06/22/2011

Firefox 5 Released by Mozilla Foundation

Despite Firefox 4 having been released just three months ago, the Mozilla Foundation, the organization behind the Firefox web browser, has already rolled out Firefox 5, and here's the kicker, Firefox 4 is no longer being supported.

What does this mean?

It means if you're running Firefox, you must upgrade to keep your PC secure.

No ifs, ands, or buts.

What's different?

As far as looks go, it's pretty much identical to Firefox 4, so there won't be any surprises there.

Computerworld has a brief write-up of the changes, although this bit summarizes everything handily,
Although the company said it added more than 1,000 improvements to the browser, most were minor bug fixes or tweaks.

"Among the most significant changes were enhanced support for HTML5 and new support for CSS (cascading style sheet) animations.
"So now what?" you ask?

If you're running Firefox, upgrade now. Don't wait. Don't put it off. Do it now. Older versions are--as of June 21, 2011--officially unsupported.

Translation: no security updates.

So, if the bad guys start targeting the old version of Firefox, which they will, you're putting yourself at risk. It's not worth it.

Just take care of it. It's free. It's fast. It's easy.

Where do you get it?

Download Firefox here.

06/03/2011

SonyPictures.com Breached... How Does That Affect You?

Sony has had a couple of rough days months.

First the Sony Playstation Network (PSN) was hacked. Then there was disclosure that they were notified weeks in advance that their servers were running outdated software and that they weren't firewalled.

Sometime along the way were disclosures how many accounts were affected. First it was 80, then it was 100 million users.

Then came the news that those stolen accounts included personal information and credit card numbers.

Not too long after that there were U.S. Congressional hearings and a refusal by Japanese officials to allow Sony to relaunch the network in Japan.

Wow. A tough few days indeed.

Finally, the network relaunched. Then it was taken down for a while and relaunched again.

Unfortunately, the story doesn't end there. Sony's SonyPictures.com site has been hacked by a group called "LulzSec," and over 1,000,000 user accounts were compromised.

pcmag.com has excellent coverage of the LulzSec SonyPictures.com hack.

The most important part of the pcmag.com coverage is this (fairly long quote), which should hopefully reduce the amount of FUD being spewed,

What do I do?

Fortunately, the hack does not appear to involve any direct credit card or financial data.

But if you use the same password all over the Web—like for online banking or credit card payments—others accounts could be compromised.

As a result, you might want to change your password asap and enable things like two-factor authentication on services that offer it.

LulzSec isn't exactly keeping your data under lock and key.
'I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere,'
the group tweeted earlier.

It also urged 'innocent people whose data we leaked' to blame Sony.

So, the bottom line,

  1. Use different passwords in different places. Always.
  2. If you have an account at SonyPictures.com, make sure the password you used there isn't being used anywhere else--especially at a banking or credit card site.

05/18/2011

The Latest on the PSN Break-in and Service Restoration

There has been a whooooole lot that has gone on since the original news broke on the Sony Playstation Network data breach.

Among other things, there's been Congressional testimony, which should give some indication as to the seriousness of what has happened. In these testimonies, the Consumerist reports in a piece on the PSN breach that,

Dr. Gene Spafford of Purdue University [who in his testimony before Congress] said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

And, that's not the least of it. It gets much worse. Spafford, the Consumerist piece goes on to say,

...Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.'

"The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches, said Spafford.

These accusations raise even more questions, like,

"Whodunnit?"

Reuters in their article on the Playstation Network data theft, Sony points the finger at the hacktivist group Anonymous, who, they say, bears indirect responsibility.

Daily Kos has posted the official, lengthy and articulate response from Anonymous about the PSN Break-in, wherein it says in part,

Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history.

"No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.

 "On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.  

 "The framing of others for crimes has been a common practice throughout history. 

In other words: Anonymous didn't do it.

So, back to the PSN and when it's coming back online.

Initially, there was discussion--and ultimately success--in bringing part of the Playstation network back online starting on May 14th, as reported by Joystiq.

