Computer Security Articles

Right now there's a scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video – LOL" (example screen shot below). Websense customers are protected with by ACE, Advanced Classification Engine. During the 15 minutes it took to write this post over 7,000 new users liked the page so it's clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason.

When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself but is perhaps there to make it look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan. 

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the last payload site. The title still says "Look What Happens When a Father Catches her Daughter on Webcam" which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing on your news feed in the first place.

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited in other formats and applications that support flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Alas, the news was published on April 1^st. But it is not a joke.

Curious, I spent a bit of time today researching it (when I really was supposed to be doing other things), and while the “lizamoon” url is down, there are still a number of other URLs active on this one.

Without a lot of effort, I found infections using other URLs, which include

t6ryt56.info/ur.php
tadygus.com/ur.php
milapop.com/ur.ph
books-loader.info/ur.php

(These are all malicious, so obviously don’t go to them unless you know what you’re doing, etc.)

However, I doubt the infection is as massive as is being stated. For unique sites, perhaps a few thousand. More pages than that, but in terms of unique domains, not a million, as might have been inferred from articles.  

What’s curious is I found something else that was interesting —  encoded View State with malicious URLs injected into the site.

For example, here’s a screenshot of an example encoded View State that I found on one of the injected sites.

First, an infected page (with VIPRE yelling away that there’s a problem in the corner — sorry, can’t help the shameless self-promotion).

So let’s take a look at the page source:

Yuck! What’s all that? It’s encoded View State.

So we go to a handy-dandy decoder, paste the offending text, do a little “where’s Waldo” and there you have it:

How cool is that?

And yes, that is really painfully sloppy stuff.

Alex Eckelbery
(Obligatory hat tip to Jose)

Our February 23rd post noted that Facebook’s SSL “Secure Browsing” preferences had some issues remaining persistent.

There’s been some encouraging progress since then, and this is now what happens when a non-HTTPS application is accessed:

So at least the setting is persistent. Hopefully the feature will be more dynamic in the near future.

If you have a Facebook account, and want to update your settings for HTTPS, you’ll find the option under Account Security.

Well, actually we expect some more updates as some security vulnerabilities have been revealed at the Pwn2Own contest during the CanSecWest security conference. Google is the first and pushes out version 10.0.648.133 – which fixes one security vulnerability within WebKit (the base of the Blackberry, Chrome and Safari webbrowsers). As usual, the update is spread via the built-in automatic update mechanism. Users can make sure to use the latest version by clicking on the tool symbol and choosing the “About Chrome” menu entry.

Microsoft advises users to switch to Internet Explorer 9 which is soon to be released as final version according to the media. The company says that the flaw which has been abused for hacking the laptop during the Pwn2Own contest isn’t present in the new version.

Hopefully RIM, Google and Apple will deliver updates for the browsers for example on the smartphones based upon their operating systems soon, too.

Dirk Knop
Technical Editor

A friend who is new to Facebook asked, “How is it possible? I just created a Facebook account a few days ago, but my profile has been visited more than 15,000 times. I feel like a celebrity!”

“wow, i just found out that i had total 15158 visits to my profile and among these my ex was one that visited my profile the most with 121 visits just for last 7 days. You can check also your visits here http://apps.facebook.com/XXXXXXXXstalkers/”

My friend then realized that he visited one Facebook application that claimed to be able to know who and how many people visited your profile. This scam application is known as “List your stalkers”. Previously, similar applications have also been closed by Facebook. But the bad guys out there never cease creating the same application under different names.

When users want to visit an application page on Facebook, normally the application will ask for permission from the user. When the user allows it, it can then access all the information about you, from biographical data, to allowing the application to be able to post on your wall.

Before being able to use these applications, users are asked to fill out surveys, which they say is a verification method called “Facebook Verification Spam Bot”, which is of course nonsense. Because, they just want to get money from every survey that are successfully completed by visitors.

After a user visits the application, there will be a post on the wall, with a link that leads to the application. If your friend sees this and is curious, he will also visit the application and follow the same prompts that you just followed. This is one reason why this kind of application spreads so quickly.

It can’t be denied, until now there are still many people who still wonder, “Is it true?”

Is it true that it can be done? Facebook has the answer here:

“Facebook does not provide applications or groups with the technical means to allow people to track profile views or see statistics on how often a particular piece of content has been viewed and by whom. If an application claims to provide this functionality, please report the application by going to the application’s About page and clicking “Report Application” at the bottom of the page, or by clicking “Report” at the bottom of any canvas page within the application.

Applications you use may ask for permission to access content from your News Feed and Wall. Granting this permission does not allow applications to see who has viewed your profile. It simply allows applications to see which friends have interacted with posts, such as which friends liked or engaged with a particular wall post.”

Most of them believe what they read or see on the wall of their friends. Be careful, it’s not entirely true! And remember – if it looks suspect, it probably is.

Join Emsisoft Facebook page, and don’t forget to follow our Twitter to keep you stay update.

