<?xml version="1.0" encoding="utf-8"?> 
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2008 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Fri, 09 May 2008 09:01:07 -0500</pubDate>
    <lastBuildDate>Fri, 09 May 2008 09:01:07 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Hackers&#039; Posts on Epilepsy Forum Cause Migraines, Seizures</title>
    <description>Computer attacks typically don't inflict physical pain on their victims.
&lt;p&gt;
But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation's Web site with hundreds of pictures and links to pages with rapidly flashing images.
&lt;p&gt;
The breach triggered severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they're exposed to flickering images, a response also caused by some video games and cartoons.
&lt;p&gt;
The attack happened when hackers exploited a security hole in the foundation's publishing software that allowed them to quickly make numerous posts and overwhelm the site's support forums. 
&lt;p&gt;
Within the hackers' posts were small flashing pictures and links -- masquerading as helpful -- to pages that exploded with kaleidoscopic images pulsating with different colors.
&lt;p&gt;
&quot;They were out to create seizures,&quot; said Ken Lowenberg, senior director of Web and print publishing for the foundation.
&lt;p&gt;
He said legitimate users are no longer able to post animated images to the support forum or create direct links to other sites, and it is now moderated around the clock. He said the FBI is investigating the breach.
&lt;p&gt;
Security experts said the attack highlights the dangers of Web sites giving visitors great freedom to post content to different parts of the site.
&lt;p&gt;
In another recent attack, hackers exploited a simple coding vulnerability in Sen. Barack Obama's Web site to redirect users visiting the community blogs section to Sen. Hillary Rodham Clinton's official campaign site.
&lt;p&gt;
The hackers who infiltrated the Epilepsy Foundation's site didn't appear to care about profit. The harmful pages didn't appear to try to push down code that would allow the hacker to gain control of the victims' computers, for instance.
&lt;p&gt;
&quot;I count this in the same category of teenagers who think it's funny to put a cat in...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59681</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59681</guid>
    <pubDate>Fri, 09 May 2008 07:12:40 -0500</pubDate>
  </item>

  <item>
    <title>Web Site Flap Prompts Alaska Democrat To Give Up House Race</title>
    <description>A Democratic congressional candidate abruptly dropped out of the race Wednesday and said a former campaign worker was linked to an Internet smear aimed at a rival.
&lt;p&gt;
Jake Metcalfe said he had known nothing about a scheme to redirect Internet users searching for fellow Democrat Ethan Berkowitz to bogus sites intended to harm Berkowitz's candidacy. But he added, &quot;It appears that a former campaign worker was involved in these acts, and I condemn them.&quot;
&lt;p&gt;
Metcalfe, former chairman of the Democratic Party in Alaska, said he takes responsibility and apologized to Berkowitz on Wednesday.
&lt;p&gt;
The disputed Web sites contained variations of Berkowitz's name but were not associated with the candidate's campaign. When users clicked on the Web sites, they were directed to pages that attempted to portray Berkowitz as a privileged California liberal or to gay cultural sites in San Francisco.
&lt;p&gt;
&quot;I made a mistake by not taking these allegations more seriously from the beginning,&quot; Metcalfe said.
&lt;p&gt;
Berkowitz said Wednesday it is time to move past the Web site flap. Married with two children, he has roots in San Francisco but has lived since 1990 in Alaska, where he has served as a prosecutor and legislator.
&lt;p&gt;
&quot;I think it's time to close a chapter and go back to what we should have been doing all along, which is talking about the direction the state is taking,&quot; Berkowitz said.
&lt;p&gt;
Metcalfe's former campaign manager, Dana Krawchuk, claimed that his political adviser Bill Scannell talked about such a scheme last year in front of her and Metcalfe.
&lt;p&gt;
Scannell has denied establishing the fake Web sites but he resigned last week, saying the allegations were hurting Metcalfe.
&lt;p&gt;
Metcalfe said Wednesday he had not determined that Scannell was behind the ruse.
&lt;p&gt;
&quot;I've talked to Bill. Bill denies it's him, but the evidence shows he may have had something to do with it,&quot; Metcalfe said.
&lt;p&gt;
Metcalfe said he...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59680</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59680</guid>
    <pubDate>Fri, 09 May 2008 07:13:33 -0500</pubDate>
  </item>

