Archive for August, 2007

First Trojan For Series 60 Users Discovered

August 13, 2007

Series 60 users beware. Kaspersky Labs has just discovered Trojan-SMS.SymbOS.Viver, which is the first Trojan for the S60 OS. It can easily be downloaded from the Net and installed on your phone without your realizing what it is, as the trojan could be labeled anything from a picture editing software to a codec of some kind.

The Viver virus has been specially designed for the S60 Smartphone OS. Once installed, it primarily sends out SMSes from your phone to premium SMS numbers, the ones that cost more than just 50 paise or 1 buck.

It’s a simple setup for the author. SMSes would be sent to a premium number that’s rented by the author, thus generating his income. So if you’re a regular download junkie of freeware from the internet for your phone, you may want to think twice. Let’s just hope the guys down at Kaspersky can come up with something to take care of Viver ASAP.

Viruses, Spyware, Phishing Cost U.S. Consumers $7 Billion Over Two Years

August 13, 2007

The survey, based on a national sample of 2,000 U.S. households with Internet access, suggests that consumers face a 25% chance of being victimized online

U.S. consumers lost $7 billion over the last two years to viruses, spyware, and phishing schemes, according to Consumer Reports’ latest State of the Net survey. The survey, based on a national sample of 2,000 U.S. households with Internet access, suggests that consumers face a 25% chance of being victimized online, which represents a slight decline from last year.

Computer virus infections, reported by 38% of respondents, held steady since last year, which Consumer Reports considers to be a positive sign given the increasing sophistication of virus attacks.

Thirty-four percent of respondents’ computers succumbed to spyware in the past six months. While this represents a slight decline, according to Consumer Reports, the odds of a spyware infection remain 1 in 3 and the odds of suffering serious damage from spyware are 1 in 11.

Phishing attacks remained flat, duping some 8% of survey respondents at a median cost of $200 per incident. And 650,000 consumers paid for a product or service advertised through spam in the month before the survey, thereby seeding next year’s spam crop.

Perversely, insecurity means money for computer makers: Computer viruses and spyware turn out to be significant drivers of computer sales. According to the study, virus infections drove about 1.8 million households to replace their computers over the past two years. And over the past six months, spyware infestations prompted about 850,000 households to replace their computers.

Insecurity means anxiety for parents. Despite efforts by social networks like Facebook and MySpace to limit their services to those 14 and older, households with minors online said that 13% of children registered on MySpace were younger than 14 and 3% were under ten.

The inability of social networks to police their sites is mirrored by the inability of many adults to police their own Internet connections. Some 33 percent of survey respondents did not use anti-spyware software. Consumer Reports estimates that 3.7 million U.S. broadband households are not using a firewall.

Consumer Reports singled out Trend Micro’s $50 security suite for excelling in every category that it tested and said that, in general, paid security software performed better than free security software. It also praised security products from Check Point and McAfee.

Beyond obvious tips like activating firewalls, shutting computers down when not in use, and exercising caution when downloading software or using public computers, Consumer Reports offered one safety tip that’s sure to inflame online passions: Consider a Mac.

“Although Mac owners face the same problems with spam and phishing as Windows users, they have far less to fear from viruses and spyware,” said Consumer Reports. “Because Macs are less prevalent than Windows-based machines, online criminals get less of a return on their investment when targeting them.”

Of course if that’s true, it becomes less so with every Mac bought.

What’s Next From Google? Perhaps Reader Search, Hosted Google Enterprise

August 13, 2007

Some new services are in the works, but there are other capabilities that Google seems wary of right now.

Google is pushing search in new directions with universal search and personalization. It’s the leader in Web search by a large margin, and doesn’t look to give up its crown anytime soon. And the company has more search tricks up its sleeves, including Google Reader search and potentially a hosted enterprise search product.

Google Reader, the company’s syndicated newsreader, is search-less today, despite significant demand for the ability to search through news feeds and other RSS subscriptions. A few hacks to search through Google Reader feeds have even popped up on the Internet. The Google Reader team “gets the message,” according to Google software engineer Matt Cutts, and Google Reader search is one of the top priorities on the team’s list.

Today, Google’s enterprise search product is a piece of integrated hardware and software. Tomorrow, it could well be a hosted service, if and when Google figures out a model that properly maintains the privacy of corporate documents. The beginnings of this are already there: Google recently released its Custom Search Engine Business Edition, an ad-free, $100 per year and up service to search corporate Web sites.

That’s just the start, though. “Just like other applications, search is a natural fit for software-as-a-service,” said Nitin Mangtani, lead product manager for Google Enterprise, in an interview. “We are a little bit further away from us crawling intranet search in a hosted service, but that’s not out of the question. You could see that coming from us.”

Another goal for Google is to make its search engine able to parse meaning in the language of queries and results. The beginnings are there: Google results can include synonyms and variations of words, but there’s much more to be done. “We really want to go into language and understand what people mean,” Cutts said. Other companies like Hakia and Powerset are currently developing search engines that use language rules to try to figure out the meaning of queries and indexed pages.

In other developments, Google is pushing heavily into personalization with products like iGoogle that let people see their own search history and have results catered to them personally. Google also recently introduced universal search, which brings back results that go beyond simple Web pages. Now, a search for Paris Hilton will return an aggregated list of images, Google Desktop results, Web results, and news about the socialite hotel heiress.

Google also has longer range plans. Google Enterprise can “cluster” results, automatically organizing them into categories. A search for Apple may come back with clusters labeled “fruit” and “computer,” for example. Don’t expect this from Google Web search in the near future, however. “We have a really pragmatic approach, if you put out a query, how long does it take for a person to get to the information, and it turns out clustering doesn’t always help with that,” Cutts said.

Tagging is another search technology of which Google seems wary. “One of the worries about tag clouds [visual depictions of multiple tags] is that whenever something gets big, inevitably people will show up to try to make money off of it by gaming the system,” said Cutts, who heads up the company’s Web spam team along with his role as search ambassador. He said that any tagging mechanism would have to be protected from spammers, for example by employing captchas — those little scrambled images of a random sequence of letters — to make sure taggers are human.

Mozilla Releases Fixes For Thunderbird Bugs

August 13, 2007

Mozilla released an update to its Thunderbird e-mail client, patching two security vulnerabilities.

Both flaws were patched in Mozilla’s browser earlier this week, with the release of Firefox 2.0.0.6. Thunderbird is getting a similar update with release 2.0.0.6 of its own.

Both vulnerabilities are related to another bug that Mozilla fixed in mid-July. That bug, rated “highly critical,” had been plaguing both Firefox and Microsoft’s Internet Explorer. After days of fervent online debate, Mozilla admitted about a week ago that Firefox was as much to blame as IE for the problem that caused dangerous data to be passed to third-party applications.

One fix — MFSA 2007-27 — takes care of an issue where Mozilla didn’t percent-encode spaces and double-quotes in URIs handed off to external programs for handling. While Mozilla’s advisory noted that the level of danger depends on the arguments that the receiving program supports, Thunderbird 2.0.0.4 and older versions could be used to run arbitrary script.

Mozilla is crediting researcher Jesper Johansson for pointing out the flaw, and Billy Rios and Nate McFeters for discovering a similar issue with URIs passed to external handlers.
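The encoding fix described for MFSA 2007-27, sketched as an added example (not Mozilla's code and not part of the original article). The handler template, function names and sample URI are constructed, and the argument splitter is a simplified model of command-line parsing.

```javascript
// Added example: every name, the handler template and the sample URI
// below are constructed for illustration.

// Percent-encode the characters MFSA 2007-27 is about (space and
// double quote), plus control characters, before a URI leaves the app.
function encodeForExternalHandler(uri) {
  return uri.replace(/[\u0000-\u0020"\u007f]/g, (ch) =>
    "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Simplified model of a command line being split into arguments:
// whitespace separates arguments unless it sits inside double quotes.
// (Real platform parsers also have backslash rules; omitted here.)
function splitCommandLine(line) {
  const args = [];
  let current = "";
  let inQuotes = false;
  let started = false;
  for (const ch of line) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (/\s/.test(ch) && !inQuotes) {
      if (started) {
        args.push(current);
        current = "";
        started = false;
      }
    } else {
      current += ch;
      started = true;
    }
  }
  if (started) args.push(current);
  return args;
}

// Hypothetical registered handler template; %1 is replaced by the URI.
const HANDLER_TEMPLATE = '"C:\\Program Files\\Example\\handler.exe" -url "%1"';

// Build the argument list the external program would receive.
function buildHandlerArgs(uri, { encode }) {
  const value = encode ? encodeForExternalHandler(uri) : uri;
  // A replacer function avoids "$" sequences in the URI being interpreted.
  return splitCommandLine(HANDLER_TEMPLATE.replace("%1", () => value));
}

// Constructed sample: a URI whose tail contains a double quote and spaces.
const SAMPLE_URI = 'mailto:user@example.com" --hypothetical-flag "x';

// Without encoding, the quote ends the quoted argument early and the
// rest of the URI is read as separate arguments by the handler.
const raw = buildHandlerArgs(SAMPLE_URI, { encode: false });

// With encoding, the whole URI stays inside one argument.
const safe = buildHandlerArgs(SAMPLE_URI, { encode: true });

console.log(raw.length, raw);
console.log(safe.length, safe);
```

A regression check for this class of bug is that the receiving program's argument count does not change with the URI's content.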

The second fix — MFSA 2007-26 — takes care of a bug that was introduced by the patch for MFSA 2007-20. The vulnerability could enable privilege escalation attacks against add-ons that create “about:blank” windows. A Mozilla researcher, called moz_bug_r_a4, is credited with reporting this bug.

Just last week, Mozilla effectively gave Thunderbird the boot. In a blog post, Mozilla CEO Mitchell Baker wrote, “We have concluded that we should find a new, separate organizational setting for Thunderbird; one that allows the Thunderbird community to determine its own destiny.”

It’s a move that Mozilla said actually is for Thunderbird’s own good. The organization is putting so much of its muscle behind the push for Firefox that Thunderbird simply hasn’t been getting the attention it needs.

Notorious Spammer And ‘Drug Kingpin’ Sentenced To 30 Years

August 13, 2007

A man who made about $24 million illegally selling pharmaceuticals online and then fled the country to avoid prosecution faces 30 years in prison.

A notorious spammer who made millions of dollars illegally selling medications online was hit with a 30-year prison sentence this week.

Christopher William Smith, 27, who ran Xpress Pharmacy, was sentenced in U.S. District Court in Minnesota, according to a court clerk in an interview. Assistant U.S. Attorney James Alexander told HackingNews that prosecutors asked for a higher sentence because Smith made a death threat against a witness’ children.

Smith was convicted last November on nine charges of conspiracy, illegal distribution of drugs, money laundering, and operating a “continuing criminal enterprise.”

Going by the nickname “Rizler,” Smith made about $24 million selling medications to customers without proper prescriptions and selling drugs without a license. During his sentencing, U.S. District Judge Michael Davis called Smith a “drug kingpin,” according to a report in the Minneapolis Star Tribune.

Court records show that in 2005, Smith fled the country and hid out in the Dominican Republic. He went on the lam just days after federal authorities executed a search warrant on his home, seizing his passport and $4.2 million in assets, including a $1.1 million house and luxury vehicles worth $1.8 million. The FBI also closed down his online operation, which employed 85 people. Soon after the search, Smith was forced to appear in federal court to face charges. He fled the country, using a false passport, a few days later.

He was eventually arrested when he flew back into the country and touched down at the Minneapolis-St. Paul International Airport.

“If anyone is in any doubt about the riches that criminal spammers can make for themselves, then they should read the story of Christopher ‘Rizler’ Smith,” said Graham Cluley, senior technology consultant for Sophos, in a written statement. “Pharmacy spammers are amongst the lowest of the low when it comes to Internet crime — not only deluging people with millions of unwanted e-mails, but also potentially putting lives at risk through dangerous medications. The authorities should be applauded for finally bringing this spam king to justice.”

The Star Tribune also reported that Smith discussed with a cohort ways to shut up a witness by threatening her children’s lives. “It’s a kill-or-be-killed world,” Smith reportedly said. The newspaper also reported that Smith told the judge that he was not serious in the phone call and blamed his comments on a bipolar disorder.

This past May, the feds arrested the man dubbed the “spam king.” Robert Alan Soloway, 27, the owner of Newport Internet Marketing Corp. of Seattle, is looking at five counts of identity theft, mail fraud, wire fraud, fraud in connection with e-mail, and money laundering. If convicted on all the charges, he could face up to 75 years in prison.

Mozilla Delivers Security Tools, Previews Firefox 3 At Black Hat

August 13, 2007

Now Mozilla is making its JavaScript fuzzer available to anyone who wants to use it, and it’ll be followed later this year by fuzzers for the HTTP and FTP protocols.

Browser security has long been criticized as a flawed construct, but that hasn’t stopped browsers from being the default interface for most of the Web’s users.

In a bid to improve browser security, both within Firefox and among competing browsers, the Mozilla Foundation Thursday announced several open-source security testing tools, in addition to several security enhancements coming with Firefox 3, scheduled for availability by the end of the year.

Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of which were exploitable.

Now Mozilla is making that JavaScript fuzzer available to anyone who wants to use it, and it’ll be followed later this year by fuzzers for the HTTP and FTP protocols.

“The FTP and HTTP protocol fuzzers act like fake servers that send bad data to sites,” Snyder told HackingNews. The HTTP fuzzer emulates an HTTP server to test how an HTTP client handles unexpected input. The FTP fuzzer likewise tests how an FTP client handles unexpected data.

Mozilla worked with Microsoft, Apple, and Opera before making the JavaScript fuzzer widely available in order to reduce the possibility that the tool might be used to expose vulnerabilities in those browsers. All of these browser vendors reviewed the tool and let Mozilla know that they were okay with the release, Snyder said.

Mozilla’s presentation also included a look at some of the new security features for Firefox 3. Expect Firefox 3 to include new phishing and malware protection, extended validation certificates, improved password management, and a security user interface. Knowing that Web users rarely look at the symbols and other information located around the perimeter of the browser page, also known as the chrome, Firefox 3 is designed to make sure that suspected Web forgeries aren’t missed, “even though users don’t look for them,” Mozilla Project co-founder Mike Shaver said Thursday at Black Hat.

In some cases Firefox 3 will not only issue a warning that a site is unsafe, it will prevent the user from accessing that site, “so the users can’t just ignore the warnings,” Shaver said. “This feature is not without controversy of course.”

Mozilla’s Black Hat announcements follow the release earlier this week of Firefox 2.0.0.6, designed to fix vulnerabilities that could allow the Firefox browser to pass dangerous data to third-party applications like Microsoft’s Internet Explorer. Mozilla’s new workarounds and patches come just a few weeks after the organization delivered Firefox 2.0.0.5, which included patches for several other vulnerabilities.

The company is hoping this proactive approach to security will alleviate the need for such incremental browser updates.

Number Of Hackers Attacking Banks Jumps 81%

August 13, 2007

Hackers no longer need to be technical wizards to set up an operation to steal people’s banking information and then rob their accounts.

The number of hackers attacking banks worldwide jumped 81% from last year, according to figures released at the Black Hat security conference Thursday. Researchers from SecureWorks also reported that hackers going after the company’s credit-union clients increased by 62% from last year.

So why are there so many more hackers this year than last? Joe Stewart, a senior security researcher at SecureWorks, told HackingNews that highly technical and savvy hackers are no longer the only ones in the game.

Hackers no longer need to be technical wizards to set up an operation to steal people’s banking information and then rob their accounts or sell their identifying information to an even bigger cybercriminal. Hacking toolkits and malware are for sale in the online underground. All hackers need are basic technical skills and the knowledge of where to go to buy what they can’t build themselves.

“You go to a Web site and pay $100 to several hundred dollars, and you can buy a turnkey exploit package,” said Stewart. “You can buy the malware too, and then you’re in business. You put these components up on a Web site and immediately start infecting people. All you really need to know how to do at this point is set up a Web site.”

This new ease-of-use is evident in the numbers.

SecureWorks reported that between June 2006 and December 2006, they blocked attacks from about 808 hackers per bank per month. From the beginning of this year through June, there’s been an average of 1,462 hackers launching attacks at each of the company’s bank clients. As for the credit unions, SecureWorks reported blocking attacks from 1,110 hackers per credit union per month. That number rose to 1,799 this year.

“The amount of stolen financial data we have found since the first of the year has been daunting,” said Don Jackson, a security researcher with SecureWorks and the discoverer of the Gozi and Prg Trojans. “With the Gozi, Prg, and BBB Trojans alone, we found millions of dollars of data sitting in their stolen repositories. These data caches contained thousands of bank-account and credit-card numbers, Social Security numbers, online payment accounts, and user names and passwords, and we’re finding new caches of stolen data every day — evidence that more and more criminals are getting into the game.”

RSA, the security arm of EMC, reported earlier this year finding a new and more dangerous phishing toolkit that made online fraud a point-and-click process. Researchers said it was a bad omen for consumers. The kit, which RSA dubbed “Universal Man-in-the-Middle Phishing Kit,” was being sold for about $1,000 on various hacker sites, according to RSA executive Marc Gaffan.

Microsoft Readies Patches For Windows Vista, IE Bugs

August 13, 2007

In next week’s Patch Tuesday release, Microsoft will release six bulletins that contain fixes for critical bugs and another three that patch flaws with a top rating of important.

Microsoft announced Thursday that it will be releasing nine security bulletins next Tuesday to patch bugs in Windows Vista, Internet Explorer, and Visual Basic.

In its monthly Security Bulletin Advance Notification, Microsoft announces how many security updates or bulletins will be released the next week, but does not go so far as to say how many vulnerabilities will be patched.

The advisory did note that six of the bulletins will contain fixes for critical bugs and three of them will patch flaws that are given a security risk rating of ‘important’ and under.

Six of the bulletins affect Microsoft Windows. Five of them have a maximum security rating of critical, meaning that at least one of the flaws being fixed is rated as “critical”, and one has a maximum rating of important. One bulletin, which has a maximum rating of important, affects Microsoft’s new and highly touted Windows Vista. That vulnerability could allow remote code execution, according to the advance notification.

One of the bulletins affects Visual Basic, and two affect Internet Explorer. The IE bugs both cause remote code execution. One bulletin, which has a critical security rating, affects Microsoft Office and also concerns remote code execution. Other bulletins affect XML Core Services, Office for Mac, Virtual PC and Virtual Server.

In Microsoft’s monthly Patch Tuesday release last month, the software company issued six security bulletins, patching 11 vulnerabilities.

Security researchers warned IT managers to patch all of the bugs that were fixed in the July release, but to turn their immediate attention to two vulnerabilities in Active Directory implementations in Windows 2000 Server and Windows 2003 Server. Amol Sarwate, manager of vulnerability research lab at Qualys, called this the most important of the 11 bugs that Microsoft patched last month.

Mozilla Aims To Warn Users About Dangerous Sites

August 13, 2007

The next version of Firefox will identify malware on Web sites and make users stop and think about it.

With the number of malicious Web pages mushrooming over the past several months, the Mozilla Foundation is looking to help users defend themselves. Window Snyder, who is Mozilla’s “chief security something-or-other,” says the company is taking a two-pronged approach.

First, Mozilla developers are working on giving Firefox 3.0, the next version of the open source browser due later this year, the ability to detect malicious code on Web sites that users are trying to access. “In Firefox 2, there’s no mechanism that identifies if malware is present,” says Snyder.

Users won’t ignore this warning, vows Window Snyder.

Second, developers are working on creating an interface that will warn users that the pages they’re trying to call up are dangerous. “We don’t want to just pop up an alert that gives them an OK or cancel option,” says Snyder. “We want to create a warning that users won’t mistake. … It’s going to be a different kind of warning, and it’s not going to be a click-through.”

Security company Sophos reported last month that the number of malicious Web sites has skyrocketed over the past few months, from 5,000 new ones a day in April to nearly 30,000 a day in early July. One reason, according to Sophos researchers, is that hackers are increasingly turning away from e-mail as their preferred method of spreading malware and putting their focus on malicious sites. In some cases, they’re creating their own sites, but in most cases they’re hacking into legitimate sites and embedding malware into them.

The mock-up of the alert appears as a red-letter warning that doesn’t have a click-through option, and the malicious page wouldn’t be able to load. It’s still a work in progress, and it could change dramatically before Firefox 3.0 ships, Snyder says. Technicians are debating whether there should be an override mechanism that lets users go to malicious pages regardless of the danger.

One of the most difficult aspects of implementing something like this is making sure the interface communicates clearly to the user, that it’s “the sort of thing users won’t be able to sail through without a real context change,” Snyder says.

Mozilla programmers are rewriting a lot of the Firefox code for the upcoming version release, Snyder says. They’re replacing much of the older code to increase performance and make the code base more modular, able to handle new security threats like phishing. In a previous interview, Snyder said some of the browser’s components that are written in native code are being rewritten in managed code to reduce memory management flaws, like buffer overflow vulnerabilities. Managed code executes in a virtual machine, so there’s less space for memory management problems.

10 DAYS

Meanwhile, Mozilla faced another security-related issue recently, one of its own making. An executive appeared to suggest the company could patch any known security vulnerability within 10 days. Snyder, who was quick to try to clear up what Mozilla says was a muddled message, says on her blog that Mozilla doesn’t set such parameters: “We do not think security is a game, nor do we issue challenges or ultimatums.”

That’s not what it sounded like at the Black Hat security conference two weeks ago in Las Vegas. Mike Shaver, director of ecosystem development at Mozilla, passed a business card to security researcher Robert Hansen, known as RSnake, with “ten [expletive] days” written on it. Hansen wrote on his blog that Shaver was claiming that, with responsible disclosure, Mozilla could patch any critical hole in that amount of time. Wrote Hansen, “I told him I would post his card–and he didn’t flinch. No, he wasn’t drunk. He’s serious.”

Snyder says Shaver meant that, since Mozilla got a recent security update out in only 10 days, there’s no reason security researchers should post details of a vulnerability before a patch is available. But security bloggers pounced on what sure sounded like a challenge. Admits Snyder, “His statement has taken on a life of its own.”

Google Acquires Web Security Firm

August 13, 2007

Web search giant Google has bought Internet security company GreenBorder Technologies in order to protect its e-mail and search engine users from malicious or unwanted computer code.

GreenBorder, a Californian company, offers security software that sets up temporary, virtual sessions each time a computer user surfs the Web. It then discards the resulting data once the user has finished surfing. The software allows technicians to insulate corporate networks so that malicious code hidden inside e-mail, instant messages or Web sites is automatically detected and contained.

The software runs Firefox and Internet Explorer in this protected environment, and does the same for downloaded and e-mailed documents.

Industry analysts are speculating on how Google would incorporate GreenBorder into its portfolio. While some are of the opinion that Google will make it a free download for its users and add it to Google Pack, others think the software may become a part of Google Apps or Google Desktop.

Google has not disclosed any details on the deal, or how it plans to use the software.