Social Engineering


Well, Happy 4th of July to all the folks here in the US.  Hope everyone has a safe one today.  Just a little warning.  The Storm Worm still lives and, as expected, there is a wave of e-mails trying to get you to download an executable called fireworks.exe.  Just remember, do not click on links or attachments in unsolicited e-mails.  Click here for the Internet Storm Center story relating to this subject.

Happy 4th everyone!!

A story hitting close to home for me. Lawrence, Kansas is the home of my beloved Kansas University Jayhawks. I just heard on the news that several residents of Lawrence have been called over the past few days and told they either have a problem with a VISA credit card account or their bank account at the KU Credit Union. Click here for a link to an online story. This scam has been around in parts of the country but this one is a bit closer to home.

Attackers can set up a call center on their own PC or on one that they control, then call random residents in a targeted location. I guess the attacker asks for personally identifiable information like a credit card number or account number. Those who fall for it have then had money transferred out of their accounts. With these call centers, attackers can spoof the number that is making the call, just like a phisher's e-mail can appear to be coming from PayPal.com, for example.

This is just another social engineering scam that attackers are starting to use because people have been warned over and over about these phishing e-mails appearing to be coming from banks and credit card companies.

Create your own “need to know” basis where you refuse to give up information in response to any unsolicited e-mail, phone call, or SMS message (text messages on mobile phones) because these are known attack vectors. If you think it is true, hang up and call your bank or credit card company directly.

Rock Chalk Jayhawk and hope not too many of the citizens of Lawrence have fallen for this scam. Take care and stay safe this weekend.

A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory. Symantec has also said that this vulnerability is currently being exploited by the bad guys as we speak. Soon they will have an update out but at this point, it is up to you to protect yourself. Don’t click on unsolicited links or attachments in spam e-mail. Your behavior can go a long way in protecting yourself when on the Internet.

Stay safe and have a great Wednesday!

UPDATE Wednesday, May 28, 2008 16:30 CST

Well, as the day went on, it was found that the current release of Adobe Flash Player (9.0.124.0) is not vulnerable to the attacks that are ongoing at this time. Here is a list of the nasty sites serving up the exploits. WARNING!! Do not visit these sites no matter what!!

UPDATE: 053008

Well this story has more turns in it than a NASCAR event.  Some are even right turns.  First we thought all versions of Adobe Flash Player were vulnerable.  Then we are told that the current version is OK and not vulnerable.  Then, Adobe doesn’t come right out and say it and Symantec is saying that these exploits are working so just be careful out there.  Seems that the bad guys are using these in new SQL injection attacks.  Have a great Friday!!

A new twist on an old scam: I had someone report SPAM e-mail that appeared to come from Microsoft. A little quick research online showed me this has been around for a few years, but it has a different twist.

Sample Spam

As you can see, this was the entire body of the e-mail.  Nothing to sell.  No e-cards to click on.  No official document from some bogus US Court.  Just 3 innocent looking links from everyone’s friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and they are being kind enough to add an Unsubscribe link. Since you never really subscribed to this in the first place, they are hoping to get people to click the Unsubscribe link so they won’t have this sent anymore.  All because they respect your privacy. Taking a closer look at the 3 links, they all lead you to the same URL. The IP for the URL was registered in the USA. A quick Google search of the domain turned up a lot of Russian-language references to this domain.  After taking a closer look, all this URL did was redirect you to a site that was registered in Korea. This gives you a little more insight into how SPAM e-mail can be a threat.  If this trail had been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have run against the PC, and if it were not patched, then remote code execution could be possible, meaning the PC would have been added to someone’s criminal botnet and used in nefarious ways.
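The check described above (several differently labelled links that all point at one URL outside the claimed sender's domain, one of them an Unsubscribe link) can be automated for reported messages. This is an added example, not part of the original post; the sample body, the `redirector.example` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: three differently labelled links, one destination.
SAMPLE = """<html><body><p>You are subscribed to MSN Featured Offers.</p>
<a href="http://redirector.example/r?id=1">MSN Featured Offers</a>
<a href="http://redirector.example/r?id=1">Privacy Statement</a>
<a href="http://redirector.example/r?id=1">Unsubscribe</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (visible label, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html_body, claimed_domain):
    """Return finding codes for a message that claims to be from claimed_domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    claimed = claimed_domain.lower()
    off_domain = []
    for label, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        # Exact match or true subdomain only; "evilmicrosoft.com" must not pass.
        if host and host != claimed and not host.endswith("." + claimed):
            off_domain.append(label.lower())
    findings = []
    if off_domain:
        findings.append("off_domain")
    labels = {label.lower() for label, _ in parser.links}
    targets = {href for _, href in parser.links}
    if len(labels) > 1 and len(targets) == 1:
        findings.append("single_destination")
    if any("unsubscribe" in label for label in off_domain):
        findings.append("unsubscribe_lure")
    return findings


if __name__ == "__main__":
    print(audit_links(SAMPLE, "microsoft.com"))
```

The audit only parses the message text and never fetches the links, so it is safe to run on a reported e-mail.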

Remember what we say, never click on unsolicited links or attachments in e-mail.  Stay safe.

The National Cyber Security Alliance (NCSA) announced study findings that 71 percent of consumers lack knowledge of cyber criminals’ weapon of choice and the Internet’s fastest growing threat — botnets. This sadly tells a story that I and many other computer security professionals already know. Botnets are composed mostly of consumers’ computers and are increasingly being used to perpetrate identity theft and spread viruses.
“Last June, the FBI identified more than one million computers infected with malware which could have been hijacked and used as part of an army of bots to attack other computers, spread malware, or attack our nation’s infrastructure,” said Ron Teixeira, executive director of the NCSA. These results were announced at the RSA conference last week. “Botnets continue to be an increasing threat to consumers and homeland security. Consumers’ unsecured computers play a major role in helping cyber criminals conduct cyber crimes not only on the victim’s computer, but also against others connected to the Internet.”
The study also shows that Americans are largely unaware their computer’s security plays a role in our nation’s security and preventing online crime. The scary thing is that a majority of respondents think it is not likely their computer could affect homeland security while only 51 percent think it is possible for a hacker to use their computer to launch cyber attacks.
“It is alarming that consumers do not know how to secure their computers,” said Teixeira. “It is important for consumers to understand that safe cyber security practices not only protect them from identity theft, but also prevent cyber crime and attacks. By taking simple steps, consumers can protect themselves from cyber crimes and join our effort to protect other Internet users.”

Additional findings from the study* include:

- 71 percent have never heard the phrase “botnet” — the weapon of choice for cyber criminals
- 59 percent think it is not likely their computer could affect homeland security
- 47 percent believe it is not possible for a hacker to use your computer to launch cyber attacks or crimes against other people, businesses and our nation
- 51 percent have not changed their password in the past year
- 48 percent do not know how to protect themselves from cyber criminals
- 46 percent of consumers are not sure of what to do if they became a victim of a cyber crime.

I say this to you… your biggest weapon against the criminal attackers is knowledge. Educate yourself on the steps you can take to secure your PC at home.

Congrats to my Kansas University Jayhawks for winning the NCAA National Championship. Gotta love those Hawks! As we like to say around this part of the country, Rock Chalk Jayhawk. GO KU!!! Have a safe week.

One thing that criminal computer attackers like to use in their phishing e-mails is some current event.  All around the world, there is a lot of support for Tibet against the Chinese government.  With news coming out being restricted by the Chinese, people are hungry for information.  What a perfect setup for a social engineering tactic to get people to click on either attachments or links in phishing e-mails.

Never trust unsolicited e-mail, period.  Never, never, never trust it.  No matter what the topic in e-mails, never click.  Computer attackers have to have your help before YOU can be taken advantage of.  Clicking things many times installs the attacker’s downloader, which then downloads and installs the really nasty code.  Gone are the days when misspelled words and broken English in e-mails gave us a clue that something isn’t right.  Attackers have linguists, psychologists, and some really smart people who can code the malware (criminal malicious software) and you are the target.

Remember that they need you to click on either an attachment or link to a malicious site to take advantage of you.  You are your own best defense.  Know the tactics being used.  Be prepared and don’t click.  NEVER.

It was a short night for me because I was watching my Kansas University Jayhawks win the National Championship game last night.  Gotta love those Hawks and I’m so happy for Coach Self and every single kid on that team but especially the 5 seniors on the team.  Rock Chalk Jayhawk.  GO KU!!!  What a season and what a dramatic finish.  Now the story is, what will Coach Self do when he gets offered TONS of money to move to coach Oklahoma State University.  Personally I think he will stay and be there for a long time.

Stay safe out there.  Rock Chalk!!  We’ll talk again in a few days.

I am signed up for regular online newsletters through SANS.org which is a computer security site that I reference daily.  In this current issue I found this story to be applicable to many people out there today.

Here is the story:

John Y. at a US community college writes us:
A computer used by one of our staff was compromised in December, and began sending email advertisements for Viagra and Cialis to large numbers of addresses. We caught it fairly quickly because we have monitors that look for that kind of behavior on our network.  An analysis of the computer showed that it had been infected when the user visited a small Mom-and-Pop type arts & crafts store on the web. The Mom-and-Pop website had been “re-programmed” by someone in Ukraine to send a blast of software attacks at anyone unlucky enough to visit it.  One of these attacks was directed against a vulnerability in a version of Apple QuickTime released just two weeks before the attack. Symantec Anti-Virus stopped all of the attacks except the QuickTime attack.  Sadly, it only takes one successful attack to compromise any computer.

Lessons We Learned
- Small Mom-and-Pop websites can pose a greater risk than the sites of big vendors like Amazon.com. Owners of small businesses often don’t have the expertise or resources to protect their sites from being compromised and used by Bad Guys. Once a website has been compromised, it can then be used to attack your computer.

- Anti-virus is still a necessary defense, but it can’t do the whole job.  In the past, computer criminals wrote viruses that broadcast themselves all over the Internet, making it easier for anti-virus companies to identify them and develop a countermeasure quickly.  Now, attacks are much more targeted and the criminals have gotten better at making attack software that is harder to detect. Anti-virus makers are finding it difficult to keep up with the criminals.

- Bad Guys are targeting many applications that run on your computer, as well as the operating system. The campus computer that was compromised was completely up-to-date with its Windows security patches. But in order to keep your computer secure (besides patching Windows, Internet Explorer, and Office, all done automatically through update.microsoft.com), you have to patch commonly installed applications like QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, and Sun Java, all of which can be attacked through your email or web browser.

—————-

Now we’ve talked about these other applications and the importance of patching.  Many of these vendors are automating their process to update their applications.  It’s not there yet so you need to make sure on your own that these applications are patched.  Most times, you can open them up and go to the HELP option and there you will find an option to Check for Updates.  Do this to protect yourself.

Tonight is the BIG GAME!!! Remember all Tarheel fans can disregard any advice I give.  Tyler Hansborough (Don’t know if that is the correct spelling.  Really don’t care.) is on the cover of SI so hopefully that will be the famous SI Jinx.  ROCK CHALK JAYHAWK!!! GO KU!!!!  Love my Jayhawks and both these games today will be awesome to watch.  Stay safe, patch and may my Jayhawks from the University of Kansas bring home the National Championship.

I wasn’t sure I was going to make it through the game yesterday.  My heart can’t take much more of that.  Well congratulations to my Kansas Jayhawks for making the Final Four and now we focus on the UNC Tarheels.  Please UNC, listen to all the hype.  You are the greatest team ever and KU should not even show up.  Rock Chalk Jayhawk!!!  I’m very excited about Saturday’s games.  Can’t wait and be ready for all that crappy Tarheel hype.

Be careful out there when it comes to spam and even those Google searches.  You may want to go to Finjan.com and click on the Secure Browsing icon at the bottom of the page.  Doesn’t matter if you use Microsoft’s Internet Explorer or Firefox browser, you can install this little addon and when you do searches, you can feel a little safer that a site is not malicious.  Criminal attackers will take advantage of all the interest in the Final Four with their spamming attacks.  Read about what this Finjan addon can do for you.

Now a special message to all those UNC Tarheel fans.  Patching your PC is overrated.  Use an older version of Microsoft’s Internet Explorer.  Spam e-mail is safe.  Click on unsolicited e-mail links and attachments.  You guys rock!  LOL.

I love this time of year.  Stay safe and ROCK CHALK JAYHAWK!!!!!!

Apple has a lot of Windows users who use their QuickTime and iTunes software, and Apple pushes out security updates through their Apple Software Updater application.  It is a scheduled task that runs periodically to see if there are updates to these applications.  Something was different this month.  I noticed that there was a new application in the updater window.  It was Apple’s Safari web browser.  All applications were checked, so if you didn’t go up and uncheck the Safari download, you now have it installed.

My advice to you from a computer security standpoint is to NOT use the Safari browser.  It has security issues associated with it.  Now if you do choose to use it, you may get away with it since there is such a small percentage of folks out there who actually use it.   Attackers are looking for the higher numbers.  Apple does have security issues with their software.  They sort of opened up their mouths in their commercials that they don’t get those viruses like Microsoft does.  Here is my statement.  All software written probably has security vulnerabilities.  You can’t escape it.

My advice is to uninstall the Safari web browser if you installed it unintentionally.  I just checked and the Apple updater still has the Safari browser for Windows as a choice.  Make sure you uncheck it when you update your other Apple software.  Apple is being ridiculed about their choice to spread their web browser through what has been used to update their software.  But if Jobs wants to continue this, then just be aware you will have to uncheck it.

Rock Chalk Jayhawk Go KU.

Happy Patch Tuesday!  This is just a reminder that we make sure we update our applications.  So look for your Microsoft updates and apply them.

Now to today’s topic.  If you use instant messaging like AOL’s Instant Messenger, MSN Messenger, Yahoo Messenger, or any other messenger, you have probably received unsolicited messages from strangers.  Most appear to be sent to guys.  They promise the same thing that we’ve discussed in previous posts.  It is just a different way of getting some tempting message out to the masses.  So consider this another way attackers try to get you to click a link to take you to a site that probably you don’t want to visit.  So spam comes in many flavors.  We’ve talked about spam e-mail, and spam SMS text messaging on our mobile phones, and now we discuss Instant Message spam.

The outcome is the same in all these cases.  They want you to go somewhere to look at naked pictures of your favorite movie or TV star, or some other tantalizing temptation.  Guys, come on!  Most of these are aimed at you.  Don’t fall for it!!

Remember that spam comes in many flavors, but the outcome is the same.  Don’t click on any unsolicited links.

Off topic, I have sometimes been forced to watch Jon and Kate plus 8 and I just want to make an observation.  They get to go and do so many things but they don’t ever have to pay for it.  Business folks offer up their services for the advertising they get when the show airs.  Do they pay for anything?  Just a thought.  I have a feeling they are given a lot of things and they take advantage of it all.
