10 easy ways to prevent malware infection

August 26, 2016 – 5:43 PM

We told you how to tell if you’re infected with malware. We told you how to clean up the infection if you get it. How about how to stop the infection from happening in the first place?

Yes, it’s possible to clean up an infected computer and fully remove malware from your system. But the damage from some forms of malware, like ransomware, cannot be undone. If they’ve encrypted your files and you haven’t backed them up, the jig is up. So your best defense is to beat the bad guys at their own game.

While no single method is ever 100 percent fool-proof, there are some tried and true cybersecurity techniques for keeping malware infections at bay that, if put into practice, will shield you from most of the garbage of the Internet.

Source:
https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/

Google Chrome will start blocking all Flash content next month

August 10, 2016 – 4:04 PM

Flash was an integral part of the internet in years past, but it has also been a drag on performance and the source of a great many security vulnerabilities. Today, HTML5 is a better way to get the same sort of interactive content running on the web, and it works on mobile devices. The next phase in Adobe Flash’s agonizingly slow demise starts next month when Google Chrome begins blocking all Flash content.

This will come as part of the Chrome 53 update, which should be available in early September. Chrome 53 will block all the small, non-visible Flash elements on web pages. These are usually tracking platforms and page analytics, but they can slow down page loads just like larger Flash content. This is not Google’s first attempt to de-emphasize Flash on the web. Last year in Chrome 52, Google made most Flash content “click-to-play.”

So, what’s different now? In Chrome 52, the Flash block only applied to Flash objects that were above a certain size, but now that’s being extended to smaller Flash objects. The previous restriction was in place because at the time, there was no reliable way to detect viewability. Now, Chrome’s intersection observer API allows that. You will have the option to enable Flash objects on a page if they are necessary for the experience. If non-visible Flash objects are blocked, an icon in the address bar will alert you.

Google says that all Chrome users will see a benefit from this move. All the Flash objects loading in the background can make page loading sluggish. If you’re on a laptop, Flash also gobbles up power and reduces your battery life. Flash’s innate inefficiency is why it never took off on mobile devices.

Source:
http://www.extremetech.com/internet/233383-google-chrome-will-start-blocking-all-flash-content-next-month

Hackers Could Break Into Your Monitor To Spy on You and Manipulate Your Pixels

August 7, 2016 – 4:37 PM

We think of our monitors as passive entities. The computer sends them data, and they somehow—magically?—turn it into pixels which make words and pictures.

But what if that wasn’t the case? What if hackers could hijack our monitors and turn them against us?

As it turns out, that’s possible. A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer, and both see the pixels displayed on the monitor—effectively spying on you—and also manipulate the pixels to display different images.

“We can now hack the monitor and you shouldn’t have blind trust in those pixels coming out of your monitor,” Ang Cui, the lead researcher who came up with this ingenious hack, told me earlier this week.

Cui, the chief scientist at Red Balloon Security and a recent PhD graduate from Columbia University, presented his findings at the Def Con hacking conference in Las Vegas on Friday along with Jatin Kataria and other colleagues.

During a demo at the Red Balloon offices in New York City earlier this week, Cui and his colleagues showed me how the hack works. Essentially, if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor’s embedded computer, specifically its firmware. This is the computer that controls the menu to change brightness and other simple settings on the monitor.

The hacker can then put an implant there programmed to wait for further instructions. Then, the way the hacker can communicate with the implant is rather shrewd. The implant can be programmed to wait for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor.

Source:
http://motherboard.vice.com/read/hackers-could-break-into-your-monitor-to-spy-on-you-and-manipulate-your-pixels

How to Disable WPAD on Your PC So Your HTTPS Traffic Won’t Be Vulnerable to the Latest SSL Attack

July 26, 2016 – 6:21 PM

You may not know what HTTP is exactly, but you definitely know that every single website you visit starts with it. Without the Hypertext Transfer Protocol, there’d be no easy way to view all the text, media, and data that you’re able to see online. However, all communication between your browser and a website is unencrypted, which means it can be eavesdropped on.

This is where HTTPS comes in, the “S” standing for “Secure.” It’s an encrypted way to communicate between browser and website so that your data stays safe. While it was used mostly in banking, shopping, and other high-security situations, it’s now common for many websites such as Facebook, Google, and even Wikipedia to protect your information with HTTPS. And it’s most important when you’re browsing the internet on free Wi-Fi hotspots, guest networks, and other non-private access points.

But that “security” isn’t so secure anymore, thanks to some security researchers who will be presenting at this year’s Black Hat security conference in Las Vegas.

You’re in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You’re a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a “Force TLS/SSL” browser extension). All your traffic is protected from the first byte. Or is it?

By forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. . . . We will present the concept of “PAC Malware” (a malware which is implemented only as Javascript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URI’s.

Source:
http://null-byte.wonderhowto.com/how-to/disable-wpad-your-pc-so-your-https-traffic-wont-be-vulnerable-latest-ssl-attack-0172499/

Paperspace: Your full computer in the cloud

July 5, 2016 – 4:41 PM

I’d forgotten that I signed up to test the beta version of this service about a year ago, and I finally got an invite over the weekend and started playing around with it. VDI is not new, but it’s now becoming more affordable for the consumer, and they offer some really good price plans in terms of cost/horsepower. At a quick glance, the encryption and privacy look pretty solid, but I did request their official security whitepaper to take a deeper look under the hood. Check them out if something like this looks interesting to you:

https://paperspace.io/

Note: I’m not looking at it right now as a secure desktop replacement, but as a cloud-based secondary desktop for various engagements that require scanning/probing from outside a firewall. It’s also much cheaper than the alternatives and you seem to get more for your money. I’m locked into a $20/month plan right now.