Archive for December, 2012

Google Chrome – New security controls to prevent malicious extensions

This popular free browser has been further hardened against rogue extensions, as noted below:

http://securitywatch.pcmag.com/none/306341-google-acts-against-malicious-chrome-extensions

QUOTE: Google’s latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions. Extensions are plugins for Google Chrome and allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web, the goo.gl URL shortener, and ViewThru, which displays the full URL when mouse-overing a shortened link. Others, like the “Change Your Facebook Color” extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.

AV-Test 2012 Security Suite Endurance Test

AV-Test recently published test results for the leading AV security suites, as noted in the following link:

http://securitywatch.pcmag.com/none/306431-security-suite-endurance-test-winners

QUOTE: Once you settle on your preferred security suite, most likely you’ll stick with it for the long haul. It’s important to choose a tough, effective suite. Researchers at AV-Test evaluated 17 major security suites over a period of 22 months and just published their results as “The Ultimate Endurance Test for Internet Security Suites.” Each suite underwent ten rounds of testing under various Windows versions between January 2011 and October 2012, so in most cases the tests spanned multiple product versions. Bitdefender Internet Security earned the highest score, but others weren’t far behind.

Android Security – SpamSoldier Botnet steals SMS premium services

For a safe mobile phone experience, users should be careful with every application they install, especially non-mainstream apps that promise free games or other services.

http://securitywatch.pcmag.com/none/306149-sms-botnet-spamsoldier-lures-victims-with-fake-games

https://blog.lookout.com/blog/2012/12/17/security-alert-spamsoldier/

QUOTE: As botnets go, the Android SMS botnet was “an unsophisticated attack,” Andrew Conway, a security researcher with Cloudmark, wrote on the company blog Dec. 16. An SMS message offering free games or other scams tricks users into downloading a malicious app from a third-party app store onto their Android devices. Once installed, the app can send SMS spam messages to other users without the user’s permission or knowledge. Lookout Mobile Security has dubbed this family of malware SpamSoldier and noted that the malicious app takes steps to hide its stealthy activities. The icon is removed from launcher so the user doesn’t know the app is running, outgoing spam texts are not logged, and incoming SMS replies are intercepted so that the user “remains blissfully unaware,” said Lookout’s senior product manager Derek Halliday. “You better have an unlimited message plan or your phone bill may come as a bit of a shock,” Conway wrote on Cloudmark’s blog.
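The behaviour described above (send SMS silently, intercept the replies) leaves a footprint in an app's manifest before the app ever runs. The following is an added example, not code from Lookout or Cloudmark: a static triage script that flags the capability combination a SpamSoldier-style app needs. The manifest is constructed for the example, and the priority threshold is an assumption, not a published detection rule. Note that hiding the launcher icon, as the quote describes, can be done at runtime, so a manifest check cannot confirm that part; the script only records whether a launcher activity is declared.

```python
"""Static triage of an Android manifest for SMS-spam-and-intercept capability.

Added example; not the code of any vendor named on this page. On Android a
BroadcastReceiver registered for SMS_RECEIVED with a very high priority runs
before the stock messaging app and can abort the broadcast, which is how an app
can make incoming replies vanish. Combined with SEND_SMS that is the capability
set described in the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest mimicking the behaviour described in the post.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Free Game">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SpamService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text, priority_threshold=1000):
    """Return a dict of findings for one manifest.

    priority_threshold is an assumed cut-off: an ordinary SMS app has no need
    to outrank the platform messaging app, so a very high priority on an
    SMS_RECEIVED filter is treated as an interception indicator.
    """
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "can_send_sms": "android.permission.SEND_SMS" in perms,
        "can_receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "sms_intercept_priority": None,
        "has_launcher_activity": False,
    }
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            cats = {_attr(c, "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                findings["has_launcher_activity"] = True
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(_attr(flt, "priority") or 0)
                cur = findings["sms_intercept_priority"]
                findings["sms_intercept_priority"] = (
                    prio if cur is None else max(prio, cur))
    prio = findings["sms_intercept_priority"]
    findings["suspicious"] = (
        findings["can_send_sms"]
        and findings["can_receive_sms"]
        and prio is not None
        and prio >= priority_threshold
    )
    return findings


if __name__ == "__main__":
    for key, val in triage_manifest(SUSPECT_MANIFEST).items():
        print("%-24s %s" % (key, val))
```

Run it against a batch of unpacked APKs and the high-priority SMS receiver plus SEND_SMS pair is a cheap first filter; it is not proof of malice on its own (some legitimate messaging apps register both), so treat a hit as a reason to look at the receiver's code.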

CAPTCHA – More difficult to read as malware agents grow in sophistication

To ensure that real people, rather than a malicious program, are using a resource, CAPTCHA controls continue to become more complex and may even challenge users with math problems. The goal is to keep automated spam agents from signing up for email accounts or joining forums. As the article notes, the harder challenges also make it harder for legitimate users to get in.

http://www.nbcnews.com/technology/technolog/why-captchas-are-getting-harder-read-1C7657741

QUOTE: The CAPTCHA system was invented around 2000 by a team of researchers at Carnegie Mellon University in Pittsburgh. The team came up with the CAPTCHA acronym, which stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” (It’s not a perfect acronym.) According to the Carnegie Mellon website, the first CAPTCHAs were developed for Yahoo to prevent automated programs from rapidly setting up free email accounts, which would in turn be used to pump out spam.

Then I was confronted with a “CAPTCHA” — one of those hard-to-read, squiggly collection of letters and numbers that ensure you’re a real person and not a “bot” trying to game the system.  “To tell you the truth, they are getting harder to read, even for me, but the ‘bots’ that leave spam on your site are getting better at recognizing the CAPTCHAs as well,” Lyons said.  “When we first started using them, a functional CAPTCHA just used a couple of funny fonts and some lines through the text to make it hard for machines to read. Then the bots got smarter, and [now] we are all struggling with reading the CAPTCHAs.”
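Whatever the challenge looks like (distorted text or a sum), the part that decides whether a CAPTCHA keeps bots out is the server side: the answer must never be handed to the client, the challenge must expire, and it must not be replayable. The following is an added example, not code from the article or from any CAPTCHA vendor: a stateless math challenge whose answer is bound into an HMAC token. The secret key, the two-minute lifetime and the challenge format are assumptions for the example.

```python
"""Server side of a math CAPTCHA: issue a challenge, verify one answer.

Added example. The token carries a nonce and an expiry in the clear and a MAC
over (nonce, expiry, answer); the answer itself is never sent. Because the
answer space is tiny, every token is good for exactly one guess, right or
wrong, so a bot cannot walk through all possible sums against one token.
"""
import hashlib
import hmac
import os
import random
import time

SECRET_KEY = os.urandom(32)   # assumption: one in-memory secret per server
TTL_SECONDS = 120             # assumed challenge lifetime
_consumed = {}                # nonce -> expiry, to refuse replays


def _mac(nonce, expires, answer):
    msg = ("%s|%d|%d" % (nonce, expires, answer)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(now=None, rng=random):
    """Return (question_text, token). Only the question is shown to the user."""
    now = int(time.time() if now is None else now)
    a, b = rng.randint(2, 30), rng.randint(2, 30)
    question = "What is %d + %d?" % (a, b)
    nonce = os.urandom(8).hex()
    expires = now + TTL_SECONDS
    token = "%s.%d.%s" % (nonce, expires, _mac(nonce, expires, a + b))
    return question, token


def verify(token, submitted_answer, now=None):
    """True only for an unexpired, unused token whose MAC matches the answer."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires, tag = token.split(".")
        expires = int(expires)
        answer = int(submitted_answer)
    except (ValueError, AttributeError):
        return False
    if now > expires or nonce in _consumed:
        return False
    _consumed[nonce] = expires   # burn the nonce before checking the answer
    return hmac.compare_digest(_mac(nonce, expires, answer), tag)


def purge(now=None):
    """Drop consumed nonces that can no longer be replayed; returns how many remain."""
    now = int(time.time() if now is None else now)
    for n in [n for n, e in _consumed.items() if e < now]:
        del _consumed[n]
    return len(_consumed)


if __name__ == "__main__":
    q, tok = make_challenge()
    print(q)
    a, b = [int(s) for s in q.replace("?", "").split() if s.isdigit()]
    print("correct answer accepted:", verify(tok, a + b))
    print("replay rejected:", verify(tok, a + b))
```

In a real deployment the consumed-nonce table lives in a shared cache keyed with the token expiry so that every front end sees the same burns; a per-process dict as above only protects a single server.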

Mayan Calendar and End of World links may be malicious

While a number of humorous links and photos are circulating on Facebook and in email, please be careful and avoid clicking on any suspicious items.

http://www.komando.com/tips/index.aspx?id=13792

QUOTE: If you haven’t been paying attention to the news for the last year, or haven’t been visiting my always-updated Breaking Tech News page, you might not know that the world is supposed to end tomorrow. At least that’s what some people believe based on sensationalized and inaccurate information about the Mayan calendar.

My rule is if you aren’t sure, don’t click. Whatever cool pictures or information you might miss isn’t worth the risk of accidentally grabbing a virus instead.  It goes without saying – but I’m going to say it anyway – that you should have up-to-date security software installed to catch viruses and other dangers before they infect your system. If you don’t have security software, you can download excellent free programs from my Security Center.

Online Charitable Giving – ISC Safety Tips

Some excellent safety tips and techniques to ensure gifts go to the people who are actually in need.

https://isc.sans.edu/diary/A+Consumer+s+Guide+to+Spotting+Fake+Charities/14737

QUOTE: Earlier in the week we’ve mentioned that people should be on the lookout for “fake” charities trying to exploit the Sandy Hook tragedy. About 150 or so domains have been registered that are “suspect” and about a dozen I can safely say are fraudulent. Some basic steps we already know about how to deal with this:

* Only deal with charities that are already known to you (i.e. the Red Cross) or that you have a personal relationship (your church or church-related organization, local civic group, etc).

* Don’t donate to charities simply by clicking on an e-mail; affirmatively go to website to donate directly.

* Always be sure to check for real contact information, if you don’t see anything, don’t donate.

That said, let’s say you find a website and you want to “verify” whether it is suspect or not. There are several things you can do. Advance warning, this is US-centric mostly because I don’t know “charity” laws in other countries, if someone would like to clue me in how to do similar in other countries, feel free to contact me directly.

1. Check the domain registration using WHOIS. An online WHOIS tool is here. If it is a “private registration”, it is suspect; move along.

2. Check with the IRS whether the organization is, in fact, tax exempt. Their lookup tool is here. If the website doesn’t have an organization name, it’s suspect. If they are talking to you, try to get their tax ID (or FEIN) number. Ask for a copy of their IRS Form 990 (which they are required to disclose). Many states also require charities to register themselves and you can search those filings online as well.

3. Check with Guidestar which is sort of a Consumer Reports / Better Business Bureau for charities.
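The checks above can be scripted for a batch of candidate domains, which matters when, as the diary notes, 150 or so suspect domains appear within days of an event. The following is an added example, not the ISC's code. WHOIS output and the IRS exempt-organization list are things you would fetch live; here one WHOIS record for a scam-looking site, one for a plausible charity, and a tiny exempt-org list are constructed so the logic runs offline. The privacy-proxy keywords and the 30-day "registered right after the event" window are assumptions for the example, not published thresholds.

```python
"""Triage a candidate charity site with the checks listed in the ISC diary.

Added example. Flags: private/proxy WHOIS registration, domain created in the
window just after the event, no organization named, no EIN offered, EIN that
is malformed, unknown, or belongs to a different organization. An empty list
means only that these quick checks passed, not that the charity is genuine.
"""
import re
from datetime import date, timedelta

EVENT_DATE = date(2012, 12, 14)   # the Newtown shooting, used as the reference date

# Constructed WHOIS record, typical of a domain registered right after an event.
WHOIS_SAMPLE = """\
Domain Name: NEWTOWN-FAMILY-RELIEF-FUND.EXAMPLE
Creation Date: 2012-12-15T04:12:33Z
Registrar: Example Registrar, Inc.
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Email: proxy@example.invalid
"""

# Constructed WHOIS record for a long-established organization.
WHOIS_LEGIT = """\
Domain Name: EXAMPLE-COMMUNITY-FOUNDATION.EXAMPLE
Creation Date: 2004-03-02T00:00:00Z
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Community Foundation
Registrant Email: admin@example-community-foundation.example
"""

# Constructed stand-in for the IRS exempt-organization list: EIN -> legal name.
EXEMPT_ORGS = {"13-1234567": "Example Community Foundation"}

PROXY_MARKERS = ("proxy", "private", "privacy", "whoisguard", "redacted")
EIN_RE = re.compile(r"^\d{2}-\d{7}$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; the first occurrence of a key wins."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            rec.setdefault(key.strip().lower(), val.strip())
    return rec


def creation_date(rec):
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", rec.get("creation date", ""))
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def triage(whois_text, org_name=None, ein=None, event_date=EVENT_DATE,
           window_days=30):
    """Return the list of red flags for one site."""
    rec = parse_whois(whois_text)
    flags = []
    registrant = " ".join(rec.get(k, "") for k in
                          ("registrant name", "registrant organization")).lower()
    if any(mark in registrant for mark in PROXY_MARKERS):
        flags.append("private/proxy registration")
    created = creation_date(rec)
    if created is None:
        flags.append("no creation date in WHOIS")
    elif event_date <= created <= event_date + timedelta(days=window_days):
        flags.append("domain registered %d day(s) after the event"
                     % (created - event_date).days)
    if not org_name:
        flags.append("site names no organization")
    if ein is None:
        flags.append("no EIN / tax ID offered")
    elif not EIN_RE.match(ein):
        flags.append("EIN is not in NN-NNNNNNN form")
    elif ein not in EXEMPT_ORGS:
        flags.append("EIN not found in exempt-organization list")
    elif org_name and EXEMPT_ORGS[ein].lower() != org_name.lower():
        flags.append("EIN belongs to a different organization")
    return flags


if __name__ == "__main__":
    for flag in triage(WHOIS_SAMPLE):
        print("-", flag)
```

The WHOIS parsing is deliberately loose because registrars format their output differently; for anything that passes, the Form 990 request and the state charity registry search from the diary are still manual steps.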

Newtown Tragedy – Possible Fake Charity Sites

The ISC notes that several related domains have been newly registered and warns that some may be fake. My own thoughts and prayers continue for all who were impacted.

https://isc.sans.edu/diary/Watch+for+Newtown+Connecticut+scam+sites+/14716

QUOTE: Following the tragic events in Newtown Connecticut last week several new domain names related to those events have been registered. I have little doubt that many of these sites are owned by charitable and caring individuals or organizations who want to assist families in their time of need. Other sites may belong to political organizations who will attempt to further their side of an argument as a result of this tragedy. Still other sites will undoubtedly belong to scammers who will capitalize on people’s desire to help by establishing fake charities. I spent a few hours going through many of the newly registered domains. So far most of the sites are still under construction with very little to look at. I expect that will change over the next few days.

Passwords – Use Unique and Complex control techniques

This MarketWatch article shares many best practices for password protection.

http://www.marketwatch.com/story/hacker-proof-your-password-2012-12-19

QUOTE: Don’t believe proclamations that the password is dead. Even with increasingly sophisticated software programs able to rapidly burn through an endless array of possible character combinations, the password is not only alive, but as important as ever. “Passwords are the bane of our existence, but they’re here to stay,” says Hilary Schneider, president of LifeLock, an identity-theft protection company.

Think of the password as a mouse trap. As simplistic as it seems, there’s nothing out there more effective and straightforward for accessing sites like your bank and favorite retailer. “A better system can be developed but it needs to be easy to use before it can have the widespread adoption to abolish the use of the password,” says Cameron Camp, a security researcher for ESET, an antivirus and Internet security provider. “If it’s not convenient, you won’t transact with the bank as much and the bank loses revenue.”

We’ve been told time and again how important it is to have tricky, unique passwords that are known to no one but ourselves. We should make them long and add numbers and symbols to fool the fraudsters combing the Internet for access to our records. And we should always, always have different passwords for each site. But apparently, we’re not listening very well. The annual compilations of “worst passwords ever” are numerous but remarkably similar in their results. Moreover, the top 25 or so passwords are held by an alarmingly large number of people.
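The advice above ("make them long and add numbers and symbols", "never use a listed password") can be put in numbers. The following is an added example, not from the MarketWatch article: it sizes the brute-force search space for a password's length and character-class mix and compares it against a constructed excerpt of a worst-passwords list. The attacker guess rate of 10^10 per second is an assumption standing in for a fast offline attack on a weak hash; what matters is the ratio between policies, not the absolute seconds.

```python
"""Length versus character classes: size the brute-force search space.

Added example. A password on a worst-passwords list is cracked first no matter
how long it is; otherwise the worst-case search is charset_size ** length.
Each extra character multiplies the space by the charset size, while adding a
symbol class to a short password only changes the base.
"""
import string

GUESSES_PER_SECOND = 1e10   # assumed attacker throughput
ONE_YEAR = 86400 * 365

# Constructed excerpt of a "worst passwords" style list, lower case.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "dragon", "111111", "baseball"}


def charset_size(pw):
    """Size of the smallest standard class mix that could have produced pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to search pw's whole length-and-class space."""
    return charset_size(pw) ** len(pw) / rate


def assess(pw, rate=GUESSES_PER_SECOND):
    """Return (verdict, seconds) for one candidate password."""
    if pw.lower() in COMMON_PASSWORDS:
        return "on worst-passwords list", 0.0
    secs = seconds_to_exhaust(pw, rate)
    if secs < ONE_YEAR:
        return "brute-forceable in under a year", secs
    return "ok", secs


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4d&", "correcthorsebatterystaple"):
        verdict, secs = assess(candidate)
        print("%-28s %-34s %.3g s" % (candidate, verdict, secs))
```

Eight characters drawn from all four classes (94^8, about 6 x 10^15 guesses) fall in roughly a week at the assumed rate, while twenty-five lower-case letters (26^25) do not; that is the quantitative reason the article's "make them long" matters more than "add symbols".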

Necurs Rootkit – Infected over 80,000 PCs in November

Once the Necurs rootkit infects a machine, it can hide itself from the operating system, download additional malware and stop security applications from functioning.

http://blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx

http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144203/necurs-rootkit-spreading-quickly-microsoft-warns.html

QUOTE:  Necurs is a prevalent threat in the wild at the moment – variants of Necurs were reported on 83,427 unique machines during the month of November 2012. Necurs is mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole. So what does Necurs actually do? At a high level, it enables further compromise by providing the functionality to:

1. Download additional malware

2. Hide its components

3. Stop security applications from functioning

In addition Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software. Nefariousness aplenty. See our Trojan:Win32/Necurs family write-up for the full details.

Trend Labs – 2013 Security predictions

Trend Labs has identified some key attack vectors for next year.

http://blog.trendmicro.com/trendlabs-security-intelligence/observations-on-the-evolution-of-cyber-tactics-in-2013/

QUOTE:  A dramatic shift in the modus operandi of cybercriminals will occur in 2013. I predict five major shifts in attack vectors:

  1. Man-in-the-browser attacks will flourish as automated transfer system attacks become mainstream due to the advent of mobile banking. Inserting nano-ware into the browser allows for criminals to bypass two factor authentication and thus insert themselves into the encrypted channel. This was seen with the Automatic Transfer System module for Zeus and SpyEye.
  2. Watering hole attacks will grow in popularity as polluting trusted websites is a far better targeted attack methodology than targeting individual users.
  3. Mobile malware will metastasize and become more insidious and automated to include proximity attack capabilities.
  4. Cross platform attacks like Jacksbot will become mainstream.
  5. Hypervisor attacks on cloud infrastructures will begin in earnest, in order to move closer to data.

As the modus operandi of cybercriminals evolves, so must our defense in depth strategy. Cybersecurity investments must shift towards continuous monitoring and advanced threat protection if we are to civilize cyberspace and sustain Web 3.0. If we build it they will come, but they will not all be righteous.  To find out more about our 2013 predictions, check our predictions document titled Security Threats to Business, the Digital Lifestyle, and the Cloud.