THE CYBER Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011

Purpose January 20, H Security – (International) Online banking trojan developing fast. Trojan Educate recipients of cyber events to aid in the construction kit Carberp, which first emerged in the autumn, appears to be undergoing protection of electronically stored corporate rapid development, according to reports from sources that include security services proprietary, Defense provider Seculert. An F‐Secure analyst is already calling it the rising star of the banking Department and/or Personally Identifiable trojan world. Where the first versions of Carberp were very simple in their construction, Information from compromise, espionage, newer versions are equipped with a more impressive list of features. It now runs on all insider threat and/or theft versions of Windows, including Windows 7, where, according to TrustDefender, it is able to

do its work without requiring administrator privileges. The latest version encrypts stolen This publication data prior to transfer using a random key, which the client registers with the control incorporates open source server. These functions have been added to Carberp over a period of just a few months. news articles as a training method to educate readers Source: http://www.h‐online.com/security/news/item/Online‐banking‐trojan‐developing‐ on security matters in compliance with USC Title fast‐1172452.html 17, section 107, Para a

January 20, Help Net Security – (International) malware now targets online payment Publishing Staff providers. The Zeus malware continues to evolve, diversifying away from its target bank * SA Jeanette Greene Albuquerque FBI sites and their customers, and over to sites with user credentials that allow assets that

* Scott Daughtry have a financial value. Money Bookers is an online payment provider allowing users to DTRA Counterintelligence make online payments without submitting personal information each time. Twenty‐six different Zeus configurations targeting Money Bookers have been found. This number Subscription If you wish to receive this does not fall short of some of the highly targeted banks and brands in the world. Another newsletter please send an target is Web Money. This is another online payment solution that claims to have more email to [email protected] than 12 million active users. Web Money is targeted by 13 different Zeus configurations,

with the last one released January 16. As with all the other online payment providers, Zeus Disclaimer steals log‐in information and other sensitive information of Web Money users. Source: Viewpoints contained in this document are not http://www.net‐security.org/malware_news.php?id=1600 necessarily shared by the New Mexico Counterintelligence January 20, Help Net Security – (International) Fake Facebook password change Working Group (NMCIWG) notification leads to malware. An e‐mail purportedly sent by Facebook has been hitting

NMCIWG Members inboxes around the world. An attached .zip file that supposedly contains a new password Our membership includes actually contains a backdoor that downloads a MS Word document and opens it. representatives from these agencies: 902nd MI, AFOSI, According to Avira, the document contains a few words in Russian and is written in Cyrillic. AFRL, DCIS, DOE, DSS, DTRA, FBI, ICE, Los Alamos While users are preoccupied looking at the document and figuring out what it means, a Labs, NAG, NCIS, Sandia Labs, and the U.S. fake AV solution misappropriating the name of Microsoft’s Security Essentials solution is Attorney’s office downloaded, installed on the system, and starts showing false warnings about the

computer being infected. Source: http://www.net‐ Distribution security.org/malware_news.php?id=1599 This product cannot be sent to gMail / Hotmail / Yahoo types of personal email accounts. This product can be forwarded by the recipient to email addresses within their agency / company without permission

You may freely distribute this newsletter within your organization / company / agency Page 1

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011

January 19, Government Computer News – (International) PDF vulnerability found in Blackberry Attachment Service. Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered “high” in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM‐supplied fix. The vulnerability affects BES Exchange, IMB Lotus and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES Exchange and IMB Lotus Domino versions 5.0.2 and the Exchange‐only 5.0.2 are also affected. Source: http://gcn.com/articles/2011/01/19/vulnerability‐in‐ blackberry‐attachment‐service.aspx

January 20, The Register – (International) Chinese Trojan blocks cloud‐based security defenses. A Trojan has been released that is specifically designed to disable cloud‐based anti‐virus security defenses. The Bohu blocks connections from infected Windows devices and cloud anti‐virus services. Bohu — which was spotted by anti‐virus researchers working for Microsoft in China — is hardwired to block access to cloud‐based net services from Kingsoft, Qihoo, and Rising. All three firms are based in China. The malware poses as a video codec. If installed, Bohu applies a filter that blocks traffic between the infected machines and service provider. The malware also includes routines to hide its presence on infected machines. Source: http://www.theregister.co.uk/2011/01/20/chinese_cloud_busting_trojan/

