The Broken Web Browser Model

On episode #217 of Security Now, there is a great discussion about a recently-publicized idea that the web browser is inherently broken and easily susceptible to man-in-the-middle attacks. A hacker that goes by the moniker Moxie Marlinspike recently released a paper and demonstration at Black Hat 2009 about how easy it is to fake an SSL certificate, and how easy it is to intercept a user’s traffic on a LAN, even when the user thinks he is visiting a secure site.

Since most web pages are not encrypted over an SSL/TLS connection by default (for example, going to www.paypal.com takes you to an unencrypted page), the traffic on that page is in the clear and can easily be monitored by anyone with the right tools sniffing the network traffic on your local area network (such as in a coffee shop or other public Wi-Fi hot spot). If you login to Paypal, it isn't until you click the login button that your credentials get passed to the server via an encrypted HTTPS connection. Since the web page is not initially encrypted, an attacker who has inserted himself can intercept the network traffic, strip out the HTTPS request (the secure SSL/TLS request), and replace it with an HTTP (unencrypted) request. The attacker now has the login credentials of the PayPal user and the attacker then seamlessly passes on the request to PayPal, and then passes it back to the user. The only clue the user has that he has been compromised is the fact that the page that gets returned is not encrypted (by looking for the https:// prefix in the address bar, or the “padlock” icon).

Most users just assume when they go to PayPal that the web site will handle security. However, Steve Gibson of Security Now proposes a fundamental change in the way web browsers work, requiring that all pages be encrypted HTTPS from the beginning, and not just when you click the login button, which everyone assumes will be encrypted. Watch an interview with Moxie Marlinspike.

Microsoft Security Essentials Out of Beta

Free anti-malware application, Microsoft Security Essentials, is now out of the beta phase, and is available free to download. Reviews of Microsoft Security Essentials seem to be mostly favorable so far. Will you dump AVG, Avast!, or Symantec/Norton in favor of Microsoft Security Essentials?

Internet Safety Podcast

"Because children have high levels of exposure, media have greater access and time to shape young people's attitudes and actions than do parents or teachers, replacing them as educators, role models, and the primary sources of information about the world and how one behaves in it." (AAP) In our hyper-connected world, protecting our families, especially children, and ourselves from unsavory influences and real threats becomes a top priority. While teaching children self-control and the correct usage of technology is important, the risks of unintentional exposure can be mitigated by putting certain practices and tools in place.

The Internet Safety Podcast aims to "educate parents, teachers, and teens about the benefits and risks of technology...[and] make technical issues and solutions accessible in an educational, entertaining, and useful way." Dr. Charles D. Knutson, professor of Computer Science at Brigham Young University and Joe Brockbank help make "the world a safer place, one podcast at a time." Check it out!

Software Inspector Finds Vulnerable Software

You probably already have Automatic Updates turned on to automatically update Windows or other Microsoft products, but what about all the other programs installed on your computer? Secunia has a tool called Software Inspector that scans your computer for software with known security vulnerabilities and then tells you what you must do to fix the problem. I found two programs that had vulnerabilities on my computer. In most instances, simply upgrading to the latest version fixes the problem. Software Inspector runs as a Java applet from Secunia's web site, although downloadable "Personal" and "Network" versions are also available. (Larry Seltzer, PC Magazine, Nov. 20, 2007, p. 95)

U got pwned!

Check out this video demonstrating how a compromised bank web site maliciously infects a visitor. The Bank of India's web site was "pwned" ("owned" for you non-leet-speakers). If a user were to visit such a compromised web site without having the latest security patches installed on their machine, an attacker would be able to completely take control of their computer, possibly logging and monitoring all activity and using the computer for malicious purposes. Likely the malicious payload would be disguised as a rootkit, effectively masking it from the operating system. Keep your systems patched! (Source: AppScout)

Clean, Safe Web Browsing for Your Family (free)

Joel Dehlin, a former Microsoft employee and co-founder of Microsoft Surface, and now CIO for the LDS Church recently posted a very interesting question on his blog. He asked readers what they do to manage Internet usage in their homes. Protecting your family, especially little children, from potential danger while accessing the Internet is no doubt a top concern of parents everywhere. Threats range from pornography, pedophilia, and stalking, to identity theft and computer security breaches. Due to the ever-evolving nature of technology, it is impossible to be completely protected from indecent content or other security risks associated with Internet usage. One must constantly be vigilant. Teaching correct principles and following some basic rules (such as no unsupervised, aimless web surfing or no installation of unknown, risky software) seem to be the most effective way to combat exposure to obscenity and security threats. Nevertheless, there are some technology-based tools that definitely make the battle a lot easier.

