Fireball Malware Strikes a Quarter Billion Computers

Unlike most malware, for which attribution is hard to determine, everyone knows where Fireball Malware comes from. Not only is it known to originate in China, but it is also known to be designed by the Chinese digital advertising firm, Rafotech. In fact, this may have been an advertising angle that got out of control. Digital advertising is a competitive business so many advertisers use browser plug-ins to increase their advertising effectiveness. That’s kind of what Rafotech did; at least initially.

The company’s website has disappeared, but its Linkedin page describes the company, in a somewhat garbled manner, as follows.

“Being years of publisher ourselves, Rafotech has deep understanding of what it means to monetize more. Started as a business unit of Rafo Technology Inc, one of the premium publisher powering over 6 billion monthly impressions, our solution to monetize both display and search traffic has been proved profitable and sustainable. It is a solution made by publisher and for publishers.”

My guess is that they are saying they can help you make more money by advertising more effectively. Well, they kind of kept their promise.

Initially, Rafotech installed plug-ins in browsers that could be used to control what ads appeared on pages that the user navigated to. Then they got a little too creative. They took advantage of the fact that all of us use a default search engine, and for many of us, that search engine is google.com or yahoo.com.

fireball1

From the Check Point Report

 By redirecting victims from their normal default search page to a Rafotech-approved search page, Fireball designers can position themselves to implant tracking pixels into browsers to gather user information. They can use the same technique to replace your normal home page with one of these search engines, like the one shown below.

trotux

Example of a Fireball-approved Search Engine

The reason they use this technique is to find out what a user is interested in and then target them with ads based on this interest. This advertising approach is not, in itself, dangerous. Its main use is to generate money for the company and its affiliates. However, the fact that the company controls your browser means Rafotech, or others, can use it to install malware onto your computer. They could, for example, send users to a malicious site that is designed to download remote access malware and take full control of your device. Although Rafotech has not done this, as far as we know, they have opened a backdoor that others could, perhaps, take advantage of.

fireball2

From the Check Point Report

 Actually, the line between this advertising strategy and a malware attack is very fuzzy. Adware distribution is not, in itself, considered a crime or the CEOs of all major social media firms would be in prison.

Check Point, the cybersecurity firm that discovered this malware, calls Fireball, “possibly the largest infection operation in history.” The main question, then, is: How did Fireball manage to infect 250 million computers?  In a word, the answer is, bundling. Bundling is including other, usually unwanted programs, in a download that the user has chosen. Normally, when installing the wanted download, the user is given the option of a customized installation. If they do not choose this option, the malware or adware is automatically installed. In other words, the company did nothing wrong because you, the user, have accepted the extra programs in the bundle. And good luck trying to uninstall these programs. This is something left to experts only. Still, there is no law that says you have to make your programs easy to uninstall. To illustrate this difficulty, here is the advice given for uninstalling the Trotux search engine shown above.

“How to remove Trotux.com redirect (Removal Guide)

This malware removal guide may appear overwhelming due to the amount of the steps and numerous programs that are being used. We have only written it this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove malware for free. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.”

At other times, you may not be given the choice of what adware or browser plug-ins are installed with your chosen download. You won’t even know they are there until your browser begins to act in unpredictable ways, suddenly leading you to sites you never chose to visit or opening your browser to a new home page. Again, it will be difficult to remove these browser controllers because, even when they are deleted from your browser, they will reinstall themselves once the browser is opened again. Sometimes, the only option left may be resetting your browser to its default settings.

Check Point also suspects that Fireball spreads by less than legitimate means, such as through spam or by using fake names on the freeware to make it appear as something that it isn’t. It would be difficult to get such a huge number of infections installed if bundling were the only distribution method. That’s because the infection power of this malware can only be called, astounding. In Indonesia, for example, 60% of corporate networks are infected. Check Point claims that 20% of the world’s corporate networks are infected with Fireball. The U.S. is just beginning to be targeted with ‘only’ 10.7% of U.S. corporate networks infiltrated.

The tools for a major security breech are, thus, in place. As Check Point notes, “Rafotech holds the power to initiate a global catastrophe.” I guess that about sums it up. What else could you say if 20% of the world’s corporate networks could be breached and sensitive information stolen? What if these computers were used in a DDoS attack? It is no exaggeration to say that most of the world’s internet services would be knocked offline. Keep in mind that the Mirai Botnet DDoS attack took down major internet sites around the world with only 100,000 infected endpoints. Fireball is hundreds of millions of times bigger. Just think about that for a while.

