Hacked GOP Site Infects Visitors with Malware
The now-infamous Storm Trojan horse is using new distribution methods to attack unsuspecting victims. Where it once used e-mail attachments or embedded links in spam, it has now turned to website exploits, recently infecting PC users through a Republican party website in Wisconsin, USA.

Read More

Germany Arrests 10 in Global Internet Scam Raids
After an 18-month probe, German police have arrested 10 people in Russia, Ukraine, and Germany in connection with an international Internet scam that may have cost hundreds of thousands of Euros from victims. The accused used phishing techniques to lure bank customers into answering fake Ebay or Deutsche Telekom e-mails, and then installed a Trojan horse to record their personal data.

Read More

Great Firewall of China More Like Chain-Link Fence
Researchers at the University of California at Davis and the University of New Mexico have proven that banned terms can slip through the government-imposed firewall for Internet surfing in China. Even with the occasional slip in security, most citizens still avoid searching for banned terms and concepts for fear that their Internet activity is being monitored by the Chinese government.

Read More

Financially Motivated Malware Thrives
As malware becomes more and more lucrative, software programs are being released that allow any unskilled hacker to earn a living sending spam. In September, a group of Russian hackers released a malware kit for $200 U.S. with information on how to become a master spammer.

Read More

“We suspect an unauthorized transaction on your account.  To ensure that your account is not compromised, please click the link below and confirm your identity.”

An e-mail communication that reads like this has probably appeared in your inbox recently.  Sounds official, doesn’t it?  Judging from the header on the e-mail, a trusted source has sent it – a government agency, your bank, your Internet service provider.

What will you do?

Anytime you receive an online request for personal information, you should treat it with a healthy dose of suspicion.  What appears to be a trusted source may, in fact, not be what it claims to be.  Chances are high that you have become a target of a highly individualized and persuasive attempt to steal your personal information for malicious purposes.  Phishing, as this type of attack is called, has become increasingly common.

A phishing attack can originate when personal data is stolen. Not much is required.  Bits of data can be simple enough, such as your e-mail address, telephone number and birthday. But those bits hold the potential for creating a profile of you that can be easily expanded through access to other sources of online information.

Resumes and CVs are a reservoir of useful data.  As recently as August of this year, resumes and CVs were the target of an attack on Monster, a popular employment website.  The attack, which began with stolen login credentials, enabled hackers to gain access to the Monster site and gather the personal information of over a million of its users.  According to news agency Reuters, Monster responded by shutting the server that was used to access the information, and contacting the affected users.

But the Monster security breach was only the start of the phishing attack.

Phishing e-mails can be tailored to exploit the information at hand.  For example, a Monster user could receive an e-mail that claims to be from a recruiter.  Upon clicking a link in the e-mail, the user could be directed to a fraudulent website that looks legitimate. From there the possibilities for acquiring additional data are limitless.

Some phishing e-mails contain software that can harm your computer or others, or track your activities on the Internet without your knowledge.

How can you avoid being the victim of a phishing scam?   The U.S. government, through its OnGuardOnline.gov website and National Cyber Alert System, has some practical tips to keep you safe online.

Responding to E-mail – If you are not sure whether an e-mail is legitimate, try to verify its identity.  Contact the source directly by using any previously obtained information – telephone number or type in the correct web address – instead of using the information provided in the suspicious e-mail.

Providing Information – Do not provide personal or financial information in an e-mail, or by clicking on a link included in an e-mail. E-mail is not a secure form of communication and legitimate companies do not ask for information in that way.  Also, do not send sensitive information over the Internet before checking a website’s security policy or looking for evidence that your information is being encrypted.

To help identify a malicious website, take note of its URL and see if it uses a variation in spelling or domain (such as .com versus .net).

Checking your Records – Review your bank and credit card statements as soon as you receive them and check for unauthorized charges.  Since victims of phishing can also become victims of identity theft, check your credit report periodically to see if any new accounts have been opened in your name.

