Posts Tagged ‘cybercrime’

February 13th, 2012

Cybercrime and Punishment

January 31st, 2012

PandaLabs Annual Report – 2011

Today we are publishing the PandaLabs annual report, an overview of the main figures and security news of the last 12 months. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be the most pervasive malware threat, and some nice stories about cybercrime and cyberwar, as well as some other information about social networks.

I really hope you enjoy it; you can download the report here.


January 19th, 2012

The Rise of the Ransomware

In recent months we have seen an increase in ransomware attacks. The first ones we saw posed as Microsoft, threatening the user by claiming that a pirated version of Windows had been detected and that local law enforcement agencies would be contacted if the fine was not paid; the new ones pose as those very same law enforcement agencies.

While we are used to seeing this kind of fake message in English, in this case the attacks are localized: we have seen English, German, Spanish and Dutch versions (among others), depending on the targeted country. All of the attacks target European countries, so it looks like they are all related and the same cybercriminal gang could be behind them.

The latest one appeared a couple of days ago, this time targeting Spain. The file uses the following Internet meme as its icon:

Once infected, this is what you will see on your desktop:

The message says that access to illegal material (such as child pornography and spam about terrorism) has been detected from that computer, and that the computer will be locked to prevent such use. To solve that you have to pay a fine of €100:

The worst thing for the user is that it actually blocks the computer, so it is not easy to remove. To remove it, restart the computer in safe mode and run a scan with an antivirus solution that is able to detect it.

These are different examples we have seen in the last months:

English

Italian

Dutch

German

Spanish


January 18th, 2012

Zappos.com breach – lessons learned

We read that Zappos.com was breached on Sunday, to the tune of 24+ million users’ worth of information. But it seems at first blush they responded well. Of course, a company would hope to never have a breach at all, but when it happened at Zappos.com, here are some of the things they appear to have done right.

#1 – Notify your customers quickly: It may seem obvious, but more than a few companies that have breaches are slow to admit it. In this case, the Zappos CEO sent out an internal email describing the breach details that were relevant, along with outlining steps they planned on taking to remedy the breach. This was followed by a notification email sent to the users affected.

#2 – Reveal the extent of the breach: Zappos.com outlined in the customer notification email the extent of information that may have been compromised, and what appeared to have been safe. They said in their communication “The database that stores your critical credit card and other payment data was NOT affected or accessed.”

#3 – What they’re doing to protect you: Zappos.com outlined specific details about how customers could protect themselves, in this case by changing a password. Even though the passwords that may have been accessed were “scrambled”, if users changed them quickly, the black market value of the passwords would be significantly reduced. Also, it would hinder further attempts to access personal data using the existing passwords.

#4 – Tell users where to find more information: They put up a special website to disseminate information as it becomes available. This does two things: 1) establishes a central clearinghouse for relevant information, and 2) reduces the repetitiveness of the requests their support staff may receive.

#5 – Beef up incident response staff: Speaking of support personnel to handle incident management, Zappos asked employees, regardless of department, to assist with offloading the burden of the sheer number of breach-related communications they anticipated receiving in response to the situation.

In short, they handled this better than many. Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident. Still, restoring confidence can take years, but this style of communication can make things much better. In 2012 we hope to see fewer breaches, but it also may be wise to determine internally how your company would respond to a breach, what you would tell your customers, and what extra staff you might need to handle the extra support involved.


December 29th, 2011

Stratfor hack – lessons learned

Recently we noted that unencrypted credit card storage was on the rise in 2011, and also highlighted the expense involved to the company in the event of a credit card breach. Now we see personal data – including unencrypted credit card information – being paraded out as a part of the recent Stratfor hack.

Also, we note the hackers say they used a dictionary attack to crack the passwords that were leaked. One of the leaked passwords was – you guessed it – “password”, and another only slightly more complex “Password1”, trivial for dictionary-based attacks to crack.

