ESET Threat Blog

If you’re going to be attending RSA in San Francisco next week, stop by our booth (#1751) and say hi!

ESET bloggers Jeff Debrosse, David Harley, and I will be there.  Jeff and I will take turns presenting “Security’s Rosetta Stone: Translating security to human behavior”.

You can also enter a drawing to win some cool Intel motherboards!

We were pleased to learn we have been nominated for the best security blog in an SC Magazine contest. Voting is closed, but we look forward to the results. There are some really, really good security blogs and we are honored to be in the competition.

Hope to see you there!!!

Randy Abrams
Director of Technical Education
 

Conficker

• If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
• Disable AutoRun on removable media.  More about this below.
• Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.

Worms continue to spread quick as a flash

Conclusion

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

This is a research blog, not a marketing blog. Not that there isn’t a place for marketing (that’s what pays our salaries, in a sense!) and marketing blogs, but my guess is that most of our readers here would get bored quite quickly if we spent too much time on press-release type material, our latest VB100 award and so on. So while we will mention stuff like new product releases or information from the labs that might interest some of you, we try not to waste your time with gratuitous blowing of our own trumpets.

So why am I directing your attention to a very complimentary article  by the estimable Dan Raywood in SC Magazine? (Yes, another SC Mag article!) 

It turns out that Dan recently spent a few days in Bratislava talking to my colleagues over there, and said some very positive things about them. (As indeed he should: the European labs are very much the engine room behind our products, and they’re very, very smart people.) While I’m not at all averse to your reading nice things about expanding product ranges and marketing strategy, I think what you might find really interesting is the insight into how the operation over there works and get to know a little about some of the team members there.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/
 

Discussion has been rolling on in comments to a blog Randy posted some time ago (back in June, to be precise…) on Microsoft Essentials. Rather than go over exactly the same ground, I’d like to reiterate some points about free antivirus generally, but starting off from a question that was put in a comment to that blog.

Why shouldn’t you use free antivirus? (Actually, the question was why shouldn’t you use MSE, but since, as a UK resident, the MSE beta was never available to me, I can’t say much about that specific product.)

Hmm. I don’t think anyone here said you shouldn’t use free AV, did we? After all, we do make free trial versions available and we do have a free online scanner. Of course, the evaluation copy only functions for the evaluation period, and an online scanner has limited functionality, but completely free versions also have limitations. So I’m not going to say that you shouldn’t use a free product. But I will say that you need to be sure that:

• You meet the eligibility criteria for using a free version. Vendors who make a free version of a commercial product available usually intend it to be available to home users or for evaluation only: they probably don’t intend you to use it on every machine in your organization, used by all your staff of 500.
• That the free product itself meets all your needs. Most free AV is limited to detection (and, in some cases, removal). If that’s all you need, fine. Be aware though, that some free products don’t detect the full range of malware, and don’t usually have all the capabilities of a full-blown security product.

No, nothing to do with drive-by downloads…

Our colleagues in Europe came up with a nice idea: an article on the dangers of web surfing on free wi-fi and some tips on staying safe. (A topic dear to the hearts of all of us who find ourselves out and about with our laptops from time to time, though I usually find myself sitting in airports and hotels rather than in parks or by city fountains. Ah well…)

I’m sure I don’t have to tell you that wi-fi is intrinsically not, in general, as safe as wired connections (and no, you shouldn’t assume that a wired connection is safe: there may be such a thing as a free lunch – I had one myself last week (thank you, AMTSO!) - but safe networks are another matter). So ESET have come up with a few tips on precautions that you can take to make your summer surfing experience a little safer, though most of them aren’t particularly unique to using wi-fi.

