
Security

November 20, 2008 4:56 PM PST

As the economy worsens and more people get laid off, online fraud and financial scams are rising, security experts say.

Many of the scams lure people in with promises of quick and easy money. For instance, there has been a marked increase in money mule recruitment scams for people to transfer funds online between countries, and other illegal work-related spam in recent months, security firm Panda said on Thursday. Such offers promise $225 or more a day for what they call "rebate processing" work at home.

"The schemes are aimed at people who are desperate in rough times and who are likely to respond as they lose jobs," said Ryan Sherstobitoff, chief corporate evangelist at Panda.

While the U.S. unemployment rate increased by over 6 percent between August and October, reaching a 14-year high of 6.5 percent, dubious work recruitment scams rose 514 percent over that same period, according to statistics from the Honeypot Project, a security-focused research group.

Those types of recruitment spam hit an all-time high as a percentage of total spam, topping 0.31 percent, up from 0.23 the previous month and 0.13 percent in August, reports PandaLabs, the malware analysis laboratory of Panda.

Meanwhile, the success rate for the money mule operations in North America was on average 66 percent higher than the success rates of such scams in other regions, said PandaLabs, which analyzed a sample population of seven large mule networks around the world. Recipients respond to about one in three of the money mule e-mails, he said.

This is an example of a money mule laundering e-mail, the type of which has risen along with the U.S. unemployment rate, PandaLabs says.

(Credit: PandaLabs)

In the money mule scams, e-mails offer jobs as independent contractors and commissions for processing rebates that are supposedly from purchases made at legitimate companies. "Applicants" are asked to provide their bank account information and are then instructed to wire money that is deposited into their accounts to drop boxes via Western Union, said Sherstobitoff.

Rather than processing actual rebates, the operation is designed to launder stolen money from one country into another through legitimate bank accounts, he said. The "contractor" may or may not receive a small sum in exchange, but it won't be enough to make up for the risk posed by participating in an illegal scheme, he said.

Also believed to be related to the economic downturn is a spike in phishing attempts, whereby fraudsters lure people into providing sensitive bank and personal information on malicious Web sites that appear to be legitimate bank sites. The phishing e-mails lately have been made to look like they come from banks that have been involved in mergers, such as Chase and Washington Mutual, and are preying on bank customers who may be confused.

Over the last month there has been a significant increase in phishing attacks, meaning newly discovered malicious Web sites that victims are directed to via e-mail, according to security firm Cyveillance.

The daily average number of phishing attacks detected has risen from 400 or fewer in the first quarter of 2008 to more than 1,750 in the past month, the firm said. On one day the number of attacks spiked to greater than 13,000, said Cyveillance, which helps commercial customers get phishing sites taken down.

It is unknown how many people are actually falling for the phishing scams and losing money, Brooks said.

The attacks are easy to do once e-mail addresses are obtained, and the risk of getting caught is incredibly small while the payoff can be huge, said James Brooks, director of product management at Cyveillance.

"Phishers are getting rich and are very organized," he said. Meanwhile, "no one is going to jail over it."

Firefox and Internet Explorer have built-in features that warn Web surfers when a site they are visiting is potentially harmful, and Google has a Firefox extension that alerts people when a page appears to be requesting personal or financial information under false pretenses.

"None of these (technologies) are foolproof, but they're a step in the right direction," Brooks said.

November 20, 2008 4:10 PM PST

USB thumb drives are convenient, popular and often free--and they're spreading viruses like sailors on shore leave.*

The US-CERT (Computer Emergency Response Team) issued a warning on Thursday that malicious code is increasingly propagating via USB flash drive devices.

Meanwhile, the U.S. Department of Defense has temporarily banned the use of thumb drives, CDs, and other removable storage devices because of the spread of the Agent.bzt virus, a variant of the SillyFDC worm, according to Wired.

We've seen this before with portable external storage devices. Floppy disks were the culprit in the early 1990s, followed by CDs. The fact that USB thumb drives are being used by so many people makes them an attractive target for virus writers.

"The bad guys are intentionally developing new flavors of malware designed to propagate through USB devices," said Gunter Ollmann, chief security strategist for IBM's ISS security division. "They are today's floppy drives."

(Credit: CNET News/James Martin)

But USB drives are even handier. Their small size makes them easy to slip into a pocket or carry on a lanyard around your neck. A common swag item in the tech industry, they also are mainstream consumer storage devices. They literally litter my desk drawers.

There are a couple of ways USB thumb drives can be used to spread viruses and other malicious software.


