Phil Muncaster, V3.co.uk, Saturday 4 September 2010 at 06:15:00

This week was dominated by the VMworld 2010 conference in San Francisco, and
some interesting partnership/acquisition activity which could help Dell and CA
offer more secure products.

Twitter, Facebook and Microsoft also released enhancements to their products
designed to improve security.

Twitter made moves to improve the security of its service with support for a
new
authentication system for people using third-party applications to read or
send tweets.

The OAuth authentication method allows subscribers to use third-party
applications without them storing passwords. The apps will still work if the
user subsequently decides to change their password.

Ironically, the corresponding OAuth update required by TweetDeck users to
make them more secure was
used
by scammers to try to spread malware.

Facebook also got in on the act, announcing a
security
feature that allows users to remotely log out of active sessions on any
device, reducing the chances of havingtheir accounts hacked and used to send
spam or malware.

CA announced plans to extend its cloud security capabilities with the
acquisition
of Arcot Systems, a provider of fraud prevention and authentication tools.
The $200m (£129m) deal will help CA strengthen its Identity and Access
Management offerings, the firm said.

Meanwhile,
Dell
announced plans to expand its partnership with security firm Trend Micro, in
a deal which will bring the vendor’s Worry-Free Business Security Services to
its own customers.

Microsoft issued an updated version of its mitigation tool for hardening
Windows applications against common security exploits used by malware. The
Enhanced
Mitigation Experience Toolkit 2.0 is now available from the Microsoft
download centre, and adds two new mitigations to the four already supported in
the tool since version 1.02 was released in October 2009.

Finally, there was a big emphasis on security at VMworld this year. VMware
announced a trio of products aimed at
redefining
virtual security architecture from a perimeter to a defence-in-depth
approach.

VMware vShield Edge, vShield App and vShield Endpoint cover anti-virus, load
balancing and firewall security for cloud systems. By integrating these deep
into the virtualised environment, security could become a selling point for
cloud, according to the company.

Also at the show, Trend Micro
posted
an update for its Deep Security server protection platform, targeting server
virtualisation and sporting a new module for VMware systems.

And Check Point introduced a
virtualised
edition of its Security Gateway appliance.

Iain Thomson in San Francisco, V3.co.uk, Saturday 4 September 2010 at 02:26:00

A software engineer who worked for the security services has been jailed for
a year after being found guilty of attempting to sell classified information.

Daniel Houghton, 25, of Hoxton in east London, pleaded guilty to two offences
under the Official Secrets Act.

Houghton copied over 7,000 files containing staffing lists for the security
services operating abroad onto a memory stick while working at MI6 as a £23,000
per year software engineer.

He tried to sell the data to the Dutch secret service for £1m but the buyers
contacted the British security services when they received the offer, initially
believing it to be a hoax.

In bugged and recorded negotiations, Houghton was bargained down to £900,000
but when he handed over the files on 1 March he was arrested while carrying the
cash in a suitcase.

“This was not an offence committed by a calculating ideologue to disclose
material to a hostile sovereign state,” said David Perry QC, defending,
according to the
BBC.

Perry described Houghton as a “naive young man who came across as a loner”,
and said that he had carried out the crime at the behest of voices in his head.

Judge Justice Bean sentenced Houghton to 12 months, but he was released on
probation owing to the length of time he has already spent in prison.

“If the material had found its way into the hands of a hostile power it would
have done enormous damage and put lives at risk,” said Judge Bean, describing
the defendant as a “strange young man”.

Khidr Suleman, V3.co.uk, Friday 3 September 2010 at 12:04:00

Facebook has announced a security feature that will allow users to remotely
log out of active sessions on any device, reducing the chances of having their
accounts hacked and used to send spam or malware.

Users will be able to see information on all active sessions, including
log-in time, browser, operating system and approximate location based on IP
address.

The device name will also be seen if users have previously named it through
Facebook’s log-in notifications feature.

The security add-on is in the process of being rolled out, and users will
find it under the Account Security section of the Account Settings page.

Facebook claimed that the feature will reduce the chance of users having
their account hacked when forgetting to log out of a session.

“In the unlikely case that someone accesses your account without your
permission, you can shut down the unauthorised log-in before resetting your
password and taking other steps to secure your account and computer,” the firm
said in a
blog
post.

“You should have the best tools possible to control your account and
information, and we’re working hard to improve our tools and your security.”

The social networking site urged users to regularly check the Facebook
Security Page to receive tips and information on security updates.

The new security feature seems to have gone down well with Facebook users,
with many expressed their delight at the move in the comments section of the
blog post.

Shaun Nichols in San Francisco, V3.co.uk, Wednesday 1 September 2010 at 03:50:00

Google has posted sharp criticism of vulnerability database services in the
wake of recent report.

Adam Mein of Google’s security team said in a recent
blog
posting that the process of collecting and producing reports on security
vulnerabilities generated data that was “commonly outdated or inaccurate to some
degree.”

“To make these databases more useful for the industry and less likely to
spread misinformation, we feel there must be more frequent collaboration between
vendors and compilers,” Mein wrote.

“As a first step, database compilers should reach out to vendors they plan to
cover in order to devise a sustainable solution for both parties that will allow
for a more consistent flow of information.”

The posting comes in the wake
of
a report from IBM’s X-Force on software vulnerabilities. The report claimed
that Google had 33 per cent of its reported flaws unpatched.

Mein said that the issue was due to a mistake in the classification of one of
the three high-risk error reports it had seen. Following the correction, the
company’s percentage of unpatched flaws went from 33 to zero.

In a posting to
a
company blog, X-Force manager Tom Cross acknowledged the corrections and
urged developers to get in contact with the company regarding any errors or
inaccuracies in its vulnerability database.

