Archive for the ‘Security News’ Category

Security News
Stuff You Might Just Want to Know About

Monday, March 8th, 2010

This USB battery charger from Eveready has been sold in the US and Europe since 2007. The software that comes with it includes a trojan that stays active, listening for commands on port 7777, even when the device is not connected. I always found that cute bunny with the sunglasses to be a little suspicious.

We trust Mr. Google to find us what we are looking for, but even the venerable Mr. Google gets attacked by the bad guys. It is called search engine poisoning, and it can trap the unwary. Think before you click, and don't always assume Mr. Google is right.

Anyone can digitally sign a file. The question is whether the digital signature traces back to a trusted Certificate Authority. Virus writers are becoming more sophisticated all the time, and some are now digitally signing their poison, making it look more official to those who are not careful about examining the signature. Fake signatures are easy to spot - IF you take the time to look. Your browser / OS will usually warn you as well, IF you pay attention. Education and awareness are still the best defense. More information can be found here.

Patching is a real pain - that is no secret to any of you. I have recommended Secunia PSI on numerous occasions for keeping third-party applications up to date. Secunia is working on an update that will make these updates automatic. Easy is good.

Endpoint Security - clients need to gain control over all those portable devices (USB drives, smart phones, MP3 players, etc.) that come and go from the work place. Along with them, malware can come and sensitive data can go. Here is an article that offers more information. The GOOD NEWS is that Nerds On Site will soon be able to offer endpoint protection as part of NerdCare.

This last one is not security-related, but it is worth noting. Microsoft is pulling the plug on the Windows Essentials Business Server product.

Dennis

Dennis H in West Virginia, US

March 8, 2010

Security News – helping you to help your clients stay safe

Wednesday, March 3rd, 2010

DON'T press the F1 key - there is a current vulnerability in Windows XP / IE that has not been patched. If an attacker can convince the user to press the F1 key (the default help key in Windows)...well, you know the rest of the story. There is no definite word about when there will be a patch available.

On a positive note, Microsoft has been taking the battle against botnets to the courts. Let's hope that others follow suit. This certainly will not cure the problem, but it sure helps.

Thick clients, thin clients, and now...zero clients. This device has no OS, no memory, no drivers. It simply connects a keyboard, mouse and display to a remote server via standard TCP/IP protocols. Now this is centralized management - and centralized security.

Have a Lenovo Thinkpad? Don't forget the supervisor password - Lenovo says the only fix is to replace the motherboard. Ouch!

Which is more secure - open source or commercial software? According to this article, open source software is patched more quickly.

Could your use of social networking raise your insurance premiums? According to this article, it could - at least in the UK.

Microsoft Security Essentials - it's free, it's good, but is it the REAL Security Essentials? Watch out, because there is a rogue pretending to be MS Security Essentials.

Another small chink has appeared in the armor of WPA / TKIP. This protocol is still pretty secure, but best practice is now to move on to WPA2 and AES encryption.

Are two malware programs better than one? Well, of course - we knew that (but then again, we know stuff).

Spam + drive-by download + Zeus = empty bank account. Watch out for fake IRS (Revenue Canada, etc.) email messages. Zeus is a nasty password-stealing trojan that has emptied many a bank account. It is also being spread through fake AIM updates.

Want to know more about how SQL injection attacks work? Here is a good place to learn more. SQL injection attacks are among the most common web attacks.
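As an added illustration of the mechanism (example code, not from the original post or the article it links to): a login query built by pasting user input into the SQL text, beside the same query with bound parameters, both run against a constructed in-memory SQLite table. The table, the user name and the comparison values are made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by pasting user input into the SQL text.
    Whatever the user types becomes part of the statement's grammar."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Same query with bound parameters: the driver sends the statement and
    the values separately, so input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions against a valid login, a wrong password, and a
    constructed input that closes the quote and comments out the rest
    of the statement (the classic way the password check gets bypassed)."""
    conn = make_db()
    hostile = "alice' --"
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_safe": login_safe(conn, "alice", "correct-horse"),
        "wrong_vuln": login_vulnerable(conn, "alice", "nope"),
        # The concatenated version returns alice's row without the password.
        "hostile_vuln": login_vulnerable(conn, hostile, "nope"),
        # The parameterized version compares the whole string as a user name.
        "hostile_safe": login_safe(conn, hostile, "nope"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:13s} -> {rows}")
```

The point worth carrying to clients: the safe version is not a filter applied to the input, it is a different way of handing values to the database, so it holds for any input rather than for the inputs someone thought to block.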

Dennis

Dennis H in West Virginia, US

March 3, 2010

So MUCH Security News!

Tuesday, February 23rd, 2010

Green is good, but not for security. Here is an example of why turning off computers at night can save a few dollars in power costs, but at a much higher cost. Turning off computers can prevent updates from installing correctly.

Watch out for Chuck (Norris, that is). This malware targets routers, rather than computers. Make sure that default passwords are not used and that remote administration is turned off (duh). The good news is that a reboot will send Chuck packing.

Did you know that Windows 7 has a new feature that allows it to act as a wi-fi client and as a wi-fi access point at the same time? The result is a bridged network. Think about the security implications of that.

There is a new zero-day exploit in Firefox 3.6.

There is also an issue with Adobe Download Manager that you should know about.

The Kneber botnet is a major new threat that is reported to have infected more than 74,000 computers. It is a Zeus variant and may work cooperatively with Zeus.

On the other hand, this new Russian botnet tries to kill the rival botnet Zeus.

Finally, I have written about ATM fraud several times, but check out the numbers in this article. ATM fraud is a serious problem costing banks millions. Take a close look before you put in that card!

Dennis

Dennis H in West Virginia, US

February 23, 2010

More Good Stuff to Know
(and a cool tool I found)

Tuesday, February 16th, 2010

Let's start with this cool device I found: Imagine this scenario - you copy your client's precious data for a wipe and reload, reformat their drive, and when you begin to restore the data, your backup drive dies. Sound unlikely? It is - but this actually happened to me. I vowed to never format a client drive again unless I had at least TWO known good backups. That may be a good policy, but backing up twice would take twice as long - unless you had one of these adapters that creates a USB RAID 1 configuration. It will copy that precious data to two SATA drives at once.

Now for news:

This one just makes you shake your head - a rogue anti-malware vendor that actually provides live (fake) technical support. Of course, many people assume that this support indicates that the vendor is legitimate, which is, of course, why the ploy works.

The so-called "chip and pin" method of credit card authentication is used widely in Europe, and has been considered for use in the US (I am not sure about Canada). The method is considered to be a strong, two factor authentication method and banks often refuse to refund questionable charges when it is used. There have been several articles about the compromise of this system in the past couple of days, but this one from Bruce Schneier is the most informative.

It is worth noting that Adobe has some important patches available (don't delay on these), and that one of the patches issued by Microsoft on Tuesday resulted in a number of BSOD problems. The problem was not with the patch, but an interaction with a piece of malware that was already present on some XP computers.

I am not sure this is even news, and it surely is not good news, but ID fraud hit a new high in 2009.

We used to feel that two-factor authentication made for reasonably safe banking, but even two-factor authentication and one-time passwords do not ensure safety. Attacks against banks are becoming increasingly sophisticated. The problem is that everything is done in the browser. If the browser has been compromised, there is no guarantee of safety. How can you ensure that the browser has not been compromised? The best way is to boot from a live Linux distribution on a CD. The browser cannot be compromised when the files are read-only.

Who pays when bank accounts are compromised? That is often a question for the courts. Here is a case with more than a half-million dollars at stake. Both the bank and the bank's client would have benefitted from some good security consulting and education. Both parties broke common-sense security rules. The courts will have to decide who pays for their errors.

Dennis

Dennis H in West Virginia, US

February 16, 2010

Security News
More Stuff Worth Knowing

Tuesday, February 9th, 2010

Tomorrow is Patch Tuesday (again). This is going to be another big one - 13 patches, 5 of which are critical.

Here is another reason that access to commercial bank accounts should be limited to computers that are used for nothing else. Online bank accounts should NOT be accessed by computers used for general-purpose web surfing! Having a dedicated computer may seem like an extreme measure, but not to the City of Poughkeepsie, NY (at least not now)!! Instead of retiring that old desktop or laptop, install a hardened and restricted version of Linux and make it the only computer that has access to bank accounts.

We all love those Firefox add-ons, but watch out for the ones in the "experimental" section - user beware.

Made in China? That may be a reason to think twice when it comes to hardware.

Think banks and retailers are the biggest target for hackers? Think again - think hotels and the hospitality industry. For those of you who have hotel clients, this is worth bringing to their attention.

Why should employers invest in the technology and your services to make SURE P2P and social networking are not part of the workplace? Show them this and this.

Think the dangers of public wifi are limited to the time you are connected to them? Then you MUST read this.

This has NOTHING to do with security, and I by no means want to encourage anything you consider a bad habit, but some of you will consider this good news - beer is good for your bones (but too much of it may lead to breaking them).

Dennis

Dennis H in West Virginia, US

February 09, 2010

Security News Clips
Stuff You Should Know

Wednesday, January 27th, 2010

ATM fraud continues to grow. Take a close look at that ATM machine before you feed it your card. This bank in Texas lost $200,000 to this scam.

Here is a social-networking risk you may not have considered. Hackers may attack your friends if you have access to sensitive data and visit social networking sites.

If you are a Chrome user, make sure you are up to date.

Have I mentioned the importance of keeping browser add-ons up to date? Here is an article about the exploit packs that can be purchased and installed on compromised websites. These exploit packs send a barrage of attempted exploits at your browser. If one does not work, the next one may. It is effective - many of these vulnerabilities have long since been fixed, but there will always be some folks who are not up to date.

100% accurate spam filtering? Well, for the time being, anyway - turning the spammers' dirty tricks against them.

Who pays when a bank account is compromised? There are a number of pending cases in which the account holder has filed suit against the bank for not maintaining adequate security, but this Texas bank has preemptively sued the account holder.

Dennis

Dennis H in West Virginia, US

January 27, 2010

Important Updates from both MS and Apple

Thursday, January 21st, 2010

First, a couple from Microsoft:

This one dates back no less than 17 years and is related to a virtualization technology that allows 16-bit applications to run on 32-bit Windows platforms (virtualization is NOT a new technology). 64-bit versions of Windows are only minimally affected, but 32-bit versions that have 16-bit execution enabled are vulnerable.

This vulnerability in IE is serious enough to prompt Microsoft to issue an emergency patch today. Yes - that means it is serious.

If you are a Mac user feeling smug about those MS security woes, you should know that Apple has also issued a security update that addresses a dozen serious security issues as well.

More "stuff you should know" coming soon...

Dennis

Dennis H in West Virginia, US

January 21, 2010

Security News – Stuff U Should Know About

Monday, January 18th, 2010


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi - cool tool, but it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your Quicktime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.
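The general shape of that kind of bug is worth seeing in code. QuickTime .mov files are a sequence of "atoms", each starting with a 4-byte big-endian size (which counts the header itself) followed by a 4-byte type; a parser that trusts that size field is the classic way a malformed file turns into a crash or worse. The following is an added example written for this page, not Apple's code and not a reconstruction of the specific QuickTime flaw: a Python walker over top-level atoms that checks every size field against the bytes actually present. The sample inputs are constructed, not real movie files.

```python
import struct

# Constructed sample inputs (not real QuickTime files): a minimal well-formed
# atom sequence, and two malformed headers of the kind a parser must reject.
GOOD_MOV = (
    struct.pack(">I4s", 16, b"ftyp") + b"qt  " + b"\x00\x00\x02\x00"  # 8-byte payload
    + struct.pack(">I4s", 8, b"moov")                                 # empty atom
)
BAD_OVERSIZED = struct.pack(">I4s", 0xFFFFFFF0, b"mdat") + b"\x00" * 8
BAD_UNDERSIZED = struct.pack(">I4s", 4, b"moov") + b"\x00" * 8


def parse_atoms(data: bytes):
    """Walk the top-level atoms of a QuickTime/MP4 container.

    Each atom starts with a 4-byte big-endian size (covering the header)
    and a 4-byte type. Size 1 means a 64-bit size follows; size 0 means
    the atom runs to the end of the data. Returns [(type, size), ...] and
    raises ValueError on any header whose size cannot be trusted.
    """
    atoms = []
    offset, total = 0, len(data)
    while offset < total:
        if total - offset < 8:
            raise ValueError(f"truncated atom header at offset {offset}")
        size, atype = struct.unpack_from(">I4s", data, offset)
        header_len = 8
        if size == 1:
            if total - offset < 16:
                raise ValueError(f"truncated 64-bit size at offset {offset}")
            (size,) = struct.unpack_from(">Q", data, offset + 8)
            header_len = 16
        elif size == 0:
            size = total - offset
        # Check 1: the size must at least cover its own header. A C parser that
        # computes payload_len = size - 8 on an unsigned size of 4 wraps around
        # to a huge value, and the copy that follows overruns its buffer.
        if size < header_len:
            raise ValueError(f"atom {atype!r} at {offset}: size {size} smaller than header")
        # Check 2: the size must fit inside the bytes actually present, otherwise
        # the next read or copy walks past the end of the input.
        if size > total - offset:
            raise ValueError(
                f"atom {atype!r} at {offset}: size {size} exceeds remaining {total - offset}"
            )
        atoms.append((atype.decode("ascii", "replace"), size))
        offset += size
    return atoms


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True when every top-level atom header is consistent."""
    try:
        parse_atoms(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_atoms(GOOD_MOV))
    for sample in (BAD_OVERSIZED, BAD_UNDERSIZED):
        print(is_well_formed(sample))
```

The two checks are the whole lesson: a length that comes from the file is attacker-controlled data until it has been compared against both its own header and the bytes remaining, and the crash the author mentions is usually what happens when one of those comparisons is missing.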

Not all threats come from the outside. "Trusted" employees can represent even greater threats because they have privileged access.

ATM fraud - more common than you think. Check out this skimmer - complete with a camera to record PIN entries. Pay attention when visiting that ATM!

The "Google attack" had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe - check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

Dennis

Dennis H in West Virginia, US

January 18, 2010

Adobe critical patches

Thursday, January 14th, 2010

Microsoft's "patch Tuesday" was pretty low-key this month (unless you are still running Windows 2000), but Adobe has released some critical patches. Keeping applications, especially those used for internet access, patched is now as important as keeping the operating system patched.

Clients often ask why their anti-virus program failed to catch a piece of malware that infected their computer. Here is one of the tools that malware-writers can use to test their wares to see which AV programs are able to detect them as malware. This company does not hide the fact that this service is for malware writers and the results are NOT reported to the AV vendors. This makes it much easier for the "bad guys" to test their code and stay ahead of the AV vendors.

Depending upon your point of view, these "security researchers" are forcing software vendors to address security flaws quickly, helping the "bad guys" wreak havoc on internet users, or are just plain acting irresponsibly. These folks are releasing one "zero-day exploit" per day for 30 days - without giving the vendors any advance warning. They say that vendors do not respond unless the exploits are released publicly. The next month could be a busy one.

Want to test a site before you visit it? Here are four sites where you can paste URLs before you visit them to get a report.

Dennis

Dennis H in West Virginia, US

January 14, 2010

Creating an Information Management Plan – Part 6
Controls – What Kind of Armor Do We Need?

Monday, January 11th, 2010

News:

W3C Standard for a Database Engine Within the Browser - Cool, but Will it Create More Security Holes?

The Fix for the SSL Renegotiation Flaw Has Been Finalized

Encryption Keys Will Continue to Get Bigger (Note that This Refers to RSA Asymmetric Keys - 128-bit Symmetric Keys are Still Strong)

Google Chrome Takes the Lead in Browser Sandboxing

Google Localized Search - Do You Want Google to Know Where You Are (and Have Been)?

Controls – What Kind of Armor Do We Need?

Up to this point, we have classified the types of sensitive data under our care, determined where that data lives, and documented the various channels over which it is transmitted. Now that we have found it, how do we keep it safe? The mechanisms used to protect data are controls. Controls fall into three categories:

Administrative Controls: These are policies and procedures that are designed to let everyone who comes into contact with data know what access and what actions are permissible. These have to be backed up by physical and technical controls.

Physical Controls: These are tangible protection mechanisms, such as locks, video cameras, etc. Physical security is often overlooked by IT professionals.

Technical Controls: In terms of data protection, these generally fall into two categories – access controls and encryption controls.

Access Controls are used to prevent data from being viewed, transmitted, or printed.

Encryption Controls are used where we cannot control access, or as an additional control in case our access controls are not effective. If data is properly encrypted, it does not matter whether it is viewed, copied, or printed. There are two aspects to maintaining proper encryption controls – encryption strength and key management. These have been discussed in depth in other Security Corner articles.

The types of controls available will vary, depending upon the environment. The cost of controls varies greatly. Cost is sometimes measured in terms of dollars (or Rand, etc.), but more importantly, the cost of a control must be measured in terms of the effort required to implement it and the amount of inconvenience it imposes on those who use the system.

The details of these controls are beyond the scope of this article. They have been the focus of past articles and will certainly be the focus of future articles. The important point in terms of our Information Management Plan is to determine what controls are available and which ones have acceptable costs.

In Part 7 of this series, we will take the three types of information we have gathered – data classifications, data locations and transmission channels, and controls, and use them to generate a matrix. From that matrix, we will generate information protection policies.

Dennis

Dennis H in West Virginia, US

January 11, 2010