Sempai.inFo - 411


April 6, 2010

Vietnam Rebuffs Hacking Claims From Google
   Author: admin

Posted in News, Security

Vietnam tersely rejected charges from Google that tens of thousands of Vietnamese-speaking PC users around the world were targeted by hackers.

The country’s Foreign Ministry published a statement on Saturday after fielding a question from the press about Google’s blog post, which was published on its online security blog on March 30.

“Such comments are groundless,” said Vietnamese Foreign Ministry spokesperson Nguyen Phuong Nga. “We have on many occasions clearly expounded our view on issues relating to access to and use of information and information technology, including the Internet. Vietnam law puts in place specific regulations against computer virus and malware as well as on information security and confidentiality.”

A Google security official, Neel Mehta, wrote that the company had discovered a type of malicious software that was disguised as Vietnamese keyboard language software. The software was used to spy on the owners of computers and to conduct distributed denial-of-service attacks “against blogs containing messages of political dissent.”

“Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country,” Mehta wrote.

Following up on Google’s research, security vendor McAfee said the malware created a botnet whose command-and-control systems were located within IP (Internet Protocol) address blocks assigned to Vietnam.

“We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam,” wrote McAfee CTO George Kurtz.

McAfee said the attacks do not appear to be related to Aurora, an extensive hacking network linked to China and outed by Google in January. The company two weeks ago defied Chinese law and stopped censoring its search results in China in protest. Google said that hackers targeted the Gmail accounts of human rights activists along with intellectual property of at least 20 other companies.

The Vietnamese malware purports to be the VPSKeys driver used to create accent marks in the right locations on Windows machines, according to McAfee. The code is less sophisticated than the malware used in the Aurora attacks, McAfee said.

On Tuesday, computer security researchers released a report on a new cyber-espionage network that once again targeted entities such as the Indian military, the Office of the Dalai Lama and the United Nations.

The Shadow network was traced to Chengdu, in China’s Sichuan province, where the perpetrators used a variety of social networking tools to control compromised computers. As of Tuesday, China’s National Computer Network Emergency Response Technical Team (CNCERT) said it had not been notified of the report by the researchers.

(Source: http://www.pcworld.com/businesscenter/article/193526/vietnam_rebuffs_hacking_claims_from_google.html)

January 19, 2009

Secure deletion: a single overwrite will do it
   Author: admin

Posted in News, Security

The myth that to delete data really securely from a hard disk you have to overwrite it many times, using different patterns, has persisted for decades, even though firms specializing in data recovery openly admit that if a hard disk is overwritten with zeros just once, all of its data is irretrievably lost.

Craig Wright, a forensics expert, claims to have put this legend finally to rest. He and his colleagues ran a scientific study to take a close look at hard disks of various makes and different ages, overwriting their data under controlled conditions and then examining the magnetic surfaces with a magnetic-force microscope. They presented their paper at ICISS 2008 and it has been published by Springer AG in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).

They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.

Nevertheless, that doesn’t stop the vendors of data-wiping programs offering software that overwrites data up to 35 times, based on decades-old security standards that were developed for diskettes. Although this may give a data wiper the psychological satisfaction of having done a thorough job, it’s a pure waste of time.

Something much more important, from a security point of view, is actually to overwrite all copies of the data that are to be deleted. If a sensitive document has been edited on a PC, overwriting the file is far from sufficient because, during editing, the data have been saved countless times to temporary files, back-ups, shadow copies, swap files … and who knows where else? Really, to ensure that nothing more can be recovered from a hard disk, it has to be overwritten completely, sector by sector. Although this takes time, it costs nothing: the dd command in any Linux distribution will do the job perfectly.
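A single-pass zero overwrite of the kind the post describes, shown here as an added example (not code from the original post) against a constructed disk-image file so it can be run safely; the image path, marker string and the `recovery_pct` helper are assumptions for the demonstration, and the 56 percent per-bit figure is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): a single-pass zero overwrite with dd,
# run against a constructed disk-image file so it can be executed safely anywhere.
# On a real drive the same dd invocation takes the device path as of= instead.
set -eu

IMG="${TMPDIR:-/tmp}/wipe_demo.img"   # constructed stand-in for a disk
MARKER="SECRET-DOCUMENT-CONTENTS"     # constructed sample data to look for

# Build a 1 MiB "disk" of random bytes with a recognisable marker in the middle.
make_image() {
    dd if=/dev/urandom of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Number of lines of the image that still contain the marker (0 after the wipe).
marker_count() {
    grep -a -c "$MARKER" "$1" || true
}

# One pass of zeros over every byte of the file, written in place (conv=notrunc
# keeps the existing blocks rather than allocating new ones), followed by the
# tail that does not fill a whole block.
wipe_once() {
    size=$(wc -c < "$1")
    blocks=$(( size / 4096 ))
    tail=$(( size % 4096 ))
    dd if=/dev/zero of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    if [ "$tail" -gt 0 ]; then
        dd if=/dev/zero of="$1" bs=1 count="$tail" seek=$(( blocks * 4096 )) \
           conv=notrunc 2>/dev/null
    fi
}

# Chance (in percent) of recovering n consecutive bytes when each bit is read
# back correctly with probability p, e.g. the paper's 56 percent per-bit figure.
recovery_pct() {
    awk -v p="$1" -v n="$2" 'BEGIN { printf "%.2f", p ^ (8 * n) * 100 }'
}

make_image
echo "marker lines before wipe: $(marker_count "$IMG")"
wipe_once "$IMG"
echo "marker lines after wipe:  $(marker_count "$IMG")"
echo "chance of recovering one byte at p=0.56: $(recovery_pct 0.56 1)%"
rm -f "$IMG"
```

The marker is gone after one pass, and the per-byte figure comes out at the 0.97 percent the post quotes; a second byte drops it to about 0.01 percent.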

(Original Post)

August 27, 2008

Revealed: The Internet’s Biggest Security Hole
   Author: admin

Posted in News, Security, Technology

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It’s a huge issue. It’s at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago…. We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper’s network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn’t exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

(Read More)

July 23, 2008

Weak IPv6 Security Leaves Computers Wide Open
   Author: admin

Posted in News, Security

Your precious firewall can’t save you now!

Weak or nonexistent IPv6 support in computer security software can leave otherwise-secure computers wide open to attack – so open, in fact, that in some cases it’s as if there’s no firewall running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phone operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as naked in IPv6 space as they would be in IPv4 space without a firewall, with any program that listens for connections allowed to accept them. Most operating systems, by default, run a handful of “listeners” used for networking and internal processes – and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow with Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily covered up by a firewall.

Network administrators who don’t keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It’s like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzer of the Honeynet project observed a hacker that broke in to a Solaris-based honeypot through normal means, enabled IPv6 connectivity in the OS, and then set up a tunnel out of the network that went into another country. The break-in was only discovered due to network packet-sniffing, and even then Spitzer says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes designed to tunnel IPv6 traffic through an IPv4 system, like Teredo or the 6to4 system: the very act of tunneling often circumvents firewalls by nature.

“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as they can – a widget on Command Interface’s web site estimates that the internet will run out of IPv4 addresses in about two and a half years – some fear that technological progress may be outpacing the security that keeps it safe.

(Original Post)

July 14, 2008

FCC Chairman Recommends No Fine for Comcast
   Author: admin

Posted in News, Security

WASHINGTON -(Dow Jones)- Federal Communications Commission Chairman Kevin Martin Friday said he would not seek to fine cable giant Comcast Corp. (CMCSA, CMCSK) for slowing some Internet traffic.

Instead, Martin said he wants Comcast to stop its practice of deprioritizing certain applications that tend to use a lot of bandwidth. "It is not a reasonable network management practice," he said at a press conference to discuss his recommendation.

"We would tell Comcast that they have to stop engaging in that practice. They have to disclose to the commission where they are engaging in that practice."

Martin has proposed that Comcast change the practice within a "reasonable time frame," which could be the end of the year.

"We would say that as they are moving to a new network practice that they need to disclose to us and to consumers," Martin said.

The other four commissioners must weigh in on Martin’s proposal before it can take effect.

Comcast has said it would challenge the order if the other commissioners agree to it.

Comcast argues that Martin is unfairly imposing a new rule and punishing the company at the same time.

"You can’t enforce this because there aren’t any rules," said Comcast Spokeswoman Sena Fitzmaurice. "It violates all sorts of due processes in the way you are supposed to create rules."

Martin said he is aware of Comcast’s concern. "I think that’s one of the reasons why I have not proposed that we put a fine," he said.

Comcast A shares recently were off 2.5% at $18.19.

(Original Post)

Posted in News, Security

It’s no secret that politicians tend to churn out press releases touting their accomplishments, no matter how mean or insignificant. But it is still possible to be surprised on occasion, which brings us to today’s announcement by New York Attorney General Andrew Cuomo, a Democrat.

In his press release, which was reproduced uncritically, Cuomo claimed that AOL has "agreed to eliminate access to child porn newsgroups, a major supplier of these illegal images" and said that the company will "purge" its "servers of child porn websites." By newsgroups, Cuomo is referring to Usenet, a free-flowing discussion area that predates the Web.

The press release included the obligatory encomiums from the National Center for Missing and Exploited Children’s Ernie Allen, who added: "This is another tremendous step forward in ridding the Internet of child pornography. Attorney General Cuomo continues to lead the fight against child pornography and I applaud his efforts to cut this horrific material off at the source."

There’s just one problem with the press release. AOL isn’t doing anything different today than it did yesterday. "We have not changed any policies or procedures as part of today’s announcement," AOL spokeswoman Allie Burns told me via e-mail.

Someone on the New York attorney general’s staff probably should have informed his or her boss that AOL actually ceased to offer all Usenet newsgroups more than three years ago–for business reasons, not political reasons. Even in the bizarro world of politics, an Internet provider can’t very well cease to offer what it already has ceased to offer. (AOL will continue to allow its customers to access third-party Usenet providers such as Giganews and Usenet.com.)

Nor is AOL doing anything different in terms of deleting illegal images on its servers. "We’ve had an agreement in place with the National Center for Missing and Exploited Children since January 2007 to purge any known URLs and IP addresses that are identified by NCMEC as carrying child pornography," AOL’s Burns said.

To be sure, Cuomo’s press release also talked about AT&T changing its policies, and it was at least accurate in that respect.

AT&T spokesman Marty Richter told me that the company is going to cease offering the alt.binaries.* hierarchy, which includes sex-themed newsgroups but also ones such as alt.binaries.pictures.aviation, alt.binaries.drwho.pictures, and alt.binaries.pictures.vehicles. Customers will continue to be able to access third-party Usenet providers.

AT&T’s existing policy has been to investigate all complaints of child porn hosted on its servers–and promptly remove any illegal images–within three business days. That will not change. On Thursday, AT&T said it will enter into an agreement with the National Center for Missing and Exploited Children to consult the group’s lists in addition to complaints received from other sources.

All of this might be normal political posturing, except that it points to a troubling trend. Cuomo, like his predecessor Eliot Spitzer, seems to be trying to legislate through threats of selective prosecution or public embarrassment.

That’s what happened last month when Cuomo announced that Verizon Communications, Time Warner Cable, and Sprint would curb Usenet (here’s exactly what Verizon is doing). It happened today with AOL and AT&T. It’s true that child sexual abuse is a horrific crime–but it’s also true that, last we checked, setting rules and policies for companies to follow is a job for a duly elected legislature, not the police.

(Original Post)

July 7, 2008

Internet Governing Body Loses Own Domain Name
   Author: admin

Posted in News, Security

NEW YORK — This doesn’t sound good: The nonprofit agency in charge of the Internet’s addresses recently lost track of its own.

The Internet Corporation for Assigned Names and Numbers, or ICANN, said it happened when an Internet registration company it oversees got fooled into transferring the domain names to someone else.

The attack was quickly noticed, and ICANN’s domain names were restored within 20 minutes. However, because many Internet directories retain information for a day or two, visitors could have been redirected to an unauthorized site for longer.

ICANN said Thursday that new, unspecified security measures should prevent such attacks in the future. The organization also said it was reviewing other security procedures.

The domain names hijacked were ICANN.com and IANA.com — for the ICANN subdivision known as the Internet Assigned Numbers Authority.

Visitors to those addresses are normally redirected automatically to the organization’s main sites at ICANN.org and IANA.org, neither of which was affected by the attack.

(Original Post)

Posted in News, Security

Eva Chen, chief executive of Trend Micro, has strong views about how effective the antivirus industry has been over the past 20 years.

According to Chen, the security industry has over-hyped how effective its products are — and so has been misleading customers — for years.

Chen believes that no single company can offer adequate protection against the sheer volume of new viruses that are being churned out by cybercriminals. According to the security industry, five and a half million new samples were detected in 2007.

Q: Trend Micro has recently moved to an ‘in-the-cloud’ service. Surely traditional security methods are still effective enough?
A: In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file.

In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there’s no way to detect them.

But how about analysis using other methods? You don’t need to rely solely on antivirus.
Every year there’s a new industry buzzword, but they always fail. Heuristics use a rule to inspect the file, but virus writers know this. They split the complete malicious program into different files, and download each file to test it against the heuristic rule. Each file looks innocent but, when combined, they become a virus.

Three years ago, the buzzword was ‘personal firewalls’, but you can’t block everything. To have an effective personal firewall, you’d have to block port 80, but HTTP uses port 80. If you blocked that, no-one could use [the internet].

HIPS [host-based intrusion-prevention systems] have a lot of rules to tell if this application is trying to touch another application. HIPS behavioural monitoring requires files to be executed, so virus writers make sure they evade the rules.

So isn’t ‘in-the-cloud’ computing suffering from the same hype?
Trend Micro has gone to cloud computing because it’s a necessity. Usually, hackers now infiltrate websites. When a user clicks on a URL they are redirected to a malware-hosting site. They download the first components, usually a downloader, which downloads more components and a recompiler.

Two Trend Micro sites were infiltrated in March, weren’t they?
That shows that it’s everybody’s problem. Our websites were outsourced and, in [website code], there are a lot of commands that can be compromised. An attacker can insert an Iframe through SQL injection. It was an Iframe-injection attack on the page we outsourced to a developer. I don’t know which development company it was.

Do you know who attacked the Trend Micro sites?
We don’t know who did it. It was a mass attack — 20,000 sites — so very hard to trace.

Trend Micro is in the process of a lawsuit against Barracuda Networks over a patent dispute. As Barracuda uses the open-source ClamAV engine, there has been disquiet in the open-source community that any company that incorporates ClamAV into a gateway-security product will be sued by Trend Micro. Is this the case?
I’m suing Barracuda, not ClamAV. The patent is about how to stop viruses in transmission. We’ve traded patents with IBM and Symantec, and settled with McAfee when they were Network Associates. We won the litigation with Fortinet. We respect other people’s intellectual property; we just want people to respect ours. This has nothing to do with free software. It’s about the implementation.

(Original Post)

Posted in News, Security

The author of a Trojan that broke new ground in botnet circles has agreed to plead guilty to secretly infecting thousands of victims’ machines so that he could steal their personal data and launch attacks on websites.

Jason Michael Milmont, 19, of Cheyenne, Wyoming, admitted to creating the so-called Nugache Worm, a Trojan that spread through AOL instant messenger and modified Limewire installation programs. Once clicked on, the malware made unwitting users part of a botnet, which Milmont used to steal user names, passwords and account numbers of those who were infected.

Nugache was in circulation by early 2006 and spawned one of the first botnets to use a decentralized system to send instructions to drones, according to security researcher Dave Dittrich. Rather than relying on a single command and control channel, the zombie network used a peer-to-peer mechanism to communicate. Such fast flux technology, as it eventually came to be called, fundamentally changed the cybercrime landscape by making it much harder to shut down botnets. (Other botnets such as Storm also use fast flux.)

Over time, Milmont added new features to Nugache. A graphical user interface made it easy to access infected machines from his home server. It allowed him to issue a command to a single machine, which would then transmit the command to other machines, until it had spread through the entire network. The program contained a keylogger and was also capable of sniffing sensitive information stored in Internet Explorer to spare users the hassle of having to remember passwords for online banks and other sensitive websites.

The software was invisible to the Windows task manager in versions NT, XP and 2000. At any given time, Milmont had anywhere from 5,000 to 15,000 machines under his control.

According to a plea agreement signed by Milmont, he used his botnet to launch distributed denial-of-service attacks against an unnamed online business located in the Los Angeles area. The agreement went on to document the way he used personal information he lifted from his victims to fatten his wallet.

After sending a command that instructed infected machines to transmit captured passwords and other information, he would order items online and take control of victims’ accounts by changing the addresses and other details that were associated with them. In April 2007, for example, he used stolen credit card information to make a $1,422 purchase from Hinsite Global Technologies and had items shipped to a vacant residence in the Cheyenne area.

To prevent victims from discovering his scheme, Milmont replaced phone numbers associated with compromised accounts with Skype numbers he created and purchased using credit card data he had harvested from his botnet.

Milmont faces a maximum of five years in federal prison and a fine of $250,000. He’s also agreed to pay almost $74,000 in restitution. Milmont has agreed to appear in federal court in Cheyenne, where he will plead guilty to one felony charge. The case was brought in Los Angeles and was investigated by the FBI.

(Original Post)

Posted in News, Security

SANTA CLARA, Calif., July 1 /PRNewswire-FirstCall/ — McAfee, Inc. (NYSE: MFE) today released the results of its S.P.A.M. (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Having studied the daily blogs and analyzed the spam itself, McAfee(R) researchers confirm that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

In the first experiment of its kind, the participants from 10 countries received more than 104,000 spam e-mails throughout the course of the experiment. That’s 2,096 messages each — the equivalent of approximately 70 messages a day.

One of McAfee’s goals was to highlight that, contrary to what people might think, spam is not only a nuisance but it also poses a very real threat and is showing no sign of slowing down. For anyone that has ever wanted to ‘click’ and find out if an offer really is "too good to be true," the McAfee S.P.A.M. Experiment satisfies that curiosity, without any of the risks.

A Pain or Perilous?

Many of the spam messages received were phishing e-mails; e-mails which pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords and bank account details. Other e-mails carried viruses and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe Web sites. A number of participants noted a decrease in their computers’ processing speeds, as well as an increased number of pop-ups.

"Many of our participants noticed that their computers were slowing down, which means that while they were surfing, unbeknownst to them, Web sites were installing malware," said Jeff Green, senior vice president of McAfee Avert(R) Labs. "In just 30 days there was quite a noticeable change in the system performance of their computers. Notably showing just how much malware was being installed without their knowledge. Spam is much more than a nuisance; it’s a very real threat."

Especially For You

The results of the experiment also reveal a shift away from mass spam e-mails towards more targeted campaigns. Foreign language and social engineering spam are two areas in which participants received a larger than anticipated number of e-mails. France and Germany were the two countries that received the most foreign language spam, with 11 percent and 14 percent respectively, something which McAfee expects to increase substantially across the globe in the future.

"If we’d have done this experiment two years ago, I would have expected a much smaller percentage of the spam to be written in a foreign language," said Guy Roberts, director of Avert Labs. "Although this is a small percentage of the overall spam, it’s something we expect to grow."

Global Spam League

With the United States being the traditional territory of spammers, participants there were unsurprisingly at the top of the "Global Spam League." Emerging economies such as Brazil and Mexico also took their place in the top five of the Global Spam League, suggesting that spammers are increasingly targeting new regions.

Congratulations … You’ve Been Approved For

The most popular subject received was financial spam. For example, pre-approved loans or credit card offers were common, which may be symptomatic of spammers taking advantage of the current personal finance climate and global credit crunch.

Despite its notoriety, people are still being fooled by the ‘Nigerian’ spam e-mails, where someone supposedly from Nigeria contacts a user to let them know they are a beneficiary of a long lost relatives’ will, in a bid to extract money from them. Internet users in the United Kingdom are most likely to be targeted by a spam e-mail of this nature, with the United Kingdom participants receiving 23 percent of these scams.

The diversity of so-called ‘social engineering’ e-mails (e-mails that play on people’s emotions to manipulate them into divulging confidential information) received during the experiment gave McAfee researchers valuable insight into this type of spam; something that they have seen grow significantly in the last five years.

Dave DeWalt, chief executive officer and president of McAfee said: "The McAfee S.P.A.M. Experiment proves to us that even though people think they know the dangers of spam, they don’t understand the true extent. Our participants came from all walks of life, from all over the world and, given their interest to take part in the experiment, they were well aware of the problem. Despite this, they were all shocked by the sheer amount of spam they attracted in such a short timeframe and the lengths the spammers would go to in order to achieve success."

"I think we can see from the experiment that spam is undeniably linked to cybercrime, however it is an immense problem and it’s simply not going away. It’s no longer a question of ‘solving’ it, but one of ‘managing’ it."

(Original Post)