It was short-lived though, when a lot of users (again as reported by Joystiq in a posted called PSN website sign-ins disabled) were greeted with a message on May 18th, telling them, The server is currently down for maintenance.

Perhaps most interestingly of all was that Sony wasn't given permission to restart services for the Playstation Network in Japan (where Sony is headquartered) 'til it met two conditions,

  1. Preventative measures
  2. Steps taken "..."regain consumer confidence over personal data such as credit card information."

Where does it stand now?

Accordingly to Engadget, which appears to have the latest as of May 18th, the PSN had to be taken offline again.

According to Sony's official blog response on the outage,

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved.

"In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3.

"Otherwise, they can continue to do so via the website as soon as we bring that site back up.

We're glad service has been restored and sorry to see it came to this.

All-in-all, the whole thing is ugly.

100 million accounts appear to've been compromised, Sony appears it may've been negligent, and definitely bears some blame here, and it has reached a point where both U.S. and Japanese agencies are getting involved at a high level.

What should consumers do? Is this even worth thinking about?

For starters, yes, it's worth thinking about.

Security experts are definitely very concerned about phishing--and more targeted spear-phishing--attacks coming from all the confidential data cleaned from the break-in.

The most obvious step would be to change your email address and close the old account, but let's be honest, that's impractical.

Short of that, the next smartest thing to do is to make sure your antivirus software is updated and your realtime protection and anti-phishing filters are turned on.

I certainly expect this data to be exploited. Practically speaking, it's a gold mine, and I for one don't believe it's a question of "if" attacks will happen but a question of "when."

04/28/2011

Major Data Breach: 70 Million PSN Accounts Stolen

On the heels of the Epsilon data breach comes one of equal, and perhaps greater, severity: Sony's PSN (PlayStation Network) had what they're calling, an illegal and unauthorized intrusion into our network.

The gang at GamrFeed have more on the PSN Data Breach Details, including that, There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk

Bleh.

Being a gamer myself, and a PlayStation owner, too, my first reaction was a sigh and a feeling of resignation. "This kind of stuff happens," I thought to myself.

Then, I read deeper into the PSN Blog about the Data Breach.

[Editor's Note: the following is a verbatim quote from Sony's blog that has been re-formatted for easier readability than their multi-line lawyereese. Bold added for emphasis is ours.]

We believe that an unauthorized person has obtained the following information that you provided:
  • name
  • address
    • city
    • state
    • zip
    • country
  • email address
  • birthdate
  • PlayStation Network/Qriocity password
  • [PlayStation Network/Qriocity] login
  • handle/PSN online ID
"It is also possible that your profile data, including
  • purchase history
  • billing address
    • city
    • state
    • zip
  • your PlayStation Network/Qriocity password security answers
may have been obtained.

"If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained
.

Now why the heck does any of this matter?

It's just a gaming network, right? Who cares what games I've bought or when!

Not so fast there, Sparky.

The real danger here isn't even in the possibility of the credit card info having been stolen. (Look, if there's a possibility it was stolen, just call it what it is and say the data was stolen, ok?)

The real danger is for those folks who use the same usernames and passwords in multiple places, like at PSN and for their Hotmail account--or any other, for that email account for that matter. Now with that, cyber thief can dig into your email account and from there easily spring board to bank accounts and all sorts of other places.

How will they find me amongst 70 million accounts?

Forget about digging through them by hand. Think of it happening programmatically. Just trust me on this one: it's easy to do.

It's trivial for a skilled programmer to grab the information they've gleaned from your PSN account and use it to try to login to your email account. From there, getting to your bank accounts and whatnot isn't all that hard. (Who hasn't used a "reset password" link at a website that gets sent to your email?)

Alright, what-if's aside, aside from Sony's recommendations, which only take part of the problem into account, here's what you should do immediately if you're on the Sony PSN:

1. Change username and password especially on bank and email accounts where they're the same as on PSN Keep the bad guys out of your email... and bank.
2. Change your security questions/answers anywhere else you use the same questions/answers as on PSN Make it harder for someone to reset your bank/email/other password and steal from you (or steal your info.)
3. Change your PSN security questions/answers on PSN Make it harder for someone to reset your PSN account and gain access to it.
4. Change username and password on PSN Make it harder for someone to reset your PSN account and gain access to it.

