overrun your PC and break into your network. So to put it simply, you absolutely positively must update. Please.

Tags: Software Updates


December 07, 2006
Critical MS Word Flaw Found

Microsoft is looking into a vulnerability in MS Word that could allow a hacker to gain control of a PC or Mac just from opening a malicious Word file attached to an email.

According to this Microsoft advisory, so far this previously unknown flaw has only been used in limited attacks and affects Word 2000, Word 2002, Word 2003, Microsoft Word Viewer 2003, Word 2004 for Mac, Word 2004 version X for Mac, and Works 2004, 2005, and 2006.

"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker," the advisory stated.

Microsoft may release a patch for the issue on its regularly monthly patch schedule, which would fall on December 12, or could issue an emergency update before or after that date.

Until then, and even after that, it's a good idea never to open an attachment from a sender you don't directly know. And even if you do get an attachment from someone you know, it's probably a good idea to approach attachments cautiously, and if anything about the email seems even a little bit off (I once got an email from a lawyer friend that started off with "Yo," and my friend would never say that), check with the sender directly.

Tags: Microsoft Word, Email Virus


December 06, 2006
3 Google Hacks You Better Know About

When a bank robber is getting ready to rob a bank, you can bet the successful ones case out the bank beforehand and try to learn every possible thing they can about the bank’s strengths and weaknesses. Well, when a cybercriminal is zeroing in on a company to attack on the internet, there are three main Google searches they use to do just about the same thing.

The following three searches should give you a good hacker’s eye-view of your company's web presence and exactly where the most obvious weaknesses lie.

The three searches, taken from IT World, are (note that the xxx.com should be replaced with your URL):

Site:xxx.com – This displays the systems under that domain name known to Google and is used by attackers to quickly identify potential targets on the internet. It also shows the pages that exist under that domain and the structures and technologies (HTML, Notes, ASP, PHP, etc.) in use, and helps the attacker focus their attack.

Filetype:yyy site:xxx.com – This quick search allows hackers to uncover possible confidential data accessible on your site. The yyy should be replaced with common file names like doc, xls, txt, rtf, ppt, and the search commonly reveals data that can range from customer lists to marketing lists to phone books to email addresses and more.

Link:xxx.com – This reveals sites that link to your site and can help attackers discover business partners and others who might have special access through partner networks, firewall rules, VPNs, etc. This is also a good search to possibly reveal phishing and scam sites that may be linked to you in order to steal content and graphics.

While these three searches barely scratch the surface of the ever-morphing world of Google hacks, they should quickly reveal the most obvious, and easily correctable, problems with your company’s internet presence.

Tags: Google Hacks


December 05, 2006
Who's Watching Those Watching You

IBM seemed to answer that question today, as they announced plans to acquire Consul Risk Management, Inc., a software company located in Delft, Netherlands, and with offices in Herndon, Virginia.

Consul is the leading provider of compliance and security software. This acquisition strengthens IBM’s Service Management initiative by adding key data governance and compliance monitoring, auditing and reporting capabilities across mainframe and distributed environments, a unique capability unmatched by other competitors.

Many companies are uncertain which employees need access to certain sources of sensitive information, such as personal health records or a company’s finances. I found the following quite interesting, and hence the title of this blog: a recent industry report found that 86 percent of internal security incidents are perpetrated by a company’s most privileged and technical users, as in IT admins, vendors, consultants, etc. Left unchecked, privileged users can violate company compliance policies and lead to identity theft.

Consul provides an “auditor-in-a-box” which uses a single management technology dashboard. Consul's monitoring and auditing capabilities cover a wide array of systems, applications and resources, including IBM's mainframe environment. The technology provides powerful visibility of insider threats and specific reporting designed to help address customers' compliance activities related to various regulations such as Sarbanes-Oxley and HIPAA.