“This sort of input is crucial for us, with more input from software vendors
about vulnerability information we get greater accuracy in our snapshot of the
industry,” he wrote.

Dan Worth, V3.co.uk, Tuesday 31 August 2010 at 12:06:00

Users of Twitter management app TweetDeck have been warned not to click on
links that claim to be an update for the site but actually contain a Trojan
program.

The application is set for a
genuine
overhaul starting today as part of an
update
to Twitter itself, and the scammers have used the situation to launch the
malicious links.

A member of the TweetDeck team explained in a
blog
post that users should ignore the updates.

“We are seeing a number of updates on Twitter urging users to download a file
called ‘tweetdeck-08302010-update.exe’ from a URL beginning with
http://alturl.com/. These tweets are from hacked accounts and this file does not
come from us,” it read.

The firm added that users should download updates to the application only
from the TweetDeck web site.

TweetDeck also explained five of the most popular ways the fake updates
arrive, including, “TweetDeck will work until tomorrow, update now!” and “Hurry
up for tweetdeck update!”.

The changes to Twitter today causing apps such as TweetDeck to issue their
own site updates centre around the move to OAuth, an authentication method which
allows users to use third party apps without them storing their passwords.

Iain Thomson in San Francisco, V3.co.uk, Monday 30 August 2010 at 22:13:00

Researchers at the Norwegian University of Science and Technology (NTNU) have
discovered a way to hack quantum network traffic using currently available
technology.

Quantum signals are touted as perfectly secure, since the act of observing
the signal changes it and alerts the receiver to the interception.

However, the researchers discovered a way to use a one milliwatt laser to
fool the receiver into believing the message has not been tampered with, when in
fact it can be harvested using traditional techniques.

“Our hack gave 100 per cent knowledge of the key, with zero disturbance to
the system,” Vadim Makarov from NTNU told
Nature.

“We have exploited a purely technological loophole that turns a quantum
cryptographic system into a classical system, without anyone noticing.”

‘Blinding’ the receiving station allowed the team to harvest the data they
needed. The attack worked on two commercially available quantum cryptography
systems from Swiss firm ID Quantique and a MagiQ Technologies system built in
the US.

“Once I had the systems in the lab, it took only about two months to develop
a working hack,” said Makarov.

The team contacted both companies before publishing its research, and patches
have now been issued.

“We provide open systems for researchers to play with and we are glad they
are doing it,” said Anton Zavriyev, director of research and development at
MagiQ.

Iain Thomson in San Francisco, V3.co.uk, Saturday 28 August 2010 at 17:29:00

An international team of academics researching global spam has managed to
cripple a botnet as a by-product of its research.

The team, made up of professors and PhD students at the University of
California, Santa Barbara and Germany’s Ruhr-University Bochum, was conducting a
joint research project analysing spam distribution.

Part of this was running several honeypots (open machines online designed to
catch malware) and looking for patterns in the data.

By matching some of the malware discovered against the free databases
maintained by
Anubis
the team was able to identify the
30
command and control servers used by the PushDo botnet, which is responsible
for large volumes of spam.

“Pushdo has a long history of badness, and some analysis reports date back to
as far as 2007,” said assistant professor Thorsten Holz.

“This piece of malware acts as a dropper, and downloads additional components
which can then carry out different tasks, like for example the Cutwail component
which sends out spam mails.”

After making sure of its evidence the group went to the hosting companies and
informed them of the situation. In all, 20 of the 30 servers identified were
shut down and security researchers at M86 said that the botnet has been
crippled.

“This co-ordinated takedown has had an immediate impact on Pushdo’s spam
output,”
said
Phil Hay, lead security researcher at M86.

“Pushdo has been responsible for wave after wave of malicious spam campaigns
in recent months. Still, we must sound a note of caution. Previous experience
has taught us that these botnet take downs are short lived.”

Holz told V3.co.uk that the hosting companies were helpful in taking
down the servers, but agreed that the botnet might not be out of commission for
long.

“Spammers are making a lot of money,” he said. “It’s very likely that the
controllers will work to re-establish themselves and will move their
infrastructure elsewhere.”

Phil Muncaster, V3.co.uk, Saturday 28 August 2010 at 10:41:00

This week was dominated by data breaches and scareware and spam attacks, with
the unwelcome news that the UK is now the fourth most prolific spam sending
country.

First up, the Financial Services Authority
fined
the UK arm of insurance firm Zurich a record £2.27m for losing the personal
details of 46,000 customers.

The fine is the biggest the regulator has ever issued for an offence relating
to data security, and is punishment for an incident in August 2008 when
information outsourced to Zurich Insurance Company South Africa went missing.

It has raised significant questions over the role of UK data protection
regulator the Information Commissioner’s Office (ICO), which has thus far been
reluctant to impose fines.

In fact, the ICO this week
hauled
electronics retailer DSG International over the coals for allowing sensitive
customer data to be dumped in a skip next to one of its PC World stores.

The watchdog also criticised the Yorkshire Building Society after an
unencrypted laptop containing personal information was stolen from one of its
offices. But it stopped short of fines on both occasions.

Elsewhere, Symantec Hosted Services revealed that the
UK
jumped into the top four spam sending countries globally in August as
volumes of spam sent from infected PCs in the region almost doubled.

The firm’s monthly MessageLabs Intelligence report found that in August, the
UK was responsible for 4.5 per cent of the world’s spam, more than double the
percentage in April, and that UK PCs appear more frequently in prolific spam
botnets such as Rustock.

Many of these spam emails appear to have malicious intent. Sophos
warned
of a major spam campaign designed to trick users into downloading fake
anti-virus software, while a huge increase in potentially dangerous celebrity
death spam prompted security firm Symantec to
warn
users not to open morbid messages.

Sticking with scareware, Symantec Hosted Services warned users to
exercise
extreme caution when using publicly available internet access terminals
after malware was discovered on a terminal in a UK airport lounge.

