Internet Security News

How to protect your company's data

As with any sophisticated machine, data safeguards for MFPs are available to IT administrators and users. Manufacturers, dealers and retailers are all capable of providing support to implement a successful security strategy. Just as you would install a virus scan on your laptop or PC, there are tools that can be used to help protect data on MFPs.

Features available to help protect data include:
- Image Overwrite: The Image Overwrite feature electronically "shreds" information stored on the hard disk(s) of MFPs as part of routine job processing. The electronic erasing can be performed automatically when each print job is completed, or reset manually as needed.
- Encryption: All data that interacts with the MFP, as well as data stored within the device, is secured with state-of-the-art encryption.
- Network Authentication and Authorization: Access to scan, e-mail and fax features can be restricted by verifying network user names and passwords in network directories prior to use of these functions. Access permissions can be controlled on a per-user and per-service basis, all managed centrally at the network domain controller. Additionally, all activity is monitored and recorded in a security audit log.
- Fax/Network Separation: MFPs should include a firewall to prevent unauthorized access to your system through the network connection. However, unprotected fax connections in MFPs can be an open back door into the network, so purchase a machine that provides complete separation of the telephone line and network fax connection.
- Secure Print: Jobs are safely stored at the MFP until the owner enters a personal number to release them. This controls unauthorized viewing of documents sent to the printer.
- Hard Drive Removal: Some manufacturers offer options for removal of the hard drive before the MFP is disposed of or turned in after a lease. While the owner of the MFP is ultimately responsible for their data, choosing a vendor that will help understand the risks associated with data when returning machines, and will provide recommendations on the most effective way to rid the hard drive of information, is something to keep in mind during the purchasing process.
In addition to the above tools, it's also important to keep in mind the value of updating the software that runs on MFPs. With new threats developing on a daily basis, there will always be a need to update the software that runs your copiers, or any networked peripheral including printers, fax machines and scanners. Responsible MFP manufacturers make new patches available for their customers to easily download, through a website or even RSS feed, so machines can easily be updated with the latest protection.

MFPs are intricate machines that use a hard drive for many functions, making them valuable tools to streamline business processes and share information. By taking advantage of the available options, users can benefit from these sophisticated machines, while ensuring their company's and customers' information is secure.
Wikileaks Suffers DDoS Attack, Dropped from Amazon Servers

The controversial website, wikileaks.org, has been affected by a highly effective DDoS attack that crippled the site for the first half of the week. This attack is still under investigation, but looks to be the work of a sole hacker who calls himself "Jester".

A distributed denial of service (DDoS) attack is carried out in two stages. First, a virus must be spread to multiple computers using the standard methods for doing so. Once that is complete, a central control computer issues a command for all the infected computers to begin the attack. At this point, all the computers begin simultaneously requesting data from the target in large amounts. This blocks other systems from being able to communicate with the targeted server, effectively taking it offline. This is not the first time the Wikileaks has been the victim of such an attack, although they did seem to be more vulnerable this time around.

Wikileaks hoped to find some relief in the cloud by utilizing the Amazon Elastic Cloud Computing (EC2) service. This proved to be a short-lived venture. As of December 1st, Amazon decided to revoke Wikileaks' ability to use EC2. This came after much political pressure was put on Amazon by Congressmen like Senator Joe Leiberman, who released a written statement saying that "[Amazon's] decision to cut off WikiLeaks now is the right decision and should set the standard for other companies WikiLeaks is using to distribute its illegally seized materials." This move has been met with outcry from Wikileaks supporters who have taken up the cry of government censorship and quoting the First Amendment in blogs and new story comments across the internet.

Now that Wikileaks has been removed from the cloud, where they sought refuge from the DDoS attacks that they have fallen prey to, it remains to be seen whether there will be more such attacks.
Facebook Messaging System Opens New Security Concerns

The next big thing in social media has been revealed in Facebook's new Messages system, which combines email, texting, and instant messaging into one threaded experience. They want to let people talk to each other without having to worry about whether the recipient prefers email or SMS, etc. This also opens the way for new security challenges to be overcome as more and more people start using this new service.

