It’s tax time in the U.S. and with that generally comes an increase in the number of phishing scams directed at taxpayers. The IRS, whether we like them or not, has an excellent anti-scam/anti-phishing web site. One key thing to remember is that the IRS does not initiate taxpayer communications through e-mail. Here’s an excerpt from their site:
The IRS does not initiate taxpayer communications through e-mail.
* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,
* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links…
Additional information is provided by the IRS in a recent press release:
IR-2009-41, April 13, 2009
WASHINGTON — The Internal Revenue Service today issued its 2009 “dirty dozen” list of tax scams, including schemes involving phishing, hiding income offshore and false claims for refunds….
The IRS urges taxpayers to avoid these common schemes:
Phishing is a tactic used by Internet-based scam artists to trick unsuspecting victims into revealing personal or financial information. The criminals use the information to steal the victim’s identity, access bank accounts, run up credit card charges or apply for loans in the victim’s name.
Phishing scams often take the form of an e-mail that appears to come from a legitimate source, including the IRS. The IRS never initiates unsolicited e-mail contact with taxpayers about their tax issues. Taxpayers who receive unsolicited e-mails that claim to be from the IRS can forward the message to email@example.com. Further instructions are available at IRS.gov. To date, taxpayers have forwarded scam e-mails reflecting thousands of confirmed IRS phishing sites. If you believe you have been the target of an identity thief, information is available at IRS.gov.
I highly recommend you visit the IRS site and heed their excellent advice: How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites
More than a week after Conficker’s much-hyped April 1st activation date, the botnet has come to life and is using a P2P communication system to update itself on what is believed to be millions of infected PCs. Along with the update, the worm is downloading scareware known as SpywareProtect2009, according to Alex Gostev of Kaspersky Lab:
One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.
As is typical with scareware, once SpywareProtect2009 is downloaded, the victim will start seeing the usual popup warning messages asking if they want to “clean and protect” their PC (see screen shot below). Of course, this will cost them $49.95. The criminals will no doubt make millions on these fees alone while amassing a huge database of valid credit card numbers that will likely be sold for additional profit.
No one knows for sure, but we do know that *something* is going to happen on April Fools’ Day. Conficker is a new breed of malware; the people behind it are of exceptional intelligence. They aren’t a crew of script kiddies out to make a quick buck. Whatever Conficker is specifically designed to do, you can bet its actions will be directed toward: 1. Maximizing proliferation of its binaries (survival); 2. Avoiding detection; and, 3. Maximizing profit (or damage).
The worm has been pretty effective at #1, by some estimates having already infected several million PCs. It has done this through exploitation of a Windows vulnerability, MS08-067 that was patched back in October and about which I wrote Will They Ever Learn to Patch? in January. However, it’s possible that those computers in the most concentrated areas of infection–China, Russia, India, Brazil, and Argentina–are impossible to patch because they are running pirated copies of Microsoft Windows software, and Microsoft does not allow updates of any kind to its pirated software. Seems to me this is a self-defeating policy, but I’m just a sensible Geek, not a Microsoft executive.
As for #2, the latest variant has added new anti-detection features. According to Larry Seltzer writing in PCMag.com, “Avoiding detection is a major theme with Conficker.C. It’s not the first malware to try to defend itself in-memory against security software and diagnostic tools, but “C” does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center.”
We’ll find out Wednesday, April 1st, what–if anything–happens with #3. My bet is that it’ll be another Y2K-type event. Then again, who knows?
Got NoScript? If not, get it–the latest Firefox bug, an XML tag remote memory corruption vulnerability released on Wednesday, is mitigated by having the NoScript addon installed.
The bug can be exploited by a malicious website and can cause the browser to execute malware with no user intervention. All 3.0.x versions of Firefox running on Windows, Mac, and Linux operatintg systems are vulnerable. According to the Mozilla Wiki, the patched version, Firefox 3.0.8, “…is a high-priority firedrill security update to Firefox 3.0.x” and will be rolled out April 1.