The last important take-away from this data breach is that you should already assume the data is in the hands of a spammer and cyberthief. 

As such, you need to expect that you'll receive many extremely targeted spearphishing emails. After all, according to Sony's own statement on the breach, the thieves probably have your name, email, credit card billing address, and date of birth.

What's to stop them from sending, "Happy Birthday!" emails offering to give you something free in exchange for your credit card info (for age verification only, of course...)?

Or for that matter from sending you, "Your data was stolen. Please click this link to reset it. Oh, and enter your new payment information while you're there, too?"

Or, how about, "Your data was stolen. We need your social security number now to ensure you're who you say you are."

The number of different ways this information can be abused is just about limitless, and while your antivirus software or Internet security suite can help you avoid a phishing attack to some extent, the best way to avoid them is to be smart about the links you're clicking and to look and really read the web site addresses you're going to.

The age of the spearphishing attack is upon us. Your information's security is, ultimately, no one's responsibility but your own.

04/25/2011

For Crying out Loud... Password Protect Your Wireless Router!

A debate that somehow always seems to pop up in my own life is the importance of securing your WiFi / wireless router. My friends have all gotten my lecture. My family has all gotten my lecture.

My friends-of-friends have all gotten it, too. Over the years, I've dialed it down from, Leave now. Just leave. Go home. Password protect your router before you do anything else, to something like, Oh no, it's fiiiiiine. The only thing you risk is some jailtime and a few phone calls to the ACLU. Otherwise, it's fine to run an open router.

And somehow despite stories showing up in MSN like this one about the Buffalo man who didn't secure his wireless router, people still think I'm exaggerating the risk and/or that, "it won't happen to me... I know my neighbors!"

Right. Ok. Copy that. Roger. Gotchya. You can leave yours open then. Really. It's fine.

For the record, once and for all: being lazy is never a valid excuse in the eyes of the law. Being inept seldom works either. Same goes for ignorance.

The single biggest thing YOU need to understand about wireless security is this:

Just because you can't see someone else using your wireless connection doesn't mean it isn't happening.

The same thing goes for PC security, too:

Just because you can't see the person who's infected your PC with some sort of spyware or trojan doesn't mean it hasn't happened.

Now let's talk about the poor guy in Buffalo, NY. According to the MSN piece,

For two hours that March morning in Buffalo, agents tapped away at the homeowner's desktop computer, eventually taking it with them, along with the iPads and iPhones belonging to him and his wife.

"Within three days, investigators determined that the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn't him. About a week later, agents arrested a 25-year-old neighbor and charged him with distribution of child pornography.

"The case is pending in federal court.

All this because, again according to the piece, That new wireless router. He'd gotten fed up trying to set a password.

How many other people have had similar things happen is anyone's guess. Here are a couple of more stories the MSN article mentions specifically,

  1. A Sarasota, Florida, man, got a similar visit from the FBI last year after someone on a boat docked in a marina outside his building used a potato chip can as an antenna to boost his wireless signal and download an astounding 10 million images of child porn.
  2. A North Syracuse, New York, man who... opened his door to police who'd been following an electronic trail of illegal videos and images. The man's neighbor pleaded guilty April 12.

The fact of the matter is, yes, it can be tricky, but it's not that hard. In fact, we have a simple six-step article at our site on, "How to Secure Your Wireless Connection."

You could read it and take the steps to secure your connection. Or you could spend the time thinking of what your excuse is going to be when someone steals your Internet connection and does terrible things with it.

04/19/2011

Epsilon Email Break-In... Updated List of Affected Companies

It comes as no surprise that a lot of people and businesses have been affected by the Epsilon break-in.

What may be a surprise to some is the breadth of the affected industries. In our previous blog on the Epsilon break-in, I said,

It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies.

Given the growing size of the list, that looks more true than ever.  Take a look at the list below.

