<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/1.5.1.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
>

<channel>
	<title>PC Security News</title>
	<link>http://www.pcsecuritynews.com/news</link>
	<description>The Security Resource for Everyone</description>
	<pubDate>Thu, 23 Mar 2006 00:45:59 +0000</pubDate>
	<generator>http://wordpress.org/?v=1.5.1.3</generator>
	<language>en</language>

		<item>
		<title>The True Nature of Cyber Crime</title>
		<link>http://www.pcsecuritynews.com/news/cyber_crime_zombie_client.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/cyber_crime_zombie_client.wpml#comments</comments>
		<pubDate>Thu, 23 Mar 2006 00:44:17 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>privacy</category>
	<category>fraud</category>
	<category>hacking</category>
		<guid>http://www.pcsecuritynews.com/news/cyber_crime_zombie_client.wpml</guid>
		<description><![CDATA[Malicious attacks are increasingly being carried out for very specific reasons. Cyber criminals are using sophisticated identity theft techniques for financial gain]]></description>
			<content:encoded><![CDATA[	<p>Cyber-attacks, hacks, and acts of online vandalism perpetrated by loners in attempts to direct attention to themselves were at one time the biggest threat companies had to worry about. For those individuals, breaking into a company&#8217;s network produced no direct gain. Instead, they did it for the glory of becoming a cyberspace anti-hero, or at least to relieve the boredom of their humdrum lives. But today, those misguided fools are the least of a company&#8217;s network security worries. Malicious attacks are increasingly being carried out for very specific reasons. Cyber criminals are using bot-nets, denial-of-service extortion attacks, and sophisticated identity theft techniques for financial gain.<a id="more-128"></a></p>
	<p>According to a recent report from computer security vendor Symantec, bot-networks are being used more frequently to carry out criminal activities. Symantec recorded a 50 percent increase in DOS attacks in the second half of 2005. In a bot-network, a criminal infiltrates hundreds or thousands of computers around the world, transforming each one into a sort of &#8220;zombie&#8221; client, and then uses the network to carry out a DOS attack, or to threaten to do so for the purpose of extorting money.</p>
	<p>Symantec also noted an increase in phishing attacks, where a cyber criminal sends out emails disguised to look as if they originated from a trusted source, such as a bank. The cyber criminal then attempts to convince each victim to enter private account information, which is then diverted to a criminal enterprise and used for identity theft.</p>
	<p>Although many cases of online extortion do not get reported, there have been several high-profile cases in the news. Last year, an extortion scheme originating in Russia was discovered, where victims&#8217; computers would become infected via a web site containing malware. The malware would lock up the victim&#8217;s data files, and the criminal would then send an email demanding money in exchange for instructions on how to recover the files. </p>
	<p>If you are the recipient of this type of attack, the first thing to do is not to give in to demands, and then notify law enforcement authorities and your ISP. However, these attacks are opportunistic, and the best protection against them is to be proactive. Many of these criminal attacks are carried out with Trojans, social engineering, or infected web sites. A good anti-virus package and firewall will prevent most of these attacks, and adhering to standard best practices&#8211;such as exercising caution before launching email attachments&#8211;will go a long way towards avoiding becoming the next victim of cyber crime.
</p>
<hr/>Copyright &copy; 2008 <strong><a href="http://www.pcsecuritynews.com/news">@MOTION, Inc.</a></strong>. This Feed is licensed for personal non-commercial use only. If you are not reading this material in your news aggregator, the website you are looking at is guilty of copyright infringement. Please contact Legal@PCSecurityNews.com to notify us if this information has been posted on a website so we can take appropriate action.<br/><span style="float: right;font-size: 7pt"><a href="http://blog.taragana.com/index.php/archive/wordpress-plugins-provided-by-taraganacom/">Plugin</a> by <a href="http://www.taragana.com/">Taragana</a></span>]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/cyber_crime_zombie_client.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Tax Season Scammers Go Phishing</title>
		<link>http://www.pcsecuritynews.com/news/top_tax_scam_phishing.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/top_tax_scam_phishing.wpml#comments</comments>
		<pubDate>Wed, 01 Mar 2006 18:27:01 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>privacy</category>
	<category>fraud</category>
		<guid>http://www.pcsecuritynews.com/news/top_tax_scam_phishing.wpml</guid>
		<description><![CDATA[While most of the top twelve tax scams involve fraud perpetrated by taxpayers, number three on the list is phishing, a scam whereby an identity thief attempts to take advantage of an innocent taxpayer and obtain personal financial data.]]></description>
			<content:encoded><![CDATA[	<p>The Internal Revenue Service released what it calls its &#8220;Dirty Dozen&#8221; list of tax scams for 2006 this month (<a href="http://www.irs.gov/newsroom/article/0,,id=136337,00.html" target="_blank">http://www.irs.gov/newsroom/article</a>). The scams range from tax filers making frivolous claims that income tax is illegal, to misuse of trusts and offshore transactions. While most of the top twelve involve fraud perpetrated by taxpayers, number three on the list is phishing, a scam whereby an identity thief attempts to take advantage of an innocent taxpayer and obtain personal financial data.</p>
	<p>According to the IRS, criminals using phishing attacks sometimes pose as IRS representatives to gain the trust of an individual taxpayer. Typically, the scam revolves around a fictitious e-mail correspondence sent out, which appears to be from the IRS. <a id="more-127"></a>The e-mail tells the taxpayer they have an outstanding refund, and provides them with a hyperlink to click on. The hyperlink connects them to a bogus Web site that has been made to look like an official IRS Web site. Once there, the taxpayer is asked to provide their social security and credit card number. </p>
	<p>There are several variations of the scam in existence, and they are continuing to escalate as the tax deadline of April 15 draws near. The online tax scams are growing in number because of the large potential audience, and also because more than half of all tax returns are being filed electronically. One variation of the phishing scam informs taxpayers that they can click on a hyperlink to find out the status of their tax return, another claims that individuals are eligible to claim an unexpected additional refund. In either case, the phishing scam site asks the taxpayer to provide private information, such as social security number, credit card number or bank account number. The phishing scamster then uses that information for identity fraud, and proceeds to drain the victim&#8217;s bank account or make charges to their credit card. </p>
	<p>Last November, a security flaw on a legitimate government website led to a phishing scam, which claimed to be a notification about an IRS refund. The e-mail, like most of the others, provides a hyperlink. The difference is that this hyperlink is actually a link to a legitimate government web site, but the flaw allows the phisher to bounce the user to a different site when they try to access it. The scam is fairly obvious, since a redirect parameter (it commonly looks like this: ?url=) can be seen in the link. </p>
	<p>According to the IRS, the agency never uses e-mail to initiate any contact with taxpayers, so any e-mail coming from the IRS should be viewed as suspect.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/top_tax_scam_phishing.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Nyxem worm uses social engineering to trash files</title>
		<link>http://www.pcsecuritynews.com/news/nyxem_worm_kama_sutra_virus.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/nyxem_worm_kama_sutra_virus.wpml#comments</comments>
		<pubDate>Thu, 02 Feb 2006 18:52:32 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>worm</category>
		<guid>http://www.pcsecuritynews.com/news/nyxem_worm_kama_sutra_virus.wpml</guid>
		<description><![CDATA[The Nyxem worm, also known as Blackdoom, Tearec, and Kama Sutra, is a mass-mailing worm that requires users to click on a link or open a file attached to an email to become active.  The worm also corrupts files on the third day of every month, starting on February 3, 2006. ]]></description>
			<content:encoded><![CDATA[	<p>Rearing its ugly head in January was the Nyxem worm, also known as Blackdoom, Tearec, Kama Sutra, and Win32/Mywife.E@mm or W32.Blackmal.E@mm. The mass-mailing worm requires users to click on a link or open a file attached to an email to become active. According to a report from US-CERT, the worm targets Windows systems that hide file extensions. The worm&#8217;s icon is disguised to make it appear to be a WinZip file. Those who are disseminating the worm attempt to trick people into opening the file by telling recipients it contains free pornographic images. </p>
	<p>The worm is disseminated through e-mails that contain subject lines such as &#8220;school girl fantasies gone bad&#8221;, &#8220;the best videoclip ever,&#8221; or &#8220;Miss Lebanon 2006.&#8221; </p>