Now Stratfor has begun the long, slow process of rebuilding trust. It has tapped CSID, an identity protection firm, for help; CSID has offered 12 months of free identity protection for those affected. Free to the affected users, not free to Stratfor. Breach costs can rise fast and reach lofty heights quickly. Also, the upfront costs of the immediate remediation are only part of the equation, with customer confidence and bad publicity lingering for months or years after the events. Organizations that respond quickly and proactively tend to do better at restoring confidence, but it still takes its toll.

Since Stratfor was involved in the intelligence community, it may also serve as a reminder for those in trusted sectors to run through a year-end check to make sure the basics are in place. It might be a good time to revisit the password complexity and update frequency policy. Also, taking time to encrypt your credit card data seems like good insurance. Both of these are far cheaper and less embarrassing than being paraded about as the latest victim of a breach, and won’t impact next year’s budget much at all. But they will impact your peace of mind, knowing the protections are in place. It would certainly be a good way to start the new year.


December 21st, 2011

2012 Predictions: More mobile malware and localized attacks

I want to share with you what ESET Latin America’s Research team thinks will be the main trends in malware and cybercrime in 2012. In our office it is usual to produce an analysis of emerging trends in a year-end report and so, in keeping with recent postings by my ESET colleagues, I present a summary of the report we published a few days ago entitled (translated from Spanish, of course): “Trends for 2012: mobile malware”.

December 1st, 2011

Lawyers go back to school for cybercrime

Citing a “serious lack” of attorney expertise in prosecuting cybercrime, New Jersey Prosecutor John Molinelli decided it was time for attorneys to go back to school. He states, “There was a serious lack of prosecuting attorneys – there’s probably a lack of attorneys, in general, who really know this area,” and decided to do something about it. Using a piece of the asset forfeiture regulations that allow a percentage of the proceeds from the sale of forfeited assets from drug dealers, money launderers and other criminals to be allocated for educational purposes, he set to work.

John, along with colleague Seton Hall University law professor David Opderbeck, decided to approach Rutgers School of Law-Newark about putting together what became the Cybersecurity Law Project, funded with the spoils of the forfeitures. The idea stuck.

While many members of the legal system are closet (or not-so-closet) techies, according to John “they don’t really know how to connect that to the policy and legal space, and part of that is because part of the policy and legal space is still evolving under our noses.”

Watching cybercrime legislation and corresponding education efforts these days is an exercise in hitting a fast-moving target. As senior legislators wrangle with effective ways to limit damage being meted out by cyber criminals, documented daily in news headlines, while also trying to keep step with angered constituents, they have their hands full. Similarly, education efforts that need to move fast are struggling to keep up.

Hopeful that the idea spreads out to other universities, Mr. Molinelli is happy to see progress. Many of the cyber realms of the future still need to be considered in the courts. For example, “How are the kinds of problems you might face in the brick-and-mortar world made different, amplified, made more difficult, by virtue of the cyber environment?”

While supporting (and evolving) case law for future cyber legal action plods through the court system, cybercrime races ahead. Expect there to be significant pressure on the courts for more expedient legal action against cybercrime. This should establish case law to be used in future prosecutions. But many of the current case law examples that attempt to extend into cyberspace fall short. Issues like mass surveillance, privacy aspects of mobile devices and social networking practices, and legal limits to tracking technologies all have serious, compelling and far-reaching implications, now and in the future. Complex issues like these are inherently resistant to being fast-tracked through a court that has checks and balances. And maybe that is as it should be: these issues will be the subject of some of the defining legislation of the coming (and current) generation, so we have to get it right.


November 22nd, 2011

US Pentagon: it’s official, military response to cyber attacks

A while back we noticed signals from the US Pentagon that they were considering the possibility of a traditional military response to cyber attacks on US physical infrastructure. Basically, a cyber attack on infrastructure could be considered an act of war. We now see the official report released, confirming this.

The report states, “When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we reserve the right to use all necessary means—diplomatic, informational, military, and economic—to defend our Nation, our Allies, our partners, and our interests.” Basically, they will be treating cyber attacks like any other act of aggression.

The language here is interesting for several reasons. First, it reserves the right to defend, not just the nation, but various other related interests as well. That seems like a pretty wide net as defined in the document. As written, it covers the use of proxy force if it meets the burden of being in “our interests.”

