Archive for May, 2010

A Mozilla researcher seems to have stumbled upon an entirely new kind of phishing exploit that involves those handy tabs we’re all becoming used to seeing in different browsers. It’s a fairly simple design, but it’s clever, and some people are bound to get caught by it. This attack plays on the way browsers manage and handle tabs.

The basic concept involves a script that, while running in one tab, can change the content in another tab. The main requirement is to have multiple tabs open at the same time, which is a pretty common online practice.

The Mozilla representative, Aza Raskin, has demonstrated the tab phish, and he has conjectured that this new method is suited to specific, well-targeted attacks against customers of banks, credit card companies, or even web-based email services.

An additional requirement for completing the exploit is that the attacker’s website has been visited; that site contains the script used in the tab attack. When the infected site is visited, the malicious script works to identify any existing tabs that are open, then determines how long each tab has been open.

This is important because a successful exploit with this method requires tabs that have been open for a while. JavaScript is then used to change the content to resemble basically anything the attacker wishes.

Mr. Raskin has an example on his website in which the new page is actually Gmail’s login page. You can watch a video demonstration of the attack here: Video Demonstration Tab Exploit

But you can see the potential here. The attacker can make the page look like whatever he wants, such as your bank’s login page, a credit card login page, or even PayPal’s login page. Of course, the attack relies on the reader’s memory of having visited that page.

But the important item of note is that this attack can involve any site. JavaScript must also be enabled for this attack to be effective.

As for Firefox, a fix for this type of attack has been implemented in the NoScript add-on. But the attack apparently still succeeds in Google’s Chrome. The takeaway is to be vigilant when you’re browsing with multiple tabs open.

Do You Know If That RSS Feed Subscription Is Safe?

In case you don’t know, RSS stands for Really Simple Syndication and/or Rich Site Summary. It’s a method for distributing content via an XML format. You can subscribe to RSS feeds from any site that offers them, usually blogs, and then read them using RSS readers on your computer. It’s an efficient and convenient process that many people enjoy.

So let’s delve a little deeper into RSS…

As you now know, or probably already knew, there are RSS feeds and RSS readers. The latter are also known as RSS aggregators or feed readers. The feeds contain the content you’re looking for from RSS-enabled static sites and blogs. The reader is a software program installed on your home computer.

Now let’s get to the meat of the matter and discuss some security vulnerabilities associated with RSS.

There are risks and vulnerabilities with feeds as well as readers. These risks are inherent in the entire process, and the subject is too large to cover in a single blog post.

RSS feed vulnerabilities:

The major security issues with feeds involve scripts that are injected into the feeds and become incorporated into the normal feed elements. This occurs upstream of your computer, and it’s done in such a way that the injected content looks like normal feed data.

Some of the RSS elements that get exploited are feed item links, titles and description XML components, and feed titles. Some Atom feed elements that get exploited are the feed title, subtitle, author name, and entry updates.

The HTML literal injection exploit:

These involve placing scripts inside literal HTML tags included in the feed. In particular cases, when there are HTML tags within a feed, the content is displayed literally: when an RSS reader or aggregator sees these tags, it renders them as HTML rather than as text, and any scripts they contain are executed.

An infected feed can include scripts that install malicious software capable of carrying out further actions of pretty much any kind, or scripts that simply steal cookies, for example. It all depends on the degree of harmful intent - and your luck of the draw.

The HTML entity injection exploit:

Basically, these exploits are read and executed from within HTML entities in the RSS feed. The harmful scripts run after they arrive on your computer and are read by the feed reader. There’s no way of knowing right away that you’re reading an infected RSS feed, and even afterwards you may not know whether the RSS feed caused your problem.

Entity injections bring into play issues with ‘local zones’ on your computer. This happens because readers usually store their data in a local directory, so the feed content is treated as local content, and you’re left with local zone security vulnerabilities on your PC.

A local zone security problem can arise if the infected file has ActiveX configured to read and write files on your hard disk. Then a file can be read and sent anywhere on the net the hacker specifies. That is how critical and personal data can be stolen from your computer.

The disheartening news about all this is that it’s extremely difficult to use RSS feeds in a completely safe manner. You can use a reader that removes HTML entities and any meta characters before displaying the feed. You can also use a feed reader that strips tags such as object, frameset, script, embed, link, meta, etc.
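As an added example (this is not code from the original post or from any feed reader it mentions), here is a minimal feed sanitizer in Python of the kind just described. It covers both the literal HTML injection case and the entity injection case: the tags named above (object, frameset, script, embed, link, meta) are dropped together with their contents, only a small allow-list of formatting tags passes through, only http(s) links survive, and entity-encoded markup is decoded and then re-escaped so it is displayed as text rather than parsed. The sample feed at the bottom is constructed for the example; the reference to defusedxml in a comment is an assumption about a third-party package, not something the post mentions.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements dropped together with everything inside them (the post's list plus a few relatives).
DANGEROUS_TAGS = {"object", "frameset", "frame", "script", "embed", "link",
                  "meta", "iframe", "style", "form", "applet"}
# Elements that have no closing tag; nesting is never tracked for them.
VOID_TAGS = {"br", "link", "meta", "embed", "img", "input", "hr", "frame"}
# Harmless formatting that may pass through; any other tag is dropped but its text is kept.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li",
                "code", "pre", "blockquote"}
SAFE_ATTRS = {"href"}
WEB_SCHEMES = ("http://", "https://")


class FeedHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from an allow-list; everything else becomes text or is gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&lt;" reaches handle_data as "<"
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dangerous element

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            # Only http(s) hrefs survive; javascript:, data: and event handlers are dropped.
            if name in SAFE_ATTRS and value and value.strip().lower().startswith(WEB_SCHEMES):
                kept += f' {name}="{html.escape(value.strip(), quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Re-escape: an entity-injected "&lt;script&gt;" decodes to "<script>" here
        # and goes back out as text, never as markup.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, processing instructions and declarations are discarded by default.


def sanitize_html(fragment: str) -> str:
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(xml_text: str) -> list:
    """Parse an RSS 2.0 document and return items that are safe to hand to a renderer."""
    # Assumption: for untrusted feeds, parse with the defusedxml package instead of
    # ElementTree to block entity-expansion attacks; ElementTree keeps this stdlib-only.
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        if not link.lower().startswith(WEB_SCHEMES):
            link = ""  # javascript:, data:, file: and similar never become clickable
        items.append({
            "title": html.escape(item.findtext("title") or "", quote=False),  # titles are plain text
            "link": link,
            "description": sanitize_html(item.findtext("description") or ""),
        })
    return items


# Constructed sample feed: one benign item, one literal injection, one entity injection.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed example feed</title>
<item>
  <title>Benign post &lt;b&gt;bold&lt;/b&gt;</title>
  <link>https://example.com/post/1</link>
  <description>&lt;p&gt;Hello &lt;a href="https://example.com/x"&gt;world&lt;/a&gt;&lt;/p&gt;</description>
</item>
<item>
  <title>Literal injection</title>
  <link>javascript:alert(1)</link>
  <description>&lt;p&gt;Read me&lt;/p&gt;&lt;script&gt;exfil(document.cookie)&lt;/script&gt;&lt;object data="x.swf"&gt;&lt;/object&gt;&lt;a href="javascript:alert(1)" onclick="alert(1)"&gt;click&lt;/a&gt;&lt;meta http-equiv="refresh" content="0;url=https://example.net"&gt;after</description>
</item>
<item>
  <title>Entity injection</title>
  <link>https://example.com/post/3</link>
  <description>&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt; looks harmless as text</description>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_FEED):
        print(entry)
```

The important design choice is the allow-list: the reader never asks "is this tag dangerous?" but "is this tag one I explicitly render?", so a tag the list does not know about loses its markup and keeps only its text.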

Proceed with caution…

Online Banking Is Secure, So It’s Safe. Right?

Your bank offers secure online banking, so why should you worry…

Most people see the ads for “Secure Online Banking” and think it’s safe to use, and there won’t ever be a problem. After all, banks can afford the best resources money can buy. A reasonable assumption about a bank.

But you may be alarmed at this statistic…

In 2009, Americans lost approximately $559 million to various forms of online theft from bank accounts. That figure comes from the Internet Crime Complaint Center. The 2009 amount is more than double the 2008 figure, when ‘only’ $268 million was stolen via the net.

Sean Sullivan, a security adviser with the internet security firm F-Secure, made the following comment: “Last year there were more online bank robberies than there were actual on-site bank robberies. Banks have become very proactive in protecting accounts from hackers, but it’s still quite a large problem. We see all types of new attempts every day.”

Hackers are designing trojans specifically targeted toward banks, and these trojans constitute the largest threat to online banking customers. According to Sullivan, “Some more advanced types of trojans can make fraudulent transfers and drain your account while you are logged on to the account online.”

But how can you tell if your bank is safe, or at least reasonably well-protected?

The way you can tell doesn’t offer much of a warm fuzzy, and it even seems a bit of a crude indicator. But here goes…

The more aggravation you encounter when you log into your online bank account, the more secure it is. What? If your online bank website makes you jump through many hoops in the form of questions, and wants you to input multiple passwords, which mine does not, then that means the level of security is higher.

We hope you feel better now.

Sullivan offers this, “The more layers you have before you get to your account, the safer you are.”

What you can do to protect your bank account:

  • Make sure your home PC has the full suite of security apps, including firewall, anti-spyware, anti-virus, and any other security software. Plus - keep it all updated and current.
  • Never access your online bank account, or any financial-related account, from a shared computer.
  • Always report anything suspicious on your bank account, and perform a regular review of your statement.
  • Be sure to use the strongest password possible. Use all the characters your bank will allow, and include numbers, odd spellings, and upper and lower case letters.
  • For wireless connections, you brave soul, make sure your connection is encrypted. Never use a public network, such as in public places.
  • If you have a LAN set up at home, see the previous post about network hacks. Change your router password ASAP.
  • Be sure to log out fully after every online banking session.

Desktop Security War Is Lost While The Home Network Security War Heats Up

Desktop security is a subject that sometimes seems to take a back seat to the usual news about website, blog, and server hacking. But it’s a well-worn topic for big financial businesses and for security experts and analysts, and for very good reason.

This past week Jeremiah Grossman, CTO of WhiteHat Security, wrote that many organizations within the financial services industry are now at the point where the operating assumption is that customer desktops are compromised.

That is the basic assumption.

Related to that ugly and depressing scenario is the nearby battle being waged over the security of home networks. Nefarious botnets are being unleashed on home routers and DSL modems.

What that means is that even if your PC has been pronounced squeaky clean, you need not surf another infected site or receive another piece of malware-laden spam to still lose control over your home system. Through the DNS, routers, and modems you’re wide open and fair game.

What’s worse, at this moment there are few defensive security measures in place to protect your home networks - or to even detect if they have become compromised.

Enter Chuck Norris, the botnet.

This botnet was first discovered, and named, by Czech researchers. Its method of unwanted entry is attacking poorly configured DSL modems and routers. One thing you can do, and it’s not a lot and may be too late, is to change the default password on your home router.

The Chuck Norris botnet only targets vulnerable routers and DSL modems. It guesses default admin passwords, and the situation is inadvertently encouraged because many of these devices are configured for remote access.

After the preliminary guesswork succeeds, the botnet installs itself.

The botnet’s mission is to gain control of outbound internet traffic, which can be used for a number of purposes. This is a very effective strategy for hackers: it allows control over large numbers of systems while eliminating the need for constant intrusion and reinfection.

Little is widely known about how to fix compromised network devices. The final shot to the gut is that cable companies and ISPs basically don’t care about your home network maladies.

That’s your territory, and your problem.

Why You Need To Take Social Media Security Threats Seriously In Your Business

Security and social media sites are a combination that presents unique challenges for individuals as well as businesses. The real-time environment and communications are only part of the attraction. As you can imagine, this real-time aspect also provides unique, powerful, and dangerous opportunities for those who would do you, or your business, harm.

Just a few well-known risks involve Facebook images carrying worms and the uncertainty of what’s behind all those shortened URLs on Twitter. Also, many social media resources and tools are hosted on third-party websites, which makes it even more difficult to know their level of security or trustworthiness.

Here are some interesting numbers regarding security and social media sites:

  • According to the Sophos Security Threat Report (Jan 2010), for 2009 there was a 70% increase in the proportion of businesses reporting spam and malware attacks originating from social network websites. Over one third of these businesses reported receiving malware attacks from social media sites.
  • Also, more than 72% of these firms feel employee behavior on social media sites poses a danger to the security of their businesses.
  • According to SC Magazine, respondents to its studies consider Facebook to be the biggest threat to security, followed by MySpace and Twitter.

There are a number of measures companies and individuals can put in place to protect their assets, both inside and outside the firewall. But the one strategic action everyone should take is to become aware of the risks involved with social media sites.

Risk awareness is critical because you will not take any protection measures if you’re not aware of potential threats.

Threat mitigation is another recommended and desired strategic action. Putting these safeguards into place, after the fact, can be a very painful lesson learned.

Here are additional tips and resources to decrease social media security threats:

You are an integral mitigating force in the overall arsenal. So, remember to “Think before you click.” Obviously that is not total protection. But have you ever been rushed, or maybe even excited to check something out, and you clicked on a link almost automatically? Have you ever done that and had something unpleasant happen? Well, that happens all the time all over the world.

So just try to remember to think before you click.

Shortened links - They’re great for saving space in the Twitter micro-blogging world. You’ve most likely seen them: TinyURL, bit.ly, or is.gd. But the obvious risk they pose is that they hide the destination URL. What you need is a scanner that checks shortened links, such as:

Disclaimer: No tool is 100% perfect.

http://longurl.org/

http://prevurl.com/
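To show what such a scanner does under the hood, here is an added example in Python (it is not code from the original post or from either of the services listed above). It follows a shortened link's redirect chain using HEAD requests only, so the final page body is never downloaded, and it stops on redirect loops, on redirects into non-web schemes, and after a hop limit, reporting the whole chain so the true destination can be judged before anyone clicks. The `head_request` function uses the standard library's `http.client`; the `head` parameter of `expand_chain` is injectable so the logic can be exercised offline against the constructed response table at the bottom, which does not describe any real service.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
WEB_SCHEMES = {"http", "https"}


def head_request(url: str, timeout: float = 5.0):
    """Send one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-expander-example/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_chain(url: str, head=head_request, max_hops: int = 10) -> dict:
    """Follow redirects from `url` without fetching bodies and describe where they end."""
    chain = [url]
    reason = "hop limit reached"  # the loop below overrides this whenever it stops early
    for _ in range(max_hops):
        current = chain[-1]
        if urlsplit(current).scheme not in WEB_SCHEMES:
            reason = "non-web scheme"  # e.g. a redirect into javascript:, file: or a custom handler
            break
        status, location = head(current)
        if status not in REDIRECT_STATUSES or not location:
            reason = "final"
            break
        nxt = urljoin(current, location)  # Location may be relative to the current URL
        if nxt in chain:
            reason = "redirect loop"
            break
        chain.append(nxt)
    return {
        "chain": chain,
        "destination": chain[-1],
        "hops": len(chain) - 1,
        "reason": reason,
        # A chain that ends on a different host than it started on deserves a closer look.
        "host_changed": urlsplit(chain[0]).hostname != urlsplit(chain[-1]).hostname,
    }


# Constructed response table standing in for the network: url -> (status, Location).
CONSTRUCTED_RESPONSES = {
    "https://short.example/abc": (301, "https://tracker.example/r?to=1"),
    "https://tracker.example/r?to=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
    "https://short.example/loop1": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop1"),
    "https://short.example/js": (302, "javascript:alert(1)"),
}


def fake_head(url: str):
    """Offline stand-in for head_request that answers from the constructed table."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://short.example/loop1", "https://short.example/js"):
        print(expand_chain(start, head=fake_head))
```

Against a live shortener, call `expand_chain("https://...")` with the default `head`; the result's `reason` and `host_changed` fields are the two things worth reading before deciding whether the destination is one you expected.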

Expanded links - Expanded links are the kind that reveal the website domain. For example, www.wordpresssecured.com/wpsecurity can be called an expanded link. But you could still be unaware of what exactly is on the page behind the link; there could be malware, a virus, or some other threat waiting for you. To counter that, you can use an expanded link scanning tool:

Disclaimer: No tool is 100% perfect.

http://searchengineland.com/googles-safe-browsing-diagnostic-tool-14064

http://linkscanner.explabs.com/linkscanner/default.aspx

PDF Exploits - What You Don’t Know Can Hurt You

In a previous post, I referenced Symantec’s Internet Security Report 2010 finding that PDF exploits were sharply on the rise in 2009. Recently, there have been alarming reports of new PDF exploits of a particularly malicious nature. What is also noteworthy is that they use new techniques and strategies to accomplish their tasks.

  • Security researchers at McAfee report that these exploits are continuing to increase in 2010.
  • Additionally, according to McAfee Labs, only 2% of all malware took advantage of Adobe Reader/Acrobat in 2007 and 2008. In 2009 that figure increased to 17%, and to 28% in the first quarter of 2010.
  • Microsoft has stated that 46% of browser exploits, in the latter half of 2009, were directed toward Adobe’s free PDF viewer.

TrendLabs’ Malware Blog identified a PDF that contained exploits for two security holes that had already been patched. This is a continuing trend among hackers and programmers on the dark side: they work to exploit existing weaknesses in any application or entry vehicle.

First, though: current Adobe software provides protection against this particular exploit.

This PDF exploit involves an embedded XML file which contains a virulent TIFF file. That file then downloads existing malware off the net and executes it.

There is yet another, separate PDF exploit that uses the ‘/Launch’ capability: when the PDF is opened and the action is confirmed, it executes a malicious embedded file. The PDF uses a variant of the ‘Launch’ command, and although a dialog box is presented, either choice results in malicious activity.

M86 Security Labs recently reported an infected PDF that also takes advantage of the “Launch” feature. In that case, the installed malware was identified as the data-stealing bot Zeus, which had not previously been observed in this type of PDF exploit.

So far, Adobe has yet to respond with a fix for this situation.
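Until a vendor fix lands, the practical defence is triage: looking at what a PDF attachment asks the reader to do before anyone opens it. As an added example (not code from the original post, Adobe, or any of the labs cited), here is a small static check in Python that counts the PDF name keys associated with automatic actions and embedded payloads, including the /Launch action discussed above. It decodes the #xx hex escapes that the PDF syntax allows inside names, since `/L#61unch` is the same key as `/Launch` and would slip past a naive string search, and it flags /ObjStm because keys inside compressed object streams are invisible to a check like this. The keyword list and risk verdict are this example's own choices, and the sample bytes at the bottom are constructed fragments, not working documents; a key's presence is a reason to look closer, not proof of malice.

```python
import re
from collections import Counter

# PDF name keys worth counting during triage (presence alone is not proof of malice).
TRIAGE_KEYS = (
    "/Launch",        # run an external file or program (the feature discussed in the post)
    "/JavaScript",    # document-level script
    "/JS",            # inline script body
    "/OpenAction",    # action executed when the document is opened
    "/AA",            # additional-action triggers (page open, form events, ...)
    "/EmbeddedFile",  # file attachment carried inside the PDF
    "/XFA",           # XML forms architecture (embedded XML forms)
    "/RichMedia",     # embedded Flash/media
    "/ObjStm",        # object stream: other objects may be compressed inside it
)

# A PDF name runs from "/" up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# "#xx" inside a name encodes one byte; the spec allows it and scanners must undo it.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so that /L#61unch compares equal to /Launch."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_keys(pdf: bytes) -> Counter:
    """Count occurrences of each triage key across the raw file bytes."""
    counts = Counter()
    for match in _NAME_RE.finditer(pdf):
        name = normalize_name(match.group(0))
        if name in TRIAGE_KEYS:
            counts[name] += 1
    return counts


def triage(pdf: bytes) -> dict:
    """Summarize a PDF: key counts, a coarse verdict, and whether the check was complete."""
    counts = count_keys(pdf)
    auto_exec = counts["/OpenAction"] + counts["/AA"]
    payload = (counts["/Launch"] + counts["/JavaScript"] + counts["/JS"]
               + counts["/EmbeddedFile"] + counts["/XFA"] + counts["/RichMedia"])
    if counts["/Launch"] or (auto_exec and payload):
        verdict = "suspicious"        # something runs, or something is wired to run on open
    elif payload or auto_exec:
        verdict = "review"            # one half of the pattern is present
    else:
        verdict = "no triggers found"
    return {
        "is_pdf": pdf.lstrip().startswith(b"%PDF"),
        "counts": dict(counts),
        "verdict": verdict,
        # Compressed object streams were not expanded, so keys may be hiding in them.
        "incomplete": counts["/ObjStm"] > 0,
    }


# Constructed fragment: an open action wired to a Launch action whose name is hex-obfuscated.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (constructed-placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fragment: a plain one-page document with no actions at all.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("launch sample:", triage(SAMPLE_LAUNCH_PDF))
    print("benign sample:", triage(SAMPLE_BENIGN_PDF))
```

Run it over a mail attachment with `triage(open(path, "rb").read())`; an `incomplete` result means the file should go to a tool that can decompress object streams before anyone trusts a "no triggers found" verdict.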

The “launch” PDF exploit has been seen in spam message attachments. So, as you should know, it is never advisable to open attachments from unknown senders. If you have any suspicions at all, the conservative action is to avoid opening the attachment.

It’s also highly recommended to keep all security-related applications current, and especially Adobe’s software if you use it.
