Saturday, January 14, 2006

Indian Call Center Workers Sell Customer Data For Pennies

British banks will not face any action over an alleged data breach in an Indian call center last year, the U.K.'s data protection watchdog has said.

In the breach, an undercover newspaper reporter was allegedly able to buy the bank account, credit card, passport and driving license details of 1,000 British bank customers for just 4.25 pounds ($7.50) each from a New Delhi call center worker who was said to have promised to supply confidential data from 200,000 accounts per month.

The Information Commissioner, the U.K.'s data protection agency, warned at the time that the banks could face prosecution for a criminal breach of the country's Data Protection Act.

But the IC said on Friday that it will not be taking action against any of the banks involved in the newspaper sting. Following an investigation, there was no evidence that any personal information was compromised, it said.

An IC official told Silicon.com: "We have no evidence to go on at the moment, and we are not in a position to take further action."

He said the investigation also found the security procedures at the Indian call center involved in the data leak to be "robust."

The City of London police force has said from the outset that it was unable to deal with the allegations because it has no jurisdiction outside of the U.K.

The Financial Services Authority, which oversees British banking, also showed little enthusiasm for an investigation, saying at the time: "Our concerns are whether adequate security controls were in place, but a determined fraudster is always going to get through."

Apple Adds Spyware To iTunes

A new version of Apple Computer's popular iTunes software is prompting complaints from privacy advocates for sending information about computer users' playlists back to Apple.

The new music software includes a "MiniStore" window, which provides recommended links to Apple's music download service when listeners click on songs in their personal playlist, including songs that haven't been purchased from the iTunes store.

To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found. Because iTunes users typically sign up for the music store with an e-mail address and a credit card number, the account ID number could in theory be linked to that information as well as a customer's purchase history.

Apple also warned about serious security flaws in QuickTime, saying that vulnerabilities in the media player put computers running Windows and Mac OS X at risk of being commandeered by an outsider. An attacker could exploit the flaws by tricking the user into opening a malicious file.
Apple released QuickTime 7.0.4 to address the vulnerabilities. The French Security Incident Response Team, a commercial security monitoring and research outfit, described the problems as "critical," its highest risk rating.

Meanwhile, Symantec released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software. In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.

Thursday, January 12, 2006

Apple Patches QuickTime Vulnerability

Apple has released version 7.0.4 of QuickTime to resolve several vulnerabilities that could be exploited to provoke denial of service or execute arbitrary code on affected systems.

The security problems are buffer overflows in the processing of graphic and multimedia files. An attacker could cause arbitrary code to be executed when a user views a specially crafted GIF, TIFF, TGA or QTIF image or a specially crafted multimedia file.
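The bug class behind these fixes is a length read from an untrusted image header and then used to copy data into a fixed-size buffer. The toy Targa (TGA) reader below is an added illustration, not Apple's code and not the specific defect patched in 7.0.4: the 18-byte TGA header layout is real, while the 32-byte image-ID buffer, the function names and the sample headers are constructed for the example. The vulnerable parser sits beside the checked one so the two missing checks (destination capacity, bytes actually present) are visible.

```c
/*
 * Added example: untrusted-length buffer overflow in an image-header parser,
 * vulnerable and hardened versions side by side. Toy TGA reader, not Apple's
 * code; the header layout is real, the 32-byte buffer and defect are
 * constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TGA_HEADER_LEN 18   /* fixed part of a Targa header */
#define ID_BUF_LEN     32   /* toy decoder's buffer; the header field allows 0..255 */

struct tga_image {
    uint8_t  id_len;          /* byte 0: number of image-ID bytes that follow the header */
    uint8_t  image_type;      /* byte 2: 2 = uncompressed true-colour */
    uint16_t width, height;   /* bytes 12-15, little-endian */
    char     image_id[ID_BUF_LEN];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable: id_len is taken straight from the file. A value of 32..255
 * overruns image_id; a value larger than the bytes supplied also reads
 * past the end of the input buffer. */
int tga_parse_vulnerable(const uint8_t *buf, size_t len, struct tga_image *out)
{
    if (len < TGA_HEADER_LEN) return -1;
    out->id_len     = buf[0];
    out->image_type = buf[2];
    out->width      = le16(buf + 12);
    out->height     = le16(buf + 14);
    memcpy(out->image_id, buf + TGA_HEADER_LEN, out->id_len);   /* no bound check */
    out->image_id[out->id_len] = '\0';                          /* may write index 255 */
    return 0;
}

/* Hardened: the attacker-controlled length is checked against the
 * destination size and against the bytes really present before any copy. */
int tga_parse_hardened(const uint8_t *buf, size_t len, struct tga_image *out)
{
    if (buf == NULL || out == NULL || len < TGA_HEADER_LEN) return -1;
    uint8_t id_len = buf[0];
    if (id_len >= ID_BUF_LEN)                  return -2;  /* would not fit, NUL included */
    if ((size_t)id_len > len - TGA_HEADER_LEN) return -3;  /* header promises more than the file holds */
    out->id_len     = id_len;
    out->image_type = buf[2];
    out->width      = le16(buf + 12);
    out->height     = le16(buf + 14);
    memcpy(out->image_id, buf + TGA_HEADER_LEN, id_len);
    out->image_id[id_len] = '\0';
    return 0;
}

/* Build a constructed 320x240 header claiming id_len ID bytes, with
 * `present` bytes actually following, and run the hardened parser. */
int try_hardened(uint8_t id_len, size_t present)
{
    uint8_t file[TGA_HEADER_LEN + 255] = {0};
    struct tga_image img;
    if (present > 255) return -99;
    file[0] = id_len; file[2] = 2;
    file[12] = 0x40; file[13] = 0x01;   /* width 320 */
    file[14] = 0xF0; file[15] = 0x00;   /* height 240 */
    memset(file + TGA_HEADER_LEN, 'A', present);
    return tga_parse_hardened(file, TGA_HEADER_LEN + present, &img);
}

/* Benign input through the vulnerable parser: both parsers agree on
 * well-formed files, which is why this class survives ordinary testing. */
int try_vulnerable_benign(void)
{
    uint8_t file[TGA_HEADER_LEN + 8] = {0};
    struct tga_image img;
    file[0] = 8; file[2] = 2; file[12] = 0x40; file[13] = 0x01; file[14] = 0xF0;
    memset(file + TGA_HEADER_LEN, 'B', 8);
    if (tga_parse_vulnerable(file, sizeof file, &img) != 0) return -1;
    return (img.width == 320 && img.height == 240 && img.id_len == 8) ? 0 : -1;
}

int main(void)
{
    printf("valid (8 ID bytes, 8 present):    %d\n", try_hardened(8, 8));
    printf("oversize (200 claimed, 200 there): %d\n", try_hardened(200, 200));
    printf("truncated (20 claimed, 5 there):   %d\n", try_hardened(20, 5));
    printf("vulnerable parser, benign input:   %d\n", try_vulnerable_benign());
    return 0;
}
```

Note that the hardened version rejects the file before touching the destination; a check placed after the copy, or one that compares only against the buffer size and not against the input length, still leaves an out-of-bounds read.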

Users of QuickTime on Windows 2000, Windows XP and Mac OS X (version 10.3.9 and later) are advised to install the update provided by Apple, which can be downloaded from: http://www.apple.com/quicktime/download/standalone.html

More information about the vulnerabilities and the update are available in the Apple advisory at: http://docs.info.apple.com/article.html?artnum=303101

Wednesday, January 11, 2006

Windows XP and Microsoft Office Patches Released

Microsoft has published two security bulletins, MS06-002 and MS06-003, reporting the availability of updates to resolve several vulnerabilities in Windows, Office and Exchange Server.

Bulletin MS06-002 describes an update resolving a vulnerability that allows remote code execution in Windows because of the way it handles malformed embedded Web fonts. This security problem affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME.

More information at: http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx

Bulletin MS06-003 refers to a remote code execution vulnerability in Microsoft Outlook and Microsoft Exchange Server because of the way they decode TNEF (Transport Neutral Encapsulation Format) MIME attachments. This could allow an attacker to take complete control of the system. It affects Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server.

More information at: http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx

In addition, Microsoft published bulletin MS06-001 last Thursday, which refers to an update to resolve a problem in the processing of certain graphic files.

This bulletin is available at: http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

iTunes Security Vulnerability Uncovered

eEye Digital Security®, the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced the discovery of four critical security vulnerabilities related to Apple Computer® and the company's QuickTime® software, as well as the download application for its iTunes® music store.

These flaws have the potential to inflict serious damage, as they allow an attacker to take complete control of an affected system and perform harmful actions remotely, including installing programs and viewing, changing or deleting data.

Enterprise networks are particularly vulnerable and organizations should take immediate action to identify affected machines, as the likelihood that the immensely popular QuickTime and iTunes applications are installed on their network is extremely high.

To give an indication of the scope of this issue, the iTunes music download service has distributed 850 million songs since its introduction and is often used in conjunction with the equally popular iPod® personal music system, of which 42 million have been sold since the device's inception.

"Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that.' Those IT departments would be mistaken," said Marc Maiffret, eEye's co-founder and chief hacking officer.

"There are few people that have not seen a co-worker with an iPod wandering the halls of their organization, and those iPods probably mean iTunes is on your network. These flaws highlight the need for rigorous security policies and their enforcement via network security scanning and comprehensive endpoint security that will allow enterprises to mitigate this growing threat."

eEye strongly recommends that IT departments implement tools to enforce security policies that properly manage the installation of potentially vulnerable applications such as iTunes and QuickTime.

Those organizations that are utilizing eEye's Retina® Network Security Scanner can immediately scan for affected systems running these applications. Organizations that have deployed the Blink® Endpoint Intrusion Prevention System have been protected against these vulnerabilities since their discovery several months ago and can postpone patching to regularly scheduled maintenance cycles.

Because Blink does not rely on signatures, unlike anti-virus or behavior-based solutions, current Blink customers aren't required to do anything to be protected from this flaw; no updates or policy changes are required. For those interested in protecting corporate systems with Blink, an evaluation version is available for download on eEye's website: http://www.eEye.com/Blink.

Although these security flaws were initially found in the QuickTime application, because the popular iTunes application is so closely integrated with QuickTime, all of these security issues are also exploitable via the iTunes software.

All systems running Windows 2000, Windows XP and Apple Mac OS X are vulnerable to these issues. Apple has released a solution to these issues in the form of a new version of the QuickTime player software -- QuickTime 7.0.4. Additional information on all of the security flaws announced by Apple yesterday can be found here: www.eEye.com/html/research.

Tuesday, January 10, 2006

Microsoft Warns of Critical Security Flaws

Microsoft Corp. on Tuesday warned users of its Windows operating system of two "critical" security flaws in its software that could allow attackers to take complete control of a computer.

The world's largest software maker issued patches to fix the problems as part of its monthly security bulletin. The problem mainly affects the Windows operating system.

The warning came after the company last week made a patch available earlier than expected to fix a different critical flaw in the Windows operating system.

"People should always be vigilant about not opening unexpected attachments or following links to Web sites that arrive via e-mail or instant messages," said Oliver Friedrichs, a senior manager at Symantec Corp.

"Increasingly, criminals are delivering crimeware -- such as bots, Trojans, and spyware onto unsuspecting users' computers through spammed messages."

Computer security experts and Microsoft urged users to download and install the patch available at www.microsoft.com/security.

Microsoft defines a flaw as "critical" when the vulnerability could allow a damaging Internet worm to replicate without the user doing anything to the machine.

For more than three years, Microsoft has been working to improve the security and reliability of its software as more and more malicious software targets weaknesses in Windows and other Microsoft software.

More than 90 percent of the world's personal computers run on the Windows operating system.

PC Vulnerabilities Increase in 2005

The Computer Emergency Response Team/Coordination Center (CERT/CC) has released statistics on the vulnerabilities reported to it since 1995 and on the vulnerability notes and other documents it has published since then.

The data, available at http://www.cert.org/stats/cert_stats.html, shows a significant increase in the number of security problems registered last year.

According to CERT/CC, in 2005, 5,990 vulnerabilities were reported compared to 3,780 in 2004.

What's more, last year it published 285 vulnerability notes and handled 624,634 email messages. It also published 104 National Cyber Alert System documents.

In total, from 1995 to 2005, CERT/CC recorded 25,590 vulnerabilities.

Since last year, the advisories, incident notes and summaries published by CERT/CC are incorporated in National Cyber Alert System documents.

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:

1) Sober.AH
2) Metafile
3) Paytime.D
4) Sober.AH
5) Netsky.P

Monday, January 09, 2006

Your IM Buddy, Or A Hacker? It's Getting Harder To Tell

Just before New Year's, some Europeans received a link from the buddy list in their MSN Instant Messenger software to a purported funny Christmas picture. The joke was on them. Clicking on the link let in a worm that exploited the recent Windows Meta File vulnerability, giving hackers access to their PCs.

That's just one example--out of a few thousand--of how hackers used IM to attack computers in the past year. Instant-messaging security vendors FaceTime Communications Inc. and IMlogic Inc. reported last week that malware delivered over instant-message clients has skyrocketed in recent months.

FaceTime cites a more than 20-fold increase in the number of reported IM worm and virus variants since 2004. And in a sign that larger security companies are taking IM threats seriously, Symantec Corp. said last week that it will acquire IMlogic for an undisclosed sum.

In addition to FaceTime and IMlogic, vendors such as Akonix Systems Inc. and MessageLabs Ltd. offer software and hardware to manage enterprise instant messaging and protect networks from attack. According to the Radicati Group, 85% of businesses of all sizes say instant messaging is taking place on their networks.

And, as Gartner analyst Andrew Jacquith puts it, "There's always going to be some dope who clicks on a message, no matter how robotic or obviously fake it looks."

IM client software is pervasive within businesses and can serve as a powerful business tool, so companies should have a plan for dealing with it. Education is key, but so is proper management.
Energy brokerage firm Amerex Energy tracks about 150 IM users in its Houston corporate offices. It bought IMlogic's IM Manager to archive chats when brokers started closing deals via instant messages, but CIO Brian Trudeau says it also offers security. "It gives us the capability to control IMs a little bit more," he says. Using IM Manager, Amerex blocks all file uploads to IM clients and can specify who uses instant messaging and when.

Just Like E-Mail Attacks
IM attacks usually look and feel like E-mail attacks: They try to get targeted users to either download an infected file or click on a link that sends them to a Web site where they'll be infected with a virus. "A lot of the things that you thought about in the last decade about managing your E-mail can be applied to instant messaging," IMlogic CEO Francis DeSouza says.

Like the broader security-software community, vendors specializing in IM have antivirus capabilities and software that lets companies block downloads and blacklist certain Web sites and can log and archive all chats.

But IM attacks are getting more devious. Just last week, FaceTime found one on AOL Instant Messenger. The company quickly contacted AOL, as well as Microsoft and Yahoo, since many attacks are cross-platform.

Tens of thousands of AOL client machines were unknowingly infected with BitTorrent, a peer-to-peer downloading program often used to download copyrighted material. With this installed, hackers could upload a movie to a victim's hard drive and use the PC as a vehicle for sharing the content with others.

Virus attacks are getting more complex, too, moving away from the simple social engineering that might spur someone to send money to a Nigerian "prince" or click the link for a picture of Osama bin Laden.

Late last month, security vendors started seeing malicious code that went beyond a link or file and created automated responses to victim's queries. So a victim might ask his IM "buddy" if the file was safe, and the malicious bot would respond that it was.

IMlogic discovered a bot that responded six different ways, depending on the question a victim asked.

No attack has hit millions of users--yet. But since people often read and respond to IMs more quickly than E-mail, a virus could broadside a company in a matter of minutes.

IM Worm Makes New Use Of Old Techniques

The Sober virus was not the only worm to make its run on Friday. FaceTime Communications reported the discovery of a new worm transmitted via instant messaging.

The new worm targets PCs that have been infected with the lockx.exe or palsp.exe viruses and uses Internet Relay Chat-enabled malware to connect the host to a server for further infection through a series of commands.

One of those commands has the ability to control the AIM client on the infected PC and send a message containing links to the host's buddy list. When recipients click on the link, they become infected with new variants of the IRC-enabled malware along with an installation of "creame.exe," which delivers multiple adware payloads.

This type of new worm illustrates the need for companies to have a solution in place that specifically protects IM applications, said Brian Moody, vice president of sales and development for solution provider Computer Media Technologies, San Jose, Calif. The big problem is that traditional antivirus software will not scan for these types of worms, Moody said.

"The issue to safeguard from this has been to disallow the use of IM, but IM can be an incredible productivity tool," Moody said.

Incorporating security applications in existing antispyware and antivirus programs that deal specifically with IM applications is something that customers are demanding, Moody said, and it validates Symantec’s recent acquisition of IMlogic.

The best way for users to protect themselves from this type of worm is to be careful about clicking on links within an IM, said Tyler Wells, senior director of research and development for FaceTime Communications, Foster City, Calif.

"The worm is relatively simple, but it works well because of the speed of IM. Companies need to take a proactive approach and bring in a solution that deals with these types of attacks," Wells said.

Sunday, January 08, 2006

Patched Windows Bug Will Be Danger For Months (InformationWeek, January 6, 2006)

Although Microsoft pushed out a patch early to fix a major bug and even recommended that enterprises deploy it immediately, the underlying vulnerability will continue to haunt Windows users for the next six to eight months, a security professional said Friday.

Thursday, Microsoft released an out-of-cycle patch for the 10-day-old Windows Metafile flaw, admitting it did so to placate customers who were demanding an early fix.
"When I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes," wrote Mike Nash, vice president for security business, on the Microsoft Security Response Center (MSRC) blog late Thursday.

Nash went on to recommend that enterprises roll out the fix as soon as they're able.

"You should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. If it were my decision, I would move up [your] schedule. That is what we are doing in our IT operation here at Microsoft," he wrote.

"Absolutely that's the right advice," seconded Mike Murray, director of research at vulnerability management vendor nCircle. "The sooner you get everyone patched the better you are. The current exploits don't include an automated worm, but for threats that require some user interaction, this is as bad as it gets."

Exploits leveraging the WMF vulnerability now number in the hundreds, security firms allege, with thousands of Web sites -- some of them legitimate, but hacked to silently deploy malicious code -- seeding these exploits.

"We viewed this an incredibly serious threat from the beginning," said Murray. "It's been actively exploited in the wild. This is the kind of blended threat people will use for months for phishing attacks and to collect bots."

Murray estimated that it will take six to eight months for enterprises to fully deploy the WMF vulnerability patch, a time during which attackers will continue to compromise computers.
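While the patch rolls out, a filter in the path of web or e-mail traffic can flag the file pattern these exploits rely on. MS06-001 concerns the WMF Escape record (function 0x0626) carrying the SETABORTPROC escape (0x0009), which GDI honoured and which let data inside the metafile be run as code. The scanner below is an added example, not from the article or from any vendor named in it: it walks a WMF record list and reports any such record, and also reports records whose size field runs past the end of the file, since hostile files are frequently malformed as well. The header and record layouts are those of the WMF format; the three sample files are constructed byte strings, and the "exploit" sample carries placeholder bytes rather than a real payload.

```c
/*
 * Added example: detector for the WMF Escape/SETABORTPROC record pattern
 * used by MS06-001 exploits. Not from the article or any vendor named in
 * it. Sample files below are constructed; the suspect one carries 'A's
 * where an exploit would carry code.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u  /* optional 22-byte Aldus placeable header */
#define WMF_PLACEABLE_LEN 22
#define WMF_HEADER_LEN    18           /* META_HEADER: type, size(9 words), version, ... */
#define META_EOF          0x0000
#define META_ESCAPE       0x0626
#define ESC_SETABORTPROC  0x0009

enum wmf_verdict { WMF_NOT_WMF = -1, WMF_CLEAN = 0, WMF_SUSPECT = 1, WMF_MALFORMED = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the record list. Every record starts with its size in 16-bit words
 * (4 bytes) and its function code (2 bytes). Escape records then carry the
 * escape code (2 bytes) and a byte count. *hits receives the number of
 * Escape/SETABORTPROC records seen. */
int wmf_scan(const uint8_t *buf, size_t len, size_t *hits)
{
    size_t off = 0;
    *hits = 0;
    if (len >= 4 && rd32(buf) == WMF_PLACEABLE_KEY) off = WMF_PLACEABLE_LEN;
    if (len < off + WMF_HEADER_LEN) return WMF_NOT_WMF;
    uint16_t type = rd16(buf + off), hsize = rd16(buf + off + 2);
    if ((type != 1 && type != 2) || hsize != 9) return WMF_NOT_WMF;
    off += WMF_HEADER_LEN;

    while (off + 6 <= len) {
        uint32_t words = rd32(buf + off);
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3) return *hits ? WMF_SUSPECT : WMF_MALFORMED;   /* cannot cover its own header */
        size_t bytes = (size_t)words * 2;
        if (bytes > len - off) return *hits ? WMF_SUSPECT : WMF_MALFORMED; /* runs past end of file */
        if (func == META_EOF) return *hits ? WMF_SUSPECT : WMF_CLEAN;
        if (func == META_ESCAPE && words >= 4 && rd16(buf + off + 6) == ESC_SETABORTPROC)
            (*hits)++;
        off += bytes;
    }
    return *hits ? WMF_SUSPECT : WMF_MALFORMED;   /* data ended without META_EOF */
}

int wmf_verdict(const uint8_t *buf, size_t len)
{
    size_t hits;
    return wmf_scan(buf, len, &hits);
}

size_t wmf_count_setabortproc(const uint8_t *buf, size_t len)
{
    size_t hits;
    wmf_scan(buf, len, &hits);
    return hits;
}

/* Constructed sample: header, one META_SETMAPMODE record, META_EOF. */
const uint8_t sample_clean[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,          /* SETMAPMODE, 4 words */
    0x03,0x00,0x00,0x00, 0x00,0x00                      /* EOF */
};
/* Constructed sample: header, Escape(SETABORTPROC) with 4 placeholder bytes, EOF. */
const uint8_t sample_setabortproc[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00, 0x07,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x41,0x41,0x41,0x41,
    0x03,0x00,0x00,0x00, 0x00,0x00
};
/* Constructed sample: header, then a record claiming 0x1000 words in 6 bytes. */
const uint8_t sample_truncated[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0C,0x00,0x00,0x00, 0x00,0x00, 0x00,0x10,0x00,0x00, 0x00,0x00,
    0x00,0x10,0x00,0x00, 0x26,0x06
};

int main(void)
{
    printf("clean:        %d\n", wmf_verdict(sample_clean, sizeof sample_clean));
    printf("setabortproc: %d (hits=%zu)\n", wmf_verdict(sample_setabortproc, sizeof sample_setabortproc),
           wmf_count_setabortproc(sample_setabortproc, sizeof sample_setabortproc));
    printf("truncated:    %d\n", wmf_verdict(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

In a gateway the verdict should be applied to any file whose content starts like a WMF, not only to files named .wmf: the exploits of this period were served under image extensions such as .jpg, and GDI dispatched on content rather than on the name.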

Computer security: We're part of problem

Greed may be behind the nation's breaches in computer security, but companies offering products consumers don't need and the public's willingness to accept them have not helped, according to an expert on the subject.

Eugene Spafford, a professor of computer sciences at Purdue University, told those attending Thursday's installment of the January Series at Calvin College that you are almost on your own when it comes to protecting personal information transmitted through computers. As executive director of Purdue's Center for Education and Research in Information Assurance and Security, Spafford has counseled two presidents, the National Security Agency and the FBI on computer security matters.

"Most of our problems are things that wouldn't be there if students had paid attention during introductory courses, but they are there," Spafford said, adding an estimated $100 billion yearly is lost worldwide because of computer-related crime.

Among the leading causes are computer manufacturers and software designers continually offering more powerful systems than the average user needs, and programs that create vulnerabilities with continued updates.
The other problem, of course, is the public accepts the current trend, Spafford said.
"Your average home system has speed and connectivity far beyond what is necessary," Spafford said. "That leaves a lot of room, most of which is used for spyware, viruses and worms.
"We have developed a culture of patching where we are used to repeated, temporary fixes. There are few other products where we accept this rather abysmal performance, and we treat it as a matter of course."
The most important preventative medicine is using some common sense and keeping security software and firewalls updated. But that can be tricky in a world where two new worms or viruses are created every hour of every day, Spafford said.

"That means your anti-virus software has to be updated about every 20 minutes," Spafford said. "If someone walked up to you on the street and said, 'I'm with your bank. There's a problem with your account. Please fill out this 3-by-5 card with all of your personal information,' I doubt you'd do it, but that's what they're doing online."

And according to Spafford, don't wait for the government to come to the rescue anytime soon.
He said the Department of Homeland Security, long touted as a white knight in the fight against computer crime, is spending less than 1 percent, or about $16 million of its $1.3 billion budget, on the issue.

"The Department of Homeland Security is spending more making sure you don't carry a pair of nail clippers on a plane than they are on cyber security," Spafford said. "Which do you think is more dangerous?"