Are you or your enterprise network infected? Go to the Check Point post to read the removal instructions. Good luck.

 

Posted in Uncategorized | Tagged , , , , | Leave a comment

Movie Review: Risk: The Julian Assange Documentary

Risk Poster

The reviews for this documentary are all over the place. Reviewers who are firm advocates of WikiLeaks tend to over-exaggerate the film’s virtues, while those who find the organization’s actions reprehensible tend to hate it. For this reason, I tried to watch the film as an objective reviewer.

Some have called the film a sleeper and there are parts of the film that live up to that branding. These episodes occur mainly at the beginning of the film when scenes shift quickly and conversations are somewhat baffling and vapid. Some conversations seem to emerge without enough context to give them comprehensibility. It also seems to lack a coherent theme.

Assange emerges as an emotionally remote character who hides his true personality behind his dedication to WikiLeaks. He even states that what he does is more important than who he is. The only scene in which we get a glimpse into his repressed character is when he is interviewed by Lady Gaga, dressed in her Wicked-Witch-of-the West costume. Ms. Gaga, like most celebrities, tries to hide her insecurity behind false bravado and seemingly unfiltered, clumsy questions which tell us more about her than Assange. In a clear case of projection, she asks about his relationship to his parents, wherein Assange claimed his father was “abstract”.

We do get some glimpses into the life Assange lives within the Ecuadorean Embassy. We learn about his relationships with his team. We see what he does to pass the time and plan strategies, and we learn a few ways that the organization keeps itself protected from government intrusion. A pervading and probably justified paranoia surrounds everything they do. This look into daily life at Wikileaks may hold some interest for some viewers.

The latter half of the film is more interesting, especially when the topic turns to the DNC hacking. I only wish this were expanded more as it is more timely. It is at this point in the film that Assange gives more information on his view of the world. He talks about the Earth as being so interconnected that any action must be evaluated in a global context. It is an interesting an important viewpoint that should be considered. It is not simply “think globally, act locally”. It is closer to the idea that even a small local action may have global implications.

The film leaves many questions unanswered and, as a whole, doesn’t flow very well. It could have been better made. There is nothing compelling in it, meaning that a viewer may be tempted to stop watching the film entirely at certain points. There is no hook that makes us want to see how it ends. There are no compelling relationships and some issues seem unresolved that could easily have been. Still, a few scenes are definitely worth seeing. For those interested in the world of cyber security, political intrigue, and government surveillance, this documentary may be of interest. For the general public, however, except for a few scenes, it may simply be too dull. I’ll give it a 6 out of 10.

 

See all my reviews at http://imdb.com/user/ur25920573/comments

Posted in Uncategorized | Leave a comment

How Xerox, Google, and The Intercept Exposed an Anonymous NSA Document Leaker

The ironically named Reality Winner was not one. Reality bites. It bites any anonymous leaker from any government agency who may be naïve enough to believe that their anonymity will be guaranteed. Likely motivated by her desire to expose Russian connections to “a soulless, ginger orangutan” (a.k.a. Donald Trump), Reality Winner sought out and leaked a document that she probably thought would achieve this end. Sadly for her, she only exposed her connections to the leaked document.

Winner began working for NSA contractor, Pluribus International Corporation, shortly after Trump was inaugurated. Winner is a vegetarian weightlifter and an environmental activist who supported Bernie Sanders.

leaker

When Trump approved construction of the Keystone/Dakota Pipelines, Winner wrote on Twitter, “Repeat after me: In the United States of America, in the year 2017, access to clean, fresh, water is not a right, but a privilege based off one’s socio-economic status. If that didn’t feel good to say aloud, contact your senators today and tell them those exact words as to why the Keystone XL and Dakota Access pipelines cannot be built on American soil. Let’s fix the pipes meant to bring water, sans lead or pollutants, to our citizens before we build pipes meant to benefit big oil and poison the land.”

No doubt Trump’s June 1st withdrawal from the Paris Climate Accord further fueled Reality’s pro-environmental flames. Coincidentally, it was on that same day that the FBI was notified by the NSA that someone had leaked a top secret document to the online news outlet, The Intercept.  The Intercept had informed the NSA that it was in possession of a top secret document that they were going to release. They gave the NSA a copy of this report in order for them to verify its authenticity. The Intercept seems to have naively believed that they were not compromising the anonymity of the leaker by doing this. That was a mistake.

