26 October 2013

Ransomware: Why This New Malware is So Dangerous and How to Protect Yourself

 

Published on October 25th, 2013  |  Written by: Chris Hoffman

Ransomware is a type of malware that tries to extort money from you. One of the nastiest examples, CryptoLocker, takes your files hostage and holds them for ransom, forcing you to pay hundreds of dollars to regain access.Most malware is no longer created by bored teenagers looking to cause some chaos. Much of the current malware is now produced by organized crime for profit and is becoming increasingly sophisticated.

How Ransomware Works

Not all ransomware is identical. The key thing that makes a piece of malware “ransomware” is that it attempts to extort a direct payment from you.Some ransomware may be disguised. It may function as “scareware,” displaying a pop-up that says something like “Your computer is infected, purchase this product to fix the infection” or “Your computer has been used to download illegal files, pay a fine to continue using your computer.”In other situations, ransomware may be more up-front. It may hook deep into your system, displaying a message saying that it will only go away when you pay money to the ransomware’s creators. This type of malware could be bypassed via malware removal tools or just by reinstalling Windows.Unfortunately, Ransomware is becoming more and more sophisticated. One of the latest examples, CryptoLocker, starts encrypting your personal files as soon as it gains access to your system, preventing access to the files without knowing the encryption key. CryptoLocker then displays a message informing you that your files have been locked with encryption and that you have just a few days to pay up. If you pay them $300, they’ll hand you the encryption key and you can recover your files. CryptoLocker helpfully walks you through choosing a payment method and, after paying, the criminals seem to actually give you a key that you can use to restore your files.You can never be sure that the criminals will keep their end of the deal, of course. It’s not a good idea to pay up when you’re extorted by criminals. On the other hand, businesses that lose their only copy of business-critical data may be tempted to take the risk — and it’s hard to blame them.

Protecting Your Files From Ransomware

This type of malware is another good example of why backups are essential. You should regularly back up files to an external hard drive or a remote file storage server. If all your copies of your files are on your computer, malware that infects your computer could encrypt them all and restrict access — or even delete them entirely.RELATED ARTICLEWhat Files Should You Backup On Your Windows PC?Everybody always tells you to make sure that you are backing up your PC, but what does that really mean? And what files do you actually need to backup? Today we'll walk you through the basics of backing up your PC, what you should back up, and why. [Read Article]When backing up files, be sure to back up your personal filesto a location where they can’t be written to or erased. For example, place them on a removable hard drive or upload them to a remote backup service like CrashPlan that would allow you to revert to previous versions of files. Don’t just store your backups on an internal hard drive or network share you have write access to. The ransomware could encrypt the files on your connected backup drive or on your network share if you have full write access.Frequent backups are also important. You wouldn’t want to lose a week’s worth of work because you only back up your files every week. This is part of the reason why automated back-up solutions are so convenient.If your files do become locked by ransomware and you don’t have the appropriate backups, you can try recovering them with ShadowExplorer. This tool accesses “Shadow Copies,” which Windows uses for System Restore — they will often contain some personal files.

How to Avoid Ransomware

RELATED ARTICLE10 Important Computer Security Practices You Should FollowAntivirus programs aren’t perfect — especially Microsoft Security Essentials. If you’re relying on your antivirus alone to protect you, you’re... [Read Article]Aside from using a proper backup strategy, you can avoid ransomware in the same way you avoid other forms of malware. CryptoLocker has been verified to arrive through email attachments, via the Java plug-in, and installed on computers that are part of the Zeus botnet.Use a good antivirus product that will attempt to stop ransomware in its tracks. Antivirus programs are never perfect and you could be infected even if you run one, but it’s an important layer of defense.Avoid running suspicious files. Ransomware can arrive in .exe files attached to emails, from illicit websites containing pirated software, or anywhere else that malware comes from. Be alert and exercise caution over the files you download and run.Keep your software updated. Using an old version of your web browser, operating system, or a browser plugin can allow malware in through open security holes. If you have Java installed, you should probably uninstall it.For more tips, read our list of important security practices you should be following.Ransomware — CryptoLocker in particular — is brutally efficient and smart. It just wants to get down to business and take your money. Holding your files hostage is an effective way to prevent removal by antivirus programs after it’s taken root, but CryptoLocker is much less scary if you have good backups.This sort of malware demonstrates the importance of backups as well as proper security practices. Unfortunately, CryptoLocker is probably a sign of things to come — it’s the kind of malware we’ll likely be seeing more of in the future.