Sophos, an internet security company that advertises a variety of email and encryption services, has released an article concerning the new Facebook Messages system which focuses on the new security issues that need to be considered for people who opt to use it. In it, senior technology consultant Graham Cluley discusses that the burden of security lies more with the user than with Facebook itself. He says, "Before signing up, users need to realize that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into. Facebook accounts will now be linked with many more people in the users' social circles - opening up new opportunities for identity fraudsters to launch attacks." Basically, spammers now have more of an incentive to hack into Facebook accounts using phishing attacks and exploiting weak passwords.

The other security issue that Cluley discussed was the fact that "users also need to be aware that Facebook will be storing a complete archive of all of their communications with one person - this raises concerns as to how this data could be misused if it fell into the wrong hands." Imagine every conversation you've ever had with anyone being recorded and stored on servers you have no control over. All that vital information in the wrong hands could most certainly spell trouble for anyone unfortunate enough to fall victim to such a situation. For more security-based information about the new Facebook Messages system, check out the Sophos FAQ about it.
Patch Tuesday Visits Office, Forefront

Microsoft has gone through with its most recent round of Patch Tuesday updates, this time focusing on two software products. Microsoft Office contained seven vulnerabilities which were patched and Microsoft Forefront Unified Access Gateway (UAG) was also affected.

Microsoft Office is the collection of several productivity software products: Word, Excel, Outlook, PowerPoint, and OneNote. The vulnerabilities recently patched spanned two security bulletins, MS10-087 and MS10-088. MS10-087 patches five bugs, all of which can allow remote code execution. They affect all versions of Office, including Office for Mac. There are three vulnerabilities having to do with the mishandling of maliciously crafted office files, meaning that a person would need to open that file on their system, but once they did they would have complete control over that system. The other two vulnerabilities deal with the loading of "Rich Text Format" files and DLL files, and are just as dangerous as the others. MS10-088 is specific to PowerPoint and only contains two bugs, although they both can allow remote code execution as well. These are both dealing with maliciously crafted PowerPoint files, one being a buffer overflow and the other an integer underflow.

Microsoft Forefront is a security software suite for Windows Networks. You read that correctly, Microsoft sent out a security patch to fix their security software (something that should probably have been secure to begin with). UAG is a service that provides security to people remotely accessing those networks. MS10-089 details several cross-site scripting (XSS) vulnerabilities plaguing this software. Basically, a hacker can gain elevated privileges on your machine if you go to a certain URL. This seems like it would fall into the 'critical' category of bugs, while Microsoft placed it in the 'important' group. It may seem that this was an underwhelming Patch Tuesday in volume of patches, but looking at the serious nature of the vulnerabilities, I would have to say I'm glad they have been fixed.
Android Falls Short in Security Analysis

We've seen enough news about how Apple's iOS is vulnerable to attack. I think it's only fair that we talk about the shortcomings in its biggest competition, Android. According to a report by Coverity, the popular mobile operating system is home to hundreds of bugs in its kernel with a quarter of those bugs listed as 'high risk' that can be used to exploit user privacy.

Coverity Inc. is in the business of scanning software for potential security vulnerabilities. They recently scanned the open-source Android operating system and discovered 359 bugs. 88 of these are listed as high-risk which according to the report, "include four categories that we have found, through experience and consultation with our customers, to be ones that can cause the most damage and are most likely to be fixed first by developers. These include memory corruptions, illegal memory accesses (e.g., reading beyond the bounds of a memory buffer), resource leaks, and uninitialized variables. "

Let's look at how those bugs compare in the open source world. Coverity claims that the industry average 'defect density' is one defect per every 1,000 lines of code. Android has only half that number, which is impressive until you look at the areas those bugs were found. Most of the code in the operating system is a Linux kernel with custom additions added in, and in the Android specific code, the defect density is twice as high.

