Alpha Software disclosure leads to confusion
A few days ago, Security Fix heard from a reader who received a breach notification so casual in tone that he asked me to verify whether it was for real.
Sure enough, Burlington, Mass.-based database application company Alpha Software Inc. recently told customers that a data breach had exposed their payment information. That fact was confirmed by similarly confused users posting to the company's online forum. The e-mail notice to affected customers reads:
November 9, 2009
Dear Customer,
We have been informed that there has been a security breach at the Internet Service Provider where our web site is hosted. This may have resulted in your credit card information being compromised. While it is entirely possible that your credit card information has not been stolen, in the interests of caution, we recommend that you contact your credit card provider to discuss what steps, if any, they recommend.
Going forward, we no longer store credit card information on our side. This will eliminate any risk associated with placing credit card orders on our site.
We thank you for your support and look forward to helping you build your businesses and organizations with Alpha Five Version 10.
Sincerely,
Alpha Software
Not only does the company straight away blame someone else for the breach, but there is no apology or even sense of remorse.
This is a bit like crashing into someone's car in a parking lot, and then leaving a note on the wrecked car's windshield saying "Gee, it looks like your car got messed up. That really stinks. You might want to have a mechanic look at it. Going forward, I'll try to pay more attention to those lines on the road. This will reduce the chances of your car and mine being in the exact same place at the same time."
I reached out to Alpha Software co-chair Richard Rabins by phone and e-mail, but for the past 10 days he has declined to respond to questions about the incident. Alpha Software did not identify the ISP or the source of the breach. I checked with Alpha's hosting provider, Web.com, to see whether they'd had a breach recently that might explain this. Roseann Duran, chief marketing officer at Web.com, said the company is unaware of any problems.
"There is no security breach at all in terms of how this account has been handled," from Web.com's end, Duran said.
She noted that Alpha has been a customer for a number of years, but that recently the company was unresponsive to several e-mail and snail mail notices stating that Web.com was getting ready to "migrate" or upgrade a number of Web servers, including at least one server holding some of Alpha Software's data (Duran couldn't say whether it was Alpha's payment data or not).
By Brian Krebs | November 20, 2009; 1:15 PM ET | Categories: From the Bunker, Safety Tips | Tags: alpha software breach
FDA targets rogue Internet pharmacies
The U.S. Food and Drug Administration is pressuring a number of Internet service providers to shut off nearly 12 dozen Web sites alleged to be selling counterfeit or unapproved prescription drugs.
The FDA's office of criminal investigations said it sent 22 warning letters to the operators of the sites, and alerted the appropriate ISPs and domain name registrars that the sites were selling phony pharmaceuticals, all without requiring a prescription. The agency said none of the sites represent pharmacies located in the United States or Canada, as most claim.
According to the letters sent to owners of the 136 targeted sites, the online stores hawked everything from powerful controlled substances, including Valium and Xanax, to lifestyle drugs like Viagra and Levitra. Some sites even offered prescription drugs that have not yet been approved for distribution or sale in the United States, such as the anti-obesity drug Acomplia.
"Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies," FDA Commissioner Margaret A. Hamburg said in a prepared statement. "Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."
Many of the sites named in the complaint, such as wellknowndrugs.com and 24-7meds.com, already have been yanked offline. FDA spokeswoman Karen Riley said at least 90 of the sites named in the letters have been taken down so far.
For more on this enforcement action, Security Fix reached out to John Horton, president of LegitScript, an Internet pharmacy verification service. Horton said LegitScript has tracked all of the sites named in the FDA letters back to a pharmacy affiliate program named Rx-commission.com, an organization that bills itself as a leading prescription drug affiliate network that offers a "full range of Popular & Brand Generic Products across All major categories including: Weight Loss, Anxiety, Sleep Aid, Men's Health etc."
Rx-commission.com did not immediately return messages seeking comment. I will update this blog post in the event I hear back from them.
Horton said Rx-commission is one of dozens of affiliate programs in existence today that handle everything from processing of purchases to order fulfillment. Affiliates often use pre-fabricated templates to set up Web sites advertising various prescription drugs for sale. Horton said while some pharmacy affiliate programs are promoted through junk e-mail, Rx-commission.com affiliates have typically promoted their sites using a variety of methods aimed at manipulating Internet search engine results.
"This particular program has been around since at least 2006, and the drugs you get if you order from them all come from India," Horton said. "Our own buys and analysis indicated that the proprietors of this program are definitely outside of the United States and have a strong Russian connection."
While LegitScript is currently tracking some 55,000 Web sites promoting rogue Internet pharmacies connected to competing pharmacy affiliate programs, Horton called the FDA action a great first step, and praised the agency for putting the sites' domain name registrars and hosting providers on notice as well.
"If those registrars don't shut the websites down, the registrars themselves could be held responsible," Horton said. "The FDA should be applauded for taking this approach."
By Brian Krebs | November 19, 2009; 4:45 PM ET | Categories: Cyber Justice, Fraud, Web Fraud 2.0
Bill would ban P2P use on federal networks, PCs
The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks.
The "Secure Federal File Sharing Act" would direct the White House's Office of Management and Budget to issue guidelines barring the use and/or installation of P2P software on federal systems, unless otherwise approved for a specific purpose. The bill also calls on OMB to develop a policy that would extend to networks and computers operated by agency contractors, as well as to personal computers of federal employees remotely accessing federal networks.
"We can no longer ignore the threat to sensitive government information that insecure peer-to-peer networks pose," said Rep. Edolphus Towns, the Democrat from New York who chairs the House oversight panel, in a statement. "Voluntary self-regulations have failed so now is the time for Congress to act."
The bill comes in response to a series of high-profile and embarrassing P2P breaches that have compromised sensitive government and personal information. Most recently, a document containing the names of at least 30 lawmakers who have been investigated by a House ethics committee was inadvertently leaked to P2P networks.
Other recent P2P breaches include the disclosure of electronic schematics to the President's helicopter, "Marine One;" the financial information belonging to Supreme Court Justice Stephen Breyer, and the location of a U.S. Secret Service safe house for the First Family.
A bill passed by the House Energy & Commerce Committee in September, called the Informed P2P User Act, would require P2P software makers to provide "clear and conspicuous" notice about files being shared by the programs, and get the user's consent before sharing them. That bill also would crack down on P2P vendors that silently bundle adware or other software with their programs, or make the software difficult to remove.
The full text of the new bill, H.R. 4098, is available here.
By Brian Krebs | November 18, 2009; 12:50 PM ET | Categories: U.S. Government | Tags: p2p
Experts: Smart grid poses privacy risks
Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called "smart grid" efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers' daily power consumption.
"The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information," warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics.
Smart grid technology -- including new "smart meters" being attached to businesses and homes -- is designed in part to provide consumers with real-time feedback on power consumption patterns and levels. But as these systems begin to come online, it remains unclear how utilities and partner companies will mine, share and use that new wealth of information, experts warn.
"Instead of measuring energy use at the end of each billing period, smart meters will provide this information at much shorter intervals," the report notes. "Even if electricity use is not recorded minute by minute, or at the appliance level, information may be gleaned from ongoing monitoring of electricity consumption such as the approximate number of occupants, when they are present, as well as when they are awake or asleep. For many, this will resonate as a 'sanctity of the home' issue, where such intimate details of daily life should not be accessible."
According to the study, examples of information that utilities and partner companies might be able to glean from more granular power consumption data include whether and how often exercise equipment is used; whether a house has an alarm system and how often it is activated; when occupants usually shower, and how often they wash their clothes.
Other privacy risks could result from the combination of information from two separate users of the smart grid: For example, roaming smart grid devices, such as electric vehicles recharging at a friend's or acquaintance's house, could create or reveal additional personal information.
At a recent smart grid conference in Madrid, FPF co-chair Jules Polonetsky showed how researchers have already mapped unique load patterns of different equipment, showing that for instance washing machines pull power in different ways than other devices (graphic below courtesy FPF).
In an interview with Security Fix, Polonetsky said some utilities have adopted the stance that existing regulations already prevent them from sharing customer data without prior authorization. But he noted that as power companies transition to the smart grid, those utilities are going to be collecting -- and potentially retaining -- orders of magnitude more data on their customers than ever before.
"Relatively speaking, [utilities] aren't big marketing companies with big back end databases ready to handle the tidal wave of data that's coming," he said. "But we're a little worried that without some serious planning now, there's going to be quite a challenge in a couple of years when people start realizing that maybe they should think about developing some solid data retention policies that address what's going to be done with all of this data."
By Brian Krebs | November 18, 2009; 9:33 AM ET | Categories: Latest Warnings, U.S. Government | Tags: privacy, smart grid
Microsoft warns of Windows 7 security hole
Microsoft has confirmed reports of a security flaw in its Windows operating system that hackers could use to temporarily destabilize Windows 7 PCs. The software giant also acknowledged that blueprints for exploiting the flaw are now available online.
At issue is a so-called "denial-of-service" vulnerability in the component of Windows that handles the sharing of files and folders. Microsoft said attackers could use exploit code now publicly available to cause vulnerable systems to stop functioning or become unreliable. The flaw is present in Windows 7 and Windows Server 2008 R2, and does not exist in older versions of the operating system, the software giant said.
In a security bulletin published Friday, Microsoft said the vulnerability would not let attackers install malicious software or take control over an affected system, and that any ill effects from an attack on this flaw could be remedied by simply restarting the PC. In addition, the kind of computer network traffic that would be needed to exploit this flaw is easily blocked by using firewall software, such as the Windows firewall that ships with Windows 7 systems.
By Brian Krebs | November 17, 2009; 9:10 AM ET | Categories: Latest Warnings, Safety Tips | Tags: microsoft, windows 7
Security update for Apple's Safari Web browser
Apple has shipped a new version of its Safari Web browser that fixes at least seven security vulnerabilities.
The Safari 4.0.4 update is available for both Mac and Windows versions of the browser. Mac users can grab the latest version through Software Update; Windows users will need to use the bundled Apple Software Update application.
By Brian Krebs | November 13, 2009; 4:22 PM ET | Categories: New Patches, Safety Tips | Tags: apple safari, patch
Nastygram: Beware the NACHA gotcha
Cyber thieves on Thursday began blasting out millions of e-mails impersonating NACHA - The Electronic Payments Association, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.
The missives in this latest scam arrive with various subject lines, but all complain about an unauthorized, rejected or failed ACH transaction. Most regular Internet users probably will ignore this message, as few people probably even know what ACH stands for (ACH, or "automated clearing house" refers to the electronic network used by banks to process credit and debit transactions in batches). That's likely just fine with the attackers, who appear to be targeting bookkeepers at small to mid-sized companies -- people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line and reputation.
According to an alert at the real NACHA Web site, the bogus messages look something like this:
From: nacha.org [mailto:report@nacha.org]
Sent: Thursday, November 12, 2009 10:25 AM
To: Doe, John
Subject: Rejected ACH transaction, please review the transaction report
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below.
Unauthorized ACH Transaction Report (this is how the link is presented)
Recipients who click the link in the e-mail are brought to a counterfeit NACHA Web site that offers a phony "transaction report" that harbors a copy of Zeus/Zbot. This same piece of malware has been responsible for attacks on the banking accounts of dozens of businesses chronicled by Security Fix over the past few months, exploits that have cost individual companies hundreds of thousands of dollars.
Researchers at the University of Alabama, Birmingham are tracking more than 30 fake NACHA sites that are serving malicious software in connection with this attack. The school reports that only about 16 out of 41 popular anti-virus products currently detect the "transaction report" as malicious.
By Brian Krebs | November 12, 2009; 6:44 PM ET | Categories: Latest Warnings, Nastygram, Safety Tips | Tags: nacha, zeus
Brazilian Govt: Soot, not hackers, caused '07 blackouts
The Brazilian government is refuting a report aired on Sunday by the CBS news magazine 60 Minutes, which stated that power blackouts in the South American nation in 2005 and 2007 were caused by hackers. Meanwhile, a large swath of Central Brazil is still reeling from another massive blackout that occurred in the region Tuesday evening.
Citing six unnamed sources in the intelligence, military and cybersecurity communities, 60 Minutes claimed that a two-day outage that affected 3 million people in the Brazilian state of Espirito Santo was caused by hackers hitting a utility company's control systems. Another, smaller outage in January 2005 also was caused by hackers, the report said.
According to the Wired.com Threat Level blog, the utility company involved, Furnas Centrais Elétricas, said it "has no knowledge of hackers acting in Furnas' power transmission system."
"Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he's investigated the claims and found no evidence of hacker attacks, adding that Brazil's electric control systems are not directly connected to the internet.
The earliest explanation for the blackout came from Furnas two days after the Sept. 26, 2007, incident began. The company announced that the outage was caused by deposits of dust and soot from burning fields in the Campos region of Espirito Santo. 'The concentration of these residues would have been exacerbated by the lack of rain in the region for eight months,' the company said."
In a development that is sure to encourage even more speculation on the matter, Brazil suffered another massive blackout on Tuesday evening that plunged much of central Brazil into darkness for several hours. The incident is being blamed on a failure at a major hydroelectric dam in the region. CNN reports that neighboring Paraguay and Uruguay also reported related blackouts.
"Rio's main streets and avenues were in a total blackout. Video footage showed long lines of cars at a near standstill on the roads, and the subway system in Rio came to a stop," CNN said.
Internet infrastructure monitoring company Renesys Corp. notes that Tuesday's blackout also caused serious instability or unreachability in large portions of Brazil's telecommunications infrastructure.
By Brian Krebs | November 11, 2009; 12:35 PM ET | Categories: From the Bunker | Tags: brazil blackout
A year later: A look back at McColo
A year ago today, the Internet community witnessed a remarkable event: The unplugging of McColo, a Web hosting facility in Northern California that for a long time controlled a majority of the spam-sending operations on the planet. McColo's two main Internet providers abruptly yanked the cord after Security Fix presented them with scads of evidence collected by security researchers tying massive amounts of spam and other illicit activity to McColo's network.
The outcome, of course, is now well known: The volume of spam sent worldwide tanked overnight, and remained at diminished levels for many weeks. All sorts of other badness diminished as well (more on that later). But since then, the sizable chunk of virtual real estate previously occupied by McColo has remained eerily quiet.
A review of more than 3,000 Internet addresses previously assigned to the hosting firm reveals an Internet ghost town, as if the entire neighborhood had been contaminated by some kind of toxic sludge that frightened off any potential future occupants.
And maybe it has. The Internet community typically shuns networks known to harbor spammers and organizations that host malicious software and other nastiness, usually by including their numeric Internet addresses on "blocklists." Many organizations configure their e-mail servers to reject messages from addresses included on one or more of these blocklists. A heavily blocklisted network quickly becomes unattractive to legitimate businesses, since any e-mail sent out of that network will most likely be refused by the intended recipients.
"The problem is once an address block gets so polluted and absorbed into all these blocklists, it's difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won't be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it."
Don Bertier, chief security officer at Savvis Inc., a networking and managed hosting provider, said it's not uncommon for a once-blighted block of Internet addresses to remain unoccupied long after the abuse that caused the listing has gone.
"What you'll find is some blacklists out there are derivatives of other lists, and it's hard to get those cleaned up," Bertier said, recalling a case last year in which a customer was given a swath of Internet addresses, only to find it was impossible to send e-mail from that space. "Typically in those cases, we'll work with the customers to get them new space and mark that allocation as something that really shouldn't be used for e-mail."
Then again, perhaps there are other, less scandalous reasons why McColo's main chunks of Internet space remain unoccupied. In any case, a scan of the space shows that none of the addresses are currently listed on any of more than 100 blocklists.
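Checking whether an address block is still "tainted" is done the way the post describes: each address is looked up against a set of DNS-based blocklists. The following is an added example, not code from the post or from any blocklist operator; the zone names, the listings and the resolver answers are constructed (real DNSBLs publish their own zone names and document the meaning of each 127.0.0.x answer).

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Zone names are constructed for this example (.test TLD). The third one
# stands in for the "derivative" lists that copy entries from other lists.
BLOCKLIST_ZONES = [
    "bl.example-one.test",
    "bl.example-two.test",
    "derived.example-three.test",
]

# A genuine DNSBL listing is answered with an address in 127.0.0.0/8.
# Anything else (a wildcarded or retired zone) must not count as a hit.
LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS stub resolver; NXDOMAIN (not listed) gives None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_address(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists ip."""
    listings: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        try:
            if ipaddress.IPv4Address(answer) in LISTING_RANGE:
                listings[zone] = answer
        except ValueError:
            pass  # garbage answer: ignore rather than record a false listing
    return listings


def scan_block(cidr: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Check every host address in a CIDR block; return only the listed ones."""
    zones = list(zones)
    listed: Dict[str, Dict[str, str]] = {}
    for host in ipaddress.IPv4Network(cidr).hosts():
        hits = check_address(str(host), zones, resolve)
        if hits:
            listed[str(host)] = hits
    return listed


# Constructed sample answers standing in for DNS (TEST-NET-1 addresses):
# 192.0.2.5 is listed by zone one and the derived list has copied the entry;
# 192.0.2.6 gets a bogus non-loopback answer from zone two.
FAKE_DNS: Dict[str, str] = {
    dnsbl_query_name("192.0.2.5", "bl.example-one.test"): "127.0.0.2",
    dnsbl_query_name("192.0.2.5", "derived.example-three.test"): "127.0.0.2",
    dnsbl_query_name("192.0.2.6", "bl.example-two.test"): "198.51.100.7",
}


def fake_resolver(name: str) -> Optional[str]:
    """In-memory resolver so the example runs offline; swap in system_resolver for live checks."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for host, hits in scan_block("192.0.2.0/29", BLOCKLIST_ZONES, fake_resolver).items():
        print(host, "listed by", ", ".join(sorted(hits)))
```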
By Brian Krebs | November 11, 2009; 10:50 AM ET | Categories: Cyber Justice, From the Bunker | Tags: conficker, mccolo
Microsoft plugs 15 holes in Windows, Office
Microsoft on Tuesday released software updates to fix at least 15 security flaws in Windows, Windows Server and Microsoft Office. One of the patches addresses a flaw so serious that users could find their Windows PCs compromised just by visiting booby-trapped Web sites.
Richie Lai, director of vulnerability research for patch management firm Qualys, said the most dangerous vulnerability addressed in this month's updates is a flaw in the way Windows handles so-called "embedded font" files. An attacker could stitch specially made embedded fonts into a Web page and use this flaw to install malicious software when people merely browse the site with Internet Explorer on Windows 2000, Windows XP or Windows Server 2003 systems, Lai said.
Microsoft said it believes hackers will quickly figure out a way to exploit this flaw for criminal gain. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, agreed, saying the novelty value of this bug is likely to attract many researchers.
"A lot of people will try to be the first to publicly post exploit code," Storms said.
A pair of patches for Microsoft Word and Excel products fix a total of nine vulnerabilities in PC and Mac versions of Office. Affected versions include Office XP, Office 2003, Office 2004 for Mac and Office 2008 for Mac.
The two other critical patches fix dangerous flaws that may be a bit harder to exploit. A vulnerability in the way that Windows Vista and Windows Server 2008 look for connected devices such as cameras and printers could be used by attackers to install malicious software, but only if the attacker is on the same network as the victim, and then probably only if the targeted system is unprotected by a firewall, Qualys's Lai said.
The other critical vulnerability, a bug in the license logging server, only resides in Windows 2000 Server systems, and also can be much less of a threat if the target is protected by some type of software or hardware-based firewall.
Windows 7 users can rest easy (for now), as none of these vulnerabilities affects Microsoft's flagship operating system.
Updates are available through Automatic Updates or via the Windows Update Web site. As always, please drop a note in the comments section below if you have any problems downloading or installing these patches.
By Brian Krebs | November 10, 2009; 5:22 PM ET | Categories: New Patches, Safety Tips | Tags: patch tuesday, windows
Eight indicted in $9M RBS WorldPay heist
Eight men have been indicted on charges that they hacked into credit card processing firm RBS Worldpay, and helped steal more than $9 million in a highly coordinated heist nearly a year ago, the U.S. Justice Department said Tuesday.
The 16-count indictment, which names individuals from Estonia, Moldova and Russia, is the first major break in a case federal investigators are calling "perhaps the most sophisticated and organized computer fraud attack ever conducted."
"Today, almost exactly one year later, the leaders of this attack have been charged," said Sally Quillian Yates, acting U.S. attorney of the Northern District of Georgia, in a written statement. "This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."
The men are accused of cracking the data encryption that RBS WorldPay used to protect customer data on payroll debit cards, allowing them to clone the cards. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. According to the government, the hacking ring also was able to raise the daily withdrawal limits on compromised accounts.
The Justice Department alleges that 44 counterfeit payroll debit cards were used to withdraw more than $9 million from at least 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The money was stolen over a period of less than 12 hours, investigators say.
Dozens of accomplices -- also known as "cashers" -- who were hired to pull the money out of ATMs remain at large. The indictment alleges that the cashers were allowed to keep 30 to 50 percent of the stolen funds, but transmitted the bulk of the money back to the men named in the indictment.
Indicted on charges of hacking are Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person identified only as "Hacker 3". The indictment also charges four other men from Tallinn, Estonia with access device fraud, including Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33.
Atlanta-based RBS WorldPay disclosed the breach on Dec. 23, 2008. The company acknowledged that hackers had made off with personal and financial data on 1.5 million customers of its payroll card business. RBS said thieves also might have accessed Social Security numbers of 1.1 million customers.
A copy of the indictment is available here.
By Brian Krebs | November 10, 2009; 12:40 PM ET | Categories: Cyber Justice, U.S. Government, Web Fraud 2.0 | Tags: rbs worldpay