08 October 2013

SB13-280: Vulnerability Summary for the Week of September 30, 2013

There are 20 fresh security patches in Google Chrome, including fixes for a number of high-severity vulnerabilities. Google regularly pushes out new versions of its browser every few weeks, and sometimes will only have a handful of security fixes.  Chrome users should update their browsers as soon as possible to protect against attacks using these vulnerabilities.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

·   High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
·   Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
·   Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Here is the list:

High Vulnerabilities
Primary
Vendor -- Product
Description
Published
CVSS Score
Source &
Patch Info
google -- chrome
Use-after-free vulnerability in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to inline-block rendering for bidirectional Unicode text in an element isolated from its siblings.
2013-10-02
google -- chrome
Use-after-free vulnerability in modules/webaudio/AudioScheduledSourceNode.cpp in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
2013-10-02
google -- chrome
Use-after-free vulnerability in the PepperInProcessRouter::SendToHost function in content/renderer/pepper/pepper_in_process_router.cc in the Pepper Plug-in API (PPAPI) in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a resource-destruction message.
2013-10-02
google -- chrome
Use-after-free vulnerability in the RenderBlock::collapseAnonymousBlockChild function in core/rendering/RenderBlock.cpp in the DOM implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect handling of parent-child relationships for anonymous blocks.
2013-10-02
google -- chrome
Google V8, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
2013-10-02
google -- chrome
Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599.66 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
2013-10-02
google -- chrome
Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
2013-10-02

Medium Vulnerabilities
google -- chrome
Multiple race conditions in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to threading in core/html/HTMLMediaElement.cpp, core/platform/audio/AudioDSPKernelProcessor.cpp, core/platform/audio/HRTFElevation.cpp, and modules/webaudio/ConvolverNode.cpp.
2013-10-02
google -- chrome
The Window.prototype object implementation in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
2013-10-02
google -- chrome
Google Chrome before 30.0.1599.66 uses incorrect function calls to determine the values of NavigationEntry objects, which allows remote attackers to spoof the address bar via vectors involving a response with a 204 (aka No Content) status code.
2013-10-02
google -- chrome
Use-after-free vulnerability in the XSLStyleSheet::compileStyleSheet function in core/xml/XSLStyleSheetLibxslt.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of post-failure recompilation in unspecified libxslt versions.
2013-10-02
google -- chrome
Use-after-free vulnerability in the XMLDocumentParser::append function in core/xml/parser/XMLDocumentParser.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving an XML document.
2013-10-02
google -- chrome
Use-after-free vulnerability in the color-chooser dialog in Google Chrome before 30.0.1599.66 on Windows allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to color_chooser_dialog.cc and color_chooser_win.cc in browser/ui/views/.
2013-10-02
google -- chrome
Google Chrome before 30.0.1599.66 preserves pending NavigationEntry objects in certain invalid circumstances, which allows remote attackers to spoof the address bar via a URL with a malformed scheme, as demonstrated by a nonexistent:12121 URL.
2013-10-02
google -- chrome
Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to spoof the address bar via vectors involving a response with a 204 (aka No Content) status code, in conjunction with a delay in notifying the user of an attempted spoof.
2013-10-02
google -- chrome
The ReverbConvolverStage::ReverbConvolverStage function in core/platform/audio/ReverbConvolverStage.cpp in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the impulseResponse array.
2013-10-02
google -- chrome
The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/substring.
2013-10-02
google -- chrome
Double free vulnerability in the ResourceFetcher::didLoadResource function in core/fetch/ResourceFetcher.cpp in the resource loader in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering certain callback processing during the reporting of a resource entry.
2013-10-02
google -- chrome
Use-after-free vulnerability in core/html/HTMLTemplateElement.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that operates on a TEMPLATE element.
2013-10-02




27 July 2013

¿Podemos fiarnos de TrueCrypt?

