
Security

December 18, 2008 5:50 AM PST

Chinese networking vendor Huawei Technologies has slammed as "ludicrous and inaccurate" claims that it had links to the Chinese military and government that could cause security problems for the National Broadband Network.

The Australian newspaper reported on Thursday that security agencies would "closely examine" any Huawei involvement in Optus' bid to build the National Broadband Network due to international concerns about the company's links with Chinese authorities.

But in a statement released Thursday afternoon under the name of its vice director of public relations for the Asia-Pacific region, Thong Poh Wah, Huawei denied the claims. The company, which supplies equipment to a number of Australian telecommunications specialists and other companies, employs 230 staffers in Australia.

"Huawei is privately held and 100 percent owned by its employees, administered through an employee share ownership plan," the company said. "No other organizations, including the government, army, or business hold stakes in Huawei."

Referring to The Australian's report that Huawei founder Ren Zhengfei had a military background, Huawei pointed out that prior military service was common among many North American and European business leaders.

"Huawei only manufactures telecom equipment for commercial public use, and its main customers include 35 of the world's top 50 telecom operators," the company said, noting that sales related to the Chinese government accounted for only 0.5 percent of its income in 2007.

"Before Huawei can work with those companies, it must meet a strict auditing process that reviews the company's strategic planning, process, management system, quality control, and human resources," the statement said.

Earlier this year, security concerns raised by the U.S. government helped put an end to Huawei's bid to take a stake in 3Com, which makes network security equipment that is sold to the U.S. Department of Defense.

Shadow Communications Minister Nick Minchin on Thursday claimed that The Australian's report contained "potentially very concerning revelations." Australians needed to be assured the NBN was free of any potential for cyberespionage, he said.

Renai LeMay of ZDNet Australia reported from Sydney. CNET News' Jon Skillings contributed to this report.

December 17, 2008 11:18 AM PST

Microsoft released a critical security patch on Wednesday to plug vulnerabilities in Internet Explorer, a move that comes as malicious attackers are taking advantage of the security flaws.

The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious Web site, or a legitimate Web site that has been infected.

This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users.

The vulnerabilities are found in not only IE 7, Microsoft's latest browser, but also Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 6 Service Pack 1.

December 17, 2008 8:00 AM PST

The bootlegging in operation at a store in Hanoi, one of many such shops that sell pirated goods.

(Credit: Dong Ngo/CBS Interactive)

Editor's note: CNET editor and Crave contributor Dong Ngo is spending part of December in his homeland of Vietnam and is filing occasional dispatches chronicling his impressions of how technology has permeated the culture there.

HANOI, Vietnam--You say you can't afford the $699 price tag on Adobe Photoshop CS4? How about a $698 discount?

That's the kind of deal you'll get here in Hanoi, where pirated software--and virtually any other kind of digital content--is sold indiscriminately at many local shops for about $15,000 dong (90 cents) per DVD, or half of that for a CD.

These shops are open, just like any legitimate business. I checked one out and was impressed by the number of software titles it carried. While there, I also learned a thing or two about the piracy industry here in Vietnam.

The store I visited is a small shop facing a busy street, with walls covered in CD and DVD sleeves--all black and white copies of those found in the original software package.

"I hate having to use some sort of hack for them to work, but it's worth it. It's a no-brainer, really."
--Trung, college student, Vietnam

Virtually any PC software application I've ever heard of can be found here: Windows operating systems, popular Office suites, and high-end professional software such as Photoshop, AutoCAD, and CorelDRAW are available in any version. I even found different builds of Windows 7, which is currently still in pre-beta and is supposedly available to only a limited few.

These software applications, of course, come with "crack"--a hacking application that allows for bypassing the vendors' antipiracy mechanism. All are guaranteed to work; if not, you'll get another copy that does or get your money back.

Out of curiosity, I asked one of the shop's two operators, Nam--a friendly 24-year-old man--where this copious amount of software comes from. He said there's somebody who gets his shop the "master" copy of any titles he wants, and the master copy costs just about $5.

I made up a fancy name of a nonexistent software title and asked for it. After searching his large database to no avail, Nam indeed picked up the phone and made a quick call. After that he told me to come back the next day. "They don't have it now, but they probably will soon, don't worry!" he said, sounding very sure.

Originally posted at Crave

December 17, 2008 5:04 AM PST

This was originally posted at ZDNet's Between the Lines.

Yahoo said Wednesday that it will make its user logs anonymous within 90 days as it ups the ante on data retention policies.

