Why is credit card information not secure?

Credit card information prior to Windows 95 was relatively secure. A credit card number was provided to few people, and there were fewer ways in which it could be stolen. Once Windows 95 came, the average personal computer user had a TCP/IP compatible system, and millions of users poured onto the Internet and Web. Internet commerce became widely available, credit card information started being transmitted through many more computers, and the technology used to transmit credit card information became standard.

In previous years, the following were the most common methods used by criminals to steal credit card information:

• Digging through the trash at stores, a.k.a. dumpster diving
• Purchasing information from colleagues that worked at stores that could get receipts

Today, it is now a violation of Visa and MasterCard rules and regulations to print the full credit card number on a receipt. Additionally, most credit cards now have an additional three or four digit number that isn’t even allowed to be stored by a merchant, for added security. The current most common ways for criminals to get working credit card account numbers are:

• Social engineering and phishing 
• Purchasing information from colleagues that deal with credit card information for work
• Hacking into computers and networks that deal with credit card information
• Looking at the credit card of the person next in line at a store’s checkout counter
• Opening credit card accounts in other people’s names through identify theft

Unfortunately, all the precautions in the world won’t stop someone from becoming a victim. The whole credit card system is based on a promise to pay. It’s just too simple for someone to make a promise that someone else will pay, since at most times the security is simply posession of a an account number, with no real authentication mechanism in place.

For face to face transactions, the fear of a security camera and the security features on the credit card itself are supposed to protect the account holder. In telephone and Internet transactions, the shipping of a product only to the account holder’s address and the three to four digit security code are supposed to protect the account holder. For both types of transactions, the valid expiration month and year offers a little protection.

However, credit cards are being counterfeited in order to use stolen credit card numbers, for face to face transactions. Most cashiers at stores are not trained to look for the security features on a credit card and rather improperly concentrate on shopper profiling.

Merchants are incorrectly storing  the three to four digit security number when they’re not supposed to, resulting in successful electronic thievery of all information needed to purchase a service or product online or on the telephone. Additionally, merchants are more often offering to ship goods to addresses other than those on the credit card account in order to keep in business by taking the financial risk in a buyer’s market.

Today it’s also easy to purchase a disposable cell phone or a virtual telephone system in order for the criminals to provide telphone numbers to merchants for “telephone verification”. Telephone verification hasn’t been a good way to rule out credit card fraud for the past couple of years when dealing with even the most basic criminal.

What can be done?

The credit card banks expected the lack in security of the credit card account information. An individual’s credit card usage isn’t safe because criminals don’t have the account information. Credit card usage is safe due to agreements in place between the credit card issuing banks and the merchants that accept those credit cards for payment.

Even though many merchants simply aren’t playing it safe, and not following the rules, it’s these merchants that are taking the financial risk by not ensuring that they are dealing with the account holder. Most credit card account holders are completely protected from criminals purchasing products and services on the victim’s account. Simply reporting any suspiscious activity or the loss of possession of a card completely relieves the card holder of any financial responsibility. Even if the card or card number isn’t reported lost or stolen, the financial responsibility of the card holder is usually limited to only $50.

I recommend that all credit card holders demand that stores verify the signature and check the security features of the card before accepting it for payment. If a store clerk doesn’t do these things, ask why, and then ask for a manager. If a merchant is suspicious, don’t let them ask for identification (ID), which really proves nothing, especially if they haven’t checked the security features of the card or verified the signature. It’s against all of the major card issuer’s rules and regulations that a merchant require ID to accept a credit card for payment, as it leads to lax security and to customer profiling. Having an unsigned card presented for payment is the only time that a merchant should ask for identification and then ask the card holder to sign the card. If a merchant is suspicious, the merchant should call the credit card issuer for further instructions, but never ask for identification.

It’s a common misconception that one can simply write “See ID” on the signature panel of a credit card to ensure that the merchant checks for ID. In theory, this should only work once, since a card presented without a signature can’t be accepted until it’s signed.

Additionally, don’t let a merchant copy down or store the three to four digit security code on the back or front of the credit card.

If someone calls and asks for your credit card information to pay a bill, ask if you can call them back at the number printed on your invoice to pay.

However, most of all, don’t worry. If a criminal gets your credit card information, most likely it won’t be because you weren’t cautious enough. Using a credit card is safe and offers protections not offered by using cash. The fact that credit card theft is on the rise is nothing to lose sleep over, for a card holder. On the other hand, if you’re a merchant, you should call your credit card processor and ask what precautions you can be taking to help prevent fraud.

