Keystroke Logging Increases, Security Firm Says

March 8, 2008 – 6:07 PM

Hackers are likely to release more than 6000 keylogging programs this year–up 65 percent from the number in 2004–according to Reston, Virginia, security vendor iDefense. Such software illegally records every keystroke pressed on a victim’s PC and then transmits the data to the hacker, making it an effective way to snoop out confidential information such as user names and passwords.

Organized cybercrime groups commonly send keyloggers to unsuspecting victims via e-mail, often in combination with spyware, phishing e-mail, or some other type of malicious software, the security company said.

Costs to You

Citing a survey by National Mutual Insurance, iDefense estimates that the average cost of a successful keylogging attack is about $4000 per victim.

But the financial cost is only part of the equation. Keylogging attacks are a major time sink, as well. The National Mutual survey found that victims of this type of fraud spent 81 hours, on average, resolving matters.

In 2000, hackers released just 300 keyloggers, according to iDefense’s numbers; and in 2001, the number dropped to 275. The first spike in keylogger programs occurred between 2002 and 2003, when the number rose from 444 to 1230. This year, the total is expected to jump from 3753 in 2004 to just under 6200 by year’s end.

iDefense, a unit of VeriSign, sells security intelligence to government and enterprise customers.

http://www.pcworld.com/news/article/0,aid,123569,tk,dn111705X,00.asp

Surf More Safely In Any Browser

March 8, 2008 – 6:06 PM

This is one of those ideas that make you want to slap your forehead and wonder why it never occurred to you before. I don’t remember what prompted it, but I decided to do a little experiment with my virtual test PC. I created a low-level user account and then went surfing some of the most spyware-infested web sites I could find.

Guess what? Nothing happened. Not only did I fail to pick up a single hijacker, I never once saw as much as a single ActiveX prompt. As far as I could determine, I was immune to spyware infection. Why? Because in limited mode, Windows doesn’t allow you to do very much. You are not allowed to make the changes necessary for malware to install and hide itself.

That is not much of a revelation. Many people already realize that if you surf the web in limited mode, not as “root” or “Administrator”, then you are much safer. The reason why people, myself included, do not tell internet newcomers to do that is because using a Windows computer in limited mode is nearly impossible.

Don’t believe me? If you have Windows 2000 or XP, try it right now. Go to Control Panel > User Accounts and create a new limited user. Now spend a few days in it and see what happens. Numerous programs that you use, if you are able to install them at all, simply will not work. You will have an unending series of “permission denied” errors as you try to use your computer normally. Because of this problem, very few people use Windows in limited mode.

The main culprit is software developers. Many of these developers create their programs in such a way that a limited user cannot use them. I remember trying to install a copy of PaintShopPro 7 once. First, I couldn’t install it. When I circumvented that by using the “Run As” feature and did install it, I couldn’t use it. That is just boneheaded design right there.

Microsoft is partly to blame. I mentioned the “Run As” feature. What that does is allow you to load a program as a different user. Basically, you provide the log-in password for an administrator account while logged in as a limited user.

The problem with this is that Windows treats that situation as if you are logged into that administrator’s account. Files saved from the program, if launched this way, cannot be stored in “your” My Documents folder. They have to be stored in the My Documents folder associated with the administrator account. Occasionally, a program won’t operate correctly even if you use the “Run As” feature.

Microsoft could learn from Linux on this one. With Linux, you operate normally as a limited user. If you need to do something to the system, you can open a command terminal, give the “root” password and Linux will temporarily give you the same permission as the root-level user. The problems you run into with a limited Windows account simply do not occur with Linux.

So, although it is much safer to surf the web in limited mode, people refuse to do it because of the permission problems they run into. No one wants to run Windows in limited mode.

Well, there is a simple fix for this problem. It is so simple that I wonder why it never occurred to me before now.

Use Windows normally in your admin-level account to avoid the problems caused by bad software design. However, any time you plan to surf the web, log out of that admin-level account and into a limited account. When you are through surfing the web, log back into your admin-level account. If you have any version of XP, you don’t even have to log out of your normal account. Just use Fast User Switching to go back and forth.

I won’t claim that you will be immune to a spyware infection if you do this. I will say that the chances of it happening are very slim.

There is one thing that I want to point out. Windows XP has a really stupid bug. If you create an additional account, the default “Administrator” account will disappear from the Welcome screen. Since quite a few people use that default account, that leaves them unable to log in from the Welcome screen after they create a new account. This bug is present in XP Gold, XP SP1 and XP SP2.

Unbelievably, Microsoft considers that to be a feature, not a bug. So the chances of it ever being fixed are low. There is a registry hack that will put the account back on the Welcome screen. Do not attempt to edit your registry if you don’t know what you are doing. You could cause some serious problems with Windows.

Don’t worry, there is an easy way around this bug if you don’t feel comfortable hacking at your registry. At the Welcome screen, simply press the CTRL ALT DEL buttons at the same time and a new log-in prompt will pop up. Just type “Administrator” for the user and give your normal password and it will log you in.

If you are one of those people whose computer is infected repeatedly by malware (you know who you are), you should give this a try. I’ll bet that, if you do this, you will not have nearly as much trouble with spyware as you do now.

http://www.spywareinfo.net/nov11,2005#limitedsurfing

Cisco: The Next Big Security Concern

March 8, 2008 – 6:05 PM

Which operating system, embedded in more than 80% of enterprise IT environments, represents one of the fastest-growing hacker targets and potentially the most-devastating information-security vulnerability? Hint: It ain’t Windows. Cisco Systems’ Internetwork Operating System now sits at the center of the information security vortex. Because IOS controls the routers that underpin most business networks as well as the Internet, anyone exploiting its flaws stands to wreak havoc on those networks and maybe even reach into the computer systems and databases connected to them. IOS is a highly sophisticated piece of software, but–as with Microsoft’s Windows–that’s a double-edged proposition. Software complexity can be a hacker’s best friend.

Cisco is working hard to better shield its routers and other network equipment from the risks, but there are reasons to believe Cisco security will become a bigger problem before it gets better. The sheer amount of Cisco equipment installed, the many versions of IOS involved, the difficulties of upgrading that software, and the IOS vulnerabilities already out there or yet to be discovered present a major challenge to network administrators and security professionals.

Just last week, Cisco issued a security advisory for a serious IOS “heap-overflow” vulnerability that could let hackers get control of routers and switches running certain versions of the software. Cisco said it’s not aware of any “active exploitation” of the vulnerability, which will give customers at least short-term comfort. But Cisco notes that successful exploitations of similar vulnerabilities in the past have resulted in denial of service when the exploit caused a router to crash and reload. “In the event of successful remote code execution,” Cisco warns, “device integrity will have been completely compromised.”

http://www.crn.com/sections/custom/custom.jhtml?articleId=173500374

Better Spyware Defenses Needed

March 8, 2008 – 6:02 PM

Warning: Long ramble ahead.

A lengthy discussion has popped up on the Bugtraq mailing list. It began with an observation from a user that Microsoft Antispyware missed software from Claria and a whole raft of cookies. It is not surprising that it did not detect the Claria software, since Microsoft has decided that adware will not be detected by default.

The discussion has turned into a series of suggestions for reducing the number of malware infections. New posts are arriving as I write this.

It is an interesting question; and it made me start thinking. As long as it is legal and as long as there is money to be made in doing it, people will continue to create unwanted software parasites. How do we stop those parasites from infecting the average computer?

Everyone seems to agree that computer users need to be educated about the risks. I believe that the people most at risk of becoming infected by spyware are those who have connected to the internet for the first time.

The incident that turned me into a crusader against spyware was an ActiveX drive-by installation of Comet Cursor. I had been online for just a couple of days and decided that the default browser security settings were too tight – so I loosened them.

Basically, what I did was to leave the keys of a very nice car sitting in the ignition after parking it in a seedy neighborhood. It happened because I was ignorant of the risk. No one told me that the neighborhood was dangerous, so I dropped my guard. If I had known that spyware could appear on my computer just from surfing a web site, I would have been more likely to tighten the security settings, not loosen them.

Education is not the whole answer. Despite all the warnings, people still become infected. I still receive emails with the “I Love You” virus attached; and that virus is six years old!

Laws will help to a certain point. Unfortunately, the people creating the worst of the malware already realize that what they are doing is wrong. Most of them will not care about laws.

The ultimate solution will have to be technological. The software which claims to protect against spyware will have to start living up to that claim. I can think of three things that antispyware software can start doing which will prevent the majority of spyware infections.

Number One:

At the moment, the second most popular method used to install unwanted software is to exploit browser flaws. Microsoft releases patches for most of these flaws but many people do not install them. Going to the wrong web page with an unpatched browser is like leaving home with the front door wide open.

This should be the first thing examined by antispyware software. If a patch, which fixes a flaw used in the installation of malware, is available and it is not installed, the software should point that out and tell the user to install it. It should make such a pest of itself about the patch that the user installs it just to make the program shut up.

You couldn’t do that with the corporate version, because the IT department may have vetoed a patch for causing more problems than it fixes. In the home version, the antispy program should make it difficult to ignore a patch that fixes a hole used by malware.

Number Two:

The most popular way to install spyware continues to be the third-party bundle. For years, most file sharing programs have been installing spyware. The antispy programs should keep a list of those P2P programs known to bundle third-party software and pop up a strong warning if the user is trying to install any of them.

Even better, why not scan any installer package as soon as it loads into memory? Most installers are just scripts which extract archived files to predetermined locations. With most installers and the right software, you can see what files are located inside, as if it were a regular Zip file. If the files for Gator or SaveNow are located within an installer, force the installer out of memory and pop up a warning.

Number Three:

After browser flaws and third-party bundles, the next most common source of malware infestation probably is the ActiveX installer. There is a common misconception about ActiveX. People believe that, if ActiveX has a signed digital certificate, it can be trusted. It is the unsigned ActiveX that is the problem, or so people are told.

The fact that an ActiveX program is signed means exactly NOTHING. Every single piece of ActiveX malware that I have seen has been signed. Every single one of them. Even the porn dialers are signed.

In theory, the certificate issuer will revoke a signature if the software is used for malicious purposes. X-Block once tried to convince Verisign to do just that. Verisign would not do it, despite clear evidence that the program was malicious. The digital signature system is nothing but a scam, since the issuers will do nothing about the malicious use of the signed files.

However, since those programs ARE signed, that makes things a little easier. The antispy program should install a Browser Helper Object that reads each ActiveX certificate as Internet Explorer downloads it. If the ActiveX is signed by a company associated with malware, block it and pop up a warning.

This presents the malware creator with a cruel choice. They can leave their malicious creation unsigned and risk having the browser block it. Or they can choose to sign the files, making it easier to identify them. They can randomize the file names all they want and it will not matter. Not even the wealthiest of adware companies can afford to buy multiple digital signatures in order to avoid this sort of detection.

I know most of the antispyware developers are reading this. I am suggesting very strongly that they look into seeing if these things are possible. If the antispy programs start doing this, I believe it will put up a roadblock to the three main avenues of spyware infection. With those roads blocked and guarded by armed sentries, the neighborhood will become a little safer for everyone.

http://www.spywareinfo.net/oct27,2005#betterdefenses
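Proposal Number Two above, looking inside an installer package for known bundled components before it runs, as an added example in Python that is not code from the spywareinfo post or any antispyware product. It assumes a Zip-based installer, a constructed deny list of entry-name glob patterns (illustrative names, not real indicators), and constructed sample archives built in memory.

```python
"""Deny-list scan of a Zip-based installer for bundled third-party components.
Added example; not code from the spywareinfo post. It models proposal Number
Two: list the files inside an installer package and block it if any match a
deny list of known bundled adware, before the installer is allowed to run.
"""
import io
import zipfile
from fnmatch import fnmatch

# Constructed deny list (assumption): lower-case glob patterns for archive
# entries associated with bundled software. Illustrative, not real indicators.
BUNDLE_DENYLIST = {
    "gator*.dll": "Gator",
    "savenow*.exe": "SaveNow",
    "*trickler*.exe": "Gator (trickler)",
}


def scan_installer(package: bytes) -> dict:
    """Return {"format": ..., "hits": [(entry, family), ...]} for a package image.

    Only Zip-style packages are inspected; other installer formats would need
    their own reader, so they are reported as "unknown" rather than "clean".
    """
    if not zipfile.is_zipfile(io.BytesIO(package)):
        return {"format": "unknown", "hits": []}
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Match the bare file name so a randomised directory layout
            # does not hide a known component.
            base = info.filename.lower().rsplit("/", 1)[-1]
            for pattern, family in BUNDLE_DENYLIST.items():
                if fnmatch(base, pattern):
                    hits.append((info.filename, family))
                    break
    return {"format": "zip", "hits": hits}


def should_block(package: bytes) -> bool:
    """Block only on a positive match; unknown formats are left to other checks."""
    return bool(scan_installer(package)["hits"])


def build_sample_installer(bundle_adware: bool) -> bytes:
    """Constructed sample package: a setup stub plus an optional bundled payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ stub (constructed)")
        zf.writestr("readme.txt", "Constructed sample installer")
        if bundle_adware:
            zf.writestr("extras/random_name/GatorPlugin.dll", b"constructed")
            zf.writestr("extras/SaveNow_setup.exe", b"constructed")
    return buf.getvalue()
```

A package that is not a Zip archive is reported as "unknown" rather than silently passed, since a self-extracting or scripted installer needs a format-specific reader before the same check can be applied.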

A Peek at IE7’s New Security

March 8, 2008 – 6:01 PM

Microsoft has revealed some of the security changes to the upcoming Internet Explorer 7 and Windows Vista–changes that could cause trouble for some Web sites.

One key change is that Explorer will disable SSLv2, an older version of the Secure Sockets Layer (SSL) protocol. SSL is used to carry out secure Web transactions. In its place, Explorer 7 will continue to support SSLv3 and will enable Transport Layer Security (TLS) v1, a newer protocol.

The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1, Microsoft said on its Internet Explorer Weblog, part of the Microsoft Developer Network.

Some Sites Need Updates

Microsoft downplayed the possible disruption caused by the change.

“It’s a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2,” writes IE program manager Eric Lawrence on the blog. “Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.”

The company said security is a priority for the Explorer update, and has been soliciting suggestions for improvement–even from hackers.

SSLv2 was the first public version of SSL, and it suffers from several well-known weaknesses: for example, it provides no protection against man-in-the-middle attacks during the handshake, and it uses the same cryptographic keys for message authentication and for encryption. These and other problems were fixed in SSLv3, but the older version is still supported by most browsers and is in use on some systems.

IE 7 will introduce some changes to the user experience, including blocking navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL’s hostname–for example, secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.

Instead of giving the user a dialog box asking how to resolve these problems, as IE currently does, the browser will present an error page explaining the problem. The user can, however, choose to continue to browse the site, unless the certificate has been revoked, Lawrence said. If the user continues on, the address bar will be colored red as a reminder of the problem.

“Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate,” Lawrence advised.

Other Security Changes

If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the non-secure items be rendered.

Lawrence said this could head off future types of attacks. “Very few users (or Web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page,” he wrote.

Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.

A change to Vista’s Transport Layer Security (TLS) implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.

“If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present,” he wrote.

http://www.pcworld.com/news/article/0,aid,123215,tk,dn102605X,00.asp
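The certificate checks described above (hostname mismatch, untrusted root, expired, revoked) and the resulting block-or-warn decision, as an added Python example that is not code from the PCWorld article or from Microsoft. It assumes a certificate represented as a constructed dict rather than a parsed X.509 object, that names are taken from subjectAltName when present and otherwise from the subject CN, and constructed sample trust and revocation data.

```python
"""Classify the certificate problems the article says IE7 flags.
Added example; not code from the PCWorld article or from Microsoft. The
certificate is a constructed dict rather than a parsed X.509 object; the
checks map onto the described behaviour: an error page the user may click
through, except for a revoked certificate, which is blocked outright.
"""
from datetime import datetime


def hostname_matches(name: str, host: str) -> bool:
    """Exact, case-insensitive match, or a wildcard in the leftmost label only
    that covers exactly one label: *.example.com matches www.example.com but
    not example.com or a.b.example.com."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if name == host:
        return True
    if not name.startswith("*."):
        return False
    n_labels, h_labels = name.split("."), host.split(".")
    return len(n_labels) == len(h_labels) and n_labels[1:] == h_labels[1:]


def certificate_problems(cert, url_host, now, trusted_roots, revoked):
    """Return the set of problem codes for cert as presented by url_host."""
    problems = set()
    # Assumption: names come from subjectAltName when present, else the CN.
    names = cert.get("san") or [cert["subject_cn"]]
    if not any(hostname_matches(n, url_host) for n in names):
        problems.add("hostname_mismatch")
    if cert["issuer"] not in trusted_roots:
        problems.add("untrusted_root")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.add("expired")
    if (cert["issuer"], cert["serial"]) in revoked:
        problems.add("revoked")
    return problems


def ie7_decision(problems):
    """Revoked: blocked. Other problems: error page, user may continue."""
    if "revoked" in problems:
        return "block"
    return "error_page_user_may_continue" if problems else "ok"


# Constructed sample data (not real certificates or CAs).
SAMPLE_CERT = {
    "subject_cn": "secure.example.com",
    "san": ["secure.example.com"],
    "issuer": "Example Trusted Root CA",
    "serial": 4711,
    "not_before": datetime(2005, 1, 1),
    "not_after": datetime(2006, 1, 1),
}
TRUSTED_ROOTS = {"Example Trusted Root CA"}
NOW = datetime(2005, 11, 1)
AFTER_EXPIRY = datetime(2007, 1, 1)
```

The hostname check is deliberately strict, as Lawrence's advice implies: a certificate for secure.example.com does not satisfy a request to www.example.com, and a wildcard never spans more than one label.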