Saturday, January 30, 2010

Media has more stories on password security; problem at "Rock You"


Ashlee Vance ran a story about password security in the Jan. 20, 2010 New York Times, “If Your Password is 123456, Just Make It Hack Me.” The story discusses weak passwords, and the difficulties many home users have in keeping track of many different passwords for different sites. The link for the story is here.

The story reports an incident where about 32 million passwords for social networking sites like Facebook and Myspace were stolen recently from a company named Rock You. The story recommends that users of these sites change their passwords, and use only the strongest passwords. Here is the Rock You statement on the problem, web URL (link).

In the Washington DC area there have been news stories about how some students at a Maryland high school (Churchill), by Michael Birnbaum and Jenna Johnson, link here.

Friday, January 29, 2010

Ransomware and Rogueware: Holding your computer hostage


Here’s another scary story from “The Red Tape Chronicles”, by Bob Sullivan and Panda Labs, “Can your computer be held hostage?: Give me your money, or your computer gets it,” link on MSNBC here.

The latest fad is rather brazen: ransomware. Rather than just phishing attacks and fake anti-virus products, now criminals try to infect machines with programs that disable the machine or encrypt all files until a “ransom” is paid. This is even more aggressive than a category that the FBI calls “rogueware”

F-secure has a report (link “Ransomware: Buy Back Your Own Files”, (web URL)link) on a particular virus called Trojan:W32/DatCrypt which make the user believe that certain common files (like Word documents) have been corrupted. It will invited the user to download and install “recommended file repair software”.

Earlier this month I had an encounter with “FakeAvJs” which Webroot was able to quarantine immediately (see Jan 6).

Wednesday, January 27, 2010

Phishers become even more subtle, especially with banks


“Phishing attacks” continue to become more subtle. Today, I saw an email purporting to come from Wachovia, and saying that random bank accounts had been selected for “audits” and offering a link to log in for the “audit.”

It’s probably a good idea not to even allow hyperlinks and html to show if your email viewer (AOL) allows you to keep this disabled. I don't know how effective ISP email virus scanners for embedded malware (as in AOL's filter) really are.

Monday, January 25, 2010

Another serious teen cyberbullying case in Massachusetts


The media has reported another serious incident of cyberbullying (apparently with Facebook and text messages) at a high school in South Hadley, MA, resulting in the self-inflicted death of Irish immigrant Phoebe Prince.

ABC News has a video story here, and Boston.com has a story by Kathy McCabe here.

Internet lawyer Parry Aftab commented that cyberbullying sometimes leads to “cyber mobs.”

Saturday, January 23, 2010

A quirk in the Windows Update process on Vista: another vulnerability?


I noticed a little vulnerability in the Windows Update procedure for Vista this morning. While I walked away from the computer, it installed a Cumulative Security Update, and restarted the machine. But after the Step 3 of the configuration process and restart, it brought up all the Internet windows that had been open before. In the meantime, it takes Webroot Spysweeper up to a minute to reload, while Windows Security Center says that the computer is not protected.

The websites open were MSN Dell and Google, so I don’t think there could have been any harm. But there is a slight chance that had the computer had a riskier and less known website open, that during that minute that it took Webroot to reload, infection could have occurred.

The automated reboot process should not re-open Internet Explorer and other browser windows that were open before. The user should open them manually after security is reloaded.

Thursday, January 21, 2010

AT&T, Facebook mixup makes case for much tighter authentication tracking


Here’s an interesting mixup: over this past weekend, some AT&T smartphone users found themselves logged on to other people’s Facebook accounts.

Ars Technica has an interesting discussion (here) by IIjitsch von Beijnum on how this might have happened, here, and it seems both AT&T and Facebook have some explaining to do AT&T has a text statement here). Some of the problem is that websites do a lot of user authentication themselves before throwing web pages at users. In communications between two companies, there may be a “catching proxy” that doesn’t check the cookies closely. Ars likes the practice of Amazon, demanding reverification before a purchase (which I noticed they started about six months ago).

