Security Corner


August 28, 2010  2:48 AM

Ten Web Browsing Myths – Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

Sophos recently issued a whitepaper called “The 10 Myths of Safe Web Browsing.” It covers everything I have been saying to my clients all along.

The problem with security is often one of complacency (see Why People Are Complacent About Security); no visible infections or problems are manifest, so as far as anyone knows, nothing is wrong. Truth is, nothing could be further from the truth. Most infections these days are invisible. Look at this way: Burglars don’t want to be detected. The vast majority of malware these days is designed to steal valuable information and the more it can get, the better. The crackers don’t want you to know they are stealing your stuff–cuts into their profits–so the malware is very stealthy.

What follows in two parts is my commentary on Sophos’ myths.

Myth #1: The web is safe because I’ve never been infected by malware. Yeah, right. That’s the same illogic as “I’ve never been sick, so I don’t need to live a healthy lifestyle.” Sooner or later, it catches up to you. There are many examples of perfectly healthy athletic individuals collapsing while doing their exercise routines. Likewise, people don’t know their computers have been infected with malware until their bank account balance goes to zero or their credit cards get maxed out.

Myth #2:  My users aren’t wasting time surfing inappropriate content. Wanna bet? I’m not going to give specifics here, but I have seen firsthand that nearly half of the users in any given organization have accessed inappropriate content. Without adequate web filters in place, you just don’t know about it. One organization I worked for had excellent web filtering and still failed to spot a third of the inappropriate content being accessed by its employees.

Myth #3: We control web usage and our users can’t get around our policy. Good luck with that. All you have to do is search for “bypass web filter” to find that you’re really up against the wall. According to Sophos, “Anonymizing proxies make it easy for employees to circumvent your web iltering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike.  Hundreds of new anonymizing proxies are published daily. . .”

Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous. Yeah? Well, don’t tell my wife, but I’ve tested this myth on a PC with no antivirus and no antimalware protection with no hardware or software firewall. After a surfing session of more than 50 “dodgy” sites, I ran a malware scan and found nothing more than cookies and a small adware application. The truth is, “Hijacked trusted sites represent more than 83% of malware hosting sites,” according to Sophos. Makes sense, though, doesn’t it? It’s part of the overall deception. What better site to infect than one that is “trusted.” The best double agents are trusted by both sides, aren’t they?

Myth #5:  Only naive users get infected with malware and viruses. Another illogical statement. Naivete has nothing to do with it. “Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have,” says Sophos. “The fact is, if you are visiting sites on the internet, you are at risk.” I recently found some suspicious files on my machine during a routine scan. I have no idea where they came from; they hadn’t been executed. The fact is, I’m not even close to being a “naive” user. I must have gotten the files during a download.

We’ll cover download infections and more in Part 2.

August 25, 2010  11:59 PM

Forty-Six Percent of SMBs Have Been Infected by Internet Threats

Ken Harthun Ken Harthun Profile: Ken Harthun

Panda’s PR department sent me the following yesterday:

Panda Security, the Cloud Security Company, today announced the results of the United States edition of its second annual International Barometer of Security at small- and medium-sized businesses (SMBs). The study, which surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States, revealed that 46 percent of U.S. SMBs have fallen victim to cybercrime, up two percent from last year’s survey.

The 2010 survey revealed there has been little to no improvement from last year in SMBs using industry standard protection methods. Thirty-one percent of businesses are operating without anti-spam, 23 percent have no anti-spyware and 15 percent have no firewall.

“Many SMBs simply don’t have the resources in terms of budget, time and human capital to devote to protecting their computers and sensitive data,” said Sean-Paul Correll, threat researcher at PandaLabs. “The study results are proof that IT service providers and vendors have an important role to play in educating small businesses on threats, and helping them determine the best way to protect themselves.”

No question there; I’m in a constant dialogue with my clients about security. In fact, I’m conducting a web chat this evening on that very subject. The problem is that people either don’t listen, don’t get it, or a combination of both. Witness these statistics from the report:

- The infection ratio at U.S. companies has slightly increased since last year (46 percent in 2010 compared to 44 percent in 2009). It has dropped in Europe (49 percent in 2010 compared to 58 percent in 2009);

– U.S. SMBs named the Internet and USBs/external memory devices as the top methods for computer infections to enter the company (32 percent). E-mail (21 percent) and downloads/P2P (14 percent) were the other popular infection points;

– Viruses are the most popular threat SMBs are encountering (45 percent), followed by spyware (23 percent).

We have our work cut out for us, fellow security wonks!


