Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Money for nothing and security for free

During a time of year when it seems like we all spend waaaay too much on presents, holiday decorations and travel, among other things, it’s always nice to get a little something for free.

To that end, I thought I’d take a moment to point out a few free security offerings, courtesy of SearchSecurity.com contributor Peter Gregory, who you may recall produced our Security School lesson this year on Windows Vista intrusion defense, and in his spare time serves as chief of infosec and risk management at Concur Technologies. 

This week Peter offers up a helpful entry on his blog covering free information security tools and services. It’s got a little something for passengers and sailors alike: free antivirus, antispyware and anti-rootkit tools — which will help that distant cousin who will surely ask you over Christmas dessert why his AV-free PC is running so slow lately – and hardened security pros can have some fun with the file eraser and data encryption tools.

And did I mention all this was free? :)

A very merry Christmas and happy New Year everyone!

America’s Next Top H4×0r

Maybe it’s a result of the TV writers’ strike or maybe it’s just the natural next step in a world in which there are reality shows about dueling choirs and kids living alone, “Lord of the Flies” style. Whatever the reason, security is finally getting its due in the form of an upcoming Court TV documentary called “Tiger Team.” The show follows the exploits of a three-man team of penetration testers as they work their black magic on various corporate networks. But, in addition to using tools such as Core Impact to find soft spots in computer security, the team will be using various social engineering techniques to see how much havoc they can wreak on clients’ physical security, as well. The team itself is a group of experts from a company called Alternative Technology in Colorado.
For viewers accustomed to the absurd security-related antics on shows like “24” and movies such as “Swordfish” and “Hackers,” I’m not sure how exciting the sight of someone using an Apache exploit will be. But it’s got to be better than “Private Practice” or “Rock of Love.” The show premieres on Christmas night at 11 p.m. EST and PST.

From Russia with love

Bill Brenner

Being in the Christmas spirit and all, I’m going to dispense with the usual advice-oriented column this week. Fear not, I’ll get back on theme after the New Year.

For this week, I want to focus on some blog chatter about the latest malicious creation to come out of Russia, because, well, it amuses me. It probably shouldn’t, but it does.

According to security software firm PC Tools, someone in Russia has created malware that flirts with females or males seeking relationships online in order to dupe them out of their personal data.

CyberLover can conduct fully automated flirtatious conversations with chat-room visitors and dating sites to lure them into a set of dangerous actions such as sharing their identity or visiting Web sites rigged with malware. It can establish a new relationship with up to 10 partners in just 30 minutes and its victims cannot distinguish it from a human being.

“As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering,” says Sergei Shevchenko, senior malware analyst at PC Tools. “It employs highly intelligent and customized dialog to target users of social networking systems.”

The sad thing is that the creators of CyberLover are certain to make money off this, since there are plenty of gullible people out there looking for love in all the wrong places.

Folks in the blogosphere are talking about how this thing comes close to passing the Turing test, which I honestly had never heard of before today. According to an entry in Wikipedia, the Turing test is a proposal for a test of a machine’s capability to demonstrate intelligence. Described by Alan Turing in the 1950 paper “Computing machinery and intelligence,” it proceeds as follows: a human judge engages in a natural language conversation with one human and one machine, each of which try to appear human; if the judge cannot reliably tell which is which, then the machine is said to pass the test. [On a slightly unrelated note, Turing, an English mathematician, logician, and cryptographer whose life ended in suicide, will be the theme of the RSA security conference in April.]

Technologist Brad Templeton writes about CyberLover and the Turing test in his Brad Ideas blog, noting how it may be having a successful run by fooling people in a language that is a second language to the target, and/or claiming that it is using a second language for itself. With English as the lingua franca of the Internet and world commerce, he notes, it’s common to see two people talk in English, even though it is not the mother tongue of either of them.

“It’s easier to see how a chatbot, claiming to not speak English (or some other ‘common’ language) very well — and Russian not at all — might be able to fool a Russian whose own English is meager,” he wrote, “though you have to be pretty stupid to give away important information within 30 minutes to a chat partner you know nothing about.”

