Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Attackers compromise Bank of India, embassy sites

It hasn’t been a good week for the Bank of India and a number of embassy IT shops around the world. According to several researchers, embassy Web sites are getting compromised and the Bank of India Web site has been taken over as a launching pad for malicious exploits.

According to Computerworld, usernames and passwords for more than 100 email accounts at embassies worldwide have been posted online. Using the information, the publication noted, anyone can access the accounts that have been compromised. The foreign ministry of Iran, the Kazakh and Indian embassies in the U.S. and the Russian embassy in Sweden are among those who have been hit.

Details of the Bank of India compromise are outlined in the blog of Sunbelt Software:

“We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE,” Sunbelt warns.

The bank’s Web site is being used to drop all kinds of malicious software on victims’ machines, including:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Rootkit.Win32.Agent.ea
Trojan.Pandex
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

“We’ve cataloged over 22 pieces of malware. Mostly spam-related malware but we did find a Pinch Trojan variant,” wrote Sunbelt President Alex Eckelberry, adding that Windows computers that are fully patched should be protected against infection.

UPDATE, 10:12 a.m. ET: Eckelberry says the Bank of India site is now clean, “thanks to the hard work of a number of people involved in security and takedown.” He offered up this screen shot of the Web site:


Windows users react as Vista SP1 comes, AutoPatcher goes

Bill Brenner

This is a bittersweet kind of week for Windows administrators.

On one hand, many are happy to see that Microsoft is readying the first service pack for Vista, a move that will push many more companies to deploy the latest OS. On the other hand, many are upset because Microsoft has forced the demise of AutoPatcher, a revered alternative to Windows Update.

The big hope is that Vista SP1 will address a lot of the compatibility kinks that have dogged IT shops trying to deploy Vista. Many an expert in recent months has advised people to hold off on Vista until the release of the first service pack.

Security Blog Log

Microsoft confirmed Wednesday that the service pack will be out sometime in the first quarter of 2008, along with a third and final service pack for Windows XP. Before that, a beta version will be released for those who want to take a test run.

Early reaction in the blogosphere is positive.

Blogger Ryan Block expressed relief in the Engadget blog that Microsoft is ready to reveal “what the hell is going on” with Vista’s first service pack. At first glance, he wrote, it appears Vista SP1 will be “chock full o’ bug fixes, performance optimizations, and improved reliability.”

Susanne Dansey, a member of the UK and global SBS community wrote in her UK SMB Girl blog that Vista SP1 will continue to improve upon the IT administration experience.

“Windows Vista SP1 improves the reliability of Windows Vista in many areas,” she wrote. “According to Microsoft, many of the crashes and blue screens experienced by users stem from problems with 3rd party applications and drivers, and so they are working with partners to solve these together. Other problems occur entirely in Windows code so they are aggressively working to solve as many of them as possible.”

While people are upbeat about Vista SP1, they are also furious that Microsoft has forced the closure of AutoPatcher.

Antonis Kaladis, project manager and lead developer for AutoPatcher, informed users of Microsoft’s demands in the AutoPatcher blog in an entry titled “Sad Day.”

“Today we received an email from Microsoft, requesting the immediate take-down of the download page, which of course means that AutoPatcher is probably history,” he wrote. “As much as we disagree, we can do very little, and although the download page is merely a collection of mirrors, we took the download page down. We would like to thank you for your support. For the past four years it has been a blast. Unfortunately, it seems like it’s the end of AutoPatcher as we know it.”

Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., appealed to Microsoft to back off in her SBS Diva blog.

“Microsoft, we need an offline patching solution,” she wrote. “If you aren’t going to do one, and if XP SP3 is now out next year, how about you knock off the legal threats on AutoPatcher until XP SP3 comes out, will ya? AutoPatcher is just doing your job for you.”