  <item>
    <title>EU Says Consumers Are Cheated by Travel, Airline Sites</title>
    <description>A third of people who shop for flights on airline and other travel Web sites in the EU are being cheated by misleading ads and price schemes, the European Commission said Thursday, threatening legal action to stop such practices.
&lt;p&gt;
The European Union's consumer protection chief gave airlines and tour operators one year to fall in line with consumer rules or face court action and possible fines.
&lt;p&gt;
&quot;It is unacceptable that one in three consumers going to book a plane ticket online is being ripped off or misled or confused,&quot; said Meglena Kuneva, the EU's consumer protection commissioner.
&lt;p&gt;
&quot;My message to industry is clear: act now or we will act,&quot; she said.
&lt;p&gt;
Preliminary findings of an EU investigation indicate the main problems on the sites are misleading pricing and vague conditions and contract terms. Airlines and other travel companies often add airport taxes, handling fees, baggage and seating charges and a variety of other costs on top of the prices that first appear on Web sites.
&lt;p&gt;
&quot;The price first advertised on a Web site should be the final price,&quot; said the European Commission, the EU's executive office.
&lt;p&gt;
Kuneva said such problems existed &quot;in all sectors&quot; of the airline industry, including both discount and full-fare carriers.
&lt;p&gt;
The EU is hoping to raise the awareness of bargain hunters so they will not be fooled by hidden charges or unclear small print.
&lt;p&gt;
Kuneva said legal restrictions in most EU nations prevented her from &quot;naming and shaming&quot; the airlines and tour operators suspected of breaking EU laws.
&lt;p&gt;
Norwegian and Swedish consumer rights authorities, however, listed many of the companies involved on their Web sites. They included Irish low-cost carrier Ryanair, Austrian Airlines and Blue1, a Finnish airline fully owned by Scandinavian airline operator SAS AB.
&lt;p&gt;
An initial review in September found that more than 50 percent of sites checked were misleading consumers on tickets advertised...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59676</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59676</guid>
    <pubDate>Fri, 09 May 2008 07:16:53 -0500</pubDate>
  </item>

  <item>
    <title>Yahoo Teams with McAfee for Safer, More Secure Searching</title>
    <description>Web searching can expose users to a whole range of malicious sites, so Yahoo is now teaming up with security vendor McAfee to make its search experience more secure for users.
&lt;p&gt;
On Tuesday, the two companies announced a partnership that they said will &quot;deliver a safer Web-search experience&quot; through the beta launch of a new SearchScan feature. Built on McAfee's SiteAdvisor technology, SearchScan alerts Yahoo Search users when they're visiting risky sites. 
&lt;p&gt;
&lt;subhead&gt;
More Than Neighborhood Crime
&lt;/subhead&gt;
&lt;p&gt;
Those suspect sites could be hiding spyware, adware or other software that is less than friendly to your PC. SearchScan also knows about sites with bad e-mail practices, such as ones that send out spam.
&lt;p&gt;
Suspected risky sites show up with a red warning sign and text in the search-results page, thus cautioning users with a visual indicator. For instance, a risky site would receive the warning sign -- a red triangle -- under it, as well as red text that reads: &quot;Warning: Dangerous Downloads, Unsolicited E-mails.&quot;
&lt;p&gt;
The SearchScan beta is available to users of Yahoo Search in the United States, Canada, the United Kingdom, France, Italy, Germany, Australia, New Zealand and Spain. The Yahoo-McAfee arrangement is a global agreement to work together on other fronts as well, such as bringing Yahoo Search to McAfee users. 
&lt;p&gt;
Risky browsing resulting from search engines is a concern for 65 percent of Americans online, according to Yahoo -- even more than neighborhood crime, getting a wallet stolen, or an e-mail-based scam. As an online safety issue, it is second in importance only to children's safety on the Net.  
&lt;p&gt;
McAfee Vice President Tim Dowling said that &quot;Research indicates four out of five Web site visits start with a search,&quot; and that SearchScan's new, advance warning can be one of the strongest weapons against online threats.
&lt;p&gt;
&lt;subhead&gt;
Cited as Worst by McAfee
&lt;/subhead&gt;
&lt;p&gt;
McAfee said that...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59671</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59671</guid>
    <pubDate>Wed, 07 May 2008 13:39:18 -0500</pubDate>
  </item>

