Monthly Archives: July 2012

EU to Banks: Assume All PCs Are Infected

July 12, 2012

An agency of the European Union created to improve network and data security is offering some blunt, timely and refreshing advice for financial institutions as they try to secure the online banking channel: “Assume all PCs are infected.”

The unusually frank perspective comes from the European Network and Information Security Agency, in response to a recent “High Roller” report (PDF) by McAfee and Guardian Analytics on sophisticated, automated malicious software strains that are increasingly targeting high-balance bank accounts. The report detailed how thieves using custom versions of the ZeuS and SpyEye Trojans have built automated, cloud-based systems capable of defeating multiple layers of security, including hardware tokens, one-time transaction codes, even smartcard readers. These malware variants can be set up to automatically initiate transfers to vetted money mule or prepaid accounts, just as soon as the victim logs in to his account.

Microsoft Patches Zero-Day Bug & 15 Other Flaws

July 10, 2012

Microsoft today issued a security patch to fix a zero-day vulnerability in Windows that hackers have been exploiting to break into vulnerable systems. The company also addressed at least 15 other flaws in its software, and urged customers to quit using the desktop Sidebar and Gadget capabilities offered in Windows 7 and Windows Vista.

Plesk 0Day For Sale As Thousands of Sites Hacked

July 10, 2012

Hackers in the criminal underground are selling an exploit that extracts the master password needed to control Parallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms. The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to Plesk installations.

How to Break Into Security, Grossman Edition

July 9, 2012

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

Court Ruling Could Be Boon to Cyberheist Victims

July 6, 2012

A decision handed down by a federal appeals court this week may make it easier for small businesses owners victimized by cyberheists to successfully recover stolen funds by suing their bank.

The U.S. Federal Court of Appeals for the First Circuit has reversed a decision from Aug. 2011, which held that Ocean Bank (now People’s United) was not at fault for a $588,000 cyberheist in 2009 against one of its customers — Patco Construction Co. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but it encouraged both parties to settle the matter out of court.

New Java Exploit to Debut in BlackHole Exploit Kits

July 5, 2012

Malicious computer code that leverages a newly-patched security flaw in Oracle’s Java software is set to be deployed later this week to cybercriminal operations powered by the BlackHole exploit pack. The addition of a new weapon to this malware arsenal will almost certainly lead to a spike in compromised PCs, as more than 3 billion devices run Java and many of these installations are months out of date.

Who Says Email Is Eating at Postal Revenues?

July 3, 2012

Shadowy online businesses that sell knockoff prescription drugs through spam and other dodgy advertising practices have begun relying more heavily on the U.S. Postal Service to deliver prescription drugs to buyers in the United States direct from warehouses or mules within the U.S. The shift comes as rogue online pill shops are seeking ways to lower shipping costs, a major loss leader for most of these operations.

Traditionally, a majority of the counterfeit pills advertised and sold to Americans online have shipped from India. But the process of getting the pills from India to customers in the United States is so expensive and fraught with complications that it has proved to be a big cost center for the largest rogue pharmaceutical operations, according to a study I wrote about last month.

How to Break Into Security, Schneier Edition

July 2, 2012

Last month I published the first in a series of advice columns for people who are interested in learning more about security as a craft or as a profession. In this second installment, I asked noted cryptographer, author and security rock star Bruce Schneier for his thoughts.

I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.