Fragmentation of accountability is listed as one of the main conclusions of the report. Coverity basically says that, just like the rest of open source software, with so many people contributing so many different elements to the project, it is almost impossible to keep track of who is in charge of fixing what. This is definitely a problem as open source becomes more and more popular.

The Coverity report can be found here.

Internet Security News - Security News

Facebook Becomes A Favorite Target Of Phishers

Due to widespread concerns about its thoughts on users' privacy, Facebook has been under all sorts of fire lately, facing criticism from U.S. senators, European data protection authorities, and many tech experts. Now, yet another problem's cropped up, as Facebook's been called a top target of phishers.

The Securelist division of Kaspersky Labs issued a report yesterday, and the identities of the top three organizations that have been targeted by phishers may not come as a surprise to anyone; they're PayPal (with 52.2 percent of all attacks aimed at it), eBay (with 13.3 percent), and HSBC (with 7.8 percent).

The report, which covered the period between January and March of this year, next stated, though, "Facebook popped up unexpectedly in fourth place. This was the first time since we started monitoring that attacks on a social networking site have been so prolific."

By way of explanation, the report then continued, "Having stolen users' accounts, the fraudsters can then use them to distribute spam, sending bulk emails to the account owners and their friends in the network. This method of distributing spam allows huge audiences to be reached. Additionally, it lets the fraudsters take advantage of the social networking sites' additional options, like being able to send different requests, links to photo's and invitations, all with the advertisement attached, both within the network and to users' inboxes."

Obviously, this isn't good news for Facebook's users or the security community as a whole. Facebook acts as a sort of point of entry to information about a whole lot of people (the social network had 400 million users in early February).

This isn't good news for Facebook, either, though - nothing that makes its users uncomfortable or unhappy, and therefore likely to leave, is - so perhaps we'll at least see the company make some attempt(s) to address this problem.

Anyway, if you're curious, the list of phishers' targets picked up after Facebook with Google, the IRS, Rapidshare, Bank of America, UBI, and Bradesco.
Google Goes After Impersonator Scammers

As huge corporations go, Google's a pretty cuddly one, but according to the search giant itself, everyone should be careful about offers of employment or wealth that involve its name. "Google Money" scammers represent a growing problem that the company is trying to combat.

A post on the Official Google Blog announced today, "[D]espite hundreds of consumer complaints and our own efforts to keep these sites from tricking people, some scams continue. To fight back, we're working to stop various fraudulent 'Google Money' schemes, and this week filed suit against Pacific WebWorks and several other unnamed defendants."

The post then added, "[W]e're still working constantly to remove scammy URLs from our index, and we'll permanently disable AdWords accounts that provide a poor or harmful user experience, whether or not they use Google's trademarks illegally."

The problem continues to exist, though.

So fair warning: The scams are known to operate under names like the Earn Google Cash Kit, Google Adwork, Google ATM, Google Biz Kit, Google Cash, Google Fortune, Google Marketing Kit, Google Profits, Google StartUp Kit, Google Works, and the Home Business Kit for Google. From there, they tend to be fairly standard make-money-from home affairs.

As always, stay sharp.
Senate Uncovers Online Credit Card Tricks

A report issued by a U.S. Senate committee only uses the word "scam" when quoting different consumers; the report's title employs the phrase "aggressive sales tactics," instead. Still, it looks like a number of big online companies have been caught profiting off people's confusion.

An investigation ordered by Senate Commerce Committee Chairman John D. Rockefeller IV discovered that Affinion, Vertrue, and Webloyalty "gain access to online consumers by entering into financial agreements with reputable online websites and retailers," according to the official report.

