Security researchers have discovered that certain models of iOS devices that have been “jailbroken” are now being targeted in a malware attack, dubbed “unflod”, that can collect the AppleID account login and password used on that device and transmit it to hacker-controlled servers. While jailbreaking iPhones or iPads isn’t likely to be something the majority of iOS device-users will do (primarily because it voids your warranty), a significant percentage of users (2% in early 2013, or nearly 7 million devices) regularly jailbreak their devices. Even if the actual count of phones vulnerable to this threat is somewhere less than 7 million, it’s still a big enough target for identity thieves.
What this means for you:
If your iOS device isn’t jailbroken, you don’t have to worry about the unflod malware attack. If you have an iPhone 5s, iPad Air, or iPad Mini 2G, you don’t have to worry about this particular attack either, even if the device is jailbroken, as the malware currently in use doesn’t work on 64-bit operating systems, which the aforementioned devices use. The unflod malware appears to be caught through application of certain system tweaks that can only be applied to jailbroken, 32-bit OS devices, and only then if the tweaks are sideloaded outside of Apple’s own official app store, or Cydia, the “unofficial official” app store for jailbroken devices. In other words, if most of the words in the article don’t make sense to you, you probably won’t be affected by this malware.
HOWEVER, if you’ve ever considered jailbreaking your iOS device for whatever reason, let the above serve as a cautionary tale: be sure you know what you are doing, back up your important device data, and seriously consider whether you really need a jailbroken iPhone. While the above malware attack requires a specific set of circumstances that only affect a very small percentage of users, jailbreaking a device should only be done by someone willing to take on an increased risk of security breaches and with a full understanding of troubleshooting your own device issues.
It’s an unfortunate but not unexpected state of affairs that hackers continue to take advantage of our voracious appetite for news. As has been happening with hot news stories for at least a year or more, malware links are cropping up to exploit the media frenzy surrounding missing Malaysian Flight MH370. Taking advantage of the viral nature of sharing prevalent on Facebook and Twitter, fake links promise “shocking video” revealing the fate of the missing flight. Clicking them takes you to a counterfeit survey designed to look like the Facebook surveys many app-makers use to gather info on users before granting access to their app or content. Instead, of course, you are giving your info to hackers on a fake website, where it will undoubtedly be used to annoying, or worse, nefarious ends.
What this means for you:
If I’ve said it once, I’ve said it 1000 times: don’t click links in Twitter, Facebook or email, doubly so if the source isn’t someone you trust or recognize, and you can’t clearly see the destination URL. Most links shared on Twitter use a URL shortener which obscures the final destination, a technology designed originally to compress long URLs into tiny ones and now used as a trick by spammers and hackers to lure you to a fake website. All it takes is a simple page load (no typing or filling in forms required) for an out-of-date browser or OS to be compromised, and once they have a toe in the door, it’s all downhill from there.
From this point forward, you should expect hackers will exploit hot news items to take advantage of our natural curiosity. If part of your online brand-building, either professionally or personally, includes re-sharing or retweeting internet links, be careful you don’t inadvertently share a fake news item to your friends and followers.
Back when Google’s Chrome browser was brand new in the browser market and demonstrating how poor Microsoft’s Internet Explorer security was in comparison, it was easy to recommend it as the faster, more secure option. However, with market share comes concessions to convenience and feature-creep, and it seems that Google may be stretching itself too thin to be the browser on everything and for everyone. Aside from the rather disturbing and glaring security flaw pointed out earlier this year in the desktop versions of Chrome (and steadfastly refuted by Google…until it was fixed), Chrome has typically been viewed as the “most secure” of the big three Windows browsers (the other two being IE and Firefox).
Unfortunately, security firm Identity Finder has burst this bubble by revealing another weakness in Chrome. In the spirit of convenience, Chrome offers to save information used to fill out the countless webforms we all run into on a daily or even hourly basis while surfing. Most of these fields are what would be considered personally identifying information (names, addresses, account numbers, etc.) and Chrome stores them in plain text on your hard drive so as to be able to retrieve them for autopopulating other web forms. The problem with this, of course, is that anyone with access to your hard drive can read that data and use it to nefarious ends. And in case you’re still trying to sort out why this is bad, access isn’t limited to someone working on your computer or stealing your hard drive. Unauthorized access is most often gained now through malware infections.
What this means for you:
Sadly, achieving better security is no longer simply a matter of changing your browser, no matter how much any company (even Google!) would have you believe otherwise. If you want to disable the above mentioned “feature” in Chrome, you can do so by visiting Settings -> Advanced Settings -> Passwords and Forms and unchecking “Enable Autofill to fill out web forms in a single click.” You should never rely on just a browser choice to determine the totality of your security. Good security is a combination of browser choice, settings, malware protection and constant vigilance. Chrome still remains a solid choice as a browser but beware convenience features like Autofill and saving passwords in your browser, as this convenience may come at the price of security.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.
Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.
What this means for you:
Whenever you receive a warning like this, the safest method to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot”.
One of the claims by loyal Apple fans is that the Apple desktop operating system is more secure than Microsoft Windows because they are affected by markedly less malware. This has more to do with the fact that virus-writers would rather spend their time creating malware for an OS that is much more widely installed and has many well-known security weaknesses and bugs to exploit, and less to do with any inherent security strengths in OS X.
Whichever side of the fence you fall on, Mac users have recently been falling prey to a new form of ransomware that is delivered via Apple’s Safari web browser. Affected users are displayed the usual threatening messages that purportedly come straight from the FBI, demonstrating “proof” that your Apple computer has been engaged in illegal activity. Users are given the opportunity to pay a “fine” which will supposedly allow them to regain control over their machine and remove the warning messages blocking their screen.
What this means for you:
If you are a Windows user, you’ve probably already seen this form of malware in action. The Apple variant is slightly less annoying than its Windows counterpart, relying heavily on “iFrames” to pop-up the warnings. Savvy Safari users can close these windows to escape the ransomware’s clutches temporarily (something that’s not possible on the Windows side), but should still reset their browser settings (FBI provides instructions here) to clear out any rogue alterations made, and then run a full anti-malware sweep to ensure they didn’t pick up anything else alongside of the ransomware scam.
As always, you should never heed instructions to pay a “fine” levied by some governmental institution via online method. Law enforcement agencies do not operate in that fashion. Regardless of the brouhaha ongoing with the NSA and the Prism surveillance, no government entity is going to handle illegal activity via automated fines, and especially not through dodgy online payment websites. Use your common sense. If you encounter this form of malware and are unable to fix it yourself, shut down your workstation and pick up the phone to call a professional.
The upcoming Black Hat security conference features a topic that may give traveling iPhone users second thoughts about using a public charging station to juice up their phones. Three security researchers from Georgia Institute of Technology have built a prototype device that can hack an iPhone through the dock connector merely by being plugged in. Supposedly this hack can be accomplished on the latest iOS update, and does not require any interaction from the user, nor does it rely on the device being jailbroken.
What this means for you:
I’ve always viewed public charging stations as being rather sketchy to begin with, especially the ones that charge you for the service and offer “highspeed charging” which could easily fry your phone’s battery if not the device itself. I’d rather spend a few extra minutes locating a regular wall outlet and using my own equipment. Supposedly the prototype that will be demonstrated at the upcoming conference is too big to fit into a standard Apple-branded iPhone charger, but the designers of the device implied that stealthier versions wouldn’t be hard to produce at all.
Most modern smartphones combine data and power in the same port (Android phones and most tablets also feature this same convenience) so it may not be just iPhones that will be vulnerable to this method of attack. For now, make sure you use chargers you know are safe regardless of what type of mobile device you use, and avoid public charging stations. This particular cow is well on its way out of that barn.
When laptops and desktops first started shipping with webcams built right into the chassis, people immediately started joking about their computers spying on them, and I saw numerous semi-serious and completely serious attempts to cover them up with tape, post-it notes, permanent marker and just about anything people could put their hands on to alleviate that prickling sensation of being watched. Unfortunately, reality isn’t typically far behind imagination, and you probably aren’t surprised to know that it is completely possible for your webcam equipped device to be hacked, and yes, your webcam activated and watching whatever is in front of it. Not scary enough for you? What about that laptop you just gave your daughter?
Sadly, this isn’t just a scare tactic. ArsTechnica has a chilling article that takes a detailed look into the creepy world of “ratters” – young, mostly-male hackers who use covert Remote Access Terminal software (RATs) installed on compromised computers for the express purpose of spying on and remotely tormenting their “slaves.” RAT software is based on the same technology commonly found in support software used by IT professionals (like C2) to provide remote assistance and control on their customers’ computers. Unlike those legitimate tools, RAT software is designed to be undetectable and easy to install and spread without the victim’s knowledge.
What this means for you:
In nearly every case of malware attacks, especially ones that can deliver a payload like a RAT package, the incursion is typically the result of an action taken by the victim: visiting questionable websites, opening unknown attachments, clicking strange links in emails. Alongside of this is a set of inactions that the user is also guilty of: failure to install reputable antimalware software, failure to make sure the OS and installed software are kept up to date, and of course, failure to remain constantly vigilant! As you’ve heard me say many times, nothing will stop a dedicated hacker from penetrating even the most stalwart of defenses. However, a good malware application and some common sense will put you miles ahead of the less cautious and less safe and typically off the radar of hacking ratters, who are looking for easy targets.
Another simple solution? That piece of tape ain’t looking so bad now, right? Just remember to cover the lens and not the “activity” light for the camera, which will tell you when your camera is possibly watching your every move. As always, if you notice your computer behaving strangely, disconnect it from the internet immediately and call a professional for advice.
Just this past week I received 2 emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even using text from actual legitimate emails to camouflage the hook.
How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.
Apply Common Sense
Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.
Who’s the email from? And who is the actual recipient?
In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct? Call up the sender to ask if they actually sent the email.
In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have to put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including 2 that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.
But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!
Are the embedded links legitimate?
Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)
In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?
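The checks described above (entries in the CC field that are not addresses, link text that names one site while the link goes to another, and links that leave the sender's domain) can be automated. The following is an added example, not code from the original post; the sample message and every host name in it are constructed, and comparing the last two labels of a host name is a simplifying assumption rather than a full registrable-domain lookup.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message); every host uses the reserved .example TLD.
SAMPLE = """\
From: "Example Wireless" <billing@examplewireless.example>
To: webmaster@client.example
Cc: someone@other.example, not-an-address
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>View your bill:
<a href="http://pay.unrelated-host.example/login">www.examplewireless.example/myaccount</a></p>
<p><a href="https://www.examplewireless.example/help">Help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site(host):
    # Simplification: the last two labels stand in for the registrable domain.
    return ".".join((host or "").lower().split(".")[-2:])

def shown_host(text):
    # Host named in the visible link text, or None when the text is not URL-like.
    m = re.match(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", text.lower())
    return m.group(1) if m else None

def audit(raw):
    """Return (check, detail) findings for one raw message."""
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr):
            findings.append(("bad-cc", addr))        # automated mail should not carry junk CCs
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            host, shown = urlsplit(href).hostname or "", shown_host(text)
            if shown and site(shown) != site(host):  # text names one site, href goes to another
                findings.append(("text-href-mismatch", f"{shown} -> {host}"))
            if site(host) != site(sender):           # link leaves the claimed sender's domain
                findings.append(("off-sender-link", host))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The off-sender check is a heuristic: legitimate mail sometimes links through third-party hosts, so treat a hit as a reason to look closer rather than as proof.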
What this means for you:
These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.












