This week brought some bad news for mobile phone users. German security expert Karsten Nohl showed how easy it is to eavesdrop on GSM-based (Global System for Mobile Communications) cell phones, including those used by AT&T and T-Mobile customers in the U.S.
Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines last year publicizing weaknesses in wireless smart card chips used in transit systems around the globe.
Karsten Nohl
(Credit: Kingsley Liu)CNET interviewed Nohl via e-mail on Thursday about his latest work and what the implications are for the more than 3 billion GSM mobile phones worldwide, representing about 80 percent of the market, according to the GSM Alliance.
Q: You made quite a splash at the Chaos Communication Congress hacker conference in Berlin this week. What happened?
Nohl: We showed that GSM, the widely used cell phone standard, is insecure, and explained how your neighbor might already be listening in on your calls. After GSM's security was declared outdated several times before, we were the first to make tools available for people to verify its insecurities.
Q: In August you launched an open-source, distributed computing project designed to crack GSM encryption and compile it into a code book that can be used to eavesdrop on calls. Is this week's announcement related to that?
Nohl: Yes, at the conference a code book was released--a data set previously only available to well-funded organizations. This code book has been computed in just a few months thanks to many volunteers on the Internet.
Q: And this is to determine the key used to encrypt GSM communications, right?
Nohl: That's correct. The code book reveals the encryption key of a call.
Q: What is the problem with the GSM encryption technology exactly?
Nohl: GSM's A5/1 encryption function uses a 64-bit key that is too short to withstand the computing power available today. When the algorithm was designed 20 years ago when CPU [central processing unit] cycles and storage were much more expensive, it must have seemed a lot more secure. However, the A5/1 function should have been replaced years ago when researchers first discussed practical attacks.
Q: What does this mean for users of GSM phones? What is the real-world threat?
Nohl: Cell phone calls can be intercepted--not just since this week, but more cheaply every month. Sensitive information, say, from politicians, can be overheard from, say, foreign embassies. Others willing to cross the line into illegality and listen in on a call could be industry spies or even private snoops.
Q: Exactly how would someone use this technology to spy on mobile phone conversations?
Nohl: You record a call and then decrypt it. Recording requires some advanced radio equipment, which can be as cheap as the $1,500 suggested retail price [Universal Software Radio Peripheral] device. One direction of a call can potentially be intercepted from a kilometer away while catching both directions requires the eavesdropper to be in the vicinity of the victim. Decryption is then done using the code book the community produced.
Q: What should people do to protect themselves against this?
Nohl: In the short-term, there is not much users can do to protect themselves other than being aware of the threat and keeping their most confidential calls and text messages off the GSM network. To improve GSM security in the long run, customers should go to their operators and create demand for improvements.
Q: What are the practical implications of your work? In other words, does your research make it cheaper and easier to eavesdrop and if so, how much cheaper and how much faster to crack the encryption? (One expert had estimated that the code book would let someone crack the code in hours now instead of taking weeks.)
Nohl: Our results don't necessarily make decryption faster; current commercial interceptors decrypt within seconds, often faster than the time a user takes to answer the call. Our project makes the technical background of these systems more accessible and aims to inform about the fact that GSM intercept is widespread. As a side effect, interception might become cheaper, too.
Q: What exactly does someone need to eavesdrop? (In other words, the code book/tables, antennas, special software, and $30,000 worth of hardware?)
Nohl: The more you spend on hardware, the faster you can decrypt calls. Two USRP radios, a beefy gaming computer, and a handful of USB sticks can already decrypt many calls. For $30,000 you can build a sub-minute decryptor.
Q: I understand it is illegal to intercept mobile phone calls in the U.S. and many other countries. Is what you did legal?
Nohl: Intercepting the phone calls of others should be illegal everywhere, and we do not plan to do that. Our research instead exposes that nothing in GSM is keeping criminals away from doing illegal intercepts. Fortunately, such security research is still legal.
Q: What did you do to make sure you have good legal standing? Did you consult with the Electronic Frontier Foundation?
Nohl: The EFF indeed helped us understand the legal implications of researching GSM technology.
Q: Have you been in touch with the GSM Alliance or any other pertinent entities?
