Saturday, July 23, 2011

YAFC-Y (Yet Another Facebook Clipjack - Yawn)

Hi folks,

Today, with Amy Winehouse's passing, another young star burned out entirely too soon. Whether we were fans or not is irrelevant. The salient point is that there is a group of greedy, covetous, rapacious, insatiable, avaricious, penurious, gluttonous vultures who eagerly await some misfortune, such as Amy's death, or yesterday's cruel events in Norway.



Within hours of these events, they flood Facebook with promises of prurient or sensational videos, but the real goal is to trick kids or teens into agreeing to a $10 a month charge to the cell phone bill. The scammers assume the kids won't read the fine print.

So, as the title says, on one hand it's YAFC-Y ... Yet Another Facebook Clipjack - Yawn..., but by golly, they're not much more than sociopathic animals. I wonder how they can sleep at night.

Truly, these people (and I use the word loosely) are the lowest of the low, and I can only hope that someone like FTC has them squarely in their crosshairs.

Grrrr.

Wednesday, July 6, 2011

Hardening iOS

Hi folks,

iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors, are looking hard at how to attack them. With that in mind, I was pleased to see this document, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.

It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...

(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails/ IM chats with him... but I digress)

(2) Keep in mind that "Smart Phones" tend to sync (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, you might well be off-network, and thus unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a PIN on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the PIN. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.

(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.

When I first started in anti-virus in 1987, there were only a few viruses... Brain, Lehigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti-virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!

For a long while, we only had to worry about DOS, and then Windows viruses, but now we have ubiquitous Windows malware, plus Apple OS X malware, and a fast-growing Android malware problem. iOS is still fairly safe, but history shows that any platform that has the characteristics of being both widely adopted, and cheap and easy to develop on, becomes a target.

Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.

Keep safe folks.
Roger

Tuesday, July 5, 2011

A trap for young players

Hi folks,

Today, on my iPhone (note: not my laptop), I got this message from the friendly folk at Facebook Support...



I've been doing a bunch of things on FB recently, so I thought "I wonder what they want? Did I do something wrong?", and clicked it.

To my shock and chagrin, I was taken, not to FB, but to a Pharma page!



Wait ... I'm much too cunning to be caught by that! What happened?

The issue, friends, is that I was reading FB on my smart phone, and not my laptop. If it had been the laptop, I would, as a matter of course, simply have hovered the mouse over the link, and after a small pause, my mail client would have shown me the true URL behind the link. (In non-geeky talk, what that means is that whenever you get a suspicious email, you point the mouse at the link in the email, but _don't_ click it. Just wait a couple of seconds, and it will pop up a message showing the _real_ URL behind the link. If it's not Facebook, or eBay, or whatever you thought it should be, just delete the email.)

Because, however, I was on my smart phone (dumb phone might be more correct, perhaps?), there is _no_ way to do a mouse hover, and therefore no way to see what's really behind the link.

Because so many people are moving to either Android or iPhone, this is an emerging problem. In this case, all I had to do to fix it was to close the browser, but if there had been an exploit, or even convincing social engineering behind it, they might have caught me. And I'm a little bit more cunning than lots of users.

What is needed is some way to view the source of the message. If no one builds such an app, maybe I will.
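The hover trick, done on the message source instead of with a mouse. This is an added illustration, not code from this blog or anything Roger built: a short Python script that pulls every link out of an HTML message, compares where the link really goes with where its visible text claims it goes, and flags anything that does not land on the site the message says it is from. The sample message is constructed, and the "last two labels" rule for the registrable domain is a simplifying assumption (fine for .com/.net, not for .co.uk-style suffixes).

```python
"""Show the real destination behind every link in an HTML message.

Added example, not code from this blog: it does on the message source
what the mouse-hover trick does on a laptop, so it also works where
there is no mouse. The sample message below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link *shows* a Facebook URL as its text
# but points elsewhere; the second is genuine; the third is a script URL.
SAMPLE_HTML = """
<p>Facebook Support needs you to review your account:
<a href="http://account-review.example.net/fb/login">http://www.facebook.com/support</a></p>
<p>Or read the <a href="https://www.facebook.com/help">Help Center</a>.</p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
"""

# Link text that itself looks like a URL or bare hostname (no spaces, has a dot).
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


def registered_domain(host):
    """Last two labels of a hostname: www.facebook.com -> facebook.com.
    Assumption: adequate for .com/.net hosts; ccTLDs such as .co.uk would
    need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_links(html, expected_domain):
    """Return one dict per link: visible text, real href, and why it is suspect.
    expected_domain is the registrable domain of the site the message claims
    to come from (e.g. "facebook.com")."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        target = urlparse(href)
        reasons = []
        if target.scheme not in ("http", "https"):
            # javascript:, data: and friends are never a legitimate "go to Facebook".
            reasons.append("non-web scheme %r" % target.scheme)
        else:
            real = registered_domain(target.hostname or "")
            if real != expected_domain:
                reasons.append("goes to %s, not %s" % (real, expected_domain))
            shown = URL_LIKE.match(text)
            if shown and registered_domain(shown.group(1)) != real:
                # The classic deception: the text reads as one site, the href is another.
                reasons.append("text shows %s but link goes to %s"
                               % (registered_domain(shown.group(1)), real))
        report.append({"text": text, "href": href,
                       "suspicious": bool(reasons), "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in inspect_links(SAMPLE_HTML, "facebook.com"):
        flag = "SUSPECT" if entry["suspicious"] else "ok     "
        print(flag, repr(entry["text"]), "->", entry["href"])
        for why in entry["reasons"]:
            print("        ", why)
```

Run against the constructed message, it marks the "Facebook Support" link as suspect on two counts (it goes to example.net, and its text claims facebook.com), passes the genuine Help Center link, and flags the javascript: link for not being a web URL at all. Feed it the raw source of a real message and you get the same information the hover would have given you.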

Keep safe folks, and be cautious. When Obi-Wan Kenobi said "There has never been a more wretched hive of scum and villainy", I'm pretty sure he was talking about the Internet.

Roger

You just can't believe everything you read

Hi folks,

Over the weekend, our friends over at Sophos noticed that Fox News got one of their Twitter accounts "hacked". The "hacker" posted four or five bogus tweets about the President being assassinated, over a ten hour period, before the Fox guys noticed. I guess we could say that it took them ten hours to tweak that their tweets were being twampled. (Sorry)

Once they realized what had happened, they (presumably) changed their password, and deleted the dud tweets.

Their public response was that they had been "hacked", and they were demanding a full explanation from Twitter about what happened.

Well, I can tell you what happened. You weren't "hacked". Your person, or people, running that Twitter account got his or her password phished.

It hurts a bit, but it wasn't Twitter's fault, so there's no point in blaming them.

What it really underscores is the danger of password re-use. It's dangerous, and you simply must adopt the idea that you'll have one password per website that you want to use. If that's 50 websites, then you need fifty passwords. It sucks a bit, but the alternative is that if you only have a few passwords, and one website fails, then all the other websites that password accesses are compromised.

Use a password manager, or even write them down and keep them in your wallet, but the rule has to be ...

No password re-use! Ever.

Keep safe folks,

Roger

Tuesday, September 15, 2009

Ok, now that was interesting!

Over the weekend, several people noticed attacks originating from a malicious ad placed at nytimes.com. Viewers were redirected to what we call a fake, or rogue antispy page, where the webpage _pretends_ to scan your computer, and then tries to convince you to install some nifty antivirus program to clean it up-oh-but-you-have-to-register-first-put-your-credit-card-here-mr-victim. Nothing new there... it's the most common thing we see _every_ day.

We've been watching this particular style of rogue attack since about March, and just happened to have them under the microscope over the weekend, and here's the interesting thing... normally, we see 10,000-15,000 such detections each day, but from about last Thursday through Sunday, it spiked to 160,000-170,000 per day. It dropped off today to about 20,000.
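The kind of check that would surface a jump like that in daily telemetry, as an added example (not the author's or LinkScanner's code): a baseline built from the median of recent normal days, so a multi-day spike cannot drag the baseline up with it and hide its own later days. The daily counts are constructed to mirror the shape described above and are not the real numbers.

```python
"""Flag days where detection volume jumps far above its recent baseline.

Added example, not code from this blog or from LinkScanner. The daily
counts are constructed to mirror the shape the post describes (10-15k a
day, a four-day run at 160-170k, then back to about 20k); they are not
the author's real telemetry.
"""
from statistics import median

# Constructed daily detection counts for one rogue-antispyware campaign.
DAILY_COUNTS = [
    ("day01", 12400), ("day02", 11800), ("day03", 14100), ("day04", 10900),
    ("day05", 13200), ("day06", 12700), ("day07", 14600),
    ("day08", 162000), ("day09", 168500), ("day10", 171000), ("day11", 165300),
    ("day12", 20400),
]


def flag_spikes(series, window=7, factor=4.0, min_history=3):
    """Return a list of (label, count, baseline, ratio, flagged).

    The baseline is the median of the most recent `window` days that were
    *not* themselves flagged, so a multi-day spike cannot lift its own
    baseline and hide its later days. The first `min_history` days only
    seed the baseline and are never flagged."""
    normal = []    # counts from days judged normal; this is the baseline history
    results = []
    for label, count in series:
        if len(normal) < min_history:
            results.append((label, count, None, None, False))
            normal.append(count)
            continue
        baseline = median(normal[-window:])
        ratio = count / baseline
        flagged = ratio >= factor
        results.append((label, count, baseline, round(ratio, 1), flagged))
        if not flagged:
            normal.append(count)
    return results


def spike_days(series, **kwargs):
    """Labels of the days that flag_spikes() marked as spikes."""
    return [label for label, _, _, _, flagged in flag_spikes(series, **kwargs) if flagged]


if __name__ == "__main__":
    for label, count, baseline, ratio, flagged in flag_spikes(DAILY_COUNTS):
        mark = "SPIKE" if flagged else "     "
        detail = "" if baseline is None else "baseline %6d  x%.1f" % (baseline, ratio)
        print(mark, label, "%7d" % count, detail)
```

On the constructed series the four 160k-plus days are flagged at roughly thirteen times the baseline, and the 20,400 day that follows is not, because the baseline stayed at the pre-spike level instead of being polluted by the spike itself. The 4x factor and 7-day window are starting points to tune against your own data.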

The attacks seemed to come from two main types of lures, with the first being advertisements, including the fake one on nytimes, and lots of Flash banner ads, and the second being searches for "newsie" events like Kanye and Taylor, and Patrick Swayze, and Serena Williams.

It's ever so impressive how quickly they not only react, but also point the news search results at their hijacked lure machines. In other words, not only are they quick to react to something newsworthy, but they are somehow able to get their hijacked machines right up to the top of the Google and Bing searches. These guys are flat-out clever.

In summary, not only was there a huge spike in activity by this particular group (or groups), but they quickly were able to manipulate the search engines.

It goes without saying that LinkScanner is able to detect and block these attacks, but it's a dangerous Web folks.



Keep safe,

Roger

Saturday, July 11, 2009

I think I know what the DDoS is about

If you've watched any news broadcasts since the 4th of July, you'll be aware that certain US and South Korean government and commercial websites have been under Distributed Denial Of Service (DDoS) attack. Early on, someone pondered for a minute or two about who might be a common enemy to both the US and SK, and the obvious answer was .... gasp... North Korea!!! And if NK is the perp, then clearly this is ... cyberwar!!! Holy Moley Batman!!!! Quick ... run to the bunkers!


It's obviously a great headline, but most actual security folk took the view that it's just a DDoS, for goodness sake. If we can't get to Whitehouse.gov for a few days, the world is not going to end. The tourists will still take their photos from the street, and the rest of us will just get another cup of coffee while we wait for it to end. DDoS attacks are really easy to do, and impossible to prevent up front. It's just that they're not profitable, so no one bothers in this day of "Show me the money for my malcode". And it was silly to blame North Korea, because the whole point of a DDoS from a remote controlled botnet is that no one really knows who's driving it.

Now, having had a look at the disparate list of victim websites, my initial thought was that it was a disgruntled businessman targeting the Federal Trade Commission, and shooting at everyone else to conceal their real target, but then we realized that the malcode was programmed to self-destruct, starting July 10th, by erasing the first megabyte of the victim's hard drive!

At least this would effectively clean up these computers.

After we got over laughing about botmasters destroying their own botnet, and making jokes like "Don't these guys understand how retaliation works?", etc, the light slowly dawned on us that maybe they did understand exactly what they were doing.

It's not cyber-war ... it's someone who's worried about the growing plethora of botnets on the Internet, and who's trying to make people care enough to do something about it! A vigilante!

Think about it.

Why bother nuking 60k computers after doing all the work of assembling them? Nuking them only helps the Good Guys, because the victims are forced to re-build, and therefore clean, their computers.

Why bother with a DDoS of a bunch of disparate government and commercial websites? Nobody was really impacted ... border routers were reprogrammed to deflect the DDoS off any important sites... the only thing it really did was cause a bunch of lawmakers to point the finger at North Korea.

And the only other thing it really did was make lawmakers think "If North Korea could do this with a mere 60k machines, what could Al Qaeda do with a big botnet of 300k machines?"

Big botnets are really common, by the way.

The only reasonable explanation for the whole thing is that it was someone who is worried about the botnet problem, and who wanted to make lawmakers think about it, and do something about it.

A high-tech vigilante.

By the way, the vigilante has a point. Botnets are a real problem, and we need to mitigate them a bit. Most ISPs could do something, except that their give-a-darn bone is broken.

Incidentally, the erase-one-MB thing reminds several of us of the CIH virus. The underground scuttlebutt about the CIH author was that he was hired by Taiwanese military intelligence. It's an easy mind-wander to wonder if there's a connection there. Surely not. :-)

Keep safe folks.

Thursday, June 4, 2009

Unfortunate brand squatting

Hi folks,

A common practise among enterprising webmeisters is what's known as brand-squatting. That's where you find a domain whose owner has neglected, or not bothered, to renew it, and it's up for grabs. If you get something modestly popular, then you get the benefit of whatever residual traffic they've generated as a starting point. Makes sense for most domains.

This time, however, someone re-registered and re-vitalized one of the most notorious brands in malcode history .... coolwebsearch! :-) :-) :-)

Not only that, but while it was a search-enginey kind of page, it was also hosting an exploit!!! Whether that was deliberate or accidental is not clear, but it doesn't matter much as it's down now.

coolwebsearch.us was registered on about the 18th of April 2009, and our first detection was 24th April. Our last was yesterday, but as this graph shows, activity has been tapering off anyway.

Here's a graph of the detection events our users told us about.



As you can see, we had about 11,000 hits spread over 40 days, across 106 countries.

It's a dangerous internet folks, but at least it's sometimes funny.

Keep safe,

Roger
