<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; For technologists</title>
	<atom:link href="http://lastwatchdog.com/category/for-technologists/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Thu, 02 Sep 2010 23:04:54 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Spanair crash shows deadly result of using tainted USB stick</title>
		<link>http://lastwatchdog.com/infectious-usb-stick-implicated-deadly-spanair-jetliner/</link>
		<comments>http://lastwatchdog.com/infectious-usb-stick-implicated-deadly-spanair-jetliner/#comments</comments>
		<pubDate>Mon, 23 Aug 2010 01:26:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7298</guid>
		<description><![CDATA[A virus-carrying USB thumb drive has been implicated in the 2008 crash of a Spanish jetliner, the deadliest air disaster in Spanish history.
Packed with vacationers,   Spanair Flight JK5022 smashed into the ground shortly after takeoff from Madrid&#8217;s Barajas international airport, bound for the Canary Islands. The Aug. 20, 2008 tragedy killed 154 of 172 [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-7300" href="http://lastwatchdog.com/infectious-usb-stick-implicated-deadly-spanair-jetliner/spanair_crash150px/"><img class="alignleft size-full wp-image-7300" title="Spanair_crash150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Spanair_crash150px.jpg" alt="" width="150" height="135" /></a>A virus-carrying USB thumb drive has been implicated in the 2008 crash of a Spanish jetliner, the deadliest air disaster in Spanish history.</p>
<p>Packed with vacationers,  <a href="http://www.reuters.com/article/idUSLK27234920080820"> Spanair Flight JK5022</a> smashed into the ground shortly after takeoff from Madrid&#8217;s Barajas international airport, bound for the Canary Islands. The Aug. 20, 2008 tragedy killed 154 of 172 souls on board the Boeing MD-80 jetliner.</p>
<p><a href="http://translate.google.com/translate?js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=1&amp;eotf=1&amp;u=http%3A%2F%2Fwww.elpais.com%2Farticulo%2Fespana%2Fordenador%2FSpanair%2Fanotaba%2Ffallos%2Faviones%2Ftenia%2Fvirus%2Felpepuesp%2F20100820elpepinac_11%2FTes&amp;sl=es&amp;tl=en">El Pais cites </a>a 12,000-page investigative report that outlines how a computer infection, spread via an infected USB thumb drive, may have been a contributing factor. A malicious program precipitated failures in a fail safe monitoring system at the airline&#8217;s headquarters in Palma de Mallorca. The system  was slow in sending out alerts that might have led to delaying or canceling the departure.</p>
<p><em><strong><a href="https://docs.google.com/fileview?id=0B0pfYzMV8pNBOGMxZTkxZWUtMDE0NC00MTA1LWIxNDUtNzlmMjNkZGViMDk3&amp;hl=es">Click here </a>to see a PDF copy of the 96-page CIAIAC crash report summary; it&#8217;s in Spanish.</strong></em></p>
<p>Instead, the jet took off with flaps and slats retracted rather than extended to boost the lifting surface of the wing. The pilots also should have detected something amiss during pre-flight checks, and internal cockpit warnings should have triggered.</p>
<p>Rick Wanner, threat expert at the SANS Institute&#8217;s Internet Storm Center, says the revelation shows how disruptive malicious programs can be to the controls of any complex network at any big organization. &#8220;I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome,&#8221; says Wanner in this <a href="http://isc.sans.edu/diary.html?storyid=9433">blog post.</a></p>
<p><strong>Hot attack vector</strong></p>
<p>Infectious USB thumb drives helped spread the infamous <a href="http://lastwatchdog.com/conficker-reactivates-spreading-pitches-fake-antivirus/">Conficker worm,</a> and more recently, helped elite attackers launch the <a href="http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/">Stuxnet worm,</a> which pioneered a new way to corrupt Siemens&#8217; <a href="http://www.symantec.com/connect/blogs/w32stuxnet-network-information">SCADA</a> (supervisory control and data acquisition) systems used to run power plants and industrial factories.</p>
<p>Jose Nazario, senior manager of security research at Arbor Networks, notes that USB thumb drive attacks take advantage of security weaknesses in Windows autorun, a basic component built into the Windows operating system. Microsoft added autorun to Windows 95 to make it easier for you to install programs from CD disks, and now from thumb drives, as well.</p>
<p><a rel="attachment wp-att-7311" href="http://lastwatchdog.com/infectious-usb-stick-implicated-deadly-spanair-jetliner/jose_nazario90px/"><img class="alignleft size-full wp-image-7311" title="jose_nazario90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jose_nazario90px.jpg" alt="" width="90" height="126" /></a>Nazario says there is an extensive family of malicious programs designed to &#8220;take advantage of the autorun functionality when a USB stick is inserted.&#8221;</p>
<p><strong>Autorun easy to attack</strong></p>
<p>He says it&#8217;s not very difficult to mount an autorun attack. <a href="http://virusanalysts.blogspot.com/2007/11/preventing-autorun-infection.html">Online discussions</a> are widespread. Bad guys are able to bypass firewalls, intrusion detection systems and other external-facing defenses and load a malicious program from a machine inside the soft, gooey innards of an organization&#8217;s network.</p>
<p>Several other tech security experts LastWatchdog interviewed at the Black Hat cybersecurity conference and Defcon hackers event last month in Las Vegas said they are wary of using randomly acquired USB sticks.</p>
<p>Nazario says they are the equivalent of reusing dirty hypodermic needles. At conferences, it has become routine for participants to exchange slide shows, press kits and what have you via USB sticks. The rapid spread of autorun-triggered viruses suggests the bad guys are just as routinely slipping infected USB sticks into the mix. Says Nazario:</p>
<blockquote><p>Think about how many USB sticks you have, you&#8217;re probably undercounting. Everyone does. I just found one in my bag I didn&#8217;t realize was there. I get them at a lot of conferences I go to. Now think about how many sticks in the past month your laptop has had used with it, and think about how many other systems you have used your USB sticks on. This is like those classic HIV commercials, where you&#8217;re with everyone that person has been with before.</p></blockquote>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/infectious-usb-stick-implicated-deadly-spanair-jetliner/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Shifting dynamics trigger Intel&#8217;s McAfee acquisition; is Symantec next?</title>
		<link>http://lastwatchdog.com/intel-mcafee-merger-lead-security-built-processing/</link>
		<comments>http://lastwatchdog.com/intel-mcafee-merger-lead-security-built-processing/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 21:07:31 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7270</guid>
		<description><![CDATA[The 60% share-price premium McAfee CEO Dave DeWalt got Intel to pay to acquire McAfee doubled the share-price premium DeWalt garnered the last time he flipped a mid-sized tech company to a giant corporation.
