Subject: General Tech | March 17, 2016 - 05:25 PM | Jeremy Hellstrom
Tagged: ransomware, Malware, security, idiots
With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad. A recently unleashed ransomware program seems to have been built on stolen code, and the original developer has taken offence to this. His original program, EDA2, was designed to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the data could be decrypted.
He has used that backdoor to get into the program, obtained the complete list of decryption keys and posted them online; The Register links to that list right here. It is good for the soul to see incompetent bad guys every once in a while.
"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."
Here is some more Tech News from around the web:
- Stagefright: Millions of Android devices vulnerable to new exploit @ The Inquirer
- American Express Warns Customers About Breach -- From 2013 @ Slashdot
- New iOS malware targets stock iPhones, spreads via App Store @ The Register
- Within 6 Years, Most Vehicles Will Allow OTA Software Updates @ Slashdot
- Hands On With The Odroid C2; the Raspberry Pi 3 Challenger @ Hack a Day
- Sky throws hat into VR ring with launch of new studio @ The Inquirer
- Plucky cable billionaires defeat menace of small-town broadband @ The Register
Subject: General Tech | March 16, 2016 - 05:12 AM | Sebastian Peak
Tagged: ransomware, Malwarebytes, Malware, adware
Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via Malwarebytes and others), whose story is heavily referenced here, the list of affected domains contains a number of high-traffic sites.
"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), my.xfinity (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexus, AOL, and Rubicon."
(Image credit: Ars Technica)
Unfortunately, the story doesn't get better from here. The Ars report continues:
"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."
The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:
"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."
So how did they do it? The banner ads themselves carried the malicious code, which could infect the viewer's system undetected.
"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware...' "
It goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text, or autoplay videos creating a cacophony of unwanted noise somewhere amidst the many open tabs. It can also be done with class, respectful of the reader's experience (and I would use our own site as an example).
A large number of web users employ ad-blocking extensions in their browser, though it is often the case that ad revenue pays for the costs associated with keeping such sites online. This outbreak is a further blow to the current financial stability of many sites, as news such as today's ransomware debacle hits the tech (and soon the mainstream) press.
Subject: General Tech | December 24, 2015 - 10:52 PM | Scott Michaud
Tagged: microsoft, windows defender, adware, Malware, superfish
The Microsoft Malware Protection Center has announced that, on March 31st, 2016, certain types of advertisement injection will be reclassified as malware. This does not include all forms of ad injection, just those which use confusing, difficult-to-remove, or insecure methods of displaying ads. Specifically, adware must use the browser's default extension model, including its disable and remove functions. Recent adware has been known to modify DNS and proxy settings to force web traffic through a third party that injects ads, and to do so even on HTTPS sites by installing its own root certificates.
In other words, Superfish.
An interesting side-story is that, while Microsoft requires that adware use default browser extensions, Microsoft Edge does not yet have any. Enforcement doesn't start until March 31st, but we don't have a date for when extensions arrive in Microsoft Edge. I seriously doubt that the company intends to give Edge a lead time, but that might end up happening by chance. The lead time is probably there to give OEMs and adware vendors a chance to update their software before it is targeted.
The post doesn't explicitly state the penalties for shipping adware that violates these criteria, but the criteria are the ones used by Microsoft's antimalware tools. As such, violators will probably be removed by Windows Defender, but that might not be the only consequence.
Subject: General Tech | June 24, 2015 - 07:00 PM | Sebastian Peak
Tagged: windows update, Samsung, notebook, Malware
A report from Paul Thurrott draws an uncomfortable comparison between the behavior of Samsung's notebook software and the recent Superfish controversy, and should be cause for concern for anyone using Samsung laptops with factory software.
Image credit: Samsung
The behavior is rather malware-like, as Thurrott points out: "In disabling Windows Update, the Samsung utility is behaving like malware—is, in fact, malware—which of course opens this event up to a comparison with Lenovo’s Superfish fiasco."
This behavior is apparently designed to prevent Microsoft drivers from installing over Samsung's proprietary versions, but it obviously has significant security implications. The fact that this happens automatically in the background is a significant breach of trust for consumers. This discovery was initially made by a Microsoft MVP, Paul Barker, who posted this response from Samsung on his blog:
“When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work,” he was told. “For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.”
There are instructions for disabling this software, but it might just be time for all of us to go to the trouble of creating our own official restore media and starting fresh with a clean install of Windows.
Subject: General Tech | February 19, 2015 - 05:57 PM | Jeremy Hellstrom
Tagged: superfish, Malware, Lenovo
Since 2014 Lenovo has been selling consumer laptops with an innocuously named program, Superfish, preinstalled. For those not in the habit of wiping their laptop and installing the OS fresh to avoid the bloatware generally present on consumer products: you have been sharing the exact same SSL certificate as every other Lenovo owner, and the icing on the cake is that it is self-signed by Superfish, not issued by a certificate authority. This means any and all transmissions done in a browser (apparently other than Firefox) could easily have been decrypted by anyone who captured your wireless traffic, since the private key you were relying on is effectively public, being present on every recent Lenovo machine.
Lenovo is downplaying the security issue and emphasizing that Superfish was just intended to inject ads into your browser based on your history, and that it could be disabled manually or by not agreeing to the terms and conditions when you turn on your laptop for the first time. As the commenters on Slashdot rightly point out, that argument is disingenuous; exposing your customers to a man-in-the-middle attack just so you can serve them some targeted advertising is a gross oversight. Samsung has not seen much success with the argument that their monitoring software could be manually disabled either. The program is no longer bundled on Lenovo laptops, as of this year.
"... doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."
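The Microsoft adware criteria above (DNS and proxy changes, injected root certificates) and this Superfish post both come down to host-level traits an administrator can audit. The following PowerShell is an added example, not code from either post or from any vendor named in them; the expected DNS server list and the known-bad thumbprint list are placeholders the operator supplies.

```powershell
# Added example: audit a Windows host for the traits named in the posts above
# (forced proxy/PAC settings, changed DNS servers, an interception root CA).
# $ExpectedDns and $KnownBadThumbprints are placeholders the operator fills in.

function Get-ProxyOverride {
    # WinINET proxy settings used by Internet Explorer and the shell (per-user).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

function Get-UnexpectedDnsServers([string[]]$ExpectedDns) {
    # Any IPv4 resolver not on the operator's expected list is reported.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($ExpectedDns -notcontains $srv) {
                    [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $srv }
                }
            }
        }
}

function Get-SuspiciousRootCerts([string[]]$KnownBadThumbprints) {
    # An ad-injecting interception proxy must be able to sign with a root the
    # browser trusts. Two heuristics: a root whose private key is present on
    # this machine (public CAs never ship theirs), and a root whose thumbprint
    # is on a list the operator maintains. Not every interception tool keeps
    # its key in the certificate store, so the two checks complement each other.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object {
            $_.HasPrivateKey -or ($KnownBadThumbprints -contains $_.Thumbprint)
        } |
        Select-Object Thumbprint, Subject, NotBefore, HasPrivateKey, PSParentPath
}

# Usage with placeholder values; replace them with your environment's.
$proxy = Get-ProxyOverride
if ($proxy.ProxyEnabled -or $proxy.AutoConfigUrl) { $proxy | Format-List }
Get-UnexpectedDnsServers -ExpectedDns @('192.0.2.53') | Format-Table
Get-SuspiciousRootCerts -KnownBadThumbprints @('PLACEHOLDER_THUMBPRINT') | Format-Table
```

Run it from an elevated prompt so the machine-wide certificate store is readable; an empty result from each function is the expected state on a clean install.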
Here is some more Tech News from around the web:
- Microsoft opens Office storage back end for iOS love @ The Register
- Qualcomm outs ARM Cortex A72-based Snapdragon 620 and 618 chips @ The Inquirer
- How to Zip, Stick, and Screw Stuff Together @ Hack a Day
- BlackBerry's money-making QNX unit touts virty dual-OS devices @ The Register
- Getting Data Out of the Cloud Before Disaster @ Benchmark Reviews
- New Android Trojan Fakes Device Shut Down, Spies On Users @ Slashdot
- Adobe Photoshop turns 25 @ The Inquirer
- 10 Highlights of Jon Corbet's Linux Kernel Report @ Linux.com
Subject: General Tech | November 6, 2013 - 09:08 PM | Jeremy Hellstrom
Tagged: security, Malware, TIFF, windows
A newly discovered flaw in the handling of TIFF image files affects machines running Windows Vista or Server 2008, as well as Office 2003 to 2010 and Microsoft Lync products on WinXP and Win7, with Windows 8 being the only one that does not contain this vulnerability. According to The Register, attack code is launched when the image is displayed, which tricks the "OS into copying malicious code stashed in the file into memory and then hijacking the processor to execute it."
"The software giant said the flaw allows attackers to remotely execute code and install malware on a vulnerable system by sending an email or instant message or convincing a user to open a specially crafted webpage."
Here is some more Tech News from around the web:
- FLASH, AH-AAAH! Saviour of the universe Rackspace cloud? @ The Register
- Samsung promises 4K smartphone screens for 2015 @ The Inquirer
- Google Nexus 5: So easy to fix, it's practically a DIY kit - except for ONE thing @ The Register
- Google Ends Internet Explorer 9 Support In Google Apps @ Slashdot
- The iPad Air, Customer Dynamics, and Planned Obsolescence @ TechwareLabs
- 250 Hard Drives Used To Make One Epic F1 Car @ Legit Reviews
Subject: General Tech | July 9, 2013 - 04:24 AM | Scott Michaud
Tagged: Malware, derp
Sometimes I like to cleanse the palate with a lighthearted feel-good story. A little over a year and a half ago, the Department of Homeland Security (DHS) alerted the Economic Development Administration (EDA) and the National Oceanic and Atmospheric Administration (NOAA) of potential security breaches in their hardware. NOAA handled their clean-up well; the EDA seemed to apply the logic commonly reserved for diseased cattle. I guess this counts?
Ultimately, it was paranoia that harmed the EDA. They spent a million dollars hiring an external firm to sanitize, secure, and guarantee immunity against malicious software. Unsatisfied with the lack of results under the final mandate, the EDA decided to destroy any hardware adjacent to any contamination.
Computers... printers... cameras... keyboards... mice...
$170,500 USD of hardware was demolished and almost a year was spent getting back on track. A further $3 million worth of equipment would have reached the same fate if the budget had not run out. This news was made public during their audit, released last month, by the Department of Commerce. The infections, discovered through this cleansing, were common malware and not a targeted attack.
The final cost of this overreaction was $2.7 million.
Subject: General Tech | July 3, 2013 - 05:16 PM | Jeremy Hellstrom
Tagged: Vobfus, Beebone, Malware, security
Vobfus has been around the block a few times: it is Visual Basic code that first popped up in 2009 and tried to download and install further code to attack the machines it landed on. Beebone, aka Win32/Beebone, is newer, a fairly common Trojan which is similar to Vobfus in that it attempts to download other malware rather than attacking your machine directly. According to this story on The Inquirer, the two have developed a symbiotic relationship: when one infects you, it immediately tries to infect you with the other. That way they can fool anti-malware programs into believing that they have sanitized your machine of all infections, when in fact only one of the two has been removed and the remaining one immediately downloads and installs a different variant of the one you just removed.
"SOFTWARE HOUSE Microsoft's security researchers have discovered a pair of malware programs that help one another to avoid being detected by antivirus software.
Known as Vobfus and Beebone, the collaborating malware prove difficult to remove from infected machines as they work together, foiling the removal by regularly downloading updated versions of their respective partners."
Here is some more Tech News from around the web:
- Salvaging Lithium cells and circuits @ Hack a Day
- Texas Instruments releases chips to provide HD 720p touchscreens in cars @ The Inquirer
- Crimelords: Stolen credit cards... keep 'em. It's all about banking logins now @ The Register
- E3 2013 Awards @ OCC
Subject: General Tech | July 2, 2013 - 05:29 PM | Jeremy Hellstrom
Tagged: Malware, IE10, chrome, security
Just in case you weren't already getting tired of captchas, there is a new click-jacking technique which works on both IE9 and IE10 in Windows 7 and also on Chrome for Windows 8, so for the time being you might want to avoid any captchas that begin with an 'R'. The new SmartScreen features on Win8, as well as UAC, should give you at least some defense and require you to allow the executable to run before it can infect your machine, but you can be guaranteed that some less observant users will click straight through without reading the messages that appear. While this type of attack is nothing new, the particular technique mentioned at The Register does have some new tricks.
"A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.
The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, the keyjacking involves disguising a "run executable" dialogue box within a CAPTCHA challenge."
Here is some more Tech News from around the web:
- Microsoft's murder most foul: TechNet is dead @ The Register
- ASUS USB-AC53 Dual-band Wireless-AC1200 Adapter Review @ Legit Reviews
- Last Call: Google Reader Dies Monday, Here Are The Best Alternatives @ TechSpot
- Genius DVR-FHD590 Dash Camera Vehicle Recorder @ Benchmark Reviews
- More Great Linux Awk, Sed, and Bash Tips and Tricks @ Linux.com
- Apple applies for 'iWatch' trademark in multiple countries @ The Inquirer
- VR-Zone Posts Intel SSD 5Q Roadmap – LSI SandForce Based 530 and 1500/2500 Pro M.2 SSDs On The Way
- Firefox Takes the Performance Crown From Chrome @ Slashdot
- Ninjalane Podcast Episode 30
- AT&T patents P2P content tracking system @ The Register
- July 2013 Contest - WIN an Apple iPad Mini 32GB @ Funky Kit
Subject: Editorial, General Tech | May 16, 2013 - 07:45 PM | Scott Michaud
Tagged: web browser, Malware, IE10
If you consider your browser security based solely on whether it will allow you to manually download a malicious executable: IE10 is the best browser ever!
Rod Trent over at Windows IT Pro seems to believe this after NSS Labs released their report, "Socially Engineered Malware Blocking". In this report, Internet Explorer blocked the user from downloading nearly all known malware (clarification: all known malware within the test). Google Chrome came in second place with a little less than a 17% failure rate, and the other browsers were quite far behind with approximately a 90% failure rate.
Based on that one metric alone, Rod Trent used a cutesy chess image to proclaim IE the... king... of the hill. Not only that, he suggests Safari, Opera, and Firefox consider "shuttering their doors." After about a decade of Internet Explorer suffering from countless different and unique vectors of exploitation, now is the time to proclaim a victor for attacks which require explicit user action?
Buckle in, readers, it's a rant.
Firstly, this reminds me a little bit of Microsoft Security Essentials. Personally, I use it, because it provides enough protection for me. Unlike its competitors, MSE has next to no false positives because it almost ignores zero-day exploits. The AV package drew criticism from lab tests which test zero-day exploits; Microsoft Security Essentials was ranked second-worst by this metric.
Well, time to shutter your doors Micr... oh wait Rod Trent lauded it as award-winning. Huh...
But while we are on the topic of false positives, how do you weigh those in your grading of a browser? According to the report, and common sense, achieving pure success in this metric is dead simple if you permit your browser to simply block every download, good or bad.
If a 100% false positive rate is acceptable, it is trivial to protect users from all malicious downloads. With just a few lines of code, Firefox, Safari, and Opera could displace Internet Explorer and Chrome as the leaders in protection against socially engineered malware. However, flagging every download as "malicious" would break the internet. Finding a balance between accuracy and safety is the challenge for browsers at the front of protection technology.
A browser that is capable of blocking malware without blocking legitimate content would certainly be applause-worthy. I guess time will tell whether Internet Explorer 10 is able to walk the balance, or whether it will just be a nuisance like the first implementations of UAC.
OK, Google did actually release exactly one native Windows application at Google I/O: It's called Android Studio, an application that helps developers create apps that run on Android, Google’s answer to Windows. But don’t worry, Microsoft fans: Internet Explorer (IE) flags the Android Studio download as potential malware.
Ah crap... that was quick.
Now to be fair, Internet Explorer 10 and later have been doing things right. I am glad to see Microsoft support standards and push for an open web after so many years. This feature helps protect users from their own complacency.
Still, be careful when you call checkmate: some places may forfeit your credibility.