Updated 5:22pm PT with comment from WordPress.

Hackers are targeting major blogging platform WordPress using a botnet aimed at stealing login credentials for admin-level accounts.

Those who use WordPress to run the back-end of their blogs may want to pay close attention to their accounts. Attackers are accessing the login portals for those blogs, entering the username “admin,” and then using a tool that “brute forces” its way into the account. The tool is programmed with dictionary words, which it then enters into the login portal by the thousands to guess your password. Many people still use “password” for their, well, password, and other easy-to-remember words.

WordPress founder Matt Mullenweg released a blog post saying, “If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.”

He explained that in the WordPress 3.0 update, the company began allowing you to create your own login username when you first set up your WordPress backend — “admin” used to be the default. If you took the opportunity to make your own username, your account will be unaffected for now.

CloudFlare — a company that filters your web traffic to make sure your pages are loaded speedily, but also watches for bots stealing your bandwidth — released a blog post saying that it believes the attacker behind this botnet likely wants to take over your website’s servers, not mess with your WordPress site. The botnet as it stands now, according to CloudFlare, is made up of home PCs that aren’t as powerful as full servers. With that server capability, however, the botnet would be able to execute more impactful attacks such as strong denial of service attacks that can knock a website offline.

CloudFlare explained to me in an email that over 100,000 IP addresses are currently detected in the botnet.

“It’s a big attack directed at a significant percentage of the WordPress installs worldwide,” a company spokesperson said in the email.

We have reached out to WordPress and will update this post upon hearing back.

hat tip TechCrunch; Bot image via Shutterstock

Researchers at security firm Spider.io released details on a new botnet called Chameleon today, which it says has cost advertisers over $6 million in revenue — the first of its kind to impact “display advertisers at scale.”

We see botnets steal advertising revenue through text-only advertising, such as the search engine advertising you might see at the top of Google. But display advertisers are more difficult to target, says Spider.io. Those behind the display advertising use different techniques to judge their target audience and decide whether they are human or not.

The bot is able to mimic human interaction with a website so that no one suspects there is a bot behind the click, hence the name Chameleon. The bot only clicks on advertisement 0.02 percent of the time, and it re-creates “normal” mouse traces — or where the mouse hovers on the webpage — as well as “random” click-throughs on a specific advertisement. That is, it doesn’t click the ad in the same spot every time.

The firm first started investigating the botnet in December and say the program has cost advertisers up to $6.2 million so far. The botnet specifically targeted 262 unnamed websites and accounted for 65 percent of the traffic served to those websites. Spider.io was able to detect at least 120,000 “host machines,” thus far, and it says the majority of them are from United States IP addresses.

hat tip Ars Technica; Chameleon image via Shutterstock

In the two weeks leading up to RSA, a major security conference in San Francisco, corporate giants such as Microsoft, Apple, Facebook, Twitter, The New York Times, and others admitted that they were hacked.  Cyber attacks are wreaking havoc on nations, businesses, and consumers alike. But just the fact that people are paying attention might be a bright spot in our fight against this adversary.

President Obama stated that cyber-crime itself is a $1 trillion problem. Even if the amount is only in the hundreds of billions – Sony alone incurred $171m in damages related to its 2011 PlayStation Network breach – it is clear that the threat is at an all-time high.  The “bad guys” are more organized and better-funded than ever before, and their methods of attack are growing more and more sophisticated.

The good news, it seems, is that chief security officers (CSOs), chief information officers (CIOs), and more importantly, chief executives and corporate boards, have finally moved from denial to rage to facing up to the magnitude of the problem.

Industry leaders are recognizing that traditional approaches, technologies and solutions are insufficient. RSA Chairman Art Coviello, for example, acknowledged the shortcomings of the standard firewall and intrusion detection/prevention systems when he said “perimeter-based security reached its limits.”

As a partner at venture capital firm Jerusalem Venture Partners, which focuses on investments in cyber-security in a country known for its cyber-prowess, I watch developments in the industry very closely in an effort to locate the startups that can address security problems as they emerge – in what seems to be a dizzying pace.

