About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

27 posts categorized "Malware"

06 April 2010

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them.  I focused mostly on “apps” within these social networking communities.   These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

  • Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball).  Do you trust the requestor?  Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you  can install it now and then proceed with your original task.  Do you know the software provider?

  • Review your privacy settings periodically, there are many recommendations  in this regard in the mainstream media (see table at bottom).
  • When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy!  There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!
  • Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it.  If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk.  To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time.  When creating such accounts do be sure they are not endowed with any administrative powers.  Delete all the files they leave behind and perform a virus/spyware scan.  Don’t think of it as being distrustful, think of it as good hygiene.
  • Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials,  tax returns, medical bills/records, …).   This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have  experienced ID theft, you may decide I am not being adamant enough!  Of course, you have to find a happy medium for your circumstances.  Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy

Privacy Recommendation

facebook

High level: NY Times

Very detailed: AllFacebook

MySpace

For better privacy control, switch from profile 1.0 to profile 2.0. 

MySpace recommendation

LinkedIn

Walk-through: Network World

LinkedIn recommendation

twitter

Creating a non-public  twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

Posted by John Brady | | Comments (1)

| | | | |

05 March 2010

The Overly Eager Bird Catches a Worm

The social network phenomenon has shown many benefits.  These sites, such as facebook (FB), have great potential for people seeking friends to hang out with online.  Businesses too are finding it desirable to create a company presence on FB, myspace, twitter, etc.  Given their explosive growth, however, these sites have also attracted an unsavory element looking to exploit such new fertile ground.

Do you recall, back in the early 2000s, when email phishing was a relatively new phenomenon?  Eventually people became savvy about not following links that arrived in email messages from businesses with which they had no established relationship.  You see, in order to compromise your system, eventually the bad guys have to get you to act on their behalf ... so at some point, they have to present you with some “stuff to click on” ... thereby tricking you into giving your operating system (Windows, MacOS, linux, etc.) the go-ahead to install their evil code.

In a similar vein – have you noticed that when you go to play a game on a social site, say FB, you are presented with a dialog-box saying something like "This application requires access to your FB profile.  Do you wish to grant access?”  This is the FB security layer warning you that this application is trying to access your FB profile.  This is like a stranger asking to look through your wallet and record whatever they feel like while they’re in there browsing.  Alarm bells should be sounding in your head!  Let’s see ... a game that’s all sorts of fun to play and has really nice graphics, and which must have taken some people a lot of time to develop, all apparently, “for free”!  Too good to be true?  Gee whiz -- that's a little like those emails I occasionally get from "banks" promising to consolidate all my debt into a "Zero down, 0% APR loan” ... too good to be true indeed.

So, while most FB applications/games are not bogus fronts for bad guys that want access to your personal information, it is also true that some of those ostensible applications are in fact phony.  So be very careful before deciding to unleash these apps on your private information.

In another example of social networking abuse, there was recently a worm blazing its way through FB accounts called KoobFace ("facebook" spelled sideways, sort of).  KoobFace arrives as a FB message from a FB friend in your FB inbox.  When you open it, you are told to check out a YouTube video.  When you click on the link to the video you are sent to a fake YouTube site.  When you try to start the video playback, you are told that your system is missing an important piece of video playback software called a codec (engineering speak for coder-decoder).  It asks if you want to install the missing codec.

Let’s step back here.  At the request of a site that looks like YouTube, you are about to install and run some piece of software!  Are those internal alarms bells clanging loud and clear yet?  They should be.  The supposed missing codec is really a worm.  If you OK installation -- your system is infected.  The worm begins executing immediately, making a few "adjustments" to your Windows Registry to make sure it gets restarted whenever you reboot.  It then proceeds to wander about in your browser cookie cache finding out which social networking sites you belong to.  For each site, it authenticates and then sends messages, in your name, to all your friends!  Of course, those messages are just more infect-o-grams like the one you fell for.  And so the worm turns...

The lesson here is: think twice before accepting requests to "access" your social networking profile(s) from applications, games and gifts.  Moreover, think three times about saying yes when some web site that you have followed a link to recommends you OK installation of software you supposedly need!  If you believe you really might be running an old version of a plug-in, anti-virus program, etc., you should still always refuse the unsolicited pop-up style request.  Instead, you should explicitly type in the URL for the software maker and check if there you are missing codecs or updates to the software.  If there are updates then update your software and retry playing the video. 

