Be cautious of Internet access at airports

August 26, 2010

Accessing the Internet via an open Wi-Fi network is risky because you have no idea who the hot spot provider is or who else is connected to it. At the airport it may seem more secure to use a terminal to check your e-mail or update your Facebook status; however, according to Symantec, these terminals might not be secure at all.

In a recent article on the company's Web site, Nick Johnston, senior software engineer of Symantec Hosted Services, wrote that at one Internet terminal at a large airport in England, he saw an unusual "Defense Center Installer" dialog box that turned out to be a fake antivirus software, also known as "scareware."

Scareware is a type of malware that claims a computer is infected with viruses and tries to coerce the user into buying the full version of the software to clean the fictitious infection. It's common for this type of malware to try to disable or uninstall legitimate antivirus software, causing Windows Security Center to warn that no antivirus software is installed. As this type of software is not really a virus, it's hard for legitimate antivirus software to detect and remove it.

The fact that the Internet terminal has this type of malware indicates that it is not protected and might be infected with other hidden, more dangerous malware such as a keylogger. Unlike "scareware," which makes its presence known, there is no obvious indicator that a keylogger is active while it silently captures users' input. This means that usernames and passwords for airline accounts, bank accounts, Web mail, social media accounts, or any other private accounts accessed on the terminal can be stolen.

For this reason, you should exercise extreme caution whenever you are using publicly available Internet access terminals and avoid doing anything that requires you to sign on to personal or corporate accounts. The best practice is to only enter your private and important information, such as bank account, Social Security number, and so on, on computers and networks that you know. If you share computers with other people, remember to change your passwords regularly.

A few minutes of negligence might result in costly consequences that could take a long time to fix.

 

Stuxnet Malware could hijack power plants, refineries

August 17, 2010

A worm that targets critical infrastructure companies doesn't just steal data, it leaves a back door that could be used to remotely and secretly control plant operations, a Symantec researcher said on Thursday.

The Stuxnet worm infected industrial control system companies around the world, particularly in Iran and India but also companies in the U.S. energy industry, Liam O'Murchu, manager of operations for Symantec Security Response, told CNET. He declined to say how many companies may have been infected or to identify any of them.

"This is quite a serious development in the threat landscape," he said. "It's essentially giving an attacker control of the physical system in an industrial control environment."

The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. It's unclear at this point what the code does, O'Murchu said.

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems, according to O'Murchu.

"For example, at an energy production plant, the attacker would be able to download the plans for how the physical machinery in the plant is operated and analyze them to see how they want to change how the plant operates, and then they could inject their own code into the machinery to change how it works," he said.

The Stuxnet worm propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files ending in ".lnk." It infects machines via USB drives but can also be embedded in a Web site, remote network share, or Microsoft Word document, Microsoft said.
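
Added here as a defender-side illustration, not code from the article or from Symantec or Microsoft: a small Python triage script that parses the target item list of .lnk shortcut files on a mounted volume (a USB stick, for instance) and flags any shortcut whose target names a .dll or .cpl library rather than a program, since the exploited shortcuts pointed the Windows shell at a DLL to load instead of a program to run. The layout follows Microsoft's documented Shell Link format; the sample shortcuts are constructed fixtures, and the check is a heuristic for finding files worth a closer look, not a substitute for the patch.

```python
import os
import struct
# MS-SHLLINK constants: 76-byte fixed header, fixed link CLSID, LinkFlags bit 0.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
# Library names a shortcut's target list should not normally carry, as ASCII and as UTF-16LE.
SUSPECT_EXTS = [e for x in (".dll", ".cpl") for e in (x.encode(), x.encode("utf-16-le"))]

def parse_link_target_items(data: bytes) -> list:
    """Return the raw ItemID payloads of a .lnk LinkTargetIDList (empty if the list is absent)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
        pos, end = LNK_HEADER_SIZE + 2, LNK_HEADER_SIZE + 2 + idlist_size
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:  # TerminalID closes the list
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return items

def is_suspicious_lnk(data: bytes) -> bool:
    """Heuristic: flag a shortcut whose target items name a .dll or .cpl rather than a program."""
    return any(ext in item.lower() for item in parse_link_target_items(data) for ext in SUSPECT_EXTS)

def scan_directory(root: str) -> list:
    """Walk a mounted volume (e.g. a USB stick) and list the shortcuts that trip the heuristic."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".lnk")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_suspicious_lnk(fh.read()):
                        flagged.append(path)
            except (OSError, ValueError, struct.error):  # unreadable, truncated or not a shortcut
                pass
    return flagged

def build_sample_lnk(target_text: str) -> bytes:
    """Constructed fixture, not a real Windows shortcut: one ItemID holding target_text as UTF-16LE."""
    payload = target_text.encode("utf-16-le")
    header = struct.pack("<I16sI52x", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    idlist = struct.pack("<H", len(payload) + 2) + payload + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist
```

Legitimate shortcuts to control panel applets can also mention a .cpl, so treat a hit as a prompt to inspect the file, not as proof of infection.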

Microsoft issued an emergency patch for the Windows Shortcut hole last week, but just installing the patch is not enough to protect systems running the Siemens program because the malware is capable of hiding code in the system that could allow a remote attacker to interfere with plant operations without anyone at the company knowing, according to O'Murchu.

"There may be additional functionality introduced into how a pipeline or energy plant works that the company may or may not be aware of," he said. "So, they need to go back and audit their code to make sure the plant is working the way they had intended, which is not a simple task."

Symantec researchers know what the malware is capable of but not what it does exactly because they are not done analyzing the code. For instance, "we know it checks the date and depending on the date it will take different actions, but we don't know what the actions are yet," O'Murchu said.

This new information about the threat prompted Joe Weiss, an expert in industrial control security, to send an e-mail on Wednesday to dozens of members of Congress and U.S. government officials asking them to give the Federal Energy Regulatory Commission (FERC) emergency powers to require that utilities and others involved in providing critical infrastructure take extra precautions to secure their systems. The emergency action is needed because PLCs are outside the normal scope of the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards, he said.

"The Grid Security Act provides emergency powers to FERC in emergency situations. We have one now," he wrote. "This is essentially a weaponized hardware Trojan" affecting PLCs used inside power plants, off-shore oil rigs (including Deepwater Horizon), the U.S. Navy's facilities on ships and in shore and centrifuges in Iran, he wrote.

"We don't know what a control system cyberattack would look like, but this could be it," he said in an interview.

The situation indicates a problem not just with one worm, but major security issues across the industry, he added. People fail to realize you can't just apply security solutions used in the information technology world to protect data to the industrial control world, he said. For example, Department of Energy intrusion detection testing didn't and would not have found this particular threat and anti-virus didn't and wouldn't protect against it, Weiss said.

"Antivirus provides a false sense of security because they buried this stuff in the firmware," he said.

Last week, a Department of Energy report concluded that the U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices. Researchers worry about security problems in smart meters being deployed in homes around the world, while problems with the electrical grid in general have been discussed for decades. One researcher at the Defcon hacker conference in late July described security problems in the industry as a "ticking time bomb."

Asked to comment on Weiss' action, O'Murchu said it was a good move. "I do think this is a very serious threat," he said. "I don't think the appropriate people have realized yet the seriousness of the threat."

Symantec has been getting information about computers infected by the worm, which appears to date back at least to June 2009, by observing connections the victim computers have made to the Stuxnet command-and-control server.

"We're trying to contact infected companies and inform them and working with authorities," O'Murchu said. "We're not able to tell remotely if (any foreign attack) code was injected or not. We can just tell that a certain company was infected and certain computers within that company had the Siemens software installed."

O'Murchu speculated that a large company interested in industrial espionage or someone working on behalf of a nation-state could be behind the attack because of its complexity, including the high cost of acquiring a zero-day exploit for an unpatched Windows hole, the programming skills and knowledge of industrial control systems that would be necessary and the fact that the attacker tricks victim computers into accepting the malware by using counterfeit digital signatures.

"There is a lot of code in the threat. It's a large project," he said. "Who would be motivated to create a threat like this? You can draw your own conclusions based on the countries targeted. There is no evidence to indicate who exactly could be behind it."

 

VeriSign adds malware scanning to SSL services

July 20, 2010

VeriSign is adding malware scanning to its authentication services for Web site operators, the company announced on Monday.

The "VeriSign Trusted" check mark seal indicates to Web surfers that VeriSign has verified that the site represents the organization or company that it purports to be and that it is using encryption to protect communications between the site and its visitors. Now, existing and new VeriSign SSL customers will have their sites scanned daily to check for malware as well, at no extra cost, said Tim Callan, vice president of product marketing at VeriSign.

The company also is adding its seals to Web search results on shopping search engines Pricegrabber and TheFind, as well as on Google and Bing for people using AVG's LinkScanner software. "We are aggressively pursuing deals with other search engines," Callan said.

If VeriSign discovers malware on a customer Web site, it will remove the seal and notify the site administrator via e-mail. Site administrators can see a report detailing what code was found and where via a VeriSign management console. When the malware is removed VeriSign will scan the site to verify that and then replace the seal.

The increase in drive-by-downloads in which Web surfers are infected with malware just by visiting a site prompted VeriSign to add this additional level of security for its customers, he said.

"Our seal and our service is widely understood to be the most recognized, most prominent indicator of a safe Web experience," Callan said. "In order for our seal to still mean what people think it means we needed to offer this service moving forward."

The service enhancement is also a way for VeriSign to differentiate its SSL certificate services from the dozens of other companies offering similar services. "We view ourselves as the Mercedes Benz of this category," Callan said. "We are making sure we are best of breed."

The malware scanning will be rolled out in stages to all VeriSign branded SSL certificate customers worldwide between now and the end of the year, he said.

Users of AVG LinkScanner will now see results on Google and Bing with the VeriSign SSL seal.

(Credit: VeriSign/AVG)
 


