Security Tools


11
Dec 13

Help Bring Privacy Laws Into 21st Century

Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo [tl;dr: if you'd rather skip the explanation and go right to the What Can You Do? section, click here] cloudprivacy

The Center for Democracy & Technology, a policy think-tank based in Washington, D.C., has a concise and informative primer on the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting the ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information. But the Justice Department wanted different treatment for stored electronic communications. (Bear in mind that this was way before anyone was talking about “cloud” storage; indeed CDT notes that electronic storage of digital communications in 1986 was quite expensive, and it wasn’t unusual for email providers to delete messages that were more than a few months old).

CDT explains the bargain that was struck to accommodate the government’s concerns:

“Congress said that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with a subpoena, issued by a prosecutor or FBI agent without the approval of a judge,” CDT wrote. “At the same time, Congress concluded that, while the contents of communications must be highly protected in transit, the ‘transactional data’ associated with communications, such as dialing information showing what numbers you are calling, was less sensitive. ECPA allowed the government to use something less than a warrant to obtain this routing and signaling information.”

Fast-forward to almost 2014, and we find of course that most people store their entire digital lives “in the cloud.” This includes not only email, but calendar data, photos and other sensitive information. Big cloud providers like Google, Microsoft and Yahoo! have given users so much free storage space that hardly anyone has cause to delete their stuff anymore. Not only that, but pretty much everyone is carrying a mobile phone that can be used to track them and paint a fairly detailed account of their daily activities.

But here’s the thing that’s screwy about ECPA: If you’re the kind of person who stores all that information on your laptop, the government can’t get at it without a court-ordered warrant. Leave it in the hands of email, mobile and cloud data providers, however, and it’s relatively easy pickings for investigators.

“There has been an interpretation of the law from the government that says any document stored in the cloud can be accessed with a subpoena, regardless of how old it is,” said Mark Stanley, a communications strategist with CDT. “The government can access emails over 180 days old with just a subpoena. “We also know that the [Justice Department] has interpreted the law to say that any emails that are opened — regardless of how old they are — can be accessed without a warrant.”

Continue reading →


12
Nov 13

Zero-Days Rule November’s Patch Tuesday

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

crackedwinThree of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.

The final critical patch – MS13-090 — fixes essentially another IE flaw (ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.

Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.

brokenflash-aIn a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot – this page – often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10 , the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Continue reading →


6
Nov 13

CryptoLocker Crew Ratchets Up the Ransom

Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.

This message is left by CryptoLocker for victims whose antivirus software removed the file needed to pay the ransom.

This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.

To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.

Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.

“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.

“We put up survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did, Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”

Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.

“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams that said his testing has shown that as long as the registry key “HKCU\Software\Cryptolocker_0388″ remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.

“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-that-thou route.”

CRYPTOLOCKER DECRYPTION SERVICE

On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.

The "Cryptolocker Decryption Service."

The “Cryptolocker Decryption Service.”

“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site – yet another potential hurdle for victims to jump through.

According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.

Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.

Continue reading →


5
Nov 13

Microsoft Warns of Zero-Day Attack on Office

Microsoft warned today that attackers are targeting a previously unknown security vulnerability in some versions of Microsoft Office and Windows. The company also has shipped an interim “Fix-It” tool to blunt attacks on the flaw until it has time to develop and release a more comprehensive patch.

crackedwinIn a post on its Technet blog, Microsoft said the attacks observed so far against the vulnerability have been “carefully carried out against selected computers, largely in the Middle East and South Asia.” It added that the exploit needs some user interaction because it arrives disguised as an email that entices potential victims to open a specially crafted Microsoft Word attachment.

The exploit attacks an unpatched security flaw in the way some older versions of Office and Windows process graphical images. According to Microsoft, the exploit combines multiple techniques to bypass exploit mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). The company says this exploit will not affect Office 2013, but will affect older versions such as Office 2003 and Office 2007.

