Mark. Sucker. Victim. Yeah, that’s you viewed through the monitor of a cybercrook sitting somewhere in A-holevania or Trashcanistan.
Call us cynical or hard-edged, but we frankly believe that the world is filled with hustlers, grifters, and crooks out to bamboozle us at every turn.
Those suspicions are doubled for our digital lives. For no longer do bunko artists need to trick you into buying that iPad box with a brick in it. Today, they can rip you off by auto pilot. With the deadliness and stealth of a UAV, these scumbags can steal your banking credentials, clone your debit card, or infect your computer.
Scared yet? Good. Fear is one of best motivators to getting people off of their lazy butts. It’s not all about fear, though. It’s also about information. Knowledge that can empower you and help you mount an effective defense against the multipronged attacks we all face today. Do you know how to thoroughly fortify your PC and network against enemy infiltration? How about your smartphone? Can you spot an ATM skimmer? What other potential threats should you be aware of? We’ll give you all of the deets, along with the opinions of two security experts.
Don’t worry about being too paranoid. From what we learned in the course of writing this story, there’s really no such thing as being overly vigilant when it comes to your digital security.
Installing strong, up-to-date security software is a given. But it takes much more than that to defend the epicenter of your digital life.
Could real people actually be as clueless as some of those characters we see in movies? Sadly, you need no more evidence of that cliché than the average computer user. Even though he or she knows that an OS update is as critical as, say, nailing boards over your windows in a zombie apocalypse, many choose to ignore the updates until something crawls in and eats their brains.
The most basic security step PC users should take—regardless of OS—is to install the latest updates. Yes, we know, it can be teeth-gritting—especially when the updates are larger than the original OS—but it’s necessary for patching holes being used by attackers to squeeze into your PC. \
Windows XP was a great operating system but it’s now pushing 10 years old and it’s a popular target for attacks. Why? It’s not as secure as its replacements. It’s also where the money is—literally—with 51 percent of computers on the planet running it. Many attacks specifically target XP and ignore Windows Vista and Windows 7 completely. Unless you like to wrench on your OS all day, we recommend that you give XP the retirement it has earned.
Even Microsoft haters have to admit the company has done an admirable job patching its operating systems in a reasonable amount of time. Because of this, many of the weak spots on a PC aren’t even the OS anymore, but rather the third-party applications. While Microsoft will patch its own products in Windows Update, it doesn’t do squat about anything else. With literally dozens of apps to check for updates every week, you can see where the problem lies. That’s why we run Secunia’s PSI Scanner ( www.secunia.com ). The free app runs in the background and checks your installed apps and plugins for available updates and then gives you a link of where to download the patch. The latest beta version will actually install some of the updates for you. The company also offers an online scanner but we don’t recommend it because it runs in Java.
Secunia’s free PSI app will monitor the dozens of applications installed on your machine for available security patches.
Start by disabling Acrobat/Reader in your browser. In Firefox, go to Tools, then Add-ons, then Plugins, and disable the Acrobat plugin. While you’re there, you should also probably disable QuickTime, Java, and even the DivX Web Player if you want to be extra cautious.
Disabling plugins for Acrobat, QuickTime, and other media players can mitigate some of the damage from new zero-day exploits.
To disable these plugins in Chrome, go to Options, Under the Hood, Content Settings, Plugins, and select “Disable individual plugins.”
For QuickTime, start the player, dig into Edit, Preferences, QuickTime Preferences, Browser, and uncheck “Play movies automatically.”
To mitigate the damages from Adobe Flash, consider running the FlashBlock extension in Firefox and Chrome. This will prevent Flash from being displayed on a page. In its place will be a place holder that, when clicked, will play the Flash content.
