Google executives faced tough questions Thursday, in a meeting with members of Congress, about changes to the company’s privacy policy scheduled to go into effect March 1.

However, the search giant failed to assuage lawmakers’ privacy concerns stemming from the company’s controversial plans to step up the cross-referencing of data generated by consumers who use its popular online services, says Rep. Mary Bono Mack, R-Calif., who arranged the closed-door briefing.

Pablo Chavez, Google’s public policy director, and Michael Yang, its deputy general counsel, outlined how the company supplies consumers with a number of tools to protect their privacy. Lawmakers questioned whether tools that Google makes available to help consumers control their privacy were user-friendly and effective.

Rep. Joe Barton, R-Texas, says Chavez and Yang “danced around actual details, and instead spoke in generalities, highlighting their efforts to ‘enhance the user experience’ — but at what cost?”

Bono Mack said she expects Google to proceed with its planned March 1 change.

“I don’t know that I got any more clarity than what I’ve been reading in the press,” says Bono Mack. “There’s a big concern in Congress about privacy, on both sides of the aisle.”

Public hearings on Internet privacy are planned for this spring, she says. And Google spokesman Chris Gaither says: “We’re happy to discuss our updated privacy policy with Congress.”

On Thursday, the Google officials were pressed on whether the company’s new policy enables a consumer to easily and completely delete a Gmail message or a record of a search for sensitive information, such as on a medical website.

“Consumers want to know if they hit the delete button, that something truly is deleted,” says Bono Mack.

Gaither made reference to Google’s stated privacy policy. The company aims to ” maintain our services in a manner that protects information from accidental or malicious destruction,” the policy states. “”Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.”

He added that the new privacy policy “does not change our archiving or deletion practices.”

File sharing has become a major way corporations collaborate with employees and partners and interact with customers. It fuels the sharing of rich content across Internet-connected devices in the home and office and distributed to mobile devices and has emerged as a major component of cloud computing, the delivery of content and services across the Web.

“If legitimate content is housed on the same service that might have infringing content, it gets sucked into this vortex and it’s gone,” says Dennis Fisher, security blogger at Threatpost.com. “I don’t know how much the government or these companies (advocating strict anti-piracy enforcement) have thought this through. I would guess not a lot.”

Federal authorities shut down Megaupload.com, one of the world’s most popular file-sharing sites, Thursday and accused it of costing copyright holders more than $500 million in lost revenue from pirated films, music and other content.

Sandvine's cyberlocker traffic data: yellow=megaupload; grey=rapidshare; green=filesonic

Four executives arrested in New Zealand appeared Friday in an Auckland courtroom to begin extradition proceedings that could take more than a year. Three others remain at large.

According to New Zealand’s Fairfax Media, a defense lawyer raised objections to a media request to photograph the proceedings, but his client, Megaupload chief Kim Dotcom, spoke out, saying he would not object “because we have nothing to hide.”

The judge granted the media access, and ruled that Dotcom and the three other suspects would remain in custody until Monday, the next scheduled hearing in the case.

The five-count indictment, which alleges copyright infringement as well as conspiracy to commit money laundering and racketeering, described a site designed specifically to reward users who uploaded pirated content for sharing, and turned a blind eye to requests from copyright holders to remove copyright-protected files.

It was unsealed a day after technology companies staged an online blackout to protest two related bills in Congress that would crack down on sites that use copyrighted materials and sell counterfeit goods. Congressional leaders agreed Friday to indefinitely delay action on those bills — Stop Online Priacy Act in the House and Protect IP Act in the Senate.

Critics contend SOPA and PIPA don’t so much protect the rights of filmmakers, musicians, writers and artists as they do preserve an antiquated film and music distribution system.

“No law passed in the U.S. is going to have any real effect on whether people steal movies, music and books. That ship has sailed,” Fisher says. “The network of underground sites that traffic in pirated movies and music won’t disappear. It will simply adapt.”

Within 24 hours after U.S. authorities shut down Megaupload servers in Virginia, ABC News reported that the website was accessible again by typing a numeric address in a Web browser. But that address led to a webpage with a message saying work was underway to restore Megaupload, and asking people to spread the word on Facebook and Twitter.

Megaupload may have had a contingency plan with a backup domain and server at the ready to restore services should its main servers go down, something that many Internet companies do, Fisher says.

Hilwa

Al Hilwa, an analyst at research firm IDC, says defining who is responsible for strictly obeying copyright laws is at the heart of the piracy issue. “Shifting that responsibility to the technology providers, networks, hosters and intermediate service providers who make up the file-transfer chain would mean burdening them with escalating costs. That would make them uncompetitive and hurt their growth.” he says.

That law enforcement officers were able to coordinate internationally to take action demonstrates that current laws targeting copyright violators work, says Art Brodsky, a spokesman for Public Knowledge, a Washington, D.C.-based communications and technology advocacy group. “They roped in New Zealand police and the FBI flew down there,” he said. “So why do you need more laws?”

On Friday afternoon, Twitter and Facebook users continued buzzing about the shutdown of Megaupload. Some posted messages such as “R.I.P. Megaupload,” “Missing Megaupload already,” and “Let’s all have 1 minute of silence for Megaupload.”

Meanwhile, federal authorities are investigating disruptions to the Justice Department website and threats to the site maintained by the FBI believed to be prompted by the Megaupload arrests.

The Justice Department website was back online Friday after being hit Thursday evening. An alliance of hackers known as “Anonymous” claimed responsibility.

