Security

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24to clarify that Bluetooth is not being considered for authentication.

Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.

The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.

Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.

T-Mobile workers sold personal data on thousands of customers to third parties who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.

T-Mobile notified England's Information Commission, the watchdog agency responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.

Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.

It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)

Last month an outage with T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.

And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages and access voice messages for part of a day. The outage was due to a software error in the back end system that generated abnormal congestion on the network, the company said in a statement.

If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.

Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.

And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.

Here is some basic information that can help people avoid being tricked by phishing attacks.

What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.

Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.

Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.

What are other recent examples of phishing attacks?

• A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"

• E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.

• E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

• A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.

What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S. so they often have misspellings and grammatical errors. Some have an urgent tone and they seek sensitive information that legitimate companies don't typically ask for via e-mail.

What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S. so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.

The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.

Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing emails typically offer generic greetings, like "Dear PayPal customer."

Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address on the bottom of most Web browsers.

In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.

If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.

Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.

How can phishing attacks be avoided?

• Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.

• If an e-mail looks reasonable contact the company directly if you receive an e-mail asking you to verify information. Type the address of the company into the address bar directly rather than click on a link. Or call them, but don't use any phone number provided in the e-mail.

• Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.

• Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.

• Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.

• Make sure you are using a secure Web site when submitting financial and sensitive information.

• Change passwords frequently. Don't use the same password on multiple sites.

• Regularly log into online accounts to monitor the activity and check statements.

• Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.

(My colleague Larry Magid has more tips and a podcast interview with Symantec on avoiding phishing attacks.)

What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.

Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.

Here are additional resources.

http://apwg.org/consumer_recs.html

http://www.irs.gov/newsroom/article/0,,id=154848,00.html

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

Major countries and nation-states are engaged in a "Cyber Cold War," amassing cyberweapons, conducting espionage, and testing networks in preparation for using the Internet to conduct war, according to a new report to be released on Tuesday by McAfee.

In particular, countries gearing up for cyberoffensives are the U.S., Israel, Russia, China, and France, the says the report, compiled by former White House Homeland Security adviser Paul Kurtz and based on interviews with more than 20 experts in international relations, national security and Internet security.

"We don't believe we've seen cases of cyberwarfare," said Dmitri Alperovitch, vice president of threat research at McAfee. "Nations have been reluctant to use those capabilities because of the likelihood that [a big cyberattack] could do harm to their own country. The world is so interconnected these days."

Threats of cyberwarfare have been hyped for decades. There have been unauthorized penetrations into government systems since the early ARPANET days and it has long been known that the U.S. critical infrastructure is vulnerable.

However, experts are putting dots together and seeing patterns that indicate that there is increasing intelligence gathering and building of sophisticated cyberattack capabilities, according to the report titled "Virtually Here: The Age of Cyber Warfare."

"While we have not yet seen a 'hot' cyberwar between major powers, the efforts of nation-states to build increasingly sophisticated cyberattack capabilities, and in some cases demonstrate a willingness to use them, suggest that a 'Cyber Cold War' may have already begun," the report says.

Because pinpointing the source of cyberattacks is usually difficult if not impossible, the motivations can only be speculated upon, making the whole cyberwar debate an intellectual exercise at this point. But the report offers some theories.

For instance, Alperovitch speculates that the July 4 attacks denial-of-service on Web sites in the U.S. and South Korea could have been a test by an foreign entity to see if flooding South Korean networks and the transcontinental communications between the U.S. and South Korea would disrupt the ability of the U.S. military in South Korea to communicate with military leaders in Washington, D.C., and the Pacific Command in Hawaii.

"The ability of the North Koreans to disable cybercommunications between the U.S. and South Korea would give them a huge strategic advantage" if they were to attack South Korea, he said.

There have been earlier attacks that smack of cyberwarfare too. Estonian government and commercial sites suffered debilitating denial-of-service attacks in 2007, and last year sites in Georgia were attacked during the South Ossetia war, orchestrated by civilian attackers, the report says.

The report concludes that if we aren't seeing it already, cyberwarfare will be a reality soon enough.

"Over the next 20 to 30 years, cyberattacks will increasingly become a component of war," William Crowell, a former NSA deputy director, is quoted as saying. "What I can't foresee is whether networks will be so pervasive and unprotected that cyberwar operations will stand alone."

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.

RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.

The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.

Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.

The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.

The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.

"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.

Here's how the scams work. Criminals get credit card numbers through phishing, Trojan attacks, and hacking databases, like that of Heartland Payment Systems and RBS WorldPay. They use the information to make online purchases of items, typically electronics goods that they can resell at a high profit and typically purchased in the U.S., where they are cheaper.

The criminals recruit U.S. residents to receive and re-ship the goods out. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.

To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.

"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.

More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.

Updated 1:49 p.m. PST to clarify that Gmail issue was fixed and any attack would be theoretically possible but extremely difficult to accomplish.

A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.

The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview on Wednesday. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."

By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.

For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.

Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable." (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. Flash payload could "theoretically" still be executed, but it would be incredibly difficult to do, Baily wrote in his post.)

Adobe has known about the issue for a while but says it can't fix it or risk breaking a lot of existing Flash content and applications around the Web, he said.

Administrators make configuration changes to each Web site to mitigate the risk, Bailey said.

Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.

Asked to comment, an Adobe representative provided this statement:

"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list and on a blog.

"Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS [NetBIOS Naming Service] tricks," Gaffié wrote.

Gaffié also posted proof-of-concept code for the "Windows 7, Server 2008R2 Remote Kernel Crash."

On Tuesday, Microsoft issued six patches to fix 15 vulnerabilities, including a critical hole in the Windows kernel, as part of November's Patch Tuesday.