Many new printers print nearly invisible yellow dots on any document it prints. The dots and the pattern they create can be used to identify the type of printer, the model number, the serial number of the actual printer used, and the precise time the document was printed. Any scanned document, like the one Winner sent to The Intercept and The Intercept sent the NSA, would contain these dots.

Here are a series of pictures which show these dots on the leaked NSA document and the pattern they created. To show what these dots are like and how they can be used, I created the images below. The first image shows the upper left hand corner of the original document, which is already magnified to some degree; yet, no obvious yellow dots (or pixels) are evident, at least to my eye. (The encircled area shows where the dots exist and indicates the area which will be subsequently magnified.)

the yellow dots

 

I then magnified the above image to 600% and, perhaps, some sharp-eyed readers can begin to see a few faint yellow areas.

dots 600x

However, to really see these dots, I had to increase color saturation. So, at 600% magnification, with color saturation, here is what the dots looked like on the NSA document.

dots saturation

The complete pattern with the decoded information it includes is shown in the following image. (For more information on hidden document codes visit the EFF website.)

leaked document pattern

I have since confirmed that the pattern persists even when the document is copied into another program, such as Word, or onto other websites.

So The Intercept, in effect, told the FBI that one of the 4,000 employees at Pluribus International Corporation, Georgia, printed this document on a specific printer with the above serial number at 6:20am on May 9th. At 6:20am? That, in itself, should limit the number of people who could have done this. In the end, it was found that only six people had printed out this report. This pretty much outed poor Reality.

This top secret report was first published four days earlier on May 5th, so Reality was, in my opinion, either tipped off on its existence or was diligently conducting ongoing searches for incriminating documents. In short, she had an agenda. In any event, according to the affidavit, the six people who printed this document had their company computers investigated. Among them, only one, Winner, had had email contact with The Intercept.

Interestingly, Winner did not use the company email for this contact but her Gmail account. She probably thought that this would be safer. This was a mistake. The company likely monitors all emails going through its systems. It was simply a matter of searching their database for any communication with The Intercept. Yes, the communication was innocent, (she wanted a transcript of a podcast) but it showed she was at least aware of the news outlet’s existence.

However, this alone would not be enough to arrest her. It is possible the company had a keylogger installed on all of its computers, so they may have had a record of her Gmail password which they could use to access her account. This would allow them to see if she had any other further correspondence with The Intercept from computers outside the company.  However, if they did this, the company would be in danger of committing a criminal act.

Thus, it is likely that the FBI will have to ask Google for access to Winner’s Gmail account. Will Google give this information to them? If you have to ask this question, see my last post on Google tracking and privacy. Google will almost always give access to user accounts when government agencies request it.  Although Google claims that it carefully reviews all such requests before allowing government agencies to access an account, in truth, they will only rarely refuse to do so. If it is found that Winner had further correspondence with The Intercept via her Gmail account, this would be the conclusive evidence that the government would need to convict her. It will be interesting to see how this aspect of the case develops.

The Intercept further implicated Winner when one of its reporters contacted an inside informant at the NSA who later contacted the FBI. So much for trusted sources. The affidavit states the belief that Winner may have communicated with The Intercept in other ways and that evidence of such communication, or of the documents themselves, may be found on her home computer or other devices.

When contacted on June 3rd, “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the News Outlet, which she knew was not authorized to receive or possess the documents. Winner further acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation.”

It is no surprise that Winner confessed when she was confronted with the above evidence. However, she has subsequently pleaded not guilty, which is somewhat baffling. More baffling is the fact that the government did not interfere with The Intercept publishing this top secret document two days later on June 5th. Interestingly, the announcement of Winner’s arrest followed within hours of the document’s publication. This made it  appear, perhaps intentionally, that The Intercept was not a viable outlet to send a leak to. Wikileak’s Julian Assange lambasted the unprofessional conduct of the outlet and offered a $10,000 reward for information “leading to the public exposure & termination” of the reporter. Assange had no choice but to take this action because those publishers who do not protect their sources cast a shadow on all leak platforms.

The bottom line here is that Winner will be made an example of to deter potential leakers from misusing their access to secret information in the hope of affecting the political landscape. Making leaking platforms look unstable will also make those with access to sensitive information think twice before giving this information to leak publishing organizations. In short, leakers should only do so with the full expectation that they will likely be caught. If they truly believe that their actions have a moral value that supersedes any penalty they may have to pay, then nothing the government does to Reality will stop them.

