<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber-Smarty.com</title>
	<atom:link href="http://cyber-smarty.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://cyber-smarty.com</link>
	<description>Helping You to be Secure and Smart - Online</description>
	<lastBuildDate>Tue, 09 Mar 2010 06:29:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Hackers who created botnet with 12.7 million computers busted</title>
		<link>http://cyber-smarty.com/2010/03/mariposa-botnet-busted/</link>
		<comments>http://cyber-smarty.com/2010/03/mariposa-botnet-busted/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 06:29:11 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Major Developments]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[mariposa]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=179</guid>
		<description><![CDATA[Spanish police working with the FBI and other police forces have arrested three suspects for running world’s biggest computer hacking scam through a bots network called Mariposa.
This is a crucial win for security experts over hackers and a relief to millions of people who use internet everyday. The network of mariposa botnet is spread around [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Spanish police working with the FBI and other police forces have arrested three suspects for running the world’s biggest computer hacking scam through a botnet called Mariposa.</p>
<p style="text-align: justify;">This is a crucial win for security experts over hackers and a relief to the millions of people who use the Internet every day. The Mariposa botnet is spread across 190 countries, infecting over 12.7 million computers. These ranged from computers of US Fortune 1000 companies to computers of major banks. Spanish police reported recovering data such as bank account details, credit card numbers, usernames, passwords, etc., belonging to over 800,000 people. The amount of loss due to this botnet is yet to be determined.</p>
<p style="text-align: justify;">Mariposa is the Spanish word for butterfly. It was announced as a new botnet by Defence Intelligence in May 2009. This bot is known to spread through critical vulnerabilities in Internet Explorer as well as contaminated USB sticks. It is very hard to catch the creators of a botnet, as these criminals operate by disguising the source of their Internet traffic or by working through an infected computer (called a zombie) belonging to another person. It seems that it was a blunder made by one of the operators of Mariposa, forgetting to conceal their IP address, that helped Spanish police catch this gang.</p>
<p style="text-align: justify;">The infected computers still remain tainted. The worst part is that most of the owners are still not aware that their computer is part of a botnet. Use a reliable, robust and up-to-date antivirus solution on your PC to detect any traces of the botnet.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2010/03/mariposa-botnet-busted/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Yourself Online with Strong Passwords</title>
		<link>http://cyber-smarty.com/2010/02/protecting-yourself-online-with-strong-passwords/</link>
		<comments>http://cyber-smarty.com/2010/02/protecting-yourself-online-with-strong-passwords/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 07:57:09 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Cyber tips]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=171</guid>
		<description><![CDATA[The concept of having a password for any system is similar to a key for home. The key for home is essential in order to lock and protect personal belongings from others who are not authenticated or desired to enter home. Today, due to globalization and Internet revolution, a person may have several online properties [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The concept of having a password for a system is similar to having a key for a home. The key is essential in order to lock the home and protect personal belongings from others who are not authorized or welcome to enter. Today, due to globalization and the Internet revolution, a person may have several online properties or accounts that are as important as the property physically present at home. These may be e-mail accounts, portals, website subscriptions, network servers, databases, online banking accounts, credit cards, etc. Strong passwords for these provide a secure and strong lock, just like the lock on a home.</p>
<p style="text-align: justify;">Most people who are new to the online world lack knowledge of how to set up a strong password for their online accounts. But with cyber crime on the rise, passwords can easily be uncovered. And the results can be as terrible as the attack on Microsoft&#8217;s Hotmail and other web-based email services. A recent survey of these missing passwords revealed that many of the accounts had easy-to-guess passwords and that the most frequently used password among them was &#8220;123456&#8221;.</p>