	<p>Once the worm has been launched, the code may do several things.<a id="more-126"></a> It will harvest email addresses from the infected system and then send itself to those email addresses, attempt to disable anti-virus and file sharing programs, use available Windows network shares to further replicate itself, and modify the Active Desktop. The worm also corrupts files on the third day of every month, starting on February 3, 2006. If activated, the worm&#8217;s payload will destroy a wide variety of files by overwriting their content with the false error message string &#8220;DATA Error [47 0F 94 93 F4 K5]&#8221;. The worm targets DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files&#8211;meaning that if you are infected, on the third day of the month you could lose virtually all of your data. </p>
	<p>Users who follow best practices for security will not be vulnerable to the worm. Most anti-virus programs have already updated their databases to block the worm. Using anti-virus software and keeping the signature files up to date is the best way to prevent the worm from infecting your system. In addition, firewalls should be set as always to block executables and unknown file types at the gateway. Also, users should be educated to not click on suspicious attachments or follow unknown links in an email, even if it appears to be from a trusted source. </p>
	<p>It is important to note that if the worm gets through and infects your system, it can disable your anti-virus program. Having an up-to-date anti-virus program installed in the first place will prevent the worm from getting through. If your anti-virus program is out of date, however, and the worm gets through, the anti-virus program could be subsequently disabled.</p>
	<p>The worm is said to have already infected at least half a million systems around the world, although some reports claim much higher numbers.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/nyxem_worm_kama_sutra_virus.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>VoIP Security Threats</title>
		<link>http://www.pcsecuritynews.com/news/voip_security_threat.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/voip_security_threat.wpml#comments</comments>
		<pubDate>Mon, 30 Jan 2006 18:09:49 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>hacking</category>
		<guid>http://www.pcsecuritynews.com/news/voip_security_threat.wpml</guid>
		<description><![CDATA[The widespread use of VoIP in general has given rise to a whole new wave of threats and potential threats. In addition to DoS attacks such as the one described by Cisco, VoIP systems from all vendors are potentially vulnerable to the same sorts of attacks that take place on the Internet, including hacking, theft, viruses and even spam.]]></description>
			<content:encoded><![CDATA[	<p>Cisco Systems recently published a security alert and a fix for its Cisco CallManager product, a piece of call-processing software that works with Cisco&#8217;s IP telephony solution. According to the alert, all versions of CallManager are vulnerable to Denial of Service attacks, which could result in interrupted VoIP services or servers rebooting. The Cisco report says that versions of CallManager &#8220;do not manage TCP connections and Windows messages aggressively,&#8221; and leave known ports vulnerable to Denial of Service attacks. The vulnerability could also allow a user with read-only privileges to gain full administrative access to the system. </p>
	<p>In addition to deploying the free software fix available from Cisco, users should also secure the CallManager through standard best practices to minimize the possibility of a successful attack. <a id="more-125"></a>In the advisory, Cisco noted that there have been no known attacks to date based on the vulnerability. </p>
	<p>The widespread use of VoIP in general has given rise to a whole new wave of threats and potential threats. In addition to DoS attacks such as the one described by Cisco, VoIP systems from all vendors are potentially vulnerable to the same sorts of attacks that take place on the Internet, including hacking, theft, viruses and even spam. Although VoIP attacks have not been the primary focus of hackers to date, attacks that have taken place have been focused on stealing service, or altering configurations. V-bombing, or launching huge numbers of voicemails into the system to cause a crash, is also a favored technique of VoIP hackers. </p>
	<p>VoIP users, both at the corporate and household level, should also be aware of call spoofing. In this attack, an attacker spoofs the system&#8217;s caller ID to make it appear that a call is coming in from a trusted source. The attacker then uses social engineering methods to trick the call recipient into divulging private account information. And while not yet a major threat, Spam over Internet Telephony (SPIT) represents a potential threat; using SPIT, spammers turn to VoIP to spread thousands of voice messages to Internet phones at the same time. </p>
	<p>Regardless of what type of VoIP equipment you have and which vendor it comes from, you can protect your VoIP environment and preserve its benefits to your enterprise through adhering to good security practices. One recommended practice is to segment voice and data traffic through virtual LANs, to prevent an attack on the data network from spilling over into the voice network. VoIP systems should also be connected to firewalls with intrusion prevention systems, integrated anti-virus and anti-spyware software. Another recommended practice is using access lists to control access to the VoIP device. And as always, security and software patches for all VoIP hardware and software should always be up to date. </p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/voip_security_threat.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Privacy Issues Behind Google&#8217;s Refusal to Comply with Government</title>
		<link>http://www.pcsecuritynews.com/news/google_subpoena_privacy.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/google_subpoena_privacy.wpml#comments</comments>
		<pubDate>Sun, 22 Jan 2006 23:19:42 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>privacy</category>
	<category>law</category>
		<guid>http://www.pcsecuritynews.com/news/google_subpoena_privacy.wpml</guid>
		<description><![CDATA[The Federal government has been attempting to force Google and other major search engines to turn over information to further its case to enforce the 1998 Child Online Protection Act.]]></description>
			<content:encoded><![CDATA[	<p>The Federal government has been attempting to force Google and other major search engines to turn over information from their databases. Since September 11, the Bush administration has rankled privacy advocates with a host of new measures that infringe on the rights and privacy of citizens, in the name of the fight on terrorism and under the banner of the Patriot Act. </p>
	<p>In court papers filed in the U.S. District Court of San Jose, the Department of Justice noted that Google has not complied with a subpoena it issued last year. <a id="more-124"></a>Justice had requested Google to turn over one million random Web addresses from their databases, and records of all searches that took place during a one week period. Search competitors AOL, Yahoo! and Microsoft have all complied to some degree with the government&#8217;s request. The government&#8217;s reason for the request is to further its case to enforce the 1998 Child Online Protection Act (COPA), which has been blocked by the Supreme Court due to constitutional problems in the legislation. The government said it wants the information to determine the frequency with which pornography appears in online searches, as part of its effort to present a case that COPA does not violate the constitution. </p>
	<p>Under the Patriot Act, the government can ask private companies to turn over data, even if it is about someone who is not suspected of wrongdoing, and the companies are then barred from making any disclosure about the request. According to Attorney General Alberto Gonzales, the government is not violating any individual privacy rights with the Google request, since they are not asking for individual identities of users. The subpoena requests the text of each search string entered over the one week period, but does not request any data that would identify individuals who entered the terms. Google, however, is concerned that some of the search strings themselves would contain information that could be used to personally identify users. Google is fighting the request, stating that not only does it violate user privacy rights, it also could reveal Google trade secrets. Google also says that because they are not party to the lawsuit, the request is unreasonable, and the demand for information is overreaching.</p>
	<p>Privacy advocates are concerned that if Google complies, subsequent requests from the government may be even farther reaching and may ask for personal data on individual citizens. Most of those queries can be personally identifiable through cookies, IP addresses and Google account data. </p>
	<p>In fact, Google and other search engines maintain a tremendous amount of information about searches, much of which could be traced back to individual users. Some privacy advocates, including the Electronic Frontier Foundation, suggest that Google and other search engines collect less information to begin with, delete it as soon as possible, and minimize how much of it can be traced to individual users. A bill in Congress, introduced by Rep. Edward Markey (D-Mass.), would prohibit search companies from storing data that could be traced to an individual beyond a reasonable amount of time.</p>
