New Zeus malware attacks smartphone and LinkedIn users

London, September 29, 2010 – The ZeuS malware is coming of age and the infections are going to get a lot worse, says Trusteer, the secure browsing services specialist. ZeuS malware has already been pushed extensively to users of Web 2.0 and/or social networking sites plus services such as Facebook, Twitter and, most recently, to users of the business social networking site, LinkedIn. Malware is also being modified by cybercriminals using coding toolkits to attack smartphone users. Recent postings by our IT security colleagues at S21sec about ZeuS targeting smartphone users are just the tip of the iceberg when considering the potential of these attacks.

ZeuS Mitmo.

“The spread of Zeus into mobile platforms marks the beginning of a new era of malware mobility,” said Mickey Boodaei, Trusteer's CEO. “What's dangerous in this approach is that the same malware controls two communication channels - the PC and the mobile device and as a result can launch extremely effective attacks against banks and organizations that rely on these two channels for authentication and transactions.”

“Many enterprises rely on two-factor authentication to protect against unauthorized remote access to their networks and sensitive corporate applications. Malware such as Zeus, which can reside both on the PC and the mobile device, can easily bypass these protections. For online banking the potential of the attack extends way beyond authentication. Criminals can also control incoming voice calls and re-direct them to the attackers. So when the bank detects a suspicious transaction and calls the customer for confirmation, the criminals can pick up the phone on the other side and do that on behalf of the customer.

By controlling both the phone and the PC criminals achieve devastating power. Frankly, I'm amazed that it took them so much time to do this,” continued Boodaei.

LinkedIn

“Social networks are easy targets for malware. As a LinkedIn user I've received a few email alerts where I didn't really know if they're genuine or not. The first thing you want to do when you get a LinkedIn invite from someone you're not sure you know is to click the View Profile link embedded into the email. These emails also include links to accept and reject invitations,” said Boodaei.

LinkedIn is not alone here: many of the social networks send emails with links, and even experienced users may be fooled into clicking a link in one of these really well crafted emails. Once the criminals gain control of a social network account they have access to the victim's list of friends and can send out more targeted messages to these friends, raising the risk of infection even higher.

“Targeting social network users for distributing financial malware is a smart move for the criminals. These attacks are much more likely to succeed than phishing attacks on banks. Once Zeus is installed on the user's computer then the criminals get access not only to login information but also to real-time transactions and other sensitive information on the victim's computer,” said Boodaei.

To defend against Web 2.0 attacks like this, enterprises and users need to use secure browsing services in addition to gateway-level firewalls, anti-virus and anti-spam defences. Trusteer works directly with leading banks around the world to identify targeted online banking attacks such as Zeus, block them, and remove them from your computer.

Trusteer, the world’s leading provider of secure browsing services, helps prevent financial malware attacks through its array of services. Trusteer enables banks and online businesses to protect sensitive data such as account holder credentials from malware by locking down the browser and creating a tunnel for safe communication between the web site and customers’ machines. It also prevents phishing by validating site authenticity. Trusteer also allows remote, effective, and instant investigation of malware-related fraud incidents. Trusteer’s solutions are used by more than 70 leading financial organizations in North America and Europe and by more than 12 million of their customers. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our products and services, please visit www.trusteer.com.

Source: Eskenzi PR Ltd.

Fake LinkedIn invite leads to ZeuS Trojan

by Michael Smith (Veshengro)

London, UK, 09/29/2010: A major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a multitude of browser exploits in order to install the password-stealing ZeuS Trojan.

The spam campaign began on the morning of Monday 09/27, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations, apparently, accounted for as much as 24% of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com.

On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.

This attack will no doubt fool a large number of people. Even a reporter for IT World said that he was tricked into clicking the link and possibly infecting his system.

In addition to this it would appear that the LinkedIn emails are not the only ones. Others purport to come from Twitter stating that the recipient has x-number of unread Direct Mails. Links in the email lead to sites with the .ru ending, amongst others, and not to Twitter.com.

It’s a good idea to avoid clicking social networking site invites that arrive by e-mail, especially if you don’t recognize the name of the person who’s inviting you. Instead, consider just browsing to the social networking site and handling any invites there. Also, this attack is a good reminder that it pays to stay up-to-date on the latest security patches.

If in doubt, don't click, and even then check on the website of the service or, like I do with Twitter, where possible have a 3rd party client, in my case TweetDeck. My DMs arrive there and I do not miss one. Also, Twitter does not send out reminders of unread DMs.

Ignore LinkedIn and other email invites and check, in your own time, directly on the website. Much safer.

