News Security

Symantec Warns Of Spam Campaign Using Shortened URLs

Symantec MessageLabs has warned that the proportion of spam containing shortened hyperlinks has increased significantly over the last year

In an effort to beat spam filters, Symantec’s MessageLabs has warned that spammers linked to the Storm botnet are increasingly turning to shortened URLs.

According to Symantec’s July 2010 MessageLabs Intelligence Report, spam with shortened hyperlinks reached a peak of 18 percent on 30 April, translating to 23.4 billion spam emails. An analysis of the spam campaign has linked some of it to the notorious Storm botnet, which first appeared in 2006 before declining in 2008. The botnet re-emerged in May, and now accounts for 11.8 percent of all the spam containing shortened hyperlinks circulating the web.

Shortened URLs

“While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet such as unidentified spam-sending botnets or non-botnet sources such as webmail accounts created using CAPTCHA-breaking tools,” said Paul Wood, MessageLabs Intelligence Senior Analyst for Symantec Hosted Services, in a statement.

The peak of 18 percent this year is more than double last year’s high point of 9.3 percent, recorded on 28 July 2009. In the second quarter of 2009, there was only a single day when shortened hyperlinks appeared in more than 1 in 200 spam messages, Symantec reported. In the second quarter of 2010, however, there were 43 days when that happened.

Dodging Filters

Security pros have repeatedly warned users to be wary about shortened URLs in emails and on social networks because they are sometimes used to trick people into visiting malicious sites. That wariness however should not necessarily transform into panic, as an analysis of shortened URLs in Twitter’s public timeline by Zscaler revealed they were far less likely to lead to malicious sites than search results on Google.

Still, for spammers pushing pharmaceuticals and other goods, using shortened URLs can be relatively effective. According to the report, researchers found an average of one website visit for every 74,000 spam emails containing shortened URLs. The most frequently visited shortened links from spam received more than 63,000 website visits.

When it comes to spam, the name of the game is dodging filters, and any tactic that can make it harder to block email messages is going to be adopted by the spammers out there, Wood said.

“When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails,” he said.

News Security

US And Russia In Talks To Prevent Cyber Arms Race

The US is in talks with Russia and the UN to improve Internet security and prevent the breakout of cyber warfare

The US is in secret talks with Russia and the United Nations about strengthening Internet security and limiting military use of cyberspace, according to a report in the New York Times. The content of the talks is still unknown but the news marks a significant policy shift in the US, which has resisted entering into such talks for years.

Many countries, including the US, are developing weapons for use on some of the computer networks that are integral to large-scale operations, such as banks, electrical power systems, government offices and military organisations. These include “logic bombs” that can freeze computers at crucial times or damage circuitry; “botnets” that can disable or spy on websites and networks; and microwave radiation devices that can burn out computer circuits from miles away.

While the dangers of virtual conflicts are recognised, none of the countries involved wants to hinder any future deployment by revealing the technologies they have developed, according to James Lewis, a senior fellow at the Center for Strategic and International Studies and a cyber security expert. Both the US and Russia have sophisticated cyber warfare capabilities they are reluctant to document, Lewis told the Guardian.

Despite this, the Russians have long been pushing for an international treaty, similar to treaties that have limited the spread of nuclear, chemical and biological weapons, to tackle the increasing challenges posed by military activities to civilian computer networks. The US had previously resisted, arguing that it is impossible to distinguish between the commercial and military uses of software and hardware.


However, back in May, President Barack Obama declared an end to the country’s uncoordinated attempts to “deter, prevent, detect and defend” against cyber-attacks, promising a new approach to online security. “In this information age, one of your greatest strengths – in our case, our ability to communicate to a wide range of supporters through the Internet – could also be one of your greatest vulnerabilities,” Obama said at the time.

Since then, some commentators have begun to see signs of a move towards resolving what has been described as an international arms race. “In the last months there are more signs of building better cooperation between the US and Russia,” said Veni Markovski, a Washington-based adviser to Bulgaria’s Internet security chief and representative to Russia for the organisation that assigns Internet domain names. “These are signs that show the dangers of cybercrime are too big to be neglected.”