<p style="text-align: justify;">Some general methods that attackers use for identifying a victim&#8217;s password include:</p>
<ul style="text-align: justify;">
<li>Guessing—The attacker tries to log on using the user&#8217;s account repeatedly by guessing probable or expected words and phrases like their children&#8217;s names, their birth city, and local sports teams.</li>
<li>Online Dictionary Attack—The attacker uses an automated program that works from a text file containing many words. The program repeatedly tries to log on to the target system, testing a different word from the text file on each attempt.</li>
<li>Offline Dictionary Attack—This is similar to the online dictionary attack, except that the attacker extracts a copy of the file in which the hashed or encrypted copies of user accounts and passwords are saved and runs an automated program to find out what password is used for each account. This type of attack can be finished very quickly if the attacker gains a copy of the password file.</li>
<li>Offline Brute Force Attack—This is a modified form of the dictionary attacks, designed to discover passwords that are not present in the text file used in those attacks. Even though a brute force attack can be tried online, because of network bandwidth and latency it is generally attempted offline using a copy of the target system&#8217;s password file. In a brute force attack, the attacker uses an automated program that produces hashes or encrypted values for all possible passwords and compares them with the values in the password file.</li>
</ul>
<p style="text-align: justify;">Microsoft suggests that the use of strong passwords can slow or sometimes break the various attack methods. This shows the importance of having a strong password.</p>
<p style="text-align: justify;"><strong>Creating a Strong password:</strong></p>
<p style="text-align: justify;">Passwords are case-sensitive and may be as long as 127 characters. A strong password:</p>
<ul style="text-align: justify;">
<li>Should never contain the user name.</li>
<li>Should be a minimum of eight characters long.</li>
<li>Should include both lowercase and uppercase letters (a minimum of one from each group is suggested).</li>
<li>Should contain a minimum of one number (0 to 9).</li>
<li>Should contain at least one symbol (e.g. *, ^, $, #).</li>
</ul>
<p style="text-align: justify;">A string that has all the above characteristics is known as a strong password. A complex password should not be something that is difficult to remember. Forgetting a strong or complex password that is difficult to remember is as harmful as being attacked because of a weak password.</p>
<p style="text-align: justify;">The password created must be easy to remember but difficult for anybody to guess. It can be a favorite phrase or quotation or a mixture of two words. Substitutes for letters can also be used to satisfy the above criteria for a strong password. For example, ‘a’ in a password can be substituted with ‘@’; similarly, ‘i’ can be replaced with ‘!’, and ‘o’ with ‘0’ or ‘()’.</p>
<p style="text-align: justify;">It is good practice to change passwords periodically, for example monthly or quarterly.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2010/02/protecting-yourself-online-with-strong-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Internet is Wild West Today?</title>
		<link>http://cyber-smarty.com/2010/01/why-internet-is-wild-west-today/</link>
		<comments>http://cyber-smarty.com/2010/01/why-internet-is-wild-west-today/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 06:06:06 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Cyber Awareness]]></category>
		<category><![CDATA[cybercrime awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=168</guid>
		<description><![CDATA[Today almost every user browsing Internet is at risk. The increase in threats related to social networking sites, banking security, botnets, and attacks targeting users, businesses, and even applications made Internet a risky landscape. Many industry consultants and analysts refer Internet as ‘Wild West’ because of its huge insecurity, where nobody or no website can [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Today almost every user browsing the Internet is at risk. The increase in threats related to social networking sites, banking security, botnets, and attacks targeting users, businesses, and even applications has made the Internet a risky landscape. Many industry consultants and analysts refer to the Internet as the ‘Wild West’ because of its huge insecurity, where nobody and no website can be trusted. Every year, cyber crime costs billions of dollars in repairs to systems hit by attacks and in lost productivity because of disruptions. According to the Federal Bureau of Investigation (FBI), consumers and businesses lost $5.8 billion in 2009 due to cyber crime.</p>
