
Category: breach

Apr 16 2013

ColdFusion hack used to steal hosting provider’s customer data

A vulnerability in Adobe's ColdFusion application server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it at a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher," with discovering the vulnerability.

But according to IRC conversation including one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets to use the exploit on.


Dec 14 2012

LogMeIn, DocuSign Investigate Breach Claims

Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.

Some LogMeIn users began complaining of receiving malware spam to LogMeIn-specific email addresses on Dec. 3, 2012. The messages matched spam campaigns that spoofed the U.S. Internal Revenue Service (IRS) and other organizations in a bid to trick recipients into opening a malicious attachment.  Multiple LogMeIn users reported receiving similar spam to addresses they had created specifically for their LogMeIn accounts and that had not been used for other purposes. The first LogMeIn user to report the suspicious activity said he received a malicious email made to look like it came from DocuSign but was sent to an address that was created exclusively for use with LogMeIn (hat tip to @PogoWasRight).

“I have an email account that allows me to put anything in front of the @ (at), which helps keep track of what/who I sign up to,” wrote LogMeIn user “Droolio” in a thread on the company’s support forum. “This way, not only do I know who leaks my email addresses (as did happen with Dropbox a few months back), spammers can be blocked after they get ahold of it. My PC is malware-free and I hardly use LogMeIn (although it is installed albeit disabled) and the last time it was used was months ago.” [link added].

LogMeIn user Justin McMurtry, a realtor in Houston, Texas, said he received a Trojan-spam message to his LogMeIn-specific email address at the same time he received the same message at an address he used exclusively for DocuSign.

“It is especially worrisome to consider the possibility that LogMeIn and/or Docusign account passwords could have been leaked as well,” McMurtry wrote on LogMeIn’s support forum. “Attackers able to actually log in using someone’s LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.”

LogMeIn spokesman Craig VerColen, said that while the investigation remains open, the company has so far found no signs of any compromises to its users’ information.

“It is worth noting, as part of the investigation, we did find some commonality with the naming conventions of the emails associated with the reports,” VerColen wrote in an email to KrebsOnSecurity. “Many (nearly 30%) of the reports – and this includes all reports, not just the handful of people reporting the unique email claim – included variations of LogMeIn in the name, e.g. logmein@acme.com, LMI@acme.com, logmeinrescue@acme.com.  The majority of the others used either common prefixes, e.g. info@acme.com, sales@acme.com, tech@acme.com, or common first names, e.g. joe@acme.com.  While this is not the case with all of the email addresses, the commonality would seem to suggest a pattern.”
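The distinction VerColen is drawing is the one that matters when triaging reports like these: an address such as info@acme.com or joe@acme.com can be produced by any spammer's dictionary, whereas an opaque tag that a user only ever typed into one vendor's signup form cannot. The script below is an added example, not LogMeIn's investigation code or anything from the KrebsOnSecurity article; it sorts reported recipient addresses into guessable classes and the unique tags worth chasing, and also handles plus-addressed forms (user+vendor@domain) of the kind "Droolio" describes. The vendor alias list, role and first-name word lists, and the sample addresses are all constructed for this example.

```python
"""Triage of "spam arrived at my service-specific address" reports.

Added example (not LogMeIn's or KrebsOnSecurity's code). It reproduces
the naming-pattern check described in the article: classify each reported
recipient address as guessable (vendor name, role prefix, common first
name) or unique. Only the unique ones are evidence that a customer list
left the vendor; a high guessable fraction points to an ordinary
dictionary spam run. All word lists and sample addresses are constructed.
"""
import re
from collections import Counter

VENDOR_ALIASES = {"logmein", "lmi", "logmeinrescue"}          # assumed aliases
ROLE_PREFIXES = {"info", "sales", "tech", "support", "admin",  # assumed list
                 "webmaster", "contact", "postmaster"}
COMMON_FIRST_NAMES = {"joe", "john", "mike", "dave", "anna", "mary"}  # assumed

SAMPLE_REPORTS = [  # constructed sample of reported recipient addresses
    "logmein@acme.com",
    "LMI@acme.com",
    "logmeinrescue@acme.com",
    "info@acme.com",
    "sales@acme.com",
    "joe@acme.com",
    "droolio+logmein@droolio.example",  # plus-tag that names the vendor: guessable
    "x7q2m-remote@droolio.example",     # opaque tag: only the vendor knew it
    "zk91ee@mcmurtry.example",
]


def classify(address: str) -> str:
    """Return 'vendor-name', 'role', 'first-name' or 'unique' for one address."""
    local = address.split("@", 1)[0].lower()
    # Look at plus/sub-address tokens as well as the whole local part, so
    # "user+logmein" is recognised as naming the vendor.
    tokens = set(re.split(r"[+._-]", local)) | {local}
    if tokens & VENDOR_ALIASES:
        return "vendor-name"
    # Substring match only for longer aliases: short ones like "lmi" would
    # false-positive on names such as "elmira".
    if any(len(alias) >= 5 and alias in local for alias in VENDOR_ALIASES):
        return "vendor-name"
    if local in ROLE_PREFIXES:
        return "role"
    if local in COMMON_FIRST_NAMES:
        return "first-name"
    return "unique"


def triage(addresses):
    """Summarise a batch of reports: class counts, guessable fraction, unique tags."""
    counts = Counter(classify(a) for a in addresses)
    total = len(addresses)
    guessable = total - counts["unique"]
    return {
        "counts": dict(counts),
        "guessable_fraction": guessable / total if total else 0.0,
        # These are the reports to follow up: were the addresses ever used,
        # stored or exposed anywhere other than the vendor's own database?
        "unique": [a for a in addresses if classify(a) == "unique"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print(result["counts"])
    print("guessable fraction: {:.0%}".format(result["guessable_fraction"]))
    print("follow up:", result["unique"])
```

The classifier measures guessability, nothing more: a guessable address reached by spam proves nothing either way, and even an opaque tag can leak from the user's own mail client, the mail provider, or a third party the vendor shares data with. Its value is in shrinking a pile of reports to the handful that can only be explained by someone holding the vendor's list.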

For its part, DocuSign released a statement saying that it is investigating the incident and is working with law enforcement agencies to take further action. But it chalked the incident up to aggressive phishing attacks, noting that “antivirus vendors report malicious code incidents have been increasing by as much as 3600% in recent weeks.”

“The investigation is still underway, but we have not seen any kind of indication of a data breach,” said Dustin Grosse, DocuSign’s chief marketing officer.

In July, users of file syncing and sharing service Dropbox.com began complaining of receiving spam emails to addresses they’d registered for exclusive use with the service. Dropbox initially said its investigation turned up no internal breach, but two weeks later the company disclosed that an employee misstep caused the inadvertent leak.

Oct 25 2011

Bundestrojaner, Sony breach, Duqu, OS X anti-anti-virus, MS hack – 60 Sec Security

Enjoy the latest security news in brief by watching 60 Second Security!

This episode: the German Bundestrojaner controversy, Sony breached (again!), Duqu dubbed “Son of Stuxnet”, OS X anti-anti-virus and Microsoft videos hacked.

Sep 13 2011

BitTorrent serves malware directly from website – no need for P2P!

Back in 2001, when BitTorrent was first announced, it seemed inevitable – and, at the same time, implausible – that a commercial company based around its social approach to file sharing would emerge and succeed, despite its novelty.

Inevitable, because the sheer popularity of peer-to-peer file sharing means that the potential return for any company successfully commercialising a popular P2P client is enormous.

Implausible, because the indelible association between P2P and piracy means that potential risk of burning out in lawsuits from copyright holders is vast.

But the creator of BitTorrent, Bram Cohen, did create a company out of his codebase, and BitTorrent, Inc. is effectively today’s Torrent mothership.

The company is also the custodian of two popular Torrent clients: the so-called Mainline version, and its extremely popular compact cousin, uTorrent.

(The character u is commonly, if confusingly, used in Latin alphabets to represent the Greek letter μ. Short for micro, it’s pronounced in English as mew, as in cat. So much for internationalisation.)

In its ten-year history, BitTorrent – the protocol, not the company – has become well known for facilitating the unregulated sharing of arbitrary material. Indeed, it’s become quite the way to find all the ripped-off software, films, TV shows and porn you might need. Unsurprisingly, the cybercrooks love that sort of neo-anarchic mix, because it makes it easy for them to expose you to your fair share of malware.

Unfortunately, however, even if you are one of the many entirely law-abiding users of BitTorrent, the folks at BitTorrent, Inc. may recently have put you in harm’s way.

According to a really-ought-to-be-more-visible warning on the download pages of www.bittorrent.com and www.utorrent.com, a breach of the two servers resulted in a two-hour window in which downloading BitTorrent’s software would have given you a fake anti-virus program instead.

This morning [13 Sep 2011 on the US West Coast] at approximately 4:20 a.m. PT, the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program.

Just after 6:00 a.m. PT, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

BitTorrent, Inc. identifies the malware as belonging to the Security Shield scareware family. Program files under this “brand” of fake anti-virus should be mopped up by Sophos Anti-Virus as CXmal/FakeAV-A.

Confusingly, the BitTorrent blog has recently been updated to claim that the software available from the www.bittorrent.com URI was not affected, implying that only those who downloaded uTorrent during the infection window would be at risk.

Since the two sites share the same network infrastructure – both resolve to the same IP number in Limelight Networks’ cloud – you might want to ignore that blog update and assume that any recent downloads from Bittorrent, Inc. were dodgy and give yourself a thorough anti-malware checkover.

I’d also ignore the time window, since BitTorrent used the annoyingly ambiguous abbreviation “PT” to denote the timezone. I’m guessing they meant to say UTC-7, but they didn’t.

Update. Allison at BitTorrent got in touch to say she’s updated the official report to make it clear: Pacific Daylight Time, UTC-7. Thanks for listening, Allison!

PS. If you will forgive some mild commercialism, you can download a fully-functional trial of Sophos Endpoint Security and Control – with detection AND cleanup included, unlike with scareware! – from our website. Registration is required, and you will get contacted by Sales. But for one month, you can use the product as widely as you like at home or in your business. And you’re entitled to our award-winning 24/7 support by email and phone throughout. Give it a go. You know it makes sense. (Did I get that right? Is that how salespeople speak?)



Sep 12 2011

Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable"

The Linux world is in a bit of a security spinout at the moment.

Last month, the brains behind the Linux kernel discovered malware on the PC of at least one kernel maintainer, as well as on some of the kernel.org servers themselves.

Now, the Linux Foundation, a not-for-profit which bankrolls the main developers of Linux so that they can remain independent of any particular vendor or commercial group, is in the security soup, too.

The Linux Foundation sites have been replaced with holding pages since late last week, suggesting that finding out what actually happened hasn’t been as easy as the Foundation’s techies might have hoped.

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

The connection to the malware infection amongst the kernel maintainers themselves is echoed by the holding page for kernel.org, which says, simply, “Down for maintenance”. The Linux Foundation and Kernel.org sites are internet neighbours in the 140.211.169.0/25 network block.

In a creditable fit of caution, the Linux Foundation advises that you should consider the passwords and SSH keys used on its sites to be compromised. It also advises that “if you have reused these passwords on other sites, please change them immediately.” Of course, much better advice is never to reuse passwords on multiple sites in the first place.

(You might be wondering if this mention of possible password compromise means that the Linux Foundation failed to follow its own advice, and stored passwords in plaintext, rather than as an irreversible hash.

Remember, however, that this breach appears to involve a malware compromise, not merely the unauthorised retrieval of data from the servers. If a server is “owned” by malware, even the login process should be considered untrustworthy. Passwords could therefore have been stolen directly from memory during login, even though they were never written to disk.)

I’m still struggling to decide quite what the Loony Linux Lovers – those who insist that Linux is immune to malware – will make of this episode. Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system.

In a perversely back-handed sort of way, perhaps this incident is just what Linux needs to raise its profile outside the world of cloud service providers.

The “Linux has magic security smoke” proselytisers will be compelled to admit that insecurity isn’t just about Microsoft, and will be forced to improve their public attitude to security in general.

The “Linux is a nothing more than a hobby product” naysayers will be compelled to admit that the operating system really is part of the Big Time. Why else would kernel.org be in the sights of cybercrooks?

And Linux itself will emerge almost entirely unscathed because if any dodgy changes are found in the codebase, there will be a public record of them getting rolled back and order restored.

Mind you, the Linux brains trust could do with getting a move on fixing things.

In the meantime, if you’ve never considered it before, why not take a look at OpenBSD :-)



Aug 15 2011

Another Korean data breach – GOMTV.NET spills user account data, including passwords

Another South Korean service provider has reported a large-scale data breach, leaking usernames and passwords for subscribers worldwide.

Late last month, cybercrooks made off with the personal information of up to 35,000,000 users of popular Korean sites Nate and Cyworld.

This time, it’s the turn of Seoul-based streaming media service GOMTV to suffer a data-spilling intrusion.

(That’s ‘GOM TV’, where GOM means Gretech Online Movies, not ‘GO MTV’, where MTV means Music Television. Gretech Corporation is the Korean legal entity which sets the terms and conditions and the privacy policy to which you agree when you sign up for GOM TV.)

According to GOM TV, the breach happened early in the morning of Friday 12 August 2011 Korean time; the company sent out a warning email to its subscribers on Sunday 14 August 2011. That’s not exactly immediate, but it sets a much better notification standard than the week which Sony made its users wait for information after the PlayStation Network was breached in mid-April.

Dear Valued GOMTV.net users:

We regretfully inform you that approximately at 2 AM KST, Aug.12th, there has been an attack against our web site, GOMTV.net.

We have found that some of the user information from GOMTV.net has been compromised from the attack. We suspect that the following information might have been exposed: name, location (country), e-mail address, GOMTV.net nickname and password.

Payment details and credentials were not exposed, as GOM TV outsources its payment services to PayPal. Unless, of course, you used the same password for GOM TV as you did for PayPal. (You didn’t do that, did you?)

GOM TV subscribers can pick their own password for the site itself, or can authenticate against Twitter or Facebook instead. As Gretech points out in its email: “Users who have signed up with Facebook or Twitter do not have to worry about changing their passwords as they did not have to enter separate passwords at the time of sign up.”

It sounds as though Gretech was storing passwords in a directly-recoverable form on its web servers. As we’ve said many times before on Naked Security, this is almost always unnecessary for online authentication.

You don’t need to save a user’s password permanently to be able to validate it later. Instead, you calculate and store a salted, deliberately slow cryptographic hash of the password.

If a user can subsequently provide a password which produces the same hash, you have satisfied yourself that they know the password they chose originally. You need to have the password very briefly in memory, but you never need to store it.

(Of course, you need to choose a satisfactory password-hashing system. Don’t try to invent your own. Use one which is already well-known and considered secure. Good places to start are the password hashing arrangements used by OpenBSD and Linux.)

As if that weren’t bad enough, GOM TV included a bright-and-shiny Click to change button in its notification email. The button doesn’t actually take you directly to the company’s password reset page, but it nevertheless sets a risky precedent, especially as it uses an unusual-looking redirect to take you to the company’s website.

Fake warnings which urge users to click on links in the email they’ve just received are the hallmark of scammers and phishers. Avoid doing the same thing in your own alerts, so that users learn never to enter confidential data on web pages they have reached via uncertain links embedded in email.