Friday, July 31, 2009

Apple fixes iPhone SMS flaw

If you own an iPhone you may want to connect your phone to your computer and click “check for updates”. Recently, a flaw related to SMS revealed that a hacker could take control of someone’s iPhone, make calls, send texts, and more. Friendly Computers read about this and we think you will find this useful:

Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.

"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.

Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.

Miller said that Apple was first notified of the flaw six weeks ago.

According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.

The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.

Source: http://news.cnet.com/8301-1009_3-10301001-83.html?tag=mncol;title

Thursday, July 30, 2009

Clampi Trojan stealing online bank data from consumers and businesses

Friendly Computers recently learned of a scary Trojan that has been circulating around the web for a few years. This Trojan, known as Clampi, can steal bank info and is already responsible for the loss of many large sums of money. Read more about it below…

LAS VEGAS--Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi" that has been stealing banking and other log-in credentials from compromised PCs since 2007, a security researcher said on the eve of the Black Hat security conference.

Clampi, also known as Ligats, Ilomo, or Rscan, infects computers in drive-by downloads when people visit Web sites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX, said Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks.

When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen.

Clampi has spread quickly through Microsoft-based networks in a worm-like fashion in recent months, Stewart said. It uses domain administrator credentials that were either stolen by the Trojan or captured when an administrator logged into an infected system. It then uses the Windows Sysinternals tool PsExec to copy itself to all the computers on the domain, he said.
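Detection logic for the spread step just described, as an added example (not from the article or SecureWorks; the article names no Windows event IDs). Sysinternals PsExec installs a service named PSEXESVC on each target, which the Service Control Manager records as System event 7045, "A service was installed in the system", so one domain account installing that service on many hosts inside a short window is the signature of the copy-to-every-machine behaviour Stewart describes. The event tuples, host names and account names below are constructed, and psexec_installs and fan_out are names chosen here.

```python
"""Spot PsExec fan-out from Windows System log events.

Added example, not SecureWorks' code. Assumes events exported as
(timestamp, host, event_id, account, message) tuples; the sample
events are constructed, single-line approximations of 7045 entries.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PsExec's remote service is called PSEXESVC; 7045 logs it at install time
PSEXEC_INSTALL = re.compile(r"Service Name:\s*PSEXESVC\b", re.IGNORECASE)

MSG = ("A service was installed in the system. Service Name: PSEXESVC "
       "Service File Name: %SystemRoot%\\PSEXESVC.exe")

SAMPLE_EVENTS = [  # constructed sample data
    ("2009-07-28T09:12:03", "WS-104", 7045, "CORP\\admin", MSG),
    ("2009-07-28T09:13:41", "WS-117", 7045, "CORP\\admin", MSG),
    ("2009-07-28T09:14:10", "WS-117", 7036, "CORP\\admin",
     "The PSEXESVC service entered the running state."),   # not an install
    ("2009-07-28T09:15:22", "WS-121", 7045, "CORP\\admin", MSG),
    ("2009-07-28T09:18:57", "FS-02", 7045, "CORP\\admin", MSG),
    ("2009-07-28T10:02:11", "WS-088", 7045, "CORP\\helpdesk", MSG),  # one host only
    ("2009-07-28T10:30:00", "WS-104", 7045, "NT AUTHORITY\\SYSTEM",
     "A service was installed in the system. Service Name: Spooler "
     "Service File Name: %SystemRoot%\\System32\\spoolsv.exe"),      # other service
]


def psexec_installs(events):
    """(time, host, account) for every 7045 event that installed PSEXESVC."""
    hits = []
    for ts, host, event_id, account, message in events:
        if event_id == 7045 and PSEXEC_INSTALL.search(message):
            hits.append((datetime.fromisoformat(ts), host, account))
    return hits


def fan_out(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that pushed PSEXESVC to at least min_hosts distinct hosts
    inside one sliding window; returns {account: sorted hosts}."""
    by_account = defaultdict(list)
    for ts, host, account in psexec_installs(events):
        by_account[account].append((ts, host))
    alerts = {}
    for account, installs in by_account.items():
        installs.sort()  # chronological, so installs[i:] are at or after start
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in fan_out(SAMPLE_EVENTS).items():
        print(f"{account}: PSEXESVC installed on {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

To run it against a real network, build the same tuples from each host's System log (or a SIEM query for ID 7045). Two caveats: later PsExec builds and many PsExec clones let the operator choose the remote service name, so also match on the service file name and on the same account's type-3 logons (event 4624) across hosts; and an administrator legitimately pushing a tool to the fleet trips the same rule, which is why the alert reports the account rather than only the hosts.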

Clampi also serves as a proxy server for criminals to anonymize their activity when logging into stolen accounts.

Stewart has identified 1,400 Web sites in 70 different countries out of 4,500 sites being targeted by the Trojan attack. The sites include banks, credit card companies, online casinos, retail sites, utilities, ad networks, stock brokerages, mortgage lenders, and government and military portals.

Based on the techniques they are using, Stewart said criminals in Eastern Europe are believed to be behind Clampi.

Because it can take days or weeks to get a sample of the latest version of the Trojan, antivirus protection is often delayed, arriving after a PC is already infected, according to Stewart.

"This type of Trojan, banking Trojans in general, are the biggest threat to home computer users and businesses doing banking online," he said. "You can't rely on antivirus. At some point you are going to visit the wrong site and they'll get a Trojan on your computer."

The Trojan uses three types of encryption and sophisticated virtual machine-based packing technology to disguise itself in order to get through antivirus filters, according to Stewart.

SecureWorks' intrusion prevention software doesn't stop computers from getting infected, but it prevents the stealing of the data by blocking the encrypted traffic that it deems suspicious, he said.

Stewart recommends that consumer and business Web surfers use a dedicated computer for their banking and other sensitive financial online activities that is separate from the computer where e-mail is accessed and Web surfing is done. People should also be careful using removable drives on those isolated computers as Trojans can spread that way.

By now, the criminals "probably have way more accounts than they can actually clean out," Stewart said.

Even so, the losses from Clampi are starting to be publicized. The Trojan was behind the theft of nearly $75,000 from Slack Auto Parts in Gainesville, Ga., according to the Security Fix blog at The Washington Post.

Source: http://news.cnet.com/8301-27080_3-10298233-245.html

Monday, July 27, 2009

Microsoft to fix critical hole in IE

Although Microsoft usually only releases security updates once a month, it has stated that it will be releasing an out-of-cycle patch tomorrow to fix a vulnerability in Internet Explorer and Visual Studio. Friendly Computers has more information below…

In a rare move, Microsoft on Friday said it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

The two security bulletins will address one overall issue and are being released separately "to provide the broadest protections possible to customers," Microsoft said in a statement.

The vulnerabilities affect Windows 2000, Windows XP, Vista, Windows Server 2003 and 2008, Internet Explorer 6, 7 and 8, Microsoft Visual Studio .NET 2003, Visual Studio 2005 and 2008 and Visual C++ 2005 and 2008, according to the security bulletin advance notification.

"While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," the statement said. "The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin."

"The Internet Explorer update will also address vulnerabilities rated as critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported," Microsoft said.

Customers who are current with their security updates are protected from known attacks related to the updates, the company said. The updates will be released through the Microsoft Update, Windows Update, and Windows Server Update services.

A Webcast to address customer questions is scheduled for Tuesday from 1 p.m. PDT to 2 p.m. at this site.

Microsoft typically releases security patches on a monthly basis, the second Tuesday of every month, and did not say why it is making this rare, out-of-cycle release.

Source: http://news.cnet.com/8301-27080_3-10295592-245.html

Thursday, July 23, 2009

Adobe to fix critical Flash hole next week

Friendly Computers learned that Adobe will finally patch a security hole that has been around since last year. Read more below…

Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.

The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.

The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.

An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by July 30, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by July 31.

An attacker can exploit the vulnerability by luring someone to a Web site hosting a specially crafted Shockwave Flash file, US-CERT said in an advisory Thursday.

"The Adobe Flash browser plug-in is available for multiple Web browsers and operating systems, any of which could be affected," CERT said. "An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."

The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, CERT said.

To disable Flash, US-CERT recommends:

• Disabling Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disabling Flash Player or selectively enabling Flash content as described in the "Securing Your Web Browser" document.

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF (Shockwave Flash) content," the Adobe advisory said.

Typically, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll, Adobe said.

Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Account Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar Web sites.

Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The bug used in the exploit has been around since December 2008.

Source: http://news.cnet.com/8301-27080_3-10294212-245.html?tag=mncol;title

Tuesday, July 21, 2009

How do I know if my computer has a virus?

As usual, Friendly Computers reminds you to regularly update your antivirus and operating system software to avoid getting viruses and other malware. In addition, we found a great article outlining the signs to look for to determine if your computer is infected with a virus. Read more below…

Do you think you may have a virus? The following are some signs that your computer may be infected:

  1. Your anti-virus software won't come up when you try to start it.
  2. You get a lot of returned e-mails that you did not send. NOTE: this might also be spoofing, meaning someone else is infected and is giving out your address.
  3. You get e-mails back letting you know you have a virus. This could also be spoofing. If there are attachments, do not click on them or open them. Delete the messages immediately.
  4. Your computer is unusually slow, or exhibiting strange behavior. Spyware will also commonly cause these symptoms.

If your computer does have a virus and you do not have anti-virus software, you should purchase some and install it on your computer. You can find it at most retail outlets and all computer stores. In the meantime, you can immediately do a free virus scan by simply typing "free virus scan" into your favorite search engine. You can also obtain the software online from vendors such as AVG (Free edition), Norton AntiVirus and McAfee. Check with your ISP, as they may offer free virus/security protection. Comcast, for instance, offers McAfee for free to all of its customers.

  5. If you have anti-virus software, make sure it is updated regularly. In fact, most programs have an option to perform automatic updates.
  6. The best way to keep a virus from spreading through your computer and to remove it is to boot the computer into safe mode, by hitting the boot menu key at startup (usually F8).
  7. If you cannot get it removed, send or take the computer in to a repair shop and have them clean it out.

Source: http://www.examiner.com/x-5426-Internet-and-Technology-Examiner~y2009m7d19-Gadgets-101-How-do-I-know-if-my-computer-has-a-virus

Monday, July 20, 2009

'Harry Potter' Computer Virus Plagues Would-Be Downloaders

The latest Harry Potter movie is not only attracting raging fans – it’s also enticing hackers and cybercriminals. The latest virus plaguing internet users claims to be a video player needed to watch the movie online. In actuality, it is malware that scans your computer for credit card and bank information. Friendly Computers found more information about the virus, which you can read below…

Harry Potter's latest cinematic adventure is already breaking box-office records, as the boy wizard encounters murder, betrayal and heartbreak at a theater near you. But a very different danger is plaguing his fans in cyberspace — where hackers are using the blockbuster to cast a spell on computers worldwide.

"It's definitely the most targeted film that we've seen," explained Michael Greene, VP of Product Strategy at PC Tools, whose virus fighters have been hard at work battling "Harry Potter hackers" over the last few weeks. "This is pretty scary stuff."

Here's how it works: These days, millions of people are searching the Web for info on "Harry Potter and the Half-Blood Prince," which is certain to become the #1 film in the country. Knowing this, cybercriminals are using search optimization tactics to target popular sites like Digg.com with headlines like "Watch 'Harry Potter and the Half-Blood Prince' online free!" and comment posts filled with related keywords to attract Google. Seeing professional-looking images from the film, Potter fans are convinced that the movie is one click away — but as they keep clicking, a virus is being installed on their computers.

"A couple of weeks ago I started to notice it; there was a Digg post about viewing the new 'Harry Potter' movie in advance," Greene explained. "It tells you to download a video player — which is actually pretty common — if you watch a Flash movie or don't have the right software. But in this case, you're not getting a Flash plug-in or anything like that — what you're getting is the malware of the day.

"At that point, your computer has been infected," he added. "And even worse, you don't get to see the 'Harry Potter' movie."

The reason it's particularly scary is that these virus downloads are brazenly creeping onto legitimate Web sites — and teasing a largely youth-oriented fanbase with the forbidden fruit of a free, legal download. "In the old days, people would go to gambling sites or pornography sites and get infected — the dark underbelly of the Internet," Greene said of the new hackers. "Viruses and malware would just trash your computer, and you might lose some data. Nowadays, it's a lot worse than that."

The Potter virus is categorized as crimeware, which searches your computer for credit card or bank information, Greene said. "[The hackers] will collect credit card details, social security numbers. Then they'll turn around and sell that to another group, a 'carding operation' they call it, and these guys will buy blank credit cards from a third group; they'll put them together, print out the credit cards and then sell physical credit cards with your numbers on the street."

The lesson, Greene explained, is a basic one: If you want to see "Half-Blood Prince," pay 10 bucks and get yourself to a movie theater. And if you're one of the many who've already attempted to download something too good to be true — get yourself a good antivirus program and begin cleaning up your computer, immediately.

"As long as there is money to be made, havoc to be created, there will be Voldemorts out there," Greene joked, comparing the Harry Potter hackers to the boy wizard's evil nemesis. "To keep Hogwarts running, we have to train the magicians to keep themselves safe."

Source: http://www.mtv.com/movies/news/articles/1616331/story.jhtml

Friday, July 17, 2009

Mozilla closes security hole with Firefox 3.5.1

Mozilla has released a new version of Firefox, which patches the security flaw that was found recently and also improves on some other aspects of the browser. Friendly Computers has more information below…

Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.

"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.

Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.

The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google had become incompatible again.

Source: http://news.cnet.com/8301-1009_3-10289205-83.html

Wednesday, July 15, 2009

Critical JavaScript vulnerability in Firefox 3.5

Friendly Computers recently learned of a major security flaw in Firefox 3.5. While there is not yet a fix for it, there are a few workarounds to avoid the problem until Mozilla releases a patch. Read more below…

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
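The same change applied to a profile file rather than through the about:config editor, as an added example (not Mozilla's code) for anyone who has to push the workaround, and later the revert, to many machines. It assumes the ordinary user_pref("name", value); line format of prefs.js and user.js, that Firefox is closed while prefs.js is edited (Firefox rewrites prefs.js on exit, whereas user.js is read at startup and overrides it), and a constructed SAMPLE_PREFS file; JIT_PREF, get_pref, set_pref, disable_jit and restore_jit are names chosen here.

```python
"""Apply or revert the javascript.options.jit.content workaround in a
Firefox profile's prefs.js or user.js.

Added example, not Mozilla's code. Assumes one user_pref(...) per line;
SAMPLE_PREFS is a constructed file used for the offline demonstration.
"""
import re

JIT_PREF = "javascript.options.jit.content"

# One prefs.js line: user_pref("name", literal);  (spaces/tabs only, so
# surrounding newlines never get swallowed into a match and dropped)
PREF_LINE = re.compile(r'^[ \t]*user_pref\("([^"]+)",[ \t]*(.+?)\);[ \t]*$',
                       re.MULTILINE)

SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("javascript.options.jit.content", true);
user_pref("network.cookie.cookieBehavior", 1);
"""


def _render(value):
    """Python value -> prefs.js literal (bool is tested before int on purpose,
    because bool is a subclass of int)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _parse(literal):
    """prefs.js literal -> Python value."""
    literal = literal.strip()
    if literal in ("true", "false"):
        return literal == "true"
    if literal.startswith('"') and literal.endswith('"'):
        return literal[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(literal)


def get_pref(text, name):
    """Current value of a pref, or None if the file does not set it."""
    for m in PREF_LINE.finditer(text):
        if m.group(1) == name:
            return _parse(m.group(2))
    return None


def set_pref(text, name, value):
    """Return text with the pref set to value: the existing line is replaced
    in place, otherwise a line is appended. Idempotent."""
    line = f'user_pref("{name}", {_render(value)});'
    hit = False

    def repl(m):
        nonlocal hit
        if m.group(1) != name:
            return m.group(0)
        hit = True
        return line

    out = PREF_LINE.sub(repl, text)
    if not hit:
        if out and not out.endswith("\n"):
            out += "\n"
        out += line + "\n"
    return out


def disable_jit(text):
    """The workaround: equivalent to toggling the pref to false in about:config."""
    return set_pref(text, JIT_PREF, False)


def restore_jit(text):
    """The revert, once the fixed Firefox build is installed."""
    return set_pref(text, JIT_PREF, True)


if __name__ == "__main__":
    import sys
    path = sys.argv[1]  # e.g. the profile's user.js
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(disable_jit(original))
```

Writing to user.js rather than prefs.js is the safer choice: Firefox only reads user.js, so the setting survives restarts and cannot be clobbered by a concurrent profile write, and deleting the line from user.js (or running restore_jit) is the whole revert.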

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Source: http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

Tuesday, July 14, 2009

Cisco report: text message scams on the rise

Friendly Computers always recommends being very cautious when replying to email or website that you are not positive came from legitimate companies that you do business with. We also wanted to warn you about new text messaging scams which will also try to get you to provide personal information. Read below to learn about text messaging scams:

Cyber scammers are banking on the notion that many people who may not fall for a phishing scam via e-mail may still be easy targets through their mobile phone, according to security report Cisco released on Tuesday.

Text message scams are on the rise, particularly fake messages that appear to come from a legitimate bank, said the report, which covers a wide variety of cyber crime topics.

In many of the scams, the SMS messages direct the recipient to call a telephone number where an automated message prompts the caller to provide a login ID or account number and PIN. Other messages provide a URL that leads to a phishing site that looks like a legitimate site.

Specific scams have targeted cell phone users in Fargo, North Dakota and First Community Credit Union, Buffalo Metropolitan Federal Credit Union in New York and BCT Federal Credit Union customers in New York and Pennsylvania, the report said.

"People are giving up information through the voice channel in a way they never would do through e-mail or the Web," said Patrick Peterson, Cisco chief security researcher.

Meanwhile, cyber criminals are continuing to get more sophisticated and borrowing from real-world business models. For instance, researchers have come across a service called VirTest that will test malware and viruses against products from the major anti-virus vendors for a fee, Peterson said.


Source: http://news.cnet.com/security/?tag=hdr;snav

Friday, July 10, 2009

Botnet worm in DoS attacks could wipe data out on infected PCs

Friendly Computers found some alarming info about the botnet attack coming from South Korea. Read more below…

The denial of service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.

There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.

There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.

The attacks started over the July 4 weekend, launching distributed DoS attacks that led to outages at more than two dozen government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service and The Washington Post.

One of the files dropped on infected PCs is programmed to wipe out files on the PC, including a master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.

Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.

Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other anti-virus vendors have reported.

A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to email addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.

The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DoS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.

"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.

South Korean officials told reporters on Friday that the DoS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan and Guatemala, but not North Korea, according to an Associated Press report.

source: http://news.cnet.com/8301-1009_3-10284281-83.html

Thursday, July 9, 2009

Shortened URLs spike in e-mail spam


Short URLs like the ones used on Twitter are starting to become more common in spam messages. One reason may be that they can mask the actual web address. Friendly Computers thinks this information may be useful to you:


In yet another piece of anecdotal evidence of the increasing threat from shortened URLs, e-mail security provider MessageLabs said on Tuesday it saw a dramatic spike in the number of spam e-mails that include truncated Web addresses.

Shortened URLs, which allow spammers to hide the real Web address from Web surfers and are commonly used on social media sites like Twitter where message character length is restricted, began a sharp rise last week and now appear in more than 2 percent of all spam caught in the company's spam trap, according to MessageLabs.

"Usually when we see a spike of this nature it tends to indicate that a spammer has found some method of automating the creation of these short URLs," said Matt Sergeant, a senior antispam technologist at MessageLabs.

The many URL shortening services make it more convenient to post long URLs on sites like Twitter, but they also make it easy for attackers to lead Web surfers to sites hosting malware.

A major spam botnet called Donbot has aggressively moved to using this technique, Sergeant said. Donbot appears to be primarily focused on displaying advertisements, but could be linking to sites that drop malware onto visitors' computers too, he said.

Spam-filtering software can block spam from getting into inboxes and programs like Long URL Please and shortText make it easy to see what the real URL is.
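How a resolver like the ones just mentioned sees through a shortened link, as an added example (not MessageLabs' code nor Long URL Please): it follows redirects one hop at a time, reading only the Location header, with a hop limit and loop check so a hostile chain cannot spin the resolver, and then flags every shortener link in a message body so a filter can judge the landing site rather than the shortener's reputation. The SHORTENERS set is illustrative, FAKE_REDIRECTS is a constructed redirect table standing in for the network so the sample runs offline, SAMPLE_SPAM is a constructed message, and live_location is the network-backed equivalent for real use.

```python
"""Expand shortened URLs hop by hop and flag them in a spam message.

Added example, not MessageLabs' code. FAKE_REDIRECTS and SAMPLE_SPAM are
constructed so the demonstration runs offline; live_location does the
same job over the network.
"""
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "tr.im", "ow.ly"}  # illustrative

# Constructed: short URL -> Location header the service would answer with
FAKE_REDIRECTS = {
    "http://bit.ly/2aBcD": "http://tinyurl.com/xyz12",       # shortener chained
    "http://tinyurl.com/xyz12": "http://pharma-offers.example/buy",
    "http://is.gd/loop1": "http://is.gd/loop2",               # redirect loop
    "http://is.gd/loop2": "http://is.gd/loop1",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_SPAM = """Subject: Huge savings this week only!
Click here: http://bit.ly/2aBcD and see our full catalogue at
http://pharma-offers.example/catalog. Limited time!"""


def fake_location(url):
    """Offline stand-in for a HEAD request: next hop, or None if final."""
    return FAKE_REDIRECTS.get(url)


def live_location(url, timeout=5):
    """HEAD request that reads the Location header without following it
    (network access; not used by the offline sample)."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status, loc = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if 300 <= status < 400 and loc:
        return urljoin(url, loc)  # Location may be relative
    return None


def is_shortener(url):
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENERS


def expand_url(url, location=fake_location, max_hops=5):
    """Follow redirects manually. Returns (final_url, chain, status) with
    status 'resolved', 'loop' or 'too-many-hops'."""
    chain = [url]
    for _ in range(max_hops):
        nxt = location(chain[-1])
        if nxt is None:
            return chain[-1], chain, "resolved"
        if nxt in chain:
            return nxt, chain, "loop"
        chain.append(nxt)
    return chain[-1], chain, "too-many-hops"


def score_message(body, location=fake_location):
    """Every shortened link in a message body, expanded to its landing URL."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # trailing sentence punctuation
        if not is_shortener(url):
            continue
        final, chain, status = expand_url(url, location)
        findings.append({"url": url, "final_url": final,
                         "hops": len(chain) - 1, "status": status})
    return findings


if __name__ == "__main__":
    for finding in score_message(SAMPLE_SPAM):
        print(finding)
```

Reading only the Location header matters: fetching the body of an untrusted final URL from the mail gateway is exactly the drive-by visit the shortener was hiding, so the resolver should hand the landing host to a reputation check rather than render it.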


Source: http://news.cnet.com/security/?tag=hdr;snav

Wednesday, July 8, 2009

Cyber attackers target South Korea and US


Friendly Computers found out that North Korean hackers may be responsible for the web attacks in the US as well as in South Korea. The United States was able to deflect cyber attacks on the White House, Pentagon, & NY Stock Exchange. See the details below:

North Korean hackers are suspected of launching a cyber-attack on some of the most important government offices in the US and South Korea in recent days, including the White House, the Pentagon, the New York Stock Exchange and the presidential Blue House in Seoul.

The attack took out some of South Korea's most important websites, including those of the Blue House, the defense ministry, the national assembly, Shinhan bank, Korea Exchange bank and the top internet portal Naver.

Ahn Jeong-eun, a spokeswoman for Korea Information Security Agency, said the websites of 11 organizations had either gone down or had access problems.

The Associated Press reported that the White House, Pentagon and New York Stock Exchange were also targeted, but apparently deflected the electronic barrage. South Korea's Yonhap news agency said military intelligence officers were looking into the possibility that the attack may have been carried out by North Korean hackers and pro-North Korea forces in the South.

It resembles an attack that began last Saturday on government websites in the US, including some that are responsible for fighting cyber-crime.

John Bumgarner, director of research at the US Cyber Consequences Unit, said: "There's been a lot of chatter recently about cyber-war. The North Koreans may have felt they were not getting enough attention launching missiles so they moved into another potential warfare – cyber. It's a form of sabre rattling. But the big question is, did the North Koreans launch it themselves or did someone do it for them?"

Yang Moo-jin, a professor at Seoul's University of North Korean Studies, said he doubted whether the North had the capability to knock down the websites.

But Hong Hyun-ik, an analyst at the Sejong Institute thinktank, said the attack could have been carried out by either North Korea or China, saying he "heard North Korea has been working hard to hack into" South Korean networks.

South Korea's National Intelligence Service told a group of politicians today that it believes that North Korea or its sympathizers were behind the attacks, a source at the meeting told Associated Press.

The agency refused to comment, but it confirmed it was working with US authorities to investigate the attack. It said it believed the attack was thoroughly prepared and committed "at the level of a certain organization or state".

The attacks appeared to be linked to problems on the US sites, although investigators were still unsure who was behind them, Ahn said.

In the US, the treasury department, secret service, Federal Trade Commission and transport department websites were all down at varying points over the 4 July holiday weekend. Some of the sites were still experiencing problems last night.

The website of the Washington Post was also affected. Its computer security writer Brian Krebs blamed "malicious software" that ordered infected PCs to repeatedly visit targeted websites. A large proportion of the PCs involved were located in South Korea, he reported.

An initial investigation in South Korea found that many personal computers were infected with a virus ordering them to visit official websites in South Korea and the US at the same time, the Korean information agency official Shin Hwa-su said.

The US homeland security department confirmed that officials had received reports of "malicious web activity" and said they were investigating. Two government officials confirmed that the treasury and secret service sites had been brought down, and said the agencies were working with their internet service provider to resolve the problem.

Ben Rushlo, director of internet technologies at the website monitoring company Keynote Systems, called it a "massive outage".

Denial of service attacks against websites are not uncommon, and are usually caused when sites are deluged with internet traffic to take them offline. Documenting cyber-attacks against government sites is difficult, and depends heavily on how agencies characterize an incident and how successful or damaging it is.

Source: http://www.guardian.co.uk/world/2009/jul/08/south-korea-cyber-attack

Tuesday, July 7, 2009

Report: Social Security numbers can be predicted


Friendly Computers read about the risk of someone predicting your Social Security number based on publicly available information. It is shocking to see how often the researchers were able to do so. See the story below:

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistical inference to predict the sensitive data exposes Social Security numbers to identity fraud risks on "mass scales," the article said.

Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.

On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

"Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available," the article says.

The report goes on to give an example of how someone could get the entire Social Security number by renting a botnet to apply for credit cards impersonating 18-year-old West Virginia-born residents. Following numerous assumptions, including that the attacker can find birth data for 50 percent of the potential targets and that inquiries with the correct first seven of nine digits are sufficient for a credit reporting agency to answer a positive match in half of the cases, an attacker could potentially harvest credentials at rates as high as 47 per minute, obtaining 4,000 credentials within two hours before the IP addresses used in the botnet were blacklisted, the article said.


Source: http://news.cnet.com/security/?tag=hdr;snav

Monday, July 6, 2009

Microsoft warns of hole in Video ActiveX control

Friendly Computers recently learned of a hole in Microsoft’s ActiveX control that could result in someone taking control of your computer. Read the article below for more information…

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.
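The workaround the article refers to is Microsoft's usual mechanism for keeping an ActiveX control out of Internet Explorer, the "kill bit": a `Compatibility Flags` value of 0x400 under the control's CLSID in the `ActiveX Compatibility` registry key. The script below is an added example for administrators who want to audit whether that workaround is in place on a machine (or apply it without the "Fix It" package); it is not code from the article, from Microsoft, or from the advisory. The CLSIDs in it are placeholders: substitute the ones listed in advisory 972890.

```powershell
# Added example: audit or set the Internet Explorer "kill bit" for ActiveX controls.
# The kill bit is a real mechanism (Compatibility Flags = 0x400 under the
# ActiveX Compatibility key); the CLSIDs below are PLACEHOLDERS, not the
# control's real identifiers. Replace them with the CLSIDs from the advisory.

$KillBitFlag = 0x400   # flag that tells IE not to instantiate the control

# Placeholder CLSIDs (assumption for illustration only).
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Get-ActiveXCompatPath {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key.
    param([string]$Clsid, [switch]$Wow6432)
    if ($Wow6432) {
        return "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    # Returns $true only if the key exists and the 0x400 bit is set.
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-ActiveXCompatPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    # Must be run from an elevated prompt.
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-ActiveXCompatPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Type DWord `
        -Value ($existing -bor $KillBitFlag)
}

# Audit pass: report which controls IE would still load.
foreach ($clsid in $ClsidsToCheck) {
    $native = Test-KillBit -Clsid $clsid
    $wow    = Test-KillBit -Clsid $clsid -Wow6432
    Write-Output ("{0}  kill bit (native): {1}  kill bit (Wow6432Node): {2}" -f $clsid, $native, $wow)
}

# To apply the workaround, run elevated:
# foreach ($clsid in $ClsidsToCheck) { Set-KillBit -Clsid $clsid; Set-KillBit -Clsid $clsid -Wow6432 }
```

Checking both the native key and the Wow6432Node copy matters on 64-bit systems, where the 32-bit browser consults the latter; a kill bit set in only one place leaves the other bitness of IE unprotected. OR-ing the flag in rather than overwriting the value keeps any other compatibility flags Microsoft or a vendor has already placed on the control.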

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Source: http://news.cnet.com/security/?tag=hdr;snav

Wednesday, July 1, 2009

Look Ma, I created a botnet!


Not too familiar with "botnets" or "Trojans"? Friendly Computers thinks this article might help you get a better concept of them and some of the things they can do to your computer:

The abstract concepts of "botnet" and "Trojan" just became a lot more concrete for me.

In less than an hour on Thursday, I was able to use programs readily available on the Internet underground for as little as $300 to infect several Windows clients and take complete control of them in a test environment.

In contrast to the real world, the McAfee Malware Experience event, which was akin to a Malware 101 class (or, in my case, Malware for Dummies), served up printed step-by-step instructions for us nonhacker journalists. But McAfee researchers said the programs used--real samples of malicious code from the wild--were not particularly sophisticated and any script kiddie could manage them easily.

First, I used a tool to infect a PC with a Sub Seven Trojan. With a few clicks it was on the client and I had remote access to everything on that machine via a so-called "back door." A management console provided an easy-to-use interface, including drop-down menus with names like "Fun Manager."

Feeling mischievous, I used the "flip screen" feature so that everything on the victim's PC was upside down, and I changed the colors for the desktop and background to Hello Kitty hues of pink and orange. If I wanted to be nastier I could have directed the victim's browser to a URL of my choosing, turned on the client's Web cam, taken control of a chat session, printed out obscenities on the networked printer, or hidden the desktop or mouse from sight.

McAfee didn't let us save screen shots so I found this one on the Internet. It shows the interface of the Sub Seven Trojan and the "fun" things that can be done to a victim's computer with it.

(Credit: All-Internet-Security.com)

I tested out the keystroke logger and found it to be particularly empowering and scary. It was thrilling to have so much control at my fingertips. It felt a bit like the electronic equivalent to pranks we did as kids, such as shorting the sheets and drawing on someone while the victim was sleeping. But these digital shenanigans have much more dire consequences.

Next up was creating a botnet, which would give me control over multiple zombies to do things like shut Web sites down with a denial of service attack and blanket e-mail inboxes with spam. I infected the two clients with the bot software and then created a command-and-control center on an IRC room. I then ordered up the system information from the bots, scanned their ports, and downloaded a malicious file onto the computers, as well as a keystroke logger. As they say in hacker lingo, I "pwned" the machines.

Finally, I used a program called "Shark" (also known as "Backdoor-DKG") to create a Trojan and install it on the victim clients by sending it through a Microsoft Outlook e-mail. Using a spreadsheet interface, I was able to set the functions of the Trojan, activate a keystroke logger and could have disabled antivirus software or set it to shut the system down based on certain conditions.

Following the tutorial, McAfee provided some bleak statistics to put my actions into perspective. For instance, the company's Avert Labs sees more than 400,000 new zombies a day, 4,000 new pieces of malware a day and 1.5 million malicious sites a month. There were 1.5 million pieces of unique malware last year and McAfee predicts that number will rise to 2.4 million this year.

The numbers aren't all that surprising to me now that I've seen firsthand how easy the malware is to create and use. All in all, I'd say it was a very sobering experience.


Source: http://news.cnet.com/8301-1009_3-10263239-83.html?tag=mncol;txt