
Ho-ho-ho. This isn't an offer for a real coupon book from McDonald's. It's a new mass-mailing e-mail worm.
(Credit: Websense)
On Tuesday security vendor Websense issued an alert warning that holiday coupon e-mails from familiar companies may be malicious code in disguise, in this case a mass-mailing e-mail worm.
The warning cites one spoofed McDonald's e-mail that claims to present their latest discount menu, and asks the recipient to print out the attached coupon. A similar mailing pretending to be from Coca-Cola asks recipients to print out details about their new online game, and also offers recipients a chance to win Coca-Cola drinks for life. Websense says the attached zip file contains files named either coupon.exe or promotion.exe, both of which contain dropper files for remote access Trojan horses.
Previously, Websense issued an alert for a holiday-themed animated postcard.

This cute holiday card could install a worm on your PC, says McAfee.
(Credit: McAfee)
On Wednesday, McAfee identified a third holiday-themed e-mail using the Hallmark brand. McAfee has named the malware used as W32/Xirtem@MM and says this particular worm carries a built-in SMTP engine that mass-mails copies of itself to e-mail addresses harvested from an infected machine.
In all cases the e-mail appears to be legitimate, using images taken from the McDonald's, Coca-Cola, and Hallmark sites.
To avoid compromise, antivirus experts recommend not opening e-mail attachments and keeping your desktop's antivirus protection up to date.
Updated 3:36 p.m. PST with SonicWall comment.
An outage at SonicWall's licensing server disabled subscription-based security services for customers for at least several hours on Tuesday, according to the company and an angry customer.
Beginning around 2 a.m. PST, "some SonicWall products contacting a particular SonicWall licensing server began receiving erroneous responses," the company said in an e-mail notice to customers sent around 5:40 p.m. PST on Tuesday.
"You are receiving this mail because our monitoring systems indicate that your SonicWall product(s) may have been affected. This may have caused the product license key to be reset, and in some cases may have affected the products' operation," the notice said. "The issue has been corrected and all servers and licensing functions have been restored."
The notice listed affected products as SonicWall UTM Firewall Appliances-PRO series, TZ series and NSA series; all SonicWall Email Security Appliances and Email Security software; SonicWall Content Security Manager Appliances; all Continuous Data Protection Appliances; and SGMS managed appliances.
It was unclear how long the outage lasted and how many customers were affected.
SonicWall spokeswoman Colleen Nichols sent CNET News this statement Wednesday afternoon: "Yes, very early yesterday, one server in SonicWALL's licensing server pool that handles distribution of signatures and license keys malfunctioned. This malfunction caused some customers' license keys to be reset, requiring them to be resynchronized. SonicWALL shut off this server shortly after it began malfunctioning, and at the same time proactively stopped automatic license key updates while we verified the integrity of the rest of our licensing servers. During this period, customers were still able to manually download updates and resynchronize their licenses through mysonicwall.com. As of noon yesterday, our license server pool is online and available, and affected customers can resynchronize their licenses through their product user-interface."
Customers who believe they are affected can go to SonicWall's Web site for more information about resynchronizing their license keys, she said.
At least one customer was wondering why the operation of vital services would be tied to a server used for validating licenses.
"I was shocked this would happen," John Wilson, president of Avalon Technology Consultants, told CNET News. "It's like buying a car and because General Motors servers go down your car stops working."
Avalon, which manages about 50 SonicWall firewalls for its customers, noticed at about 10 a.m. PST on Tuesday that the firewalls were reporting that the antivirus, antispyware, and intrusion prevention services were no longer functioning, he said.
SonicWall advised customers to check all devices to be sure they were functioning, which "is not an insignificant task," he added.
"We have been recommending and installing SonicWall firewalls for our clients for several years, and we had no idea that the devices would stop working when SonicWall's servers went offline," Wilson wrote in an e-mail to CNET News.
"We believe that this is a serious security flaw with the potential to compromise security for tens of thousands or even millions of networks, and we believe this should be brought to the industry's attention," he wrote.
Cisco Systems' Security Monitoring for Threat Identification, Mitigation, and Compliance (aka MARS) product is the company's offering for security and compliance management, competing with the likes of ArcSight, RSA Security, and Symantec. The MARS product came via Cisco's acquisition of Protego for $65 million in December 2004.

Through 2005 and 2006, Cisco pushed this product into end-user accounts through an aggressive scorched-earth effort. Cisco intended to get the product out into the market quickly, establish a base, and then continually add product enhancements over time. This seems to be where the strategy hit a speed bump.
The product languished behind competitive offerings, causing problems with the installed base. This opened the door for aggressive competitors: Enterasys, Juniper, and Nortel established partnerships with Q1 Labs in a direct attack on MARS. Log management vendors like LogLogic and LogRhythm out-flanked Cisco with incremental products. Worst of all, some Cisco sales executives and channel partners eschewed MARS in favor of more popular Cisco products. When you have a portfolio of hundreds of products, it is easy to lead with your best stuff and never mention those in the doghouse.
This brings up a reasonable question: What should Cisco do with MARS? As I see it, Cisco has three choices:
1. Admit defeat and get out. Cisco could bury MARS and partner with others in the industry. GE would take this route, but I can't imagine that Cisco will.
2. Double down on MARS development. MARS 6.0 was released earlier this year and it did move the ball forward, but the product remains way behind others in the market. Management software has always been a bit of an Achilles' heel for Cisco.
3. Replace MARS with another acquisition. There are plenty available at bargain prices. Cisco could bid on publicly traded ArcSight, grab a legacy Security Information Management vendor like Intellitactics or NetForensics, pick up a log management player, or take a chance on a wildcard like Nitro or Splunk.
Updated 7:45 p.m. PST with expert comment, at 7:20 p.m. PST with context on previous coverage, and at 7:08 p.m. PST with background.
Apple removed an old item from its support site late Tuesday that urged Mac customers to use multiple antivirus utilities and now says the Mac is safe "out of the box."
"We have removed the KnowledgeBase article because it was old and inaccurate," Apple spokesperson Bill Evans said.
"The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box," he said. "However, since no system can be 100 percent immune from every threat, running antivirus software may offer additional protection."
Apple's previous security message in its KnowledgeBase, which serves as a tutorial for Mac users, was: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."
Security experts, while pleased that Apple would urge Mac users to install antivirus software, had warned that running multiple antivirus products could cause problems and recommended against it.
Apple's antivirus support note was initially published last year and was updated last month, despite reports that it was a new note.
One Apple expert speculated that Apple was merely removing a poorly worded support note and said it probably wasn't ever Apple's intention to tell Mac users they need antivirus.
"I bet you it was a low-level support note and it hadn't gone through the right approvals," said Rich Mogull, security editor of Apple news site TidBITS. "That's my guess."
To some, Apple's latest move will be seen as backtracking, given that it comes one day after those misleading reports circulated. The motive remains unclear, particularly because Apple didn't replace the previously published suggestion with an updated one.
The message that remains is that Mac users don't really need to take additional steps to protect against viruses and other malware. Telling customers they can run antivirus for "additional protection" could be interpreted as a way to protect against any liability.
There are no known viruses in the wild that exploit a vulnerability in the Mac OS, and Windows continues to be the overwhelming preference for malware writers to target their programs. But malware isn't just taking advantage of operating system weaknesses anymore. In fact, the majority of such threats now come from code that targets weaknesses in browsers and other applications that aren't platform specific.
Mogull said he doesn't recommend that the average Mac user install antivirus software because of the low level of malicious software seen for Macs at this time.
To me, this new Apple statement poses more questions than it answers.
Regardless of the meaning of Apple's latest action, I'm pleased to now have open lines of communication with the company. Over the last few months, I have had an increasingly difficult time getting any response to my e-mails and phone calls. For instance, I got no response to my requests for comment on Monday's article about this topic. However, after talking to several Apple spokespeople on Tuesday about the matter I am confident that the situation has been cleared up.
I also was reminded of how much collective knowledge CNET readers have about Apple and would like to extend an invitation for people to feel free to contact me directly at elinor.mills@cnet.com with any feedback and tips related to Apple security issues.

This is me being enrolled by the Y430's Lenovo Veriface III authentication software to be a legitimate user of the computer.
(Credit: Dong Ngo/CBS Interactive)
Editor's note: CNET editor and Crave contributor Dong Ngo is spending the month of December in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there.
HANOI, Vietnam--Regardless of what some people seem to think, we Asians do not all look the same. But according to the current face recognition algorithm used in laptops, our faces are all about as flat as a piece of paper.
That's according to BKIS, the Vietnamese Internetwork Security Center that makes the antivirus software I mentioned in a blog post Monday. At a press conference here Tuesday, the company demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level.
Using your face as the password to log in to a computer--an alternative to the fingerprint method or the traditional username and password--marks a new trend found in laptops from Lenovo, Asus, and Toshiba. As far as I know, only these three vendors currently offer this technology in their laptops. These computers come with a built-in Webcam that's used to capture and analyze faces.
I've been impressed by this new way to log in and have found it to be so much more convenient than the fingerprint reader of my Dell XPS 1330. The finger scanner is a pain when my finger is wet or dirty. Unfortunately, on Tuesday I discovered that this new and exciting technology may not be such an effective security measure.