Meanwhile, security firm Zscaler discovered nearly
three
million phoney YouTube pages all pushing unsuspecting users towards fake
anti-virus downloads.

People were also warned about the dangers of USB related infections this
week, after Panda Security research found that around a
quarter
of infections are spread by dodgy memory sticks.

However, there was some good news for UK computer users. New AVG research put
Britain in a
lowly
31st place on its list of most dangerous countries in whicn to surf the web.
Users in Turkey and Russia are at the greatest risk of online attacks, according
to the report.

Finally, Microsoft and Apple were forced to respond to more security threats
this week.

Microsoft
issued
a security advisory about a flaw that could affect a huge number of
third-party Windows applications. The flaw, which was discovered by Acros
Security, is called a ‘binary planting’ bug and can be exploited as applications
load dynamic link libraries. Acros discovered the flaw last year and was
surprised at the extent of the problem.

Meanwhile,
Apple
released an update which addresses 13 vulnerabilities in the consumer and
server versions of OS X 10.5 and 10.6. Included in the update are fixes for
flaws that, if targeted, could allow for remote code execution attacks.

Shaun Nichols in San Francisco, V3.co.uk, Friday 27 August 2010 at 03:43:00

Users in Turkey and Russia are at the greatest risk of online attacks,
according to a recent report.

Security firm AVG said that the two nations had the highest concentration of
attack attempts per citizen. The report compared attack attempts collected by
its Threat Labs to the total number of its users in a country.

AVG said that one in 10 of its Turkish users had been subject to an attack
attempt this year. In Russia, meanwhile, one in every 14 users had been
attacked.

Ranking third on the list was Armenia, with one of every 24 users subject to
attack, followed by Azerbaijan and Bangladesh.

The UK ranked 31 on the list, with one in 63 users attacked. Users in the US
had a one in 48 chance of attack, earning that country the ninth spot on the
list.

Among the safest countries to surf were Japan, which logged attacks on just
one in every 404 users. Taiwan, Argentina and France were also noted for low
attack levels.

AVG chief research officer Roger Thompson said that while the report
generally indicated the risk residents take in visiting sites in their native
countries and languages, users who are travelling in high-risk countries should
exercise extra caution.

“If you are going online in one of those countries in an internet café or
some place where you don’t know whether data is being sniffed, you should be
particularly careful,” he said.

In general, Thompson suggested that users protect themselves by using “safe
hex” techniques such as keeping different ID and password information for each
site.

“If you have only got one ID and password, you are only as good as the
security of every one of them,” he said.

“If one of them falls and you have only got one user name and password, then
you’ve let out the keys to the kingdom.”

Shaun Nichols in San Francisco, V3.co.uk, Friday 27 August 2010 at 02:07:00

Security experts are issuing warnings following the discovery of a malware
scam using email attachments.

The attack uses emails claiming to be from delivery service FedEx. The
message claims that the user was unable to receive a package due to an address
error and instructs users to print out an attached form to claim the package.

The attachment, however, contains a malicious .zip file which, when opened,
triggers the malware attack. Security firm Sunbelt Software
identified
the malware as zbot.

Sophos senior technology consultant Graham Cluley said that the attack shows
an interesting twist on the common tactic of hiding malware trojans as email
attachments.

“Unlike many of the other Fedex-related malware attacks we have seen in the
past, the emails carry the message about the failed delivery in the form of an
image rather than text, possibly in an attempt to try to defeat more
rudimentary anti-spam filters,” Cluley said in
a
blog post.

Users are being advised to use common security best practices such as
avoiding suspicious messages and not loading unknown or suspicious file
attachments.

Iain Thomson in San Francisco, V3.co.uk, Thursday 26 August 2010 at 01:23:00

The largest data breach ever suffered by the US military was carried out
using a USB Flash drive, the US deputy defense secretary William Lynn has
revealed.

In an article in the journal Foreign Affairs, Lynn recounted how in
2008 a military laptop in the Middle East was accessed by an operative from a
foreign government who installed malware via a USB Flash drive.

“It was a network administrator’s worst fear: a rogue program operating
silently, poised to deliver operational plans into the hands of an unknown
adversary,” Lynn wrote

“This … was the most significant breach of US military computers ever and
it served as an important wake-up call.”

The US military mounted a huge mission to shut down the malware, dubbed
Operation Buckshot Yankee, and
banned
the use of USB drives on all its systems following the attack. Lynn did not say
what, if any, data was lost.

“Fascinating. Blame the Flash drive,” said Forrester senior analyst John
Kindervag.

“Expect the USB bashing to start again soon. Sysadmins all over will be
buying up the world’s supply of Epoxy resin and shoving those nasty USB ports
full of that goop. Go long on glue manufacturers.”

The US Defense Department has 15,000 networks and seven million devices in
use in dozens of countries, with 90,000 people working to maintain them, Lynn
said. The military had reconfigured its systems since the attack to meet similar
threats.

He also reaffirmed the view,
outlined
by retired US general Michael Hayden at the Black Hat USA conference this year,
that the military now views the online world as its newest operating sphere.

Shaun Nichols in San Francisco, V3.co.uk, Wednesday 25 August 2010 at 23:05:00

Cisco has released a security advisory to address vulnerabilities in a pair
of its products.

The company said that the update will plug security flaws in its Unified
Communications Manager and Unified Presence lines.

The US Computer Emergency Response Team (US-CERT) is advising administrators
to review and install both updates.

For the Unified Communications Manager, the update will patch a pair of
security flaws that could allow denial-of-service attacks. Cisco said that an
attacker could use a specially-crafted Session Initiation Protocol (SIP)
message to trigger a processing error and bring down voice services on a
targeted system.

The Unified Presence patch also addresses the SIP-handling denial-of-service
vulnerabilities within the messaging platform.