	<p>The European Union, on the other hand, is going in the opposite direction from Rep. Markey. New laws passed in December by the EU require Internet companies to retain data for as much as two years, specifically so the EU governments can use that data in their own fights against terrorism. Law enforcement would have the right to access this information automatically.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/google_subpoena_privacy.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>&#8220;Zero-Day-Attack&#8221; Exploits Windows OS</title>
		<link>http://www.pcsecuritynews.com/news/microsoft_zero_day_attack.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/microsoft_zero_day_attack.wpml#comments</comments>
		<pubDate>Tue, 03 Jan 2006 18:15:15 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>spyware</category>
	<category>microsoft</category>
	<category>hacking</category>
		<guid>http://www.pcsecuritynews.com/news/microsoft_zero_day_attack.wpml</guid>
		<description><![CDATA[Security experts discovered a serious vulnerability in late December known as the "zero-day-attack", through which hackers can attack a fully patched Windows XP or Windows Server 2003 system. ]]></description>
			<content:encoded><![CDATA[	<p>Security experts discovered a serious vulnerability in late December, through which hackers can attack a fully patched Windows XP or Windows Server 2003 system. The vulnerability involves the OS handling a corrupted Windows Metafile (.WMF) graphic file. </p>
	<p>Microsoft has not released a fix for the vulnerability, which has already caused significant damage. <a id="more-123"></a>The company has recommended that users wait until they release their official patch on January 10. Pending availability of Microsoft&#8217;s update, users are advised to take the step of disabling .WMF file handling by unregistering the shimgvw.dll file. However, doing so will prevent Windows Picture and Fax Viewer from functioning properly, and will not allow IE to show thumbnails of digital photos. Blocking .WMF files at the firewall would meet with only partial success, because attackers can easily re-name the infected files with a different graphics extension. The flaw is referred to as a &#8220;<strong>zero day</strong>&#8221; exploit because of the window of opportunity that exists for attack, and hackers have been stepping up their efforts to take advantage of the problem before the patch becomes available. Source code and kits for creating attacks based on the vulnerability are widely available on the Internet.</p>
	<p>The exploit can take place if a user opens a malicious .WMF file in the Windows Picture and Fax Viewer utility, or previews the file in Windows Explorer. The vulnerability allows an attacker to hide malicious code in an ordinary graphic file that can be spread through e-mail, instant messaging, or on Web pages. There have been hundreds of reports of infected Web sites. <strong>An attack can also be triggered simply from visiting a Web site that hosts an infected graphic or by opening up an email displaying the graphic.</strong> Unlike many other hacks, which require users to take an overt action such as clicking on an attachment, the attack can be triggered simply from the corrupted file being served to the computer. </p>
	<p>The vulnerability can be used to deliver a wide variety of malicious payloads. Early reports of the vulnerability showed that it was being used to install adware and spyware on machines, although it could potentially be used for delivering Trojans and other types of malware as well. The vulnerability is especially dangerous, since antivirus software and IDS signatures do not recognize it. </p>
	<p>The SANS Internet Storm Center (www.sans.org) has made available an unofficial patch. Applying the patch will not negatively affect Windows graphics functions. Microsoft does not recommend using any unofficial patches, but other security experts advise against waiting for Microsoft to deliver, and recommend taking immediate action to prevent attacks. </p>
	<p><a href="http://www.pcsecuritynews.com/zero_day_movie.html">[Click here for a Tutorial on disabling the shimgvw.dll file]</a></p>
	<p><a href="http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx">[Click here for the updated Microsoft Patch]</a>
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/microsoft_zero_day_attack.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Unwanted Christmas Greeting Plagues Net Users</title>
		<link>http://www.pcsecuritynews.com/news/merry_x_a_trojan.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/merry_x_a_trojan.wpml#comments</comments>
		<pubDate>Tue, 27 Dec 2005 19:07:50 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>worm</category>
		<guid>http://www.pcsecuritynews.com/news/merry_x_a_trojan.wpml</guid>
		<description><![CDATA[A new Trojan was discovered called MerryX.A, which delivers a payload much worse than coal in your Christmas stocking.]]></description>
			<content:encoded><![CDATA[	<p>During the holiday season, e-mails and electronic greetings fill every electronic mailbox, and recipients eagerly open them up in expectation of seeing friendly messages from friends, acquaintances, and relatives. But despite the temptation to let down one&#8217;s guard when presented with a festive &#8220;Merry Christmas&#8221; message, it&#8217;s still essential to take the standard precautions against malware. This year, PandaLabs discovered a new Trojan called MerryX.A, which delivers a payload much worse than coal in your Christmas stocking.<a id="more-122"></a></p>
	<p>The Trojan arrives in an e-mail with the words &#8220;MERRY CHRISTMAS&#8221; in the subject line. The message reads, &#8220;Merry Christmas and a Happy New Year!&#8221; and includes an animated graphic that shows the words &#8220;Merry Christmas&#8221; surrounded by festive lights. The payload is delivered through a self-extracting RAR file, which contains a Flash animation, and a Trojan file named SQLServer.exe.  The Flash animation shows Santa Claus leaving presents under a Christmas tree.</p>
	<p>But that&#8217;s not all this electronic Santa leaves behind. The Trojan then commences to record data about the computer, including IP address and hardware data, and sends that data to a remote host. The Trojan also downloads files from other Web pages, opening the door to additional malware. The Trojan is also capable of functioning as a keystroke logger, which is a type of <a href="http://www.pcsecuritynews.com/spywarestatistics.html">spyware</a> that can potentially steal passwords and other valuable information.</p>
	<p>Seasonal holidays or current events often make a perfect cover-up for a Trojan, and this isn&#8217;t the first time senders of malware have taken advantage of the Christmas spirit. Earlier in the month, the Christmas-themed IM.GiftCom.All worm was spread through instant messaging programs, and last year, the Zafi.D worm spread throughout the Net disguised as a Christmas card. IM.GiftCom.All steals contact information from IM applications, and sends messages to all listed contacts to encourage people to visit an infected Web site. </p>
	<p>In addition to deploying regularly updated anti-virus software, users are cautioned against opening e-mails and attachments unless they are from a known source. </p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/merry_x_a_trojan.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>New Microsoft Update Resolves Takeover Vulnerabilities</title>
		<link>http://www.pcsecuritynews.com/news/microsoft_update_05_12.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/microsoft_update_05_12.wpml#comments</comments>
		<pubDate>Wed, 14 Dec 2005 18:45:38 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>software</category>
	<category>microsoft</category>
		<guid>http://www.pcsecuritynews.com/news/microsoft_update_05_12.wpml</guid>
		<description><![CDATA[Microsoft issued two security bulletins which resolved several newly discovered vulnerabilities that allow an attacker to take complete control over a user's system.]]></description>
			<content:encoded><![CDATA[	<p>Microsoft issued two security bulletins on December 13. Microsoft Security Bulletins MS05-054 and MS05-055 resolve several newly discovered vulnerabilities, which could, in a worst case scenario, allow an attacker to take complete control over a user&#8217;s system. The extent of damage depends on the administrative rights of the user. If a user with administrative privileges were logged on, an attacker would then gain the same privileges, and would be able to install programs, alter data, or create new accounts. A user with fewer privileges would be less affected by the vulnerabilities. <a id="more-121"></a></p>
	<p>The first bulletin, MS05-054, resolves four separate, moderate and critical vulnerabilities. A file download dialog box manipulation vulnerability exists in the way IE displays download dialog boxes and takes user input. By exploiting this vulnerability, an attacker could create a custom dialog box to be placed in front of another dialog box. An attacker could create a &#8220;<a href="http://www.pcsecnews.com/dont_get_caught_by_a_phishing_scheme.html">phishing</a>&#8221; attack to lure users to a malicious Web site, through which the attack could be executed. As such, the attack depends largely on social engineering. Ultimately the attacker could gain the same user privileges as the victim. One of the best precautions against social engineering attacks of this nature is educating users to recognize potential social engineering attacks when they see them. Outside of that, changing settings to issue a prompt before any active code is run will help users be aware of potential attacks. </p>
	<p>The second item details a moderate HTTP proxy vulnerability that would allow an attacker to read Web addresses in clear text when sent from IE to a proxy server, even when there is a secure HTTPS connection. This attack cannot be targeted to a specific user, and requires an attacker to be on the same network as the victim. The client system must be configured to use an authenticating proxy server that is using Basic HTTPS authentication. An immediate workaround is to not use Basic authentication. Basic authentication uses simple Base64 encoding, which is functionally equivalent to clear text in terms of security, to send credentials to the proxy server.</p>
	<p>The third item in the bulletin addresses a critical remote code execution vulnerability that involves how IE instantiates COM objects that are not meant to be instantiated. An attacker could potentially create a malicious Web page that would allow remote code execution to take control of a system. Like the first vulnerability, this vulnerability depends largely on social engineering to be successful, but could allow an attacker to gain the same rights as the local user. Changing settings to prompt for active code, or setting the security zone higher will mitigate the possibility of the attack occurring. The fourth item is also a critical remote code execution vulnerability involving IE mismatching Document Object Model (DOM) objects. Like the previous vulnerability, it requires social engineering and an attacker to create a malicious Web page to allow remote code execution to gain control over a target system. </p>
	<p>Microsoft Bulletin MS05-055 details a newly discovered vulnerability, which like the previous ones, allows an attacker to take over a target system. This is a Windows kernel vulnerability, which could jeopardize authorization procedures to allow an authorized user to gain additional privileges. This bulletin especially highlights the risks that are present from internal users. The attack, which cannot be exploited anonymously or remotely, requires an attacker to have a valid logon. It takes advantage of how Windows processes items in the asynchronous procedure call (APC) queue list.</p>
	<p>In addition to educating users about social engineering attacks and best practices, and setting systems to issue prompts before running active code, users should apply Microsoft&#8217;s updates to close the vulnerabilities. The MS05-054 update is available at <a href="http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx</a>; the MS05-055 update at <a href="http://www.microsoft.com/technet/security/Bulletin/MS05-055.mspx">http://www.microsoft.com/technet/security/Bulletin/MS05-055.mspx</a>. </p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/microsoft_update_05_12.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Spyware Company Shut Down by FTC</title>
		<link>http://www.pcsecuritynews.com/news/spyware_company_shut_down_by_ftc.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/spyware_company_shut_down_by_ftc.wpml#comments</comments>
		<pubDate>Fri, 11 Nov 2005 21:53:23 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>spyware</category>
	<category>privacy</category>
		<guid>http://www.pcsecuritynews.com/news/spyware_company_shut_down_by_ftc.wpml</guid>
		<description><![CDATA[A small group of individuals doing business under multiple company names has been disseminating spyware by offering consumers free music files, browser upgrades, and ring tones.]]></description>
			<content:encoded><![CDATA[	<p>A small group of individuals doing business under multiple company names has been disseminating spyware by offering consumers free music files, browser upgrades, and ring tones. Embedded in the free programs, however, were small trojans that downloaded dangerous spyware onto each target computer. In other instances, the group also disseminated its malware by causing a program to be installed in consumers&#8217; computers, which would flash warnings about their computer&#8217;s security and spyware. Ironically, the warning itself was in fact spyware, and when concerned consumers would click on the warning, they would download spyware into their systems. </p>
	<p>One of the group&#8217;s products was called Elitebar, a deceptive type of adware that propagates through social engineering methods, Java scripting errors and dialog boxes. </p>
	<p>The U.S. District Court for the Central District of California in Los Angeles, at the request of the FTC, shut down the operation as of November 10, 2005. The courts have frozen the organization&#8217;s assets, and the FTC will ask that the deceptive practices be barred permanently. The agency claims that the practices are unfair, deceptive, and violate the FTC Act. </p>
	<p>According to the FTC complaint, the defendants created software code that tracked the behavior of Internet users, hijacked home page settings, inserted toolbars and advertising side-frames, and generated pop-up ads. The complaint further stated that the malware often interfered with proper functioning of targeted computers. </p>
	<p>The case was made with the assistance of Microsoft Corporation, <a href="http://www.pcsecuritynews.com/webroot.html">Webroot Software</a>, and Google Inc. <strong>The FTC recommends that consumers take steps to address the spyware risk, including setting browser security to detect unauthorized downloads, using anti-virus software and a firewall, downloading free software only from trusted sites, avoiding clicking on links inside pop-up windows or from spam links claiming to offer anti-spyware software, and considering deploying a legitimate anti-spyware software solution from a trusted company. In addition to deploying anti-spyware programs, consumers and companies can combat spyware by avoiding use of peer-to-peer sites and instant messaging, which are often conduits of spyware.</strong></p>
	<p>The FTC action against the group reflects only a small portion of the growing spyware problem. <strong>EarthLink reports that the average PC has 28 spyware programs; a Dell report shows that 12 percent of tech support calls were due to the presence of spyware.</strong> In most cases, users do not realize they are downloading spyware. <strong>It is often downloaded into the computer automatically in the form of a trojan, along with some sort of nominally useful free program.</strong> Spyware can also be launched when users click on email attachments or share files through peer-to-peer networks. It can also take the form of &#8220;active code&#8221; hidden inside a Web page, so that it launches automatically when the page is viewed. Because of the latter variation, many companies have taken the step of deploying URL filtering, which blocks many sites that are known to host spyware.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/spyware_company_shut_down_by_ftc.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Containing the Security Threats of Spyware</title>
		<link>http://www.pcsecuritynews.com/news/spyware_virus_threats_05.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/spyware_virus_threats_05.wpml#comments</comments>
		<pubDate>Fri, 02 Sep 2005 00:34:53 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>identitytheft</category>
	<category>virus</category>
	<category>spyware</category>
		<guid>http://www.pcsecuritynews.com/news/spyware_virus_threats_05.wpml</guid>
		<description><![CDATA[Spyware has overtaken viruses as the biggest security threat facing Windows computer users. A survey of Australian and New Zealand consumers conducted by Symantec in 2005 revealed that spyware and adware are creating chaos.]]></description>
			<content:encoded><![CDATA[	<p>Spyware has overtaken viruses as the biggest security threat facing Windows computer users. A survey of Australian and New Zealand consumers conducted by <a href="http://www.symantec.com/index.htm" target="_blank">Symantec</a> in 2005 revealed that spyware and adware are creating chaos. <a id="more-106"></a>The survey revealed that spyware is affecting more than 59 percent and adware more than 85 percent of the consumers through online security threats. </p>
	<p>Spyware is a term for programs that monitor computer usage. It is software installed on a computer without the knowledge or consent of the computer user. This software has the capacity to record the websites a person visits and can be used by criminals to look for a credit card, social security number or a bank password. But the catch is – with diligence one can avoid virus infection. The difference between spyware and adware is that while spyware can log keystrokes and even has the capability to track e-mail and instant messaging conversations, adware captures the preferences of the users over time and sends them to third parties.</p>
	<p>Spyware and adware are both potential threats to computer users, but in a way spyware is more lethal than adware because of the intensity of the damage that it could cause. </p>
	<p>Users who visit websites to download free programs (everything from screensavers to file sharing) are more prone to the threats of spyware, as this software generally gets downloaded with these programs. The usual symptom of this problem is that the computer often slows down or crawls and finally halts completely. </p>
	<p>Finally, the checks and balances – one should run both anti-virus and anti-spyware software and check that the programs are kept up to date. This will at least ensure that the system does not get victimized by spyware in the short run. </p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/spyware_virus_threats_05.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Businesses &#038; Governments face more computer security attacks</title>
		<link>http://www.pcsecuritynews.com/news/businesses_governments_-computer_security_attacks.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/businesses_governments_-computer_security_attacks.wpml#comments</comments>