In 2003, DeWalt, then CEO of Documentum, sold the content management firm to EMC, for $1.9 billion, at a share price that [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-7272" href="http://lastwatchdog.com/intel-mcafee-merger-lead-security-built-processing/dave_dewalt150px/"><img class="alignleft size-thumbnail wp-image-7272" title="Dave_DeWalt150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Dave_DeWalt150px-150x150.jpg" alt="" width="150" height="150" /></a>The <a href="http://www.usatoday.com/money/industries/technology/2010-08-19-intel-mcafee_N.htm">60% share-price premium</a> McAfee CEO Dave DeWalt got Intel to pay to acquire McAfee doubled the share-price premium DeWalt garnered the last time he flipped a mid-sized tech company to a giant corporation.</p>
<p>In 2003, DeWalt, then CEO of Documentum, sold the content management firm to EMC, for $1.9 billion, at a share price that translated into a 29% premium, says Daniel Ives, tech industry analyst at FBR Capital Markets.</p>
<p>&#8220;Dave DeWalt has the magic touch, in regards to building an organization that shows growth, and also highlighting its potential,&#8221; says Ives. &#8220;This is the second time he&#8217;s done it.&#8221;</p>
<p>To polish up Documentum for sale, DeWalt led the company through nine consecutive quarters of growth, including four acquisitions. He then went to work for EMC, leading its content management and archiving software division. He left EMC in 2007 to take the reins as CEO of then-struggling McAfee.</p>
<p>Again he steered a course of growth through acquisitions and aggressive salesmanship; in negotiating with Intel, he was able to boast that he had turned around McAfee into a double-digit annual growth company with nearly 80 percent gross profit margin.</p>
<p><strong>Fair acquisition price</strong></p>
<p>Andrew Jaquith, tech security industry analyst at Forrester, notes in <a href="http://blogs.forrester.com/andrew_jaquith/10-08-19-intel_mcafee_horseless_carriage_vendor_buys_buggy_whips">this post </a>that the $7.7 billion Intel will pay for McAfee, when the deal closes, translates into roughly five times the last trailing four quarters&#8217; revenues, about typical for M&amp;A deals in the security industry.</p>
<p>&#8220;The price is not so high that it makes Intel look like Daddy Warbucks, but not so low that it looks like McAfee was desperate to sell,&#8221; observes Jaquith.</p>
<p>DeWalt&#8217;s new boss, Renee James, Intel&#8217;s senior vice president of software and services, has assigned him to run McAfee pretty much as is: a fast-growing, highly profitable, wholly owned subsidiary.</p>
<p>In a LastWatchdog interview, James declined to give much detail about longer range plans to infuse McAfee&#8217;s security expertise into Intel&#8217;s struggling Atom chip for Internet-connected mobile devices. &#8220;It&#8217;s true in mobile solutions that we will have more enhanced security hardware,&#8221; said James. &#8220;It is an accurate assumption that in the mobile devices market we will be doing integration into the chip.&#8221;</p>
<p>Exactly what security features Intel embeds into its Atom chip &#8212; and whether a robust market emerges for a security-enhanced mobile-devices chip &#8212; remain to be seen.</p>
<p>But there is no question mobility, in general, has a big future in tech. Internet-connected smartphones, netbooks, e-readers and tablets are increasing in usage. All big tech and media companies want to ride the wave. Yet, at this juncture, neither Intel nor McAfee is a serious player in the mobility market, says Jaquith.</p>
<p>&#8220;This deal doesn&#8217;t improve their prospects,&#8221; he says. &#8220;In the mobile market, Intel has had its lunch eaten by ARM Holdings, a company whose energy-efficient designs have underpinned the chips of choice on mobile devices like Apple&#8217;s iPad.&#8221;</p>
<p>For McAfee&#8217;s part, DeWalt&#8217;s recent acquisitions of mobile security companies Trust Digital, tenCube and Solidcore look prescient, and certainly added to his sales pitch to Intel. But the revenue those firms bring to the table is small potatoes. &#8220;McAfee deserves credit for thinking outside the PC box, but its execution in this area is, at best, in the early stages,&#8221; says Jaquith.</p>
<p>Concocting and executing a viable strategy to somehow boost Intel&#8217;s Atom chip for mobile devices by tying in a McAfee security contribution will be a big challenge for DeWalt.</p>
<p><strong>Shifting consumer AV market</strong></p>
<p>But even before he tackles security for the Atom chip, DeWalt must prove that the shiny apple he sold Intel is, indeed, as tasty as it looks on paper.</p>
<p>McAfee reported net revenue from its consumer security market increased $32.0 million, or 9%, to $381.0 million in the six months ended June 30, 2010. That accounts for nearly 40% of its revenue, a major factor in the price Intel agreed to pay for McAfee.</p>
<p>But the long-lucrative consumer PC antivirus market is mature, portending slow growth. Yet it remains highly competitive. And it is also in flux. More and more PC users are content to use free basic antivirus protection from AVG, Avira, Panda Security, Immunet and others. These suppliers make money by upselling trial users to paid versions.</p>
<p>And a new wild card in this &#8220;free&#8221; protection segment is Microsoft Windows Essentials, which is completely free; Microsoft has nothing to upsell.</p>
<p>McAfee, Symantec and Trend Micro sell to consumers primarily by cutting deals with Dell, H-P, Acer, Lenovo and Sony to install free trial versions on new Windows 7 PCs.</p>
<p>Oliver Friedrichs, CEO of startup Immunet, who has made career stops at McAfee and Symantec, contends that suppliers offering free basic protection tied to upselling will inevitably overtake the giants who market free-trial versions on new PCs.</p>
<p>&#8220;The antivirus industry is seeing significant deterioration due to the free antivirus software market,&#8221; says Friedrichs, adding that usage of free basic antivirus by U.S. computer users is approaching 50%. &#8220;This has not only taken away opportunity for (free-trial) antivirus vendors, but it is deteriorating existing market share as well.&#8221;</p>
<p>How well DeWalt navigates this shifting of the consumer market remains to be seen. Financial services firm UBS expects McAfee to become less aggressive on pricing under Intel. That should benefit its arch rival Symantec, whose share price is trading near its two-year low. UBS is even projecting that unless Symantec takes advantage and breathes life into its share price it could become an acquisition target of the likes of Oracle, IBM, Cisco or Hewlett-Packard.</p>
<p><strong>Clashing cultures</strong></p>
<p>Meanwhile, DeWalt almost certainly will also have to deal with a clash of corporate cultures. Gartner tech security industry analyst Peter Firstbrook points out that the marriage of a hard-charging software sales company and an entrenched chip manufacturer lacks any intrinsic synergy.</p>
<p>&#8220;Chip vendors work on long-term, well-planned cycles, while security companies have to be much more reactive to market conditions,&#8221; says Firstbrook. &#8220;Intel is a dominant player in their market and driven by staid engineering culture while McAfee is a scrappy west coast sales-driven company.&#8221;</p>
<p>DeWalt, who is a University of Delaware Hall of Fame champion collegiate wrestler, told LastWatchdog that he is pumped up to grapple with all of these challenges:</p>
<blockquote><p>I stayed for a long time afterward with EMC, making it successful with Documentum, and I&#8217;m going to do the same thing here with Intel, making this successful for them. Our visions are very similar, the strategies are similar, it&#8217;s going to be a pleasure to really help bring security benefits to the world. I think this is just a great combination, I can&#8217;t tell you how excited my employees are. And, clearly, all of our partners are excited, because they can make more money, and do more things together too. So there are lots of very positive aspects to this.</p></blockquote>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/intel-mcafee-merger-lead-security-built-processing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How DNS, the backbone of the Internet, is being shored up</title>
		<link>http://lastwatchdog.com/dns-backbone-internet-secure/</link>
		<comments>http://lastwatchdog.com/dns-backbone-internet-secure/#comments</comments>
		<pubDate>Fri, 13 Aug 2010 23:18:34 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7164</guid>
		<description><![CDATA[Two recent developments having to do with Domain Name System, or DNS, should help substantively shore up cybersecurity over the long haul.
VeriSign this week launched a new managed DNS service aimed at helping companies and organizations &#8212; especially small- and medium-sized firms &#8212; run more smoothly and better defend against denial of service attacks.
