Sunday, January 27, 2008

Virus Found in Some Best Buy Digital Frames

Barry Levine
News Factor Network

You can add to the growing list of things you need to do to keep your computer safe -- scan the digital picture frame.

Best Buy has confirmed that some units of its Insignia 10.4-inch Digital Picture Frame, purchased over the holidays, had a computer virus. Last weekend, the retailer noted an advisory from its private label, Insignia, which stated that "a limited number" of the frames, model number NS-DPF-10A, were "contaminated with a computer virus during the manufacturing process."

According to news reports, Best Buy is not recalling the frames, but it has pulled the remaining units. It said this was the only Insignia frame product affected, and the product has been discontinued.

Precautionary Measure

The company said that once it was informed of the contamination, it "immediately" withdrew the product from stores and Web sites "as a precautionary measure to protect our customers." Best Buy did note that "some affected units" were purchased from either its brick-and-mortar stores or from the retailer's Web site before the virus was detected.
Best Buy reportedly learned of the infection after customer complaints, but there is no indication of how the virus was acquired during manufacturing, or what the consequences may have been for customers.

The company pointed out that the virus can only get to a computer if the digital frame is connected. The frames connect to PCs as well as cameras so photos can be downloaded for display. But Best Buy said cameras, USB drives and memory cards cannot be infected by the virus.

Use Up-to-Date Protection

Even if a consumer does attach a contaminated frame to a computer via a USB cable, Best Buy said, any up-to-date antivirus software, such as Norton, McAfee or Trend Micro, should be able to detect and remove the infection. It added that the units contained "an older virus which is easily identified and removed by current antivirus software."

The specific virus was not identified by either Best Buy or the manufacturer, although there are reports on the Web that it was a Trojan that could induce a crash on Windows machines.
Macintosh-owning picture lovers can rejoice, at least temporarily, because the virus only affects Windows operating systems. Similarly, Linux-based systems are also immune to this particular infection.

Virus-infected products may be the next frontier for consumer caution.

Last year, Seagate admitted that some of its 500-GB Maxtor hard drives had a Trojan house that could swipe online passwords for games, and some Apple iPods were infected with a virus in 2006. Other consumer products that have reportedly had viruses include GPS devices, digital cameras, memory cards, MP3 players and other brands of digital picture frames.

Worm fears shut down Skype video feature

Robert McMillan

San Francisco - Skype has been forced to turn off a video-sharing feature in its software because it could be misused to launch a self-copying worm attack against Skype users, security researchers said Tuesday.

A bug in the software, which was first reported last Thursday by security researcher Aviv Raff, stems from the way Skype uses an Internet Explorer component to render HTML.
Skype's video-sharing feature allows users to share videos hosted on two sites -- and -- while chatting with other Skype users.

Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user's PC. But on Tuesday, the security researcher said the flaw was more serious than he'd first thought. It can "be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application," he wrote in a blog posting, "Which basically means that this vulnerability is now wormable."

Skype appeared to have pulled the video feature from its client software on Tuesday as a result of the bug. Users who attempted to click on the "videos" button within a chat window were greeted with a message that the feature was unavailable "because of some security concerns."
"Our brightest engineers are rattling their wrenches to make things all right and bring the beloved videos back. Soon," the message read. "Sorry about this."

Skpe representatives did not return calls seeking comment. Last week, Skype spokesman Villu Arak confirmed that there was a security problem for Skype 3.5 and 3.6 users who visited the Web site, but users were still able to share videos using
On Tuesday, however, Skype pulled the video feature altogether after being informed of the new problem, Raff said.

Because Metacafe had a cross-site scripting flaw, a common type of programming error, Raff was able to run JavaScript on, which could then be used to run unauthorized software on the victim's computer. Attackers could then forward a link to the malicious Web page to all of the Skype contacts in the victim's computer, spreading the infection.

For Raff's attack to work, an attacker would have to post a maliciously encoded video file to either of the Metacafe or Dailymotion Web sites. Metacafe said Tuesday that it's "highly unlikely" that this kind of malicious video would make it through the site's content-filtering process.

In a statement, the company said it expects Metacafe videos to be available to Skype users as early as Wednesday morning.

Raff said that because the attack could lead to a widespread worm outbreak, it would be better for Skype to fix the underlying problem before bringing Metacafe back online.

Raff believes that Dailymotion was probably susceptible to this type of attack as well, although he was unable to confirm this after Skype cut off access to the Web site.

The problem lies in the fact that Skype uses a Windows Internet Explorer component with inappropriate security settings, researchers say. Instead of processing pages it renders with the more secure "Internet Zone" security setting, Skype uses IE's "Local Zone" security setting, usually reserved for more trustworthy content.