		<pubDate>Mon, 22 Aug 2005 17:41:38 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>identitytheft</category>
	<category>hacking</category>
		<guid>http://www.pcsecuritynews.com/news/businesses_governments_-computer_security_attacks.wpml</guid>
		<description><![CDATA[According to research done by IBM’s Global service division, companies related to banking are attacked more often than most, and at an alarmingly increasing rate.]]></description>
			<content:encoded><![CDATA[	<p>According to research done by <a href="http://www-1.ibm.com/services/us/index.wss" target="_blank">IBM’s Global service division</a>, companies and government organizations are becoming the target of computer security attacks at a rapidly increasing rate.<a id="more-116"></a></p>
	<p>This Global service division, which supervises and maintains business networks in Boulder, admitted that the number of attacks it handled rose 50% in the first half of 2005 compared with the last six months of 2004.</p>
	<p>The report, titled <a href="http://www.google.com/search?hl=en&#038;lr=&#038;safe=off&#038;c2coff=1&#038;q=%22Global+Business+Security+Index%22" target="_blank">&#8220;Global Business Security Index&#8221;</a>, measures security attacks in broad terms, ranging from investigation work done by hackers to see if there are security flaws, to breaking into a network and stealing private information.</p>
	<p>Out of 237 million attacks this year, government agencies faced around 54 million malicious attacks, manufacturing firms around 36 million, and financial service providers such as credit-card companies and banks approximately 34 million.</p>
	<p>Of all the attacks, around 35 million were specifically meant to steal important data and private information for financial gain.</p>
	<p>Mr. David Mackey, head of the IBM team, made it clear while compiling the report that these attacks are very straightforward and cautious, as they heavily target only certain business sectors.</p>
	<p>If an organization has the word &#8220;banking&#8221; associated with its name, it is an open invitation to a security attack. For example, the <a href="http://www.coloradobankers.org/" target="_blank">Colorado Bankers Association</a>, which represents a bank but is not specifically a bank, used to receive around 15,000 to 17,000 security threats every day.</p>
	<p>According to Mr. Don Childears, President and Chief Executive of the association, in spite of the increasing number of attacks, the number of successful breaches is very low. In fear of these attacks, banks are continuously improving their networks. To check their security levels, they are appointing people to test security by trying to break existing security systems.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/businesses_governments_-computer_security_attacks.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Fast Response Champion: ZOTOB Emerges in 7 days</title>
		<link>http://www.pcsecuritynews.com/news/zotob_microsoft_virus.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/zotob_microsoft_virus.wpml#comments</comments>
		<pubDate>Wed, 17 Aug 2005 02:13:31 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>microsoft</category>
	<category>worm</category>
		<guid>http://www.pcsecuritynews.com/news/zotob_microsoft_virus.wpml</guid>
		<description><![CDATA[ZOTOB emerges only 7 days after MS Security Bulletin MS05-039 to play havoc with computers.]]></description>
			<content:encoded><![CDATA[	<p>Zotob (BotOZ spelled backwards?) has emerged as the reining champion in the contest to most quickly exploit an announced Microsoft Security Bulletin.  Unseating the existing champion Sasser, which took two weeks to emerge, Zotob has appeared only seven days  following the announcement of a vulnerability and an associated security patch.<a id="more-119"></a></p>
	<p>Spread thourgh a network plug and play (PnP) vulnerability, certain versions of Windows machines not protected by a firewall are at risk unless the security patch is applied.  Even networks with firewalls are at risk if netw0rked computers such as laptops travel outside the firewall protected area, become infected and return &#8220;home&#8221; to infect computers inside the company.</p>
	<p>On Aug 9, 2005 Microsoft released <a href="http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx" target="_blank">Security Bulletin MS05-039</a> and marked the flaw as &#8220;Critical&#8221;.  Affected computers are listed as Windows 2000, Windows 2003, XPPro64 and early installations XP which have not been updated(sp1 and sp2).  Windows 98 and Windows ME are listed as not vulnerable. </p>
	<p>Microsoft&#8217;s summary states that &#8220;A remote code execution vulnerability &#8230; could allow an attacker &#8230; to take complete control of the affected system.&#8221;  In short, the worm can install itself with no user action giving hackers complete control of an infected system.</p>
	<p>Since the initial discovery of ZOTOB, other variants have emerged which are exploiting the PnP vulnerability.</p>
	<p>Computers at CNN, ABC and the New York Times have been hit, and CNN reported that infected computers were restarting repeatedly around 5 PM Tuesday and that it took IT staff about 90 minutes to return the computers to normal operations.</p>
	<p>McAfee, which is calling the virus W32/IRCbot.worm!MS05-039, has raised the Risk Assessment to High for both corporate and home users.</p>
	<p>Patches are available for the affected systems, and Microsoft recommends that you utilize a firewall to protect systems which have not yet had security updates installed.  Specifically, Microsoft recommends blocking inbound and outbound communications on TCP ports 139 and 445 (Common Internet File System ports) as an immediate protective measure against this worm.  This may interfere with normal activities, so applying the security patch is recommended.</p>
	<p>The speed with which this exploit was utilized raises further questions about a policy of full disclosure of software problems.  Issues surrounding full disclosure were in the news last month when <a href="http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html" target="blank">Cisco threatened legal action</a> to stop a researcher for a rival tech firm from discussing how hackers could seize control of Cisco&#8217;s routers.  In that case, the researcher went ahead and explained the vulnerability to his audience and Cisco followed through on its threats.</p>
	<p>Virus writers often rely on such disclosures when looking for ways to create new exploits.  Arguments exist both for and against companies and others quickly and fully disclosing discovered vulnerabilities.  In the Cisco case, the researcher argued that due to the lack of willingness by Cisco to fully disclose the fault, system administrators didn&#8217;t realize the urgency of patching their systems.</p>
	<p>As the window of time between disclosure of a vulnerability and follow-up attacks utilizing the disclosed information shrinks, it becomes more important for each computer owner to have proactive steps in place to protect their computer from being a victim of the attack, even in the absence of applied security patches.  Regularly applying security patches is only a part of good computer security.</p>
	<p>As we here at PCSecurityNews have been watching the more recent attacks, we are becoming increasingly convinced that, full disclosure or not, patch announcements or not, the only way to be protected is to run, at a minimum, three programs on your computer: anti-virus, anti-spyware and a firewall.  In addition, watch for announcements of operating system (Windows) patches and apply them as soon as they become available.</p>
	<p>A recommendation from Microsoft: &#8220;[users should] block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.&#8221;  This means running a firewall.</p>
	<p>Related Resources:</p>
	<p>What You Should Know About Zotob: <a href="http://www.microsoft.com/security/incident/zotob.mspx" target="_blank">http://www.microsoft.com/security/incident/zotob.mspx</a><br />
Find out if you have it: <a href="http://go.microsoft.com/fwlink/?LinkId=40587" target="_blank">http://go.microsoft.com/fwlink/?LinkId=40587</a></p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/zotob_microsoft_virus.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>&#8220;Staggering&#8221; Identity Theft Ring Discovered Over the Weekend</title>
		<link>http://www.pcsecuritynews.com/news/sunbelt-coolwebsearch-identity-theft.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/sunbelt-coolwebsearch-identity-theft.wpml#comments</comments>
		<pubDate>Sun, 07 Aug 2005 19:29:59 +0000</pubDate>
		<dc:creator>HowardG</dc:creator>
		
	<category>security</category>
	<category>identitytheft</category>
	<category>spyware</category>
		<guid>http://www.pcsecuritynews.com/news/sunbelt-coolwebsearch-identity-theft.wpml</guid>
		<description><![CDATA[A Florida-based software company discovered a server containing personal information, including bank account information and social security numbers, from thousands of computers across the country.  Obtained through the use of spyware, the data on that server apparently has been, at the least, accessed by identity thieves.]]></description>
			<content:encoded><![CDATA[	<p>A Florida-based software company discovered a server containing personal information, including bank account information and social security numbers, from thousands of computers across the country.  Obtained through the use of spyware, the data on that server apparently has been, at the least, accessed by identity thieves.<a id="more-100"></a></p>