Brad Linder lamented in the Download Squad blog that AutoPatcher provided a safe and easy way for users to download Windows updates without connecting to Microsoft’s servers. “This came in handy if you wanted to update multiple computers,” he said, adding, “You could download AutoPatcher, put it on a disc and install it on PCs before connecting them to the Internet, thus avoiding any vulnerabilities that may exist in pre-patched systems.”

Unfortunately, he said, Microsoft has decreed that Windows updates should only be downloaded from Microsoft’s servers.

Jake Ortman, an IT director at Discover Sunriver Vacation Rentals in Oregon, wrote in his UtterlyBoring blog that the move looks like a ploy by Microsoft to convince people to start using their “clunky services more or to try to move people in the corporate world to their Update Services systems.”

He wrote, “Thanks, Microsoft, but if I’m going to get an automated patch solution, I’ll use Net-Chk Protect (from Shavlik).”

Unfortunately for AutoPatcher users, it may prove impossible to find another tool like it. I don’t know of any myself, but if anyone out there is aware of any, please share.

I do know that Windows admins can get help with their patch management from a variety of vendors. One example, as Ortman mentioned, is Shavlik. Another is Patchlink.

As for the conventional wisdom that it’s best to wait for the first service pack before dealing with Vista, I’ve heard the same advice from many of those I’ve interviewed for my ongoing Vista Deployment series. But through my series work I’ve also met IT professionals who have found ways to roll out Vista despite the challenges they’ve encountered.

Check out the series, and please offer up some feedback on your Vista deployment work and about other patch tools admins should know about.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Monster.com attacks: Worse than first thought

Early last week I wrote about some aggressive phishing attacks against Monster.com users in which 1.6 million bank account records had been stolen. In an interview with Reuters, Monster Worldwide Chief Executive Sal Iannuzzi suggested the damage may be far worse.

While investigating the recent theft, he says the company discovered that its Web site had been hacked in the past. Of those affected, he told Reuters, “We’re assuming it is a large number. It could easily be in the millions.”

He said Monster.com users should play it safe and just assume their information was compromised and watch out for potential fraud against them.

Of course, this should serve as a lesson to never, ever stick your most personal information into Web pages like those found on Monster.com.

Update, Aug. 31 at 11:43 a.m.: Below is a copy of a letter one of my relatives received from Monster.com in response to the attacks:

Dear Valued Monster Customer,

Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.
As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records.
The Company has determined that this incident is not the first time Monster’s database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a “phishing” email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other websites.
We want to inform you about preventive measures you can take to protect yourself from online fraud. While no company can completely prevent unauthorized access to data, we believe that by reaching out to job seekers like you, the Company can help users better defend themselves against those who have attacked Monster as well as other databases.
We are committed to maintaining an ongoing dialogue with all of our job seekers about Internet security and the steps Monster is taking to protect its job seekers. The Company has placed a security alert on Monster sites offering information to educate you about online fraud. This information can be found at http://help.monster.com/besafe/. We have also included information on Internet safety and examples of fraudulent “phishing” emails at the bottom of this letter.
Monster has launched a series of initiatives to enhance and to protect the information you have entrusted to us. Some of these steps are being immediately implemented, while others will be put into place as appropriate.
We believe these actions are the responsible steps to protect the trust you place in Monster. We are also working with Monster’s hundreds of thousands of employer customers to ensure a safe and effective online job search. We will continue to share information with you about the enhancements we are making as we serve as your online career resource partner. We invite you to keep reading to learn more about how to use the Internet safely.
Sincerely,

Sal Iannuzzi
Chairman and CEO
Monster Worldwide

FBI’s DCS-3000 wiretap system exposed to the light of day

The FBI has delivered a treasure trove of documents on its DCS-3000 electronic surveillance system, which paint a fairly distressing picture of the system itself and the ways in which it is used. The system comprises a massive nationwide private network that connects FBI wiretapping facilities and gives agents the ability to activate remote wiretaps with the click of a mouse, pulling in active voice conversations, text messages and other traffic. Wired News details the system’s capabilities thusly:

Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.

