Anticipated Android Apps

2011 has almost come to an end, and we’ve already seen some great Android apps come out this year. But 2012, which is just around the corner and it looks like it will be another eventful year for Android. Now that the latest OS version, Android 4.0 Ice Cream Sandwich (ICS), has hit the market, several device makers are expected to release ICS handsets for a ready consumer market. LG is the latest to reveal its plans around ICS, kicking into high hear during the second quarter of next year. Among the first phones to get the upgrade are the Optimus 2X, which made waves as the world’s first dual-core smartphone earlier this year, and the Optimus LTE. Others in the Optimus lineup, including the 3D, Black and Big, will also receive the ICS update by Q3 of next year.

 

Android’s competition in the mobile and tablet market, Apple has had a long head start in mobile apps over it’s new archival Google. However, new data shows that the number of Android apps has grown 127 percent since August and offerings in Google’s Android Market should outnumber the total for iPhone apps by mid-2012.

2012 has some great apps in store for the open-source mobile platform. (more…)

Adobe Flash Update

Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux,  Solaris and Android versions of Flash and Adobe Air.

The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.

Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR  v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.

To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links; 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, you let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).

The installer for the latest Adobe Air version is available from this link.

Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.

“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”

Mac Flashback Trojan

The security by obscurity myth is finally blown out of the water…Mac’s are pretty much mainstream these days and it yet again proves my points about Mac virus resistance, it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.

Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.

The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.

“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”

By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.

Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.

“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”

With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.

I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.

Early I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.

How Windows gets malware

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S. This group has been collecting data for 3 months on actual infections of computers by drive-by attacks on browsers.  Drive-by attacks are when you go to an innocent website and get a virus anyway.  This is typically from ads or hacked links.

Basis of the study

CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software that are at risk.

CSIS monitored more than 50 different exploit kits on 44 unique servers / IP addresses. Figures come from the underlying statistical modules, thereby ensuring an as precise overview of the threat landscape as possible. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates.

Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:

CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code

The report above describes those operating systems, browsers, and applications that are vulnerable in the real world scenarios they have observed.  Here it is slimmed down:

Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.

Salient point is that, fully updated and patched installs let 70% of the infections through. Mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits) All you folks encourgaging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

Conclusion: 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:

Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%

For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.

We don’t want you getting viruses because it’s difficult to remove and more importantly, expensive and time consuming.

1. Uninstall java. Most end users never have a need for it and don’t update it.

2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.

3. Update flash as often as it says or switch to Chrome.

4. Use ESET NOD32 & HitmanPro for protection

Adobe Pushes Update

How can anyone stay on top of all the attack vectors on a Windows computer? Every machine I touch these days, never gets consistently updated, especially if it is a personal computer. Today I find that Adobe pushes an unscheduled security update.

“As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability.

Also, this just in. “Software maker Adobe Systems has launched Flash Player 11 and Adobe AIR 3 even as the industry is shifting to HTML 5 on the Web that lessens the reliance of developers on Flash.” Flash Player 11 and AIR 3 are scheduled for release in early October. Adobe didn’t give the date, but you should expect release at Adobe’s annual Max conference, between 1 and 5 October. Both support full hardware acceleration for 2D and 3D graphics, which Adobe claims provides rendering performance 1,000 times faster than Flash Player 10 and AIR 2.

Do you know what Flash version you have installed? No? Then use Adobe’s version test page. You can also check here.

Once you have the current version, you may also wish to adjust your configuration. Flash’s settings are rather curious as the controls themselves aren’t located on the computer but are instead accessed through a Flash object hosted by Adobe.

Adobe: “The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer.”

Right-clicking a Flash object and selecting “Global Settings” opens a page to Adobe’s Flash Player Settings Manager.

Just as flaws in the ubiquitous Adobe Flash were exploited to infiltrate RSA Security and compromise the encryption keys used in RSA’s SecurID two-factor authentication tokens, Flash may also have been the Achilles heel of Diginotar.

