Archive for the ‘Malware’ Category

Keystroke Loggers Are Back – This Time in Real Time

August 24, 2009

From Slashdot, the New York Times and the what’s-olde-is-new-dept: The NY Times has a story… on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. Real-time keyloggers were first discovered in the wild last year, but the …Times article should bring new attention to the threat.

So now that the Bad Guys™ are hoovering up your login credentials in real time (not “real” real time, but much faster than before), they’ve managed to defeat at least one two-factor authentication scheme. The reason is simple: a second factor that you type in is still a keystroke, and if it reaches the attacker while it is still valid, it is worth as much to them as it is to you.

Not bad, but the real threat is quite a bit less esoteric: continuous reporting of keystrokes lets miscreants act while what they captured is still usable, a much larger window of opportunity than a batch of stale passwords uploaded hours later.  The dangers presented by keystroke loggers can be largely mitigated with some not-so-common sense: keeping your computer clean and healthy, and maybe even switching to a minority operating system (while keeping your newly developed good habits), removes a large majority of the commodity threats you face.
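Here is a small added simulation of that point, written for this page and not taken from the Times article or from any product: it implements RFC 6238 time-based one-time passwords (the common six-digit, 30-second kind), a verifier that tolerates one step of clock drift and refuses to accept the same step twice, and a keylogger that delivers the typed code to the attacker after a configurable delay. The secret is the RFC 6238 test key and the timestamps are constructed; the bank-side policy (one step of skew, one use per step) is an assumption for the demo, not a description of any real system.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Constructed demo secret: the RFC 6238 test key, not anyone's real credential.
var demoSecret = []byte("12345678901234567890")

const step = 30 // seconds per TOTP step

// TOTP computes a six-digit RFC 6238 code (HMAC-SHA1, dynamic truncation) for a Unix time.
func TOTP(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])) % 1000000
	return fmt.Sprintf("%06d", code)
}

// Verifier models the bank's side (assumed policy): it accepts the current step plus
// one step of clock drift either way, and never accepts the same step twice.
type Verifier struct {
	secret []byte
	used   map[int64]bool
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, used: map[int64]bool{}}
}

func (v *Verifier) Verify(code string, now int64) bool {
	for d := int64(-1); d <= 1; d++ {
		s := now/step + d
		if hmac.Equal([]byte(TOTP(v.secret, s*step)), []byte(code)) {
			if v.used[s] {
				return false
			}
			v.used[s] = true
			return true
		}
	}
	return false
}

// RelayAttack models a trojan keylogger on the victim's PC. The victim types a code at
// t0; the logger delivers it to the attacker reportDelay seconds later and the attacker
// submits it at once. With victimFirst the victim's own login lands before that.
// It returns whether the attacker's login is accepted.
func RelayAttack(reportDelay int64, victimFirst bool) bool {
	const t0 int64 = 1_000_000 // constructed timestamp, 10 s into a 30 s step
	v := NewVerifier(demoSecret)
	captured := TOTP(demoSecret, t0) // what the keylogger sees
	if victimFirst {
		v.Verify(captured, t0+1)
	}
	return v.Verify(captured, t0+reportDelay)
}

func main() {
	fmt.Println("RFC 6238 vector, t=59:", TOTP(demoSecret, 59)) // 287082
	fmt.Println("batch logger, uploaded an hour later:", RelayAttack(3600, false))
	fmt.Println("real-time logger, 5 s later:", RelayAttack(5, false))
	fmt.Println("real-time, but the victim logged in first:", RelayAttack(5, true))
}
```

Run it and the hour-old code from a batch logger is refused, the five-second relay is accepted, and the same relay is refused once the victim’s own login has consumed that step. Which of the last two happens in practice comes down to who reaches the server first, which is exactly why a real-time logger, unlike a nightly upload, is a live threat to a typed second factor.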

So you think getting people to “do the right thing” by their computers and data is impossible?  It wasn’t too long ago that people weren’t washing their hands before eating or preparing food, nor were they covering their mouths when they sneezed.

Good computer hygiene practices can be learned.  And understood.

From April Fools to April's Close: Conficker's History in 150 Words or Less

April 30, 2009

From the that’s-quite-a-joke-you-got-there-dept: 60 Minutes said that “The Internet is infected”.  Meanwhile, Conficker was getting quite a bit of press in other venues too.  Towards the end of May, Univision interviewed me about the danger it represented.  Many [Windows] computer users waited for the impending doom and then…

nothing happened. And many had a good laugh.

Except that something important did happen, and quietly too: Conficker began calling home and morphing into something else.  And an interesting homemade diagnostic eyechart was published, and discussed.  (It works because Conficker blocks the infected machine’s access to security vendors’ websites: the chart loads images from those sites, so the ones that fail to appear tell you the machine is probably infected.)

The important thing to remember is that people were warned and had ample opportunity to mitigate their risk: as late as January 2009, 1 in 3 Windows PCs were still vulnerable to Conficker, a full 80 days after Microsoft published the patch (MS08-067).  That means the patch was issued in October of 2008.

Talk about a slow motion train wreck that could have easily been avoided.

Of course, if you’re running Linux or OS X, you probably snickered, felt superior and/or laughed up your sleeve, because you ducked this one.  This time.

Out of the Office: Simple Electronic Security and Practical Data Protection Workshops

February 3, 2009

From the what-you-don’t-know-can-hurt-you department: I’ve recently returned from presenting my third successful “Simple Electronic Security and Practical Data Protection (SES & PDP)” workshop in as many months: two abroad, and one here in Washington D.C.

Truly effective privacy protection and security strategies require more than “silver bullet” software, they require an understanding of the ecosystem in which they’re deployed and implemented.

That’s where these workshops come in: by helping you to understand how the different parts of the privacy and security food chain interact, you’re more likely to protect what’s valuable to you, in addition to feeling empowered and in control of your digital life.

Knowledge is power, and I love sharing it.  Drop me a line here for more information.

2009.03.16: I’ve just conducted two more workshops in the last month and have now decided to offer them as a short, free introductory seminar, and as a paid, hands-on workshop.   Go here to see how I can help you and your organization protect yourselves.

Most PCs Run Outdated, Exploitable Software

December 11, 2008

From wired.com: Hardly anyone runs a PC without known holes that hackers can exploit, a Danish security company reports. Of those who run the company’s free security-scanning tool, nearly half have more than 11 out-of-date programs.

Secunia’s Personal Software Inspector (PSI) checks the programs installed on a user’s computer to see whether the latest, patched version is installed. More than 98 percent of users had at least one program that wasn’t the latest version, the company found in a study of 20,000 users of its software.
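To show what such an inspector actually does, here is an added example, written for this page and not Secunia’s code or a description of how PSI is implemented: a tiny inspector that compares an installed-software inventory against a reference list of latest patched versions and reports what is out of date or unknown. The inventory, the reference list and the version numbers are constructed for illustration. The one non-obvious part is version comparison, which has to be numeric per segment rather than a string compare.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Program is one row of an installed-software inventory.
type Program struct{ Name, Version string }

// Finding is one reported problem: an outdated program, or one the reference
// list does not know (which must not be silently counted as up to date).
type Finding struct{ Name, Installed, Latest, Status string }

// segment returns the i-th dotted segment, treating missing trailing segments as 0.
func segment(parts []string, i int) (n int, raw string, numeric bool) {
	if i >= len(parts) {
		return 0, "0", true
	}
	n, err := strconv.Atoi(parts[i])
	return n, parts[i], err == nil
}

// CompareVersions orders dotted version strings numerically per segment, so that
// "10.0.12.36" sorts after "10.0.9.0" (a plain string compare gets that wrong) and
// "3.0" equals "3.0.0". Non-numeric segments fall back to string order.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	n := len(as)
	if len(bs) > n {
		n = len(bs)
	}
	for i := 0; i < n; i++ {
		xn, xs, xok := segment(as, i)
		yn, ys, yok := segment(bs, i)
		if xok && yok {
			if xn != yn {
				if xn < yn {
					return -1
				}
				return 1
			}
			continue
		}
		if c := strings.Compare(xs, ys); c != 0 {
			return c
		}
	}
	return 0
}

// Inspect does what a software inspector does: compare each installed program
// with the latest patched version in a reference list and report the gaps.
func Inspect(installed []Program, latest map[string]string) []Finding {
	var out []Finding
	for _, p := range installed {
		want, known := latest[p.Name]
		switch {
		case !known:
			out = append(out, Finding{p.Name, p.Version, "", "unknown"})
		case CompareVersions(p.Version, want) < 0:
			out = append(out, Finding{p.Name, p.Version, want, "outdated"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// Constructed sample inventory and reference list; the version numbers are
// illustrative, not a statement about any product's actual release history.
var sampleInstalled = []Program{
	{"Adobe Flash Player ActiveX", "10.0.12.36"}, // the IE control and the browser plugin
	{"Adobe Flash Player Plugin", "10.0.22.87"},  // are separate installs, checked separately
	{"Mozilla Firefox", "3.0.4"},
	{"Java SE Runtime", "6.0.100"},
	{"Some In-house Tool", "1.2"},
}

var sampleLatest = map[string]string{
	"Adobe Flash Player ActiveX": "10.0.22.87",
	"Adobe Flash Player Plugin":  "10.0.22.87",
	"Mozilla Firefox":            "3.0.4",
	"Java SE Runtime":            "6.0.100",
}

func main() {
	for _, f := range Inspect(sampleInstalled, sampleLatest) {
		fmt.Printf("%-9s %s (installed %s, latest %q)\n", f.Status, f.Name, f.Installed, f.Latest)
	}
}
```

Two details are deliberate: the ActiveX control and the browser plugin for the same product are tracked as separate entries, because they are patched separately, and a program the reference list has never heard of is reported rather than ignored, since “not checked” is not the same as “up to date”.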

Notice that the headline says “Most PCs...” I’ve always been a software minimalist and an advocate of preventative security.  You know, the smug “an ounce of prevention is worth a pound of cure” kind of guy.  That’s why I depend upon a pair of hardened Linux boxes for about 75% of my work on the VaultletSuite 2 Go, and on my OS X PowerBook for another 15% of my daily information gathering routine. For those of you out there keeping stats, that only leaves about 10% of my day for compatibility testing on other operating systems.

Even though I use Windows XP and Vista exclusively in virtual machines (hosted on Linux) to test the VaultletSuite 2 Go, I’m still quite serious about keeping those disposable virtual installations squeaky clean.  After all, life is short, and my clients expect my software to work everywhere; they also count on me to have an informed opinion as to how to keep them and their Windows PCs safe and secure.

So I decided to take the challenge and see just how up to date my two minimalist virtual Windows installations were.  Good news: I scored 100% up to date on my Vista installation, and had only one out-of-date, vulnerable component installed on my XP partition: the Flash ActiveX plugin for Internet Explorer.

Now, I ask you: if I am fastidious (bordering upon obsessive) about never using Internet Explorer for anything other than viewing VaultletSoft’s web pages and testing VaultletSuite applets, does that unpatched vulnerability really count?  In practical terms, no.  But just the same, I promptly enabled ActiveX, updated the Flash plugin, and then re-disabled ActiveX in Internet Explorer.  Upon finishing that 3-minute task, I re-ran the PSI and received my expected 100% up-to-date gold star.

That’s squeaky clean.

And another free, easy to use tool to help you keep your computing house in order too.

Macs Gain Market Share, and Two New Trojans to Boot

July 28, 2008

Straight from the good news/bad news department, PC World and Slashdot: Apple Computer again cracked the top three in U.S. PC sales for the second quarter, according to surveys released Wednesday by both Gartner and IDC, which give Apple an 8.5 percent or a 7.8 percent market share, according to the respective firms’ data.

On a related note, F-Secure is reporting that there are two new Mac OS X trojans.

If you consider the different computer operating systems to be parts of a larger electronic ecosystem, then the more hosts of a given type there are, the more likely it is that a malware outbreak can be sustained and propagated. This is the main reason virus writers currently target Windows.

That could be subject to change if Macs continue to occupy a larger piece of the ecosystem.

A Baker's Dozen of Identity Theft and Privacy Protecting Tips for 2008

January 9, 2008

If you read my recent post “Theft of Personal Data More Than Triples This Year“, you may have been left with the impression that the current situation is beyond repair. No need to despair though, as there’s still quite a bit you can do to protect yourself.
I’ve compiled for you a baker’s dozen of simple, mostly cheap, and important things you can do to both shield yourself from identity theft and protect your privacy.

You don’t have to take on the entire list in one sitting. Instead, you can resolve to implement the following tips in groups: do the first group one month, the second group in another, and the third over the course of the following couple of months.

Bonus points and a Good Night’s Sleep™ to all those who finish the first 12 tasks!

Note: while the first group (identity theft) is fairly U.S.-centric, the other sections are not.

Group One – Identity Theft:
Credit Reports, Freezes & Passing on Pre-approved Credit

  • Read Your Credit Reports: Check your free annual credit reports from the big three. Benefits: you’ll know what’s being reported about you; and you have a reference point and resource for spotting suspicious activity taking place in your name.
  • Freeze out Fraud: Request a credit freeze from the big three: Equifax, TransUnion and Experian. Read this to understand the pros and cons of doing so first. Benefits: Identity thieves can’t open new accounts in your name if access to your credit report is frozen.
  • Pass on Pre-approved Credit: Tell the big three that you do not want to receive any more pre-approved credit card offers. Here’s some good background information on this issue. Benefits: Dumpster divers can’t run up outrageous charges on your pre-approved card offers.

Group Two – Computer Security:
Must-have Software & Keeping it up to Date

  • Anti-Virus & Spyware Software are Prophylactics, Too: If you use Windows, get and use anti-virus and spyware software, and keep it up to date. Some free versions are quite good too, and many have an upgrade path to the more “deluxe” versions. Benefits: A secure computer does a better job of helping you to protect your privacy, as a virus and spyware infested computer can siphon off all sorts of personal information, passwords, credit card and social security numbers.
  • Firewalls are Your Friend: Make sure your computer has a firewall installed, running, and set to update itself automatically. Benefits: Slows the spread of malware on your private network (and the internet), and makes it harder for malware to “phone home” with your valuable personal information.
  • Swiss Cheese is Great for Sandwiches, Not Operating Systems: Set your computer to update its operating system on a regular, perhaps nightly, basis. There’s no excuse not to run the latest security patches for your computer, whether it’s Windows, OS X, or Linux. Even computer users with dialup connectivity can set aside an hour or two on a weekly basis (maybe on a weekend morning?) when they can schedule the update to take place while they’re doing something else. Benefits: Reduces the number of weak links in the security chain protecting your data and your privacy. And, it simplifies your life.
  • Sometimes the Best Things in Life Are Free: Use Firefox, VaultletSuite 2 Go and Thunderbird instead of Internet Explorer, Outlook and Gmail. Benefits: Fewer ports of entry for viruses and spyware, no popups, less spam, and you get more control over who can see the contents of your email. And there’s the added benefit that they’re all free too!

Group Three – Physical and Psychological Security:
Reducing Your Risks and Minimizing Your Electronic Footprint

  • Better Shred than Read: Get (and use!) a paper shredder for your bills and other paperwork that contains valuable personal information. Benefits: Helps to keep dumpster divers at bay.
  • Just Say “No (Thank You)!” to Social Security Numbers: Don’t use, or at the very least question and resist the use of, your SSN (at least in the U.S.) for identification purposes other than banking, payroll and taxes (this is a generalization). SSNs shouldn’t be used for identification purposes; they’re supposed to be a secret, albeit one that’s hard to keep when it’s stored in thousands of insecure databases. Benefits: Not only do you raise businesses’ and their employees’ awareness of the importance of protecting our SSNs, but when you succeed in not giving it out, that’s one less database for it to be leaked, sold or stolen from.
  • Cash is King: Use cash as much as possible, keep the number of credit cards you have to an absolute minimum and avoid loyalty cards (or at least those which actually reveal your true identity). Benefits: Fewer companies managing your financial data means reduced possibilities of data breaches, and the less data you give data brokers, the less detailed are the profiles they buy and sell based upon your consumer choices.
  • Gullibility is Expensive: Be skeptical. If it looks too good to be true, it probably is. Benefits: Phishing scams are far less effective when you’re skeptical.
  • You Gotta Keep ’em Separated: Segregate your file sharing, video gaming, pornography, and other experimental software activities from the computer you use for your work, banking, and online shopping activities. If you can afford it, use a separate, cheap, sacrificial computer for this purpose. Benefits: A simpler, safer, more secure life. If your sacrificial computer becomes unusable, just reformat and re-install the operating system.
  • Diversity in Ecosystems Is a Good Thing™: Run Linux or buy a Mac. Benefits: By using a minority operating system you become a much less attractive target for viruses, spyware, and other privacy-invading and/or annoying programs. On top of that, using Linux gets you geek bragging rights, and Macs are beautiful consumer electronics that “just work.” Take your pick. Quick note: while it’s nice to be able to dual-boot Windows on your shiny new Intel-based Mac using Boot Camp, doing so exposes you to the same security risks as any other Windows PC.

More criminals use keystroke loggers

December 1, 2005

(Source: Washington Post) Keystroke loggers (programs that secretly record every character you type) are getting much more common, security analysts say, as criminals use them to steal user names and passwords for financial and other accounts.

There are a number of ways of reducing the risk presented by software-based keystroke loggers, including booting from a live CD and doing your best to keep your home network secure.

Here’s the article in the WashingtonPost.

Mandriva Move live CD and the VaultletSuite: a perfect fit!

October 14, 2005

We’ve tried running the VaultletSuite from a Mandriva Move CD and it works quite nicely. Within a couple of minutes of popping the bootable CD into the computer, gone were our worries about software-based keystroke sniffers, memory scanners, clipboard copiers and video buffer recorders: the live CD boots its own known-good system instead of whatever happens to be installed on the hard disk.

While it doesn’t solve the problem of hardware-based keystroke sniffers (a logger plugged in between the keyboard and the computer sees every keystroke no matter what was booted), it does help to mitigate the dangers inherent in using someone else’s computer when you have no idea where it’s been or what they’ve been doing with it.

For further reading, check out this article that reviews 5 live Linux CDs, and a good overview of Live CDs on Wikipedia

Here’s Mandriva’s Move page.

Police backdoor discovered on Italian ISP server

June 29, 2005

On the 21st of June, 2005, the Italian collective Autistici/Inventati discovered a major police backdoor [involving their SSL certificate] on their server. The server hosts a large number of websites, mailboxes, mailing lists and Internet services for NGOs, grassroots activists and public interest associations.

This kind of interception is possible in messaging systems that make the following three fatal assumptions: 1) that SSL is sufficient to protect all transmissions, 2) that the SSL private key doesn’t need to be protected with a passphrase, and 3) that there’s no need to encrypt the data before storing it on the server. Whoever holds an unprotected copy of the server’s private key can impersonate the server to its users, and with access to the server itself can read whatever is stored there in the clear. (A passphrase only protects the key file at rest; a running server must hold the decrypted key in memory, so the second point guards against a copied disk or backup rather than a live, seized machine.)

The VaultletSuite, however, goes to greater lengths to protect your valuable information: 1) the only data stored on our server is encrypted to our users’ public keys, 2) the passphrase for our SSL private key is known only to us (and not to our ISP), and 3) only our users can decrypt their data, using the VaultletSuite client on their own computer and their private key (whose passphrase only they know).

Read more here on EDRI’s website.

The ISP’s (Autistici/Inventati) statement regarding this matter.