In a written statement, the Justice Department said its Web server had experienced a “significant increase in activity, resulting in a degradation in service” and that the activity was “being treated as a malicious act.”

The enforcement action against Megaupload and actions by hacktivists was not unprecedented. Something similar happened in May 2006 when authorities shut down movie-sharing site Piracy Bay.

Millions of people use websites such as Megaupload and Bit Torrent to transfer TV shows, movies and music. Other file-sharing sites like You Send It and Dropbox focus on file-sharing for workplace collaboration. And newer file-sharing sites like Spotify focus on file-sharing within social media and mobile devices.

If anti-piracy enforcement actions accelerate, hacktivists can be expected to uniformly retaliate, says Josh Shaul, chief technology officer at Application Security.

“We may be looking at a cycle of more enforcement action, more sites being taken down and more retaliation by hacktivists,” Shaul says. “People will bring up new file-sharing sites in countries where they can’t be taken down, and the cycle will continue.”

The hacktivists are getting better at retaliating quickly. Recruits to help execute distributed denial of service (DDos) attacks are trained and equipped to instantly add the processing power of their individual PCs to the cause.

The constant stream of nuisance requests that cut off public access to the Justice Department and motion picture industry websites came from about 5,635 individuals using a networking tool called a “low orbit ion cannon,” according to messages posted by Anonymous, which claims this to be the largest such attack ever. PCs likely scattered in multiple nations, using tried-and-true technology to make them difficult to trace, were used.

Such attacks formulate spontaneously in Internet Relay Chat rooms. Participants must use their own initiative to set up their PCs ahead of time so they can’t be traced, but the necessary software and training are readily available online.

“The ranks of the hacktivists are swelling,” Shaul says. “More people are willing to stick their necks out on the line and start hacking.”

While Justice says it is illegal for anyone to download pirated content, its investigation focused on the leaders of the company, not end users who may have downloaded a few movies for personal viewing.

Megaupload.com has 150 million registered users, about 50 million hits daily and endorsements from music superstars. The U.S. indictment said founder Dotcom made $42 million last year alone.

The website allowed users to download some content for free, but made money by charging subscriptions to people who wanted access to faster download speeds or extra content. The website also sold advertising.

The movie industry has fought against the site, saying it is making money off pirated material. Though the company is based in Hong Kong and Dotcom was living in New Zealand, some of the alleged pirated content was hosted on leased servers in Virginia, and that was enough for U.S. prosecutors to act.

New Zealand police seized guns, artwork, more than $8 million in cash and luxury cars valued at nearly $5 million after serving 10 search warrants at several businesses and homes around Auckland.

Dotcom is a resident of Hong Kong and New Zealand and a dual citizen of Finland and Germany who had his name legally changed. The 37-year-old was previously known as Kim Schmitz and Kim Tim Jim Vestor.

Of the three others arrested Thursday, two were German citizens and one was Dutch. Three other defendants — another German, a Slovakian and an Estonian — remained at large.

The Electronic Frontier Foundation, which defends free speech and digital rights online, said in a statement that the arrests set “a terrifying precedent. If the United States can seize a Dutch citizen in New Zealand over a copyright claim, what is next?”

Acohido reported from Seattle Contributing: Yamiche Alcindor, Roger Yu and Matthew Barakat in McLean, Va.; Kevin Johnson in Washington; Associated Press

The “Here-you-have” virus broke through and swamped email systems at dozens of large organizations late last week. During that same time frame, the “David Leadbetter” virus took careful aim at golf-playing executives and managers at specific corporations.

Spam accounts for an estimated 90% of all e-mail traffic, or roughly about 300 billion messages daily. Viral messages carrying an innocuous-looking “Here-you-have” or “Just-for-you” subject line at one point last Thursday accounted for an astounding 14.2% of spam messages moving across the Internet, says Nilesh Bhandari Cisco product manager.

Bhandari

So at its peak some 42 billion tainted “Here-you-have” or “Just for you” messages controlled by the same cyber gang were moving across the Internet. “This means billions of effective spam messages occurred in these short bursts,” says Bhandari. “Whenever we see billions of effective spam hits, that’s a lot of messages and certainly a major attack. This one was among the highest levels we’ve seen.”

E-mail security firms, including Cisco’s IronPort division, rarely see a single spam attack accounting for 10 percent of spam traffic. That includes very effective spamming campaigns – like the one following Michael Jackson’s death and a very recent one exploiting the popularity of Apple’s iPad app store.

Familar replication technique

According to cybersecurity experts, Here-you-go/Just-for-you spam disrupted e-mail systems at ABC-Disney, Comcast, Wells Fargo, Google, Coca Cola, several utilities and dozens of large organizations by combining a few simple, tried-and-true spamming tricks.

Source: Cisco IronPort

The attackers began by initially sending a comparatively small number of e-mails to specific individuals at certain organizations, says Don Gray, chief security strategist at tech security firm Solutionary.

The messages contained a declarative statement asking the recipient to click on a link to a PDF document or a video, vaguely suggesting the recipient should have been expecting the link.

Sverdlove

But the PDF or video file associated with the link actually downloaded a .scr , or screensaver, file — which many antivirus systems do not automatically block, says Harry Sverdlove, CTO at tech security firm  Bit9.

“Once the link is clicked, the (malicious) file is downloaded through the user’s system, typically through their Web browser,”  says Sverdlove. “Central email gateways would not see this traffic, and central firewalls are not likely to detect anything suspicious about simple internet traffic over port 80.”

