Another Reason Why You Need a Password Manager

This Wordfence article is a great demonstration of why using a password manager is so important.

The message the author is pushing is “these browsers suffer because it’s easy to phish them” when the reality is that the specific “vulnerability” is actually the way the Internet is designed. The weakest link for all phishing is always PEBCAK – aka, “Problem Exists Between Chair and Keyboard”. Phishing is not your typical security problem, because it’s not the computer the attacker needs to convince, it’s the person.

Don’t get me wrong, I’m not saying that there should not be some visual and functional indication for IDN domains, but the user is still going to be the weakest link. Any indicator would go unnoticed or misunderstood by most people anyway.

A better solution is to use a password manager such as RoboForm. RoboForm bypasses this issue by preventing you from authenticating to the forged domains. RoboForm (and most other password managers) authenticate only to trusted domains, so even though the IDN domain may visually appear to be the same, it will not be treated as the real domain within the password manager.

See how RoboForm addresses this problem. In the first image you can see the emboldened stored credentials which will only appear if the domain is a match for the stored login.

Demonstration of RoboForm Domain Match

Here we have the punycode IDN variation, which, since it is actually a different domain, has no match in RoboForm.

Demonstration of RoboForm Domain Mismatch
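An added example (not RoboForm's code, which is not shown on this page) of the domain-match logic a password manager applies before it offers to fill a login. It assumes a constructed vault keyed by site and that subdomains of a stored site are accepted; the visited host is converted to its ASCII (punycode) form first, so an IDN look-alike never matches the stored entry.

```python
from urllib.parse import urlsplit

# Constructed sample vault, keyed by the site each login belongs to.
VAULT = {
    "apple.com": {"user": "alice", "password": "correct horse battery staple"},
}


def ascii_host(url: str) -> str:
    """Hostname of url in ASCII form: plain labels pass through, Unicode
    labels become their xn-- punycode equivalent (IDNA ToASCII)."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def matching_login(url: str, vault: dict = VAULT):
    """Return stored credentials only if the ASCII host is a stored site or a
    subdomain of one (assumption: the manager allows subdomain matches).
    A look-alike IDN host is a different ASCII name, so it never matches."""
    host = ascii_host(url)
    for site, creds in vault.items():
        site_ascii = site.encode("idna").decode("ascii").lower()
        if host == site_ascii or host.endswith("." + site_ascii):
            return creds
    return None


if __name__ == "__main__":
    real = "https://www.apple.com/account"
    fake = "https://\u0430pple.com/account"  # Cyrillic 'а' (U+0430) in place of Latin 'a'
    for url in (real, fake):
        verdict = "fill" if matching_login(url) else "no match"
        print(url, "->", ascii_host(url), "->", verdict)
```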

While the specific issue at hand is a phish that tricks the user into authenticating to a domain that appears to be the real thing by way of one cosmetic effect, there are many other ways that domains can be made to look like the real thing, and each of them still works well after this particular issue is addressed.

Using a password manager is the best and easiest way to ensure that you’re visiting the real site. It also provides strong authentication and far better passwords than you can create on your own.

Okay, now go get RoboForm.

That’s all for now, folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
http://SaferPC.info/
http://12PointDesign.com/

Catphishing on the Rise

In the last week I’ve had three separate Facebook friends re-friend me using new accounts. A few months ago I even had a cousin re-friend me “after Facebook sent him a million dollars and he could finally afford to create a new account!” His words, not mine. He was, of course, not actually my cousin but an impostor trying to get me to click through a third party link to infect my computer. It was kinda cute. 🙂

Clients have reported that online friends they’ve known for years are now re-friending them and asking for money to bail them out of strange situations — everything from jail to “beta testing” to solar investment loans. In all cases, contacting the person directly with their (previously known) offline contact methods (phone, text, IRL) results in first surprise, then horror, as the person realizes what has been done in their name.

And that’s the real issue here. It’s not like you’re witnessing your friends falling for a scam from an anonymous Nigerian Prince. No, they’re friending you and you¬†(in their mind) are responsible for anything that happens to them. From that moment forward, even long after they learn it was not really you, they’ll always associate you with this event. Some won’t talk to you anymore out of embarrassment. Some will blame you as though there were some way you could have prevented their folly. In any case, you’re both harmed by a total stranger using your name.

This phenomenon is called catphishing: the process of creating a fake online persona based on someone else and using it to take advantage of the target’s friends. Impersonation through, quite literally, duplicity.

Here’s the problem

She was astonished to see how her grandmother looked.

Online service providers, such as Facebook, Google, Yahoo, Microsoft and so on, don’t exactly perform DNA testing to ensure that the guy claiming to be your neighbor really is your neighbor. If they did, nobody would use their services. Since they don’t, it’s up to you to be able to identify whether it really is your neighbor.

They don’t make it easy.

These intelligent scammers will use just about any means possible to replicate the identity of the person they’re posing as. They’ll re-use the same or similar image as their personal photo. They might crop it differently than the original that they’ve harvested from the real person’s page, but it’ll be “real”. They’ll also migrate some content, mostly copied directly from the original account, onto the new catphishing page. They’ll also copy personal details, such as dates, employment or social history, possibly even replicating the victim’s relationships with additional accounts. All it really takes, when the information is already available only a click away, is the time to copy and paste.

These types of phishing accounts are usually short-lived. Within only a few days they’ll be identified by the target’s friends as a phish, though in that time dozens or even hundreds of people may be victimized. This means the attacker has to act fast. Once they’ve created the account they’ll quickly send out many friend requests to the target’s existing friends. They’ll then add or contact many, and the few that answer quickly will then be socially engineered.

First a little small talk, then mentioning some great event – like being mailed a million dollars by Mark Zuckerberg, or how they just saved a bunch of money by doing something different like taking advantage of a government program or loan gimmick. They won’t waste much time getting to the pitch, though they might not be able to respond to everyone all at once so it might be a day or two before they push. When you feign interest they’ll have a link at the ready to help you “research” their pitch. It might even be a personal page on a popular site or a typo-squatted version of a popular domain. They’ll seed the idea then send you a link to infect yourself or enable you to self-hijack by posting your account information at an untrustworthy site.

While you’re giving up your information, your real friend is completely oblivious to what is happening.

So how do you protect yourself?

First and foremost, don’t just friend everyone that asks. A very effective means of security (in most things) is to let other people be the guinea pig. This means you don’t respond to friend requests or new contacts immediately. Just wait. At least a couple of days, but a week or more is ideal. By this time, if it’s a phish, there’s a good chance other people will have suffered at their hands, and thus the account may have either been locked or shut down by the time you are prepared to accept the friend request. Patience really is its own reward.

Of course, if you suspect an account isn’t legitimate, report it. Most popular websites have tools to report various contacts and requests, and these are the tools you should be using. This allows the website owner (such as Facebook) to aggregate information about these attacks to block specific types of attacks or shut down entire networks of attackers all at once, and possibly prevent some of them in the future. It’s up to you to report it properly and fully, however. Simply blocking a user will not have any effect other than eliminating their unwelcome messages to you. If you want to stop it you have to be specific in how you report it.

On Facebook you can go to the fake user account page, click the account action button (…), select Report, Report this profile, then select “They’re pretending to be me or someone I know.” Then follow the prompts.


Don’t forget to tell the person they’re claiming to be, preferably through a previously known offline contact method.

What if they’re posing as me?!

Same thing. Report them quickly and warn your friends that may have succumbed to your fake friendship.

But wait, there’s more! In most states there are laws against phishing. Here in California the law is really written only to protect businesses, but you, as a victim, can sue an impostor for a half million dollars if they pose as your business.

It doesn’t hurt to regularly search social media for your own name, too. Not your account, mind you, just your name. This will return other accounts that are using your name so you can investigate them. Even a few minutes of effort once a month can save you and your friends from a lot of hurt down the road.

Another trick is to add a Google Alert to your name for social media. This bypasses your own social account (if configured correctly) and emails you whenever your name appears on a site. First go to Google Advanced Search and fill out the form to use a search phrase such as this:

“john t example” site:facebook.com -“johntexample”

This searches for his exact name, on Facebook, but excludes his Facebook slug/username. Now go to the Google Alerts page and search for the formula you composed above. Click “Show options”, then set the alert to contact you once per day. It’s not a perfect solution, but it might catch a phish.

Good luck, and keep it clean out there,

Shawn K. Hall
http://SaferPC.info/
http://12PointDesign.com/

Enable SSL Certificate Revocation Checks

Today brings another disclosure of a popular entity’s SSL certificate being improperly issued. Such certificates allow an attacker to spoof content and perform phishing and man-in-the-middle attacks against users who might otherwise have no reason to distrust their connections. The potential for exploitation increases significantly on untrusted networks, such as open Wi-Fi nodes, minimal-security networks like coffee shops and airports, and so on. I suggest you use OpenDNS to minimize the risk of DNS poisoning — it has many other benefits as well.

This is only the most recent example of a popular certificate being issued to the wrong party. Sadly, this type of thing happens on a regular basis.

Even so, many browsers fail to perform proper certificate validation that would keep this type of hijacking a minimal risk. The default behavior for most recent operating systems and browsers is to perform some certificate revocation checks, but to leave options that inadequately validate trust when a revocation check fails. You can verify that your browser is properly configured within its settings as below.

For Internet Explorer:

Go to Tools, Internet Options.

IE - Tools, Internet Options

Click the Advanced tab, then under the Security group check both “Check for publisher’s certificate revocation” and “Check for server certificate revocation”.

Check both “Check for publisher’s certificate revocation” and “Check for server certificate revocation”

Click OK to save the options.

For Chrome:

Go to Menu, Settings:

Chrome: Menu, Settings

Scroll to the bottom and click show advanced settings.

Chrome: Show advanced settings

Finally, check the box for Check for server certificate revocation. Your preference will be saved immediately.

Chrome: Check for server certificate revocation

For Firefox:

Go to Menu, Options.

Firefox: Menu, Options

Click the Advanced tab, the Certificates sub-tab, and the Validation button.

Firefox: Advanced, Certificates, Validation

In the popup check both options, “Use the Online Certificate Status Protocol (OCSP) to confirm the validity of certificates” and “When an OCSP server connection fails, treat the certificate as invalid”. Click OK, then OK again in the Options window to save the changes.

Firefox: Certificate Validation

And while all of this is important, don’t forget to set up OpenDNS!
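An added example, not part of the original post: the two Firefox checkboxes above correspond to the preferences security.OCSP.enabled and security.OCSP.require, so a profile's prefs.js can be audited for the weak soft-fail posture (OCSP queried, failures ignored) versus the corrected hard-fail posture. The sample prefs.js is constructed, and an absent preference is assumed to mean the Firefox default.

```python
import re

# Firefox preference names behind the two checkboxes in the Validation dialog.
OCSP_ENABLED = "security.OCSP.enabled"  # 0 = never query OCSP, 1 = query it (Firefox default)
OCSP_REQUIRE = "security.OCSP.require"  # true = a failed OCSP lookup makes the certificate invalid

# The corrected settings, as lines that could go into a profile's user.js.
HARDENED_USER_JS = """\
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true);
"""

# Constructed sample prefs.js from a profile that still soft-fails: OCSP is queried,
# but a responder that cannot be reached is silently treated as "fine".
WEAK_PREFS_JS = """\
// Mozilla User Preferences
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", false);
user_pref("browser.startup.homepage", "https://example.com/");
"""

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(prefs_js: str) -> dict:
    """Parse user_pref(...) lines into a dict of bool, int or str values."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
    return prefs


def revocation_posture(prefs: dict) -> str:
    """'disabled', 'soft-fail' (checks run but failures are ignored) or 'hard-fail'.
    Assumption: an absent pref means the Firefox default (enabled=1, require=false)."""
    if prefs.get(OCSP_ENABLED, 1) == 0:
        return "disabled"
    return "hard-fail" if prefs.get(OCSP_REQUIRE, False) is True else "soft-fail"


if __name__ == "__main__":
    print("sample profile:", revocation_posture(parse_prefs(WEAK_PREFS_JS)))
    print("hardened user.js:", revocation_posture(parse_prefs(HARDENED_USER_JS)))
```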

The DNSChanger Scare – or Is the FBI Really Going to Turn Off the Internet?

Unless you live in a cell at Guantanamo Bay, chances are you’ve heard the horror stories of how the FBI is going to be turning off the Internet for millions of Americans in less than 48 hours. Let’s dispel a few myths:

Will I Lose Internet Access?

No.

We’re not talking about some sort of doomsday event. Even if you’ve been infected with the DNSChanger malware, your Internet service will not go down. DNS would not resolve, which would mean that while you probably won’t be able to visit any websites until you fix it, the hardware, software and networks will remain in place to ensure your Internet service is operating fine.

And if you do lose access, it’s important to understand that “it’s not them, it’s you.”

The only way that you could be affected by this issue is if you’re one of the approximately 4 million (worldwide) people that were infected with one of the DNSChanger malware variants (such as Zlob) over the last six years and have not disinfected your computer yet. If you’ve been running, well, any antivirus software over the last year or so, you would have been disinfected and had your DNS settings reset. No big deal.

What’s DNS and Why Should I Care?

DNS, or the Domain Name System, is one of the core functions of the Internet. This service is usually provided by your ISP to translate domain names like example.com to their IP addresses. DNS also provides other capabilities, such as redundant networks should a server fail, the very basis of email relay (MX), anti-spam measures (DNSRBL), and ensuring that the site you’re connecting to is the “real” site (DNSSEC).

If your DNS doesn’t work, you won’t be able to visit any domain-name based websites (such as google.com, bing.com, facebook.com or yahoo.com). You will still be able to visit IP-based websites such as http://208.69.38.205/ or http://74.125.45.99/.

Windows Sucks!

A common myth about DNSChanger is that this malware only infected Windows computers. That’s not true. Not only did it affect Windows-based computers, it may also have infected your Mac OS X (RSPlug & Puper), changed the settings on your router/modem, or even your phones (via Flush.*).

While Windows was surely the most popular target, it was most definitely not the only one.

How Can I Tell If I’m Infected?

You can test whether you will be affected by the DNS changes simply by visiting dns-ok.us or even Google or Facebook – if you see a message indicating that you’re infected or need to correct your DNS, then you’ve got problems.

If you’ve been infected, you should first disinfect your computer. Changing your DNS settings alone will not remove the malware from your computer! You can get the free version of MBAM, AVG, Avast!, or use the McAfee DNS Checker tool to remove the malware from your computer.

Infected or Not, What Should I Do?

Run a virus scan. There are literally dozens of free anti-virus programs out there. Pick one. Run it. Do this once in a while even when the MSM isn’t in Chicken Little mode. If you’re infected, it means you haven’t run a scan since at least November. Think about that for a minute.

Then immediately set up OpenDNS on your computers and networks. OpenDNS (208.67.222.222 & 208.67.220.220) is a free DNS service that provides additional protection by filtering out phishing and malware sites automatically – with the option of filtering another 58 categories of content from porn to p2p to web spam or even politics (free account required).

If you’re insane and would prefer to avoid the added security of the phishing and malware filters provided free by OpenDNS, you can opt instead to use Google’s Public DNS (8.8.8.8 & 8.8.4.4). Or contact your ISP to find out what their DNS servers are usually set to.
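An added example, not from the post, that applies the advice above on a Unix machine: parse a resolv.conf-style file and label each configured resolver as one of the providers listed above, a device on your own LAN (typically the router, whose settings DNSChanger also rewrote), or an unrecognised public server. The sample file is constructed, and 203.0.113.53 is a documentation address standing in for an unknown resolver.

```python
import ipaddress

# Resolvers the post recommends (OpenDNS and Google Public DNS), as listed above.
TRUSTED_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
}

# Ranges meaning "a device on my own network answers DNS": RFC 1918, loopback, link-local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample resolv.conf, not taken from a real machine.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search home.lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 203.0.113.53   ; unrecognised public server
"""


def parse_nameservers(resolv_conf: str) -> list:
    """Nameserver addresses from resolv.conf-style text, ignoring # and ; comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(address: str) -> str:
    """Label a resolver: a trusted provider, a device on the local network, or an
    unknown public server that deserves a closer look."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if address in TRUSTED_RESOLVERS:
        return TRUSTED_RESOLVERS[address]
    if any(ip in net for net in LOCAL_NETWORKS):
        # The router answers here; DNSChanger also rewrote router settings, so the
        # router's own upstream DNS servers need the same check.
        return "local device (check its upstream DNS too)"
    return "unknown public resolver (investigate)"


def audit(resolv_conf: str) -> dict:
    """Map every configured resolver to its label."""
    return {s: classify(s) for s in parse_nameservers(resolv_conf)}
```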

How Did I Get Infected?

If you were infected by this malware you were most likely visiting porn or warez sites on your computer, or used an Internet connection that was already infected by someone else that had. The sad truth of computer security is that even “being good” won’t prevent you from being infected when someone else on your network is bad.

Again, the best way to ensure that your computer/phone/tablet isn’t infected through this DNS poisoning method is to set up OpenDNS directly on your device so that it always uses a “safe” DNS source.

Why is the FBI Turning Off This Service?

A better question would be, why did they turn it on in the first place? All they’ve done by replacing the malware DNS servers with their own is spend $10,000/month and preserve hundreds of thousands of infected computers. What they should have done is replace it with a locked DNS that relayed all requests directly to dns-ok.us or the DCWG so people that were infected could immediately correct it. Instead, they’ve prevented the malware from propagating, but they’ve enabled as many as half a million computers to stay infected. As an IT guy myself, I see this similarly as if they had sold untrackable guns to drug cartels so they could see what they did with them.

The bottom line…

This is not really the problem it’s been made out to be. The DNS Changer Working Group (DCWG) spokesman Barry Greene is quoted as saying:

“Think about it: Various estimates place the number of PCs worldwide at between 1 billion and 2 billion. That means the 250,000 or so still-infected computers represent fewer than 2-100ths of a percent (0.02 percent) of all PCs in the world. That’s about the number of PCs a botnet hunter commandeers in a single day,” Greene says, adding: “It’s no big deal.”

Really, my only serious concern is that for some reason the FBI will change their mind and postpone shutting down the servers again, effectively keeping these users infected even longer.

That’s all for now folks. Keep it clean out there. ;)

Regards,

Shawn K. Hall
http://SaferPC.info/
http://12PointDesign.com/