What I see is that the industry does seem to be rising to the challenge in an effort to provide better solutions for governments, enterprises, and consumers. But those answers are not necessarily coming from established security vendors and so aren’t surfacing as quickly as they should.

A new favorite attack vector: BYOD

One attack vector being used more and more by hackers is through our mobile devices. Smartphone sales surpassed PC sales two years ago and, according to industry sources, 80 percent of employees use personal devices for work purposes. That compares with the 60 percent of enterprises that allow it. This BYOD (bring your own device) phenomenon allows cyber-criminals easy access to contact lists, critical enterprise information, transactions, and credentials.

Many of the current solutions to the BYOD problem rely on problematic rooting, or kernel-level access, or crippled user experience offered by dual-persona or container models. No wonder the winner of the RSA Conference 2013 Innovation Sandbox was a young start-up, Remotium, which tackles BYOD by using a virtual machine to run your “work phone,” which you can remotely access through your personal phone.

Its innovative approach has a real shot at making our smartphones more secure by essentially taking both data and processing to the cloud. Other similarly innovative approaches which attempt to protect our data rather than the personal devices themselves may better equip organizations for the BYOD phenomenon as well as burgeoning trends towards virtual organizations.

The shift to cloud-based enterprise infrastructure and apps creates even more attack vectors. Organized cyber-crime is taking advantage of the cloud and becoming a real revenue source for many rogue organizations. Cyber-attack infrastructure is already offered as a service by many of these groups. For example, botnets-for-hire, or a string of zombie computers used to launch attacks on healthy computers, can create damages in excess of half of a billion dollars a year (especially related to AdClick fraud).

Is anti-virus software cutting it?

What about anti-viruses – the classic cyber-defense? Unfortunately, existing anti-virus solutions has fallen out of favor with many given that it can only block malware it knows. Because it looks at digital signatures and stops those it recognizes to be malware, it misses a lot of the new threats that come through. According to Bret Hartman, CTO of the security technology group at Cisco, organizations have lost control of their end-points. The cat and mouse game is becoming more difficult and expensive to play.

We see many of the most promising end-point security solutions are moving away from signature-based approaches, like anti-virus software, and focusing on heuristics-based or behavior-based white-listing methodologies. While these solutions are not quite ready to take the place of current anti-virus solutions, especially not on the consumer level, they certainly act as a much-needed complement to available protection and will certainly one day vie for a place as the industry standard.

In parallel, industry-wide collaborative efforts helping cyber-intelligence systems to ferret out insidious malware, hand-in-hand with big-data based analytics and solutions are gaining significant ground in this ongoing battle. According to RSA’s Coviello, adaptive machine-learning and predictive analytics based on big-data are the secrets to success.

Where the startups really stand

Interestingly, many of the innovative new solutions being provided today are actually coming from the more nimble and dynamic startups in the field. The problem is, these startups often have a tough time convincing CISOs of their value. Unproven track records and prematurely released enterprise solutions offered by these unknown (and often under-financed or unstable) companies are problematic for large enterprises.

Startups also seem to form in clusters, latching on to the latest buzzwords. This makes it hard to explain exactly how they do things differently.

But none of that takes CISOs off the hook. To succeed in their jobs, they must engage with these innovative startups to help themselves and the industry find the right set of solutions. The enormous scope of the problem and its continuously evolving nature dictates the need to work with innovative startups, side-by-side with incumbent players.

In the end, it takes a global village. As the intensity and ferocity of cyber-attacks continue to grow, the “good guys” must understand that only through a concentrated, collaborative, cross-industry effort can we rise to meet these very serious challenges. Such partnership-based models joining VCs, strategic enterprises, academia and government will allow the industry to create a robust, proactive eco-system which can foster breakthrough technologies and approaches capable of meeting today’s cyber threats — and tomorrow’s. This multi-disciplinary, collaborative approach is the only way to stay one step ahead of the bad guys.

Yoav Tzruya is a partner at JVP, Israel’s leading venture capital firm. Yoav brings more than 20 years of executive-level experience in the IT industry, with extensive experience in cyber security, digital media, and enterprise software verticals.