August 25, 2010  1:18 AM

Skype Phishing Attempts and Account Hacking – Part 2

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

The news today is not good for many of those who have had their Skype accounts hacked. As part of my investigation in one wave of Skype phishing attempts, which I detailed in Skype Phishing Attempts and Account Hacking – Part 1, I attempted to recover a Skype ID. I was not successful for the test account (thanks again to my friend Allen D. for his help). Apparently, if you have never bought any credits from Skype–in essence, making you a “free” member–they don’t extend to you the ability to recover your password. So, if you get hacked, the hacker pwns your Skype ID forever. Not good, especially if you have used your real name (many people use IDs like mine: ken.harthun1). Fortunately, since I use Skype credits for regular calling, I have full access to the recovery features. I subscribe to the plan that allows me unlimited calls to regular phones in the U.S. and Canada. This costs $8.40 quarterly. I consider that cheap insurance.

Besides purchasing something at least once from Skype, there are other steps you must take for maximum security and “recoverability.” Here they are.

1. Sign up for a Gmail account and secure it with at least a 10-character RANDOM password. I’m talking like gtJ62kl9xL or something similar. Yes, you really need to do that.

2. Use the Gmail account to sign up for your Skype account and then don’t use it for anything else.

3. Use a 10-character RANDOM password when you sign up for your Skype accounts.

4. Use something other than your real name for your PUBLIC Skype ID; i.e., don’t use joe.blow, use jblow2341 or something of the sort. You can set up a second PRIVATE Skype ID with your real name.

5. Use the PUBLIC Skype ID for rooms, forums and chat; reserve the PRIVATE Skype ID for trusted contacts only.

6. If you have a PayPal account and don’t already have the PayPal Security Key, get one immediatley. The PayPal Security Key creates random temporary security codes that help safeguard your PayPal account when you log in. If a hacker ever gets your PayPal information, they won’t be able to log in without the security key. This is important if you plan to use PayPal for purchasing any credits on Skype.

7. For both your PUBLIC and PRIVATE Skype IDs, immediately purchase Skype credits or subscribe to a calling plan so you have a purchase record/history with Skype. Use PayPal or a credit card. The reason you want to do this is so that you have information that identifies you without a doubt–information that the hacker won’t have. You don’t have to make ongoing purchases, just a one-time purchase.

8. As soon as the purchase has been completed, immediately delete your stored payment details under the Settings and Extras section in each account. This prevents a hacker from getting any sensitive information.

If you do these things, you will have a verifiable identity with Skype because you will have information that only you know. If your account is ever hacked, you will be able to provide this information to verify your identity and reset your password; otherwise, you’re at the mercy of Skype’s support to recover your identity and you may or may not be able to do that. In any event, it will be an ordeal.

One more thing: Never click on any link anyone sends you asking you to log into Skype. This is especially true for one that does not begin with https:// and end with skype.com. Anything else is suspect.

Questions welcome here, or via Skype @ken.harthun1.

Be safe.


August 23, 2010  1:46 AM

Skype Phishing Attempts and Account Hacking – Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

Friend of mine got this message the other day, purportedly from someone they knew:

hey how are you

http://www.skype.com.betta.prod.bz/?id=79826&lc=us

sign in there to can see it
this is my page contains my pictures videos of my family....
i like you to see now for me
if you had ot the time take just a look

Do I have to say what happened next? I didn’t think so. I sandboxed my browser and hopped over to take a look at the page source.

My friend was taken to a fake Skype login page that was an exact copy of the real thing. In fact, everything worked exactly like the real Skype login page because all the links, etc. were correct. However, the username and password fields were actually inputs to a script that sent the information to the hackers.

Once the hackers had her password, they logged into her Skype account, changed the password and sent the link to everyone on her contact list. Of course, other people fell for it, thinking it was from someone they trusted, so the thing spread virally until I and several other savvy people got the word out.

It’s easy to stop the hacker and recover your access if you know how; problem is, most people don’t even know where to start. Part 2 will show step by step how to recover a hacked Skype account After I simulate an actual hack with a trusted friend as the “hacker,” I will post part 2 which will give details on what can and can’t be done. Unfortunately, it appears that unless you have an “upgraded” Skype account–meaning you have bought Skype calling credits at some point–you won’t be able to recover your original ID without Skype’s intervention (an ordeal, I’m told).  Stay tuned.


August 20, 2010  1:15 AM

Intel to Acquire McAfee

Ken Harthun Ken Harthun Profile: Ken Harthun

I thought you may be interested in the reaction from Juan Santana, CEO of Panda Security, on Intel’s unexpected $7.68 billion acquisition of McAfee this morning.

