USB malware: What you need to know

Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!

Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet.

Rick Broida thinks he doesn’t use antivirus software

C’mon. You knew I’d get around to writing a response to Rick Broida’s claim that he doesn’t use antivirus software.

Actually, he’s not nuts. But he’s also mistaken if he thinks he doesn’t use antivirus software. His editorial is kind of like saying, “I don’t use a web browser. I use Internet Explorer.”

Although he’s mistaken that he doesn’t use antivirus software, and not all of his advice is spot-on, you can do a lot worse than follow his advice.

Web browser plugins you need to uninstall now–even if you have a Mac

I’ve been seeing a lot of news this week about web browser plugins getting exploited to plant malware on computer systems. A lot of people know to keep Flash up to date, and to keep Java up to date or uninstall it–at least I hope so by now–but there are two targets that people generally forget about: Shockwave and Silverlight.

Because so many people have them installed and don’t know it, and therefore never update them, they are ripe targets for attack.

What I did for Mother’s Day

Last month, Rapid7’s Trey Ford appealed to security professionals:

You have an opportunity to be an ambassador. When you see XP out there, have an adult conversation, educate in terms that others will appreciate. Your actions and words reflect on the entire community.

As the family CIO/CSO – look for the smart investment. There are options that will make your life easier. A small investment is a lot easier to stomach than compromised shopping/banking/credit card credentials (or identity theft.)

Five malware myths

I found a story called Five Malware Myths and take no issue with anything it says. Run antivirus, whitelist your program directories, run EMET, and you’re reasonably protected but not invincible. But nobody is as invincible as the majority of people seem to think they are.

Let’s take them one by one.

I want to feel for this ad executive, but I can’t

There’s a problem in this world, according to Mike Zaneis. It’s ad blockers.

On one level, I can relate to the guy. Ad blockers cost me between $500 and $1,000 a year, personally. But on another level, I have no sympathy for him. Because there’s so much problematic advertising out there. If you ever try to download something from one of the major download sites, good luck. There are 14 download buttons. 13 of them are ads that deliver something other than what you want, or ridealong stuff you don’t want. Somehow, Mike Zaneis thinks that’s OK, but blocking ads is wrong.

How about misleading ads that talk about government programs that don’t exist? I see an ad promising me a mortgage bailout every day. I’d love for Mike Zaneis to explain to me how this is ethical.

There are hundreds, if not dozens, of spammy news stories that are really just advertisements, preying on ignorant people, spreading misinformation and damaging society, littering the web today. Stop eating cumquats and lose 20 pounds! Buy gas at precisely 7:05 AM and gain 4 MPG! Here’s how Warren Buffett is preparing for the apocalypse! These things don’t work, and I haven’t figured out how these newsvertisements make anyone any money except perhaps through profiling, and I’d love for Mike Zaneis to explain this. There’s a guy named Kevin Trudeau who made a career of spreading this kind of stuff. He’s in prison now. The difference between Trudeau and this stuff is that Trudeau pitched it in late-night infomercials charging $19.95 rather than giving it away for free and turning the people who read it into the product–something Mike Zaneis denies anyone thinks is a problem.

But the worst of all are malvertisements–advertisements that plant malware on your machines. If I run computer code on a computer that doesn’t belong to me, I’ll be hanging out with Kevin Trudeau in prison for the next 20 years. But for some reason, it’s OK to do this in the name of advertising. I’d love for Mike Zaneis to explain this, too.

But unlike Mike Zaneis, I’m not complaining. It might be nice to be a professional blogger, but I’m better off with my day job than I would ever be as a pro blogger. It’s nice when I make a little money off this web site, but a lot of what I write is to support that day job–I can find what I need at a later date very quickly if it’s on the blog. That content never makes me a dime. I have some niche content that makes virtually all of the revenue I see, but I’m hesitant to elaborate much further lest someone like Mike Zaneis launch a site and steal all that traffic.

But that’s the thing. I adapt. I have to do that in everything I do. I can whine about how I don’t make the kind of revenue I made in 2005, but the fact is, if I were willing to change a few things, I probably could make more now than I did in 2005. About 5% of what I write accounts for all of my revenue. If I could devote 20% of my content to those subjects, I’m sure I would make considerably more. Since that would require me spending four times as much time thinking about and doing different things from what I do now, I haven’t made that shift. But if I ever needed to, I could.

Mike Zaneis thinks people who create and use ad blockers are out to extort him. They aren’t. They’re trying to encourage certain limits on acceptable behavior. That’s one reason I’m careful about the kinds of ads I let run on this site. There are certain categories–profitable categories–that I don’t allow, such as ads for gambling sites, political ads, prescription drugs, and get-rich-quick schemes. Some of those categories were profitable for me before I discovered my account was using them, but taking money from those behaviors would be wrong, so I stopped doing it. There was nothing illegal about those ads, but there was nothing ethical about them either. So I draw the line there, because some things are much more important than money.

Mike Zaneis draws the line at a different place, and he’s trying to start a war. I’m not convinced it’s a war he can win, and I have no reason to root for him.

How I turned a junker PC into a trap for scammers

As my regulars will be aware, for the past few weeks I’ve been getting lots of phone calls from “Peggy” from “Computer Maintenance Department.” What I’ve found during these phone calls is that debating with them does no good, and saying that your computer is crazy fast gets them to hang up on you, but they’ll call back again in a few days anyway.

Last week, I had lunch with a group of future coworkers–I’ll be joining them once my background check results come in–and I mentioned these phone calls. The guy sitting across the table from me said he wants their malware, so he can reverse-engineer it. So I said I would cooperate the next time I got a phone call.

So just how dangerous is an old, out of date operating system anyway?

Glaurung brought up a good point in a comment yesterday. If you never go online and/or you’re really careful, do you really need to update your OS to something new?

In my professional opinion, it depends. Didn’t you know that would be my answer?

And in a story that should surprise no one, Target’s attack was unsophisticated

I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.

My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.

Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.

Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win.

Why it’s a good idea to schedule your router to reboot

Many routers, notably Belkins, have a feature in them to schedule an automatic reboot periodically, usually once a week. Frequently this “feature” is there as a workaround, because something about the router’s software gets unreliable if it’s been running longer than a week. So it’s a kludge, but it keeps the thing working without a lot of effort, so the feature is there.

The respectably rock-solid DD-WRT also has the ability to schedule a reboot built in. I don’t know if it’s there to make life easier for developers, or if it’s there to deal with second-rate hardware, or if there was a time when it was necessary and they just never took the feature back out. Regardless, it’s there, though many DD-WRT stalwarts brag about never needing it because their router’s uptime is more than six years.

It’s fun to get into uptime contests, but it’s poor security. If you have a router, it’s a good idea to be rebooting it every so often, so you might as well turn on that feature, even if it costs you some pride.