ScrubIT is a free service that filters out millions of malicious and obscene sites using good ol' DNS, the protocol that translates an easy-to-remember host name such as www.google.com into a numeric IP address like 64.233.167.104. No more accidental stumbling upon obscene web sites because of a mistyped URL. Instead of using your Internet service provider's DNS servers, you use ScrubIT's free DNS servers. For most users who use a router to share their Internet connection, this change can easily be made in the router's configuration page:

This way, all computers behind the router/firewall will be filtered. If you don't have a router, you can automatically configure your computer to use the ScrubIT DNS servers by downloading their config utility. If you know what you are doing, you can also manually enter in the ScrubIT DNS servers (67.138.54.100 and 207.225.209.66) in the connection properties.

The service seems to be fairly new but is indeed promising for those who are fed up with pornography, pop-ups, and other problems related to malicious or obscene sites, or for those who just want to play it safe. The service is completely free and the ScrubIT web site promises that it will stay that way. They are working on implementing a paid service that will allow users to customize what sites get blocked. I will be looking forward to this because one problem is that ScrubIT blocks Blogger.com, and we use Blogger in our family a lot. But, the beauty of a DNS-based solution such as ScrubIT, or a gateway or router-based solution like the Astaro Security Gateway (free for home users), is that you don't have to load any software that could bog down your computer or cause other problems. ScrubIT is not a silver bullet, but it is certainly an efficient and useful tool that can easily be setup to help protect families from potential online threats. I whole-heartedly endorse them.

Disposable Phone Number

If you want to list your phone number online (e.g., in an online classified ad) or in the newspaper but you don't want to give out your actual phone number, consider using a free, disposable number from Numbr. The site will give you a disposable phone number that connects to your real phone number (you can even select a second number in case you aren't available at the first number). You can choose how long you want the number to be active (from one week to one month), and setup other options such as "do not disturb" hours, and even voicemail (they e-mail you the voice message as an attachment). (via Lifehacker)

Panda Anti-Rootkit

Panda Software has released a free anti-rootkit program that you can use to scan for and remove those nasty rootkits. Panda Anti-Rootkit has a simple, clean interface and updates itself before it scans your computer for those nefarious bits of malware that can hide themselves from your antivirus programs. It even has command-line options that can be utilized to automate scans (perfect for corporate networks).

Sysinternals' Mark Russinovich released the first anti-rootkit tool called Rootkit Revealer (Microsoft has since acquired Sysinternals). Rootkits have become more of a security concern as malicious hackers have slipped their damaging code onto more computers via deceptive e-mail attachments and malicious web sites. Rootkit technology allows a hacker to hide malicious files and programs from antivirus scanners and from the operating system itself. This has exacerbated the problem of hackers remotely controlling massive fleets of "zombie" computers and using them to attack other computers or send spam. More security software companies are developing anti-rootkit technology into their security programs, and Panda's latest Anti-Rootkit program is another welcomed tool in the fight against malware. (Sources: Panda Software, Press Release, PC Magazine)

Mac OS X Flaw Puts Macs at Risk

A flaw in the way Mac OS X handles disk image structures could allow an attacker to compromise an Apple computer. Recently-published code is only a proof-of-concept at this point, but could easily be exploited remotely such as through the Safari web browser. One Safari user confirmed the vulnerability in 10.4.8. It is listed as a highly critical vulnerability on Secunia's site. If you use a Mac, be safe! (Sources: CNET, Secunia)

Apple Video iPods, Now With Free Virus!

A recent batch of Video iPods from Apple have shipped with a Windows virus. "The virus has been identified as the Rjump or Rajump worm by antivirus software makers and as RavMonE virus by Apple. Incidents of the virus infecting iPod owners occurred as early as September 22, according to comments on Apple's support forum." Nice. (Source: SecurityFocus, Apple)

UPDATE (10/19/06) Microsoft's Jonathan Poon responds to Apple's statement, "we are upset at Windows for not being more hardy against such viruses".

Don't Take The Bait: Beware Phishers

We've all heard it before, "Don't open an e-mail from someone you don't know," or "Never click on a link or open an e-mail that asks you to login to your bank or other online account." Well, today I was almost suckered! Surprisingly, with all of the phishing warnings out there, thieves continue to use the same old techniques to try to trick more victims into handing over their important usernames and passwords or other sensitive information. That must mean that it continues to work!

I saw an e-mail in my Inbox from PayPal that said a payment had been sent to So-And-So for $475 for a new Nokia cell phone. What!? I was upset that perhaps someone had fraudulently used my account! By the time I had instinctively opened the e-mail, I realized the mistake I was making. Oops! That's right! Just opening the e-mail is enough to infect your machine in some cases. You see, behind that pretty e-mail message, there is code. The code tells your e-mail program (or web browser) how to display the text, images, etc. on the page. In some e-mail messages the code can send a message back to the author confirming your e-mail address (leading to more spam), or possibly install a virus or exploit another vulnerability on your computer. Note that viewing messages in the "Preview Pane" or "Reading Pane" in some e-mail programs is the same as opening the e-mail messages themselves. I recommend disabling this feature. Since this e-mail was suspect, I should have right-clicked on it to view the message source. Luckily, this e-mail did not contain any malicious code embedded in the e-mail nor did it attempt to "phone home" or install anything. But it did contain something equally disturbing.

The whole purpose of this fraudulent e-mail was to get me to click on the link in the e-mail to "Dispute Transaction" and then enter my PayPal username and password. Examining the message source code I found that behind that "Dispute Transaction" link was some code linking to another site in Germany. Gotcha! The e-mail linked to a fraudulent site that appears to be the actual PayPal site, but was actually stealing my PayPal login credentials. There were a bunch of other things about the e-mail that didn't add up, such as the non-existent shipping address that appeared in the e-mail.

"What should I do?" Remember to never click on a link in an e-mail. It's too easy for someone to mask the actual link so that it appears that you are clicking on something legitimate, but actually linking to a malicious site. If you suspect that someone may have used your PayPal (or other account), open your web browser (Internet Explorer or Firefox), and go directly to the site by typing in www.paypal.com in the browser's address bar. It is wise to not open any suspicious e-mail. With the barrage of messages we receive daily, it's difficult to distinguish the real e-mail from the junk. Use caution when opening all e-mail and remember that simply opening an e-mail message in certain instances is enough to do damage. And as always, do not open any suspicious e-mail attachments. We've all heard this advice before in regards to keeping safe online. This is just a reminder.

BBC's Honeypot

While checking the news this morning I found an interesting article on BBC News that describes their honeypot experience, which is essentially a computer setup on the internet designed to lure attackers for research or other investigative purposes. "When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited, merely putting the machine online was enough to attract them...Once a day on average, came net attacks that tried to subvert the honeypot to put it under the control of a malicious hacker." This comes as no surprise to the security-aware, and it is not the first time such honeypots have been setup. As a reminder, it's Patch Tuesday tomorrow. (Source: BBC News)

More Attacks on U.S. Gov't Computers from China

An article published today in the Washington Post states that there have been numerous attacks on U. S. government computers originating from China. According to the article, "the attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses." What is surpising is that the security breach caused enough damage to cause the BIS to replace all their computers. The attackers apparently used rootkit technology to hide their presence once they gained access. This is not the first time such attacks have originated from China. (Source: Washington Post)

Beware of Phone Scams via E-mail

Malicious individuals are always thinking up new ways to steal your information using social engineering. The latest scam is using a technique called "vishing" or voice phishing. The attacker will send a fraudulent e-mail claiming to be from a bank or other organization and state that there is a problem with the victim's account. It will give a phone number to call where the victim is asked to give personal or sensitive information. According to the article, "some vishing attacks don't begin with an e-mail. Some come as calls out of the blue in which the caller already knows the recipient's credit card number — increasing the perception of legitimacy — and asks just for the valuable three-digit security code on the back of the card." (Sources: USATODAY)