If you have an account with one of these banks or have shopped with one of these retailers/e-tailers, you're more susceptible to a highly targeted spear-phishing attack.

They know your name and email address, and they know the banks, credit card companies, and other financial institutions you deal with. They know where you've shopped.

You, like me, are a prime target for someone looking to contact you by email and trick you into giving up your highly confidential information or steal from you. It's a fact. Because they know more about you, it's much, much easier to gain your trust.

Today, I came across this updated list of companies affected by the Epsilon Breach at CAUSE.org (The Coalition Against Unsolicited Commercial Email). [Thanks to CAUSE.org for doing the tremendous leg work to put this list together.]

 

Banks/Financial Institutions
  • Ameriprise
  • American Express
  • Barclay's L.L. Bean Visa card
  • Barclays Bank of Delaware
  • Best Buy Canada Reward Zone
  • BJ's Visa
  • Capital One
  • Catherine's card
  • Citi
  • Express card
  • ExxonMobil card
  • Home Depot card
  • JPMorgan Chase
  • MoneyGram
  • MyPoints Reward Visa
  • NTB card
  • Scottrade
  • Smile Generation Financial
  • Stonebridge Life Insurance
  • TIAA-CREF
  • TD Ameritrade
  • US Bank
  • Victoria's Secret card
  • Visa
  • World Financial Network National Bank
  •  

    Retailers / e-Tailers
  • 1-800-FLOWERS
  • Abe Books
  • Abercrombie & Fitch
  • AIR MILES Reward Program (Canada)
  • Ameriprise
  • Ann Taylor
  • AshleyStewart
  • Avenue
  • Beachbody
  • bebe
  • Benefit Cosmetics
  • Best Buy
  • Borders
  • Brookstone
  • Chadwick's
  • Charter Communications
  • City Market
  • College Board
  • Crate & Barrel
  • Crucial
  • David's Bridal
  • Dell Australia
  • Dillons
  • Disney Destinations (The Walt Disney Travel Company)
  • Domestications
  • Dressbarn
  • Eddie Bauer Friends
  • Eileen Fisher
  • Ethan Allen
  • Eurosport Soccer
  • Fashion Bug
  • Food 4 Less
  • Fred Meyer
  • Fry's
  • Gander Mountain
  • Giant Eagle
  • Giant Eagle Fuelperks
  • GlaxoSmithKline Consumer Healthcare
  • Hilton Honors
  • Home Shoppers Network (HSN)
  • J.Crew
  • J.Jill
  • Jay C
  • Jessica London
  • Justice
  • King Soopers
  • KingSize Direct
  • Kroger
  • Lacoste
  • Lane Bryant
  • Marks & Spencer
  • Marriott Rewards
  • Maurice's
  • McKinsey Quarterly
  • New York & Company
  • OneStopPlus
  • PacSun
  • Palais Royal
  • Polo Ralph Lauren
  • PotterBarnKids
  • PotteryBarn
  • QFC / Quality Food Centers
  • QualityHealth
  • Radio Shack
  • Ralphs
  • Red Roof Inn
  • Reeds Jewelers
  • Ritz-Carlton Rewards
  • Robert Half International
  • Sears
  • Shell
  • Smith Brands
  • Sportsman's Guide
  • Stage
  • Target
  • Tastefully Simple
  • The Limited
  • The Place
  • TiVo
  • Trek
  • TripAdvisor.com
  • United Retail Group
  • Value City Furniture
  • Verizon
  • Viking River Cruises
  • Walgreens
  • Woman Within

  • For the companies involved, there's no shame in my opinion. They put their trust in a company with, at that point, an excellent record for systems and information security. 

    It just so happens that even with that, someone (or more likely a group) broke into their systems and stole the data Epsilon had been recording, storing, and using on their customers' behalves.

    Is Epsilon to blame, definitely, but I don't feel the companies are. Outsourcing to what you believe is a competent third party is often not just a good but actually the best business decision.

    It really doesn't make sense for most companies to spend the time and resources to devote to something as mundane as email address collection and marketing. It really doesn't.

    No matter how good each individual company's staff gets, because of the scale of Epsilon's operations, they see more, and so they're more likely to make the right decisions about security.

    What this really boils down to is a question of personal responsibility. Each of us, as individual consumers and businesses, need to be smart about what we do with our information and what to do when we're contacted.

    That means thinking before you click. Thinking before you type. And thinking before you hit "submit" on a form.

    And it also means keeping your PC patched and your antivirus software up to date, too. Together, being smart about what you do online and keeping your PC secure can be just the difference between being safe and being someone's identity theft prey.

    04/07/2011

    Epsilon Break-In... What's the Lowdown?

    By now you've probably gotten notice, as I have, from at least one bank / credit card company / financial institution that, Epsilon, the company they use to send email messages to you had a network breach.

    Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.

    But, it wasn't just banks that were hit.

    It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security who has been doing a stellar job keeping atop this list as more companies are added to the growing list of companies affected by the Epsilon break-in.)

    Companies Affected by the Epsilon Break-In (So Far)
    • 1800-Flowers
    • Abe Books
    • Air Miles CA
    • Ameriprise Financial
    • Barclays Bank of Delaware
    • Beachbody
    • Bebe Stores Inc.
    • Benefit Cosmetics
    • BestBuy
    • Brookstone
    • Capital One
    • Charter Communications (Charter.com)
    • Chase
    • Citibank
    • City Market
    • The College Board
    • Crucial.com
    • Dell Australia
    • Dillons
    • Disney Vacations
    • Eurosport/Soccer.com
    • Eddie Bauer
    • Food 4 Less
    • Fred Meyer
    • Fry’s
    • Hilton Honors
    • The Home Shopping Network
    • Jay C
    • JP Morgan Chase
    • King Soopers
    • Kroger
    • LL Bean
    • Marks & Spencer (UK)
    • Marriott Rewards
    • McKinsey Quarterly
    • Moneygram
    • New York & Co.
    • QFC
    • Ralphs
    • Red Roof Inns Inc.
    • Ritz Carlton
    • Robert Half
    • Smith Brands
    • Target
    • TD Ameritrade
    • TIAA-CREF
    • TiVo
    • US Bank
    • Verizon
    • Viking River Cruises
    • Walgreens
    • World Financial Network National Bank

    Alright, so what's the big deal?

    Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.

    While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear names and email addresses were. What also isn't clear is if the companies with whom you have the relationships were stolen.

    And, that's where a part of this becomes especially tricky.

    If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.

    (N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)

    Now image your email sent to your-name@example.com addressed to YOU in the email and looking and sounding like it's coming from Target.

    Imagine something like the following:

    Subject: Get a $100 Target gift card... on us!
    From: Target Stores <"survey-rewards@target.com">
    Date: April 7, 2011
    To: Nicole Campbell <"ncampbell@example.com">
    Hi Nicole,

    Thanks again for your recent Target purchase!

    We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.

    As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.

    Click here to get started.

    Thanks again,
    Your friends at Target and Target.com


    And, here's where the scam is just unfolding.

    Kroger, for instance, recently saw its customers lured by spams apparently from the Epsilon breach.

    Quoting Krebs from his piece, he says, In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software.

    In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.

    Why? How are they making money if the software is free?

    There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:

    You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.

    Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.

    Now, back to our Target example.

    There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware

    1. You need our special free "survey software"
    2. Your browser needs a special free plug-in to take the survey
    3. You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card

    The list could go on-and-on.

    So here are the take home messages from the Epsilon break-in:

    1. Use your head when it comes to messages emailed to you
    2. Just because something is addressed to you and addresses you by your name, doesn't make it legit
    3. Does the email have "free" offers or ways to earn gifts or money for very little work
    4. Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minute later, it's probably safe.)
    5. How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.

      Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S.
    6. Are they asking you to "verify" anything. Let me tell you something: companies don't need you to verify anything. Ever. You got their email, they know who you are. An email asking for verification is almost definitively a scam.

