MS Word users warned of ongoing attacks exploiting unpatched bug

Microsoft warns Word users of ongoing attacks exploiting unpatched bug – Computerworld

Biggest worry, says expert, is that exploits are triggered just by previewing malicious messages in Outlook 2007, 2010 and 2013

Microsoft today warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software.

The company also published an automated tool to protect customers until it issues a patch.

An attacker could cause remote code execution if someone was convinced to open a specially-crafted Rich Text Format (RTF) file or a specially-crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer,” said Dustin Childs, group manager and spokesman for Microsoft’s Trustworthy Computing group in a blog Monday.

BOLD in the quote is mine.

Microsoft put out a Security Advisory 2953095 as Corrine noted on her Security Garden Blog including Fix it buttons for enabling and disabling reading email messages in plain text format.

This is one of the things for which both Microsoft in Outlook and Apple in Mail have massively fallen down on the job. This would not be happening if you could easily toggle various view options such as HTML or Plain Text for reading emails, as well as allowing and disallowing images inline.

This is something that I am very thankful that Mozilla Thunderbird got right from the very beginning. Mozilla Thunderbird gives very granular control regarding the various ways to Display email messages such as in PLAIN TEXT, SIMPLE HTML (simple html with javascripting disabled), or ORIGINAL HTML.

You also have control over how images are displayed or not in several ways and differentiating between attached images and remote images.

You can also close to enable do not track in emails. There are Security Add-ons like Adblock PlusEnigmail (OpenPGP), more. As well as lots of specialized Add=ons. One of these that I like is QuickText and a few others. It works on Windows, Mac and Linux.

There is also a pay to play $9.95 I think, but also has a free trial. It was originally for Macs and now there is a Windows version as well. It was created by the original developers of Thunderbird called Postbox. It has some but not all the Add-ons that Thunderbird has.

/rant on

I am not saying everyone should move to Mozilla Thunderbird. What I am saying is that Microsoft Outlook and Apple Mail should give their users these types of granular control so people can choose how they wish emails to be viewed. Both do some things but they stop way short of what is really needed in this day and age with emails.

HTML is like a venetian blind. It hides what is behind it. You can’t see what is behind all that HTML. You can’t decide to see HTML only if you trust the email after viewing what is in that email. This makes it way too easy for phishing emails to look like your bank, PayPal, your credit card company, etc. It also allows companies to track you with web beacons, transparent gif images and other remotely loaded images so they know if and when you view their email.

Something needs to be done about all this. Mozilla Thunderbird makes it so easy for folks to be able to toggle images so they can’t track you, use SIMPLE HTML to keep the ‘form’ of an email message without the more dangerous javascripting. Or allows you to totally view the email in plain text so you can see that that link that appears to be going to your bank actually goes to some strange URL that has nothing to do with your bank or a store you may or may not do business with.

People need these tools. Some may or may not realize it, but they really do.

I have heard so many people say that the email look just like it was from their bank and they fell for it. Or a store they frequent and gave up their login credentials by clicking on the link rather than going to the website because it looked like it was the store’s promotion.

Sure, no one should click on links in email, but if it looks legit, many do. Sure, if you like something in a promotion for a store, it might be better to just go to the store’s website but some stores really don’t have a page on their website that is clickable to get you there, unless you click on the link in an email. Also, the links are often obfuscated by third party trackers and campaign tracking sites, etc. This all makes life very difficult for email users to know what’s good and what’s not.

OK, I will get off my soap box now.

/rant off

 

Advertisements

LibreOffice Community Gets Free E-Mail, Jabber And SIP Addresses @Libreoffice.Org

LibreOffice Community Gets Free E-Mail, Jabber And SIP Addresses @Libreoffice.Org

The Document Foundation (TDF), the charitable entity behind LibreOffice, the leading free office suite, today announces the upcoming availability of @libreoffice.org addresses for its members, starting July 1st. To foster the rapidly growing community and help it with their daily engagement, the foundation will provide a variety of free services under this domain. As of today, these are:

  • an e-mail address with a fully-featured IMAP account, alternatively an e-mail forwarder
  • a Jabber/XMPP address for instant messaging
  • a SIP/VoIP account for voice conferencing

Those services will be, beginning July 1st, provided free of charge to all members of The Document Foundation, and are made possible with the generous help of our supporters, whom we’d like to thank on behalf of the community!

