Enabling Secure Business Operations

Trojan

January 28th, 2007

TomTom, makers of a popular (if over-advertised) GPS navigation device, have admitted to a UK security journalist that a number of TomTom GO 910 units shipped with two trojans pre-installed.

“It has come to our attention that a small, isolated number of TomTom GO 910’s, produced between September and November 2006, may be infected with a virus. The virus is qualified as low risk and can be removed safely with virus scanning software. Appropriate actions have been taken to make sure this is prevented from happening again in the future.”

Seriously, folks. Every single software distributor should have anti-virus installed and updated on every single machine, as a matter of standard policy. The bad PR, combined with the cost of returns and helpdesk calls, costs way more than corporate anti-virus solutions.

A Lesson From the Bad Guys

January 25th, 2007

The bad guys are joining forces.

Aleksey Kamardin reaped $13,158 in just 104 minutes buying and selling penny stocks.

The 21-year-old bought 43,000 shares in a small Wisconsin equipment company that makes, among other things, potato harvesters. He sold the shares less than two hours later at nearly double the investment.

Kamardin and his accomplices allegedly hacked into four online trading accounts of unsuspecting investors, selling off their holdings in higher-valued companies to purchase shares in Thomas Equipment, a firm whose stock that day soared from 26 cents to 80 cents a share, authorities said. The trading volume of Thomas increased tenfold.

Kamardin, allegedly part of an East European ring, repeated this scheme on 13 other occasions in July and August, defrauding investors of $82,960, according to a civil complaint filed yesterday by the Securities and Exchange Commission.

Remember “cyber-criminal” is two words. The “cyber” part is this kid Kamardin, the “criminal” part is the reason he is sitting in Russia right now and doesn’t have to worry about extradition.

The worst part? He can continue attacks against people in the US (where he just fled from) and all over the world, with all of the backing and financing he could need. This is something unique to cyberspace. You can commit a crime, flee the scene as it were, then attack the scene again – but this time remotely.

Extradition laws and global standards defining what constitutes a cybercrime and the penalties for each one will help a lot.

But what we ‘good guys and gals’ really need to do is take a cue from those hackers gone bad. We need backing and financing too; too often IT security is the first thing cut from the budget and the thing that draws the most groans from the business and marketing people.

By focusing spending on smart prevention rather than throwing money around after the fact on ineffective make-people-feel-better security measures, everyone saves in the long run. It helps consumers by protecting their money and privacy, businesses by bolstering public confidence in online commerce, and makes committing crime all the more expensive for criminals.

See, right now what we have is the reverse. The bad guys use a small amount of money (for them) to pay an opportunistic kid with some computer skills to make them a wad of cash (and take the fall if he/she fails). What the business side does after an attack is pay for the cleanup, pay back the customers all of the money they were robbed of, and get forced into a public relations nightmare. Public relations are expensive, period.

So who is being more efficient here?

Businesses should take a lesson from the bad guys: some money and smarts beforehand forces the other side to spend much more money to counter.

And yes, there is a back-and-forth going on here, but the proactive side always has the advantage. Right now cyber security is the punching bag that tries to beat the boxer by wearing the boxer down. We try to change the punching bag from time to time making it thicker each time.

Imagine how much more effective (and cheaper) it would be to hire a boxer to fight the boxers?

...and yes, 2007 isn’t off to a great start…

150 Million Computers Part of Botnets

January 25th, 2007

Most people whose computers have been compromised don’t know it. So long as the machine works, users don’t care – and security isn’t the first thing to come to their minds either.

According to Vint Cerf, of the 600 million computers that are connected to the internet, up to 150 million are part of botnets, and in most cases the owners of these computers have not the slightest idea what their little beige friend in the study is up to.

Machines operating as part of a botnet can do so very subtly, and the signs are easy to overlook: the processor running harder than it should, a slow network connection, and so on.

Hollywood has taught us that hackers use viruses that flash big red warning messages to steal government secrets.

Don’t think that your computer at home isn’t valuable to the bad guys – because it is. 150 million machines can attest to that.

It was a heist!

January 19th, 2007

A Swedish bank has been hit by the biggest ever online heist — approximately $1M USD.

The attack started with a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a “spam fighting” application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.
Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.

Be careful out there, folks. It looks like Anil was right.

Spam Protecting You From Spam By Phishing

January 16th, 2007

That is a new one (for me at least). I got a spam message telling me that spammers were “targeting me and threatening my online security and that I should click here” (to some questionable link).

Clever, but no cigar – plus it was caught by my spam filter.

Give Me Your Money - Or Die

January 11th, 2007

Dentists, doctors, lawyers and other professionals in the Pittsburgh area have been targeted by a “hit man” e-mail scheme, receiving messages that tell them to pay up to spare their lives, the FBI said.

No one has reportedly lost money or been harmed in the scam, but some recipients were unnerved by the messages, said Special Agent Bill Shore, who supervises the computer crime squad in the Pittsburgh FBI office.

“You think, ‘What did I get into? What do I gotta do to get out of this?’ “ Shore said.

Who worries about hit men ??

The more people learn not to click on links in emails, the more enticing spammers, phishers, and the like will have to make them.

Computers Working Together Against Hackers

January 8th, 2007

This is cool – and likely a new trend with much more innovation and sophistication down the road.

The Intel prototype, called Distributed Detection and Inference (DDI), uses Bayesian probability to detect more stealthy worms. The idea is that if just one node is seeing a big increase in connections, that could be a temporary, random fluctuation, but 50 nodes experiencing even a modest increase in traffic very likely means that the network is under attack and that a protective response is warranted.

“Anomaly detectors” at local nodes on a network look for evidence of worms, such as unusual spikes in activity. A machine that normally makes just a few network connections per second might suspect that something is amiss if it is suddenly instructed to make connections at a higher rate. So, using a peer-to-peer “gossip” protocol, it transmits to other machines its so-called belief, in the form of a probability, that the network may be under attack. If the total number of beliefs that any given machine receives from other nodes is high enough, it will assume that an attack is under way and take some defensive action, such as sounding an alarm or disconnecting from the network.
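The belief-gossip scheme described above, sketched as an added example (not Intel's DDI code): each node turns its connection count into a clipped log-likelihood-ratio “belief”, gossips it to its peers, and raises an alarm only when the combined Bayesian posterior crosses a threshold, so one host's burst is ignored while a modest increase on every host is not. The rates, prior, cap, threshold and host names are constructed assumptions.

```python
import math

# Constructed model parameters (assumptions, not Intel's DDI values): a normal host
# opens about 2 outbound connections per second; a host hunting for victims opens
# about 4. Counts per one-second window are modelled as Poisson.
NORMAL_RATE = 2.0
ATTACK_RATE = 4.0
PRIOR_ATTACK = 0.01      # prior probability that the network is under attack
BELIEF_CAP = 1.5         # bound on one node's evidence (nats): no single node can decide
ALARM_THRESHOLD = 0.95   # posterior probability at which a node takes defensive action

def local_belief(connections):
    """A node's belief from one window: the Poisson log-likelihood ratio of its
    connection count under the attack model vs. the normal model, clipped so that
    one node's spike (a download burst, say) cannot drive the network's decision."""
    llr = connections * math.log(ATTACK_RATE / NORMAL_RATE) - (ATTACK_RATE - NORMAL_RATE)
    return max(-BELIEF_CAP, min(BELIEF_CAP, llr))

def gossip(beliefs, peers):
    """One gossip round: every node forwards its belief to each of its peers.
    Returns, per node, the list of beliefs it received."""
    heard = {node: [] for node in beliefs}
    for node, belief in beliefs.items():
        for peer in peers.get(node, ()):
            heard[peer].append(belief)
    return heard

def posterior(own_belief, received):
    """Bayes' rule in log-odds form: prior log-odds plus the sum of all evidence heard."""
    log_odds = math.log(PRIOR_ATTACK / (1 - PRIOR_ATTACK)) + own_belief + sum(received)
    return 1.0 / (1.0 + math.exp(-log_odds))

def decide(counts, peers):
    """One detection round. counts: {node: connections seen this second}.
    Returns {node: (posterior probability of attack, alarm raised?)}."""
    beliefs = {n: local_belief(c) for n, c in counts.items()}
    heard = gossip(beliefs, peers)
    probs = {n: posterior(beliefs[n], heard[n]) for n in counts}
    return {n: (p, p >= ALARM_THRESHOLD) for n, p in probs.items()}

def full_mesh(nodes):
    return {n: [m for m in nodes if m != n] for n in nodes}

if __name__ == "__main__":
    nodes = [f"host{i}" for i in range(50)]
    spike = {n: 2 for n in nodes}; spike["host0"] = 40   # one host bursts, rest normal
    modest = {n: 4 for n in nodes}                        # every host quietly doubles
    for name, scenario in (("single spike", spike), ("modest everywhere", modest)):
        p, alarm = decide(scenario, full_mesh(nodes))["host1"]
        print(f"{name}: host1 posterior={p:.3f} alarm={alarm}")
```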

A Good Security Primer

January 5th, 2007

The NSA’s 60 Minute Security Guide is probably not going to be used by, or useful to, “normal” people.

I think it is, however, a great tool for recent college graduates, people looking to get into the info sec field, and admins in general who may not have “security” folks around giving them suggestions (those of you who work on campuses, for example).

NSA’s 60 Minute Security Guide (pdf)

For the sections that don’t make sense though, there are great blogs written by information security professionals that can help ;)

Dad, Grandma is Selling Viagra Again!

January 3rd, 2007

With all of the holiday shopping that has taken place over the last few weeks users are probably checking their accounts more frequently these days. Phishers know this and are casting their lines everywhere.

Don’t be fooled: always go to websites by typing in the URL (e.g. www.mybank.com) and then save them as bookmarks. It’s safer and easier (good combo).

Never login to anything that you were led to by a link – even if grandma sends you an email that will help you save money on Viagra.

How Much Security is a Picture Worth?

January 2nd, 2007

Banks have been picking up on this (pdf) trend lately, that is, having a “personalized” picture to greet you when you login to your online checking account. As pointed out by Laura, it is a cheap and fake version of two factor authentication.

The idea is that after you enter your account number (or something similar) you are presented with a customized picture that “proves” you are logging into the correct site. The problem is that users only notice the image once or twice and then are quickly desensitized to the fact that it is even there.

It also teaches people to trust what they see on the screen: the “if it looks like my banking site, it must be my banking site” mentality. Users (everyone, really) are lazy and will do everything possible to avoid picking up a phone.

If your picture is not the cute little Pug you selected, you’d most likely wait until Ms. Bad Lady goes and buys 15 iPods with your checking account number before you even think of calling the bank.

...and grudgingly at best.