If your software is already up-to-date, or if you get the pop-up again after updating, then assume the pop-up is malicious and just skip playing it!  It cannot be worth the inherent risk.  You might even go the extra step to inform the sender of your suspicions.  For example, in this particular case, the “sender” would be surprised you even got an email from them!  You’ll recall, in our scenario, it was the worm that sent it.  This is often how people find out their system is infected so you are doing them a big service.

To read further, here is a link to a technical explanation of how the koobface worm works.

Posted by John Brady | | Comments (0)

| | | | |

11 November 2009

3 Ways to Help Avoid Unauthorized Software

Last week at work, I received an e-mail letting me know of a "lost and found" item that I needed to claim.  So I stopped down at the security office thinking, “Hmm ... did I lose something with my name on it? Did someone see me drop my umbrella or something else I wouldn't have missed yet?”

 

Long story short; I had turned in 2 dollar bills found on the ground back in April, and since nobody had claimed it, I was now the owner.  As Earl would say, “Karma did that.”  But this made me think about all of the things people do to cut corners, or take advantage of someone else’s misfortune.  I'm by no means a knight in shining armor, but I try to be as honest as I can. 

 

I thought about this more as I read an article about a virus infecting the iPhone.  The virus only affected the phones which had been "hacked" or modified to run unauthorized software knowingly by the owner.  Many of us have called, e-mailed or asked the big software companies like Microsoft and Apple to protect us from security vulnerabilities, and they've tried, but often people install unapproved software which removes any chance they had at protecting their own information.  The software industry often calls this "Piracy", but in reality it's also hurting the people taking advantage of it in the long run.  Sure you can get access to all the cool new features of a "hacked" iPhone, xbox or any number of other devices, but in the end is it worth losing any or all information on your device, or even voiding your warranty?

 

Sometimes people don’t realize that they are running unauthorized software on their iPhone or other device.  Here are 3 ways to help determine if software is unauthorized:

 

1. Avoid installing packages with the words "Hacked" or "Free", unless they are approved by the company who sells the device.  All too often people create applications without considering the security ramifications. Despite their best intentions, they may be opening you up to some big vulnerability.

 

2. Avoid those e-mails which offer you a link to the latest software download or add-on for your device.  Remember if you didn't request the e-mail, it's probably a scam.

 

3. When in doubt, ask questions and search for answers. Vendors have customer support for a reason; they are often the best resources for those hard-to-find answers.

 

How are you keeping your information safe this holiday season?

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

04 November 2009

Information Security Concerns in a Pandemic

For a while now, we have been working on the development of a pandemic plan for our company.  Information Technology supports this plan in many ways.  Through the use of technology we can increase the number of employees who can “work at home” and use Virtual Private Networking (VPN) software to remotely connect into our systems to perform their work.  Getting employees out of the office but still having them be productive is a form of “Social Distancing” that can reduce the risk of exposure to disease.

A component of any pandemic plan needs to be communication on what can and can’t be done from an Information Security perspective, even in a pandemic situation.  For example, we only allow company configured machines to connect to our network, even over a VPN connection.  However, not all of our employees have laptops so many, therefore, cannot work at home.   It must be reinforced that information security policy is still policy even in a pandemic, and employees who do not have company laptops must not use email to send documents or data to themselves to work on using their home (or any non-company owned) computer.  This is the same for taking work home on portable USB drives or other media.  Even if you have the best intentions and only want to help your company, you are putting your company at risk of your data being intercepted, copied or lost resulting in a privacy breach.

Why be so paranoid?  Our employees are only trying to be more efficient and effective in a time where 20%-30% of the company might be out sick.  It can't be that bad, right?  Wrong.  A big reason why is “endpoint protection”.  Your company’s endpoints (workstations and laptops) have known, approved and licensed software on them, they have anti-virus software running on them, they are regularly patched for security vulnerabilities and they are free of peer-to-peer sharing software.  Some of your employees' home machines MAY be up to your company’s standards, but what if even one is not?  When your employee is done with their work, are you sure that no backup or temporary files will linger behind?  How many of your employees have children that use the home computer to share music or files?  How about viruses or malware infecting your corporate network once this work is brought back into your production environment?  What if the employee actually loses the USB drive?  Not to mention the risk of a shared or compromised gmail or yahoo mail account.