Mac OS X Hacked in Less Than 30 Minutes

According to ZDNet Australia, hacker "gwerdna" got root on a Mac mini in under 30 minutes allowing him to "take charge of the computer and delete files and folders or install applications." According to the article, "Gwerdna concluded that OS X contains 'easy pickings' when it comes to vulnerabilities that could allow hackers to break into Apple's operating system." The whole thing came about from a contest in which a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited people to try to break into it. In all fairness, though, this could've happened to any computer running any OS. And hey, at least the whole family can look stylish while getting "pwn3d". (Sources: ZDNet Australia, CNet News.com)

UPDATE (3/8/05) Dave Schroeder of the University of Wisconsin conducted his own 38-hour hacking contest to see if his Mac Mini running Mac OS X could be penetrated by outside intruders. The test concluded with no successful attempts. (http://test.doit.wisc.edu/)

Microsoft's Update Trouble

Yesterday, being the second Tuesday of the month, Microsoft released a handful of updates. Among them is Security Update KB913446 (http://support.microsoft.com/?kbid=913446). For some reason, when I went to the Windows Update web site, all updates install correctly except this one (KB913446, MS06-007: Vulnerability in TCP/IP could allow denial of service). The site simply reported that the update failed and gives no reason why (although C:\Windows\WindowsUpdate.log seems to indicate that there is a problem downloading and verifying the update). I had to manually download this update for it to install. This happened on four different machines I tried it on.

I called the (866) PC-SAFETY (727-2338) number Microsoft lists on their site and spoke with a Microsoft Technical Support representative who informed me that there was a known issue downloading this particular update.

On a similar topic, I downloaded the new Windows Defender (beta 2), which is Microsoft's new, renamed antispyware program. After upgrading, I was unable to update spyware definitions from within Windows Defender. I was finally able to get the latest spyware definitions for Windows Defender via the Windows Update site. (Source: BetaNews)

Sniff WiFi Hotspots on Your Nintendo DS

With a homebrew application, you can now use your Nintendo DS to scan for wireless access points showing SSID, MAC addresses, and WEP status and continuously auto-refreshes. (Sources: DS Fanboy, Engadget)

The NSA is Watching

A BetaNews article states that the National Security Agency has been monitoring internet and telephone communications recently in an effort to find terrorists. According to the article, "This included e-mail, instant messages and even phone calls, as most traditional phone communication is routed using voice over IP these days." (Source: BetaNews)

Christmas IM Worm Circulating

If you use instant messaging, be extra careful this holiday season. An IM worm is going around that tricks users into clicking on a seemingly benign Santa Claus site, but it actually installs a rootkit, shuts down antivirus software, and collects personal information. Yikes! Use caution and ignore instant messages, e-mail, or other contact from unexpected or unfamiliar individuals. (Source: BetaNews)

WPA Wireless Security Crackable

This isn't breaking news, but WPA (Wi-Fi Protected Access), a fairly beefy security protocol used to secure wireless networking, is not immune to being cracked. If a weak, short passphrase is used, an attacker only has to capture a relatively small amount of wireless traffic, and then crack it offline. Use random passphrases with a mix of upper and lowercase characters and symbols, and use at least 20 characters. You can even store the key in an encrypted text file and simply copy and paste it when you need to use it. And don't think hiding your SSID and filtering MAC addresses is enough. (Sources: Security Now, Wi-Fi Net News)

Forget your Windows XP password?

Oops! Did you forget your password on your Windows XP computer? No worries! You can reset it using your Windows XP CD by following the instructions in this article. There are other ways of resetting your Windows password as well. This just shows that if you have physical access to a Windows machine, security is out the window. Let's hope Windows Vista will solve some of these vulnerabilities. (Source: Digg)

Don't Forget to Patch

It's the second Tuesday of the month and everyone knows what that means...patch Tuesday! Microsoft has released a fix for some Windows vulnerabilities relating to the graphics rendering engine. If you are a Windows user, make sure that Automatic Updates is configured. (Sources: Microsoft, BetaNews)

Dodging Spam Using Disposable E-mail Addresses

Target audience: Novice-Intermediate
Don't you hate it when you're trying to access a web page and they make you enter your e-mail address? Well, since this is how the majority of spammers get your e-mail address, you would normally just put in a fake e-mail address and click through. But sometimes, the site has to e-mail you the link or other information that you actually need before you can get to where you want. Here is where a disposable e-mail address comes in handy. Dodgeit, for example, is a great site that lets you use a free, throwaway e-mail address (i.e., whateveryouwant@dodgeit.com). Give the site your dodgeit.com address, go retrieve the e-mail, and after 7 days, the e-mail is automatically deleted. You get your info, and the spammers don't get your real e-mail address. W00t! There are other disposable e-mail services out there as well. (Source: TipMonkies, Dodgeit)

Microsoft's Corporate Antivirus Antispyware Utility

Microsoft is reportedly planning on releasing an enterprise version of the Windows OneCare program, which will help protect computers from viruses, spyware, or other malware threats. This product will be known as Client Protection, and seems like it will greatly help system administrators deal with security issues. (Source: BetaNews)

Windows Vista Security Features

It may take some users of Windows Vista some time to get used to entering an administrator password every time they install programs or make system changes, but the Unix-like feature will greatly increase security. New changes in the next version of Windows will apparently also require antivirus software manufacturers to release new Vista-compatible versions. (Source: ZDNet UK)

Tracking Network Attacks from China

A fascinating article from Time talks about the efforts of a computer security specialist in tracking hackers whose attacks originated from China. A group that is being called "Titan Rain" is supposedly behind a number of highly-organized attempts at breaking in and stealing information from high profile networks in the United States, including government and military systems. There is some speculation that the government of China is behind the attacks on U.S. computer networks. (Source: Time)

Apple's OSX on Non-Apple Hardware & Security

Recently, Apple's OSX operating system was hacked and modified to run on non-Apple PC's. There are numerous sites posting instructions on how to install it on a regular PC natively. If Apple's operating system is being hacked before it's even publicly released, what kind of security issues will Apple face in the future? One tech journalist even went so far as to say that the release of OSX into the wild could be a smart move for Apple, and eventually position them more competitively for desktop dominance. The word on the street is that OSX is running faster on Intel boxes than on other hardware, including Apple computers! While there is still much development to come out of OSX, it will no doubt be interesting to see how Apple deals with securing the operating system and if it will ever be officially released for non-Apple computers.

Don't Forget to Patch

When Microsoft released its latest handful of security updates last Tuesday, as they do every second Tuesday of the month, the vulnerabilities they fix were also disclosed to the public. When malicious individuals get a hold of this information, they go to work trying to find exploits for the vulnerabilities and try to attack machines that are not patched yet. This is called a "zero-day attack." Well, the latest worms that are going around trying to infect machines are called "Zotob" and "Esbot". If you are a Windows user, make sure you have installed the latest security updates from Microsoft. The easiest way is to turn on Automatic Updates so that you receive an automatic notification whenever there are new updates available. Be safe!

Massive Online ID Theft Operation Discovered

Sunbelt Software posted on their blog recently about a huge online identify theft operation that is pretty scary. According to Alex Eckelberry, the President of Sunbelt Software, sensitive information is logged to a file and then sent to a central server: "The server is in the US, but the domain is registered to an offshore entity. It is very sophisticated, however, we aren't sharing a lot of data for obvious reasons. We are in contact with the FBI. The types of data in this file are pretty sickening to watch. You have search terms, social security numbers, credit cards, logins and passwords, etc." It is recommended that you update your antivirus, antispyware, and system software. In addition, you should also use an outbound software firewall program such as the free Sygate Personal Firewall. As always, play it safe by not visiting web sites or opening e-mail attachments or installing programs that you are unsure about or seem shady. Read the fine print. Be paranoid! (Sources: Sunbelt Software, BetaNews)

Hacker claims he found extra-terrestrial mission data on NASA networks

A UK hacker who penetrated several US Government networks recently stated that he found evidence of extra-terrestrial missions. According to a TechSpot article Gary McKinnon of the UK told of his attacks and how he got into a less secure network, then took advantage the trust relationship that some of the networks had with each other and eventually managed to "hop" his way into more secure computer networks. He claims he found names of ships that he believes are "off-planet."

Web Browser Security

If you are still using Internet Explorer, think about using an alternate browser for web surfing such as Mozilla Firefox, at least until Microsoft fixes the latest security vulnerabilities in its web browser. If you must continue with IE, Microsoft advises users to set ActiveX to prompt the user under Tools, Internet Options, Security tab. Let's hope that Microsoft will improve things in IE 7 and Longhorn.