Friday, 13 November 2009

AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News

Tuesday, 10 November 2009

Pirates get a taste of Microsoft COFEE



Microsoft's Computer Online Forensic Evidence Extractor (COFEE) software, which helps law enforcement officials grab data from password-protected or encrypted sources, has leaked.

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it quickly for everyone to get a taste. The COFEE application uses common digital forensics tools to help law enforcement officials at the scene of a crime gather volatile evidence of live computer activity that would otherwise be lost in a traditional offline forensic analysis. In other words, it lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people's computers.

Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer. The forensics tool is approximately 15MB in size and works best with Windows XP. Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7. Here's the official description of COFEE:

With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation.

Microsoft first revealed the tool back in April 2008, so we have to say that the software giant did quite a good job keeping it away from pirates for over two years (that has to be some kind of record for Redmond). In April 2009, Microsoft announced that it will aid global law enforcement in fighting cybercrime by providing its COFEE tool free of charge to the International Criminal Police Organization's (Interpol) Global Security Initiative (GSI), a project that addresses international security challenges, and the participating 187 countries. Now though, the valuable tool is available to more than just government crime-fighting bodies, and we can't say we're comfortable with the possible implications.

Wednesday, 4 November 2009

Secure computers aren’t so secure


Even well-defended computers can leak shocking amounts of private data. MIT researchers seek out exotic attacks in order to shut them down.

You may update your antivirus software religiously, immediately download all new Windows security patches, and refuse to click any e-mail links ostensibly sent by your bank, but even if your computer is running exactly the way it’s supposed to, a motivated attacker can still glean a shocking amount of private information from it. The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.

In 2005, Eran Tromer, now a postdoc at CIS, and colleagues at the Weizmann Institute in Rehovot, Israel, showed that without any breach of security in the ordinary sense, a seemingly harmless computer program could eavesdrop on other programs and steal the type of secret cryptographic key used by one of the most common Internet encryption schemes. Armed with the key, an attacker could steal a computer user’s credit card number, bank account password — whatever the encryption scheme was invoked to protect.

Computer operating systems are supposed to prevent any given program from looking at the data stored by another. But when two programs are running at the same time, they sometimes end up sharing the same cache — a small allotment of high-speed memory where the operating system stores frequently used information. Tromer and his colleagues showed that simply by measuring how long it took to store data at a number of different cache locations, a malicious program could determine how frequently a cryptographic system was using those same locations. “The memory access patterns — that is, which memory addresses are accessed — are heavily influenced by the specific secret key being used in that operation,” Tromer says. “We demonstrated a concise and efficient procedure for learning the secret keys given just this crude information about the memory access patterns.” Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.”

The encryption system that Tromer was attacking, called AES, was particularly vulnerable because it used tables of precalculated values as a computational short cut, so that encoding and decoding messages wouldn’t be prohibitively time consuming. Since Tromer and his colleagues published their results, Intel has added hardware support for AES to its chips, so that Internet encryption software won’t have to rely on such “lookup tables.”
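The key-dependent access pattern described above, and the effect of removing it, as an added model that is not code from the article or from the researchers. It assumes 64-byte cache lines and 4-byte table entries, uses a constructed table in place of the real AES tables, and all function names are hypothetical; Python gives no timing guarantees, so only the set of cache lines touched is modelled.

```python
# Added illustration: models which cache lines a table lookup touches.
# Assumptions: 64-byte cache lines, 4-byte table entries. TABLE is a constructed
# permutation standing in for a precomputed cipher table; it is not the AES S-box.
ENTRIES_PER_LINE = 64 // 4
TABLE = [(i * 167 + 13) % 256 for i in range(256)]


class TracedTable:
    """Serves reads from TABLE and records the cache line each read falls in."""

    def __init__(self):
        self.lines = set()

    def read(self, index):
        self.lines.add(index // ENTRIES_PER_LINE)
        return TABLE[index]


def lookup_direct(table, plaintext_byte, key_byte):
    """Table shortcut: the address read depends on the secret key byte."""
    return table.read(plaintext_byte ^ key_byte)


def lookup_full_scan(table, plaintext_byte, key_byte):
    """Hardened form: read every entry and keep the wanted one with a mask."""
    wanted = plaintext_byte ^ key_byte
    result = 0
    for i in range(256):
        mask = (((i ^ wanted) - 1) >> 8) & 0xFF  # 0xFF only when i == wanted
        result |= table.read(i) & mask
    return result


def footprint(lookup, plaintext_byte, key_byte):
    """Return (value, set of cache lines touched) for one lookup."""
    table = TracedTable()
    value = lookup(table, plaintext_byte, key_byte)
    return value, frozenset(table.lines)


def distinct_footprints(lookup, plaintext_byte=0x3C):
    """Count the different footprints seen across all 256 key bytes.

    1 means the access pattern says nothing about the key byte.
    """
    return len({footprint(lookup, plaintext_byte, k)[1] for k in range(256)})


if __name__ == "__main__":
    for fn in (lookup_direct, lookup_full_scan):
        print(fn.__name__, distinct_footprints(fn))
```

Under these assumptions the direct lookup produces 16 distinguishable footprints (four bits of each key byte per lookup), while the full scan produces one. The hardware AES support mentioned in the article goes further by not using a table in memory at all.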

In a statement, Intel told the MIT News Office that its decision “was mainly motivated by the performance/efficiency benefits achieved,” but that “in addition, there is a potential security benefit since these new instructions can mitigate the possibility of software side channel attacks on AES that have been described in research papers, including those discovered by Tromer, Percival, and Bernstein.”

“I think it’s fair to say that it’s a direct response to the cache-timing attacks against AES,” Pankaj Rohatgi, director of hardware security at the data security firm Cryptography Research, says of Intel’s move.

Together with CIS cofounder Ron Rivest and CSAIL’s Saman Amarasinghe, Tromer is trying to develop further techniques for thwarting cache attacks by disrupting the correlations between encryption keys and memory access patterns. A couple weeks ago, at the Association for Computing Machinery’s Symposium on Operating Systems Principles, the researchers announced that they had a “proof-of-concept prototype” of a defense system, but they plan to continue testing and refining it before publishing any papers.

Tromer has also been investigating whether cloud computing — the subcontracting of computational tasks to networked servers maintained by companies like Amazon and Google — is susceptible to cache attacks. Many web sites rely on cloud computing to handle sudden surges in their popularity: renting added server space for a few hours at a time can be much cheaper than maintaining large banks of proprietary servers that frequently stand idle.

The word “cloud” is supposed to suggest that this vast agglomeration of computing power is amorphous and constantly shifting, but Tromer and colleagues at the University of California, San Diego, were able to load their eavesdropping software onto precisely the same servers that were hosting websites they’d targeted in advance. In part, their approach involved spreading their software across a number of servers, then assailing a targeted website with traffic. By spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they’d identified the target site’s servers, they could use cache monitoring to try to steal secrets.

“Imagine a stock broker that specializes in a specific company,” Tromer says. “If you observe that his virtual machine is particularly active, that could be valuable information. Or you may want to know how popular your competitors’ website is. We’ve actually demonstrated that we can very robustly estimate web server popularity.”

“This has sparked the imagination of both the research community and industry,” Rohatgi says. “I interact with a lot of people in industry, and when they say, ‘Give me the technical basis for this,’ I point to [Tromer and colleagues’] papers.”

Finally, Tromer is continuing work he began as a graduate student, on the use of a “hundred-dollar commodity microphone” to record the very sounds emitted by a computer and analyze them for information about cryptographic keys. So far, Tromer hasn’t been able to demonstrate complete key extraction, but he believes he’s getting close.

Any information at all about a computer’s internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”

Larry Hardesty, MIT News Office

Wednesday, 28 October 2009

10 Ways to Spot an E-Mail Scam



The increasing flood of e-mail hitting your inbox can lower the guard of even the most cautious person. In the rush to keep up with important notes, it's easier than ever to fall prey to the scam artists and identity thieves who lurk online.

E-mail scams and phishing attempts evolve constantly, hoping to take advantage of the latest trends and current events. Although the e-mails change, the people behind them inadvertently send up the same warning signs again and again. We dug through mountains of spam to find the most prevailing trends. We've collected some actual scam e-mails and highlighted the warning signs to help you spot a hustle the next time one lands in your inbox.


1. Requests for personal information


No legitimate organization will ask for your social security, bank account or PIN number via e-mail – and none will include a link, sending you to a form to enter it. No matter how authentic these emails may look, ignore 'em.


2. Watch for typos or spelling mistakes


Scam artists are street smart, but many flunked basic grammar (or barely speak English). Look for mistakes like inappropriate hyphens or confusing "your" and "you're." If the note has multiple typos or grammatical errors, odds are it's not legitimate.


3. Clickable Web links in e-mails


Don't trust links to Web sites in e-mails. What might look like a legitimate address is often linked to a third-party site that looks official, but is actually run by thieves and scammers. These are the fast track to identity and financial theft.


4. 'Market research' or surveys that ask you for personal information.


Disguising scam e-mails as marketing is a classic ploy. You'll be asked to fill out a survey or enter a contest – requiring you to give personal information or "log on" to your account. Once you've done so, the scammers can use it themselves.


5. Stock tips from random people or companies

Got a "hot stock tip" via e-mail? It's probably a "pump and dump" scheme. The sender already owns shares – and when you and others act on the "tip," the stock price soars and he sells fast – leaving you with virtually worthless shares.


6. Attachments in e-mails from anyone you don't know

It should be common sense, but just in case, we'll remind you again: Don't open an attachment from someone you don't know – even if it appears to be your bank or credit card company. It's almost always a virus or spyware meant to steal your personal information.


7. Wordless e-mails

Some legitimate looking "e-mails" are actually just images. The danger with these is that clicking anywhere in the body takes you to a suspect Web site – where you may be fooled into entering personal information, or the scammer may slip spyware onto your machine.


8. Outdated information

Some scammers like to pose as technical or customer support from a company you associate with – but fail to keep up with current events. For example, in the example above, the senders forgot that Earthlink bought Mindspring in 2000.


9. Red-flag phrases

If you see the phrases "verify your account," "you have won the lottery" or "if you don't respond within XX hours, your account will be closed," it's a scam – every time. Hit the delete button and don't look back.


10. Generic greetings

While you can't trust every e-mail that knows your name, you can definitely ignore the ones that start "Dear member" or "Hello friend." If your bank or credit card company is writing you, it knows who you are. So do your friends.

by Chris Morris
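Several of the warning signs above (1, 3, 7, 9 and 10) can be checked mechanically by a mail filter. The following is an added example, not part of the original article: the function name, the pattern lists and the sample message are constructed for illustration, and the hostnames use the reserved `.example` and `example.net` names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns taken from the article's list; the regex forms are this example's own.
PERSONAL_INFO = [r"social security", r"\bPIN\b", r"bank account"]
RED_FLAGS = [r"verify your account", r"you have won the lottery",
             r"within \w+ hours, your account will be closed"]
GENERIC_GREETINGS = [r"^dear member", r"^hello friend"]

class Body(HTMLParser):
    """Collects visible text, (anchor text, href) pairs and an image count."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self.images = [], [], 0
        self.href, self.anchor = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.anchor = dict(attrs).get("href") or "", []
        elif tag == "img":
            self.images += 1
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.anchor).strip(), self.href))
            self.href = None
    def handle_data(self, data):
        self.text.append(data)
        if self.href is not None:
            self.anchor.append(data)

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def warning_signs(html_body):
    """Return the article's warning signs (by number) found in an HTML body."""
    body = Body()
    body.feed(html_body)
    text = " ".join(" ".join(body.text).split())
    hit = lambda patterns: any(re.search(p, text, re.I) for p in patterns)
    signs = []
    if hit(PERSONAL_INFO):
        signs.append("1: asks for personal information")
    for shown, href in body.links:
        # Compare only when the visible text itself looks like an address.
        if re.match(r"(https?://|www\.)", shown, re.I) and host(shown) != host(href):
            signs.append("3: link shows %s but goes to %s" % (host(shown), host(href)))
    if body.images and body.links and not text:
        signs.append("7: image-only message wrapped in a link")
    if hit(RED_FLAGS):
        signs.append("9: red-flag phrase")
    if hit(GENERIC_GREETINGS):
        signs.append("10: generic greeting")
    return signs

# Constructed sample message, not a real e-mail.
SAMPLE = """<p>Dear member,</p><p>Please verify your account and confirm your
bank account number at <a href="http://login.example.net/form">www.bank.example</a>.
If you don't respond within 48 hours, your account will be closed.</p>"""
```

Signs such as typos (2) or outdated company names (8) need human judgment or reference data and are left out here.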

Monday, 26 October 2009

Nigeria actually arrests, shuts down online scammers


Nigerian officials have launched a new initiative called "Project Eagle Claw" that will target Internet scams coming out of the country. The Economic and Financial Crimes Commission has already made a number of arrests and shut down 800 websites, with many more to come.

It turns out Nigeria is taking measures to fight Internet scams—law enforcement there has shut down close to a thousand websites and made 18 arrests as part of a new initiative to save the nation's reputation and crack down on Internet scammers. The program, called "Project Eagle Claw," has only just begun, but Nigerian officials expect it to be fully operational in 2010.

Nigeria's Economic and Financial Crimes Commission (EFCC) described the initiative as "a renewed bid to clap down" (*clap clap*?) on Internet fraudsters. So far, the agency claims to have shut down 800 scam sites in addition to making the arrests, with many more apparently to come.

EFCC Chairman Farida Waziri said Wednesday during a US address to the National Conference of Black Mayors that Nigeria was working with Microsoft to fully deploy Project Eagle Claw, and that it will soon be able to take down up to 5,000 fraudulent e-mails per month. She also expects the system to send up to 230,000 advisory e-mails to victims every month.

Waziri explained that the EFCC's previous strategy for fighting cybercrime involved "cyber raids" and petitions—slow and ineffective in today's fast-moving Internet world—and that Eagle Claw would be much more proactive. "We expect that Eagle Claw as conceived will be 100 percent operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails," Waziri said.

Indeed, if you live outside of Africa, Nigeria is practically synonymous with various scams, some of which predate the Internet. Thanks to the explosion of online connectivity in the last several decades, however, so-called "Nigerian scams" have taken on a new life of their own—fraudsters have managed to grift millions of dollars out of unsuspecting victims in recent years, with even major banks coming dangerously close to wiring their own cash halfway around the world.

This has caused an entire culture of scam baiters to spring up in order to troll scammers and distract them from the real victims (something that we here at Ars briefly dabbled in ourselves), showing that scams out of Nigeria are indeed more than a minor law enforcement annoyance. At this point, it's just nice to see Nigerian officials trying a more realistic strategy towards curbing cybercrime than merely blaming the victim, even if it may take years worth of enforcement before we see any tangible results.

By Jacqui Cheng

Sunday, 4 October 2009

Malware worldwide grows 15 percent in September

A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.

Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.


The study found that in the U.S., Trojans and Adware were the two most pernicious types of malware, followed by worms and viruses.

"This is a clear sign that hackers are becoming more and more sophisticated," said PandaLabs Technical Director Luis Corrons. "Cybercriminals have found new ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and e-mail. The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data."

The company based its results on data taken from users who scanned their PCs with the free Panda ActiveScan online tool. The results for September were gathered from August 28 to September 28 and compared with the results from July 28 to August 27.

by Lance Whitney
http://news.cnet.com/8301-1009_3-10363373-83.html