Progress has not been made on all fronts, however. In May, Obama also promised to appoint an official in the White House to handle all matters relating to cybersecurity, but has so far failed to do so. “The urgency for progress in cyber security remains, and, therefore, so does the need for the appointment of a qualified, credible, senior level official to the cyber security coordinator post,” wrote TechAmerica President Phil Bond in a letter to Obama in October.

News Security

Burglars Take Tory Liam Fox’s Laptop

‘Crime is down’ says Labour. ‘No it isn’t,’ says Liam Fox, who lost his laptop and car in a break-in on Wednesday

The Conservative shadow defence secretary, Liam Fox, has had his laptop stolen, along with his mobile phone and car, after his home in South London was burgled whilst he was asleep upstairs.

Laptops Most At Risk Whilst At Home

First reports suggested that he had left his laptop inside his car, but it has emerged that the thieves actually broke into his house and, according to the Daily Telegraph, armed themselves with his kitchen knives in order to threaten the Tory politician if he confronted them whilst they ransacked his property.

Fox woke up just before 7am to discover he had been burgled. Fox’s wife, Jesme, was not in the property as she is stuck in Hong Kong due to the travel chaos caused by the volcanic ash.

It is believed that the intruders climbed on to Fox’s balcony, having spotted an open window.

In February, research from Absolute Software warned that the place where laptops were most likely to be stolen was not at airports or on the train, but rather in people’s own homes. It found that the number of laptops stolen from British homes is significantly higher than in other countries. British homes are the most dangerous locations for laptops (32 percent of most recent laptop thefts), compared to France (22 percent), the US (18 percent), Germany (17 percent) and Canada (17 percent).

Meanwhile Symantec’s latest Global Internet Security report found that the largest percentage (37 percent) of data breaches that could possibly lead to identity theft was still being caused by the physical theft or loss of that information.

Common Burglary

Meanwhile the Metropolitan Police have confirmed they are treating the incident as a burglary. Forensics officers are at the scene and detectives are understood to be studying CCTV footage from outside the gated apartment block in Bermondsey.

“I feel like anyone else who has been the victim of an opportunistic burglary,” said Fox, speaking outside the flat in Bermondsey. “It’s not very nice to have someone in your house, particularly when you have been in it. It’s even less nice when they have taken kitchen knives out of the kitchen drawer and left them close so that they can threaten you.”

“But I’m not the only person in this country to have been the victim of crime and now have even greater sympathy in the future with people who are,” he added.

Sensitive Data Stolen?

Of course, questions have been raised over whether any sensitive information was on the stolen laptop and whether it was encrypted.

When asked if any sensitive documents have been stolen Fox replied: “No. There were a number of documents in the house, but nothing was taken containing sensitive information.”

Fox had been due to outline the Tories’ armed forces manifesto on Thursday morning but the launch was cancelled at short notice.

“For Liam Fox’s sake, I hope that this laptop was encrypted. Laptops will always be stolen, the important thing is making sure that the data on them can’t be accessed and abused. If this laptop was encrypted, then Liam Fox has nothing to worry about,” said Chris McIntosh, CEO of hardware encryption expert Stonewood, which provides encryption for the UK armed forces.

News Security

Twitter Users Infected With New Worm Attack

Twitter users were infected over the weekend with a new worm attack that posted sexual messages on victims’ profiles

Security measures at micro-blogging website Twitter have been exposed again after Twitter users were hit with yet another worm over the weekend.

This time, the tweets came bearing the message “WTF” with a link in tow. Clicking on the link automatically generated a post from the victim with a pornographic message.

Infected Twitter Links

“Clicking on the WTF link would take you to a webpage which contained some trivial code which used a CSRF (cross-site request forgery) technique to automatically post from the visitor’s Twitter account,” explained Graham Cluley, senior technology consultant at Sophos. “All the user sees if they visit the link is a blank page, but behind the scenes it has sent messages to Twitter to post from your account.”

Though Sophos did not know how many users were impacted, Sophos Senior Security Analyst Beth Jones said it was not “nearly as widespread” as last week’s onMouseOver worms, which affected hundreds of thousands of Twitter users.

In that case, a cross-site scripting vulnerability was exploited by various people to send out multiple worms that among other things redirected users to porn sites.

