
NEWS - November 01, 2010

Bredolab Mastermind Was Key Affiliate

The man arrested in Armenia last week for allegedly operating the massive "Bredolab" botnet - a network of some 30 million hacked Microsoft Windows PCs that were rented out to cyber crooks - appears to have generated much of his clientele as an affiliate of, the global spamming operation whose members are blamed for sending a majority of the world's pharmaceutical spam.

Armenian authorities arrested 27-year-old Georg Avanesov on suspicion of being the curator of Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers used to direct the botnet's activities. In tandem with the arrest and the unplugging of those servers, Dutch service providers began redirecting local Internet users to a disinfection and cleanup page if their PCs showed signs of Bredolab infections.

Investigators allege that Avanesov made up to US$139,000 each month renting the botnet to criminals who used it for sending spam and for installing password-stealing malicious software. Avanesov, who is thought to have made millions over a career spanning more than a decade, was arrested after hopping a flight from Moscow to his home in Yerevan, Armenia's capital.

US civil rights organisation prepares for new 'crypto war'

The Electronic Frontier Foundation (EFF) reports that it has filed lawsuits against three agencies of the US Department of Justice demanding the release of documents justifying the need for stronger internet surveillance measures. The civil rights organisation justifies its action by citing the head of the FBI, who has publicly claimed that it is necessary to install back doors in electronic communication systems in order to preserve the ability of the security services to intercept information. The FBI is now being called on to provide evidence of the posited gaps in protection. The EFF is also using the Freedom of Information Act to demand examples from the Drug Enforcement Administration (DEA) and the Department of Justice Criminal Division that show their staff have been impeded in performing surveillance of online communications by the lack of these requested measures.

The EFF has been prompted to take action by reports that the government is working on a law to make it easier to eavesdrop on internet telephony, encrypted email and instant messaging (IM). The legislation would require developers of peer-to-peer (P2P) communications solutions, such as instant messaging or internet telephony applications, to design their applications to be susceptible to surveillance. The FBI wants suppliers and ISPs to ensure that investigators can be provided with plain text versions of all messages. The EFF sees echoes of the 'crypto war' in the 1990s, when government agencies spent several years demanding either the integration of deliberate vulnerabilities into, or the provision of spare keys for, cryptographic products. The EFF has reiterated its arguments from the debate held at that time - that the plans create security risks, will not stop criminals and will harm law-abiding businesses and citizens.

Facebook discovers and "punishes" UID-selling developers

The recent discovery that some Facebook applications were inadvertently forwarding users' UIDs to advertising agencies and data collection companies has spurred the social network to investigate the matter thoroughly and to try to think of a platform-wide solution that would prevent that from happening ever again.

But, the investigation uncovered a surprising fact - some developers were sharing the UIDs with data brokers for a fee. "While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously," said Facebook engineer Mike Vernal.

"As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies."

According to him, less than a dozen developers have been found guilty of sharing the UIDs. Most are small developers and their applications can't be found in the list of the top 10 most popular applications on Facebook.

RIAA and Anonymous sites both downed by DDoS assaults

Hacktivists briefly took out the two main Recording Industry Association of America (RIAA) websites on Friday afternoon as revenge for the organisation's long-running legal offensive against Limewire, which led to the closure of the controversial P2P service earlier in the week.

Denizens from the loosely-affiliated Anonymous collective used its Low-Orbit Ion Cannon (LOIC) tool to swamp the websites of and with spurious traffic. The assault began an hour later than originally planned at around 5pm EST on Friday, instead of at 4pm as the organisers originally planned, reports.

Is it legal to use Firesheep at Starbucks?

"Legal experts debate legality of Firefox add-on that steals Facebook, Twitter account access at public hotspots"

People using the Firesheep add-on may be breaking federal wiretapping laws, legal experts said today.

Or maybe not.

"I honestly don't know the answer," said Phil Malone, a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet & Society. Malone also served for more than 20 years as a federal prosecutor with the U.S. Department of Justice.

Firesheep, which was released just over a week ago and has been downloaded nearly half a million times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network - such as a coffee shop's public Wi-Fi hotspot - who are visiting an insecure Web site. A double-click in Firesheep gives its handler instant access to the accounts of others accessing Twitter and Facebook, among numerous other popular Web destinations.

But while the tool itself is not illegal, using it may be a violation of federal wiretapping laws and an invasion of privacy, experts said.

"There are two schools of thought," said Jonathan Gordon, a partner in the Los Angeles office of law firm Alston + Bird. "The first is that there's no reasonable expectation of privacy in a public insecure Wi-Fi connection."

Gordon, who regularly counsels clients on their Internet business practices, cited the U.S. statute pertaining to wiretapping, which states that it's not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."
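The exposure Firesheep relies on is a session cookie that a browser will hand over in the clear on an open hotspot. The following is an added example, not code from the article or from the Firesheep project: a small Python audit that parses Set-Cookie headers from constructed sample responses and flags session cookies that lack the Secure flag or were issued over plain HTTP. The hostnames, cookie names and the list of "session-like" name fragments are assumptions made for the example.

```python
# Added example, not code from the article or from the Firesheep project.
# Audits Set-Cookie headers for the weakness Firesheep relies on: a session
# cookie that the browser will also send over plain HTTP, where anyone on an
# open Wi-Fi network can capture it and replay it to take over the session.
from http.cookies import SimpleCookie

# Constructed sample responses (hostnames and cookie values are made up).
SAMPLE_RESPONSES = {
    "http://social.example/home": [
        "sessionid=abc123; Path=/; HttpOnly",
    ],
    "https://bank.example/account": [
        "sid=xyz789; Path=/; Secure; HttpOnly",
        "theme=dark; Path=/",
    ],
}

# Assumed name fragments that usually mark an authentication/session cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session(name):
    """Heuristic: does this cookie name look like it carries a session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(url, header_value):
    """Return (cookie_name, problem) pairs for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not looks_like_session(name):
            continue  # preference cookies are not worth stealing
        if not morsel["secure"]:
            findings.append((name, "no Secure flag: browser will send it over plain HTTP"))
        if not morsel["httponly"]:
            findings.append((name, "no HttpOnly flag: readable by injected script"))
        if url.startswith("http://"):
            findings.append((name, "issued over plain HTTP: already visible to a sniffer"))
    return findings


def audit_site(responses):
    """Audit every response; returns {url: [findings]} (empty list means OK)."""
    report = {}
    for url, headers in responses.items():
        report[url] = [f for h in headers for f in audit_set_cookie(url, h)]
    return report


if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_RESPONSES).items():
        print(url, "OK" if not findings else "")
        for name, problem in findings:
            print("   ", name, "-", problem)
```

Run against real responses by feeding the raw Set-Cookie header values from your own site's responses into `audit_site`; a clean result for every login and session cookie is the condition under which a Firesheep-style sniffer on the same hotspot has nothing useful to capture.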

Search engine Blekko launches; eliminates spam

The result is an improved search experience that delivers results from high quality sites, leaving behind spammers, aggregators and content farms.

Blekko bases its technology on a simple tool called a slashtag. Slashtags are curated sets of web sites organized around a particular topic. These cover topics as broad as health, money, and autos, and as narrow as gluten-free and neurotechnology. Slashtags are added to search queries and limit search results to only the curated sets of sites.

With the launch of the public beta, Blekko is also automatically applying slashtags to improve results in seven initial search categories: health, colleges, autos, personal finance, lyrics, recipes and hotels. For example, searching "cure for headaches" on Blekko will provide results only from the top quality sites in the health category.

For searches that don't fall within one of Blekko's pre-defined categories, Blekko uses its proprietary ranking algorithms to deliver relevant results from its 3 billion page web crawl. As users create and refine more slashtags, Blekko plans to expand "auto-slashing" to improve results in more categories.

Also: Blekko launches the biased search engine

Spamhaus blocks fellow antispam outfit

The owner of a spam-prevention website says it has been taken down following unfounded complaints from fellow anti-junkmail organization Spamhaus. owner Ian W. Rudge said the site and an unrelated property for his IT consultancy were taken down after their IP address was added to the Spamhaus Block List on October 24. He said US-based, which had been hosting the sites, ultimately restored the business site but has refused to bring Spamwise back online because, it said in an email, it has been reported for "sending unsolicited email messages to a large number of recipients."

Rudge said Spamwise aimed to alert webmasters who oversee the large number of sites that leak employee and member email addresses. Spammers routinely harvest the addresses for use in phishing and junkmail campaigns. A page on Spamwise allowed visitors to test whether a given site needlessly revealed addresses. The tool was set up to email the results only once to the webmaster.

Rudge said Spamhaus representatives told him his site was being blacklisted because the emails it generated were unsolicited. He said he explained that the emails were designed to raise awareness about a widespread practice that results in spam and that a website owner would never receive more than one. He went on to say that Spamhaus, in sending unsolicited notices to admins of unsecured SMTP email servers, does much the same thing.

Google Extends Bug Bounty to Web Properties

Google is extending its nascent bug-bounty program to the Web applications that the company owns, including its flagship search service, YouTube and Blogger. The program will pay researchers rewards of up to $3133.7 for bugs that they find in Google Web services and report directly to the company.

Google announced the new bounty program Monday, about 10 months after it launched its initial reward program for vulnerabilities identified in Chromium. That program has been quite successful, drawing a lot of interest from security researchers who have identified some interesting bugs in the open-source software.

Now, Google is hoping that those same researchers will take their talents to the company's Web properties.

"Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties. We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer," the company said in a blog post attributed to several of Google's security team members, including Chris Evans, Neel Mehta and Michal Zalewski.

Internet Explorer info leak festers for 2 years

For almost two years, Microsoft's Internet Explorer browser has been vulnerable to attacks that steal digital security tokens and other sensitive data, a security researcher said recently.

Researcher Chris Evans said he alerted Microsoft to the information disclosure vulnerability in IE in December 2008. As of October 21, it remained unfixed, making his disclosure a "600-day" vulnerability, he quipped.

The bug resides in the IE mechanism for handling JavaScript and runtime errors. In some cases, cross-origin content can be echoed back to attackers, allowing them to retrieve sensitive JavaScript variables. Once upon a time, this proof of concept exploited the vulnerability to steal a security token Google Reader uses to prevent XSRF, or cross-site request forgery, attacks. It has since been neutered by changes Google made, but when it worked, it forced the user to subscribe to a goat-farming feed without asking for permission.

"There are a varied number of text structures which can be stolen (iteratively if necessary) with this trick," Evans warned.

Apparently not important

Antivirus scanning becoming inadequate, says Webroot CEO

"Buys Prevx to provide alternative"

US antivirus vendor Webroot has bought UK-based Prevx in an acquisition that looks like the latest symptom of the growing dissatisfaction among security companies with the current signature-based scanning model for detecting malware.

On the face of it a 20-person software security company based in Derby is an unlikely bride for an ambitious US outfit looking to grow. But since its founding as long ago as 2001, Prevx has been a pioneer of the application fingerprinting technology that in the cloud services era has suddenly become ultra-fashionable.

Webroot will now spend the next six months integrating Prevx's cloud-oriented application profiling into its own development program. The Derby employees will be retained and the technical effort spread to engineers based in the US and Austria.

Webroot Buys Prevx for Cloud Security
Webroot Acquires Prevx

Rogue AV rides the US Midterm Elections wave

On the eve of the 2010 US Midterm Elections, Websense Security Labs' ThreatSeeker Network has discovered that some search terms related to the ongoing event return sites employing black hat SEO. Websense customers are protected against this attack through our Advanced Classification Engine. [Screenshot]

As you can see, some of the infected sites already come with a warning. However, there are still a handful of Web sites that do not have warning messages attached to them. Search terms used in this attack include:

2010 midterm election
midterm election results
midterm election 2010
midterm election latest polls
midterm election 2010
midterm election season
midterm election latest polls gallup

At the time of writing, the black hat SEO'd sites appear benign, only redirecting users to what appears to be a blank page. A closer look at the code reveals that the page contains a URL to a rogue AV site. [Screenshot]

If you copy and paste this URL in your browser, it will redirect you to the rogue AV download page which prompts the user to download inst.exe, identified by 10 of 43 VirusTotal engines.
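The tell in the post above is a page that renders blank but carries a redirect to a host that is not its own. The following is an added example, not code from the Websense post: a Python scanner that pulls meta-refresh and JavaScript `location` redirect targets out of page HTML and reports the ones that leave the page's host, so a crawler or analyst can triage such SEO pages without visiting the destination. The sample page and the `rogue-av.example` domain are constructed placeholders.

```python
# Added example, not code from the Websense post. Scans page HTML for
# redirects that send the visitor to a different host, the pattern described
# in the post (a benign-looking SEO page that carries a rogue AV URL).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the domain is a placeholder, not a real rogue AV site.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://rogue-av.example/scan.php">
<script>
  setTimeout(function () { window.location.href = "http://rogue-av.example/inst.exe"; }, 100);
</script>
</head><body></body></html>"""

# JavaScript redirect assignments such as window.location.href = "..."
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
)
# The url=... part of a meta refresh content attribute
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collects targets of <meta http-equiv="refresh" content="0;url=..."> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("http-equiv") or "").lower() == "refresh":
            match = META_URL.search(attr.get("content") or "")
            if match:
                self.targets.append(match.group(1))


def find_offsite_redirects(html, page_url):
    """Return sorted, de-duplicated redirect targets whose host differs from the page's."""
    parser = MetaRefreshParser()
    parser.feed(html)
    candidates = parser.targets + JS_REDIRECT.findall(html)
    own_host = urlparse(page_url).hostname
    return sorted(
        {t for t in candidates if urlparse(t).hostname and urlparse(t).hostname != own_host}
    )


if __name__ == "__main__":
    for target in find_offsite_redirects(SAMPLE_PAGE, "http://seo-page.example/midterm-election"):
        print("off-site redirect ->", target)
```

Same-host and relative redirects are deliberately ignored, since ordinary sites use them constantly; an off-site target on an otherwise empty page is the signal worth escalating to URL reputation or sandbox analysis.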
