« February 2009 | Main | April 2009 »

The Conficker Worm: Signs, Protection, and Removal

By Daniel Armao, Security Advisor

Experts believe that the Conficker worm, which has infected millions of PCs, is programmed to change on April 1st 2009, dangerously increasing the number of domains that infected PCs contact to run an update program. This worm has not delivered a payload yet, but if it does, it could install spyware on the infected machines to steal financial information or conduct a denial of service attack against websites.

The Conficker worm, first discovered on October 2008, infects a PC through a vulnerability in the Windows Server service that was patched by Microsoft Windows security patch MS08-067. (Note that Mac operating systems are not at risk.) The worm tries to find connections to systems that are unprotected by the patch. When it infects a PC, it connects to a rogue web server that is controlled by the Conficker creators.

To protect yourself from Conficker:

·        Make sure you update your PC with updates from Microsoft by using the automatic update feature. Network Administrators must make sure to get the latest security updates by Microsoft.

·        USB drives may get infected by the Conficker worm if Autorun is not disabled. To prevent a USB infection, PC users can download a patch that allows the option to disable the Autorun functionality: http://support.microsoft.com/kb/967715

·        Make sure your PC has active, updated security software and the latest virus signature definition updates to detect:

o        In ZoneAlarm, click Antivirus on the left navigation bar, then click the Update Now button. (ZoneAlarm is set to receive virus signature updates several times a day—you can set them to happen hourly by going to the Antivirus panel and clicking Advanced Options.)

o        To make sure your product is up-to-date, click Check for Updates on the main panel, lower left corner.

o        A strong two-way firewall is also recommended, so a suite that includes a firewall and antivirus is ideal. (For example, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, or ZoneAlarm Extreme. Free trials are available.)

·        Networks with weak passwords can also allow the Conficker worm to infect systems by the use of brute force software which is designed to guess short and simple passwords. To protect yourself, use long and complex passwords that have at least 6 characters, are unique, and include numbers, upper- case letters, and symbols.

Signs you may be infected with Conficker:

·        Windows services are disabled—such as Automatic updates (in System Properties panel), Background Intelligent Transfer Service, and Error Reporting service (in System Properties).

·        Some security-related web sites are blocked. This web page loads several of the security sites typically blocked -- http://eyechart.sie.isc.org/  -- so you can check it to see if you may be infected.

·        You experience a slow response from network domain controllers (i.e., slow security authentication request responses)

·        Your system restore points are deleted

 

REMOVAL INSTRUCTIONS FROM ZONELARM TEAM:

To detect and remove the Conficker worm:

·        If you do not use ZoneAlarm, please check for removal details at the Web site for your security software.

·        If you have ZoneAlarm, click Antivirus on the left navigation bar, then:

1.     Click the Update Now button.

2.     Click the Scan for Viruses/Spyware button.

3.     If the scan results show a virus with any variation of the names conficker, kido or downadup, remove it immediately with our remover tool. Download tool.

Posted by ZoneAlarm on March 31, 2009 at 02:38 PM in Malware, Spyware, Worms | | Comments (22)

|

Sign on the pad, not paper? Gladly!

By James Grant, Team Lead and Senior Developer

When big stores started using digitizing pads to capture my signature for purchases, I had my usual paranoid reaction. No way! Think of all the ways it could go wrong:

1) My signature is stolen, gets applied to some other purchase, and I have no proof I didn't buy it

2) The store computer captures the purchase amount incorrectly and I get charged $150 instead of $15 for a watch

2) The store charges me twice when I purchased once

3) The store intentionally alters the price and I have no legal recourse

Signing for a computer - it's not the same
The beauty of signing on paper is you sign the same piece of paper that shows your purchase amount. You get a copy, they get a copy. In case of dispute, you each have evidence. The store cannot alter the amount without the risk of a detective discovering the alteration. They cannot apply that signature to another purchase. Also, it is a system that has worked reasonably well for decades and I have already accepted the risk.

When you sign on a pad or a "screen", most of them display the amount of your purchase, but when you hit the "OK" button, your signature gets stored in one computer file and the purchase amount gets stored in another (I expect, though I've never built or audited one of these). From my understanding of databases, I expect all these PoS (point of sale) systems record a transaction, and record the amount and the name of the file that contains the signature.

All four nightmare scenarios are possible
The computers used to handle sales are very much like the computer you use at home. They store information digitally and files get moved around from one computer to another. Sales computers can have software bugs, just as home computer software or voting machines can. I have been accidentally charged twice (it was an over-the-phone order), by an employee using a computer he didn't understand. I have no experience with a store intentionally defrauding me, but I have been a victim of credit card fraud, so it is no stretch to think a criminal would take my signature and use it if they could get hold of it.