© 2010

Mouse-Over Exploit Hits Twitter website

by Michael Smith (Veshengro)

London, 09/21/2010: A JavaScript exploit has allowed all kinds of pop-up sites and text through the Twitter.com web client, and forced a re-tweet, even if all a user does is move their mouse over a particular link. Many of those sites and pop-ups certainly were not at all safe for use at work and could make the user fall foul of ICT policies in their places of work.

The exploit has spread to thousands of accounts by early afternoon UK time – some with hardcore porn pop-ups, others with jokey references to the exploit – so it is advisable to stick with a third-party Twitter client for the time being to read and send your short updates.

Some users have reported that simply visiting Twitter.com, with certain tweets from followers loaded, could be enough to trigger an incident. Thus it is advisable to avoid Twitter.com entirely until the exploit is repaired.

While by mid-afternoon UK time, according to Twitter, the exploit has been patched, I would still say that it is a good idea to let the fix propagate through DNS servers before heading back to Twitter's web client.

Stay with third-party clients for maybe a day or two.


Plug ‘N’ Go

DESlock+ Unveiled Solution For Sharing Data On USBs

by Michael Smith (Veshengro)

Taunton, UK: In April 2010 Data Encryption Systems Limited (DES), the UK-based leader in software copyright protection, data encryption, secure messaging and data storage solutions, revealed its latest innovative new solution to combat data breaches. DESlock+ Go addresses the problem of securely sharing data on any USB removable storage device without requiring users who access it to install additional software. Like all DESlock products, DESlock+ Go conforms to international regulatory standards so customers can confidently distribute and share data on a USB stick or CD/DVD without compromising on security.

DESlock+ Go allows users to encrypt information with an encryption key and a password. This means the license holder who possesses the key can transparently share the data with others and if they don’t have the key, they simply input the password which can be changed as and where necessary. This allows both parties to see encrypted stored files. DES Managing Director David Tomlinson explained where this intuitive technology will be most beneficial and said: “We have designed and tested DESlock+ Go to work for every market. It is a simple tool available free of charge to all DESlock+ customers to add to their existing license. If an employee needs to take some sensitive information to a client meeting on a USB stick to pass on to their customer, that information can be transported safely because it is encrypted and can be easily shared given the password feature. It’s ideal for where data needs to be distributed in large numbers and to those who don’t have the necessary encryption software but where data needs to be used, modified or shared. The beauty is in the portability of this innovation.”

DESlock+ Go allows those with no technical training to decrypt securely and simply. The key holder remains in control of the information because only those with the password will be able to decrypt the stored files. You can resave and encrypt the data back onto the USB stick seamlessly.

David Tomlinson added: “You could describe this as a bubble of security. With increasing numbers of employees becoming mobile workers away from the security of their office, the number of data breaches will undoubtedly rise. Ensuring that your corporate data is safe will soon set board level agendas as the ICO powers extend their reach into an increasing number of businesses. Organizations just cannot now afford to risk their security and gamble on the belief that it’ll never happen to them. USB memory and other removable media devices pose one of the greatest threats to corporate data. While the low cost of these devices make a lost unit seem trivial, the value of the content and damage to a business caused by its loss may be enormous. DESlock+ Go is another asset to the proven and acclaimed arsenal of DESlock+ products available to prevent data leakage.”

In a survey by the Identity Theft Resource Center, 82 percent of respondents who had lost data said that if it had been encrypted, the risk to the company would have been far reduced and according to a Ponemon Institute Study, a third of respondents terminated their relationship with an organization on learning about the breach of data security. This clearly begs the question; can you afford not to safeguard your data? Encrypting data is simple and with mobile working increasing, the need for it to become part of every company’s IT infrastructure will become ever more pressing. DESlock+ Go is responding to the evolving demands of today’s mobile business by providing a solution to the problem of sharing data with those who don’t share the same security procedures as your firm.

DESlock+ helps organizations to protect against all types of data breach by offering simple, yet extremely powerful, encryption of documents, folders, disks and removable storage media, and computer systems. The solution is both Windows 7 compatible and FIPS 140-2 approved. The United States Federal Government is required to only purchase cryptographic products which are validated to the FIPS 140-2 standard and so this is a highly sought after and significant accreditation.

DESlock+ Go is included with the DES business desktop license and does not require users to be running the Enterprise Server. For more information visit www.des.co.uk

Since 1985, Data Encryption Systems has been the UK’s most successful manufacturer of software protection dongles, software copyright protection systems, and secure handset reprogramming accessories. Data Encryption Systems markets and supports products used by tens of thousands of businesses worldwide to protect applications, copyrighted materials, medical records, government files and other confidential and personal information. The company’s flagship product, DESlock+, has been awarded SC Magazine’s Best Buy for three successive years.

