Security

January 9, 2009 5:18 PM PST

Google's free code hosting Web site for developers is being used to distribute malware, a security researcher said on Friday.

Google Code is a place where programmers can host projects and code. Along with the legitimate code are links to fake videos that direct users to download a missing codec, said Dave Marcus, director of security research for McAfee Avert Labs. The codecs turn out instead to be password-stealing Trojans and programs geared toward stealing financial information for identity fraud, he said.

"They're using it as a way to send out links or as a place to house their links and redirects because it's Google and obviously it gets highly ranked in the index," he said. "The bad guys look for services like this as a way to push out code."

A Google spokesman said the company has removed malware-distributing projects from Google Code and search results.

"Google works hard to protect our users from malware. Using Project Hosting on Google Code, or any Google product, to serve or host malware is a violation of our product policies," the spokesman said in a statement. "Using automated tools, we actively work to detect and remove sites that serve malware from our network. We have removed many of these projects from Google Code and from our search results. Additionally, we'll continue to explore new ways to identify and eliminate such content."

The problem is similar to one that was found to be plaguing Microsoft's MSN Spaces site a year ago and continues to occur there, according to a McAfee Avert Labs blog posting.

Fake sex videos are being used to entice people to download Trojans on Google Code, McAfee says.

(Credit: McAfee)

January 8, 2009 6:36 PM PST

A new e-mail that is circulating looks like it comes from CNN and links to a fake CNN Web page offering "graphic" video related to the Israel-Hamas conflict but instead hosts a Trojan that steals sensitive data, RSA said on Thursday.

When someone clicks on the video link on the fake CNN site, an error message pops up urging the visitor to download the latest version of Adobe Flash Player. Clicking on the download link installs an "SSL stealer" Trojan that captures financial and other sensitive information, RSA said in a blog.

The Trojan looks for encrypted communications between the computer and known financial institutions, and when it sees data being sent it diverts it to a malicious third party, said Sam Curry, vice president of product management and strategy at RSA.

The social-engineering attack is different in that the e-mail pretends to come from a media company and then tries to steal financial data, he said. "Normally when you get phished they send you an e-mail pretending to be from a bank or other financial institution," he said.

RSA discovered the attack early on Wednesday and has worked with others to get the fake site shut down. At a peak on Thursday as many as 80,000 of the phishing e-mails were being sent out, according to Curry.

This screen shot shows the error message that pops up on the fake CNN Web site. Instead of a legitimate download of Adobe Player, a Trojan that steals sensitive data is installed.

(Credit: RSA)

January 8, 2009 1:16 PM PST
Updated January 9 to clarify that vulnerability is critical for some of the software and moderate for other Windows versions.

Microsoft will issue a patch on Tuesday for a Windows vulnerability that could allow a hacker to gain control of a computer remotely, the company said in an alert on Thursday.

Microsoft also plans to host a Webcast at 11 a.m. PST as part of Patch Tuesday, which comes the second Tuesday of every month. There will be just one security update.

The vulnerability is considered critical for Windows 2000, Windows XP, Windows Server 2003, and moderate for Windows Vista and Windows Server 2008, Microsoft said.

The software maker will also release nonsecurity updates on Windows Update and Windows Server Update Services, as well as an updated version of the Microsoft Windows Malicious Software Removal Tool.

January 8, 2009 12:32 PM PST

In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.

"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."

The culprit is believed to be poor quality-assurance testing procedures in which one of every 1,000 or so devices is plucked off an assembly line and tested on a computer that is infected with a virus, he said.

Before Christmas, Samsung and Amazon issued alerts warning customers that some Photo Frame Driver CDs for Samsung's SPF line of digital photo frames contained a virus in the frame manager software. Customer PCs running Windows XP are at risk of being infected by the virus, W32.Sality.AE, which drops a keylogger or backdoor onto the system.

Element and Mercury brand frames sold at Circuit City and Wal-Mart, respectively, also were reported to be infected, according to the San Francisco Chronicle.

Sales of digital photo frames are increasing and Chinese suppliers produced more than 8 million in 2007, according to MarketResearch.com. Their plug-and-play use and the fact that they serve as a digital replacement for paper albums make electronic picture frames popular holiday gifts.

A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Also reported to be infected then were digital frames from Advanced Design System, Digital Spectrum, and Castleton. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.

"Anything that has flash storage or bootable storage is exposed to this kind of threat," said Dave Marcus, director of security research for McAfee Avert Labs. "It doesn't mean you shouldn't buy them. You should just realize before you plug it in that you might want to disable the Windows auto-boot functionality and run an antivirus scan on it, just to be safe."

For instance, the ubiquity and convenience of USB thumb drives make them a growing propagation vector. A virus outbreak on a U.S. Department of Defense network prompted officials to temporarily ban the use of USB drives, CDs and removable storage devices in November.

Attrition.org offers a long and growing list of malware-infected products that have hit store shelves.

(Credit: Attrition.org)

Security Web site Attrition.org maintains a list of products shipped to customers that were found to be infected with viruses and other malicious or odd programs. The list, which goes back to 1990, includes a credit card terminal that contained a bug to steal credit card information, MP3 players, USB drives, and other hard drives with computer worms, and a Cisco VPN Client CD that had MP3s of Mexican drug-runner folk music known as "Narcocorridos," all in 2008. Then there are the infamous Video iPods that shipped in 2006 with a Windows virus. (And just last April, a colleague bought a re-conditioned iPod Nano that arrived with a virus.)

"This list is not complete, yet it should make you realize that nothing is safe," the Attrition.org site says in a cynical warning. "Every piece of electronics you buy and every piece of software you install may come with malware pre-installed. Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you 'safe' from such threats. These 'controls' would no-doubt be another band-aid on top of band-aids that make up a lucrative market, which is sad commentary about how customers perceive and receive 'electronic security.'"

The problem is getting serious enough to merit congressional hearings on how to protect consumers against being harmed by the electronic products they buy, said Sachs of the SANS Internet Storm Center.

Right now the best protection against being infected by viruses in new devices is to keep antivirus software up to date, and disable Windows' AutoRun features and instead manually launch programs and installers when devices are inserted. The CERT security research organization has more information on the risks associated with AutoRun on its Web site.

January 7, 2009 11:24 AM PST

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, mostly as a result of lost or stolen equipment, and accidental exposure of data online, according to a new study from the nonprofit Identity Theft Resource Center.

There were 656 reports of breaches last year, compared with 446 for 2007, and an estimated 35.7 million records were potentially breached based on notification letters and information from breached companies, the study released this week found.

The breaches run the gamut, including: laptops stolen from Merrill Lynch and Starbucks; bank card information stolen from fake card readers at gas stations in Georgia; Ohio State University student Social Security numbers exposed on the Internet; a former Library of Congress employee using co-workers' data to open bogus credit card accounts; a Seattle school district inadvertently releasing teacher data to a union; financial information on mortgage files abandoned outside a Boise recycling center; and the World Bank Group's computer network being penetrated.

The reports of insider theft more than doubled to represent 15.7 percent of the breaches, while more than a third of the breaches were a result of data on the move, such as stolen laptops, and accidental exposure.

Breaches from data theft by employees doubled, to nearly 16 percent, while hacking and use of data-stealing software represented about 14 percent of the breaches. Only 2.4 percent of all breaches had encryption or other protection methods in use, and only 8.5 percent of victims were using password protection.

More than 80 percent of the breaches were electronic in nature, with the rest involving paper documents.

The breaches are broken into five different data loss categories and industry areas.

(Credit: Identity Theft Resource Center)

January 6, 2009 11:03 AM PST

A security researcher has discovered fake profiles for celebrities on LinkedIn that have links to malicious code, according to a blog posting on Trend Micro's site.

The celebrity profiles that are not to be trusted include ones created using the names: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek, and Kate Hudson. They were uncovered by Trend Micro Advanced Threats Researcher Ivan Macalintal.

In its blog posting late on Monday, Trend Micro said it was continuing its investigation. The links on the professional networking site attempt to lure viewers by purporting to be nude shots of the celebrities.

McAfee's Avert Labs Blog has more details and screenshots.

"So when an unsuspecting user gets tricked to follow the lure, he will end up on different malicious Web sites trying the classical social-engineering tricks of either the 'missing video codec' or of showing a fake AV scan and telling the user (that) his computer was infected with malware and offering a 'free' AV scanner software, which in fact is the real threat," the McAfee blog says.

Graham Cluley of Sophos also found many other fake celeb profiles and says that as recently as Thursday, the Troj/Decdec-A malicious JavaScript code was being found on them.

"It's a shame that LinkedIn (isn't) keeping a closer eye on obviously bogus profiles being created on (its) site," Cluley writes. "Undoubtedly, spammers, malware authors, and other cybercriminals may be abusing the system to link to their Web pages in the hope that it will generate a higher ranking in search engines like Google."

Representatives from LinkedIn did not immediately return a call seeking comment on Tuesday.

Fake Beyonce LinkedIn profile that contains links to malware.

(Credit: Trend Micro)

January 6, 2009 10:13 AM PST

(Credit: Topherchris.com)

Some nasty pranksters, likely associated with Web forum 4Chan, have hacked into Apple gossip mainstay MacRumors' live-blog coverage of Tuesday's Macworld keynote. Hosted on a separate domain, MacRumorsLive.com, the site was plagued by offensive messages about Apple CEO Steve Jobs' health and general inanity (i.e. "SEX ME") before finally succumbing to "technical difficulties."

It remains uncertain whether the pranksters actually brought down the site, or whether MacRumors voluntarily took it down to keep things under control.

It's pretty clear, however, that this was the work of 4Chan, which has gained both respect and notoriety (depending on who you ask) over the past year for its persistent protests against the controversial Scientology sect in the form of an offshoot group called "Anonymous."

Over on 4Chan's labyrinthine forums, a couple of threads (warning: contains explicit language) hint at members' collusion to take down MacRumors Live, and the hacked live blog was peppered with declarations of "4CHAN FTW" (that's "for the win," for those who stepped in late).

This year's Macworld Expo has gained particular attention because Apple has announced that it's the last in which it will have a presence. Additionally, iconic CEO Steve Jobs bowed out of the keynote presentation. Marketing executive Phil Schiller took his place.

The 4Chan skulduggery appears to have first been noticed by Twitter users and independent blogs like Topherchris.com, which took the screenshot above.

One Twitter user pointed to rumors on social-news site Digg that 4Chan members had been circulating MacRumors passwords on Monday night.

It's a silly prank, yes. But it could have a big impact on MacRumors: this is likely the site's biggest day of the year, and the event could have an impact on both ad revenues and server costs.

UPDATE: It's not totally clear who's actually responsible for this attack. We've been getting a handful of e-mails indicating that it may have been a non-4chan group called Myg0t that was using the 4chan forums to organize, and another e-mail claimed credit on behalf of another forum community, Ebaumsworld. Indeed, screenshots show that one of the hacker messages read, "We are from Ebaumsworld. We are hackers on steroids."

Honestly? The world may never know.

This post was updated at 2:13 p.m. PT.

Originally posted at The Social

January 5, 2009 11:05 AM PST

A standard magnetic trip is based upon a sealed reed switch. Two or three contacts are sealed in a glass envelope containing an inert gas. The sensor is placed on a fixed object such as a door frame, and the magnet on the movable surface. These switches provide the lowest level of security.

(Credit: Marc Weber Tobias)

The U.S. product safety testing organization Underwriters Laboratories has redefined the security requirements for magnetic switches used in many alarm systems because some of these devices can be easily defeated. If your facility employs reed switches or Balanced Magnetic Switches (the high-security version of these devices) you may wish to review the requirements of the new standard. UL 634 has established a second security level (2) to define more stringent requirements to protect against covert attack. Current BMS switches are covered under Level 1.

It appears that only one switch can currently meet the new Level 2 section of the standard. It is produced by Magnasphere in Waukesha, Wis., in conjunction with Harco Labs of Branford, Conn., and is likely to be specified for use in embassies, federal facilities, and other high security applications. The Magnasphere switch was just certified by UL as compliant with Level 2. I became familiar with this technology almost three years ago when I first interviewed the CEO of the company, Rick Kirschman, and documented the ability to bypass (video) current reed switch technology (video) with simple magnets. The issue is especially critical for Sensitive Compartmented Information Facilities (SCIFs) because of the capability of surreptitiously bypassing these devices.

Alarm switches and connectors for use on doors, windows, safes, vaults and other areas are classified and tested by Underwriters Laboratories, in Standard UL 634. The standard was updated to reflect concerns by the Department of Energy, state, and other federal agencies because of the capability of bypassing reed-based switch designs. Prior to release of the new standard, only one level of security was defined for magnetic switches. In the latest edition of Locks, Safes, and Security, a simple method was demonstrated to defeat the Balanced Magnetic Switch (BMS (video)), which is the standard device that is used in high security applications by government agencies, banks, and many commercial facilities.

A Balanced Magnetic Switch (BMS) is used in high security applications. The device incorporates five reed switches, as shown in the X-ray view. Proper placement of three magnets, shown inserted between the reed element and activator, can defeat this switch.

(Credit: Marc Weber Tobias)

Magnetic switches, or "trips," are an essential element in virtually all electronic alarm systems. They are utilized to secure perimeter and interior doors, windows, safes, and vaults. They are often the first line of protection in residential, commercial, and government facilities. Their operation relies upon the presence or absence of a magnetic field to determine whether they are in a closed or open condition, indicating a normal or "tripped" state. Switches have two components: the sensor and activating magnet. Normally, the sensor is mounted on the fixed door frame, and the magnet is placed in close proximity on the moving door, window, or other element. As long as the sensor is captured by the magnetic field, the electrical circuit is completed. When the field is broken, the alarm is tripped.

Reed switches are not secure, and can be easily defeated, as demonstrated in the accompanying videos. These switches can be bypassed by electrical, magnetic, or mechanical tampering, and should not be relied upon for any measure of security, especially against attack from within an organization.

The revised UL 634 standard establishes two levels of security for magnetic switches in sections 49-65. Level 1 covers the current BMS designs, and Level 2 has been added for a higher security switch that is immune from several forms of tampering, nuisance alarms, and foreign magnetic field compromise. The new switches also require extended endurance testing for reliable operation after 1,000,000 cycles.

The Magnasphere high security switch is impervious to normal methods of attack that can be used to defeat traditional reed switches. The design was just certified by UL as compliant with Level 2 of UL 634.

(Credit: Magnasphere Corporation)

The Magnasphere switch (video) operates on a different principle than the reed, and is infinitely more reliable and secure. It is immune to magnetic tampering, as demonstrated in the video. It took the company more than three years to complete the Standards process, but now it appears they are the only technology that can comply with the Level 2 requirements. Look for these switches to be incorporated in residential, commercial and government installations. They can be embedded within Balanced Magnetic Switches where the higher security requirements for SCIFs and other locations are mandated. According to Rick Kirschman, the Magnasphere switch is virtually tamper-proof because of its unique spherical design.

January 3, 2009 4:04 PM PST

There's a scam spreading through Twitter. Direct messages (DMs) are showing up in Twitter accounts with appealing come-ons to visit a site on blogspot.com. The text is, "hey! check out this funny blog about you..." The URL in the message then redirects to a page that looks like the Twitter login page, but is actually not on Twitter--it's a site, twitter.access-logins.com, that masquerades as Twitter to steal your login credentials instead.

If you need to log in to Twitter, do it on Twitter.com itself. And to play it safe, double-check your browser address bar to make sure that's where you are.

The phishing site in question also appears to support the theft of Facebook IDs.

I have not received this bogus Twitter message, but the Twittersphere is abuzz over this scam.

This is not Twitter.

Read more on the Twitter Status blog, Chris Pirillo's blog, VentureBeat, or Mashable. Related: Koobface virus hits Facebook

Update: If you are logged in to the real Twitter.com, you'll now see an update about this scam on the page. No warning appears if you use another Twitter client, like Twhirl.

Update 2: The effect of getting taken in by this scam seems to be that affected accounts send messages to their followers with the original phishing message. To date, no other effect of falling victim to the scam has been reported. However, since many people use the same user ID and password for multiple online services, it's possible that credentials collected from this scam could be used to log in to other services, including financial sites.

As Twitter recommends on its blog: "If this has you feeling a bit weirded out, feel free to change your Twitter password."
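The address-bar check described above can be expressed as code. This Python sketch is an added example, not part of the original post; the set of trusted hosts and the category names are assumptions chosen for illustration. It compares the exact host a browser would connect to, which is why a name such as twitter.access-logins.com fails even though it starts with "twitter".

```python
from urllib.parse import urlsplit

# Hosts on which a Twitter password may be typed (assumption for this example).
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}
BRAND = "twitter"


def login_host(url):
    """Return the lower-cased host a browser would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:                 # malformed URL
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname              # drops any user@ prefix and :port
    return host.rstrip(".") if host else None


def classify_login_url(url):
    """Classify a URL as 'trusted', 'lookalike', 'other' or 'invalid'."""
    host = login_host(url)
    if host is None:
        return "invalid"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    # The brand name used as a label of some other domain is the trick
    # this scam relies on.
    if any(BRAND in label for label in host.split(".")):
        return "lookalike"
    return "other"


def safe_to_enter_password(url):
    """Only an exact match on a trusted host is acceptable."""
    return classify_login_url(url) == "trusted"


# Constructed sample URLs; only the phishing host name comes from the article.
SAMPLES = [
    "https://twitter.com/login",
    "http://twitter.access-logins.com/login",
    "http://twitter.com.example.net/login",
    "http://twitter.com@login.example.net/",
    "http://example.blogspot.com/funny-blog",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_login_url(url):10} {url}")
```

The blogspot.com link in the direct message classifies as "other" because it only redirects; the check matters on the page that finally asks for the password.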

Originally posted at Webware

January 2, 2009 4:33 PM PST

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0, and 3.1 devices are not able to receive any more SMS or MMS messages. The S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia representative told CNET News sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the representative. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."

Products running S60 3rd edition, feature pack 2, are unaffected, said the representative, who added that the issue can be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the representative.

F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday the security vendor said the vulnerability will "most likely be used by jealous boyfriends," but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.

Tom Espiner of ZDNet UK reported from London.
