Yet another email worm has been circulating via email with the subject line “Here You Have”–an obvious misunderstanding of the English idiom “here you go” on the part of a non-native English speaking cracker. Another subject line being used is “Just For You.” Besides the text shown above, this also appears in some messages: “This is The Free Dowload Sex Movies,you can find it Here.
Here is what McAfee says about it:
When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once infected the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.
The good news is that the site hosting the malware has been taken down, effectively killing the worm. However, infected machines will still be spewing the emails, so need to be cleaned. If you suspect you or a client or family member is infected, run a malware scan on the system.
Privacy has been dead for a long time thanks to the Information Age. More personally-identifiable information than ever before is now accessible online through free and paid searches. The simple fact that most people post their intimate personal details on FaceBook, MySpace, Twitter, and other social networks contributes to the overall erosion of privacy. But, personally-identifiable information is only one aspect of the problem; perhaps an even bigger privacy threat is the leakage of machine-specific fingerprints that are used to track your online habits.
I went to their research site and found that my browser was uniquely identifiable among more than 1.1 million others: “Your browser fingerprint appears to be unique among the 1,161,450 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.15 bits of identifying information.” What this means is that using the information listed below, my browsing habits can be tracked using only information gleaned from my browser’s interaction with web servers.
Steve Gibson of GRC.com covered this research in minute detail in Security Now! Podcast Episode #264 last week and I highly suggest you listen to it. But, until you get a chance to do so, here is all the information you need to uniquely identify any machine on the Internet with amazing accuracy:
- User agent
- HTTP_ACCEPT headers
- Browser plug-in details
- Time Zone
- Screen size and color depth
- System fonts
- Whether or not cookies are enabled
- Supercookie (Flash cookies) test
Commercial services are already using this information to track your online habits–no matter how you try to block them–using technology to fingerprint your system, and they are building huge databases. While none of this information is tied to your personal identity, the profiles are nevertheless useful to advertisers who will use it to more accurately target web surfers with relevant marketing messages.
In the next post, I’ll detail what you can do about this (not much, unfortunately) and why, for now, you probably shouldn’t be too concerned.
If you’re a security wonk like me, you’ll definitely want to pick up a copy of Scrappy Information Security — The Easy Way to Keep the Cyber Wolves at Bay (ISBN 978-1-60005-132-6) by Michael Seese. Not just another dry tome produced in a boring, didactic style, this book is–as its name implies–written with an attitude and nowhere is the attitude more evident than in the first paragraph of the first chapter:
You have to learn to crawl before you can walk. It’s no different when learning about information security. But your first baby steps probably should not include thumbing through some of the tomes out there with upwards of 500 pages. . . Let us assume that you have a life, and don’t want to spend it flipping through such a text until you are well into your nineties.
The author’s approach to security focuses on the essentials and leaves out all of the unnecessary theory and discussion that don’t serve any purpose in the real world. He starts off by answering the standard reporter questions of who, what, when, where, and why, leading off with “Why do we need InfoSec?” I won’t spoil it for you and tell you the answer he gives, but I will tell you that it’s one of those answers that is so simple and so obvious that it escapes most people. From there, he breaks down security into three main divisions: Physical Security, Technical Security and Administrative Security, and his explanation of the components in those areas comprise the bulk of the book. Everything that matters from fences to firewalls, passwords to phishing and how to deal with social engineering is covered.
What impressed me most, besides the practicality of the information, was the way it’s presented. Each section starts off with a relevant, pithy quote, then proceeds into “Why it matters.” Next, is “The Technobabble” wherein the author details the technical elements of the subject. This is followed by a “What it means” explanation of the technology. Sometimes, the section will include a “Scrappy Tip” about how to apply the information or expanding upon some particularly relevant aspect. Bottom line: The book is technical enough for a Geek, but written in a way that almost anyone who’s at least somewhat computer-literate can understand.
I found chapter 5 – “Inform and Inspire–Training That Gets Results” particularly useful since I am often tasked with training people on various aspects of technology.