All of these scenarios can cause data leakage or data loss that can lead to a privacy breach.  According to the most recent Ponemon study that reports on the costs and causes of privacy breaches, “Over 88% of all cases this year involved incidents resulting from negligence.” This leaves only 12% as a result of malicious activity.  This 88% is composed of employees who think that they are doing the right thing, are trying to help and believe that nothing bad can happen.

So, please reinforce to your employees and peers that it is not safe to trust public networks, infrastructure or non-company owned equipment to store or work on company confidential materials.   Even in a pandemic situation were your workforce may be diminished and people are looking for innovative ways to “keep the lights on”, information security policy is still in effect and information security risks, and their consequences, outweigh lost productivity.

Posted by Bill Murray | | Comments (0) | TrackBack (0)

| | | | |

20 July 2009

Ahoy There Me Hearties!

Several weeks ago, I logged into Twitter (@jodoan1) to learn that The Pirate Bay had been sold to a legal software manufacturing company.  For those unfamiliar with The Pirate Bay; they are a website dedicated to tracking torrents which facilitate the piracy or illegal sharing of software and movies.  Like Kazaa and Napster before them, The Pirate Bay has turned over a new leaf and appears to be going down the road of legal file sharing.

So if they can do it; what is stopping you?  I have admittedly violated an end-user licensing agreement or several in my lifetime.  It started when I made a copy of a friend’s Def Leppard tape which he dubbed from his brother’s friend.  The audio quality was about as good as an MP3 ripped at 10kbps for the younger crowd or a Heathkit AM radio for the more mature.  As a poor college student I may have borrowed a friend’s software installation disk to install on my hand-me-down computer.  Likewise, I have burned a few disks for friends and family.  I am remorseful of my poor judgment in the past and I have made it a point to live a pirate free life moving forward.

Is this blog a step in my twelve-step program to pirate recovery?  No.  Well, maybe.  The thought came to me as I was looking to purchase a photo editing program recently.  The software license cost is $300.  WOW!  What a penny to pay when I can find a license key on the Internet for free or have a family member, who is a teacher, purchase the software at the discounted education price of $99.  But why should I implicate loved ones in a crime?  Would you ask a family member to help you steal from the grocery store?  The problem is people see these crimes differently; when in reality, they are very much the same.  “Borrowing” software that is not properly licensed IS a crime and it costs consumers and manufacturers billions of dollars every year.

Besides the obvious ethical concerns around pirated software, videos, music, etc; there are many information security related risks as well.  Users who download media from peer-to-peer or bit torrent sites are more likely to become infected by viruses or other malicious software.  Additionally, the lack of support may outweigh the initial cost of the software if you incur any downtime.  Like any other crime, there is always the risk of being caught.  Those who are caught may find themselves owing tens if not hundreds of thousands of dollars in fines and penalties.  It makes $300 seem like a real deal to me.

You live your life righteously and have never borrowed or copied software; but that doesn’t necessarily mean you aren’t violating copyright law.  How often do you audit your computer network for installed software?  Just because Joe in accounting purchased Quick Books at Staples doesn’t mean that you are properly licensed to have it installed on YOUR company asset.  Users may be downloading freeware tools and evaluation software on your behalf if you aren’t preventing them from doing so.  Ad-Aware offers a no cost consumer version of its software, but commercial installations must be licensed and paid for.

To end an otherwise lengthy debate on ethics and law; I will recommend a few things to keep yourself out of hot water.

1)      Properly license your and your company’s software if you are in a position to do so

2)      Audit your environment regularly to determine whether unauthorized software has been installed.  If the user has a legitimate reason for installing a particular application, see step 1.

3)      Think about your business or your employer’s business the next time you are tempted to borrow a copy of software or other copyrighted material

Finally, the software industry is evolving.  Competition has driven down the cost of many software applications.  There are many “open source” or free applications that are compatible with their expensive name brand counterparts.  Offerings like Open Office, Picasa and AVG are just a few examples of affordable applications that are available.

Posted by John Doan | | Comments (0) | TrackBack (0)

| | | | |

01 December 2008

Security hype

Bill Brenner of CSO Online ran a column recently about fear and hype by the security vendors, especially around the need to "immediately patch the latest critical vulnerability" in a piece of software.