That follows [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-7166" href="http://lastwatchdog.com/dns-backbone-internet-secure/dnssec/"><img class="alignleft size-thumbnail wp-image-7166" title="DNSSEC" src="http://lastwatchdog.com/wp/wp-content/uploads/DNSSEC-150x150.jpg" alt="" width="150" height="150" /></a>Two recent developments having to do with Domain Name System, or DNS, should help substantively shore up cybersecurity over the long haul.</p>
<p>VeriSign this week<a href="http://www.verisign.com/managed-dns/index.html"> launched</a> a new managed DNS service aimed at helping companies and organizations &#8212; especially small- and medium-sized firms &#8212; run more smoothly and better defend against denial of service attacks.</p>
<p>That follows the<a href="http://www.theinquirer.net/inquirer/news/1725533/black-hat-icann-diy-dns-certification-revolution"> big announcement</a> late last month at the Black Hat cybersecurity conference in Las Vegas by the Internet Corporation for Assigned Names and Numbers.  ICANN rolled out a new standard the tech community has been hashing over for more than a decade, called DNS Security Extensions.</p>
<p>DNSSEC is being hailed as the  cornerstone of the Internet of the near future, one in which it will be much more  difficult for cybercriminals to redirect Internet users to web sites erected to infect visitors&#8217; PCs  with malicious programs.</p>
<p>DNS is the backbone of the Internet. It involves a series of steps to connect a domain name, such as lastwatchdog.com, to its actual numerical location on the Internet, all in a few moments&#8217; time.</p>
<p>&#8220;A lot of people don&#8217;t know just how critical DNS is,&#8221; says Matt Larson, VeriSign vice president of DNS research. &#8220;If DNS doesn&#8217;t work things come to a screeching halt.&#8221;</p>
<p>VeriSign runs some 140 data centers around the world that assign and keep track of the IP addresses for all .com and .net Web sites on the planet. It carries out the final step of connecting a domain name &#8212; the word preceding .com or .net in a Web address &#8212; to its actual numerical location on the Internet.</p>
<p>VeriSign recently sold off its Checkmark authentication unit to antivirus giant Symantec for $1.28 billion in cash, to focus on this &#8220;root-level&#8221; naming service.</p>
<p>However, the company launched VeriSign Managed DNS this week to directly provide businesses and organizations with a new service that will monitor their Web servers and handle the DNS traffic that occurs just before the root-level connection is made.</p>
<p>VeriSign is pitching its new service as an inexpensive, secure way to keep company websites, email and Web systems live and available, freeing IT staff to do other things. In the event of an outage or service disruption, VeriSign will quickly redirect Internet traffic to backup systems.</p>
<p>&#8220;DNS is what we do for a living,&#8221; says Ben Petro, VeriSign senior vice president of  network intelligence and availability. &#8220;It is in our best interest to make sure .com and .net are safe and stable.&#8221;</p>
<p>Petro acknowledges it will be difficult to get many of the top 1,000 companies doing business on the Internet, virtually all of whom use rival Neustar UltraDNS, to switch to its new managed DNS offering. So VeriSign is gearing its marketing toward small- and medium-sized businesses, many of whom manage DNS in house. And it is offering a free three month trial, including 24-hour phone support.</p>
<p>The accelerating use of Internet-connected smartphones and mobile devices, like the iPad, to conduct commerce has drastically complicated the Web&#8217;s underpinnings. The fundamental steps to resolve a domain name to its numerical address are becoming increasingly complex. &#8220;Most organizations are struggling to maintain high availability of these systems,&#8221; says Petro.</p>
<p>As for DNSSEC, it should over time make it much more difficult for cybercriminals to spoof responses flying back and forth to resolve a domain name to an IP address. The banking Trojans now plaguing the Internet all circle back to the ability of hackers to readily create false identities within DNS.</p>
<p>&#8220;Today it&#8217;s trivially easy to spoof the DNS response,&#8221; says Larson. &#8220;That’s where man in the middle attacks can get involved. The attacker can slip in a spoofed response that beats the legitimate response back to you.&#8221;</p>
<p>DNSSEC incorporates digital certificates into the process. It is designed to make it next to impossible for criminals to counterfeit. While the foundation is in place, it is expected to take years for corporations, ISPs and infrastructure entities to fully embrace and implement the new standard.</p>
<p>Still, Rod Beckstrom, ICANN president and CEO, uncorked several bottles of champagne for reporters and analysts at the conclusion of the Black Hat news conference unveiling DNSSEC.</p>
<p>&#8220;This is, by any measure, an historic development,&#8221; said Beckstrom. &#8220;This security upgrade matters to everyone who uses a computer, and that means most of us.&#8221;</p>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/dns-backbone-internet-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google-Verizon call for Congressional ban on Net Neutrality for mobile devices</title>
		<link>http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/</link>
		<comments>http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 17:02:21 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7106</guid>
		<description><![CDATA[Google on Monday reversed its long-held support of Net Neutrality &#8212; the notion that all Web sites should be equally available to all persons &#8212; and joined forces with Verizon calling for new federal laws that would reshape the Internet. Howls of protest instantly erupted from consumer advocacy groups.
MoveOn.Org Civic Action, Credo Action, the Progressive [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_7107" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-7107" href="http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/eric-schmidt_150px/"><img class="size-full wp-image-7107" title="Eric Schmidt_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Eric-Schmidt_150px.jpg" alt="" width="150" height="163" /></a><p class="wp-caption-text">CEO Eric Schmidt</p></div>
<p>Google on Monday reversed its long-held support of Net Neutrality &#8212; the notion that all Web sites should be equally available to all persons &#8212; and joined forces with Verizon calling for new federal laws that would reshape the Internet. Howls of protest instantly erupted from consumer advocacy groups.</p>
<p>MoveOn.Org Civic Action, Credo Action, the Progressive Change Campaign Committee, ColorofChange.org and Free Press and other members of the SavetheInternet.com Coalition, issued a <a href="http://www.freepress.net/press-release/2010/8/9/google-verizon-pact-worse-feared">joint statement </a>mincing no words.</p>
<p><em>&#8220;The Google-Verizon pact isn’t just as bad as we feared — it’s much worse. They are attacking the Internet while claiming to preserve it.&#8221;</em></p>
<p>In a nutshell, Google and Verizon want federal laws that would:</p>
<ul>
<li>Enable an Internet with upper tiers.</li>
<li> Ban Net Neutrality on Web-connected mobile devices.</li>
<li>Restrict the Federal Communications Commission&#8217;s oversight of the Internet.</li>
</ul>
<p><strong>Special-interest Internet</strong></p>
<p><a rel="attachment wp-att-7123" href="http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/jeffrey_chester_90px-2/"><img class="alignleft size-full wp-image-7123" title="jeffrey_chester_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jeffrey_chester_90px1.jpg" alt="" width="90" height="122" /></a>Jeffrey Chester, executive director of the Center for Digital Democracy, says the companies are trying to create  &#8220;purposeful digital loopholes  so companies like Verizon and Google, and other well-endowed players,  can dominate the future of the Internet.&#8221;</p>
<p>The laws they want Congress to enact &#8220;potentially would enable them to create the kind of special first class web distribution service that undermines the goals of network neutrality,&#8221; says Chester. &#8220;Instead of the Internet, we&#8217;d have a special interest Web.&#8221;</p>
<p>John Simpson, director of Consumer Watchdog, concurs. He says the Google-Verizon proposal  &#8220;pays lip service&#8221;  to Net Neutrality and contains two fundamental flaws.</p>
<p><a rel="attachment wp-att-7134" href="http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/john_simpson90px-3/"><img class="alignleft size-full wp-image-7134" title="John_simpson90px" src="http://lastwatchdog.com/wp/wp-content/uploads/John_simpson90px2.jpg" alt="" width="90" height="131" /></a>&#8220;First, it sets up a two-tiered structure. There would be a so-called &#8216;Public Internet,&#8217; but then the ISPs would be allowed to offer new premium services outside that basic service,&#8221; he says. &#8220;How long do you think anything of interest would be available on the &#8216;Public Internet&#8217;?</p>
<p>&#8220;Second, no neutrality principles would apply to the wireless world. Everyone agrees mobile is clearly the Internet&#8217;s future. Allowing data discrimination in the broadband wireless world completely undermines the future of the Internet.</p>
<p>&#8220;Essentially, this proposal is nothing more than two corporations meeting together and trying to carve up the Internet for their own advantage,&#8221; says Simpson.</p>
<p><strong>Reader responds </strong></p>
<p>You can read the full text of what Google and Verizon are lobbying Congress to legislate by <a href="http://www.scribd.com/doc/35599242/Verizon-Google-Legislative-Framework-Proposal">clicking here.</a> The most recommended comment to the online version of  <a href="http://www.usatoday.com/tech/news/2010-08-09-google-verison-net-neutrality_N.htm">my page 3B story</a> in today&#8217;s print editions of USA Today comes from usatoday.com reader jefflz:</p>
<p><em>&#8220;The deception of (Google CEO Eric) Schmidt is unforgivable. He talks about an open &#8220;wire line&#8221; internet deliberately leaving the impression all is right with the internet world. Excluded from the so-called policy statement is the wireless internet which includes all mobile devices. This is the market Verizon wants to control big time.</em></p>
<p><em>Comcast can have cable- but Verizon/Google will be stomping all over all present and future wireless internet users (4G, 3G and all future G). Come on Eric. &#8211; do you take us all for a bunch of fools? You want to keep the pristine image of Google as defenders of Net Neutrality but you are selling the future internet down the river. Such hypocrisy is unforgivable. Google has raised its true flag and it is the flag of Big Brother and Corporate Control. We must all join forces and fight this destruction of internet openness.</em></p>
<p><em>Down with Google!! We need to promote and support open source search engine development &#8211; or any service provider that truly embraces Net Neutrality and does not lie to the public like Eric Schmidt and his Google crowd. I would implore all disappointed Google employees to bail out and start planning for a time when your employment contracts will permit you to create a monster Google competitor. There is a Wiki oriented public prepared to help pay for this freedom. Let&#8217;s all vow to terminate our GMAIL accounts and stop using Google software of any sort.&#8221;</em></p>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-verizon-call-congressional-ban-net-neutrality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will Apple&#8217;s patch be in time to stem iPhone, iPad malicious attacks?</title>
		<link>http://lastwatchdog.com/apples-patch-time-stem-iphone-ipad-malicious-attacks/</link>
		<comments>http://lastwatchdog.com/apples-patch-time-stem-iphone-ipad-malicious-attacks/#comments</comments>
		<pubDate>Sat, 07 Aug 2010 22:35:24 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7070</guid>
		<description><![CDATA[LastWatchdog has confirmed that Apple  has now  completed a patch for a milestone security flaw that makes it possible to remotely hack —or jailbreak — iOS, the operating system for iPhones, iPads and iPod Touch.
