http://news.yahoo.com/s/nm/20100923/us_nm/us_education
Thu Sep 23, 2:57 pm ET
BANGALORE/WASHINGTON (Reuters) – The U.S. Education Department's schedule for implementing proposed regulations on for-profit schools is not final, according to a media report that caused share prices in the sector to rise.
"We are keeping our options open," Education Secretary Arne Duncan was quoted as saying when asked about a possible delay in finalizing the regulations. His comments appeared in a blog run by Washington publication The Hill.
The remark pushed up share prices for the schools, which have been volatile on news that the Education Department may declare some programs ineligible for financial aid.
Shares of Corinthian Colleges were up 10.53 percent at midafternoon at $6.80. Apollo Group was up 2.91 percent at $51.91. DeVry Inc was up 3.7 percent at $45.96 and Career Education Corp was up 6.22 percent at $22.01.
The share prices rose on hope that the Education Department would push back plans to implement the rules.
"There has been a hearing scheduled for next week in the senate. ... I think there is a continued optimism perhaps that the gainful employment rules maybe delayed or perhaps modified. And I think that is what is driving the group up a little bit," said ThinkEquity LLC analyst James Maher.
The Education Department declined to comment on the scheduling. "Tomorrow we will announce our timeline for moving forward with gainful employment," said spokesman Justin Hamilton in an email.
The scrutiny follows criticism that the schools produce poorly prepared students with big debts, often financed with federal aid.
The department's proposed rules said for-profit schools would have to prove that their former students were either paying off loans or were capable of doing so in order for the schools' current students to receive federal loans. Duncan has predicted that 5 percent of programs would lose those funds.
Under the proposed rules, the federal government would no longer lend to programs if more than 65 percent of former students failed to pay the principal on federal loans, and if their graduates' debt was more than 30 percent of discretionary income and 12 percent of total income, the department said.
The department is also tightening rules against deceptive advertising and would close loopholes on paying recruiters in hopes of removing incentives for them to enroll unqualified pupils or deceive prospective students.
The institutions would be required to ensure that their students have a valid high school diploma or otherwise show that they are ready for college.
For-profit schools enroll around 12 percent of all U.S. post-secondary students, but receive 23 percent of all federal student aid.
(Reporting by Megha Mandavia in Bangalore and Diane Bartz in Washington; Editing by Saumyadeb Chakrabarty, Vyas Mohan and Robert MacMillan)
Monday, September 27, 2010
Wednesday, September 22, 2010
New For-profit Education Loan Rule Brought About Party Conflict
New For-profit Education Loan Rule Brought About Party Conflict
The Government's drive to mediate student loan defaults and for-profit schools has brought about contradicting stands from the Democrats and spawn a new list of clientele for Washington's top firms.
An unusual mix of Liberals, Blue Dogs, members of the Congressional Black Caucus and committee chairmen, all critics of the new rule are now urging the Obama administration to postpone changes to give way to further studies. They postulated that changes with the ruling would affect college enrollment among low-income students attending for-profit institutions.
The issue at hand is the new rule that would entail for-profit schools show their graduates’ annual loan payments to be less than 8% of their starting salaries. The reason behind this is the ballooning loan debts of for-profit graduates. Also, this is to ensure that students enter a well paying job for them to be able to pay their off their loans.
For-profit school programs who fail to meet the standards is at the risk of losing the financial aid they receive from the government. This is a colossal hit to for-profit schools since they were receiving billions of dollars from government aid- $24 billion federal tuition subsidies to be exact was given to them last year.
The Podesta Group, Heather Podesta + Partners and Brian Moran, former gubernatorial candidate of Virginia and brother of Representative Jim Moran (D-Va.) are working hand in hand with for-profit institutions to lobby the delay of the new ruling.
Meanwhile, former special counsel to President Bill Clinton (and columnist for The Hill), Lanny Davis, is advising the Coalition for Educational Success, which represents for –profit institutions.
Industry schools like the University of Phoenix, Kaplan Inc. and the Career College Association (CCA), the main industry organization have exhausted a rough estimate of $2.25 million in order to lobby for the first half of the year. Other investors and industries are also turning to K Street for back up.
