Bill would give U.S. DHS control of Net security

Homeland Security could become regulatory agency

A bill submitted in the U.S. Senate would give the U.S. Department of Homeland Security responsibility for security of the Internet and give the president emergency authority over private networks, according to TheHill.com.

The bill was introduced by members of the Senate Homeland Security and Governmental Affairs Committee. Senators Susan Collins (R-Maine), Joe Lieberman (I-Conn.) and Thomas Carper (D-Del.) made a floor statement introducing the legislation.

Lieberman said, “Our economic security, our national security, our public safety are all at risk as a result from new kinds of enemies with new kinds of names like cyber warriors, cyber spies, cyber terrorists and cyber criminals. And that risk may be as serious to Homeland security as anything we face today.”

TheHill.com wrote: “Privacy advocates are likely to raise concerns about the emergency provisions; the decision to house operational security at DHS will also likely meet with opposition. Critics point to (Gen. Keith) Alexander’s role as proof the intelligence community already has too much influence over cybersecurity.”

Alexander is the head of the National Security Agency and commander of the new U.S. Cyber Command.

Story here: “Cybersecurity legislation that would put DHS in charge of civilian cybersecurity to get hearing”

Tom Kelchner

World Cup Visa Phishers come off the bench

Without wanting to turn into this guy, it’s fair to say that World Cup scams are underway. A friend of mine contacted me in relation to an email that dropped into his mailbox – good job he did.

VISA Brazil are running a number of promotions that involve picking up “travel points” every time you use their cards with the ultimate aim of winning a trip to the World Cup. Of course, this has “phish target” written all over it – enough that the official site pops a warning message that I can share with you thanks to the wonders of Google Translate:

“Visa will never ask the full number of your card and bank details or send direct links in mail and promotional campaigns.”

Good advice. Anyway, this is the site his email was directing him to:

[Image: fake phishing site]

The site is located at visaevocenacopa2010(dot)110mb(dot)com, and as you can see it asks for various bits and pieces of personal information along with the all-important card details. Seeing a fake “You have been registered” message appear onscreen isn’t going to be much consolation when the phisher is going into extra time with your card details, so please take care.

Christopher Boyd

Malicious PDFs cause trouble at the Ministry

It seems someone compromised the ministryofrum(dot)com recently, replacing an understanding and appreciation of rum with malicious PDF files instead.

The site is fixed now, but compare the clean site results here with the results served up while the page wasn’t looking too healthy.

The PDFs were coming from korvet(dot)in, and you can see some of the VirusTotal results here (6/40) and here (24/41). Those are Alureon and Sasfis variants, typically linked to scareware installs, banking trojans and keyloggers – not really what you want ending up on your computer. It seems that the files loaded up are a little bit random, so detection rates could go up or down depending on what happens to be served at the time (and I’m certainly not talking about rum).

Thanks to Todd Towles for the heads up!

Christopher Boyd

Oz AG wants ISPs to retain browsing histories

The Australian Attorney-General’s Department is working on a controversial data retention requirement that would have Internet service providers in the country hold on to users’ browsing histories for years for law enforcement investigations.

ZDNet.com.au is reporting that the AG’s department has been in discussions with industry representatives who are generally not in favor of it.

The AG’s department said in a statement: “The Attorney-General’s Department has been looking at the European Directive on Data Retention, to consider whether such a regime is appropriate within Australia’s law enforcement and security context. It has consulted broadly with the telecommunications industry.”

ZDNet wrote: “Currently, companies that provide customers with a connection to the internet don’t retain or log subscriber’s private web browsing history unless they are given an interception warrant by law enforcement, usually approved by a judge. It is only then that companies can legally begin tapping a customer’s internet connection.”

Colin Jacobs, chair of Electronic Frontiers Australia, said, “At some point data retention laws can be reasonable, but highly-personal information such as browsing history is a step too far. You can’t treat everybody like a criminal. That would be like tapping people’s phones before they are suspected of doing any crime.”

Story here: “Govt wants ISPs to record browsing history”

Tom Kelchner

Finland considers legalizing unauthorized Wi-Fi use

The Finnish Ministry of Justice, citing the fact that there doesn’t seem to be much harm done by the unauthorized use of unsecured Wi-Fi networks, is investigating the possibility of decriminalizing it.

The ministry pointed to the difficulty in monitoring networks and the ease with which someone can use an unprotected network undetected. They also pointed out that users could find it difficult to know when an open network is public or private since there are many networks available in public places in the country.

Google translation of Finnish article on yle.fi here: “Extracts from the wireless network becoming legitimate”

This probably isn’t a bad idea. The BAD idea is carelessly USING public Wi-Fi networks where malicious operators could easily be sniffing traffic. On those networks, road warriors should be using VPN connections to communicate with company networks, and nobody should be logging on to their bank web account or doing credit card transactions.

Tom Kelchner

FBI looks into AT&T hack that revealed iPad 3G owner info

The FBI has said that it will investigate the hack of AT&T servers that compromised account details of 114,000 iPad 3G users.

Intruders extracted the data by entering batches of iPad ICC-IDs by way of specially formatted HTTP requests. AT&T fixed the exposure Tuesday, according to news accounts.
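What that request pattern looks like from the defender's side, as an added example that is not part of the original post: it flags any client that asks for many different ICC-IDs within a short window. The log layout, the `/lookup` path, the `iccid` parameter name and the thresholds are hypothetical, and every log line is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Hypothetical log layout: <client-ip> [<ISO time>] "GET <path>?iccid=<id>" <status>
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+)" \d{3}$')
ID_PARAM = "iccid"            # hypothetical query parameter name
ID_PREFIX = "89000000000000"  # made-up identifier prefix for the sample data


def build_sample_log():
    """Constructed log lines (documentation IP ranges, made-up identifiers)."""
    start = datetime(2010, 6, 8, 10, 0, 0)
    lines = []
    # One client walking through 30 different identifiers, one per second.
    for i in range(30):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f'203.0.113.7 [{ts}] "GET /lookup?iccid={ID_PREFIX}{i:06d}" 200')
    # An ordinary device re-checking its own identifier a few times.
    for i in range(3):
        ts = (start + timedelta(minutes=5 * i)).isoformat()
        lines.append(f'198.51.100.20 [{ts}] "GET /lookup?iccid={ID_PREFIX}900001" 200')
    # A shared gateway: 12 different identifiers, but spread over 12 hours.
    for i in range(12):
        ts = (start + timedelta(hours=i)).isoformat()
        lines.append(f'192.0.2.55 [{ts}] "GET /lookup?iccid={ID_PREFIX}{800000 + i}" 200')
    lines.append("malformed line that the parser must skip")
    return lines


def parse_line(line):
    """Return (client_ip, timestamp, identifier), or None if the line does not fit."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    values = parse_qs(urlsplit(match["target"]).query).get(ID_PARAM)
    if not values:
        return None
    return match["ip"], datetime.fromisoformat(match["ts"]), values[0]


def find_enumerators(lines, window=timedelta(minutes=1), threshold=10):
    """Map each flagged client to the peak number of distinct identifiers
    it requested inside any sliding window of the given length."""
    per_client = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record:
            ip, ts, ident = record
            per_client[ip].append((ts, ident))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        in_window = Counter()  # identifier -> requests currently inside the window
        oldest = 0
        peak = 0
        for ts, ident in events:
            in_window[ident] += 1
            # Drop requests that have aged out of the window ending at ts.
            while events[oldest][0] < ts - window:
                old_ident = events[oldest][1]
                in_window[old_ident] -= 1
                if in_window[old_ident] == 0:
                    del in_window[old_ident]
                oldest += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for client, distinct in find_enumerators(build_sample_log()).items():
        print(f"{client}: {distinct} distinct identifiers within one minute")
```

Counting distinct identifiers rather than raw requests keeps a device that polls its own ICC-ID repeatedly from being flagged.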

FBI spokesman Jason Pack said, “The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat.”

The hackers obtained the addresses of prominent federal government, military, media and corporate officials.

Story here: “FBI investigating AT&T security breach that revealed iPad owner emails”

According to the story yesterday on the Gawker blog:

“The subscriber data was obtained by a group calling itself Goatse Security. Though the group is steeped in off-the-wall, 4chan-style internet culture—its name is a reference to a famous gross-out Web picture—it has previously highlighted real security vulnerabilities in the Firefox and Safari Web browsers, and attracted media attention for finding what it said were flaws in Amazon’s community ratings system.

“Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet.”

Hmmm, let’s see: a group hacks a server with email details of early adopters of the hottest new product on the planet, chortles about the military and White House accounts it found and exposes them. And maybe they were expecting the FBI NOT to jump on this?

Wow! That’s world class stupid! They can’t even claim they were looking for information about UFOs.

Tom Kelchner

Survey Assassin assassinates itself

Not so long ago, script kiddies would happily give away their leet haxing tools to all and sundry – the only cost was using up some bandwidth to grab them, though of course sometimes their programs came with something a little extra and the cost would rise dramatically for the unfortunate “victim”.

These days it’s a growing trend to see people attempting to make money from their downloads in a very specific way that infuriates both researcher and script kiddie alike. Here’s a typical YouTube video advertising some sort of hack-related shenanigan.

[Image: download my stuff please]

Notice it has two different download links, because they want to make as much money as possible. If you visit the links, you’ll see lots of pages that look like this:

[Image: it's survey time]

“Regular download” means you’ll have to fill in a survey to access the download link:

[Image: oh dear]

Every time you fill one in, the uploader makes some money. More often than not, files uploaded to pay-to-access sites are worthless, or don’t perform as advertised. This is bad for security researchers, who don’t particularly want to generate income for the uploader to get their hands on the file. It’s also bad for random web users who have no real way of knowing what they’re going to end up with before signing their life away to adverts, spam and marketing databases.

With that in mind, I was rather amused to see someone advertising a program designed to get around pay-to-download services such as Sharecash:

[Image: download bypass program]

Download the program, run it and you’ll be working your way around all of those surveys in no time. It’s a hacking / cracking tool buffet and everyone is invited!

It sounds good. However, clicking the link on the video takes you to the homepage (which has been around since 2009):

[Image: downloading tool website]

What do you think happens when you hit the Download button?

[Image: oh the irony, or something]

You couldn’t make it up.

Christopher Boyd

Big hacks o’the day

Number one: “WordPress-based, GoDaddy-hosted websites hacked”

Sucuri Security revealed that GoDaddy servers were hacked yesterday afternoon and thousands of WordPress blogs and other PHP-based sites were loaded with a malicious script aimed at infecting visitors’ machines with rogue security products.

Help here:

“Simple cleanup solution for latest WordPress hack”

Number two: “Massive Malware Hits Media Web Sites”

Researchers have estimated that intruders used SQL injection attacks to compromise about 7,000 Web pages. The Jerusalem Post and Wall Street Journal sites were among them.

Number three: “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”

Gawker reported that they were given data on 114,000 iPad 3G user accounts by intruders who hacked an AT&T server. The accounts included those of CEOs, top political figures and military personnel.

Gawker said “…it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed.”

They also said AT&T fixed the security vulnerability.

Tom Kelchner

Update:

Number four: “Turkish Hacker Hijacks .CO.IL MSN and Hotmail Domains”

Softpedia is reporting that hacktivists hacked the MSN and Hotmail sites of Israel, msn.co.il and hotmail.co.il (both belong to Microsoft), and posted a pro-Palestinian message and photograph.

Lucian Constantin, Softpedia Security News Editor, speculated that the intruders could have used stolen credentials to log into the control panel or social-engineered an employee at the domain registrar.

Facebook, PTA partner to teach kids online security

Facebook and the PTA have announced a joint long-term project aimed at teaching kids Internet safety. The partnership was announced at the Parent Teacher Association’s national convention in Memphis, Tenn., today.

Topics included are: cyber-bullying, Internet safety and security and “citizenship online.”

According to the joint news release, “The partnership is founded on the belief that awareness is essential to supporting safe and responsible Internet use. Thus, in addition to creating comprehensive and engaging resources, PTA and Facebook are committing to aggressively promoting Internet safety information to their respective audiences. National PTA will use its Website (www.pta.org), and actively reach out to the 24,000 local PTAs across the country with a goal of reaching every American public school. Facebook will raise awareness of the resources among the hundreds of millions of parents, teachers and children using its service through an in-kind Facebook commitment equivalent to $1 million and promotion on other parts of the site, including the safety center.”

News release here.

Thanks Wendy

Tom Kelchner

U.S. FTC: be alert for scams with Gulf oil spill themes

The U.S. Federal Trade Commission has issued an alert warning consumers and businesses to watch for scammers using the BP oil spill in the Gulf of Mexico as a theme for their con schemes.

“Scammers will likely use e-mails, websites, door-to-door collections, flyers, mailings and telephone calls to solicit money by claiming they’re raising money for environmental causes or offering fraudulent services related to the oil spill. In reality, many could be trying to get inside consumers’ homes or get access to their personal information. The consumer alert advises consumers to check with the Better Business Bureau to get information on businesses and charities, and offers tips on how to avoid these scams,” they said.

Alert here: “FTC Urges Consumers to Watch Out for Scams Related to Gulf Oil Spill”

Tom Kelchner

Update:

Our good friends at McAfee AV have blogged about some dodgy affiliate marketing spam they’ve seen with oil spill themes.

Sam Masiello wrote:

“We’ve seen emails offering legal advice for those who have been affected by the spill, using subject lines such as:

File your lost income claim against BP Oil
Gulf Coast Oil Spill Information
Gulf coast oil spill legal information
Have you been effected by the oil spill?
Oil Spill Injury Representation
Oil Spill Lawsuit Compensation
Oil Spill Lawsuit Information for
Oil Spill Lawsuit Information
Will the oil spill hurt your business?

“These emails typically contain one or two short lines of text and a link to information on filing a lost-income claim against those responsible. Once the link is clicked, the fog of redirection and obscurity begins. One particular example contains a link to a URL on jellydrum.com, which redirects to lynxtrack.com, then to chilaytrk.com, before finally hopping to http://www.consumerinjuryalert.com/oil/index.php.”

He cautioned:

“As we frequently recommend, be careful whom you give your personal information to. You have no control over your data once you give it away, so provide it only to vendors that you feel you can trust. Never provide sensitive information that you are not comfortable giving out, and if you feel that your email address may be used for unwanted marketing, use a throw-away address that you check only as needed or not at all. You do not have ultimate control over how your data is used or to whom it is given, but you do have control over how personal the information is that you provide.”

McAfee blog piece here: Peering Into the Affiliate Marketing Window

Insidious social engineering email claims to be from YouTube

Costin Raiu at Kaspersky Labs blogged about this malicious little gimmick and I thought it was insidious enough that it should be publicized further.

Raiu uploaded his first HD movie to YouTube and immediately got an email from YouTube that said “Congratulations on your first YouTube upload!” and gave some hints and tips.

Several hours later he got another email that said: “Hello, Have you tryed (sic) YouTube Toolbar?” The misspelling set off alarm bells in his head; he investigated and found that the message included a link that would download a variant of Backdoor.IRC.Zapchast.

Raiu blog post: “YouTube Toolbars”

Sunbelt description of Backdoor.IRC.Zapchast here.

It’s just one more instance that supports the security rule: “don’t click on links in email from strangers and think twice about clicking on links from those you know.”

Tom Kelchner

Art gallery kit lets you ponder life, death and malware

“Hi, and welcome to my online pictures portfolio. Please enjoy your stay.”

Those are the words that leap from your speakers (along with some tinkly relaxing music) as you open up what appears to be a rather nice looking online art gallery – a gallery pack that has been traded on hacking forums over the last couple of weeks as a “great way to infect people”. While I’m not entirely sure if the people distributing it have gone to all the trouble of creating it from scratch, there’s definitely a scam in the offing.

[Image: fake gallery]

I’m not exaggerating how nice it is, either – this Flash gallery allows you to slide the images on a track at the bottom, and they’re also divided up into numerous galleries. Classical paintings, fantasy landscapes and pictures of blue floaty lights all lie in wait to stimulate your mind. There’s also this guy:

[Image: fake gallery screenshot]

Unfortunately, Clint doesn’t look too happy and that’s never a good sign. The wheeze here is that to view additional imagery, you’ll need to say “Yes” to this Java prompt:

[Image: Java prompt]

You’d think people would avoid dubious Java prompts, but oh well. It’s worth noting that because the gallery files are being used by lots of random people, there is no way to know what kind of infection is lurking when the Java prompt appears – it could be absolutely anything at all. However, below is what happened when we visited one of the live sites.

Should the victim hit the Run button, they’ll end up with a file called Winconfig.vbs in their Temp folder. This is what you’ll see if you examine the code:

[Image: inside the code]

“Update.exe” arrives on the system to little fanfare, again in the Temp folder, and carries all the characteristics of a password-stealing Trojan.

[Image: malicious files ahoy]

Currently there are 19/41 detections listed in VirusTotal.com (although it’s called svchost.exe on there), and we detect this as Trojan.Win32.Generic.pak!cobra.

I’m a big fan of art myself, but I’m not so sure I’d want my computer to be turned into a performance piece…

Christopher Boyd

Twitter has the vapors

It wasn’t you, it was them

Twitter’s status page reported that the micro-blogging service had latency and error problems today and was down for a number of hours:

“Update 12:29 PM PDT / 19:29 UTC: We’ve identified the cause of today’s incident as an error with networking equipment. This networking error prevented us from serving at full capacity.”

Tom Kelchner

How does video gaming affect mental health?

“Violent video games are like peanut butter”

For tens of millions of people worldwide, video gaming – on consoles, PCs, phones or online – is a big piece of life. For those not close to the gaming scene it might be hard to understand how captivating that world is for the enthusiasts. Everybody in every region of the planet with electricity appears to be asking the question: “is it really good for you to spend so many hours playing those games?” Researchers and commentators have been taking a hard look at the good and bad mental health aspects of gaming.

Violent Video Games May Increase Aggression in Some But Not Others, Says New Research

The American Psychological Association this month published a special issue of its Review of General Psychology devoted to the effects of video games. Some of the articles:

(Video games as learning tools)

— “Video games serve a wide range of emotional, social and intellectual needs, according to a survey of 1,254 seventh and eighth graders. The study’s author, Cheryl Olson, PhD, also offers tips to parents on how to minimize potential harm from video games (i.e., supervised play, asking kids why they play certain games, playing video games with their children).”

— “Commercial video games have been shown to help engage and treat patients, especially children, in healthcare settings, according to a research review by Pamela Kato, PhD. For example, some specially tailored video games can help patients with pain management, diabetes treatment and prevention of asthma attacks.”

— “Video games in mental health care settings may help young patients become more cooperative and enthusiastic about psychotherapy. T. Atilla Ceranoglu, M.D., found in his research review that video games can complement the psychological assessment of youth by evaluating cognitive skills and help clarify conflicts during the therapy process.”

(Games and violence)

— Christopher J. Ferguson, PhD, of Texas A&M International University and guest editor of the issue, found “Recent research has shown that as video games have become more popular, children in the United States and Europe are having fewer behavior problems, are less violent and score better on standardized tests. Violent video games have not created the generation of problem youth so often feared.”

He said, “violent video games are like peanut butter. They are harmless for the vast majority of kids but are harmful to a small minority with pre-existing personality or mental health problems.”

— Patrick Markey, PhD, found that a combination of personality traits can help predict which young people will be more adversely affected by violent video games.

He used the most popular psychological model of personality traits – the Five-Factor Model – to examine the effects. The five traits in the model are: neuroticism, extraversion, openness to experience, agreeableness and conscientiousness.

“Analysis of the model showed a ‘perfect storm’ of traits for children who are most likely to become hostile after playing violent video games, he said. Those traits are: high neuroticism (e.g., easily upset, angry, depressed, emotional, etc.), low agreeableness (e.g., little concern for others, indifferent to others’ feelings, cold, etc.) and low conscientiousness (e.g., break rules, don’t keep promises, act without thinking, etc.)”

Chinese Boot Camp Prison Break

On the GamePron.com blog, someone writing under the name Jessica Citizen relates a story in which 14 “patients” (ages 15-22) of the Huai’an Internet Addiction Treatment Centre in east China’s Jiangsu province tied up their supervisor and escaped from the facility. They tried to take a taxi to a nearby town, but since they had no money and were dressed in identical uniforms, the taxi driver turned them in to police.

The story quotes the mother of the ringleader as saying that she had paid 18,000 yuan ($2,635 US) for six months of treatment for her son.

Chang Ping on how “Internet addiction disorder” is a joke

Not everyone in China agrees that treating “Internet Addiction” is sound medicine.

The Danwei.org site ran a story last year about Chang Ping, an editorial writer who has been critical of China’s use of extreme methods such as electro-shock therapy (discontinued last year) to cure young people of “Internet addiction.”

In an article entitled “Where has the debate on Internet addiction gone?” he wrote:

“The Ministry of Health has stopped using electro-shock therapy to cure ‘Internet addiction’ and the many young people who adore using the Internet will no longer be threatened by ‘computers,’ and they are ecstatic. But, perhaps they didn’t look at the notice too closely: it stated that the safety concerns of electro-shock therapy cannot be determined and its effectiveness cannot be defined. What this really means is that they are announcing a different standard for treating Internet addiction, and the officials will still decide that ‘Internet addiction’ is a kind of disease.

“Like most medical terms, ‘Internet addiction disorder’ was imported. The difference is, when it started it was a joke. In 1995, a mental illness doctor from the US, Ivan Goldberg, mocked the Diagnostic and Statistical Manual of Mental Disorders and its standard description of gambling addiction, and created Internet Addiction Disorder, IAD. He didn’t predict that this would be used seriously when his colleagues liked the term and it quickly proliferated in the media.”

Tom Kelchner

Islamic themed version of Facebook is launched

The New York Daily News is reporting that Omer Zaheer Meertold, a 25-year-old Pakistani man, has launched a version of Facebook for Islamic people. He told the Hindustan Times that he was motivated by the Facebook “Everybody Draw Mohammed Day” controversy that resulted in Facebook being banned in Pakistan briefly.

Meertold said: “People from all faiths are welcome to come and interact with one another and understand Muslims.” The site is “to provide a platform to decent people of different faiths to come in harmony.”

Observers, however, have found anti-western and anti-Israel material on Millatfacebook.

NY Daily News story here.

The two stories we’re going to be seeing here shortly will be:

— “Facebook sues Islamic rival over name theft”
— “Hacktivists from Facebook and Millatfacebook duke it out”

It would be nice if “…sweet people from other religions” on both social media outlets prevail.

Tom Kelchner

Twitter has 190 million visitors per month

The chief operating officer of Twitter, Dick Costolo, has announced that Twitter has 190 million visitors per month and the service pumps out 65 million tweets per day. The 190 million figure doesn’t represent registered users, since many visitors only get on the site to read tweets that are posted.

ComScore, however, estimated 83.6 million unique visitors to Twitter.com in April, according to TechCrunch.

Story here.

Tom Kelchner

Microsoft Patch Tuesday

Eight bulletins:

MS10-032 (Microsoft Windows)
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Important — Elevation of Privilege

MS10-033 (Microsoft Windows)
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
Critical — Remote Code Execution

MS10-034 (Microsoft Windows)
Cumulative Security Update of ActiveX Kill Bits (980195)
Critical — Remote Code Execution

MS10-035 (Microsoft Windows, Internet Explorer)
Cumulative Security Update for Internet Explorer (982381)
Critical — Remote Code Execution

MS10-036 (Microsoft Office)
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
Important — Remote Code Execution

MS10-037 (Microsoft Windows)
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
Important — Elevation of Privilege

MS10-038 (Microsoft Office)
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
Important — Remote Code Execution

MS10-039 (Microsoft Office, Microsoft Server Software)
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
Important — Elevation of Privilege

MS10-040 (Microsoft Windows)
Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
Important — Remote Code Execution

MS10-041 (Microsoft Windows, Microsoft .NET Framework)
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Important – Tampering

More details here: Microsoft Security Bulletin Summary for June 2010

Tom Kelchner

Loss from video game piracy: $41.5 billion in five years

The Computer Entertainment Suppliers Association, a Japanese trade group, has estimated that piracy of video games for consoles such as Nintendo DS and PSP cost the gaming industry $41.5 billion between 2004 and 2009.

The numbers came from a research study done with the Tokyo University Baba Lab, which tabulated downloads of the top 20 Japanese games from 114 piracy sites.

The trade group and the Baba Lab said peer-to-peer sharing could make the total much higher.

The U.S. and China host 60 percent of the piracy sites, they said. The largest number of Internet users accessing the piracy sites was from the U.S., while Japan had the second highest and China the third.

Story here: “CESA: Portable Piracy Cost Game Industry $41.5 Billion”

Tom Kelchner