January 20, Computerworld – (International) Trapster hack may have exposed millions of iPhone, Android passwords. Millions of e‐mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android, and BlackBerry owners of police speed traps, the company announced January 19. California‐based Trapster has begun alerting its registered users and has published a short FAQ on the breach. “If you’ve registered your account with Trapster, then it’s best to assume that your e‐mail address and password were included among the compromised data,” the FAQ stated. Trapster downplayed the threat, saying it was unsure the addresses and passwords were actually harvested. “While we know that we experienced a security incident, it is not clear that the hackers successfully captured any e‐mail addresses or passwords, and we have nothing to suggest that this information has been used,” Trapster said. Source: http://www.computerworld.com/s/article/9205660/Trapster_hack_may_have_exposed_millions_of_iPhone_Andr oid_passwords

January 19, The Register – (International) Bot attacks Linux and Mac but can’t lock down its booty. Researchers from Symantec have detected a Trojan that targets Windows, Mac, and Linux computers and contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java‐based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private. The bot can force its host to take instructions through Internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim’s Facebook account, among other things. Now, Symantec researchers have uncovered weaknesses in the bot’s peer‐to‐peer functionality that allow rival criminals to remotely steal or plant files on the victim’s hard drive. That means the gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses. Source: http://www.theregister.co.uk/2011/01/19/mac_linux_bot_vulnerabilities/ You may freely distribute this newsletter within your organization / company / agency Page 2

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011

January 20, The Register – (National) WikiLeaky phone scam targets unwary in U.S. A new voicemail phishing scam uses the threat of non‐existent fines for visiting WikiLeaks to pry money out of panicked marks. Prospective marks are robo‐dialed by an automated system that states their computer and IP address “had been noted as having visited the Wikileaks site, and that there were grave consequences for this, including a $250,000 or $25,000 fine, perhaps imprisonment.” Potentially panicked victims are given a number to phone to discuss payment options. The scam, which involves the use of spoofed phone numbers, takes advantages of VoIP systems to minimize the cost of calls to crooks, who are probably using stolen access to corporate PBX systems. Source: http://www.theregister.co.uk/2011/01/20/wikileak_vishing_scam/

VLC Media Player 1.1.6 fixes critical vulnerabilities Heise Security, 24 Jan 2011: The VideoLAN project developers have announced the release of version 1.1.6 of their VLC Media Player, a free open source cross‐platform multimedia player for various audio and video formats. The seventh release of the 1.1.x branch of VLC is a maintenance and security update that includes various bug fixes and improvements. VLC 1.1.6 addresses security issues in the Real demuxer, the subtitle decoder and two previously reported critical heap corruption vulnerabilities; these are in the relatively rarely used CDG format decoder. Using VLC to play manipulated video in this format could cause heap corruption, which could in turn be exploited to inject and execute malicious code. At the time of this posting, the VideoLAN security information page has yet to be updated. Other changes include visualisation improvements for projectM and , PulseAudio output updates, faster WebM / VP8 decoding and support for audio/L24 in RTP. The update also includes fixes for Audio CD playback on Windows systems, Mac OS X SSA fontcache, as well as Qt4 and Media Keys processing improvements. More details about the update can be found in the official release announcement and on the What's new in 1.1.6 page. VLC 1.1.6 is available to download from the project's home page for Windows, Mac OS X and Linux. VLC is released under version 2 of the GNU General Public License (GPLv2). Source: http://www.h‐online.com/security/news/item/VLC‐Media‐Player‐1‐1‐6‐fixes‐ critical‐vulnerabilities‐1175821.html

Twitter scareware wave Heise Security, 21 Jan 2011: Yesterday (Thursday), an apparently large number of links leading to scareware sites were spread via Twitter. The page links were disguised using short URLs from goo.gl and advertised as "Cool", "Very Nice" or "Google's search page has done it again" in varying tweets by different users. Clicking on the link transferred users to a web site that pretended to find numerous viruses after performing a bogus scan on a Windows PC. According to the Internet Center (ISC), one of the files offered to solve the alleged problem contained the SecurityShieldFraud scareware. Once installed, the malware contacted other servers; no further functional details have so far become available. It remains unknown how many Windows users have fallen victim to the attack. Whether the attackers used hacked accounts or stolen access data to send out the links via Twitter, or exploited existing Twitter accounts on infected PCs, is yet unclear. All scareware sites discovered in connection with this attack have now been shut down. Source: http://www.h‐online.com/security/news/item/Twitter‐scareware‐wave‐1174562.html

