Microsoft launched its new Forefront Protection 2010 antimalware for Exchange on Monday.
The company also announced at the TechEd Europe conference in Berlin the availability of Forefront Online Protection for Exchange designed for enterprise customers who want Microsoft to host the security solution.
Forefront Protection 2010 for Exchange incorporates malware engines from Microsoft and various partners, providing 38 times faster malware detection and decreasing spam to the point where only one out of 250,000 spam messages gets through, said Joel Sider, senior project manager for Microsoft's Infrastructure division.
Integration with Exchange provides the ability to scan messages and documents simultaneously, while built-in information protection with Active Directory rights management services gives users and IT administrators more control over what e-mail and documents can do and who can receive them, he said.
The announcements were made in conjunction with the scheduled launch this week of Exchange 2010, the new version of Microsoft's e-mail and communications server.
Meanwhile, Microsoft said last month it was delaying the release of its Forefront Endpoint Protection 2010 for Windows desktops until the second half of next year.
The company will be rolling out over the next year all the pieces of its Forefront Protection Suite, formerly code-named "Stirling."
Update at 10:09 a.m. PST with comments from Microsoft.
Nothing has ever changed the world as quickly as the Internet.
Less than a decade ago, "60 Minutes" went to the Pentagon to do a story on something called information warfare, or cyberwar as some people called it. It involved using computers and the Internet as weapons.
Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, steal millions of dollars from banks all over the world, infiltrate defense systems, extort millions from public companies, and even sabotage our weapons systems.
Today it's not only possible, all of that has actually happened. And there's a lot more we don't even know about.
It's why President Obama has made cyberwar defense a top national priority and why some people are already saying that the next big war is less likely to begin with a bang than with a blackout.
"Can you imagine your life without electric power?" Ret. Adm. Mike McConnell asked "60 Minutes" correspondent Steve Kroft...
Read more of "Cyber War: Sabotaging the System" at CBSNews.com.
Microsoft said on Thursday it will issue six patches next week for 15 vulnerabilities, including three critical bulletins affecting Windows and two important Office-related bulletins.
Affected software includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, the company said in an advisory.
November's Patch Tuesday is a contrast to the record number of fixes issued last month--13 bulletins for 34 vulnerabilities.
Updated 2:52 p.m. PST to correct that there will be six patches fixing 15 vulnerabilities.
Google's biggest threat is no longer Microsoft. It is itself.
As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...
...and at freaking them out over privacy concerns.
In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.
But in so doing Google also becomes more threatening to the very consumers it is trying to serve.
Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.
As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.
Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.
Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.
It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.
It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.
People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)
This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.
I wasn't trying to evade lock-in. I was trying to increase personal happiness.
Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year-old's seventh-grade essay.
Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.
A very smart move by Google, one that all data-driven businesses should emulate.
Follow me on Twitter @mjasay.
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.
Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to Dispensa at the beginning of September.
Read more of "Zero-day flaw found in web encryption" at ZDNet UK.
The Lose/Lose game warns players before they launch the application that they are likely to have files deleted.
(Credit: Lose/Lose)
As part of his Master of Fine Arts thesis project, Zach Gage wrote a game to run on Macintosh computers that resembles Space Invaders but with a digital roulette twist--for every alien space ship the player destroys, a random file on the computer is deleted.
"Lose/Lose is a video-game with real life consequences. Each alien in the game is created based on a random file on the player's computer. If the player kills the alien, the file it is based on is deleted. If the player's ship is destroyed, the application itself is deleted," the computer technology design major wrote on his Web site.
"At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?" he asks.
On September 14, Gage posted his "Lose/Lose" game on his Web site and at the Experimental Gameplay Project, which links back to his site where he has a big warning in red: "KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARDDRIVE PERMANENTLY." The application also displays a warning when it is launched.
This week, Symantec announced that it has flagged the application as malware, a Trojan it has dubbed OSX.Loosemaque. Sophos is calling it a Trojan too, OSX/LoseGame-A, and Intego has named it OSX/LoserGame.
"We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not."
Asked to comment on the stir his project was creating, Gage seemed amused.
"I'm kind of OK with it being labeled malware," he said in a phone interview. "I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious...Calling it a Trojan is really blowing it out of proportion."
Trojan horses are programs, typically masquerading as a benign program or hidden in legitimate software, which provide an attacker unauthorized access to the system. However, Gage's program explicitly says what it does and what the consequences are.
