10/07/2014

Shellshock and Heartbleed: Are You At Risk?

By the time news of most exploits hits mainstream media, the exploits have long been "in the wild," infecting computers the world over.

By this time, the media seizes on the news and goes after it like a pack of sharks who've smelled blood in the water.

So, are these exploits worth being worried about?

Let's get the answer to this question by asking two more:
  1. Are you at risk?
  2. What's the best way to protect yourself?

Heartbleed and Shellshock are very different exploits, each with different attack methods and each with different techniques needed to thwart them.

Let's start with:

What Is Heartbleed?

Although not a virus or malware in the traditional sense, the Heartbleed vulnerability is a mechanism by which attackers can gain access to your confidential information when you access vulnerable websites, email, and other servers.

If one of these websites hasn't patched this vulnerability and you access it over a secure (https) connection, attackers can intercept your (otherwise secure) communication with that website, decode the information, and impersonate you with that server.

Confused? Let me put it in real world terms.

Let's say you go to your bank or credit card online.

You put in your username and password, do your business, and get on with your day. Fine. Or so you thought.

Meanwhile, silently in the background, someone was listening in right through the "secure" connection and stealing your username and password.

And, as you've moved on to other sites and the rest of the day, the bad guys are now logging into your bank account, and draining it.

It's not just bank accounts either.

According to the highly regarded Netcraft, over 500,000 widely trusted websites were vulnerable. No doubt some of them still are.

Many websites you visit to check your email or log into to conduct personal business are potentially vulnerable.

Now, some good news.
  1. Microsoft web servers are not vulnerable. (This doesn't mean people using Windows as their desktop OS aren't vulnerable. It just means the web sites themselves aren't.)
  2. Most banks and other financial institutions that were at risk have now patched their servers, eliminating the vulnerability.
  3. There's a Plug-In for Google's Chrome Browser called, "Chromebleed," that tests for the vulnerability.

As for other things you can do, Tom's Guide has an outstanding, effective list of things you should do to protect yourself against Heartbleed.

I recommend you take a look at Tom's Guide for complete details, but here's the list in condensed fashion (with some edits I've thrown in for good measure.)
  1. Change your Google, Facebook, Yahoo!, and Dropbox passwords.
  2. Log out of all apps on your phone, iPad, etc., then log back in.
  3. If a website asks you to update your password, do it.
  4. Update your OS (regardless of what you run: Windows, Mac, Linux, BSD, whatever).
  5. Set up two-factor authentication. (This is just a smart thing to do anyway.)
Conspicuously absent from the list, you'll notice, is run/update your antivirus software. Since Heartbleed isn't a virus, there's nothing gained by antivirus software or an Internet Security Suite; however, good ones like those from VIPRE, ESET, and Bitdefender will protect you against other types of attacks, viruses among them.

What About Shellshock?

Shellshock, also called "Bashdoor," is an attack, primarily on servers, that leverages a series of flaws in software called, "Bash," that's commonly installed on web, email, and other servers.

Without boring you to tears with all the technical details of Shellshock, let's just address the important question here: are you at risk?

Unless you're running Cygwin on Windows, Xcode on OS X, or a Linux/BSD variant, chances are no. (If you don't know what these are, you're probably not at risk, since they aren't built into Windows or OS X.)

The bigger problem though is that many, many of the web sites you visit daily are (or at least were) vulnerable.

On top of that, unlike Heartbleed, where there's a very small risk of the server itself being compromised, Shellshock by design does compromise vulnerable servers and allows attackers to take them over.

In an outstanding article on Shellshock by Troy Hunt, he says,
"The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk.

"In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them."

OK, brass tacks, what does this mean?

First, it means your computers, laptops, phones, and tablets are probably not directly vulnerable.

HOWEVER, it does mean that many ordinary websites out there that we all think are safe and virus free are now places that are vulnerable to attack and that, once compromised, can harbor malware used to infect ordinary users' computers.

This is a strong case for considering Internet Security software over garden-variety antivirus.

The two things most commonly found in Internet Security software absent in most antivirus programs are:
  1. malicious website blocking
  2. software firewall
...both of which help make your PC safer from attack and infection.

06/04/2012

Five Great Firefox Add-Ons You're Not Using... (But Should Be)

Like anything, some Firefox Add-Ons are great, some are meh, and some are crap.

What we've got here, my friends, is a list of the top five Add-Ons we like most (and use.)

In one way or another, the ones we've chosen are all geared towards improving your online privacy, security, or both.  Sure, some of our favorites are popular and used by a lot of people; chances are though that even most security conscious uber geeks haven't heard of all of 'em we list.

Have a look at our list and feel free to throw your own $.02 in if there are ones you know of we missed.

Five Great Firefox Add-Ons

(At Least Some of Which You've Never Heard Of)
Add-On Name / Link About The Add-On

Perspectives Project


Is that secure site really who it says it is?
The SSL system is imperfect. At its core are the Certificate Authorities (CAs). The first problem: it's possible to perform a Man-in-the-Middle (MiTM) attack against a CA.

The second problem: the CAs, while historically among the most secure organizations online, are also not impervious to attacks. Crackers have breached the gates and gotten into CAs.

In either case, all bets are off. That site you think is secure is anything but. Once a CA is compromised, any communications you have with a "secure" site can be intercepted and read like it's on the front page of Yahoo.

The Perspectives Project solution is a system of public network notaries to monitor the world's SSL certificates and help ensure the certificates are legit.

Running the Firefox Add-on is a cinch, and once you've used it even for a few minutes, you'll likely have the same, "Oh!" feeling like we did when we first started running it.

ShareMeNot


The ubiquitous social media icons you see on just about every site (including ours), are tracking what we do and where we go online. How can you keep their functionality and lose Big Brother?
To web geeks, it's no surprise that these little icons are tracking our every move online. What may be a surprise? It's very easy to keep their functionality and ditch their privacy-invading tracking with ShareMeNot.

Aside from how easy to use it is, the best part is that even if you forget to log out of your Facebook, Twitter, LinkedIn, Google/GMail, or Digg account (among others), ShareMeNot has still got your back.

In fact, that's when it works best. You can stay logged into your Facebook or GMail account and keep the great functionality of the "Like" and "+1" buttons as you surf but don't let 'em track where you're going online or what you're doing.

NoScript


Scripts are everywhere. Some are good; some are evil.
Tip the scale in your favor.

NoScript creator Giorgio Maone and the folks who develop NoScript take a unique approach to scripts: don't trust any. Until you do.

On every site you visit, Javascript, Java, Flash, and others are all prevented from loading 'til you explicitly grant them permission to load on a given web site.

And, interestingly, not only do most sites still work even when scripts are disabled, but enabling necessary scripts on sites you trust is a piece of cake.

All-in-all it's a beautiful piece of work.

Adblock Plus


Get the content, kill the ads.
Advertising is one thing. Intrusive, annoying ads are another.

Adblock Plus is a great answer to the problem.

Sure, there's overlap between what NoScript and Adblock can do, but Adblock is geared more towards stopping ads than NoScript.

Another interesting feature is it lets you "collapse" (i.e. hide) sections of a web page. Great for getting the content you want and avoiding the seemingly unavoidable in-your-face ads.

Using it is easy, too--just start with any of the 50+ existing lists. Then if and when you want to customize it, you can do that, too.

BetterPrivacy


There are cookies, and there are evil LSO cookies. Luckily, dealing with them isn't as hard as it once was.
Local Shared Objects (LSOs) are a special, particularly evil type of cookie. Known as "Super Cookies," they're Flash, and they get placed onto your system's central folder. Thus, they're much, much more permanent than regular browser-based cookies. Super Cookies go where you go, and you can't see or delete them with a garden-variety "delete cookies."

This is where BetterPrivacy comes in.

With it you can manually manage LSOs, or set it up to automatically delete 'em anytime you close (or open) a browser. And you can keep the LSOs/Super Cookies where they belong... not on your system.

12/07/2011

Ask the Experts: Can I replace the antivirus software that came on my PC/laptop?



Sheryl writes in to ask,

"OK, so I'm not happy with the anti-virus software that came on my laptop, and it's nagging me all the time to "renew my subscription"--one I didn't even know I had.

"I'd love to get rid of it just because I'm fed up with their nagging me.

"I'm assuming it's possible to replace with a new anti-virus program, but I don't know how.

"Can you help?? Please??"





Here's my reply:

Yes, it's possible. It's easy, and I'm glad to help.

STEP 1: PICK THE NEW SOFTWARE
For starters, you'll want to figure out what antivirus software (or Internet security suite) you're going to get to replace what's on there now.

Doesn't make sense to rip the old one out 'til you know what's going in its place.

My suggestion would be to start with our antivirus software Buyer's Guide. (It's on the right side of every antivirus software review page of our site.)

STEP 2: UNINSTALL THE OLD SOFTWARE
We'll assume you've got the new software chosen, so next we'll get rid of the old software.

The easiest way to uninstall any (legitimate) program on Windows is to use the "Uninstall a program"1 link within the Windows Control Panel.

Here's how:

[Shown here: Accessing the Windows Control Panel]


[Shown here: Accessing the "Uninstall a Program" link]


[Shown here: Find the program in the list. Click "Uninstall".]


STEP 3: INSTALL THE NEW SOFTWARE
"Duh... of course," some of you might be thinking, but here's the deal: in Step 1, your goal is to figure out what A/V software you're going to use, NOT to install it then and there.

First we've got to get rid of your old antivirus software. In the meantime, we want the PC to go without security software for as little time as possible.

Since figuring out what antivirus program is best for your needs takes more than a few seconds, you don't want to uninstall the old 'til you know what the new program is going to be.

1 If you're using a version of Windows prior to Vista, you'll find it in the "Add/Remove Programs" button in the Control Panel.

12/06/2011

Ask the Experts: How can you make sure your antivirus software is working?



April asks,
Other than using a real virus, which seems crazy to me, is there a way for me to test to make sure my antivirus software is actually working?
Another great question! And another one of our most frequently asked ones, too.

Here's my reply:

Yes, there's actually a harmless little test virus called, "EICAR," that's designed to do just that.

As long as it's downloaded from the right place, it's completely benign. Its only purpose is to trigger an alert from your antivirus software. That's it.

The official site, and only safe place to download it, eicar.org, describes EICAR as a ...legitimate DOS program, [that] produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").

We actually use EICAR ourselves when we take our screenshots of each antivirus program successfully detecting a virus.

(We don't use real viruses for our screenshots because we don't want overly curious visitors to, upon seeing real virus names, then go searching for those real viruses on the Internet to try for themselves.)

So, leave the real antivirus software testing to us, but use EICAR when you want to test that your A/V software is really working.
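
One way to script the EICAR check described above, as an added example that is not from the original post: it writes the standard 68-byte EICAR test string to a temporary file and reports whether on-access scanning blocked, removed or altered it. The function names, verdict labels and the five-second wait are assumptions of this example.

```python
import os
import tempfile
import time

# The standard 68-byte EICAR test string, kept in two pieces so this script
# is not itself flagged by a scanner that matches the string anywhere in a file.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")

# Verdict labels (names chosen for this example).
BLOCKED_ON_WRITE = "blocked-on-write"
BLOCKED_ON_READ = "blocked-on-read"
REMOVED = "removed-or-quarantined"
ALTERED = "altered"
NOT_DETECTED = "not-detected"


def inspect_dropped_file(path, expected):
    """Classify what happened to a file once the scanner had a chance to act."""
    if not os.path.exists(path):
        return REMOVED                      # deleted or moved to quarantine
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return BLOCKED_ON_READ              # scanner denies access to the file
    return NOT_DETECTED if data == expected else ALTERED


def drop_and_check(payload=EICAR, wait_seconds=5.0, directory=None):
    """Write the payload to a fresh temp folder and poll for a scanner reaction."""
    workdir = tempfile.mkdtemp(prefix="avtest-", dir=directory)
    path = os.path.join(workdir, "eicar.com")
    try:
        try:
            with open(path, "wb") as fh:
                fh.write(payload)
        except OSError:
            return BLOCKED_ON_WRITE         # real-time protection stopped the write
        deadline = time.monotonic() + wait_seconds
        verdict = inspect_dropped_file(path, payload)
        # Some products react a moment after the file is closed, so poll briefly.
        while verdict == NOT_DETECTED and time.monotonic() < deadline:
            time.sleep(0.5)
            verdict = inspect_dropped_file(path, payload)
        return verdict
    finally:
        # Leave nothing behind, whatever the outcome.
        try:
            if os.path.exists(path):
                os.remove(path)
            os.rmdir(workdir)
        except OSError:
            pass


if __name__ == "__main__":
    result = drop_and_check()
    print("Verdict:", result)
    if result == NOT_DETECTED:
        print("The test file was left untouched; check that real-time protection is on.")
```

A "not-detected" verdict only says the file was not acted on within the wait window; products that scan on execution or on a schedule rather than on write will need an on-demand scan of the folder to react.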


Got a question about antivirus software or PC security? Why not Ask the Experts?

12/05/2011

Ask the Experts: What's the difference between antivirus and Internet Security software?



Easily one of the most Frequently Asked Questions we get is,

What's the difference between antivirus software and an Internet security suite?

Right on the heels of that is the next one, Is the upgrade worth it?

Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:

  1. firewall software
  2. malicious website filtering

firewall software

Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport.)

Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.

The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.

What's the point?

You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.

So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.

malicious website filtering

You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to, maybe you just made a typo and typed "yuorbank" instead of "yourbank."

Who knows.

In either case, the bad guys are on the prowl and are:

  1. secretly taking over legitimate sites and installing their viruses onto them
  2. buying domain names that are typos of legitimate sites
  3. sending spams and phishing emails

Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.

Is the upgrade worth it?

Yes.

In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clear-cut.

Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.

The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.

And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.

10/10/2011

Microsoft Security Essentials (Mistakenly) Labels Google Chrome a Virus

Imagine your web browser suddenly stops working and gets quarantined by your antivirus software.

Do you:
  1. Panic?
  2. Cry?
  3. Scream?
  4. Some combination of the above?
In this particular case, Microsoft's antivirus software, Microsoft Security Essentials, incorrectly nabbed Google's Chrome web browser in its dragnet, labeling it none other than the infamous PWS:Win32/Zbot virus / trojan.

Large online news outlets, including CNet and ZDNet, have run multiple reports about the false positive, the people affected by it, and MS's reply.

Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers PCs.

"We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted."

While no one is cheering for Microsoft for the goof, it's pretty clear this really was just a goof. It happens.

Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.

And, at least in this case it was remedied relatively quickly. If needed, here's where you can manually update the definitions to your Microsoft Security Essentials.

Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.

10/04/2011

2011 Security Research Grant/Gift Award Winners


Advanced virus detection techniques, Firefox plugins, apps that keep your private data safe on your smart phone, and Wi-Fi network hacking drones are just a start this year.

The list of the ten winning recipients from our 2011 Security Research Grant/Gift Fund this year is incredibly impressive.

Each of the projects is very, very good in its own right; so good that any of them could have won our top award.

As it turns out, our top award went to Kevin Roundy and his research advisor at the University of Wisconsin-Madison Computer Science Department, Dr. Barton P. Miller, for their project SD-Dynist which is helping figure out some of the cunning things the virus writers are up to and what they're doing to try to beat the best antivirus software and avoid detection.

Each of the winning projects we're helping fund offers something unique, but they all have one thing in common: making the Internet safer for us all.

Complete details about winning projects can be found here:

2011 Security Research Grant/Gift Award Winners


Thank you and congratulations to all the great projects of 2011--and the great minds behind them!

07/20/2011

Make the Web Safer, Get $10,000

Well, it's not quite that easy for most of us, but this week I was delighted to learn the Dragon Research Group, a security research organization, awarded their 2011 Security Innovation Grant (a $10,000 grant) to NoScript, a free and outstanding security add-on for Mozilla Firefox.

About the $10,000 grant, Giorgio Maone, who leads NoScript's development, said,
"The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environments and NSA (NoScript 3.0 alpha for Android, generously aided by the NLNet Foundation).

"...it will support the implementation of a desktop UI [and] will allow an unified 'NoScript Anywhere' package to be installed indifferently on PCs and mobile devices, sharing the same configuration and permissions everywhere via secure remote synchronization."

In non-geek speak: your Android phone and your PC will be able to share NoScript configuration data, and they'll be easy to use, too.

If you're a fan of Firefox, which we are here, running NoScript adds another layer of security to your web surfing; it's great to see DRG recognizing how important NoScript is and to help fund its continued development.

If you haven't used Firefox in a while (or haven't updated yours in a while), here's where you can Download Firefox.

As for NoScript, it works by blocking scripts like Javascript and other embedded elements on every web page you encounter 'til you specifically permit them to run. Nice.

The first week or so you're running NoScript, like a software firewall, it needs a little training to get it to understand what sites you regularly visit and are "trusted," but after that, it's always on guard against the rogue site doing things it shouldn't to your PC.

Josh, this site's other editor, likes to call it the "firewall for Firefox." Sure, techies may take umbrage with his metaphor, but it gets the point across: NoScript blocks things from happening in and to Firefox.

Regardless of whether or not you run antivirus or Internet security software, NoScript adds another layer of security to Firefox and to your PC and information security.

It's definitely worth a look.

06/22/2011

Firefox 5 Released by Mozilla Foundation

Despite Firefox 4 having been released just three months ago, the Mozilla Foundation, the organization behind the Firefox web browser, has already rolled out Firefox 5, and here's the kicker: Firefox 4 is no longer being supported.

What does this mean?

It means if you're running Firefox, you must upgrade to keep your PC secure.

No ifs, ands, or buts.

What's different?

As far as looks go, it's pretty much identical to Firefox 4, so there won't be any surprises there.

Computerworld has a brief write-up of the changes, although this bit summarizes everything handily,
"Although the company said it added more than 1,000 improvements to the browser, most were minor bug fixes or tweaks.

"Among the most significant changes were enhanced support for HTML5 and new support for CSS (cascading style sheet) animations."

"So now what?" you ask?

If you're running Firefox, upgrade now. Don't wait. Don't put it off. Do it now. Older versions are--as of June 21, 2011--officially unsupported.

Translation: no security updates.

So, if the bad guys start targeting the old version of Firefox, which they will, you're putting yourself at risk. It's not worth it.

Just take care of it. It's free. It's fast. It's easy.

Where do you get it?

Download Firefox here.

06/03/2011

SonyPictures.com Breached... How Does That Affect You?

Sony has had a couple of rough days... make that months.

First the Sony Playstation Network (PSN) was hacked. Then there was disclosure that they were notified weeks in advance that their servers were running outdated software and that they weren't firewalled.

Sometime along the way came disclosures of how many accounts were affected. First it was 80, then it was 100 million users.

Then came the news that those stolen accounts included personal information and credit card numbers.

Not too long after that there were U.S. Congressional hearings and a refusal by Japanese officials to allow Sony to relaunch the network in Japan.

Wow. A tough few days indeed.

Finally, the network relaunched. Then it was taken down for a while and relaunched again.

Unfortunately, the story doesn't end there. Sony's SonyPictures.com site has been hacked by a group called "LulzSec," and over 1,000,000 user accounts were compromised.

pcmag.com has excellent coverage of the LulzSec SonyPictures.com hack.

The most important part of the pcmag.com coverage is this (fairly long quote), which should hopefully reduce the amount of FUD being spewed,

What do I do?

Fortunately, the hack does not appear to involve any direct credit card or financial data.

But if you use the same password all over the Web—like for online banking or credit card payments—other accounts could be compromised.

As a result, you might want to change your password asap and enable things like two-factor authentication on services that offer it.

LulzSec isn't exactly keeping your data under lock and key. 'I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere,' the group tweeted earlier.

It also urged 'innocent people whose data we leaked' to blame Sony.

So, the bottom line,

  1. Use different passwords in different places. Always.
  2. If you have an account at SonyPictures.com, make sure the password you used there isn't being used anywhere else--especially at a banking or credit card site.