In a statement, Yahoo said it would also make user data on page views, page clicks, ad views, and ad clicks anonymous as well as its user logs. The only exceptions would be for "fraud, security, and legal obligations."

Clearly, Yahoo, Google, and others are racing to the bottom on data retention policies. In particular, Google and Yahoo have been playing a game of privacy leapfrog.

In September, Google said it would make its user logs anonymous after 9 months, a vast improvement over its previous 18-month policy. Google, which was pressured by regulators, said that 9 months was a good balance between "sometimes conflicting factors like privacy, security, and innovation." In July 2007, Yahoo went with a 13-month purge policy.

Anne Toth, Yahoo's head of privacy, said that 90 days was the minimum time it needed to retain user data for business purposes. Yahoo reached that conclusion after a review of its data policies across the globe and consulting business, engineering, governance, and product teams.

As for the exceptions Yahoo said:

To protect users and our business partners, there will be some specific and limited exceptions to the anonymization policy. In order to fight fraud and preserve system security, Yahoo will retain system specific data in identifiable form for no more than 6 months--but only for this purpose. Yahoo may have to retain data for longer periods to meet other legal obligations.

December 16, 2008 1:44 PM PST

Microsoft issued a critical security warning Tuesday that a malicious exploit is making the rounds and attacking vulnerabilities in Internet Explorer 7.

The risk is believed to be widespread, given that IE 7 is the latest version of Microsoft's browser and is bundled with XP service pack 3 and also Vista, said Dave Marcus, director of security research and communications for McAfee's Avert Labs.

The AZN Trojan, which has been making the rounds since the first week of December, has the potential to infect users' systems with a Trojan horse, or "downloaders" that can download other forms of malware onto a user's system.

Microsoft announced it will release a security patch Wednesday via its automatic update system to patch users' computers.

Users can potentially get infected two ways, Marcus said. One is to visit a malicious Web site that already has the malware installed on the site; the other is to visit a legitimate site into which the attacker has inserted the malicious script to run in the background, leaving visitors unaware their systems have been compromised.

"A lot of Web sites are pushing out this exploit," Marcus noted. The infected sites range from Web sites that offer free wallpaper for mobile phones to sites that feature property to product-related sites.

Microsoft is encouraging users to update their systems once the patch is released Wednesday at 10 a.m. PDT.

December 15, 2008 3:00 AM PST

Updated December 17 at 9:00 a.m. PST with a comment from Lavasoft.

Lavasoft on Monday unveiled a new antivirus application it hopes will do as well as its runaway hit Ad-Aware.

The encore, Lavasoft Anti-Virus Helix, is Lavasoft's first full-fledged antivirus application. The problem is, it's nearly identical to one that already exists: Avira AntiVir.

A Lavasoft vice president told CNET in an e-mail:

Yes, we do have a technology partnership with Avira for the anti-virus engine technology, as our company expertise is in anti-spyware. We have customers who have been asking us for years to release a stand-alone anti-virus, because they do not want to be forced into using other security applications built into a suite that may not meet the standards they require...Lavasoft's contribution to the stand-alone anti-virus is a trusted brand in security software, particularly as we were the first to ever launch a commercial anti-spyware product.

Furthermore, Lavasoft admits to being opaque about their "partnership" except "when asked directly."

This is disingenuous, especially for a respected company that claims to deliver on a customer promise. It would be one thing if Lavasoft borrowed Avira's antivirus engine to complement its own antispyware program. It is another to thinly veil a recognized, proprietary product under a new color scheme and stamp it your own.

Performance

Lavasoft Anti-Virus Helix shares Avira AntiVir's interface, down to malware blockers, on-the-fly detection, a scanner, malware removal, and protection from e-mail viruses and Web threats. It offers full system scanning and, in addition, lets you pick from preset scans or create a profile to scan a smaller portion of your PC, for instance, just your "C" drive.

Like Avira AntiVir, Anti-Virus Helix scans fairly quickly and lets you get hands-on with the results.

(Credit: CNET)

Just like Avira AntiVir, Lavasoft's new antivirus app performed well in our tests. It beeped when encountering a suspicious file and wouldn't budge until we ignored, deleted, or quarantined it. While a good practice, the need to babysit the scan could undo the benefit of any overnight scans you schedule.

Lavasoft Anti-Virus Helix lets you do any number of things with the data, including print, save, and send reports. However, it could use an internal browser to look up information online about discovered threats.

Other extras can be found in the app's configuration menu. When you elect to enter expert mode, you'll be able to turn on rootkit scanning, scan outgoing e-mail messages, and specify MIME types to block (simplistically, any area of an e-mail where malware can hitch a ride). We appreciate being able to add suspicious files from the quarantine interface.

