Useful ICT security Resources
Update on 27 August 2012
How to Spot Fake Antivirus Software
A couple of months ago, a neighbor was chatting with me about a new miracle antivirus application that he got from a friend. He told me that it works great and frequently captures a lot of viruses on his computer. His only complaint was that he had to pay every time the software purged his computer of the malware.
I almost didn’t have the heart to tell him that the magical virus eliminator he was referring to is in fact, what is known in the security industry as fake AV or Rogue AV.
There are many versions of fake AV currently circulating on the Internet today. While there are different variations, styles and names, they all share a common feature set, including:
- A professional-looking graphical user interface (GUI) that resembles a legitimate antivirus application. Once fake AV is running on a user’s computer system, it launches the GUI and displays a fake scanning activity for the computer
- After the fake scan is complete, the software typically reveals that the system is infected with malicious software
- The fake AV then asks for payment in order to “clean” the system. Once an unsuspecting user enters their credit card information, they immediately become a candidate for identity theft
FortiGuard Labs recently encountered a new variant of a fake AV, which Fortinet detects as W32/FakeAV.RA!tr.
Once the malware is installed, an infected user receives a warning message that reads the software has discovered a spyware infection (Figure 1). When a user clicks on this warning message, a new application window that resembles a legitimate antivirus application appears, starts “scanning” the system and begins displaying detected infections (Figure 2).
Once the detection phase is complete, a new window appears that displays the number of infections the software has discovered (Figure 3). The window also includes an option for the user to remove the detected threats or “Continue unprotected.” Common sense dictates a user selects “Remove all threats now”.
After clicking on “Remove all threats now,” a credit card transaction window appears where the user can enter their credit card information (Figure 4).
In a variation of the above fake AV example, a user selects the “Recommended” option (Figure 5), which immediately takes the user to the checkout window shown in Figure 4.
This version of fake AV displays a warning message whenever a user tries launching a program (Figure 6) and is particularly nasty, as it doesn’t allow a user to launch any applications from their computer. What’s worse, in addition to taking your cash, fake AV can log key strokes, steal documents, infect other files and networks and install additional malicious malware.
How you get it
There are actually a number of ways fake AV can appear on a user’s system. It could come in through an infected email attachment, it could be a link within an email or Web 2.0 application such as a social media site that leads a user to a malicious Website that automatically downloads the fake AV, or the software could be downloaded onto a system by malware (such as a botnet) that already resides on the user’s system.
How You Know you got it
The first thing users should do occurs BEFORE infection. If not already, all computer users should familiarize themselves with the antivirus solution that’s currently running on their system. Know the vendor name. And, while making a note of the antivirus software maker on the system, make sure the software is updated with the latest versions and patches. If the user doesn’t have an antivirus software client on their machine, then they can download one from an AV vendor’s Website. Fortinet makes a free one that can be downloaded from here: http://download.cnet.com/FortiClient-Lite/3000-2239_4-75532356.html?tag=mncol;1
Now that the user knows which antivirus software is on their system, it should be pretty clear to spot if the computer has come under attack from fake AV, as most of the time the fake AV makers fail to put a legit AV company’s logo in their popup windows. If the software does put a logo in the pop up window and it’s not from the AV Company that you already have installed, then it’s most likely fake AV. If there’s still a question whether or not fake AV is on the system, the tip off should come when the credit card window opens. No reputable AV software maker will make an end user pay to scan their system if they already have the latest updates installed on their machines.
How You Get Rid of It
If fake AV is on the system, the user should scan the system using their legitimate antivirus software. If the fake AV is preventing the legitimate AV software from loading, then the user should restart their system in “safe mode” and then scan the system using a valid AV. In addition, it is advised to do an “offline scan.” This means a computer should to be scanned and cleaned outside of the full operating system to complete remediation. This requires a restart into the Windows Pre-installation Environment (WinPE) to run a scanning utility, such as Windows Defender Offline scan tool.
The Windows Defender Offline scan tool is a free tool available for download as a bootable Windows Imaging Format (WIM) file, which can be put onto media (USB or DVD) and inserted into the infected computer.
