Tuesday, March 31, 2009

What's the best Conficker news headline you've seen?

The hours are ticking down to April 1st - in fact, in some parts of the world it's already April Fool's Day. (Wave to our friends in eastern Australia and New Zealand!)

But Conficker works at its own pace, and doesn't pay too much attention to the time setting of the computers it infects. Instead it queries internet sites to determine if it's gone past 00:00 April 1st 2009 GMT. (That's 1am British Summer Time, for example).

So, only once it's sure that March 2009 is history will Conficker change its operation and begin to look for instructions in a new way.
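As an added illustration (my own code, not Conficker's and not from the original post), here is a small Python model of the behaviour described above: the decision is taken from the Date headers of several web responses, and the PC's own clock plays no part. The sample headers are constructed, and the median-of-quorum rule is an assumption of this example, not a description of how the worm itself combines the answers it gets.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# The trigger moment discussed above: 00:00 on 1 April 2009 GMT.
ACTIVATION = datetime(2009, 4, 1, 0, 0, tzinfo=timezone.utc)

# Constructed sample Date headers, as several web servers might return them
# shortly before midnight GMT on 31 March 2009.
SAMPLE_HEADERS = [
    "Date: Tue, 31 Mar 2009 23:58:12 GMT",
    "Date: Wed, 01 Apr 2009 00:01:40 GMT",   # one server's clock runs a little fast
    "Date: Tue, 31 Mar 2009 23:59:55 GMT",
]


def parse_date_header(line: str) -> datetime:
    """Parse an RFC 1123 'Date:' header into a timezone-aware UTC datetime."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "date":
        raise ValueError(f"not a Date header: {line!r}")
    dt = parsedate_to_datetime(value.strip())
    if dt.tzinfo is None:               # '-0000' parses as naive; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def remote_time(headers: List[str], quorum: int = 2) -> Optional[datetime]:
    """Median of the servers' clocks, or None unless at least `quorum` servers answered.
    The median (an assumption of this model) discards one badly wrong or spoofed server."""
    times = sorted(parse_date_header(h) for h in headers)
    if len(times) < quorum:
        return None
    return times[len(times) // 2]


def activation_passed(headers: List[str], local_clock: Optional[datetime] = None) -> bool:
    """Decide purely from remote clocks. `local_clock` is accepted only to make the point
    that it is ignored: winding the PC's date back or forward changes nothing."""
    now = remote_time(headers)
    return now is not None and now >= ACTIVATION


def activation_in_zone(utc_offset_hours: int, label: str) -> str:
    """Express the GMT trigger moment in a local zone, e.g. 01:00 British Summer Time."""
    zone = timezone(timedelta(hours=utc_offset_hours), label)
    return ACTIVATION.astimezone(zone).strftime("%a %d %b %Y %H:%M %Z")


if __name__ == "__main__":
    skewed_pc = datetime(2012, 1, 1, tzinfo=timezone.utc)      # a wildly wrong local clock
    print(activation_passed(SAMPLE_HEADERS, local_clock=skewed_pc))   # False: median is 23:59:55
    print(activation_in_zone(1, "BST"))                                # Wed 01 Apr 2009 01:00 BST
```

The practical consequence for anyone trying to test the worm in a lab is that changing the system date does nothing; you have to control (or block) the web responses it sees.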

However, that's not going to mean very much unless it finds some instructions to obey. And so far the hackers behind Conficker have been very lazy in giving the worm any orders at all. So it's quite possible that nothing much will happen. Sorry about that, but we did try and tell you.

Which means that most of the Conficker-related action is actually happening not on users' computers, but in the newspaper headlines.

Conficker newspaper headlines

Yes, some real creativity there with "computers melting" and "internet chaos" a-plenty. They always put those bits in quotes, but it's hard to find out who the people are that they're actually quoting in those headlines - certainly not members of the computer security community.

If you've seen an amusing newspaper headline related to Conficker either online or in print please let me know (providing a link or image if possible). I'll choose my favourite and send the lucky winner an exclusive super-duper Sophos T-Shirt for their trouble.

Monday, March 30, 2009

Where do all these Russian brides come from anyway?

Elena
Regular readers of the Clu-blog will know that recently I have been receiving a number of invitations from Eastern European women hoping to make friends with me.

Natalya and Oksana didn't tell me how old they were, but from their photographs they look like they could be in their twenties. Evgeniya was more helpful, telling me she was 28 years old - which is probably still a bit young for me these days.

Now I've been contacted by Elena, a 27-year-old blonde, from some mystery land far away. None of the women have been forthcoming in revealing where in the world they are based, but I'm assuming Russia.

Much as I would love to imagine it were true, I somehow think it's unlikely that they've all suddenly taken a shine to hitching up with a computer security dude.

Elena's email

Scams like this rely on tricking someone vulnerable into responding. It's sad to imagine, but there are people out there who are so desperately unhappy or disadvantaged that rationality has flown out of the window, and who might genuinely believe that someone they have never heard of before has decided to email them out of the blue with the offer of a relationship.

In the old days, people like this were protected by the community around them - their friends and family could keep an eye on them to try and stop them getting into trouble. But now, with the internet, it's all too easy for scammers to prey on the elderly, the confused, the desperate and the vulnerable to make a quick buck out of them without caring eyes noticing what's going on.

Sunday, March 29, 2009

GhostNet: Who is really behind it?


Today saw the publication of a fascinating research paper by the Information Warfare Monitor project.

The paper, entitled "Tracking GhostNet: Investigating a Cyber Espionage Network", investigates claims of alleged Chinese spying against Tibetan organisations including the Tibetan government-in-exile and the private office of the Dalai Lama.

However the investigation also uncovered evidence of a more widespread cyber espionage network, which the paper's authors dubbed GhostNet.

According to the paper, GhostNet consisted of at least 1,295 compromised computers in 103 different countries. Many of the affected computers are said to belong to foreign ministries and embassies, as well as the offices of the Dalai Lama and the Tibetan government-in-exile.

Although the research paper examining GhostNet makes interesting reading, there's one thing missing. There's no smoking gun.

At no point does it gather enough evidence to prove, conclusively, that the Chinese government or the People's Liberation Army is behind the attacks. Just because Chinese computers are used in the scheme does not mean that the Chinese authorities are behind the operation.

Let me give you an illustration which helps explain this point.

If you were to investigate the IP address of the computer which sent spam into your mailbox today you'd probably find a good proportion of it came from a PC based in China. Going by the latest stats that we produced, 9.9% of spam is coming from that part of the world.

But you probably aren't finding that 9.9% of your spam is in Chinese, or selling Chinese goods. You'll probably find that a lot of it is promoting pharmaceuticals coming out of North America, Russian brides, or a cheap college diploma.

In other words, cybercriminals around the world are taking advantage of poorly-protected computers in China (and elsewhere) to launch their attacks. Just because a Chinese computer is implicated, it doesn't mean that China itself is behind the attack.

At the same time, let's not fall into the trap of naivety. We would be fools to believe that countries would consider the internet and spyware "off-limits" as a tool for espionage. Countries are spying on each other all across the world for political, commercial and military advantage - and they would be nuts not to try and exploit the power of the internet to increase their chances of success.

I'm sure China is using the net to spy on governments and businesses overseas for commercial, diplomatic and possibly military advantage. But then I'm sure that the United States, Israel, the United Kingdom and others are doing it too.

But let's not make the mistake of thinking that an investigation like this necessarily proves a country's involvement.

What can be learnt from this paper, however, is the importance of properly protecting your organisation with a layered defence, including proactive and reactive anti-virus technology, firewalls, security patches, network access control, encryption and so forth.

If you want to find out more about GhostNet, I would recommend you read this article by the New York Times and the Associated Press.


Friday, March 27, 2009

Don't open dhl_n756512.zip

We have been watching a large scale malicious spam campaign posing (once again) as an email from courier firm DHL.

Just like last time the messages claim that DHL tried to deliver a parcel from you on the 14th of March, and that you need to print out the attached invoice (contained inside dhl_n756512.zip) and bring it to their office.

DHL Tracking Number malicious email

Of course, opening dhl_n756512.zip is not to be recommended. It contains the Troj/Agent-JJP Trojan horse, and will put the security of your computer into the hands of remote hackers.

The emails that are currently arriving in our spam traps, battering down like hailstones on a tin roof, all use the subject line "DHL Tracking number" but have a randomly generated reference number.

Malicious emails claiming to come from DHL

Of course, the hackers are bound to use this trick again. And it's trivial for them to change the filename - so it's not enough simply to avoid files called dhl_n756512.zip. You have to be careful about *any* unsolicited file attachment you are sent.
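To show what "being careful about the attachment rather than the filename" looks like in practice, here is an added example (my code, not Sophos's detection logic and not the campaign's own files): a small Python filter that builds a message in the shape described above and then inspects it, looking inside the archive rather than trusting its name. The sender address, reference number and the bytes inside the zip are all constructed for this example.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that have no business inside an unsolicited "invoice" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
SUBJECT_PATTERN = re.compile(r"^\s*DHL Tracking number\b", re.IGNORECASE)


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a message shaped like the campaign. With malicious=True the attachment is a
    zip holding an executable; otherwise it is a harmless text file. All details invented."""
    msg = EmailMessage()
    msg["From"] = "DHL Service <noreply@dhl.example>"      # hypothetical sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "DHL Tracking number 4873920"          # random-looking reference number
    msg.set_content("We tried to deliver a parcel on 14 March. Print the attached invoice "
                    "and bring it to our office.")
    if malicious:
        archive = io.BytesIO()
        with zipfile.ZipFile(archive, "w") as z:
            z.writestr("DHL_invoice.exe", b"MZ" + b"\x00" * 62)   # fake PE header, constructed
        msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                           filename="dhl_n756512.zip")
    else:
        msg.add_attachment(b"Invoice total: 0.00", maintype="text", subtype="plain",
                           filename="invoice.txt")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Return the reasons (if any) to quarantine a message. Archives are opened and their
    members checked by extension and by header bytes, so renaming the zip does not help."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["Subject"] or ""
    findings = []
    if SUBJECT_PATTERN.match(subject):
        findings.append("subject matches the 'DHL Tracking number' lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    with z.open(info) as member:
                        head = member.read(2)
                    if ext in EXECUTABLE_EXTS or head == b"MZ":
                        findings.append(f"{name} contains executable {info.filename}")
        except zipfile.BadZipFile:
            findings.append(f"{name} claims to be a zip but is malformed")
    return {"subject": subject, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

Checking the `MZ` header as well as the extension catches the common trick of an executable renamed to something innocuous inside the archive; the subject match on its own is only a weak signal, since the reference number changes from message to message.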

Thursday, March 26, 2009

Memories of the Melissa virus

Word icon
It all started with just one file being uploaded to the internet.

An infected Word document was posted to the alt.sex usenet newsgroup. Most people probably thought a Word .DOC file was harmless, even though simple macro viruses had been circulating since mid-1995, and were all too eager to open the file to look through the list of passwords for pornographic websites.

That was the trigger which led to the Melissa virus spreading like wildfire around the world.

Because when you opened the Word document it forwarded itself to the first 50 people in your Microsoft Outlook address book.

There were some other curiosities about Melissa which are sometimes forgotten. The virus occasionally corrupted documents by inserting the phrase 'twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.' This was a reference to an episode of "The Simpsons" cartoon show, in which Bart, playing Homer at Scrabble, puts down the "word" KWYJIBO to describe a balding North American ape.

Melissa was one of the first* successful email-aware viruses, forcing some large companies to shut down their email gateways because of the colossal amount of email the malware was generating.

Virus writers couldn't fail to notice the impact that Melissa was having, and the virus cast a long shadow as it inspired thousands of other malware attacks such as Anna Kournikova, The Love Bug, Netsky, and Bagle in the years to come.

I hadn't quite started working for Sophos at the time of the Melissa virus outbreak (I was in-between security companies, minding my garden) but I still remember how internet discussion groups like alt.comp.virus were dominated by discussion of this fast-spreading piece of malware, and how other hackers posted their concern that Melissa's author may have bitten off more than he could chew.

Discussion on alt.comp.virus

And, funnily enough, it was that initial posting to the alt.sex internet newsgroup that was to help the authorities identify the mastermind behind the Melissa virus.

The Word document that had been uploaded to Usenet had come from the account of an AOL user, skyrocket@aol.com. Police contacted AOL and quickly determined that the owner of the account had not been the person who had uploaded the file - instead his account had been compromised by an unknown hacker. Fortunately, AOL were able to provide information which pointed in the direction of a house in New Jersey.

Less than a week after the Melissa virus outbreak began, 30-year-old David L Smith was arrested at his brother's house in Eatontown, New Jersey, and it was soon confirmed that Smith had released the virus (which he had named after a stripper he had known in Florida) from his apartment.

Collage of David L Smith, author of the Melissa virus

I remember at the time being surprised at how old Smith was. Most virus writers at the time were teenage boys, not emotionally mature enough to have grown out of writing viruses which were predominantly designed to show off rather than make money. Remember, at the time financially-motivated malware was extremely rare. Melissa was just written "for kicks" rather than to make money.

Without at least a financial motivation for his actions, it's hard not to think of a thirty-year-old man hanging out on the internet with virus-writing buddies to be anything other than a bit sad.

But it seems Smith was smart enough to realise he should cooperate with the authorities to minimise any possible punishment. Within weeks of the FBI arresting him, he was using a fake identity to communicate with and track virus writers around the world.

According to court documents released some years later, Smith gave the FBI the name, home address and email address of Jan de Wit (also known as "OnTheFly"), the Netherlands-based author of the Anna Kournikova virus. The FBI passed the information on to authorities in Europe, who arrested de Wit; he was later sentenced to 150 hours' community service.

Furthermore, in 2001 David L Smith is claimed to have assisted in another investigation into a virus writer - having recorded online discussions with part-time DJ Simon Vallor, the author of three viruses. The FBI shared the information with British detectives, who arrested Vallor in February 2002. Vallor subsequently pleaded guilty and was sentenced to two years imprisonment.

In return for his services, the FBI paid for David L Smith's rent, insurance and utilities, totalling over $12,000.

No doubt, Smith's assistance to the FBI contributed to a tardiness in sentencing him. It wasn't until 2002, over three years after the Melissa virus spread across the globe, that he finally received his punishment of a 20 month jail term.

The words I wrote at the time seem to me to be a fitting coda for the story of Melissa:

"The Melissa worm was a serious security breach, inconveniencing millions of computer users the world over - it's important that Smith has been dealt with in an appropriate manner by the US courts," said Graham Cluley, senior technology consultant at Sophos. "It's just a shame that the authorities couldn't have worked quicker to bring him to book. Smith has already been a dark inspiration to a whole generation of script kiddies - these copycat virus writers would have undoubtedly thought twice before distributing their malicious code if their hero was serving time."

I don't know what happened to Smith after jail, but I hope he managed to rebuild his life. He may have written malware in a more innocent era than today, but there's no doubt that his creation helped spawn the imagination of many other cybercriminals. In many ways, Melissa was the Grandmother of email-aware malware, which continued to plague companies and home users for years to come.

* Footnote: Thanks to colleague Paul Ducklin, who correctly points out that Melissa wasn't the first email-aware virus. For instance Happy99, although not a mass-mailer (it sent one extra email for each one you sent yourself), predates Melissa by at least two months.

It's quite neat to mention Happy99, as its author, Spanska, is the fellow quoted above who hopes that Melissa's creator will not be caught. Presumably that reflected his hope that he would continue to evade prosecution too!

But going even further back in time, the CHRISTMA EXEC worm, which took out BITNET/EARN in 1987 (and could be argued to have been even more "successful" than Melissa, in terms of how badly it affected the networks it ran on), can probably be described as the first successful mass-mailing malware.

Wednesday, March 25, 2009

Inconsistent treatment for hackers?

Owen Thor Walker
It is reported that a teenage hacker who made headlines for accessing computers around the world without permission for dishonest purposes, has been given a job by a New Zealand telecoms company.

Nineteen-year-old Owen Thor Walker, from New Zealand, was exposed as "AKILL", a hacker who had written malware to steal bank account information and was said to have played a role in controlling a botnet of over a million computers worldwide. Walker escaped jail, but was ordered to pay $11,000 in fines.

Now it has been revealed that TelstraClear, New Zealand's second-largest telecommunications firm, hired Walker to conduct security seminars and assist them with advertising.

You have to raise an eyebrow at this point, and ask if there is possibly an inconsistency at play in the way in which different countries are punishing their cybercriminals.

After all, British hacker Gary McKinnon is facing extradition after breaking into NASA and Pentagon computers shortly after 9/11 in his hunt for evidence of UFOs.

My guess is that McKinnon would be extremely happy to receive a fine, and get a job advising people about security - but no-one seems to be offering him that yet.

And regardless of whether McKinnon and Walker are being treated differently by the authorities, is anyone else concerned that some hackers might be using their notoriety as a fast track to employment in the IT industry? Is that a good message to be sent out to young people?

I'd rather skilled youngsters got a good job based upon them putting their talents to a positive use, rather than as an apparent reward for past crimes.

Monday, March 23, 2009

My love triangle just became a square

As if my life wasn't complicated enough trying to choose between two Russian women, a third has entered the ring.

Meet Evgeniya, who has just sent me an email out of the blue. She has carefully chosen me out of all the millions of people on the internet, as she would "like to begin our acquaintance".

But let's let Evgeniya tell her story in her own words:

I would like to begin our acquaintance, with the small story about me. My name is Evgeniya. To me 28 years. I the quiet, young, purposeful girl. I conduct a healthy way of life. I do not smoke and I do not take alcohol. I have work which very strongly I love. But I do not have not enough love. I am assured, that on our planet, there is a person who can present to me happiness and love!

I search for the real man who will love, and to respect me. I consider, that this main thing in relations. I would like to find out you in more details. I wish to get acquainted with you more close, by means of e-mail. It will be for us easier variant.

Ahh, you can just imagine the twinkling sound of balalaikas as the wind blows over the Urals, can't you? Well, don't get too misty-eyed if you receive an email like this, because it's unlikely that Evgeniya (or, more likely, the burly Russian walrus-moustached fraudster who is hiding behind her picture) has your wellbeing foremost in her mind.

You should never reply to emails like this, even if you are feeling downtrodden and heartbroken. There have been plenty of examples in the past of people who have been fooled into cyber-relationships, only to find their bank accounts emptied, their identities stolen, or a nasty dose of malware in that next photograph they send over.

Sophos.com

Friday, March 20, 2009

Suspected Pentagon hacker "Wolfenstein" arrested

According to media reports, a 23-year-old man has been arrested in Romania, suspected of hacking into US Department of Defense systems in 2006.

According to investigators, Eduard Lucian Mandru, of Iaşi, Romania, is not just a student at the local Faculty of Economy and Business Management, but also the hacker nicknamed "Wolfenstein" who broke into the DoD's secure network in 2006, infecting computers with a spyware Trojan horse.

It is reported that the hacker accessed networks at the Pentagon via compromised servers in Japan, making it more difficult to identify his true location. Investigators claim that one of the few leads they had was a Yahoo email address linked to the hacker - wolfenstein_ingrid@yahoo.com.

In what appears to have been a blunder of extraordinary proportions, Mandru posted his CV on a number of job-seeking websites when looking for employment including - you guessed it - the email address wolfenstein_ingrid@yahoo.com.

Judging by the scale of this blunder, if Mandru was the hacker who broke into the Pentagon then he may well be Romania's answer to Homer Simpson.

If found guilty of hacking, Mandru faces a jail sentence of between 3 and 12 years.


Thursday, March 19, 2009

Has Australian list of banned websites been leaked?


A list of some 2400 websites, said to have been deemed unsuitable by the Australian Communications and Media Authority (ACMA) for containing illegal content related to child abuse, rape and other criminal activities, has been published on the internet.

The ACMA blacklist is supposed to be strictly confidential. The Australian government has been compiling a list of websites to be censored, and has distributed it to a number of ISPs who are looking into the technical issues of filtering the content from users.

Of course, the list of illegal, prohibited and potentially prohibited web pages is supposed to remain strictly confidential - if it were public knowledge it would effectively be a telephone directory of illegal content, including child abuse material. Under Australian law, anyone who republishes the list is liable to face up to 10 years' imprisonment.

What is unclear is whether this is really ACMA's blacklist or not. Although Federal Minister for Communications Stephen Conroy has confirmed that the list published on the internet does contain URLs which match those on the ACMA list, it contains others that the organisation has received no complaints about.

If it is confirmed that there has been a security breach, and details of illegal websites collated by ACMA have made it into the public domain then there will inevitably be questions asked regarding the dangers of creating such lists and sharing them with internet service providers.

Let's put it this way.

Honourable intentions might be the motivation behind building a dam to stop a flow of water. But if that dam is not properly built, springs a leak, and inevitably releases torrents of water upon those downstream, then it is the dam-makers who will bear the brunt of the blame.

So, what of the contents of the list published on the internet?

Well, SophosLabs has acquired it, and can confirm that the majority of the websites listed that are of an inappropriate or illegal nature (many are related to child abuse) are already blocked by our WS1000 Web Security Appliance. We strongly recommend that readers do not download the list and check out the links out of curiosity, as accessing some of the websites may be illegal in your country.

However, our investigation has discovered that there are a number of sites on the published list which it would not be appropriate for us to protect customers against, as we have been unable to find any illegal or questionable content on their sites. These include a Queensland dentist's website, a caravan park, and webpages related to subjects as diverse as poker-playing and euthanasia.

Earlier this week, ACMA's censorship list made headlines after it was revealed that it was blocking access to an anti-abortion website, and several pages on the anonymous whistleblower site, Wikileaks.


Wednesday, March 18, 2009

More details on the Diebold ATM Trojan horse case


Yesterday, Vanja Svajcer of SophosLabs described how he had discovered malware which appeared to be designed to steal information from users of Diebold ATM cash machines. I also published some discussion here on the Clu-blog about how the Trojan horses could potentially be exploited by a criminal gang.

Last night, Vanja and I spoke to Bob McMillan, a journalist who had seen me post on Twitter about our discovery, who then went one stage further and uncovered that Diebold had contacted customers in January warning them about the urgent security threat to their systems.

Diebold issued an update to its ATM software, and recommended that it be installed on all of its Windows-based ATMs globally. According to the company, the update should prevent the Skimer-A Trojan horse from successfully stealing information from cash machine users.

In addition, they confirmed that hackers from Russia had attempted to plant the malicious software on ATMs in an audacious attempt to steal money. What isn't publicly known yet is how the hackers - who have been apprehended according to Diebold - managed to gain physical access to a number of ATMs in Russia.

Was it a breach in security along the supply-chain that delivers ATM hardware to banks, or an inside job? All Diebold has said so far is that there was not a network-level security compromise.

In a cover letter which accompanied the critical security update, Diebold reminded customers to follow best practices to minimise the chances of security breaches:

"This latest offense against Diebold ATMs is another example of the growing level of sophistication and aggression involving ATM-related crime. Security is one of Diebold's absolute priorities and our engineers are working constantly to address emerging ATM security threats. Diebold continually emphasizes the customers' role in reducing the risk of attacks by following industry-standard security procedures related to managing physical access to ATMs, password management and software updates."

My opinion is that we shouldn't be that surprised that some hackers might now be targeting the ATMs directly, rather than just the bank customers using the internet to manage their online finances. After all, as legendary American robber Willie Sutton answered when asked why he robbed banks, "that's where the money is."


Tuesday, March 17, 2009

Your PIN or your life!

Life has become more dangerous for ATM card holders in the UK.

As muggers require the Personal Identification Number (PIN) of a stolen card to make withdrawals, they are tempted to resort to violence against the card owners to get hold of it.

The case of two French exchange students in London who are believed to have been tortured to death for not revealing their ATM card PINs shows that this threat is real.

Major British banks are unintentionally helping these muggers, as they distribute card readers among their clients that serve as generators of one-time codes used for transaction authentication. Although distributed with the best intentions by the banks, these readers can also be used by criminals to instantly verify whether an extorted PIN is correct. Now it is a lot easier for them to keep their victims captive in a secret place, to press them to reveal the PIN and to verify its accuracy instantly.

Three Cambridge researchers revealed [pdf] that these card readers suffer from more than only this weakness.

Designed after the Chip Authentication Programme (CAP) standard, these card readers for 'Chip & PIN' smart cards expose further weaknesses like the reuse of authentication tokens and the ability to store one-time codes for an unnecessarily long period of time, which helps phishers to misuse the stolen codes.

The CAP specification is secret, but is essentially a stripped-down version of the public EMV (Europay, MasterCard, Visa) standard, which is well established and has been openly analysed.

CAP, however, allows for a wide range of interpretation, which the designers of the UK variant exploited, sadly, for the worse. In their intention to create a cheaper and more versatile device they ignored some seemingly unimportant details of the initial protocol, resulting in remarkably lower security.

Please don't get me wrong. I generally appreciate any attempt to increase security in homebanking by adding more intelligent devices to the authentication process. The failure of the UK variant of CAP is that its designers used a public, known to be secure standard and optimised it until it lost major security elements. Had they published their protocol variant in the first place, the crypto community may have been able to correct the flaws before they eventually went into the product.

Exchange students in Berlin might rest easier. The German CAP variant, ZKA-TAN-Generator [pdf], lets the banks decide whether the device should verify the PIN instantly or go ahead with the false PIN. In addition, this device addresses some other flaws, too, such as the time-invariance of the one-time code.
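To make the two design points above concrete (offline PIN verification turning the reader into a PIN oracle for whoever holds the card, and codes that stay valid until superseded unless they are bound to the transaction), here is an added example in Python. It is my own simplified model, not the Cambridge paper's code and not CAP's real cryptography: CAP derives its codes from an EMV cryptogram and an issuer bit filter, whereas this uses HMAC-SHA256 and decimal truncation; the counter window the bank searches, the card IDs, key and PINs are all constructed for the example.

```python
import hashlib
import hmac


def truncate(mac: bytes, digits: int = 8) -> str:
    """Reduce a MAC to a short decimal code a person can type (illustrative, not CAP's bit filter)."""
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class Card:
    """Model of a chip card: shared key, PIN and an application transaction counter (ATC)."""

    def __init__(self, card_id: str, key: bytes, pin: str):
        self.card_id, self.key, self.pin, self.atc = card_id, key, pin, 0

    def verify_pin(self, pin: str) -> bool:          # EMV-style offline PIN check on the card
        return hmac.compare_digest(pin.encode(), self.pin.encode())

    def cryptogram(self, pin: str, challenge: bytes) -> str:
        """Every call bumps the ATC; the code binds the ATC, the challenge and a PIN-correct flag."""
        self.atc += 1
        flag = b"\x01" if self.verify_pin(pin) else b"\x00"
        msg = self.atc.to_bytes(2, "big") + challenge + flag
        return truncate(hmac.new(self.key, msg, hashlib.sha256).digest())


def reader(card: Card, pin: str, challenge: bytes = b"", offline_pin_check: bool = True) -> str:
    """Hand-held reader. With offline_pin_check the device itself refuses a wrong PIN, so it is a
    PIN oracle for anyone holding the card and the reader. Without it a wrong PIN still produces an
    ordinary-looking code (which the bank will reject), so the device reveals nothing."""
    if offline_pin_check and not card.verify_pin(pin):
        return "PIN INCORRECT"
    return card.cryptogram(pin, challenge)


class Bank:
    WINDOW = 50   # how far past the last accepted ATC the bank will search (an assumption)

    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enrol(self, card: Card) -> None:
        self.keys[card.card_id] = card.key

    def accept(self, card_id: str, code: str, challenge: bytes = b"") -> bool:
        """A code is valid if it matches some ATC in the window after the last accepted one, for
        this challenge, computed with the PIN-correct flag. Accepting a code moves the window on."""
        last = self.last_atc.get(card_id, 0)
        for atc in range(last + 1, last + 1 + self.WINDOW):
            msg = atc.to_bytes(2, "big") + challenge + b"\x01"
            expected = truncate(hmac.new(self.keys[card_id], msg, hashlib.sha256).digest())
            if hmac.compare_digest(expected, code):
                self.last_atc[card_id] = atc
                return True
        return False


KEY = bytes(range(16))   # constructed demo key


def mugger_scenario():
    """Wrong PIN: the verifying reader says so; the non-verifying one emits a code the bank rejects."""
    card, bank = Card("c1", KEY, "1234"), Bank()
    bank.enrol(card)
    oracle = reader(card, "0000", offline_pin_check=True)     # tells the mugger to try again
    silent = reader(card, "0000", offline_pin_check=False)    # eight digits, indistinguishable
    return oracle, silent, bank.accept("c1", silent)


def identify_mode_replay():
    """Identify mode (no challenge): a phished code stays valid until a later ATC is used."""
    card, bank = Card("c2", KEY, "1234"), Bank()
    bank.enrol(card)
    phished = reader(card, "1234")              # victim types this into a phishing page
    accepted_by_phisher = bank.accept("c2", phished)
    bank.accept("c2", reader(card, "1234"))     # a later genuine login moves the window on
    return accepted_by_phisher, bank.accept("c2", phished)


def transaction_bound():
    """Binding the code to the transaction details: a phished code only works for that transaction."""
    card, bank = Card("c3", KEY, "1234"), Bank()
    bank.enrol(card)
    details = b"pay 10.00 to 12345678"
    code = reader(card, "1234", challenge=details)
    diverted = bank.accept("c3", code, challenge=b"pay 5000.00 to 99999999")
    return diverted, bank.accept("c3", code, challenge=details)
```

The three scenario functions return, respectively, the oracle string alongside a rejected but normal-looking code; a phished identify-mode code that is accepted once and only dies after the victim's next genuine login; and a transaction-bound code that cannot be diverted to a different payee.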

The flaws in the British CAP devices show once more how dangerous it is to abandon established security standards in favour of proprietary, seemingly optimised ones. Time will tell whether these devices will eventually undergo the same mutations as the first Wireless LAN adapters with their flawed 'Wired Equivalent Privacy' (WEP) security standard.

WEP -> WEPplus -> TKIP -> WPA1 -> WPA2 - pooh, that's still a long way to go.


Monday, March 16, 2009

Dirty bomb news report leads to PC infection


Dmitry from our Vancouver offices has covered this in some detail on the SophosLabs blog, but I thought it was worth sharing with a wider audience.

Hackers are spamming out emails posing as breaking news stories about a bomb blast in your city, in the hope that you will follow the link and infect yourself with malware.

The emails, which have subject lines like "Why did it happen in your city?", "Take Care!", "Are you and your friends in good health?", claim that 18 people have been killed in an explosion and link to what appears to be a Reuters-related news website.

However, clicking on the link takes you to a dangerous website whose only intention is to infect your Windows PC with malicious code. Clicking on what appears to be a video about the breaking news story actually leads to a malicious download.

Part of the text of the website designed to fool the unwary into believing the story to be true, reads as follows:

At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by a "dirty" bomb. Police said the bomb was detonated from close by using electic cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"

You'll notice that the hackers did not do a brilliant job in their wording - which might ring alarm bells in some people. But I wonder how many others would be blind to such a clue, and just click on the video regardless?

What is particularly clever about the website is not that it pretends to be connected with Reuters (that's trivial for anyone to do, as all you need is a copy of the Reuters logo and some generic news report text), but that it attempts a GeoIP lookup of your whereabouts and customises the story to appear as though it relates to your location.

So, for example, if you visit the webpage from London it is likely to claim that the bomb blast has occurred there.

Sophos detects the malware as Mal/WaledPak-E, but users of other security products might be wise to check that their own defences have been updated.


Thursday, March 12, 2009

Did BBC break the law by using a botnet to send spam?

The Computer Misuse Act makes it an offence in the United Kingdom to access another person's computer, or alter data on their computer, without the owner's permission.

The legislation has been used on a number of occasions to bring British hackers and virus writers to book, as obviously anyone breaking into a computer or installing malware is in breach of the act.

It is, therefore, somewhat surprising to find that the BBC appears to have breached the law when making a programme about computer crime.

BBC technology show BBC Click was investigating cybercrime and how gangs use networks of compromised computers (botnets, made up of so-called zombie PCs) to send spam. As regular Clu-blog readers will be aware, well over 99% of all spam is sent from innocent people's hacked computers without their knowledge.

BBC reporter Spencer Kelly and security company PrevX took over an existing botnet of approximately 22,000 computers, and used them for their spam experiment - ordering the innocent third-party computers to send 500 spam messages each to Hotmail and Gmail accounts under the control of the BBC.

Sure, a TV report like this can raise awareness of the serious problem of computers being controlled by hackers. But is it appropriate for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment?

Sophos has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question.

The law says you can't mess around with other people's computers without authorisation. The BBC and PrevX did not have the permission of the computer users to send those spam messages. Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal, that doesn't make it right.

Furthermore, at the end of this next excerpt you'll see that the BBC "warned" the users that their computers were part of a botnet. They did this by changing the desktop wallpaper of affected computers owned by innocent third parties to display a message from BBC Click.

This is clearly an unauthorised modification of computer data, and is - to my mind - a breach of the Computer Misuse Act.

Finally, the BBC says it "managed to acquire its own low-value botnet... after visiting chatrooms on the internet," but it is unclear whether they paid any money to the criminals who normally control such systems.

The BBC and PrevX might argue that they were making this TV show in the public interest, but surely there are ways of raising awareness of threats without breaking the law? Isn't there enough spam around (I wonder how Hotmail and Gmail feel about this?) without journalists taking over botnets to generate more unwanted email traffic?

Update: According to this report in Out-law.com, I may not be correct in saying that the BBC committed an offence of unauthorised modification as it requires an intent to impair the operation of the computer or the software running on it. However, they do agree that unauthorised access appears to have occurred.

Do you agree with me in thinking the BBC went about this the wrong way? Think I've got it all wrong?

Sophos.com

Wednesday, March 11, 2009

Ladies and Gentlemen, update your PDF readers..

Last month we warned you about a critical zero-day vulnerability in the ubiquitous Adobe PDF Reader that was being exploited by hackers to infect computers.

The risk is that hackers could craft a malformed PDF file that triggers the vulnerability, allowing them to open a backdoor and run malware on your computer. Using this technique it would be simple for cybercriminals to spam out a PDF file that would infect your PC, or to plant malicious PDF content on a website.

There was concern at the time the vulnerability was discovered, because Adobe said it would not be rolling out a patch until March 11th, even though we had already seen the exploit being used.

So, it's with some relief that we can now confirm that Adobe has issued an update which reportedly fixes the vulnerability. Windows and Apple Mac users can read more and download Adobe Reader 9.1 from Adobe's website. I strongly recommend that if you use Adobe Acrobat Reader you download this update as soon as possible.

The only fly in the ointment is that Unix users have not had their version of Reader updated by Adobe. According to the firm, they may have to wait until March 25th.

One other thing to note is that Adobe's software is not the only PDF-reading solution that requires a security update.

Some internet users switched some time ago to the alternative FoxIt Reader, claiming that it is speedier, has a smaller memory footprint and obviously isn't necessarily vulnerable to the same exploits as Adobe's product.

However, in a useful reminder to us all that every piece of software needs to be kept up-to-date with security patches, FoxIt Software has announced that its product has also been updated to fix a number of security vulnerabilities. Read more and download an up-to-date version of FoxIt Reader from their website.

Sophos.com

Tuesday, March 10, 2009

Do you use the same password for every website?


Despite high-profile security breaches such as Jack Straw's Hotmail account being compromised, and cybercriminals gaining access to celebrity Twitter accounts after cracking an administrator password, a third of computer users are still using the same password for every website they access according to newly revealed stats* from Sophos.

Very few computer users seem to have woken up to the risks of using weak passwords and the same ones for every site they visit. With social networking and other internet accounts now more popular than ever, there's plenty on offer for hackers, and by using the same password to access Facebook, Amazon and your online bank account you're making it much easier for them.

Once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain.

Furthermore, it's important that users don't use a word from the dictionary as their password. It's easy to understand why computer users pick dictionary words as they're much easier to remember, but as I explain in this video a good trick is to pick a sentence and just use the first letter of every word to make up your password.

My advice to all computer users is to ensure they don't use dictionary words as passwords, as it is relatively easy for hackers to figure these out using electronic dictionaries that simply try every word until they get the right one.

Furthermore, it's important not to choose common passwords like 'admin' or '1234' as cybercriminals also check these first. In fact, the Conficker worm uses a list of 200 common passwords to try and gain access to other computers on the network, meaning that if one employee is infected, the whole corporate network could quickly be compromised if strong passwords are not enforced.
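As an added example (not code from the original post), here is a password-policy check that applies the advice above from the defender's side: it rejects entries from a common-password list and a dictionary, including trivially mangled forms such as a trailing digit or leetspeak, and shows that the sentence-initials trick produces something that passes. The word lists are tiny constructed stand-ins, not Conficker's actual list.

```python
import re
import string

# Constructed stand-ins for the lists an attacker's tool would try first. A real
# policy check would load a full dictionary and a published common-password list.
DICTIONARY = {"password", "dragon", "monkey", "letmein", "sunshine", "football"}
COMMON_PASSWORDS = {"admin", "1234", "12345", "123456", "qwerty", "password",
                    "password1"}

# Undo the usual "leetspeak" swaps so that P@ssw0rd is recognised as password.
LEET = str.maketrans("013457$@!", "oleastsai")
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def attack_variants(candidate: str) -> set[str]:
    """Forms a dictionary attack would also try: lower-cased, with any trailing
    digits/punctuation removed, and with leetspeak substitutions reversed."""
    lowered = candidate.lower()
    deleeted = lowered.translate(LEET)
    return {lowered, TRAILING_JUNK.sub("", lowered),
            deleeted, TRAILING_JUNK.sub("", deleeted)}


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate; an empty list means OK."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    variants = attack_variants(candidate)
    if variants & COMMON_PASSWORDS:
        problems.append("matches a common-password list entry")
    if variants & DICTIONARY:
        problems.append("is a dictionary word (possibly trivially mangled)")
    classes = sum(bool(set(candidate) & set(cls)) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def passphrase_initials(sentence: str) -> str:
    """The sentence trick: keep the first character of every word, so case,
    digits and symbols survive and the result is not a dictionary word."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    for pw in ("admin", "Dragon1!", "P@ssw0rd",
               passphrase_initials("My dog Rex ate 3 socks & a shoe!")):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```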

Sophos.com

Monday, March 9, 2009

Emma Watson condemns Twitter fraudsters


Teenage actress Emma Watson, known around the world for her portrayal of brainbox Hermione Granger in the series of Harry Potter films, has condemned fraudsters impersonating her on Twitter.

The popular actress has claimed that reports she had accepted a place at Yale University were spread via the micro-blogging site because of a fake profile using her name.

However, a spokesperson for Watson posted a statement on her official website debunking the claims.

"Emma does not have a Twitter account and these rumours are false. Emma is still trying to decide whether she wants to attend university in the UK or the USA and hasn't accepted any placements at this time," said the statement.

Of course, this is far from the first time that a fake celebrity has caused mischief on Twitter.

Newspapers were buzzing with news that Twitter had reached a tipping point when it was reported that the Dalai Lama had joined the service, only for the profile to be later revealed as fake.

And late last year I blogged about the various fake Al Gores on Twitter, and when it was reported that Vint Cerf's Twitter account appeared to be spewing spam it took a journalist from The Register to dig around and discover that the account was fake.

More recently Scottish actor David Tennant has been affectionately lampooned - although, in his case, the fakers were upfront that they were not really the award-winning star of BBC TV's Doctor Who series.

Most of this stuff is pretty harmless compared to when real celebrities' accounts get hacked, as happened to Miley Cyrus, Britney Spears and Barack Obama.

But there is a fundamental issue of too much trust here. People seem to believe what they read on their computer screen - even though anybody can create a Twitter account and claim to be, say, Michael Jackson without any checks done on their true identity.

The message is simple - stop being so trusting. Seek proper confirmation that you're communicating with the person you really think you are.

Sophos.com

Friday, March 6, 2009

2009 Security threat report: The future

Growth in complexity of attacks

Predicting the future in such a rapidly evolving environment is near impossible. One only needs to count the rate at which new malware appears today compared to five years ago to see how quickly the threat has become more serious.

Some things do seem certain however:
  • The variety of attacks and their number will continue to escalate, driven by organized crime’s desire to break into computers to steal information, identities and resources.

  • Data leakage will become an ever-larger concern, especially with the increasing use of mobile technologies. Many countries have introduced strict disclosure laws, or will soon do so. These laws are aimed at stopping companies from sweeping security breaches under the carpet. Even a very restricted data breach, once disclosed, may affect overall trust in an organization’s products and services.

  • Compromised PCs, both at home and at work, will continue to remain the primary source of spam. With many botnets adopting a decentralized, P2P-style of operation, quick wins such as the success of taking down the botnet command-and-control centers hosted by provider McColo will become harder to achieve.

  • Web insecurity, notably weakness against automated remote attacks such as SQL injection, will continue to be the primary way of distributing web-borne malware. Cybercriminals can then send innocent-looking spam which links to legitimate, but hacked, webpages. These hacked sites link invisibly to malicious content.

  • Malicious emails will include an increasing proportion of attachments or web links to non-program (non-EXE) files. These will be legitimate-looking data files, such as Word DOCs and PDFs, that are booby-trapped with exploits against software vulnerabilities. Viewing these files, which would be harmless on a patched computer, could lead to an invisible disaster on an unpatched one.

  • Identity theft will continue to adversely affect customer loyalty. In the year ahead, companies must assure their customers that proper and thorough security measures have been taken so that the risk of a breach is minimal.

Computer users will continue to face challenges in securing and controlling their computers, as criminals attempt to capitalize on new technology to make money and cause disruption. In addition, threats like identity theft and fraud will still occur far into the future because of human mistakes.

However, if managed properly, the problem should not be insurmountable. Sound security practices, up-to-date protection and an active commitment to keep informed can all help defend business networks in the year ahead.

The good news is that security software is getting better all the time. Proactive detection of new, unknown malware threats is at an all-time high, and computer users who are sensible and properly defended can dramatically reduce the risks.

Sophos.com

Thursday, March 5, 2009

2009 Security threat report: Arrests and the law

Behind bars

With international computer crime authorities uniting to tackle cybercriminals, the past twelve months have seen more arrests and harsher sentences for criminals involved in high-profile and financially rewarding computer crimes.

Below are just some of the cases that made the news in 2008.
  • January 2008. Three men who constructed an elaborate email scam pleaded guilty in a New York court to stealing more than $1.2 million [55]. The men sent emails that claimed to come from a victim of terminal throat cancer who wanted to distribute $55 million to charity. One of the gang, Nnamdi Chizuba Ainsiobi, is then said to have telephoned recipients, disguising his voice to pretend he was the person suffering from the disease.
  • February 2008. An American teenager pleaded guilty to seizing control of hundreds of thousands of zombie computers and using them to display cash-generating adverts [56]. Some of the compromised computers were based at the Weapons Division of the US Naval Air Warfare Center and the US Department of Defense.
  • March 2008. A Chinese court handed out jail sentences of between six and a half and eight years to four men who used a Trojan to steal internet bank account information [57].
  • April 2008. An Israeli court jailed three members of the Modi’in Ezrahi private investigation firm after they were found guilty of using a Trojan to steal commercial information [58].
  • May 2008. Authorities in the US and Romania charged a total of 38 people suspected of running an international crime ring that targeted hundreds of financial institutions through phishing emails and SMS text messages [59].
  • June 2008. 19-year-old Jason Michael Milmont admitted to being the programmer of the Nugache malware that infected Windows computers [60]. The malware turned the computers into a sophisticated peer-to-peer (P2P)-controlled botnet that contained 5,000 to 15,000 compromised computers at any one time. Milmont used stolen bank information to access accounts and buy goods.
  • July 2008. A federal court in Manhattan sentenced 17-year-old Adam Vitale to 30 months in prison for sending out more than 1.2 million spam messages in less than a week [61]. Vitale was looking for a share of the profits made from selling goods via the messages.
  • August 2008. Dutch authorities apprehended Leni de Abreu Neto, following assistance from the FBI and the Brazilian Federal Police [62]. The 35-year-old Brazilian allegedly ran and leased access to a botnet that comprised 100,000 computers.
  • September 2008. A gang of alleged credit card data thieves, said to have stolen CDN $1.8 million (approximately US $1.69 million) from a company in Calgary, were arrested by police in Canada [63]. One of the arrested men was Ehud “The Analyzer” Tenenbaum, who had been caught illegally accessing Pentagon computers 10 years earlier.
  • October 2008. The Federal Trade Commission (FTC) convinced a court to shut down a group suspected of being a major international spam operation [64]. The FTC claimed to have received over three million complaints from computer users who had received emails connected with the spam campaign, many of them offering what was described as a “100 percent safe and natural herbal” male enhancement pill.
  • November 2008. A US court ordered CyberSpy Software LLC to stop selling its RemoteSpy keylogging software while the FTC investigates whether it is being used to break the law [65]. In December the ban was overturned [66].

Sophos.com

Wednesday, March 4, 2009

2009 Security threat report: State-sponsored cybercrime

Digital espionage increasing

Countries spy on each other for political, commercial and military advantage and it would be naive to think they do not take advantage of computers and the internet to help them do so.

During 2007 it became common for countries to openly accuse each other of engaging in spying via the internet, such as the Chinese military being blamed for a cyberattack on a Pentagon computer system in September of that year [48], for example. Concern about state-sponsored cybercrime climaxed at the end of 2007 with the discovery that MI5, the British Security Service, had written to 300 chief executives and security chiefs at UK companies warning them of the “electronic espionage attack”.

2008 saw even more reports of alleged government-sponsored cybercrime. Even though it can be extraordinarily difficult to prove an attack has been endorsed by a state, 2009 is likely to bring more claims of countries attacking and spying on each other via the internet.
  • April 2008. Der Spiegel reported that the BND – Germany’s foreign intelligence service – used spyware to monitor the Ministry of Commerce and Industry in Afghanistan [49]. Confidential documents, passwords and email communications were reportedly compromised by German spies, and sent to the BND’s headquarters. This news followed revelations that the BND had intercepted emails between Spiegel journalist Susanne Koelbl and Afghanistan’s Commerce Minister Amin Farhang, resulting in a diplomatic row between the countries.
  • May 2008. Senior Indian government officials in New Delhi were said to have confirmed that Chinese hackers targeted the Ministry of External Affairs and the National Informatics Centre [50], which provides the network backbone for central and state government, as well as other administrative bodies in India. The unnamed officials were quoted as saying that this was China’s way of gaining “an asymmetrical advantage” over a potential adversary.
  • May 2008. Belgium also accused the Chinese government of cyber-espionage, claiming that hacking attacks against the Belgian Federal Government had originated in China, and were likely to have been at the behest of the Beijing government [51]. Separately, the Belgian Minister of Foreign Affairs told parliament that his ministry had been the subject of cyber-espionage by Chinese agents several weeks before.
  • August 2008. As tensions rose over South Ossetia, Russian and Georgian hackers launched attacks against each other [52]. Examples include a distributed denial of service attack against the website of the South Ossetian government and the defacement of the Georgian Ministry of Foreign Affairs website with a collage of pictures of Georgian president Mikheil Saakashvili and Adolf Hitler [53].
  • September 2008. Seoul accused its adversaries in North Korea of stealing documents from military officers through the use of spyware and a female agent [54]. The spyware attack took the form of a malicious email attachment designed to steal documents from infected computers. The email addresses were supplied by 35-year-old Won Jeong Hwa.

Sophos.com

Tuesday, March 3, 2009

2009 Security threat report: Data leakage

Unsafe data

Data leakage filled the headlines in 2008 as corporations and government proved themselves to be lax in protecting their confidential data [44].

Organizations of all sizes are finding that today’s mobile and collaborative workforce needs access to information inside and outside the office, along with the ability to share data with co-workers and partners.

Users are routinely using and sharing data without giving thought to confidentiality and regulatory requirements. Almost 30 percent store contract and financial data, customer information, sales targets, contact details and personal account data on removable media [45]. This has led to numerous incidents of data loss that are often accidental rather than malicious.

Used hardware

A number of incidents were reported of confidential data ending up in the public domain after old computer hardware, which had not been securely erased, was sold on auction sites like eBay [46].

This has led some observers to suggest that there is a higher demand (and thus higher price offered) for used hard drives on eBay than for brand new ones. This is unsurprising, considering the amount of confidential information that is potentially recoverable [47].

Encryption

The most important step in stopping data leakage is to encrypt sensitive information, laptops, removable storage devices and email. If data is encrypted with a password it cannot be deciphered or used unless the password is known. This means that even if all other security measures fail to prevent a hacker from accessing your most sensitive data, they will not be able to read it and so compromise the integrity of your information.

The second step is controlling how users treat information. You want to stop any risky behavior, such as transferring unencrypted information onto USB sticks. Organizations should extend their anti-malware infrastructure in order to:
  • Control the use of information.
  • Guarantee efficient operations.
  • Ensure that they meet regulatory requirements.

With the possibility of mounting job losses in 2009, organizations should also be careful to ensure that devices used by departing workers are properly encrypted or securely wiped. Furthermore, the potential risk of disgruntled employees leaving with data or undertaking competitive espionage must also be considered.

Data loss is big money

In August 2008 US authorities charged 11 men with being involved in a hack that stole more than 40 million credit and debit card numbers. The retailers affected included OfficeMax, Barnes & Noble, Boston Market, and TJX, which operates retail stores TJ Maxx (known as TK Maxx in the UK) and Marshall’s.

According to the Secret Service and Department of Justice, the “wardriving” gang (driving through an area in search of insecure wireless corporate networks to hack) installed malicious programs and then sold the stolen information to other criminals in the US and Eastern Europe. Tens of thousands of dollars were then illegally withdrawn from ATMs using forged credit cards.

In another incident, the British Home Office confirmed that a USB memory stick containing the unencrypted personal details of some 130,000 convicted criminals had gone missing. Information included names, addresses, dates of birth and, in some instances, prisoners’ release dates. The USB stick was being used by external contractor PA Consulting, which as a result lost a £1.5 million contract with the British government.

Sophos.com

Monday, March 2, 2009

2009 Security threat report: Mobile phones and Wi-Fi devices

Security flaws in smartphones

To great fanfare, 2008 saw the launch of the 3G version of the Apple iPhone, and the first phone to use the Google Android mobile operating system.

Apple iPhone

There is no disputing that the 3G version of the iPhone is more attractive to business and internet users than its predecessor owing to its superior connectivity and cheaper price point. In its most recent set of financial results, Apple reported that its iPhone was outselling RIM’s popular Blackberry device [41].

Apple’s increased market share, however, may in turn herald more concerted attempts by criminals to take advantage of their devices in future.

Although simple malware has already been seen, the iPhone has not yet been the target of a significant attack. However, security flaws have been found in Apple’s mobile email application and its Safari web browser, and the company has been criticized for not patching these flaws at the same time as its other computers running Mac OS X.

iPhone users should also be aware that they may be more vulnerable to phishing attacks than their desktop counterparts because:
  • They have to enter URLs via the touch-sensitive screen, and may be more willing to just click on email links.
  • The iPhone version of Safari does not display URLs that are embedded in emails before they are clicked on. It is therefore harder for users to tell if the link leads, for example, to a bogus banking website.
  • The iPhone’s browser only displays partial URLs in its address bar, making it far easier for cybercriminals to fool users into believing they are on a legitimate website.
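The last point above is easy to see in code. As an added example (not from the original report), the function below compares what an address bar that shows only the first 30 characters of a link would display with the domain the link really resolves to; the bank name and the look-alike hostname are constructed, and the small public-suffix set is an assumption standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Two-part public suffixes handled by this shortcut. A production check should
# consult the full Public Suffix List; this small set is an assumption.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Constructed sample links: the genuine site and a look-alike whose hostname
# starts with the bank's domain but belongs to someone else entirely.
LEGIT_URL = "https://www.examplebank.co.uk/account/verify?id=1"
LOOKALIKE_URL = "http://www.examplebank.co.uk.secure-login.invalid/account/verify"


def visible_prefix(url: str, width: int) -> str:
    """Simulate an address bar that shows only the first `width` characters;
    '...' marks that the rest of the URL was cut off."""
    return url if len(url) <= width else url[:width] + "..."


def registrable_domain(host: str) -> str:
    """The domain a user actually needs to trust: the last two labels, or three
    when the suffix is two-part (co.uk). Bare IPv4 addresses are returned as-is."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def assess_link(url: str, expected_domain: str, width: int = 30) -> dict:
    """Compare what a narrow address bar shows with where the link really goes."""
    host = urlsplit(url).hostname or ""
    real = registrable_domain(host)
    shown = visible_prefix(url, width)
    brand_visible = expected_domain in shown
    return {
        "shown": shown,
        "real_domain": real,
        "is_legitimate": real == expected_domain,
        # The dangerous case: the visible part name-drops the expected brand
        # while the host the request really goes to is somewhere else.
        "deceptive": brand_visible and real != expected_domain,
    }


if __name__ == "__main__":
    for link in (LEGIT_URL, LOOKALIKE_URL):
        print(assess_link(link, "examplebank.co.uk"))
```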

Google Android

At the time of writing the only mobile phone on the market that uses the Google Android operating system is the T-Mobile G1, giving hackers their first real look at its operating system. Although early reviews have typically concentrated on its cosmetic differences to the Apple iPhone (such as a slide-out keyboard and less flexible touch screen), a security vulnerability in the G1’s web browser was rapidly discovered [42].

Concerns have also been raised that Google’s “open” attitude to applications may mean malicious programs can be distributed amongst its phone’s users far more easily.

Sophos believes that early examples of malware for these operating systems are likely to be written by enthusiasts with a desire to make headlines, rather than financially-motivated criminals. However, as millions more people purchase them, creating mobile phone threats will become increasingly attractive for the criminally minded. One example could be the creation of a generic Mac OS X attack, which could threaten the common features and technology of the Mac computer and iPhone [43].

Similarly, it would not be a surprise to see experimental attacks against Google Android users.

Such attacks are likely to rely upon social engineering – rather than software vulnerabilities – to fool users into running dangerous code. As such, mobile phone owners who are in the habit of adding third-party applications without caution will be increasing their chances of infecting their device.

Sophos.com

Sunday, March 1, 2009

2009 Security threat report: Apple

Mac users a soft target

The Apple malware problem is tiny compared to the situation for Windows users. However, since the emergence of the first financially motivated malware for Mac OS X in late 2007 there have been more attempts by hackers to infect Mac computers.

In February 2008, a new Flash-based Trojan, Troj/Gida-B [36], was designed to scare users into purchasing bogus security software. This scareware attack used poisoned web adverts that worked equally well on Mac and Windows computers.

The OSX/Hovdy-A Trojan [37], discovered in June 2008, is also capable of infecting Mac OS X computers and attempts to steal passwords, open firewalls and disable security settings. It takes advantage of the ARDAgent vulnerability in Mac OS X to gain root access. Once a computer has been infected the hacker can gain complete control and cover their tracks by disabling system logging.

In August 2008, Troj/RKOSX-A [38], a Mac OS X tool to assist hackers in creating backdoor Trojans, was discovered. Three months later, Sophos announced the discovery of a new piece of Mac malware being planted on websites – OSX/Jahlav-A [39]. This Trojan poses as a legitimate application, but after installation downloads additional components from a server in the Netherlands.

Although there is less Mac malware around, there are several reasons why Mac users should be wary.
  • A high level of complacency in the Mac community means many users incorrectly believe they are immune from internet security threats. This makes them a soft target for future attacks.
  • The use of Intel-based chips in Apple Mac hardware has made the use of Windows on Macs more common. This makes Macs more likely than before to be harboring and spreading Windows malware.
  • 2008 saw record sales of Apple Mac computers [40], with home users undoubtedly switching from PCs due to disgruntlement with Windows Vista. As the market share for Apple Macs increases, Mac users are likely to see more attacks launched against them.

With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it. Cybercriminals looking to maximize their return are likely to stick mostly to attacking Windows computers for the foreseeable future.

However, malware aimed at Macs will continue to be written, and users should continue to follow safe computing best practices such as running an anti-virus product and keeping up-to-date with security patches.

Sophos.com