Malwarebytes is accusing China-based computer security firm IObit of intellectual property theft, but IObit denied the allegations and said there were problems with its malware submission site.
Malwarebytes claims IObit stole from its database of signatures of malicious applications that its software uses for detecting malware on customer computers.
Malwarebytes discovered that IObit's Security 360 free anti-malware software was flagging a specific key generator for Malwarebytes' Anti-Malware software and using the same naming scheme, which includes the phrase "Don't Steal Our Software," according to a blog post on the Malwarebytes.org site.
This screen shot shows IObit's product uses the same naming scheme as Malwarebytes.org.
(Credit: Malwarebytes.org)
After finding additional evidence, Malwarebytes conducted a test and added fake definitions for a fake rogue application to its database of malware. Within two weeks, IObit was detecting the fake files and using "almost exactly" the fake names, Malwarebytes said.
"We soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database," the blog post says. "They are using both our database and our database format exactly."
Malwarebytes, which said it uncovered evidence that IObit may have stolen proprietary databases of other security vendors as well, said it plans to pursue legal action against IObit.
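The test Malwarebytes describes is a canary check: plant fake definitions that cannot have come from anywhere else, then look for them in another database. The script below is an added example of that audit, not code from Malwarebytes or IObit; the canary names, hashes and the "foreign" database are constructed placeholders, and a near-name match is judged with a difflib similarity ratio.

```python
"""Audit a signature database for planted canary definitions.

Added example (not the vendors' code). Canary entries and the foreign
database below are constructed placeholders.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed canary definitions: detection names for samples that do not
# exist in the wild, keyed by a placeholder hash of the planted sample file.
CANARIES: Dict[str, str] = {
    "canary-hash-0001": "Rogue.FakeCleaner2009",
    "canary-hash-0002": "Trojan.Canary.DontStealOurSignatures",
}

# Constructed signature database to audit: (sample hash, detection name).
FOREIGN_DB: List[Tuple[str, str]] = [
    ("canary-hash-0001", "Rogue.FakeCleaner2009"),                # hash and name copied verbatim
    ("other-hash-7777", "Trojan.Canary.DontStealOurSignature"),   # "almost exactly" the canary name
    ("other-hash-8888", "Worm.Generic"),                          # unrelated entry
]


def normalize(name: str) -> str:
    """Lower-case and strip punctuation so Foo.Bar-1 and foo_bar1 compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def name_similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] between two normalized detection names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def canary_hits(
    canaries: Dict[str, str],
    foreign_db: List[Tuple[str, str]],
    threshold: float = 0.9,
) -> List[Tuple[str, str, str]]:
    """Return (canary_name, foreign_name, reason) for each foreign entry that
    matches a planted canary either by sample hash or by near-identical name.

    A hash match means the planted file itself was ingested; a name match
    without the hash means the naming scheme was copied.
    """
    hits: List[Tuple[str, str, str]] = []
    for f_hash, f_name in foreign_db:
        if f_hash in canaries:
            hits.append((canaries[f_hash], f_name, "same sample hash"))
            continue
        for c_name in canaries.values():
            if name_similarity(c_name, f_name) >= threshold:
                hits.append((c_name, f_name, "near-identical name"))
                break
    return hits


if __name__ == "__main__":
    for canary, foreign, reason in canary_hits(CANARIES, FOREIGN_DB):
        print(f"{reason}: canary {canary!r} -> foreign {foreign!r}")
```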
IObit denied the allegations, saying it was a "mistake," and accused Malwarebytes of spreading "malicious rumors." IObit said it would soon release a legal letter and an explanation of the technical aspects that proves its case. In the meantime, IObit temporarily deleted all disputed items in its database to avoid "dispute and possible problems" and disabled its malware submission page, the company said in a blog post.
Basically, someone submitted samples with the name used by another vendor, the post says.
"Unfortunately, IObit database analyzer carelessly used the names provided by the submission. This mistake can be understood because it is very normal--Many enthusiastic IObit users find there are samples missed by IObit Security 360 but detected by other anti-malware products, then they would submit these samples to us and provide names defined by other anti-malware vendors."
"There are holes and problems with IObit malware submission procedure and database management," the post concluded.
Malwarebytes found that IObit's product detected the fake malware Malwarebytes put in its database as a test.
(Credit: Malwarebytes.org)
The feature-rich versions of popular security program AVG have been updated, with AVG Technologies claiming faster scan times, faster boot times, and other under-the-hood improvements. While version 8 introduced a consolidated product line, making those features work better together is the focus of AVG Internet Security 9 and AVG Anti-Virus 9.
AVG is making some bold claims for these updates. The company is touting scan times that are "up to 50 percent" faster, based on marking files safe until their file structure changes, and boot times that are "10 to 15 percent" faster. Memory usage is also expected to be "10 to 15 percent" better. The built-in firewall, available only in the Internet Security version, uses a new database for automatically determining whether certain programs are safe to access the Internet without user input. This trusted database, called TrustedDB by AVG, should be less intrusive, querying for user input 50 percent less often than in the previous version, says AVG. Also, the installation process has been shortened from 22 screens to 11.
There are few wholly new features available in version 9, but an interesting one is the Identity Theft Recovery Unit. Included in AVG Anti-Virus and AVG Free, but only for users in the United States, ITRU is a business partnership with Identity Guard, which provides "consumer identity theft solutions." Accessible only from the browser toolbar, which works only in Firefox or Internet Explorer, the service provides "a dedicated identity theft recovery unit with fraud experts" to assist with handling the case, getting and analyzing a credit report, enrolling in credit file monitoring, and filing reports.
In hands-on testing last week, I found AVG to be relatively easy to navigate around, although the interface could be simpler. When you click on one of the items in the main window, you must double-click on one of the features to access more information on it. A single click, or even a mouse-over pop-up, would make the experience faster. Before I even ran my first scan, AVG detected icons associated with Pidgin as threats.
AVG 9 looks very similar to AVG 8. Most of the changes are under the hood.
(Credit: Screenshot by Seth Rosenblatt/CNET)
Double-checking them against Avira and McAfee revealed those detections as false positives, and when I finally ran the Fast Scan it took longer than 20 minutes. That doesn't compare favorably to competitors, some of which can complete a first Fast Scan in around 60 seconds. I was also surprised to find that Mozilla Thunderbird was not automatically approved to go through the firewall, despite the new firewall trusted database. While the installation process offers to install the browser toolbar for you, it doesn't seem possible to opt out during the installation and then install it later from the AVG interface, a strange oversight.
AVG Internet Security 9 is available for $49.99, and AVG Anti-Virus costs $34.99. Both come with a one-year license and a 30-day trial, although AVG Anti-Virus lacks the firewall, identity protection, antispam, and system tools that come in AVG Internet Security. Fans of the free version of AVG 9 will have to wait a bit longer, as AVG always delays the release of Free until after the full suites have been made public.
Albert Gonzalez, the alleged ringleader of one of the largest known identity theft cases in U.S. history, has agreed to plead guilty to all 19 counts of related charges against him, according to court documents filed Friday.
Gonzalez, 28, of Miami, was accused in August 2008 of helping steal millions of credit card and debit card numbers from major U.S. retail chains. Among the retailers hacked were TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21, and DSW.
Under the plea agreement filed with the U.S. Attorneys Office in Boston, Gonzalez would serve a sentence of 15 to 25 years after pleading guilty by September 11 to charges of conspiracy, wire fraud, aggravated identity theft, and money laundering (PDF).
Gonzalez, who is already in jail, would also have to forfeit a range of possessions, such as almost $3 million in cash, his Miami condominium, a 2006 BMW, several computers, and three Rolex watches.
The agreement also resolves 2008 charges pending against Gonzalez in federal court in New York for hacking the computer network of Dave & Buster's restaurant chain.
A former federal government informant, Gonzalez was also recently indicted in New Jersey, along with two unnamed Russian men, on charges of hacking into Heartland Payment Systems, as well as systems for 7-Eleven, the Hannaford Brothers supermarket chain, and two unnamed corporate victims. They also allegedly stole data related to more than 130 million credit and debit cards. This is considered to be one of the biggest data breach cases in U.S. history.
Rene Palomino, who is listed as Gonzalez's attorney within Friday's plea agreement, did not immediately return a call seeking comment.
Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.
Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all lightweight Cisco wireless access points, as well as the exploit that could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.
"We found it in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."
Basically, the Cisco access points generate an unencrypted multicast data frame that is sent over the air and includes unencrypted data like the MAC address and the IP address of the wireless controller, as well as some configuration options, he said. The controller is used to manage the access points.
With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.
"Someone out in the parking lot or a neighbor can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."
If an access point has the OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With the OTAP feature enabled, a newly deployed Cisco access point will listen to the multicast data being broadcast to find the address of its nearest controller.
However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, he said.
Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network," Williamson said.
AirMagnet has informed Cisco about the problems and Cisco is working on a solution, Williamson said.
"As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.
"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," he said. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported, consistent with our well-established disclosure process."
Cisco has 65 percent to 70 percent of the install base for wireless LANs, according to Stan Schatt, security practice director at ABI Research.
"What this really shows is that more and more companies have to have 7/24 monitoring of their LANs," he said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."
An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical apps onto the network for use by doctors and nurses with Wi-Fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission critical phone systems," he said.
To mitigate against any attacks, Cisco customers should disable the OTAP feature and use a separate intrusion detection system that can detect whether someone is snooping on the network, as well as monitor that all access points on a network are authorized, AirMagnet said.
Updated 11:02 a.m. PDT August 25: Cisco released an alert on Tuesday that describes the finding as a low-risk vulnerability that could allow unauthorized control of a wireless access point and which could allow an unauthenticated, remote attacker to cause a denial of service condition.
"Any clients attempting to register to the AP (access point) will be unable to access network resources, but the AP is still unable to authenticate wireless clients," the company said in a statement. "There is no risk of data loss or interception. Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose."
Software updates and patches were not yet available, Cisco said.
Editors' note: This is a guest column. See Ari Juels' bio below.
Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.
The population of the world stands at about 7 billion. So it takes only 10 digits to label each human being on the planet uniquely.
This simple arithmetic observation offers powerful insight into the limits of privacy. It dictates something we might call the 10-Digit Rule: just 10 digits or so of distinctive personal information are enough to identify you uniquely. They're enough to strip away your anonymity on the Internet or call out your name as you walk down the street. The 10-Digit Rule means that as our electronic gadgets grow chattier, and databases swell, we must accept that in most walks of life, we'll soon be wearing our names on our foreheads.
A study of 1990 U.S. Census data revealed that 87 percent of the people in the United States were uniquely identifiable with just three pieces of information (PDF): five-digit ZIP code, gender, and date of birth. Internet surfers today spew considerably more information than that. Web sites can pinpoint our geographical locations, computer models, and browser types, and they can silently track us using cookies. Banking sites even confirm our identities by verifying that our log-ins take place at consistent times of day.
Database dossiers, too, carry surprising amounts of identifying information, even when specifically anonymized for privacy. Researchers at the University of Texas at Austin last year studied a set of movie-rating profiles from about 500,000 unnamed Netflix subscribers (PDF).
Knowing just a little about a subscriber--say, six to eight movie preferences, the type of thing you might post on a social-networking site--the researchers found that they could pick out your anonymous Netflix profile, if you had one in the set. The Netflix study shows that those 10 deanonymizing digits can hide in surprising places.
Our physical belongings also betray our anonymity by silently calling out identity-betraying digits. Small wireless microchips--often called radio frequency identification, or RFID, tags--reside in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers.
Once linked to our names--when we make credit card purchases, for instance--these microchips enable us to be tracked without our realizing it. One popular book inflames imaginations with the lurid title, "Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID."
But wireless microchips also highlight the futility of anonymity protections. To begin with, concerns about RFID tracking miss the forest for the trees. After all, mobile phones are ubiquitous and can be tracked at much longer ranges than standalone chips. Many people have GPS receivers in their phones and are signing up for location-based services, voluntarily (if selectively) disclosing their movements. There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.
Many scientists (including me) have developed antitracking techniques for mobile phones and microchips. Instead of fixed serial numbers, wireless devices can call out changing pseudonyms, such as the rotating license plate numbers on spies' cars in the movies. The problem is that the plates may change, but the car always looks the same. In this regard, chips are like cars.
Using a data backup program helps recover lost data but can also help get a stolen laptop back--if you're lucky.
A Berkeley, Calif., man recently recovered his stolen laptop after seeing photos the thief took of himself with the built-in camera via his Internet-based data backup program.
That's according to a police officer's article in an e-mail newsletter from Berkeley City Councilmember Susan Wengraf that was posted to the Web by open-source advocate Bruce Perens.
It all started on May 5, when the victim left his laptop in the back seat of his car (tsk tsk). Two hours later, the thief smashed the car window and grabbed the computer. It's not clear what else was done with the laptop, but the big break in the case came when the laptop owner later spotted the self-portrait photos of the thief on the storage service Web site.
Detectives working the case were shown the photos and recognized the man, who had been released from jail earlier in the year. They noticed that in the photos he appeared to be in a motel room and began trying to track down the IP address used by the laptop hoping that it would lead to the motel.
Before that could be accomplished, however, the detectives spotted the man getting into a car in a motel parking lot in Oakland and arrested him. In his car and the motel room they found the laptop along with stolen property from other auto burglaries.
Case solved.
This post was updated at 2:16 p.m. PDT with comment from an outside database security software vendor.
Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday.
At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.
The attackers accessed a public Web site and from there got into additional secured databases stored on the same server. In addition to SSNs, the databases contained health insurance information and non-treatment medical information, such as immunization records and names of doctors patients had seen. No medical records (i.e. patient diagnoses, treatments, and therapies) were taken, as they are stored in a separate system, emphasized Steve Lustig, associate vice chancellor for health and human services.
"Their ID has not been stolen," he added. "Some data has been stolen."
The server breach began on October 9, 2008, and continued through April 9, when a campus computer administrator doing routine maintenance discovered messages left by the attackers. Logs indicate that the hacks originated from overseas, "primarily in the Asian theater," Waggener said, later specifying traces to China.
While campus police and the FBI were immediately notified of the breach, it wasn't until April 21, Waggener said, that officials learned data had been stolen. Since then, the focus of the investigation has been figuring out what was taken and who is at risk. The hackers' specific techniques are still being determined as part of the ongoing criminal investigation, he said.
From the looks of it, however, Slavik Markovich, CTO of outside database security software vendor Sentrigo, suspects an SQL injection, in which malicious input is slipped into the queries sent to the database that feeds information to the Web site. Markovich also questions whether the university had appropriate monitoring tools in place, given that the hack went unnoticed for six months, and why it hosted data with different levels of sensitivity on the same server.
The university started notifying the 160,000 people at risk via e-mail and snail mail on Friday. Victims include an assortment of current and former Berkeley students--as well as their parents or spouses, if linked to insurance coverage--who had University Health Services health care coverage or received services. Also included are 3,400 students of Mills College in Oakland, Calif., which contracts with the university for health services.
The university has warned those affected to put a fraud alert on their credit reporting accounts. It has also set up a Web site and hotline to help the victims.
In 2005, a PC was stolen from a Berkeley graduate admission office that held sensitive data on some 98,000 people, stretching back three decades. And the university has dealt with viruses and the like, Waggener said. But this was the first such server breach.
With this, Waggener said, Berkeley joins a long list of prestigious institutions suffering from such increasingly sophisticated and malicious attacks. "We're defending against attacks from around the world," he said.
Correction 2:19 p.m. PDT: An earlier version of this story and its headline significantly mischaracterized a key metric used in the IC3 report. The overall finding of the report was that complaints regarding Internet-related crimes rose 33 percent in 2008.
Complaints of Internet-related crimes soared 33 percent last year, countering two years of consecutive declines, according to a report released Monday by the Internet Crime Complaint Center (IC3).
The IC3 Web site received 275,284 complaints last year, up from 206,884 the previous year. The organization referred 72,940 of those 2008 complaints to federal, state, and local law enforcement agencies. The IC3 is a partnership among the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance.
Referred complaints, which ranged from online auction fraud to identity theft to non-delivery of goods purchased online, cost consumers about $264.6 million last year, with the median dollar loss reaching $931 per complaint, according to the report. In 2007, the losses were less: $239.1 million.
(Credit: Internet Crime Complaint Center)
As far as complaint categories of Internet crimes, non-delivered merchandise after sending a payment or delivering the goods but never receiving a payment, were at the top of the list, according to the report. Of all complaints received, 32.9 percent were related to this offense.
Internet auction fraud accounted for 25.5 percent of the complaints, while credit card and debit card fraud made up 9 percent, according to the report.
(Credit: Internet Crime Complaint Center)
Even though complaints of crimes involving non-delivered goods occurred the most, that category didn't hit consumers in the pocketbook like check fraud, which carried a median loss of $3,000.
And the most common means to engage in an Internet crime was e-mail, the report noted. In 74 percent of the reported crimes, e-mail was used, followed by Web pages in nearly 29 percent of the cases.
More than 10 million Internet users worldwide were hit with identity fraud-related malware last year, according to a new estimate from Panda Security.
The number of computers infected with active programs designed to steal personally identifiable or financial information that can be used for identity fraud, such as banker Trojans for stealing bank account information, rose by 800 percent from the first half of the year to the second half, the study found.
Of the 67 million computers that PandaLabs analyzed in 2008 for the study, 35 percent of those infected had up-to-date antivirus software installed. The number of users who have been actively exposed to identity fraud malware is about 1 percent of the worldwide population of Internet users, according to the study.
The researchers predict that the infection rate will increase by 336 percent per month throughout this year, based on the trend of the previous 14 months.
Researchers predict that the infection rate will increase by 336 percent per month throughout this year.
(Credit: Panda Security)
About 7.5 percent of U.S. adults lost money as a result of financial fraud last year, mostly due to data breaches, according to a new Gartner study to be released on Tuesday night.
In the survey of nearly 5,000 consumers, 70 percent said they had never been a victim of identity theft fraud. Meanwhile 14 percent said they had had their credit card information used to charge purchases or get money, 7 percent said their debit card was used, 6 percent said a new account had been opened in their name, 5 percent had money transferred out of their account, and 4 percent had had checks forged.
Recovering losses was easier for people victimized by brokerage, credit card, and debit card account fraud compared to victims of new loan account fraud, check forgery, and checking/savings account fraud, partly because victims didn't try to recover money.
Of those who had new accounts opened in their name, 35 percent suffered from a damaged credit rating and slightly more than half were able to restore their rating, usually in less than one month. For about 20 percent it took more than a year, and for 9 percent it took three to five years, the survey found.
Overall, less than one-third of the victims reported the crimes to law enforcement and about 5 percent reported it to the U.S. Federal Trade Commission.
Not only do many victims not report the crime, but many of the crimes go unprosecuted. There were only 564 convictions made for about 800 identity-theft-related fraud cases in 2007, according to the National Institute of Justice's Electronic Crime Program, a part of the U.S. Justice Department.
"The chances of a criminal getting arrested and convicted for identity theft-related fraud are much less than a half of 1 percent," the study said.
Not surprisingly, the survey found that financial fraud victims were twice as likely to change their behavior as a result of security incidents as the average consumer. Many of them opt to use PayPal because they believe it is more secure, the survey found.
The study also looked at why people switch banks and concluded that security and financial health of a bank were of about equal importance to consumers, said Gartner analyst Avivah Litan.
Six percent said they changed banks as a result of their security concerns, compared to 5 percent who cited concerns regarding the financial health of their banks. Twenty-eight percent said they switched banks after being victims of checking/savings account transfer fraud, and 21 percent cited excessive fees.
A recent FTC study found that identity theft was by far the biggest complaint to the agency, representing 26 percent of total problems reported.
Much financial fraud occurs from data breaches at merchants and other service sites.
(Credit: Gartner)