Four-star review of SafeCentral

PC Magazine published a review of SafeCentral 2.0 today, giving our latest version 4 stars. You can read the entire review here. Neil Rubenking, the reviewer, looks at a lot of products and has a good eye for what works and what doesn't. This is his second look at SafeCentral.

If you haven't given SafeCentral your first look yet, here is a little flash video to whet your appetite. Visit www.safecentral.com for the full story.

Safe Travels

I've been on constant travel for the past month, connecting to various hotel, airport and coffee shop wireless networks, and talking with people about information risks while on the go. More and more travelers--business people, vacationers, kids and grandparents--are using laptops, netbooks and smartphones to stay connected, informed and entertained on the road and in the air. Our computers are more susceptible to infection by malicious software when we are on the move, connecting to different networks and dealing with distractions caused by unfamiliar surroundings and fear of missing a connecting flight. We are also far away from our safety net of computer support, whether that is the computer help desk at our company or the "computer guru" friend you can depend on to help you out of a jam.

True Story
I was sitting on an airplane at the Charlotte, NC, airport waiting to return home after visiting a couple of banks. Another business traveler sat down next to me and asked if I connected to the free Wifi the airport provides in the terminal. "I connected to the network and saw a certificate warning page," he said, "I clicked past that page and a few minutes later my McAfee antivirus started alerting me about viruses on my computer." I introduced myself and offered to take a look when we got up to cruising altitude.

We opened his laptop and I reviewed the virus alerts and looked in his browser cache. He said the only thing he did was connect to the network and open his browser, which loaded the Yahoo home page. I saw the file McAfee was complaining about, which was a download triggered by a javascript file downloaded from a server in China about a minute after the Yahoo home page loaded.

A little more reverse engineering and I found that a flash ad on the Yahoo home page had infected the computer and installed a downloader which started downloading all manner of malware. McAfee was not telling him it had blocked the infection, it was telling him he was already infected. The first Flash exploit got right past his antivirus protection with no problem. It wasn't until the second or third install of malware that McAfee finally noticed something was up.

Turns out the guy was general manager of a US company and this was the laptop he used for his corporate computing, commercial banking, everything. I strongly recommended that he rebuild the laptop, reinstall all the software and in the meantime refrain from any banking or other sensitive online use. But he was on the way to important meetings and far away from his IT support group. I invited him to stop by our offices near West Palm Beach, Florida for some cyber-assistance but I never heard from him again. I'm pretty sure he continued to use his compromised laptop, perhaps after trying multiple antivirus scan-and-clean routines.

Preparing for Travel

Given the increased chances for malware infection while traveling, here are a few things we can do to be safer on the road. These steps should be completed the day before you head out on your business trip or vacation.

1. Update Windows - Run Windows Updates and install all updates. This is your chance to let Microsoft close as many holes as possible in your operating system and Microsoft programs.

2. Update Applications - Adobe Flash Player, Apple Quicktime and a few other applications are closely tied to web browsing and are prone to exploitation if they are out of date. In the anecdote above, an out-of-date Flash Player was responsible for the business traveler's infection. Run the vulnerability scan at Secunia for free. It's a great tool that shows you what is out-of-date and gives easy links to click to make it all better (see screenshot below).

3. Update Antivirus - And, of course, make sure your antivirus is updated with the latest definition files.

Secunia Online Scan for Out-of-Date Applications

Making sure your operating system, application programs and antivirus are up-to-date will give you the best chance to stay safe during your travels. Good luck!

Quips and Comments - RSA Conference 2009

I just returned from the RSA Conference in San Francisco where the focus was on cloud security, identity theft, data protection, and online fraud prevention. The Expo floor was busy, with lots of foot traffic and a higher-than-expected level of energy. Especially from the guy who escaped a straightjacket while balancing atop a high-rise unicycle and pitching a security product. We all have to multi-task.

More than half of my meetings were in hotel suites and other locations away from the Moscone Center. Power-walking between venues, it took me a while to realize that the biz-hipsters in hair gel and rock-star sunglasses were not the new wave in computer security--they were from the AdTech conference in the Moscone Center West. Yes, geeks, infosec is still in our hands.