Wow, it’s been nearly a month since I have blogged. I’d like to apologize, and I have no excuses other than things are busy here at SpamStospHere with a new e-mail archiving and e-mail business continuity product. Additionally, I’m trying to get used to working a new shift and there were some holidays in there. I was mostly surprised at how much time had flown. In any case, there has been revealing SSL research, the findings of which were presented at the Chaos Computer Congress in Berlin.

SSL and the the Chain of Trust

Secure Sockets Layer, also known as SSL, is a public and private key encryption method. Additionally, public keys can be digitally signed by an entity, turning them into a certificate. This certificate then can be used to encrypt data, but the signing can also be used for identity purposes. This ensures that you’re not only encrypting your data, but you’re also sending it to the proper entity, for decryption.

At the top of the chain of trust is the certificate authority, also known as a CA. A CA certificate is used by a certificate authority to sign the certificate of another entity, showing in some way that the certificate authority trusts that entity’s certificate. By default, most web browsers and other applications that use SSL have a dozen or so locally trusted certificates, that recognize these certificate authorities as trusted. When establishing an SSL connection with a remote computer, if the remote computer is using a certificate that is signed by one of these trusted CAs, and as long as the hostname of the remote computer matches the name in the certficate, the remote computer is going to be trusted with accepting encrypted data without any warnings or security alarms going off.

In addition, if a CA certificate is signed by a trusted CA certificate, this establishes a longer chain of trust where certificates signed by the secondary CA would also be trusted by the browser or other SSL implementation.

The vulnerabilty

For many years, computer research has shown the weakness of using MD5 for hashing. The 128 bits used by MD5 hash lead to a high number of collisions. A collision is when two different sets of data are processed that result in the same hash. However, MD5 was superior to the 56 bits of Digitial Encryption Standard, also known as DES, which it had generally replaced. The MD5 hashing was also exportable outside the U.S., where DES was not. Additionally, MD5 was still very computationally fast for computers available at the time.

In 2005, some researchers at the Technische Universiteit Eindhoven (University of Technology) in the Netherlands, had published a paper on how MD5 collisions made it possible to have two certificates with the same signature, although the same owner name. In this case, the certificates are being signed with an MD5 hash function, which some CAs use to sign certificates.

In 2007, the same research team published a paper showing how an MD5 collision allowed two certificates with different common names and organization.The researchers used different sized keys for each of the two certificates, the only way to get the math to work out so that both certificates have the same signature.

In December of 2008, at the Chaos Computer Conference, the Technische Universiteit Eindhoven research team spoke on their latest research. Using new attack methods on the MD5 cryptographic hash function, the team was able to create a CA certificate that is signed by a CA that most Web browsers trust by default. This allows them to sign any certficate and have it trusted by web browsers. They did this by having a CA sign a non-CA certificate that had a collision with their rogue CA certificate. Once the non-CA certificate was signed, they then applied the signature to their rogue CA certificate.

Interestingly, the research team used a cluster of 200 Sony Playstation 3s to do the math computations. The PS3s did the hardest part of the math in only 18 hours.

The implications

In the past, you could be sure that you were actually providing your SSL encrypted data to the computer listed in the location bar in your Web browser, as long as you didn’t receive any warnings from your Web browser. Now, you can’t be sure. It’s as simple as that. Are you really connected to your bank’s Web site, or are you connected to a computer posing as your bank’s Web site? There’s no way to be sure.

Although not all CAs are still signing certificates with MD5 hashes, it was easy to target one that was. The research team said that they won’t release the more scientific information for a few months, in order to allow the affected certificate authorities to remedy the vulnerability. Like the DNS research from last year, it may not be long before many other researchers start reverse engineering the limited information and making fairly accurate guesses as how this might be accomplished. Surely exploits will be available in a few months after the more detailed paper is available.

Who is involved and how to solve?

RapidSSL, FreeSSL, TC TrustCenterAG, RSA Data Security, Thawte, and Verisign all had issued certificates in 2008 that had been signed with MD5. In theory, these CAs would need to revoke their certificates and issue new ones to resolve the issue, as well as offer resigning of all certificates previously signed. However, this problem will likely simply fall in the hands of the average user and the SSL implementation developer. Web browsers will likely simply stop trusting all certificates signed by MD5, requiring many web site owners to get their certificates resigned. Older browsers, like Internet Explorer 6, are unlikely to be patched.