As in that incident, the most recent attack snared some high-profile Twitter users, including blogger Robert Scoble.

Curiosity Kills The Cat

“Chances are that the reason why this attack spread so speedily is that people were curious to find out what they would find at the end of a link only described as ‘WTF’,” Cluley blogged.

Twitter reported on 26 September that the malicious link had been disabled and that the exploit had been fixed.

Government IT News Security

UK Cyber Security Challenge Launched To Promote Skills

Autumn will see a Cyber Challenge in the UK, designed to create new security professionals

A challenge is being launched to persuade users to develop necessary IT security skills in Britain.

The UK Cyber Security Challenge, modelled on the US Cyber Challenge, will set tasks, such as treasure hunts or network break-ins, for people who want to establish their information security skills. Winners will get prizes, but will also be up for real jobs in the industry.

Demand for security experts exceeds supply

Details are scanty so far, but the challenge has backing from vendors and government bodies for a programme which will “bridge the gap between the supply of cyber security experts and the demand,” according to Mohan Koo, managing director in the UK for Australian security firm Dtex – who is on the management team of the challenge.

“There are lots of graduates out there who are skilled, but don’t realise their skills can be harnessed to further a career,” said Koo. The management group surveyed 255 user companies in the UK, and 90 percent of them said they were already having trouble recruiting security professionals, with the majority expecting that difficulty to increase.

The group plans to launch its challenge in autumn, when graduates emerge from university, but aims to sign up more supporting organisations at the Infosec Europe show this week, where the programme will announce its existence.

With sufficient backing, the challenge should be able to offer significant opportunities. The US scheme launched in 2009 has already placed several graduates in jobs as well as creating interesting challenges on the way, said Koo.

Sponsors include the Metropolitan Police, the Cabinet Office, and the Institute of Information Security Professionals.

News Security

UK Link As US Arrests 60 People For Zeus Bank Heist

More than 60 people have been charged in the US as part of an international crime syndicate that used the Zeus Trojan to swipe millions of dollars from bank accounts

Federal prosecutors in New York City charged 37 people in connection with a cyber-crime ring that used the Zeus Trojan horse to loot millions from victims’ bank accounts. All in all, 60 people have been charged by both federal and state authorities in the operation.

The swoop is believed to be part of an international police action that also resulted in the arrest of 19 Eastern Europeans in London last Wednesday.

The timings of the UK and US arrests seem too close to be a coincidence, leading many to speculate the investigation was a coordinated effort between various law enforcement agencies from the two countries.

“From our eyes, it appears the UK arrests by the Metropolitan Police were the ringleaders, the controllers – and the people arrested in the US were the money ‘mules’ of the operation,” said Chester Wisniewski, a senior security advisor at Sophos.

While he has yet to see any “hard evidence” linking these two investigations, Wisniewski pointed to other similarities, such as the nationalities of the alleged criminals. Both groups were primarily Ukrainian and Estonian, he said. The indictment mentioned that a package of forged passports was sent from the UK, he said. He also noticed a similarity in the types of visitor visas held by the suspects.

The ones named in the US indictment held J-1 visas. These are non-immigrant visas issued to exchange visitors participating in programmes that promote cultural exchange, especially to obtain medical or business training. All applicants must meet eligibility criteria and be sponsored either by a private sector or government programme.

Still At Large

The defendants in the US heist, mostly in their 20s, are accused of using the Zeus Trojan to steal over $3 million. The victims were primarily small businesses and municipalities, according to the indictment, although there were some breached brokerage accounts at TD Ameritrade and eTrade.

“This group was one of the premier Zeus operators in the underground,” said Alex Cox, principal analyst for NetWitness.

Of the people named in the indictment, 10 were arrested by FBI and New York law enforcement officials yesterday. There are thought to be 17 from the same gang still at large around the world.

The group allegedly recruited mules via Russian language Web sites by placing ads seeking students with J-1 visas who could open bank accounts in the US, according to the indictment. The mules allegedly kept a small percentage of the stolen money and wired the remainder to overseas bank accounts, often in Asia.

The charges range from bank fraud and false use of a passport to money laundering and conspiracy to commit wire fraud. Maximum prison sentences range from 10 years to 30 years and fines from $250,000 to $1 million per count.

