ESET Threat Blog

January 5th, 2009

If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP

January 5th, 2009

Update: Graham Cluley’s new blog post suggests that so far, at least some of the phishes here have been used for old style defacement purposes rather than out-and-out fraud. I suspect, though, that now this latest phishing genie is out of the bottle, there will be fraud…

In deference to all those old enough to get a panic attack when reminded of how bad pop music was capable of being in the 1970s, I’ll try to overcome the urge to mention "Chirpy Chirpy Tweet Tweet".

Anyway, to business. Having all the blogs I can handle already, I’ve avoided the Twitter microblogging tool so far, but my curiosity has been piqued over the past few days by references to Twitter phishing. Inevitably, the issue has become higher profile because of the confession by Stephen Fry (the UK actor/writer/presenter etc. recently seen criss-crossing the USA in, for some reason that escaped me, a London taxi) that he responded to a phish by clicking on a link sent to him in a DM (Direct Mail).

"Lawks. Hope I haven’t been phished for all my details. Clicked on scam URL last night before I knew what it was. Eeek. x"

So does this tell us anything really useful?

It certainly tells us that even celebrities-with-a-brain can be duped by social engineering. Actually, quite basic social engineering. The scams in question have, so far, been along the lines of:

  • "Hey, look at this funny blog"
  • "Click here to win an iPhone"

(I’m desperately trying to avoid making any uncalled-for comment about Jeremy Clarkson and celebrity brain power here.)

Meanwhile, back at the plot… This sort of "click here" social engineering is something most of us are inured to after many years of seeing similar stings in email, IM etc. In fact I specifically mentioned it a couple of days ago here. But context is important. If it wasn’t for the fact that many legitimate organizations are so careless about sending out messages that are barely distinguishable from phish messages, the phish problem would be much less significant. Besides, anyone might drop their guard from time to time.

Michael Miller, in a recent book called "Is it Safe?" (not a bad book at all, by the way, as far as I can see from a quick skim: I’ll come back to that in a future blog, maybe) includes a note about how he was fooled by an eBay "fake question" phish. In fact, at the very beginning of the phish explosion, I too nearly logged in to a fake eBay site: like Miller, I’m a natural sceptic (paranoid, even), but it so happened that it took the form of a query about my account and it arrived within hours of my actually opening an eBay account, so the timing was perfect. Fortunately, the fact that it wasn’t in any way personalized tipped me off that it was a fake before I clicked on anything. Twitter has been regarded by its users as a "safe" context, up to now, though of course that simply means that it took the bad guys a while to see its potential.

What potential would that be, you may ask? Frankly, the sky is probably the limit, long term. In the short term, though, there are a couple of immediate possibilities, apart from fairly trivial testing-the-water or teen-hacker doing-it-because-I-can motives.

  • Many people re-use passwords: stealing the password for one fairly trivial account may result in serious exposure elsewhere
  • Stealing access from a celebrity account immediately ups the social engineering potential.

There are definite positives, though, in this event, and this is the one that I found most inspiring. All too often, an organization will react to a security problem with knee-jerk denial or complete silence. Twitter, however, responded with a useful blog. They also, apparently, reported the fake web page and a similar fake Facebook page. It’s always encouraging to find a provider taking some responsibility for abuse of their service rather than blaming the security industry for the fact that we don’t detect all known and unknown puddy cats.

Thanks to Sara for nudging me into looking into this, and also to Graham Cluley and Jack Schofield for their very useful blog posts on the same issue. And now, for the information of those millions of people who are waiting to follow my every movement on Twitter… no, let’s not go there.

David Harley BA CISSP FBCS CITP


January 4th, 2009

Speaking of SANS, the Internet Storm Center has more than once talked about problems with digital photo frames, and at Xmas did so again with reference to the well-publicised Samsung incident.

The San Francisco Chronicle came up with a story a couple of days ago that was even more alarming, and not only in the volume of related incidents they dug up.

You may have noticed that we’re pretty keen here on disabling the Autorun facility in Windows except when you really need it. It appears that Microsoft’s Malware Protection Center may disagree. According to the Chronicle, senior program manager Ziv Mador thinks it’s a bad idea because it’s not simple to do.

(He has a point: it should be easier than it actually is, but surely that’s an issue with the operating system, not a reason to avoid taking a step to improve security?)

His concern, apparently, is that users may get confused. "They’re used to entering a CD (or plugging in a frame) and it loads automatically, and that will not work anymore… The important thing is to have up-to-date antivirus software and keep it turned on. That will mitigate much of the risk."

He’s right, up to a point. Even SANS - not always the antivirus company’s best friend - admits that AV companies are pretty good at keeping on top of threats that use this particular approach to infection. But that doesn’t mean that Autorun is a good idea.

Actually, it is a good idea in principle: it’s the way that it’s been exploited by the bad guys that has ruined it. However, the users of other mainstream operating systems manage quite nicely without it, and Windows users could too, if it wasn’t turned on by default, or was even made a little easier to turn off for people who aren’t security gurus or MCSEs.

In fact, as Randy pointed out in a much earlier blog, not everyone at Microsoft is so protective of Autorun. (Whatever you may hear to the contrary, there are some very sharp people working in security at MS!) Steve Riley points to some ways of mitigating the autorun effect. There’s more Technet info here. Incidentally, the INF/Autorun approach to auto-installation doesn’t work with all removable media, but there have been ingenious attempts to achieve the same thing (legitimately or maliciously) on a variety of types of flash media, sometimes by forcing the media to "lie" to the operating system about what kind of device it is, or using third-party software.

There is also an interesting example of a family of SymbOS Trojans that attempts to install Windows worms if a phone memory card is read on a PC, though I’m not aware of an incident where that infiltration actually worked in real life.
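The INF/Autorun mechanism mentioned above works by Windows reading an autorun.inf file from the root of the inserted media and acting on a handful of keys in its [autorun] section. As an added example (not code from the ESET post or from Microsoft), here is a small inspector that parses such a file and lists every entry that would cause a program to run, either automatically on insertion or when the user picks "Open" or "Explore" from the Explorer menu. The sample file content is constructed for the demonstration and the executable name in it is a placeholder; the "folder icon plus stock wording" heuristic is one common masquerade pattern, not a complete detection rule.

```python
"""Added example (not from the ESET post): parse an autorun.inf the way an
inspection tool would, and list every entry that would make Windows run code
automatically. The sample file content below is constructed."""
import configparser

# Constructed sample: a typical malicious autorun.inf layout, in which the file
# both runs a program directly ("open") and rewires the Explorer context menu so
# that "Open" and "Explore" launch it too. "RECYCLER\setup.exe" is a placeholder.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""

# Keys whose value is a command line that AutoRun/AutoPlay will execute.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys, or {} if absent."""
    # strict=False tolerates the duplicate keys real-world files often contain;
    # interpolation=None keeps '%SystemRoot%' from being treated as a template.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v for k, v in cp.items(section)}
    return {}


def auto_exec_entries(text):
    """List (key, command) pairs that would execute code on insertion or on click."""
    hits = []
    for key, value in parse_autorun(text).items():
        # 'open'/'shellexecute' run on insertion; 'shell\<verb>\command' runs
        # when the user chooses that verb in Explorer's context menu.
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def masquerades_as_folder(text):
    """True when the file borrows a system icon from shell32.dll and the stock
    'Open folder to view files' wording while also carrying an 'open' target,
    so the AutoPlay prompt looks like the ordinary "open folder" choice."""
    entries = parse_autorun(text)
    icon = entries.get("icon", "").lower()
    action = entries.get("action", "").lower()
    return "shell32.dll" in icon and "open folder" in action and bool(entries.get("open"))


if __name__ == "__main__":
    for key, cmd in auto_exec_entries(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {cmd}")
    print("masquerades as folder:", masquerades_as_folder(SAMPLE_AUTORUN_INF))
```

Run against the sample it reports three executable entries and flags the folder masquerade; a benign autorun.inf that only sets an icon and a label produces an empty list, which is the point of comparing the two.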

Here are a couple of other links relating to older stories:

  • http://www.theregister.co.uk/2008/01/25/best_buy_digital_frames_virus/
  • http://www.theregister.co.uk/2008/01/11/malware_digital_devices/
  • http://isc.incidents.org/diary.html?storyid=3892

And this story at Darkreading, though a couple of years old, still makes the point very succinctly.

David Harley BA CISSP FBCS CITP


January 4th, 2009

Don’t disclose sensitive information on public websites like FaceBook or LinkedIn. Even information that in itself is innocuous can be combined with other harmless information and used in social engineering attacks.

Rather than expand on that point, for now, I’m going to point to another "10 ways to protect yourself" resource: the more good advice on security the better, whatever its source.

SANS Institute Security Newsletter for Computer Users Volume 6, Number 1 January 2009, also known as "SANS Ouch!" includes "Ten Do-It-Yourself Computer Security Tips". I don’t always agree with everything that comes out of SANS, but there’s some sound advice there. (But then I would say that: they make some of the same points that we do.)


David Harley BA CISSP FBCS CITP

January 3rd, 2009

Don’t trust unsolicited files or embedded links, even from friends.

It’s easy to spoof email addresses, for instance, so that email appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Basic SMTP (Simple Mail Transfer Protocol) doesn’t validate the sender’s address in the "From" field, though well-secured mail services do often include such functionality.

I remember years ago one of my colleagues at a medical research charity in the UK sent email as a joke using someone else’s address, a trick that’s easily performed using telnet and an unsecured mailserver. On that occasion, I was able to identify the real sender immediately by his IP address (much to his surprise), but the nature of the 21st century Internet means that there are many ways of concealing such information, if you really want to stay hidden. 

It’s also possible for mail to be sent from your account, without your knowledge, by malware, though malware that does this is far rarer than it used to be. It’s far more effective for a spammer to hire the services of a botherder, nowadays.

There are also many ways to disguise a harmful link so that it looks like something quite different, whether it’s in email, chat or whatever. The disguising of malicious links in phishing emails so that they appear to go to a legitimate site has obliged developers to re-engineer browsers to make it easier to spot such spoofing, but too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it’s not always easy to tell a genuine from a fake site just from the URL, even if the URL is rendered correctly. (Early phishing emails tended to rely on exploiting bugs in popular browsers to hide the real target link.) DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under his control.
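Two of the tricks described in this post, a "From" header that SMTP never checked and a link whose visible text points somewhere other than its real target, can both be spotted mechanically once a message has been received. The following is an added example (not code from the ESET post); it parses a constructed sample message with Python’s standard library, compares the domain in the Return-Path recorded by the receiving server with the domain in the From header, and then performs the "hover over the link" check over every anchor in the HTML body. The addresses, domains and IP address in the sample are constructed, and a Return-Path mismatch is a warning sign rather than proof, since mailing lists and bulk senders produce the same pattern legitimately.

```python
"""Added example (not from the ESET post): flag a spoofed-looking From header
and links whose visible text is a URL for a different host than the href.
The sample message below is constructed for the demonstration."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the header From claims bank.example, but the envelope
# sender recorded in Return-Path is a different domain, and the first link shows
# a bank URL as its text while its href goes to an unrelated address.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Customer Service" <support@bank.example>
To: victim@example.org
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://203.0.113.5/login">https://www.bank.example/login</a></p>
<p>Or read our <a href="https://www.bank.example/help">help pages</a>.</p>
</body></html>
"""


def domain_of(addr):
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, addr = parseaddr(addr or "")
    return addr.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """True when the envelope sender (Return-Path) and the header From differ in domain.

    Basic SMTP never validates the From header, so the two can disagree freely;
    a mismatch is a useful warning sign, not a verdict."""
    return domain_of(msg.get("Return-Path")) != domain_of(msg.get("From"))


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def disguised_links(html):
    """Return hrefs whose visible text looks like a URL/hostname for a different host.

    This is the check a reader performs by hovering over a link, done over the
    whole body at once. Link text that is not itself a URL ("help pages") is
    ignored, because it cannot be impersonating a destination."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        if "." not in shown.netloc:
            continue
        if shown.netloc.lower() != urlparse(href).netloc.lower():
            found.append(href)
    return found


def analyse(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender_mismatch": sender_mismatch(msg), "disguised_links": disguised_links(body)}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

For the sample above the result is a sender mismatch plus one disguised link (the login anchor); the "help pages" link passes because its text makes no claim about where it goes. A real mail gateway would add authentication results (SPF, DKIM) to the first check, but the header comparison alone already catches the crude spoofing the post describes.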

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence  

January 2nd, 2009

Welcome to prime-time scam season. This is when the advertisements for taxes in the USA really start to pick up. Granted, they go on all year long, but now is when we traditionally see an increase in volume. There are a variety of such scams.

The worst of the scams are the phishing attacks. If you get an email from the IRS and you did not initiate contact with the IRS, then the email is not really from the IRS. The IRS will never ask you for any information, like your bank account number or credit card information in email. These emails are always scams. Usually the emails say that you owe the IRS money or the IRS owes you money. The idea is to trick you into going to a web site, or sending an email and providing information used to steal from your credit card or bank account. This information may also be used for identity theft.

For virtually everyone, IRS emails are 100% fake. Don’t respond to them and do not follow links in them.

Other scams include fake offers to help with your taxes. These can be as simple as offers to file online to expensive offers to do your taxes for you. If you get an offer to do your taxes for much less than others are charging then it is probably because the person making the offer is going to simply take your money and do nothing at all. Worse yet, they may do it wrong and you are still responsible for any owed taxes and penalties.

Always use a reputable tax preparer. It is a good idea to use someone who is listed with the Better Business Bureau unless you have personal references from people with experience with the tax preparer.

Do your friends and relatives a favor and remind them that emails from the IRS are fake, even if they look legitimate. If there are any questions you can always call the IRS to be sure, but not using a phone number in the email.

I’m sure we will revisit this subject in future blogs. There are still lots of people falling for the scams.

Randy Abrams
Director of Technical Education

January 2nd, 2009

Use different passwords for your computer and on-line services. Also, it’s good practice to change passwords on a regular basis and avoid simple passwords, especially those that are easily guessed.

As Randy pointed out in a recent blog, it’s debatable whether enforced frequent changes of hard-to-remember passwords are always constructive (they can force the user to write down passwords, for example, which may well swap one security problem for another).

However, you should certainly be aware that if some miscreant guesses or cracks one of your passwords, using different passwords for other services and for your system passwords drastically limits the damage that he can do. If, on the other hand, you use the same password for different accounts, you run the risk that one lucky guess will give the cracker the keys to the kingdom. Indeed, it’s likely that one of the reasons that quite trivial accounts are sometimes phished is that they give a cracker a headstart on guessing the password for other, more profitable/plunderable accounts.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

January 1st, 2009

Log on to your computer with an account that doesn’t have “Administrator” privileges, to reduce the likelihood and severity of damage from self-installing malware. Multi-user operating systems (and nowadays, few operating systems assume that a machine will be used by a single user at a single level of privilege) allow you to create an account for everyday use that gives you fewer privileges than are available to an administrator.

Most competent system administrators are familiar with (and adhere to) this “principle of least privilege” – simplistically, the more privileges you have as a user, the more damage you can do – and use a privileged account only when they need it to perform a specific task. Following their lead will give an extra layer of protection. However, as always, you shouldn’t think of this as any sort of Magic Bullet. Apart from the fact that there is no Magic Bullet, some modern operating systems have somewhat diluted the least privilege model, making it rather easy for a user with little knowledge of the security implications of administrative privilege to use it inappropriately, exposing the system to threat.

January 1st, 2009

Further to my post of 25th December about the withdrawal of the CastleCops services, there’s a blog at Darkreading that includes more information, including some quotes from Paul Laudanski, who was, with his wife Robin, the driving force behind the organization: also quotes from our own Randy Abrams, David Ulevitch of PhishTank, and Garth Bruen of KnujOn.

What I, and many others, would like to see, is someone finding a way of redeploying the many volunteers who joined forces under the Castlecops banner. Unfortunately, it would take quite an effort to match the six years of hard work Paul and Robin put into the organization.

Best wishes for the new year to them, and to you.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

December 31st, 2008

Further to Pierre-Marc’s post on the 25th December about the resemblances between Waledac and Storm, I notice that Steven Adair of Shadowserver has been blogging some very nice notes on much the same topic. Well worth a look.

David Harley