Jason Fisher
Director of Product Management, Symantec Backup Exec

• Sensationalized "fake" news headlines
• Use of seemingly real news headlines
• Purported download for the latest version of Internet Explorer
• Malware + spam + phishing = The triple security threat for financial institutions
• Airline e-ticket connects malicious code and spam

Based on the contents, the victim is invited to click on the links to get additional information, but ends up getting fake pop-up messages generated by fake Web sites hosting misleading applications. Here is an example of one such pop-up message:



When the victim clicks the OK button, a fake antivirus installer is downloaded to the victim's machine. The link on the "Microsoft Windows History" page contains a link to "hxxp://anitspy.com". This link will redirect the page to "hxxp://llab.com". If it is a user's first visit to the site, then the site will redirect that Web page to a malicious Web site (hxxp://pc.com), which serves up a misleading application. In other instances the page will be redirected to a search site called "hxxp://searcher.com," where the user will see an advertisement to download fake antivirus software. The complete scenario makes it seem as if attackers are running underground affiliate networks to promote misleading applications.

Social engineering attacks that involve victims who are tricked into clicking on malicious links are not new; however, now the attackers have started using free service sites as a new attack vector to push their misleading applications. Symantec has built excellent safe browsing features in its 2008 solutions and continues to enhance protection technologies in its upcoming 2009 product offerings. Symantec continues to detect misleading applications, including those mentioned above. We recommend that you keep your computer and Internet security products and definitions up-to-date, patch your systems, and run your Web browser with limited options enabled.

What we have observed are spam messages that contain a link to an .swf file. This file is hosted on a popular image hosting site. When clicked, the link redirects to various Web sites and so far we've seen medical supplement and adult-oriented sites as the destination of the redirects.

The .swf attack with the largest volume observed is the German pharmacy attack, with over 300 million instances seen. The body of this message is in German and includes a list of medications that are offered for sale along with the price and assurances that the transaction will be discreet. To order a product, you are directed to click the link of the .swf file, which then redirects you towards an online ordering site. These sites, as well as the .swf links, seem to be rotating fairly often which is a common spammer technique.

Another spam sample seen hosting a .swf link was what appeared to be a job recruitment advertisement that required "no professional skills" and instructed the recipient to click the link to fill out the job application. When clicked, the link redirected to a medical supplement site:

If you are interested in our job offer, please click on link and fill application form
http://imgXXX.[removed].us/imgXXX/9823/[removed].swf

Reality video site starring real swinging couples
http://imgXXX.[removed].us/imgXXX/5742/[removed].swf
2-4 eggs beaten (extra yolks or whites are welcome) 45 minutes. Set aside =
to cool. Note: you can also use cooked white rice. I you use for storing =
the starter!

Subject: We have hijacked your baby
Content-Type: application/zip; name="photo.zip"

"Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later...
We has attached photo of your fume"

Well, now that my dreams of an early retirement are shattered and I'm back on Reality Street, there are some sober lessons to be learned from this. It is probably not news to you that there is a heck of a lot of scams out there and identity theft is rife. Recently I posted an article about an Olympic ticketing scam that ripped off many unsuspecting people, but this job scam might not necessarily rip you off. In fact, if you "cooperate" with the "processing department" of Mortgagee Union Trust you might even actually make a bit of cash by transferring funds from one account to another when instructed. (The job title should actually be "Money Mule," but it doesn't have the same air of self importance that "Monetary Operator" does.)

Whether you can make much, if any, money by taking part in this scheme is uncertain. What is certain is that you will inevitably be playing the pawn in a global game of scams, online crime, and money laundering. Next time an offer that's too good to refuse comes a-calling, save the precious gas and reduce your carbon footprint by using the Internet to visit the company, check out their credentials, and satisfy your curiosity that they are indeed a legitimate organization. Only when you have checked and double checked should you part with your valuable personal information.