Anne Duncan, DOE Secretary said that the purpose of this ruling is to prevent schools from burdening students with debts they can’t pay in exchange for a degree and some certificates they cannot purely utilize. But many Democrats are not in favor of this, warning that instead of helping students, this “would dramatically limit the programs available to minority and other at-risk students.” 47 other Democrats agreed to similar conclusions including Sen. Bill Nelson and Rep. John Spart and Debbie Wasserman Schultz.
“These programs are vital to educational achievement of students who would otherwise consider postsecondary education out of reach,” wrote one group of lawmakers, led by Rep. Edolphus Towns (D-N.Y.), chairman of the House Oversight Committee.
Change “could end up closing down hundreds of programs and leave hundreds of thousands of students without options” said Harris Miller, CEO and President of CCA.
Stirring the debate, a series of recent reports have suggested that the industry is plagued by aggressive recruiting and even fraud, which puts taxpayers on the hook when students can’t pay back their federal loans.
Last month, for instance, the Government Accountability Office (GAO) detailed cases where for-profit recruiters obscured the true costs to attend institutions; exaggerated post-graduation salaries and employability in the fields students were entering; and encouraged applicants to lie on submission forms to tap federal loans for which they weren’t eligible.
Top Senate Democrats including Dick Durbin and Tom Harkin, who chairs the Education Committee, recommended that the Government adopt the new gainful employment rule as written
“High student loan debt coupled with low repayment rates signal a questionable investment for students and taxpayers,” the senators wrote. “We encourage swift implementation of the gainful employment regulation and would be concerned with any efforts to weaken the proposal.”
Harris argued Wednesday that many of the industry criticisms — particularly the charge of fraud — target practices that are already illegal.
“You don’t need new rules for that,” he said. “That’s just plain-old against the law.”
Meanwhile, some of the Democratic strategists lobbying against the reforms are defending their break from the White House.
“If you’re a well-connected person or well-connected Democrat and you don’t have a client, you might want to rethink your line of work,” said one such lobbyist.
By the start of November, the Department of Education is expected to finalize the rules. They did not return requests for comment.
SOLARIA SUN
Sources:
Solaria Sun
The Government's drive to mediate student loan defaults and for-profit schools has brought about contradicting stands from the Democrats and spawn a new list of clientele for Washington's top firms.
An unusual mix of Liberals, Blue Dogs, members of the Congressional Black Caucus and committee chairmen, all critics of the new rule are now urging the Obama administration to postpone changes to give way to further studies. They postulated that changes with the ruling would affect college enrollment among low-income students attending for-profit institutions.
The issue at hand is the new rule that would entail for-profit schools show their graduates’ annual loan payments to be less than 8% of their starting salaries. The reason behind this is the ballooning loan debts of for-profit graduates. Also, this is to ensure that students enter a well paying job for them to be able to pay their off their loans.
For-profit school programs who fail to meet the standards is at the risk of losing the financial aid they receive from the government. This is a colossal hit to for-profit schools since they were receiving billions of dollars from government aid- $24 billion federal tuition subsidies to be exact was given to them last year.
The Podesta Group, Heather Podesta + Partners and Brian Moran, former gubernatorial candidate of Virginia and brother of Representative Jim Moran (D-Va.) are working hand in hand with for-profit institutions to lobby the delay of the new ruling.
Meanwhile, former special counsel to President Bill Clinton (and columnist for The Hill), Lanny Davis, is advising the Coalition for Educational Success, which represents for –profit institutions.
Industry schools like the University of Phoenix, Kaplan Inc. and the Career College Association (CCA), the main industry organization have exhausted a rough estimate of $2.25 million in order to lobby for the first half of the year. Other investors and industries are also turning to K Street for back up.
Anne Duncan, DOE Secretary said that the purpose of this ruling is to prevent schools from burdening students with debts they can’t pay in exchange for a degree and some certificates they cannot purely utilize. But many Democrats are not in favor of this, warning that instead of helping students, this “would dramatically limit the programs available to minority and other at-risk students.” 47 other Democrats agreed to similar conclusions including Sen. Bill Nelson and Rep. John Spart and Debbie Wasserman Schultz.
“These programs are vital to educational achievement of students who would otherwise consider postsecondary education out of reach,” wrote one group of lawmakers, led by Rep. Edolphus Towns (D-N.Y.), chairman of the House Oversight Committee.
Change “could end up closing down hundreds of programs and leave hundreds of thousands of students without options” said Harris Miller, CEO and President of CCA.