	<p>The company responsible for the discovery, <a href="http://www.sunbelt-software.com/" target="_blank">Sunbelt Software</a>, creates anti-spyware programs for computers and was doing research on a spyware program known as <a href="http://www.spywareguide.com/product_show.php?id=599" target="_blank">CoolWebSearch</a> (CWS) when the server was found.  On August 4, 2005, the senior Sunbelt researcher, Patrick Jordan, infected a test computer with CWS, then noticed that the system had been converted into a <a href="http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/" target="_blank">spam zombie</a> (meaning the computer is being remotely used to send out spam messages) and was contacting a remote server.  Jordan tracked the server and was astounded by what he uncovered.  Sunbelt&#8217;s president, Alex Eckleberry, said of Jordan&#8217;s discovery:  “Patrick is a veteran of spyware, and even he admits to never having seen something like this before. It’s pretty staggering.”<em><a href="http://netrn.net/spywareblog/archives/2005/08/05/massive-id-theft-ring-discovered/" target="_blank">(see SpywareWarrior)</a></em></p>
	<p>The server contained an enormous amount of personal information that had been collected through the use of a keylogger which recorded every keystroke made by the users.  This information contained bank account numbers, birth dates, social security numbers, user names and passwords, eBay account information, credit card numbers, even entire chat room and instant message conversations.  The server also held details about one family&#8217;s vacation plans and lists of pornographic web sites visited by users.</p>
	<p>When Jordan and the Sunbelt staff investigated the server further, they found that all of the incoming information was being neatly organized into separate files that were growing at incredible rates.  Thousands of computers were reporting back to the remote server daily and adding new information to the files without the users even being aware of a problem.</p>
	<p>The victims were not all individuals either.  For example, the computer contained information for one business&#8217;s bank account that contained over $350,000.  All of the data needed to access that chunk of money was available for the taking by any identity thief.</p>
	<p>Nor do the victims seem to be limited to any one geographical area.   One California business appeared on the server, along with the information that the firm had $11,000 of cash readily available.  All of the personal information for a family in Arizona, whose patriarch had just undergone open-heart surgery, was also on the server.   The server itself is located in the United States, according to Sunbelt, but the domain is registered in China, which may make it more difficult to track down the responsible parties.  Both the FBI and the Secret Service are in contact with Sunbelt and are investigating the situation.</p>
	<p>Although Sunbelt&#8217;s research staff discovered the server while studying a CWS variant, <a href="http://sunbeltblog.blogspot.com/2005/08/more-on-identity-theft-ring.html" target="_blank">Eckleberry stated in his blog</a> on August 6, 2005 that they were still trying to determine whether the problem was directly related to CWS.   CWS is a scumware/Trojan hybrid, which usually pretends to be a harmless program while redirecting users to affiliate sites.  Currently, there are more than 1,000 sites affiliated with CWS.  Computers can be infected by CWS through pop-up ads without the user&#8217;s knowledge.  Once infected, computers can begin to experience a wide variety of problems, including unwanted additions to the “Favorites” list, Internet Explorer slowdowns, and altered home pages.</p>
	<p>Computer users can protect themselves against CWS in the following ways:</p>
	<ol>
	<li>By using an additional firewall – The firewalls on most routers and provided through Microsoft XP do not prevent information from leaving computers.  A firewall that stops both incoming and outgoing information is a necessity.</li>
	<li>By staying up-to-date with security updates through the Microsoft web site – CWS and many other spyware programs access computers because of “security holes” in Microsoft&#8217;s products.  Updates are made available to patch these holes and to keep Microsoft users secure.</li>
	<li>By using a pop-up blocker – Because CWS infiltrates computers through pop-up ads, the best way to stop an infection is to block the ads from appearing on the computer in the first place.</li>
	</ol>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/sunbelt-coolwebsearch-identity-theft.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>First Pocket PC Virus Discovered</title>
		<link>http://www.pcsecuritynews.com/news/first_pocket_pc_virus.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/first_pocket_pc_virus.wpml#comments</comments>
		<pubDate>Sun, 17 Jul 2005 23:00:23 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>microsoft</category>
	<category>mobile</category>
		<guid>http://www.pcsecuritynews.com/news/first_pocket_pc_virus.wpml</guid>
		<description><![CDATA[The first ever virus to breach the security of Microsoft Pocket PC operating systems has been discovered.]]></description>
			<content:encoded><![CDATA[	<p>The first ever virus to breach the security of Microsoft Pocket PC operating systems has been discovered. The credit for this discovery goes to antivirus researchers at the security software firm, <a href="http://www.sophos.com" target="_blank">Sophos</a>.<a id="more-109"></a></p>
	<p>The virus, named ‘Duts (W32/Duts-A)’, was developed by someone called ‘Ratter’, belonging to the well known <a href="http://vx.netlux.org/lib/iv001.html" target="_blank">‘29A VX’ virus coding group</a>. This group is also reported to have written code for viruses that could spread between smartphones running <a href="http://www.allaboutsymbian.com/software/" target="_blank">Symbian software</a>.</p>
	<p>When run, the infected file displays a message: &#8220;Dear User, am I allowed to spread?&#8221; If the user agrees to this, the virus will try to infect other programs on the Personal Digital Assistant (PDA). </p>
	<p>The virus has been developed by 29A VX group as a ‘proof of concept’, and hence, it presents no real threat.</p>
	<p>The virus has been coded to show that it is possible to generate programs that could spread via handhelds and mobile devices. It is estimated that there are 17 million <a href="http://www.microsoft.com/windowsmobile/pocketpc/ppc/default.mspx" target="_blank">Windows Pocket PC</a> devices worldwide.</p>
	<p>A senior executive at an anti-virus research firm said that a major outbreak is not expected. He added that Duts is unable to spread independently, only infects a limited number of files, and signals its presence in the system when attempting to propagate.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/first_pocket_pc_virus.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>CSI Reports Glaring Security Issues</title>
		<link>http://www.pcsecuritynews.com/news/csi-reports-glaring-security-issues.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/csi-reports-glaring-security-issues.wpml#comments</comments>
		<pubDate>Thu, 14 Jul 2005 23:06:22 +0000</pubDate>
		<dc:creator>Jordana</dc:creator>
		
	<category>identitytheft</category>
	<category>fraud</category>
		<guid>http://www.pcsecuritynews.com/news/csi-reports-glaring-security-issues.wpml</guid>
		<description><![CDATA[The Computer Crime and Security Survey tenth annual report suggests that IT departments are focusing more on costs and returns than on actual implementation of security plans.  Banks, credit card companies and brokerage firms are all faced with the threat of criminals hacking into their computer systems and retrieving personal account information.]]></description>
			<content:encoded><![CDATA[	<p>The Computer Crime and Security Survey conducted by <a href="http://www.gocsi.com/" target="_blank">Computer Security Institute</a> (CSI) released its tenth annual report today amidst growing instances of security threats in the financial services industry.<a id="more-92"></a></p>
	<p>A positive aspect outlined in the CSI report is the decrease in the amount of financial losses resulting from security breaches. The financial losses declined by more than 60 percent in the year 2003-2004, as compared to 2002-2003. However, the report did point out some pertinent issues including unauthorized access and theft of proprietary information. </p>
	<p>Conducted among 700 computer security practitioners, the survey also suggests that IT departments are focusing more on costs and returns than on actual implementation of security plans. This is in line with the fact that IT security still comprises about 3 percent of total IT budgets. Many felt that this percentage is insufficient, stating that 6 percent should be optimal.</p>
	<p>Banks, credit card companies and brokerage firms are all faced with the threat of criminals hacking into their computer systems and retrieving personal account information. But, as the survey suggests, organizations may choose not to disclose security breaches for fear of negatively impacting their reputations. Further, it is always possible that organizations may not be aware of the security breach. </p>
	<p>But in all these circumstances, the customers are the real victims. Although there are regulations requiring that customers be informed if a hacker makes unauthorized purchases, they are not strictly adhered to or uniformly implemented in all the US states. At present, only a few states - including California, Alaska, Arkansas and Washington - require companies to alert the public.</p>
	<p>Historically, companies have failed to invest money and resources into information assets and data security measures.  Most companies would rather react to a major security problem than deal with the difficulty and costs associated with protecting and storing data.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/csi-reports-glaring-security-issues.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Sitekey Holds Promise for Bank of America’s Security Efforts</title>