1. Keep your system and applications updated. Of course, you should be doing this all the time anyway, not just in order to feel safe when you’re browsing in the park. And talking of browsers, while there are plenty of malicious sites that use drive-by browser exploits, don’t forget that a lot of current malware reaches its target via PDFs, Microsoft Office documents and so on. Which means that you need to keep applications like Adobe Reader and Office up-to-date with patches. Fortunately, the big players in those sectors, like Microsoft, Adobe, and indeed Apple and Linux, are getting better at making it hard to avoid updating than it is to update
2. Change your passwords frequently: painful though most of us find this, it does limit the extent to which your systems are exposed if something does get through.
3. Use different passwords for different accounts and resources, so that if one does leak, it doesn’t mean that an attacker has access to everything you own and every service you access.
4. Use strong passwords or passphrases – a combination of upper and lower-case letters, numbers, and other characters. There’s a document I put together some years ago on selecting passwords here (actually, there are lots of good resources on the Saving Our eCity website: see the link at the end of this blog). There’s also a more recent document by Randy and myself due to appear shortly on the white papers page (also linked below). 
5. Create a specific user profile for public surfing. Don’t use your current profile, especially if it has administrator rights. Using a profile that doesn’t have administrator privileges is likely to restrict the amount of damage an attacker can do if he does get access to your system. 
6. Back up your data before you take your laptop out. Then, if your laptop is stolen or damaged, then you won’t have lost all that information (though you should still change passwords straightaway if the PC is lost. We can all take a lesson from this: when I was mugged in Windhoek last year, I was able to replace all the kit that was stolen, but it was only a matter of luck that I wasn’t carrying my laptop: if that had been gone, I would have lost some data, and it could have set me back many months. 
7. Make sure you your security software is updated regularly and automatically, but don’t assume it will protect you from everything. Wi-fi is inherently insecure and you need to use common sense as well.
8. The guys in Europe quote Pierre-Marc on the subject of Man-In-The-Middle (MITM) attacks: "If someone else is on the network, he can modify network traffic and let you think you are dealing with your bank while, in reality, you are sending him all your credentials."
9. WEP encryption, as used on many Wi-Fi networks, is weak and easy to crack: later protocols (WPA and, better, WPA2 are better, but you shouldn’t assume that they’ll protect you from all kinds of attacks.
10. I’d always recommend disabling the sharing of files or folders, but it’s not just the settings on your computer that can save you from the hacker’s grasp, but you also need to take care which sites you surf. Wherever possible, avoid connecting to websites that involve the transfer of sensitive information, such as online banking and if you must access webmail, use the HTTPS option. Also, make sure your browser and supplementary and helper applications such as Flash and Adobe Reader are kept fully patched, if you must use them, given all the Adobe exploits around at the moment.

• Data Breaches continue to be a huge problem: Eight-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let up in breaches as this is consistent with 84 percent sited [sic] in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009 up from 13 percent in 2008.
• More than 70% have fully executed or just launched data encryption strategy in their organization. Once again data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
• Encryption of data on mobile data-bearing devices used by employees is very important or important. More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
• On average a company will pay $202 per record compromised, and, in total an average of $6.6M should they experience a data breach.

• Domestic population (census.gov): 307M
• Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
• Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)

San Diego is a great place to live in and visit. I grew up in San Diego and didn’t realize how good I had it until I moved to San Bernardino when I was 15.  What does this have to do with security? If you need an excuse for a trip to San Diego (or if you live in San Diego), take a look at <http://www.securingourecity.org/news.php>

Securing Our eCity is an initiative that ESET and other public and private sector organizations have formed to help provide quality education about cybercrime and how to defend against it.

We are delighted that this coalition of concerned organizations has been able to create free courses on how to better educate and protect yourself from cybercrime. In late May an early June we are offering several free presentations on cybercrime. We’d be delighted to have your presence at one of the seminars… more if you like!

What if you can’t make it to San Diego? We plan to expand this program to many other cities, but I don’t have the details of when yet. You can also visit <http://www.securingourecity.org> for educational materials and resources to learn more.

I hope you’ll share this information with people you know who may need to learn a bit more about phishing and other threats on the internet.

Randy Abrams
Director of Technical Education

Just a reminder that we can’t usually handle support issues here. Not that we want to be unhelpful, but the Research team simply isn’t resourced for that sort of work.

Someone just posted a problem they had with V.4 here, and I mailed them back, but the message bounced, so I’ll summarize here.

As it was quite a specific problem with a specific program, it would probably be easiest to fill in the contact form at http://www.eset.com/support/contact.php,

Other support options here: http://kb.eset.com/esetkb/index?page=home

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence