According to a recent security study, low assurance digital certificates have become a new gateway for hackers to get to your personal data, by means of a man-in-the-middle (MITM) attack.
The MITM attack consists of a hacker putting themselves between two parties in a dialogue, such as a person and their bank. Once in place, they effectively control the conversation to get login credentials or other, far more valuable information.
Generally, untrustworthy certificates will be halted by error messages or warnings that throw up red flags for potential problems, at least to the more internet-savvy. However, more crafty hackers will often add a legitimately issued certificate to the mix, making even the most secure browsers continue on their merry way, as if nothing has happened.
So how can you keep yourself safe online? Well, at time of press there isn’t any kind of listed fix, but just watch yourself and your information. Acting supremely paranoid can’t hurt, can it?
Since 2002, CastleCops has been among the leading antimalware research websites, offering a Wiki, blog, malware removal and prevention tips, and much more. CastleCops founder Paul Laudanski went to work for Microsoft's Live Consumer Services team in mid-May of this year, and CastleCops, which was volunteer-driven, did not survive the transition. CastleCops' last day on duty was December 23, as the farewell message relates:
You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.
With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.
We thank everyone in creating our unique footprint and memories in time.
Love, Best Wishes and Happy Holidays, CastleCops PST 23 Dec 2008
If you've depended upon CastleCops' databases and forums as a resource for fighting malware, now what? Join us after the jump for new resources, and for your chance to suggest your favorite anti-malware websites and tools.
Terry Childs, who locked down San Francisco's FiberWan system last summer, will get his day in court on January 13, exactly six months since he went into the slammer for allegedly hijacking the network he designed and maintained. $5 million bail stands between Childs and a 'get out of jail' card until trial.
After an eight-day preliminary hearing, Superior Court Judge Paul Alvarado ruled Wednesday that prosecutors had produced enough evidence of Terry Childs' probable guilt to hold him for trial on four felony charges of tampering with a computer network, denying other authorized users access to the network and causing more than $200,000 in losses.
How much more than $200,000? According to prosecutors, the city claims it spent almost $1.5 million in "attempts to regain control of the network and assess its vulnerability to intrusions."
Childs' attorney claims her client was trying to protect the network from other employees:
Mr. Childs had good reason to be protective of the password. His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system.
The case made our 250 Most Important Tech Products, Events, and People of 2008 list at number 232. Stay tuned to MaximumPC.com for further updates.
If you've purchased a digital photo frame from Amazon recently, it's in your best interest to pay attention to any emails originating from Amazon Customer Service. That's because the online e-tailer has been warning its customers that one of Samsung's digital frames, specifically its SPF-85H 8-inch unit, ships with a little something extra.
"We have recently learned that Samsung has issued an alert affecting its SPF-85H 8-Inch Digital Photo Frame," Amazon writes. "The alert concerns discovery of the W32.Sality.AE worm on the installation disc SAMSUNG FRAME MANAGER XP VERSION 1.08, which is needed for using the SPF-85H as a USB monitor."
Vista owners and those running a different Frame Manager version aren't affected by the worm, Samsung says. For those that are affected, Samsung advises removing the worm using Norton Internet Security 2009, uninstalling Frame Manager 1.08, and then updating to Frame Manager XP 1.082.
This isn't the first time malware has made its way onto digital picture frames. Earlier in the year, some Insignia units sold at Best Buy were found to contain a Trojan Horse payload, with reports claiming several other vendors, such as Sam's Club, Target, and Costco, were also selling infected digital frames.
Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,
The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.
So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.
Have you been victimized by an XSS error? Join us after the jump and sound off.
"In our world of customized online services, responsible use of data is critical to establishing and maintaining user trust," said Anne Toth, Yahoo!'s Vice President of Policy and Head of Privacy. "We know that our users expect relevant and compelling content and advertising when they visit Yahoo!, but they also want assurances that we are focused on protecting their privacy."
