Tag Archives: internet

The scourge of Ransomware

From Wikipedia:

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files.

To say that Ransomware has become a serious problem in recent times is putting it mildly. In the last year, numerous SA businesses and users have become victims of this nasty type of malware. According to BlueCoat, a security vendor, Ransomware is now the leading mobile threat and ranks very high on the list of desktop/server threats.

Briefly, Ransomware infection is primarily by email link or email attachment. Once the user clicks a link in the infected email or runs the attachment, the infection silently takes place. From there, files accessed by the user are encrypted with a key known only to the malware author. A message ( in the form of a file typically called HELP_DECRYPT.TXT ) is left in the folder where the file was first encrypted – the message provides details of how to send payment, often in bitcoins, to the malware author so that they will send the key to decrypt your files.

CryptoWall 3 and earlier versions, as well as some competing malware, targeted specific files that you accessed. Newer variants like CryptoWall 4 will now encrypt an entire folder and not just the files you access. They also have the ability to infect/encrypt files on the network shares of servers. Chimera is a new type of Ransomware that threatens to post copies of your documents and images on the Internet unless a ransom is paid. PowerWorm has recently come to light as another variant that encrypts files – but it has a bug in that the key is ( mistakenly ) destroyed after encryption, which means that paying a ransom will not get you your files back – ever.

Another method of infection is through websites that are compromised by the Angler exploit kit. Just visiting the site results in a drive-by attack called Pony which scours the infected computer for any login credentials for websites, banking, network resources and applications. Once done, the infected computer is then redirected to alternate sites where Angler will install CryptoWall 4 which in turn will result in encrypted files. CryptoWall 4 also renames files with randomly generated characters meaning that you don’t even know which files have been encrypted.

This is real scary stuff …

Paying what amounts to around R 5,000 – 30,000 ( 1 – 6 bitcoins ) per infection is beyond the means of most. Another issue is that there is no guarantee that the perpetrator will actually send you the key. Paying a ransom is not a good idea …
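The two signs described above ( a ransom note such as HELP_DECRYPT.TXT dropped into a folder, and whole folders of files renamed to random strings and filled with encrypted content ) are also what a defender can look for on a file share. The scanner below is an added example and is not code from the original post: it walks a directory tree and reports any folder that contains a ransom note or where most regular files look encrypted ( near-random byte content, measured as Shannon entropy ). The note name comes from the post; the entropy threshold, the 50% folder ratio and the sample tree it builds for a demonstration are assumptions chosen for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filenames to look for. Only HELP_DECRYPT.TXT is named in the post;
# matching is case-insensitive. Extend the set for other variants you track.
RANSOM_NOTE_NAMES = {"help_decrypt.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed data sits close to 8.0;
    ordinary documents are usually well below 6.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 4096, threshold: float = 7.5) -> bool:
    """Heuristic (threshold is an assumption): sample the start of the file and
    treat near-random content as encrypted. Tiny files are not judged."""
    try:
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
    except OSError:
        return False
    if len(head) < 256:
        return False
    return shannon_entropy(head) >= threshold


def scan_for_ransomware_signs(root, ratio_threshold: float = 0.5):
    """Walk root and return {folder: [reasons]} for folders that contain a ransom
    note or where at least ratio_threshold of the regular files look encrypted."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        reasons = []
        notes = sorted(f for f in filenames if f.lower() in RANSOM_NOTE_NAMES)
        if notes:
            reasons.append("ransom note present: " + ", ".join(notes))
        # The note itself is plain text, so exclude it from the encryption ratio.
        candidates = [folder / f for f in filenames
                      if f.lower() not in RANSOM_NOTE_NAMES and (folder / f).is_file()]
        if candidates:
            encrypted = sum(1 for p in candidates if looks_encrypted(p))
            if encrypted / len(candidates) >= ratio_threshold:
                reasons.append(f"{encrypted}/{len(candidates)} files look encrypted")
        if reasons:
            findings[str(folder)] = reasons
    return findings


def build_sample_tree(base) -> Path:
    """Construct a sample tree for the demonstration (constructed data, not real
    malware output): one clean folder and one that mimics what the post describes."""
    base = Path(base)
    clean, hit = base / "clean", base / "hit"
    clean.mkdir(parents=True, exist_ok=True)
    hit.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (clean / f"report{i}.txt").write_text("quarterly figures\n" * 40)
    (hit / "HELP_DECRYPT.TXT").write_text("constructed placeholder ransom note\n")
    for _ in range(4):  # randomly named files with random (encrypted-looking) content
        name = f"{os.urandom(6).hex()}.{os.urandom(2).hex()}"
        (hit / name).write_bytes(os.urandom(4096))
    (hit / "untouched.txt").write_text("still readable\n" * 40)
    return base


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the
    findings keyed by folder name relative to that directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(k, tmp): v for k, v in scan_for_ransomware_signs(tmp).items()}


if __name__ == "__main__":
    for folder, reasons in demo().items():
        print(folder)
        for r in reasons:
            print("  -", r)
```

Run it against a real share by calling `scan_for_ransomware_signs("/path/to/share")` from a scheduled job; a hit is a reason to pull the share offline and go to the backups, not to start paying anyone.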


What can I do to protect myself?

  • always keep your Operating System and installed applications up to date
  • do not use Adobe Flash and plugins for browsers, and try to limit your usage of Java
  • make sure you have a good Anti-Virus package installed and make sure it is updated continuously
  • do NOT click on links in emails ( even if they look genuine ) and do not save or run attachments from emails that appear to be from friends, family or known business connections
  • use common sense and logic when accessing email and visiting websites; look for things that are out of the ordinary and double check items that look ordinary
  • attend Security Awareness Training which gives you the tools to navigate email, websites and other internet applications safely
  • backup your data regularly

What can I do if I’m infected?

The answer to this is: nothing – if you’ve not followed the last recommendation above. The only option is to clear out the infection and restore data from backups. Clearing out the infection often means rebuilding the infected device from scratch, reinstalling all applications and restoring your data.

If you don’t have a backup, then there are no further options. Unless you want to take a chance and have the funds available to pay the ransom …

Adobe: Stop using Flash

Wow! This is one for the books – Adobe telling everyone to stop using a product of theirs!

http://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html?scid=social_20151201_55826586&adbid=671559505906282496&adbpl=tw&adbpr=63786611

This is just reinforcing what we’ve known all along – Flash is a security nightmare! Mozilla and Chrome have been actively blocking flash for some time now and I must say, I don’t really miss it. Considering the huge amount of Flash placeholders on the sites I visit, it’s still very much in use … which means that website builders are not getting the message.

The bulk of internet users out there may still not understand the implications, and they continue to use Flash even though it’s probably one of the most insecure and hacked pieces of software ever. Time for awareness and change.

Flash triple threat

The last week has been a very interesting one ( read OMG it’s almost the end of the world ) in the security world. There were new threats from all corners but Adobe Flash stole the show with 3 critical issues in 2 days.

All 3 issues could result in remote code execution or DoS attacks. Grim stuff.

The CVE details are:

http://www.cvedetails.com/cve/CVE-2015-5123/

http://www.cvedetails.com/cve/CVE-2015-5122/

http://www.cvedetails.com/cve/CVE-2015-5119/

What’s really scary is that CVE lists 30 critical issues of level 10 for Flash in July alone. If ever there was a time to stop using Flash, it’s now. The problem is that many sites are still using it in frames, ads and other areas, including sites that actively promote not using Flash.

To be clear, these vulnerabilities are actively being exploited at this time. We’ve also seen an alarming rise in Remote Trojan/Ransomware attacks locally here in SA, which may or may not be related to Flash vulnerabilities. These result in the encryption of client data and a subsequent blackmail request for payment to unlock the data. The primary injection method for this is spam email and associated attachments.

What can you do?

  • Disable and remove Flash completely – this is the best choice but it may result in some websites breaking – it’s a choice you need to live with ( or not ). Also, disabling Flash in your browser does not disable it in your OS and will result in the OS still being vulnerable to application-based attacks. Complete removal is the only option.
  • Disable Flash in browser and set to ask for activation – Firefox ( I’m not sure about other browsers ) can set a plugin like Flash to ask for activation on each event. So normally, Flash does not work, however you can click a placeholder to activate a particular Flash element on a page.
  • Carry on using Flash – no comment

For applications that rely on Flash in the Operating System, it’s time to send a friendly email to the developers asking them why they are opening their clients up to potential security issues.

For users of Youtube, most browsers already support Google’s HTML5 Flash-less option. You can check the status of browser support here:

https://www.youtube.com/html5

Of course, you also need to update your OS regularly and any other 3rd party applications. And keep an eye open for spam emails.

For those with a few extra minutes, Steve Jobs wrote a fairly famous open letter to Adobe in 2010 criticizing Flash. I’m not a Jobs fan but this hits the nail on the head – well said.

The latest issues are a direct result of the hacking of one of the largest hacking companies ( The Hacking Team ), based in Italy. Hacking the hackers – where have I heard that before? Some movie I think …

Home routers: security fail

It’s no secret that I absolutely hate non-business/home-based ( ADSL/3G/other ) routers. From a security point of view, they have a history of never-ending security issues that result in a variety of malicious attacks including DNS reflection, remote control, spam, malware infections and other attacks.

There are other serious issues including ( but not limited to ):

  • vendors of these devices are slow to react to vulnerabilities and often don’t even patch these
  • users either don’t know that updates are available, don’t know how to apply patches/updates or just can’t be bothered to apply updates
  • the firewall/protection features of these devices are limited
  • there are common back-doors included in many of these devices which opens up access to attackers

Because non-business grade routers/firewalls don’t carry any sort of guarantee or warranty in terms of performance, vendors do not put ( as much ) effort into these in terms of keeping them secure. The following link describes just how bad the situation is:

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

If you have any concern over your internet security or use your internet link for any secure services ( like online shopping or internet banking ), consider purchasing/using a business-grade firewall that will:

  • provide you with a decent level of protection
  • be updated regularly by the manufacturer

Keeping your desktop computers, laptops and mobile devices safe is only one part of home security. You also need to look at the security of your network devices including routers, printers and WiFi access points as these are an important point of access to your home network and can compromise your systems as easily as a virus on your computer.

Invoiceplane takes another step

I took quite some time to find an accounts/invoicing package that suits my work style but I finally came upon Invoiceplane last year. The basic requirements were:

  • product/service database
  • client database
  • create quotes
  • create invoices
  • send invoices via email
  • classification of invoices and quotes ( workflow eg. created, sent, overdue, etc. )
  • list invoices by client
  • list overdue invoices
  • create recurring invoices

And Invoiceplane delivered on all accounts with a nicely designed interface with good usability and ergonomics. The UI includes a top bar menu divided into a few prime categories: clients, quotes, invoices, payments and reports. There is also a one-shot dashboard giving an overview of quotes and invoices, with quick links to various aspects of the quotes and invoices.

Installation is straightforward – you need a LAMP or WAMP system with MySQL, Apache and PHP support. Once installed, there is some basic setup, which includes setting up email and invoice/quote templates and then you can start adding clients. Custom fields are a nice addition allowing one to add fields/parameters to customers that aren’t available by default.

The next step is to add services/products – these can be created ( and saved ) while generating invoices or you can pre-create them in the Products section.

And finally, start creating invoices selecting pre-created products from the database or creating these on the fly. VAT and Tax are catered for in invoices as well as invoice terms ( I use this field to include my bank details ) and due date.

The latest version 1.2 includes the ability to lock invoices to read-only once created as many tax authorities require that an invoice not be altered once it’s created. As payments are processed on the system ( which includes amount, payment date and type ), these are offset against the invoices which have their status altered to Paid. Any invoice can also be converted into a recurring invoice with variable generation terms ( eg. monthly or yearly ).

For reporting, there is invoice ageing available as well as payment history and sales by client. All invoices, quotes and reports are generated as PDF files which can be tailored with logos and some other items. One really neat feature of the quote system is that a URL is generated at which a client can approve or disapprove the quote. Once approved, you can convert the quote into an invoice.

All in all, this is a fantastic piece of software that does the basics and does it well.

Online security in the shopping season

Online security should always be the focus of anyone using the internet. Yet major holidays tend to be more important seeing as there are many who only shop online around this time. Black Friday especially is a big draw-card.

The fact is that online security is part common sense and part preventative maintenance. If you get the basics right, then you’re 90% there …

Richard Henderson @ Fortinet has put a great list together that will help perennial shoppers, daily buyers and those just dipping their toes into the water.

Take a look …

A fascination with special characters

In the computer world, special characters can have a certain usefulness or can be a hindrance. The very first special character I learnt 25 years ago, was the colon. It was ( still is ) used as the delimiter to change drive letters in DOS.

eg. if you were in drive C and wanted to go to drive D, you would type:

d:

Simple? Yes

But not always so. Because of the special intent of certain characters, using them in a non-content fashion can be problematic ( sometimes catastrophic ).

What do I mean by non-content? Well consider a document – the text in the document is the content and the title of the document is ( part of ) the metadata or non-content.

System administrators or programmers will know that #! has special meaning. If you want to use it in a non-content fashion, you have to take extra steps. If you don’t, you may not get the result you expect.

This brings to mind a recent story from a colleague. A client had gone to a web development firm to ask about pricing for a web site. Not having done anything similar before, they got quite a shock when the quote was presented.

The client decided to look for other avenues and ended up doing the site themselves using an online templating service. It was a reasonable site but had many links and pages, and was a bit complex. Nevertheless, the client then approached an SEO firm ( search engine optimisation ) to make sure that the site was successful from a search and marketing point of view.

But the site never appeared in search results at all. The client was quite upset with the SEO firm but after much troubleshooting the SEO firm determined the issue was not with them. So the client asked my colleague to take a look and he found the issue: the client had prefixed all page titles on the site with #! – those in the know understand that this means “Do not index this site under any circumstances!” And so the search engines blissfully ignored the site.

And so the client had to go back and re-title around 300 web pages – quite a bit of not-so-enjoyable work.

It often occurs that someone is not happy with the pricing of a service but there might be a very good reason for that pricing – the service provider has experience and understands the ins and outs of their industry. That experience costs money and is of value. Doing things yourself can sometimes end up costing you more in the end.

To get back to the point: special characters should be avoided at all cost. Do NOT use them!!!

My philosophy is to only use lower case and no special characters at all, especially when naming things. Keep it simple.
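One way to apply that philosophy mechanically, as an added example that is not code from the original post: a normaliser that reduces any title or filename to lower-case ASCII letters, digits and a single separator. A leading #! ( or any other run of special characters ) collapses into a separator and is trimmed away, accented letters are folded to their base letter so nothing outside ASCII survives, and a separate helper keeps a file extension intact. The separator, length limit and fallback name are assumptions chosen for this example.

```python
import re
import unicodedata

# Anything that is not a lower-case ASCII letter or digit is a "special character" here.
_NOT_SAFE = re.compile(r"[^a-z0-9]+")


def safe_name(text: str, max_len: int = 64, sep: str = "-") -> str:
    """Fold accents to base letters, drop everything non-ASCII, lower-case, collapse
    every run of other characters (including a leading '#!') to one separator and
    trim. Returns 'untitled' (an assumed fallback) if nothing usable remains."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode("ascii")
    slug = _NOT_SAFE.sub(sep, folded.lower()).strip(sep)
    if len(slug) > max_len:
        slug = slug[:max_len].rstrip(sep)
    return slug or "untitled"


def safe_filename(name: str) -> str:
    """Like safe_name but preserves a lower-cased extension, so
    'My Report (v2).PDF' becomes 'my-report-v2.pdf'."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # no extension, or a dot-file such as '.bashrc'
        return safe_name(name)
    ext_clean = _NOT_SAFE.sub("", ext.lower())
    base = safe_name(stem)
    return f"{base}.{ext_clean}" if ext_clean else base


if __name__ == "__main__":
    for title in ["#! About Us", "Café Menu (2015)", "#!", "My Report (v2).PDF"]:
        print(repr(title), "->", safe_name(title), "|", safe_filename(title))
```

Apply it at the point where a name is first created ( page titles, upload filenames, product codes ) rather than trying to clean up 300 pages afterwards.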

Security issues in ADSL and other routers

I’ve never been a fan of using ADSL/Wifi routers as the main firewall for a network ( which unfortunately ends up being the case for most home users ). These are devices built to the cheapest price, using the cheapest software development and generally, there are very few ( if any ) updates for security issues on these devices. Even if there are firmware updates available, end-users tend not to update these either through ignorance or lack of skill.

There are many vulnerabilities relating to ADSL/Wireless routers in the wild, often causing havoc with DNS and other systems. The latest bug relates to open DNS proxies on routers resulting in a 24-million router DNS denial of service attack on ISPs.

A backdoor in some Linksys and Netgear wireless routers that allows malicious users to reset the devices’ configuration to factory settings and, therefore, to default router administration username and password, has been discovered and its existence shared with the world.

Another is the Wifi hacking trojan, RBrute which infects Wifi routers and then distributes the Sality malware family which can subsequently infect Windows systems with web/dns redirection, remote access, information theft, rootkit capabilities, disabling firewalls/av and downloading additional malware. The list goes on and on. This stuff is nasty to say the least.

This doesn’t stop at low-end routers like TP-Link, Netgear and Dlink – others like Linksys and Belkin are also often targeted. The main problems with these routers come in 2 areas:

1. mis-configuration

2. software issues

The mis-configuration issue can be laid at both the end-users’ and manufacturers’ doors. First, end-users aren’t always skilled enough to configure these systems properly. Second, manufacturers often add additional accounts to routers that aren’t normally used and that end-users are unaware of. These then present back-doors for malware and attackers to misuse.

The quality of software development in these systems is of a very low quality resulting in all sorts of vulnerabilities such as cross-site scripting issues to DNS amplification attacks. Manufacturers also tend to update their routers very seldom ( if at all ) resulting in the bulk of routers out there having some issue or other.

If you are going to use an ADSL/Wifi router, then make sure you update its firmware to the latest available, and close/change passwords for any accounts on the unit. Better yet, you should put the unit into bridge mode and use a proper firewall for your protection.

The people we trust

The right to privacy in the new social era is no longer a given. In fact, many say that you should expect to have no privacy with information made available on the Internet. I’m a half and half kinda guy in this argument. On the one hand, pure social media information should be assumed to be public although service providers in this area have to give users control over privacy settings. On the other hand, Internet services deemed to be private by the majority ( eg. email services, closed forums, etc. ) should be private by default and have a reasonable amount of security attached. Encrypted and salted passwords are a given.

The number of breaches in recent times of services that one expects privacy and security from, however, should make you think twice about the information you put out there. Not only are service providers struggling with availability, but they’re also struggling with security and privacy. And many service providers are still not salting their password databases, which means that compromised service providers run the very real risk of having their databases cracked and published online.
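What "salting" buys a service provider is easiest to see side by side. The code below is an added example, not code from the original post or from any provider named in it: it contrasts an unsalted SHA-256 digest ( where every user with the same password gets the same hash and one precomputed table of common passwords unlocks all of them at once ) with a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest, verified in constant time. The iteration count, salt size and record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Work-factor parameters are assumptions for this example, not figures from the post.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_hash(password: str) -> str:
    """The weak scheme the post warns about: one plain SHA-256 of the password.
    Identical passwords give identical digests across every user and every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The stored record is self-describing
    (scheme$iterations$salt_hex$digest_hex) so it can be verified later and the
    work factor can be raised over time without breaking old records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant
    time. Malformed records and unknown schemes never verify."""
    try:
        scheme, iter_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_str)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def lookup_unsalted_digests(stored: Dict[str, str], common_passwords: List[str]) -> Dict[str, str]:
    """Shows why unsalted storage fails: hash each common password once, then every
    stored digest is a dictionary lookup. Returns user -> recovered password. With
    per-user salts the same table matches nothing and each user costs the full
    PBKDF2 work factor separately."""
    table = {unsalted_hash(p): p for p in common_passwords}
    return {user: table[d] for user, d in stored.items() if d in table}


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    unsalted_db = {"alice": unsalted_hash("123456"), "bob": unsalted_hash("123456")}
    print("same password, same unsalted digest:", unsalted_db["alice"] == unsalted_db["bob"])
    print("recovered from unsalted db:", lookup_unsalted_digests(unsalted_db, ["password", "123456"]))
    rec_a, rec_b = hash_password("123456"), hash_password("123456")
    print("same password, salted records differ:", rec_a != rec_b)
    print("verify alice:", verify_password("123456", rec_a), "| wrong password:", verify_password("12345", rec_a))
```

The two things to check in any provider's ( or your own ) password store are visible here: identical passwords must not produce identical records, and verification must be a recomputation against the stored salt, never a string comparison against a bare hash.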

Trust is something else completely. This is where we expect the service provider to consider our personal information and data sacred. Microsoft’s recent admission that it snooped on emails inside a Hotmail user’s mailbox without permission is a stunning indictment of service providers’ accountability when it comes to our privacy and security. This should, by all accounts, be a criminal event, no matter the fact that Microsoft owns the infrastructure that your data is stored on.

In testimony before the Privacy and Civil Liberties Oversight Board, the NSA general counsel Rajesh De and his colleague stated on Wednesday that the tech companies that denied giving access to user data via the PRISM program were, in fact, lying. Ok so we’re not really impressed by the NSA’s actions over the last year or so, and their track record in terms of trust stinks, however I would quite easily accept that service providers were complicit in the NSA’s collection of communications. It would be difficult to intercept comms on the scale that the NSA has without support from service providers.

Dropbox? Gmail? LinkedIn? etc. Think twice about the security and privacy of your data when storing it online. Unless it’s stored in your own private solution, your data is seemingly no longer private, even when there is a good expectation of that privacy.

UPDATE: So Microsoft have covered themselves as follows:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.

You have it from the horse’s mouth – your data is not safe when stored on Microsoft’s systems.

Personal security, Digital Security and Identity Theft

We live our lives in an always-on digital world these days. Medical, banking, shopping, services, mobile, multimedia – all of these are engaged with and executed on-line, along with a whole host of threats including viruses, malware, phishing, pharming, advanced persistent threats and more. Not only do we have to deal with threats from the bad guys, but now it seems we have to deal with these threats from the good guys as well ( our governments ).

Former NSA contractor Edward Snowden’s worldwide exposé and whistle-blowing on the NSA and other US government organisations has everyone up in arms and scurrying for answers. It’s clear now that

  • the national intelligence’s then director lied to Congress about whether or not they were spying on US citizens
  • communications companies and Internet Service Providers have been unwitting ( or not ) participants in the collection of data and the access of that data by the US government
  • the UK’s GCHQ bugged and tapped G20 summit visitors for email and phone traffic in 2009
  • on-line sites and services are being compromised at a phenomenal rate

And we’re getting a bigger picture of how bad things are on a daily basis as more and more documents are released regarding the alleged spying fracas. Yesterday, it was reported that Microsoft ( and I’m sure they’re not alone ) has assisted US authorities with large scale interception of data running on Microsoft networks and services including but not limited to:

  • Skype audio and video chats
  • Outlook.com emails and chats
  • SkyDrive cloud storage

This puts security agencies’ complaints, about not being able to do their work due to encrypted communications, in a new light – they’ve circumvented the issues by going to the source of the data!

So what are the issues facing Internet users and businesses today?

  • global, connected and organised criminals
  • advanced persistent threats where an entity is persistently targeted through a number of different methods
  • breaches affecting well-known and used services
  • increase in enforcement risk
  • reduction in on-line privacy
  • identity theft
  • more digital devices and technology
  • business naivety

With all the talk about IT security issues reaching mainstream news, it’s surprising that the last one is still on the table but there is definitely a sense of lacking in the broader business community when it comes to IT security. Why?

  • I don’t need or want to know about IT security
  • I don’t have the skills
  • It doesn’t affect me
  • My IT operations are already secure

Burying your head in the sand, ostrich-style, is not going to make the problem go away. You need to meet it head on and make the necessary changes and improvements to safeguard your digital identity, systems and data. If you’re uncomfortable making the changes yourself, then ask someone to assist. The cost of a loss or compromise of data is likely to be far more than the cost of protecting yourself properly. An average rebuild of a single infected PC is about R2000. Basic security and common sense costs a lot less. So how can you go about this?

Start with a good Internet Security package; one that includes Anti-virus, malware protection, firewall and web filtering. Good choices are BitDefender, AVG and Nod32. Next, practice safe internet access – choose your websites carefully; use complex passwords for service access; update your applications and operating system regularly; do not download applications that are not well-known including browser plugins and tool-bars, and virus-removal apps; do not click on advertising banners; make sure your security package is updating regularly; use private-mode browsing for Internet Banking. And finally, practice good email etiquette and management – archive your email regularly; do not click on links in emails; do not respond to emails from senders you don’t know. In general, never offer information when it’s not related to you, or offer more information than necessary. Question everything. Follow this through to mobile and landline use, when someone approaches you in the street or knocks on your door.

Even when we think the information we have is unimportant or not relevant to others, that information can still be used in a number of malicious ways. Security is half maintenance and half common sense. Together, these can keep you reasonably safe.

ID Experts have an interesting graphic showing current security issues – find it here.

The cloud and security

Moving your applications and data into the cloud presents a paradox when talking about security. A recent Thales survey found that over 60% of respondents thought that the cloud provider was responsible for protecting their sensitive and/or confidential data. And over 50% said they didn’t know what their cloud provider does to protect their data. That’s a substantial area of unknowns and the reason I said this was a paradox – you’re moving your systems into the cloud for the possibility of less security!

Why is this important? Because many PaaS/IaaS solutions involve putting your beloved data out there where you have less control and security. Witness the new default in Windows 8.1 of setting your Documents library to SkyDrive as the default write location. And apparently the contents of files are not stored locally, only the metadata – it looks like the file is local, but only the info about the file is kept locally. You will need to specifically right-click a folder and set it to be available offline if you want a local copy. Stub files ( reparse points ) do the magic in the background.

But this is a serious departure from traditional cloud sync apps for desktop users and requires a certain ( heavy ) reliance on a good quality internet connection. It also requires heavy reliance on the security and confidentiality of the cloud provider, something that is likely ( and has been proven ) to be in short supply, as can be gathered from recent spying allegations, media reports and lawsuits.

There is the probability that American companies are specifically being caught in broad-ranging requests for customer/user data. And there are reports of the UK following a similar pattern. So the question to ask is how secure do you feel about the confidentiality of your data when stored with a cloud provider. I think this particular issue is going to be shaped by the events around government laws and data interception in the next few years. A word of warning: everything on the internet is available for anyone to see.

WordPress 3.5.2 updates security

For those using WordPress, you’ll be happy to know that version 3.5.2 has just been released with a number of fixes, including for SSRF ( server-side request forgery ) attacks, a number of components updated to fix XSS ( cross-site scripting ) holes, and DoS ( denial of service ) attacks on WordPress’ post password protection system. The project “strongly encourages” users of WordPress to upgrade as soon as possible.