Another interesting trend in the report is the drop of infected emails - only one infected email in over 2500 compared to one in 909 in 2007. This coincides with the increase in infected websites where one infected webpage is discovered and blocked every 5 sec in 2008 compared with 14 sec in 2007.

Download the report here if you're interested.

This warning comes to us from Sunbelt Software, whose CFO received one of the scam emails. The emails are realistic, carrying a certain believability. A screensaver file disguised as a tax refund PDF file (tax_refund_scr) is attached to the email. When the user clicked, a PDF file seems to appear but unknown to the user, malware is also downloaded to steal financial and confidential data.

Check it out here at the Sunbelt Software Blog.

Bob, TSA employee since 2002, explains this on the Evolution of Security blog.

First up, Facebook. It recently acknowledge that a new functional capability called Beacon continues to track user activity long after users have logged off the site and even when users have elected to not display their activities to Facebook friends. Beacon is part of the Facebook Ads platform that tracks user acitivities on Facebook partner sites like Blockbuster and reports those activities to the "friends" of the Facebook account. Account holders may choose to not have those activities reported but it appears that even in that case, the activities are tracked and stored in some Facebook database. As you can imagine, privacy advocates are up in arms. You can read more about this case, if you're interested.

You can assume that these privacy issues will not go away and will continue to plaque Facebook and other social networks. Sometimes, problems are less about guarding privacy but rather the abuse of trust within the social network. Here's a chilling story about how a MySpace teen took her own life because of a cruel prank perpetrated by adult neighbors.

Perhaps the issue is that both the guarding of privacy and the protection of social network subscribers may be at odds with each other. To some extent, that's how it works in real life...we yield some privacy to trusted authorities - banks, hospitals, law enforcement, the state...to gain protective services of some kind or another.

However, striking this balance works in the cyberworld may not be so easy.

There are a few interesting implications of this phishing attack, none of which pertain specifically to what Salesforce should or could have done.

Implication #1 - this kind of targeted phishing or "spear phishing" is difficult to monitor and eliminate. When a specific target is singled out, the attack tends to proceed undetected for a while before it becomes evident. No specific remedies or signatures are available to address them.

Implication #2 - until now, most highly phishing attacks have been targeted at financial institutions and consumers. Relatively recent examples include the Bank of America "change of email" scam and ADP.
Not surprisingly, SaaS providers may now be next on the list. Although, the value of the information to scammers may not be apparent, it is likely that phishing attacks against SaaS applications that hold identity and proprietary info will be on the rise.

Implication #3 - phishing is only the starting point for the attack. In the Salesforce incident, it was uncovered that some of the customers who were effectively phished, also had keyloggers and other malware downloaded onto their machines. From the Salesforce letter sent to customers -

"...As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not--they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher... However, a few days ago a new wave of phishing attempts that included attached malware--software that secretly installs viruses or key loggers--appeared and seemed to be targeted at a broader group of customers."

Not a lot of good news there. The point is that in this new Web 2.0, Saas enabled world, there is a Long Tail to this phishing problem...targeted, sophisticated attacks cannot be tackled by simply preaching "security awareness". Nor it is enough to use signature based phishing detection techniques. We need a different approach.

In a special Internet announcement in Arabic, picked up DEBKAfile’s counter-terror sources, Osama bin Laden’s followers announced Monday, Oct. 29, the launching of Electronic Jihad. On Sunday, Nov. 11, al Qaeda’s electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites. On Day One, they will test their skills against 15 targeted sites expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.

Can you say - "bring it on"? Nah... I don't know if this is legit but either way, I don't anticipate it'll actually register with anyone.

If you're interested, read the entire Debka.com report here.

(HT: Bruce Schneier)

1. Yahoo! Messenger 8.1.0.239 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 2.0.0.6
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition 9 and earlier
8. Sun Java Runtime 1.6.0_X
9. Yahoo! Widgets 4.0.5 and previous
10. Ask.com Toolbar 4.0.2.53 and previous

Among the qualifying criteria is that it must be able to run on Microsoft Windows platform and be a well known consumer application, downloaded by individuals.

It's interesting to note that Yahoo (Messenger, Widgets) and Apple (Quicktime, iTunes) related software each appears twice while Microsoft, with its extensive scope and distribution of software is only represented by MSN Messenger. Go figure.

Although the patch was issued on Monday, problems persist in the wild, since many users don't remember to update their Adobe reader software regularly (guilty as charged!). Symantec has identified the threat as Trojan.Pidief.A. The rogue PDF document is attached to spammed e-mail, and arrives with a filename such as YOUR_BILL.pdf or INVOICE.pdf, said Symantec.

Here are few suggestions by Symantec to protect yourself

- Apply the Adobe issued patches
- Block the delivery of PDF files in email.
- Issue advisory to employees to avoid reading or executing PDF files from unknown or untrusted sources.
- Block access to the network and IP address involved in this attack.

Apparently, hackers have cracked Ann Coulter's website and posted a fake message offering apologies for her recent comments and announcing her retirement as media talking head. Here's the fake message -

An Open Letter to Readers by Ann Coulter October 15, 2007

Dear Readers,

I've been participating in a charade for nearly eleven years, now. Quite frankly, I'm sick of it. You have all been a part of a sick joke that I began considering shortly after first getting on the air. At first, it was quite interesting to see how people would react when I would use twisted logic and poorly masked bigotry.

But eleven years is a long time to be living a fake life, and I can no longer tolerate this falsity. Even someone as fake as I tires out eventually.

