We earned 4 stars in the PC Magazine review of SafeCentral 2.6 that review that appeared on Friday. I am very happy to see the review up on the PCMag.com home page.
The reviewer, Neil J. Rubenking, commends our ease-of-use and the real-time feedback we give users on the safety of their web sessions. Our support for 64-bit platforms, including XP, Vista and Windows 7 was also noted.
One of the "Cons" in the review is the closed nature of the SafeCentral browser. We do not allow any and all browser plugins. We see this as a strong positive. On our work computers we are used to the network admins at our companies limiting what we can install and run, and which websites we visit. We understand that these constraints are necessary to protect company assets. Now is the time for us to recognize that we need to exercise the same control over our home PCs and laptops. When we sign into our bank or online retirement account, we should think and act differently--we have more to protect at this moment that when we are watching the latest funny YouTube video or posting a photo to Facebook.
Just like the iPhone is carefully managed by Apple to ensure the quality and security of iPhone applications, we recognize that browser plugins can introduce additional risks into sensitive web sessions and seek to protect users from those risks. Increased security almost always comes with some impact on usability. With SafeCentral, though, you still can use your regular browser and those Digg and Flickr toolbars to do all your fun stuff. Use SafeCentral for serious web stuff like banking, stock trading and tax filing.
Monday, January 11, 2010
PC Magazine Four-Star Review of SafeCentral 2.6
Friday, December 18, 2009
Twitter Hack and the Iranian Cyber Army
(See continuing updates to this story below.)
Earlier this morning a DNS hack took control of Twitter.com traffic and redirected to a website with a splash page proclaiming, "THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY." This hack has a lot in common with the Dr.Hiad website defacement I reported on two weeks ago.
New information
The so-called Iranian Cyber Army has defaced websites in the same manner as Dr.Hiad. At this moment (7:35AM Eastern Time) there is a website displaying the exact image that Twitter users saw earlier today during the Twitter hack event. A screenshot of that web page is shown below. The webpage contains an email link to the Iranian Cyber Army's Gmail account.
It is likely that the Twitter DNS attackers simply pointed "twitter.com" to the IP address of a defaced website like the one below. It would not make sense for them to point Twitter traffic to their own web server: that would allow them to be traced and possibly caught.
When the Twitter attackers realized they could take over Twitter's DNS, they had to decide where to point the traffic. Redirect it to comedycentral.com? Disney.com? Or how about a defaced webpage bearing the image of the Iranian Cyber Army?
There is some chance the Twitter attackers executed both the website defacement and the DNS takeover.
DNS is Fundamental
DNS is the Internet service that kicks in when we type a website name into our browser or click a link on a web page. Type "twitter.com" into your browser and DNS will lookup the IP address of the Twitter web server so your browser can connect and download all those tweets. As fundamental as DNS is to our Internet experience, it has virtually no security, particularly on our home computers and Internet connections. Also, the DNS servers "up in the cloud" are rife with vulnerabilities that enable attackers to gain control and carry out pranks like the Twitter redirection this morning.
Updates
December 18, 2009 8:20AM - Update
The defaced website that Twitter users were directed to, shown in the screenshot above, is an online forum for the Green Freedom Wave, an Iranian reform movement.
December 18, 2009 9:08AM - Update
The Green Freedom Wave website was hosted at Netfirms, a managed web server company that is well-known to website defacers who exploit weaknesses in web and database servers. These web hosting companies offer lots of functionality, including web sites, databases and online shops, at very reasonable prices. However, these features also can make them vulnerable to compromise.
The website defacement is the minor part of this story. The DNS takeover is extremely serious, especially since it happened at Twitter.com, which receives over 20 million visitors per month. If the Twitter.com site had been redirected to a web page containing malware, a huge chunk of the Internet population would be infected. Perhaps I should say a "huger" chunk: 35 million computers infected per month with one type of malware.
December 18, 2009 10:35AM - Update
The Green Freedom Wave website was probably hacked using SQL Injection, Remote File Inclusion, or similar techniques that are well-documented on the web. Note the signature line of Dr.Hiad from my earlier post. Remote File Inclusion allows an attacker to exploit a script on the target website to replace the home page of the website.
December 19, 2009 7:49AM - Update
Busy day yesterday speaking to reporters and colleagues about the Twitter DNS compromise. Here are a couple of stories:
Tuesday, December 8, 2009
Securing the Cloud
I will be a speaker at a free cloud security webinar sponsored by Enterprise Florida on Thursday, December 10 and 2PM Eastern Time. Cloud computing is a topic generating both hype and anti-hype right now. The anti-hype comes mostly from the security community warning that the benefits of fast, easy development and hosting are just what we do not need right now.
Also presenting will be Chris Day, Chief Security Architect at Terremark, and Alex Eckelberry, CEO of Sunbelt Software. The event is moderated by Esther Schindler, author and industry expert.