<p style="text-align: justify;"><strong>Risks increased exponentially</strong><br />
Today, more than ever before in the history of the Internet, any user can be affected by cyber threats through browsing, searching or merely visiting legitimate sites. Malicious web links are sprouting at a rapid pace. According to the CA Internet Security Business Unit (ISBU), 78% of threats came from online interaction during the first six months of 2009. IBM’s ‘X-Force 2009 Mid-Year Trend and Risk Report’ states that there was a more than 500% increase in new malicious web links in the first six months of 2009. Vulnerability to these threats seems to have reached a peak. In the first half of 2009 alone, nearly 3,240 new vulnerabilities were discovered.</p>
<p style="text-align: justify;"><strong>New threats</strong><br />
With the evolution of web based communities and explosion of Internet services, users are spending more time online and engaging in social networking activities on the Internet than ever before. This is resulting in new threats that exploit these services and communities. When a reputed website hosts third-party content, users often let down their guard while following hyperlinks in the third-party content or installing applications offered by them. Malware authors follow social networking buzz and the most popular activities online to attack the users. They are always ready to exploit significant and popular news stories to trap the netizens. Thus many people become victims of cyber traps.</p>
<p style="text-align: justify;">The attackers are constantly upgrading their tools to attack unwary users. This criminal activity is constantly scaling new peaks. According to IBM, SQL injection attacks almost doubled from the first quarter to the second quarter of 2009. Through SQL injection attacks, malicious code is injected into genuine web sites to infect their visitors.</p>
<p style="text-align: justify;">For the past few years, botnets have been the primary tools of many cyber criminals. They are always a challenge to cyber security professionals, as it is very difficult to track them down. Botnets can launch almost every type of cyber attack, including data exfiltration, sophisticated espionage, and spam.</p>
<p style="text-align: justify;"><strong>Targeted attacks</strong><br />
Although targeted attacks were rare earlier, they are seen often these days. Apart from ordinary people, the top management of companies, governments, industries and even journalists are being targeted for private information. Email with malware attachments is the popular and preferred method for targeted attacks. According to CA (ISBU), 17% of infections are distributed through e-mail. There is also an increase in attacks targeting client software using Adobe products including Flash and Acrobat Reader.</p>
<p style="text-align: justify;">Criminals are adopting more effective methods to target online banking systems. Trojans are the result of new tactics that go beyond the simple key-logging-with-screenshots efforts that prevailed earlier. CA (ISBU) reported that Trojans were the most common threat, representing 71% of total infections in the first half of 2009. When it comes to phishing, IBM says that 66% of phishing attacks targeted the financial industry and 31% targeted online payment in the first half of 2009.</p>
<p style="text-align: justify;">Over the years, Internet security issues have been growing. Initially, viruses were the only problem. Later, with the explosion of the Internet, many newer threats evolved that increase security exposure, such as malicious domains or untrusted web sites and the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal web sites, mainstream news sites and online magazines. Today you are in a high-risk zone as soon as you are online. It is always advisable to be alert while you are browsing.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2010/01/why-internet-is-wild-west-today/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How safe is a Remote Backup Service?</title>
		<link>http://cyber-smarty.com/2009/12/how-safe-is-a-remote-backup-service/</link>
		<comments>http://cyber-smarty.com/2009/12/how-safe-is-a-remote-backup-service/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 10:04:16 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Cyber Awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/2009/12/how-safe-is-a-remote-backup-service/</guid>
		<description><![CDATA[There are many service providers who offer online back up services. Some of them are Mozy, BackupandShare.com, Citadel Remote Backup, SafeCopy Backup, Iron Mountains, ElephantDrive, Xdrive, Genie Online Backup, AT&#38;T Online Vault, Carbonite, eSureIT, iBackup. These are only a few to name.