Tech Insight: Layering Up For Malware Protection DarkReading, 21 Jan 2011: Malware has traditionally entered the enterprise through two main avenues, Web and email. In the early 2000's, email was the favorite vector for malware writers: controls were low, email was everywhere, and it was easy to convince someone to open an email and run the attachment. Attackers still use email to infect machines, of course, but also have moved to more sophisticated drive‐by downloads. They inject their malware into legitimate websites through advertising networks or by compromising the site, and unsuspecting visitors download the malware unknowingly and join the malware creator's army of infected systems. The most cost‐effective method of preventing

You may freely distribute this newsletter within your organization / company / agency Page 3

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011 and detecting this type of malware is a Web filter. Using an open‐source system such as , or purchasing an enterprise offering from Barracuda, Websense, Webroot, or others provides the ability to block known malware distribution sites and in some cases, analyze traffic for malicious content, such with M86's offering. Some tools let you provide filtering to your users even when they are off the corporate network. Desktop detection is the next most common step, and the one more organizations have invested some time and money to set up. If the Web filter misses a threat, hopefully the desktop protection will catch it. Stand‐alone anti‐virus is becoming a thing of the past, as desktop protection suites complete with buffer overflow prevention, anti‐virus, anti‐malware, and intrusion prevention are becoming more the standard. These suites allow enterprises to prevent malware from exploiting the system even if the product doesn't detect it as malware. Complex malware kits such as those for Zeus leverage multiple exploits in the OS and products to gain rights, inject malware into the system, and carry out data‐stealing tasks. Utilizing a desktop protection suite, which detects known malware as well as prevents known attacks, can increase an organization's chances of avoiding exploitation that much more. But these tools are generally not as effective when it comes to catching unknown, or zero‐day malware threats. Email attacks still employ infected attachments or open an email with malicious VBS, and increasingly direct users to URLs of sites controlled by the attacker. Web filters can help block the known malware distribution URLs, but in some cases they are behind the email‐filtering systems that are able to flag the email as spam and not even deliver it to the user. Email‐filtering capabilities have improved drastically in the past few years and enterprises now have both on‐premise and cloud offerings from companies like Barracuda, Symantec, Postini (Google), and AppRiver. These services and products prevent the malicious URL from reaching the user in the first place, and thus work no matter where the user is, or from what device the user is reading his email. Mobile phones are the newest target for attackers. Always on, always connected, and lacking security controls, these are an attacker's dream. Some platforms, such as BlackBerry, are closed and designed to be secure. The iPhone is a closed platform, but users can jailbreak it and decrease the security. The Android line of devices is considered to be the most open and also regarded as having the most risk. Products such as Lookout, Zenprise, and MobileIron provide security features and management for phones. Network monitoring using intrusion detection or network analysis tools provides insight into malware that may run rampant on your network. Snort is a free IDS that has virus, malware, and spyware signatures. By monitoring and alerting on network traffic, enterprises have a way to tell that malware has invaded the enterprise, and even though other controls may have failed, the enterprise can react and has some insight into where the malware resides. But IDS and IPS tools also can miss unknown threats. As malware has become one of the largest threats to organizations, single offerings can't keep up with all threats and protect organizations. A layered approach—although not foolproof—to protecting your organization from data theft, identity theft, and intrusion, provides the best results. Source: http://www.darkreading.com/vulnerability‐management/167901026/security/antivirus/229100009/tech‐insight‐ layering‐up‐for‐malware‐protection.html

Next‐Generation Threats: The Inside Story DarkReading, 24 Jan 2011: When Iranian President Mahmoud Ahmadinejad announced in November that the nation's nuclear program had been hit by a software attack, he confirmed what many security researchers suspected: that Stuxnet had struck, modifying key systems that controlled the motors of the centrifuges used to process uranium. Ahmadinejad downplayed the attack's impact, but security researchers think the damage is far more extensive than he let on. A steady increase in Iranian traffic to Web sites dealing with securing industrial control systems indicates that the country's IT experts are searching for an answer to a persistent threat, says Eric Byres, CTO and co‐founder of Tofino Industrial Solutions, which secures manufacturing and control systems. There's no way that the Iranians cleaned it up, says Byres. Wiping Stuxnet from one machine is easy, he says, but "on a network, it's a living hell, because it's aggressive and it spreads in so many different ways." Stuxnet, which was first identified in July, exploits four previously unknown vulnerabilities, spreading via USB memory sticks and network shares. It infects Windows systems used to manage industrial control systems, overwriting embedded controllers to sabotage those systems. Welcome to the future of You may freely distribute this newsletter within your organization / company / agency Page 4