Since the vast majority of attacks are coming from the browser, one of the safest ways to surf the web is from a virtualized browser or a virtual machine. Dell offers its free KACE browser ( www.kace.com ), which virtualizes Firefox 3.6 along with Adobe Reader and Flash. Malware that exploits holes in Firefox, Reader, or Flash would be contained within the virtual machine. The bad news? If you do get an infection and need to flush the virtual Firefox, you lose all of your settings. That includes the numerous updates to Firefox that come out seemingly every month and any bookmarks and plugins you installed. An alternative is to build a virtual machine using either Virtual PC 2007 ( www.microsoft.com ) or VM Ware Player ( www.vmware.com ). Both are free, and both Microsoft and VM Ware offer free images that include browsers. Microsoft offers Vista and XP with IE8 installed and VM Ware offers Ubuntu with Firefox installed. Of the three options, VM Ware’s is the most solid but folks not used to Linux might be thrown for a loop. Microsoft’s images time out after three months, so you’ll have to download it again.
Do you really know if that file is truly untainted? Many malware writers are specifically crafting wares to avoid detection by antivirus suites. If you have a file that you need to run, we recommend that you incubate it for a few days or a few weeks if possible. This gives security software a chance to catch up to any new exploit. We then recommend that you get a second opinion from Virustotal.com . This website lets you upload a file to be scanned by two dozen AV engines. Just remember that malware writers are also using tools such as Virustotal.com to see if their wares can pass muster, so long incubations are key.
Shortened URLs can conveniently turn unwieldy web address into bite-size morsels, but they can also disguise a link to a malware-ridden site. Though many of the URL shortening services check for malicious websites, it’s usually better to verify a shortened URL’s destination. For that, we use Longurlplease.com . It supports 81 shortening services. As for cryptic shortened URLs, visit Virustotal.com to have the address checked by six URL analysis engines.
Although many URL shortening services claim to scan for malware, it’s probably best to lengthen those URLs before you click on them, using Longurlplease.com.
Running as an administrator in a Windows OS is a bit like giving someone the right to walk into your home and rummage through every nook and cranny. One easy way to avoid or greatly limit damage from malware is to always run with standard user rights. As with all things, this is no guarantee against harm. Some malware, even when executed in a standard user account, can grant itself administrator privileges and still run rampant through your PC, but running as a standard user minimizes risk.
Running in standard user mode in a Windows OS has proven to be useful in beating back malware attacks.
That Windows is the number one target for cybercrime and mischief is not news to any of us—naturally, owning 95 percent of the market makes it an obvious target. That’s why we agree with security journalist Brian Krebs ( http://krebsonsecurity.com ) that members of the most at-risk group should do online banking with a Linux Live CD. You can do your gaming and other Windows-based computing booted from your hard drive. But once you have to go into secure mode, whip out your Live CD and boot to it. Numerous Linux builds are available, but the most popular, and among the easiest, is Ubuntu.
So, you’ve created this incredibly secure moat, ringed with razor wire, claymores, and mines. And then you let your 14-year-old nephew play some Flash games or “check email.” Right. The best solution is to have visitors use a separate, secured guest PC. But if they must use your machine, make sure you have the guest account activated. Another option is to have them use a virtual machine. Once they’re done, simply shut down the VM and erase any trace of their activities. Or have them use your HTPC, where they’re working in the open instead of being left alone in your office.
Kensington’s new ClickSafe key lock makes it an easy one-step process to secure your laptop from snatch-and-grabs.
Obviously, all the same security risks and safety recommendations that apply to your desktop computer also apply to your laptop. But your laptop carries the added risk of being stolen. And let’s face it: If you haven’t encrypted all your sensitive data or been diligent about backups, the loss of your laptop could be mighty painful. One way to prevent the potentially dire consequences is to use a laptop lock.
The vast majority of notebooks have a slot to accommodate a physical locking mechanism—it’s usually designated by a padlock icon. The lock itself is attached to a reinforced cable which cannot be easily cut without the aid of a large and very noticeable set of bolt cutters. The cable is either bolted to the floor—in your office at work, for instance—or looped around a substantial or immovable object. Kensington is one of the biggest names in cable-lock makers, and offers both combination and key locks, priced at $25 and $50, respectively.
