SANS NewsBites | March 25, 2011 | Vol. 13, Num. 024: “SSL Security Compromised…Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates. The certificates vouch for a site’s authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype. Comodo has revoked the stolen certificates.”
Microsoft released an advisory on March 23, 2011 (2524375) noting that the following domains were affected:
- login.yahoo.com (3 certificates)
- addons.mozilla.org (already known from an earlier announcement by Mozilla)
- “Global Trustee”
Now, here’s where it gets interesting. The IP traced to the attacker was that of an Iranian ISP. Think about it. Here’s what Comodo had to say in their blog post:
The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP.
Of course, this could be just that the attacker was laying a false trail, which would be smart, but how about this?
It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.
It’s a Brave New World.
Here are the first five tips from my new work in progress, “101 Internet Security Tips.” These are unedited and I am posting them here to solicit feedback. The book can become a huge tome, or it can be kept small. I would like you to help guide the direction I take. So, here are the first five entries:
1. Activate protection systems.
If your operating system comes standard with a built-in firewall, spam blocker, anti-virus software or other security application, be sure that it's activated. Your Internet service provider may provide an e-mail spam filtering service that should also be turned on.
2. Upgrade your protection.
Using security software won't help if it's not up to date. Be sure that you are using the latest versions of spam, spyware and virus-detection software. The most current software will be ready to handle the most current on-line threats. Also remember to renew subscriptions if the software registration expires at some point.
3. Use anti-virus software.
You should always have anti-virus software on your computer. These programs scan all files that are downloaded from e-mail or opened from the hard drive to ensure that they are safe from malware before use. When these programs detect a virus, they are able to isolate and destroy it so it does not infect your computer.
4. Use anti-spyware programs.
Just like anti-virus programs, spyware protection is also necessary. These programs scan your computer for spyware, browser hijackers and other malicious programs. Both free and commercial anti-spyware products are available.
5. Update automatically.
Set both your operating system and security programs to update automatically. Your virus-detection software needs to adapt as new threats become known. Allowing the software to do automatic updates will ensure that you always have the highest level of protection.
What do you think?
Surprised? You shouldn’t be. This type of thing seems to happen every time there is a major disaster anywhere in the World. We saw it with Katrina, the Indonesian tsunami, and countless others. The slime-bag criminals have no scruples and will take any opportunity to steal a buck from unsuspecting, good-hearted people.
Best thing to do is set up an email filter and send the emails to the junk bin. If one really wants to help, contact the local Red Cross chapter, or other lawful and recognized charitable groups.
At any rate, direct contact with those organizations is your best bet. Consider any email solicitation a scam.
Kaspersky Lab has detected a malicious spam campaign whereby, if someone clicks on the link, the malicious website uses Java exploits to install malicious applications on their machine.
My friend and colleague, Jim, over at Dave’s Computer Tips had this to say in our forum:
DO NOT under any circumstances:
*Follow any Web links included in these e-mail messages.
*Open any attachments or click on photos and videos that claim to show dramatic images or footage of disasters.
*Provide any sensitive information, such as bank account information or credit card details.
ALWAYS ascertain the legitimacy of the email before doing anything; most genuine charities have email addresses which emanate from their own domain and typically direct recipients to their own Web site to make donations… e.g. almost all legitimate charities have a web address that ends with “.org” rather than “.com”. Verify the authenticity of an email by going directly to the charity’s web site or by giving them a call on the telephone.
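The "does the mail point back to the sender's own domain" check Jim describes can be automated. This is an added example, not code from the original post or from Dave's Computer Tips; the two messages are constructed samples, and the last-two-labels domain heuristic is an assumption that is good enough for plain .org/.com hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for illustration (not real mail).
LEGIT = """From: Donations <donate@example-relief.org>
Subject: Help disaster victims

Give at https://www.example-relief.org/donate
"""

SUSPECT = """From: Relief Fund <help@example-relief.org>
Subject: URGENT: disaster appeal

See photos: http://example-relief.org.photos-update.com/view
Donate now: http://198.51.100.23/donate/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host):
    """Crude heuristic (assumption): last two DNS labels, e.g. www.x.org -> x.org."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_mismatches(raw):
    """Return the body URLs whose host is not under the From: address's domain.

    A bare IP address is always flagged; a host like
    example-relief.org.photos-update.com is flagged because its registrable
    domain is photos-update.com, not the sender's example-relief.org.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    body = msg.get_payload()  # non-multipart sample, so this is the text body
    flagged = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IP_RE.match(host) or registrable_domain(host) != sender_domain:
            flagged.append(url)
    return flagged
```

Any non-empty result is a reason to stop and go to the charity's site directly, as the post advises; an empty result is not proof of legitimacy, since a sender address is trivially forged.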
After a good run of more than 5 years, I am shutting down my Ask the Geek website. I received a fair offer for the domain it rests on, kennyhart.com, and have decided to accept it (yes, you read that right–it wasn’t an attempt to scam me). I don’t know exactly when it will be shut down or how it will emerge (if at all) in its new incarnation.
Many times, I have referenced the site here, so if the links are broken, let me know. The new owner intends to set the site up again somewhere and I may be able to redirect the links.
I am NOT giving up on “14 Golden Rules of Computer Security” and will soon also be releasing “101 Internet Security Tips.” The Geek Toolkit is also alive and well and it has been fully updated. If you purchased a copy of it, you already have access to the update and were informed by email.
I am doing this because I have committed to helping expand Dave’s Computer Tips and I think that my time and energy will be better spent working with Dave on this site than it was working on my own. My contract with TechTarget and Security Corner blog will not be affected by this.
As you know, I’m an editor over at Dave’s Computer Tips and have been working with that site for going on four years. We have a forum, of course and this is a relevant thread, more than appropriate for Security Corner:
ozbloke wrote: Does Adobe Flash Player have the worst security record of all time??
Yes, even worse than Microsoft, if that’s even possible…
Has Adobe ever released a version of Flash Player that wasn’t riddled with vulnerabilities??
Not that I know of. I dumped all things Adobe a long time ago. Unfortunately, I can’t function without using the Flash player.
Adobe has just discovered a “critical vulnerability” in its Flash Player that has the potential to cause all kinds of trouble; the flaw could cause a user’s computer or mobile device to crash and, even more concerning, the vulnerability could “potentially allow an attacker to take control of the affected system.”
Not even remotely surprised.
The flaw affects Adobe Flash Player 10.2.152.33 and earlier versions of the platform running on every major operating system, including Windows, Macintosh, Linux, and Solaris. It’s also an issue on Android devices running Flash 10.1 and earlier. To date, Adobe has discovered that the vulnerability is being exploited in Flash files, as well as through Microsoft Excel, but the issue hasn’t affected Reader or Acrobat.
Don’t get me started about Reader and Acrobat. Two of the crappiest programs ever made, if you ask me.
According to reports, Adobe plans to release a fix for the vulnerability sometime next week. Until then, the company has warned users to “follow security best practices by keeping their anti-malware software and definitions up to date.”………no sh*t Sherlock!!
Ya think?
Roll on HTML5!!!
It’s really unacceptable and unfortunate that Adobe has managed to get itself into a position of being the “standard” for Flash. We need a change, don’t we?
Got this email a couple of days ago. I was going to delete it, but somehow it looked legitimate:
I'm interested in purchasing kennyhart.com. I'd likely be able to pay in the $200 - $700 range for it. Let me know whether or not you are open to hearing a formal offer.
Now, that seemed right in the range of what I know the domain is probably worth, so I answered the email:
Sure. I was thinking about flipping it and my website. Let me know what you have in mind.
To which I received this reply back:
Thanks for getting back to me. I can offer you $xxx for KennyHart.com and all associated content. Let me know if you are interested and we can get the ball rolling on the transfer.
I wrote back and told him I was up for it. The offer was a fair one and I was ready to accept it. He wrote back with this:
Great. The easiest way to send the payment will be paypal. Do you have a paypal account?
Something felt a little odd that this was going so quickly and way too easy, but since I have PayPal locked down with 2-factor authentication, I wasn’t too worried about getting hacked. Still, I had to ask a simple question, so I replied with this:
I have PayPal. The PayPal email address is email@example.com. Please clarify what you mean by "all associated content." I assume you mean the content at Ask the Geek and Singing Songwriter web sites. The writer website has no content at this time and copyright for my original music is not subject to transfer, as I do not own 100% of the songs.
No reply. No payment. Nothing. It just stopped dead. As it stands right now, I believe it’s possible that I was targeted with a manual phishing attempt. It’s either that, or he decided my terms were a deal killer. Like I said, it appeared to be legitimate. He does have a website posted that solicits people to sell him their sites.
What could someone do with my PayPal email address? Attempt a brute force attack on my password, that’s what. Though that would never work because of the 2-factor requirement.
I’ll probably never know.
1. Is your car parked, empty, in the driveway right now with its engine on?
2. Is your shower, with no one in it, running?
3. Is your stove, with nothing cooking on it, turned on?
4. Is your attic light on 24/7?
I’m fairly sure that you answered “no” to all of these questions. It just doesn’t make sense to leave something on if you’re not using it. All this does is run up your electric bill for nothing, right?
Then why would you want to leave your PC on 24/7? If your PC has been compromised and is a member of one of the major spam zombie botnets, chances are that you’re spewing spam in a constant stream.
Do us all a favor and use your index finger to switch it off when you’re not using it. If you do nothing else to clean it up, just shutting down the PC if it’s not being used would cut spam volume significantly.
Do you agree or disagree? Hit the comments and put in your two cents.
I just acquired Private Label Rights to an interesting series of media presentations called 101 Internet Security Tips. Because I am constantly faced with the necessity to educate people on security, I thought this would be a good starting point for a useful reference. [Private Label Rights, called "PLR" in Internet marketing circles, is a license granted by the original creator of the material that essentially gives the purchaser the right to do what he will with the material within the license terms. -Ed.]
After I read the entire report, I realized that I would have to bring it up to present time and expand upon the material given to include links to further reference materials and relevant products and utilities. This is typical for most PLR products–you have a framework of ideas, but it’s up to you as editor to develop them into a comprehensive and coherent end product. Moreover, one who is particularly well versed in the subject material will often find misconceptions and errors introduced by the original creator. Nevertheless, 101 Internet Security Tips is good information, even in its raw form.
So, let me present the raw introduction for your comment. Remember this because I plan to post excerpts, including the revised and updated version, in future posts.
Using the Internet for business and leisure is a necessity in today’s world. As the technology that allows you to work more efficiently on-line increases, the techniques used by Internet criminals also adapt. While some on-line crimes are perpetrated only for the criminal to exert power by making your life miserable through damaging your computer, identity theft is a main focus for most Internet thieves. In addition to identity theft threats from hackers, computers can fall victim to viruses, spyware and phishing programs from Internet misuse. While you may think that high-profile or wealthy individuals are the common targets, most hackers are looking for any easy opportunity. The easiest opportunity, of course, is an unprotected computer. Your computer holds all of your most private personal and financial information, so proper security is a must to keep you and your files safe.
Unless you absolutely need Java, get rid of it. At the very least, update it. Here’s Steve Gibson of Security Now!
So the only real big news is that anyone who is still using or needs to use Java on their system needs to update it. It was just moved by Oracle/Sun, a major update from them, to Java 6 Update 24. It fixed a large collection of vulnerabilities, in total 21, 19 of which can be used to remotely install malicious software. So it’s important. And I did get a kick out of seeing now sort of the wisdom out there, I was reading other people saying, you know, since Java seems to be having so many problems now, and it’s surpassed Adobe in vulnerabilities and exploits, removing it, unless it’s needed, would probably be a good idea. And I’m thinking, hmm, where have we heard that before?
I still need it for some things, so I updated it. And to think I was going to study Java programming…
Things change so quickly in this arena, it’s hard to keep up!