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011 network security, where today's most sophisticated and successful attacks will be everyday challenges. Cybercriminals are likely to try to duplicate Stuxnet's ability to persist in a network and hide in embedded devices. And it's inevitable that they'll try to copy techniques used in other attacks‐‐Zeus' skill at manipulating browser sessions and Conficker's resistance to being shut down, for example. Attackers also are changing how they operate, adopting new ways to develop and disseminate attacks. Cyberespionage operations increasingly leverage social networks to find easy targets. With Operation , for instance, attackers suspected of being from China used social networks to identify employees at Google and other companies and then sent them targeted e‐mails aimed at infecting key computers at those companies. In addition, software developer communities are supporting sophisticated plug‐and‐play malware like the Zeus banking Trojan. Dynamically generated domains, à la Conficker, will make it even more difficult to take down botnet command‐and‐control networks. In the end, Stuxnet's impact on the Iranian nuclear program may be far less than its long‐term impact on the type of cyberattacks we'll have to deal with in the future. With Stuxnet, it's become less about attacks on industries like financial and power, and more about "in‐the‐weeds attacks," says Dean Turner, director of Symantec's Global Intelligence Network. "Stuxnet was targeted at the details‐‐the frequency component of a motor." Security experts have long warned that embedded control systems are vulnerable. In 2007, Department of Energy tests showed that embedded systems attacks could take control of a power company's generator and cause it to self‐ destruct. Most factories are also controlled by embedded systems and programmable logic controllers. Until Stuxnet, the danger was theoretical. Now anyone who gets their hands on the code has a blueprint for attacking embedded systems. And the code has spread widely, infecting computers worldwide. Stuxnet has provided a "crash course" in writing programmable logic controllers code, says Tofino's Byres. It's only a matter of time before we start seeing all sorts of "specialty worms" going after control systems. All components of your digital and physical systems are now at risk Embedded systems typically link physical and digital systems, so when attackers take control of them, they also get control of critical systems. In addition, code can be hidden in embedded systems, allowing attacks to persist and making it difficult to clean them up. Private companies aren't likely to remain unscathed by Stuxnet for long, says Jon Ramsey, CTO of managed security provider SecureWorks. He points to Operation Aurora as the first of the most sophisticated attacks to hit a private company. With Aurora, the attackers are saying, "Why not go after the industrial base … large corporations that have a lot of intellectual property, that are highly competitive in global markets," Ramsey says. Knowledge about these advanced attacks and the techniques they use is spreading rapidly. A major reason is that attackers have created an infrastructure of chat rooms, forums, drop boxes, and technical publications that support and expand their operations. There, they share ideas and develop areas of expertise. One group helps members hone their skills in attacking popular software. Another develops exploits to plug into popular malware. Others focus on growing and maintaining botnets to steal data. Zeus is a prime example of this specialization. The banking Trojan, which spreads via phishing and drive‐by download attacks from legitimate sites, has an ecosystem of underground programmers who create spam campaign templates that plug into Zeus and exploit kits that capitalize on specific vulnerabilities. Criminals can buy one exploit kit to attack computers running Mozilla's Firefox and another to attack Adobe Acrobat vulnerabilities. Zeus' openness has driven its popularity and dramatic increases in functionality. More than 90,000 variants of it now exist, according to Symantec. Zeus' development infrastructure lets users do more for less money, says Symantec's Turner. That's part of a trend whereby cybercriminals are becoming more efficient, optimizing their operations to get the maximum value from each compromise. Some advanced malware will remove competing and inefficient programs from the systems they infect, and even go so far as to patch those systems in order to get the most out of infected machines, says Brian Contos, director of global security strategy and risk management at McAfee. The malware uses a single computer for multiple crimes, such as stealing data and capturing log‐on credentials. Unsuspecting victims end up benefiting, too, since their machines‐‐albeit infected‐‐run better, Contos says. Attackers also are using automation to increase efficiency. Rather than attack every Internet address in the world, they focus on ones known to belong to computers that use specific vulnerable software, such as WordPress and other popular blogging platforms. Spammers buy out‐of‐the‐box spam campaigns. And bot operators use Web interfaces to monitor You may freely distribute this newsletter within your organization / company / agency Page 5