  <item>
    <title>&#039;Crimeserver&#039; Discovered with Treasure Trove of Stolen Data</title>
    <description>Cybercriminals collect a treasure trove of data from Web surfers whose computers are infected with Trojans. That's all-too-common news these days, but a recent case shows that the problem is getting worse. Finjan Inc., which makes secure Web gateway products, discovered a server in Malaysia being used by hackers to store more than 1.4 gigabytes of stolen data. What surprised the Finjan researchers was that the data was stolen from businesses as well as individuals -- and it was amassed in just three weeks.
&lt;p&gt;
Yuval Ben-Itzhak, Finjan's chief technology officer, told us that there were other surprises from the discovery of the Malaysian-based &quot;crimeserver&quot; that was being used as a command-and-control center for the Trojans installed on infected PCs around the world. 
&lt;p&gt;
&quot;Quite often we see end-user online banking information being logged, but on this server we found a lot of business-related data, such as e-mail communications, patient medical histories, and even screenshots of Outlook,&quot; he said. This compromised information could lead to a host of problems for an organization, from violations of federal regulations about patient privacy to the loss of critical business information. 
&lt;p&gt;
&lt;subhead&gt;
Crimeware as a Service 
&lt;/subhead&gt;
&lt;p&gt;
Ben-Itzhak said the crimeserver was left totally open so that data could be accessed by anyone. The Finjan report about the attack surmised that crimeware is evolving with a new and alarming customer-service focus. 
&lt;p&gt;
&quot;Crimeware has reached a new level of sophistication. After the birth of sophisticated crimeware toolkits, closely followed by Crimeware-as-a-Service (CaaS), we now see the availability of user data as a 'customer' service by granting open access to the crimeware server with the harvested data.&quot; 
&lt;p&gt;
Finjan researchers noted that the Malaysian server had changed hosting locations a number of times between late last year and the time the crimeserver was discovered, &quot;likely to prevent it from being closed down...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59653</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59653</guid>
    <pubDate>Thu, 08 May 2008 07:23:39 -0500</pubDate>
  </item>

  <item>
    <title>Global Piracy Rampant -- But You Can Fight Back</title>
    <description>Piracy is running rampant, according to a report from the U.S. government. Not the kind of pirates with eye patches and parrots on their shoulders, but rather the kind that downloads content illegally from the Internet, counterfeits products, and generally hijacks the profits of pharmaceuticals, electronics, software, and other goods. China and Russia were singled out in particular for their weak protections of intellectual property rights (IPR).
&lt;p&gt;
The report, known as Special 301, is conducted annually by the Office of the United States Trade Representative (USTR) to examine the global state of IPR in accordance with the Special 301 provisions of the Trade Act of 1974. This year, the USTR designated 46 countries in one of three &quot;watch list&quot; categories. China and Russia -- which were both given kudos for improved measures against pirates and counterfeiters -- made their way to the top of the list, followed by other trading partners, including Argentina, Israel, Pakistan and Thailand. 
&lt;p&gt;
&lt;subhead&gt;
On the Lists 
&lt;/subhead&gt;
&lt;p&gt;
Belize and Lithuania both were removed from the Watch List thanks to &quot;heightened engagement&quot; with the United States. Other countries, including Egypt, Lebanon and Turkey, made their way off the dreaded Priority Watch List and on to the less serious Watch List, thanks to improvements made on IPR. (Spain and Greece are new Watch List members as well.) The USTR wields power against friend and foe; even Canada is on the Watch List, cited in part for its &quot;weak border measures [that] continue to be a serious concern for IP owners.&quot; 
&lt;p&gt;
The International Intellectual Property Alliance (IIPA), which represents a group of seven trade associations concerned with copyright, hailed the report (it had requested that Canada be put on the Watch List) and issued a matrix of estimated trade losses due to copyright piracy. It estimated that China's piracy cost businesses...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59640</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59640</guid>
    <pubDate>Wed, 07 May 2008 07:26:21 -0500</pubDate>
  </item>

