Anti-Spyware and PC Security News


09 Oct

Don’t Use Same Passwords for All Accounts

The web was all in a ruckus in late August, 2009. Embarrassing screenshots of many Facebook accounts echoed, prompting questions of veracity and user adherence to basic security principles. In fact, everything actually happened last February. According to Jimmy Ruska’s detailed analysis of the incident, a Christian singles website accidentally allowed the email addresses and passwords of their entire 35000-strong userbase to be exposed. Many of the users of this singles website used the same password for all of their online accounts. This enabled the infamously malicious users of 4chan, an online forum that offers and encourages anonymous posting, to access the email, social networking, e-commerce and online payment processing accounts of the members of the site. The Register has coverage of the attacks, although they neglect to mention when the attacks actually occurred.

This incident highlights how much risk you are taking whenever you use the same credentials at multiple websites. With many websites using either your email address as your login name or offering password resets via email, it only takes one unintended exposure of its database of login credentials by one website for a potentially significant portion of your life and identity to be stolen and used by miscreants. Read on for more details about the risks of re-using passwords or using passwords that are easily guessable, and for helpful advice on how you can reduce the risk to you and your business by managing unique passwords or using two-factor authentication.

It is standard procedure among many web services to use your email address which, in effect, constitutes a unique username. This includes everything from social media, e-commerce, online payment processing and customer relationship management. Your whole online life, and thus your identity, is linked together by your email address—assuming that you use the same address for all services. That’s a lot of passwords to remember! It’s no wonder that people will often have a single “throw away” password for sites they consider unimportant or, worse, just one password that they use everywhere.

When you use the same password on more than one web service, you are relying on each and every one of those services to protect your password. If, somehow, your password is leaked by even one of those websites, your whole online identity is potentially compromised.

The consequences of having your online identity compromised are not limited to traditional identity theft. Consider the case in the introduction of this post. For something fun to do on a chilly winter Saturday night, some of the users of 4chan invaded the privacy of a large number of strangers with whom they have differing opinions and publicly humiliated them.

The humiliation was compounded by the online tormentors’ access to their victims’ email accounts. Many, if not most, online services will allow you to reset your password by email, working under the assumption that you are the only person in control of your email account. With control of your email account, someone can gain control over the rest of your online accounts, whether you used a good password or not. In at least one case of the 4chan incident, details of a very personal purchase were shared with the victim’s friends, crossing the line between the fictional and the actual and humiliating the victim.

So how can you protect yourself? Make your passwords difficult to guess, but not too difficult for you to remember. Google provides some useful guidelines for creating a secure password that should not be too difficult to memorize. Among other things, they suggest choosing an acronym and replacing letters and syllables with similar symbols. For instance, if you go a bit silly with Google’s guidelines you can turn “This is a secure password, but it is too obvious” into “t1@5pbi20,” which is memorable, if a bit difficult to type.

If you are not the embodiment of Dustin Hoffman’s character in Rain Man, it is understandable that it would be difficult to remember a different password for every website that you visit. If you prefer low tech, you can always write down your passwords in a notebook that you keep in a safe place. While this goes against some of the traditional password safety doctrine, you are more secure doing this than you are if you use the same password in multiple places.

For a slightly more high tech but less portable solution, you can use the password manager in your web browser. Be sure to set a master password to keep your stored passwords safe; otherwise, if your computer becomes compromised by info-stealing malware, all of your passwords are immediately compromised along with it. There are plenty of encrypted password management solutions available, such as Mozilla Firefox, Password Safe and 1Password.

For the ultimate in high tech, you can use Stanford PwdHash, a website and Firefox extension that generates theft-resistant passwords. While we do strongly suggest using multiple passwords, if you really want to, you can use one password for everything and PwdHash will reduce the risk of your other online accounts being compromised if one site leaks its theft-resistant password.
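To make the PwdHash idea concrete, here is an added example (not code from this post or from the PwdHash project) of deriving a different password for every site from one master password, and of checking that a password leaked by one site is useless at another. It assumes an HMAC-SHA256 construction keyed with the master password over the site's domain; the real PwdHash extension uses its own construction, so the outputs here are not PwdHash's, only the principle is the same. The master password and domains are constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed master password used only for this illustration.
MASTER_PASSWORD = "correct horse battery staple"


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a site-specific password from one master password.

    Assumption: HMAC-SHA256 keyed with the master password over the
    lower-cased domain. Because HMAC is one-way, a site that leaks the
    derived password cannot recover the master from it.
    """
    digest = hmac.new(
        master.encode("utf-8"),
        domain.lower().encode("utf-8"),
        hashlib.sha256,
    ).digest()
    # URL-safe base64 keeps the result typeable; trim to the requested length.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def passwords_differ(master: str, domains) -> bool:
    """True when every domain in the list gets a distinct derived password."""
    derived = [site_password(master, d) for d in domains]
    return len(set(derived)) == len(derived)


def credential_stuffing_succeeds(leaked_password: str, master: str, other_domain: str) -> bool:
    """Would a password leaked by one site log an attacker into another?

    With plain password reuse the answer is trivially yes; with per-site
    derivation the leaked value never matches the other site's password.
    """
    return leaked_password == site_password(master, other_domain)


if __name__ == "__main__":
    leaked = site_password(MASTER_PASSWORD, "singles.example")
    print("leaked from singles.example:", leaked)
    print("password at mail.example:   ", site_password(MASTER_PASSWORD, "mail.example"))
    print("leak reuses at mail.example?", credential_stuffing_succeeds(leaked, MASTER_PASSWORD, "mail.example"))
```

The user still types one memorable master password, but every site receives a value that only works there, which is exactly the risk reduction the post describes when one site leaks its database.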

You wouldn’t use the same key for your house, your car, your office, your bicycle and your safety deposit box. If you gave your key to a valet and they made a copy, your whole life could be stolen from you. Don’t do the same with your online identity and your passwords!


02 Sep

Apple Snow Leopard

Apple engineers missed a key opportunity to implement an industry-standard technology in their latest operating system that would have made it more resistant to hacking attacks, three researchers have said.

Known as ASLR, or address space layout randomization, the measure picks a different memory location to load system components each time the OS is started. While Microsoft has had it implemented since the roll-out of Windows Vista, the analogous protection in Snow Leopard, which went on sale Friday, suffers from a crucial deficiency: It fails to randomize core parts of the OS, including the heap, stack and dynamic linker.

That means that attackers who identify buffer overflows and similar bugs in OS X components have a much better chance of causing the vulnerability to execute malicious code that compromises the machine. The halfhearted attempt at implementing ASLR has been a chief complaint of security researchers since Leopard, Snow Leopard’s predecessor. Many had hoped it would be made more robust in the new version.

“ASLR is really only useful if EVERYTHING is randomized,” Charlie Miller, co-author of The Mac Hacker’s Handbook, wrote in an email to The Register. “If there is anything that is not randomized, it defeats the purpose mostly. This is a major shortcoming of Apple, and I’m disappointed they didn’t take this opportunity to implement full ASLR.”

Dino Dai Zovi, who also co-authored the Mac-hacking book, and fellow researcher Rich Mogull, CEO of Securosis, agreed that there is no discernible improvement in Snow Leopard’s implementation of ASLR compared with Leopard.

Not that the new OS hasn’t improved some security offerings. One, called DEP, has been greatly expanded in Snow Leopard. It prevents shellcode and similar data that is supplied by a user from being executed by the OS. Had OS X had the protection over the past two Pwn2Own hacking contests neither of Miller’s winning exploit entries would have worked.

One possible weakness with the new DEP offering: several parts of the Safari browser remain both writable and executable, a shortcoming that may make it easier for attackers to strike at one of the most targeted Apple applications.

QuickTime has also been mostly rewritten from scratch. While the jury is still out on how big an improvement the new code base contains, Miller said a vulnerability that works in the most recent version of Leopard doesn’t work in the QuickTime for Snow Leopard. Another improvement: Several highly targeted OS X components, including the H.264 video codec, now come with sandboxing, which tightly restricts the types of activities they can carry out.

Apple has made additional changes, including expanded menu options in its firewall and Safari plug-ins that run as separate processes. While Mogull said the latter should make it harder to exploit buggy add-ons, Dai Zovi worried that the change might allow attackers to repeatedly crash them unbeknownst to the user.

And as reported earlier, Snow Leopard comes with new malware protection that in some cases warns users if they are about to install a malicious file. The feature is extremely limited at the moment, but it wouldn’t be surprising to see Apple expand the offering over time.


09 Aug

Twitter and Facebook under DDOS Attack

More than two days after experiencing a complete outage as a result of a distributed denial-of-service (DDoS) attack, Twitter and other social networking sites such as Facebook are still battling a surge in traffic related to the attack. Twitter has taken some steps to mitigate the spike in traffic and ensure that the site is not knocked offline again, but some of those steps are having an impact on third-party tools that link to Twitter through APIs (application programming interfaces).

Evidence gathered thus far from Twitter and other sites targeted by the DDoS attacks seems to suggest that the attack is actually a politically motivated attack aimed at silencing a Georgian activist. The victim, known by the online handle Cyxymu, uses blogs and social media sites like Twitter and Facebook to express views related to the tensions between Russia and Georgia. In a blog post, Mikko Hypponen, Chief Research Officer of Internet security firm F-Secure, said “Launching DDoS attacks against services like Facebook is the equivalent of bombing a TV station because you don’t like one of the newscasters.”

To defend itself against the ongoing DDoS attack, Twitter has implemented various defensive actions, some of which are blocking third-party Twitter applications from being able to connect to Twitter APIs. The mitigating steps are also affecting the ability of many users to post to their Twitter accounts via SMS (short message service) text messages.

Twitter is working diligently for a more permanent solution that doesn’t impact third-party applications or SMS messaging. In the meantime though, Twitter has stated that as long as the attacks continue they can’t guarantee that things will get better or provide any assurances that they won’t get worse. The best they can do is to promise to do everything they can as fast as they can to ensure the site remains available.

Other steps that can be taken involve identifying and isolating sources of attack traffic and simply dropping all incoming packets from those sources. That can have some effect, but when an attack leverages a botnet and the attack traffic is literally coming from hundreds of thousands of sources simultaneously, it quickly becomes cumbersome and impractical to try to filter the traffic in this way. Another temporary solution could be to filter all traffic intended for the suspected victim, Cyxymu, and block that so that it does not hog the network bandwidth or server processing horsepower.
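The following added example (not code from this post or from Twitter) shows why per-source filtering works against a few loud senders but not against a botnet. It builds a constructed packet sample in which one source sends 50 packets in a second while 200 "bot" addresses each send only two packets, then applies a sliding-window threshold per source. The window and threshold values, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the traffic mix are all assumptions made for the illustration.

```python
from collections import defaultdict


def build_sample():
    """Constructed traffic: (timestamp_seconds, source_ip) records.

    One loud source sends 50 packets inside one second; a constructed
    'botnet' of 200 addresses sends only two packets each, but together
    they account for most of the volume.
    """
    packets = [(i / 50, "203.0.113.7") for i in range(50)]
    for n in range(200):
        bot = f"198.51.100.{n}"
        packets.append((0.2, bot))
        packets.append((0.7, bot))
    return packets


def sources_over_threshold(packets, window_seconds, max_packets):
    """Return the sources that sent more than max_packets within any
    window_seconds span. This is the per-source filter the post describes."""
    by_source = defaultdict(list)
    for ts, src in packets:
        by_source[src].append(ts)

    blocked = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > max_packets:
                blocked.add(src)
                break
    return blocked


def drop_blocked(packets, blocked):
    """Simulate dropping every packet from a blocked source."""
    return [p for p in packets if p[1] not in blocked]


def traffic_share(packets, sources):
    """Fraction of all packets that came from the given sources."""
    if not packets:
        return 0.0
    hits = sum(1 for _, src in packets if src in sources)
    return hits / len(packets)


if __name__ == "__main__":
    packets = build_sample()
    blocked = sources_over_threshold(packets, window_seconds=1.0, max_packets=10)
    print("blocked sources:", sorted(blocked))
    print("share of traffic removed: %.1f%%" % (100 * traffic_share(packets, blocked)))
    print("packets still arriving:", len(drop_blocked(packets, blocked)))
```

Only the single loud address trips the threshold; the 200 low-rate bots stay below it individually, so the filter removes roughly a tenth of the traffic while the bulk of the attack keeps arriving. Lowering the threshold far enough to catch two-packet senders would also block legitimate users, which is the impracticality the paragraph above describes.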

When the dust settles, Twitter should look at ways they can build scalability and redundancy into their network to better withstand similar attacks in the future. Stuart McClure, VP of Operations and Strategy for McAfee’s Risk and Compliance Unit and co-author of Hacking Exposed 6, says “Many of these newly emerging social engineering sites weren’t built with security or high performance scalability in mind. They need to look at their current and desired states and make tough decisions that migrate them from homegrown applications to highly available cornerstones of commerce.”


28 Jul

Monitor Carefully Your Credit Card Transactions

Here is another good reason to monitor your credit card transactions carefully: Network Solutions has announced that credit card data belonging to customers of its merchant servers was stolen. Obviously the thieves intend to use the stolen data for online purchases or in every other way possible, though perhaps not right away, while the subject is still hot.

In a letter sent to merchants who use its Ecommerce Hosting services, the company said that someone illegally installed software on company servers used to handle credit card transactions initiated by 573,928 people between March 12 and June 8, 2009.

The code “may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant Websites outside the company,” Network Solutions said in the letter, signed by company chairman and CEO Roy Dunbar and sent to merchants on Friday.

Consumers who were possibly affected by the intrusion are also being notified by credit monitoring service TransUnion. They will get 12 months of free credit monitoring.
The company has set up a Web site where affected merchants and consumers can get more information on the breach.


26 Jul

Email Privacy in Social Networking

Be careful when joining a social network, especially when a certain friend suddenly invites you to join one. Their email address could have been used inappropriately, and when you join, yours will be used too. The social networking site could grab all your contacts and spam them with “join” messages. Be sure to read the Terms and Conditions before joining.

On social Web, beware of address book mining
http://www.msnbc.msn.com/id/32088728/ns/business-consumer_news/

QUOTE: When you join a new Web site, how often do you read the terms and conditions before you click the accept button? Most people probably answer never or rarely. And that’s understandable. Many just want to get on the site. Who wants to read a document that goes on and on in language that only a lawyer could understand? That can be a big mistake. You never know what could be tucked in there. When you go to a new site, make sure you know what you are allowing them to do with your personal information.


16 Jul

Twitter Hacked into

Breaking into someone’s e-mail can be child’s play for a determined hacker, as Twitter Inc. employees have learned the hard way — again.

For the third time this year, the San Francisco-based company was the victim of a security breach stemming from a simple end-run around its defenses. In the latest case, a hacker guessed the password for an employee’s personal e-mail account and worked from there to steal confidential company documents.

The techniques used by the attackers highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control.

The shift toward doing more over the Web — a practice known as “cloud computing” — means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

Stealing the password for someone’s Gmail account, for example, not only gives the hacker access to that person’s personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

That’s apparently what happened to Twitter, which shares confidential data within the company through the Google Apps package that incorporates e-mail, word processing, spreadsheet, calendar and other Google services for $50 per user per year.

Co-founder Biz Stone wrote in a blog posting Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee’s Google Apps account.

Separately, the wife of co-founder Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams’ personal Amazon and PayPal accounts.

Stone said the attacks are “about Twitter being in enough of a spotlight that folks who work here can become targets.”

Some of the material the hacker posted online from the Google Apps documents was more embarrassing than damaging, like floor plans for new office space and a pitch for a TV show about the increasingly popular online messaging service.

Twitter says only one user account was potentially compromised because a screenshot of the account was included among the stolen documents. The value in hijacking a user’s account is limited, as those attacks are mainly used to post fake messages and try to trick the victim’s friends into clicking on links that will infect their computers.

Sensitive Twitter documents were filched, though.

The hacker claims to have employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.

TechCrunch, a widely read technology blog, says it was e-mailed the documents, and subsequently published some of them, including financial projections that Twitter drew up in February. The forecast envisioned Twitter generating its first revenue in the current quarter, with sales of about $400,000 and about 60 employees. By the end of next year, Twitter expected to employ about 345 people with annual revenue of about $140 million, according to the documents published by TechCrunch.

Stone said in an e-mail that most of the documents TechCrunch has access to are “speculative exercises.”

In his blog post, Stone said the stolen documents “are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world,” but said they are sensitive enough that their public release could jeopardize relationships with Twitter’s partners.

Stone said the company is talking to lawyers about “what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents.”

What the attacks on Twitter show is that Web sites don’t need to get compromised in the traditional sense to put their users and employees at risk.

Hackers don’t need to find a vulnerability in the site itself, or plant a virus on an employee’s computer, to sneak inside.

The easier approach is much more low-tech: All they need to find is an employee who uses weak passwords for his or her e-mail accounts, or has security questions that are easy to answer with a little information about the person.

It’s an old strategy that’s becoming more and more valuable as people’s personal and work lives merge online.

It can be trivial to guess someone’s passwords, as former vice presidential candidate Sarah Palin found out during the election, when her personal e-mail was hacked and screenshots were posted online. The attacker sneaked in by accurately guessing the answers to Palin’s security questions, based on information about her and her family that was already online.

Password-guessing programs are also a common hacking tool. An attacker runs the program against an account, and if it’s allowed to try lots of times and the password isn’t very complicated, the hacker’s in.

Twitter was hit twice before this year in similar incidents.

In an attack against Twitter in January, a Twitter support staffer’s account was compromised using a password-guessing program. The hacker got administrative access to the site. The Twitter feeds for Barack Obama, Britney Spears and other celebrities were used to send out bogus messages. A similar attack happened in May.
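The two paragraphs above hinge on one condition: a password-guessing program only works "if it's allowed to try lots of times." The added example below (not code from this post, from Twitter or from Google) shows the server-side check that removes that condition: salted PBKDF2 password hashing plus a failed-attempt counter that locks the account for a cooling-off period. The limits (5 failures, 15-minute lockout), the account record layout and the guess list are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values: lock after 5 consecutive failures for 15 minutes.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen database cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'.

    While locked, the password is not even checked, so a guessing program
    learns nothing from further attempts until the lockout expires.
    """
    if now < account.locked_until:
        return "locked"
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(account.pw_hash, candidate):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures = 0
    return "denied"


def simulate_guessing(account: Account, guesses, now: float = 0.0):
    """Run a constructed guess list against the account and report how many
    guesses were actually checked before the lockout stopped the run."""
    checked = 0
    for guess in guesses:
        result = attempt_login(account, guess, now)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            return ("ok", checked)
    return ("blocked", checked)


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    # Constructed guess list: common picks first, the real password last.
    guesses = ["password", "123456", "twitter", "letmein", "qwerty",
               "correct horse battery staple"]
    print(simulate_guessing(acct, guesses))
```

With the lockout in place the guessing run is cut off after five checks even though the real password is sixth in the list; without it, the same loop would simply keep going until it hit. The lockout state should be recorded in a log as well, since a burst of lockouts across many accounts is itself a signal that a guessing program is at work.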

The attacks on Twitter serve as a reminder of why many corporations are reluctant to jump on the cloud computing bandwagon. Outsourcing sensitive jobs can save money but also open up companies to more risk, because their data aren’t entirely under their control.

Another trend online is for Web-based services to streamline access by letting users log into each others’ sites with the same usernames and passwords. Facebook and other services have begun to do this, raising possible security risks.

The lesson from Twitter’s latest security troubles is an old one: Use strong passwords, which include some combination of letters and numbers, and for companies, be careful about how many accounts are linked to the same username and password combination.
