Monthly Archive for December, 2008
It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the encryption technology that protects online transactions to undermine the security around e-commerce. washingtonpost.com ran an in-depth story I wrote about their findings, along with a sidebar explaining the weakness in a bit more detail. Long story short: An international team of security experts (pictured at right, thanks to Alexander Klink) showed that they could undermine the system most of us rely on to secure our online transactions, so that even though the browser indicates your connection is encrypted (Web browser address starts with "https://") and vetted by a third party to be secure and authentic, it may in fact be controlled by an attacker offering up a counterfeit Web site designed to steal your
Cyber crooks are once again blasting out fake holiday e-greeting cards in a bid their special kind of cheer. Also, there are signs that computer viruses may again be piggybacking on digital photo frames and other data storage devices that make popular holiday gifts. E-greeting scams are hardly new, but they tend to increase around major holidays, probably because consumers are more receptive to opening them at these times and because more people are home in front of their computers. Most of these e-greeting scams try to foist malicious software by claiming the recipient needs to install some application in order to view the card, such as Adobe's Flash Player. Almost invariably, the downloaded program isn't a legitimate add-on, but malware. According to Symantec, some of the fake e-card domains being used in this scam include (please don't visit any of these sites): * [http://]itsfatherchristmas.com * [http://]bestchristmascard.com * [http://]whitewhitechristmas.com *
If you suspect or know your PC is infected with a virus, it's probably wise to avoid purchasing anything using that computer until you're sure the machine is clean. That includes additional anti-virus or security products. Chances are the malicious software on your machine includes built-in ability to steal user names, passwords and other sensitive data from infected hosts. Recently, I've heard from several people who used their credit or debit cards at the first sign of infection, to renew or upgrade their anti-virus protection when their existing software didn't work or failed to update. Also, in a Live Web chat a few weeks ago, one reader described how he "stupidly" went online and bought an anti-virus product after realizing he'd infected his machine with a DNS hijacker Trojan. Consumers can be forgiven for such goofs: After all, they paid for security software, they expect (rightly or wrongly) to be
A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: That criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits. Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim. Those reports either presented conclusions based on examining a single cache of stolen data, or by observations based on watching transactions between cyber thieves. But a report released today by researchers at the University
Security Fix has often praised Mozilla for equipping its Firefox Web browser with a no-hassle system for automatically applying security updates. But for those users still browsing the Interwebs with anything less than Firefox 3, it's time to take note: Mozilla shipped its final update to Firefox 2 on Tuesday, and plans no further updates for this version. Put simply: If you want to keep using Firefox safely, you're going to need to upgrade to Firefox 3. The latest version of the popular browser received mixed reviews on its release, but Mozilla appears to have done a good job ironing out the kinks since then. Most notably, Firefox 3 consumes far less system memory than older releases. That said, there is a non-trivial chance that Mozilla may in fact ship another update to Firefox 2. A bug report filed Wednesday with Mozilla indicates the browser maker overlooked a security flaw
Microsoft today issued an emergency update to plug a critical security hole present in all versions of its Internet Explorer Web browser, a flaw that hackers have been leveraging to steal data from millions of Windows users. The patch, which Microsoft dubbed MS08-078, fixes a security vulnerability that Microsoft says already has been used to attack more than 2 million Windows users. As Security Fix and other members of the tech community have chronicled, attackers have been busy compromising thousands of Web sites by seeding them with code that installs password-stealing software on computer systems of Web site visitors who use Internet Explorer. Microsoft estimated Monday that one in every 500 Windows users had been exposed to sites that try to exploit the flaw. Additionally, it said the number of victims was increasing at a rate of 50 percent daily. Vulnerability management company nCircle said Microsoft's decision to issue the
Online bill pay giant CheckFree.com said the hijacking of its Web site this month affected an estimated 160,000 people, a disclosure that offers the most detailed account yet of the true size and scope of a brazen type of attack that experts say may become more common in 2009. In a filing with Wisconsin's Office of Privacy Protection, CheckFree said at least 160,000 people may have visited the site during the nine-hour period it was hijacked, which had redirected visitors to a site in Ukraine. An analysis of that Ukranian site indicated that it was trying to exploit known security flaws in Adobe Acrobat and Adobe Reader, in an attempt to install a variant of the the Gozi Trojan, which is among the most sophisticated password-stealing programs in use today. CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills
Web security firm Websense is warning that scam artists have hijacked Google's sponsored links to spread rogue anti-virus software. While this type of attack is not new, I was amazed to find how deeply Google's ad program appears to be infested with this crud. Websense's alert shows how following sponsored links generated by searches for popular software titles may not be such a hot idea. Their investigation of the sites served up at those links took them through what appears to be a long and convoluted effort to trick visitors into installing bogus security software. Websense discovered the scam after searching for WinRAR, a popular tool used for archiving files and folders. Interestingly, when I searched for WinRAR just a few minutes ago, I found two different sponsored links to sites that offered up a version of the program that came with a malicious keystroke-logging program attached, according to a
Microsoft is signaling that it plans to ship an emergency software update on Wednesday to fix a dangerous security hole in its Internet Explorer Web browser that thousands of compromised Web sites have been using to install malicious software. Microsoft says the critical flaw is present in all versions of IE, from IE5 all the way up through IE8 Beta 2. In an unusually frank blog post, the company estimated that about 0.2 percent of Windows users worldwide may have been exposed to Web sites containing exploits that try to attack this vulnerability. While one in every 500 IE users may not sound like a large number, Microsoft said the frequency of attacks is increasing dramatically. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in
Apple has released software updates to fix at least 21 security vulnerabilities in its Mac OS X operating system and other software for the Mac. The patches are available via Software Update or Apple Downloads. Seven of the updates included in this patch bundle fix flaws for the Mac version of Adobe's Flash player, flaws that Adobe patched last month in two separate releases. No matter what OS platform you use, it's important not only to keep Flash updated with the latest security protections, but also to only use Adobe's site to grab those updates (for everything but Solaris, Flash 10,0,12,36 is the latest version). Bogus Flash updates are probably the single biggest vector for distributing malicious software in use today. So, when in doubt, keep this link handy: It will show you whether you are indeed running the most up-to-date version of Flash.
