Web Security - Laptop Security Blog

Virtual Criminology Report Indicates Fear Tactics

Earlier in December, McAfee released their 4th annual Virtual Criminology Report, which outlines trends in global cybercrime. The report indicated that cybercriminals quickly shifted tactics to take advantage of emotional “hot ticket” items such as the economic recession. Botnets alone are capable of sending 100 billion spam messages per day, an infrastructure that is making it easier and more lucrative for cyber criminals to stay hidden.

Banking scams emerged soon after banks started to struggle at the start of the recession. Cybercriminals take advantage of the resulting fear and uncertainty by, for example, asking users to “update account information” before their bank merges. Targeted scams emerge as early as a day after news breaks, as they also did during the presidential race this year. In addition to a shift in tactics, the report indicates that criminals are becoming more aggressive:

“With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.”

Analysts say these trends show that cybercriminals are getting faster and smarter than ever before. Scammers are also tapping into the fear caused by the economic downturn: there has been an increase in scams that lure people into “internet sales” jobs that end up assisting cybercriminals in activities such as money laundering. Some examples of recent scams of this sort can be found on the Avert Labs blog.

As with all security problems, for both consumers and corporate environments, the solution comes from combining education with technology:

“Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.”

In addition to these measures, the report strongly encourages governments to step up in fighting cybercrime. Law enforcement at every level has been ad hoc and incapable of coping with cybercrime, and difficulties in cross-border law enforcement make the problem worse.

Download the McAfee Virtual Criminology Report here. And, along similar lines, the Anti-Phishing Working Group has published their quarterly report, indicating that the use of malware on websites to steal passwords and other sensitive information is at an all-time high.

The FBI is also reminding people to be aware of holiday-themed scams criminals are using to steal personal information and/or money. Be aware of greeting e-card scams, spoofing and phishing scams. They remind you not to respond to unsolicited email, not to click on links or attached files, to keep private information to yourself, and to verify with the business the email is supposedly from, just in case.

Sophos Security Threat Report 2009

Sophos has published its Security Threat Report 2009 [PDF], which examines the threat landscape from the last 12 months and tries to predict emerging cybercrime trends for 2009.

As the third-quarter Sophos report indicated earlier, the U.S. led the way in malware. More malware was hosted on U.S. websites (37%), and more spam was relayed from U.S. computers (17.5%), than in any other country. When one U.S. company accused of collaborating with spammers and hackers was disconnected from the Internet in November 2008, spam went down by 75%.

“Not only is the USA relaying the most spam because too many of its computers have been compromised and are under the control of hackers, but it’s also carrying the most malicious webpages.” - Graham Cluley, senior technology consultant for Sophos

Graham goes on to say that U.S.-based computers are making a “disturbingly large contribution to the problems of viruses and spam” today. The report also indicated that most malicious code is now found on innocent websites, mainly because corporations have secured their email gateways to prevent attacks and spam (though one in every 714 email messages contains a malicious email attachment).

Highlights from the study:

  • Biggest malware threats – SQL injection attacks against websites and the rise of scareware
  • New web infections – 1 new infected webpage discovered every 4.5 seconds
  • Malicious email attachments – 5x more at the end of 2008 than at the beginning
  • Spam-related webpages – 1 new webpage discovered every 15 seconds
  • New scareware websites – 5 identified every day
  • Amount of business email that is spam – 97%

The report indicates that 2009 will see growing attacks on Mac computers and cross-platform software, as well as mobile devices such as the iPhone and Google Android. The report suspects that data leaking will be a larger concern in 2009, especially given the use of mobile technologies, from laptops to thumb drives to phones. As Sophos notes, the problems are not insurmountable:

“Sound security practices, up-to-date protection and an active commitment to keep informed can all help defend business networks in the year ahead.”

In other news, the Pentagon has banned the use of thumb drives because of a virus threat detected on defense networks. I was kind of hoping it was to prevent data breaches, but perhaps this will force the government to update their security policy to be more comprehensive of new data devices - be they thumb drives or iPhones.

Underground Economy Growing

Symantec released their Report on the Underground Economy in late November. The report indicates that while the financial markets may be struggling on nearly a global scale, the underground markets are thriving and becoming more self-dependent.

The study, which looks at the July 2007 - June 2008 timeframe, seeks to examine the black market used to advertise and traffic stolen information such as Social Security numbers, credit card information, bank account details and more. Even email addresses are valuable, since they can be used to create phishing campaigns for more valuable information. The underground economy is a global market, with an estimated value of total advertised wares (this stolen information being used to obtain goods, services or loans) being over $276 million.

