May 25, 2013

Clever Criminals use LinkedIn Phishing Email [Video]

Today I received what looked like LinkedIn connection requests, only they weren't from LinkedIn at all: the links in them led to a site serving a Trojan. Since the messages were fairly convincing, I was concerned that some people might click the link and become infected. The purpose of this article is to arm you with the knowledge to avoid this and similar attempts. Three of the messages pictured to the right are part of the Kryptik.RY Trojan campaign and one is an authentic message from LinkedIn. The video below demonstrates how to tell them apart and avoid becoming a victim:

If your browser doesn't support Flash or you do not see the video, you can view it on YouTube.

Have you received any of these messages yet?

The Best Antivirus Software

This article originally appeared in “The Danville Tech Guy” column 6/8/2012 on the Danville Patch.

This week’s Danville Tech Guy question comes from Danville Patch reader Lisa. Lisa asked:

“What is the best anti-virus software out there? There are so many now and it’s really confusing to try to compare what will work the best.”

This is a great question, and we're all in search of that secret sauce to keep our computers safe from harm while we travel the World Wide Web. Part of the confusion, I believe, stems from the fact that there are a number of different (but related) products that address different parts of the security equation. The result you are looking for, I assume, is to protect your computer and privacy from compromise by someone who would like to harm or steal from you. I'm going to talk a little bit about what the products are and what they do, and make some suggestions. Ultimately the best product to use is probably the one recommended by whoever supports you when there is a problem. How you use your computer (the sites you visit, the communications you receive, the programs you use) is actually the biggest factor in how secure you will be. The best advice I can give you is to take time to learn how to be a safer computer user; perhaps I can tackle that in a future column.

Antivirus and other security products

We have seen an evolution from what was once simply Antivirus software into a massive industry with several key components:

  1. Antivirus
  2. Anti-Malware
  3. Security Suites
  4. Other security products

Antivirus

This is the traditional product. It has a real-time scanning component that blocks certain files from running on your computer based on definitions (known virus signatures) or heuristics (virus-like behavior). For most people this is the backbone of their protection scheme. My company recommends ESET NOD32 for this role, but there are plenty of other good products on the market.

Anti-Malware

Most antivirus products include malware signatures (the patterns the software uses to recognize bad programs) in their definition sets, but it is often useful to run a dedicated anti-malware product as well. There are two I'd recommend: Spybot Search & Destroy and Malwarebytes Anti-Malware. Spybot has an inoculation ("Immunize") feature that can passively protect you from a lot of common malware by making some changes to your computer, such as browser and hosts file settings.

Security Suites

These products bundle antivirus, anti-malware, a firewall and other components. I am not a big fan of them at all: they are very invasive and often prevent you from doing things you want to do. They also involve a level of interaction and "training" where a user could easily allow something they shouldn't while teaching the system what is normal. That time and effort can be better spent elsewhere.

Other security products

There are lots of products that creatively attempt to solve the security equation. One that I've grown to love is Sandboxie. Sandboxie allows you to run programs isolated from your operating system. That means if you happen to execute a malicious file within the sandbox, the changes it makes are confined to the sandbox rather than your operating system overall (unless the malware manages to break out of the sandbox, which is rare but not impossible). This greatly reduces the risk to your system. Unfortunately, configuring and learning to use this software correctly requires a time investment. The time invested is well worth it, though, as you will be able to access the web with much more confidence.

The short answer:

ESET NOD32 is the product I would recommend, with the understanding that no software will ever be 100% effective, and that your willingness to learn about security and privacy issues will be a valuable asset.

Do you have an IT Question?

Please visit this article if you'd like to learn how you could have your question featured on this blog, or you can always swing by our Facebook page and ask your question there as well.

Removing Your Personal Data Before Disposing of a PC

This article originally appeared in “The Danville Tech Guy” column 6/4/2012 on the Danville Patch.

This week's Danville Tech Guy question comes from Patch reader Mrs. G. She asked:

“What’s the best way to remove your personal data before disposing of a PC?” -Mrs. G

This is a great question and I am happy that you asked, Mrs. G. We are all storing so much personal information on our computers these days. The loss of a computer could have a significant impact on our privacy and open us up to identity theft and a host of other problems. There are a number of options to ensure that our private information is not compromised when we dispose of a computer. Based on skill level, I am going to suggest three options.

  1. Use a disposal company that can provide you with a certificate of data destruction.
  2. Remove the hard drive and store it in a safe place.
  3. Run a disk wiping utility that destroys the data.

Using a disposal company that can provide a certificate of data destruction (for novices)

We use a local e-waste company (E-Waste Direct); they and some other firms can provide a certificate of data destruction for the computers they recycle on your behalf. This is the easiest way to avoid having your data fall into the wrong hands, but you are relying on a third party to do so. Be very cautious and research the company's reputation before selecting this option. Chances are, if they don't know what a certificate of data destruction is, you should keep looking, and that is the first question I would recommend you ask.

Removing and storing the hard drive(s) (novice and up)

Depending on how the computer was designed this can be simple or difficult to do. Hard disks have a very distinct appearance (you can see examples here) and are usually held in by anywhere from zero (tool-less) to four screws. Since you are disposing of the computer, do not worry about harming it; the recyclers are going to take it apart anyway.

Using a disk wiping utility (for professionals)

If you know how to burn a bootable CD from an ISO file, this moderately more difficult option is very effective at sanitizing a hard disk by overwriting all of the data on it. Most professionals use this method, but it can be tricky. There is a free program called DBAN, or Darik's Boot and Nuke (www.dban.org). If you download the ISO file they provide and boot the computer from the DBAN CD-ROM, it can automatically wipe, or "nuke", every hard drive in the computer. One caveat: overwriting tools like DBAN are designed for spinning hard disks. Solid state drives remap blocks internally, so for those the drive's own secure-erase command (or physical destruction) is the reliable route.
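To show what "wiping" actually means, here is a small added example (not code from this column, and not what DBAN does internally): it overwrites a target, then reads it back to prove the overwrite took, which is the step people skip. It is written against a scratch file; on Linux the same calls work on a raw block device like /dev/sdb when run as root, and that is destructive. The path and size in the usage at the bottom are assumptions.

```python
"""Added example, not code from the column and not what DBAN does internally:
overwrite a target and then read it back to prove the overwrite took. Written
against a scratch file; on Linux the same calls work on a raw block device such
as /dev/sdb if run as root, and that is destructive. The default target path
in the usage at the bottom is an assumption."""
import os

CHUNK = 1 << 20  # 1 MiB per write/read


def device_size(path):
    """Size in bytes of a file or block device (seek to the end and ask)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def overwrite(path, size, pattern, chunk=CHUNK):
    """Write `size` bytes over `path` from offset 0. `pattern` is a bytes
    object to repeat, or None for random data from the OS."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            data = os.urandom(n) if pattern is None else (pattern * (n // len(pattern) + 1))[:n]
            f.write(data)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # reach the device, not just the page cache


def first_nonzero(path, size, chunk=CHUNK):
    """Read the range back and return the offset of the first non-zero byte,
    or -1 if every byte is zero. A remapped or failing sector, or the wrong
    target, shows up here rather than being assumed away."""
    with open(path, "rb") as f:
        offset = 0
        while offset < size:
            block = f.read(min(chunk, size - offset))
            if not block:
                return offset  # short read: target smaller than claimed
            stripped = block.lstrip(b"\x00")
            if stripped:
                return offset + len(block) - len(stripped)
            offset += len(block)
    return -1


def sanitize(path, size=None):
    """One random pass, one zero pass, then verification of the zero pass.
    Returns True only when the read-back is all zeros. Overwriting is the right
    tool for spinning disks; an SSD remaps blocks internally, so use the
    drive's own secure-erase command there instead."""
    if size is None:
        size = device_size(path)
    overwrite(path, size, None)
    overwrite(path, size, b"\x00")
    return first_nonzero(path, size) == -1


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "scratch.img"  # assumption
    print("sanitized" if sanitize(target) else "VERIFY FAILED", target)
```

The verification pass is the part worth copying: a wipe that is never read back is a wipe you are taking on faith, and a single bad sector or a typo in the device name is exactly the kind of thing it catches.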

Figure out which method works best for you and don’t hesitate to do a little more research and ask more questions Mrs. G. – Joe

Have an IT Question?

Please visit this article if you'd like to learn how you could have your question featured on this blog, or you can always swing by our Facebook page and ask your question there as well.

Data Destruction image compliments of Robert Emperley, Creative Commons.

Phishing Email from FDIC targets Businesses

It's tax season and we've already seen the tax-related phishing emails showing up in our inboxes. Early this morning a new phishing scheme was detected that is targeting businesses with emails purportedly from the FDIC. If you take the time to inspect the link, it is easy to determine that the message is a phish. Here is a screenshot of the message:

FDIC Phishing Email Screenshot

For your convenience and to learn more on how to protect yourself you can also check out this video:

Video not displaying? You can also view it on Youtube.

Here is the entire text of the message (included so that search engines index this article properly):

Attn: Financial Department

By this message we would like to inform you about the recent alterations in the FDIC insurance coverage for transaction accounts.

During the period from December 31, 2010 to December 31, 2012 all the money in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation. Please note, that this measure is temporary and separate from the FDIC’s common deposit insurance regulations.

The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which no interest is paid by the insured depository institution.

For detailed information about temporary FDIC insurance coverage of transaction accounts, please view the official site link.

Yours sincerely,
Tad Melendez.

Federal Deposit Insurance Corporation
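"Evaluate the link" is the advice in both this post and the LinkedIn one above, so here is an added example (not code from the original posts) that does it mechanically: it pulls every anchor out of an HTML email and flags the ones a reader should distrust. The sample message is constructed for the example, with placeholder domains and documentation IP space standing in for the real phishing site; the expected sender domain is an assumption.

```python
"""Added example (not the original posts' code): pull every link out of an
HTML e-mail and flag the ones a reader should distrust. The sample message is
constructed, with placeholder domains and documentation IP space in place of
the real phishing site. EXPECTED_DOMAINS is an assumption about the sender."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain the message claims to be sent from.
EXPECTED_DOMAINS = {"fdic.gov"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible anchor text that itself looks like a URL or host name.
DOMAINLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def registrable(host):
    """Last two labels of a host name: 'www.fdic.gov' -> 'fdic.gov'.
    Good enough here; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host name from a URL or bare domain, or '' if it has none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, expected=EXPECTED_DOMAINS):
    """Return [{'href', 'text', 'reasons'}] for every link failing a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if IPV4.match(host):
            reasons.append("ip-literal")           # no bank's site is a bare IP
        if registrable(host) not in expected:
            reasons.append("unexpected-domain")    # lands outside the claimed sender
        if registrable(host) not in expected and any(f".{e}." in f".{host}." for e in expected):
            reasons.append("lookalike-subdomain")  # fdic.gov.attacker.example
        if DOMAINLIKE.match(text) and registrable(host_of(text)) != registrable(host):
            reasons.append("text-href-mismatch")   # shows one site, goes to another
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: two bad links and one genuine one.
SAMPLE_EMAIL = """
<p>For detailed information about temporary FDIC insurance coverage of
transaction accounts, please view the
<a href="http://fdic.gov.example-update.net/coverage">official site link</a>.</p>
<p>Or go to <a href="http://203.0.113.7/login">www.fdic.gov</a> directly.</p>
<p>Questions? See <a href="https://www.fdic.gov/deposit/">https://www.fdic.gov/deposit/</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

The "lookalike-subdomain" check is the one that catches the message above: the expected name appears in the link, which is enough to fool a glance, but it is a subdomain of somebody else's registrable domain. The same function works for the LinkedIn messages by swapping `expected` for `{"linkedin.com"}`.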

Twitter Phishing DM and Fake Twitter Website in the Wild

Please be very careful following any hyperlinks on Twitter. Tonight I received a direct message from someone I follow on one of my accounts. The message includes a link to a fake Twitter website, which appears to be how that user's account was originally compromised. Watch the video (updated 1/16/2012) if you want to see exactly how it looks and works.

Browser doesn’t show flash or video not displaying? You can also view it on Youtube.

Updated 1/14/2012 10:25PM UTC-8: Chrome is already reporting the URL in the video as a suspected phishing site.

Updated 1/15/2012 7:05PM UTC-8: The fake site is still up and running. I decided to report it to the hosting ISP; unfortunately it's in China and they probably won't do anything about it.

Updated 1/16/2012 11:33PM UTC-8: This thing is picking up steam in spite of efforts to build awareness. If you receive one of these messages, be sure to tell the person who sent it to change their Twitter password. Presently whoever is harvesting these accounts is not locking the owner out by changing the password; this could change at any point. Also keep in mind that if you use the same password for multiple things you should change those too, as this password list is likely to circulate in nefarious circles. Here is a tweet spotted tonight after just glancing at the Twitter stream:

Warning about DM Spam

Updated 1/17/2012 2:39PM UTC-8: Surprisingly, something simple that would be dead if it weren't hosted in China (any ISP in the USA or other Western countries would have taken this site offline within 6-8 hours) appears to be gaining steam. A coalition of humorous and fed-up folks set up a gag site about it. I won't ruin it for you; you can check it out at didyouseewhattheysaid.com. I will say this: I got a chuckle out of it.

2 Things Everyone Needs to Know about the WPS Vulnerability

You may have heard recently that there is a vulnerability affecting many wireless access points. It has to do with Wi-Fi Protected Setup (WPS), which is supposed to make it easier to configure devices to use your wireless network. The problem is that the WPS PIN method is vulnerable to a brute force attack: the access point confirms each half of the 8-digit PIN separately, so an attacker within range of your wireless signal needs only about 11,000 guesses rather than the 100 million the PIN length suggests, after which they can join the network and change settings on your device. Once the foot is in the door there are many other things that can be done, especially if you have unprotected devices on your network.
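The arithmetic behind the brute force, as an added example that is not part of the original post: the PIN layout and checksum follow the Wi-Fi Protected Setup specification, and the guess counts assume a registrar that confirms each half of the PIN on its own, which is the flaw described in VU#723755 (linked under Additional Resources).

```python
"""Added example, not from the original post: the arithmetic behind the WPS
PIN brute force. PIN layout and checksum follow the Wi-Fi Protected Setup
specification; the guess counts assume a registrar that confirms each half
of the PIN separately, which is the flaw VU#723755 describes."""


def wps_checksum(first_seven):
    """Checksum digit appended to the 7-digit body of an 8-digit WPS PIN:
    odd positions weighted 3, even positions weighted 1, mod 10."""
    digits = [int(c) for c in first_seven]
    if len(digits) != 7:
        raise ValueError("need exactly seven digits")
    acc = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - acc % 10) % 10


def is_valid_pin(pin):
    """True if `pin` is 8 digits and its last digit is the right checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def guesses_needed(halves_confirmed_separately=True):
    """Worst-case number of PIN attempts.
    Flawed registrar: 10**4 tries settle the first four digits, then 10**3
    settle digits five to seven (the eighth is fixed by the checksum).
    A registrar that only answers on the whole PIN forces 10**7 tries."""
    if halves_confirmed_separately:
        return 10**4 + 10**3
    return 10**7


def worst_case_hours(seconds_per_attempt, halves_confirmed_separately=True):
    """Time to exhaust the search at a given per-attempt cost."""
    return guesses_needed(halves_confirmed_separately) * seconds_per_attempt / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("guesses with flaw:", guesses_needed(), "without:", guesses_needed(False))
    print("hours at 1.3 s/attempt:", round(worst_case_hours(1.3), 1))
```

Two things follow from the numbers: the checksum removes nothing of value (it only fixes the last digit once the other seven are known), and the split confirmation is what turns an infeasible search into an afternoon's work, which is why "turn WPS off" rather than "pick a better PIN" is the advice.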

The two things you should know if you own or are responsible for any wireless access points are:

  1. There is no practical universal solution to the problem.
  2. You may have to use the hacking tools themselves to be 100% certain you are not vulnerable.

If you feel you have anything someone might want to steal, the smartest thing might be to just disconnect the wireless access point or turn it off, then live without it until the manufacturer has clear information on your make and model. Where the firmware offers a switch to disable WPS, turn it off, but be aware that some devices keep answering WPS requests anyway, which is why point 2 above matters. Of course, if your wireless access point is also your Internet router this could be problematic.

There are more questions than answers right now, and while you can't tell with certainty that you are not vulnerable, a list is being compiled of devices that have been confirmed to be vulnerable. You can access the WPS Vulnerability Testing Document to find devices that have been confirmed.

Known and potential solutions

Solutions to this issue will be updated here as they become available:

Belkin (does not say whether this fully disables WPS!)

Netgear (Home Routers)

Additional Resources

Vulnerability Note VU#723755 (US-CERT)

Special thanks to @Shonali for sharing the Bart Simpson Chalkboard Generator.

Critical Java update and a stark reminder to update JAFO

The latest advisory for Oracle Java addresses a total of 20 vulnerabilities; 19 of those 20 may be remotely exploitable. Remotely exploitable vulnerabilities are very high information security priorities because they can allow rapid propagation of malware or computer viruses.

It’s time to add a new acronym

For some time now we've all learned that Windows/operating system updates are pretty important, but there are emerging threat vectors that also need to be addressed. Back in early 2009 a huge ramp-up in the volume of Adobe PDF (Reader/Acrobat) and Java updates occurred. Since that time those two have become very popular sources of computer exploitation. Add to that some recent nasty Flash exploits and you have the makings of a new acronym:

Always update JAFO:

Java
Acrobat
Flash
Operating System (critical updates for Windows, etc.)

Extra credit for the techie types: remember when Microsoft had their own Java Virtual Machine?

Duqu in the wild, not the drivers you were looking for.

Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas inspired character, the name comes from the ~DQ prefix that researchers noticed this previously unknown malware was adding to the files it creates. I am sure Dairy Queen is happy with their choice. Joking aside, this malware is no laughing matter. It seems to have been written by the authors of Stuxnet, or by someone with access to the Stuxnet source code. Stuxnet is the worm believed to have set back the Iranian nuclear program last year. Duqu is smaller and appears to be designed to spy on infected computers with a combination of a keystroke logger and a data siphon, and to remove itself after 36 days to elude detection.

A new breed of threat

One disconcerting aspect of this particular Trojan is that the driver in one variant was signed with a code-signing certificate belonging to a legitimate organization in Taiwan. That means a Windows machine will treat the driver as legitimate, just like one you'd download to support a new hardware device on your Windows PC. Luckily, the certificate has since been revoked. This particular malware masks its presence on the infected machine quite well, making it a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. These include:

  1. Keeping your critical components up to date.
  2. Cautious web surfing and Email habits.
  3. Avoid public charging kiosks.
  4. Avoid flash drives from unknown sources.

Did you already get infected? You might want to visit the post-virus opportunity center.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit when it was a zero-day, it is prudent to consider what other means might have prevented the infection. If it turns out that this malware communicates with hosts in remote countries, a security solution I recently proposed would have prevented the infection from transferring or downloading any information, rendering it useless.

More information

If you found this article helpful or interesting please share it with your friends.

Why all businesses should consider SEC Cyber Security Guidance

Cyber Security Sandia Labs Research

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a disclosure guidance document on cybersecurity. The document was a direct response to businesses' dependence on digital technologies and the increased risks that come with it. While the SEC guidance was aimed at publicly traded companies, both the information in it and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contains extensive guidance for organizations covering before, during and after a cybersecurity incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not because of guidance from the SEC or specific directives such as HIPAA, but because it is the right thing to do. We as businesses are stewards of our clients' critical information. In many cases prevention is less expensive than we might think, and much less expensive than the liability associated with a failure to prevent a cybersecurity event.

In response to the extraordinary role that cybersecurity plays in our modern connected world, Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses of any size with protecting their critical systems. You can join the conversation about cybersecurity on our Facebook page.

Why did RSA allow traffic to a known malware site?

SecurID Tokens

Samples of the ~40 million SecurID tokens RSA replaced as a result of the hack.

I am frustrated: the information disclosed by F-Secure about how RSA was hacked is appalling.

There are lots of layers to security and, in all fairness, I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA, a security firm, opened an email that said just:

I forward this file to you for review. Please open and view it.

No signature, nothing, nada. It had an Excel file attached, named "2011 Recruitment plan". They opened it. They got infected by a zero-day Flash exploit embedded in the Excel file.

RSA got "owned"

I am frustrated because I know this happens every day all over the world, and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the apparatus that failed RSA in this case, but in the interest of time I am going to focus on one:

Why did RSA allow traffic to a known malware site?

The site that the payload (Poison Ivy) contacted was mincesur.com which according to F-Secure:

“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

WHAT?!?!?

Then why on earth was RSA allowing its systems to access that site? I did an arin.net lookup for the IP address of mincesur.com (119.70.119.30):
whois for 119.70.119.30 mincesur.com
I can understand a company like RSA needing access to the APNIC address space, though most of us do not. Specifically, though, why would they route traffic to an address/domain that is known to be used in espionage attacks? Since we have already established that the user failed to identify the threat, what about the other devices and mechanisms in the path between the infected computer and the malicious host?

Touch #1 – DNS Lookup

When the Poison Ivy payload asked DNS for the address of mincesur.com, RSA's DNS servers promptly returned the known threat's IP address. It is possible, and useful, to add records for known malicious domains so they resolve to something harmless, such as the loopback address 127.0.0.1 (the payload would then be trying to connect to the infected machine itself), or better still to an internal sinkhole host where the attempts get logged and can be investigated. Failed.

Bonus info: this can even be overridden and handled by a hosts file on an individual computer (an example is at Malwarehelp.org).

Touch #2 – Antivirus Software

Endpoint security software can block access to known malware websites. Failed.

Touch #3 – Router

One or more RSA routers were touched in the process. Without a router a computer cannot communicate with systems outside its own network. Routers can maintain blacklists or null routes to drop traffic coming from or going to known malicious sites. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.

Touch #4 – Proxy Server (Optional)

Many companies use a proxy server or transparent proxy to store copies of frequently accessed files so they don't have to be downloaded every time. A proxy server can also provide additional protection, including domain-based filtering. Since mincesur.com was a known malware domain, this could easily have been blocked by a proxy server. Failed.

Touch #5 – Intrusion Detection/Prevention Device (IDP – Optional)

These are usually definition-based devices that look for traffic matching a known malicious signature, such as traffic coming from or going to a known malicious website. Failed.

Touch #6 – Firewall

Even many small companies have firewall hardware. Firewalls allow for much more complex rules about what kind of traffic can go where, and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways a properly configured firewall could have cut off this infection's communication with its controller, which is what made it useful to the attacker. Failed.
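To make the "touches" concrete, here is an added example (not code from the original post) that runs one outbound connection past three of the controls listed above, the DNS sinkhole, the proxy domain filter and the router null route or firewall deny, and reports which of them would have stopped it. The connection log is constructed; mincesur.com and 119.70.119.30 are the values the post quotes from F-Secure, while the block lists and the /24 null route are assumptions for the example.

```python
"""Added example, not the original post's code: one outbound connection checked
against three of the controls the post walks through (DNS sinkhole, proxy domain
filter, router null route / firewall deny) to show that any one of them would
have stopped it. The connection log is constructed; mincesur.com and
119.70.119.30 are the values the post quotes from F-Secure. The block lists
and the /24 null route are assumptions for the example."""
import ipaddress

BLOCKED_DOMAINS = {"mincesur.com"}                          # threat-intel feed (assumed)
NULL_ROUTES = [ipaddress.ip_network("119.70.119.0/24")]     # assumed null route / deny rule
SINKHOLE_IP = "127.0.0.1"                                   # what blocked names resolve to

# Constructed "real" answers the upstream resolver would give.
UPSTREAM_DNS = {"mincesur.com": "119.70.119.30", "www.example.net": "203.0.113.10"}


def normalize(name):
    return name.lower().rstrip(".")


def dns_resolve(name, upstream=UPSTREAM_DNS):
    """Touch #1, internal DNS: a blocked name gets the sinkhole address instead
    of the real one. Returns (ip, sinkholed)."""
    if normalize(name) in BLOCKED_DOMAINS:
        return SINKHOLE_IP, True
    return upstream.get(normalize(name)), False


def hosts_file_lines():
    """The per-machine version of the same idea (the post's 'bonus info')."""
    return [f"{SINKHOLE_IP} {d}" for d in sorted(BLOCKED_DOMAINS)]


def proxy_allows(name):
    """Touch #4, forward proxy with domain filtering."""
    return normalize(name) not in BLOCKED_DOMAINS


def router_forwards(ip):
    """Touch #3 / #6, null route or firewall deny on the destination network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NULL_ROUTES)


def evaluate(log_line, upstream=UPSTREAM_DNS):
    """Parse 'src_ip dst_name' and return which layers would have stopped the
    connection. Each layer is judged on its own so the result shows how much
    redundancy the network had. Empty list: the traffic gets out."""
    src, dst = log_line.split()
    real_ip = upstream.get(normalize(dst))
    stopped_by = []
    if dns_resolve(dst, upstream)[1]:
        stopped_by.append("dns-sinkhole")
    if not proxy_allows(dst):
        stopped_by.append("proxy-filter")
    if real_ip is not None and not router_forwards(real_ip):
        stopped_by.append("null-route")
    return {"src": src, "dst": dst, "ip": real_ip, "stopped_by": stopped_by}


# Constructed connection log: the command-and-control call-out and an ordinary one.
CONNECTION_LOG = ["10.1.20.55 mincesur.com", "10.1.20.55 www.example.net"]

if __name__ == "__main__":
    for line in CONNECTION_LOG:
        r = evaluate(line)
        print(r["dst"], "->", r["ip"], "stopped by:", ", ".join(r["stopped_by"]) or "nothing")
```

The point of judging each layer independently is the one the post is making: a single feed of known-bad domains and addresses, pushed to DNS, the proxy and the edge router, gives three separate chances to catch the call-out, and RSA's network took none of them.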

Is it time to re-prioritize?

With so many chances to block this from happening, how is it that a company like RSA, which sells security products, is not better protecting itself from threats? I'm sure they have made changes as a result, but for a company with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site. Don't you?

Is it time to push information security higher up the priority list?

Image credit br1dotcom, creative commons.
