06/08/2017

Why Setting Your Homepage Matters

 

Among the most underappreciated things in all of Internet security is the homepage.

In fact, it's importance goes beyond security. It affects three things:

  1. Security
  2. Speed
  3. Sanity

 

In this video, we discuss why setting your homepage to one specific thing is the only way to go. (And, most people have never even heard of it!)

Here's what you get:

  1. Browsers open faster.
  2. New tabs open faster.
  3. More control of your time online.
  4. huge tip-off if a specific kind of malware has sneaked past your defenses and infected your PC

 

We talk all the time about antivirus software, but none of 'em are perfect (as I talked about in my last post, When Antivirus Software Fails You) and showed in detail in this video exposing a banking-related trojan.

In any event, setting your homepage as we show in this video, is the way to go.

 

 

06/04/2012

Five Great Firefox Add-Ons You're Not Using... (But Should Be)

Like anything, some Firefox Add-Ons are great, some are meh, and some are crap.

What we've got here, my friends, is a list of the top five Add-Ons we like most (and use.)

In one way or another, the ones we've chosen are all geared towards improving your online privacy, security, or both.  Sure, some of our favorites are popular and used by a lot of people; chances are though that even most security conscious uber geeks haven't heard of all of 'em we list.

Have a look at our list and feel free to throw your own $.02 in if there are ones you know of we missed.

Five Great Firefox Add-Ons

(At Least Some of Which You've Never Heard Of)
Add-On Name / Link About The Add-On

Perspectives Project

Perspectives Project

Is that secure site really who it says it is?
The SSL system is imperfect. At its core are the Certificate Authorities (CAs). The first problem: it's possible to perform a Man-in-the-Middle (MiTM) attack against a CA.

The second problem: the CAs, while historically among the most secure organizations online, are also not impervious to attacks. Crackers have breached the gates and gotten into CAs.

In either case, all bets are off. That site you think is secure is anything but. Once a CA is compromised, any communcations you have with a "secure" site can be intercepted and read like it's on the front page of Yahoo.

The Perspectives Project solution is a system of public network notaries to monitor the world's SSL certificates and help ensure the certificates are legit.

Running the Firefox Add-on is a cinch, and once you've used it even for a few minutes, you'll likely have the same, "Oh!" feeling like we did when we first started running it.

ShareMeNot

ShareMeNot

The ubiquitous social media icons you see on just about every site (including ours), are tracking what we do and where we go online. How can you keep their functionality and lose Big Brother?
To web geeks, it's no surprise that these little icons are tracking our every move online. What may be a surprise? It's very easy to keep their functionality and ditch their privacy-invading tracking with ShareMeNot.

Aside from how easy to use it is, the best part is that even if you forget to log out of your Facebook, Twitter, LinkedIn, Google/GMail, or Digg account (among others), ShareMeNot has still got your back.

In fact, that's when it works best. You can stay logged into your Facebook or GMail account and keep the great functionality of the "Like" and "+1" buttons as you surf but don't let 'em track where you're going online or what you're doing.

NoScript

NoScript

Scripts are everywhere. Some are good; some are evil.
Tip the scale in your favor.

NoScript creator Giorgio Maone and the folks who develop NoScript take a unique approach to scripts: don't trust any. Until you do.

On every site you visit, Javascript, Java, Flash, and others are all prevented from loading 'til you explicitly grant them permission to load on a given web site.

And, interestingly, not only do most sites still work even when scripts are disabled, but enabling necessary scripts on sites you trust is a piece of cake.

All-in-all it's a beautiful piece of work.

Adblock Plus

Adblock Plus

Get the content, kill the ads.
Advertising is one thing. Intrusive, annoying ads are another.

Adblock plus is a great answer to the problem.

Sure, there's overlap between what NoScript and Adblock can do, but Adblock is geared more towards stopping ads than NoScript.

Another interesting feature is it lets you "collapse" (i.e. hide) sections of a web page. Great for getting the content you want and avoiding the seemingly unavoidable in-your-face ads.