Speaking of proxies, chained multiple proxies used to anonymize the origin of the cyber attack traffic could lead efforts at attribution on wild goose chases that could span the globe. If a bad actor is bent on causing larger nations to clobber each other (regardless of reason), this would seem to be low-hanging fruit of the network underworld. Certainly it’s less difficult to scrape up some servers and a laptop as a C&C, than a pallet of black market missiles. After all, the Pentagon says it sees millions of hacking attempts every day, so obviously various folks are poking a toe in the water.

In the best of cases, assigning attribution with the degree of certainty necessary for public support of a traditional military response promises to be a tough test. We have yet to see a test case, but the Pentagon says they are working on it, “Continuing to improve our ability to attribute attacks is a key to military response options.” Easier said than done.

The report continues, “Deterrence in cyberspace, as with other domains, relies on two principal mechanisms: denying an adversary’s objectives and, if necessary, imposing costs on an adversary for aggression.” While not language of pre-emption, it certainly strikes a potentially aggressive tone.

Also, a stance like this might have a me-too effect on other nations struggling with similar issues relative to protecting critical networks and information. One can only wonder if this will usher in a fresh new arms race, this time not governed by the number of missiles, tanks, ships and planes, but by networks, hackers, bandwidth and street-smart young kids to run the whole thing.

And what about aligning aggressive acts along national borders? Acts of cyber aggression are often carried out by communities of interest, not always groups within a certain national border, so would a military response leveled against a nation as a physical attack work? This has been a long-running discussion, centering especially on hacktivism groups. But what country would the US attack against that style of group?

These questions (and others) will be entering the radar of public discussion as we grapple with how to deal with potential nasty state (or otherwise) actors who seek real harm to basically peaceful civilian infrastructure. To be sure, the world is filled with billions of people who want basic security and safety for themselves and the ones they love. Unfortunately, it also contains a handful of cyber nut cases. So how should we deal with the few bad actors when they get a little crazy and try widespread cyber destruction? These are major questions of the day, and for the coming generation.


November 15th, 2011

AVAR Hong Kong security conference 2011 – in 30 seconds

Well, okay, if you happen to be an extremely fast reader. The Association of Anti Virus Asia Researchers’ (AVAR) 14th AVAR Conference just wrapped up in Hong Kong on Friday. This year, the focus was on security issues in and around the emerging Asian security market, and how to rise to the challenge. As one speaker related, there is a very small percentage of internet users who have been educated and act securely online. As emerging markets surge into the online fray, the pace of new users far outstrips the pace of educated/secure users on the Internet as a whole, so the challenges are huge.

The conference (principally sponsored by ESET & Microsoft) started out with a keynote from Roy Ko, with ASCERT, with points about getting the latest notifications out to the community in a timely manner. Other talks centered around mobile malware, reverse engineering various new malware hitting the streets, including EFI (Extensible Firmware Interface) “bootkit” malware and others targeting various platforms, such as Mac. Google image poisoning also got dissected, as BHSEO makes its way into Google image search results, a disturbing trend. Malware obfuscation techniques were discussed, along with reverse engineering exploit kits. Industry cross-collaboration & multi-scanning was highlighted from the folks at OPSWAT, following an announcement that ESET will also collaborate with them.

The overarching tone of the event was really centered around educating the next generation of Internet users to stay safe online (including my presentation on future education systems with embedded intelligence). As mobile platforms hit the streets en masse, with new and more powerful processors, users and organizations will continually have to grapple with security in new ways. This conference highlighted some of the current and future threats in ways that gave all the major players in the field some substantive food-for-thought for how we will all meet the challenge. If you were there, you enjoyed it. If not, there’s always next year, see you then!


October 29th, 2011

Eugene Kaspersky addresses Council of Europe conference on cybercrime

Kaspersky Lab, a leading developer of secure content management solutions, announces that its CEO and co-founder Eugene Kaspersky addressed the international conference Cooperation against Cybercrime