November 20, 2008 2:15 PM PST

British prime minister Gordon Brown spoke on Thursday (at least indirectly) about the future of Gary McKinnon, a 42-year-old UFO enthusiast accused of hacking into several U.S. military sites. These were the prime minister's first public comments on the case, which, after six years, took a twist over the summer.

McKinnon lost his last fight against extradition in July but has yet to arrive in the United States to stand trial. His lawyers are continuing to appeal within the E.U. courts. McKinnon, who has been diagnosed with Asperger's syndrome, has said he would prefer to stand trial within the U.K., or at the very least serve his sentence in the U.K.

Brown spoke while taking questions at the House of Commons. While he did not address McKinnon's case directly, he did say the "U.K. and the U.S. are signatories to the Council of Europe convention on the transfer of sentenced persons, which enables a person found guilty in the United States of America to serve their sentence in the U.K."

Colin Barker of ZDNet.co.uk has more details.

November 20, 2008 1:42 PM PST

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.


Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years.

(Credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking. The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.

Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, ranging from Fortune 100 companies to retail companies like Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 products.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made policy decisions for the end user and further allows the more advanced end user to customize the settings based on overall comfort level, not individual files.

During our talk, Morley took issue with antivirus vendors who are saying they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring the applications after checking them once.

And many of the antivirus products are using community feedback to determine reputation. So if 1,500 users are showing this file on their PC, then Symantec, for example, is going to be more inclined to say that file probably should be on a person's desktop. Symantec says community feedback is just one of the criteria; there are researchers who will be confirming the reputation of a file as well.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then pass that knowledge to all its customers so everyone is protected.

Originally posted at Defense in Depth

November 20, 2008 11:30 AM PST

(Credit: AOTA)

Extended certificate validation for Web sites has boosted online confidence in 2008, according to a statement released Thursday by the Authentication and Online Trust Alliance (AOTA).

This could help online consumers looking for sites to trust on Cyber Monday, the first shopping Monday after Thanksgiving when online purchases are at their peak.

Sites with Extended Validation (EV) certificates added to Secure Sockets Layer (SSL) encryption display their URLs in a green bar in the address field of compatible browsers. This signals to the user that there is increased scrutiny of the Web site. In Firefox 3, a user clicks the green bar to see additional certificate information. Same with Internet Explorer.

The idea here is that a trusted third-party certificate authority will vouch for the Web site beyond the minimal "domain validation only" in place today with traditional SSL certificates. EV SSL sites must establish a legal identity and a physical presence for the site owner, establish that the owner has exclusive control of the site, and confirm the identity of the owner.

A study last year by Tech Ed Research found that participants were more likely to click on a link with a green EV SSL link than on sites with the padlock icon traditionally associated with SSL.

The AOTA also announced that starting in January 2009, the US Internal Revenue Service will require all authorized IRS e-file providers participating in online filing of individual income tax returns to have a valid and current EV SSL certificate. The IRS is also requiring e-file sites to publish privacy information and safeguard policies, to obtain a privacy seal signifying an IRS-approved service, and to report all security and privacy breaches directly to the IRS.

PayPal and eBay have both been early supporters of EV SSL. In April, PayPal announced it would block users who did not use an EV SSL-compatible browser on its site. In May, a researcher found a vulnerability with EV SSL that affected PayPal and other sites, a flaw that was quickly remedied.

Browsers supporting EV SSL include Microsoft's Internet Explorer 7, Internet Explorer 8, Safari 3.2, Firefox 3, Opera 9.5, and Google Chrome.

November 19, 2008 5:57 PM PST

Want to watch a high-definition show from iTunes on an older external display? Good luck!

Some Mac users are teed off that they are getting error messages saying the iTunes movie they rented or bought can't be played on their display because it is not HDCP (High-bandwidth Digital Content Protection) authorized.

And some people are complaining they are only able to play certain standard definition iTunes content on their laptop or via an HDMI connection.

As a result, some Apple forum participants have threatened to boycott iTunes.

"And here we are now with Apple users who have spent thousands of dollars on Apple hardware (30" Cinema displays are not cheap!), buying films legitimately through Apple's store only to find themselves screwed when they just want to watch the film!" wrote "non-troppo" on the Apple Discussions Forum.

Forum participant Jim Beggans complained that Apple expanded the usage limitations of iTunes without updating the published usage terms.

"It is imperative that Apple address this customer concern with NEW terms of service (which will require them to offer some remedy for existing purchases) and clarify that HDCP is now a standard part of their products regardless of which mode of the DisplayPort is in use," Beggans wrote.