  <item>
    <title>Missouri Governor Accused of Ordering E-Mail Purge</title>
    <description>Gov. Matt Blunt or his top deputies ordered Missouri's backup e-mail tapes to be destroyed to avoid complying with an open-records request from The Associated Press, a lawsuit filed by state investigators alleged Monday.
&lt;p&gt;
The lawsuit was filed by investigators appointed by Attorney General Jay Nixon to look into whether Blunt's office had violated open-records laws by deleting some e-mails.
&lt;p&gt;
A former governor's office attorney sued Blunt earlier this year alleging he was fired for raising concerns that the office was not complying with the Sunshine Law or Missouri's document-retention policies.
&lt;p&gt;
Shortly after former Blunt staffer Scott Eckersley went public with his allegations last fall, The AP filed an open-records request Oct. 31 seeking e-mails retrieved from the state's electronic backup files. Specifically, The AP sought e-mails sent or received by Blunt, Eckersley and several top governor's office employees.
&lt;p&gt;
In response to that request, a supervisor in the state's Office of Administration set aside the backup e-mail tapes that same day so they would not automatically be taped over as part of the state's standard 60-day retention cycle, the lawsuit said.
&lt;p&gt;
But later on Oct. 31, the lawsuit alleged, either Blunt, one of his top three deputies or someone acting under their direction indicated to acting administration commissioner Rich AuBuchon &quot;that it would be in everyone's best interest&quot; if the backup files were taped over.
&lt;p&gt;
The lawsuit claimed AuBuchon then told the state's chief information officer, Dan Ross, that &quot;there was concern at a `higher level'&quot; over the fact that the backup e-mail files had been set aside. Ross then asked two separate computer technology supervisors to place the backup e-mail tapes in line to be taped over, the lawsuit said.
&lt;p&gt;
Both supervisors refused to do so, the lawsuit said, and the next day the attorney general's office received a confidential tip that Ross had sought to...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59638</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59638</guid>
    <pubDate>Wed, 07 May 2008 07:24:38 -0500</pubDate>
  </item>

  <item>
    <title>Like Windows XP Over Vista? You&#039;re Safe a Few More Years</title>
    <description>The internal battle between Windows XP and Windows Vista continued last week with the release of Service Pack 3 for Windows XP, which will extend the life of the venerable XP for another few years.
&lt;p&gt;
The 300-plus megabyte patch, which was released April 29, includes more than 1,000 patches and cumulative updates for XP, which are eagerly awaited by corporate customers because of the ease with which all of the patches can be applied to desktops and laptops. It basically includes all patches and updates released since 2004, plus a few new ones, in one giant update.
&lt;p&gt;
This is the last service pack for XP, which Microsoft plans to stop selling in June if all goes according to plan. However, there is a growing outcry from customers to keep XP available after June. Already some PC manufacturers, including HP and Dell, plan to offer a &quot;downgrade&quot; option from Vista to XP for business customers who request it -- and many plan to, especially corporate clients, which have been very slow to adopt Vista.
&lt;p&gt;
The battle between XP and Vista has been fascinating, actually. The lack of adoption of Windows Vista in the corporate world, mainly because of incompatibilities, lack of drivers for legacy printers and other devices, and the need for additional RAM and processing power, has put Microsoft in a terrible bind. It has already extended its June 30 deadline for the end of XP once; if it does it again, it tacitly admits the failure of Vista in the enterprise. If it doesn't, it ignores the cries of the installed base of its customers, many of whom at least want the choice of XP when it comes to operating systems.
&lt;p&gt;
As for the Service Pack, I have applied it to a half-dozen systems and found it flawlessly installed in about 30 minutes...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59634</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59634</guid>
    <pubDate>Wed, 07 May 2008 07:16:17 -0500</pubDate>
  </item>