But company spokeswoman Natalie Kerris told LW late Friday that  she could give no hints about when the patch would go [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-7085" href="http://lastwatchdog.com/apples-patch-time-stem-iphone-ipad-malicious-attacks/jailbreaking_tightcrop_175px/"><img class="alignleft size-full wp-image-7085" title="Jailbreaking_tightcrop_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jailbreaking_tightcrop_175px.jpg" alt="" width="175" height="163" /></a>LastWatchdog has confirmed that Apple has now completed a patch for a <a href="http://content.usatoday.com/communities/technologylive/post/2010/08/apple-working-on-security-patches-for-milestone-iphone-ipad-flaws--/1">milestone security flaw</a> that makes it possible to remotely hack — or jailbreak — iOS, the operating system for iPhones, iPads and iPod Touch.</p>
<p>But company spokeswoman Natalie Kerris told LW late Friday that  she could give no hints about when the patch would go into wide public release.</p>
<p>&#8220;With regard to what you&#8217;re asking about, we&#8217;re aware of this reported issue,&#8221; said Kerris. &#8220;We&#8217;ve already developed a fix, and it will be available to customers in an upcoming software update.&#8221;</p>
<p>This week or a few weeks? asked LW.</p>
<p>&#8220;I don&#8217;t have a specific time frame,&#8221; Kerris said. &#8220;It will be in an upcoming software update.&#8221;</p>
<p>What about wider concerns that this vulnerability opens up a new attack vector?</p>
<p>&#8220;If you&#8217;re talking in general about jailbreaking, with regard to jailbreaking, Apple&#8217;s goal has always been to ensure that our customers have a great experience with their iPhones, and jailbreaking can seriously degrade that experience,&#8221; said Kerris. &#8220;The vast majority of customers do not jailbreak their iPhones. This can violate the warranty, and can cause iPhone to become unstable and not work reliably.&#8221;</p>
<p><strong>Apple&#8217;s conundrum</strong></p>
<p>While publicly saying very little of substance, Apple is clearly wrestling with a difficult security conundrum. The company is suddenly facing the big, nasty elephant Microsoft has somewhat tamed over the past decade &#8212; and Adobe has been forced to come to grips with over the past several months: resolving zero-day vulnerabilities before the bad guys can swoop in and take advantage.</p>
<p>Apple may have a patch ready, but that&#8217;s just half the ball game. The company must coordinate patching with AT&amp;T in the United States and more than a dozen other mobile phone service carriers worldwide. That&#8217;s not easy, says John Hering, CEO of mobile security firm Lookout.</p>
<p>And Apple&#8217;s risk assessment and product liability experts ought to be taking a long, hard look at whether the company&#8217;s current protocols for pushing out security patches to iPhone, iPad and iPod users need a major overhaul. At present, iPad and iPhone users must not only be aware that a security patch is available, they must also manually install the patch via iTunes, says Hering.</p>
<p>That&#8217;s a far cry from how Microsoft&#8217;s finely-tuned Windows Auto Update service pushes out patches for fresh zero-day flaws quickly to most consumers. And Adobe has done much to streamline its patch issuing methodology in recent months. Now it&#8217;s Apple&#8217;s turn.</p>
<p>“We’re in a cat-and-mouse game with openness and security at odds, and consumers stuck right in the middle,” says Hering.</p>
<p><strong>Brand new game</strong></p>
<p>Jailbreaking refers to hacking iOS to download Web apps not approved by Apple. This used to be difficult.</p>
<p>And anyone who did so to his or her iPhone risked Apple shutting down service, or “bricking” the device. This spring a website called jailbreakme.com came along that made it trivial to jailbreak your own iPhone or iPad. Next, the Electronic Frontier Foundation won a federal ruling effectively banning Apple from bricking jailbroken iPhones.</p>
<p>Then last week, a technique for remote jailbreaking appeared on jailbreakme.com. It is now possible to access the operating system of an iPhone or iPad owned by someone else. An attacker would get “fairly complete control of affected devices,” says Michael Price, McAfee Labs&#8217; senior operations manager, Latin America. No such attacks are known to have happened yet, he says.</p>
<p>For the moment, the most visible concern for Apple has been pranksters going into Apple and Best Buy retail stores and jailbreaking floor display models, according to tech blog Engadget. Yet the security and privacy concerns are acute. And the stakes are elevated because iPhones and iPads have come into high profile use in companies and organizations.</p>
<p>Security experts expect the pattern that has come to dominate the PC world to begin to permeate smartphones. Bad guys continually flush out new security flaws in PCs, then tap into them to launch malicious attacks. Good guys, meanwhile, scramble to patch and block.</p>
<p>Now cybercriminals are rapidly adapting PC hacking techniques to all smartphone platforms, including Symbian, Google Android, Windows Mobile, RIM BlackBerry and Apple.</p>
<p>“It’s a brand new game with new rules,” says Dror Shalev, chief technology officer of DroidSecurity, which supplies protection for Google Android phones. “We’re seeing rapid growth in threats as a side effect of the mobile Web app revolution.”</p>
<p>Shalev agrees with LastWatchdog that iOS is starting off intrinsically more locked down than Windows was 10 or 15 years ago. &#8220;Security has come a long way,&#8221; says Shalev. &#8220;Yet there are many more potential security and privacy threats with the growing use of GPS, cameras and microphones.&#8221;</p>
<p><strong>Apple&#8217;s singular exposure</strong></p>
<p>iPhones, in particular, have become a pop culture icon in the U.S., and now the iPad has grabbed the spotlight.</p>
<p>“The more popular these devices become, the more likely they are to get the attention of attackers,” says Joshua Talbot, intelligence manager at Symantec Security Response. &#8220;Once a device is jailbroken, attackers may try to target these devices by attempting to trick users into installing malicious software. Additionally, attackers may target the software installed after a phone has been jailbroken.&#8221;</p>
<p>Talbot says infected iPhones could be used to record phone calls, text messages, emails, and track the location via GPS. Or an attacker could profit by dialing premium rate numbers or purchasing costly apps, in which the attacker has an interest. &#8220;Any data stored or entered into the phone could also be stolen,&#8221; he says. &#8220;This could be sensitive documents, voicemail passwords, passwords to websites such as email and trading sites, etc.&#8221;</p>
<p><a rel="attachment wp-att-7098" href="http://lastwatchdog.com/apples-patch-time-stem-iphone-ipad-malicious-attacks/sorin_mustaca150px/"><img class="alignleft size-full wp-image-7098" title="sorin_mustaca150px" src="http://lastwatchdog.com/wp/wp-content/uploads/sorin_mustaca150px.jpg" alt="" width="90" height="139" /></a>Apple’s exposure is singular. The company has made a big deal about hiding technical details of iOS, allowing only approved Web apps to tie in. This tight control initially made it easier to keep iOS secure. But now Apple may have to share iOS coding with antivirus firms, says Sorin Mustaca, development manager for antivirus firm Avira.</p>
<p>Windows, Google, Nokia and RIM share such coding to help antivirus firms develop protections. “Apple does not allow this, making it challenging for antivirus vendors to create third-party protection for iPhones and iPads,” says Mustaca.</p>
<p><strong>Leveraging opportunity</strong></p>
<p>Pressure is building. Mikko Hypponen, senior researcher at antivirus firm F-Secure, says hackers are likely working on a worm to take control of jailbroken iPads and iPhones.</p>
<p>“My guess is we’ll see it within a week,” says Hypponen. “There’s very little users can do to protect themselves beforehand.”</p>
<p>The Jailbreakme site exploits two distinct iOS vulnerabilities to pull off the hack. The first exploits a bug in Apple software that parses fonts in PDF files. That allows hackers to inject code of their choosing into the document-viewing app. A second bug allows them to break out of a security sandbox built into the devices so the code can access the root of the device.</p>
<p>Even after Apple issues the patch, whenever that turns out to be, it could take weeks or months for most iPads and iPhones to get manually patched. During that gap, McAfee&#8217;s Price says there is little hindering opportunistic cyber gangs from launching campaigns to corrupt unpatched iPads and iPhones on a wide scale.</p>
<p>“This type of incident, in which the mobile phone operating system is subject to malware, demonstrates why it’s safer to have a completely separate inner chip with its own operating software and hardware to protect both subscriber and carrier sensitive data,” says Jean-Louis Carrara, vice president for digital security company Gemalto.  “This can be done with a UICC, a newer version of the Subscriber Identity Module (SIM card) already found in about half of U.S. mobile phones.  The UICC can provide advanced security features and act as a secure storage repository of sensitive personal and financial information that is impervious to malware.”</p>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/apples-patch-time-stem-iphone-ipad-malicious-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft issues emergency patch for &#8220;million dollar&#8221; Windows LNK flaw</title>
		<link>http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/</link>
		<comments>http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 00:21:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=7024</guid>
		<description><![CDATA[Microsoft today rushed out an emergency patch for Windows Vista and Windows 7 PCs just eight days before its next Patch Tuesday.
