Sophos

Hacker invitation to Twitter carries malware danger

Hackers are exploiting the name of the blossoming micro-blogging website Twitter in their attempt to infect innocent computer users with malware.

Although we have in the past seen hackers hijack Twitter accounts, and malicious attacks spread via the Twitter service, on this occasion cybercriminals appear to have spammed out malware posing as an invitation to join the site.

The emails, which have the subject line "Your friend invited you to twitter!" and pretend to come from invitations@twitter.com, come with an attached file called Invitation Card.zip.

What should raise your suspicions is that the email says:

To join or to see who invited you, check the attachment.

Malicious email claiming to be an invitation from Twitter

Surely if you wanted to join Twitter, you would just visit their website? Why would you need to open an attachment?

If you do make the mistake of opening the attached file you are risking the security of not just your computer, but potentially your company's data too.

Sophos detects the attached ZIP file proactively as Mal/ZipMal-B and the file within as Mal/VB-AD. Users of security products from other vendors are recommended to check that their protection is up-to-date.

So far we've only seen a small number of these attacks in our global network of spamtraps.

Michael Jackson email-aware worm hits inboxes

The attached malicious file

Since the death of pop icon Michael Jackson last week there has been an avalanche of spam, scams and malware attacks exploiting interest in the controversial figure.

Now we have encountered a mass-mailing worm that spams out messages with the following characteristics:

Subject: Remembering Michael Jackson
Attached file: Michael songs and pictures.zip

The email, which claims to come from sarah@michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson.

Michael Jackson email worm

However, the reality is that opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular).

Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated.

In light of the huge interest in Jackson since his sudden death, there are likely to be many computer users who are tempted into opening the attachment.

Long-time followers of the computer security scene will be aware that although there has been much cybercriminal activity following Michael Jackson's death, he was not immune from having his name exploited by hackers when he was alive either.

For instance, in 2004 a Trojan horse was spammed out claiming to contain photographic evidence of Jackson abusing a young boy. The following year a malware campaign was spammed out claiming to contain breaking news that the music superstar had committed suicide.

And earlier this year, we exposed that scammers had managed to advertise their offers on Jackson's official website promoting his (now cancelled) concerts at the O2 in London.
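Both campaigns above share one tell: a ZIP attachment delivered under a recognisable sender, with body text urging the reader to open it. As an added example (not Sophos code or detection logic), here is a small mail-filter heuristic that parses a message, looks for an archive attachment, and flags the combination of a sender domain that only ever invites by web link and lure phrasing in the body. The sample messages are constructed from the details quoted in the two posts; the list of link-only services and the lure phrases are assumptions.

```python
"""Heuristic filter for attachment-based invitation and celebrity lures.
Added example, not Sophos code; sample messages below are constructed."""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Assumption: these services send invitations as links, never as attachments.
INVITE_ONLY_BY_LINK = {"twitter.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
# Assumed lure phrases, taken from the wording quoted in the posts.
LURE_PHRASES = [r"check the attachment", r"see who invited you",
                r"secret (songs|photos)"]


def sender_domain(msg: Message) -> str:
    """Domain claimed in the From header (it is not authenticated here)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def archive_attachments(msg: Message) -> list[str]:
    """Filenames of attached archives, judged by extension only."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename()
            and p.get_filename().lower().endswith(ARCHIVE_EXTENSIONS)]


def body_text(msg: Message) -> str:
    """All text/plain parts that are not themselves attachments, lower-cased."""
    chunks = [p.get_payload(decode=True).decode("utf-8", "replace")
              for p in msg.walk()
              if p.get_content_type() == "text/plain" and not p.get_filename()]
    return " ".join(chunks).lower()


def classify(raw: str) -> list[str]:
    """Return the reasons a message is suspicious; an empty list means not flagged."""
    msg = message_from_string(raw)
    archives = archive_attachments(msg)
    if not archives:
        return []                    # both campaigns rely on a ZIP being opened
    reasons = []
    dom = sender_domain(msg)
    if dom in INVITE_ONLY_BY_LINK:
        reasons.append(f"{dom} invites by link, yet carries archive {archives}")
    lures = [p for p in LURE_PHRASES if re.search(p, body_text(msg))]
    if lures:
        reasons.append("lure text: " + ", ".join(lures))
    return reasons


def build(sender: str, subject: str, body: str, attachment: str = None) -> str:
    """Build a constructed RFC 822 message string for the demonstration."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                         maintype="application", subtype="zip", filename=attachment)
    return m.as_string()


# Constructed samples based on the two posts (bodies are paraphrased).
TWITTER_LURE = build("invitations@twitter.com", "Your friend invited you to twitter!",
                     "To join or to see who invited you, check the attachment.",
                     "Invitation Card.zip")
JACKSON_LURE = build("sarah@michaeljackson.com", "Remembering Michael Jackson",
                     "Secret songs and photos of Michael Jackson are attached.",
                     "Michael songs and pictures.zip")
BENIGN_INVITE = build("invitations@twitter.com", "Your friend invited you to twitter!",
                      "Visit the site to join (constructed, no attachment).")

if __name__ == "__main__":
    for name, raw in [("twitter", TWITTER_LURE), ("jackson", JACKSON_LURE),
                      ("benign", BENIGN_INVITE)]:
        print(name, classify(raw))
```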

Guest blog: Beta test Sophos products, get Amazon vouchers

"Camera-phobic guest blogger Kim Charlton, who manages the beta program at Sophos, is trying to bribe you into helping us improve our products. Over to you Kim.."

Kim Charlton, after she's been fixed in PhotoShop

So, originally I wrote a begging email to Graham asking if he could mention the forthcoming beta programs for Endpoint Security and Control 9.0 and Small Business Solutions 4.0.

He was obviously a bit busy because he suggested that I write a "guest blog" myself. I was a bit reluctant - mainly about having my photo online - but I was told they can do wonders with Photoshop these days! :) Phew! Not that I'm vain or anything...

Anyway, really I want to appeal to any existing or potential customers of Sophos products to join the beta program – provided all last minute testing completes on time, we are expecting to release the software within the next few weeks.

You will then get a period of six weeks in which to evaluate the new features on your test network. We then ask you to complete an online feedback form which should take no more than 15 minutes of your precious time.

We are offering Amazon vouchers to those who return feedback to us within the given timescales. So not only do you have fun trying our new 'whiz bang' features but you get a gift for doing it too! What are you waiting for?

For details on the new product versions and to sign up, please visit:

http://www.sophos.com/products/beta

We are extremely keen to receive registrations from Small Business customers who can spare some time to review this latest version - you can even tell us what you'd like to see in the next version!

If anyone has any questions, you can email me. I'm going to go back to beta world now and leave the blogging to the experts!

Sophos and Utimaco in perfect harmony

It's an exciting day at Sophos, because we've completed the operational integration of Utimaco. That means that our global support, sales operations, HR, IT, marketing and finance teams are truly working as one, and we're operating as one company. Huzzah!

As you probably know, Sophos already incorporated Utimaco's encryption capabilities into our product lines.

One of my new colleagues shared with me a song that their team produced a while ago, promoting the wonderfulness of Utimaco. To my mind it's a classic example of Germanic eurocheese technopop. It is definitely worth a listen.

So put your dancing shoes on, roll back the carpet, and join us in celebrating the integration..

Learn more about how our encryption solutions can help your company, and read more about the integration in this article that quotes my big boss, Steve Munford.

Legal arguments over Sarah Palin email "hack"

Remember when Sarah Palin's Yahoo email account was hacked last year, and details of her private emails were distributed across the internet? If you were reading the Clu-blog last September you'll remember that her account was broken into by a hacker who correctly guessed the answers to her "secret questions" about her date of birth, her postal code, and information about where she met her husband.

A university student called David Kernell, in the city of Knoxville, Tennessee, was identified by the authorities as the main suspect.

An email from Sarah Palin

Kernell has now appeared in court, asking for the charges against him to be dismissed.

Kernell's legal team are arguing that because an email address isn't a name or a number (which apparently is the legal definition of an identity), accessing it can't be classified as identity theft. Hmm - maybe it's time for the legal world to catch up with the real world in that case. I know a lot of people who only seem to have an identity online these days. :)

Fascinatingly, according to media reports, the court has agreed not to use the word "hacking" in the trial.

Instead they're going to use the phrase "unauthorized access to a protected computer." The only exception? - and you should make sure you're not drinking a cup of coffee over your keyboard before you read this - it turns out that the prosecutors can quote David Kernell himself, who allegedly told people he hacked into the Republican Vice-Presidential candidate's email account.

Funny.

I hoped at the time that news of Palin's lax attitude to her web email security (a problem she shares with Paris Hilton, as demonstrated in the video below) would warn others to take more care in future.

David Kernell's trial is scheduled for 27th October, which in a cruel twist of fate is also his 22nd birthday. Personally I find it rather ironic that in a newspaper report about alleged identity theft, they reveal the full date of birth of the defendant - but there you go.

Why it's a **** idea not to mask passwords

Web usability guru Jakob Nielsen has challenged websites to stop masking passwords as internet users type them in to login.

Nielsen claims that web surfers make mistakes when all they can see are asterisks rather than the characters of their password, and this results in a bad usability experience. Masking passwords makes websites unfriendly, Nielsen says, and ultimately means lost business and users choosing overly simple passwords.

Jakob Nielsen's opinion is supported by security expert Bruce Schneier who says on his blog that shoulder-surfing (where someone watches as you type your password) isn't very common, and that entering passwords in cleartext greatly reduces errors.

Login with your username and password

I'm afraid that wise as these two gents are, I have to disagree with them.

Imagine you're logging in at an internet cafe - would you want your password to be visible to the person sitting in the row behind you? It turns out that Nielsen has thought of that scenario:

"[Offer users] a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win," he suggests.

Then, in a work environment, there will be people in your IT team who know the all-powerful system passwords that have a God-like power to mess around with all kinds of things on the computers.

When an IT guy comes to visit my desk, and he needs to log in to fix whatever I've broken on my PC - should the system password be visible to me and for the inhabitants of Sophos HQ to see? I bet I'm not the only one to be sitting in a completely open plan building - anybody could be passing by and looking over my shoulder.

Graham's desk, complete with attractive tinsel and festive balloons

Or what happens when I am at a friend's house and I want to quickly log in to my web email account to forward him something I have been discussing with him? Sure, he's my friend and I trust that he's not going to misbehave - but I really don't think I should be sharing my password with him.

Equally I don't want to be put in the awkward social position of going to the extra effort of ticking a box to obscure my password from him. Much better that I had no option to see the password at all!

But the biggest misunderstanding that Nielsen and Schneier seem to have made is that it's not the websites that mask the passwords - it's browsers like Firefox and Internet Explorer that interpret the HTML of a webpage and choose how to obscure the field's contents.

If there were an option to display password input fields as cleartext rather than asterisks, then that should be set in the user's browser not decided by individual websites. Even then, I can't imagine many situations when it wouldn't actually be more of an inconvenience (asking friends and colleagues to turn around or wear a bucket over their head for the next ten seconds) than the masking of passwords we have at the moment.

Update: Clu-blog reader John got in touch to say, "You do realise, of course, your desk is as camp as Graham Norton presenting Eurovision. What's with the balloons and tinsel?".

The explanation is that the photo was taken on my tenth anniversary at Sophos. :)

A good use for a keylogger?

Normally when I discuss keyloggers on the Clu-blog it's in relation to identity thieves stealing your usernames and passwords as you bank online.

But Lenovo appears to have found a positive use - as they've used keylogging software to help them redesign the tried-and-trusted keyboard.

Take a moment or two to check out the keyboard on Lenovo's new ThinkPad T400s notebook. Do you notice anything unusual?

Lenovo Thinkpad T400s keyboard

Well done to any eagle-eyed readers who noticed that the DEL key appears to have been pumped full of steroids. Apparently the ESC key is similarly enhanced.

Lenovo chose to make these changes to what has become a fairly standard cross-industry design to the computer keyboard after installing keystroke capturing software on to the PCs of 30 of its employees. According to media reports, the company discovered that workers were using the small Escape and Delete keys about 700 times each week.

Their conclusion? The size of both the DEL and ESC keys should be doubled. Rumour has it that they may also ditch the rarely-used Pause/Break and Caps Lock keys in the future.

By the way, I was pleased to see that the keyboard monitoring was done with the knowledge and permission of the computer users.

Britney Spears isn't dead - but her TwitPic *is* hacked

She may very well be the name associated with more spam, virus and hack attacks than anyone else in history. Yes, step aside Paris, Angelina and Bill, my guess is that the name that hackers choose to exploit for their own ends more than any other is Britney Spears.

In a tasteless stunt that was seen by her two million followers, a hacker managed to post the following message to Britney Spears's Twitter stream earlier today:

Britney has passed today. It is a sad day for everyone. More news to come.

Britney's Twitter page announces that she has died

Interestingly, the fake story of Britney's death was posted to her Twitter followers via the TwitPic service, which automatically forwards messages to the associated Twitter account. There are a number of ways in which you can post a message on TwitPic - which is then echoed on Twitter - including logging on to the service or sending a picture to a unique email address.

It's possible that that last method of updating TwitPic may be the prime suspect in this case, as the service just tweeted that they have fixed a vulnerability with their email posting functionality. There certainly has been a concern in the past that TwitPic relies upon a four digit PIN that could be cracked through brute force.

That would mean that I could post a message (and TwitPic link) on Britney's Twitter page if I could crack her four digit PIN and use it to email britneyspears.XXXX@twitpic.com (where XXXX are the four digits). That certainly doesn't seem like very good security.

The picture on Britney Spears's TwitPic account and the fake post to Twitter have since been deleted, but followers of the popstar have been reassured that she has not died by the following update on the micro-blogging service:

Post on Britney Spears Twitter account about being hacked

The Twitter accounts of fellow celebrities Ellen DeGeneres and Diddy (also known as P Diddy or Puff Daddy or even Sean Combs - can't he make his mind up? Does he keep changing his name in an attempt to avoid income tax?) are also said to have published similar messages about their owner's demise.

I guess that the millions of people who follow these celebrities on Twitter have to be grateful that all that they saw was a sick prank by hackers, rather than put in danger by being exposed to a malicious link to a website containing malware or a phishing page.

Curiously, Lindsay Lohan claimed last week to have also been on the receiving end of a hacker after someone posted a controversial picture on her TwitPic account (which was retweeted widely on Twitter).

However Britney's latest hack occurred, one thing is pretty clear: it's a pretty sick and tasteless joke. When I saw her Twitter feed had been tampered with it reminded me of how MacWorld's news feed got hacked in January in an equally tasteless stunt, claiming that Steve Jobs had died.

Guest blog: Losing a BlackBerry in a black cab

"Guest blogger Malte Pollmann, VP of Product Development at Sophos, has lost his BlackBerry - but doesn't seem to be that bothered. I'll let Malte explain why.."

Malte Pollmann

Now they have finally got me.

After years of wondering how the hell it can be true that people lose more than 10,000 notebooks, smartphones and BlackBerries in London taxi cabs every year, it happened to me the other night.

I left my black Blackberry in a black "Black cab"...

Which reminds me of the first reason why I lost it. Everything is so black in these cabs and they are so horribly uncomfortable that you just forget your stuff on the seat when you finally try to stumble out of it.

Okay, so I admit that having had a nice night in London probably didn't help and may have been the other reason. :)

But as the weekend started it came in handy having my second mobile phone with me. Yes, I use my BlackBerry only for business reasons and carry around an iPhone for private reasons (and music) as well.

While it's still annoying to lose stuff, I have to say that I felt fairly relaxed by the fact that my BlackBerry is not only locked with a secure password but also has all of its contents encrypted.

That meant I didn't worry at all. Anyone trying to use my BlackBerry to make long-distance calls or hoping to make use of my emails would have no luck at all.

Black taxi cab

The only thing which will work is the alarm bell at 5am in the morning (yes - I had to get up early for the airport the following morning :-)). I apologise to the thief if it's not already ringing in the lost-and-found property of the London cab organisation.

But back to the main point that I would like to make.

Working in the data security industry, I listen to customer concerns every day about how difficult encryption is, how cumbersome key management is, etc.

I can tell you this - experience the feeling of losing a device with your confidential business content on it. You are horrified that it might get exposed, but it's a big relief and an extremely satisfying feeling to know that it is properly encrypted and your device is essentially a brick to anyone who finds it.

My second relief, which probably needs no explanation, was that I got to spend the weekend without my CrackBerry addiction. :-)

Does the UK attack other countries in cyberspace?

Yesterday, the British government published its cyber security strategy, announcing its intentions to create a central body to liaise with industry (the Office of Cyber Security or OCS) and a separate body, the Cyber Security Operations Centre (CSOC), based at the UK's surveillance headquarters GCHQ in Cheltenham.

There has been a lot in the newspapers about this (see the article in The Register, for instance).

When I tuned into BBC Radio 4, I heard the mischievous presenter of the PM show, Eddie Mair, interviewing Security minister Lord West.

Baron West of Spithead appears in the headlines occasionally for putting his foot in his mouth (it was recently revealed that he placed a bet that the Labour Party he represents would lose the next general election, and in the past he has had to deny rumours that he is engaged in an affair with Anni-Frid Lyngstad - the brunette from Abba).

It is this capacity for public goofs which probably encouraged Eddie Mair to get into the following tussle during the radio show:

Well, that's cleared that up then.. ;-)

Joshing aside, one of the things I would really like to see is much more emphasis being put on raising awareness of internet threats and cybersecurity amongst the general population. There can be a tendency for governments (and Barack Obama's recent speech on computer security was guilty of this) to emphasise the threat posed by other countries and terrorist groups who might use the internet for their own purposes.

My belief, however, is that there is a significant problem much closer to home. Over 99% of all spam is being sent from botnet computers owned by regular members of the public. Those computer users don't know that their PCs have been hacked into, and are under the control of cybercriminals who are using them to spread spam, distribute malware, steal identities and launch distributed denial-of-service attacks.

Let's hope that the different strategies being run around the world to protect countries from internet attack don't emphasise purely "cyberwarfare" but also look at how they might clean up their own back yard.

You can read more about the National Cyber Security Strategy by visiting the Cabinet Office's website. If it helps to better secure Britain from internet threats then it will have been a very good thing.