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011 and control their networks of compromised systems. Driving all this innovation in cyberattack software development, support, and infrastructure is money. Rather than sharing techniques, many cybercriminals are becoming more secretive, treating their code and approaches as intellectual property. It used to be you could go to a conference like DEF CON and people would share tools, Contos says. Not any more. Instead, they're busy developing zero‐day threats, he says, "because they want to make money."

Tomorrow's Attacks In The Making INCIDENT NEXT-GEN DESCRIPTION ATTRIBUTE

Aurora Social network Attackers use social networks and Web reconnaissance sites to go after key personnel inside target organizations. They targeted Google and other companies last year. Conficker Dynamic domains Computer worm uses calculated domain names to make it hard to eliminate. Conficker.C used a randomly selected subset of 50,000 calculated domains to connect with command-and-control servers. Stuxnet Malware targeting Attacks compromise embedded embedded controllers to take control of physical controllers devices. Stuxnet has compromised programmable logic controllers in manufacturing processes and the Iranian nuclear program. WikiLeaks Distributed denial- Attackers carry out coordinated of-service mob cyberprotests. After WikiLeaks' site was action attacked, 2,000 supporters quickly organized to attack MasterCard, Visa, and other sites using a voluntary botnet. Zeus Man-in-the-X Attack incorporates itself into the attack browser, mobile device, or other communications stream to capture and modify traffic. Zeus compromises browser communications to modify bank transaction pages on the , allowing funds to be stolen. Software Developer ecosystems have grown up development around Zeus and other attack software ecosystem to create new features and improvements. Zeus' developers have created exploit packs and out-of-the-box spam campaigns.

You may freely distribute this newsletter within your organization / company / agency Page 6

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011

Changes in how cybercriminals operate have made another type of attack‐‐cyberprotests‐‐easier to organize and execute. Recent denial‐of‐service attacks against MasterCard's, Visa's, and Amazon.com's sites, in retaliation for their refusals to do business with WikiLeaks, also offer a look at the future of cybercrime. While cyberprotests and denial‐of‐ service attacks aren't new, the technology to support them is getting better and the tools more sophisticated‐‐a trend that will continue. For example, the WikiLeaks attacks, conducted by a group known as Anonymous, used a program called the Low Orbital Ion Cannon, or LOIC. It lets any protester input an IP address and join an attack against the targeted network or system. Three factors are contributing to the effectiveness of distributed denial‐of‐service attacks, say Earl Zmijewski, VP and general manager of Internet security firm Renesys. First, the systems being attacked have more bandwidth than ever before, so attackers need to compromise fewer of them to have significant impact on a target. Second, many users continue to run old software, making it easier for attackers to take over their computers and make them part of a botnet. Third, there's still no easy fix for DoS attacks. Content distribution networks can help, but the most effective defense is to use a specialized network that filters out malicious traffic before it gets to the target's servers. Because of those three factors, botnet operators wield enormous power. Conficker, for example, compromised 6.4 million systems, giving it an aggregate bandwidth of 28 TB per second, says McAfee's Contos. "That's more than Amazon and Google combined‐‐that's massive,"he says. Threats are inserting themselves between the user and the Internet. These "man‐in‐the‐browser" attacks‐‐widely used by the Zeus banking Trojan‐‐let attackers control what users see. A user banking on a Zeus‐infected computer is led to believe he's sending his utility company $100 but, instead, $7,000 is being sent to an account in another state owned by a member of a cybercriminal network. When the user confirms the transaction, he sees only a $100 debit, while the bank receives a request to transfer the $7,000. "You never know you're defrauded until you look at it from a physical branch," says Amit Klein, CTO at banking security firm Trusteer. "Other malware used this technique first, but with Zeus, it's becoming much more widespread." Zeus and other threats are circumventing protections aimed at eliminating bank fraud, such as two‐factor authentication. Because the attack is done in real time and from the victim's PC, conventional protection fails.