Posted in Uncategorized | Tagged , , , | Leave a comment

For Those Who Don’t Want to be Followed While Browsing

Nothing is more costly than a free service. If you think such services such as Google, Yahoo, Facebook, or Twitter are given to you for free, you have a naïve idea of how these companies make their money. The truth is that Information from you is collected from your browsing habits and sold to marketers and partners at a nice profit; a profit that you get no financial benefits from. In short, you are working for free. I guess it’s you who are offering the free service.

Okay, raise your hand if you’ve read the license agreement for the services you receive from the above companies. Yeah, that’s what I thought. When you clicked the ‘Accept’ box on the privacy agreement, you gave up more rights to your privacy than you may have wanted to. Probably the best way to begin this post is to use a quote from Google CEO, Eric Schmidt, himself.

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. If you really need that kind of privacy, the reality is that search engines – including Google – do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.”

 To translate, yes, we are following you and gathering data on everything you search for. We will also give any information we have on you to the government if they want it. That is to say, if you use Google, you are under government surveillance by default.

All these companies generate revenue in much the same way. They sell the rights to your privacy. They sell your personal information. But what exactly do they learn about you and what powers do they really have? Here is a list of some of the things Google says it can do in its privacy agreement. Remember, this type of information gathering is not only done by Google.

They know, and can use, your name, email address, telephone number, credit card number (used to verify age), and what kind of YouTube videos you like. Can they read your emails?  “Our system may automatically scan the content in our services, such as emails in Gmail, to serve you more relevant ads.” So the answer is, ‘yes’, but they claim this is all done by machines and not humans. Google is a large company offering many services and signing up for one service means you are under surveillance for all of their services. “This includes information like your usage data and preferences, Gmail messages, G+ profile, photos, videos, browsing history, map searches, docs, or other Google-hosted content.” In addition, “we collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.” This allows them to access “telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.” Not only that, but they can use your device to store whatever information they find on you, which seems somewhat presumptuous. “We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.” Hmm, maybe they should pay you for storing information on your computer that helps their marketing.

Who are they selling your information to anyway? Google sells data to companies who sign up for their targeted ad services. They match the business’ product to the profiles of people who may be interested in it. The more you browse and use their services, the more they learn your likes and dislikes. Even if you opt out of receiving targeted ads, you will still get ads. In other words, if you want ads targeting your supposed interests, you have to let them use your personal information. Google is not innately evil. They are simply doing what you told them they could do.

However, there is another dimension to internet surveillance that Google and other social media firms would rather not talk about. This is the topic of providing information on you to the government or law enforcement agencies. The disclosure of the NSA’s Prism surveillance program by Edward Snowden named at least 9 internet firms who were supplying information to the U.S. government.

prism

Among these companies were Google, Yahoo, Microsoft, Facebook, Skype, and Apple. But the Washington Post reported that “98 percent of PRISM production is based on Yahoo, Google, and Microsoft.” Google admits that they “will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

    • meet any applicable law, regulation, legal process or enforceable governmental request.
    • enforce applicable Terms of Service, including investigation of potential violations.
    • detect, prevent, or otherwise address fraud, security or technical issues.
    • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”

Google, and the other companies mentioned, met this disclosure of their working with the government with declarations of innocence. “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a backdoor for the government to access private user data… [A]ny suggestion that Google is disclosing information about our users’ internet activity on such a scale is completely false.”

Google may be right. There would be no need to install a backdoor if the front door was already open. Google appears to have worked out an arrangement with the NSA. One investigator stated that “according to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers.” In such a case, Google would not have to install a backdoor that the NSA could use, they could just ‘accidentally’ forget to close it. In other words, they could leave an unpatched exploit in place that the government could exploit.

I won’t pursue this in any detail because it’s clear that the government can easily access your information via Google or other social media services. The important fact to keep in mind is that every social media platform is developing new strategies to acquire personal information on their users. Facebook even wants to design a program that will allow an algorithm to determine your mood by accessing your face through your camera. This is marketing through assessing your emotional state, but how long will it be before this evolves into marketing by manipulating your emotional state?