Cisco said that it has yet to receive any reports of exploitation in the
wild.

The company said that there are no known workarounds for the vulnerabilities,
though a free update has been posted. Administrators can obtain the updates
through their IT service providers or through the company’s technical assistance
centre.

Cisco’s update comes on the heels of fixes from several other big names in
the industry. Earlier this week Adobe
posted
fixes for its Shockwave player, and Apple
released
an update for OS X.

Iain Thomson in San Francisco, V3.co.uk, Wednesday 25 August 2010 at 12:53:00

Vulnerability disclosures reached record levels in the first half of
2010,according to the latest report from IBM‘s X-Force security team.

The team’s mid-year trend and risk report documented 4,396 disclosed software
vulnerabilities in the first six months of the year, a 35 per cent increase on
2009. This was attributed to software vendors disclosing more data and the
increased number of security researchers now focused on finding flaws in code.

“Throughout the software industry people have got the message about computer
security and are doing more to identify vulnerabilities and as a consequence we
are seeing more,” Tom Cross, manager at X-Force, told V3.co.uk.

“So, paradoxically, code is actually getting more safe, but on the other side
we’re seeing more exploits.”

Of the 2010 disclosures by all software companies, over half still have no
patch available, rising to 71 per cent for critical or high-ranking
vulnerabilities. In the latter case, Google is the worst offender, with 33 per
cent of these important flaws still unpatched.

However, by taking all flaws into account Sun is the worst offender, with 24
per cent of vulnerabilities unpatched.

For the first time in the report’s history, web application vulnerabilities
have reached 50 per cent of all code flaws reported. However, the report found
that the number of problems related to ActiveX has fallen sharply, something
Cross attributed to efforts by Microsoft and others to sort out the issues with
the controls.

As for operating system vulnerabilities, Microsoft had the lion’s share of
critical flaws disclosed so far this year, with Linux, Apple and HP-UX all
seeing significant falls. However, if all types of vulnerability are taken into
account, Apple has had the worst year so far, with Linux following closely
behind.

On the spam front, volumes have continued to grow rapidly and now stand at
their highest level ever. However, in some good news, spammers have been forced
to change tactics by government action in China.

China topped the tables of spam-hosting nations throughout last year, but
the Chinese government has cracked down on company registrations and hosting,
giving only verified operators based in the country a licence to do business.

“You can see the results clearly in our data, the volume of domains hosted in
China dropped off a cliff,” Cross said.

“This is a huge pat on the back for the people who run China’s top level
domain infrastructure.”

As a result of the change, Russia now hosts around two-thirds of all spam
domains, but Cross warned that similar government action there would have
limited success due to the number of countries able to host spammers.

He added that one of the biggest threats on the horizon was state-sponsored
hacking, or Advanced Persistent Threat (APT) as it is sometimes referred to by
the military and others.

This involves highly customised attacks launched against key targets,
including governments and increasingly private sector companies that deal with
commercially valuable information.

“I would expect most, if not every, government is considering state-sponsored
attacks,” he said.

“We used to talk about cyber warfare as a futuristic concept but it’s a
reality.”

Cross recommended that companies identify those employees with access to
sensitive information, give them intensive training on how to avoid falling
victim to an attack, and include a contact in the IT department to liaise with
over suspicious communications.

As for more general threats, the riskiest area of the internet for users is
pornography sites. Around seven per cent of web sites contain pornographic
material and they are the most likely areas to find malware.

“It’s long been the case that if you stroll through the red light district of
the internet you are more at risk from attack,” Cross commented.

Iain Thomson in San Francisco, V3.co.uk, Wednesday 25 August 2010 at 02:24:00

Adobe has issued a patch fixing 20 vulnerabilities in its Shockwave media
player.

The patches cover Adobe Shockwave Player 11.5.7.609 for both the Windows and
Mac platforms, and the company is rating the update as critical.

“The vulnerabilities could allow an attacker, who successfully exploits these
vulnerabilities, to run malicious code on the affected system,” the company said
in a
security
advisory.

Eighteen out of the 20 fixes cover problems that would allow remote code
execution of affected systems. Of the other two, one could allow a
denial-of-service attack while the other flaw would allow a denial attack and
could theoretically be exploited to allow remote code execution, although no
attacks have been spotted in the wild.

Adobe has been plagued by a series of attacks on its software by crackers
looking to exploit the popularity of its software. The company has shifted to a
monthly patching cycle and teamed up with Microsoft to share security
information with third parties.

“Adobe’s doing a very good job at producing solid code and patching, but so
many people are targeting its software,” Tom Cross, manager of IBM X-Force
Research, told V3.co.uk.

“The bottom line is it’s a really popular set of software products and a lot
of people have them on their PCs. If it wasn’t Adobe it would be another
software house.”

Phil Muncaster, V3.co.uk, Saturday 21 August 2010 at 15:29:00

It was a relatively quiet week in security this week, until Thursday, when
the biggest deal of recent years was announced; Intel making
a shock
$7.8bn move for security giant McAfee.

The acquisition works out at around $48 (£30) per share, and McAfee will
operate as a wholly owned subsidiary within Intel’s Software and Services Group.

Intel chief executive Paul Otellini stressed that the deal will help the chip
firm meet the demand from users for a secure computing experience, just as it
has delivered on the demand for improved connectivity and energy efficiency in
the past

However,
analysts
were deeply sceptical about the move, expressing surprise that it was Intel
that had made the move on McAfee after much speculation over the security
vendor’s future.

HP also got in on the M&A action this week with the
acquisition
of Fortify Software for an undisclosed sum. Fortify’s products help
customers to identify, detect and fix software vulnerabilities, reducing risk
and helping to comply with stringent industry regulations such as the Payment
Card Industry Data Security Standard.

