Posts Tagged ‘Security News’

Security News
Stuff You Might Just Want to Know About

Monday, March 8th, 2010

This USB battery charger from Eveready has been sold in the US and Europe since 2007. The software that comes with it includes a trojan that stays active, listening for commands on port 7777, even when the device is not connected. I always found that cute bunny with the sunglasses to be a little suspicious.

We trust Mr. Google to find us what we are looking for, but even the venerable Mr. Google gets attacked by the bad guys. It is called search engine poisoning, and it can trap the unwary. Think before you click, and don't always assume Mr. Google is right.

Anyone can digitally sign a file. The question is whether the digital signature traces back to a trusted Certificate Authority. Virus writers are becoming more sophisticated all the time, and some are now digitally signing their poison, making it look more official to those who are not careful about examining the signature. Fake signatures are easy to spot - IF you take the time to look. Your browser / OS will usually warn you as well, IF you pay attention. Education and awareness are still the best defense. More information can be found here.

Patching is a real pain - that is no secret to any of you. I have recommended Secunia PSI on numerous occasions for keeping third-party applications up to date. Secunia is working on an update that will make these updates automatic. Easy is good.

Endpoint Security - clients need to gain control over all those portable devices (USB drives, smart phones, MP3 players, etc.) that come and go from the work place. Along with them, malware can come and sensitive data can go. Here is an article that offers more information. The GOOD NEWS is that Nerds On Site will soon be able to offer endpoint protection as part of NerdCare.

This last one is not security-related, but it is worth noting. Microsoft is pulling the plug on the Windows Essentials Business Server product.

 

Dennis

Dennis H in West Virginia, US

March 8, 2010

Security News – helping you to help your clients stay safe

Wednesday, March 3rd, 2010

DON'T press the F1 key - there is a current vulnerability in Windows XP / IE that has not been patched. If an attacker can convince the user to press F1 (the default help key in Windows)... well, you know the rest of the story. There is no definite word about when there will be a patch available.

On a positive note, Microsoft has been taking the battle against botnets to the courts. Let's hope that others follow suit. This certainly will not cure the problem, but it sure helps.

Thick clients, thin clients, and now... zero clients. This device has no OS, no memory, no drivers. It simply connects a keyboard, mouse and display to a remote server via standard TCP/IP protocols. Now this is centralized management - and centralized security.

Have a Lenovo Thinkpad? Don't forget the supervisor password - Lenovo says the only fix is to replace the motherboard. Ouch!

Which is more secure - open source or commercial software? According to this article, open source software is patched more quickly.

Could your use of social networking raise your insurance premiums? According to this article, it could - at least in the UK.

Microsoft Security Essentials - it's free, it's good, but is it the REAL Security Essentials? Watch out, because there is a rogue pretending to be MS Security Essentials.

Another small chink has appeared in the armor of WPA / TKIP. This protocol is still pretty secure, but best practice is now to move on to WPA2 and AES encryption.

Are two malware programs better than one? Well, of course - we knew that (but then again, we know stuff).

Spam + drive-by download + Zeus = empty bank account. Watch out for fake IRS (Revenue Canada, etc.) email messages. Zeus is a nasty password-stealing trojan that has emptied many a bank account. It is also being spread through fake AIM updates.

Want to know more about how SQL injection attacks work? Here is a good place to learn more. SQL injection attacks are among the most common web attacks.

 

Dennis

Dennis H in West Virginia, US

March 3, 2010

Security News
More Stuff Worth Knowing

Tuesday, February 9th, 2010

Tomorrow is Patch Tuesday (again). This is going to be another big one - 13 patches, 5 of which are critical.

Here is another reason that access to commercial bank accounts should be limited to computers that are used for nothing else. Online bank accounts should NOT be accessed by computers used for general-purpose web surfing! Having a dedicated computer may seem like an extreme measure, but not to the City of Poughkeepsie, NY (at least not now)!! Instead of retiring that old desktop or laptop, install a hardened and restricted version of Linux and make it the only computer that has access to bank accounts.

We all love those Firefox add-ons, but watch out for the ones in the "experimental" section - user beware.

Made in China? That may be a reason to think twice when it comes to hardware.

Think banks and retailers are the biggest target for hackers? Think again - think hotels and the hospitality industry. For those of you who have hotel clients, this is worth bringing to their attention.

Why should employers invest in the technology and your services to make SURE P2P and social networking are not part of the workplace? Show them this and this.

Think the dangers of public wifi are limited to the time you are connected to them? Then you MUST read this.

This has NOTHING to do with security, and I by no means want to encourage anything you consider a bad habit, but some of you will consider this good news - beer is good for your bones (but too much of it may lead to breaking them).

Dennis

Dennis H in West Virginia, US

February 09, 2010

Security News – Stuff U Should Know About

Monday, January 18th, 2010


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi - cool tool, but it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your QuickTime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.

Not all threats come from the outside. "Trusted" employees can represent even greater threats because they have privileged access.

ATM fraud - more common than you think. Check out this skimmer - complete with a camera to record PIN number entries. Pay attention when visiting the ATM!

The "Google attack" had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe - check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

 

Dennis

Dennis H in West Virginia, US

January 18, 2010