The "gubment" was there--in the towering National Security Agency booth/condo. They could neither confirm nor deny jamming my iPhone.

More seriously, Defense Secretary Robert Gates was interviewed during the week on CBS News about cyber-spying. It's worth noting that the same basic techniques are used by spies stealing government secrets and crimeware operators stealing consumer identities. If the government cannot stop spies from stealing secret plans for our latest fighter planes or infiltrating presidential campaigns, what chance do ordinary citizens have protecting their bank accounts?

I'd like to thank Neil Rubenking, PC Magazine Lead Analyst and AppScout contributor, for taking the time to meet with us, talk about SafeCentral 2.0 and post his observations on AppScout.

When Websites Attack

Wouldn't it be crazy if a banking website infected our computer with a virus that steals money from our bank account? If you agree, then get ready for a big dose of crazy. Here's the inside scoop on a banking website we discovered doing just that: infecting its customers' computers with banking malware.

[Quick note: 60 Minutes ran a segment yesterday on infected websites. You can view the segment here. They interviewed a woman who watched her bank account get hacked before her very eyes.]

During a routine scan of banking, shopping and financial services websites, the virus lab here at Authentium discovered malicious code on the website of a credit union in Lousiana. The code, which would have been invisible to us humans, was inserted at the bottom of each web page on the site. Here are some Before and After shots of the site, showing the source code:

Before

After

What does this code do?

Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other "good" code that shows us the text, images and links that make up the web page we're viewing. The bad code is smart. It pulls down more code from various places, jumping from China to the Ukraine and back to China. It's pretty tough for the good guys to track down the bad guys with that kind of world-hopping behavior. Here's a simple view:

During Step 3, the code tries to infect our computer, betting on the fact that our Windows software is not up to date like Microsoft warns here, or we have not updated our Adobe PDF viewer like Adobe warns here and here. In spite of these warnings from software vendors, an alarming percentage of computers remain out-of-date and vulnerable to infection.

The code in Step 3 is identified on http://www.virustotal.com/ as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. If you were running Trend Micro or McAfee when you visited the site you would not have been protected.

http://www.virustotal.com/ analysis of the infection

So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.

How did the code get there?

It's likely that the company managing the website did not keep the operating system, database, web server or other software up-to-date, allowing criminals to gain administrative access to the server and insert the bad code. They need to make sure the servers are up-to-date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.

Happy Ending?

The malicious code has been removed from the banking website we are profiling here. That doesn't mean it won't be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. SafeCentral is designed to provide safe web transactions even if you've been unlucky enough to visit a website that has infected your computer.

Kids Download the Darndest Things

As a kid I loved to hunt wild creatures, trap them and bring them home alive. Snakes were my favorite. My mom still tells the story of my bringing home a four foot reptile during her tea party with neighborhood moms.

These days kids are just as likely to introduce dangerous creatures of the digital kind into the home computer.

An interesting segment appeared on NBC's Today Show this morning that describes the risk. The story focused on kids who downloaded and used a file sharing program to access music online. Unfortunately they were using the same computer that Mom and Dad used to prepare the family tax return and did not realize the completed tax forms were shared for the entire world to see! Any identity thief could simply type "Tax Return" into their own file sharing program's search field and find the family's 1040 form ripe for the picking. The family profiled in the Today Show story had their tax form filed electronically by an online thief who was very happy to receive their $2000 tax refund.

There are more insidious risks to file sharing networks: they are an excellent means for spreading Trojans that quietly infect computers, remain under your antivirus radar, and do more long-term damage than grabbing a tax return. File sharing programs are used by millions of users around the world to download "free" software. Need Photoshop but don't want to spend the money? File sharing programs can deliver you a "cracked" copy (a permanent free trial) or a key generator you can use to generate your own license key. Bogus key generators ("keygens") are the most common form of malware on file sharing networks.

