Monday, March 31, 2014

Facebook IM "LOL Image" is a Worm

There is a bit of malware circulating through Facebook lately. The worm spreads by contacting people through Facebook's Messenger service, pretending to be a friend. The content of the message is the phrase "LOL" with an attachment named to look like an image (IMG_####.zip). When you open the file, it is in fact a Zip archive with a single file inside - IMG_####.jar.

Jar files are Java archives, a means of packaging Java programs for easy transport. In this case, the Java program is simply a downloader - it downloads a Trojan from a particular Dropbox account, which infects the computer and swipes your Facebook login information. It then turns around and sends messages to your friends, repeating the cycle.

The moral of the story? The same as it has been for at least 15 years: don't open unexpected attachments (whether in email or instant messaging services). Pay attention to the file extension - an image is not usually bundled into a .zip file. When in doubt, contact the sender (preferably through a different channel, such as by phone) to verify that they did in fact send you an attachment.

And if they intentionally sent you a malicious attachment? Well, now you know to have one fewer friend :-)

Thanks to MalwareBytes for bringing attention to this particular case.
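As an added example (not part of the original post and not MalwareBytes' code), here is a Python check that a mail or chat gateway could run on a zip attachment to catch the pattern described above: an image-style name wrapped around a .jar. It goes one step beyond the post by also flagging a Java archive that has been renamed to an image extension. The extension list, the filename pattern and the function names are assumptions, and the sample archive is constructed and harmless.

```python
import io
import re
import zipfile

# Assumed list of extensions that run code when opened; tune for your environment.
RISKY_EXT = {".jar", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
IMAGE_LIKE = re.compile(r"^(img|dsc|photo|pic)[_-]?\d+", re.IGNORECASE)

def is_java_archive(data):
    """A jar is a zip that carries META-INF/MANIFEST.MF, whatever it is named."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "META-INF/MANIFEST.MF" in z.namelist()
    except zipfile.BadZipFile:
        return False

def triage_attachment(data):
    """Return reasons to distrust a zip attachment (empty list = nothing flagged)."""
    findings = []
    try:
        outer = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with outer:
        for info in outer.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = ("." + base.rpartition(".")[2].lower()) if "." in base else ""
            if ext in RISKY_EXT:
                findings.append(f"{name}: executable type {ext}")
                if IMAGE_LIKE.match(base):
                    findings.append(f"{name}: camera-style name on a non-image")
            elif is_java_archive(outer.read(info)):
                findings.append(f"{name}: Java archive behind a {ext or 'missing'} extension")
    return findings

def build_sample(inner_name):
    """Constructed sample: a zip holding one harmless, manifest-only jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(inner_name, jar.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for inner in ("IMG_0001.jar", "IMG_0001.jpg"):
        print(inner, "->", triage_attachment(build_sample(inner)))
```
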

Tuesday, March 25, 2014

Free Android Games! Bonus Malware Included!

You don't want this "night vision" app
Earlier this month, antivirus company Avast alerted us to a piece of malicious software masquerading as a "night vision camera app" that slipped through safeguards and made its way into the Google Play Store. The app claimed to let you take pictures in the dark, with the specific example of spying on your neighbor changing (sex still sells, never mind that unless your neighbor changes with the lights out, a night vision capability will be useless).

Needless to say, the app does not do what it claims to do. But what it does do is quite unpleasant. This particular app collects phone numbers from your contacts list, sends them to a server in order to register them with a premium SMS list, and then, depending on some factors that are not clearly explained, can add as much as $50/month to your cell phone bill through premium SMS.

Tuesday, March 18, 2014

Foiling the Identity Thief: Is Identity Theft Insurance Worthwhile?

A friend once asked my thoughts on insuring against identity theft and fraud. As I had never really thought about this category of insurance before, it seemed a good excuse to do a bit of research.

There are a number of different definitions for identity theft depending on whom you ask, but in general they fall into two broad categories:
  • Unauthorized use of an existing relationship or account (for instance, credit card fraud, email compromise, or exploiting a Facebook or Twitter account)
  • Unauthorized use of personal information to establish a new relationship or account (for instance, opening new credit accounts, tax return fraud, or medical identity theft)

Tuesday, March 11, 2014

Unintended Consequences

For the last few months I have been bringing my children (late elementary school and middle school) into the modern age when it comes to finances - setting them up with savings and spending bank accounts, teaching them to track their balances and plan their spending, and showing them how saving over time adds up. An approach my wife and I have taken is to give each child a savings account when they turned 10, that they could use to begin saving money to buy a car when they are of driving age. We offered to match any money they put into savings, but they would not be allowed to withdraw anything until they are 16(ish). We're not talking big money, but even a couple of bucks a week for 6 years can add up to a few thousand dollars ... and with multiple siblings that might be willing to pool their money, they could get a pretty decent set of wheels. But I digress...

Thursday, March 6, 2014

A Password is Not Enough, Part 2

Earlier this week I wrote about the limitations of passwords as a security measure. Based on a conversation with a reader, though, I believe it would be useful to write a somewhat less technical explanation.

A secret word (i.e. a password) is one way of limiting access to something (email, bank, club, etc.). If you don't know the secret, you don't belong - but a secret can be found out. In the physical world, a secret may be discovered by eavesdropping, or by someone sharing the secret. In the online world the password may be stolen by viruses and other malware, or through digital eavesdropping. So while a strong password is a good start, by itself a password could be compromised.

Multifactor authentication is combining a secret with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is. Granted, a determined adversary may still overcome this hurdle, but it is far harder than simply stealing a password.

Note that a second secret (such as the "password reset questions" that some websites ask you to set up) is not the same thing as multifactor authentication. If one secret can be found out, so can another (especially if the second secret is something easy to look up, such as your mother's maiden name or the elementary school you attended). True multifactor authentication means something from at least two of the following categories: something you know (such as a password); something you have (such as a cellphone or a key); and something you are (such as a fingerprint or a retina scan).

Now that you know what multifactor authentication is, go back to my original post and see how it is implemented by a handful of popular online services!

Tuesday, March 4, 2014

A Password is Not Enough

Top Secret
10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Fast forward to 1962. MIT’s Compatible Time-Sharing System (an early multi-user computer) was one of the first computers to use passwords as a means of keeping users’ personal files separate. A Ph.D. researcher had been allotted a certain amount of time each week on the CTSS, but it wasn’t enough time to run the full simulations he had designed. Rather than suffer the atrocity of abiding by the rules, he found a way to print a copy of the password database so he could use other users’ time allotments. Thus occurred the first documented case of account compromise through password theft.