A new rootkit that overwrites an infected PC's master boot record is making the rounds. According to Oliver Friedrichs, Symantec's security response team director, the rootkit executes before the operating system loads, which makes it undetectable by most antivirus programs. The rootkit also installs a Trojan that steals bank account information. The rootkit installs after users visit compromised Web sites.
Competition is spicing up the botnet world. The operators of Nugache, a worm originally designed for chat protocols, are adding new features and offering price discounts in an effort to challenge the Storm worm's dominance. Nugache is now available with encryption, a rootkit, and the ability to spread via Web-based malware. Paul Henry, Secure Computing's vice president of technology evangelism, says botnet operators are lowering their prices as well. "It's creating a bargain basement for spam," he says.
In December, attackers broke into geeks.com, a Web site devoted to selling computer manufacturers' excess inventory and closeouts, and stole the names, addresses, and Visa credit-card numbers of customers. The site boasted a "Hacker Safe" seal from security vendor ScanAlert. Nigel Ravenhill, a ScanAlert spokesperson, says the site had the seal pulled for failing to meet the security vendor's security requirements several times in the past year. "Preliminary evidence uncovered while investigating this matter suggests that the breach most likely occurred during one of these periods," he says. The Web site has brought in an outside security firm to determine how the breach occurred.
Security researchers have pinpointed an automated SQL injection attack as the culprit behind a mass Web site hack that has hit tens of thousands of sites, including sites with .edu and .gov domains and several security vendors' CA pages. The attack attempts to exploit unpatched vulnerabilities and hijack users' PCs after they've visited infected sites.
Aviv Raff, a security researcher, unveiled a Firefox spoofing flaw that could let attackers steal passwords and usernames. Raff says the vulnerability is in how the browser handles single quotation marks and spaces in an authentication header's "realm" value. "This makes it possible for an attacker to create a specially crafted realm value which will look as if the authentication dialog came from a trusted site," he says. In a posting on his blog, Raff offers two possible attack scenarios; a YouTube video is also available, showing a spoof of Google's Checkout system.
Kaspersky Labs has identified a Windows-based Trojan—Trojan-Downloader.Win32.Diehard—that has exploded on the malware scene with a vengeance. After being introduced in mid-December, the Trojan and its variants grabbed the second, fourth, and seventh spots on Kaspersky Labs' top virus list for the month. The security vendor says that after only a few days, the Trojan constituted roughly 80 percent of all malicious traffic for December.
Within hours of the assassination of Pakistani Prime Minister Benazir Bhutto, attackers were using the news to lure users into downloading malware. Users drawn to sites looking for video of the assassination were tricked into downloading a video codec that was, in fact, a Zlob Trojan variant. Other sites bypassed the phony codec angle and tried to directly install malware via an ActiveX vulnerability that Microsoft issued a patch for in 2006.
The US Department of State's decision to use vicinity-read RFID technology in passport cards has raised concerns from privacy advocates. As part of a homeland security initiative—the Western Hemisphere Travel Initiative (WHTI)—passport cards will be used for US residents who frequently travel between the US and Canada, Mexico, and the Caribbean and don't have passports. Vicinity-read technology will let border and customs officials read the cards' information from roughly 20 to 30 feet away, reducing wait time at the border. However, Ari Schwartz, deputy director at the Center for Democracy and Technology (CDT), says the technology is less secure than the proximity-read RFID technology used in e-passports. The vicinity-read RFID passport cards can be read from a distance, without consent or notice, and information is transmitted without encryption. "[Y]ou have a situation where you are sending out identity information in the clear over a long distance," Schwartz says. The US Department of State says the passport cards won't carry identity information but rather a unique identifying number that border agents will use to access personal information on a secure system. However, the CDT says the passport cards' identification number is in itself personal information because it corresponds directly to a database file that contains personal information.
The UK is reeling from a series of privacy data breaches due to lost discs. In November, Her Majesty's Revenue and Customs (HMRC) office lost the personal and financial information of 25 million individuals. In a one-week span in December, Britain's Driving Standards Agency lost the names and addresses of 3 million individuals, and the HMRC announced it had lost the personal information of more than 6,500 pensioners.
The US Federal Bureau of Investigation (FBI) is building the world's largest biometrics database. The project, dubbed Next Generation Identification, aims to collect biometric information and store it in a single database for forensic purposes. In addition, the agency will also keep the fingerprints of employees who have undergone criminal background checks for employers who request it. The FBI has already started to collect digital images of faces, fingerprints, and palm patterns.
Two years ago, the Chinese government issued an order that required all Chinese computer manufacturers to include a legitimate pre-installed operating system on PCs before they leave the factory. According to a study released by the Business Software Alliance and marketing analysis firm IDC in December, the piracy rate in China dropped to 82 percent in 2006 from 90 percent in 2004. Microsoft appears to be benefiting from the effort, reporting that roughly US$164 million of its $822 million revenue gain for the third quarter of 2007 was from antipiracy improvements.
In January, the Transglobal Secure Collaboration Program (TCSP) published a secure email standard that will let private-sector companies and government agencies communicate with each other securely. TCSP lists among its members the UK Ministry of Defense (MOD), the US Defense Department (DoD), Boeing, Lockheed Martin, and the Dutch government. The standard, dubbed Secure E-Mail, uses off-the-shelf email products and open source software; CertiPath acts as the certificate authority. MOD plans to use Secure E-Mail on desktops across its organization this year, and the DoD plans to test the standard this year with other TCSP companies.
The Chaos Computer Club (CCC) is seeking an injunction to stop the use of e-voting machines in state elections to be held in late January. The CCC says the government lacks the technical knowledge to ensure the accuracy of the voting machines and the software used on them. A court date for the injunction hearing hasn't been set, but CCC spokesman Frank Rieger expects a decision before the elections.
In December, the US Department of Defense, NASA, and the General Services Administration proposed an interim rule requiring federal agencies to buy energy-efficient PCs and monitors constructed with reduced levels of toxic chemicals. The rule establishes the government's use of the Electronic Product Environmental Assessment Tool (EPEAT), a rating system that classifies tech equipment on environment-friendly criteria. To receive a bronze rating, products must conform to 23 of the 51 conditions; silver and gold ratings require stricter standards, such as requiring that at least 90 percent of the system's materials be recyclable or that its batteries be free of lead, cadmium, and mercury. Dell offers six products with gold ratings and 72 with silver ratings, HP has one gold-rated desktop and 73 silver-rated products, and Apple has 17 silver-rated products.
In January, a new federal rule went into effect in the US that prohibits air passengers from carrying extra lithium batteries in their checked luggage. The rule doesn't affect travelers' ability to carry laptops or digital cameras with lithium batteries already installed. The US Department of Transportation (DOT) says passengers must put extra batteries in plastic bags and carry them on the plane as hand luggage. Each passenger is limited to two lithium batteries. The DOT says the rules were put in place to limit the risk of fires during flights.
In January, Network Solutions, a domain name registrar, started a new policy that has critics accusing it of front running—a practice in which scammers track domain name searches and register them in the hope of selling them to the original searchers at inflated prices. Network Solutions' new policy snatches up domain name searches done through its site and registers them for four days, preventing the original customers from registering the names. The policy, critics say, keeps customers from registering with lower-cost registrars. Network Solutions spokeswoman Susan Wade says the practice is to prevent front running by keeping scammers from snatching up domain names before the original searchers. For the time being, the company has no plans to change its policy.