Welcome to Apple iCloud phishing attacks

August 27, 2011
Filed under Security News

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.

 

The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.

 

Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).

 

Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.

 

[Screenshot: the phishing email as received]

Subject:

Welcome to iCLOUD

Message body:

Important information for MobileMe members.

Dear MobileMe member,

Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.

Click here to update iCLOUD

Sincerely,

The Apple store Team

 

If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.

 

[Screenshot: the third-party website styled to look like Apple]

 

Yes, it’s a phishing website.

 

And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.

 

Crumbs! Imagine the harm a fraudster could cause with all that information.

 

Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.
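The red flags in the email above (a brand named in the body, a sender address and a "Click here" link that belong to someone else, a generic salutation and a misspelling) can be turned into a mechanical check. The code below is an added example, not from Naked Security or Sophos; the sender address, the link target and the set of domains treated as Apple's own are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the phishing email quoted in the article.
# The sender address and the link target are assumptions (the article shows
# only the rendered text and a "Click here" link); the .invalid TLD means
# these hosts never resolve.
SAMPLE_PHISH = """From: MobileMe <support@mobileme-mail.invalid>
To: member@example.invalid
Subject: Welcome to iCLOUD
Content-Type: text/html

<p>Dear MobileMe member,</p>
<p>Please sign up for iCloud and click the submit botton, you'll be able
to keep your old email address.</p>
<p><a href="http://icloud-update.mobileme-mail.invalid/login">Click here to update iCLOUD</a></p>
<p>Sincerely,<br>The Apple store Team</p>
"""

# Constructed benign counterpart: identical wording, but sender and link both
# sit on a domain the brand owns.
SAMPLE_LEGIT = SAMPLE_PHISH.replace("support@mobileme-mail.invalid", "noreply@apple.com") \
                           .replace("http://icloud-update.mobileme-mail.invalid/login",
                                    "https://www.apple.com/icloud/")

# Assumption: the domains the impersonated brand legitimately sends from and links to.
BRAND_DOMAINS = {"apple.com", "me.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud", "mobileme")

def registrable(host):
    """Crude eTLD+1 (last two labels): fine for .com/.invalid, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def link_hosts(html):
    """Hostnames of every href in an HTML body."""
    return [urlparse(u).hostname or "" for u in
            re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)]

def phishing_indicators(raw_message):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []

    # Everything below is judged relative to the brand the body claims to be from.
    mentions_brand = any(w in body.lower() for w in BRAND_WORDS)

    # 1. Sender domain is not one the brand owns.
    sender = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", sender)
    if mentions_brand and m and registrable(m.group(1)) not in BRAND_DOMAINS:
        found.append("sender-domain:" + m.group(1))

    # 2. A link leads off the brand's domains (the article's "third-party site").
    for host in link_hosts(body):
        if mentions_brand and registrable(host) not in BRAND_DOMAINS:
            found.append("offsite-link:" + host)

    # 3. Generic salutation plus a call to action: the mass-mailing pattern.
    if re.search(r"\bclick here\b", body, re.I) and re.search(r"\bdear .*member\b", body, re.I):
        found.append("generic-salutation-with-call-to-action")

    # 4. The misspelling the quoted email actually contains.
    if re.search(r"\bbotton\b", body, re.I):
        found.append("misspelling:botton")
    return found

def is_phishing(raw_message):
    """Decide on domain evidence only; wording checks alone are too noisy to block on."""
    return any(i.startswith(("sender-domain:", "offsite-link:"))
               for i in phishing_indicators(raw_message))

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_phishing(sample), phishing_indicators(sample))
```

The wording checks (salutation, "click here", the misspelling) fire on both samples, which is exactly why the verdict rests only on where the sender and the links actually point; the text of a phish is easy to polish, the domains are not.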

 

By Graham Cluley @ nakedsecurity.sophos.com



Apple hires jailbreaking iPhone hacker Nicholas Allegra

August 27, 2011
Filed under Security News

Nicholas Allegra, better known as ‘comex’, the creator of the JailBreakMe website which made it child’s play for iPhone owners to jailbreak their devices, has been given an internship at Apple.

 

The 19-year-old from Chappaqua, New York posted the news of his new position on Twitter:

 

[Screenshot: comex's tweet announcing the position]

 

Allegra has given Apple plenty of headaches in the last couple of years, finding security vulnerabilities in Apple’s iPhone that allowed anyone to convert their smartphone into a device capable of running unapproved applications.

 

Normally jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad – but JailBreakMe made it significantly easier.

 

Just visiting the website with Safari would trigger a security vulnerability, allowing code to run which would jailbreak the iPhone or iPad.

 

[Screenshot: the JailBreakMe website]

Apple don’t like folks jailbreaking their iPhones, so it’s understandable that they would rather have the man behind the JailBreakMe website working for them rather than exposing their security weaknesses.

 

After all, whenever Allegra updated his JailBreakMe website to defeat Apple’s security, he handed a potentially dangerous blueprint to more malicious hackers who might want to plant far nastier code.

 

Each time Allegra has found a flaw in Apple’s software, the company has been forced to rush out a security patch.

 

So, what’s going to change now that Apple has made jailbreaking expert Nicholas Allegra an intern?

 

Well, I would imagine that they’ll be strongly encouraging him to share with them any details of security flaws he finds with their software rather than updating his drive-by jailbreaking website. That way they’ll be able to work on patching any vulnerabilities he discovers before they are made public.

 

I’m sure they’ll be particularly keen to prevent Allegra from publishing details on how to jailbreak the next incarnation of iOS, version 5.0, or the much-mooted iPhone 5.

 

From Apple’s point of view it’s a case of: If you can’t beat ‘em, hire ‘em.

 

By Graham Cluley @ nakedsecurity.sophos.com



‘May God always bless..’ Facebook virus hoax spreads

August 27, 2011
Filed under Security News

Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.

 

[Screenshot: the hoax warning as shared on Facebook]

 

Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)

 

The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.

 

Our friends at Facecrooks believe they have got to the bottom of the mystery.

 

They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.

 

[Screenshot: a wall posting made by the Bold Text application]

 

Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.

 

If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.

 

And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.

 

It’s not the first time, of course, that Facebook users have been misled about the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”.

 

Make sure that you stay informed about the latest genuine scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.

 

By Graham Cluley @ nakedsecurity.sophos.com

 


TDL4 – Top Bot

July 24, 2011
Filed under Security News

TDSS variants

 

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

 

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

 

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

 

[Figure: TDL-3 encrypted disk with SHIZ modules]

 

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

 

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

 

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

 

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

 

Yet another affiliate program

 

The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

 

[Figure: Affiliates spreading TDL]

 

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

 

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

 

The ‘indestructible’ botnet

 

Encrypted network connections

 

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

 

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

 

[Figure: Example of configuration file content]

 

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for this particular copy of the malware, which is provided by the command and control server the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

 

[Figure: Part of the code modified to work with the TDL-4 protocol]

 

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

 

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

 

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

 

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

 

[Figure: TDSS module code which searches the system registry for other malicious programs]

 

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

 

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

 

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

 

[Figure: TDSS downloads]

 

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

 

Botnet access to the Kad network

 

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

 

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands which ktzerules contains.

 

[Figure: Encrypted kad.dll updates found on the Kad network]

 

Below is a list of commands from an encrypted ktzerules file.

 

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and client IP addresses, including those infected with TDSS.

 

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P network, the clients of which are exclusively TDSS-infected computers.

 

[Figure: How the publicly accessible and closed Kad networks overlap]

 

Essentially, the TDSS botnet’s kad.dll module is more or less the same as cmd.dll in terms of control function. By distributing nodes.dat files containing a list of IP addresses of Kad clients, together with a ktzerules file that contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from it. The publicly accessible Kad network contains no more than 10 TDSS-infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control of the botnet. The total number of TDSS-infected computers on the closed network runs to tens of thousands.

 

[Figure: kad.dll code responsible for sending commands from the TDL-4 cybercriminals]

 

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to P2P users. This includes adult content files and stolen databases.

 

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

 

Extended functionality

 

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

 

The proxy server module

 

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

 

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

 

[Figure: Firefox add-on for anonymous Internet use via the TDSS botnet]

64-bit support

 

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

 

[Figure: List of botnet command and control center commands]

Working with search engines

 

The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

 

[Figure: List of search engines supported by TDSS]

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

 

Control server address | Server address at the beginning of February | Server address at the beginning of March | Percentage of mentions in C&C lists
---------------------- | ------------------------------------------- | ---------------------------------------- | -----------------------------------
01n02n4cx00.cc         | noip            | noip            | 0,05%
01n02n4cx00.com        | 91.212.226.5    | noip            | 0,43%
01n20n4cx00.com        | 91.212.226.5    | 91.193.194.9    | 0,21%
0imh17agcla.com        | 77.79.13.28     | 91.207.192.22   | 0,80%
10n02n4cx00.com        | 194.28.113.20   | 194.28.113.20   | 0,22%
1il1il1il.com          | 91.212.158.72   | 91.212.158.72   | 6,89%
1l1i16b0.com           | 91.193.194.11   | 91.193.194.11   | 0,43%
34jh7alm94.asia        | 205.209.148.232 | noip            | 0,03%
4gat16ag100.com        | noip            | noip            | 2,07%
4tag16ag100.com        | 178.17.164.129  | 91.216.122.250  | 6,69%
68b6b6b6.com           | noip            | noip            | 0,03%
69b69b6b96b.com        | 91.212.158.75   | noip            | 6,89%
7gaur15eb71.com        | 195.234.124.66  | 195.234.124.66  | 6,85%
7uagr15eb71.com        | noip            | noip            | 2,07%
86b6b6b6.com           | 193.27.232.75   | 193.27.232.75   | 0,14%
86b6b96b.com           | noip            | noip            | 0,24%
9669b6b96b.com         | 193.27.232.75   | 193.27.232.75   | 0,22%
cap01tchaa.com         | noip            | noip            | 2,19%
cap0itchaa.com         | noip            | noip            | 0,58%
countri1l.com          | 91.212.226.6    | 91.212.158.72   | 6,89%
dg6a51ja813.com        | 91.216.122.250  | 93.114.40.221   | 6,85%
gd6a15ja813.com        | 91.212.226.5    | 91.212.226.5    | 2,07%
i0m71gmak01.com        | noip            | noip            | 0,80%
ikaturi11.com          | 91.212.158.75   | noip            | 6,89%
jna0-0akq8x.com        | 77.79.13.28     | 77.79.13.28     | 0,80%
ka18i7gah10.com        | 93.114.40.221   | 93.114.40.221   | 6,85%
kai817hag10.com        | noip            | noip            | 2,07%
kangojim1.com          | noip            | noip            | 0,14%
kangojjm1.com          | noip            | noip            | 0,24%
kur1k0nona.com         | 68.168.212.21   | 68.168.212.21   | 2,19%
l04undreyk.com         | noip            | noip            | 0,58%
li1i16b0.com           | noip            | noip            | 0,05%
lj1i16b0.com           | noip            | noip            | 0,05%
lkaturi71.com          | noip            | noip            | 0,14%
lkaturl11.com          | 193.27.232.72   | 193.27.232.72   | 0,22%
lkaturl71.com          | 91.212.226.6    | 91.212.158.72   | 7,13%
lo4undreyk.com         | 68.168.212.18   | 93.114.40.221   | 2,19%
n16fa53.com            | 91.193.194.9    | noip            | 0,05%
neywrika.in            | noip            | noip            | 0,14%
nichtadden.in          | noip            | noip            | 0,02%
nl6fa53.com            | noip            | noip            | 0,03%
nyewrika.in            | noip            | noip            | 0,03%
rukkeianno.com         | noip            | noip            | 0,08%
rukkeianno.in          | noip            | noip            | 0,08%
rukkieanno.in          | noip            | noip            | 0,03%
sh01cilewk.com         | 91.212.158.75   | noip            | 2,19%
sho1cilewk.com         | noip            | noip            | 0,58%
u101mnay2k.com         | noip            | noip            | 2,19%
u101mnuy2k.com         | noip            | noip            | 0,58%
xx87lhfda88.com        | 91.193.194.8    | noip            | 0,21%
zna61udha01.com        | 195.234.124.66  | 195.234.124.66  | 6,85%
zna81udha01.com        | noip            | noip            | 2,07%
zz87ihfda88.com        | noip            | noip            | 0,43%
zz87jhfda88.com        | 205.209.148.232 | 205.209.148.233 | 0,05%
zz87lhfda88.com        | noip            | noip            | 0,22%

 

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.
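The churn the paragraph describes is easier to see when the list is processed rather than read. The script below is an added example, not part of the Securelist article: it takes a subset of rows transcribed from the command and control list above (domain, February address, March address, share of mentions; "noip" is the article's marker for a domain that did not resolve), classifies each domain as stable, moved, dropped or never resolved, and groups domains by shared address, which is what you expect to see when one proxy fronts several names.

```python
from collections import defaultdict

# Rows transcribed from the command and control list above. The full table
# has 55 rows; this subset was chosen to show each kind of change.
CC_ROWS = """\
01n02n4cx00.com 91.212.226.5 noip 0,43%
01n20n4cx00.com 91.212.226.5 91.193.194.9 0,21%
1il1il1il.com 91.212.158.72 91.212.158.72 6,89%
countri1l.com 91.212.226.6 91.212.158.72 6,89%
dg6a51ja813.com 91.216.122.250 93.114.40.221 6,85%
ka18i7gah10.com 93.114.40.221 93.114.40.221 6,85%
69b69b6b96b.com 91.212.158.75 noip 6,89%
4gat16ag100.com noip noip 2,07%
zz87jhfda88.com 205.209.148.232 205.209.148.233 0,05%
"""

def parse_rows(text):
    """Split the whitespace-separated transcript into dicts; the share keeps the article's comma decimal."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, feb, mar, share = line.split()
        rows.append({"domain": domain, "feb": feb, "mar": mar,
                     "share": float(share.rstrip("%").replace(",", "."))})
    return rows

def classify(rows):
    """Bucket each domain by what happened to its address between the two snapshots."""
    buckets = {"stable": [], "moved": [], "dropped": [], "appeared": [], "never_resolved": []}
    for r in rows:
        if r["feb"] == "noip" and r["mar"] == "noip":
            key = "never_resolved"
        elif r["mar"] == "noip":
            key = "dropped"        # phased out between the snapshots
        elif r["feb"] == "noip":
            key = "appeared"
        elif r["feb"] == r["mar"]:
            key = "stable"
        else:
            key = "moved"          # front-end address changed, backend presumably did not
        buckets[key].append(r["domain"])
    return buckets

def shared_addresses(rows):
    """Addresses that more than one domain pointed at in either snapshot.

    Several C&C domains resolving to a single address is the signature of a
    proxy sitting in front of one real server, as the article suggests.
    """
    by_ip = defaultdict(set)
    for r in rows:
        for ip in (r["feb"], r["mar"]):
            if ip != "noip":
                by_ip[ip].add(r["domain"])
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}

def share_of(rows, domains):
    """Combined share of C&C-list mentions held by the given domains, rounded to two places."""
    wanted = set(domains)
    return round(sum(r["share"] for r in rows if r["domain"] in wanted), 2)

if __name__ == "__main__":
    rows = parse_rows(CC_ROWS)
    buckets = classify(rows)
    for name, domains in buckets.items():
        print(f"{name:15s} {len(domains):2d}  {', '.join(domains)}")
    for ip, domains in shared_addresses(rows).items():
        print(f"{ip:16s} fronted by {', '.join(domains)}")
    print("share of mentions held by dropped domains:", share_of(rows, buckets["dropped"]))
```

On the subset, two domains dropped out of DNS between February and March while still accounting for over 7% of the mentions in the bots' C&C lists, and three addresses each front two different domains; running the same code over the full list is a quick way to decide which addresses are worth blocking at the perimeter and which are already dead.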

 

Command and control server statistics

 

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.

 

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

 

[Figure: Distribution of TDL-4 infected computers by country]

 

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

 

To be continued…

 

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running before the operating system starts, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.

 

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

 

Source:  Securelist.com



Symantec Loves VIPRE

July 14, 2011
Filed under Security News

Our good friends over at Symantec love VIPRE so much, they’ve decided to use the logo in their new marketing campaign!

 

[Image: the logo used in Symantec’s new marketing campaign]

 

We prefer our colors, of course (I like blue) but otherwise, not a bad copy of our logo.

 

[Image: the VIPRE antivirus logo]

 

Imitation is the sincerest form of flattery!

 

Alex Eckelberry -  GFI

 



The Web Security Strategy for Your Organization

July 6, 2011
Filed under Security News

In today’s business world, internet usage has become a necessity for doing business.  Unfortunately, a company’s use of the internet comes with considerable risk to its network and business information.

 

Web security threats include phishing attacks, malware, scareware, rootkits, keyloggers, viruses and spam.  While many attacks occur when information is downloaded from a website, others are now possible through drive-by attacks where simply visiting a website can infect a computer.  These attacks usually result in data and information leakage, loss in productivity, loss of network bandwidth and, depending on the circumstances, even liability issues for the company.  In addition to all this, cleanup from malware and other types of attacks on a company’s network are usually costly from both the dollar aspect as well as the time spent recovering from these web security threats.

 

Fortunately, there are steps a company can take to protect itself from these web security threats.  Some are more effective than others, but the following suggestions should help narrow down the choices.

 

 

 

Employee internet usage policy

The first and probably the least expensive solution would be to develop and implement an employee internet usage policy.  This policy should clearly define what an employee can and cannot do when using the internet.  It should also address personal usage of the internet on the business computer.  The policy should identify the type of websites that can be accessed by the employee for business purposes and what, if any, type of material can be downloaded from the internet.  Always make sure the information contained in the policy fits your unique business needs and environment.

 

 

Employee education

Train your employees to recognize web security threats and how to lower the risk of infection.  In today’s business environment, laptops, smartphones, iPads, and other similar devices are not only used for business purposes, but also for personal and home use.  When devices are used at home, the risk of an infection on that device is high and malware could easily be transferred to the business network. This is why employee education is so important.

 

 

Patch management

Good patch management practices should also be in place and implemented using a clearly-defined patch management policy.  Operating systems and applications, including browsers, should be updated regularly with the latest available security patches. The browser, whether a mobile version used on a smartphone or a full version used on a computer, is a primary vector for malware attacks and merits particular attention. Using the latest version of a browser is a must, as known vulnerabilities will have been addressed in it.

 

 

Internet monitoring software

Lastly, I would mention the use of internet monitoring software.  Internet monitoring software should be able to protect the network against malware, scareware, viruses, phishing attacks and other malicious software.  A robust internet monitoring software solution will help to enforce your company’s internet usage policy by blocking connections to unacceptable websites, by monitoring downloads, and by  monitoring encrypted web traffic going into and out of the network.

 

There is no single method that can guarantee 100% web security protection, however a well thought-out strategy is one huge step towards minimizing risk that the network could be targeted by the bad guys.

 

 

This guest post was provided by Sean McCreary on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI web security software.

 

All product and company names herein may be trademarks of their respective owners.



Free Apple iTunes Giftcard scam spreads on Facebook

July 5, 2011
Filed under Security News

Facebook users are being tricked into helping scammers earn money, in the mistaken belief that they will receive a free $25 Apple iTunes Giftcard.

 

We have seen a number of Facebook users posting messages like the following onto their walls:

[Screenshot: the scam message as posted on a Facebook wall]

Free $25 Apple iTunes Giftcard
[LINK]
Limited time left, get yours now!

 

Clicking on the link takes you to a webpage which urges you to “Share” the message with your Facebook friends before you can go any further.

 

[Screenshot: the page demanding that the message be shared first]

 

You should, of course, always treat such requests with suspicion – but that hasn’t stopped many people unwittingly helping the scammers to spread their links far and wide across Facebook.

 

[Screenshot: the link being shared across Facebook]

 

Perhaps you noticed that you still haven’t been given a free $25 Apple iTunes Giftcard at this point. Instead, the scammers would like you take a survey.

 

[Screenshot: the survey page, dressed up with Apple imagery]

 

Clearly they have no qualms about using Apple imagery to try to trick you into believing that the campaign is endorsed in some way by Apple itself.

 

This type of survey scam is all too familiar to regular readers of Naked Security. The scammers earn commission for every survey they trick people into completing – and your chances of ever receiving an iTunes Giftcard are close to zero.

 

[Screenshot: one of the surveys the scammers earn commission on]

 

But it’s too late for your Facebook friends, as you have already shared the link with them – and so the scam spreads across the social network as users pass it on to each other.

 

Of course, if you have fallen for the scam, it’s a good idea to remove all references to it from your Facebook page and warn your friends not to participate in it.

If you use Facebook and want to get an early warning about the latest attacks, you should join the Sophos Facebook page where we have a thriving community of over 100,000 people.

By Graham Cluley @ nakedsecurity.sophos.com


Facebook changes privacy settings for millions of users – facial recognition is enabled

June 9, 2011 by  
Filed under Security News


When Facebook revealed last year it was introducing facial recognition technology to help users tag their friends in photographs, they gave the functionality to North American users only.

Most of the rest of us found the option in our privacy settings was “not yet available”, which meant we could neither enable nor disable it. We simply had to wait until Facebook decided to roll it out to our account.

Well, now might be a good time to check your Facebook privacy settings as many Facebook users are reporting that the site has enabled the option in the last few days without giving users any notice.

There are billions of photographs on Facebook’s servers. As your Facebook friends upload their albums, Facebook will try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.

The tagging is still done by your friends, not by Facebook, but rather creepily Facebook is now pushing your friends to go ahead and tag you.

Remember, Facebook does not give you any right to pre-approve tags. Instead the onus is on you to untag yourself in any photo a friend has tagged you in. After the fact.

If this is something you’re uncomfortable with, disable “Suggest photos of me to friends” now.

Here’s how you do it.

* Go to your Facebook account’s privacy settings.

* Click on “Customise settings”.

* Under “Things others share” you should see an option titled “Suggest photos of me to friends. When photos look like me, suggest my name”.

* Unfortunately, at this point you can’t tell whether Facebook has enabled the setting or not; you have to dig deeper.

* Click on “Edit settings”.

* If Facebook has enabled auto-suggestion of photo tags, you will find the option says “Enabled”.

* Change it to “Disabled” if you don’t want Facebook to work that way.

* Press “OK”.

Earlier this year, Sophos wrote an open letter to Facebook. Amongst other things, we asked for “privacy by default” – meaning that there should be no more sharing of information without users’ express agreement (OPT-IN).

Unfortunately, once again, Facebook seems to be sharing personal information by default. Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission.

Most Facebook users still don’t know how to set their privacy options safely, finding the whole system confusing. It’s even harder though to keep control when Facebook changes the settings without your knowledge.

The onus should not be on Facebook users having to “opt-out” of the facial recognition feature, but instead on users having to “opt-in”.

Yet again, it feels like Facebook is eroding the online privacy of its users by stealth.

If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy you could do a lot worse than join the Sophos Facebook page where we regularly discuss these issues and best practice.

You should also take some time to read our step-by-step advice on how best to configure your Facebook privacy settings.

By Graham Cluley @ http://nakedsecurity.sophos.com/


Sony Europe hacked by Lebanese hacker… Again

June 4, 2011 by  
Filed under Security News


By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.

Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data ending up in the headlines, I recommend you actually test your web applications for SQL injection vulnerabilities.

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

You can also download our free technical paper Securing Websites.
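The two failings called out above (SQL injection and plain-text passwords) are easiest to recognise side by side. What follows is an added example written for this page; it is not Sony's code and not from Naked Security or codeproject.com. It uses an in-memory sqlite3 table as a stand-in for a web application's user store, with constructed sample accounts and made-up function names. One login lookup splices user input into the SQL text and compares plain-text passwords; the other binds the input as a parameter and checks a salted PBKDF2 hash. A small regression check of the kind a team can keep in its test suite is included, since the article's point is that these applications should actually be tested.

```python
"""Vulnerable versus hardened login lookup against the same sample table.

Added example for illustration only. The table, the accounts and every
function name here are constructed; nothing comes from the Sony breach.
"""

import hashlib
import hmac
import os
import sqlite3
from typing import Callable, Optional

# Constructed sample accounts (not real users).
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt_hex$hash_hex'.
    The plain-text password is never written to the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """In-memory table holding BOTH a plain-text column (used only by the
    vulnerable path, to mirror the article) and a hashed column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, p, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The anti-pattern: input is pasted into the SQL string and the password
    column is plain text. A quote in either field becomes part of the query,
    so the caller can rewrite the WHERE clause instead of supplying data."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the driver binds the username as a value, so the
    SQL text is fixed. The secret is checked against a salted hash, so a
    dumped table does not hand out reusable passwords."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def injection_regression_test(
    conn: sqlite3.Connection, login: Callable[[sqlite3.Connection, str, str], bool]
) -> bool:
    """A check to keep in CI: a username that only 'matches' if its quote is
    interpreted as SQL must neither log anyone in nor raise a database error."""
    tautology = "x' OR '1'='1' --"  # textbook probe; no account has this name
    try:
        return login(conn, tautology, "wrong-password") is False
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup passes probe:", injection_regression_test(db, login_vulnerable))
    print("hardened lookup passes probe:  ", injection_regression_test(db, login_hardened))
    print("hardened lookup, real creds:   ",
          login_hardened(db, "alice", "correct horse battery staple"))
```

Running it shows the vulnerable lookup failing the regression check (the probe string logs in without a valid password) while the hardened lookup treats the same string as an ordinary, non-existent username. The hashing side matters independently: had Sony Europe's table held salted hashes, the dump would not have yielded 120 working passwords.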


By Chester Wisniewski @ nakedsecurity.sophos.com


WARNING – Facebook Dislike button spreads fast, but is a fake – watch out!

May 16, 2011 by  
Filed under Security News


Don’t be too quick to click on links claiming to “Enable Dislike Button” on Facebook, as a fast-spreading scam has caused problems for social networking users this weekend.

Messages claiming to offer the opposite to a like button have been appearing on many Facebook users’ walls:

Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!

Like the “Preventing Spam / Verify my account” scam which went before it, the scammers have managed to waltz past Facebook‘s security to replace the standard “Share” option with a link labelled “Enable Dislike Button”.

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.

Clicking on the link, however, will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated JavaScript on your computer.

The potential for malice should be obvious.

As we’ve explained before, there is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.

Here’s another example that is spreading, attempting to trick you into pasting JavaScript into your browser’s address bar, before leading you to a survey scam:

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


By Graham Cluley @ nakedsecurity.sophos.com