Thursday, September 30, 2010

Dozens Charged In Use Of Zeus Trojan To Steal $3 Million


The FBI and the U.S. Attorney's office in southern New York announced charges today against 37 people accused of being part of an international crime ring that stole $3 million from bank accounts by infecting computers with the Zeus Trojan and other malware.

Between federal and state charges, more than 60 people total are being charged in the operation, officials said.

Ten people were arrested today by federal and New York law enforcement officers and another 10 were previously arrested in the U.S. as part of a coordinated takedown, authorities said. Seventeen people are still being sought in the U.S. and abroad, officials said. The defendants named in the documents, unsealed by the court today, were all listed as being from Eastern Europe and face federal charges.

Separately, 10 people were charged earlier today in England for similar Zeus-related crimes.

The Zeus Trojan was identified earlier this year as a key factor in the construction of a botnet that infected tens of thousands of computers around the world.

The defendants charged in Manhattan federal court today include alleged managers of the operation as well as alleged money mules recruited to open bank accounts for laundering money and a person accused of obtaining false foreign passports for mules.

The group allegedly recruited mules by placing ads on Russian-language Web sites seeking students with J-1 visas, who could open bank accounts in the U.S.

One of the purported victims was identified as a municipal entity in Massachusetts.

Some of the alleged mules are accused of retrieving money from breached brokerage accounts at eTrade and TD Ameritrade. Other defendants allegedly received stolen money from wire transfers to bank accounts in Asia or by withdrawing money from ATMs in New York, the documents indicate.

The investigation appears to have been triggered when New York police detectives went to a Bronx bank in February to investigate a suspicious $44,000 withdrawal, according to a news release issued by the FBI, the U.S. Attorney's office, the New York Police Department, and other agencies.

The charges range from bank fraud and false use of passport to money laundering and conspiracy to commit wire fraud. Maximum prison sentences range from 10 years to 30 years and fines from $250,000 to $1 million per count.


Read more: http://news.cnet.com/8301-27080_3-20018177-245.html?tag=mncol;title#ixzz112wQTfox

Monday, September 27, 2010

Stuxnet Worm Hits Iranian Nuclear Plant


Iran's official news agency said today that a sophisticated computer worm purportedly designed to disrupt power grids and other such industrial facilities had infected computers at the country's first nuclear-power plant but had not caused any serious damage.

The Stuxnet worm, which some see as heralding a new era of cyberwarfare, appeared in July and was already known to be widespread in Iran. In fact, its high concentration there, along with a delay in the opening of the Bushehr plant, led one security researcher to hypothesize that Stuxnet was created to sabotage Iran's nuclear industry.

In addition to emphasizing the threat posed by the worm, which could be used to remotely seize control of industrial systems, today's news could well add to speculation about Stuxnet, the sophistication of which has caused some to suspect that a nation state, such as Israel or the U.S., might be behind its creation.

The worm exploits three holes in Windows, one of which has been patched, and targets computers running Siemens software used in industrial control systems.

Mahmoud Jafari, the project manager at the Bushehr plant, said the worm "has not caused any damage to major systems of the plant" and that a team was working to remove it from several computers, according to Iran's IRNA news agency, which was cited in a report by the Associated Press.

Jafari said the infection involved the personal computers of several staff members working at Bushehr and would not affect plans to open the nuclear plant in October, the AP reported.


Read more: http://news.cnet.com/8301-1009_3-20017651-83.html?tag=mncol;title#ixzz10lUCBP1g

Wednesday, September 22, 2010

Report: Half Of Apps Have Security Problems


This chart shows the source of each application and the failure rate for security acceptance based on how critical the app is to the business.
(Credit: Veracode)


More than half of software used in enterprises has security problems, according to a new report to be released today from Veracode, an application security company.

Veracode looked at more than 2,900 applications over an 18-month period that were used by its cloud-based customers and found that 57 percent of all the apps had unacceptable application security quality.

Eight out of 10 Web apps failed to meet the OWASP (Open Web Application Security Project) Top 10 requirement that is necessary to achieve PCI (payment card industry) compliance for use in financial and e-commerce sites, Veracode said.

The report finds that third-party code, which is growing in use in enterprises, is often insecure. Third-party suppliers failed to achieve acceptable security standards 81 percent of the time, the report said.

Meanwhile, cross-site scripting remains the most common of all application vulnerabilities, and .NET applications showed "abnormally high" numbers of flaws, Veracode said.

"A lot of work still needs to be done around the work of software security," Sam King, vice president of product marketing at Veracode, told CNET.

Also on Wednesday, WhiteHat Security released a report that found that the average Web site had nearly 13 serious vulnerabilities.

Wednesday, September 15, 2010

Security Fixes Land In Chrome 6


Google updated the stable and beta builds of its Chrome browser on Tuesday evening, making a fix marked as critical to the Mac version and numerous repairs marked as high-priority across all platforms. Chrome 6.0.472.59 for Windows, Mac, and Linux also repaired a Linux-specific memory corruption bug.

At the time of writing, the critical Mac bug was still blocked from public view. This is not uncommon with bugs that can represent serious security risks. Judging by its public security logs, Google appears to be releasing details on fixed bugs no earlier than a week after the bug has been repaired.

Other security issues that were addressed include multiple high-level bugs involving use-after-free in document APIs, SVG styles, and nested SVG elements. Two high-level memory corruption bugs were also fixed, one in the HTML5 Geolocation feature, and another in language handling for Khmer. Finally, a small number of users who experienced browser crashes when blocking pop-ups should now see that fixed. The Chrome 6.0.472.59 changelog can be read at Google's Chrome updates blog.

Wednesday, September 8, 2010

Adobe Warns Of Zero-Day Hole In Reader, Acrobat


Adobe on Wednesday warned of a zero-day hole in Reader and Acrobat that is reportedly being exploited in the wild.

The critical vulnerability is in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh, and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh, according to the security advisory. The hole could allow an attacker to take control of an affected computer and potentially affects millions of computers using the Adobe software, which is the most popular PDF (portable document format) viewer.

The company said it is evaluating the schedule for releasing a security update to resolve the issue.

"Unfortunately, there are no mitigations we can offer," the advisory said. "However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available."

Adobe learned of the issue on Tuesday, according to a company statement.