Curt Monash, a leading analyst of and strategic advisor to the software industry, wrote in the Text Technologies blog that it might be fun to point two copies of the bot at each other and watch them chat each other up.

Meanwhile, a visitor to the Slashdot blogging forum was reminded of a bot he created years ago that would randomly send people messages until the person at the other end stopped responding.

It spewed out nonsense sentences and most people ignored them from the start, the blogger noted, but even those that didn’t quickly got the idea when it cycled back on the same message more than once. One time, however, he remembered “this one guy replying back to this bot as if it was a real person for almost two hours!”

What I’m reminded of, though, is a conversation I had with security luminary Eugene Kaspersky in October. During a visit to Kaspersky Labs’ Massachusetts office, I asked Kaspersky why so much malware comes from his homeland.

A dismal economy and lax law enforcement are fueling the problem, nudging Russian computer programmers into an underground market where easy money can be made creating programs used to steal credit card and Social Security numbers.

“[Russian hackers] don’t see themselves as doing anything criminal,” Kaspersky said at the time. Many Russian programmers compare themselves to weapons manufacturers — they build the technology but are not the ones using it. In other words, they’re not responsible if someone else is pulling the trigger. Meanwhile, Kaspersky said, the Russian economy is still shaky enough that people are looking for ways to make a steady living, and building malware for online gangsters is one way to do it.

And so you can expect a lot more of this malware in the new year and beyond.

My take: If you can’t see the person in front of you, it’s probably best not to flirt with them in the first place.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Mozilla releases Firefox 3 beta 2

Mozilla has delivered on its promise to release the second beta for Firefox 3 by year’s end. Security is to be a major part of Firefox 3, and I recently asked some IT professionals to play around with it and offer some additional impressions. The reviews were mainly positive.

Check out the report here.

Mega patch for Mac users

Apple users tend to have a false sense of security superiority when it comes to their beloved Mac machines. But you gotta give Apple some credit — when a security hole is discovered, the company is pretty good about patching it quickly.

This time around, Apple has released Security Update 2007-009 to fix some 41 flaws in Mac OS X and the Safari Web browser.

The SANS Internet Storm Center (ISC) Web site has a pretty good summary of what’s been fixed:

2007-009 10.5.1 includes fixes for CF Network, Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in and Spin Tracer.

2007-009 10.4.11 Universal and 10.4.11 PPC include fixes for Address Book, CUPS, ColorSync, Core Foundation, Desktop Services, Flash Player Plug-in, gnutar, iChat, IO Storage Family, Launch Services, Mail, perl, python, ruby, Samba, Safari, Shockwave Plug-in, SMB, Spotlight, tcpdump and XQuery.

“Several of these issues are rather serious, so we strongly advise installing these updates at your earliest convenience,” ISC handler Maarten Van Horenbeeck wrote, adding that users can read up on the individual CVE numbers and vulnerability descriptions here.

Truthiness

Every once in a while someone gets it so right that there really isn’t much to add. This post by Chris Hoff is as good as it gets. If you’re not reading his frequent posts on security, survivability and other assorted topics already, here’s the perfect chance to get started.

Top 5 security stories of 2007? You tell us

It’s that time of year where we in the news business love to make lists of the top news stories of the year. I’ve drawn up a Top 5 list of my own for your amusement, but admit that my judgment could be off. And so I ask you, the reader, to look over my list and tell me if there’s anything you would add or remove. I’ll work your feedback into our final Top 5 story.

My list:

5.) Problems slow the deployment of Windows Vista

IT professionals struggled mightily to make sense of Microsoft’s Windows Vista, but compatibility problems slowed enterprise-wide deployments to a crawl.

4.) Security of the iPhone in doubt

Apple’s iPhone — the year’s most hyped piece of technology — quickly gained the attention of hackers eager to find security weaknesses. It didn’t take them long to find something.

3.) The pain of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) got plenty of attention as the list of data breaches grew and compliance deadlines approached. By year’s end many were still struggling to meet all of PCI DSS’s requirements, but that didn’t stop some experts from insisting on even tougher provisions.

