<?xml version="1.0" encoding="utf-8"?> 
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2009 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Fri, 03 Jul 2009 20:16:14 -0500</pubDate>
    <lastBuildDate>Fri, 03 Jul 2009 20:16:14 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Celebrity Deaths Drive Spam, with Jackson Pervasive</title>
    <description>With recent celebrity deaths, spammers are shifting strategies in hopes of cashing in on the misfortunes of others. Although several celebrities have passed away in the last few weeks, pop star Michael Jackson's death is driving the greatest spam volume.
&lt;p&gt;
Less than eight hours after Jackson's untimely death, Sophos began to intercept spam campaigns using the singer's name. Sophos also discovered cybercriminals taking advantage of 1970s TV icon Farrah Fawcett's death to spread fake antivirus software.
&lt;p&gt;
&lt;subhead&gt;
Mass Mailing Worms
&lt;/subhead&gt;
&lt;p&gt;
Since then, Sophos reports large volumes of more spam, malware and other scams. For example, Sophos reports a mass-mailing worm that spams out messages with subject lines such as &quot;Remembering Michael Jackson&quot; with an attached file called &quot;Michael songs and pictures.zip.&quot; 
&lt;p&gt;
The e-mail, which claims to come from sarah@michaeljackson.com, says the attached ZIP file contains secret songs and photos of Michael Jackson. However, the reality is that opening the attachment exposes recipients to infection -- and if a computer is victimized, it spreads the worm to other Internet users. 
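&lt;p&gt;
The lure above combines a spoofed sender, a topical subject line and a ZIP attachment that carries an executable. The following scanner, added here as an illustration and not code from Sophos or from the original article, shows the mail-gateway check a defender would run: it parses a message, decodes each attachment, identifies ZIP content by its magic bytes rather than by the declared MIME type or filename, and flags any member whose name ends in an executable extension. The sample message is constructed inline (the recipient address, the message body and the 4-byte stand-in for a PE header are assumptions), so the block runs offline.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that Windows will execute directly; a member with a double
# extension such as "photo.jpg.exe" is caught by the same suffix check.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def build_sample_message(zip_member: str) -> bytes:
    """Construct a message shaped like the lure in the article (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sarah@michaeljackson.com"      # spoofed sender named in the article
    msg["To"] = "victim@example.com"              # assumed recipient
    msg["Subject"] = "Remembering Michael Jackson"
    msg.set_content("Secret songs and photos attached.")  # assumed body text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for an executable: only the "MZ" header bytes.
        zf.writestr(zip_member, b"MZ\x90\x00")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Michael songs and pictures.zip")
    return bytes(msg)


def scan_message(raw: bytes) -> list[str]:
    """Return one finding per ZIP attachment member that looks executable."""
    findings = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True)   # undo base64/quoted-printable
        if payload is None:
            continue
        # Trust the bytes, not the Content-Type or the filename the sender chose.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        attachment_name = part.get_filename() or "(unnamed)"
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                member_names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append(f"{attachment_name}: corrupt zip")
            continue
        for name in member_names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"{attachment_name}: executable member {name}")
    return findings


if __name__ == "__main__":
    for member in ("Michael songs and pictures.exe", "song.mp3"):
        print(member, "->", scan_message(build_sample_message(member)))
```

A gateway that only looks at the outer filename would accept "Michael songs and pictures.zip" without complaint; inspecting the archive members is what catches the lure, and the magic-byte check means a renamed ZIP (for example one sent as application/octet-stream) is inspected too.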
&lt;p&gt;
Attackers have also set up a bogus Italian YouTube site link in an e-mail. When users click on the e-mail they get an error message indicating a Flash player upgrade is required in order to view the video. The download link ushers the victim to a fake codec that downloads a Trojan.
&lt;p&gt;
&lt;subhead&gt;
Exploiting Human Misery
&lt;/subhead&gt;
&lt;p&gt;
How does the rash of celebrity deaths compare with other major world events? It's not at all unusual for the bad guys to try to take advantage of big international news stories in their attempts to infect computers and steal money, according to Graham Cluley, a senior security consultant at Sophos.
&lt;p&gt;
Cluley points to hackers in the past taking advantage of the death of the pope, the incarceration of Saddam Hussein, the death of kung-fu actor David Carradine, a Concorde crash in Paris,...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67509</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67509</guid>
    <pubDate>Thu, 02 Jul 2009 08:11:24 -0500</pubDate>
  </item>

  <item>
    <title>The Latest App: Smartphone Interpreters</title>
    <description>Uncle Sam may soon get a little diplomatic help from the iPhone and BlackBerry. On June 30, an Egyptian company specializing in translation software released a tool designed to translate quickly between English and Arabic by way of a wireless device.
&lt;p&gt;
Cairo-based Sakhr Software introduced an application -- downloadable to Apple's iPhone and Research In Motion's BlackBerry -- that in seconds transmits an audio translation of a spoken phrase.
&lt;p&gt;
At the outset, Sakhr is pitching the software toward the U.S. intelligence community and the Defense Dept., which have lacked adequate Arabic language capabilities, particularly since the September 11 terrorist attacks. &quot;What we are solving is a real-world problem,&quot; says Sakhr spokeswoman Tuyen Ho. &quot;This product will help men and women in the armed forces and intelligence community bridge the communications gap. It will help keep them safer.&quot; The company declined to name customers but said it is talking with the Defense and Justice departments and various intelligence agencies.
&lt;p&gt;
&lt;subhead&gt;
Aiming at Businesses, Too
&lt;/subhead&gt;
&lt;p&gt;
In recent months, U.S. government agencies have stepped up their reliance on cutting-edge tech tools for diplomatic means. The State Dept. in April arranged a delegation of executives from Google, AT&amp;T, Twitter, and other tech startups to journey to Iraq to meet with government officials, business leaders, and students to discuss ways to use tech across that country.
&lt;p&gt;
The software Sakhr released June 30 is also designed for use by businesses. Its debut coincides with Sakhr's acquisition of software maker Dial Directions for an undisclosed amount. The two companies collaborated on the app for a year, with Sakhr developing the language software and Dial Directions designing the mobile architecture. Sakhr plans to release a version for consumers in August.
&lt;p&gt;
Sakhr designed its software so that users concerned about the security of their transmissions can host conversations on their own servers and monitor and mine...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67496</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67496</guid>
    <pubDate>Thu, 02 Jul 2009 07:27:33 -0500</pubDate>
  </item>

  <item>
    <title>Cyberspace Shapes Up To Be Next Battleground</title>
    <description>Congressional computers have been penetrated, probably by the Chinese. The avionics system of the F-22 fighter may be compromised. Computers of our presidential candidates were hacked into --- and probably not by teenagers on a lark.
&lt;p&gt;
Last year's advance of Russian tanks into Georgia was accompanied by the disruption of Georgian government computer systems.
&lt;p&gt;
These are only public manifestations of a new reality: Attacks on computer systems will be an integral element of future conflict, and the United States is more dependent on computer networks than any other nation.
&lt;p&gt;
Both policy-makers and the military are in the early stages of coming to grips with this threat. We need to take some important first steps to strengthen our national capability to defend ourselves in cyberspace.
&lt;p&gt;
First, we must abandon the notion that static defenses will help us against sophisticated threats.
&lt;p&gt;
One bipartisan Senate bill proposes to establish a government committee to set standards for all computer systems and software.
&lt;p&gt;
This is the electronic equivalent of building a Maginot Line of concrete fortifications against a mobile enemy.
&lt;p&gt;
It may keep common criminals at bay, but it will be no defense against a mobile and adaptable top-tier adversary.
&lt;p&gt;
American government and private computer systems operate on an interconnected global network that is constantly changing like a biological organism.
&lt;p&gt;
It operates at light speed, and both friends and adversaries are connected to the same network.
&lt;p&gt;
We must anticipate that the most dangerous players will stay quiet until a time of national tension.
&lt;p&gt;
Our cyber-defense capabilities must be inherently dynamic, with a close connection between system operators, intelligence analysts, and the researchers who can rapidly build and deploy tools to protect or restore vital capabilities.
&lt;p&gt;
Second, our intelligence on other countries' cyber capabilities must be strengthened.
&lt;p&gt;
We have scores of trained experts who know the ins and outs of foreign radars and missile systems and almost none who...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67484</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67484</guid>
    <pubDate>Fri, 03 Jul 2009 07:02:57 -0500</pubDate>
  </item>

  <item>
    <title>Red Condor Outperforms Google&#039;s Message Security</title>
    <description>Rohnert Park, Calif., June 30, 2009 –- Red Condor, the award-winning provider of fully managed email security solutions, today announced the results of a recent third-party head-to-head anti-spam effectiveness and feature comparison test between Red Condor Message Assurance Gateway 2700 (MAG2700) and Google Inc.'s Message Security powered by Postini. The test, which was conducted by The Tolly Group, found that the MAG2700's spam detection rate was significantly higher than Postini's with 84% fewer false positives. Following the week-long test, The Tolly Group concluded that Red Condor offers, &quot;better anti-spam performance at considerably less cost.&quot;
&lt;p&gt;
The Tolly Group's test showed that Red Condor's MAG2700 is more accurate when it comes to delivering legitimate email. Red Condor generated only one false positive in more than 190,700 inbound emails; whereas the Postini Hosted Service generated one false positive in just 527 inbound emails.  (A false positive is defined as a good email classified as spam that is not spam.)
&lt;p&gt;
The Tolly Group also found that the Red Condor MAG2700 had a spam detection rate of 99.991%; whereas Postini's detection rate was only 95.397%.  This means that while Red Condor misclassified less than 0.01% of the total spam emails, Postini misclassified more than 4.60%; indicating that Red Condor is significantly more accurate stopping bad email and malicious content.
&lt;p&gt;
&quot;The MAG2700's performance in head-to-head evaluations against the industry-recognized leaders continues to validate the effectiveness of our system and technology,&quot; said Dr. Thomas Steding, president and chief executive officer of Red Condor. &quot;During the test, our spam filter outperformed Postini's, and our system produced far fewer false positives. In addition, our MAG2700 one-year price per mailbox is 85 percent less expensive than Postini's hosted service. Combine Red Condor's exceptional performance with our price, ease of use, worry-free management and around-the-clock support, and it's clear why so many...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67478</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67478</guid>
    <pubDate>Tue, 30 Jun 2009 13:03:59 -0500</pubDate>
  </item>

  <item>
    <title>Veracode To Assess Mobile-App Security Risks</title>
    <description>Burlington, Mass., June 30th, 2009 -– Veracode Inc., provider of the world's leading Application Risk Management Platform, today announced expansion of its SecurityReview® cloud-based subscription service to support mobile applications. With more than 100,000 mobile applications already in the market and millions of mobile users accessing critical business data, the security risk posed by these applications is staggering.  Veracode announced immediate availability for Windows Mobile with near term support for other platforms such as RIM BlackBerry, Google Android and Apple iPhone.  Veracode's SecurityReview is the first solution to enable enterprises and software vendors to assess the security risk of mobile applications before they are shipped or deployed to combat the growing number of data breaches and compliance failures.
&lt;p&gt;
Enterprises are increasingly transacting critical data with customers and remote workers through mobile applications, yet the security of these applications goes largely untested.  Source code for mobile applications is rarely available, as most software is written by third parties and is insufficient in finding vulnerabilities such as backdoors, malicious code or flaws introduced by third party libraries and components. Veracode provides the only solution to assess binary code – the way attackers see it – enabling organizations to apply a common, holistic approach to secure both their mobile and server applications regardless of whether they are internally developed, purchased from a commercial vendor, outsourced or open source.
&lt;p&gt;
&quot;Mobile applications are one of the fastest growing segments of the software market,&quot; said Diana Kelley, principal analyst, Security-Curve.  &quot;Insecure software which processes sensitive data poses a risk to enterprises, regardless of the platform it is run on.  Enterprises need to apply the same risk assessment and security analysis to mobile applications as they do to those housed in data centers.&quot;
&lt;p&gt;
&quot;Today, there isn't a major financial institution, software vendor or healthcare provider...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67475</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67475</guid>
    <pubDate>Tue, 30 Jun 2009 12:42:22 -0500</pubDate>
  </item>

  <item>
    <title>Man Pleads Guilty in Pa. to Credit Card Scam</title>
    <description>A San Francisco man who allegedly had 1.8 million stolen bank and credit card numbers on computers at his California apartment has pleaded guilty to wire fraud for his role in an online clearinghouse where identity thieves could share stolen information.
&lt;p&gt;
Max Ray Vision, 36, who legally changed his last name from Butler, has been in custody since September 2007 when law enforcement officials raided the &quot;safe house&quot; apartment where he hacked into the computers of financial institutions to steal credit data. 
&lt;p&gt;
Assistant U.S. Attorney Luke Dembosky said credit card companies Visa, MasterCard, American Express and Discover tracked more than $86 million in fraudulent purchases to the account numbers found on Vision's computers.
&lt;p&gt;
Vision was charged in Pittsburgh because he sold more than 100 credit card numbers and related information to a western Pennsylvania resident who is cooperating with the investigation of http://www.cardersmarket.com.
&lt;p&gt;
About 4,500 people worldwide could trade or access stolen credit information on the Web site from 2005 until it was shut down in 2007.
&lt;p&gt;
Vision faces up to 60 years in prison when he's sentenced Oct. 4, but his actual sentence will be driven largely by the actual losses banks incurred in the scheme, which has yet to be determined.
&lt;p&gt;
Federal public defender Michael Novara told Senior U.S. District Judge Maurice Cohill that Vision was a &quot;hacker's hacker,&quot; meaning he sometimes broke into the computers of other hackers and took information.
&lt;p&gt;
Novara suggested some of the credit information on Vision's computer was obtained that way and that Vision might not be responsible for financial losses related to those accounts.
&lt;p&gt;
&quot;There's a lot of stuff on his computer that he's not responsible for and did not intend to use&quot; criminally, Novara said.
&lt;p&gt;
Vision didn't comment after the guilty plea to two counts of wire fraud. He had been indicted on a third wire fraud count, and...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67469</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67469</guid>
    <pubDate>Wed, 01 Jul 2009 07:10:41 -0500</pubDate>
  </item>

  <item>
    <title>Jackson&#039;s Death Unleashes Barrage of Online Scams</title>
    <description>Minutes after any big celebrity dies, Internet swindlers get to work. They pump out specially created spam e-mails and throw up malicious Web sites to infect victims' computers, hoping to capitalize on the sudden high demand for information.
&lt;p&gt;
Michael Jackson's death was no different, and security experts say the fraud artists are just getting started.
&lt;p&gt;
The scams started cropping up almost instantaneously as Jackson's death was still hitting the news. As days have gone by, they've gotten more sophisticated -- and dangerous.
&lt;p&gt;
Jackson's death &quot;took a lot of people by surprise -- the spammers, too,&quot; said Dermot Harnett, principal analyst for anti-spam engineering at Symantec Corp., a security software maker. &quot;It might take them some time to really pounce on this issue. They are catching up pretty quickly, though.&quot;
&lt;p&gt;
Any major world event, such as the recent protests in Iran, triggers a barrage of Internet attacks. Security experts say the malicious traffic associated with Jackson's death will likely match and perhaps exceed those of other big spamming campaigns, such as those connected with the swine flu outbreak and Saddam Hussein's execution.
&lt;p&gt;
Spam is the most common way for fraudsters to find victims after these types of events. They can use a shotgun approach with a boilerplate message about Jackson, taking advantage of people's interests in the topic to improve their batting average over their usual spam campaigns.
&lt;p&gt;
By enticing users with such messages and tricking them into clicking on e-mail attachments, scammers can easily infect victims' computers and take command of them for more nefarious activities.
&lt;p&gt;
The spam about Jackson's death gets more convincing every day.
&lt;p&gt;
One message promises a YouTube video showing the exclusive &quot;last work of Michael Jackson.&quot; Instead, victims get a malicious program that steals their passwords. Another promises to show the &quot;latest unpublished photos&quot; of Jackson if you click on a link -- one...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67464</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67464</guid>
    <pubDate>Wed, 01 Jul 2009 07:13:29 -0500</pubDate>
  </item>

  <item>
    <title>Va. Lawmakers Drill In on Hacker Attack, IT Delays</title>
    <description>Some doctors are holding off prescribing painkillers after a hacker accessed more than 35.5 million of Virginia's most sensitive prescription drug records two months ago, a state official told a legislative panel Monday.
&lt;p&gt;
Lawmakers probing the state's computer services bureaucracy, the Virginia Information Technologies Agency, also learned that its former director was dismissed earlier this month after refusing to pay VITA's contracted partner, which had missed key deadlines.
&lt;p&gt;
Hearings Monday by the House Science and Technology Committee and a Senate Finance technology subcommittee focused on VITA and its 10-year, $2.4 billion contract with Northrop Grumman after years' worth of state agencies' complaints over high costs and long service delays they have experienced from the partnership.
&lt;p&gt;
Lawmakers intensified their scrutiny of the six-year-old agency created to consolidate the state's diverse and far-flung computer systems after the Prescription Monitoring Program was hacked on April 30 and after the dismissal of former VITA chief Lemuel Stewart.
&lt;p&gt;
With the prescription database still offline two months after it was accessed because of FBI and state criminal investigations and work to upgrade the system, some doctors are reluctant to prescribe highly addictive painkillers such as Oxycodone, Vicodin, morphine and Valium, said Sandra Whitley Ryals, director of the Department of Health Professions.
&lt;p&gt;
&quot;I do not have any indication, however, of how many that might be,&quot; she told the panel.
&lt;p&gt;
Later, she downplayed the magnitude, describing the reports as sparse and anecdotal. She said the department has gotten no complaints from patients being denied needed drugs.
&lt;p&gt;
&quot;I do know that our prescribers, mostly physicians, have grave concerns about not being able to access the information,&quot; she said. They were being asked &quot;to use their best judgment,&quot; she said.
&lt;p&gt;
The database was established for professionals who prescribe painkillers, the pharmacists who fill the prescriptions and police to flag abuse and theft.
&lt;p&gt;
Among the information accessed were names, birth...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67462</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67462</guid>
    <pubDate>Wed, 01 Jul 2009 07:13:12 -0500</pubDate>
  </item>

  <item>
    <title>Cyberwar Defenders Reach an Impasse</title>
    <description>The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.
&lt;p&gt;
Both nations agree that cyberspace is an emerging battleground. The two sides are expected to address the subject when President Barack Obama visits Russia next week and at the General Assembly of the United Nations in November, according to a senior U.S. State Department official.
&lt;p&gt;
But there the agreement ends.
&lt;p&gt;
Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.
&lt;p&gt;
The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, U.S. officials say.
&lt;p&gt;
&quot;We really believe it's defense, defense, defense,&quot; said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. &quot;They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.&quot;
&lt;p&gt;
Any agreement on cyberspace presents special difficulties because the matter touches on issues like censorship of the Internet, sovereignty and rogue actors who might not be subject to a treaty.
&lt;p&gt;
U.S. officials say the disagreement has hindered international law enforcement cooperation, particularly given that a significant proportion of the attacks against American government targets are coming from China and Russia.
&lt;p&gt;
And from the Russian perspective, the absence of a treaty is permitting a kind of arms race with potentially dangerous consequences.
&lt;p&gt;
Officials around the world recognize the need to deal with the growing threat of cyberwar. Many countries,...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67434</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67434</guid>
    <pubDate>Wed, 01 Jul 2009 07:12:52 -0500</pubDate>
  </item>

  <item>
    <title>Unclear What Happens to Personal Info With Clear</title>
    <description>More than a quarter million people are wondering what will happen to their fingerprints, Social Security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.
&lt;p&gt;
Government officials are wondering too.
&lt;p&gt;
The sudden shutdown of the Clear program, run by Verified Identity Pass Inc., this week has raised more concerns about who keeps our personal information, how well it's protected from theft and whether it could be sold to the highest bidder.
&lt;p&gt;
If Verified files for bankruptcy protection or is taken over by another company, security experts say it's unlikely customers' private data would be handed over to creditors or new owners. But they -- as well as some members of Congress -- are starting to trace the data trail.
&lt;p&gt;
Worries about protecting personal information and the danger of identity theft cover many areas of life in the 21st century beyond travel -- from drawing cash out of an ATM to handing a credit card over to a store or restaurant.
&lt;p&gt;
On Tuesday, the parent company of retailers T.J. Maxx and Marshall's said it will pay $9.75 million in a settlement with a number of states related to massive data theft that exposed tens of millions of payment card numbers.
&lt;p&gt;
Clear said it will secure the personal information it gathered, which it says it handled according to Transportation Security Administration standards, and will &quot;take appropriate steps to delete the information.&quot; Clear only provided information to TSA when it was part of the agency's pilot program, Registered Traveler, which ended in July 2008.
&lt;p&gt;
In a statement on its Web site Friday, Verified Identity Pass said that all of its Clear airport kiosks have been wiped clean of data. Employees' laptops are in the process of being cleared.
&lt;p&gt;
Although it was a private company, Clear had to follow TSA...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=67429</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=67429</guid>
    <pubDate>Wed, 01 Jul 2009 07:12:24 -0500</pubDate>
  </item>
</channel></rss>