Adobe Flash is nearly universal. With Adobe Flash Player software and browser plug-ins available for virtually every operating system and browser, this zero-day flaw could potentially impact 90 to 95 percent of the PCs in the world.

Andrew Storms, director of security operations for nCircle, connects the dots. “Adobe said that today’s bug ‘could be used to act on the user’s behalf with webmail providers.’ I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user’s Gmail account.”

I implore you to patch Flash as soon as possible.

Software updates: Adobe

Adobe issued it’s monthly update last week, to eliminate 13 security flaws in its PDF Reader and Acrobat products. Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

Affected software versions

• Adobe Reader X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Reader 8.3 and earlier 8.x versions for Windows and Macintosh
• Adobe Acrobat X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Acrobat 8.3 and earlier 8.x versions for Windows and Macintosh

Severity rating
Adobe categorizes these as critical updates.

Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

Online Safety – 5 Secrets

In any given week, I get dozens of requests for help. The #1 question typical is this:  “How do I protect myself online?” These days I’m getting that question in equal numbers from PC and Mac owners who are concerned about the best way to avoid being sucker-punched by social engineering attacks.

Many people think that security begins and ends with antivirus software. I disagree. Should you run antivirus software? As I’ve said before, if you don’t know the answer to that question, then the answer is yes.

So let’s stipulate that you’re running a well-supported, up-to-date security program—whether you use a PC or a Mac. What else do you need to do? In this post, I share the five steps I teach to friends, family members, and clients who want to avoid malware, scareware, phishing sites, and other online scams.

If you’ve been paying attention to the current threat landscape, much of the advice in this post will be familiar, even obvious. A lot of it is just common sense, but some is unconventional wisdom. Yes, of course you should expect to be attacked if you download porn or pirated software. But just staying out of bad online neighborhoods isn’t sufficient anymore.

These days, threats can come from unexpected places: Google (and Bing) search results, compromised websites, deceptive ads, seemingly innocent downloads. You don’t have to be doing anything out of the ordinary to inadvertently stumble across one of these potential threats.

If I had to summarize my guidance in a single sound bite, it would go something like this: Pay attention to your surroundings, don’t be stupid and don’t run around on the web with full administrative rights on your computer. Better yet, give Linux Mint a try http://jet-computing.com/linux/linux-mint/

Alright then, let’s break that down.

Step 1: Don’t panic.

To borrow from a classic Monty Python sketch,  the two … no, three chief weapons of online criminals are “fear and surprise…and ruthless efficiency.” Their goal is to appear when you don’t expect them and convince you to act hastily. Online criminals often play on fear (your PC or Mac is infected with malware!) or simple social engineering (try these smileys! oh, and you need this codec—fake, of course—to play an enticing video clip).

The antidote to Monty Python, of course, is Douglas Adams, for whom “Don’t panic” was the secret of successful intergalactic hitchhiking.

When in doubt, stop. Think. Ask for help. If you’re truly worried, pull the plug on your Internet connection temporarily until you can call a knowledgeable friend or drag the machine in to a specialist for a thorough diagnosis.

You should, of course, have a regular backup routine. Mechanical failures (a crashed hard drive or a dropped notebook) can be even more devastating than a malware attack. With Windows 7, you can use the built-in backup program to save an image backup on an external hard drive; you can do the same thing on a Mac using Time Machine. Restoring a full backup is easy, especially if the alternative is spending hours trying to track down a well-hidden infection.

And don’t be paranoid. I can’t count the number of times I’ve heard from otherwise smart people who break out all sorts of terrible tools—registry cleaners and system optimizers being the worst offenders—at the first sign of trouble. Those snake-oil programs, in my experience, tend to make the problem worse.

Drive-by downloads and other sneak attacks are, fortunately, extremely rare. Yes, they happen, but the overwhelming majority of attacks aim at vulnerabilities that have been patched months or even years earlier.

