Microsoft: security update for Win2k server doesn’t work

Use workarounds

Microsoft has taken the rather unusual step of pulling a security bulletin for Windows 2000 Server (issued last week) and telling users to use the mitigations and workarounds until the bulletin can be reissued next week.

MS10-025 was aimed at fixing a vulnerability in Windows Media Services running on Windows 2000 Server that could allow remote code execution if an intruder sent a specially crafted transport information packet to a system.

Jerry Bryant, Microsoft Response Communications group manager, said on the company’s Technet site: “Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

“Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure. We will continue to share updates here on the blog as available.”

Post here: MS10-025 Security Update to be Re-released

Microsoft Security Bulletin MS10-025 here.

Tom Kelchner

A note (correction) from the crypto world on Internet Café security

In yesterday’s blog post “Internet café wi-fi and your security,”
we advised road warriors and others who use public wi-fi hot spots to communicate (without a VPN) that they should encrypt documents before sending them to avoid the possibility that they could be intercepted by someone sniffing the public network.

A former colleague of mine left a comment on the Sunbelt Blog that I feel is important enough to highlight in its own blog entry. Basically, encryption on older versions of Microsoft Office (before Office 2007) is no longer safe to use.

The colleague (Phil) has pointed me to “David LeBlanc’s Web Log” piece from April 16 entitled: “Don’t Use Office RC4 Encryption. Really. Just don’t do it.” As you might guess from the title, David points out the weakness of RC4 encryption, which is what is available in older Microsoft Office (2003 and before) applications.

He wrote: “If you need to encrypt an Office document, then use the new file format, and get real encryption as we’ve documented in more than one place. If you need to encrypt an older file format, then use a 3rd party tool that will do proper encryption. If you merely need obfuscation, perhaps to keep your kids out of the Christmas list, it might suffice for that, but not if you have a really bright kid.”

That “bright kid” line isn’t a joke, because for $49 you can buy “password recovery” software that can crack weak Office 2007 passwords and all passwords from earlier versions. (For sale here: http://www.lostpassword.com/kit-basic.htm)

One can be sure that fact has not been lost on the darkside, or bright kids. If you explore that lostpassword.com site, it becomes very obvious what password cracking is all about.

Thanks Phil!

So what SHOULD you do to encrypt a document?

You should use the safer AES encryption (Office 2007 and later) algorithm and a password (or phrase) as long as you can tolerate, with caps, numbers and punctuation — something like: “My_cat_Fluffy_likes_canned_tuna_!_12345.”

In versions of Office before Office 2007, Excel, PowerPoint, and Word offered the choice of several flavors of the RC4 encryption algorithm – not good. In Office 2007, documents are encrypted with the AES 128-bit algorithm. AES 128 is acceptable to the federal government for documents with classifications up to and including secret.

To encrypt a document in Office 2007, go to prepare | encrypt document:

Word crypto

Want a little history of Microsoft encryption? Here’s a site with a concise, fast read:
“History of password protection in MS-Word”

Tom Kelchner

Pa. school district: 56,000 shots taken with students’ web cams

Reports from the Lower Merion School District in Pennsylvania now say that 56,000 photos and screen shots were taken by security software on students’ school laptops.

The district was sued in federal court in February by the parents of a student who was disciplined after school security personnel accused him of taking drugs. They showed him photos of himself taken from the web cam on his school-issued laptop. He claimed the images show him eating candy and his family said in court filings that they were never told there was monitoring software on the machine.

As we reported in February, the FBI is investigating.

The LANrev monitoring software on the machines was to be used only to track stolen machines and only two members of the IT staff had access to it, the district said. IT staff had switched on the cameras of missing computers 42 times this school year and recovered 18 machines, they said.

“In addition, discovery to date has now revealed that thousands of webcam pictures and screenshots have been taken of numerous other students in their homes, many of which never reported their laptops lost or missing,” an attorney wrote in a filing in the case.

TechHerald story here.

The suggestion that the software was activated and webcams switched on for voyeurism has hung over this case since the beginning. The possibility of a class action suit also is hanging over the district.

Tom Kelchner

An exploration of Rogue AV customer support sites

Not too long ago, a relative of mine fell for a Rogue AV “pay up to get your computer back to full health” scam, handing over $69 / £45 in the process.

Whoops.

After a bit of a clean up and some silliness with the credit card company (who originally told them they couldn’t get their money back – not true), all was well again. However – it occurred to me that despite having read something in the region of six million Rogue AV blogposts (and counting), I’d never actually seen the really basic stuff. You know, emails they send you once you’ve paid up. Support pages, things like that. Did support portals even exist for Rogue AV programs?

Honestly, I had no clue.

I suppose that’s because our primary function when a Rogue AV hits is to tell you what the scam is, then advise to steer clear. The only way we could show you those things is if someone we know managed to get tangled up in one of these fiascos.

Well, step forward helpful family member and bring your scam trophies along for the ride. If you ever wanted to see a “Congratulations, you just bought nothing” email then you’ve come to the right place:

Rogue AV purchase email

I like the part where they advise you to remove and / or switch off Firewalls and other security products. I can imagine a regular end-user being somewhat baffled by this mail – already, a number of domains are thrown at them.

They list the reason for showing the card charges from “Spy-wipe(dot)com” as being for YOUR “safety and privacy”. Softhelpcenter(dot)com directs you to an E-Ticketing system, and the link which allows the end-user to grab their purchased product – members(dot)getavproduct(dot)net – is unsurprisingly bland and content free:

Rogue AV customer support login

I was very curious at this point – would the login page actually take me to a support section? Or was it non functional? The answer is: here comes a bunch of screenshots from inside a Rogue AV support section.

Rogue AV support site

The victim actually does get a fully functional “support” page (although truth be told, it doesn’t do much supporting). If you have a problem, the Help page is less than spectacular:

help section

Yes, that really is the whole thing. Clicking the link will take you to a similar page to the E-Ticket site mentioned at the start of the blog entry:

Support form

One can only imagine the kinds of attachments disgruntled “customers” send them, but anyway. This is, for the record, a fully “activated” version of Antivirus Soft:

Antivirus Soft

Note that it doesn’t actually look any different from the free version except for one key difference: before you pay up, your PC is supposedly infected with six thousand pieces of malware. After? Yeah, that scan is 100% finished and – amazingly – hasn’t found a single infected file.

Funny, that.

If you try to update your definitions, it performs an occasional party trick of Rogue AVs and downloads the Clam AV database.

Clam

They’ll even allow you to uninstall with no apparent issues or continued nag screens:

rogue av uninstall

As for the domains involved, the majority mention “Taras Frinov”, who appears in this wonderful list of rogues. While there’s a lot of identikit support sites for the end-user to download their purchase from – backsoftdownload(dot)com and getavsoft(dot)com, to name but two – it’s a better idea to not end up on these sites in the first place.

Always be suspicious when presented with popups handing out dire warnings and demanding your cash – because one “Congratulations, you just bought nothing” email is already one too many.

Christopher Boyd

Malwarebytes and Sunbelt Software partnership

Today, I’m pleased to announce a new partnership with Malwarebytes.

The details are in the press release, but basically the partnership is starting with a new portal for consumers to clean their systems (http://vipre.malwarebytes.org). In addition to this initial offering, we are also working together on a broad range of initiatives for sharing information on emerging threats, methods to mitigate risk, and other joint efforts.

Right now, the partnership is evolving in its nature, and I am very excited about the future opportunities to work with the team at Malwarebytes — a very impressive organization run by a brilliant hands-on CEO, Marcin Kleczynski.

Alex Eckelberry

Internet café wi-fi and your security

ComputerWorld is carrying a good feature story on public wi-fi security practices that is worth reading whether you’re a road warrior who needs a place to work or just a regular schlep looking for Internet access and a caffeine buzz. (“Hot spot dangers: That Internet cafe could cost you way more than a cup of coffee”)

When you use a public Internet connection of any kind, you simply don’t know who is sniffing the network, looking for login information, personal data or sensitive documents. It would be a really good idea just not to work without an encrypted connection or do your banking or any transaction using credit/debit cards from these public places.

The ComputerWorld article has some interesting numbers from a 2009 Ponemon Institute study, “Cost of a Data Breach,” of security breaches suffered by 45 organizations. It found the cost of a data breach per compromised record was $204, up from $202 in 2008, and the total cost per break-in was over $6 million.

If you’re communicating with your company network through a public hot spot the basic drill for beginners is:
— be aware that your unencrypted Internet traffic CAN be sniffed by anyone with the expertise and a connection to the wi-fi network
— be sure all software and operating system updates have been installed on your machine
— connect through your company’s VPN
— use air cards to avoid the dangers of a public network entirely if possible.

Encryption on the cheap

At minimum, if you MUST use a public hot spot and are not using an encrypted connection, it is fairly easy to encrypt the documents from many common applications before you email them. You can contact the recipient by phone and give him or her the password, or simply agree on a password in advance.

For Microsoft Word, Excel and PowerPoint:

Tools | Options

Click on the “Security” tab.

Fill in the edit box “Password to open”

By clicking on the “Advanced” button, you can choose an encryption scheme and key length. Choose a scheme that allows a 128-bit key (see below).
Ppt2

If you’re expecting to send encrypted documents to someone while you’re on the road, it might be a good idea to do a dry run with a test document before you leave to make sure your systems are compatible and everyone knows how to do it.

There also are compression utilities that allow you to create encrypted archives with passwords. In the common WinRAR utility go to: File | Set default password

WinRAR2

Enter your password.

WinRAR1

Can this encryption be cracked? Yes, if the malicious operator who sniffs the files has some very considerable resources. But it isn’t especially easy. At least your data won’t be low-hanging-fruit.

Tom Kelchner

Update 04/22:

As Phil has pointed out in the comments (below), the RC4 encryption used in Office 2003 and before is no longer safe. See our April 22 blog entry: “A note (correction) from the crypto world on Internet Café security.”

VIPRE Premium gets ICSA certification

ICSA logo

VIPRE premium has been granted ICSA certification! That includes ICSA certification for cleaning infected files as well as detections.

Curt Larson, Sunbelt Software VIPRE product manager said: “VIPRE was built with the consumer in mind to provide excellent endpoint protection without unnecessary features and functionality that slow down the performance of PCs. The ICSA Labs certification is a benchmark that confirms the reliability of Sunbelt’s powerful security product.”

Sunbelt designed VIPRE Antivirus Premium to focus on the core features that provide users with good, basic protection – desktop firewall, host-based intrusion prevention, malicious URL filtering and an intrusion detection system.

ICSA Labs, an independent division of Verizon Business, offers vendor-neutral testing and certification of security products.

VIPRE also has achieved VB 100, West Coast Labs and other certifications. To see them all, go here.

News release here.

Tom Kelchner

Bot installs adware along with video player

Actually your computer will run MUCH BETTER without this adware crap

Our researcher Adam Thomas found this little nugget while investigating a botnet that auto installed FLV Direct Player. As an added bonus, the player bundles Zugo Search adware on victims’ machines. FLV Direct is available freely on the web. The bot, however, uses an AutoIT script to script through the installation screens so the victim never sees the install:

Windows XP Prof

It also changes the victim machine’s home page to bing.zugo.com.

Apparently this is some kind of affiliate operation – the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet.

Affiliates also are spamming heavily on Twitter (and who knows where else) trying to get people to install the FLV Player:

Flvspam

The FLV site (http://www.loudmo.com/products/flv/) describes their program:

“Use this free FLV Player to promote and target a wide variety of niches.

“Both affiliates and users will benefit from this free flash media player. Affiliates can boost revenue with the pay-per-install compensation method, while users will enjoy playing and saving flash videos from various tube sites. There is a completely transparent downloading process and the FLV player is easy to uninstall.

“FLV Player is a media player for MPEG-4 and Flash Videos (FLV). Most video sites on the web (including YouTube) stream FLV content. With the FLV Player, we offer an easy way to download and enjoy this content on your desktop. FLV Player comes with no viruses or spyware, and at just 2.12 Mb, it’s a quick download.”

One FINAL gimmick

Loud_mo

When victims uninstall LoudMo, they get the above warning. Obviously it’s one last effort to scare them into leaving the adware on their machines.

VIPRE detects the player as Adware.Win32.FLVDirectPlayer (v) and the included adware as Zugo Ltd (v) or Zugo.

Thanks Adam and Matthew and Eric.

Tom Kelchner

Phishers target students with fake student loans pages

In the UK, there’s a good chance you took out a loan with the Student Loans Company if you went to University. It’s been brought to my attention that there’s currently a number of sites being hacked and becoming hosts for rather nasty phishes.

So far, all of the phish pages we’ve seen look like the below. The scam begins with a page claiming to be a login for “Student Finance”, asking the victim to enter their customer reference number. The page steals design elements from legitimate Directgov websites and looks identical to the real thing:

student loan phish

Should the victim proceed, they’ll find they’re suddenly asked for every type of personal information you can possibly imagine:

Sloanphish2

Date of birth, National Insurance number, passwords, bank details ... the works. Anyone falling for this is going to find themselves well and truly phished. When the victim presses the Save button at the bottom of the page, their details are sent to the phisher and they’re taken to the real Directgov student finance logout page:

student loans phish logout

This is designed to make the victim think that they’ve been on the real website (because the domain they’re now on is slc.co.uk), and that they’ve logged themselves out (to prevent them becoming suspicious that they might not have actually been logged in at all).

The screenshots above were taken from audiotype(dot)com(dot)au/direct.gov.uk which was the original domain a student friend sent my way (now offline), but a little bit of digging has revealed there’s a number of these sites that have been submitted to antiphish resource Phishtank:

student loans phishlist

As you can see, there’s one or two in March but the frequency of noted phishes increases in April. It’s probable this is a small selection of many more phish pages out there targeting students so be careful what you click and always check the URL of the site you’re on.
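The advice above, “always check the URL of the site you’re on,” can be turned into a mechanical check. This is an added example, not code from the original post: it pulls the host that actually serves a page out of a URL and flags any URL in which one of the trusted names from the post (direct.gov.uk, slc.co.uk) appears somewhere other than as that host, which is exactly the shape of the audiotype(dot)com(dot)au/direct.gov.uk phish. The sample URLs are constructed and written in the post’s “(dot)” defanged style.

```javascript
// Added example, not code from the original post. Trusted domains are the two named in
// the post; sample URLs are constructed for illustration.
const TRUSTED_DOMAINS = ['direct.gov.uk', 'slc.co.uk'];

// Turn the blog's "example(dot)com" notation back into a URL; add a scheme if missing.
function refang(text) {
  let url = text.replace(/\(dot\)/gi, '.').replace(/hxxp/gi, 'http');
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) url = 'http://' + url;
  return url;
}

// True when host is the domain itself or a subdomain of it
// (www.slc.co.uk counts, evilslc.co.uk and slc.co.uk.example.net do not).
function hostBelongsTo(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns { host, verdict, reason }; verdict is 'trusted', 'suspicious' or 'unknown'.
function classifyUrl(text) {
  const url = new URL(refang(text));
  const host = url.hostname.toLowerCase();

  // Genuine: the host serving the page is (under) a trusted domain.
  const matched = TRUSTED_DOMAINS.find((d) => hostBelongsTo(host, d));
  if (matched) {
    return { host, verdict: 'trusted', reason: `served by ${matched}` };
  }

  // Lookalike: a trusted name embedded in the host (slc.co.uk.example.net), the path
  // (audiotype.com.au/direct.gov.uk), the query string, or the userinfo part
  // (http://slc.co.uk@evil.example/), none of which is the serving host.
  const haystack = [host, url.username, url.pathname, url.search]
    .join(' ')
    .toLowerCase();
  const abused = TRUSTED_DOMAINS.find((d) => haystack.includes(d));
  if (abused) {
    return {
      host,
      verdict: 'suspicious',
      reason: `"${abused}" appears in the URL but the page is served by ${host}`,
    };
  }
  return { host, verdict: 'unknown', reason: 'no trusted name involved' };
}

// Constructed samples: the phish from the post, the genuine logout page, and two
// other placements of a trusted name that a victim may not notice.
const SAMPLE_URLS = [
  'audiotype(dot)com(dot)au/direct.gov.uk',
  'https://www.slc.co.uk/account/logout',
  'http://slc.co.uk.login.example.net/',
  'http://slc.co.uk@evil.example/',
];

function classifySamples() {
  return SAMPLE_URLS.map((u) => classifyUrl(u));
}
```

Run over a proxy or mail-gateway log, the ‘suspicious’ verdict is the one worth alerting on; ‘unknown’ just means no brand name was involved.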

You don’t want to be getting into debt with the phishers too…

Christopher Boyd

Snail mail 419 scam

Mr. Magnum Campbellin from Gabon would like to split US$158,000,000.00 with someone! I wonder why his “funds manager” in London uses a hotmail account.

One of our execs here at Sunbelt Software got this in the (snail) mail.

419 snail mail

Alex’s observation:

“Old school… I remember these back in the 90s. They would send them by mail and fax.

“So it looks like they’ve started back up again.”

Tom Kelchner

Facebook, YouTube are sucking enterprise bandwidth

A study of web traffic from enterprises in the first quarter of this year has shown that YouTube videos used 10 percent of bandwidth – more than any other site. Facebook traffic used 4.5 percent, Windows update 3.3, Yahoo!’s image server Yimg 2.7 and Google searches 2.5 percent.

The study, by the Hong Kong-based security firm Network Box, analyzed traffic to and from 13 billion URLs.

The study also analyzed the share of hits:
— 6.8 percent to Facebook
— 3.4 percent to Google
— 2.8 percent to Yimg
— 2.4 percent to Yahoo
— 1.7 percent to DoubleClick

Simon Heron, a Network Box internet security analyst said: “The figures show that IT managers are right to be concerned about the amount of social network use at work. There are two real concerns here: firstly that employees will be downloading applications from social networks and putting security at risk; and secondly the amount of corporate bandwidth that appears to be being used for non-corporate activity.”

Network Box release here: “Business internet traffic increases to Facebook and YouTube”

The assumption here is that all this traffic is personal browsing and not work-related. That actually might be a more complicated issue than a first glance indicates. Certainly people use Google for work. I look things up a dozen times a day.

Twelve of my 26 Facebook friends are professional contacts. Keeping up with such professional contacts for possible recruiting is certainly a business function.

Yahoo is my backup email on those rare occasions that there are problems with the company email server. There are also business reasons to use an email account that is not linked to your company (at least in research activities in the AV industry it’s pretty common.)

YouTube? There are news- and business-related videos there too in addition to the Roomba-riding cats and “Sunbelt Software Research goes Bowling.”

No, seriously, there are legitimate business reasons for using social media. Really! Have you seen the “Standing Cat is Watching you” YouTube video?

Tom Kelchner

SonicWALL becomes a patent troll?

SonicWALL, a company I’ve had a lot of respect for in the past, has apparently decided to improve its revenue outlook by going after other software companies for alleged patent infringement. Disappointing.

The patents are all over the place, and don’t mean much for our products. We are asking them for more clarity as to how exactly our products allegedly infringe on their patents, as we are a bit confused.

You can see the demand letter here (pdf). (I have redacted the attorney’s name from the document in the interest of professional courtesy.)

I assume they are sending this as a form letter to other security companies, so if anyone else has received one, please contact me.

Alex Eckelberry

Eyjafjallajokull Volcano + Internet stories

Several interesting stories are beginning to appear about how people are using the Internet to cope with (or at least report what they’re doing as they DON’T cope with) the shutdown of air travel in the UK, Western Europe and Scandinavia because of airborne ash from the Eyjafjallajokull glacier volcano in Iceland.

1. The prime minister of Norway, Jens Stoltenberg, who is stranded in New York, is “running the Norwegian government from the United States via his new iPad” according to his press secretary.

“Norway Uses iPad to Run the Government During Icelandic Volcano”

2. Graham Cluley of Sophos has reported on his blog that about 600 Sophos employees were attending an annual sales kick-off at the Potsdamer Platz in Berlin Thursday and got stranded when all European modes of transportation were jammed by people trying to get home to the UK. He suggested that friends back home organize a Dunkirk-rescue-type operation and pick them up on the channel coast.

His blog piece contains a good map that shows the extent of the ash cloud that is preventing air travel.

“Hundreds of Sophos employees stranded in Berlin by volcano fall-out”

The Tech Herald is carrying great photos of the eruption. It says over 17,000 flights have been cancelled and it could be Sunday before the Sophos gang will be able to fly home to Oxford.

“In Pictures: The volcanic ash cloud forcing countless delays”

Tom Kelchner

Volcanoes and disaster recovery

Dr. Johannes Ullrich at SANS brought up a good point in his morning podcast (Stormcast 296 ) about widespread transportation shutdowns and disaster recovery planning.

The Eyjafjallajokull glacier volcano in Iceland, which has stopped all air travel in the UK, Western Europe and Scandinavia, of course is the case in point.

Those writing and updating disaster recovery plans should keep in mind the possibilities of just such widespread transportation shutdowns when they plan for personnel to operate remote (backup) network operations centers. If an enterprise’s plan calls for an IT crew to fly to a backup NOC and they can’t get there, what then?

Good observation.

The New York Times quotes Bill McGuire from Aon Benfield UCL Hazard Research Centre saying that the last Eyjafjallajokull eruption lasted more than a year. Aon is an insurance broker and risk management consultant.

Tom Kelchner

UK firm offers clickjacking visualization tool

UK security firm Context Information Security Ltd. is making available a browser-based tool that will demonstrate clickjacking techniques that were discussed at a Blackhat Europe 2010 presentation.

On the Context site, they said “Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

“Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.”

“The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly.”

Context Ltd. piece here.
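Context’s point that most sites still lack effective protection comes down to a response header: a page that is allowed to be framed can be hidden inside an attacker’s iframe, while a page that forbids framing cannot. As an added example (not Context’s tool or code from the original post), the functions below grade a response’s headers for that protection, using the real X-Frame-Options and Content-Security-Policy frame-ancestors mechanisms, and build the header set a site should send; the sample responses are constructed.

```javascript
// Added example, not code from Context or the original post. Header names are the
// real ones browsers honour; the sample header values are constructed.

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Returns { protected, reason }. A CSP frame-ancestors directive takes precedence over
// X-Frame-Options when both are present, which is how browsers resolve the pair.
function assessFramingProtection(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);

  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      // '*' or a bare scheme such as "https:" lets any site frame the page.
      const open = ancestors.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
      if (ancestors.length === 0 || open) {
        return { protected: false, reason: 'frame-ancestors allows any origin' };
      }
      return { protected: true, reason: `frame-ancestors limited to ${ancestors.join(' ')}` };
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo === undefined) {
    return { protected: false, reason: 'no X-Frame-Options or frame-ancestors header' };
  }
  const value = xfo.toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${value}` };
  }
  if (value.startsWith('ALLOW-FROM ')) {
    // Only some browsers honour ALLOW-FROM; the rest ignore the header entirely.
    return { protected: true, reason: 'X-Frame-Options: ALLOW-FROM (not honoured by every browser)' };
  }
  // Browsers ignore unrecognised values (e.g. the non-standard ALLOWALL), so the
  // page remains framable even though a header is present.
  return { protected: false, reason: `X-Frame-Options has unrecognised value "${xfo}"` };
}

// Headers a site should send. With no allowed origins the page can never be framed;
// otherwise only the site itself and the listed origins may frame it.
function recommendedFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  return {
    // SAMEORIGIN is the closest X-Frame-Options gets for browsers without CSP support.
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Constructed sample responses, as a scanner of a site's pages might record them.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  misconfigured: { 'X-Frame-Options': 'ALLOWALL' },
  hardened: recommendedFramingHeaders(),
};

function assessSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = assessFramingProtection(headers);
  }
  return results;
}
```

Note that the check passes with ALLOW-FROM even though only some browsers honour it; a DENY or SAMEORIGIN value, backed by frame-ancestors, is the setting to aim for.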

Tom Kelchner

Google: 11,000 domains carrying rogue security products

Niels Provos of the Google Security Team has blogged about the rise of malicious web sites carrying rogue security products, which the Google team calls “Fake AV.” Google has been engaged in a constant battle against the sites because the operators who peddle them have been refining their techniques for poisoning Google search engine results in order to victimize Google users by drawing them to malicious download sites.

He wrote: “we conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, ‘The Nocebo Effect on the Web: An Analysis of Fake AV distribution’ is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th.”

He went on to say: “Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.

“Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly.”

Provos advises Web users not to purchase the rogues when they pop up their persistent, screaming warnings and instead, remove the malicious code from their machines.

“In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately,” he said.

Google Online Security Blog piece here.

How do you know what is an “antivirus and antispyware product from a trusted company?”

Check out the Sunbelt paper “How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product.”

There are 2,279 rogues in VIPRE detections. For a description of the latest rogues that Sunbelt has found, check out our Rogue Blog here.

Tom Kelchner

Your Tweets are being saved by the Library of Congress

I once heard a great story about the sparse historical record of the world of the “common man.” An “average Jacques” who lived a block or two from the Bastille in Paris apparently didn’t hear the commotion when over 8,000 French revolutionaries spent all day storming the prison in 1789. So, his diary entry for the biggest day in the history of democracy, unfolding in his very own neighborhood, was something like: “Not much happened today. It rained.”

Most of the 55 million daily Tweets that the Library of Congress is beginning to store may be nothing more than 140-word-or-fewer observations that “not much happened today. It rained,” but there also is other stuff in there that will be a gold mine for future historians and observers of culture. And that could be kind of scary if you wrote it.

The Times quoted Fred R. Shapiro, associate librarian and lecturer at the Yale Law School, “This is an entirely new addition to the historical record, the second-by-second history of ordinary people.”

Most tweets are public and available to anyone who subscribes, so archiving them ALL is certainly no big new exposure. Plus, the collection, for the moment, is only available to bona fide scholars. It does, however, give one pause knowing that they are being preserved in a searchable database. Will it ALWAYS be reserved for scholars? Selling subscriptions could provide a nice revenue stream for some future cash-starved government.

Just as some Facebook and Myspace users have learned, employers and busybody keepers of the public morals are ready at any time to go looking for evidence of past indiscretions.

Story here: “Library of Congress Will Save Tweets”

Tom Kelchner

How much do musicians make from online music sales?

Short answer: an infinitesimally small amount.

If you have any sympathy for musicians you’ll buy their CDs from their web sites or at their performances. That’s pretty much the conclusion you’ll draw from a great attempt at quantifying musicians’ pay rates in the online music business(es) by David McCandless of InformationIsBeautiful.net.

McCandless tried to determine how many songs or CDs a musician would need to sell in various ways to make the U.S. minimum wage ($1,600 per month). It was a tough project. He wrote: “As ever, this was incredibly difficult to research. Industry figures are hard to get hold of.”

The musician’s best deal: press and sell the CDs yourself (143 per month).

Second best deal: sell them on eBay (155 per month).

Worst deal: Spotify stream (4,540,020 per month).

Obviously Spotify makes the music available globally and selling CDs from your own web site involves much less exposure. But four million a month?

McCandless acknowledges that his numbers are crude, but they are certainly an indication of what musicians face. It’s a good data point in the debate about piracy and the efforts of the Pirate Party to give creators less and consumers more.

Also, it’s another indication of why the successful working musician’s business model has always boiled down to: “work a lot of weddings and don’t quit the day job.”

McCandless blog here: “How Much Do Music Artists Earn Online?”

Tom Kelchner