Happy code image via Shutterstock

Ted Schlein, investor with Kleiner Perkins Caufield and Byers, built one of the first anti-virus products at Symantec. Today, he says the likes of Symantec and McAfee will run out of gas if they don’t get rid of their anti-virus divisions.

“They will either need to realize their core anti-virus business is going away and make massive shifts, or they will continue to lose market share,” said Schlein at the RSA Conference in San Francisco this week. “You’ve got to change with the times. You can’t be static in security,” he said.

The security community is starting to look down on anti-virus technology simply because such tools don’t get any better until you get hacked. Traditionally, anti-virus software looks at digital signatures to determine whether or not the file entering your system is malware or safe. But it only learns that bad signature if it has seen it. Any new pieces of malware slip in under the radar.

Companies like Symantec and McAfee are running the risk of becoming irrelevant if they don’t change course. Both companies dabble in mobile security and are trying to figure out the answer to the bring-your-own-device (BYOD) trend. But Symantec, as Schlein noted, has more pressure to pivot than McAfee, which is owned by Intel. In the end, Intel can decide what to do with McAfee’s technology — and employees — whereas Symantec is still independent.

Other companies have tried behavioral anti-virus techniques, or studying the typical actions a piece of malware performs to stay relevant. For the most part, however, the overall anti-virus market seems to be slowly becoming the kid no one wants to play with.

“I believe security has to be done from the inside out, not outside in,” said Schlein.

He also said we should do away with firewalls. In fact, he won’t invest in any. Instead, he said, we should focus on protecting the information on the inside of the system — care less about what gets into our systems and more about stopping it from executing once it’s there.

This is especially important in the days of automated attacks, which Schlein said are some of the scariest threats in the industry today.

Botnets are able to storm your system, they’re cheap to use, and they don’t require much heavy lifting on the criminal’s part. Botnets are a huge threat because they let hackers be fast and more economical in attacks, say against banks, that could lead to big financial gains.

Schlein suggests the industry forget about firewalls and instead build “botwalls” that don’t try to keep the bots at bay but instead break them down once they’re on the inside.

“A botwall will be able to figure out these automated attacks,” he explained. “You need to look at these automated bots and how they work. You’re not trying to stop a bot from executing, you’re trying to stop a bot from being successful.”

Image via Meghan Kelly/VentureBeat

(Updated)

The U.S. Department of Homeland Security’s Computer Emergency Readiness Team says no one should use Java until Oracle fixes a hole that permits attackers to jump inside your computer and steal information.

“We estimate that about 100 million computer users are now in immediate danger of getting exploited. Given the current circumstances – wide availability of the exploit code and no fix from Oracle scheduled for the near future – disabling the Java feature in the browser is the wisest choice,” Bitdefender senior e-threat analyst Bogdan Botezatu told VentureBeat in an email.

Java is a widely-used programming language, now overseen by Oracle, that runs on many different platforms, including PCs, Macs, and mobile devices. Java programs are supposed to run in a secure “sandbox,” but security researchers recently found a vulnerability that allows attackers to infect that computer’s systems with software that further allows them to steal personally identifiable information. Of course, that can lead to bank accounts being drained or identity theft.

Beyond that, however, the hole also lets the attacker hook your computer up to a botnet, or a string of computers that can be used to do the bidding of the cyber criminal.

The malicious software is distributed through infected websites that Homeland Security points out could be made to look like legitimate websites.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the Homeland Security advisory states. “To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.”

This vulnerability only affects PCs, but a recent and similar incident involving the “Flashback Trojan” showed that Java has weaknesses in Macs as well. According to MacRumors Apple isn’t taking any chances this time and has blacklists Java entirely for its OS X.

We have contacted Oracle and will update the post if we hear back from the company.

UPDATE 1/12/2013: Oracle has stated that “a fix will be available shortly” for the Java flaw, Reuters reports.

via Reuters; Oracle image via Peter Kaminski/Flickr

It sucks when viruses clog your PC, slow it to a crawl, and generally make your life miserable. But what if it put your life in danger? With medical facilities all around the United States running outdated software that can’t install new security patches, that very well may become the case.