What to do if You’ve Given them your Credit Card Number
If you think you’ve been a victim of fake AV fraud, know that you’re not alone. If fake AV was easy to spot, we wouldn’t feel compelled to write a paper on the topic. It should be noted that Rogue AV is a billion dollar a year business. Some criminal gangs have been caught, but others are still operating with impunity. The first thing you should do if you think you’ve been a victim of fake AV is call your credit card company as soon as possible and scrutinize all charges from the day you entered your credit card number into the application. Second, you’ll want to ask for a new credit card. Just because they haven’t charged anything on your card, doesn’t mean you’re safe, cybercriminals may be bundling your number with others they’ve collected and then selling them to a 3rd party criminal organization.
- Always update your antivirus software from the valid sources
- Do not run applications coming from emails or downloaded from the Internet if you are not sure they are clean
- Do not give away your financial information by entering them into suspicious Website
- Always scan your system using your legitimate antivirus software
Another variant of FakeAV detected as W32/FakeAV.KL!tr is briefly discussed below:
Figure A1 shows the main screen of W32/FakeAV.KL!tr, a professional looking Antivirus software complete with menu and scanning window. In a normal clean computer, it will show that you are infected by at least 14 threats.
If you want to remove the infection, by clicking the “Remove” button, you will be asked to activate the FakeAV software as shown in Figure A2.
Selecting “Yes”, you will be redirected to the payment window shown in Figure A3, which you will be required to enter your account information.
Or, if you refuse to activate your account, you will receive a warning message as shown in Figure A4.
If you ignore or forget about this FakeAV, you will be reminded by constant windows pop-up as shown in Figure A5.
As we can see, W32/FakeAV.KL!tr may have a different display as W32/FakeAV.RA!tr, but it is clearly doing the same thing. It will show you that you are infected and will ask you for your credit card information to remove the infection.
If you need more convincing, let’s take a look at a more familiar looking fakeAV.
This FakeAV looks like it came from Microsoft Windows itself, with the familiar menu on the left and a familiar display on the right side of the main display window shown in Figure B1. It doesn’t show any scanning activity but it displays that there are alerts for your computer.
If you click the “Clean Now” button, the software will tell you that it is only a trial version and you need to activate the FakeAV as shown in Figure B2.
If you want to activate it, it will show you a different window asking for your bank account (See Figure B3). It is interesting to note that, Microsoft’s security and AV software can be installed for FREE.
If you ignore this, warning messages will pop-up like those shown in Figure B4 and B5.
Source from http://blog.fortinet.com
Update on 13 February 2012
Securing Your Mobile Device Apps
Mobile devices have become one of the primary tools we use in both our personal and professional lives. One of the things that makes mobile devices so powerful is that there are thousands of apps we can select from and use. However, with the tremendous power and flexibility of apps come a number of risks you must be aware of. In this newsletter we cover the dangers of mobile device apps and how you can install, use, and maintain them securely.
The first step in using apps is making sure you always download them from a secure, trusted source. Cyber criminals will create malicious apps that look real, but which may be infected with viruses or worms. If you inadvertently install one of these apps, cyber criminals can take control of your mobile device. By downloading apps from only well known, trusted sources you reduce the chance of installing an infected app. However, even in well-known online app markets, some malicious apps can still be found. This is especially true for devices like the Android where the app markets are not tightly controlled. To reduce your risk, avoid apps that are brand new, that few people have downloaded, or that have very few comments. The longer an app has been available or the more positive comments it has, the more likely that app can be trusted. Finally, install only the apps you need and use. Each additional app brings the potential for new vulnerabilities, so if you stop using an app, remove it from your mobile device. In addition, you may be tempted to jailbreak or root your own mobile device, the process of hacking into it and installing unapproved apps or changing existing functionality. We highly recommend against this, as jail breaking not only bypasses or eliminates many of the security controls built into your mobile device but often voids any warranties or support contracts.
CONFIGURING & USING APPS
Once you have installed an app from a trusted source, the next step is making sure it is safely configured and protecting your privacy as well. Installing and/or configuring certain applications requires that you grant certain privileges and permissions. Depending on the device, these applications will prompt you before authorizing. Always think before authorizing any access, does your app really need those permissions? For example, some apps use geo-location services. If you allow an app to know your location, you may be allowing the creator of that app to track your movements. In addition, any public postings you make may include your location, allowing anyone to know where you are or prove where you have been. If you do not like the permissions an app is requesting, simply find another app that better fits your requirements. Be careful when using apps that request or store sensitive information. Even if the app is legitimate, there is no guarantee that the developer used good coding practices to protect your information while stored on the device or while transmitted over the Internet. Applications that consolidate sensitive information can be very convenient, but they are also targets for cyber criminals. Read the detailed description about the app and reviews from other users to see if there have been any security issues.