Reporting Phishing Scams – Report these by sending an e-mail to reportphishing@antiphising.org.  The Anti-Phishing Working Group, a consortium of security vendors, financial institutions and law enforcement agencies, uses that information in their fight against phishing.

Engage with a social networking site such as MySpace or Facebook, and you will undoubtedly change the way you spend your time online. Every time you visit and interact, you will leave a trace behind.  You will expand your digital footprint. As you do this, you will acquire an online identity.Your digital profile will be born.

However unassuming or grand your digital profile is, however private or public, you can be certain of one thing:  Your nuggets of information can be turned against you by hackers with malicious motives.

The tables have turned.  2006 was the year that cyber criminals shifted their attention from e-mail to web traffic.  In that year, the ScanSafe Annual Global Threat Report noted an increase in spyware of 254 percent.  The motives shifted as well.  Over 65 percent of web virus attacks in 2006 aimed at gaining a financial benefit from unsuspecting users.  Displaying technical prowess or causing online chaos was no longer the main driving factor for attacks.

It is little wonder that social networking sites, with attention grabbing headlines that by turns praise and condemn the social changes they are helping bring about, are gaining the attention of hackers looking to spread their malware.

The so-called Web 2.0 provides a grand platform from which to launch attacks.  Social network sites, wikis, blogs, chat, RSS feeds, and instant messaging are, by their open nature, fertile ground for the distribution of malware. The more freely users interact and contribute content, the more information hackers have that can be used against them.

To limit your exposure and avoid being a target, it is wise to refrain from posting information that could make you vulnerable.  This includes what others may be posting on you as well, for example, hobbies, addresses, memberships, routines, schedules, finances, employment – the possibilities are extensive.  Only post information that you feel comfortable with anyone seeing since once you do so, you will not be able to fully retract it.  Even if you remove it from a site, saved or cached versions may still exist elsewhere in the digital universe.

Just as it is important to be critical about what you post, it is also important to be critical about what you consume.  Since much of Web 2.0 content is updatable by the public, it is possible for a hacker to embed links that send users to corrupt sites where they can be tricked into other scams.  By blending with the crowd of users, hackers and cyber criminals can work underground.

Just how widespread is malware in the open Web? The ScanSafe Threat Center has found that up to one in every 600 social networking pages hosts malware.  As the number of pages continues to rise exponentially, so does the potential for malware to spread.

Dan Nadir of ScanSafe told E-Commerce Times in a recent article that many traditional security solutions are not sufficiently capable in the dynamic Web 2.0 environment.  What is required is a proactive solution, a type of real-time Web URL check.

Web pages that appear to be legitimate, can introduce malware and spyware into a network.  The challenge is to tell the legitimate from the corrupt, and it’s not always easy.  Often there’s no way to know one from another. According to Paul Henry of Secure Computing, in some cases hackers are corrupting legitimate technologies for their own gain.  For example, even HTTPS connections, which are meant to be encrypted and secure, can be used by hackers to transmit malware.

Social networking sites pose special challenges for corporations seeking to protect sensitive data and intellectual property.  According to the Reuters news agency, a July poll commissioned by Britain’s Evening Standard newspaper showed that more than two-thirds of London businesses have banned or limited employee access to Facebook and MySpace.  The clamp down comes as the sites have begun catering to professionals.  But while some believe that the sites are distracting and don’t belong in a work environment, others see them as powerful networking tools that can help the business.

Whichever side you favor, be aware that online social networking is a powerful tool and, should you choose to join, be sure to stay safe by checking a site’s privacy policy and letting common sense dictate how you participate.

By Joe Wells, CTO of Lavasoft ABCall them shortcuts. Call them rules of thumb. Call them heuristics. Herein I will call them triggers.

