News Blog

June 17, 2008 10:55 AM PDT

State worker cleared on child porn charges that were due to malware

by Elinor Mills

A fired Massachusetts state worker has been exonerated of a charge of possessing child pornography after computer forensics showed that his work laptop was infected with malicious software that was surreptitiously visiting illegal Web sites.

Michael Fiola, 53, was fired as a worker's comp fraud investigator with the Massachusetts Department of Industrial Accidents in March 2007 after IT administrators found cached images of child porn in the temporary Internet files in his browser, according to the Dark Reading security news site.

Fiola, described as being "computer illiterate," hired a forensics expert who found the evidence that was used to convince the court to drop the case last week. He remains unemployed and plans to sue the agency over his firing.

"Our lives have been hell," Fiola, a former state park ranger now living in Rhode Island told the Boston Herald. "I hope to recover my reputation, but our friends all ran."

His laptop initially attracted attention because its wireless usage was four times higher than that of his co-workers. But because the IT department hadn't properly configured the agency laptop and antivirus software wasn't working on the machine, it was riddled with Trojans and viruses, in addition to the malicious software that was bringing up the porn sites.

June 3, 2008 9:01 PM PDT

McAfee: Beware the .hk domain, among others

by Elinor Mills

McAfee released a study late on Tuesday that indicates the domains that tend to be the most dangerous or malware-prone on the Web, and at the top of the list is the Hong Kong (.hk) domain.

The McAfee Mal Web report, which serves as a safety guidebook to risky online neighborhoods, reveals that 19.2 percent of all Web sites ending with the .hk domain pose a security threat to Web users, followed by China (.cn), the Philippines (.ph), Romania (.ro) and Russia (.ru).

By contrast, the safest domains on the Web are Finland (.fi), Japan (.jp), Norway (.no), Slovenia (.si), and Colombia (.co).

In general, the chance of downloading spyware, adware, viruses, or other undesirable software from surfing the Web increased 41.5 percent over 2007, the report found.

To arrive at these conclusions, McAfee researchers used the company's SiteAdvisor tool, which crawls the Web and clicks "yes" to test everything from downloadable software, screensavers, and peer-to-peer file-sharing clients to photo upload utilities, and e-mail and newsletter sign-ups.

The tool then monitors what happens to the test computer after it engages with the sites, looking particularly for risky things like malicious downloads, exploits, viruses, and spyware. Each site is then rated based on the behavior, with buttons on the browser colored green, yellow, or red for computers that have the tool downloaded.

Even if the greatest percentage of dangerous sites use the .hk domain, that doesn't mean they are all based in Hong Kong or that more malware distributors are located there, said Shane Keats, a research analyst for McAfee. Many sites, particularly the malicious software sites, choose the most affordable domain registrars in countries with the least regulation, so usually they are not located in that country, he said.

"They are looking for top-level domains with the least regulation, that are the easiest to maneuver and the cheapest to register," Keats said.

While registrars in China charge as little as 15 cents for a registration and others are free, sites with domains in Japan and Australia are found to be safer partly because those countries require proof that a company is incorporated to use their top-level domains, he said.

In addition, English speakers shouldn't feel safer just because many of the more risky domains are in foreign countries, because many of those sites are still presented in English, according to Keats. For instance, nine times out of 10, sites with the Romanian domain will be in English, he said.

The damage from risky sites runs from the "apocalyptic to the annoying," according to Keats.

"It can be as minimal as a pop-up track, and I can't exit out or it opens a new pop-up window and I have to reboot, (to) other sites where you just touch the site and you have downloaded software that turns the machine into a bot in a bot army that sends spam," he said.

A Web surfer has a 1-in-20 chance of "hosing" the computer if a file is downloaded at random from the Internet, while the odds increase to 1 in 10 if the file comes from an Italy (.it) domain and 1 in 7 if it comes from a Romania domain, he said.

As for online porn, those sites aren't considered any more risky than other types of sites on the Web in general, despite the common belief that they are, he said.

Because they have viable business models, porn sites don't need to use malicious software to make money. However, "when they are bad, they are really, really bad, and among the worst of the spammers and exploits," Keats said.

Top 20 top-level domains ranked by percentage of sites with red and yellow download ratings.

(Credit: McAfee)

May 6, 2008 7:04 PM PDT

Malware outbreak blamed on file-swapped MP3s, MPEGs

by Elinor Mills

Consumers are being warned that they may get an ad instead of a music or video file on several file-sharing sites in what security firm McAfee says is the most significant malware outbreak in three years.

McAfee Avert Labs reported on Tuesday that more than 500,000 detections of a Trojan horse masquerading as a media file have been found on computers since Friday on services like Limewire and eDonkey.

Instead of playing an adult video, the Lion King in Portuguese, or the Girls Aloud theme from the St Trinnians soundtrack, for example, hundreds of rigged MP3 and MPEG files on the services trigger the download of an executable that serves ads to the infected computer.

Craig Schmugar, threat researcher at McAfee Avert Labs, explains in a blog entry that if people agree to download and run the executable, they are then asked to accept a phony end user license agreement and to install some other useless software.

"In the end you're left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads," Schmugar writes.

McAfee rates the threat "medium" risk, the highest rating given to any malware since 2005.

May 1, 2008 6:09 PM PDT

Bit9: Fighting malware with a white list

by Elinor Mills

In security in the real world, companies screen the people who enter their building and admit only those who are authorized to be there, such as employees with badges and approved guests--a sort of white list for physical security.

But when it comes to distributing applications on their computer networks, corporations do the opposite and use blacklists that block some known malware but let everything else in. Because antivirus and other security software doesn't detect every malicious app out there, a lot of bad stuff ends up on employees' machines.

About 65 percent of the applications released to the public are malicious, according to Symantec. To combat that trend, Symantec CEO John Thompson predicted at the RSA 2008 conference last month that technologies like white listing would be critical in the future.

And Microsoft's David Cross, director of program management for Windows security, told the RSA crowd a few days later that there would be an increased emphasis in Vista on white listing.

This is good news for Bit9, a provider of software for enterprises that helps them prevent malware distributions on the network.

"In the next two to four years, every PC will have a white list," said Patrick Morley, Bit9 chief executive and president.

Bit9 allows companies to create their own white list of software they will allow employees to run. They can lock down the computers so they run only the approved applications, set the software to block and alert the company when unapproved software is being downloaded, or simply monitor the situation.
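As an added illustration (example code, not Bit9's product or anything from the original post), here is a hash-based application white list in Python with the three operating modes the paragraph describes: lock down (only approved programs run), block and alert, and monitor only. The program names, the byte strings standing in for executables, and the mode names are constructed for the example; a real deployment would hash the actual files on disk or a vendor-supplied catalog.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed stand-ins for program files (hypothetical; a real allowlist hashes
# the bytes of the actual executables on disk or a vendor-supplied catalog).
APPROVED_PROGRAMS: Dict[str, bytes] = {
    "notepad.exe": b"MZ-approved-text-editor-build-1",
    "outlook.exe": b"MZ-approved-mail-client-build-7",
}
UNKNOWN_DOWNLOAD: bytes = b"MZ-unsigned-file-fetched-from-the-web"


def fingerprint(data: bytes) -> str:
    """Identify a program by the SHA-256 of its contents, not its file name,
    so that renaming an unknown file to notepad.exe does not make it approved."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(programs: Dict[str, bytes]) -> Set[str]:
    """The company's own white list: digests of every program it chooses to permit."""
    return {fingerprint(data) for data in programs.values()}


@dataclass
class Decision:
    name: str        # file name the user tried to run
    digest: str      # what was actually identified
    approved: bool   # digest found on the allowlist
    allowed: bool    # did the policy let it execute?
    alerted: bool    # did the policy raise an alert for administrators?


@dataclass
class Policy:
    allowlist: Set[str]
    mode: str                      # "lockdown", "block_alert" or "monitor"
    events: List[Decision] = field(default_factory=list)

    def check(self, name: str, data: bytes) -> Decision:
        """Apply the configured mode to one execution attempt and record it."""
        digest = fingerprint(data)
        approved = digest in self.allowlist
        if self.mode == "lockdown":
            # Only approved software runs; everything else is silently refused.
            allowed, alerted = approved, False
        elif self.mode == "block_alert":
            # Unapproved software is refused and the attempt is reported.
            allowed, alerted = approved, not approved
        elif self.mode == "monitor":
            # Nothing is refused; unapproved executions are only reported.
            allowed, alerted = True, not approved
        else:
            raise ValueError(f"unknown mode: {self.mode!r}")
        decision = Decision(name, digest, approved, allowed, alerted)
        self.events.append(decision)
        return decision

    def alerts(self) -> List[Decision]:
        """Every recorded attempt that the policy flagged for administrators."""
        return [d for d in self.events if d.alerted]


if __name__ == "__main__":
    for mode in ("lockdown", "block_alert", "monitor"):
        policy = Policy(build_allowlist(APPROVED_PROGRAMS), mode)
        policy.check("outlook.exe", APPROVED_PROGRAMS["outlook.exe"])
        # An unknown download renamed to look like an approved program:
        policy.check("notepad.exe", UNKNOWN_DOWNLOAD)
        for d in policy.events:
            print(f"{mode:12} {d.name:12} approved={d.approved} "
                  f"allowed={d.allowed} alerted={d.alerted}")
```

The key design choice is that the decision is keyed on the content hash rather than the file name, which is what makes the "let in only what is known good" model hold up against a renamed executable; the monitor mode is how a company can populate and tune its list before turning enforcement on.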

"It doesn't work to let everything in and then try to figure out if it's bad software," Morley said in an interview.

Skeptical, I pointed out that there are varied needs within corporations and managing all the different requirements for individual employees and departments is already an IT headache. True, Morley said: "You can't stop people from doing the day-to-day work. It's got to be done in a way that's easy."

I asked security sage and notorious cynic Bruce Schneier to weigh in. "Seems like a really good idea," he wrote in an e-mail. "The whole idea of 'allow anything except what's on this list' doesn't work. It doesn't work for spam. It doesn't work for network perimeters. And it doesn't work for desktops."

What do you think?

March 29, 2008 10:53 AM PDT

Malware to blame in supermarket data breach

by Michelle Meyers

It turns out malware somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.

Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported that the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.

The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.

The company is continuing its investigation into how the malware may have been placed on the servers. The Secret Service, meanwhile, is conducting its own investigation.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).

That mode contrasts with attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.

Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."
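The kind of check Conry has in mind, as an added example written for this page (not code from Hannaford, InformationWeek, or any product): a small Python pass over firewall log lines that flags store servers sending data to external addresses they have no business talking to. The log format, the server subnet (10.10.5.0/24), the expected payment-processor address (198.51.100.10) and all log lines are constructed; the external addresses use the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges rather than any real host.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample lines in a simplified firewall log format (hypothetical;
# not Hannaford's logs). 198.51.100.0/24 and 203.0.113.0/24 are documentation
# address ranges standing in for real external hosts.
SAMPLE_LOG = """\
2008-02-27T14:03:11 ALLOW TCP 10.10.5.20:51234 -> 10.10.5.1:1433 bytes=2210
2008-02-27T14:03:15 ALLOW TCP 10.10.5.20:51235 -> 198.51.100.10:443 bytes=5120
2008-02-27T14:04:02 ALLOW TCP 10.10.5.21:51300 -> 203.0.113.45:443 bytes=184321
2008-02-27T14:04:40 ALLOW TCP 10.10.5.21:51301 -> 203.0.113.45:443 bytes=201977
2008-02-27T14:05:12 ALLOW UDP 10.10.5.22:53412 -> 10.10.0.53:53 bytes=88
2008-02-27T14:05:30 ALLOW TCP 10.10.5.20:51240 -> 203.0.113.45:443 bytes=99876
2008-02-27T14:06:01 DENY TCP 10.10.5.20:51241 -> 203.0.113.45:25 bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+)$"
)

# Assumptions for the example: store/branch servers live in 10.10.5.0/24, the
# corporate address space is RFC 1918, and the only external destination those
# servers are expected to reach is the payment processor at 198.51.100.10.
SERVER_NET = ipaddress.ip_network("10.10.5.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EXTERNAL = {"198.51.100.10"}


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a record, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": d["action"],
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
    }


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """Internal means 'inside our own address plan', decided explicitly rather
    than via library notions of private ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def find_unexpected_egress(log_text: str) -> Dict[str, dict]:
    """Summarise allowed flows from the server subnet to external addresses that
    are not on the expected list: {dst_ip: {"connections", "bytes", "sources"}}."""
    findings: Dict[str, dict] = defaultdict(
        lambda: {"connections": 0, "bytes": 0, "sources": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["src"] not in SERVER_NET:
            continue
        if is_internal(rec["dst"]) or str(rec["dst"]) in EXPECTED_EXTERNAL:
            continue
        entry = findings[str(rec["dst"])]
        entry["connections"] += 1
        entry["bytes"] += rec["bytes"]
        entry["sources"].add(str(rec["src"]))
    return dict(findings)


if __name__ == "__main__":
    for dst, info in find_unexpected_egress(SAMPLE_LOG).items():
        print(f"ALERT: {len(info['sources'])} server(s) sent {info['bytes']} bytes "
              f"in {info['connections']} connections to unexpected external host {dst}")
```

On the constructed input the only finding is the repeated, high-volume traffic from two store servers to 203.0.113.45; the payment-processor connection and the internal database and DNS traffic are ignored, and the denied attempt is already blocked and so is not counted. The point is that the rule needs nothing more than an inventory of which internal hosts are allowed to reach which external addresses, which is exactly the information the firewall and server logs already contain.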

I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.

March 6, 2008 6:08 AM PST

IE 8, Firefox 3 to tackle malware

by Mike Ricciuti

Web browser updates in development from Microsoft and Mozilla will include better built-in protection against phishing, viruses, and other maladies.

At its Mix conference in Las Vegas on Wednesday, Microsoft demonstrated IE 8 for the first time publicly.

Larry Dignan at ZDNet points out that IE 8 will include better malware protection through a new feature called the Safety Filter, which improves on IE 7's phishing filter.

IE 8's Safety Filter

(Credit: Microsoft)

A beta test version of IE 8 is available for download now. Microsoft executives told News.com's Ina Fried that a broader test release of IE 8 will come this summer.

Likewise, Mozilla plans improved malware protection in Firefox 3, currently in beta testing. Mozilla says the new release warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware.

Stop back later on Thursday to read a more detailed first look at IE 8 by Robert Vamosi from CNET Reviews.

January 7, 2008 1:43 PM PST

Digital gifts that keep on giving

by Robert Vamosi

Care should be taken when plugging holiday gift gadgets into your personal computer and laptop, said security researchers at Sans.org, Microsoft, and Kaspersky in recent blog posts. Reports of strange files being found on USB storage devices increased over the holiday season. Reporting Monday on the SANS' Internet Storm Center blog, director Marcus Sachs said, "In years past this would have been limited to iPods and USB memory sticks, but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras."

The unofficial Sans.org investigation started on Christmas after researcher David Goldsmith received an ADS Digital Photo Frame - 8". He soon discovered that the built-in 128MB of storage included file cfhskjn.exe. When he tried running the mystery file, he received several error messages.

Others have noticed odd behavior with storage devices as well. Kaspersky antivirus reports purchasing a Kensington memory card in Nepal which contained Worm.VBS.Small.n, a computer worm. A second Kaspersky blog mentions Victory LT-200, an MP3 player that includes (at no extra charge) the malware Worm.Win32.Fujack.aa.

Coincidentally, the January 2008 issue of Microsoft TechNet magazine includes a report on "island hopping", the act of using USB storage devices to infect personal computers. The author of the article, Jesper M. Johansson, said many USB controllers are Direct Memory Access (DMA) devices that bypass the operating system and directly read and write memory on the computer. "Bypass the OS and you bypass the security controls it provides--now you have complete and unfettered access to the hardware. This renders device control implemented by the OS completely ineffective. I am unaware of any hacking tools that currently use this technique, but I very much doubt that this has not already been done."

Kaspersky said most removable media exploits in the wild use the Windows autorun functionality. Kaspersky said the autorun vector is not perfect. In Windows XP SP2 the autorun.inf feature is disabled and the user is asked whether or not to run the file. A similar process occurs within Windows Vista. In both cases, however, researchers note that the user can still infect themselves by selecting Run setup.exe.
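To make the autorun vector concrete, here is an added Python example (written for this page, not code from Kaspersky, SANS or Microsoft) that audits the autorun.inf at the root of a removable volume and reports which files it would hand to Windows for execution, and whether those files are executables actually present on the device. The autorun.inf text and the directory listing are constructed for the example; the file name cfhskjn.exe is the one mentioned in the SANS account above, and the key names (open, shellexecute, shell\<verb>\command) are the standard autorun.inf entries.

```python
import configparser
from typing import Dict, List, Set

# Constructed autorun.inf such as might sit in the root of a gift device
# (hypothetical; only the file name cfhskjn.exe comes from the post above).
SAMPLE_AUTORUN = """\
[autorun]
open=cfhskjn.exe
icon=photos.ico
action=View the photos on this frame
shell\\view\\command=cfhskjn.exe -install
"""

# Constructed listing of the device's root directory (hypothetical).
SAMPLE_VOLUME_FILES: Set[str] = {"cfhskjn.exe", "photos.ico", "DCIM"}

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
LAUNCH_KEYS = ("open", "shellexecute")


def first_token(value: str) -> str:
    """The program part of a command line such as 'cfhskjn.exe -install' or '"a b.exe" /q'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value.strip('"')
    return value.split()[0] if value else ""


def audit_autorun(inf_text: str, volume_files: Set[str]) -> List[Dict]:
    """List every file that autorun.inf would launch (open=, shellexecute=, or a
    shell\\<verb>\\command= entry) and whether it is an executable present on the volume."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    # Section names are case-sensitive in configparser but not in autorun.inf.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    present = {f.lower() for f in volume_files}
    findings = []
    for key, value in cp.items(section):          # keys are lower-cased by configparser
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            target = first_token(value)
            findings.append({
                "key": key,
                "target": target,
                "executable": target.lower().endswith(EXECUTABLE_SUFFIXES),
                "present": target.lower() in present,
            })
    return findings


def launches_executable(inf_text: str, volume_files: Set[str]) -> bool:
    """True when the device would hand an executable it carries to Windows autorun,
    or to a user who picks 'Run' in the XP SP2 / Vista prompt the post describes."""
    return any(f["executable"] and f["present"]
               for f in audit_autorun(inf_text, volume_files))


if __name__ == "__main__":
    for f in audit_autorun(SAMPLE_AUTORUN, SAMPLE_VOLUME_FILES):
        print(f"{f['key']:20} -> {f['target']:14} executable={f['executable']} "
              f"on_volume={f['present']}")
    print("would launch an executable:", launches_executable(SAMPLE_AUTORUN, SAMPLE_VOLUME_FILES))
```

Run against a mounted device (read its autorun.inf and the root listing into the two arguments) this gives an administrator the same information the Windows prompt hides behind a friendly "action=" label: an entry named "View the photos on this frame" that actually starts cfhskjn.exe. A device whose autorun.inf only sets an icon produces no findings.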

Originally posted at Defense in Depth
December 12, 2007 10:45 AM PST

Some HP laptops exposed to criminal hacking

by Robert Vamosi

On Tuesday, a security researcher disclosed to Bugtraq, a public newsgroup, details of remote execution attacks on some models of Hewlett-Packard laptops. According to the researcher, who is using the name "porkythepig," flaws in HPInfoDLL.dll, one of the ActiveX controls used within the HP Info Center, could allow remote attackers to target the laptop and also execute registry changes on the compromised machine.

As of Wednesday, HP has not offered a response.

The scenario within the disclosure suggests that an attacker could lure a victim to a specially created Web site. When viewing the Web site in Internet Explorer, the ActiveX control within the HP Info Center could be compromised. If the victim uses a browser other than Internet Explorer, the browser would still call Internet Explorer to handle the ActiveX component on the specially created Web site.

Once a machine is compromised, an attacker could then install malware, change registry information in preparation for a more sophisticated attack, use the machine in a denial-of-service attack on itself or another target, or steal sensitive data from documents on the compromised machine.

A list of potentially vulnerable HP laptop models can be found in the full disclosure posted on BugTraq. To see whether your particular HP laptop is vulnerable, the researcher also provided a Web site (use this link at your own risk).

December 8, 2007 2:19 PM PST

Antimalware software suites

by Michael Horowitz

When it comes to antimalware software, the first decision any Windows user needs to make is whether to go with an integrated suite of software or pick and choose specific products, such as a firewall, antivirus, and antispyware software. If a suite came preinstalled, it's certainly a tempting option. Dealing with a single company and not having to install new software has obvious appeal. But, I think it's the wrong way to go.

For one thing, the software suites can be complicated to use. They are often known to slow down the computer. And they cost money, whereas there are many free antivirus, antispyware, and firewall programs to choose from.

Plus, they may be overkill. In what has been called feature creep, they typically include many different types of protective software in addition to the baseline antivirus, antispyware, and firewall. This added complexity can negate the single product simplicity advantage.

Among the extras is antispam software that many people don't need; a case can be made that fighting spam is a server-side job, not something best done on your computer.

My colleague from The Personal Computer Show, Alfred Poor, has recommended against software suites many times on the show. He cites "bloatware" as the main reason:

"... the publisher piles on features not because they are practical or useful, but so that they can win the 'battle of the checkbox' where buyers go for the program with the most features. This leads to more software running in the background, which means a performance hit at the very least, and an increased chance of conflicts with other applications. My advice is to buy what you need, and no more."

Another big consideration is that, taken as a whole, software suites don't offer the best protection.

Leo Notenboom made this argument last week on his Ask-Leo Web site. Quoting from "How do I pick the right tools to protect my system?":

"Would a bundled application (all defenses in one) be necessarily more effective than several standalone products? In my fairly strong opinion, no. I base that primarily on the four+ years of problem reports and feedback that I've received here at Ask Leo!. It just seems that the combined suites cause more problems and miss more malware or security issues than a well chosen set of individual solutions."

Why don't the suites offer the best protection? Here too, I agree with Leo:

"My theory is that the suites start with a really good single product...in order to create a suite the manufacturer then buys or creates what I can only assume are second-rate additional components..."

The ZoneAlarm firewall is a case in point. I like the free firewall and would buy the commercial version for the additional features. But I can't; at least not without also buying either antispyware or antivirus software from CheckPoint. So I pass.

Interestingly, I disagree with Leo's recommendations for antivirus, antispyware, and firewall software. But even people who disagree on the specific choices agree that making specific choices is the way to go.

As for Alfred's point about bloatware, a comparison of the assorted software bundles offered by ZoneAlarm/CheckPoint shows no less than 16 types of defensive software included in the top-of-the-line product.

Another example of an antimalware product being assimilated into a suite comes from Eset.

In his newsletter/blog last week, Scot Finnie discussed the stand-alone NOD32 anti-virus program vs. their suite of anti-malware software called Eset Smart Security. As for the new version of NOD32, Scot writes "...my preliminary impression of Nod32 3.0...was quite positive. That product is available as a standalone upgrade to Nod32 2.7..."

But regarding the suite he says "I looked pretty extensively at Eset Smart Security in late beta, and I didn't think much of the firewall at all. Plus I have no use for Eset's antispam solution. So I am definitely recommending *against* the new $60 Eset Smart Security (ESS)."

Finally, a note from the school of hard knocks.

After reading some good reviews of F-Secure Anti-Virus a while back, I installed it on a couple machines. On one machine, when I later installed Spy Sweeper, the antispyware product from Webroot, I learned about an incompatibility with F-Secure Anti-Virus.

Another machine had the free ZoneAlarm firewall installed. When I tried to install F-Secure Anti-Virus, it complained about ZoneAlarm, basically saying it's either us or them. The F-Secure product would not install unless the ZoneAlarm firewall was removed.

What possible conflict could there be between an antivirus program and a firewall? My guess is that F-Secure had a single installation program for both their software suite and their standalone antivirus, and they hadn't customized the antivirus installation to not bother checking for firewall software. Just a hunch.

The debate over individual antimalware products will continue until Windows truly becomes secure. Until that day, fight assimilation and opt for standalone antimalware products.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
May 22, 2007 1:38 PM PDT

Google enters the security (blog) space

by Robert Vamosi

Every large Internet company has an online security team in place, and Google is no different. Now the search engine giant is going public. Yesterday, Google launched its new online security blog. The blog will post news on its little-known antimalware team, which, it turns out, has been in existence for about a year.

In its initial post, Google clarifies its now-famous one-in-10-Web-sites-are-malicious statement, derived from a presentation Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu gave at last month's Hotbots 2007. Provos says the figure that is quoted in the media should be 0.1 percent (less than 1 percent) since the analysis used in the paper, "The Ghost in the Browser" (in PDF), covers several billion Web sites. From that number, presenters selected a subgroup of 12 million, of which 1 million were found to be engaging in drive-by downloads of malicious code. There's also a colorful map in today's post showing which countries are responsible for hosting compromised Web sites and distribution servers (the U.S. and China both appear bright red, with Canada and Russia coming in a close second on each map).

Given that malware on the Internet is a huge problem, Google has been quietly evaluating Web sites on its own. Frequent users of the search engine may have seen statements under site names indicating that Google suspects a given site may be harmful to your PC.

This is curious, since major security vendors Symantec, Trend Micro, and McAfee currently offer products that overlay online search results with similar warnings. ZDNet blogger Ryan Naraine wonders whether Google is planning to go up against these vendors or perhaps purchase an existing security vendor. Predictably, Google declined to speculate on its future plans.
