Tuesday, May 3, 2011

Free! (Fake) Antivirus Software!

Hopefully you've heard about the plethora of fake AV programs making the rounds these days that are used to infect PCs -- I have come across this kind of thing three times in the last couple weeks and it's pretty impressive how the crooks manage to hijack the browser. Let's take a look at how it goes down.

Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.


From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a free malware scan of your system! How generous! Except that it's not really scanning anything.

That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files were found, and that you can download something called Windows Defender:

Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. Assuming you don't have "automatically download files" turned on in your browser (please tell me you don't), after clicking pretty much anywhere, you'll get something like this -- but don't press Run for crying out loud!:


Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in


At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.

This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.

So yet again I will recommend using something other than IE as your default browser; as I've said at least a couple times my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to http://www.mozilla.com/firefox/. Install that and then go to http://noscript.net/ and install that. By default, NoScript blocks all scripted behavior, but with some simple clicks you can either temporarily or permanently allow the various scripting elements that most websites need in order to work. The latter option causes NoScript to remember the pages that you've allowed, so that the next time you go to one it will behave the way you want it to without your having to Allow it again.

Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".

Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.

Thursday, December 30, 2010

I Gotcher Security/Privacy Checklist for 2011 Right Here, Pal

Another year, another couple dollars, another couple or three or six hundred serious security flaws in Windows/MacOS X/*nix/Adobe Reader/Adobe Flash/Photoshop/Microsoft Office/Internet Explorer/Safari/Firefox/JavaScript/etc/etc that have been (and in many cases, still are) leveraged by the crooks to separate you from your money and personal/private information.

With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:

1. STOP USING IE. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest Firefox + the NoScript plugin, or possibly Google Chrome + its NotScript plugin - although I have far less experience with Chrome so I can't unequivocally recommend it.

2. STAY UPDATED. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)

3. FIX YER ACROBAT/READER SOFTWARE. If you use Adobe Acrobat or Adobe Reader to view .pdf files, update to the latest "X" version, and then immediately do this:
  • open Edit > Preferences
  • in the JavaScript part, turn off "Enable Acrobat JavaScript"
  • in the Trust Manager part, turn off "Allow opening of non-PDF file attachments with external applications"
If you're running version 9 and don't want to update to version X*, please do still do the above steps.

Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.

* that link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.

4. Another thing about Acrobat and Reader - there are alternatives. I have tried FoxIt a couple times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the Google Docs Viewer for reading PDF files in Firefox (it works in all of the other browsers as far as I know).

5. WEAR PROTECTION. For Windows users - now that Microsoft has its free MS Security Essentials anti-malware software available, there is no excuse to not be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE.

6. CONNECT SECURELY. There is another nice utility plugin for Firefox called HTTPSEverywhere. If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "https://www.yourbank.com" when you're logged into the financial site... The "s" in "https" means "secure". Many other non-financial sites support the https protocol, as well as the usual "http" protocol.

Here's what HTTPSEverywhere does for the sites it knows about that support https connections: it forces you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https your connection cannot be snooped, which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet. In general you always want "https" if it's available, no matter what you're doing.

7. BE SELFISH. Turn off any unnecessary "network shares" on all of your computers.

8. USE PASSWORDS. Make sure every machine on your network is login password-protected.

9. MASSAGE YOUR ROUTER. Make sure your router (or modem/router - i.e. the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.

Typically the router configuration is accessed through a mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.

In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:
  • Change the default administrative password for the router. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this.
  • Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 is better, WEP is sorta kinda better than nothing, but not much. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. financial) information from other computers connected to your network.
  • Turn off anything that says "Plug and Play" (UPnP).
  • Make sure the NAT firewall is enabled. It might just say "Firewall".
  • Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up and then stop using whatever program needs them open, close them.

10. USE "LASTPASS". I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I already did that not too long ago.


11. BACK UP YER STUFF. This is a huge topic, and I won't go into detail, but - do you have at least two, recent backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say two backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have two copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and certainly not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something.

12. DON'T EVER CLICK ON A LINK IN AN EMAIL. E.g. if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, don't click on the link that is provided. Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".

OK, that's your twelve steps. I'm sure I left something important out - there are so many things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.

Tuesday, November 23, 2010

Firefox Saves the Day

I just got to see a new feature in Firefox 3 at work, and it's pretty cool.

I had an email in my GMail spam folder that looked like this:


Looks pretty legit, right? The link text appears OK. However, the actual link looks something like (part of the URL intentionally deleted):

http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking...

So obviously it's at best a personal information phishing site. Well, I decided to see where that would take me, so I clicked on it. However, Firefox saved me from myself:


Clicking on the "Why was this page blocked?" button shows this:

I tried this in Internet Explorer and I'm happy (and a bit surprised) to report that it gave a similar "you really don't want to go there" message.

However, even though our browsers sometimes try to protect us from ourselves, links in emails should never be clicked on. If you get a message from your bank that wants you to log in for whatever reason, go to your browser and type in the URL that you know to be the correct one for your bank (if you don't have it bookmarked) rather than click on anything in an email.
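The check the post describes by hand (the link text looks fine, the real destination does not) can be automated. This is an added example, not code from the post or from any browser; it uses only Node's built-in URL class, the brand list and the sample links are constructed here, and the first sample href is the one quoted above (left truncated, as in the post). It also generalizes to the "brand.com.evil.example" subdomain trick:

```javascript
// Added example, not from the original post: classify a link the way a mail
// filter might, using only Node's built-in URL class. Two checks:
//  1. if the visible link text names a domain, it must be the domain the
//     href really goes to;
//  2. a protected brand name may not appear anywhere in the href unless the
//     registrable domain itself is that brand (catches both the post's
//     "brand in the path" trick and "brand.com.evil.example" subdomains).
// Brand list and sample links are constructed for this example.

const PROTECTED_BRANDS = ['bankofamerica', 'paypal', 'ebay'];

// "smtp.example.com" -> "example.com". Assumption: a two-label suffix is
// enough for the .com hosts used here (real filters use the Public Suffix List).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// The domain a reader would see in the link text, or null if there is none.
function domainFromText(text) {
  const m = text.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
  return m ? registrableDomain(m[0]) : null;
}

function checkLink(text, href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { suspicious: true, reason: 'href is not a valid URL' };
  }
  const hrefDomain = registrableDomain(url.hostname);

  const textDomain = domainFromText(text);
  if (textDomain && textDomain !== hrefDomain) {
    return { suspicious: true, reason: `text shows ${textDomain}, href goes to ${hrefDomain}` };
  }

  const whole = href.toLowerCase();
  for (const brand of PROTECTED_BRANDS) {
    if (whole.includes(brand) && !hrefDomain.includes(brand)) {
      return { suspicious: true, reason: `"${brand}" appears in the URL but the real domain is ${hrefDomain}` };
    }
  }
  return { suspicious: false, reason: 'text and destination agree' };
}

// The first href is the one quoted in the post (left truncated, as there).
const SAMPLES = [
  ['Bank of America Online Banking',
   'http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking...'],
  ['www.bankofamerica.com', 'http://bankofamerica.com.evil.example/login'],
  ['www.bankofamerica.com', 'https://www.bankofamerica.com/login'],
];

for (const [text, href] of SAMPLES) {
  const v = checkLink(text, href);
  console.log(`${v.suspicious ? 'SUSPICIOUS' : 'ok'}: "${text}" -> ${href}\n   ${v.reason}`);
}
```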

Friday, November 19, 2010

Stuxnet Worm - still in the news

I have posted three times about the Microsoft Windows "Shortcut (LNK)" vulnerability since July. A lot has transpired since then; it's been found to be one of six security issues in Windows that are leveraged by the Stuxnet worm (some of which were previously unknown in the security community).

Stuxnet is in the press right now as being one of the most serious security threats ever unleashed, and is said to be a sort of "new animal" in cyber-warfare. I'll provide some links for further reading below, but the apparent intent and sophisticated behavior of Stuxnet is so, well, awesome (in a bad way) that I do want to summarize what's been learned:
  • Its targeted behavior is very specific - although it propagates via Windows (using USB memory sticks and/or network connections), its ultimate target is a particular brand of industrial controller computer made by Siemens, which is network-connected to those Windows systems
  • Not only is it Siemens "SCADA"-system specific, but its end targets are "variable-frequency drives" made by two specific companies, that regulate the speed and operation of electric motors
  • Only motors that are programmed to run within a specific speed band are targeted
  • The speed band corresponds to speeds used by uranium refinement centrifuges
  • The end result is that Stuxnet causes those motors to periodically overspeed and underspeed

It's still not known who wrote Stuxnet, but there is universal agreement that its sophistication and complexity are unprecedented, and that it is unfortunately probably the first shot fired in a new level of cyber-warfare.

As promised, here are some links if you want to dig deeper:

I promise we have not heard the end of this "worm".

"Shall we play a game?"

Thursday, October 28, 2010

WPA Wireless Password Cracking For Fun & Profit

Many of my friends and family have heard or read my whinings about how using WEP encryption for your wireless network is a short hair away from "extremely stupid", and that you should really be using WPA (or better, WPA2). Well, I am hoping that the message has gotten through to most folks, although I must say that when I do a site survey around my neighborhood even now, I still see the occasional WEP-"protected" hotspot pop up.

But you, being smarter than the average bear, are now sitting behind a WPA-protected router at home or in your office - life is good! Welllll... maybe not. What kind of passkey did you lock it down with? Please tell me it's not your dog's name, or maybe favorite gourmet dish, or your Mom's maiden name... Is it?

The reason why I ask is this: there is at least one company out there that offers a WPA password-cracking service, for $17 a crack. Apparently it takes 40 minutes or less if your password is in their 135 million word "dictionary".



All that's required is to provide them with a "sniff" file of a wireless network that is to be infiltrated. This sniff (.pcap) file can be easily created using a laptop with a wireless card and open-source software such as aircrack-ng (even I've done it, purely in the interest of research and learning of course - and I did it using my own wireless router as the target).

Now you may be saying, "but Igor, who is going to go to the trouble of trying to hack into my network?" That's a good question, but IMO the wireless part of any network is potentially its weakest link, so why not lock it down as best you can so you don't have to worry about it?

That means you need a decent password. I won't say "excellent" or even "very good" password - you probably don't want to use the kind of gobbledegookeley password that LastPass can generate, because you might want to give some (highly) trusted person access to your wireless network. So you want a password that can be verbally relayed to someone without too much difficulty.

Remember that the kind of WPA cracking we're talking about depends on a dictionary. Even a dictionary that has 135 million words in it is not going to have bizarre combinations of words and letters (let alone punctuation marks). So how could you create a Bizarre Combination? One suggestion is to use some kind of easy-to-remember number followed by a string of easy-to-remember words - yet numbers and words that are not blatantly obvious to everyone who knows you. I'll throw this out:

the first address number you lived at that you remember +

high school name +

favorite gradeschool teacher

So in my case (and no I don't use this password anywhere) it would be

648ravenswoodhackworth

Now that's a pretty good password. Throwing in some punctuation and capitalization, e.g.

648.Ravenswood.Hackworth

makes it far more unlikely (I would submit, impossible) for any dictionary to have that particular sequence in it. Easy Cheesy! And pretty easy to remember as well.

Heck, write it down on a piece of paper and put it in your desk drawer - if the miscreant who's trying to break into your network has physical access to your desk drawer, you have far bigger problems than I'll attempt to address here!
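A checker for exactly the weaknesses this post describes, as an added example that is not from the post: it enforces the WPA passphrase rules (8 to 63 printable ASCII characters), rejects a single dictionary word with digits or a symbol tacked on, and counts how many number and word components a candidate has, applying the post's "number plus two unrelated words" recipe. The tiny wordlist and the candidates are constructed for the demo; the post's two example passphrases are among them.

```javascript
// Added example, not from the original post: a checker for the weaknesses the
// post describes. WPA/WPA2 passphrases are 8 to 63 printable ASCII characters;
// beyond that, what matters is whether a wordlist attack would ever reach the
// string. The wordlist and the candidate list are constructed for this example
// (a real check would load a large wordlist); the post's own examples are included.

const WORDLIST = new Set(['password', 'ravenswood', 'hackworth', 'fido',
  'lasagna', 'sunshine', 'letmein', 'smith']);

// A single wordlist word, any capitalisation, with up to four digits and one
// symbol tacked on: the kind of "mangling" every crack dictionary already has.
function isMangledWord(p) {
  const m = p.match(/^([A-Za-z]+)\d{0,4}[^A-Za-z\d]?$/);
  return Boolean(m) && WORDLIST.has(m[1].toLowerCase());
}

// Split a run of letters into wordlist words using as few words as possible.
// Returns null when the run cannot be built from wordlist words at all.
function segment(run) {
  const s = run.toLowerCase(), n = s.length;
  const best = new Array(n + 1).fill(null);
  best[0] = [];
  for (let i = 0; i < n; i++) {
    if (!best[i]) continue;
    for (let j = i + 1; j <= n; j++) {
      const w = s.slice(i, j);
      if (WORDLIST.has(w) && (!best[j] || best[i].length + 1 < best[j].length)) {
        best[j] = best[i].concat(w);
      }
    }
  }
  return best[n];
}

// Break the passphrase into the pieces a human reads: digit runs, letter runs
// (further split into dictionary words where possible) and punctuation runs.
function components(p) {
  const out = [];
  for (const piece of p.match(/\d+|[A-Za-z]+|[^A-Za-z\d]+/g) || []) {
    if (/^[A-Za-z]+$/.test(piece)) out.push(...(segment(piece) || [piece]));
    else out.push(piece);
  }
  return out;
}

function checkPassphrase(p) {
  const problems = [];
  if (p.length < 8 || p.length > 63) problems.push('must be 8 to 63 characters');
  if (!/^[\x20-\x7e]*$/.test(p)) problems.push('only printable ASCII is allowed');
  if (isMangledWord(p)) problems.push('one wordlist word plus digits/symbol: a crack service will find it');
  const parts = components(p);
  const words = parts.filter(x => /^[A-Za-z]+$/.test(x)).length;
  const digits = parts.filter(x => /^\d+$/.test(x)).length;
  const punct = parts.length - words - digits;
  // The post's recipe: a number plus at least two unrelated words.
  if (words + digits < 3) problems.push('combine a number with at least two unrelated words');
  return { ok: problems.length === 0, words, digits, punctuation: punct, problems };
}

// Constructed candidates: the post's two examples, then typical weak choices.
for (const p of ['648ravenswoodhackworth', '648.Ravenswood.Hackworth', 'Fido2010', 'Lasagna!', 'sunshine']) {
  const r = checkPassphrase(p);
  console.log(`${r.ok ? 'OK  ' : 'WEAK'} ${p} (words=${r.words} digits=${r.digits} punct=${r.punctuation}) ${r.problems.join('; ')}`);
}
```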

Friday, September 3, 2010

Escaping Password Hell with "LastPass"

There are two or three people out there that recognize the importance of using robust passwords for important on-line resources like banks and PayPal and eBay and such (as well as using different passwords for each site). Most everyone else uses their dog's or first born child's name for every single thing they have to log into on the net... Because it's really hard to remember passwords that are robust, such as E5A@/6Z(aKj&^]RO+V. So in the end most people don't even try.

Admittedly, I was somewhat lax about robust passwords too, until recently - I had one password that I used for casual sites, and a much longer one that involved a combination of numbers and characters for my financial sites. But still, I used that one password at a lot of different places.

Via episode #256 of the Security Now podcast, I've become aware of the free LastPass product, and am now using it for all of my password needs. Here, I'll try to summarize what it does and hopefully how easy it is to use, in the hopes that you'll take the time to start using it too.

Firstly - before we continue - here's what LastPass supports: Windows, Mac OS X, Linux, Firefox, Safari, Chrome, and even Internet Explorer 8^) . So most people will be able to use this cool utility.

OK - onwards... The thing I like most about LastPass (which I'll call "LP" from here on out) is that all of my passwords are stored in encrypted form "in the cloud". This lets me access them from any browser that I have the LP plugin installed on, so I can be anywhere in the world. Since the encryption is done "locally" - i.e. on my computer rather than by the LP site, they are extremely well protected. Not even the LP people have any way of getting my passwords unless I tell them my Master Password. When I need to use a password, LP goes up to my cloud-stored Password Vault, grabs the encrypted password, sucks it down the Internet Pipes, decrypts it, and fills in the password field on a web page.

But - there is a caveat: you will need to have one robust Master Password - it's the "key to the kingdom" of all of the rest of your passwords. It really needs to be "strong" and you really really need to be able to remember it. And - your dog's name or mother's maiden name ain't gonna cut it. (A place to start is - combine the home phone number that you had when you were a kid with the names of your three best friends in high school - e.g. 3042732273JamesFredHomer is a pretty good password.)

Once LP is installed (it automatically installed into both Firefox and IE for me) you can get started. I was able to import all of my passwords from the previous password vault utility that I used (Roboform ToGo), which was nice (it can also import from IE's and Firefox's password caches, as well as a bunch of other password products). Once that was done, I could go to my Password Vault in my browser:

From there I can combine my passwords into Groups (e.g. "Shopping", "Travel", etc.), edit them, delete them, and even Share them (securely) with another LP user. Also, just by clicking on a site name, it will bring that site up and fill in your credentials. For new sites, LP will offer to remember the username and password for each one.

But what I did right after installation is use LastPass's built-in password generator to create new passwords for all of the financial sites that I use. Since different sites have different requirements for passwords - and on the flip side, limitations to what characters/numbers/etc. they can understand - the LastPass generator can be easily configured:

Every time "Generate" is pressed, it will generate a fresh password based on what you have setup for length and contents... The green bar gives you an idea of how secure each new password is.

LP can guide you through the process of replacing your old, crummy, too-short passwords that you've used for the last ten years with much more secure ones that it generates. And the beauty is that you don't have to remember any of them - when you next visit any of the sites that are stored in LP, it will automatically fill in the username and password fields (and it can even press the "login" button for you if you want).

One other significant feature is that LP can fill out most web pages that want your name, phone number, credit card, credit card expiration date, credit card CVV number, ship-to address, bill-to address, etc. You can enter that stuff into LP once; from that point on it will fill in all of those fields for you. And, like the contents of the Password Vault, all of that information is encrypted and safe.



So I mentioned at the outset that LP is free, and everything that I've described (and quite a bit more that I won't go into, lest this become even more of a novel-length post) is free. There are, however, some additional features that are only in the Premium version. One of them is the ability to download and install the LP applet for the iPhone/iPad/iPod Touch, BlackBerry, Android, and Windows Mobile devices so that you can always keep your entire Vault with you. Several other Premium features are there too, as described here. Now comes the bad news - it's gonna cost you... drum roll please... a buck a month. Howsa! I'm trying to think of something else that costs a buck a month... Nope, can't.

But if you don't need any of the Premium stuff, all you have to lose by trying LastPass is the time it takes to install it and learn it, and I encourage you to give it a shot.

Finally: a friend of ours was recently "hacked" on-line and was conned out of a few hundred dollars. She was pretty freaked out about it... I asked her what kind of password she was using. You guessed it, the names of her dogs. I told her about LastPass and was going to help her get it installed and running, but she was able to get it going on her own without any assistance (other than my suggesting ways to create an easy-to-remember Master Password). So I think that's a good testimonial that it's pretty straightforward to use.

Tuesday, August 3, 2010

Microsoft releases "out of cycle" patch for Shortcut Flaw

Hopefully you've already heard about this because you're Paying Attention, but just in case you haven't: Microsoft released a fix yesterday (Monday) for the shortcut/LNK vulnerability that has been in the news over the past couple of weeks. I strongly recommend that you get your Windows system(s) patched with this fix. I have patched my WinXP and Win7 systems with no issues, and have subsequently removed the workarounds that I had in place.

Go to MS's Security Bulletin MS10-046 and select your version of Windows from the table there; that will take you to a download/instruction page - or alternatively, run Windows Update, which should get it for you automatically. You will probably have to reboot your system afterwards (I had to for both XP and Win7).

Update: Microsoft has released a fairly technical Q&A for this fix - good reading for those that want to dig into the details.