Monday, September 8, 2014

2014-09-08 WTKM Talking Points (September 8 2014)



Linksys and Cisco routers unsafe! Updating does NOT help.
Any other router: Turn WPS off (known since 2011)

Cloud Storage: Another example of lost access and no recourse.

For-Pay Windows maintenance tools worthless

“Infectious” USB drives on the horizon. So far only drives with a certain type of controller but that might change.
But they don't tell us what brand controller is affected.


14 antivirus apps have security problems.
After finding basic boo-boos in security software researcher says vendors just don't care.
Avira, BitDefender, ESET and Panda (among others) in “hall of shame”.

The skinny: The more a security app does the bigger the attack surface and the more it slows down the computer.

Why do people create virus programs? MONEY!
CryptoWall alone cashed over six months more than $1.1 million

Did Home Depot get hacked? Whether yes or no,
currently do not use ANY card at any retail stores.

Firefox enhances security with new version 32. Upgrade!

Mac security programs: Only three of 18 very good, a few good. Fuhgetabout the rest.

As usual I welcome suggestions and comments right here in the blog. 
 
Click here for a categorized Table Of Contents.

Monday, September 1, 2014

Details on CryptoWall


This article assumes that you are familiar with my previous article CryptoLocker - Revisited.

Detailed information was released about CryptoWall, one of the CryptoLocker variants.

Between mid-March and late August CryptoWall infected almost 625,000 systems; on these systems it encrypted more than 5.25 billion files.

The US seems to have the most CryptoWall infections: 253,521 (or about 40 percent), followed by Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.

The US likely got targeted more often because CryptoWall got distributed through spam emails sent from the Cutwail botnet, which targets English language computer users.

Researchers collected data directly from CryptoWall's payment server, such as the exact number of paying victims and the amount of payments. Of nearly 625,000 infections over about six months, 1,683 victims (0.27%) paid the ransom, for a total of $1,101,900.

CryptoWall seems to have a home-made problem by accepting payment of ransom by Bitcoin only. Many average computer users will have problems paying with Bitcoin and researchers assume that this is part of the reason that only 0.27% of CryptoWall's victims paid compared to 1.3% of CryptoLocker victims; CryptoLocker allowed payment by MoneyPak as well.

As sad as it is, these numbers clearly show that cyber crime pays.


As usual I welcome suggestions and comments right here in the blog.





Tuesday, August 26, 2014

CryptoLocker - Revisited



In December 2012 I wrote for the first time about the then relatively new virus CryptoLocker.
In October 2013 I wrote again about new variants of this virus. Now I have new information that warrants visiting CryptoLocker again.

This family of viruses is by now one of the most destructive threats I have seen. Much of the news regarding CryptoLocker is rather negative but there is at least a bit of positive news as well.

CryptoLocker has evolved

Very shortly after the original CryptoLocker had appeared the first variant was discovered; on first glance it appeared to be similar to the original version. It almost was a look-alike, the method of infection was the same, the encryption seemed the same and the message on the infected computer's screen was very much like the original's. There were only two obvious differences: The original CryptoLocker demanded $100 for information to decrypt the user's files and it offered two payment methods (MoneyPak or Bitcoin); the “look alike” demanded $300 and accepted Bitcoin only.

Time consuming and detailed analysis uncovered significant internal differences. Specialists found that the second version most likely was written by a different programmer or even programming team. It was written in a different programming language and many other internal differences were discovered as well.

In the meantime we know of at least six other virus programs that work similarly to CryptoLocker. They are called “encrypting ransomware” (in the following ERW); they are actively distributed, modified and improved. Most likely they were created and are being run by different groups of malware creators and distributors. Some names I have run across:
  • CryptoLocker (the original)
  • CryptoLocker 2 (the first imitator referenced above, my naming)
  • Critroni
  • CryptoDefense
  • CryptorBit
  • CryptoWall (see this new article for details)
  • CTB Locker
  • PrisonLocker or PowerLocker
  • TorLocker
The newer versions of ERW viruses have become increasingly sophisticated, hard to detect and difficult to remove.

How these infections spread

Many infections happen when the user attempts to open an e-mail attachment that then in turn launches the ERW. By now almost any file type can be abused in this way; you just can't trust so called “safe” file types any longer.

Over time I have received many emails about supposedly failed deliveries of goods. Some of these emails were made professionally and looked at first glance almost authentic. It made no difference whether the email seemed to be from DHL, FedEx, UPS or the US Postal Service; there always seemed to be some legitimate sounding reason to open the attachment.

In all cases attention to detail and applied common sense protected my computer better than any security program could have done; I simply avoided that one fatal click to open an attachment.
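To make the “safe file type” point concrete, here is a small attachment triage script. It is an added example written for this page, not a tool from the original post, and the extension lists and sample file names in it are constructed for illustration. It mirrors what the failed-delivery lures rely on: Windows hides the last extension of known file types by default, so a name like Tracking_Info.pdf.exe is shown to the user as Tracking_Info.pdf. The classifier therefore looks at every extension in the name, not just the visible one, and flags archives and macro-capable documents for a second look.

```python
import os

# Constructed extension sets for this example (not exhaustive, not from the post).
# Files Windows runs directly on a double-click:
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "lnk"}
# Office formats that can carry macros:
MACRO_EXTS = {"doc", "docm", "dot", "xls", "xlsm", "ppt", "pptm"}
# Containers: the risk is whatever is inside.
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab", "iso"}


def attachment_risk(filename):
    """Classify an e-mail attachment by its name alone.

    Returns (verdict, reason) where verdict is 'block', 'warn' or 'allow'.
    Every extension in the name is examined, because the final one may be
    hidden from the user by Explorer's "hide extensions for known file types".
    """
    name = os.path.basename(filename.strip()).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("warn", "no recognisable extension")
    ext = parts[-1]
    hidden_behind = parts[-2] if len(parts) > 2 else None
    if ext in EXECUTABLE_EXTS:
        if hidden_behind:
            return ("block", f"executable .{ext} disguised as .{hidden_behind}")
        return ("block", f"directly executable .{ext}")
    if ext in ARCHIVE_EXTS:
        return ("warn", f"archive .{ext}; inspect contents before extracting")
    if ext in MACRO_EXTS:
        return ("warn", f"document .{ext} may contain macros")
    return ("allow", f"data file .{ext}")


def triage(filenames):
    """Return {filename: verdict} for a batch of attachment names."""
    return {f: attachment_risk(f)[0] for f in filenames}


# Constructed sample attachment names, modelled on the failed-delivery lures
# described above (not real samples).
SAMPLE_ATTACHMENTS = [
    "DHL_Shipment_Notification.pdf",
    "FedEx_Tracking_ID_992817.pdf.exe",
    "UPS_Invoice.zip",
    "USPS_Label.scr",
    "parcel_details.docm",
    "Delivery Note.txt",
]

if __name__ == "__main__":
    for f in SAMPLE_ATTACHMENTS:
        verdict, reason = attachment_risk(f)
        print(f"{verdict:5}  {f:40}  {reason}")
```

Run as-is it prints one line per sample name; the interesting case is FedEx_Tracking_ID_992817.pdf.exe, which a user with hidden extensions would see as a PDF but which is blocked here as an executable hiding behind .pdf. The script judges names only; it is a cheap first filter, not a replacement for scanning the content.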

Another increasingly often encountered way for ERWs to spread is “drive-by downloads”. They come from compromised websites and compromised web servers. These sophisticated attacks take advantage of known vulnerabilities in almost ubiquitous software like Windows, Adobe Flash, Adobe Reader, Java and so on. Since these vulnerabilities are known there is only very little excuse to get caught by a drive-by download. Getting the computer infected by a drive-by download is very unlikely if the user keeps all software up to date.

Protection?

On the positive side we have to my knowledge three options, some free and some with premium versions for a charge. These programs do not interfere in or conflict with common anti virus or security software. I warn against running any two of these programs concurrently due to the likelihood of conflicts with each other.

1. CryptoPrevent
2. MalwareBytes Anti-Exploit
3. HitmanPro Alert with CryptoGuard

If you are interested in learning more please follow the links.

To make it perfectly clear: I am convinced that the best protection is our own attention to detail, caution and applied common sense. No software in the world can replace our watchfulness!

ERWs on non-Windows computers

To make a bad situation even worse there are reports of ERWs on other, non-Windows platforms like tablets and smart phones with the Android operating system. There was talk about a popular NAS system (Network Attached Storage) being targeted as well. Only Apple systems seem to be not affected, so far at least; as we all know that can change any moment.

A bit of good news

Fairly recently, I believe it was in early August 2014, two software companies announced that they have jointly developed a method to decrypt at least some of the files that were encrypted by the original CryptoLocker. The companies offer their program free of charge to people who still have files encrypted by the original version of CryptoLocker and who want to attempt to recover them.

The companies are FireEye (www.fireeye.com) and Fox-IT (www.fox-it.com). These companies apparently did not crack the encryption, they gained access to some of the command and control servers where some private keys were stored that the original CryptoLocker virus had used.

Much detailed sleuthing, dis-assembling, re-engineering and analysis of the original virus enabled them to write a program called DecryptCryptoLocker that can decrypt affected files when they were encrypted using any of the recovered private keys. At https://www.decryptcryptolocker.com/ you can read how this works. There is a decent chance that this program will recover encrypted files but there is no guarantee. Some obstacles encountered so far that may prevent decryption are:
  • It works only on files encrypted by the original version of CryptoLocker; it may or may not work on files encrypted by later versions of ERW.
  • Nobody knows if the servers accessed by FireEye and Fox-IT contained all private keys CryptoLocker had used.
  • The original CryptoLocker was effectively eliminated late in May, 2014; any later infections will most likely have used different sets of private keys.
Despite these obvious limitations of the procedure FireEye and Fox-IT deserve a lot of credit and big kudos. Anybody who still has files encrypted by the original CryptoLocker should try the procedure and see if it works for them.

My personal conclusion

It is primarily user behavior that protects the computer by always keeping Windows and all other regularly used programs up to date. If all this is accompanied by attention to detail and applied common sense then the computer will most likely remain “healthy” and safe.

In the worst case scenario, that is after your computer got hit by CryptoLocker or a look-alike, having a recent clean backup will be the best medicine against sleepless nights.
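A backup is only medicine if you can tell the clean copy from the damaged one. The following is an added example, written for this page and not part of the original post: it records a SHA-256 hash of every file at backup time and later reports which files changed, disappeared or appeared. An ERW leaves a very recognisable footprint in such a report, namely nearly every document “changed” at once plus a new file or two (the ransom note), which is also the signal to stop and restore rather than keep working. The directory tree and file contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example. It assumes files are backed up by plain copying and that a
# manifest of SHA-256 hashes (built here) is stored alongside the backup.


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 hash."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root, manifest):
    """Compare the tree under root with a manifest taken at backup time.

    Returns {'changed': [...], 'missing': [...], 'new': [...]} with relative
    paths. A burst of 'changed' entries across the whole tree together with
    'new' entries is the footprint an encrypting ransomware leaves: documents
    rewritten with ciphertext, plus a ransom note dropped in each folder.
    """
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Constructed scenario: take a manifest, then simulate ERW damage.

    Returns (report_before_damage, report_after_damage).
    """
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "letter.txt").write_text("Dear Sir, ...")
        (docs / "budget.csv").write_text("item,amount\nrent,900\n")
        (docs / "photos").mkdir()
        (docs / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8constructed")

        manifest = build_manifest(docs)            # taken at backup time
        clean = verify_against_manifest(docs, manifest)

        # Simulated damage: contents overwritten, a note added, a file gone.
        for f in ("letter.txt", "budget.csv"):
            (docs / f).write_bytes(b"\x00garbage\x00")
        (docs / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
        (docs / "photos" / "holiday.jpg").unlink()

        damaged = verify_against_manifest(docs, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In real use you would run build_manifest() over the folders you back up, store the resulting dictionary with the backup (as JSON, for instance), and run verify_against_manifest() before trusting a new backup; if the “changed” list is suddenly most of your documents, restore from the previous clean copy instead of overwriting it.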

As usual I welcome suggestions and comments right here in the blog.


 

Tuesday, August 12, 2014

How to Use Malwarebytes Anti-Malware


In my article 2014 Update On Malicious Programs I promised to write about how to correctly use Malwarebytes Anti-Malware (MBAM). Here it is.

Allow me to repeat the short installation instructions:

MBAM is a time proven product and available in a totally sufficient free version. You have to watch during the original install and when you install a program update. The last window of the installer looks like this:



Please pay attention to the marked entry; its check box is preselected! That means the “trial version” will be activated and after the trial period ends you would have to pay for using the program.

You have to uncheck this check mark.

Eventually the program itself needs to be updated; the installer will run again and again you have to pay attention to this little detail to avoid the for-pay version!

And now to what the title promises.

After you start MBAM you see this window:


I recommend always clicking on Update Now; this is where the cursor points in the screen shot. Let the program work until you see that the database has been updated:


Do you see the check mark by Database Version (see the cursor)?

Then you click on the big green button labeled Scan Now.

The program window will show the progress:


When MBAM finishes scanning it may either show that no traces of malware were detected:

 

Or it shows this window listing encountered traces of malware (a real life example from a customer's computer):


The free version of MBAM does not allow you to select different action(s). Experience has shown that the program's suggested action is appropriate.

My recommendation is to follow MBAM's suggested actions and to click on Apply Actions. When that action has finished you can close MBAM.


As usual I welcome suggestions and comments right here in the blog.

 

Friday, August 8, 2014

2014 Update On Malicious Programs


As far as malicious software is concerned much has changed since I last wrote about it. So here is an updated report on the current situation (summer 2014) and my personal advice on how to stay safe on the Internet. I will talk about
  • Definitions
  • Protective tools for the home user
  • How to avoid these troubles and a
  • Conclusion

Definitions:

Malware: Short for malicious software. It is a general term used to describe all viruses, worms, spyware, and pretty much anything that is specifically designed to cause harm to your PC, steal your information or throw never ending torrents of advertisements at you.

Virus: A program that copies itself and infects a PC, spreading from one file to another, and then from one PC to another when infected files are copied or shared.

Spyware: Any software that collects your information without your knowledge and usually sends that information back to the creator(s) so they can use that personal information in some nefarious way.

Scareware: A relatively new type of attack, where a user is tricked into downloading what appears to be an antivirus application, which then proceeds to tell you that your PC is infected with hundreds of viruses, and can only be cleaned if you pay for a full license. Of course, these scareware applications are nothing more than malware that holds your PC hostage until you pay for the “full” version. In many cases you can't uninstall them and/or they render the PC unusable.

Trojan horses: Applications that look like they are doing something innocuous, but secretly have malicious code that does something else. In many cases, trojans will create a backdoor that allows your PC to be remotely controlled, either directly or as part of a botnet—a network of computers also infected with this trojan and/or other malicious software. The major difference between a virus and a Trojan is that trojans don't replicate themselves—they must be installed by an unwitting user.

A computer worm uses a network to send copies of itself to other PCs, usually utilizing a security hole to travel from one computer to the next, often automatically without user intervention and often via email.

Ransomware usually encrypts your files that then are useless to you and some even “lock” your computer. The software requests an often quite substantial payment for the means to restore your files into usable form – which even after payment sometimes fails. 


Protective tools for the home user

You will always want to run a specialized anti virus program and a specialized on-demand only malware removal tool. I will recommend the only two programs I have learned to trust over the years – and that are easy enough to handle for the home user.

Anti virus: The release of Microsoft Security Essentials has changed the landscape of antivirus software. We finally have a completely free application that protects against viruses, spyware, and other malware without killing system performance like some of the "suites" tend to do. In my extensive personal experience it barely slows down even relatively slow machines and its user interface is the easiest to use of all I know.

Don't only take my word for it. AV-Test.org found that it detects 98% of their enormous malware database and AV-Comparatives (a widely known anti-malware testing group) found that MSE was one of only three products that did well at both finding and removing malware.

Anti malware: Modern malware is very different from classic viruses. Most anti-virus programs can not detect this malware and thus do nothing about it. 

I recommend Malwarebytes Anti-Malware (MBAM for short). Please download it from these two links only (they both go to the same destination).

MBAM is a time proven product and available in a totally sufficient free version. You have to watch during the original install and when you install a program update. The last window of the installer looks like this:



Please pay attention to the marked entry; its check box is preselected! That means the “trial version” will be activated and after the trial period ends you would have to pay for using the program.

You have to uncheck this check mark.

Eventually the program itself needs to be updated; the installer will run again and again you have to pay attention to this little detail to avoid the for-pay version!

See this article on how to correctly use MBAM.


How to avoid all these troubles

When it comes to protecting yourself, it's laughable how many people install multiple antivirus applications but don't keep their system updated with the latest patches for the operating system.

If everybody would simply keep their system and all programs up to date, we wouldn't have to worry so much about these problems. If the constant rebooting action of Windows Update has you frustrated, you can always temporarily delay the reboot; remember, only after the reboot are the patches completely installed and active to protect your computer.

Keeping your applications updated is critically important to protect your computer's security. Your firewall won't protect you, and an antivirus software is unlikely to help if you're using an old, vulnerable version of Adobe Flash or Adobe Reader.


Conclusion

In the end, good browsing habits and common sense should be your first line of defense against any kind of malware. I recommend always running a good security suite like MSE and additionally using MBAM as an on-demand scanner. That way you are as well protected as is easily possible and you can scan your system for malware whenever you want.

So here's the bottom line: In my not so insignificant experience MSE and the free on-demand version of MBAM work very well together. Coupled with good browsing habits and common sense this is a good combination of security tools, and judiciously using them should keep you well protected.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.



Monday, August 4, 2014

2014-08-04 WTKM Talking Points (August 04 2014)




Linksys and Cisco routers unsafe! Updating does NOT help.
Cisco comment: “There are currently no known workarounds available for this vulnerability."
You could possibly switch your router to safer firmware by installing OpenWRT or the EFF's OpenWireless Router. Beware: This is not for the faint of heart!



Bitdefender enterprise endpoint security is unsafe!
Where does that leave the home user?
Remember, the company and their support are in Romania!



Cloud Storage: Another example of lost access and no recourse.



Passwords



Infectious USB drives on the horizon. So far only drives with a certain type of controller affected.
That will change!



New RAT (Remote Access Trojan) targets Bank of America, Citibank, Natwest, RBS and Ulsterbank (last three in GB) but there may be more.

AVG search revenue from freebie scanners dries up. Significant drop in income from search!


14 antivirus apps have security problems. After finding basic boo-boos in security software researcher says vendors just don't care. Avira, BitDefender, ESET and Panda (among others) in “hall of shame”. The skinny: The more a security app does the bigger the attack surface – and the more it slows down the computer.

As usual I welcome suggestions and comments right here in the blog.

 

Thursday, July 24, 2014

Cloud Storage - again


May 5th 2013 I documented my opinion about cloud storage based on a real life example with Google's service.

Today I ran across a similar example based on the service named "LiveDrive". Here is the original text:
Livedrive has started closing people's accounts without warning.  Not everyone's account, of course.  Just a few.  And when those people contact the company to ask why, they're told that they were breaching the terms of their "unlimited storage" package by, er, storing too much stuff.

If this happens to you, and you make a fuss, Livedrive will restore your access in order that you can retrieve any important data.  However, in the experience of a couple of friends of mine, this access has its bandwidth throttled to such a degree that it is virtually impossible to download anything.  So your files are pretty much lost.
So again, as a reminder, cloud storage services may be convenient but:
Your data is not safe!

You can lose access any time without warning! 
Always keep the original file locally stored and backed up!

Sometimes I am outright fascinated by how easily people can be made to believe in third parties they have absolutely no control over.

IMHO the cloud at least is no place to entrust my most important documents and irreplaceable memories (aka pictures) to.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.


Monday, July 7, 2014

2014-07-07 WTKM Talking Points (July 07 2014)

 
Security researchers despair: Users will run malware if paid as little as one cent.
This raises questions about the effectiveness of well known security advice when competing against the smallest of incentives.

Cloud storage service Norton Zone closes down. Users have until August 6, 2014 to migrate their data to other services.
My opinion on cloud storage was published here.

Whether you use DropBox, Micro$oft's SkyDrive, Google Drive or any other free cloud storage service the service or your data can vanish “over night”.

CryptoLocker: The UK’s National Crime Agency (NCA) warned a month ago that people have just two weeks to protect themselves against the CryptoLocker ransomware before both return from the dead. C&C servers were temporarily down.
These 2 weeks are past by now. What have you done?
NCA hit the nail on the head when they said:
“Our message is simple: Update your operating system regularly, update your security software and use it and think twice before you click on links or attachments in unsolicited emails.”
“An estimated 234,000 computers worldwide, half in the US, have been infected with CryptoLocker since September 2013. These infection have been used to bilk victims out of more than $27m according to FBI estimates.”
Protection? 
CryptoPrevent from FoolishIT
CryptoGuard from SurfRight (this is what I use; but my main defense is paying attention!)  

Do you remember?
About 10 to 12 weeks ago the US government (DHS) advised NOT TO USE Internet Explorer! Update, update, update!
Per Windows version you should run at least:
Vista SP2: IE 9
Windows 7: IE 9
Windows 8: IE 10
Windows 8.1: IE 11

Do NOT tolerate Youtube ads! Some of them distribute malware and trojan horse viruses!

"Microsoft scam calls": Sorry but neither MS nor their "partners" know that we exist.
“I am calling from Windows”; there is no company named "Windows"!
All downloads, fixes updates a.s.o. for Windows XP offered on web sites are bogus; beware!
The first file encrypting and device locking trojan horse virus on Android discovered.
Microsoft has changed their Terms and Conditions. (See here for details)
Basically
- you give up your rights to become part of an eventual future class action lawsuit and
- you agree that Micro$oft is not responsible for anything.
My personal take-away:
Don't do any business with Micro$oft, don't entrust any data to their services!


Wednesday, June 18, 2014

Micro$oft's new Terms and Conditions - A Bombshell


Microsoft Corp. changes their Terms and Conditions. Not that big an issue for me but when I think of millions of Windows 8 users who get tricked, conned and arm-twisted into establishing a "Microsoft Account", well, then I get a queasy stomach.

If I add in the many millions of unsuspecting users of email accounts with hotmail.com, outlook.com, live.com and other M$ server names then I get really nauseous.

And when I think of hundreds of millions of Windows 8 and Office 2013/365 users whose data gets "automatically stored in the cloud" plus many small businesses that think "cloud backup" is a good solution, man, then I actually want to p**e. 

To spare you (and me) wading through lots of legalese details here only three quotes from Micro$oft's original text (highlights by me, some editing lost in transferring the text):
  • 10.3. Binding arbitration. If you and Microsoft don't resolve any dispute by informal negotiation or in small claims court, any other effort to resolve the dispute will be conducted exclusively by individual binding arbitration governed by the Federal Arbitration Act ("FAA"). Class arbitrations aren't permitted. You're giving up the right to litigate disputes in court before a judge or jury (or participate in court as a party or class member). Instead, all disputes will be resolved before a neutral arbitrator, whose decision will be final except for a limited right of appeal under the FAA. Any court with jurisdiction over the parties may enforce the arbitrator’s award.
  • 10.4. Class action waiver. Any proceedings to resolve or litigate any dispute in any forum will be conducted solely on an individual basis. Neither you nor Microsoft will seek to have any dispute heard as a class action, private attorney general action, or in any other proceeding in which either party acts or proposes to act in a representative capacity. No arbitration or other proceeding will be combined with another without the prior written consent of all parties to all affected arbitrations or proceedings.
  • 11. NO WARRANTIES


    MICROSOFT, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO YOUR USE OF THE SERVICES. YOU UNDERSTAND THAT USE OF THE SERVICES IS AT YOUR OWN RISK AND THAT WE PROVIDE THE SERVICES ON AN “AS IS” BASIS “WITH ALL FAULTS” AND “AS AVAILABLE.” MICROSOFT DOESN'T GUARANTEE THE ACCURACY OR TIMELINESS OF INFORMATION AVAILABLE FROM THE SERVICES. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES, INCLUDING FOR MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, AND NON-INFRINGEMENT. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THIS AGREEMENT IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
    YOU ACKNOWLEDGE THAT COMPUTER AND TELECOMMUNICATIONS SYSTEMS AREN'T FAULT-FREE AND OCCASIONAL PERIODS OF DOWNTIME OCCUR. WE DON'T GUARANTEE THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE OR THAT CONTENT LOSS WON'T OCCUR.  
If I still can read correctly the very last part of the last sentence "... or that content loss won't occur." contains the admission that Micro$oft cannot guarantee availability of their services and that your data will be available to you when you need it.

This is much worse than expressed in my previous diatribe about cloud storage services.

And trust me, just by using any Micro$oft service you have agreed to these Terms of Service. Even if you only use your copy of Windows 8 that you set up with a MS account you have agreed to these Terms!

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

 

Monday, June 2, 2014

2014-06-02 WTKM Talking Points (June 02 2014)

First things first: If you log in to Facebook on your computer and are mysteriously prompted to download a “unique software tool for safe and secure authentication” to your Android device, do not proceed.

If this occurs, your computer is already infected and downloading the software will infect your Android device as well. If you are seeing such a prompt you need help!

A new Trojan distributed through Facebook instant messaging and Yahoo! Messenger has claimed hundreds of victims.

Ebay data breach: Have you changed your password? Is it unique (on the whole big web)?
Ebay is very slow to alert affected customers.

Antivirus firm Avast: We got broken in to. Security guys can't secure their own computers? Oh PLEASE! Do NOT use Avast any longer! Replace it with Microsoft Security Essentials (or Windows Defender on Win 8).

Do you remember?
About 6 to 8 weeks ago the US government (DHS) advised NOT TO USE Internet Explorer! IE 8 still vulnerable; no fix yet. Upgrade to newer version!
Per Windows version you should run at least:
Vista SP2: IE 9
Windows 7: IE 9
Windows 8: IE 10
Windows 8.1: IE 11

AOL confirms security breach. Yes, we are in 1995 again!

Windows 8.1 Update went to Automatic Updates April 8th. 890+MB; huge; be VERY patient!

Apple has released updates for the Safari web browser on OS X fixing 22 serious security flaws.

Test if your Linksys/Cisco router is supported. If not you have to replace it.
"Not supported" means that the firmware is unsafe and cannot be updated.

Do NOT tolerate Youtube ads! Some of them distribute malware and trojan horse viruses!

"Microsoft scam calls": Sorry but neither MS nor their "partners" know that we exist.
“I am calling from Windows”; there is no company named "Windows"!
All downloads, fixes updates a.s.o. offered for Windows XP are bogus; beware!
Yahoo and AOL hacked; serve infected advertisements!

Symantec: Antivirus (the Norton products!) is 'DEAD' – says Symantec's CEO.

US Senate slams advertisement servers for security failings.
Will anything ever be done about it?