Using it is easy, too--just start with any of the 50+ existing lists. Then if and when you want to customize it, you can do that, too.

BetterPrivacy

BetterPrivacy

There are cookies, and there are evil LSO cookies. Luckily, dealing with them isn't as hard as it once was.
Local Shared Object (LSOs) are a special, particularly evil type of cookie. Known as "Super Cookies," they're Flash, and they get placed onto your system's central folder. Thus, they're much, much more permanent than regular browser based cookies. Super Cookies go where you go, and you can't see or delete them with a garden variety "delete cookies."

This is where BetterPrivacy comes in.

With it you can manually manage LSOs, or set it up to automatically delete 'em when anytime you close (or open) a browser. And you can keep the LSOs/Super Cookies where they belong... not on your system.

10/19/2011

More Details Emerging about R2D2 Backdoor Trojan

First reported by the Chaos Computer Club (CCC), which claims to be the largest European Hacker club, this malware, they claim, is used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel.
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:

F-Secure

In their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.

Kaspersky

The Kaspersky blog details their own analysis which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total.
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software
Here's the complete list uncovered by Kaspersky antivirus in their analysis:
Software Monitored by R2D2 Backdoor Trojan
Program Purpose
explorer.exe Internet Explorer web browser
firefox.exe Mozilla Firefox web browser
icqlite.exe Chat software
lowratevoip.exe VOIP software
msnmsgr.exe Chat software
opera.exe Opera web browser
paltalk.exe Video chat software
simplite-icq-aim.exe Chat software
simpro.exe Chat software
sipgatexlite.exe VOIP software
skype.exe VOIP software
skypepm.exe VOIP software
voipbuster.exe VOIP software
x-lite.exe VOIP software
yahoomessenger.exe Chat software


So now, the question is are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.

F-secure says, The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created. And Kaspersky says, All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.

So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.

And, if you're not, why not?

08/17/2011

Firefox 6 Released. Does it Matter?

With Mozilla Firefox now releasing its third full release in its new "rapid release" schedule, there definitely reason to upgrade for most people.

The most noticeable improvement is in the address bar, which now puts emphasis on the domain name to help thwart phishing attacks.



As you can (hopefully) see the emphasis, while subtle, is definitely there.

I've found as I got used to using it, the emphasis was easier to spot.

Personally, I love the feature; I just wish it were even more prominent.

Opera, in their version 11 took a different approach, removing everything but the domain name itself from the address bar. Thus:

http://www.pcantivirusreviews.com/antivirus-comparison.html

becomes...

http://www.pcantivirusreviews.com/


While that approach is probably good to some extent, particularly for new users, it's also frustrating because it requires you to click on the address bar to reveal the full website address.

Luckily, you can easily revert to displaying the full website address in Opera through by typing opera:config into the Opera address bar.

Whatever the case, that web browsers are trying through a host of technological means to make it harder for the malware writers to take over peoples' PCs is a good thing.

Bottom line: yes, it's worth upgrading.

Regardless of what antivirus software you're running, keeping your web browser updated is a smart thing to do. After all, most virus and malware attacks do come in via the web, so why not give yourself every technological advantage?

08/16/2011

Best Web Browser for Blocking Malicious Content?


2

Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks
Web Browser Malware Blocking Efficacy
Microsoft Internet Explorer 9 99.2%*
Google Chrome 12 13.2%
Apple Safari 5 7.6%
Mozilla Firefox 4 7.6%
Opera 11 6.1%
* With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of protection respectively.



Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers abilities (or likelihood) of being attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.

07/20/2011

Make the Web Safer, Get $10,000

Well, it's not quite that easy for most of us, but this week I was delighted to learn the Dragon Research Group, a security resarch organization, awarded their 2011 Security Innovation Grant (a $10,000 grant) to NoScript, a free and outstanding security add-on for Mozilla Firefox.

