Antivirus software companies are warning customers about a new e-mail worm that targets unpatched Microsoft Windows machines with either of two recently disclosed software vulnerabilities.
The new worm, known as both "Plexus" and "Explet.A," was first detected on Wednesday and spreads by exploiting Windows machines with vulnerabilities used by two recent worms, Sasser and Blaster, according to alerts. Network Associates' McAfee Antivirus Emergency Response Team and Symantec both say the new worm does not pose a serious threat, but issued software updates to detect it.
Like Sasser, Plexus can exploit the recently disclosed hole in the Windows component called Local Security Authority Subsystem Service, or LSASS, which Microsoft patched in April.
And, like the Blaster worm that appeared in August 2003, Plexus can also crawl through a hole in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (remote procedure call) protocol.
Spreading Itself
Plexus spreads in files attached to e-mail messages with faked sender addresses and vague subjects such as "RE: order," "For you," and "Good offer." When users open the virus file, the worm is launched and alters the configuration of Windows so that the worm program runs each time Windows starts. It also scans the hard drive of infected computers, harvesting e-mail addresses from a variety of files, including stored Web pages written in Hypertext Markup Language.
The worm then uses those e-mail addresses to target other users, sending out a flood of messages using a built-in SMTP engine. It is also able to spread to other computers on a network using shared folders and copies itself to the shared folder of the Kazaa peer-to-peer network using a variety of file names, including Shrek_2.exe, playing on the popularity of the recently released animated film.
Antivirus companies recommend that Windows users who have not done so already apply the software patches for the LSASS and DCOM holes and update their antivirus software to spot Plexus.
Written by: Paul Roberts, IDG News Service
Friday, June 04, 2004
Wednesday, June 02, 2004
Microsoft Windows Media Player 10 (BETA) version is out!
UPDATE Microsoft released the first test version of its new Windows Media Player software Wednesday, marking a significant upgrade aimed squarely at the burgeoning portable device market.
As previously reported, the revamped Windows Media Player 10, which will be released in final form to the consumer market later this year, contains substantial changes to the way music, videos and other media can be organized and retrieved. But the biggest changes in the new "technical beta" software will be invisible to most users until new portable music and video players reach store shelves this summer and fall.
"Our real rallying cry here for the player is letting you discover media, play it and take it with you," said Jonathan Usher, director of Microsoft's Windows Media Division.
The software, which incorporates recent advances in Microsoft's digital rights management tools and a new technology allowing computers to communicate with devices such as MP3 players, forms a key component of the company's response to Apple Computer's strong successes with its iPod music player and software.
One of the iPod's key selling points has been its extraordinary ease of use, which lets people load the device with music without having to take anything but the most rudimentary technical steps.
The new Windows Media Player builds on that idea, adding the ability to automatically keep portable devices up to date with changing music and video and photograph collections on a PC.
Some of these automatic synchronization features will be available to a limited number of devices--largely those that Windows can view as an extra data drive--when the software is released on Wednesday. Those devices range from small, flash-based USB storage devices to larger hard-drive-based MP3 players.
More advanced features, however, will be available only with the release of a new generation of hardware later in the year, such as the Windows-based Portable Media Center. For those devices, the company has created a new technology dubbed Media Transfer Protocol, which will govern the automatic exchange and synchronization of media files.
Analysts said the tight integration between PC software and a wide range of portable media devices was a key goal for Microsoft, but that it would also be important for the company to match the iPod's ease of use. Because so many different hardware manufacturers use Microsoft technology, that goal could be difficult, they noted.
"Microsoft is clearly moving in the right direction," Jupiter Research analyst Michael Gartenberg said. "But the key here is that Microsoft will have to work with its partners to create something that's the equivalent of the iPod. None of (the rival products) have captured hearts and minds of consumers the way the iPod has."
The new software will also support new digital rights management features that allow subscription-based content, such as that from Napster, to be played on portable devices. Similarly, those features will not be available until the release of new hardware later this year.
Although many of the new Media Player's features will be muted until the release of new hardware, users will be able to browse through new ways of organizing media libraries and take advantage of a considerably simplified interface. The company said it wants to get feedback from "digital music enthusiasts" on those features before a final release.
Along with new customization features, the player will include a new "digital media mall" containing links to services such as Napster, MusicNow and CinemaNow that distribute online content in Microsoft's media formats. The company hopes that link, which replaces the "premium services" section in the old player, will help users find online content more easily.
Tuesday, June 01, 2004
Sasser, Netsky Continue To Dominate
Authorities may have arrested those responsible for the destructive Sasser and Netsky e-mail worms -- but their effects still linger, according to security firm Sophos.
"Sasser proved to be a major nuisance in May, affecting even more users than even the Netsky worms," said Chris Kraft, senior security analyst. "Requiring no user intervention and taking advantage of a relatively new Microsoft (Nasdaq: MSFT) hole, it sneaked onto unprotected PCs, inundating Internet connections."
Young and Powerful
Sasser, apparently launched by an 18-year-old from Germany, wound up disrupting not only countless home users' PCs, but also systems at Delta Airlines and the Coast Guard. Indeed, the story of Sasser is a sorry lesson for all concerned, illustrating that even the slightly skilled are now able to disrupt corporate networks.
At least that is what Panda Software CTO Patrick Hinojosa finds so maddening about Sasser. "It is very simple to write these things," he told NewsFactor, "and with some worms -- e-mail worms in particular -- it takes hardly any skill at all. You can do it from a kit, in fact."
The Sasser worm easily could have been stopped in its tracks from the outset, Hinojosa says, as Microsoft identified the vulnerability and offered a patch for it a few weeks before the worm appeared. "This element of network security is not rocket science -- it is a default configuration."
Keep On Coming
The situation is not getting any better, according to Sophos. "Both Sasser and Netsky may have captured the headlines, but there were many other viruses written this month -- 959 in total," Kraft said. "In the month of May, we saw a considerable increase in cyber-criminal activity, which suggests that even the arrest of Sven Jaschan, the German teenager who has owned up to writing Sasser and Netsky, has done very little to limit the problem."
The 959 new viruses Sophos identified in May represent the highest number of new viruses discovered in a single month since December 2001, the firm said.
Written by: Erika Morphy, www.enterprise-security-today.com
Monday, May 31, 2004
Hacking Sparks Need for Complex Passwords
As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for "passwords-plus" systems.
To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.
For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.
"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."
When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.
Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.
In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.
"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York.
But it's difficult to remember dozens of strong passwords — so many sites now require them. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet — practices security experts also deem unsafe.
Software such as Symantec Corp.'s Norton Password Manager and Apple Computer Inc.'s Keychain help store passwords in secure, encrypted form. But if your master password is compromised, you're out of luck: your entire collection goes with it.
Many sites, meanwhile, will e-mail passwords insecurely — without encryption — if you forget. A site called BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers.
The tools of password harvesting are many: keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. There are computer viruses programmed to harvest passwords as well as software that guesses passwords by running through words in dictionaries.
Though analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks.
With two-factor authentication, having a password alone is useless.
"We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International Inc.
The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit's unique characteristics. That's the code you type into the Web site.
Someone who steals your device won't have your password; someone who steals your password won't have your device.
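The password-plus-device scheme just described, as an added illustration that is not the article's or Vasco's own code: a time-based one-time code (TOTP, RFC 6238, built on the HOTP truncation of RFC 4226) derived from a device secret and the current time, verified by a server together with the user's password. The 30-second step, 6-digit codes, one-step clock-drift window, user name, password and timestamp are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30        # assumed validity window of one code
CODE_DIGITS = 6
SKEW_STEPS = 1           # accept one window either side for clock drift


def derive_code(device_secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated
    to a short decimal code. TOTP feeds a time-derived counter into it."""
    mac = hmac.new(device_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Number of whole time steps since the Unix epoch."""
    return int(now // step)


class Token:
    """The hand-held device: holds its own secret and knows the time."""

    def __init__(self, device_secret: bytes):
        self.secret = device_secret

    def code(self, now: float) -> str:
        return derive_code(self.secret, time_counter(now))


class Server:
    """The verifier: per user it stores a salted password hash, the device
    secret, and the last counter accepted (so a captured code cannot be replayed)."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, device_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "secret": device_secret,
            "last_counter": -1,
        }

    def verify(self, user: str, password: str, code: str, now: float) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Factor 1: something you know. Constant-time compare of the salted hash.
        if not hmac.compare_digest(self._hash_password(password, rec["salt"]), rec["pw_hash"]):
            return False
        # Factor 2: something you have. Try the current window and its neighbours,
        # but never a counter at or below the last one accepted.
        ctr = time_counter(now)
        for c in range(ctr - SKEW_STEPS, ctr + SKEW_STEPS + 1):
            if c <= rec["last_counter"]:
                continue
            if hmac.compare_digest(derive_code(rec["secret"], c), code):
                rec["last_counter"] = c
                return True
        return False


def demo() -> bool:
    """Constructed walk-through: enrol, log in once, then replay the same code."""
    secret = secrets.token_bytes(20)
    token, server = Token(secret), Server()
    server.enroll("marie", "correct horse", secret)
    now = 1_086_000_000.0                                            # constructed timestamp
    code = token.code(now)
    first = server.verify("marie", "correct horse", code, now)       # accepted
    replay = server.verify("marie", "correct horse", code, now + 5)  # rejected: reused
    return first and not replay
```

A stolen password fails factor 2, a stolen device fails factor 1, and a code captured in transit is rejected on reuse because the server only moves its counter forward.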
MasterCard International Inc. has been testing similar systems in Britain, Germany and Brazil. Swipe a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants.
In Singapore, bank customers wishing to designate new accounts for fund transfers must likewise obtain a second password — through a phone call, e-mail or mobile text messaging.
Biometric systems are similar, except a fingerprint or iris scan replaces one or both passwords.
In the United States, use of two-factor authentication remains limited. RSA Security Inc. has several products, including RSA SecurID, but they are primarily issued to employees for remote network access and to customers with high-value portfolios.
"There's a delicate balance between maintaining security but also providing customers with ease of use," said Doug Johnson, senior policy analyst at the American Bankers Association.
Gartner analyst Avivah Litan said banks are "all afraid of making the first step. They don't want consumers going to other banks because it's too hard."
U.S. banks and e-commerce companies have focused, for now, on making sure passwords are strong. EBay, for instance, now rejects attempts to create passwords such as "ebay" or "password."
Before two-factor authentication becomes commonplace, laptops must come standard with biometric readers, or manufacturers must bring down costs for password-generating devices.
Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to "tens of thousands at most," said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said.
Companies also need to set standards.
Though Jubran enjoys her bank's scratch-off passwords, she wouldn't want the Amazon.coms of the world all adopting them as well.
"It would be too complicated to have 10 different cards you scrape off," the 24-year-old medical student said.
Jason Lewis, vice president of product management at RSA Security, figures companies will have to create services so a single device can work on multiple sites.
Nordea and other Scandinavian banks already have partnered with government agencies and utilities, and an identity-management coalition called the Liberty Alliance Project has begun to explore standards.
People will pay more attention to security as they keep more of their lives online, said Robert Chesnut, eBay's vice president for rules, trust and safety. He offered this analogy: "The more stuff you have in your house, the better the deadbolt lock you have."
This article is written by ANICK JESDANUN (Associated Press)