Stirring the debate, a series of recent reports have suggested that the industry is plagued by aggressive recruiting and even fraud, which puts taxpayers on the hook when students can’t pay back their federal loans.
Last month, for instance, the Government Accountability Office (GAO) detailed cases where for-profit recruiters obscured the true costs to attend institutions; exaggerated post-graduation salaries and employability in the fields students were entering; and encouraged applicants to lie on submission forms to tap federal loans for which they weren’t eligible.
Top Senate Democrats including Dick Durbin and Tom Harkin, who chairs the Education Committee, recommended that the Government adopt the new gainful employment rule as written
“High student loan debt coupled with low repayment rates signal a questionable investment for students and taxpayers,” the senators wrote. “We encourage swift implementation of the gainful employment regulation and would be concerned with any efforts to weaken the proposal.”
Harris argued Wednesday that many of the industry criticisms — particularly the charge of fraud — target practices that are already illegal.
“You don’t need new rules for that,” he said. “That’s just plain-old against the law.”
Meanwhile, some of the Democratic strategists lobbying against the reforms are defending their break from the White House.
“If you’re a well-connected person or well-connected Democrat and you don’t have a client, you might want to rethink your line of work,” said one such lobbyist.
By the start of November, the Department of Education is expected to finalize the rules. They did not return requests for comment.
SOLARIA SUN
Sources:
Solaria Sun
Enzi Blasts 'Gainful Employment' Proposal on For-profit Schools
http://www.careercollegecentral.com/news/enzi_blasts_gainful_employment
Enzi Blasts 'Gainful Employment' Proposal on For-profit Schools
Sen. Mike Enzi (Wyo.), senior Republican on the Senate education committee, is slamming a White House proposal designed to prevent students at for-profit career colleges from defaulting on their loans.
The proposal, Enzi said in comments submitted this month to the Department of Education (DOE), would not only disadvantage for-profit schools relative to their nonprofit competitors, but also limit access for many low-income and minority students, who tend to enroll in for-profits disproportionately.
"Admissions at for-profit institutions may become more selective, and otherwise academically qualified students may be denied admittance," Enzi wrote. "This outcome is contrary to nearly 50 years of Congressional efforts to make postsecondary education accessible to all Americans."
The comments echo those of scores of other lawmakers — many of them Democrats — who are pushing the administration to delay the rule until the issue can be studied further.
The issue is of great importance for the health sector because an enormous number of the nation's health professionals — from nurses to medical technicians — get their training at for-profits.
Under the proposed rule, for-profit programs would have to demonstrate that annual loan payments among recent graduates are less than 8 percent of their starting salaries. The idea is to ensure that graduates will be earning enough to pay off their debts after graduation.
The penalty for non-compliance is steep: Programs that fail to meet the standards could lose access to federal financial aid — of which 23 percent ($24 billion) went to for-profit schools last year.
Enzi said applying the new standards only to for-profit schools "will be sending the message that the Federal government is not concerned with the outcomes for over 75 percent of the Federal investment in student financial assistance."
Moreover, Enzi argued, it's not the government's role to ensure that students' educational choices "pay off."
"Federal student financial assistance has historically been provided to increase access and help make postsecondary education more affordable," Enzi wrote. "It does not remove the responsibility of students and their families to make informed choices and to understand the financial consequences of those decisions."
The comments put Enzi at sharp odds with Sen. Tom Harkin (D-Iowa), the chairman of the Senate education committee who's urging the White House to adopt the so-called "gainful employment" rule as quickly as possible.
“High student loan debt coupled with low repayment rates signal a questionable investment for students and taxpayers,” Harkin wrote to the DOE on Sept. 9. “[W]e encourage swift implementation of the gainful employment regulation and would be concerned with any efforts to weaken the proposal.”
Bolstering Harkin's argument, the Education Department this month issued new figures showing that the student-loan default rate at for-profits rose from 11 percent in 2007 to 11.6 percent in 2008 — much higher than default rates at nonprofit schools.
"While for-profit schools have profited and prospered thanks to federal dollars, some of their students have not," DOE Secretary Arne Duncan said in a statement announcing the figures.
Still, not all liberals are supporting the rule. Jesse Jackson, head of the Rainbow PUSH Coalition, is on Enzi's side, arguing that the change, while well intended, would hurt minority students.