Elsewhere there was good news for the security industry as new Gartner
figures
suggested
security software spending will reach a worldwide total of $16.5bn (£10.6bn)
this year as the industry pulls further clear of recession.

Smartphone users were warned to
beware
of an Android application that installs a commercial spying tool on
handsets.

Tap Snake looks like a clone of the 1970s game Snake, but once installed it
runs a piece of Russian surveillance software called GPS SPY. The software
updates a central server on the user’s position every 15 minutes, and cannot be
turned of

And finally RIM’s ongoing problems in India
took a
new turn this week, according to reports. First it emerged that the
BlackBerry maker met with the Indian government and agreed to provide manual
access to BlackBerry instant messages by 1 September, and automated access by
year-end.

It then emerged that Indian officials may have come up with a way of
monitoring encrypted corporate emails sent from BlackBerry devices, according to
a government source. The method involves intercepting and making a copy of a
corporate email at the moment it is sent to a company’s enterprise server, and
then sending it on to the ISP’s monitoring systems.

If RIM agrees to this it could mean the revocation of the proposed ban on BES
email services slated for 31 August.

Shaun Nichols in San Francisco, V3.co.uk, Thursday 19 August 2010 at 02:20:00

Facebook has taken down multiple fake pages following the discovery of a
massive survey scam.

Security firm Sophos said that the scam spread through the social networking
site’s ‘Share’ function, which allows users to display web pages with contacts
on Facebook.

The scam began by offering users a page called “Top 10 funny t-shirt fails.”
Upon clicking the page, the user is asked to fill out a short “verification”
process which concludes with sending the user to a number of third party survey
sites.

In the process, the page uses a script to access the user’s ‘Share’ button,
reposting the link on the user’s news feed and putting everyone on the user’s
friend list at risk of attack.

Additionally, one of the survey sites asks for mobile phone numbers which are
used to subscribe the user to premium text messaging services.

“Instead of tricking the user into liking something, it tricks them into
using the Facebook ‘Share’ feature without requiring the user to acknowledge the
fact that they are sharing it,” said Sophos researcher Onur Komili in a
company
blog post.

The technique is similar to a scam
spotted
on a Facebook earlier this year. That attack covertly activated the user’s
‘Like’ button to spread scam pages on the social networking service.

Iain Thomson in San Francisco, V3.co.uk, Wednesday 18 August 2010 at 20:34:00

City of London police have arrested eight people on suspicion of fraud during
dawn raids in London, Essex, the West Midlands and Middlesbrough.

The gang was charged with fraudulently obtaining mobile phones and SIM cards
using stolen identities and other financial data. The phones were then used to
continuously ring international premium rate phone lines.

“Today we have struck at the very heart of a complex criminal network that
has been targeting the telecommunications industry to steal millions of pounds,”
said Detective Superintendent Bob Wishart of the City of London Police

“Our investigation found a crime gathering momentum. Each month more SIM
cards were being used to make more phone calls to premium rate lines at more
expense to the network provider.”

The police raids also found mobile phones worth £15,000, many still in their
boxes, as well as laptops and SIM cards ready for use.

A police spokesman told V3.co.uk that such scams were possible
because of variations in international telecommunications laws. With such UK
premium services money paid is held in escrow for a while to check for fraud,
but some overseas providers demand the money upfront.

As a result some of the telecommunications companies involved, such as O2,
only discovered the fraud when they tried to bill bogus accounts after paying
for the calls up front.

“This was a sophisticated and organised attempt to defraud mobile phone
operators,” said Adrian Goreham, O2′s general manager of Fraud & Security.

“We are committed to reducing mobile phone crime and have a dedicated team
that monitors and investigates such attempted criminal activity. We are
extremely pleased that our own investigation and the information we have shared
with the City of London Police has resulted in these arrests.”

Iain Thomson in San Francisco, V3.co.uk, Wednesday 18 August 2010 at 03:20:00

Security firms have warned of an Android application that installs a
commercial spying tool on handsets.

Tap Snake looks like a clone of the 1970s game Snake, but once
installed it runs a piece of Russian surveillance software called GPS SPY. The
software updates a central server on the user’s position every 15 minutes, and
cannot be turned off.

During installation the game asks for the right to access certain handset
functions, including GPS. The user must agree to this, but Symantec warned that
people need to be more aware of the dangers of simply allowing installation of
new code.

“It shows how new mobile threats are evolving and emerging,” said the
Symantec Security Response team in a
blog
post.

“Our advice for users of smartphones is to be careful of what you install,
and always check whether the application you’re installing is asking for rights
it doesn’t really need.”

F-Secure also
warned
about the software, saying that the app will be removed from the Android
Market and that Google should consider using its Remote Application Removal
feature to eliminate the software completely.

Google has used this so-called
Android
kill switch before, but it is not likely to be considered in this case since
the download rates for Tap Snake are low and mobile security software can remove
the rogue application easily.

However, a Google spokesman told V3.co.uk that people need to be on
their guard, and should take note of reviews and comments from other users in
the Android Market.

“When installing an application, users see a screen that explains clearly
what information and system resources the app has permission to access, such as
a phone’s GPS location,” he said. “We consistently advise users to only install
apps they trust.”

Phil Muncaster, V3.co.uk, Saturday 14 August 2010 at 14:58:00

This week was dominated by smartphone security, in particular the RIM’s
continuing struggle to placate foreign governments over access to the encrypted
data of its customers, and new security concerns over the Palm Pre.

First up, the Saudi government apparently decided early in the week that RIM
is doing enough to ease its concerns over not being able to
monitor
encrypted Messenger traffic.

The Saudi Press Agency reported that the Communications and Technology
Commission “permits the continuation of BlackBerry Messenger services in
addition to the continuation of joint work with service providers to fulfil the
remaining requirements”.