Remote back up service are mostly suitable for individuals and small businesses. However, any [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">There are many service providers who offer online back up services. Some of them are Mozy, BackupandShare.com, Citadel Remote Backup, SafeCopy Backup, Iron Mountains, ElephantDrive, Xdrive, Genie Online Backup, AT&amp;T Online Vault, Carbonite, eSureIT, iBackup. These are only a few to name.</p>
<p style="text-align: justify;">Remote backup services are mostly suitable for individuals and small businesses. However, anyone trying these services without good broadband connectivity and a high-performing system will for sure visit hell on earth.</p>
<p style="text-align: justify;">In fact, many people and many companies have been relying on some of the services mentioned above. The security of backing up data online is also questioned when the services of even big companies like Google and Twitter are being hacked.</p>
<p style="text-align: justify;">Many remote backup services, Mozy for example, encrypt the files that are to be backed up on your PC itself, so that they are not easily accessible even when someone steals them in the middle of the backup process. In addition, some services even send the encrypted data through an SSL connection. This is the same mechanism that is used by online merchants to move credit card information.</p>
<p style="text-align: justify;">What if the data is accessed at the data centers by their employees? Well, some services offer a remedy for this too. When the data is encrypted on your PC, the encryption key is supplied by you, so that decrypting and encrypting can be done by none other than you.</p>
<p style="text-align: justify;">However, there are certain precautions that are required to be taken up before opting for a service.</p>
<ul>
<li style="text-align: justify;">Ensure that the service providers are firm in their policies.</li>
<li style="text-align: justify;">Use strong passwords or encryption keys for files that carry vital or sensitive data.</li>
<li style="text-align: justify;">Try to add extra protection, such as password-protecting your documents or using third-party applications to pre-encrypt your data.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/12/how-safe-is-a-remote-backup-service/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Lurks Within Pirated Versions of Popular Movie Downloads</title>
		<link>http://cyber-smarty.com/2009/12/malware-lurks-within-pirated-versions-of-popular-movie-downloads/</link>
		<comments>http://cyber-smarty.com/2009/12/malware-lurks-within-pirated-versions-of-popular-movie-downloads/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 11:35:51 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Secure Downloading]]></category>
		<category><![CDATA[cybercrime awareness]]></category>
		<category><![CDATA[downloading]]></category>
		<category><![CDATA[Spam Awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=162</guid>
		<description><![CDATA[Now-a-days cyber criminals are using popular events, current developments and even movie premieres to attract people who seek free or pirated content and exploiting.
A recent online scam which promises viewers to download the recent “Twilight – New Moon” movie is found to install malware in PCs.
The entire process of this scam is as follows…

Viewers are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Nowadays cyber criminals are using popular events, current developments and even movie premieres to attract and exploit people who seek free or pirated content.</p>
<p style="text-align: justify;">A recent online scam that promises viewers a download of the recent “<strong>Twilight – New Moon</strong>” movie has been found to install malware on PCs.</p>
<p style="text-align: justify;">The entire process of this scam is as follows…</p>
<ul style="text-align: justify;">
<li>Viewers are lured with text on websites, chat rooms and blogs that reads: “Watch New Moon Full Movie.” Comment posts with related keywords are also used at the same time to attract search engines.</li>
<li>Search results for the movie then link users to stolen images from the movie itself, convincing the fan that the movie is only one click away.</li>
<li>When they click on the “movie player”, they are told to install a &#8220;streamviewer&#8221;.</li>
<li>The streamviewer, however, installs malware on the user’s computer.</li>
</ul>
<p style="text-align: justify;">Don’t be enticed by such scams into downloading without verifying whether the sources are genuine. It can turn out to be a burden not only in terms of cost but also in terms of toil and time. And the entire accountability will fall upon none other than you.</p>
<p style="text-align: justify;"><strong>Courtesy:</strong> PCTools.com</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/12/malware-lurks-within-pirated-versions-of-popular-movie-downloads/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Should We Run Windows Updates Regularly?</title>
		<link>http://cyber-smarty.com/2009/11/why-should-we-run-windows-updates-regularly/</link>
		<comments>http://cyber-smarty.com/2009/11/why-should-we-run-windows-updates-regularly/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 08:53:46 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Computer maintainance]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=153</guid>