We all have these triggers, we all use them, and, in fact, we all need them to survive in today’s world. Robert Cialdini gives an excellent description of these triggers in his book “Influence: Science and Practice.” He writes:

“You and I exist in an extraordinarily complicated environment, easily the most rapidly moving and complex that has ever existed on this planet. To deal with it we need shortcuts. We can’t be expected to recognize and analyze all the aspects in each person, event, and situation we encounter in even one day. We haven’t the time, energy, or capacity for it. Instead we must very often use our stereotypes, our rules of thumb, to classify things according to a few key features and then to respond to them without thinking when one or another of these features is present.”¹

The above description involves good triggers; the ones we need to survive and thrive in today’s world. However, when these automatic responses are exploited against us, they become bad triggers.

The “science” of exploiting triggers is called social engineering; though it has many other names: influence, persuasion, deception, propaganda, marketing, advertising, etc. Cialdini contrasts good triggers and bad triggers:

“Most individuals in our culture have developed a set of trigger features for compliance, that is, a set of specific pieces of information that normally tell us when compliance with a request is likely to be correct and beneficial. Each of these trigger features for compliance can be used like a weapon (of influence) to stimulate people to agree to requests.”²

But if we’re dependent on automatically responding to triggers, how can we effectively recognize and counter bad triggers?

While there are other ways to counter bad triggers, I will describe one example method, which I developed. It involves adding a new, good trigger based on skepticism.

For some years now, I’ve been experimenting on my family. When watching television, I point out examples of social engineering in advertising.

Take for example, the common phrase “no product is better.” While people often take this to mean the advertised product is “best” my son now immediately points out that it means all the competing products are all equal. “If their product is the best, they’d say it’s the best.” He also triggers on specific words in claims as in “Emerging science suggests that Zap-o-Zit may reduce acne.” He often spots the phrases “results may vary” and “results not typical” in advertising’s fine print.

Such simple recognition based on skepticism has, for my family, mapped directly to our daily computer-based routines. Claims that trigger skepticism are now automatically suspect both on television or online.

Of course the key does not lie in this or any other specific method. It lies in knowing these bad triggers exist, in understanding how they work, and in methodically treating all claims with a modicum of healthy skepticism.

¹ & ² Influence: Science and Practice (4th Edition), Robert B. Cialdini, pages 7 and 17.

3 October, 2007

Great news! LiveSecurity subscribers can download new training videos every Wednesday in October, free of charge, as part of WatchGuard’s participation in National Cyber-Security Awareness Month.

To kick off this innovative passel of edutainment, the LiveSecurity analysts and writers conclude the popular Malware Analysis video series. The Malware Analysis premise is simple: you can hear about hacker attacks, read about hacker attacks, and understand the concepts behind them, but nothing ignites your understanding like seeing the attack right before your eyes. When you understand the threat, understanding the defense is much easier.

Previous Malware Analysis videos have shown the real-world malicious code and techniques behind drive-by downloads and rootkits. Now, joining the four videos that have drawn so many hundreds of emails from enthused viewers, we present a full course on (drumroll please)… botnets.

In “Malware Analysis: Botnets (Part 1),” Network Security Analyst Corey Nachreiner and his Magic White Board cover topics both beginning and advanced:

• What a “botnet” is
• How an attacker builds a bot client
• How an attacker controls and commands remote bots
• How crooks recruit an army of bots and become bot herders

…all covered in a brisk sixteen minutes.

For IT professionals who crave extra depth, we’ve also provided a video supplement to the Botnets Part 1 video. In “Bot Source Code for Overachievers,” Nachreiner provides a line-by-line tour of malicious bot code, so you can understand its modular nature.

How to get the video

Ready to understand botnets like never before? As a LiveSecurity Service subscriber, you can download the video starting today, in your choice of formats, from our fancy-shmancy Video Tutorials page. Once you have your own copy of the video, the terms of your subscription permit you to show it within your organization as much as you want. Enjoy!

Hooked on bots? In Part 2 of the Malware Analysis: Botnets series, you’ll see what attacks botnets can pull off. Watch for it on Wednesday, October 10. Then, one week later on October 17, Part 3 will tell you how to defend against the bot threat. And that’s just the beginning of the video bonanaza we’ve cooked up for National Cyber-Security Awareness Month! Watch your Inbox for further announcements of superb training materials provided to you free as a loyal LiveSecurity subscriber.

