SecurityProNews
Facebook Becomes A Favorite Target Of Phishers
Due to widespread concerns about its thoughts on users' privacy, Facebook has been under all sorts of fire lately, facing criticism from U.S. senators, European data protection authorities, and many tech experts. Now, yet another problem's cropped up, as Facebook's been called a top target of phishers.
The Securelist division of Kaspersky Labs issued a report yesterday, and the identities of the top three organizations that have been targeted by phishers may not come as a surprise to anyone; they're PayPal (with 52.2 percent of all attacks aimed at it), eBay (with 13.3 percent), and HSBC (with 7.8 percent).
The report, which covered the period between January and March of this year, next stated, though, "Facebook popped up unexpectedly in fourth place. This was the first time since we started monitoring that attacks on a social networking site have been so prolific."
By way of explanation, the report then continued, "Having stolen users' accounts, the fraudsters can then use them to distribute spam, sending bulk emails to the account owners and their friends in the network. This method of distributing spam allows huge audiences to be reached. Additionally, it lets the fraudsters take advantage of the social networking sites' additional options, like being able to send different requests, links to photos and invitations, all with the advertisement attached, both within the network and to users' inboxes."
Obviously, this isn't good news for Facebook's users or the security community as a whole. Facebook acts as a sort of point of entry to information about a whole lot of people (the social network had 400 million users in early February).
This isn't good news for Facebook, either, though - nothing that makes its users uncomfortable or unhappy, and therefore likely to leave, is - so perhaps we'll at least see the company make some attempt(s) to address this problem.
Anyway, if you're curious, the list of phishers' targets picked up after Facebook with Google, the IRS, Rapidshare, Bank of America, UBI, and Bradesco.
Categories: Security News Feed
Google Goes After Impersonator Scammers
As huge corporations go, Google's a pretty cuddly one, but according to the search giant itself, everyone should be careful about offers of employment or wealth that involve its name. "Google Money" scammers represent a growing problem that the company is trying to combat.
A post on the Official Google Blog announced today, "[D]espite hundreds of consumer complaints and our own efforts to keep these sites from tricking people, some scams continue. To fight back, we're working to stop various fraudulent 'Google Money' schemes, and this week filed suit against Pacific WebWorks and several other unnamed defendants."
The post then added, "[W]e're still working constantly to remove scammy URLs from our index, and we'll permanently disable AdWords accounts that provide a poor or harmful user experience, whether or not they use Google's trademarks illegally."
The problem continues to exist, though.
So fair warning: The scams are known to operate under names like the Earn Google Cash Kit, Google Adwork, Google ATM, Google Biz Kit, Google Cash, Google Fortune, Google Marketing Kit, Google Profits, Google StartUp Kit, Google Works, and the Home Business Kit for Google. From there, they tend to be fairly standard make-money-from-home affairs.
As always, stay sharp.
Senate Uncovers Online Credit Card Tricks
A report issued by a U.S. Senate committee only uses the word "scam" when quoting different consumers; the report's title employs the phrase "aggressive sales tactics," instead. Still, it looks like a number of big online companies have been caught profiting off people's confusion.
An investigation ordered by Senate Commerce Committee Chairman John D. Rockefeller IV discovered that Affinion, Vertrue, and Webloyalty "gain access to online consumers by entering into financial agreements with reputable online websites and retailers," according to the official report.
Then, "[T]he three companies insert their sales offers into the 'post-transaction' phase of an online purchase, after consumers have made a purchase but before they have completed the sale confirmation process. These offers generally promise cash back rewards and appear to be related to the transaction the consumer is in the process of completing. Misleading 'Yes' and 'Continue' buttons cause consumers to reasonably think they are completing the original transaction, rather than entering into a new, ongoing financial relationship with a membership club operated by Affinion, Vertrue, or Webloyalty."
So individuals wind up paying $9 a month, and companies make millions. Millions upon millions, really. 1-800-Flowers.com, Buy.com, Priceline, and US Airways (among many others) were all given more than $10 million by Affinion, Vertrue, and Webloyalty. Barnes & Noble, eHarmony, and Pizza Hut received between $1 million and $10 million.
It's a bit scary to see this sort of trickery employed by such mainstream organizations. Hopefully the committee's report will force them to clean up their act.
McAfee: Cyberwarfare A Big Threat
It might not be long before we return to the days of schoolchildren diving under their desks in warfare preparedness drills. Only now, instead of hiding from nukes, the kiddos may be unplugging their computers, since McAfee has indicated that a cyberarms race is taking place.
Dave DeWalt, the president and CEO of McAfee, said in a statement, "[S]everal nations around the world are actively engaged in cyberwar-like preparations and attacks." These include China, France, Israel, Russia, and the U.S., and it's no secret that the members of this group aren't all on great terms.
What's more, cyberwarfare's barrier to entry is so low in comparison to traditional hostilities (a roomful of computers vs. thousands of men, tanks, and airplanes) that lots of other countries are almost sure to pursue the idea.
Then, if and when the virtual bullets start flying, things could get really nasty. McAfee reported, "Attackers are not only building their cyberdefenses, but cyberoffenses, targeting infrastructure such as power grids, transportation, telecommunication, finance and water supplies, because damage can be done quickly and with little effort."
At least this state of affairs would create a good job market for security professionals. Everybody else might benefit in a physical manner from the dive-and-unplug exercises, too.
ICSA Labs Finds Flaws In New Security Products
It's sometimes fun to be an early adopter, as the long lines and waitlists for things like iPhones and the new Camaro have proven. But where security products are concerned, do yourself a favor and let other folks go first, since a fresh report indicates that it can take more than a single try to get things right.
ICSA Labs, which is based in Pennsylvania and has been around for 20 years, tests and sometimes certifies products. Emphasis on "sometimes."
An ICSA Labs Product Assurance Report indicated that just 4 percent of security products attain certification following a first round of testing. Most have to try again between one and three times before making the cut.
And it's not guaranteed that a product will ever meet the necessary standards, either. According to ICSA Labs, only about 82 percent of products attain certification in the end, meaning about one-fifth of all applicants (and perhaps a much larger percentage of products) aren't up to snuff.
So leave the shakedown cruises to less cautious individuals. Just repeat "patience is a virtue" a few times and read reviews while you're waiting, and remember that things will be less likely to blow up in your face when you finally get onboard.
Nigeria Announces Early Results Of Anti-Scammer Initiative
No one's sure how many there are to go, but according to a Nigerian official, there are about 800 scam email addresses and 18 criminals that can be considered "down." Mrs. Farida Waziri, the chairperson of a government agency, announced that some shutdowns and arrests occurred thanks to an initiative called Project Eagle Claw.
Nigeria's Economic and Financial Crimes Commission is the force behind Project Eagle Claw, and with Microsoft's help, has just started ramping it up. Waziri explained in a statement, "We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails."
She then gave some very interesting details, continuing, "[U]pon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly."
Anything Nigeria can do to address the problem of scammers operating from within its borders will of course be good for the country's image. More than that, it might help honest Nigerians become part of the online world (since some entities have just taken to blocking troubled regions as a whole).
Then there will be the benefit to the rest of the world, with maybe millions of dollars not getting lost. For that reason, Project Eagle Claw is likely to gain a lot of fans.
MessageLabs Names Most- (And Least-) Spammed States
When considering where to live, it's wise to look up stats about an area's climate, the cost of living, and its proximity to other important stuff in your life. Symantec's MessageLabs recently supplied some information about your odds of getting spammed, too.
Somewhat surprisingly, the states you might imagine as being the "most wired" - California, New York, Washington - weren't at the top of the list. Instead, the state in which spam represents the highest percentage of all emails received is Idaho, with 93.8 percent.
In an email to SecurityProNews, a Symantec/MessageLabs representative then listed the other top states (in order) as Kentucky, New Jersey, Alabama, Illinois, Indiana, Massachusetts, Pennsylvania, Arizona, and Maryland.
The U.S. territory of Puerto Rico wound up on the opposite end of the list, followed by Montana, Alaska, Kansas, South Dakota, Tennessee, Vermont, Rhode Island, Wisconsin, and Florida.
We're not quite sure what to make of these findings; the states don't appear to be ordered according to Internet penetration rates, GDP per capita, overall population, physical size, or anything else. Still, if you're looking to move, now you have a better idea of how to decrease the odds of getting bombarded with spam at your new home.
Enormous Malware Archive Creates Stir
A Dutch company known as the Frame4 Group has created what's almost the computing equivalent of a Center for Disease Control lab. The Malware Distribution Project is, according to its own site, the "world's biggest private malware archive."
Don't jump to the conclusion that the project's run by a bunch of supervillains; the malware samples are supposed to be "offered for the purposes of analysis, testing and malware research."
Also, customers are screened, and a monthly access fee of about $1,235 should act to keep out some of the riffraff.
It actually seems possible that the Malware Distribution Project could be of great help to the security community. When you consider that medical researchers don't have to wander from house to house, asking people if they have cancer, every time they want to start a new experiment, certain practices start to seem a little outdated.
There is a potential for problems, though. One nightmare scenario relates to the Malware Distribution Project's figurative walls failing and everything getting out. Having all of that malware run amuck at once - particularly if security researchers' computers were the first things it'd come across - would be bad.
Then there's the possibility that some unpleasant person would gain access to the Malware Distribution Project's archive and just sort of go on a shopping spree. This way, some relatively stupid hacker might be able to get his (or her) hands on the most sophisticated viruses in existence.
As you might imagine, the Malware Distribution Project is definitely proving divisive.
Anyway, at last count, the repository contained a whopping 3,336,503 files.
UPDATE (10-13-09): Anthony Aykut, the Managing Director of Frame4 Security Services, got in touch with SecurityProNews this morning to pass along some information. In an email, he wrote, "[T]he malware is neither downloadable via the web site nor accessible in any other way via the www; in fact, the (secure) servers where the malware is stored (or analyzed/processed) are not even connected to the outside world."
Aykut also stressed that nothing is sold to the public, and added, "Largely due to the security measure(s) mentioned above, and also based on the fact that the storage media are protected by biometric devices, getting access to the MD:Pro archive is, well, pretty impossible."
Avsim Hacker (Maybe) Brought Before Cops
Perhaps people who like to spend their spare time in the cockpits of imaginary F-16s should be left alone. The man in charge of a flight simulator site that was attacked claims to have identified the hacker and forwarded information to the authorities.
Avsim is one of the best-known flight sim communities in existence. It's been around for a long time, too. Unfortunately, a hacker managed to wipe about a decade's worth of modification info and forum posts from the site's servers back in May.
Now, though, Tom Allensworth, the publisher and CEO of Avsim, has told the BBC, "We . . . have incontrovertible evidence of the individual that performed the hack. We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case."
Allensworth is confident in the outcome, too, adding, "We fully expect that the criminal complaint . . . will result in the perpetrator spending some time behind bars - under UK law." (Since Avsim's located in the US, this means he's not pushing for extradition or anything of that sort.)
Neither London's Metropolitan Police Service nor the accused individual (who hasn't been publicly named) has made any comment yet.
Email Password Hackers Present Real Threat
The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.
Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."
Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.
Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.
And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.
So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.
Despite Recent Threats American Infrastructure is Still Vulnerable to Cyber Attack
When most people think of cyber crime and cyber terrorism, they think of credit card information being stolen, identities being compromised, and, most recently, massive DDoS attacks by organizations like Anonymous and LulzSec. What they don't tend to think of is the water coming from their faucet, the lights in their home and the gas heating their houses. Yet the ramifications of attacks on these basic utilities could far outweigh those of identity fraud. And these attacks are on the rise.
In 2010 the Homeland Security Department responded to only 116 requests for assistance from its Control System Security Program cyber experts. By September of 2011 there were 342. Not all of these attacks originate domestically, either. On Nov. 8 an IP address originating from Russia attacked an Illinois-based water utility company, managing to control a Supervisory Control And Data Acquisition system, resulting in a burnout of the associated pump. These types of real-world results of cyber attacks are not unknown. In 2007 hackers managed to attack a diesel generator, causing it to self-destruct.
At this time, companies in the sights of these types of attacks can prevent only between 67% and 76% of them. They could prevent more, but there's one thing holding them back: money. Right now these companies spend $5.3 billion on cybersecurity. To reach a 95% prevention rate they would have to increase that amount to more than $46 billion, an increase they say their customers won't approve.
With the very real and national threat posed by cybersecurity, some would like the government to step in and foot the bill for these improvements. Others may think that this is a private sector issue and the government need not intervene. However, Glenn Derene said it best in his October 2009 article, "The next world war might not start with a bang, but a blackout."
Pwn2Own Contest Puts Bounty on Browser Vulnerabilities
Dog the Bounty Hunter, known for his shirtless leather vest approach to dressing and his less than tactful approach to apprehending bail jumpers, may not be ready for the next round of bounties coming down the pike. This year, at CanSecWest in Vancouver, companies like HP and Google are offering rewards for hackers and research teams who can exploit zero-day vulnerabilities within the most common browsers.
This contest, known as Pwn2Own, has been an annual event at CanSecWest since 2007. Though in past years it has been criticized for randomly drawing participants and removing browsers once they had been exploited, this year the browsers will be fair game until the end, with points awarded to the participant for each successful attack. In addition, the prize money offered is substantially larger, paying out $60,000 for first place, $30,000 for second and $15,000 for third. Google will also offer strictly Chrome-based awards, paying $20,000 for a successful sandboxed exploitation and $10,000 for other unique attacks.
The goal of Pwn2Own, of course, is to find the vulnerabilities so they can be patched in the future. Though some may take issue with this methodology, it's common practice these days. As has been said far too many times in literary history, it takes a criminal to catch a criminal. This is simply the software version of hiring an ex-thief to expose the weaknesses in your home security system. And while I hope none of the participants come with Dog's cliche "catch them, then try to recuperate them in the backseat of his car" methodology, the increased prize money is sure to attract a plethora of hacker bounty hunters.
Categories: Security News Feed
AVG makes its first IPO of $125 million
AVG Technologies is the maker of one of the most successful pieces of anti-virus software in the world, and it is going public.
Founded in 1991 and based in the Netherlands, AVG not only offers its widely used free anti-virus software but also offers various premium software and services for those who require a bit more protection. Apparently in the 9 months of the last fiscal year, the company's revenue rose a full 24%, to $191 million. They also more than doubled their profits from the last year to 68.8 million dollars, which is amazing considering the fact that so much of their manpower goes into free software.
Big name companies such as JP Morgan, Goldman Sachs, Morgan Stanley, and even Intel have chosen to back the growing company. They will be trading under the ticker symbol AVG, so make sure you keep an eye out because this company is making big moves.
Categories: Security News Feed
Amazon gains new cloud security partner
Amazon Web Services has made the decision to team up with Check Point Software Technologies to offer their customers reliable security services.
Check Point announced the release of the Virtual Appliance for Amazon Web Services, which, according to Check Point, "enables customers to extend their security to the cloud with the full range of protections using Check Point Software Blades." Up until now, Amazon Web Services only provided very basic security measures for users of their services, but that's not the case anymore.
Any user of the EC2 cloud services can get the Virtual Appliance directly from Amazon and set it up. Check Point describes many of the individual blades as shown below:
"The Firewall and IPS Software Blades protect services in the public cloud from unauthorized access and attacks. The Application Control Software Blade helps prevent application layer denial of service attacks and protects your cloud services. The IPsec VPN Software Blade allows secure communication into cloud resources. The Mobile Access Software Blade allows mobile users to connect to the cloud with an SSL encrypted connection with two factor authentication and device pairing. The DLP Software Blade prevents data breaches with unique User Check technology to allow real-time user remediation."
Both companies want to attract a wide range of potential customers, especially small companies and startups that are building their infrastructure in the cloud. They seem to realize that most people see it as a very risky move to have sensitive data there, so this should be accessible for just about everyone. According to an article from SecurityWeek.com, the base price for these services is $2000, and that comes with the firewall and virtual gateway. Everything else is icing on the cake and will cost you more money on top of that, but hopefully not too much.
Categories: Security News Feed
HashDOS: Important Vulnerability Coming into the Spotlight.
A presentation at a German security conference has many people worried about a newly realized vulnerability that is present in most web frameworks.
According to a post from Sophos, "The type of hashing used by PHP, Java, Python and JavaScript in this attack is not a cryptographic hash, it is a simple mathematical hash used to speed up storing and retrieving data posted to web pages."
Under normal circumstances, the collisions in the hashes are managed by built-in language constructs and are not really an issue. However, in these types of attacks, the attacker can send pre-calculated values that will result in all of the hash values being the same, which will crash the majority of servers. In that same Sophos post, they stated that "An example given showed how submitting approximately two megabytes of values that all compute to the same hash causes the web server to do more than 40 billion string comparisons," which is a nearly inconceivable amount of work just to look up some data for a web page.
Apparently the keepers of the Perl language went ahead and did something about this vulnerability some time ago, but nobody else followed suit, so they are all at risk. Hopefully, the people behind PHP, Python, and other applicable languages will actually pay attention this time and go ahead and make the necessary changes.
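The cost described above can be measured on a toy hash table. This is an added example, not code from the Sophos post or from this article; the table, the multiplier-31 string hash, the constructed key names and the two mitigations shown (a hash keyed with a per-process secret, and a cap on parameters per request) are assumptions chosen for illustration.

```python
import hashlib
import itertools
import os


def unkeyed_hash(key):
    """Toy unkeyed polynomial string hash (multiplier 31), truncated to 32 bits."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def make_keyed_hash(secret):
    """Hash keyed with a per-process secret, so collisions cannot be precomputed."""
    def keyed(key):
        mac = hashlib.blake2b(key.encode(), key=secret, digest_size=8)
        return int.from_bytes(mac.digest(), "big")
    return keyed


class ChainedTable:
    """Minimal separate-chaining hash table that counts string comparisons."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1          # one string comparison per chain entry
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def longest_chain(self):
        return max(len(chain) for chain in self.buckets)


def colliding_keys(blocks):
    """Constructed sample input: "Aa" and "BB" hash alike under unkeyed_hash,
    so every concatenation of `blocks` such pairs collides (2**blocks keys)."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


def store_params(keys, hash_fn, max_params=None):
    """Store posted parameter names; optionally cap how many are accepted."""
    if max_params is not None and len(keys) > max_params:
        raise ValueError("request rejected: too many parameters")
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, "")
    return table


def measure():
    """Compare the cost of benign and colliding input under both hashes."""
    benign = ["field%d" % i for i in range(1024)]    # constructed benign names
    colliding = colliding_keys(10)                   # 1024 constructed names
    keyed = make_keyed_hash(os.urandom(16))
    results = {}
    for label, keys, fn in (("benign/unkeyed", benign, unkeyed_hash),
                            ("colliding/unkeyed", colliding, unkeyed_hash),
                            ("colliding/keyed", colliding, keyed)):
        table = store_params(keys, fn)
        results[label] = (table.comparisons, table.longest_chain())
    return results


if __name__ == "__main__":
    for label, (comparisons, longest) in measure().items():
        print(f"{label:18} comparisons={comparisons:7} longest chain={longest}")
```

With the unkeyed hash, n colliding names cost n(n-1)/2 comparisons because every insert walks one ever-growing chain; the same names under the keyed hash spread across buckets, and the parameter cap bounds the work even when the hash is weak.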
Categories: Security News Feed
Mobile Security Will (Probably) Always Be More Difficult
When it comes to security for mobile platforms, there is a very serious learning curve to getting it right and keeping it strong.
Every day that goes by, mobile devices are getting smaller, sleeker, and more powerful, and to some people out there, that just means they are new and vulnerable. This is a huge problem considering the rate at which people are acquiring smart phones for personal and business use, which also tend to hold sensitive data.
Large corporations are steadily gaining the power to do something about the situation, and most are taking advantage. Many products have come out lately that allow these corporations to monitor the mobile devices given to their employees for business use. Most also allow administrators to delete/block unwanted applications, block malicious incoming data, and disable the device completely. This is fantastic for new phones and ones that haven't been compromised yet, but what about the ones that aren't so lucky?
According to Lookout, a leading mobile security firm, mobile botnets are going to be one of the biggest problems for mobile platforms in the coming year. In fact, some of these have already been created, like the DroidDream scam that was removed from the marketplace not too long ago. One issue that I always like to bring up when talking about mobile security is the universal fragmentation of the world of Android, which is a huge part of the reason attacks like DroidDream can occur. The vast majority of the Android-enabled devices out in the market right now are 2-3 OS releases behind, which poses a huge security threat whether your phone is actively tracked by a company admin or not. There will always be third-party solutions for fighting off attacks, but the issue will not be resolved until Android (and in some ways, Apple) actually does something about it.
Categories: Security News Feed
Widespread Xbox Live phishing scams plague gamers
Users of the popular online gaming service have been getting phony emails from sites claiming to give away Microsoft points (the online currency for Xbox Live).
These emails are made to look very official, and many unwary consumers have been getting dragged into the scam. The emails redirect to sites where people are asked to enter sensitive information that can be used to purchase more points. Many users have reported checking their bank statements and finding many charges on their cards that they did not make. The transactions are generally very small, and the victims don't actually notice until it has already been going on for some time.
This is apparently not the first time something like this has happened with the service, as hackers have shown in the past that they have multiple methods of getting customer information. While it is clearly wrong on the part of the cyber-criminals to participate in these activities in the first place, it is also the victims' fault in this case. Unlike other, more direct methods of stealing customer information, such as directly from a database, this method requires the customer to give away their info. So, what that means is that any savvy user can avoid such situations by simply paying attention to what they are doing.
DO NOT GIVE YOUR INFORMATION AWAY TO STRANGE WEBSITES. This is something every company offering web services should remind their customers of, just to make sure that they are safe. As these customers have trusted the companies to protect their information, there should actually be a little effort on both sides. However, if you or anybody you know has already been affected by these scams, go here to the Xbox site to report the incident.
Categories: Security News Feed
Facebook Gets Hacked!
Recently Facebook, headed up by billionaire entrepreneur Mark Zuckerberg, was hacked and violent, pornographic photos were posted on millions of users' profiles.
Apparently, this attack did not actually compromise any user data, but at the same time, that does not mean it wasn't serious. With over 800 million active users, Facebook is responsible for protecting a lot of personal data. Currently, the company is blaming the attack on a flaw in certain browsers. Apparently, users were tricked by the hacker(s) into inserting malicious JavaScript code into their address bars, which granted the hacker(s) access to their profiles.
Obviously the people at Facebook aren't just sitting around not doing anything about this. According to a spokesperson for the company, "Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms," which is somewhat relieving. However, many are still surprised and upset that this happened in the first place.
What the public needs to understand is that Facebook is not the only major company out there that has been hacked recently. Sony, Valve, Google, Lockheed Martin, and others have all been victims of major attacks in the past few months. Facebook is trying its best to control the situation and is advising its members not to enter anything into their address bar that they don't know is safe.
Categories: Security News Feed
Online Game Service Steam gets Hacked!
Valve Corporation, maker of many popular game series such as Half-Life, Team Fortress and Portal, had its popular video game on-demand service hacked on November 6th. Apparently an outrageous 35 million users possibly had their personal information compromised in the attack, although it is not yet known whether it was all taken or not. According to the BBC, "The attackers used login details from the forum hack to access a database that held ID and credit card data" which could now be used for any number of purposes. Valve issued a statement letting users know the extent of the situation:
"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."
Adding this as well:
"We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
They alerted customers that they will have to change their forum passwords the next time they log in, and suggested that they change their Steam passwords (which are apparently separate) as well. This is not a great time for this to happen to Steam, as many high-profile titles, such as Modern Warfare 3 and The Elder Scrolls: Skyrim, have come out this week, and this may make users a bit more wary about using the service now and in the future.
Categories: Security News Feed
October is National Cybersecurity Awareness month
Since 2004, October has been deemed Cybersecurity Awareness month in an attempt to spread information about this increasingly important subject.
As time goes on and our livelihoods are more and more dependent on internet-related technology, it is necessary for the general public to understand some of the risks involved when using the internet. This has become even more important since the internet has moved beyond desktops and laptops to phones, tablets, game consoles, and sometimes even things like refrigerators. You have access to information from the workplace, you can control your finances, and even control the security of your home from these devices. The people behind NCSAM have come up with the slogan STOP. THINK. CONNECT., which they see as the steps you should take when using the internet to always make sure you stay secure. On the site they are described as such:
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
Categories: Security News Feed
