Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

SSH keys and SSL certificates at risk from new Debian OpenSSL flaw

If you’re an SSH and Linux user, this is not a good week for you. Not only did Debian announce that a flaw in its OpenSSL implementation allows attackers to easily guess cryptographic keys, but HD Moore has now posted a list of SSH keys that he was able to brute-force by reverse engineering the blacklisted keyspace that Debian published. Oh, and there is also a large spike in the volume of active SSH probes at networks around the world, which may or may not be related to the Debian situation.

The OpenSSL flaw is the more serious of the two problems at this point, with experts recommending that affected users regenerate both their SSH keys and their SSL certificates immediately. The bottom line with this vulnerability is that any SSH key or SSL certificate generated between September 2006 and May 13, 2008, should be considered compromised.

“The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser,” the folks at the Internet Storm Center wrote in a post about the problem. “Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.”

The increase in SSH probes seems to be a separate issue at this point, as those brute-force attempts mostly involve password guessing. A number of posts on the Unisog security mailing list described spikes of 10 or 20 times the normal number of login attempts per day, beginning sometime in April. These attacks are mainly classic dictionary attacks, in which the attacker runs a script that attempts a remote login to an SSH server using a large list of possible passwords.
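The dictionary attacks described above leave a very recognizable trail in sshd logs: one source address, many usernames, many failures in a short window. The following is an added example (not code from the post) that parses a handful of constructed sshd log lines, counts failed logins per day so a 10x or 20x jump like the ones reported to Unisog stands out, and flags sources whose failures look like a password-guessing run. The thresholds and the log lines are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines for illustration (not taken from any real host).
SAMPLE_AUTH_LOG = """\
Apr 14 02:11:03 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 14 02:11:05 host sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Apr 14 02:11:07 host sshd[2215]: Failed password for root from 203.0.113.5 port 51244 ssh2
Apr 14 02:11:09 host sshd[2217]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Apr 14 02:11:11 host sshd[2219]: Failed password for invalid user guest from 203.0.113.5 port 51256 ssh2
Apr 14 02:11:13 host sshd[2221]: Failed password for invalid user postgres from 203.0.113.5 port 51260 ssh2
Apr 14 03:40:20 host sshd[2301]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Apr 14 03:40:31 host sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2
Apr 15 09:00:00 host sshd[2400]: Failed password for invalid user admin from 192.0.2.9 port 33333 ssh2
"""

# Matches the classic syslog-format "Failed password" line; the day may be padded with two spaces.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (day, user, ip) tuples, one per failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = f"{m['month']} {int(m['day']):02d}"
            failures.append((day, m["user"], m["ip"]))
    return failures


def failures_per_day(failures):
    """Daily failure counts, the series to compare against a normal baseline."""
    return Counter(day for day, _, _ in failures)


def dictionary_attack_sources(failures, min_failures=5, min_distinct_users=3):
    """Flag source IPs with many failures spread over many usernames.

    A legitimate user mistyping a password fails against one account; a
    dictionary script walks through admin, oracle, root, test and so on.
    """
    by_ip = defaultdict(list)
    for _, user, ip in failures:
        by_ip[ip].append(user)
    flagged = {}
    for ip, users in by_ip.items():
        if len(users) >= min_failures and len(set(users)) >= min_distinct_users:
            flagged[ip] = {"attempts": len(users), "distinct_users": len(set(users))}
    return flagged


def spike_days(per_day, baseline_per_day, factor=10):
    """Days whose failure count is at least `factor` times the usual daily count."""
    return sorted(day for day, n in per_day.items() if n >= factor * baseline_per_day)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    print("failures per day:", dict(failures_per_day(fails)))
    print("spike days (baseline 0.5/day):", spike_days(failures_per_day(fails), 0.5))
    print("dictionary-attack sources:", dictionary_attack_sources(fails))
```

Feed it a real `/var/log/auth.log` (or the output of `journalctl -u ssh`) in place of the constructed text; the baseline should come from a quiet week on the same host rather than a guess.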

In other words, run, don’t walk, to the console and update those keys and certificates. If the good guys have already developed scripts and tools for brute-forcing the keys, you have to assume the crackers have as well.
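The practical question for an administrator is which keys in `authorized_keys` came out of the predictable Debian keyspace. The following is an added example, not code from the post or from Debian: it parses OpenSSH public key lines, computes the MD5 fingerprint that `ssh-keygen -l` printed at the time, and reports entries whose fingerprint is on a blacklist. The key blobs and the blacklist are constructed here for illustration; a real check would load Debian's published blacklist files instead, and the lines are assumed to have no options prefix.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(data)) + data


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n.

    The key material is constructed for illustration; these are not real keys.
    """
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # spare leading zero keeps it positive
        return ssh_string(raw)
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the raw key blob."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64)
        # The blob's first field repeats the key type; a mismatch means a malformed line.
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen].decode() != keytype:
            raise ValueError(f"key type mismatch in entry {comment!r}")
        yield keytype, blob, comment


def find_blacklisted(text: str, blacklist: set):
    """Return the comments of keys whose fingerprint appears in the blacklist."""
    return [comment for _, blob, comment in parse_authorized_keys(text)
            if md5_fingerprint(blob) in blacklist]


# Constructed keys: the "weak" one stands in for a key from the predictable keyspace.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = make_rsa_blob(65537, 0xDEADBEEF0123456789ABCDEF)

# Constructed blacklist of fingerprints, standing in for Debian's published blacklist files.
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the deploy user (constructed sample)",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " deploy@etch-box",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " alice@laptop",
])

if __name__ == "__main__":
    for comment in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("blacklisted key, regenerate and replace:", comment)
```

The same fingerprint routine applies to host keys in `/etc/ssh` and to `known_hosts` entries; the SSL side has no equivalent shortcut, which is why the advice for certificates is simply to reissue anything generated on an affected box.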

Srizbi botnet is the biggest, but does size matter?

Security vendor Marshal says the Srizbi botnet has grown to be the world’s largest spam botnet, outpacing the Storm Trojan in sending unwanted email and compromising computers. Srizbi now accounts for half of all spam. In comparison, Storm accounted for 20% of all spam at its peak.

According to figures released by Marshal’s research team, Srizbi has compromised more than 300,000 machines and sends more than 60 billion spam messages per day. The botnet is also spreading malware, using social engineering tactics to get computer users to click on a malicious link in the spam email.

Marshal points to efforts to combat the Storm botnet as the reason for its decline. Microsoft’s Malicious Software Removal Tool has been successful in slowing Storm.

What is clear now is that no botnet has a firm footing as the number one player on the block. Marshal said the Storm botnet was outpaced in January by the Mega-D botnet, otherwise known as Ozdok. Srizbi grew strong enough to be recognized in February.

Other researchers, Damballa for example, are tracking far more malicious botnets. Kraken has been spreading dangerous malware and is more sophisticated, allowing its maker to evade detection by simply moving its command and control function to another domain in a hard-coded list.

Damballa saw more than 400,000 unique infected IP addresses on one day in March, with the number continuing to trend upward from about 300,000 in early March.

Which botnet is the biggest? It depends on what month and which security research team you talk to. I’m not sure it really matters.

New SQL injection worm making the rounds

The trend toward large-scale attacks against Web sites through the use of SQL injection is continuing, as experts at both the SANS Internet Storm Center and Shadowserver Foundation are tracking a newly discovered SQL injection worm that appears to be exploiting a RealPlayer flaw and dropping malware on vulnerable sites. The attacks are focusing on ASP pages and are using the familiar iFrame exploitation method that has been involved in a number of the recent mass SQL injection attacks. When a visitor’s vulnerable PC is successfully exploited, the infected Web site installs a binary on it. The analysis of the attack done by the folks at Shadowserver shows that the binary is named “test.exe” and is just one link in a long chain of downloaders and malware.

“This binary that is downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next. In our instance it [tells it] to download yet another file and to report in to a URL,” the Shadowserver analysis says.

Fun for the whole family. Shadowserver also has a good list of some of the malicious sites and IP addresses that are serving the malware, for your filtering pleasure.
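Two things a site owner wants to know after reading about these mass SQL injection worms: whether the injected iframe is already sitting in their database, and whether their own query code is the kind that lets it in. The following is an added example, not code from the post or from Shadowserver, using an in-memory SQLite table with constructed rows: one function scans stored page bodies for iframe or script tags that load from an external source, and the vulnerable string-concatenation lookup is shown next to its parameterized replacement so the difference in behaviour on hostile input is visible. Table name, columns and the probe string are assumptions.

```python
import re
import sqlite3

# Constructed content rows; row 2 carries the kind of markup a mass SQL injection worm appends.
CONSTRUCTED_ROWS = [
    (1, "Welcome", "<p>Thanks for visiting our store.</p>"),
    (2, "Specials", "<p>This week's deals.</p>"
                    "<iframe src=\"http://malicious.example/t.js\" width=0 height=0></iframe>"),
    (3, "Contact", "<p>Email us at <a href=\"mailto:info@shop.example\">info</a>.</p>"),
]

# An iframe or script element that pulls content from somewhere via src=...
INJECTED_MARKUP = re.compile(r"<(?:iframe|script)\b[^>]*\bsrc\s*=", re.IGNORECASE)


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def scan_for_injected_markup(conn):
    """Return ids of rows whose body contains an iframe/script tag with an external src."""
    return [row_id for row_id, body in conn.execute("SELECT id, body FROM pages")
            if INJECTED_MARKUP.search(body)]


def unsafe_lookup(conn, title):
    """The vulnerable pattern: user input concatenated straight into the SQL text."""
    sql = "SELECT id FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, title):
    """Parameterized query: the input is bound as a value and can never become SQL."""
    return [row[0] for row in conn.execute("SELECT id FROM pages WHERE title = ?", (title,))]


if __name__ == "__main__":
    conn = build_db()
    print("rows carrying injected markup:", scan_for_injected_markup(conn))
    probe = "' OR '1'='1"  # constructed probe: a tautology that changes the unsafe query's meaning
    print("unsafe lookup returns:", unsafe_lookup(conn, probe))  # every row
    print("safe lookup returns:", safe_lookup(conn, probe))      # nothing: no page has that title
```

The scan is a cheap thing to run against production text columns after an incident report like this one; the parameterized form is the fix that keeps the worm's statement from ever reaching the database as code.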

Spammers exploit social networking sites

Users of social networking sites may be irritated to find that an increasing number of invitations to be a friend or contact turn out to be ads.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer will create a profile, which includes a link to a porn or dating site, then invites a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”

Why lateral SQL injection and NULL pointer attacks matter

There has been a lot of interesting work going on in the research community of late on a handful of really specialized and esoteric application attacks, like Mark Dowd’s NULL pointer attack and David Litchfield’s lateral SQL injection technique. These two methods have a few things in common, specifically the fact that they both exploit things that were thought to be unexploitable. One other similarity is that some people seem to be dismissing these techniques as theoretical or purely academic thought exercises that will never see the light of day. Proponents of this line of thinking say that enterprises don’t need to worry about crazy, multi-step attacks that are hard to understand. It’s things like buffer overflows and worms that really need your attention, they say.

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in the Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.

Sophos: Sharp rise in Web threats

The Web now hosts an “unprecedented” number of threats, according to a report recently released by Sophos. In the first quarter of this year, Sophos researchers discovered a newly infected Web page every five seconds, three times more than last year.

What’s especially unsettling is that a whopping 79% of these sites are legitimate ones that have been hacked. Sophos cites a March attack on a European soccer ticket site that tried to infect visitors’ computers and a February attack on UK broadcaster ITV that targeted Windows and Mac users. The top two malware threats found on the Web, Mal/Iframe and Mal/ObfJS, are used by criminals to infect Web sites by exploiting vulnerabilities, according to Sophos, a maker of antivirus software and other products.

The U.S. was the top country hosting Web-based malware in the first quarter. This year, it was responsible for hosting 42% of infected websites, up from last year, when it hosted less than 25%.

But while the number of infected Web pages is up this year, Sophos researchers tracked a decrease in the number of infected emails. One in every 2,500 emails was infected, a 40% drop from last year. Instead of sending a malicious attachment, criminals are sending links to compromised websites.

Cybercriminals use Beijing Olympics in Trojan attacks

We’ve seen the protests in the streets, but now MessageLabs is warning that it has tracked 13 Olympic-themed attacks, designed to spread malware and ultimately steal data.

The attacks are originating from IP addresses in Asia, but there are no surprises here. The attackers are using social engineering to trick end users into clicking on a malicious link in an email message.

I was in San Francisco, attending RSA Conference 2008 when the Olympic torch was carried through the streets. All the security detail had to do to avoid protestors was to change the running route at the last minute. Unfortunately there’s no real “safe zone” in cyberspace.

Messages are being sent with legitimate-sounding subject titles such as “The Beijing 2008 Torch Relay” and “National Olympic Committee and Ticket Sales Agents,” MessageLabs said. Some attacks purport to be from the International Olympic Committee, based in Lausanne Switzerland.

Let’s be honest here, these guys aren’t protesting the Beijing Olympics, they’re trying to steal identities and make a quick buck. They’re also doing a good job staying under the radar, according to MessageLabs. They’re using Microsoft Office Database (MDB) files–usually hidden within ZIP files–in order to avoid detection by traditional antivirus engines.
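Hiding an MDB inside a ZIP only works against a filter that trusts file names. The following is an added example, not code from the post or from MessageLabs, that opens a constructed ZIP attachment in memory and reports members that are Access database files by content, regardless of what extension they carry. It assumes the Jet header layout as I know it (the string "Standard Jet DB" at offset 4, or "Standard ACE DB" for newer files); the archive and its members are constructed for illustration.

```python
import io
import zipfile

# Access database headers carry one of these strings at offset 4 (assumed Jet/ACE header layout).
JET_MAGIC = b"Standard Jet DB"
ACE_MAGIC = b"Standard ACE DB"
DB_EXTENSIONS = (".mdb", ".accdb")


def looks_like_access_db(head: bytes) -> bool:
    """True if the first bytes of a file carry the Jet or ACE database signature."""
    return JET_MAGIC in head[:32] or ACE_MAGIC in head[:32]


def suspicious_members(zip_bytes: bytes):
    """Return names of archive members that are Access databases by content or by extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # only the header is needed for the signature check
            if looks_like_access_db(head) or info.filename.lower().endswith(DB_EXTENSIONS):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed attachment: a benign text file plus a fake MDB renamed to look like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Torch_Relay_Schedule.txt", "The Beijing 2008 Torch Relay schedule (constructed)")
        fake_mdb = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" + b"\x00" * 100
        zf.writestr("Ticket_Sales_Agents.doc", fake_mdb)
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_members(build_sample_zip()):
        print("Access database found inside attachment:", name)
```

On a mail gateway the same check would run over each decoded attachment before the antivirus scan, so that a renamed database is at least logged even when no engine has a signature for whatever the file contains.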

IBM Phantom to analyze virtual security

IBM’s X-Force security research team and IBM Research are studying ways to protect virtual computing environments. Code named Phantom, the research project has been ongoing and could result in new products and best practices designed to leverage the hypervisor to improve security. In this interview at RSA 2008, Joshua Corman, principal security strategist with IBM’s ISS team, explains Project Phantom and how IBM says it could help alleviate some of the risks associated with virtual environments.

Fighting security FUD

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed the reports could actually have the opposite effect by pointing out the futility of security products to stop attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort would it take to be in a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Flaw fixes for Firefox, Mac

A couple of notable security fixes to flag this morning:

First, Apple has patched the Safari Web browser flaw that famously earned a researcher $10,000 at the CanSecWest conference last month. Independent Security Evaluators researcher Charlie Miller used the vulnerability to compromise a MacBook Air laptop. The flaw is rooted in WebKit, the open-source HTML rendering engine that Safari and several other Mac OS X programs use.

Next, Mozilla has released Firefox 2.0.0.14, fixing a critical security hole in the JavaScript engine of Firefox. The advisory said, “Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”