“Due to the way Office 2010 uses the vulnerable graphic library, it is only affected only when running on older platforms such as Windows XP or Windows Server 2003, but it is not affected when running on newer Windows families (7, 8 and 8.1),” Microsoft wrote.

affectednot

Microsoft’s latest Fix-It tool should help blunt attacks on this vulnerability. Also, while this particular exploit does try to evade DEP and ASLR protections, it’s probably as good a time as any to remind readers about Microsoft EMET, a free tool that can increase the security of third party applications that run on top of Windows.

Interestingly, news of the exploit surfaced less than 48 hours after Microsoft announced it would expand its $100,000 bug bounty program for researchers who can find and report novel exploitation techniques for evading Windows’ built-in defenses.


1
Nov 13

How To Avoid CryptoLocker Ransomware

Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,”  the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

A Cryptolocker prompt and countdown clock. Photo: Malwarebytes.org

A CryptoLocker prompt and countdown clock. Image: Malwarebytes.org

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well.

Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a  domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Continue reading →


26
Jun 13

How Much is Your Gmail Worth?

If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground.

My Gmail was priced at $28.90.

My Gmail was priced at $28.90.

The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.

In a blog post earlier this month titled The Value of a Hacked Email Account, I noted that many people do not realize how much they have invested in their email account until that account is in the hands of cyber crooks. That post quoted prices from one seller in the cybercrime underground who buys compromised accounts, such as hacked iTunes accounts for $8, or credentials to Groupon.com for $5, for example.

Chris Kanich, assistant professor at UIC’s computer science department and principal organizer of the project, said Cloudsweeper’s pricing model is built on prices collected from multiple sellers across multiple underground forums and services. I ran one of my Gmail accounts through Cloudsweeper, and it determined my account would be worth approximately $28.90 to bad guys. While this is not a Gmail account I use every day, I was surprised at how many third party services I had signed up for using it over the years. According to Cloudsweeper, bad guys with access to my account could also hijack my accounts at Amazon, Apple, Groupon, Hulu, NeweggPaypal, Skype, UPlay and Yahoo, to name a few.

Cloudsweeper uses the Open Authentication (OAuth2) protocol to connect to your Gmail account and search through messages. OAuth is an open standard for online authorization, and using it with Cloudsweeper does not require you to type in your password as long as you are already logged into the Gmail account that you’d like scanned. Cloudsweeper doesn’t keep your credentials, and it forgets about your visit and inbox after you log out of the service, or within 60 minutes of inactivity.

PLAIN TEXT OFFENDERS

Prior to performing a scan, the service asks users if they wish to participate in a study, which Kanich said gathers and securely stores non-personally identifiable information about Cloudsweeper users who opt-in. That data includes how many types of accounts each user has tied to their Gmail. The study also draws on data from the second core feature of Cloudsweeper: The ability to discover and then redact or encrypt passwords that various services may send to users in plain text.

Continue reading →


18
Jun 13

Windows Security 101: EMET 4.0

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool.

EMET's main window.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

Continue reading →


24
May 13

Skype Beta Plugs IP Resolver Privacy Leak

A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only.

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

As I wrote on March 21, 2013,  number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.

Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that allows users to allow direct connections to your contacts only. The information tab on this option, found under Skype->Options->Connection, says “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”

Continue reading →


11
Mar 13

Help Keep Threats at Bay With ‘Click-to-Play’

Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play.

c2pGCClick-to-Play is a feature built into both Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them.

To enable click-to-play on Chrome: From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”. To enable exceptions so that certain sites (krebsonsecurity.com?) are allowed to load Flash and other content by default, click the “manage exceptions” box. Alternatively, this can be done in Chrome through the address bar: when you browse to a site that has content blocked by the click-to-play feature, an icon will appear on the far right side of the address bar that allows you to add an exception for the current site.

c2pFFTo enable click-to-play in Firefox: Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the follow “plugins.click_to_play”, again without the quotes. Double click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice). To enable per-site exceptions, look for the blue lego-like icon in the lefthand portion of the URL bar, and click it; click the “activate” button to enable plugins just for that session, or to make it permanent for that site, click the down arrow next to “activate all plugins” and select the “always activate plugins for this site” option.

Continue reading →