The software giant issues security patches on the second Tuesday of each month, and only rarely issues so-called out-of-band patches. The company has never issued an emergency patch this close to Patch Tuesday, says [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-7026" href="http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/worms_crop-2/"><img class="alignleft size-thumbnail wp-image-7026" title="worms_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/worms_crop1-150x133.jpg" alt="" width="150" height="133" /></a>Microsoft today rushed out an <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">emergency patch</a> for Windows Vista and Windows 7 PCs just eight days before its next Patch Tuesday.</p>
<p>The software giant issues security patches on the second Tuesday of each month, and only rarely issues so-called out-of-band patches. The company has never issued an emergency patch this close to Patch Tuesday, says Jason Miller, data and security team leader at patch management firm, Shavlik Technologies.</p>
<p>&#8220;Coming out with this patch this close to a Patch Tuesday is severe,&#8221; says Miller. &#8220;People should be paying attention to this one, and patch as soon as possible.&#8221;</p>
<p>Importantly, the emergency patch does nothing for hundreds of millions of PCs still running Windows XP Service Pack 2 and Windows Server 2000, since Microsoft last month <a href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/">stopped issuing security updates</a> for those older versions of its flagship operating system. The company continues to urge Windows XP SP2 users, in particular, to upgrade to Windows XP SP3, which will continue to get security updates, or to buy new Windows 7 PCs.</p>
<p>To be clear, this patch will work on Windows XP SP3, Windows Server 2003 SP2, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. It will not work on Windows XP SP2 or Windows Server 2000.</p>
<p><strong>Million dollar flaw</strong></p>
<p>At the Black Hat and Def Con security conferences in Las Vegas last week, attendees referred to this Windows flaw as a million dollar vulnerability. Like the <a href="http://lastwatchdog.com/faq-downadup-conficker-worm/">RPC-DCOM flaw</a>, which led to the MSBlast and Conficker worms, and the LSASS flaw, which led to <a href="http://lastwatchdog.com/microsoft-pays-250000-bounty-catch-netskysasser/">Sasser</a>, this one affects all versions of Windows. Savvy hackers can tweak a basic Windows component, called LNK. This is the simple coding that enables shortcut program icons to appear on your desktop.</p>
<p>No one in the legit world knew the LNK flaw existed until mid-July, when security blogger <a href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/">Brian Krebs began reporting</a> on a sophisticated worm spreading via USB thumb drives. That worm, known as <a href="http://news.cnet.com/8301-27080_3-20011159-245.html">Stuxnet</a>, took advantage of the newly-discovered LNK flaw to run a malicious program designed specifically to <a href="http://www.symantec.com/connect/blogs/w32stuxnet-network-information">breach Siemens SCADA</a> (supervisory control and data acquisition) software systems. Over a period of months the attackers had infected Siemens SCADA controls in power plants and factories in Iran, Indonesia, India and some Middle East nations, according to antivirus firm Symantec.</p>
<p><a rel="attachment wp-att-7030" href="http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/stuxnet_chart250px-2/"><img class="alignleft size-full wp-image-7030" title="Stuxnet_Chart250px" src="http://lastwatchdog.com/wp/wp-content/uploads/Stuxnet_Chart250px1.jpg" alt="" width="450" height="297" /></a>Not long after the Siemens SCADA attack began to grab headlines, copycat hackers leapt into action, adapting their everyday attacks to include infections spread through the LNK flaw. Researchers at McAfee intercepted faked email messages purporting to come from Microsoft security that, in fact, spread LNK infections by attempting to get the recipient to open an attached zip file. Courtesy of McAfee, here is the text of one such email:</p>
<blockquote><p>From: Security@microsoft.com</p>
<p>Subject: Microsoft Windows Security Advisory</p>
<p>Hello, we are writing to you about a new Microsoft security advisory issue for Windows.</p>
<p>There is a new potentially dangerous software-worm, attacking Windows users through an old bug when executing .ICO files. Although this is quite an old way of infecting software, which first was used in 1982 with Elk Cloner worm, the new technique the new worm is using is more complicated, thus the speed and number of attacs has strongly increased.</p>
<p>Since you are the special Microsoft Windows user, there is a new patch attached to this e-mail, which eliminates the possibility of having you software infected.</p>
<p>How to install: open an attached file &#8220;2286198.zip&#8221; with password &#8220;security&#8221; install it to the base disk C:/ folder, so that the included files adres was &#8220;C:/lol.dll&#8221;</p>
<p>Attachment: 2286198.zip</p></blockquote>
<p>Anyone who followed all of those instructions would be infected with a malicious program that tapped into the LNK flaw. McAfee researcher Craig Schmugar says he doubts many of these email ruses were successful because the user had to complete a series of tasks for an infection to take hold.</p>
<p>However, criminal hackers did not stand pat. Several hacker gangs began incorporating the LNK flaw into their multi-faceted cyberattacks. &#8220;Most of them are using the LNK exploit as a propagation technique,&#8221; says Roel Schouwenberg, senior researcher at Kaspersky Lab.</p>
<p>One cybergang has been spreading a worm, known as Sality, for several months. Sality infections initially get spread via tainted USB thumb drives. Recent versions have begun to tap into the LNK flaw, then spread to computer servers set up to act as shared drives among groups of workers.</p>
<p>Subsequently, any worker who accesses the shared drive gets infected. Each infected machine will corrupt and infect any USB thumb drive inserted into any of its USB ports. The infected PCs also begin to steal account logons and hijack online banking accounts, says Schouwenberg.</p>
<p>Here&#8217;s how Microsoft describes the widening array of attacks spreading via the LNK flaw:</p>
<blockquote><p>Although there have been multiple (malicious software) families that have picked up this vector, one in particular caught our attention this week&#8211;a family named Sality, and specifically Sality.AT. Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. It is also a very large family&#8211;one of the most prevalent families this year.</p></blockquote>
<p>Wolfgang Kandek, chief technical officer of patch management firm Qualys, notes that infections continue to spread via corrupted USB thumb drives. There was much discussion at Black Hat and Def Con about how easy it would be for cybercriminals to tap into the LNK flaw by spreading malicious web links via email and social network messages.</p>
<p>&#8220;Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction,&#8221; says Kandek.</p>
<p>Kandek says Windows 2000 and XP SP2 users are &#8220;now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited.&#8221;</p>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/microsoft-issues-emergency-patch-million-dollar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Poisoned search results, spreading scareware, heat up for 4th of July</title>
		<link>http://lastwatchdog.com/poisoned-search-results-heat-4th-july/</link>
		<comments>http://lastwatchdog.com/poisoned-search-results-heat-4th-july/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 21:08:18 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=6599</guid>
		<description><![CDATA[Scareware purveyors are ramping up for a big weekend poisoning search results.
