Posted at 03:50 PM ET, 05/15/2008

Gov't Secrecy and the Mysterious Cyber Initiative

The secrecy surrounding the Bush administration's updated National Cyber Security Initiative -- designed to improve the government's digital defenses and put forth an offensive information warfare doctrine -- is endangering the deterrent value of the project and appears to be aimed chiefly at supporting spying operations abroad, a key U.S. Senate committee concludes in a new report.

The Senate Armed Services Committee said a major thrust of the initiative was to inform our adversaries as to the range of potential consequences of a cyber attack on U.S. strategic or national assets. But so far only three of the 18 goals spelled out in the cyber initiative have been discussed publicly; the rest remain classified.

"It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified," the committee's report said. "In the era of superpower nuclear competition, while neither side disclosed weapons designs, everyone understood the effects of nuclear weapons, how they would be delivered, and the circumstances under which they would be used. Indeed, deterrence was not possible without letting friends and adversaries alike know what capabilities we possessed and the price that adversaries would pay in a real conflict. Some analogous level of disclosure is necessary in the cyber domain."

The report comes two weeks after the Senate Homeland Security Committee demanded more details about the plan from the Department of Homeland Security.

The Armed Services Committee also concluded that some major elements of the cyber initiative are not solely or even primarily intended to support the cyber security mission, but instead appear geared toward beefing up foreign intelligence collection and analysis.

"If these elements were properly defined, the President's cyber security initiative would be seen as substantially more modest than it now appears," the committee's report reads. "That is not to say that the proposed projects are not worthwhile, but rather that what will be achieved for the more than $17.0 billion planned by the administration to secure the government's networks is less than what might be expected."

Indeed, at a security conference in Washington earlier this month, a senior Bush administration official said the cyber initiative would harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

"We've never looked at how all the unique things this government wages against others could be used to inform our defensive posture," said the official, who asked not to be named because the White House has not yet released details about the plan. "We really need to move from [the reality that] the advantage is always with the attacker to how we can have our offense better inform our defense to shrink that gap."

The White House was expected to reveal more details about the cyber initiative following the release last week of new government-wide policies for standardizing the secrecy levels assigned to various government documents.

The Bush administration released the new classification guidelines last Friday. The guidelines are aimed at untangling the tortured terms various agencies use to label documents that are unclassified but for one reason or another deemed not for public consumption. According to American University's Collaboration on Government Secrecy project, federal agencies have devised more than 120 different unique labels, including such vague gems as "limited access," "eyes only," "administratively restricted," and "continued control."

But secrecy experts say that while the guidelines may help standardize the labeling of unclassified documents, they will do little to decrease the amount of government paperwork that never sees the light of day.

"The policy is a necessary step because the number of individualized [labels] got out of hand a long time ago," said Steven Aftergood, director of the project on government secrecy at the Federation of American Scientists. "But as policy, it is not even half-baked. It needs further development, and given that it's predicated on a five-year implementation timeline, it will probably need to be revisited and revised by the next administration."

Aftergood said the new policy includes a few howlers, such as Paragraph 17, which states that the "controlled unclassified information markings shall be used regardless of the medium through which the information appears or conveys. Oral communications should be prefaced with a statement describing the controls when necessary to ensure that recipients are aware of the information's status."

"That means that any conversation that any government employees might have concerning controlled unclassified information should begin with a statement concerning its restricted status," Aftergood said. "That's just laughable."

Posted by Brian Krebs | Permalink | Comments (2)

Posted at 02:44 PM ET, 05/15/2008

Debian and Ubuntu Users: Fix Your Keys

Online merchants who have used a Debian-based operating system to generate secure sockets layer (SSL) certificates for encrypting customer communications should check to make sure the private key needed to decrypt those transactions isn't already posted on the Web for all to see.

Normally, even if an attacker is able to intercept https:// traffic between a commercial Web site and a customer, the bad guy is unable to make sense of it without the private key held by the Web site owner. But new research published this week points to a weakness in Debian's cryptographic process that potentially gives eavesdroppers the tools to quickly discover the key needed to unlock https:// transactions and view the traffic in plain text.

Most cryptographic systems work by generating a set of public and private keys, with the trick to generating strong, virtually unbreakable keys being randomness. The process starts with an extremely long random number -- known as a "seed" -- that is fed into various mathematical algorithms to generate two keys: one that is shared with the public (i.e., anyone who attempts to connect to the https:// site), and one that is kept private by the site owner and used to decrypt the incoming traffic and transaction data.

On Tuesday, the Debian project said there had been a slight problem with the randomness portion of that equation. Apparently, one line of code in the component used to create random seeds was coughing up strange error or warning messages for a subset of Debian users, and at some point, developers simply removed the troublesome line of code. But in doing so, they inadvertently reduced the number of random seed values from a near infinite number down to 32,768 possibilities. To compound the situation, a security researcher has released a tool that could be used by attackers to quickly deduce the private key from the subset of the 32,768 possibilities.

This means that any commercial sites using cryptographic keys generated with a Debian-based operating system (including the popular Ubuntu and xUbuntu systems) between Sept. 2006 and this week need to go back and regenerate those keys. This includes not only SSL keys, but also secure shell (SSH) keys typically used to securely log in to computer systems over the Internet.

The Debian project has published a blacklist of all exposed keys, and a tool to test for weak keys.
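Why a blacklist of every exposed key is feasible, shown as an added example that is not from the original post or the Debian project: with only 32,768 possible seeds, each key an affected system could have produced can be fingerprinted once and then matched against deployed keys. The hash-based key derivation is a toy stand-in for real RSA/DSA generation, and the function names and host inventory are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import secrets

# Number of possible seed values reported for the flawed Debian packages.
SEED_SPACE = 32_768


def toy_fingerprint(seed_bytes: bytes) -> str:
    """Toy stand-in for "generate a key pair, then fingerprint the public key".

    Real key generation is far more involved, but it shares the one property
    that matters here: the same seed always yields the same key pair, so the
    public fingerprint identifies the (equally predictable) private key.
    """
    private_key = hashlib.sha256(b"private|" + seed_bytes).digest()
    public_key = hashlib.sha256(b"public|" + private_key).digest()
    return hashlib.sha256(public_key).hexdigest()[:32]


def weak_fingerprint(seed: int) -> str:
    """Fingerprint of a key made on an affected system (seed < SEED_SPACE)."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError(f"seed must be in 0..{SEED_SPACE - 1}")
    return toy_fingerprint(seed.to_bytes(2, "big"))


def sound_fingerprint() -> str:
    """Fingerprint of a key made with a properly seeded generator (256 bits)."""
    return toy_fingerprint(secrets.token_bytes(32))


def build_blacklist() -> frozenset[str]:
    """Enumerate the whole weak seed space once and keep only fingerprints."""
    return frozenset(weak_fingerprint(seed) for seed in range(SEED_SPACE))


def audit(inventory: dict[str, str], blacklist: frozenset[str]) -> list[str]:
    """Return the names of deployed keys that must be regenerated."""
    return sorted(name for name, fp in inventory.items() if fp in blacklist)


if __name__ == "__main__":
    blacklist = build_blacklist()

    # Constructed inventory: two keys made on an affected system, one sound key.
    inventory = {
        "web01-ssl": weak_fingerprint(4242),
        "bastion-ssh": weak_fingerprint(31337),
        "web02-ssl": sound_fingerprint(),
    }

    print(f"blacklist entries: {len(blacklist)}")
    for name in audit(inventory, blacklist):
        print(f"REGENERATE: {name} ({inventory[name]})")
```

Regenerating a flagged key is only half the fix for SSL: the certificate issued for the old key has to be replaced as well, since anyone can reproduce the matching private key.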

More on this at the SANS Internet Storm Center and from researcher HD Moore.

Posted by Brian Krebs | Permalink | Comments (7)

Posted at 05:15 PM ET, 05/14/2008

Three Charged With Hacking Dave & Buster's Chain

Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.

The government's 27-count indictment unsealed this week names Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "JonnyHell" Suvorov, of Sillamae, Estonia, and charges them with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.

The government also unsealed a complaint against Albert "Segvec" Gonzalez of Miami, who, according to the U.S. Secret Service, was responsible for creating the software used to steal credit and debit card data.

The complaint alleges that sometime between April and September of 2007, Yastremskiy and Suvorov hacked into cash register terminals at 11 Dave & Buster's locations and installed Gonzalez's "sniffer" programs to steal payment data as it was being transmitted from the point-of-sale terminals to the company's corporate offices.

According to the government, Gonzalez wasn't that great of a programmer: His sniffer program contained a bug that caused it to fail to start each time an infected point-of-sale system was rebooted. The Justice Department says that Yastremskiy and Suvorov kept at it, and that their persistence paid off: At one restaurant location alone, the sniffer program captured data for approximately 5,000 credit and debit cards, data that was later resold to cyber thieves, who used the data to make fraudulent purchases.

The stolen card data, known as "Track 2" data, is stored in the magnetic stripe on the back of each credit and debit card. It's stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer's account number and expiration date, but not the cardholder's name or other personally identifiable information.

As a result, Dave & Buster's had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif.-based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.

According to the U.S. government, "Turkish officials arrested Yastremskiy in Turkey in July 2007, and he remains in jail on potential violations of Turkish law. A formal request for extradition of Yastremskiy to the United States has been made to the Turkish government. At the request of the United States, Suvorov was arrested in March 2008 by German officials while he was visiting the country. He remains in jail in Germany, pending German action on a formal U.S. extradition request. U.S. Secret Service officials arrested Gonzalez in Miami in May 2008."

Avivah Litan, a fraud analyst with Gartner Inc., said stolen Track 2 data typically is not useful for online fraud, as Track 2 data thieves most often do not obtain the names and addresses of the victims whose account numbers have been stolen. That's an important distinction because most Internet stores use address verification systems (AVS) to ensure that the credit card offered by the purchaser matches the name and address on file for that card.

In physical, in-store transactions, the person operating the cash register will at best check to make sure the name on the card matches the name on the purchaser's driver's license, Litan said. As a result, fraudsters armed with Track 2 can simply encode that data onto the magnetic stripe of a new, fabricated card that lists the fraudster's real name, or at least one for which he has a matching photo ID.

This trick works remarkably well for fraudsters who have stolen debit card Track 2 data, Litan said.

"The scammer will go into a bank branch and say 'Oh, my PIN doesn't work any more,' or 'I forgot my PIN,' and the teller will say, 'Okay, let me see your driver's license.' In a lot of cases, as long as the name on the license matches the name on the card, they'll just say 'Okay, swipe your card through the reader and we'll reset your PIN.'"

Posted by Brian Krebs | Permalink | Comments (3)

Posted at 03:30 PM ET, 05/13/2008

Microsoft Patches Six Security Holes

Microsoft today issued four updates to fix at least six security flaws in its Windows operating system and Office software. The bundle includes a patch for a critical flaw that hackers already are exploiting to break into vulnerable Windows systems.

The latest updates are available through Microsoft/Windows Update, or via Automatic Updates.

Four of the vulnerabilities fixed in today's roundup earned Microsoft's most dire "critical" label, which means hackers could use them to break into Windows systems with little or no help from the user, save for convincing the user to click on a link or open a file or e-mail.

Among the most serious of the critical updates is a fix for a known flaw in Microsoft's Jet Database Engine, a component built into Windows 2000, Windows XP and Windows Server 2003 that provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Instructions showing attackers how to exploit this flaw have been available online since November 2007, and Microsoft has acknowledged that cyber crooks are actively attacking this vulnerability, which can be exploited by convincing people to open malicious database files (those ending in ".mdb").

The other three critical vulnerabilities reside in Microsoft Office applications and affect nearly every version of Office, including Office 2007. One of the updates even affects Office applications such as Word Viewer 2003 and Office 2004/2008 for Mac.

People who still run Microsoft Office 2000 will not be able to get the Office updates through Microsoft/Windows Update or through Automatic Updates. Office 2000 users will need to pay a special visit to the Office Update page and let the site scan for missing updates. Depending on which installation option was chosen, Office 2000 users may need to have the original Office installation disk handy.

Finally, if you run Windows XP and have not already installed Service Pack 3, Microsoft is apt to offer it to you if you scan for updates or switch on Automatic Updates. Given the large number of people who have reported problems after installing Service Pack 3 -- and the tiny benefit users receive from installing the potentially destabilizing update -- I'd urge XP users to avoid the service pack for now. Hopefully, over the next few days I can compile a list of the most common sources of SP3 installation problems.

For those who want to go ahead anyway, or for those who have already installed SP3 and are experiencing problems, check out these two links. The first describes a common reboot loop problem experienced by many users who install SP3 on a Windows XP system powered by an AMD processor. The second is a massively long Microsoft support thread that essentially reminds people that Microsoft provides free online (chat and e-mail) and telephone based support for people having trouble installing Service Pack 3. The toll-free support phone number is (866) 234-6020.

Update, May 14, 4:29 p.m. ET: I just received this clarification from Microsoft, about the situations in which Windows XP users would be offered Service Pack 3 in conjunction with this month's updates: "When visiting the Windows Update Web site, Windows XP customers have the option to run either an 'Express' or 'Custom' check for available updates. Selecting 'Express' will take XP SP2 customers to a screen that lists only XP SP3, since it is the default install. Selecting 'Custom' will present the customer with more options. Windows XP customers who are set to receive automatic updates will automatically receive the relevant XP SP2 security updates until XP SP3 is published to Automatic Update. This process is by design and worked the same way when XP SP2 was released."

Posted by Brian Krebs | Permalink | Comments (11)

Posted at 11:30 AM ET, 05/13/2008

Online Sellers: Beware of Fake Check Scams

If you sell enough stuff online at sites like Craigslist and eBay, eventually you will receive an offer for your wares that far exceeds your asking price. Such offers are often the first stage of a scam in which the fraudster sends a counterfeit check along with some elaborate explanation for offering such a high amount. The scam artist then asks the seller to wire back the difference after the check is deposited.

It should surprise no one that the checks always bounce, leaving anyone who falls for the scam liable to their bank for the entire amount. This is not a new scam, but I had never seen one of these fake checks in person until my colleague here at washingtonpost.com - Dan - recently received one of these fairly official-looking checks after advertising a $300 bike frame for sale on Craigslist.com. The outer envelope was hand addressed with a postmark from somewhere in Michigan.

Being a relatively cyber-savvy guy, Dan played along for a bit after receiving the scammer's initial e-mail, replying back to the fraudster and inquiring why he had overpaid for the item.

"Sorry for replying you late, the shipper are shipping it internationally for charity home, they are also shipping my other stuffs i bought that is why the fee is that amount," the scammer "Keith" wrote from an address at onlinewithmary28@yahoo.com. "I am doing this to help the need, kindly cash the check and let me know so that i can send you my shipping company payment details where you will send the remaining fee to so that they can come for the pickup."

According to the Federal Trade Commission, a big reason these scams succeed is that the checks look very official, and even draw upon legitimate account numbers assigned to real companies. For example, the company name printed on the check was Mouser Electronics Inc. in Mansfield, Texas. If you Google the account number that appears on the bottom of the check - 1891494252 - you indeed find two results (and hopefully three soon, including this one), one of which links directly to Mouser's official Web site.

But a call to Mouser's finance department proved that the scammers had merely appropriated the information from the company's site. Tamara LeClair, finance administrator for Mouser, said the company places that account number on its site so that customers can pay invoices via bank wire. She said the account is set to receive funds only, and that it cannot be used to release funds.

"We get waves of calls from people selling stuff on eBay where someone will send the caller a check for more than they asked and then ask them to send back the difference in cash," LeClair said.

If you receive one of these offers, just ignore it. If you feel the need to report it somewhere, you can file a complaint with the FTC and/or the FBI.

Posted by Brian Krebs | Permalink | Comments (6)

Posted at 11:40 AM ET, 05/ 9/2008

Adobe Plugs 8 Security Holes in Reader


This post was updated at 12:20 p.m. to clarify what's new in this Adobe patch. See the update below the original post.

Adobe has issued an update to plug at least eight security holes in its PDF Reader software. The latest patch brings the current, patched, version of Adobe to 8.1.2.

If you're reading this post on a system that has Adobe Reader installed, please take a moment now to download and apply this update. Cyber crooks have recently added Adobe vulnerabilities to "Neosploit," a tool that automates the exploitation of outdated browser plug-ins when users visit certain malicious or hacked Web sites.

As Symantec notes, you don't have to be doing anything risky to get burned by running an outdated copy of Adobe Reader these days. Symantec writes: "If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer."

If you're looking for a slimmed-down, free alternative to Adobe Reader that consumes far fewer system resources (and may be quite a bit more secure), I would wholeheartedly recommend Foxit Reader.

Update:

A clarification is in order here. I saw the date on this advisory (May 6), and assumed we had a new update for Adobe Reader. Turns out, that is only partly true. The vulnerabilities addressed in this update were fixed by Adobe back in February, so if you applied that patch, there is no reason to take any action here.

However, the company did not release details about those flaws at the time. This advisory changes that. More importantly, this advisory clarifies that Adobe has finally issued updates to fix these vulnerabilities for people still running version 7 of Adobe Reader. If you are running Adobe Reader 7, fixes for these eight security holes are now available.

Posted by Brian Krebs | Permalink | Comments (6)

Posted at 12:51 PM ET, 05/ 8/2008

Mozilla Distributes Virus-Infected Language Pack

Anyone who downloaded the Vietnamese language pack for Firefox 2 needs to run an anti-spyware and anti-virus scan, then disable the pack for now. Mozilla warned yesterday that all versions of that language pack downloaded from its servers since Feb. 18, 2008, were infected with pop-up ad serving software.

Window Snyder, Mozilla's chief security officer, said the Vietnamese language pack was contaminated as the result of a virus infection. "This usually results in the user seeing unwanted ads, but may be used for more malicious actions."

Snyder said Mozilla doesn't know how many people downloaded the compromised language pack, but said there have been 16,667 downloads of the pack since November 2007.

Mozilla is working on getting a replacement language pack up on the site soon. Snyder said that while Mozilla does virus scans when add-ons are uploaded to its servers, the scanner for whatever reason didn't catch this nasty until several months after the upload. Mozilla is now adding post-upload scans to everything on its download servers, she said.

Language packs are add-ons in Firefox. Add-ons can be removed by clicking "Tools" and then "Add-ons." According to the discussion on this in the Bugzilla database, the culprit here is something called "Trojan.Win32.Xorer," which disables security software on the infected PC and spreads by infecting files, programs and removable drives. Instructions for manually removing Xorer are online here.

There is an interesting discussion about this going on today at news-for-geeks site Slashdot, which "highlights the risk of relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."

Posted by Brian Krebs | Permalink | Comments (10)

Posted at 06:22 PM ET, 05/ 7/2008

Robotraff: A Hacker's Go-To For Clicks

Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as "the first stock exchange of Web traffic."

Set up a free account at Robotraff and you're ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you're just getting started and you can't be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

So let's have a look at the transactions Robotraff is handling today: User #704 is selling "search mix" traffic from Google.com for $13 per 1,000 hits. Not close to making your quarterly traffic stats or ad traffic quotas? No sweat: $130 buys you 10,000 hits that look like they came from Google searches.

The details page for each item on the exchange shows the traffic speed, total traffic available, price, and a breakdown by country and Web browser. Different sellers have specialties, such as non-IE traffic and traffic exclusively from specific countries.

The terms and services that all Robotraff users must agree to in order to use the site's services plainly state (well, in poorly translated English) that buying traffic to send people to malicious Web sites is not allowed, nor is redirecting people to porn sites ... or maybe not. I couldn't help but chuckle when I read the porno ban, because directly to the left of that notice, under a section labeled "Top 5 Wanted Traffic," is a buyer offering $5.20 per 1,000 visits destined for a mix of Russia-based adult Web sites.

Mike LaPilla, director of malicious code operations for iDefense, a unit of Verisign, said those disclaimers are common on all kinds of sites that facilitate cyber crime.

"It's to dart responsibility against breaking any laws," LaPilla said. "If someone ever reported [Robotraff to the authorities], they could simply say a user broke their terms of service, and then delete them to avoid any legal trouble."

LaPilla said the brains behind Robotraff is a guy who goes by the online nickname "Bryaks," and that this individual is thought to be one of the original founders of a similar distribution network called "IFramecash" (pronounced eye-frame). IFramecash pays "affiliates" to drive traffic to their network of sites, which launch a volley of Web browser exploits in an attempt to install malicious software on the visitor's machine. IFramecash's download sites were at one time hosted off of the same Web space as the infamous Russian Business Network, and the site's operators are thought to have close ties to RBN.

Lawrence Baldwin, founder of Atlanta-based security company myNetWatchman.com, said that in the process of monitoring hacker networks he has witnessed cyber crooks logging into their accounts at Robotraff to set up deals to distribute the "Zeus" Trojan, a nasty bugger most often used to download malware designed to swipe passwords and other data from infected PCs.

"They call it a traffic distribution system, but it's more like a 'pay-per-compromise' network," Baldwin said.

While many Robotraff customers may be using the exchange to help distribute their malicious software, the exchange also would be a great way to conduct click fraud, an expensive and confounding plague in the Internet advertising space. According to the most recent stats from Click Forensics, more than 16 percent of all online ad clicks in the fourth quarter of 2007 were fraudulent.

A request for comment has been sent to multiple addresses associated with Robotraff.com. This post will be updated if they respond.

Update, May 13, 3:16 p.m. ET: I heard back from an "Alex" at Robotraff, who took rather strong exception to my source's characterization of Robotraff as a pay-per-compromise network. Their initial response was written in broken English, so I asked them to respond in their native tongue and asked a local Russian expert to translate the messages for me (many thanks to Security Fix reader Gary Goldberg for the human translation).

I will try to summarize Robotraff's main points here and then include their entire response after the jump. Alex said Robotraff no longer allows customers to sell Web traffic that uses iFrames, which can be used to seamlessly (and invisibly) load content from another page within the context of the page the visitor is viewing (iframes have many legitimate uses, but they have been a favorite tool of malware writers, who use them to quietly load browser exploits when visitors browse to a malicious or hacked Web site).

Alex said Robotraff also checks all traffic orders for viruses. He added that the marketplace no longer allows traffic for adult Web sites, and that any orders for adult site traffic visible on Robotraff.com were created prior to the exchange's new rules outlawing such trades. As soon as those trades are fulfilled, Alex said, no more adult site traffic trades will be allowed.

More, verbatim responses from Robotraff, after the jump.


Posted by Brian Krebs | Permalink | Comments (2)

Posted at 08:35 PM ET, 05/ 6/2008

Microsoft Releases Windows XP Service Pack 3

Microsoft today finally released Service Pack 3 for Windows XP users. The update should now be offered via both Windows Update and Automatic Updates. The company was expected to release it last week, but pulled the plug at the last minute due to a compatibility problem with an obscure product they offer.

Many readers have asked me whether this update is really necessary, given that there isn't a whole lot new in Service Pack 3 aside from all of the security and non-security updates Microsoft has ever released for the operating system.

The following are some of the things you should know about installing Service Pack 3 for Windows XP.

Microsoft says it is not adding any significant Windows Vista technology into XP with Service Pack 3. No surprise there, given that Microsoft has said Service Pack 3 will be XP's swan song: The company currently plans to stop issuing new licenses for the operating system this summer. However, some consumers and PC manufacturers are starting to make a big fuss about this. I'm sort of in agreement with them: XP isn't perfect, but I've grown used to it, know it like the back of my hand, and it is very stable. I cannot say any of those things for the machine I have that's powered by Windows Vista (Ultimate).

In addition to all the previously released security updates and hotfixes (some of which users may not have, even if they have been keeping up with security patches), SP3 includes "a small number of enhancements, which do not significantly change customers' experience with the operating system," Microsoft said.

So what gives? Most of the security and non-security additions contained in SP3 are features more likely to be used by businesses, not average consumers. So why install this, when there's a chance it could bork my machine, you ask?

I believe that chance is minimal: SP3 was offered to one of my machines via Automatic Updates today. After a short time, the Automatic Update icon disappeared and I began to wonder what was up, so I decided to reboot. Then it told me there were patches ready to install, and did I want to install them and then reboot? After clicking "yes" and waiting for about 15 minutes, the system rebooted. My machine seems to be no worse for the wear after making room for SP3, but then again your mileage may vary.

I think it's fine for people to wait a few days or weeks to install this service pack. Smart money is on the notion that some users with some class of hardware or software installations will have problems, some of them perhaps irreparable or difficult-to-fix.

However, if you were already planning to rebuild an XP system from scratch anyway, Service Pack 3 would be ideal for that task, as it would streamline the process considerably. Even if you install XP without any prior service packs, installing Service Pack 3 brings your system up to date on all security updates.

To minimize the slim chances that this update might brick your PC, it's probably a good idea to follow these steps that Microsoft recommends before installing SP3.

As the SANS Internet Storm Center notes, people who for whatever reason are still using Internet Explorer 6 will NOT be upgraded to IE7 after installing this service pack. However, if you already have IE7 on your system when you install Service Pack 3, you will not be able to migrate back to IE6.

Finally, Microsoft hasn't so much as fixed the incompatibility problem that prompted it to delay pushing out Service Pack 3 last week. Instead it put filters in place so that customers who have the incompatible software installed won't be offered the update.

If your small to mid-sized business is running Microsoft Dynamics RMS, definitely hold off installing this service pack for now.

Posted by Brian Krebs | Permalink | Comments (62)

Posted at 06:30 PM ET, 05/05/2008

Tech Groups Back Kaspersky in Fight Against Zango

A broad coalition of technology groups today told a federal appeals court to toss out a lawsuit that adware maker Zango is continuing to pursue against computer security vendor Kaspersky Lab, arguing that to do otherwise would harm consumers and the future of the security software market.

In May 2007, Bellevue, Wash.-based Zango -- a company that makes software to serve pop-up ads and tracks users' activities on behalf of online marketers -- sued Kaspersky, charging that the company interfered with its business by removing its "adware" without first alerting the user.

In August, the judge assigned to the case dismissed Zango's suit, saying Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable (portions of the CDA have been struck down by the courts as unconstitutional, but this particular section is not one of them).

Earlier this year, Zango took its case up to the 9th Circuit Court of Appeals, saying Kaspersky's software should be labeled "badware" because it disabled Zango's software "without the customer's consent and without the customer's ability to override Kaspersky's invasive actions."

Interestingly, Zango's appeal is being supported by the National Business Coalition on E-Commerce and Privacy, an entity formed in 2000 that counts as members some of the largest corporations in America, including Bank of America, Charles Schwab & Co., Eastman Kodak, Fidelity Investments, General Motors, JP Morgan Chase, and the Vanguard Group. Update, May 6, 11:15 a.m.: Removed UPS from this list, as it is no longer a member of this coalition.

Thomas M. Boyd, a partner at DLA Piper US LLP and counsel to the organization, said member companies are concerned that the judge's decision to toss out the suit last year could pave the way for security companies to block things like "cookies" and "Web beacons".

"The district court's decision is such that under the judge's interpretation of CDA, a security software company has unreviewable power to decide that any content is objectionable and to deny user access to that content without any accountability for any damages that action may cause," Boyd said.

In a "friend of the court" brief filed with the appeals court today, a diverse collection of technology groups rallied behind Kaspersky in support of preserving the lower court ruling. Signatories to the brief include the Business Software Alliance, the Electronic Frontier Foundation (it's not often the BSA and EFF see eye-to-eye on tech issues), McAfee, Sunbelt Software and the Center for Democracy & Technology (CDT). Their brief is available here (PDF).

While this isn't the first case in which an adware company has sued an anti-spyware or security vendor, Ari Schwartz, CDT's vice president and chief operating officer, said the lower court's ruling is the strongest wording yet in support of protecting security companies from these types of strong-arm lawsuits.

"This is an extremely important case for consumers as to how security software protects them going forward, and whether the onus is put on the security company or [the adware vendor]," Schwartz said. "Congress clearly wanted to take the burden away from the security companies in this respect."

Posted by Brian Krebs | Permalink | Comments (17)

Posted at 12:46 PM ET, 05/02/2008

Stepped Up Cyber Role for Spy Agencies

Read Brian Krebs's latest story on washingtonpost.com: "White House Plans Proactive Cyber-Security Role for Spy Agencies."

America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

Posted by washingtonpost.com Editors | Permalink | Comments (7)
©  The Washington Post Company