Clicking on the link swiftly downloaded a malicious program that did two things:

• Disabled any antivirus protection.
• Began replicating versions of similarly tainted messages to every contact in the victim’s e-mail address book.

Recipients of subsequent rounds of email, therefore, got Here-you-have messages arriving from a known contact. “The spam filter failed in that it did not detect the threat because it came from a legitimate source,” Christopher Elisan, senior research analyst at Damballa. “The receiver knows the sender, and mistakenly clicks on the URL because it all seems legit. A good social engineering trick, well executed.”

Smith

This email replication technique was actually pioneered back in 1999 by a hobbyist hacker, named David L. Smith, creator of the milestone Melissa e-mail virus. Smith created a self-spreading technique that has been a staple hackers looking to infect large numbers of PCs ever since.

Melissa enticed recipients to open a viral e-mail attachment with messages like “Check this!! This is some wicked stuff,” or “Question for you. It’s fairly complicated so I’ve attached it.” Clicking open the attachment triggered a sequence by which Melissa made copies of itself, simultaneously e-mailing itself to the first fifty names in victim’s e-mail address book. It only took a handful of the fifty to open the attachment, followed by a handful after that, and so on, for Melissa to spread exponentially.

Intensive cat-and-mouse game

Melissa’s replication technique quickly caught on with email virus spreaders. As a result, most enterprise spam filters today routinely block any email carrying attachments. Most large organizations today also pay big bucks for overall help keeping viruses out of their networks.

As part of this cat-and-mouse game, antivirus companies such as Symantec, McAfee, Trend Micro, Sophos, Kaspersky, Panda Security and others have taken to maintaining extensive  labs manned by dozens to hundreds of highly-trained threat analysts — experts assigned to watch for the latest attacks, and push out updates, called “virus signatures,” to each PC in a corporation’s network as quickly as possible.

Egan

As a measure of how intensive this cat-and-mouse game has become,  at the time Melissa appeared in 1999, Symantec issued new virus signatures on a weekly basis. Today, it issues 10,000 to 15,000 new virus signature daily, and recommends that its corporate customers consider installing the new signatures daily, if not hourly, says Gerry Egan, Director of Symantec Security Response.

Something of an equilibrium had been in recent years, with most corporate email systems keeping viral spam acceptably in check.  But the Here-you-are attackers blew that out of the water.

“They were surprisingly successful,” says Egan. “They seem to target larger organizations, and all it took was one or two users to click on the link. The pure simplicity of the message was what caused this one to succeed.”

Solutionary’s Gray believes the attackers counted on a recent social phenomenon to help them. Younger employees have fallen into the habit of clicking on free Internet-delivered apps for their smartphones and iPads, without a second thought. Many may be too lightly concerned about the risks of clicking on an infectious link, says Gray.

Golfing tips PDF carries cutting-edge attack

Leadbetter

Meanwhile, as Here-you-have spam swamped dozens of corporations late last week, specific employees at a much smaller set of corporations received e-mail with the subject line “David Leadbetter One Point Lesson.”

Recipients were asked to click open an attached Adobe PDF document containing golfing advice from David Leadbetter, a famous golfing coach. However, the PDF document was spring-loaded to take advantage of a recently discovered security flaw in Adobe Reader for which Adobe has not yet issued a security patch.

In stark contrast to the simplicity of the Here-you-have campaign, the David Leadbetter attack was extremely sophisticated, says Gray. It is the first attack known to bypass two important major security improvements Microsoft has gone through great pains to add to the Windows operating system.

The attackers were able to get around “Date Execution Prevention,” or DEP, which Microsoft introduced in Windows XP Service Pack 2, as well as “Address Space Layout Randomization,” or ASLR, which the software giant added to Windows Vista and Windows 7.

To boost the legitimacy of the tainted PDF, the attackers included a VeriSign digital signature stolen from Missouri-based Vantage Credit Union. This is a trick borrowed from the authors of the milestone Stuxnet worm, notes Sophos analyst Chet Wisniewski. Stuxnet, you’ll recall, grabbed headlines in July when it began to attack the LNK component of Windows. LNK files enable shortcut icons to appear on your PC desktop.

The Stuxnet attackers briefly took control of Siemens’ SCADA (supervisory control and data acquisition) systems used to run power plants and industrial factories in Iran, India and elsewhere, suggesting specific intent.

Attack motivations

Gray

The overlapping occurrences of the simple, noisy Here-you-have attack and the stealthy David Leadbetter attack makes Solutionary’s Don Gray wonder if the attacks were somehow co-ordinated. After all, he says, any major spamming group worth its salt knows that a high volume attack that unduly disrupts numerous companies’ IT systems is the surest way to draw attention of law-enforcement.

Gray wonders if the Here-you-have attackers purposefully drew attention to provide cover for — and 0improve the odds of success for –  the David Leadbetter attack. “It seems like they were trying to go after high-value targets,” says Gray.

Joe Stewart, senior researcher at SecureWorks, has another theory, backed by months of tracking of the specific malicious coding that turned up as part of last week’s Here-you-have attack.

Stewart kept track of a smaller-scale attack in early August that used “Here you are” in the subject line. He believes that  early August attack and the one last week both are the work of a cyberjihad organization, called “Brigades of Tariq ibn Ziyad,” whose goal is to penetrate U.S. agencies belonging to the U.S. Army, according to this 2008 forum posting. Stewart also unearthed this 2009 forum posting in which a poster using the nickname ”iraq_resistance” seeks tips for using Visual Basic to send emails and launch a program over a network using admin credentials. These are the basic functions for launching a virus or a worm, notes Stewart.