		<description><![CDATA[Security updates are delivered on the second Tuesday of each month, which is called “Patch Tuesday”, but security updates can be delivered whenever a software update is required to prevent an exploit targeting Windows users. Windows Update can be configured to install updates automatically, to ensure that a computer is always up-to-date and not vulnerable [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><a href="http://cyber-smarty.com/wp-content/uploads/2009/11/win-update.JPG"><img class="alignleft size-full wp-image-155" title="win-update" src="http://cyber-smarty.com/wp-content/uploads/2009/11/win-update.JPG" alt="win-update" width="151" height="154" /></a>Security updates are delivered on the second Tuesday of each month, which is called “Patch Tuesday”, but security updates can be delivered whenever a software update is required to prevent an exploit targeting Windows users. Windows Update can be configured to install updates automatically, to ensure that a computer is always up-to-date and not vulnerable to computer worms and other malware.</p>
<p style="text-align: justify;"><strong>Why update systems with patches provided by Microsoft?</strong><br />
The Windows <a href="http://cyber-smarty.com/2009/09/should-i-migrate-to-windows-7/">operating system</a> we use on our computers is fundamentally made up of millions of lines of programming code. For example, Windows Vista is made up of about fifty million lines of code. Errors are inevitably made while typing out these 50,000,000 lines, thus making the software vulnerable.</p>
<p style="text-align: justify;">Hackers try to exploit the vulnerabilities created by these mistakes in the software. They use the hacked computer to send spam and to steal the passwords of the owners/users in order to take over their identities and make online purchases.</p>
<p style="text-align: justify;">In order to repair these errors, Microsoft regularly releases updates/patches for its products. These updates automatically take care of the vulnerable part of the code by repairing it or replacing it with safer code.</p>
<p style="text-align: justify;"><strong>Quick Facts:</strong><br />
As of 2008, Windows Update has about 500 million clients, processes about 350 million unique scans per day, and maintains an average of 1.5 million simultaneous connections to client machines. On Patch Tuesday, the day Microsoft typically releases new software updates, outbound traffic can exceed 500 gigabits per second. Approximately 90% of all clients use automatic updates to initiate software updates, with the remaining 10% using the Windows Update web site. The web site is built using ASP.NET, and processes an average of 90,000 page requests per second.</p>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">How to perform Windows Update &#8211; for Dummies:</span></strong><br />
There are many ways in which you can update Windows manually.</p>
<ul>
<li>Go to All Programs in the Start menu, find “Windows Update” and click on it. <em><strong>(OR)</strong></em></li>
<li>Right-click on “My Computer”. Go to the “Automatic Updates” tab. Click on “Windows Update Website”. <em><strong>(OR)</strong></em></li>
<li>Open “Internet Explorer”. Type <strong>windowsupdate.microsoft.com</strong> in the address bar and hit Enter.</li>
</ul>
<p style="text-align: justify;">All the above steps will direct you to the Windows Update site of Microsoft. Click on the “Express” button. The site will provide all the recommended updates for your computer. Click on ‘<strong>Review and Install Updates</strong>’ and then on ‘<strong>Install Now</strong>.’</p>
<p style="text-align: justify;"><strong>Precautions while performing windows updates:</strong></p>
<ul style="text-align: justify;">
<li>Log in to your system as Administrator.</li>
<li>Make sure there is no interruption in power or Internet connectivity while updates are in progress. That may make things messy for later updates.</li>
<li>Some updates require restarting your computer. Make sure you save and close all your work and applications before you start the installation process.</li>
<li>Use Internet Explorer only, as updates don’t work in other browsers.</li>
</ul>
<p style="text-align: justify;"><strong>PS:</strong> The above-mentioned process is for people without much knowledge of “Windows updates”.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/11/why-should-we-run-windows-updates-regularly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Source Utility for Enhanced Password Security</title>
		<link>http://cyber-smarty.com/2009/10/open-source-utility-for-enhanced-password-security/</link>
		<comments>http://cyber-smarty.com/2009/10/open-source-utility-for-enhanced-password-security/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 11:19:19 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Cyber tips]]></category>
		<category><![CDATA[downloading]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=136</guid>
		<description><![CDATA[With the increase of online banking, online e-mail, online purchases, etc., there is a need for increased password security. If you are like many people who use the same password for most sites, you are in trouble if your password gets hacked. You need to make your passwords complex and tough to crack and create [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">With the increase in online banking, online e-mail, online purchases, etc., there is a need for increased password security. If you are like the many people who use the same password for most sites, you are in trouble if your password gets hacked. You need to make your passwords complex and tough to crack and create a separate password for each account. Once you create a different complex password for each site, the problem is how to remember these passwords. The last thing you want to do is write the passwords down on paper or in a notebook and carry them in your wallet/purse.</p>