  <item>
    <title>How To Avoid Cons that Can Lead to Identity Theft</title>
    <description>When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that usually can be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software. Although technological defenses can help you fend off these newer types of attacks, your best weapons against them are common sense, alertness, and careful e-mail and Web-surfing practices. 
&lt;p&gt;
These newer types of attacks are called &quot;social engineering,&quot; and they are used by criminals to steal your money and identity and to plant malicious software on your computer that can be used to rip you off. Social engineering is the online equivalent of an old-fashioned con game, in which a crook frightens people with false warnings, or tempts them with false promises, and then robs them.
&lt;p&gt;
The most common form of social engineering is called phishing, a one-two punch using both e-mail and Web browsing to trick people into typing confidential information into Web sites that look like the sites of real companies, especially financial institutions. But these phishing sites are actually skillfully designed fakes that transmit your sensitive data to criminals, often in distant countries. Once these creeps have your passwords and account numbers, they can loot your funds and steal your identity.
&lt;p&gt;
Here are some tips to help you avoid being the victim of social engineering.
&lt;p&gt; 
1. Never, ever click on a link embedded in an e-mail that appears to come from a financial institution, even if it's your own bank or brokerage and even if it looks official right down to the logo. The same goes for payment or auction services, such as PayPal or eBay.
&lt;p&gt;
Don't do this even if the e-mail asserts that your account has a problem or that the bank has to verify your information. And certainly...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59607</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59607</guid>
    <pubDate>Wed, 07 May 2008 07:25:18 -0500</pubDate>
  </item>

  <item>
    <title>Staying One Step Ahead of Password Thieves</title>
    <description>Creating and remembering strong passwords -- like backing up our computers' contents -- is something many of us know we should do, but don't. 
&lt;p&gt;
And can you blame us? Having to come up with user names and passwords for virtually everything we do on a computer is enough to make anyone use &quot;Magic123&quot; over and over. I've even heard of people who keep lists of passwords taped to their computer screens.
&lt;p&gt;
With a little time and some discipline, you can create strong passwords and do a better job managing them.
&lt;p&gt;
Of course, no matter how many precautions you take, no password is ever 100 percent secure. By the same token, you don't have to follow all the advice in this column to avoid password theft.
&lt;p&gt;
By now most people know that you shouldn't use personal information such as your name, birth date or address in a password. It's also not a good idea to use something obvious such as &quot;1234&quot; or &quot;password.&quot;
&lt;p&gt;
Passwords should be at least seven or eight characters in length. The longer the password, the stronger it is. 
&lt;p&gt;
Next, choose a password that would appear as nothing more than a random list of characters to someone else. Use both uppercase and lowercase letters and, if possible, use punctuation marks from all over the keyboard. One technique is to take a phrase that means something to you or a line from a favorite song and create a password by taking the first letter of each word of that phrase or line. Make sure to add in some symbols. For instance, you could replace an &quot;a&quot; with &quot;,&quot; but use this technique sparingly in your password.
&lt;p&gt;
Although you should never use the same password to secure highly sensitive information on more than one site, it's probably OK to use the same password for low-risk...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=59606</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=59606</guid>
    <pubDate>Wed, 07 May 2008 07:25:40 -0500</pubDate>
  </item>
</channel></rss>