However, later on there was bad news for RIM as the
Indian
government issued an ultimatum: make information from BlackBerry Enterprises
Services and BlackBerry Messenger “accessible to law enforcement agencies” by 31
August or face a ban.

Elsewhere, a team at MWR Infosecurity uncovered a
zero-day
flaw in the Palm Pre operating system which allows the handset to be used as
a bugging device. Alex Fidgen, director of MWR, told V3.co.uk that a
specially crafted text message can subvert Palm’s webOS completely.

Over at Apple, the firm issued an update to patch the
iOS
vulnerabilities disclosed earlier this month by iPhone ‘jail-break’
researchers. The updates block remote code execution flaws in the iOS PDF viewer
and IOSurface components which can be exploited through specially crafted web
pages.

It was a big week for security admins too, after Microsoft and Adobe issued
hefty patch updates. Microsoft
issued
14 bulletins addressing 34 vulnerabilities in Windows, Office, Internet
Explorer and Silverlight.

Eight of the 14 bulletins were labelled ‘critical’, the highest of
Microsoft’s security alert levels. If exploited, the vulnerabilities could allow
an attacker to remotely execute malicious code on a targeted system.

Adobe, meanwhile,
patched
six ‘critical’ vulnerabilities in Adobe Flash Player from version 10.1.53.64
downwards, warning that the flaws could allow attackers to take control of a
user’s system

Facebook was
forced
to patch a security hole that left users’ names and profile pictures
available to unrelated users, while M86 Security researchers warned of
another
Zeus attack targeted at the customers of a specific UK bank, which has
compromised over 3,000 accounts and transferred in excess of £600,000 from
victims’ accounts to its creators.

Finally, The
latest
security tests from Virus Bulletin have identified 19 of the 54 security
suites examined as inadequate for VB100 status.

The products were tested on Windows Vista Business Edition SP2 using a
variety of malware and security simulations, and the testers noted a marked
inability of some software to cope with heavy attacks.

Shaun Nichols in San Francisco, V3.co.uk, Saturday 14 August 2010 at 01:43:00

The growing integration of graphics processors into normal computational
tasks could threaten security protections, according to a new report from the
Georgia Tech Research Institute.

The organisation warned that general processing over GPU (GPGPU) platforms
could dramatically increase the success rate for ‘brute force’ password attacks.

GPGPU platforms such as
OpenCL
have taken off recently as chipmakers and developers seek to harness the power
of GPU chips for compute-intensive tasks such as financial analysis or physics
modelling.

The multi-threading capabilities of GPU chips could allow an attacker to
increase the frequency of new password combinations and log-in attempts,
allowing an attack tool to attempt to guess a system password.

The researchers suggested that using the techniques with a normal consumer
graphics card could allow an attacker to easily compromise passwords of up to
seven characters.

Research scientist Joshua Davis said that passwords under 12 characters could
be vulnerable, and that administrators may need to institute alphanumeric
passwords the length of entire sentences to keep their systems secured.

Security authentication vendors are pointing to the report as a call to adopt
two-factor authentication systems which combine conventional account information
with single-use passwords or codes.

“Ultimately, no matter how long and complex you make a password, it can still
easily be hacked or stolen by means such as shoulder-surfing or malware,” said
GrIDsure chief executive Stephen Howes.

“I therefore believe that static passwords have no place in today’s connected
world, and consumers should be offered more effective alternatives that offer
better security without making their lives more complex or inconvenient.”

Iain Thomson in San Francisco, V3.co.uk, Thursday 12 August 2010 at 23:07:00

The latest security tests from
Virus Bulletin have
found 19 of the 54 security suites examined to be inadequate for VB100 status.

The software was tested on Windows Vista Business Edition SP2 with a variety
of malware and security simulations and the testers noted a marked inability of
some software to cope with heavy attacks.

“Most notable this month has been the remarkable level of instability under
pressure noted in many of the products – while our tests do put unusual strain
on products, it is clearly important that security software should continue to
function under pressure, and should not crumble in the face of heavy attack,”
said John Hawes, Virus Bulletin’s Anti-Malware test director.

“Flaky behaviour will certainly not instill a sense of security in users.”

The team also noted that false positive rates were very high, with legitimate
files from Corel, Roxio and Adobe falsely identified as being infected. Kingsoft
and Bkis BKAV scored particularly poorly, but Microsoft’s free security suite
did pass the VB100 test.

“The most important validation of anti-virus quality comes from independent
certification organizations like Virus Bulletin,” said Eric Foster, group
manager for Microsoft Windows marketing.

“It is no surprise that we are very excited that Microsoft Security
Essentials achieved the VB100 award.”

Iain Thomson in San Francisco, V3.co.uk, Thursday 12 August 2010 at 02:56:00

Users of Windows XP Service Pack Two (SP2) may still be able to get security
updates, despite the
lack
of Microsoft support, thanks to a hack rediscovered by researchers at
F-Secure.

SP2 users trying to upload security updates now get an error message, but the
team at F-Secure remembered an old hack that gamers used to run Grand Theft Auto
on older Windows systems. Altering the registry code by one digit fools
Microsoft’s servers into accepting the host system as running SP3 and allows the
installation of current security patches.

“It turns out that an SP2 system will think it’s SP3 if you edit this key:
HKLM\System\CurrentControlSet\Control\Windows, and edit the DWORD value
CSDVersion from 200 to 300 (and reboot),”
said
F-Secure.

“It worked for GTA IV, so we decided to test it with KB2286198. And our test
worked, WindowsXP-KB2286198-x86-ENU.exe installed on our SP2 test system once we
tweaked the registry. We also tested an LNK exploit, and it did not infect the
system after the patch.”