FBI wiretapping rooms in field offices and undercover locations around the country are connected through a private, encrypted backbone that is separated from the internet. Sprint runs it on the government’s behalf.

All of which is pretty impressive. But, the documents also include descriptions of the DCS-3000’s security features, which a number of experts have said are painfully lacking. For example, instead of requiring strong authentication such as smart cards or biometrics from users, the system relies on passwords. Steve Bellovin, a security pioneer who spent years at AT&T Labs before moving to Columbia University, writes in his blog entry on the DCS-3000 that the real threat to the system is from insiders.

The most obvious example is the account management scheme described in the DCS-3000 documents: there are no unprivileged userids. In fact, there are no individual userids; rather, there are two privileged accounts. Each has different powers; however, as the documents themselves note, each can change the other’s permissions to restore the missing abilities. Where is the per-user accountability? Why should ordinary users run in privileged mode at all? The answers are simple and dismaying.

Instead of personal userids, the FBI relies on log sheets. This may provide sufficient accountability if everyone follows the rules. It provides no protection against rule-breakers. It is worth noting that Robert Hanssen obtained much of the information he sold to the Soviets by exploiting weak permission mechanisms in the FBI’s Automated Case System. The DCS-3000 system doesn’t have proper password security mechanisms, either, which brings up another point: why does a high-security system use passwords at all? We’ve known for years how weak they are. Why not use smart cards for authentication?

We can’t even rely on just the log sheets: the systems support remote access, via unencrypted telnet.

My biggest concern, though, lies in the words of one of the FBI’s own security evaluations: the biggest threat is from insiders. The network is properly encrypted for protection against outside attackers. The defenses against insiders — yes, rogue FBI agents or employees — are far too weak.

To sum up: we have a system that accesses very sensitive data, with few technical protections against inside attacks, and generic defenses that don’t seem to fit the threat model.

There are more documents to come as a result of the Electronic Frontier Foundation’s FOIA request, and it will be fascinating to see what other revelations they contain. Stay tuned.

Symantec eyes smaller acquisitions

Symantec Chief Executive John Thompson has gambled his company’s success in part on some large acquisitions in recent years, most notably the acquisition of Veritas in 2005. But during a round-table chat with reporters Tuesday, he suggested future acquisitions would involve smaller companies.

Future deals will probably be the size of Altiris or smaller, he said. That transaction closed in April and was valued at about $970 million.

“You should expect us to do things that are more like that,” he told a small group of reporters at a round-table discussion with company executives in New York, as reported by Reuters. “That’s certainly the benchmark of a deal that we think very highly of.” He said that there are no active deals under consideration. “Having said that, we are a very acquisitive company,” he added.

How to run arbitrary code on a VMware guest OS

The folks at VMware have been in the news quite a bit of late, thanks to their big IPO and their discreet acquisition of Determina a couple of weeks ago. Now, the company’s core virtualization product is getting some attention, but not the kind company executives will like. Mark Burnett, an independent security consultant and author, recently posted a long description of a vulnerability in VMware’s scripting automation API that he found.

The vulnerability comes down to this: The API allows any script on the host machine to execute code and take other actions on any virtual machine that’s running on the PC, without requiring any credentials on the guest operating system. This presents a number of problems, as Burnett points out:

The problem is that a malicious script running within the context of a regular user on my desktop can run administrator-level scripts on any guest I am currently logged in to. Using Ctrl+Alt+Del to lock the desktop of those machines does not prevent VIX from executing commands on the guest. Even if I log out of each guest machine the malware can just queue the command to run the next time I log in at the console of the guest OS.

However, this is in fact a feature that the VMware developers intentionally included. VMware told Burnett that, in essence, anyone who can access the virtual machine APIs on a machine can access the virtual hard disks anyway and would be able to attack the PC from that direction. But it seems to me that Burnett is on to something here. Sure, there are plenty of other methods for attacking virtual machines, but that doesn’t mean this should be ignored.

Burnett also has found a way to mitigate the problem by adding a switch to the VMX config file.

