Friday, September 19, 2008

How Criminals Hacked

I decided to wait a day before posting about this to see if anything popped up that indicates the criminals that took over VP Candidate Sarah Palin's email address did anything special.

Nope. This was social engineering, plain and simple. According to the BBC, the hackers simply contacted Yahoo customer support and asked for the password to be changed.

When challenged by the security questions (What is your mother's maiden name? What is the name of your pet?), the criminals used "information from Wikipedia and other online databases helped to establish Mrs Palin's date of birth, zip code and other personal information."

As in:

"Okay Mr Bush, I can reset that password for you... but I need to ask you a couple of questions first... what is your mother's maiden name, and what is the name of your pet?"

The answers are, of course, "Pierce" and "Barney". Date of birth? July 6th, 1946. Zip code? The White House has its own: 20500.

Challenge-response has been an underlying security principle since the whispering of passwords upon approaching castle gates in pre-Roman times. But in an era where people can quickly and easily learn everything about you, easily-guessed questions are passe.

Over the past couple of years, many major sites have improved the strength of these challenge response mechanisms a little by allowing users to input their own questions.

But too many of these sites compromise this action by defaulting to common questions that are easily researched, such as "mother's maiden name", or guessed "city in which you were married".

Ultimately, where we are headed is towards trustworthy computing, powered by technologies like Authentium SafeCentral, which does a great job of protecting login credentials - and securely storing web site passwords.

Note: The criminals apparently left their fingerprints on the theft. One interesting conundrum will be whether on not C-Tunnel will be forced to turn over logs relating to their anonymizing of the session to the Secret Service.

My guess on that is "yes, they will".

Thursday, September 4, 2008

Beware: Skype "Security Center" Scam

I use Skype a lot to chat with friends and business partners outside the US. It's cheap, and the quality is often better than POTS (Plain Old Telephone Service)-based systems. However today, my Skype client almost bit me.

The above message (see screen shot) came in as I was on my normal telephone line and immediately caught my interest.

A Security Center warning? Via a Skype client?

Now, as the founder of a security software company, you'd probably expect me to be immune to social engineering attacks by now, and ultimately, I was. But it took me a few seconds. This is one well-crafted scam, and Skype is becoming so rich with features that for a moment, I wondered if Skype had in fact integrated with the Windows Security Center.

Then, the fog lifted.

A call to Robert Sandilands and the other hard-working guys in our Authentium virus lab confirmed that this social engineering scam and others (including dating offers) are starting to become reasonably prevalent on the Skype service.

Skype users, heed this advice: if you see a "Repair Service" warning come in over Skype, DO NOT click on the links.

According to Eric in the lab, the link takes you to a fake web-scanner complete with animated progress bar and a pretend file tree that will pretend to find spyware/viruses, then try and scare you into handing over your credit card details.

"The link at the bottom of your SKYPE snapshot image leads to a page that does a mock scan of your system (but what it really is just HTML code and java-script displaying several filenames pre-stored in a java-script file, with a progress bar and such, and then displaying number of infections found)..."

"...which then prompts the user to visit another webpage that asks the user to purchase their antispyware solution and prompts the user for shipping and billing information, credit card information, country and state of residence, etc. The page is written to look very professional with privacy statements, etc."

Skype users - please be careful, and please ignore "Security Center" security warnings that appear in the Skype interface - they are scams. And be prepared - we can expect to see a lot more of these Skype-based social engineering attacks in the future.

Wednesday, September 3, 2008

Password-Stealing Virus in Space

Remember how in Independence Day, the aliens were thwarted by a virus uploaded from Jeff Goldblum's Mac? Wired magazine has a news story out about a recurrence of malware-related activity in the International Space Station.

A NASA spokesperson confirmed to Wired yesterday that this was not the first time this has happened.

"This is not the first time we have had a worm or a virus," NASA spokesman Kelly Humphries said. "It's not a frequent occurrence, but this isn't the first time."

You can read the rest of the article here.

Google Chrome's Big Weakness: Screen-Stealing

Google Chrome improves the security profile normally associated with browsers, but it also leaves users exposed to one of the largest vulnerabilities: screen-stealing.