Stewart believes last week’s Here-you-have attack was so noisy “because iraq_resistance is relatively inexperienced as a developer, and possibly also that he doesn’t care because either way it’s more attention to his cause.”

UPDATE. Late Sunday night, 12 Sept. 2010. IDG News Service cybersecurity reporter Bob MacMillan posted this news story based on an e-mail interview with a hacker asserting that he is the author of Here-you-have and seemingly corroborating  Stewart’s Iraqi resistance scenario.

Go forward implications

By the end of last week, all of the antivirus companies had issued fresh virus signatures to block Here-you-have spam, and were on high alert for any variants.

Cleaning up individual PCs may take days or weeks. Until then, infected PCs will continue to spam contacts in address books, though the actual infections will be blocked by the new signatures, says Fred Fred Touchette, senior security analyst at messaging security firm, AppRiver.

“Aside from sending out additional spam emails to their contact lists, companies must also deal with an infection that has likely disabled their existing anti-virus which leaves them open to further infections,” says Touchette. “They have also had additional malware installed on the machines such as password stealing software, and network monitoring software. These could be used to gain remote access to the victim computers so that they can be used by its attackers for any number of nefarious reasons.”

Patricia Titus, CISO at  Unisys and former CISO at the Transportation Security Administration, says large organizations should take heed.

“Regardless of whether you’ve been affected or not, it is important to look at your security posture and analyze what has worked and why,” says Titus. “For IT professionals, these unfortunate incidents present an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets.”

By Byron Acohido

It’s not widely known that the telecom giant is home to a crack cybersecurity forensics team. Over the past half dozen or so years, Verizon’s cybersleuths have been retained by large organizations to probe more than 900 separate cases of data theft in which some 900 million records were compromised.

Based on direct evidence from those hands-on probes of real hacks, Verizon’s annual breach report stands apart from other cybersecurity studies, many of which are based on subjective, anecdotal opinions of survey respondents.

For the first time, the U.S. Secret Service contributed information from 84 major cybercriminal cases it investigated in 2009. Combined with findings from 57 private investigations Verizon conducted last year, the report gives a high-definition snapshot of cybercriminal activity.

One big finding: cybercriminals used stolen account logons in 38% of successful data breaches, accounting for 86% of the records compromised in 2009. This dovetails with the relentless rise in phishing attacks that trick people into divulging usernames, passwords and answers to authentication questions, says Wade Baker director of risk intelligence at Verizon Business.

There are some stunning commonalities among the combined 141 breach cases investigated by Verizon and the Secret Service:

• 98% of all data breached came from hacked servers.
• 96% of these breaches were avoidable through simple intermediate controls.
• 85% of these attacks were not considered highly difficult.

“These were breaches of organizations with pretty mature security programs,” notes Baker. “When you talk about large, distributed organizations with massive, diverse IT systems, it is just flat out hard to have a consistent approach to security.”

Cisco also released a first-of-its kind report at Black Hat today. The switching technology giant merged data collected from its IPS line of products with investigative analysis from its IronPort messaging security and ScanSafe web security acquisitions.

For the second quarter of this year, ending June 30, Cisco’s new Quarterly Global Threat Report found:

• Continuous high-saturation of malicious software circulating on the Internet.
• Eastern Europe encountered the highest rate of web-based malicious software, followed by South America and China.
• Cybercriminals acutely intensified attacks against pharmaceutical and chemical companies, as well as energy, oil and gas companies.

By Byron Acohido

Meanwhile, the FBI has launched an official investigation of a caper in which the perpetrators — greyhat researchers calling themselves Goatse Security –  freely claim responsibility for the attack.

“We believe what we did was ethical,” Goatse member Escher Auernheimer told PC World’s Greg Keizer in a telephone interview. “What we did was right.”

Auerheimer notes that  Goatse waited until AT&T had closed the hole before  outing the e-mail addresses it had grabbed. This, he contends, amounts to  “responsible disclosure.”

Going public with the discovery of a fresh security hole is one thing. But actually taking advantage of the vulnerability to steal data is another. Pierce the privacy of high-powered, well-connected iPad users, and you wake the sleeping giant: the FBI.

“The disclosure was completely irresponsible,” says Sean Sullivan, Security Advisor, at antiviurus company F-Secure. “There is no reason why the Goatse Security group needed to harvest data. They only did it to sensationalize the issue and they are guilty of violating personal privacy.”

Celebrity quotient

Bloomberg

Goatse researchers claim to have extracted 114,000 e-mail addresses, including many high profile celebrities, athletes and politicos, New York City Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel, and movie producer Harvey Weinstein, among them.

They did this by tricking AT&T’s servers into divulging the correct unique identifier for the iPad and associated e-mail addresses. The incident, no doubt, has worsened the already strained relationship between AT&T and Apple, says Rick Munarriz, senior analyst at The Motley Fool. iPhone and iPad users have complained about dropped calls, poor signals and expensive usage rates, notes Munarriz.

Jon Heimerl, Director of Strategic Security at Solutionary, a data security consulting company, believes AT&T is largely at fault for this latest stumble. “In no way is this an ‘iPad breach,’ ” says Heimerl. ” This was someone grabbing information off of an AT&T server that was accidentally left exposed to the Internet.”

Hemanshu Nigam, founder of security consultancy SSP Blue, says Apple bears the largest share of culpabibility since it set the authentication requirements ATT was required to follow.