This problem is similar to the DNS vulnerabilities researched last year, that had people unable to trust where they were sending their unencrypted data for several months. Due to the limited number of vulnerable recursive DNS servers, this possible nightmare was resolved rather quickly, and likely only cost hundreds of thousands of dollars and hundreds of thousands of man hours.

The damage caused by these CAs continuing to use a known insecure hashing functions will have people unable to trust where they’re sending their encrypted data for many years. The likely cost will be in the millions of dollars and it will take millions of man hours to make SSL secure again for the average computer user.

I had heard about green power supply units (PSUs) for computers back when I was building a “silent pc” using the information from SPCR. It only made sense that in order to have a quiet computer, you needed to get rid of the moving parts such as constantly running fans. In order to get rid of the constantly running fan on the PSU, it was necessary to have a PSU that didn’t run hot. In order to accomplish this, the power supply had to be efficient. Most power supply units only convert AC to DC power with 70% efficiency. The other 30% is lost and primarily converted directly into heat. Most fanless power supplies use heatsinks to deal with the heat, but they’re also typically more efficient, by converting 80% of the AC power into DC power. Depending on how many watts your power supply is pulling, a 80% efficient unit put out half the heat as a 70% efficient unit. There are some fanless power supply units that are marketed as being 89% efficient.

Besides the obvious cost savings in electricity used by the device, using more efficient power supplies can also offer the following benefits:

• Less heat generated also means less electricity used to cool the server room
• Not having a fan in the computer’s power supply can help lower the amount of dust in the computer, increasing the life of the system
• The cooler the system is, the better it is likely to operate under load
• A cooler system will likely increase the life of the system
• Less electrictiy means a greener earth, and lower carbon footprint for your company

There are a lot of eight port gigabit port switches to chose from, but I could only find one that was advertised as being “green”. The DGS-2208 from D-Link is a 8 port gigabit switch that only sends power to the ports that are being used, unlike most switches that will send power to all ports regardless. Additionally, it determines the cable length and uses less power to transmit signals over shorter cables. The DGS-2208 uses the least power when using cables under 20 meters, which is longer than most home users require. The switch also offers a 144KByte buffer per port and jumbo frames up to 9600 bytes, which are quite acceptable. When I touch this switch after it’s been running for weeks, it’s just slightly warmer than room temperature, and I no longer worry about extra cooling.

A new study by GreenFactor, an ongoing global technology and environmental research initiative, found that consumers are getting savvy about green and are demanding that electronics brands provide more clear information about their products’ engery savings.

The GreenFactor study found that saving energy is the most important reason why consumers are considering green electronics, but that the barriers to purchasing green are primarily from manufacturers not providing information, from the additional cost of green products, and from lack of availability. I recommend reading the rest of the results of the study at GreenFactor’s Web site.

I definitely am having a difficult time finding network security products that are advertised as being green. Although I can highly recommend that everyone start going green with their next hardware purchases, I’m not sure that there are that many options out there. If anyone knows of any, please contact me.

Of course there is no substitution for energy savings when it comes to turning systems off when not in use. An Internet server that is shut off when not in use is also generally more secure. Don’t forget that some extras steps are needed to monitor a system that is turned off, in order to detect when the server goes missing.

It’s a fact that whomever wants to gain access to your systems or data can accomplish this if enough resources are put to the task. The amount of resources that your company spends on protecting your systems and data is typically the only factor that determines whether or when your company experiences its first or next security compromise and also whether that security compromise is even detected.

The first step at avoiding a security compromise is determining your company’s risk, the value of your data or systems, the amount of damage caused by any compromise, and then using that as a basis on determining the resources spent at protecting against a security compromise. How many security professionals does your company want to hire? How much freedom will they be given to interrupt business processes to improve security? How much money and time will they be given to accomplish their goals? How much time will be spent continuously improving the system and training personnel? I know that many company members are reading this article right now that know that their company hasn’t spent anything on information security. There is no perfect security, and no company has limitless resources to throw at it. Your company must simply pick a reasonable plan for the situation at hand.

Hind sight is 20/20. After something goes wrong, it’s going to be easy to see where your company’s plan wasn’t perfect. Or if the plan was sufficient, perhaps the plan was improperly executed, or perhaps the proper amount of resources hadn’t been utilized to execute the plan. Whatever you do, don’t blame the plan, as long as it was reasonable given the information available at the time. It’s time to assess how the plan needs to be adjusted.