The 3.0.8 release also fixes the Pwn2Own bug discovered at CanSecWest 2009, an issue that NoScript also mitigates.
I’ve said it before (see “Software for Secure Computing: Firefox & NoScript“); now’s a good time to say it again: install NoScript, and enjoy secure computing.
SecurityFocus bulletin: http://www.securityfocus.com/bid/34235/info.
The Register article: http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/.
Mozilla Security Blog post: http://tinyurl.com/mozillasecurityblog
As reported yesterday in The Register, the “psyb0t” worm targets home routers and modems and may be the first piece of malware to do so. Researchers from DroneBL, a real-time tracker of abusable IPs, say that as of March 22 100,000 hosts had been infected.
Whether or not your equipment is vulnerable depends on three things:
- Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
- Your device also has telnet, SSH or web-based interfaces available to the WAN, and
- Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”
If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions:
- Power cycle your router.
- Disable WAN-facing telnet, SSH or web-based configuration interfaces.
- Change the passwords to something unguessable (see this article).
- Upgrade to the latest firmware.
Since the early days of Windows (3.x and forward), the operating system has relied upon vritual memory in the form of files stored on the hard drive to compensate for the lack of a machine’s physical memory. When the machine’s physical memory begins filling up, pages of data are moved from physical memory to the virtual memory file. Until Windows NT, this file was called win386.swp; when NT came along, it was renamed to pagefile.sys. While the pagefile generally enhances performance, it’s a security risk.
For one thing, Windows’ default behavior leaves the pagefile intact when a user logs out, so there’s a good chance of viewing information in any files the user opened while logged in.
Encryption doesn’t necessarily mean the data is safe, either. Sure, the file itself is encrypted, but in order to work with encrypted files, the system must first decrypt them and this unencrypted copy may be stored in the pagefile.
There’s a simple registry setting that will clear your pagefile when you shutdown your computer. Why this setting isn’t enabled by default only makes sense from a performance standpoint. It may take Windows slightly longer to shut down, but you’ll rest easier knowing your confidential data isn’t at risk.
Start regedit and navigate to:
Set the key ClearPageFileAtShutdown to 1
Close regedit and reboot your computer to apply the change.
Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets—and their lives–through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.
But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.
I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:
How to Use the Cipher Security Tool to Overwrite Deleted Data
To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:
- Quit all programs.
- Click Start, click Run, type cmd, and then press ENTER.
- Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.
One more tool you can use to mollify your paranoid clients.
Hey, fellow Geeks,
Now through the end of April, your tech savvy can earn you the chance to win one of three Xbox 360 game consoles being given away by our favorite tech site, IT Knowledge Exchange. Winners will be the top three community members who have the most Knowledge Points earned and have asked five IT-related questions. You still get points for asking other questions, but only those related to IT will be counted for the contest. Full details are in community manager’s Jenny Mackintosh’s ITKE Community blog posting, so go there for rules, etc.
The three winners will receive:
- First Place: Xbox 360 Elite
- Second Place: Xbox 360
- Third Place: Xbox 360 Arcade
This is a chance to show off your IT guru skills and win a neat prize in the process. Go ahead and ask a tough question (remember, you need to ask five of them) by going to the Ask a Question page.
Good luck and have fun!
If you like Security Corner and find it useful, I would appreciate your nomination. I suppose the best category would be the non-technical blog. Here’s info from their blog post:
The nominations for the Social Security Awards are well underway and we currently have more than 450 nominations in hand. People can keep nominating until March 31 at which time we will sift threw the nominations and hand over the final five in each category to our esteemed panel of judges from CSO Magazine, Washington Post, Forrester Research, Dark Reading and TechTarget.
I want to clarify that you need not be present to win one of the Social Security Awards, so get your readers to nominate you in one of the following categories:
- Best Security Podcast
- Best Technical Security Blog
- Best Corporate Security Blog
- Best Non-Technical Security Blog
- Most Entertaining Security Blog
Thanks in advance for your show of support!
Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.
The following Security Advisories are addressed in Firefox 3.0.7:
- Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
- Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
- Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
- Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
- Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”
Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.