While we wait for the Japanese Earthquake scams to begin, we noticed another on-going spam campaign. We wrote about the ACH Transaction Rejected spam back in February, but another round is active, with another 350+ freshly registered domains.

The body of the email this time around reads:

The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution.

Please click here (link) to view details

If you have any questions or comments, contact us at info@nacha.org. Thank you for using http://www.nacha.org.

/This messages is intended for use by addressee only and may contain privileged and confidential information. If you are not the intended recipient, dissemination of this communication is prohibited. If you have received this communication in error, please delete all copies of the message and attachments and notify the sender immediately. /

The spam has one of the following ten subject lines:

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Your ACH transaction
Your ACH transfer

Each claims to be from “nacha.org” – the National Automated Clearing House Association – the people who handle electronic payments between banks.

The from addresses are:

ach@nacha.org
admin@nacha.org
alert@nacha.org
alerts@nacha.org
info@nacha.org
payment@nacha.org
payments@nacha.org
risk@nacha.org
risk_manager@nacha.org
transactions@nacha.org
transfers@nacha.org

Here are the domain names we are seeing this time around. I haven’t checked all of them, but the ones I checked were GoDaddy. (GoDaddy and Affilias have been notified, and many of the domains are already disabled.)

machine
———————————–
ACHDESCRIBES.INFO
ACH-DETAILS-EMERGE.INFO
ACHDETAILSEMERGE.INFO
ACH-DETAILS.INFO
ACHDETAILS.INFO
ACH-DETAILS-MAGAZINE.INFO
ACHDETAILSMAGAZINE.INFO
ACHDETAILSNOW.INFO
ACHDETAILSONLINE.INFO
ACHDETAILSSHOP.INFO
ACHDETAILSSITE.INFO
ACHDETAILSSTORE.INFO
ACHDETAILSTODAY.INFO
ACHELEMENTS.INFO
ACH-INFORMATION-ARCHITECTURE.INFO
ACHINFORMATIONASSURANCE.INFO
ACHINFORMATIONBLOG.INFO
ACH-INFORMATION.INFO
ACHINFORMATION.INFO
ACHINFORMATIONLITERACY.INFO
ACHINFORMATIONNOW.INFO
ACHINFORMATIONONLINE.INFO
ACH-INFORMATION-SCIENCES.INFO
ACHINFORMATIONSCIENCES.INFO
ACH-INFORMATION-SHARING.INFO
ACHINFORMATIONSHARING.INFO
ACHINFORMATIONSHOP.INFO
ACHINFORMATIONS.INFO
ACHINFORMATIONSITE.INFO
ACHINFORMATIONSTORE.INFO
ACHINFORMATIONTODAY.INFO
ACHINFORMATIONWARFARE.INFO
ACHINFORMS.INFO
ACHREPORTBLOG.INFO
ACH-REPORT-CARD.INFO
ACHREPORTCARD.INFO
ACH-REPORT-CARDS.INFO
ACHREPORTCARDS.INFO
ACH-REPORT-COVERS.INFO
ACHREPORTCOVERS.INFO
ACH-REPORT.INFO
ACHREPORT.INFO
ACHREPORTNOW.INFO
ACHREPORTONLINE.INFO
ACHREPORTSHOP.INFO
ACHREPORTS.INFO
ACHREPORTSITE.INFO
ACHREPORTSTORE.INFO
ACHREPORTTODAY.INFO
ACHREVIEW.INFO
ATRANSFERADMISSION.INFO
ATRANSFERAGENT.INFO
ATRANSFERAPPLICANTS.INFO
A-TRANSFERBLOG.INFO
ATRANSFERFILES.INFO
ATRANSFERGUIDES.INFO
ATRANSFER.INFO
A-TRANSFERNOW.INFO
A-TRANSFERONLINE.INFO
ATRANSFERPRICING.INFO