You think you’re immune to harm because you don’t go to piracy or porn sites, right? But putting all your faith in Goody Two Shoes browsing is like whistling past a graveyard. Like commercial fishermen, crooks are casting bigger nets to catch as many fish as possible. Here’s how they do it.
2. The crooks then hack into an advertising server or a web page to place the code. In some cases, the crooks masquerade as legit advertisers and buy time on mainstream websites. These ads, in turn, are actually hosted by the crooks’ servers to keep the company running the ads from knowing they’re tainted.
4. The trojan then contacts another server that is controlled by the crooks and receives instructions on what to do.
Keep your digital bits out of the hands of baddies.
If the crooks can’t convince you to visit their phony-baloney banking webpage, the next step is to get you there against your will. One way to do that is to poison the DNS cache you’re using. The DNS server translates URLs into IP addresses. By exploiting flaws in the DNS software, crooks are able to redirect you to any sight of their choice—even if you typed in the correct URL of your bank.
Bypass your ISP’s DNS for one that’s likely faster and more secure, Google DNS.
To avoid this, we recommend switching from your ISP’s DNS to Google’s public DNS ( http://bit.ly/7Ti5tM ). It’s free and the company has implemented many of the recommended safeguards against cache poisoning. To change the DNS on your client PC, go to Network Connections, right-click on your connection, and double-click Internet Protocol. Then simply enter the preferred DNS of 188.8.131.52 and alternate of 184.108.40.206 and click OK.
You want a simple reason not to check your personal email at work? Someone in your network could be using a so-called “man in the middle” attack to spy on you. Whether by exploiting ARP cache poisoning, session hijacking, or some other technique, MITM attacks let a crook steal the credentials issued to your machine and then fool, say, Yahoo or Gmail into thinking he’s you.
At work, with hundreds of computers and a network that stretches the coasts, you really wouldn’t know where the MITM attack is coming from. This risk negates the possibility that your corporate network is more secure than your home network. So, assuming you have secured your home Wi-Fi (or don’t use wireless) and that the other machines on your home LAN are secure, save your personal email and banking for home.
Quick, what’s the most secure wireless available today? None. OK, we jest, but probably no wireless protocol is 100 percent secure. But just because there’s a theoretical way to break the latest wireless encryptions doesn’t mean you should be using the weakest form. The weakest, of course, is WEP. Easily broken in under a minute by anyone capable of reading an Internet how-to, WEP is far less secure than WPA or WPA2. If you’re running WEP because some old hardware doesn’t support WPA2, consider junking the old equipment or upgrading your router to one that supports guest networks. This lets you keep your internal network behind WPA2, while keeping guests roped off with the weaker WEP protocol to access the Internet. If you’re running WPA2, the adage in security circles is that the longer and more randomized the key, the better.
Although not a guarantee, you can also set up your router’s wireless to only accept connections from known MAC addresses. These are the unique IDs assigned to each computer’s network card. The hole there is that an intruder could easily spoof a MAC address from a trusted client to still access your wireless network.
You can check what files are shared on a machine by right-clicking My Computer, selecting Manage, and clicking Shared Folders. Great, now how do you do it for all of the machines on your network? One way is to use NetBrute Scanner ( www.rawlogic.com ). This free utility will scan your internal network and report on shared resources that are available.
If a neighbor has broken into your network so he or she could download movie torrents, how would you know? Since most home networks use DHCP, go into your browser’s setup screen and check the DHCP screen to see how many IP addresses are assigned. Then, try to match those up with the systems on your network. If you have more IP addresses assigned than devices (remember that your smartphone will eat an IP address if it’s using Wi-Fi), you may have an intruder. Another option is to use RogueScanner ( www.paglo.com ), a free tool that will query devices on your network and compare them to an online database of devices to help you identify the machines.
Running an internal port scan may help reveal intruders freeloading on your network’s bandwidth.
So what do you do if you have an intruder or suspect one? Since the person has likely infiltrated your network via wireless, you’ll want to lock down your wireless by switching to WPA2 and using a very long and very random key.
It's a lot smaller than your desktop PC, but the risks are just as big.
