Insight into fake AV SEO

  • Post author: Omid Farhang
  • Post published: February 26, 2010
  • Reading Time: 2 min
  • Word Count: 419 words

In this post I want to highlight how SEO attacks are working: pages using server-side kits to fool search engine bots into ranking them high in results are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, high up in the search engine results are links to these pages. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue). When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below). There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org to the .in site (purple). Finally, the user will be redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery, in order to fool them into installing the rogue application. ...

Troj/IFrame-DY: Old websites don’t die they just get infected

  • Post author: Omid Farhang
  • Post published: February 26, 2010
  • Reading Time: 1 min
  • Word Count: 138 words

Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY. It turns out that the Police Authority has a new site and the infected site is an old one that just leads the user to the new site: Unfortunately, the old site also contains a malicious script, appended after the closing /HTML tag. There are several ways of migrating users to a new website: ...

Zeus botnet continues: 2,500 victims estimated

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 141 words

Herndon, Va., forensics firm NetWitness has said that the Zeus botnet has breached the networks of nearly 2,500 organizations in nearly 200 countries, including 10 U.S. federal agencies. NetWitness researchers said many victims are Fortune 500 companies in energy, finance and high tech sectors. NetWitness based its conclusions on information from a 75-gigabyte collection of data that they intercepted. It was information the botnet had stolen in one month. The Zeus botnet, which started in 2008, is believed to have 74,000 machines infected. ...

Symantec Reputation-based Security: Suspicious.Insight detections on VirusTotal

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 4 min
  • Word Count: 657 words

Symantec recently upgraded their scanner on VirusTotal to include their new reputation-based security engine. That has caused a spike in their detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on. So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Their goal is to keep their users’ machines safe, and part of achieving that goal means helping their users make informed choices about the files they allow onto their systems. Suspicious.Insight detections help shine a spotlight on files that have not yet developed a full reputation. ...

Internet users skip security because of jargon

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 2 min
  • Word Count: 418 words

Representatives of computer companies and governments meeting at the EastWest Institute security meeting in Brussels said that an industry culture of obscure jargon is preventing the world’s two billion Internet users from putting security measures in place to protect themselves. The group met to figure out how to protect computer users from massive abuse, fraud, online theft, vandalism and espionage. The New York Times story carried the following quotes from those at the meeting: ...

P2P research: clue needed

  • Post author: Omid Farhang
  • Post published: February 13, 2010
  • Reading Time: 2 min
  • Word Count: 277 words

At the ShmooCon hacker conference in Washington, D.C., last week two security researchers showed the very sensitive information that people inadvertently make available over peer-to-peer networks. In their presentation, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals,” pen testers Larry Pesce and Mick Douglas said they found a lot of music, porn, malcode collections and the following: driver’s licenses; passport and tax return forms with Social Security numbers; someone’s will; a retirement analysis form with savings account totals and income estimates; an IRS form with a taxpayer identification number; a completed Turbo Tax form with personal information filled in. The two have started The Cactus Project to help security specialists do similar research to help organizations tighten up the information they share over P2P. They list best-of-breed tools for conducting the research, including Mutella and the Gnutella Protocol, on their site http://pauldotcom.com/cactusproject.html. ...

Windows 7’s strange Battery Notification isn’t any error but a Feature

  • Post author: Omid Farhang
  • Post published: February 12, 2010
  • Reading Time: 2 min
  • Word Count: 353 words

Many users have complained about Windows 7’s strange battery notification saying “Consider replacing your Batteries” on laptops, and there was some noise about it in the blogosphere, but Microsoft has replied to it. There were many forum posts and blog articles implying Windows 7 is falsely reporting this situation or, even worse, causing these batteries to fail. After upgrading to Windows 7, many users are seeing a pop-up window that suggests they “consider replacing” their battery, as capacity has slipped below the 40 per cent level. But the official MSDN blog has confirmed that Windows 7 isn’t killing laptop batteries or causing them to fail; it’s a new intelligent feature of Windows 7. ...

Top 4 most annoying Facebook couples

  • Post author: Omid Farhang
  • Post published: February 12, 2010
  • Reading Time: 3 min
  • Word Count: 590 words

(CNN)(The Frisky) — For anyone who is remotely active on Facebook, you no doubt have been faced at some point with inane updates on one of your friend’s kid’s colds or how wedding-planning was coming along for one of your engaged buddies. That’s why, when parenting Web site Babble published “Facebook’s Most Annoying Parents,” I immediately thought, “But what about all the annoying couples?” So, without further ado, I present to you the top four most annoying couples on Facebook. The too-much-in-love couple ...

Protecting Privacy by Design

  • Post author: Omid Farhang
  • Post published: February 2, 2010
  • Reading Time: 5 min
  • Word Count: 1028 words

Last week I revealed troubling transmissions by the Google Toolbar: Even when a user specifically “disable[s]” the Google Toolbar, and even when the Toolbar disappears from view, the Toolbar continues tracking users’ online behavior—including specific web pages visited and specific searches run on other search engines. To Google’s credit, after I posted my article Google promptly fixed these nonconsensual transmissions—but big questions remain. How did this bug slip through Google’s internal testing? What happens to the data Google collected without user consent? And why was Google collecting this data in the first place? ...

Google Toolbar tracks searches after it’s disabled.

  • Post author: Omid Farhang
  • Post published: January 25, 2010
  • Reading Time: 2 min
  • Word Count: 396 words

Ben Edelman, Harvard privacy researcher and guru has revisited the features of Google Toolbar and was appalled to discover that disabling it doesn’t really disable it. He is recommending that all users uninstall it. In a long, thorough and well-written piece on his blog Edelman discusses how he monitored the Toolbar’s behavior with a network sniffer and documented the transmission of data back to Google (to toolbarqueries.google.com). Not only does it track a user’s Google searches, but it also phones home information about searches done in other search engines. ...