Achal Khetarpal, research director at antivirus firm CyberDefender, just typed &#8220;4th July dessert recipes&#8221; as a Bing query  and got this innocuous-looking,  but highly invasive,  link  as the 10th ranked result:
This is step one of a ruse spread by one [...]]]></description>
			<content:encoded><![CDATA[<p>Scareware purveyors are ramping up for a big weekend poisoning search results.</p>
<p>Achal Khetarpal, research director at antivirus firm CyberDefender, just typed &#8220;4th July dessert recipes&#8221; as a Bing query and got this innocuous-looking, but highly invasive, link as the 10th ranked result:</p>
<p><a rel="attachment wp-att-6611" href="http://lastwatchdog.com/poisoned-search-results-heat-4th-july/4th-of-july_poison_result450px_edited-1-2/"><img class="alignleft size-full wp-image-6611" title="4th of July_poison_result450px_edited-1" src="http://lastwatchdog.com/wp/wp-content/uploads/4th-of-July_poison_result450px_edited-11.jpg" alt="" width="438" height="212" /></a>This is step one of a ruse spread by one of the most active scareware gangs out there selling worthless software called Security Master AV. Clicking on the poisoned result instantly launched the fake scan and promotion for Security Master AV:</p>
<p><a rel="attachment wp-att-6612" href="http://lastwatchdog.com/poisoned-search-results-heat-4th-july/4th-of-july_fake-scan_450px/"><img class="alignleft size-full wp-image-6612" title="4th of July_fake scan_450px" src="http://lastwatchdog.com/wp/wp-content/uploads/4th-of-July_fake-scan_450px.jpg" alt="" width="450" height="225" /></a>Black Hat SEO attackers have been intensively poisoning search results on Google and YouTube for the past year or so. Khetarpal&#8217;s discovery confirms the basic hacking techniques work well on Bing, too.</p>
<p>&#8220;Blackhat SEO attackers are definitely deploying these attacks in Bing, but in smaller numbers,&#8221; says Khetarpal.</p>
<p><strong>Save yourself by force-quitting browser</strong></p>
<p>If you see a suspicious virus alert or virus scan, the worst thing you can do is click on anything in the alert or scan, even a &#8220;stop scan&#8221; or &#8220;cancel&#8221; button, says Microsoft spokesman Eric Foster.</p>
<p>That&#8217;s because clicking on anything the bad guys present to you usually advances the scam. Instead, if you&#8217;re using a Windows XP, Windows Vista, or Windows 7 computer, hit &#8220;ctrl-alt-delete&#8221; or type &#8220;task manager&#8221; into the Windows search box to navigate to your Task Manager.</p>
<p>At this point, the fake scan/alert is running on whatever web browser you are using, says Randy Abrams, Eset&#8217;s director of technical education. Locate your browser under the &#8220;applications&#8221; tab in your Task Manager and then force-quit it by clicking &#8220;end task.&#8221;</p>
<p><a rel="attachment wp-att-6630" href="http://lastwatchdog.com/poisoned-search-results-heat-4th-july/randyabrams_90px-2/"><img class="alignleft size-full wp-image-6630" title="RandyAbrams_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/RandyAbrams_90px.jpg" alt="" width="90" height="118" /></a>&#8220;If the user is running Internet Explorer they need to end Internet Explorer,&#8221; says Abrams. &#8220;If they are running Firefox, then end Firefox, Safari, end Safari, if Chrome, then end Chrome.&#8221;</p>
<p><strong>Reinstalling Windows operating system</strong></p>
<p>Here&#8217;s the rub: If you do happen to click on the fake scan, you will most likely be insistently steered to screens prompting you to pay $30 &#8211; $80 for worthless clean up and ongoing protection. At this point, getting rid of the malware becomes more difficult. You can:</p>
<ul>
<li>Still try to force-quit your browser.</li>
<li>Reboot your PC.</li>
<li>Try using Microsoft&#8217;s free <a href="http://www.microsoft.com/security_essentials/">Security Essentials</a> scanning and basic protection tools.</li>
<li>Try running a known-legit virus scan from your antivirus provider.</li>
<li>Try using a free scan and clean tool such as SpyBot Search &amp; Destroy, Malwarebytes or Vipre PC Rescue.</li>
<li>Wipe your drive clean and reinstall your Windows operating system.</li>
</ul>
<p>&#8220;Sometimes it is much faster and easier to reinstall the operating system,&#8221; says Abrams. &#8220;Typically skilled support professionals can fix the issue without requiring a reinstall, but if you go to a major electronics store they may tell you that reinstalling is the only way and that you will lose your data.</p>
<p>&#8220;It can take weeks, in some cases, to clean up all of the malware these fake AV products install. They rarely install only one item and often have hidden downloaders to install more.&#8221;</p>
<p><strong>Outrageously lucrative</strong></p>
<p>The selling of scareware has evolved into an outrageously lucrative criminal enterprise. Panda Security estimates that scareware generates some <a href="http://lastwatchdog.com/wp/wp-content/uploads/090701_Panda_Business-of-Rogueware.pdf">$34 million a month</a> in revenue for a cottage industry of criminal gangs and independent specialists. That estimate was affirmed by the bust of one such gang, documented by federal regulators to have banked <a href="http://lastwatchdog.com/scareware-plague-continues-163-million-bust/">$163 million in sales</a> from 2006-2008.</p>
<p>Blackhat SEO attacks that disperse poisoned search results have become a popular way to spread scareware. Such attacks &#8220;are automated and take place every single day,&#8221; says PandaLabs researcher Sean-Paul Correll. &#8220;It currently is the main delivery method&#8221; for scareware.</p>
<p>Kaspersky Lab has also gathered data that &#8220;at least some of the bad guys have managed to completely automate this process,&#8221; says senior analyst Roel Schouwenberg.</p>
<p>&#8220;They run scripts which crawl Google Trends, Twitter trends and potentially other sites to see what are hot topics. This means that basically any &#8216;breaking story&#8217; will be used for Black SEO,&#8221; says Schouwenberg.</p>
<p>Google is the primary target, since it accounts for 65% of U.S. searches, but the techniques hackers use to poison search results work just as well on any search engine, says Andrew Brandt, threat research analyst at antivirus firm Webroot.</p>
<p>&#8220;This has  been extremely pervasive since the middle of 2009,&#8221; says Brandt. &#8220;The fact that, nowadays, virtually any search result can contain malicious links is a sign that the Black Hats engaged in this practice have become expert search engine manipulators.&#8221;</p>
<p>Recent trending topics for which they&#8217;ve spread poisoned search results include the Twilight movie, the Gulf oil spill, World Cup soccer, Justin Bieber’s car accident, and Kim Kardashian’s Playboy video shoot.</p>
<p><strong>Trust no links</strong></p>
<p>The bad guys are using several sophisticated methods to cause poisoned search results to appear high in results ranking. Eset senior research fellow David Harley describes one, called index hijacking:</p>
<blockquote><p>Index hijacking tends to involve manipulation of the Google PageRank (PR) algorithm. Google doesn’t discuss the detail of the algorithm, and has frequently modified the overall ranking strategy, which also involves other attributes such as link text, content of a page and its neighbors, and so on. A classic manipulation technique is to create a Rank Sink, a page with lots of good incoming links and few visible outgoing links. This increases what Google calls the importance of a page, since it looks like a page that attracts visitors rather than transient, more or less random link hopping. Each incoming link is a vote for the page that increases its importance.</p></blockquote>
<p>Search poisoning is just one type of attack in the daily mix of malicious software detected and blocked by antivirus vendors. Bottom line: Internet users not wishing to have control of their PC turned over to an attacker must be skeptical of all links &#8212; whether in a search result, e-mail messaging spam, Facebook wall posting, Tweeted posting, or just routinely navigating to known, safe web sites that might be hacked and tainted.</p>
<p>In this miasmic environment, poisoned search results ebb and flow, intensifying general threats to Internet users at predictable times. &#8220;These attacks are omnipresent,&#8221; says Kaspersky Lab&#8217;s Schouwenberg.</p>
<p>Adam McNeil, Webroot threat research analyst, adds:  &#8220;What we have observed is that Google seems to figure out a way to thwart this malicious SEO for a time, then the bad guys figure out a loophole in Google&#8217;s new algorithm.&#8221;</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/poisoned-search-results-heat-4th-july/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Heartland Payment Systems asks merchants to help stop cyberthieves</title>
		<link>http://lastwatchdog.com/heartland-payment-systems-merchants-cyberthieves/</link>
		<comments>http://lastwatchdog.com/heartland-payment-systems-merchants-cyberthieves/#comments</comments>
		<pubDate>Tue, 25 May 2010 15:57:45 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=5277</guid>
		<description><![CDATA[If you are one of the 250,000 merchants or restaurants that rely on Heartland Payment Systems to process credit card transactions you can help Heartland stop cyberthieves from stealing any of that precious data.