Bad guys prey on the weak, technically unsophisticated, and ill-informed who don’t update regularly. You really,really want to avoid being a part of that group. It’s easy:

  • If you use Windows, turn on Windows Update and set it to automatically download and install updates. Those updates include Windows components like Internet Explorer. If you use other Microsoft software (Office, Silverlight, Windows Live Essentials, and so on) enable Microsoft Update, which is available from the Windows Update configuration screen.

 

  • If you use OS X, turn on Apple Software Update and set it to automatically download and install updates.

 

And don’t overlook potential attacks from third-party software. On any platform, it is essential to regularly update not just the operating system and its components, but also any popular Internet-connected program.That means browsers like Chrome and Firefox, utilities like Adobe’s Flash and Reader, runtime environments like Java and Silverlight and Adobe AIR, and media players like iTunes and QuickTime (on Macs, the latter two programs are included with system updates).

To make the process a little easier, I enthusiastically recommend Ninite, which automatically updates third-party software using the same URL you use to install the originals. It keeps unwanted add-ons and third-party programs at bay, too.

 

Since I wrote that post, Ninite has introduced a new product, the Ninite Updater, which “alerts you when any of the 92 Ninite-supported apps become out of date. It doesn’t matter if your apps were installed with Ninite or not.”

Alas, this utility is not free. The single-user package is $10 per year, and a 5-PC family pack is $30 a year. But it might be worth it for the peace of mind.

Home users can find a free alternative in Secunia Personal Software Inspector (PSI). Although it’s nowhere near as comprehensive as Ninite’s offering, it’s a good way to cover the most important threats.

3. Learn how to make smart trust decisions.

As I mentioned at the beginning of this post, social engineering is the weapon of choice for online criminals these days. Attacks can take all sorts of forms, from conventional phishing e-mails to sophisticated and convincing malicious download sites. The best countermeasure? Education.

You’re asked to make trust decisions many times every day. Some of those decisions involve programs, people, and businesses with whom you have lots of experience already. But others involve complete strangers, and still others ask you to decide with only limited information.

Any time you open an e-mail message or visit a web page, you face a possible trust decision.

Should you trust the sender of an e-mail?

Spam is one of the primary vectors for phishing attacks and financial scams, but it’s also a way to lure unsuspecting PC and Mac users to sites that deliver malware.

Spam filtering services have become very effective and can do a credible first pass on your inbox. The better your spam filter, the more likely it will recognize a fraud that could have sucked you in.

Based on my recent experience, both Hotmail and Gmail use extremely accurate spam-blocking technology. If your e-mail provider can’t properly filter spam, consider forwarding your e-mail through a Hotmail or Gmail account.

And don’t overlook the client program you use. Microsoft’s flagship e-mail programs, Outlook and Windows Live Mail, display HTML-formatted messages differently when they are in the Junk folder.

Here’s a crude but unremarkable phishing message as it appears in the Outlook Inbox folder. An unsophisticated recipient might be tempted to overlook the bad grammar and click.

 

But in Outlook’s Junk E-Mail folder that same message is displayed in plain text, without graphics or HTML formatting. In addition, the hyperlinks show the actual target address in the message window. That turns the once-slightly-convincing message into a laughable mess, complete with bogus hidden text.

 

If the message appears to be from a friend or other known contact, it’s possible that the sending account was hijacked. If you have even the slightest doubt about the actual target of a link, don’t click it. That’s doubly true if it’s from a social network.

Should you trust a web page?

When using a browser, you need to learn how to read the address bar, especially at two key decision points.

First, anytime you are asked to enter your login credentials, your Spidey sense should tingle. You need to be able to spot a website that is trying to masquerade as someone else. If you have any doubt that a login page is legitimate, close the browser window and open a new session by manually typing the domain name and navigating to a login page from there.

Both Internet Explorer and Chrome provide important information in the address bar, displaying the actual domain name in black and muting the rest of the address to a still-readable shade of gray. Here’s how it appears in Internet Explorer 9:

Second, learn how to identify a secure connection, where traffic is encrypted from end to end. Every modern browser displays visual cues (including a padlock icon) when you’re using a secure SSL connection. For sites that use Extended Validation certificates, you get additional feedback in the form of a green address bar, as shown here for Chrome.