I participated in a demonstration on a Lenovo Y430, running Windows Vista, and here's how it panned out:
Updated 10:50 a.m. PST December 2 to correct that Apple previously recommended antivirus software to Mac users, and at 1:50 p.m. PST with call back from Apple and link to 2002 Apple anti-virus item. A follow-up blog will be posted that goes into more detail about the coverage.
Apple is recommending that Mac users install antivirus software.
But don't read this as an admission that the Mac operating system is suddenly insecure. It's more a recognition that Mac users are vulnerable to Web application exploits, which have replaced operating system vulnerabilities as the bigger threat to computer users.
On November 21 Apple updated a technical note on its Support Web site that says: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."
The item offers three software suggestions: Intego VirusBarrier X5 and Symantec Norton Anti-Virus 11 for Macintosh, both available from the Apple Online Store, and McAfee VirusScan for Mac.
MacDailyNews unearthed the same note posted by Apple in June 2007 and published it on Tuesday, along with a link to a March 2002 note from Apple urging people to use an anti-virus program.
Apple representatives did not respond to e-mails seeking comment on Monday, but did return a call on Tuesday. A spokesman said he would look into the matter.
Brian Krebs, who first reported on the Apple antivirus recommendation Monday in his Security Fix blog at The Washington Post, said an Apple store employee told him he didn't need antivirus software when he purchased a MacBook three months ago.
Europe is getting a cybercrime alert system as part of a European Union drive to fight online criminals.
According to the plans, European law enforcement body Europol will receive 300,000 euros ($386,430) to build an alert system that pools reports of cybercrime, such as online identity and financial theft, from across the 27 member states.
Police will launch more remote searches of suspects' hard drives over the Internet, as well as cyberpatrols to spot and track illegal activity, under the strategy adopted by the European Union's council of ministers Thursday.
The strategy, a blueprint for fighting cybercrime in the EU over the next five years, also introduces measures to encourage businesses and police to share information on investigations and cybercrime trends.
"The strategy encourages the much-needed operational cooperation and information exchange between the member states," said Jacques Barrot, vice president of the European Commission. "If the strategy is to make the fight against cybercrime more efficient, all stakeholders have to be fully committed to its implementation. We are ready to support them, also financially, in their efforts."
Plans for the EU alert system follow the recent establishment of the Police Central E-crime Unit and National Fraud Strategic Authority, which aim to fight cybercrime in the United Kingdom.
Nick Heath of Silicon.com reported from London.
Quang Tu Nguyen has changed the landscape of network and computer security in Vietnam.
(Credit: Dong Ngo/CBS Interactive)
Editor's note: CNET editor and Crave contributor Dong Ngo is spending the next month in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there.
HANOI, Vietnam--If you use any Internet-connected computer in Vietnam--and there are lots of them, with Internet cafes and Wi-Fi spots abounding in any city--chances are you'll find a little red plus sign at the bottom-right corner of the screen.
That's the icon of the most popular antivirus software here. It's called BKAV.
(A bit of background: if you've recently read reviews of Internet security products by our security editor Rob Vamosi, know that I am the one who designed the methodology involved in testing these applications. It's therefore natural for me to be curious about how people in various parts of the world are protected against malicious software.)
BKAV is short for Bach Khoa AntiVirus, with "Bach Khoa" being the Vietnamese name for the Hanoi University of Technology. The software was originally developed as a hobby by Quang Tu Nguyen, a student-turned-lecturer at the school. It's currently the flagship product of Bach Khoa Internetwork Security center (BKIS), of which Quang, now 33, is director.
Quang still lectures once in awhile, but he's primarily known as the man who has changed the landscape of network and computer security in Vietnam. His creation, BKAV, is in many ways just about the best security software you can find.

The new Iridium 9555 satellite handheld looks and acts like a cellular, but operates virtually anywhere in the world.
(Credit: Marc Weber Tobias)
Iridium has begun delivering its latest generation handset, which signals a new era for the global satellite carrier. It has been several years since any significant changes have been made in its handheld equipment, so for current users, this should be welcome news. I received one of the first 9555s that Iridium delivered to World Communications in Chandler, Ariz., which has been a primary vendor for Iridium since the first implementation of the network. The new handsets, with accessories, sell for about $1,700, and according to Iridium, are available now.
