Shaun Nichols in San Francisco, V3.co.uk, Wednesday 3 November 2010 at 18:26:00

Microsoft is warning users to be on the lookout following the discovery of a
security flaw in its Internet Explorer browser.

The company said that the vulnerability exists in versions, 6 7 and 8 of the
browser, though the IE 9 beta releases are not subject to the flaw.

Microsoft blamed the condition on an invalid flag reference within the
browser. If targeted, an attacker could use a specially-crafted web page to
trigger an error and then have the ability to remotely execute code on a
targeted system.

Such remote code vulnerabilities are a favourite amongst malware writers for
infecting victims with trojan packages.

The company said that while targeted attacks on the flaw have been reported,
the threat to users at this time is believed to be extremely limited. Microsoft
did not say whether the flaw would be addressed with the 9 November monthly
security update or through an out-of-band patch at a different date.

Users wishing to protect their systems in the meantime can run the browser in
protected mode or use the IE 9 beta. Additionally, Microsoft is advising users
to be weary of untrusted sites or suspicious links.

David Neal, V3.co.uk, Tuesday 2 November 2010 at 11:36:00

Google has extended its bounty payouts to researchers who spot security
issues in some of its web applications, following a number of successes with its
Chromium rewards programme.

The company said that the initiative hopes to mirror the reports Google has
been receiving from external security researchers.

“We’ve seen a sustained increase in the number of high-quality reports from
researchers, and their combined efforts are contributing to a more secure
Chromium browser for millions of users,” said the Google Security Team in a
blog
post.

“Today, we are announcing an experimental new vulnerability reward programme
that applies to Google web properties.

“As well as enabling us to thank regular contributors in a new way, we hope
it will attract new researchers and the types of reports that help make our
users safer.”

Researchers are asked to provide information on security problems in Google
search pages, YouTube, Blogger and Orkut.

This means that some applications, most notably Android, Picasa and Google
Desktop, will not be included. Google said that it may expand the programme in
the future.

Google explained that it is difficult to provide a list of vulnerability
discoveries that will be rewarded, but that “any serious bug which directly
affects the confidentiality or integrity of user data” will meet its criteria.

“We anticipate that most rewards will be in bug categories such as XSS,
XSRF/CSRF, XSSI, bypassing authorisation controls (e.g. User A can access User
B’s private data) and server-side code execution or command injection,” the firm
said.

However, Google has a definite list of vulnerability discoveries that will
not be rewarded, including attacks against its own infrastructure, social
engineering and physical attacks, denial-of-service, SEO black hat techniques or
bugs in technology the company has only recently acquired.

Google also warned researchers against testing on accounts that were not
their own or had been set up specifically for testing.

Rewards start at $500 (£310) but can go as high as $3,133 (£1,960).
Benevolent researchers can anonymously donate to charity, and Google will match
any such donations.

Phil Muncaster, V3.co.uk, Saturday 30 October 2010 at 12:01:00

This week in security has been a fairly quiet one. Adobe’s latest revelation
of a zero-day flaw in Reader, Acrobat and Flash was probably the pick of the
stories, while a TechNet conference hosted by the Armed Forces Communications
and Electronics Association also provided some outspoken views on cyber crime.

First to Adobe, though, and its
zero-day
problems. The firm has not yet released a patch, but has issued a workaround
for IT administrators to ward off intruders.

Danish security analysts Secunia rated the flaw as ‘extremely critical’ as it
could cause a crash and potentially allow an attacker to take control of the
affected system

Elsewhere it emerged that the
notorious
Koobface social networking malware is now targeting Mac OS X systems.
Security firms reported that variants of the malware have been targeting Mac
users on social networking sites such as Facebook, Twitter and MySpace.

There was more gloomy news earlier in the week as spam monitoring firm Spam
Ratings found that one in 10 UK web firms is
sending
unsolicited email to customers, contributing to a spam landscape that is
spiralling out of control.

The firm’s 12-month study of 10,000 web sites and 150,000 emails found that
spam has increased dramatically, and that the main source of the messages is web
sites.

However, better news came from Russia, as police were reported to have
filed
a criminal case against a man accused of being one of the world’s most
prolific spammers.

Igor Gusev and his company Despmedia are accused of running a huge
pharmaceutical spam operation that police estimate generated $120m (£75m) in
three and a half years, primarily by selling counterfeit pharmaceuticals such as
Viagra

Elsewhere, the Internet Crime Complaint Center
issued
two fraud alerts warning of attacks targeting enterprises and individual
users.

The attacks range from malware-laden emails and phishing attempts, to social
engineering scams that attempt to trick people into handing over account
information.

Finally, there was some tough talking to come out of the TechNet conference
in London this week. First a senior director from the US Department of Energy US
said the country is
bracing
for an attack on its national energy grid computing systems involving
Stuxnet-like malware.

Then the former CIO for the FBI, Zalmai Azmi, argued during a keynote speech
that
current
laws are outdated and ill-designed for the digital age, and actively prevent
law enforcers effectively fighting cyber crime.

Azmi also warned the crowd of military technologists that the current cyber
security workforce is woefully undermanned to deal with the scale and level of
modern threats, and that greater co-operation between the intelligence community
and the private sector is necessary.

Phil Muncaster, V3.co.uk, Thursday 28 October 2010 at 16:39:00

The US is bracing for an attack on its national energy grid computing systems
involving Stuxnet-like malware, according to a senior director from the
Department of Energy.

Patrick Ciganer, director of the department’s Transparency Initiative, told
attendees at a conference organised by the Armed Forces Communications and
Electronics Association that “it is going to happen”.

“We have to avoid the obvious scenarios and mitigate the consequences when an
event happens,” he said.

Ciganer explained that the department has already taken preventative steps,
such as ensuring a high level of redundancy in the network and a
defence-in-depth approach to cyber security.

Stuxnet was branded “probably the most important malware in the last 10 years
” by F-Secure chief research officer Mikko Hyppönen at the event.

The malicious code
exploited
four zero-day vulnerabilities in its mission to disrupt industrial
supervisory control and data acquisition systems, and is likely to have been
crafted by a state-backed group.

However, Ciganer warned that Stuxnet is not the only threat facing critical
national infrastructures such as the US energy grid, and that the utility
industry’s move towards smart grids could pose new security threats globally.

“We had a simple point-to-point system with a clearly defined set up of
controls, but as [the system] gets smarter with localised intelligence the risk
will increase,” he said.

“With multi-layered interconnectivity you are opening the door to a broader
set of vulnerabilities.”

Phil Muncaster, V3.co.uk, Wednesday 27 October 2010 at 13:54:00

Browser manufacturer Mozilla is working on a fix for yet another critical
zero-day vulnerability in its Firefox software, which is being used by cyber
criminals to install Trojans on victims’ PCs.

Norwegian security vendor Norman ASA was the first to discover the flaw in
Firefox 3.5 and 3.6, the latest version, after identifying new malware infecting
the
Nobel
Prize site early on Tuesday.

If users of these versions of Firefox visited the site while the attack was
active, the Trojan would have covertly installed itself on their PC, Norman ASA
explained.

The malware would then attempt to connect to two internet addresses which
point to a server in Taiwan. If the connection was successful, the perpetrator
would gain access to the infected PC.

In an update on the
Mozilla
security blog, the browser maker said that the Nobel site is now being
blocked by Firefox’s built-in malware protection.

“However, the exploit code could still be live on other web sites,” the firm
said. “We have diagnosed the issue and are currently developing a fix which will
be pushed out to Firefox users as soon as the fix has been properly tested.”

Mozilla advised users in the meantime to disable JavaScript in Firefox or use
the NoScript add-on.

There are no other reported attempts to exploit this flaw at present.

Only last week,
Mozilla
updated Firefox to fix nine security flaws, including five remote code
execution vulnerabilities which, if exploited, could allow attackers to remotely
install malware on a targeted system.

Phil Muncaster, V3.co.uk, Sunday 24 October 2010 at 15:15:00

This week was dominated by the government’s spending plans, and the IT
security sphere was no different. First up on our round-up list is yet another
high level acknowledgement of the threat to the UK of cyber attack.

This time it was UK home secretary Theresa May who confirmed that the
government is aware of the
threat
of sophisticated terror attacks designed to take out the country’s national
infrastructure

Then the following day, prime minister David Cameron
pledged
a further £500m to help the UK defend against the growing threat of cyber
attacks.

Cameron argued that the rise in “unconventional threats” had made an increase
in spending on cyber defences necessary.

