27
Oct

Firesheep–Baaad news for online security

Posted by David | No Comments

A new extension for the Firefox browser is garnering attention in the technology press.

A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others’ access to Facebook, Twitter and a host of other services, a security researcher warned today.

The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which took place Oct. 22-24 in San Diego.

Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.

Although it’s common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

With a user’s cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook, Twitter, Flickr, bit.ly, Google and Amazon.

New Firefox add-on hijacks Facebook, Twitter sessions

It still requires some know-how to use the extension properly.  However, it does highlight the need for proper wireless security practices.

  • Avoid the use of unsecured public wireless networks.
  • If you do have to use a public wireless hotspot, seriously consider the use of a VPN (Virtual Private Network) to encrypt all traffic between your computer and the internet. Many paid and free VPN options exist.
  • Use certain additional Firefox extensions to protect your surfing sessions. This will not work with Internet Explorer or Google Chrome.

Feel free to contact us if you need assistance in evaluating your wireless security setup.
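The weakness Butler describes, a log-on protected by HTTPS followed by a session cookie sent in the clear, shows up in a site's own response headers. The following added example (not from the original post and not Firesheep code) audits constructed sample headers for session cookies that lack the Secure attribute and for a missing Strict-Transport-Security header; the cookie names and header values are assumptions made for illustration.

```python
"""Audit response headers for session cookies that can leak over plain HTTP."""

# Constructed sample: headers a site might return from its HTTPS log-on page.
SAMPLE_LOGIN_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=secure-looking-value; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Hypothetical names of the cookies that carry the logged-in session.
SESSION_COOKIES = {"session_id", "auth_token"}


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names).

    Only the parts after the first ';' are attributes, so a cookie whose
    *value* happens to contain the word "secure" is not mistaken for one
    that carries the Secure attribute.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers, session_cookie_names):
    """Return a list of (subject, issue) findings for one HTTP response."""
    findings = []
    has_hsts = False
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser attaches the cookie to http://
            # requests too, where anyone on an open Wi-Fi network can read it.
            if name in session_cookie_names and "secure" not in attrs:
                findings.append((name, "missing-secure"))
    if not has_hsts:
        # Without HSTS the browser may still make a first request over
        # plain HTTP before being redirected to HTTPS.
        findings.append(("response", "missing-hsts"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_headers(SAMPLE_LOGIN_RESPONSE, SESSION_COOKIES):
        print(f"{subject}: {issue}")
```
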

27
Oct

Ubuntu 10.10 “Maverick Meerkat” now available

Posted by David | No Comments

Great Linux distro suitable for laptop, desktop or server.

You can find the following new features added to Ubuntu 10.10.
  • A revamped installer. Now you can continue performing other installation tasks while the installer is copying files to your machine.
  • A redesigned "Software Center" which allows a user to search for, and install applications in Ubuntu. This is far more intuitive and user friendly than its previous version.
  • A new image management software – Shotwell has been included in place of F-Spot, which was used in 10.04.
  • Ubuntu 10.10 Netbook Edition now sports a new interface called Unity. This interface arranges all the commonly used applications in a launcher on the left side of the screen. 
  • Ubuntu 10.10 has full multi-touch support. This means, if you own a tablet on similar lines as Apple’s iPad, you can install Ubuntu Netbook Edition on it, and it will respond to your touches and gestures.

Ubuntu 10.10 Unveiled – Supports Multi-Touch

27
Oct

New Firefox vulnerability

Posted by David | No Comments

It affects all 3.5 and 3.6 versions.  No fix available yet.

Mozilla has issued a warning that its popular Firefox browser contains a critical vulnerability that is being actively exploited by cybercriminals to distribute malware.

The vulnerability, which was previously unknown, is said to affect versions 3.5 and 3.6 of Firefox.

Security firm Norman reported that the Nobel Peace Prize website was distributing a Trojan horse via the exploit yesterday, although it’s obviously possible that other websites may also be serving up the vulnerability in an attempt to infect visiting users.

Sophos is issuing protection against the malware as Troj/Belmoo-A.

Mozilla says it is working on a fix, but in the meantime Firefox users might be wise to turn JavaScript off and use the popular NoScript addon.

Firefox hit by critical zero-day vulnerability

27
Oct

It’s not about the computer, it’s about the user!

Posted by David | No Comments

Having security software on your computer is important; being aware is more important:

You may have seen some headlines today about a New Java Trojan that attacks Macs. It turns out that it also attacks Windows and Linux users as well. The Trojan pretends to be a video on Facebook. A user gets a message asking “is this you in this video” with a link. Upon clicking the link the user is prompted to install software. At this point an educated user should suspect that there is something wrong. It is not usual to need to install software to view a video. An educated user would abort and avoid infection.

It doesn’t matter if you have a Mac, Windows, or Linux computer, you will be attacked by cybercriminals and it is your good judgment that will afford you the most protection. Education is the equalizer in the fight against malicious software and cybercrime. The more you learn about safe Internet behaviors the better protected you will be. Your computer is the vehicle, don’t drive it into a brick wall.

Your Computer Won’t Protect You

21
Oct

How can you get malware from a trusted web site?

Posted by David | No Comments

Through third party ads linked on that web site, that’s how:

Third-party ads are the cause of a lot of problems. It does not matter how legitimate a site is, as long as it is referencing dynamic ads, it can expose its users to malware.

I usually never click on “Sponsored links” as I’m most likely not interested in such or such product. But a lot of people do because those links are relevant to the article (or the search). For every click, the website hosting the ad will receive some money, and more if the user “converts” (the user ends up buying whatever was promoted).

As a general rule, I would advise never to click on “Sponsored links” or ads that you see on a website. There is big debate about marketing: Does it fulfill a need people already had and never knew or does it create a need that never existed? I believe in the latter.

Then again, you may click on one by accident!

PCWorld links to scareware

18
Oct

Facebook Still Leaking

Posted by David | No Comments

Facebook confirmed today that many of the popular apps (including Farmville) on the popular social network are leaking user ID information to advertising networks.  The user ID is the unique number associated with each Facebook user.

The user ID is the number associated with every user on the site. Before Facebook allowed customized URLs for profile pages, it was easy for anyone to find this number. The user ID is not a private part of a person’s Facebook profile. Knowing someone’s UID will only grant access to the information that user has set to share with “everyone,” which is usually very basic pieces of data like pictures, hometown, age, job, musical preferences, etc. However, when given in bulk, these numbers can provide a database of track-able information to advertisers.

Facebook’s Mike Vernal publicly responded to the controversy on the company’s developer blog, claiming that many publishers have, in fact, violated its privacy policy by sharing UIDs with ad networks, but added that most companies “did not intend to pass this information, but did so because of the technical details of how browsers work.”

Major Facebook apps have been leaking user IDs, including Farmville

18
Oct

Protecting Your Social Security Number

Posted by David | No Comments

Security vendor McAfee published research listing the ten most dangerous places to give out your Social Security number and how to protect it.

For the past 70 years, the Social Security number has become our de facto national ID. The numbers were first issued in the 1930s to track income for Social Security benefits. But functionality creep, which occurs when an item, process, or procedure ends up serving a purpose that it was never intended to perform, soon took effect.

Here we are, decades later, and the Social Security number has become the key to the kingdom. You’re forced to disclose your Social Security number regularly, and it appears in hundreds or even thousands of files, records, and databases, accessible to an untold number of people.

What’s the danger of it getting into the wrong hands? Anyone who does access your Social Security number can use it to impersonate you in a hospital, bank, or just about anywhere else.

 

Top Ten Dangerous Places to Leave Your Social Security Number

Tips to protect your Social Security number:

1. In honor of National Protect Your Identity Week (October 17-23, 2010), check your credit report this week using a reputable firm such as Experian, and set reminders every three months to review it again.

2. You can refuse to provide your Social Security number.

3. Invest in an identity protection service. Because there are times you cannot withhold your Social Security number, an identity protection service can monitor your bank information and your personal ID. McAfee® Identity Protection (CounterIdentityTheft.com) will alert you, help prevent loss of personal information, and provide unlimited checks of your credit, credit monitoring, scanning of the internet and identity fraud resolution.

4. Securely dispose of mail. The standard advice is to thoroughly shred preapproved credit card offers and anything that includes any account information. While this is good advice and should be heeded, it’s not going to protect you when your bank or mortgage company or utility provider tosses your information in a dumpster that is subsequently raided by identity thieves.

5. Opt out of junk mail and preapproved credit card offers. This is good advice and can be done at OptOutPrescreen.com. However, even if you opt out of new offers, others will still arrive. It’s inevitable. You also need to get a locking mailbox, but that still won’t fully protect you.

6. Lock down your PC. McAfee Total Protection™ software is the most comprehensive security tool to protect your computer’s data.

You can refuse to give out your Social Security number, but businesses requesting it can then erect a number of hurdles to make it more difficult to obtain the service you are seeking.

 

13
Oct

Trojan for Android-based Smartphones

Posted by David | No Comments

This trojan sends for-fee SMS (text) messages at $6 a pop.

It apparently masquerades as a media player for porn:

Be careful with downloading apps, especially through the Android Market, where many of these fake programs reside.

13
Oct

Securing Your Gmail

Posted by David | No Comments

Some great suggestions for checking your Gmail settings and securing your account.  These come from the Gmail support site.

Gmail’s support site has a security checklist that’s useful if you want to make sure that your Gmail account is secure. There are some obvious tips like updating your operating system and your browser, but Google also posted some advanced tricks

Gmail’s Security Checklist

12
Oct

Nice Explanation of Cloud Computing

Posted by David | No Comments

We hear the term Cloud Computing all the time these days, but what does it really mean?  A concise explanation comes to us from Bill P. developer of the popular WinPatrol program.

In simple terms, Cloud computer [sic] refers to having programs and data reside on an outside network device instead of permanently on your local hard drive. In theory it turns your browser into a flexible smart terminal and the main program you execute. The program you run and data you store is somewhere else on the planet similar to the old concept of a main frame.

What on Earth is Cloud Computing

Check out Bill’s posts and his great HIPS program WinPatrol!

13
Oct

Multiple Adobe Reader and Acrobat Vulnerabilities

Posted by David | No Comments

Or you could use the lightweight and free Foxit Reader for PDF files.

Adobe Systems Inc. on Tuesday issued a new version of both Adobe Acrobat and its free Adobe PDF Reader to fix at least 29 separate security vulnerabilities in these products. If you have either (or both) of these programs installed, take a moment to update them. Adobe warns that hackers already are exploiting at least one of the flaws to break into vulnerable systems. Users of Adobe Reader and Acrobat version 9.1.3 and earlier should update to version 9.2, available in the “solution” section at this link. Updates are available for Windows, Mac and Unix versions of the programs. Adobe has some special instructions for those who for whatever reason need to stay with older lines of the software: The company recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. 

Adobe Plugs 29 Critical Reader, Acrobat Holes
(author unknown)
Tue, 13 Oct 2009 22:20:22 GMT

13
Oct

Major Microsoft Patch Tuesday

Posted by David | No Comments

Time to patch Windows!

From McAfee Security Insights Blog:

Microsoft today released 13 security bulletins that cover a total of 34 vulnerabilities, the most vulnerabilities Microsoft has ever addressed on a single Patch Tuesday. (The previous record was set in June when Microsoft addressed 31 vulnerabilities in 10 bulletins.)

Windows 7
The barrage of security fixes comes a week before Microsoft is expected to officially release Windows 7, a new version of Windows. Five of the security bulletins released today fix security vulnerabilities in the yet-to-be-released operating system, indicating that Windows 7 will bring little change when it comes to the security of Windows.

Booby-trapped Web sites
Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site or opens a rigged media file, favorite attack methods among cybercriminals.

Among the fixes, the critical vulnerability (MS09-062) exposes Windows XP and Windows Vista users to attacks that exploit the Graphics Device Interface (GDI+), a Windows component used to process image files that has been patched repeatedly over the past couple of years.

Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows and vulnerabilities in the component have been exploited broadly in the past. Security researchers will be looking to reverse engineer today’s patches, which may very well lead to exploits being created.

Zero day vulnerabilities
Of the 13 bulletins, eight are rated critical by Microsoft, the company’s highest risk rating. Five are deemed important, one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been previously disclosed, allowing cyberattackers a way to break into Windows systems before the fix was available.

Record Patch Tuesday Includes Windows 7
Joris Evers
Tue, 13 Oct 2009 23:41:25 GMT

28
Sep

IRS Scam Afoot!

Posted by David | No Comments

From the Sunbelt Software blog:

Don’t go there:


The Zeus Trojan is being spread through a major spam campaign under the guise of a notice from the IRS. Spam emails contain a subject line of “Notice of Underreported Income.”

If users follow a link in the spam or open an attachment they get infected with the Zeus Trojan.

CERT advisory here.

Tom Kelchner

IRS NOT!
Tom Kelchner
Mon, 28 Sep 2009 19:53:00 GMT

18
Sep

No Clean, No Surf!

Posted by David | No Comments

Via Eset’s Threat Center Blog:

Australia’s Internet Industry Association (IIA) is working on best practices for isolating computers with bots on them (http://iia.net.au/index.php/initiatives/isps-guide.html)
At the same time, the Internet Engineering Task Force (IETF) is also drafting a document about the same thing (http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03)

If these recommendations are adopted then people who have bots on their computers would have to get their computers cleaned up before their ISP would allow them to surf the web. The idea has been around for quite a while, however issues such as cost and privacy have been the main barriers to the plans.

I do think it is likely that eventually your ISP will adopt an approach to identify customers who have bots on their computers and then limit their web access to a site that can help them clean their computer. I think it will be a few years before any major ISPs actually have full implementation of quarantining infected users, but the day may come that you won’t be able to surf the web if your computer is infected.

Randy Abrams
Director of Technical Education

Can’t Surf the Web?
Randy Abrams
Fri, 18 Sep 2009 17:43:37 GMT

18
Sep

In Midst of Burglary, Crook Must Check Facebook!

Posted by David | No Comments

From the ESET Threatblog:

The Journal of West Virginia reported yesterday that 19-year-old Jonathan G. Parker was charged on Tuesday with felony daytime burglary. He’s alleged to have stolen two diamond rings worth more than $3,500, but to have taken some time out to access his Facebook account on the victim’s laptop.

If the report is correct, it seems that no sophisticated computer forensic analysis was necessary to determine this, since the criminal mastermind left the laptop where it was, still logged in to his account. (Presumably laptops aren’t worth stealing any more.)

I imagine that Facebook are now considering changing their famous “What’s on your mind?” prompt to “What on earth were you thinking?” Still, given all the recent stories about burglars checking prospective victim’s FB accounts to find out when they’re away, it’s good to know that social networking can work for law enforcement, too.

Hold the jemmy a second, I need to check Facebook
David Harley
Fri, 18 Sep 2009 13:19:16 GMT

17
Sep

Why is Rogue/Fake AV so successful?

Posted by David | No Comments

Via Internet Storm Center:

Rogue AV programs have become increasingly common in the last two years. We at the SANS Internet Storm Center get messages from our readers about new rogue AV sites daily.

It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are a couple of interesting things about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their AV program. How do they do this? Through social engineering, they create web pages which are very authentic copies of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered AV program can help them clean it.

Once the rogue AV program is installed, the victim has to pay money to get it working or, in some cases, even to uninstall it. So, the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).

In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors. They even follow the news: only a couple of hours after Patrick Swayze’s death, search engines were filled with bogus pages pointing to rogue AV programs.

Why is Rogue/Fake AV so successful?, (Thu, Sep 17th)
(author unknown)
Thu, 17 Sep 2009 07:36:18 GMT

07
Sep

FakeAV Generates Own Fake Malware

Posted by David | No Comments

Check this post FakeAV Generates Own Fake Malware from SophosLabs blog:

We’ve all seen FakeAV applications deliberately misreporting malware detection and encouraging the user to buy their “products”. The slew of these fake anti-virus applications has been relentless. My colleague, Pete, has highlighted the importance of taking adequate measures to ensure that you do not fall for such scams.

This FakeAV ups the ante further.

Take a look at the following folder:

This is the typical My Documents folder for Windows. It shows the folder is by and large, empty with the exception of a few folders.

We now turn our attention to the FakeAV in question. When this particular Trojan (Troj/FakeAV-AAB) is executed, the following dialog box is displayed:

No surprises there. Most Fake AV applications display a rather decent GUI (Graphical User Interface) that tries to make you think that they’re from legitimate anti-virus vendors. Needless to say (hmmm. that is a bit of an oxymoron), getting the full useless license requires you to invoke the necessary step of you having to part ways with the money that is sitting nice and warm in your wallet.

I proceeded to do a scan using the Spyware Scanner option.

To my surprise, the fake anti-virus application purports to report positive detections for files in a folder that I had known to be, by all accounts, empty. Have these malware authors messed up? Or have they gotten so lazy that they cannot be bothered to do a proper file scan anymore?

Puzzled, I decided to recheck the folder and lo, behold:

Wait a minute. The files now magically appear just after I run the scan on the fake anti-virus application? Had I missed something?

Of course not.

What has gone on here is something that is rather sneaky. Instead of blatantly and randomly misreporting files as malware, what this Trojan has done is to deliberately spawn/create new junk files on the infected computer, with random names and random file extensions and proceeded to detect them! To make matters worse, these files manifest themselves in various folders like the My Documents folder and Windows folder.

Thankfully, these files are not malicious by themselves. They consist of random junk data (the files can be safely removed from the infected computer via the good ol’ “Hit the Del key and empty the Recycle/Trash Bin” method).

To top it all off, like all other FakeAVs, this Trojan also periodically pesters you with annoying popup messages asking you to buy their product. And I thought such applications can’t get more annoying, was I wrong indeed!

Talk about rubbish producing and detecting more rubbish.

05
Sep

WordPress Upgrade

Posted by David | No Comments

We’ve upgraded WordPress to 2.8.4 to address a significant vulnerability.

See http://tinyurl.com/pjtjkd for details.

If you’re running WordPress, you should upgrade your installation today!

12
Jun

Google Chrome Users: Update

Posted by David | No Comments

From the Internet Storm Center:

Google has released an update for Chrome, their own web browser. From their advisory here: Google Chrome’s Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit. CVE-2009-1690 is a memory corruption which can lead to arbitrary code execution within the sandbox. CVE-2009-1718 is an information leak. Both CVE’s name Apple Safari, however they also affect Google Chrome.
Cheers,
Adrien de Beaupr
EWA-Canada.com

Google updates for Chrome, (Fri, Jun 12th)
Fri, 12 Jun 2009 13:07:19 GMT

12
Jun

Time to Update Firefox!

Posted by David | No Comments

From Network World on Security:

Mozilla on Thursday patched 11 vulnerabilities in Firefox, more than half of them labeled "critical."