2.) Malware takes cyberspace by Storm

When Storm was first discovered in January, it looked like another typical worm outbreak. But Storm kept spreading throughout 2007 and it soon became clear that the malware was the creation of sophisticated botnet builders. By year’s end, it was continuing to spread in the form of smaller, more customized botnets capable of launching a variety of attacks.

1.) TJX data breach exposes 94 million records

TJX acknowledged a massive data breach in January that ultimately exposed more than 94 million records to online fraud. To date, it is the biggest systems breach in history.

eEye founder Maiffret leaves the company

Marc Maiffret, the founder and longtime CTO of eEye Digital Security, has left the company to work on other projects. Maiffret is among the best-known hackers on the security scene and made his name in the early part of this decade by exposing a series of serious vulnerabilities in Microsoft products, particularly the company’s Web server product, IIS. Never afraid to speak his mind, regardless of the topic, Maiffret was a gold mine for reporters, including me, over the years and often drew the ire of officials at Microsoft and other software vendors who weren’t happy with the way Maiffret and eEye publicized their findings.

eEye has been going through a transition in the last few months, which has included layoffs and the exit of some top executives, including CEO Ross Brown. The company has struggled to find its footing as an enterprise security provider and is now in a position where its competition is coming from heavyweights such as Symantec and IBM with virtually unlimited resources. So it’s not going to get any easier.

Maiffret is still serving as an adviser to eEye.

Bad holiday PR

I absolutely love Christmas, and even have a soft spot for a lot of the tacky stuff that comes with it, like fake silver trees, loud-colored garland and the Coca-Cola version of Santa Claus.

But there is one thing that will bring out the Grinch in me every time — holiday-inspired PR pitches security vendors insist on hurling at me with the glee of kids in a snowball fight. The folks at PGP will probably be mad at me for this, but I can’t help but make an example of them this time around.

Here’s what they sent me Tuesday as I sat anxiously awaiting this month’s Microsoft patch bulletins:

The 12 Threats of Christmas

The twelve threats of Christmas, is networking secure?

The bad guys are shaking their lures.

With the Storm Worm, and rootkits, and crimeware everywhere, We should prepare For infections we’d rather not share!

O the twelve threats of Christmas, what more can we endure?

Twelve hackers hacking

Eleven passwords cracking

Ten laptops leaving

Nine phishers phishing

Eight Web sites crashing

Seven spammers spamming

Six Trojans sneaking

Five breaches more!

Four corp’rate spies

Three bot nets

Two online games

And an unencrypted missing flash drive!

The only gift I can give in return is a groan followed by a Bah Humbug!

Pay no attention to the pop-up box behind the curtain

Bill Clinton may be the world’s champion when it comes to parsing words and phrases to suit his own purposes, but to give credit where credit is due, executives from software companies are making up ground in this race quickly. One prime example of this is the reaction from a Microsoft executive in a recent story by our Bill Brenner on Vista deployment challenges. Users have roundly criticized the User Account Control technology in Vista for its propensity to throw pop-up boxes at users constantly. This, and other Vista quirks, have led quite a few enterprises to put off their Vista roll-outs until after SP1 at the earliest. Microsoft’s answer to this was both odd and instructive, I think:

Shanen Boettcher, general manager of Windows client product management at Microsoft, doesn’t deny there have been problems. But if the sales figures are any indication, he said, the first year of Vista has been a success.

In addition to having sold 88 million copies of Vista, he said, more than 42 million PCs are now licensed under volume licensing agreements, demonstrating that businesses are buying into the long-term value of Vista.

In other words, as long as the thing is selling, we’re good. It would be interesting to see a breakdown of those sales figures to see how many copies were pre-installed on new PCs and how many were shrinkwrapped. The feeling I get from IT folks is that right now they’re only upgrading to Vista when they have to buy new machines, not by choice. Enterprises tend to move pretty slowly on deployments of major new products like this anyway. Microsoft has, in fact, made a number of changes to the way that UAC behaves in response to user feedback. But it’s interesting that the executive’s first reaction to questions about problems with UAC and other Vista features is, Hey, look how many copies we’ve sold.