Credit card information was being sold for anywhere between $0.10 and $25 per card, often in bulk packages. In addition to the buying and selling of stolen information, the economy also has people who buy and sell new exploits and scams. Sellers often post samples of the information they have for sale, with Symantec monitoring 44,752 unique samples of sensitive information.

The Top Samples of Information Posted:

There is evidence that profits made from the sale of this stolen information are now being re-invested to strengthen these cybercriminal operations: purchasing new exploits, hiring developers to create more exploits, expanding infrastructure, etc. Given its lucrative nature, the underground economy is growing and becoming more sophisticated. There is also evidence that attackers are sharing information to help each other’s work: another example of the organized nature of the underground economy.

Download the report here [PDF].

Via Security Watch

Data Doctor Recommends Computrace

Ken Colburn (aka the Data Doctor) was on CNN a couple of weeks ago to give some simple advice on protecting your sensitive information if your computer is stolen. The most common mistakes people make that put data at risk on lost laptops, according to Ken, are: not setting a password on the computer, auto-saving usernames and passwords, and leaving sensitive information unprotected by alternate passwords or encryption.

In the video, Ken goes on to recommend software that can help make your computer more secure and/or recover it. He recommends LoJack for Laptops / Computrace, as well as other programs listed here.

Thanks Ken for the great coverage!

Also in the news: Microsoft will stop selling its Windows Live OneCare consumer security service and will re-release it as a free download by the end of 2009. They hope this will mean less malware. Speaking of malware, a new trojan came up a couple days ago that can send both Mac & PC users, even with patched software, to impostor websites. Ouch!

White House Repeatedly Hacked

The Financial Times reports that Chinese hackers penetrated the White House computer network on multiple occasions, obtaining emails between government officials. In each incident, the cybercriminals were able to steal information before the White House security systems and professionals could patch the security holes.

The new insight comes on the heels of another report that the presidential campaigns of Barack Obama and John McCain were hacked over the summer. The FBI and Secret Service revealed to both Obama and McCain that large numbers of files related to policy positions had been stolen, information that may be useful in future negotiations with the U.S. administration. The hack came from a “foreign entity”, either Russian or Chinese.

Subsequent reports indicated that the attacks on the Obama and McCain systems came from China, and that other cyber attacks have been made on the White House from the same source. E-mail archives were attacked several times in recent months, a constant “cat and mouse” game with defenses going up each time a new attack was detected.

It is difficult to trace the exact source of the attacks. It is reported that, as far as the White House attacks go, only the unclassified network was breached. That doesn’t mean the information was not valuable or sensitive, nor that classified information was not present.

For more information on Absolute’s services for the Government sector, read here.

Via CNet

Encrypted Wireless on the Rise

RSA just released the results of their annual wireless security survey. The survey indicates that, with wireless use up dramatically in home, business and public hot-spots, encryption is improving. 97% of corporate access points in New York City were encrypted, up from 76% last year.

The improvements are not universal across major cities: in London, 20% of wireless access points had no form of encryption. In addition, this survey looked for the first time at the type of wireless encryption standard used. The WEP standard is no longer adequate, so the picture is not quite as good at this level. Paris has advanced security on 72% of wireless access points, while NY and London had below 50%. Also for the first time, the survey looked at in-home wireless security, and found security on home wireless networks to be superior to that on corporate networks.

Also from RSA is a great blog post about the importance of the 5 Ps - Proper Planning Prevents Poor Performance. Worth a read! And to continue your reading, check out our laptop security best practices.

Malicious Email Up

The latest report from Sophos indicates that 8x more malicious email attachments were spammed in Q3 of 2008.

The quarterly report from Sophos looks at spam trends. For the July - September 2008 time span, the report indicates that there was a rise in the proportion of spam emails sent with malicious attachments, as well as an increase in social engineering techniques in spam messages.

The report indicates that 1 in every 416 email messages contained a dangerous attachment. This was an 8-fold increase compared to Q2. Most of the increase can be attributed to several large-scale malware attacks, including one which was disguised as an iPhone arcade game with a penguin character. Most of the attacks still targeted Windows-based users, and the US led the way as the top country responsible for relaying spam across the globe.

In addition to malware sent via email attachments, malicious links were designed to prey upon user curiosity. This type of social engineering included “breaking news alerts”. Other new methods were explored, including spam using Facebook and Twitter.

Also of high importance in the news right now is a report that security researchers have found a way to crack the Wi-Fi Protected Access (WPA) encryption standard that’s used to protect data on many wireless networks. This is worrying news, which you can read about more here.

Hotel Network Security

Cornell University School of Hotel Administration has released the results of a study on Hotel Network Security. The study concluded that US hotels are “generally ill-prepared” to protect their guests from network security issues.