"The amount of debt a student incurs and the student’s ability to repay that debt are not reflections of the quality of an institution," Jackson wrote in his own comments submitted to DOE. "To apply a standard that looks at debt and repayment as a measure of quality misses a greater opportunity to hold all institutions to a higher standard of student outcomes, namely, graduation rates and successful post-graduation careers."
The DOE is hoping to finalize its rule by Nov. 1.
THE HILL
Sources:
The Hill
Enzi Blasts 'Gainful Employment' Proposal on For-profit Schools
Sen. Mike Enzi (Wyo.), senior Republican on the Senate education committee, is slamming a White House proposal designed to prevent students at for-profit career colleges from defaulting on their loans.
The proposal, Enzi said in comments submitted this month to the Department of Education (DOE), would not only disadvantage for-profit schools relative to their nonprofit competitors, but also limit access for many low-income and minority students, who tend to enroll in for-profits disproportionately.
"Admissions at for-profit institutions may become more selective, and otherwise academically qualified students may be denied admittance," Enzi wrote. "This outcome is contrary to nearly 50 years of Congressional efforts to make postsecondary education accessible to all Americans."
The comments echo those of scores of other lawmakers — many of them Democrats — who are pushing the administration to delay the rule until the issue can be studied further.
The issue is of great importance for the health sector because an enormous number of the nation's health professionals — from nurses to medical technicians — get their training at for-profits.
Under the proposed rule, for-profit programs would have to demonstrate that annual loan payments among recent graduates are less than 8 percent of their starting salaries. The idea is to ensure that graduates will be earning enough to pay off their debts after graduation.
The penalty for non-compliance is steep: Programs that fail to meet the standards could lose access to federal financial aid — of which 23 percent ($24 billion) went to for-profit schools last year.
Enzi said applying the new standards only to for-profit schools "will be sending the message that the Federal government is not concerned with the outcomes for over 75 percent of the Federal investment in student financial assistance."
Moreover, Enzi argued, it's not the government's role to ensure that students' educational choices "pay off."
"Federal student financial assistance has historically been provided to increase access and help make postsecondary education more affordable," Enzi wrote. "It does not remove the responsibility of students and their families to make informed choices and to understand the financial consequences of those decisions."
The comments put Enzi at sharp odds with Sen. Tom Harkin (D-Iowa), the chairman of the Senate education committee who's urging the White House to adopt the so-called "gainful employment" rule as quickly as possible.
“High student loan debt coupled with low repayment rates signal a questionable investment for students and taxpayers,” Harkin wrote to the DOE on Sept. 9. “[W]e encourage swift implementation of the gainful employment regulation and would be concerned with any efforts to weaken the proposal.”
Bolstering Harkin's argument, the Education Department this month issued new figures showing that the student-loan default rate at for-profits rose from 11 percent in 2007 to 11.6 percent in 2008 — much higher than default rates at nonprofit schools.
"While for-profit schools have profited and prospered thanks to federal dollars, some of their students have not," DOE Secretary Arne Duncan said in a statement announcing the figures.
Still, not all liberals are supporting the rule. Jesse Jackson, head of the Rainbow PUSH Coalition, is on Enzi's side, arguing that the change, while well intended, would hurt minority students.
"The amount of debt a student incurs and the student’s ability to repay that debt are not reflections of the quality of an institution," Jackson wrote in his own comments submitted to DOE. "To apply a standard that looks at debt and repayment as a measure of quality misses a greater opportunity to hold all institutions to a higher standard of student outcomes, namely, graduation rates and successful post-graduation careers."
The DOE is hoping to finalize its rule by Nov. 1.
THE HILL
Sources:
The Hill
Wednesday, September 15, 2010
Hiring and raises are starting to perk up but only modestly
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/11/AR2010091100013.html
By Anne Kates Smith
Sunday, September 12, 2010
In a welcome change for recession-weary workers, employers are hiring again. What's more, instead of the non-cash rewards that companies have been doling out to prized employees (or at least the ones still standing), the little something extra next year might actually be money. "Salary increases are back," says Mercer compensation consultant Loree Griffith.