ArsTechnica, which first covered the issue, reports that Apple's new MacBook is using DPCP, or DisplayPort Content Protection, which was developed by Philips.

The Mini DisplayPort connector used on Apple's new MacBooks and MacBook Pros uses DPCP to prevent iTunes files from being played on devices that are not compliant with either DPCP or HDCP, a copy-protection technology used with the HDMI standard. DPCP supports the HDCP technology, but is considered a stronger level of encryption, according to the Video Electronics Standards Association.

"While Apple's own Apple TV has used HDCP to protect video files playing from its HDMI port, this is the first time we've heard of Apple bringing HDCP DPCP to its hardware," David Chartier writes on ArsTechnica.

Basically, Apple is moving forward with a new standard that is not compatible with older displays. In the past, Apple has shown a willingness to forge ahead with new technology that doesn't always play nice with the older stuff, and the decision to use the Mini DisplayPort connector on the new MacBooks and MacBook Pros ensured that DPCP and HDCP would come along for the ride.

"Apple's compliance with HDCP--a necessary but appalling condition of the content companies that deliver the HD movies and TV shows--is beginning to close out the 'analog hole' and cause real aggravation for laptop owners with legitimate use cases," writes Michael Rose on The Unofficial Apple Weblog site.

Andy Foster sums the situation up on his Computer Blog: "In other words, the only way any of us can guarantee we can play the stuff we buy that is HD is to ensure we have the newest in hardware."

What does Apple have to say for itself? We don't know and likely won't. Apple representatives did not return repeated phone calls and e-mails seeking comment over two days.

(CNET News' Tom Krazit contributed to this report.)

Originally posted at Apple

November 19, 2008 3:21 PM PST

(Credit: Finjan)

Finjan, which sells Web gateway security software to the corporate market, announced Wednesday a $22 million investment round.

HarbourVest Partners led the round, which also includes Benchmark Capital, Israel Seed Partners, Benhamou Global Ventures, and Cisco Systems.

San Jose, Calif.-based Finjan said it plans to expand its sales and marketing infrastructure with the money.

November 19, 2008 2:32 PM PST

Green Hills Software announced this week that it is spinning off a new company to bring its military-grade Integrity operating system to the enterprise market.

Integrity, which sits on top of the processor, controlling access to hardware and devices, has received the EAL6+ (Evaluation Assurance Level) rating, the highest rating for an operating system.

It's already being used in the B1 bomber, the F35 joint strike fighter, the Airbus 380, Boeing 767, and NASA's next-generation shuttle, and now will be available for use on computers running Windows, Linux, and other desktop operating systems.

The operating system's virtualization features can protect corporate networks by isolating viruses and other malware from other parts of the computer system, said David Chandler, chief executive of Integrity Global Security.

The software can be particularly beneficial for critical infrastructure and call centers, which are often outsourced and staffed by contractors, he said. "We can provide a secure environment and only show the information necessary for someone to do their job," he said.

"What Integrity has is much better than what's currently available on the market," said Neil MacDonald, a vice president of analyst firm Gartner.

"The challenge will be convincing people that they need this; that they have to be doing something different from what they're doing now with commercial software like VMware or Microsoft's Hyper-V technology," he said. "In the commercial world there is the challenge of 'good enough' security and do they really need military-grade or gold-plated security versions of what commercial companies have to offer."

November 19, 2008 2:07 PM PST

The University of Texas at San Antonio launched a new incubator that will help commercialize security technologies.

Ravi Ganesan, head of the incubator at the Institute for Cyber Security at the University of Texas at San Antonio

(Credit: Institute for Cyber Security)

The Institute for Cyber Security's (ICS) new incubator will provide start-ups access to seed capital, business advice, and office space and infrastructure on the campus. It is getting $5.5 million in funding from the state of Texas.

The first two start-ups being incubated are Denim Labs, which developed technology that protects PHP-based Web sites against certain types of intrusions, and SafeMashups, which enables Web mashup applications to authenticate with each other before exchanging data.

The ICS also has ongoing projects dealing with combating botnets and social network privacy that could eventually turn into start-ups, said Ravi Ganesan, who runs the incubator.

"San Antonio has the second-highest concentration of intelligence and classified work after Washington, D.C., and a large military presence," he said. "The goal is to...make San Antonio a go-to place for entrepreneurs and jobs."