You may freely distribute this newsletter within your organization / company / agency Page 7

THE CYBER SHIELD Information Technology News for Counterintelligence / Information Technology / Security Professionals 24 January 2011

Many companies assume it's enough just to comply with the security controls required by law. But compliance doesn't cut it. Advanced threats will circumvent well‐known security requirements, SecureWorks' Ramsey says. If everybody has the same technology and controls, "then the criminals are going to modify their attacks to subvert those types of defenses," he says. It was the Federal Deposit Insurance Corp.'s mandate that banks use two‐factor authentication and encryption that spurred criminals to develop Zeus to circumvent those protections. Malvertising‐‐online ads that send users who click on them to malicious sites‐‐is another example of attackers circumventing defenses. These attacks avoid firewalls by coming in over the Web. It's the No. 1 attack vector that companies see, according to SecureWorks. Conventional defenses, such as antivirus software, haven't fared well against sophisticated attacks, says Trusteer's Klein. Stuxnet may have circulated for more than a year before it was detected. Zeus regularly dodges signature‐based defenses. Companies need well‐rounded defenses, not just technology, says Symantec's Turner. "We have to start talking about how we share information online, and how we use things," he says. "Policy and implementation are as critical as the technology itself." Protecting the perimeter is key, but even that's getting more complicated as mobile consumer devices like iPads and iPhones find their way into businesses. As the line between personal and business devices blurs, Turner says, "we've increased the number of touch points that our confidential or business data has." Companies must identify their most valuable assets as well as potential threats. They need to understand the threats, what they're going to target, and how they're going to target it, SecureWorks' Ramsey says. Companies also must determine how many users and systems can access critical information, and what's worth protecting. They must implement a data classification system to identify their most valuable intellectual property and focus security dollars and people on that data, Turner says. Businesses have a much better chance of protecting a small subset of their data than trying to protect all of it equally. IT managers also can no longer ignore components on their networks that aren't computers and routers. Security researchers have shown that printers, which increasingly resemble small servers, can be used as a beachhead into corporate networks, and Stuxnet is weaseling its way in via embedded controllers. "We have to start thinking about different pieces of technology," Turner says. "Valves are an engineer's purview, and networks are the domain of an IT guy," and we have to get them speaking the same language. Companies also must focus on better detection and response. Network anomaly detection as well as intelligence services can identify attacks that have successfully found a beachhead in the corporate network, says Ramsey. But detection isn't a good defense against these attacks. "It's cheaper to keep them out than it is to clean them up, and the longer they're in, the more expensive it becomes to take control back of your IT systems," he says. And that's even more important when looking at the sophisticated attacks that will be everyday fare in the future. As Stuxnet has taught us, these programs persist longer and do more damage than ever. Ultimately, must evolve their defenses to stay a step ahead of the bad guys. This year may be the one when cybercriminals turn their attention to the Mac, a platform they've pretty much left untouched. Several articles in the Russian hacker magazine Xakep have focused on attacking Mac OS X, suggesting that eastern European hackers may be developing attacks, says Steve Santorelli, a former Scotland Yard detective and director of global outreach for security research group Team Cymru Research. Because of the dearth of threats, most Mac users don't run anti‐malware programs. "If someone comes out with a browser exploit pack next year, we're going to see a lot of people get infected," Santorelli says. "So you may end up having a Zeus for OS X." Apple's strict control of the Mac, simpler code, and better security model make it more secure than Windows. But OS X isn't fundamentally a more secure operating system than Windows 7, according to Santorelli. The reason there's only a small amount of OS X malware is because the application base is so much smaller. In 2008, computer scientist Adam O'Donnell used game theory to calculate that malware would start to be a problem for OS X when Macs accounted for about 17% of the computer installed base. Macs now comprise about 11.5% of the U.S. installed base and about 5% worldwide, according to NetMarketshare.com. Signs of interest from the criminal underground suggest that Apple users should beware. In October, a version of the Koobface virus, which spreads among Facebook users, targeted OS X users. The attack exploits vulnerabilities in Java software on the Mac to turn it into a command‐and‐control server for a botnet. Source: http://www.darkreading.com/security/vulnerabilities/229100054/next‐generation‐threats‐the‐inside‐story.html You may freely distribute this newsletter within your organization / company / agency Page 8