Until Skype engineers make some changes to their software, more of these problems will continue to pop up, Raff said.

Another security researcher who has been studying the flaw agreed.
"If they keep their Skype client running in the Local Zone of IE, we will see more of these," said Petko Petkov of GNU Citizen via instant message. "Before killing Metacafe, anyone who owns the server would have been able to own every Skype user on the planet."

Apple growth will draw malware attacks

Matt Hines

San Francisco - As Apple continues to grow its worldwide market share and the company's products find their way into more business environments, attackers are certain to follow and create greater volumes of exploits aimed at vulnerabilities in the company's software, security experts contend.

According to industry analyst firm Gartner, Apple shipped just over 1 million Mac OS X-based computers during the fourth quarter of 2007, a gain of 227,000 over the fourth quarter of 2006. The analyst firm reported that Apple's U.S. market share for 2007 jumped by 28 percent compared to 2006, rising to just over 6 percent.
And with Apple CEO Steve Jobs stating at last week's Macworld Expo and Conference that the company has already sold 4 million iPhones and 5 million copies of Leopard (Mac OS X 10.5), its latest OS, since launching the products last year, the company's prospects look stronger than ever.

However, malware researchers and industry analysts warn that as the sheer number of Apple end-point devices in use worldwide rise, so will the security concerns tied to the company's products.

"It's hard to get around market share. At the end of the day, malware writers don't care what operating system you are using; it's about whether or not you have valuable information on your machine and whether there is an opportunity to take advantage of it," said David Marcus, security research manager for McAfee's Avert Labs group.
"Microsoft Windows has been targeted so aggressively because it has a much broader deployment than the Mac OS," he said. "But the malware authors watch trends just like everyone else, and they know more people are considering a move to Apple, including government institutions and businesses; if it makes financial sense to go after that opportunity at some point, they will move in that direction."

The Mac's vulnerabilitiesIn some cases, attackers will seek to exploit vulnerabilities such as currently unpatched flaws in Apple's QuickTime multimedia player application. In other cases, malware writers will use threats based more on social engineering, such as with the MacSweeper rogue cleanup tool that appeared during Macworld Expo, the researcher said.
MacSweeper serves as evidence that developers -- both credible and not -- have already begin to turn more of their attention to Apple platforms, anticipating Mac users' security fears, Marcus said. Although MacSweeper is pitched by its creators as a utility for cleaning malware programs and other unwanted software off of Mac OS computers, it has proven to do almost nothing of the sort, despite its $40 asking price.

David Maynor, chief technology officer of research and consulting firm Errata Security, said that one area where attackers may seek to assail the Mac OS is via flaws found in some of the older open source libraries of software code used in the platform.
Apple also typically lags in patching issues found in those code libraries, such as with the Samba networking protocol used in the company's Mac OS X.
Even when the Samba open source community has created a fix for a known security issue, it often takes Apple three to four months to introduce a related patch for its products, giving any attackers looking to subvert Mac systems a lengthy window of opportunity to do so, Maynor maintained.

"If someone has a list of these open source security issues in the projects included in Mac OS, they could use that against OS X users," said Maynor. "Samba is a perfect example, as there is generally a large window there."

A rise in underground malware activityMaynor said that he observed an increase in Apple-related activity in the underground malware research community last year around several previous QuickTime vulnerabilities.
"It's not that the number of Mac vulnerabilities is rising. If you look at their own security archives, you'll see that there were always a lot that were reported, but no one cared in the past," Maynor said. "One of the problems is that a lot of users buy into the misconception that Mac OS is more secure because of Apple's development process, but that's not really the case. Some people also feel that they are protected by Apple's smaller market share, but with more of these computers out there, more attention is being paid to it."

According to officials with Lumension, a software vendor that specializes in vulnerability scanning and patching, Mac OS has actually had far more security flaws reported in the last year than Microsoft Windows. Don Leatham, director of solutions and strategy at Lumension, formerly known as PatchLink, said that Mac OS X had nearly five times as many vulnerabilities reported than Windows during 2007. He noted, however, that many of those issues were considered minor, and that the Microsoft Windows security problems were notably more critical.
But Leatham agreed that publicly reported holes in Mac OS products tend to stay unaddressed longer than their Windows counterparts. "It's not always about the sheer number of exploits anyways; it's more about the speed at which real exploits are being created. That's what people will need to be worried about going forward," Leatham said. "If you get to the point where you have professional malware development kits being sold on the underground, as we have today for Windows, that's when there could be real problems for Mac. But we haven't seen any of those just yet."