Also this week, Panda Security
launched
an anti-virus product designed to protect popular Apple products including
the iPhone and iPad.

The Spanish security firm said that Panda Antivirus for Mac can counter the
increasing threats targeted at Apple products.

Mozilla and Google, meanwhile,
released
updates designed to shore up their respective browsers.

The Firefox update includes fixes for nine security flaws, including five
remote code execution vulnerabilities. If exploited, such flaws can allow
attackers to remotely install malware on a targeted system without user
notification.

The Chrome update, meanwhile, patches 10 flaws in multiple versions of the
browser, including two unique to the Linux version.

There was bad news for Apple, though, after a
security
flaw was uncovered in its FaceTime for Mac video chat tool just one day
after its introduction.

The application reportedly fails properly to conceal account information
relating to the Apple ID service, putting users at risk of account theft in
certain situations.

And finally, security vendor Stonesoft claimed this week to have discovered a
dangerous
new category of threat which could render network security tools useless.

So-called ‘advanced evasion techniques’ use different methods in virtually
limitless combinations to avoid detection by 99 per cent of current products on
the market, according to the vendor.

The firm argued that a “clear rethink” is needed in the network security
industry to combat such threats.

Wendy M Grossman, V3.co.uk, Wednesday 20 October 2010 at 12:52:00

Stephen Howes, chief executive and co-founder of
GrIDsure,
has a not-so-modest ambition: to reinvent passwords to make them more secure and
less onerous. He has the technology; what’s needed is real-world adoption.

“People are forgetting the end user,” he said. “Being forced into using
complex passwords doesn’t fit with the natural way of thinking.”

Howes began as a software engineer, graduating from what’s now Oxford Brookes
University in the early 1980s when programming was all mainframes and Cobol.

“You didn’t go immediately to a keyboard and start typing. You had to plan
things out properly and do things on coding sheets and really think about the
problem you were trying to solve,” he said.

“Someone typed your code in for you, and a couple of days later you’d go in
and run it for the first time and see how many errors there were.”

After a brief stint in the pharmaceutical industry, Howes took a “leap of
faith” and went to work for a company that the local recruitment agency told him
was doing things with “this thing called the internet” that might never amount
to anything.

The company was Pipex, and Howes became employee number 20. He stayed there
while it was bought by UUnet and then WorldCom, whose stock options he still has
on paper.

Again, problem solving was a key element. “It was quite recognised within
UUnet that if there were nutty problems to be solved, give them to the guys in
Europe,” Howes said.

Americans would want to give up and move on after a couple of days. “In
Europe we would keep cracking at it until we found a solution,” he explained.

It was, Howes said, an exciting time working with internet visionaries, and
he stayed “until WorldCom came and screwed it up”.

In 2002 he started up an IT consultancy. “I was doing a piece of work for a
guy named Jonathan Craymer [GrIDsure's co-founder], who was working on a
mechanism for being able to remember PINs,” he said.

“Somebody asked him how they could generate one-time PINs or passwords
without having to carry any hardware. So he sat in my kitchen one day and
scribbled on lots of pieces of paper and a few hours later came up with the
GrIDsure concept.”

The technology is deceptively simple: instead of a traditional password entry
box, it offers a square grid made up of smaller squares. Choosing a password is
a matter of picking a pattern.

Thereafter, whenever you need to log in you are shown the same grid with
random numbers in each square; you enter the numbers that correspond to your
pattern.

For many people, remembering a pattern is easier than remembering a complex
sequence of numbers and letters. Meanwhile, an interloper trying to steal the
password is stymied because the numbers in the grid are different every time.

The difficulty with trying to reinvent something as basic as passwords,
however, is getting people to buy in; it’s easier to stick with known methods.
Therefore, the tough problems for GrIDsure to solve are out in the world.

“The hardest is not with GrIDsure per se, but in getting the
established security community to think out of the established box. And also
that people naturally try to find complicated answers to problems,” said Howes.

Instead of looking for the nirvana of security, it would be wiser to accept
that hackers are attacking the problem in “incremental steps”, according to
Howes.

“The approach to hacking should be met by security people who take an
incremental approach to security. You only have to stay one step ahead of the
bad guys to be successful. You don’t have to be 100 steps ahead,” he said.

Howes is regularly asked how he came up with the password idea. “When you’re
trying to solve a problem you have to think a bit differently with an open mind,
” he said.

A lot of that open mind goes back to his personal background. “I’m one of
those people who don’t like being told what to do or think. I hated every day of
school,” he explained. In the military, he said, he’d have been locked up for
questioning orders.

“It would be lovely to resurrect another UUnet,” he said, adding that the
kind of innovative thinking that went on among the group of internet visionaries
assembled there was overtaken by business considerations after the dot-com
bubble burst, and hasn’t really resumed.

“It would be good to get people in a room to blue-sky some things that could
or should be done. There’s a lot more opportunity there,” he said.

“Some of the protocols we use on the internet are 40 to 50 years old. It
needs people to come in and have a rethink about some of these things and
develop new protocols to make it more secure.”

Rosalie Marshall, V3.co.uk, Tuesday 19 October 2010 at 15:27:00

Security experts have warned that the UK needs to act fast in implementing
proper defences against cyber attacks.

The possibility of a attack that could cause serious distress to the UK
government and industry is increasingly likely, according to GCHQ director Iain
Lobban.

The
threat
profile was raised last week at the RSA Conference Europe, when Lobban
advised national security agencies to work with internet service providers to
mitigate a potential attack. Lobban suggested that ISPs provide a direct feed of
information to GCHQ to make the government intelligence agency aware of attacks
as soon as they happen.

The strategy would require a different sort of partnership between national
security agencies and key industry players, he said, with systems being more
interconnected.

Also at the RSA Conference, former White House advisor Richard Clarke urged
the European Union to work with the US to
clamp
down on nation states that allow hackers to carry out attacks from within
their borders.

Clarke suggested that an international organisation could filter the internet
traffic in the troublesome states.

The House of Lords, meanwhile, has committed to staying up to date with the
latest
cyber security issues.

The Lords discussed the need for greater collaboration between the private
sector and government, and echoed the sentiments of the EU, which wants to work
more closely with Nato to share intelligence and defend member states against
cyber attacks.

As the topic became a focus point in the news last week, security experts
have come forward with views on how the UK can best protect itself from attack.

Robert Roy, chief technology officer at Fortify Software, argued that
Clarke’s proposed method of monitoring internet traffic is a reactive measure
which has cost and privacy implications.

“Monitoring traffic certainly has its sensitivities. The US government has
already taken to doing something along these lines with Einstein, the intrusion
detection system that monitors traffic going to government sites,” he said.

“It is now considering using a similar system to protect critical
infrastructure.”

However, Roy warned that private industry is unlikely to spend money
monitoring traffic unless they are legally obliged to do so, and ISPs will not
want to be seen as blocking individuals’ access to the internet.

Roy suggested that a government’s first priority in protecting against cyber
attacks should be strengthening the software it uses.

“The overall issue is that our systems are weak in terms of their ability to
detect threatening attacks,” he said.

“We can be reactive, and monitor attacks and try to intercept them, but the
alternative is to look at what the threats are going after, and to look at the
software and assets.

“Internet criminals want to break into the software, so we need to strengthen
it. We also need financial incentives in place to encourage nations to protect
their infrastructures.

“And the government needs to educate the public on the dangers of clicking on
links they are not familiar with. Visiting web sites with malware on them is one
of the most serious threats at the moment.”

Graham Titterington, principal analyst at Ovum, pointed out that the UK also
needs to strengthen plans for dealing with the aftermath of a cyber attack on
critical national infrastructure.

“This should include a full study of the network interconnections surrounding
supervisory control and data acquisition systems, full application testing
relating to security for these systems, and a review of alternative ways in
which these could be connected, if they have to be connected at all,” he said.

Greg Day, European director of security strategy at McAfee, suggested that
testing government systems and training staff will help the country to combat a
cyber attack.

Day commended the government for its advances this year, including the Cyber
Security Operations Centre and the Office of Computer Security, as well as the
launch of the Cyber Security Challenge aimed at finding the UK’s future cyber
security experts.

“Governments need to understand the potential scale and scope of enemy
attacks in order to put the right defences in place. In the past this has been a
little static, but lessons have been learnt,” Day said.

“The government has talked of a step-change in the approach to national
threats with a major increase in resources to combating internet threats.

