Category Archives: Computer Security

Heartbleed is the name of a bug, not a virus

The Heartbleed Bug was a major story not that long ago. Lists of affected websites circulated with instructions to change your passwords if you had accounts at those websites.

In the whirlwind of online news articles, a lot of jargon got tossed around that the average computer user may not be familiar with, and any time there is a knowledge gap, scammers can and do take advantage of it. Spam emails began to circulate claiming to include a Heartbleed removal tool that was, naturally, a malicious program itself. The attachment, if opened, installed a keylogger on victims’ computers, which could transmit sensitive information to criminals. Symantec has a fine article about this particular attack.

Of course, if you’re an old hack hand at Computer Stuff like myself, you already knew that Heartbleed was a bug affecting servers, not a virus. But not everybody is familiar with all these terms, so I decided it would be useful to explain some of these concepts in layman’s terms.

DATA is digital information. If you’re looking at a website, your computer is taking data and presenting it in a readable, watchable, or listenable way. You’re looking at data, which happens to be mostly in text form, right now. When you have an account at Amazon or Facebook (for example), your username and password are part of your personal data, which is the stuff you don’t want being accessed by anyone but yourself. Websites keep this kind of data on servers that use various software to make it (hopefully) impossible to access by unauthorized people.

SERVER is a big computer where data is stored. When you watch a video on YouTube, the digital information that makes up that video is stored on an incredibly large computer, which transmits that data to your computer, which turns it into a video you can watch. Companies such as Facebook and Google have multiple servers that fill entire buildings. Your employer may have a smaller server that looks like a regular desktop computer, which holds all the business’s customer data, and only employees have access to it. Same concept, different scale.

OpenSSL is a particular type of server software that was affected by the Heartbleed bug. You know how your desktop computer runs Windows or MacOS, and your phone runs Android or iOS? OpenSSL is pretty much the same type of thing for servers. Your home computer uses Windows or MacOS to do home computer things; some (but not all) servers use OpenSSL to do server things, like store huge customer databases.

BUG is a flaw in a piece of software. You know how sometimes you download some goofy free app on your phone, and it works for a few seconds then crashes? That app has a bug that makes it function improperly. In the case of Heartbleed, the bug was a security flaw that potentially opened up account information (such as encrypted passwords) to hackers.

ENCRYPTED data has been scrambled in a way that unauthorized persons cannot access it. Servers don’t just store your username and password in text form because it would be too easy for someone to just steal the file and open it. They use complicated methods to make sure that, even if someone got the file, they wouldn’t be able to read it. (At least, this is how it would always work in a world without security bugs like Heartbleed; this is why you had to change your passwords at affected sites after the bug was fixed.)

HACKER is a person who breaks into computer networks. This in and of itself does not make them bad…many are actually hired to break in, in order to highlight security flaws so they can be fixed. Some use their skill for criminal purposes.

These are pretty simplistic explanations, but I think it’s important to at least have a concept of what these terms mean, so that when you read an article that says “security bug affecting servers running OpenSSL versions etc…” you can at least understand that they’re talking about software you’re NOT running on your home computer, and to ignore any emails offering a fix because Heartbleed wasn’t a virus in the first place.

But you’re not going to open attachments in any unsolicited emails, anyway, are you? If nothing else, remember this First Principle: “If you didn’t ask for it, don’t click on it.”

What to do about DNSChanger

It’s a long, long story. It starts with the arrest in November 2011 of six Estonian cybercriminals who managed to infect millions of computers with malicious software known as DNSChanger.

This malware would compromise search results, direct infected PCs to rogue websites, compromise antivirus software and insert rogue advertisements into legitimate pages. These guys made a load of money before they were nabbed.

However, even after the arrests, plenty of computers remained infected. The FBI set up temporary servers for infected PCs, but those will be coming down on July 9, 2012. In other words, if your computer or router is infected, you won’t be able to connect to the Internet, starting Monday.

(“Five Years” by David Bowie just popped into my head, but in this case, you’ve got about three days.)

The first thing you need to do is check to see if your machine is infected. The DNSChanger Working Group provides a list of sites that check your computer here. If it says you’re good to go, no additional action is required.

However, if you get a red light, you’ll have to fix your computer. The DCWG provides instructions here, along with links to tools that specifically remove the malware, but you may need to take your PC to a professional computer repair shop.

I’ve heard that about 70,000 computers are still infected (this one’s clean!), so it’s not as if the entire Internet is going to die on Monday (as some of the jumpier news sources have implied), but you still don’t want to find yourself unable to connect and cut off from solutions to the infection.

How to make sure you’ve got the latest version of Java (Windows users)

According to the excellent website Krebs on Security, a new Java exploit is set to go completely mushroom cloud on computers worldwide with outdated Java installations within the next few days.

The BlackHole Exploit Kit is used by cybercriminals for purposes various and nefarious, and is currently the most common web threat around. However, we won’t go into too much detail here about the malware itself. Instead, let’s talk about how to keep your Windows-based computer safe.

The first thing you need to do is find out if you have Java installed on your computer at all, and which version you’ve got. The easiest way to accomplish this task is to visit java.com and click the “Do I have Java?” link. This takes you to a page with a big “Verify Java version” button.

Click the button and the site will tell you if you’ve got the recommended version of Java installed, which currently (as of July 6, 2012) is either Version 6 update 33, or Version 7 update 5. If it tells you to update, follow the on-screen instructions.

(If your computer is set up like mine, your web browser will ask you for permission to run the Java content on this page. At this point, you’ll know you’ve got it installed, but you still need to verify which version you’ve got. Click the “Run this time” button when prompted, and it will let you know if you have the recommended version.)

What if the site says you don’t have Java installed? Should you install it?

Naturally, the java.com website will suggest you do, but if you’ve been using your computer without it so far, I’d recommend not installing it at all. Java is currently the most popular channel through which exploits like the BlackHole pack are used, and new security holes are discovered all the time. If you’ve come this far without Java, there’s really no good reason to install it.

If you’ve got Java installed and want to keep it (there are still some websites that rely on it), make sure you’ve got the software set to check for updates at least once a week, but I recommend taking it a step further and checking daily. Here’s how.

1. Click the “Start” button, then select “Control Panel.”

2. Find the “Java” icon in the Control Panel window and double-click it.

3. Click the “Update” tab, then the “Advanced” button.

4. Select “Daily” and check what time of day it will check. I left mine on 11:00 PM. Click “OK.”

5. Click “Apply” and “OK.” You’re done!

Note: if the updater detects that a new version of Java is available, most of the time you’ll have to manually install the update. Your computer will prompt you when it’s time.

The “Slow Computer” Scam

Does your computer seem to be running slower lately?

You’re not alone. Over time, computers tend to get bogged down. For example, you install a piece of software to accomplish some task you only perform every now and then, but the program requires that a component of itself be running in the background at all times. Or you upgrade your antivirus software—the new version does a better job of filtering out malicious software, but it also needs more system resources to do its job.

Perception also plays a role—the “new” wears off a computer pretty quickly, and what seemed like blinding speed a year ago now feels like you’re trudging through treacle every time you want to fire up a web browser, even if the machine is running just fine.

The net result is that a lot of people think, “Hey, this thing isn’t running as fast as it used to—something must be wrong!” Enter the Slow Computer Scam. It generally targets seniors, but anyone with a computer could fall for it.

It begins with a phone call from a stranger who claims to work for Microsoft. The caller tells the victim that the company has received notification that their computer has been running slowly or is infected with spyware, viruses or other problems.

At this point, if the victim agrees, the call will go one of two directions. In the first variant, the victim is instructed to go to their computer, then fed step-by-step directions by the caller that are supposed to fix the problem. What is actually happening is the victim is handing over control of their computer to a criminal, allowing them to search for files containing personal information, install spyware designed to harvest any data the victim enters, or link the computer to a botnet used to transmit data for organized criminals.

In the second version, the victim will be told that the caller can fix the problem, but only for a fee. They will be instructed to use Western Union to wire a few hundred dollars as payment.

There is a recent double-dip version in which the scammers call the same victim again a few weeks later. This time, they inform the victim that they are from Dell (or whoever manufactured the victim’s computer), the earlier call from Microsoft was a scam, and that their computer was infected with malware by the scammer. They offer to fix the computer for a fee of several hundred dollars, again to be wired via Western Union.

This may be one of the easiest scams to recognize. If your telephone rings, and someone is on the line telling you that there’s something wrong with your computer, that’s your cue to hang up.

Microsoft does not have a giant control room that keeps tabs on the performance of every computer in the world. Nobody is sitting at a monitor going, “Whoa. Some guy out in Indiana has a slow computer. Perkins! Get on this!”

The same goes for Dell and other computer hardware manufacturers—they don’t have a giant database of who owns their computers or how they’re running. If there’s a problem with your hardware or software, or if your machine is infected with malware, it’s basically on you to figure it out and fix it.

There is also no scenario in which Microsoft, Dell, or any other tech company is ever going to require payment via Western Union. Keep your antivirus software up-to-date, and when a stranger calls to tell you there’s a problem with your computer, hang up.

Link: Krebs’s 3 Basic Rules for Online Safety

I usually only like to create my own content around here because my ego is just that huge. Seriously; I had to buy a different car than the one I wanted last summer because my head wouldn’t fit in a Focus.

I kid.

Anyway, sometimes somebody else just sums it up so perfectly, it’s better to just let them say it.

With that in mind, please give Krebs’s 3 Basic Rules for Online Safety a read right now. It won’t take you five minutes to read, but it lays out three principles that could save you a lot of headaches down the road.

In fact, if you’ve got a few sites you regularly read, I’d recommend adding Krebs on Security to that list.

Having a dedicated computer for online banking

[Image: clipart of bills and coins, via Wikipedia]

Here’s a great idea that doesn’t get talked about enough: having a computer you use only for online banking and other financial activities, and a different computer for games, music and general Internet usage.

It seems like an expensive route to have two separate computers, but think about it—your financial machine only has to be just powerful enough to handle an operating system, an Internet connection and a web browser. You don’t need massive amounts of RAM or a great (or even particularly good) video card. You could probably even find a used laptop running Windows XP (if you’re a PC user; however I would not recommend Windows Vista) if you poke around. Install your antivirus software and Mozilla Firefox with the NoScript plugin, and you’re ready to go. I would also recommend setting up a separate email address for anything related to finances, and only check it with your financial computer.

What this does is keep your financial activities separate from everything else; you’re not likely to encounter malware by logging in to your credit card provider’s or financial institution’s website. In the meantime, if you run into malware trouble on your “fun” computer while mucking about on the Intertubes, the damage will be limited. Your banking passwords won’t get snagged by a keylogger you picked up on an infected website, even if your Facebook password does.

Of course, buying a separate computer is going to cost money whether you go new or used, and in any case you have to keep your security software up-to-date on both machines. It’s not an option for everyone. However, if you can swing a few hundred bucks for a dedicated banking computer and some good security software, it’s just one more layer of protection.

What is likejacking?

You have to love the Internet. It used to take years for new words to be coined and gain popular usage. Over the last decade and a half or so, as Internet usage has evolved from something only nerds do to most people’s primary source of information, new words are coined and take off within days. Podcast. Lifehacking. Likejacking.

Likejacking is a recent term that is really just a Facebook-specific form of clickjacking that involves tricking users into following a link to a website, usually to obtain some form of content (usually video). However, the content doesn’t get delivered at all.

The user clicks on what appears to be a video player within the website, but there is no player. There is, however, a hidden link that causes the page to show up on the user’s Facebook status (i.e. “Joe Blow likes FIVE REASONS YOU SHOULD NEVER USE A CELLPHONE AGAIN”). Joe’s friends see this update, wonder what Joe now knows that they don’t, and they get roped in.

Meanwhile, Joe Blow is being redirected to some sort of bogus survey site or other shady website. It’s usually a ploy by dishonest people to abuse online affiliate programs—trick a bunch of people into clicking on your pay-per-click ads and rake in a nice chunk of money.

The way I understand the likejacking process is this: on the malicious website, you have something that looks like an embedded video player, but is actually just a JPG image of one. This object is set up to be “transparent,” i.e. you can’t act on it by clicking, so even though you can see it, to your computer it’s not there at all. However, if a different object (such as a Facebook “like” link) is hidden underneath the JPG, when you click on what you think is a video player’s “play” button, you’re actually clicking the “like” link hidden below it.
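To make the mechanism above concrete from the defender’s side, here is an added example (not code from the original post, and not Facebook’s code): a small Node.js checker that reads a page’s HTTP response headers and decides whether some other site could load that page inside a frame, which is what a likejacking page has to do with the genuine “like” button. The reliable fix lives with the site being framed, which tells browsers not to frame it through a Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header; the checker applies the rule browsers use, with frame-ancestors taking precedence when both are present. The site names (social.example, third-party.example, apps.social.example) and the header values are constructed for this example.

```javascript
// Added example (not from the original post): decides from a page's HTTP
// response headers whether another site could load that page inside a frame.
// Sites and header values are constructed; nothing is fetched from the network.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Keywords arrive quoted ('self', 'none'); strip the quotes.
      return tokens.slice(1).map(t => t.replace(/^'(.*)'$/, '$1').toLowerCase());
    }
  }
  return null;
}

// Does one source expression permit the embedding page's origin?
function sourceAllows(src, embedder, self) {
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return embedder === self;
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.startsWith(src + '//');
  // Host source, optionally with a scheme and a leading wildcard: https://*.example.com
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^/]+)$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const e = new URL(embedder);
  if (scheme && e.protocol !== scheme + ':') return false;
  return wildcard ? e.host.endsWith('.' + host) : e.host === host;
}

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Apply the browser rule: CSP frame-ancestors wins; otherwise X-Frame-Options;
// otherwise anyone may frame the page.
function canBeFramed(headers, embedderOrigin, siteOrigin) {
  const ancestors = parseFrameAncestors(header(headers, 'content-security-policy'));
  if (ancestors) {
    return { frameable: ancestors.some(s => sourceAllows(s, embedderOrigin, siteOrigin)),
             reason: 'CSP frame-ancestors' };
  }
  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { frameable: embedderOrigin === siteOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it and any other
  // unrecognised value give no protection.
  return { frameable: true,
           reason: xfo ? `unsupported X-Frame-Options "${xfo}"` : 'no framing restriction' };
}

// Constructed responses from a hypothetical site, https://social.example.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfo: { 'X-Frame-Options': 'SAMEORIGIN' },
  csp: { 'Content-Security-Policy':
         "default-src 'self'; frame-ancestors 'self' https://*.social.example" },
};

// For each sample response, can a page served from `embedder` frame it?
function report(embedder, site = 'https://social.example') {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = canBeFramed(headers, embedder, site).frameable;
  }
  return out;
}

console.log('third-party page:', report('https://third-party.example'));
console.log('own subdomain:   ', report('https://apps.social.example'));
```

Run it with node: the unprotected sample is frameable by the third-party page, the other two are not, and only the CSP sample lets the site’s own subdomain embed it. A user-side tool such as NoScript catches some of these overlays too, but a site that sets one of these headers removes the trick at its root.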

The basic avoidance techniques are the same in the case of likejacking; if one of your friends appears to be posting a link to some sort of sensational/juicy content, don’t click. Urge your friend to remove the update, too. ALL CAPITAL LETTERS are a bad sign, as well as any variation of “once you see this _____, you won’t ever _____ again.”

Now that I typed those spaces in there, all I can think of is Mad Libs. Let’s see…a noun and a verb. Okay, DUCK and SMILE. “Once you see this duck, you won’t ever smile again!” Yeah! Comedy gold!

Oh, never mind.

Chile Earthquake Scams: yet another preemptive strike.

I don’t think you’d need to be a rocket surgeon to guess that Chile Earthquake Scams are already well underway. I once posed the hypothetical, “How long does it take a crook to turn something into a scam, four minutes?”

Turns out I wasn’t giving the con artists enough credit. My new estimate is 30 seconds.

The same rules apply here as when dealing with possible Haiti Earthquake Scams. Be extremely wary of unsolicited requests for charity donations. The best way to help is to contact your favorite organization first and turn down all other requests.

There is a short article on the topic at Scambusters that identifies a couple additional threats beyond fake charities, and both involve malware.

Basically, if a stranger sends you alleged photos of the earthquake damage, do not open these attachments because they are infected with a virus. In fact, don’t even open the message at all. There is plenty of footage coming in through official news sources.

Also, beware of fake news stories that come up in search engines. These can lead to websites that are infected with malware as well. According to the Scambusters article, these sites were up within hours of the earthquake. Just go directly to your favorite news source’s website and get your information from there. Many will even have a list of trustworthy resources if you want to donate to relief efforts.

Online security: teach your children well.

I don’t have any kids yet, but I know a few people who do.

Okay, so I know more than a few. I know many, and almost all of them have something in common: their computers are constantly being infected with viruses, trojans and other types of malware. I’m not talking about the occasional adware popup or tracking cookie—these machines are usually just crawling with malicious software.

There’s sort of an old myth that your twelve-year-old is always going to know more about the computer than you. Perhaps this is true when it comes to first-person shooters and making goofy videos, but kids don’t know everything about computers, and security is one of those areas where they generally seem to lack the fundamentals.

Of course, they’re invincible, too. There’s always that. Ask them sometime; “Is it even possible that you might run into a virus on the Internet?” They’ll probably look at you like you’re an idiot. Again.

But it happens, and it seems to happen a lot. You’ve got to educate your kids about malicious software, because a keylogger doesn’t care who downloads itself; it’s going to send login and password information, whether it’s to a Facebook profile (bad news) or your financial accounts (worse).

First, if you’ve got kids using the Internet, try to keep an eye on them at least some of the time. Since this is impossible, though, make sure you’re using Firefox with the NoScript plug-in. No Internet Explorer! There are more holes in that browser than a hunk of Swiss.

Secondly, learn about the various dangers yourself, and make sure you warn your kids. No kid is going to be able to resist “lol is this you?” or “lol funny video” followed by a shortened URL, unless someone tells him that such links lead only to malware.

Thirdly, obtain the burliest antivirus and firewall software you can afford, and pay the money to keep it updated. This is vital anyway, but if you’ve got kids clicking a mile a minute on Facebook and Twitter, you really need to take maximum precautions.

I suppose you could try to limit your kids’ access to the Internet, but you could also try to wrestle a grizzly bear while you’re at it. Good luck with that one.

Finally, consider getting your own computer or laptop that the kids aren’t allowed to even touch, and use that one for business and banking. At least your accounts will be safe(r), assuming you’re taking the necessary precautions on this computer as well.

Okay, does this post officially put me in the “old person complaining about young people” camp? It does sort of have that “I tell ya, the kids today, with their Facebooks and their Twitters,” flavor doesn’t it?

I don’t know, but I know it’s important to get your kids hip to the dangers of malware as soon as you can. Your own financial security may depend on it.

Virus Alert: “Your internet access is going to get suspended.” (ICS Monitoring Team)

This email has been around for at least a couple years. Full text:

From: ICS Monitoring Team
Sent: Tuesday, February 09, 2010 2:48 AM
To: [email address]
Subject: Your internet access is going to get suspended

Attachment: report.zip

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

If you get this message, or anything similar, delete it immediately, and whatever you do, don’t open that attachment. It’s a virus.

I don’t know exactly what sort of malware is attached, but if I had to guess, I would assume it contained some form of software that could be used to remotely gain control of your computer. These “zombie computers” can then be used as part of a “botnet” to commit other crimes. In fact, a search for “ICS Monitoring Team” returned at least one link that appeared to be software that would allow you to remotely control other computers on a network.

They were really going for the jugular with this one, weren’t they? The fact is, a lot of people download copyrighted material, so they’ve got a lot of potential victims. Your first reaction upon reading something like this would probably be a small jolt of panic, whether you’ve been downloading stuff or not. The social engineering angle here is as brilliant as the grammar and spelling are execrable. “Consorcium?” Really?

Whatever you’ve been getting up to online, this message isn’t related to it. It’s just another attempt to infect computers with some kind of bad juju. I’m not saying you should keep ripping off copyright holders. Sometimes those BitTorrents are infected with stuff, too. And remember that one kid the entire music industry practically wanted to execute nine or ten years ago? People run into trouble that way.

However, if you do get caught, most likely your Internet service provider will just shut you down with very little explanation beyond “terms of service violations.” Some third party isn’t going to be given that power, at least not in the run-of-the-mill instances.