Lucky Break

The indictment marks the culmination of a year-long investigation, dubbed Operation ACHing Mules, conducted by several state and federal agencies. It was triggered when police went to investigate a suspicious $44,000 withdrawal from a New York bank in February, according to the statement issued by the law enforcement agencies. The operation’s name is derived from the phrase “unauthorised automated clearing house (ACH) transactions”.

Internal fraud alerts used by banks do not always work in cases like this because mule accounts are generally located in the same country as the compromised accounts and balances are kept below $10,000.

“I would expect this bust to make existing groups take notice and watch their tracks even more, especially in the short term, but it’s not likely to have any significant sustained effect. The risk versus rewards are still too great,” said Cox.

It is difficult for banks to protect against Trojans like Zeus, as it records keystrokes, said Chris Larsen, senior malware researcher at Blue Coat Systems. Instead, users need to be proactive about their own security by patching their computers against known exploits and actively monitoring their activity, he said.

News Security

Virgin Media Warns Customers Of SpyEye Infection

Virgin Media has cooperated with SOCA to identify broadband customers who are infected by SpyEye

Virgin Media has sent letters to about 1,500 of its broadband customers warning that their systems are infected by the SpyEye Trojan, which steals banking data.

The letters follow on from an investigation by the Serious Organised Crime Agency (SOCA) which uncovered IP addresses of infected systems. SOCA handed the IP addresses over to Virgin Media which identified a number of its customers among those affected.

Serious risk

Virgin Media previously used written notifications to alert users to the risk posed by the Zeus Trojan last year.

In the letters Virgin Media emphasised the seriousness of the risk from SpyEye and urged customers to update their security software. Customers also have the option of signing up for a help service, using which Virgin Media can remotely identify and eliminate problems.

Virgin Media said customers need increasingly more direct warning methods as the importance of broadband grows.

“Cyber crime is on the rise and the increasing sophistication of malware infections means that all Internet users could be at risk with devastating effects,” said Jon James, executive director of broadband at Virgin Media, in a statement.

SOCA said it isn’t enough for users to rely on service providers to help them.

“It is equally important for consumers to protect their finances and personal information by ensuring their computers are equipped with up-to-date security software,” said Lee Miles, SOCA’s head of cyber, in a statement.

Stealthy Trojan

SpyEye works in stealth mode: it is invisible to the task manager and other user-mode applications, hides its files from regular Explorer searches, and also hides its registry keys. It can grab data entered in a web form and automates getting money from stolen credit cards.

In April British police arrested three alleged members of the SpyEye gang. Security researchers consider SpyEye, a banking Trojan that harvests victims’ personal credentials, the de facto successor to the Zeus Trojan.

Two of the men were charged on 8 April, but the third man was released on bail on the condition that he return for further questioning in August, police said. Pavel Cyganoc, a Lithuanian living in Birmingham, England, and Aldis Krummins, a Latvian living in Goole, England, were both charged with conspiracy to defraud and concealing the proceeds of crime.

Cyganoc was also charged with conspiracy to cause unauthorised modifications to computers, police said.

The Police Central e-Crime Unit, a specialised group within Scotland Yard, made the arrests “in connection with an international investigation into a group suspected of utilising malware to infect personal computers and retrieve private banking details”.

Along with the arrests, police also seized computer equipment and data. The investigation is still ongoing.

Last November researchers said the developers behind the Zeus and SpyEye Trojans had joined forces to create one major botnet, with sophisticated capabilities to attack user bank accounts.

Networking News Security

Westminster Abbey Blocks Twitter At Royal Wedding

Signal jamming technology will be deployed at Westminster Abbey to avoid disruptions to the royal wedding

Guests of the royal wedding on 29 April will be prevented from posting live Tweets, after event organisers arranged for signal-blocking technology to be installed at Westminster Abbey.

The move, which was initiated by senior members of the royal family, is intended to cut down the number of news photos and videos featuring mobile phone-toting guests, and also prevent any distracting ringtones from interrupting the ceremony. Those attending the wedding will also be unable to share pictures, send texts or make calls.

The news has reportedly been welcomed by police, security personnel, and broadcasters, who are keen to avoid any disruptions to the event. Mobile phones can also, of course, be used to set off bombs, meaning that mobile phone jamming will act as an additional security measure.