About the $10,000 grant, Giorgio Maone, who leads NoScript's development, said,
The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environments and NSA (NoScript 3.0 alpha for Android, generously aided by the NLNet Foundation).

"...it will support the implementation of a desktop UI [and] will allow an unified 'NoScript Anywhere' package to be installed indifferently on PCs and mobile devices, sharing the same configuration and permissions everywhere via secure remote synchronization.
In non-geek speak: your Android phone and your PC will be able to share NoScript configuration data, and they'll be easy to use, too.

If you're a fan of Firefox, which we are here, running NoScript adds another layer of security to your web surfing; it's great to see DRG recognizing how important NoScript is and to help fund its continued development.

If you haven't used Firefox in a while (or haven't updated yours in a while), here's where you can Download Firefox.

As for NoScript, it works by blocking scripts like Javascript and other embedded elements on every web page you encounter 'til you specifically permit them to run. Nice.

The first week or so you're running NoScript, like a software firewall, it needs a little training to get it to understand what sites you regularly visit and are "trusted," but after that, it's always on guard against the rogue site doing things it shouldn't to your PC.

Josh, this site's other editor, likes to call it the "firewall for Firefox." Sure, techies may take umbrage with his metaphor, but it gets the point across: NoScript blocks things from happening in and to Firefox.

Regardless of whether or not you run antivirus or Internet security software, NoScript adds another layer of security to Firefox and to your PC and information security.

It's definitely worth a look.

06/22/2011

Firefox 5 Released by Mozilla Foundation

Despite Firefox 4 having been released just three months ago, the Mozilla Foundation, the organization behind the Firefox web browser, has already rolled out Firefox 5, and here's the kicker, Firefox 4 is no longer being supported.

What does this mean?

It means if you're running Firefox, you must upgrade to keep your PC secure.

No ifs, ands, or buts.

What's different?

As far as looks go, it's pretty much identical to Firefox 4, so there won't be any surprises there.

Computerworld has a brief write-up of the changes, although this bit summarizes everything handily,
Although the company said it added more than 1,000 improvements to the browser, most were minor bug fixes or tweaks.

"Among the most significant changes were enhanced support for HTML5 and new support for CSS (cascading style sheet) animations.
"So now what?" you ask?

If you're running Firefox, upgrade now. Don't wait. Don't put it off. Do it now. Older versions are--as of June 21, 2011--officially unsupported.

Translation: no security updates.

So, if the bad guys start targeting the old version of Firefox, which they will, you're putting yourself at risk. It's not worth it.

Just take care of it. It's free. It's fast. It's easy.

Where do you get it?

Download Firefox here.

06/13/2011

Firefox Users Not Safe from Scareware

Just when you thought it was safe to surf the web with Firefox, the bad guys are at it again with a new "scareware" virus.

The news is out about a brand-new piece of malware that mimics a virus attack (sometimes called "rogue antivirus"), which then prompts you to hurry up and get the latest Windows update. But the catch is, you have to pay for it or else your PC is doomed to be destroyed (hence the "scare" tactic).

But of course, you shouldn't pay anybody anything for these scareware viruses. It's all just a scam to take your money.

We've seen plenty of scareware and rogue antivirus before, so what's different about this one? This one targets Firefox users specifically.

This is the first major red-flag. Any legitimate Windows update can only be accessed through Microsoft Internet Explorer, or run in the background of Windows: a Windows prompt will never originate from Firefox like this scareware has.

The other tricky factor, is the scareware takes you to a Windows update page that looks amazingly like a real Windows update website.



It's easy for anyone to get scared into thinking their PC is about to crash and/or become highly infected, then start clicking buttons and paying someone (whom you think is legitimately Microsoft in this case) in a hurry to save your computer.

How to protect yourself?

  1. First, don't panic when you see these doomsday warnings. Take a deep breath and look at the warning carefully. If the warning is completely blocking your ability to access any part of your PC, or completely interrupting all actions on your PC, it's probably scareware.

