Tax Time Phishing Blues

Here in the US, it’s almost time to get those tax forms submitted. Which means that there is an increase in the number of tax phishing emails.

Repeat after me: “The IRS doesn’t use email to ask for tax information.”

I Read It on the Internet So It Must Be True!

Today is the day that you don’t want to believe what you read on the Innertubes … more than usual.

You’ll find lots of allegedly humorous pages trying to fool you. And lots of emails that contain links to malware.

So, be careful out there.

Now, please excuse me while I do a backup to my WORN drive (Write Once, Read Never). Can’t be too careful.

Master Boot Record Malware Becoming More Stealthy

Your hard disk’s Master Boot Record (MBR) is the first thing that gets loaded when you start your computer, even before the operating system. What if you could change the MBR to load your very own special program? That would make your program the ‘most powerful’ on your computer, giving your program access to all sorts of potentially interesting things.

MBR malware has been around for a while, and has surfaced again. Check out the McAfee folks’ analysis of the latest version of an MBR malware: .

One of the interesting things is that the malware is self-aware. The program monitors itself, and if the program is stopped, it restarts (and re-infects) the computer.

Malware writers are getting a bit clever.
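Because the MBR loads before the operating system, the practical defence is to know what your boot sector normally looks like and notice when it changes. The following PowerShell is an added example (not from this post or from McAfee’s analysis): it hashes the boot code in the first sector of PhysicalDrive0 and compares it with a baseline kept in a file path that is an assumption here. It must run elevated, on Windows.

```powershell
# Added example (not from the post or McAfee's analysis): hash the boot code in
# the first sector of PhysicalDrive0 and compare it with a saved baseline, so an
# MBR rewritten by malware shows up as a changed hash. Run elevated; Windows only.
function Get-MbrSnapshot {
    param([string]$Drive = '\\.\PhysicalDrive0')
    # Share mode ReadWrite is required: the OS already holds the device open.
    $stream = New-Object System.IO.FileStream $Drive, 'Open', 'Read', 'ReadWrite'
    try {
        $buf  = New-Object byte[] 512
        $read = $stream.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read ($read bytes) from $Drive" }
    } finally { $stream.Dispose() }
    # Boot signature 0x55 0xAA at offsets 510-511 marks a valid MBR.
    $valid = ($buf[510] -eq 0x55) -and ($buf[511] -eq 0xAA)
    # Hash only the boot code (bytes 0-439). The disk signature and partition
    # table (bytes 440-511) change legitimately when partitions are edited.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($buf, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{ Drive = $Drive; ValidSignature = $valid; BootCodeSha256 = $hash }
}

# Assumption: the baseline hash is kept in ProgramData, written on first run.
$baselineFile = Join-Path $env:ProgramData 'mbr-baseline.txt'
$snap = Get-MbrSnapshot
if (-not $snap.ValidSignature) {
    Write-Warning "$($snap.Drive) has no 0x55AA boot signature; not a classic MBR?"
}
if (-not (Test-Path $baselineFile)) {
    Set-Content -Path $baselineFile -Value $snap.BootCodeSha256
    Write-Output "Baseline recorded: $($snap.BootCodeSha256)"
} elseif ((Get-Content $baselineFile) -ne $snap.BootCodeSha256) {
    Write-Warning "MBR boot code on $($snap.Drive) differs from baseline; investigate before rebooting."
} else {
    Write-Output "MBR boot code matches baseline."
}
```

Record the baseline on a machine you trust (for example right after a clean build), and treat any later mismatch that does not coincide with a known partitioning or boot-loader change as something to investigate.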

A Zero-Day Spam Attack

Sudden increase in spam that got through the filter over the weekend. Since most spam detection is ‘reactive’, using a database (or signatures) of ‘known spam’, a new spam campaign will likely get through your spam filter for a day or two.

Since those messages were short (pun not intended), dictionary-based blocking wouldn’t work. Only when the spam databases get updated with the latest attack will the spam be blocked.

So the various users got a bit excitable this morning as they saw a few more spam messages in their email inbox than they usually see.

Although if you use Gmail, you might not have noticed the spam attack. Gmail seems to be very effective in blocking spam. I suspect it’s because there is user involvement via the ‘report spam’ button. There are so many Gmail users that there are a lot of people reporting spam.

I suspect that Gmail proactively removes spam from your inbox. For instance, a zero-day spam attack might get some spam into your regular “in” folder. But as people report messages as spam, I suspect that the Gmail guys actually dynamically remove the spam from your in folder and stick it in the spam folder.

Preventing zero-day spam attacks is much like dealing with the risk of a zero-day virus attack: a new virus might get through your virus detection until the anti-virus vendors get things updated. So relying on one layer of protection is not enough.

I suspect that these ‘zero-day’ attacks will become more prevalent in the future as the more organized spam cartels get better at bypassing spam filters.

Web Defacement and Password Stealing

The TrendMicro folks (anti-malware vendor) got hit by a web site defacement. But they weren’t the only ones: there are hundreds of thousands of sites that will try to install password-stealing software on your computer. (One story here: ).

And the Internet Storm Center ( ) has a related report on the problem.

The attack seems to come, as usual, with a web site (usually an ‘adult’ site) that asks you to install some software to view a video. Or the site may try to tell you to install some software to scan your computer for viruses.

One example of the attack is shown in a video on McAfee’s site ( ). It’s an interesting short video that shows how the attack works.

The protection? The usual “safe computing practices” we’ve previously discussed. Current anti-virus, don’t install software/add-ins just because a web page asks you to, current operating system and other software patches, etc, etc.

And it’s not just Windows-based systems. The operating system is not the only vulnerability; all your software needs to be kept current.

Be careful out there.

Protection against a Cold Boot Data Attack

You might have heard about the new technique for getting data off of an encrypted hard disk by freezing the memory on the computer. (You can do your own Google to find more details.) The story has hit mainstream press.

Am I worried? Only if someone physically gets to my computer, just after a power-down (or hibernate).

Protection? Several choices — the ones you use depend on the confidentiality of your data (or your activities on the computer):

– encrypt files / folders as well as the entire hard disk
– keep the computer physically secure to prevent theft; don’t use sleep or hibernate
– power off the computer, don’t use hibernate. By the time you get out the door, the data in RAM will ‘bleed off’.

Risky places? Try hotels, conferences, going through customs (did you know that your computer can be inspected — or even seized — by Customs?), any place where your computer is not under your total physical control.

And ‘safe computing practices’ will also help. Add to those the physical security of your system and data. And that includes USB thumb drives.

Blinded By the Updates

One of the mailing lists I subscribe to is the “Consensus Security Vulnerability Alert” from . It comes out weekly, and lists all new vulnerabilities of software – commercial and open source.

This week’s list is notable for the many commonly used programs. No, not just Windows. The problem is that you might become a bit complacent if all you do is use Windows Update.

Here’s a list of the software that caught my eye (in no particular order):

  • Apple Mac OSX
  • Apple QuickTime
  • Novell Client
  • Symantec BackupExec
  • Adobe Reader
  • ClamAV
  • Apple iPhoto
  • MPlayer
  • Yahoo! Music Jukebox
  • Nero Media Player
  • Checkpoint SecureClient/SecuRemote
  • WordPress plugins

Do you have an update strategy for keeping all of these applications current? Or do you just rely on Microsoft’s Automatic Updates and your anti-virus update?

Security Policies and Inadvertent Holes

I worked on a VBScript program that queried a range of computers by IP address. The script grabs information from the registry on the status of the Windows Update settings. It places the results in an HTML table for easy analysis. The result was interesting; even though we have a policy that those settings be applied on all systems, there were a few holes found.

Which is sort of the old ‘trust but verify’ mantra of an information security guy. You can set up rules and procedures, but you need to verify that the rules and procedures are being followed. If they are not, there can be some serious holes for malware to slip through.
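The same ‘trust but verify’ check, written here in PowerShell as an added example rather than the post’s own VBScript: it reads each machine’s Automatic Updates configuration over the Remote Registry service (policy key first, then the local key) and writes the results to an HTML table. The compliance rule (updates must at least be downloaded automatically), the target address range and the output path are assumptions for the example.

```powershell
# Added example, not the post's VBScript. Assumes admin rights on the targets and
# the Remote Registry service running there. Real registry locations and AUOptions
# meanings; the compliance rule and address list are constructed for the example.
$AuOptionNames = @{
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Auto download, notify to install'
    4 = 'Auto download and schedule install'
    5 = 'Local admin chooses'
}
function Get-AutoUpdateSetting {
    param([Parameter(Mandatory)][string]$Computer)
    $result = [ordered]@{ Computer = $Computer; Source = ''; AUOptions = $null; Setting = ''; Compliant = $false }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        # A Group Policy setting takes precedence over the locally chosen one.
        $paths = @(
            @{ Src = 'Policy'; Key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' },
            @{ Src = 'Local';  Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' }
        )
        foreach ($p in $paths) {
            $key = $hklm.OpenSubKey($p.Key)
            if ($null -eq $key) { continue }
            $au = $key.GetValue('AUOptions')
            if ($key.GetValue('NoAutoUpdate') -eq 1) { $au = 1 }   # policy switch-off wins
            $key.Close()
            if ($null -ne $au) {
                $result.Source    = $p.Src
                $result.AUOptions = [int]$au
                break
            }
        }
        $hklm.Close()
        if ($null -eq $result.AUOptions) { $result.Setting = 'Not configured (defaults apply)' }
        else { $result.Setting = $AuOptionNames[$result.AUOptions] }
        # Assumed policy: updates must at least be downloaded automatically (3 or 4).
        $result.Compliant = $result.AUOptions -in @(3, 4)
    } catch {
        $result.Setting = "Query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Constructed target list (TEST-NET placeholders); replace with your own range.
$targets = 1..20 | ForEach-Object { "192.0.2.$_" }
$rows = $targets | ForEach-Object { Get-AutoUpdateSetting -Computer $_ }
$rows | ConvertTo-Html -Title 'Automatic Updates audit' -Property Computer, Source, Setting, Compliant |
    Set-Content -Path (Join-Path $env:TEMP 'au-audit.html')
```

Rows marked as failed queries deserve as much attention as non-compliant ones: a host that cannot be reached by the audit is also one whose settings you cannot vouch for.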

Loving Storm Worm Spam

I’m seeing what appears to be a new round of spam email from the “Storm Worm” gang. The messages are very short, with a subject related to Valentine’s Day, and a short message with a link to a web site. An example: a subject of “Blind Love”, and a message of “Rockin’ Valentine” along with a link to a web site.

Clicking on the web link (or even typing it in manually) will get you an attempt to download some malware automatically. Current anti-virus may protect you against the download attempt, depending on the web page payload. Current patches will be another protection layer.

Note that Microsoft has released 12 patches today, many of them critical. Of course, all of my many readers (yes, the two of you in the back) are following Safe Computing Practices, and have their computer set up for automatic updates. And you have updated Adobe, Apple QuickTime, Firefox, and Linux kernel updates…

More info about the ‘lovely’ Storm Worm spam is here:

PDF Exploits Seem Widespread

Reports from the various malware researchers indicate that the exploit for Adobe PDF files is becoming widespread. Although the exact distribution is not clear at this time, there appears to be distribution via PDF links in banner ads, and also through the usual spam mail.

Adobe has an update available. To install it, start up your Adobe program (Reader or ‘writer’) and use Help, Check for updates. The current version is 8.12 (shown via Help, About). Any prior version (before version 8) should be replaced with version 8.12.