More info in the article.

Emails with Malware URLs

It is amazing to me how many malicious emails one can get!

Just today, I got one that purported to be from CNBC, however, the link was not any of the CNBC franchise websites. So I thought, well, maybe I missed one?

I searched Google for the root domain name in email link and it tried to give me real life news channel results which were of course all legitimate websites, not the dangerous one that was in the email.

However, it did give the ability to search on the exact domain again if I really meant it, which of course I did. The only links available — which I was very happy to see — for that domain name were several links to malwareURL.com – (The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats) that exposed the website in the email as a malware site for a work at home scam:

This web site is a known security risk – Detailed web site security report

Security Category: Work-At-Home scam

The results on the link above about the website stated the following:

Domain matching reallivenewschannel.com were found in our database.

1348 other active domains were found on 707 IP(s) for AS30058 (FDCSERVERS)

Show the report for AS30058 (FDCSERVERS)

Malicious URLs on reallivenewschannel.com
/weeknews/lastnews.php
/weeknews/go.php

Blacklist
Google
Google Diagnostic Page

My WOT
WOT Score Card

hpHosts
hpHosts listing

MalwareDomainList
MDL listing

After the above information, there was information specific to the domain.

Interestingly, the domain appears to be registered in NY, USA.

The name servers are in .RU/Ukranian domain origins.

In addition, this malware link in the email had a prefix that looked like the following, except I changed the numbers in the link:

cf533cb444.reallivenewschannel.com

NOTE: Notice the above is not a live link as we don’t want to visit under any circumstances, unless you are a security researcher preferably using a throwaway Virtual Machine or live CD.

If I had looked at this email in full HTML as it was intended by the malware purveyors, it would have looked somewhat like the following in simple HTML except it would likely have had the look of a CNBC website rather than just the text as it does in simple HTML:

A CNBC Event – Work At Home Mom Makes Almost $10,000/Month, Part-Time

Patricia Feeney of , never thought she’d have a job working at home until she filled out a simple form online, one afternoon. Before she knew it, she had discovered her secret to beating the recession and no longer had worries about being able to provide for her family – and she did all of this by working from home. » Continue reading

CNBC
To unsubscribe to this email click here. If this e-mail was forwarded to you and you’d like to sign up for additional alerts from CNBC click here.

© 2012 CNBC, Inc. All Rights Reserved. 900 Sylvan Avenue, Englewood Cliffs, NJ 07632

See where the Continue reading is? That was the link, totally obfuscated from view to trick users into thinking it was a CNBC link when actually it was linked to the full malware URL I have been discussing in this posting.

Pretty convincing isn’t it? Looks like a legitimate email from CNBC.

If you looked at the email source, you would also have seen that the real Return path is not CNBC, but a user from a .pl domain.

Thankfully, SpamAssassin did give it a 6.5 Spam Status level (required was 5 so it was 1.5 beyond the level required to be considered Spam. X-Spam-Report says the following:

X-Spam-Report: 
*  2.3 FROM_STARTS_WITH_NUMS From: starts with many numbers
*  1.8 URI_HEX URI: URI hostname has long hexadecimal sequence
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.1 RDNS_NONE Delivered to trusted network by a host with no      rDNS

Sadly, many emails that look like they originate from legitimate sites come in every day and people are often fooled by them. Many times just because they look at emails in HTML.

These types of things would fall by the wayside if everyone was more wary and understood that when they send out millions of emails like this likely every day or every week, it only takes 1.5% of the people to respond to make it well worth while to the spam, malware, phishingspear phishing, or scam (or any combination together) purveyors.

Also check out the Anti-Phishing Workgroup website for more information.

There are many of us who have been using email clients that allow you to view emails as Plain Text such as; Thunderbird (opensource – free – accepts donations), Postbox ($9.95 – based on Thunderbird and by original Thunderbird developers), Pegasus (free but proprietary – accepts donations), and there are many others that allow plain text. Most Linux based email clients give this ability as well.