Screen-stealing is a real problem and a major objective of spyware and malware developers. It is a great way for criminals to gather information they can use to commit identity fraud, or outright identity theft.

Here's some instances in which you *don't* want criminals stealing shots of your web browser:

  • When you're banking
  • When you're doing your taxes
  • when you're applying for a new license
  • When you're paying your bills
  • When you're doing email in your browser
  • When you're entering account details
  • When you're viewing family pictures
  • When you're modifying settings
  • When you're opening a new account somewhere
If you're considering doing any of these things securely, you should probably avoid Google Chrome for the time being in favor of a truly secure browsing environment.

The screen-shot above of Google Chrome was lifted right off the desktop, mid-way through a new account sign-up at a major bank. There are literally thousands of examples of malware out there that can do this.

Authentium SafeCentral does not allow screen shots to be captured: SafeCentral prevents screen shots from being used by online criminals and identity thieves. Google Chrome is not able to stop this from happening - nor are IE, Firefox, Safari and Opera. Only SafeCentral has the ability to prevent screen-stealing.

If you need to bank online securely, go over to SafeCentral and download it. It takes about the same amount of time as downloading Chrome, but it is much more secure.

Tuesday, September 2, 2008

Google Chrome: First Impressions

Okay, I'm writing this blog post inside of Google Chrome, the brand new browser from our friends at Google. But as I was posting a screenshot into Blogger (a Google company), I experienced a blow-up complete with an image reminicent of what I used to see when my Mac 128k blew up:

You might say "hey, it's day one - cut them some slack!" But that would be boring. Besides, people need to know. So here's some instant things that I instantly hate, plus a couple of reasons why you still need a safe browser:

1. Web pages used to look different in just three popular browsers - now they are going to look different in Firefox, IE, Safari AND Chrome. More work for me and every one else that owns a web site. Thanks a lot.

2. Freaking-out fonts! I just went on Facebook and the fonts look ever so slightly - and weirdly - different. Why?

3. Yellow highlight around the form text field. I hate this as much as I hate seat belts and bicycle helmets.

4. Unexpected behavior - inside the Blogger edit window , I used to just click on an image to highlight it - now the browser thinks I want to travel there. Uh-uh. That's what Crl-Click is for.

5. Only slightly better security than Firefox. Not mind-blowing, not even close to comprehensive.

6. If this truly is representative of the front-end of cloud computing, we aren't going to be saying goodbye to desktop apps for some time to come - and Chrome adds nothing to the overall security of your device, save a slightly safer browser.

Anyway, that's five minutes worth of feedback. As far as #5 (security) goes, if everything works as advertised, Chrome will create a safer Internet browsing experience, but nothing even close to what our SafeCentral secure desktop provides.

We go deeper (in terms of operating system-level protection), broader (we protect *all* desktop apps, not just web apps running in your browser), and further (we protect DNS lookup requests and all of the associated infrastructure and files.

In other words, ignore page 26 of the comic book. Google attempts to protect only what is in the browser - and only does so in a limited way. We protect everything. Authentium SafeCentral rules the roost when it comes to holistic security - i.e. securing your Internet browsing and your desktop.

In Google Chrome's favor, the rendering speed is faster, and the support for multi-processing seems to work well (I recovered from the above issue without having to restart the browser). It is a very clearn UI. The bookmark import worked just as well as it does on Firefox.

Add to all this the fact that someone has bothered to redesign the idea of browsing from scratch (yet, BMW-like, incorporate the good stuff from years gone by), and Chrome may yet become a standard - we can only hope it doesn't grab a mere 15% market share and force yet another test case on the world's web developers.

Note: "Chrome" is a reference to what browser developers call the user interface, or visual part of the browser. If you've done any browser add-on development using XPI or XUL, the Firefox extension and UI languages, you'll be able to instantly relate - the rest of humanity is probably wondering why call it anything - other than "the Google browser".

Note: to get Chrome started on Vista, I had to navigate one amusing screenshot (the first shot in the battle?) - this is the screen shot that I was trying to post earlier, but couldn't: