Category Archives: Computer Security

Virus, malware in general and all evil programs, begone!

Game of Thrones Cancelled

Or so a story circulating on Facebook states. You might wonder how that is related to the usual subjects covered in my articles. It turns out it’s a social engineering effort.

If you click on the link in the news item, it will take you to a page where you will be told there is a Java update to be installed since your current one is out of date. Although the suspicion-raising elements in such a statement are numerous, many people will go ahead and “update”. Needless to say the request is not legit and you should, of course, not do it. If you must update Java at all, go to the source (http://www.java.com) and update from there. Or ask me if you need help.

Oh, and for the Game of Thrones fans, it has not been cancelled. 🙂

Microsoft Releases Security Update for Internet Explorer Use-After-Free Vulnerability

Hopefully you read my last article. If not, read it first and then continue with this one.

Microsoft has just released an update to patch the Internet Explorer vulnerability that affects all versions from 6 to 11 in all Windows operating systems, from XP to 8.1. Surprisingly, even though support for Windows XP has just ended, Microsoft decided to make an exception and include XP in the list of operating systems covered by this update.

If you have automatic updates enabled there should be no action needed on your part. If you don’t, it is highly recommended you turn on Automatic Updates or manually download and install the update. If you need help with this, let me know.

Microsoft Internet Explorer Use-After-Free Vulnerability Being Actively Exploited

In case you’re wondering what the hell “use-after-free” means: it’s when a program keeps a reference to a piece of memory after it has released (“freed”) it, and that released memory can then be reused for malicious purposes. Thus, use-after-free.
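To make the term concrete, here is an added teaching example in C (my own illustration, not Internet Explorer’s code or anything from the advisory). The `session_t` record, the user name and the function names are constructed for the example. The buggy pattern keeps a second copy of a pointer after `free()`, and that stale pointer is indistinguishable from a live one; the hardened pattern releases through a pointer-to-pointer, nulls the caller’s reference and makes every accessor check for NULL, so a later use is refused instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy record standing in for any object a program allocates and later
   frees (constructed for this example; not Internet Explorer's code). */
typedef struct {
    char user[32];
    int  logged_in;
} session_t;

static session_t *session_new(const char *user) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->logged_in = 1;
    return s;
}

/* BUGGY pattern. A second copy of the pointer survives the free().
   The pointer value does not change, so later code has no way to tell
   that the memory behind it has been given back; dereferencing it would
   read or write whatever the allocator has since placed there. We stop
   short of dereferencing (undefined behaviour) and only report that the
   stale pointer still looks like a live one.
   Returns 1 if the dangling pointer is non-NULL after the free. */
static int dangling_after_free(void) {
    session_t *s = session_new("alice");
    if (!s) return -1;
    session_t *alias = s;      /* e.g. a reference held by another object */
    free(s);                   /* memory released ... */
    return alias != NULL;      /* ... but alias is unchanged: 1 */
}

/* HARDENED pattern. Release through a pointer-to-pointer, scrub the
   contents, free, and null the caller's reference. Every accessor checks
   for NULL, so a use after release fails with an error code instead of
   touching freed memory. */
static void session_release(session_t **sp) {
    if (sp && *sp) {
        memset(*sp, 0, sizeof **sp);   /* scrub before returning memory to the heap */
        free(*sp);
        *sp = NULL;
    }
}

/* Returns -1 if the session has been released, else the logged_in flag. */
static int session_is_logged_in(const session_t *s) {
    if (!s) return -1;
    return s->logged_in;
}

/* Returns 1 if the hardened path behaves as intended: the session is
   usable before release, the reference is NULL afterwards, and the
   later use is refused rather than executed. */
static int use_after_release_is_refused(void) {
    session_t *s = session_new("alice");
    if (!s) return 0;
    int before = session_is_logged_in(s);   /* 1 */
    session_release(&s);                     /* s becomes NULL */
    int after = session_is_logged_in(s);     /* -1, no freed memory touched */
    return before == 1 && s == NULL && after == -1;
}

int main(void) {
    printf("buggy pattern: stale pointer still non-NULL after free: %d\n",
           dangling_after_free());
    printf("hardened pattern: use after release refused: %d\n",
           use_after_release_is_refused());
    return 0;
}
```

Nulling the pointer only protects the one reference you pass in; if other objects hold copies (the `alias` above), the program needs a clear ownership rule or reference counting so that nothing outlives the object it points to. That is why these bugs are hard to eliminate in large programs such as a browser, and why the vendor’s patch, rather than any user-side setting, is the real fix.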

So, a vulnerability exploiting this type of scenario has been uncovered for all versions of Internet Explorer, and is currently being exploited in the wild by hackers. There is no current patch or remedy for it, other than, as I’ve advised before, stopping the use of Internet Explorer altogether by installing an alternate web browser such as Mozilla Firefox, Google Chrome, Apple’s Safari, Opera, etc.

Interestingly, every now and then somebody will ask me if it’s possible to infect a computer simply by opening (displaying) the wrong email. This is one of the cases where, given the right circumstances and with a properly crafted email, the vulnerability could be exploited by just opening that email, especially if you’re using an older version of Microsoft Outlook (2003 or older).

Similarly, this can be exploited by luring a user into the wrong page of a website, and displaying it using Internet Explorer.

I’ll advise once a patch is available for this vulnerability.

HeartBleed, All You Need To Know

I have seen so many people write about this that I was purposely not writing about it… I should know better – every time there’s a major issue in the field of computer security, if I don’t write about it I get a ton of emails asking me for my viewpoint on the issue or my viewpoint on what others write about the issue… It’s all good though. It’s my fault for being lazy and not writing about it in the first place. So here it is. I’m staying away from any technobabble and keeping it simple.

The first thing you need to know is that HeartBleed is a vulnerability that, when exploited, can be used to steal information from websites. This is accomplished by accessing the memory of the computers where the websites’ data is stored (ALL websites are stored in computers, “servers”, although not all websites are vulnerable to this “bug”). What does that mean to you? If you deal with a particular website that is vulnerable, let’s say your bank’s website, or your email’s website, and so forth, the information you provide to that website on a regular basis, such as your username and password and potentially more, could be compromised (stolen).

I read somebody writing about the fact that the vulnerability was discovered by “good guys” and therefore has not been exploited by hackers. I laugh at that statement. The people credited with discovering the vulnerability might be good guys, but I bet anything the bad guys know about it too.

And because of where the vulnerability is being exploited, i.e. not in your computer, it doesn’t matter what kind of security measures you have in place in your computer(s), the vulnerability is still a threat because it’s been exploited “server side”, meaning at the computers where the websites are stored.
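To show why a server-side bug of this kind leaks information no matter how well the visitor’s own computer is protected, here is an added teaching model in C. It is my own illustration, not OpenSSL’s code: the message layout only loosely follows the TLS heartbeat format, the `arena_t` “server memory” with a constructed `SECRET-PW` string placed next to the request, and all function names are assumptions made for the example. The unpatched handler trusts the length the client declares; the patched one applies the bounds check that the real fix added, so a message that claims more payload than it sent is dropped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class behind Heartbleed (constructed for this
   example; not OpenSSL's code). Message layout: byte 0 = type,
   bytes 1-2 = declared payload length (big-endian), then the payload. */
#define HB_HEADER  3
#define ARENA_SIZE 64

/* "Server memory": the request is copied to the front, and something that
   must never leave the server (a constructed password) sits right after
   it, the way unrelated heap data did on real servers. */
typedef struct {
    uint8_t mem[ARENA_SIZE];
    size_t  req_len;            /* how many request bytes actually arrived */
} arena_t;

static void arena_load(arena_t *a, const uint8_t *req, size_t req_len) {
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem, req, req_len);
    a->req_len = req_len;
    memcpy(a->mem + req_len, "SECRET-PW", 9);   /* constructed secret next to the request */
}

static uint16_t declared_len(const uint8_t *req) {
    return (uint16_t)((req[1] << 8) | req[2]);
}

/* UNPATCHED behaviour: echo back declared_len bytes starting at the payload
   without asking whether that many bytes were ever received. The copy is
   clamped to the arena only so this model stays within defined behaviour;
   the real code had no clamp at all. Returns bytes written to out. */
static size_t heartbeat_unpatched(const arena_t *a, uint8_t *out, size_t out_cap) {
    size_t n = declared_len(a->mem);
    if (n > ARENA_SIZE - HB_HEADER) n = ARENA_SIZE - HB_HEADER;
    if (n > out_cap) n = out_cap;
    memcpy(out, a->mem + HB_HEADER, n);   /* over-read: copies whatever follows the request */
    return n;
}

/* PATCHED behaviour: the declared length must fit inside the bytes that
   actually arrived, otherwise the message is dropped (0 bytes written).
   This is the bounds check the fix introduced. */
static size_t heartbeat_patched(const arena_t *a, uint8_t *out, size_t out_cap) {
    if (a->req_len < HB_HEADER) return 0;
    size_t n = declared_len(a->mem);
    if (HB_HEADER + n > a->req_len) return 0;   /* claimed more than received: reject */
    if (n > out_cap) return 0;
    memcpy(out, a->mem + HB_HEADER, n);
    return n;
}

/* Does the response carry the secret? (small substring search, portable) */
static int contains(const uint8_t *hay, size_t n, const char *needle, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed requests: one claims 32 payload bytes but sends 2, one is honest. */
static const uint8_t malformed_req[] = {1, 0x00, 0x20, 'h', 'i'};
static const uint8_t honest_req[]    = {1, 0x00, 0x02, 'h', 'i'};

/* Returns 1 if the unpatched handler leaks the secret for the malformed request. */
static int unpatched_leaks(void) {
    arena_t a; uint8_t out[ARENA_SIZE];
    arena_load(&a, malformed_req, sizeof malformed_req);
    size_t n = heartbeat_unpatched(&a, out, sizeof out);
    return contains(out, n, "SECRET-PW", 9);
}

/* Returns how many payload bytes the patched handler echoes for a request. */
static size_t patched_echo_len(const uint8_t *req, size_t req_len) {
    arena_t a; uint8_t out[ARENA_SIZE];
    arena_load(&a, req, req_len);
    return heartbeat_patched(&a, out, sizeof out);
}

int main(void) {
    printf("unpatched handler leaks secret: %d\n", unpatched_leaks());
    printf("patched handler, malformed request: %zu bytes echoed\n",
           patched_echo_len(malformed_req, sizeof malformed_req));
    printf("patched handler, honest request: %zu bytes echoed\n",
           patched_echo_len(honest_req, sizeof honest_req));
    return 0;
}
```

Nothing in this exchange involves the visitor’s machine: the over-read happens entirely inside the server’s memory, which is why antivirus software or firewalls on your own computer cannot help, and why only the website operator applying the fix (and then you changing your password) closes the hole.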

So what do you do? The first thing that comes to mind to most users will be, since we’re talking about a potential leak of your data, to change your passwords for all the websites that you use (that require a username and password). And that’s not a bad idea, but let’s not rush into that. The reason for not doing that as a first immediate step is that there is an ongoing global effort to fix the cause of the vulnerability, so you want to make sure a particular website has been fixed before you change your password for it; otherwise your information could be stolen again and you’d be in the same spot.

Therefore the thing to do is to check each website you plan to change your password for, and make sure it has been fixed before you change that password. How do you do that?

Several websites have been set up where you can enter a particular website address and it will tell you whether or not the website is vulnerable, has been patched, or was not affected to begin with. https://lastpass.com/heartbleed/ is one that comes to mind that you can use. Also, here’s a list of the top 100 websites people normally use, and their status as to whether they have been fixed or not (scroll down when you click on this link to see the list): http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

It is always a good idea to change your passwords periodically anyway, so go ahead and change them once you know a particular website you deal with has been fixed. And don’t forget: if you’re the typical user who only has 1, 2 or 3 passwords for everything, also change your passwords for the websites labeled as “were never affected” if you have used the same password on a website that was vulnerable.

Hope this helps. Feel free to ask any questions on the subject.


It Can Happen to Anyone

A cautionary tale. Yesterday a client forwarded me an email that he considered fishy, and asked for my opinion. The email contained an attachment, and so I set out to find out what opening the attachment did.

Now normally I take extra precautions when doing something like that, so that any bad “jujus” contained in suspicious files are not allowed to damage my computer. But I guess I had gotten overconfident with time and so I opened the attachment, with just the normal defenses I have in place, as per my own security model. Nothing seemed to happen, which made me suspicious. Anyway, I analyzed the attachment with a service that scans it against 49 different antivirus programs, and it did turn out to be a malicious file. I got rid of it but missed the fact that it had already delivered its payload and that in turn was now waiting to hack my computer. Ha.

Long story short, when I came to the computer this morning I found evidence that a hack attempt had been performed on my computer, emphasis on attempt. AppGuard had blocked the execution of a password stealer that was going to be used to attempt to steal the passwords stored in Internet Explorer, Firefox, Chrome, etc. (not that there are any, I have a standalone password manager and never use the browser’s capability to store passwords for that very reason).

With a chuckle at the clever attempt to hack my computer, I proceeded to scan and clean up any infected files. This was no doubt the closest I had come in years to an actual computer security breach. Mind you, the attempt failed, but only because the last layer in my security model, AppGuard, had stopped the unauthorized run of the password stealer that had been placed in an obscure location in my computer. Which brings me to the point of the story.

If it can happen to me, it can happen to anyone. Except the classic, usual outcome in most cases, if you open the wrong attachment or click on the wrong link, is an infected computer, passwords or other information stolen, and so forth. So when it comes to online related activities, always be alert, always be careful, never let your guard down. Oh, and implement my security model 🙂

Monthly Windows Updates for April, and a Special Note on Windows XP and Office 2003

This coming April 8th the monthly scheduled Windows updates will be released for Windows XP, 7, 8, and the different versions of Office. But it’s worth mentioning they will be the last ones for Windows XP and Office 2003. On that date the official support for Windows XP and Office 2003 ends, so there will be no more updates after that. For those users still using Windows XP and Office 2003, what does that mean?

Don’t worry, your computer won’t explode, or stop working. BUT, in the never-ending fight between good and evil, how does this translate? The bad guys (hackers) are always looking for vulnerabilities in Microsoft products in order to subvert computers. And Microsoft is always playing catch-up by devising and implementing updates to remedy the vulnerabilities found by the hackers. So what do you think is going to happen when Microsoft stops updating Windows XP and Office 2003?

Well, it’s predictable that there will be an invigorated effort to find and exploit new vulnerabilities in these programs, thus making users of them more likely to get infected with malware that will successfully exploit said vulnerabilities. And while there are actions that can be taken to mitigate that possibility (such as implementing my security model), the truth is, the security level will be lower for systems running Windows XP or with Office 2003 installed, after April.

Once again, I recommend upgrading to Windows 7 (not 8, 8.1 or 8.1 Update 1). And chances are, if your computer is as old as Windows XP, that means a new computer as well. In any case, if you were playing with the idea of doing this, now is the time to do it.

Test Drive – Webroot SecureAnywhere Antivirus 2014

Avid readers of mine who have followed my articles over the last few years know that periodically I’ve been known to review Security Suites, i.e. antivirus programs. For those who didn’t know, well, now you do too.

Today I’m writing about Webroot SecureAnywhere Antivirus 2014. This program came to my attention a few months ago. I gave it a quick whirl and was impressed by the light footprint it has and yet how it manages to have plenty of different functions. But I never put it under a formal test, like I usually do when evaluating security programs. Today, however, its turn finally came.

As many of you know, my basic test consists of installing the security program in question in my Windows-7-based test computer, and then proceeding to visit malicious websites and in general try to infect the test computer while keeping records of the security program’s behavior. The only passing grade is 100% success in thwarting efforts to infect the computer. And in this case… Webroot kind of failed. Let me explain what I mean by “kind of”.

On the plus side, its very, very light footprint makes it ideal for old and basic computers, since the average antivirus program these days will take a good amount of memory and computer processing power to operate. Not Webroot though. The claim that it doesn’t slow down one’s computer is true.

On the negative side, I was, strictly speaking, able to infect the test computer after a few attempts. But it’s not black and white, so allow me to explain what happened. I visited a couple of malicious websites that initiated infected files downloads onto the test computer. Initially Webroot caught and blocked the first attempts. But then came a particularly deceiving trojan.

I downloaded and opened the infected file without Webroot protesting or alerting me at all. Bad. But when the program tried to connect to the Internet to “call home”, Webroot did alert me that an untrusted program was trying to connect to the Internet (the antivirus has an outgoing firewall, meaning it monitors outgoing connections. More on that later). That was good. Webroot is designed to block any suspicious action by default while prompting the user for a decision on whether or not to let the program carry on with the suspicious action. That’s not so bad. The bad part is that by default, after 2 minutes, if there is no response from the user one way or the other, Webroot’s default action is to allow it (and I didn’t find anything in the program interface to change that behavior, i.e. a setting that would allow one to change the default action if there is no response from the user).

So potentially, if the user could not or would not respond to the prompt, the malicious action would be carried out. That’s not good. Anyway, since I was evaluating, I allowed the action. Next I got an alert that a change to the registry was being attempted by this suspicious file. Again good. And again, unfortunately, Webroot waited for 2 minutes for a decision as to what to do (allow or block the action) and when there was no response from the user, it allowed the action.

I then proceeded to ask Webroot to scan the downloaded file to see if it would be recognized as a malicious file. Webroot failed to recognize the file as malicious. Then again, a percentage of these malicious files get missed by the antivirus because they’re too new to be recognized as malicious, a subject I’ve covered extensively in earlier articles.

Circling back to the firewall, it is a good thing to have Webroot’s firewall, and the fact that it’s an outgoing firewall makes it a perfect complement to the firewall that comes built into your Windows computer, since that one is only incoming. Normally one is supposed to have only one active firewall, to avoid conflicts in function. But in this case, not only is it possible to have both the Windows firewall and Webroot’s at the same time – it is advised.

So all in all the program performed very well and under normal circumstances probably provides good protection at a ridiculously low resources consumption. But again, strictly talking, it did not pass the test. If, for example, you’re the type of user who pays attention to all windows pop-ups and alerts from their antivirus program, this might be sufficient, and a plus if your computer resources are somewhat scarce. If you abide by my security model, the protection provided by Webroot as an antivirus would be sufficient as well.

Microsoft’s Support for Windows XP Ending Soon, Implications for You

So Microsoft’s support for Windows XP, at some point the most widely used operating system Microsoft has ever put out, is ending early next year – April 8, 2014 to be precise. But what exactly does that mean?

Well, let’s break it down. It means that after April 8, 2014, there will be no

New security updates: These are part of the typical monthly updates Microsoft releases to address known vulnerabilities in Windows XP that a hacker could exploit to take control of your computer or steal information from it. But in fact any Windows XP based computer that otherwise abides by the security model I laid out 4 years ago, is well protected against these exploits. However it’s always a good thing to plug the holes in the fence that might otherwise allow scoundrels to get in. It’s just an extra layer of protection that might make the difference between a computer that is more likely to be affected by malicious programs and one that is not.

Non-security hotfixes: These are also updates, but normally try to mend a performance or stability problem in the operating system and not necessarily a security issue. They, in other words, try to fix “bugs” that have been uncovered, or developed.

Free or paid assisted support options: Not much to explain here. Microsoft provides support for issues related to Windows XP, some issues for free, some for a fee. This won’t be available as an option after the April 2014 deadline.

Online technical content updates: This refers to technical publications that Microsoft publishes online, mostly for computer type guys like me, who can use them as a resource to look for solutions to issues related to the operating system when providing support to end users.

The bottom line

If you’re still using Windows XP, it’s probably a good idea to upgrade to a newer operating system at some point in the near future, namely Windows 7. I don’t recommend Windows 8 (or 8.1 for that matter), but I do recommend Windows 7.


Philippines Typhoon Disaster Email Scams

As has been the practice with previous disasters of this magnitude, malicious and fraudulent email scams are being spread around the recent Philippines typhoon disaster. These emails might contain malicious links or attachments. Beware of such social engineering attempts.

To help you distinguish whether the email is a scam or not, you can do the following:

1. Review the Federal Trade Commission’s Charity Checklist.

2. Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau’s National Charity Report Index.

Two Reasons Why it’s a Bad Idea to Leave Your Backup Drive Always Connected to Your Computer

This applies mostly to those who have a USB external hard drive that is used for periodic backups of your data. I myself use that method for my daily computer data backups. However, I only plug it in at the time of the backup and otherwise keep it disconnected from my computer. Why, you might wonder?

1. In power surge prone areas, if one hits your computer, and your external hard drive is connected to it, and it’s powerful enough, it will fry your computer AND your external hard drive.

2. There are malware infections that will encrypt your files and then ask you for a ransom to decrypt them (aptly named ransomware). The recent versions of it will encrypt files in any drive connected to your computer, not just your internal hard drive. So your only hope for recovery from such infection would be thwarted since the backup data in your backup drive will also be encrypted.

So know your backup schedule, and do what I do: put a reminder in your calendar a few minutes before your scheduled backup, and only then connect your external hard drive to your computer. Unplug it from your computer (and from any power source if it has its own power adapter) when done. Doing this might save the day if disaster strikes.

And if you don’t have a backup plan in place for your computer data, well, I suggest you get going on that. Don’t say I didn’t warn you. 🙂