The final online trust decision people make regularly is so important it deserves its own page…

4. Never install any software unless you’re certain it’s safe.

The biggest trust decision of all arises when you’re considering installing a new piece of software on a PC or a device. If you have any doubts about a software program, you should not install it. Period.

One great way to remain safe online is to set a high bar for software. You need solid, up-to-date information to help you decide whether a file is safe, unsafe, or suspicious. Then you need information about whether the program is reliable and useful, whether it’s compatible with other software you use, and whether it can be easily removed.

Here are the three key questions to ask about any program before clicking Yes on the installer:

Did it come from a trusted source?

It’s hard to believe that someone would actually say yes to a software installer that randomly appears when they visit a web page. But people do, which is why fake antivirus software is a thriving business. The simple act of clicking No—or forcibly closing an installer window if necessary—can save you hours of cleanup.

Is it signed with a valid digital signature?

In developing the SmartScreen technology used in Internet Explorer 9, Microsoft security researchers discovered a startling fact about the dangerous downloads they were blocking.

[T]he IE9 version of SmartScreen includes a new set of algorithms designed to test the reputation of this executable file. Has it been seen before? Is there anything about the file name or the domain that looks suspicious?

In fact, one of the most important questions to ask is this one: Is the executable file digitally signed? Microsoft’s researchers found that roughly 96% of all those red warnings are attached to unsigned, previously unseen files. The algorithm assumes that a file—signed or unsigned—is untrustworthy until it establishes a reputation. No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.

In Windows, you can check for the presence of a digital signature by right-clicking a file and choosing Properties. Here, for example, is the digital signature information for the officially released Xvid codec installer, the rogue version doesn’t have a digital signature.

 

A digital signature doesn’t mean a file is safe. It does, however, mean that you have important information, and a chain of trust, about the person or company who created the file. A digital signature also guarantees that the file hasn’t been tampered with since it was signed.

In some cases, you might be willing to trust an unsigned file. You should only do so if you are confident that it is exactly what it claims to be and nothing more.

What does the security community say about the download?

If running a possible program through one antivirus scanner is good, then checking with 43 separate scanners must be, well, 43 times as effective. That’s the theory behind Virustotal (VT), a free and independent web-based service. In a matter of minutes, you can upload a questionable file and have it checked by a large cross-section of scanning engines using up-to-date definitions.

Here’s what a Virustotal report looks like:

 

One detail worth looking for when you submit a program is whether it’s been analyzed by VT before. If the executable file you’re analyzing is a well-known, established program, you can bet it’s been examined already. Here, for example, is what I saw when I submitted a signed Xvid codec installer, obtained from a well-known and trusted site:

If you’re uncertain about a file, one option is to set it aside for 48 hours and then resubmit it to Virustotal. That’s usually enough time for antivirus engines to identify a new strain of malware and add it to their definition files.

5. Be smart with passwords.

Has your favorite website been hacked lately? These days, it might be easier to make a list of the high-profile web sites that haven’t been broken into.

Thanks to LulzSec and Anonymous, millions of people have had the dubious pleasure of seeing their usernames and passwords posted publicly on the Internet. Last month, LulzSec snagged more than 1 million accounts from Sony Music and Sony Pictures servers. The usernames, passwords, and personal details stored there were posted on the Internet for anyone to see.

You might not be too concerned that someone can log on to your Sony account and pretend to be you. But what if someone goes to Google Mail or Hotmail and tries your email address and that same password? If you used the same password as the one on your Sony account, the bad guys are in. They can send and receive messages that appear to come from you. They can download your email archives, which can include correspondence from your bank and from online shopping sites like Amazon.com. In a very short period of time, they can do a very large amount of damage.

Repeat after me: Never use the same password in multiple places, and be especially vigilant with passwords for e-mail accounts.

It’s a royal pain to create and remember unique, hard-to-guess passwords, but that is nothing compared to the misery you will experience if a determined thief starts messing with your identity and your finances.