See you there!
Tuesday, December 1, 2009
Dr.HiaD: Islamic Terrorist or Teenager Having Fun?
Click image for expanded viewLet me steal my own thunder and go with Teen Having Fun.
Earlier today the campaign website of Bill Connor, candidate for Lieutenant Governer in South Carolina, was defaced with a graffiti-like image in the typical fashion of juvenile hackers.
Source: FITSNews Political Blog (not verified)
Click image for expanded viewThe hacked page included a small amount of Arabic text, which got the attention of the candidate and former US Army officer, who served in Afghanistan. A statement on his campaign's Facebook page said, "I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law."
Bill Connor
Was this a political act by Isamic extremists? Examining the facts makes it hard to draw that conclusion. There are many valid threats to our safety on the Internet today, but it is important to isolate the facts and not rush to judgement when it comes to identifying and prosecuting true crime online.
"Hi ADmin your security = 0" Thus reads the graphic that displaced the candidate's home page. That statement is a poke in the eye at the web hosting company that operates the web server (not the candidate) and is typical of widespread pranks conducted by computer savvy kids who enjoy exercising their technical skills to penetrate weak server configurations from far across the Internet and leave their mark.
"Dr.HiaD" in this case is the online nickname used by the hacker. Dr.HiaD has taken credit for over one hundred such website defacements. I have seen lists of URLs of over 4,000 web pages with his signature on them. Other pranksters have perpetrated many more thousands of website hacks and even keep track of their scores. See below a screenshot of one such scorecard showing recent defacements by Dr.HiaD. The score for all "players" on this website is a staggering 43,000 on December 1, 2009 alone.
Source: Ray Dickenson
Click image for expanded viewI have blocked out the website names in order to prevent readers from attempting to visit these sites, which may now host malware that can infect PCs. But you can see Dr.HiaD is a prolific defacement artist.
Another site Dr.HiaD hacked, that also contained a short snippet of Arabic script, was the website of a Chinese baby products company. Again, I will withhold the name of the site, but share the graphic that was posted there.
One of many other websites defaced by Dr.HiaD
Source: Ray Dickenson
Click image for expanded viewWho is Dr.HiaD? He appears on an Arabic hacker website with the below signature. Now, when it comes to teenage hackers, it is difficult to believe everything we read. Is Dr.HiaD really 15-years-old? Is Dr.HiaD from Morocco? Hard to say for sure, but I believe he (or she) is. These pranksters must balance two competing goals: (1) not getting caught and (2) claiming and receiving credit for their exploits. For young hackers, recognition normally trumps caution. On the score-keeping website mentioned above, there are hackers from Singapore, Russia, India, Switzerland, Germany and many more countries around the world. So Dr.HiaD really could be from anywhere.
Source: Ray Dickenson
Click image for expanded viewOne last point about the colors used in Bill Connor's website defacement. Some of the English letters appeared in white, green and red with black background. It is true that these are Islamic colors. But they are also the simplest colors to use in web pages. The RGB color codes for these colors are: FF0000, 00FF00, 000000, FFFFFF. Extremely simple for kids making web pages who do not want to be bothered with shades like 0CF1E2, CECE28. They are also stark and strong. Perfect for a prankster.
Let's close with a comment about the first screenshot above (source: Ray Dickenson). That one came from the website of an auto accessories company in China that was hacked by Dr.HiaD. Is this a photo of the real Dr.HiaD? Probably not. But it does convey something about the Dr's personality and the artistic flair of his or her pranks. Many teenagers who crave technical accomplishment and get into trouble pursuing recognition for their talents grow up to be valuable contributors in the computer field. Ask Michael "MafiaBoy" Calce or Kevin Mitnick.
December 2, 2009 - Update
I spoke with Susanne Schafer of the Associated Press about this story, and she wrote an article that appeared here.
December 3, 2009 - Update
The dramatic image in the first screenshot above comes from an Italian photographer, posted here on Flickr: Amegliocchi. One interesting connection is that a large number of Italian language websites were defaced by Dr.Hiad.
Connection to Dr.Hiad splash screen courtesy of TinEye, a pretty effective reverse image search engine. Want to find photos of you on the web? Try TinEye. If you dare :)
Wednesday, November 18, 2009
SafeCentral: New York Times article says it "protects users even if there’s malware on the computer"
A few weeks ago I demonstrated SafeCentral to Riva Richmond of the New York Times. She wrote an article appears in Friday's New York Times covering a "new breed of products" that address online identity fraud. The article features SafeCentral alongside other new services that directly address online threats to our identities and bank accounts. Riva Richmond points out that traditional tools like antivirus are struggling to keep up with the flood of high-tech crimeware that invades our computers to install keyloggers or conduct automated phishing.