Nohl: We have not yet been able to start a discourse with the GSMA. Through the press, though, we hear that a GSMA meeting in February might decide to ramp up upgrade efforts toward A5/3, the better encryption function. That would be great!
Q: Why did you do this research and public disclosure?
Nohl: We aim to make users of GSM aware that the GSM cannot be fully trusted. After other researchers have called a hack [questioned the security] of GSM for many years, we thought it was time to go one step further and provide tools for customers to "try at home" how insecure GSM's current encryption function is.
Q: Can the tables be used against the A5/3, the successor to A5/1? What is the difference between the two crypto standards?
Nohl: Fortunately, we cannot crack A5/3. This newer encryption is used in 3G networks and is currently considered a security patch for GSM networks. So there is [hope].
Q: What should mobile phone operators or carriers do about this?
Nohl: Carriers should now do the security patch that is overdue 15 years by upgrading to a new encryption function. I suspect they will only do so if customer demand is significant. Hopefully the customers will make it clear to their provider that they want 21st century security for their phone calls.
(Credit:
RockYou)
An Indiana man filed a lawsuit against RockYou this week alleging that the provider of social-networking apps failed to secure its network and protect customer data, enabling a hacker to grab passwords of 32 million users earlier this month.
The suit seeking class action status was filed Monday in U.S. District Court in San Francisco by lawyers for Alan Claridge, of Evansville, Ind., who registered with RockYou in August 2008 to use a photo-sharing application. RockYou is a publisher and developer of online apps and services like "SuperWall" on Facebook and "Slideshow" on MySpace.
Claridge said he received an e-mail from RockYou on December 16 informing him that his sensitive, personally identifiable information, including e-mail address and password, may have been compromised in a security breach, according to the suit.
Security firm Imperva notified RockYou on December 4 that it had learned of a breach of RockYou's network from underground hacker forums. RockYou had been hit with a common type of exploit known as a SQL injection flaw that targets information stored in databases and hackers were regularly discussing the fact that the hole at RockYou was being exploited, the lawsuit said.
After being informed of the breach, RockYou admitted that customer data had been stored in an unencrypted database.
The suit claims RockYou failed to protect sensitive user data including e-mail addresses, passwords, and login credentials for social-networking sites like Facebook and MySpace and was negligent in storing data in plaintext.
"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit alleges.
"Because a majority of Internet users utilize identical passwords across a wide range of Web sites, gaining access to a user's e-mail account name and password has a high likelihood of providing access to a user's personal and/or work e-mail account," the suit said.
RockYou also took at least one day to take action to fix the problem, and failed to notify customers of the breach in a reasonable time frame, not posting notice on its Web site or warning customers for 10 to 12 days after it was notified, the lawsuit alleges.
Wendy Zaas, a spokeswoman for Redwood City, Calif.-based RockYou, provided this statement when asked for comment on the lawsuit: "RockYou is aware of the class action suit brought by Alan Claridge and plans to defend itself vigorously. The company takes its users' privacy seriously."
The lawsuit includes nine counts including negligence, breach of contract, violation of California's Computer Crime Law, and California's Security Breach Information Act, among other allegations. It asks the court to order RockYou to protect customer data and seeks unspecified damages.
The suit was first reported by Wired. Com.
John Hering, co-founder and chief executive of Lookout
(Credit: James Martin/CNET )SAN FRANCISCO--In July, John Hering and Kevin Mahaffey demonstrated an SMS attack targeting a variety of smartphones at a security show. This week they are launching a company, with backing from some heavyweight investors, that will offer a fix for that problem, as well as protect smartphones from many other security issues.
Lookout has received $5.5 million in Series A funding from Khosla Ventures, Trilogy Partnership, and angel investors including Phil Paul, founder of Paul Capital Partners; Chris Sacca, former head of special initiatives at Google; and Joseph Ansanelli, former chief executive of Vontu.
Lookout is a cross-platform, Internet-connected application that offers advanced security and backup services, as well as the ability to locate devices that go missing or get stolen, and over-the-air management capabilities. The service is currently in private beta in more than 170 countries across 400 mobile networks, Hering, Lookout's chief executive, said in an interview.
It will be offered publicly on a subscription basis in early 2010 and an enterprise version will come later in 2010 or early 2011, he said. Pricing will be announced later.