If you do not want your browsing and other habits to be monitored for marketing, you will have to find how to disable the tracking capabilities of each social media outlet. These sites don’t make this easy. However, before you begin adjusting your ad settings, I would suggest going to a site called, Panopticlick. This site will test your browser’s tracking vulnerabilities for free. Here is what it said about my usual browser.

panopticlick

And here it was it says about my use of the Tor browser.

panopticlick2

Yes, the Tor browser does seem to limit the use of your personal information. The important statistic to note is that which gives the uniqueness of your browser fingerprint. The higher the number, the easier it is to identify you. It is the uniqueness of your browser configuration that gives you away and this has nothing to do with cookies. Your browser fingerprint allows you to be identified and tracked even with cookies disabled.

Do not be surprised if you see a red ‘X’ in every category. I have most of my browser tracking sites turned off. To get a more complete view of who is tracking you, go here, It will be a sobering experience. If you want to opt out of all targeted marketing and see who’s been using your information, go here. In short, you will quickly learn that everyone is targeting you and you’ll never stop all of them.

In my last post I showed how to avoid Facebook’s pixel-based marketing. For Google, you will have to go to your personal account, “Ad settings”, “Manage Ads Settings”. When you get here, you can turn off “Ads Personalization”. If you go to the bottom of the page you will see the “Opt out of more ads” link which will give you more control over who targets you.

Again, I do not want to condemn Google or any other digital site as having nefarious goals. These are businesses that provide services we like to use. As businesses, they need to make money to operate. True, they could make their marketing plans somewhat more transparent, but when it comes to using internet services, it’s a let-the-buyer-beware landscape. I have less tolerance for their attitudes on government surveillance. There is no transparency at all here and we can’t be sure how much information is collected by the government by whim rather than by judicial decrees. If these social media sites collapse, it will not be targeted marketing that brings them down. It will be the fear of continual surveillance and the paranoia that this will generate in its users.

Posted in Uncategorized | Tagged , , | 1 Comment

Scribbles: the CIA Document Tracking Program that Uncovers Leakers

Nobody disputes the fact that there have been a lot of leaks making the news recently, and nobody disputes that many of them emanated from the intelligence community.

leaks

But there is one question that needs to be answered: How is this possible? We’re talking about agencies that have the power of universal surveillance. How is it possible that they cannot see what’s going on in the next office?

This is even more confusing when one realizes that they have, and have had, programs in place to identify leakers for years. The leak collector site, Wikileaks, has just released information on a CIA program called. “Scribbles”, which puts digital watermarks on documents to allow their movements to be traced. With this program, the government can identify whistleblowers, those leaking documents to whistleblower sites, those leaking documents to news media, and foreign agents who may steal these documents.

Scribbles takes advantage of Word to put tracking beacons into any documents created on a computer or network. Word allows for images to be put into a document and this is the same vector that Scribbles uses. It is a sort of pixel-based tracking program. Such tracking has been around for years and allows for one transparent pixel in an image or document to contain a program that allows for tracking. The pixel sends out a beacon to its control center with information. Tracking will not only identify the IP address of the person receiving the document, but when the document was opened, what operating system the possessors of the document used, and what they did with the file. If the file is forwarded to others in the network, an entire network could be mapped out.

But with this ability to track documents, why are the leaks continuing? This could occur for a number of reasons. Scribbles will not work if documents are encoded or come with a password. If the document is opened in a non-Microsoft Office program, it may make the tracking program visible. In other words, any potential, document-leaking staff member who knew about the program would be able to easily circumvent it.

As I mentioned above, there is nothing new about pixel tracking programs. Such tracking programs are widely used by marketers to learn about potential customers. Facebook even has its own pixel tracking system for anyone with a business on Facebook. If you have a Facebook account, information on what you do online is collected so that you can be targeted with ads wherever you go and, your browsing patterns can be handed over to its business partners. Such surveillance can be good for people who are interested in purchasing certain items but others may view this as an infringement on their privacy. If you are in the latter group, you can opt out of this surveillance. It’s a bit of a convoluted process that begins with you clicking on the small triangle next to the question mark in the upper right hand cornet of your Facebook page.

fb triangle

You then go to “Settings”, “Ads”, and “Ads based on my use of websites and apps”. Eventually, you will have navigated to a page that looks like the one below. In the “Show online interest-based ads:” setting, make sure it is set to “Off”.

fb ad settings

You can also tweak other advertising preferences on this page. I found the “Advertisers you’ve interacted with” interesting because I only found two that I remember interacting with. Keep in mind this only disables Facebook tracking. Other marketing companies will still be able to present you with targeted ads. In short, your browser habits are under continuous surveillance. I’ll write more about how to avoid this surveillance in a future post.