Peter Eckersley at Electronic Frontier Foundation adds some more suggestions, including the idea that Facebook and other social networking sites use https for everything (that would be a big help on wireless security, too). The article is “Some lessons from the AT&T/Facebook Switcheroo”, link here.

All of this reminds me of the discussion of how to prevent email sender spoofing, which seems to have lost traction in security discussions these days; it was a hot topic five years ago.

Wednesday, January 20, 2010

Tech Republic offers discussion of Flash cookies and privacy


Bill Detwiler’s TRDojo has a video today on Flash cookies, which are more elaborate than html cookie, even though they use the same .sol extension. (“SOL” is the acronym for “standards of living” in Virginia, so it’s a funny pun.) They are larger, and can store and invoke more information on the visitor’s computer through applets. Adobe, however, offers users many ways to control the use of flash cookies on their machines, including monitoring the websites that place them. The link for the video is here.

Better Privacy 1.45 of the Firefox browser also offers ways to control privacy cookies. The link is here.

I presume that Webroot Spysweeper can identify them as spy cookies; a search shows up a reference under Window Washer here.

Monday, January 18, 2010

Businesses consider installing Faraday cages to cut down on computer microwave or wireless attacks; would home users be next?


Steve Lohr has a Business Day article in the New York Times today, Jan. 18, “Companies fight endless war against computer attacks,” web URL link here. The print version has a humorous intro: “The Lock that Says ‘Pick Me’” – with a bump key.

Some of the newest malware turns on and off cell phone cameras or webcams, for spying. The article discusses the idea of businesses building Faraday cages to stop drive-by wireless or cell phone spying. Now, Faraday cages have been developed for the military, government and large businesses, to protect infrastructure from possible EMP (electromagnetic pulse) or microwave attacks (optical data is not affected, just magnetic). From the article, it sounds feasible that computer manufacturers like Dell could consider designing and manufacturing smaller cage like devices to protect home or small business users.


Popular Science had written about Faraday Cages back in September 2001, just before 9/11.

Picture: Jupiter, at least, is well protected by its electromagnetic fields.

Update: Jan 19

I've noticed that whenever I turn on my repaired XP computer, Kaspersky checks for updates and updates (through Internet) immediately. In my experience, neither mcAfee nor Webroot Spysweeper are as consistent in doing this so promptly.

Sunday, January 17, 2010

A homework report on Kaspersky, with an older computer


I finally got my old Dell 8300 computer (from 2003) back and set up again, with the hard drive replaced by Best Buy. I’ll have to get with Mozy on recovering all the data, as the hard drive was unrecoverable, but I set up Kaspersky today.

A couple of interesting points came up. It asked me to activate online and asked for a customer code in the parsed format. What I found on the Best Buy green CD was a “product code” in that format. It did not activate the first time, but Microsoft insisted on catching up with its XP updates. Upon restart, it took the code, and then went into a long update, updating the virus signature files and entire engine. In the meantime, Windows was reporting no anti-virus protection and no firewall. The update sat at 99% for a long time (about ten minutes) with a left-moving graph of the transfer. It didn’t tell the customer how big in meg the update was. Finally it finished and asked me to Restart, but the Restart button did not remain visible for more than a couple seconds. So I restarted it through windows, and then all the protections (anti-virus and Firewall) came up normally.

I loaded Microsoft Windows 2002 from my old CD’s, as well as Front Page (neither any longer supported, but I had the original boxes and product keys) and Final Draft 6 (again, an old licensed CD). Kaspersky warned me that Final Draft was a potentially “dangerous” program.

I then loaded some data from my zip drives, as well as Firefox and Google Chrome. Finally, I ran the Kaspersky Quick Scan, and then the Full Scan, which took about a half hour. The scan reported some vulnerabilities in the 2002 Microsoft Word and Excel, and gave the numbers. That makes sense, as these are old versions of the products. I should not open any .doc or .xls documents found on the Web by search engines on this computer unless I pay for Microsoft’s upgrade on this machine, too.