According to the Technology Review, 664 medical machines at Beth Israel Deaconess Medical Center in Boston ran outdated operating systems that it could not upgrad despite that many older Windows operating systems are huge targets for malware.

The main issue is that the manufacturers of medical equipment don’t often allow the hospitals to upgrade their operating systems or patch security holes, said Kevin Fu, a researcher and associate professor at the University of Massachusetts, Amherst, at an industry conference last week. The fear here is that if the hole is patched, or the software somehow changes, that the device will no longer be FDA complaint. If it isn’t FDA complaint, a hospital can’t use it. But the huge downfall is that without these security updates and the latest operating systems, malware is literally slowing down the machines that doctors and nurses are using to save lives.

Botnets, or strings of computers that can be controlled to launch mass attacks or otherwise work in unison for the hacker’s profit, are a particular problem for hospitals.

Indeed, Fu says its “not unusual” for these machines to not perform properly, the hospitals relying on a “fallback model,” otherwise known as someone watching over the patient. Malware hinders the devices to a point where they can no longer record data.

As the Technology Review points out, hospitals don’t have to report security issues unless someone has actually been hurt as a result of the device’s malfunction. In 2009, the FDA also encouraged hospitals to work it out with the manufacturers themselves.

via Technology Review; Hospital image via Shutterstock

Sometimes it’s hard to imagine just how contagious a botnet can be, and then sometimes you see them from space. Security researchers at F-Secure created this look at ZeroAccess botnet infections today, across the United States and the world.

Image if each one of those red triangles represented the flu. That’s essentially what they are, little indications of virtual wheezes and sneezes your computer is suffering from under ZeroAccess’s infiltration. The botnet was first discovered in 2010, and continues to evolve and pop up in the hundreds of thousands around the world.

It is considered a trojan, downloaded when a person visits a secretly compromised site. Once installed on the computer, it pushes advertisement pop-ups to the user, and will redirect browsers to advertising websites. The malware writers make money off of the advertising, and for every installation that can trick people into.

While the botnet isn’t new, the representation shows just how real and destructive a botnet like this can be. Its creators are smart enough to change the malware frequently to make sure it gets through anti-virus software.

As per usual, people should be careful about what websites they visit, vetting links and pop ups to make sure they’re trustworthy. ZeroAccess, like most malware, is generally distributed on “high risk” websites, such as pornography sites, but can also be found on legitimate websites that have been compromised.

Don’t hold your breath for a vaccination.

Sept. 9 - 10, 2013 San Francisco, CA

Early Bird Tickets on Sale

On Friday of last week, U.S Marshalls entered office buildings in Pennsylvania and Illinois that are believed to be home to some of the biggest botnet armies on the web. But the law enforcement was just backup for the real investigators, Microsoft, who had secured a warrant from a federal judge to gather evidence and deactivate servers used by the criminals to infect people’s computers and harvest their personal data.

Since when did Microsoft enter the front lines of fighting cyber-crime? The new initiative was created by Richard Boscovich, formally a federal prosecutor, now a senior lawyer in Microsoft’s digital crimes unit. Microsoft brought a civil suit against the alleged botnet rings, arguing that the criminals violated its trademark by impersonating Microsoft in emails they used to spread their virus.

“Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed,” Richard Perlotto, director at the Shadowserver Foundation, told the NY Times.

The Friday raids targeted the Zeus botnet, which is franchised out by its creators to criminal gangs for anywhere from $700 to $15,000, depending on the level of customization desired. In its legal complaint, Microsoft said that the Zeus botnets had enabled the theft of more than $100 million from victims since 2007 and that 13 million computers were infected with some form of software associated with it.

Image via Flickr user aanjhan

“Just the very fact that I could get the domain name “trustworthy internet” says it all,” Courtot told VentureBeat.

Much of security is reactionary. McAfee general manager of network security Pat Calhoun likens it to a house break-in. You get the alarm system after your house has been robbed. If you already have an alarm system, you start using it when your possessions go missing. Security is an afterthought. Prevention means admitting that you’re vulnerable, a difficulty for any person or corporation.