Users of older versions of XP are being
urged
by Microsoft to upgrade their systems but many are proving
slow
to do so. Security consultant Dale Pearson said that while the hack seemed
to work users shouldn’t expect such easy fixes in the future.

“I recommend people carry out their own testing, and then, if appropriate,
look to apply this patch as an interim measure,” he said.

“However it is still important to update your systems to XP Service Pack 3 or
to Windows 7, as this issue will continue, and you may not be so lucky next
time.”

Iain Thomson in San Francisco, V3.co.uk, Thursday 12 August 2010 at 02:21:00

A team at MWR Infosecurity has uncovered a zero-day flaw in the Palm Pre
operating system which allows the handset to be used as a bugging device.

Alex Fidgen, director of MWR, told V3.co.uk that a specially crafted
text message can subvert Palm’s webOS completely.

The flaw allows the phone to be used as a recorder and transmitter for
anything within its microphone’s range.

“You receive a specially crafted business card and, once you open it, game
over,” said Fidgen. “We were surprised to find the lack of security architecture
we needed to exploit in the way that we did.”

Palm’s security systems do not use sandboxing in this case, unlike the
security precautions seen in Google’s code, Fidgen explained.

Palm, now
part
of HP, did not return requests for comment.

MWR also disclosed a flaw in older versions of the cross-platform WebKit
layout tool which could allow an attacker to harvest user log-ins and passwords
for sites visited on a handset.

The vulnerability has been fixed in Android 2.2, a Google spokesman told
V3.co.uk.

“This is a bug which is not exclusive to Android and that can only be
triggered if users visit a malicious web site or access a malicious Wi-Fi
network via their mobile phone,” he said.

“We are not aware of any users having been affected by this bug to-date, and
it has been fixed in the latest version of Android. As always, mobile phone
users can protect themselves by only visiting web sites and using Wi-Fi networks
they trust.”

Iain Thomson in San Francisco, V3.co.uk, Wednesday 11 August 2010 at 01:39:00

Android users are at risk from the first SMS malware targeted at the open
source operating system
according to security
firm Kaspersky.

The Trojan, dubbed Trojan-SMS.AndroidOS.FakePlayer.a, arrives disguised as a
13kb media file application which, once downloaded, notifies the user that it
requires access to the SMS system of the phone. However, once installed, the
phone then text messages a premium rate phone number

“The IT market research and analysis organization IDC has noted that those
selling devices running Android are experiencing the highest growth in sales
among smartphone manufacturers. As a result, we can expect to see a
corresponding rise in the amount of malware targeting that platform,” said Denis
Maslennikov, Mobile Research Group manager at Kaspersky Lab.

The company would be bringing out an anti-Android malware product early next
year he said.

There have been incidences of malware targeted at handsets using the Android
operating system for a year or more now, and some handsets were shipped with
malware
preloaded.

But this is the first widely available Trojan Kaspersky said it had seen in
the wild. It primarily affects Russian users but if the malware model is
successful it may be opened up to other users.

Phil Muncaster, V3.co.uk, Tuesday 10 August 2010 at 13:02:00

Malware reached its highest ever levels in the first half of this year,
according to new stats from McAfee, which has urged the industry to go on the
offensive in the fight against cyber criminals.

The
McAfee
Threats Report: Second Quarter 2010 (PDF) recorded six million
malicious files during the quarter, making a total of 10 million for the first
six months of the year.

USB-borne malware, fake anti-virus software and social media specific malware
were the most popular of the 55,000 new threats discovered every day on average.

Unsurprisingly, World Cup related scams and blackhat search engine
optimisation attacks also peaked in the quarter.

“It is obvious that cyber criminals are becoming more in tune with what the
general public is passionate about from a technology perspective, and using it
to lure unsuspecting victims,” said Mike Gallagher, chief technology officer of
global threat intelligence at McAfee.

“These findings indicate that not only should cyber crime education be more
widespread, but security organisations should move from a reactive to a
predictive security strategy.”

This more offensive strategy, as outlined in the
McAfee
Security Journal, requires more proactive law enforcement and a more
cohesive approach by the security community.

Botnet takedowns, end-user education and greater information sharing between
computer users, security professionals and administrators, are all important
aspects, said McAfee.

The vendor also urged the use of increased fines and the public disclosure of
cyber criminals’ names in order to make it more difficult to generate money
from such scams.

Finally, McAfee laid a large chunk of responsibility at the feet of the
Internet Corporation for Assigned Names and Numbers, which it said should take a
stronger stance on cyber crime because it is responsible for approving the
registrants that sell the domains used to host malicious sites.

The calls echo those made by the Serious Organised Crime Agency earlier this
year, when it highlighted the
problem
of DNS abuse, calling for a “minimum standard for registrations”.

V3.co.uk staff, V3.co.uk, Friday 6 August 2010 at 15:10:00

Our look at the top 10 most anticipated smartphones was the runaway hit with
V3.co.uk readers this week, followed by a warning of solar storm
disruption.

The hackers have been busy, meanwhile, offering an iPhone 4 jailbreak tool
and the ability to run Apple’s FaceTime app over 3G, along with a hack that
allows eavesdropping on GSM mobile calls.

Also popular was an Eclipse plug-in for Oracle developers, an out-of-band
Windows patch, the HTC Desire Android 2.2 update, and the United Arab Emirates
banning BlackBerry services.