  2. If you click the warning button, and are taken to a new site to pay for the scareware "removal" or "update," examine the website URL carefully. The site may look very real and very legitimate (it's actually very easy to design a fake webpage of any kind). But look at the URL. Does it have "update.microsoft.com/" in there somewhere?

    Be careful though, some bad guys are very tricky and will put the word "microsoft" (or some other legitimate URL) somewhere in the URL string just to make it look real. Make sure the URL says "update.microsoft.com/".

    The important part is that the URL have the real address just before the first trailing slash (a real site may still have a bunch of stuff before the final ___.com/ string, but will always have the real URL before the first trailing slash).

  3. Finally, don't give anyone your money for these scare tactics. Microsoft won't ask you for any money for a simple update if you're already using Windows OS. And if you already own antivirus software, they won't demand any money to fix your problems.

The bottom line is, Firefox users need to be just as careful as Internet Explorer users. The bad guys may not target you as often, but you're still at risk.

Be careful what you click, and make sure your antivirus software is up to date.

03/28/2011

Mozilla Firefox Takes Steps to Block Fraudulent SSL Security Certificates

Mozilla reported on March 22, that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.

These were removed by the issuers which should protect most users. Mozilla has patched their Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox specific issue.

The effect to users would be that if on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This in turn, could be used to deceive users into revealing personal information like usernames and passwords or downloading malware if thought to be coming from a trusted site.

Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.

The Comodo Group, Inc. (the certificate authority) first reported the issue.

A follow up by Mozilla indicated that on March 15 an RA partner of Comodo Group, Inc.--which is a Certificate Authority--suffered an internal security breach, where the attacker used the RA's account with Comodo to get 9 fraudulent certificates to be issued.

The domain names of the certificates were identified as:

  • addons.mozilla.org
  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (x3)
  • login.skype.com
  • global trustee

The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.

To date, Comodo reports the only OCSP activity noted relating to these certificates has been two hits, one from the attacker's IP and another from very close by. Additionally, hits incurred from testing by Comodo and the notified companies. This hints that they have not been deployed in an attack, but it is possible the attackers would block OCSP requests as well.

Comodo has identified the IP address as an ADSL connection and originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.

Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.

Risk mitigation actions implemented:

  1. Revocation of the certificates
  2. A hard coded blacklist of the certificate serial numbers in Firefox deployed as RC2 of Firefox 4 with two additional code patch releases, released on March 22.
  3. Mozilla released an announcement with some details of the problem.

Mozilla released the patch prior to publishing any announcements out of concern the attackers would be tipped off to blocking the updates.

Mozilla's security blog reported:

Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.

Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.

In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.

Mozilla has requested that Comodo do the following:

  1. Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
  2. Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
  3. Cancel all relationship with the RA concerned. (So far: the RA is suspended.)
  4. Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.

With Internet attackers always on the move, consumers of the Internet should always ensure their PCs are getting the latest updates, including updating Firefox, to protect against security intrusions and malware. Aside from that having solid, trusted, Internet security software can also give peace of mind in holding off these threats.

03/08/2011

Fake Ads Posing as AV Solutions Target Browsers

Blogger Dan Goodwin at The Register talks about how browser malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.

Fake-av-ie-2

Mozilla Firefox

Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the security warning normally shown gets spoofed when Firefox detects the user attempting to navigate to a known malicious site.

Fake-av-firefox

Google Chrome

Google's Chrome users get a customized popup window -- complete with the Google Chrome logo and an unsuspecting warning. The positive side to this is Chrome identifies the page reporting this falsehood.

Fake-av-chrome

If the user clicks "ok", then a Chrome-looking window opens shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.

Fake-av-dafari

These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers.

According to Dan Goodwin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org.

If you're successfully redirected, the site tries to upload and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.

At the time of Sobrier's piece, VirusTotal scan claims this malware is only detected by just 9.5 percent of 42 AV programs tested, although that number is sure to increase quickly.

It's clear, fake antivirus scams is getting more sophisticated. The good news is, legitimate Internet security software is evolving, too.