You were to bring balance to the ads, not leave us in darkness HTML5

Subject: General Tech | June 24, 2016 - 04:59 PM |
Tagged: VPAID, VAST, security, Malware, javascript, html5, flash

Upsetting news today from GeoEdge: not only will HTML5 not prevent drive-by infections from ads, but it also turns out that Flash was nowhere near as responsible for these infections as we thought.  Hard to say which of those two facts is more upsetting, but don't worry, you can still malign JavaScript.  The security problems actually stem from the two advertising standards used on the web, VAST and VPAID, which are the infection vector for the JavaScript code that runs to display the ad in your browser.  Follow the link from Slashdot for a detailed explanation of what is happening.


"A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused of being the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

I love it when a bad guy's plan doesn't come together

Subject: General Tech | March 17, 2016 - 05:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad.  A recently unleashed ransomware program seems to have been developed on stolen code, and the original developer has taken offence to this.  His original program, EDA2, was designed to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the data could be decrypted.

He has used that backdoor to break into the program and obtain the complete list of decryption keys, which he posted to the net; The Register has a link to that list right here.  It is good for the soul to see incompetent bad guys every once in a while.


"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."


Source: The Register

Ransomware Spreading Through Major Websites Via Infected Ad Servers

Subject: General Tech | March 16, 2016 - 05:12 AM |
Tagged: ransomware, Malwarebytes, Malware, adware

Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via MalwareBytes and others), whose story is heavily referenced here, the domain list contains a number of high traffic sites.

"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), my.xfinity (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexis, AOL, and Rubicon."


(Image credit: Ars Technica)

Unfortunately, the story doesn't get better from here. The Ars report continues:

"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."

The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:

"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."

The full article from Ars Technica can be found here as well as at the source link, and the cited Malwarebytes post can be found here.

So how did they do it? The banner ads themselves contained the malware, which could infect the viewer's system undetected.

"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware...' "

Of course it goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text, or autoplay videos creating a cacophony of unwanted noise, somewhere amidst the many open tabs. Of course it can be done with class, respectful of the reader's experience (and I would use our own site as an example).

A large number of web users employ ad-blocking extensions to their browser, though it is often the case that ad revenue pays for the costs associated with keeping such sites online. This outbreak is a further blow to the current financial stability of many sites when news such as today's ransomware debacle hits the tech (and soon the mainstream) press.

Source: Ars Technica

Microsoft to Reclassify Certain Ad-Injectors as Malware

Subject: General Tech | December 24, 2015 - 10:52 PM |
Tagged: microsoft, windows defender, adware, Malware, superfish

The Microsoft Malware Protection Center has announced that, on March 31st, 2016, certain types of advertisement injection will be reclassified as malware. This does not include all forms of ad injection, just the ones which use confusing, difficult-to-remove, or insecure methods of displaying ads. Specifically, adware must use the browser's default extension model, including its disable and remove functions. Recent adware has been known to modify DNS and proxy settings to force web traffic through a third party that injects ads, even into HTTPS websites by installing its own root certificates.

In other words, Superfish.


An interesting side-story is that, while Microsoft requires that adware use default browser extensions, Microsoft Edge does not yet have any. Enforcement doesn't start until March 31st, but we don't have a date for when extensions arrive in Microsoft Edge. I seriously doubt that the company intends to give Edge a lead time, but that might end up happening by chance. The lead time is probably to give OEMs and adware vendors a chance to update their software before it is targeted.

The post doesn't explicitly state the penalties for shipping adware that violates these criteria, but the criteria are the ones used by Microsoft's antimalware tools. As such, violators will probably be removed by Windows Defender, though that might not be the only consequence.

Source: Microsoft

Samsung Laptops Disable Windows Update Automatically

Subject: General Tech | June 24, 2015 - 07:00 PM |
Tagged: windows update, Samsung, notebook, Malware

A report from Paul Thurrott draws an uncomfortable comparison between the behavior of Samsung's notebook software and the recent Superfish controversy, and should be cause for concern for anyone using Samsung laptops with factory software.


Image credit: Samsung

The behavior is rather malware-like, as Thurrott points out: "In disabling Windows Update, the Samsung utility is behaving like malware—is, in fact, malware—which of course opens this event up to a comparison with Lenovo’s Superfish fiasco."

This behavior is apparently designed to prevent Microsoft drivers from installing over Samsung's proprietary versions, but this obviously has significant security implications. The fact that this happens automatically in the background is a significant breach of trust for consumers. This discovery was initially made by a Microsoft MVP, Paul Barker, who posted this response from Samsung on his blog:

“When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work,” he was told. “For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.”

There are instructions for disabling this software, but it might just be time for all of us to go to the trouble of creating our own official restore media and starting fresh with a clean install of Windows.

Source: Petri

Lenovo for those who don't care about security

Subject: General Tech | February 19, 2015 - 05:57 PM |
Tagged: superfish, Malware, Lenovo

Since 2014 Lenovo has been selling consumer laptops with an innocuously named program, Superfish, preinstalled.  For those not in the habit of wiping their laptop and installing the OS fresh to avoid the bloatware generally present on consumer products: you have been sharing the exact same SSL certificate as every other Lenovo owner, and the icing on the cake is that it is self-signed by Superfish, not issued by a certificate authority.  This means any and all transmissions done in a browser (apparently other than Firefox) could easily have been decrypted by anyone who captured your wireless transmissions, since the SSL key you were using is well known, seeing as it is present on every recent Lenovo machine.

Lenovo is downplaying the security issue and emphasizing that Superfish was just intended to inject ads into your browser based on your history, and that it could be disabled manually or by not agreeing to the terms and conditions when you turn on your laptop for the first time.  As the commenters on Slashdot rightly point out, that argument is disingenuous, and exposing your customers to a man-in-the-middle attack just so you can serve them some targeted advertising is a gross oversight.  Samsung has not seen much success with the argument that their monitoring software could be manually disabled either.  The program is no longer bundled on Lenovo laptops, as of this year.
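The three stories above (Superfish's shared self-signed root certificate, Microsoft's new criteria against adware that rewrites DNS and proxy settings, and Samsung's utility switching off Windows Update) all leave traces a user can look for on their own machine. The audit below is an added example for this page; it is not code from PC Perspective, Microsoft, Lenovo or Samsung. It assumes Windows with PowerShell 5.1 or later and the DnsClient module (Windows 8 / Server 2012 or newer), and should be run elevated so the LocalMachine certificate store is readable. The function names are invented for this example.

```powershell
# Added example, not code from PC Perspective, Microsoft, Lenovo or Samsung.
# Assumes Windows with PowerShell 5.1 or later; run elevated so the LocalMachine
# certificate store is readable. Function names are invented for this example.

function Get-PrivateKeyRootCerts {
    # A trusted root certificate should never come with its private key on an
    # endpoint. One that does is the Superfish pattern: the same key on every
    # machine lets anyone who has it mint a trusted cert for any site.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

function Get-TrafficRedirectSettings {
    # Proxy, PAC and DNS settings that adware rewrites to route browsing through
    # a third party (the behaviour Microsoft's new criteria call out).
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $dns  = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
    [pscustomobject]@{
        ProxyEnabled  = [bool]$inet.ProxyEnable
        ProxyServer   = $inet.ProxyServer
        AutoConfigUrl = $inet.AutoConfigURL
        DnsServers    = $dns
    }
}

function Get-WindowsUpdateState {
    # Check both the service and the NoAutoUpdate policy: a vendor utility that
    # turns updates off (the Samsung SW Update behaviour) shows up in one or the other.
    $svc = Get-Service -Name wuauserv
    $au  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus      = $svc.Status
        ServiceStartType   = $svc.StartType
        NoAutoUpdatePolicy = [bool]$au.NoAutoUpdate
    }
}

# Run the audit and flag findings.
$roots = @(Get-PrivateKeyRootCerts)
if ($roots.Count -gt 0) {
    Write-Warning "Trusted root certificate(s) with a private key present on this machine:"
    $roots | Format-Table -AutoSize
} else {
    Write-Host "No trusted root certificates with private keys found."
}

$net = Get-TrafficRedirectSettings
if ($net.ProxyEnabled -or $net.AutoConfigUrl) {
    Write-Warning "Browser traffic is being redirected: proxy='$($net.ProxyServer)' pac='$($net.AutoConfigUrl)'"
}
Write-Host "DNS servers in use:"
$net.DnsServers | ForEach-Object { Write-Host "  $_" }

$wu = Get-WindowsUpdateState
if ($wu.ServiceStartType -eq 'Disabled' -or $wu.NoAutoUpdatePolicy) {
    Write-Warning "Windows Update is disabled (service start type $($wu.ServiceStartType), NoAutoUpdate policy $($wu.NoAutoUpdatePolicy))"
} else {
    Write-Host "Windows Update service: $($wu.ServiceStatus), start type $($wu.ServiceStartType)"
}
```

The root-store check keys on the private key rather than on any particular subject name, so it catches any Superfish-style root regardless of who shipped it; a corporate proxy or a managed DNS server will show up under the redirect check as well, so compare that output against what your network is supposed to be using before treating it as adware.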


"... doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."


Source: Slashdot

The TIFF of Doom!

Subject: General Tech | November 6, 2013 - 09:08 PM |
Tagged: security, Malware, TIFF, windows

A newly discovered flaw in the handling of TIFF image files affects machines running Windows Vista or Server 2008, as well as Office 2003 to 2010 and Microsoft Lync on WinXP and Win7, with Windows 8 being the only one that does not contain this vulnerability.  According to The Register, the attack code is launched when the image is displayed, which tricks the "OS into copying malicious code stashed in the file into memory and then hijacking the processor to execute it."


"The software giant said the flaw allows attackers to remotely execute code and install malware on a vulnerable system by sending an email or instant message or convincing a user to open a specially crafted webpage."


Source: The Register

You're Supposed to Incinerate Plagued Corpses, Right?

Subject: General Tech | July 9, 2013 - 04:24 AM |
Tagged: Malware, derp

Sometimes I like to cleanse the palate with a lighthearted feel-good story. A little over a year and a half ago, the Department of Homeland Security (DHS) alerted the Economic Development Administration (EDA) and the National Oceanic and Atmospheric Administration (NOAA) of potential security breaches on their hardware. NOAA handled their clean-up well; EDA seemed to apply the logic commonly reserved for diseased cattle. I guess this counts?


Image: Memegenerator

Ultimately, it was paranoia that harmed the EDA. They spent a million dollars hiring an external firm to sanitize, secure, and guarantee immunity against malicious software. Unsatisfied with the lack of results under the final mandate, the EDA decided to destroy any hardware adjacent to any contamination.

Computers... printers... cameras... keyboards... mice...

$170,500 USD of hardware was demolished and almost a year was spent getting back on track. A further $3 million worth of equipment would have reached the same fate if the budget had not run out. This news was made public during their audit, released last month, by the Department of Commerce. The infections, discovered through this cleansing, were common malware and not a targeted attack.

The final cost of this overreaction was $2.7 million.

Source: Ars Technica

Tag teaming malware, just what everyone needs

Subject: General Tech | July 3, 2013 - 05:16 PM |
Tagged: Vobfus, Beebone, Malware, security

Vobfus has been around the block a few times: some Visual Basic code that first popped up in 2009 and tries to download and install code to attack machines that manage to get Vobfus on their systems.  Beebone, aka Win32/Beebone, is newer, a fairly common Trojan which is similar to Vobfus in that it attempts to download other malware rather than attacking your machine directly.  According to this story on The Inquirer, they have developed a symbiotic relationship: when one infects you, it immediately tries to infect you with the other.  That way they can fool anti-malware programs into believing they've sanitized your machine of all infections, when in fact you have only removed one of the two, and the remaining one immediately downloads and installs a different variant of the one you just removed.


"SOFTWARE HOUSE Microsoft's security researchers have discovered a pair of malware programs that help one another to avoid being detected by antivirus software.

Known as Vobfus and Beebone, the collaborating malware prove difficult to remove from infected machines as they work together, foiling the removal by regularly downloading updated versions of their respective partners."


Source: The Inquirer

Beware the click-jacking Captcha of Evil!

Subject: General Tech | July 2, 2013 - 05:29 PM |
Tagged: Malware, IE10, chrome, security

Just in case you weren't already getting tired of CAPTCHAs, there is a new click-jacking technique which works on both IE9 and 10 in Windows 7 and also on Chrome for Windows 8, so for the time being you might want to avoid any CAPTCHAs that begin with an 'R'.  The new SmartScreen feature on Win8, as well as UAC, should give you at least some defense by requiring you to allow the executable to run before it can infect your machine, but you can be guaranteed that some less observant users will click straight through without reading the messages which appear.  While this type of attack is nothing new, the particular technique described at The Register does have some new tricks.


"A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.

The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, the keyjacking involves disguising a "run executable" dialogue box within a CAPTCHA challenge."


Source: The Register