Hiring is starting to perk up. A recent survey by Mercer found that 27 percent of companies are expanding their overall workforce, and only 3 percent are in the midst of broad-based staff reductions. A year earlier, just 12 percent of firms surveyed were expanding and 15 percent were cutting back. Caution prevails, however, as 45 percent of companies are hiring just enough newcomers to replace workers who have left, and 25 percent are hiring only in critical areas.
Most workers will receive raises in 2011: 98 percent of organizations surveyed by Mercer are planning increases. But few employees will consider their pay bump generous. Surveys show that employers are projecting median salary increases of about 3 percent or a little less for 2011, up from about 2.5 percent this year. Employees with the highest performance ratings will do better. Mercer projects that average pay increases for the highest-rated employees will be 4.5 percent in 2011, compared with 2.7 percent for workers receiving an average rating and just 1.5 percent for those deemed to be less competent.
In 2010 bosses have been most generous in the oil-and-gas and pharmaceutical industries, where raises have averaged 3.2 percent and 2.7 percent, respectively. At the bottom of the scale, health-care and education employees are seeing 2.1 percent pay increases. Companies are once again focusing on money as the best way to retain workers and keep them happy. Over the past 18 months, limited budgets for raises have meant more perks, such as flexible work schedules, more time off, training and career development, and opportunities to participate in special projects. Career training is still big, but so is cold, hard cash.
How can you get your fair share? Don't be afraid to ask, ask at the right time and frame your request in the right way. Most raises are awarded in the spring, after an annual review. But you should plant the idea with your supervisor when you see the health of the company starting to rebound. A good time to make the request is just after you've won accolades for a significant accomplishment.
Remember that performance is measured in terms of quantity, quality, cost and timeliness, says executive coach Robert Lorber, of Lorber Kamai Consulting Group, in El Macero, Calif. Have you pitched in to cover for laid-off colleagues or helped to increase your company's market share? Reduced errors or improved production? Gotten customers to pay more quickly or shaved your division's budget through cost savings? Have you continued to meet or beat deadlines despite staff reductions?
Document each success. Now more than ever, companies emphasize variable pay models based on contributions to the bottom line. Show that you're moving the needle in the right direction, and your boss just might show you the money.
-- Kiplinger's Personal Finance
By Anne Kates Smith
Sunday, September 12, 2010
In a welcome change for recession-weary workers, employers are hiring again. What's more, instead of the non-cash rewards that companies have been doling out to prized employees (or at least the ones still standing), the little something extra next year might actually be money. "Salary increases are back," says Mercer compensation consultant Loree Griffith.
Hiring is starting to perk up. A recent survey by Mercer found that 27 percent of companies are expanding their overall workforce, and only 3 percent are in the midst of broad-based staff reductions. A year earlier, just 12 percent of firms surveyed were expanding and 15 percent were cutting back. Caution prevails, however, as 45 percent of companies are hiring just enough newcomers to replace workers who have left, and 25 percent are hiring only in critical areas.
Most workers will receive raises in 2011: 98 percent of organizations surveyed by Mercer are planning increases. But few employees will consider their pay bump generous. Surveys show that employers are projecting median salary increases of about 3 percent or a little less for 2011, up from about 2.5 percent this year. Employees with the highest performance ratings will do better. Mercer projects that average pay increases for the highest-rated employees will be 4.5 percent in 2011, compared with 2.7 percent for workers receiving an average rating and just 1.5 percent for those deemed to be less competent.
In 2010 bosses have been most generous in the oil-and-gas and pharmaceutical industries, where raises have averaged 3.2 percent and 2.7 percent, respectively. At the bottom of the scale, health-care and education employees are seeing 2.1 percent pay increases. Companies are once again focusing on money as the best way to retain workers and keep them happy. Over the past 18 months, limited budgets for raises have meant more perks, such as flexible work schedules, more time off, training and career development, and opportunities to participate in special projects. Career training is still big, but so is cold, hard cash.
How can you get your fair share? Don't be afraid to ask, ask at the right time and frame your request in the right way. Most raises are awarded in the spring, after an annual review. But you should plant the idea with your supervisor when you see the health of the company starting to rebound. A good time to make the request is just after you've won accolades for a significant accomplishment.
Remember that performance is measured in terms of quantity, quality, cost and timeliness, says executive coach Robert Lorber, of Lorber Kamai Consulting Group, in El Macero, Calif. Have you pitched in to cover for laid-off colleagues or helped to increase your company's market share? Reduced errors or improved production? Gotten customers to pay more quickly or shaved your division's budget through cost savings? Have you continued to meet or beat deadlines despite staff reductions?