The author wraps it all up by saying, “Personally, I’m mad as hell and I’m not taking it any more! So if just one person reads this book, takes the lessons to heart, and [applies 13 principles] then my effort was worth it.”
Well, Mr. Seese, I assure you, it was.
On August 13, 2010, David Ulevitch, Founder & CEO of OpenDNS announced in a blog post that their community-driven site, PhishTank.com, had just caught its 1-millionth phish: “Today I’m excited to announce that the 1 millionth phish has been submitted to PhishTank. The “winning” submission was a fake Citibank UK website, which was quickly verified by the PhishTank community,” he wrote.
I’ve written about OpenDNS before: DNS rebinding defenses still necessary, thanks to Web 2.0, at SearchSecurity.com in Jul. 2008; OpenDNS Service to Track and Block Conficker Worm, here in Feb. 2009; and, Top Ten Security Tools at DavesComputerTips.com in Apr. 2009. Most recently, I posted How to Combat Phishing Attempts on Sep. 3, 2010, mentioning OpenDNS as a tool to help combat phishing attempts. I’ve never mentioned PhishTank before, so I think it’s time I did.
Using OpenDNS means you and your network are protected against phishing attempts. One of the ways we identify which sites are fraudulent, and which ones are legitimate, is through PhishTank.com, the community-driven site we operate that we’re proud to report is the world’s largest and fastest-moving clearing house of phishing data.
OpenDNS launched the site four years ago in October of 2006 to create a clearinghouse for phishing data that could be made available to other services via an API. At the time, there was no existing common source of phishing data that was fast-moving, accurate and reliable. I’m a member, and I hope you’ll consider joining. It is an important contribution to the entire web community and, unlike many community sites out there, the OpenDNS people realize this and appreciate their community members:
Thank you to the thousands of security pros, researchers, academics and concerned Internet users for their contributions to PhishTank. It’s you who have made this possible. You’ve protected tens of millions of people around the world, lending your expertise to help take the guesswork out of identifying phishing scams. It’s a credit to the community that we’ve reached this milestone. And in doing so, we’ve together helped protect not only people who use OpenDNS, but millions more, since the phishing scams reported and verified are also blocked by all of the Internet services PhishTank shares the data with.
Security online is analogous to security in the real world. The first thing any law enforcement professional will tell you is that you cannot make your home or business absolutely crime-proof; all you can do is increase the difficulty and risk to a level where most of the would-be intruders simply go looking for an easier target.
This same principle applies to security online. There are unknown vulnerabilities that make it impossible for your to completely hack-proof your networks; but, if you make sure your perimeter and internal defenses are strong, hackers are likely to leave you alone and go looking for an easier target.
It’s often easier to explain cyber-security to people using such analogies, especially when you’re being grilled about the need for that new, expensive Intrusion Detection System. Here are some useful comparisons:
- Guardhouse at the entrance gate = Firewall with stateful packet inspection
- Burglar alarm = Intrusion Detection System (IDS)
- Security cameras = IDS sensor points
- Automatic lock-out/lock-in doors = Intrusion Prevention System controls
- Fire suppression system = Antivirus/Antimalware/Antispam
- Safe = Disk or file encryption technology
- Safe deposit box = Symmetric key encryption technology
- Locked mailbox with open slot = Public key encryption technology
The easiest analogies are the ones regarding encryption, of course. A safe requires a combination; decryption of a disk or file requires the passphrase. A safe deposit box requires that both you and the bank have a key; symmetric encryption requires that both ends have a key. A locked mailbox with an open slot means that anyone can put mail in, but only the person with the key can read the message; public key encryption allows anyone to encrypt the message, but only the holder of the private key can decrypt it.
The other analogies are more open to interpretation and undoubtedly opinions will differ.
What do you think? Have you ever used such analogies? Leave a comment with your favorite comparisons.