Apps, just like your computer and mobile device operating system, must be updated in order to remain current. Bad guys are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The app developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. We recommend that you monitor your app stores and update your apps at least once a month. In addition, some apps can be set to update automatically, but please note that this may also automatically grant additional permissions if requested by that app
Many applications today allow you to purchase additional features, new content, or the removal of advertising. A common mistake some people make is to store their app store credentials locally on their device, allowing them to easily make future purchases within an application. We highly recommend you do not allow your mobile device to save your app store credentials, log-in information, or payment information. Although convenient, this information may be available to, or misused by, anyone who has access to your mobile device, including the bad guys if your device has been remotely hacked. An alternative is to use gift cards or one-time use virtual credit card numbers instead.
We strongly encourage you to follow all the best practices discussed here. Mobile devices and apps are still a relatively new and fast growing field. In addition, one of the challenges we all face is that there are few options available for security software to help protect you and your apps. You are the best defense for your mobile devices
The key to maintaining secure mobile device apps are installing apps only from trusted secure sources and make sure they are updated.
SOURCE BY OUCH! The Monthly Security Awareness Newsletter for Computer Users
The SANS Institute 2012
Update on 05 December 2011
Recent SQL Injection Hacks – Things You Should Know
SQL Injection, the remote root exploit for Web applications, has been the initial attack vector behind several high profile compromises over the last six months. MySQL.com, Sun.com, HBGary Federal, Comodo’s RA(GlobalTrust.it/InstantSSL.it),eHarmony, Nasdaq, Savannah GNU, PlentyOfFish, Royal Navy Website, BoingBoing, and no doubt countless others we’ll never hear about. Let’s also not forget if a website is serving up drive-by-download malware, as many thousands have already, chances are it’s because a SQL Injection exploit inserted a malicious iFrame. Clearly OWASP made a good call placing “Injection” at the top of the Top Ten.
Here are some quick tips to avoid becoming tomorrows headline and an end of the year statistic:
- If Parameterized SQL statements, not Stored Procedures, are used everywhere in the code, the odds of SQL Injection vulnerabilities will drop dramatically. Purge all forms of concatenated database query strings and add a healthy code of input validation. There is no substitute.
- Suppression of verbose error messages is still a good idea, but DO NOT do so just to get the vulnerability to “go away” in the application vulnerability scanner report. Fix your code. Don’t be fooled by vendors claim of Blind SQL Injection detection in scanning products. The lack of verbose error messaging remains serious hindrance to automated detection with painful side effects. Direct source code access the has advantage here on comprehensiveness — use to your advantage.
- Hack yourself first. That means ALL your websites. Not just the “main” ones. Learn what the bad guys know or eventually will. Attackers are quite capable and smart enough to compromise secondary websites, use them as launching pads, and then pivot around the network.
- Detect any malware on website(s) before Google does. Failure to do so will get you black listed from search results. Give Dasient a look.
Yes there are many other things you can do to prevent SQL Injection, like detecting attacks with WAFs/IDS or database hardening procedures. Only let’s get some of the basics down first shall we?
BY JEREMIAH GROSSMAN
source by whitehat security
Update on 8 July 2011
for more information click link below
SKMM Defacement Advisory ( http://www.skmm.gov.my/cybersecurity )
Update on 18 October 2011
10 security problems you might not realize you have
Takeaway: It’s easy to get distracted by high profile security threats and let more subtle — but equally destructive — risks fall through the cracks.
IT administrators are often so busy just trying to keep up with the obvious security threats that many more problems fly under the radar. Here are 10 security risks you may have in your organization that you are not aware of.
1: Your employees
Your own employees are your biggest source of security risks. Sometimes, it is deliberate; sometimes, it is not. Employees have the most access and the most time. We expend a lot of effort worrying about external threats, but in all honesty, all it takes is an employee bringing in a virus from a home PC on a USB drive to nullify all your forward-facing firewalls and measures. Disgruntled employees sometimes express their anger by hurting your computer systems. And of course, it is possible for a well-meaning employee to make a major mistake. Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to closing the holes here.
2: Common coding mistakes
Certain mistakes in programming still get made despite years of warnings and education. Most common are SQL injection and cross-site scripting vulnerabilities. I still see these issues from time to time even in major software packages that you would think are trustworthy (WordPress is a good example). It’s hard to change software once you’ve installed it, so you need to keep these packages up to date even though it is quite a hassle.