Patches fix holes in the vendor's software and keep hackers from being able to walk through the back door of your system. Applying patches is important. Security vendors want you to apply the patch immediately in case the hackers are pounding on your door right now. Every minute you wait is a minute of exposure.

But most of us don't apply the patches immediately. It takes your IT shop a few days of testing to make sure the patch won't break something else and to tweak the network so everything runs properly again. With so many companies ignoring the vendors, why haven't we had a catastrophic zero-day attack yet?

The truth is that most responsible IT departments use a layered approach to security. They have tools and policies that will generally keep out the malicious software for long enough for IT to complete the tests and apply the patches in an orderly fashion.

So who does get hacked? According to a recent Verizon report, nine out of ten data breaches could have been prevented if the company had taken reasonable security measures, most often applying patches that had been available for years. As Brenner points out, why should a hacker bother to write a complicated new virus to exploit the latest hole when you can still make money walking through holes that should have been patched four years ago?

If you have a solid approach to computer security, you can take the time to test the latest patches properly. On the other hand, if you don't have a dedicated IT team, you probably also don't have the staff to conduct the testing so you should set the patches to automatically update themselves.

Of course, if you're not guarding your infrastructure with the basics (strong passwords, current anti-virus and anti-spyware, firewalls, up-to-date on patches even if not up-to-the-minute, etc.), you need to start now.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

22 September 2008

Rootkits - defined

Every once in a while, security geeks talk about "rootkits" in tones of fear or loathing. Here's what we're talking about and why we worry about them (and why you should, too).

A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In the old unix terms, this was called 'root' access - the equivalent level of authority in Windows is 'administrator'.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can't.

Rootkits are also different in that they generally limit themselves to seizing and holding control of one system - a virus, on the other hand, is will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.

Rootkits frequently masquerade themselves as other files and/or deliberately hide files from programs that are used by legitimate administrators to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.

Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers' computers to exploitation by anyone who knew to look for the backdoor the rootkit created.

To defend against rootkits:

  • Practice safe surfing - don't go to virus-infected websites. Music-sharing, video, software, porn, hacker and other 'gray' websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, "there ain't no such thing as a free lunch". If they're not making money through sales or advertising, they're probably getting something else out of the deal – don't let that something be your computer.
  • Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
  • Keep all the applications on your computer fully patched.
  • Keep your firewall turned on and locked down as far as you can go. This won't necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
  • Turn off your computer when you're not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn't exposed to exploit while it's turned off.
  • If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they're that hard to get rid of.
based in part upon content from Wikipedia

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

28 July 2008

AntiVirusXP2008 warning

Last month, we wrote about scareware and hackers using fake update notices. In the past few days, we've seen a sudden increase in one of these attacks coming from one of the former Soviet republics. This group is exploiting a "DNS hole" to hijack visitors who are attempting to visit legitimate websites (such as a hotel in a common vacation destination like Hilton Head). The hacker redirects the victim to the hacker's virus-infected website, then automatically loads a virus onto your computer. From what we've seen so far, this virus first disables your existing anti-virus program, then slows down your machine and finally starts to present you with a false warning that your computer is badly virus infected and needs to run AntiVirusXP2008 to clean it up (for only $50 which they want you to send to them in Russia). The warning message lists hundreds of "infected" files on your machine. Many of those files are, in fact, on your machine but are legitimate files needed by the operating system.

At Westfield, we normally have to clean up about one infected computer a month. It's jumped to 6 in the past week. Worse, this virus has proven particularly difficult to clean out. Our IT department has found it necessary to completely reimage the machine in order to fix the problem.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you're going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer's defenses every day but many of those updates can't take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

07 July 2008

Fake update notices

A few months ago, we started seeing a new trend where the hacker seeds the internet with websites which will trigger a fake Microsoft alert. When you open the website, you also get a pop-up box which looks just like an authentic Windows pop-up and tells you that you need to update the software on your computer. The security guys are always saying that you should keep your computer fully patched so many people click the link, thinking that they are protecting their computer. According to Tad Heppner of McAfee Labs, clicking on the box prompts an executable window requesting users to install the updates but actually leads to "a true malware cocktail."

