Category Archives: Tools

December security and privacy roundup

Security and privacy stories making the rounds in December…

Aethra modem botnet

In February I wrote about hack attempts on several of my WordPress sites. Most of those attacks originated in Italy, from Aethra modems provided by Italian service provider Albacom. At the time, I tried to contact Albacom and its new owner, BT Italy, with no success. Apparently I wasn’t the only person who noticed. The people who make Wordfence, an extremely useful security plugin for WordPress, recently reported on the efforts of a Voidsec security researcher to track down and report the problem.

Nemesis malware worse than ever

A particularly nasty piece of malware called Nemesis now has the ability to insert part of itself in the boot process of a PC, making it even more difficult to detect and remove. Luckily for regular folks, Nemesis mostly seems to be targeting financial institutions. On second thought, there’s nothing lucky about that.

Linux computers increasingly targeted – and vulnerable

It’s becoming clear that Linux computers can be just as vulnerable as computers running Windows: a single, unpatched application vulnerability can be all that’s required for attackers to gain complete control. Hacking groups are acting quickly when new vulnerabilities are revealed, and have been adding exposed Linux servers to their botnets at an alarming rate.

Mysterious attack on root DNS servers

In early December, most of the Internet’s core name servers were briefly flooded with requests from all over the net; the requests were all related to two specific (and undisclosed) domain names. It’s still not clear who perpetrated the attack, and no real damage was done, since the servers involved absorbed the traffic relatively easily.

Help for securing routers

The US-CERT security organization posted a useful guide for securing home routers. The guide necessarily gets into technical details, but anyone who is interested in keeping their home network secure – and has access to their router’s configuration – should give it a look.

Oracle spanked by the US FTC for its deceptive practices

Oracle has done a terrible job of informing Java users of the dangers of leaving old versions of Java installed. Worse, Java installation software is traditionally not very good at detecting and removing older Java installs. The FTC finally noticed, calling Oracle’s practices a “deceptive act or process” in violation of the Federal Trade Commission Act. In response, Oracle has posted a Java uninstall tool on its web site. To be fair, the newer Java runtime installers now also look for older versions and offer to uninstall them, so they are making progress.

A rational response to claims that encryption is somehow bad

You’ve no doubt noticed elected officials in various countries claiming that smartphone encryption is making police work more difficult. They often use the catchphrase ‘going dark’ and invoke ‘terrorism’ to scare people into believing their BS. There’s a post over on Techdirt that exposes the lunacy of these ‘going dark’ claims.

Panopticlick – is your browser keeping your activity private?

The Electronic Freedom Foundation (EFF) created a web-based tool that analyzes your web browser and lets you know how well it protects you against online tracking technologies. It’s a handy way to make sure that the browser you’re using is keeping your activity as private as you think it is. Keep in mind that a lot of web sites (including this one) use tracking technologies for legitimate reasons, such as counting the number of visits. To learn more, check out this helpful post over on the PixelPrivacy site that explains browser fingerprinting.

Security practices of some service providers still terrible

Brian Krebs recently reported that his PayPal account was hacked. During his subsequent investigation, he discovered that PayPal handed his credentials to someone impersonating him on the phone. PayPal’s responses to Krebs’ criticisms don’t exactly inspire confidence. Krebs says “the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”

BitTorrent removes limits from free version of Sync

Not long ago, I expressed my disappointment with BitTorrent’s 2.0 release of their Sync software. My main beef was that they had introduced a ten-folder limit on the free version, thereby rendering it almost useless.

Well, apparently BitTorrent listened to the complaints, because the just-released Sync 2.2 removes the ten-folder limit from the free version.

This is great news, especially since I’ve been unable to find a reliable replacement for Sync. Kudos to BitTorrent for listening to users and reverting the earlier decision.

Avoid Hola’s free VPN service

In the wake of Snowden’s revelations, many people have started using VPN services to encrypt their online activities. Until recently, one popular choice was Hola’s free VPN.

Researchers have discovered that Hola is selling access to the resources of its users, creating what has been described as a botnet, which may have been used for malicious activities.

Hola has been scrambling to deal with the public backlash over this news, but so far all they’ve done is retroactively update their FAQ, adding statements about what Hola can do with your computer if you’ve installed their software.

Recommendation: avoid Hola completely. This kind of deceptive behaviour should not be encouraged. If you’ve been using Hola, check your level of exposure using this handy tool.

BitTorrent Sync loses its appeal

Up until recently, I recommended BitTorrent Sync (aka BTSync) to anyone who needed a simple way to share files between remote computers. I won’t be doing that any more.

BTSync is now out of its beta period, and the news is bad. It comes in two distinct versions: the paid version, which does what we’ve come to expect but now costs $50 per year per seat, and the free version, which is limited to ten shared folders.

BTSync Pro trial expiry message

This, despite earlier promises that functionality would not be removed from the free version. Some may argue that no actual features have been removed from the free version, but if I were running more than ten shares and suddenly some of them stopped working, it would sure seem like something was missing.

Of particular interest in the expiry message (above) is this: “Folder additions and removals will not be propagated to other devices.” I interpret this to mean that in the free version of BTSync, adding or deleting a folder in an existing share will not result in those changes being propagated to peers. If true, this makes the free version of BTSync almost entirely useless. But in my tests, it appears that folder additions and deletions are in fact still being propagated between peers. Possibly BitTorrent intended to make this change but changed their minds and didn’t update the expiry message.

In any case, while I understand that BitTorrent has the right to try to make money from their software, tricking beta users into using (and testing) your software only to break it – and ask for what is effectively ransom money to keep using it – is not going to win many customers.

I expect BTSync usage numbers to plummet sharply soon. I’ll be looking at alternatives, and if I find something good, I’ll add it here. For now, all I can do is warn everyone: don’t use BitTorrent Sync.

EMET 5.2 released by Microsoft

A new version of the Enhanced Mitigation Experience Toolkit (EMET) was announced by Microsoft on March 12. EMET is an application that provides an additional level of security for Windows systems by detecting and blocking specific types of application behaviour that are associated with malware.

Version 5.2 of EMET adds new features for Windows 8.1 (and up), and for Internet Explorer.

EMET is highly recommended for Windows computers. You can obtain it from the main EMET page.

Update 2015Mar17: If you downloaded EMET 5.2 before March 16, you may have noticed that Internet Explorer on Windows 8.1 stopped working. Microsoft has re-released EMET 5.2 to address this problem.

VPN services: how private is your communication?

In the wake of the Snowden revelations, there’s been a lot of new interest in Virtual Private Networks (VPN).

A VPN service works by creating a secure, encrypted network that extends across the public Internet, allowing users to communicate securely with remote systems. VPNs have been used for corporate networks – which are often distributed across many physical locations – for years.

While a VPN service can be set up by anyone using open source software and network hardware, a simpler approach for typical users is to use one of the many VPN service providers currently available.

With so many people now depending on VPN services, TorrentFreak wondered just how private those services really are, and came up with a list of questions for VPN providers. For example, some VPN providers keep logs of user IP addresses, which – when handed over to the NSA – could lay bare your supposedly private communications.

You can find the results of TorrentFreak’s investigation on their web site.

Password management software now being targeted

If you’re not already using password management software, you should be. It’s an extremely bad idea to use one password for more than one service, but using a different password for every service makes remembering them all difficult. With a password manager, you only have to remember one password: the one that allows access to all your other passwords.

I’ve been recommending Password Corral for years. Bruce Schneier’s Password Safe is also excellent. These are both desktop programs. I don’t recommend using an online password manager, because there’s always the possibility that the service itself could be hacked.

Unfortunately, even as we collectively get better at keeping ourselves secure, nefarious hackers shift their focus to more fertile ground. Now, it appears that they are targeting password management tools. It’s easy to see why: if a hacker can break your master password, they will have access to all of your other passwords.

Recommendation: if you are using a password management tool, make sure your master password is long and unique.

Update 2014Nov27: A post on the Duo Security blog has additional details.

CryptoLocker defanged at last

Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.

Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.

The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.

Brian Krebs has more.

Microsoft XML code vulnerable on many computers

A recent report from Secunia (PDF) highlights the unfortunate hole into which some versions of the Microsoft XML parser library have fallen.

Numerous versions of this library are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.

Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.

Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:

We recommend installing and running Secunia’s PSI, which scans for out of date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.

Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:

  • The most up to date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
  • Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
  • To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
  • Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.
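To see where a given machine stands against the version quoted in the list above, here is an added PowerShell snippet (not from the original post) that inspects the MSXML DLLs in the Windows system folders and flags an MSXML4 older than the patched SP3 build; it assumes the standard file names msxml3.dll, msxml4.dll and msxml6.dll.

```powershell
# Added example, not from the original post: list the MSXML DLLs present on this
# machine and flag an MSXML4 that is older than the patched SP3 build 4.30.2117.0.
# Assumes the standard library file names (msxml3/4/6.dll); an absent file simply
# means that MSXML version is not installed.
$PatchedMsxml4 = [System.Version]'4.30.2117.0'

# 64-bit Windows keeps a second, 32-bit copy of each DLL under SysWOW64.
$dirs = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }

foreach ($dir in $dirs) {
    foreach ($name in 'msxml3.dll', 'msxml4.dll', 'msxml6.dll') {
        $path = Join-Path $dir $name
        if (-not (Test-Path $path)) { continue }

        # Build the version from the numeric parts; the FileVersion string can
        # carry trailing build tags that [System.Version] will not parse.
        $vi  = (Get-Item $path).VersionInfo
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)

        $status = 'installed'
        if ($name -eq 'msxml4.dll') {
            if ($ver -ge $PatchedMsxml4) {
                $status = 'MSXML4 up to date (SP3 + KB2758694)'
            } else {
                $status = 'MSXML4 OUTDATED: install MSXML4 SP3, then run Windows Update for KB2758694'
            }
        }

        # Emit one row per DLL; run as a script this prints a table.
        [PSCustomObject]@{ Path = $path; Version = $ver; Status = $status }
    }
}
```

Because the check compares the file version directly, it is not affected by PSI reporting MSXML4 as end-of-life regardless of its patch level.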

Further reading: