STE WILLIAMS

Facebook to scrub itself clean of filthy malware links

Facebook has recruited Websense to scan its vast social network for links to malicious sites.

Scammers are increasingly using Facebook as a means to drive traffic towards malware and exploit portals or internet scam sites. In response, Facebook is tapping Websense for technology that will soon analyse the jump-off points to links. Cloudy technology will assign a security classification to sites, presenting users with a warning if the location is considered dangerous.

This warning page will explain why a site might be considered malicious. Users can still proceed, at their own risk, to potentially dodgy sites. The approach is similar to Google Safe Browsing warning technology, which is integrated into Firefox and Chrome.

Previously, individual users had the option to add additional security filtering apps, such as Bitdefender Safego, to their profiles as a means to scan for spam and malicious links. Facebook is now offering this type of technology by default as an extension of its previous relationship with Websense.

More details on how Websense’s technology works can be found in a blog post by the security firm here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/facebook_websense_scam_scanning/

Scotland Yard cyber-crime squad ‘saved £140m’

The Metropolitan Police’s e-crime busting squad claims to have saved £140m in its last six months of fighting cybercrime.

The figure, based on the theoretical earnings of the ne’er do wells collared by the team of cybercops, is ahead of the unit’s full year target and 30 per cent of its four-year £504m goal.

The Cabinet Office’s National Cyber Security Programme (NCSP) allocated £30 million to the fight against cybercrime earlier this year. The unit of 85 coppers is tasked with probing the most serious incidents of computer intrusion, distribution of malware, denial of service attacks and internet-enabled fraud.

In a statement, the Police Central e-Crime Unit (PCeU) talks about the business case for its task, saying it is well ahead of its target of delivering £21 in ‘harm reduction’ for every £1 invested. PCeU boasts it has completed a number of high-profile operations, including the arrest and conviction of five members of an underground carding ring (Operation Pagode), to cite just one example.

Estimating the extent of cybercrime losses – much like trying to figure out the costs of malware attacks or losses due to piracy – is a notoriously inexact science. But let’s not quibble.

Last year the PCeU lost out on a planned £1m increase in funding from the Home Office as part of a round of spending cuts. By using the language of accountancy and business, Scotland Yard is hoping to strengthen its position against future spending cuts.

Police chiefs want to use early successes of the unit to press for funding in order to expand the unit’s capabilities.

Deputy Assistant Commissioner Janet Williams, ACPO e-crime lead for law enforcement, said: “In the initial six month period the PCeU, together with its partners in industry and international law enforcement, has excelled in its efforts to meet this substantial commitment and have delivered in excess of £140 million of financial harm reduction to the UK economy. We hope to be able to better this result in the future as we expand our national capability.”

Security industry figures lobbied for years to establish a PCeU after the closure of the National Hi-Tech Crime Unit in 2006.

Paul Vlissidis, technical director of NGS Secure, a security consultancy and penetration testing firm, welcomed the recognition of the unit as a “valuable investment that would benefit from more funding”.

“This shows what can be achieved with a concerted effort dedicated to fighting cybercrime,” he said. “When people take information security seriously, solid results can be delivered. Taking down groups is a key step as it’s those structured, organised criminals who can cause really sustained damage.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/uk_cybercops_toast_success/

Microsoft updates Hotmail to deal with grey spam

Microsoft is making a series of changes to its Hotmail service aimed at cutting down the amount of old mail stuck on servers, falsely labeled spam.

Redmond reckons that only about two per cent of inbox email is actually bona fide spam, with the bulk being unwanted newsletter deals and alerts that were signed up for and are now either forgotten or no longer of interest – what Microsoft calls “grey mail”.

“What really characterizes graymail is that the same message that one person thinks is ‘spam’ could be really important to another person. It’s not black and white, hence the name,” Hotmail group program manager Dick Craddock writes in the Windows Live blog.

“Despite the drastic decrease of true spam in the inbox,” he says, “we found that most customers are still seeing newsletters, product offers, and other clutter. In fact, 75 per cent of email identified as spam by our customers actually turns out to be unwanted graymail that they receive as a result of having signed up on a legitimate website.”

Over the next few months Microsoft will roll out new features to combat this problem. First, the company will apply its anti-spam engine to newsletters and set up a separate folder in users’ inboxes especially for such content. A single-click unsubscribe function is also being added so that users can clean their own email, and the results will be fed back to other accounts to improve the service.

To clean existing mail, a Scheduled Cleanup function will delete emails older than three, 10, 30, or 60 days, and can scan through multiple emails from the same sender and just keep the most recent one. Important emails, such as bank statements, can be automatically archived as well.

Email classification has been upgraded, so that users can select their own email categories and index to suit themselves, and file-management tools have been beefed up to allow in-file cleaning and folders within folders. Important emails can also be pinned on the main inbox page to stop them from getting lost.