So initially, I resisted using the signature pads. I asked to sign paper. At the start, when the pads were new, the stores still had the ability to print a paper receipt for me to sign, so I got my way. I noticed an increasing resistence however. I also noticed how my wife would roll her eyes, so I knew I needed to work out a compromise.

Problem Solved
One day, when asked to sign on the pad, I tried an experiment. I discreetly wrote the purchase price in the corner of the screen and signed in the middle. Accepted! So I kept it up. Before long, I was in the habit of putting the purchase price at the top in the middle and intentionally signing so that my signature overlapped the numbers.

Once I saw that being accepted, I decided my problem was solved. It address three of the four worries I listed at the top and I can't imagine a thief going so far as erasing the numbers in an attempt to isolate my signature - that is pretty extreme.

So for anyone out there who has been nervous about the adoption of digital signature pads, try what I do: write the purchase amount first, then sign over it. 

Posted by ZoneAlarm on March 25, 2009 at 03:12 PM in ID Theft | | Comments (1)

|

Best Tricks for Staying Ahead of Unpatched Software Exploits

By Liam T, Security Advisor, SecureTec Australasia

Firewalls, antivirus, and antispyware programs are an essential part of keeping your computer secure, but allowing insecure programs to access the internet threatens to undermine this protection. An “insecure program” is simply a program which contains a known security vulnerability which all too often has the potential to allow an attacker unrestricted access to the computer. In my experience it is not uncommon to find between 5 -10 insecure programs installed on an average computer.

A firewall can stop unauthorized access to the computer and prevent unauthorized programs from accessing the internet, but allowing an insecure program to access the Internet is a bit like leaving a bank vault door open and hoping the security guard inside (your antivirus/antispyware protection) is tough enough to deal with the criminals which will inevitably show up.

Ensuring you have the latest updates for Windows and “all” the other software installed on your computer will protect your computer from many common security exploits and in essence close the door to the vault. But this can be harder than it sounds, which is why I’m sharing a few tips to make it easier to stay ahead of exploits.

1. Make sure you have enabled Automatic “Microsoft” Updates.  The first step in ensuring your computer is up to date, is to make sure that the Windows Automatic Updates are turned on and that you are checking for “Microsoft” Updates as opposed to “Windows” Updates. Microsoft Updates will update the majority of Microsoft products (including Office) in one go, whereas Windows Updates generally only updates Windows itself. To enable checking for Microsoft Updates click the link below and follow the prompts:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

2. Check for and update insecure programs. Checking for and updating insecure programs installed on your computer can be quite troublesome, but thankfully this task has been made significantly easier with the release of software scanning tools from Secunia:

Secunia Software Inspector program (free for home use):

Secunia Corporate Software Inspector (more advanced paid version for businesses):

3. How secure are the programs you use? Ensuring software is up to date is an important step in staying secure but it will still not prevent exploits in programs for which a patch or update has not been released. For example, Internet Explorer was vulnerable to exploits for 284 days in 2006, leaving users exposed to potential attacks. Other easily forgotten software which use browser plugins, such as Macromedia/Adobe Flash, Adobe Acrobat, Java and QuickTime, also tend to be hit by several exploits a year. If you would like to check the security of specific programs you use, you can do so here: http://secunia.com/search/

Many users have also experienced fewer incidences of browser exploits using Mozilla Firefox as an alternative to Internet Explorer. Firefox, like Internet Explorer, has its share of security flaws but their patch release time is extremely fast, averaging 1-3 days, unlike Internet Explorer which has at times been weeks or even months before a patch was released. More information about Firefox can be found here: http://www.mozilla.com/firefox/. Users of alternate web browsers like Firefox still need to ensure that the plugins for their browser such as Flash, Acrobat, Java and QuickTime are always kept up to date.

As many security exploits target common web browsers and their plugins, ZoneAlarm ForceField was released to provide protection against these threats. ZoneAlarm ForceField protects Internet Explorer and Mozilla Firefox, and their plugins, by creating a virtual "bubble" around the web surfing session, protecting the computer from fraudulent websites, Phishing scams, Spyware websites, and dangerous downloads. If you aren’t already using it, you should seriously consider it.

NOTE from the ZoneAlarm team: ZoneAlarm security suites also have a program control feature that may provide some protection when no vulnerability patch is available. By default, ZoneAlarm program control’s “least-privilege” policy can help prevent an application from running in a way that allows the vulnerability to be exploited. For example, say a vulnerability exists for an application and you cannot patch it yet. The vulnerability may require that the application have server rights to in order to be exploited, but thanks to the least-privilege policy, server rights would not be granted.