    These are just a few things to be on the lookout for. Most importantly of all, especially given the number of banks and credit card companies involved is: never, ever, EVER put your social security number into a link that you clicked on in an email.

    I cannot even once think of a legitimate bank or credit card email requiring this.

    And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.

    While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they setup.

    03/28/2011

    Mozilla Firefox Takes Steps to Block Fraudulent SSL Security Certificates

    Mozilla reported on March 22, that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.

    These were removed by the issuers which should protect most users. Mozilla has patched their Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox specific issue.

    The effect to users would be that if on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This in turn, could be used to deceive users into revealing personal information like usernames and passwords or downloading malware if thought to be coming from a trusted site.

    Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.

    The Comodo Group, Inc. (the certificate authority) first reported the issue.

    A follow up by Mozilla indicated that on March 15 an RA partner of Comodo Group, Inc.--which is a Certificate Authority--suffered an internal security breach, where the attacker used the RA's account with Comodo to get 9 fraudulent certificates to be issued.

    The domain names of the certificates were identified as:

    • addons.mozilla.org
    • login.live.com
    • mail.google.com
    • www.google.com
    • login.yahoo.com (x3)
    • login.skype.com
    • global trustee

    The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.

    To date, Comodo reports the only OCSP activity noted relating to these certificates has been two hits, one from the attacker's IP and another from very close by. Additionally, hits incurred from testing by Comodo and the notified companies. This hints that they have not been deployed in an attack, but it is possible the attackers would block OCSP requests as well.

    Comodo has identified the IP address as an ADSL connection and originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.

    Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.

    Risk mitigation actions implemented:

    1. Revocation of the certificates
    2. A hard coded blacklist of the certificate serial numbers in Firefox deployed as RC2 of Firefox 4 with two additional code patch releases, released on March 22.
    3. Mozilla released an announcement with some details of the problem.

    Mozilla released the patch prior to publishing any announcements out of concern the attackers would be tipped off to blocking the updates.

    Mozilla's security blog reported:

    Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.

    Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.

    In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.

    Mozilla has requested that Comodo do the following:

    1. Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
    2. Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
    3. Cancel all relationship with the RA concerned. (So far: the RA is suspended.)
    4. Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.

    With Internet attackers always on the move, consumers of the Internet should always ensure their PCs are getting the latest updates, including updating Firefox, to protect against security intrusions and malware. Aside from that having solid, trusted, Internet security software can also give peace of mind in holding off these threats.

    03/22/2011

    Hacker Gang Leader Sentenced to 9 Years for Hospital Computer Attacks

    Thanks to a piece by Kevin Poulsen at Wired Magazine, we learned about a successful prosecution of a hacker gang leader, who was convicted of installing malware on PCs in a Texas hospital.

    Self video of hacker McGraw carrying out hospital computer attack.
    (Video: YouTube)

    The ringleader of a former online anarchist group called the Electronik Tribulation Army was sentenced on Thursday to over nine years in prison for installation of malware at a Texas hospital.

    Hacker Jesse William McGraw, 26, also known as "GhostExodus", was fined $31,881 and ordered to serve three years of supervised release after serving time in prison.

    He came to the attention of the FBI in 2009 after shooting and posting a YouTube video of himself "infiltrating" computers by installing RxBot at a medical office building.

    According to the government, the Electronik Tribulation Army was creating a botnet to attack rival hacker gangs, which included Anonymous--known more at the time for hardcore pranks than the 'hacktivism' they've been known for since.

    Security Researcher McGrew
    Computer security researcher Wesley McGrew.
    (Photo: Kristen Hines Baker, courtesy Mississippi State University)

    In another video, McGraw showed off his personal infiltration gear, which included items such as lock picks, a cellphone jammer device, and falsified credentials portraying the FBI. The videos were shot at the Norther Central Medical Plaza in Dallas, TX.

    McGraw was able to do so easily since he was a night security watchman and had unresricted access to the hospital.

    He plead guilty last May to computer-tampering charges for installation of malware on a dozen machines which included a nurse's station with medical records. McGraw also installed a remote-access program called LogMeIn on the hospital's MS Window's-controlled HVAC system.