Oddly, however, although Apple Mail granularly allows you to choose (after already choosing the email message) to read in plain text on an email by email basis — Apple Mail DOES NOT have an option in Preferences that allows you to choose to view emails as Plain Text by default which would prevent many problems with these dangerous types of emails. This is very sad news for Apple users. Microsoft Outlook DOES NOT give users the ability to view emails in Plain Text either (on an email by email or by option in preferences). I would very much like to know why Microsoft and Apple do not give that option to people. These are the two most ubiquitous email clients used in OS X and Windows.

I have read emails in plain text from the very beginning. Intentionally. Simply because I don’t want to be accidentally fooled by this type of  spammalwarephishingspear phishing, or scam.

Email clients like Thunderbird (opensource – free – accepts donations), Postbox ($9.95 based on Thunderbird and by original Thunderbird developers), Pegasus (free but proprietary – accepts donations) give the ability to view in original HTML, simple (non-executable) HTML or Plain text. They also give you the ability to allow or disallow images inline! Very important if you wish not to be tracked by email senders with beacon ads, web beacons, web bugs. These email clients also give an easy way to view the source of an email so you can do your own investigation of information in the headers or body of the email, and to facilitate sending comprehensive email information about spammers, etc. to sites like PayPal, Google, eBay, your bank, etc.

Sadly even many website based email clients, like GMail, Yahoo Mail, Outlook.com, Hotmail, MSN Email, etc, go only half way in regard to these very necessary capabilities … if that.


			

Religious websites riskier than porn for online viruses: study

Religious websites riskier than porn for online viruses: study – Raw Story

Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.

“Drive-by attacks” in which hackers booby-trap legitimate websites with malicious code continue to be a bane, the US-based anti-virus vendor Symantec said in its Internet Security Threat Report.

The same article, or variations on the theme have been have been run by many news/technology venues such as InformationWeek, NYDailyNews, WallStreetJournal Blogs, CSO Online, PCWorld, etc. Many created their own stories from the report, so well worth a read.

Where did all this information come from:
Symantec Internet Security Threat Report – 2011
Symantec Logo - Confidence in a Connected World - Click to view Malicious Code Threat Report 2011

Malware in 2011
By analyzing malicious code we can determine which threats types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first-line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers.

Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. …

The reference about religious sites?

Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.

And here’s just one more small area of the report:

Exploiting the Web: Attack toolkits, rootkits and social networking threats

Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.
On average, attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities like Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks.
They are relatively easy to find and sold on the underground black market and web forums. Prices range from $40 to $4,000. …

The whole report is well worth a read! There is only so much you can put into an article.

Much more in the report!

Lizamoon and Epsilon breach

[tweetmeme source=”franscomputerservices” only_single=false]There are two major things that users need to be aware of right now, as if there weren’t enough already. 😉

One affects email and the other affects browsing/surfing the Internet. Both bad news, and we all need to be very aware of what has happened and why we have to be very vigilant in making sure we don’t click on links in email, open attachments sent in email, or respond to potential unexpected boxes and requests while surfing the Internet.

Financial and payment services are the biggest areas being hit right now, and will continue to be so much more effective and dangerous due to the current economy while people scramble to survive around the world.

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)

Lizamoon/LizaMoon drive-by rogue malware infection

Lizamoon is a drive-by rouge antimalware or antivirus download infection. Thankfully you generally have to take some action to allow it to install as noted by Fred Langa in the comp copy of WindowsSecrets.com newsletter in his article entitled, “LizaMoon infection: a blow-by-blow account“. Must read!

The most important takeaway is that Fred said he had to take action on four separate occasions before the infection took place:

On the other hand, deliberate choices and actions by a user can defeat any software. LizaMoon required my active, voluntary involvement four different times before the infection took hold.

LizaMoon wasn’t even subtle: I had plenty of warnings and opportunities to abort the process, the malware itself provided abundant clues to its own bogus nature (such as an inability to keep its aliases straight).

Much more in the article. A must read for all who surf the Internet to be able to identify this rogue drive-by infection when it happens/if it happens.