Hering, Mahaffey, and the third co-founder, James Burgess, all met while attending the University of Southern California, and have honed their skills in the mobile space over the past five years, initially calling the company Flexilis.
They conducted research, helped handset makers with diagnostic tools, and discovered vulnerabilities in mobile devices and software--including uncovering a serious hole in the iPhone's implementation of Bluetooth in 2007 and hitting a world record by hacking a mobile phone from more than a mile away via Bluetooth in 2004.
With the funding and name change comes a move to San Francisco from Orange County in Southern California. The twentysomething executives were busy interviewing prospective employees in their sparse, new offices in the South of Market area in San Francisco. They have taken over part of the offices formerly occupied by Twitter.
"Hopefully, the Twitter luck will rub off on us," Hering said, as he gave a tour of the digs.
Lookout works on all the major smartphone platforms.
(Credit: James Martin/CNET )The Lookout software is downloaded to the device and gets updates and backs up data in real-time via Lookout servers in the cloud. Antivirus and firewall software protects against electronic threats such as hackers, malware, and spyware. A dashboard allows for easy management of multiple devices.
Security veterans like Symantec and McAfee, as well as a host of smaller companies, are quickly moving into the mobile security space. But Hering isn't worried.
"Other companies offer a more PC-based approach," he said. "We're protecting the device and data, and we're multi-platform."
Lookout silently blocks malware in the background, but particularly serious threats prompt a notification to the user. The software also will protect against bad or unauthorized apps that might be downloaded, and attacks attempted via Wi-Fi or Bluetooth.
The missing device locator function will most definitely attract attention. If the device is lost, the owner can use the Web app to make it "scream," and a truly obnoxiously loud siren will sound that will annoy everyone within earshot. If the device is set to silent or mute mode, the scream feature overrides that.
For people who think their device may have been stolen and want to track it down, there is a nifty way to trace it via an online map. Device owners can pull up the Find My Device Web app to see the approximate location of the device on a map, and either lock the device so no one can use it or access the data, or wipe the data entirely. If the device is recovered, the data is easily restored. A combination of Global Positioning System, cell tower, and Wi-Fi technology is used to track the devices.
For backup and recovery purposes, the data and settings on the device can be set to what they were at any point of time in the past, and data can be transferred to other devices.
As phones become increasingly powerful computers and storage devices that accompany users everywhere, they become even more attractive targets for attackers and thieves.
"Smartphones are the next computing platform," Hering said. "Ultimately, I think this will be the primary platform. It's in my pocket, and goes everywhere with me. There are not many computing devices that have that power and personal connection."
Chief Technology Officer Kevin Mahaffey and Chief Executive John Hering, co-founders of mobile security firm Lookout, which now occupies the former offices of Twitter in San Francisco.
(Credit: James Martin/CNET )You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.
Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.
However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.
Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.
A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.
"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications, he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."
Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.
That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.
As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.
Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.
Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.
The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.
Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.
The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.
Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.
Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.
Updated December 21: to clarify in paragraphs one and four that Adobe Reader specifically is ranked second in vulnerabilities, followed by Microsoft Office, and that Internet Explorer alone had 30 vulnerabilities.
Adobe on January 12 will patch a critical hole in Reader and Acrobat that is being exploited in attacks. That date is the company's next scheduled quarterly security update release.
The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer.
Malicious Adobe Acrobat PDF files are distributed via an e-mail attachment that, when opened, executes a Trojan that targets Windows systems, according to Symantec. The rate of infection is extremely limited and the risk assessment level is very low, the company said.
Adobe decided to issue the patch in cycle in about four weeks rather than work on an earlier patch release because that would take between two and three weeks to deliver and would put the regular quarterly update off schedule, the company said in a blog post.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010," Adobe's Brad Arkin wrote.
In the meantime, customers can use a new JavaScript Blacklist mitigation feature that allows for easy disabling of JavaScript, Arkin said.
"Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of [releasing the patch in cycle] to better align with their schedules," he wrote.
Meanwhile, Webroot analyzed the payload of the malware and found that it installs three files that look like Windows system files that are digitally signed with a forged Microsoft certificate. Unlike legitimate Microsoft-signed certificates, these lack an e-mail address and a time stamp, the company said in a blog post.
"Authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way," writes Webroot researcher Andrew Brandt. "It's not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good."