ATRANSFERREQUEST.INFO
A-TRANSFERSHOP.INFO
A-TRANSFERS.INFO
A-TRANSFERSITE.INFO
A-TRANSFER-STATION.INFO
ATRANSFERSTATION.INFO
A-TRANSFERSTORE.INFO
A-TRANSFERTODAY.INFO
B-ACH-ACCOUNTS.INFO
BACHACCOUNTS.INFO
B-ACHBLOG.INFO
B-ACH.INFO
B-ACHNOW.INFO
B-ACHONLINE.INFO
B-ACH-PAYMENT.INFO
BACHPAYMENT.INFO
B-ACH-PAYMENTS.INFO
BACHPAYMENTS.INFO
B-ACHSHOP.INFO
B-ACHS.INFO
B-ACHSITE.INFO
B-ACHSTORE.INFO
B-ACHTODAY.INFO
B-ACH-TRANSACTIONS.INFO
BACHTRANSACTIONS.INFO
BESTACHDETAILS.INFO
BESTACHINFORMATION.INFO
BESTACHREPORT.INFO
BESTA-TRANSFER.INFO
BESTB-ACH.INFO
BESTD-PAYMENT.INFO
BESTG-PAYMENT.INFO
BESTP-ACH.INFO
BESTQ-ACH.INFO
BESTQ-PAYMENT.INFO
BESTQ-TRANSFER.INFO
BESTR-TRANSFER.INFO
BESTT-TRANSFER.INFO
BESTV-ACH.INFO
BESTW-ACH.INFO
BESTZ-PAYMENT.INFO
D-PAYMENTBLOG.INFO
D-PAYMENT.INFO
DPAYMENT.INFO
DPAYMENTMETHOD.INFO
DPAYMENTMETHODS.INFO
D-PAYMENTNOW.INFO
D-PAYMENTONLINE.INFO
DPAYMENTOPTION.INFO
DPAYMENTPROCESSING.INFO
DPAYMENTPROCESSOR.INFO
D-PAYMENTSHOP.INFO
D-PAYMENTS.INFO
D-PAYMENTSITE.INFO
DPAYMENTSOLUTION.INFO
DPAYMENTSOLUTIONS.INFO
D-PAYMENTSTORE.INFO
DPAYMENTTERMINAL.INFO
D-PAYMENTTODAY.INFO
DPAYMENTTRANSACTION.INFO
ELECTRONIC-ACH-DETAILS.INFO
ELECTRONICACHDETAILS.INFO
ELECTRONIC-ACH-REPORT.INFO
ELECTRONICACHREPORT.INFO
FREEACHDETAILS.INFO
FREEACHINFORMATION.INFO
FREEACHREPORT.INFO
FREEA-TRANSFER.INFO
FREEB-ACH.INFO
FREED-PAYMENT.INFO
FREEG-PAYMENT.INFO
FREEQ-ACH.INFO
FREEQ-PAYMENT.INFO
FREEQ-TRANSFER.INFO
FREER-TRANSFER.INFO
FREET-TRANSFER.INFO
FREEV-ACH.INFO
FREEW-ACH.INFO
FREEZ-PAYMENT.INFO
G-PAYMENTBLOG.INFO
G-PAYMENT.INFO
GPAYMENT.INFO
GPAYMENTMETHOD.INFO
GPAYMENTMETHODS.INFO
G-PAYMENTNOW.INFO
G-PAYMENTONLINE.INFO
GPAYMENTPROCESSING.INFO
GPAYMENTPROCESSOR.INFO
G-PAYMENTSHOP.INFO
G-PAYMENTS.INFO
G-PAYMENTSITE.INFO
GPAYMENTSOLUTIONS.INFO
G-PAYMENTSTORE.INFO
GPAYMENTTERMINAL.INFO
G-PAYMENTTODAY.INFO
GPAYMENTTRANSACTION.INFO
MASTER-P-ACH.INFO
MASTERPACH.INFO
MYACHDETAILS.INFO
MYACHINFORMATION.INFO
MYACHREPORT.INFO
MYA-TRANSFER.INFO
MYB-ACH.INFO
MYD-PAYMENT.INFO
MYG-PAYMENT.INFO
MYP-ACH.INFO
MYQ-ACH.INFO
MYQ-PAYMENT.INFO
MYQ-TRANSFER.INFO
MYR-TRANSFER.INFO
MYT-TRANSFER.INFO
MYV-ACH.INFO
MYW-ACH.INFO
MYZ-PAYMENT.INFO
NEWACHDETAILS.INFO
NEWACHINFORMATION.INFO
NEWACHREPORT.INFO
NEWA-TRANSFER.INFO
NEWB-ACH.INFO
NEWD-PAYMENT.INFO
NEWG-PAYMENT.INFO
NEWP-ACH.INFO
NEWQ-ACH.INFO
NEWQ-PAYMENT.INFO
NEWQ-TRANSFER.INFO
NEWR-TRANSFER.INFO
NEWT-TRANSFER.INFO
NEWV-ACH.INFO
NEWW-ACH.INFO
NEWZ-PAYMENT.INFO
P-ACH-ACCOUNTS.INFO
PACHACCOUNTS.INFO
P-ACHBLOG.INFO
P-ACH.INFO
P-ACHNOW.INFO
P-ACHONLINE.INFO
P-ACH-PAYMENT.INFO
PACHPAYMENT.INFO
P-ACH-PAYMENTS.INFO
PACHPAYMENTS.INFO
P-ACHSHOP.INFO
P-ACHS.INFO
P-ACHSITE.INFO
P-ACHSTORE.INFO
P-ACHTODAY.INFO
P-ACH-TRANSACTIONS.INFO
PACHTRANSACTIONS.INFO
Q-ACH-ACCOUNTS.INFO
QACHACCOUNTS.INFO
Q-ACHBLOG.INFO
Q-ACH.INFO
QACH.INFO
Q-ACHNOW.INFO
Q-ACHONLINE.INFO
Q-ACH-PAYMENT.INFO
QACHPAYMENT.INFO
Q-ACH-PAYMENTS.INFO
QACHPAYMENTS.INFO
