
=Welcome to the IT SECURITY Wiki started 10-27-2010=

// May 4, Macworld // – (International) **Apple releases iOS 4.3.3 to patch location bugs.** Apple released the iOS 4.3.3 update to fix a handful of bugs related to the storage of location data, Macworld reported May 4. The update addresses three bugs related to the database of location information on iOS devices. Firstly, it reduces the amount of cached location information to a week’s worth, rather than relying on a size limit, as it previously did. Secondly, it no longer backs up the cache to a user’s Mac or PC via iTunes upon syncing, so the information is not available to anyone with access to that computer. Finally, the cache is now deleted from the device when Location Services are disabled in iOS’s Settings app. Apple has also announced plans to encrypt the location information on iOS devices itself in the next major update to the operating system. Source: []

// May 4, Softpedia // – (International) **Fake FBI emails distribute backdoor.** A new malware distribution campaign is producing rogue e-mails purporting to come from the FBI and attempting to scare users into opening malicious attachments. Cyber criminals behind this attack are hoping to scare people into believing they are being investigated by federal authorities because they accessed illegal online content. The subject of the rogue e-mails reads “you visit illegal websites” and their header is forged to appear as if they originate from an FBI address. The attachment is called document(dot)zip and, according to security researchers from e-mail and Web security vendor AppRiver, it contains a version of Bredolab. Bredolab is a trojan downloader commonly used as a malware distribution platform. In this case, it installs a backdoor on the PC through which attackers can deploy even more threats. In order to trick users into believing they are dealing with a document, the executable found inside the .zip archive bears a PDF icon. “Its intent is to slip past your human defenses and create a permanent backdoor on your PC in order to further download malicious payloads such as keyloggers and spyware,” an AppRiver security researcher noted. Source: []

// May 2, IDG News Service // – (International) **Sony cuts off Sony Online Entertainment service after hack.** The widely publicized hack of Sony’s computer networks is worse than previously thought, also affecting 24.6 million Sony Online Entertainment network accounts. Sony — which has kept its Sony PlayStation Network offline for nearly 2 weeks as it investigates a computer intrusion — took a second gaming network offline May 2, saying it too appears to have been hacked. It said banking and credit card information belonging to more than 23,000 customers outside the United States may have been compromised. The Sony Online Entertainment network, used for massively multiplayer online games, has been suspended temporarily, Sony said May 1. Add this to the 77 million accounts that may have been compromised the week of April 24, and Sony is responsible for one of the largest recorded data breaches. The entertainment network is separate from the PlayStation Network, but both hacks have similar traits, a spokeswoman for Sony Computer Entertainment said. In both cases, the stolen data includes customer names, e-mail addresses, and hashed versions of their account passwords. That data could be used to spam customers or trick them with phishing e-mails. Source: []

// May 2, threatpost // – (International) **Report: Vishing attack targets Skype users.** Skype users are being targeted in an ongoing voice-phishing, or “vishing,” attack, according to a report by ZDNet’s Zero Day blog. Skype users reported receiving a pre-recorded call informing them that their computer had been infected with malware. In order to remove this malware, users are advised to visit a site which pushes rogue AV and malware cleanup services, according to the report. So-called “vishing” attacks are akin to phishing attacks and use voice messages — rather than e-mail messages or Web links — to lure unsuspecting users to malicious Web sites. Skype users report receiving calls from unknown numbers. Pre-recorded messages tell those who answer the call that they are infected with a “fatal virus” and direct them to a Web address to get disinfected. Source: []

// May 2, Network World // – (International) **VMware causes second outage while recovering from first.** VMware’s attempt to recover from an outage in its new cloud computing service inadvertently caused a second outage the next day, the company said. VMware’s new Cloud Foundry service — which is still in beta — suffered downtime over the course of 2 days the week of April 24. Cloud Foundry, a platform-as-a-service offering for developers to build and host Web applications, was announced April 12 and suffered “service interruptions” April 25 and 26. The first downtime incident was caused by a power outage in the supply for a storage cabinet. Applications remained online, but developers were unable to perform basic tasks, like logging in or creating new applications. The outage lasted nearly 10 hours and was fixed by the afternoon. But the next day, VMware officials accidentally caused a second outage while developing an early detection plan to prevent the kind of problem that hit the service the previous day. Source: [|http://www.computerworld].

// May 2, Next Web // – (International) **Bogus MacDefender malware campaign targets Mac users using Google Images.** Apple computer owners are being subjected to a number of specialized malware attacks that insist Mac users download a malware version of the popular MacDefender antivirus application, infecting their computers as a result. News of the malware campaign surfaced as scores of Mac computer owners flooded the Apple Discussion Forums, asking members for advice on how to delete the MacDefender application from their systems. Early reports show users have been targeted as they search Google Images, one user stating the bogus MacDefender application was automatically downloaded as he browsed images of piranhas. Further searching through the Apple Discussion boards suggests the malware campaign is targeting users of Apple’s Safari browser, displaying warnings that the user’s computer has been infected with viruses that only the unofficial MacDefender application can remove. Because Safari users can set their browser to automatically open software they trust, it is thought that many have been infected without their knowledge by this route. Upon downloading, the application asks users to pay for protection, possibly giving attackers credit card details as a result. To reassure users of the official MacDefender software, its creator has taken to the official Web site to warn users of the malware campaign. It is not thought the malware application is able to infect Mac computers with a virus; instead it is scareware, which preys on the confidence of Mac users in order to get them to hand over their credit card details. Source: []

// April 29, Computerworld // – (International) **Yahoo says 1M users affected by email outage.** A day after Yahoo’s e-mail service suffered a partial outage, the company reported that about 1 million users were affected. The problem began at 7:30 a.m. Pacific time April 28, and was at its worst at 11 a.m., according to the senior product manager for Yahoo Mail. At the problem’s peak, about 1 million users were without e-mail service, she added. It is unclear when Yahoo got e-mail back up for all of its users. Yahoo also did not specify what caused the problem. Source: []

// February 14, Darkreading // – (International) **New ‘boy in the browser’ attacks on the rise.** A new but familiar type of attack on the rise is a spin-off of the proxy trojan, keylogger, and man-in-the-browser (MITB) attack. The “boy-in-the-browser” (BITB) attack — so named as a less sophisticated form of MITB — may be immature, but it is efficient, easy, and targeting users visiting their banks, retailers, and even Google. “It reroutes a [victim’s] traffic without them being aware ... It’s so effective because it’s quick to modify itself so antivirus can’t detect it. It’s great for a quick-hit attack,” said a senior security strategist with Imperva, which issued a security alert February 14 on this attack technique that its researchers spotted in the wild. BITB is basically a “dumbed-down” MITB where the attacker infects a user with its trojan, either via a drive-by download or by luring the user to click on an infected link on a site. The trojan reconfigures the victim’s “hosts” file and reroutes the victim’s traffic for a specific Web site — say, a bank or an online retailer — to the attacker’s own server posing as that site. Then the BITB attacker can intercept or modify the transaction. “It’s difficult to detect,” the researcher said, because the victim sees the same URL he or she was requesting. Source: []
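The BITB item above hinges on one artifact: a hosts file entry that pins a bank or retailer domain to an address the attacker controls. Since the browser shows the expected URL, the hosts file itself is the place a defender can look. The following is an added example, not from the Darkreading item or from Imperva; the watchlist domains, the sample hosts file contents and the `203.0.113.45` address are all constructed for illustration. It parses a hosts file in the format used by Windows and Unix and flags any watched domain that is mapped to something other than a loopback or null address.

```python
"""Detect hosts-file hijacking of watched domains (added example, constructed data)."""
import ipaddress
import re

# Constructed watchlist: domains whose traffic must never be redirected by a local
# hosts entry. A real deployment would load this from configuration.
WATCHLIST = {
    "www.examplebank.test",
    "login.examplebank.test",
    "www.google.com",
    "shop.example-retailer.test",
}

# Constructed sample hosts file: a benign default block plus entries of the kind a
# BITB trojan plants. 203.0.113.45 is a documentation-range address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries planted by the trojan
203.0.113.45    www.examplebank.test login.examplebank.test
203.0.113.45    www.google.com
0.0.0.0         ads.example.test   # ad-blocking sinkhole, not a hijack
"""

HOST_RE = re.compile(r"^(\S+)\s+(.+)$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            yield ip, name.lower()


def find_hijacks(text, watchlist=WATCHLIST):
    """Return one finding per watched hostname pinned to a non-loopback, non-null address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watchlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"host": name, "ip": ip, "reason": "unparseable address"})
            continue
        # Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) entries only sinkhole
        # a name; any other address silently redirects the user to a fixed server.
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append(
                {"host": name, "ip": ip, "reason": "watched domain pinned to external address"}
            )
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"ALERT {f['host']} -> {f['ip']}: {f['reason']}")
```

On a real endpoint the text would be read from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`, and the same logic extends naturally to a file-integrity baseline: any change to that file outside a change window is worth an alert regardless of which name it touches.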

** How long has it been since we patched Joomla? ** // February 14, Softpedia // – (International) **(dot)edu space filled with adult spam.** Security researchers from GFI Software warned an increasingly large number of (dot)edu Web sites are being abused to push adult spam because of their poor security and lack of oversight. Searching for adult-oriented terms in the (dot)edu domain space reveals entire pages of results, most of which are on discussion boards. “Most of this seems to have kicked in since around the 4th or 5th of February, and there doesn’t seem to be much in the way of spam control or preventative measures going on right now so please be careful if looking around your university forums, official or otherwise,” a security researcher at GFI said. It is not only forums that have been abused. Among search results users can also find what appear to be compromised Web sites. Most of them are installations of popular content management solutions that have been left unpatched for a long time. The same security holes can be leveraged to create malicious doorway pages that are part of malware distribution and black hat SEO attacks. A similar trend has also been observed for governmental Web sites, which are being abused by spammers and other cybercriminals not just in the United States, but internationally as well. Source: []

** Do we use WSUS? Who is reviewing and following up on WSUS daily reports? ** // February 14, Darkreading // – (International) **Long-patched vulnerabilities continue to dominate threat list.** According to the new Security Labs Report from M86 Security, the top six most frequently observed vulnerabilities on the Web were all discovered at least 4 years ago, and have all been patched for at least 2 years. Most of the top 15 flaws detected by M86 Security were on Windows or Adobe applications, and most have been around for some time — MS Office Web Components active script execution, for example, has been known since 2002, yet it still ranks second on the most frequently detected list. “Despite the fact that these vulnerabilities were patched years ago, many of them are still targeted today,” the report said. “This is likely a result of their success rates, and it reinforces the importance of updating software applications, from browsers to PDF readers.” The report also lists the top 10 exploit kits, where Eleonore remains the most popular and Phoenix comes in at number 2. Source: []

// February 11, Help Net Security // – (International) **Fake scanned documents lead to Zeus infection.** A new spam e-mail campaign is currently underway, and takes the form of a document scanned and sent by a Xerox WorkCentre Pro scanner. The attachment is a specially crafted PDF document, BitDefender warned, and it is able to exploit four Adobe Acrobat Reader vulnerabilities — all of which can be used by an attacker to remotely execute arbitrary code on a vulnerable system. In this case, the ultimate goal of the people behind this spam campaign is to spread the credentials-stealing Zeus trojan. Source: []

// February 11, Softpedia // – (International) **Security experts fear iframes on Facebook pages could spell trouble.** Security experts fear the introduction of iframes for Facebook pages will open the door to abuse and will make the job of attackers on the social network much easier. Facebook announced February 10 Page administrators could start creating Page Tabs that load apps inside iframes instead of the more restrictive Facebook Markup Language. “While this is no doubt great news for legitimate developers, it will undoubtedly make life for those with malicious intent much easier too,” a senior security advisor at antivirus vendor Trend Micro said. “No more likejacking required, no more having to persuade users to install your app, if a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes,” he explained. Source: []

// February 9, Panda Security // – (International) **January malware update: PandaLabs found 43 percent of US PCs were infected.** PandaLabs, Panda Security’s anti-malware laboratory, announced findings February 9 based on data from scans completed by Panda ActiveScan, the free online scanner offered by Panda Security, The Cloud Security Company. In January, PandaLabs found 43 percent of U.S. computers scanned were infected with malware, compared to 50 percent of total global users scanned. Trojans were found to be the most prolific malware threat, responsible for 58 percent of all U.S. cases, and 59 percent globally. The next most common culprits were traditional viruses and worms which caused 12 percent and 9 percent of cases worldwide, respectively. Although the United States made the top 10, Thailand, China, Taiwan, Russia, and Turkey held the top 5 highest rates of infection, ranging from 60 to 67 percent of cases. And with a 43 percent infection rate, the U.S. ranked tenth, only a few percentage points below historical “malware havens,” such as Brazil and Poland. Of the most prevalent malware threats detected this January, generic Trojans topped the list, followed by downloaders, exploits, and adware. Panda found the “Lineage” Trojan continues to spread and infect systems, indicating a lack of basic antivirus protection for even the most longstanding threats. Source: []

// February 10, Computerworld // – (International) **Vendors tap into cloud security concerns with new encryption tools.** A handful of vendors have begun rolling out technologies designed to let companies take advantage of cloud computing environments without exposing sensitive data. One vendor, CipherCloud, a Cupertino, California-based start-up, launched a virtual appliance technology February 10 that companies can use from within their premises to encrypt or to mask sensitive data before it hits the cloud platform. Unlike the case with encryption services offered by cloud providers, CipherCloud’s technology lets enterprises have complete control over the encryption and decryption process, the CEO and founder of the company said. The only set of encryption keys resides with the enterprise and not the cloud provider, ensuring that only authorized users can view the data, he said. CipherCloud’s algorithm works in a way that encrypts data without fundamentally altering the data format or function, he added. Source: []

// February 11, The Register // – (International) **Malware endemic even on protected PCs.** Many users remain infected with computer malware despite the fact the vast majority are running machines protected by anti-virus software, according to a study by European Union statistics agency EUROSTAT. The study found one-third of PC users (31 percent) were infected even though the vast majority (84 percent) were running security software (anti-virus, anti-spam, firewall) on their PCs. Of the survey’s respondents, 3 percent reported financial loss as a result of pharming or phishing attacks, while a further 4 percent reported privacy violations involving data sent online. Bulgaria (58 percent) and Malta (50 percent) top the list of most infected users. By comparison, Finland (20 percent), Ireland (15 percent), and Austria (14 percent) did relatively well. Trojans (59.2 percent) were the most common type of infection found on compromised PCs, followed by viruses (11.7 percent). Source: []

** Why Mike still won’t use or recommend an iPhone for enterprises. ** // February 10, IDG News Service // – (International) **iPhone attack reveals passwords in six minutes.** Researchers in Germany say they have been able to reveal passwords stored in a locked iPhone in just 6 minutes, and they did it without cracking the phone’s passcode. The attack, which requires possession of the phone, targets keychain, Apple’s password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen, said the researchers at the state-sponsored Fraunhofer Institute Secure Information Technology. It is based on existing exploits that provide access to large parts of the iOS file system even if a device is locked. The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode. Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes. Source: []

// February 7, Homeland Security News Wire // – (International) **More than half of iPhone apps track users.** A recent study found that more than half of all iPhone apps could track users and collect data without an individual’s knowledge. Researchers analyzed more than 1,400 iPhone apps to determine how they handle sensitive data, and found that more than half collect an individual’s unique device ID or track a user’s location. When combined with links to a Facebook account, the app could gain a lot of sensitive data. Researchers found that 36 apps blatantly violated privacy rights by accessing an individual’s location without informing the user, while another 5 went so far as to take data from the user’s address book without first seeking permission. Source: []

// February 9, Softpedia // – (International) **Microsoft moves to kill AutoRun malware propagation vector.** Microsoft released an optional software update February 8 that restricts the AutoRun functionality on older Windows operating systems, therefore blocking a common malware propagation vector. AutoRun is the feature responsible for automatically parsing autorun(dot)inf files found on removable media devices, such as USB memory sticks, external HDDs, portable audio players, mobile phones, and optical discs. For years, security experts have campaigned against AutoRun, because it poses more security risks than usability benefits and is constantly abused by malware. Microsoft recognized the dangers and limited the functionality by default in Windows 7 and Windows Server 2008 R2. However, for older versions of Windows, such as XP, Vista, Server 2003, and Server 2008, the company only provided a fix that needed to be manually downloaded and installed. That changed February 8, when KB971029 was released as optional through Windows Update. Source: []
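The AutoRun item above describes KB971029 as an update that restricts AutoRun on older Windows versions. Independently of that update, the policy knob most hardening guides use to restrict AutoRun by drive type is the `NoDriveTypeAutoRun` REG_DWORD under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, where a set bit disables AutoRun for that drive type and `0xFF` disables it everywhere. The following is an added example, not from the Softpedia item or from Microsoft; it interprets that bitmask so an administrator can see which drive types a given value still leaves exposed, and the `0x91` value used as the weak example is a constructed illustration, not a claim about any particular Windows default. Reading the live registry is isolated in `read_policy()` and only runs on Windows.

```python
"""Interpret the NoDriveTypeAutoRun policy bitmask (added example)."""
import sys

# Drive-type bits of NoDriveTypeAutoRun. A set bit disables AutoRun for that type.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",  # USB memory sticks, memory cards
    0x08: "DRIVE_FIXED",      # fixed disks, including many external HDDs
    0x10: "DRIVE_REMOTE",     # network shares
    0x20: "DRIVE_CDROM",      # optical discs
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",         # reserved bit, included so that 0xFF means 'all'
}

DISABLE_ALL = 0xFF   # the hardened value: AutoRun off for every drive type
WEAK_EXAMPLE = 0x91  # constructed weak value: removable, fixed and optical still enabled

POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_enabled_types(value):
    """Return the drive-type names for which AutoRun is still allowed under `value`."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]


def is_hardened(value):
    """True when every drive-type bit is set, i.e. AutoRun is fully disabled."""
    return value & DISABLE_ALL == DISABLE_ALL


def read_policy():
    """Read the configured value on Windows; machine policy wins over user policy.

    Returns None off Windows or when neither hive defines the value.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(root, POLICY_PATH) as key:
                value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
                return int(value)
        except OSError:
            continue
    return None


def report(value):
    """Human-readable summary used by the command-line entry point."""
    if is_hardened(value):
        return f"0x{value:02X}: AutoRun disabled for all drive types"
    return f"0x{value:02X}: AutoRun still enabled for " + ", ".join(autorun_enabled_types(value))


if __name__ == "__main__":
    live = read_policy()
    for v in ([live] if live is not None else [WEAK_EXAMPLE, DISABLE_ALL]):
        print(report(v))
```

The value this reports is only half of the picture on the older systems the item names: the registry policy governs whether Explorer honours autorun.inf at all, while the update changes how AutoPlay treats autorun.inf on non-optical media, so a patch-compliance check should confirm both the update and the policy.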

// February 8, Reuters // – (International) **Cellphone security threats rise sharply: McAfee.** In its fourth-quarter threat report, released February 8, McAfee said the number of pieces of new cellphone malware it found in 2010 rose 46 percent over 2009’s level. “As more users access the Internet from an ever-expanding pool of devices — computer, tablet, smartphone or Internet TV — Web-based threats will continue to grow in size and sophistication,” the report said. McAfee attributed the trend to Adobe’s greater popularity in mobile devices and non-Microsoft environments, coupled with the ongoing widespread use of PDF document files to convey malware. Source: []

// February 8, Help Net Security // – (International) **Malware increases by 46% in only one year.** There is a steady growth of threats to mobile platforms, according to a new McAfee report. The number of pieces of new mobile malware in 2010 increased by 46 percent compared with 2009. The report also uncovered 20 million new pieces of malware in 2010, equating to nearly 55,000 new malware threats every day. Of the almost 55 million total pieces of malware McAfee Labs has identified, 36 percent was created in 2010. Concurrently, spam accounted for 80 percent of total e-mail traffic in Q4 2010, the lowest point since the first quarter of 2007. Source: []

// January 27, H Security // – (International) **50 million viruses and rising.** IT security lab AV-Test registered the 50 millionth new entry into its malware repository January 27. The malware in question is a PDF file which exploits a security hole in Adobe Reader to infect Windows systems. It has not been given a name yet because it has not been fully identified. So far, only the heuristics of Authentium, Eset, F-Prot, Kaspersky, and McAfee have issued a generic message such as: “HEUR:Exploit.Script.Generic.” This new item of malware confirms the trend that attackers trying to infect PCs no longer use mainly the security holes in operating systems or browsers as their point of entry. Instead, malware authors are focusing on third party applications. Source: []

// January 27, IDG News Service // – (International) **Smart cards no match for online spies.** The U.S. government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them. Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required smart cards and passwords. In a report released January 27, Mandiant calls this technique a “smart card proxy.” The attack works in several steps. First, the criminals hack their way onto a PC. Often they will send a specially crafted e-mail message to someone at the network they are trying to break into. The message will include a malicious attachment that, when opened, gives the hacker a foothold. After identifying the computers with card readers, the criminals install keystroke logging software on them to steal the password typically used in concert with the smart card. When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the criminals redirect that request to the hacked system, and return it with the token and the previously stolen password. Source: []

// January 25, Network World // – (International) **Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep.** Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyber threats posed by the likes of the Firesheep hijacking tool. The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions, according to a presentation scheduled at the USENIX Symposium on Networked Design and Implementation in Boston March 30 through April 1, 2011. SSL/TLS — the cryptographic protocols used to protect online Web transactions — encrypts traffic from visitors’ machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does. Based on an algorithm devised by researchers in Korea and the United States, SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit, whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper “SSLShader: Cheap SSL Acceleration with Commodity Processors.” Source: []

// January 26, Computerworld // – (International) **Intel developing security ‘game-changer’.** Intel’s chief technology officer said the chip maker is developing a technology that will be a security game changer. He told Computerworld January 25 that scientists at Intel are working on security technology that will stop all zero-day attacks. And, while he would give few details about it, he said he hopes the new technology will be ready to be released in 2011. He noted the technology will not be signature-based. Signature-based malware detection is based on searching for known patterns within malicious code. The problem, though, is that zero-day, or brand-new, malware attacks are often successful because they have no known signatures to guard against. Intel is working around this problem by not depending on signatures. Source: []

// January 24, Softpedia // – (International) **New Buzus distribution campaign generates wave of fake emails.** Security researchers from antivirus vendor Sophos warn of a new wave of e-mails distributing a new variant of the Buzus malware, which masquerade as official communications from major Web sites. Some of the rogue e-mails pose as a job application response from Google and purport to come from a resume-thanks@google(dot)com address. The message instructs recipients to open the attached file which is allegedly a review of the submitted application. The file, called CV-20100120-112.zip, contains an installer for the Buzus worm which spreads by sending the e-mails through an external SMTP server and copying itself to removable USB devices. The malware, detected as W32/AutoRun-BHX by Sophos, is also known to create copies of itself within folders usually shared by P2P applications with names suggesting cracks for popular applications. Source: []

// January 20, The Register // – (International) **Chinese Trojan blocks cloud-based security defenses.** A Trojan has been released that is specifically designed to disable cloud-based anti-virus security defenses. The Bohu Trojan blocks connections between infected Windows devices and cloud anti-virus services. Bohu — which was spotted by anti-virus researchers working for Microsoft in China — is hardwired to block access to cloud-based net services from Kingsoft, Qihoo, and Rising. All three firms are based in China. The malware poses as a video codec. If installed, Bohu applies a filter that blocks traffic between the infected machines and the service provider. The malware also includes routines to hide its presence on infected machines. Source: []

// January 19, Government Computer News // – (International) **PDF vulnerability found in Blackberry Attachment Service.** Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered “high” in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM-supplied fix. The vulnerability affects BES for Exchange, IBM Lotus Domino and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES for Exchange and IBM Lotus Domino version 5.0.2 and the Exchange-only 5.0.2 are also affected. Source: []

** What is easier than building a rogue botnet? Maybe stealing one. ** // January 19, The Register // – (International) **Bot attacks Linux and Mac but can’t lock down its booty.** Researchers from Symantec have detected a Trojan that targets Windows, Mac, and Linux computers and contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private. The bot can force its host to take instructions through Internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim’s Facebook account, among other things. Now, Symantec researchers have uncovered weaknesses in the bot’s peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim’s hard drive. That means the gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses. Source: []

// January 18, BBC News // – (International) **Facebook U-turns on phone and address data sharing.** Facebook appears to have decided to allow external Web sites to see users’ addresses and mobile phone numbers. Security experts said such a system would be ripe for exploitation from rogue app developers. The feature has been put on “temporary hold,” the social networking firm said in its developers blog. It said it needed to find a more robust way to make sure users know what information they are handing over. “Over the weekend [January 15 and 16], we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and are making changes to help ensure you only share this information when you intend to do so,” the firm said. The updates would be launched “in the next few weeks,” it added and the feature will be suspended in the meantime. Source: []

// January 18, Help Net Security // – (International) **ICQ’s critical flaw allows attackers to serve malicious software update.** ICQ — the popular instant messaging application — has a gaping security hole that can allow attackers to execute malicious code on the targeted system, a researcher said. The flaw affects the application’s automatic update mechanism, and affects all versions of ICQ 7 for Windows up to the latest one. The problem is the application does not verify the identity of the update server or the origin of updates through digital signatures or similar means. “By impersonating the update server (think DNS spoofing), an attacker can act as an update server of its own and deliver arbitrary files that are executed on the next launch of the ICQ client,” explained the researcher in a BugTraq post. “Since ICQ is automatically launched right after booting Windows by default and it checks for updates on every start, it can be attacked very reliably.” He even developed (and published) a PoC ICQ update builder and shared step-by-step instructions on how to run a HTTP server to serve the malicious updates. Since there is no way to switch off the automatic updating mechanism, the researcher advises users to stop using the application until a fix is issued. Source: []

// January 18, Help Net Security // – (International) **Vulnerabilities in the Boonana Trojan increase the danger.** First spotted almost 3 months ago, the Boonana Trojan stood out because of its capability to infect both computers running Windows and machines running Mac OS X. The Trojan nestles itself in the system and allows outside access to all files on it. It also has vulnerabilities that other attackers can exploit to collect information about the infected system or — according to a Symantec researcher — to build a fully functional parallel botnet or take over the existing one. The Boonana bots are designed to take part in a P2P network and communicate with each other via a custom-designed protocol. Apart from making the identification of infected hosts in a particular IP range almost trivial, the P2P protocol contains an information-disclosure vulnerability that reveals which operating system the infected computer is running. According to Symantec, in December 2010, 84 percent of infected systems were running Windows and 16 percent were running a version of OS X. Source: []

// January 13, Forbes // – (International) **Web security cams are a voyeur’s delight: Is your IP cam password protected?** Web security cameras can be insecure, a researcher from Ars Technica found. The researcher took a spin around the Web checking out live feeds from cameras focused on a number of commercial locations. He was even able to tap into police cameras monitoring an intersection in Texas. In most instances, these cameras were not meant to be offering live video for public consumption. Within the surveillance community, many are turning from closed-circuit/analog cameras to Internet protocol (IP) cameras. While IP cameras are cheaper to install, they can also be easy to locate and to hack into if they are not properly protected. “Finding IP cameras with Google is surprisingly easy,” the researcher noted. “Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.” Source: []

// January 18, IDG News Service // – (National) **Criminal charges filed against AT&T iPad attackers.** The U.S. Department of Justice (DOJ) will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the U.S. Attorney’s Office, District of New Jersey announced January 17. A suspect will be charged in U.S. District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Another suspect will be charged with the same counts at the U.S. Western District Court of Arkansas. The second suspect made headlines last June when he discovered that AT&T’s Web site was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said nobody from the hacking group contacted it about the flaw. The hacker was arrested January 18 at an Arkansas courthouse, where he had been facing drug possession charges. Those charges have now been dropped. Source: []

// January 14, Softpedia // – (International) **First toolkit resulting from ZeuS-SpyEye merger hits the underground market.** Security researchers from McAfee warned the first crimeware toolkit to result from the ZeuS-SpyEye merger is now available for purchase on the underground market. In late 2010 the security community was surprised to hear rumors that ZeuS and SpyEye, two rival threats in the cybercriminal world, would be joined together under a single developer. This unexpected turn of events was supposedly the result of the ZeuS author’s intention to retire from the malware-writing scene after a successful run. The new “SpyEye / ZS Builder,” released January 11, is a SpyEye version enhanced with some of ZeuS’ functionality. New features include brute-force password guessing, Jabber notification, a VNC module, auto-spreading, auto-update, unique stub generation, and an enhanced screenshot system. The builder is much cheaper than ZeuS used to be: the basic version, without VNC (remote desktop) and without the ability to inject code into Firefox pages, costs $300, while the full version costs $800. Source: []

// January 14, Help Net Security // – (International) **Ransomware continues to pose a threat.** Symantec warns against attackers using ransomware. This type of malware blocks access to the computer and then demands payment to restore it. Some ransomware locks the computer’s desktop and asks the user to send a text message to a premium-rate number to receive a code that will restore access to the system. Other ransomware additionally changes the desktop background image to one that contains the request for money, instructions on how and where to send it, and an embarrassing pornographic image that makes the user less willing to ask for technical help. There is also ransomware that encrypts user files and holds them for ransom. Sometimes the encryption key is stored on the computer and the user can decrypt the files if they know where to look for it, but other times the files are lost for good, because there is no guarantee the criminals will send the decryption key even if the victim pays. Some ransomware does not even allow the operating system to boot. Source: []

// January 13, Softpedia // – (International) **RIM fixes vulnerabilities in BlackBerry OS and BlackBerry Enterprise Server.** Research In Motion has released security updates for BlackBerry OS and the BlackBerry Enterprise Server (BES) software to address two vulnerabilities, one of moderate and one of high risk. The vulnerability affecting BlackBerry devices is a denial of service condition that can crash the browser application. It affects BlackBerry Device Software versions earlier than 6.0.0 and can be exploited by tricking users into visiting a maliciously crafted Web page. The vulnerability has a CVSS score of 5.0, which equates to a moderate risk because the DoS condition is only partial. The vulnerability patched in the BES is the more serious and carries a CVSS base score of 9.3 out of 10. It stems from a buffer overflow in the Attachment Service of the portable document format (PDF) distiller component. Exploitation involves tricking a user into opening a specially crafted PDF file. Source: []

// January 12, Softpedia // – (International) **Microsoft issues workaround for actively exploited 0-day IE vulnerability.** Microsoft is investigating reports of a zero-day Internet Explorer vulnerability being exploited in the wild and has released a workaround for customers to protect themselves until a permanent patch is ready. The vulnerability, identified as CVE-2010-3971, was originally reported on the Full Disclosure mailing list December 8 as a denial of service condition. However, vulnerability researchers who later analyzed it, discovered it can also be exploited to execute arbitrary code. The flaw stems from a use-after-free memory error within the “mshtml.dll” library and affects all versions of Internet Explorer running on all supported Windows variants. A group called Abysssec Security Research developed a working exploit capable of bypassing the DEP and ASLR protection mechanisms and added it to the Metasploit open source penetration testing framework. Microsoft released a workaround January 12 in the form of a “Fix It” tool that companies can deploy throughout their networks. Source: []

// January 11, Softpedia // – (International) **Fake Coca-Cola survey emails lead to phishing page.** Security researchers from e-mail security vendor AppRiver warned of a new phishing campaign whose e-mails offer a reward for taking part in a Coca-Cola opinion poll. The fake e-mails began hitting in-boxes January 10 and bear the subject “Happy New Year.” Their header has been spoofed to appear as if they come from a customer[at]cocacola[dot]us e-mail address. The message is a bit confusing, as it portrays the well-known company as a polling organization interested in people’s opinions about current events. Recipients are provided with a link to the poll page and, to convince them to complete it, the e-mails offer $150 to every participant. Users are taken through a series of redirects before landing on a page reading “Coca-Cola’s Customer Satisfaction Survey.” This page asks for a wealth of personal information, including full name, address, driver’s license number, mother’s maiden name, home phone number, date of birth, and full credit card details. Source: []

// January 11, The Register // – (International) **Spam volumes double as Rustock botnet wakes.** Spam volumes have returned to normal following a holiday lull that saw a drastic reduction of junk mail. The Rustock botnet is out of hibernation and back in business, spewing copious volumes of useless junk mail courtesy of hundreds of thousands of compromised Windows machines. Rustock (which specializes in spamvertising unlicensed pharmaceutical Web sites) is the biggest single source of global spam. Its return January 10 resulted in the doubling (98 percent increase) of global junk mail volumes over the course of just 24 hours, MessageLabs reported. Source: []

// January 11, AfterDawn // – (International) **Security researcher uses Amazon cloud to hack WPA-PSK passwords.** A security researcher in Germany is warning that Amazon’s cloud service can be used to brute force weak passwords used to protect Wi-Fi networks. Short and weak passwords are vulnerable to a brute-force attack, especially at the speeds offered by Amazon’s services, which are capable of testing 400,000 potential passwords every second. The researcher claims to have recovered the key for a network in his neighborhood using his method and Amazon’s service. The brute-force attack took about 20 minutes to find the correct key, but he is making changes to his code which he reckons could bring the time in such a case down to about 6 minutes. He will distribute his software publicly and give demonstrations on using it at the Black Hat conference in Washington, D.C. He is releasing it to convince skeptical network administrators that such attacks will often succeed against protected networks. Source: []
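The speed figure in this item only makes sense against the cost of one guess. WPA/WPA2-PSK derives its Pairwise Master Key with PBKDF2-HMAC-SHA1 over the passphrase, salted by the SSID, for 4096 iterations, and that work has to be repeated for every candidate. The Go program below is an added example, not the researcher’s tool: it implements the derivation from the standard library alone, checks it against the IEEE 802.11i Annex H test vector (passphrase “password”, SSID “IEEE”), runs a constructed wordlist against a target PMK, and estimates exhaustion times at the article’s 400,000 guesses per second. Comparing PMKs is a simplification made for the example: a real cracker verifies candidates against the MIC of a captured four-way handshake, but the per-guess PBKDF2 cost, which is what sets the attack speed, is the same.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
	"time"
)

// pbkdf2HMACSHA1 implements RFC 2898 PBKDF2 with HMAC-SHA1 directly, so the
// example needs nothing outside the standard library.
func pbkdf2HMACSHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, keyLen+hLen)
	var idx [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPAPMK derives the 256-bit Pairwise Master Key of WPA/WPA2-PSK:
// PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations). Those 4096 HMAC
// rounds are the entire cost of testing one candidate passphrase.
func WPAPMK(passphrase, ssid string) []byte {
	return pbkdf2HMACSHA1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// WPAPMKHex is WPAPMK as a lowercase hex string, the form test vectors use.
func WPAPMKHex(passphrase, ssid string) string {
	return hex.EncodeToString(WPAPMK(passphrase, ssid))
}

// CrackPMK tries each candidate in order and reports the first whose PMK
// matches, plus how many guesses that took.
func CrackPMK(target []byte, ssid string, candidates []string) (string, int, bool) {
	for i, c := range candidates {
		if bytes.Equal(WPAPMK(c, ssid), target) {
			return c, i + 1, true
		}
	}
	return "", len(candidates), false
}

// SecondsToExhaust is the time to try every passphrase of the given length
// over an alphabet of the given size at a fixed guessing rate.
func SecondsToExhaust(alphabetSize, length int, guessesPerSecond float64) float64 {
	return math.Pow(float64(alphabetSize), float64(length)) / guessesPerSecond
}

func main() {
	// IEEE 802.11i Annex H test vector: expected PMK starts f42c6fc5...
	fmt.Println("PMK(password, IEEE) =", WPAPMKHex("password", "IEEE"))

	target := WPAPMK("password", "IEEE")
	wordlist := []string{"letmein", "12345678", "password", "qwertyui"} // constructed sample
	start := time.Now()
	pw, tried, ok := CrackPMK(target, "IEEE", wordlist)
	fmt.Printf("found=%v passphrase=%q after %d guesses in %v\n", ok, pw, tried, time.Since(start))

	// Exhaustion time at the article's 400,000 guesses/s for three passphrase policies.
	for _, c := range []struct{ alpha, n int }{{10, 8}, {26, 8}, {95, 12}} {
		fmt.Printf("alphabet %2d, length %2d: %.3g s\n", c.alpha, c.n, SecondsToExhaust(c.alpha, c.n, 400000))
	}
}
```

At 400,000 guesses per second an 8-digit PIN falls in about four minutes and an 8-letter lowercase word in about six days, while twelve characters drawn from the printable ASCII set need more than 10^18 seconds. Passphrase length and character set are the only things the network owner controls here; the SSID salt stops one precomputed table from serving every network, but does nothing against a run targeted at a specific SSID.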

// January 4, Softpedia // – (International) **Adware and Java trojans dominated the web threat landscape in December.** According to statistics from Kaspersky Lab, adware programs and Java-based downloaders were the most common threats encountered on the Web during December 2010. The most frequently encountered one was AdWare.Win32.HotBar.dh, which attempted to infect 203,975 distinct users. It includes HotBar, Zango, and ClickPotato and was the most prominent threat overall, across all categories. Two other adware samples in the ranking were AdWare.Win32.FunWeb.di and AdWare.Win32.FunWeb.fq. The second most common threat was Trojan-Downloader.Java.OpenConnection.cf, a downloader that calls the openConnection() method of Java’s URL class to fetch malware onto the computer. Third place went to rogue IFrames injected into compromised Web sites. Source: []

//January 3, Softpedia// – (International) **Recent spam campaign points to new Storm botnet.** While analyzing a recent spam campaign, security researchers found what seems to be a new version of the Storm or Waledac botnets. According to the Shadowserver Foundation, a recent junk e-mail campaign distributed links that led to a new Waledac or Storm variant. The e-mails come with a subject announcing a holiday e-card, and their body directs users to a link to view the alleged greeting. These links lead to HTML pages hosted on compromised Web sites, which in turn execute a meta redirect to one of multiple domain names controlled by the attackers. The domains use fast-flux hosting: they resolve to many IP addresses and are difficult to shut down. The landing pages on these domains display a message reading “Can’t view the greeting? Download Flash Player!” If the visitor does not click the link to download the alleged Flash Player installer within 5 seconds, they are redirected to a secondary page that serves several exploits for outdated software on their computer. If they do click the link, a file called install_flash_player.exe is downloaded; if executed, it opens an Internet Explorer connection to the same exploit page. In both scenarios, successful exploitation downloads the new Storm variant. Source: []

// December 29, Softpedia // – (International) **Old apps can pose privacy risks for Facebook users and their friends.** People who have had a Facebook account since before April 2010 should remove older apps and reinstall them, because the old installs still have unrestricted access to a wealth of information about the user and their friends. Back in April, Facebook announced a new data control system under which users are told at install time how an application needs to interact with their account and information in order to work. This lets people weigh the privacy-versus-functionality trade-off of each app and was part of the company’s work with the Canadian privacy commissioner. The new permissions dialog became mandatory June 1, 2010, but it did not affect the access already granted to installed apps. While Facebook was clear about this with developers, it failed to mention it in its announcement to users. Source: []

// December 29, Bloomberg // – (International) **Apple sued over applications giving information to advertisers.** Apple Inc., maker of the iPhone and iPad, was accused in a lawsuit of allowing applications for those devices to transmit users’ personal information to advertising networks without customers’ consent. The complaint, which seeks class action, or group, status, was filed December 23 in federal court in San Jose, California. The suit claims Cupertino, California-based Apple’s iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they are used, and for how long. Apple iPhones and iPads are set with a Unique Device Identifier, or UDID, which cannot be blocked by users, according to the complaint. Apple claims it reviews all applications on its App Store and does not allow them to transmit user data without customer permission, according to the complaint. Source: []

// December 27, SpamfighterNews // – (National) **Kindsight research reveals 33% of home PCs hacked.** Kindsight, the developer of “Identity Protection,” recently announced the results of a 30-day study of about 200,000 North American households that use the Internet. It found that 33 percent of household personal computers were infected with malware and at serious risk of cyber-crime, ID theft, and other attacks. After classifying the attacks into four groups, the research found spyware was behind 47 percent of the infections, while Trojans and other malware leading to ID theft accounted for 21 percent. Botnet attacks, which let attackers seize control of home computers, accounted for 26 percent of the infected home PCs, while conventional viruses accounted for merely 6 percent. Source: []

// December 22, Softpedia // – (International) **Webmasters largely unresponsive to infection reports from security researchers.** Security researchers from Sophos say that webmasters are generally unresponsive when contacted about their infected Web sites, or, if they do respond, respond in a hostile way. Legitimate infected Web sites have become one of the primary vectors for spamming and spreading malware online. They are commonly used as doorway pages in black hat search engine optimization (BHSEO) campaigns or to launch drive-by download attacks. The problem with such Web sites is that they can remain infected for long periods if their owners are not persuaded to clean them. According to a principal virus researcher at Sophos, adding to the problem is the fact that spotting the signs of infection is not always straightforward. For example, some scripts hide the malicious code unless the user arrives at the site through a search engine. The researcher notes that most webmasters seemed to care only whether their Web site was up and appeared normal, without any interest in what happens in the background. Source: []

//December 21, Softpedia// – (International) **New URL shortener hijacks browsers for DDoS.** To highlight the dangers of implicitly trusting shortened URLs, a student has launched a service that generates links which take users to their destination but also hijack their browsers for DDoS. Called d0z.me, the service is the creation of a computer science major at the University of Tulsa who describes himself as a security enthusiast. It builds on the recently created JavaScript-based LOIC, which lets people voluntarily join a DDoS effort by visiting a Web page instead of installing an application on their computers. That tool works by repeatedly modifying an image tag’s src attribute in order to force the browser to continuously send HTTP requests to the targeted server. D0z.me was released as a proof of concept and works by loading the destination page in a transparent iframe. The source code is freely available under the GPL. To use the service, attackers specify the destination link and the URL to be targeted; the title of the page can also be configured. The resulting short URL can then be spread on social media Web sites to attract as many visitors as possible. People who click on the link will have no indication that something is wrong, except that the URL in the address bar stays at d0z.me. Meanwhile, in the background, their computer sends hundreds of requests per minute to the target URL. The longer the visitor spends on the legitimate destination page, the more effective the attack is. Source: []

//December 21, Help Net Security// – (International) **Database of routers’ embedded private SSL keys published.** The recent publication of a database containing over 2,000 private SSL keys hard-coded into various routers — with their corresponding public certificates and hardware/firmware versions — has made decrypting the traffic going through such a device very easy. “While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link, and Netgear,” said a member of the /dev/ttyS0 group behind the project, called LittleBlackBox. “Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device’s firmware. Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host,” he wrote. The LittleBlackBox code is available for download. Source: []
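What makes a LittleBlackBox-style lookup work is that a certificate carries the public half of the key, and the public half identifies the private half regardless of what else is in the certificate. The Go program below is an added example, not the LittleBlackBox code: it indexes private keys by the SHA-256 fingerprint of their public key, builds a self-signed certificate like one a router’s HTTPS admin interface would serve, and looks that certificate up in the index. The key labels and the demo keys are constructed for the illustration; real embedded keys would be pulled from the firmware’s file system, and the certificate from a pcap or a TLS connection to the device.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// KeyDB indexes private keys by a fingerprint of their public half, so a key
// can be located from nothing more than a certificate seen on the wire.
type KeyDB struct {
	keys   map[string]*rsa.PrivateKey
	labels map[string]string // fingerprint -> device/firmware label
}

func NewKeyDB() *KeyDB {
	return &KeyDB{keys: map[string]*rsa.PrivateKey{}, labels: map[string]string{}}
}

// Fingerprint is SHA-256 over the DER SubjectPublicKeyInfo, a value the
// certificate and the private key share exactly.
func Fingerprint(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Add records a key extracted from a firmware image under a descriptive label.
func (db *KeyDB) Add(label string, priv *rsa.PrivateKey) error {
	fp, err := Fingerprint(&priv.PublicKey)
	if err != nil {
		return err
	}
	db.keys[fp] = priv
	db.labels[fp] = label
	return nil
}

// LookupCertPEM takes a PEM certificate (scraped from an HTTPS admin page or
// a pcap) and returns the matching private key and label if the DB has one.
// Matching is on public key material alone: subject names, serial numbers
// and validity dates, which vary per device, play no part.
func (db *KeyDB) LookupCertPEM(certPEM []byte) (*rsa.PrivateKey, string, bool) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, "", false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, "", false
	}
	fp, err := Fingerprint(cert.PublicKey)
	if err != nil {
		return nil, "", false
	}
	priv, ok := db.keys[fp]
	return priv, db.labels[fp], ok
}

// NewDeviceKey stands in for a key pulled out of a firmware image
// (constructed for the demo; real embedded keys are 1024- or 2048-bit RSA).
func NewDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 1024)
}

// SelfSignedCertPEM builds the kind of self-signed certificate a router's
// HTTPS admin interface serves for the given key.
func SelfSignedCertPEM(priv *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	db := NewKeyDB()
	embedded, err := NewDeviceKey() // "extracted from firmware"
	if err != nil {
		panic(err)
	}
	db.Add("constructed sample: RouterCo firmware 1.0, hard-coded key", embedded)

	served, _ := SelfSignedCertPEM(embedded, "192.168.1.1") // what the device presents
	if priv, label, ok := db.LookupCertPEM(served); ok {
		fmt.Printf("match: %s (RSA-%d)\n", label, priv.N.BitLen())
	}

	unique, _ := NewDeviceKey() // a device with a key generated at first boot
	other, _ := SelfSignedCertPEM(unique, "192.168.1.1")
	_, _, ok := db.LookupCertPEM(other)
	fmt.Println("per-device key found in database:", ok)
}
```

The same index answers the defensive question: load a vendor’s published or leaked key list and scan the HTTPS certificates in your own estate. A hit means every session to that device negotiated with an RSA key-exchange cipher suite can be decrypted passively from a packet capture (Wireshark accepts such keys directly), and an active attacker can impersonate the admin interface regardless of cipher suite. The remedy is a key generated on the device at first boot, not one baked into the firmware image.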

//December 20, United Press International// – (International) **Most hacker attacks are quietly blocked.** The WikiLeaks battle has put the spotlight on cyberattacks, but most hacker blitzes are foiled and pass without public notice, U.S. experts said. Hackers assaulted five big online retailers as the holiday shopping season began November 30. But a global network run by Akamai Technologies of Cambridge, Massachusetts, intercepted the data deluge, The Boston Globe reported. Akamai, an Internet infrastructure company, is one of many that defend the Internet against distributed denial of service, or DDOS, attacks like the one employed by the WikiLeaks backers. When a DDOS attack hit the retailers November 30, the spike in traffic was spotted immediately at Akamai’s operations center in India. Akamai, with about 80,000 servers in 70 countries, instantly assigned extra ones to handle the traffic, ensuring that the retailers would not be overwhelmed. The sites were assaulted for 3 days, but not knocked offline. Akamai would not reveal who the retailers were. Source: []

//December 20, Infosecurity// – (International) **Symantec researcher spots C&C botnet toolkit in the wild.** Security researchers from Symantec claim to have spotted a new crimeware toolkit being sold in the underground marketplace. The toolkit — known as Dream Loader — generates a Trojan exclusively used to distribute malware. According to a security researcher with Symantec, the toolkit is a command-and-control (C&C) botnet engine that is flagged up as Trojan.Karagany by Symantec’s software. The malware generated by the toolkit is already circulating in the wild. The engine itself is said to come in a pack that contains both a builder to build an executable bot, as well as a Web interface to control all a hacker’s bots by sending commands across the Internet. The security researcher said the pack — now into version 0.3 — is relatively new and seems to have originated from Russia. The first edition of the toolkit, he said, was discovered in November and is designed to be modular and load plugins. Source: []

//December 17, Infosecurity// – (International) **One-quarter of consumers have turned off their anti-virus software.** Twenty-five percent of consumers surveyed by anti-virus software provider Avira turned off their anti-virus software because it was slowing down the computer, while 12 percent considered abandoning the Internet because of safety concerns. In addition, 63 percent of consumers have tried multiple anti-virus security products in a 1-year span on the same computer, according to the survey of 9,091 Avira customers worldwide. “It’s not surprising that consumers try multiple security products each year since everyone is trying to find the right security product which can effectively balance protection and a computer’s resource usage”, said a data security expert with Avira. “The scary take-away from this survey is that 25 percent of the respondents admitted to turning off their security products because they feel that it hurt the performance of the machine.” He said vendors must be careful not to overload anti-virus software with features that could have a significant effect on system performance. Anti-virus vendors should focus on offering products providing the minimum necessary protection, rather than protection “with all the whistles and bells” that users deactivate to use their computers. Source: []

//December 16, SC Magazine// – (International) **Malware targeting Google Android quadruples in 2010.** Malware aimed at Google’s Android mobile operating system rose fourfold in 2010, compared to 2009, research has shown. This represented the most significant jump in comparison to other platforms, claimed mobile security specialists AdaptiveMobile. Reported exploits targeting the iPhone fell, as did new Symbian malware, which dropped by 11 percent. However, the overall number of mobile malware infections reported went up 33 percent, again compared with 2009 figures. Source: []

//December 15, Social Barrel// – (International) **Yahoo image search hacked.** Yahoo’s image search began to display pornographic images December 14, the same day Yahoo laid off over 600 employees. The pornographic images seemed to appear no matter what someone searched on Yahoo. They would not appear immediately, but if a user clicked on a thumbnail image at the top of the search results, what has been described as a XXX photo would appear. Yahoo first pulled down the image thumbnails to avoid any further appearance of the images, and by December 15 it appeared the issue had been fixed. Many industry observers are suggesting, although there does not appear to be any concrete evidence as of now, that it could have been a disgruntled Yahoo employee who was let go during the series of layoffs. Yahoo released about 4 percent of the company’s workforce December 14 in an attempt to streamline operations and better compete with rivals such as Facebook and Google. Source: []

//December 15, The Register// – (International) **Feds probe ‘100 site’ data breach.** FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used e-mail marketing services from Atlanta, Georgia-based Silverpop Systems. “The breach is with Silverpop, an e-mail service provider that has over 105 customers,” a special agent in the FBI’s Atlanta field office told The Register. “It appears to be emanating from an overseas location.” He declined to provide further details. Over the past week, at least two other sites — one known to have ties to Silverpop and another that appears to — issued similar warnings to their customers. deviantART, a Web site that boasts more than 16 million registered accounts, warned its users that their e-mail addresses, user names, and birth dates were exposed to suspected spammers as a result of a breach at the e-mail provider. Source: []

//December 13, Softpedia// – (International) **Fake Hallmark Christmas card emails carry malware.** Security researchers warn of a new wave of fake e-mails purporting to come from Hallmark, which try to pass off a computer Trojan as a Christmas card. According to Belgian e-mail security vendor MX Lab, the e-mails began circulating the week of December 6 and have the subject “1st Christmas Card.” Their header is spoofed to appear as if they originate from card@hallmark(dot)com, and they use a Hallmark e-mail template that mimics the look of the company’s Web site. The message suggests the attackers do not only spread these fake e-mails themselves, but also try to socially engineer recipients into forwarding them. The e-mails carry an attached archive called SnowFairy.zip, which contains a 610 KB executable, SnowFairy.exe. The file is a Trojan with a relatively high AV detection rate, according to VirusTotal. Source: []

//December 14, Help Net Security// – (International) **Hacktivism and social engineering emerge as top threats.** Hacktivism and more profit-oriented malware, social engineering, and malicious codes with the ability to adapt to avoid detection will be the main threats in the coming year, according to PandaLabs. There will also be an increase in the threats to Mac users, new efforts to attack 64-bit systems and zero-day exploits. The major security trends of 2011 are: malware creation, cyber war, cyber-protests, social engineering, BlackHat SEO attacks, Windows 7 influencing malware development, mobile phones, Mac, HTML5, and highly dynamic and encrypted threats. Source: []

//December 13, V3.co.uk// – (International) **RealPlayer receives big security fix.** Real Networks has issued a security update for its RealPlayer media tool. The company said that users who update to the latest versions of the Windows, MacOS X, and Linux versions of RealPlayer will be protected from the 27 reported flaws. Real Networks said that none of the vulnerabilities has been reported as being actively targeted for exploits in the wild. Among the 27 vulnerabilities addressed in the patch are flaws which, if exploited, could allow an attacker to remotely install and execute code on a targeted system. The company said that users can protect against all of the vulnerabilities by upgrading to the latest version of the software. Source: []

//November 29, Computerworld// – (International) **Scammers can hide fake URLs on the iPhone, says researcher.** Identity thieves can hide URLs on the iPhone’s limited screen real estate, tricking users into thinking they are at a legitimate site, a security researcher said November 29. In a proof of concept, the researcher showed how legitimate Web applications such as Bank of America’s mobile banking application hide Safari’s address bar after rendering the page. He speculated that developers do this to use as much as possible of the limited screen real estate on mobile devices like the iPhone. “Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,” said the researcher on his personal blog and in an entry on the SANS Institute’s blog. The ability to hide the address bar in iOS is by design, he noted. “I did contact Apple about this issue and they let me know they are aware of the implications, but do not know when and how they will address the issue,” the researcher said. He suggested that Apple modify iOS to prevent Web applications from hiding the URL. Source: [http://www.computerworld.com/s/article/9198380/Scammers_can_hide_fake_URLs_on_the_iPhone_says_researcher]

//November 29, PC World// – (International) **Ransomware attack resurfaces to hold files hostage.** The latest ransomware attack seems to be a variant of the GpCode Trojan, which has made seemingly annual reappearances to extort money over the past few years. A compromised system shows a Notepad pop-up or changes the desktop background to display a message that reads “Attention!!! All your personal files were encrypted with a strong algorithm RSA-1024 and you can’t get an access to them without making of what we need!” This is followed by further broken-English instructions directing the user to read a text file explaining that a ransom of $120 is required to get the decryption key. Past ransomware extortion efforts created an encrypted copy of each file but left the original intact. This latest version, however, encrypts the original file, making recovery significantly harder, if not virtually impossible. Users are advised to shut the computer down as quickly as possible once the ransom alert appears: in the background the malware is still busy encrypting, and by shutting the system down — yanking the plug from the wall if necessary — the user might be able to save some of the data. Source: [http://www.networkworld.com/news/2010/112910-ransomware-attack-resurfaces-to-hold.html?hpg1=bn]

//November 29, The Register// – (International) **Feds seize 70 ‘filesharing, dodgy goods’ sites.** The U.S. government has seized 70 sites allegedly offering counterfeit goods or links to copyright-infringing material. Among the domains seized was the BitTorrent meta-search engine Torrent-Finder.com, along with other music linking sites. Other sites on the list allegedly sold fake designer clothes. Surfers visiting the seized sites were confronted by a notice from Immigration and Customs Enforcement (ICE) instead of the expected content. ICE told the New York Times the seizures were part of an “ongoing investigation” but declined to elaborate, beyond saying court-issued seizure warrants were involved. The seizures happened as a new bill addressing this issue, the Combating Online Infringements and Counterfeits Act, was introduced in Congress. Source: [http://www.theregister.co.uk/2010/11/29/ice_piracy_domain_seizures/]

//November 29, The Register// – (International) **Lone hacker theory in Wikileaks DDoS attack.** A denial of service attack that brought the whistleblower site WikiLeaks to its knees November 28, in the run-up to its publication of classified State Department documents, may turn out to be the work of a lone hacker. The attack, which rendered the site inaccessible for several hours, might be blamed on an application-level assault targeting a vulnerability in WikiLeaks’ Apache Web server, according to Internet reports. A hacker called The Jester has previously used the XerXeS attack tool against jihadist sites. If the rumors are true, the same tool was turned against WikiLeaks, making the site unavailable at a critical time. “We are currently under a mass distributed denial of service attack,” WikiLeaks said November 28 via updates to its Twitter feed. “El Pais, Le Monde, Spiegel, Guardian & NYT will publish many U.S. embassy cables tonight, even if WikiLeaks goes down,” it added. Rather than a purely conventional packet flood, it seems probable the site was also hit by the XerXeS tool. The Jester claimed responsibility for an attack on WikiLeaks in a Twitter update November 28. Source: [http://www.theregister.co.uk/2010/11/29/wikileaks_ddos/]

//November 28, IDG News Service – (International) **Leaked U.S. document links China to Google attack.** The cache of more than 250,000 U.S. Department of State cables that WikiLeaks began releasing November 28 includes a document linking China’s Politburo to the December 2009 hack of Google’s computer systems. The U.S. Embassy in Beijing was told by an unidentified Chinese contact that China’s Politburo “directed the intrusion into Google’s computer systems,” the New York Times reported November 28, citing a single leaked State Department cable. “The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts, and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said,” the Times reported. The cable is another piece of evidence, albeit thinly sourced, linking China to the Google attack. Security experts have linked the attacks to servers at a university used by the Chinese military, and both Google and the State Department implied that they thought China was behind the attacks when they were first disclosed in January 2010, but nobody has produced conclusive proof that they were state-sponsored. Source:// [|//http://www.computerworld.com/s/article/9198198/Leaked_U.S._document_links_China_to_Google_attack//]

//November 24, Help Net Security – (International) **34% of all malware ever created appeared in 2010.** According to PandaLabs, the number of threats created and distributed in the first ten months of the year accounts for one third of all viruses that exist. This means that 34 percent of all malware ever created has appeared in the last 10 months. The company’s database, which automatically detects, analyzes and classifies 99.4 percent of the threats received, now has 134 million separate files, 60 million of which are malware (viruses, worms, Trojans and other threats). In the year up to October, some 20 million new strains of malware have been created (including new threats and variants of existing families), the same amount as in the whole of 2009. The average number of new threats created every day has risen from 55,000 to 63,000. This would all suggest that the cyber-crime market is currently in rude health, although this is also possibly conditioned by the increasing number of cyber-crooks with limited technical knowledge who are turning their hand to these activities. This also means that although more malicious software is created, its lifespan is shorter: 54 percent of malware samples are active for just 24 hours, as opposed to the lifespan of several months enjoyed by the threats of previous years. They now infect just a few systems and then disappear. Source:// [|//http://www.net-security.org/malware_news.php?id=1545//]

//November 24, Help Net Security – (International) **Kids lured to scam site by promises of parental control bypassing.** The latest scam to hit Facebook users is one that supposedly offers a completely free proxy service for those who want to bypass parental controls and blocks set up by schools and at workplaces that prevent users from accessing certain sites such as Facebook. The campaign is specifically targeting kids, luring them into trying out the service located at hxxp:myfatherisonline.com to access Facebook in school. Sunbelt researchers have poked around the site and discovered a veritable trove of various scamming attempts. The victims are faced with an affiliate site containing malware, surveys, quizzes, and offers for free iPhones that will try to get them to subscribe to a premium rate service or sign up for spam. Source:// [|//http://www.net-security.org/malware_news.php?id=1546//]

//November 24, BBC News – (International) **Facebook news feeds beset with malware.** One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers. Security firm BitDefender said it had detected infections contained in the news feeds of around 20 percent of Facebook users. Facebook said it already had steps in place to identify and remove malware-containing links. BitDefender arrived at its figures by analyzing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site. In the month since safego launched, it has analyzed 17 million Facebook posts, said BitDefender. The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware. These apps would then either install malware used for spying on users or to send messages containing adverts to the users’ contacts. Facebook said it had processes and checks in place to guard against the risk of malware. “Once we detect a phony message, we delete all instances of that message across the site,” the site said in a statement. Source:// [|//http://www.bbc.co.uk/news/technology-11827856//]

//November 24, PCWorld – (International) **Android browser flaw exposes user data.** A vulnerability in the Android browser could permit an attacker to steal the user’s local data, according to a report November 23 from a security expert. Specifically, a malicious Web site could use the flaw to access the contents of files stored on the device’s SD card as well as “a limited range of other data and files stored on the phone,” the expert explained. In essence, the problem arises because the Android browser does not prompt the user when downloading a file. “This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort,” he noted. The Android Security Team responded within 20 minutes of the expert’s notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated. In the meantime, the security expert suggests a few steps users can take to protect themselves, including disabling JavaScript in the browser. Source:// [|//http://www.pcworld.com/businesscenter/article/211623/android_browser_flaw_exposes_user_data.html//]

//November 23, The Register – (International) **Network card rootkit offers extra stealth.** Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card. A reverse engineer at French security firm Sogeti ESEC was able to develop proof-of-concept code after studying the firmware from Broadcom NetExtreme PCI Ethernet cards. He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where firmware code is stored, as well as the bootstrap process of the device. Using the knowledge gained from this process, he was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors. Chief among these is that there will be no trace of the rootkit on the operating system, as it is hidden inside the network interface card. Source:// [|//http://www.theregister.co.uk/2010/11/23/network_card_rootkit///]

//November 23, PC World – (International) **iOS 4.2 includes massive security update.** Apple has released iOS 4.2. The update fixes more than 80 vulnerabilities in the iPhone, iPod, and iPad. Apple policy dictates that the vulnerabilities not be publicly disclosed until the patch is available. Many of the vulnerabilities had critical security implications. For example, viewing a PDF file was a potentially risky task on pre-iOS 4.2 devices. “A heap buffer overflow exists in FreeType’s handling of TrueType opcodes [CVE-2010-3814]. Viewing a PDF document with maliciously crafted embedded fonts may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking,” Apple said. There is also a vulnerability which reveals surfing history. “A design issue exists in WebKit’s handling of the CSS :visited pseudo-class. A maliciously crafted website may be able to determine which sites a user has visited. This update limits the ability of web pages to style pages based on whether links are visited.” Source:// [|//http://www.computerworld.com/s/article/9197839/iOS_4.2_includes_massive_security_update//]

//November 23, Network World – (International) **Facebook’s Christmas Tree virus only a hoax.** Security vendor Sophos said Facebook users can relax and stop warning each other about a supposed computer-crashing Christmas tree-themed app disguised as a virus, since the whole thing is just a hoax. Thousands of Facebook users have raced in recent days to rescue friends by posting warnings of “one of the WORST Trojan viruses” out there, but Sophos said it has seen no evidence that such a malware-bearing app exists (not that one could not be concocted). Sophos said the warnings of this non-existent app actually appear to have traveled faster than past warnings of real threats. Geek Squad is cited by Facebook users as a source warning of the Christmas Tree app. A senior technology consultant with Sophos noted there was a real Christmas tree virus back in the late 1980s that did infect machines on IBM’s internal network and other networks. Source:// [|//http://www.computerworld.com/s/article/9197842/Facebook_s_Christmas_Tree_virus_only_a_hoax//]

//November 22, Help Net Security – (International) **Are malware hybrids the next big threat?** Recent encounters with hybridized malware files have left Trend Micro researchers wondering if they have been designed that way or if they are just an undesirable side effect of heavily infected systems. To demonstrate how both pieces of malware may benefit from the symbiosis, they took the recently detected attack involving an IRC bot (WORM_LAMIN.AC) infected by a mother file infector (PE_VIRUX.AA-O) as an example. Because of PE_VIRUX’s polymorphic nature, WORM_LAMIN.AC might be harder to detect. WORM_LAMIN.AC returns the favor by spreading PE_VIRUX. Together they change user and system security settings in a way that makes it easier for them to remain undetected, and the payloads carried by both are delivered. It is likely that its appearance will spark other malware developers to try that novel approach. Source:// [|//http://www.net-security.org/malware_news.php?id=1540//]

//November 22, V3.co.uk – (International) **Kroxxu botnet hits a million web users.** Security experts have uncovered a dangerous new botnet which has already infected over 100,000 domains and 1 million systems worldwide, although it is still unclear how the cyber criminals are monetizing their efforts. The Kroxxu botnet has been designed solely to steal FTP passwords but, unlike traditional botnets, it is able to spread through infected Web sites alone rather than individual PCs, according to researchers at Avast Software who have been tracking it for over a year. The stolen passwords enable Kroxxu’s creators to add a script tag to the original Web site content, which then makes it possible to upload and modify files on infected servers and spread to other servers globally. The malware relies heavily on redirects to obfuscate itself, while various components of the network are able to perform different roles, known as “indirect cross infection”. “Kroxxu’s indirect cross infections are based on all parts being equal and interchangeable,” said the head virus researcher at Avast. Avast has not yet discovered how the botnet organizers are making money from the scam, but the researcher suspects they could be selling stolen credentials or hacked space on infected servers, or using key-loggers to spread other spam. The botnet has infected 1,000 domains a month since its discovery in October 2009, and many of the PHP redirectors and malware distributors placed in the sites have survived for months at a time. By infecting legitimate sites, the botnet could have a serious impact on the success of URL blocking software, warned Avast. Source:// [|//http://www.v3.co.uk/v3/news/2273368/kroxxu-avast-botnet-threats//]

//November 22, The H Security – (International) **Spam hole in Google Mail.** Until recently, a security hole in a Google API allowed e-mails to be sent to GMail users without knowing e-mail addresses. As reported by TechCrunch, victims only had to visit a specially crafted Web site while being logged into their Google account. Apparently, the hole could even be exploited while in Private Browsing mode, which does not usually give access to a user’s cookies. The vulnerability allowed e-mails with arbitrary subject lines and message bodies to be sent from the e-mail address noreply@google.com. As the e-mails included an authentic header, it was virtually impossible for users to distinguish them from an authentic e-mail sent by Google. The hole was discovered by a 21-year-old Armenian, who made his demo exploit freely accessible on Google’s Blogspot / Blogger service. Google shut the blog down shortly after the exploit was reported, and confirmed the problem in an e-mail to TechCrunch. Google said the hole in its Apps Script API has now been traced and fixed. Source:// [|//http://www.h-online.com/security/news/item/Spam-hole-in-Google-Mail-1139762.html//]

//November 19, IDG News Service – (National) **Wiseguy scalpers bought tickets with CAPTCHA-busting botnet.** Three California men have pleaded guilty to charges they built a network of CAPTCHA-solving computers that flooded online ticket vendors and snatched up the very best seats for Bruce Springsteen concerts, Broadway productions, and even TV tapings of Dancing with the Stars. The men ran a company called Wiseguy Tickets, and for years they had an inside track on some of the best seats in the house at many events. They scored about 1.5 million tickets after hiring Bulgarian programmers to build “a nationwide network of computers that impersonated individual visitors” on Web sites such as Ticketmaster, MLB.com, and LiveNation, the U.S. Department of Justice (DOJ) said November 18 in a press release. The suspects pleaded guilty to hacking and wire fraud charges November 18 in U.S. District Court for the District of New Jersey. Two convicts face a maximum of 5 years in prison. The third, who pleaded guilty to just one count of hacking, faces 1 year in prison. The suspects were indicted in February and are set to be sentenced March 15, 2011. A fourth Wiseguy Tickets partner, the chief financial officer, is still at large, DOJ said. Source:// [|//http://www.computerworld.com/s/article/9197278/Wiseguy_scalpers_bought_tickets_with_CAPTCHA_busting_botnet//]

//November 19, ITProPortal – (International) **German hacks national security agency’s hashing algorithm.** A German hacker has claimed to have cracked passwords protected with the national security agency’s Secure Hashing Algorithm (SHA1) using rented computing resources. The hacker used GPU-powered rented computing resources to crack 10 out of the 14 SHA1 password hashes he was aiming for. He used brute force attacks to achieve the crack in 49 minutes. He managed to hire the computing resources used to crack the SHA1 hashes for $2. Security experts have warned for quite some time that the once powerful password hashing technique is no longer safe to use. Source:// [|//http://www.itproportal.com/2010/11/19/german-hacks-national-security-agencys-sha1///]

//November 18, Computerworld – (International) **Apple patches critical ‘drive-by’ Safari bugs.** Apple November 18 patched 27 vulnerabilities in Safari for Mac OS X and Windows, 85 percent of them critical bugs that could be exploited to hijack Macs or PCs. Of the 27 flaws fixed in Safari 5.0.3 for Mac and Windows, four were patched by Apple in September in its iOS mobile operating system, and at least three had been addressed by Google in its Chrome browser as far back as mid-August. Chrome and Safari share the open-source WebKit browser engine. Apple identified all 27 vulnerabilities it patched as within WebKit. Most of the vulnerabilities addressed in the Safari updates — Apple also patched the older Safari 4 that runs in Mac OS X 10.4, aka Tiger — were accompanied by the phrase “arbitrary code execution,” which is Apple’s way of saying “critical.” According to Apple, the 23 critical bugs can be exploited by “drive-by” attacks that launch as soon as a victim browses to a malicious Web site. Among the non-critical vulnerabilities was one that could be used by unscrupulous site owners to secretly track users’ browsing habits, even when Safari has disabled cookies. Another flaw could let identity thieves spoof the URL showing in Safari’s address bar, a common tactic of phishers who feed bogus sites to users in the hope of capturing passwords to online bank accounts. Source:// [|//http://www.computerworld.com/s/article/9197184/Apple_patches_critical_drive_by_Safari_bugs//]

//November 17, Computer Business Review – (National) **McAfee warns users against 12 online scams this Christmas.** McAfee has revealed the 12 most dangerous online scams computer users should be cautious in this holiday season. The “Twelve Scams of Christmas” include iPad offer scams, “Help! I’ve Been Robbed” scam, fake gift cards, holiday job offers, “Smishing”, suspicious holiday rentals, recession scams, Grinch-like greetings, low price traps, charity scams, dangerous holiday downloads, and hotel and airport wi-fi. McAfee Labs director of security research said scams continue to be big business for cybercriminals who have their sights set on capitalizing on open hearts and wallets. McAfee advised Internet users to follow five tips to protect their computers and personal information in lieu of these cyber threats. The security firm has advised users to stick to well-established and trusted sites, and not to respond to offers that arrive in a spam e-mail, text, or instant message. McAfee also advised online users to preview a link’s Web address before clicking, to stay away from vendors that offer prices well below the norm, and to only use trusted wi-fi networks. Source:// [|//http://security.cbronline.com/news/mcafee-warns-users-against-12-online-scams-this-christmas_161110//]

//November 18, IDG News Service – (International) **China telecom operator denies hijacking Internet traffic.** China’s largest fixed-line phone carrier denied it hijacked worldwide Internet traffic in April 2010 following a U.S. government report that said the company had redirected network routes through Chinese servers. China Telecom rejected the claims in an e-mail statement, but offered no further comment. A report to Congress published November 17 claimed that for 18 minutes April 8, China Telecom rerouted 15 percent of the Internet’s traffic through Chinese servers. The traffic affected U.S. government and military Web sites, said the U.S.-China Economic and Security Review Commission. Computer security researchers cannot say if the act was intentional, the report said. But such hijacking of Internet traffic could enable the surveillance of specific users or sites, or it could be used to conceal a targeted cyberattack. According to the report, however, what caused China Telecom to reroute Internet traffic originated with a smaller Internet service provider called IDC China Telecommunication. The incident could have been an accident that stems from a weakness of the Border Gateway Protocol (BGP), which is used to help route traffic and connect the Internet together. BGP routing data is announced by small service providers like IDC China Telecommunication and then shared with larger providers. Small providers generally announce routes to about 30 networks. For some reason, on April 8 IDC China Telecommunication began announcing routes to tens of thousands of networks. The bad information was then accepted by larger Internet providers like China Telecom, which then propagated the data. Source:// [|//http://www.computerworld.com/s/article/9197119/China_telecom_operator_denies_hijacking_Internet_traffic//]
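The route leak described above, as an added example (not code from the article or from any router vendor): an upstream counts the prefixes each customer AS originates and refuses to propagate announcements from an origin that blows far past its agreed figure, which is the same idea as a max-prefix limit on the peering session. All AS numbers, prefixes and baseline figures below are constructed.

```python
"""Prefix-count surge check over a BGP UPDATE stream (constructed data).

Models a small customer AS that normally originates a few dozen prefixes
suddenly originating tens of thousands, and the check an upstream can run
before accepting and propagating those routes.
"""
from collections import Counter
from itertools import islice
import ipaddress

# Constructed baseline: how many prefixes each customer AS is agreed to originate.
BASELINE = {64512: 30, 64513: 16}


def constructed_updates():
    """Constructed UPDATE stream as (origin_as, prefix) tuples.

    AS64513 announces exactly its 16 agreed /28s. AS64512 announces its own
    30 /24s and then leaks 40,000 /24s it does not own.
    """
    good = [(64513, str(net)) for net in
            ipaddress.ip_network("203.0.113.0/24").subnets(new_prefix=28)]
    own = [(64512, str(net)) for net in
           islice(ipaddress.ip_network("172.16.0.0/12").subnets(new_prefix=24), 30)]
    leak = [(64512, str(net)) for net in
            islice(ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24), 40000)]
    return good + own + leak


def prefix_counts(updates):
    """Distinct prefixes originated per AS (repeated announcements ignored)."""
    return Counter(origin for origin, _ in set(updates))


def flag_surges(counts, baseline, headroom=2.0):
    """Return {asn: (count, agreed)} for origins exceeding headroom * agreed
    count, or with no agreed count at all (an origin we never provisioned)."""
    flagged = {}
    for asn, count in counts.items():
        agreed = baseline.get(asn)
        if agreed is None or count > headroom * agreed:
            flagged[asn] = (count, agreed)
    return flagged


def accepted_updates(updates, baseline, headroom=2.0):
    """Drop every announcement from a flagged origin instead of propagating
    the leaked routes on to peers."""
    bad = flag_surges(prefix_counts(updates), baseline, headroom)
    return [u for u in updates if u[0] not in bad]


if __name__ == "__main__":
    stream = constructed_updates()
    for asn, (count, agreed) in flag_surges(prefix_counts(stream), BASELINE).items():
        print(f"AS{asn}: {count} prefixes originated, agreed figure {agreed}")
    print(f"{len(accepted_updates(stream, BASELINE))} of {len(stream)} updates accepted")
```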

//November 18, The Register – (International) **Whitehat cracks notorious rootkit wide open.** A malware analyst has deconstructed a highly advanced piece of crimeware believed to be the work of the notorious Russian Business Network. The step-by-step instructions for reverse engineering the stealthy ZeroAccess rootkit are a blow to its developers, who took great care to make sure it could not be forensically analyzed. The tutorial means other malware researchers may also study the malware to close in on the people behind it and to better design products that can safeguard against it. The analysis was written by a malware researcher specializing in reverse engineering at InfoSec Institute, an information security services company. It documents a rootkit that is almost impossible to remove without damaging the host operating system and uses low-level programming calls to create hard disk volumes that are virtually impossible to detect using normal forensic techniques. According to the researcher, malicious URLs unearthed from the disassembled rootkit use IP addresses associated with the Russian Business Network. ZeroAccess is currently being used as a platform for installing fake antivirus software, but it could obviously be used to force-install any software of the author’s bidding. Source:// [|//http://www.theregister.co.uk/2010/11/18/zeroaccess_rootkit_deconstructed///]

//November 17, DarkReading – (International) **Possible new threat: Malware that targets hardware.** French researchers said it is possible to write malware that attacks specific hardware processors rather than operating systems or applications. Researchers of École Supérieure d’Informatique Électronique Automatique (ESIEA) in Paris have developed a proof-of-concept for hardware-specific malware, which they consider a step up from Stuxnet and a potentially key weapon in cyberwarfare. The malware can easily identify and target specific hardware systems based on the on-board processor chip, the researchers said. They used so-called floating point arithmetic (FPA) to help identify processors, including AMD, Intel Dual-Core and Atom, SPARC, Digital Alpha, and Cell. In order to pinpoint the type of processor, the malware would see how a processor handles certain mathematical calculations. This breed of malware is not any more difficult to create than malware that targets software vulnerabilities, one researcher said. The researchers maintain that targeted attacks like Stuxnet are a major threat, but it is not always so simple for the attacker to be sure what software is running on a targeted machine. Hardware malware gives cyberwarfare another weapon. “You can arrange things in such a way that effectively Iran buys a set of computers with Intel processor of a given type and family. Then you can strike them selectively — and only these computers — whatever Iran has installed on those computers, [whether it’s] Linux, Windows, or any application,” he said. Source:// [|//http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml;jsessionid=53HQMZG3CYRYFQE1GHPCKH4ATMY32JVN?articleID=228300082//]

//November 17, Nextgov – (National) **Senators mull bill to require private sector reporting of cyberattacks.** U.S. Senators are contemplating legislation to mandate the private sector report cyberattacks in the wake of Stuxnet, a recently detected computer worm with potential to bring down industrial operations ranging from water treatment to manufacturing. At a Senate Homeland Security and Governmental Affairs Committee hearing November 17, the Chairman and Independent Senator from Connecticut, asked representatives from DHS, the computer security community and industry whether DHS needs enhanced powers to respond to threats to private networks. The Connecticut Senator and the ranking Republican Senator from Maine have sponsored the 2010 Protecting Cyberspace as a National Asset Act (S. 3480), which focuses on public-private partnerships and information sharing because industry owns upwards of 85 percent of the nation’s critical infrastructure. The committee is negotiating with other Senate panels to pass comprehensive cyber legislation. The equipment vulnerable to such cyberattacks in the United States includes agricultural systems and electric grids, but the manufacturing sector is the largest user of the networks, according to DHS. Homeland Security officials who analyze and coordinate responses to incidents and threats affecting industrial control systems step in only when asked to by the private sector, said the acting director of the DHS National Cybersecurity and Communications Integration Center. He said DHS is not appealing for more powers at this time, but would not oppose accepting greater responsibilities. Source:// [|//http://www.nextgov.com/nextgov/ng_20101117_5600.php//]

//November 17, The Register – (International) **Hackers hop onto royal engagement search results.** Knaves, scoundrels and others took only minutes to leap onto November 16’s news of the engagement of a prince of England in a bid to expose surfers to malware. Links to malicious sites appeared prominently in Google searches for the prince’s fiancée. Malicious downloads are offered to surfers under the guise of a Firefox update, as explained in a blog post by GFI Software. Net security firm Websense adds that prince-themed search terms have also been poisoned, in many cases redirecting surfers towards sites touting rogue anti-virus (scareware). Websense recently reported that 22.4 percent of all searches for current news lead to malicious search results, a figure that probably increases for the biggest stories such as the royal wedding engagement announcement. Source:// [|//http://www.theregister.co.uk/2010/11/17/royal_engagement_malware///]

//November 16, SC Magazine UK – (International) **Symantec claims breakthrough in understanding on how Stuxnet operates and what its targets are.** The Stuxnet worm requires the industrial control system to have frequency converter drives from at least one of two specific vendors. According to a Symantec representative, new research that was published late the week of November 8 established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran, and Vacon of Finland. He said: “The new key findings are that Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries. Stuxnet requires the frequency converter drives to be operating at very high speeds. While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications. Stuxnet also changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process. Symantec’s new detection therefore determined that once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1,410Hz and then to 2Hz and then to 1,064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly,” he said. Source:// [|//http://www.scmagazineuk.com/symantec-claims-breakthrough-in-understanding-on-how-stuxnet-operates-and-what-its-targets-are/article/190903///]
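The sabotage pattern the Symantec representative describes above, as an added monitoring example (not code from the article or from Symantec): an out-of-band check on the commanded output frequency of one drive that groups samples leaving the plant's agreed operating band, or jumping faster than the process allows, into episodes an operator can review. The 800 to 1,200 Hz band, the 50 Hz maximum step and the telemetry log are assumptions constructed for the example, not figures from the article.

```python
"""Episode detector for frequency-converter setpoints (constructed data).

Stuxnet is described above as briefly driving the output frequency to
1,410 Hz, 2 Hz and 1,064 Hz over months; a log kept independently of the
PLC can show such excursions even when the PLC code itself has been hijacked.
"""
from dataclasses import dataclass

# Assumed normal operating band and maximum commanded change per sample.
BAND_HZ = (800.0, 1200.0)
MAX_STEP_HZ = 50.0


@dataclass
class Episode:
    start: float       # timestamp of first abnormal sample
    end: float         # timestamp of last abnormal sample
    extreme_hz: float  # value furthest outside the band during the episode
    reason: str        # "band" (out of band) or "step" (jump too large)


def _band_distance(hz, band):
    """How far a value lies outside the band (0 when inside it)."""
    lo, hi = band
    return max(lo - hz, hz - hi, 0.0)


def classify(prev_hz, hz, band=BAND_HZ, max_step=MAX_STEP_HZ):
    """Return None for a normal sample, else why it is abnormal."""
    if _band_distance(hz, band) > 0:
        return "band"
    if prev_hz is not None and abs(hz - prev_hz) > max_step:
        return "step"
    return None


def find_episodes(samples, band=BAND_HZ, max_step=MAX_STEP_HZ):
    """Group consecutive abnormal samples into Episodes.

    samples: iterable of (timestamp_seconds, commanded_hz), in time order.
    """
    episodes, current, prev_hz = [], None, None
    for t, hz in samples:
        reason = classify(prev_hz, hz, band, max_step)
        if reason is None:
            if current is not None:
                episodes.append(current)
                current = None
        elif current is None:
            current = Episode(start=t, end=t, extreme_hz=hz, reason=reason)
        else:
            current.end = t
            if _band_distance(hz, band) > _band_distance(current.extreme_hz, band):
                current.extreme_hz = hz
        prev_hz = hz
    if current is not None:
        episodes.append(current)
    return episodes


def constructed_samples():
    """Constructed 10-second telemetry: steady running, then the 1,410 / 2 /
    1,064 Hz excursion from the article, then a gentle return to normal."""
    values = [1000.0, 1005.0, 1410.0, 1410.0, 1405.0, 2.0, 2.0,
              1064.0, 1064.0, 1030.0, 1000.0]
    return [(10 * i, hz) for i, hz in enumerate(values)]


if __name__ == "__main__":
    for ep in find_episodes(constructed_samples()):
        print(f"{ep.reason}: t={ep.start}s..{ep.end}s, extreme {ep.extreme_hz} Hz")
```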

//November 16, Reuters – (National) **U.S. sees huge cyber threat in the future.** The United States faces a major threat in the future from cyber technologies that will require civil-military coordination to shield networks from attack, the U.S. Defense Secretary said November 16. “I think there is a huge future threat. And there is a considerable current threat,” he told The Wall Street Journal CEO Council. The Defense Department (DoD) estimated that more than 100 foreign intelligence organizations have attempted to break into U.S. networks. Every year, hackers also steal enough data from U.S. government agencies, businesses, and universities to fill the U.S. Library of Congress many times over, officials said. The Secretary said the U.S. military had made considerable progress protecting its own sites and was working with private-sector partners “to bring them under that umbrella.” But how to allow Pentagon know-how to be applied to protecting domestic infrastructure can be tricky for legal reasons, including fear of violating civil liberties. “The key is the only defense that the United States has against nation-states and other potential threats in the cyber-world is the National Security Agency,” he said, referring to the super-secretive DoD arm that shields national security information and networks, and intercepts foreign communications. Last month, the Presidential Administration announced steps to allow greater cooperation between the NSA and DHS. Source:// [|//http://www.reuters.com/article/idUSTRE6AF4UX20101116//]

//November 16, v3.co.uk – (International) **Zeus malware targets Citrix Access Gateway.** Versions of the Zeus malware have begun harvesting log-in credentials for network appliances, according to researchers. Security firm Trusteer has uncovered new code within certain Zeus configuration files that attempts to collect data from Citrix VPN tools. The company said the code appears to be specific to certain Zeus 2.0 installations, and instructs an infected machine to capture and transmit a screenshot of all mouse clicks whenever the text ‘/citrix/’ appears in the browser’s address bar. Researchers at Trusteer believe the code is an attempt by a Zeus botnet operator to harvest account details from Citrix Access Gateway deployments by using screenshots to capture “keystroke” images from virtual keyboards. The on-screen keyboards are typically used to thwart key-logging malware tools. “This attack code clearly illustrates that Zeus is actively targeting enterprises, and specifically remote access connections into secure networks,” Trusteer said. “Fraudsters are no longer satisfied with simply going after bank accounts. They are also targeting intellectual property and sensitive information contained in company IT networks and applications.” Source:// [|//http://www.v3.co.uk/v3/news/2273166/zeus-malware-citrix-access//]

//November 16, The Register – (International) **World’s most advanced rootkit penetrates 64-bit Windows.** A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well. The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August 2010, according to security firm Prevx. According to research published November 15 by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit does this by attaching itself to the master boot record in a hard drive’s bowels and changing boot options. Prevx researchers said TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware. Once installed it is undetectable by most antimalware programs. In keeping with TDL’s high degree of sophistication, the rootkit uses low-level instructions to disable debuggers, making it hard for white hat hackers to do reconnaissance. Source:// [|//http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows///]

//November 14, PCWorld – (International) **New Trojan threat emerges.** Internet security specialist BitDefender has warned about the dangers of a new spying Trojan it describes as “a serious enemy” that can be used as a corporate spying tool. BitDefender stated that Trojan.Spy.YEK sniffs for critical data and archives that may hold private information and sends them back to the attacker. BitDefender malware researchers indicated that because Trojan.Spy.YEK has spying and backdoor features, it is a serious enemy. “A spying malware in the local network of a company means danger and unfortunately the number of such threats is constantly increasing,” the researchers said. “With an encrypted dll in its overlay, this Trojan is easily saved in windows\system32\netconf32.dll and once injected in explorer.exe nothing can stop it from connecting (whenever necessary) to a couple of meeting spots with the attacker,” the researchers said. “The backdoor component helps it register itself as a service so as to receive and follow instructions from a command and control center, while the spyware component sends away data about files, operating system, while also making screenshots of the ongoing processes.” Some of the commands Trojan.Spy.YEK is supposed to execute are: sending the collected files using a GET request, sending info regarding the operating system and computer, taking screenshots and sending the results, listing the processes that run on the system and sending them away, and finding files with a certain extension. “Shortly put,” the researchers said, “it uploads all the interesting data on an FTP server without the user’s consent.” Source:// [|//http://www.pcworld.com/article/210499///]

//November 9, DarkReading – (International) **Researchers see real-time phishing jump.** Real-time phishing attacks that cheat two-factor authentication are on the rise around the globe as phishers adapt to the latest barriers put in their way, according to a team of researchers. Researchers at Trusteer November 9 said 30 percent of all attacks during the past two-and-a-half months against Web sites using two-factor authentication have been real-time, man-in-the-middle (MITM) methods that allow attackers to bypass this stronger authentication. The data comes from a sampling of thousands of phishing attacks. Phishing attacks typically are static, so they are mostly rendered powerless when a bank uses two-factor authentication, such as one-time passwords. That is because the attacker may be able to capture the first level of credentials, but they are not able to easily capture and use OTPs, which quickly expire. So phishers are adapting their attacks to find ways around stronger authentication, and security experts said it was only a matter of time until they routinely started cheating banks and other transactional sites’ two-factor authentication. This type of real-time MITM attack has been isolated and rare thus far, experts said. Trusteer researchers have spotted these attacks in South Africa, Europe, and now in the United States, the firm’s CEO said. And while these attacks are not a new concept, this is the first time his team has seen them in such high numbers, he said. Source: [] //

// November 10, Computerworld – (International) **Microsoft forgets to patch Mac Office 2004, 2008.** Microsoft November 9 revealed four vulnerabilities in the Mac version of its Office suite, but then failed to produce patches for the 2004 and 2008 editions. Office for Mac 2011, which launched October 26, was the only version updated as part of Microsoft’s monthly patch release November 9. Microsoft did not explain the omission of Office for Mac 2004 and Office for Mac 2008 patches, or say when it would ship updates for those editions. According to Microsoft’s bulletin, Office for Mac contains four vulnerabilities, all rated “important,” the second-highest threat ranking in Microsoft’s four-step scoring system. Microsoft confirmed that each bug could be used by attackers to infect a Mac with malware by labeling them with the phrase “remote code execution.” Along with a fifth bug, the same four flaws were patched November 9 in all still-supported versions of Office for Windows. Source: [] //

// November 10, Network World – (International) **Google SERP’s show malicious URL links.** Cybercrooks continue to abuse the Web, boosting their ability to produce search engine optimization (SEO) poisoning so individuals using search engines such as Google increasingly are ending up with choices that are dangerous malware-laden URL links on the Search Engine Results Page (SERP). Some 22.4 percent of Google searches done since June 2010 produced malicious URLs, typically leading to fake antivirus sites or malware-laden downloads as part of the top 100 search results, according to the Websense 2010 Threat Report published November 9. That is in comparison to 13.7 percent of Google searches having that outcome in the latter half of 2009, said the Websense senior manager of security research. The rising level of SEO poisoning, also known as “Black Hat SEO,” shows that cybercriminals “are fine-tuning their activities and getting better at this,” he said, adding that although search engines such as Google work hard to try and stymie the Black Hat SEO effect, the trend is evident. The irony is that when it comes to getting infected by malware, the chances of that are now less risky at porn and adult content sites, historically viewed as a high source of malware (now at 21.8 percent) than just searching for less scandalous topics, such as news, IT, and entertainment. Source: [] //

// November 9, Computerworld – (International) **Researchers sound alarm over critical Mac OS X bug.** Security researchers November 9 warned that Apple’s OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system. Although Leopard was supplanted by the new Snow Leopard operating system more than 1 year ago, the older version still accounts for about a third of all installations of Mac OS X. The bug is a variation of one Apple patched last August in iOS. The flaw was used to “jailbreak” iOS 4 devices, and it could also be exploited to plant malware or commandeer an iPhone, iPad, or iPod Touch. According to Core Security Technologies, which issued an advisory November 8, Apple has wrapped up work on a patch. Source: [] //

// November 12, National Defense Magazine – (International) **Cyber experts have proof that China has hijacked U.S.-based Internet traffic.** For 18 minutes in April 2010, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations, and those of other U.S. allies. This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee. The Chinese could have carried out eavesdropping on unprotected communications — including e-mails and instant messaging — manipulated data passing through their country or decrypted messages, McAfee’s vice president of threat research said. Nobody outside of China can say, at least publicly, what happened to the terabytes of data after they entered China. The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship November 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.” Source: [] //

// November 11, CNET News – (International) **Get hacked and spill the beans, anonymously.** A new Web site could help turn security breach guesswork into science. In a first-of-its-kind effort, Verizon Business is launching a public Web site for reporting security incidents that could crack open the self-defeating secrecy of data breaches. “This will benefit the overall community,” a principal of research and intelligence at Verizon Business, told CNET. “The valid data helps us all learn from mistakes.” On November 11, Verizon launched its Veris information-sharing site where network or security professionals can provide detailed information about an incident and get back a report that illustrates via charts, graphs, and other information how the reported incident compares with others. Source: [] //

// November 15, Infosecurity – (International) **Latest rogue Facebook app dissected by IT security expert.** There are many reports of darkware Facebook apps, but it is rare to find a really thorough analysis of a rogue app. But Sophos’ principal virus researcher has analyzed one of the latest apps in some detail. According to the researcher, the latest rogue app on the social networking site specifically targets Croatian users. Compared to some other Eastern European countries, he said, Croatia is not very well known for being a land of malware writers, which makes this particular app all the more surprising. The rogue Facebook app, he explained, invites users to install a new “Love” Facebook button, and uses a malicious Java applet to install a password stealing Trojan. “The Trojan is designed to steal Facebook credentials and other passwords from various sources on the system, including Internet Explorer, Firefox, and Google Chrome,” he said, adding that the attack reminded him of a recent “Dislike” button attack but it is clearly the work of a different attacker. The Facebook application, he said, is actually a simple Web page hosted on one of the free Web-hosting providers. The handcrafted page, he goes on to say, contains a tag to load a Java applet to allegedly install the Love Facebook button, rather than the usual obfuscated Javascript code with a drive-by exploit. Source: [] //

//November 12, IDG News Service – (National) **Sarah Palin hacker Kernell gets one-year sentence.** The former college student who guessed his way into the former Republican Vice-Presidential nominee’s Yahoo e-mail account during the 2008 U.S. presidential election was sentenced to 1 year and 1 day in prison November 12. The hacker’s lawyers had been hoping for probation only; federal prosecutors had asked for an 18-month sentence. The judge in the case recommended that the hacker serve his time at a halfway house rather than federal prison, but that decision is up to the U.S. Bureau of Prisons, the U.S. Department of Justice said. Following his 1-year sentence, the convict must serve 3 years’ probation. The hacker, a 20-year-old college student at the time of the incident, got into the account by guessing answers to the security questions used by Yahoo to reset the account’s password. In chat logs, the hacker said he was hoping to find information that would “derail” her 2008 vice presidential election campaign. Source:// [|//http://www.computerworld.com/s/article/9196334/Update_Sarah_Palin_hacker_Kernell_gets_one_year_sentence//]

// November 9, IDG News Service – (International) **iPhone’s Safari dials calls without warning, says security expert.** A security researcher is asserting that Apple has made a poor security decision by allowing its Safari browser to honor requests from third-party applications to perform actions such as making a phone call without warning a user. Safari, like other browsers, can launch other applications to handle certain URL protocols. These might be in clickable links, or in embedded iframes. An iframe containing a URL with a telephone number, for example, will cause Safari to ask if the user wants to make a phone call to that particular number, wrote a security researcher on the SANS Application Security Street Fighter blog. Users can tap a button to make or cancel the call. But the researcher found that behavior changes in some cases. For example, if a user has Skype installed and stays logged into the application, Safari does not give an alert when it encounters a Skype URL in an iframe, and immediately starts a Skype call, he said. The researcher said he contacted Apple. The company said third-party applications should be coded to ask permission before performing a transaction. But in the current arrangement, third-party applications can only ask for authorization after a person has been “yanked” out of Safari and the application has been fully launched. “A solution to this issue is for Apple to allow third-party applications an option to register their URL schemes with strings for Safari to prompt and authorize prior to launching the external application,” he wrote. Source: [] //

// November 8, IDG News Service – (International) **Zscaler develops free tool to detect Firesheep snooping.** A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security. Firesheep, which was unveiled at the ToorCon security conference in San Diego October 2010, collects session information that is stored in a Web browser’s cookie. The session information is easily collected if transmitted back and forth between a user’s computer and an unencrypted Wi-Fi router while a person is logged into a Web service such as Facebook. While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, many then revert to passing unencrypted information during the rest of the session, a weakness security analysts have warned of for years, particularly for users of public open Wi-Fi networks. Firesheep identifies that unencrypted traffic and allows an interloper to “hijack” the session, or log into a Web site as the victim, with just a few clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool. Zscaler’s Blacksheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users to make a more informed security decision about their behavior while on an open Wi-Fi network, for example. Source: [] //
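The weakness described above (an HTTPS login followed by a session cookie that the browser will happily send over plain HTTP) is visible in the login response itself, so a site can audit for it before any user sits on open Wi-Fi. The following is an added example, not code from Zscaler, Firesheep or the article; the header samples, the cookie names treated as session identifiers and the host example.test are constructed.

```python
"""Audit an HTTP login response for session-cookie exposure of the kind
Firesheep picks up: a session cookie without the Secure flag, a redirect
back to http://, or no HSTS so the rest of the session can drop to cleartext.
Added example; header samples below are constructed, not real captures."""
from http.cookies import SimpleCookie

# Cookie names treated as session identifiers (assumption for this demo).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "auth"}

# Constructed weak response: HTTPS login that sets a cookie without Secure,
# no Strict-Transport-Security, and redirects the user to plain HTTP.
WEAK_LOGIN_RESPONSE = """HTTP/1.1 302 Found
Location: http://example.test/home
Set-Cookie: sessionid=constructed-token-123; Path=/
Content-Length: 0
"""

# Constructed hardened response: same login, cookie marked Secure and
# HttpOnly, HSTS enabled, redirect stays on HTTPS.
HARDENED_LOGIN_RESPONSE = """HTTP/1.1 302 Found
Location: https://example.test/home
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=constructed-token-123; Path=/; Secure; HttpOnly
Content-Length: 0
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response into (lowercased-name, value) pairs.
    The status line is skipped; a header may repeat (e.g. Set-Cookie)."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_session_exposure(raw: str) -> list[str]:
    """Return findings that would let a passive listener on the network path
    capture or reuse the session; an empty list means none were found."""
    findings = []
    headers = parse_headers(raw)

    # Without HSTS the browser may follow http:// links later in the session.
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: later requests "
                        "may fall back to plain HTTP")

    for name, value in headers:
        # A post-login redirect to http:// sends the fresh cookie in the clear.
        if name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect to cleartext URL after login: {value}")
        if name != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            if key.lower() not in SESSION_NAMES:
                continue  # only session identifiers matter for hijacking
            if not morsel["secure"]:
                findings.append(f"cookie {key} lacks Secure: browser will "
                                "send it over http://")
            if not morsel["httponly"]:
                findings.append(f"cookie {key} lacks HttpOnly: readable "
                                "from page scripts")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE),
                        ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(f"{label}: {audit_session_exposure(resp) or 'no findings'}")
```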

//November 8, Computerworld – (International) **Danger to IE users climbs as hacker kit adds exploit.** An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will likely push Microsoft to fix the flaw with an emergency update, a security researcher said November 7. Microsoft has warned users of its IE6, IE7, and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised Web sites. Once at such sites, users were subjected to “drive-by” attacks that required no action by them to succeed. Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations. On November 7, the chief research officer of AVG Technologies said an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks. Microsoft has promised to patch the vulnerability, but said the threat didn’t warrant an “out-of-band” update, the company’s term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates November 9, but will not fix the IE bug then. Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated “Fix-it” tools to add a custom CSS template to their browsers as protection until a patch is available. Source:// [|//http://www.computerworld.com/s/article/9195380/Danger_to_IE_users_climbs_as_hacker_kit_adds_exploit//]

//November 8, The Register – (Ohio; National) **Former student jailed for U.S. political hack attacks.** A U.S. student began a 30-month sentence November 5 after he was convicted of using a network of compromised PCs he established to flood the Web sites of conservative politicians and pundits. The convict, 23, of Bellevue, Ohio, had earlier admitted launching denial of service (DoS) attacks against the sites between 2006 and March 2007, Security Week reported. He also copped to launching a DoS attack on the University of Akron, the university where he was enrolled at the time of the March 2007 attack. The assault knocked Akron offline for more than 8 hours, obliging a subsequent clean-up operation that cost the university $10,000. The convict was ordered to pay $10,000 in restitution to the university and a further $40,000 to BillO’Reilly.com. After he gets out of jail, he will spend a further 3 years on parole. The former student also admitted to harvesting personal data from compromised machines including user names, passwords, and credit card numbers. It is unclear how much, if anything, he raked in via fraudulent abuse of this information. It could be the compromised details were used to buy and facilitate his politically motivated hack attacks. Source:// [|//http://www.theregister.co.uk/2010/11/08/us_hacktivist_jailed///]

//November 8, Techworld – (International) **Boonana Mac Trojan was ‘not Koobface’, says Microsoft.** The widely-reported “Boonana” Trojan was a new piece of malware and had nothing directly to do with “Koobface,” Microsoft and other security companies reported 1 week after the event. However, according to Microsoft, ESET, and SecureMac, the similarity with Koobface does not appear to stretch beyond its general tactics and the fact that it attacks using Facebook and other social media sites. At a code level, what Microsoft now identifies as Trojan:Java/Boonana is a distinct piece of malware. The main significance of Boonana could be that its Java design allows it to attack Windows PCs and Apple Mac computers, and at least run on Linux. Where the software hails from is unknown, although one of its first actions on infecting computers is to try to contact a Russian FTP server. The fact Boonana is a distinct family of malware rather than a variant matters in a small but important way. A new branch of malware capable of attacking across operating systems suggests a new direction in malware innovation. If Boonana was a simple variant it might count more as a one-off experiment. Programming and platforms apart, Boonana’s use of Facebook shows social engineering skill is its real forte. Originally pushed with basic “watch this video” lures, the malware has subsequently tried more sophisticated messages, including one based on an apparent suicide notice. Source:// [|//http://news.techworld.com/security/3247749///]

//October 29, Infosecurity – (International) **CSI 2010: Panda Labs analyst labels Mariposa masterminds as ‘cyber idiots’.** While detailing Panda Security’s role in taking down the Mariposa botnet, a threat analyst said the crew were hardly criminal masterminds, characterizing their technical skills as somewhat rudimentary. The Panda researcher delivered these comments during his CSI Conference session designed to glean lessons from the Mariposa botnet, whose primary operators were based in Spain, just a short train ride from the company’s labs. Mariposa, Spanish for butterfly, was one of the largest known botnets at the time of its takedown according to the analyst, with more than 13 million unique IP addresses. After authorities seized equipment related to controlling the botnet, the analyst noted that the “cybercriminal was dumb enough to store all of the information unencrypted on his [personal] hard drive”, which made the forensic analysis quite simple. It provided an easy-to-follow roadmap of the crime, including the names of money mules, money transfers, and so on. What the researchers also found were stolen credentials on more than 1 million people, such as banking information, Internet log-ins, and credit card numbers. He also said that over half of Fortune 1000 companies were infected by the Mariposa botnet. Source:// [|//http://www.infosecurity-us.com/view/13595/csi-2010-panda-labs-analyst-labels-mariposa-masterminds-as-cyber-idots///]

//October 28, Computerworld – (International) **Hackers exploit newest Flash zero-day bug.** On October 28, Adobe confirmed hackers are exploiting a critical unpatched bug in Flash Player, and promised to patch the vulnerability in 2 weeks. The company issued a security advisory that also named Adobe Reader and Acrobat as vulnerable. “There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat,” said Adobe in its warning. The company said it has seen no sign hackers are also targeting Flash Player itself. Those reports came from an independent security researcher who notified Adobe after spotting and then analyzing a malicious PDF file. According to the researcher, the rigged PDF document exploits the Flash bug in Reader, then drops a Trojan and other malware on the victimized machine. Adobe said all versions of Flash on Windows, Mac, Linux, and Android harbored the bug, and that the “Authplay” component of Reader and Acrobat 9.x and earlier also contained the flaw. Authplay is the interpreter that renders Flash content embedded within PDF files. Adobe promised to issue a fix for Flash by November 9, and updates for Reader and Acrobat the following week. Source:// [|//http://www.computerworld.com/s/article/9193678/Hackers_exploit_newest_Flash_ze_day_bug//]

//October 27, Help Net Security – (International) **Boonana Trojan for Mac OS X spreads via social media.** SecureMac has discovered a new Trojan in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6). The Trojan, Trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. It is currently appearing as a link in messages with the subject “Is this you in this video?” When a user clicks the infected link, the Trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the Trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the Trojan hijacks user accounts to spread itself further via spam messages. Users have reported the Trojan is spreading through e-mail as well as social media sites. Source:// [|//http://www.net-security.org/malware_news.php?id=1509//]

// October 25, IDG News Service // – (International) **Security company strengthens CAPTCHAs with video.** A security company called NuCaptcha is incorporating advertising into a video CAPTCHA system that is much harder for computers to break. CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” It was developed to thwart Web annoyances such as spam and false account registrations, among others. It uses a box of jumbled letters humans must decode to allow, for example, a registration to proceed. When CAPTCHAs were first introduced, it was difficult for optical character recognition (OCR) technologies to break them. Over the last few years, that has changed, and CAPTCHAs are much less effective. In order to halt automated CAPTCHA-solving programs, the puzzles have been made more difficult to solve, so much so that many are nearly unreadable to humans as well. NuCaptcha does CAPTCHAs but with a twist: rather than a static box of text, the system runs the text as a streaming banner within a video. The movement of the text throws off automated CAPTCHA-solving software. The text also does not have to be obscured as much, making it much easier for people to read and likely to keep users on the Web site. Source: [] //