“This is exactly where the flaw existed,” says Nigam, former security chief at MySpace. “Apple needs to start putting user security ahead of user convenience. The hacker community is obviously gearing up to dethrone the king and this is just another warning shot.”

More iPad attacks likely

Heimerl and Nigam do agree on this point: wider use of iPads, especially among movers and shakers, portends intensified hacks — by professional cybercriminals, not just security researchers looking to grab headlines.

Heimerl

“The iPad is a new product, and as such likely has unintended (security weaknesses) built in.” says Heimerl. “Odds are that someone will find something to hack in the device operating system, or in one of the primary applications that the iPad runs, like the Safari browser.”

Although email addresses in and of themselves may seem low value, “knowing these addresses opens them up to a large number of spammers and would-be social engineers that will now be checking every login field on the internet for accounts belonging to them,” says Jason Haddix, Security Engineer at Redspin.

Sam Diaz, senior editor at ZDNet, calls out Mayor Bloomberg and  Chief of Staff  Emanuel, for owning iPads in the first place.

” What I would really want to know – given the volume of government officials whose official work e-mail addresses were found . . . is exactly who paid for all of these iPads that are reportedly in the hands of so many people in Washington, Diaz writes in this post. “Last time I checked, the iPad was a pretty expensive device, especially for government agencies that probably have better uses for government dollars other than to buy iPads.”

iPad best security practices

In wake of the breach, Rescuecom CEO David A. Milman suggests these precautions for iPad users:

• Turn off the 3G Network. AT&T has stated that there is no more threat to customers. However, turning off 3G wireless Internet service, at least temporarily, will protect an individual’s personal data from any further attack.
• Request a new SIM from AT&T. The ICC-ID number that the hackers breached is attached to each user’s SIM, the card linking an individual iPad to its user. Changing the SIM card would change the ICC-ID as well, rendering that information useless.
• Change your iPad e-mail address. The simplest solution is to stop using the compromised e-mail address. AT&T states the only information illicitly obtained was user’s e-mail addresses. Changing your address would eliminate this threat.
• Limit iPad usage. Using the iPad is, most likely, still safe. However, to best protect personal data, users should be careful what they use the iPad for. Avoid tasks such as mobile banking or anything that transmits personal information, especially when on a 3G network.

For those consumers who have not yet purchased an iPad, but were considering it, Milman recommends waiting at least six months for the manufacturer to work the major bugs out of the system.

“While most everyone is aware that security is important, very few of us understand what goes into securing the software, hardware, and networks that contain our most valuable asset, our identity,” says Milman. “AT&T’s breach is a perfect example of how at risk we are.”

By Byron Acohido

Both involved nothing-out-of-the-ordinary cyberattacks that quixotically rose above the din to grab international headlines.

The mainstream attention is welcomed. It helps to underscore how the Internet underground has advanced to the point where a plethora of powerful hacking tools and services  is readily available to  novice hackers and elite crime gangs alike –  with  prices  to fit every budget.

“Hacker have more options and are getting better at execution,” says Don Jackson, senior researcher at SecureWorks. “The script kiddie of today is much more dangerous that the script kiddie of five years ago, or even one year ago.”

Pricing of hacking tools

In Operation Aurora, Chinese hackers sent targeted messages to specific senior managers at 30 corporations luring  them to click on a corrupted Web link. Clicking on the link activated a  hacking tool designed to tap into a fresh zero-day vulnerability in Internet Explorer browser.  The crooks likely paid $5,000 or maybe more for this  cutting-edge malicious code.

Such zero-day attacks have long become commonplace, of course. The template for zero-day attacks  dates back to December 2005, and the antics of the  Russian iframeCash.biz gang, led by Andrej Sporaw. The enterprising  Sporaw and company  flushed out a fresh zero-day hole in a Windows operating system component, called Windows metaframe file, and began exploiting the WMF hole to launch pop-up ads for early versions of scareware. You can read about that in this chapter of my book, Zero Day Threat: The Shocking Truth About How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.

In the Chinese zero-day attack last month,  one of the targeted corporations happened to be Google — in a mood to complain. The search giant cried foul, igniting an international brouhaha over how China does business.

By contrast, the Kneber botnet gang paid nothing for the powerful, simple-to-use ZeuS hacking tool they’ve been using to harvest account logons from tens of thousands of botted PCs inside hundreds of corporate networks. The version they used has for months been readily available for free on criminal forums.

ZeuS is best known as a widely popular banking Trojan. Current versions of ZeuS sell for up to $10,000, and are used by elite cyber gangs to wire funds from of the online banking accounts of small- and medium-sized businesses, as LastWatchdog recounted in this investigative story. But older, free versions of ZeuS work just fine for turning an infected PC into a bot and harvesting all the PC’s account logons that are stored in Web browser cookies,  says  SecureWorks’ Jackson.

To bot PCs with their free copy of Zeus, the Kneber gang most likely is patronizing spamming specialists to send out email lures and enticing Facebook messages and Twitter tweets enticing them to click on a corrupted Web link. The cost: as low as $10 per 100,000 spammed messages.

Those fooled into clicking on the link got the Kneber gang’s free copy of ZeuS installed. The gang probably spent something on the order of $300 to $1,000 to rent an Internet-connected server on which they collected and stored the harvested account logons delivered by their fresh  bots.