		<link>http://www.pcsecuritynews.com/news/sitekey-security-boa-system.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/sitekey-security-boa-system.wpml#comments</comments>
		<pubDate>Tue, 12 Jul 2005 23:31:17 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>identitytheft</category>
	<category>fraud</category>
		<guid>http://www.pcsecuritynews.com/news/sitekey-security-boa-system.wpml</guid>
		<description><![CDATA[Bank of America implements Sitekey system to protect customer accounts.]]></description>
			<content:encoded><![CDATA[	<p><a href="http://www.bankofamerica.com/" target="_blank">Bank of America</a> has taken many proactive steps in the past to counter the threat of online banking frauds. With an online banking customer base of 13.2 million, Bank of America needs to exercise extra caution. So in a recent move, it has decided to roll out a robust security system that it believes will be difficult to breach. <a id="more-103"></a></p>
	<p>The Bank’s new online security system, known as <a href="http://www.bankofamerica.com/privacy/passmark/" target="_blank">Sitekey</a>, is being launched in different locations and is expected to cover the United States by the end of this year. The basic idea of Sitekey is to provide an extra layer of security in case an unknown person attempts to access an online account. The technology, created by <a href="http://www.passmarksecurity.com/" target="_blank">PassMark Security</a>, a California-based company, does not make use of the traditional user-password system of accessing accounts. Rather, it requires the customers to select one of a thousand different images and answer three challenging questions. According to Mark Goines, chief marketer for PassMark Security, “SiteKey uses a secure cookie to link a user&#8217;s PC to the Bank of America Web site. The cookie can only be read by a server with a specific security certificate and not by a malicious Web site set up by an attacker.” </p>
	<p>Sitekey has already been launched in Tennessee and is being rolled out in Virginia, Maryland and Washington, D.C., this week. </p>
	<p>There have been a number of online security breaches in the recent past, so security is a top priority for all the banks in the United States, including Bank of America. Bank of America, in particular, has faced a series of security threats. In May 2005, Bank of America and <a href="http://www.wachovia.com/" target="_blank">Wachovia Corp</a> had to alert 100,000 of their customers when a few bank employees were allegedly charged with stealing records of bank customers. Similarly, in February 2005, Bank of America lost data tapes containing important personal details of federal employees.  Wachovia Corp is also in the process of researching various online authentication programs to provide the level of security that is desired in the banking industry. </p>
	<p>The proactive efforts of various banks to deal with online frauds suggest the relevance of this issue. As Jim Stickley of <a href="http://www.tracesecurity.com/" target="_blank">TraceSecurity Inc.</a>, a computer security company not involved with SiteKey, says, “Although SiteKey would not have prevented recent high-profile security breaches, it shows how seriously the bank considers security&#8221;.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/sitekey-security-boa-system.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>NY Attorney General Targets Spyware</title>
		<link>http://www.pcsecuritynews.com/news/ny-attorney-general-targets-spyware.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/ny-attorney-general-targets-spyware.wpml#comments</comments>
		<pubDate>Wed, 15 Jun 2005 20:04:05 +0000</pubDate>
		<dc:creator>Jordana</dc:creator>
		
	<category>security</category>
	<category>spyware</category>
		<guid>http://www.pcsecuritynews.com/news/ny-attorney-general-targets-spyware.wpml</guid>
		<description><![CDATA[NY Attorney General Spitzer sets sights on fighting spyware.]]></description>
			<content:encoded><![CDATA[	<p>Nicknamed the &#8220;Sheriff of Wall Street&#8221; for his widely recognized vigilance in matters of consumer protection and business fraud, <a href="http://www.oag.state.ny.us/" target="linkout">New York Attorney General Eliot Spitzer&#8217;s office</a> settled a big spam lawsuit against OptInRealBig.com of Colorado last year. Now, he has set his sights on spyware.<a id="more-91"></a></p>
	<p>&#8220;Spyware and adware are more than an annoyance,&#8221; Spitzer said. &#8220;These fraudulent programs foul machines, undermine productivity and in many cases frustrate consumers&#8217; efforts to remove them from their computers. These issues can serve to be a hindrance to the growth of e-commerce.&#8221;</p>
	<p>To find out about an average consumer&#8217;s experience on the Internet, Spitzer set up three computers in the storeroom of his office in Manhattan. His investigators spent six months surfing web sites that are likely to contain spyware and adware (such as sweepstakes and free giveaway sites). The hard drives of these computers were frequently scanned for unwanted downloads.</p>
	<p>As a result of this investigation, Spitzer&#8217;s office is suing <a href="http://www.intermix.com/" target="linkout">Intermix Media Inc.</a> of Los Angeles for installing many ad-delivery programs along with the free cursors, games and screensavers their web sites (including mycoolscreen.com, cursorzone.com and flowgo.com) offer for download. This adware causes pop-up ads, redirects users to their search pages, and also proves extremely difficult to uninstall.</p>
	<p>The Attorney General&#8217;s civil suit claims that Intermix has violated New York&#8217;s General Business Law by using false advertising and deceptive business practices as well as being guilty of trespass under the state&#8217;s common law provisions. The suit seeks a court order requiring Intermix to stop secretly installing spyware, give an accounting of all revenues made on these products, and pay penalties.</p>
	<p>Intermix responded by insisting that its toolbars and redirect applications are not spyware because they do not collect or report any information from users. They also stated that the software in question will be taken off the market until every precaution is taken to ensure that users are fully informed about and consent to the installation of the applications during the download process and that the applications, once installed, can be located and removed easily.</p>
	<p>&#8220;One of Internet users&#8217; biggest frustrations today is unwanted software that sneaks onto computers without their owner&#8217;s consent and cannot be uninstalled.&#8221; said Ari Schwartz, of the Center for Democracy and Technology in Washington, D.C.</p>
	<p>Companies have gotten away with unethical and illegal software download practices for too long. The practices alleged in this case are widespread on the Internet and we hope that both federal and state authorities follow Attorney General Spitzer&#8217;s lead in making this a priority.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/ny-attorney-general-targets-spyware.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>2005 Survey on Computer Crime Prevention</title>
		<link>http://www.pcsecuritynews.com/news/2005-computer-crime-prevention.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/2005-computer-crime-prevention.wpml#comments</comments>
		<pubDate>Tue, 07 Jun 2005 15:40:06 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>identitytheft</category>
	<category>internet</category>
	<category>fraud</category>
		<guid>http://www.pcsecuritynews.com/news/2005-computer-crime-prevention.wpml</guid>
		<description><![CDATA[CSI/FBI Annual Computer Crime and Security Survey shows improvements over prior years but lots of work yet to do.  Damage from Denial-of-Service attacks surpasses theft of proprietary information.]]></description>
			<content:encoded><![CDATA[	<p><a href="http://www.gocsi.com" target="_blank">Computer Security Institute</a> of San Francisco, with the help of the Federal Bureau of Investigation&#8217;s local Computer Intrusion Squad, conducts an annual survey, the Annual Computer Crime and Security Survey. <a id="more-96"></a>There were 494 respondents in the survey conducted in 2004. The respondents belonged to U.S. corporations, government agencies, financial institutions, medical organizations and universities. </p>
	<p>The CSI/FBI survey clearly shows that cyber crime continues to be a significant threat to American organizations, but survey respondents appear to be getting real results from their focus on information security. Their average dollar losses per year have dropped in each survey for four straight years. </p>
	<p>Denial-of-service attacks have surpassed theft of proprietary information as the most costly computer crime among survey respondents. This reflects the proliferation of viruses that implant time-triggered programs on computers to launch denial-of-service attacks against targeted networks. </p>
	<p>The survey found that of the 481 respondents who answered a question about whether or not their organization had experienced unauthorized use of its computer systems during the prior 12 months, 53 percent said yes, compared with about 57 percent the year before.</p>
	<p>About 35 percent said there had been no unauthorized use during the preceding 12 months, up from about 29 percent a year earlier; and 11 percent said they didn&#8217;t know if there had been unauthorized use, versus approximately 14 percent in 2003.</p>