Malware distributors watch for file sharing searches of any and all keywords and immediately offer up files that match the keywords. Searches for "Benjamin Franklin" in a file sharing program will return hits like "Benjamin Franklin keygen" or "Benjamin Franklin Greatest Hits." The files these search results point to can be executable programs or songs and videos that can deliver infections to computers that play them.

Here is an example of a file sharing search this morning. The marked entry, "benjamin franklin KeyGen," is identified by Authentium's Command Anti-Malware as "W32/Trojan2.FXIS." This is a trojan that infects the Windows login service so it runs every time a user logs in. What does it do next? Anything it wants to.



These infections can include Banking Trojans, Keyloggers and DNS Changers that are described elsewhere on this blog.

Kids do download the darndest things. Authentium's SafeCentral provides secure banking and shopping even on computers that may have been infected by the kids.

Now I'm going to call my mom and remind her that none of the snakes, crabs or lizards I brought home ever emptied the family bank account.

Update:
March 16, 2009: A couple of media outlets picked up on this story over the weekend:

Dallas Morning News - Pamela Yip covered the story in Sunday's paper here:
Protect your personal data when filing taxes online

MarketWatch - Andrea Coombes included it in last Friday's Taxing Times and will be following up with more this week in the Market Watch Personal Finance section

The Next Internet..Now

Internet Security is broken, and the best way to fix it is to start over. This is the idea presented in an excellent article in the New York Times this weekend: Do We Need a New Internet? John Markoff describes "a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over."

This is an excellent topic for debate and discussion among Internet technologists and everyday users alike. Technologists can (and will) endlessly debate the merits of a revolutionary approach like the Clean Slate program at Stanford versus a more evolutionary approach to incremental improvements like deploying DNSSEC and IPv6. Whichever approach we take, it is safe to say the solution will take decades to develop and get into mass deployment.

But the fact that stands out clearly is: Something Must Be Done.

Authentium has taken a revolutionary approach to Internet security and developed a solution that gives users access to The Next Internet, now. We recognized the limitations of DNS and the critical impact its compromise can have on Internet transactions. We saw the "maddening" failure of antivirus and firewall suites in their efforts to keep computers clean of infection by identity-stealing malware that allows criminals to "take over someone's computer from half a world away."

So we developed SafeCentral, which has its own Secure DNS and its own hardening against the keyloggers and screen-stealers found in Banker Trojans. Our goal was to create an island of safety on a computer that is otherwise adrift on an unsafe Internet, which is the only Internet we have right now.

Is there Safety in the Cloud?

Web applications that run in Data Centers can be well-protected with physical, network and system security by applying sufficient people, processes and technology to manage infrastructure that is directly under the control of operations staff.

Unmanaged endpoints, like desktop computers of tele-workers or laptops of mobile users who access these applications, can introduce holes into an otherwise complete security model.

The best efforts of server and network professionals can protect data in the server farm, but data that originates from or is downloaded to compromised endpoints is subject to theft and exploitation.

So, yes, there is safety in the cloud, but the endpoint is another matter.

Authentium's SafeCentral is an endpoint-based solution that creates a secure footprint on an otherwise unmanaged computer to allow it to access sensitive data and applications and block data leakage. Such leakage can result from mass-market or targeted attacks on endpoints that install keyloggers, SSL data hijackers, remote access tools or other malware.

SafeCentral creates a managed session on an otherwise unmanaged computer. SafeCentral applies special, restrictive policies to the unmanaged operating system during web application usage such that data and functions the application makes available can be shielded from monitoring, recording and theft by malware that has infected the endpoint.

Examples of shielding include:

• Blocking keyloggers


• Blocking screen capture


• Preventing code injection that can steal data even out of SSL/TLS-protected web connections


• Providing alternate, secure DNS lookups that bypass vulnerable DNS resolvers


• Providing browser lockdown that blocks malicious plugins and extensions

Online banking is a good example of extremely sensitive web applications that run on unmanaged clients. Banking trojans are increasingly used by online criminals to take advantage of these access points to create a multi-billion-dollar industry of fraudulent transactions. The largest banks around the world will be deploying SafeCentral to their clients during 2009.