All these changes should clean out some users’ inboxes, and will also coincidentally free up a lot of space on Hotmail servers, saving Microsoft money. But they come at a time when Hotmail is still seen as being yesterday’s web email service. Redmond is keen to get Hotmail back on people’s radar, and further improvements have been promised.

But unless El Reg is wrong it’ll take more than this to make Hotmail as respected as Redmond would like. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/microsoft_hotmail_grey_spam/

Check your machines for malware, Linux developers told

Following a series of embarrassing intrusions that hit the servers used to maintain and distribute the Linux operating system, project elders have advised all developers to check their Linux machines for signs of compromise.

Emails sent Friday by Linux kernel lead developers Greg Kroah-Hartman and H Peter Anvin arrived as volunteers with the open-source project worked to bring LinuxFoundation.org, Linux.com, and Kernel.org back online following attacks that gained root access to the multiple servers that host the sites.

Among other things, project leaders are requiring all developers to regenerate the cryptographic keys used to upload source code to the site, and to ensure their systems are free of rootkits and other types of malware.

“The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated,” Kroah-Hartman wrote in one message. “As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusion.”

He went on to advise developers to follow seven steps to see if their systems have been targeted, including running chkrootkit, a rootkit detection application for Linux machines. A separate email sent by Anvin laid out the process for regenerating a new set of RSA keys after the old ones were compromised in the attacks.

This hygiene lesson comes as kernel.org and linuxfoundation.org came back online on Monday after an outage that lasted at least three weeks. The homepage of the related linux.com said the website remained down for maintenance and would be restored soon.

Kernel.org was shuttered following the discovery in late August that the personal machine used by Anvin and kernel.org servers known as Hera and Odin1 were infected by malware that gained root access. The trojan sat undetected for at least 17 days before it was discovered on August 28.

A week later, project leaders took linux.com and linuxfoundation.org offline after detecting those systems had also been compromised.

It’s fair to say the mass infection and subsequent clean up of Linux developers’ machines and servers don’t stand as the project’s finest hour. The platform is held up by its most ardent fans as a paragon of security that’s largely immune to the types of compromises that routinely hit systems running Microsoft’s Windows operating system. At time of writing, more than five weeks after the hacks first came to light, the SSL certificate used to authenticate https://www.kernel.org was configured incorrectly and git.kernel.org remained unavailable.

Project leaders have yet to say how they were penetrated, so it’s hard for an outsider to know whether they’ve plugged the holes that allowed them to be compromised. If they hope to regain the trust of users, they’d do well to provide the kind of detailed postmortem that followed the rooting of Apache.org last year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/linux_repository_res/

Facebook games teach teens bad habits

A Welsh online safety campaigner is warning that popular Facebook social games encourage bad habits among young users.

Charles Conway, an associate member of the UK Council for Child Internet Safety, says games like Pet Society use virtual cash to reward players interacting with strangers. He points out that in a game designed for the younger Facebook user, basing rewards on “visits” to strangers is a recipe for online “grooming” by strangers.

While Facebook’s rules demand parental permission for any member under age 13, there’s no effective way to enforce such a constraint, Conway told The Register.

“Children mature at different rates,” he explained, “and where a ‘streetwise’ 13-year-old may be able to identify a ‘weirdo’ on Facebook at a glance, another may think a potential abuser is just being friendly.”

Perhaps refreshingly, however, Conway agreed that at least in the home, parental education and supervision are likely to be the most effective defense against online predators.

However, he told The Register that game designers should also consider whether the rewards they offer in child-targeted games are right for the audience. While it’s impossible to interact on Facebook without encountering people you don’t already know, the depth of that interaction in a game environment can be constrained.

For example, game developers could ensure that “connections made [to strangers] are limited to the game environment, and do not create connections on Facebook as a whole”.

Facebook could also play its part, he said. “By choosing to allow developers to access their API and publish those games … Facebook has a responsibility to ensure that users are not exposed to danger from predators by being encouraged and rewarded to connect with strangers, simply to progress in the game environment.”

Facebook’s own troubles continue to hog headlines. While calls for privacy probes are escalating in Europe, Australia’s privacy commissioner Timothy Pilgrim has accepted the company’s assurance that it has revised its cookie use, and suspended his investigation for now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/facebook_games_dangerous_to_kids/

Thailand PM’s Twitter account breached

The Twitter account belonging to Thailand Prime Minister Yingluck Shinawatra has been suspended after someone took control of it and used it to send messages critical of her administration.

A government official said that investigators believe a Thai citizen broke into Yingluck’s email account and used it to access her Twitter account, according to The Bangkok Post.

The Sydney Morning Herald reported that the hacker ended the series of tweets by writing: “If she can’t even protect her own Twitter account, how can she protect the country? Think about it.”