“Positive steps are being made, and countries just need to make sure they are
dynamic enough to keep pace with the changing threat landscape.”

Kevin Franks, chief executive at Lieberman Software, agreed that countries
must collect ongoing intelligence about the threat landscape, saying that the UK
needs to establish cyber security laws with teeth rather than relying on annual
IT audits to mitigate vulnerabilities.

“We need continuous compliance, continuous auditing and a new strategy
towards the idea of making cyber defence a daily activity,” said Franks.

Calum Macleod, European director at Venafi, said that his 25 years in the
encryption industry had taught him that automation is key to keeping a close
watch on procedures and security best practices.

Organisations should use comprehensive tools to monitor the status of IT
systems, according to Macleod, as well as the workflow and audit results.

Bradley Anstis, technical strategy vice president at M86 Security, argued
that organisations need to make staff and partners aware of the right people to
notify when they find compromised data, and that the security industry should
share knowledge on new attack methods as much as possible.

The dynamic nature of today’s cyber threats mean that organisations need to
use proactive malware detection technologies and not rely solely on software
patches.

“These proactive technologies are able to detect completely new and emerging
attacks by concentrating on what the attack is trying to do, rather than trying
to identify the attack,” said Anstis.

Phil Muncaster, V3.co.uk, Tuesday 19 October 2010 at 10:52:00

Online authentication firm VeriSign has launched three cloud-based services
designed to help online retailers reduce downtime, improve performance and
availability, and mitigate the risk of DDoS attacks and other threats.

Released in time for the busy Christmas shopping period, which can generate
over a third of annual sales for some retailers, the
eHoliday
Uptime bundle combines a DNS Availability, Network Availability and
Application Availability service.

DNS Availability features VeriSign’s managed DNS service to ensure web site
availability and reduce costs associated with maintaining DNS infrastructure,
according to the firm.

The Network Availability component uses VeriSign’s Internet Defense Network
to provide customers with a scalable DDoS monitoring and mitigation service.

Finally on offer is a real-time threat intelligence service from VeriSign’s
iDefense managed security services arm, designed to provide online retailers
with the information they need to block threats from malware and application
vulnerabilities.

“The DNS failures and DDoS outages experienced by many companies last year
emphasises the high cost of downtime during the holidays,” said Ben Petro,
senior vice president of VeriSign’s Network Intelligence and Availability
business.

“We want every company that depends on their web site for sales to have
access to best-of-breed offerings that defend against the primary threats to
availability.”

Ted Julian, principal analyst at Yankee Group, said that to be forced offline
in the festive season could lead to losses of millions of dollars for the top
online retailers.

“Ensuring availability should be a primary objective for retailers and online
businesses at all times,” he added.

The launch of the eHoliday Uptime bundle coincides with this week’s
E
Commerce Expo taking place at London’s Olympia. V3.co.uk will be
covering all the news from the show and we have a dedicated
e-commerce
blog for our event coverage.

Phil Muncaster, V3.co.uk, Monday 18 October 2010 at 14:30:00

Security vendor Stonesoft claims to have discovered a dangerous new category
of threat which could render network security tools useless.

So-called advanced evasion techniques (AETs) use different methods in
virtually limitless combinations to avoid detection by 99 per cent of current
products on the market, according to the vendor.

AETs can be coupled to an exploit to effectively make that exploit invisible,
allowing hackers as much time as they like to test and refine exploits on a
target system until they are successful, according to Stonesoft chief executive
Ilkka Hiidenheimo.

The use of AETs at a network level could lead to serious data breaches
involving the loss of corporate information from mission-critical applications,
Stonesoft warned.

“Even our product doesn’t offer full protection because we’re finding new
holes and combinations of evasions all the time,” said Hiidenheimo.

“A very clear rethink is needed in network security. All security
functionality must be software-based, automated and updatable, because when
something is found in the wild you need to make changes very quickly.”

Stonesoft has informed CERT-FI in Finland for vulnerability co-ordination
purposes, and has had its research validated by third-party testing organisation
ICSA Labs.

The company has shared its intelligence with the industry in an attempt to
help in the race to find an effective solution.

“The issues identified by Stonesoft affect a range of content inspection
technologies,” said Jussi Eronen, head of vulnerability co-ordination at
CERT-FI.

“Continuous co-operation among CERT-FI, Stonesoft and other network security
vendors is essential for remediating the identified vulnerabilities.”

Phil Muncaster, V3.co.uk, Saturday 16 October 2010 at 08:30:00

This week in security was dominated by some stark warnings from security
experts about the cyber security readiness of governments including the UK’s,
and the likelihood of imminent attacks.

The director of GCHQ, Iain Lobban, warned during a speech at the
International Institute for Strategic Studies that the UK is facing the very
real threat of a
cyber
terrorist attack on its critical infrastructure.

Meanwhile, at the RSA Conference Europe event in London, former White House
advisor Richard Clarke
called
on the UK, US and European Union to crack down on “cyber sanctuaries”,
nation states which allow hackers to carry out attacks from within their borders
as long as they are directed outside the country.

Also at the show, former US secretary of homeland security Michael Chertoff
argued
that a clear doctrine is needed from individual countries and through
international treaties to determine how to deal with cyber fraud, espionage or
outright attacks on systems.

The House of Lords held a
two-hour
debate on how the UK can best protect itself against cyber attacks, raising
a number of concerns about the UK’s cyber security defence strategy, and warning
that greater knowledge of the sphere and more clear-cut lines of responsibility
are needed.

There was some good news, though, after the government announced plans to
step
up investment in its national cyber security strategy with a major round of
new funding in an effort to bolster the protection of critical national
infrastructures, according to reports.

Elsewhere, Adobe’s head of product security, Brad Arkin, revealed that the
next
version of Reader will be out before the end of the year, offering new
security features designed to defend against recent attacks on the software.

And BT’s outspoken chief security technology officer, Bruce Schneier,
accused
the chief executives of big name tech companies such as Google and Facebook
of “deliberately killing privacy” in their quest to boost profits.

Schneier branded Facebook the “worst offender”, alleging that the site
deliberately eroded privacy in order to successfully pursue its business model.

Finally, it was security giant McAfee’s annual Focus event in Las Vegas this
week, the first since its acquisition by Intel.

Chief executive Dave DeWalt
outlined
an initiative for what the company calls ‘McAfee 3.0′, designed to match
McAfee’s security platforms with hardware from Intel to provide deeper levels of
security.

The firm also announced updates to its
ePolicy
Orchestrator and
Endpoint
Security platforms.

Iain Thomson and Shaun Nichols in San Francisco, V3.co.uk, Saturday 16 October 2010 at 06:57:00

Shaun started the week at McAfee’s Focus 2010 conference, and we had security
on our minds, so thought we’d cover some of the myths in the industry.

You won’t find conspiracy theory rubbish about anti-virus firms releasing
their own malware, or how the government has a secret backdoor to every computer
running Windows. Instead it’s a look at some of the more serious security
misconceptions that lead users to fall prey to infection.

It’s an increasingly dangerous world online, and hopefully some of these tips
can save an awful lot of time and heartache.

Honourable
mention: Government agencies do business via unsolicited e-mail


Shaun Nichols: This one seems a bit far-fetched, but it
resurfaces every year. Email messages claiming to be from the IRS, HM Revenue
& Customs and other agencies tell recipients that they must fill out some
sort of form which is conveniently attached. The form, of course, is laden with
malware and the user is immediately infected.

These sort of attacks should never happen for a very simple reason: the
government does not process taxes and other important forms via email.

If you get an unsolicited email claiming to be from your country’s tax
agency, don’t open it. If you think there is a legitimate issue, visit the
agency’s web site or, better yet, call them directly.

Iain Thomson: It’s not just governments that shun the use of email
for official business, but almost all banks and a host of other companies as
well.

Phishers would face much leaner times if people understood this one better. I
think part of the problem is the bright spark who called it ‘email’ in the first
place.

Traditional mail is a tangible object but far too many treat email as just as
trustworthy when it’s quite patently not. All you’ve got to go on is an email
address that may or may not be spoofed.

There’s a reason why law offices, banks and administration offices have huge
numbers of filing cabinets. If it’s important, you put it on paper.

Honourable
mention: Porn malware indicates unsavoury habits


Iain Thomson: Before you ask, no this isn’t from personal experience,
but I’ve been to more than a few meetings where the PowerPoint presentation has
suddenly been obscured by a salacious pop-up.