There will be many interesing ways in which remote desktops, virtual machines or virtual browsers on the client side, and other security approaches evolve over the next decade. Given that Citrix Winframe has been available for over a decade, it's clear that these technologies take time to achieve maturity and large-scale deployment.

SafeCentral is available now as a managed service that provides a secure web application client on Windows endpoints that are prone to infection and exploitation even when antivirus, antispyware, firewall and other security software is already installed. Data Center staff cannot also take responsibility for keeping endpoints clean of malware, but they can require use of SafeCentral to access their server-side applications and rest assured that web sessions remain private and protected.

Where Did All the Nice Web Sites Go?

There is a new report out from Websense that summarizes their research into the status of web-based malicious code in the second half of 2008. The major takeaway for me was: there are no safe web sites anymore. By "safe" I mean not likely to contain malicious code that will infect your browser or your computer.

Here are a some snippets from the report:

77 percent of Web sites with malicious code are legitimate sites that have been compromised.
By "legitimate sites" they mean web sites that Internet users would not expect to be hosting malicious code. Sites like the New York Times, Business Week, and CNET. It's remarkable that Websense numbers show there are more legitimate websites distributing malware than there are malicious websites set up by the bad guys!

70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
A large majority of the most-visited web sites on the Internet either had malicious content on them or had links to malicious sites posted by users who exploit social networking features like comments and messages.

39 percent of malicious Web attacks included data-stealing code.
If you regularly visit web sites in the top 100 most-visited sites, chances are you were exposed to malware. You could still be safe if your operating system, web browser and plug-ins like Adobe Viewer and Flash were all the latest versions AND you did not encounter an exploit for an unpatched vulnerability. Secunia's statistics show that less than 2% of computers are fully patched, and over 45% have 11 or more insecure programs.

These numbers show the shocking truth: there is a very high chance an average Internet user will get infected with data stealing malware even if they stay on the well-lit, well-traveled portions of the web.

Dedicate a Computer for Banking and Shopping
My advice is to keep a dedicated computer for banking and shopping. Here is a checklist for this "safe computer:"

• Make sure Windows Updates are set to automatic.
• Always keep Adobe and Flash plugins up-to-date (make sure you don't click on fake update windows).
• On this dedicated computer, never visit any social networking site like MySpace or Facebook.
• Do not view any videos.
• Do not check your email.
• Do not read news sites.
• Do not install any programs other than a web browser like Firefox or Safari.
• Do not use Internet Explorer.
• Wipe the disk and re-install Windows once every three months (more frequently if it starts behaving erratically)
• If you are up to it, use Linux rather than Windows

I know this is a large list and it may be easier to lose weight and quit smoking than abide by its rules. I hope you're not reading this list on your dedicated safe computer, because you will have just broken a rule!

Another thing you can do is install SafeCentral and use its secure browser for banking, shopping and financial services. We built SafeCentral knowing that there are too many hoops a user needs to jump through to keep their identity and their money safe online.

The Promiscuous Browser in a Dangerous World

Microsoft released an urgent patch for a critical Internet Explorer vulnerability yesterday, highlighting the risks our web browsers represent to our online safety. Web browsers in general, and Internet Explorer specifically, are the most promiscuous programs we run on our computers. "Promiscuous" refers to the quantity and diversity of web sites we visit, content we view, programs we download, and sensitive information we exchange when browsing the web. Browser promiscuity also refers to what happens after we type a URL into the address bar. The browser first downloads an HTML page that includes tags and pointers to other content: images, stylesheets, scripts and videos. This content can come from many different web servers operated by many different organizations and can carry harmful data that infect our computers, steal our data or just sit there, undetected, until an online criminal issues remote commands to bring it to life.

Richard Adhikari posted an excellent article on InternetNews.com that describes the Internet Explorer patch, why it was necessary and what it means for online safety going forward. The multitude of exploitable features in Internet Explorer make it an excellent target for online criminals seeking to gain control of our computers and our bank accounts.

