SophosLabs is intercepting a widespread criminal campaign to infect innocent users’ computers. The attack has been spammed out widely, pretending to be an email containing a scan from an HP OfficeJet printer.
The precise wording used in the dangerous emails' subject lines, message bodies and attachment names varies. The following randomly selected examples give an idea of the variations:

Subject                                                           Attached filename
Re: Fwd: Scan from a Hewlett-Packard Officejet 69087080           HP_Document_02-22_OFCJET99677.htm
Fwd: Re: Scan from a HP Officejet #43384897                       HP_Scan_02-22_OFCJET67245.htm
Fwd: Re: Scan from a Hewlett-Packard Officejet #1584730           HP_Scan_02-22_OFCJET67107.htm
Re: Scan from a Hewlett-Packard Officejet 1206754                 HP_Document_02-22_OFCJET94399.htm
Re: Fwd: Fwd: Scan from a Hewlett-Packard Officejet #886303 1.2   HP_Scan_02-23_OFCJET15517.htm
Fwd: Re: Fwd: Scan from a HP Officejet #75709542                  HP_Scan_02-22_OFCJET53685.htm
Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #128469       HP_Officejet_02-23_OFCJET71498.htm
Fwd: Re: Re: Scan from a Hewlett-Packard Officejet #662447        HP_Scan_02-23_OFCJET99544.htm
Re: Scan from a HP Officejet #49477094                            HP_Officejet_02-22_OFCJET43520.htm
Fwd: Fwd: Scan from a Hewlett-Packard Officejet #885932           HP_Document_02-23_OFCJET29774.htm
Fwd: Fwd: Scan from a HP Officejet #09665907                      HP_Document_02-22_OFCJET84014.htm

Sophos security products detect the attached files as Mal/Iframe-W. Just as with yesterday's "Changelog" malware attack, a malicious script inside the HTM file is designed to make your browser visit third-party sites which may contain further malicious and exploit code.
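A mail-gateway check for this pattern, as an added example that is not part of the Sophos article: it parses a message, flags the campaign's subject wording and attachment-naming convention, and inspects any .htm attachment for script or iframe tags, which a genuine scanned document never needs. The two sample messages, the example.invalid host names, the rule names and the quarantine/review/deliver verdicts are all constructed for this demonstration; the regular expressions follow the subjects and filenames in the table above.

```python
"""Gateway rule for 'printer scan' lures carrying active HTML attachments.

Added example, not Sophos code. Sample messages and thresholds are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Iterator, List, Tuple

# Subject wording seen in the campaign, behind any chain of Re:/Fwd: prefixes.
SUBJECT_RE = re.compile(
    r"\bScan from an? (?:Hewlett-Packard|HP) Officejet\b", re.IGNORECASE)
# Attachment names followed HP_<Document|Scan|Officejet>_<MM-DD>_OFCJET<digits>.htm
LURE_NAME_RE = re.compile(
    r"^HP_(?:Document|Scan|Officejet)_\d{2}-\d{2}_OFCJET\d+\.html?$", re.IGNORECASE)
# A scanned document has no business carrying script or a frame to a third-party site.
ACTIVE_HTML_RE = re.compile(r"<\s*(?:script|iframe|object|embed)\b", re.IGNORECASE)


def html_attachments(msg: Message) -> Iterator[Tuple[str, str]]:
    """Yield (filename, decoded body) for every .htm/.html attachment."""
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            raw = part.get_payload(decode=True) or b""
            yield name, raw.decode("utf-8", errors="replace")


def reasons(raw_message: str) -> List[str]:
    """Return every rule that fired; an empty list means nothing matched."""
    msg = message_from_string(raw_message)
    found = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        found.append("subject: printer-scan lure")
    for name, body in html_attachments(msg):
        if LURE_NAME_RE.match(name):
            found.append(f"attachment name matches campaign: {name}")
        if ACTIVE_HTML_RE.search(body):
            found.append(f"active content in HTML attachment: {name}")
    return found


def verdict(raw_message: str) -> str:
    found = reasons(raw_message)
    if any(r.startswith(("attachment", "active")) for r in found):
        return "quarantine"
    if found:
        return "review"   # subject alone: a real scan-to-email job looks like this too
    return "deliver"


# Constructed lure in the shape of the campaign (not a real captured sample).
LURE = """\
From: "HP Officejet" <scanner@example.invalid>
To: victim@example.invalid
Subject: Fwd: Re: Scan from a HP Officejet #43384897
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="frontier"

--frontier
Content-Type: text/plain; charset="us-ascii"

Please see the attached document.
--frontier
Content-Type: text/html; name="HP_Scan_02-22_OFCJET67245.htm"
Content-Disposition: attachment; filename="HP_Scan_02-22_OFCJET67245.htm"

<html><body>Loading your scan...
<iframe src="http://landing.example.invalid/" width="1" height="1"></iframe>
</body></html>
--frontier--
"""

# Constructed genuine scan-to-email job: same subject style, but a PDF and no HTML.
GENUINE = """\
From: "Officejet Pro" <noreply@example.invalid>
To: victim@example.invalid
Subject: Scan from a HP Officejet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="frontier"

--frontier
Content-Type: application/pdf; name="scan001.pdf"
Content-Disposition: attachment; filename="scan001.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--frontier--
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("genuine", GENUINE)):
        print(label, verdict(sample), reasons(sample))
```

The subject alone only earns a "review" verdict because real HP scan-to-email jobs use that wording too; what separates the lure is an HTML attachment whose only content is a redirect, which is why the active-content rule is what drives quarantine.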
Attacks which cloak their true intentions by posing as an emailed scan from a printer are nothing new, and in the past have helped cybercriminals infect computers via Java and Adobe exploits.
Computer users need to learn to be wary of unsolicited attachments, and not blindly click on something just because it pretends to be an official communication.
Up-to-date anti-virus and anti-spam protection is a good defence. But remember to augment it with a good serving of common sense too in order to reduce the chances of an attack being successful.
Malware: ‘Scan from a HP OfficeJet’ attack spammed out widely | Naked Security
Schneier on Security: Protecting Your Privacy at International Borders
January 11, 2012
Protecting Your Privacy at International Borders
The EFF has published a good guide.
My own advice is here and here.
Posted on January 11, 2012 at 7:15 AM • 19 Comments
Comments
The simplest advice is take nothing with you across any border at any time except the minimum you require to get to your hotel etc.
You arrange for anything else to be sent another way.
Two reasons for this,
1, You have nothing that you don’t know about on you.
2, You don’t have any devices on which malware etc can be added to your detriment. Oh, you also have less to be stolen/mislaid and nothing for the TSA et al to scratch the backs of their heads over…
Posted by: Clive Robinson at January 11, 2012 8:53 AM
Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply. In fact, this is what many people from this side of the pond perform routinely as a secondary purpose of their trip.
Once you have it, download the data you need. Before leaving, securely erase it. After returning, keep it or sell it – with a profit usually.
For the purpose of secure deletion: do not buy SSD disks!
Posted by: Peter A. at January 11, 2012 9:13 AM
And all these recommendations fail if they are really after you, i.e. installing some hardware bug while your laptop gets searched.
So if you are paranoid taking no device with you seems the only solution.
Posted by: ChristianO at January 11, 2012 9:39 AM
They missed one trick in a sidebar. Dr. Akina doesn’t need to ‘securely wipe’ the travel laptop, she just mails it back.
Given the fun and games involved with secure wiping and the triviality of simply FedExing it back (or, if it really is a worthless travel laptop, throwing it away) makes it pretty clear which I’d recommend.
Finally, doesn’t this just blow the lid of a very serious problem?!
Given an information economy, isn’t the idea that any information of value you bring over the border can and will be stolen outright anathematic to everyone except highwaymen??
J.
PS – And yes, if you bring over a pile of cash (over $10,000), it too can and will be stolen from you, in the name of ‘fighting drugs’. J.
Posted by: Jon at January 11, 2012 11:31 AM
I can dream, but I can suppose loading up your laptop with a bunch of lawfully purchased media files which is then taken from you and copied would expose the ICE, CPB, and DHS to monstrous copyright fines, or even get them unplugged from the Internet…
J.
Posted by: Jon at January 11, 2012 11:35 AM
What a complete pain. And every precaution, every contingency described, begets more pain. How far we’ve come.
Posted by: simon at January 11, 2012 11:54 AM
My MacBook has Lion’s pre-boot filevault encryption on the small root partition, and TrueCrypt for the remaining large user partition with my home directories, so the entire disk is encrypted.
When I travel internationally, I make a full image copy of that drive, physically remove it, and then install a clean OS into the MacBook. If I need it, I then place the original encrypted drive into a small USB enclosure. It takes only a couple of minutes to open the MacBook, swap out the drive, and close it again.
Border officials can examine the MacBook as much as they want. If they also ask to see the drive in the USB enclosure in my coat pocket, which they have not so far, I can say that it was wiped and not formatted. When I place it into the mac, it shows up as an uninitialized disk, and a window pops up asking if they want to format it, which they can. They can even keep the external USB drive, since it is encrypted and I have it backed at home.
(My backups are also TrueCrypt encrypted.)
This might seem nuts, but I work in the semiconductor and banking industries and travel globally, and my laptop is full of trade secrets and security data.
I have had my laptops previously inspected in USA, Britain, Japan, and China. I don’t see a need to hand over legal trade secrets and security data to corrupt officials without any just cause, if I want to keep my job.
Posted by: Lisa at January 11, 2012 12:30 PM
Forgot to mention that I have to use FileVault + TrueCrypt for full disk encryption, since TrueCrypt does not provide full disk encryption on the Mac yet.
And I don’t trust that Apple Lion’s closed source FileVault does not have some secret back door for officials.
Posted by: Lisa at January 11, 2012 12:33 PM
They are missing something I pointed out a long time ago. It’s hard to securely overwrite every storage location on a system. However, there is a way to do that without doing that: ensure it’s strongly encrypted & simply lose the long, truly random key. This concept was independently discovered in an academic paper a few years back. I’ve voluntarily, and involuntarily, erased hundreds of GB worth of data using this method.
The deletion process is almost instant if digital & happens in seconds if the key is stored on paper (lighter or stove required). If a suitable algorithm & implementation is used, then the data will be truly unrecoverable. No, really, I tried my best to undelete that stuff.
Posted by: Nick P at January 11, 2012 12:47 PM
… or just do what I have for the last 11 years. Don’t travel to right-wing theocracies (Pakistan, USA, Iran etc.). Can’t say I’ve missed anything.
:p
Posted by: Slarty at January 11, 2012 1:42 PM
@Lisa: “I can say that it was wiped and not formatted.”
That would be lying to a federal officer, which, just FYI, is illegal.
Posted by: Paeniteo at January 11, 2012 1:58 PM
@Slarty – or Canada, at least if you’re a Bishop
Posted by: NobodySpecial at January 11, 2012 2:08 PM
@ Lisa,
And I don’t trust that Apple Lion’s closed source FileVault does not have some secret back door for officials
It might have, but then again it might have bugs or even faux bugs that are really backdoors.
That’s the problem with complex security and software, you can easily drive yourself crazy trying to “verify and trust”.
So the best thing is to assume that all software has bugs and is thus insecure (including products that claim EmSec level security), and you have to make the choice of how to mitigate accordingly.
The usual choice for low value data items is to chain various pieces of the security systems in sequence giving you the “onion layer” model. However on most OS’s this has a fatal flaw which is the OS itself, because it provides the link between all the pieces.
For higher value data items it used to be “use hardware” such as “Inline Media Encryptors” but as the US Gov and others have found the hardware is made outside of their control these days and could well be “Backdoored” by foreign nationals working for their governments…
Thus as I’ve said before on a number of occasions sometimes the best way to work is not to take high value data items with you across a border, nor the hardware&OS that can be “backdoored” as you go through.
There is however another option available which you are part way to with your external USB drive, but is not an option available to all. Which is “roll your own”.
I’ve used a number of the more recent microcontrollers with multiple USB ports to do this. You can buy the source to a RTOS that has multi tasking, and you can also buy the source to the USB and other stacks. You can also download for free very stripped down RTOS’s and limited schedulers from the net and USB stacks and software for flash drives etc. You can thus design and build your own “Inline Media Encryptor”.
For those nervous about “flash memory” just remember, provided the drive only has encrypted data on it, as Nick P has pointed out, if you lose the crypto key you go from “data brick” to “house brick” in one go.
There is also a further wiggle you can do (simplest with stream ciphers) which is to have the data in flash encrypted under one key, the inline hardware changes that to encrypted under the transmission key to be sent across the USB cable and the driver on the commodity computer changes that into decrypted plain text. Now the trick is to make the transmission key evolve with time and data usage such that any data a third party picks up off of the wire will be different every time.
You then pick a method of sending/agreeing the transmission key from the commodity computer driver to the inline encryptor. There are a number of well known and well described protocols for doing this.
Oh and finally, just in case you think “rubber hose” analysis will be applied to you, as you presumably work for an international company you can use MofN key shares from different jurisdictions with agreed “duress codes”.
But to be honest when it gets to this level you really should consider not moving high value data items around, and changing the working practices to suit. Simply because it removes the risk to you and others, as a hostile agency that has targeted the company is almost certainly going to know what the internal company procedures are before they grab an individual “courier”; if they know no data gets shifted by courier they will leave all the company’s travellers alone.
Posted by: Clive Robinson at January 11, 2012 2:18 PM
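Cryptographic erasure, the idea behind Nick P's "lose the key" comment and Clive Robinson's "data brick to house brick" remark above, as an added example that is neither commenter's code: a volume keeps its random data key wrapped under a passphrase-derived key in a small header, so destroying those few header bytes makes every block on the device unrecoverable without touching the blocks themselves. The cipher is an HMAC-SHA256 counter-mode keystream, a constructed stand-in so the example runs on the Python standard library alone (a real volume uses AES-XTS or similar); the PBKDF2 iteration count, the volume size and the passphrases are illustrative.

```python
"""Cryptographic erasure: destroy the key, not the data.

Added example; the stream cipher is a demo stand-in, not a production design.
"""
import hashlib
import hmac
import os
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based keystream (demo stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class EncryptedVolume:
    """Disk-style layout: a small header holding the wrapped data key, then the
    encrypted blocks. Only the header needs destroying to erase everything."""

    KDF_ITERATIONS = 100_000   # illustrative; tune for the target hardware

    def __init__(self, passphrase: str, size: int) -> None:
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        self.blocks = bytearray(size)            # ciphertext "on disk"
        data_key = os.urandom(32)                # never derived from the passphrase
        # header = data key wrapped under a KEK derived from the passphrase
        self.header = bytearray(xor_stream(self._kek(passphrase), b"wrap-" + self.salt, data_key))
        self._data_key = data_key                # in RAM only while mounted

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, self.KDF_ITERATIONS)

    def mount(self, passphrase: str) -> None:
        """Unwrap the data key; a wrong passphrase silently yields a wrong key."""
        self._data_key = xor_stream(self._kek(passphrase), b"wrap-" + self.salt, bytes(self.header))

    def unmount(self) -> None:
        self._data_key = None

    def write(self, plaintext: bytes) -> None:
        # One write per nonce in this demo; a real volume uses a per-sector tweak.
        assert self._data_key is not None, "volume not mounted"
        ct = xor_stream(self._data_key, self.nonce, plaintext)
        self.blocks[: len(ct)] = ct

    def read(self, length: int) -> bytes:
        assert self._data_key is not None, "volume not mounted"
        return xor_stream(self._data_key, self.nonce, bytes(self.blocks[:length]))

    def crypto_erase(self) -> int:
        """Overwrite only the header (the wrapped key); returns bytes overwritten."""
        self.header[:] = os.urandom(len(self.header))
        self._data_key = None
        return len(self.header)


def demo() -> dict:
    """Walk through mount, read, wrong passphrase and erase; returns what happened."""
    secret = b"trade secrets and security data " * 4096   # 128 KiB of constructed plaintext
    passphrase = "correct horse battery staple"             # illustrative; on paper, burn it
    vol = EncryptedVolume(passphrase, size=len(secret))
    vol.write(secret)
    vol.unmount()

    vol.mount(passphrase)
    recovered = vol.read(len(secret))
    vol.unmount()

    vol.mount("wrong passphrase")
    wrong_pass = vol.read(len(secret))
    vol.unmount()

    erased_bytes = vol.crypto_erase()
    vol.mount(passphrase)                   # right passphrase, but the wrapped key is gone
    after_erase = vol.read(len(secret))

    return {
        "volume_bytes": len(secret),
        "erased_bytes": erased_bytes,
        "recovered_ok": recovered == secret,
        "wrong_pass_ok": wrong_pass == secret,
        "after_erase_ok": after_erase == secret,
        "after_erase_leaks": secret[:32] in after_erase,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the layout is the ratio in the result: erasing a 128 KiB volume meant overwriting 32 bytes, and the same holds for a terabyte. That is also why Godel's SSD point later in the thread cuts both ways: wear-levelling can leave old copies of the header on the flash, so a real implementation keeps the wrapped key in a region it can reliably overwrite, or on separate media that it can physically destroy.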
Passwords, if written down, should be written on small slivers of paper, small enough to fit within a pill’s capsule, yet durable enough to last unpacking and repacking.
Yes, they sell bags of empty pill capsules by the hundreds or thousands for cheap, look at your local health food store.
These “capsules” containing your password(s) can be mixed in with a medicine bottle and carried on your person.
Withdrawing a capsule from a medicine bottle and swallowing it casually but quickly draws less attention than attempting to force a huge wad of paper down your throat, or ripping them up into pieces and chewing them for good measure before gulping them down.
But if you’re attacked by someone and they force you to vomit, you’re screwed either way, unless you have a fast dissolving capsule and paper medium. Rice paper wouldn’t tolerate much manhandling but there are other options.
(bad) example:
– https://secure.wikimedia.org/wikipedia/en/wiki/Rice_paper
The ultimate solution would be a V2K device for your own personal enjoyment, but that’s in the military domain for now.
A Truecrypt volume placed on an mp3 player, disguised as a track of music could work, you could combine this with stego tech too for a fake audio track or a photo mixed in other photos of the same type.
And those are some tips for the border security. I’m sure you’ve seen everything and some really strange concealment methods, I’d love to hear amusing stories if anyone has them.
Posted by: fork() at January 11, 2012 2:50 PM
@Peter A
“For the purpose of secure deletion: do not buy SSD disks!”
There was an article from a forensic IT investigator last year in which he noted the way that aggressive firmware garbage collection in modern SSDs permanently removed deleted data without operator intervention.
He said he was shocked at how much information was overwritten for good after just 10 minutes of letting the SSD sit powered up, but otherwise inactive.
So maybe SSDs are one of the most secure storage options, by default?
Posted by: Godel at January 11, 2012 4:22 PM
“Oh and finally just incase you think “rubber hose” analysis will be applied to you, as you presumably work for an international company”
I would hope those working in “sensitive” fields would already be programmed in ways of dissociation. The net is full of information on this both in military and in government fields. Most Google searches will probably bring up conspiracy theories but read between the lines, there are some good articles on the subject.
The mind “splits” and no matter how much they torture you, the information stays within you. This is often found in people with MPD.
Posted by: The Conversation at January 11, 2012 4:51 PM
I think I’d rather play it safe and not bring my laptop with me. It seems like more of a hassle than it’s worth.
Posted by: Deck Construction at January 11, 2012 5:30 PM
“If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply.”
This may be true in the USA, but almost certainly, if you’re passing through USA customs, you have or will pass through some other country’s customs with the device, and their laws may differ.
Posted by: MW at January 11, 2012 5:58 PM
@Peter A.
“Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply.”
Fine if you’re doing this for economic reasons, but if you’re worried about security the first thing you’re going to do to a new laptop is re-install from scratch to get rid of shovel-ware, or at the very least patch it. Either way, hours of fun…
@Jon
“They missed one trick in a sidebar. Dr. Akina doesn’t need to ‘securely wipe’ the travel laptop, she just mails it back.”
And trust the courier?
The last time I sent a PC via courier the insurance premiums implied they lose about one in 10 of them.
Posted by: Thomas at January 11, 2012 6:40 PM
Some very interesting solutions to international travel and protecting your privacy. Has it really come to this?
blog.reddit — what’s new on reddit: Stopped they must be; on this all depends.
The freedom, innovation, and economic opportunity that the Internet enables is in jeopardy. Congress is considering legislation that will dramatically change your Internet experience and put an end to reddit and many other sites you use everyday. Internet experts, organizations, companies, entrepreneurs, legal experts, journalists, and individuals have repeatedly expressed how dangerous this bill is. If we do nothing, Congress will likely pass the Protect IP Act (in the Senate) or the Stop Online Piracy Act (in the House), and then the President will probably sign it into law. There are powerful forces trying to censor the Internet, and a few months ago many people thought this legislation would surely pass. However, there’s a new hope that we can defeat this dangerous legislation.
We’ve seen some amazing activism organized by redditors at /r/sopa and across the reddit community at large. You have made a difference in this fight; and as we near the next stage, and after much thought, talking with experts, and hearing the overwhelming voices from the reddit community, we have decided that we will be blacking out reddit on January 18th from 8am–8pm EST (1300–0100 UTC).
Instead of the normal glorious, user-curated chaos of reddit, we will be displaying a simple message about how the PIPA/SOPA legislation would shut down sites like reddit, link to resources to learn more, and suggest ways to take action. We will showcase the live video stream of the House hearing where Internet entrepreneurs and technical experts (including reddit co-founder Alexis “kn0thing” Ohanian) will be testifying. We will also spotlight community initiatives like meetups to visit Congressional offices, campaigns to contact companies supporting PIPA/SOPA, and other tactics.
We’re as addicted to reddit as the rest of you. Many of you stand with us against PIPA/SOPA, but we know support for a blackout isn’t unanimous. We’re not taking this action lightly. We wouldn’t do this if we didn’t believe this legislation and the forces behind it were a serious threat to reddit and the Internet as we know it. Blacking out reddit is a hard choice, but we feel focusing on a day of action is the best way we can amplify the voice of the community.
As we have seen yet again in the fight against PIPA/SOPA, the best ideas come from our community. We all have just over a week to figure out exactly what to do with our extra cycles on January 18th. Please join us in the discussion in the comments here and in /r/SOPA.
— the reddit team
Learn More
- Information on H.R.3261 – Stop Online Piracy Act at OpenCongress.org
- Information on S.968 PROTECT IP Act at OpenCongress.org
- /r/SOPA FAQ
- Problematic language in the bill pointed out by a redditor.
- Video examination of bill’s language.
Get Involved
- /r/sopa
- List of companies that have expressed support for SOPA or PIPA.
- List of tech companies, and their contact info, that have expressed support for SOPA or PIPA.
- List of companies that have expressed concern with SOPA and PIPA.
- Take Action Checklist at Stop American Censorship.
- Contact Your Representative with info and a widget to find them by EFF and Wired for Change.
- Directory of Representatives
- Senators of the 112th Congress
- Helpful info on making phone calls to your Senator or Representative.
- SOPAOpera.org keeps track of where your Congressmembers stand on PROTECT-IP and SOPA.
Adam Ant is NOT dead – despite what you may have read on the net | Naked Security
Messages have spread rapidly across Twitter and Facebook in the last few hours, claiming that the 1980s British popstar Adam Ant has died.
According to the messages, the musician – who had hits with songs such as “Prince Charming” and “Stand and Deliver” – died from injuries he sustained in a jet ski accident on the Turks and Caicos Islands.
Although some users are just tweeting their respects at the “news” of Adam Ant’s death, others are posting a link to what appears to be an online news report about the musician’s death.
It’s a very sad story. Or at least, it would be if it was true.
Here’s what you see if you follow the link.
Do you notice the “adam.ant” in the url? I wonder what happens if I change that to include my own name.
Well fancy that – I’m a dead musician!
Some small print, included at the bottom of the webpage in a tiny font gives the game away for anyone who hasn’t realised that the report is utterly bogus:
FAKE... THIS STORY IS 100% FAKE! this is an entertainment website, and this is a totally fake article based on zero truth and is a complete work of fiction for entertainment purposes! this story was dynamically generated using a generic 'template' and is not factual.
Of course, the sheer number of people tweeting out the link won’t have done any harm at all for the website – which presumably is earning revenue from the adverts plastered on its fictional news report.
Always think carefully before believing breaking news that someone has shared with you on the net. If a major news outlet has not confirmed it to be true, it’s possible that you could be falling for a confidence trick.
Just imagine the harm that could occur if there was malware lying in wait at the end of that salacious news story link?
No doubt this won’t be the last time that a rumour spreads quickly across the internet that a celebrity has died. Remember when Christian Slater was killed in a snowboarding accident? Or Tom Cruise fell to his death off a cliff in New Zealand? Or Johnny Depp came to a sticky end in a car crash?
WARNING: Scammers Target Anti-Timeline Facebookers
It was only a matter of time before scammers took advantage of Facebook users’ disdain for the new timeline profile.
Scammers are dangling bogus instructions on how to go back to the “old” Facebook profile as bait for anti-timeline users, who are then duped into clicking like buttons, inviting friends, viewing YouTube videos, and downloading malicious files.
Facebook features have been the subject of scams before, most notably the nonexistent dislike button.
As of this writing, 16 timeline-related scam pages remain live on Facebook, and together they’ve collected a total of more than 71,000 likes.
MyPermissions offers one-stop shop to clean up social media permissions | Naked Security
A new site, MyPermissions.org, makes it easy to herd a posse of wild cats – aka the horde of applications and sites to which we’ve granted permission to access our information on Twitter, Facebook and more.
MyPermissions doesn’t ask for your personal information or login details, thank goodness. Otherwise, it would be a phishing goldmine.
Rather, the site simply offers a handy set of links to permissions lists. It also allows you to easily revoke access from the permissions pages.
On top of that, MyPermissions offers a reminder service: a monthly email via ifttt that prompts you to check your permissions.
Of course, you can set up a reminder on your own calendar and bookmark permissions pages on your own, but MyPermissions is a handy place to do it all from one spot.
Clicking through to different sites’ lists of permissions is an eye-opener. Do you know, offhand, how many applications can access your Facebook information, for example?
I was a trifle surprised to find that I’ve granted permission to 15 Facebook applications. I thought it sounded high until I read a comment from PStamatiou on a Hacker News thread about MyPermissions:
Nice! Just revoked access to about 40 things on Twitter, 30 on Flickr, 15 on Google, a handful on LinkedIn, 11 on dropbox, and about 150 (yikes!) on Facebook.
150 applications can access Pstamatiou’s personal information on Facebook??? Yikes indeed!
Of course, there are many legitimate apps and websites which you can give permission to connect with your account – but that doesn’t mean you have to have a free-for-all.
Remember, any application that gets permission to access your profile information potentially puts that information at risk. And, in the case of Facebook, it could put your friends’ information at risk, as well.
Any permissions can be dangerous, but Facebook is particularly worrisome, given the high number of users who are happy to give their personal information to strangers.
As Sophos found when it contacted 200 Facebook users posing as a plastic frog back in 2007, 87 responded, with 82 – or 41% – leaking personal information when they did so.
That personal information can be used for identity theft. It can be used for a mind-boggling array of other nastiness, as well. Bill Pringle has a nice compilation page of Facebook security issues, but lest we forget, the other social media sites can be used in similar mischievous ways.
As Tim O’Reilly Tweeted about the site (the site proudly displays said Tweet on its home page), MyPermissions is an excellent idea. “Treat your permissions with respect,” Mr. O’Reilly advises.
I wholeheartedly agree. Now, if you’ll excuse me, I’m off to choke a few Facebook applications in their cradles before they turn out to be monsters.
And please, feel free to let us know what surprises you in your permissions page.
It is well worth your time to check this out.
FLAMING RETORT: Hacktivism, hacking and hackers – what do these words really mean? | Naked Security
I keep getting asked – by journalists, friends, colleagues, competitors, delegates at conferences, people on the bus – what my attitude is to hacktivism, hacking and hackers.
I usually answer by saying, “What do you mean by hacktivism?” And the answer is frequently, and impassably, circular. “Y’know – all that hacking that hacktivists are doing these days.”
No! I don’t know! And I’m not willing to guess what you mean just so I’ve got something to say!
Fortunately, a few days ago a friend alerted me to a cartoon in the XKCD series (‘a webcomic of romance, sarcasm, mathematics, and language’, in its own words) which – like many XKCDs – cuts through most of the ambiguity and misunderstanding which surrounds the abovementioned H-words. (Don’t forget to hover over the image below to read the pop-up text.)
And we need to cut through the ambiguity, because every time we use the H-words on Naked Security, we seem to end up in comment wars over their relevance, meaning and imputation.
Does calling someone a hacker imply they’re a cybercriminal, even if they aren’t, and even if they might use that word to describe themselves? Does calling a cybercriminal a hacker demean everyone who ever took the term hacker as a badge of honour?
More importantly, does the sort of stuff which many so-called hacktivists get up to actually count as hacking, even if you allow the word to denote criminality?
For example, Anonymous recently bragged about a hack Down Under in which it revealed to the public a database of already-published web pages belonging to a local council. One publication blared this to the world as ‘Council falls prey to computer hacking gang’. Another avoided the H-word, but still rather extravagantly announced that ‘Anonymous releases government records including Australian council data.’
If that’s hacking, then perhaps walking to the bus stop is a major athletic achievement worthy of coverage in sporting magazines worldwide?
As the always-amusing Richard Chirgwin pointed out in The Register, the truth about this Down Under ‘hack’ was a little less dramatic.
Under the wry headline Council Website copied by Anonymous – Wget would have worked nearly as well, Chirgwin noted:
Australian democracy stubbornly fails to teeter on the brink of collapse this morning, after a bunch of script-kiddies mistakenly published a backup copy of a public Website in the delusional belief that they'd achieved yet another stunning coup in the "anti-sec" campaign.
In a world under clear and ongoing economic erosion by cybercriminals – not by hacking, or by hacktivists, or by hackers, but by cybercriminals – the overuse of the H-words in the media actually works against computer security in general.
Firstly, calling most self-styled hacktivists by their own name of choice imbues them with a social conscience and a justification they don’t seem to possess – rather like legitimising the looters currently on the rampage in Britain by labelling them as protesters.
Secondly, with all the attention that so-called “hacktivism hacks” against high-profile organisations are getting, it’s easy to fall into the trap of assuming that individuals and small businesses are safely under the radar. After all, who would target the website of Uncle Fred’s Garden Mowing Service when they could be taking on the mighty CIA?
The answer is that cybercriminals generally don’t care.
You might not have any data worth stealing (though it’s almost certain you do), but even if all you have to offer them is a badly-protected PC infected with zombie malware – a resource they can use to line up their next attacks whilst keeping out of the frame themselves – you are inadvertently aiding, if not abetting, their criminal activities.
So why not take one step tonight which will improve your attitude to security, and your personal resilience to compromise?
For example:
* If you use the same password for many websites, make tonight the night you change that approach.
* If you’ve been leaving your virus scanner turned off or out-of-date, make tonight the night you get it back up-to-date and activated.
* If you’ve been putting off downloading and installing the latest security patches for your operating system and software, make tonight the night you catch up.
* If you’re in the habit of friending people on Facebook just because they’re there, make tonight the night you treat Facebook friendships like you do real-life ones – based on knowing, liking and trusting the person.
* If you give inadvertent succour to hacktivists by simply following along and watching “for the lulz”, make tonight the night you search out something more visibly positive to do online for the greater good of all.
(Writing documentation for open source software projects is something most people can help with, even if they’re non-technical. It’s not glamorous but it’s important, useful, and can teach you a lot. You’ll be much more of a hacker than someone who joins in a DDoS attack – and you can put it on your CV, too!)
These terms are used often and almost always misunderstood.
Most Wi-Fi routers susceptible to hacking through security feature | Naked Security
Stefan Viehböck, an independent security researcher, published a paper on Boxing Day titled “Brute forcing Wi-Fi Protected Setup” to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi routers.
As we all know the state of security for most home Wi-Fi networks was nearly non-existent only a few years ago.
This prompted the Wi-Fi Alliance to establish a new simple method for consumers to enable and configure WPA2 on their routers without knowledge of encryption, keys or how it all works.
The standard is called Wi-Fi Protected Setup (WPS) and is enabled by default on nearly all consumer Wi-Fi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo and D-Link.
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
- Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
- Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then log in to the router’s management interface and enter the PIN to authorize that client to obtain the encryption configuration.
- Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface, which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access; both of these pass muster. The third, however, can be accomplished using nothing but the Wi-Fi radio.
The PIN used for authentication is only eight digits, which would give the appearance of 10^8 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 10^7 (10,000,000) combinations.
Worse yet, the protocol is designed so that the first half and the second half of the PIN are sent separately, and the protocol will confirm whether the first half on its own is correct.
So the first half can be found among 10^4 (10,000) candidates, and the second half among only 10^3 (1,000), since its last digit is the checksum and follows from the rest. You have now reduced the difficulty of brute forcing the PIN down to 10^4 plus 10^3, or 11,000 possibilities.
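As an added worked example (not code from the original article or from Viehböck’s paper), the following Python shows why the checksum digit gives away nothing and how the split verification collapses the candidate space to the figures quoted above. The check-digit routine follows the weights-3-and-1 mod-10 scheme from the WPS specification as implemented in open-source WPS stacks.

```python
"""Worked example (added here, not from the original article): the WPS PIN
check digit and the resulting size of the PIN search space."""


def wps_checksum_digit(first_seven: int) -> int:
    """Return the WPS check digit for the first seven digits of a PIN.

    Algorithm from the WPS specification: digits are weighted 3,1,3,1,...
    from the right and summed; the check digit makes the total a multiple
    of 10. Because it is derived, it adds no secret information.
    """
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def candidate_space(split_verification: bool) -> int:
    """Worst-case number of PINs that must be tried.

    Without the protocol flaw: 10^7, because only seven digits are free.
    With the flaw (router confirms each half separately): 10^4 for the
    first half plus 10^3 for the second half, whose last digit is derived.
    """
    if not split_verification:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    # 12345670 is the well-known sample PIN from WPS test setups.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("nominal space (8 free digits):", 10 ** 8)
    print("checksum removed:", candidate_space(split_verification=False))
    print("split verification:", candidate_space(split_verification=True))
```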
Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.
Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.
As the sub-title of Viehböck’s paper states, “When poor design meets poor implementation”, security is the loser.
If you own a reasonably modern Wi-Fi router you are at risk (unless you have installed some sort of alternative firmware like OpenWRT or Tomato Router).
If possible, disable the WPS support on your router and contact your manufacturer for updated firmware which may provide a fix or mitigation against this attack.
Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.
Similar to the Firesheep tool, this will likely light a fire under the butts of the Wi-Fi Alliance and manufacturers to quickly resolve these issues.
I have never liked or used this feature. Remember, always change the default settings on a new router and you will eliminate almost all vulnerabilities.
A short history of Christmas malware | Naked Security
Since the very earliest days of computer viruses, malware authors have been inspired by the Christmas holidays when developing attacks.
Here’s a quick, and probably incomplete, history of some of the Christmas-related malware that we have seen over the years.
Christmas 1987
“Christmas Tree” (also known as “CHRISTMA EXEC”), which spread in December 1987, was an early example of an email-aware worm. Using the subject line
"Let this exec run and enjoy yourself!"
the worm would display EBCDIC character art of a Christmas tree and forward itself via email to other users if activated.
The worm was blamed on a German student, who claimed he just wanted to send greetings to his friends.
In 1990, the Christmas Tree worm resurfaced, forcing IBM to shut down its network of 350,000 terminals.
Christmas 1999
The WM97/Melissa-AG virus (also known as Prilissa) infected Microsoft Word documents, spreading via email using the subject line
Message from <username>
and the message text:
This document is very Important and you've GOT to read this !!!
Opening the attached DOC file, however, would infect your computer. The payload would trigger on December 25th, displaying a message:
and inserting randomly coloured blocks in the current Word document.
As a final destructive gesture, the virus would attempt to format the C: drive on the next reboot.
Meanwhile, rumours were spreading far and wide that a game called “Elf Bowling” was infected with a computer virus.
The game, which showed Santa Claus trying to knock down a pack of elves with a bowling ball, caused panic amongst companies terrified of computer viruses, and Sophos was deluged with requests for more information about the “virus” which was said to trigger on December 25th.
A typical warning being spread across the internet read:
If anyone has sent you, a game called "elfbowl.exe" (cool> game, tenpin bowling with little elves as pins), it apparently has a virus that will be activated on December 25th. Either take a risk, or delete before then.
However, all copies of the game examined by Sophos researchers were found to be uninfected, and the warnings were nothing more than a hoax wasting users’ time.
Sophos’s staff did enjoy testing the game intensively, however.
Christmas 2000
The W32/Navidad virus spread via email, masquerading as an electronic Christmas card. Infected computers could be identified by the mysterious blue eye icons it would place in the Windows system tray.
Users who moved their mouse cursor over the eyes would be presented with a variety of different messages:
Another example of malware which tried to leave its mark on the holiday season in 2000 was the W32/Music email-aware worm.
Sending out messages similar to “Hi, just testing email using Merry Christmas music file, you’ll like it.”, the worm was attached as a file called music.com, music.exe or music.zip.
When run, the worm attempts to play the first few bars of the song “We wish you a Merry Christmas” and displays a cartoon of Santa Claus with the caption “Music is playing, turn on your speaker if you have one” or “There is error in your sound system, music can’t be heard.”
Christmas 2001
The Maldal virus spread via email, again using the tried-and-trusted technique of pretending to be a seasonal electronic greeting card called Christmas.exe.
Once installed, the Maldal malware would display a picture of Santa Claus on skis accompanied by a prancing reindeer, with the message “From the heart, Happy new year!”.
Christmas 2004
The Zafi-D virus spread fear rather than cheer, attached to emails offering seasonal greetings. The virus, created in Hungary, could communicate in a variety of languages – spreading messages such as “FW: Merry Christmas”, “Joyeux Noel!” and “Feliz Navidad!”
In a somewhat un-Christmassy twist, it embedded a vulgar animated GIF graphic of two “smiley” faces which appeared to be enjoying themselves in a way that would make Rudolph the reindeer red-faced as well as red-nosed.
At its height, a staggering one in every ten emails was infected by the Zafi-D virus.
Christmas 2007
The creators of the Dorf-AE worm (also known as the Storm worm) launched an attack that posed as a sexy striptease being performed by none other than the wife of Santa Claus.
Using a wide variety of subject lines, including “Your Secret Santa”, “Santa Said, HO HO HO”, “Warm Up this Christmas” and “Mrs. Clause Is Out Tonight!”, the emails attempted to direct internet users to a website containing images of scantily clad young women in a Santa suit.
Christmas 2009
The pesky Koobface worm, which targets users of social networks such as Facebook, adopted a Christmas disguise by hiding on a Santa-themed webpage.
The webpage pretended that you needed to install an update to Adobe Flash Player, but that “update” was, of course, in reality a carrier for a version of the worm.
There are, no doubt, plenty of other examples of Christmas-related malware from past years – but hopefully this gives you an insight into at least some of the more visual ones we have seen.
Remember that you need to take computer security seriously all year around – don’t let your guard drop and don’t fall into bad habits just because it’s the holiday season. My colleague Paul Ducklin has written up some guidelines for staying safe online this Christmas, and even made a cheery video to get you in the mood.