    R. Wesley McGrew of McGrew Security in Mississippi, initially contacted the FBI after seeing screenshots of the HVAC access online. McGrew says,

    I think the sentence is appropriate. He jeopardized public health and safety with his actions and I think its important to take a really strong stance against that,"

    In the wake of McGraw’s arrest, other members of ETA have campaigned to harrass McGrew, which led to FBI raids of three suspected members, but there were no reported charges.

    Although the YouTube videos suggest McGraw wasn't necessarily a critical threat to cyberspace, the FBI took note when it was discovered he'd installed a backdoor in the HVAC unit.

    They noted that any failure of the unit--which controlled the first and second floors of the North Central Surgery Center--could have adversely affected patients in the hot summer time or caused refrigerated drugs or medical supplies to go bad.

    There are a couple of important lessons here:

    1. Never, ever leave a workstation unlocked when you step away from it. Ever. If you give someone physical access to your computer, all bets are off.
    2. Audit your PCs regularly. The most dangerous phrase in security is, "It's not like...."

      Rather than thinking to yourself, "It's not like someone could ever put a virus on my computer without me knowing!" Assume there are people smarter than you, and they will if they can.
    3. Keep your antivirus software updated, set it up to run automatic scans, and run a manual scan, too, every now-and-again just to be on the safe side.

     

    06/29/2010

    Patches to Adobe Flash Player, Adobe Acrobat & Adobe Reader

    Adobe issued a couple of critical patches this month to its Flash, Acrobat, and Adobe Reader products including one today for its Acrobat and Adobe Reader programs.

    Adobe Acrobat & Adobe Reader Flaws and Upgrade/Patch

    As for Adobe Reader as of the writing of this piece, the latest version of Adobe Reader is:

    9.3.3

    Here's how you can check your version and what you should see:



    These security flaws in Acrobat and Reader--and Adobe's handling of it--has had fairly widespread discussion including coverage at Kaspersky's 'threatpost' security blog.

    Kaspersky's Ryan Naraine in his piece about the Adobe security patches says,

    The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

    What's so important about this particular set of updates is the number of different types of systems that are affected, and while some antivirus software may be able to offset some of the threats posed by these security flaws in these programs, it's not worth the risk.

    What's already clear is that there are security exploits in the wild that are taking advantage of these security holes, and if you're running Flash, Reader, or Acrobat (about 95% of the world is), your computer may be susceptible, regardless of what type of system you run--even a Mac.

    Adobe Flash Player Flaws and Upgrade/Patch

    The Flash Player (and the upgrade, of course) and Adobe Reader are free and only take a minute to install. (Adobe Acrobat isn't free but the security patch is.)

    Here's the official Version Test for Adobe Flash Player.

    On that page, you'll see what version of Flash Player you're running. As of the writing of this piece, the latest version for all systems is:

    10.1.53.64

    Don't take our word for it though, here's the official version information page for the Adobe Flash Player

    Here's what the page looks like when it tests for your version of Flash Player (click the image below for a larger version plus our notes):



    It's worth mentioning in our tests of the newest version of Flash Player, a reboot was sometimes recommended and other times not; regardless of whether or not you're prompted to reboot, it certainly won't hurt.



    It's getting more commonplace for a bug to be a security issue on different computers--not just PCs--these days, but in these particular cases, just about every system was affected. Here's a breakdown of what the affected programs and systems looks like:

    Program Affected Versions Affected Systems
    Adobe Flash Player
    • 10.0.45.2
      (and earlier 10.0.x versions)
    • 9.0.262
      (and earlier 9.0.x versions)
    • Microsoft Windows
    • Apple Macintosh
    • Linux
    • Sun/Oracle Solaris
    Adobe Reader
    • 9.3.2 (and earlier 9.x versions)
    • Microsoft Windows
    • Apple Macintosh
    • UNIX
    Adobe Acrobat
    • 9.3.2 (and earlier 9.x versions)
    • Microsoft Windows
    • Apple Macintosh
    • UNIX