The problem though remains that (1) individuals, businesses and government agencies seem to be totally oblivious to the need of encrypting data and (2) that, even with the encryption software in place they often opt against encrypting data.

The losses of data, however, in Britain and elsewhere, on CDs, USB drives, and laptops, should make us all aware of the need of securing our data, and especially data in transit.


Computer stuff you should not be paying for

by Michael Smith (Veshengro)

There are a number of things as far as computing goes that you do not have to and also should not have to be paying for.

Basic Computer Software

If you are thinking of purchasing a new computer think twice before you fork out hard earned cash for a bunch of extra software.

There is no need for anything paid for. Theoretically not even the operating system needs to be bought as even for that there is an alternative to the proprietary ones such as Microsoft Windows and Apple Mac in the way of the Penguin and others. For penguin read Linux, which is an Open Source Operating System based on Linux.

For anything else as regards to software that you might need and want there are some great alternatives to the name brand software programs available, as free Open Source programs or as free basic programs.

One of the most notable ones here is OpenOffice, the Open Source alternative to those other, often rather expensive, proprietary office programs such as Microsoft Office, for example.

Open Office is completely free and files can be exported in compatible formats. Open Office reads all Microsoft Office files, for instance, bar the silly ones no one really needs, as far as I am concerned.

Any new computer, whether desktop, laptop, notebook or netbook, should come with basic software such as, at the very least, the Operating System (OS) pre-installed with Internet browser and such.

Often trial versions of this or that piece of proprietary software are also included, but I would suggest that you DO NOT even activate any of those. Obtain free Open Source equivalent programs straight away; the easiest way, if you have a decent Internet connection, is to download those.

Secondhand and older computers can be made to work, as far as the Operating System is concerned, and thus have their lifespan extended considerably, by years to decades even, by use of Open Source Operating Systems such as the previously mentioned Penguin and by use of other Open Source software.

Most distros of Linux come bundled with office software (Open Office), a photo editing program (The Gimp) and most other things that you could ever wish for; and it is all FREE.

If you consider that Microsoft Windows Vista requires four DVDs, the equivalent of around 16GB, Linux Ubuntu, with most additional software you will ever need built in, comes on a single CD and is about 700MB or less.

As said, in reality, there are many programs out there that you do not have to pay for and a great many Open Source ones are better even, especially considering the cost of FREE, than the equivalent proprietary software. The old adage of “you get what you pay for” does not apply in this instance.

Let's look at some of those programs, some of which are Open Source while others are not but which, in their basic form, are also, nevertheless, free.

OPEN OFFICE

Open Office is an Open Source alternative to Microsoft Office, though it does not have an integrated email client, that is to say, the Outlook program part equivalent of MS Office. Otherwise, however, it can entirely replace that program. If you need an Outlook equivalent then another calendar program may need to be found.

For a zero price tag, I think, this is not a problem, and Open Office, as said, is otherwise capable of opening and understanding all Microsoft Office formats.

Open Office users have told me that, for instance, the equivalent to PowerPoint is better than MS PowerPoint, though I cannot judge this as I have, so far, had no need to do PowerPoint presentations; not with MS PowerPoint nor any equivalent.

Templates for Open Office are now, slowly, becoming available and many Microsoft Office ones can be translated too.

The other program equivalent that Open Office does not have is Publisher but, to be perfectly honest, Open Office Writer can do as good a job as Publisher so I can never understand the reason for such DTP programs.

If you must have a DTP program then there are also Open Source versions available that can be had just for the download.

THE GIMP

The Gimp is a powerful Open Source photo manipulation program and, basically, a free equivalent to Adobe Photoshop.

In fact, The Gimp has built-in features for which you would have to buy add-ons for Adobe Photoshop in order to do the same.

There is one difference, for lack of a better word, between Adobe Photoshop and The Gimp – and no, it's not the price – and that is that The Gimp cannot export a picture in Post Script for publishing. Most of us though, I am sure, would not even have any use for that feature.

AUDIO RECORDING FOR COMPUTER

Need a recording program for your computer to record from a microphone to, say, make podcasts in MP3?

Audacity is the answer for sure. It is another Open Source program, available free to download, and works very well indeed and, for the size of the program, is very powerful too, and easy to use.

Once again the cost is zero.

PDF MAKING

Want to make your own PDF files, maybe an eBook or two, but don't have the fortune to spend on Adobe Acrobat? No need to do so either. There is more than one Open Source program that you could download – or basic free program – that will do the same as Adobe as far as the making of PDF files goes.