Then, "[T]he three companies insert their sales offers into the 'post-transaction' phase of an online purchase, after consumers have made a purchase but before they have completed the sale confirmation process. These offers generally promise cash back rewards and appear to be related to the transaction the consumer is in the process of completing. Misleading 'Yes' and 'Continue' buttons cause consumers to reasonably think they are completing the original transaction, rather than entering into a new, ongoing financial relationship with a membership club operated by Affinion, Vertrue, or Webloyalty."

So individuals wind up paying $9 a month, and companies make millions. Millions upon millions, really. 1-800-Flowers.com, Buy.com, Priceline, and US Airways (among many others) were all given more than $10 million by Affinion, Vertrue, and Webloyalty. Barnes & Noble, eHarmony, and Pizza Hut received between $1 million and $10 million.

It's a bit scary to see this sort of trickery employed by such mainstream organizations. Hopefully the committee's report will force them to clean up their act.
McAfee: Cyberwarfare A Big Threat

It might not be long before we return to the days of schoolchildren diving under their desks in warfare preparedness drills. Only now, instead of hiding from nukes, the kiddos may be unplugging their computers, since McAfee has indicated that a cyberarms race is taking place.

Dave DeWalt, the president and CEO of McAfee, said in a statement, "[S]everal nations around the world are actively engaged in cyberwar-like preparations and attacks." These include China, France, Israel, Russia, and the U.S., and it's no secret that the members of this group aren't all on great terms.

What's more, cyberwarfare's barrier to entry is so low in comparison to traditional hostilities (a roomful of computers vs. thousands of men, tanks, and airplanes) that lots of other countries are almost sure to pursue the idea.

Then, if and when the virtual bullets start flying, things could get really nasty. McAfee reported, "Attackers are not only building their cyberdefenses, but cyberoffenses, targeting infrastructure such as power grids, transportation, telecommunication, finance and water supplies, because damage can be done quickly and with little effort."

At least this state of affairs would create a good job market for security professionals. Everybody else might benefit in a physical manner from the dive-and-unplug exercises, too.
ICSA Labs Finds Flaws In New Security Products

It's sometimes fun to be an early adopter, as the long lines and waitlists for things like iPhones and the new Camaro have proven. But where security products are concerned, do yourself a favor and let other folks go first, since a fresh report indicates that it can take more than a single try to get things right.

ICSA Labs, which is based in Pennsylvania and has been around for 20 years, tests and sometimes certifies products. Emphasis on "sometimes."

An ICSA Labs Product Assurance Report indicated that just 4 percent of security products attain certification following a first round of testing. Most have to try again between one and three times before making the cut.

And it's not guaranteed that a product will ever meet the necessary standards, either. According to ICSA Labs, only about 82 percent of products attain certification in the end, meaning about one-fifth of all applicants (and perhaps a much larger percentage of products) aren't up to snuff.

So leave the shakedown cruises to less cautious individuals. Just repeat "patience is a virtue" a few times and read reviews while you're waiting, and remember that things will be less likely to blow up in your face when you finally get onboard.
Nigeria Announces Early Results Of Anti-Scammer Initiative

No one's sure how many there are to go, but according to a Nigerian official, there are about 800 scam email addresses and 18 criminals that can be considered "down." Mrs. Farida Waziri, the chairperson of a government agency, announced that some shutdowns and arrests occurred thanks to an initiative called Project Eagle Claw.

Nigeria's Economic and Financial Crimes Commission is the force behind Project Eagle Claw, and with Microsoft's help, has just started ramping it up. Waziri explained in a statement, "We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails."

She then gave some very interesting details, continuing, "[U]pon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly."

Anything Nigeria can do to address the problem of scammers operating from within its borders will of course be good for the country's image. More than that, it might help honest Nigerians become part of the online world (since some entities have just taken to blocking troubled regions as a whole).

Then there will be the benefit to the rest of the world, with maybe millions of dollars not getting lost. For that reason, Project Eagle Claw is likely to gain a lot of fans.
MessageLabs Names Most- (And Least-) Spammed States

When considering where to live, it's wise to look up stats about an area's climate, the cost of living, and its proximity to other important stuff in your life. Symantec's MessageLabs recently supplied some information about your odds of getting spammed, too.