Simply put, it is not reasonable to use one browser for everything we do on the Internet. It is important for us to segment our web activities into two basic buckets:

Casual Web Use
Casual use includes reading the news, listening to music, researching recipes, and clicking links to the latest must-see Flash video our friends send us in email.

Sensitive Web Use
Sensitive use includes online banking, shopping, applying for a job, or any other transaction that requires information we would not want everyone to know.

Casual use is where we are most likely to get our computer or browser infected. It's easy to visit hundreds of websites a month, clicking from link to link, moving from reasonably safe websites to a dangerous Internet neighborhood where crimeware infections are likely to occur. Sensitive use is where we are most likely to get our money or identity stolen if we are using an infected computer or browser. Moving from one activity to the other with the same browser is just not smart. I like the excerpt from court-ordered wiretaps of Illinois Gov. Rod R. Blagojevich, quoted here from a Department of Justice press release:

"assume everybody’s listening, the whole world is listening."

That is smart advice for Internet users. If you have casually browsed the web for a few weeks or months on your computer, there is a high likelihood you have been infected through a web browser vulnerability. Infections can include "banker trojans," password- and money-stealing programs that listen in to your online banking sessions. So, when you move from casual use to sensitive use, assume the whole world is listening.

Safe Web Use
A new category of web usage that we are pioneering at Authentium is "Safe Web Use." Safe Web Use means we assume "everybody's listening" and still protect your sensitive online transactions. Our SafeCentral service helps to automatically switch between Casual and Sensitive web use and kicks in extra protection to block crimeware that got past your antivirus software during a casual web browsing session. SafeCentral stops keyloggers, screen-stealers, harmful browser plug-ins and many other crimeware components. We also provide a Secure DNS services that protects against another class of threat: DNS redirection.

So, be sure you get yesterday's Internet Explorer patch. But please understand that yesterday's patch will not protect against tomorrow's exploit. In October Microsoft released an unscheduled, critical update for Windows. Chances are the online criminals are already working on exploits we will only hear about in January or February.

Also be sure to check out SafeCentral and be safe even if everybody's listening.

DNS Changer Learns a New Trick

SANS, Symantec, McAfee and others have reported on a new trick that malware is using to redirect unsuspecting users from authentic web destinations--the name we type into the browser address bar or pick from our favorites--to a web server operated by the Bad Guys. These guys can set up web sites that look just like the real Citibank or Wachovia but are designed to steal our user ID and password or transfer money out of our account.

The trickiest part of the new trick is that we can follow all of the best security advice and still be susceptible. If one user on a Wifi network is infected with this new DNS Changer, all users who connect to that network can have their DNS settings changed by the one infected computer. So that guy who is halfway through his latte when you sit down in the coffee shop and open your laptop could be a threat to you. Even if you are super careful about the websites you visit and the security software you have installed.

How?
DNS is the Internet-wide system that translates names like "online.mybank.com" into the numerical address our computers need to actually connect to MyBank. If the Bad Guys control your DNS, they control where your web browser really goes when you think it is going to PayPal.

Every time we open our laptop and connect to a new network, a router on that network will send down settings that let us connect, (pay!), and get out on the Internet. The new DNS Changer trick is this: a computer infected with this DNS Changer variant will listen for new computers requesting a connection on the same network (the same coffee shop) and try to answer with Bad Guy settings before the "official" router can send it the "official" settings.

As fundamental as DNS is to the operation of the world-wide web, it's amazingly susceptible to compromise. This new DNS Changer behavior capitalizes on the vulnerability of DNS settings and: (1) leaves no traces, (2) doesn't require your computer to be infected with anything that your antivirus software will complain about.

Now What?
This is why we invented SafeCentral. SafeCentral includes a unique Secure DNS feature that protects against DNS Changer and other threats. SafeCentral uses it's own DNS. It uses Authentium's Secure DNS servers and it does so through an encrypted (HTTPS) connection.

So even if we connect to a Wifi hotspot that is hosting an infected computer, we can happily browse the web, bank and shop safely.