But if we don’t build security technology in from the start, we open ourselves up to zero-day attacks, said Courtot. He said it’s like brushing your teeth. Scrub first to prevent issues. “It’s basic hygiene.”

The Trustworthy Internet Movement, like many movements, has a focus but no real solution — yet. Courtot’s $500,000 will go toward recruiting members and providing resources to start creating security technology that is company-agnostic. Members can come from anywhere, any company, but the innovations won’t exist under their title. Courtot is looking for those with expertise in domain-focused enterprises, technology leaders, “stakeholders” or individuals who want to solve a particular problem (such as botnets), anyone willing to make a donation, academic institutions, and non-profits.

Before he’s ready to announce partners and talk more about the initiative, however, Courtot wants a win. A win being a solution to a well-known problem. Currently he’s focused on botnets, e-mail spoofing, and SSL compliance, but he hasn’t chosen the problem he’d like this growing group to attack first. While solving a basic Internet issue like e-mail spoofing might seem laughable, it’s not impossible. Courtot explained that the cause of e-mail spoofing is already known, so finding out “how” people do this is not the problem. Gathering the right people together to make a solution is. By coming up with actual technology, the Trustworthy Internet Movement will be better equipped to pitch venture capitalists.

Despite his quiet start, Courtot said he has the support of Qualys’ big name customers such as Google.

Unlike Qualys’ mission, however, it’s not about protecting the cloud. “The cloud is done,” he said, “The train has left the station.” It’s about solving the Internet’s problems because without starting at the beginning, the cloud will never be safe.

Google Dorks have been around for a while, as the name for an attack where hackers scan web sites, using commonly used links within company networks, to see if there are any unsecure links that can be used to break into a company’s web site. A report being released today by Imperva warns that the combination of the highly automated botnets and the Google Dorks are a new vector for hackers to break into companies on a massive scale.

Hackers sometimes manually scan sites for such stray links, but that’s like looking for a needle in the haystack. They have now figured out how to automate their scanning. They do so by getting botnets, or farms of compromised computers that have been hijacked without the owners’ knowledge. These botnets are used to automatically search through a series of links that may be related to a company’s web site. They use the botnets and Google Dorks to uncover weaknesses, and then they launch conventional hacking attacks against them. The result of these attacks can be contaminated web sites, data theft, data modification, or compromised company servers.

The hackers can efficiently use popular search engines as an attack platform to retrieve sensitive data. Botnets automate the process and can evade anti-automation detection techniques commonly deployed by the search engine providers. By using bots that are distributed throughout the world, the hackers fool the search engines into thinking that the searching is being done by real human individuals, not a herd of bots controlled by a hacker.

“This is what the hackers do to conduct cyber reconnaissance,” said Rob Rachwald, a senior security strategist at security firm Imperva, in an interview. “This used to be a manual process, but now it’s automated.”

With the automation, attackers can get a filtered list of potentially vulnerable web sites in a very short time. Mining search results can expose neglected sensitive files and folders, and unearth network logs and unprotected network-attached devices.

With botnets, the hackers can run 80,000 queries in a day, eluding detection and efficiently fishing for attack targets. Imperva’s Application Defense Center observed a particular botnet in action during the May-June time frame and witnessed its use against a well-known search engine provider. By tracking this botnet, Imperva found how attackers lay the groundwork to simplify and automate the next stages in an attack campaign against web apps.

“We found out because we were observing,” Rachwald said.

Today, search engines detect automated search routines by detecting the searcher’s internet protocol, or IP, address. If the same address is used over and over again for slightly different searches, the search engines block it. But botnets consist of computers scattered around the world, all using different IP addresses. Hackers can hide their identities behind these botnets, which are available on the underground for rental.

The botnets can be used with a distributed search tool to find distinguishable resource names and specific error messages that say more than they should. Dorks are often exchanged between hackers in forums. Some of the lists of Dorks are posted on various web sites. Dorks and exploits go hand in hand.