This article is not an online holiday shopping scare fest. It provides helpful information on tools consumers can use to proactively protect themselves and remain safe and happy through the new year.
Tuesday, November 3, 2009
Twitter: The Internet is a more dangerous place
Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals. It is hard to find a web service that has done more to make malware distributors' jobs easier.
I don't mean just the explosive growth in the Twitter user base. Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.
Here are the Twitter features that make it so dangerous:
- Twitter usernames are easily harvested in vast quantities
- Criminals can send tweets to anyone on Twitter
- Twitter encourages its users to share without thinking
- Twitter and supporting services like bit.ly strip away critical context
- Twitter is programmable and can be automated using their published APIs
While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and -- as icing on the cake -- got celebrities like Ashton Kusher and Miley Cyrus to help fuel the frenzy of massive sharing.
Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let's be clear that this is not Twitter bashing. There is a reason Twitter has become so popular: it clearly meets a need shared by many millions of users. On Twitter.com we see people using the best features of the Internet to be more connected and more informed. But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.
Okay, let's look at our hacker wish list in more detail.
Twitter usernames are easily harvested in vast quantities
Compared to email, collecting huge lists of Twitter usernames is incredibly easy. Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames. Showing everyone what everyone else is saying is a great way to encourage new users to join the fun. It's also a great way to build a list of users to target.
Quality email lists, on the contrary, are harder to build. Malware authors have been very creative in building tools to collect email address lists. The Warezov worm, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process. These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.
Warezov and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops. The public nature of Twitter usernames, combined with the Twitter API (see below), make it outrageously easy "crawl" across Twitter and build massive lists of users.
Here is an interesting look at a Twitter-crawling app created by some good guys -- repeat Good Guys! -- that demonstrates the concept.
Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information. ("Harry Reid said you should respond to this: [click here]")
Criminals can send tweets to anyone on Twitter
Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers. Before the rist of Twitter, there were other methods malware distributors used to get links in front of people. "Spim" is the term of sending spammy links through an Instant Messaging (IM) network. But the Instant Messaging model calls for users to establish relationships by a two-way handshake. I add a new user to my contact list, they see the request and choose to accept the relationship. Then I can send messages. Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems. On Twitter there is no such requirement.
Twitter has a similar model wherein I follow you and you follow me. But you do not have to choose to follow me in order to see messages from me. I can follow you, see your tweets, and send a reply that you will see in your reply box. The Replies page is labeled "Tweets mentioning [myusername]". And on Twitter, who does NOT want to see tweets mentioning them? (Miley Cyrus aside.) Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.
So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with: "You are so right and this proves it: [click here]"
At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution. And Twitter is not about caution. Read on.
Twitter encourages its users to share without thinking
Stepping out of the technical realm for a moment, let's look at the Twitter social phenomenon. Twitter is not about privacy. Twitter is about massive-scale sharing. The tagline on the Twitter home page is, "Share and discover what's happening right now, anywhere in the world." And, "Join the conversation." THE conversation. Not one on one conversations with your known friends. We're talking about The Big conversation that we crawled through collecting our usernames up in step one.
Twitter does provide Public or Protected accounts. But the default setting is public and the message is clear: don't be shy. Jump in the deep end of the pool.
On top of that, the first step you see after creating an account is "See if your friends are on Twitter" and a web form that asks for your Gmail, Yahoo or AOL email password. Yes, your password. Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts. Doesn't this sound just like our friend Warezov described above?
Of course these are features designed to maximize the number of users and connections between users, and that's the attraction of Twitter. The sunny day scenario is positive one that helps build the Big Conversation. What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.
So to recap: we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don't know us, and the users are in a hurry. Tweets are short and sweet and meant to be posted and read frequently. This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.
Twitter and supporting services like bit.ly strip away critical context
Tweets are very short messages that don't leave a lot of room to establish familiar context. "Check this out: [click here]" is a classic line from emails that distribute malware.
The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links. When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it. If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China). It's not likely that our friends chose a Russian or Chinese photo hosting service. Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.
http://aimee.pl345xxx.ru/scripts/infector/clickit.html
URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense. There is no chance for a user to screen out risky URLs when they are shortened.
http://bit.ly/YTmnD
Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites. Over 2 million shortened links were hijacked this summer at URL shortening service Cligs.
Twitter is programmable and can be automated using their published APIs
As I mentioned above, Twitter provides an Application Programming Interface (API) that lets developers create programs to automatically exercise Twitter features. Features that the API does not support can be accessed by automating web requests as described here: Scripting Twitter with cURL.
Countermeasures
As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want: click it fast. Here is a short list of things users can do protect themselves:
- Protect your tweets: Go into your Twitter settings and click the "Protect my tweets" checkbox at the bottom. This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.