<p style="text-align: justify;">KeePass is an open source utility that works on almost any platform, including your smartphone (clients are available for Windows, Ubuntu, Linux, MacOS X, J2ME (cell phones), Blackberry, Windows Mobile and more). You can store your passwords in a password-protected and encrypted database and use the passwords when needed. It will even generate a complex password for you. KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases. There are many plugins available that add things like form filling, an onscreen keyboard, etc.</p>
<p>Click <a rel="nofollow" href="http://www.keepass.info/" target="_blank">here</a> for more information on KeePass.</p>
<p style="text-align: justify;">
<div id="attachment_144" class="wp-caption aligncenter" style="width: 310px"><a href="http://cyber-smarty.com/wp-content/uploads/2009/10/main_big.JPG"><img class="size-medium wp-image-144" title="main_big" src="http://cyber-smarty.com/wp-content/uploads/2009/10/main_big-300x206.jpg" alt="Keepas Demo Screenshot" width="300" height="206" /></a><p class="wp-caption-text">KeePass Demo Screenshot</p></div>
<p><span style="text-decoration: underline;"><strong>Source:</strong></span> http://vjalagam.blogspot.com/2009/09/keepass-opensource-password-safe.html</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/10/open-source-utility-for-enhanced-password-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technical Tips to Prevent Phishing</title>
		<link>http://cyber-smarty.com/2009/10/technical-tips-to-prevent-phishing/</link>
		<comments>http://cyber-smarty.com/2009/10/technical-tips-to-prevent-phishing/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 14:02:30 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Cyber tips]]></category>
		<category><![CDATA[phishing awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=123</guid>
		<description><![CDATA[Many anti-phishing browsers have been implemented till date and some of them include embedding features in browsers, as extensions or toolbars in browsers, and as part of website login procedures. Most websites that are targeted for phishing are secure, meaning that SSL with strong cryptography is used for server authentication. In principle, it should be [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Many anti-<a href=" http://cyber-smarty.com/2009/10/social-responses-to-prevent-phishing/ ">phishing</a> measures have been implemented to date, including features embedded in browsers, extensions or toolbars for browsers, and parts of website login procedures. Most websites that are targeted for <a href="http://cyber-smarty.com/2009/09/phishing-types-and-precautions/ ">phishing</a> are secure, meaning that SSL with strong cryptography is used for server authentication. In principle, it should be possible to confirm the site using the SSL authentication, but in practice, it is easy to deceive the user.</p>
<p style="text-align: justify;">The superficial flaw is that the browser&#8217;s security User Interface (UI) is insufficient to deal with today&#8217;s strong threats. There are three parts to secure authentication: first, an indication that the connection is in authenticated mode; second, which site the user is connected to; and third, which authority says it is the site that it claims to be.</p>
<p style="text-align: justify;"><strong>Secure Connection:</strong> The user easily misses the padlock that was the standard display for secure browsing from the mid-1990s to the mid-2000s. Mozilla featured a yellow URL bar in 2005 as a better indication that the connection is secure. Unfortunately, this innovation was then reversed due to EV Certificates, which replaced high value certificates with a green display and the rest with a white display.</p>
<p style="text-align: justify;"><strong>Which Site:</strong> The user is expected to be sure that the domain name in the browser&#8217;s URL bar is in fact where they wanted to go. URLs can be too complex to be parsed, and users often do not know or recognize the URL they intend to go to, making authentication meaningless. Many e-commerce sites change domain names within their overall set of websites, making it harder for the user to keep track. Also, simply displaying the domain name of the visited website, as some anti-phishing toolbars do, is insufficient.</p>
<p style="text-align: justify;">Firefox offers an alternative: a pet name extension which lets users type in their own labels for websites, so that they can recognize them when they later return to the website. In addition, if the site is not recognized then the software warns the user or detects it outright. This represents the user-centric identity management of the server. A graphical image selected by a user could be a better identification.</p>
<p style="text-align: justify;">With the introduction of EV Certificates, browsers display the organization&#8217;s name in green, making it more visible and hopefully more consistent with the user&#8217;s expectations. But the browser vendors have limited this display to EV Certificates only, leaving the user groping in the dark for other certificates.</p>
