Farewell 2009, and The Washington Post
This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company.
Over the last 15 years, I've reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were "reverse published" in the newspaper, including eight front-page stories and a Post Magazine cover.
Through it all, you - the reader - have been my most valuable source, most reliable critic, and most persistent muse. Loyal readers are the reason Security Fix has consistently been among the most-visited blogs on washingtonpost.com. Thank you.
Hackers exploit Adobe Reader flaw via comic strip syndicate
Hackers broke into an online comic strip syndication service Thursday, embedding malicious code that sought to exploit a newly discovered security flaw in Adobe Reader and Acrobat, Security Fix has learned.
On Monday, Adobe Systems Inc. said it was investigating reports that criminals were attacking Internet users via a previously unknown security flaw in its Adobe Reader and Acrobat software. Experts warned that the flaw could be used to foist software on unsuspecting users who visit a hacked or booby-trapped Web site.
Albany, N.Y.-based Hearst publication Timesunion.com now reports that on Thursday readers of its comics section began complaining of being prompted to download malicious software. In an update posted to its site, Timesunion.com said the attack took advantage of the recently disclosed Adobe flaw. The news outlet said it had traced the attack back to a problem at King Features, which serves comics on its Web site, and that King Features had since corrected the problem.
Rose Croke, brand development manager for King Features, said the malicious code was somehow injected into the company's Web server that handles content for its Comics Kingdom clients. Croke said the Comics Kingdom content is syndicated by roughly 50 different news sites, including Timesunion.com.
"We're working on finding the source of the injection," Croke said.
Adobe said it does not plan to issue a software update to fix the flaw until Jan. 12, 2010.
In the meantime, Internet users may want to consider uninstalling Adobe Reader in favor of another free PDF reader program, such as Foxit Reader.
Twitter.com hijacked by 'Iranian cyber army'
Hackers hijacked the Web site of micro-blogging community Twitter.com early Friday, briefly redirecting users to a Web page for a group calling itself the "Iranian Cyber Army."
The attackers apparently were able to redirect Twitter users by stealing the credentials needed to administer the domain name system (DNS) records for Twitter.com. DNS servers act as a kind of phone book for Internet traffic, translating human-friendly Web site names like "Twitter.com" into numeric Internet addresses that are easier for computers to handle.
"Twitter's DNS records were temporarily compromised but have now been fixed," the company said in a brief statement on its Web site. "We are looking into the underlying cause and will update with more information soon."
Twitter's DNS service is provided by Manchester, N.H.-based Dyn Inc. Tom Daly, chief technology officer at Dyn, said the incident was not the result of a security failure on its services. Daly said it appears someone changed Twitter's DNS records to point visitors to a different Internet address using the proper account credentials assigned to Twitter (image above courtesy Trend Micro).
"Someone logged in who purported to be a legitimate user of their [DNS] platform account and started making changes," Daly said. "It was not a failing on our systems whatsoever."
Daly told Security Fix that the redirection lasted about 90 minutes.
"We had seen some interesting activity coming in, and said 'Hmm, there's something going on here,'" Daly said. "As soon as we detected what the issue was, we snapped into action and contacted Twitter."
It remains unclear how the user name and password needed to change Twitter's DNS records were intercepted. There are a number of possible explanations, but perhaps the most likely is that a Twitter administrator with authorized access to those credentials had his or her e-mail account hijacked. Security Fix will update this post in the event that more information becomes available.
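The episode above is a useful reminder that when an attacker logs in with valid credentials, the DNS provider sees nothing wrong; the only external signal is that the published records change. The following Python is an added example (it is not code from the original post, Twitter or Dyn) of the check a practitioner would script: diff a freshly observed snapshot against a known-good baseline, and additionally flag any A/AAAA answer that falls outside the address space the organization actually controls, so that a single rogue IP is caught even if the baseline is stale. The record values, the TEST-NET addresses and the "dns-provider.example" name servers are all constructed for the example; a real monitor would fill the snapshot by querying several public resolvers and the zone's authoritative servers.

```python
import ipaddress


def _norm(rtype: str, value: str) -> str:
    """Normalize a record value so cosmetic differences do not raise alerts."""
    v = value.strip().lower()
    if rtype in ("NS", "CNAME", "MX"):
        v = v.rstrip(".")        # "ns1.example." and "ns1.example" are the same target
    return v


def dns_drift(baseline: dict, observed: dict, allowed_nets=()) -> list:
    """Diff an observed snapshot against the expected record sets.

    baseline / observed: {(owner_name, rtype): [values]}.
    allowed_nets: CIDR strings the organization controls. Any A/AAAA answer
    outside them is reported as "outside_allowed" even when it also shows up
    as "added", so the alert does not depend on the baseline being current.
    Returns a list of (kind, owner_name, rtype, value) tuples.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        want = {_norm(rtype, v) for v in baseline.get(key, ())}
        got = {_norm(rtype, v) for v in observed.get(key, ())}
        for v in sorted(got - want):
            findings.append(("added", name, rtype, v))
        for v in sorted(want - got):
            findings.append(("removed", name, rtype, v))
        if rtype in ("A", "AAAA") and nets:
            for v in sorted(got):
                if not any(ipaddress.ip_address(v) in n for n in nets):
                    findings.append(("outside_allowed", name, rtype, v))
    return findings


# Constructed data: RFC 5737 TEST-NET ranges stand in for real address space,
# and the name servers are placeholders, not Dyn's.
ALLOWED_NETS = ["192.0.2.0/24"]
BASELINE = {
    ("twitter.com", "A"):  ["192.0.2.10", "192.0.2.11"],
    ("twitter.com", "NS"): ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
}
# What a poll might have returned during an account-level change like the one
# described above: the NS set is untouched, the A record points elsewhere.
HIJACKED = {
    ("twitter.com", "A"):  ["198.51.100.7"],
    ("twitter.com", "NS"): ["NS1.dns-provider.example", "ns2.dns-provider.example."],
}

if __name__ == "__main__":
    for finding in dns_drift(BASELINE, HIJACKED, ALLOWED_NETS):
        print(*finding)
```

Run on the constructed snapshot, the monitor reports the added 198.51.100.7, the two removed 192.0.2.x addresses, and the same 198.51.100.7 as outside the allowed space, while the case and trailing-dot differences in the NS set produce nothing. Polling every few minutes from outside the provider is what turns a 90-minute redirect into a much shorter one.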
Group IDs hotbeds of Conficker worm outbreaks
Internet service providers in Russia and Ukraine are home to some of the highest concentrations of customers whose machines are infected with the Conficker worm, new data suggests.
The report comes from the Shadowserver Foundation, a nonprofit that tracks global botnet infections. Shadowserver tracks networks and nations most impacted by Conficker, a computer worm that has infected more than 7 million Microsoft Windows PCs since it first surfaced last November.
"Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now," Shadowserver stated on its Web site.
Shadowserver's numbers indicate that the largest numbers of Conficker-infested PCs are in the East, more specifically China, India and Vietnam. For example, Chinanet, among China's largest ISPs, has about 92 million routable Internet addresses, and roughly 950,000 -- or about 1 percent of those addresses -- appear to be sickened with Conficker.
Security Fix decided to use the group's data in a slightly different way, to showcase the concentration of Conficker victims as viewed against the total number of each ISP's customers. Viewed this way, Russian and Ukrainian ISPs have the highest concentration of customers with Conficker-infected systems (the chart below is based on Shadowserver's own data).
Shadowserver is but one member of the larger Conficker Working Group, a collaborative effort comprising security experts, anti-virus and software vendors, and infrastructure providers that sprang up shortly after it became clear that the worm was well on its way to becoming a massive weapon in the hands of its criminal creators.
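The difference between the two views above comes down to what you divide by. The following Python is an added example (not Shadowserver's code or the spreadsheet behind the chart) of the calculation: it sizes each ISP's address space from its announced CIDR prefixes, collapsing overlapping announcements so they are not double-counted, and then ranks the providers both by raw infection count and by infections per routable address. The three ISPs, their prefixes and their infection counts are constructed for the example; with the page's own Chinanet figures (about 950,000 infected of roughly 92 million addresses) the same arithmetic gives about 1 percent.

```python
import ipaddress


def address_space(prefixes) -> int:
    """Routable addresses covered by a list of IPv4 CIDR prefixes.

    collapse_addresses() merges overlapping or adjacent announcements (a /16
    announced inside its parent /8 is common in BGP data) so nothing is
    counted twice. Assumption: one address family per call.
    """
    nets = (ipaddress.ip_network(p, strict=False) for p in prefixes)
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def rank_by_count(isps: dict) -> list:
    """ISP names ordered by raw infection count, the view that favors big networks."""
    return sorted(isps, key=lambda name: isps[name]["infected"], reverse=True)


def rank_by_rate(isps: dict) -> list:
    """[(name, infected, addresses, percent)] ordered by concentration."""
    rows = []
    for name, d in isps.items():
        total = address_space(d["prefixes"])
        pct = 100.0 * d["infected"] / total if total else 0.0
        rows.append((name, d["infected"], total, pct))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample: private ranges stand in for announced prefixes, and the
# infection counts are invented to show the two rankings disagreeing.
SAMPLE = {
    "ISP-A": {"prefixes": ["10.0.0.0/8", "10.1.0.0/16"], "infected": 150_000},
    "ISP-B": {"prefixes": ["172.16.0.0/12", "192.168.0.0/16"], "infected": 120_000},
    "ISP-C": {"prefixes": ["203.0.113.0/24"], "infected": 2},
}

if __name__ == "__main__":
    print("by count:", rank_by_count(SAMPLE))
    for name, infected, total, pct in rank_by_rate(SAMPLE):
        print(f"{name}: {infected:>8} of {total:>10} addresses = {pct:5.2f}%")
```

ISP-A has the most infected machines and is ranked first by count, but ISP-B, with a fraction of the address space, is the one where more than 10 percent of addresses are infected; that is the Russia/Ukraine effect in the chart.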
Despite the group's best efforts, whoever is responsible for releasing Conficker remains at large. Compounding the cleanup effort is the fact that the worm really hasn't done anything overtly malicious other than spread quite virulently.
"Given any large number of infected systems, remediation becomes a very difficult task, and even harder to justify when the infection does nothing," Shadowserver said.
Shadowserver said its statistics were "not intended to shame, or embarrass any company or organization, but simply illustrate the depth and extent of how Conficker truly affects a worldwide scope of providers." Then again, shaming may be exactly what is needed for ISPs that are seeing anywhere from 10 percent to 27 percent of the customer base infected with Conficker.
Obviously, a big part of fixing a problem is knowing that you have one in the first place. To that end, Shadowserver offers all ISPs and Web hosting providers free daily feeds that can alert network providers to new bot infections on their networks.
Hackers target unpatched Adobe Reader, Acrobat flaw
Adobe Systems Inc. said Monday it is investigating reports that attackers are exploiting a previously unidentified security hole in its Acrobat and Reader software to break into vulnerable computers.
The acknowledgment coincided with an alert published by the Shadowserver Foundation, a nonprofit group that tracks the spread of malicious programs that criminals use to control infected systems remotely. Shadowserver member Steven Adair said the flaw is present in the most recent versions of Adobe Acrobat and Reader.
Adair warned that security experts have observed cyber crooks using the vulnerability in targeted attacks since at least Dec. 11, but that more widespread attacks are likely to emerge over the next few weeks. In addition, few anti-virus vendors currently detect malicious PDF files harboring this exploit.
At the moment, there is no patch available for this flaw, and Adobe's brief advisory offers little in the way of mitigation advice.
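With no patch and little detection for the booby-trapped PDFs described here and in the comic-syndicate post above, a practitioner's fallback is to triage suspicious PDFs before anyone opens them. The following Python is an added example, not code from the original post or from Adobe, of that kind of first pass: it counts the name objects that drive-by PDFs of this era almost always needed (script plus an auto-run hook such as /OpenAction or /AA, or a /Launch action) and, because PDF allows any byte in a name to be written as #xx, it decodes that escaping first and separately flags any file that uses it, since legitimate generators almost never hex-escape plain letters. The two PDFs in the block are constructed for the example and are not the files used in the attacks; the routine says nothing about which Reader bug a file targets, only that it deserves a sandbox rather than a double-click.

```python
import re

# Name objects worth counting in a PDF that arrived unexpectedly. None of them is
# proof of malice (fillable forms use /JavaScript legitimately), but script plus
# an auto-run hook is the shape of nearly every PDF-reader exploit.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia")

# A PDF name ends at whitespace or a delimiter character; requiring that
# boundary keeps /JS from matching /JSX and /AA from matching /AAA.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"
_HEX_ESCAPED_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*#[0-9A-Fa-f]{2}")


def _decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript counts as /JavaScript.

    Applied to the whole file rather than to name tokens only, which is
    acceptable for triage (a '#41' inside a string literal is harmless here).
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious name objects and obfuscation indicators in raw PDF bytes."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    decoded = _decode_name_escapes(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + _NAME_END
        counts[name] = len(re.findall(pattern, decoded))
    return {
        "names": counts,
        # counted on the *undecoded* bytes: a hex-escaped name is itself a signal
        "hex_escaped_names": len(_HEX_ESCAPED_NAME.findall(data)),
    }


def is_suspicious(report: dict) -> bool:
    """Script that runs on open, a /Launch action, or hidden keywords: sandbox it."""
    n = report["names"]
    has_script = n["/JavaScript"] + n["/JS"] > 0
    auto_runs = n["/OpenAction"] + n["/AA"] > 0
    return ((has_script and auto_runs) or n["/Launch"] > 0
            or report["hex_escaped_names"] > 0)


# Constructed samples, not real files: a minimal benign PDF, and one shaped like
# a drive-by document with its /JavaScript name hex-escaped.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

DRIVEBY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("driveby", DRIVEBY_PDF)):
        report = triage_pdf(blob)
        print(label, "suspicious" if is_suspicious(report) else "clean", report)
```

The check is deliberately dumb: it reads the raw bytes and ignores compressed object streams, so a determined author can hide keywords inside a FlateDecode stream. It still catches the bulk of mass-mailed and drive-by PDFs, and it is cheap enough to run on every attachment and download at a gateway.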
Check your Facebook 'privacy' settings now
If you use Facebook and care about your privacy, take a moment to read this blog entry. Facebook has made some major changes that may allow a great deal more people to see your personal photos and videos, date of birth, family relationships, and other sensitive information.
While logged in to Facebook, click the "Settings" link and you should see a box that looks like the one pictured below. You may see that Facebook has reset your privacy settings, so that everyone can now see the information on your "About Me" page, as well as your "Family and Relationships" data; "Work and Education"; and most importantly "Posts I Create," which includes status updates, links, photos, videos and notes. Below is a screen shot of what my privacy settings looked like when I recently logged in.
The new privacy settings instituted across the Facebook network may also expose your birthday, religious and political views, and "photos and videos of me" to your "Friends of friends," meaning that any one of your friend's friends can now view this information.
This "Friends of friends" setting may be perhaps the most important, as it has the potential to dramatically expand the number of people who now have access to this data.
If you do not wish to accept these new privacy settings, change all or some of the relevant radio buttons to the "Old Settings" selection, and then click the "Save Settings" button at the bottom of the page.
The changes may have even caught Facebook.com Chief Executive Mark Zuckerberg by surprise: Valleywag features a story Friday noting that the new privacy settings exposed a cache of more than 290 photos of Zuckerberg that were uploaded by people who had tagged him in their pictures but that were previously hidden (the photos don't appear to be accessible at the moment).
Facebook's revised privacy policy describes the "everyone" setting this way:
"Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."
"The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."
Judging from the user comments posted to the Facebook Site Governance page, these changes have not been well received by the Facebook community overall.
Paper-based data breaches on the rise
More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported.
According to the Identity Theft Resource Center, a San Diego based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of.
Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws.
Congress, though, is considering several federal data breach notification measures that would preempt existing state regulations. The three leading federal proposals -- a bill passed this week by the House of Representatives, and a pair of measures passed by the Senate Judiciary Committee last month -- would require notification only when data stored electronically is lost or stolen.
"Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them, because now we want a hard copy as well as what's on the computer," ITRC co-founder Linda Foley said. "It's a double danger of course, because paper - especially when it's just tossed in a dumpster somewhere - is not like data on a hard drive. It's ready to use, it often contains the consumer's handwriting and signatures, which can be very useful when you're talking about forging credit card and mortgage applications."
Still, it is frequently difficult to determine precisely how many consumer records are jeopardized in paper-based breaches. Indeed, often the closest measure of the size of paper-based data breach is the number of pounds of documents involved, Foley said.
"There was a case earlier this month in Missouri where 2,000 pounds of credit reports, blank checks and copies of Social Security statements were found in a dumpster," Foley said. "Unfortunately, you pay by the pound for shredding these documents, and that's the best measure we have sometimes."
That incident, reportedly involving the former Battlefield, Mo.-based Nationwide Credit Counseling, exposes a frequent source of paper breaches: companies that go belly-up. And with the ongoing recession claiming more and more companies each day, paper-based breaches are only going to grow as a percentage of overall data spills, Foley predicts.
"What we're seeing is companies are going out of business and then they take these papers and just toss them, or leave them for the building's cleaning crew to deal with," Foley said. "This is a trend that's only going to get worse."
According to the ITRC, 17 percent of data breaches reported last year were solely paper-based.
Critical updates for Adobe Flash, Microsoft Windows
Microsoft released six software updates on Tuesday to fix at least a dozen security vulnerabilities in Windows, Internet Explorer, Windows Server and Microsoft Office. More than half of the flaws earned a "critical" rating, meaning criminals could exploit them to break into vulnerable systems without any help from users. Separately, Adobe Systems Inc. issued critical security updates to its Flash Player and AIR Web-browser plugins.
Probably the most important update for most users is the one for Internet Explorer, which corrects five critical flaws in IE 6, 7 and 8. These are vulnerabilities that attackers could exploit to quietly install malicious software on your machine if you browse with IE to a hacked or booby-trapped site.
A description of the rest of the vulnerabilities patched in this month's release from Microsoft is available here.
Adobe also issued security updates to its ubiquitous Flash Player and its Adobe AIR software. Updates are available for Windows, Linux and Mac versions of these programs.
The Flash update corrects several critical vulnerabilities in Flash versions 10.0.32.18 and earlier. Users should upgrade to the latest version - 10.0.42.34 - available here. Not sure whether you have Flash installed or which version you need? Visit this link.
A couple of notes about the Flash update are in order. First, Windows users will need to apply this update twice if they use another browser in addition to Internet Explorer. Those users will need to visit the Flash Player Download Page and install the update once with IE, and a second time while visiting that link with Firefox or Opera (the IE installer updates only the ActiveX control; the second installer updates the plug-in that Firefox, Opera and other non-IE browsers use).
Also, Adobe's installer typically pre-checks some third party software -- such as Google Toolbar or a trial of some anti-virus product -- so if you don't want these "extras," make sure to uncheck that option before agreeing to install the update.
Adobe also shipped an update to its AIR browser plug-in, which updates AIR version 1.5.2 to the newest version, cleverly named 1.5.3. Users can download the latest AIR version from this link.
As always, please drop a note in the comment section below if you experience any problems or weirdness with your system after installing any of these updates.
Security Fix author named 'cybercrime hero'
Networking equipment maker Cisco Systems Inc. this week bestowed a generous honor on the Security Fix author. In its 2009 annual security report released Tuesday, Cisco names Yours Truly as a "cybercrime hero," citing an ongoing investigative series detailing the plight of small businesses that have lost hundreds of thousands of dollars at the hands of malicious software.
The mention comes in a section announcing Cisco's first-ever "Cybercrime Showcase," which the company said aims to "shine a spotlight on individuals and entities who have made significant positive contributions during the past year toward helping make the Internet a safer place for all users."
Clearly, I am long overdue to design a decent superhero costume. In all seriousness, I am grateful for the mention, and for the recognition of my work.
Interestingly, the two other "winners" of Cisco's 2009 "Cybercrime Showcase" are malware families whose authors recently have seen fit to insult the Security Fix author by name: the Koobface worm, which spreads on Facebook and other social media sites; and the prolific password-stealing program known as Zeus.
A link to the full report is available here.
La. firm sues Capital One after losing thousands in online bank fraud
An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year.
In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart.
According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches.
"Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller. "The banks are clearly taking a 'Hey, don't look at me!' stance. It is so sad to wonder how many business failures this type of fraud has caused."
Capital One declined to comment for this story.
The lawsuit is the latest to challenge whether banks are doing enough to help customers prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company's online banking credentials, said David Johnson, a digital media lawyer with the Los Angeles law firm Jeffer Mangels Butler & Marmaro LLP.
Johnson said that under the Uniform Commercial Code, banks generally are required to maintain "commercially reasonable" methods of providing security against unauthorized payment orders. But he said just what constitutes "commercially reasonable" security practices has only recently been challenged, citing a recent court case in Illinois expected to go to trial soon in which a couple is suing their bank over $26,500 lost when cyber thieves stole the user name and password needed to access their home equity line of credit.
"The banks try to limit their responsibility by saying that customers have to monitor their accounts and notify the bank immediately if there is some kind of suspicious transfer," Johnson said. "And it's very rare that businesses are going to be that diligent in reviewing their online accounts."
For its part, JM Test maintains that it alerted Capital One to the fraud on the same day as the fraudulent activity, and that the bank still failed to stop the fraud. The plaintiffs charge that Capital One violated its own online banking terms and conditions, which it said provide that once a Capital One customer calls to report fraudulent activity, Capital One will close the affected customer's existing account to prevent further unauthorized charges.
According to court documents, on Feb. 20, 2009 JM Test discovered that an unauthorized $45,640 wire transfer had been made against its account to an account at Alpha-Bank in Moscow. JM Test claims that it alerted Capital One by telephone of the fraudulent wire transfer that same day, and that the bank said it would investigate.
JM Test alleges that five days later, Capital One issued it a new user name and password. But then on March 2, the company found that thieves had broken into its online bank account yet again, this time initiating a batch of unauthorized payroll payments totaling $51,556.44. The money was sent to at least five different money mules, individuals who the attackers had apparently hired via online job Web sites to receive the transfers and then wire them out of the country.
Phishers angling for Web site administrators
Scam e-mail artists have launched a massive campaign to trick webmasters into giving up the credentials needed to administer their Web sites, targeting site owners at more than 90 online hosting providers. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute their malicious software.
The spam e-mails arrive addressed to users of some of the top Web hosting firms, from hostgator.com to yahoo.com and 50webs.com, and bear the same basic message:
"Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details." Recipients who click the included link are brought to a Web site made to look like a cPanel page (cPanel is a widely used Web site administration software package). People who fall for the scam and provide their credentials are then forwarded on to the actual site of the Web hosting company named in the body and subject line of the scam e-mail.
According to Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, the perpetrators of this scam appear to be trying to capture the FTP user names and passwords of webmasters, in a bid to enlist the hacked sites in drive-by malware attacks.
If you administer a Web site and fell for this phishing scheme, be sure to contact your hosting provider and have them change your password. It would also be a good idea to review your Web site content for any recent unauthorized changes. Stopbadware.org has some great resources and a very active user community that can help affected Web site administrators clean and secure their pages.
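The tell in this campaign is mechanical: the e-mail names a real hosting company, but the "confirm your FTP details" link goes somewhere else, typically an IP address or an unrelated domain with the provider's name stuffed into the path. The following Python is an added example, not code from the original post or from any hosting provider, of a filter that checks exactly that. It reads a message, learns which provider is being impersonated from the From: address and from provider names in the subject and body (the From: header is forged, so it is used only to identify the target, never to vouch for the mail), and flags any link whose host does not belong to that provider. The two messages are constructed for the example (the lure sentence is the one quoted above; the link host is a TEST-NET address), and the registrable-domain helper is a deliberate simplification that takes the last two labels rather than consulting the public-suffix list.

```python
import ipaddress
import re
from email import message_from_string, policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Providers the campaign impersonated; the post names these three of 90-plus.
PROVIDERS = {"hostgator.com", "yahoo.com", "50webs.com"}


def registrable(host: str) -> str:
    """Crude registrable domain: an IP literal is returned as-is, otherwise the
    last two labels. Assumption: no public-suffix list, so a 'name.co.uk' host
    would be reduced wrongly; adequate for the providers above."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])


def check_message(raw: str, providers=PROVIDERS) -> list:
    """Flag every link that does not lead to the provider the mail claims to be from.

    Returns [] when the message does not mention a known provider at all
    (out of scope for this filter) or when every link resolves to the
    provider it names.
    """
    msg = message_from_string(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    claimed = registrable(m.group(1)) if m else None
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    impersonated = {p for p in providers if p in text}
    if claimed in providers:
        impersonated.add(claimed)
    if not impersonated:
        return []

    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) in impersonated:
            continue                       # the link really goes to the named provider
        findings.append({
            "url": url,
            "host": host,
            "impersonates": sorted(impersonated),
            # the provider's name in the path or as a subdomain of someone
            # else's domain is the classic lure: .../cpanel/hostgator.com/
            "lure_in_url": any(p in url.lower() for p in impersonated),
        })
    return findings


# Constructed sample messages, not the campaign's actual mail.
PHISH_MAIL = """\
From: HostGator Support <support@hostgator.com>
To: webmaster@example.org
Subject: hostgator.com: FTP account maintenance
Content-Type: text/plain; charset=utf-8

Due to the system maintenance, we kindly ask you to take a few minutes to
confirm your FTP details: http://198.51.100.5/~cpanel/hostgator.com/login.php
"""

LEGIT_MAIL = """\
From: HostGator Support <support@hostgator.com>
To: webmaster@example.org
Subject: hostgator.com: scheduled maintenance window
Content-Type: text/plain; charset=utf-8

Details of the maintenance window are posted at https://www.hostgator.com/status
"""

if __name__ == "__main__":
    for label, mail in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(label, check_message(mail))
```

Two points to keep in mind if you adapt this. A mail that mentions no known provider is not scored, so the provider list has to be maintained; and "hostgator.com.attacker.example" is correctly reduced to "attacker.example" here, but a registered look-alike such as "hostgator-support.example" would pass unless the domain list is compared for near-matches as well.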