A government official said that investigators believe they know who the suspect is, but declined to elaborate, except to say the individual was a Thai national. If convicted, the offender could face five years in prison and a fine of 100,000 baht, or about $3,200. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/thailand_pm_twitter_breach/

Bank of America website disrupted for 4th day in a row

Bank of America’s website continued to suffer sporadic outages on Monday, marking the fourth day that some customers have been unable to use its online services to check balances and pay bills.

“We’re sorry, but some of our pages are temporarily unavailable,” a note posted to the homepage for the biggest US bank read. “Thanks for your patience.” The advisory, and sporadic outages, have greeted many people trying to use bankofamerica.com since Friday.

Bank of America spokeswoman Tara Burke declined to discuss the underlying cause of the outages except to say it isn’t related to hacking, denial-of-service attacks, or other incidents related to security.

“The majority of our customers are able to bank online,” she said. “There’s no compromised customer information.”

Friday’s disruption came the same day that BofA said it would begin charging customers $5 per month for purchases billed to their debit card. The fee set off howls of protests and led to unsupported rumors the unavailable webpages were the result of DoS attacks intended to punish the bank for imposing the new fee.

Burke said the access problems are a result of the bank taking measures to manage traffic volume during peak use. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/bank_of_america_website_outage/

Better Business Bureau offers rogue script browser peril

Rogue scripts on the scam advice website Better Business Bureau have sparked security concerns.

The issue was brought to our attention by Kevin, a server security consultant who said he informed BBB of the apparent problem on Saturday.

“I noticed a javascript redirect on the BBB Blogs site that seems to attempt to spawn an iframe to download (now deactivated) malware,” he explained.

Kevin reckons the rogue script – captured in a screenshot posted on imageshack here – was still running on the site on Monday afternoon.

“The malware link IS live, but the malware distribution page it’s linking to seems to have gotten shutdown,” Kevin clarified.

The Better Business Bureau was set up to provide small businesses in the US with advice on avoiding scams, so it’s a particularly embarrassing place for links to malware to appear.

We exchanged messages with the Better Business Bureau on Monday afternoon and understand these messages have been passed on to the site’s technicians. We’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/bbb_rogue_scripts/

Crazy square barcodes can point your phone to MALWARE

Help, help, I’m under attag


Russian VXers have begun using obnoxious barcode-on-steroids QR codes as a launchpad for mobile malware.

A recently identified malicious Quick Response code on a Russian website links through a series of redirections to a site punting a Trojan version of the Jimm mobile ICQ client. Android users who follow the links and install the application will be infected with a nasty that sends text messages to premium-rate SMS numbers, net security firm Kaspersky warns.

Tricking users into scanning QR codes, which can encode URLs into barcode-like squares, to lure them into installing malicious applications on smartphones is a new threat, dubbed “Attaging” (Attack Tagging). Technically speaking, whether a user follows a link in a browser or follows a QR code to reach the same location is no different, apart from the fact that users might be more trusting of a non-human-readable QR code than a conventional URL.

QR codes have recently appeared in online Android application catalogues. Smartphone users can read about an application on their PC before scanning a QR code using the camera on their Android device in order to download it. The approach gets around the need to type in a booby-trapped URL on a phone’s keyboard but also creates new security risks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/qr_code_mobile_malware_risk/

Would you sue to keep your guilty ABBA habit a secret?

Music services that divulge your guiltiest music pleasures to the world may be breaking US state law. Michigan’s Video Rental Privacy Act has been cited in a new class action lawsuit against Pandora, claiming $5,000 damages per person. The lawsuit says that by making playlists and histories public and searchable by Google, privacy was violated.

The lawsuit claims that Pandora promised that playlists and other information would only be available to other users who knew a particular user’s email address, but then went back on this assurance. It also says integration with Facebook in April last year, which displayed the data to users’ ‘friends’, was also a fundamental privacy breach.

It couldn’t be more topical.

Last week Spotify made its users’ private listening data public, at the same time as making Facebook membership mandatory for new signups. The Pandora suit was filed on 20 September, a week before the great Facebook music launch. And while class action lawsuits are more common than tornadoes in Kansas, this one might have legs.

While there’s much about music that’s social, there’s much that isn’t. The mandatory publication of private experiences is going to upset two groups of people. There’s the social media enthusiasts, for one. What we display on social networks is an artifice – there’s nothing genuine or authentic about it. But this painstakingly elaborated “public face” can be undone when private info we would rather not disclose slips out. What could be more distressing to a prog rock bore than having his cheesy disco playlists published?

And then there’s the rest of us, who don’t care much for this real-time monitoring in the first place. This weird obsession with watching what everyone else is doing is the theme of James Harkin’s Cyburbia – a crap name for a good book – which describes how it leads to a very small world, in which conformism and timidity are the norm.

You can read the lawsuit here [PDF]. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/digital_music_services/