06/19/2012

How Prevalent Is Fake Antivirus Software?

Over the past couple of years, we've gotten a lot of calls and emails from people who've been infected by fake antivirus software.

I took a call myself from Joyce in Philadelphia late last week. She told me about how she had to wire money to India to get the viruses removed from her computer.

Their pitch to her? Her antivirus software (their fake software) had expired. When she called their so-called tech support number, they told her there was no way they could remove the virus without her making a payment by Western Union to renew the software for another year.

There were problems (of course) with her computer even after she paid the fees, so she was calling to see what the best antivirus software was because what she bought, she felt, sure wasn't very good.

Sure, some readers are going to say, "Why on Earth did she send a Western Union transfer to India?! What was the thinking??"

Let's put that aside for a while and ask the bigger question: Just how prevlent is this crap?

Funny thing is Kasperksy asked this question, too, in their survey/report Digital Consumer’s Online Trends and Risks.

A whopping 24% of users surveyed worldwide said they're encountered fake antivirus software with the worst three countries for "infection" being Russia (48%), the United States (34%), and the United Kingdom (28%).

What's the take-away message from this?

Well, there's more than just one:
  1. If you've seen fake antivirus software, you're not alone.
  2. Your chances are about 1 in 4 you will.
  3. Make sure you're running real antivirus software
  4. Familiarize yourself with what it's like and how it works
  5. If you're familiar with it, you're more likely to know a fake threat when you encounter it

06/05/2012

Should I Be Concerned about the Flame Worm?

Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden variety compromise of Windows lead to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)

Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims computers to trick the user into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kasperksy's analysis of Flame it can:
  1. Ennumerate nearbly bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PCs directory contents
  6. Lists "interesting" files
  7. Logs keystrokes
  8. Upload collected data to remote servers
  9. Identifies antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question. Are you at risk.

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing, if you're looking for more information on the Flame, keep in mind that it goes by other names: Flamer, sKyWIper, and Skywiper, as most virues do.

06/04/2012

Five Great Firefox Add-Ons You're Not Using... (But Should Be)

Like anything, some Firefox Add-Ons are great, some are meh, and some are crap.

What we've got here, my friends, is a list of the top five Add-Ons we like most (and use.)

In one way or another, the ones we've chosen are all geared towards improving your online privacy, security, or both.  Sure, some of our favorites are popular and used by a lot of people; chances are though that even most security conscious uber geeks haven't heard of all of 'em we list.

Have a look at our list and feel free to throw your own $.02 in if there are ones you know of we missed.

Five Great Firefox Add-Ons

(At Least Some of Which You've Never Heard Of)
Add-On Name / Link About The Add-On

Perspectives Project

Perspectives Project

Is that secure site really who it says it is?
The SSL system is imperfect. At its core are the Certificate Authorities (CAs). The first problem: it's possible to perform a Man-in-the-Middle (MiTM) attack against a CA.

The second problem: the CAs, while historically among the most secure organizations online, are also not impervious to attacks. Crackers have breached the gates and gotten into CAs.

In either case, all bets are off. That site you think is secure is anything but. Once a CA is compromised, any communcations you have with a "secure" site can be intercepted and read like it's on the front page of Yahoo.

The Perspectives Project solution is a system of public network notaries to monitor the world's SSL certificates and help ensure the certificates are legit.

Running the Firefox Add-on is a cinch, and once you've used it even for a few minutes, you'll likely have the same, "Oh!" feeling like we did when we first started running it.

ShareMeNot

ShareMeNot

The ubiquitous social media icons you see on just about every site (including ours), are tracking what we do and where we go online. How can you keep their functionality and lose Big Brother?
To web geeks, it's no surprise that these little icons are tracking our every move online. What may be a surprise? It's very easy to keep their functionality and ditch their privacy-invading tracking with ShareMeNot.

Aside from how easy to use it is, the best part is that even if you forget to log out of your Facebook, Twitter, LinkedIn, Google/GMail, or Digg account (among others), ShareMeNot has still got your back.

In fact, that's when it works best. You can stay logged into your Facebook or GMail account and keep the great functionality of the "Like" and "+1" buttons as you surf but don't let 'em track where you're going online or what you're doing.

NoScript

NoScript

Scripts are everywhere. Some are good; some are evil.
Tip the scale in your favor.

NoScript creator Giorgio Maone and the folks who develop NoScript take a unique approach to scripts: don't trust any. Until you do.

On every site you visit, Javascript, Java, Flash, and others are all prevented from loading 'til you explicitly grant them permission to load on a given web site.

And, interestingly, not only do most sites still work even when scripts are disabled, but enabling necessary scripts on sites you trust is a piece of cake.

All-in-all it's a beautiful piece of work.

Adblock Plus

Adblock Plus

Get the content, kill the ads.
Advertising is one thing. Intrusive, annoying ads are another.

Adblock plus is a great answer to the problem.

Sure, there's overlap between what NoScript and Adblock can do, but Adblock is geared more towards stopping ads than NoScript.

Another interesting feature is it lets you "collapse" (i.e. hide) sections of a web page. Great for getting the content you want and avoiding the seemingly unavoidable in-your-face ads.

Using it is easy, too--just start with any of the 50+ existing lists. Then if and when you want to customize it, you can do that, too.

BetterPrivacy

BetterPrivacy

There are cookies, and there are evil LSO cookies. Luckily, dealing with them isn't as hard as it once was.
Local Shared Object (LSOs) are a special, particularly evil type of cookie. Known as "Super Cookies," they're Flash, and they get placed onto your system's central folder. Thus, they're much, much more permanent than regular browser based cookies. Super Cookies go where you go, and you can't see or delete them with a garden variety "delete cookies."

This is where BetterPrivacy comes in.

With it you can manually manage LSOs, or set it up to automatically delete 'em when anytime you close (or open) a browser. And you can keep the LSOs/Super Cookies where they belong... not on your system.