Although Scribbles has its shortcomings, it does have a place in the anti-leaking arsenal. However, if the intelligence agencies want to control online-enabled leaking, they have far more powerful cyber tools at their disposal. In fact, if you were an intelligence agency employee attempting to leak information via online channels, you would have to be insane, suicidal, or simply ignorant to try this route. The only way to do so without getting caught would be to work in collusion with a hacker or with those in control of the network.

In a previous article, I pointed out that employees could, in cooperation with a hacker, ‘accidentally’ open a bad attachment, click on a bad link, or visit a compromised website. All of these could allow a hacker onto a network where they could just happen to find documents that they could leak to the media or other agencies.

Those in control of securing a network could be in a position to leak information by circumventing the very safeguards they have put in place. They could do this either directly or by allowing certain individuals on a network to leak documents undetected. I’m not saying that anyone would do this, only that this is the only way that a leak could occur without being detected by the wealth of cyber tools the intelligence agencies have at their disposal.

Still, the best way to leak is by smuggling the information out on a USB or SD card a la Snowden. This would require the leaker to disconnect from the network in order to download sensitive data without raising suspicion. Again, collusion with network administrators could help in this endeavor.

However, there is another angle to using programs like Scribbles which cannot be overlooked. Imagine that an intelligence agency wanted to infiltrate a whistleblower network. They could pose as a leaker and send tracking documents to that site. The documents could be used to map the network and find potential vulnerabilities that could be used in a more sophisticated malware attack later on. The agencies could set up spyware on the whistleblower site that would let them see where leaks are coming from and who the leakers within their agencies were.

In short, it would be difficult to believe that the intelligence agencies could not identify most leak attempts. Leakers are usually motivated to do so for three basic reasons:  to achieve financial gain (such as selling secrets to foreign governments or competitors), to affect the political landscape (such as the DNC leaks), or to gain emotional satisfaction (revenge  of disgruntled employees or indignation of whistleblowers who feel their employer is engaged in immoral or unethical behavior). For these reasons, I would suspect that most intelligence agency employees are subject to surveillance in their personal lives as well as their working lives. Such a project, known as the ACES project, was proposed by James Clapper in 2014. “What we need is a system of continuous evaluation where when someone is in the system and they’re cleared initially, then we have a way of monitoring their behavior, both their electronic behavior on the job as well as off the job.” I’m not sure if this system has been formally put in place but, informally…who knows. So do the intelligence agencies know the source of their leaks? You be the judge.

Posted in Uncategorized | Tagged , , | 3 Comments

Chrome Browser Vulnerability Allows Hackers to Take Remote Control of Your Device and Network

In order to be infected by most malware, you have to download a malicious file and open it. Downloading the bad file is simply not enough to cause you problems. But what if there was a file that downloaded and opened itself automatically? That would truly be your worst nightmare. Sadly, if you use Google’s Chrome browser, your nightmare has now arrived.

Browsers make our lives easier by automating a lot of processes. For example, if you don’t specify where you want your download to go, it will go into a file often called, ‘Downloads’. When Chrome assumes a file is safe, the user will receive no other information when a download is called for. The file is simply downloaded. Normally, this presents no problem. However, a new vulnerability in Chrome makes this automated process the springboard for a serious malware attack.

Most files will not open automatically when downloaded but a few will. Among these are files which will create an icon which is really a shortcut link to some other location. These files come with the extensions .lnk or .scf. The .lnk extension has been stopped from automatically opening but the .scf extension has not. It will open when the file or directory it is stored in, such as the ‘Download’ file, is opened. In other words, Windows File Directory will automatically activate the icon. The problem occurs when the SCF ‘icon’ is actually a link to a remote server. At this point, the remote server will receive the hashed passwords for the user’s PC and, if they are on a corporate or institutional network, the hashed password for this as well. So if the attacker can lead the victim to a website with a malicious SCF file, Chrome will help the attacker do the rest.

