A Method for Critical Data Theft

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.

The development, which was described on the group’s Web site Thursday, could also have implications for the protection of encrypted personal data from prosecutors.

The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access memory, or DRAM, chip. Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.

In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.

When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.

“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”

The researchers used special pattern-recognition software of their own to identify security keys among the millions or even billions of pieces of data on the memory chip.

“We think this is pretty serious to the extent people are relying on file protection,” Mr. Felten said.

The team, which included five graduate students led by Mr. Felten and three independent technical experts, said they did not know if such an attack capability would compromise government computer information because details of how classified computer data is protected are not publicly available.

Officials at the Department of Homeland Security, which paid for a portion of the research, did not return repeated calls for comment.

The researchers also said they had not explored disk encryption protection systems as now built into some commercial disk drives.

But they said they had proved that so-called Trusted Computing hardware, an industry standard approach that has been heralded as significantly increasing the security of modern personal computers, does not appear to stop the potential attacks.

A number of computer security experts said the research results were an indication that assertions of robust computer security should be regarded with caution.

“This is just another example of how things aren’t quite what they seem when people tell you things are secure,” said Peter Neumann, a security researcher at SRI International in Menlo Park, Calif.

The Princeton researchers wrote that they were able to compromise encrypted information stored using special utilities in the Windows, Macintosh and Linux operating systems.

Apple has had a FileVault disk encryption feature as an option in its OS X operating system since 2003. Microsoft added file encryption last year with BitLocker features in its Windows Vista operating system. The programs both use the federal government’s certified Advanced Encryption Standard algorithm to scramble data as it is read from and written to a computer hard disk. But both programs leave the keys in computer memory in an unencrypted form.

“The software world tends not to think about these issues,” said Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania. “We tend to make assumptions about the hardware. When we find out that those assumptions are wrong, we’re in trouble.”

Both of the software publishers said they ship their operating systems with the file encryption turned off. It is then up to the customer to turn on the feature.

Executives of Microsoft said BitLocker has a range of protection options that they referred to as “good, better and best.”

Austin Wilson, director of Windows product management security at Microsoft, said the company recommended that BitLocker be used in some cases with additional hardware security. That might include either a special U.S.B. hardware key, or a secure identification card that generates an additional key string.

The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered.

An Apple spokeswoman said that the security of the FileVault system could also be enhanced by using a secure card to add to the strength of the key.

The researchers said they began exploring the utilities for vulnerabilities last fall after seeing a reference to the persistence of data in memory in a technical paper written by computer scientists at Stanford in 2005.

The Princeton group included Seth D. Schoen of the Electronic Frontier Foundation, William Paul of Wind River Systems and Jacob Appelbaum, an independent computer security researcher.

The issue of protecting information with disk encryption technology became prominent recently in a criminal case involving a Canadian citizen who late in 2006 was stopped by United States customs agents who said they had found child pornography on his computer.

When the agents tried to examine the machine later, they discovered that the data was protected by encryption. The suspect has refused to divulge his password. A federal agent testified in court that the only way to determine the password otherwise would be with a password guessing program, which could take years. (By John Markoff)

Virus and Threat Info

I-Worm/Nuwar

The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed emails are brief and contain a link, given as a bare IP address, to currently active pages hosting the worm. The compromised page's code has been changed so that the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110-130 kB in size, and is detected by AVG as I-Worm/Nuwar.N.

February 12, 2008

I-Worm/Nuwar

There is a new wave of spammed mail messages containing a link that directs users to a website from which the worm can be downloaded. The emails contain a short text and the IP address of currently active pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115 kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.

January 15, 2008

Downloader.Tibs

A new Downloader.Tibs variant is spreading today thanks to massive spamming. The infected emails contain an attachment about 130-140 kB in size, usually named happy2008.exe, which is the trojan horse itself. There are also emails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs.

December 25, 2007

Win32/Mabezat.A

In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector that infects PE files. More information can be found in our Virus Encyclopedia.

November 14, 2007

Trojan Downloader.Agent.UZM

A new Trojan Downloader was spammed today. The trojan is attached in a zip archive to HTML-format emails with the subject "Hot game" and body text claiming to offer an Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992 B), which drops, executes and then deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs, injects into and hides an Iexplore.exe process and downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe as Trojan Downloader.Agent.UZN, runtime.sys as Trojan Downloader.Agent.THW, and the other downloaded components are detected as several variants of Trojan Backdoor.Ntrootkit.

November 10, 2007

I-Worm/Stration downloader

The next Stration downloader variant spreads by email in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, 18708 B long, is the downloader itself; AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

November 5, 2007

I-Worm/Stration downloader

The latest Stration downloader spreads by email in messages with a randomly generated subject and body and two attachments, one EXE and one PDF file. The EXE file is 20992 B in size and is the downloader itself; AVG detects it as I-Worm/Stration.FJA. The file the downloader tries to fetch is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

November 1, 2007

Stration downloader

A new Stration downloader was seeded this morning using mail messages with a variable subject and body and two attachments: one with a pdf extension and a second with an exe extension, 4096 B in size, which is the downloader itself. AVG detects this threat as Trojan horse Downloader.Generic6.PFM. The downloader tries to download and install Stration on the affected system, but the Stration download link is no longer active. More information about the Stration worm family can be found in the Virus Encyclopedia.

October 19, 2007

Win32/Virut

Several new variants of the Virut parasitic infector were discovered in the last few days. We've added detection routines for this threat in the latest program update, 7.5.484, so please update your AVG. Win32/Virut is a polymorphic file infector that infects PE files with the .exe extension. More information can be found in our Virus Encyclopedia.

August 16, 2007

How can I recognize a phishing email?

You should consider several factors when deciding whether or not an email is authentic. This example email has some telltale signs of a phisher at work:

Unofficial "From" address: Look out for a sender's email address that is similar to, but not the same as, a company's official email address. Fraudsters often sign up for free email accounts with company names in them (such as "ysmallbusiness@yahoo.com"). These email addresses are meant to fool you. Official email from Yahoo! always comes from an "@yahoo-inc.com" email address.

Note: Fraudsters can forge the "From" address to look like a legitimate corporate address (like "@yahoo-inc.com"). Because of this, the "From" address is just one factor to consider when deciding if an email is trustworthy.

Urgent action required: Fraudsters often include urgent "calls to action" to try to get you to react immediately. Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.

Note: Legitimate companies will never ask you to verify or provide confidential or financial information in an unsolicited email.

Generic greeting: Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."

Note: Sophisticated fraudsters can get your name from public records and target you directly, so even if an email includes your name, it may not be authentic. Whether an email addresses you generically or by name is just one factor to consider when deciding if an email is trustworthy.

Link to a fake web site: To trick you into disclosing your user name and password, fraudsters often include a link to a fake web site that looks like (sometimes exactly like) the sign-in page of a legitimate web site. Just because a site includes a company's logo or looks like the real page doesn't mean it is! Logos and the appearance of legitimate web sites are easy to copy. In the email, look out for:
Links containing an official company name, but in the wrong location. For example: "http://www.yahoo.com:login&mode=secure&ib35" is a fake address that doesn't go to a real Yahoo! web site. A real Yahoo! web address has a forward slash ("/") after "yahoo.com" — for example, "http://www.yahoo.com/" or "https://login.yahoo.com/."
Masked links that look like they go to the real web site, but don't. In the sample email, the link says "smallbusiness.yahoo.com," but if you place your mouse pointer over the link, you can see the real address (in the yellow box) — "http://218.246.224.203/yahoo/accountupdate." You usually can see a link's real destination by placing your mouse pointer over it.

Note: All Yahoo! sign-in pages are served over SSL (Secure Sockets Layer), a standard used to encrypt data transmissions. A genuine Yahoo! sign-in page always starts with "https," such as "https://login.yahoo.com." However, the presence of "https" should be only one factor to consider in deciding if a web site is trustworthy, because some phishing sites illegitimately use SSL. Learn about the other ways to recognize a phishing web site.

Legitimate links mixed with fake links: Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they're mimicking. These authentic links are mixed in with links to a fake phishing web site in order to make the spoof site appear more realistic.

And look for these other indicators that an email might not be trustworthy:
Spelling errors, poor grammar, or inferior graphics.
Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
Attachments (which might contain viruses or keystroke loggers, which record what you type).

It can be very difficult to discern a phishing email from the real thing. Remember that if you have any doubt about the authenticity of a web site, close your web browser, reopen it, and type the web site address in your browser's Address bar.
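The link checks the guide describes can be automated. The following is an added example, not part of the original Yahoo! help text: it parses an anchor's visible text and its real href, rejects the "company name in the wrong location" form (where the text after the colon is not a port number, so the URL never reaches yahoo.com), flags masked links whose visible text names a trusted site while the href goes to a bare IP address elsewhere, and notes sign-in links that are not served over https. The trusted-domain list and the sample anchors are constructed for the demo.

```python
"""Inspect anchors for the deceptive link patterns described above.

Added example, not from the original page. TRUSTED_SUFFIXES and the sample
anchors below are assumptions constructed for the demonstration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts the reader actually means to sign in to (assumption for this example).
TRUSTED_SUFFIXES = ("yahoo.com",)


def parse_url(url):
    """Return (scheme, host, error); error is None only for a well-formed URL."""
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError when the text after ':' is not a port
    except ValueError as exc:
        return None, None, str(exc)
    host = (parts.hostname or "").lower()
    if not host:
        return parts.scheme.lower(), None, "no host in URL"
    return parts.scheme.lower(), host, None


def is_trusted_host(host, suffixes=TRUSTED_SUFFIXES):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address such as 218.246.224.203."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def host_named_in_text(text):
    """If the visible link text itself looks like a URL or hostname, return that host."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    _, host, err = parse_url(text)
    return None if err else host


def check_link(display_text, href, suffixes=TRUSTED_SUFFIXES):
    """Return warning codes for one anchor; an empty list means nothing was found."""
    scheme, host, err = parse_url(href)
    if err or host is None:
        # "http://www.yahoo.com:login&mode=secure&ib35": 'login&mode=...' is not
        # a port, so the URL is malformed and does not lead to yahoo.com at all.
        return ["malformed-url"]
    warnings = []
    if is_ip_literal(host):
        warnings.append("ip-literal-host")
    if not is_trusted_host(host, suffixes):
        warnings.append("untrusted-host")
    shown = host_named_in_text(display_text)
    if shown and is_trusted_host(shown, suffixes) and shown != host:
        # Masked link: the text names a trusted site but the href goes elsewhere.
        warnings.append("masked-link")
    if is_trusted_host(host, suffixes) and scheme != "https":
        warnings.append("not-https")
    return warnings


# Constructed sample anchors modelled on the guide's two examples.
SAMPLE_LINKS = [
    ("smallbusiness.yahoo.com", "http://218.246.224.203/yahoo/accountupdate"),
    ("http://www.yahoo.com:login&mode=secure&ib35",
     "http://www.yahoo.com:login&mode=secure&ib35"),
    ("https://login.yahoo.com/", "https://login.yahoo.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(href, "->", check_link(text, href) or ["ok"])
```

The check deliberately treats the malformed URL as a hard stop rather than trying to guess where it would go; a URL a browser cannot parse consistently is itself the warning sign. The https check applies only to hosts that are trusted, because, as the guide notes, https on an untrusted host proves nothing.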

Security Warning 2008: Top 11 Malware

Lieware

In 2007, there was a lot of "rogue anti-virus software," which is sometimes also referred to as "fake anti-virus software." But these terms are confusing because there's too much negation going on. Fake anti-virus software is not anti-virus software at all. So what is it? "Lieware" is a much less unwieldy term to describe software that purports to be something that it isn't. With only 420 mentions in Google, the term has nowhere near the recognition of "adware" or "spyware." But thanks to the growing need for anti-virus products, we're sure to see more lieware trying to trick its way onto our systems.

Spham or Spamble

Security researchers foresee a rise in spam targeting mobile devices, particularly via SMS. Although the unappealing term "blogging" has given rise to the even more unappealing "moblogging" (blogging on a mobile device), "mospam" just doesn't work. While some have proposed "spamble" as shorthand for gambling spam, the term also has potential to suggest spam received while ambling about with a mobile device. "Spham" offers a more straightforward way to mix spam and phone, though the fact that it sounds the same as "spam" when spoken may limit its appeal. (Yes, you could emphasize the "h" and say "sp-ham," but people would just wonder whether the cause of your odd pronunciation was contagious.)

Backdoored

Everyone in the computer security business is familiar with backdoors and backdoor Trojans. In 2008, "backdoor," heretofore an adjective or noun, has a shot at being promoted, like the word "google," to verb. Here, in a hypothetical conversation with your company's chief security officer, is how it might be used: "You were backdoored? Has anyone spoken for your office?" The reason for this is the success of malware like the Zlob backdoor Trojan, which security researchers expect to see much more frequently in the year to come.

Patch Fix

The patch fix is the patch that fixes the last patch. It may seem redundant, like "pizza pie," but given the number of patches that create more problems and subsequently have to be patched, redundancy appears to be necessary to compensate for the absence of code quality.

"SEO poisoning" and "spamdexing" are both serviceable terms to describe this phenomenon. But few outside the tech and media industries know that SEO stands for search engine optimization, and spamdexing, after more than a decade of use, remains hobbled by legal tolerance for spamming and near universal desire among Web site owners for the benefits of spamdexing, namely better PageRank. Warning that a search site contains "indexically transmissible viruses" seems likely to elicit more caution from searchers, and more action from search engines, than those two older terms of art.

Snookies

Though the term, with 19,000 entries on Google, is the name of a cookie company, it might well be employed in the tech industry to refer to the misuse of Internet cookies, which are files that Web sites deposit on visitors' computers to identify them and to provide services.

Snookies, which stands for sneaky cookies, or subdomain cookies if you prefer something less pejorative, look like they're coming from the Web domain of the site visited, but the subdomain they come from -- subdomain.domain.com, for example -- is set to point to a third-party server. The reason this is done is to avoid being blocked by users who have their Web browsers set to reject cookies from third-party sites.
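The mechanism can be checked from the DNS side: a cookie whose domain matches the site you are on, but whose hostname is a CNAME alias for a server in some other organisation's domain, is the pattern described above. The following is an added example, not code from the original article; the DNS records, hostnames (example.com and tracker-example.net are placeholders) and the classification names are constructed for the demo, and "registrable domain" is simplified to the last two labels rather than a public-suffix lookup.

```python
"""Classify a cookie as first-party, third-party, or a 'snookie'.

Added example, not from the original article. CNAME_RECORDS stands in for a
DNS lookup and all hostnames are constructed placeholders.
"""


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def resolve_cname_chain(host, cname_records, limit=8):
    """Follow CNAME aliases from host; returns every name in the chain, first to last.

    Stops at the first name without an alias, at a loop, or after `limit` hops.
    """
    chain = [host.lower()]
    while chain[-1] in cname_records and len(chain) <= limit:
        nxt = cname_records[chain[-1]].lower()
        if nxt in chain:
            break  # CNAME loop; stop rather than spin
        chain.append(nxt)
    return chain


def classify_cookie(page_host, cookie_host, cname_records):
    """Return 'first-party', 'third-party' or 'snookie' for a cookie set by cookie_host.

    third-party: the cookie's domain differs from the page's; a browser's
                 third-party cookie setting can block it.
    snookie:     the cookie's domain matches the page, but the subdomain is a
                 CNAME to a server outside that domain.
    """
    site = registrable_domain(page_host)
    if registrable_domain(cookie_host) != site:
        return "third-party"
    final_host = resolve_cname_chain(cookie_host, cname_records)[-1]
    if registrable_domain(final_host) != site:
        return "snookie"
    return "first-party"


# Constructed DNS data: metrics.example.com is aliased, via an intermediate
# name, to a host in a different organisation's domain.
CNAME_RECORDS = {
    "metrics.example.com": "edge.metrics.example.com",
    "edge.metrics.example.com": "collect.tracker-example.net",
}

# Constructed observations: (page visited, host that set the cookie).
SAMPLE_COOKIES = [
    ("www.example.com", "www.example.com"),
    ("www.example.com", "ads.tracker-example.net"),
    ("www.example.com", "metrics.example.com"),
]

if __name__ == "__main__":
    for page, cookie_host in SAMPLE_COOKIES:
        print(f"{cookie_host:28s} {classify_cookie(page, cookie_host, CNAME_RECORDS)}")
```

The chain is resolved fully rather than one hop, because an alias to an in-domain name that is itself aliased out of the domain would otherwise pass as first-party.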

Anti-Social Networking

A term that parodied the social networking craze could see further straight-faced use as cyber criminals step up efforts to pillage personal information from the likes of Facebook, MySpace, and Orkut. Google squashed the Orkut worm that emerged in December quite quickly but it's a safe bet that schemes to steal social networking data will become more common.

Social Graft

The abuse of one's social graph -- as Facebook calls its friend list -- for material gain. This could be used to describe the use of Facebook's Beacon technology as well as outright efforts at identity theft or related fraud. The term just begs to be used as a variation on the Google Social Graph API; calling it the Social Graft API seems to capture the spirit of exploiting one's friends.

Whaling

When you phish for big fish, you're whaling. Alan Paller at the SANS Institute uses the term to refer to targeted phishing attacks directed at high-profile individuals. While it may be unnecessary, given that spear-phishing adequately communicates that the attack in question was targeted, the exclusivity of the term -- not just anyone can be the victim of whaling -- suggests it may prosper among journalists determined to subtly flatter, or apologize to, VIP subjects featured in security breach stories. Even if the term dies as a result of being unnecessary, the trend of trying to trick high-value targets into giving up the keys to the kingdom is sure to increase.

By the end of 2008, McAfee Avert Labs predicts it will have identified some 550,000 malicious programs, a 54% increase from 2007. With all the new malware emerging, we can expect new terminology to describe these constantly morphing threats. Here, then, is our only slightly tongue-in-cheek attempt to predict some of the rising threats in 2008 and the language that may be employed to describe those threats.

Badvertising

With 38,500 mentions in Google, "badvertising" already has more of a following than a word like "malcode." The phenomenon it describes, advertising with malice, has been around for several years at least. To date, it has been enough to refer to criminal advertising using terms like "spam," "adware," and "spyware."

The trouble with these terms is that they can be used to refer to legal software or activities. Spam, of course, is permitted under the CAN SPAM Act of 2003. Adware and spyware, meanwhile, can perform their functions legally with user notice and consent (at least until the notice and consent is successfully challenged in court as inadequate).

While "crimeware" is becoming a popular term in lieu of the more fuzzily defined "spyware," "badvertising" has an appealing specificity. "Crimeware" after all could refer not just to software but to hardware, like an ice pick. What "badvertising" recognizes is that not all advertising is good.

In 2008, we'll need the word because online advertising will become a major security problem. Indeed it is already: about 80% of malicious code online comes from online ads, according to the Q1 2007 Web Trends Security Report published by Finjan, a computer security company. Watch what happens when AdBlock Plus gets re-branded AdBlock Security.

Adsploit

We may also see "adsploit" emerge to refer to exploits delivered over ad networks. Admittedly, the term has a long way to go, with a mere four mentions in Google, none of which seem particularly coherent. But what better word is there to refer to malware like Trojan.Qhost.WU, which replaces Google AdSense text ads with ads from an unauthorized, potentially malicious provider.

Indexically Transmissible Viruses

Cyber criminals are working overtime to get their sites listed in search indexes. Gaming Google's PageRank algorithm to get one's malware site prominent placement on a search result page has proven to be an effective way to compromise the computers of unwary visitors. Google and the rest are fighting back, as Google's purge of tens of thousands of malware-riddled pages from its index in late November suggests. But the ease and speed with which new sites can be created means that the search companies have a hard time keeping up. Referring to "indexically transmissible viruses" seems like a way to blame search engines more and cyber criminals less, but that's the point: searching needs to be safe.

See original article on InformationWeek.com

Red Hat, Ubuntu Win Linux Popularity Open Source

Ubuntu and Red Hat are the most used Linux distributions among the 35,000 members of content-management vendor Alfresco's community, the company found in its second survey of trends in enterprise open-source software usage.

marketing officer. "It's important for us to know which platforms to test against first," he said, adding, "It's in users' interest to give us good data."

Among Linux operating systems, usage of Ubuntu and Red Hat stood at 35 percent and 23 percent, respectively, according to the survey. Suse, OpenSuse and Suse Enterprise collectively garnered 13 percent; Debian, 15 percent; and "other" distributions usage of 14 percent.

Users also reported using a variety of proprietary enterprise software.

Among Windows users, Vista adoption was just 2 percent, compared to 63 percent for Windows XP and 28 percent for Windows Server 2003.

Microsoft's Office suite remained strong, however, with 66 percent usage. Twenty-four percent of the respondents reported they used OpenOffice. However, German and French users were twice as likely to use the latter compared to those in the U.S. or U.K., Alfresco said.

Tomcat held a dominant position in the application server category, logging 72 percent. JBoss' entry stood at 18 percent. Entries from Sun, BEA and IBM rounded out the field.

In the virtualization category, VMware perhaps predictably ranked highest, at 61 percent. Microsoft's Virtual Server took 16 percent, followed by Xen, Parallels, Virtual Iron and "other" offerings, according to the study.

MySQL took home the database prize, with a 60 percent tally, followed by Oracle with 14 percent and Microsoft SQL Server with 13 percent.

"It kind of validates that people want to have a mixed stack," Howells said of the overall results.

Alfresco collected data between July and December of last year, with survey participants coming from 260 countries, according to the company. Fifty percent were from Europe, the Middle East and Asia, while 24 percent were in the U.S., and 26 percent from other nations, Alfresco said.