Anonymity and the Internet
February 4th, 2010
In a recent blog post, security guru Bruce Schneier draws a bleak picture for supporters of universal identification on the net. According to him, anonymity has always been here and is here to stay, mainly because of the structure of the web, which makes each packet of data incredibly difficult (if not impossible) to truly track down to a person. In particular, he refers to ‘onion routing’, a technique that uses multiple intermediaries (bouncing off servers, or proxies), which makes identification of the originator ever so complex. While I agree with the technical challenges, I do not believe we should give up on the goals behind personal identification. There must be a social responsibility for having a device (whether it be a Mac, PC, smart-phone etc.) and for how it is being used. Sure enough, you can’t always figure out who is using the device (for example at a kiosk), but you can track down where the machine is located, what ISP it belongs to, and ultimately who owns that machine.

Continuing on this, lack of knowledge or care is not an excuse for having an infected PC sending spam, for example. Whether or not the machine owner is also the criminal, having a computer that is a bot makes you responsible for it. The thing is, we do have this information today. We know which machines are bots, through their IP addresses. It is not that complex to track them down. What is more difficult is to take action. In a perfect world, you would notify the Internet Service Provider (ISP) that one of their customers has a machine participating in malicious activities, and the ISP would promptly warn its customer to get their machine offline and cleaned, otherwise they would take action and directly cut their Internet access. Unfortunately, this is not the case. Granted, some ISPs are more involved now than they were a few years ago. We see partnerships between ISPs and security firms that do result in takedowns.
However, there are many regions in the world where things happen and not much can be done about them. In fact, some ISPs are fully aware of the malicious activities of some of their customers, but that is also how they sign them up, allowing criminals total impunity. Let’s not throw our arms up in the air, though. We, security researchers, are doing an important job to make the work of criminals more difficult and hopefully more risky. By exposing the bad guys and working with the authorities, we are making their activities less worthwhile. Since criminals are smart enough to hide behind good people’s infected PCs, let’s take those away from them. The more we educate end-users and the more we get those machines cleaned, the fewer resources and the less impact the bad guys can have. Jerome Segura
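The onion routing the post mentions is easier to appreciate in code. The following is an added example, not part of the original post and not the Clearing House's code: a toy three-relay chain in which each relay holds one key, strips exactly one layer of encryption, and learns only the next hop. The relay names, keys and the request are constructed, and a stdlib-only keystream cipher (SHA-256 in counter mode, with no integrity protection) stands in for the real per-hop ciphers and key exchange of a production onion router.

```python
"""Toy onion-routing chain (added example, not from the original post).

Shows why no single relay can tie the originator to the request: the entry
relay sees the client but only an opaque blob, the exit relay sees the
request but only the relay before it.

Assumptions: the keystream cipher below is an unauthenticated stand-in for
real per-hop ciphers and key exchange; relay names and keys are constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed per-relay keys. In a real network the client negotiates a
# separate session key with each hop; here they are simply pre-shared.
KEYS: Dict[str, bytes] = {
    "relay-A": b"constructed-key-A",
    "relay-B": b"constructed-key-B",
    "relay-C": b"constructed-key-C",
}
ROUTE: List[str] = ["relay-A", "relay-B", "relay-C"]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.

    The same call encrypts and decrypts. Illustration only: no integrity,
    and reusing a key for two packets would leak their XOR.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(route: List[str], payload: bytes, keys: Dict[str, bytes]) -> bytes:
    """Wrap the payload in one layer per relay, innermost for the exit relay."""
    # Exit layer: carries the request itself and no next hop.
    inner = json.dumps({"next": None, "body": payload.hex()}).encode()
    packet = keystream_xor(keys[route[-1]], inner)
    # Work outward: each earlier relay's layer names only the following relay.
    for i in range(len(route) - 2, -1, -1):
        layer = json.dumps({"next": route[i + 1], "body": packet.hex()}).encode()
        packet = keystream_xor(keys[route[i]], layer)
    return packet


def relay_peel(relay: str, packet: bytes, keys: Dict[str, bytes]) -> Tuple[Optional[str], bytes]:
    """One relay's job: strip its own layer, return (next hop, inner blob)."""
    layer = json.loads(keystream_xor(keys[relay], packet))
    return layer["next"], bytes.fromhex(layer["body"])


def relay_can_read(relay: str, packet: bytes, keys: Dict[str, bytes]) -> bool:
    """A relay whose layer is not the outermost one gets only noise back."""
    try:
        relay_peel(relay, packet, keys)
        return True
    except (ValueError, TypeError, KeyError):
        # bad UTF-8, bad JSON, bad hex or no dict: the outer layer is not ours
        return False


def traverse(route: List[str], payload: bytes, keys: Dict[str, bytes]):
    """Push the onion down the route; return what each relay learned and the exit's view."""
    packet = build_onion(route, payload, keys)
    learned = []
    prev = "client"
    for relay in route:
        nxt, packet = relay_peel(relay, packet, keys)
        learned.append({"relay": relay, "from": prev, "to": nxt,
                        "sees_payload": nxt is None})
        prev = relay
    return learned, packet


if __name__ == "__main__":
    hops, request = traverse(ROUTE, b"GET /secret HTTP/1.0", KEYS)
    for hop in hops:
        print(hop)
    print("exit relay delivers:", request)
```

Only the first relay records "from": "client", and only the last one ends up holding the request, which is exactly the property that makes a subpoena to any single relay operator unhelpful.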
Clearing House Feedback
February 3rd, 2010
We’ve had a lot of requests for our URL Clearing House service. When I first announced the service, some people got upset because it required a vetting process where we would grant access to whom we wanted. Some folks complained that the information (the URLs) is public domain, and so we should share it for free anyway. Well, almost everybody has been given access, except for those few who failed to reply to our email asking for more details about them. Oh, and maybe those whose emails have been lost in cyberspace (if that is the case, please contact me directly). Anyway, we’ve got people from all over the world. Some folks are working for big-name companies, others are researchers or students. The chart below gives you an idea of where most of them come from. We are continually working on making the site better. Lately there have been some URLs that have been “polluting” the rest, especially ones coming from the same domain, so we’re working on filtering those out, to only show the most relevant ones. Another feature I’d like to point out is the ability for you to share URLs (or malware) with us by clicking the following button. The next page will allow you to paste a URL or attach any files you may wish to send. I hope you like the service and feel free to share your feedback and suggestions with us!
A malware patch for Flash Player
February 1st, 2010
Beware if a site warns you that you need a patch to play a video. Many rogue security programs use this trick to get you to download and run a piece of malware. Some sites even go as far as playing sound but showing no picture. If you really, really need to watch the video and think the site is legit, then download the file but do not run it right away! Send it to VirusTotal.com, where the file will be checked against a large panel of anti-virus solutions. Why not just use your current AV to scan it locally? Well, most of those files are new and cleverly packed to avoid detection, so it is likely that your AV software will not detect it. For example, the file illustrated here was only detected by 8 out of 41 AV engines, with some of the industry’s big guns failing. VirusTotal analysis here. On a side note about this site hosted at white-xxxx{sanitized}.biz, several of the fake comments were in French… All the rest were in English of course, but I still wonder why that French touch? Security researchers who want to download this malware sample and more can get it at: http://mdl.paretologic.com Jerome Segura
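The check the post recommends can be scripted so the file is never executed, and never even uploaded unless VirusTotal has not seen it yet. The following is an added example, not from the original post and not ParetoLogic's code: it hashes the downloaded "patch" locally, looks the hash up, and turns the engine counts into a verdict in which a single detection is enough to refuse to run the file. It assumes VirusTotal's current v3 REST API (GET https://www.virustotal.com/api/v3/files/<sha256> with an x-apikey header) and an API key in the VT_API_KEY environment variable; neither is mentioned on the page. SAMPLE_REPORT is a constructed response shaped like a v3 report, mirroring the 8-out-of-41 result quoted above.

```python
"""Hash-then-lookup check for a suspicious download (added example).

Assumptions not on the original page: VirusTotal v3 API endpoint and header
below, an API key in VT_API_KEY, and the constructed SAMPLE_REPORT shape.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"   # assumed v3 endpoint


def sha256_of_file(path: str) -> str:
    """Stream the file so a large download does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to {hits, total, verdict}.

    The post's point is that a low ratio is not a clean bill of health:
    8/41 is still malicious, so any malicious or suspicious hit means
    'do-not-run' rather than waiting for a majority of engines.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = hits + stats.get("undetected", 0) + stats.get("harmless", 0)
    if hits > 0:
        verdict = "do-not-run"
    elif total == 0:
        verdict = "unknown"
    else:
        verdict = "no-detections"   # absence of detections is not proof of safety
    return {"hits": hits, "total": total, "verdict": verdict}


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the report for a hash; None when VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            # Never submitted: for a "Flash patch" from a random site that is
            # itself a warning sign, and the moment to upload it for scanning.
            return None
        raise


# Constructed sample report in the assumed v3 shape (8 hits out of 41 engines).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 8, "suspicious": 0, "undetected": 33, "harmless": 0}}}}


def main(path: str) -> None:
    digest = sha256_of_file(path)
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("set VT_API_KEY; sha256 of the file is " + digest)
    report = lookup_hash(digest, key)
    if report is None:
        print(digest, "is unknown to VirusTotal: treat as untrusted, do not run")
    else:
        print(digest, summarize_report(report))


if __name__ == "__main__":
    main(sys.argv[1])
```

Usage: `VT_API_KEY=... python vtcheck.py flash_update.exe`. Looking up by hash first also avoids handing a possibly private document to a third party when the file turns out to be something other than malware.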
Online dating tips
February 1st, 2010
I was asked to give tips about online dating. So here is what I have, as a security researcher: Online dating sites have made it into the mainstream as an acceptable way of finding one’s soul mate. For example, you can now see TV adverts during prime time, something that was not very common a few years back. However, certain precautions ought to be taken before signing up for a dating service.
- Never trust a site that came up as a pop-up while you were browsing.
- Never click on an ad from a Torrent / Warez / Streaming site.
- Beware of ads about Eastern European women (the well-known Russian Brides scams).
- If you sign up for one site, complete only a basic profile at first to check it out. Then, over time, you can enter more personal information.
- Look around, maybe Lady Luck lives just next door!
Jerome Segura
What to do when your PC is hijacked by a rogue
January 28th, 2010
Some of the most prevalent and annoying malware today is rogue anti-spyware. These pests are hard to get rid of, and a lot of people will give up and give in (pay for a license) to get their computer back to normal. Here is an example of a rogue called “Control Center”, also known as PrivacyCenter. Upon starting up your PC, you are greeted with a screen full of icons and red warnings on a black background. You can try to close the program by clicking on the X, but to no avail. At that point, a lot of people will get so frustrated that they will just do whatever the program is asking them to do. And that usually involves money! So, here are a few tricks to get back on your feet:
- Press Ctrl+Alt+Del on your keyboard, as illustrated below. Depending on your version of Windows you may see one of several screens; click the item that says Task Manager. (Ctrl+Shift+Esc opens Task Manager directly and skips that screen.)
- If you’re lucky (that is, the malware hasn’t disabled it) you should see the Task Manager panel.
- Click on File, then New Task (Run...), and type explorer.
- After clicking on OK, you should have your Desktop back. Once there, you are good to run your favorite Anti-Virus program and get rid of the rogueware.
Here is a little video I made that shows the steps described above:
More malware for share
January 27th, 2010
We’ve updated a few things with our HoneyPots and you should notice the impact on the URL Clearing House, as more *files* are getting caught. So far we’ve had a lot of URLs with their source code, which we flagged as malicious, but not too many files. I know a lot of you like those binaries, which we cache so that even if the link goes down we still have a copy. We’ve made a few changes to our engine so that it is able to grab a lot of PHP pages that download an executable or a PDF. Anyway, we’re still running the tool in debug mode, but hopefully we get some stable results. You can access/join our site here: http://mdl.paretologic.com/ Jerome Segura
Haiti malware
January 26th, 2010
Malware authors are taking advantage of top headlines such as the Haiti earthquake to distribute their malware. This file comes as a “screensaver”. (A Windows screensaver, .scr, is an ordinary executable under a different extension, so double-clicking it runs whatever the author put inside.) A quick upload to VirusTotal confirms that it is malicious. If you want to download this file and many others, join our URL Clearing House. Jerome Segura
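Both the honeypot change described in "More malware for share" (PHP pages that hand back an executable or a PDF) and the "screensaver" lure above come down to the same rule: decide what a download is from its first bytes, not from the URL or the extension. The following is an added example, not the Clearing House engine's code: a classifier based on standard file signatures (the MZ/PE headers of Windows executables, `%PDF-`, gzip, zip, HTML) plus a triage step that flags executables served from script URLs and .scr files, and says whether the body is a binary worth caching. The URLs, the minimal fake PE image and the other sample bodies are constructed.

```python
"""Content sniffing for fetched downloads (added example, not from the page).

Signatures used are the standard ones: PE executables start with the DOS
'MZ' stub and the e_lfanew field at 0x3C points at 'PE\0\0'; PDFs start
with '%PDF-'; gzip with 1F 8B; zip with 'PK\x03\x04'. Sample inputs are constructed.
"""
from typing import Dict, List

EXECUTABLE_KINDS = {"pe-executable", "dos-mz-executable"}
CACHE_KINDS = EXECUTABLE_KINDS | {"pdf", "zip", "gzip"}   # binaries worth keeping a copy of


def classify_payload(data: bytes) -> str:
    """Return a coarse type for a fetched body based on its leading bytes."""
    if data.startswith(b"MZ"):
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe-executable"           # .exe, .dll and .scr all look like this
        return "dos-mz-executable"               # MZ stub only, or truncated download
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def _extension(url: str) -> str:
    """Last path component's extension, ignoring the query string."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def triage(url: str, data: bytes) -> Dict[str, object]:
    """Combine what the server sent with what the URL claimed."""
    kind = classify_payload(data)
    ext = _extension(url)
    reasons: List[str] = []
    if kind in EXECUTABLE_KINDS:
        reasons.append("executable content")
        if ext in ("php", "asp", "aspx", "htm", "html", ""):
            reasons.append("executable served from ." + (ext or "no-ext") + " URL")
    if kind == "pdf" and ext in ("php", "asp", "aspx"):
        reasons.append("pdf served from script URL")
    if ext == "scr":
        reasons.append("screensaver lure (.scr is a PE executable)")
    return {"kind": kind, "cache": kind in CACHE_KINDS, "reasons": reasons}


# Constructed minimal PE image: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

# Constructed honeypot fetches: (url, body).
SAMPLES = [
    ("http://example.invalid/go.php?id=1", FAKE_PE),
    ("http://example.invalid/haiti.scr", FAKE_PE),
    ("http://example.invalid/doc.php", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("http://example.invalid/index.php", b"<html><body>nothing to see</body></html>"),
]


if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, triage(url, body))
```

Anything with "executable content" or a .scr extension is a candidate for the binary cache regardless of what Content-Type the server claimed, which is the behaviour the honeypot change was after.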
Scam sites steal AV vendor’s property
January 21st, 2010
If you see this, you may start panicking and wonder how to get rid of it. Then, as you surf the net, you may see what appears to be a Godsend. This phone line is a premium number. You will be paying big bucks and your frustration level will skyrocket. This site actually stole its design from a legit AV vendor, namely McAfee. Now, about the whole phone support thing: I admire people who work in this industry. You must be really, really patient! So why is it so difficult?
- People have different operating systems, customized menus, etc. That button you’re trying to have them click on may actually not show up on their screen!
- The language barrier, both technical and linguistic. You may have to really get down to earth (“yes, this thing called a mouse, you slide it on the table and right-click… wait! What, you don’t have a right button?”). Linguistically, some people may not be native English speakers.
- Getting someone to do something is actually a lot harder than people think. There are a lot of misinterpretations and confusion.
So, if you still want to get phone support after that, make sure to do some serious checking beforehand. Do a full background check on the company, do a Google search of the phone number, etc… Thanks to Brendon for the links to the screens. Jerome Segura
When other people’s (lack of) security makes you insecure
January 19th, 2010
Brian Krebs has an interesting (and a little scary) post on his blog. Krebs, whilst at the bank, noticed that the bank manager’s computer was running Internet Explorer 6 (which we know is vulnerable to many attacks, including the current 0-day exploit). How does that make you feel as a customer of that bank? The common excuses always follow: the computer is already too slow, we’re waiting for an upgrade, the IT department is too busy doing whatever, we don’t have time, etc. Maybe people also have been running their programs on that browser for years, and they fear that if they switch they’ll stop working (which actually can be true). I could see a great business idea (too bad it already exists): a consultancy firm that not only assesses your current security but also transitions all your programs, backups, etc. without worry of data loss and downtime. The thing is, if you’re a bank or other sensitive institution, you may not want external parties to access your data. Makes sense. But you can’t always count on your local IT group, who may be unqualified for that job. It happens that I too was at the bank yesterday. I always like to take a look at what they’ve got. And pretty much everywhere you go (hospital, dentist office, etc.) you will find PCs on the floor collecting dust, totally accessible! Now last night (after my bank appointment) I was watching a documentary on National Geographic about prisons and how much stuff goes on (drug deals, weapons, corruption) and how you had to watch your back. Anyway, one of the prisoners got his mom to send him a TV that they (I guess the prison guards) locked inside a hard plastic case, thus making it hard to smuggle drugs or other objects inside. We could imagine something similar for a PC, although you would want air circulation and the like. All in all, that’s a reminder that physical security is as important as software security. Jerome Segura
IE 0 day and general browser security
January 18th, 2010
There has been a lot of talk about the latest 0-day vulnerability affecting Internet Explorer. According to this article from the BBC, the French and German governments have urged their people to find an alternative to Internet Explorer to keep their computers secure. The fact of the matter is, whether or not you use Internet Explorer, you can still be at risk. Telling people to use a different browser is a way too simplistic measure. It may protect you from this vulnerability, but there are many more that apply to all browsers. A more sensible approach would be to inform people about the risks and, if possible, provide a temporary solution to mitigate the attack. It may be as simple as turning off a feature or enabling another one. People should also think of security as layers. If Internet Explorer fails, most of the time something else will prevail, such as a good AV product. Jerome Segura