February 10, 2008
Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


January 31, 2007
Major Shift -- More Phishing than Virus Emails

In a marked shift from just a year ago, security experts have noted that for the first time ever, there have been more phishing emails detected than emails infected with viruses. According to MessageLabs, in January 2007, 1 in 93 emails (1.07%) was some sort of phishing attempt, while only 1 in 120 emails (0.83%) was found to be infected by a virus.

Part of this can be explained by the nature of the new viruses, which are much more targeted. As I’ve blogged here before, cybercriminals who launch virus attacks no longer rely on huge macro-attacks in an attempt to infect every computer in the country. This is mainly because that type of attack can be quickly quelled using blacklisting and content analysis, and because the longer a new virus goes undetected and unreported, the more profitable it is to the hackers.

Mark Sunner, chief technology officer at MessageLabs, said: "If you look at infected email traffic for January, it's very spiky. With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate."

At the same time, phishing has become much more sophisticated, with man-in-the-middle attacks, though still rare, increasing. In one such attack, a user is tricked into clicking on a link that leads to a fake portal hosted on a compromised machine, and any information entered, such as bank details and codes, is relayed through the compromised machine to the real bank site. Once the user has validated themselves on the real system through the compromised relay, the hackers kill the user's connection through the relay and take over the session.

This is possible because phishing attacks have become much more personalized and much more believable (which includes sending phishing emails that impersonate banks the victims actually use, instead of just sending random phishing spam). Also, more phishing sites are using Flash content rather than HTML to avoid the anti-phishing technology deployed in web browsers.

Finally, another reason for this shift is that malware has moved more in the direction of web-based attacks, which simply means the virus level remains constant; users are just more likely to pick it up surfing the web rather than by opening an email attachment.

Tags: Phishing, blacklisting, cybercriminals

Posted by pschooff in Phishing | Permalink | Comments (0) | TrackBacks (0)

January 30, 2007
Spam I Am Not!

After you've spent the time and energy constructing the perfect Newsletter to keep your happy customers abreast of your company's new offerings, the worst thing that could happen is for that email to get mistaken for spam and, BAM, it gets deleted before it even gets opened. Here’s a list, taken from Dark Reading, of the mistakes that get a company mistaken for a spammer:

1. Ignore “unsubscribe” requests - This is pretty self-explanatory, and requires good list management so that the people who do not want your fantastic Newsletter don’t keep getting it ('cause if they do, they're going to end up hitting the SPAM button on their email, which will only add to your email delivery problems). Of course that means making sure your unsubscribe link is still working. It’s also key to note that in the U.S. it is ILLEGAL not to provide the ability to unsubscribe.

2. List “repurposing” – Your company email list should be treated as your company’s lifeblood and your livelihood, and in no way whatsoever sold to another company so they can start trying to sell your customers on something. We’ve all had this happen with snail mail; as a matter of fact, a recent magazine subscription of mine had my name misspelled, and you would not believe how many subscription offers I now get with that very same misspelling. But online, that will likely get you tagged as a spammer, and render your mailing list useless.

3. Provide unclear privacy checkbox instructions, and then ignore users’ responses – Fairly simple and self-explanatory, but this also covers things like the opt-in box: do NOT have it prechecked, which looks unprofessional and a little shady. Also, if the directions are not clear, this could create some consumer distrust, which is exactly NOT the way to run a successful enterprise (unless you’re a spammer, of course).

4. Lose track of the company’s desktop and server machines that could be co-opted by someone else – Andrew Lee, chief research officer for Eset, says he recently conducted an audit for a client and found an infected machine sitting under some tables in the janitor's broom closet. It was pumping out thousands of IP scans per minute. "No one had any idea it was there, or why it was there, and by the age of the hardware, it had been there a very long time," he says. "It's very hard to get free of the taint of being a spammer, or being associated with an IP that is on a lot of block lists. And it can be really hard to clean that up." A company simply needs to account for every connected computer. Enough said.

5. Not keeping lists up-to-date – This is fairly simple, and is as important as not allowing customers to opt out. But this also means not using old lists for the very reason that the opt outs may suddenly be opted back IN. If your company is reported to Spamcop or any other spam reporting service, be sure to follow up immediately for a speedy resolution.

6. Having vulnerable mailer forms on your website – Botnets have made this less common, but if you have a mailer form on your Website that can be abused as an open relay, an old-school spammer could use it to shoot his mail through, notes Eset's Lee. "This is much less common now. But it still happens, particularly in smaller businesses where there is less expertise in the organization."

"Hackers usually begin by sending to a potential target's domain a massive number of messages using different names just to see if they can get any responses," says Mike Katz, President of Message Partners, an up-and-coming email security company. "This is how a cybercriminal typically uncovers working addresses inside an organization to coordinate their attack."

7. Working with less than reputable third-party mailers – Like buying goods known to be stolen, if you’re not part of the solution you are part of the problem. A good way to make sure a company is reputable is to make sure they use the same policies as you, i.e. checking email addresses and maintaining clean databases. Adds Eset's Lee: "Unfortunately, even legitimate companies that have no intention of spamming have been caught outsourcing their [email] advertising to companies which are less than scrupulous."

Another warning sign: if a price seems too good to be true, ask more questions, such as where they get their mailing lists, and ask to see their opt-out page and check whether it actually works.

Tags: Spammer, Company Newsletter, Stop Spam

Posted by pschooff in Spam | Permalink | Comments (0) | TrackBacks (0)

January 29, 2007
What Does Spam Cost?

As I’ve reported in my year-end summary, some estimate that spam now comprises 9 of every 10 email messages currently sent. But more important, and something I have not covered, is exactly what all this spam costs.

The first, and most direct, cost is to service providers in the form of churn, or customer turnover, obviously from customers angry with so much spam getting through to their email and looking to change email accounts in hopes of getting less spam. But I'm looking at spam from more of a corporate cost level.

Experts estimate that 90% of all business communications are now done electronically. So to figure out the cost of spam, I went to the spam cost calculator at Computer Mail Services. I entered a company of 50 people working 40-hour weeks with an average salary of 25 dollars per hour (the other variables were the number of spam messages a day, which I set at 25, and the average number of seconds spent junking each one, which I set at 2 seconds). According to those settings, the company lost a grand total of $4,166 a year (this in no way calculates the cost of anyone getting scammed out of credit card or banking information).

Now I know that’s a pretty random number, as employees are not robots, and every employee second does not relate to a company’s bottom line. Obviously, employees waste time at work, but the spam calculator says that yearly, with 25 spam emails a day and 2 seconds wasted on each spam, a total of 5 hours a year is spent per employee on spam. Wouldn’t you much rather have that employee spending that time talking with other employees and building company spirit than going down a list deleting one spam after another?

So therefore spam depletes company spirit: that's a whole 'nother cost entirely.

Tags: Cost of Spam, Service Providers, Churn

Posted by pschooff in Spam | Permalink | Comments (0) | TrackBacks (0)

January 26, 2007
"Storm" Worm Worst Outbreak Since '05

As this blogger, and many others, report on the aftermath of the "storm" worm, one of the reasons for the worm's effectiveness is the very fact that many thought this type of malware attack was obsolete.

Because of the effectiveness of blacklisting, along with content pattern matching, cyber criminals have largely abandoned large-scale attacks in favor of micro-attacks, which are small, specific to certain industries, and designed to stay under the radar to avoid detection. So most security experts concluded that the days of massive worldwide Sasser-like attacks were a thing of the past. Click here for the Wikipedia explanation of 2004's Sasser computer worm.

One aspect of the storm worm that has come into favor with malware writers is its use of social engineering. Computer users, and people in general, seem to fall for headlines that warn of imminent massive threats or report a large number of deaths. I guess this is just like the local evening news that goes by the saying, "If it bleeds, it leads." Triggering the all-too-human fight-or-flight response seems to be one of our most unavoidable impulses, and apparently the perfect delivery mechanism for malware.

Symantec gave the storm worm a 3 rating, which is rare, as they mostly only rate malware at a 1 or 2. Some question whether the storm worm really merited so much media coverage, with some saying storm's overexposure was the result of a slow news week. All I know is that one company I work for had its email completely shut down for an entire day this week, and while we were uncertain of the bug's true origins, it sure seemed to bear all the hallmarks of the storm worm.

Tags: Storm Worm, Sasser, Social Engineering

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 24, 2007
PhishTank Seeks Bigger Tank

I blogged on here several months ago about Phishtank and their efforts to combat phishing. As the site is reliant on users, where users both contribute potential phishing sites and then vote on their legitimacy, the more people actively engaged in PhishTank's fight the better. And as phishing is a threat to almost all legitimate types of business on the internet, people should really get involved. To join the fight, just click here.

Also, PhishTank made a recent call to developers for ideas to better the site. David Ulevitch, CEO of OpenDNS and the founder of PhishTank, said, "I want PhishTank to be the best site it can be." According to Dark Reading, PhishTank has grown from around 2,400 active members in its first month to more than 10,000 after three months. PhishTank says they have uncovered more than 35,000 phishes to this point, so who can say how many people they've saved from getting ripped off.

The only problem is that PhishTank still relies on blacklisting to ultimately be effective, and the recent explosion of botnets has pretty much rendered blacklisting ineffective. But this could be offset if anti-spam efforts continue along the content analysis route, where PhishTank could certainly help on the content side by providing proven phishing emails.

But the time has clearly come to upgrade PhishTank. As the site relies on user input, the easier the site is to use the greater the participation will be (PhishTank is actually fairly easy to use, but some have called for an easier verification process). Says Ulevitch, "I'm looking for fresh perspectives, so we're bringing in outside folks that might bring in fresh energy and ideas." I say the less phishing there is the better it is for everyone.

Tags: Phishing, Combat Phishing, blacklisting

Posted by pschooff in Phishing | Permalink | Comments (0) | TrackBacks (0)

January 23, 2007
"Storm" Worm Raining Spam

As the "Storm" worm makes its way around the world, experts are predicting that as the worm infects more and more computers, another big wave of spam is soon to follow.

The storm worm is being distributed in order to set up another botnet, or a network of infected computers that can be controlled by an external master computer. The worm, first uncovered Jan. 15, is being called storm because in the subject line it references a major storm in Europe.

Like a tabloid newspaper prospecting for readers, the subject line attached to the malware varies between "230 dead as storm batters Europe" and "First nuclear act of terrorism!" As reported by Eweek, this is another example of the rising tide of social engineering spam, which is spam that plays on people's fears to gain access. The spam contained attachments titled "full clip.exe" and "read more.exe," and once opened they create a backdoor that can be exploited in the future.

Since that successful attack, which was mostly focused on consumers, a new variant has appeared with subject lines like "The Mood for Love" and "I Dream of You."

Commtouch officials said they identified and blocked over 5,000 distinct variants during the first four days of the "Storm" worm activity, and there were time periods during those days when the malware accounted for nearly 17 percent of all global Internet e-mail traffic.

"Malware writers know they have limited time before an AV signature or heuristic will be created to block any mass-distributed malware, so they break the outbreak into thousands of variants and distribute in smaller numbers of instances to maximize infection," said Haggai Carmon, Commtouch vice president of products, in a statement.

"Once AV engines battled to get a signature out within the first few hours of the outbreak, now the hard truth is that even these signatures are now becoming ineffective to protect against the first wave of each new variant. In the time it takes to write and distribute each new signature, thousands of newer variants are launched against which the signature does not protect."

Tags: storm worm, malware, botnet

Posted by pschooff in Spam | Permalink | Comments (1) | TrackBacks (0)

January 22, 2007
Does Stock Spamming Really Work?

I was recently at a meeting with a service provider, the excellent Comendo of Denmark, which provides internet and email security to many large multinationals throughout Europe, and they asked me: but come on, do stock pump-and-dump scams really work? Who in this day and age would fall for such a scam? (Please note: I am paraphrasing here.)

While I've blogged about it numerous times before, I found the following succinct summation on the effectiveness of spam scams at Slashdot.org. It follows:

"Laura Frieder and Jonathan Zittrain have analyzed pump n' dump spam activity in their paper 'Spam Works: Evidence from Stock Touts and Corresponding Market Activity'. Unbelievably, it appears that spammers are able to achieve a 5% gain on pumped stock before dumping it, along with a dramatic increase in transaction volume of the stock. From the synopsis: 'We suggest that the effectiveness of spammed stock touting calls into question prevailing models of securities regulation that rely principally on the proper labeling of information and disclosure of conflicts of interest to protect consumers, and we propose several regulatory and industry interventions. Based on a large sample of touted stocks listed on the Pink Sheets quotation system, we find that stocks experience a significantly positive return on days prior to heavy touting via spam. Volume of trading responds positively and significantly to heavy touting.'"

Tags: Stock Spamming, Stock Pump and Dump, Spam's Effectiveness

Posted by pschooff in Spam | Permalink | Comments (0) | TrackBacks (0)

January 19, 2007
The Big Botnet Question

Where are the ISPs in the battle against Botnets?

Botnets have threatened the very viability of email, so why haven’t ISPs joined in the battle to put them out of business? Experts say that ISPs just don’t have the resources yet in place to do battle, and it probably doesn’t make financial sense for them either. Yet!

“I don't think the botnet problem is large enough in the U.S. to catch ISPs' attention here yet," says David Maynor, CTO of Errata Security. "It will have to start costing them a lot of money first.”

That’s not to say no ISPs have joined the battle. Earthlink works with a “feedback loop system” where users can click a “this is spam” button, which helps Earthlink update their filters. Earthlink is an active member of the Messaging Anti-Abuse Working Group (MAAWG), which also includes Microsoft, Verizon, Cox Communications, Comcast, and Bellsouth. Recently MAAWG added behavioral monitoring to help detect zero-day attacks.

Then again, some people are plenty glad ISPs have stayed out of the fight. For ISPs to be actively involved they must have remote access to your desktop.

Says Dan Kaminsky, director of penetration testing for IOActive, “I don't want an ISP to have root on my box," he says. "Why should an ISP be in the position to monitor what software I'm running? Should they even know? But on the flip side, we are not winning the bot war, we’re losing it substantially, which may require a rethinking of networking in general and how we deal with botnets," he says. "Even if you gave Comcast or another ISP root on millions of machines so they could see if botnets are on them... Botnet authors could just hide from them.”

ISPs should definitely be actively quashing command and control botnet nodes that run on their networks, though, he says. This was taken from a list at Dark Reading.

Tags: botnet, ISP Botnet

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 18, 2007
Corporate Networks Under Threat

According to FaceTime Communications, risky employee behavior is the reason behind the growing threat of botnets. FaceTime also discovered that it actually isn't the total number of botnets that has increased, as more were uncovered in 2005 than in 2006, but rather the increasing sophistication of botnets and the difficulty of finding them that has led to the recent explosion of spam.

FaceTime warns that today's malware is "stealthier, more complex and harder to identify and defend against." Also, FaceTime tracked 1,224 unique threats from "greynet" applications, programs which users download onto the corporate network usually without informing the IT department. Apparently, attacks over peer-to-peer networks increased by 140 percent over 2005 levels and multichannel attacks jumped to 29 percent of all attacks in 2006.

Also, as I've blogged before, FaceTime found that these new cybercriminals are well-funded, extremely savvy, and generally try to collect as much info as possible before moving to the next target. And it seems the main door these hackers use to get access is through greynet applications. According to the company's Second Annual Greynets Survey, 39 percent of users believe they should be allowed to "install the applications they need on their work computers," independent of IT oversight or policy, while 53 percent of users report they "tend to disregard" company policies that govern greynet usage, specifically IM and peer-to-peer file sharing.

The study also discovered that 80 percent of IT managers are at locations that have experienced greynet-related attacks within the last six months.

"Despite myriad security technologies employed by enterprise IT managers to block malicious attacks, the user is often the biggest vulnerability, especially on the real-time, socially-networked Web" said Frank Cabri, vice president of marketing for FaceTime, in a statement. "In 2007, the biggest security risk for organizations is likely to be their own users, as employees install consumer-oriented greynet applications onto their workplace computer faster than the IT team can keep up with the corresponding controls."

And as if we didn't know already, the motive behind most of these attacks is purely financial.

Tags: greynet, Company Servers, Malware

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 17, 2007
Update Update Update!!!

As proof that IT pros must update often and on time, and that many still don't, a vulnerability in Symantec's antivirus software, for which Symantec issued a patch seven months ago, is still being actively exploited throughout cyberspace. That means that a virus that should be dead and gone by now is still very much ALIVE!

As reported by The Register, this exploit turns user PCs into zombies that join other zombies to create a vast botnet used to spread spam and engage in denial-of-service attacks. And the only thing keeping this malware alive is other IT pros, pro as in procrastinators (although there are plenty of excuses, of course, as just about everything needs to be done yesterday).

The attack targets unpatched versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. Symantec initially dismissed the flaw, saying it wasn't likely to be exploited, until the worm resurfaced in November. And unlike many Symantec updates, which are installed automatically, the fix for the corporate antivirus software has to be downloaded from the company's website and manually installed. Symantec is wisely re-evaluating this policy.

Let's face it, most IT professionals pay for protection so they can be free to worry about all the other things there are to worry about in a corporate computer system.

Tags: Security Updates, PC Zombies, Symantec Patch

Posted by pschooff in Better Protection, Patches, Small Medium Enterprise | Permalink | Comments (0) | TrackBacks (0)

January 16, 2007
Good Security News At Last

Like anyone, I get tired of turning on the evening news and always hearing about this or that horror, and in terms of blogging about security, quite frankly I am tired of all the stories about how hackers have made mincemeat of our defenses (let’s face it, we work hard and pay good money to keep our computers secure).

So I am happy to report on this most excellent and totally free tool from Secunia, the Secunia Software Inspector, which, when downloaded, will scan your machine to tell you exactly what patches you are missing. And get this: the program not only tells you how you stand with Microsoft Windows updates, but will also give you the heads up on Skype, instant-message applications, the Web browsers Firefox and Opera, as well as multimedia applications such as Adobe Reader, QuickTime, iTunes, Macromedia Flash Player, Sun's Java JRE, and Winamp.

I uncovered this information on Brian Krebs's Security Fix, and what is great about this handy tool is that there is no need to install any software; you can simply run the scanner straight from the site (but you will need to temporarily enable Javascript if you have it disabled). So check out your patches pronto and let's at least make hackers have to work for it.

Tags: Patch Checker, Security Inspector

Posted by pschooff in Better Protection, Patches | Permalink | Comments (0) | TrackBacks (0)

January 12, 2007
Know Your Crimeware

Some weeks, I feel really good about the direction computer security is going in; other weeks, and this is one of those other weeks, everywhere I turn there seems to be more bad news.

A report at Symantec Solutions states that, as hard as it might be to imagine, many IT professionals will look back on these days and see them as the good old days of corporate security. I hate to say it, but in every way it looks to be true. Computer security seems to be getting more dangerous by the day, and the criminals don't take weekends off.

A short time ago, malware came in three basic threats: viruses, worms, and Trojan horses. Today there are still viruses, worms, and Trojan horses, but there is also spyware, adware, rootkits, botnets, phishing, and search engine hijacking. These newer attacks, unknown just a few years ago, are much more sophisticated, and also represent a major change in computer hacking.

The first change is the sheer number of new types of attacks listed above: there are just so many more kinds of attack, coming through so many different delivery methods. Criminals are combining malware, which we can now basically call crimeware, into blended attacks that make them all that much more difficult to detect and repel. Also, these attacks are incorporating much more of a social-engineering element and require some amount of interaction (like the attack I wrote about yesterday, which perfectly imitated internal email and told employees they were being fired, and once they clicked on the attached link, downloaded a key logger).

The other great change, reflected in the new name crimeware, is in the underlying motivation of hacking. What was once ego-based, as in trying to attack the most systems with the most clever and disruptive type of virus, has given way to pure stealth, as the longer attackers go unnoticed, the more information they can hijack and the more money they can steal. Very simply, the new hacker is purely profit-driven.

So how should companies prepare for these new types of attack?

Symantec says that companies need to improve their threat response. The rise of blended attacks means IT departments need more integrated, comprehensive approaches. For example, an integrated, high-quality anti-virus solution combined with an e-mail scanning system and a firewall represents a far more difficult challenge to an attacker than any of them do individually.

Also, as I've said repeatedly, update, and update often. As it seems even Microsoft will be offering updates more frequently than the monthly scheduled Patch Tuesday, companies must keep up with updates. That includes scheduling more scans to detect crimeware, as some of it sits dormant in systems waiting for the downtime between scans.

Finally, IT managers should have a plan so that, if their systems are compromised, they still have access to the data they need to keep the company going. This plan has an added benefit in that it will provide preparation for any type of disaster, not just crimeware.


Tags: Crimeware, Malware, Trojan Horses

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 11, 2007
Beware of Spear Phishing

As if every day doesn’t bring a brand new threat, I’ve come across this report on CIO Today warning against spear phishing, or targeted spam, called that because the sender is able to make it look like the e-mail is coming directly from within the organization. As you can probably guess, that makes it more difficult for spam filters to spot.

Recently, some employees at Dekalb Medical Center in Decatur, GA, received e-mails that said they were being laid off. The e-mail's subject line read, “Urgent – employment issue” with the sender listed as dekalb.org, the same domain the medical center uses for internal e-correspondence.

The e-mail contained a link for more info, and several employees, obviously concerned, clicked on the link, in turn downloading a keylogger program that could record their every keystroke.

Apparently, this type of spam, where spammers spoof the sending e-mail address to make it look like inter-office e-mail, is on the rise. Also, the fact that spammers are only sending a few of these messages out at a time makes it doubly difficult for spam filters to pick up and block en masse.

“We blocked a ton of spam at our e-mail gateway because the [sender] addresses are not valid, but these were," says Sharon Finney, information security administrator at Dekalb Medical Center, which has 3,500 employees.

The IT department only heard about the ruse because a frantic employee called HR, who in turn called the CIO. Immediately, IT set the web filter to block all employees from visiting the site (even if they clicked on the link) that contained the malware.

So now, instead of malware coming packed in somewhat pleasant holiday greetings, it is coming disguised as “You’re fired” messages, and with the e-mail address looking like it’s from inside the company, I can imagine more than a few people getting ‘speared.’

Many experts predict that targeted spam is the wave of the future, and will be sent out in more discreet, and less easy to detect, trickles instead of fire-hose blasts. While there are ways of detecting these types of attacks, as the HTML is written in a way that some filters can flag as suspicious, in Dekalb’s case several machines were nevertheless infected, and IT spent hours cleaning up the mess.

This really just represents the coming challenge for e-mail security companies, as spam becomes much more criminal in its attempts at gathering people's critical information and much less about selling something useless to someone.
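One way a gateway could catch the pattern in the Dekalb case above, where the sender address was valid but the "internal" mail actually entered from outside, is to compare the From: domain against the relay that delivered the message. This is an added example, not code from the post or from Dekalb Medical; the organization domain, the internal address ranges and the two sample messages are constructed for illustration.

```python
# Added example (not from the post): flag mail that claims our own domain as
# sender but entered through an outside relay. The sender address itself may
# be perfectly valid, which is exactly why a validity check alone misses it.
from email import message_from_string
from email.utils import parseaddr
import ipaddress
import re

# Assumptions for this example (constructed, not the page's values): the
# organization's domain and the address ranges of its own hosts and relays.
ORG_DOMAIN = "example.org"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Matches the bracketed source address in a Received: header, e.g. "[203.0.113.45]".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    """Domain part of the From: address, lowercased ('' if no usable address)."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_internal(ip_text):
    """True if the address lies in one of our own networks; False for junk input."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def first_external_hop(msg):
    """Return the first source IP in the Received: chain that is not ours, or None.

    Each relay prepends its own Received: header, so the last header is the
    oldest hop; a message that never left our network shows only internal
    addresses."""
    for received in reversed(msg.get_all("Received", [])):
        match = _IP_RE.search(received)
        if match and not is_internal(match.group(1)):
            return match.group(1)
    return None


def classify(raw_message):
    """Return 'spoofed-internal', 'internal' or 'external' for one raw message."""
    msg = message_from_string(raw_message)
    claims_our_domain = sender_domain(msg) == ORG_DOMAIN
    outside_hop = first_external_hop(msg)
    if claims_our_domain and outside_hop is not None:
        return "spoofed-internal"
    if claims_our_domain:
        return "internal"
    return "external"


# Constructed sample messages. The first imitates the "Urgent - employment
# issue" lure but was handed to our gateway by 203.0.113.45, a documentation
# range address standing in for an outside relay; the second is genuine
# internal mail from a workstation on our own network.
SPOOFED = """\
Received: from relay.example.net ([203.0.113.45]) by mx.example.org
    with ESMTP id A1; Thu, 11 Jan 2007 09:14:02 -0500
From: HR Department <hr@example.org>
To: staff@example.org
Subject: Urgent - employment issue

Please see the notice below.
"""

GENUINE = """\
Received: from ws-117.corp.example.org ([10.20.30.117]) by mail.example.org
    with ESMTP id B2; Thu, 11 Jan 2007 09:20:11 -0500
From: HR Department <hr@example.org>
To: staff@example.org
Subject: Benefits enrollment reminder

Open enrollment closes Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(f"{label}: {classify(raw)}")
```

The check only trusts the Received: header added by the organization's own gateway; headers below it can be forged, which is why the walk stops at the first non-internal hop rather than trying to reconstruct the whole path.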

Tags: Spear Phishing, Internal Email, Intercompany Email

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 10, 2007
Minimizing Spam

The following list was provided by McAfee to minimize the daily onslaught of spam. Some of it is pretty good advice, and some of it is pretty basic advice (like never responding to spam), but there must be some reason spam keeps coming. I especially recommend the last one, as in get separate email addresses, one for friends, one for mailing lists. From Gmail to Hotmail to Yahoo, there are just so many places to obtain free email, and once spam starts to overwhelm one email address, switch to a new one, as they are very disposable.

Also, my company, Message Partners, has come up with some pretty neat new tricks to beat spam, such as greylisting. McAfee's list follows:

1. Never respond to spam. If you reply, even to request removing your e-mail address from the mailing list, you are confirming that your e-mail address is valid and the spam has been successfully delivered to your inbox. Lists of confirmed e-mail addresses are more valuable to spammers than unconfirmed lists, and are frequently bought and sold by spammers.

2. Check to see if your e-mail address is visible to spammers by typing it into a web search engine. If your e-mail address is posted to any websites or newsgroups, remove it if possible to help reduce how much spam you receive.

3. Disable in-line images, or do not open spam messages. Frequently spam messages include "web beacons" enabling the spammer to determine how many, or which e-mail addresses have received and opened the message. Most current e-mail programs disable in-line images by default to prevent this from occurring.

4. Do not click on the links in spam messages, including unsubscribe links. These frequently contain a code that identifies the email address of the recipient, and can confirm the spam has been delivered and that you responded.

5. When unsubscribing from email, the main rule to follow is: if you didn’t originally opt-in to receive it, or if you don’t recognize the sender/company sending the email, then don’t unsubscribe. Trying to unsubscribe from one email can start a flood of mail from other sources, so if you are unsure, it is best not to unsubscribe and block the mail another way. When unsubscribing from mail always check that the links in the email go to the correct company website and not a phishing site.

6. When filling in web forms, check the site’s privacy policy to ensure it will not be sold or passed on to other companies. There may be a checkbox to opt out of third party mailings.

7. Do not respond to email requests to validate or confirm any of your account details. Your bank, credit card company etc. already have your account details, and would not need you to validate them. If you are unsure if a request for personal information from a company is legitimate, contact the company directly or type the website URL directly into your browser. Do not click on the links in the email, as they may be fake links to phishing Web sites.

8. If you have an email address that receives a large amount of spam, consider replacing it with a new address and informing your contacts of the new address. Once you are on lots of spammers’ mailing lists, it is likely that the address will receive more and more spam.

9. Set up two email addresses, one for personal email to friends and colleagues, and use the other for subscribing to newsletters or posting on forums and other public locations. If you have a more complex email address, it is less likely to receive spam.
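Greylisting, mentioned above as one of the tricks for beating spam, works on the observation that a real mail server retries a temporarily rejected delivery while most spam bots fire once and move on. The following is an added illustration, not code from Message Partners or McAfee: a small in-memory greylisting policy in Python, keyed on the (client network, envelope sender, recipient) triplet, run against constructed delivery attempts. The delay and expiry values are assumed, typical settings, and the choice to key on the sender's /24 rather than the exact IPv4 address (so that senders with a pool of outbound servers still get through) is a design assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunables: assumed values typical of greylisting deployments, not taken from the post.
GREYLIST_DELAY = timedelta(minutes=5)   # retries sooner than this are still deferred
TRIPLET_TTL = timedelta(hours=8)        # an unknown triplet is forgotten if never retried
WHITELIST_TTL = timedelta(days=36)      # an accepted triplet stays known this long


def network_key(client_ip):
    """Key on the sender's IPv4 /24 so that large senders with several outbound
    servers are not deferred forever (assumption of this example)."""
    return ".".join(client_ip.split(".")[:3])


@dataclass
class Greylist:
    """In-memory greylist keyed by (client network, envelope from, envelope to)."""
    pending: dict = field(default_factory=dict)  # triplet -> time of first attempt
    known: dict = field(default_factory=dict)    # triplet -> time of last accepted delivery

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return 'ACCEPT' or 'DEFER' (a 4xx temporary failure at the SMTP level)."""
        triplet = (network_key(client_ip), mail_from.lower(), rcpt_to.lower())

        last = self.known.get(triplet)
        if last is not None and now - last < WHITELIST_TTL:
            self.known[triplet] = now            # refresh the whitelist entry
            return "ACCEPT"

        first = self.pending.get(triplet)
        if first is None or now - first > TRIPLET_TTL:
            self.pending[triplet] = now          # first sighting (or a stale one): defer
            return "DEFER"
        if now - first < GREYLIST_DELAY:
            return "DEFER"                       # retried too quickly, keep deferring

        del self.pending[triplet]                # retried after the delay: accept and remember
        self.known[triplet] = now
        return "ACCEPT"


def run_scenario():
    """Constructed delivery attempts: a legitimate MTA that retries, and a bot that does not."""
    gl = Greylist()
    t0 = datetime(2007, 1, 20, 9, 0, 0)
    attempts = [
        (t0,                          "198.51.100.7", "alice@example.org", "bob@example.com"),  # real MTA, first try
        (t0 + timedelta(minutes=1),   "203.0.113.9",  "promo@example.net", "bob@example.com"),  # bot, never retries
        (t0 + timedelta(minutes=2),   "198.51.100.8", "alice@example.org", "bob@example.com"),  # same /24, too soon
        (t0 + timedelta(minutes=12),  "198.51.100.8", "alice@example.org", "bob@example.com"),  # retry after delay
        (t0 + timedelta(hours=2),     "198.51.100.7", "alice@example.org", "bob@example.com"),  # now whitelisted
    ]
    return [gl.check(ip, sender, rcpt, when) for when, ip, sender, rcpt in attempts]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The bot's single attempt is deferred and never completed, while the legitimate sender is accepted on its retry and then passes straight through. The cost is a delay on first contact from any new sender, which is why production deployments pair greylisting with a whitelist of known good relays.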
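Items 3 and 4 above describe the two mechanics behind "confirming" an address: a web beacon (a remote image fetched when the message is opened) and links that carry a code identifying the recipient. The following added example, not McAfee's code, parses a constructed HTML message in Python and reports both, which is the kind of check a mail gateway or client can run before deciding to block remote content. The list of query parameter names treated as tracking tokens is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed HTML mail body (not a real message): one tracking pixel, one harmless
# inline logo, and an unsubscribe link carrying a recipient-identifying token.
SAMPLE_HTML = """<html><body>
<p>Great offers inside!</p>
<img src="https://mail.example.net/open.gif?uid=a1b2c3&cid=9981" width="1" height="1" alt="">
<img src="cid:logo@example.net" width="200" height="60" alt="logo">
<p><a href="https://mail.example.net/unsub?uid=a1b2c3">unsubscribe</a></p>
</body></html>"""

# Query parameter names commonly used to identify a recipient (assumed list).
TRACKING_PARAMS = {"uid", "cid", "id", "email", "e", "token", "sub"}


def tracking_tokens(url):
    """Return the sorted query parameter names in `url` that look like recipient identifiers."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k.lower() in TRACKING_PARAMS)


class BeaconFinder(HTMLParser):
    """Collect remote images that behave like web beacons and links that carry tokens."""

    def __init__(self):
        super().__init__()
        self.beacons = []
        self.tokenized_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if not src.startswith(("http://", "https://")):
                return  # cid:/data: images are not fetched from a server, so not beacons
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            tokens = tracking_tokens(src)
            if tiny or tokens:
                self.beacons.append({"src": src, "tiny": tiny, "tokens": tokens})
        elif tag == "a":
            href = a.get("href") or ""
            tokens = tracking_tokens(href)
            if tokens:
                self.tokenized_links.append({"href": href, "tokens": tokens})


def analyze(html_text=SAMPLE_HTML):
    """Return {'beacons': [...], 'tokenized_links': [...]} for an HTML message body."""
    finder = BeaconFinder()
    finder.feed(html_text)
    return {"beacons": finder.beacons, "tokenized_links": finder.tokenized_links}


if __name__ == "__main__":
    report = analyze()
    print("beacons:", report["beacons"])
    print("tokenized links:", report["tokenized_links"])
```

A client that disables in-line images by default, as item 3 notes most now do, defeats the beacon regardless; the analysis is still useful to explain to a user why the unsubscribe link in a message they did not opt into should be left alone.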

Tags: Minimizing Spam, Stop Spam, McAfee

Posted by pschooff in McAfeeSpam | Permalink | Comments (0) | TrackBacks (0)

January 09, 2007
Critical Patches Issued for Excel, Outlook and Windows

In its first scheduled Patch Tuesday of 2007, Microsoft issued patches for 10 security flaws in Excel, Outlook and Windows. Three of the patches were deemed critical, in that the flaws would allow bot herders to take control of targeted computers and add them to the growing botnet problem, while a fourth patch was rated as important.

Security professionals are saying the most important update is MS07-004, which fixes a problem in the Vector Markup Language that could allow remote code execution if the user visits a malicious web page. This is considered crucial because it affects all versions of Internet Explorer, including the most recent release, IE 7.

The other critical and important patches, according to Microsoft and as reported by Search Security, are as follows:

MS07-002, which fixes five separate security flaws in Microsoft Excel, most of which are exploitable when the spreadsheet program parses certain files and processes malformed IMDATA, column and palette records. One of the flaws wasn't specified.

MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.

The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."

The fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.

Today's security update was only half the number expected by many, as Microsoft had said it would release 8 critical updates, but today only issued 4 of them. As a Microsoft spokesman explained, "There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in the Windows Media Player.

Tags: Microsoft, Patch Tuesday

Posted by pschooff in Patches | Permalink | Comments (0) | TrackBacks (0)

January 08, 2007
Microsoft Office Helping Spread Bot-Nets

The MS Office programs Excel, Outlook, PowerPoint, and Word are proving to be one of the main beachheads hackers use to gain control over computers and add to the growing bot-net problem. As reported by Brian Krebs on his Security Fix blog, an attack last month against a US-based public utility came as a PowerPoint document of heartwarming reflections intended for the holiday.

Apparently, this much-forwarded greeting, which had already been making the email forwarding rounds, was picked up by what is believed to be a China-based hacker syndicate. The greeting itself was left totally intact, but the file was embedded with malware that would give control over the machine to anyone who opened it. What's most worrying, the PowerPoint file was not flagged as malicious by the utility's anti-virus filter.

The attack is just another example of what is developing into one of the biggest problems for Microsoft. Microsoft patched a total of 41 critical vulnerabilities in Office products last year, accounting for 1/3 of all of Microsoft’s patches. Even more worrisome, none of the patches last year corrected three remaining vulnerabilities in Word, two of which Microsoft has noted hackers continue to actively exploit.

Therefore, this warning from Microsoft should be closely adhered to: "Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources."

On another MS note, Microsoft's unwillingness to acknowledge widespread weaknesses in its software, along with its continued adherence to a somewhat outmoded monthly patch schedule, had a measurable cost in 2006: Brian Krebs calculated that Internet Explorer was unsafe for 284 days last year, which means IE was only safe 22 percent of the time spent surfing the internet.

I guess that means you can surf the internet anytime you want, but you can only do it safely 22 percent of the time. That, then, is a computer catch-22.

Tags: Microsoft Office, Bot-net, PowerPoint

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 05, 2007
Update Adobe Reader Immediately!!!

Adobe has confirmed findings that their popular .pdf viewer has serious flaws. Users of Adobe Reader (aren't we all?) are advised to update their reader promptly.

"Adobe is aware of the recent cross-site scripting vulnerability in versions 7.0.8 and earlier of Adobe Reader and Adobe Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session," Adobe said in an emailed statement. "This is not a vulnerability in .pdf. Specifically, this issue could occur when a user clicks on a malicious link to a .pdf on the Web."

The latest version fixes the flaws. Adobe said it would release patches sometime next week to correct older versions.

This flagrant vulnerability was discovered by Stefano Di Paola and Giorgio Fedon, who warned that hackers could launch cross-site scripting attacks to do a variety of damage. Adobe Reader's dominance of the market adds considerable urgency for the need to get the message out.

According to researchers, the problem is how Adobe instructs the browser to handle .pdf files. Both Firefox and IE are especially vulnerable.

The flaws affect Adobe Reader 6.0.1 for Windows via Internet Explorer 6 and version 7.0.8 for Windows via Firefox 2.0.0.1. Other versions may also be affected. Though Adobe has fixed the security holes in version 8.0.0, experts worry that many users will be slow to upgrade, leaving themselves open to an easy attack. Adobe sought to raise awareness with its advisory yesterday.

Also, one should always be wary about opening up attachments from an unknown sender. The upgrade to Adobe Reader 8 can be found here.

Tags: Adobe Reader, Update

Posted by pschooff in Better Protection | Permalink | Comments (1) | TrackBacks (0)

January 04, 2007
Frightening New "Man-in-the-Middle" Phishing Scam

A frightening new type of phishing fraud, described recently by Brian Krebs, is being called the “Man-in-the-Middle” scam.

In this instance, an email arrived in an inbox that looked like it was from Amazon and warned that there had been some unauthorized activity on the recipient's account. Clicking the embedded link sends the browser through a secondary man-in-the-middle proxy site, which then forwards it directly to Amazon's actual site. This type of scam is actually easier to create than the old type of phishing scam because the scammer has no need to make a duplicate site. Functioning as a proxy, which is like having someone standing behind you and staring over your shoulder, the phisher is able to steal whatever data the user is conned into typing in.

While this scam does have its weaknesses, in that there is no attempt to disguise the fake proxy address with Amazon’s real one in the browser's address bar, its ease of creation and believability means we will be seeing much more of it.

As I wrote in a blog earlier, the simple fact is, any true security solution in the future simply has to perfect real time client and server authentication. Because once we get that, and it's infallible, I simply cannot conceive how phishing could continue to thrive.
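One side effect of the proxy design described above gives the targeted site something to look for: every victim's session arrives from the proxy's address, so a single client IP ends up logging into many unrelated accounts within minutes, often with a mix of browsers. The following is an added detection example in Python, not code from Brian Krebs or from any vendor; it runs over constructed authentication log lines in a hypothetical `key=value` format, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in a hypothetical format (not real data). 203.0.113.5 plays
# the relay: four different accounts authenticate through it within a few minutes.
SAMPLE_LOG = """\
2007-01-04T10:00:05Z src=198.51.100.23 user=alice ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.1" event=login_ok
2007-01-04T10:00:41Z src=203.0.113.5 user=bob ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" event=login_ok
2007-01-04T10:01:12Z src=203.0.113.5 user=carol ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.1" event=login_ok
2007-01-04T10:01:58Z src=203.0.113.5 user=dave ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" event=login_fail
2007-01-04T10:02:30Z src=203.0.113.5 user=dave ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" event=login_ok
2007-01-04T10:03:02Z src=203.0.113.5 user=erin ua="Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/419.3" event=login_ok
2007-01-04T10:04:47Z src=198.51.100.23 user=alice ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.1" event=login_ok
2007-01-04T11:30:00Z src=192.0.2.77 user=frank ua="Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5.0.9" event=login_ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) ua="(?P<ua>[^"]*)" event=(?P<event>\S+)$'
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_relay_candidates(events, window=timedelta(minutes=10), min_accounts=3):
    """Flag source IPs whose successful logins cover >= min_accounts distinct users
    inside any sliding `window`. Returns {src: {"accounts": [...], "user_agents": n}}
    with the largest account set seen for that source."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_ok":          # failed attempts are a different signal
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        best = set()
        best_uas = set()
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1                       # slide the window forward
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= min_accounts and len(users) > len(best):
                best = users
                best_uas = {e["ua"] for e in evs[lo:hi + 1]}
        if best:
            findings[src] = {"accounts": sorted(best), "user_agents": len(best_uas)}
    return findings


def detect(log_text=SAMPLE_LOG):
    return find_relay_candidates(parse(log_text))


if __name__ == "__main__":
    for src, info in detect().items():
        print(f"{src}: {len(info['accounts'])} accounts, {info['user_agents']} user agents -> {info}")
```

A corporate NAT gateway will also show many accounts behind one address, so treat a hit as a lead to investigate (the mix of user agents and the short time span help separate a relay from an office), not as proof on its own.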

Tags: Man-in-the-Middle Phishing, Client Authentication

Posted by pschooff in Phishing | Permalink | Comments (2) | TrackBacks (0)

January 03, 2007
Many Internet Consumers Don't Feel Safe

A recent study by Trend Micro about Internet Security found that 51% of Internet users did not believe their security software adequately protected them. This probably means that vendors aren’t effectively communicating with their customers just how secure their software actually makes them and, if there’s a breakdown, why it occurred.

The survey also found that consumers continued to engage in what Trend Micro called risky behavior, which they deemed shopping online with a credit card, online banking, and downloading free software. I'm glad that they didn't recommend shopping online with cash.

The survey also found that:

• 71% of Japanese respondents believed they have not been infected by malware in the last six months, yet only 24% of them were confident that their Internet security solution was effectively protecting them.
• In the US, 51% of respondents view the Internet as currently being "very safe", but that number drops dramatically to 32% when respondents were asked whether they think the Internet will be more or less safe in six months.
• Similarly, in Germany, 43% believe the Internet to be "very safe", but that number drops to 24% when asked about the safety of the Internet in six months.
• 67% of respondents in Japan admit to using freeware/shareware programs, compared with only 63% in Germany, 62% in France, 44% in the UK, and 43% in the US.

Basically, it is the job of the security vendor to communicate to their customers exactly how safe they are in language they understand. This survey will be compiled regularly, and will prove helpful in offering a window into consumers' continuing confidence (or lack thereof) in the Internet.

And if the confidence drops like many of those surveyed predicted it would, expect an industry shake-out as consumers begin to reassess their insecure relationships with their security solutions.

Tags: Internet Security Survey, Security Vendor, Consumer Confidence

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

January 02, 2007
Sudden Drop in Bot-Nets

I love statistics. I love looking at a bunch of numbers and statistics and trying to figure out the reasoning behind their fluctuations. Which brings me to the following statistic, unearthed by the folks at Shadowserver: on Christmas Day, Shadowserver recorded a sudden 20 percent drop in the number of bot-nets (from 500,000 to 400,000) they had been tracking.

At first this puzzled researchers, as they had no knowledge of any new bot-killer on the loose able to destroy large numbers of spam droids. Also, it certainly couldn’t be entirely explained by everyone taking their vacations over the holidays, as bot-nets are about the only things that don’t ever seem to take a break or need a vacation.

The explanation for the sudden drop is actually quite simple. The fact that many people got new computers for Christmas meant they shut down their old machines, thereby taking their infected computers off the bot-net. But in no way will this provide any lasting relief from bot-nets. It is only a matter of time before the new ones become infected.

Tags: botnets, Statistics

Posted by pschooff in Spam | Permalink | Comments (0) | TrackBacks (0)