PDF Creator is an Open Source program that is a very efficient PDF maker – actually a virtual printer – that creates great PDFs and once again for nothing.

When you then combine the PDF Creator with the Nitro PDF Reader with annotation and notes facility and the capability of extracting text and pictures from PDF files you will need little else in that department.

The PDF Creator is one of the best PDF makers that I have tried and compresses the file much more than do many of the other Open Source and other PDF makers.

Open Office does have a “one click” PDF making facility but the compression ratio is, for my liking, not good enough. Otherwise that facility works well enough.

The Nitro PDF Reader, by the way, can also add a signature to a document, your signature, for instance, in the form of a jpeg but the byte size then increases quite a bit. A good feature though.

Sadly so many people think that they have to spend their hard earned cash on such powerful programs, unaware that there are great programs available on the World Wide Web in Open Source that can be theirs for the download time only.

COMPUTER SECURITY

When it comes to security software, anti-virus and anti-malware, for your computer, once again there is no need to run to the likes of McAfee or Symantec and spend lots of money for such protection.

AVG FREE which, as the name suggests, is free though not Open Source, is in its basic form, and that is the free one, a powerful anti-virus program that I have been running for many years by now, with the exception of trying out another program here and there, and it has served me well. Better, in fact, than many of the paid for programs that I have test driven.

Microsoft too is bringing out free protection programs. So, hold on to your money. I know you may be confused about Microsoft giving anything away free but so it is rumored.

Microsoft Security Essentials which I have been test driving in Beta for a while now really does a great job, though I still run AVG as well. Other security programs are in development by Microsoft and supposedly going to be free.

Using such protection programs, together with common sense advice as to dangerous websites and Internet practices should keep you safe online without having to spend a single cent.

N.B. This is, by no means, an exhaustive list and is but meant to give you an idea as to what is available on the Internet as to Open Source and other free programs. While Open Source is, theoretically, always safe this cannot necessarily be said for other free programs, which sometimes have spyware attached.

Download from trusted sources only, such as Download.com.

EMAIL ACCOUNTS

Email accounts, especially web mail accounts without POP3 or other system enabling importing emails to your computer and sending emails from the computer as well via an email client, you most certainly should NOT be paying for.

Even some free email services can still be had with Post Office Protocol (POP/POP3) or IMAP, etc., that work with email clients such as Microsoft Outlook, Microsoft Outlook Express, Windows Mail, Windows Live Mail, and others.

There are a good number of free email services about, with Gmail from Google probably beginning to take the lion's share, especially of more business kind of mail accounts, though Hotmail (now Live Mail) and Yahoo Mail (Ymail) are not far behind.

In addition to the very big players in the field, as those mentioned above, there are many other free, primarily web-based, email services about. The only problem foreseeable is that smaller providers may not stay up for long and thus mails stored could end up lost as does one's email address should the provider fold.

While there are some folks that raise privacy issues with regards to Gmail, as well as Yahoo Mail and Hotmail/Live Mail, while at the same time maintaining a Facebook account and profile, they are, in general, very reliable services and at least the latter two, Yahoo Mail and Hotmail, have been around for a very long time; as long, I believe, as the Internet almost.

Gmail is part of Google and thus also has the backing of a giant and as a web-based service is integrated with many of Google's other Web 2.0 applications, such as Google Docs, Google Calendar, etc. Gmail can also be used via an email client on the computer allowing offline working. Then, however, there is no connection to the Web 2.0 applications.

I must say that I use all three services, that is to say, Gmail, Hotmail/Livemail and Yahoo Mail, though the latter one as a web-mail only. I am not about to pay US$19.95 for a year every year for POP3 access when I can get that free with Gmail and free, via a different protocol, with Hotmail.

CLOUD SERVICES

Cloud computing has been one of the big buzzwords in computing for about the last couple of years or so now, and some predict that cloud computing is to be the way to go, the future, and it is also touted as ever so green.

As far as I am concerned, the jury is still very much out on this and thus I certainly recommend to go for free services in this category only. You do not want to commit yourself and your money to something that you may not actually need, or want or don't see how to make use of.

When it comes to storage of my data I prefer it close on the hard disc drive or on removable media over which I have got total and utter and only control. On the other hand remote storage can be handy for a variety of reasons but I doubt you need 100s of Gigabytes or even a Terabyte or so. Therefore free cloud services should be considered if you must do cloud.

As to cloud computing being ever so green the jury still is out as well and some predict that, instead of decreasing IT's environmental footprint it will increase it 100 fold. I guess where I will be staying; firmly on terra firma.