Document each success. Now more than ever, companies emphasize variable pay models based on contributions to the bottom line. Show that you're moving the needle in the right direction, and your boss just might show you the money.
-- Kiplinger's Personal Finance
Friday, September 10, 2010
PHP backdoor security surprise uncovered
PHP backdoor security surprise uncovered
by Davey Winder on Sep 10th, 2010, 5:54 am
Everyone loves PHP these days it seems, and that includes the bad guys. So it should come as no surprise to learn that yet another remote access Trojan written using PHP has appeared. However, the fact that this particular bit of PHP backdoor code comes complete with a second, hidden, backdoor within it certainly was surprising to the security researcher who found it. DaniWeb has been talking to that researcher to find out more...
"Is there no honor among thieves anymore?" asks Andrew Brandt, the Lead Threat Analyst for security specialists Webroot, when disclosing the details of his PHP double backdoor discovery. It's a good question, albeit one that just begs an answer of 'was there ever?' to be fair. Being a threat analyst for a leading security vendor, Brandt spends a lot of time picking through exploit code. So it was not unusual for him to find himself examining the internal workings of a PHP remote access Trojan that loads into memory on a target computer when the victim strays upon the iframe which points to the PHP script sitting embedded in a web page. "The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers" Brandt reveals.
In fact, it's fairly standard bad guy stuff, albeit well written bad guy stuff. Until you start to dig a little deeper into the code, as Brandt found himself compelled to do, and find another backdoor embedded within the backdoor itself. "Someone’s bugged this bug with another bug" Brandt says, adding that the second chunk of code looks like a blob of base64-encoded garbage but decoding the base64-encoded text, set into the $dc_source variable, reveals that the bot writes out the commands into a Perl script to execute them. Invoked during the PHP bot's loading routine this commands the original bot to connect to a different control server, operated by another criminal enterprise to the ones that coded the original Trojan. No honor among thieves indeed, using someone else's code and distribution network to spread your own exploit around. You've got to admire the chutzpah of these guys. The 'Data Cha0s Connect Back Backdoor' is not exactly new, it has to be said, as a Google search reveals it first being seen as far back as 2005. The fact that it is still appearing in remote access Trojans being coded and distributed today is, however, rather worrying and suggests the gang behind it are still going strong.
DaniWeb spoke to Andrew Brandt and asked just how dangerous PHP is in the overall security threat landscape scheme of things?
"Many very useful websites or content management systems are built on a PHP framework. That said, PHP can and has been used as a tool for malicious activity, just like Javascript. PHP backdoors, bots, and download code has been part of the threat landscape for some time. There are hundreds of different bots, backdoors, and other malicious server-side PHP code floating around. But this isn't a problem with PHP, inherently, just as Windows malware isn't a C++ or Delphi problem. Malicious people will use whatever tools are at their disposal to engage in malicious activity. PHP happens to be a particularly powerful and useful tool, but whether one uses it for good or evil depends on the human doing the coding at the keyboard" Brandt says.
So what advice does Andrew have for DaniWeb members looking to mitigate the risk?
"There are two people who face risks from this kind of malware: The owners/operators of websites or web hosting companies, and the hapless web surfers who stumble upon these pages" Brandt replies, continuing "Website owners or hosting companies need to enact strict password policies that require users to create passwords of adequate complexity, and to change those passwords regularly. Passwords shouldn't be allowed to persist for longer than 90 days, to mitigate the damage that can be caused when, for example, the admin who normally uploads content to the server finds their computer compromised by the Zbot, Spyeye, or Koobface phishing Trojans. Anyone who uses an FTP client application on Windows needs to be aware of the special level of risks and threats posed by password stealing Trojans. Computers which are used for the purpose of maintaining websites or web content need to be protected with extra care, and not used for casual surfing, checking personal email, logging in to Facebook, or "letting the kids play games."
