Security Watch

PCs Targeted by Hackers Every 39 Seconds

Plus Trend Micro flaw and patch, worm creator gets probation and anti-phishing methods prove ineffective.

• By Russ Cooper
• 03/12/2007

The study found that the most common criminal attempt was a brute force dictionary attack to log into the machine. "Root" was attempted 12 times as much as any other username, and the password was usually simply the username.

Successful attacks yielded common actions: The criminal would inventory the machine's configuration, change the password and then install some program -- often a backdoor.

No real surprises here. It does show that perhaps default installations should be dynamically generating a password upon install -- something which could be reported on-screen to the installer -- to avoid systems that are subject to trivial compromise while they are being set up or before the installer has a chance to harden them.

Trend Micro Anti-Virus UPX Handling Buffer Overflow Vulnerability
Trend Micro AntiVirus Scan Engine 8.3 and earlier can be exploited by a criminal to cause code of their choosing to run in the security context of the scan engine, typically the highest privileges available. An exploit could be triggered by sending a specifically formatted UPX-packed executable -- a very common format for malware. Patches are available here.

This is obviously a very serious issue since exploitation occurs while malware is being scanned. However, it serves to remind us that outright blocking of executable files is more effective than trying to scan all that are seen. By blocking executables prior to scanning, not only is the performance impact of scanning reduced, this vulnerability is largely avoided. It is also worth pointing out that vulnerabilities in anti-virus software are a prime target for malware.

MySpace Superworm Creator Gets Probation
Despite disrupting millions of consumers' Web pages on MySpace, not to mention forcing MySpacers themselves to spend hours recovering from his actions, the man responsible for the worm was sentenced to a mere three years probation and 90 days of community service by the Los Angeles Superior Court.

When is the court going to learn that such sentences will only encourage more such acts rather than act as any form of deterrent? "Samy" received his 15 minutes of fame, as was his intent, and probation is likely a small price to pay. Incarceration of any length of time is the only way to bring such criminals down from the ether of cyberspace to the solid ground of the real world, making them realize that cybercrime has physical repercussions.

Study Finds Web Anti-Fraud Measure Ineffective
A group of Harvard and MIT researchers have conducted a study to determine the effectiveness of authentication and anti-phishing measures employed by bank sites. The study focused on three key elements: HTTPS indicators, user-specified image(s) and the bank's actual login page itself. The study (PDF download here) found that neither HTTPS nor user-specified images significantly contribute to more secure online banking.

None of the study participants stopped entering their passwords because HTTPS indicators were removed. They either didn't notice they weren't present, didn't understand their meaning or didn't care.

At least 92 percent of participants entered their passwords despite site images not being present. Site images are used by some banks as a way for a user to know whether they are on the official site of the bank or a forgery. The user picks an image they want the bank to present them when they come to log in. The premise being that if the image isn't present, the site is being spoofed.

The most effective measure was placing a warning page in front of the bank's official login page. The study placed a page that indicated that the site's certificate was causing a problem for Internet Explorer. The page contained two recommended options to close the page, and a third not recommended option to continue. Of those using their own accounts, and therefore with the greatest to lose, only 37 percent proceeded to choose the not recommended option and log in.

Despite the lower number after the warning page, it is still amazing that 37 percent did continue. Clearly a large number of people have no idea at all what to look out for when doing online banking. This probably extends to an even larger extent with other activities; those involving less of a chance of personal loss. User education is critical, but so is some form of consistency.