Malicious hardware may be next hacker tool

May 1, 2008 – 7:43 AM

As if computer viruses and worms aren’t enough of a nuisance, malicious hardware, which will be much more difficult to detect, could soon become a threat too.

Today, computer viruses, which are programs downloaded either as an email attachment or when someone visits a website, are responsible for most computer attacks. Hackers use them to gain control of a computer so that they can press-gang it into sending spam or downloading more malicious software, such as a keystroke logger, which can record credit card details and passwords typed in by the user.

Anti-virus (AV) software monitors a computer for signs of a virus, such as chunks of telltale code. To fight back, hackers write new viruses that use different code, or bury the code deeper in the operating system where the AV software isn’t programmed to look.

Read the rest of the story…

Two Factor Authentication is Dead

May 1, 2008 – 7:13 AM

The fundamental problem with two factor (2FA) session authentication is that the approach is vulnerable to Man in the Middle and Man in the Browser attacks. 2FA requires that customers present not only a password (something they know) when they log into online banking, but also demonstrate that they possess an authentication device (something they have). Devices normally take the form of a key fob which displays a number that changes every few seconds, but another approach is to require the customer to insert their bank card into a stand-alone reader. Unfortunately, there is nothing to stop an attacker using a 2FA authentication code to commit fraud.

In the classic Man in the Middle attack, the customer is coerced to visit the attacker’s website, normally by a phishing email. The website will look identical to the legitimate bank site, but when the customer enters their account details and one-time-password, the malicious software will immediately connect to the real bank site and use the details to impersonate the customer and make a fraudulent transaction. Even mutual authentication does not defend against this attack, since the attacker also is able to see what the bank would normally show, making the customer think that they are communicating directly with the bank.

The Man in the Browser attack is an enhancement of the Man in the Middle, already seen in the wild. It is designed to work even against customers who are careful enough to not enter their bank details on sites visited from links in emails. In this attack, the fraudster installs malware on the customer’s PC, either via email or a drive-by download (even with up-to-date anti-virus software, 80% of new malware is undetected). Then, when the customer makes a transfer using their normal online banking, the malware inside the web browser silently manipulates the amount and destination.

Read the rest of the story…

Webroot plots the end of desktop security

May 1, 2008 – 5:17 AM

Security’s rising star, Webroot, plans to offer web and malware filtering as a service to SMBs, the first vendor of any size to offer such a capability in subscription form.

The software-as-a-service (SaaS) model, which extends the email filtering service already offered by the company, will appeal to small and medium-sized outfits for whom keeping out web threats with conventional security appliances is now proving increasingly onerous.

Expected to go live in the US in June, the unnamed service will mean businesses running web traffic through Webroot datacentres where it will be filtered for suspicious URLs, web-borne downloads such as Trojans, and vulnerability malware trying to exploit known software holes.

When run with the company’s email filtering service, the idea is that the bulk of an SMB’s traffic security problems will have been taken care of. Although it can in principle replace desktop anti-malware, the company still recommends users run desktop software as a second line of defence and to intercept threats when using third-party pipes while roaming.

“The advantage of the service model is that you have unlimited computing power and you can do much more. You also have greater visibility [on threats] because you have all the traffic. You can see patterns of outbreak very quickly that you will never see on the desktop,” said Webroot’s CTO Gerhard Eschelbeck.

He said that the system would be able to stop filtering bypass hacks such as proxy websites, even if they were previously unknown. That is the worry – that cleverer users attempt to bypass filtering services by opening encrypted tunnels to proxy sites.

Read the rest of the story…

Wireless modem considerations

May 1, 2008 – 4:44 AM

I am pretty sure that there are a number of you out there reading this blog over a wireless network. Given that wireless is so widely distributed these days, it’s not uncommon that users are unaware of how insecure their wireless setup may be.

Unfortunately one other reality is that a number of ISPs install wireless modems without setting up any sort of security. What’s worse is that if the client doesn’t speak up – they don’t quite advise the customer of what could be at risk. Basically as long as your laptop/device successfully connects to the wireless LAN that is set up for you, they’re out of there. SOO – this is where we come in to offer some advice.

If you connect to your wireless router without a password, it’s time to get hold of a technician who knows his business and set up some security on it. That’s not all…

Recent developments published by Petko D. Petkov reveal some pretty nasty things an attacker can do to Thomson Speedtouch wireless modems – which is what a lot of us Maltese people have at home to connect to the internet.

Thanks to a friend of mine who first pointed out the article above, it is now possible that if an attacker sees your default network name (SSID) then it would be possible for him to crack your default password and use your internet connection. Therefore here are some healthy tips you could pass onto your technician if you’re not confident to set them yourself.

Read the rest of this story…

Stamp out spam with Sophos’s spam pledge

May 1, 2008 – 4:39 AM

IT and security control firm Sophos is urging internet users to take the Sophos Spam Pledge and put an end to the significant problems that many businesses face on a daily basis, as spam marks its 30th anniversary today. The first ever spam message was sent on 1st May 1978 by Gary Thuerk, a marketing representative at the Digital Equipment Corporation (DEC), to 393 users of ARPANET.

Recent Sophos research showed that 95 percent of all email is spam, indicating that the spam crisis has reached new levels – SophosLabs discovers one new spam-related webpage every three seconds. With this in mind, Sophos experts are appealing to internet users, advising them to resist clicking on spam links, in the hope that spam will not reach its next landmark anniversary. A recent survey conducted by the firm revealed that a worrying 11 percent of people admit to having bought goods via spam.

“Users are always just a click away from spam – from weight loss medications to drugs used to improve sexual performance, spam is a burden on all of us,” said Graham Cluley, senior technology consultant at Sophos. “What’s worse is that a lot of spam is deliberately malicious today, aiming to steal your bank account information or install malware. People who buy goods sold via spam are merely perpetuating the problem of junk email for all users and must be stopped.”

Read the rest of the story…