Maybe it’s a good idea to look at hashing at this point. If you already know about hashing, you can skip this paragraph. Hashing is basically a one-directional encrypting process. When you first register your login information on a website, the website transforms your password into a random series of numbers, letters, and symbols of a particular length called a ‘hash’. It’s the hash, not the actual password, that they store on the website. Unlike regular encryption, this hashing cannot be reversed. Thus, when a hacker steals your hashed password they cannot apply some formula or key to decrypt it. They have to use another technique which is basically, guessing. They simply type in a guessed password to see how it is hashed. If they have guessed correctly, they will see that their hashed password matches the one on the list of stolen hashed passwords. Only then can they log into your account.

hash

Your Windows password is automatically hashed so the attacker operating the remote server that receives it has two options. They can try to use software to guess and match (crack) the hash in order to get the actual password, or they can use the hashed password itself. This is because some Microsoft services only require the hashed passwords to operate. Such services include OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live, and more. In other words, using either of these techniques can allow an attacker remote access to your computer and any network to which you may be connected. Needless to say that good hackers can leverage network access to steal  sensitive data from an enterprise or compromise other users on the network. It all depends on whether their goal is information-based or financially based.

 Although the Chrome browser may allow for downloads of SCF files to proceed without hindrance, you may suppose that antivirus software will detect these files and notify users of their presence. Unfortunately, this does not appear to be the case. The main investigator of this vulnerability stated that, “we tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous. All tested solutions failed to flag it as anything suspicious.” Moreover, Windows Explorer automatically removes the visibility of the SCF extension so it will not appear in the name of the file. In other words, if the attacker uses a file named photo.jpg.scf, the user only sees photo.jpg, which may appear as a valid jpg file.

Since the file does not appear malicious to either Chrome or antivirus software, you will need to be the download filter. To do this, you simply have to set Chrome’s advanced settings to “Ask where to store each file before downloading” option. Then, you will be able to intercept any automatic downloads that may otherwise occur.

You may also want to adjust your firewall to stop any SMB communications to devices outside of your network. Unless you have an older Windows operating system, such as Windows XP, you should probably disable SMB 1.0. I gave directions on how to do this in a recent post.

Although it might seem an easy flaw for Google to fix, so far, none has been reported. Thus, unless you want your computer remotely controlled by someone else or your business to be infiltrated, you need to browse with some caution. Of course, there is another option. You can change your browser. Sorry Google.

 

Posted in Uncategorized | Leave a comment

A Simple Guide for Protecting Yourself from Ransomware

If you think the last ransomware attack was the end of the story, you’re wrong. If you think only enterprises are targeted by ransomware, you’re wrong. And if you think you have an operating system that is safe from ransomware, you’re wrong. In other words all of us are vulnerable. In fact, most researchers think that the next targets could be bigger enterprises and more individuals via a vast botnet attack.

However, it remains true that all of these attacks can be subverted by a few simple steps because, when all is said and done, attackers only have a few vectors that they can exploit to get control of your device. Although there are many ransomware varieties that are prowling the internet for victims, the attacks always begin by attacking individuals. If these individuals are working for companies or institutions that depend on quick access to data, so much the better for the attackers. Enterprises have a role to play in all of this, but each person, each employee must know how attackers are trying to trick them into becoming victims. Here are the steps to take to stop that from happening.

1, System Updates and How to Get Them

 
 Windows 10 really gives you no choice but to accept updates. In truth, that’s probably good, at least for critical updates. There are ways to work around the automatic updates but, for safety’s sake, it’s best to make your updates automatic. Go to your settings, then to Updates and Security and here you can check for the latest updates.

updating

The WannaCry Ransomware targeted older operating systems, especially Windows XP and enterprise networks that used these older systems. As the chart below shows, extended support for Windows 7 and above will continue for a few years yet so be sure to keep up with those updates.

support schedule

Older, unsupported versions of Windows Vista and below, normally have no support. However, due to the seriousness of the latest ransomware attack, Microsoft has created some patches that you can download here.

Quick installation of updates is important because hackers will use the updates to find what holes existed that needed patching. They know that many people won’t update right away so they will search the internet for unpatched computers and networks that they can attack. Big enterprises with big networks take a long time to patch and the hackers know it. These exploits are termed one-day exploits because that’s how long it will take the attackers to begin the attack on networks that do not update fast enough.

There are other steps for advanced users to take and they can be found here. I wouldn’t recommend these to the average user because some of the suggestions deal with tweaking the registry and any mistakes could seriously affect the functionality of your device.

2. Disabling SMB1.0

This may sound daunting but it is not. What you will be doing is protecting your device from being remotely attacked. Basically, if this is not disabled, attackers can work around later updates of the SMB protocol to cause you problems. This is especially true for enterprises with large networks. SMB stands for Server Message Block and is used for sharing files on a network. If you run Windows XP or have an old printer you may still need SMB1.0, otherwise you probably do not. Even with all of its shortcomings, SMB1.0 comes enabled on Windows 10. I have disabled SMB1.0 on my device and will let you know in updates if any functionality problems arise.

