STE WILLIAMS

Microsoft: Pirates at high risk of malware infection

Web-based attacks are on the rise, but according to Microsoft security researchers, the risks involved with casual browsing are nothing compared to the dangers of downloading and sharing illicit software, videos, music, and other media.

In the latest edition of the Microsoft Security Intelligence Report, published on Monday, Redmond’s Trustworthy Computing Group warns of a growing trend of malware infection via “unsecure supply chains,” which the report defines as “the websites, protocols, and other channels by which software and media are informally distributed.”

Examples of these so-called supply chains include underground websites, peer to peer networks, bootleg discs, and unreliable software archives – in short, anywhere media might be found that’s off the beaten track.

Sometimes the victims of these malware attacks are wholly innocent, such as when a user attempts to download a free software package but is duped into installing malware instead. For example, in the first half of 2012, Microsoft’s researchers spotted 35 different types of malware disguised as “install_adobeflash.exe.”

Far more often, however, the researchers found that malware had likely come bundled with illegal copies of commercial software or media that had been downloaded by users looking for a free lunch.

“Preying on the desire to ‘get a good deal’ is a form of social engineering that has been around for a long time, but it’s proving to be a perennially popular method for malware distributors,” writes Joe Blackbird of Microsoft Malware Protection Center, adding that people hoping to download media for free or at reduced cost are putting their PCs at risk.

Naturally, Microsoft has a vested interest in making such claims. Between Windows and Office alone, Microsoft products are among the most frequently pirated software in the world. But Redmond’s latest Security Intelligence Report attempts to back up its assertions with real-world research.

Who’s been naughty, then?

To get a sense of how widespread malware infection is among illicit downloaders, Microsoft’s security team studied data reported by PCs running Microsoft antimalware software, looking for six “indicator families” of malware – that is, certain types of malicious or unwanted software that are closely correlated with illegal downloads.

One such indicator family is Win32/Keygen, a generic name for a category of software designed to generate license key codes for various commercial software packages, such as Microsoft Office, Adobe Photoshop, and so on.

Technically, Win32/Keygen is classified as “potentially unwanted software,” rather than malware. Software in this category does not necessarily carry any kind of harmful payload (although it can). But key generators are highly correlated with illicit software trading – naturally, since legitimate software purchasers don’t need them – making them good markers for studying the threats associated with software piracy.

The other malware families the researchers tracked follow a similar theme. Some are designed to bypass Microsoft’s Windows Activation process, while others try to patch trial copies of software to unlock their full features. One family, Win32/Pameseg, is a scam that tricks users into paying to install illicit software. As with Win32/Keygen, the presence of any of these families is good evidence that someone has been up to some funny business.

In their study, the first thing Microsoft’s researchers noticed was that these indicator families were widespread and commonplace. Of all the PCs that reported malware detections in the first half of 2012, around 17 per cent detected at least one of the indicator families. Win32/Keygen, in particular, was the most frequently detected potential threat across every version of Windows studied.

More crucially, of those PCs that detected one or more indicator families, more than 76 per cent also detected some other form of malware threat. That’s a common pattern; users who become infected with one form of malware often pick up others. But PCs that detected one of the indicator families were actually 10 per cent more likely to detect multiple infections than PCs that didn’t detect an indicator family.

Of course, correlation is not causation. Nobody is saying the indicator families were directly responsible for downloading other malware (although it’s possible). But the data does suggest that people who are involved in illicit file trading are at high risk for malware infection.

It’s a scary underworld out there

Microsoft’s report goes on to explain that illegal software isn’t the only risk vector. A category of malware called ASX/Wimad can disguise itself as a number of popular media file formats – including MP3, AVI, and WMV, among others – and exploit a Windows Media Player bug to download a malware payload. While this type of malware wasn’t as prevalent as Win32/Keygen in Microsoft’s research, it was still in the Top Ten threats detected on most versions of Windows.

Furthermore, Microsoft’s Blackbird says, users who want something for nothing may put themselves at risk simply by the act of searching for illegal media. Sites that purport to offer free downloads often hide exploits that can install malware on users’ PCs without their knowledge, he said.

For example, in Microsoft’s research, PCs that detected Win32/Keygen were twice as likely to also encounter “Blacole,” a comprehensive web-based exploit suite that can install malware by attacking a variety of different browser and plugin vulnerabilities.
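The three figures the report leans on (share of PCs with an indicator family, share of those that also carry other malware, and how much more often one family turns up alongside an indicator family than without it, as in the Keygen/Blacole comparison) are simple co-detection statistics over per-PC detection records. The script below is an added example, not code from Microsoft or the report: it computes those statistics from a small constructed set of detection records, and the indicator set is an assumption (the page names only Win32/Keygen and Win32/Pameseg of the six families).

```python
"""Co-detection statistics over per-PC antimalware detection records.

Added example: the records below are constructed, and the indicator set is
an assumption (the page names only two of the six indicator families).
"""
from __future__ import annotations

INDICATOR_FAMILIES = frozenset({"Win32/Keygen", "Win32/Pameseg"})

# Constructed sample: one record per PC that reported at least one detection.
SAMPLE_DETECTIONS: dict[str, frozenset[str]] = {
    "pc01": frozenset({"Win32/Keygen", "Blacole"}),
    "pc02": frozenset({"Win32/Keygen", "ASX/Wimad"}),
    "pc03": frozenset({"Win32/Keygen"}),
    "pc04": frozenset({"Win32/Pameseg", "Blacole", "ASX/Wimad"}),
    "pc05": frozenset({"Blacole"}),
    "pc06": frozenset({"ASX/Wimad"}),
    "pc07": frozenset({"ASX/Wimad"}),
    "pc08": frozenset({"Blacole", "ASX/Wimad"}),
    "pc09": frozenset({"ASX/Wimad"}),
    "pc10": frozenset({"ASX/Wimad"}),
}


def with_indicator(detections, indicators=INDICATOR_FAMILIES) -> set[str]:
    """PCs whose detections include at least one indicator family."""
    return {pc for pc, families in detections.items() if families & indicators}


def indicator_share(detections, indicators=INDICATOR_FAMILIES) -> float:
    """Fraction of reporting PCs that detected an indicator family."""
    if not detections:
        return 0.0
    return len(with_indicator(detections, indicators)) / len(detections)


def other_malware_rate(detections, indicators=INDICATOR_FAMILIES) -> float | None:
    """Among indicator PCs, the fraction that also detected a non-indicator family."""
    flagged = with_indicator(detections, indicators)
    if not flagged:
        return None  # no indicator PCs: the rate is undefined, not zero
    hits = sum(1 for pc in flagged if detections[pc] - indicators)
    return hits / len(flagged)


def multi_detection_rates(detections, indicators=INDICATOR_FAMILIES):
    """Fraction of PCs with two or more families: (indicator PCs, all other PCs)."""
    flagged = with_indicator(detections, indicators)
    rates = []
    for group in (flagged, set(detections) - flagged):
        if not group:
            rates.append(None)
        else:
            rates.append(sum(1 for pc in group if len(detections[pc]) >= 2) / len(group))
    return tuple(rates)


def relative_risk(detections, target, indicators=INDICATOR_FAMILIES) -> float | None:
    """P(target | indicator family) / P(target | no indicator family).

    Returns None when either group is empty or the baseline rate is zero,
    so a tiny sample cannot produce a misleading ratio.
    """
    flagged = with_indicator(detections, indicators)
    rest = set(detections) - flagged
    if not flagged or not rest:
        return None
    p_flagged = sum(1 for pc in flagged if target in detections[pc]) / len(flagged)
    p_rest = sum(1 for pc in rest if target in detections[pc]) / len(rest)
    if p_rest == 0:
        return None
    return p_flagged / p_rest


if __name__ == "__main__":
    d = SAMPLE_DETECTIONS
    print(f"PCs with an indicator family: {indicator_share(d):.0%}")
    print(f"...of which also carry other malware: {other_malware_rate(d):.0%}")
    ind, rest = multi_detection_rates(d)
    print(f"multiple detections: indicator PCs {ind:.0%}, other PCs {rest:.0%}")
    print(f"relative risk of Blacole given an indicator: {relative_risk(d, 'Blacole'):.2f}")
```

On the constructed sample this prints 40 per cent, 75 per cent, 75 per cent versus 17 per cent, and a Blacole relative risk of 1.5; the real report's numbers come from far larger telemetry, and, as the article says, a relative risk above one is a correlation, not evidence that the indicator family fetched the other malware.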

According to Redmond’s report, avoiding all of these malware threats is largely a matter of following the usual advice. Users should have antimalware installed and their definition files should be up to date. They should also make sure that they have the latest security patches installed, both for their OS and for all of their applications.

But according to Microsoft’s security team, it’s equally important that users don’t go out of their way to find malware threats by looking for illegal downloads. In fact, they should avoid digging around the wrong corners of the web altogether.

“In other words,” Blackbird writes, “it’s not just downloading license key generators, cracked software or free media files that expose users to malware; the act of visiting web pages of unknown origin, claiming to provide this type of free software download, is risky activity.”  ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/10/ms_security_intel_report_v13/

Campaigners roll out political-correctness Voight-Kampff CAPTCHAs

Politically correct security experts have come up with a Voight-Kampff version of CAPTCHAs, the popular but sometimes irritating challenges designed to make sure that a human and not a bot is behind a request to sign-up for an online service or post a comment on an online forum.

The Civil Rights Defenders CAPTCHA asks respondents how they feel about gay people being beaten with sticks instead of simply asking punters to decipher the visually distorted letters in an image. Another challenge invites respondents to type in one of three options that best expresses their opinion about a proposed ban on “homosexual propaganda” in Russia.

Disappointingly respondents are not asked to examine their feelings about turning a tortoise on its shell in the middle of a desert, as depicted in a test using the Voight-Kampff machine in seminal Sci-Fi flick Blade Runner. The main similarity between the PC CAPTCHA systems and the polygraph-like machine as imagined by Philip K. Dick is the use of emotionally provocative questions. Both tests bill themselves as a test for human empathy.

The Swedish group behind the technology said that its CAPTCHA system “takes a stand for civil rights issues across the globe”.

The Civil Rights CAPTCHA is as safe as traditional versions, but also informs users about human rights violations that occur daily around the world. The Civil Rights CAPTCHA also aims to be more user friendly than some of the impossible-to-read versions available today.

(Politically) incorrect responses mean that a user needs to wait five seconds before being prompted with a fresh challenge. Picking the correct one of the three multiple-choice options lets punters gain access to an online service that relies on the technology, a Civil Rights Defenders group affiliate. The whole set-up means members of the Westboro Baptist Church – for example – are unlikely to want to access content their views are out of step with in the first place. For right-on sites that make use of the technology it can act as a filter, according to the Civil Rights Defenders.

The CAPTCHA was launched during Belgrade Pride, a week of festivities that culminated on 6 October. More on the technology can be found here.

The main issue with the technology, at least for the moment, is the challenge relies on a small set of questions, meaning it might not be especially hard for robots to defeat it.

“If I have any issue with the Civil Rights Defenders’ CAPTCHA system it would be that at the moment there seems to be a very limited selection of questions – and all the ones I saw required a negative response,” writes Graham Cluley, security consultant at Sophos.

“A wider gallimaufry of questions for web users to ponder – both negative and positive – would probably be a more effective challenge for automated bots.”

The irony of applying politically correct technology to challenge-response systems is, as Cluley notes, that CAPTCHAs are frequently defeated by spammers and other low-lives by outsourcing the cracking of the technology to online sweatshops in India and elsewhere. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/pc_captchas/

‘Small’ upheaval at McAfee, not many fired

Intel-owned security firm McAfee is planning to lay off some of its 7,000-strong global workforce, a company spokesman in the US has said.

The No 2 maker of antivirus software would not give any further details about the planned redundancies, only admitting that a “small percentage” of staff would be axed.

The US spokesman confirmed the job losses after a Reuters report suggested staff would be let go. A McAfee spokeswoman in the UK told The Register: “We have no further comment to add.”

With interest in traditional personal computers waning worldwide, software firms that offer desktop protection against malware are suffering. Rival Symantec is already in the middle of one of those “strategic reviews”, kicked off by shiny new chief Steve Bennett, who took the reins in July after the board ousted CEO Enrique Salem.

Intel agreed to snap up McAfee in August 2010 for $7.7bn, the biggest purchase in Chipzilla’s history.

The processor maker, due to report quarterly earnings on 16 October, warned last month that revenue would be less than it previously predicted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/mcafee_layoffs/

Natwest’s Get Cash app pulled, but NOTHING to do with frauds

Natwest has pulled a feature of its banking app that let users get cash without a bank card. The removal of “Get Cash” from the app comes two days after reports that a fraudster used the feature to “get cash” – from another person’s account.

The BBC reported that a Natwest customer had been diddled out of £900 through a thief abusing the cardless cash helpline. The Observer had a tale from a guy who lost £1500 the same way. One victim hadn’t even signed up for mobile banking, though both did bank online.

Natwest says that the removal of the mobile feature days after these stories is a pure coincidence and down to planned maintenance.

Natwest get cash feature in mobile banking app, credit screengrab iTunes

Get cash: though preferably your own, not other people’s

The Get Cash feature was introduced to Natwest’s mobile banking app in June and is intended to help people get cash from their account in emergencies. By phoning a number accessible through the mobile app, and answering some security questions, customers get a six-digit PIN delivered to the app.

Entering the PIN into an ATM belonging to Natwest, RBS or Tesco lets customers take out amounts of cash between £10 and £100 without a card. In the BBC story, the thief did this at least nine times over three days to take out the £900 he filched.

Natwest has said that an updated version of the service would be out next week at the earliest, and confirmed that this would have new security features, though stressed this was all routine security work:

The updates we’re making are with regards to how we have seen customers using the app. Some of those will be security enhancements.

We believe this could include a lower limit on the amount that can be withdrawn through Get Cash.

According to a Natwest spokesperson, it was likely that the fraud victim interviewed on the BBC’s Moneybox programme had given out his details to phishers, which is how his account got hijacked.

Natwest would only say this on record:

The GetCash feature of the RBS and NatWest mobile app is temporarily unavailable to customers as a result of a planned update.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/natwest_get_cash_removed/

Huawei says US probe had ‘predetermined outcome’

Huawei has hit back at the US Congress’ House Intelligence Committee report labelling it a business US companies should avoid if they value their privacy and security.

In a canned statement, the company says “… despite our best effort, the Committee appears to have been committed to a predetermined outcome.”

The company says those best efforts involved a significant kimono-opening effort that saw:

“… our top management team carried out multiple rounds of face-to-face communication with the Committee members in Washington D.C., Hong Kong, and Shenzhen; we opened our R&D area, training center, and manufacturing center to the Committee and offered a wealth of documentation, including the list of members of the Board of Directors and the Supervisory Board over the past 10 years, and the annual sales data since our establishment in 1987; we also made the list of our shareholding employees, the shares they hold, as well as information about our funding resources and financial operations available to the Committee.”

That effort seems to have been fruitless, as the statement says “Unfortunately, the Committee’s report not only ignored our proven track record of network security in the United States and globally, but also paid no attention to the large amount of facts that we have provided.”

Huawei also argues the Congressional committee included “many rumors and speculations” and concludes that “We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the US market.”

The statement says Huawei nonetheless “remains committed to being a long-term investor in the U.S. Market”.

In its sign off, Huawei tries to picture itself as an enterprise as American as a Silicon-Valley-baked Apple pie, stating:

“Huawei is no different from any start-up enterprises in Silicon Valley, and our growth and development relies very much on our entrepreneurial spirit, the commitment and hard work of our employees, as well as our unwavering dedication to innovation.

“Moving forward,” the statement concludes, “we will continue to do the best we can to provide our customers with safe, convenient, and equal access to information and communications services.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/huawei_fights_back_against_adverse_security_finding/

Surprise! Microsoft patches latest IE10 Flash vulns on time

Microsoft surprised Windows 8 and Windows Server 2012 users on Monday by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers.

Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe’s patches, which are designed for the plug-in version of Flash, won’t work on IE10. As with other IE10 security flaws, security fixes for IE10’s Flash component can only come from Microsoft.

Redmond issued its first such patch in September, but only after weathering intense criticism from users over its poor response time. Initially, Microsoft had said that it did not intend to patch the flaws until after Windows 8’s official launch on October 26. Even after it relented and provided a prerelease fix, Microsoft’s patch for IE10 arrived more than a month after Adobe shipped its patch for other platforms.

In response to growing user concerns, Yunsun Wee, director of Microsoft’s Trustworthy Computing group, issued a statement explaining that Microsoft planned to work closely with Adobe to develop patches for future Flash vulnerabilities and that the two companies would “coordinate on disclosure and release timing.” But no one was really sure what that meant until now.

On Monday, Adobe issued a security bulletin disclosing 25 new vulnerabilities in Flash Player across all of its supported platforms, along with a patch that fixed those vulnerabilities on platforms that use the plug-in version of Flash.

Later that same day, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe’s bulletin, putting IE10 back on par with other platforms in terms of security with virtually no delay.

“We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” Wee wrote in a blog post.

Although Wee stopped short of saying that “aligned” meant users should expect all future IE10 Flash patches to arrive the same day Adobe issues them, Monday’s action should go a long way to assuage fears that Microsoft’s latest browser would perpetually lag behind the latest security fixes.

According to Wee, users of Windows 8 and Windows Server 2012 – the only platforms that currently can run IE10 – should receive the Flash patches automatically via Windows Update. Users who have disabled automatic updates should follow the instructions in the advisory to download and install the patches by hand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/ms_ontime_ie10_flash_fix/

Bing is the most heavily poisoned search engine, study says

Bing search results are more affected by poisoning than those of other search engines, according to a study by SophosLabs.

Search engine poisoning attacks are designed to skew results so that dodgy sites – anything from malware-infected websites to payday loan sites – appear prominently in the index of sites related to popular search terms. In many cases the tactic is so successful that malware sites appear on the first page of results for popular search terms, sometimes ranked much higher than legitimate websites. More recently, miscreants have begun trying to manipulate image search results.

SophosLabs blocks attempts to “redirect” surfers from search engines to dodgy sites and can therefore monitor the scale of search engine poisoning attacks. Two thirds (65 per cent) of the poisoned search results blocked by Sophos appliances over the last two weeks originated from Bing while 30 per cent came via Google. The other 5 per cent came via alternative search engines. The true state of play is probably even worse than these raw figures suggest: Google is the most popular search engine, so it generates far more searches per poisoned result, a factor the raw counts do not account for.

The vast majority of dodgy redirects (92 per cent) blocked by Sophos related to image searches. Only eight per cent related to text searches.

Search engines attempt to remove malicious sites from their indexes but this involves playing a game of cat and mouse in which the search engines are by no means always successful.

“Search engine poisoning can be very dangerous for internet users, as they trust the search engine they’re using to filter out malicious links, and in this case it seems to be Bing which is letting internet users down,” said Fraser Howard, principal virus researcher, Sophos. “All search engines will miss attempts to poison their search results however, and with very few give-away clues to spot infected image searches for example, the users themselves may also struggle to detect and avoid infected search results.”

Fraser compiled these figures after being asked to look into the use of search engine result poisoning in the promotion of payday loan outfits, an issue covered in a recent Daily Mirror article.

A run-down of Sophos’ results (along with illustrated examples of search engine poisoning in action) can be found on the security firm’s Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/08/bing_worst_search_poisoning/

Iran X.25 terrorists actually BANKERS

An innocent explanation has emerged after a security expert linked a group of Islamic extremists to Iran after supposedly discovering the crew on a list of state-sanctioned leased telephone lines in the Middle East nation.

Mike Kemp, a co-founder of UK-based Xiphos Research, found two entries for “Ansar Al-Mujahideen” in a spreadsheet of Iranian X.25 lines while looking into the venerable packet-switching protocol. He checked his results with a Syrian friend, who helped him translate the Arabic and Farsi in the file.

The listing for Ansar al-Mujahideen – the name of an online forum of jihadi cheerleaders – was buried deep in a document of 2,800 records compiled four years ago by security consultant S. Hamid Kashfi.

But it turns out Ansar al-Mujahideen was lost in translation to English: the entry is actually Ansar al-Mojahedin, the name of a banking institution in Iran between 2002 and 2009. The organisation is now known as the Bank of Ansar.

Kashfi, who is a security researcher rather than a hacker as initially incorrectly reported, told El Reg: “I should clarify that the ‘Ansar’ name in that list represents an official bank in Iran, and that bank has nothing to do with ‘Ansar al-Mojahedin’. It’s just a similar name.”

Kemp withdrew his supposition that the Iranian state backed Ansar al-Mujahideen, an al-Qaeda-affiliated propaganda and recruitment organisation. He said that he only ever intended to draw attention to a potentially interesting finding.

“I fully appreciate that my several translations were incorrect, and that there was an Iranian bank of similar name – not the best naming convention, but hey ho,” Kemp said.

“I also am moderately explicit about the fact that I never claimed categorically one way or the other on this one. I’m not a native speaker of either Arabic or Farsi, and never claimed to be. I’m also moderately certain that Hamid, who now works with Immunity and is not a black-hat hacker, put together this listing to demonstrate the widespread existence of X.25 in Iran, and although it could be used irresponsibly I would very much doubt that was his intent.”

X.25 was used as a backbone for cash machines, and SMS bulk services, prior to its replacement by IP-based networking equipment in most of the world. The technology is still used in Iran. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/08/iran_leased_line_follow_up/

WoW cities wiped out by ‘exploit’

World of Warcraft players in Europe experienced an unpleasant Sunday afternoon, after an ‘exploit’ resulted in the death of every character in several cities.

Within hours of the incident, the game’s publisher Blizzard issued a statement declaring it an “exploit” that has “… been hotfixed, so it should not be repeatable”, but offered no further explanation of the incident’s nature.

WoW Insider has posted the image below, depicting piles of dead in the game.

Piles of bodies in WoW after an 'exploit' struck the game

Blizzard’s slim explanation for the incident means it is not known whether the cause was an external attack or a glitch in the game’s code. The source of the problem has become the topic of considerable speculation in communities dedicated to the game, with a vulnerability in the game’s servers often mentioned as enabling the exploit.

Players now report the game is functioning as usual. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/08/world_of_warcraft_sites_wiped_out_by_exploit/

LASER STRIKES against US planes on the rise

The next time you find yourself on an airline flight coming in for a landing, consider this: at that very moment, someone on the ground could be training a handheld laser at your aircraft’s cockpit.

It happens more often than you think. The FBI has only been keeping records of laser beams striking planes since 2004, but according to a blog post, the number of reports has gone up 1,100 per cent in recent years, from just 283 cases in 2005 to a projected 3,700 cases this year. Unreported incidents could bring the figure even higher.

The problem is twofold, say the Feds. First, laser technology has plummeted in price in recent decades. Low-powered laser pointers can be purchased for as little as $1, yet even these “toys” can have effective ranges of up to two miles. Meanwhile, individuals can now buy industrial lasers with significantly more power online fairly easily.

Second, an individual aiming a laser from the ground often has no real conception of the effect the beam will have on a faraway target. A laser pointer aimed at a nearby wall looks like a small, glowing dot, no more than a centimeter or two in diameter. But the farther laser light travels, the more diffuse it becomes, causing it to illuminate a larger area.

“At 500 feet,” says Tim Childs of the Federal Air Marshal Service, “that two-centimeter dot you see on your wall can be six feet wide.” That’s wide enough to light up an entire cockpit, with an intensity that’s comparable to a camera flash.

Simulated photo of a green laser striking an aircraft cockpit

ZAPPED! A handheld laser aimed from the ground can light up an entire cockpit thousands of feet in the air

So what kind of jerk points a laser at a plane anyway? According to the Feds, criminals have been known to aim lasers at aircraft intentionally to throw off airborne surveillance, but those cases are relatively uncommon. Usually, plane-zappers fit one of two profiles: some are minors with no criminal history, while the rest are usually older men with “a reckless disregard for the safety of others.”

Although there have been no known incidents of an airplane actually crashing due to a laser strike, the FBI says there have been eye injuries, enough to make the current “epidemic” of laser attacks a serious threat to aviation security.

In 2008, the agency founded the first Laser Strike Working Group National Initiative, aimed at reducing the number of incidents. And under federal law put into effect this year, anyone caught flashing a plane with a laser can be fined up to $11,000 and spend up to five years in prison. That’s in addition to an existing law that allows fines of up to $250,000 and prison terms of up to 20 years for interfering with the operation of an aircraft.

“Use a laser pointer for what it’s made for. Aiming a laser pointer at an aircraft is dangerous and reckless. Just don’t do it,” says supervisory federal air marshal George Johnson.

But what are the chances a laser strike could happen to your next flight? According to figures from the National Air Traffic Controllers Association, roughly 70,000 aircraft take off and land in the US each day, putting the odds of your next flight being zapped by a laser at around 1 in 6,900. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/laser_strike_epidemic/