Citigroup denies it, but its Citibank unit was reportedly robbed of tens of millions of dollars, the victim of a cyberattack by members of a Russian criminal gang, says Tuesday's Wall Street Journal (subscription required).
The attack was discovered this past summer, says the Journal, but investigators for the FBI and National Security Agency believe it could have happened months or a year prior. The two agencies have reportedly shared information with the Department of Homeland Security and Citigroup to defend against the attack. The investigation is supposedly ongoing, with no word on whether or not any of the stolen money has been found.
Investigators initially became suspicious after spotting traffic coming from IP addresses once used by the Russian Business Network, a Russian gang of cybercriminals who went off the radar back in 2007, notes the Journal. But reports have surfaced that members of the gang have since regrouped to launch a wave of new attacks.
One of the tools allegedly used by the hackers to break into Citibank was Black Energy, says the Journal, a $40 piece of software that launches Distributed Denial of Service (DDoS) attacks to prevent access to a specific Web site. Designed by a Russian hacker, Black Energy is commonly sold on certain Russian language forums. But Black Energy is now being sold as part of a $700 kit called the YES Exploit System. The kit includes other crimeware that steals bank account credentials, making it an especially dangerous threat to firms like Citibank.
But Citigroup denies that such an attack ever took place. In a prepared statement e-mailed to CNET, Citigroup said: "Allegations of a breach of Citi systems and associated losses are false. Denial-of-service attacks are directed against companies around the world. While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi."
A company spokesperson further denied any involvement from the FBI. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."
Phone calls to the FBI and NSA were not returned.
New cybersecurity chief Howard Schmidt
(Credit: The White House)
The White House's new cybersecurity chief faces a tough agenda, but will be able to draw on the lessons of a 40-year career, including stints at Microsoft and eBay.
Former security adviser Howard Schmidt is returning to the White House as President Obama's new cybersecurity coordinator, the White House announced Tuesday.
In his new role, Schmidt will report to the National Security Council. Schmidt will also "have regular access to the president," said an official who spoke to The New York Times.
Earlier this year, President Obama initiated a review of the government's cybersecurity policies in an effort to streamline operations. Turf wars among various agencies and a perceived weakness in the Department of Homeland Security had raised red flags, prompting the president to declare that the country was not adequately prepared on the cybersecurity front.
Following that review, the White House identified a need for a new cybersecurity chief, then plunged into a tricky, months-long process that now brings Schmidt back to public service.
President Barack Obama greets his new White House cybersecurity chief Howard A. Schmidt in the Cross Hall of the White House.
(Credit: Official White House Photo by Lawrence Jackson)
In a recorded speech introducing himself, Schmidt said he sees information technology as offering great opportunities but also great dangers to national security, public safety, economic competitiveness, and personal privacy. As dependence on technology increases, he said, the need to protect our security and privacy also increases.
As such, Schmidt said that the president has directed him to focus on several key areas:
- developing a new and comprehensive strategy to secure U.S. networks to ensure an organized response to future cyber incidents;
- beefing up both public and private partnerships in the U.S. and abroad;
- promoting research and development of next-generation technologies;
- leading a national campaign to promote cybersecurity, awareness, and education.
Acknowledging that Washington can't solve cybersecurity problems on its own, Schmidt said his agenda is to bring together the government, the private sector, and other stakeholders as part of a new and comprehensive cyberstrategy to strengthen online defenses.
Following Schmidt's appointment, a variety of security analysts offered their thoughts.
In a Tuesday blog post, Randy Abrams of security vendor ESET said that Schmidt is very smart and personable, possessing a depth of knowledge and experience that makes him one of the best possible candidates for the job. But Abrams cautioned people not to expect miracles or fast changes as Schmidt will face huge obstacles trying to coordinate security across different government agencies, most of which have people who think their way is the only way to do things.
Phillip Dunkelberger, president and CEO of security vendor PGP, where Schmidt serves on the board of directors, said: "Howard's familiarity with public sector, private sector, large vendors and small innovative companies should be a great asset to this unique position; one that will just expand as our nation's dependency on cyber communications continues to grow." He also stressed that Schmidt will need to jump in quickly and form a solid working relationship with the Department of Defense and with the federal government's chief information officer, Vivek Kundra, and chief technology officer, Aneesh Chopra.
Schmidt brings to his new post a lengthy resume of government service, with a particular niche in computer crimes and forensics. Early in his career, he worked for the FBI's National Drug Intelligence Center, where he ran the Computer Exploitation Team. He also was a special agent and program director for the Air Force, where he set up one of the government's first dedicated computer forensic labs.
His new post will be Schmidt's second stint at the White House. In December 2001, just after the 9/11 attacks, he was appointed vice chairman for President Bush's Critical Infrastructure Protection Board and deputy to former White House cybersecurity czar Richard Clarke. Schmidt left his post in February 2003 to return to the private sector. During his tenure with the Bush administration, he helped create a new cybersecurity plan, which at the time was criticized as being too watered down, a charge that Schmidt disputed.
In the private sector, Schmidt served as chief security officer for Microsoft from 1997 to 2001 before joining the White House. After leaving his government post, he joined eBay in 2003 as vice president for security.
More recently, Schmidt was the president and CEO of the Information Security Forum, an international nonprofit organization that focuses on risks and research in the cyberworld.
Updated December 23, 4:00 a.m. PST with comments from security analysts.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
The folks who run Amazon's EC2 cloud service must be happy the week is nearly over.
The cloud-based EC2 (Elastic Compute Cloud) was kept jumping this past week by two incidents: a compromised internal service that triggered a botnet, and a data center power failure in Virginia.
On Wednesday, security researchers for CA found that a variant of the infamous password-stealing Zeus banking Trojan had infected client computers after hackers were able to compromise a site on EC2 and use it as their own C&C (command and control) operation.
Don DeBolt, Director of Threat Research for CA Internet Security Business Unit, told CNET that the botnet first came to light while his firm was reviewing spam and found one with a URL for a piece of malware called xmas2.exe, described in a blog. After examining the file, DeBolt discovered it was a variant of the Zeus bot that was calling home to a computer inside Amazon Web Services, which houses EC2.
As a keylogger, Zeus is known to specifically capture bank account information, noted DeBolt, and was trying to perform the same crime in this case. The bot was also attempting to report the IP addresses of any clients that were infected via spam. The cybercrooks reportedly snuck their way into EC2 by gaining access through a site hosted on Amazon's service.
Once the bot was discovered, DeBolt and his team contacted Amazon to provide all the information from their client-based analysis. Since then, the files that were serving up the botnet on Amazon's side are no longer active.
Cloud computing and virtualization are just two technologies that cybercriminals are anxious to exploit, forecasts a report released Wednesday by security vendor Trend Micro.
The year ahead offers new opportunities for cybercrooks as they hunt for more targets and new challenges as people try to protect themselves, says Trend Micro's 2010 Future Threat Report (PDF).
Cloud computing and virtualization can be cost effective. But since they're beyond the confines of a company's own firewall, they could be potentially open areas for cybercriminals to attack. October's Sidekick data outage highlighted the vulnerabilities of the cloud, which cybercrooks are likely to abuse, according to Trend Micro.
Social networks have proved to be an appealing area for bad guys, a shift that Trend Micro thinks will increase through the use of social engineering. Cybercrooks will try to enter people's communities and circles of friends at sites like Facebook in an attempt to steal personal information.
Malware outbreaks will shift from the global landscape to more local, targeted attacks, similar to the strategy employed by Conficker, which Trend Micro calls a "carefully orchestrated and architected attack."
Trend Micro also believes the move toward international domain names orchestrated by ICANN will open up the playing field for more phishing attacks as crooks create look-alike domain names using the Cyrillic alphabet instead of Latin characters.
A few other trends for 2010 and beyond to keep us all on the alert:
- Windows 7 will have an impact since it is less secure than Vista in the default configuration (presumably because User Account Control (UAC) in Win 7 is not set to its most restrictive level by default).
- Drive-by infections are the norm--one Web visit is enough to get infected.
- Malware is changing its shape--every few hours.
To protect yourself, Trend Micro dispenses the usual advice we've all heard before. But it bears repeating--keep your PC patched and updated, don't click on strange e-mail attachments, make sure the online stores you shop at are secure (https vs http), and don't use the same password for all Web sites.
A couple of years ago, I wrote a post running down the best places to store your files online. Of the six that I covered, two have since closed up shop and one has changed its name.
It's a constantly changing space. Since then, we have seen a lot of new entrants into the online file storage and backup game. Norton Online Backup is a fairly new product that is getting a very strong upgrade Wednesday with version 2.0 of its product. The new version includes support for Mac and Windows, 90-day file versioning, and the ability to send file download links via e-mail.
Norton Online Backup's home page allows the user to see the status of every machine on their account.
(Credit: Screenshot by Harrison Hoffman/CNET)
Norton has put together a very solid offering with version 2.0 of Norton Online Backup. It is introducing support for Intel-based Mac for the first time with this release. This is huge, especially when the company is trying to offer a solution for the whole household. Where most other online storage or backup services focus on serving one user, Norton has placed the focus on protecting the whole family or household. When you buy a year of the service, you are allowed to manage and back up up to five computers on your account. Jeff Kyle, a group product manager for the product, said that support for Ubuntu should be coming around March.
File versioning is a welcome addition to Norton Online Backup. This allows you to see previous versions of backed-up files for up to 90 days. This means that if you accidentally make changes that you don't want anymore, then you can just go back to the previous version. This is similar to the functionality that Apple offers with Time Machine.
Additionally, Norton Online Backup 2.0 allows you to send files via e-mails. You can select multiple files to be sent, and they will be presented to the recipient on an easy-to-use landing page. You can even password protect these files or control how long they are available for download.
Norton Online Backup's landing page for files sent via e-mail.
(Credit: Screenshot by Harrison Hoffman/CNET)
My current solution for file storage and backup is Live Mesh, which continually monitors your machine for changes in backed-up files and automatically uploads them. While this feature is great, it can sometimes result in your machine slowing down since the application tends to use a lot of resources. Norton Online Backup's client is fairly lightweight and works on a scheduled backup system, which means that it checks for changes in your backed-up files at a designated time and does everything at once. This results in less overhead for your system.
Other, more minor features included in this release are open file backup, which backs up a file even if it is in use on your computer, file purging, and a simplified set-up/user interface.
Norton Online Backup has a 30-day trial and the full version costs $50 for one year, which gives you 25GB of storage and allows up to five computers on your account.
This is what the recipient sees when you send them a file via e-mail.
(Credit: Screenshot by Harrison Hoffman/CNET)
PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and the recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare away users who might otherwise find it a good security tool.
The default landing page should appeal to those who like quick glances to ensure everything is running smoothly. Green checkmarks or red Xes make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.
The performance benchmarks weren't horrible, but they didn't impress, either. Falling somewhere in the middle of its competitors, and notably slow especially on computer start-up times, the suite could be much more nimble. Also annoying is that when held up against most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.
What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for its premium product may stand out as a good deal. Read the full review at CNET Reviews.
You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world. Google's nascent browser has paired with one of the most popular free security programs in the world so that when users run the Avast installer on a computer that has neither Chrome nor Avast, they'll be offered a chance to install Chrome simultaneously. This is the first such bundling for Avast in its 21-year existence.
The Chrome installation window in the Avast installer is cleverly polite.
(Credit: Screenshot by Seth Rosenblatt/CNET)
The Chrome option in the Avast installer does two things differently from the more familiar opt-out user experience that many programs provide in an installer in exchange for financial sponsorship. For one thing, the Chrome window only turns up if you don't already have it installed, but more importantly, it forces users to actively choose installation. Neither the "yes, install" nor the "no, don't install" radio buttons are checked by default. Of course, users are forced to check off "no" if they don't want it, but this should dramatically cut down on the incidence of accidental installations that tend to plague otherwise-similar piggybacking installs.
The Avast/Chrome combo may strike some as an odd couple, or at least more beneficial for Avast than for Chrome, but keep in mind that Avast has more than double the users that Chrome does. Google's Vice President of Product Management Sundar Pichai said Chrome had more than 40 million users at the Chrome OS press conference at the end of October, and the end of November saw NetApplications peg Chrome at 3.93 percent of the browser market, a 0.35 percentage point increase. Meanwhile, on Avast's Web site, the Czech Republic-based security vendor is preparing to fly its 100 millionth user to Prague on an expenses-paid trip.
A Google spokesman indicated that other deals might be in the works. "Users' response to Google Chrome has been outstanding, and we're continuing to explore ways to make Chrome accessible to even more people. This could potentially include distribution via a number of channels, such as the distribution we are currently doing with Avast."
CNET News staff writer Stephen Shankland contributed to this report.
Red means danger. And orange offers plenty of risk, too.
(Credit: McAfee)
You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.
McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.
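Trend Micro's forecast above of Cyrillic look-alike domains and McAfee's note on .cm typo-squatting both come down to the same defensive check: spotting requests to hosts that almost match a trusted name. As an added illustration (not code from CNET, Trend Micro or McAfee), this Python script scans constructed proxy log lines for one-character TLD typos of a protected domain and for IDN labels that mix Cyrillic letters into Latin text; the protected domain list and the log format are assumptions.

```python
"""Flag look-alike hosts in proxy logs: a one-character TLD typo such as
.cm for .com, and an IDN label that mixes Cyrillic letters into Latin text."""
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains the organisation wants to protect (assumption).
PROTECTED = {"example.com", "examplebank.com"}

# Constructed look-alike: "example" with a Cyrillic a (U+0430), as it would
# appear in a log once the browser has converted it to punycode (xn--...).
LOOKALIKE = "ex\u0430mple.com"
PUNYCODE = LOOKALIKE.encode("idna").decode("ascii")

# Constructed proxy log lines: "<timestamp> <client-ip> <url>" (assumption).
SAMPLE_LOG = f"""\
2009-12-23T10:01:02Z 10.0.0.5 http://www.example.com/index.html
2009-12-23T10:01:09Z 10.0.0.5 http://www.example.cm/login
2009-12-23T10:02:30Z 10.0.0.7 http://{PUNYCODE}/login
2009-12-23T10:03:11Z 10.0.0.9 https://examplebank.com/accounts
"""


def to_unicode_host(host):
    """Decode punycode (xn--) labels so look-alike characters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: inspect it as-is


def mixed_script(label):
    """True if a label contains both Latin and Cyrillic letters."""
    scripts = {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}
    return "LATIN" in scripts and "CYRILLIC" in scripts


def within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def scan_log(log_text, protected=PROTECTED):
    """Return (client_ip, host, reason) for each request to a look-alike host."""
    findings = []
    for line in log_text.splitlines():
        _ts, client, url = line.split(" ", 2)
        host = (urlsplit(url).hostname or "").lower()
        uhost = to_unicode_host(host)
        registered = ".".join(uhost.split(".")[-2:])  # e.g. example.cm
        if registered in protected:
            continue  # the genuine site; nothing to flag
        if any(mixed_script(label) for label in uhost.split(".")):
            findings.append((client, host, "mixed Latin/Cyrillic label"))
            continue
        name, _, tld = registered.rpartition(".")
        for good in protected:
            good_name, _, good_tld = good.rpartition(".")
            if name == good_name and within_one_edit(tld, good_tld):
                findings.append((client, host, "TLD typo of " + good))
                break
    return findings


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(client, host, reason)
```

The mixed-script test catches the Cyrillic case regardless of which letter was swapped, and the edit-distance test also covers .co or .om for .com, so the script generalizes beyond the two examples in the text.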
The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.
(Credit: McAfee)
Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.
On the positive side, the government (.gov) is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk), dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the country's aggressive steps to stop scam-related domain registrations.
(Credit: McAfee)
"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."
Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent in each of the past two years, although the comparison is not direct since McAfee said it has changed its rating methodology since then.
McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.
Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."
"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."
Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.
The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.
"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."
Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.
"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the company said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."
The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."