Currently, the number one threat to smartphone users is having the device end up in the wrong hands, through theft or loss. Your first line of defense, therefore, is constant vigilance regarding your smartphone’s whereabouts.
Should your phone get lost or stolen, a good first layer of protection is a password, an option many phone users neglect. Choose the strongest password option available—a passphrase, for instance, rather than a four-digit code or swipe pattern. Encryption options vary among mobile OSes, but when possible, you should encrypt your storage card as well as your device memory.
Just as with a PC, backing up your smartphone is important. Regularly synching the device to a linked computer will do the trick. It’s insurance against the loss of your phone, corruption of your OS, or any other event that jeopardizes your data.
The surest way to guard your sensitive data is to keep it off your smartphone altogether. Minimize the number and/or days of emails you store on your phone, or better yet, save email and attachments to a server. Make it a habit to regularly move or delete anything you wouldn’t want to share with strangers.
An abundance of apps is both a blessing and a curse for smartphones—there is no way every app that makes it to market can be thoroughly vetted for 100 percent fail-safe security. By selecting reputable apps, backed by favorable user reviews, from a trusted source, you can diminish the risks. Avoid apps with scant reviews or that have only recently been uploaded. Also be cautious when granting an app permissions; consider the app’s function and what it might reasonably need access to.
Make sure you are running the latest versions of your apps, OS, and phone manufacturer software and firmware. This will ensure that any security holes are patched and your device is less vulnerable to hacks.
Unsecured wireless networks can be used by hackers to either attack your phone or steal information from it. You can protect yourself by keeping Wi-Fi and Bluetooth off when you don’t need them. When wireless is needed, stick to known Wi-Fi networks using WPA2 and beware of public networks, which are sometimes set up by crooks to snare people’s data.
When using Bluetooth, make sure it’s in non-discoverable mode to avoid hacks like “Bluesnarfing” (stealing data), “Bluejacking” (sending unsolicited messages), and “Bluebugging” (listening in on your calls).
You’ve long been warned about the risks of opening strange links and attachments—particularly those arriving in unsolicited emails or text messages. All those same warnings apply to smartphones. And those warnings also apply to calling unfamiliar phone numbers received in messages, and clicking links for app “updates.” You can ensure the authenticity of an update by going to the app’s website.
Currently, smartphone malware infections are rare—nothing like what you see with PCs. But as proliferation of the devices grow, expect viruses, worms, and trojans to become more of an issue. To combat these threats, you need third-party software, and if you’re like the majority of smartphone users, you don’t have it. But even if malware isn’t a pressing problem at the moment, a security app can offer other useful benefits, such as browsing protection, telephone and text-message spam blocking, and theft-protection features like locking down, wiping, or even locating a stolen phone.
You can find mobile security apps by many of the big names in PC protection. Independent security testing lab AV Comparatives ( www.av-comparatives.org ) recently evaluated mobile apps from ESET, F-Secure, Kaspersky, and Trend Micro and gave them all “Approved” designations. See the full report at http://bit.ly/cGRySZ .
In today’s connected landscape where we enjoy Internet access not only from our desktops and notebooks, but also from our smartphones, tablets, and even our portable media players, it’s easy to see why free-to-use webmail has become so popular. Most webmail accounts now offer several gigabytes of storage space, effectively turning us into digital pack rats.
Everything you choose to save—from sensitive email exchanges to confidential attachments—is not only accessible to you, but anyone who manages to figure out your password, whether by brute force dictionary attacks or by answering a series of weak security questions. And it’s not just your email history that’s in danger; an unsecure webmail account opens the door to other security breaches, like using your email account to send spam and spread viruses. Here are some ways you can avoid becoming just another statistic.
Your webmail account is only as secure as your password, so use a strong one. The best way to do this is to use a combination of letters, numbers, and even symbols if your webmail provider allows. Avoid using real words at all costs, as these are easily cracked by any teenage hacker using a brute force dictionary script. For particularly sensitive accounts, use a random password generator ( http://bit.ly/bf9oB2 ).