The new limit puts Yahoo well ahead of its competition. Earlier this year, Google reduced its data retention time frame from 18 months to nine months, and Microsoft vowed to cut its data retention policy to six months if its rivals did the same.
Yahoo will begin implementing the new policy next month and says it will be effective across all of the company's services by the middle of 2010.
Could it be possible that legitimate email messages only account for 10 percent of all email? According to the Cisco 2008 Annual Security Report, the answer is 'yes.' The report claims that nearly 200 billion pieces of spam are sent and received every day, accounting for 90 percent of the world's email. Making the influx of spam messages possible are armies of hijacked computers, Cisco says.
"Every year we see threats evolve as criminals discover new ways to exploit people, networks, and the internet," said Cisco chief security researcher Patrick Peterson. "The botnet is, in many cases, ground-zero for online criminal threats."
Cisco points to the United States as by far the biggest source of spam, accounting for 17.2 percent of the messages. Turkey came in second at 9.2 percent, and Russia ranked third accounting for 8 percent.
What's most striking is that spam volumes have nearly doubled in 2008 compared to 2007. This despite a handful of recent busts by the FTC on various spam rings, which appear to have done nothing when looking at the overall picture. And because spammers "rarely use computers in their physical possession, instead renting or building botnets," the FTC will continue to fight an uphill battle until security improves across the board. Don't hold your breath.
Once again, Internet Explorer (aka "Internet Exploder") has been attacked through a "zero-day" remote code execution vulnerability. That might not seem like MaximumPC.com-worthy news, except for two factors: the flaw is affecting thousands of websites, and this time, it isn't just Firefox fans who are saying "time to switch browsers, already!" - security experts at Trend Micro, the Spamhaus Project, and the UK's PC Pro magazine are all recommending making a switch, according to the BBC. And here's why:
The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.
Switching Browsers? Choices Abound!
Attacks against IE7 have been verified, but all versions of IE (including IE 8 Beta 2) have the same underlying vulnerability; a vulnerability not present in IE's competitors (Firefox, Opera, Chrome, and Safari). Switching browsers makes sense for most web surfing, but, alas, some websites and (of course) Windows Update and Microsoft Update for Windows XP won't work with anything but IE.
Redmond Readies Security Update
Since the vulnerability was detected on December 10th, Microsoft code jockeys have been working hard to patch the flaw (Redmond doesn't want you to switch, naturally, and given the way that IE and Windows work together, a broken IE isn't good for anybody), and a patch will be available tomorrow (December 17th) for all versions of IE from 5.01 up, applying to all versions of Windows and Windows Server from Windows 2000 on up. It's rare for Microsoft to perform a security update between Patch Tuesdays, but when a "Critical" vulnerability (the most dangerous category of vulnerability) is discovered, there's no time to waste.
If you must use IE and you're looking for workarounds until you can get the update, join us after the jump for details.
Earlier this year, researchers for Finjan, a web security firm, said that stolen bank data had become "commoditized," with items like PIN codes and credit card information fetching only a fraction of what they used to pull in. Now Finjan warns of an impending "sharp rise [in cybercrime] in 2009 due to the current economic downturn, which makes financial gain from stealing data and selling online even more attractive."
Finjan's report (PDF) notes that cybercrime has evolved into a "booming global business" in 2008, and points out an early trend of unemployed IT personnel boosting their income by using crimeware toolkits sold by professional hackers. Finjan says the trend is only the beginning and that as layoffs rise in 2009, so too will cybercrime, in both the number of attacks and their severity.
But not everyone is convinced of Finjan's gloom-and-doom future. ArsTechnica points out that Finjan's sources are up for interpretation, including a November 19 Forbes article cited in the PDF report. According to ArsTechnica, the Forbes article "doesn't really provide a solid foundation for Finjan's statement. While the piece does take note of various trends, occurrences, and vibrations in the malware market, the author notes that the data 'remains largely anecdotal.'"
Are we on the verge of a major cybercrime spike? Hit the jump and post your predictions.