The Iridium network, conceived, engineered, and built by Motorola, launched in 1997 as the first commercial constellation of 66 low earth orbit (LEO) satellites, crisscrossing the planet at about 500 miles above the Earth. The network was designed to provide secure communications on a global basis from a handheld that weighed about 12 ounces and could fit in your back pocket. While traditional geostationary satellite services, such as Inmarsat, require the radio to be held in one position during use so that the antenna can lock onto a satellite beam, Iridium is entirely different. The system works while flying, driving, walking, or onboard a ship. I have had extensive experience with the Iridium network since it commenced operations, and have used each of the three different handsets (the 9500, 9505, and 9505A) that were available prior to the 9555. This system currently offers voice and data communications virtually anywhere, even in the most remote regions of the world, as I can personally attest.
There are several noticeable improvements in the latest phone in terms of design, operation, software, and functionality. After placing a few calls on the new handset, I can say that the audio quality seems to be much improved from my older 9505 unit. I recorded one of the calls that I made to an associate so you can judge this for yourself. The handset closely resembles a larger cell phone, but works very differently with regard to its communications path and network infrastructure. The menu system, display, and software of the 9555 have also been updated. The package is about 30 percent smaller than its predecessor, the 9505, and the special antenna has been redesigned to retract into the body of the radio, rather than rotating and swinging upward to a vertical position. The battery charging system is also better in terms of size and connector. The handset now has a USB data port and new software for simplified Internet access. Although the transmission speed is still very slow, at 9600 baud, it is acceptable for e-mail when there is no other available service.
The communications security of the Iridium network is assured because of the way it transmits data from the handset to one or more satellites, then to a network gateway and the public switched telephone network. The satellites all talk to each other across the constellation in order to relay signals to a gateway facility, but the information is not repeated down to the ground, so intercept is extremely difficult. Even if the 1,640MHz signal could be captured directly from a handset, it would not provide much intelligence because of the way in which the network is configured. As an example, I was in Havana, Cuba, last year and needed to make secure telephone calls back to the U.S. Cuban authorities routinely monitor cell phone traffic but are unable to listen in on Iridium. If you routinely travel to countries where you require the ability to communicate by voice or data without fear of eavesdropping, then Iridium is an excellent solution.
The prime North American competitor is Globalstar, which was originally launched at about the same time as Iridium. The Globalstar network is also based upon a LEO satellite constellation, but the infrastructure and transmission protocol are quite different from Iridium's. Its 48 satellites operate at about twice the distance from Earth as those of Iridium, and talk to different ground stations that are operated by various Globalstar partners. The network filed for bankruptcy in 2002 but came back two years later after an infusion of capital from Thermo Capital Partners. Unfortunately, Globalstar has been experiencing significant technical problems which have affected its coverage and reliability of service.
Iridium filed for bankruptcy in 1999. When it shut down, the network consisted of 13 planned or constructed gateway facilities throughout the world. The system was supposed to be decommissioned, but at the last minute, it was decided that Iridium could be a vital military communications asset, especially since one of the network operation centers was built in Hawaii specifically to handle all of the government traffic. An entrepreneur purchased the entire Iridium system for about $25 million and then signed an agreement with the Department of Defense to supply communications to the DOD, State, and other government agencies. When it resumed operation, the system was locked into the original two handsets. The 9500 and 9505 (and the slightly modified 9505A) were all that were available because the prime supplier, Motorola, was out of the picture. The network and current handsets have continued to provide primary handheld satellite communications for the Defense Department and State in Iraq and virtually everywhere else in the world. Iridium is utilized for mission-critical applications by many government agencies and private industries. The cost of a call is $1 to $2 a minute, depending upon the pricing plan. It is competitive with cellular, and offers a much more cost-effective solution for portable-to-portable communications than roaming overseas on GSM networks.

This graph shows how spam volumes dropped 80 percent after McColo was shut down and are crawling back up two weeks later.
(Credit: MessageLabs)
Spammers knocked offline two weeks ago when their hosting company, McColo Corp., was shut down are finally coming back online, security researchers said on Wednesday.
San Jose, Calif.-based McColo was believed to be responsible for up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.
Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat since then until a few days ago when they started climbing up, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.
Since Sunday, the spam volume has risen to about 37 percent of what it was before McColo was unplugged, MessageLabs said.
McColo was hosting command and control servers that were being used to send instructions--such as "send spam" or "install Trojans"--to bot software that had been planted on PCs, mostly in the U.S., according to Sergeant. "With no work orders to process, the machines simply stopped spamming," he said.
Some of the botnets, with names like "Srizbi," "Asprox," "Rustock," and "Mega-D," are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.
"The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down," Sergeant said.
"We've stunted the spammers for a couple of weeks, which is a good thing for the Internet," he said. "We've increased their costs and, hopefully, that might put some spammers out of business."
Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.
Some of the bots are programmed to connect to a new domain after a certain amount of time of inactivity, he said.
Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.

