
Free-Speech Technicality Sets One Spammer Free, ‘World’s Largest’ Fined Millions

By Laura Yecies

In the past few months, several major cases involving some of the world’s most notorious spammers have had dramatically different outcomes.

Last week, Herbal King had its operations shuttered by a US District Court because the company was using spammers around the world to market its male-enhancement drugs. The case is pending trial, but the outcome could have distinct ramifications by significantly deterring US-based companies from risking the use of overseas-based contract spammers.

http://www.itproportal.com/articles/2008/10/17/worlds-largest-spammer-organisation-ordered-close-down-us-judge/


In another development recently, one of the biggest individual spammers of all time has got off scot-free in Virginia.

http://www.nytimes.com/2008/09/13/us/13brfs-SPAMLAWSTRUC_BRF.html?ref=technology

On Friday, the Virginia state Supreme Court struck down the state’s anti-spam law, reversing the felony conviction of one Jeremy Jaynes. While the name might not mean anything to you, this one person reportedly was responsible for sending millions of messages A DAY.

He didn’t even argue innocence. He claimed the First Amendment gives him the right to fill your inbox with junk mail. Okay, not exactly, but close. His lawyers argued the law was unconstitutional because it banned bulk email, including religious or political messages (which are protected speech). The court agreed.

Obviously the state government had intended to outlaw the kind of commercial spam Mr. Jaynes sent. But it serves as a good warning for states looking to enact similar laws: be specific.

The good news is that Mr. Jaynes and other spammers are not immune from the federal Can-Spam act, which is unaffected by the Virginia decision. So despite this set-back, you shouldn’t see a measurable increase in spam as a result.

Spam continues to be a scourge. Even if you are using your ZA anti-spam feature, spam continues to suck up bandwidth on networks, slowing Internet traffic and putting a major burden on ISPs and Web mail services. And for people not using an effective anti-spam solution, it is not only a nuisance but can include spyware, scams, or phishing lures.

Until the war against spam is won, stay vigilant!

Hackers Relying on Tricks over Technology

By Laura Yecies

Hackers today know there’s one easy way to bypass your firewall, anti-virus and anti-spyware – you.

Yes, they know it. If you have a full security suite, including all the core elements (don’t forget browser security), hackers can’t penetrate it without an express, written invitation from you.

What are the top tricks today?

1. You leave a window open. Or more specifically, you leave your MS Windows open. You know those zero-day patches Microsoft issues? Install them! Patch Tuesday? Don’t hesitate. The minute those vulnerabilities are disclosed, hackers go to work exploiting them.
2. Phishing – These e-mails still can occasionally evade some desktop and ISP filters and find their way into your inbox. Don’t fall victim…your bank won’t e-mail you and ask you to log into your account. When in doubt, call them directly (not the phone number in the email though).
3. Fake Web sites: Often advertised through search engines, these legitimate-looking sites will bait you into willingly downloading spyware etc.
4. Holiday fraud – Beware e-mails or search ads showcasing hard-to-find holiday gifts at bargain prices. Those deals are usually too good to be true.
5. Nigerian scams – For some reason, people still fall victim to those old Nigerian scams. NO, no one is ever going to offer you $5 million to rescue their inheritance from an evil dictator.

Hackers today, in competition now with each other, are relying on sheer numbers to infest and steal. They have to rely on tricks instead of technology. In fact, much of the basic technology used behind the simplest tricks can be easily bought by anyone looking to perpetrate a scam online.

I know it can be tempting to be passive about security…it’s not always convenient and we sure have heard about attacks for years! But there’s a reason why massive botnets exist on the Internet today – millions of PCs are hacked and the people don’t even know it. Or if they do, they don’t really care (i.e., “I don’t have anything to lose.” But you do!).

Granted, there’s always going to be a percentage of computer users who simply aren’t savvy about security. The technology scares them, or they simply don’t think they could be a target (the “why would a hacker care about me” defense).

But there’s also a percentage who allow their security subscriptions to lapse, assuming their 4-year-old security suite that came pre-installed on their PC can keep up. But it can’t. You need the updates (whether you use ZA or anyone else).

Hackers always innovate, and so do we to keep a step ahead. And when innovation stalls, they always have a few tricks up their sleeves.

UK Signs on For Child Safety – We Say ‘Make it Global!’

By Laura Yecies

Summer is long since over, school is well underway, and the realities are starting to set in. Around the world, a new generation of K-5 parents is dealing with a brand-new generational issue in child-rearing – how to keep your kids safe online.

We were Gen-Xers, the so-called slackers who turned out to be pretty ambitious after all. While we didn’t invent the Internet, many of us helped build it into what it is today.

Now, we’ve got to keep our kids safe, without having grown up in the same digital world. Yes, many of us are increasingly tech-savvy (the Internet started showing up in or around our college years, so we’re not completely clueless). But we certainly didn’t have the Net in kindergarten, nor were we building Facebook profiles at age ten.

Dating back to the old Zone Labs days, all of us here on the ZoneAlarm team have long supported consumer education with our Defend the Net campaign (download the PDF format How to Protect your Family Online guide here http://download.zonealarm.com/bin/media/pdf/defendTheNet_howToGuide.pdf ). But we’re just one voice. Last month, the UK government decided to undertake a massive effort to provide parents with a single-source guide to protecting kids online. From social networks to anti-malware, this site is expected to be very, very thorough.

More info here:
http://news.bbc.co.uk/1/hi/education/7638492.stm

It’s an honorable effort. But since the problems are hardly directed at the UK, I’d like to propose that this becomes a global effort. We need one source, in many languages, where parents around the world can find out all the information they need to protect kids online.

Currently, in the US, there are a plethora of resources, both public and private. We like www.safekids.org. FEMA has a site too, www.fema.gov/kids/on_safety.htm. As does the FBI: www.fbi.gov/kids/k5th/safety2.htm. And the National Cybersecurity Alliance: http://www.staysafeonline.info/home-quiz.html. And there are others.


Other sites we like:
NetSmartz
www.netsmartz.org

ChildNet International
www.chatdanger.com

Internet Content Rating Association
http://www.icra.org/kids

The New York Public Library
www.nypl.org/legal/safety.cfm


 

Bully Botnets 101

By Laura Yecies

Botnets continue to be the scourge of the Internet, affecting consumers, businesses and ISPs. The Storm worm, which over the past couple of years has created one of the largest known botnets ever and may have infected over a million PCs, is just the tip of the iceberg. The headlines are scary, but we believe it is possible to stay safe.

The first step is to understand the threat. What is a botnet, and how can you protect yourself from becoming a dreaded zombie?

Essentially, a botnet is a bunch of personal and even business PCs that a hacker has successfully compromised (with a Trojan, virus or other “backdoor” malware). Those PCs are referred to as “zombies” or “bots” because they are mindless thugs controlled remotely, used to carry out a cybercriminal’s dirty work.

In the past hackers often used botnets to launch distributed denial-of-service (DDoS) attacks against a company, often in some sort of protest (or to make a political statement, etc.). Basically, they wanted to wreak havoc. How did they do it? A hacker might harness the power of all the bandwidth available from thousands (or more) zombie PCs to flood a company’s servers with random, useless Internet traffic and data packets in order to bring down their Web site or disrupt e-mail/Internet communications. Then they’d brag about it.

Today, botnets are less typically tools of revenge and glory and more often exploited for financial gain. They may be “rented” out to other cybercrooks for sending out masses of spam, or they may be used to serve illegal content such as child pornography – enabling the illegal venture to essentially hide behind an innocent PC user.

Botnets are also exploited to steal financial information (hackers can build up financial profiles of the “people behind the PCs” by spying on online banking, shopping etc and sell the profile on the Internet’s black market), or they’ll use them to distribute spyware like keyloggers to capture sensitive information from even more unsuspecting users.

Now you know what a botnet is and how hackers use them. So how do you know if you could own a zombie PC? Slow, sluggish performance is one sign. Is your Internet connection lagging? Does your PC get stuck at times (and you’ve exhausted all other explanations, like you haven’t run your system maintenance for a while and you have adequate RAM etc)? Or, when you are doing nothing on your PC, can you hear it “thinking” (i.e., the processor is working, even when you’re across the room watching TV)? Does your firewall give you random alerts when you are surfing the Internet?

If you suspect your PC is a zombie, run a virus/spyware scan immediately and remove/quarantine any suspicious applications found. If viruses or spyware are found on your PC, consider changing your passwords and keep an eye on your bank accounts and credit statements. You can also take it a step further and sign up for an identity theft protection service if you suspect your personal information has fallen into the wrong hands.

How can you prevent your PC from turning into a zombie? Use a full security suite, set your firewall settings to “high”, and make sure you keep all of your antivirus and anti-spyware definitions/signatures up-to-date. Also, keep your PC’s operating system, plus all other installed software such as your browser, current by installing new security updates and patches. This simple step can make a major difference, since hackers often install malware through exploits in everyday software.

Have you ever become part of a botnet? I’d love to hear your stories.

Phishing E-Mails Still Clog Inboxes – How Do You Spot ‘Em?

By Laura Yecies

As PC and browser security closes more and more holes, hackers are spending more time and effort finding ways to try to trick you into giving them access to your PC or giving up your personal data.

Phishing, or fraudulent e-mails posing as legitimate messages, remains a popular tactic by hackers. There’s little technical knowledge required to set up a phishing scam. All a person has to do is set up a real-looking Web site and spam hundreds of thousands of e-mail addresses, and wait for an unsuspecting victim.

Bank-related phishing e-mails remain the most popular, because we all notice a message from our bank and are likely to feel a sense of urgency to act. One common format is the “warning” e-mail. Ironically, hackers will base the theme on the premise that your account has already been hacked! One phishing e-mail I recently received came with the subject line, “Suspicious Activity Logged on Your Account – Please Respond Immediately.” The e-mail had very convincing graphics, and sounded alarming. I instinctively knew it was a fake, but because the e-mail did happen to be branded with my bank’s name, just in case I called to make sure there were no issues with my account. If you ever question an e-mail from a bank or credit card institution, just call your bank’s main number (but NOT the one in the e-mail…hackers use fake numbers too).

PayPal and eBay are also common themes used in phishing e-mails. In fact, a week ago I surfed over to Phishtank.com, a reporting site for phishing Web sites. Out of the top 50 most recently reported, 18 were fake PayPal sites, 6 were fake eBay sites, 22 were banks, and 4 were misc (including a fake MSN login Web site and a UK customs site).

There are two new ones that recently showed up in my inbox that I haven’t seen before. The first was from FedEx, telling me that my package was not delivered. Since I had recently sent a package, I was fooled! Luckily, when it asked me to track the package using my credit card, I wised up and went directly to FedEx.com to track my package (it had been delivered).

The second was from a dating site. The phishers put together a realistic looking dating site and ask you to join. It looks like a scheme to capture your passwords (based on the assumption you use the same or similar passwords for many different sites).

The lesson? Phishing e-mails have not abated. So when you receive a suspicious e-mail in your inbox, be wary. And when in doubt, use the phone. Your bank (assuming it’s still in business!) and other financial institutions won’t mind.

Invisible Clicks – Could a Hacker Hijack Your Cursor?

By Laura Yecies

There was a potential threat unveiled at the OWASP AppSec 2008 conference at the end of September, and after a little internal review we believe it is worth a warning.

It’s a new kind of browser attack, currently only known to be a proof-of-concept threat (meaning we haven’t yet seen it in the wild). Dubbed “clickjacking,” it highlights the growing focus on the browser as the attack vector of choice for hackers.

According to Gregg Keizer at Computerworld, researcher Robert Hansen, founder and chief executive of SecTheory LLC, and Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. have discovered a way that hackers can trick you into doing virtually anything – reportedly without ever even compromising a Web site.

Here’s the original story:

Security researchers warn of new 'clickjacking' browser bugs
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115700


While the story doesn’t contain many specific details because the researchers are wisely working with browser and Web technology vendors to fix the flaw, it appears that hackers can set up shop in the middle of your browser and an Internet site and place hidden “click” buttons with various commands. For example, a hacker could place an invisible button over a legitimate link on a Web site, triggering a malicious download or otherwise opening up your PC to attack.

Here’s how the story describes a potential scenario:

"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls," Grossman said in an e-mail on Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."

We’re waiting to hear more, and as soon as the POC code is made public we’ll get to work testing and vetting the threat against ZoneAlarm, the Suite and ZoneAlarm ForceField. Our initial assessment is that ZoneAlarm ForceField would provide a key layer of protection, by isolating the attacker in your virtual browser and preventing malicious downloads. Additionally, your ZoneAlarm Firewall is built with a self-defense mechanism that prevents remote commands from disabling its protections.

Browser security continues to be a very high priority, and we remain committed to helping you surf safely.
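
A site-side check for the hidden-button scenario described above, as an added example that is not part of the original post or of any ZoneAlarm product. It assumes the overlay is mounted by loading the target page inside a frame on another site (a detail the post does not give) and classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers; the function names, hosts and sample responses are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers (keys lower-cased).
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // When present, frame-ancestors is enforced instead of X-Frame-Options.
    if (ancestors.length === 0 || ancestors.every((s) => s === "'none'")) return 'deny';
    if (ancestors.every((s) => s === "'self'")) return 'same-origin';
    // A wildcard or a bare scheme lets any site on that scheme frame the page.
    if (ancestors.some((s) => s === '*' || /^https?:$/.test(s))) return 'unprotected';
    return 'allow-list';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing, misspelled or ALLOW-FROM values are reported so they get reviewed.
  return 'unprotected';
}

// Constructed sample responses (hypothetical hosts), not captured traffic.
const SAMPLE_RESPONSES = {
  'https://bank.example.test/transfer': { 'x-frame-options': 'DENY' },
  'https://shop.example.test/checkout': {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self'",
  },
  'https://news.example.test/vote': { 'x-frame-options': 'ALLOW-FROM https://a.example.test' },
  'https://queue.example.test/add': { 'content-type': 'text/html' },
};

function auditResponses(responses) {
  // URLs whose pages another origin could still load inside a frame.
  return Object.entries(responses)
    .filter(([, headers]) => framingPolicy(headers) === 'unprotected')
    .map(([url]) => url);
}

console.log(auditResponses(SAMPLE_RESPONSES));
```

Pages that trigger state-changing actions (transfers, votes, queue changes) are the ones worth running through such a check first.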
