Microsoft's free security tool gets the thumbs up
Some good news for Windows users for a change; Microsoft's free-to-download Security Essentials tool has been certified by anti-virus research organisation AV-Test as part of an in-depth study of 19 security products.
Security Essentials was launched last year as a replacement for the scrapped Windows Live OneCare subscription service, and is a free download for consumers running Windows 7, Windows Vista and Windows XP SP2 or higher.
At the time, questions were raised about whether a free security product could really prove effective in protecting Windows computers, especially when compared against full-blown security suites from established vendors such as Symantec and McAfee.
However, Security Essentials seems to have fared well in AV-Test's study, especially in the usability category which examines how much a particular tool impacts on the performance of the computer it is running on.
This tallies with feedback from reviewers and testers, who have previously praised the tool for its unobtrusive operation. Some security suites can slow down a PC alarmingly.
In terms of protection, Security Essentials was still rated as less effective than Symantec's Norton Internet Security 2010 or AVG: Internet Security 9.0, both of which are paid-for suites, but Microsoft has always maintained that the product is aimed at those users who would otherwise have no protection at all, rather than at taking market share from other security vendors.
August 19, 2010 | Permalink | Comments (1)
How hacking works and steps to combat it
V3.co.uk entered the world of hacking yesterday by participating in a 'Hack the Lab' session arranged by network security firm Stonesoft.
A fictitious web site was created especially for participants to hack into and the results were interesting and a little frightening.
Using tools such as Nmap (port scanner), Netcat (multi-purpose tool), Metasploit (command line tool) and John the Ripper (password cracker), which are all freely available on the internet, we had a crack.
We successfully managed to hack into the fabricated web site and obtained not only admin login details, but credit card details of the owners and customers in just under half an hour.
This was done using a Virtual Network Computing (VNC) tool, which we installed on the fictitious admin machine to gain remote desktop access.
Alan Cottom, technical engineering specialist at Stonesoft, was on hand to explain the principles.
There are usually five steps that an attacker goes through when looking to carry out a hack:
1. Selecting the target: There are mainly two types of hackers. Those who focus on an individual or organisation for financial/political gain and those who are opportunistic, who scan ports looking to find vulnerable systems.
2. Gathering information: Once a target has been selected, the hacker embarks on the most important process which is the research phase. Attackers aim to gather as much information as possible, including business/domain/contact names, web site addresses, phone numbers and emails. These are all primary pieces of information that a hacker is eager to acquire. The more information an attacker has, the easier it is to gain access into a system.
Individuals must be careful about posting computer details on forums as hackers commonly browse these to pick up information about potential targets.
Hackers are always on the lookout for mergers and acquisitions as these are seen as 'soft targets' because businesses usually want to link IT systems quickly and may sacrifice security, Cottom said.
3. Exploiting vulnerabilities: Hackers do not waste their time breaking into firewalls; they look to exploit vulnerable areas of a system, such as a web server that may not have been patched properly or a test machine that has remained connected.
4. Leaving a back door: After access has been found, a hacker always leaves a back door to regain entry, by planting a root kit or a remote shell. Some may even modify access rules.
5. Covering tracks: The best attackers will look to disable auditing processes and delete event logs.
The first thing a good administrator will do if he/she suspects there has been an attack is check the logs, so hackers will want to cover their tracks by disabling these, Cottom said.
There have been several high profile hacks recently including the infiltration of Google's Gaia password system in January. This occurred when an employee clicked on an MMS link and had their machine infiltrated, which was used to gain access to the firm's admin system.
However, Twitter experienced one of the most embarrassingly simple hacks last year when a user used a brute force password cracker to gain admin access. Passwords were changed, private information was viewed, and tweets were sent out from users such as Britney Spears.
Twitter could have avoided this by simply employing a lockout of accounts after three password attempts.
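The lockout described above, sketched as an added example (not code from V3.co.uk, Stonesoft or Twitter). The `LockoutTracker` class, the 15-minute lock duration and the sample events are assumptions made for illustration; only the three-attempt threshold comes from the article.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3           # threshold named in the article
LOCKOUT_SECONDS = 15 * 60  # assumed lock duration; the article gives none


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # timestamp at which the lock expires


@dataclass
class LockoutTracker:
    """Per-account failed-login counter (hypothetical helper)."""
    accounts: dict = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        state = self.accounts.setdefault(user, AccountState())
        # While locked, reject everything, including a correct password;
        # otherwise a guessing tool simply keeps going until it hits.
        if now < state.locked_until:
            return "locked"
        if password_ok:
            state.failures = 0  # a success resets the counter
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            return "locked"
        return "denied"


# Constructed sample events: (seconds, account, password was correct?)
SAMPLE_EVENTS = [
    (0, "admin", False),
    (1, "admin", False),
    (2, "admin", False),  # third failure: the account locks
    (3, "admin", True),   # correct guess arrives during the lock
    (10, "alice", False),
    (20, "alice", True),  # success resets alice's counter
    (2 + LOCKOUT_SECONDS, "admin", True),  # lock has expired
]


def replay(events):
    """Run the events through a fresh tracker and return each outcome."""
    tracker = LockoutTracker()
    return [tracker.attempt(user, ok, ts) for ts, user, ok in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

The fourth event is the case that matters against a password cracker: the correct password is still refused while the lock is active.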
Essential Security Tips from Stonesoft
- Use alphanumeric passwords, but not ones that are so complicated that you need to write them down.
- Keep anti-virus software and patches up-to-date.
- Do not click on suspicious links in emails or instant messages.
- Turn office hardware off at night.
- Take a look at some Intrusion Prevention Software.
V3.co.uk will post a video demo of Alan Cottom explaining the stages of hacking soon.
July 29, 2010 | Permalink | Comments (0)
Google increases payment to bug hunters
Google has increased the maximum payment for those who find a bug in its Chromium web browser to $3,133.7.
The Chromium Security Reward scheme was launched in January and Google claims that the program has been a success.
"We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security," Google said in a blog post this week.
"Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution."
The maximum reward for a single bug has been increased substantially from $1,337 to $3,133.7. But this will only be paid to those who find critical bugs in Chromium, the company said.
The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity, Google added.
Google follows in the tracks of Mozilla, which upped its bounty payment to $3,000 last week.
Even though Google has added $3,000 to the reward, not all users are happy.
"I highly doubt a $3,133.7 payoff is justifiable. If you figure an individual (or team) put in a combined effort of 160 hours, you're getting paid roughly $19 per hour," noted one commenter on the Google blog.
"I personally wouldn't waste my resources on someone who can not be justified being paid more than $19/hr. Neither would I waste my time providing any information to anyone who values their operating budget for security at $19/hour per incident."
Looks like someone woke up on the wrong side of bed... or maybe he was just upset that the reward is no longer code for elite.
July 21, 2010 | Permalink | Comments (0)
Facebook hit by first wave of "political hacktivism"
Facebook's ongoing problems continue after security firm AVG announced that it has discovered hacking taking place on the site in the form of "political hacktivism" emanating from Turkey, seemingly in retaliation for the recent events in Gaza.
Research by the firm found that all manner of attacks including web site defacements, denial-of-service, information theft and virtual sabotage were coming from two different sources, suggesting only two groups or individuals are involved.
Roger Thompson, AVG's chief research officer, said that although the number attacked so far was relatively small, perhaps less than fifty, there was always a risk that it could increase in number very quickly.
"The number of hacked accounts is fairly small which would indicate that it is not an automated attack. This is the first time, as far as I am aware, that Facebook has been a victim of political hacktivism," he said.
"Given the attack seems to be run by Turkish hackers, and that they once claimed a world record for defacing 37,000 pages in a day, we should not discount the thought they might find an automated way to move."
Late last year Twitter was targeted by a group calling itself the Iranian Cyber Army, which hijacked the web site domain name.
June 9, 2010 | Permalink | Comments (0)
Google now "paranoid" about security
Google is now "paranoid" about security, chief executive Eric Schmidt is reported to have told an assembled bunch of 400 chief information officers at an all day event in Mountain View yesterday.
Speaking at its inaugural Atmosphere 2010 event, Schmidt is reported to have explained that the web giant learned some hard lessons from its recent brush with Chinese hackers.
It is widely believed that the hackers gained initial access to an employee's computer via a flaw in Internet Explorer 6, from which point they managed to infiltrate deeper into Google's systems.
So what does this all mean for the security or otherwise of Google's products? Well, in a strange way the hack will probably end up being good news for the web giant's customers.
Schmidt argued that the firm has since accelerated its plans to use more of its own web-based products and services internally, such as the Chrome OS. These are "inherently more secure" than the alternatives out there, he added. Over to you, Microsoft.
April 13, 2010 | Permalink | Comments (0)
Barnet Council loses details of 9,000 children
Barnet Council has become the latest public sector body to suffer an embarrassing data breach, after unencrypted USB sticks and CDs containing the details of 9,000 schoolchildren were stolen following a burglary at an employee's home.
The details, which were held for statistical purposes by the council, included date of birth, gender and ethnicity, and all those affected have been informed, according to an FAQ section on the council web site.
Barnet Council also said it thought the risks associated with this data breach are very low, given that the burglars were "looking for high-value items rather than specifically to steal data".
"We, the council, have disabled any access to external storage devices so no member of staff can make unauthorised copies in the future," said the council.
"All computers leaving the council offices have to be confirmed as encrypted. A full independent review of how the council holds data has been ordered."
The incident highlights many of the problems the public sector faces in trying to tighten up its record on data breaches, namely that all the rules and guidelines in the world don't mean anything if staff are willing to disregard them.
March 31, 2010 | Permalink | Comments (0)
World of Warcraft users targeted in new phishing attacks
More proof emerged today that phishing attacks are not solely confined to the financial services space, as Panda Security revealed several new campaigns targeting World of Warcraft players.
In a blog post today, the vendor's technical director Luis Corrons highlighted the phishing emails designed to lure users into clicking on a malicious link. This link takes the user to a fake log-in page where they are asked to enter their username and password.
"As you have seen, the attack could be considered pretty good, both the message and the web site looked as if they were real, so we can assume that these are smart cyber criminals with high skills," he explained.
"But we know there are a lot of phishing kits out there, and that there are easy ways to accomplish these kind of attacks, so anyone could be able to do this."
These kinds of attacks are particularly dangerous given that many computer users use the same user name and passwords for multiple accounts, potentially giving the phishers access to online banking and other accounts.
Corrons added that the criminals, it turned out, were not so smart as they allowed the Panda research team to access their own database of stolen credentials.
Apparently, most of the scammed WoW players were using their email addresses as user names.
"I bet that the password used for WoW is the same one they are using for each and every online service (mail, Facebook etc)," wrote Corrons.
"And what's the moral of this story? Well, if such a moron is able to steal thousands of credentials, imagine what a smart cyber criminal could achieve."
March 29, 2010 | Permalink | Comments (1)
PandaLabs says hackers are breaking records
According to the latest internet security report from PandaLabs, hackers are breaking all established records when it comes to the nefarious business of creating new threats.
The security firm said that it had recorded five million new strains of malware in just the last three months. Alarmingly, most were banking trojans, the rest a mix of adware, worms, hacking tools and spyware. Trojans took a 38 per cent share of all infections, adware was responsible for 18.68 per cent, and worms 14 per cent. Country to country, Taiwan was found to have the most active infections, 29 per cent, but is closely followed by the US and the UK, which both have roughly 25 per cent.
The risk of infection continues to worsen, according to PandaLabs, which paints a bleak picture of the future. "We are currently receiving some 50,000 new examples of malware every day, this compares to 37,000 just a few months ago. There is no reason to believe that the situation will improve in the coming months," explained Luis Corrons, technical director at PandaLabs.
PandaLabs said that crooks would throw almost every resource at their disposal in order to infect the maximum number of machines. It said that these varied from social networking attacks to search engine manipulation. The firm also fingered a few firms for exposing their users to potential risks. It called one of the vulnerabilities patched by Microsoft, 'Striking', and another, 'Alarming'.
What with all these risks out there, PandaLabs suggests that users install some web security software. You shouldn't need to look too far to find a supplier of that.
October 1, 2009 | Permalink | Comments (0)
Web users ignoring certificates
Most online users simply ignore 'invalid certificate' warnings despite the security risks involved, according to a recent study by Carnegie Mellon University.
Although VeriSign, one of the biggest names behind web certification, recently announced that it has issued more than four million Secure Sockets Layer (SSL) certificates, the research brings into question just how useful they are.
"Everyone knew that there was a problem with these warnings, our study showed dramatically how big the problem was," said Joshua Sunshine, co-author of the Carnegie Mellon paper.
Although warnings can come up due to various technical issues, they exist to help protect users from being redirected to various fake sites or to help catch out typo-squatting, where online fraudsters set up sites with URLs almost identical to their target to catch out those who accidentally misspell an address when typing it in.
According to the study, most internet users simply don't know what the certificates are or what the warnings mean, while others believe they just have to be more careful on sites where these warnings appear.
Interestingly, the results seem to depend a lot on which browser was being used, primarily because the various developers use different language and prompts when displaying certificate warnings.
As a result, users of Mozilla's Firefox 3 browser were the least likely to click through after being shown a warning, and several security warnings created by the researchers themselves were even more effective. According to VeriSign, this highlights the need for education and obvious prompts that can help even inexperienced web users to be aware when something may be wrong.
"This research reminds us of the importance of providing usable tools for end users to differentiate between an authentic and an inauthentic web site and emphasises the importance of educating end users on how to use those tools," said Tim Callan, vice president of product marketing at VeriSign.
"That's why the industry has created new interface conventions like the green address bar to make it easier than ever for end users to distinguish between a real site and counterfeit site."
July 28, 2009 | Permalink | Comments (2)
Facebook's unreliable privacy settings
News that hackers have once again found their way into Facebook should serve as a reminder to firms using external social networks as part of a business strategy that data is not necessarily secure behind a web site's login details.
Perhaps social suites available from enterprise vendors might be a safer bet.
FBHive, a recently launched site following Facebook, said yesterday it was able to hack into any person's "Basic Information" section, no matter what their privacy settings.
"We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them," said the post.
The exploit involved fooling the "Edit Information" section of a user's profile to display another user's Basic Information by using the Tamper Data add-on for Firefox.
FBHive launched a video to show Facebook users how easy the hack was.
Although the Facebook security team fixed the exploit soon after FBHive published its report, the news follows a revelation from a Burton Group analyst back in 2008 that an email add-on called Xobni, which plugs in to Microsoft Office and correlates Outlook contact data with external sources such as Facebook, also managed to override privacy protections.
Analyst Mike Gotta said that when an individual's social data is pulled from an external network site into another person's email account, they should be properly notified.
"I do believe that context of a relationship agreement made within one environment does not necessarily transfer to other environments without the parties being aware and in some cases, consenting to that information being revealed in those other contexts," Gotta had said in his blog.
"What really surprised me though was that I now had access to people's information via Xobni's Facebook Connect application that I could not access normally on Facebook," he added.
June 23, 2009 | Permalink | Comments (0)