Drawing notariety

It was this command & control/storage server that  NetWitness tracked down and accessed in late January. NetWitness’ report on what it found — 68,000 account logons stolen from 75,000 botted PCs in 2,411 corporate networks in 196 countries — drew big headlines in the Wall Street Journal and New York Times. Journal tech security beat reporter Siobhan Gorman reported that the affected companies included Merck, Cardinal Health, Paramount Pictures and Juniper Networks.

NetWitness’ media coup  sparked some sniping from rival tech security vendors McAfee and Symantec; each cast aspersions on NetWitness’ characterizations of the significance of its findings. NetWitness shot back with this point-by-point response.

Competitive bickering aside, the fact is any capable researcher could have similarly tracked the Kneber gang’s activities, since they put no effort into stealth. NetWitness went one big step further and exfiltrated stolen data from the gang’s server. Still,  “compared to other ZeuS operations, this was minor league,” says Jackson.

Gunter Ollmann, research director at Damballa and a leading botnet expert, says ZeuS is like the iPhone of hacking tools, spawning a multitude of third party plug-in applications. “There are plenty of tutorials and scripts available for criminals to copy and learn from,” says Ollmann. “Think of ZeuS as a Swiss Army knife with a Lego interface.”

Amateurs are getting more widely involved in harvesting data because there is a rich and robust market for valid account logons, which dangle like candy in the Web browsers of workplace laptops and PCs. And it remains true that many people use the same username and password to gain access to multiple accounts, security experts say.

“There has always been a market for stolen data,” says Frank Kenney, VP of Global Strategy for Ipswitch File Transfer. “Today, the speed at which that information gets leveraged is astounding.”

Corporations are having a difficult time keeping up.

“Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters … others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

By Byron Acohido

Jennifer Bayuk was also shocked. Bayuk is the former chief information security officer at Bear Stearns. She is  well-known and well-respected as a security consultant, speaker and author on tech security topics.  I’m just finishing reading her latest work, Enterprise Security for the Executive: Setting The Tone From The Top.

After reading my report on how cyber-robbers are intensively targeting small business online banking accounts, Bayuk went hunting for  copy of the ABA’s new guidance at the organization’s  Web site.  She could find nothing.

“I was actually surprised to see that the ABA put out this type of warning because member banks don’t usually publicly address this issue,” says Bayuk.

Also hard to find — unless you know a banker willing to share –  is an official  copy of the source document of the ABA’s warning, which was issued last August by the Financial Services Information Services and Analysis Center.  Senior ABA officials sit on the board of directors of FS-ISAC. The strongly-worded advisory cautions  small and mid-sized organizations never to use a PC dedicated to Internet banking for e-mail or Web browsing.

Getting the banking industry to go on-the-record

The existence of the FS-ISAC document was revealed in a scoop by Brian Krebs, formerly of the Washington Post’s Security Fix blog, now writing independently at Krebsonsecurity.com. Gartner banking security analyst Avivah Gartner subsequently cited the  FS-ISAC warning in  her 31Aug2009 white paper, Major Financial Services Firms Call Online Banking Dangerous.

But it wasn’t until LastWatchdog asked the ABA to clearly state whether Internet banking is considered safe for small and mid-sized organizations that the ABA –  whose member banks control 95% of the $13.5 trillion in assets held by  the U.S. banking industry –  issued a carefully worded public  stance. Here’s the full response from Doug Johnson, Vice President and Senior Advisor for Risk Management:

• “ABA serves on the FS-ISAC board and helped develop the recent NACHA/FS-ISAC/FBI alert regarding unauthorized ACH transfers affecting small and medium sized businesses, agencies and organizations. ABA, along with the financial services community, developed precautions that we have communicated with all member banks. Small- and medium-sized businesses are strongly advised to heed the guidance issued by their banks. The fraudulent transactions represent a very small portion of the millions of safe and successful ACH transactions conducted daily by businesses across the country. However, ABA is actively monitoring the situation and believes that commercial bank customers can safely utilize online banking by taking the precautions outlined in the alert.”

Keep in mind that the ABA’s public stance has long been that online banking is completely safe and, in fact, makes banking safer since customers do not have to wait for a monthly statement to arrive in the mail to monitor for suspicious activity.  The major safety benefit, according to ABA, is that customers can  check their account balances in real time via the Internet.

LastWatchdog also asked the ABA to elaborate on the rationale that it should be largely left up to small and mid-sized organizations to take full responsibility for keeping any  PC used for Internet banking free of banking Trojans. Johnson’s full answer:

• “Each bank sets its own policy regarding a business customer’s liability related to unauthorized electronic transfers. The banking industry is committed to protecting all customers – including businesses – from the fraudulent activities of criminals. Therefore, banks urge business customers to be aware of their responsibility to keep computers used for online banking free of malicious programs. The American Bankers Association has encouraged member banks to distribute to their business customers guidance developed by the FBI and the financial industry on how to guard their computers against unauthorized security breaches. Specifically, ABA recommends that business customers always initiate ACH or wire transfers under dual control, with one person initiating the transaction and another person approving it. Such controls can greatly reduce the risk of unauthorized transactions made possible by a breach of computer security.”

The reality is small organizations  have “no clue that they,’re not protected, and that’s the problem,” says Litan. The threat is so great that Litan as been counseling her aquaintances who  operate small businesses to go a step further that dedicating a PC to online banking. Litan advocates small bujsiness owners to drop commercial online accounts and move to an individual consumer account.

The services that come with a consumer account will be limited; you won’t be able to do administer payroll online, for instance. But if you do get victimized by a cyber-robber, the banks are compelled by consumer protection laws to make you whole. Not so with a commercial account.