Leatham added that, as with other mobile devices, Apple's iPhone has yet to see any truly dangerous malware attacks. However, when Apple releases its mobile applications development toolkit for the handhelds in February, he said it will be interesting to see if anyone tries to take advantage of the package to aim new threats at the phones.
"It would obviously still be a bigger deal if someone created a successful attack that targeted the Research in Motion BlackBerry platform, because those are the devices of choice in most businesses, but with 4 million devices sold by Apple, some of these handhelds are already finding their way into the enterprise," said Leatham. "iPhone has been considered very safe thus far because of Apple's rigorous applications white-listing approach, but we'll be curious to see the security features open to developers in the new toolkit and whether it will attract the interest of any malware writers."

Short-term safety, longer-term concernFor now, Apple users likely have little to worry about, the industry watchers agreed. Even with Apple's dramatic market share gains, the majority of its computers are being purchased by consumers, and malware professionals are more concerned with trying to exploit Windows vulnerabilities to steal valuable data from business users, experts contend.
"We're nowhere near a tipping point where, from an economic standpoint, it will be a better strategy for attackers to target Macs vs. PCs," said Andrew Jaquith, an analyst with the Yankee Group. "People who write malware for a living are professionals, they want to get the best return on investment from their work, and there are still much higher returns to be found in the Windows space.
"We will probably see some opportunistic things being developed on the Mac side as the market share numbers increase, but it's still nowhere near the epidemic we've experienced with Windows," Jaquith said. "Mac is still a safer platform, although not necessarily a more secure one."

Reached for comment, an Apple spokesman said that the company takes security "very seriously" and defended that the company has "a great track record of addressing potential vulnerabilities before they can affect users." However, the spokesman reiterated that the firm always welcomes feedback on how to improve security on the Mac.

Tuesday, December 4, 2007

Shell, Rolls Royce reportedly hacked by Chinese spies

Jeremy Kirk


San Francisco - Britain's domestic intelligence agency is warning that cybercrime perpetrated by China is on the rise following hacking attacks against Rolls-Royce and Royal Dutch Shell.

The agency, known as MI5, recently sent letters to some 300 banks, accounting and legal firms warning that "state organizations" of China were plying their networks for information, according to the Times of London on Monday.

The U.K. government refused on Monday to confirm the letters. However, the reported correspondence comes just a month after the U.K.'s top domestic intelligence officer warned of "high levels" of covert activity by at least 20 foreign intelligence agencies, with Russia and China as the most active.

"A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense," said Jonathan Evans, director general of MI5, in Manchester, U.K., on Nov. 5.

"They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the Internet to penetrate computer networks," he said.

The Times, quoting an unnamed source, reported that Rolls-Royce's network was infected with a Trojan horse program by Chinese hackers that sent information back to a remote server. Dutch Shell uncovered a Chinese spying ring in Houston, aimed at pilfering confidential pricing information for the oil giant's operations in Africa, the paper said, citing "security sources."

Representatives for both companies contacted in London on Monday did not return calls for comment.

The rise in hacking originating in China and Russia has been well-documented by security researchers. But its been harder to distinguish between state-sponsored hackers and those just operating in the same geographic region, said Graham Cluley, senior technology consultant for security firm Sophos PLC.

Some 30 percent of the malicious software created is written by Chinese, Cluley said. But about 17 percent of those programs are designed to steal the passwords of users who play online games rather than intended for industrial espionage, he said.

"It's not all James Bond," Cluley said.

Hackers are also tough to trace since they can often control networks of other computers, called botnets, which can be used to carry out commands and attacks.

Botnet investigations are time-intensive and difficult for law enforcement since the computers are often in different countries, requiring international legal cooperation.

Spying to gain an advantage over a commercial competitor is nothing new, and it's hard to definitively blame China for it, said Peter Sommer, who teaches information systems security at the London School of Economics and also wrote "The Industrial Espionage Handbook."

The job of an industrial spy has also become a lot easier with the advent of the Internet, Sommer said. About 90 of intelligence collected by agents is "open source," or already public information.

"You no longer have to get into buildings and try and meet people," Sommer said.

Public Web sites of companies are rife with e-mail addresses of employees who can be "spear-phished," or sent e-mail with a malicious software such as a keystroke logger. The hacker uses social-engineering tricks in order to get the worker to open the attachment, opening up access to a company's network.

McAfee: Vista Likely a Hacker Target in 2008

Jennifer LeClaire
News Factor Network

Windows Vista is being relegated to the doghouse again this week for being slower than XP, and security experts are warning that Vista might face more serious malware in the upcoming year.

New tests show that Windows XP, coupled with the forthcoming Service Pack 3, performs twice as well as Vista with SP1. Devil Mountain Software discovered that a preview version of SP3 for Windows XP offered a 10 percent performance boost. The software development firm said that performance gains with SP1 for Vista were negligible.