Posted by ZoneAlarm on March 18, 2009 at 01:30 PM in Malware, Spyware, Worms | | Comments (1)

|

Do-it-yourself identity theft protection (for extremely attractive people)

By Jordy Berson, Group product manager, ZoneAlarm products
 
It's hard to get away from the onslaught of advertisements on the radio, from your credit card company, and similar for identity protection services.  And to some, paying somebody else to monitor their credit is worth the cost.  Then there's the rest of us, the ones who do *not* get the extended warranty at Sears for the drill we just bought, who don't get the extra insurance when we rent a car, and who simply prefer to take care of matters ourselves and save our money for better things.

Some people call us "cheap."  I prefer "frugal, smart and extremely attractive because of it."  In that vein, here are some ways to take protection of your identity into your own hands - the "Cliffs Notes" version.  If you want the long version, check out the FTC's Web site (link at bottom). 
 
Ways to take care of your own identity:
 
Fraud alerts:
  • What it does: When you (or a thief) goes to a store with your credit card, the store keeper will be notified to double-check your identity before allowing any transaction. 
  • When to use them: When you think you're about to be a victim (ex. your wallet was just stolen) and when you know you're a victim.
  • Cost: Free under the federal Fair Credit Reporting
  • Types: Initial (90 days, can be renewed) and extended (7 years)

  • How to do it:

    Call any one of Equifax: 1-800-525-6285; Experian: 1-888-EXPERIAN (397-3742); TransUnion: 1-800-680-7289. Whichever one you call is responsible for contacting the other two agencies on your behalf.

Credit freeze:
  • What it does: Restricts anybody from accessing your credit report.  So if a thief tries to open a line of credit using your name, he will have to check with you first. (Hint: don't let him do it.)
  • When to do it: As a preventative device; or if you're already a victim.
  • Trade-offs: Legitimate access to your credit report, such as when you rent a home, buy a car, or get a new credit card, will require that you temporarily unfreeze your credit report to allow access.
  • Cost: Costs for freezing and unfreezing your credit vary state-by-state and by your status (victim or just a smart guy trying not to become a victim).  Check with your state attorney general’s office or visit www.naag.org.
  • How to do it: Call *each* of Equifax: 1-800-525-6285; Experian: 1-888-EXPERIAN (397-3742); and TransUnion: 1-800-680-7289 (a credit freeze placed at one company is not referred to the other companies.) Beware that the three major credit reporting companies have begun offering credit freezes directly to consumers — for a fee — regardless of whether their state has a freeze law.
Free credit report:
  • What it does: Unlike fee-based services that constantly monitor your credit report and alert you to alarming behavior, this allows you to do it yourself - although not constantly. 
  • When to do it: As much as the law allows for free, which is once/year for each company.  So do one of the agencies every four months for the best coverage.
  • Cost: Free every 12 months for each agency.
  • How to do it: Visit www.annualcreditreport.com
Opt-out of free credit card offers:  (This tip comes from we the people at ZoneAlarm, which we got from our id theft partner, who got it from their neighbor, who got it from his dog, who got it from...)
  • What it does: Stops all those free credit offers from getting into your physical mail box. It turns out there's enough information about you in one of those envelopes for someone to steal your identity.
  • When to do it: If you notice strangers digging through your garbage at night. Or if you don't need any more credit cards, you want to be greener, you are extra safety conscience, ...
  • Cost: Free
  • How to do it:Call 1-888-5-OPTOUT (1-888-567-8688) or opt out on.line at http://www.optoutprescreen.com.
 Victim assistance:
Links:

Posted by ZoneAlarm on March 11, 2009 at 04:05 PM in ID Theft | | Comments (1)

|

Controversial DNSSEC could solve pernicious Internet security issues

by Albert Sweigart, Consumer Security Development

The well-known security researcher Dan Kaminsky pushed for the adoption of DNSSEC (Domain Name System Security Extensions) in his recent presentation at the Black Hat DC conference. Kaminsky is famous for a critical flaw he found in the Domain Name Service protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to the numeric Internet Protocol address (such as 209.87.209.206). By exploiting the flaw, Kaminsky discovered a DNS server can be tricked into resolving the domain name to a different IP address. This would allow the attacker to trick someone visiting YourOnlineBank.com to a fake replica of the website that they control. The user would unwittingly give their online bank password to the attacker’s fake website.

That vulnerability has been patched since, but the DNS protocol itself in many ways remains fundamentally insecure:

  • DNS is not a secure protocol by itself, and software applications do not rely on it for security. The use of cryptography imposes some computational expense on the server and cause scalability issues. Secure Sockets Layer, the technology that most consumers interact with by seeing the tiny lock icon next to the URL bar in their web browser, mitigates this problem somewhat. A fake website would not be able to reproduce the proper SSL certificate, and web browsers display warnings about accessing web sites with invalid SSL credentials. However, users are amazingly resistant to such warnings, and the “click the button to make the message box go away” mentality causes many users to ignore these warnings.

