Or so a story circulating on Facebook states. You might wonder how is that related to the usual subjects covered in my articles. It turns out it’s a social engineering effort.

If you click on the link in the news item, it will take you to a page where you will be told there is  a Java update to be installed since your current one is out of date. Although the number of suspicious-raising elements in such statement are numerous, many people will go ahead and “update”. Needless to say the request is not legit and you should, of course, not do it. If you must update Java at all, go to the source (http://www.java.com) and update from there. Or ask me if you need help.

Oh, and for the Game of Thrones fans, it has not been cancelled. 🙂

Hopefully you read my last article. If not, read it first and then continue with this one.

Microsoft has just released an update to patch the Internet Explorer vulnerability that affects all versions from 6 to 11 in all Windows operating systems, from XP to 8.1. Surprisingly, even though support for Windows XP has just ended, Microsoft decided to make an exception and include XP in the list of operating systems covered by this update.

If you have automatic updates enabled there should be no action needed on your part. If you don’t, it is highly recommended you turn on Automatic Updates or manually download and install the update.  If you need help with this, let me know.

In case you’re wondering what the hell does “use-after-free” means, it’s when a program is no longer using previously used computer memory which then can be used for malicious purposes. Thus, use-after-free.

So, a vulnerability exploiting this type of scenario has been uncovered for all versions of Internet Explorer, and is currently being exploited in the wild by hackers. There is no current patch or remedy for it, other than, as I’ve advised before, stopping the use of Internet Explorer altogether by installing an alternate web browser such as Mozilla Firefox, Google Chrome, Apple’s Safari, Opera, etc.

Interestingly, every now and then somebody will ask me if it’s possible to infect a computer simply be opening (displaying) the wrong email. This is one of the cases where, given the right circumstances and with a properly crafted email, the vulnerability could be exploited by just opening that email, especially if you’re using an older version of Microsoft Outlook (2003 or older).

Similarly, this can be exploited by luring a user into the wrong page of a website, and displaying it using Internet Explorer.

I’ll advise once a patch is available for this vulnerability.

I have seen so many people write about this that I was purposely not writing about it… I should know better – every time there’s a major issue in the field of computer security, if I don’t write about it I get a ton of emails asking me for my viewpoint on the issue or my viewpoint on what others write about the issue… It’s all good though. It’s my fault for being lazy and not writing about it in the first place. So here it is. I’m staying away from any technobable and keeping it simple.

The first thing you need to know is that HeartBleed is a vulnerability that, when exploited, can be used to steal information from websites. This is accomplished by accessing the memory of the computers where the websites’ data  is stored (ALL websites are stored in computers, “servers”, although not all websites are vulnerable to this “bug” ). What does that mean to you? If you deal with a particular website that is vulnerable,  let’s say your bank’s website, or your email’s website, and so forth, the information you provide to that website on a regular basis,  such as your username and password and potentially more, could be compromised (stolen).

I read somebody writing about the fact that the vulnerability was discovered by “good guys” and therefore has not been exploited by hackers. I laugh at that statement. The people attributed to discovering the vulnerability might be good guys, but I bet anything the bad guys know about it too.

And because of where the vulnerability is being exploited, i.e. not in your computer, it doesn’t matter what kind of security measures you have in place in your computer(s), the vulnerability is still a threat because it’s been exploited “server side”, meaning at the computers where the websites are stored.

So what do you do? The first thing that comes to mind to most users will be, since we’re talking about a potential information leak of your data, to change your passwords for all the websites that you use (that require a username and password). And that’s not a bad idea but let’s not rush into that. The reason for not doing that as a first immediate step is that there is an ongoing global evolution to fix the cause of the vulnerability so you want to make sure a particular website has been fixed before you change your password for it, otherwise your information could be stolen again and you’d be in the same spot.

Therefore the thing to do is to check every particular website you plan to change your password for, and make sure it has been fixed before proceeding to change your password for it, and so forth. How do you do that?

There are many websites that have been provided where you can enter a particular website address and it will tell you whether or not the website is vulnerable, or has been patched or is not affected to begin with. https://lastpass.com/heartbleed/ is one that comes to mind that you can use. Also, here’s a list of the top 100 websites people normally use, and their status as to whether they have been fixed or not (scroll down when you click on this link to see the list): http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

It is always a good idea to change your passwords periodically anyways, so go ahead and change them once you know a particular website you deal with has been fixed. And, don’t forget. If you’re the typical user that only has 1, 2 or 3 passwords for everything, change your passwords for the websites that are labeled as “were never affected” if you have used the same password in a website that was vulnerable.

Hope this helps. Feel free to ask any questions on the subject.

A cautionary tale. Yesterday a client forwarded me an email that he considered fishy, and asked for my opinion. The email contained an attachment, and so I set out to find out what opening the attachment did.

Now normally I take extra precautions when doing something like that, so that any bad “jujus” contained in suspicious files are not allowed to damage my computer. But I guess I had gotten overconfident with time and so I opened the attachment, with just the normal defenses I have in place, as per my own security model. Nothing seemed to happen, which made me suspicious. Anyways, I analyzed the attachment with a service that scans it against 49 different antivirus programs, and it did turn out to be a malicious file. I got rid of it but missed the fact that it had already delivered its payload and that in turn was now waiting to hack my computer. Ha.

Long story short, when I came to the computer this morning I found evidence that a hack attempt had been performed on my computer, emphasis on attempt. AppGuard had blocked the execution of a password stealer that was going to be used to attempt to steal the passwords stored in Internet Explorer, Firefox, Chrome, etc. (not that there are any, I have a standalone password manager and never use the browser’s capability to store passwords for that very reason).

With a chuckle at the clever attempt to hack my computer, I proceeded to scan and clean up any infected files. This was no doubt the closest I had come in years to an actual computer security breach. Mind you, the attempt failed, but only because the last layer in my security model, AppGuard, had stopped the unauthorized run of the password stealer that had been placed in an obscure location in my computer. Which brings me to the point of the story.

If it can happen to me, it can happen to anyone. Except the classic, usual outcome in most cases, if you open the wrong attachment or click on the wrong link, is an infected computer, passwords or other information stolen, and so forth. So when it comes to online related activities, always be alert, always be careful, never let your guard down. Oh, and implement my security model 🙂

Avid readers of mine who have followed my articles over the last few years know that periodically I’ve been known to review Security Suites, i.e. antivirus programs. For those who didn’t know, well, now you do too.

Today I’m writing about Webroot SecureAnywhere antivirus 2014. This program came to my attention a few months ago. I gave it a quick whirl and was impressed on the light footprint it has and yet how it manages to have plenty of different functions. But I never put it under a formal test, like I usually do when evaluating security programs. Today, however, its turn finally came.

As many of you know, my basic test consists of installing the security program in question in my Windows-7-based test computer, and then proceeding to visit malicious websites and in general try to infect the test computer while keeping records of the security program’s behavior. The only passing grade is 100% success in thwarting efforts to infect the computer. And in this case… Webroot kind of failed. Let me explain what I mean by “kind of”.

On the plus side, its very, very light footprint makes it ideal for old and basic computers, since the average antivirus program these days will take a good amount of memory and computer processing power to operate. Not Webroot though. The claim that it doesn’t slow down one’s computer is true.

On the negative side, I was, strictly speaking, able to infect the test computer after a few attempts. But it’s not black and white, so allow me to explain what happened. I visited a couple of malicious websites that initiated infected files downloads onto the test computer. Initially Webroot caught and blocked the first attempts. But then came a particularly deceiving trojan.

I downloaded and opened the infected file without Webroot protesting or alerting me at all. Bad. But when the program tried to connect to the Internet to “call home”, Webroot did alert me that an untrusted program was trying to connect to the Internet (the antivirus has an outgoing firewall, meaning it monitors outgoing connections. More on that later). That was good. The bad part is, Webroot is designed to block any suspicious action by default while prompting the user for a decision on whether or not to let the program carry on with the suspcicious action. That’s not so bad. The bad part is that by default, after 2 minutes, if there is no response from the user one way or the other,  Webroot’s default action is to allow it (and I didn’t find anything in the program interface to change that behavior, i.e. a setting that would allow one to change the default action if there is no response from the user).

So potentially, if the user could not or would not respond to the prompt ,the malicious action would be carried out. That’s not good. Anyways, since I was evaluating, I allowed the action. Next I got an alert that a change to the registry was being attempted by this suspicious file. Again good. And again, unfortunately Webroot waited for 2 minutes for a decision as to what to do (allow or block the action) and when no response from the user, it allowed the action.

I then proceeded to ask Webroot scan the downloaded file to see if it would be recognized as a malicious file. Webroot failed to recognize the file as malicious. Then again a percentage of these malicious files get missed by the antivirus because they’re too new to be recognized as malicious, a subject I’ve covered extensively in earlier articles.

Circling back to the firewall, it is a good thing to have Webroot’s firewall in and the fact that it’s an outgoing firewall makes it a perfect complement of the firewall that comes built into your Windows computer, since that one is only incoming. So they complement each other and in fact one is normally supposed to have only one active firewall to avoid conflicts in function. But in this case, not only is it possible to have both the Windows firewall and Webroot’s at the same time – it is advised.

So all in all the program performed very well and under normal circumstances probably provides good protection at a ridiculously low resources consumption. But again, strictly talking, it did not pass the test. If, for example, you’re the type of user who pays attention to all windows pop-ups and alerts from their antivirus program, this might be sufficient, and a plus if your computer resources are somewhat scarce. If you abide by my security model, the protection provided by Webroot as an antivirus would be sufficient as well.

As it has been a practice before on disasters of magnitude, malicious/fraudulent email scams are being spread over the recent Philippines typhoon disaster. These emails might contain malicious links or attachments. Beware of such social engineering attempts.

To help you distinguish whether the email is a scam or not, you can do the following:

1. Review the Federal Trade Commission’s Charity Checklist.

2. Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau’s National Charity Report Index.

This applies mostly to those who have an USB external hard drive that is used for periodical backups of your data. I myself use that method for my daily computer data backups. However, I only plug it in at the time of the backup and otherwise keep it disconnected from my computer. Why, you might wonder?

1. In power surge prone areas, if one hits your computer, and your external hard drive is connected to it, and it’s powerful enough, it will fry your computer AND your external hard drive.

2. There are malware infections that will encrypt your files and then ask you for a ransom to decrypt them (aptly named ransomware). The recent versions of it will encrypt files in any drive connected to your computer, not just your internal hard drive. So your only hope for recovery from such infection would be thwarted since the backup data in your backup drive will also be encrypted.

So know your backup schedule, and do what I do, put a reminder in your calendar so it reminds you a few minutes before your scheduled backup, and only then connect your external hard drive to your computer. And unplug it from your computer (and from any power source if it has its own power adapter) when done. Doing this might save the day if disaster strikes.

And if you don’t have a backup plan in place for your computer data, well, I suggest you get going on that. Don’t say I didn’t warn you. 🙂