Security Awareness Post 3: Recognizing Your Surroundings (Virtual)

If you have ever taken a survival course you have probably heard the instructor talk about how you need to be aware of your surroundings. Much of survival is about recognizing where you are, what is safe, and what is not. The Internet is no different. By far the most important factor in safe use of the web is recognizing where you are, and making appropriate decisions about what is safe and what is not; what is to be expected, and what is extraordinary. Unfortunately, most people either do not know how to tell where they are, or do not do so on a regular basis.


In the first post, we discussed fake e-mail and how to recognize it. There are similar cues that tell you which web site you are visiting. Consider this picture:



First, look at the address bar, the part that says http://www.microsoft.com/en/us/default.aspx. This part is called the Uniform Resource Locator (URL). You probably already know that this is the address of the server you are connected to. What you may not know is which parts of it are interesting when making a decision about whether to trust this site. The first part of the URL is the "protocol" used: http in this case. A "protocol" is essentially the "language" that defines the words a client, in this case your web browser, can use to ask the server, in this case the web site, to send it some information, in this case a web page. The protocol above, http, is the standard protocol used on the web. Unless the protocol is https, it is useless in making a safety decision.


The second part you see is the name of the web server: www.microsoft.com. It has three parts. Reading from right to left, the first is ".com", which originally meant "commercial" to distinguish it from edu (educational), gov (government) and so on. These days, it really is just what is known as a "top level domain" or TLD used to denote many sites on the Internet. There are some generic TLDs, such as .org (typically used for non-profits), .com, .edu, and a lot of national ones, such as .uk (United Kingdom), .fr (France), .ru (Russia), .cn (China), and many others. The TLD used in this case is not useful in making a safety decision.


The rest of the server name, www.microsoft.com, however, is very useful. The "microsoft" part, in particular, identifies the organization or service that you are connected to. In other words, you are connected to a Microsoft server.


When you use the URL to make a decision about where you are, be careful with what you are looking for, though. Criminals will often try to modify the name. For example, it may be “m1crosoft.com” (1 instead of ‘i’), “micorsoft.com” (misspelled name), or “g00gle.com” (zeros instead of ‘o’). Any time you see a misspelled URL it is almost certainly a fake!
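As an added example (not code from the original post), the following Python function splits a URL into the parts the text discusses, keeps only the part that matters for a trust decision (the scheme and the registrable domain), and flags the digit-for-letter and misspelling tricks described above. The allow-list of known organizations and the substitution table are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of organizations the user expects to reach (assumption, not from the post).
KNOWN_DOMAINS = {"microsoft.com", "google.com", "live.com"}
# Digit-for-letter swaps named in the post (1 for i, 0 for o) plus two common ones (assumption).
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})

def registrable_domain(host):
    """'www.microsoft.com' -> 'microsoft.com'. Simplification: treats every TLD as one label."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a one- or two-character misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_url(url):
    """Return the URL parts that matter for a trust decision plus the warnings a user should heed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)          # only the rightmost labels identify the organization
    org, _, tld = domain.rpartition(".")
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not https: the server's identity cannot be verified")
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if domain.translate(HOMOGLYPHS) == known:      # m1crosoft.com, g00gle.com
                warnings.append(f"digit-for-letter look-alike of {known}")
            elif 0 < edit_distance(domain, known) <= 2:     # micorsoft.com
                warnings.append(f"possible misspelling of {known}")
    return {"scheme": parts.scheme.lower(), "host": host, "org": org, "tld": tld,
            "domain": domain, "known": domain in KNOWN_DOMAINS, "warnings": warnings}

if __name__ == "__main__":
    for u in ("http://www.microsoft.com/en/us/default.aspx", "https://m1crosoft.com/login",
              "https://micorsoft.com/", "https://g00gle.com/", "https://www.microsoft.com.example.net/"):
        r = assess_url(u)
        print(u, "->", r["domain"], "known" if r["known"] else r["warnings"])
```

The last sample host shows why the rightmost labels are the ones to read: "microsoft.com" appears in it, but the organization you would actually reach is example.net.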


There is only one secure way to determine whether you trust the URL, however, and that is if it uses https as the protocol. Consider this picture:



The protocol used now is https. https is actually another protocol (either Secure Sockets Layer, SSL, or Transport Layer Security, TLS) layered on top of http. It is not crucial right now to know the technical details of that; merely what features it provides, which are two things. First, https provides a way for the web browser and the web server to encrypt all traffic between them so it cannot be intercepted and read in between the two. http, on the other hand, is unencrypted. Second, and most importantly, https gives YOU a way to identify the web server you are connecting to. When you use https, you get the little padlock in the address bar. Most people ignore the padlock, but if you go to a URL that you do not recognize, such as perhaps “live.com”, it can give you the crucial information you need to make a decision. If you click on the padlock you get a screen like this:



This screen is the really important part. It tells you who issued the Digital Certificate, and the name of the entity it was issued to. In this case you can tell that VeriSign has issued a certificate to Microsoft Corporation. This is the conclusive information on which business you are connecting to. Of course, you can only trust that as far as you trust the issuer of the certificate. Generally, however, it is safe to trust any certificate that does not cause your browser to say the certificate should not be trusted. The browser vendor has already decided which issuers you should trust, and unless you have good reason to, there is usually no point in doubting that decision. If a certificate should get stolen, your web browser will throw a warning because it can only be used on the site it was originally issued for. In other words, while the criminals may be able to register "m1crosoft.com" and even get a certificate for it, they cannot use a certificate that says "microsoft.com" in it. The browser will complain if they do.


In the picture above, the address bar is green. It is not always green. That only happens if the site uses a special identifier (known as a “Digital Certificate”, which I will explain in a later post) called an Extended Validation Certificate (EV Cert). An EV Cert means that the business has paid a lot more for the certificate than a standard one, and in return, the issuer of the certificate has performed some additional validation, such as ensured that the business has a physical office somewhere. The color of the address bar actually provides little value to you when trying to determine which site you are on though. Some browsers, such as Internet Explorer, will show you information such as the business name in the little popup when the site uses an EV Certificate. However, the same information is typically available in the Details tab if you click the "View certificates" link in the pop-up. Click the "Subject" row and you will see it, as in this picture:



Using the padlock and evaluating which organization you are connected to is the only safe way to decide which site you are on. In many cases, you probably do not need that, but in some situations, such as when you are downloading software, and shopping or banking online, it is crucial.


Problems with Site Identification


Some sites use other techniques than https to help you identify them. For example, some banks have you type your username on a form that does not have a password field. Once you do, it shows you a picture that you selected and the password field. The idea is that you selected the picture when you set up the account, and since the bank now shows you this picture you are supposed to trust that you are connected to the bank. Unfortunately, this system is not secure at all. Any attacker can probably guess your username (is it first initial+last name or last name+first initial?). If an attacker can guess your username, which is not really a secret, they can obtain your picture, steal it, and show it to you on their site. The criminals can even fake out the entire system by tricking you into going to their site and typing your username. They then submit your username to your bank, retrieve your picture, and show it to you on the attackers’ site. It is trivial to circumvent the system of using pictures to identify sites. The only trustworthy way to identify the site is to inspect the certificate.


Unfortunately, many sites, including some very large credit card issuers, do not use https to serve the login form. Using https for the form is strictly speaking not required to encrypt the password when you send it to them. However, it misses the second part of https: the part where the site identifies itself to you. If the site does not serve the login form over https you cannot verify where you are sending your password because you do not yet have a certificate to verify it with. If a company does this, complain to them and request that they serve the login form over https. If they refuse, take your business elsewhere. For example, Discover Card not only refuses to serve the logon form over https, but even redirects you from https to http if you type https in the address bar. After repeated complaints I decided to just cancel my Discover Card and use American Express instead, which redirects you to https should you accidentally type http in the address bar. Discover Card does not care about my privacy and safety, while American Express actually helps protect me against my own typos.

Security Awareness Post 2: Beware of malicious software

October is National Cyber Security Awareness Month, and as I stated in the last post, I decided to celebrate by writing some Security Awareness posts. Almost as if they knew what I was going to write about, I received this spam comment on my last post this morning:


"such a very informative and valued article, regards"


The poster's name, which is undoubtedly fake, was hotlinked to: hxxp://www.antivirus-finder.blogspot.com. That, in turn, turns out to be a blog that links to various unknown and quite possibly shady anti-malware programs. ("Malware" is a collective term for malicious software, such as viruses, worms, trojan horses, spyware, adware, etc. Consequently, "anti-malware" is software that removes or stops malware, or at least purports to.) The latest post on the site points to something called "ClamWin Antivirus" which I have never heard of. I tried scanning it using a public malware scanner but it was so large that it could not be scanned. A quick analysis was unable to tell me whether it was malicious, but I would never install it based on these tell-tale signs:


  1. The underhanded way in which the link was sent to me, hidden in a comment on an unrelated blog-post
  2. Never having heard of it before
  3. It is too large to scan, which could be intentional to make it more difficult to tell whether it is malicious
  4. It installed additional unwanted software when I put it on a test system:

    Any software that automatically tries to install additional software you did not ask for should be immediately considered suspicious.

It turns out in this case that I was a little extra paranoid. ClamAV is legitimate, but given the choice, I will always tend toward not installing something.


Malicious anti-malware is epidemic on the Internet. I wrote an article on it a couple of years ago. The problem has not gone away, however, and the authors have become craftier than ever in their attempts to get you to install their wares. My all time favorite is "Green AV" which claims to donate part of the money you pay to rainforests.


There are some very simple rules of thumb you can follow, however, to protect yourself against fake anti-malware:


  1. No web site can scan your computer for malware merely by your going to it. Many web sites claim to, and that is how they try to fool you into thinking you are infected and need to pay for a new anti-malware program. There are a few legitimate ones that do scan your computer, such as Microsoft's OneCare, but they all require you to agree to install something to complete the scan. That leads us to the second rule of thumb:
  2. NEVER permit a web site to install software unless you consider a site trustworthy. You have to look at the address bar to see where you are. In a future post, I will talk about how to recognize fake software and sites.
  3. Never install software that just showed up and that you did not ask for. In fact, be extremely selective about what software you install. The less software you install from the Internet, the less likely you are to get malware.
  4. If you feel you need to install something, don't do it unless you have scanned it using a reputable anti-malware scanner. A good one is http://virustotal.com. Make sure you type the link correctly. Virtually every variant of virustotal.com is registered by malware purveyors or domain squatters. Virustotal scans files you upload using most every commercial anti-malware vendor. Here is an example report from VirusTotal.
  5. Use real anti-malware. The list in the example report from VirusTotal is not a bad starting point. Perhaps an even easier one is to simply go buy something from a reputable online merchant, such as Amazon. Getting it from Amazon guarantees that you get something that is real.
  6. If you absolutely feel the need to install something, do a quick web search on it first. If you find hundreds of pages dedicated to removing it, chances are it is fake!

In summary, remember these key points: install only the software you absolutely need, and make sure you get it from a reputable supplier.