Q-ACHSHOP.INFO
Q-ACHS.INFO
Q-ACHSITE.INFO
Q-ACHSTORE.INFO
Q-ACHTODAY.INFO
Q-ACH-TRANSACTIONS.INFO
QACHTRANSACTIONS.INFO
Q-PAYMENTBLOG.INFO
Q-PAYMENT.INFO
QPAYMENTMETHOD.INFO
QPAYMENTMETHODS.INFO
Q-PAYMENTNOW.INFO
Q-PAYMENTONLINE.INFO
QPAYMENTOPTION.INFO
QPAYMENTPROCESSING.INFO
QPAYMENTPROCESSOR.INFO
QPAYMENTSCHEDULE.INFO
Q-PAYMENTSHOP.INFO
Q-PAYMENTS.INFO
Q-PAYMENTSITE.INFO
QPAYMENTSOLUTION.INFO
QPAYMENTSOLUTIONS.INFO
Q-PAYMENTSTORE.INFO
QPAYMENTTERMINAL.INFO
Q-PAYMENTTODAY.INFO
QPAYMENTTRANSACTION.INFO
QTRANSFERADMISSION.INFO
QTRANSFERAGENT.INFO
QTRANSFERAPPLICANTS.INFO
Q-TRANSFERBLOG.INFO
QTRANSFERFILES.INFO
QTRANSFERGUIDES.INFO
Q-TRANSFER.INFO
QTRANSFER.INFO
Q-TRANSFERNOW.INFO
Q-TRANSFERONLINE.INFO
QTRANSFERPRICING.INFO
QTRANSFERREQUEST.INFO
Q-TRANSFERSHOP.INFO
Q-TRANSFERS.INFO
Q-TRANSFERSITE.INFO
Q-TRANSFER-STATION.INFO
QTRANSFERSTATION.INFO
Q-TRANSFERSTORE.INFO
Q-TRANSFERTODAY.INFO
RTRANSFERADMISSION.INFO
RTRANSFERAGENT.INFO
RTRANSFERAPPLICANTS.INFO
R-TRANSFERBLOG.INFO
RTRANSFERFILES.INFO
RTRANSFERGUIDES.INFO
R-TRANSFER.INFO
RTRANSFER.INFO
R-TRANSFERNOW.INFO
R-TRANSFERONLINE.INFO
RTRANSFERPRICING.INFO
RTRANSFERREQUEST.INFO
R-TRANSFERSHOP.INFO
R-TRANSFERS.INFO
R-TRANSFERSITE.INFO
R-TRANSFER-STATION.INFO
RTRANSFERSTATION.INFO
R-TRANSFERSTORE.INFO
R-TRANSFERTODAY.INFO
TERMINAL-B-ACH.INFO
TERMINALBACH.INFO
THEACHDETAILS.INFO
THEACHINFORMATION.INFO
THEACHREPORT.INFO
THEA-TRANSFER.INFO
THEB-ACH.INFO
THED-PAYMENT.INFO
THEG-PAYMENT.INFO
THEP-ACH.INFO
THEQ-ACH.INFO
THEQ-PAYMENT.INFO
THEQ-TRANSFER.INFO
THER-TRANSFER.INFO
THET-TRANSFER.INFO
THEV-ACH.INFO
THEW-ACH.INFO
THEZ-PAYMENT.INFO
TTRANSFERADMISSION.INFO
TTRANSFERAGENT.INFO
TTRANSFERAPPLICANTS.INFO
T-TRANSFERBLOG.INFO
TTRANSFERFILES.INFO
TTRANSFERGUIDES.INFO
TTRANSFER.INFO
T-TRANSFERNOW.INFO
T-TRANSFERONLINE.INFO
TTRANSFERPRICING.INFO
TTRANSFERREQUEST.INFO
T-TRANSFERSHOP.INFO
T-TRANSFERS.INFO
T-TRANSFERSITE.INFO
T-TRANSFER-STATION.INFO
TTRANSFERSTATION.INFO
T-TRANSFERSTORE.INFO
T-TRANSFERTODAY.INFO
V-ACH-ACCOUNTS.INFO
VACHACCOUNTS.INFO
V-ACHBLOG.INFO
V-ACH.INFO
V-ACHNOW.INFO
V-ACHONLINE.INFO
V-ACH-PAYMENT.INFO
VACHPAYMENT.INFO
V-ACH-PAYMENTS.INFO
VACHPAYMENTS.INFO
V-ACHSHOP.INFO
V-ACHS.INFO
V-ACHSITE.INFO
V-ACHSTORE.INFO
V-ACHTODAY.INFO
V-ACH-TRANSACTIONS.INFO
VACHTRANSACTIONS.INFO
W-ACH-ACCOUNTS.INFO
WACHACCOUNTS.INFO
W-ACHBLOG.INFO
W-ACH.INFO
W-ACHNOW.INFO
W-ACHONLINE.INFO
W-ACH-PAYMENT.INFO
WACHPAYMENT.INFO
W-ACH-PAYMENTS.INFO
WACHPAYMENTS.INFO
W-ACHSHOP.INFO
W-ACHS.INFO
W-ACHSITE.INFO
W-ACHSTORE.INFO
W-ACHTODAY.INFO
WACHTRANSACTIONS.INFO
WARRENGPAYMENT.INFO
ZPAYMENTARRANGEMENT.INFO
Z-PAYMENTBLOG.INFO
ZPAYMENTCARD.INFO
ZPAYMENTCARDS.INFO
ZPAYMENTDATES.INFO
ZPAYMENTDEADLINE.INFO
ZPAYMENTDEFINITION.INFO
ZPAYMENTINSTRUMENTS.INFO
ZPAYMENTLOCATIONS.INFO
Z-PAYMENTONLINE.INFO
ZPAYMENTPLATFORM.INFO
ZPAYMENTPROTECTION.INFO
Z-PAYMENTSHOP.INFO
Z-PAYMENTS.INFO
Z-PAYMENTSITE.INFO
Z-PAYMENTSTORE.INFO
Z-PAYMENTTODAY.INFO

