Monthly Archives: September 2010

Hotmail Password Reset Security Boosted

To balance the avalanche of vulnerabilities I’ve been writing about lately, here’s some good news on the subject of computer security. I’ve written about this service in the past, but Microsoft has now added new security measures to its Windows Live Hotmail Web mail service to help users regain control of hijacked accounts.

Citing a trend of spammers seizing legitimate accounts, Microsoft said it was kicking off new techniques to sniff out compromised Hotmail accounts, as well as giving users more ways to reclaim inboxes snatched by criminals.

Rather than rely on an alternate e-mail address and a single secret question-answer pair for resetting an account password, Hotmail now lets a user set one or more “trusted PCs” or a mobile phone as proof that he/she is the real owner of the account.

In one of the most famous abuses of a password reset feature, University of Tennessee student David C. Kernell got control of the Yahoo Mail account of former Gov. Sarah Palin during the 2008 presidential election by answering a single security question.

Kernell was later convicted on a federal felony charge and a federal misdemeanor charge.

Hotmail users can now tag multiple PCs as proof instead. Users locked out of their account by a hijacker can regain control simply by logging in from one of the previously-set trusted machines.

To use a PC as proof, users must have installed Windows Live Essentials, a suite of free applications Microsoft offers for download.

Users can also enter a mobile number as another proof. That phone will then receive an unlocking code via a text message when the user asks for a password reset.

With those proofs in place, more users will be able to reset their passwords without help from Microsoft support.
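The phone proof described above works only if the code sent by text message is short-lived, usable once, and not guessable by brute force. The following is an added example of such a reset-code store, written for this article and not Hotmail’s own code; the key, account names, code length, ten-minute lifetime and five-attempt limit are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the code sent by SMS (assumed)
CODE_TTL_SECONDS = 600   # code expires after ten minutes (assumed)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is voided (assumed)


class ResetCodeStore:
    """Issues and verifies one-time password-reset codes delivered out of band.

    Only a keyed hash of each code is stored, so a leaked table does not yield
    usable codes. Constructed example; not the Hotmail implementation.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                  # injectable clock, handy for testing
        self._pending = {}               # account -> [digest, expires_at, attempts]

    def _digest(self, account: str, code: str) -> bytes:
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account: str) -> str:
        """Create a fresh code for the account and return it for SMS delivery.
        Re-issuing replaces any earlier code for the same account."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[account] = [
            self._digest(account, code),
            self._now() + CODE_TTL_SECONDS,
            0,
        ]
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Return True exactly once for the right code, within its lifetime."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[account]   # stale or exhausted: void it
            return False
        entry[2] += 1
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(digest, self._digest(account, submitted)):
            del self._pending[account]   # single use
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]   # too many guesses: force a new issue
        return False
```

A real deployment would also rate-limit how often a code can be requested for an account, since each issue sends a text message the attacker could use to harass the legitimate owner.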

To add additional proofs, such as a trusted PC or cell phone, to a Hotmail account, users must click “Options” in the upper right of the Hotmail screen, select “More options…” from the drop-down menu, then click “View and edit personal information” under the subheading of “Manage your account.” The proofs can be added under “Password reset information.”

Microsoft isn’t the only Web mail provider beefing up security. Last week, Google announced two-factor authentication that lets businesses protect Gmail log-ins by delivering a one-time code to a cell phone via text message.

It’s Been a Busy Summer for Vulnerability Attacks on Adobe

Less than a week after warning users that hackers were exploiting an unpatched bug in its Reader PDF viewer, Adobe said 8 days ago that Flash, its other prominent program, was also under fire. Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system,” the advisory read. All editions of Flash, including those for Windows, Mac, Linux, Solaris and Google’s Android mobile operating system, include the flaw.

The company said then that it would patch Flash in two weeks. However, I just got word that they have moved it up to today. Go to the download center at http://get.adobe.com/flashplayer/ to get the latest version.

Click here to find out what version of Flash you have installed. If it’s less than 10.1.85.3, you need to update it.
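Comparing a version string such as 10.1.85.3 by hand is easy to get wrong, and comparing it as plain text is wrong in a subtle way: as strings, “9.0.280.0” sorts after “10.1.85.3” because “9” comes after “1”. The following added example, not code from this article or from Adobe, parses the dotted version into numbers before comparing. It also accepts the comma-separated form some Flash version readouts use (the “WIN 10,1,85,3” style), which is an assumption about that readout rather than something the post states.

```python
import re

PATCHED_FLASH = "10.1.85.3"   # fixed version named in the post


def parse_version(text: str) -> tuple:
    """Extract a dotted (or comma-separated) version from text as a tuple of ints.

    Accepts "10.1.85.3" as well as "WIN 10,1,85,3"; raises ValueError if no
    version-looking run of digits is present.
    """
    m = re.search(r"\d+(?:[.,]\d+)*", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", m.group(0)))


def _pad(a: tuple, b: tuple):
    # "10.1" should compare like "10.1.0.0", so pad the shorter tuple with zeros.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def needs_update(installed: str, patched: str = PATCHED_FLASH) -> bool:
    """True when the installed version is numerically below the patched one."""
    a, b = _pad(parse_version(installed), parse_version(patched))
    return a < b


def naive_needs_update(installed: str, patched: str = PATCHED_FLASH) -> bool:
    """The wrong way, kept only to show the pitfall: lexicographic comparison
    says 9.0.280.0 is NOT older than 10.1.85.3."""
    return installed < patched


if __name__ == "__main__":
    for v in ["9.0.280.0", "10.1.82.76", "10.1.85.3", "WIN 10,1,102,64"]:
        print(f"{v:>16}: update needed = {needs_update(v)}, naive = {naive_needs_update(v)}")
```

The same numeric comparison applies to any dotted product version, so the check can be reused for Reader and Acrobat once Adobe names a fixed version for them.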

Noteworthy is the fact that Google Chrome users got the patch four days ago, one of the benefits of an April Google-Adobe deal. That’s one of the factors that has made Chrome my current official choice of web browser.

New PDF Exploit – “Scary, Clever, Impressive”

The newest zero-day exploit of the Adobe Reader and Adobe Acrobat programs, recently observed for the first time, sidesteps two land mines put there by Microsoft for the Windows operating system. I won’t go into the technical details, but the security measures are related to the programs’ use of memory. Whether or not you fully understand this paragraph, this is what needs to be understood: the techniques used in this new exploit have been labeled as “scary”, “clever” and “impressive”. Not the kind of modifiers you want to hear when the subject at hand is exploits.

This exploit has been observed circulating in the wild, attached to e-mails touting renowned golf coach and author David Leadbetter with the subject “David Leadbetter’s One Point Lesson”. On top of that, it carries a “valid” digital signature (meant to attest to its authenticity and legitimacy) that was, of course, stolen. So heads up.

Mitigating Actions and Patches

Adobe warned Reader and Acrobat users last week of the vulnerability, but it has not said when it would patch the bug. Nor has it offered any advice about how to stymie attacks.

Disabling JavaScript in Reader and Acrobat would block the current exploit but might not protect people against future attacks. To disable JavaScript in Adobe Reader or Acrobat on Windows, select Preferences from the Edit menu, choose “JavaScript,” then uncheck the “Enable Acrobat JavaScript” option.

And of course, security awareness and good habits when it comes to handling e-mail and surfing the web always help mitigate the propagation of these threats.

Fake Malware Alerts Are Getting Better

It is a known fact that malware creators often appeal to users, trying to lure them into action that aids infection of the target computer. In computer security this is called social engineering. The user is presented with a scenario that looks legit and is then asked to click on something or install something in order to continue, avoid damage, correct what’s wrong, etc. All fake/rogue antivirus programs use this technique, trying to make the user install the rogue software or pay for the full version, lest an apocalypse of infections go unhandled on the user’s computer. This subject has been covered before. But over time the techniques are getting better, and that deserves its own article.

One of the newest styles involves your web browser. Internet Explorer, Firefox, Google Chrome, they’re all potentially affected. Here’s how it works: a specific virus (called MSIL/Zeven) auto-detects which browser you’re using, then presents you with the “infected website” or “phishing website” alert, giving you an option to install an update to handle it. The update is of course a fake antivirus. The problem is that the alert looks very legitimate (except maybe the Firefox one, which has a typo, “get me our of here”). The landing page, if the user opts to install the fake antivirus, looks A LOT like the Microsoft Security Essentials website. Even a trained eye can be fooled. What is new about this social engineering technique is that it relies on the user’s trust in his/her day-to-day web browser. The telltale sign, however, is that no browser would ever prompt you to install antivirus software.

So it behooves you to double-check and be more alert when a computer prompts you for action. If you have doubts about this, ask an expert.