<p style="text-align: justify;"><strong>Who is the Authority:</strong> As far as the user is concerned, the browser is the authority at the simplest level, since no authority is stated at this stage. The current practice is for the browser vendors to control a root list of acceptable CAs. The problem is that all Certification Authorities (CAs) employ neither good nor applicable checking. In addition, not all CAs subscribe to the same model and concept that certificates are only about authenticating web sites or e-commerce organizations. Certificate Manufacturing is the term given to low value certificates that are delivered on a credit card and an email confirmation, which can be easily perverted by fraudsters. Thus, a valid certificate issued by another CA may spoof a high value site. This could happen because the CA is in another part of the world and is unfamiliar with high value e-commerce sites. Nevertheless, since the CA is charged with protecting its own customers and not the customers of another CA, there is an inherent flaw in this model.</p>
<p style="text-align: justify;">The solution to the above problem is that the browser should show, and the user must be familiar with, the name of the authority that issues the certificate. This projects the CA as a brand and allows the user to come in contact with the handful of CAs in their country. The use of a brand provides the CA with an incentive to improve its checking, and the user would demand good checking for high value sites.</p>
<p style="text-align: justify;">This solution was put into action in early versions of IE7, where the issuing CA was displayed when showing EV Certificates. Nevertheless, this turns out to be an isolated case. There is resistance to branding CAs on the chrome, resulting in a fallback to the simplest level above: the browser is the user&#8217;s authority.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/10/technical-tips-to-prevent-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Responses to Prevent Phishing</title>
		<link>http://cyber-smarty.com/2009/10/social-responses-to-prevent-phishing/</link>
		<comments>http://cyber-smarty.com/2009/10/social-responses-to-prevent-phishing/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 13:35:03 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[Secure Downloading]]></category>
		<category><![CDATA[Spam Awareness]]></category>
		<category><![CDATA[phishing awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=115</guid>
		<description><![CDATA[One technique used to combat phishing is training people to recognize phishing attempts, and exposing them to the know-how of dealing with them. Education can be effective since training provides a direct feedback. Spear phishing, a form of phishing targeted at a specific company, was harnessed to train individuals at various locations that included the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">One technique used to combat <a href="http://cyber-smarty.com/2009/10/technical-tips-to-prevent-phishing/">phishing</a> is training people to recognize <a href="http://cyber-smarty.com/2009/09/phishing-types-and-precautions/">phishing</a> attempts, and exposing them to the know-how of dealing with them. Education can be effective since training provides direct feedback. Spear phishing, a form of phishing targeted at a specific company, was harnessed to train individuals at various locations that included the United States Military Academy at West Point, NY. In a spear phishing experiment conducted in June 2004, 80% of 500 United States Military Academy, West Point cadets were tricked when a fake email was sent, and revealed their personal information.</p>
<p style="text-align: justify;">People must take appropriate steps to protect themselves from phishing by slightly modifying their browsing habits and taking correct initiatives. When asked to reveal any personal and sensitive information, which may include account details or any password, wisdom calls for contacting the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address of the website which the user knows to be legitimate can be typed in the address bar rather than trusting any hyperlinks within the suspected message.</p>
<p style="text-align: justify;">Nearly all websites contain information that is not available directly to the phishers. PayPal, for example, always addresses users by their user names and not by generic names such as “Dear PayPal Customer”. This information can be used as a means of identifying whether the website is real or fake. Some financial institutions may use the account numbers of their customers as a means to authenticate the messages. But according to a recent study, customers typically do not distinguish between the first few digits and the last few digits of an account number, which is a significant problem since the first few digits are the same for most financial institutions. People&#8217;s suspicion can be aroused if they do not find any specific personal information in their messages. Yet phishing attempts in early 2006 included personal information, which made it unsafe to assume that a message is safe because it carries personal information. Furthermore, according to recent research, people hardly pay attention to the fact that personal information is present, and hence the presence of this personal information does not bring down the success rate of phishing attacks.</p>