The biggest takeaway:We can prevent these types of things by being aware and not clicking on things just because they are presented to us while surfing the Internet.

Epsilon breach – Spear Phishing attacks

Epsilon is an outsourcing marketing company for many big companies/banks. They have a huge database of people’s email addresses, names and the company or bank associated with each email address. This makes the spear phishing, generally a very effective social engineering technique and can make their attacks via email so much more effective…mainly because they know the email addresses are real, and more importantly they can link the real name and the actual company/bank connected the email address.

Computerworld reports, “Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.”

Brian Krebs (KrebsOnSecurity) and Heise Online Security report,

Epsilon has now confirmed that approximately 2 per cent of its total clients were affected. According to a blog post by security blogger Brian Krebs, financial services company Visa and American Express (Amex) say that they were not impacted by the Epsilon breach. However, the following banks, service providers and online retailers are said to have been affected:

1-800-FLOWERS
AbeBooks
Air Miles (Canada)
Ameriprise Financial
Barclay’s Bank of Delaware
Beach Body
Bebe Stores
Best Buy
Benefit Cosmetics
Brookstone
Capital One
Chase
Citigroup
City Market
College Board
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Euro Sport (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s Electronics
Hilton Honors Program
Home Depot Credit Card (Citibank Editor)
Home Shopping Network
JPMorgan Chase
Kroger
Marks and Spencer
Marriott
McKinsey Quarterly
MoneyGram
New York & Co.
QFC
Ralph’s
Red Roof Inns
Ritz-Carlton
Robert Half International
Smith Brands
Target
TD Ameritrade
TiVo
U.S. Bank
Walgreen’s

Much more in these articles, must read, as well as others on the web including WashingtonPost, eWeek, BBC, and others.

The biggest takeaway: Don’t believe everything you see in email. Don’t trust links or downloads in email. Check with the person who sends it before opening any downloads and don’t give out information from your bank, and other sites, etc. unless you can confirm it definitely came from them. You can always go to the site directly from your own bookmarks/favorites and login to ensure you get to the right place. Don’t use their links in email unless you can verify it’s really from the company. In fact, one can get into trouble and get further compromised by clicking on links in email.

Side note: this is why I do not view email as HTML. So much can be hidden behind all the pretty pictures and code.

And be prepared. Keep your antivirus software and antimalware program as well, clear your Internet cache frequently. If you suspect you have been hit with one of these rogue antivirus/antimalware attacks, unplug the Internet/network cable from your computer to prevent further harm and take appropriate action by running Malwarebytes Antimalware, CCleaner (or other temporary Internet cleaner program you use), and then a scan with your antivirus software and take whatever recommended action they call for. Links to these programs provided on our Resources page.

If you make sure both of these are updated before you surf for the day, you will be in a much better situation should you somehow get hit with something.

And do your backups, and have an image of your OS to restore from if it becomes necessary. Windows 7 makes this very easy to do with their built-in image creator and backups, and system repair disk.

Beware the emails bearing Adobe updates!

[tweetmeme source=”franscomputerservices” only_single=false]CNET article entitled, “Phishing scam masquerades as Adobe upgrade” reports, “Phishers use all kinds of come-ons to lure their victims. But one persistent piece of spam tries to trick people by offering an upgrade to Adobe Acrobat.

Detailed by security provider Cloudmark in a blog posted yesterday, this type of advertising spam e-mails users a notice to upgrade to the new Adobe Acrobat Reader. Those who click on the link are directed to a Web site touting the benefits of the software.”

Beware of emails bearing Adobe gifts – as Cloudmark blog entry shows, Do not download now!! They get so tricky!

Strong Passwords not needed you think? Think again.

[tweetmeme source=”franscomputerservices” only_single=false]To see why strong or secure passwords are really important, check out the following 3 page article at arstechnica.com:

Anonymous speaks: the inside story of the HBGary hack

Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.

Just a word to the wise, use secure/strong passwords, and don’t reuse passwords for anything.

It may be a little frustrating, but being hacked would be much more frustrating…

Must read article especially since these were supposedly security experts and they were taken down by simply not using security best practices.