Sadly, an awful lot of people reuse passwords, as software architect and Microsoft MVP Troy Hunt found when he grabbed those leaked Sony files, extracted 37,000+ pairs of usernames and passwords, and did some quick analysis. The entire analysis is a good read, but I zeroed in on this part:

When an entire database is compromised and all the passwords are just sitting there in plain text, the only thing saving customers of the service is their password uniqueness. Forget about rainbow tables and brute force – we’ll come back to that – the one thing which stops the problem becoming any worse for them is that it’s the only place those credentials appear. Of course we know that both from the findings above and many other online examples, password reuse is the norm rather than the exception.

Hunt compared the contents of the hacked Sony database with identical addresses from the Gawker breach of last year and found that two-thirds of the addresses on both lists used the same password. This ratio doesn’t surprise me, and I suspect it might even be a little low.

If you’re guilty of this offense, it might seem overwhelming to try to fix your entire collection of passwords at once. So start small, by creating new, unique, hard-to-guess passwords for your e-mail and bank accounts.

What makes a good password?

  • It’s at least 8 characters long, preferably 14 characters or more.
  • It is not a word that can be found in any dictionary or list of common names.
  • It uses at least three of the four available character types: capital letters, lower-case letters, numbers, and symbols (such as punctuation).
  • It’s easy for you to remember and difficult or impossible for someone else to guess.

And one more tip: if you anticipate that you will be entering a password regularly on a handheld device, consider how the virtual keyboard on that device works. Instead of a password like Rh1ZJk#U, consider grouping the different types of characters together for quicker input: RZUUJ1hk#.

The best way to create and manage strong, unique passwords is with the help of a utility tailor-made for that job. To start I visit, https://www.grc.com/passwords.htm and picked a 8-character block from the 63 random alpha-numeric characters (a-z, A-Z, 0-9) block.

Then, to manage I use a free program called KeePass, http://keepass.info/

What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

Is it really free?
Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

Software updates: Adobe

Adobe is a vendor that often plays catch-up with security exploits; issuing emergency patches issued to fix zero-day vulnerabilities. But Adobe, like Microsoft, also has a regular Patch Tuesday update cycle. This regularly scheduled update is a way to give users and enterprises a predictable and stable timetable for Adobe updates.

For August’s Patch Tuesday, Adobe has issued update advisories covering to fix a slew of critical security flaws in its products, including FlashShockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for WindowsMacLinux and Solaris machines (the bugs exist in Flashversions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2. According to Adobe, they are not aware of any exploits “in the wild” for the issues addressed in the update. Digging into the vulnerabilities, the vast majority are for memory and five buffer overflows, four memory corruption and three integer overflow issues. There is also a single cross-site information disclosure issue that is fixed that could have potentially led to arbitrary code execution.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chromeusers should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Windows users can furthermore use the Flash Player Settings Manager that is part of the Windows Control Panel to check for updates. Here it is furthermore possible to check the Flash Player version that is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.

The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.

Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier  update to Adobe Shockwave Player 11.6.1.629.

I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.

To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

 

Windows Patch Tuesday – August 2011

On Tuesday, August 9 at 10AM PDT Microsoft plans to patch 22 vulnerabilities for Internet Explorer, Windows, Visio and Visual Studio as part of the August Patch Tuesday release.

Microsoft will release 13 security bulletins, two of which are rated “critical,” the company said Aug. 4. Nine were rated as “important” and the final two were listed as “moderate” according to the preview announcement.

Even though there are more bulletins than the July update, the number of vulnerabilities remained the same, which is unusual, considering Microsoft recently has been alternating large updates with small ones. August was expected to be a heavy month.

Considering there were 16 bulletins fixing 34 vulnerabilities in June and 17 bulletins fixing 64 bugs in April, 22 vulnerabilities across 13 bulletins doesn’t sound so big, after all. Even so, IT administrators still have a lot of work ahead of them, as they may still be dealing with the 78 patches from Oracle’s July Critical Patch Update on July 19 and Apple’s update for Mac OS X Lion on July 20, said Paul Henry, security and forensic analyst for Lumension. “Microsoft is making IT admins earn their Labor Day holiday,” Henry said.