It seems that phishing attempts just keep increasing. Yesterday, more of my friends on Skype were sent this link:
http://miw.host.sk/www.skype.com/?id=79826&lc=us along with the usual broken-English message, “hi how are you, i send to you link please sign in ok.” Recall my posts on the Skype phishing/hacking last month, which you should read and apply first:
The first thing you have to learn here is to NEVER CLICK on any links sent to you in email, chats, Skype, whatever until and unless you have verified their source and authenticity. The link above is obviously fake to those of us in the know, but to a normal user, it looks like it came from Skype.
The second thing you have to learn is how to recognize these bogus links. The casual observer will see www.skype.com in what looks like the right place. It would be, except for the single slash in front of it. The web server treats anything after the “/” as a directory. What you have here is the real URL,
http://miw.host.sk, pointing to a directory called
www.skype.com which contains a fake Skype login page. You can ignore the
/?id=79826&lc=us. It doesn’t matter to anyone but the hacker. If you fall for this ruse, they get your password. This is typical of most phishing attempts.
The third thing you have to learn is that you absolutely MUST NOT use the same password for everything. If the hacker gets your password and is able to find out where you bank or find other sites that you log into, they will try that password out. In fact, the first place they are going to go is your PayPal account and heaven forbid if they know your PayPal email address!
You have two tools at your disposal to help combat this menace: OpenDNS and their excellent service, PhishTank. (I’ll do a separate post on PhishTank next week.) OpenDNS Basic is a free service that gives you all this:
- Reliable DNS Infrastructure
- Web Content Filtering
- Phishing Protection
- Basic Customization
- Typo Correction
Head on over there, sign up for the free account and learn how to set it up on your system. Once you have it set up, you’ll get a message like this if you try to visit a phishing site:
This is actually working with PhishTank to determine whether it’s a known phishing site. I’ll tell you how to join the community and help report phishing sites in a future post. Also, look for a video or two on how to configure OpenDNS and how to recover a hacked Skype account.
Want to stop spam? Dumb question! Sure you do. Everyone except the spammers, that is. But the only really effective way to do it is to keep it from starting in the first place. That sounds like a pipe dream, but it’s not; there is a way to do it. The catch is you have to start with a clean slate. That means your existing email addresses have to go. If you don’t want to take it quite that far, you don’t have to, just use the new address you set up as a super-private one and give it to no one but trusted insiders.
First, you’ll need a clean email account, either on your email server (if you’re a Geek like me) or with one of the many fine webmail providers. I have several Gmail addresses that are known only to a few people. Now, make it your personal policy to never give the address to anyone you don’t absolutely trust to keep it to themselves. If spammers can’t get your address, there’s little chance they can send you spam. Finally, use disposable email addresses on web pages that force you to provide a valid email address to “register.”
Probably the best known disposable email service is Mailinator. To use it, all you have to is send mail to it. For example, you could use firstname.lastname@example.org. Most services work in this manner. I also like to use spam.la email addresses for throw-away site registrations. All email sent to email@example.com is publicly readable right there on the page. They provide a filter option so you can just look up things you’ve sent there. The other day, someone told me about dispostable.com.
The only drawback to using these is that some sites are wise to the tactic and will complain if you try to enter such an address. In that case, just choose a different one. A search for “disposable email address” will give you plenty to choose from. If you’re diligent in doing this, you may never again see another spam email.
It's that time again! We need to lighten up. I was ROTFL at this Japan airport "security" video. Great visual gags. You don't need to understand what is being said to get the joke. Enjoy!
[kml_flashembed movie="http://www.youtube.com/v/2UyXfd3p7M4" width="425" height="350" wmode="transparent" /]
Here is my commentary on the remaining myths from Sophos’ recently issued whitepaper, “The 10 Myths of Safe Web Browsing.”
Myth #6: You can only get infected if you
download files. Well, that used to be the case, but these days, most infections are via the “drive-by” download. No one is safe from this because the code is injected into the web page and it executes automatically when the page is viewed. For example, I once visited a site that has funny pictures of cats and was immediately infected by an adware trojan. The pop-ups took over my browser. A hard shutdown and start up scan fixed the problem. That site is fixed, but there are many others that aren’t.
