Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

HP: Would you like some malware with your server?

Experts have said for some time that the era of pre-installed malware may be right around the corner. Today, there’s no question that corner has been turned, as the Australian Computer Emergency Response Team (AusCERT) has learned that optional USB 2.0 floppy drive keys shipping with certain Hewlett-Packard Co. ProLiant servers have been infected with malware.

According to AusCERT, the keys may be infected by viruses called ‘W32.Fakerecy’ or ‘W32.SillyFDC’. The part numbers of the infected keys are 442084-B21 and 442085-B21. They are shipping with some of HP’s ProLiant class BL, DL and ML servers and other related equipment.

In a post on the SANS Internet Storm Center (ISC) website, handler John Bambenek wrote that since the available information suggests the keys were shipped only with ProLiant servers, it could either be a random effort on the part of attackers, or it’s part of a scheme to target a specific product or group. Regardless, Bambenek wrote, it’s time to be concerned with USB-based attack vectors.

It’s worth noting the growing trend in which attackers focus their efforts on pre-installed malware. Platform security expert Michael Cobb recently addressed the issue of rootkits being pre-installed on USB thumb drives. There’s also the related threat of cross-build injection attacks, in which application developers rely on external dependencies with pre-assembled third-party components that surreptitiously had malicious code added to them. With this news, ISC suggests the hacker battleground may have now moved to the floors of manufacturing facilities worldwide.

ChoicePoint saga comes to a close

Remember ChoicePoint? Four years ago the data broker kicked off what became a years-long deluge of enterprise data breaches by allowing more than 160,000 customer records to be stolen. It seems like small potatoes today, but back in 2005 things were so bleak that ChoicePoint landed at the top of our 2005 IT winners and losers year-in-review column. Hint: it wasn’t a winner.

Today, things are looking up for ChoicePoint, at least in part. This follows word that ChoicePoint has settled a class-action lawsuit over the theft, agreeing to fork over $10 million to make it go away. I’m not a math genius, but 10 million divided by 160,000 or so (minus legal costs) doesn’t seem like a very satisfying outcome for the victims.

Adding insult to injury, the SEC has decided against pursuing legal action against CEO Derek Smith and COO Doug Curling, who together pocketed more than $16 million in profit by selling ChoicePoint stock after the company found out about the data breach — but before word of the breach was disclosed to the public.

So as the story closes, victims get enough scratch for a few cups of coffee at Starbucks, and rich executives ride off into the sunset. Hmmm, Hollywood might want to rewrite the ending to this one.

Money for nothing and security for free

During a time of year when it seems like we all spend waaaay too much on presents, holiday decorations and travel, among other things, it’s always nice to get a little something for free.

To that end, I thought I’d take a moment to point out a few free security offerings, courtesy of SearchSecurity.com contributor Peter Gregory, who you may recall produced our Security School lesson this year on Windows Vista intrusion defense, and in his spare time serves as chief of infosec and risk management at Concur Technologies. 

This week Peter offers up a helpful entry on his blog covering free information security tools and services. It’s got a little something for passengers and sailors alike: free antivirus, antispyware and anti-rootkit tools — which will help that distant cousin who will surely ask you over Christmas dessert why his AV-free PC is running so slow lately – and hardened security pros can have some fun with the file eraser and data encryption tools.

And did I mention all this was free? :)

A very merry Christmas and happy New Year everyone!

Cyber Jihad on Nov. 11? Um, probably not

Numerous reports have surfaced regarding what’s being described as an al-Qaeda plot to hatch a cyber jihad Nov. 11, directed at numerous Web sites. According to the initial report by the online publication DEBKAfile, the attack is expected to begin by targeting 15 western, Jewish, Israeli, Muslim apostate and Shiite Web sites, and expand from there.

Have no fear. Johannes Ullrich, Chief Research Officer of the SANS Internet Storm Center and one of this team’s most trusted sources, says there’s no need to cancel your Nov. 11 dinner plans. In a post today on the SANS ISC blog, Ullrich says it’s likely that the attack will never come to fruition, noting similar past claims that went nowhere and that the date Nov. 11 is often known for hoaxes.

“So in short: stay calm, focus on best practices and you don’t have to do anything special on November 11th,” Ullrich says. Well, that is, unless you were planning something special already.

Reported Vonage flaw a reminder of VoIP dangers

We’ve written quite a bit in the past about how many enterprises are ignoring the dangers of voice over IP (VoIP). While we doubt many enterprises are in the practice of using Vonage, it’s worth noting a Reuters report today that hackers have figured out how to intercept calls made on the Vonage VoIP service, according to Sipera Systems, as yet another example that VoIP and its protocols are easy to attack.

Here are the highlights in a press release from Sipera: “Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a ‘registration replay attack,’ then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of ‘ringing the phone off the hook’ which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.” Sipera also noted a similar vulnerability with European provider Globe7’s online account access system.

Let it serve as a reminder that, as our threats expert Ed Skoudis wrote recently, enterprises should proceed with caution on any and all VoIP implementations because of the many exploits in the wild. Since VoIP security still isn’t getting the attention it demands, it wouldn’t be surprising if enterprise VoIP attacks soon become more popular; Infonetics Research says half of small and two-thirds of large organizations in North America will be using VoIP products and services by 2010. Of course VoIP security is an area we’ll continue to watch closely.
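The Sipera description above names two SIP abuse patterns a VoIP operator or enterprise PBX team would want to see in their own logs: a replayed REGISTER (a captured registration re-sent to take over a user’s identity) and a burst of INVITEs that rings a phone off the hook. The following Python is an added example, not code from Sipera, Vonage or this blog; the proxy log format, the IP addresses and the flood thresholds are all constructed for illustration.

```python
"""Flag SIP REGISTER replay and INVITE flooding in a (constructed) proxy audit log.

Assumed log format, one event per line (hypothetical, not any vendor's format):
  <ISO-8601 UTC time> src=<ip> method=<SIP method> user=<AOR user> call-id=<id>
  [nonce=<digest nonce> response=<digest response>]   (REGISTER only)
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) user=(?P<user>\S+) "
    r"call-id=(?P<call_id>\S+)(?: nonce=(?P<nonce>\S+) response=(?P<response>\S+))?$"
)

# Constructed sample: a legitimate registration (with one UDP retransmission),
# the same Digest credentials replayed later from another address, and a burst
# of seven INVITEs at one user within six seconds.  Addresses are RFC 5737 ranges.
SAMPLE_LOG = """
2007-10-25T09:00:00Z src=198.51.100.7 method=REGISTER user=alice call-id=reg-1 nonce=n1 response=r1
2007-10-25T09:00:01Z src=198.51.100.7 method=REGISTER user=alice call-id=reg-1 nonce=n1 response=r1
2007-10-25T09:00:30Z src=198.51.100.22 method=INVITE user=alice call-id=c-100
2007-10-25T09:00:45Z src=203.0.113.9 method=REGISTER user=alice call-id=reg-77 nonce=n1 response=r1
2007-10-25T09:01:00Z src=203.0.113.9 method=INVITE user=bob call-id=f-1
2007-10-25T09:01:01Z src=203.0.113.9 method=INVITE user=bob call-id=f-2
2007-10-25T09:01:02Z src=203.0.113.9 method=INVITE user=bob call-id=f-3
2007-10-25T09:01:03Z src=203.0.113.9 method=INVITE user=bob call-id=f-4
2007-10-25T09:01:04Z src=203.0.113.9 method=INVITE user=bob call-id=f-5
2007-10-25T09:01:05Z src=203.0.113.9 method=INVITE user=bob call-id=f-6
2007-10-25T09:01:06Z src=203.0.113.9 method=INVITE user=bob call-id=f-7
2007-10-25T09:05:00Z src=198.51.100.22 method=INVITE user=alice call-id=c-101
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_register_replays(events):
    """A REGISTER that reuses a Digest nonce/response pair already seen in a
    different dialog (other Call-ID) or from a different source is a replay
    candidate.  A plain UDP retransmission keeps the same Call-ID and source,
    so it is not flagged."""
    first_use = {}  # (user, nonce, response) -> (src, call_id)
    replays = []
    for ev in events:
        if ev["method"] != "REGISTER" or not ev["nonce"]:
            continue
        key = (ev["user"], ev["nonce"], ev["response"])
        origin = first_use.setdefault(key, (ev["src"], ev["call_id"]))
        if origin != (ev["src"], ev["call_id"]):
            replays.append({"user": ev["user"], "first_src": origin[0],
                            "replay_src": ev["src"], "time": ev["ts"]})
    return replays


def find_invite_floods(events, threshold=5, window_seconds=10):
    """Users receiving more than `threshold` INVITEs inside any sliding window of
    `window_seconds`; returns {user: peak count}.  Thresholds are illustrative."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["method"] == "INVITE":
            per_user[ev["user"]].append(ev["ts"])
    flooded = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flooded[user] = max(flooded.get(user, 0), count)
    return flooded


def analyze(log_text):
    """Run both detectors over a log and return their findings."""
    events = parse_log(log_text)
    return {"register_replays": find_register_replays(events),
            "invite_floods": find_invite_floods(events)}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

On the sample log the replay detector reports alice’s credentials being reused from 203.0.113.9, and the flood detector reports seven INVITEs at bob. Detection like this is a stopgap: the Sipera release itself points at the underlying cause, signaling that is not protected in transit, and the durable fix is on the service side rather than in the log analyzer.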

Inside URI flaws

Late last week you may have seen Rob Westervelt’s news story on the dangerous Windows URI flaw, potentially enabling remote code execution on Windows XP and Windows Server 2003. As Rob reported, in order for an attack to be successful, an attacker must embed a malicious URI in a Web page or email and trick the user to follow the link.

But, you may be asking, how exactly is a URI different from a URL, or how do application developers often underestimate the complexity of URI protocol handler issues?

In what may be a case of perfect timing, late last week we debuted a brand-new tip by Michael Cobb that discusses how to prepare for and prevent URI exploits. Mike explains how URI identifier exploits like the one last week may start a fresh round of problems for developers and users alike. Obviously we hope this newly discovered flaw isn’t the start of a trend when it comes to URI issues, but either way, as the saying goes, an ounce of prevention is worth a pound of cure.

The case for identity-enabled devices

I wanted to highlight an article that debuted on the site this week that was written by Joel Dubin, which makes the case for identity-enabled network devices. On one hand, as Joel writes, the technology is meant to add an extra layer of security to any kind of network device by requiring both the user and the device to authenticate, but at the same time, it’s worth asking whether the added complexity and hardware requirements (devices dating back before 2006 won’t cut it) make it more of a burden than it’s worth.

We’re always interested in what our readers think, so let us know if this is or isn’t a concept that makes sense (and one you’d like us to write more about in the future).

Benevolent keyloggers: Stroke of genius or hitting the wrong key?

Keystroke loggers are nothing new. Often surreptitiously installed on a user’s PC, keyloggers record keyboard actions and log them, or subsequently upload the data to a third party. It was more than three years ago when the first federal prosecution involving keylogger crime took place. They’ve been a favorite weapon in the arsenal of malicious hackers for even longer than that; they’ve been incredibly effective as a method for stealing usernames, passwords and other information that can be used to penetrate enterprises and steal identities. However, keyloggers are no longer being used exclusively for evil. Just recently it was revealed that the FBI has used them on a number of occasions, including in the investigation of alleged mafia kingpin Nicodemo Scarfo Jr., and helped lead to the arrest of Josh Glazebrook, a 15-year-old student who pleaded guilty last month to emailing bomb threats to his Washington high school.

Lately we’ve seen discussion among IT pros regarding the merits of using keyloggers in the enterprise. It bears asking what keylogger capabilities are coveted by security professionals that would make them desirable over other, more traditional client-based monitoring tools. Are they cheaper, easier, or just more fun?

It would certainly seem the practice is no longer an absolute no-no, but as always, we’re interested in what you have to say. Have you used a keystroke logger in your organization, and would you consider doing so?

Get ready for a NanoScan

One of my favorite sayings is, “You can’t beat free!” It’s not always true of course, but as the industry has learned from the many useful open source tools available today, free is often good enough to avoid paying for a commercial product that does the same job.

So it was in the spirit of getting something for nothing that I tried Panda Software Canada’s new free NanoScan at its InfectedOrNot.com Web site.

The site offers two different scans: TotalScan, which looks for active and latent malware, and the NanoScan, an alleged one-minute scan that looks only for active infestations.

Seeing as I wanted to save some time in order to write this blog entry, I went with the NanoScan. But, does it really only take one minute? With my stopwatch in hand, I accepted the user agreement (and the ActiveX control, which I never feel good about) and I initiated the scan. Despite the disclaimer that it may take longer (…depending on the characteristics of your PC and the speed of your Internet connection…), the scan finished in exactly 60 seconds, and confirmed that my PC is malware-free and running up-to-date AV.

I also liked the site’s “Infex” statistics, which showed (at posting time) that more than 56% of scanned PCs were infected with malware, and 52% of those with malware had active, up-to-date antivirus software.

Ultimately the site didn’t tell me anything I didn’t already know, and while it’s hardly unique in offering a free PC scan, infectedornot.com’s effective branding and as-promised quick scan time could make it an effective marketing/awareness tool, especially for SMB users who are often hard-pressed to buy into the complexity of security.


Mobile phones carry ‘real’ virus? Nope

Even though it sounds like a plot summary to an upcoming Sarah Michelle Gellar film, Reuters is reporting that mobile phone service providers in Pakistan are getting tons of calls from panicked users. The problem? A number of subscribers received a prank message saying that they could die as a result of a dangerous virus — a real one — being transmitted via mobile phone.

Fortunately, mobile carriers have already issued a joint statement confirming that it’s all a hoax: “These rumors are completely baseless. They do not make any sense in technological terms.”

Since these things have a tendency to spread, remember folks, it’s just Friday the 13th.