There’s the usual ribald remarks about the internet habits of the laptop’s
owner, but it’s not so long ago that people got fired on the suspicion of using
work hardware for unsavoury purposes.

There’s still the prevailing view that you only get that kind of malware from
porn sites, but in fact any malware can carry a pop-up package and the porn
industry seems more willing than most to use this annoying form of advertising.

That said, as an IT manager, if this occurs, it’s worth running a quick check
on the staff member’s viewing habits, just to be on the safe side. A sharp email
can usually sort out any unsavoury habits, at least on company property.

Shaun Nichols: The textbook study on this is the case of Jule Amero.
The Connecticut school teacher was charged with displaying pornography to minors
when her computer began displaying pop-up windows during a class.

A team of security experts following the case have long maintained that Amero
had no intention of exposing the students to pornography, but was the victim of
a malware infection obtained from a site that was otherwise safe for all ages.

While Amero was eventually let off with a $100 fine, she had her teaching
credentials revoked and was subjected to a legal battle that lasted four years.

Today, many point to the case in arguing that the legal system and the public
in general are woefully ignorant about the nature of malware and computer
security.

10.
Microsoft updates offer full protection


Shaun Nichols: This one covers a couple of areas. There’s the
worry of unpatched or ‘zero-day’ vulnerabilities, yes, but there’s also the risk
of third-party application flaws.

It used to seem like flaws in Microsoft Windows or Office were the only thing
that attackers ever targeted. These days, however, plenty of other components
are being exploited.

Users who only install the monthly patch from Microsoft these days will
sooner or later find their systems loaded with all sorts of unpleasant wares.

If you don’t have fully-patched versions of Internet Explorer, Acrobat
Reader, Java and Flash, you are just asking for a malware infection.

Iain Thomson: There’s the rub, Shaun. Analysts are now calling Adobe
the new Microsoft when it comes to patches.

Microsoft has made great strides and its patching system is one of the best
in the business. Its developers have also become a lot more security aware,
although they’re still playing catch-up.

Adobe is unfortunately a victim of its own success. When you build software
that’s so ubiquitous it’s going to come under attack, and Adobe is the de facto
standard in a couple of areas. The firm isn’t alone either; pretty much every
successful software company is now being targeted.

There are some useful free tools from Secunia and others which now scan and
patch your entire system automatically. It’s a good idea to run regular scans
and fix any vulnerabilities before someone uses them.

9.
Short passwords are secure


Iain Thomson: These days if you’re not using an eight- or
nine-digit password for important accounts you’re really not secure.

Carrying out brute-force password attacks has never been easier thanks to the
ever increasing power packed into processors. At a very basic level, checking
every conceivable letter or symbol to break a password is an inelegant attack,
but one that’s becoming increasingly viable.

According to the most recent data, a six-digit password can be cracked in
minutes if it’s all lower case letters. The time goes up to a day or so if it
incorporates upper case letters, numbers and symbols, but it’s still an easy
job.

If you take a strong password of 14 characters, however, that time shoots up
to hundreds of years. Every extra character you add to a password increases the
number of possible combinations tenfold, and on long passwords that adds up.

Remembering long passwords need not be difficult with the right technique.
Pick a song lyric or a favourite phrase and turn it into a password. For
example, the opening line of George Orwell’s Ninteen Eighty-Four is:
‘It was a bright cold day in April, and the clocks were striking thirteen.’ That
can become 1w@bcdiA&tcws13. And don’t bother, it’s not one of my passwords.

Shaun Nichols: Social engineering, or tricking someone into giving
you their password, is a much more elegant and efficient means of compromising
an account, but the old brute-force method of guessing thousands of different
passwords works too.

In general, password security goes like this: short words are terrible, words
in the dictionary are bad, letter and number combinations are better and
complete gobbledygook is best.

Just don’t do something dumb like keep a piece of paper with all of your
passwords under your keyboard or in the top drawer of your desk. That one has
been foiling security protocols since 1983, if Wargames is to be
believed.

8.
If I don’t get pop-ups/crashes I don’t have an infection


Shaun Nichols: One common misconception about malware is that
it operates where you can see it. Many people think that, unless their systems
are spitting out obscene pop-up windows and randomly turning off and on, there’s
no reason to worry.

These days, however, stealth is the name of the game in malware. Tools such
as key-loggers and botnet controllers are designed to run as quietly as
possible, operating on levels that people can’t detect.

Occasionally a poorly written piece of malware will cause a conflict with
another component and crash a system, but for the most part you won’t know
you’re infected until you run a security scan or get your credit card bill.
Obviously the former is highly preferable to the latter.

Iain Thomson: At the risk of sounding like an old fart, I miss the
good old days when hackers were in it for the giggles and notoriety.

In those days you knew you’d been hit by malware. Either your system locked
up entirely or you got an angry call from IT regarding the surge in your current
levels of network traffic or a host of emails you’d been unwittingly sending.
Either way you knew you’d been hit.

Nowadays, malware is more criminal and the whole object is to slip under the
radar unnoticed. It’s a sad change of affairs. Now let me tell you about how
this was all fields at one time …

7.
Familiar ‘brand’ sites are safe


Iain Thomson: It used to be the case that you could trust reliable web
sites to be safe to visit, but that’s becoming increasingly untrue.

Injecting malware into web pages is a common tactic these days, either by
hacking the page or, more commonly, by using bought advertising space.

There’s not a lot that can be done to prevent this, unless you’ve got someone
monitoring the site constantly or have a very good security set up. But even the
best web sites slip up occasionally.

The easiest way round this is to patch your browser religiously, and use one
of the less common browsers. It won’t prevent a zero-day breach but will give
the best measure of protection.

Shaun Nichols: One piece of malware that is particularly loathed in
the security world these days is the Zeus Trojan.

Aside from being remarkably easy to deploy and operate, Zeus has this neat
trick of being able to inject code into HTML files. You might go to your bank’s
web site, log in to your account, and then be asked for your PIN and social
security numbers. All this happens on a page that has the URL of an otherwise
trusted site.

For most phishing attacks, taking a close look at your browser’s URL window
or manually entering the bank’s address will keep you safe, but Zeus changes the
game.

If a page seems weird or if a new input box appears and you suspect an
infection, it’s not a bad idea to run a malware scan and contact your
bank/creditor/etc to make sure they made the changes themselves.

6.
It’s only a Facebook application


Shaun Nichols: This one is quickly becoming a major security
concern. With the advent of Facebook applications, a huge new platform has
opened up to developers, and that includes those who create malware.

Unscrupulous developers have crafted applications that spam users with
messages, tricking them into posting things on their walls and even scamming
their friends.

Unfortunately, Facebook users don’t exercise the same sort of common sense
they do with PC-based applications, so these scams are even more effective.

People really need to understand the importance of keeping Facebook
information secure. Aside from the information that can be obtained from
infiltrating a person’s account, an attacker can use a compromised account to
execute social engineering attacks on that user’s friends and family (i.e. the
‘I’m stuck in Romania and need a money transfer’ scam).

A good rule of thumb: if you don’t trust it enough to put on your own
computer, don’t install it on your Facebook page.

Iain Thomson: A huge part of successful hacking comes down to social
engineering, but now we’re doing the hacker’s job for them.

The first time I heard about the money transfer scam I was amazed that people
were getting caught out by it in such huge numbers. If someone’s in dire straits
in a foreign land the last thing they’re going to do is check Facebook.

It’s the trust-based nature of these sites that causes the problem, but
Facebook chief executive Mark Zuckerberg et al wants us to share more
information not less, and social networking companies are less than stellar when
it comes to keeping their traffic secure.

5.
IT will protect my company PC from any malware infection


Iain Thomson: This one causes a lot of hollow laughter in IT
departments across the globe. The IT manager is not a god, although a sizeable
number of them might dispute that.

There are so many things that need to be sorted out on a corporate network
that protecting end users usually involves little more than slapping some
commercial security software on a system and hoping for the best.

The better admins will at least set it to auto-update and lock the software
down, but it’s amazing how many times I see work computers where the user can
not only download what they like but turn off the security software.

Hard-pressed IT staff do their best, but there’s no fix for a dumb user.

Shaun Nichols: The vast majority of office workers will admit to
using their computers for personal surfing, and those that don’t admit it are
lying through their teeth.

Because of this, you have a vested interest in keeping your work machine
clean. Aside from possibly leaking confidential information and costing you a
job, a malware infection on your workplace PC can lead to the loss of your
personal account details.