The fact that you have to manually discover and add SMTP e-mail and specific MIME details points to one of the app's biggest problems. Compared to Ad-Aware and others in Lavasoft's family, the dowdy Anti-Virus Helix is much less user-friendly in visual appeal, navigation, and organization. In fact, it bucks the trend most publishers embrace to favor icons over text lines in order to configure and start protections.

That's little concern for intermediate and advanced users who thrive on file trees and won't mind consulting the program's thorough help file when the tool tips aren't quite explanatory enough. Casual users who prefer to set it and forget it may wonder why Ad-Aware is so simple to schedule and run but Anti-Virus Helix takes more effort. They may also wonder why this application bundle was marketed under a new name in the first place.

Originally posted at The Download Blog

December 12, 2008 12:41 PM PST

An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicized two days ago, Microsoft says.

Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.

The company recommends setting the Internet zone security setting to "high" and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.

"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.

Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.

"The exploit sites we've seen so far drop a wide variety of malware--most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog says. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground."

People visiting trusted sites could be affected as well if those sites have been targeted by SQL injection attacks, through which malicious code is injected into sites, Microsoft says.

A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for January 13.

Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE 7 and IE 8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet to high; the attacker could only gain the same user rights as the local user; known attacks cannot exploit the issue automatically through e-mail.

December 11, 2008 12:54 PM PST

A new report from the Anti-Phishing Working Group is yet another reminder of the information security threats we all face. This latest publication states that the number of compromised URLs used to distribute malicious code nearly tripled in the 12-month period from July 2007 through July 2008.

This data, along with similar research from McAfee, RSA Security, Symantec, and Trend Micro, demonstrates that the bad guys are taking advantage of the global recession with an increase in attack volume and sophistication. Certainly, security professionals recognize this unsettling trend, and according to ESG Research data, security remains a top IT priority for 2009. Based upon recent activities, it appears the federal government also sees the need for countermeasures.

While insiders seem to see the storm approaching, however, I'm worried about the Internet everyman--"Joe the Online User," if you will. Information security tends to be an esoteric topic sure to bore the pants off friends and neighbors at upcoming holiday parties, but there's more in play than ignorance alone.

I am starting to see a whole bunch of no-name security grifters pitching second-tier products and services with Chicken Little, "the sky is falling" scare tactics. You tend to find these guys on drive-time radio and entertainment Web sites. I'm not alone in this observation. This week the U.S. District Court in Maryland ordered two fly-by-night companies to stop promoting "scareware" through online advertisements. These pop-up ads would warn Web surfers that their systems had been compromised by viruses, spyware, and even "illegal pornographic content." They were even so brazen as to suggest that users could be investigated or outed as some type of degenerate porn addict. Of course, they were happy to sell you software and services to alleviate the problem.

Unfortunately, there will always be a population of low-down dirtbags willing to take advantage of people's fears and hardships. After September 11 they pitched gas masks; they sold bottled water for $10 apiece following Hurricane Katrina. Given the cybersecurity activity out there, we are bound to see more and more of these security scams. The difference here is that security con artists are preying on fears that users really don't understand. Consumers may get scammed or become cynical--neither of which is good.

We need a focused effort to pull together as a security community, educate consumers, and push for strict punishment of these flimflammers. If not, things can only get worse.

December 11, 2008 4:00 AM PST

Pamela Warren, cybercrime strategist at McAfee

(Credit: Daniel Q. McDowell)

Editor's note: This is part of a series of stories about the recession's effect on the tech industry.

Last month, McAfee cybercrime strategist Pamela Warren sat down with a senior executive at a Sydney bank to discuss the risks to the corporate network from workers using social networking.

After going over the trade-offs associated with allowing insiders to use social networks at work, his team confirmed that they would use data leak prevention technology to monitor the network traffic--balancing the desire to benefit from such new technologies while ensuring company secrets remain protected.

Warren had a similar meeting with a U.S. government agency last week to discuss strategies for dealing with public employees using Web apps at work and mobile devices, which can introduce viruses and other security problems into a corporate network. And she's been preparing for the launch early next year of McAfee's Cybercrime Response Unit, a site where consumers can go when they think they've been victimized by online scams.

She's sharpening her focus on protecting Internet users because malware attacks are up now that economic times are tough. Online scammers have been going into overdrive with phishing and other online schemes aimed at people confused about the banking consolidation or who are desperate because of a layoff or foreclosure. In fact, there are direct correlations between targeted cyberattacks on consumers and the stock market decline over the past few months.

