Thursday, 15 April 2010 12:09
Akuma
Up to 88% of Fortune 500 companies may have been affected by the Zeus trojan, according to research by RSA's FraudAction Anti-Trojan division, part of EMC. The trojan installs keystroke loggers to steal login credentials to banking, social networking, and e-mail accounts.
The botnet was first identified in 2007 and is still around today. The malware tends to be difficult to detect and remove, and several million machines worldwide are believed to be infected. The Zeus server-side components, used to collect the stolen data, surprisingly mimic techniques more commonly seen in the world of commercial software; the software is licensed (with fees ranging from several hundred to a few thousand dollars), and each installation is tied to the hardware it's installed on in a system reminiscent of Microsoft's software activation. The malware itself predominantly attacks Windows XP machines, though Windows Vista and Windows 7 variants are available for sale too.
The value of Zeus control servers is such that they have themselves become targets for hackers, seeking to steal the large caches of stolen data.
RSA's study examined data found on Zeus control servers, finding e-mail addresses and IP addresses belonging to many major corporations. There was evidence of some form of infection from almost all the Fortune 500 companies, with stolen e-mail in particular from around 60 percent. About 20 companies with significant consumer-focused brands such as Google were excluded from the study as the sheer volume of data prevented any meaningful analysis.
Smaller companies (those with fewer than 75,000 employees) appeared to have a higher proportion of infected employees, suggesting that perhaps larger corporations are more effective at securing their systems and data. Home computers not subject to corporate IT policy but used to access corporate mail and networks are a particularly high risk.
Wednesday, 14 April 2010 15:50
Akuma
Apple issued Security Update 2010-003 on Wednesday afternoon for Mac OS X v.10.5.8 client and server, as well as Mac OS X v.10.6.3 client and server. The updates address an issue in the way Apple Type Services handles embedded fonts, preventing the “arbitrary execution of code” after a document is viewed or downloaded. Complete details about the update are available in the support section of Apple’s website.
Apple confirmed that the exploit was none other than the one that was discovered on the first day of the Pwn2Own contest that we reported on last month. The event marked the third year in a row in which security researcher Charlie Miller was able to compromise a Mac running OS X. At the time, many believed the hack exploited an issue in Safari but, as we discovered today, the problem stemmed from the Apple Type Services that Safari makes use of.
With this update, Apple has effectively patched half of the exploits found during this year's Pwn2Own. Still, Apple has yet to patch an iPhone vulnerability discovered by Vincenzo Iozzo and Ralf Philipp Weinmann, which allows undesired access to text messages in the iPhone OS.
Tuesday, 06 April 2010 09:10
Akuma
The people who uncovered GhostNet, an extensive cyber espionage network that targeted the Tibetan exile community, are back with a sequel. Starting with an infected machine that was found during that investigation, an international team of researchers has uncovered a completely separate network that primarily targeted the Indian government, and turned up some classified documents that had been obtained by the hackers. By reconstructing the network, the team was able to trace things back to the hacking community in Chengdu, China.
The work involved a collaboration between the Information Warfare Monitor and the Shadowserver Foundation, but, over the course of its work, involved dozens of other security groups and experts. It also benefitted from extensive cooperation with the Office of His Holiness the Dalai Lama, which had previously approached the security researchers in response to security lapses that unearthed GhostNet. The researchers take what they term a "fusion methodology," which is basically a combination of fieldwork—studying infected systems in situ—with standard security approaches.
Wednesday, 31 March 2010 15:15
Akuma
Three foreign journalists and one analyst, all of whom focus on China, have recently reported problems with Yahoo e-mail accounts, at least two of which were confirmed hacking attempts. The source of the problems isn't known, but all four report hearing of similar problems from colleagues that report primarily on China-related issues.
One of the journalists, Clifford Coonan, received a notice that there was an "issue" with his account when attempting to log in Tuesday, according to an Associated Press report. Yahoo confirmed there were suspicious login attempts on his account. Coonan serves as a China correspondent for both The Independent and the Irish Times.
Two other unnamed journalists told AP that they had received similar notices in January and February respectively. A financial analyst that focuses on China confirmed with Yahoo that his account had been hacked. For its part, Yahoo has said that it will "take appropriate action" for any confirmed hacking attempts.
Coonan speculated that he might merely be the target of broad hacking attempts, but worried of the implications if foreigners with ties to China were being specifically targeted. "It's obviously annoying, but if it's just journalists and academics, that's scary," he told AP.
The problems happened shortly after Google complained of hacking attempts originating from China and moved to end its practice of censoring search results in China.
