Archive for the ‘Security Tools’ Category

Are You on the Pwnedlist?


2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised.

Pwnedlist.com is the creation of Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint. Enter a username or email address into the site’s search box, and it will check to see if the information was found in any of these recent public data dumps.

Puzic said the project stemmed from an effort to harvest mounds of data being leaked or deposited daily to sites like Pastebin and torrent trackers.

“I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords,” Puzic said. “That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised.”

Pwnedlist.com currently allows users to search through nearly five million emails and usernames that have been dumped online. The site also frequently receives large caches of account data that people directly submit to its database. Puzic said it is growing at a rate of about 40,000 new compromised accounts each week.

Puzic said the information contained in these data donations often makes it simple to learn which organization lost the data.

“Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Puzic said. “Other times it’s really obvious because all of the emails come from the same domain.”

Puzic said Pwnedlist.com doesn’t store the username, email address and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. As a result, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about from where the data was leaked.
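To make the hash-only design concrete, here is an added Python example (not pwnedlist.com's code; the dump contents, its "identifier:password" format and the dates are constructed for illustration) of an index that ingests a credential dump, keeps only a SHA-256 digest of each normalised identifier plus the date it was first seen, and answers lookups with a plain found/not-found result:

```python
import hashlib
from typing import Dict, Optional

# Constructed sample dump in the "identifier:password" form common to pasted dumps.
# Every value here is made up for the example; none is a real account.
SAMPLE_DUMP = """\
alice@example.com:hunter2
Bob.Smith@Example.org:letmein
cooluser99:password1
alice@example.com:hunter2
"""


def normalize(identifier: str) -> str:
    """Canonicalise an email or username so that case and surrounding
    whitespace differences do not produce different hashes."""
    return identifier.strip().lower()


def fingerprint(identifier: str) -> str:
    """SHA-256 hex digest of the normalised identifier. Only this digest is kept."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


class BreachIndex:
    """Maps identifier digests to the ISO date each was first seen.
    Plaintext identifiers and passwords are never retained."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}

    def ingest(self, dump_text: str, seen_on: str) -> int:
        """Parse a dump, hash each identifier and discard the plaintext line.
        Returns the number of identifiers that were new to the index."""
        added = 0
        for line in dump_text.splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue
            identifier, _password = line.split(":", 1)  # password is never stored
            digest = fingerprint(identifier)
            if digest not in self._seen:
                self._seen[digest] = seen_on
                added += 1
        return added

    def lookup(self, identifier: str) -> Optional[str]:
        """Return the date the identifier was first seen, or None.
        Nothing about the password or the source dump is revealed."""
        return self._seen.get(fingerprint(identifier))

    def __len__(self) -> int:
        return len(self._seen)


if __name__ == "__main__":
    index = BreachIndex()
    index.ingest(SAMPLE_DUMP, "2011-06-01")
    for query in ("ALICE@example.com", "bob.smith@example.org", "nobody@example.net"):
        hit = index.lookup(query)
        print(f"{query}: {'found, first seen ' + hit if hit else 'not found'}")
```

Because the digest is keyed on nothing but the identifier, anyone who can guess an address can test whether it is in the index; that is the intended behaviour of a public lookup service, and it is why the index must never retain the password field or the source dump, both of which the example drops at parse time.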

Any site that raises awareness about the benefits of strong passwords is a good thing in my book. But it is less obvious what action to take — if any — after finding a hit on your email address at pwnedlist.com. I searched for my email address, krebsonsecurity [at] gmail.com, and the site told me my address was found in the database on June 1, 2011.

Answering the question of, “What now,” pwnedlist.com offers the following advice:

“Don’t panic! Just because your email was found in an account dump we collected does not mean it has been compromised. Your first reaction should be to immediately change any passwords that might be associated with this email account. It is probably a wise idea to go through all your accounts and create new passwords for each of them, just in case. Once one account has been compromised its best to assume all others have been too. Better safe than sorry.”

My email password is ridiculously long and complex, but being the ultra paranoid type, I tend to change it frequently, and have done so several times since it landed in this database.

Length and complexity are two of the most important factors in determining a strong password. It’s also a good idea to periodically change passwords for sensitive accounts, provided you have a decent way to recover the password should you forget or lose it. Check out my Password Primer for a list of tips and resources to help create and protect strong passwords.

Puzic said that while his site does not store the usernames or email addresses submitted to the pwnedlist.com form, for security reasons he does keep a record of the Internet addresses of those who use the site: It seems some users have been trying to poison the database or include malware and exploits in data dumps submitted to the site.

“We have attempts about every other week [to plant malware or hack the site], but nobody’s done it yet,” he said. “We’ve had lots of different attempts. Someone tries just about every week.”

The two researchers plan to begin publishing regular updates to their Twitter account (@pwnedlist) when new data dumps are discovered. Longer term, Puzic said he has multiple goals for the site, including a longitudinal study on password security.

“I would love it if this could raise awareness about cybersecurity,” he said. “Also, it could serve as a good measuring stick for the amount of breaches that happen every day. For example, if you see that all of a sudden I have eight million more entries, something big may have happened.”

Flash Player Update Fixes Critical Flaws


Adobe today issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems.

Adobe said one of the bugs, a cross-site scripting flaw, is being exploited in the wild in targeted attacks to trick users into clicking on a malicious link delivered in an email message. At the moment there isn’t much more information about this vulnerability (other than that Adobe credits Google with reporting it). That may soon change if news begins to surface about which organizations were targeted with the help of this flaw.

According to Adobe: “This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.”

This update applies to Flash Player 10.3.183.7 and earlier on Windows, Mac, Linux and Solaris systems, and Flash 10.3.186.6 for Android. Adobe’s bulletin says the company is fixing at least six different security flaws in this update. The latest version for Android devices is 10.3.186.7; for all others it is 10.3.183.10.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Google: Your Computer Appears to Be Infected


Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.
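An added Python example (not Google's code; the log format, the addresses, which come from the RFC 5737 documentation ranges, and the "drained" server are all constructed) of the detection idea described above: requests arriving at a server that was taken out of rotation are themselves the signal, and clients that contact it at a fixed interval look like a periodic beacon rather than stray requests.

```python
import calendar
import re
import time
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

# Constructed request log: "<ISO8601 timestamp> <client> -> <server> <method> <path>".
# 198.51.100.10 is a server still in rotation; 198.51.100.99 has been drained.
SAMPLE_LOG = """\
2011-07-19T14:00:00Z 203.0.113.5 -> 198.51.100.10 GET /search?q=weather
2011-07-19T14:00:00Z 192.0.2.77 -> 198.51.100.99 GET /
2011-07-19T14:00:01Z 203.0.113.9 -> 198.51.100.10 GET /search?q=recipes
2011-07-19T14:01:00Z 192.0.2.77 -> 198.51.100.99 GET /
2011-07-19T14:02:00Z 192.0.2.77 -> 198.51.100.99 GET /
2011-07-19T14:00:30Z 192.0.2.78 -> 198.51.100.99 GET /
2011-07-19T14:01:30Z 192.0.2.78 -> 198.51.100.99 GET /
2011-07-19T14:02:30Z 192.0.2.78 -> 198.51.100.99 GET /
2011-07-19T14:03:30Z 192.0.2.78 -> 198.51.100.99 GET /
2011-07-19T14:00:05Z 203.0.113.5 -> 198.51.100.99 GET /
2011-07-19T14:03:00Z 192.0.2.77 -> 198.51.100.99 GET /
"""

# Constructed: servers that were taken out of rotation and should receive no traffic.
DRAINED_SERVERS: Set[str] = {"198.51.100.99"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Turn log lines into (epoch seconds, client, server, path); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, server, _method, path = m.groups()
        epoch = calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
        records.append((epoch, client, server, path))
    return records


def drained_hits(records, drained: Set[str]) -> Dict[str, List[int]]:
    """Group the timestamps of requests to drained servers by client address."""
    hits = defaultdict(list)
    for epoch, client, server, _path in records:
        if server in drained:
            hits[client].append(epoch)
    return {client: sorted(ts) for client, ts in hits.items()}


def beacon_period(timestamps: List[int], min_hits: int = 3,
                  max_jitter: float = 2.0) -> Optional[int]:
    """Return the beacon interval in seconds if the gaps between hits are
    nearly constant (population std dev <= max_jitter), else None."""
    if len(timestamps) < min_hits:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if pstdev(gaps) > max_jitter:
        return None
    return round(mean(gaps))


def suspected_beacons(text: str, drained: Set[str]) -> Dict[str, int]:
    """Clients that hit a drained server on a fixed schedule, with their period."""
    result = {}
    for client, ts in drained_hits(parse_log(text), drained).items():
        period = beacon_period(ts)
        if period is not None:
            result[client] = period
    return result


def drained_summary(text: str, drained: Set[str]) -> Tuple[int, int]:
    """(total requests to drained servers, number of distinct clients sending them)."""
    hits = drained_hits(parse_log(text), drained)
    return sum(len(ts) for ts in hits.values()), len(hits)


if __name__ == "__main__":
    total, clients = drained_summary(SAMPLE_LOG, DRAINED_SERVERS)
    print(f"{total} requests from {clients} clients reached drained servers")
    for client, period in suspected_beacons(SAMPLE_LOG, DRAINED_SERVERS).items():
        print(f"{client}: contacts drained server every {period}s (beacon-like)")
```

The single stray request from 203.0.113.5 is counted in the volume summary but not flagged as a beacon, which is the distinction that matters when deciding which clients to notify: volume alone says something is wrong, periodicity says which hosts are running the component that phones home.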

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.

Apple’s i-Patches Fix Critical iOS Flaws


Apple has issued a software update that fixes at least three serious security holes in supported versions of its iPhone, iPad, iPod and iPod Touch devices.

The patch targets security weaknesses in the way iOS devices render PDF files. Experts have been warning that attackers could leverage the flaws to install software without warning or permission if users were to merely browse to a malicious site. The update fixes the same vulnerabilities that jailbreakme.com has been using to help people jailbreak Apple’s i-devices.

The Apple update — iOS 4.2.9 or iOS 4.3.4, depending on your device — can be downloaded only from within iTunes. If you are planning to jailbreak your device, visit jailbreakme.com, and then apply the unofficial patch that the Dev-Team released to help jailbreakers protect their phones from further abuse of the vulnerabilities.

Microsoft Fixes Scary Bluetooth Flaw, 21 Others


Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 to 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user. The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.

Microsoft’s advisory states: “Windows Vista and Windows 7 support a wide range of Bluetooth radio devices, and will install the Bluetooth driver when a removable Bluetooth device is added to the system. As a result, all supported versions of Windows Vista and Windows 7 are affected.”

But Talbot added that many Windows laptops are configured to make connectivity as easy as possible for users, and will turn on Bluetooth when the computer’s wireless Internet component is active or searching for networks (which, for many machines, is all the time).

Microsoft fixed 21 other security vulnerabilities this Patch Tuesday; all of them were less severe, so-called “privilege escalation” flaws that are of little use unless the attacker already has a foothold on the target’s system.

Updates are available from Windows Update, or via Automatic Updates. As always, if you experience any problems before, during or after applying these updates, please drop a note in the comments section about your experience.

The Internet needs its own Weather Channel


Living on the East Coast, I often wonder how the early pioneers lived without Doppler radar and the Weather Channel. Today, we know about hurricanes weeks ahead of time, and you have days to batten down the hatches, gas up the car, and buy strawberry Pop-Tarts at Wal-Mart. Think I'm kidding about the last item? It's a consumer behavior proven to be an early indicator of where a hurricane will actually strike. Just look up the phrase "hurricane poptarts walmart" in your favorite search engine.


Software Cracks: A Great Way to Infect Your PC


I often get emails from people asking if it’s safe to download executable programs from peer-to-peer filesharing networks. I always answer with an emphatic “NO!,” and the warning that pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware. But I seldom come across more than anecdotal data that backs this up.

Recently, I heard from Alfred Huger, vice president of engineering at Immunet, an anti-virus company recently purchased by Sourcefire. Huger was reaching out to offer feedback on my 3 Rules for Online Safety post. He told me that the rules should have included this warning: Do not download pirated software and cracks from filesharing networks and cracks sites because they are a major source of malware infections.

I replied that people who knowingly engage in this type of risky behavior probably don’t care much about my three rules, and that the advice was meant for people who were interested in learning how to stay safe online. But I was curious about his comment, and asked if he had data to support it. Huger said these types of infections were closely correlated with cases in which Immunet users opted to dispute its malware detection for specific files. Files that are “convicted” by anti-virus programs are considered malicious and are placed in a quarantine area on the user’s system. But if users still want to access the file, or they don’t believe or care that it’s malicious, they can reverse or “roll back” that conviction.

“A roll back to us is a file which we convicted but people disagreed with the conviction and rolled it out of quarantine,” Huger said. “About 90% of the false positive roll backs I see which result in more than 10 convictions — meaning more than 10 people rolled it back, turn out to be real malware. In almost every case when I can actually track down the user and ask why they rolled it back I am told it was a crack or pirated material of some type. They went looking for it and installed it.”

As an example, Huger said that in the previous week, more than 100 Immunet users had rolled back infected files that install copies of the Conficker worm, among other malware.

“I am doing false positive management again this morning,” Huger told me last week. “In the last 7 days 484 people in my community rolled this out from quarantine. It’s frustrating to see because I know once they get infected it’s going to be pure misery for them.”

I hope it’s clear from reading this post that downloading pirated software and software cracks is among the fastest and likeliest ways to infect your computer with something that ultimately hands control of your PC over to someone else.

Please add these to the growing list of KrebsonSecurity Rules for Online Safety:

It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.


Penetration testing on the cheap and not so cheap


I've been doing a lot of vulnerability and penetration testing for a customer who wants to see various simulated attacks and possible outcomes. I've been a penetration tester going on 10 years, and it is easily the most enjoyable task I can be asked to perform. Breaking in is fun -- and far easier to pull off when you use one of the many handy vulnerability-testing tools available today.


Blocking JavaScript in the Browser


Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

The NoScript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it’s not uncommon when you’re shopping online to come across a site that won’t let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you’ve already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

Chrome also includes similar script- and Flash-blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as NoScript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted.

To restrict scripting in Chrome, click the wrench icon in the upper right corner of the browser. Under “Options,” select “Under the Hood.” Click the “Content Settings” button at the top. Under JavaScript, select the button: “Do not allow any site to run JavaScript”.

Internet Explorer 9, which Microsoft released earlier this year, is by far the fastest and most advanced version of IE (it rivals Chrome in the speed with which it loads Web pages). IE9 also includes new security features, such as enhanced memory protection and Microsoft’s SmartScreen Application Reputation engine, designed to alert users when they try to download files from locations on the Web with an unknown or dodgy history.

But I found it somewhat difficult to believe that this new version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can set JavaScript to one of three states: on, off, or prompt before loading. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below).

I like Chrome’s simplicity and speed, but I prefer Firefox because it offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit.

Make your mark by stopping hackers


I remember being excited when I was asked to use a sledgehammer to tear down a covered garage that wasn't approved by the city. It had been standing beside my girlfriend's house for years. You could tell it was built intelligently and with love. The supporting beams were twice as thick as required by code, and every nail and screw was driven straight. The lumber itself was top shelf, not a knot or bend in it.