Nadie discute que hoy día el estándar de facto para cifrar discos duros / datos en un HD es TrueCrypt.

Funciona bien, es un software muy estable, y está disponible para múltiples plataformas.

Pero ¿Nos podemos fiar de TrueCrypt? ¿Es realmente un software libre de toda sospecha? ¿Podría ser un 'honeypot' de la CIA?

Hace tiempo encontré un post en el que se apuntaban ciertas partes oscuras con respecto a TrueCrypt y sobre quién está tras el proyecto. Todo lo que se expone es muy 'conspiranoico' pero es cierto que proyecta sombras sobre el proyecto. No obstante, después de Stuxnet, Flame y amigos, la capacidad de asombro y de negación ha quedado muy mermada.

El artículo original plantea las siguientes cuestiones (mis comentarios personales sin negrita):

El dominio truecrypt.org se registró con una dirección falsa, en concreto 'NAVAS Station, Antarctica'. Esto, per se, a mi no me parece nada sospechoso, mucha gente lo hace.

Nadie sabe quienes son los desarrolladores de TrueCrypt (su identidad, se desconoce). Esto SI me parece algo a tener muy en cuenta, me parece genial que en ciertos foros donde se liberan herramientas más 'ofensivas', estas herramientas sean firmadas por pseudos o nicks, pero todo lo que tenga que ver con criptografía debe ser totalmente transparente.

Los creadores de TrueCrypt trabajan gratis. Aseveración un poco discutible en mi opinión. Mucha gente trabaja 'gratis' en proyectos opensource, escribe blogs, etc etc.

Compilar TrueCrypt es complicado. Lo que apuntan en el post original es que, la mejor forma de incentivar la descarga de binarios pre-compilados por el equipo de TrueCrypt es hacer complicada la compilación del software. Tiene lógica
La licencia de TrueCrypt no es realmente OpenSource. Bueno, tampoco indica nada en especial, es cierto que TrueCrypt ha sido rechazado de muchas distribuciones Linux (en el post citan a Fedora), pero eso no lo tiene porque hacer necesariamente sospechoso
El código de TrueCrypt nunca ha sido auditado. El autor del post se queja de que nadie ha publicado un estudio sobre el código de TrueCrypt, en parte tiene razón, pero resulta muy aventurado decir que nadie lo ha hecho. Lo que si está claro es que si alguien realiza esa auditoría y encuentra algo, es su pasaporte a la fama. Cuesta creer que nadie haya puesto sus ojos en el tema.

Existe censura en los foros de TrueCrypt. Parece que en los foros de TrueCrypt no se puede hablar de otras soluciones de cifrado ni de herramientas para atacar a TrueCrypt.

No seré yo quien desacredite un producto como TrueCrypt que tantas alabanzas ha cosechado, pero del post original, tengo que decir que hay varios puntos que sí me preocupan bastante.

Lo de la identidad desconocida es bastante grave, ¿usarías un algoritmo de cifrado del que desconozcas su autoría? probablemente no, como decía más arriba, criptografía = transparencia como axioma

Respecto a introducir un backdoor en el software, es técnicamente posible, y voy mas allá: de estar ahí, puede ser REALMENTE complicado encontrarlo. Y si no, que se lo digan a Theo

Que cada cual saque sus propias conclusiones.

Source:
http://t.co/0CR23MDubN