“It is an unexpected move that highlights the importance of IT security and underscores the health of the industry going forward. In a world where most appliances and gadgets that consumers use have some kind of Internet connectivity, security becomes a differentiator.

Intel recognizes this and they have taken a step forward to position themselves well for this evolution. Computer security can’t be ignored and this move highlights once again the need for it to be top of mind for consumers. We don’t expect any changes in the offering to consumers as a result of the transaction.”

My personal opinion (based on past experience with McAfee’s products) is that this won’t help Intel’s reputation any.

But we’ll see what the market says.


August 18, 2010  1:57 AM

Beware This American Consumer Opinion Imposter

Ken Harthun Ken Harthun Profile: Ken Harthun

You get an envelope in the mail from American Consumer Opinion. Enclosed is a letter that starts like this:

Congratulation!!! You have been selected to participate in a paid Consumer Research Program. As one of the people selected to represent our firm; you will be acting as a Customer service Evaluator of selected Companies in your area.

There’s a check enclosed along with a “Customer Service Evaluation Form“. In this case, the check was for $1,895.00 made payable to a family member. Looks real and probably is real check security paper. The check is shown above. You can see a full-size version here.

It’s completely bogus. That should be obvious from the start. Misspelled words, improper capitalization, and using a semicolon as a comma just screams “I no speak English.” The supposed contact person, Mr. Chris Nelson, is later referred to in this manner: “. . . you contact Mr. Chris for activation.” Again, another mistake.

Further along in the letter are “instructions” on what to do: “CASH WITHDRAWAL $1,645 Your survey payment is $250; keep that in your account.” If you look at the letter, you’ll see $1,435.00 listed as “SURVEY FOR WESTERN UNION Receipt required.” Presumably, “Mr. Chris” is going to explain to you where you’re supposed to wire that money.

So, if you fall for this scam, assuming you have sufficient money in the bank to make the cash withdrawal before the check clears, you’ll wire $1,435 plus wire fees to someone and you’ll go shopping as instructed with the rest, thinking you just made an easy $250. A few days later, the “check” bounces and the bank debits your account. You’ve just been robbed.

I spoke with my banker about this earlier today and she told me that I would be surprised at how many people fall for these things. She sees them all the time. Of course, I’m not the least bit surprised.

Thank heaven my family member called me first.


August 16, 2010  12:05 AM

What the Heck is FakeAV?

Ken Harthun Ken Harthun Profile: Ken Harthun

I’d love to have a dollar for every time I’ve had to clean off FakeAV junk from a PC and then (diplomatically) explain to the user that they’ve been tricked. “But Windows Security Center popped up and said my PC was infected,” they cry. I feel for them; it’s definitely a slimy trick by slimy Internet criminals. So, I figured I’d better explain what this threat is and how to spot it before it lightens the wallet.  First, a definition from Sophos’ excellent publication (recommended reading) What is FakeAV? :

FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The FakeAV will continue to send these annoying and intrusive alerts until a payment is made.

For those of us who are savvy, these things are easy to spot; we’re usually aware of what AV software we use and know that what’s warning us isn’t our system. But, for the uniformed, such convincing names as those listed below usually work:

  • AntiSpyWarePro
  • Antivirus Plus
  • Antivirus Soft
  • Antivirus XP
  • Internet Security 2010
  • Malware Defense
  • Security Central
  • Security Tool
  • Winweb Security
  • XP Antivirus
  • Digital Protector
  • XP Defender

Pop-ups also catch people especially because they resemble what Windows would do. Here’s what one unlucky user had to say in a forum: “I learned a $90 lesson yesterday. If a window pops up (even if it looks just like Windows) and tells you your computer is ‘infected’, DON’T acknowledge it. Don’t click ‘Yes/Scan’, ‘No’ or anything. Just turn off your computer. ” To that, I would add one more step:  Call your friendly local Geek for a good PC clean up and protect session. Here’s a shot of a typical “System Scan” screen.

And one more thing: Please don’t click on links or open files in emails if you don’t know where they came from, even if they look legitimate.


August 15, 2010  2:53 AM

What’s Your System’s Survival Time?