We’re working hard to provide innovative, relevant security training for you. Besides keeping the videos coming, we’ve just posted our latest episode of Radio Free Security. So thanks for your enthusiastic support of our media initiatives. Keep sending your comments and suggestions on how we can best help you, and what topics you’d like us to cover, to your.opinion.matters@watchguard.com. ##

Save the date! If your nonprofit or public library is looking to streamline the time-consuming tasks associated with fundraising and donor management, you’ll want to mark October 17 on your calendar. On that day for 8 hours only, TechSoup Stock and Telosa are pleased to offer a special discount on the Exceed!

Basic 2.0 fundraising software. Read on for more details or visit http://ga0.org/ct/spLRaAn1SSG7/.

 

Also this month, I am excited to announce the new CitySoft donation program at TechSoup Stock. CitySoft’s Community Enterprise is easy-to-use Web-based software that empowers social sector organizations to better manage their membership base, online content, and more. Details about this program and its eligibility requirements are below.

 

Finally, see what the top 10 most requested products from the Microsoft Software Donation Program are — perhaps one of them can also help your organization.

 

============================================

TELOSA SPECIAL EVENT: OCTOBER 17

============================================

Get ready for your end-of-year fundraising effort with specially discounted Telosa Exceed! Basic fundraising software!

 

For 8 hours on October 17, from 8 a.m. to 4 p.m. Pacific time

(11 a.m. to 7 p.m. Eastern time), eligible nonprofits and public libraries will be able to place orders for specially discounted Telosa Exceed! Basic fundraising software for only $90. After the special offer ends, our standard administrative fee for this offering of $299 will apply. This extra-generous discount is available for a limited time period thanks to Telosa.

 

Visit TechSoup Stock and place your request on October 17 (8 a.m. to 4 p.m. Pacific time)!

 

Learn more about this Telosa special offer at:

http://ga0.org/ct/spLRaAn1SSG7/

 

ABOUT TELOSA EXCEED! BASIC

Exceed! Basic 2.0 fundraising software enables users to streamline and automate many of the routine, time-consuming tasks associated with fundraising and donor management. As a result, nonprofits and public libraries can focus more time and resources on their missions. With Exceed! Basic, users can organize donor databases, track critical donor and gift information, efficiently communicate with donors via mailings and emailings, and generate reports to analyze fundraising campaigns.

 

ELIGIBILITY

This special offer is available to U.S. 501(c)(3) nonprofits, Canadian charitable organizations, and public libraries (U.S.

and Canada) with annual operating budgets less than or equal to US$500,000. For details on eligibility requirements, visit http://ga0.org/ct/x7LRaAn1SSGm/.

 

LEARN AT TECHSOUP

Want to learn more about using technology to improve your donor management and fundraising capabilities?

 

* Check out TechSoup’s Donor Management Toolkit:

http://ga0.org/ct/xpLRaAn1SSGE/

 

* Also take a look at our Fundraising Toolkit:

http://ga0.org/ct/31LRaAn1SSGU/

 

============================================

INTRODUCING THE CITYSOFT DONATION PROGRAM ============================================

CitySoft’s Community Enterprise is open-source enterprise software for organizations to manage their operations, communications, and fundraising. This easy-to-use, Web-based software empowers social sector organizations to better manage their constituent relationships (CRM), content (CMS), and other related activities. Community Enterprise includes more than 20 distinct modules.

 

Community Enterprise is available through TechSoup Stock for an administrative fee of $200 (compared to a retail value of $5,000), thanks to a generous donation from CitySoft.

 

Learn more about CitySoft’s Community Enterprise:

http://ga0.org/ct/21LRaAn1SSGr/

 

CitySoft is a software company serving the social sector — nonprofits, associations, and government clients. CitySoft’s donation program is meant to reach small charitable organizations that could not otherwise afford the product. It is primarily focused on 501(c)(3), religious, and educational organizations in the U.S. and Canada that have budgets of $500,000 or less.