3: Unauthorized machines
I’ve seen this one too many times. Someone decides to bring in an old PC and put it on the network to do something your existing infrastructure doesn’t allow them to do. They think that they are being helpful, working around the limitations of the IT department. After all, if IT won’t build a Web site for their group, it’s just “doing them a favor” to set up an old PC in the corner with a Web server on it, right? Wrong. The best way I’ve found to keep these rogue machines in line is with rigorous IP address audits and policies and scanning the network to create a list of machines. If machines can’t get IP addresses, they can’t do much harm
4: Ancient “rock solid” servers
We all have them — that server buried deep in the data room that “just won’t quit.” Usually, it’s running some software package that is impossible to migrate to another machine. Sadly, these machines are often major security risks because they typically are no longer getting patches or we fail to patch them out of fear of breaking them. In addition, those older versions of operating systems often come with inherent security holes that no patching can fix. You need to replace these servers one way or the other. The best first step is to virtualize them. From there, it is a lot easier to try to update them.
5: Legacy applications
It’s not just the old servers that are big security risks; it is also the applications running on them, as well as other legacy applications you may have running. These applications would be a lot less problematic if they were current with their patches, but usually they aren’t. All too often, we miss a major version update because the upgrade is so difficult, and then we’re so far behind the ball that it’s impossible to catch up. Or perhaps the applications are completely discontinued. It’s painful to say it, but the best thing you can do is find a migration path to a recent version or another package entirely.
6: Local admins
We all know the dangers of allowing users to run with escalated privileges. Still, we occasionally end up with users being granted local admin rights inappropriately. In my experience, this often happens while troubleshooting a problem: We make the user a local admin to see if it fixes a problem and we forget to undo it. Regardless of how it occurs, it is a ticking time bomb for security. Use your central administration tools to make sure that the local admin list gets reset on a regular basis to the proper users and groups.
7: Incorrect share/file permissions
File permissions are tricky things, and most users are not even aware of how to set them. So what happens? Users create sensitive files in their usual networked location and those files get the default permissions, which are “collaboration friendly” to say the least. The next thing you know, everyone can read the documents, which are supposed to be confidential. Your best weapon is to pre- establish a share and file structure with the correct permissions. For example, give everyone a home directory for personal documents and create shares or directories around roles, projects, and teams with the appropriate permissions. The hard part is then educating them to use the correct locations — but that is much easier than trying to teach them permissions.
8: Hidden servers within applications
I have seen more and more applications lately that use a local Web server as an administration console. Sometimes, these applications are installed by users without permission. But occasionally, the IT department just does not realize what comes with an application. While these servers can be locked down so that they are not a risk (and with luck, they get installed like that), you need to verify that the applications are secured properly before allowing them to be installed on users’ machines.
9: VPN clients
Some users figure out how to set up VPN access on their personal machines. For a power user, it isn’t too hard to do. But you have no control over that machine, and once it is on the VPN, problems with the unauthorized machine can easily spill over onto the VPN. One thing you can do is audit the VPN systems to see who is connecting from what PCs and compare it to your list of authorized systems. Also, you can put additional firewalls around VPN clients to quarantine them. Finally, there are various systems to ensure that the clients connecting are on a preapproved list.
10: Disabled security software
Security software often puts up roadblocks to getting work done, so the “logical response” from many users is to find a way to work around it. For example, I’ve seen people set up anonymizers at home to sidestep IT policies. Power users (especially developers and system administrators) often know how to circumvent security tools. They may also be local administrators because of a technical need, which makes disabling software and changing settings even easier.
Combatting this is tough because these users often assume that they are “too smart” to be a security risk. What they fail to realize is that the modern crop of security threats do not require the user to make a mistake, like going to an obviously suspect Web site or downloading pirated software. Every Acrobat file, for example, is a potential plague rat at this point. Start looking for unusual trends, like large amounts of consistent traffic to an IP address and use centralized tools to ensure that settings are at the right levels and are reset periodically. Also, take any unnecessary local administration rights and firewall entire groups onto their own network segment to limit damage if those groups have a legitimate need for lower security.
Source from TechRepublic’s free newsletters.
|Security Magazine (SIM)-27-Jan-2012.pdf||666.96 KB|