Friday, September 25, 2009

Security Smorgasbord, Vol 1, No. 3

Malware from legitimate sites

If you browse to, shall we say the seedier part of Al Gore's Intarwebz (not that you'd ever do that), you know to be on your guard. But what about when you're in the nice part of town? Say the Drudge Report (yeah, I know I said "nice part of town"; work with me, people)? The Bad Guys have figured out how to get their malware into ads served up via Google Ads:

Some of the web's bigger websites were flooded with a torrent of malicious banner ads after cyber crooks managed to sneak them onto syndication services operated by Google, Yahoo, and a third company, according to a security firm.

The ads - which attacked previously-patched vulnerabilities in Adobe's PDF Reader and Microsoft's DirectShow - starting appearing on sites such as the DrudgeReport, horoscope.com and lyrics.com last Friday, ScanSafe researcher Mary Landesman told The Register. They were delivered over networks belonging to Google's DoubleClick; Right Media'sYield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick.

There's quite a lot of finger pointing between the companies whose sites were victimized, and the ad distributors (particularly Google). What this means is that there really are no "good parts" of the Internet anymore. This topic deserves a more detailed post, but for now pay extra attention to patches - especially for Adobe and flash.

Oh, and Sitemeter tells me that almost 40% of you are on Internet Explorer 6.x or 7.x. If you have to stay with IE, upgrade to IE 8 right now - it's much, much more secure than earlier versions. That'll also be another post.

People still ignore pop-up warnings

Where this is most important is with bad Digital Certificates (the bit that lets you verify that Amazon.com is really Amazon.com). Your browser will give you a popup when there's a problem with the certificate. People mostly ignore it:

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a Web site they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the Web site server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack.

What's interesting about this is that bit about tech-savvy users ignoring the warnings even more that everyone else. These are the people best suited to figure out what to do. Me, I'm happy to pass up a site with an expired certificate, but I don't shop online much. However, you have to be pretty crazy to give your credit card to a site with an expired certificate.

In other news of ignoring popups, sometimes you should really really pay attention:

A federal government employee is under arrest this week after venturing into a classified system he was not authorized to access.

...

The affidavit says Montgomery ignored automated security warnings that told him not to proceed, even though he had a working password. Montgomery says he saw the warnings, but didn't read them and didn't know the system was being monitored by the FBI.

Oops. "I didn't read it" didn't work with my teachers, and I expect that it double plus won't work with the system security officer.

Good Security Blog

John Pescatore is one of the most perceptive security analysts around, and has a (new to me) security blog. If you're looking for a good introduction to real world security issues, John's your guy. It's not techno-geeky, so John is very accessible to a general audience:
... safety is a relative thing. As the old saw says about what one hunter said to the other when they ran into the angry bear in the woods: “I don’t have to outrun the bear, I only have to outrun you.” Animals use “herd behavior” as a basic safety mechanism – humans call it “due diligence.”
John has a nifty "Twelve Word Tuesday" series of posts. I'd try something like that here, but as you all know, the problem isn't getting me to talk, it's getting me to shut up.

Added to be blogroll here, so you know his hit counter's fixin' to spin ...

Mac Malware Group Discovered

Most malware targets Windows, and Mac users really don't have the same level of security problems to deal with. However, there are some good reasons to think that this is changing. A group of Black Hats who specialized in Mac malware has been discovered. Like everyone esle, they did it for the money:

A researcher has unearthed fresh evidence of cyber criminals' growing attraction to Apple's OS X platform with the discovery of a now-disbanded group that offered 43 cents for every infected Mac.

Mac-codec.com was just one of hundreds of "codec-partnerka," a term researcher Dmitry Samosseiko uses to describe the well-organized affiliate networks that pay a small bounty each time their malware is installed on an unsuspecting end user's computer. What makes this one stand apart is its dedication to the Mac platform.

Maybe they'll stay unique, but that's not where the smart money is betting. In the meantime, Mac users should keep your powder patches dry.

2 comments:

  1. I no longer feel sympathy for anyone who uses an obsolete browser unsafely and gets victimized. I'm glad they're out there, too: It gives the thugs easier targets.

    Jim

    ReplyDelete
  2. Could happen anywhere. I had malware show up from Instapundit at work, but our IT sucked anyway.

    Regards,
    NMM1AFan

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.