Monday, 29 March 2010 06:55
Akuma
SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the 'Net with impunity. We're all told to check for the little padlock in our address bars before handing over any sensitive information. SSL is also increasingly a feature of webmail providers, instant messaging, and other forms of online communication.
Recent discoveries by Wired and a paper by security researchers Christopher Soghoian and Sid Stamm suggest that SSL might not be as secure as once thought. Not because SSL itself has been compromised, but because governments are conspiring with Certificate Authorities, key parts of the SSL infrastructure, to subvert the entire system to allow them to spy on anyone they wish to keep tabs on.
Thursday, 25 March 2010 05:44
Akuma
The US government disburses a significant amount of foreign aid to many countries and, in recent decades, that money has been used as a carrot to induce more acceptable behavior from its recipients. In a variety of laws, Congress has required that the executive branch certify that a nation has made progress in areas like human rights or narcotics control before different forms of aid to that country can be approved, including continuation of "most favored nation" trading status. Now, there's a move afoot to extend this protocol to another area of concern: cybercrime.
A bill, going by the title "International Cybercrime Reporting and Cooperation Act," has been introduced by a bipartisan group of Senators that includes Utah's Orrin Hatch (R) and New York's Kirsten Gillibrand (D). In its current form, it would require the president to evaluate the state of a given country's efforts to keep cybercrime under control. That evaluation could lead to the identification of "Countries of Cyber Concern," those which aren't doing enough to limit the impact of online crime.
Wednesday, 10 March 2010 13:17
Akuma
By now, it's practically a mantra that the biggest problem with corporate IT security is the employees themselves. However, we usually assume that's due to ignorant users or poorly enforced policies. Not so for a chunk of the US working population—according to a survey conducted by Harris Interactive, 12 percent admitted to knowingly violating IT policy in order to get work done.
The survey of 1,347 employed adults was conducted on behalf of Fiberlink, a company that hawks services that "help enterprises connect, control and secure laptops and mobile devices." Needless to say, the survey results fit perfectly into the company's agenda, but they are hardly surprising. After all, how many of us know someone who has left a work laptop in an unattended vehicle, sent unencrypted e-mails without permission, or reused the same three passwords over and over instead of choosing new ones every 90 days?
Fiberlink CEO Jim Sheward warned of the obvious. "IT departments nationwide spend a lot of time and money on their compliance, usage, and access policies, but they only work if people follow the rules," he said in an e-mailed statement. "[C]ompanies could face dangerous breaches that include the loss of sensitive data, competitive intelligence, or customers’ private information."
Harris' findings are supported by previous reports saying that leaky employees are a bigger threat than malware, that employees (not hackers) cause the most corporate data loss, and that employees' online activities pose the greatest threat to IT security. With 12 percent of those people actively working outside of stated IT policy (and plenty more who do so out of ignorance), IT admins certainly have their work cut out for them if they want to maintain a tight ship.
Wednesday, 03 March 2010 06:58
Akuma
A massive botnet of up to 12.7 million infected PCs has been dismantled after Spanish police, working in conjunction with a Canadian security firm, arrested the botnet's operators. The Mariposa botnet first emerged in December 2008, and was used to steal credit card and bank details from infected PCs. The malware driving it was spread through instant messaging, USB thumbdrives, and peer-to-peer networking.
Defence Intelligence, the Canadian firm involved in the bust, started investigating the botnet in spring 2009. The company discovered that the botnet had command and control servers based in Spain, and so joined forces with Spanish firm Panda Security. With their input, the authorities knocked the botnet offline around Christmas. Luck was on the investigators' side; the Internet services used by the hackers were willing to cooperate with the investigation, and most critically, one of the botnet's operators then tried to regain control of the botnet directly from his own PC. This mistake allowed the investigators to identify him and track him down.
The arrest of the operators of such a large botnet is unusual. Operators of smaller networks are easier to identify (smaller networks have less traffic to hide in), so arrests are relatively common. Operations such as Microsoft's recent disabling of the Waledac network may take the botnet offline, but the operators typically remain free to try again. The nature of the Mariposa network made catching the perpetrators particularly important; while botnets like Waledac and Conficker are used predominantly for spamming (annoying and illegal, but relatively harmless as these things go), Mariposa's harvesting of financial information made it much more dangerous.
The hackers themselves—unnamed, per Spanish privacy rules—appeared to be quite ordinary, far from the genius hacker stereotype. They were Spanish citizens with no prior criminal convictions, aged 31, 30, and 25. They depended on their connections in the criminal underworld to get them the resources necessary to start and operate the botnet. Though the network had likely made them rich—investigators are still examining bank records to determine just how much money was made—this was not reflected in their lifestyles. If convicted, they face up to six years in prison for hacking. Further arrests related to Mariposa are also expected.