This means that getting an infection on your PC isn’t just something you can
dump on the IT department as you head out for the day. Office workers need to
treat their work PCs like their home PCs, and that means paying attention to
security and surfing responsibly.

4.
Get security software and you’re protected


Shaun Nichols: There are tens of thousands of new malware
applications created every day. While anti-virus vendors have made great strides
with the transition to always-connected security services, there are still
plenty of threats out there that go unnoticed.

Having anti-virus software doesn’t give you a licence to behave recklessly.
Going onto shady web sites, downloading applications from anonymous sources and
failing to patch your system puts you at risk even if you’re running the best
security software.

Additionally, you have to keep your security software updated. Many new
malware applications will target and disable anti-virus tools, particularly
older software. Keeping a clean, secure PC is not a one-time task, it’s an
ongoing process.

Iain Thomson: It’s not something security vendors like to talk
about, but it wasn’t so long ago that anyone could stop unique malware against a
single target.

All commercial security software relies on a range of systems feeding them
data, both from customers and honeypot servers online, on malware which is in
circulation.

If a piece of malware is unique, signature-based software is about as useful
as a chocolate teapot. We’ve seen numerous cases of this over the years; it’s
usually business rivals, jealous lovers or, er, journalists.

Security software has improved as more vendors add heuristic detection
systems. These look at the behaviour of software and watch for signs of malware
in action. Unfortunately a lot of the heuristic software isn’t very good, and
you either get false positives or not enough detection.

3.
Hackers work alone


Iain Thomson: We’ve all seen it in films – the hacker who
lives on his own in his mother’s basement. Kevin Smith should have been ashamed
of himself for re-enforcing the stereotype in the latest Die Hard.

While there are obsessive hackers out there, the biggest problems with
computer security comes from hacking organisations. You might only need one
person to write the malware code or carry out an attack, but if you want to
actually make money you need a bigger organisation capable of shifting and
laundering the money.

Also it’s perfectly possible to be highly sociable while on a computer. IM
and email conversations are just as valid as face-to-face contact, and often
more useful.

Shaun Nichols: If there’s one thing about cyber crime that people
need to grasp, it’s that organised crime is now highly involved.

Because of this, malware and identity theft have become far more
sophisticated and professional. Financial information and account details are
the primary targets, and malware often runs without any obvious signs of its
activity.

When a site promises free software, easy money or other deals too good to be
true, you should treat it just like you would a three card monty table. Cyber
crime has become a slick and sophisticated operation, and if you don’t treat it
as such you’re asking for trouble.

2.
Apple users are safe


Shaun Nichols: This one is always good for a few angry comments and
emails. It’s also a harsh truth that many choose to ignore. Running a Mac OS
system does not make you immune to security threats.

Let me start by saying that I am a Mac user and have been since I was seven
years old. I love the platform and have no ill will towards its users. But the
Mac OS community needs to wake up. The thought that Mac users don’t have to
worry about malware is naïve and irresponsible.

First off, the volume of malware for Mac OS systems is slowly but surely
growing. While malware writers may still prefer the low-hanging fruit of
unpatched Windows XP machines, they are sniffing around the OS X world.

If the chance for a successful exploit is higher due to careless users, they
may well look beyond the Mac’s comparatively small market share and start
attacking in earnest.

Aside from that, Macs can be nice carriers for malware. You might not get
infected by visiting a certain site or loading a certain file, but what about
the PC users you share the link with?

It’s about time all Mac users got wise about security. Install patches and
keep a close eye on where you surf and what files you open and share.

Iain Thomson: I’ve ranted about this before, but Shaun has covered
the bases very well. The key reason why Apple gets so few attacks is largely
down to market share. The company is very much a minority and malware writers
want the biggest number of potential victims.

However, I think criminals are missing a trick here. Yes, Apple’s market
share is small, but it also makes some of the most expensive kit on the market,
ergo if you have an Apple you are relatively well off when you consider that
half the world lives on less than $5 a day. Such tempting targets won’t go
unattended for long.

However, credit where credit’s due. I suspect, and some security
professionals agree, that Apple simply does a better job of hardening its
operating system and keeping security in mind.

1.
We are secure


Iain Thomson: This had to be number one. There is no 100 per
cent secure computer system. End of story.

Of course, it’s a logical impossibility, and code is never perfect. But
criminals online are looking for as little work as possible and target the
low-hanging fruit. The trick is to move further up the tree, and it’s not hard
to do.

By using a few simple tricks you can make yourself a lot safer and move the
problem on to less secure users. We’ve outlined some ideas here, but there’s a
host of other ways you can protect yourself from attack.

There may be little defence against a sustained personal online attack, but
these are very rare. In the most part malware is a numbers game, and following a
few good security rules can make sure you don’t become a crime statistic.

Shaun Nichols: As any security expert will tell you, cyber crime
will continue to thrive no matter how well systems are locked down. The reason?
Meatware. No matter how good the protection on a computer, the person behind it
can always be duped.

Whether it’s handing over your password or installing a fake video codec, the
easiest way into a system is to con the person behind it into doing what you
want. When security vendors talk about ‘social engineering’, this is what they
mean.

For this reason, I will take a well-maintained network and savvy users over a
top-of-the-line deployment and a bunch of novices any day.

A good knowledge of the risks on the web and how to avoid them is worth
thousands of dollars in hardware and software.

Rosalie Marshall, V3.co.uk, Friday 15 October 2010 at 15:32:00

The House of Lords has raised a number of concerns about the UK’s cyber
security defence strategy, warning that greater knowledge of the sphere and more
clear cut lines of responsibility are needed.

The Lords held a two-hour debate yesterday afternoon on how the UK can best
protect itself against cyber attacks, directing a number of questions at Home
Office security minister Baroness Neville-Jones, who attended the discussion.

The basis of the debate was the Protecting Europe report, published in May by
the EU Subcommittee for Home Affairs, which recommended that the EU and Nato
work together to defend member states against cyber attacks.

Lord Jopling asked Neville-Jones what steps the government had taken to
increase collaboration between the two organisations, but Neville-Jones
responded that “bigger issues” had prevented a Nato-EU partnership on cyber
crime.

“We all know that there are bigger issues – or at any rate other issues -
that prevent that from happening, which are wholly contrary to the interests of
the member states of both organisations and the organisations themselves. That
is one thing that we have not yet succeeded in cracking,” she said.

Neville-Jones called for the private sector to co-operate with the government
to protect the UK from cyber attacks.

“We are clearly not going to have an effective national platform which
protects the operation of our society and gives us economic advantage
internationally so that people decide to invest in the UK because they know that
it has communications that they can trust, except in partnership with the
private sector,” she said.

“We need to have a partnership that does strategy and operational
co-operation, whereby the government’s technical expertise can be brought to
bear to help to ensure that private sector operators and companies have the
cyber security that they and the nation need for business continuity.”

Neville-Jones also said that the UK population needs to be made more aware of
the possibility of cyber attacks, and the government needs to encourage good
security practice among ordinary citizens.

Meanwhile, the Lords raised their own cyber attack concerns. Lord Reid of
Cardowan said that the House had to commit itself to fighting cyber attacks,
even though many of its members were not up to speed with the latest
technological developments.

“It is to be expected in a House like this, for all our wisdom, that we might
not be as au fait with technological advances as the younger generation.
However, we ignore this at our peril. It should be at the front of our
considerations here,” he said.

Lord Harris of Haringey expressed concerns that the government would go ahead
with plans to merge the Police Central E-Crime Unit into a new national crime
agency, and in doing so would make it more fragile. He believes that the unit
should remain independent and its budget maintained.

Lord Harris questioned whether the UK’s supervisory control and data
acquisition systems are sufficiently protected, and called for more clear cut
lines of responsibility for the defence of such systems.

“Who is in charge of setting the standards of security for our critical
national infrastructure? Who is responsible for attributing where attacks are
coming from? Who is responsible for managing resilience and recovery should an
attack take place? Who is responsible, if necessary, for retaliation or taking
out those who are carrying out these attacks?” he asked.

Finally, Lord Browne of Ladyton argued that the priority for organisations
internationally is to find ways to ease the detection of cyber attacks and the
prosecution of those responsible.

“Internationally, in the absence of sufficient treaty law or UN statutes
dealing explicitly with cyber actions, we need urgently to define the role that
international law should play in covering either offensive or defensive cyber
actions,” he said.

The Lords discussed some of the most dangerous cyber attacks to date,
including the 2007 attack on Estonia, the recent Stuxnet virus designed to
attack specific industrial infrastructure, and the 2008 intervention in the US
security system that was performed with a memory stick.