The software provides alerts when information or technology assets are at risk, when data has been accessed by an unauthorized user, or if compliance rules have not been followed. The product uses patent pending "W7" methodology (Who, did What, When, Where, Where from, Where to and on What) to consolidate and analyze vast amounts of user and system activity.

“Consul is uniquely capable of rounding out the IBM portfolio to help clients more fully address compliance around access to private information to help reduce risk in their organizations," said Al Zollar, general manager, IBM Tivoli Software. "Together, IBM and Consul will be able to offer integrated security management and powerful user activity monitoring across the entire IT infrastructure from devices and systems to applications in both traditional and service oriented architectures.”

“With today's high volume of compliance activity, auditors typically want to know that organizations have control of privileged user activities," said Joe Sander, CEO, Consul. "Beyond knowing who has the right to access specific data, companies need to ensure that only appropriate individuals are doing so, without hindering business productivity. Consul software is one of the industry's first solutions to address the intersection of audit and policy compliance efforts with information security and operational risk.”

Tags: Compliance, Consul, Sarbanes-Oxley


December 04, 2006
One Password = Many Risks

The International Telecommunication Union (ITU), a Geneva-based branch of the UN, warned recently that the ever increasing number of passwords required from computer users today makes it a virtual certainty that users will have no choice but to start repeating passwords. And just one repeated password doubles the chances of it being cracked, and in turn doubles the effectiveness of the cracked password.

As the ITU said in its 2006 internet report, the increasing need for passwords “may cause security breaches, and leave them vulnerable to the machinations of identity thieves ever increasing in number and inventiveness.”

The ITU also warned against the extensive use of cookies by internet marketers, saying that, while some people are not bothered by it, that cookies could very well lead to a breakdown in consumer trust and stall any future expansion of internet commerce.

In a recent blog on passwords, I discuss such a system to generate passwords, one that creates a hierarchy for the importance of the password. This system suggests using a key card to help create passwords, a key card that does not give the passwords away in case it is ever lost or stolen. You might want to give it a read here.

Tags: Cookies, Creating Passwords


December 01, 2006
Hacker, Inc. vs. You -- Future Trends in Security

In a disturbing trend for the future of computer security, gone are the days of the lone hacker sitting in their basement looking to write the killer code that would one day make them famous, or better yet, infamous. Instead, they have been replaced by whole networks of organized hackers who quality test their efforts for maximum damage and also offer software updates and tips to other hackers using their programs. Why, you ask?

The answer is simple: money. No longer do hackers dream of making their name simply by hacking; instead they want to make their name the old-fashioned way: by stealing your money. And doing that requires a high level of expertise and professionalism, which, as reported by eWeek, represents the central threat against the future of computer security.

That means malware will become increasingly sophisticated as it searches for ever newer ways to hide inside seemingly legitimate applications and steal your vital information. Phishing schemes, or fake emails connected to fake sites that often look incredibly legitimate and try to trick you into giving out financial or password information, are also expected to proliferate.

As reported by McAfee Labs, another threat expected to rise in 2007 is the use of potentially unwanted programs to put adware on users’ PCs. These usually advertise themselves as simple games or helpful applications, but serve as a backdoor for all sorts of nasty software.

Botnets are expected to continue proliferating. Their success in spreading spam means they will probably be enlisted to carry out much worse crimes, as the fact that they comprise an entire network of computers makes it difficult to track down the source of the cyber-crime.

And with the explosive growth of video sharing and peer-to-peer sites, we can certainly expect malware writers to start focusing more of their efforts on them as well. MPEG files, which play video, are expected to become one of the major systems for malware delivery to your computer. The recent discovery of the W32.Realor worm, hidden in media files, only confirms that.

Also, file-sharing sites continue to prove the adage that free is rarely if ever free. Nearly one third of all files on LimeWire and BitTorrent held hidden website redirects, although few of the files were found to be malicious. But I think the lesson to learn is, with Hacker Inc. now in business, don’t expect the era of harmless hacks to last long.

Tags: Security Trends, Hackers, Malware


Accountability: The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ.
