ESET Threat Blog

Archive for the 'Social Engineering' Category

Hmmm, Phishing Works


Friday, October 30th, 2009

Specifically spear-phishing, where the target is deliberately selected, as opposed to a random untargeted attack.

An article at Dark Reading.com discusses the entirely unsurprising results of a test that concluded that the iPhone, BlackBerry, and Palm have essentially no protection against spear-phishing attacks. http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=221100150&cid=nl_DR_WEEKLY_T

LinkedIn was used as the service to send a fake invitation from. LinkedIn users are completely ripe for spear-phishing attacks as LinkedIn supports and embraces anti-phishing worst practices with incredible gusto. Of course, MySpace, Facebook, Twitter, and a myriad of other social networking sites also do all in their power to assure the success of phishing and spear-phishing attacks.

There’s no problem with getting an email inviting you to add a contact, a follower, etc., but including a link in the email is simply ignorant. Yes, it is very convenient, but even more so for cyber criminals to exploit. If you knew that a legitimate social networking email never contained a link, then phishing attacks would be far less effective.

If you don’t want to be the victim of a phishing attack, then don’t click on the links in emails for any site you must log on to. If you click on a link and it leads to a log-on page, close your browser, delete your temporary internet files, and then open your browser and type in the URL for the service (not using the email you received as a reference). Log into your account and then make decisions knowing that you logged into your real account.

The researcher is right that technology provides little protection against social engineering attacks, but missed the fact that it is the abuse of technology by social networking sites, banks, credit unions, credit card companies, and others that makes phishing so effective!

Randy Abrams
Director of Technical Education

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
     
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing web browsers used by the remaining 30% of users. 
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. Knowing or being able to find the answers to these types of questions easily makes it easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President. If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder. 
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets." 
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites. 
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say.  Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety. 
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider using site blocking to limit access to social networking sites, or at least ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as blocking through the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even implementing a pseudo-caching DNS server on your network.

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Web Searches and Dangerous Ladies


Wednesday, August 26th, 2009

I feel like the learned judge in the ’60s who asked, in the course of a trial, "What is a Beatle?" since until recently I couldn’t have given you an accurate answer to the question "What is a Jessica Biel?"

In fact, I’d probably have said something like "Wasn’t she in Flashdance?" (The answer is no: she would apparently have been a baby when I saw Jennifer Beals in that film, back in the days when I had a social life.) Clearly, I need to do something about my work/life balance, and the fact that I now only ever see movies on television or on planes.

Or perhaps not, since McAfee have reported, according to Yahoo News, that web searches for Ms Biel are "more likely to lead to online threats such as spyware and viruses than searches for any other celebrity."

There’s a certain irony here, in that the media and the blogosphere have picked up so readily on McAfee’s latest report, based on statistics from their SiteAdvisor site rating database. Well, celebrity stories are not only the stock-in-trade of many journalists and a major preoccupation of much of their readership (clearly there’s a correlation between those two factors!) but also a favoured target among spammers, scammers and purveyors of malware, who are always ready to use a topical story (real, fabricated, important or trivial) as social engineering bait in order to spread Badness.

Why is it ironic? Because even while they’re pointing to the dangers of celebrity hunting on the ‘net, they are, to some extent, perpetuating it. Of course, it’s a good thing if more people become aware of the dangers that malicious search engine optimization (SEO) poses, and I don’t blame McAfee for using the "cult of celebrity" to make that point, but it’s a pity that the media is focused on that narrow aspect of a much wider problem.

McAfee researchers Shane Keats and Eipe Koshy came out with a substantial research document earlier this year, using a number of statistical resources as well as SiteAdvisor. Rather than focusing on celebrities, it looked at a whole range of hooks used by the bad guys to lure the unwary, using search categories like screensavers, free games, taxes and viagra, as well as personalities from the entertainment world and politics.

Bizarrely, while celebrities did rank number 7 in the list of high-risk keywords in the US, the top two items in the table "Top 50 riskiest search terms in the United States" were "word scrambler" and "lyrics", so perhaps Lady Mondegreen is even more dangerous than Jessica. :)

But the paper deserves much closer attention than I can give it in a short blog. If you’re interested in what other psychological quirks the bad guys are finding it useful to exploit, take a look.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

(User) Education, Education, Education


Sunday, August 23rd, 2009

Regular readers will be aware that, unlike many people in the security industry, people in this research team tend to be enthusiastic supporters of security education for end users, both inside and outside business: not as The Answer To Everything, not in terms of turning everyone who uses the Internet into a security expert, but as an essential part of any business, social or political strategy for making cyberspace a safer experience for everyone.

In fact, Randy and I wrote a paper for last year’s AVAR (Association of anti Virus Asia Researchers) conference ("People Patching: Is User Education Of Any Use At All?") that covers some of those issues in some depth, and ESET strongly supports and is very active in a number of initiatives such as Securing Our eCity, which is very much focused on "educational programs, tools and technologies", and AMTSO (Anti-Malware Testing Standards Organization), which is far more narrowly focused in its topic matter, but also regards education and the sharing of information as fundamental to its mission.

So it was very interesting to see an article on SC Magazine’s UK web site based on an interview with our own Juraj Malcho, head of the Virus Lab in Bratislava, in which he presented his views on user education, highlighting a crucial issue: the fact that user education is an ongoing process, not a one-off.

The sad fact is that education is conceptually simple but in practice quite difficult, at least in the long term. Many educational mechanisms are based on alerts and warnings about specific threats, and we’ve seen many times that such alerts can seriously mitigate the impact of a threat in the short term: for example, when we were able to provide some early warning about the Waledac July 4th spam run. And as long as the bad guys are lazy about using infection mechanisms delivered with stereotypical messages, some people will remember the last time and be more cautious the next time a similar social engineering hook is used. (Sadly, some people will fall time and time again for the same con, and they represent a particular educational challenge…)

However, not all Black Hats are so obligingly lazy: some show startling creativity, not only in technical terms, but in generating new social engineering traps for the unwary. (My colleague Cristian Borghello, at ESET Latin America, has an interesting paper that addresses some aspects of the social engineering problem here.) Unfortunately, many potential victims are less adaptable, and find it difficult to extrapolate from one threat to another.

So while education remains an important, even essential supplement to other, more technical solutions, it can’t usually replace them. It’s just part of a wider defensive strategy. Though if we could find an effective way of teaching scepticism, that would make the bad guys’ job a lot harder. E.M. Forster said something like "the confidence trick is the work of man, but the want-of-confidence trick is the work of the devil." The fact is, though, that a little paranoia can save a lot of heartache, and some very bad men rely on the gullibility of others.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


A Matter of Life and Delf? Malware on the Fiddle


Wednesday, August 5th, 2009

There’s been a certain amount of buzz in the past couple of days about messages claiming to link to Wire Transfer information, but actually related to a Trojan commonly called Delf or Doneltart. ESET is detecting the examples we’ve been seeing as a variant of Win32/TrojanDownloader.Delf.OZG.

The messages generally look something like this (at least, all the samples I’ve seen have). The subject field takes the form:

Wire Transfer Info for <1stname> <2ndname>

The message looks like this:

For more details please download the invoice found on this link:
[http://]<domain></folders>/transfer.php?name=<1stname><2ndname>

The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.
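The subject and link pattern described above are regular enough to check for mechanically. The following is an added example, not ESET's code: it parses a raw message, matches the "Wire Transfer Info for <1stname> <2ndname>" subject and the transfer.php?name= link, and flags a message whose link name parameter is the concatenated name from the subject. The sample messages, the example.invalid domain and the names are constructed.

```python
"""Detect the "Wire Transfer Info" lure pattern in raw e-mail text.

Added example, not ESET's own code. Sample messages, domain and names are
constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qs, urlparse

# Subject form from the post: "Wire Transfer Info for <1stname> <2ndname>"
SUBJECT_RE = re.compile(r"^\s*Wire Transfer Info for\s+(\S+)\s+(\S+)\s*$", re.I)

# Body link form: [http://]<domain></folders>/transfer.php?name=<1stname><2ndname>
# The scheme is optional in the lure, so the regex accepts it with or without.
# All groups are non-capturing so findall() returns the whole link.
LINK_RE = re.compile(
    r"(?:https?://)?[\w.-]+(?:/[\w./-]*)?/transfer\.php\?name=\w+", re.I
)


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a (possibly multipart) message."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append((part.get_payload(decode=True) or b"").decode(errors="replace"))
        return "\n".join(parts)
    return (msg.get_payload(decode=True) or b"").decode(errors="replace")


def assess_wire_transfer_lure(raw_message: str) -> dict:
    """Classify one raw RFC 822 message as 'lure', 'suspicious' or 'clean'.

    'lure'       : subject matches the template AND a transfer.php link is present
    'suspicious' : only one of the two indicators is present
    'clean'      : neither indicator is present
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = _body_text(msg)

    result = {
        "subject_matches": False,
        "lure_links": [],          # one entry per transfer.php link found
        "name_matches_subject": False,
        "verdict": "clean",
    }

    m = SUBJECT_RE.match(subject)
    expected_name = ""
    if m:
        result["subject_matches"] = True
        # The lure concatenates first and last name without a separator.
        expected_name = (m.group(1) + m.group(2)).lower()

    for link in LINK_RE.findall(body):
        url = link if link.lower().startswith("http") else "http://" + link
        parsed = urlparse(url)
        name = parse_qs(parsed.query).get("name", [""])[0].lower()
        result["lure_links"].append({"host": parsed.hostname, "name": name})
        if expected_name and name == expected_name:
            result["name_matches_subject"] = True

    if result["subject_matches"] and result["lure_links"]:
        result["verdict"] = "lure"
    elif result["subject_matches"] or result["lure_links"]:
        result["verdict"] = "suspicious"
    return result


# Constructed sample messages (example.invalid is a placeholder domain).
SAMPLE_LURE = """From: accounts@example.invalid
To: jane.doe@example.invalid
Subject: Wire Transfer Info for Jane Doe

For more details please download the invoice found on this link:
example.invalid/docs/transfer.php?name=JaneDoe
"""

SAMPLE_BENIGN = """From: bob@example.invalid
To: jane.doe@example.invalid
Subject: Lunch on Friday?

The menu is at http://example.invalid/menu.html - let me know.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_wire_transfer_lure(sample))
```

Run over a mail spool the same function can feed a mail gateway rule; the verdict is a content check only and says nothing about whether the linked file is actually the Trojan.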

These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That’s because in this case at least, quite a few of the targeted domains are financial institutions, and on that occasion the message was along the lines of:

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Detection of this wave of malware seems to be reasonable, in general. Here’s a VirusTotal report Pierre-Marc has sent me relating to one of the samples he’s seen (23 detections out of 41 products):

http://www.virustotal.com/analisis/57b19e0a576be2d0493a00893cbd35e0cb4c278af106e06d9c906ab7028ab73a-1249334843

The hit rate varies between samples, though: I’ve seen reports as low as 16 for some, but NOD32 hasn’t failed to detect any of the samples I’ve tried subsequently (half a dozen or so, so far). That doesn’t, of course, mean I can guarantee we have 100% detection!

The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it’s best if I don’t name names (apart from Pierre-Marc of course!), but you guys know who you are. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Facebook: Computeracy by Degrees


Saturday, June 13th, 2009

When I first went to university at the end of the 1960s (yes, I really am that old, though not quite old enough to be of that generation that only remembers that decade through a haze of psychedelic phenomena), my choice of social sciences was regarded as somewhat fluffy. It was the age of "the white heat of technology" (a phrase credited to Prime Minister Harold Wilson, though it’s not exactly what he said): science and engineering students were going to be the leading architects of society (nerdy image notwithstanding), art school was the accepted jumping-off point for a career in rock and roll, and social mechanisms were popularly perceived as being of interest only to academics and trainee social workers.

In fact, popular opinion was somewhat behind the curve. Vance Packard’s 1957 book "The Hidden Persuaders" had already let the genie out of the bottle by opening the eyes of his audience to the way that psychological and emotional processes were already being used by businessmen and politicians to sell products and image through the media. While an unimaginative comedian can still get a safe laugh by referring to a degree in media studies as a degree in MTV or "American Idol" or "Grey’s Anatomy", that particular discipline has been influenced by a wide range of studies: urban sociology, propaganda studies, and media effects studies, for example. There’s a lot more to this field than predicting whether House and Cuddy will ever get it on. ;-)

So I’m not terribly surprised to see MSN describing Salford University’s Masters Degree in Social Media as an "MA in Facebook and Twitter," or making sarcastic (but amusing) comments about TechRadar’s Doctorate in YouTube and 140-character dissertations. And MSN is right to see this as a course that’s likely to appeal to PR and marketing people. That’s important. You don’t often see a product in any market that’s so clearly ahead of the pack that it doesn’t need to be properly marketed, and social networking/interactive technologies have become important marketing tools as well as means of acquiring and sharing other information.

Perhaps we’re all missing a point, though. MSN quoted Professor Ben Light, the course leader, as saying "knowledge of high quality production and communication techniques will create powerful campaigns – whether for commercial or social reasons." He’s clearly thinking of social media as a "a way of doing social good", perhaps remembering the days when "social engineering" had a constructive, socially responsible meaning. But legitimate marketing, education, social engineering in the pre-hacking sense of social improvement: they’re only half the story.  Botherders, hackers, spammers, hoaxers, conmen, phishers: knowingly or not, they use many of the same techniques.

I don’t, of course, suggest that everyone in the security industry should take a year or two off to do a higher degree in social media, still less that everyone should. But everyone with an interest in security or with something to lose from not having an interest in security needs to have some idea of what psychological buttons the bad guys are trying to push. That’s a theme I’ve ranted on many times before (and I’ve recently been exploring it again in a couple of papers for the Virus Bulletin conference in September), but I think perhaps it’s one I’ll be returning to here, sooner rather than later.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Chinese Whispers: Targeted Malware and E-Espionage


Sunday, March 29th, 2009

I’ve mentioned here before that targeted malware, often delivered by "spear phishing" carried by apparently "harmless" documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term "whaling" rather than "spear phishing" to reflect the size of the organizations targeted (and, presumably, the scale of the potential impact).

This impact can be so great because instead of being distributed to huge numbers of random people, the social engineering messages are distributed to a few people who have particular influence, or access to particularly interesting and/or valuable information. Today’s Big Issue is concerned with what are alleged to be attacks largely originating in China, against various diplomatic and governmental organizations and the Dalai Lama’s Tibetan exile centres, following the simultaneous release of an article in the New York Times, a paper from the University of Toronto, and another from the University of Cambridge in the UK. At the time of writing, the Toronto paper is unavailable because of a problem with the site, but it’s currently mirrored here.

While I haven’t come across these attacks against the exiled Dalai Lama’s supporters before, both the mechanisms and the far-East connection have been known for some years, even before the UK Centre for the Protection of National Infrastructure (then called NISCC) and security services went semi-public with an advisory. And I’ve referred here before to a chapter section in my "AVIEN Malware Defense Guide" where Ken Dunham and Jim Melnick describe zero-day attacks by "Wicked Rose" and the NCPH group centred on Trojans targeting such organizations as the Department of Defense.

Even if you’ve no particular interest in the locales and organizations named in these reports, there’s an issue touched on in the Cambridge paper by Shishir Nagaraja and Ross Anderson that demands further consideration, when they suggest that "What Chinese spooks did in 2008, Russian Crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course." Here’s why I think they’re right.

What Nagaraja and Anderson call social malware – what I’d call a combination of sophisticated Trojan malware and effective, targeted social engineering – is not the sole preserve of governments spying on governments. (In fact, government contractors and other organizations with significant political interest have been targeted from the beginning: it’s naive to think that a Critical National Infrastructure (CNI) is just an aggregation of government departments.)

The on-line world is full of crooks trying to make money from some form of phishing or other forms of fraud. There are plenty of potential victims out there, but maybe not as many as there were:

  • global recession has made the world poorer
  • the level of awareness of criminal activity among internet users in general is rising, albeit painfully slowly

So criminals may have to share smaller pots between more people.

Furthermore, random dissemination of phishing and similar scams has a fatal weakness: massive random mailouts don’t lend themselves to personalized content.

For instance, I’m not likely to fall for -any- Bank of America phish because I don’t have an account with BoA, and hopefully you won’t send your credit card details to someone who addresses you as "Dear American Express User".

But even a sceptic like me might fall for an email that looks (and sounds) as if it comes from someone I trust, and includes or directs me to a document rather than a program file. Right now, you are most likely to get such a mail if you’re working in certain sectors. But as more blackhats get into the game who are more interested in cash than ideology, the more enterprising among them will spend more time on customizing and targeting, in the hope of getting a better hit rate and higher profits.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Signed Updates and Social Engineering


Wednesday, March 11th, 2009

Someone raised an interesting point in a comment to yesterday’s blog about Symantec’s own PIFTS.EXE being flagged by their own firewall as a possible problem. Let me quote the comment in full.

I by no means buy into the super root-kit routine, I do however think that there will be copy cats (if not already) that are passing themselves off as “OOPS, I’m just an unsigned update, sorry, just install me anyways and we’ll be gravy”.

Hoax, scam, conspiracy theory lore, ya, already. But something not to warn your users about? Definitely not.

I started to respond to this as a follow-up comment, but thought it probably deserved a fuller response.

Fake patches are already common, and not usually signed. I can’t think of a way in which malware could pass itself off as an unsigned update without inviting the question "so -why- isn’t this update signed when the sender acknowledges that it ought to be?" Certainly I wouldn’t expect security software to be fooled by social engineering. Hopefully. (Of course, I realize that security software can be compromised indirectly when a human falls for social engineering.)

However, I suppose it’s quite possible that someone will try the "we weren’t able to sign this because the digital pen ran out of virtual ink" approach, and there’s probably someone, somewhere who will fall for it. Certainly there are plenty of people who have no idea of how code signing and digital signatures in general work, and it’s perfectly true that the bad guys are very adept at misusing and misrepresenting a security concept so that they can use it as an attack. On the other hand, it’s not unknown for fake patches to be sent out with a fake digital signature.

However, what we’re discussing here are two different issues. Fake patches are sent out using common and easily misused transport mechanisms like email attachments or forged, malicious links. In such a case, a fake signature, where used, is usually just a dummy. It’s there to fool the human being who receives the lure (social engineering), not the software.

In fact, Symantec’s firewall was doing just what it was supposed to do: if the executable had been signed, as it was supposed to have been, the issue would not have arisen, because the firewall could have authenticated it. As the situation did arise, the firewall quite properly flagged it as a possible problem. It was a glitch in the process rather than a technological error.
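To make the distinction concrete, here is an added example (not code from the post, and not Symantec’s or any vendor’s update format) of the check an installer performs: a hypothetical Ed25519-signed update package is accepted only if the signature verifies against the publisher’s key, so an "oops, it’s unsigned" note and a dummy signature are refused alike, and the only thing a fake signature can fool is the person reading the lure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a constructed, hypothetical package layout: the payload plus the
// detached signature the installer checks. Signature is empty when "unsigned".
type Update struct {
	Name      string
	Payload   []byte
	Signature []byte
}

var (
	ErrUnsigned = errors.New("update is unsigned: refusing to install")
	ErrBadSig   = errors.New("signature does not verify: refusing to install")
)

// VerifyUpdate is the installer's decision. It consults only the publisher's
// public key and the bytes of the package, never any accompanying explanation.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	if len(u.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, u.Payload, u.Signature) {
		return ErrBadSig
	}
	return nil
}

// SignUpdate is the publisher's side, included so the example runs offline.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	good := SignUpdate(priv, "patch-1.0", []byte("constructed update body"))
	unsigned := Update{Name: "patch-1.1", Payload: []byte("OOPS, I'm just an unsigned update")}
	dummy := Update{Name: "patch-1.2", Payload: []byte("hotfix"), Signature: make([]byte, ed25519.SignatureSize)}
	tampered := good // valid signature, but the payload was altered in transit
	tampered.Payload = []byte("constructed update body, modified")
	for _, u := range []Update{good, unsigned, dummy, tampered} {
		fmt.Printf("%-10s %v\n", u.Name, VerifyUpdate(pub, u))
	}
}
```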

But you’re quite right: the bad guys are always looking for new angles to exploit human psychology: it’s much easier to patch and hotfix software than it is naïve human behaviour.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

This is a Lie


Friday, January 30th, 2009

Well, this actually isn’t a lie, but a lot of what you read on the web are lies designed to steal money or identities. If you go to a web page and it says you need a new codec or new software to view a video or picture, or pretty much anything, the odds are that it is a trick to get you to install malicious software (malware). Consider the following story: http://redtape.msnbc.com/2009/01/post-1.html#posts

You go to your friend’s Twitter, Facebook, Myspace, or whatever web site, and see an urgent plea for help. Your first thought should be that the friend’s account has been stolen. If you needed help immediately, would you really put it up on your Facebook page, or would you be doing something else to obtain assistance? Yeah, I can see where someone might use Twitter, but it is a really bad idea to believe such a request is genuine. Remember, for a while all of the accounts on Twitter were accessible using an easily guessed username and password. If you haven’t changed the password on your social networking page in the past 3 months, I strongly encourage you to do so.

Attacks against social networking sites are common. There is also a commonality between these attacks and emails that claim to provide government grants, IRS refunds, and a host of other free or low cost things. In all cases it is essential that you verify the facts before you part with money or any personal information.

The easiest way to hijack social networking profiles is to guess the password. This is because most people use really, really bad passwords. Using poor passwords for your email or other web accounts can put your friends at risk. No matter how obscure you think a word is, it is still easy for a computer to guess the password. No single word in any language is a good password. Always use at least two words if you must use words. It is even better if you use a number as well as a word, and a large number, like 1010, is much better than a small number.

Numbers less than about 895,435,776,880,213,776,992,053 are bad passwords, and numbers that large are hard to remember. 123 is one of the worst and most common passwords. 123elephantpig would be a fairly good password, relative to numbers or words alone. Elephant100pig is even better for a password. You can use words and you can use numbers, but use them both at the same time!

Requests for help, threats of legal action, or offers of free things should always be viewed with skepticism; always investigate before acting on them.

If you have any general security questions, feel free to email me at askeset@eset.com, but the address is not for product support or requests for business relationships!

Randy Abrams
Director of Technical Education