The cyber attack issue has already received a fair bit of commentary this
week after Iain Lobban, director of GCHQ,
warned
that the UK government is at risk of an attack.

Meanwhile, former White House
security
advisor Richard Clarke said that swift preventative action needs to be taken
to defend against cyber attacks.

He suggested that the European Union should work with the US to clamp down on
nation states that allow hackers to carry out attacks from within their borders.

Phil Muncaster, V3.co.uk, Thursday 14 October 2010 at 14:42:00

The government is to step up investment in its national cyber security
strategy with a major round of new funding in an effort to bolster the
protection of critical national infrastructures.

Neil Thompson, director of the Office for Cyber Security, told the audience
at a Royal United Services Institute conference that the announcement would be
made as part of next week’s strategic defence and security review, according to
The Guardian.

Thompson reportedly said that cyber attacks are “cheap, quick and deniable”,
and require a “step change” in the government’s approach.

The comments came on the same day as GCHQ director Ian Lobban warned that the
UK is facing the very real threat of a
cyber
terrorist attack.

“There are over 20,000 malicious emails on government networks each month.
Cyber space lowers the bar for entry to the espionage game for states and
criminals,” he said in a speech at the International Institute for Strategic
Studies.

Richard Clarke, a former White House cyber security advisor, said at the RSA
Conference Europe yesterday that governments including the UK and US are
woefully unprepared for a
concerted
cyber attack on critical national infrastructure.

“We need in all countries to stop worrying about cyber war on the offensive
and start worrying about cyber war on the defensive,” he said.

“We all need public-private plans to defend the systems that matter. We have
strategies, but they don’t tell you how to defend the country from an active
cyber attack.”

V3.co.uk, Thursday 14 October 2010 at 08:21:00

McAfee Labs head of research Dave Marcus shows reporters how social
networking sites such as Twitter can be used to gather far more information than
users intended to share.

Iain Thomson in San Francisco, V3.co.uk, Thursday 14 October 2010 at 01:53:00

Security software vendor GFI are trialing a new form of software pricing
structure,


whereby a user buys protection for the life of the computer rather than on a
rolling


subscription basis.

The new VIPRE lifetime package covers virus, phishing and spam protections
along with firewall software built in and an intrusion detection and prevention
system. Users can also block adverts as well as Javascript, VBScript and ActiveX
controls.

“Our one-off price for a product that lasts the life of a PC, rather than
just 12 months, means peace of mind and even better value for money, without
compromising on protection from malware,” said Alex Eckelberry, general manager
of GFI’s Security Business Unit.

“Antivirus protection can be a costly purchase, as the true cost of a product
– the


annual renewal fees to keep receiving the latest virus definition updates – is
rarely


communicated at the time of purchase.”

The software is compatible with both 32- and 64-bit versions of Windows 2000,
XP,


Server 2003, Vista, Server 2008, Server 2008 R2 and Windows 7. Th code will
allow for one hardware upgrade to a host system.

GFI does the majority of its business with small and medium sized companies
but it


hoping this package will appeal to consumers as well.

Shaun Nichols in San Francisco, V3.co.uk, Thursday 14 October 2010 at 01:43:00

McAfee is running a demonstration at its Focus conference in Las Vegas
designed to show the ease with which a malware botnet can be built and deployed.

Using a collection of virtualised systems, reporters were allowed to infect a
‘victim’ desktop with the Zeus malware by way of an email attachment and then
monitor activities on the bot system.

Data gathered from the victim system included keystrokes, browsing activity
and screen shots of clicked images.

The demonstration also allowed reporters to inject code into otherwise
legitimate pages, and install other infections such as the Phyllis malware.

Zeus has become notorious in the security community owing to its ease of
deployment and ability to inject code into otherwise legitimate sites.

New versions of the malware can cost thousands of dollars, but older versions
can be obtained for little or no cost.

Dave Marcus, head of research at McAfee Labs, told V3.co.uk that the
aim of the demonstration was to provide a firsthand view of Zeus and the extent
to which it can log activity.

“The whole point is to let people get hands on with what we protect against,
” he said. “You have people who have been administering anti-virus and managing
networks for years who have never seen Zeus in action.”

Phil Muncaster, V3.co.uk, Wednesday 13 October 2010 at 14:50:00

Positive news for the security industry emerged today after Microsoft’s
latest Security Intelligence report revealed a reduction in the volume and
severity of vulnerability disclosures and malware infection rates during the
first half of the year.

However, Microsoft was forced to patch more vulnerabilities during the first
six months of 2010 than during the last six months of 2009.

The
Microsoft
Security Intelligence Report volume 9 covers the period from January to June
2010 and is based on data gathered from tools such as Windows Defender,
Microsoft Security Essentials, Internet Explorer, Forefront, Bing and the
Malicious Software Removal Tool.

Vulnerability disclosures were down 7.9 per cent from the second half of
2009, while severity was also largely down in the period, with ‘medium’ and
‘high’ disclosures declining by 10.7 per cent and 9.3 per cent.

The number of data breaches involving loss of personally identifiable
information, meanwhile, fell 46 per cent in the first half of 2010 compared with
the first half of 2009. The loss of such information as a result of malicious
activity was half of that due to incidents of negligence, said Microsoft.

There was also positive news on the malware front, with a reported 13.8 per
cent drop in the number of infected computers cleaned by Microsoft desktop and
anti-malware products during the period.

“There are a host of positive examples of industry efforts having an impact,
but we all know that cyber crime is not going away,” said Adrienne Hall, general
manager of Microsoft Trustworthy Computing.

As if to confirm this, Microsoft cleaned more than 6.5 million computers of
botnet infections between April 2010 and June 2010, double the amount for the
same period a year before.

Microsoft also revealed that it was forced to patch more vulnerabilities in
the first six months of 2010 than during the previous six months.

The average number of vulnerabilities addressed per bulletin increased from
2.2 in the second half of 2009 to 2.8 in the first half of 2010.

Hall said during her keynote speech at RSA Conference Europe that governments
and industry must collaborate more to mitigate the cyber security threat.

She also pointed to law enforcement and innovations in the security industry
as key elements in the fight against cyber crime.

Phil Muncaster, V3.co.uk, Wednesday 13 October 2010 at 13:14:00

A former presidential special advisor on cyber security has called on the UK,
US and European Union to crack down on “cyber sanctuaries”, nation states which
allow hackers to carry out attacks from within their borders as long as they are
directed outside the country.

Richard Clarke said at the RSA Conference Europe that nations such as
Belarus, Russia and Moldova do not offer much help to US or UK law enforcers
when they track hacking attacks to within their borders.

“These countries have in effect become cyber sanctuaries where governments
allow the hackers to do the attacks as long as they are directed outside the
country, and they provide a kickback to the authorities, and that they do a
little [hacking] work for the government when that government needs plausible
deniability,” he said.

Clarke argued that pressure needs to be applied on these countries to
co-operate, just as it had been on nations such as the Bahamas that supported
money laundering.

“We can do the same for cyber crime. If you don’t live up to a set of norms
like the European Convention on Cybercrime there will be consequences,” he said.

“We could limit traffic in and out of renegade countries, or insist that all
traffic coming in and out be filtered and monitored by an international
organisation.”

Clarke warned that cyber criminals are becoming richer and more
sophisticated, even hiring computer scientists to alter hardware and firmware so
that it contains backdoors which can be exploited.

The security expert also said that the Stuxnet worm highlighted the existence
of cyber warfare capabilities, and that it is time for nation states such as the
US and UK to think seriously about cyber defences.

“We need in all countries to stop worrying about cyber war on the offensive
and start worrying about cyber war on the defensive,” said Clarke.

“We all need public-private plans to defend the systems that matter. We have
strategies, but they don’t tell you how to defend the country from an active
cyber attack.”

Clarke even suggested that cyber peace could eventually be achieved, just as
nuclear arms control was engineered despite critics on all sides who said it
could never be done.

“If you begin with baby steps there are ways we can make agreements which
will make us safer, so it’s about time we march down that path even if it takes
us 15 years,” he said.

Phil Muncaster, V3.co.uk, Sunday 10 October 2010 at 09:52:00

This week was dominated by the news that Microsoft and Oracle are planning
huge patch updates on Tuesday. Other key stories included RIM finally striking a
deal with the United Arab Emirates over monitoring BlackBerry communications,
and a busy week for Symantec at its Vision conference in Barcelona.