The study was conducted by Josh Ogle, Erica L. Wagner Ph.D. and Mark P. Talbert of Cornell University’s Center for Hospitality Research. The study of 147 US hotels found that there was a mixed picture with regard to the security of guest connections to the hotel wired and wireless networks.

Many business travelers use their hotel to continue working on the road, an increasingly common practice with the mobile workforce of today. However, as we’ve talked about in many instances on the Absolute blog, this places sensitive corporate information at risk.

According to the study, some hotels still rely on basic hub technology for their networks, which broadcasts every packet from every user to other users (no security). Others may have upgraded to more secure switches or routers, or may have encryption for Wi-Fi connections. Even with all of these upgrades, malicious lurkers can still intercept guest transmissions.

Highlights from the study:

  • 20% of hotel networks use hub topologies
  • 90% of hotels offered wireless access
  • Out of the 39 hotels that had supplemental site visits, only 6 had wireless encryption
  • 21% of hotels reported that malicious activity had taken place on their networks

The report outlines an example of best practice, with the case of the W Dallas Hotel - Victory. They have set up virtual local area networks (VLANs) for all hotel guests, inhibiting attackers from using the most common means of data intercept. The study goes so far as to lay fault on hotels that are not using available technology to protect hotel guests.

A number of recommendations were also made for hotel guests, including having an updated firewall, using the secure socket layer (SSL) protocol for transactions, and using virtual private network (VPN) or SSL-based email.

Download link: Hotel Network Security: A Study of Computer Networks in U.S. Hotels [PDF] Author note: at the time of publishing, the PDF link was not working well.

Via GCN

U.S. Leads Cyber Attacks


A new study from SecureWorks indicates that the United States now leads, geographically speaking, as the host for cyber attacks. This means that the United States is hosting computers that are responsible for the most attacks, regardless of who is doing the attacking.

Host computers responsible for cyber attacks may have been compromised and are being used as bots, or the attacks may originate from cybercriminals within the U.S. Hunter King, security researcher for SecureWorks, warns that not only are “organizations and personal computer users… putting their computers and networks at risk by not securing them, but they are actually providing these cyber criminals with a platform from which to compromise other computers.”

Attempted cyber attacks by originating country:

  • United States - 20.6 million
  • China - 7.7 million
  • Brazil - 166,987
  • South Korea - 162,289
  • Poland - 153,205
  • Japan - 142,346
  • Russia - 130,572
  • Taiwan - 124,997
  • Germany - 110,493
  • Canada - 107,483

The figures for this study were based upon threats intercepted on behalf of its customers during the first 9 months of 2008. The report, as described here, outlines how Chinese hackers are taking control of unprotected networks, versus just using distributed bots.

Via Security Watch

Most People Ignore Dialog Boxes

The Psychology Department of North Carolina State University recently pursued a study about pop-up boxes in order to understand user behavior. The study, which will be published in the Proceedings of the Human Factors and Ergonomics Society, was discussed by John Timmer of Ars Technica.

The researchers created a number of fake dialog boxes with various clues indicating to users that they were not real dialog boxes (what they said, mouse behavior, flashing text). One of the boxes read:

Warning! You are about to install some malware. Malware is bad. By reading this warning through to the end and still clicking yes you’re failing the Windows Darwin Test. Don’t be that guy, if you’re reading this message still then wise up and for the love of your family photos on your hard drive click the ‘No’ button.

A panel of 42 college students were told to watch as a series of websites loaded, with questions about the sites to follow. The fake dialog boxes were loaded in a random order, and user behavior was tracked. The study found that students were so anxious to get the dialog boxes out of the way that they ignored them. Here are the results:

  • 26 out of 42 students clicked “OK” for the “real” dialog, but 25 out of 42 students clicked “OK” for two of the fakes and 23 on the third
  • 9 out of 42 students closed the window (11 closed the dialog box)
  • A few users would minimize the dialog window or drag it out of the way
  • The response time between dialog boxes, real and fake, did not vary, indicating little time was spent evaluating them

When interviewed after, students indicated that they only cared about “getting rid” of the boxes. Many expressed a “degree of contempt” for the dialog boxes, after long-standing experience with them, which made them not care what the boxes said any longer.

In general, this type of user behavior is quite risky. It gives fake dialog boxes the opportunity to infect a user’s computer by counting on this kind of disinterested behavior.

There is a lot of talk around this issue, some believing that software designers have some responsibility to make software easier to use, so users won’t be desensitized to clicking through dialog boxes, while others believe that users are at fault / are lazy. I believe that users lack education about potential risks, but also about what to do with pop-up dialogues. Even valid dialog boxes can be hard to decipher, so it’s no surprise that the ubiquity of confusing dialog boxes has created an environment of dismissive user behavior.

Via Emergent Chaos, Ars