In addition to exploring the nature of risk and reward with regard to war and the notion of how small wins distract from the larger picture, the game provokes discussion about the risks people take with technology every day, Gage said.
"We need to pay attention to how we behave on computers," he said.
Apparently, some people don't mind playing with fire. The list of high scorers on the game site shows more than 40 players, with the highest score having destroyed nearly 5,000 files, or aliens.
"I'm surprised anyone has played it," Gage said. "I'm shocked."
Asked to comment on any possible beneficial merits of the project, Symantec's Haley said: "I don't see the positive aspect of it, but I suppose if it's art we're not supposed to completely understand it."
Symantec created a video that shows how the game works. When an alien ship is destroyed (on the left) a corresponding file is deleted (on the right).
(Credit: Symantec)
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses that have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.
Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."
A hacker in the Netherlands broke into some jailbroken iPhones and sent text messages to the owners asking them to pay to find out how to secure their phones, according to postings in a Dutch forum called Tweakers.net.
One of the victims posted a screenshot from his iPhone of the SMS received. It said: "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."
The URL provided now displays a message indicating that it was reported for spam or phishing abuse and has been deactivated.
Ars Technica reports that before the page was removed, it asked that victims send 5 euros ($7.36) to a PayPal account and then await an e-mail with instructions on how to secure the phone. The fix probably would involve restoring the factory settings, according to the Ars Technica post.
"If you don't pay, it's fine by me," the hacker's page said. "But remember, the way I got access to your iPhone can be used by thousands of others--they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."
Malwarebytes is accusing China-based computer security firm IObit of intellectual property theft, but IObit denied the allegations and said there were problems with its malware submission site.
Malwarebytes claims IObit stole from its database of signatures of malicious applications that its software uses for detecting malware on customer computers.
Malwarebytes discovered that IObit's Security 360 free anti-malware software was flagging a specific key generator piece of code for Malwarebytes' Anti-Malware software and using the same naming scheme, which includes the phrase "Don't Steal Our Software," according to a blog post on the Malwarebytes.org site.
This screen shot shows IObit's product uses the same naming scheme as Malwarebytes.org.
(Credit: Malwarebytes.org)
After finding additional evidence, Malwarebytes conducted a test and added fake definitions for a fake rogue application to its database of malware. Within two weeks, IObit was detecting the fake files and using "almost exactly" the fake names, Malwarebytes said.
"We soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database," the blog post says. "They are using both our database and our database format exactly."
Malwarebytes, which said it uncovered evidence that IObit may have stolen proprietary databases of other security vendors as well, said it plans to pursue legal action against IObit.
IObit denied the allegations, saying it was a "mistake," and accused Malwarebytes of spreading "malicious rumors." IObit said it would soon release a legal letter and an explanation about the technical aspects that prove its case. In the meantime, IObit temporarily deleted all disputed items in its database to avoid "dispute and possible problems" and disabled its malware submission page, the company said in a blog post.
Basically, someone submitted samples with the name used by another vendor, the post says.
"Unfortunately, IObit database analyzer carelessly used the names provided by the submission. This mistake can be understood because it is very normal--Many enthusiastic IObit users find there are samples missed by IObit Security 360 but detected by other anti-malware products, then they would submit these samples to us and provide names defined by other anti-malware vendors."
"There are holes and problems with IObit malware submission procedure and database management," the post concluded.
Malwarebytes found that IObit's product detected the fake malware Malwarebytes put in its database as a test.
(Credit: Malwarebytes.org)
Web and e-mail security provider M86 Security was set to announce on Tuesday the acquisition of Finjan.
Finjan brings to the table a secure Web gateway product and software-as-a-service solutions, M86 said in a statement. Under the merger, which is effective immediately, Finjan will maintain a development center and operations in Netanya, Israel.
U.S.-based Finjan SW will remain an independent company to retain its malware detection intellectual property, according to a statement.
M86 was created a year ago with the merger of Marshal and 8e6. In March 2009, the combined company acquired behavioral malware detection company Avinti.
Last week, Cisco Systems said it was buying Web-based security software company ScanSafe. And earlier in October, Barracuda Networks, which makes security appliances, announced its purchase of Purewire, a Web security-as-a-service provider.
Meanwhile, vulnerability management provider Rapid7 recently acquired Metasploit, an open-source penetration testing framework and exploit database.




