Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” yielded images which had embedded exploits which would take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical newspaper society, many get their news from online news sources.  Of that many, some will consistently goto the same sites to get information, the rest will simply search for (dare I say Google) what specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often. While users may have become more aware of this when looking a links in a typical Google search, they may not be as aware when doing searches on images (like have occurred recently with Charlie Sheen and the Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever changing malicious environment we call the Internet?

  1. As a “safe browsing technique” – try to use known, “reputable” new sites when you are looking for topical information.  I will concede that just because news site is well known does not make it immune from being hacked or to be delivering malware.  But the chances are much less with those sites than general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off to bring up your system processes and just kill off your browsing sessions and start over.
  3. Make sure you operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.
Follow these precautionary steps and you could be “winning” too…

P.T. Barnum wasn’t wrong – Firefox Beta Links spread Malware

It should not come as a surprise to you that Firefox is available for free download from Mozilla (hence the Open Source Project).  This must not be apparent to users who are being fooled by a fake Firefox 4.0 beta download scam.  

The scam goes a bit like this:

  1. You want software but don’t want to pay for it (in this case a new version of the Firefox browser)
  2. You get email/see link/etc that a new Firefox browser is going to be out
  3. Email/Link/etc portends to provide either a software crack or a key generation file (items used to break registration of what should be purchased software).
  4. You download and run crack files
  5. You get infected with a Trojan

Reports note the following trojans have already been seen using this scam:

  • FraudTool.Win32.FakeVimes
  • Trojan-Downloader.Win32.CodecPack.2GCash.Gen
  • Trojan.DNSChanger.Gen
  • Virus.Win32.Parite
  • TrojanDownloader-Win32/FakeRean

Moral(s) of the story:

  1. Always check an authoritative source.  If you are interested in the Firefox 4 Beta, check out Mozilla’s site and download it there.
  2. It’s always a bad idea to pirate software.  Sites that host/distribute cracked versions of software and keygens are already operating in a shady area, don’t be surprised to get infected/attacked if that is a site you visit.  (As I tell my kids, don’t touch that, you don’t know where it’s been).
  3. Patch and Update.  For at least the few noted pieces of malware being spread here, if your system is patched and your AV updated you should be okay.  However, this can change at any moment, so don’t test it.

Cell phone security best practices – keeping your personal information personal.

In presentations I give on security, I have become accustomed to a pattern of presenting the information.  Step one, pose questions or situations that allow your audience to immediately identify with you or the subject.  Step two, provide case studies or scenarios that provide examples to support the subject.  Step three, give the audience some actionable items.

This article is all about supporting step three.  If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

In this case, I wanted to provided supporting information to the Does My Cell Phone Have a Virus article. Also this seems very timely with the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, nevermind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…

But I digress…   Most all the offline questions I have received from my last article have had a common theme:

  • I did this, did I get a virus?
  • My insert_model_phone_name_here is acting funny what do I do?
  • I installed this app, is it legit?

Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid.  You want to put preventative measures in place so that these concerns should be minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

  1. Loss is your biggest risk, don’t lose your phone.  Your cell phone can have the equivalent information as your birth certificate, bank statements, and diary all in one location.  Maintaining physical control of the device is the best thing you can do to avoid losing your information.
  2. Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device.  This is the single biggest thing that users complain about the inconvenience of.  If anyone were to pick up your device, do not leave it wide open for anyone to read.  Protect it.
  3. If your device offers encryption of the device and any removable media, use it.  If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information.  Make it difficult for someone to get the data.
  4. Just because you can download hundreds of applications, does not mean you should.  Be aware that many free applications are made to get personal information from you (again see my other post on this).  Others may actually be malicious.
  5. When downloading applications, be especially careful of banking applications. Only download them from trusted sources.  If you can download directly from the bank, that is your best option.  If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.
  6. Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
  7. If your device supports WiFi, only connect to secure and trusted networks.  A network called “FreeWiFi” usually is not the best option.
  8. Limit the amount of data you store on your phone.  If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it.  Limiting the amount of data on the device limits your risk if the device is lost or stolen.
  9. From a financial liability standpoint, inquire about cell phone insurance from your provider.  In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
  10. If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost.  If you remove all the data, you can limit your loss to just the device itself.
  11. Inquire with your provider and check with device manufacturer for device patches and upgrades.  Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
  12. If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and SPAM prevention software.

Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone.  If you follow these steps, chances are you should be okay.  In the rare case you loose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo) know that all bets may be off.  But for the average person, you’re going to be okay.

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????

Here: http://www.spylogic.net/2010/02/facebook-spam-on-blackberry-devices/

Thanks to the guys that really spend a lot of time reviewing social media stuff (specially Tom Eston and Kevin Johnson), they have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for Blackberry application.

What makes this troublesome from an information protection standpoint is that, the Facebook application is actively scanning your email inbox.  In the case of many, many Blackberry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to facebook.com) I’m sure you all read the EULA when you installed the app right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, you have full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologizes, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry.  Uninstall it.  NOW! Do not finish reading this post, uninstall the app and come back to finish the post.

To RIM:

I trust (which is always a bad thing) when you provide a singed application that you have performed a review of how the application performs on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing) why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the FaceBook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a SPAM’ers ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly ad odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FASLE by default.  Which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible to BES 4.x installs, so everyone has the opportunity to enable this policy.

How do I really know this is you?

The recent OWA (Outlook Web Access) themed spam/crimeware reinforces what has been known for some time.  Criminals continue to get better and better at what they do. (http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html)

What is also enforces is that, it’s not about just keeping up.

Through the tiers of systematic scans and filters, we have managed to reduce an inordinate amount of SPAM and crimeware.  The use of signatures, heuristics, dictionaries, and external reputation scoring you can dramatically reduce the amount of spam received.  Through these mechanisms we now only deal with a single digit percentage of the total emails received at the gateway.

The next step in this battle has relied on the education of end users.  Given the fast changing landscape of how spam/malware/crimeware is changing, it’s a difficult prospect to expect end users to be able to dissect each email with a keen technological and investigative eye.  Though I will admit, this has been the common practice to help fight that which makes it through all your technical controls.

In the case of this OWA themed spam the emails look remarkably like they OWA system and sound professional enough to be legitimate.  It’s very easy for end users to discern spam when the wording of the email is similar to this:

“Good news dear, It is my pleasure to inform you that the latest development regarding the news from the New president of the United State of America to release all your fund through bank of america without any further delay.” (http://www.scambusters.org/scamlanguage.html)

However when the images are done well, the wording is grammatically correct, and the emails appropriately targeted, this can be a difficult task.

While this may be considered a tactical approach to combating these issues, I have a suggestion that can help fight this battle:

Provide your end users with a validation that internal emails are authentic.

By utilizing certificates to digitally sign your email communications, you provide your end users with:

  1. Message integrity (content is reliable)
  2. Validate origination (this came from a known trusted source)

In the case of the OWA spam, users would note that this is not digitally signed and from their trusted source.  So they don’t have to worry about discerning if the wording is correct, mousing over links to see if they are legitimate urls, etc.

This approach will help your organization communicate two messages to your end users.  One, the message you are sending in the email communications, and two the concern and support for reliable trusted communications between the company and the user base. Utilize your education and awareness campaigns to inform users of the point of digitally signed communications and hope that the applications of the technology find it’s way into other applications.  In the case you have an external certificate store, there is an excellent opportunity to use this to communicate with your customer base also.