	<p>The number of security breaches originating from within the reporting organizations and those originating from the Internet or outside those organizations were about evenly split in the latest year, respondents indicated.</p>
	<p>Surveyors said the 269 respondents willing or able to quantify their estimated losses from computer crimes in the latest year reported that their aggregate costs reached $141.5 million, down from the aggregate $201.8 million reported by about 249 respondents a year ago. Respondents cited in the 2002 survey attributed more than $455 million in aggregate losses to computer crime.</p>
	<p>The five most costly categories of computer crimes and the estimated losses attributed to such crimes by survey respondents were as follows: denial-of-service attacks, $26.1 million; theft of proprietary information, $11.5 million; insider network abuse, $10.6 million; abuse of wireless network, $10.2 million; and financial fraud, $7.7 million.</p>
	<p>Of the 132 respondents reporting security problems at their organizations&#8217; Internet Web sites, 89 percent reported one to five incidents, 6 percent cited six to 10, and 5 percent acknowledged more than 10 cases of unauthorized activity.</p>
	<p>Asked about the types of security technology they use, nearly all of the 483 respondents to the question cited antivirus software and firewalls. More than half mentioned reusable account and login passwords, encryption for data in transit, intrusion-detection tools and server-based network access control lists.</p>
	<p>Of the 481 respondents who reported the percentage of their total information technology budget spent on security, 24 percent said 1 percent to 2 percent; 22 percent said 3 percent to 5 percent; 7 percent said 6 percent to 7 percent; 8 percent said 8 percent to 10 percent; and another 8 percent said more than 10 percent. About 16 percent of the respondents said they allocated less than 1 percent of their overall IT budget for security, and 14 percent acknowledged that they did not know the percentage breakdown.</p>
	<p>The percentage of organizations that shared information about security breaches with anyone has remained virtually unchanged since 1999 at 48 percent. But they pointed out that the percentage that shares information about cyber crimes with law enforcement dipped from a high of about 36 percent in 2001 to 20 percent in 2004. </p>
	<p>About half, or 51 percent, of the 267 respondents that said they did not report a cyber crime to law enforcement officials cited as an important reason the notion that negative publicity would hurt the company’s stock or image. </p>
	<p>According to researchers, some 488 respondents answered when asked to rate the degree to which they agree with the statement, &#8220;My organization invests the appropriate amount on security awareness.&#8221; Across all the sectors surveyed, on average, the respondents did not believe that their organizations invest enough in such training, the CSI sources indicated.</p>
	<p>Just 28 percent of 320 respondents indicated that their organizations have external insurance policies to help manage computer systems security risks, researchers said.</p>
	<p>Questioned about their propensity to outsource information security functions, 63 percent of the 478 respondents said they had none, but a full quarter indicated that they paid others to handle up to 20 percent of their security chores. About 5 percent said they outsourced 21 percent to 40 percent, 4 percent said they outsourced 41 percent to 60 percent, 2 percent said they outsourced 61 percent to 80 percent and 1 percent said they outsourced 81 percent to 100 percent.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/2005-computer-crime-prevention.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>New Variant of Sober Worm</title>
		<link>http://www.pcsecuritynews.com/news/sober_worm_spam.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/sober_worm_spam.wpml#comments</comments>
		<pubDate>Wed, 18 May 2005 03:03:06 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>spam</category>
	<category>worm</category>
		<guid>http://www.pcsecuritynews.com/news/sober_worm_spam.wpml</guid>
		<description><![CDATA[Computer security firm, Sophos, estimates that Sober computer worm has a share of more than 5 percent of all e-mails sent worldwide.]]></description>
			<content:encoded><![CDATA[	<p>Computer security firm, <a href="http://www.sophos.com/" target="_blank">Sophos</a>, estimates that the Sober computer worm has a share of more than 5 percent of all e-mails sent worldwide. In early May, the Sober-N worm infected thousands of computers by posing as a way to get tickets for the 2006 World Cup in Germany. The first Sober worm was seen in October 2003.<a id="more-118"></a></p>
	<p>&#8220;<a href="http://vil.mcafeesecurity.com/vil/content/v_126243.htm" target="_blank">Sober-N</a> stormed to the top of the chart in early May 2004, making it one of the biggest outbreaks so far this year,&#8221; said Carole Theriault, security consultant at Sophos.</p>
	<p>The Sober worm is sent to a recipient in an e-mail, but it is activated only if the recipient opens the attachment. Sometimes the mail says that the recipient’s account and password information has been stolen and provokes them to open the attachment.</p>
	<p>A new variant of the Sober worm (<a href="http://vil.nai.com/vil/content/v_133684.htm" target="_blank">Sober-Q Trojan virus</a>) has also been reported to be infecting computers already infected by the earlier Sober-N worm, in order to send out masses of spam. </p>
	<p>Sober-Q comes in an e-mail with a message in either English or German. The virus stores a file on the infected computer, along with the German text “Ich bin immer noch kein Spammer! Aber sollte vielleicht einer werden”, which translates to &#8220;I&#8217;m not a spammer, but perhaps I should become one&#8221;.</p>
	<p>It includes subject lines such as &#8220;Dresden Bombing Is To Be Regretted Enormously,&#8221; &#8220;Armenian Genocide Plagues Ankara 90 Years On,&#8221; and &#8220;Turkish Tabloid Enrages Germany with Nazi Comparisons&#8221;.</p>
	<p>Upon opening the attachment, the worm shows a fake error message. The message states that some files of the WinZip software are missing. The worm then copies itself to the Windows System folder in two separate locations. It uses filenames that include strings such as sys, spool, crypt, host, dir, service, win, run, 32, and data. The extension of the filename is always &#8220;exe.&#8221;</p>
	<p>The worm then generates numerous registry keys to ensure that it will run on startup and searches for e-mail addresses on the infected machine. It then starts mailing itself to all the addresses present in the address book in the system.</p>
	<p>It appears that the virus originators have remote control over Sober infected machines, and it gives them a network from which to launch continued spam and denial of service attacks.</p>
	<p>This variant of the Sober worm affects computers running Windows 2000, 95, 98, Me, NT, Server 2003 and XP.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/sober_worm_spam.wpml/feed/</wfw:commentRSS>
	</item>
		<item>
		<title>Computer virus attacks university email system</title>
		<link>http://www.pcsecuritynews.com/news/virus_attacks_university_email.wpml</link>
		<comments>http://www.pcsecuritynews.com/news/virus_attacks_university_email.wpml#comments</comments>
		<pubDate>Tue, 17 May 2005 23:55:41 +0000</pubDate>
		<dc:creator>DarrenS</dc:creator>
		
	<category>security</category>
	<category>virus</category>
	<category>spam</category>
	<category>microsoft</category>
		<guid>http://www.pcsecuritynews.com/news/virus_attacks_university_email.wpml</guid>
		<description><![CDATA[A new virus has started infecting computers globally. Waikato University is struggling hard to fight against this virus which has infected four other systems around the world.]]></description>
			<content:encoded><![CDATA[	<p>A new virus has started infecting computers globally. <a href="http://www.waikato.ac.nz/" target="_blank">Waikato University</a> is struggling hard to fight against this virus which has infected four other systems around the world. <a id="more-115"></a></p>
	<p>At first, students of Waikato University were facing a lot of problems in sending and receiving messages through the internet, but now it has started creating problems for staff also. Even <a href="http://www.microsoft.com/" target="_blank">Microsoft</a> was unable to solve the problem when called upon to find the cause. </p>
	<p>According to the Director of University information technology services, the problem is so massive that it is really very hard to detect the fault.</p>
	<p>After long research, it was found that this virus was caused by certain factors, i.e. a large amount of spam, genuine mail, and people not clearing the mail in their inboxes.</p>
	<p>In certain cases, students have also waited up to half an hour to send an e-mail. This delay in sending mail has greatly annoyed the students, and they are blaming the university’s web support system for it. In order to solve this problem, Microsoft has discovered a short-term solution by changing its web mail program. Now the systems have started working again for students.</p>
	<p>According to Waikato University Student’s Association president Shiju Pushpamangalam, “Microsoft is trying to offer information technology support for students and staff. But even though the problem has come to an end for students, it is still a major issue for the staff.”</p>
	<p>Microsoft has assured them of providing good research as it’s a part of their teaching and learning environment.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.pcsecuritynews.com/news/virus_attacks_university_email.wpml/feed/</wfw:commentRSS>
	</item>
	</channel>
</rss>