First up, Oracle said that its
upcoming
security update will address 81 flaws. Among the products being updated are
Oracle Database, Peoplesoft CRM, E-Business Suite and Fusion Middleware. In
total, the company said that the update will affect hundreds of Oracle and Sun
software offerings.

Also this coming Tuesday, Microsoft is to release its
biggest
ever security update, with a total of 49 vulnerabilities to be fixed. The
firm has scheduled 16 updates for October’s Patch Tuesday, which will fix
security issues n Windows, Internet Explorer, Microsoft Server software and
Office.

Not to be outdone, Adobe this week
fixed
23 serious security vulnerabilities in its Reader and Acrobat software that
affect Windows and Macintosh systems. The firm released a security bulletin with
fixes for issues that could either make systems crash or give remote attackers
control.

It was a busy week for Symantec, after the security firm launched malware
detection software dubbed
Ubiquity,
which is designed to identify malicious files from day zero and give enterprises
increased protection against mutating software.

Symantec also announced
updates
to its mobile security platform and encryption software, as well as the
launch of
Hosted
Endpoint Protection. This new cloud offering is designed to let small and
medium businesses deploy protection through the cloud without the need to manage
additional hardware or software.

It was a good week for RIM, meanwhile, as the firm finally
managed
to avoid a ban in the United Arab Emirates of its BlackBerry service after
appeasing the country’s telecoms authorities.

A statement released by the country’s Telecommunications Regulatory Authority
confirmed that BlackBerry services are now compliant with the country’s
regulatory framework and that the threat of a ban had been lifted.

And finally, authorities in Iran
arrested
an unspecified number of people this week for allegedly enabling the Stuxnet
malware to access its nuclear command and control systems, according to reports.

However, the virus authors appear to be creating new versions of the malware
code, according to Iranian state media.

Shaun Nichols in San Francisco, V3.co.uk, Friday 8 October 2010 at 03:38:00

A security executive at Microsoft is suggesting a plan to limit internet
access for malware-infected PCs.

In a recent report
(PDF),
Microsoft corporate vice president of Trustworthy Computing Scott Charney
suggested that authorities and administrators adopt a model similar to that used
by health officials when controlling infectious diseases.

“In the physical world, there are also international, national and local
health systems that identify, track, and control the spread of disease
including, where necessary, quarantining people to avoid the infection of
others,” wrote Charney.

“To improve the security of the internet, governments and industry could
similarly engage in more methodical and systematic activities to improve and
maintain the health of the population of devices in the computing ecosystem by
promoting preventative measures, detecting infected devices, notifying affected
users, enabling those users to treat devices that are infected with malware, and
taking additional action to ensure that infected computers do not put other
systems at risk,” he added.

Malware botnets have become a major security concern in recent years.
Infections such as
Waledac
and
ZeuS
have infected hundreds of thousands of systems and put both individuals and
large enterprises at risk.

To help combat the spread of botnets, Charney suggests a system which could
limit or completely block internet access for infected machines until the botn
et malware is removed.

“Under this model, a consumer machine seeking to access the internet could be
asked to present a ‘health certificate’ to demonstrate its state,” he wrote.

“Although the conditions to be checked may change over time, current
experience suggests that such health checks should ensure that software patches
are applied, a firewall is installed and configured correctly, an antivirus
program with current signatures is running, and the machine is not currently
infected with known malware.”

Iain Thomson in San Francisco, V3.co.uk, Tuesday 5 October 2010 at 04:11:00

Iran has arrested an unspecified number of people for allegedly enabling the
Stuxnet malware to
access
to its nuclear command and control systems.

Iran’s intelligence minister, Heydar Moslehi, told the national Mehr news
agency that the ministry had “complete mastery” over government computer systems
and was able to counter any online attacks by “enemy spy services”, according to
the
New
York Times.

“All of the destructive activities perpetrated by the oppressors in
cyberspace will be discovered quickly and means of combating these plans will be
implemented,” Moslehi said.

“The Intelligence Ministry is aware of a range of activities being carried
out against the Islamic Republic by enemy spy services.”

The Stuxnet code is a
highly
sophisticated piece of malware,
the
first aimed at industrial control systems and
possibly
written by a Siemens insider, which has caused high concern among security
analysts. Last week’s Virus Bulletin 2010 conference devoted half a day to
examining the malware, which experts believe is government inspired.

Interestingly, the virus creators appear to be creating new versions of the
malware code, according to Iranian state media.

Hamid Alipour, an official at the state-run Iran Information Technology
company, said the worm was spreading.

“This is not a stable virus,” he said last week.

“By the time we started to combat it three new variants had been
distributed.” Alipour said his company hoped to eliminate it within “one to two
months”.

Shaun Nichols in San Francisco, V3.co.uk, Tuesday 5 October 2010 at 04:01:00

The number of cyber crime operations emanating from Europe is growing,
according to security experts.

Trend Micro said that over the first half of 2010, Europe had surpassed both
Asia and the Americas as the top region for producing web-based threats.

The company said the rise in Europe-based threats may well be down to efforts
by the government in China to force local internet service providers to curb
illegal activities there, which
have
been credited with driving criminals to operators in Eastern Europe.

Trend Micro threat research director Jamz Yaneza told V3.co.uk that
the Chinese government’s campaigns do appear to have made an impact in overall
levels, albeit small.

“That is one of the reasons why the amount of spam coming out of China has
lessened,” said Yaneza.

“It is still one of the biggest, next to Europe.”

The report also found a trend towards localisation in online attacks. The
company found that in countries such as Brazil, botnet infections and phishing
attacks have been tailored to target smaller, local banks.

“Most of the bots target low-hanging fruits, and most of these are local
banks,” said Yaneza.

“A lot of these emails are being worded better by local individuals.”

In the coming months, Yaneza expects to see cyber criminals shift their
attention to emerging platforms. The researcher recommends that users patch not
only their operating system, but individual applications and plug-ins that
could be vulnerable.

“In the second half of this year we are going to see a lot more attacks using
zero-days and we are going to see gadgets and smartphones factor in,” Yaneza
said.

“My suggestion is for users to be a bit more aware and not think that just
because you are not using one of the most popular systems out there that you are
safe.”

Iain Thomson in San Francisco, V3.co.uk, Friday 1 October 2010 at 03:40:00

Delegates at the Virus Bulletin 2010 conference in Vancouver have heard that
the Stuxnet worm could have been an inside job.

Graham Cluley, senior technology consultant at Sophos, told V3.co.uk
that the worm may have been written by someone with detailed knowledge of
Siemens’ computer systems, possibly a current or former employee.

“The message I got was that it appears to have been written by someone with
inside knowledge of how Siemens’ systems work,” he said.

“But none of the presenters gave any evidence about who wrote it and against
who it was targeted. Unless we get access to the computer it was written on, or
someone admits writing it, we’ll probably never know.”

The malware contains the date 9 May 1979, which coincides with the execution
of an Israeli businessman in Iran. But Cluley explained that this date is also,
for example, the birth date of actress Rosario Dawson, and could be a red
herring.

Cluley also said that the evidence for this being a targeted attack on Iran
is patchy, since Symantec reported that more attacks had been reported in India
and Indonesia than in Iran.

Mikko Hyppönen, chief research officer at F-Secure, told V3.co.uk
that, based on the evidence he’d seen, the Stuxnet worm looks like a government
attack, although conference presentations focused on the technical details of
the attack rather than the motive.

“The obvious conclusion from Stuxnet is that there isn’t any clear motive
other than sabotage,” he said.

“Crucially no-one has found a way that anyone could make money from this,
which makes criminal involvement unlikely. If you look at the level of
difficulty and complexity behind Stuxnet, it has to be a government effort.”

Hyppönen was awarded Best Educator at the conference, while Kaspersky Lab
founder Eugene Kaspersky received a Lifetime Achievement award.

Iain Thomson in San Francisco, V3.co.uk, Thursday 30 September 2010 at 03:17:00

Security experts at the Virus Bulletin 2010 conference have voted
overwhelmingly to abolish Adobe’s PDF standard and replace it with a safer
format.

Paul Baccus, a senior threat researcher at Sophos, conducted a straw poll on
the future of PDF during a conference session, and found that 97 per cent favour
dumping the standard and working on a safer format with better software
security.

Baccus then asked whether anyone from Adobe was in the audience. After a
pause a voice at the back shouted: “Of course not, it’s a security conference.”

The poll was unofficial, but did highlight growing concerns in the security
community about Adobe’s software after a string of attacks against the code.

