Posts Tagged ‘Security News’

New Old News or Old New News?

Monday, June 7th, 2010

 

There is a major security vulnerability in Adobe Flash / Reader that is being actively exploited. Hmmm, that sounds familiar. Sorry to have to say - there is another one which was announced on Friday. You can find out more here.

 

Here is another announcement that will seem familiar - this Tuesday's patch cycle from Microsoft will be a BIG one - 34 vulnerabilities fixed - at least three of which are critical. Make sure everyone gets updated.

Here is some more news that's not new. Smartphones are about to become the next frontier for malware. There's an app for that!

In keeping with this theme, here is something that is (not) news - Internal fraud is a problem that continues to grow. Small businesses are especially vulnerable because they often do not have anti-fraud controls in place. Look for an upcoming article on preventing fraud in small businesses.

Well, that's the recycled old news / new news. Why do we keep treading in the same circles? Because the bad guys are still bad and we just don't pay enough attention to protecting ourselves. The next time you are face-to-face with an SME client, spend a little time talking about security.

 

Dennis

 

 

Dennis H in West Virginia, US

June 7, 2010

Tidbits From the World of Infosec

Wednesday, April 28th, 2010

Companies, system administrators (and your clients) could all learn a lesson from the "Click-It or Ticket" campaign, launched a few years ago in the US to encourage the use of seat belts in automobiles to save lives. This article by Bruce Schneier discusses the fact that states with the strongest enforcement had the greatest success. The amount of money spent on media advertising was a less important predictor of success. Of course, with security awareness, or with any other attempt to change behavior, it's not an either / or proposition. The important point is that enforcement is a key component. Without it, rules have little benefit.

Of course, the popularity of the iPad has brought about a new attack vector for the purveyors of malware. The attack does not actually affect the iPad, but is another way to trick Windows users into downloading malware. I suppose there is a touch of irony in using the iPad to attack Windows.

This story is a bit US-centric, but I suspect it's only a matter of time until the same issue pops up in Canada and in other countries. The state of Massachusetts in the US has passed a law requiring ANYONE storing or transmitting Personally Identifiable Information about its residents to encrypt and protect that information. The fines for failing to do so are substantial. This is interesting because this law seeks to reach beyond the borders of the state. It will be interesting to see how this plays out in the courts over time. In any case, the growing problem of identity theft is likely to spawn similar laws around the world.

If you have clients who redact data from PDF documents before sending them, they should know that the "redacted" data may still be in the file. Drawing a black box over text only paints over it; the text itself stays in the document's content stream and can be recovered by select-all / copy in a viewer or by any tool that reads the file. Proper redaction removes the text, not just the view of it.
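As an added illustration (example code written for this edit, not from the original post or from any tool the post links to): the Python below builds a constructed one-page PDF whose content stream draws a string and then paints a black rectangle over it, and then pulls the string straight back out of the content stream. The same-length overwrite at the end is one way to actually remove the text while keeping the file structurally valid; it assumes an uncompressed content stream, which real files rarely have.

```python
"""Added example: why a black box painted over PDF text is not redaction."""
import re

# Constructed one-page PDF (not a real document). The xref table is omitted
# and the content stream is left uncompressed so the bytes are readable.
# The stream draws the secret string, then fills a black rectangle over it.
# Real files usually Flate-compress the stream, which hides the text from a
# plain grep but not from any PDF-aware tool.
CONTENT = (
    b"BT /F1 12 Tf 72 700 Td (Account number: 1234-5678) Tj ET\n"
    b"0 g 70 695 150 16 re f\n"  # 0 g = black fill colour; re f = filled rect
)

REDACTED_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] ",
    b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >> endobj\n",
    b"4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n",
    b"5 0 obj << /Length %d >>\nstream\n" % len(CONTENT),
    CONTENT,
    b"endstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")   # (string) Tj
RECT_RE = re.compile(rb"\S+ \S+ \S+ \S+ re\s+f\b")   # x y w h re f


def content_streams(pdf: bytes) -> list:
    """Raw bytes of every stream object in the file."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf)]


def recover_text(pdf: bytes) -> list:
    """Every string a Tj operator draws, regardless of what is painted on
    top of it afterwards. This is all 'select all, copy' does in a viewer."""
    strings = []
    for stream in content_streams(pdf):
        for s in TJ_RE.findall(stream):
            s = s.replace(b"\\(", b"(").replace(b"\\)", b")")
            strings.append(s.decode("latin-1"))
    return strings


def filled_rectangles(pdf: bytes) -> int:
    """Number of filled rectangles; a 'black box' is nothing more than one."""
    return sum(len(RECT_RE.findall(s)) for s in content_streams(pdf))


def scrub_in_place(pdf: bytes, secret: bytes, fill: bytes = b"X") -> bytes:
    """Real redaction removes the text. Overwriting it with same-length
    filler keeps every /Length and xref offset valid, so the file still
    opens. Works only on uncompressed streams; compressed ones have to be
    inflated, scrubbed and re-deflated (or the file rewritten) by a proper
    redaction tool."""
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    return pdf.replace(secret, fill * len(secret))


if __name__ == "__main__":
    print("boxes drawn:", filled_rectangles(REDACTED_PDF))
    print("text still in file:", recover_text(REDACTED_PDF))
    print("after scrub:", recover_text(scrub_in_place(REDACTED_PDF, b"1234-5678")))
```

The black box and the text are independent drawing operations; nothing about the rectangle touches the string that precedes it, which is exactly why a viewer's copy command still returns it.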

In another round of the ever-escalating "armor vs. ordnance" malware battle, some malicious websites are now able to detect search engine "bots" (typically by user-agent string or IP address) and hide the malware from them, so the crawler sees a clean page while a real visitor does not. Detecting malware on websites is a priority for Google and Firefox, which use APIs to blacklist malicious sites.

On another front of that same battle, fake anti-virus vendors are gaining ground and the legitimate AV products are having more difficulty detecting the "rogues".

Breaches are going to happen. Here is an example of what a responsible dissemination of information looks like. Sadly, you rarely see this sort of transparency.

 

Dennis

 

 

Dennis H in West Virginia, US

April 28, 2010

Bits and Bytes – News from the World of Security (and elsewhere)

Wednesday, April 21st, 2010

Zeus + PDF = another security challenge. PDF files have become one of the leading attack vectors on the internet, and everyone needs to know to be careful. Zeus, one of the nastiest banking trojans, is now being spread this way.

"No updates for you!" Microsoft is a bit gun-shy after recent blue-screen problems that were actually the result of underlying malware infections. Some new updates will not install if "certain abnormal conditions" exist in the kernel (a likely indication of a malware infection). Running "mrt" from the "Run" box on XP or from the search bar on Vista / W7 will remove most of these infections.

Here is a good summary of the security features of W7 that we should all be familiar with.

Not many Nerds are big fans of Norton Internet Security, but it's good to see what they are up to. The 2011 version has some interesting new features, which are likely to consume even more resources than previous versions. The additional complexity will probably confuse users as well.

Fix a problem - create a bigger one. Microsoft has incorporated cross-site scripting (XSS) protection into IE8, but researchers have found a way to turn this "fix" into an even bigger problem. Security is not easy.

In case you were wondering - yes, there are "security / spyware (depending on your perspective)" apps for the Blackberry.

Here are 3 reasons employees break security rules: they don't know about them, the rules are not enforced, and the rules hinder productivity.

Public networks + smart phones = business risk. Everyone likes to be mobile, and what we used to call a "cell phone" is now a portable computer. The problem is, security on smart phones is often less robust and / or mis-configured.

Finally, here is a link to part two (so you can link back to part one) of a two-part series on protecting children online. It is a good summary and should be passed on to your clients who have young children.

 

Dennis

 

 

Dennis H in West Virginia, US

April 20, 2010

Beware the PDF

Wednesday, April 7th, 2010

PDF files have become the de-facto standard for sending documents. We think of them as being relatively innocuous because they are generally not editable. The specs for these documents are very powerful, though. Contained within these specifications is the power to run code within the document. If that sounds a little scary - it should.

PDF documents have become one of the most widely-used attack vectors for malicious code writers. This has been mostly related to security holes in the programs used to interpret .pdf files, specifically Adobe Acrobat Reader and (to a lesser degree) Foxit Reader. Most of these attacks can be thwarted by disabling the JavaScript execution feature of these readers (in Adobe Reader it lives under Edit > Preferences > JavaScript).

The native code-execution features of PDF files are supposed to be sandboxed. We have seen, though, that a "sandbox" is not the digital equivalent of a maximum-security prison. There have been several instances, Java applets being a well-known example, where code has managed to "escape" from its sandbox.

Recently, Didier Stevens showed that it is possible to embed and launch executable code from a .pdf file without relying on JavaScript at all; his demonstration used the PDF /Launch action, a documented feature of the format rather than a bug. Jeremy Conway has also shown that it is possible to create PDF worms that can overwrite and infect other PDF files.

The bottom line - advise all clients to be very cautious about opening PDF files, especially those that are unexpected or from untrusted sources. Attacks have been surfacing in the wild and we may reach the point where even PDF files from trusted sources are a threat.

Both Adobe and Foxit are scrambling to address this issue. In most cases, Adobe (and now Foxit, with the latest patch) will warn before executing code, but the attacker can manipulate the text in the warning dialogue, so there will be efforts to trick users into allowing the code to execute. Warn clients about this!!!
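An added example, not code from the original post or from Didier Stevens' own tools (though his pdfid does much the same job): a small Python scanner that counts the PDF name objects that let a document act on its own when opened, including the non-JavaScript /Launch route, and decodes the #xx escapes that PDF allows inside names so an obfuscated /L#61unch is still recognised. The sample documents are constructed fragments, not real malware. The scan is a flat byte scan: names inside compressed object streams (/ObjStm) will not be seen, which is why the scanner reports their presence rather than declaring such a file clean.

```python
"""Added example: a pdfid-style scan for PDF features that act on open."""
import re
from collections import Counter

# Name objects that let a document do something by itself. /OpenAction and
# /AA fire actions automatically; /JavaScript and /JS carry script; /Launch
# runs an external program with no script at all; /EmbeddedFile and
# /RichMedia carry payloads; /ObjStm means objects are packed into a
# compressed stream, where a flat scan like this one cannot see their names.
SUSPICIOUS = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"}

NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """PDF names may spell any byte as #xx, so /L#61unch is /Launch.
    Attackers use this to slip past scanners that grep for the plain word."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count of each suspicious name after escape normalisation."""
    counts = Counter()
    for raw in NAME_RE.findall(data):
        name = normalize_name(raw)
        if name in SUSPICIOUS:
            counts[name.decode()] += 1
    return dict(counts)


def verdict(counts: dict) -> str:
    automatic = counts.get("/OpenAction", 0) + counts.get("/AA", 0)
    scripted = counts.get("/JavaScript", 0) + counts.get("/JS", 0)
    if counts.get("/Launch"):
        return "launch action: tries to run a program, inspect before opening"
    if automatic and scripted:
        return "javascript runs automatically on open"
    if scripted:
        return "contains javascript"
    if counts.get("/ObjStm"):
        return "object streams present: inflate them before trusting this"
    return "no risky features found"


# Constructed sample fragments (not real malware). Only the catalog object
# matters to the scanner, so the rest of each file is omitted.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
          b"/OpenAction << /S /JavaScript /JS (app.alert('hello')) >> >> endobj\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /L#61unch /F (cmd.exe) >> >> endobj\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("js", JS_PDF), ("launch", LAUNCH_PDF)):
        counts = scan_pdf(sample)
        print(f"{label}: {counts} -> {verdict(counts)}")
```

A scanner like this is a triage tool, not a verdict: a clean result on a file full of object streams means only that nothing was visible, and a /Launch hit means the document will ask the reader for permission to run something, with part of that prompt under the attacker's control.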

 

Dennis

 

 

Dennis H in West Virginia, US

April 07, 2010

More News for You’s

Monday, March 29th, 2010

I sat down to write an article on Virtual Machine security / insecurity (coming soon), but there was just too much interesting news to pass up.

Charlie Miller - hacking genius, good guy, or bad guy? Charlie Miller, perhaps the best-known white-hat hacker, took the $10,000 prize for the fastest compromise of OS X 10.6 for the third year in a row. Charlie says he is fed up with the poor security practices from Apple, Microsoft, and Adobe. He is declining to reveal the flaws he has uncovered, but will tell the vendors how to find the vulnerabilities. He thinks they will benefit more from this than they would if he simply told them what the flaws are.

Charlie found most of these flaws by using a "dumb fuzzer" that he wrote. Vendors use fuzzers as well, but apparently Charlie's is better.

We are always telling clients to update their applications, as well as their operating systems. The bad news is that there is now malware that overwrites software updaters. This is doubly bad news - people will be infected by doing the "right thing" and updating. Worse, they will be afraid to update in the future because of the experience. Let's hope that software vendors find a way to solve this problem quickly.

Mozilla Plugin Check is a place where you can go to check Firefox for the latest versions of plugins. Mozilla is going to take this service one step further and check other browsers as well.

Spam pays. Why? Because even savvy users can't resist the temptation to CLICK THOSE LINKS, OPEN THOSE ATTACHMENTS, AND FORWARD THAT MESSAGE ON TO INFECT OTHERS! People just won't learn.

Another threat to warn clients about: rogue toolbars. Sheesh!

What are the biggest scams on the internet? Fake anti-virus popups are one of them, but I was shocked to see that "hitman" "pay me or I will kill you" scams are also on the list. Double sheesh!

If you want to read the sick stats on SPAM, here is an article for you. What is the probability that a .rar email attachment is infected with malware? Almost 97%. Go figure. It is not one of the most common malware-laced attachments, though. Those would be .xls, .doc, .zip, .pdf, .exe, .jpg, and .ppt.

I am looking for GOOD NEWS in the security world to match the title of the post, but not seeing much. I guess the Good News is that YOU are there to HELP your clients be the ones who STAY SAFE. Come to think of it, that really is Good News.

 

Dennis

 

 

Dennis H in West Virginia, US

March 29, 2010

Security News
Stuff to Make You Say “Really?”

Tuesday, March 23rd, 2010

Your grandmother could run a botnet. Really? You probably thought hacking skills and technical know-how were needed to be a botmaster. Nope - just $2500 US, an email address, and a desire to do some evil. Don't worry - Nana's (probably) not herding bots, but it's not because she lacks the necessary skills.

This may explain why cyber crime losses almost doubled last year. The number of web-based botnets doubled in the second half of 2009 and web-based botnets now outnumber the "old school" IRC-based botnets. Really? Yeah, really.

You might want to hold off on Firefox 3.6 for a while. Really? There is a known vulnerability that will not be patched until March 30.

100% guaranteed malware detection? Really? That is the claim that Dr. Markus Jakobsson makes for his new technique. He is being taken seriously by some major companies, too. This is a nerdy read, but an interesting one.

Humans are still the weak link in security. Really? That's not exactly big news, but it is worth repeating.

Lock down the security on that......copier? Really? Think about it - high end all-in-one office machines are copiers, scanners, and printers. They often have hard drives containing TONS of sensitive data and they are generally not on the radar screen when it comes to security. Permissions are often wide open. The next time you visit your SME clients, CHECK THE COPIER! If it has a hard drive, there is probably a lot of stuff on there that your client would like to keep private.

Takin' names and kickin' a** - Really? Publicizing the names of ISPs that allow their clients to do mischief is one way to get them to stop taking money from the bad guys - at least in places where people care about that sort of thing.

One more time - be careful where you put that payment card. Really? Here is another case of credit card fraud involving fake PIN pads that were planted in a chain of stores in the UK. Actually, the fake pads were visually identical to real ones, so no amount of care would have saved you. Some are now arguing that credit cards are safer than debit cards, since the crooks cannot empty your bank account and credit card companies provide more protections against credit fraud than against debit fraud, especially if a PIN was entered. This article explains further.

 

Dennis

 

 

Dennis H in West Virginia, US

March 23, 2010

Security News
Stuff You Might Just Want to Know About

Monday, March 8th, 2010

This USB battery charger from Eveready has been sold in the US and Europe since 2007. The software that comes with it includes a trojan that stays active, listening for commands on port 7777, even when the device is not connected. I always found that cute bunny with the sunglasses to be a little suspicious.

We trust Mr. Google to find us what we are looking for, but even the venerable Mr. Google gets attacked by the bad guys. It is called search engine poisoning, and it can trap the unwary. Think before you click, and don't always assume Mr. Google is right.

Anyone can digitally sign a file. The question is whether the digital signature chains back to a trusted Certificate Authority. Virus writers are becoming more sophisticated all the time, and some are now digitally signing their poison, making it look more official to those who are not careful about examining the signature. Fake signatures are easy to spot - IF you take the time to look: check who the signer is and whether the certificate chain is trusted, not merely that a signature is present. Your browser / OS will usually warn you as well, IF you pay attention. Education and awareness are still the best defense. More information can be found here.

Patching is a real pain - that is no secret to any of you. I have recommended Secunia PSI on numerous occasions for keeping third-party applications up to date. Secunia is working on an update that will make these updates automatic. Easy is good.

Endpoint Security - clients need to gain control over all those portable devices (USB drives, smart phones, MP3 players, etc.) that come and go from the work place. Along with them, malware can come and sensitive data can go. Here is an article that offers more information. The GOOD NEWS is that Nerds On Site will soon be able to offer endpoint protection as part of NerdCare.

This last one is not security-related, but it is worth noting. Microsoft is pulling the plug on the Windows Essentials Business Server product.

 

Dennis

 

 

Dennis H in West Virginia, US

March 8, 2010

Security News – helping you to help your clients stay safe

Wednesday, March 3rd, 2010

DON'T press the F1 key - there is a current vulnerability in Windows XP / IE that has not been patched. If an attacker can convince the user to press F1 (the default help key in Windows)...well, you know the rest of the story. There is no definite word about when there will be a patch available.

On a positive note, Microsoft has been taking the battle against botnets to the courts. Let's hope that others follow suit. This certainly will not cure the problem, but it sure helps.

Thick clients, thin clients, and now...zero clients. This device has no OS, no memory, no drivers. It simply connects a keyboard, mouse and display to a remote server via standard TCP/IP protocols. Now this is centralized management - and centralized security.

Have a Lenovo Thinkpad? Don't forget the supervisor password - Lenovo says the only fix is to replace the motherboard. Ouch!

Which is more secure - open source or commercial software? According to this article, open source software is patched more quickly.

Could your use of social networking raise your insurance premiums? According to this article, it could - at least in the UK.

Microsoft Security Essentials - it's free, it's good, but is it the REAL Security Essentials? Watch out, because there is a rogue pretending to be MS Security Essentials.

Another small chink has appeared in the armor of WPA / TKIP. This protocol is still reasonably secure, but best practice is now to move on to WPA2 with AES (CCMP) encryption, and to stop offering TKIP at all: a mixed-mode network that still advertises TKIP lets clients fall back to the weaker cipher.
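An added example, not part of the original post: a Python checker for hostapd configurations that flags WPA (v1) and TKIP and confirms that CCMP (AES) is actually offered. The three configurations are constructed samples (interface, SSID and passphrase are placeholders). The option names wpa, wpa_key_mgmt, wpa_pairwise and rsn_pairwise are real hostapd options; the rule that rsn_pairwise falls back to the wpa_pairwise value when it is not set follows hostapd's documented default and is the assumption the checker relies on.

```python
"""Added example: audit a hostapd.conf for WPA(v1)/TKIP instead of WPA2/CCMP."""


def parse_hostapd(text: str) -> dict:
    """Plain key=value lines; '#' comment lines and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return a list of findings; an empty list means WPA2 + CCMP only."""
    findings = []
    wpa = int(cfg.get("wpa", "0") or "0")  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 at all")
    if wpa & 1:
        findings.append("WPA (v1) enabled; clients may negotiate TKIP")
    if not wpa & 2:
        findings.append("WPA2 (RSN) not enabled")
    wpa_pairwise = cfg.get("wpa_pairwise", "").split()
    # Assumption (hostapd's documented default): rsn_pairwise takes the
    # wpa_pairwise value when it is not set, so TKIP leaks into WPA2 too.
    rsn_pairwise = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
    if "TKIP" in wpa_pairwise and wpa & 1:
        findings.append("wpa_pairwise allows TKIP")
    if "TKIP" in rsn_pairwise and wpa & 2:
        findings.append("rsn_pairwise allows TKIP under WPA2")
    if wpa & 2 and "CCMP" not in rsn_pairwise:
        findings.append("WPA2 enabled but CCMP (AES) not offered")
    return findings


# Constructed sample configurations (placeholders, not a real deployment).
WEAK_CONF = """
interface=wlan0
ssid=SmallBizNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=example-passphrase
"""

MIXED_CONF = """
interface=wlan0
ssid=SmallBizNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=example-passphrase
"""

FIXED_CONF = """
interface=wlan0
ssid=SmallBizNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=example-passphrase
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("mixed", MIXED_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(parse_hostapd(conf)) or "OK")
```

The mixed configuration is the one to watch for on client sites: it looks like WPA2 was turned on, but because TKIP is still advertised, any client that prefers (or is tricked into) the older cipher gets it.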

Are two malware programs better than one? Well, of course - we knew that (but then again, we know stuff).

Spam + drive-by download + Zeus = empty bank account. Watch out for fake IRS (Revenue Canada, etc.) email messages. Zeus is a nasty password-stealing trojan that has emptied many a bank account. It is also being spread through fake AIM updates.

Want to know more about how SQL injection attacks work? Here is a good place to learn more. SQL injection attacks are among the most common web attacks. The root cause is always the same: the application pastes user input into the text of a SQL statement, so quotes and comment markers in that input change what the statement does. The fix is to send values separately from the SQL, using parameterized queries.
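As an added worked example (not from the post or the article it links to): a Python sqlite3 script with a login check and a user search written the vulnerable way, string-building the SQL, beside the same two functions using parameter placeholders. The table, user names and passwords are constructed for the demo; passwords are stored in clear only so the UNION leak is visible, where a real system would store salted hashes.

```python
"""Added example: SQL injection against string-built queries, and the fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed demo table (plaintext passwords for visibility only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # User input is pasted into the SQL text, so a quote closes the literal
    # and "--" turns the rest of the statement into a comment.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL,
    # so they can only ever be compared, never parsed.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def search_vulnerable(conn, fragment: str) -> list:
    # Same defect in a query that returns rows: a UNION in the input
    # appends any column of any table to the result.
    query = f"SELECT username FROM users WHERE username LIKE '%{fragment}%'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, fragment: str) -> list:
    # The wildcard is added to the value, not to the statement.
    query = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(query, (f"%{fragment}%",))]


if __name__ == "__main__":
    db = make_db()
    print("comment bypass:", login_vulnerable(db, "alice' --", "wrong"))
    print("tautology bypass:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("same inputs, safe:", login_safe(db, "alice' --", "wrong"),
          login_safe(db, "nobody", "' OR '1'='1"))
    leak = "' UNION SELECT password FROM users --"
    print("leaked via UNION:", search_vulnerable(db, leak))
    print("same input, safe:", search_safe(db, leak))
```

Note that the safe versions are not "escaping" anything; they simply never let the input become part of the statement, which is why the same payloads return nothing rather than needing a blacklist of dangerous characters.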

 

Dennis

 

 

Dennis H in West Virginia, US

March 3, 2010

Security News
More Stuff Worth Knowing

Tuesday, February 9th, 2010

Tomorrow is Patch Tuesday (again). This is going to be another big one - 13 patches, 5 of which are critical.

Here is another reason that access to commercial bank accounts should be limited to computers that are used for nothing else. Online bank accounts should NOT be accessed by computers used for general-purpose web surfing! Having a dedicated computer may seem like an extreme measure, but not to the City of Poughkeepsie, NY (at least not now)!! Instead of retiring that old desktop or laptop, install a hardened and restricted version of Linux and make it the only computer that has access to bank accounts.

We all love those Firefox add-ons, but watch out for the ones in the "experimental" section - user beware.

Made in China? That may be a reason to think twice when it comes to hardware.

Think banks and retailers are the biggest target for hackers? Think again - think hotels and the hospitality industry. For those of you who have hotel clients, this is worth bringing to their attention.

Why should employers invest in the technology and your services to make SURE P2P and social networking are not part of the workplace? Show them this and this.

Think the dangers of public wifi are limited to the time you are connected to them? Then you MUST read this.

This has NOTHING to do with security, and I by no means want to encourage anything you consider a bad habit, but some of you will consider this good news - beer is good for your bones (but too much of it may lead to breaking them).

 

Dennis

 

 

Dennis H in West Virginia, US

February 09, 2010

Security News – Stuff U Should Know About

Monday, January 18th, 2010


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi - cool tool, but, it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your Quicktime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.

Not all threats come from the outside. "Trusted" employees can represent even greater threats because they have privileged access.

ATM fraud - more common than you think. Check out this skimmer - complete with a camera to record PIN entries. Pay attention when visiting the ATM!

The "Google attack" had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe - check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

 

Dennis

 

Dennis H in West Virginia, US

January 18, 2010