Yes, some of your users' phones are infected

Subject: General Tech | July 5, 2016 - 12:32 PM |
Tagged: security, Malware

Managing mobile devices in an enterprise environment is a nightmare, even with properly set up security policies and some sort of Mobile Device Manager. Security firm Skycure recently estimated that one in every 200 devices is infected with some form of malware, which seems a bit low, especially considering that some of the devices tested had 290 apps installed. Infections of Android devices are the most common, but do not think for a moment that your iOS device is safe: it may be only half as likely to be compromised, but it has serious vulnerabilities as well. Drop by The Register for a look at the numbers of bad apps on the various stores.


"Researchers found enterprises have three unique infection instances with devices sporting an eye-watering average of 290 apps a piece."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Doctor, treat thyself... or at least the hospital, please

Subject: General Tech | June 29, 2016 - 01:36 PM |
Tagged: hospital, security, winxp, Malware

For the past few years we have heard about some rather horrific security vulnerabilities in hospitals, and sadly this has not changed at all. Many hospitals are still on older, unsupported OSes such as WinXP, and most current security software no longer looks for the old malware that was used against them. In one case a hospital using centralised intrusion detection software, updated endpoint protection, and a new-model firewall was still compromised using very old malware. In most of the cases described by The Register it was personal data and medical records that were compromised, but that doesn't mean the medical appliances and physical security systems are not also vulnerable to attack.


"Attackers have popped three prominent US hospitals, using deliberately ancient malware so old that it slips under the radar of modern security controls to compromise Windows XP boxes and gain network beachheads."



Source: The Register

You were to bring balance to the ads, not leave us in darkness HTML5

Subject: General Tech | June 24, 2016 - 12:59 PM |
Tagged: VPAID, VAST, security, Malware, javascript, html5, flash

Upsetting news today from GeoEdge: not only is HTML5 not going to prevent drive-by infections from ads, but it also turns out that Flash was nowhere near as responsible for these infections as we thought. Hard to say which of those two facts is more upsetting, but don't worry, you can still malign JavaScript. The security problems actually stem from the two advertising standards used on the web, VAST and VPAID; they are the infection vector for the JavaScript code that runs to display the ad in your browser. Follow the link from Slashdot for a detailed explanation of what is happening.


"A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused of being the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves."


Source: Slashdot

I love it when a bad guy's plan doesn't come together

Subject: General Tech | March 17, 2016 - 01:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad. A recently unleashed ransomware program seems to have been developed on stolen code, and the original developer has taken offence to this. His original program, EDA2, was designed to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the data could be decrypted.

He has used that backdoor to break into the program, obtained the complete list of decryption keys and posted them to the net; The Register has a link to that list right here. It is good for the soul to see incompetent bad guys every once in a while.


"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."


Source: The Register

Ransomware Spreading Through Major Websites Via Infected Ad Servers

Subject: General Tech | March 16, 2016 - 01:12 AM |
Tagged: ransomware, Malwarebytes, Malware, adware

Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via MalwareBytes and others), whose story is heavily referenced here, the domain list contains a number of high traffic sites.

"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexis, AOL, and Rubicon."


(Image credit: Ars Technica)

Unfortunately, the story doesn't get better from here. The Ars report continues:

"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."

The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:

"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."

The full article from Ars Technica can be found here as well as at the source link, and the cited Malwarebytes post can be found here.

So how did they do it? The banner ads themselves contained the malware, which could infect the viewer's system undetected.

"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware...' "

Of course it goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text, or autoplay videos creating a cacophony of unwanted noise, somewhere amidst the many open tabs. Of course it can be done with class, respectful of the reader's experience (and I would use our own site as an example).

A large number of web users employ ad-blocking extensions to their browser, though it is often the case that ad revenue pays for the costs associated with keeping such sites online. This outbreak is a further blow to the current financial stability of many sites when news such as today's ransomware debacle hits the tech (and soon the mainstream) press.

Source: Ars Technica

Microsoft to Reclassify Certain Ad-Injectors as Malware

Subject: General Tech | December 24, 2015 - 05:52 PM |
Tagged: microsoft, windows defender, adware, Malware, superfish

The Microsoft Malware Protection Center has announced that, on March 31st, 2016, certain types of advertisement injection will be reclassified as malware. This does not include all forms of ad injection, just ones which use confusing, difficult to remove, or insecure methods of displaying the ads. Specifically, adware must use the browser's default extension model, including its disable and remove functions. Recent adware has been known to modify DNS and proxy settings to force web traffic through a third party that injects ads, even into secure (HTTPS) websites by way of installed root certificates.

In other words, Superfish.


An interesting side-story is that, while Microsoft requires that adware use default browser extensions, Microsoft Edge does not yet have any. Enforcement doesn't start until March 31st, but we don't have a date for when extensions arrive in Edge. I seriously doubt that the company intends to give Edge a lead time, but that might end up happening by chance. The lead time is probably there to give OEMs and adware vendors a chance to update their software before it is targeted.

The post doesn't explicitly state the penalties for shipping adware that violates these criteria, but the criteria are used by Microsoft's antimalware tools. As such, violators will probably be removed by Windows Defender, but that might not be the only consequence.

Source: Microsoft

Samsung Laptops Disable Windows Update Automatically

Subject: General Tech | June 24, 2015 - 03:00 PM |
Tagged: windows update, Samsung, notebook, Malware

A report from Paul Thurrott draws an uncomfortable comparison between the behavior of Samsung's notebook software and the recent Superfish controversy, and should be cause for concern for anyone using Samsung laptops with factory software.


Image credit: Samsung

The behavior is rather malware-like, as Thurrott points out: "In disabling Windows Update, the Samsung utility is behaving like malware—is, in fact, malware—which of course opens this event up to a comparison with Lenovo’s Superfish fiasco."

This behavior is apparently designed to prevent Microsoft drivers from installing over Samsung's proprietary versions, but it obviously has significant security implications. The fact that this happens automatically in the background is a significant breach of trust for consumers. The discovery was initially made by a Microsoft MVP, Paul Barker, who posted this response from Samsung on his blog:

“When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work,” he was told. “For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.”

There are instructions for disabling this software, but it might just be time for all of us to go to the trouble of creating our own official restore media and starting fresh with a clean install of Windows.

Source: Petri

Lenovo for those who don't care about security

Subject: General Tech | February 19, 2015 - 12:57 PM |
Tagged: superfish, Malware, Lenovo

Since 2014 Lenovo has been selling consumer laptops with an innocuously named program, Superfish, preinstalled. For those not in the habit of wiping their laptop and installing the OS fresh to avoid the bloatware generally present on consumer products: you have been sharing the exact same SSL certificate as every other Lenovo owner, and the icing on the cake is that it is self-signed by Superfish, not issued by a certificate authority. This means any and all transmissions done in a browser (apparently other than Firefox) could easily have been decrypted by anyone who captured your wireless traffic, since the SSL key you were using is well known, seeing as it is present on every recent Lenovo machine.

Lenovo is downplaying the security issue and emphasizing that Superfish was just intended to inject ads into your browser based on your history, and that it could be disabled manually or by not agreeing to the terms and conditions when you turn on your laptop for the first time. As the commenters on Slashdot rightly point out, that argument is disingenuous: exposing your customers to a man-in-the-middle attack just so you can serve them some targeted advertising is a gross oversight. Samsung has not seen much success with the argument that their monitoring software could be manually disabled either. The program is no longer bundled on Lenovo laptops, as of this year.
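As an added example (mine, not from any of the articles or vendors above), here is a read-only PowerShell audit that checks a Windows machine for the three vendor-software behaviours discussed on this page: a vendor root certificate such as Superfish's, a proxy redirect of the kind Microsoft's ad-injector criteria call out, and a disabled Windows Update service as in the Samsung case. The vendor name list is an assumption to adjust for your own fleet.

```powershell
# Added example: read-only audit of the vendor-software behaviours discussed in these
# posts. Run from an elevated PowerShell prompt on the machine under review.
# The vendor name list is an assumption; extend it for the software in your fleet.
$SuspectVendors = @('Superfish')

function Get-SuspectRootCerts {
    # Trusted roots whose subject names a vendor rather than a public CA, plus any
    # root that carries its private key on the endpoint. A public CA root never
    # does; an internal enterprise CA you built yourself is the expected exception.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object {
            $subject = $_.Subject
            ($SuspectVendors | Where-Object { $subject -like "*$_*" }) -or $_.HasPrivateKey
        } |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath } },
                      Subject, Thumbprint, HasPrivateKey, NotAfter
}

function Get-ProxyRedirect {
    # Per-user proxy settings an ad injector may have changed to route HTTP(S)
    # through a third party. A ProxyServer or AutoConfigURL you did not set deserves a look.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-WindowsUpdateState {
    # The Samsung SW Update behaviour leaves the Windows Update service (wuauserv)
    # disabled. StartType is available on PowerShell 5.0 and later.
    Get-Service -Name wuauserv | Select-Object Name, Status, StartType
}

'== Vendor or private-keyed root certificates =='
Get-SuspectRootCerts | Format-Table -AutoSize
'== Proxy settings =='
Get-ProxyRedirect | Format-List
'== Windows Update service =='
Get-WindowsUpdateState | Format-Table -AutoSize
```

An empty first table, empty proxy fields and a Running wuauserv are the clean result; anything else is worth comparing against a freshly installed machine.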


"... doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."


Source: Slashdot

The TIFF of Doom!

Subject: General Tech | November 6, 2013 - 04:08 PM |
Tagged: security, Malware, TIFF, windows

A newly discovered flaw in the handling of TIFF image files affects machines running Windows Vista or Server 2008, as well as Office 2003 to 2010 and Microsoft Lync products on WinXP and Win7; Windows 8 is the only one that does not contain this vulnerability. According to The Register, the attack code is launched when the image is displayed, which tricks the "OS into copying malicious code stashed in the file into memory and then hijacking the processor to execute it."


"The software giant said the flaw allows attackers to remotely execute code and install malware on a vulnerable system by sending an email or instant message or convincing a user to open a specially crafted webpage."


Source: The Register

You're Supposed to Incinerate Plagued Corpses, Right?

Subject: General Tech | July 9, 2013 - 12:24 AM |
Tagged: Malware, derp

Sometimes I like to cleanse the palate with a lighthearted feel-good story. A little over a year and a half ago, the Department of Homeland Security (DHS) alerted the Economic Development Administration (EDA) and the National Oceanic and Atmospheric Administration (NOAA) to potential security breaches of their hardware. NOAA handled their clean-up well; the EDA seemed to apply the logic commonly reserved for diseased cattle. I guess this counts?


Image: Memegenerator

Ultimately, it was paranoia that harmed the EDA. They spent a million dollars hiring an external firm to sanitize and secure their systems and to guarantee immunity against malicious software. Unsatisfied with the lack of results under the final mandate, the EDA decided to destroy any hardware adjacent to any contamination.

Computers... printers... cameras... keyboards... mice...

$170,500 USD of hardware was demolished and almost a year was spent getting back on track. A further $3 million worth of equipment would have reached the same fate if the budget had not run out. This news was made public during their audit, released last month, by the Department of Commerce. The infections, discovered through this cleansing, were common malware and not a targeted attack.

The final cost of this overreaction was $2.7 million.

Source: Ars Technica