The key to your house doesn’t unlock your car door, nor does it work with your safety deposit box. If it did, you’d be three feet deep in dung if it ever fell into the wrong hands, and the same concept applies to your digital accounts. In practice, most people tend to use the same password for various accounts, and that’s a rookie mistake. Use a different password for your email than you do your bank account, forum login, and whatever else you do online. If you have trouble keeping track of them all, store your passwords in a virtual safe, like KeePass (free, http://keepass.info ).
It might be slightly inconvenient to log out of your webmail and clear your browser cache, but if your notebook ends up lost or stolen, you’ll be glad you did. And if there are others around, log out and close your browser before heading off for a bathroom break.
Answering security questions can save your bacon if you forget your login credentials, but keep in mind that anyone who knows you well can probably guess the correct answer(s). Only rely on these if the questions are particularly personal in nature, or if you’re allowed to create your own that are not easily guessable. And, for God’s sake, don’t publish that information in your Facebook profile. There’s no point in having a security question of what city where you born in, or what your pet’s name is if your public profile gives the answer away.
There have been many zero-day vulnerabilities disclosed (and exploited) in 2010 based on PDF/Flash. These exploits have pioneered new attacks that bypass enhanced security measures such as address space layout randomization (ASLR) and data execution prevention (DEP). Due to the ubiquity of PDF/Flash technology, attackers use these vulnerabilities as a favorite way to infect machines. Oftentimes, end users think they cannot become infected through document/media files (only executables); this mentality needs to change quickly, because these vulnerabilities now present a very real and serious threat.
Once a machine is infected, there is another threat vector that exists—a botnet’s command and control (C&C) channel. Every botnet needs to phone home in order to receive commands and send stolen data. We see this as a potent threat vector, since if this channel is blocked, no instructions can be carried out, and no stolen information can be sent. There are lots of innovative ways that botnets try to discretely access C&C channels, but the most prevalent way remains HTTP, and, as a result, we deem the HTTP protocol itself a nasty threat vector. Most botnets will simply use RFC-compliant HTTP POST/GET commands; however, some will encrypt the payload to avoid detection.
Persistent and nonpersistent XSS holes exist because of development oversights when implementing websites. Because they have existed for a while, and continue to be a problem, it is important to underscore the necessity of safe development practices to mitigate these threats.
USB drives are actually one of, if not the most, common ways you can infect a network from inside a firewall. There are several reasons for this: They’re cheap, small, hold a lot of data, and can be used among multiple computer types. The ubiquity of thumb drives has driven hackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connecting with a live USB port. What’s worse is that default operating system configurations typically allow most programs (including malicious ones) to run automatically.
Derek Manky is project manager and cyber security and threat researcher at Fortinet’s Fortiguard Labs, and author of Fortinet’s monthly Threat Landscape Report.
Smartphones such as BlackBerrys, iPhones, and Droids have become the go-to devices for email, text messaging, shopping, and online banking, and the attackers have taken notice. There have been some limited, narrowly focused attacks already, but this will increase significantly in the near future.
We’ve already seen a few malicious apps that have made their way into the various smartphone app stores, including iTunes and the Android Market. This is incredibly fertile ground for the bad guys, who are interested in compromising as many devices as possible and being as quiet about it as they can. A trojan disguised as a game or an online banking app is a quick way to do just that.
Pre-infected Hardware Devices
There have been a number of examples of USB keys, mobile phones, and even digital photo frames being infected with malware before they leave the factory. Expect to see more of this, including malware pre-installed on laptop hard drives, in the years ahead, because a small payment for every device infected is an easy way for a low-paid factory worker to make a lot of money quickly.
As the Mac platform’s popularity continues to grow, attackers will focus more and more of their attention on it. Expect to see more malware specifically designed to compromise Macs and iPhones as attackers begin to figure out useful attack vectors.
Highly Targeted Phishing
Mass phishing attacks are inefficient and attackers have turned their attention to highly targeted attacks, perhaps against a handful of key employees in a given organization who have access to valuable data. Emails that appear to come from a trusted customer, partner, or colleague and contain malicious PDFs or Excel spreadsheets have been a very successful vector and will continue to spread, especially among sophisticated attack crews with time and resources for reconnaissance.
