Saturday, June 28, 2008
Prosecutors say peer-to-peer hacker in plea deal
A hacker suspected of infecting thousands of personal computers with malicious software to obtain private financial information will plead guilty to fraud under a plea agreement, the U.S. attorney's office said.
Under the deal filed Thursday, Jason Michael Milmont, 19, agreed to plead guilty to a federal charge of unauthorized access to a computer to further a fraud, according to a statement from the U.S. attorney's office.
Prosecutors said the case was the first in the U.S. in which a person was prosecuted for using peer-to-peer software to deliver so-called "malware."
Milmont, of Cheyenne, Wyoming, agreed to pay $73,866 in restitution and could face up to five years in federal prison and a $250,000 fine.
Google Gadgets: Google Media Server
Google today introduced Google Media Server. Google Media Server is a Windows-based gadget application that will bridge the gap between Google and your TV. It's a Google Desktop gadget which includes Google Desktop search for searching media files from your desktop.
Tuesday, June 24, 2008
FBI worried as DoD sold counterfeit networking gear - Network World
The U.S. Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously, according to a leaked FBI presentation that underscores problems in the Cisco supply chain.
Home Network Security
Thursday, June 12, 2008
Security firm asks for help cracking ransomware key
Kaspersky Lab, a Moscow-based antivirus firm, put out the call for assistance after it discovered a new variant of Gpcode, a Trojan horse that has been used in isolated "ransomware" attacks for the past two years.
In ransomware attacks, hackers plant malware that encrypts files and then displays a message demanding money to unlock the data. In the case of the newest Gpcode, 143 different file types are encrypted, including .bak, .doc, .jpg and .pdf. The encrypted files are marked by the addition of "_CRYPT" in their file names, and the original unencrypted files are deleted. As a camouflaging move, Gpcode also tries to erase itself.
Finally, the ransom note appears on-screen. "Your files are encrypted with RSA-1024 algorithm," it begins. "To recovery [sic] your files you need to buy our decryptor. To buy decrypting tool contact us at: xxxxx@yahoo.com."
Last Thursday, a Kaspersky analyst identified as "VitalyK" said that although the company had analyzed samples of Gpcode, it wasn't able to decrypt the files the malware encoded. "We can't currently decrypt files encrypted by Gpcode.ak," said VitalyK in an entry to the company's research blog. "The RSA encryption implemented in the malware uses a very strong, 1024-bit key."
One rival researcher, however, took exception to the call to arms. In a message posted to Kaspersky's support forum, Vesselin Bontchev, a Bulgarian researcher who works for Frisk Software, an Icelandic antivirus company, called it a stunt.
A Kaspersky employee identified as "Codelancer" replied, thanking Bontchev for his opinion, but then closed the thread. Kaspersky Labs' U.S.-based public relations representative wasn't available Sunday for additional comment.
Kaspersky told users that backing up their data is the surest way to sidestep ransomware scams. "That way, if you do fall victim to Gpcode and your files get encrypted, at least you won't have lost any valuable information," said a third Kaspersky analyst, David Emm.
Wednesday, June 11, 2008
New Malware Silently Changes Router Settings
The malware, a variant of the "Zlob" Trojan, also known as DNSChanger, rang a bell with me. That's because an earlier variant of this malware did the same thing with the system DNS. Switching to the network DNS is not quite a revolutionary move, but it is a powerful upgrade of technique.
According to Krebs, who consulted with Sunbelt Software, the attack relies on the routers having default usernames and passwords for the admin pages, and on standard file names for those pages. Users who take the wise precaution of changing the router password are not vulnerable to this aspect of the Trojan.
Image and Data Manager
Known as ransomware, the virus takes over a user's computer, locking up their files and giving them an email address through which to organise payment for the key.
The virus first surfaced two years ago; at that time it was defeated because its author made mistakes implementing the encryption algorithm, according to Kaspersky. Unfortunately, it looks like the lesson was learned back then. “The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor,” writes the firm on its official blog.
The company says that it will try to help those infected recover data.
Security Hole Exposes Utilities to Internet Attack - The Associated Press
Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.
Experts with Boston-based Core Security Technologies, who discovered the deficiency and described it exclusively to The Associated Press before they issued a security advisory, said there's no evidence anyone else found or exploited the flaw.
Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.
But the vulnerability could have counterparts in other so-called supervisory control and data acquisition, or SCADA, systems. And it's not clear whether all Citect clients have installed the patch.
SCADA systems remotely manage computers that control machinery, including water supply valves, industrial baking equipment and security systems at nuclear power plants.
Customers that use CitectSCADA include natural gas pipelines in
For an attack involving the vulnerability that Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but does happen when companies have lax security measures, such as connecting control systems' computers and computers with Internet access to the same routers.
A rogue employee could also access the system internally.
Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment, or cause a nuclear power plant to malfunction by attacking the utility's controls.
That possibility has grown in recent years as more of those systems are connected to the Internet.
Tuesday, June 10, 2008
Faster, cheaper iPhone portends IT security headaches
The new 3G iPhone announced on Monday by CEO Steve Jobs at Apple's Worldwide Developers Conference will sell for $199 for the 8GB model and $299 for the 16GB model -- a $200 discount on each model. That brings it within the reach of a much larger audience, including corporate users, according to analysts.
Moreover, the iPhone will support faster download over AT&T's 3G network, substantially enhancing users' web browsing experience. This makes the iPhone more appealing for workers accessing web-based enterprise applications via smart phone, Amrit Williams, CTO at vendor BigFix told SC Magazine.
That may be all well and good, but the new, faster iPhone models also portend problems for enterprise IT professionals who'll inevitably be forced to deal with them, Williams said. "What it boils down to, even though everyone is focusing on faster and cheaper, this creates a tipping point for a new era of mobile data threats and mobile malware," he said.
In addition, the iPhone lacks third-party verification that it is secure, no matter what Apple claims, Ken Dulaney, vice president and distinguished analyst at Gartner, told SC Magazine.
"For Apple to say it's secure is one thing, but to have independent people with secure products is another," he said.
Still, enterprise IT security pros probably won't have a choice whether they'll have to support the iPhone, Williams adds. In the past, IT was able to prohibit such personal devices from connecting to corporate networks, but not now, he added, because tech-savvy workers expect to use the latest in connectivity devices to get their job done.
"That opens a whole wealth of headaches to IT," he said. "Managing devices like the iPhone is not easy."
With 3G support, Apple opens the door for "malicious software to proliferate in the iPhone, just as it does on desktops and notebooks," Williams said.
The iPhone's support for GPS is also problematic, he said. Combining the iPhone's ability to receive email and GPS capabilities allows attackers "to send targeted email and adds a level of knowledge to the attacker, who knows where you're located," he said.
Dulaney said Apple's new support for WPA2 security protocol is positive. "It gives them a secure link over Wi-Fi in the enterprise," he said.
But he has some doubts about the iPhone's support for Cisco's IPsec VPN capability. "I'm not sure IT should give users unrestricted access to back-end applications via cell phone VPN -- most cell phone VPNs haven't worked that well," he said.
A better approach is to build dedicated applications that secure remote cell phone connectivity into enterprise data stores, he said.
"It's very hard to gauge how secure this product is for an enterprise application," he said. "We have some indication that just for email it's fine. But for other applications, it's still not clear how secure or not this device is."
Frankly Speaking: Theory and reality for storing personal information - Computerworld
Meanwhile, back here in reality, 155 students have actually lost their very real tax refunds because of another data breach.
They're among 1,132 graduate students at the University of California, Irvine, who participated in a university health insurance program in 2006. That program was run by United Healthcare, which admits that some students' personal data "may have been accessed without authorization."
Whoever grabbed the information apparently used it to file phony tax returns. Result: When the students tried to file their legitimate returns, the IRS told them that returns had already been filed using their Social Security numbers.
No one is talking about specifics of the data breach at United Healthcare. The IRS won't talk about its investigation or how much the crooks got away with, though it probably comes to a few hundred thousand dollars at most. The university says it's arranging emergency loans for students who need their tax refunds to pay their bills, but it isn't divulging many details either.
That's OK. We already know enough to say this:
We've got to stop using Social Security numbers as a single-factor identifier. And allowing access to Social Security numbers on anything but a need-to-know basis. And storing unencrypted personal information.
That's no longer theory. It's just reality.
Look, we all love hearing impossibly big numbers like the ones in the TransUnion settlement. Billions of dollars? Hundreds of millions of people? Those stratospheric numbers don't seem real.
Our reality comes at a smaller scale, hundreds or thousands of data records at a time. Names. Addresses. Birth dates. Social Security numbers. Credit card numbers. Bank account information. We tell ourselves that it's safe — that our employees are trustworthy, our security is good enough, our piddling collection of data too small to worry about.
But that's exactly what's being stolen, as those 1,132 students have painfully learned.
And week by week, year by year, the number of data breaches grows — and thieves grow ever more efficient at converting stolen information into stolen money.
They're getting better at this. We're not.
We know what we need to do. We need to abandon the use of Social Security numbers for customer identification and authentication — this means you too, IRS.
We need to treat Social Security numbers and other personal information like the highly valuable, easily stolen commodities they are, and make them much harder to access in our systems.
And we need to encrypt, encrypt, encrypt.
None of this is rocket science for corporate IT shops. None of it will be cheap, either. At a time when business is down and belts are being tightened yet again, it'll be a hard sell to the CEO.
But it's time to budget money for it. Not money for theoretically perfect data security — but for a realistic response to a real threat.
Because there's nothing theoretical about this: If thieves can steal 1,132 students' information and convert it into $100,000, they can do it again and again — and they will.
And that $9 billion is getting closer to reality every day.
Tier-3: Cybercrime syndicate scoops millions from South African government
The frauds, which were revealed on Tuesday by the South African Minister for Finance and Economic Development, have resulted in 32 arrests in connection with more than 80 fraud counts.
Commenting on the case - thought to be South Africa's largest reported cybercrime spree by a single gang - Geoff Sweeney, CTO with IT security vendor Tier-3, said that spyware attacks are notoriously difficult to stop in their tracks owing to their unpredictable nature.
"The evolution of malware has reached the point where the lines are blurring between viruses, trojans and what we call multi-vector IT security threats. These fraudsters appeared to be using a sophisticated combination of attacks that consisted of a physical device and a malware component, as witnessed by the fact they have been getting away with their crimes for nigh on three years," he said.
According to Sweeney, like many of the more sophisticated IT security attacks, frauds of this nature are very difficult to stop using a traditional single line of defence security strategy.
"Companies need to rethink their strategy in the light of the increasing sophistication on the part of the fraudsters. They should consider installing multiple layers of defence, including looking at behavioural analysis technology which can look for abnormal patterns of hardware change or network behavior such as those that may have been used in this attack," he said.
"Behavioural analysis is fast becoming a security technology in the ascendant, for the simple reason it acts as a safety net for all forms of IT security threats. Had the South African government and its agencies installed this form of security technology, they could have avoided the fraud from taking place," he added.
For more on the South African spyware-driven fraud:
http://tinyurl.com/5m7495
ABOUT TIER-3
Tier-3, with headquarters in Sydney, is the inventor of Behavioural Anomaly Detection (BAD) technology, which is the cornerstone of the HUNTSMAN Threat Management System. HUNTSMAN enables enterprises to scale security management while, at the same time, improving its effectiveness by offering, for the first time, insight into enterprise ICT infrastructure and real-time risk-based threat management. Tier-3's significant customer base includes government, financial institutions, major corporations, and organisations in the critical infrastructure and intelligence areas around the world. www.tier-3.com
Saturday, June 7, 2008
Security Fix - Brian Krebs on Computer and Internet Security
A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer.
The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network.
The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.
Southern Company spokeswoman Carrie Phillips said the nuclear plant's emergency systems performed as designed, and that at no time did the malfunction endanger the security or safety of the nuclear facility.
Phillips explained that company technicians were aware that there was full two-way communication between certain computers on the plant's corporate and control networks. But she said the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot of the business system computer would force a similar reset in the control system machine.
"We were investigating cyber vulnerabilities and discovered that the systems were communicating, we just had not implemented corrective action prior to the automatic [shutdown]," Phillips said. She said plant engineers have since physically removed all network connections between the affected servers.
Computer security experts say the Hatch plant incident is the latest reminder of problems that can occur when corporate computer systems at the nation's most critical networks are connected to sensitive control systems that were never designed with security in mind.
Specifically, experts worry that vulnerabilities were introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.
The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But experts say it also exposes these once-closed systems to cyber attacks.
"Part of the challenge is we have all of this infrastructure in the control systems that was put in place in the 1980s and '90s that was not designed with security in mind, and all of a sudden these systems are being connected to [Internet-facing] business networks," said Brian Ahern, president and chief executive of Industrial Defender Inc., a Foxborough, Mass.-based SCADA security company.
Joe Weiss, managing partner at Cupertino, Calif.-based Applied Control Solutions, said Hatch is not the only plant that has suffered this type of unusual event. But he said it is one of a handful of public events of this type because the Nuclear Regulatory Commission documents all unusual events, in contrast to non-nuclear facilities that do not make their unusual events public.
"Consequently, it is expected that non-nuclear facilities have experienced similar events," Weiss said. "The Hatch event illustrates the unintended consequences that could occur when business information technology systems interconnect with industrial control systems without adequate design considerations."
Weiss said unplanned, automatic shutdowns such as what happened at the Hatch plant are costly, forcing utilities to purchase power from other parts of the grid to the tune of about $1 million a day. But more importantly, Weiss said, automatic shutdowns unnecessarily challenge nuclear safety systems.
"Anytime you have to shut down, especially with an automatic shutdown, you're challenging the safety systems," he said. "What happened [at Hatch] was absolutely what the plant was designed to do, but there's always that chance that something could go wrong."
The NRC has for years had regulations in place that require that all plants be able to defend against cyber attacks. But the agency is still in the final stretch of implementing more specific cyber-security regulations that would require plants to detail their plans for defending their digital networks as a condition of maintaining their operating license, said Scott Morris, deputy director for reactor security at the NRC.
"The plants are expanding their use of digital technology to put more megawatts on the grid, and because of that these lessons are going to occur," Morris said. "But our expectation is that when these types of events happen, that [plant operators] correct the problem and share the information broadly with the rest of the industry."
Unplanned nuclear plant shutdowns used to be a fairly common event, but not anymore, Weiss said. In fact, he said, another shutdown of a U.S. nuclear plant was also precipitated by a cyber event. In August 2006, Unit 3 of the Browns Ferry nuclear plant went into a shutdown after two water recirculation pumps failed. An investigation found that the controllers for the pumps locked up due to a flood of computer data traffic on the plant's internal control system network.
Weiss said many people in charge of SCADA systems have sought to downplay the threat that hackers pose to these complex networks. But he cautioned that internal, accidental cyber incidents at control system networks can be just as deadly as a carefully planned attack from the outside.
In June 1999, a steel gas pipeline ruptured near Bellingham, Wash., killing two children and an 18-year-old, and injuring eight others. A subsequent investigation found that a computer failure just prior to the accident locked out the central control room operating the pipeline, preventing technicians from relieving pressure in the pipeline.
"To people in the IT world, cyber means 'attacks,' but what I tell people is that in our world the predominant cyber events are unintentional," he said. "The flip side of that is if it can happen unintentionally, it can probably be caused intentionally and be a whole lot worse."
News of the Hatch incident also comes as the cyber-security posture of the electric and nuclear power industry is coming under increasing scrutiny from Congress and government investigators. Last month, the Government Accountability Office issued a scathing report about cyber security weaknesses at the Tennessee Valley Authority, the nation's largest public power company and operator of three nuclear plants, including Browns Ferry.
The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. The agency also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.
Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits' | Threat Level from Wired.com
A California man has been indicted for an inventive scheme that allegedly siphoned $50,000 from online brokerage houses E-trade and Schwab.com in six months -- a few pennies at a time.
Michael Largent, 22, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account to a bank account for the first time. To verify that the account number and routing information are correct, the brokerages automatically send small "micro-deposits" of between two cents and one dollar to the account, and ask the customer to verify that they've received them.
Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts, and accumulating thousands of dollars in micro-deposits.
I know it's only May, but I think the competition for Threat Level's Caper of the Year award is over.
Largent's script allegedly used fake names, addresses and Social Security numbers for the brokerage accounts. Largent allegedly favored cartoon characters for the names, including Johnny Blaze, King of the Hill patriarch Hank Hill, and Rusty Shackelford. That last name is doubly fake -- it's the alias commonly used by the paranoid exterminator Dale Gribble on King of the Hill.
The banks involved included Capital One, Metabank, Greendot and Skylight. Largent allegedly cashed out by channeling the money into pre-paid debit cards.
A May 7 Secret Service search warrant affidavit (.pdf) says Largent tried the same thing with Google's Checkout service, accumulating $8,225.29 in eight different bank accounts at Bancorp Bank.
When the bank asked Largent about the thousands of small transfers, he told them that he'd read Google's terms of service, and that it didn't prohibit multiple e-mail addresses and accounts. "He stated he needed the money to pay off debts and stated that this was one way to earn money, by setting up multiple accounts having Google submit the two small deposits."
The Google caper is not charged in the indictment. (.pdf)
According to the government, Largent was undone by the USA Patriot Act's requirement that financial firms verify the identity of their customers. Schwab.com was notified in January that more than 5,000 online accounts had been opened with bogus information. When the Secret Service investigated, they found some 11,385 Schwab accounts were opened under the name "Speed Apex" from the same five IP addresses, all of them tracing back to Largent's internet service from AT&T.
Largent is free on bail. He's charged in federal court in Sacramento with four counts each of computer fraud, wire fraud and mail fraud. He didn't return repeated phone calls Tuesday; representatives of E-trade, Schwab.com and Google also didn't return phone calls.
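The detection the article implies but does not spell out, as an added example that is not from the Wired story nor code of E-trade, Schwab or Google: an enrolment script can vary names and SSNs freely, but it has to reuse a small set of linked bank accounts and source addresses, so the brokerage can flag those and gate the micro-deposit itself. The records, bank references and IPs below are constructed placeholders.

```python
"""Added example: spotting micro-deposit abuse on the brokerage side.

Not code from the article or from any brokerage.  Given account-opening
records (constructed below), it flags linked bank accounts and source IPs
reused across an abnormal number of new brokerage accounts, totals the
verification deposits each linked bank account has collected, and refuses
to send a further micro-deposit to a bank account that already backs too
many brokerage accounts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountOpen:
    account_id: str
    holder_name: str
    linked_bank_acct: str      # routing + account number (store hashed in practice)
    source_ip: str
    micro_deposit_cents: int   # the "two cents to one dollar" deposit sent out


# Constructed sample records: names borrow the aliases from the article,
# the bank references and IP addresses are placeholders.
SAMPLE = [
    AccountOpen("A1", "Jane Doe", "bank-001", "203.0.113.10", 37),
    AccountOpen("A2", "John Roe", "bank-002", "203.0.113.11", 12),
    AccountOpen("A3", "Johnny Blaze", "bank-777", "198.51.100.5", 44),
    AccountOpen("A4", "Hank Hill", "bank-777", "198.51.100.5", 81),
    AccountOpen("A5", "Rusty Shackelford", "bank-777", "198.51.100.5", 19),
    AccountOpen("A6", "Speed Apex", "bank-777", "198.51.100.5", 63),
    AccountOpen("A7", "Speed Apex", "bank-778", "198.51.100.5", 55),
]


def find_abuse(records, max_per_bank=2, max_per_ip=3):
    """Return (banks, ips).

    banks: linked bank account -> total micro-deposit cents it has collected,
           for bank accounts linked by more than max_per_bank brokerage accounts.
    ips:   source IP -> sorted account ids, for IPs that opened more than
           max_per_ip brokerage accounts.
    """
    by_bank = defaultdict(list)
    by_ip = defaultdict(list)
    for rec in records:
        by_bank[rec.linked_bank_acct].append(rec)
        by_ip[rec.source_ip].append(rec)

    banks = {
        bank: sum(r.micro_deposit_cents for r in recs)
        for bank, recs in by_bank.items()
        if len(recs) > max_per_bank
    }
    ips = {
        ip: sorted(r.account_id for r in recs)
        for ip, recs in by_ip.items()
        if len(recs) > max_per_ip
    }
    return banks, ips


def may_send_micro_deposit(records, new_rec, max_per_bank=2):
    """Gate the deposit itself: refuse when the linked bank account already
    backs max_per_bank or more brokerage accounts, so the scheme cannot
    accumulate deposits no matter how many fake identities are enrolled."""
    linked = sum(1 for r in records if r.linked_bank_acct == new_rec.linked_bank_acct)
    return linked < max_per_bank


if __name__ == "__main__":
    banks, ips = find_abuse(SAMPLE)
    for bank, cents in banks.items():
        print(f"bank account {bank} reused; collected {cents / 100:.2f} USD")
    for ip, ids in ips.items():
        print(f"source {ip} opened {len(ids)} accounts: {ids}")
```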
Friday, June 6, 2008
Study secretly tracks cell phone users - Wireless- msnbc.com
WASHINGTON - Researchers secretly tracked the locations of 100,000 people outside the United States through their cell phone use and concluded that most people rarely stray more than a few miles from home.
The first-of-its-kind study by Northeastern University raises privacy and ethical questions for its monitoring methods, which would be illegal in the United States.
It also yielded somewhat surprising results that reveal how little people move around in their daily lives. Nearly three-quarters of those studied mainly stayed within a 20-mile-wide circle for half a year.
The scientists would not say where the study was done, only describing the location as an industrialized nation.
Researchers used cell phone towers to track individuals' locations whenever they made or received phone calls and text messages over six months. In a second set of records, researchers took another 206 cell phones that had tracking devices in them and got records for their locations every two hours over a week's time period.
The study was based on cell phone records from a private company, whose name also was not disclosed.
Ethicists might have given the researchers an earful, suggested bioethicist Arthur Caplan at the University of Pennsylvania.
Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data | NetworkWorld.com Community
It's just another in a long line of stolen laptops ... unless you work in management at AT&T and you're worried about your social security number falling into the hands of identity thieves. Or, you're worried that your coworkers might find out how much -- or how little -- you actually earn.
While AT&T has declined to disclose the number of management employees put at risk by the May 15 theft from an employee's car, one manager who is among them tells me he knows of others located throughout every corner of AT&T's vast empire in the U.S. "I have found one individual who was not impacted," says the manager, who asked not to be named. "This is probably big, but not everyone."
"I'm very disappointed in my company," he adds. "Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."
I've asked AT&T for comment. At the end of this post is a long excerpt from a Q&A the company provided to employees, who learned of the breach via an e-mail, which reads in part:
"This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information, including employee names, Social Security numbers, and, in most cases, salary and bonus information. ... We deeply regret this incident. You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future."
Regrets were not enough to allay the anger of this manager.
"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information," he says.
Failure to encrypt and otherwise better protect such data is inexcusable at this point in time, agrees Kelly Todd, a staff member at attrition.org, a security site that maintains a database of data-breach incidents.
"Lack of encryption of personal data is generally troubling, especially when the data is being stored on any mobile device with a 'steal me' bulls-eye on it," says Todd. "According to part of the AT&T e-mail, 'It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.' Good for them, but larger companies can sometimes have tens of thousands of systems to identify, plan for, and then execute an encryption process. It seems to me that they should have been 'in the process' a year ago.
"Even more troubling is that AT&T mentions that the laptop was password protected in their letter," he adds. "It might make some people feel better, but just password protection alone is generally considered a security joke."
The AT&T manager whose data was exposed sees an even larger issue in play here.
"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."
New crypto virus a looming threat
Kaspersky Lab says the new variant of the Windows-based encryptor virus Gpcode, which hasn't been spotted for about 1 ½ years, is more of a threat than it was in the past because this time it is using strong encryption that so far has defied efforts to crack it.
Earlier versions of Gpcode — which first appeared about 3 ½ years ago — used far weaker encryption than what it has today, plus it wasn't well implemented, making it fairly easy to crack, Schouwenberg says.
Gpcode.ak is hard to detect because it attempts to self-destruct after encrypting, according to Kaspersky Lab. So far only a handful of computers with files that have been maliciously encrypted have been identified. Most evidence about it is originating in Russian-speaking countries, Europe and Africa, he says, but it may be spreading further.
So far, the primary means it uses to spread is unclear, but Kaspersky Lab believes it's a form of "social engineering" that may involve trickery to induce computer users to make use of software they shouldn't.
The text file that the criminals leave tells the victim that the file has been encrypted and offers to sell them a "decryptor." Kaspersky Lab would advise against yielding to blackmailers in any ransomware situation.
Kaspersky Lab says it is continuing, together with others in the antivirus industry, to analyze Gpcode.ak for technical weaknesses, but that users should now be extra careful when opening files and browsing the Web.
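Because Gpcode.ak removes itself after encrypting, the evidence that remains on a victim machine is the encrypted files themselves plus the ransom text file. The following is an added example, not Kaspersky Lab's detection logic and not code from the original article: a directory sweep that flags a likely mass-encryption event when a small note mentioning a "decryptor" sits among files whose contents have near-random entropy. The entropy threshold, the note markers, the list of compressed formats that are excluded as evidence and the sample directory built by `run_demo()` are all assumptions constructed for this example.

```python
import math
import os
import tempfile
from collections import Counter

# Heuristic thresholds (assumptions for this example, not anything published by Kaspersky Lab).
HIGH_ENTROPY = 7.5              # bits per byte; well-encrypted or random data approaches 8.0
SAMPLE_BYTES = 64 * 1024        # only the head of each file is examined
NOTE_MAX_BYTES = 8 * 1024       # ransom notes are small text files
NOTE_MARKERS = (b"encrypted", b"decryptor")   # both must appear, case-insensitively
# Formats that are high-entropy by design; they are excluded rather than counted as evidence.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp3", ".mp4",
                  ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path):
    """Return 'note', 'encrypted', 'opaque' (known compressed format), 'plain' or 'unreadable'."""
    ext = os.path.splitext(path)[1].lower()
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as f:
            head = f.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    if size <= NOTE_MAX_BYTES and all(m in head.lower() for m in NOTE_MARKERS):
        return "note"
    if ext in COMPRESSED_EXT:
        return "opaque"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "plain"


def scan_directory(root, min_ratio=0.5):
    """Walk `root`; report suspicious when a ransom note is present and at least
    `min_ratio` of the judgeable files (plain + encrypted) look encrypted."""
    counts = Counter()
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = classify_file(path)
            counts[kind] += 1
            if kind == "note":
                notes.append(path)
    judged = counts["encrypted"] + counts["plain"]
    ratio = counts["encrypted"] / judged if judged else 0.0
    return {"counts": dict(counts), "notes": notes, "encrypted_ratio": ratio,
            "suspicious": bool(notes) and ratio >= min_ratio}


def run_demo():
    """Build a constructed victim directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            # stand-ins for documents the Trojan encrypted (random bytes, constructed)
            with open(os.path.join(d, f"report{i}.doc.locked"), "wb") as f:
                f.write(os.urandom(16384))
        with open(os.path.join(d, "todo.txt"), "w") as f:
            f.write("buy milk, call mom, finish slides\n" * 50)     # untouched plain text
        with open(os.path.join(d, "photo.jpg"), "wb") as f:
            f.write(os.urandom(8192))       # high entropy but a compressed format: ignored
        with open(os.path.join(d, "!_README_!.txt"), "w") as f:
            f.write("Your files have been encrypted. Buy our decryptor.\n")  # constructed note
        return scan_directory(d)


if __name__ == "__main__":
    print(run_demo())
```

The exclusion list matters in practice: compressed images, archives and Office files are indistinguishable from ciphertext by entropy alone, so a detector that counts them produces constant false positives on ordinary user directories.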
Thursday, June 5, 2008
Read me first: Taking your laptop into the US? Be sure to hide all your data first | Technology | The Guardian
A US court ruled that border agents can search your laptop, or any other electronic device, when you're entering the country. They can take your computer and download its entire contents, or keep it for several days. Customs and Border Patrol has not published any rules regarding this practice, and I and others have written a letter to Congress urging it to investigate and regulate this practice.
But the US is not alone. British customs agents search laptops for pornography. And there are reports on the internet of this sort of thing happening at other borders, too. You might not like it, but it's a fact. So how do you protect yourself?
Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won't work here. The border agent is likely to start this whole process with a "please type in your password". Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.
You're going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt (truecrypt.org) is also good, and free.
While customs agents might poke around on your laptop, they're unlikely to find the encrypted partition. (You can make the icon invisible, for some added protection.) And if they download the contents of your hard drive to examine later, you won't care.
Be sure to choose a strong encryption password. Details are too complicated for a quick tip, but basically anything easy to remember is easy to guess. (My advice is at tinyurl.com/4f8z4n.) Unfortunately, this isn't a perfect solution. Your computer might have left a copy of the password on the disk somewhere, and (as I also describe at the above link) smart forensic software will find it.
So your best defence is to clean up your laptop. A customs agent can't read what you don't have. You don't need five years' worth of email and client data. You don't need your old love letters and those photos (you know the ones I'm talking about). Delete everything you don't absolutely need. And use a secure file erasure program to do it. While you're at it, delete your browser's cookies, cache and browsing history. It's nobody's business what websites you've visited. And turn your computer off - don't just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing. Some companies now give their employees forensically clean laptops for travel, and have them download any sensitive data over a virtual private network once they've entered the country. They send any work back the same way, and delete everything again before crossing the border to go home. This is a good idea if you can do it.
If you can't, consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it's easy to lose something that small. Slip it in your pocket, and it's likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office." If you've chosen a strong encryption password, you won't care if he confiscates it.
Lastly, don't forget your phone and PDA. Customs agents can search those too: emails, your phone book, your calendar. Unfortunately, there's nothing you can do here except delete things.
I know this all sounds like work, and that it's easier to just ignore everything here and hope you don't get searched. Today, the odds are in your favour. But new forensic tools are making automatic searches easier and easier, and the recent US court ruling is likely to embolden other countries. It's better to be safe than sorry.
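Two of the steps above lend themselves to a small tool: overwriting a file before deleting it, and checking whether a passphrase has been left in plaintext somewhere on disk (a hibernation or swap file is the usual place). The code below is an added example, not Schneier's or the Guardian's, and not a substitute for PGP Disk or TrueCrypt. The passphrase, the file names and the "hibernation file" it scans are constructed for the demo; the scanner checks both the UTF-8 and the UTF-16LE forms of the passphrase because Windows keeps many strings in memory as UTF-16.

```python
import os
import secrets
import tempfile

PASSPHRASE = "correct horse battery"        # constructed demo value, not a recommendation


def secure_wipe(path, passes=1):
    """Overwrite a file with random bytes, fsync, then unlink. Returns bytes overwritten.
    Caveat: journaling file systems, SSD wear levelling, snapshots and backups can keep
    old copies, which is why full-disk encryption is the real mitigation for lost laptops."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 16)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size


def _find_bytes(image_path, needle, chunk):
    """Offsets of every occurrence of `needle` in a large file, read in chunks.
    A tail of len(needle)-1 bytes is carried over so matches straddling a chunk
    boundary are still found, and no match is reported twice."""
    hits = []
    overlap = len(needle) - 1
    carry = b""
    base = 0                            # file offset where the current block starts
    with open(image_path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = carry + block
            pos = buf.find(needle)
            while pos >= 0:
                hits.append(base - len(carry) + pos)
                pos = buf.find(needle, pos + 1)
            carry = buf[-overlap:] if overlap else b""
            base += len(block)
    return hits


def find_residue(image_path, passphrase, chunk=1 << 20):
    """Scan a raw file (e.g. a copy of a hibernation or swap file) for the passphrase
    in UTF-8 and UTF-16LE. Returns a list of (encoding, offset) sorted by offset."""
    needles = {"utf-8": passphrase.encode("utf-8"),
               "utf-16-le": passphrase.encode("utf-16-le")}
    hits = []
    for name, needle in needles.items():
        hits.extend((name, off) for off in _find_bytes(image_path, needle, chunk))
    return sorted(hits, key=lambda h: h[1])


def build_demo_image(path, passphrase, size=16384):
    """Constructed stand-in for a hibernation file: random filler with the passphrase
    planted twice. Returns the planted offsets so a caller can verify the scanner."""
    data = bytearray(secrets.token_bytes(size))
    planted = {"utf-8": 4090, "utf-16-le": 10000}    # 4090 straddles a 4096-byte chunk edge
    for enc, off in planted.items():
        needle = passphrase.encode(enc)
        data[off:off + len(needle)] = needle
    with open(path, "wb") as f:
        f.write(data)
    return planted


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "hiberfil.copy")       # constructed file name
        planted = build_demo_image(img, PASSPHRASE)
        hits = find_residue(img, PASSPHRASE, chunk=4096)
        wiped = secure_wipe(img)
        return {"planted": planted, "hits": hits, "wiped_bytes": wiped,
                "still_exists": os.path.exists(img)}


if __name__ == "__main__":
    print(run_demo())
```

Run the scanner against a copy of the swap or hibernation file taken while the machine is running normally; a hit means the passphrase would survive a plain disk image, and turning the computer fully off, as the article advises, is what clears the hibernation copy.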
· Bruce Schneier is a security technologist and author: schneier.com/blog
Five free penetration-testing tools
For scanning in the first steps of a security assessment or pen test, Nmap and Nessus share the crown. Nmap is a simple, powerful and very well-reviewed scanner that one finds in the toolbox of any serious security consultant. Nmap and its Zenmap graphical interface are free and available at nmap.org for virtually any platform from Vista and OS X to AmigaOS, and will happily run on low-power systems.
Nessus performs scans and up-to-date vulnerability testing in one interface, through a purchased "feed" of vulnerability modules for the freely downloadable application. A free but delayed noncommercial "home feed" of updates will continue to be available at nessus.org after Tenable Inc. changes the Nessus license this coming July.
The Metasploit Framework provides more operating system and application exploit information than most analysts would know what to do with. Recently rewritten in Ruby with a graphical interface, it comes with several hundred common exploit modules in the basic download available at metasploit.com. For testing Web applications specifically, the well-regarded Nikto has also undergone recent updates and is available at cirt.net/nikto2.
Wireshark provides top-notch network protocol capture and analysis, and its filtering and search functions make a good noninvasive tool for beginners interested in TCP/IP. This high-quality successor to the long-running Ethereal tool is available for Windows, Linux and Mac. The "Buy" button at wireshark.org leads to a happy reminder that it's free and open source.
KisMAC's simple interface belies its powerful wireless assessment and penetration testing features. This OS X application is available at trac.kismac-ng.org, where one can also find an active support community. Kismet, its more powerful but less friendly progenitor, is available at kismetwireless.net for Linux and Windows. There are active communities and numerous add-ons for each.
For more information, Fyodor, the author of Nmap, maintains a somewhat dated but good list at sectools.org of the top hundred open-source and low-cost security tools other than Nmap.
Hong Kong, China Web domains cited as "most dangerous" - Network World
"We looked at the major categories, including exploits by drive-by downloads, spam, and downloads that come with malware such as viruses," says McAfee analyst Shane Keats about the security company's new report, titled "Mapping the Mal Web Revisited." He describes the report as a bit like a "Lonely Planet" travel guide for the Web, adding, "Danger on the Web is very fluid."
The report, based on the Web-crawling and analysis technologies that power McAfee's SiteAdvisor tool for safe Web surfing, looked at 9.9 million heavily trafficked Web sites in 265 countries ending in country domain codes, such as .br for Brazil. McAfee also analyzed the malware consequences of visiting the more generic top-level domains, such as .com and .org. While McAfee doesn't claim to have crawled over the entire Web, it believes it viewed 95% of Web traffic in the top 74 countries where the Web is used the most.
While the "Information" (.info) domain name is judged by McAfee to be the most dangerous among the generic ones with 11.7% risky sites, it's Hong Kong and China that stand out in this year's study as dangerous on the country level.
As to why the situation in Hong Kong worsened over the past year, McAfee pointed to statements provided by Bonnie Chun, an official with the Hong Kong Domain Name Registration Company, about decisions that might have inadvertently encouraged scammers.
Among the statements attributed to Chun were making the Hong Kong online registration process "more user-friendly" by allowing registration of several domains at one time as well as "buy-one, get-two domains." As a consequence, "phishers usually registered eight or more domains at one time." Hong Kong last year began to tighten policies to rectify the situation. China may have soared to the top spot because the country is among the most inexpensive places to register, with the wholesale price for .cn "now being about 15 cents," according to the McAfee report.
McAfee also ranked what it considers the top five "least-risky" top-level domains as Slovenia (.sl), Norway (.no), Japan (.jp), Governmental (.gov) and Finland (.fl). Each of these was said to have 0.2% or fewer domains rated as risky.
10 Ways Your Employees Pose a Security Risk for Your Organization
Employees can pose security threats to your enterprise IT infrastructure through mobile devices such as smart phones and laptops, as well as the various networks and applications with which their unsecured devices are liable to interact. Enterprise IT administrators, network administrators, and enterprise security workers and consultants should be aware of these security risks.
Schneier on Security
The War on Photography
What is it with photographers these days?
Are they really all terrorists, or does everyone just think they are?
Since 9/11, there has been an increasing war on photography. Photographers have been harassed, questioned, detained, arrested or worse, and declared to be unwelcome. We've been repeatedly told to watch out for photographers, especially suspicious ones. Clearly any terrorist is going to first photograph his target, so vigilance is required.
Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography.
Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets? Why are our fears so great that we have no choice but to be suspicious of any photographer?
Because it's a movie-plot threat.
A movie-plot threat is a specific threat, vivid in our minds like the plot of a movie. You remember them from the months after the 9/11 attacks: anthrax spread from crop dusters, a contaminated milk supply, terrorist scuba divers armed with almanacs. Our imaginations run wild with detailed and specific threats, from the news, and from actual movies and television shows. These movie plots resonate in our minds and in the minds of others we talk to. And many of us get scared.
Terrorists taking pictures is a quintessential detail in any good movie. Of course it makes sense that terrorists will take pictures of their targets. They have to do reconnaissance, don't they? We need 45 minutes of television action before the actual terrorist attack -- 90 minutes if it's a movie -- and a photography scene is just perfect. It's our movie-plot terrorists that are photographers, even if the real-world ones are not.
The problem with movie-plot security is it only works if we guess the plot correctly. If we spend a zillion dollars defending Wimbledon and terrorists blow up a different sporting event, that's money wasted. If we post guards all over the Underground and terrorists bomb a crowded shopping area, that's also a waste. If we teach everyone to be alert for photographers, and terrorists don't take photographs, we've wasted money and effort, and taught people to fear something they shouldn't.
And even if terrorists did photograph their targets, the math doesn't make sense. Billions of photographs are taken by honest people every year, 50 billion by amateurs alone in the US. And the national monuments you imagine terrorists taking photographs of are the same ones tourists like to take pictures of. If you see someone taking one of those photographs, the odds are infinitesimal that he's a terrorist.
Of course, it's far easier to explain the problem than it is to fix it. Because we're a species of storytellers, we find movie-plot threats uniquely compelling. A single vivid scenario will do more to convince people that photographers might be terrorists than all the data I can muster to demonstrate that they're not.
Fear aside, there aren't many legal restrictions on what you can photograph from a public place that's already in public view. If you're harassed, it's almost certainly a law enforcement official, public or private, acting way beyond his authority. There's nothing in any post-9/11 law that restricts your right to photograph.
This is worth fighting. Search "photographer rights" on Google and download one of the several wallet documents that can help you if you get harassed; I found one for the UK, US, and Australia. Don't cede your right to photograph in public. Don't propagate the terrorist photographer story. Remind them that prohibiting photography was something we used to ridicule about the USSR. Eventually sanity will be restored, but it may take a while.