Spoofing of the Microsoft Malicious Software Removal Tool (MSRT) is particularly common but all the Microsoft updates have been spoofed in one form or another.

In one recent case, the spoof was triggered by infected 'friend' requests on MySpace. Users triggered the trap when they went to check on the profile of the person trying to befriend them. If you are a MySpace or Facebook user, beware of friend requests from people you don't know and be cautious when surfing other people's profiles.

If you get a request to update software on your work computer, ignore it unless you also received an email from your IT department explaining the update. If you receive the pop-up on your home computer, go to your Control Panel and look for the Security Center. Once there, initiate the check for updates yourself rather than trusting the pop-up. Never click a pop-up that shows up on your computer unexpectedly.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

02 June 2008

Scareware - defined

Have you ever seen a "free" offer to scan your computer for security vulnerabilities? The most common one that I get is a pop-up ad that reads "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." It looks like a great idea. You're offering to test my machine for free so I know what, if anything, needs fixing. Doctors, mechanics, even the lawn guy offers that kind of free screening as a legitimate way to build a relationship with new customers.

Unfortunately, most if not all of these computer scanning offers are scams. They are rogue programs that will always report something that needs to be fixed or cleaned whether the flaw is real or not. They are designed to scare you into believing that there is something terribly wrong with your computer that only their software can fix.

Examples that attack Windows computers include SpySheriff, WinFixer, IEDefender and Cleanator. Interestingly, Mac users ran into this problem for the first time in January with a product called MacSweeper. MacSweeper is so "thorough" that it even finds flaws when it's run against a PC – flaws that can only exist on a Mac.

Most of these are simple attempts to con you out of money or credit card numbers. Some are more malicious and will load spyware onto the computer or even disable your existing antivirus programs.

Never run software from unknown sources. If you do suspect that your computer may be vulnerable, use your own anti-virus and anti-spyware software. Don't trust that "free" offer.

Note: The word "scareware" also includes more harmless pranks such as the program that pops up and says "Erase everything on hard drive?" with two buttons labeled "OK" and "OK". (Nothing is actually deleted in this prank.) Just ignore those pranks.

A few more popup examples:
Infosec_scarewareerrorsafe_2
Infosec_scarewaresystemdoctor_2

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

07 April 2008

Hoax messages about viruses

At some point, all of us have received a "helpful" message from a co-worker or family member warning us about the latest internet virus. Unfortunately, the overwhelming majority of these messages are hoaxes - scare alerts started by malicious people and then passed on by well-intentioned users who think they are helping by spreading the warning. The message itself is the virus, and it depends on your goodwill (and gullibility) to spread.

Do not forward hoax messages. Some hoax messages carry malicious instructions about how to delete certain "corrupt" files - files that actually are not only safe but even necessary to your computer. In others, the hacker offers a convenient link or tool to "check your computer and remove the virus" or "improve your performance". Instead of downloading an anti-virus tool, you're actually loading the malicious software itself.

Even "innocent" messages with no direct malware attached have caused the e-mail systems at some companies to collapse when hundreds of users forwarded a false alert to everybody in their address book.

If you receive an alarm email about a virus from anyone except your own IT department, just delete it, especially if the message includes any "special" instructions. (The instruction to run your own anti-virus program is probably safe but I'd never trust someone else to tell me to load a piece of software.)

If you suspect that the message might be legitimate, forward it to your IT department and let them determine if a wider announcement is appropriate. You can also check at f-secure.com for a good list of known virus alarm hoaxes.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

17 March 2008

Protect your computer from Spyware

Spyware is Internet jargon for advertising-supported software. This type of software often automatically installs itself on your computer without your knowledge in order to collect your personal information and provide it to a website or advertiser. Spyware is hidden in the background and keeps track of your web browsing, what information you enter into forms and even the configuration of your hardware and software. The company receiving this information may use it directly or, more likely, will sell this information about you. Based on this information, you may begin to see incessant pop-up ads, giving the false impression that the Web page being viewed is responsible for the constant annoyances.

Spyware usually is usually hidden in or behind an application that you want to use (such as a music player). When you install the software, the spyware application also installs itself.

In addition to the annoyances of increased spam and advertising, the spyware application ties up valuable computing power and can eventually make it run slower. It can create conflicts with other software on your machine causing programs to lock up or causing your machine to crash. It can even be abused by hackers to steal your password or to take control of your computer.

