Zeus Attached To Cancer Email Scam

Thousands of email users have been hit by a sick cancer email hoax that aims to infect the recipients’ computers with Zeus malware.

The email has already hit thousands of inboxes across the UK, and looks like it was sent by the National Institute for Health and Care Excellence (NICE). It features the subject line “Important blood analysis result”.

However, NICE has warned that it did not send the malicious emails, and is urging users not to open them.

NICE chief executive Sir Andrew Dillon said, “A spam email purporting to come from NICE is being sent to members of the public regarding cancer test results.

“This email is likely to cause distress to recipients since it advises that ‘test results’ indicate they may have cancer. This malicious email is not from NICE and we are currently investigating its origin. We take this matter very seriously and have reported it to the police.”

The hoax message requests that users download an attachment that purportedly contains the results of the faux blood analysis.

Security analysis firm Appriver has since claimed that the scam email is carrying Zeus malware that if installed will attempt to steal users’ credentials and take over their PCs.

Appriver senior security specialist Fred Touchette warned, “If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen.

“What they won’t see is the downloader then taking control of their PC. It immediately begins checking to see if it is being analysed, by making long sleep calls, and checking to see if it is running virtually or in a debugger.

“Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server at 69.76.179.74 with the command /ppp/ta.php, and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400.”

Source

Will Google’s Project Shield Work?

Google has opened Project Shield, its service for small websites that don’t have the forces to repel denial of service attacks that might come their way.

Google introduced the service on Google+, saying that it is aimed at websites that might otherwise be at risk of online disruption.

“Project Shield, [is] an initiative that enables people to use Google’s technology to better protect websites that might otherwise have been taken offline by “distributed denial of service” (DDoS) attacks. We’re currently inviting webmasters serving independent news, human rights, and elections-related content to apply to join our next round of trusted testers,” it said.

“Over the last year, Project Shield has been successfully used by a number of trusted testers, including Balatarin, a Persian-language social and political blog, and Aymta , a website providing early-warning of scud missiles to people in Syria. Project Shield was also used to protect the election monitoring service in Kenya, which was the first time their site stayed up throughout an election cycle.”

Interested websites should visit the Google Project Shield page and request an invitation to the experience. They should not try to do the same at Nvidia’s website, as they will probably just come away with a handheld games console. This will not offer much assistance against DDoS attacks.

According to a video shared by Google last night, Project Shield works by combining the firm’s DDoS mitigation technologies and Page Speed Service (PSS).

Source

Twitter’s Authentication Has Vulnerabilities

Twitter’s SMS-based, two-factor authentication feature could be abused to lock users who have not enabled it for their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.

Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users’ accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.

According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don’t have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.

An attacker who steals someone’s log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person’s account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won’t be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.

This is possible because Twitter doesn’t use any additional method to verify that whoever has access to an account via Twitter’s website is also authorized to enable two-factor authentication.

When the two-factor authentication option called “Account Security” is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click “yes,” even if they didn’t receive the message, Sullivan said.

Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.

As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.

Some security researchers already expressed their belief that Twitter’s two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.

Twitter did not immediately respond to a request for comment regarding the issue described by Sullivan.

Source

USA In Danger Of Cyber Experts Shortage

Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it extremely difficult to keep corporate and government networks safe at a time when attacks are on the rise.

Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.

“We don’t have enough security professionals and that’s a big issue. What I would tell you is it’s going to be a bigger issue from a national security perspective than people realize,” he said on Tuesday.

Jeff Moss, a prominent hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said that it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task.

“If you really look at security, it’s like trying to prove a negative. If you do security well, nobody comes and says ‘good job.’ You only get called when things go wrong.”

The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.

Moss, who goes by the hacker name “Dark Tangent,” said that he sees no end to the labor shortage.

Source…