From the category archives:

Security & Privacy

Beware of Scareware

by joe on March 6, 2010

Fake anti-virus programs, rogue security software, extortion-ware – whatever you want to call it, this kind of malware is still prevalent.  It usually starts with a pop-up message warning you that your system is infected and offering a free download to clean your computer.  Generally, no matter which button you choose, if you click on the pop-up at all, it installs the malware.  After that, the rogue software performs a fake scan and reports all sorts of nasty infections, none of which your PC actually has.  The program then tries to convince you to pay for an “upgrade” that will clean out all these reported nasties.  From beginning to end, the whole ordeal is a scam designed to steal your money.

I’ve put together a short guide, showing how to spot and avoid these scams, links to ways to remove them, and where to report them if you become a victim.  Please check out How to Protect Yourself Against Scareware, on Associated Content.   For more in-depth analysis of scareware, see this article from Viruslist.

{ 0 comments }

Astroturfing: Fake Grass Roots Organizations

by joe on February 28, 2010

Astroturfing is the practice of creating fake grass-roots organizations to sway public opinion.  According to freepress.net, “Astroturf groups fighting media reform manufacture the impression of public opposition to issues like Net Neutrality to sway policy makers and the media. What these groups won’t tell you is that they’re bought and paid for by the phone and cable industry.”

One recent example of astroturfing cited in Wikipedia includes several self-proclaimed seniors groups, whose biggest contributor is the pharmaceutical industry.  Another is the “Save Our Species Alliance”, which calls itself a grass-roots organization but is actually a front group for wealthy cattle and timber interests.

For the past several years, the telecommunications and media giants have engaged in some pretty shady practices, including astroturfing, in order to muddy the so-called Net Neutrality (or Internet Neutrality) debate.  The interactive chart that accompanied this post (courtesy of freepress.org) shows how much these companies are spending to convince the public and our lawmakers that net neutrality is a bad thing.

{ 0 comments }

Facebook Charging a Fee?

by joe on February 15, 2010

Rumors have been circulating for months that Facebook would begin charging a monthly fee for usage some time in 2010.  The idea that the site, beloved by millions of members, might no longer be free gained so much momentum that hundreds of thousands of Facebook users joined groups protesting any such move.

Facebook spokespeople have repeatedly denied the rumor, stating that “We have no plans to charge users for Facebook’s basic services.”   Note that this wording doesn’t say that they will never charge for anything, and the definition of “basic services” may be subject to change, but it does refute the idea that Facebook would begin charging a monthly fee.

This is just another example of the gullibility of the masses when it comes to the Internet.  The whole notion that Facebook would begin charging money appears to have originated with this hoax email.  Rule of thumb: any email message that is intended to incite fear, raise awareness of impending disaster, or promise some reward for forwarding it, or nearly any other message meant for mass distribution, should be checked out before you act on it or forward it.  Snopes.com is a good starting place.

{ 0 comments }

Encrypting with TrueCrypt

In an earlier post I wrote about some of the free encryption options for PC users.  One of the products I talked about was TrueCrypt, and others agree with me that it is a good option for data encryption.  I decided to take it a step further, and wrote a How-To article using TrueCrypt.  It’s a pretty detailed beginner’s guide to creating encrypted volumes on a Windows PC.  Performing the same operations in Linux wouldn’t be that different, since the interfaces are very similar.

Free Virtualization Options

One of my Suite101 articles covers the Benefits of Virtualization on PCs.  The benefits are summarized here:

  • Run Alternative Operating Systems
  • Safer Internet Browsing and Banking
  • Software Testing on VMs
  • Customized VMs for Multiple Users
  • Snapshots for Easy Backup and Restore

Again deciding that an easy to follow beginner’s guide was warranted, I wrote a Tutorial for getting Linux running in a Virtual Machine on Windows, using VirtualBox.

Encryption and Virtualization for Configuration Management

Both of these technologies can play an important role in configuration management.  Configuration files containing server information, passwords, etc. are often necessary in the deployment of applications.  Leaving them in plain text is an invitation to disaster: sooner or later, someone who shouldn’t will see the information and gain unauthorized access.  That someone doesn’t even have to have malicious intent in order to be dangerous.  Some of the worst mishaps in the tech industry have been caused by well-meaning employees who had more access than their role and expertise warranted.

Virtualization too has its advantages for a configuration manager.  If you can create VMs to represent the target servers and workstations, then you can develop, test, and tweak your deployment methods, particularly with respect to automation, without risking any real environment.
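As an added example (not code from the original post), here is the kind of pre-deployment check a configuration manager can run to catch the plain-text credentials this paragraph warns about.  It scans INI- or properties-style config text for credential-looking keys and refuses the deployment unless each value is a reference into an encrypted store.  The enc:<name> reference syntax, the key-name patterns and the sample config are all assumptions made for this example.

```python
"""Pre-deployment check for plaintext credentials in configuration files.

Added example; this is not code from the original post. It scans INI- or
properties-style configuration text for keys that look like credentials and
reports any whose value is a literal instead of a reference into an encrypted
store. The "enc:<name>" reference syntax is an assumption made for this
example: it stands for a lookup into a volume or keyring protected by a tool
such as TrueCrypt or GnuPG, resolved only on the deployment host.
"""
import re
from dataclasses import dataclass

# Key names that usually carry secrets. A bare "key" is deliberately excluded
# to keep the false-positive rate down ("cache.key_prefix" is not a secret).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE
)
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.*?)\s*$")
ENCRYPTED_REF = re.compile(r"^enc:[A-Za-z0-9_./\-]+$")  # assumed reference syntax


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def scan_config(text: str) -> list:
    """Return one Finding per credential that is stored in the clear or left empty."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[":        # blank, comment, or section header
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if not SENSITIVE_KEY.search(key):
            continue
        if value == "":
            findings.append(Finding(line_no, key, "empty credential"))
        elif ENCRYPTED_REF.match(value):
            continue                               # resolved from the encrypted store
        elif value.startswith("${") and value.endswith("}"):
            continue                               # placeholder filled in at deploy time
        else:
            findings.append(Finding(line_no, key, "plaintext credential"))
    return findings


def deploy_allowed(text: str) -> bool:
    """Gate for a deployment script: refuse to ship a config with clear-text secrets."""
    return not scan_config(text)


# Constructed sample; not a real deployment file.
SAMPLE_CONFIG = """\
# application settings
[database]
db.host = db01.internal
db.user = app
db.password = Summer2009!
[api]
api_key = enc:payments/api_key
session_secret =
"""

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.key}: {finding.reason}")
    print("deploy allowed:", deploy_allowed(SAMPLE_CONFIG))
```

Run against the sample, the check reports the literal database password and the empty session secret, and passes the API key because it is only a reference that the deployment host resolves from the encrypted store.  The point is that the reference is safe to keep in version control and to copy onto a test VM; the secret itself never leaves the encrypted volume.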

These ideas and articles just scratch the surface of the usefulness of encryption and virtualization.  The latter, especially, has a lot to offer in the workplace, including disaster recovery, remote control, backup and restore, etc.   Both technologies can increase the security and reliability of configuration management practices.

{ 0 comments }

Encrypting Data and Messages for Free

by joe on September 15, 2009

I previously reported that I had become a contributing writer on Suite 101. For my first article, I decided to summarize some of the Best Free Encryption options available for computer users.  I covered the pros and cons of Encrypting File System (EFS), TrueCrypt, and GnuPG.  Here’s the quick rundown:

  • EFS: OK for Windows users who aren’t using a home / basic edition of Windows.  Can’t encrypt on removable devices.
  • TrueCrypt: Good for encrypting not only sections of the hard drive (or entire partitions), but also removable media like thumb drives, CDs, etc.  Encrypted emails possible, but not ideal.
  • GnuPG: Best for end-to-end encryption of data at rest and in transit (via email or IM).  Most complex to set up, but messages can only be decrypted and read by the intended recipient.

For download links and full details, please check out the entire article.

{ 2 comments }

Various security vendors are reporting a significant drop in the percentage of emails comprising phishing attacks lately.  For example, Kaspersky Labs noted a 37% drop from 1st quarter to 2nd quarter this year.  They attribute the drop to better security tools like spam filters, and anti-phishing technology showing up in the latest browsers.  I’d like to think it also has something to do with the Internet’s user base getting smarter about phishing and other types of on-line fraud.

The news is welcome, to be sure.  The trouble is, the cyber criminals aren’t just giving up because phishing has become less profitable.  Most of them are turning to more sophisticated “crimeware” in order to swindle you out of your hard-earned money.   If they can’t trick you into giving them your bank account number and passwords, then they’ll try to get them by using key-loggers and banking trojans.  And these tools are getting more sophisticated all the time.

Recently, security and hacker sites alike have been abuzz about a new crimeware kit called ‘Fragus.’  The features it advertises include encryption (to defeat signature-based anti-malware software), a sophisticated control interface, customizable exploits, and real-time statistics showing the size and distribution of an operator’s botnet.  Zombie computers controlled by the operator are not only prone to deeper infection as the operator pushes more trojans, viruses, etc., but also become conduits, used by the controller to spread the botnet to non-infected PCs.

So, while we can celebrate the drop in phishing emails, remember to keep your security tools up to date and remain vigilant.  The war against cybercrime is still heating up.

{ 0 comments }

Apache Foundation Repels Hacker Attack

by joe on September 2, 2009

The Apache Foundation shut down several servers last Friday when administrators discovered rogue processes running on one of their machines that serves websites. Investigation revealed that a compromised SSH key on a 3rd party hosting provider allowed attackers to access an account. From there, they were able to create files on an Apache Foundation server, and these files were then propagated to the web servers by automated processes.

A briefing on apache.org gives an overview of the method of attack and the steps administrators took to remove the malicious processes. The page includes the following statements:

To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.
While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.

The Apache admins were able to restore from backup to their web servers, and bring the site back online.  They report that some servers remain offline for further investigation, but that most site functionality has been restored.

The Apache Foundation deserves some applause for being open about the attack and the steps they took to combat it.

One take-away from this incident: protect your private keys.
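As an added example, not taken from the Apache report, the following audit script looks at the other half of that lesson: limiting what a stolen key can do.  It parses an OpenSSH authorized_keys file and flags any key that lacks a from= source restriction, a command= forced command, or the no-port-forwarding, no-agent-forwarding and no-pty options (or restrict, which implies them).  The sample file content is constructed for this example.

```python
"""Audit an OpenSSH authorized_keys file for keys that carry no restrictions.

Added example; this is not code from the Apache Foundation's report. A stolen
private key can only do what the authorized_keys line accepting it allows, so
keys used by automated jobs (backups, mirror syncs) should carry a from=
source restriction, a command= forced command, and the no-*-forwarding/no-pty
options. The file content below is constructed for this example.
"""
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
WANTED_FLAGS = ("no-port-forwarding", "no-agent-forwarding", "no-pty")


def split_options(opts: str) -> list:
    """Split the comma-separated options field; quoted values may contain commas."""
    out, current, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        out.append("".join(current))
    return out


def parse_line(line: str):
    """Return (options, key_type, comment) for a key line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:          # no options field at all
        fields = line.split(None, 2)
        options = []
    else:                                            # options run to the first unquoted space
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            i += 1
        options = split_options(line[:i])
        fields = line[i:].split(None, 2)
    comment = fields[2] if len(fields) > 2 else ""
    return options, fields[0], comment


def audit(text: str) -> list:
    """Return (line number, key label, missing restrictions) for each unrestricted key."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        names = {opt.split("=", 1)[0] for opt in options}
        missing = [name + "=" for name in ("from", "command") if name not in names]
        if "restrict" not in names:                  # "restrict" implies all the no-* flags
            missing += [flag for flag in WANTED_FLAGS if flag not in names]
        if missing:
            problems.append((line_no, comment or key_type, missing))
    return problems


# Constructed sample, not the Apache Foundation's file. Key material is truncated.
SAMPLE_AUTHORIZED_KEYS = """\
# backup host keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLE backup@mirror
from="10.0.0.5",command="/usr/bin/rsync --server --sender . /var/www/",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE sync@mirror
"""

if __name__ == "__main__":
    for line_no, label, missing in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no} ({label}) lacks: {', '.join(missing)}")
```

On the sample, the first key is reported as fully unrestricted while the second passes.  A from= restriction alone would not help against an attacker who already has a foothold on the host the key is used from; a command= that pins the key to the one rsync invocation it exists for limits what the key can be used for regardless of where the connection comes from.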

{ 0 comments }

Paypal Phishing Scam Almost Got Me

by joe on August 26, 2009

I’m generally surprised when I hear the number of people that fall for Phishing scams.  I mean really, do that many people really think that some corrupt official in some remote country is going to send them millions of dollars?  Less obvious are the ones that try to spoof your bank site or some other institution.  Well, I got one today that I almost fell for.

The email came from ‘mail@online-paypal.com’ – which should have been a dead give-away right there.  The subject was ‘(1 new message).’  The body of the message implied that someone had tried to process a charge against my paypal account, but that the transaction was on hold because it was initiated from a foreign IP address.  There was a link to cancel the transaction.  Of course, my first impression was “Ahah!  Somebody is trying to steal from my account!  Well, I’ll just hit this handy little ‘cancel’ button and put a stop to that!”

I don’t know where the button would have taken me, because at the last moment it dawned on me that paypal doesn’t generally send links in their emails.  Upon close examination I realized the button didn’t link to a paypal domain at all.  I forwarded the email to spoof@email.com, who did indeed confirm that it was a spoof.

The text of the email is as follows (link removed for safety):

You have initiated a payment for $22.00 USD to info@servage.net.

Payment details
Amount: $22.00 USD
Transaction ID: 5H633774LW536779Q

Because the payment was made from an foreign ip address, we put the transaction on hold.
To cancel this payment, click here. (this phony link went to pllthdpsec17.com)

Please do not reply to this email.

Email Id: DQ 532 XYONXVVQNMMBWRYWHDULWPGVMVRHOHKYGMIVJY

Hopefully, nobody else is dumb enough to fall for it, like I almost did.
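The two checks that caught this message (a sender domain that only resembles paypal.com, and a button whose target is not a PayPal domain) can be automated.  Below is an added example, not code from the original post, that extracts the links from an HTML message body with Python’s html.parser and flags any whose target is outside the claimed domain or whose visible text names a different host than it really goes to.  The HTML body is constructed for this example; only the domains online-paypal.com and pllthdpsec17.com come from the post.

```python
"""Check the links in an HTML e-mail against the domain the message claims to
come from. Added example; this is not code from the original post. The HTML
below is constructed to mimic the message described above; the "click here"
target pllthdpsec17.com and the sender online-paypal.com are the ones the post
names, and the surrounding markup is invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def displayed_host(text: str):
    """If the visible link text looks like a URL or bare hostname, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_is_lookalike(from_addr: str, claimed_domain: str) -> bool:
    """True when the sender's domain is not the claimed domain (e.g. online-paypal.com)."""
    domain = from_addr.rsplit("@", 1)[-1].strip("<> ")
    return registrable_domain(domain) != registrable_domain(claimed_domain)


def suspicious_links(html: str, claimed_domain: str) -> list:
    """Return (href, text, reasons) for links that leave the claimed domain or
    whose visible text shows a different host than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    claimed = registrable_domain(claimed_domain)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []
        if target != claimed:
            reasons.append(f"target {host} is not under {claimed}")
        shown = displayed_host(text)
        if shown and registrable_domain(shown) != target:
            reasons.append(f"displays {shown} but goes to {host}")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed message body; only the two domains come from the post.
SAMPLE_HTML = """<html><body>
<p>You have initiated a payment for $22.00 USD to info@servage.net.</p>
<p>To cancel this payment, <a href="http://pllthdpsec17.com/cancel">click here</a>.</p>
<p>Help: <a href="http://www.paypal.com/help">www.paypal.com</a></p>
<p><a href="http://pllthdpsec17.com/login">https://www.paypal.com/</a></p>
</body></html>"""

if __name__ == "__main__":
    print("sender lookalike:", sender_is_lookalike("mail@online-paypal.com", "paypal.com"))
    for href, text, reasons in suspicious_links(SAMPLE_HTML, "paypal.com"):
        print(href, "|", text, "|", "; ".join(reasons))
```

The third link in the sample is the nastier variant: its visible text is a PayPal URL while the href goes elsewhere, which is exactly what hovering over a button in a mail client reveals and what this check reports.  The domain comparison here is deliberately crude; anything that has to decide on real mail should compare against the Public Suffix List rather than the last two labels.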

{ 1 comment }

Simple Test for Conficker

by joe on April 5, 2009

With all the interest lately in the Conficker worm, my friend security evangelist Christopher Spence has set up a simple test on his company blog.  It basically just displays images from 4 of the security companies Conficker blocks.  If you can display the images, you probably are not infected.  Otherwise, there is a link to Kaspersky’s Conficker removal tool.  Visit Christopher’s Conficker Test page.

{ 2 comments }

The credit card industry imposes mandatory safeguards to which merchants are supposed to adhere in order to protect your personally identifiable financial information. They are known as the Payment Card Industry (PCI) Data Security Standards. Additionally, government regulations exist for the same purpose, for example the federal Fair and Accurate Credit Transactions Act (FACTA). In spite of the fact that the penalties for non-compliance can be severe, many merchants lack the discipline to maintain the required vigilance, and some simply don’t have the resources to remain compliant. Thus, even if you practice good security with your data (by burning or shredding credit-card receipts, etc.), the far greater risk comes from those businesses that do not.

There are steps you can take to help. They do nothing to safeguard your data maintained by non-compliant merchants, but they can mitigate the damage if your data is stolen.

  • Set fraud alerts with the major credit bureaus.
  • Opt out of pre-approved credit card lists.
  • Check your credit report.

Read The Full Report, with links to tools to help implement these suggestions.

Read about other ways to Protect Your Privacy

{ 0 comments }

FBI Used In Nigerian Fraud Spam

by joe on October 6, 2008

I feel so special – I got an email from Robert S. Mueller III, Executive Director of the FBI. Amazingly, it appears that the Bureau is aware that I’ve been contacted by the Central Bank of Nigeria, and they felt compelled to protect my interests and investigate the contracts and related fund dispersal promised by the bank in payment for the rendering of some unspecified services.

This is good news indeed, since I didn’t even know that the CBN owed me $10,000,000.00, and now not only do I know about it, but I can rest assured that the FBI has already confirmed for me that the fund transfer is legitimate, and they will closely monitor the transfer. All I have to do is contact the CBN using the phone number and email address that the FBI has so thoughtfully provided, and follow their instructions expediently.

Seriously, does anybody fall for these scams anymore?

{ 1 comment }

Hosted Email Security and the Outlook for SMBs

by joe on September 18, 2008

What is hosted email security?

Hosted (outsourced) email security is a service offered by 3rd party providers which handles the scanning of inbound (and sometimes outbound) email messages. Following the trend toward SaaS (Software as a Service), or “Cloud Computing” as it is becoming known, hosted email services handle such things as spam filtering, virus and other crimeware removal, phishing protection, etc.

Recent Growth and Projections

The last several months have seen spending on outsourced email hosting and security grow at a substantial rate, primarily among small to medium sized businesses. The growth rate within larger corporations (more than 2,500 users) is smaller but also increasing measurably. According to IDC, The Radicati Group, and other analysts, these growth rates should continue to accelerate over the next few years, with spending exceeding an estimated $2 billion by 2012. This represents 40% growth in the number of seats over today’s figures.

Already, about 5% of SMB users are utilizing hosted email security solutions, a figure expected to grow to 9% over the next few years.

Advantages to SMBs – Reasons for Growth

A variety of reasons are cited by researchers and subscribers for outsourcing email security, but the main ones are:

  • Lower Network Resource Requirements: Spam entering a company’s network incurs bandwidth and storage costs, even if it’s caught in spam filters. Outsourced spam filtering solutions only allow legitimate email to enter the network.
  • Fewer Maintenance Costs: The costs of acquiring, configuring, and keeping spam filters up to date can be extensive for in-house solutions, especially when you include the cost of the admin’s time.
  • Malware Protection: While an outsourced solution shouldn’t replace in-house virus scanners, keeping up with the latest threats becomes the burden of the solution provider for email. These companies often employ up-to-the-minute malware updates and multiple scanning engines.
  • Business Continuity: Should a company’s own network fail or become compromised, the external service provider can queue their mail for a period of time, until their Disaster Recovery Plan is executed (you do have a DR Plan, right?).

Reservations

Not everyone is jumping on the bandwagon. The biggest concern expressed by potential customers is the perceived security and reliability of the service providers’ networks. However, research done by Network World indicates that many of these providers maintain infrastructures more robust and secure than those of most of the enterprises they serve. Another issue is the concern for the safety of confidential information being in the hands of an external agency, which is why most subscribers only use these services for inbound email, even though some providers offer outbound filtering as well.

Outlook

As IT departments strive to cut costs while maintaining service levels, more will be looking at the ROI offered by outsourced security solutions.

{ 0 comments }

Jerry Pournelle Wrote Me!

by joe on July 22, 2008

Legendary writer and author Jerry Pournelle sent me an email! OK, so I’m a subscriber on his website and he sent it out to everybody, but still, I thought it was cool. The message was a warning about the fact that malicious hackers had compromised the online job boards and were selling their services to spammers and scam artists. Monster.com, hotjobs.com, and other mainstream job boards are affected. You can get the details here.

I became a fan of Jerry’s writing in the ’80s when he was a columnist for BYTE Magazine. This was back when magazines printed a lot of useful technical information, hacks, program listings, and electronics projects. A fellow programmer was a subscriber, and introduced me to the magazine, and particularly “Chaos Manor,” Jerry’s column. When BYTE was sold to another publisher, its format turned more to product reviews and coverage of the IT business industry. In other words, it became geared more for managers with IT budgets and less for programmers, hobbyists, and end users. Not long after that the magazine ceased publication altogether.

I missed Jerry’s anecdotal accounts of his struggles with technology. He did product reviews too, but always from the first-person perspective of a non-technical person (an author) actually trying to implement, rather than just cover, the products. His often humorous tales were always informative and entertaining. I was delighted when I discovered a year or so ago that Jerry was still writing his Chaos Manor Reviews, as well as Other Musings. I should have known that his talent and desire (need?) for self-expression would have steered him toward the online publishing world, and was chagrined that I hadn’t thought to search on his name sooner.

{ 1 comment }

What’s Running On Your PC?

by joe on June 19, 2008

Several months ago I wrote an article for a Helium Marketplace publisher.  My submission was not selected, but I find that it is one of my more popular articles on Helium (definitely in the top 3), so I thought I’d share it here.  Please read How to find out what’s running on your PC (and why this is important).  Let me know how you like it.

{ 0 comments }

The other night I spent about 2 1/2 hours at the house of a friend, trying to free his PC of some particularly nasty malware, SpyGuarder and Vista AntiVirus 2008. Both are classified as rogue anti-spyware programs. This type of malware attempts to trick you into buying their full versions by running free scans with a trial version, and showing you all sorts of viruses, trojans, keyloggers, etc. with which your system is supposedly infected. They then offer to remove all these infections if you’ll just click the link and upgrade to the full version of their program, which of course, costs money. There are a number of problems with both these programs.

  1. Your system doesn’t really have the infections these programs claim. Or to be more accurate, they have no way of knowing one way or another, since the so-called “scans” they do are completely fake. Nor could they remove the infections if you did have them, since they do not actually fight spyware or viruses, but are likely to install some of their own. Of course, if you elect to do this, future scans will say that your system is now clean.
  2. These programs are obnoxiously persistent. Any attempts to cancel the scans, close the windows, or kill the processes just result in another process being launched.
  3. These programs prevent legitimate anti-spyware programs from installing and running. Generally, when trying to clean spyware out of a system, one of the first things I do is install and run Ad-Aware from Lavasoft. Vista AntiVirus 2008 would not let me install it, popping up a fake system message saying basically that the Administrator for the PC has configured it to disallow “installations of this type.” Spybot Search & Destroy did work, but did not remove the two nasties I was dealing with. SpyGuarder similarly prevents the Task Manager from launching, claiming that “Task Manager has been disabled by your Administrator.”
  4. The presence of either of these programs indicates that you may also have the Zlob trojan or other dangerous trojans.

No doubt some of you would have advised me to run various legitimate anti-malware applications like SpyHunter, which can apparently automate the removal of SpyGuarder and Vista AntiVirus 2008. Pride and miserliness made me opt to do it by hand, which I did with the help of instructions found here and here.

Vista AntiVirus 2008 has several other identities, all which do the same bad things to your system, such as Windows Antivirus 2008, Windows AntiVirus Pro, etc. These, as well as SpyGuarder, are advertised on professional-looking web sites, and give the appearance of being the most advanced anti-malware products on the market. Do not be fooled, do not install either of these products – the commercial or the free versions – on your computer under any circumstances. If you find you have been infected with either of these anyway (it’s possible to pick them up via “drive-by” infection), take steps to remove them immediately.

Added 7/1/2008: I had to go back and remove yet another fake security program. His commercial virus protection had long since expired, so I installed AVG Free, which found and removed about a dozen viruses and trojans, but then his desktop and taskbar disappeared. After searching around on the Internet, I found that Malwarebytes’ RogueRemover Free is a great free tool which completely fixed the desktop problems and removed some additional adware / spyware. It will definitely be joining Ad-Aware and Spybot Search & Destroy in my arsenal.

{ 0 comments }