With the economy in decline and venture capital money getting scarcer, the incubator can give security start-ups the help they need to get off the ground, said Ganesan.

"It feels like 2002 all over again," said Ganesan, who previously ran security at Verizon and co-founded TriCipher along with ICS head Ravi Sandhu. "The advantage we bring to the table is we lived through 2002. We know how to lie low and wait for the VCs to bring capital."

Rebecca Bace, a venture consultant for Trident Capital who formerly headed intrusion detection research at the NSA and is chief executive of the Infidel consultancy, agreed. "It's an appropriate time and actually fills a niche in the market for trying to foster new ideas in security," she said.

November 19, 2008 10:38 AM PST

Updated at 1:15 p.m. PST Wednesday with comment from Symantec and at 11:45 a.m. PST Thursday with comments from McAfee and Kaspersky.

For some security companies, Microsoft's decision to offer a free anti-malware product, code-named Morro, won't result in a dramatic change in how they do business.

Morro will be available in the second half of 2009 and will protect against viruses, spyware, rootkits, and Trojans, according to Microsoft.

"With OneCare's market share of less than 2 percent, we understand Microsoft's decision to shift attention to their core business," Joris Evers, director of worldwide public relations for McAfee, said in an e-mail.

As for confronting a free malware solution from a software giant, Evers said, "With more malware attacks than ever before, we believe our advanced technology, commitment to consumer education, superior protection, dedicated focus on security, and our 20-plus years in this business will provide consumers the confidence to choose McAfee as their trusted adviser and expert in security."

Justin Priestley, senior vice president of consumer sales at Kaspersky Lab's Americas division, also seemed not that concerned at the prospect of facing a free security solution from Microsoft.

"Having entered the U.S. consumer market at the same time as Microsoft, we initially viewed them as a formidable player. They've continued to hold a very low market share in the consumer market, and we don't expect the exit of OneCare to change the playing field drastically," Priestley said. "With the increasing threat malware and Web attacks pose, security is as important as ever, and we believe people will continue to choose antimalware software based on the quality of protection and will choose the highest-level product available."

Rowan Trollope, senior vice president of Symantec's consumer business, characterized the announcement as a "capitulation by Microsoft, and a reinforcement of the notion that it's simply not in Microsoft's DNA to provide high-quality, frequently updated security protection."

Here's the rest of his statement, provided via e-mail:

Consumers have already rejected OneCare, even though it entered the market at a lower price, because OneCare offered substandard protection and poor performance, as evidenced by scores of third party reviews. The offering only gained modest market share and ultimately was deemed unsuccessful in the marketplace.

Making a significantly scaled-back version of that same substandard security technology free won't change that equation. Simply put, innovation and protection matter. So even if it's free, the Microsoft "OneCare-light" offering will certainly fare worse than its predecessor, essentially putting consumers at increased risk without additional protection.

Additionally, our research clearly indicates that, after effective protection, what consumers care most about in a security product is performance. OneCare is widely recognized as one of the most egregious offenders in hogging system resources.

On Tuesday, Amy Barzdukas, senior director of product management for the Online Services and Windows Division at Microsoft, had dismissed similar criticism from McAfee. "If the current approach isn't working (as far as protecting consumers broadly), we need to go with a new approach," she said.

A representative for AVG Technologies, maker of AVG Antivirus, told CNET News on Wednesday, "We view this as a positive step for the AV (antivirus) landscape. AVG has believed in the right to free antivirus software for the past eight years."

The company said it will be "business as usual" and doesn't plan to make any changes to its own product offerings as a result. "Based on what Microsoft is planning to deliver, we don't feel the need to make any changes to our free product at this time," the company said.

Asked if AVG had any advice for Microsoft, the company said "consumers will use a free product if it's robust and it protects them. The product has to be easy to use, fast, unobtrusive, and be able to address the latest Web threats."

Alex Eckelberry, CEO of Sunbelt Software, maker of Vipre Antivirus + Antispyware, said the move to get out of a profitable business appears to be a capitulation on Microsoft's part. "This gives them a chance to do something altruistic while getting out of an unattractive business," he said. He noted that Microsoft will still be selling Microsoft Forefront, a collection of business security products.

Eckelberry said there remain two questions: One, how exactly will Microsoft distribute the product (will it consider bundling it with Windows 7)? And two, will the company make the application available through enterprise group policy management?

In the end, AVG said the market still needs to be educated. "Microsoft will have to do more than simply make the product available," the AVG representative said.

(CNET News' Elinor Mills contributed to this report.)
