Tuesday, May 31, 2011

Webroot produces video on firewalls

On Monday Webroot tweeted that it had produced a 4-minute YouTube video, “Webroot Threat Reply: Firewalls” (actually the word "Threat" is spelled "Thre@t"), with Armando Orozco, directed by Andrew Brandt.

The video makes the point that additional vendor firewalls (above the level provided by Windows Vista and 7) prevent outside Internet contacts from using authorized programs on your computer. It’s normal to want your browser to have access to most executable applications, but not to want other programs to.

The video also shows Webroot’s headquarters on the plains near Denver. It also draws a physical analogy, through animation, to medieval moats and castle walls.

Tuesday, May 24, 2011

The low-down on Mac security is crawling out of the woodwork

PCWorld and InfoWorld have a story by Robert Grimes assessing the situation with malware and Mac OS X, here. There is a general feeling that Apple’s “sudo” approach to privileges makes it a less easy target than Microsoft’s UAC (user account control) concept.

There was also a major story in Computerworld by Greg Keiser about fake anti-virus software for the Mac, here. When I bought the MacBook in February, I did pick up a Norton Security Suite, but I haven’t installed it yet. I haven’t really used the Mac that much, so I ought to get with it. I will report on it soon.

Many of the security concerns have to do with phishing and sites with poor reputations, which could affect either platform. And now we have a new topic, which doesn't even require your PC to be on: home router safety.

Update May 25:

Yahoo! has a news story saying that Apple will soon release patches to OS X "feline" operating systems to deal with MacDefender. The link from Digital Trends is here. This story will surely develop further.

Thursday, May 19, 2011

Windows 7 hibernation and security

I noticed something interesting about Windows 7 today. I left the computer idle for a while, and when CNN tried to reload a webpage, it said “network access suspended” because of hibernation.

I’ve never seen that before. Usually, when I come back to the computer and unlock it, all websites (such as Weather channel animated storm maps) are current.

But it is safer that it behaves this way. It could prevent malware from being loaded. Maybe this is a function of Webroot and not of the Windows 7 firewall; I'm not sure.

Tuesday, May 17, 2011

Some corporate Facebook accounts take users out of https

Today, I logged onto Facebook in the normal way with https, and when I searched for an insurance company, its Facebook site insisted on logging me out of https, promising I would go back to https after leaving. I did so. But the next time I went to Facebook, it defaulted to http. No problem, I can still key in https. But I wonder why companies don’t want https for their Facebook accounts.

I have also not been able to make automatic https work for Twitter. I have to key it in. 

Saturday, May 14, 2011

White paper discusses how "crimeware" works

There is a white paper by Gunter Ollmann, VP of Research at Damballa, “Behind Today’s Crimeware Installation Lifecycle: How Advanced Malware Persists to Remain Stealthy and Persistent”, link here.

Ollmann discusses “droppers” and “downloaders”, their ability to disable anti-virus programs and run at the command of master servers, often to participate in DoS attacks. The packages are “rented” by criminals from the “authors”, and activated by CnC (command and control) orders. They may send personal information to organized crime even when disabled by home or business users.

As with wireless wardriving of routers (which does not happen on your computer and is not affected by antivirus software), the issue raises questions about whether users could come to be viewed as liable for allowing their machines to be used for criminal purposes, inviting lawsuits and visits from police, often on legally incorrect grounds. Of course, there is “plausible deniability”.

New computer warranties may not cover covert virus infection, and many services will not remove viruses without wiping out hard drives.

CircleID has an introduction page for the story, here.

The summary story was tweeted by Webroot. 

Wednesday, May 11, 2011

AOL on "why do I get spam from myself?" You don't

AOL has a useful article this morning, “Why am I getting spam from myself?” You aren’t; and after all these years, the email industry still doesn’t have a consistent Sender-ID technology, which was proposed eight or so years ago.

Email sender spoofing is convenient and seemingly legitimate, as in sites that let you send reminders to yourself and let you fill in your email ID as the sender.

The link for the article is here.

It points out that when you report email bearing your address as sender as spam, you are not “reporting yourself” or incriminating yourself.

It also recommends removing your own email address from your address book.
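Since the From header can be filled in freely, the only way a mail filter can tell a genuine note-to-self from a spoofed one is to look at what the receiving server recorded about the envelope sender and its SPF check. The following is an added example, not from the AOL article or from this blog; the message texts are constructed samples, and the simple substring check for "spf=pass" in the Authentication-Results header is an assumption that stands in for a real authentication parser.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1: From header claims to be the recipient herself,
# but the envelope sender is a third-party mailer and SPF failed.
RAW_SELF_SPOOF = b"""Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net
From: Alice <alice@example.com>
To: alice@example.com
Subject: Your account needs attention

Click here.
"""

# Constructed sample 2: a real reminder-to-self sent through the user's own
# provider, so envelope sender and From agree and SPF passed.
RAW_LEGIT_SELF = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: Reminder to self

Buy milk.
"""


def classify_self_sender(raw_message: bytes, my_address: str) -> str:
    """Return 'not-from-self', 'genuine-self' or 'spoofed-self'.

    Only messages whose From header equals my_address are of interest;
    for those, the envelope sender (Return-Path) and the receiving
    server's SPF verdict decide whether the self-addressed mail is genuine.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, header_from = parseaddr(msg.get("From", ""))
    if header_from.lower() != my_address.lower():
        return "not-from-self"

    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth_results = msg.get("Authentication-Results", "").lower()
    spf_passed = "spf=pass" in auth_results          # assumption: simplified check
    envelope_matches = return_path.lower() == my_address.lower()

    if spf_passed and envelope_matches:
        return "genuine-self"
    return "spoofed-self"
```

A filter built this way flags the spoofed message without ever treating the user's own address as the culprit, which is the article's point about not "reporting yourself".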

Thursday, May 05, 2011

FBI warns of viruses purporting to show pictures of Osama bin Laden; "Blackhole" exploit may be involved

The FBI is warning home computer users about the circulation of computer viruses, worms and Trojans purporting to contain images or videos of Osama bin Laden’s corpse; most or all are likely to include malware. The FBI blog link is here.

The FBI blog entry (May 3) focuses on emails with links and attachments. It also mentions firewalls and the importance of website owners being wary of how others are allowed to update content on their sites (with comments, forum postings, blog postings, and the like), or of the possibility of compromise of their social media sites. The posting doesn’t discuss the adequacy of Windows’s own firewall (in XP, Vista, or W7).

Shashank Shekhar has a story in “Mid-Day”, “Steer clear of ‘Osama’ virus”, link here.

The story discusses Kaspersky Lab's investigation (I expect to see tweets from Webroot soon), and mentions the possibility that the blog of the person in Pakistan who live-tweeted the raid, Sohaib Athar (“@ReallyVirtual” on Twitter), may have been compromised with the “Blackhole exploit kit”, and that visitors to his site early Monday may have been silently infected. However, I just checked the “reputation” of the site in Google through Firefox 4 and it still gets a green light from McAfee SiteAdvisor and MyWOT.

There is a discussion (Feb. 2011) of Blackhole on Websense here.

The Tech Herald has a story by Steve Ragan about an infection of the United States Postal Service (USPS) Rapid Information Bulletin Board System (RIBBS) by the Blackhole exploit kit, here. Apparently a similar infection of the Houston International Film Festival site took place.

It’s not clear what the virus would do on “ordinary” sites; it might not be noticeable. Apparently many AV programs have not been able to detect it on home or small business machines, and its scope may be limited.

Wednesday, May 04, 2011

IBM publishes white paper on website and web application security for (small) business

IBM has published, through TechRepublic, a brief white paper, “An Executive’s Guide to Web Application Security”. You can download it from (url) here, free, but you may have to fill out a survey.

Generally, the paper says that most corporate applications have vulnerabilities in several areas, including the SQL databases themselves (injection attacks), cross-site scripting, “cookie poisoning” (which could compromise visitor or consumer locational privacy and even PII), and parameter tampering.

Some of the vulnerabilities result from “unsafe code”, and others may result from less-than-airtight procedures for deploying web applications to production (the latter well known from the mainframe world).
Small businesses, many of which may hire contractors to write the applications that deal directly with consumer interfaces, need to be wary as well.

Monday, May 02, 2011

"MS Removal Tool" or "AntiVirus 2011" can be particularly dangerous ransomware; discussion of Malware Bytes

James Derk has an important article, “Virus helps scammers get credit-card data”, syndicated by Scripps Howard and printed recently in many newspapers (p. D7, May 2, in the Richmond Times-Dispatch, for example). Here is an original link. A symptom of infection is a sudden change in desktop background and a popup.

He discusses a particularly disturbing rogue or ransomware virus which locks up your computer (called “MS Removal Tool”, “AntiVirus 2011” or “Tool 2011”) and demands that you enter a credit card number to activate it. It also disables your anti-virus software. He suggests that the victim look (on another computer) for a product activation code for it on the Web and enter the code as if you had really purchased it. He also recommends a product called “Malware Bytes” (website link).

Here is another writeup on the virus. Not all versions of the virus completely lock up your computer. This writeup also discusses Malware Bytes.

One time a couple of weeks ago, a picture that I had taken and clicked on in Explorer became my desktop background (in W7), but I just changed it back and nothing else happened. Webroot showed no infection.