08/26/2009

New Precautions from Banks about Online Banking

It goes without saying that cybercriminals are getting smarter... a lot smarter, and they're writing more and more sophisticated trojans, viruses, and all other forms of malware to get at your computer and ultimately your data and personal information.

This has led a banking industry group, the Financial Services Information Sharing and Analysis Center, to recommend that its member banks notify their customers (i.e. businesses who do online banking) to take much more stringent measures to ensure secure communications between their business and the banks.

According to the Washington Post's Security Fix blog, which has a post, Tighter Security Urged for Businesses Banking Online, on this very topic,

"The group recommends that commercial banking customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.'"

What this means is: have one computer that does absolutely nothing but talk to the bank, get Windows updates, and (in our view, of course) get antivirus updates.

This raises a couple of questions:

  1. Is this practical?
  2. If it's recommended for businesses, why not for consumers, too?

As to the question of practicality, it may or may not be. For a company where there's more than one person doing the bookkeeping and banking, perhaps a couple of additional computers might be a small cost to absorb.

For a large company, this just isn't practical; however, there may be other alternatives like a Linux "LiveCD".

As for it being practical for consumers, that isn't likely either.

How many people have the space and money for a computer just for banking, not to mention the time to set it up and keep it updated? That said, running a good, modern antivirus product can certainly help reduce the likelihood of an infection in the first place.

Lastly, lest it go unsaid, use your head when you're doing online banking! Make sure you're on an https page when you connect, and if you know the website address of your bank, which you should, bookmark the link.

This way you can be much more aware that you're going to the right URL and not accidentally going to a fake (but very real-looking!) version of your bank's website.

08/23/2009

Protecting Yourself From Stealth Keyloggers

There's ample understanding and concern about viruses, worms, and even botnets to some degree.

Most everyone who runs a PC understands that viruses, adware, and the like come with the territory and that it's wise to run antivirus software (or, better yet, an Internet security suite).

What's still a bit murkier than viruses and worms are stealth keyloggers, especially ones that report back to a central server in real time.

What adds to the murkiness is that keyloggers, in the eyes of some technologists, aren't all necessarily bad.

While some keylogging software definitely is, there's other software out there that is used to help protect kids online and to help monitor employees and public workers who are abusing computer and office time.

The line between good keyloggers and bad ones really comes down to one thing: what is the keylogger being used for?

In the case of "good" keyloggers, ultimately they're used to protect. Perhaps it's a child, perhaps it's an employer, perhaps it's a government agency, or perhaps it's someone else.

In the case of "bad" keyloggers, they're used to steal, wreck, and ruin. Perhaps it's to steal passwords, perhaps it's credit card numbers or a bank account, perhaps it's an identity, perhaps it's merchandise.

Whatever the case, how evil real-time stealth keyloggers work is a little less of a mystery thanks in part to a New York Times piece in the technology blog "Bits" on nytimes.com.

Part of the problem is that these real-time keyloggers are now allowing cyber-criminals to completely circumvent things like RSA's SecurID system and other similar security roadblocks.

As Saul Hansell of the Times puts it,

"By going real time, hackers... are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula.

"If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account.

"Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location.

"Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see."

"They don’t break the encryption; they just log in at the same time you do."

I'll hand it to them, it's definitely clever, but what's even more amazing and alarming is that,

"When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines.

"Clampi [a particularly nasty Trojan that uses real-time components] has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network.

"...each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites."

As the article asks, "Does this mean the high-tech security tokens and such are a waste?"

Not really, as they still help protect against less sophisticated attacks.
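To make concrete what the token still buys you and what it does not, here is an added example (our own illustration, not code from the Times article or from RSA): a SecurID-style six-digit, one-minute time-based code, first checked by a naive verifier that accepts a valid code any number of times, then by one that records the time step of the last successful login. A code relayed by a real-time Trojan and presented again seconds later is accepted by the first and refused by the second. The secret and timestamps are constructed for the demo.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-demo-secret"   # constructed; a real token's seed is never shared like this
NOW = 1_251_000_000                   # constructed timestamp (August 2009), on a 60-second boundary


def totp(secret: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 style code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class NaiveVerifier:
    """Accepts any code valid for the current step, however often it is presented."""

    def __init__(self, secret: bytes, step: int = 60):
        self.secret, self.step = secret, step

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now, self.step))


class ReplaySafeVerifier(NaiveVerifier):
    """Enforces 'one-time': a time step that already produced a login is never accepted again."""

    def __init__(self, secret: bytes, step: int = 60):
        super().__init__(secret, step)
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_accepted_counter:
            return False          # second login with this step's code: replay, refuse it
        if not super().verify(code, now):
            return False
        self.last_accepted_counter = counter
        return True


def simulate_relay(verifier: NaiveVerifier, secret: bytes, now: int, delay: int = 5):
    """The user logs in with a fresh code; the same code is presented again `delay` seconds later
    from a second session (what a real-time relay does). Returns (first accepted, second accepted)."""
    code = totp(secret, now, verifier.step)
    return verifier.verify(code, now), verifier.verify(code, now + delay)
```

The replay-safe verifier cannot stop whoever presents the code first, but it turns the relay into a failed login for the second party, which is a signal the bank can act on.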

Think of it this way: locking your front door might not deter a criminal willing to smash the window to get in; however, it might deter a good portion who won't smash a window but who would try to turn the doorknob to get in.

Criminals with access to the advanced technologies like real-time keyloggers are still fairly rare; less sophisticated ones aren't.

What's more, many of these types of attacks can still be thwarted and prevented outright by good antivirus and firewall software.

The bottom line is, some security is better than none and multiple layers of security are better than just one. Ideally, you should look to combine:

  1. a software firewall
  2. antivirus software
  3. antispyware

08/17/2009

Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick the consumer with a real-looking, real-sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

A new site from security and SSL vendor Comodo, for a project they're backing called the "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

With their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers steer clear of the crap.

In addition to thanking them for their efforts, here is the complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • ALWIL
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmBH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee (McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)

You'll note that every one of the programs we've reviewed since day one of our site (reviews linked above) is included on the list.

If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.

08/16/2009

More Warnings about Flash/Acrobat Reader Vulnerabilities

Ever read .PDFs or watch something in Flash?

Most people do. In fact, something like 99% of all computers have Flash installed, and likewise a huge portion of computers have Acrobat Reader, too.

As such, if you're in that 99% pool, you're probably vulnerable; roughly 80% of all computers still are, according to Internet security firm Trusteer.

A couple of weeks ago, we covered the Flash / Acrobat Reader Security Advisory, and now there's more warning on WebProNews about the same Flash / Acrobat vulnerabilities.

In the posting there, Chris Crum quotes Trusteer's CEO, Mickey Boodaei, as saying,

"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.

"For some reason, it is not effective enough in distributing security patches to the field.

"Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately."

[Editor's note: emphasis is mine.]

We originally covered this vulnerability two weeks ago saying,

"...there's an urgent update that Adobe has just made to Acrobat, Flash Player, and Adobe Reader."

So, now that others are adding their voices to the chorus and we're all saying this is a big deal, please visit this page on Adobe's site, which covers the Acrobat/Flash security update.

If you're reading this article, please, stop what you're doing, go to that URL, *read* it, and follow Adobe's instructions.

Regardless of whether the rest of your Windows OS is patched, regardless of whether or not you have a software firewall running, and regardless of whether or not you've installed the best antivirus software or an Internet security suite, you still need to do this.

Acrobat and Flash live outside of the normal Windows Update mechanism, and thus they cannot be upgraded via Windows Update and are best upgraded manually (i.e. don't rely on the Adobe autoupdater).

In our humble opinion, this vulnerability has every bit the potential to be even bigger than the Conficker worm from early April this year because of the enormous install base Acrobat and Flash have.

08/15/2009

Twitter Used to Control Botnets

Jose Nazario, who is well known in computer security circles and a well-regarded botnet researcher, has made some interesting discoveries about botnets and the darling of social media, Twitter.com.

What he's discovered is that botnet operators are using Twitter's micro-blogs to send command-and-control messages to botnets.

An article on wired.com on how malware operators are using Twitter to control botnets explains,

"tweets turned out to be obfuscated links to sites where further malicious code and instructions could be downloaded."

In a post to the Arbor Networks blog he discusses his findings about botnets and Twitter. Jose says,

"While digging around I found a botnet that uses Twitter as its command and control structure.

"...what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.

"It’s an info-stealer operation."

There are a couple of interesting things about these findings:

First of all, this means a whole new level of obfuscation for the writers of viruses, trojans, spyware, and all sorts of other malware, as they're able to hide their controls behind a real company.

In doing so, they're even better able to hide who they are and how their malware networks work.

Further, they're also able to move to a very, very reliable service (i.e. Twitter) and, in doing so, alleviate some of their own infrastructure problems. After all, even with the couple of outages Twitter has had since it began to grow in popularity, it's still a highly reliable site.

This means that even if the botnet operators' own servers fail or are attacked, they can easily move things to another location, make another "Tweet" (posting) on Twitter, and instruct the PCs under their control to go elsewhere for the latest instructions.
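Because the control channel hides behind a site nobody wants to block, a defender has to look at behaviour rather than destination. The following is an added example of our own (not Jose Nazario's tooling, and not anything from Arbor Networks): it reads proxy log lines and flags any client that fetches the same status feed at a near-constant interval, the way an automated bot checking for new instructions would, while a person browsing the same site at irregular times is left alone. The log lines, the client addresses and the account URL are all constructed, and the assumption that the bot polls on a fixed schedule is ours.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the status feed a bot would watch; not a real account.
FEED = "http://twitter.com/constructed_bot_account"

# Constructed proxy log: "<iso-timestamp> <client-ip> <method> <url>".
# 10.0.0.5 polls FEED every five minutes; 10.0.0.7 is a person reading Twitter now and then.
LOG_LINES = [
    f"2009-08-15T10:00:00 10.0.0.5 GET {FEED}",
    f"2009-08-15T09:12:30 10.0.0.7 GET {FEED}",
    f"2009-08-15T10:05:01 10.0.0.5 GET {FEED}",
    f"2009-08-15T09:13:05 10.0.0.7 GET {FEED}",
    f"2009-08-15T10:10:00 10.0.0.5 GET {FEED}",
    f"2009-08-15T09:47:10 10.0.0.7 GET {FEED}",
    f"2009-08-15T10:14:59 10.0.0.5 GET {FEED}",
    f"2009-08-15T11:02:44 10.0.0.7 GET {FEED}",
    f"2009-08-15T10:20:00 10.0.0.5 GET {FEED}",
    "2009-08-15T10:01:00 10.0.0.7 GET http://twitter.com/",
]


def parse(line: str):
    """Split one constructed log line into (timestamp, client, url)."""
    stamp, client, _method, url = line.split()
    return datetime.fromisoformat(stamp), client, url


def find_beacons(lines, min_hits: int = 4, max_jitter: float = 0.1):
    """Return (client, url, mean interval in seconds) for every client/url pair that was
    requested at least `min_hits` times with a coefficient of variation of the gaps
    between requests no larger than `max_jitter`, i.e. on a schedule rather than by hand."""
    series = defaultdict(list)
    for line in lines:
        stamp, client, url = parse(line)
        series[(client, url)].append(stamp)

    flagged = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append((client, url, round(mean)))
    return flagged
```

In practice you would run this over a day of proxy logs and pair a hit with a look at what the feed contains; the regularity alone is the lead, not proof.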

As to the question of whether PCs are being infected just from visiting Twitter, that definitely doesn't appear to be the case (at least not just yet), nor does the service appear to be any more vulnerable to becoming that type of virus-spreading mechanism than any other website.

In other words, yes, it's still safe to use Twitter. Regardless of it being "safe" in that respect, it's still smart to run antivirus software.

There's really no substitute for an Internet security suite: A/V and firewall software, the two cornerstones of Internet security software, are your best line of defense to ensure your computer stays clean of viruses, trojans, and the like and doesn't become part of a botnet.

08/04/2009

Critical Security Patches to Mozilla Firefox

On the heels of an announcement a couple of days ago from Adobe about security flaws in Acrobat, Reader, and Flash, Mozilla has just released versions 3.5.2 and 3.0.13 of Firefox to patch two security flaws they're calling "critical".

From the Mozilla Foundation's security announcement,

"We strongly recommend that all Firefox users upgrade to this latest release....

"This update can be applied manually by selecting 'Check for Updates...' from the Help menu."

The 3.0 and 3.5 releases of Firefox have different vulnerabilities patched in their respective releases, but each is definitely well worth taking the time to patch your browser for.

Here's a brief recap of the fixes (for complete details visit the following URLs):

Firefox 3.5.2 Release Notes
Firefox 3.0.13 Release Notes

Firefox 3.0.13 Fixes

Mozilla Advisory 2009-42
  Fix Details: "These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions."
  Why It Matters: A subtle flaw in the way Firefox handles the security certificates of HTTPS (i.e. SSL) sites means an attacker could lead you to believe you're on a secure site, like your bank, when in fact you're at their evil site, even if it looks perfectly legitimate.

Mozilla Advisory 2009-43
  Fix Details: "This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client."
  Why It Matters: An attacker can craft a security certificate that will cause Firefox to run any code of their choosing on your computer.

Firefox 3.5.2 Fixes

Mozilla Advisory 2009-45
  Fix Details: "Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
  Why It Matters: Memory corruption is never a good thing. In the case of software like Firefox, it can mean an attacker running code of their choosing on your PC.

Mozilla Advisory 2009-46
  Fix Details: "Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window's global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges."
  Why It Matters: Similar story here: with enough care, an attacker could write code, JavaScript in this case, to run code of their choosing on your computer.

While we've not tested these various vulnerabilities and whether antivirus software could help insulate your PC from these attacks, that's one of the things we rely on antivirus software for: protecting our computers against unknown security issues.

A few things are definitely clear from this announcement:

  1. The bad guys aren't going to stop trying.
  2. Even good software like Firefox has bugs.
  3. If you think just because you're running Firefox, you're immune from such exploits, think again.
  4. While antivirus software may not help protect against every possible threat, it definitely helps minimize the risks.

08/01/2009

Urgent Adobe Acrobat & Flash Security Advisory

Let's get right to the story here: there's an urgent update that Adobe has just made to Acrobat, Flash Player, and Adobe Reader.

If you have Acrobat, Reader, or Flash installed, which most folks do, you'll want to upgrade NOW. Here's the lead-in of the Adobe security announcement:

"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems.

"This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows."

[Editor's Note: Emphasis mine.]

Here are complete details (and the fix) for the Acrobat security issues.

As of the writing of this post, it appears that antivirus software and a software firewall can help mitigate the impact.