Top
10 most anticipated smartphones


Don’t upgrade your mobile before reading our pick of the hottest devices coming
soon

SANS
Institute warns of solar storm disruption


Satellite and radio communications could face problems

Hackers
publish iPhone 4 jailbreak tool


JailbreakMe allows users to install non-Apple approved apps

Oracle
offers Eclipse plug-ins to developers


Oracle Enterprise Pack features improved debugging

FaceTime
over 3G comes to jail-broken iPhone 4


My3g app offers 3G video calls on cracked handsets

Microsoft
to release out-of-band Windows patch


Emergency fix issued for Windows shortcut bug

HTC
Desire Android 2.2 update landing this weekend


Smartphone will synchronise with iTunes and offer 720p video capture

United
Arab Emirates to ban BlackBerry services


Country’s telecoms watchdog raises concerns about offshoring of data

UK
government refuses to upgrade from IE6


Too costly to the taxpayer, says Downing Street in response to petition

Researcher
unveils techniques for GSM hacking


Demonstration shows how mobile call data could be gathered

Iain Thomson in San Francisco, V3.co.uk, Friday 6 August 2010 at 04:33:00

A frequency analysis study of the words used in different types of spam has
revealed the tactics used by spammers.

Research conducted by MessageLabs Intelligence into short URL spam split the
data into four types: sales spam, phishing, malware and targeted attacks. In
each case it classified the words used in the headers into a top 10 format.

The most common word in sales spam was ‘Viagra’, reflecting the popularity of
pharmaceutical sales, which makes up around three quarters of all sales spam
messages. ‘Prices’ was the second most common word, with ‘special’ and
‘discount’ also polling highly.

For both phishing and malware spam the top word was ‘account’, showing the
financial targets commonly sought by the spammers. ‘PayPal’ was popular with
phishers while malware writers favoured ‘attached’ or ‘attachment’, a favourite
attack vector.

However, ‘please’ was the top word for targeted attacks, and it was also in
the top five for phishers and malware spam.

“Politeness is a factor in successful spam,” Paul Wood, MessageLabs
Intelligence senior analyst, told V3.co.uk.

“When we look at malware the social engineering component is the most
important. It’s no use writing a sophisticated piece of malware if the social
engineering isn’t right”

Targeted spam attacks account for only around 0.02 per cent of all spam he
said, but they are the most dangerous form since it can take weeks or months for
a sample to turn up and a signature file developed by antivirus vendors.

“Even if you have up to date antivirus, no matter how good it is, such
malware can be very difficult to find,” he said.

“The most common method is for the software to be embedded in a document, so
use maximum caution.”

Overall the research found that on average one in every 74,000 spam emails
was answered, with around 120bn spam messages sent every day.

Iain Thomson in San Francisco, V3.co.uk, Friday 6 August 2010 at 03:28:00

Adobe has issued a
security
alert that it will be releasing an out of band patch next week to fix a
critical flaw in its Acrobat and Reader platforms.

The attack vector is a flaw in TrueType that allows a malicious code embedded
in a PDF document to run. The problem was discovered by Charlie Miller,
principal analyst at Independent Security Evaluators, and
disclosed
[PDF] at this year’s
Black
Hat conference.

“The vulnerability is caused due to an integer overflow error in CoolType.dll
when parsing the “maxCompositePoints” field value in the “maxp” (Maximum
Profile) table of a TrueType font. This can be exploited to corrupt memory via a
PDF file containing a specially crafted TrueType font,” said Secunia in an
advisory.

“Successful exploitation may allow execution of arbitrary code.”

The flaw affects Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe
Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat
8.2.3 for Windows and Macintosh.

Miller discovered the problem while testing a new security tool he developed
called BitBlaze. He did not publish exploit code, but gave enough details to
allow exploit code to be designed.

“The updates will address critical security issues in the products, including
CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference
on Wednesday, July 28, 2010,” said Adobe’s product security incident response
team (PSIRT)
blog.

“These security updates will be made available for Windows, Macintosh and
UNIX.”

The team also said that, as far as it is aware, no attacks have been found in
the wild at this time.

Shaun Nichols in San Francisco, V3.co.uk, Friday 6 August 2010 at 03:17:00

Germany is warning iOS users not to visit untrusted sites in the wake of a
recent vulnerability disclosure.

The country’s BSI office of information security noted that if exploited, the
vulnerabilities could allow an attacker to obtain control of, and execute, code
on a targeted iOS device.

The vulnerabilities were
first
discovered and exploited by the iPhonedevteam research group as a method for
remotely performing jailbreak procedures on iPhone 4 handset.

Currently there are no known attack sites targeting the threat, and the site
which performs the unlock procedure clearly notifies users of the jailbreak
procedure and requires approval before launching the process.

The BSI has been especially active in warning users of impending security
risks of late. The group was
among
the first to recommend that users switch to an alternative browser when an
Internet Explorer vulnerability fell victim to exploits earlier this year.

Apple, meanwhile, has told reporters that it is working on a fix for the
flaws and will address the vulnerabilities with its next iOS update. The company
did not give a specific date for the update’s release, however.

Iain Thomson in San Francisco, V3.co.uk, Friday 6 August 2010 at 02:08:00

Researchers at cloud security specialist Zscaler have developed a tool
designed to stop infections from poisoned web pages.

The free
Search
Engine Security tool is designed to mask the browser from attacks where
malicious code is embedded in pages. This code flashes up a fake virus alert or
request for a codec and tries to download malware onto the viewer’s computer.

“We saw that traditional anti-virus was struggling with this kind of attack,
” said Michael Sutton, vice president of security research at Zscaler.

“In general less than a quarter of anti-virus engines were detecting these
binaries because they change so fast. We think we can break the attacks with
this tool.”

Based on Zscaler research, virtually all popular search terms include
malicious content in the top 100 results. In some situations up to 50 per cent
have been malicious, and Google is the primary target.

Such attacks deliver customised software depending on the type of browser. By
masking the referrer, the software is never activated.

“I’m not aware of any tool that covers this issue,” said Julien Sobrier,
senior security researcher at Zscaler. “The tool development didn’t take too
long. What took more time was understanding how search engine optimisation
works.”

The tool is being released for Firefox initially, he said, as it has the best
developer toolkit for add-ons. If it proves popular Zscaler could port it to
other browsers.