If you load software from the Internet, read the license agreement carefully. Some companies actually disclose that they will install an application on to your computer and may allow you the option to "opt-out". For example, RealJukebox has the ability to track how you used the program including the number of recorded songs on the computer, the format that songs are recorded in, the user's musical preferences, the quality level of the recordings, and the type of portable player connected to the computer.

You can use specialized software to find and disable spyware applications and to protect your computer. Two of the better-known free-ware applications are SpyBot Search and Destroy and Ad-Aware. Whatever anti-spyware solution you pick, be sure to keep it updated and run it regularly.

Be sure to read all "End User License Agreements" very carefully and make sure you understand what is actually going to be installed on your home computer.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

04 February 2008

Hackers do it for the money

Every so often, people ask me "why do they do it?" Why do the hackers put so much time and energy into committing crimes and sending spam? Why can't they channel all that innovation for good?

The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now in it for the money. They are organized, well-educated and they're making big bucks.

According to McAfee CEO David DeWalt, cybercrime has become a $105 billion business and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement's ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online."

And even if the hacker can't make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still hijack your computer's processing power to attack other systems. The hacker sees your computer as an asset.

Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don't even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

14 January 2008

Most Americans overestimate their cyberprotection

Most people think that they're protecting their computers but few are as safe as they think they are. According to a poll conducted by the National Cyber Security Alliance (NCSA) and the anti-virus company McAfee, 87 percent of Americans say they have anti-virus software. When their computers were scanned (with their permission), 94% actually had anti-virus software but only 52% had updated it in the last month. New viruses are released daily. An out-of-date anti-virus package does you almost no good at all. Most anti-virus packages have an option to update themselves automatically. For almost all of us, that's the right choice.

73% of those surveyed said they had a firewall. 81% had a firewall but only 64% had it activated. That's like saying your money is protected by the steel door of the bank vault but leaving the door hanging open. Never disable your firewall.

70%t said they had anti-spyware software but only 55% actually have it.

The poll also reported that 61% believe they have anti-spam software installed but only 21% do. (In this case, the poll question may have been worded poorly. If your spam filtering is done by your ISP or your webmail provider, you may be protected from spam even though the anti-spam software is not on your specific machine.) Regardless of how you run it, the important point is to have an anti-spam solution.

Oddly, the study found that computers of older Americans tend to be more secure than those of the allegedly-more tech-savvy younger Americans.

To be properly protected, you need current anti-virus, an active firewall, up-to-date patches for your operating system and applications and at least one anti-spyware program running. If you don't, you are taking unnecessary risks with your personal information.

Click here to read the full study results.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

19 November 2007

Recovering from a virus

Viruses, worms and Trojan horses don't get much attention anymore but they're still out there. Do you know what to do when your computer becomes infected?

  • If your anti-virus program is up and running (and there's never any excuse for it not to be), there's a good chance that the anti-virus program will be able to both detect and repair the damage. If you get an alert from your anti-virus program, take it seriously and act on it immediately.
    • Know what your own anti-virus program alerts look like. If you get that obnoxious pop-up when you're browsing the Internet that says "your computer may be infected", ignore that. It's a scam. Clicking the link will install spyware onto your computer.
  • If you are at work, call IT immediately. Do not wait. The sooner they can investigate and clean the computer, the less damage there will be to your computer and to the rest of the network. Do not do anything to the computer until IT tells you to. They may need to try to track down the hacker. Anything you do could muddy the chain of evidence.
  • If you are on your home computer, disconnect it from the Internet immediately. If you are infected, this will minimize the damage by preventing the hacker from sending any more commands to your computer or to stealing any more information from it.
    • If your anti-virus program detects but can not repair the damage, see if there's an update to the virus definitions file that might fix it.
    • If your anti-virus program still can not remove the infection, you could try manual repairs. There are websites which can walk you through the technical steps of manually cleaning up the dlls, registry settings, etc. You will need to know exactly which virus you have and you need to know exactly what you're doing or you might do even more damage to the computer. If you are uncertain, take your computer to someone who can repair it professionally.
    • In the worst case, you may need to reinstall your operating system. Look for a "system restore disk" that probably came with the computer. Reinstalling the operating system usually erases all of your other programs and data files. If you haven't backed up your files lately, it's incredibly stressful – but better than leaving the hacker in control of your computer.
  • Once you've done everything else, it's a good idea to update your anti-virus definitions (again) and run a full scan against your computer. If you haven't checked for software patches and updates lately, you need to do that, too.
  • Finally, you should assume that all your passwords were potentially compromised during the infection. This includes passwords for websites that were cached in your browser. Pick strong passwords when you change them.
based in part on CERT Cyber Security Tip ST05-006