And, the tried-and-true method by which the Storm team successfully infects machines hasn't changed either. The method consists of bulk emailing with "interesting" content aimed at enticing the victim into either visiting a Web site or opening an attachment.

The various topics used per spam round included war, politics, murder, adult entertainment, romance, public holidays, sporting events, business transactions, surveys, terrorism and natural disasters and these are certainly a contributing factor to the prevalence and persistence of infections. Such topics, based both on real-world current events and false-but-interesting scenarios, still appear to be a fairly successful propagation technique and are clearly favoured by those behind Storm.

At the heart of the rootkit are two files: in this case, glok+serv.config and glok+767-4e80.sys. The first file contains a list of encrypted peers with which the infected host maintains contact with and is updated periodically with new nodes, and the second is the rootkit-based service which performs all of the primary functions of the zombie including spamming, denial-of-service and component updates. A range of API calls are hooked by the rootkit in an attempt to hide its presence on the system, such as ZwEnumerateValueKey and ZwQueryDirectoryFile.

The botnet itself runs its main operations over UDP, communicating via a fairly aggressive peer-to-peer network. The resulting traffic surge is fairly easy to spot:

The sale of spam-capable services that run from public hosts can net a bot controller a nice income, because fresh zombies can send upwards of 10,000 emails a day. And even if a particular Storm zombie is added to one of the many available spam blocking lists, the bot controller can still run distributed denial-of-service attacks with devastating speed. Also, the variances in the operation of Storm aren't restricted to email subjects, as we have watched its operators use polymorphic packers to defeat CRC-based detection, then experiment by removing the rootkit functionality to leave a plainly visible executable, and then return once again to a rootkit-enabled version.

We get quite a few questions in the form of "Yes, but if I get infected what does this actually mean?" To sum it all up, it means that:

• Complete control of your computer system is in someone else's hands.
• Any unprotected private information stored on your system is effectively no longer private.
• Your machine can be used to attack other machines on the Internet.

This particular link (circled in red in the above image) points to one of a range of fraudulent pages hosting the file install.exe (detected as Trojan.Pandex) which, once executed, gets down to work.

After an encrypted check-in with one of the control servers, several DNS lookups are performed for the malicious domain, which points to a range of fluxing IP addresses under the control of the attackers. The "stub" retrieves a copy of the file 14scan1.exe (detected as Trojan.DesktopHijack.), which changes the victim's desktop:

Then, fake security software known as "Antivirus XP 2008" (detected as AntivirusXP2008) is downloaded and installed on the victim's machine:

The results from this supposed scan are, of course, fraudulent and rely on unsuspecting victims to pay the activation fee in order to mitigate these non-existent threats. To add to the confusion, a fake "Blue Screen of Death" screensaver is silently installed and activated, and some of the graphical display controls in the Display Properties tab are disabled so the user cannot change the screensaver back to the original one easily.

As mentioned above, Symantec has a number of detections for the malicious files. In addition, Symantec Browser Detection triggers on malicious pages as HTTP Fake Codecs WebPage.

You may also have seen reports of malicious spam doing the rounds with updates to Microsoft products, including the Malicious Software Removal Tool and Internet Explorer 7, videos with adult material, and news alerts from CNN and MSNBC. The links contained within these spam emails also end up downloading and installing the fake Antivirus XP 2008 software.

Whether the group behind Antivirus XP 2008 are controlling this entire campaign or have employed the services of additional malicious parties to enhance the success of their spam delivery service, over 500,000 spam emails have been recorded via our probe network with links to Antivirus XP 2008 in the past 14 days, representing quite a large spike in activity for a single threat. As always, make sure you update your security products regularly to ensure you are protected against the latest threats.