Updated 3:50 p.m. PST with Webroot finding forged Microsoft certificates in the malware.
This Google Doodle featuring the Esperanto flag was exploited by scammers to spread malware, according to Barracuda Networks.
(Credit: Google)Online scammers are taking advantage of the public's interest in the Google Doodle to spread malware, a security firm warned on Tuesday.
In so-called "SEO poisoning," scammers use search engine optimization techniques to increase the distribution of malware. They create special malware-rigged Web sites or hide malware on legitimate Web sites they've compromised and then use tags associated with popular search terms to get them listed high up in search engine results.
Typically, scammers capitalize on public interest in news events or celebrities, targeting searches like "Swine Flu" or "Michael Jackson death." But in the latest twist on this technique, scammers are exploiting interest in the Google Doodle, the graphics that often take over the Google logo on holidays or to mark special events.
For instance, the doodle on Tuesday showed a flag for Esperanto, a universal language created by L.L. Zamenhof which is based on parts from a variety of languages. Clicking on the doodle, located near the search box, brings up a list of search terms for "L.L. Zamenhof."
Dave Michmerhuizen, a research scientist at Barracuda Networks, found 31 poisoned sites among the first 100 results, 27 of them in the first 50 sites alone.
On the first results page was a link leading to a compromised Web site that redirects visitors to a fake antivirus site, according to Michmerhuizen. That site displays a fake alert saying the computer might be infected and does a fake scan before prompting the user to pay for antivirus software, he said.
A Google spokesperson said the company had already removed many of the allegedly malicious sites from the index using manual and automated processes to enforce the policies.
"As you probably know, the use of popular search terms to target malware is neither a new vector nor unique to any particular search engine. We work hard to protect our users from malware, and using any Google product to serve malware is a violation of our product policies," the spokesperson said in an e-mail.
"Our Safe Browsing technology is capable of detecting malware being served from sites that have been compromised," the Google e-mail said. "In fact, as we've explained publicly, we have been seeing more infections coming from compromised sites" across the entire Web.
The compromised site on the Google Doodle-related search results page leads to a site selling fake anti-virus.
(Credit: Barracuda Networks)Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.
The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.
Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.
The rate of infection is extremely limited and the risk assessment level is very low, according to Symantec.
The exploit has been in the wild since at least last Friday, according to the Shadow Server blog.
"Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable," the post says. "We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad."
The vulnerability is in a JavaScript function within Adobe Acrobat Reader itself, the Shadow Server post says, before advising users to disable JavaScript.
Adobe posted a security advisory late on Tuesday saying that it had confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could crash the system and allow an attacker to take control of the computer.
Affected software is Reader 9.2 and earlier for Windows, Macintosh, and Unix, and Acrobat 9.2 and earlier for Windows and Macintosh, Adobe said. The company recommended disabling JavaScript to protect the system.
Adobe had said on Monday night that it was investigating reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.
Adobe has increasingly had to deal with holes in and exploits targeting its popular software. Adobe issued updates in October that fixed nearly 30 holes in Reader and Acrobat 9.2. Earlier that month, Trend Micro reported on a zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat.
In July, Adobe warned of attacks in which malicious PDF files were exploiting a vulnerability in Flash. And in April a new Reader hole emerged after Adobe fixed a two-month-old critical vulnerability in Adobe Reader 9 and Acrobat 9.
Updated 5:10 p.m. PST with Adobe confirming vulnerability.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
A lawsuit filed against Heartland Payment Systems over what is believed to be the biggest data breach in U.S. history has been dismissed.
The lawsuit was filed in January against Heartland by shareholders who alleged that Heartland failed to adequately safeguard the compromised consumer data and did not notify consumers about the breach in a timely manner as required by law.
The U.S. District Court for the District of New Jersey granted Heartland's motion to dismiss the lawsuit on Monday, Heartland said in a statement on Wednesday. The court said the plaintiffs had not proved their allegations that Heartland executives knew the company had inadequate security and misled the public about it, according to a report on StorefrontBacktalk.
Heartland had disclosed the breach January 20, the day of President Obama's inauguration. The breach occurred last year but company officials said they found evidence of the intrusion the week before the announcement and immediately notified law enforcement and credit card companies.