 

Learn more about the CitySoft donation program:

http://ga0.org/ct/NdLRaAn1SSGB/

 

ELIGIBILITY

* U.S. 501(c)(3) nonprofits, Canadian Registered Charities, and public libraries (U.S. and Canada) with annual operating budgets of US$500,000. For details on eligibility requirements, visit http://ga0.org/ct/xdLRaAn1SSGj/

 

============================================

TOP 10 MICROSOFT PRODUCT DONATIONS OF 2007 ============================================

Ever wonder what donations other nonprofits are requesting? Here are the top 10 most requested products from the Microsoft Software Donation Program — perhaps one of them can help your organization as well:

 

* Microsoft Office Professional Plus 2007 - admin fee $20 vs.

retail value $499

http://ga0.org/ct/2pLRaAn1SSG5/

 

* Microsoft Project Standard 2007 - admin fee $24 vs. retail value $599 http://ga0.org/ct/w1LRaAn1SSGt/

 

* Microsoft Visio Standard 2007 - admin fee $10 vs. retail value $260 http://ga0.org/ct/wdLRaAn1SSGg/

 

* Microsoft Student with Encarta Premium 2008 (DVD) - admin fee

$2 vs. retail value $50

http://ga0.org/ct/27LRaAn1SSGv/

 

* Microsoft Expression Web 1.0 - admin fee $12 vs. retail value

$299

http://ga0.org/ct/2dLRaAn1SSGf/

 

* Microsoft Windows Vista Business Upgrade - admin fee $10 vs.

retail value $259

http://ga0.org/ct/w7LRaAn1SSGb/

 

* Microsoft Windows Server 2003 Enterprise Edition - admin fee $160 vs. retail value $3919 http://ga0.org/ct/s1LRaAn1SSGO/

 

* Microsoft Exchange Server Standard Edition 2007 - admin fee

$52 vs. retail value $1299

http://ga0.org/ct/sdLRaAn1SSGW/

 

* Microsoft Small Business Server 2003 Premium Edition - admin fee $68 vs. retail value $1692 http://ga0.org/ct/s7LRaAn1SSGI/

 

* Microsoft SQL Server 2005 Standard Edition - admin fee $240 vs. retail value $5999 http://ga0.org/ct/wpLRaAn1SSG6/

 

ELIGIBILITY: U.S. 501(c)(3) nonprofits and Canadian charitable and nonprofits organizations. For details on eligibility requirements, visit http://ga0.org/ct/x1LRaAn1SSGu/

 

PUBLIC LIBRARIES: To view products available for public libraries, visit http://ga0.org/ct/N7LRaAn1SSGX/

 

============================================

TELL A FRIEND

============================================

As a nonprofit helping other nonprofits get the technology they need, TechSoup Stock depends on your referrals to reach organizations that might not know about our service. I encourage you to take a moment and forward this email to nonprofits and libraries you know that could benefit from access to these products and savings. Since 2002, TechSoup Stock has helped over 50,000 nonprofits and public libraries take advantage of product donations.

 

============================================

QUESTIONS?

============================================

If you have questions about our donation programs that were not addressed by this email or the program pages on our Web site, please feel free to contact our Customer Service Department via email at newproducts@techsoup.org or call us at 1-800-659-3579, extension 700. TechSoup Stock Customer Service is available Monday-Friday, from 8 a.m. to 5 p.m. Pacific time. In addition, you can get answers to your questions at our online Email and Answer Center at http://ga0.org/ct/NpLRaAn1SSG4/.

 

Sincerely,

 

Rebecca Masisak

Co-CEO, CompuMentor/TechSoup

http://www.techsoup.org/stock

http://www.techsoup.org/stock/libraries (libraries start here)

 

You are receiving this email because your organization is registered at TechSoup Stock.