Felix began his talk by explaining the impact of successful exploitation of Cisco IOS vulnerabilities, providing some details about Cisco IOS internals, and then explaining why the flat memory format is so dangerous. For example, even the smallest memory corruption bug could potentially be leveraged to overwrite critical structures anywhere in memory. "Just how often are routers hacked?" was covered with some very interesting points, such as the threat of TCL backdoors and patched IOS firmware. He also brought up an example of an old vulnerability that continues to see exploitation, namely, the old HTTP level 16 bug that is still being exploited in the wild, as well as the new SNMP HMAC issue. So, routers are being targeted in the wild and I believe this will only get more common, especially as other targets become increasingly difficult to exploit. A path of least resistance, if you will.

In his presentation, FX also covered how the Cisco IOS router is a volatile memory system. From a forensics perspective, this makes it very difficult to find any evidence of an attack after the system reboots. How does an administrator tell the difference between a "normal" router reboot and a reboot that is the result of an exploit attempt? The talk evolved into a compelling discussion about Cisco IOS crash-dump functionality and how it can be used for the purposes of forensics without impacting the performance of the router. Postmortem analysis of a crash dump file that is far too in-depth for the scope of this blog entry was covered in detail. This research is exciting. The Cisco Crash Dump analysis tool dubbed "CIR" (which FX says is a work-in-progress) is available as an online service for free. For those paranoid about uploading their crash dumps to a third party, it is my belief that a professional standalone version of the tool will be made available by Recurity labs. (But, I could be wrong about this-it would be best to contact Recurity Labs for more information.)

I can't end this blog without mentioning two of the other high points of my day. The talk given by Ben Hawkes named "Attacking the Vista Heap" was excellent. The talk came to the conclusion that heap exploitation is no longer generic; instead, it is now application-specific, requiring certain conditions to leverage corruption into code execution. However, lots of interesting techniques were divulged. I followed up his briefing by attending the Alexander Sotirov and Mark Dowds briefing on "How to Impress Girls with Browser Memory Protection Bypasses." Wrapped in droll comedy, this briefing was fantastic. It started out with a demonstration of an exploit achieving code execution on Windows Vista with GS, SafeSEH, DEP, and ASLR enabled. Really, it is far too detailed to cover here along with the Cisco IOS forensics talk. I don't feel that I'm doing the talks any justice in my attempts to describe them, so I'd say that it's best to go explore the Recurity CIR wiki for more complete information on this research and to read the "How To Impress Girls With Browser Memory Protection Bypasses" paper and code. GS, SafeSEH, DEP, and ASLR - all defeated in a client-side exploit. Why are you still reading this? Go read the paper!

As always, customers are advised to follow security best practices, including:

- Avoid sites of questionable or unknown integrity

- Do not open files from unknown or questionable sources

- Run all client software with the least privileges required while still maintaining functionality

Microsoft's summary of the August releases can be found here:

www.microsoft.com/technet/security/bulletin/ms08-aug.mspx

Some of the more notable vulnerabilities this month are:

1. MS08-041 Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)

CVE-2008-2463 (BID 30114) Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.9/10)

This is a previously documented vulnerability in the Snapshot Viewer ActiveX control that allows an attacker to download a file to an arbitrary location on the victim's computer. An attacker must trick a victim into visiting a Web page containing malicious content to exploit this issue. If the victim does not currently have the ActiveX control installed, and the victim uses Internet Explorer 6, the attacker can install the control without any further user interaction. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Snapshot Viewer for Microsoft Access, Microsoft Office Access 2000 SP3, Microsoft Office Access 2002 SP3, and Microsoft Office Access 2003 SP2 and SP3

2. MS08-046 Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)

CVE-2008-2245 (BID 30594) Microsoft Color Management System Pathname Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote-code execution vulnerability affects Microsoft Color Management System (MSCMS) when handling a malformed image file. An attacker only needs trick a victim into viewing a Web page or email that contains a malicious picture file to exploit this issue, no further user-interaction is required. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 & SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 or SP2 for Itanium-based Systems