- Check those short links: Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google's SafeBrowsing service. It's available here: http://sucuri.net/index.php?page=tools&title=check-url. AVG's LinkScanner is also an option that will scan all the links you visit in a supported browser.
- Use Twitter security tools: Security tools designed specifically for Twitter are starting to appear on the market. I haven't evaluated them yet, but one recent example is Krab Krawler from Kaspersky.
Thursday, October 15, 2009
Windows 7 Security versus Usability: The Beat Goes On
Usability and security are competing goals: the more secure a computer is, the harder it is to use. The easier a computer is to use, the less secure it is. In my opinion, Windows 7 is easier to use than Vista.
With Vista, Microsoft introduced User Account Control (UAC), which frequently shows pop-ups asking the user to confirm any configuration changes, like changing network settings. UAC was one of the biggest usability problems with Vista and was lampooned by Apple in one of their hilarious "I'm a Mac and I'm a PC" commercials."
With Windows 7, Microsoft backed off on the UAC prompts, which greatly improves usability. My personal observation as a user is that Windows 7 is much more pleasant to use than Vista. This is important, because UAC had the effect of making the entire Vista experience very un-fun and slowed adoption of an operating system that has other important security improvements.
However, as is nearly always the case, increasing operating system usability also increases security risks -- risks of infection and compromise of data and functionality. The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge. A post on the Windows 7 Engineering Blog explains some of the thinking behind the no-prompt-to-turn-off-UAC issue.
The story gets much more complicated at this point. If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer? The answer lies in the difficulties inherent in identifying a program as goodware or malware. If my son downloads a game (goodware) that has been secretly tampered with to introduce malicious capability (malware) that tries to change my system configuration, I will not see a UAC prompt warning me of the configuration change. The first step of this malicious code will be to turn off UAC and avoid warnings. I cannot depend on antivirus to detect the malware, and I cannot depend on UAC to put up a prompt that will make my son say, "Daaaaaaad??!"
Tuesday, October 13, 2009
Will the Internet be there when you need it?
I have an article appearing in TechNewsWorld about the reliability of Internet web services. The Twitter outage in August shocked a lot of people and called into question the dependability of Internet-based services. In this article I look back on other notable outages -- eBay, MySpace, and Yahoo have all had their bad days -- and look into the root causes of the failures.
While researching the article I read "Mafiaboy: How I Cracked the Internet and Why It's Still Broken." This is the story of distributed denial of service (DDoS) attacks that took down Yahoo, CNN and other websites in February of 2000. The perpetrator was a 15-year-old high school student from Montreal who had built up his DDoS capabilities by hacking university and corporate servers for many months. If a high school student with no budget can take down top websites, it's clear that politically-motivated adults with even modest funding can do the same or worse.
Thursday, September 17, 2009
The Importance of a Good (Consumer) Education
Vicki Salemi posted an article on SheKnows.com about shopping securely online. Educating consumers about safe online behavior is extremely important, and Vicki is certainly doing her part.
The article highlights ecommerce safety tips I shared with Vicki this summer. These tips are even more important as we head towards the holidays, so I'll recap them briefly here:
- It is best to shop on "name brand" websites that are well-known and have a distinctive look and feel. Unfamiliar websites that look cheap and poorly designed are not a wise place to spend money, even if they have eye-popping prices.
- Check the address bar in the browser when you are ready to buy, reading from left to right, and be sure it starts with "https://" followed by the name of the website and ".com".
- It is best to type the name of your favorite shopping website into the browser to get started. Clicking on links in emails is a risky way to start an online shopping excursion, since the links may be fake.
- Don't forget to log out when you have made your purchases. If you remain logged in and then go browsing other sites, it is possible for malware to use that login in surprising ways.
- Don't make purchases on public computers. Do you use public computers in libraries or other places? Don't enter your credit card or other information into computers that aren't yours. They may have information-stealing software that can give your credit card number to the bad guys.
- Pay attention to what your anti-virus program is telling you. If it says it needs an update, get the update. If it says it expired, renew it.
Monday, September 14, 2009
High-level Attention on the Growing Cyber Crime Threat
A couple of weeks ago we warned that small businesses and local governments are being ripped off by online thieves who have learned to tap into commercial bank accounts by infecting computers with crimeware.
Yesterday, the Senate Committee on Homeland Security and Governmental Affairs met to hear from government and industry experts on the growing threat of cyber-crime targeting small- and medium-sized businesses. In his opening remarks, Committee Chairman Joseph Lieberman focused the hearing with the question: "What can be done by the public and private sectors to make commercial cyberspace secure, especially for organizations that can’t afford to have large IT staffs on the job 24/7?"
He went on to cite the same recent thefts from small businesses and local governments we talked about in this blog a couple of weeks ago. You can check out the hearing yourself: Cyber Attacks: Protecting Industry Against Growing Threats.
