Archive for the ‘Security News’ Category

Now Is a Good Time to be Extra Careful

Thursday, July 29th, 2010

Microsoft has not yet patched the .lnk vulnerability I wrote about last week. In the meantime, though, AV vendor Sophos has released a free tool that they claim will fix the problem.

This has been a serious issue. A number of malware writers have already released exploits targeting this flaw. Everyone should exercise even more caution than usual and avoid opening documents or clicking on links in email messages. Simply opening an infected MS Office document can lead to infection. Once a computer is infected, it will infect any USB drives that are mounted and hide the infected files using rootkit technology. This is a HUGE risk for businesses that allow users to transfer files back and forth between office and home computers.

Another word of caution involves a new rogue anti-virus - this time masquerading as a Firefox / Flash update. Check it out here. We are (and should be) always encouraging Clients to keep their browser plugins up to date - especially Flash, so you can see why this ruse would be effective.

Anyone who is tricked into purchasing one of the fake anti-virus programs can usually have the credit card charges reversed. Surprisingly, most do not. As long as people don't bother to fight back, the fake anti-virus game will continue to generate profits, and as long as it is profitable, the bad guys will continue to find new and better ways to trick users into installing the rogues.

Dennis

Dennis H in West Virginia, US

July 29, 2010

Questions About Storing the CVV Code on Credit Cards

Thursday, July 29th, 2010

Several folks responded to the previous post with the same question regarding the CVV code on credit cards. This is the three-digit code stamped on the back of the card. Actually, Visa calls it a CVV. It is also referred to as a CVC, CVC2, CVV2, or CID by other card issuers.

It often appears that this information is being stored when you enter information into a web form. NerdsBackup is a good example. When information is entered, there is a field for this information. You will note, though, that when you go back to a client record, the card number is partially masked and this field is always blank.

This number is NOT stored by any processing company that is operating in accordance with the PCI-DSS (Payment Card Industry Data Security Standard). It is used for the initial authorization, but it is NOT stored permanently on the system. Subsequent charges are sent through without this information. Use of this code is not required to process a transaction - it is simply an additional fraud-prevention control. The very fact that PCI-DSS standards prohibit storing the code in association with the card number in any form (written, encrypted, etc.) is why it has value. A hacker who manages to compromise other credit card data can only obtain this code through physical possession of the card.

This code is NOT recorded on the magnetic stripe. "Swiped" transactions ensure physical possession of the card and do not use this code. Some processing companies require it for "non-swiped" or "keyed" transactions as verification that the person keying the transaction has physical possession of the card.

I hope this clears things up.

Dennis

Dennis H in West Virginia, US

July 28, 2010

Where Is Your Credit Card Most Likely to Be Compromised?

Tuesday, July 27th, 2010

We hear about compromises of credit card information all the time. The biggest headlines seem to be precipitated when financial institutions or large retailers are attacked. According to a study released earlier this year by the data-security consulting company Trustwave, though, the industry that sees the most compromises is actually hotels. According to the study - 38% of breaches involve hotels, 19% financial institutions, 14.2% retailing, and 13% restaurants and bars.

Why hotels? There are many possible explanations. Like car rental companies, hotels have a legitimate need to be able to add charges to your card after you leave (to cover damage or theft). This means their transaction systems must be able to store credit card information. The hospitality industry has been hit hard by the recession, resulting in budget cuts in security and delays in adopting newer and more secure technology. Employee turnover in this sector is high, making it difficult to ensure all employees are properly trained. Even within major chains, the security practices can vary widely. Consistent policies and policy enforcement are as important as the technology used to secure data.

What can travelers do to protect themselves? Here are some tips to help lower the risk.

1. The most important measure for preventing credit card fraud is vigilance. Check your statement as soon as you receive it. Do not ignore small charges that you do not recognize. Criminals will often test the waters with small charges to see if they go through before attempting large ones. If you see something suspicious, follow up immediately. Generally, you will not be held liable for fraudulent charges, AS LONG AS YOU NOTIFY THE CREDIT CARD COMPANY PROMPTLY.

2. Keep separate credit cards for business and personal expenses. If possible, maintain a card with a low credit limit for routine travel expenses.

3. Keep your card in your possession as much as possible. If you must give up possession of the card, try to keep an eye on it and watch for suspicious activity. "Card skimmers" are small, easily hidden devices that can be used to capture the data from the magnetic stripe on the card.

4. Don't be afraid to ask about security practices. The CVV code (the last three digits of the number on the signature line on the back of the credit card) should NEVER be written down or stored with other credit card information (even in encrypted form). Make sure your full credit card number does not appear on any bills or invoices.

Dennis

Dennis H in West Virginia, US

July 27, 2010

Update to Windows Vulnerability and an Important Issue with Safari

Monday, July 26th, 2010

Update to the most recent Windows vulnerability: I wrote about this earlier in the week and wanted to add some updates. This vulnerability, which exploits a flaw in the way .lnk files (all those shortcut files in Windows that point to a file in another location, including desktop and browser shortcuts) are displayed, originally targeted software that controls large power installations and manufacturing facilities and was spread via infected USB drives. As I suspected, this has become a much more generalized attack vector. Here are some points worth noting:

- All versions of Windows from 2000 on are affected (and possibly even older versions)

- Windows 2000 and XP SP2 will not be patched - these are officially no longer supported by Microsoft. There are quite a few devices out there still using XP SP2 because of compatibility issues with SP3

- This vulnerability can also be exploited via Windows Office documents, file shares, WebDAV (used in Sharepoint) and anything else that can accommodate embedded .lnk files

- There is speculation that the favicons used on websites might also be able to exploit this vulnerability, according to Steve Gibson in this week's episode of Security Now!

- There is no "fix" yet - Microsoft has a registry modification that is a "workaround". It disables the rendering of all icons (that will change the look of your desktop!).

For all those Macintosh users out there who are feeling a little smug - don't. If you are using Safari, here is something you should know. Both versions 4 and 5 have a feature enabled by default that could allow a malicious website to exploit the auto-fill feature of Safari to extract personal information from your address book. Fortunately, you can disable this feature. Thanks to Jay Holtslander for bringing this to our attention. Apple is reportedly working on a fix.

Dennis

Dennis H in West Virginia, US

July 26, 2010

New Windows Worm Will Spread Via USB Drives

Tuesday, July 20th, 2010

There is a new attack against Windows that exploits a vulnerability in the handling of Windows .lnk files (all those shortcuts on the desktop, in the start menu, and elsewhere are .lnk (link) files). Currently, this attack is being spread via USB drives, and is not a network attack. In theory, though, it could also be spread via network shares or WebDAV. All versions of Windows are vulnerable, including fully patched versions of Windows 7 and Server 2008.

Current versions of the attack utilize a rootkit to hide the malicious files on both the USB drive and on infected machines. Simply inserting an infected USB drive into a Windows computer and viewing its contents is generally all it takes to spread the infection. Any other USB drive that is inserted will also be infected. Initial samples of this "worm" (so classified because it can spread without any specific user action) are targeted attacks - looking specifically for software that is used to manage large distributed systems, such as power plants and manufacturing facilities. Broader attacks are almost sure to follow.

USB "drives" (which can include other devices, such as smart phones, which incorporate solid state drives) are an increasingly dangerous vector for the spread of malware. "Thumb drives" or "USB sticks" have become a cheap, compact, and easy means of moving large amounts of data between computers. Smart phones are becoming ubiquitous and are commonly plugged into multiple computers to sync email, contact lists, and calendars.

One of the drivers that the rootkit installs is a signed driver - signed by Realtek Semiconductor Corp., a legitimate company. This is a good example of why it is so important to protect certificate private keys. Verisign has since revoked the compromised certificate. AV vendors are also scrambling to add this to the list of threats their products will detect.

We will have to wait to see how widespread the attacks which exploit this vulnerability become. Microsoft has not released any date for a fix. There are workarounds, but some of them will preclude the use of Sharepoint, a service upon which many organizations depend. The best solution is to implement some form of endpoint security. Endpoint security is used to lock down USB and other devices by limiting their ability to write files. Endpoint security can also limit what can be written to external devices as part of a Data Loss Prevention program.

One additional note - any systems running on Windows 2000 or Windows XP without SP3 will NOT receive updates to patch this flaw - ever. Microsoft has officially ended support for those operating systems.

Want to read more?
krebsonsecurity.com
www.computerworld.com

Dennis

Dennis H in West Virginia, US

July 20, 2010

Security Tidbits

Tuesday, July 13th, 2010


- Old school phone fraud meets modern cyber-crime. How can I steal from thee? Let me count the ways. If the scammers can't trick you into installing fake antivirus software by flashing warnings on your screen, well, then they will call you on the phone instead. This is cold-calling at its worst - REALLY cold. (Spread the word.)


- Be careful where you get those plug-ins! Both Chrome and Firefox have lots of cool plug-ins to extend the functionality of their browsers, but beware. This hacker wrote one to steal passwords. At least he told us about it. One would hope that a plug-in this malicious would not last long, but it is an open community, and there have been some bad apples in the plug-in barrel from time to time - just none quite so pernicious as this one.


- Credit Card skimming - it's not just for ATMs any more. This article brings an interesting problem to light - all those self-service credit card devices and who has access to them. 180 pay-at-the-pump gasoline (petrol for some of you) pumps were compromised by skimmers and bluetooth transmitters because access to these pumps is not securely managed. How would you spot one? You wouldn't and you couldn't, because the skimmers were inside. Your only defense is to watch those credit card statements (well, or use cash - of course, thieves can steal that as well).

Dennis

Dennis H in West Virginia, US

July 13, 2010

New Old News or Old New News?

Monday, June 7th, 2010

There is a major security vulnerability in Adobe Flash / Reader that is being actively exploited. Hmmm, that sounds familiar. Sorry to have to say - there is another one which was announced on Friday. You can find out more here.

Here is another announcement that will seem familiar - this Tuesday's patch cycle from Microsoft will be a BIG one - 34 vulnerabilities fixed - at least three of which are critical. Make sure everyone gets updated.

Here is some more news that's not new. Smartphones are about to become the next frontier for malware. There's an app for that!

In keeping with this theme, here is something that is (not) news - Internal fraud is a problem that continues to grow. Small businesses are especially vulnerable because they often do not have anti-fraud controls in place. Look for an upcoming article on preventing fraud in small businesses.

Well, that's the recycled old news / new news. Why do we keep treading in the same circles? Because the bad guys are still bad and we just don't pay enough attention to protecting ourselves. The next time you are face-to-face with an SME client, spend a little time talking about security.

Dennis

Dennis H in West Virginia, US

June 7, 2010

The Risks of Using Public Networks and 5 Tips to Keep You Safe

Wednesday, June 2nd, 2010

Public wifi networks – you find them at airports, coffee shops, and even at fast food restaurants. Public networks don’t have to be wireless. Hotel networks are often wired, but they are public, and the same precautions apply. You never know who else is on the network capturing your traffic. Are public networks safe? What can you do to protect yourself?

First, know the risks. There are three ways others can steal your data or compromise your privacy when you are on a public network.

  • The first one is old-school and low-tech (or even no-tech).  Someone who wants to steal your passwords or just see what you are up to can simply look over your shoulder (it is called shoulder-surfing).  There is a more advanced version, though.  It involves a small video camera strategically positioned to record what others are doing - sometimes from a distance of several meters.  Watching the display and playing back video of the keystrokes while entering passwords can be an effective attack.  In a crowded place, and with the right equipment, this is easier than you might think.
  • The second one is simply capturing the traffic that you are broadcasting through the air (that’s why it’s called wireless, you know) and analyzing it later for passwords, etc.  Many public networks are open (all the traffic is in “plaintext” and can be read) or use shared passwords (if you all have the same password, it is more or less the same as an open network).  Assume any password given to you by someone else is not secure, since you have no way of knowing who else may know it.
  • The third one is a little more difficult, but not much.  Anyone can pretend to be a free wifi access point.  It just takes a little configuration on a laptop to set up a network that others can connect to.  The attacker calls it “Free Public Wifi” and then connects any victims who fall for the trick to a real public network.  The victim surfs happily, but the attacker is recording everything.

Ouch! That sounds dangerous.  What can you do to avoid being the victim?  Here are five tips:

  1. Avoid doing sensitive work when on a public network.  Do you really need to check your stocks or your bank account from the hotel or the coffee shop?   Only do this when it is really necessary.
  2. Look around. Be aware of your surroundings.  Lean over the keyboard when typing passwords.  Sit with your back toward the wall.  Don’t make it easy for others to see what you are doing.
  3. Know what you are connected to.  Make sure you know the name (also referred to as the SSID) of the network you want to use.  Beware if you see a duplicate or similar name.  Avoid unknown networks.  In addition, your laptop should be configured to connect to “access points” only (also known as infrastructure mode).  Do not allow your computer to connect directly to other computers (also known as ad-hoc mode).
  • On a Macintosh, go to System Preferences > Network > Advanced and make sure “Create computer-to-computer networks” is not checked.
  • On Windows, double-click the wireless adapter icon > click the “Wireless Networks” tab > click the “Advanced” button, and make sure that “Access point (infrastructure mode) networks only” is selected.

4. Learn about https.  In the address bar of the browser, the address starts with either http:// or https://.  The “s” stands for secure.  In this mode, all the traffic to and from your computer is encrypted and cannot be read by anyone else – even if they record it and analyze it later.  Any sensitive information should ONLY be sent over an https connection.  A word of caution, though – if you are tricked into making an https connection to an attacker, they will be able to read what you send.  You must be SURE you know who is at the other end of the https connection.  If you receive an error about a “certificate” when on a public network, DO NOT ignore it.  You may be about to become a victim.  Checking email?  Remember that even though you may sign in to your account using https, the mail is usually sent over http, in cleartext.  The exception is Gmail, which defaults to https for everything.  It is the most secure email service for use in public locations.  If the last two tips sound a bit complicated – well, they are.  The good news is that you can skip them both if you want and just go to tip number five.

5. Use a VPN or a secure connection service.  If you really want to be safe, use a VPN or a secure connection.  With a VPN, your computer does not connect directly to the internet.  Instead, it makes a completely secure (encrypted) connection to some other computer, which then connects to the internet from a non-public network.  Examples are LogMeIn, and GoToMyPC.  There are many others.  There are free versions and paid versions with more advanced features.  You install these on a home or office computer, but you may have to do some configuration of your home or office router to make it all work.  There are also secure services that work the same way, except that their servers establish the actual connections to the internet.  They are usually easier to configure.  Examples are HotSpot VPN, Witopia, and Hotspot Shield.  Again, some are free, and some are paid subscription services.
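Tip 3 above asks you to watch for a duplicate or similar network name and to refuse ad-hoc networks, and the third risk described earlier is exactly the rogue "Free Public Wifi" access point this catches. The following is an added example of my own (not part of the original post) that applies those checks to a list of visible networks. The scan results are constructed; a real tool would read them from the operating system's wireless API, and the similarity threshold is an assumption you would tune.

```python
"""Added example: flag lookalike SSIDs, ad-hoc networks, and one SSID advertised
with two different security settings, before joining a public network.
The VisibleNetwork records below are constructed for the demonstration."""
import difflib
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class VisibleNetwork:
    ssid: str
    bssid: str      # access point hardware address
    mode: str       # "infrastructure" or "ad-hoc"
    security: str   # "open", "wpa2-psk", ...


def normalize_ssid(ssid: str) -> str:
    """Fold case, drop accents and non-ASCII lookalikes, and strip punctuation and
    spaces so that 'CoffeeShop-Guest' and 'coffeeshop_guest' compare equal."""
    folded = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def assess_networks(expected_ssid: str, scan: list, threshold: float = 0.8) -> list:
    """Return (ssid, reason) findings for anything that should stop you joining."""
    target = normalize_ssid(expected_ssid)
    findings = []
    for net in scan:
        if net.mode != "infrastructure":
            findings.append((net.ssid, "ad-hoc network: connect to access points only"))
        name = normalize_ssid(net.ssid)
        if name == target and net.ssid != expected_ssid:
            # Same letters as the expected name, differing only in case or punctuation
            findings.append((net.ssid, f"looks identical to '{expected_ssid}' but is spelled differently"))
        elif name != target:
            ratio = difflib.SequenceMatcher(None, target, name).ratio()
            if ratio >= threshold:
                findings.append((net.ssid, f"similar to '{expected_ssid}' (similarity {ratio:.2f})"))
    # The exact expected name advertised with more than one security setting
    # (e.g. the venue's WPA2 network beside an open copy) is a classic warning sign.
    security_seen = {}
    for net in scan:
        if net.ssid == expected_ssid:
            security_seen.setdefault(net.security, set()).add(net.bssid)
    if len(security_seen) > 1:
        findings.append((expected_ssid, "advertised with more than one security type: "
                         + ", ".join(sorted(security_seen))))
    return findings


def safe_to_join(expected_ssid: str, scan: list) -> bool:
    """True only when nothing in the scan raised a finding."""
    return not assess_networks(expected_ssid, scan)


# Constructed scan: the venue's real network, an open copy of it, two lookalikes,
# an ad-hoc "Free Public Wifi", and an unrelated network.
SCAN = [
    VisibleNetwork("CoffeeShop_Guest", "00:11:22:33:44:01", "infrastructure", "wpa2-psk"),
    VisibleNetwork("CoffeeShop_Guest", "00:11:22:33:44:02", "infrastructure", "open"),
    VisibleNetwork("CoffeeShop-Guest", "66:77:88:99:aa:bb", "infrastructure", "open"),
    VisibleNetwork("CoffeeShop_Guest2", "66:77:88:99:aa:cc", "infrastructure", "open"),
    VisibleNetwork("Free Public Wifi", "02:aa:bb:cc:dd:ee", "ad-hoc", "open"),
    VisibleNetwork("HomeNet5G", "10:20:30:40:50:60", "infrastructure", "wpa2-psk"),
]

if __name__ == "__main__":
    for ssid, reason in assess_networks("CoffeeShop_Guest", SCAN):
        print(f"WARNING {ssid!r}: {reason}")
    print("safe to join:", safe_to_join("CoffeeShop_Guest", SCAN))
```

Two design notes: multiple access points sharing one SSID and one security type are normal (large venues do this for roaming), so the check only flags the exact name when its security settings disagree; and normalizing before comparing is what catches the punctuation and case tricks that a quick glance at the network list misses.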

You see, computing from a public location can be safe.  The first and second tips are just good, common-sense ways to avoid unnecessary risks.  The second and third tips are a bit “nerdy”, but good safety practices.  Tip number five is the easiest, and nearly bullet-proof, as long as you also follow tip number two.  You don’t have to spend money, but spending a little may get you some added speed, convenience, and features.

Use your head (to block the view of the keyboard when typing passwords, that is), pay attention, and be safe.

Dennis

Dennis H in West Virginia, US

June 2, 2010

Copiers – A Recently “Discovered” Security Risk That Is Not New

Wednesday, May 12th, 2010

I included this item in a previous Security Corner article, but I wanted to make it the focus of this one. Several astute eNerds have sent me links to articles on this topic recently and I want to express my appreciation for their involvement.

The issue is simple and apparently has been a HUGE security hole for a long time, but went mostly unnoticed (at least by the security community, but perhaps not by the "bad guys") until a few weeks ago. Most "high end" printers (and copiers, which typically also serve as scanners and printers), have hard drives in them to store images. This is a good feature and makes sense - it is a way to be able to go back and retrieve images for future use. This is also a way to "spool" print jobs as they come in until the copier/printer is able to print them.

These hard drives are typically accessible through the web-based management console, but many users seldom or never access these drives. Many do not even know that there is a hard drive in their printer or copier.

There is probably a LOT of sensitive information contained on that hard drive. If the unit is in a medical office, patient medical records have been printed and scanned. If the unit is in the offices of an insurance or financial services provider, or in a bank, or in the offices of a mortgage broker - well just think of the personal information that is scanned, faxed, and printed!!

This represents a significant risk, even while the unit is just sitting on the network, because most companies do not have this hard drive on their "access control" radar screen. The REALLY BIG problem, though, is that many businesses lease these units and replace them with newer ones when they go "off lease". Where do those units go after the leasing company reclaims them? They are resold as used equipment - often at bargain prices, in bulk lots, and to buyers in other countries.

In a reasonable world, one would think the leasing companies would have the good sense to remove or replace these drives or wipe them securely before sending them on to a new home. NOT SO. It turns out that these units are often re-sold as-is, complete with all that juicy personal information on the drive for anyone to recover (steal).

So warn all your clients - when that unit goes out the door, everything that has been scanned, faxed, or printed (potentially during the entire life of the unit) may be going out with it. This is true for units that are going off-lease, being recycled, being donated, or just headed for the landfill :(

Lease agreements may prohibit the removal of the drive, and we ALL know that simply deleting the files does not remove them. Clients should insist on WRITTEN guarantees from the lessor that these drives will be securely erased before resale, recycling, or disposal.

Hard drives are not a new feature of these units, and one would have to assume that this problem has just gone unnoticed until recently. One would also have to HOPE that the recent publicity will spur some action (if only to avoid liability) on the part of the manufacturers and lessors of these units.

I was going to include some of the links that have been sent, but just "Google" "copier hard drive security risk" and you will get more than you will want to read / watch.

Dennis

Dennis H in West Virginia, US

May 10, 2010

Tidbits From the World of Infosec

Wednesday, April 28th, 2010

Companies, System Administrators, (and your Clients) could all learn a lesson from the "Click-It or Ticket" campaign - launched a few years ago in the US to encourage the use of seat belts in automobiles to save lives. This article by Bruce Schneier discusses the fact that states with the strongest enforcement had the greatest success. The amount of money spent on media advertising was a less important predictor of success. Of course, with security awareness, or with any other attempt to change behavior, it's not an either / or proposition. The important point is that enforcement is a key component. Without it, rules have little benefit.

Of course, the popularity of the iPad has brought about a new attack vector for the purveyors of malware. The attack does not actually affect the iPad, but is another way to trick Windows users into downloading malware. I suppose there is a touch of irony in using the iPad to attack Windows.

This story is a bit US-centric, but I suspect it's only a matter of time until the same issue pops up in Canada and in other countries. The state of Massachusetts in the US has passed a law requiring ANYONE storing or transmitting Personally Identifiable Information about its residents to encrypt and protect that information. The fines for failing to do so are substantial. This is interesting because this law seeks to reach beyond the borders of the state. It will be interesting to see how this plays out in the courts over time. In any case, the growing problem of identity theft is likely to spawn similar laws around the world.

If you have clients who redact data from PDF documents before sending them, they should know that the "redacted" data may still be visible.

In another round of the ever-escalating "armor vs. ordnance" malware battle, some malicious websites are now able to detect search engine "bots" and hide the malware from them. Detecting malware on websites is a priority for Google and Firefox, who use APIs to blacklist malicious sites.

On another front of that same battle, fake anti-virus vendors are gaining ground and the legitimate AV products are having more difficulty detecting the "rogues".

Breaches are going to happen. Here is an example of what a responsible dissemination of information looks like. Sadly, you rarely see this sort of transparency.

Dennis

Dennis H in West Virginia, US

April 28, 2010