"It's a ripe economy to take advantage of people," she said.

Consumers are being scammed in a variety of ways. People are receiving phishing e-mails asking them to provide their bank account information so as to avoid having their bank account closed in a merger. They provide their bank information and their account balance is plundered.

People also are getting e-mails and seeing ads on the Web for work-from-home "jobs" where all they have to do to become an "international sales rep" is open a bank account to receive money in and then wire the money to some international third party. In reality, the transaction is nothing more than a money-laundering move, known as a "cyber mule operation," to transfer money to another country and hide the trail in an illegal deal. Typically, the transaction is a payment for some kind of illegal activity such as the exchange of lists of credit card information or personal data that can be used for identity fraud. (McAfee published a report about the rise in cybercrime earlier this week.)

An example of a cybermule ad.

(Credit: McAfee)

People who get involved in the schemes don't always realize that they can be arrested for using their bank accounts in this manner, although most arrests so far seem to have been made outside the U.S. Money mules are much more likely to get caught than the operators of the scheme.

"If this happened five years ago, it would have been different. But today we share so much information online. We are much more comfortable with sharing personal information. We are more susceptible," Warren said. "Then you add the concept of a down economy where people need money. It's like a perfect storm brewing up."

Malware that aims to steal personal data has risen from 130,000 pieces last year to 1.3 million this year, while suspicious money mule solicitations rose 33 percent in the first half of 2008 over all of last year, according to McAfee.

"Our prediction is it is going to get worse," Warren said, echoing what experts are saying about the economy in general.

Warren's strong sense of right and wrong and her desire to protect the innocent are in her blood; her father and her younger brother are police officers.

"I was never the kind of person, like my dad or brother, that wants to walk around with a gun every day and go after that kind of criminal, so I chose the intelligence business path," she said. "The core of the entire Warren family is about helping other people. We are just driven by that."

The 43-year-old grew up in Williamsburg, Va., and studied international affairs at Florida State University before getting a master's in telecommunications from George Washington University. She's also a certified information system security professional and certified information privacy professional.

She worked in the U.S. intelligence community for about 10 years, primarily with the National Security Agency looking at threats against the U.S. "I had to understand the security of networks to help track down governments or individuals who were trying to harm the U.S.," she said, declining to elaborate due to the sensitivity of the work. Before joining McAfee in January, Warren worked on security programs and consulting at Nortel Networks and security of chipsets at Intel.

Now, Warren, who spends her free time running with her dog, a Shiba Inu named Joey, in the mornings and volunteering at a marine mammal rehabilitation center in Sausalito, Calif., is helping "track the bad guys" on behalf of consumers and private companies.

The recent rise in threats aimed at financially downtrodden consumers offends her moral sensibilities. "You see the growth in identity theft and online fraud and you see what's happening to us worldwide in terms of the economic situation and it makes everything we do here more urgent," she said. "I think it's important to help people day to day around the world protect their privacy and protect themselves from loss."

Warren is adamant that people should not let the security risks associated with Internet applications keep them from taking advantage of what the technology has to offer. For instance, she relies on the Internet to keep connected with her nephew fighting in Iraq and would suffer if she were at a job where access to certain Web applications was restricted.

"Getting to see my nephew when he's in the middle of Iraq fighting in a war zone and I get snippets of his life on Facebook...it all helps motivate me on a daily basis," she said.

Next in the series: A contractor's roller-coaster ride in Redmond.

December 10, 2008 3:27 PM PST

Microsoft is investigating reports of a flaw in the WordPad Text Converter for Word 97 files, the company said on Tuesday. A Microsoft blog stated "we are aware of very limited and targeted attacks seeking to exploit this vulnerability."

On Wednesday security researchers reported finding a zero-day flaw affecting Microsoft Internet Explorer 7.

According to Microsoft Security Advisory 960906, the flaw only affects users of Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

When Microsoft Office Word is installed, Word 97 documents are set by default to open using Microsoft Office Word. Microsoft said Word is not affected by this vulnerability. However, an attacker could rename any malicious file to have a Windows Write (.wri) extension; the malicious file could invoke WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

The flaw cannot be exploited automatically through e-mail, however. For an attack to be successful, a user must open an e-mail attachment. Microsoft notes that the .wri file type can be blocked at the Internet perimeter.

Microsoft issued its standard disclaimer stating it is investigating the issue and would act upon completion of that investigation. Among the solutions, Microsoft could issue a service pack, include a bulletin in its next monthly security update, or issue an out-of-cycle security update depending on the severity of the issue.