A police official confirmed to Yahoo on Wednesday that the blocking technology will be in place from early Friday morning and will remain switched on for the duration of the ceremony.

Twittersphere buzzing

The absence of Twitter at the actual event does not mean the web will go silent, however. The wedding will be streamed live on YouTube’s official Royal Channel, and will run for four hours beginning at 10am BST.

Meanwhile, AP Live, CBS News, and the UK Press Association will all have live coverage and commentary of the event, and the BBC, ABC News, Fox News and ITN are all hosting live streams, ensuring that the social media channels will be buzzing.

Talk of the Royal Wedding is already accelerating rapidly on Facebook and Twitter. Overall, tweets about the Royal Wedding have quadrupled since the beginning of the month, averaging nearly 5,000 per hour over the last week and accelerating quickly in recent days. According to data from social media business intelligence platform Trendrr, 46 percent of tweets are positive, 43 percent are neutral and 12 percent are negative.

News Security

White House Outlines Online Identity Strategy

The US government has set out plans to strengthen authentication and identity verification on the web

In an effort to make the web a safer place, the White House has published a draft of a strategy designed to make the concept of trusted identities and authentication more of a reality in the digital world.

In a 39-page document (PDF) entitled the “National Strategy for Trusted Identities in Cyberspace” (NSTIC), the White House promotes what it calls the Identity Ecosystem, an interoperable environment where individuals, organisations and devices can “trust each other because authoritative sources establish and authenticate their digital identities.”

Three Layers

The ecosystem will consist of three main layers – a governance layer that establishes the rules of the environment; a management layer that applies and enforces the rules of the ecosystem; and the execution layer that conducts transactions in accordance with the rules.

“The Federal government, in collaboration with individuals, businesses, non-profits, advocacy groups, associations, and other governments, must lead the way to improve how identities are trusted and used in cyberspace,” the document reads. “Ongoing collaboration between private and public sectors has already resulted in significant gains towards establishing Identity Ecosystem components. However, much more remains to be done.”

According to national Cyber Security Coordinator Howard Schmidt, the document was created in response to President Obama’s Cyberspace Policy Review issued last May. Individuals should no longer have to remember an “ever-expanding and potentially insecure list of usernames and passwords to log into various online services,” he blogged.

User Choice

“Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.),” Schmidt wrote.

The US Department of Homeland Security will be collecting comments from the public on the document until 19 July. The NSTIC is expected to be finalised in the fall, Schmidt blogged.

Government IT News Security

Wikileaks: Chinese Government Ordered Google Hack

US embassy documents say a Chinese Politburo member ordered attacks on Google

The Chinese government ordered the hack against Google in January, and backed many other acts of cyber-warfare, according to the US Embassy cables revealed by Wikileaks.

Wikileaks sparked a diplomatic crisis this weekend by releasing more than 250,000 confidential cables from US embassies around the world. Along with Arab leaders urging strikes on Iran’s nuclear plants, and embarrassing assessments of foreign leaders, the massive leak shed new light on the incident in January, when Google was subject to hacking from within China.

Hack ordered by Politburo member?

The hack in January, which prompted Google to leave China temporarily, was “orchestrated by a senior member of the Politburo who typed his own name into the global version of the search engine and found articles criticising him personally,” according to a source in China, The Guardian reports.

The campaign used “government operatives, private security experts and Internet outlaws recruited by the Chinese government,” and was part of a concerted pattern of Chinese official hacking dating back to 2002, whose targets included other businesses, the US government and its allies, and the Dalai Lama.

Earlier this month, it was revealed that, in April, 15 percent of Internet traffic was routed through China, an incident which raised fears of further Chinese interventions.

The material in the cables is embarrassing to the US government and, in the case of the Google hack, adds evidence to back existing suspicions rather than providing any proof. Wikileaks is posting 251,000 documents from 274 embassies dating back to 1996, in an action which it says “reveals the contradictions between the US’s public persona and what it says behind closed doors”.

The Chinese hack on Google was alleged to have stolen Google’s source code, and is believed to have originated from two Chinese colleges. Google stopped re-routing its traffic away from China in June.