Somewhat surprisingly, the states you might imagine as being the "most wired" - California, New York, Washington - weren't at the top of the list. Instead, the state in which spam represents the highest percentage of all emails received is Idaho, with 93.8 percent.

In an email to SecurityProNews, a Symantec/MessageLabs representative then listed the other top states (in order) as Kentucky, New Jersey, Alabama, Illinois, Indiana, Massachusetts, Pennsylvania, Arizona, and Maryland.

The U.S. territory of Puerto Rico wound up on the opposite end of the list, followed by Montana, Alaska, Kansas, South Dakota, Tennessee, Vermont, Rhode Island, Wisconsin, and Florida.

We're not quite sure what to make of these findings; the states don't appear to be ordered according to Internet penetration rates, GDP per capita, overall population, physical size, or anything else. Still, if you're looking to move, now you have a better idea of how to decrease the odds of getting bombarded with spam at your new home.
Enormous Malware Archive Creates Stir

A Dutch company known as the Frame4 Group has created what's almost the computing equivalent of a Center for Disease Control lab. The Malware Distribution Project is, according to its own site, the "world's biggest private malware archive."

Don't jump to the conclusion that the project's run by a bunch of supervillains; the malware samples are supposed to be "offered for the purposes of analysis, testing and malware research."

Also, customers are screened, and a monthly access fee of about $1,235 should act to keep out some of the riffraff.

It actually seems possible that the Malware Distribution Project could be of great help to the security community. When you consider that medical researchers don't have to wander from house to house, asking people if they have cancer, every time they want to start a new experiment, certain practices start to seem a little outdated.

There is a potential for problems, though. One nightmare scenario relates to the Malware Distribution Project's figurative walls failing and everything getting out. Having all of that malware run amuck at once - particularly if security researchers' computers were the first things it'd come across - would be bad.

Then there's the possibility that some unpleasant person would gain access to the Malware Distribution Project's archive and just sort of go on a shopping spree. This way, some relatively stupid hacker might be able to get his (or her) hands on the most sophisticated viruses in existence.

As you might imagine, the Malware Distribution Project is definitely proving divisive.

Anyway, at last count, the repository contained a whopping 3,336,503 files.

UPDATE (10-13-09): Anthony Aykut, the Managing Director of Frame4 Security Services, got in touch with SecurityProNews this morning to pass along some information. In an email, he wrote, "[T]he malware is neither downloadable via the web site or accessible in any other way via the www; in fact, the (secure) servers where the malware is stored (or analyzed/processed) is not even connected to the outside world."

Aykut also stressed that nothing is sold to the public, and added, "Largely due to the security measure(s) mentioned above, and also based on to the fact that the storage media are protected by biometric devices, getting access to the MD:Pro archive is, well, pretty impossible."
Avsim Hacker (Maybe) Brought Before Cops

Perhaps people who like to spend their spare time in the cockpits of imaginary F-16s should be left alone. The man in charge of a flight simulator site that was attacked claims to have identified the hacker and forwarded information to the authorities.

Avsim is one of the best-known flight sim communities in existence. It's been around for a long time, too. Unfortunately, a hacker managed to wipe about a decade's worth of modification info and forum posts from the site's servers back in May.

Now, though, Tom Allensworth, the publisher and CEO of Avsim, has told the BBC, "We . . . have incontrovertible evidence of the individual that performed the hack. We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case."

Allensworth is confident in the outcome, too, adding, "We fully expect that the criminal complaint . . . will result in the perpetrator spending some time behind bars - under UK law." (Since Avsim's located in the US, this means he's not pushing for extradition or anything of that sort.)

Neither London's Metropolitan Police Service nor the accused individual (who hasn't been publicly named) has made any comment yet.
Email Password Hackers Present Real Threat

The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.

Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."

Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.

Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.

And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.

So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.