Graham Cluley, senior technology consultant at Sophos, told V3.co.uk
that Adobe is taking steps to improve the situation, but is “increasingly seen
as the new Microsoft”.

“Microsoft has improved dramatically on its software security and now hackers
are going after Flash and PDF because they are almost as widespread as Windows,
” he said.

The annual Virus Bulletin conference, held in Vancouver this year, has
attracted 600 security experts from the private and public sectors around the
world.

The opening keynote was given by a Facebook staffer who talked of the
increasing problems caused by online crime moving into social networking.

However, some delegates criticised the presentation as being too limited and
lacking serious information sharing. No copies of the presentation were
distributed.

Day two of the conference on 30 September will see a number of presentations
on the
Stuxnet
worm which recently hit an Iranian nuclear facility.

Tonight, however, the security researchers will be living it up as only they
know how, according to Cluley.

“We’re having a welcome reception after the first day’s sessions, and then
it’s time for the entertainments, which this year will include checkers and
chess. We know how to party in Vancouver,” he said.

Phil Muncaster, V3.co.uk, Tuesday 28 September 2010 at 15:09:00

Security experts have warned of a malicious spam campaign on LinkedIn capable
of infecting users with the Zeus data-theft malware.

Cisco IronPort’s senior security researcher, Henry Stern, explained in a
blog
post that the malicious email arrives containing a link with a fake LinkedIn
contact request.

“Clicking the link takes victims to a web page that says ‘please waiting…. 4
seconds’ and redirects them to Google. During those four seconds, the victim’s
PC is infected with the ZeuS data-theft malware via a drive-by download,” he
said.

“ZeuS embeds itself in the victim’s web browser and captures personal
information, such as online banking credentials, and is widely used by criminals
to pilfer commercial bank accounts.”

The spam emails became so prevalent that, at one point on Monday, they
accounted for as much as a quarter of all spam sent within a 15-minute interval,
according to Stern.

“What makes this attack unique is the combination of the extremely high
volume of messages transmitted, the focus on business users, and the use of the
ZeuS data-theft malware,” he said.

“This strongly suggests that the criminals behind this attack are most
interested in employees with access to financial systems and online commercial
bank accounts.”

Stern said that organisations should instruct staff to delete any such
request, especially from people they do not recognise.

Phil Muncaster, V3.co.uk, Monday 27 September 2010 at 14:52:00

Iranian sources appear to have confirmed that the Stuxnet worm has infected
PCs at the country’s Bushehr nuclear power facility, but maintain that it has
not disrupted the plant’s operations.

First discovered in July, the
sophisticated
Stuxnet threat has been designed to disrupt the supervisory control and data
acquisition systems that control manufacturing processes in factories and plants
around the world.

Bushehr project manager Mahmoud Jaafari told Iran’s Islam Republic News
Agency (IRNA) on Sunday that some of the personal computers belonging to
employees had been
hit
by the virus, but that fixes were being applied to remove the infections.

In a
harder
line response on the English language version of the IRNA site later in the
day, M. Zarean, deputy chairman of Iran’s Atomic Energy Organisation for Safety,
Protection and Security, claimed that the worm had “not hit Iran’s nuclear site
or software”.

Iran’s Mehr news agency
reported
on Saturday that Stuxnet had infected “the IP addresses of 30,000 industrial
computer systems” in the country, although it declined to be more specific about
the incident at Bushehr.

Security vendor Symantec
said
last week that the majority of Stuxnet incidents are at Iranian IP
addresses, and that the sophistication and time taken to craft the worm
indicates that it is likely to have come from a state-sponsored source.

Phil Muncaster, V3.co.uk, Monday 27 September 2010 at 12:41:00

Twitter has been forced to take down another worm attack spreading rapidly
across the site, just days after the
onMouseOver
flaw caused havoc.

High-profile users including blogger Robert Scoble were hit by the new
attack, which helped to spread the worm to many more Twitter users, according to
Sophos senior technology consultant Graham Cluley.

After clicking on a link preceded by the term ‘WTF’, victims are taken to a
web page which uses a cross-site request forgery technique to automatically post
an obscene message from the visitor’s Twitter account.

“All the user sees if they visit the link is a blank page, but behind the
scenes it has sent messages to Twitter to post from your account,” said Cluley
in a
blog
post.

“The messages obviously couldn’t be sent if you weren’t logged into Twitter
at the time you clicked on the message.

“Chances are that the reason why this attack spread so speedily is that
people were curious to see what they would find at the end of a link only
described as ‘WTF’.”

A posting on the
Twitter
status update site this morning reads: “We’ve fixed the exploit and are in
the process of removing the offending tweets.”

However, Paul Vlissidis, technical director at NGS Secure, argued that
although this worm did not pose a great threat, it could pave the way for more
serious attacks in the future.

“This worm appears to be mischievous rather than malicious – similar to the
worm that exploited the mouseover flaw last week – but it does expose a serious
issue in the Twitter security model which needs to be rectified to ensure that
its users do not suffer weekly or daily incidents of this kind,” he said.

Phil Muncaster, V3.co.uk, Sunday 26 September 2010 at 13:20:00

This week in security was dominated by yet another threat to Twitter users. A
newly uncovered vulnerability was exploited to deliver malicious pop-ups and
third-party web sites.

The
‘onMouseOver’
attack allowed pages to open just by moving a mouse over a link, meaning
that users did not have to click on anything to launch the pages.

The attack also generated and published code in the Twitter user’s update box
that linked to third-party sites to propagate the code further.

Embarassingly for Twitter, it later emerged that the site’s security team had
patched
the flaw last month, but it was allowed to “resurface” after a site update.

In other news,
Cisco
posted a security update for its networking and unified communications
tools, addressing 10 flaws in the IOS networking firmware and two in the Unified
Communications platform.

On a similar theme, ArcSight, recently acquired by HP, refreshed a number of
its enterprise products, promising better
management
tools and enhanced protection, while Microsoft is to extend its
Security
Essentials tools free of charge to SMEs for up to 10 PCs.

Google
introduced
a two-step sign-in code for access to Google Apps accounts, designed to
provide business users with added security when using the cloud without the need
to invest in additional software.

And finally, there was worrying news for IT managers from Symantec Hosted
Services, after its latest MessageLabs Intelligence Threat report found that a
third of employees are more likely to
trigger
a web site block while working remotely than at the office.

Paul Wood, senior analyst for Symantec Hosted Services, said that the main
threat is office-based workers who work remotely only on occasion.

V3.co.uk staff, V3.co.uk, Friday 24 September 2010 at 16:24:00

The big news for V3.co.uk readers this week was the latest handset
releases from HTC, which feature the firm’s highly praised Sense interface.

Orange, meanwhile, has launched a £99 Android phone called the ‘San
Francisco’, which it said is just the first in a series of “affordable” Google
OS devices.

On the security front, the Stuxnet worm has been causing concern for
industrial computer systems, hackers have stolen Interpol chief Ronald Noble’s
Facebook identity, and Twitter has suffered yet another attack on its users.

This follows news that sophisticated cyber attacks are becoming increasingly
prevalent.

Other popular stories concerned mobile coverage in the Tube, the latest 27in
iMac all-in-ones, and Microsoft’s attempts to publicise Windows Phone 7.

HTC
Desire HD and Z on pre-order to ship on 11 October


Forthcoming handsets up for pre-order on Amazon.co.uk and Play.com

HTC
Sense interface upgrade first look


Hands-on with the extra services and functionality on HTC handsets

Orange
launches £99 Android ‘San Francisco’ phone


New handset first in a series of affordable Google OS devices, says operator

Stuxnet
worm exploits four zero-day vulnerabilities


Iranian industrial computer systems targeted by sophisticated worm

Hackers
steal Interpol chief’s Facebook identity


Ronald K Noble labels cyber crime “most dangerous criminal threat”

Apple
iMac 27in (late 2010 edition) review


Apple beefs up the basic spec and adds an SSD option to its stylish all-in-one
iMac desktops

Windows
Phone 7 and the smell of desperation


Microsoft’s attempts to publicise Windows Phone 7 are starting to appear more
and more desperate

Twitter
‘mouse over’ hack causing chaos


Micro-bloggers plagued by yet another attack

Boris
wants mobile operators to fund Tube coverage


Mayor hoping carriers will foot the £100m bill before the Olympics

Cyber
attacks growing in number and sophistication


HP research paints a grim picture of relentless assaults