Don’t pick a scape goat. It’s unfortunately easy for a company’s executives to decide to fire the security personnel after the company suffers a financial loss due to security compromise. In my opinion, that is the worst thing to do. When a company has a security compromise, the company has found that it did not put sufficient resources on the task. It’s time to hire more security personnel, not fire the ones that it has. It is extremely rare for a company to have a security compromise that was caused by the negligence of security personnel. Usually, compromises are the result of short sightedness and apathy by the company to establish a plan, or to execute it. Usually the security peronnel knew what needed to be done, but the company was hesitant to put the resources into accomplishing those things that were needed. Again, hindsight is 20/20. As long as your security personnel did what the company told them to do and gave them the resources to do, they can’t be blamed for a security compromise that was unexpected. All security compromises are going to be unexpected. A compromise will never show where your protections against them were sufficient, but rather only where they were not sufficient. If you weren’t ready to fire the security personnel before the compromise due to the lack of a reasonable plan given the information at hand, then they shouldn’t be fired just because there is new information.

When an organization has a security compromise, it’s time to hire a security consulting firm and probably some lawyers. It’s time to adjust the plan and to keep moving onward with the mission. It’s not time to have a blamestorming meeting.

However, it’s never too late or too soon to put more resources toward preventing your first or next security compromise.

In June of 2003, Microsoft announced plans to purchase GeCad Software, a Romanian based antivirus firm. Microsoft did this as part of it’s “Trustworthy Computing” initiative, a plan to fix the nearly two-thirds of Windows users who don’t have current antivirus software installed. If Microsoft could get this product out to its operating system users for a fee, it would stand a good chance of not only making a profit, but also securing millions of connected PCs.

Most computers users are home users that will faithfully use the McAfee or Norton antivirus products that came installed on their new PC, or at least until the free trial of the software ends. Most antivirus software being run by home computer users is not the latest version and is not receiving any updates for new viruses due to a lapsed subscription.

In November of 2003, Microsoft partnered with Computer Associates to offer a free year of eTrust EZ Armor antivirus software as part of its “Protect Your PC” campaign for Microsoft’s Windows operating system users. This move was apparently to fill the gap that Microsoft would need to roll out its own antivirus technology garnered from the GeCad deal. The partnership briefly sent share prices down for CA’s competitors, and got the CA name out to regular computer users regarding security products. Unfortunately, most Windows users never took advantage of this free download, and the “Protect Your PC” campaign was only mildy successful.

In May of 2006, after a long beta program, Microsoft started offering Windows Live OneCare, the company’s fee based antivirus, anti-spyware, and firewall solution which satisfied the needs of Windows security center alerts. Unfortunately, even though the product was offered by Microsoft itself, their antivirus software was still installed far less often than other trial version products installed by computer manufacturers and retailers.

Tuesday, November 18, 2008, Microsoft announced “To address the growing need for a PC security solution tailored to the demands of emerging markets, smaller PC form factors and rapid increases in the incidence of malware, Microsoft Corp. plans to offer a new consumer security offering focused on core anti-malware protection.” The product will be released in the second half of 2009 and will be code-named “Morro”. The software promises to have a small footprint and not require high bandwidth Internet connectivity to maintain.

Based on the information in the press release, Morro will use the same engine as it’s OneCare product, borrowing from technology purchased from GeCad Software. Although this technology has not performed as well as other free antivirus products currently on the market, I’m hoping that Microsoft will finally push this product as part of the core Windows operating system. Unfortunately, most users just aren’t aware of free antivirus products for their PCs. If Microsoft can get the word out through it’s update system, we could see a decrease in the number of malware infected Internet hosts, and protect millions of computer users from privacy and security problems that often lead to credit card fraud, theft of funds, and identity theft.

Free antivirus products are currently available for home users from Avira, AVG, Avast, and many more vendors. I personally recommend Avira, due to it’s high catch rate for malware threats.

A VPN is a virtual private network. In the most basic terms, it is a tool that makes a network that is accessible over a public network to be accessible as if you were on that private network. This is usually done by tunneling the traffic, securely, through the public network.

If you’re slightly familiar with Internet networking, you’ll know that TCP/IP stands for TCP over IP, indicating that Transmission Control Packets are encapsulated within the Internet Protocol to be routed over the Internet. This is similar to the way that a postal letter is encapsulated in an envelope. The postal service routes letters without looking inside the envelope, allowing confidential information to be passed, and this can be done over the Internet as well. To ensure privacy, the postal letters could be ecnrypted, and so can the data within the IP packets. This private route through the public network is often visualized to be a tunnel through the cloud that is the Internet.

There are many ways to implement the encryption required to establish the private tunnel, but SSL is one of the most recently popular ways to do it. Using the same public and private key encryption used by your Web browser to securely visit your bank’s web site, a secure tunnel can be established between two gateways, or between a host and a gateway. Since encryption technology must be available on both ends, SSL makes for an easy implementation since most computers already have SSL available. Combined with a JAVA application to implement the SSL technology, you end up with a rather platform independant solution. This is the solution offered by SSL-Explorer, provided by 3SP Limited.

This means that I don’t have to bring anything with me on my vacation. From a public terminal, I can use a virtual keyboard to enter password authentication (to fight anti-privacy keyloggers), and then establish a VPN from any JAVA enabled web browser with SSL. Other authentication mechanisms are available, and many organizations with road warriors may want to use digital keys. With the VPN established, I can access resources on my private network that are back at the office and even use the Web proxy on my private network to help ensure the security of any Web usage.

SSL-Explorer is easily installed on any Linux or Windows gateway, although I don’t know who would be using a Windows server as a gateway. It comes with an entire VPN solution, including the client for the roaming user. A two user license is complimentary, and additional licenses are available. The software has many advanced features that should meet the needs of the user of almost any other VPN product available.

Today, I’m writing about OTFE for Linux servers. The benefits of OTFE are that you only have to type a password once, and then the encrypted data is easily accessible for the entire session. However, if someone steals your hard disk, the data is as secure as your encryption key.

If you’re running Ubuntu or OpenSuse, I recommend TrueCrypt for everyone. It’s easy to install and allows you to encrypt a file or a partition as a virtual file system. It even includes a timeout unmount, which FreeOTFE for my PDA doesn’t.

If you’re running an enterprise Linux, such as Red Hat Enterprise Linux or Suse Enterprise, you will need to compile TrueCrypt from source, which is quite difficult and not recommended for your average user, as there are several dependencies:

GNU Make
GNU C++ Compiler 4.0 or compatible
Apple XCode (Mac OS X only)
pkg-config
wxWidgets 2.8 library source code
FUSE library

Several of which have further dependencies that are quite difficult to work out.

If you use an OTFE product, I recommend operating without swap, or use TrueCrypt to encrypt your swap partition. Otherwise, you may inadvertantly under some situations have your sensitive data stored unencrypted on your hard disk.

Although many organizations are likely to protecting data with passwords and a network firewall, there are many network access controls that are overlooked. I’m going to cover some of the most common ones.

Centralized Control

Many organizations allow their users to store company data on computer workstations. Unfortunately, the company usually has no way to monitor logins on those computer workstations, even multiple failed logins in a row. Addtionally, there is no way to audit access to the information stored on the computer workstations.

Most organizations would do well to have only applications installed on the computer workstations, and then store all data for those applications on a centralized server that requires authentication and is in a secure facility. A criminal, including any disgruntled employee, should be able to run away with a computer workstation and have nothing of value other than the hardware itself.

If data is stored on the computer workstations, they should have encrypted file systems and your users should log out of the system when it’s not in use. Auto log out after periods of inactivity should be enabled.

Passwords for access should be changed on a regular basis.

Data Encryption

Most data access control is simply a software mechanism that allows access to the data stored on a hard disk. The easiest way to steal data is usually by stealing the entire hard disk, bypassing the access mechanism. All valuable data should be stored encrypted with a strong encryption key.

Additionally, it’s very important that your off-site backups are encrypted. It’s very common to have a centralized server protected with excellent physical security and then to periodically just let all of that data out the front door on it’s way to the secure off-site storage. This weak link in the physical security can be protected with proper encryption.

Remote Access

Make sure that any wifi routers on your network are necessary and that they use WPA for encryption. Change the key on a regular basis and retain strict control over it, by not allowing it to be copied.

Make sure that any VPN access to your network is tightly controlled. Maintain strict control over any certificates and expire ones that are no longer needed.

Ensure that any dial-up modems on your network allow only proper access, and that any authentication mechanisms are expired when no longer needed or on a regular basis.

Usage Policies

Users should not be allowed to install any software on their computer workstations that hasn’t been authorized by the company. Additionally, no storage media or personal computing devices should be allowed on the company’s premises that haven’t been authorized for use by the company. No company data should ever be allowed on a personal computing device.

Monitoring

Companies should monitor all access of the company’s network and data. This can include MAC address monitoring at the switch which can help show unauthorized devices on the network, as well as include failed and successful logins, and what data was accessed and when.

If you haven’t seen my previous articles on phishing, you may want to check those out to help your users. Today, I’m going to be writing about protecting your users from themselves.

Unfortunately, in this day and age, many workers with desk jobs where Internet connectivity is readily available will be tempted to use the Internet for non-work related activities during work hours. Although this is or should be against policy at most organizations, our easily distracted work force is finding it easier and easier to get away with it.

Notifying Your Users

The first thing that I would recommend is notifying your users that their Internet use at work is being monitored. Although I’m not an attorney, and don’t know if this covers you legally, it is just common courtesy. If you let your users know what to expect, there won’t be any surprises.

Monitoring

The next step is likely to monitor your users’ Internet activities, to see if your organization has an obvious problem and to help form any new policy.

I would recommend setting up a transparent web proxy. A transparent proxy is set up by having your network firewall intercept all requests for web traffic, sending them through a proxy server that proxies all of the web requests and responses. Logging is then enabled on the URLs being visited, as well as the local network IP addresses that are visiting them.

Squid is a caching proxy that supports HTTP, HTTPS, and FTP. It available as a package for most UNIX/Linux distributions, or can be built from source, which is readily available. There are also instructions available for configuring Squid as a transparent proxy.

Besides the Squid logs, you will also want to monitor and log any other Internet traffic. This will show everything that isn’t web traffic, including Internet applications other than web browsers such as instant messaging clients, as well as attempts to bypass your web proxy. You will want to enable this on your firewall itself. Simply log all other traffic leaving your network workstations that are destined for the Internet.

Policies and Enforcement

Coming up with an Internet usage policy is difficult for employee relations, but it can protect your organization’s assets from malware. If your users aren’t visiting non-work related web sites and aren’t checking their unprotected personal e-mail at work, they’re less prone to being infected by malware.

If you come up with a sensible policy, it can help your workers become more productive. Many organizations choose to allow their employees to use the Internet for non-work related things during their breaks. However, even this usage should be limited to paying bills and checking personal e-mail. I would recommend against allowing any file sharing, gaming, or instant messaging, especially.

One way to do this and still protect your workstations and prevent workers from always being on break, is to have one or two terminals in a common area available for non-work related use. The terminals can be running Windows under a non-administrative user, or have the machines simply be dump terminals capable of running a web browser only. This will ensure that no workstations use the Internet for non-work related purposes. Additionally, it will be easy to see who is using the shared terminals the most, and the users will often police eachother. It will also encourage your users to get up and leave their desk during their break.

Policy enforcement is also very difficult. Many organizations are short staffed, and typical  punishments like unpaid time off are simply not an option. Many organizations choose to instead award those who are following the policies, however this likely is not an option when it come’s to your organization’s information security. Information security policy violations should be stopped immediately, but this doesn’t necessarily require punishment. Try these steps:

• Ask the employee why they broke the policy, and ensure that the policy is clear and can be easily followed.
• Ask the employee what they need from you in order to follow the policy.
• Offer alternatives that can help the employee from repeating the mistake.
• Try retraining the employee and provide goals that must be reached before the training is complete.
• Establish goals and consequences of failing to meet them, such as deduction in pay, change of position or termination.

I will be going into more detail on computer usage and locking down your network in my next article.

The e-mail message reads:

Hello username, the bill is attached.  Password is 123.

Upon analysis, this appears to be the same virus as spread in the forged CNN and MSNBC news alerts from August. The virus is installed as a service named “CbEvtSvc”, which typically runs from a file located at “C:\WINDOWS\system32\CbEvtSvc.exe”.

A long time ago, it became common place for viruses to arrive in password protected zip archives, with a random password in the body of the e-mail message in plain text or in an image. This distribution mechanims was actually working for the virus authors, and getting past many anti-virus products that couldn’t open up the archive.

However, the anti-virus engines caught on and just marked all password protected zip files as suspicious. Additionally, the password protection prevents many users from executing the file, just because it’s an extra step or due to ignorance on how to unzip the virus.

It’s no longer practical for virus authors to send out a virus in a password protected zip file, and these messages don’t even appear to use different random passwords. The new form of this e-mail borne virus is very unoriginal compared to the previous fake news alerts. I have to wonder if the virus writers are simply bored or have thrown in the towel.

This virus is being identified by Microsoft as TrojanDownloader:Win32/Chepvil.H, and by f-prot as W32/Trojan3.AY.