In 2008, Heartland lost a record 130 million credit card records to a gang of cyberthieves, topping the previous record of 94 [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-5281" href="http://lastwatchdog.com/heartland-payment-systems-merchants-cyberthieves/heartland-logo_official225px/"><img class="alignleft size-full wp-image-5281" title="Heartland logo_official225px" src="http://lastwatchdog.com/wp/wp-content/uploads/Heartland-logo_official225px.jpg" alt="" width="225" height="65" /></a>If you are one of the 250,000 merchants or restaurants that rely on Heartland Payment Systems to process credit card transactions you can help Heartland stop cyberthieves from stealing any of that precious data.</p>
<p>In 2008, Heartland <a href="http://lastwatchdog.com/cyber-thieves-escape-detection-suck-data-tjx-heartland/">lost</a> a record 130 million credit card records to a gang of cyberthieves, topping the previous record of 94 million records lost by the TJX retail chain. Miami hacker Albert Gonzalez was <a href="http://www.wired.com/threatlevel/2010/03/tjx-sentencing/">convicted</a> for his part in both capers.</p>
<p>As a result, Heartland is now asking its merchant customers to purchase a new <a href="http://www.e3secure.com/">&#8220;E3&#8221;</a> credit card swiping terminal designed to encrypt payment card magnetic stripe data much quicker than current systems.</p>
<p><a rel="attachment wp-att-5282" href="http://lastwatchdog.com/heartland-payment-systems-merchants-cyberthieves/bob_carr150px/"><img class="alignleft size-full wp-image-5282" title="Bob_Carr150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Bob_Carr150px.jpg" alt="" width="150" height="201" /></a>&#8220;Data is protected from the point of swipe and through Heartland&#8217;s processing network — not just at certain points during the transaction flow,&#8221; says Bob Carr, Heartland&#8217;s chairman and chief executive officer. &#8220;We are making the highest degree of security available to every merchant regardless of size — without charging extra monthly or transaction fees and taxes.&#8221;</p>
<p>There are no changes to a merchant&#8217;s daily routine or the speed of transactions — and &#8220;no large equipment investment,&#8221; says Carr. However, to use this system, merchants must purchase E3 terminals or PC-based magnetic stripe readers configured to use E3. It remains to be seen how many of Heartland&#8217;s customers will purchase the new equipment.</p>
<p>Carr noted that once the new hardware is installed in check-out lines, merchants can continue business operations as usual. He contends merchants will save time and money since E3 automates the process of continually changing the encryption keys that convert sensitive account information to encrypted data. Heartland also will not impose any added transaction fees for using E3 technology.</p>
<p>Carr also notes that E3 devices include <a href="http://en.wikipedia.org/wiki/EMV">EMV/chip</a> card technology capabilities — which may be coming to the United States — and the ability to update encryption technology.</p>
<p>&#8220;Centuries ago, cities across the world gave up on trying to protect themselves by making walls higher and thicker and more distant with moats,&#8221; says Carr. &#8220;We believe it is important to make card data indiscernible as it enters the payment cycle so if the firewalls are too weak, the enemy gains nothing of commercial value. We believe this is the enhanced security method the payment industry requires in today&#8217;s world.&#8221;</p>
<p><em>By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/heartland-payment-systems-merchants-cyberthieves/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft to end security support for Windows XP Service Pack 2</title>
		<link>http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/</link>
		<comments>http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/#comments</comments>
		<pubDate>Wed, 12 May 2010 14:22:59 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=5087</guid>
		<description><![CDATA[In a move that raises the risk profile of millions of computing devices globally, Microsoft says it will no longer shore up security weaknesses in computers using Windows XP Service Pack 2 and Windows 2000 operating systems. Such desktop PCs and servers are still widely used in corporate networks globally.
And as anyone paying attention knows, [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-5088" href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/windows-xp-logo250px/"><img class="alignleft size-full wp-image-5088" title="Windows-XP-logo250px" src="http://lastwatchdog.com/wp/wp-content/uploads/Windows-XP-logo250px.jpg" alt="" width="250" height="183" /></a>In a move that raises the risk profile of millions of computing devices globally, Microsoft says it will no longer shore up security weaknesses in computers using Windows XP Service Pack 2 and Windows 2000 operating systems. Such desktop PCs and servers are still widely used in corporate networks globally.</p>
<p>And as anyone paying attention knows, infected PCs in corporate settings are in <a href="http://lastwatchdog.com/brazil-india-move-top-5-nations-generating-malicious/">high demand</a> by cyber gangs controlling the botnets driving all forms of cybercrime. Botnets are used to spread spam, steal data, hijack online bank accounts, commit click fraud and conduct denial-of-service attacks for extortion or political reasons.</p>
<p>The software giant announced Tuesday that it will stop supporting computers using those older operating systems as of July 13th. Service packs contain major security and reliability upgrades.</p>
<p><strong>Global exposure</strong></p>
<p>Qualys estimates 50% of Windows XP machines used by businesses are SP2 machines. Qualys manages computer upgrades for over four thousand corporations, government agencies and large organizations worldwide, as well as small- and medium-sized businesses.</p>
<p><a rel="attachment wp-att-5109" href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/wolfgang-kandek90pixels/"><img class="alignleft size-full wp-image-5109" title="Wolfgang Kandek90pixels" src="http://lastwatchdog.com/wp/wp-content/uploads/Wolfgang-Kandek90pixels.jpg" alt="" width="90" height="115" /></a>&#8220;No new security patches for Windows XP SP2 means that users will not get updates to the core operating system and its components,&#8221; says Qualys CTO Wolfgang Kandek. &#8220;The overall effect will be that the machine becomes increasingly susceptible to attacks from malicious software.&#8221;</p>
<p>Most XP machines in U.S. homes are running with the more recent Service Pack 3. That&#8217;s because most U.S. consumers enable Windows auto update, the online service Microsoft uses to automatically push out security fixes to consumer PCs.</p>
<p><a rel="attachment wp-att-5121" href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/gunterollmann90-px-4/"><img class="alignleft size-full wp-image-5121" title="GunterOllmann90 px" src="http://lastwatchdog.com/wp/wp-content/uploads/GunterOllmann90-px3.jpg" alt="" width="90" height="127" /></a>However, Gunter Ollmann, VP of research at Damballa, notes that Windows XP SP2 and Windows 2000 are deployed extensively in computing devices as embedded operating systems that are difficult to update. He says many solenoid devices, such as those used in the petrochemical and water and gas industries, are still shipped with these old operating systems.</p>
<p>&#8220;Unfortunately they’re also prime candidates for compromise via worm-based malware – in particular botnets and other persistent threats,&#8221; says Ollmann.</p>
<p>Ollmann, a leading expert on the activities of botnet gangs, says he expects the major gangs to be &#8220;unaffected or simply not care about this recent news.&#8221; The primary reason, he says, is because &#8220;their malware agents are more than capable of operating upon newer operating systems and have already been proven to be backwardly compatible with XP SP2.&#8221;</p>
<p><strong>Update to SP3 &#8212; or buy Windows 7</strong></p>
<p>Microsoft issues security updates on the second Tuesday of each month, known as Patch Tuesday. Corporate users typically install service packs and security patches manually, only after extensive testing, says Jason Miller, data and security team manager at Shavlik Technologies.</p>
<p><a rel="attachment wp-att-5104" href="http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/jason_miller90px/"><img class="alignleft size-full wp-image-5104" title="jason_miller90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jason_miller90px.jpg" alt="" width="90" height="127" /></a>&#8220;We frequently speak with IT administrators who are running Windows XP SP2 on many machines in their network, and this will affect many businesses across the globe,&#8221; says Miller. &#8220;For a variety of reasons, mainly resources and cost, many businesses still run older versions of Operating Systems and service packs in their environments.&#8221;</p>