<p style="text-align: justify;">The Anti-Phishing Working Group predicts that the conventional phishing attacks would become obsolete in the future due to the awareness among the people against phishing. They predict that pharming and other forms of malware will become useful in stealing information.</p>
<p style="text-align: justify;">It would be a courteous act for everyone to educate people about safe practices and to avoid dangerous ones. Unfortunately, even well-known players are known to incite users to hazardous behavior, for example by requesting their users to reveal their passwords for third-party services such as email, thus aggravating the menace.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/10/social-responses-to-prevent-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Impact of Junk Emails on Corporates</title>
		<link>http://cyber-smarty.com/2009/10/impact-of-junk-emails-on-corporates/</link>
		<comments>http://cyber-smarty.com/2009/10/impact-of-junk-emails-on-corporates/#comments</comments>
		<pubDate>Sun, 25 Oct 2009 13:33:26 +0000</pubDate>
		<dc:creator>cyber-geek</dc:creator>
				<category><![CDATA[eMail Spam Awareness]]></category>

		<guid isPermaLink="false">http://cyber-smarty.com/?p=113</guid>
		<description><![CDATA[Unsolicited email was first considered a bit of joke earning the jocular name of spam. However, as the spam volumes rose to epidemic proportions what was a minor crisis in the life of an IT professional soon snowballed into a major crisis. Factual figures estimate that spam amounts to nearly 95 percent of all emails. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Unsolicited email was first considered a bit of a joke, earning the jocular name of spam. However, as spam volumes rose to epidemic proportions, what was a minor crisis in the life of an IT professional soon snowballed into a major crisis. Factual figures estimate that spam amounts to nearly 95 percent of all emails. According to Jupiter Research reports, the active email consumer received a shocking 3253 pieces of spam in 2005.</p>
<p style="text-align: justify;">This matter has to be taken seriously these days. The daily flood of junk email has an adverse effect on corporations by clogging their networks and filling up mail server bandwidth. It can also act as a gateway for serious network related threats such as Trojans, viruses, worms, and phishing scams that penetrate corporate networks. The cost of spam involves not just the cost of providing the extra bandwidth but also the cost of IT departments protecting their organizations from the various threats just described.</p>
<p style="text-align: justify;">Spam is a driving force behind the increasing number of data breaches in the corporate world. International awareness and the enforcement of anti-spam laws in countries like the USA have forced spammers to shift their operations to countries with weaker regulation. According to the IT security firm Sophos, spam operators are working hand in glove with hackers and virus writers, with 60 percent of all spam coming from computers infected with malware. According to Webroot Software&#8217;s State of Spyware report, 2005 was considered the biggest year yet for spyware.</p>
<p style="text-align: justify;">Apart from the security threats that firms face from spam, there are concerns that are even more serious. In today&#8217;s world, where corporate ethics matter a lot, firms are increasingly accountable for the actions of their employees. Any offensive message from a disgruntled employee can tarnish the name of the organization. Since there can be no definitive solution, the only way to reduce email related threats is to deploy ever more sophisticated server side filtering to keep spam and malicious emails from reaching the network.</p>
<p style="text-align: justify;">A Bank of Scotland (BoS) survey has found that about 37% of UK small firms were badly hit by unsolicited spam, viruses, and faxes. The study has found that though the cost of minor data losses and firewalls is less than 1000 Pounds a year for two-thirds of small firms, a full-scale virus attack can be terminal for entrepreneurs on tight budgets. Among over fifty firms polled, there was approximately one firm for which the cost of viruses exceeded 10,000 Pounds a year. A further 40 percent of the managers claimed that junk email significantly added to their costs, while one in ten lost an estimated 10,000 Pounds a year through lost productivity and purchasing email filtering systems. Though laws have come up which state that individuals are not allowed to send emails or any other means of communication without prior permission, these are valid only in the UK and did not provide any help in reducing the flood of spam in the USA.</p>
<p style="text-align: justify;">According to Eddie Morrison of BoS, computer viruses are clearly one of the scourges of our business age. He observes that it has become increasingly easy for small firms to be bombarded with multiple unsolicited emails and faxes for advertising and other purposes.</p>
<p style="text-align: justify;">Small firms are even more vulnerable to spam, with a chunk of them still without a junk email policy. Research conducted by Clearswift has found that 34 percent of small companies do not have measures in place to combat spam, while a further 57 percent of firms with a policy do not communicate it to the staff.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyber-smarty.com/2009/10/impact-of-junk-emails-on-corporates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