Dennis Fisher is a security evangelist for Kaspersky Lab Americas.
ATM skimming gets a lot of headlines but it’s hard to say how much damage it’s actually doing. The Secret Service tallies skimming in the “financial crimes” column, which hasn’t moved much. In 2008, all financial crimes totaled $442 million. In 2009, the crimes totaled $443 million. While the chances of you getting skimmed are actually slim, that doesn’t mean you should be blind to it.
Skimmers literally skim your debit card’s data and PIN code when you use an ATM. The crooks accomplish this by placing incredibly detailed facades over an actual ATM. As you slide your card into the ATM, a mag reader in the device reads the magnetic stripe. These mag readers are incredibly small and usually designed to replicate the look of a normal mag reader interface. Then, either a pinhole camera or a faux keyboard laid over the actual ATM’s keypad records your PIN entry.
ATM skimmers, like this one from an Australian bank, are designed to hide in plain sight. Often times, a second device will record your PIN code being entered into the ATM, too.
The devices are usually installed in the middle of the night. After a few days, or sometimes a few hours, the crooks remove the device and collect the information. More advanced devices include Bluetooth radios so the crooks can download the stolen information remotely.
Scary? Yes. But there are a few steps you can take as a precaution.
Try to use ATMs that you are familiar with. This way, you’re more likely to catch any tell-tale signs that something is amiss. If the ATM you have been using suddenly has a new or secondary safety mirror placed about the keyboard or a new pamphlet holder, take a closer look at the items or try to rock them to see if they will come off. Crooks will often place their surveillance cameras in these objects to capture you entering your PIN code.
Before you put your card in the ATM, try yanking or nudging the card reader. Skimmers are usually held on with double-stick tape or magnets and will easily be moved.
When you enter your PIN code, cover the keyboard as though you were protecting your hole card in a tough poker game.
Beware of people trying to “help” you with your ATM card and those who hover too closely while you enter your PIN code.
Crooks will occasionally pose as the police and call skimmer or pick-pocket victims and ask for the PIN code to the card.
Closely monitor your bank statements and immediately report suspicious activity to your bank.
What’s scarier than an ATM skimmer? To us, it’s the gas skimmer. Crooks are beginning to crack open gas pumps where they can install Bluetooth-enabled skimmer equipment. Unlike ATMs, which are alarmed and closely monitored by the banks, gas pumps are far less secure. Since the equipment is inline and sniffs the data coming from the keyboard on the gas pump, there are no external signs to look for as there are with ATMs. Crooks can leave the equipment in place for far longer than an ATM skimmer and can simply download the information via Bluetooth while parked in a nearby vehicle.
There isn’t much to be done in this case, but there are a few steps you should take. Crooks are likely to tamper with pumps farther away from the cashier’s booth where a surveillance camera is unlikely to catch them in the act. Using your debit card in credit card mode will only require you to enter your zip code, not your PIN code, so they won’t be able to easily clone your card and use it at the ATM to withdraw or transfer funds. The third option is to just use cash or use your card inside the gas station. Just make sure you lock your car when you go inside.
What do you do if you find a USB key in the parking lot at work? You take it to the office and insert it in your work machine to see if you can find embarrassing pictures of a coworker. Instead, you’ve just been hacked with malware specifically targeted at the machines in your company. That had been just a proof-of-concept until the appearance of the Stuxnet worm, which targeted Iranian nuclear power plants in this manner. Although the worm is likely the work of a foreign intelligence agency, USB-based hacks emulating Stuxnet are expected. Even before Stuxnet, worms that spread by USB key have long been around. The fix is easy: Don’t put that key in your machine. Also, consider disabling AutoRun on your machine. One way to easily do that is with the free app Panda USB and AutoRunVaccine ( http://bit.ly/9XClno ).
Disabling AutoRun in your OS can help prevent the spread of some USB-based malware.