3. MS08-044 Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)

CVE-2008-3019 (BID 30595) Microsoft Malformed EPS Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office filters when handling malformed graphics images. By tricking a victim into opening a specially crafted Encapsulated PostScript (EPS) file, an attacker can execute arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3018 (BID 30597) Microsoft Malformed PICT Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially malformed PICT files. PICT files are normally associated with Apple Quicktime, but if opened with Microsoft Office, arbitrary code-execution can occur. An attacker must trick a victim into opening a malicious file to exploit this issue.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3021 (BID 30598) Microsoft PICT Filter Parsing Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially malformed PICT files. PICT files are normally associated with Apple Quicktime, but if opened with Microsoft Office, arbitrary code-execution can occur. An attacker must trick a victim into opening a malicious file to exploit this issue.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3020 (BID 30599) Microsoft Malformed BMP Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially crafted BMP image files. An attacker must trick a victim into opening a malicious file with Microsoft Office to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3460 (BID 30600) Microsoft Office WPG Image File Heap Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially crafted WordPerfect Graphics (WPG) files. An attacker must trick a victim into opening a malicious file in Microsoft Office to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office 2003 SP2, Microsoft Office XP SP3, Microsoft Office Converter Pack, and Microsoft Works 8

More information on these and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site's users, rather than forcing them to go to the Microsoft site to download and install the control.

This silent install attack is specifically detected by IPS (NIS, NAV, N360, SEP, and SCS) products as HTTP Snapshot Viewer ActiveX Download Request. If the subsequent exploit is encoded, it will be detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as MSIE MS Snapshot ActiveX File Download. If the exploit is not encoded, IPS will detect is as HTTP SnapShot Viewer ActiveX File Download. Additionally, Symantec antivirus programs will detect this attack as Downloader.

In July, some of the subject lines observed were:

• Beijing Olympics cancelled
• Beijing postpones Olympics due to McCain-Dalai Lama meeting
• Mccain Says Unsure If Obama A Secret Hippopotamus
• Kick-up - Obama speaks in London - video

In the samples observed, the URLs were hosting malicious code (malware). There is a continuing link between spam and other security threats with a penchant for spammers to utilize current events to lure users to open their messages.

Also seen last month was a spam message containing both a proclamation of the start of World War III in the text and a Trojan virus attached to the message. This is another example of spammers banking on human curiosity to open messages with sensational headlines and click links by utilizing current events, which in this particular case happen to be false.

Important to note is the prevalence of malware associated with such spam types. Victims too frequently succumb to curiosity and sensationalism rather than resisting the lure to open messages and further clicking the links. If the headline - or in this case subject line - seems ridiculously sensational, it probably is. If you do open the email, make very sure not to click any links. Instead, use your browser to navigate to a reputable news source and check to see if the headline is true.

Also observed by Symantec in July was a fraud attack targeting Microsoft's POP3 users. The spam email states that the recipient has a POP3 setting problem and needs to click on the URL in the mail to confirm the account data. The body of the email shows simple warning text informing the recipient that the message comes from Microsoft and detailing what the issue is. There is also a URL for the recipient to click to renew their POP3 data. Of course, the URL does not lead the recipient to the correct Microsoft Web site but a hacked Web site, which is being used to obtain personal information from the recipient.

So far, the volume of this particular attack is low. Whenever messages such as this are received, please practice due diligence by verifying the origin of the message and checking out the validity of the URLs. You should always use caution when giving out any personal information online because you never know exactly who is asking for it or how the information will be used.

For more on the above and other highlights, please see the August State of Spam Report.

This scam site claims to be able to source tickets for sold out sporting events, playing on the fact that many Olympic event tickets are already sold out due to huge demand. I checked out the site today and found that tickets for the opening ceremony (which were sold out some time ago) are still available from US $1,750 apiece. I guess to many people this looks like a fantastic opportunity to go to a once-in-a-lifetime event. Probing deeper into this Web site, I found many telltale signs that this site may not be quite what it claims to be. Let's look at some of them now.