So, to disable SMB1.0, go to ‘Search’ (lower left hand corner) and type in “Windows features”. You will be given a control panel for turning off or on various Windows features (see below). You will probably see the area that I highlighted with the box checked. Simply uncheck it and reboot your computer. If you think this is a small thing, think again. As one Microsoft expert on the topic wrote, “stop using SMB1. For your children. For your children’s children. Please. We’re begging you.”

windows features

  3. How to tell if an email attachment is malicious

 There are some good phishing scams out there. They can fool anyone. Some phishing emails may come from your friends or even from people in management. The attachment may have a legitimate name. It could be photos from a party you went to or information your CEO wants you to read. You can’t simply refuse to open any attachment. You could lose friends and even your job. So what do you do?

The first thing to remember is that no attachment is dangerous until you download and open it, thus, releasing its payload. So, before you open it, you can scan it for viruses or malware with your antivirus software. If your file is smaller than 150MB, you can use a good online scanner like VirusTotal.

At the same time that WannaCry Ransomware was bringing down enterprises around the globe, Jaff Ransomware was using a botnet to spread its payload at the rate of 5 million an hour, mostly to individuals. Although researchers are not sure how WannaCry delivered its payload, Jaff was doing so with the help of a PDF attachment. Opening the attachment will give you this.

pdf ransom

The file mentioned is a Word document packaged within this PDF file. It will look like this.

word ransom

If you follow the instructions and enable editing, you will install the ransomware which will begin encrypting all of your files. Eventually, you will be told to pay a ransom in Bitcoins of over $3,000 to get your files back.

This attack needs you to enable macros before it can operate. Until you do this, you are safe. Make sure your macros are disabled. First, you need to find your Word Macro Settings menu. This will either be in Trust Center Settings or Tools/Macros/Security. There, choose the High or Very High option.

macros

According to Kaspersky Labs, the spammed phishing emails come with a subject line similar to “Receipt to print” and will sometimes have a message like, “Print two copies”.

The senders will be generic “John” or “Joan” but with an unusual email address that should give them away. It doesn’t matter to the criminals as long as they can trick even a small percentage of people.

4. Check those links

Similar to attachments, links may also come from friends or management. They may have valid names. Hover over any link with your cursor to see if a valid address appears in the lower left hand corner of your screen. If you’re still not sure, or the URL doesn’t appear, you can push the ‘Reply’ button and you will see the true address of the sender in the “To” field. Don’t send the message. Simply look at that address and see if it looks valid. If you are still unsure of a link, test it by copying it and using VirusTotal to check it. If you are still unsure you can always contact the sender in person or by phone to see if they actually sent that email and link. Yes, it is possible that visiting an infected website alone will be enough to download and install ransomware. This is called a ‘drive-by’ attack and it often employs the Flash Player, Adobe Reader, or Java. Keeping these programs up to date is a good way to thwart such attacks.

5. Enterprise Security

Enterprises need to isolate data on their networks so that it is not easily accessed and then encrypted. Many will use sandboxing to do this. However, the Jaff Ransomware knows this and has been designed to detect and avoid sandboxes. Hardware separation employed on all network endpoints may be the best solution. In this case, even if the normal-use half of an endpoint is breached and encrypted, important data on the hardware-separated network half of the device cannot be accessed by the attacker. All important data is kept safe.

Conclusion

If you’ve taken the steps mentioned above, you should be protected from most ransomware and other malware attacks. That said, back up your files. Malware is always evolving and no malware is evolving faster than ransomware. Researchers are already warning users not to be complacent just because the most recent attack was accidentally thwarted. The attackers will quickly find a new workaround. I personally believe that the attack was bigger than the attackers really wanted it to be. Just as what happened in the San Francisco metro attack, they may have drawn too much attention to themselves. Those hackers had to back off on their ransom demands.

Attackers really just want the money paid and the victims to remain silent. Many enterprises pay the ransom and say nothing so as not to ruin their reputations. That’s why most ransom demands are kept relatively low. The criminals know it is easier for the company to pay than to risk tarnishing their image. Besides, they often need the encrypted data too much to risk losing it.  At the beginning of this year, almost every security firm predicted that ransomware would be the big story of 2017. I concurred and I will stand by that prediction.

Posted in Uncategorized | Tagged , , | 1 Comment