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

20 August 2007

Hackers go commercial

For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is "guaranteed to bypass all anti-virus programs at the time of purchase". Like many commercial software packages, it includes a year's worth of free updates and support for the hacker in the price. Mpack is also disturbingly common. It has been discovered embedded in more than 10,000 web sites so far.

Between the increased availability of these tools and the sheer number of vulnerabilities that they are programmed to automatically exploit, it is vital that you keep your computer's operating system and applications up-to-date and fully patched.

Regularly check for updates and immediately load them. Consider setting them to automatically update. And remember that you have to check for updates for every program you have on the computer, not just the Microsoft updates.

Shut down your computer every night. This limits your vulnerability to automated attacks against your computer. Depending on how your network is set up, it may also trigger your update process, making sure that the latest patches are loaded to your computer when you log on in the morning.

Mpack targets security holes in many common software programs including QuickTime media player, plug-ins for the Firefox web browser and Microsoft Windows. According to researchers at one anti-virus company, this toolkit uses simple yet very sophisticated web-based interfaces and allows the hacker to take control of the victimized computer to either steal information, install keyloggers or use your computer as a "zombie" to attack someone else. You can read this technical report for more about Mpack.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | | |

23 July 2007

New Scams - continued

Last week, we highlighted two of the recent explosion of new scams and frauds. Here are two more examples. Always be alert for suspicious messages and never give out confidential information unless you are absolutely sure who's on the other end of the line.

Dept of Justice spams
The US Department of Justice announced a number of fraudulent emails claiming to be from the DOJ and alleging that the recipients (or their businesses) have been the subject of complaints filed with the DOJ and/or the IRS. The message often contains a "copy of the complaint" as an attachment and offers contact information to resolve the issue. Do not open the attachment. It's a trojan horse and will load malicious software onto your computer. Don't call the contact information either. You'll just open yourself up to a social-engineering scam as the person attempts to scare you into revealing confidential information. The DOJ does not send out email notices for these issues. Read more here.

MySpace worm
Many thousands of MySpace.com websites were successfully attacked by a new and particularly complex computer worm. In this attack, MySpace visitors who are browsing an infected page are redirected to a fake login page that attempts to steal the visitor's username and password. According to one researcher, about one in four falls for the scam. The hacker then changes the code on their MySpace page to trap even more visitors. The redirect works against some recent vulnerabilities in MS Windows and Internet Explorer. The same attack will also install software onto your computer, turning it into a part of a hostile botnet and possibly exposing all the personal information on your computer to the hacker.

Protect yourself by keeping your computer fully patched. By the way, the same research showed that many people choose weak passwords on MySpace, thinking that there's nothing to protect. Remember that hackers use this as an avenue into your personal information. Pick strong passwords even for websites like MySpace. Read more here.

Next week, we'll have an update on the State of Ohio's recent security breach and the relative merits of their "identity theft protection service".

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

09 July 2007

"You've received a greeting ecard" trojan horse

I still remember the first time someone sent me an electronic greeting card. It was kind of hokey but it really brightened up my day. Sending one back was convenient, fun and best of all, free. Unfortunately, someone has recently launched an aggressive campaign that combines the worst aspects of spam and malicious software and is exploiting the popularity of e-cards. The hacker is using pre-packaged software to spam millions of messages across the internet that read with some variation of "You have received an ecard from" a school mate, a colleague or a family member.

If you open the message, you'll see a standard text-only message describing the e-card and offering you a link to a website where you can download your e-card. The messages claim to be from any of several legitimate ecard websites but in the versions that I've seen, the link is a raw IP address (such as http://12.345.67.89), not a domain name (www.example.com). Other versions may get more sophisticated and cover the IP address with a fraudulent domain. The IP addresses trace back to hundreds of different owners. My suspicion is that these are individual machines which have been hijacked as part of someone's botnet.

