Friday, February 24, 2012

Signature data files no longer represent an adequate anti-virus strategy

Webroot has a recent security blog posting discussing the increasing difficulty anti-virus companies have keeping up with threats using virus signature files alone.  Most computer users notice, with some annoyance, that their security vendors now often replace entire scanning engines, with longer downloads, restarts and possible interruptions of use.

Webroot calls the newer techniques “dumping the barrel upside down”, focusing on application behaviors rather than just signatures.

The link is here.

Thursday, February 23, 2012

Trojan has compromised DNS resolution for perhaps millions of home users; the "Ghost Click" botnet operation; more on "walled gardens"

Dan Goodin has a story in Ars Technica reporting that about half a million home users have been infected with a botnet Trojan that hijacked their DNS resolution, pointing their machines at rogue DNS servers. In March they will lose normal Internet access unless a judge allows a California non-profit to continue operating the replacement domain name servers; story here.

The FBI seized over 100 rogue servers under “Operation Ghost Click”, but the government allowed a temporary bridge to be built (clean DNS servers answering in place of the rogue ones) so that infected computers would still have Internet access.

The government may encourage setting up a “walled garden” to which infected machines would be directed.
There’s a tangentially related article in Information Week on Apple’s approach to “walled gardens” with the iPhone, arguing that it isn’t as secure as it sounds. The author goes on to discuss the advantages of “jailbreaking” anyway, here.

A major weakness in the DNS system (the cache-poisoning flaw) was discovered in 2008 and discussed on my "id security" blog in August 2008.

Update: Feb. 24

A judge has allowed the DNS Bridge to operate until July 9, IT News story here.

The original story of the FBI's "Ghost Click" botnet takedown appeared in Computer World in November 2011, here.

Wednesday, February 22, 2012

Kaspersky warns of an "Iframe.yi" trojan

This morning, an older XP machine with Kaspersky from 2009 gave a warning about “Trojan.JS.Iframe.yi” on a blog displaying ads, which came from places appearing to be normally reputable.

The same site (and ads) did not give the warning on a nearby Windows 7 machine with Webroot, and has not on an Apple Mac with Norton.

I could not find much information on it.  There is a forum which suggests that it is a script which helps certain kinds of graphics load faster (link). 

Here is Kaspersky’s description (from its Australian site), link.  The item seems to date from 2009.

Update: June 14, 2012

There is a blogspot discussion, too, here.  This item seems to be code that affects the loading of a webpage and may send you to a lynktracker product which advertisers use to count visits.  It's unclear at this point why Kaspersky and some other vendors view this as dangerous.  I am talking to Geek Squad about it now. 
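Detections in the "Trojan.JS.Iframe" family generally refer to page script that inserts an iframe the visitor never sees (zero-size, hidden by style, or positioned off-screen) to pull in a third-party page. The following is an added example, not code from the original post, Kaspersky, or the forum thread: a scanner over raw HTML that flags such frames, so a page owner can check what an ad slot actually delivered. The HTML sample and hostnames are constructed, and the match criteria are this example's own assumptions about what "suspicious" means.

```javascript
// Added example (not from the original post): flag <iframe> tags that are
// hidden or shrunk to nothing. Plain string scanning, so it runs in Node
// without a DOM; the sample HTML and hostnames below are constructed.

// Pull one attribute value out of a tag's attribute string (quoted or bare).
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// A width/height of 0 or 1 pixel is the classic tracking/injection frame size.
function isTiny(v) {
  if (v === null) return false;
  const n = parseInt(v, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Return one finding per iframe that a user could not see.
function suspiciousIframes(html) {
  const iframeRe = /<iframe\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    // Normalise the style attribute: lowercase, whitespace stripped.
    const style = (attr(attrs, 'style') || '').toLowerCase().replace(/\s+/g, '');
    const reasons = [];
    if (isTiny(attr(attrs, 'width')) || isTiny(attr(attrs, 'height'))) reasons.push('zero-size');
    if (/width:[01]px|height:[01]px/.test(style)) reasons.push('zero-size-style');
    if (/display:none|visibility:hidden/.test(style)) reasons.push('hidden-by-style');
    if (/(?:top|left):-\d{3,}/.test(style)) reasons.push('off-screen');
    if (reasons.length) hits.push({ src: attr(attrs, 'src'), reasons });
  }
  return hits;
}

// Constructed page: one ordinary ad frame and two frames a visitor never sees.
const SAMPLE_HTML = `
<html><body>
<p>Sponsored content</p>
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://tracker.example/c.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://redirect.example/x" style="position:absolute; top:-9999px; left:-9999px"></iframe>
</body></html>`;

console.log(suspiciousIframes(SAMPLE_HTML));
```

Run it with `node` and the visible 300x250 banner is passed over while the 1x1 hidden frame and the off-screen frame are reported with the reason each tripped. A hit is not proof of malice (some analytics beacons look exactly like this), but the `src` of every hit is what to look up before deciding whether the warning was a false positive.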

Friday, February 17, 2012

Safari's anti-tracking default does have a loophole

The Wall Street Journal reported Friday (Feb. 17) that Google used a “back door” to get around Safari’s default anti-tracking setting in some situations. WSJ offers a video, and Wired offers a technical explanation here, using a fun metaphor of the "hand in the cookie jar".

Much of this stems from the fact that Safari is the only major browser to block third-party cookies by default.  But the policy has a “loophole”: it allows a third party to set cookies if the user appears to be submitting a form to it, and the tracking code submitted such a form from an invisible frame without any user action.  Safari is dominant in the mobile world but has only about 6% of the desktop market.

Is this of practical importance?  Probably not to most users, but any security hole could be exploited against a party that someone wants to target.  So to a small minority of users the loophole on desktops might be significant.

Some media reports say that the problem has affected only iPhone users, but they also point out that there is still no comprehensive federal Internet privacy law. 
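To make the loophole concrete, here is an added toy model (not code from WSJ, Wired or Google) of the two rules involved: Safari's default accepted a cookie only from the page's own domain or from a third party that already had a cookie, plus the exception for responses to form submissions. The hostnames and the `CookieJar` class are constructed for this illustration, and the rules are this example's reading of the reporting rather than WebKit's actual code.

```javascript
// Added example: a model of Safari's 2012-era third-party cookie policy and the
// form-submission exception. Hostnames are constructed; the rules are a
// simplification of the reported behaviour, not WebKit source.
class CookieJar {
  constructor() { this.jar = new Map(); } // host -> Map(name -> value)

  has(host) { return this.jar.has(host) && this.jar.get(host).size > 0; }

  // Decide whether a Set-Cookie from `host` is honoured.
  // ctx.topHost: the site the user actually navigated to.
  // ctx.viaFormSubmit: the response answers a form POST, which the old
  // policy treated like a visit to that host.
  accept(host, name, value, ctx) {
    const firstParty = host === ctx.topHost;
    const allowed = firstParty || this.has(host) || Boolean(ctx.viaFormSubmit);
    if (!allowed) return false;
    if (!this.jar.has(host)) this.jar.set(host, new Map());
    this.jar.get(host).set(name, value);
    return true;
  }
}

// Walk through the sequence the articles describe and report each decision.
function demo() {
  const jar = new CookieJar();
  const page = { topHost: 'news.example' };
  const decisions = [];
  // 1. A plain third-party ad request tries to set a cookie: blocked by default.
  decisions.push(jar.accept('ads.example', 'id', 'abc', page));
  // 2. A hidden iframe auto-submits a form to the third party: the exception
  //    lets the first cookie through.
  decisions.push(jar.accept('ads.example', 'id', 'abc', { ...page, viaFormSubmit: true }));
  // 3. The third party now "already has a cookie", so ordinary requests from
  //    it are accepted from here on, on every page that embeds it.
  decisions.push(jar.accept('ads.example', 'track', 'xyz', page));
  return decisions;
}

console.log(demo());
```

The point the model makes is that the exception was not a one-off: once the first cookie lands, the "already has a cookie" rule keeps the door open, which is why a single invisible form submission was enough to enable ongoing tracking.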

I had some trouble with Safari recently on my MacBook because of a bad gadget in one blog (which would cause Safari to freeze and have to be stopped, with dump).  An upgrade to a new release fixed it (just resetting Safari didn’t).  The problem did not occur on Windows, but Kaspersky had given a warning about the gadget (McAfee and Webroot had not).

I also have Safari on one Windows machine, and it is faster than Firefox or IE, about like Chrome. 

(Pictures: had an upload problem today, now seems fixed.  I also had a problem when a cleaning service cleaned the stove.  It didn't work.  I had to read the manual and figure it out.  Took 20 minutes.)

Don't be evil!

Saturday, February 11, 2012

The "weaknesses" of https; company offers trial of VPN

It had to happen.  Someone has written an article on why you can’t rely on https.

Some sites use HTTPS only for the log-in page.  Once past log-in, the session cookie travels in the clear, and an attacker on the same wireless network with a tool like Firesheep can copy it and take over the session.

The article says HTTPS itself can be broken, but not easily by the uninitiated. I guess hackers have their own rites of passage and “tribunals”.

HTTPS also depends on the certificate-authority system, and a careless or compromised certificate authority can issue a certificate that lets an attacker impersonate a site.
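The two server-side settings that decide whether the Firesheep scenario above works are the cookie flags and the HSTS header, and both are visible in a site's response headers. The following is an added example, not code from the article or from Private WiFi: an audit over a captured set of response headers that reports session cookies missing the `Secure` flag (such cookies are also sent on later plain-HTTP requests, which is what a sniffer on shared Wi-Fi collects) and a missing `Strict-Transport-Security` header (without it the browser will follow http:// links to the site at all). The header sets are constructed.

```javascript
// Added example (not from the article): audit response headers for the
// weaknesses that let a same-network sniffer hijack a session after an
// HTTPS-only log-in. The header samples below are constructed.

// Parse one Set-Cookie value into the parts the audit cares about.
function parseSetCookie(line) {
  const [nv, ...attrs] = line.split(';').map(s => s.trim());
  const eq = nv.indexOf('=');
  const name = eq >= 0 ? nv.slice(0, eq) : nv;
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return { name, secure: flags.has('secure'), httpOnly: flags.has('httponly') };
}

// headers: array of [name, value] pairs as the server sent them.
// Returns a list of human-readable findings; empty means nothing flagged.
function auditHeaders(headers) {
  const findings = [];
  let hsts = false;
  for (const [name, value] of headers) {
    const h = name.toLowerCase();
    if (h === 'set-cookie') {
      const c = parseSetCookie(value);
      if (!c.secure) findings.push(`cookie ${c.name} lacks Secure: also sent over plain HTTP`);
      if (!c.httpOnly) findings.push(`cookie ${c.name} lacks HttpOnly: readable by page scripts`);
    } else if (h === 'strict-transport-security') {
      hsts = true;
    }
  }
  if (!hsts) findings.push('no Strict-Transport-Security: browser may fall back to http://');
  return findings;
}

// Constructed samples: a site that encrypts only the log-in, and one that
// keeps the session on HTTPS afterwards.
const WEAK = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'sessionid=9f1c3; Path=/'],
];
const HARDENED = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'sessionid=9f1c3; Path=/; Secure; HttpOnly'],
  ['Strict-Transport-Security', 'max-age=31536000; includeSubDomains'],
];

console.log('weak:', auditHeaders(WEAK));
console.log('hardened:', auditHeaders(HARDENED));
```

Feed it the headers from `curl -sI https://example` (split on `: `) and an empty result means the session cookie cannot be captured by the Firesheep technique; it says nothing about the certificate problem, which is a separate check.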

I’ve used it in motels with no problems (with motel WiFi).  But I prefer to use my secure Verizon MiFi card most of the time.  It’s fast enough for blogging and email.   The best hotels (like a Holiday Inn Express I used in NYC's Chelsea area) have a hard-wired cable for Internet. 

The authors recommend use of a personal VPN, their own product “Private WiFi”.    I cannot speak for it personally, but the site offers a “free trial”.

The main article (indirectly tweeted by Webroot recently) is here

Electronic Frontier Foundation transmits all of its content under https without requiring a logon. I’m not sure this is necessary. 

I do think that these days smaller business sites will consider outsourcing their credit card processing so they don’t have to require logons or keep information. 

Wednesday, February 08, 2012

Zuckerberg's "endorsement" of Romney was a real accident, not a hack; but web visitors should be wary when they see something like this

So, Mark Zuckerberg’s “unusual” endorsement of Mitt Romney last night (with a Facebook “like”) was not the result of hackers. It was just a “simple mistake” and a subtle programming issue within Facebook.  Gawker has an explanation here. Zuckerberg was trying to “like” a post on Slate’s FB page by Farhad Manjoo (here, and it’s funny). Okay, I didn’t click on the Mitt Romney domain because I was “suspicious”.  Should I have been?  Probably.  False alarms don't mean you don't have to be careful; they just lower the guard for the next problem.  Nevertheless, I had already tweeted Webroot about the "problem" before I saw Gawker's explanation.

A CEO of a service provider probably would not endorse a specific political candidate.  But this “endorsement” almost seemed reasonable.  After all, Romney is perceived as pro-business but moderate (despite his religious background) on social issues, perhaps almost liberal on some.   And Romney, like Zuckerberg, understands money unusually well.  They have some things in common.

An amusing coincidence was that Romney lost all three primaries/caucuses to Rick Santorum last night, and Santorum is socially conservative.  I wondered if there was a hidden message.

But, if you see a post on a major site from the owners of the site that does not look reasonable, you probably should beware.  It could be a hack.

I often get spam from “AOL customer service” on my AOL account, without the blue official signal.  I don’t know why AOL doesn’t catch it.

Picture: My AOL spam file.  

Thursday, February 02, 2012

Security experts give advice on preventing domain name hijacking

Webroot has tweeted the location of an “IT News” story by Meridith Levinson, “4 Ways to Prevent Domain Name Hijacking”, link here.

The recommendations apply more to enterprises than to small businesses or individuals.  It is a good idea to use an “enterprise-class registrar” (the best known is Network Solutions in northern VA) and, for a smaller business, shared web hosting, or at least professionally assisted secure hosting (for example Verio, also in northern VA and Colorado).

The book that I just reviewed on my book reviews blog (Jan. 28) by Torrenzano and Davis, “Digital Assassination”, warned ordinary users about the risk of letting their credit cards expire just before their automated domain-name renewals come up, and recommended private registration if possible. Check your account occasionally.

Levinson tells the story of the hacking of Coach’s site and its redirection to the “hacktivist” UGNazi site.  Coach was supposedly targeted for supporting SOPA (discussed on my main blog); the company backed the bill because many of its products are heavily counterfeited, while the attackers acted for “political motives” only.

SOPA and Protect-IP have both detriments and benefits for online security, depending on how you look at things. Of course, meddling with the DNS mechanism itself would be dangerous, and invite another crisis like the one that led to an emergency meeting at Microsoft in the summer of 2008. The Obama administration has heavily opposed proposals to force redirection from domain names.

The article also recommends getting DNS Security Extensions (DNSSEC) from your registrar.  DNSSEC lets a validating resolver check that the answer for your domain was signed by the zone’s owner, so a forged or poisoned answer is rejected; it does not help a visitor whose own resolver has already been replaced by malware, as with the DNS-hijacking trojan discussed above (Feb. 23), because that resolver simply lies.   The website is here, and we'll come back to this later.