Here's the truth, I don't care what people believe. Jews don't need to be "made perfect" as I so arrogantly proclaimed to Editor & Publisher not a half week ago. I don't even care if people are Muslim. Granted, I don't know much about the religion or the people, but they are people. This is something that we cannot forget, they are in an abhorrent situation. These people are in need of education. Perhaps if we did not participate in causing them misery, they would not hate us so.

In fact, does it really matter whether we are Christian, Jewish, Muslim, Atheist, or even Pagan? We are one nation. One. We should not let petty differences separate us, we are all American, and should act in that manner.

And with that, my precious viewers, I bid you adieu. My career as a media figurehead is over.

Signed,

Ann Coulter

P.S. - Oh, and Bill O'Reilly is also just acting.

[From the hackers:] Haha, did it again. Oh, those silly web admins...they just embarrass themselves.

(Admins, check for an e-mail address in the CMS. Find it. I know you will.)

It's tough being a celebrity these days. Never mind the paparazzi, now hackers are out to get you.

Social networking sites pose yet another security issue for security managers today, courtesy of the Web 2.0 model. While some of these social networking sites like Linkedin have distinct business applicability and value, other sites clearly emphasize the purely “social” part of the equation.

Should security or IT managers even be concerned about whether employees are accessing these sites? Here are couple of things to consider -

1. Social networking sites are increasingly targets for new exploits, especially cross-site scripting attacks. Like many Web 2.0 sites, social networking apps are ripe for client side attacks. For instance, in November,2006, a MySpace targeted CSS exploit replaced the navigation menu, enabling an attacker to redirect the user to a spoofed web page.

2. Social networking sites can be a platform to launch attacks. Because social networking sites drive traffic, it can be an effective launch point for various attacks targeting other platforms or components. Over a year ago, an online banner advertisement running on MySpace used a Windows security flaw to infect more than a million users with spyware related to Windows Meta Files.

3. Social networking sites can lead to compromise of privacy or proprietary information. What you do on a site is information that social networking apps control and could expose. Case in point - last year, Facebook added a feature called News Feeds that exposed privacy and behavioral information about account users...without their explicit consent. The outrage from its users were expected and the problem was addressed but it's a clear lesson to all users.

4. Social networking sites may be costing businesses millions of $$$ in employee productivity. According to recent studies, due to the result of social networking's overwheming popularity, many of these sites are becoming a source of loss productivity as employees spend time visiting these sites during work hours. As reported in this article, a study commissioned by a UK law firm noted that Facebook is costing British firms 130 million pounds ($264M) in lost productivity every single day.

Should companies be blocking social networking sites as a matter of practice? Perhaps not. But there's certainly ample reason to be concerned from a security perspective.

Examples? Instant messaging, Skype are just two peer-to-peer (P2P) technologies that have found traction in the consumer world but are increasingly used in the corporate environment. More apps/tools are being used everyday without the awareness, much less consent of security managers. The reality is that most security organizations have little to no ability to limit or monitor its use and sometimes the implications to security can be staggering. For instance, P2P file sharing tools like LimeWire and BearShare have been implicated in a number of highly publicized security breaches where proprietary and privacy data has been compromised.

Needless to say, ignoring this web 2.0 problem won’t make it go away. If anything, the notion of unregulated, unmonitored deployment of web 2.0 apps will only increase and so will the security issues surrounding its use.

Next post, how corporations deal with social networking sites...

According to this article, three spreadsheets with social security numbers of over 5000 customers have been iinadvertantly leaked by a former employee of the ABN AMRO Mortgage Group. The problem was traced to the use of a peer to peer (P2P) file sharing tool called BearShare. Here's an excerpt from the article explaining what happened -

Tiversa Inc., a Pittsburgh company that offers data-leakage protection services, traced the origins of the ABN data to a Florida computer with the BearShare software installed..With such peer-to-peer sharing systems, files are obtained directly from another user's hard drive rather than a central hub like traditional Web sites. As a result, once a file begins to circulate, copies can sit on computers all over the world, ready to be grabbed by other users.

Although this data compromise was unintentional, P2P tools are increasingly becoming the weapon of choice in the arsenal of identity thieves. Most companies are clueless about this threat...and unfortunately, some of these companies hold our privacy data

Independent Security Evaluators, a security consulting group headed up by security expert Avi Rubin, reported on a number of iPhone vulnerabilities. Among the more serious vulnerabilities that can be exploited may result in the following -

- Exploit may redirect placed phone calls to phone numbers designated by attacker.
- Continuous loop of call attempts. Turning off the phone is the only recourse
- Tracking of personal info including calls placed by user.
- Preventing phone from dialing out.

You can read the full report here.

The commercials say "it's not just a version of the Internet...it's the Internet". Well, now we know it comes with vulnerabilities as well...just like the Internet experience we know and love.

SPI Dynamics has been at the helm of web application security lifecycle tools for quite a while, carving out a leadership position in this niche. Their products focus on detecting vulnerabilities and assessing security of web applications from development to deployment.

This acquisition could signal an interest in market for application security assessment tools vendors . Other smaller, less established players like Fortify are still out there to be had.

Staples is starting a program to recycle old computer equipment. It's relatively inexpensive ($10/item) and it's an expansion of their existing recycling program for cell phones. Here's the press release.

Just before you jump in your car and head over to your local Staples with your old laptop circa 1998, just remember a couple of things. First, check to see if your local Staples offers this service because it's not rolled out nationwide. Secong, remember to boot up the machine and wipe your hard drive. If you don't do that, you just might expose proprietary or personal information, that you'd prefer to keep private.