<p>Miller says upgrading to the latest service pack level is definitely not a simple task for most organizations, especially &#8220;for those companies with many machines spread across the globe and not readily accessible. Examples of these types of hard-to-manage devices include ATM machines and point of sale devices like cash registers at your local Home Depot.&#8221;</p>
<p>Microsoft spokeswoman Alison Dwiggins declined to supply an estimate of how many Windows XP SP2 PCs and Windows 2000 servers remain in business-use globally. &#8220;As you know, we don&#8217;t break out the install base,&#8221; she wrote in an email reply to questions submitted by Technology Live.</p>
<p>Microsoft recommends that its customers buy new Windows 7 PCs. Alternatively XP SP2 users can install Service Pack 3. The procedure is described <a href="http://update.microsoft.com/microsoftupdate">here.</a> Asked to characterize the go-forward risks of using Windows XP SP2 PCs, Dwiggins replied:</p>
<blockquote><p>Per the Microsoft support lifecycle policy, Microsoft will no longer provide support or updates (including Security Updates) for the versions of Windows that have reached the end of support. Installation of the most current service pack and all available Security Updates (at a minimum) is recommended to ensure that available security protections are in place for a Windows computer and to prevent the spread of malicious software to other computers.</p></blockquote>
<p>Shavlik&#8217;s Miller recommends that corporate users bite the bullet and replace their older machines with new Windows 7 units.</p>
<p>&#8220;Companies choosing to not adhere to vendor support lifecycles presents a risk to a network as vulnerabilities exist that can lead to virus outbreaks, breaches in security and potential loss of data,&#8221; says Miller.  &#8220;The longer Microsoft continues to support legacy products and applications, Microsoft and its customers will suffer as they will spend effort and energy supporting legacy code instead of ultimately developing new technologies and security measures.”</p>
<p><em> By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lumension advocates &#8216;intelligent whitelisting&#8217; as a superior defense</title>
		<link>http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/</link>
		<comments>http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 22:09:39 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=4998</guid>
		<description><![CDATA[McAfee&#8217;s recent error blacklisting a core Windows operating system program triggered the shutdown of corporate systems worldwide, requiring manual cleanup of thousands of workplace PCs. That incident helps support the viability of a new approach security vendor Lumension has recently begun advocating, called &#8216;intelligent whitelisting.&#8217;
Intelligent whitelisting works by scanning an entire network for malicious [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-5004" href="http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/lumension-logo250px/"><img class="alignleft size-full wp-image-5004" title="Lumension Logo250px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lumension-Logo250px.jpg" alt="" width="250" height="57" /></a>McAfee&#8217;s <a href="http://lastwatchdog.com/mcafee-error-triggers-massive-manual-pc-clean-up/">recent error</a> blacklisting a core Windows operating system program triggered the shutdown of corporate systems worldwide, requiring manual cleanup of thousands of workplace PCs. That incident helps support the viability of a new approach security vendor Lumension has recently begun advocating, called &#8216;intelligent whitelisting.&#8217;</em></p>
<p><em>Intelligent whitelisting works by scanning an entire network for malicious programs, then cleaning up any infections. Lumension then takes a snapshot of the clean network before locking it down. No new applications are permitted to run, unless expressly authorized by an IT manager. Lumension contends that intelligent whitelisting greatly reduces the likelihood of unauthorized code running on a corporate network, while eliminating the possibility of a major blacklisting faux pas, like the one that struck McAfee&#8217;s corporate customers.</em></p>
<p><em>In this exclusive LastWatchdog Q&amp;A, CEO Pat Clawson explains how Lumension arrived at a product strategy he says is designed to combine the best features of whitelisting and blacklisting.</em></p>
<p><strong><a rel="attachment wp-att-4999" href="http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/pat-clawson200px/"><img class="alignleft size-full wp-image-4999" title="Pat Clawson200px" src="http://lastwatchdog.com/wp/wp-content/uploads/Pat-Clawson200px.jpg" alt="" width="200" height="321" /></a> LW: </strong>What differentiates Lumension from other vendors like Symantec, McAfee or Sophos that offer a first line of defense against malware?</p>
<p><strong> Clawson:</strong> Aside from size, our main differentiator really lies within our company’s commitment to driving change in an industry that’s largely been focused on a dated blacklisting/antivirus technology.</p>
<p>This is what vendors like Symantec, McAfee or TrendMicro have continually banked on as the crux of their business for the past ten years or more.</p>
<p><strong> LW:</strong> You reset Lumension&#8217;s core strategy about two years ago. Can you briefly describe how that came about?</p>
<p><strong> Clawson:</strong> We collaborated as a management team to truly get a deep understanding as to who we really were. We’re really good at helping our customers deal with zero-day vulnerability issues. The moment a vulnerability is known or discovered, we work with operating system and application manufacturers like Microsoft to gather the right patches, tear them apart, test them, and get them to our customers. We get the “how do you respond to a vulnerability” piece of the equation. It’s been our lifeblood for years.</p>
<p>When we sat down to think through our core strategy two years ago, our question became “how do we help customers use the agents that already live on each machine connected to their network to protect their systems, data and applications before a vulnerability is publicly announced?”</p>
<p>So, rather than taking the path of least resistance, we chose to put a stake in the ground. We wanted to introduce a disruptive technology that leveraged our existing strong relationship with operating system and application manufacturers. We wanted to blend the technologies we acquired via Secure Wave and Stat along with our existing Patchlink technology into a cohesive approach that is today known as intelligent whitelisting.</p>
<p><strong> LW:</strong> What was the company&#8217;s core strategy before the strategy shift?</p>
<p><strong>Clawson:</strong> We were very focused on enterprise patch remediation and vulnerability assessment. This is where our roots are and where our deep-seated domain expertise lived until our strategic shift. According to IDC, we were then and are now the largest company in the world ranked #1 in market share for the fourth consecutive year for proactive endpoint risk management.</p>
<p><strong>LW: </strong>Change is never easy. Can you describe a key challenge you had to overcome to pull off the transition?</p>
<p><strong> Clawson:</strong> The transition away from patch remediation and vulnerability management forced a name change. With three companies joining as one entity, each with its own brand, one US-centric and one EU-centric, a name change was inevitable.</p>
<p>Coupled with that, we had customers from all three companies coming together, all wondering what it all meant for them. Based on that, we had to essentially rebuild our brand perception not just within our customer base but within the industry at large.</p>
<p>We wanted to rebuild ourselves as a thought leader which takes time. So, we spent a couple years creating that brand and thought leadership stance while keeping a laser focus on creating a platform that people could understand and use to protect themselves from both the known and unknown threats that abound.</p>
<p><strong> LW:</strong> What benchmarks would you like to in the next two years?</p>
<p><strong> Clawson:</strong> Logically, it’s about technology adaptation. Our goal is to be the most successful at pilfering our larger competitors’ existing customer base, bringing intelligent whitelisting to as many organizations as we can over the next two years.</p>
<p><em>&#8211;By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