“The bottom line is even if it’s a one in 1,000 or even one in 20,000 chance of your accounts getting ripped off, the  chances of you getting the money back using a commercial account is about 50% , because the banks simply do not have to reimburse you,” says Litan.

Anomalous transfers overlooked

Hillary Machinery, a heavy equipment manufacturer based in Dallas and Houston, recently  learned this the hard way.blogging about the details of your case, if you’re willing to provide.

In  November 2009 cyber-robbers  executed multiple wire transfers and ACH transactions destined for Russia, the  UK and elsewhere, says company spokesman Troy Owen. ” Several hundred thousand was taken, internal transfers made, and multiple ACH’s made before the bank had any clue.”

The unauthorized transfers were “completely out of the range of our normal banking activity,” he says. “Several of the wires were sent overseas and our accounts were specifically set up NOT to wire overseas.”

The crooks used a staging bank or clearing house bank in New York before wiring the stolen funds to offshore accounts. Hillary Machinery’s bank managed to stop transfers of, and retrieve, most of the fund, except for $200,000. Thus far the bank  has refused to take responsibility for any losses, says Owen.

– By Byron Acohido

This  iPhone worm appeared over the weekend, arriving less than two weeks after a 21-year-old Australian researcher, Ashley Towns, released the Ikee worm — the prototype for this new type of attack.

You may recall Towns cleverly changed the wall paper of iPhones he hacked to a picture of 80s singer Rick Astley.

People crack open the locks on their iPhone operating system — referred to as jailbreaking — to subvert Apple’s obsessiveness about permitting only AT&T phone service and corporate-approved apps. Security firm Intego estimates that 6% to 8% of iPhones are jailbroken.

Towns, the young Australian hacker, said he launched Ikee to underscore how most iPhone jailbreakers were too lazy to change the default system password, making their iPhones trivial to hack.

This brings to mind the MySpace Samy worm, initially released by Samy Kamkar as a ploy to get his girlfriend’s attention. Kamkar’s expoloit was  quickly incorporated into profit-driven attacks.

Worm name: “Duh”

Similarly, the iPhone worm released this weekend is much more insidious than the Ikee worm. It installs a botnet management program, giving the intruder the ability to use the iPhone just like they would a botted Windows PC. Bad guys use botnets to spread spam, steal data and hijack online accounts. The worm also changes the default password to make it harder for users to regain control. Sophos researcher Paul Ducklin discovered that the default password was changed from “alpine” to “ohshit.”

Says Ducklin: “I don’t know whether we have an official name for this worm yet, but I’ll refer to it as Duh, because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm. “Duh” is the part which reports back to Cybercrime Control (at IP number 92.61.38.16, which appears to be in Lithuania, that you have been infected, and then regularly checks back for commands to download and run later. That makes this virus a true bot or zombie.”

Russian routlette

Graham Cluley, Sophos senior analyst, notes that there has been a long history of “proof of concept” hacks evolving quickly into more malicious attacks.

“The earlier Ikee worm wasn’t written with an obvious financial motivation,” says Cluely. “However, there is no doubt that the author of Ikee helped the creators of this worm by releasing his source code, giving them a template upon which to create their own more malicious attack.”

Owners of jailbroken iPhones would be wise to also change their default root password — if the worm hasn’t already done it for them.

“Leaving it in its default state is playing Russian Roulette with your data,” says Cluely. “There will undoubtedly more attacks attempting to take advantage of hackers gambling with the security of their jailbroken iPhone.”

Peter James, spokesperson for Intego, concurs: “We are particularly worried that the Rick Astley worm’s creator, having posted the code on-line, has made it that much easier for the bad guys to exploit the weaknesses in jailbroken iPhones,” says James. “It’s very possible that we’ll see more such threats in the future.”

–Byron Acohido

The SANS Institute’s report on Top Cyber Risks is by far the most comprehensive accounting of ongoing cyber attacks ever made public. SANS is the well-respected Washington D.C.-based tech security think tank and training center. The organization distilled attack data from 6,000 companies and government agencies protected by defense systems supplied by two leading tech security companies, TippingPoint and Qualys.

SANS’ cornerstone finding: the vast bulk of attacks to infect home and workplace computers, enlist them into bot networks, and then use them to carry out criminal activities spin off two pervasive weaknesses.

The first: unpatched vulnerabilities in popular consumer applications, especially Adobe’s Acrobat Reader and Flash Player, Apple QuickTime and Microsoft Office. The second: security weaknesses in the Web applications that enable all the cool features on Web 2.0 sites.

Hand in glove

These two weaknesses work hand-in-glove — to the benefit of the bad guys. Here’s how:

Many cyberattacks hinge on getting a victim to click on a corrupted URL, as I explained in my 03Sept2009 USA Today news story.

Of course, the bad URL had to be tainted at some point earlier. Attackers most often do this via SQL injection exploits of legit Web pages; these automated attacks seek out and take advantage of Web sites running poorly- written Web applications.

“Organizations need to pay more attention to the security of their critical software applications,” says Roger Thornton, co-founder and CTO of Fortify Software. “Today’s cybercriminals have  moved to the easiest breach points, which is now the applications an organization uses to conduct its business.”

Upon cracking a Web page, the hacker will typically use off-the-shelf, tried-and-true tools, such as Mpack or IcePack, for the next step. These tools will efficiently seek out security holes in  popular PC applications — the everyday programs that can be found on just about any PC, including Internet Explorer, Acrobat Reader, Flash Player, Microsoft Office.

A bot is born

Mpack and IcePack and other similar tools go to work on newly infected computers. They quickly run through an extensive list of known vulnerabilities for all popular consumer apps — and exploit the first unpatched vulnerability they run into. The exploit almost always begins with the installation of a tiny wormhole, called a “Trojan downloader,” that secures ongoing access to the hard drive.

The attacker next uses this wormhole to install a botnet management program that turns the computer into an obedient “bot,” reporting to a command-and-control server operated by the “botmaster.” The top botmasters run mega botnets tens of thousands, or even hundreds of thousands of bots strong, with names like Waledac, Pushdo, Cutwail, Rustock, Mega-D and Storm.

Each freshly infected bot instantly begins to participate in myriad criminal activities – everything from spreading spam to triggering scareware promotions to hijacking online banking accounts to participating in politically-motivated Distributed Denial-of-Service attacks.

Top botmasters make use of infected machines judiciously — they’ll pay attention to time zones and use machines during early morning hours when the owner is asleep, for instance. They will also put bots to sleep for a time and use them again later, like letting farmland go fallow. This is to keep control of the bot for an extended period. For obvious reasons, fresh bots are always in high demand.

“The vast bulk of new bots are created when unsuspecting users visit trusted Web sites that are also infected,” says Alan Paller, SANS research director. “Web attacks take advantage of client-side vulnerabilities that are being given insufficient attention by cyber defenders. The web attacks also take advantage of Web programming errors that are not being picked up by common vulnerability scanners.”

The bottom line, says Paller, is that “two cyber risks dwarf all others and users are not effectively mitigating them.”

Web threats mushroom

Serendipitously, SANS  released the results of its milestone survey the same day Websense released its bi-annual threat report covering the first half of 2009. Websense keeps  track of Web-based attacks hitting the networks of its corporate customers; it reported a whopping 671 percent spike in malicious Web links in the first half of 2009 compared to the first half of 2008.

What’s worse: corrupted legitimate sites account for an estimated 77 percent of the bad links lurking on there in the Internet wild.

Web properties that encourage user-generated content — such as media sites, social networks and popular blogs — have become popular targets. This was vividly demonstrated just last weekend when hackers served up viral advertisements all across the New York Times’ Web site.

In a similar attack on USA Today’s Web site last May, cyber criminals patronized a legit ad placement agency to purchase advertising space on USA Today’s Life home page. The crooks then supplied the ad agency with copies of ads for Roxio Creator 2009 and Phoenix University. Then once every hour or so, the crooks sent through an ad containing a bit of malicious code, as shown below. This bad code redirected the visitor’s PC to an insistent promotion to buy worthless antivirus protection.

“Neither clicking, nor hovering over the ad was required to activate the malicious code,” says Purewire researcher Paul Royal, who discovered the USA Today attack. “In addition, the (corrupted) ad could have been, and likely was, served almost anywhere on USA Today’s website.”

Anyone who happened to visit USA Today’s Life home page at the moment the corrupted Roxio ad appeared was infected. Yet, had an investigator checked shortly thereafter, the crooks’ ad would have been found to be clean of any bad code, says Roger Thompson, senior researcher at AVG. This technique of paying an ad network to post a string of harmless, innocuous ads — sporadically replaced by a corrupted ad — has been used widely for at least two years, Thompson says.

So far this year, community-driven security tools, like those used on YouTube and BlogSpot, are proving to be “65% to 75% ineffective” at protecting users, says Websense CTO Dan Hubbard.

“The last six months have shown that malicious hackers and fraudsters go where the people are on the Web,” he says. “From malicious Twitter spam campaigns and blog comment spam to the massive SQL injection attacks, those perpetrating fraud are exploiting the inherent trust users have of known Web properties and other users.”

Web threats graphic courtesy of Trend Micro

–By Byron Acohido

The software giant is raising  a bright red flag because this affects all Windows Vista and certain Windows Server 2008 PCs.

I’ve begun polling some top security researchers and analysts about the go-forward implications of advisory no. 975497 just issued by Microsoft.

The backdrop: Independent researcher Laurent Gaffie earlier this week took credit for discovering — and publicly disclosing — the flaw, an action criticized by Microsoft spokesman Christopher Budd.  “This vulnerability was not responsibly disclosed to Microsoft and may put computer users at risk,” says Budd.

Gaffie claimed that a hacker could use the vulnerability to cause a Vista or Windows Server 2008 PC to crash, displaying the Blue Screen of Death.

But Microsoft’s Budd now says hackers can also remotely exploit the flaw, which means they could create a worm that searches out and takes control of any unpatched PCs connected to the Internet, much as the Conficker worm did.

So the race is on for Microsoft to design, test and issue a security patch. That could take weeks or months, raising these open-ended questions:

• How long will it take Microsoft to design, test and issue a security patch? How long after that before the patch is widely implemented in homes and workplaces?
• Given the threat landscape, what is the likelihood that cyber gangs will launch a self-spreading Internet worm designed to infect millions of Vista and Windows Server 2008 machines?
• To what extent does this vulnerability lend itself to Conficker-like exploitation?
• How effective does the Microsoft work around appear to be?

Budd says Microsoft is not currently aware of any attacks using the SMB2 to take control of PCs. Even so, the software giant is advising Vista and Windows Server 2008 users to do an emergency workaround.

Microsoft “recommends customers review and implement the workarounds outlined in the security advisory,” says Budd. “While these workarounds do not completely mitigate the threat, we’re currently investigating the issue and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.”

–By Byron Acohido