Ken Harthun Ken Harthun Profile: Ken Harthun

Since Microsoft began to ship versions of Windows with its firewall enabled by default (Windows XP Service Pack 2, August 25, 2004), there hasn’t been much attention put on system survival time. That’s not to say the issue is dead, it’s just not as big an issue as it used to be. I have often said that any system connected to the Internet is under attack 24/7; in fact, I have published some of my own statistics in the past (see Unpatched PC “0wn3d” in Four Minutes or 16 Hours; Which is it?). So, what is survival time? Thanks to dshield.org for this excellent definition: “The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.”

How long would your unpatched system survive today if it’s plugged directly into the Internet? Let’s look at some historical data:

  • August 30, 2004 (five days after SP2 release) – 58 minutes
  • February 6, 2007 (1 week after release of Windows Vista) – 42 minutes
  • October 29, 2009 (1 week after release of Windows 7) – 74 minutes
  • August 7, 2010 (5 days after release of out-of-cycle patch for .lnk vulnerability) – 78 minutes

This tells me that while things appear to be improving, you still have an average of around an hour to get an upatched machine up and running on the Internet, assuming you’re not behind a firewall or NAT router (which would be the average consumer, I think).


August 14, 2010  7:14 PM

What the Heck Are Botnets?

Ken Harthun Ken Harthun Profile: Ken Harthun

Yes, I know that this is an old topic and almost everyone knows about them by now. Or do they? In my tech support activities, I run into all different levels of PC savvy (and lack thereof). The other day, I was explaining in detail a phishing attack that a client had fallen for. I pointed out all of the obvious hints that the email was bogus and gave her some great tips on how to spot them. She was insistent that the email “came from [a family member]” and that’s why she opened it. I told her that it likely came from one of the spam botnets, not a family member and that the address was spoofed. I was greeted with one of the blankest blank stares I think I’ve ever seen, followed by “What the heck is a botnet?”

So, for those of you who may not know, here’s a rundown of what botnets are and where you can go for even more in depth information.

Botnets are networks of computers that criminal hackers (Crackers) have infected and grouped together under their control to propagate viruses, send illegal spam, and carry out attacks that cause web sites to crash. Most phishing emails like my client received are sent through spam botnets.

You can think of them in this way: “A botnet is comparable to compulsory military service for windows boxes” – Stromberg (http://project.honeynet.org/papers/bots/). The users often have no choice in the matter; their machines are surreptitiously infected when they click on a link or visit an infected website.

What makes botnets exceedingly bad is the difficulty in tracing them back to their creators as well as the ever-increasing use of them in extortion schemes. How are they used in extortion schemes? Imagine someone sending you messages to either pay up or see your web site crash.

Botnets can consist of tens, or hundreds of thousands of compromised machines. With such a large network, botnets can use Distributed denial-of-service (DDoS) as a method to cause mayhem and chaos. For example a small botnet with only 500 bots can bring corporate web sites to their knees. They do this by using the combined bandwidth of all the computers to send a continuous stream of requests to corporate systems and thereby cause their web site to appear offline.

One well-known technique to combat botnets is a honeypot. Honeypots help discover how attackers infiltrate systems. A Honeypot is essentially a decoy machine that one intends to be compromised in order to study how the hackers break the system. Unpatched Windows 2000 or XP machines make great honeypots given the ease with which one can take over such systems.

If you’re interested in finding out more about honeypots, a great site to visit is The Honeynet Project which describes its own site’s objective as “To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.”

Know your Enemy: Tracking Botnets is an in-depth paper written by several members of The Honeynet Project. Here’s what they say about it: “In this paper we look at a special kind of threat: the individuals and organizations who run botnets.”

Botnets are, after all, run by criminals for criminal purposes. It’s a fascinating study.


August 14, 2010  6:14 PM

Bogus Emails Look Legitimate, But Contain Malware

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m always curious what these bogus emails contain and lately I’ve gotten several variations on this theme:

From: ruminateh@rogue-research.com
Subject: Status
Attachment: IMG_1746.zip

Hi,

I have your DVD's ready but I'm burning the Blu-Ray's today. I expect them to be ready for tomorrow.

Here is a pictures of my wife and I at my wedding since you had mentioned you'd like to see a picture.

Marquita

One of the messages’ subject lines read, “FW: Resume as discussed.” Since I had just sent out a couple of them, I almost fell for that one:

Attachment: Resume.zip
I have forwarded your resume to Jerel for consideration. He is the Worley Parson’s director for NNSA work all over the country. Would you consider moving?

These look legitimate at first blush; but, as you might suspect, they contain malware. In the first case, the file contained IMG_1746.exe which Sunbelt Labs reports as FraudTool.Win32.AVSoft (v). The second one contained Resume.exe which is the same Trojan in a different guise.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: