::Trend Micro Threat Resource Center::

27 June 2009

Simple steps to keep your identity safe online

June is Internet Safety Month, and simple identity theft protection steps such as shredding your mail and keeping careful tabs on your bank accounts and credit cards are essential first layers of protection against identity thieves. But there is an open door in many homes that is inviting criminals into personal information, and it is often left unprotected - the computer.

A recent study by online security provider Tiversa found more than 13 million online files have been breached over the last year, and P2P sharing services seem to be a popular way for criminals to get in.

There are steps consumers can take to reduce their risk for identity theft through the use of P2P file sharing services. LifeLock offers the following online safety tips:

* Install file-sharing software carefully, taking special note of default settings and permissions placed on shared folders

* Use security software and make sure you keep it up-to-date. You can set most anti-virus and anti-spyware protection programs to update automatically and regularly

* Be sure to close your connections when you are done with a file-sharing session. Closing the window doesn't automatically close the connection, which could leave your computer's information vulnerable

* Maintain backups of all important documents. This will ensure your information is maintained for your personal use should you need to delete it from your computer or any file

* Talk with your family about safe file-sharing practices, and create separate user accounts for others who may use your computer. By separating accounts you can prevent others from installing software on your computer that may expose your information

* Before providing personal information to your doctor, attorney, insurance company, employer or anyone else make sure to ask for details on how they will keep this data secure
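The first tip is the one most often got wrong in practice: a client whose default share is the whole "My Documents" folder exposes tax returns and bank statements to every peer. As an added example (not part of the article or LifeLock's advice), the Python below audits a share the way a practitioner would before letting a client run: it warns when the share root swallows the home directory or a well-known private folder, flags symlinks that lead out of the share, and lists files whose names or extensions suggest financial or credential material. The name patterns, the private-folder names and the sample share it builds are assumptions for illustration, not anything the article describes.

```python
"""Audit a P2P client's shared folder for things it should not expose.

Added example for this page; not LifeLock's or the article's code. The name
patterns, private-folder names and the constructed sample share are assumptions.
"""
import os
import re
import tempfile
from typing import List, NamedTuple, Optional

# Filename fragments and extensions that commonly mark personal, financial or
# credential material. Hand-picked for this example; tune for your environment.
SENSITIVE_NAME = re.compile(
    r"(tax|1040|w-?2|ssn|passport|bank|statement|password|resume|medical|insurance)",
    re.IGNORECASE)
SENSITIVE_EXT = {".qbw", ".qfx", ".ofx", ".kdbx", ".pfx", ".p12", ".pem", ".key",
                 ".xls", ".xlsx", ".doc", ".docx", ".pdf"}
# Folders a file-sharing client should never be pointed at (assumed names).
PRIVATE_SUBDIRS = ("Documents", "My Documents", "Desktop", ".ssh")


class Finding(NamedTuple):
    path: str
    reason: str


def _contains(parent: str, child: str) -> bool:
    """True if child is parent itself or lies beneath it, after resolving symlinks."""
    parent = os.path.realpath(parent)
    child = os.path.realpath(child)
    return os.path.commonpath([parent, child]) == parent


def check_shared_root(shared_root: str, home: Optional[str] = None) -> List[Finding]:
    """Flag a share root that exposes the whole home directory or a private folder."""
    home = home or os.path.expanduser("~")
    if _contains(shared_root, home):
        return [Finding(shared_root, "share contains the entire home directory")]
    findings = []
    for sub in PRIVATE_SUBDIRS:
        p = os.path.join(home, sub)
        if os.path.isdir(p) and _contains(shared_root, p):
            findings.append(Finding(p, "private folder lies inside the share"))
    return findings


def audit_shared_folder(shared_root: str) -> List[Finding]:
    """Walk the share: flag symlinks that escape it and sensitive-looking files."""
    findings = []
    for dirpath, dirs, files in os.walk(shared_root):  # os.walk does not follow symlinks
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if not _contains(shared_root, target):
                    findings.append(Finding(full, "symlink points outside the share: " + target))
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # handled above
            ext = os.path.splitext(name)[1].lower()
            if ext in SENSITIVE_EXT or SENSITIVE_NAME.search(name):
                findings.append(Finding(full, "looks like a personal/financial document"))
    return findings


def build_sample_share() -> str:
    """Create a constructed sample share in a temp dir (placeholder files, not user data)."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    for name in ("song.mp3", "2008_tax_return.pdf", "Bank Statement May.xlsx", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    try:  # a link that leads out of the share, here to the system temp dir
        os.symlink(tempfile.gettempdir(), os.path.join(root, "link_out"))
    except (OSError, NotImplementedError):
        pass  # symlinks unavailable on this system; skip that case
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in check_shared_root(share) + audit_shared_folder(share):
        print(f"{f.reason}: {f.path}")
```

Run it against the folder the client actually shares (and pass the user's home directory explicitly if the client runs as a different account); an empty result from check_shared_root is the minimum bar, and every file audit_shared_folder lists should be moved out or the share narrowed.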

Identity theft is costing Americans more than $1.8 billion annually, according to the Federal Trade Commission, and the latest FTC reports show the number of identity theft complaints has grown by 80 percent since 2000. Among the forms of identity theft and fraud reported to the FTC in 2008 are credit card fraud, medical benefit fraud and falsified government or employment documents.

26 June 2009

Hackers Targeting Social Network Users

Users of online social networks may be more vulnerable to financial loss, identity theft and malware infection than they realize, according to a new survey from security software firm Webroot.

The survey found two-thirds of respondents don't restrict any details of their profiles from being visible through a search engine like Google and over half are not sure who can see their profile.

About one third include at least three pieces of personally identifiable information and more than one third use the same password for multiple sites. In addition, one quarter accept "friend requests" from strangers.

"The growth of social networks presents hackers with a huge target. The amount of time spent on communities like Facebook last year grew at three times the rate of overall Internet growth," said Mike Kronenberg, chief technology officer of Webroot's Consumer business.

"Three in ten people we polled experienced a security attack through a social network in the past year, including identity theft, malware infection, spam, unauthorized password changes and 'friend in distress' money-stealing scams. The first step to staying protected is being aware of what the threats are and knowing how to help prevent them."

Cybercriminals use various types of trickery and malware to take advantage of risky behaviors. One common tactic is phishing, which hackers use to entice victims into downloading an infected file, visiting a risky site outside the social network, or wiring money to a "friend in distress."

Webroot says in recent months it has seen an increase in these types of attacks on social networks, including "Trojan-MyBlot," which targeted users of MyYearbook.com and others targeting Facebook users.

"Hackers lure users into taking actions they shouldn't by making it appear as if a friend within their social network has sent them a message - only the message is from a hacker who's hijacked the friend's account," continued Kronenberg.

"We've seen instances where a salacious yet poorly worded message like, 'This video of u is evrywhere' includes a link that, when clicked, prompts the user to download a seemingly legitimate file which, once on your PC, can do a number of things -- spam your friends, monitor your online activity or record your personal information."

25 June 2009

Survey reveals social networkers' risky behaviors

Members of online social networks may be more vulnerable to financial loss, identity theft and malware infection than they realize, according to a new survey from Webroot.

Surveying over 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks, Webroot uncovered numerous behaviors that put social networkers' identities and wallets at risk. Among the highlights:

* Two-thirds of respondents don't restrict any details of their personal profile from being visible through a public search engine like Google;
* Over half aren't sure who can see their profile;
* About one third include at least three pieces of personally identifiable information;
* Over one third use the same password across multiple sites; and
* One quarter accept "friend requests" from strangers

Social Networks Present New Opportunities for Cybercriminals

Cybercriminals employ various types of trickery and malware to capitalize on risky behaviors. One common tactic is phishing, which hackers use to entice victims into downloading an infected file, visiting a disreputable site outside the social network, or wiring money to a "friend in distress."

In recent months, Webroot has seen an increase in these types of attacks on social networks, including "Trojan-MyBlot," which targeted users of MyYearbook.com, and others targeting Facebook users including "Koobface" and several spread through the domains "mygener.im," "ponbon.im" and "hunro.im."

Sophisticated means to execute attacks on social networks: The Webroot survey respondents who reported experiencing identity theft, a hijacked account and unauthorized username or password changes may have been victimized by hackers who were able to access their profiles and guess their passwords based on the personal information they included.
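The last point, that a password can often be reconstructed from the profile published beside it, can be checked mechanically. The Python below is an added example, not Webroot's method: it derives tokens from a constructed profile (name, birthday, hometown, pet, spouse) and measures how much of a candidate password those tokens explain, undoing common letter-for-digit substitutions so that "Spr1ngf13ld" still resolves to the hometown. The profile, the token rules, the substitution map and the 0.6 threshold are illustrative assumptions.

```python
"""Estimate how much of a password is built from a person's public profile.

Added example for this page, not Webroot's method. The profile, token rules,
substitution map and 0.6 threshold are illustrative assumptions.
"""
import re
from datetime import date
from typing import Dict, Iterable, List

# Substitutions an attacker undoes before matching ("Spr1ngf13ld" -> "springfield").
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a", "$": "s"})

# A constructed profile in the shape of the "basic information" people publish.
SAMPLE_PROFILE = {
    "name": "Jane Q. Rosenthal",
    "birthday": "1985-04-12",
    "hometown": "Springfield",
    "pet": "Fluffy",
    "spouse": "Tom",
}


def profile_tokens(profile: Dict[str, str]) -> List[str]:
    """Words (3+ letters) and numbers an attacker would try, including birthday fragments."""
    toks = set()
    for key, value in profile.items():
        if not value:
            continue
        if key == "birthday":
            d = date.fromisoformat(value)
            toks.update({str(d.year), str(d.year)[-2:], f"{d.month:02d}{d.day:02d}",
                         f"{d.day:02d}{d.month:02d}", d.strftime("%B").lower(),
                         d.strftime("%b").lower()})
            continue
        toks.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}|\d{2,}", value))
    return sorted(toks)


def _coverage(text: str, tokens: Iterable[str]) -> float:
    """Fraction of characters in text that fall inside at least one token occurrence."""
    covered = [False] * len(text)
    for tok in tokens:
        start = text.find(tok)
        while start >= 0:
            for i in range(start, start + len(tok)):
                covered[i] = True
            start = text.find(tok, start + 1)
    return sum(covered) / len(text) if text else 0.0


def profile_coverage(password: str, profile: Dict[str, str]) -> float:
    """Best coverage over the raw password and its de-substituted form.

    Only word tokens are matched against the de-substituted form, because
    undoing digits turns a birth year such as 1985 into letters."""
    toks = profile_tokens(profile)
    pw = password.lower()
    words = [t for t in toks if not t.isdigit()]
    return max(_coverage(pw, toks), _coverage(pw.translate(UNLEET), words))


def built_from_profile(password: str, profile: Dict[str, str], threshold: float = 0.6) -> bool:
    """True when most of the password is explained by profile data."""
    return profile_coverage(password, profile) >= threshold


if __name__ == "__main__":
    for pw in ("Fluffy1985!", "Spr1ngf13ld", "jane0412", "correct horse battery staple"):
        print(f"{pw!r}: coverage {profile_coverage(pw, SAMPLE_PROFILE):.2f}, "
              f"guessable={built_from_profile(pw, SAMPLE_PROFILE)}")
```

Coverage rather than exact matching is deliberate: an attacker who combines two profile facts with a trailing "!" or "123" does not need an exact hit, and a checker that only compares whole strings would miss most of the passwords the survey respondents described.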

Webroot has published a summary of the key findings.

24 June 2009

Microsoft launches free AV offering

Microsoft launched a beta version of its forthcoming free antivirus software on Tuesday, aiming to protect users who, for one reason or another, have not installed security applications on their computers from other providers.

The security software, dubbed Microsoft Security Essentials, will block known viruses and prevent some malicious behavior normally associated with stealthy malicious software known as rootkits, the company stated. Microsoft will create the definitions for the product using samples collected from more than 450 million PCs around the world.

The company flagged rogue security software as a key problem that its software could eliminate by offering a free, trusted alternative.

"With malware attacks increasing in both number and severity and the increasing incidence of rogue security software, quality anti-malware protection delivered from a trusted source is a must-have for today's PC users," the company stated.

Microsoft announced in November that it would be phasing out its Windows Live OneCare service, instead offering a limited free antivirus service to Windows users. The software will not provide other security measures — such as managed firewalls, performance tuning and data backup services — common in other security products, including Microsoft's Windows Live OneCare service. Instead, the company aims to create a basic anti-malware service that does not impact PC performance, in the hope that attackers will have more trouble infecting customers' computers.

The company plans to allow customers to download the initial beta of the software on Tuesday, starting from 9 a.m. PT, and to launch the final product by the end of the year.

23 June 2009

Although Facebook is supposed to have clear privacy restrictions, it appears that a loophole has been identified.

FBHive reported the following: "With a simple hack, everything listed in a person’s “Basic Information” section can be viewed, no matter what their privacy settings are. This information includes networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views."

In the next few days we can expect to see how this hack worked and how the problem was uncovered in the first place.

It took Facebook 15 days to fix the problem and today they issued the following statement: "We have identified this bug and closed the loophole. We don’t have any evidence to suggest that it was ever exploited for malicious purposes."

19 June 2009

Finjan Finds Infected PCs Selling For Half A Cent

Most people know that powerful computer criminals don't all have setups similar to those of James Bond villains; a lot of damage can be done with just a little bit of outdated equipment. But a new report from Finjan drives home how very accessible botnets have become.

People who live in certain Asian countries are able to buy batches of 1,000 infected PCs for just $5, according to Finjan. This means just about anyone who can touch a computer, whether it be at a friend's apartment or an Internet cafe, can afford "in."

The highest price Finjan found elsewhere was in Australia, where the same number of infected PCs go for $100. A middle-class eight-year-old might be able to handle that with his Christmas money.

This is all possible due to the existence of the Golden Cash network. A Finjan statement explains, "The trading platform utilizes all necessary components (buyer side, seller side, attack toolkit, and distribution via 'partners')." And if that sounds pretty sophisticated, the statement does continue, "This advanced trading platform marks a new milestone in the cybercrime evolution."

Yuval Ben-Itzhak, CTO of Finjan, also added, "Looking at the list of compromised PCs we found, it is clear that no individual, corporate or governmental PC is safe."

Unfortunately, such trading platforms are probably here to stay. Cybercriminals can make as much as $400 in profit off of each batch of infected PCs, and so will be sure to keep at it for as long as possible.

Finjan just recommends using a Secure Web Gateway to help stop your computers from becoming infected in the first place. The full second issue of Finjan's Cybercrime Intelligence Report is also available for free if you'd like additional information regarding the problem.

18 June 2009

Mass-Mailing Worm in Fake Twitter Account Invite

Last month we reported that spammers had used Twitter as bait to lure innocent victims into a phishing trap, and now we’re seeing a wave of fake Twitter invitations that come carrying a mass-mailing worm. The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body. Instead, the user will see an attachment that appears as a .zip file that purportedly contains an invitation card.

Invitation Card.zip is the name of the malicious attachment, and it is being identified as W32.Ackantta.B@mm, which was first discovered in an e-card virus attack in February. W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from the compromised computer and spreads by copying itself to removable drives and shared folders.

Here is what the message looks like in an inbox (the screenshot is not reproduced here), and here is a sample header:

From: invitations@twitter.com
Subject: Your friend invited you to twitter!

As Twitter continues to gain popularity among social networking users, people are regularly receiving invitations and email updates from fellow users. We expect that spammers will continue to use Twitter and other popular social networks as bait in their attacks.
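The tell-tale combination described above (a sender claiming to be Twitter, no invitation link in the body, and a zip attachment) is easy to check at a mail gateway. As an added example, not from the original report, the Python below constructs a message with the headers shown above and a zip attachment, plus a legitimate-looking counterpart that carries a link and no attachment, and applies those checks, also opening any archive attachment to see whether its members are executables. The message bodies and the archive contents are constructed placeholders, not captured samples.

```python
"""Flag a fake "Twitter invitation" that carries an archive instead of a link.

Added example for this page, not from the original report. The sample
messages and the archive contents are constructed placeholders.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def build_sample_invite(malicious: bool) -> bytes:
    """Construct an invitation message. The malicious variant mirrors the reported
    one: the headers shown in the article, no URL, and a zip attachment."""
    msg = EmailMessage()
    msg["From"] = "invitations@twitter.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your friend invited you to twitter!"
    if malicious:
        msg.set_content("Your friend has invited you to Twitter. Open the attached invitation card.")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # Placeholder bytes standing in for the worm; not a real executable.
            zf.writestr("Invitation Card.exe", b"MZ" + b"\x00" * 64)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Invitation Card.zip")
    else:
        msg.set_content("Your friend has invited you to Twitter. "
                        "Accept the invitation at https://twitter.com/")
    return msg.as_bytes()


def archive_executables(payload: bytes) -> List[str]:
    """Names of executable-looking members inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def analyse_invite(raw: bytes) -> List[str]:
    """Return the reasons a message looks like the fake invite; empty if it looks clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = (msg.get("From") or "").lower()
    claims_twitter = sender.endswith("@twitter.com") or sender.endswith("@twitter.com>")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    has_url = bool(URL_RE.search(text))
    attachments = list(msg.iter_attachments())
    for part in attachments:
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(EXEC_EXT):
            reasons.append(f"executable attachment: {fname}")
        if fname.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            bad = archive_executables(payload)
            if bad:
                reasons.append("archive attachment contains executable(s): " + ", ".join(bad))
    if claims_twitter and attachments and not has_url:
        reasons.append("claims to be a Twitter invitation but carries an attachment "
                       "and no invitation link")
    return reasons


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("legitimate", False)):
        print(label, analyse_invite(build_sample_invite(flag)) or ["no findings"])
```

Note that the From header is checked only for what it claims, not for authenticity: a forged invitations@twitter.com is the point of the lure, so the decision rests on the attachment and the missing link rather than on trusting the sender.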

17 June 2009

Researchers To Unleash New SMS Hacking Tool At Black Hat

iPhone-based auditing tool tests mobile phones for vulnerabilities to SMS-borne attacks

Texting just keeps getting riskier: Researchers at next month's Black Hat USA in Las Vegas will demonstrate newly discovered threats to mobile phone users, as well as release a new iPhone application that tests phones for security flaws.

"We set out to create a graphical SMS auditing app that runs on the iPhone," says Luis Miras, an independent security researcher. The tool can test any mobile phone, not just the iPhone, for vulnerabilities to specific exploits that use SMS as an attack vector.

The researchers say they are currently working with mobile phone vendors on the bugs they discovered in their research, and say they expect the vendors to patch the flaws before Black Hat.

"In all of the issues, we're working through with responsible disclosure -- working with all of the [affected] vendors," says Zane Lackey, senior security consultant with iSEC Partners. "[And] they are going to be resolved with patched [phones]."

SMS has evolved into more than just simple text messaging, helping to make it an attractive vehicle for attacks. For example, new features allow graphics, sound, and video to be sent via the protocol. And SMS is live by default, so it requires almost no user interaction to be attacked. Miras and Lackey say the weaknesses they will expose are in specific SMS implementations, however, and not the protocol itself.

SMS hacking has captured the attention of security researchers lately. In March, Tobias Engel demonstrated an exploit that lets an attacker crash SMS text inboxes on several Nokia mobile phone models. Called the "Curse of Silence" attack, the exploit uses a specially crafted SMS message to launch a denial-of-service (DoS) attack on the victim's phone. While the SMS/MMS messaging features go dark, the phone itself remains operational after the attack.

And with mobile phones increasingly storing more sensitive personal and business information, they will inevitably become a bigger target for attackers, Lackey says. "SMS is interesting -- it's an 'always-on' attack surface," he says, and can be used for a DoS or for executing malware on a victim's phone, for example.

Mobile phones are also even more difficult than laptops to manage and protect, leaving them wide open to compromise. Unlike a company-issued laptop, mobile phones are sometimes privately owned by users and are under little or no corporate control, Miras says. The best way for users to protect themselves from SMS-based attacks today, he says, is to keep their phones patched.

But patching has always been a challenge for mobile phones "because of the many people involved -- the OS vendor, the OEM, and the carriers, which all have different aspects of control in the process," Miras says. "It's a difficult job, and it's still maturing."

Meanwhile, Miras and Lackey haven't yet christened their new SMS hacking tool with a catchy name. They also are writing some other minor tools for SMS security: "We're still working on those, but the [graphical SMS auditing app] is our flagship tool," Lackey says.

15 June 2009

New Facebook URLs raise cyber-squatting fears

Facebook's new personalised URLs feature has already come under fire from experts who believe it could be abused by cyber-squatters.

The new service, which went live on Saturday, allows account holders to register more distinctive URLs for their profiles by choosing a specific username, which will then be displayed in the URL link to their profile.

"Your new Facebook URL is like your personal destination, or home, on the web," wrote Facebook designer Blaise DiPersia in a blog post.

"People can enter a Facebook username as a search term on Facebook or a popular search engine like Google, for example, which will make it much easier for people to find friends with common names."

However, experts from law firm Eversheds have warned that businesses could be at risk from the malicious registering of company names.

"There is a real risk that well-known brands may be targeted by Facebook users to gain a financial benefit or damage the interests of brand owners, problems which brand owners are already only too familiar with in the context of cyber-squatting," said Eversheds partner Antony Gold.

Birgit Schluckebier, a solicitor at the firm, added that, although Facebook has put in place certain measures to counter the efforts of cyber-squatters, such as no transferability for usernames, brand owners must move quickly to mitigate the risk of abuse.

Facebook had given trademark owners the chance to submit their trademarks so that it could block unauthorised requests to register associated usernames. However, this service has been closed now that the registration process has begun.

Facebook has now said that any firm that wishes to report that a third party has registered a username which infringes on their rights, and wants to request the removal of a page, will need to fill out an automated IP infringement form.

11 June 2009

MSFT, Adobe and Apple patch together

Three major software companies issued updates this week, with Microsoft fixing 31 vulnerabilities in its operating system and applications, Adobe patching more than a dozen issues in its document reader software, and Apple closing over 50 serious security holes in its Safari browser.

With ten patches, Microsoft fixed more than two dozen flaws, including ten vulnerabilities in Microsoft Office closed by a trio of patches. Those Office flaws are rated Critical by Microsoft only for Office 2000 and Important for other versions of the productivity suite. Perhaps the most serious vulnerabilities fixed by the software giant are seven security issues in the company's flagship browser, Internet Explorer 8, said Andrew Storms, director of security operations for network protection firm nCircle.

"Topping this month's moderately large release cycle from Microsoft is the critical IE update that affects even Microsoft's latest and most secure browser, IE 8," Storms said in a statement sent to SecurityFocus. "Client side, browser based vulnerabilities continue to top the charts for threats, so every user should put this patch at the top of their 'install immediately' list."

In its first quarterly patch, Adobe shuttered 13 security holes in Adobe Acrobat and Reader. The quarterly patch, which Adobe announced last month, is scheduled to fall on the same day as Microsoft's Patch Tuesday. Some of the flaws could allow an attacker to run code on the vulnerable system, while others appear to only be denial-of-service issues.

Adobe still needs to work out the kinks in its quarterly patch process, Storms said.

"While the scheduled release cycle for Adobe updates is a big improvement in helping enterprise security teams effectively manage resources, today's security bulletins are still missing information," Storms said in a statement. "Security managers need Adobe to step up and provide mitigation steps and more detail on both the bugs and the patches."

Apple rounded out the patch parade with an update, released on Monday, that fixed more than 50 flaws in its latest browser, Safari 4.