“Like many businesses, entrepreneurs and web users, we oppose these bills because there are smart, targeted ways to shut down foreign rogue websites without asking American companies to censor the Internet,” a Google spokesman told Ars. “So tomorrow we will be joining many other tech companies to highlight this issue on our US home page.”

List of those big sites that are protesting: sopastrike.com

More information at http://americancensorship.org/

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As a Aryeh Goretsky stated at Scot’s Newsletter Forums noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’
…
Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.
…
Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

Much more in this two page article where a link to Markham’s blog details more about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for *.google.com which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

…

The CNs concerned were as follows:

*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
www.cia.gov
www.facebook.com
www.sis.gov.uk

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…

This problem is not only related to issues of privacy related to people who’s lives would be in danger, but also, victims of malware purveyors as well.

Cryptographic keys for SSL sites are only as good as the honesty of the holder and issuer of those keys, as well as the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue them would like us to believe either. Anyone with money can purchase a SSL certificate, and there have been malware purveyors that have also bought them so folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and browser makers put out root certificates for their browers and show green or gold with the lock for those obtained by big name sellers of these certificates. So if you are legitimate site owner who creates their own to save money, you are automatically assumed to be ‘not legitimate’ by browsers and it shows as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products including Firefox, Thunderbird, et. revoking the certificates.

Opera has done the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users to take care of disabling and removing the DigiNotar certificates from the KeyChain so Safari and other browsers would be safer online on the Mac. Since then, Apple released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firms stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…

But nothing could be further from the truth. I was one of Google’s real endorsers. But no more. Their real name policy has turned away many real people and that was never Google’s way before. So why now?

I have to say i loved Google. I generally don’t trust corporations online or off, but Google was one I thought and even through all this i really hoped they would turn this around and once again try to ‘do no evil’.

I guess the old saying is true — especially for corporations — Everyone has their price; even Google.

Sigh…

NOTE: see my last posting entitled A wave out to all my Google+ friends.

EDIT 9/6/2011: In the comments, I continue to add articles. I hope to have this be a pretty inclusive list of articles on this issue. If you know of one I have missed please feel free to leave a comment with the link. Thanks!

EDIT: grammer/clarity and to add Bob Blakley’s Gartner blog article. Also almost forgot my TWEETMEME link, and Added Todd Vierling’s “Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why.”

Hackers are aggressively exploiting a just-patched Flash vulnerability, serving attack code “on a fairly large scale” from compromised sites as well as from their own malicious domains, a security researcher said Friday.

The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second “out-of-band,” or emergency update, in nine days.

Check your current version of Adobe Flash and make sure you have their latest version. They have put out 2 out of band updates recently, so we all need to really be sure.

BleepingComputer has been a great source for Windows users since 2005 for removal instructions and removal tools for rogue anti-spyware programs. They have helped so many! I often find myself doing research at their site.

In keeping with their past dedication and commitment in helping Windows users get rid of this malware plague with removal guides and removal tools, they have also started posting removal instructions for Mac Defender, Mac Security, Mac Protector, and even the new more nasty MacGuard which doesn’t need a password to install like the others that was just released into the wild (at least if you are using Safari configured to Open “safe” files after downloading).

Grinler, an Admin at BleepingComputer forums posted an excellent summary of the history of these rogue anti-spyware programs on Windows PCs, and now on the Mac. This summary is also where you can find the updated removal guides and Mac Rogue Remover Tool.

Currently, BleepingComputer’s Mac Rogue Remover Tool will remove the following:

Mac Security – Mac Security Removal Guide
Mac Defender – Mac Defender Removal Guide
Mac Protector – Mac Protector Removal Guide
Mac Guard – Mac Guard Removal Guide

If you have any questions on these guides and tools, Grinler ask that you post in their forums here.

Thanks to Corrine (Security Garden) for posting this information at Scot’s Newsletter Forums.

Criminals ‘give Apple the finger,’ says security researcher, by releasing new version just hours after Apple warned of fake AV software

Joy…This just hours after Apple decided to finally help users defend against these fake AV scams, as well as provide a way to rid the Mac of the problem.

The article notes given the name of the new malware and the timing of its release, they definitely think it does seem like a reactionary message.

And the worst part … now no password needed. Or maybe the worst part will be the new spammer’s URL shortening scheme?

Spammers establish their own fake URL-shortening services (Help Net Security):

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.

These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

Mac malware authors release a new, more dangerous version (ZDNet):

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Yes….it does seem so.

If you want to keep your money Apple, you should be thinking about protecting your users a whole lot quicker than this from now on.

God help all Apple users, the gloves are off…be on your guard for MacGuard…

With the equivalent of “Security Center 2011” now having a counterpart for the Mac called “MAC Defender, Mac Security, Mac Protector, or any number of knockoff names“, there is a lot of discussion as to how safe the Mac still is compared with Windows.

I have not seen any Windows variant of this type of malware that is as easy to remove from Windows as it is from the Mac.