Storm malware’s latest trick involves YouTube

The bad guys have been using the Storm malware quite successfully all year through a variety of social engineering tricks. Researchers say the latest example involves YouTube.

Researcher Vinoo Thomas writes in the McAfee Avert Labs blog that his organization observed a new trend over the weekend involving Storm, which it calls W32/Nuwar.

“The authors of this malware have resorted to spamming HTML formatted emails that pretend to be from a friend sending a link to a video from YouTube,” he said. “To the average computer user, the link in the email would seem perfectly legitimate as it points to Youtube.com, but if one were to hover the mouse over the URL, it would point to a numeric IP address. This is achieved by using special HTML anchor tags in order to obfuscate the malicious URL so that what the victim sees is usually not what they get.”

Of course, the advice here is to be very skeptical if you get any emails directing you to something on YouTube.

The day(s) the Skype universe stood still

Bill Brenner

Up to this point I’ve resisted writing about last week’s Skype outage, simply because I found it hard to see clear security implications. I could see no solid evidence that the outage was caused by malicious activity. It simply looked like a glitch in Skype’s back-end machinery that was triggered by a botched Microsoft patch rollout.

Sure, people have been frustrated by the outage, especially in the blogosphere. But much of what I read looked more like groans of the inconvenienced than fears that bigger security issues were involved.

But in the final analysis, I think this incident does illustrate the kind of trouble we could see in the future at the hands of malicious people, so it’s time to add my two cents to the bigger discussion.

First, some background:

Security Blog Log

Skype’s immensely popular Internet phone service crashed on Aug. 16 and stayed that way for two or three days. The folks at Skype posted a message on the company’s blog blaming the outage on a botched deployment of some Microsoft patches.

“The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update,” wrote Skype’s Villu Arak. “The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.”

A lot of Skype users didn’t buy that, of course, and Arak came back with a blog post clarifying the official Skype position.

“We don’t blame anyone but ourselves,” he wrote. “The Microsoft Update patches were merely a catalyst — a trigger — for a series of events that led to the disruption of Skype, not the root cause of it. And Microsoft has been very helpful and supportive throughout.”

The Microsoft Security Response Center’s Christopher Budd weighed in with his own blog posting, saying that Skype did what any affected party should do when encountering patch deployment problems — contacted the Microsoft support center. “Fortunately, Skype has identified the cause,” Budd wrote. “As Villu Arak notes, a previously unseen software bug within the network resource allocation algorithm was the cause, and they have corrected it.”

The second Skype posting wasn’t enough to satisfy tech blogger Ben Metcalfe, who wrote that the official explanation has too many holes for his liking.

“Having blamed Microsoft windows updates for the collapse of the Skype network, the beleaguered p2p VoIP company has spun another yarn now ‘clarifying’ that it’s not really Microsoft’s fault after all,” he wrote. “Their second explanatory post contains more hot air than a dodgy data center with a broken air conditioner.”

He urged readers to inspect both Skype posts and see the contradictions he found, including:

Post 1:
“The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.”

Post 2:
“How come previous Microsoft update patches didn’t cause disruption? That’s because the update patches were not the cause of the disruption.”

Metcalfe said it all looked odd, given that every Microsoft update requires a restart. “There was nothing different with this latest windows update on that front,” he noted. “Thus to say that the reboots caused the outage makes no logical sense without the addition of a further factor (which they don’t appear to be disclosing).”

In the SecuriTeam blog Juha-Matti offered up eight reasons why the security community responded so skeptically to the official Skype line:

1. Microsoft has released monthly security updates since January 2004.
2. There were three critical MS patches in July, and four critical in June.
3. Only four August critical patches included a mandatory reboot.
4. Critical patch MS07-044 for the code execution issue in Excel needs no reboot.
5. Critical patch MS07-050 for the VML issue needs a reboot only if files are in use.
6. SecurityLab.ru released a public Skype Network Remote DoS Exploit on Aug 17.
7. There was a new Skype for Windows version 3.5.0.214 out on Aug 17.
8. A lot of home users go to Microsoft Update on Tuesday, not Thursday.

