
Security

December 1, 2008 7:02 AM PST

Europe is getting a cybercrime alert system as part of a European Union drive to fight online criminals.

According to the plans, the European law enforcement body Europol will receive 300,000 euros ($386,430) to build an alert system that pools reports of cybercrime, such as online identity theft and financial fraud, from across the 27 member states.

Under the strategy, adopted by the European Union's Council of Ministers on Thursday, police will conduct more remote searches of suspects' hard drives over the Internet and run "cyberpatrols" to spot and track illegal activity online.

The strategy, a blueprint for fighting cybercrime in the EU over the next five years, also introduces measures to encourage businesses and police to share information on investigations and cybercrime trends.

"The strategy encourages the much-needed operational cooperation and information exchange between the member states," said Jacques Barrot, vice president of the European Commission. "If the strategy is to make the fight against cybercrime more efficient, all stakeholders have to be fully committed to its implementation. We are ready to support them, also financially, in their efforts."

Plans for the EU alert system follow the recent establishment of the Police Central e-Crime Unit and the National Fraud Strategic Authority, both set up to fight cybercrime in the United Kingdom.

Nick Heath of Silicon.com reported from London.

December 1, 2008 7:00 AM PST

Quang Tu Nguyen has changed the landscape of network and computer security in Vietnam.

(Credit: Dong Ngo/CBS Interactive)

Editor's note: CNET editor and Crave contributor Dong Ngo is spending the next month in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there.

HANOI, Vietnam--If you use any Internet-connected computer in Vietnam--and there are lots of them, with Internet cafes and Wi-Fi spots abounding in any city--chances are you'll find a little red plus sign at the bottom-right corner of the screen.

That's the icon of the most popular antivirus software here. It's called BKAV.

(A bit of background: if you've recently read reviews of Internet security products by our security editor Rob Vamosi, know that I am the one who designed the methodology involved in testing these applications. It's therefore natural for me to be curious about how people in various parts of the world are protected against malicious software.)

BKAV is short for Bach Khoa AntiVirus, with "Bach Khoa" being the Vietnamese name for the Hanoi University of Technology. The software was originally developed as a hobby by Quang Tu Nguyen, a student-turned-lecturer at the school. It's currently the flagship product of Bach Khoa Internetwork Security center (BKIS), of which Quang, now 33, is director.

Quang still lectures once in awhile, but he's primarily known as the man who has changed the landscape of network and computer security in Vietnam. His creation, BKAV, is in many ways just about the best security software you can find.

Originally posted at Crave
December 1, 2008 6:50 AM PST

The new Iridium 9555 satellite handheld looks and acts like a cellular phone but operates virtually anywhere in the world.

(Credit: Marc Weber Tobias)

Iridium has begun delivering its latest-generation handset, which signals a new era for the global satellite carrier. It has been several years since any significant change was made to its handheld equipment, so for current users this should be welcome news. I received one of the first 9555s that Iridium delivered to World Communications in Chandler, Ariz., which has been a primary Iridium vendor since the network first went into service. The new handsets, with accessories, sell for about $1,700 and, according to Iridium, are available now.

The Iridium network, conceived, engineered, and built by Motorola, launched in 1997 as the first commercial constellation of 66 low earth orbit (LEO) satellites, crisscrossing the planet at about 500 miles above the Earth. The network was designed to provide secure communications on a global basis from a handheld that weighed about 12 ounces and could fit in your back pocket. Whereas traditional geostationary satellite services, such as Inmarsat, require the radio to stay in one position during use so that the antenna can lock onto a satellite beam, Iridium is entirely different: the system works while flying, driving, walking, or onboard a ship. I have had extensive experience with the Iridium network since it commenced operations, and have used each of the three handsets (the 9500, 9505, and 9505A) that were available prior to the 9555. The system currently offers voice and data communications virtually anywhere, even in the most remote regions of the world, as I can personally attest.

There are several noticeable improvements in the latest phone in terms of design, operation, software, and functionality. After placing a few calls on the new handset, I can say that the audio quality seems much improved over my older 9505 unit. I recorded one of the calls that I made to an associate so you can judge this for yourself. The handset closely resembles a larger cell phone, but works very differently with regard to its communications path and network infrastructure. The menu system, display, and software of the 9555 have also been updated. The package is about 30 percent smaller than its predecessor, the 9505, and the antenna has been redesigned to retract into the body of the radio rather than rotating and swinging up to a vertical position. The battery charging system is also better in terms of size and connector. The handset now has a USB data port and new software for simplified Internet access. Although the data rate is still very slow, at 9,600 bps, it is acceptable for e-mail when there is no other available service.

The Iridium network's resistance to eavesdropping comes from its architecture rather than from anything the user does. A call goes from the handset up to one or more satellites, is relayed across the constellation over inter-satellite links, and comes back down only at a network gateway that connects to the public switched telephone network. Because the traffic is not repeated to the ground along the way, intercepting it off the air is extremely difficult, and even if the 1,640 MHz signal could be captured directly from a handset, it would yield little intelligence because of the way the network is configured. One caveat is worth keeping in mind: this protects the radio path, not the call end to end. The gateway operator and the terrestrial network beyond it still see the traffic in the clear, so anyone who needs confidentiality from the carrier or its host government should layer their own encryption on top. As an example, I was in Havana, Cuba last year and needed to make secure telephone calls back to the U.S. Cuban authorities routinely monitor cell phone traffic but are unable to listen in on Iridium. If you routinely travel to countries where you require the ability to communicate by voice or data without fear of local eavesdropping, then Iridium is an excellent solution.

The prime North American competitor is Globalstar, which was launched at about the same time as Iridium. The Globalstar network is also based on a LEO satellite constellation, but its infrastructure and transmission protocol are quite different from Iridium's. Its 48 satellites orbit at about twice the altitude of Iridium's and talk to ground stations operated by various Globalstar partners. The company filed for bankruptcy in 2002 but came back two years later after an infusion of capital from Thermo Capital Partners. Unfortunately, Globalstar has been experiencing significant technical problems that have affected the coverage and reliability of its service.

Iridium filed for bankruptcy in 1999. When it shut down, the network consisted of 13 planned or constructed gateway facilities throughout the world. The system was supposed to be decommissioned, but at the last minute it was decided that Iridium could be a vital military communications asset, especially since one of the network operations centers had been built in Hawaii specifically to handle government traffic. An entrepreneur purchased the entire Iridium system for about $25 million and then signed an agreement to supply communications to the Department of Defense, the State Department, and other government agencies. When it resumed operation, the system was locked into the original handsets: the 9500 and 9505 (and the slightly modified 9505A) were all that were available, because the prime supplier, Motorola, was out of the picture. The network and current handsets have continued to provide primary handheld satellite communications for the Defense and State departments in Iraq and virtually everywhere else in the world, and Iridium is used for mission-critical applications by many government agencies and private industries. The cost of a call is $1 to $2 a minute, depending on the pricing plan. That is competitive with cellular, and it is a much more cost-effective option for portable-to-portable calls than roaming overseas on GSM networks.

November 26, 2008 2:13 PM PST

This graph shows how spam volumes dropped 80 percent after McColo was shut down and are crawling back up two weeks later.

(Credit: MessageLabs)

Spammers knocked offline two weeks ago when their hosting company, McColo Corp., was shut down are finally coming back online, security researchers said on Wednesday.

San Jose, Calif.-based McColo was believed to be hosting the control infrastructure behind up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.

Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat until a few days ago, when they started to climb again, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.

Since Sunday, spam volume has risen to about 37 percent of what it was before McColo was unplugged, MessageLabs said.

McColo was hosting command-and-control servers that sent instructions, such as "send spam" or "install this Trojan," to bot software planted on PCs, mostly in the U.S., according to Sergeant. "With no work orders to process, the machines simply stopped spamming," he said.

Some of the botnets, with names like "Srizbi," "Asprox," "Rustock," and "Mega-D," are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.

"The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down," Sergeant said.

"We've stunted the spammers for a couple of weeks, which is a good thing for the Internet," he said. "We've increased their costs and, hopefully, that might put some spammers out of business."

Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.

Some of the bots are programmed to connect to a new domain after a certain period without contact from their controllers, he said.

Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.
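The fallback behavior Ferguson describes is what turns a takedown into a race between the bot operators and the researchers filing registrar complaints. The following Python model is added here as an illustration; it is not drawn from the article or from any real botnet's code. It uses a hypothetical, date-seeded fallback scheme: a bot that loses its primary controller for several consecutive check-ins derives that day's fallback domain from a secret it shares with its operator, and a defender who has recovered that secret from a sample pre-computes the same names and registers them first, so the bot ends up reporting to a sinkhole. The seed, the domain names, the three-failure threshold and the dates are all invented for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# All values below are invented for this illustration; they are not any
# real botnet's seed, domains or thresholds.
PRIMARY_C2 = "c2.primary.example"
SEED = b"constructed-seed-2008"
INACTIVITY_LIMIT = 3     # consecutive failed check-ins before falling back
LABEL_LEN = 10
DEMO_START = date(2008, 11, 11)   # the day the primary host goes dark


def fallback_domain(day: date, seed: bytes = SEED, tld: str = "example") -> str:
    """Derive the fallback C2 domain for one day from a shared secret.

    Bot and operator both know SEED, so both compute the same name without it
    being hard-coded or registered in advance. A defender who recovers SEED
    from a sample can compute it too, which is the weakness this models.
    """
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    return f"{label}.{tld}"


def sinkhole_plan(start: date, days: int, seed: bytes = SEED) -> List[str]:
    """Domains a defender would pre-register to catch the bots when they fall back."""
    return [fallback_domain(start + timedelta(days=i), seed) for i in range(days)]


class Bot:
    """Minimal model of a bot: retry the primary C2, then switch to fallback names."""

    def __init__(self, resolver: Dict[str, str]):
        self.resolver = resolver       # domain -> whoever answers there (operator or sinkhole)
        self.failures = 0
        self.fallback_mode = False

    def check_in(self, today: date) -> Tuple[str, Optional[str]]:
        domain = fallback_domain(today) if self.fallback_mode else PRIMARY_C2
        controller = self.resolver.get(domain)
        if controller is None:
            self.failures += 1
            if self.failures >= INACTIVITY_LIMIT:
                self.fallback_mode = True
        else:
            self.failures = 0
        return domain, controller


def simulate(start: date = DEMO_START, days: int = 5) -> List[Tuple[str, str, Optional[str]]]:
    """Run one bot day by day after its primary host is unplugged.

    PRIMARY_C2 is deliberately absent from the resolver (the hosting provider
    is offline). The defender has pre-registered the coming days' fallback
    domains, so once the bot gives up on the primary it reports to the sinkhole.
    """
    resolver = {d: "sinkhole" for d in sinkhole_plan(start, days)}
    bot = Bot(resolver)
    log = []
    for i in range(days):
        today = start + timedelta(days=i)
        domain, controller = bot.check_in(today)
        log.append((today.isoformat(), domain, controller))
    return log


if __name__ == "__main__":
    for day, domain, controller in simulate():
        print(day, domain, controller or "unreachable")
```

In the simulation the bot spends three days retrying the dead primary host and then computes the fallback name for the fourth day, which the defender has already registered. The same race runs the other way when the operators re-register first, which is what Sergeant describes happening with hosts outside the U.S.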

November 26, 2008 1:39 PM PST

A worm dubbed Win32/Conficker.A is making the rounds on Windows machines, exploiting a vulnerability for which Microsoft released an out-of-band patch in October, Microsoft said on Wednesday.

The number of attacks has increased over the past couple of days. They exploit a critical vulnerability in the Windows Server service that was addressed by security update MS08-067; a machine with that update installed is not exposed to this propagation method.

The malware mostly was spreading inside corporations, but also hit several hundred home PCs, Microsoft said in a posting on the Microsoft Malware Protection Center Blog.

"It opens a random port between port 1024 and 10000 and acts like a Web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll," the posting said.

"It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too," Microsoft said.

Most of the infections are on U.S. PCs, but there have been reports from Germany, Spain, France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Canada, Argentina, and Chile. The worm avoids infecting Ukrainian computers, for some reason, Microsoft said; it does so by checking whether a Ukrainian keyboard layout is installed and skipping those machines.

Several bots, under the generic name Backdoor:Win32/IRCbot.BH, also are exploiting the security hole. They drop a backdoor Trojan that connects to an IRC server to receive commands.
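Microsoft's description gives a defender a concrete network signature: a host that has just been contacted on the SMB port (445) turns around and fetches a .jpg over HTTP from a port between 1024 and 10000 on the same peer. The following Python detector is written for this page as an illustration; it is not Microsoft's code or taken from any product. It runs that correlation over a few constructed connection-log lines. The log format, the hosts, the timestamps and the 60-second window are assumptions for the example and should be adjusted to your own sensor output.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed connection-log lines for this illustration (not real traffic).
# Format: timestamp source destination dest_port protocol [HTTP request]
SAMPLE_LOG = """\
2008-11-25T10:00:01 10.0.0.12 10.0.0.5 445 tcp
2008-11-25T10:00:03 10.0.0.5 10.0.0.12 7777 tcp GET /a.jpg
2008-11-25T10:03:10 10.0.0.5 10.0.0.9 445 tcp
2008-11-25T10:03:12 10.0.0.9 10.0.0.5 4431 tcp GET /x.jpg
2008-11-25T10:04:00 10.0.0.7 10.0.0.9 445 tcp
2008-11-25T10:09:00 10.0.0.9 10.0.0.7 80 tcp GET /logo.jpg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)(?: (?P<req>.+))?$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    req: Optional[str]


class Hit(NamedTuple):
    attacker: str          # host that sent the exploit and serves the payload
    victim: str            # host that was exploited and fetched the payload
    payload_port: int
    seconds_after_smb: float


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip blank or malformed lines
        events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                            int(m["dport"]), m["proto"], m["req"]))
    return events


def find_spreaders(events: List[Event], window_s: float = 60.0,
                   lo: int = 1024, hi: int = 10000) -> List[Hit]:
    """Flag A->B:445 followed within window_s by B->A:<lo..hi> fetching a .jpg.

    That ordering (exploit over SMB, then the victim pulling the payload from
    a high port on the attacker) is the propagation sequence described above.
    """
    last_smb = {}              # (src, dst) -> time of most recent SMB connection
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.proto == "tcp" and e.dport == 445:
            last_smb[(e.src, e.dst)] = e.ts
            continue
        if e.req is None or not (lo <= e.dport <= hi):
            continue
        parts = e.req.split()
        if len(parts) < 2 or parts[0] != "GET" or not parts[1].lower().endswith(".jpg"):
            continue
        smb_ts = last_smb.get((e.dst, e.src))     # did the peer hit us on 445 first?
        if smb_ts is None:
            continue
        delta = (e.ts - smb_ts).total_seconds()
        if 0 <= delta <= window_s:
            hits.append(Hit(attacker=e.dst, victim=e.src,
                            payload_port=e.dport, seconds_after_smb=delta))
    return hits


if __name__ == "__main__":
    for h in find_spreaders(parse(SAMPLE_LOG)):
        print(f"{h.attacker} exploited {h.victim}; payload fetched from port "
              f"{h.payload_port} {h.seconds_after_smb:.0f}s after the SMB connection")
```

On the sample data the detector reports two infections in sequence (10.0.0.12 infecting 10.0.0.5, which then infects 10.0.0.9) and ignores the ordinary SMB-then-web traffic between 10.0.0.7 and 10.0.0.9, because that fetch goes to port 80 and arrives minutes later. The rule is deliberately narrow to the behavior Microsoft describes; a variant that changes the file extension or port range would need the filter loosened.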

November 25, 2008 6:05 PM PST

Reports that a purported Gmail vulnerability was being used by unauthorized third parties to hijack domains turned out to be nothing more than a phishing scam, Google announced Tuesday.

The alleged vulnerability reportedly allowed an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition. In the post, Geek Condition's "Brandon" wrote that the vulnerability had caused some people to lose their domain names registered through GoDaddy.com.

However, after consulting with those who claimed to be affected by the so-called vulnerability, Google determined that they were victims of a phishing scam, Google information security engineer Chris Evans explained in a blog:

Attackers sent customized e-mails encouraging Web domain owners to visit fraudulent Web sites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired.

A Google representative contacted me early Monday to say the company was trying to contact "Brandon" for more information on his claim, but there was no word on whether that blogger helped Google reach its conclusion. As of this writing, the blog has not been updated to mention Google's finding.

While these account takeovers were apparently unrelated to any flaw in Gmail itself, Google reminded users to enter Gmail sign-in credentials only at Web addresses starting with "https://www.google.com/accounts," and not to ignore warnings their browsers raise about certificates. The filter behavior described in the original post is what makes stolen credentials so damaging here: an attacker who can log in can add a filter that quietly forwards or deletes a registrar's transfer or password-reset notices before the account owner ever sees them.
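Google's advice amounts to checking the sign-in page's origin, and phishing sites like the one it names work because people check that origin loosely. The following Python is added here as an illustration and is not Google's code. It parses a candidate URL and compares scheme, host, port and path separately, then runs the check over some constructed addresses: the lookalike domain mentioned in Google's statement, a host that merely begins with www.google.com, the user@host trick, and a genuine address written in upper case with an explicit port. A literal string-prefix test is included for contrast. The sample addresses (other than google-hosts.com, which the statement itself names) are made up for the example.

```python
from urllib.parse import urlsplit

# The rule from the post: sign in only at addresses under
# https://www.google.com/accounts. These constants restate that rule;
# they are not taken from any Google code.
ALLOWED_SCHEME = "https"
ALLOWED_HOST = "www.google.com"
ALLOWED_PATH = "/accounts"


def naive_check(url: str) -> bool:
    """The literal string-prefix test a user might apply by eye."""
    return url.startswith("https://www.google.com/accounts")


def is_trusted_signin(url: str) -> bool:
    """Parse the URL and compare scheme, host, port and path separately.

    Parsing, rather than string matching, handles the tricks phishing links
    rely on: a user@ prefix before the real host, a lookalike domain that
    merely starts with www.google.com, and uppercase or explicit-port variants
    of the genuine address.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # hostname is lowercased, userinfo stripped
    except ValueError:                             # unparseable URL or bad port
        return False
    if parts.scheme != ALLOWED_SCHEME or host != ALLOWED_HOST:
        return False
    if port not in (None, 443):
        return False
    return parts.path == ALLOWED_PATH or parts.path.startswith(ALLOWED_PATH + "/")


# Constructed sample addresses for the example, not observed phishing URLs,
# apart from the google-hosts.com name that Google's statement mentions.
SAMPLE_URLS = [
    "https://www.google.com/accounts/ServiceLogin",       # genuine
    "HTTPS://WWW.GOOGLE.COM:443/accounts/ServiceLogin",   # genuine, odd case and explicit port
    "http://www.google.com/accounts/ServiceLogin",        # no TLS
    "https://google-hosts.com/accounts/ServiceLogin",     # lookalike domain
    "https://www.google.com.accounts-login.net/",         # real host is accounts-login.net
    "https://www.google.com@phish.example/accounts/",     # userinfo trick; host is phish.example
    "https://www.google.com/accountsx/ServiceLogin",      # right host, wrong path
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to the verdict of the parsing check."""
    return {u: is_trusted_signin(u) for u in urls}


if __name__ == "__main__":
    for u, ok in classify().items():
        print(f"{'trusted ' if ok else 'REJECT  '} naive={naive_check(u)!s:5} {u}")
```

The contrast is in the two genuine-but-unusual and wrong-path cases: the string-prefix test rejects the upper-case address with an explicit port and accepts the "/accountsx" path, while the parsed check gets both right. The same parsing approach is what a browser's address bar does when it highlights the registrable domain, which is why reading that highlight is better advice than eyeballing the whole URL.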

November 25, 2008 5:25 PM PST

Someone is using Orkut to spread Trojan links in a message disguised as an official e-mail from the Google-owned social network, according to an alert from security firm Websense released Tuesday.

The message, written in Portuguese to appeal to Orkut's many Brazilian members, looks like it is sent from an Orkut member who is looking for love, Websense says.

"The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named 'imagem.exe,'" the Websense alert says. "The malicious file opens the legitimate Orkut network log-in page, and in the background downloads a password stealing Trojan named 'msn.exe.'"

The Trojans are hosted on a compromised labor union Web site from southern Brazil, according to Websense.

A Google spokesman said the company was investigating the matter.

November 25, 2008 4:23 PM PST

Microsoft is listed fifth in the Top 10 list of the worst spam service ISPs compiled by Spamhaus.org.

Spammers are advertising links to sites that "peddle fake pharmacy products, porn, and Nigerian 419 scams" on Microsoft's Live.com and Livefilestore.com sites because they know that the Microsoft sites won't get blocked by antispam groups, writes Brian Krebs on his Security Fix Blog at the Washington Post.

Spamhaus has been alerting Microsoft to the problem for some time, but to no avail, Richard Cox, Spamhaus' chief information officer, told Krebs. Other security companies, including McAfee and Marshal, have also been warning about increases in spam and scams on Microsoft-hosted sites.

A Microsoft spokesman responded to a request for comment with this e-mailed statement:

Spam and other abuse scenarios are not Microsoft-specific. Microsoft offers Windows Live, a suite of software and services that provides opportunities for customers to post and share their own content through Windows Live Hotmail, Windows Live Spaces, Windows Live SkyDrive, and other free services. As such, spammers have multiple avenues to target consumers with malicious activities. We take protecting our customers' security and privacy seriously and are continually working to improve their experiences while making industry-leading progress to mitigate such attacks through both oversight and technology advancements. Using Windows Live services for spam is explicitly prohibited by the terms of service, and Windows Live accounts that are found to be used by spammers are aggressively removed.

Interestingly, Verizon.com is listed at No. 9.

Microsoft's Live.com and Livefilestore.com are riddled with spam and online scams, Spamhaus.org says.

(Credit: Spamhaus.org)
November 25, 2008 10:32 AM PST

A Connecticut substitute teacher arrested four years ago for allegedly showing students porn on a classroom computer has been cleared of the felony charges--for now--after experts pointed the finger at spyware.

Julie Amero, 41, agreed to plead guilty to a misdemeanor count of disorderly conduct, pay a $100 fine, and surrender her teaching license, according to the Hartford Courant. The ordeal left her hospitalized for stress and heart problems, the report said.

The Superior Court judge in Norwich on Friday tossed out the charges that she had endangered children by intentionally causing "pop-up" pornography to display on her computer and ordered a new trial after computer forensics experts presented evidence about the spyware. Judge Hillary B. Strackbein said the conviction was based on "erroneous" and "false information."

Despite the expert evidence, and the fact that state prosecutors never conducted a forensic examination of the hard drive, New London County State's Attorney Michael Regan said he remained convinced of Amero's guilt and was prepared to take the case to trial again.

The security expert who led a team of forensic volunteers in the case is outraged that officials are dismissing the evidence about the dangers of spyware.

"Regan's pronouncement of his certainty of her guilt speaks to his ignorance and unwillingness to learn the facts of this case, and the facts of what PC viruses can do to a computer and, in some cases, a life," Alex Eckelberry, chief executive of security firm Sunbelt Software, wrote on The Julie Blog, a site spawned by the Amero case and which is focused on seeking fairness in the intersection of law and technology.

"All of our forensic investigators felt it was a complete miscarriage. It was clear she was absolutely innocent," he told the Hartford Courant. "The mistakes and misinformation that occurred in that courtroom were astounding."

Amero suffered because the school system failed to keep the computer updated with software to block the pornography, experts said.

The case serves as an important lesson for everyone: use antivirus, antispyware, and other security software and keep it updated. It also holds a lesson for investigators: what appears on a screen says nothing about intent until a forensic examination of the disk has established how it got there, and in this case the state never performed one.

(Via Brian Krebs' Security Fix blog at The Washington Post.)

November 24, 2008 5:12 PM PST

China is actively conducting cyber espionage as a warfare strategy and has targeted U.S. government and commercial computers, according to a new report from the U.S.-China Economic and Security Review Commission.

"China's current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts," according to the annual report (PDF) delivered to Congress on Thursday.

The report cites news articles and testimony from U.S. officials like Col. Gary McAlum, chief of staff for the U.S. Strategic Command's Joint Task Force for Global Network Operations. It concludes that Chinese cyber attacks, authoritarian rule, and trade violations are impediments to U.S. economic and national security interests.

A spokesman for the Chinese foreign ministry, Qin Gang, said the report was misleading, impeding cooperation between the U.S. and China, and "unworthy of rebuttal," according to an article published late Monday in Secure Computing Magazine.

China is targeting government and private computers in the U.S., including systems operated by the biggest U.S. defense contractors, according to the report, which cited news articles. In 2005, the report said, hackers from China took NASA files on a propulsion system, solar panels, and fuel tanks, and stole an aviation mission planning system for Army helicopters along with Army and Navy flight planning software from the Army Aviation and Missile Command at Redstone Arsenal in Alabama.

China can access an unclassified U.S. military network called NIPRNet (the Non-secure Internet Protocol Router Network) and "views it as a significant Achilles' heel and as an important target of its asymmetric capability," according to the report. This "gives China the potential capability to delay or disrupt U.S. forces without physically engaging them--and in ways it lacks the capability to do conventionally."

The U.S. government also is at risk as a result of the global computer supply chain, the commission said. Computer components used by the U.S. and manufactured in China are "vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation," the report said. Hundreds of counterfeit routers made in China were found in systems throughout the Defense Department, it said.

The Chinese government is training citizens in cyber operations at military academies, and tolerates, or even encourages, actions taken by an estimated 250 hacker groups there, the report said.

Chinese military officials believe the U.S. is doing cyber espionage against China, and believe that by striking first with a cyber attack they can plant misinformation and hide their tracks, according to the report.

U.S. officials and lawmakers have complained about specific incidents in which they believed Chinese representatives breached their systems. This summer, two congressmen who have been longtime critics of China's human rights record accused China of compromising computers that held information related to political dissidents. In the spring, government sources told the Associated Press that they were looking into allegations that Chinese officials copied data from a laptop left unattended in China by the commerce secretary.
