Wednesday, June 30, 2010

Legitimate websites attacked much more often than "adult" sites; Acrobat security update

Help Net Security has a couple of major stories today, including an interesting one “Infected legitimate websites outscore adult 99:1” with link here. For example, in the UK there were more infected (probably by SQL injection) sites with the word “London” than with “sex”.

The story discusses the infection of Vodafone, as a recent example of “HTML:Script-inf” as an evolution of JS:illRedir and JS:ilIiframe exploits, which apparently have been known in Microsoft Windows systems for only about two weeks. So expect more security patches this week.

Adobe released a major patch today for Acrobat Reader, one requiring a restart to take effect. Dan Kaplan has an article "New versions of Reader, Acrobat close publicized flaws" in SC Magazine (web url) here.

Monday, June 28, 2010

Windows Firewall warnings; DoS RST warnings on logs from home routers

Today, I got an unusual warning from Windows Firewall and Internet Explorer when going to a particular television station website. I had to allow it, and then I restarted the machine. I did not get the warning again, and Webroot Spysweeper found no malware (other than the usual few spy cookies). I did not encounter any problems with Firefox or Chrome, and Web of Trust marks the site as green (good).

I went and looked at my home router logs, and found a few entries like this at about that time:

"[DoS Attack: RST Scan] from source: 65.55.197.115, port 80, Monday, June 28,2010 07:55:21"

Domain Tools showed that the IP address belongs to Microsoft, so I can only guess that an ad on the television station website tried to open an unusual and non-permitted port. Or perhaps it’s a real “Microslop” bug, since it’s not repeatable. The logs showed no evidence of neighborhood "wardriving."

NetGear’s own forum is here.

Apparently iPillion (here) collects complaints by ISP.

According to this writeup routers normally warn of attempted attacks. But why the Firewall problem? The warnings are usually on Port 80.
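To make sense of entries like the one quoted above, here is an added example (my own code, not NetGear's or anything from the forum posts linked) that parses log lines in that format, counts events per source address, and flags only sources that produce a burst of entries inside a short window. Apart from the quoted 65.55.197.115 entry, the sample lines are constructed; the regex, the 60-second window and the threshold of three entries are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the style of the NetGear entry quoted in the post.
# The 65.55.197.115 line is the one from the post; the rest are made up.
SAMPLE_LOG = """\
[DoS Attack: RST Scan] from source: 65.55.197.115, port 80, Monday, June 28,2010 07:55:21
[DoS Attack: RST Scan] from source: 65.55.197.115, port 80, Monday, June 28,2010 07:55:23
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443, Monday, June 28,2010 08:02:10
[DoS Attack: RST Scan] from source: 203.0.113.7, port 80, Monday, June 28,2010 08:02:11
[DoS Attack: RST Scan] from source: 203.0.113.7, port 80, Monday, June 28,2010 08:02:12
[DoS Attack: RST Scan] from source: 203.0.113.7, port 80, Monday, June 28,2010 08:02:13
[admin login] from source 192.168.1.5, Monday, June 28,2010 08:10:00
"""

# Assumed format: "[DoS Attack: <kind>] from source: <ip>, port <n>, <weekday>, <Month> <day>,<year> <time>"
LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<ts>.+)$"
)


def parse_line(line):
    """Return a dict for a DoS-attack entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%A, %B %d,%Y %H:%M:%S")
    return {"kind": m.group("kind"), "ip": m.group("ip"),
            "port": int(m.group("port")), "ts": ts}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events, window_seconds=60, threshold=3):
    """Count entries per source IP and flag sources that log at least
    `threshold` entries inside any `window_seconds` window. A lone entry is
    usually noise; a burst from one source is what makes a scan look real."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1
                break
    counts = Counter(e["ip"] for e in events)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(parse_log(SAMPLE_LOG))
    for ip, n in counts.most_common():
        print(f"{ip}: {n} entries{'  <-- burst' if ip in flagged else ''}")
```

A single RST entry from an address you were just exchanging traffic with (a web server, an ad network, a Microsoft address behind a page you loaded) is usually a stale connection being torn down; consumer routers label a great deal of such ordinary traffic as a "DoS attack". Repeated bursts from one source, which is what the window check isolates, are the entries worth a closer look.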

Thursday, June 24, 2010

Watch those Twitter tiny url's (World Cup scam)

Webroot warned followers today about a tweet purporting to sell a vuvuzela horn filter, referring to an obnoxious horn familiar to viewers of the World Cup soccer match. The "Threat Blog" entry is (web url) here.

A site called “Next Advisor” has a story on the matter with a picture of the tweet, talks about similar scams involving weight-loss products, and recommends using url-lengtheners or previews before clicking on tweet tiny-urls (unless you know the person or company you’re following, and you should.)

Even the president uses twitter, as he mentioned today at the White House.

Tuesday, June 22, 2010

Firefox offers "https everywhere" protection for web surfing (EFF has article, links)

Peter Eckersley has an important piece on the Electronic Frontier Foundation (EFF) site today “Encrypt the Web with HTTPS Everywhere Firefox Extension”, link here.

The article provides a link to install an app that forces every web access from Firefox to presume that the access is encrypted. Once installed, unencrypted sites will provoke a warning, which Firefox allows you to override (the security certificate check) if you trust the site.

The article warns that https access from sites that say they have security certificates does not always have completely adequate encryption.

The feature would be particularly helpful in wireless environments, particularly when “on the road”. Windows firewall has been criticized as not able to protect users from tapping of unencrypted output from their computers. (Home wireless networks, which Comcast and other isp’s are encouraging customers to install, raise a good security question, since their router range can be considerable, although in residential areas the risk is probably rather minimal. It’s a good idea to pay attention to physical traffic in your neighborhood, as good home security requires anyway. Another remote risk is that a parked party could monopolize your bandwidth; I’ll look into how to check for unauthorized remote access to your home network later.)

My own doasktotell.com does not have a security certificate because it never collects personal information, does not require a user login, and in particular does not process credit cards. (All my commercial activity goes to third party sites like bn, amazon, and iuniverse.)

You must actually open the EFF link while browsing from Firefox to install the “sub-app” (an xpi file) successfully. From IE, Windows Vista cannot figure out what kind of file xpi is. You don’t get prompted to restart the machine, but that’s probably a good idea, since it would have to change your registry. The sub-app also works on the Mac.

I suspect that Microsoft will soon offer a similar feature for IE with a scheduled security update (for Vista, 7, and XP). It will probably be a large and somewhat complicated update.

Thursday, June 17, 2010

Web and mobile personal location tracking presents home and identity security issues

Paul F. Roberts has a piece in Infoworld “Location services: The security risks of oversharing: The vulnerability of Web applications and the sensitive nature of personal location information will prove a disastrous combination”. Webroot guided its followers to a tweet on this story today (link).

For example, you register for a conference, the website for the conference sends your registration notice to Facebook and your friends find out. For professional reasons, that’s good; for home security for some people or families in some situations, it isn’t. Similarly, Twitter offers location tracking (voluntary), but that tells people you are out of town. If you’re an entertainer trying to attract gigs, you want to be found. But you don’t want to be found by a stalker. The same goes for cell phone and blackberry devices, and even iPad.

The other risk is hacking of mobile devices and laptops (or their theft) while you’re out and about, with the usual dangers to identity security and even maybe bank accounts.

Still another conceivable risk is to one’s own confidential information on the job. In some jobs, one’s actual location might imply a breach of confidentiality.

Lest this sound paranoid, remember there are hundreds of millions of users of these services; it’s a few bad incidents that get the media attention. But there’s nothing like having good home security, and being able to keep up with everything when you “play on the road.” Every professional plays “visiting team” and bats first a lot of the time.

Tuesday, June 15, 2010

Webroot notes a trojan that runs only on the newest platforms, but not even on XP

Webroot’s blog has a story about the Trojan-Downloader-Tacticlol which is unusual in that it runs in Windows Vista or 7 environments but simply exits as if finished (and does nothing) in an XP environment. Sometimes older operating systems are safer, maybe? The link is (web url) here.

Webroot notes that antivirus companies will now have to focus their research on new platforms as well as older, more familiar systems.

Saturday, June 12, 2010

Wave of "SQL injection" attacks, loading scareware, reported recently against some major companies; also Wordpress sites get attacked

On Friday June 11, at midday, Webroot sent a tweet advising followers of a new wave of malware attacks on major corporate sites with a technique called “SQL injection”. The source story is by Angela Moscaritolo, and is titled “New wave of website attacks seek to spread malware”, with link in SC Magazine here. One company providing news about this wave is Sucuri Security (website) which offers services protecting websites from hacks and blacklisting. A blog at this website has an entry yesterday giving a technical explanation of the attacks. The title of the posting is “Mass infection of IIS/ASP sites – 2677.in/yahoo.js”. The blog posting names some major corporate sites attacked, including Ameristar, servicewomen, Chicago Public Radio, Industry Week, Book Seller and Publisher, and Spain Holiday. (No, I won’t give links to the urls!) The posting also displays the source code of the yahoo.js script (which loads the malware from “2677.in/ie.html”) and shows a demonstration sucuri scan against Ameristar. On June 8, Sucuri had reported a number of sites infected with a similar hack to “robint.us/u.js”.

Microsoft is saying that the hacks demonstrate vulnerabilities in third-party applications and not in ASP or IIS itself. Nevertheless, next week I would expect more big patches from Microsoft (with the lengthy restart and reboot times at home!).

The SC Magazine article has a link to another story by the same writer, “Widespread attacks continue against Wordpress sites” and some other sites based on PHP platforms. Sites hosted by a number of well known WP hosts were affected, and these include DreamHost, GoDaddy, Bluehost, Media temple and HostGator. I had discussed these hosts for WordPress on a March 11, 2010 posting on my “IT Job Market” blog (see my Profile). WordPress might have become vulnerable because it often uses MySQL, which could open it to SQL injection attacks. Blogger does not seem to have been implicated, since it has a different kind of database engine.

To my knowledge, IBM mainframe database DB2 (and similar mainframe products) has not been vulnerable to this sort of attack, and I have never encountered a discussion of it in a textbook or encountered a question about it on a Brainbench certification test. IBM mainframe security for database products still seems a leap ahead of many Unix and especially Windows-related products, and this should be borne in mind by companies (and government agencies) where security breaches would be disastrous (as with banks). This is true even though direct-connect to DB2 from the web is possible (and I have worked with it in the past myself). But from my own experience, Sybase (on Unix platforms, which I have worked with in conjunction with java and powerbuilder) also provides similar very reliable security, to a degree considerably safer than common with smaller and cheaper SQL databases offered by ISP’s.
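The mass injections described above, and the WordPress/MySQL concern, come down to one mechanism: user-supplied text is spliced into the text of a SQL statement, so a quote character in the input changes what the statement means. The following is an added example (my own code, not from the post, Sucuri, or any site or product named here): a search function in its vulnerable and parameterised forms, run against a constructed in-memory SQLite table so it runs anywhere. The table, titles and function names are assumptions for the demo; the `?` parameter binding shown is the same control the database drivers behind ASP and PHP pages provide, and it is the application's use of binding, not the database engine, that decides whether injection is possible.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'articles' table of the kind a news
    site's search page would query. Row 2 is unpublished and should never
    be returned by a search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("London traffic report", 1),
         ("Draft: unpublished piece", 0),
         ("World Cup roundup", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    # Vulnerable: the search term becomes part of the SQL text, so a quote in
    # `term` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # Hardened: the term travels as a bound parameter; the driver never parses
    # it as SQL, so quotes and comment markers are just characters to match.
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both versions on an ordinary term, on the textbook injection
    input, and on a legitimate name containing an apostrophe."""
    conn = make_db()
    textbook = "' OR 1=1 --"   # the classic illustration: closes the literal, appends a tautology
    results = {
        "normal_vuln": search_vulnerable(conn, "London"),
        "normal_safe": search_hardened(conn, "London"),
        "injected_vuln": search_vulnerable(conn, textbook),
        "injected_safe": search_hardened(conn, textbook),
        "quote_safe": search_hardened(conn, "O'Brien"),
    }
    try:
        search_vulnerable(conn, "O'Brien")
        results["quote_vuln_error"] = False
    except sqlite3.OperationalError:
        # An honest apostrophe breaks the concatenated statement outright.
        results["quote_vuln_error"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated version the tautology input returns every row, including the unpublished draft, while the same input in the bound version simply matches nothing. The wave reported by Sucuri used the same splice point to append statements that wrote a script reference into stored page content, which is how the yahoo.js loader ended up in pages the affected sites served; parameter binding closes both the read and the write path, and a scanner such as the one mentioned below can only confirm that the binding is actually in place.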

A company named Acunetix can scan sites for SQL injection vulnerabilities (link ).

Home (and business) users may experience scareware infection without symptoms.

On Jan. 6, my Vista machine showed a scareware fake anti-virus ad, which went away when the browser window was closed. A Webroot scan that day found three viruses (Troj/FakeAvjs.A, Mal/FakeAvJs.A, and Fakealert.gen), and quarantined them. No more symptoms appeared. But on “Blizzard Day” Feb. 6, a Facebook ad would not go away until a browser window was closed. A Webroot scan quarantined Troj/ByteVer.g. These trojans seem related to the “New York Times” case last September.

Scareware SQL-injections seem to have been going on since the summer of 2009, judging from quick searches.

It’s advisable to run anti-virus scans frequently, especially after data definition files have been updated or new anti-virus engines have been installed. These may detect and quarantine scareware trojans not causing symptoms. To date, it seems as though ordinary anti-virus scans do remove these trojans. But it seems that “corporate America” – the establishment – no longer provides completely safe surfing.

Friday, June 11, 2010

AOL suggests clearing browser caches; more questions on cookies (not the same as cache)

AOL Discover today has a brief discussion of the security advantages of deleting your browser cache regularly – including protecting personal information from hackers. I’m not sure it’s such a big deal – it would seem that the quality of wireless security (from “wardrivers”) for stuff going out could be an issue. The article is titled “How to clear your cache (and why you’d want to)”, link (web url) here.

I've noticed that browsers are a little different. Sometimes when a high speed connection is down, Mozilla will keep displaying a cached Google search page, whereas Chrome will not. However, Chrome will display all our "tabs" (those don't require page requests) but if you click on a tab, even if the connection is down, it sometimes will display the static portions of the page from the last time, based on the cache (which is not the same thing as a cookie).

I also wonder, when it comes to cookies, how Webroot Spysweeper decides what's a potential spy cookie. It often flags doubleclick during scans.

Wednesday, June 09, 2010

Email service providers using geographic tools to warn users of hack attempts

Mark Kellner has an interesting and sobering column on p A5 of the Wednesday June 9 Washington Times, “E-mail violators strike quickly”, link here. The main topic of the article was the possibility of hacking into someone’s email account to send spam, which should be understood separately from spoofing the sender address of email accounts. It would sound as though such activity could put an “innocent” user at risk of losing an account for TOS violations or, in rare cases, prosecution – a possibility of some legal controversy (this might happen too because of simply hacking a person’s Internet or wireless connection; actual prosecutions or job terminations have been rare but have been covered on this blog.)

While preaching the usual morality lesson about using strong passwords and sometimes actually changing them, Kellner also mentions a service offered by some email providers to detect sign-ons to email from locations separated geographically by an unreasonable distance. Google offers this for gmail users, as the company explained on March 10 here.
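Kellner's article mentions providers flagging sign-ins from places too far apart to have been the same person. As an added example (my own code, not Google's or any provider's implementation), here is the core of such a check in Python: given a constructed sign-in history with approximate city coordinates, it computes the great-circle distance between consecutive sign-ins and flags any pair whose implied speed exceeds what an airliner can do. The cities, timestamps, coordinates and the 900 km/h cut-off are assumptions.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(logins, max_speed_kmh=900.0):
    """logins: list of (timestamp, place, lat, lon) for one account, any order.
    Returns (earlier_place, later_place, km, hours, implied_kmh) for each pair
    of consecutive sign-ins that would require travelling faster than
    max_speed_kmh. 900 km/h is roughly airliner cruise speed (assumed cut-off),
    so anything faster cannot be one person carrying their laptop."""
    ordered = sorted(logins, key=lambda e: e[0])
    alerts = []
    for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(ordered, ordered[1:]):
        km = haversine_km(la1, lo1, la2, lo2)
        hours = (t2 - t1).total_seconds() / 3600.0
        if hours <= 0:
            # Same second: any distance at all is impossible.
            speed = float("inf") if km > 0 else 0.0
        else:
            speed = km / hours
        if speed > max_speed_kmh:
            alerts.append((c1, c2, round(km), round(hours, 2), round(speed)))
    return alerts


# Constructed sample sign-in history for one account (approximate city centres).
SAMPLE_LOGINS = [
    (datetime(2010, 6, 9, 8, 0), "Washington DC", 38.90, -77.04),
    (datetime(2010, 6, 9, 8, 45), "Lagos", 6.52, 3.38),
    (datetime(2010, 6, 9, 20, 0), "Washington DC", 38.90, -77.04),
    (datetime(2010, 6, 10, 9, 0), "New York", 40.71, -74.01),
]

if __name__ == "__main__":
    for earlier, later, km, hours, kmh in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"{earlier} -> {later}: {km} km in {hours} h = {kmh} km/h")
```

Only the Washington-to-Lagos hop 45 minutes later is flagged; the return twelve hours on is within reach of a flight and passes. In a real service the coordinates come from geolocating the client IP address, which is coarse and is thrown off by VPNs, corporate proxies and mobile carriers, so a flag like this is a prompt to warn the user and ask for extra verification, not proof of compromise by itself.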

Another topic of importance in spam control is the effectiveness of captchas. There are many instances where spammers have overcome them (by capturing huge amounts of computing power), and making them stronger and more effective does seem like an important issue.

Monday, June 07, 2010

Scareware and ransomware: major player busted; lax regulation of credit card industry is part of problem (Watchdog report cited by Webroot)

A Webroot tweet this evening informed visitors of an article about scareware in “The Last Watchdog”, with the link here.

The article describes the takedown of a company called “Innovative Marketing”, which operated from 2004 to 2008 and reportedly grossed $163,167,539.95 from the “sale” of fake anti-virus programs. The company was able to take advantage of lax security in the credit card industry.

Panda Security says “Scareware continues to flourish because it’s a highly profitable and sustainable business model”, and the “sustainability” is an ironic characterization, given the nature of today’s debates about morality. The article also recounts the activities of Andrej Sporaw and “iframeCASH.biz”. Sporaw put together a scheme recruiting “affiliates” to infect webpages to serve up pop-ups.

Another variation of scareware is “ransomware” which locks out the victim’s computer until he or she pays a “ransom” for a license key to unlock the computer.

Sometimes cybercriminals have paid to have infected pages turn up high on search engine rankings. And as Josh Levs recently reported on CNN, social media have been compromised for new kinds of phishing attacks.

A Webroot researcher named Andrew Brandt is quoted as saying “If the world can demand that Swiss banks reveal the names of customers living in countries other than Switzerland who might be violating tax laws in their home countries, then the world should also be able to demand that ISPs, payment processors, and the whole network of services and businesses that support the scareware industry be held to account for the damage they share responsibility for perpetuating.”

Is this (to the chagrin of libertarians) “know your customer?” That links back to issues I have been examining on another blog about consumer identity security (see my Blogger profile).

Sunday, June 06, 2010

Josh Levs on CNN discusses social media (esp. Facebook) security, especially phishing attacks

Josh Levs on CNN (Facebook address link) did a presentation on social media security Sunday morning, apparently inspired by phishing appeals, such as this one “Phishing for the General” in the New York Times, story by Thom Shanker (link). Apparently an imposter has used Gen. Ray Odierno’s Facebook page (link) to create phony offers to get a relative out of a combat zone if you will send “him” money. This is a bit of a surprise, as the Pentagon is supposed to have strict rules on the use of social media just to prevent this sort of thing.

Levs went over the basic security rules for social media, besides understanding the Privacy Settings (which for a site with the “power” of Facebook will always take some effort). One is to use different passwords for different sites (and strong passwords). Another is to be aware of the “context” of emails that appear to be generated by social media sites, especially those that claim “urgency”. Apparently it’s possible for spammers to fake Facebook origination just as they fake banks. Levs also suggested keeping up your security updates on your web browsers, and also said that passwords that require specific security questions (like what your favorite movie is – don’t use the same thing you put on Facebook as your security answer – don’t be too honest, that is) for automated server reset are more secure.

Friday, June 04, 2010

What happens to your quarantine file if you switch anti-virus providers (because your ISP offers the switch for free)?

Here’s a question I wonder about. Many service providers offer customers free anti-virus software. Comcast offers Norton; Bank of America offers McAfee, and Best Buy and Geek Squad vary, going between Webroot and Kaspersky. (BestBuy consistently says that the small anti-virus companies are better.)
But if you switch anti-virus software, what about the old quarantine file? I have four “true viruses” in quarantine on Spysweeper now. Will the new product clean them?

The answers available on the web are underwhelming. I found this forum chat on the problem here, and this account at the University of Missouri about switching from McAfee to Norton, here ("new medicine for your computer").

I also found this posting on how to test your anti-virus software with a “fake virus”, here.

Thoughts anyone?

Update: June 26

Best Buy says that uninstalling the software for a reinstall or for a new antivirus should physically remove the virus-infected files (personal visit).

Later today, Webroot provided this explanation by email:

"If the viruses are in quarantine, then you do not need to worry about them, anything quarantined cannot hurt your computer.

"Once you are sure that the files in quarantine are not false positives, you can clean them out by doing the following.

"On the Home panel click the Manage Quarantine link above the Sweep Now button. You can then put a check mark next to the item you want to permanently delete and then click Delete Selected Items."

It's reasonable that a similar comment applies to other major antivirus vendors (McAfee, Norton, Kaspersky, etc). I'm surprised that little is written about this on the web.

Wednesday, June 02, 2010

Use strong passwords; use sound memory enhancement tips

AOL and walletpop have a piece this morning on how to remember strong passwords. More often, services are encouraging users to change passwords frequently and to use strong ones: at least one lower case letter, at least one upper case, at least one special character, and at least one number. Sometimes successive passwords cannot resemble one another too much. This is particularly true on corporate networks. The link is here.


It’s true that it is easier to remember sequences of numbers than digits one at a time. A healthy brain can memorize about seven characters in one attempt, although remembering them after distraction can be a challenge. Neurologists give tests based on this idea to detect early signs of short term memory loss or dementia.

The article uses “1492” as a sequence that can be remembered easily (since it is the year Columbus arrived). It’s better to use sequences that have personal significance that others are not likely to discover; even use of birthdates carries some risk. Something like the grades you got on your semester exams, for example, may make for a less public sequence for personal memorization. For letters, more obscure characters in books or movies (if they aren’t too well known) might be a good choice. (But don’t use “harry potter” as a pw sequence.)
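As an added example (my own code, not from the AOL/WalletPop article), the following Python function checks a candidate password against the rules this post lists: at least one lower-case letter, one upper-case letter, one digit and one special character, not too similar to the previous password, and not built on a well-known phrase like “harry potter”. The 12-character minimum, the 0.6 similarity cut-off and the tiny phrase list are assumptions; a real deployment would check against a large breached-password list instead of four entries.

```python
import difflib
import string

# Constructed stand-in for a breached/common-password list; the entries are the
# examples the post itself warns about plus two perennial favourites.
COMMON_PHRASES = {"harrypotter", "password", "1492", "letmein"}


def password_problems(candidate, previous=None, min_length=12, max_similarity=0.6):
    """Return a list of reasons the candidate fails; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")

    # Strip case and punctuation first so "Harry-Potter1!" still matches the phrase.
    squashed = "".join(c for c in candidate.lower() if c.isalnum())
    for phrase in COMMON_PHRASES:
        if phrase in squashed:
            problems.append(f"contains well-known phrase '{phrase}'")

    # "Successive passwords cannot resemble one another too much": compare the
    # candidate with the previous password using a sequence-similarity ratio
    # (1.0 = identical). The 0.6 threshold is an assumption.
    if previous is not None:
        ratio = difflib.SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
        if ratio > max_similarity:
            problems.append(f"too similar to previous password (similarity {ratio:.2f})")
    return problems


def is_acceptable(candidate, previous=None):
    return not password_problems(candidate, previous)


if __name__ == "__main__":
    for pw, prev in [("Summer2010!", None),
                     ("Harry-Potter1!", None),
                     ("Blue-Kettle-Hums-42", None),
                     ("Blue-Kettle-Hums-43", "Blue-Kettle-Hums-42")]:
        print(pw, "->", password_problems(pw, prev) or "ok")
```

Note that the character-class rules alone pass “Harry-Potter1!”; it is the phrase check that rejects it, which is the post's point that an obvious phrase dressed up with a digit and a symbol is still a weak choice. Likewise bumping the trailing number of last quarter's password is caught by the similarity test even though every class rule is satisfied.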

Here's a video on memory tips from Illustream, on the "Videopedia". It's called "Make your Memory Mighty". (Sorry, that's not "Shy and Mighty".) The direct link to "5min.com" is here. (For some reason, the provided embed code does not work here in this blog on my network.)

Here's a YouTube video from "How to Improve Memory":