Opening the email won't do anything immediately bad to your computer (other than waste your time) but following one of the links is another story. Do not under any circumstances follow these links. Merely opening the page will trigger the download of a particularly nasty computer trojan horse which will then attempt to download even more malicious software onto your machine.

If your anti-virus program is up-to-date and running, it should catch and stop this trojan. However, if you get any kind of alert or think that you might have triggered one of these downloaders, you should run a full virus scan on your system. Call your IT department for instructions. Never open a message from an unrecognized sender and never open an attachment or follow a link in a message that you were not expecting.

Note: If you think the email card might be legitimate, you can check by opening a browser and typing the address of the greeting card company (for example, www.hallmark.com or www.bluemountain.com) and follow the instructions on the site to 'pick up an e-card'. This will usually involve entering the email address of the sender and a confirmation number from the email. If the message was legit, it will show up on the website. As long as you type in the address yourself (rather than following a possibly faked link) and you're going to a major company that you trust, it should be safe to check.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

18 June 2007

FBI Botnet Investigation

The FBI just announced the largest ever cybercrime investigation to disrupt and dismantle "botnets" and to prosecute some of the ringleaders in these criminal activities. So far, they have identified about 1 million compromised computers across the country. The FBI is working with the CERT Coordination Center at Carnegie Mellon Univ to notify the victim owners of the computers.

So far, the FBI has charged 3 people with cyber crimes as a direct result of this investigation; one hacker in Texas accused of infecting tens of thousands of computers, one hacker in Seattle accused of using botnets to send tens of millions of spam messages and one hacker in Kentucky accused of using botnets to disable other systems.

Note: The FBI will not contact you online and request your personal information. Nor will they offer to clean your computer for you. As word of this investigation gets out, be wary of fraudulent message appearing to come from the FBI or some other agency and offering to "fix" your computer for you. If you receive such a scam, file a complaint online with the Internet Crime Complaint Center or call the nearest FBI office.

A botnet is a network of other people's computers all controlled by a hacker. In a typical botnet setup, the first hacker uses viruses, worms or trojan horses to install malicious software (the bot) on your computer without your knowledge. The hacker builds up the network as large as possible – tens or even hundreds of thousands of compromised computers. He then rents out the right to use his network of hacked computers to the highest bidder. The second hacker sends out the command messages to all the hacked computers telling them to execute their attack. Examples of attacks might be distributed denial of service (flooding the target with so many requests that the real traffic can't get through), publication of phishing emails, click fraud and mass distribution of spam and spyware.

Unfortunately, the hacked computer's user might not even notice that his/her computer is being used by someone else. Look for slow performance, an outbox full of mail you didn't send or messages saying that you've sent spam. Any of these would be reason to investigate your computer carefully.

If you think your computer might be infected, contact your Technical Support immediately.

Take the following steps to protect your computer from being captured in a botnet:

  • Pick strong passwords
  • Install anti-virus software and keep it up to date.
  • Install a firewall and keep it turned on.
  • Keep your computer's software fully patched.
  • Install and update anti-spyware software.
  • Be careful what you download.
  • Turn off your computer when you're not using it.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

14 May 2007

Sober worm resurfaces

Symantec, a computer security company, recently announced that they have seen a significant increase in message traffic containing a new variant of the old Sober worm. This email (generally written in either English or German) hides the malicious code in an attachment and uses social engineering in order to con the user into opening it.

The known English versions of the message read either
You notified us that you have forgotten your password. We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file.
or
Your eMail has occurred an unknown error on our Server. Please read your mail and check the text. The full email is attached!

More variations of the wording of the scam email are likely to appear over time. The message can seem to come from anybody and could appear to come from a trusted institution like your bank. The attachment could be under several different names but so far have all been .zip files. (.Zip files are sometimes not as well screened by anti-virus programs.)

While this is probably not going to be a particularly dangerous worm, it is a reminder to:

  • Never open attachments in unexpected emails
  • Always keep your anti-virus software up to date.

The Sober worm was first released back in October 2003. Variants remained in circulation and caused significant damage for several years. The last major variant of this worm was in 2005. The hackers sending out this worm typically set it to take over PCs, send spam, download keyloggers, install rootkits, etc.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

Next »