The bi-monthly update for Internet Explorer is rated as critical and is most likely the one administrators should deploy first, Storms said. The IE update is critical for all platforms and applies to all versions, from IE 6 through 9 on Windows 7, Vista, XP, 2003 and 2008, according to Microsoft. This would be the second update for IE9 in less than five months since its release.

Two of the 13 bulletins are rated “critical,” Microsoft’s highest severity rating. Microsoft Windows users will want to pay special attention to the Internet Explorer bulletin because the issues can expose users to drive-by download attacks via the browser. The update fixes flaws that introduce remote code execution risks on all versions of Internet Explorer, including the newest IE 9. “If left unpatched, attackers could use this vulnerability to remotely take control of victims’ systems,” said Wolfgang Kandek, CTO for Qualys.

Since the preview announcement doesn’t provide any details on what the actual flaw is being patched, users should limit their use of Internet Explorer to only visit trusted sites and be careful about clicking on links, said Marcus Carey, a security researcher for Rapid7. Servers should never be used to browse the Internet, but many organizations do so anyway, and “compromise their crown jewels,” Carey said.

Concerned users should consider using an alternate browser, such as Firefox or Chrome, until the patches are live, according to Carey. I say quit using Internet Exploiter altogether.

“While multiple browsers can be an administrative headache at times, it comes in handy in situations like this,” said Carey.

The other critical bulletin addresses flaws in the two newest versions of Microsoft’s server operating system, Windows Server 2008 and Server 2008 R2. While Server 2003 has the same vulnerability, Microsoft said the update was only “important” for that version.

“Server administrators should apply patches immediately as this vulnerability also leads to remote code execution,” said Kandek.

Nine bulletins are specific to Windows vulnerabilities, but five of them won’t apply to Windows XP. One of the bulletins addresses issues in Windows 7 and Server 2008 R2, the latest versions of the desktop and server software. Considering Vista shares a lot of code with Windows 7, it was a little puzzling that the bulletin did not patch Vista, according to Storms.

Microsoft is expected to update .NET framework, Visual Studio 2005 development tool and all supported versions of Visio. Microsoft also patched a DLL vulnerability in Visio last month that could have been exploited with a remote code execution attack.

“We have seen other Visio vulnerabilities fairly recently and recommend including the software in your regular patching cycle and/or have users not using that software remove it from their systems,” Kandek said.

A good point is made, if you not using a particular piece of software then remove it.

Another point, JavaScript and Flash are known two ways to infect your computer. I block them by default and maintain a white-list of sites that I allow them to function.

  • Disabling JavaScript and Flash for untrustworthy sites. This will help to reduce possible attack vectors for these Trojans, and hence reduce the possibility of you ever seeing ‘Your PC is infected with malicious software and browse couldn’t be launched’ on your browser. Most web browsers will allow you to disable these options by default.
  • Keeping your web browser updated. Updates will often fix security loopholes that are exploited to force malicious security programs like Trojans onto your PC.
  • Avoiding downloads of anti-virus or anti-spyware programs from non-reputable sources. Many rogue security programs are widely-distributed through generalistdownload storehouse websites, and most will even have their own professional-looking home websites. Verify the integrity of an anti-malware program through multiple sources, beforehand. I highly recommend ESET’s offering.

Gmail – LinkedIn Assault

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution.

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author –blogger Mila Parkour— first wrote about these attacks almost four months ago.

Most of targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word.  This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on the top; the image below is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:

  • Keep your software up-to-date. Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia’s Personal Software Inspector or Filehippo’s Update Checker to stay abreast of the latest security updates.
  • Be extremely judicious about clicking links in emails. Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It’s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.
  • Pay close attention to what’s in the address bar: Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as tabnabbing.
  • Consider using an email client, such as Mozilla’s Thunderbird, to handle your messages. It’s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.

 

Next Page »