What about the web surfers? "Web surfers should protect themselves by using current, up-to-date antivirus, as well as some sort of scripting controls on their browser" Brandt insists, concluding "businesses can use filtering solutions to protect company computers from various attack scripts employees might stumble upon. Firefox has a great third-party add-on called NoScript which, by default, prevents scripts from running in a web page unless the user has selectively chosen to enable a particular site's scripts to run. This can, for example, prevent a rogue script hosted on an advertising server from running, while permitting you to use your favorite news or information website the way you normally would."
by Davey Winder on Sep 10th, 2010, 5:54 am
Everyone loves PHP these days it seems, and that includes the bad guys. So it should come as no surprise to learn that yet another remote access Trojan written using PHP has appeared. However, the fact that this particular bit of PHP backdoor code comes complete with a second, hidden, backdoor within it certainly was surprising to the security researcher who found it. DaniWeb has been talking to that researcher to find out more...
"Is there no honor among thieves anymore?" asks Andrew Brandt, the Lead Threat Analyst for security specialists Webroot, when disclosing the details of his PHP double backdoor discovery. It's a good question, albeit one that just begs an answer of 'was there ever?' to be fair. Being a threat analyst for a leading security vendor, Brandt spends a lot of time picking through exploit code. So it was not unusual for him to find himself examining the internal workings of a PHP remote access Trojan that loads into memory on a target computer when the victim strays upon the iframe which points to the PHP script sitting embedded in a web page. "The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers" Brandt reveals.
In fact, it's fairly standard bad guy stuff, albeit well written bad guy stuff. Until you start to dig a little deeper into the code, as Brandt found himself compelled to do, and find another backdoor embedded within the backdoor itself. "Someone’s bugged this bug with another bug" Brandt says, adding that the second chunk of code looks like a blob of base64-encoded garbage but decoding the base64-encoded text, set into the $dc_source variable, reveals that the bot writes out the commands into a Perl script to execute them. Invoked during the PHP bot's loading routine this commands the original bot to connect to a different control server, operated by another criminal enterprise to the ones that coded the original Trojan. No honor among thieves indeed, using someone else's code and distribution network to spread your own exploit around. You've got to admire the chutzpah of these guys. The 'Data Cha0s Connect Back Backdoor' is not exactly new, it has to be said, as a Google search reveals it first being seen as far back as 2005. The fact that it is still appearing in remote access Trojans being coded and distributed today is, however, rather worrying and suggests the gang behind it are still going strong.
DaniWeb spoke to Andrew Brandt and asked just how dangerous PHP is in the overall security threat landscape scheme of things?
"Many very useful websites or content management systems are built on a PHP framework. That said, PHP can and has been used as a tool for malicious activity, just like Javascript. PHP backdoors, bots, and download code has been part of the threat landscape for some time. There are hundreds of different bots, backdoors, and other malicious server-side PHP code floating around. But this isn't a problem with PHP, inherently, just as Windows malware isn't a C++ or Delphi problem. Malicious people will use whatever tools are at their disposal to engage in malicious activity. PHP happens to be a particularly powerful and useful tool, but whether one uses it for good or evil depends on the human doing the coding at the keyboard" Brandt says.
So what advice does Andrew have for DaniWeb members looking to mitigate the risk?
"There are two people who face risks from this kind of malware: The owners/operators of websites or web hosting companies, and the hapless web surfers who stumble upon these pages" Brandt replies, continuing "Website owners or hosting companies need to enact strict password policies that require users to create passwords of adequate complexity, and to change those passwords regularly. Passwords shouldn't be allowed to persist for longer than 90 days, to mitigate the damage that can be caused when, for example, the admin who normally uploads content to the server finds their computer compromised by the Zbot, Spyeye, or Koobface phishing Trojans. Anyone who uses an FTP client application on Windows needs to be aware of the special level of risks and threats posed by password stealing Trojans. Computers which are used for the purpose of maintaining websites or web content need to be protected with extra care, and not used for casual surfing, checking personal email, logging in to Facebook, or "letting the kids play games."
What about the web surfers? "Web surfers should protect themselves by using current, up-to-date antivirus, as well as some sort of scripting controls on their browser" Brandt insists, concluding "businesses can use filtering solutions to protect company computers from various attack scripts employees might stumble upon. Firefox has a great third-party add-on called NoScript which, by default, prevents scripts from running in a web page unless the user has selectively chosen to enable a particular site's scripts to run. This can, for example, prevent a rogue script hosted on an advertising server from running, while permitting you to use your favorite news or information website the way you normally would."
Subscribe to:
Posts (Atom)
