Archive for July, 2010

Now Is a Good Time to be Extra Careful

Thursday, July 29th, 2010

Microsoft has not yet patched the .lnk vulnerability I wrote about last week. In the meantime, though, AV vendor Sophos has released a free tool that they claim will fix the problem.

This has been a serious issue. A number of malware writers have already released exploits targeting this flaw. Everyone should exercise even more caution than usual and avoid opening documents or clicking on links in email messages. Simply opening an infected MS Office document can lead to infection. Once a computer is infected, it will infect any USB drives that are mounted and hide the infected files using rootkit technology. This is a HUGE risk for businesses that allow users to transfer files back and forth between office and home computers.

Another word of caution involves a new rogue anti-virus - this time masquerading as a Firefox / Flash update. Check it out here. We are (and should be) always encouraging Clients to keep their browser plugins up to date - especially Flash, so you can see why this ruse would be effective.

Anyone who is tricked into purchasing one of the fake anti-virus programs can usually have the credit card charges reversed. Surprisingly, most do not. As long as people don't bother to fight back, the fake anti-virus game will continue to generate profits, and as long as it is profitable, the bad guys will continue to find new and better ways to trick users into installing the rogues.

Dennis

Dennis H in West Virginia, US

July 29, 2010

Questions About Storing the CVV Code on Credit Cards

Thursday, July 29th, 2010

Several folks responded to the previous post with the same question regarding the CVV code on credit cards. This is the three-digit code stamped on the back of the card. Actually, Visa calls it a CVV. It is also referred to as a CVC, CVC2, CVV2, or CID by other card issuers.

It often appears that this information is being stored when you enter information into a web form. NerdsBackup is a good example. When information is entered, there is a field for this information. You will note, though, that when you go back to a client record, the card number is partially masked and this field is always blank.

This number is NOT stored by any processing company that is operating in accordance with the PCI-DSS (Payment Card Industry Data Security Standard). It is used for the initial authorization, but it is NOT stored permanently on the system. Subsequent charges are sent through without this information. Use of this code is not required to process a transaction - it is simply an additional fraud-prevention control. The very fact that the PCI-DSS prohibits storing the code in association with the card number in any form (written, encrypted, etc.) is what gives it value. A hacker who manages to compromise other credit card data can only obtain this code through physical possession of the card.

This code is NOT recorded on the magnetic stripe. "Swiped" transactions ensure physical possession of the card and do not use this code. Some processing companies require it for "non-swiped" or "keyed" transactions as verification that the person keying the transaction has physical possession of the card.
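As an added illustration (not code from the original post or from Nerds On Site), here is a minimal card-on-file flow in Python that behaves the way the post describes: the CVV entered in the web form is consumed by the initial keyed authorization and never written to the stored record, later charges go through on a processor token without it, and a small audit helper flags any stored record that carries a CVV-like field or an unmasked card number. The processor is simulated in-process, and all class, function and field names are hypothetical.

```python
import re
import secrets
from dataclasses import dataclass

# Field names that must never appear in a stored card record (hypothetical
# list covering the names the post mentions: CVV, CVV2, CVC, CVC2, CID).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


@dataclass
class StoredCard:
    """What the merchant keeps on file: a masked PAN, the expiry and an
    opaque processor token. There is deliberately no field for the CVV."""
    masked_pan: str
    expiry: str
    token: str


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the post describes for client records."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class SimulatedProcessor:
    """Stand-in for a card processor (hypothetical API): it tokenizes the card
    on the first keyed authorization so later charges need only the token."""

    def __init__(self):
        self._vault = {}

    def authorize(self, pan, expiry, cvv, amount):
        # Keyed (non-swiped) authorization: the CVV is checked here and then dropped.
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("a 3- or 4-digit CVV is required for a keyed authorization")
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (re.sub(r"\D", "", pan), expiry)
        return token, f"auth_{amount}"

    def charge_token(self, token, amount):
        # Subsequent charge: no CVV is involved at all.
        if token not in self._vault:
            raise KeyError("unknown token")
        return f"auth_{amount}"


def initial_authorization(proc, form):
    """Take the web-form input (which does include the CVV), authorize, and
    return the record that is safe to persist plus the authorization id."""
    token, auth_id = proc.authorize(form["pan"], form["expiry"], form["cvv"], form["amount"])
    record = StoredCard(masked_pan=mask_pan(form["pan"]), expiry=form["expiry"], token=token)
    return record, auth_id


def subsequent_charge(proc, record, amount):
    """Later charge against the card on file; only the token is needed."""
    return proc.charge_token(record.token, amount)


def audit_record(record_dict):
    """Findings for a stored record: any CVV-like field, or a PAN that is not masked."""
    findings = []
    for key in record_dict:
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"forbidden field stored: {key}")
    pan_digits = re.sub(r"\D", "", str(record_dict.get("masked_pan", "")))
    if re.fullmatch(r"\d{13,19}", pan_digits):
        findings.append("unmasked PAN stored")
    return findings


if __name__ == "__main__":
    # Constructed sample input; the PAN is a well-known test number, not a real card.
    proc = SimulatedProcessor()
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/12", "cvv": "123", "amount": 100}
    rec, auth = initial_authorization(proc, form)
    print(rec, auth, subsequent_charge(proc, rec, 25), audit_record(vars(rec)))
```

The point of the design is structural: because `StoredCard` has no CVV attribute, nothing downstream can persist the code by accident, and `audit_record` is the check you would run over whatever actually landed in the database.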

I hope this clears things up.

Dennis

Dennis H in West Virginia, US

July 28, 2010

Where Is Your Credit Card Most Likely to Be Compromised?

Tuesday, July 27th, 2010

We hear about compromises of credit card information all the time. The biggest headlines seem to be precipitated when financial institutions or large retailers are attacked. According to a study released earlier this year by the data-security consulting company Trustwave, though, the industry that sees the most compromises is actually hotels. According to the study - 38% of breaches involve hotels, 19% financial institutions, 14.2% retailing, and 13% restaurants and bars.

Why hotels? There are many possible explanations. Like car rental companies, hotels have a legitimate need to be able to add charges to your card after you leave (to cover damage or theft). This means their transaction systems must be able to store credit card information. The hospitality industry has been hit hard by the recession, resulting in budget cuts in security and delays in adopting newer and more secure technology. Employee turnover in this sector is high, making it difficult to ensure all employees are properly trained. Even within major chains, the security practices can vary widely. Consistent policies and policy enforcement are as important as the technology used to secure data.

What can travelers do to protect themselves? Here are some tips to help lower the risk.

1. The most important measure for preventing credit card fraud is vigilance. Check your statement as soon as you receive it. Do not ignore small charges that you do not recognize. Criminals will often test the waters with small charges to see if they go through before attempting large ones. If you see something suspicious, follow up immediately. Generally, you will not be held liable for fraudulent charges, AS LONG AS YOU NOTIFY THE CREDIT CARD COMPANY PROMPTLY.

2. Keep separate credit cards for business and personal expenses. If possible, maintain a card with a low credit limit for routine travel expenses.

3. Keep your card in your possession as much as possible. If you must give up possession of the card, try to keep an eye on it and watch for suspicious activity. "Card skimmers" are small, easily hidden devices that can be used to capture the data from the magnetic stripe on the card.

4. Don't be afraid to ask about security practices. The CVV code (the last three digits of the number on the signature line on the back of the credit card) should NEVER be written down or stored with other credit card information (even in encrypted form). Make sure your full credit card number does not appear on any bills or invoices.
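The "small test charge" pattern in tip 1 can be checked mechanically. The following Python, added here as an example and not part of the original post, reviews a statement made of constructed sample lines: charges from merchants not on the cardholder's own list of familiar merchants are flagged, and a small charge followed within a week by a much larger one from the same merchant is called out as a likely test. The thresholds (five dollars, seven days, twentyfold) and the merchant names are arbitrary assumptions.

```python
from datetime import date

# Constructed sample statement: (posting date, merchant descriptor, amount).
STATEMENT = [
    (date(2010, 7, 1), "GROCERY MART", 84.12),
    (date(2010, 7, 3), "WEBSTORE XYZ", 1.00),
    (date(2010, 7, 5), "WEBSTORE XYZ", 489.00),
    (date(2010, 7, 6), "GAS STATION 12", 41.50),
    (date(2010, 7, 9), "UNKNOWN SVC", 2.50),
]

# Merchants the cardholder recognises (constructed).
KNOWN_MERCHANTS = {"GROCERY MART", "GAS STATION 12"}


def review_statement(lines, known, small=5.00, window_days=7, ratio=20):
    """Return (merchant, date, amount, reason) tuples for charges worth a call
    to the card issuer. Thresholds are assumptions, not industry rules."""
    by_merchant = {}
    for d, merchant, amount in sorted(lines):
        by_merchant.setdefault(merchant, []).append((d, amount))

    findings = []
    for merchant, charges in by_merchant.items():
        if merchant in known:
            continue  # familiar merchant: nothing to do in this simple heuristic
        for i, (d, amount) in enumerate(charges):
            if amount > small:
                findings.append((merchant, d, amount, "charge from unfamiliar merchant"))
                continue
            # A small charge: look for a much larger follow-up from the same merchant.
            later = [
                (d2, a2) for d2, a2 in charges[i + 1:]
                if (d2 - d).days <= window_days and a2 >= amount * ratio
            ]
            if later:
                reason = f"small test charge followed by {later[0][1]:.2f} within {window_days} days"
            else:
                reason = "small charge from unfamiliar merchant"
            findings.append((merchant, d, amount, reason))
    return findings


if __name__ == "__main__":
    for finding in review_statement(STATEMENT, KNOWN_MERCHANTS):
        print(finding)
```

On the sample statement this reports the one-dollar charge as a probable test, the 489.00 that followed it, and the unfamiliar 2.50 charge; the familiar grocery and fuel lines are ignored.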

Dennis

Dennis H in West Virginia, US

July 27, 2010

Update to Windows Vulnerability and an Important Issue with Safari

Monday, July 26th, 2010

Update to the most recent Windows vulnerability: I wrote about this earlier in the week and wanted to add some updates. This vulnerability, which exploits a flaw in the way .lnk files (all those shortcut files in Windows that point to a file in another location, including desktop and browser shortcuts) are displayed, originally targeted software that controls large power installations and manufacturing facilities and was spread via infected USB drives. As I suspected, it has since become a much more generalized attack vector. Here are some points worth noting:

- All versions of Windows from 2000 on are affected (and possibly even older versions)

- Windows 2000 and XP SP2 will not be patched - these are officially no longer supported by Microsoft. There are quite a few devices out there still using XP SP2 because of compatibility issues with SP3

- This vulnerability can also be exploited via Windows Office documents, file shares, WebDAV (used in Sharepoint) and anything else that can accommodate embedded .lnk files

- There is speculation that the favicons used on websites might also be able to exploit this vulnerability, according to Steve Gibson in this week's episode of Security Now!

- There is no "fix" yet - Microsoft has a registry modification that is a "workaround". It disables the rendering of all icons (that will change the look of your desktop!).

For all those Macintosh users out there who are feeling a little smug - don't. If you are using Safari, here is something you should know. Both versions 4 and 5 have a feature enabled by default that could allow a malicious website to exploit the auto-fill feature of Safari to extract personal information from your address book. Fortunately, you can disable this feature. Thanks to Jay Holtslander for bringing this to our attention. Apple is reportedly working on a fix.

Dennis

Dennis H in West Virginia, US

July 26, 2010

New Windows Worm Will Spread Via USB Drives

Tuesday, July 20th, 2010


There is a new attack against Windows that exploits a vulnerability in Windows .lnk files (all those shortcuts on the desktop, in the start menu, and elsewhere are .lnk (link) files). Currently, this attack is being spread via USB drives, and is not a network attack. In theory, though, it could also be spread via network shares or WebDAV. All versions of Windows are vulnerable, including fully patched versions of Windows 7 and Server 2008.

Current versions of the attack utilize a rootkit to hide the malicious files on both the USB drive and on infected machines. Simply inserting an infected USB drive into a Windows computer and viewing its contents is generally all it takes to spread the infection. Any other USB drive that is inserted will also be infected. Initial samples of this "worm" (so classified because it can spread without any specific user action) are targeted attacks - looking specifically for software that is used to manage large distributed systems, such as power plants and manufacturing facilities. Broader attacks are almost sure to follow.

USB "drives" (which can include other devices, such as smart phones, which incorporate solid state drives) are an increasingly dangerous vector for the spread of malware. "Thumb drives" or "USB sticks" have become a cheap, compact, and easy means of moving large amounts of data between computers. Smart phones are becoming ubiquitous and are commonly plugged into multiple computers to sync email, contact lists, and calendars.

One of the drivers that the rootkit installs is a signed driver - signed by Realtek Semiconductor Corp., a legitimate company. This is a good example of why it is so important to protect certificate private keys. Verisign has since revoked the compromised certificate. AV vendors are also scrambling to add this to the list of threats their products will detect.

We will have to wait to see how widespread the attacks which exploit this vulnerability become. Microsoft has not released any date for a fix. There are workarounds, but some of them will preclude the use of Sharepoint, a service upon which many organizations depend. The best solution is to implement some form of endpoint security. Endpoint security is used to lock down USB and other devices by limiting their ability to write files. Endpoint security can also limit what can be written to external devices as part of a Data Loss Prevention program.

One additional note - any systems running on Windows 2000 or Windows XP without SP3 will NOT receive updates to patch this flaw - ever. Microsoft has officially ended support for those operating systems.

Want to read more?
krebsonsecurity.com
www.computerworld.com

Dennis

Dennis H in West Virginia, US

July 20, 2010

Security Tidbits

Tuesday, July 13th, 2010


- Old school phone fraud meets modern cyber-crime. How can I steal from thee? Let me count the ways. If the scammers can't trick you into installing fake antivirus software by flashing warnings on your screen, well, then they will call you on the phone instead. This is cold-calling at its worst - REALLY cold. (Spread the word.)


- Be careful where you get those plug-ins! Both Chrome and Firefox have lots of cool plug-ins to extend the functionality of their browsers, but beware. This hacker wrote one to steal passwords. At least he told us about it. One would hope that a plug-in this malicious would not last long, but it is an open community, and there have been some bad apples in the plug-in barrel from time to time - just none quite so pernicious as this one.


- Credit Card skimming - it's not just for ATMs any more. This article brings an interesting problem to light - all those self-service credit card devices and who has access to them. 180 pay-at-the-pump gasoline (petrol for some of you) pumps were compromised by skimmers and bluetooth transmitters because access to these pumps is not securely managed. How would you spot one? You wouldn't and you couldn't, because the skimmers were inside. Your only defense is to watch those credit card statements (well, or use cash - of course, thieves can steal that as well).

Dennis

Dennis H in West Virginia, US

July 13, 2010

Why domain registrars matter to our hosting

Thursday, July 8th, 2010

A good question was recently posed by Twitter user, Keenan Wellar of Ottawa (@KeenanWellar), regarding our requirement for clients who host their domain with us to also transfer their domain name to our registrar. I would like to explain why this is the case.

Any customer who has their own domain, such as ABCcompany.com, can have as many as four different providers and is often frustrated because they don't know whom to call when a question or issue arises. Confusion and irritation occur for the customer when the different providers point fingers at one another over who is responsible.

The four possible distinct providers involved are as follows:

  1. Registrar - think of this company as the bank that holds your mortgage or lease - you pay them monthly or annually for your Internet "real estate"
  2. DNS services - just like a directory listing such as a phonebook, this is essential so computers know where to find your website and where to send your email to
  3. Web host - When you publish your website, this is where the files actually "live" and are served up to browsers that try to get to your website
  4. E-Mail host - Your e-mail host or provider is your company's "post office" where you collect and send your email

Nerds On Site does not require that all of the above four are with us, but only the domain and DNS services. We point the WWW and MX records for many of our clients to other points of the globe.
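To make the four roles concrete, here is an added Python example (not from the original post or from Nerds On Site) that takes the records a domain owner can look up for a domain (registrar and expiry date from WHOIS, the NS records, the CNAME target of www, the MX records) and maps each role to the provider responsible, counts how many distinct companies are involved, and warns when the registration is close to expiring, which is the failure the post describes. The records are constructed sample data under a reserved test domain; inferring the provider from the last two labels of a hostname is a simplification that does not handle multi-label public suffixes such as .co.uk.

```python
from datetime import date

# Constructed sample: what a lookup of one customer domain might return.
SAMPLE_DOMAIN = {
    "domain": "abccompany.example",
    "registrar": "registrar.example",             # from WHOIS
    "expires": date(2010, 8, 15),                 # from WHOIS
    "ns": ["ns1.dnshost.example", "ns2.dnshost.example"],
    "www": "web7.webhost.example",                # CNAME target of www
    "mx": [(10, "mail.mailhost.example"), (20, "mail2.mailhost.example")],
}


def provider_of(hostname: str) -> str:
    """Heuristic: the organisation behind a hostname is its registrable domain,
    taken here as the last two labels (a simplification, see the lead-in)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def map_roles(rec: dict) -> dict:
    """Map the four roles from the post to the provider responsible for each."""
    primary_mx = min(rec["mx"])[1]  # lowest preference value is tried first
    return {
        "registrar": rec["registrar"],
        "dns": sorted({provider_of(ns) for ns in rec["ns"]}),
        "web": provider_of(rec["www"]),
        "email": provider_of(primary_mx),
    }


def distinct_providers(roles: dict) -> int:
    """How many different companies the customer would have to deal with."""
    names = {roles["registrar"], roles["web"], roles["email"], *roles["dns"]}
    return len(names)


def expiry_warning(expires: date, today: date, days: int = 30):
    """None when the registration is fine, otherwise a message. An expired
    domain is the case from the post where the name becomes available to anyone."""
    remaining = (expires - today).days
    if remaining < 0:
        return "EXPIRED: domain may be registered by anyone"
    if remaining <= days:
        return f"renew within {remaining} days"
    return None


if __name__ == "__main__":
    roles = map_roles(SAMPLE_DOMAIN)
    print(roles, "distinct providers:", distinct_providers(roles))
    print(expiry_warning(SAMPLE_DOMAIN["expires"], date(2010, 8, 1)))
```

For the sample domain all four roles land with different companies, which is exactly the "whom do I call" situation the post describes; a real checker would feed `map_roles` from live WHOIS and DNS lookups and run `expiry_warning` on a schedule.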

Having been in IT, domain registration and hosting for 14+ years, we recognize the challenges and obstacles customers face in keeping up with the barrage of annual registrations, licenses, renewals and the like. Our customers told us they wanted to run their business with fewer of these headaches, and a single point of contact for everything.

In our past experience, the #1 reason for websites to go down or for email to stop functioning is that clients forget to renew the domain. Since our policy changed to require migration to our registrar, this has not happened to a single client of ours.

Contrast this with the incident this past May in Tennessee, USA, when the Bluff City Police Department had their domain name, emails and entire website taken over by an upset member of the community.

While web hosting company GoDaddy sent many notices to the Police Department informing them that their domain would soon expire and thus become available for anyone in the public to register and own, the Bluff City Police did not get the message and their domain expired, allowing disgruntled citizen Brian McCary to register it and set up his own website in opposition to the Department's use of speed traps.

For more on this story: click here

We, at Nerds On Site, recognize that these services appeal to our target client base (SMEs worldwide who do not want to be concerned about IT), but they may not be a fit for the IT-savvy person. If you're already technically inclined, I have two thoughts:

  1. How do we get you on our team? Seriously. Contact us.
  2. http://www.iwanttobeanerd.com
  3. You could get a cloud instance running on Amazon or Rackspace, keep your own registrar, and manage the entire website, DNS and email quite easily at almost the same cost, maybe even lower

So thank you for the question, Twitter, and we hope this answers it for you. :)