  • Unfortunately, a more common attack would just be not employing SSL at all. Redirecting a user from YourOnlineBank.com (which uses SSL) to the fake replica website (which does not use SSL) would not produce any browser warnings. The cannier user may notice the lack of the “https” in the URL before entering their password, but most would not.

  • With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy targets to hackers. By hijacking the YourOnlineEmail.com, an attacker could then go to Facebook, Ebay, or any number of online web services and request a new password sent to a user’s email address (such as BObama@YourOnlineEmail.com). This password would then be intercepted by the attacker when it is sent not to the real YourOnlineEmail.com, but the fake one in the control of the attacker. The real user is never involved or aware of the attack at any point.

DNSSEC is a proposed protocol (introduced in RFC 2065) that would secure the DNS protocol using public key encryption, but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain. Without a demand from applications, there is little incentive to add DNSSEC.

DNSSEC also has a political problem with the international community and more libertarian proponents of the Internet. The DNSSEC protocol would place the root authority to authenticate the entire domain name system with the U.S. Department of Commerce, including the domain name system of 187 different countries. This centralization of authority would also give the government the power to disable domain names, or perform DNS hijacks themselves.

Kaminsky has always been lukewarm to the idea of DNSSEC, but despite its problems and complexity Kaminsky is for securing the DNS protocol. A fix at this level of the Internet could potentially solve an entire class of security problems. The pressure placed on networks and DNS servers by business and consumer interests provide too large of an incentive to ignore this issue forever. And while the work to simplify the administration of DNSSEC is still far in length, Kaminsky has pointed that the implementations of proposed alternatives to DNSSEC (such as DNSCurve) are far behind.

Posted by ZoneAlarm on March 05, 2009 at 08:52 AM in PC Security, Security Industry, Technology, ZoneAlarm | | Comments (1)

|

Real World Internet Safety Tips for Using Public Wi-Fi

By James Grant, Team Lead and Senior Developer

I was recently traveling and wanted to keep in touch with both work and the world. I packed my laptop and was off. On arrival, the hotel clerk proudly told me that the hotel offered free Internet over Wi-Fi, no encryption to worry about. Great! I guess...

Confession: I get a little paranoid about security so I'm thinking through all the ways this could go wrong: the person in the next room is going to see all my Internet traffic because it is going over the airwaves like a cell phone call; the person in the next room will try to hack into my computer; the person in the next room will see my email address and I will get more spam. I need a new room! But wait, everyone in the hotel can see my traffic-- as well as anyone driving by! Well, the good news is that not everything you do on the Internet puts you at risk.

Using email

The first thing I wanted to do was check email at work. My company uses a VPN to support email access, so I can do that safely. I am free to use a public Wi-Fi link because a snoop will not try to decrypt my VPN traffic to read the emails. The VPN is the strongest link in the chain, not the weakest link.

The next thing I wanted to do was check my personal email at Gmail. There I have to be a bit more careful. I deliberately go to https://gmail.google.com (instead of http://...)because then Gmail gives me an encrypted connection (safe). If I just typed gmail.google.com, my login would be encrypted, but the emails I read and wrote would be unencrypted and any snooper could see them! Remember: whenever you see "https" at the start of the link in your browser, it means you're a lot safer than "http".

Checking online news

With that done, I wanted to check the news. Now I personally don't care who knows what news articles I read, so I freely went to my favorites:

www.news.google.com, www.theregister.co.uk.

Using Facebook

Then I wanted to check what was happening at Facebook. Darn. That's where I caught myself and chose to wait. Facebook encrypts the actual login, but after that it isn't as safe. Snoopers could learn the email address I use to log in as well as my profile ID (every Facebook member has a unique profile ID).

They also might be able to get my "session token": information that lets them connect to Facebook as if they were me. I could be wrong, like I said, I get a little paranoid. So I did not connect to Facebook over the unencrypted Wi-Fi.

Banking and other private activities

What else would I not recommend in a public setting?

- banking - even if the connection is encrypted, I reveal what bank I use

- online investments - same as banking, only more money at stake

- private activities: IM, political activities, porn (no, I'm

not confessing anything here. It's you, Dear Reader, I am thinking of!)

Avoid all of these things on unencrypted Wi-Fi, unless you use a service like Anonymizer Anonymous Surfing. With a service like Anonymizer, everything works the same but your network traffic gets routed through their server using an encrypted connection. Snoopers can't tell where you're going or what you're sending.

What about public computers?

A final note about using a public computer (library, conference, hotel, etc.) I would not log on to any account of mine on a public computer, even if it were an encrypted https: website. The computer might have a virus or other tool for logging everything you type. Think of a public computer as having the public looking over your shoulder.

Posted by ZoneAlarm on March 03, 2009 at 09:35 AM in Facebook Security, ID Theft, Phishing & Spam, Security Industry, Technology, ZoneAlarm | | Comments (1)

|