First off, the "About Us" section of the Web site offers some clues:

I found some of the statements in this page a little suspect, which raised some questions in my mind. For example: "Beijingticketing.com has been trading since 2007. We are part owned by a major international sporting events company who have over 25 years experience in obtaining the best seating at popular and sold out events." Ok, so, if this outfit is part of a major international sporting events company with 25 years of experience, how come there is no mention of whom exactly this major company is?

Plus, as highlighted in various news reports, the contact details are inconsistent. The phone number is UK based, the office address is in Arizona. On this page it mentions that BeijingTicketing has "three international offices" -one in London, New York, and also Sydney. Alright; great, but then how come the only contact address is in Arizona?

Out of interest I decided to call the phone number given to see if I could book some tickets and I had a few questions for the sales person. Unfortunately, while the number in the UK actually connects, it just rings a few times and then goes dead. So, no luck getting tickets using the phone. Instead I decided to try out the e-ticket sales system. I selected tickets for the Tennis event and proceeded with the checkout, filled out a few standard contacts and billing forms. Then I was forwarded to the credit card information page using an SSL connection, and the tell tale padlock made its, usually reassuring, appearance. I filled in the form with obviously bogus information and interestingly, my transaction was successful!

What this suggests to me is that the backend is simply collecting personal information and is not running it through any credit transaction process at the time of collection. At the time of writing I see that this site is still live, and if you run an online search for "Olympic tickets" you will likely find that this scam site features prominently near the top of your search results.

The creators of this site have gone to great lengths to create a site that is extremely convincing, even down to the calendar of events and the amount of legitimate looking content on the site. Clearly this is the work of professional criminals looking to profit from even very savvy online users looking to enjoy an Olympic experience.

Please be careful and only ever purchase tickets to sporting events through the organizer's official ticketing partners and watch out for too good to be true offers such as last minute tickets to sold out events. As is always the case when it comes to buying anything online, buyers beware.

With that, we wanted to offer some tips to keep your online travels safe, even when you are away from home:

1. Don't let your laptop or PDA sprout mysterious legs. Leaving your laptop out in the open in your hotel room can often prove irresistible to a thief. Many thieves are even known to scour popular vacation or conference spots looking for someone who leaves their laptop alone. I'd go as far as to say that it's a good idea to be discreet about even having a laptop in the first place. Finally, along the same lines, with all the hoops people have to jump through at the airport, many passengers simply forget to put their laptops back in their bags at the security checkpoint. As a precautionary measure, you should encrypt your data before you travel. The last thing you would want is a thief getting their hands on a recent bank or credit card statement (or even pictures from your vacation last year).

2. Make sure all the critical software applications on your machine have up to date patches. This includes not only the core operating system, but also third party applications that you run - whether it's the software you use to purchase and play your favorite music, or simply what you use to view documents. Since you may find yourself surfing over less-than-friendly networks, it helps to ensure that you're not an easy mark for a cyber attacker.

3. Accidentally dropping your laptop while running to catch your flight can be hazardous to your data. And let's also not forget the risks associated with the person sitting next to you on the plane - whether they are looking over your shoulder or spilling a beverage on your device. A privacy screen can help keep your information secure. And backing up critical files can keep you calm if there is a spill.

4. Always run a comprehensive Internet security software suite that is up to date. While you are out and about, and connecting to the Internet in entirely unfamiliar locales, you should keep in mind that the network may not be completely secure. Therefore, it's good to keep your machine protected from the large number of malicious threats that surreptitiously traverse the roads of cyberspace.

5. Be careful of machines at the local cyber cafe or free internet kiosk - the last person to have used the machine may have unknowingly (or knowingly!) left a nasty piece of malware on there for you. In general, never use these machines to connect to a web site that requires you to type your password or for that matter don't type any sensitive information into these systems. For all you know, that information could be recorded and sent to an attacker half way around the world. In one instance we are aware of, travelers who failed to heed this advice had their brokerage accounts emptied because their passwords were recorded by keystroke loggers installed on machines in an Internet cafe. If you use your own computer at an Internet cafe, be sure that any sensitive information you enter into it is encrypted, either by using a virtual private network (VPN) or by ensuring that you are communicating over SSL.