Since posting about the Justin Bieber likejacking campaign, we have observed similar campaigns cropping up.

Apparently, This Guy Took A Picture Of His Face Every Day For 8 Years

Most recent and notable is a new campaign, which purports to showcase a time lapse video of a man that took a picture of his face everyday for 8 years. From the power of celebrity to outrageous and shocking headlines, scammers have managed to strike the right chord for luring in users.  This particular version shows just how successful they are.

Similar to the Justin Bieber campaign, there seems to be multiple versions of this one floating around.  In addition, the multiple versions all seem to reside on the “.info” top-level domain.

Look Familiar? Same Template for FouTube found in the Justin Bieber "Likejack" Campaign

The user is presented with the same template we’ve seen before of a Fake YouTube (FouTube) page.  The end result is no different – the users’ mouse click is hijacked and they automatically “like” this page, which is then posted to their Facebook Wall and reaches the news feeds of their friends and family. Once again, there is a survey component to this, which helps put money into the pockets of the scammers.

However, what’s different this time around is that this version also tries to push the Free iPad/iPhone 4 scam.

Pushing the Free iPad scam onto Likejacking Victims

Unfortunately, there is no such thing as a Free iPad/iPhone 4. While the site above claims to have over 800,000 likes, in actuality, less than 100 people have actually liked the scam page.

This was discovered late last night and our research indicated there were at least 9 versions of it floating around. As of this morning, 3 of those are no longer active (the .info sites remain up, the social graph components have been disabled).  The remaining 6 versions continue to fool users into clicking through, racking up more likes than the Justin Bieber campaign.

6 Active Versions of this Likejacking Campaign Remain

The reason for so many different versions is simple – strength in numbers. Going from 9 active versions to 6 still allows the campaign to spread, as showcased above.  Garnering over 220,000 “likes” for one page would have raised some red flags and may have been taken down quickly. Having multiple versions out there allows these pages to stay active longer, giving them more time to spread and to fool more users.

We continue to urge Facebook users to remain skeptical of posts such as these.  Warn your friends and family about these scams, and if someone you know has fallen for one, tell them to remove the post from their Facebook Wall and warn their friends and family about it.  Knowledge is power, and so long as users are unaware of these types of scam campaigns, the more difficult it will be to stop them from spreading.

Cloud computing presents its share of risks that concern infosec professionals. At the same time, the cloud billing model offers a major security benefit to small and medium-sized businesses (SMBs) by making security more affordable for them.

Pricing Enterprise Security Products

Historically, enterprise security products have been expensive. (I wrote earlier how vendors can use low price as a competitive advantage.) In particular, the initial purchase and setup price—the capital expenditure (capex)—has prevented SMBs from deploying more than the bare essential security tools, say network firewalls and anti-virus. Adopting other security technologies, such as those mandated by PCI Data Security Standard, has been a significant financial burden.

Pricing a product usually involves extracting the maximum possible amount that the customer is willing and able to pay. This is why vendors often employ price discrimination practices. For example, the vendor might offer a full-featured version of the product at a high price for customers who value the features and can afford them. The vendor might also offer a lightweight version at a lower price; this allows the company to capture the portion of the market that’s comprised of the customers who cannot justify or afford the higher expense.

Enterprise security vendors have had a hard time offering lower-priced versions for SMBs that include an attractive feature set. The cloud makes this easier by providing an alternative billing model with inherent price discrimination characteristics.

The Advantages of Cloud’s Billing Model for SMBs

One of the essential aspects of cloud computing, according to NIST SP 800-145, is measured service. It involves “leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” In other words, cloud providers can bill customers based on how much of the service was actually used.

SMBs that do not use many units of a security service find it more affordable use the pay-per-use billing model than paying for the product outright. This model also provides the product’s vendor with inherent price discrimination, since the customers who make greater use of the service pay more for it than the lower-volume customers.

A related aspect of cloud services billing model is its conversion of the initial expense of obtaining the product (capex) into a stream of regular payments called operating expenditure (opex). In the current economic climate, avoiding capex in favor of opex is attractive to many companies. This is particularly beneficial for SMBs, who might lack the cash flow to make a large capex payment, but who can keep up with opex payments.

