Yesterday's Security Alert


6/21 Do you shred your confidential financial documents? If you want to depend upon shredding to keep you safe, make sure you know the risks. E-Week Secure Your Shredding describes new technology that makes simple shredding not-so-effective.

6/19 Happy Father's Day from your FTC. Don't get hooked by the phishers.

6/16 Last month, I alerted you to how the bad guys are getting personal in their attempts to deceive you. Now we see how personal, as SecurityFocus Phishers look to net small fry discusses how the phishers are targeting customers of the smaller credit unions and other small businesses. Since your account is in a small credit union that nobody would know about, you're safe, right? Wrong. No longer going after Citibank customers, they're going after customers of YOUR credit union. And maybe even YOU.

The good news is, software is being developed to look for deceptive email. And you're getting smarter, too. At least, you read this column.

6/14 Bad news from the home front today. The experts have admitted that the bad guys are winning.

Citing examples like Glieder aka Bagle, and Mytob, SecurityFocus Stealthy Trojan horses, modular bot software dodging defenses provides the opinion that "the battle is one that the good guys are losing", because money drives the bad guys now.

The attackers are well motivated--no longer by fame, but by money, said Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security and now an independent consultant.

Moreover, because the effort to clean an infected computer is much greater than the effort to infect one, PCs claimed by an attacker are much more difficult to restore to a user's control, especially if the user does not understand security issues.

In other words, while the protection provided by routers and firewalls, and by antivirus and antispyware products, is still an essential part of a layered defense, you cannot ignore the importance of common sense and education.

Keep reading this blog, but bookmark the websites that I link. Start exploring those websites too - that's where you will find the details that you need to protect yourself effectively. The future depends upon YOU.

6/13 A couple of weeks ago, I mentioned how insecure WEP is, and how easy it is to crack, and provided links to the Toms Networking WEP Cracking For Dummies, which is now in 3 parts (links to parts 2 and 3 in the referenced article).

Now an unknown benefactor (we think), calling himself Digi, has thoughtfully made WEP Cracking For Dummies: The Video where you can watch an entire WEP crack being done before your very eyes. You may not totally understand it the first time you watch, but you can at least catch the gist of it, and see how simple a WEP crack is to execute, with the right tools.

The example shown uses packet injection, which is an active attack. A properly monitored WLAN would detect a packet injection attack in progress, but the only option upon detecting an attack would be to shut down, and upgrade to WPA. A passive attack would be undetectable, but would take a bit longer.

It's a 25M Flash file, so if you have a slow broadband connection, give it a few minutes and get a cup of coffee while it loads. But it's worth the time spent to download and watch it. Excepting a few typos, it's pretty well done, with good captioning and editing; total watching time is less than 5 minutes. The Flash control provides good video manipulation; besides the standard Play and Pause, you have a slider which lets you (with the video paused) move back and forth one frame at a time, to more easily watch any portion of the process that interests you.

After you watch the video, check out SecurityFocus: WEP: Dead Again (published just 6 months ago), and compare the tools mentioned in that article to what is shown by Digi's video.

Again, folks, if you have a wireless LAN with WEP for "protection", upgrade to WPA. Tomorrow, if not today.

6/10 If you're using software products to protect yourself against malware, as you should be in any layered defense, please be selective about what software you depend upon for protection.

Today, Eric Howes' Rogue/Suspect List reached a dubious milestone, in that Eric has now identified 200 anti-malware products that you should absolutely not depend upon.

For those of you who aren't familiar with Eric, he's probably the #1 recognised expert, on useless and harmful anti-spyware products, in the world. Before installing any product that will clean your computer, or remove unwanted software, please consider his advice. And bookmark his website.

6/10 And the hackers keep up with current events. Just recently, hackers used rumours about Osama's capture to spread their products. Now, a massive spam campaign is spreading rumours about Michael Jackson's attempted suicide, and attempts to lure the unwary to a website which will download yet another botnet agent onto your computer.

In my accelerating opinion, using blogs will soon become the only way for friends to communicate about current events.

6/9 A couple weeks ago, I alerted you to the Mytob email worm. The earlier variants of Mytob would arrive as a simple email from a friend, with an attachment. When you would innocently open the attachment, it would infect your computer, and email itself to all of your friends. That's almost too easy to identify - hopefully, any of you would look suspiciously at any email with an attachment, even if it came from me (especially if it came from me).

Well, the authors of Mytob have not been lazy - they've been diligently crafting new versions of their work, for your enjoyment. The Symantec database currently lists over 80 versions of Mytob, with more arriving daily.

The latest variants, according to SecurityFocus Mytob variant hides sting in the tail, have replaced the bulky attachment with a sleek and sophisticated URL. Now arriving in your Inbox crafted as a notice from your IT department or ISP, the message urges you to click on a URL to confirm your account. Just as in many phishing emails, the URL that you see contains a hidden URL, which takes your browser not to the apparent server belonging to your IT department or your ISP, but to a server with malicious code that downloads Mytob to your computer. Your computer then starts distributing Mytob, as previous variants would do, to all of your friends.

Please carefully examine any email from your IT department, or your ISP, before clicking on any URLs in the message.
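The "hidden URL" trick above is detectable: the visible link text names one host while the href points somewhere else. The following is an added example, not code from the original post or from SecurityFocus, that parses a constructed HTML email and flags every link whose displayed host differs from the real target; the message text and hostnames are made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: the first link shows an ISP-looking address but
# actually points at a bare IP; the second link is honest.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Please confirm at
<a href="http://203.0.113.7/confirm.php">http://account.example-isp.net/confirm</a></p>
<p>Help desk: <a href="http://support.example-isp.net/">support.example-isp.net</a></p>
<p><a href="http://support.example-isp.net/faq">click here</a> for the FAQ</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means we are not inside an <a> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Host the visible link text appears to name, or '' if the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:   # plain words such as "click here" name no host
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def find_deceptive_links(html):
    """Return (href, text) pairs whose displayed host differs from the real target host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if shown_host(text) and shown_host(text) != (urlparse(href).hostname or "").lower()]
```

Run on the sample, only the first link is reported; links whose text is a plain phrase are left alone because the reader never saw a host to be misled by.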

6/2 The Bagle worm, which has been around many months and has come in so many versions, has now become worse. The new version is more complex, and leaves a more lasting effect on your computer, and one security company has given it a new name.

Glieder, as Computer Associates now calls it, as described in ZDNet Security Bagle variants punch, punch and punch again, combines several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.

Glieder starts as its predecessor Bagle, by emailing itself to all of your address book contacts. But it doesn't stop there.

Glieder then downloads two additional worms, one which blocks antivirus software updates, and Microsoft updates; and a second worm which disables firewalls and antivirus software, and then joins your computer to the latest botnet.

Please make sure that your antivirus software is up to date at all times. Mine has updated itself several times daily this week. If yours doesn't update itself at least daily, please get a new antivirus product. For all your friends' sake.

5/29 Have you gotten any interesting email from Microsoft recently? The Gibe worm, which infects by posing as an emailed security update, is apparently still in the wild, and looking for new victims.

The worm will arrive as an email from Microsoft, mentioning security vulnerabilities affecting Internet Explorer and MS Outlook/Express.

And I restate, for those of you who don't know (and there are apparently some who don't): Microsoft does not email security updates.

5/27 Most rabid antispam activists in forums like news.admin.net-abuse.email have been blocking all email from countries like Brazil, China, Nigeria, etc. for some time. The rationale behind that was three-fold.

  1. They needed to control the amount of spam hitting their customers email boxes.
  2. Their customers had no legitimate need to get email from any of those countries.
  3. There weren't any real senders of email in those countries - just spam haven ISPs, that were abusing US, by providing safe harbour for OUR spammers.

Now, third world countries, just like the USA etc, use email in business and other daily activities. And, thanks to heavy handed attention by Spamhaus, SPEWS, and other blocklist publishers, developing countries are becoming very abused. See Developing nations losing spam battle, report says for more discussion about this situation.

In short, our economic system (which has employed the spammers for a long time) is providing a hindrance to what could be a major tool in helping third world countries take a step up economically.

5/26 The bad guys are getting personal. They've realised that form letter email, especially badly written, won't get them as many victims as personal sounding email. So they're starting out with details about you, and dropping those details into the email so you'll believe that they're legit.

Where do they get those details, like what is your favourite sports team, where do you live, or how do you like to spend your time? Not from hacking some super secret database - they make their own database, based upon the traces that you leave on the Internet.

Stephen H. Wildstrom of BusinessWeek Online invented a person, and registered him on a dozen or so websites. He then found that those websites, popular ones like Major League Baseball, The Post, Victoria's Secret, and L.L. Bean, would happily verify to anybody that the fictitious person (email address) had registered with them.

In Leaky Web Sites Tell All About You, he describes how easy it is for the bad guys, with a little automation and network time (both of which the bad guys have in surplus), to find all about you. Once they have the details, they can use your email address to attack you, masquerading as someone who legitimately knows about your preferences.

Once again, can you say "Identity Theft"?

5/25 Two Instant Messaging attacks have been reported today. Users of AOL IM and Yahoo IM may get references to the new Star Wars movie, "Star Wars Episode III: Revenge of the Sith", both with links that take the unwary recipient to malicious websites.

The website referenced in the AOL IM attack will try to download a worm to the computer, which will then continue to propagate itself to those in the Contacts list. The website in the Yahoo IM attack will ask for Yahoo credentials, and mail the provided information to another email address.

5/24 Are your systems up to date with their patches? Here's an example why you should be.

You surf to a malicious website (said website has since been taken offline), which loads malware based upon an exploit that was patched late last year, encrypts some of your key files using a password known to the bad guys, and leaves you a ransom demand. Your money or your data.

This is real life, not a bad late night made for TV movie. Patch your systems, please.

5/24 Good news or bad? You decide.

The U.S. House of Representatives on Monday voted to establish new penalties for purveyors of Internet "spyware" that disables users' computers and secretly monitors their activities.

Superficially, this looks like good news. But,

  • I doubt that our lawmakers can regulate a medium that extends outside the borders of the country.
  • The contents of this bill are vulnerable to modification by the lawyers for the industries that will be affected by the bill. It's highly unlikely that the bill will make it into final form in any useful state.
  • Here's what makes me worry. Once there is a bill, effectively defining what is and what isn't spyware, look out. Anything that can't be defined as spyware may have a legal footing to prevent us from removing it from our computers. This is one case where I think I agree with Microsoft. I just hope we don't get to the point where you have to worry: Is Deleting Spyware A Crime?

5/23 The Sober worm, previously used to distribute German language political spam related to a German election today, is also scheduled for reactivation today. TechWeb recently published Aggressive, Mass-Mailed Sober.p Worm Poised To Smack Users, which provides a very interesting overview of how cunningly the Sober worm was designed, to allow its creator to update it today without any chance of being detected. Included was an interview with Dmitri Alperovitch, a research engineer with the Alpharetta, Ga.-based security firm CipherTrust.

"He's accumulated a number of machines," said Alperovitch, but he wouldn't hazard even an estimate as to the size of the network of infected machines, also called a "botnet."

Good people, if you don't have a layered protection strategy on your computer right now, please put one in place. The reality of botnets like the Sober one, and the casual way Alperovitch referred to its unknown size, is appalling. The private computer owners of the world have to start taking responsibility for their possessions.

5/23 Be careful when you install any Macromedia products as an extension to Internet Explorer.

Macromedia Flash, and Shockwave, are two common and reliable add-ons for every well known browser, and provide useful content (My personal opinion). You have to be a bit more paranoid than I am to block both from your computer. Unfortunately, it looks like Macromedia is bundling other products that you may not want or need, when you install their products.

When you install a Macromedia product, look carefully at the selections offered. If you don't want Yahoo Toolbar, or Weatherbug, be sure to opt-out during the install process (in other words, look for the screen where installation of the extra product is selected by default).

5/18/2005 The Honeynet Project published Know Your Enemy: Phishing, which describes how devious the phishers are becoming, in hiding their identities, and in using botnets and hijacked servers to conduct their fraudulent activities.

5/13/2005 For an answer to many different questions about malware, check out this PandaLabs Malware Trend and Analysis Report for 1Q2005. It's an Acrobat document enclosed in a .zip folder, but it's worth the effort spent opening it.

5/11/2005 ISC SANS has a series of articles that offer a fascinating look at how malware gets loaded onto an unprotected system. The fifth episode in the series Follow The Bouncing Malware was published today.

4/9/2005 BBC-TV interviewed a reformed hacker, connected an unprotected computer to the internet, and watched as their sacrificial computer was hit by 3 worms in 25 minutes, and crashed before 30 minutes had elapsed. Watch the Video, it is not too technical in detail, it's technically relevant, and only 6 minutes long.

11/22/2003 The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to will be under attack each weekend for the next 20 weeks, or until you close your doors."