The summer is a great time to relax and unwind. So, I hope you employ these tips and keep yourself virtually safe wherever you physically find yourself. Bon Voyage!

Password creation is a constant dance between security and convenience, where good passwords that bridge the gap are hard to come by. On the one hand, strong passwords, changed on a regular basis, do reduce the likelihood of success for a wide range of attacks. On the other hand, if you make something too complex, you run the risk of forgetting it-somewhat ironic evidence of its security.

So, the ultimate question is, how do you come up with passwords that are both strong and straightforward? It's something I've thought about on more than one occasion while staring at those twin text boxes, "New Password" and "Confirm New Password". So I put this question to a variety of folks within Security Response. What follows are methods used by people within the security industry to make passwords with a good balance of security and easy-of-use.

I want to preface this by stating that a strong password isn't the golden ticket to Internet security. There's been plenty of debate about the usefulness of passwords in today's world of exploits and social engineering tricks. Plus, if your password is picked off by a keylogger or spoof Web site, it's DOA no matter how complex. But passwords aren't going anywhere any time soon and strong ones do help keep your information safer.

Character substitution

Straight out of the Password 101 book, substitute numbers and special characters for letters that are similar in shape or sound: 3 for E, + for t, 8 for "ate". Vary capitalization as well. I'm mentioning these up front not because they're original, but to provide a word of caution. Most dictionary attacks these days take such substitution into account, and will often run these variations against common words. Simply put, something like "password" is not much more secure if spelled out as "P@55w0rD". Still, it's good practice, but should be coupled with other techniques.

A pinch of salt

A concept borrowed from cryptography, you can salt your passwords by adding a few pseudo-random characters. It could be anything from the year you got your first car to the number of claws your three-legged cat has. (Easily identifiable personal info, such as birthdates, is best avoided.) For example, I could take "cr4ck3rs", salt it with my weight in kilograms on Jupiter, and come up with "cr41ck36rs5". This technique makes dictionary attacks much more difficult, and significantly slows down brute force attempts.

Phrases from movies/songs

The world of movies and music provide a rich lexicon of phrases, ripe for password picking. There are the ones we all know, like "D0Uf33l|uckyPunk?" or "WH0|3L0++aLuv". Better yet, use lesser-known references ("Ch|03d0n'tKn0wB3++3r") or maybe play upon a plot thread instead ("0MG,Sh3W45aH3?!"). Of course, there's no limit to sources for such password phrases. Grab a sentence out of random book, try a quote from a comedian, or use a cheesy line from a newspaper advertising insert.

First letter sentences

Another twist on password phrases is to use the first letter of each word in a longer sentence. "Another world, another time, in the age of wonder" becomes "Aw,At,i+40W". This one also takes the teeth out of dictionary attacks, since it contains no words.

Other languages

Do you speak a second language? Do you want to? Try writing a sentence in another language, or simply incorporating a word or two into your password. Assuming your Italian is as "brutto" as mine, it's all the less likely it'll be figured out. (Still, be sure to include character substitution to avoid non-English dictionary attacks.) You could even mix it up with constructed languages, txt spk/lolcats grammar, or one of any number of language games.

Passwords as affirmations

Think of it as the Stuart Smalley approach. Need to watch the budget? ("S4v3S0m3$$") Spending too much time playing video games? ("L3t'sG0Ou+51d3") Tired of pining over the girl who lives in your building? ("A5kS4||y0ut") I'm not a psychologist, but typing in such a password on an average of eight times a day is bound to stick somewhere in the subconscious. Affirmations are more likely to be the types of things you wouldn't share with others as well, being more personal thoughts kept close to the chest. Just remember to keep them positive. "N0D0nut,ChuBBy" doesn't really help anyone.