Friday, January 15, 2010

Chinese attacks exploit Adobe "zero-day" weakness, Microsoft IE vulnerability; could be on web as well as attachments


There are numerous media reports that a supposedly patched vulnerability in Adobe’s PDF software was used to spread viruses that would give attackers access to critical intellectual property resources of a number of US technology companies, including but not limited to Google (and GMail). The scuttlebutt is that the attacks originated in Taiwan and somehow had the blessing or backdoor participation of the Chinese government.

Generally, home users, mostly overseas and mostly in China, got infected by clicking on PDF attachments to emails as in phishing attacks. But infected PDF’s could be out on the Web and be brought up by any search engine. Any user in the world could be infected. It’s not clear in McAfee, Norton, Webroot, Kaspersky, etc. have fully updated their definition files for all threats associated with these attacks yet.

In the past, Adobe has been considered safe. Microsoft Word documents have long been known to be capable of being infected (as with the “concept virus” of the mid 1990s) but home users have felt less reason to be wary of PDF’s. Until the problem is completely resolved users should be comfortable that PDF’s they click on come from reputable sources.

An article in Webpronews (by Chris Crum) gives some details, relating to a hole in Microsoft Internet Explorer and a “zero-day vulnerability” in Adobe Reader. The link is here. This would imply that browsing PDF files through Mozilla would not bring about the vulnerability, and computers which use Mozilla or Chrome as default browsers may be safer right now.

Wired News has a similar "Threat Level" story by Kim Zetter here.

Microsoft has a Security Advisory 979352 about the IE vulnerability here. In looking at the Update History on my own machine (Vista) I could not see that it had been applied yet.

Last summer US-CERT also published a report of a vulnerability in Adobe Flash Player, here.

Thursday, January 14, 2010

Windows Firewall and Ipswitch: an incident at home


Last night, while connecting to my doaskdotell domain with Ipswitch WS_FTP_12, I saw that the domain pane refused to populate, and then Windows Firewall warned me that it needed permission for me to continue. I did. The FTP stalled for about twenty seconds, then gave the notorious FTP “train horn” sound (minus Doppler effect), but the directory (the movies directory on the site) still would not populate. When I navigated up the site map populated, and then back down the movies directory populated normally.

I suppose that my ISP’s FTP server could have had some connectivity problems momentarily, but is that how Windows Firewall is supposed to behave? Normally Ipswitch does not require permission from the Firewall (or maybe I gave it permission once when I installed it). Does someone know how it Windows Firewall behaves in this sort of situation?

Wednesday, January 06, 2010

Troj/FakeAvJs-A virus pops up


Tonight I was surfing for information about the History Channel’s “Apocalypse Man” when on a particular site, I suddenly got warnings that my computer was infected, that ran in a loop and did not really come from Windows Vista, but pretended to. I saw a warning from Webroot Spysweeper to run the sweep immediately.

Besides the usual spy cookies, The sweep found one virus in the registry keys: “Troj/FakeAvJs-A”. The quarantine report also listed “Mal/FakeAvJs-A” and a level 5 adware program “FakeAlert.gen”. Webroot reports that the items were successfully quarantined. The computer was restarted and then rebooted cold without incident.

The site that seemed to cause the FakeAvis script is rated as green by McAfee.

I notice also that Webroot uses anti-virus resources from Sophos, story (url). Apparently this virus was involved in a fake ad attack on the New York Times last fall, sophos labs story here.

Sunday, January 03, 2010

Do Jihadist sites distribute malware?


In view of the discussion today of jihadist websites in relation to Yemen and the recent Detroit Incident, I thought it would be interesting to look around to see if there were many reports of malware on some of these sites, reportedly having weapons information for “do it yourself” operatives.

A Wordpress blog called “The Black Flag” has an entry from November 2006, “The Electronic Jihad (that wasn’t)”, link here.

Most of the tools deal with DDoS (Distributed Denial of Service) or defacement attacks against “anti-Islamist” sites. But the post writer did some gumshoeing, throwing and receiving packets from servers in Helsinki and London, using techniques used by ISP’s or companies to stop DDoS events on their servers. He said that the “tools” were unimpressive. But they could create problems for sites with bandwidth limits and overage charges.