However, slower speed is one issue, security is another. Considering the probability that more businesses will begin migrating to Vista in 2008, security analysts say that the security of Microsoft's latest operating system might be a larger problem than performance.

Vista Migration Mixed with Danger?

The release of Service Pack 1 for Windows Vista is likely to accelerate the adoption rate of Redmond's latest operating system and have a corresponding impact on the bottom lines of malware writers, who have largely continued to target Microsoft's earlier operating systems. According to McAfee, if professional malware authors begin to see an impact on their businesses as Vista becomes more popular, they might expand their efforts to find holes in the new operating system.

Of course, the antivirus firm added, that doesn't mean older threats to Windows XP will disappear. It was several years after the Java vulnerability named in Microsoft Security Bulletin M503-011 was patched before exploits targeting that vulnerability fell off the list of McAfee Avert Labs top 10 threats to consumers. The old threats will persist, McAfee warned, but a new crop is on its way.

The National Vulnerability Database reported 10 Vista vulnerabilities in the first nine months after the OS was released. This compares with 16 XP vulnerabilities during the same length of time. The number of reported Windows XP vulnerabilities more than doubled in the following 12 months. If history repeats itself, McAfee cautioned, businesses can expect far more than 20 Windows Vista vulnerabilities to be reported in 2008.

2008: A Year of Security Challenges?

The way iSight Partners' Director of Global Response Ken Dunham sees it, 2008 is a significant year for Windows Vista. On the business side, he noted, 2008 marks the year when many corporations will start to consider Vista seriously.

Dunham also said that 2008 presents new opportunities for hackers who are looking for corporate assets to attack while companies migrate to Vista. "Vista contains many new important security updates but is not invulnerable to attack," Dunham argued. "Hackers are actively looking for ways to exploit Vista, Internet Explorer 7, and other new features for maximum profit."

Of course, Vista isn't the only software system facing security threats. McAfee said there's a target on Web 2.0, online gaming, and instant messaging. "Threats are increasingly moving to the Web and migrating to newer technologies such as VoIP and instant messaging," Jeff Green, senior vice president of McAfee Avert Labs, said in a statement.

"Professional and organized criminals continue to drive a lot of the malicious activity," Green said. "As they become increasingly sophisticated, it is more important than ever to be aware and secure when traversing the Web."

Google Purges Malware Sites Targeting Searchers


In response to a concerted effort by cybercriminals to infect the computers of Google users with malware and make them unwitting partners in crime, Google apparently has purged tens of thousands of malicious Web pages from its index.

In a blog post on Monday, Alex Eckelberry, CEO of Sunbelt Software, noted that many search results on Google led to malicious Web pages that expose visitors to exploits that can compromise vulnerable systems.

"We're seeing a large amount of seeded search results which lead to malware sites," said Eckelberry. "These are using common, innocent terms -- one researcher landed on a malware site through searching for alternate firmware for a router."

Sunbelt published a list of search terms that returned malicious pages, the result of search engine optimization campaigns by cybercriminals to get their pages prominently ranked in Google -- Sunbelt refers to this as "SEO poisoning." The list includes hundreds of search strings containing the words "Microsoft Excel," along with a number of other popular technology-oriented terms, products, and companies.

On Tuesday, the SANS Institute said that the number of vulnerabilities in Microsoft Office had grown by 300% from 2006 to 2007, particularly in Excel.

A Microsoft spokesperson wasn't immediately available.

Sunbelt researcher Adam Thomas in a blog post attributes the thousands of pages to a bot net designed "to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums)," in order to place prominently in Google searches for those terms.

Those duped into visiting malicious Web pages from Google search results could, if their systems are vulnerable, acquire malware known as Scam.Iwin, which is designed to use the victim's computer to defraud Google and its advertisers. "With Scam.Iwin, the victim's computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker's URLs without the user's knowledge," explained Thomas in a blog post. "The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the Internet."

Google didn't respond to a request for comment.

But it appears Google has deleted the malicious pages from its index. "Google took action on these domains and you won't find them anymore in Google," said Eckelberry.

According to Trend Micro, cybercriminals have been planning for the holiday online shopping season for months.

"Since September, cybercriminals have been boosting their search engine rankings using a variety of methods such as 'comment spam' and 'blog spam' in preparation for the Christmas period," said Raimund Genes, CTO of Trend Micro, in an e-mailed statement. "With shoppers visiting these sites likely to purchase goods online after infection, their credit card details become a main target for cybercriminals looking for financial gains this season."

Eckelberry credits the cybercriminals responsible with being particularly crafty because they attempt to conceal their malicious Web pages from certain types of searches favored by malware researchers.

See original article on