For instance, consider the two-factor authentication feature that Google provides for its customers. Most SMBs wouldn’t have the money or the expertise to implement this security control for their systems. Yet, they get access to it by paying a relatively low monthly fee for Google Apps on per-user basis. (Google even offers this feature to its non-paying users.)

These financial aspects of cloud services give SMBs access to security technologies even when they would’ve been unable to afford to buy the tools outright. As cloud providers incorporate security services such as vulnerability scanning, log management and web application firewalls (WAFs) into their offerings, I expect to see more SMBs making use of the security services they wouldn’t normally consider for purchase. When that happens, everyone wins.

— Lenny Zeltser

The UK government has today published a report into the cost of cybercrime, concluding that the overall cost to the UK economy from cybercrime is £27bn per year.

Wow. £27 billion a year is a huge amount of money. It’s even more staggering when you compare it to other problems that Britain faces. For instance, drug-related crime is estimated to cost the UK £13.9 billion a year.

Unfortunately the report, which was compiled for the Office of Cyber Security & Information Assurance by security consultancy Detica, doesn’t give any real detail of how it came by the number.

It does break the £27 billion cybercrime total down into different categories – for instance, £9.2 billion comes from theft of intellectual property (IP), and £7.6 billion is calculated for industrial espionage – but the report acknowledges that calculating such figures is “complex” because such incidents are typically not reported.

Well, hate to ask an obvious question but… if they’re not being reported, how have they been counted?

Yes, IP theft and industrial espionage are real concerns for businesses, and cybercriminals are perfectly capable of engaging in them, but there needs to be a proper mechanism for reporting cybercrime (both for home users and businesses) before we can begin to whisk up grand totals like this.

Maybe I’m being a bit cheeky comparing the cost of cybercrime to the cost of fighting drugs, especially as the report itself doesn’t make the comparison.

However, there has been an ongoing myth, that has been repeated time-and-time again, that the money made by cybercriminals exceeds those of the global drugs trade.. so it seems fun to compare the cost of cybercrime with the cost of the war against drugs.

The UK government report into the cost of cybercrime is right that businesses need to take the threat seriously. It’s not just the spam and malware attacks that trouble home users that can also cause problems in the office environment. It’s also about hackers gaining remote access to your company systems, spying on your activities and stealing information. These are serious concerns.

And although I cast a querulous eyebrow at the statistics being given in the report (at least, I’m fascinated as to how they were calculated), where I strongly agree with the report is in its conclusion that a proper picture of cybercrime in the UK needs to be built up.

Businesses often don’t report cybercrime because they are worried about the damage to their reputation. Home users don’t report phishing attacks and virus infections because they think no-one gives a damn, or don’t know to whom they should turn.

An accurate measure of cybercrime is required in order to provide the proper support that computer users – in business and at home – need to defend against the threats. Once we know the true scale of the problem, and can produce reports that aren’t dealt with skepticism, we can fund the computer crime authorities appropriately, and we can begin to measure if the UK’s attempts to fight the problem are really working or not.

You can download the “Cost of Cyber Crime” report for yourself from the Cabinet Office’s website.

Lush, the handmade cosmetics firm, has shut its Australian and New Zealand websites after hackers apparently gained access to online customers’ personal data.

In a statement posted on its website it “urgently” warns customers who have made online purchases to check with their banks to see if their credit card details have been abused.

It is less than a month since the firm had to issue a similar warning to its UK online customers.

LUSH WEBSITE PRIVACY BREACH
Our website has been the target of hackers

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customes who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry our further security checks.

There’s some interesting wording in the advisory. For instance, Lush says that its Australian and New Zealand websites are not linked to the UK website, but it doesn’t say that they haven’t suffered from the same vulnerability that allowed the hackers to gain access on the British site.

Furthermore, you have to wonder if Lush was storing its customers credit card information with secure encryption if they are concerned that customers could find that their details are being abused.

Lush says that it has contacted the police regarding the incident, and will send emails to all customers that they believe may have been affected

Last month, Lush attempted to cheer the spirits of affected customers by sharing a video of puppet lemmings singing a song.

Social media: more power than we thought

There are news stories today of demonstrations building in at least five Middle Eastern or North African countries in the wake of “Facebook” revolutions that brought down the leaders of Tunisia and Egypt. New stories on the web are being updated rapidly in many cases.

In general, the demonstrators are protesting their poverty and want to topple governments that fix elections, rule autocratically and make themselves, family members and friends rich through corrupt rule. Hot spots include:

Algeria

Monday the government of Algeria announced that it would end the state of emergency that has been in effect there since 1992. Demonstrators have filled the country’s capital of Algiers and clashed with police. Clashes have also been reported in Annaba in the east of the country, according to the Times of India.

Armenia

Armenian authorities are monitoring Internet traffic looking for such terms as “revolution” and “rally” as the Armenian National Congress (HAK) is organizing a rally February 18th, to protest the rigged presidential elections two years ago, according to The Armenian Observer Blog.