Ed Felten, professor of computer science and public affairs at Princeton University, offered Skype a little sympathy in his Freedom to Tinker blog:

“To deal with the ever-changing population of user computers, Skype has to use a clever self-organization algorithm that allows the machines to organize themselves without relying (more than a tiny bit) on a central authority,” he wrote. “Self-organization has two goals: (1) the system must respond quickly to changed conditions to get back into a good configuration soon, and (2) the system must maintain stability as conditions change. These two goals aren’t entirely contradictory, but they are at least in tension. Responding quickly to changes makes it difficult to maintain stability, and the system must be engineered to make this tradeoff wisely in a wide range of conditions. Getting this right in a huge P2P system like Skype is tricky.”

He cautioned against making too many broad conclusions from a single failure like this, since “large systems of all kinds, whether centralized or P2P, must fight difficult stability problems.”

Regardless of how this outage occurred, there’s a bigger lesson to be had. We’ve written many stories in the last three years about the dangers of VoIP technology, and the lesson is usually that IT shops are rushing this technology into use without considering the security implications.

Former White House cybersecurity advisor Howard Schmidt expressed those concerns when I interviewed him for a podcast earlier this year, and SANS Institute Training and Certification Director Stephen Northcutt admits organizations like his must do more to train people in the art of VoIP security.

VoIP security was also a dominant issue at the Black Hat conference in Las Vegas earlier this month.

The bottom line is that VoIP security has to be top of mind now in any corporate IT operation. The Skype outage may not have been the work of an attacker, but I’m sure the bad guys were inspired by the public outcry that ensued. That inspiration could lead to more sinister activity going forward.


Jim Bidzos back as chairman of VeriSign

Hey kids, it’s 1995! Well, sort of.

Jim Bidzos is back as the chairman of VeriSign. Bidzos helped found the company in 1995 and spin it off from RSA Security, where he was the CEO from 1986 to 1998. The company started as a certificate authority, selling digital certificates at a time when not many people knew what they were or what to do with them. But VeriSign later diversified into a number of other businesses, eventually getting into domain registrations, managed security services and even mobile-phone content. That strategy led to some rough years, and the company is now back to focusing mainly on security.

Bidzos is a legend in the security industry, both for his involvement in RSA’s early days and the development of the industry as it exists today. For years he served as the MC of the RSA Conference, until the organizers hired a pro to do it. (Big mistake, but that’s another whole story.) He was CEO of RSA from 1986 to 1998 and was also chairman of VeriSign until 2001. He’s been the vice-chairman of the board for the last six years.

“It was Jim’s vision that launched VeriSign over a decade ago, and his leadership and experience make him the ideal person to take over as our new chairman,” said Bill Roper, president and chief executive officer of VeriSign. “Jim has already made significant contributions to VeriSign and to the industry, and we look forward to partnering with him as we bring more focus and discipline to VeriSign’s future.”

Forrester: SIM market to level off around $1.18 billion in 2011

Forrester Research has just released a new report that might be of interest to those who like to track where the security market is headed.

The picture painted by Forrester analyst Paul Stamp [with help from analysts Jonathan Penn, Eric G. Brown and Alissa Dill] is of a security information management (SIM) market that will level off at around $1.18 billion by 2011.

Stamp says the market is growing at a rate of around 50% and that growth will continue to accelerate until late 2009, when commoditization will result in smaller deals.

“From 2011, the market will stabilize as SIM becomes a wider part of the infrastructure management and business intelligence disciplines,” Stamp says, predicting that the winners will be the vendors “that can deliver today’s requirements quickly and easily rather than the constant promise of future SIM nirvana.”

The folks at Forrester have offered up a lot of good insight in the past, though I must admit I’m always skeptical when someone makes predictions on what we’ll be doing four years down the road.