Sure, Malwarebytes Antimalware will take care of it easily on Windows, even if you somehow are tricked through social engineering to click on it (it can get a little dicier depending on how far you let it get), but with the Mac, you just go to Applications, find Mac Defender and throw it in the trash and flush. What’s easier than that? Here‘s the full instructions in Bleeping Computer’s full removal instructions.

EDIT 5/25/2011 – IMPORTANT REMOVAL INFO: Apple has also now posted removal instructions including killing the process, removing the program, and stopping it from starting on boot, here. This was noted in Computerworld: Apple admits Mac scareware infections, promises cleaning tool and USAToday: Apple to issue Mac update to halt malware attacks, and Arstechnica: Apple acknowledges Mac Defender malware, promises software update, as well as likely other places on the web today.

The Computerworld article above notes:

Andrew Storms, director of security operations with nCircle Security, was surprised that Apple said it would embed a malware cleaning tool in Mac OS X.

“That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

“Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

Even though it is very easy to remove, with Mac Defender out there, it does mean that malware, particularly on compromised websites, have begun to include other platforms. And you can bet others will follow. And they may not be as easy to remove.

So, does it mean Mac users should be installing Antivirus and/or Antimalware programs? I have, but according to the Wired.com article below:

Charlie Miller, a security researcher who has repeatedly won the annual Pwn2Own hacking contest by hacking Macs and iPhones, told Wired.com he doesn’t think so.
…
Ultimately, it’s up to the customer because there’s a trade-off involved. Anti-virus software will help protect your system from being infected, but it’s expensive, uses system memory and reduces battery life.

“Mac malware is still relatively rare, but is getting worse,” Miller said. “At some point soon, the scales will tip to installing antivirus, but at this point, I don’t think it’s worth it yet for most people.”

So how is this happening?

Browser choice and settings The first problem I see for Mac users is Safari and it’s settings. First for the same reason I rarely ever use Internet Explorer in Windows, I rarely use Safari on the Mac. Safari by default allows opening of files automatically after download. Bad move. This caused problems in the past with some ‘rogue’ Widgets a few years ago, but folks realized it was easy to fix this and turned it off under Safari preferences. With Safari open, Click Safari on the Menu bar, then click Preferences, on the first tab (General), at the bottom, untick Open ‘safe’ files after downloading. Personally, I prefer to use a variety of browsers, such as Firefox, Google Chrome, Opera for various things. Firefox and Chrome have some some great addons to help protect you. Opera has some as well.

Keeping programs up to date – Keeping Adobe Flash, Adobe Reader, and other addons/plugins, web browsers, and other software that touch the Internet up to date, as well as the operating system itself.

Paying attention The next biggest problem I see are people not paying close enough attention (regardless of their OS), and not familiarizing themselves with their OS as well as they could. This type of malware tries to replicate some sort of a security area on the OS to some degree and scare you into thinking they are finding malware on your system.

This type of malware requires you allow the installation.

On Windows computers, by clicking through the Administrator authentication box, and on the Mac by authenticating with your Admin password.

On Windows, way too many things ask for this kind of authentication (although it is better than it used to be), but on the Mac, which is more like UNIX/Linux in that regard, you are only asked when it could be a potential threat to the system like installing software that wants access to the system, or needs access to system areas. We should always be sure we know what is being installed and why before authenticating with our Admin password. Don’t have a password? Set one up under Accounts in the System Preferences today!

Search results People need to be able to tell the legitimate search results from the bogus ones that have managed to get into the top searches through Black Hat SEO technicques. If you don’t have a way to at least tell whether a site is good, bad or indifferent, it makes it so easy to click on the wrong one. There are programs that can help with this. They are not foolproof, use common sense as well. A free community based one is MyWOT and it works on Windows, Mac, and Linux. There are others that work on Windows as well from antivirus/firewall companies.

Keeping things cleaned up Having and using a temporary files cleaner. I run it after every single browser session, but every day or at worst case once a week would work as long as you don’t notice any issues or weirdness with your OS.

There is a good one for Windows called CCleaner (free and paid versions). For the Mac there are several available. I like MainMenu. It is not free, priced at $15 and a bit more for the Pro version. Main Menu is also available in the MacApp Store. Another favorite is free, OnyX.

You can find out more information about this “Mac Defender” malware in the following articles:

An AppleCare support rep talks: Mac malware is “getting worse” (at Ed Bott Microsoft Report on ZDNet (first article on it)

New Mac Malware Fools Customers, But Threat Still Relatively Small (Wired.com’s Gadget Labs)

Malware on the Mac: is there cause for concern? Ars investigates (Arstechnica)

Modern Mac owners need to ignore the dinosaurs and get protection (Hardware 2.0 at ZDNet)

Microsoft links fake Mac AV to Windows scareware gang (Computerworld)

Don’t Panic Over the Latest Mac Malware Story (SecurityWeek):

Now that we’ve established who benefits from Mac malware predictions — security companies and a certain type of IT professional — the second question is, do we care about the prediction that “serious” malware is coming to Macs? Only a little. It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes it less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

And with that, I will close this topic for the time being…

EDIT added Bleeping Computer article on removal of Mac Defender and the last article from Hardware 2.0 at ZDNet and Microsoft links face Mac AV to Windows Scareware Gang at Computerworld and Don’t Panic Over the Latest Mac Malware Story at SecurityWeek.

Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

These are being used to steal secrets from corporations, likely through downloaded and emailed MS Word documents such as Excel.

Adobe is working on patches for Flash 10.2.x and for earlier versions as well, for just about every OS out there.

Adobe Reader X protected mode will “prevent an exploit of this kind from executing.” The actual fix won’t come till their normal patch cycle in June for Adobe Reader. So be sure to get the latest version (Adobe Reader X)!

Much more in the article including information and links to Adobe’s security release.

One affects email and the other affects browsing/surfing the Internet. Both bad news, and we all need to be very aware of what has happened and why we have to be very vigilant in making sure we don’t click on links in email, open attachments sent in email, or respond to potential unexpected boxes and requests while surfing the Internet.

Financial and payment services are the biggest areas being hit right now, and will continue to be so much more effective and dangerous due to the current economy while people scramble to survive around the world.

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)

Lizamoon/LizaMoon drive-by rogue malware infection

Lizamoon is a drive-by rouge antimalware or antivirus download infection. Thankfully you generally have to take some action to allow it to install as noted by Fred Langa in the comp copy of WindowsSecrets.com newsletter in his article entitled, “LizaMoon infection: a blow-by-blow account“. Must read!

The most important takeaway is that Fred said he had to take action on four separate occasions before the infection took place:

On the other hand, deliberate choices and actions by a user can defeat any software. LizaMoon required my active, voluntary involvement four different times before the infection took hold.

LizaMoon wasn’t even subtle: I had plenty of warnings and opportunities to abort the process, the malware itself provided abundant clues to its own bogus nature (such as an inability to keep its aliases straight).

Much more in the article. A must read for all who surf the Internet to be able to identify this rogue drive-by infection when it happens/if it happens.

The biggest takeaway:We can prevent these types of things by being aware and not clicking on things just because they are presented to us while surfing the Internet.

Epsilon breach – Spear Phishing attacks

Epsilon is an outsourcing marketing company for many big companies/banks. They have a huge database of people’s email addresses, names and the company or bank associated with each email address. This makes the spear phishing, generally a very effective social engineering technique and can make their attacks via email so much more effective…mainly because they know the email addresses are real, and more importantly they can link the real name and the actual company/bank connected the email address.

Computerworld reports, “Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.”

Brian Krebs (KrebsOnSecurity) and Heise Online Security report,

Epsilon has now confirmed that approximately 2 per cent of its total clients were affected. According to a blog post by security blogger Brian Krebs, financial services company Visa and American Express (Amex) say that they were not impacted by the Epsilon breach. However, the following banks, service providers and online retailers are said to have been affected:

1-800-FLOWERS
AbeBooks
Air Miles (Canada)
Ameriprise Financial
Barclay’s Bank of Delaware
Beach Body
Bebe Stores
Best Buy
Benefit Cosmetics
Brookstone
Capital One
Chase
Citigroup
City Market
College Board
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Euro Sport (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s Electronics
Hilton Honors Program
Home Depot Credit Card (Citibank Editor)
Home Shopping Network
JPMorgan Chase
Kroger
Marks and Spencer
Marriott
McKinsey Quarterly
MoneyGram
New York & Co.
QFC
Ralph’s
Red Roof Inns
Ritz-Carlton
Robert Half International
Smith Brands
Target
TD Ameritrade
TiVo
U.S. Bank
Walgreen’s

Much more in these articles, must read, as well as others on the web including WashingtonPost, eWeek, BBC, and others.

The biggest takeaway: Don’t believe everything you see in email. Don’t trust links or downloads in email. Check with the person who sends it before opening any downloads and don’t give out information from your bank, and other sites, etc. unless you can confirm it definitely came from them. You can always go to the site directly from your own bookmarks/favorites and login to ensure you get to the right place. Don’t use their links in email unless you can verify it’s really from the company. In fact, one can get into trouble and get further compromised by clicking on links in email.

Side note: this is why I do not view email as HTML. So much can be hidden behind all the pretty pictures and code.

And be prepared. Keep your antivirus software and antimalware program as well, clear your Internet cache frequently. If you suspect you have been hit with one of these rogue antivirus/antimalware attacks, unplug the Internet/network cable from your computer to prevent further harm and take appropriate action by running Malwarebytes Antimalware, CCleaner (or other temporary Internet cleaner program you use), and then a scan with your antivirus software and take whatever recommended action they call for. Links to these programs provided on our Resources page.

If you make sure both of these are updated before you surf for the day, you will be in a much better situation should you somehow get hit with something.

And do your backups, and have an image of your OS to restore from if it becomes necessary. Windows 7 makes this very easy to do with their built-in image creator and backups, and system repair disk.