The blog said dozens of HAK supporters have been posting the word “revolution” in their Facebook statuses in protest.

The AllFacebook site (not part of Facebook) said the number of Armenians on Facebook doubled in the past six months. Only about four percent of the country uses it, however.


Bahrain

Security forces in Bahrain have used tear gas and rubber bullets against protesters in several villages today. The protesting groups (largely Shiite”) have declared a “Day of Rage” to protest lack of democratic reform Sunni rulers, according to Voice of America’s web site.

King Hamad bin Isa al-Khalifa recently gave every Bahraini family $ 2,600 and larger food subsidies. Yesterday his government also said it would reduce state control over the media industry and expand freedom of the press, VOA said.

Iran

Iranian leaders have sent security personnel into the streets to use riot sticks and tear gas on scattered groups of protestors. They also placed under house arrest two opposition figures, Mir Hossein Mousavi and Mahdi Karroubi, according to the Jerusalem Post.

Yemen

About 2,000 people are demonstrating against Yemeni President Ali Abdullah Saleh in the country’s capital of Sanaa. It’s the fourth day of protests there, according to Deutsche Press-Agentur.

Tom Kelchner

When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the “background and hobby interest of the majority of technical people in the industry.”

In addition to the infrastructure security “hammer,” our toolbox needs to incorporate the following elements:

• Domain expertise related to the industries and business functions supported by information security efforts. Security cannot function as a standalone discipline. Merely having technical security expertise isn’t enough.
• Data and analytics for determining which security and risk management approaches actually work. E.g., Malware defense metrics.
• Application security skills to develop software with fewer vulnerabilities and to mitigate the risks associated with the flaws that find their way into applications. E.g., Building a Web Application Security Program by Securosis.
• Practical security guidance to individuals who interact with sensitive data. For instance, we need security awareness training that doesn’t put people to sleep. For some ideas, check out SANS’ Securing the Human blog.
• Security tools that work according to users’ expectations and that are tied to the ecosystem of people and processes that rely on them. Security Scoreboard might be a piece of this puzzle.
• A “yes” mentality that positions infosec as an enabler of business processes ins a risky world. Too many security practitioners seem to strive for absolute security. E.g., security pros might be too cautions of cloud computing.

These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.

Update 1: For more thoughts on this topic, read Gunnar Peterson’s post He Who is Not Busy Being Born is Busy Dying, as well as Christofer Hoff’s response.

Update 2: In a follow-up post I offered my tips for how to Down the Walls Between Application and Infrastructure Security.

— Lenny Zeltser

My initial post on measuring the effectiveness of enterprise malware defenses generated very helpful feedback, which I’d like to share in this note. Good metrics provide an objective way of understanding the extent to which the measured security controls are working. I proposed a number of metrics that would help the organization to keep an eye on its anti-malware efforts.

The Scope of Collected Metrics

Jennifer Bayuk pointed out the importance of carefully deciding the scope of data that will be collected and the actions that will be taken as the result. For instance, consider the following metric I proposed earlier:

On what percentage of known infected systems did the user have local administrator privileges?

If the enterprise is already certain that local administrator privileges increase the severity of infection, then it might broaden the scope of this metric to include all systems, rather than measuring only at the infected ones.

I prefer tracking administrative privileges only on known infected systems because it’s often impractical to strip away admin rights everywhere. And maybe that’s OK, if in a particular organization the users who have admin rights don’t get infected anyway. I’d rather focus on those situations where the user gets infected while possessing administrative privileges.

Infection Characteristics on Workstations

Another friend, who prefers to stay anonymous, recommended tracking additional characteristics of infections on workstations:

• Where on the local system was the malware present? Was it in the Temporary Internet Files folder? Java cache folder? Email temporary attachment folder? Tracking the number of infections that involved these locations can help you understand which of your malware defenses are failing (browser, Java, email, etc.)
• What is the ratio between the number of malware samples detected in real time vs. scheduled scans? Most organizations prefer to catch malware in real time, as the user attempts to save or execute the malicious program. Detecting the presence of malware later during a scheduled scan indicated that the system is already infected; removing the malware might not fully clean the host.

Additional Malware Metrics

Phil Waterbury recommended additional metrics for measuring enterprise malware defenses, which included:

• What percentage of systems are reinfected within 3 days of the initial infection?
• How long does it take to deploy a custom anti-virus signature across the enterprise?

Phil pointed out that to collect and track such metrics, the enterprise needs to standardize the process its help desk follows when responding to, classifying and tracking malware-related incidents. He also emphasized the importance of standardizing on the approach for handling malware incidents from the perspective of tools and techniques—otherwise the collected metrics won’t be consistent across incidents.

Thanks for everyone’s feedback on the topic of malware metrics! If you’re interested in learning more on the topic, take a look at the paper Security Metrics: An Overview by Clare E. Nelson (PDF). Oh, and did I mention that I teach a course on combating malware in the enterprise?