Myth #8: When the lock icon appears in the browser, it’s secure. This one can get you in trouble fast. All that lock means is that there is an SSL encrypted connection between the browser and the server. The information still flows. A real disadvantage to this type of connection is that any malware coming along will also be encrypted and could possibly bypass security scanners. Recently, spoofed SSL certificates have made it possible for hackers to give what appear to be valid SSL connections to fake bank, credit card, and PayPal sites.
Myth #9: Web security requires a trade-off between security and freedom. I’m going to disagree with their calling this a myth. Security always involves some trade-off with freedom. In their context, a suitable web security solution ( meaning their product, of course) gives the freedom to grant access to sites people need for business while keeping the organization secure. A rather vague argument in favor of making this one a myth.
Myth #10: Endpoint security solutions can’t protect against web threats. Again, their calling this a myth is simply expedient to their promotion of their web filtering product. As long as scripts can pass through to the browser–which is what has to happen or you’ll break most of the web sites–endpoint security solutions can’t do much.
As in all whitepapers, license is taken to put a spin on certain terms to make one’s product look more favorable. Sophos’ whitepaper does this with their calling those last two statements myths. However, they have given real value in their paper with the publication of the other eight myths.
Sophos recently issued a whitepaper called “The 10 Myths of Safe Web Browsing.” It covers everything I have been saying to my clients all along.
The problem with security is often one of complacency (see Why People Are Complacent About Security); no visible infections or problems are manifest, so as far as anyone knows, nothing is wrong. Truth is, nothing could be further from the truth. Most infections these days are invisible. Look at this way: Burglars don’t want to be detected. The vast majority of malware these days is designed to steal valuable information and the more it can get, the better. The crackers don’t want you to know they are stealing your stuff–cuts into their profits–so the malware is very stealthy.
What follows in two parts is my commentary on Sophos’ myths.
Myth #1: The web is safe because I’ve never been infected by malware. Yeah, right. That’s the same illogic as “I’ve never been sick, so I don’t need to live a healthy lifestyle.” Sooner or later, it catches up to you. There are many examples of perfectly healthy athletic individuals collapsing while doing their exercise routines. Likewise, people don’t know their computers have been infected with malware until their bank account balance goes to zero or their credit cards get maxed out.
Myth #2: My users aren’t wasting time surfing inappropriate content. Wanna bet? I’m not going to give specifics here, but I have seen firsthand that nearly half of the users in any given organization have accessed inappropriate content. Without adequate web filters in place, you just don’t know about it. One organization I worked for had excellent web filtering and still failed to spot a third of the inappropriate content being accessed by its employees.
Myth #3: We control web usage and our users can’t get around our policy. Good luck with that. All you have to do is search for “bypass web filter” to find that you’re really up against the wall. According to Sophos, “Anonymizing proxies make it easy for employees to circumvent your web iltering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike. Hundreds of new anonymizing proxies are published daily. . .”
Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous. Yeah? Well, don’t tell my wife, but I’ve tested this myth on a PC with no antivirus and no antimalware protection with no hardware or software firewall. After a surfing session of more than 50 “dodgy” sites, I ran a malware scan and found nothing more than cookies and a small adware application. The truth is, “Hijacked trusted sites represent more than 83% of malware hosting sites,” according to Sophos. Makes sense, though, doesn’t it? It’s part of the overall deception. What better site to infect than one that is “trusted.” The best double agents are trusted by both sides, aren’t they?
Myth #5: Only naive users get infected with malware and viruses. Another illogical statement. Naivete has nothing to do with it. “Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have,” says Sophos. “The fact is, if you are visiting sites on the internet, you are at risk.” I recently found some suspicious files on my machine during a routine scan. I have no idea where they came from; they hadn’t been executed. The fact is, I’m not even close to being a “naive” user. I must have gotten the files during a download.
We’ll cover download infections and more in Part 2.