Elements in page

Here's a clever one for Web-based accounts: create the password out of a combination of elements in the page. For example, if you were creating a password for the Symantec Technology Network, you could combine the first few letters of the dominant color on the page ("yellow"), the logo ("sphere"), and the last words on the page ("Contact Us"). To separate the different elements, insert a marker between each element ("Y3l!Sph!tUs"). There are two things to remember with this method. First, be sure to choose elements that are unlikely to change when the page is updated. Secondly, if you plan to use this for more than one site, establish a method you'll remember across various sites.

One final thing worth mentioning is that out all the responses I received, not one person used any of the above exclusively. In each case, most folks used a combination of the methods to shore up more secure passwords.

So there you have it. Hopefully there are enough interesting tips to finally retire that four-letter password you've used on multiple online forums for years. Still there's no need to go overboard, churning out the typing equivalent of a tongue twister. The key is to find a good balance between strength and ease-of-use.

The following spam subject lines have been seen:

Secret Plan To Kill Internet By 2012: Leaked?

PLAN TO KILL THE INTERNET BY 2012- Documented

2012: The year the Internet as we know it dies...

2012: The Year The Internet Ends

This certainly sounds devastating because many of us spend a rather large amount of our time, both as part of work and as part of life, online. Addition information on this apocalyptic event continues in the various body texts we have seen, including:

Every significant Internet provider around the globe is currently in talks

with access and content providers to transform the internet into a

television-like medium...

It's heresay, but I heard that the growth of the Internet will bring it to a

dead halt come about 2012. People are going nuts...

The reason why we're releasing this information is because we believe we can

stop it. More awareness means more mainstream media shedding light on it,

more political interest and more pressure on the ISP's to keep

the Internet an open free space...

It's happening and it could be as soon as 2010. There are documented facts

that the internet, as we know it today, will disappear. For those wondering

why we are experiencing "black holes" read on...

ISP's have resolved to restrict the Internet to a TV-like subscription mode

where users will be forced to pay to visit selected corporate websites by

2012...

Then there is the attachment, "doc.pdf." The file contains malicious code that is executed on the system when the file is opened. The malicious code is detected as Trojan.Pidief.A by Symantec products. So far, the attachment being used is the same across the board (MD5 - 4977c984367355f590a8bb159f76d94d9) but there's no guarantee that this will remain the case. As you can see by the graph below, the location of the presumably infected machines that are pumping out the spam emails is quite broad; however, the bulk of the spam is originating from the United States:

On underground economy servers, criminals sell a variety of illegal goods and services including bank account credentials, credit card numbers, and full identities. Typically, these goods are used for identity theft related activities. In the ISTR XIII, Symantec observed that the cost of a full identity was 10 times cheaper than it was at the beginning of 2007 and has gained in popularity to become the number three top ranked item advertised for sale. The contents of a full identity may vary, depending on the seller: it typically consists of a name, address, date of birth, phone number, and/or Social Security number. I've also seen sellers include extras such as driver's license number, mother's maiden name, email address, or "secret" questions/answers to entice buyers.

Most people associate identity theft with money as most reported cases involve criminals using the identity for activities such as obtaining credit cards, applying for loans, obtaining expensive medical or pharmaceutical treatments, or stealing homes. Financial identity theft is only one of the many types of identity theft that exists. The Identity Theft Resource Center (ITRC) categorizes identity theft into five major types: financial (the identity is used to obtain goods and services), criminal (the identity is used during a criminal investigation or arrest), commercial (the identity of a business is used to obtain credit), governmental (the identity is used to obtain government issued documents such as a passport or driver's license), and cloning (the identity is assumed by another and used on a daily basis).

Once a criminal purchases a full identity, it can be used to accomplish a variety of tasks, including making a lot of money. Usually, they change the victim's mailing address to route all mail, including credit card bills and financial statements to another location. The