— Lenny Zeltser

Thanks to industrypace.com for the info (the only thing I would point out is that just because they use a Chinese registrar, doesn’t make the bad guys themselves Chinese…).  There is link to a youtube video in the industrypace.com article which allows you to listen to the voicemail potential victims are directed to when they try to contact various credit references.

Zamma Media (zammamedia.com)
ICANN Registrar: BIZCN.COM, INC
Created 26 July 2010

IP: 72.9.236.181 – Global Net Access Llc

Registrant: Zammamedia Contractors, Paula Contractors (it@zammamedia.com)

*****

Gold Bird Network (goldbirdnetwork.com)
ICANN Registrar: BIZCN.COM, INC
Created 28 July 2010

IP: 72.9.236.168 – Global Net Access Llc

Registrant: Goldbirdnetwork.com (dns@goldbirdnetwork.com)

*****

7 Days Media (7daysmedia.com)
ICANN Registrar: BIZCN.COM, INC
Created 26 July 2010

IP: 72.9.236.178 – Global Net Access Llc

Registrant: Registrar Services, Norman Money (registar@7daysmedia.com)

*****

Some extra names that are in the same IP range and worth treating with caution are:

ad-kemation.com
ICANN Registrar: TODAYNIC.COM, Inc
Created 13 July 2010

IP: 72.9.236.163

Registrant: Frank K Robichaud (frankkrobichaud@gmail.com) (I'm sure I've seen that pseudonym before…)

*****

interceptinteractive.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.174

Registrant: Harold A Mcconville (haroldamcconville@gmail.com) (also used to register facilitatedigital.net and netmining.org)

*****

netmining.org
ICANN Registrar: TODAYNIC.COM
Created 29 July 2010

IP: 72.9.236.174

Registrant: Harold A Mcconville

*****

facilitatedigital.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.172 – Global Net Access Llc

Shares IP with trueffects.net

Registrant: Harold A Mcconville

A few days ago, we talked about how spammers now use Valentine’s Day. However, it’s not the first time this holiday was used for various attacks and schemes and it won’t be the last.

Our latest Security Spotlight article recaps all of the Valentine’s Day threats we’ve come across throughout the years. From spam that offer discounts on flower and chocolate purchases to Valentine-themed malware and out-and-out scams, plenty of cybercrimes are built around this occasion. We also provide some tips that will help users avoid these kinds of threat.

This is just part of the threat information that we have available as part of TrendWatch, which serves as a portal to research and analyses by TrendLabs engineers on various online threats.

Post from: TrendLabs | Malware Blog – by Trend Micro

Learn More About Valentine’s Day Threats

A few months ago Norman published a security article about the tool Firesheep, an extension to Firefox, which enabled taking over another user’s unsecured session with a web site. Social networks like Facebook etc. were particularly focused upon, due to the personal information often posted to and available in these communities. 

Firesheep’s functionality is possible because the communication between a user’s browser and the web site (e.g. the social network site) is sent in clear text. The data between the user and Facebook are transmitted by means of HyperText Transfer Protocol (http), 

Obviously this has potentially severe implications with respect to privacy and security in general.

Facebook announced its plans to enable secure communication in a blog posting 26 January titled "A Continued Commitment to Security". Facebook users will be able to use the more secure communication method Hypertext Transfer Protocol Secure (https), and the snooping options that Firesheep and similar technologies utilized, are no longer possible.

Secure communication is not implemented for all users yet, nor is https set up as the default communication protocol. Facebook wrote:

We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.

Communications through and information on Facebook is often highly personal, and it is of course imperative that this remains secure, and under the users’ own control. It is therefore highly recommended that you enable the Secure Browsing option in Facebook’s Account Settings as soon as this becomes available for you.

(Image taken from Facebook’s blog posting)

Hopefully Facebook will quickly implement https as the default setting. Otherwise lots of users will presumably continue to publish sensitive personal information unsecurely.

Full story: Norman’s security blog

Oracle’s fast growing product set may be hampering its ability to create patches for database flaws in a timely fashion, security experts say.

Full story: Computerworld Security News

Added to the Stuxnet resources page today:

Kim Zetter for Wired on "Did a U.S. Government Lab Help Israel Develop Stuxnet?":
 http://www.wired.com/threatlevel/2011/01/inl-and-stuxnet/
Jeffrey Carr at Forbes on "The New York Times fails to deliver Stuxnet's creators": http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/
Bret Stephens at the Wall Street Journal on "The Limits of Stuxnet": http://online.wsj.com/article/SB10001424052748703396604576087632882247372.html?mod=WSJ_Opinion_BelowLEFTSecond

There seems to be something of a second wave of … Read More.

Full story: ESET ThreatBlog

The US federal government seems to have IPv6 on the brain as of late: both the Federal Communications Commission (FCC) and the National Institute of Standards and Technology (NIST) came out with IPv6-related documents recently. The FCC document is a collection of previously known information—it’s not about FCC policy—but they managed to include a few things we weren’t aware of.

Read the comments on this post

Full story: Security