Archive for the ‘E-Mail’ Category

IT Consulting Case Studies: Microsoft SharePoint Server for CMS

Friday, February 14th, 2014

Gyver Networks recently designed and deployed a Microsoft SharePoint Server infrastructure for a financial consulting firm servicing banks and depository institutions with assets in excess of $200 billion.

Challenge:  A company specializing in regulatory compliance audits for financial institutions found themselves inundated by documents submitted via inconsistent workflow processes, raising concerns regarding security and content management as they continued to expand.

With many such projects running concurrently, keeping up with the back-and-forth flow of multiple versions of the same documents became increasingly difficult.  Further complicating matters, the submission process consisted of clients sending email attachments or uploading files to a company FTP server, then emailing to let staff know something was sent.  Other areas of concern included:

  • Security of submitted financial data in transit and at rest, as defined in SSAE 16 and 201 CMR 17.00, among other standards and regulations
  • Secure, customized, compartmentalized client access
  • Advanced user management
  • Internal and external collaboration (multiple users working on the same documents simultaneously)
  • Change and version tracking
  • Comprehensive search capabilities
  • Client alerts, access to project updates and timelines, and feedback

Resolution: Gyver Networks proposed a Microsoft SharePoint Server environment as the ideal enterprise content management system (CMS) to replace their existing processes.  Once deployed, existing archives and client profiles were migrated into the SharePoint infrastructure designed for each respective client and, seamlessly, the company was fully operational and ready to go live.

Now, instead of an insecure and confusing combination of emails, FTP submissions, and cloud-hosted, third-party management software, they are able to host their own secure, all-in-one CMS on premises, including:

  • 256-bit encryption of data in transit and at rest
  • Distinct SharePoint sites and logins for each client, with customizable access permissions and retention policies for subsites and libraries
  • Advanced collaboration features, with document checkout, change review and approval, and workflows
  • Metadata options so users can find what they’re searching for instantly
  • Client-customized email alerts, views, reporting, timelines, and the ability to submit requests and feedback directly through the SharePoint portal

The end result?  Clients of this company are thrilled to have a comprehensive content management system that not only saves them time and provides secure submission and archiving, but also offers enhanced project oversight and advanced-metric reporting capabilities.

The consulting firm itself experienced an immediate increase in productivity, efficiency, and client retention rates; they are in full compliance with all regulations and standards governing security and privacy; and they are now prepared for future expansion with a scalable enterprise CMS solution that can grow as they do.

Contact Gyver Networks today to learn more about what Microsoft SharePoint Server can do for your organization.  Whether you require a simple standalone installation or a more complex hybrid SharePoint Server farm, we can assist you in planning, deploying, administration, and troubleshooting to ensure you get the most out of your investment.

Change your passwords: Comcast hushes, minimizes serious hack

Tuesday, February 11th, 2014

Are you a Comcast customer? Please change your password.

On February 6, NullCrew FTS hacked into at least 34 of Comcast’s servers and published a list of the company’s mail servers and a link to the root file with the vulnerability it used to penetrate the system on Pastebin.

Comcast, the largest internet service provider in the United States, ignored news of the serious breach in press and media for over 24 hours — only when the Pastebin page was removed did the company issue a statement, and even then, it only spoke to a sympathetic B2B outlet.

During that 24 hours, Comcast stayed silent, and the veritable “keys to the kingdom” sat out in the open internet, ripe for the taking by any malicious entity with a little know-how around mail servers and selling or exploiting customer data.

Comcast customers have not been told to reset their passwords. But they should.

Once NullCrew FTS openly hacked at least 24 Comcast mail servers, and the recipe was publicly posted, the servers began to take a beating. Customers in Comcast’s janky, hard-to-find, 1996-style forums knew something was wrong, and forum posts reflected the slowness, the up and down servers, and the eventual crashing.

The telecom giant ignored press requests for comment and released a limited statement on February 7 — to Comcast-friendly outlet, broadband and B2B website Multichannel News.

The day-late statement failed to impress the few who saw it, and was criticized for its minimizing language and weak attempt to suggest that the breach had been unsuccessful.

From Comcast’s statement on Multichannel’s post No Evidence That Personal Sub Info Obtained By Mail Server Hack:

Comcast said it is investigating a claim by a hacker group that claims to have broken into a batch of the MSO email servers, but believes that no personal subscriber data was obtained as a result.

“We’re aware of the situation and are aggressively investigating it,” a Comcast spokesman said. “We take our customers’ privacy and security very seriously, and we currently have no evidence to suggest any personal customer information was obtained in this incident.”

Not only is there a high probability that customer information was exposed — because direct access was provided to the public for 24 hours — but the vulnerability exploited by the attackers was disclosed and fixed in December 2013.

Just not by Comcast, apparently.

Vulnerability reported December 2013, not patched by Comcast

NullCrew FTS used the unpatched security vulnerability CVE-2013-7091 to open what was essentially an unlocked door, giving anyone access to usernames, passwords, and other sensitive details from Comcast’s servers.

NullCrew FTS used a Local File Inclusion (LFI) exploit to gain access to the Zimbra LDAP and MySQL database — which houses the usernames and passwords of Comcast ISP users.

“Fun Fact: 34 Comcast mail servers are victims to one exploit,” tweeted NullCrew FTS.

If you are a Comcast customer, you are at risk: All Comcast internet service includes a master email address.

Even if a customer doesn’t use Comcast’s Xfinity mail service, every Comcast ISP user has a master email account with which to manage their services, and it is accessible through a “Zimbra” webmail site.

This account is used to access payment information, email settings, user account creation and settings, and any purchases from Comcast’s store or among its services.

With access to this master email address, someone can give up to six “household members” access to the Comcast account.

NullCrew taunted Comcast on Twitter, then posted the data on Pastebin and taunted the company a little bit more.

Because there were “no passwords” on the Pastebin, some observers believed — incorrectly — that there was no serious risk for exploitation of sensitive customer information.

NullCrew FTS: 2 — big telecoms: 0

On the first weekend of February 2014, NullCrew FTS took credit for a valid hack against telecom provider Bell Canada.

In the first strike of what looks like it’ll be a very successful campaign to cause pain and humiliation to big telecoms, NullCrew FTS accessed and exposed more than 22,000 usernames and passwords, and some credit card numbers belonging to the phone company’s small business customers.

Establishing a signature game of cat and mouse with clueless support staff, NullCrew FTS contacted Bell customer support two weeks before its disclosure.

Like Comcast’s robotic customer service responses to NullCrew FTS on Twitter, Bell’s support staff either didn’t know how to report the security incident upstream, had no idea what a hacking event was, or didn’t take the threat seriously.

Bell also tried to play fast and loose with its accountability in the security smash and grab; it acknowledged the breach soon after, but blamed it on an Ottawa-based third-party supplier.

However, NullCrew FTS announced the company’s insecurities in mid January with a public warning that the hackers had issued to a company support representative about the vulnerabilities.

NullCrew FTS followed up with Bell by posting a Pastebin link on Twitter with unredacted data.

Excerpt from zdnet.com

Crackdown successfully reduces spam

Friday, December 6th, 2013

Efforts to put an end to e-mail phishing scams are working, thanks to the development of e-mail authentication standards, according to a pair of Google security researchers.

Internet industry and standards groups have been working since 2004 to get e-mail providers to use authentication to put a halt to e-mail address impersonation. The challenge was both in creating the standards that the e-mail’s sending and receiving domains would use, and getting domains to use them.

Elie Bursztein, Google’s anti-abuse research lead, and Vijay Eranti, Gmail’s anti-abuse technical lead, wrote that these standards — called DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) — are now in widespread use.

“91.4 percent of nonspam e-mails sent to Gmail users come from authenticated senders,” they said. By ensuring that the e-mail has been authenticated, the standards have made it easier to block the billions of annual spam and phishing attempts.

While social media gets all the buzz, the statistics they shared tell the story of the enormous use of e-mail and the challenges in preventing e-mail address fraud.

More than 3.5 million domains that are active on a weekly basis use the SPF standard when sending e-mail via SMTP servers, which accounts for 89.1 percent of e-mail sent to Gmail.

More than half a million e-mail sending and receiving domains that are active weekly adopted the DKIM standards, which accounts for 76.9 percent of e-mails received by Gmail.

Another 74.7 percent of all incoming e-mail to Gmail accounts is authenticated using both DKIM and SPF standards, and more than 80,000 domains use e-mail policies that allow Google to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard to reject “hundreds of millions” of unauthenticated e-mails per week.

The pair cautioned domain owners to make sure that their DKIM cryptographic keys were 1024 bits, as opposed to the weaker 512-bit keys. They added that owners of domains that never send e-mail should use DMARC to create a policy that identifies the domain as a “non-sender.”
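The two pieces of guidance above (DKIM keys of at least 1024 bits, and a "non-sender" policy for domains that never send mail) can be checked mechanically from a domain's TXT records. The following is an added example, not code from the article or from Google: it parses constructed SPF, DMARC and DKIM records, walks the DER-encoded RSA public key in the DKIM `p=` tag to measure the modulus, and reports the weaknesses the researchers warn about. The sample domains and key moduli are constructed for the example and are not real keys.

```python
import base64
import re


def _der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# rsaEncryption OID (1.2.840.113549.1.1.1) followed by NULL parameters
_RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")


def make_rsa_spki(modulus, exponent=65537):
    """Build a DER SubjectPublicKeyInfo so sample DKIM records can be
    constructed in code. The moduli used below are NOT real RSA keys."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, _der(0x30, _RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_key))


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der)        # outer SEQUENCE
    _, _alg, pos = _read_tlv(spki)            # AlgorithmIdentifier, skipped
    tag2, bits, _ = _read_tlv(spki, pos)      # BIT STRING holding RSAPublicKey
    tag3, rsa_key, _ = _read_tlv(bits[1:])    # bits[0] is the unused-bit count
    tag4, modulus, _ = _read_tlv(rsa_key)     # first INTEGER is the modulus
    if (tag, tag2, tag3, tag4) != (0x30, 0x03, 0x30, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(modulus, "big").bit_length()


def parse_tags(record):
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def audit_domain(spf=None, dmarc=None, dkim=None):
    """Check a domain's TXT records against the guidance in the article.
    Returns a list of findings; an empty list means the domain passes."""
    findings = []
    if spf is None:
        findings.append("SPF: no record, so forged senders cannot be rejected")
    elif spf.split()[-1] not in ("-all", "~all"):
        findings.append("SPF: does not end in -all/~all, so unknown senders pass")
    if dmarc is None:
        findings.append("DMARC: no record, so receivers have no policy to enforce")
    elif parse_tags(dmarc).get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
    if dkim is not None:
        p = re.sub(r"\s+", "", parse_tags(dkim).get("p", ""))
        if not p:
            findings.append("DKIM: empty p= means the selector is revoked")
        else:
            bits = rsa_modulus_bits(base64.b64decode(p))
            if bits < 1024:
                findings.append(f"DKIM: {bits}-bit key is below the 1024-bit minimum")
    return findings


# Constructed sample records (not real domains or keys).
_KEY_1024 = base64.b64encode(make_rsa_spki((1 << 1023) | 1)).decode()
_KEY_512 = base64.b64encode(make_rsa_spki((1 << 511) | 1)).decode()

SAMPLES = {
    # A domain that never sends mail: "non-sender" SPF plus DMARC reject.
    "parked.example": dict(spf="v=spf1 -all", dmarc="v=DMARC1; p=reject"),
    # A sending domain that follows the guidance.
    "good.example": dict(spf="v=spf1 mx -all",
                         dmarc="v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example",
                         dkim=f"v=DKIM1; k=rsa; p={_KEY_1024}"),
    # A domain with the weaknesses the article warns about.
    "weak.example": dict(spf="v=spf1 mx ?all", dmarc="v=DMARC1; p=none",
                         dkim=f"v=DKIM1; k=rsa; p={_KEY_512}"),
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, audit_domain(**records) or ["OK"])
```

Against live DNS the same functions apply to the TXT records at `example.org`, `_dmarc.example.org` and `<selector>._domainkey.example.org`; the key-size check here handles RSA keys only.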

Google did not immediately respond to questions about the origins of the unsecured e-mails.

Source:  CNET

IT managers are increasingly replacing servers with SaaS

Friday, December 6th, 2013

IT managers want to cut the number of servers they manage, or at least slow the growth, and they may be succeeding, according to new data.

IDC expects that anywhere from 25% to 30% of all the servers shipped next year will be delivered to cloud services providers.

In three years, 2017, nearly 45% of all the servers leaving manufacturers will be bought by cloud providers.

“What that means is a lot of people are buying SaaS,” said Frank Gens, referring to software-as-a-service. “A lot of capacity is shifting out of the enterprise into cloud service providers.”

The increased use of SaaS is a major reason for the market shift, but so is virtualization to increase server capacity. Data center consolidations are eliminating servers as well, along with the purchase of denser servers capable of handling larger loads.

For sure, IT managers are going to be managing physical servers for years to come. But, the number will be declining, based on market direction and the experience of IT managers.

Two years ago, when Mark Endry became the CIO and SVP of U.S. operations for Arcadis, a global consulting, design and engineering company, the firm was running its IT in-house.

“We really put a stop to that,” said Endry. Arcadis is moving to SaaS, either to add new services or substitute existing ones. An in-house system is no longer the default, he added.

“Our standard RFP for services says it must be SaaS,” said Endry.

Arcadis has added Workday, a SaaS-based HR management system, replaced an in-house training management system with a SaaS system, and replaced an in-house ADP HR system with a service. The company is also planning a move to Office 365, and will stop running its in-house Exchange and SharePoint servers.

As a result, in the last two years, Endry has kept the server count steady at 1,006 spread through three data centers. He estimates that without the efforts at virtualization, SaaS and other consolidations, they would have 200 more physical servers.

Endry would like to consolidate the three data centers into one, and continue shifting to SaaS to avoid future maintenance costs, and also the need to customize and maintain software. SaaS can’t yet be used for everything, particularly ERP, but “my goal would be to really minimize the footprint of servers,” he said.

Similarly, Gerry McCartney, CIO of Purdue University is working to cut server use and switch more to SaaS.

The university’s West Lafayette, Ind., campus had some 65 data centers two years ago, many of them small. Data centers at Purdue are defined as any room with additional power and specialized heavy duty cooling equipment. They have closed at least 28 of them in the last 18 months.

The Purdue consolidation is the result of several broad directions: increased virtualization, use of higher density systems, and increased use of SaaS.

McCartney wants to limit the university’s server management role. “The only things that we are going to retain on campus is research and strategic support,” he said. That means that most, if not all, of the administrative functions may be moved off campus.

This shift to cloud-based providers is roiling the server market, and is expected to help send server revenue down 3.5% this year, according to IDC.

Gens says that one trend among users who buy servers is increasing interest in converged or integrated systems that combine server, storage, networking and software. They now account for about 10% of the market, and are expected to make up 20% by 2020.

Meanwhile, the big cloud providers are heading in the opposite direction, and are increasingly looking for componentized systems they can assemble, Velcro-like, in their data centers. This has given rise to contract, or original design manufacturers (ODM), mostly overseas, who make these systems for cloud providers.

Source:  computerworld.com

Brute-force malware targets email and FTP servers

Monday, September 30th, 2013

A piece of malware designed to launch brute-force password guessing attacks against websites built with popular content management systems like WordPress and Joomla has started being used to also attack email and FTP servers.

The malware is known as Fort Disco and was documented in August by researchers from DDoS mitigation vendor Arbor Networks who estimated that it had infected over 25,000 Windows computers and had been used to guess administrator account passwords on over 6,000 WordPress, Joomla and Datalife Engine websites.

Once it infects a computer, the malware periodically connects to a command and control (C&C) server to retrieve instructions, which usually include a list of thousands of websites to target and a password that should be tried to access their administrator accounts.

The Fort Disco malware seems to be evolving, according to a Swiss security researcher who maintains the Abuse.ch botnet tracking service. “Going down the rabbit hole, I found a sample of this particular malware that was brute-forcing POP3 instead of WordPress credentials,” he said Monday in a blog post.

The Post Office Protocol version 3 (POP3) allows email clients to connect to email servers and retrieve messages from existing accounts.

The C&C server for this particular Fort Disco variant responds with a list of domain names accompanied by their corresponding MX records (mail exchanger records). The MX records specify which servers are handling email service for those particular domains.

The C&C server also supplies a list of standard email accounts—usually admin, info and support—for which the malware should try to brute force the password, the Abuse.ch maintainer said.

“While speaking with the guys over at Shadowserver [an organization that tracks botnets], they reported that they have seen this malware family bruteforcing FTP credentials using the same methodology,” he said.

Brute-force password guessing attacks against websites using WordPress and other popular CMSes are relatively common, but they are usually performed using malicious Python or Perl scripts hosted on rogue servers, the researcher said. With this malware, cybercriminals created a way to distribute their attacks across a large number of machines and also attack POP3 and FTP servers, he said.
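The pattern described above, a single password tried against the same few generic accounts (admin, info, support) from many infected machines, looks different in a mail server's logs from a single host hammering one account: each source IP makes only a handful of failed attempts, so per-IP lockouts never trigger, but the targeted account sees failures from many sources in a short window. The following is an added example, not code from the article, Abuse.ch or Arbor Networks: it parses constructed Dovecot-style pop3-login failure lines (RFC 5737 documentation addresses, not captured from a real server) and flags accounts whose failures come from several distinct sources within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED Dovecot-style pop3-login lines for this example. Four sources
# each try the generic accounts once or twice; "alice" sees a single source.
SAMPLE_LOG = """\
Sep 30 10:00:01 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
Sep 30 10:00:03 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
Sep 30 10:00:04 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1
Sep 30 10:00:09 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.1
Sep 30 10:00:11 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.1
Sep 30 10:00:20 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.250, lip=198.51.100.1
Sep 30 10:00:22 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support>, method=PLAIN, rip=203.0.113.250, lip=198.51.100.1
Sep 30 10:00:31 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.1
Sep 30 10:05:00 mx1 dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 40 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.1
Sep 30 10:06:00 mx1 dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.24, lip=198.51.100.1
"""

_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)"
)


def parse_failure(line, year=2013):
    """Return {ts, user, rip, attempts} for an auth-failure line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed 2013)."""
    m = _FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "rip": m["rip"],
            "attempts": int(m["attempts"])}


def detect_distributed_bruteforce(log_text, window=timedelta(minutes=10),
                                  min_sources=3):
    """Group failures by account and flag any account whose failures inside
    `window` come from at least `min_sources` distinct source addresses.
    Returns {account: sorted list of source IPs}."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_failure(line)
        if ev:
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):      # slide the window start
            sources = {e["rip"] for e in events[i:]
                       if e["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                alerts[user] = sorted(sources)
                break
    return alerts


def attacking_sources(alerts):
    """Union of source IPs across all flagged accounts, for a temporary
    block list or for cross-checking against FTP and webmail logs."""
    return sorted({ip for ips in alerts.values() for ip in ips})


if __name__ == "__main__":
    found = detect_distributed_bruteforce(SAMPLE_LOG)
    for account, ips in found.items():
        print(f"{account}: {len(ips)} sources {ips}")
    print("sources:", attacking_sources(found))
```

Lowering `min_sources` to 2 also flags `info` and `support` in the sample, which is the trade-off to tune against how many legitimate users share an account from several networks.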

Source:  pcworld.com

Spear phishing poses threat to industrial control systems

Tuesday, August 27th, 2013

Hackers don’t need Stuxnet or Flame to turn off a city’s lights, say security experts

While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.

Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have Supervisory Control and Data Acquisition (SCADA) systems — computer systems that monitor and control industrial processes — should make sure that their anti-phishing programs are in order, say security experts.

“The way malware is getting into these internal networks is by social engineering people via email,” Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, said in an interview.

“You send them something that’s targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it,” he said. “Then, boom, the attackers get that initial foothold they’re looking for.”

In a case study cited by Belani, he recalled a very narrow attack on a single employee working the night shift monitoring his company’s SCADA systems.

The attacker researched the worker’s background on the Internet and used the fact he had four children to craft a bogus email from the company’s human resources department with a special health insurance offer for families with three or more kids.

The employee clicked a malicious link in the message and infected his company’s network with malware. “Engineers are pretty vulnerable to phishing attacks,” Tyler Klinger, a researcher with Critical Intelligence, said in an interview.

He recalled an experiment he conducted with several companies on engineers and others with access to SCADA systems in which 26 percent of the spear phishing attacks on them were successful.

Success means that the target clicked on a malicious link in the phishing mail. Klinger’s experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.

“If it’s a common Joe or script kiddie, a company’s IDS [Intrusion Detection Systems] systems will probably catch the attack,” Klinger said. “If they’re using a Java zero-day or something like that, there would be no defense against it.”

In addition, phishing attacks are aimed at a target’s email, which are usually located on a company’s IT network. Companies with SCADA systems typically segregate them from their IT networks with an “air gap.”

That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. “Air gaps are a mess these days,” Klinger said. “Stuxnet taught us that.”

“Once you’re in an engineer’s email, it’s just a matter of cross-contamination,” he added. “Eventually an engineer is going to have to access the Internet to update something on the SCADA and that’s when you get cross-contamination.”

Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice president and CTO of McAfee’s EMEA.

“I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network,” Samani said in an interview. “The espionage attacks on IT systems would dwarf those against SCADA equipment.”

Still, the attacks are happening. “These are very targeted attacks and not something widely publicized,” said Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Work Group.

Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. “They’re looking for how it works, can a backdoor be maintained into the system so they can use it in the future,” he said.

“Most of those SCADA systems have no real security,” Jevans said. “They rely on not being directly connected to the Internet, but there’s always some Internet connection somewhere.”

Some companies even still have dial-in numbers for connection to their systems with a modem. “Their security on that system is, ‘Don’t tell anybody the phone number,’” he said.

Source:  csoonline.com

Universities putting sensitive data at risk via unsecure email

Tuesday, July 30th, 2013

Survey finds half of institutions allow naked transmission of the personal and financial data of students and parents

Colleges and universities are putting the financial and personal information of students and parents at risk by allowing them to submit such data to the school in unencrypted email.

That was a finding in a survey released Monday by Halock Security Labs after surveying 162 institutions of higher learning in the United States.

Half the institutions allowed sensitive documents to be sent to them in unencrypted emails, the survey said, while a quarter of the schools actually encouraged such transmissions.

“Typically, they do what they need to do to comply with regulations, but they’re weak on risk management and actively controlling and managing risk,” Terry Kurzynski, a partner with Halock Security Labs, said in an interview.

Security at larger universities tends to be better than at smaller schools and community colleges, he continued.

“Smaller colleges are breached all the time,” Kurzynski said. “They can’t develop the right level of security until they’ve been breached several times and someone at the president or board of trustee level says, ‘Enough is enough.’”

In addition to budget constraints, culture at universities works against solid security.

“Universities are unique because their purpose is to build and disseminate knowledge which means they must operate in a culture of openness and sharing,” said Rob Reed, worldwide education evangelist for the big data security firm Splunk.

That open culture can work against the kind of centralization needed for good security. Policies can vary from school to school within a university. “It doesn’t make a lot of sense, but a lot of these units strive to maintain a degree of autonomy,” said Larry Ponemon, founder and chairman of the Ponemon Institute.

“Each school or department can be a silo for data,” he said. “So it’s hard from a data protection point of view to have central control over information and as a result, a lot of these universities have data losses.”

Ponemon has been performing data breach studies for years and he said universities typically place in industry comparisons as some of the riskiest places for sensitive data.

Even at schools with university-wide policies requiring encryption of sensitive data, it can be tough to run a secure ship. “You’ve got all sorts of units engaging in all sorts of practices and it’s difficult in a highly distributed environment like that to police all of it,” Mike Corn, chief privacy and security officer at the University of Illinois, said in an interview.

“It’s a simple thing for someone to say in the interest of customer service, ‘Why don’t you scan that and send it to me,'” Corn added. “It isn’t that anyone is intentionally violating a policy. In an environment where you have a lot of high touch customers, it’s easy to fall back on what works easiest for the customer and not think about security implications.”

Not everyone was worried, however, by Halock’s findings. “I’m not very alarmed by what they found,” Marc Gaffan, founder of Incapsula, a cloud security company, said in an interview. “Email encryption is overkill.”

He argued that there are practical concerns when considering widespread use of encryption.

“The usability aspects around email encryption are not trivial,” Gaffan said.

Encrypting email is only a small part of the problem, he continued. “The real problem is what happens to that email when it hits the university.”

“It’s like keeping a key in the lock,” Gaffan said. “The fact that the door has a lock on it doesn’t protect it if the key is in the lock and anyone can unlock it.”

Source:  csoonline.com

Microsoft helped NSA circumvent its own encryption, report says

Friday, July 12th, 2013

Microsoft helped the U.S. National Security Agency circumvent the company’s own encryption in order to conduct surveillance on email accounts through Outlook.com, according to a report in the Guardian.

Microsoft-owned Skype also worked with U.S. intelligence agencies last year to allow them to collect video conversations through the service, according to the U.K. newspaper, citing secret documents. Microsoft also worked with the U.S. Federal Bureau of Investigation this year to allow easier access to its cloud storage service, SkyDrive, the Guardian reported.

Microsoft and Skype have both emphasized their privacy protections as a benefit of using their services. Microsoft has criticized Google’s privacy practices, saying in its Scroogled campaign that Google shares personal information on the Android mobile operating system with app developers.

Skype’s privacy policy reads: “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content.”

Microsoft, in a statement, said it follows “clear principles” when responding to government demands for customer information.

“First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes,” the company said. “Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks.”

Microsoft does not provide “any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product,” the company added. “There are aspects of this debate that we wish we were able to discuss more freely.”

The NSA routinely shares information it collects from Prism, its email and Web communications monitoring program, with the FBI and Central Intelligence Agency, the newspaper reported. One NSA document described Prism as a “team sport,” the Guardian said.

The NSA’s Prism program targets Internet communications of people outside the U.S., according to recent reports in the Guardian and other outlets. The U.S. Foreign Intelligence Surveillance Court has allowed the NSA to collect mass Internet communications when NSA officials believe that there is a 51 percent chance those communications come from outside the U.S., according to news reports.

A spokesman for the U.S. Office of the Director of National Intelligence didn’t immediately respond to a request for comments on the new report.

Source:  computerworld.com

US agency baffled by modern technology, destroys mice to get rid of viruses

Tuesday, July 9th, 2013

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering low growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a potential malware infection within the two agencies’ systems.

The NOAA isolated and cleaned up the problem within a few weeks.

The EDA, however, responded by cutting its systems off from the rest of the world—disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally-held databases.

It then brought in an outside security contractor to look for malware and provide assurances that not only were EDA’s systems clean, but also that they were impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.

EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.

The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in developing a long-term response. Full recovery took close to a year.

The full grim story was detailed in a Department of Commerce audit released last month, subsequently reported by Federal News Radio.

The EDA’s overreaction is, well, a little alarming. Although not entirely to blame—the Department of Commerce’s initial communication with EDA grossly overstated the severity of the problem (though corrected its error the following day)—the EDA systematically reacted in the worst possible way. The agency demonstrated serious technical misunderstandings—it shut down its e-mail servers because some of the e-mails on the servers contained malware, even though this posed no risk to the servers themselves—and a general sense of alarmism.

The malware that was found was common stuff. There were no signs of persistent, novel infections, nor any indications that the perpetrators were nation-states rather than common-or-garden untargeted criminal attacks. The audit does, however, note that the EDA’s IT infrastructure was so badly managed and insecure that no attacker would need sophisticated attacks to compromise the agency’s systems.

Source:  arstechnica.com

Spamhaus hacking suspect ‘had mobile attack van’

Monday, April 29th, 2013

A Dutchman accused of mounting one of the biggest attacks on the internet used a “mobile computing office” in the back of a van.

The 35-year-old, identified by police as “SK”, was arrested last week.

He has been blamed for being behind “unprecedentedly serious attacks” on non-profit anti-spam watchdog Spamhaus.

Dutch, German, British and US police forces took part in the investigation leading to the arrest, Spanish authorities said.

The Spanish interior minister said SK was able to carry out network attacks from the back of a van that had been “equipped with various antennas to scan frequencies”.

He was apprehended in the city of Granollers, 20 miles (35km) north of Barcelona. It is expected that he will be extradited from Spain to be tried in the Netherlands.

‘Robust web hosting’

Police said that upon his arrest SK told them he belonged to the “Telecommunications and Foreign Affairs Ministry of the Republic of Cyberbunker”.

Cyberbunker is a company that says it offers highly secure and robust web hosting for any material except child pornography or terrorism-related activity.

Spamhaus is an organisation based in London and Geneva that aims to help email providers filter out spam and other unwanted content.

To do this, the group maintains a number of blocklists, databases of servers known to be used for malicious purposes.

Police alleged that SK co-ordinated an attack on Spamhaus in protest over its decision to add servers maintained by Cyberbunker to a spam blacklist.

Overwhelm server

Spanish police were alerted in March to large distributed-denial-of-service (DDoS) attacks originating in Spain but affecting servers in the UK, Netherlands and US.

DDoS attacks attempt to overwhelm a web server by sending it many more requests for data than it can handle.

A typical DDoS attack employs about 50 gigabits of data per second (Gbps). At its peak the attack on Spamhaus hit 300Gbps.

In a statement in March, Cyberbunker “spokesman” Sven Kamphuis took exception to Spamhaus’s action, saying in messages sent to the press that it had no right to decide “what goes and does not go on the internet”.

Source:  BBC

Trigger word: E-mail monitoring gets easy in Office 365, Exchange

Tuesday, March 5th, 2013

It’s now simpler than ever for the boss to watch what you send in e-mail.

Exchange 2013 and Office 365 (O365) include a new feature that can peek into e-mail messages and enclosed documents and then flag them, forward them, or block them entirely based on what it finds. This sort of data loss prevention technology has become increasingly common in corporate mail systems, but its inclusion as a feature in Office 365’s cloud service makes it a lot more accessible to organizations that haven’t had the budget or expertise to monitor the e-mail lives of their employees.

As we showed in our review of the new Office server platforms, the data loss prevention feature of Microsoft’s new messaging platforms can detect things like credit card numbers, social security numbers, and other content that has no business travelling by e-mail.  Because of how simple it is to configure rules for Microsoft’s DLP and security features, administrators will also have the power to do other sorts of snooping into what’s coming and going from users’ mailboxes.

Unfortunately, depending on the mix of mail servers in your organization—or which Exchange instances you happen to hit in the O365 Azure cloud—they may not work all the time. And they won’t help defeat someone determined to steal data via e-mail.

In tests we performed with DLP and security features, we found that Exchange and O365 were pretty good at catching credit card numbers and other personally identifiable information. However, some of the rules we set for testing didn’t take for all of our users. That in part may have been because of the limited rollout of the new Exchange within Microsoft’s O365 infrastructure when we were performing the testing. When setting rules, we got a warning from the Exchange Administrative Console:

So in other words, if you’re rolling out Exchange 2013 in your organization or are using Office 365 from multiple locations, your mileage with DLP may vary. And even when the rules do work, there are some limits to what you can stop from going out the SMTP gateway.

Exchange 2013 and Office 365 allow rules to be applied to direct mail flow. Those rules can be used for all sorts of things, like rerouting inbound e-mail from one mailbox to another based on the sender, keywords in the subject or contents, and a number of other parameters. For data loss prevention, those rules can be triggered by filters checking for keywords or specific patterns. Those patterns can require some calculations to be made with the text. For example, you won’t set off the credit card detection filter provided by Microsoft out of the box unless the numbers properly validate as “real” credit card numbers based on the rules for each issuer.

Exchange and O365’s filters can read both message bodies and common file attachments by scanning their content. The filters can also check compressed files for content. We ZIP-compressed documents with content banned by rules put in place to stop them from getting out, including credit card numbers, and the filters caught them with no trouble.
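As an added illustration of the validation step described above (example code written for this page, not Microsoft’s own DLP implementation), the following PowerShell shows the Luhn checksum that a “real” card number has to pass, which is why a random 16-digit string does not trip the built-in filter, and then creates an Exchange 2013 transport rule that uses the built-in Credit Card Number data classification. The rule name, the reject text, the confidence threshold and the two sample numbers are constructed for the example; the Exchange cmdlets only run inside the Exchange Management Shell, so the script skips that step elsewhere.

```powershell
# Added example for this page: the checksum step behind a credit card DLP filter,
# plus the Exchange 2013 transport rule that uses the built-in classification.
# Not Microsoft's code; rule name, message text and sample numbers are constructed.

function Test-LuhnChecksum {
    param([Parameter(Mandatory=$true)][string]$Number)

    # Strip the spaces and dashes people type into card numbers before checking.
    $digits = ($Number -replace '[\s-]', '')
    if ($digits -notmatch '^\d{13,19}$') { return $false }

    # Luhn: walking right to left, double every second digit, subtract 9 if the
    # result exceeds 9, sum everything; a valid number leaves a total divisible by 10.
    $sum = 0
    $double = $false
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

# Candidate numbers from a message body: a digit-pattern regex alone would flag
# both, the checksum separates a plausible card number from random digits.
# Both values are constructed test strings, not real cards.
$candidates = @(
    '4111 1111 1111 1111',   # well-known test number, passes Luhn (sum 30)
    '1234 5678 9012 3456'    # random digits, fails Luhn (sum 64)
)
foreach ($c in $candidates) {
    "{0,-22} luhn={1}" -f $c, (Test-LuhnChecksum $c)
}

# Exchange 2013 / Office 365 side. The built-in "Credit Card Number" classification
# applies the same checksum plus issuer prefix and length rules, so the second
# number above would not trigger this rule. MinCount, MinConfidence and the rule
# name are assumptions for this example.
if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    New-TransportRule -Name 'Example - block outbound credit card numbers' `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassification @(@{ Name = 'Credit Card Number'; MinCount = 1; MinConfidence = 85 }) `
        -RejectMessageReasonText 'Message blocked: it appears to contain a credit card number.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
} else {
    'Exchange cmdlets not loaded; run the rule creation from the Exchange Management Shell.'
}
```

The rule is scoped to mail leaving the organisation, which matches the article’s concern about what goes out the SMTP gateway; internal mail is left alone so the rule can be tested without disrupting normal traffic.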

Source:  arstechnica.com

Microsoft suggests fix for iOS 6.1/Exchange problem: Block iPhone users

Thursday, February 14th, 2013

iOS 6.1 hammering Exchange, dragging down server performance.

iOS 6.1 devices are hammering Exchange servers with excessive traffic, causing performance slowdowns that led Microsoft to suggest a drastic fix for the most severe cases: throttle traffic from iOS 6.1 users or block them completely.

“When a user syncs a mailbox by using an iOS 6.1-based device, Microsoft Exchange Server 2010 Client Access server (CAS) and Mailbox (MBX) server resources are consumed, log growth becomes excessive, memory and CPU use may increase significantly, and server performance is affected,” Microsoft wrote on Tuesday in a support document.

The problem also affects Exchange Online in Microsoft’s Office 365 cloud service. Office 365 customers may get an error message on iOS 6.1 devices stating “Cannot Get Mail: The connection to the server failed.” The Microsoft support article says both Apple and Microsoft are investigating the problem.

Microsoft suggests several fixes, starting out gently, then escalating to the complete blockage of iOS 6.1 devices. Based on the fixes suggested, the problems may be caused when iOS devices connect to Exchange calendars.

The first workaround is “do not process Calendar items such as meeting requests on iOS 6.1 devices. Also, immediately restart the iOS 6.1 device.”

If that doesn’t work, users are instructed to remove their Exchange accounts from their phones or tablets while the Exchange Server administrator runs a “remove device” command on the server side. After 30 minutes, users can add the Exchange accounts back onto their devices but should be advised “not to process Calendar items on the device.”

If that doesn’t work, the fixes get more serious. The next method is for the server administrator to create a custom throttling policy limiting the number of transactions iOS 6.1 users can make with the server. “The throttling policy will reduce the effect of the issue on server resources,” Microsoft notes. “However, users who receive the error should immediately restart their devices and stop additional processing of Calendar items.”

One Exchange administrator who created a throttling policy through PowerShell to solve the problem provides a guide here, but Microsoft also has a page providing instructions.

Finally, the last method Microsoft recommends is to block iOS 6.1 users. “You can block iOS 6.1 users by using the Exchange Server 2010 Allow/Block/Quarantine feature,” Microsoft notes. (See this post for more detailed instructions.)
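The escalation Microsoft describes, as an added example for this page (not Microsoft’s support article nor the cited administrator’s script): list the iOS 6.1 partnerships, remove a device for one user, apply an Exchange 2010 throttling policy to affected users, and, as a last resort, block the devices with an Allow/Block/Quarantine rule. The mailbox names, the policy name and the throttling limits are constructed values, not Microsoft’s recommendation; the cmdlet and parameter names are the Exchange 2010 ones and must be run in the Exchange Management Shell.

```powershell
# Added example (not Microsoft's or the cited admin's script): the server-side steps
# of the iOS 6.1 workaround in the Exchange 2010 Management Shell. Names are constructed.

# Step 1: find ActiveSync partnerships that report iOS 6.1. DeviceOS is the string
# the device itself reports, so matching it by prefix is an assumption about that format.
$ios61 = Get-ActiveSyncDevice | Where-Object { $_.DeviceOS -like 'iOS 6.1*' }
$ios61 | Select-Object UserDisplayName, DeviceModel, DeviceOS, DeviceId | Format-Table -AutoSize

# Step 2 ("remove device"): drop the partnership for one affected user while the user
# removes the Exchange account from the phone; the account is re-added 30 minutes later.
$affected = 'jdoe@example.com'   # constructed mailbox
Get-ActiveSyncDevice -Mailbox $affected |
    Where-Object { $_.DeviceOS -like 'iOS 6.1*' } |
    Remove-ActiveSyncDevice -Confirm:$false

# Step 3: a custom throttling policy that caps ActiveSync (EAS) work per user,
# limiting how much CAS, AD and mailbox RPC time a looping device can consume.
# The numeric limits are illustrative; tune them to the server.
$policyName = 'iOS61-EAS-Throttle'
if (-not (Get-ThrottlingPolicy $policyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $policyName `
        -EASMaxConcurrency 5 `
        -EASPercentTimeInCAS 50 `
        -EASPercentTimeInAD 20 `
        -EASPercentTimeInMailboxRPC 30 | Out-Null
}
# Associate the policy with the mailboxes identified from the report in step 1
# (constructed list; a per-user association overrides the default policy).
$affectedUsers = @('jdoe', 'asmith')
foreach ($u in $affectedUsers) {
    Set-ThrottlingPolicyAssociation -Identity $u -ThrottlingPolicy $policyName
}

# Step 4 (last resort): Allow/Block/Quarantine rules. The QueryString is matched
# exactly against the chosen characteristic, so create one rule per distinct
# DeviceOS build string the devices actually reported in step 1.
$ios61 | Select-Object -ExpandProperty DeviceOS -Unique | ForEach-Object {
    New-ActiveSyncDeviceAccessRule -QueryString $_ -Characteristic DeviceOS -AccessLevel Block
}
```

Because the block rule only takes effect when a device next syncs, transaction log growth may continue briefly after step 4; checking the log volume of the affected databases afterwards confirms the loop has stopped.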

Businesses of all sizes limiting or blocking iOS devices

We don’t know exactly how widespread this problem is. It’s clearly not affecting everyone, but the impact seems to run the gamut from small businesses to large.

“We’re using Exchange 2010 in a small software firm with about a dozen iOS users (each with multiple iOS devices),” Shourya Ray, chief administrative officer of Spin Systems in Virginia, told Ars via e-mail. “Last week our Exchange server froze (internal mail was being routed, but external mail stopped flowing).”

It turned out that the 300GB VMware virtual machine hosting the Exchange server was full. “You can imagine our surprise when that VM filled up overnight,” Ray said. “If we were running Exchange in a typical hardware-based server with a 1TB drive, it would have taken us a week to realize the problem.”

How did it happen, and how did the company get things working “normally” again? “The transaction log had 200,000 records and was the indication of a problem,” Ray said. “Our temporary solution has been to ask iOS users to switch to manual pull rather than ActiveSync push. For heavy e-mail users, we are recommending an automatic pull every 30 minutes. So far, that seems to have kept Exchange happy with no other issues since last week. Let’s hope that Apple and Microsoft put their heads together and fix this soon.”

We heard from several other people on Twitter that they have been bitten by the iOS 6.1/Exchange problem. One said, “My 22,000+ employee enterprise has blocked iOS 6.1, execs all have iOS.”

A support thread on Microsoft’s Exchange Server site was opened January 31 to discuss the excessive logging caused by iOS 6.1. The server administrator who began the thread identified an iPad that “caused over 50GB worth of logs” on a single database.

The thread got more than a dozen replies. One Exchange administrator explained that “malformed meetings on a device cause the device to get into a sync loop which causes excessive transaction log growth on the Exchange mailbox servers.” This in turn “will cause Exchange performance issues and potentially transaction log drives to run out of disk space which would then bring down Exchange.”

To solve the problem, this admin simply “disabled all iOS 6.1 on our Exchange system.”

iOS 6.1 was released on January 28. iOS 6.1.1 came out a couple of days ago, but for now it can only be installed on the iPhone 4S and is designed to fix cellular performance and reliability. Apple didn’t mention anything about Exchange fixes when releasing this latest version. Last year, iOS 6.0.1 fixed an Exchange problem that could lead to entire meetings being canceled when even a single iOS user declined a meeting invitation.

The iOS 6.1 problem isn’t the first time iOS has caused Exchange servers to perform poorly. An Apple support article from 2010 describes sync problems in iOS 4 and says, “Exchange Server administrators may notice their servers running slowly.” At the time, Microsoft noted iOS 4 led to “Exchange administrators… seeing heavier than normal loads on their servers from users with iOS devices.” Microsoft got in touch with Apple to fix that problem.

We’ve asked both Apple and Microsoft how many users are impacted by the latest problem, and when a more permanent fix is coming. We also asked Apple if it agrees with the workarounds suggested by Microsoft. Microsoft told us it has nothing else to say, as the “support article contains the latest.” Apple has not responded to our request for comment as of yet.

UPDATE: Apple posted a support document of its own today, describing the problem thusly:

When you respond to an exception to a recurring calendar event with a Microsoft Exchange account on a device running iOS 6.1, the device may begin to generate excessive communication with Microsoft Exchange Server. You may notice increased network activity or reduced battery life on the iOS device. This extra network activity will be shown in the logs on Exchange Server and it may lead to the server blocking the iOS device. This can occur with iOS 6.1 and Microsoft Exchange 2010 SP1 or later, or Microsoft Exchange Online (Office365).

Apple’s suggested fix is to turn the Exchange calendar off and back on again within the iPhone’s settings. An operating system update to fix the problem is on the way. “Apple has identified a fix and will make it available in an upcoming software update,” Apple said.

Source:  arstechnica.com

Forrester: SharePoint faces challenging future

Friday, February 8th, 2013

Mobile, social, and cloud are areas in which Microsoft’s collaboration server must improve to continue its growth

Despite strong support from IT pros, SharePoint faces increased skepticism from business leaders and it’s unclear whether the collaboration product will deliver cloud, social, and mobile advancements needed for future growth.

Those are some of the findings from a new Forrester Research study published on Tuesday titled “SharePoint Enters Its Awkward Teenage Years.”

“Microsoft SharePoint is the centerpiece of many enterprises’ collaboration and content strategies, but it isn’t clear to us that enterprises will continue to invest in SharePoint to provide a broader range of social, web content, and content delivery functionality,” wrote report authors Rob Koplowitz and John Rymer. The study was based on a survey conducted in August 2012 of 153 IT decision-makers involved with SharePoint implementations.

SharePoint has reached mature status as a content management and enterprise collaboration tool, used primarily by companies to corral documents dispersed among file servers, email inboxes and other content management systems, according to Forrester.

As such, its 2007 and 2010 versions are used by organizations of all sizes and in all industries to create and manage intranets, offer collaboration capabilities, and manage content, but there is less satisfaction with and usage of it for other scenarios, such as a custom application platform and as a business intelligence tool for data analysis.

The gap in satisfaction between IT pros and business managers — SharePoint met the expectations of 73 percent of the former, and of 62 percent of the latter — is of concern, according to the authors.

“While ‘if you build it, they will come’ might work in the movies, the approach has yielded neither wide adoption of SharePoint nor satisfaction with the product. Too often, IT provides the latest and greatest SharePoint release only to watch many users turn their backs on the solution,” the report reads.

Dissatisfaction is centered on several areas, including adoption challenges, a dislike for the SharePoint user experience, a preference for other tools like email and skepticism over its business value.

Also of concern is that takeup of SharePoint Online, the cloud-hosted version of the product, is very low — 4 percent of respondents reported using it exclusively, a rate expected to rise to 8 percent after the new SharePoint 2013 comes out at some point this quarter. However, 26 percent of respondents plan to have a hybrid on-premises/cloud deployment, according to the study.

There is also dissatisfaction with the enterprise social networking capabilities in SharePoint, but Forrester predicts that this component of the product will be much better in the 2013 version and beyond as the product gets more integrated with Yammer.

Microsoft also must improve its efforts to deliver SharePoint functionality via mobile applications to smartphone and tablet users of various platforms, the authors wrote.

Koplowitz and Rymer had words of praise for SharePoint 2013, pointing out that an impressive 68 percent of respondents said they plan to upgrade to that new version within two years after its release. Eighty-one percent of respondents are currently on SharePoint 2010, and the rest on 2007 and earlier versions.

In particular, the Forrester analysts like SharePoint 2013’s new development architecture, which is consistent with Web standards and is designed to make the creation and deployment of applications simpler, more flexible and more secure.

This new architecture “makes the product a native Web citizen rather than a proprietary world of its own,” as has been the case until now, and will make SharePoint 2013 “more modular and open than any prior release.”

At this juncture, CIOs and other IT executives should rethink the role of SharePoint in their organizations. For example, if SharePoint is used only for document collaboration, it is an expensive proposition for which more affordable options exist, according to the authors. It’s also a good idea to monitor how Yammer is integrated with SharePoint, and assess how comfortable the organization is with providing enterprise social collaboration via a cloud model. In addition, CIOs must keep a close eye on SharePoint’s mobile capabilities.

For Microsoft, the challenges are substantial in areas like social, cloud and mobile, according to Forrester. “At stake is Microsoft’s ability to maintain the strong growth curve SharePoint has enjoyed over the past four years,” the authors wrote.

Dangerous competitors include IBM, Google, Jive Software, and Box. “Despite its rousing success in enterprises, circumstances have changed, and SharePoint must prove its value all over again.”

Microsoft declined to comment for this story.

Source:  infoworld.com

Your antivirus software probably won’t prevent a cyberattack

Friday, February 1st, 2013

During a four-month-long cyberattack by Chinese hackers on the New York Times, the company’s antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network.

That’s a stunning wake-up call to people and businesses who think they are fully protected by their antivirus software.

“Even the most modern version of antivirus software doesn’t give consumers or enterprises what they need to compete in the hacker world,” said Dave Aitel, CEO of security consultancy Immunity. “It’s just not as effective as it needs to be.”

The New York Times said it had an antivirus system from Symantec (SYMC, Fortune 500) installed on devices connected to its network. The Chinese hackers built custom malware to, among other things, retrieve the usernames and passwords of Times reporters. Since that brand-new malware wasn’t on Symantec’s list of forbidden software, most of it was allowed to pass through undetected.

Symantec responded that it offers more advanced solutions than the one the New York Times (NYT) deployed.

“Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,” the company said in a written statement. “Antivirus software alone is not enough.

“The cold fact is that no single solution can prevent all cyberthreats. Sophisticated attacks on networks routinely bypass network security systems, no matter how rock-solid they are — or claim to be.

“Commercially available solutions are available to everyone,” said Rohit Sethi, head of product development for SD Elements, a security firm. “It’s not hard for attackers to learn how to evade detection, and they’re coming up with ingenious ways of doing just that.”

The solution, security experts say, is to deploy technology that keeps a very, very close eye on what’s happening inside your network. You can’t always prevent attackers from getting in, but you can at least set tripwires to alert you when they do.

In the New York Times’ case, the company suspected that it would be attacked because of its investigation into Chinese Prime Minister Wen Jiabao’s family finances. It asked AT&T (T, Fortune 500) to monitor its network. AT&T quickly picked up suspicious signs. Two weeks later, when the extent of the infiltration became clear, the Times hired security consultancy Mandiant to track the attackers’ movements through its systems.

“Attackers no longer go after our firewall,” Michael Higgins, the Times’ chief security officer, told Times reporter Nicole Perlroth. “They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

From there, the best thing companies can do is track what attackers are doing.

“The question we always ask our customers is, ‘Do you know every program running on your network?” said Immunity’s Aitel. “When you know the answer to that question, you don’t need antivirus software. When you don’t, you’re screwed.”

Experts say that antivirus software is still a good, basic thing to have. Owning an antivirus solution is like putting the Club in your car — it’s not going to stop a determined thief, but it’s going to make stealing your stuff more difficult.

Antivirus software maker Avast, whose free antivirus software is among the most widely used, says there’s a major distinction between the kinds of threats encountered by everyday Web surfers and the carefully targeted attack the Times faced.

“Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired — say by a hired killer,” said Jindrich Kubec, Avast’s threat intelligence director. “Does it mean you will stop using airbags and seatbelts?”

Some antivirus solutions are better than others. In a recent analysis, Immunity simulated attacks against networks protected by the top-of-the-line software built by Symantec, Kaspersky Labs and Intel’s (INTC, Fortune 500) McAfee security division.

Immunity was able to break into the systems protected by Kaspersky and McAfee in two days. Symantec was the best of the breed, with Immunity unable to penetrate it in the several days it gave itself to achieve the task.

“New reputational-based software works to an extent,” Aitel said, referring to systems that aim to contextualize the threats they detect. “But deep down, nothing is as good as having a proper awareness about what’s going on in your network.”

Source:  CNN

Yahoo! email zero-day exploit being sold for $700

Tuesday, November 27th, 2012


In an unusually candid look at the underground operations of black market exploit selling, there is one user who has been caught selling a major exploit for Yahoo! email accounts for $700 to all interested parties. So far, Yahoo! has not been able to nail down exactly what is causing the vulnerability.

In other words, these transactions have been exposed and are taking place right out in the open, and yet the practice is still ongoing. The user, who goes by the online handle TheHell, gloats about the capabilities of his hack, saying that it is a “stored XSS” (cross-site scripting) flaw. This means that once a user clicks on a malicious link in an email, the code is injected and permanently stored on the email client’s server, and there is very little the user can do to reverse its effects. It is also something only Yahoo! can fix internally.

In an interview with KrebsonSecurity, Yahoo! director of security Ramses Martinez said that the issue is now known and his team is working to fix it, but it is very difficult to nail down exactly where it came from and what the best course of action is.

These exploits are not as rare as you might expect, although it is uncommon for them to be exposed as openly as this one is without any immediate fix or patch. TheHell is based in Egypt, which means it would be very difficult to take any sort of legal action that would put at least a temporary end to his behavior.

Krebs also mocked up a video to make it look similar to the one TheHell is using to entice customers. Check it out below, and in the meantime, always remember to be wary of clicking any links inside an email that appear unusual or are from people you do not know.

Source:  geek.com

Coca-Cola ‘targeted’ by China in hack ahead of acquisition attempt

Tuesday, November 6th, 2012

Chinese hackers have been blamed for infiltrating confidential systems within Coca-Cola for more than a month, Bloomberg has reported.

The fizzy drink firm was breached in 2009 when a malicious link was emailed to a senior executive.

Hackers were able to spend a month operating undetected, logging commercially sensitive information.

The US Securities and Exchange Commission (SEC) said Coca-Cola did not publicly disclose the attack.

Last year the SEC outlined guidelines for companies who had been hit by cyber-attacks, saying that transparency on the issue was in the interest of investors and other stakeholders.

However, companies have so far been reluctant to do so – fearing reputational loss and a negative impact on stock price.

“Investors have no idea what is happening today,” Jacob Olcott, a former cyber policy adviser to the US Congress told the financial news agency.

“Companies currently provide little information about material events that occur on their networks.”

Collapsed deal

In Coca-Cola’s case, hackers masqueraded as Coca-Cola’s chief executive, sending an email to Paul Etchells, Coca-Cola’s deputy president for the Pacific region.

The email contained a malicious link which was clicked on – allowing for hackers to install keyloggers and other forms of malware on Mr Etchells’ machine.

In the days that followed, hackers took emails and stole passwords to give themselves administrative privileges on the network.

The infiltration was – according to internal documents seen by Bloomberg – blamed on state-backed Chinese attackers.

The hack came at a time when Coca-Cola was looking to acquire the China Huiyuan Juice Group for about $2.4bn. Had the takeover happened, it would have been the largest foreign takeover of a Chinese company.

However, the deal collapsed three days after the cyber-attack, Bloomberg said, citing internal sources.

Coca-Cola told the BBC in a statement: “Our company’s security team manages security risks in conjunction with the appropriate security and law enforcement organisations around the world.

“As a matter of practice, we do not comment on security matters.”

Source:  BBC

The Russian underground economy has democratised cybercrime

Friday, November 2nd, 2012

If you want to buy a botnet, it’ll cost you somewhere in the region of $700 (£433). If you just want to hire someone else’s for an hour, though, it can cost as little as $2 (£1.20) — that’s long enough to take down, say, a call centre, if that’s what you were in the mood for. Maybe you’d like to spy on an ex — for $350 (£217) you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you’re just in the market for some good, old-fashioned spamming — it’ll only cost you $10 (£6.19) for a million emails. That’s the hourly minimum wage in the UK.

This is the current state of Russia’s underground market in cybercrime — a vibrant community of ne’er-do-wells offering every conceivable kind of method for compromising computer security. It’s been profiled in security firm Trend Micro’s report, Russian Underground 101, and its findings are as fascinating as they are alarming. It’s an insight into the workings of an entirely hidden economy, but also one that’s pretty scary. Some of these things are really, really cheap.

Rik Ferguson, Trend Micro’s director of security research and communications, explains to Wired.co.uk that Russia’s cybercrime market is “very much a well-established market”. He says: “It’s very mature. It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.” Russia is one of the major centres of cybercrime, alongside other nations like China and Brazil (“the spiritual home of banking malware”).

Russian Underground 101 details the range of products on offer in this established market — Ferguson says that they can be for targeting anyone “from consumers to small businesses”. He points to ZeuS, a hugely popular trojan that’s been around for at least six years. It creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered within the networks of large organisations like Bank of America, Nasa and Amazon. In 2011, the source code for ZeuS was released into the wild — now, Ferguson says, “it’s become a criminal open source project”. Versions of ZeuS go for between $200 (£124) and $500 (£309).

Cybercriminal techniques go in and out of fashion like everything else — in that sense, ZeuS is a bit unusual in its longevity. That’s in large part because viruses and trojans can be adapted to take advantage of things in the news to make their fake error messages or spam emails seem more legitimate. For example, fake sites, and fake ads for antivirus software, aren’t as popular as they once were because people are just more computer literate these days. Exploits which take advantage of gaps in browser security to install code hidden in the background of a webpage have also become less common as those holes are patched up — but programs which embed within web browsers still pose a threat, as the recent hullabaloo over a weakness in Java demonstrates.

Ferguson points to so-called “ransomware” as an example of a more recent trend, where the computer is locked down and the hard drive encrypted. All the user sees on the screen is a message telling them that their local law enforcement authority (so, in the UK, often the Metropolitan Police) has detected something like child pornography or pirated software on their PC, and that if they want to unlock it they’ll have to send money to a certain bank account. No payment, no getting your hard drive back.

Amazingly, if you pay that “fine”, then you will actually get your information back, says Ferguson. “But you’ve labelled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says. Child pornography and pirated software have been in the news a lot over the past few years, for obvious reasons, and that kind of thing directly influences the thinking of hackers and programmers.

Taking the time to adapt these tools to recent trends can be very lucrative. DNSChanger, a popular trojan from 2007 to 2011, would infect a machine and change its DNS settings. When the user went to a webpage with ads on it, that traffic would give affiliate revenue to the scammers. One prominent DNSChanger ring (Rove Digital) was busted in Estonia in 2011 — the FBI had been tracking them for six years, and during that time it was estimated that they’d earned around $14 million (£8.7 million) from this little trick. It also meant that the FBI was left with some critical web infrastructure on its hands — those infected machines (which included machines at major organisations) could only access the web through those Rove Digital servers. Months were spent trying to get people to check their computers for infection and ensuring that when those Estonian servers were shut off, it didn’t take down, say, a bank.

The most recent trends in cybercrime, though, are very much focused on mobile — particularly Android, Ferguson explains: “We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year. Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site. Similarly, there aren’t any malicious iOS apps in the wild, on the App Store, but that only applies to iPhones that aren’t jailbroken — downloading from other places puts your phone at risk.”

These threats aren’t going away, either. In fact, according to Ferguson, “prices are going down” across the Russian underground: “Let’s not pretend that these people aren’t taking advantage of technology just like normal businesses — improvements in technology are getting faster, and there are things like cloud services which they also use. The bad guys are using technologies to drive down costs in the same way businesses are.”

Ferguson cites the recent case of someone claiming to have bought the personal information of 1.1 million Facebook users for only $5 (£3.19) as further evidence of the growing problem of online information leaking into the hands of these cybercrime communities. Hackers and other cybercriminals make it their job to analyse security measures and find ways around them, because that information is where the value lies.

While hackers and other cybercriminals can save by buying in bulk, the cost to the individual (or the business) that falls victim to one of these techniques is potentially much higher. So, be vigilant, OK?

Here’s some of what you can buy on the Russian underground…

Basic crypter (for inserting rogue code into a benign file): $10-$30 (£6.19-£19)
SOCKS bot (to get around firewalls): $100 (£62)
Hiring a DDoS attack: $30-$70 (£19-£43) for a day, $1,200 (£742) for a month
Email spam: $10 (£6.19) per one million emails
Expensive email spam (using a customer database): $50-$500 (£31-£310) per one million emails
SMS spam: $3-$150 (£1.86-£93) per 100-100,000 messages
Bots for a botnet: $200 (£124) for 2,000 bots
DDoS botnet: $700 (£433)
ZeuS source code: $200-$500 (£124-£310)
Windows rootkit (for installing malicious drivers): $292 (£180)
Hacking a Facebook or Twitter account: $130 (£80)
Hacking a Gmail account: $162 (£100)
Hacking a corporate mailbox: $500 (£310)
Scans of legitimate passports: $5 (£3.10) each
Winlocker ransomware: $10-20 (£6.19-£12.37)
Unintelligent exploit bundle: $25 (£15)
Intelligent exploit bundle: $10-$3,000 (£6.19-£1,857)
Traffic: $7-$15 (£4.33-£9.29) per 1,000 visitors for the most valuable traffic (from the US and EU)

Source: Wired

Microsoft to make the case for new Exchange version

Monday, September 24th, 2012

Microsoft will lay out the reasons it believes enterprises need to adopt the new version of its Exchange email server at a conference this week devoted to the product.

On Monday, the company focused on security, management and compliance issues, trumpeting a number of new and improved features on Exchange 2013 in these areas.

“This is our first real opportunity to talk about the new Exchange,” said Michael Atalla, Microsoft’s director of product management for Exchange, in an interview after delivering a keynote at the Microsoft Exchange Conference (MEC) in Orlando.

Exchange 2013 is in beta testing and Microsoft hasn’t given an official date for its commercial availability.

Its cloud-based counterpart, Exchange Online, which is part of the Office 365 email and collaboration suite, is also being enhanced in lockstep with Exchange 2013.

The products, which have been available for user testing since July, will have full feature parity, except for functionality that makes sense only on premises or only in the cloud, Atalla said.

The new Exchange Online Protection is high on the list of enhancements Microsoft will talk about this week. This cloud-based service provides malware and spam detection and protection. It also offers back-up email queueing for on-premises servers and usage analytics data, such as reporting, auditing and message tracing. Exchange Online Protection, which is an upgrade to Forefront Online Protection for Exchange, also features inbound message blocking, content filtering and transport rules.

The new Exchange comes with a data loss prevention (DLP) capability that automates the detection, monitoring and protection of sensitive content and data on email based on pre-established policies, rules and exceptions. The DLP functionality can trigger a variety of actions, including stopping an outbound message or placing it in a moderation queue. It can also inform end users about potential violations of company policies regarding the type of data and content they’re allowed to send via email, to promote awareness among employees.

“This is an entirely new category in the new Exchange,” Atalla said.

Microsoft has merged the two separate management consoles of Exchange 2010 and the existing Exchange Online, so that IT administrators now have a single Web-based control panel to manage both products, Atalla said. This is particularly useful and relevant as more and more enterprises move from purely on-premises Exchange deployments into hybrid ones, in which some mailboxes and functionality are in Exchange Online and others in Exchange 2013, he said.

“We’re evolving Exchange to let administrators manage both the on-premises and online versions from a common set of management tools,” he said.

“We see the new Exchange giving customers the opportunity to move to the cloud on their own terms,” Atalla added.

Microsoft also plans to highlight Exchange 2013’s architecture, which allows administrators to keep current and archived messages in the same mailbox infrastructure, as opposed to keeping them in separate repositories. With this “in-place archiving” technology, archived messages are more easily and quickly available to end users, and email management is simplified for administrators, who can address compliance and retention from a single repository, according to Microsoft.

Exchange 2013 also has features to simplify the management of email messages that need to be kept indefinitely in a “tamper proof” manner. Instead of having to move these messages to a separate system, Exchange 2013 administrators can keep them in the same system as the other messages by applying “hold” policies to them, either at the end user, group, mailbox or individual message level.

The new Exchange also has expanded e-discovery features, including the ability of compliance officers to not only search for Exchange messages, calendar entries and contacts, but also SharePoint documents, sites, files, wikis and blogs, as well as Lync instant messaging conversations, Atalla said.

As in other areas of enterprise messaging and collaboration, Microsoft faces a variety of competitors, such as IBM Lotus, VMware’s Zimbra and Google Apps, which is in the process of gaining native email security, archiving and compliance features via an ongoing integration of Postini services and technology.

Source: computerworld.com

Spoofing a Microsoft Exchange server: a new how-to

Friday, July 27th, 2012

The smartphone-based attack wreaks havoc on Android and iOS smartphones.

If you use an Android or iOS device to connect to a Microsoft Exchange server over WiFi, security researcher Peter Hannay may be able to compromise your account and wreak havoc on your handset.

At the Black Hat security conference in Las Vegas, the researcher at Edith Cowan University’s Security Research Institute in Australia described an attack he said works against many Exchange servers operated by smaller businesses. Android and iOS devices that have connected to a server secured with a self-signed secure sockets layer (SSL) certificate will still connect even when the certificate they are presented with has been falsified.

“The primary weakness is in the way that the client devices handle encryption and do certificate handling, so it’s a weakness in SSL handling routines of the client devices,” Hannay told Ars ahead of his presentation on Thursday. “These clients should be saying that the SSL certificate really doesn’t match, none of the details are correct. I won’t connect to it.”

Hannay has developed an attack that uses a WiFi network to stand up a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server never reach the intended destination; instead, they initiate communications with Hannay’s imposter machine.

The use of an SSL certificate to protect an Exchange server is designed to preclude precisely this kind of man-in-the-middle attack. Devices are supposed to connect only if the certificate carries a valid cryptographic signature vouching for the service. But that’s not what always happens, the researcher said.

Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at the configured address, even when the SSL credential it presents has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: they issued a warning, but allowed users to connect anyway. Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.

Once a phone connects to a rogue server used in Hannay’s experiments, a script he wrote issues a command to remotely wipe its contents and restore all factory settings. He said it’s also possible to retrieve the login credentials users need to sign in to their accounts. Hannay said a malicious hacker could then use that information to log in to the legitimate account.

“It’s really simple and that’s what’s disturbing to me,” Hannay said. “The whole attack is just 40 lines of Python, and most of that is just connection handling.”

As stated earlier, the attack works only against phones that have connected to an Exchange server secured by a self-signed SSL certificate. Hannay said most organizations with fewer than 50 people use such credentials, rather than paying to have a certificate signed by a recognized certificate authority.
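The client-side fix the article points at, as an added example that is not part of the Ars Technica piece or of Hannay’s research: a self-signed certificate is safe to use only if the client treats that exact certificate as its trust anchor (or pins its fingerprint) and keeps hostname checking on; “warn and continue” or accepting any certificate is what made the affected clients spoofable. The code below builds a strict Python TLS client context, shows the permissive configuration that mirrors the affected behaviour so that a review check can flag it, and verifies a presented certificate against a pinned SHA-256 fingerprint. The certificate bytes and pin are constructed placeholders, not real certificates.

```python
"""Safe client-side handling of a self-signed server certificate.

Added example (not from the article or from Hannay's work). The only safe way
for a mail client to accept a self-signed certificate is to make that exact
certificate its trust anchor and keep server-name checking on.
"""
import hashlib
import hmac
import ssl
from typing import Optional

# Constructed placeholder standing in for a DER-encoded certificate, plus the
# fingerprint an administrator would hand out via a separate channel.
# Not a real certificate.
SAMPLE_CERT_DER = b"constructed-placeholder-der-bytes-for-example-only"
SAMPLE_PIN = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise_pin(pin: str) -> str:
    """Accept the colon-separated upper-case form that `openssl x509 -fingerprint`
    prints as well as bare lowercase hex."""
    return pin.replace(":", "").strip().lower()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalise_pin(expected_pin))


def decide_connection(der_cert: bytes, expected_pin: str) -> str:
    """Policy a mail client should follow: connect only on a pin match.
    A mismatch is a hard refusal to be logged, never a warning the user can skip."""
    if pin_matches(der_cert, expected_pin):
        return "connect"
    return "refuse: server certificate does not match pinned fingerprint"


def strict_client_context(pinned_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context for talking to an Exchange/ActiveSync endpoint.

    With a self-signed server certificate, that certificate (PEM text from the
    administrator) becomes the *only* trust anchor, so a CA-issued certificate
    for the same name from a rogue server is rejected too. Without a pin, the
    system CA store from create_default_context() is used.
    """
    if pinned_cert_pem is not None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname, no CAs
        ctx.load_verify_locations(cadata=pinned_cert_pem)
    else:
        ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """What the affected clients effectively did: accept any certificate.
    Included only so the audit check below has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # Python requires this before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Code-review check: a client context is acceptable only if it demands a
    chain to a trust anchor and verifies the server name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print(decide_connection(SAMPLE_CERT_DER, SAMPLE_PIN))
    print(decide_connection(b"some other certificate", SAMPLE_PIN))
    print("strict context safe:", context_is_safe(strict_client_context()))
    print("permissive context safe:", context_is_safe(permissive_client_context()))
```

The point of the `strict_client_context` branch for a pinned certificate is that it starts from an empty trust store rather than the system one, so the self-signed certificate is trusted exactly as the administrator distributed it and nothing else; the fingerprint check covers clients that cannot load a custom trust anchor but can read the peer certificate after the handshake.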

Google and Apple didn’t respond to an e-mail seeking comment for this article. A Microsoft representative said members of the company’s Exchange team are looking into the report.

Source: arstechnica.com

Experts take down Grum spam botnet, world’s third largest

Wednesday, July 18th, 2012

Botnet was responsible for 18 billion spam messages a day — about 18 percent of the world’s spam — experts tell The New York Times.

Computer-security experts took down the world’s third-largest botnet, which they say was responsible for 18 percent of the world’s spam.

Command-and-control servers in Panama and the Netherlands pumping out up to 18 billion spam messages a day for the Grum botnet were taken down Tuesday, but the botnet’s architects set up new servers in Russia later in the day, according to a New York Times report. California-based security firm FireEye and U.K.-based spam-tracking service SpamHaus traced the spam back to servers in Russia and worked with local ISPs to shut down the servers, which ran networks of infected machines called botnets.

The tech community has stepped up its efforts of late to take these botnets offline. Microsoft in particular has been quite active, using court orders to seize command-and-control servers and cripple the operations of the Waledac, Rustock, and Kelihos botnets.

The takedown of the Rustock botnet cut the volume of spam across the world by one-third, Symantec reported in March 2011. At its peak, the notorious botnet was responsible for sending out 44 billion spam messages per day, or more than 47 percent of the world’s total output, making it the leading purveyor of spam.

Security experts are confident they have stopped the Grum botnet in its tracks.

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” Atif Mushtaq, a computer security specialist at FireEye, told the Times. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Source: CNET