In the attack that Imperva observed, the attackers used dorks that match vulnerable web applications and search operators that were tailored to a specific search engine. For each unique search query, the botnet examined hundreds of returned results. Full told, the number of queries topped 550,000 queries, including one day with 81,000 queries — all via  single botnet.

The attackers targeted e-commerce sites and content management systems. The more success they had, the more the attackers refined their search terms. Imperva saw 4,719 different variations of dorks used in the attacks.

Fortunately, there are some solutions that Google, Bing and Yahoo can use to protect against these attacks. Search engines are in a unique position to identify botnets that abuse their services and can thus find out more about the attackers. The search engines can identify unusual queries such as those that contain terms from publicly available Dork databases, or queries that look for sensitive files. By doing so, search engines can come up with more blacklisted IP addresses. Google can force some searchers to fill out a CAPTCHA form, (where you look at handwritten characters and type the word that you see), to prove they are human searchers.

Rachwald said that web site creators should attack themselves using common Dork search terms and find out if they are vulnerable. They should also mask their links so that they are harder to guess.Web application firewalls should be able to detect and block attempts at finding application vulnerabilities. The web sites can also use reputation controls to block attacks coming from known malicious sources.

For the year, the report says spam messages are projected to account for 89.1 percent of all emails sent, up 1.4 percent from 2009. The global spam rate peaked in August at 92.2 percent, when the portion of spam sent from botnets — herds of zombie computers that have been hijacked by hackers — reached 95 percent. The number of botnets in the world is estimated to be 3.5 million to 5.4 million. One of the big problems is drive-by attacks, which infect legitimate web sites with malware. Of 42,926 domains identified as malicious in 2010, the majority were compromised legit domains. Clearly, there’s still a big opportunity for security entrepreneurs, as malware problems are nowhere near being eliminated.

The report from Mountain View, Calif.-based Symantec also says that this year the average number of new malicious web sites blocked each day rose to 3,066, compared to 2,465 for 2009, up 24.3 percent. Symantec said it identified 339,673 different strains of malware among the 115.6 million emails that it block during the year. About 95.1 billion phishing emails are projected to be in circulation in 2010. The amount of spam was measurably reduced in October when the spam affiliate Spamit was shut down.

Botnet bosses are expected to continue to use steganography, a technique for hiding commands in plain view by embedding them in images or music files, to control their herds of computers. The steganography allows botnets to operate without oversight by an internet service provider. Rustock, the largest botnet with more than 1 million bots under its control, is expected to produce more than 44 billion spam emails per day, double the number it did last year.

Overall, cyber criminals experimented with many tactics in 2010 to keep spam and other malware at all-time highs, said Paul Wood, senior analyst at MessageLabs Intelligence. The scammers took advantage of events like the soccer World Cup to spread malware. they also disguised malware in short links and social networks to lure unsuspecting victims.

Roughly 200 to 300 corporations are targeted each month with specific malware meant for that organization. [illustration credit: itp.net]

IBM researchers said the recent growth of cloud computing and remote desktop access will likely become a sore point for security issues, as hackers cracking into a master rig that controls several virtual desktops could theoretically access all of those desktops.

Web apps had the largest number of security vulnerabilities, growing by 55 percent year-over-year. The report indicated that incidents of malicious code hidden in JavaScript, a common interactive scripting language, and other Web app code rose by 52 percent compared to the same period a year earlier.

Exploits of documents in Adobe’s PDF format rose 37 percent. Most of that increase can be attributed to the use of PDF exploits earlier this year to expand the Zeus and Pushdo botnets, organized networks of infected computers manipulated remotely by hacker gangs.

Phishing activity, which involves tricking users into putting information like bank account logins into a website masquerading as a bank or email service, fell 82 percent from the same period a year earlier. Browser makers have taken measures to discourage phishing attempts by warning users. About half of all phishing attacks in 2010 were coordinated against financial websites, such as those of banks.

More than half of the security vulnerabilities listed in IBM’s X-force report were not patched by suppliers or vendors by the end of the first half of 2010, when the reporting period ended.

[Photo: Clip Works]