// API callback
readpostlabels({"version":"1.0","encoding":"UTF-8","feed":{"xmlns":"http://www.w3.org/2005/Atom","xmlns$openSearch":"http://a9.com/-/spec/opensearchrss/1.0/","xmlns$blogger":"http://schemas.google.com/blogger/2008","xmlns$georss":"http://www.georss.org/georss","xmlns$gd":"http://schemas.google.com/g/2005","xmlns$thr":"http://purl.org/syndication/thread/1.0","id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851"},"updated":{"$t":"2021-08-17T22:37:34.909-05:00"},"category":[{"term":"Practical Security"},{"term":"Small Word Security"},{"term":"Digital Forensics"},{"term":"Faith Family \u0026 Fun"},{"term":"Bugs and Vulnerabilities"},{"term":"Cyber Crime"},{"term":"Home Network Security"},{"term":"Internet of Things"},{"term":"Mobile Device Security"},{"term":"Bank and Credit Card Security"},{"term":"Password Management"},{"term":"Hacking"},{"term":"Identity Theft"},{"term":"Financial Fraud"},{"term":"Malware"},{"term":"Privacy"},{"term":"Social Engineering"},{"term":"Parenting"},{"term":"Phishing"},{"term":"Social Networks"},{"term":"Weekend Projects"},{"term":"Encryption"},{"term":"Awana and Kidmin"},{"term":"Asus"},{"term":"CSOonline"},{"term":"Tech Tips"},{"term":"Security Theater"},{"term":"Transportation Authorities"}],"title":{"type":"text","$t":"Security for Real People"},"subtitle":{"type":"html","$t":"A blog by David Longenecker: practical cyber security advice, digital forensics, and parenting in the digital age, with family and faith woven 
in."},"link":[{"rel":"http://schemas.google.com/g/2005#feed","type":"application/atom+xml","href":"http:\/\/www.securityforrealpeople.com\/feeds\/posts\/default"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/-\/Malware?alt=json-in-script\u0026max-results=50"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/search\/label\/Malware"},{"rel":"hub","href":"http://pubsubhubbub.appspot.com/"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"generator":{"version":"7.00","uri":"http://www.blogger.com","$t":"Blogger"},"openSearch$totalResults":{"$t":"29"},"openSearch$startIndex":{"$t":"1"},"openSearch$itemsPerPage":{"$t":"50"},"entry":[{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-1218583275466807819"},"published":{"$t":"2017-10-10T16:21:00.000-05:00"},"updated":{"$t":"2017-10-20T15:46:57.001-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"}],"title":{"type":"text","$t":"Exploiting Office native functionality: Word DDE edition"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Cimg alt=\"Sensepost researchers show a way to exploit DDE to run code from Word, without macros or buffer overflows. 
Here\u0026#39;s how to detect it.\" border=\"0\" data-original-height=\"406\" data-original-width=\"640\" height=\"406\" src=\"https:\/\/2.bp.blogspot.com\/-CwUAVJkU7R4\/Wd03_v9vhCI\/AAAAAAAAUUk\/Ih0BFLdzANIk5bSrJtxoYCJchJRKI9FkACLcBGAs\/s640\/DDE-main.png\" title=\"Sensepost researchers show a way to exploit DDE to run code from Word, without macros or buffer overflows. Here\u0026#39;s how to detect it.\" width=\"640\"\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Ci\u003E\u003Cb\u003EUpdated 20 October:\u003C\/b\u003E Added a note regarding enabling full command line logging for process creation events; added a note clarifying that \u0026quot;Creator Process Name\u0026quot; is only recorded in Windows 10 and Windows Server 2016. Older versions of Windows record the creator process ID but not the process name; added references to a variety of exploitation techniques found by other researchers or seen in the wild.\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Ci\u003E\u003Cbr\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Ci\u003E\u003Cb\u003EUpdated 11 October\u003C\/b\u003E: I originally wrote that this exploit technique bypassed both disabled macros, and Protected View. That is incorrect: this technique will work if macros are disabled, but the code does not trigger while in Protected View. 
Thanks to Matt Nelson (\u003Ca href=\"https:\/\/twitter.com\/enigma0x3\" target=\"_blank\"\u003E@enigma0x3\u003C\/a\u003E) for pointing out my mistake.\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EI love reading exploit techniques that rely on native features of the operating system or common applications. As an attacker, I find it diabolically clever to abuse features the target fully expects to be used and cannot turn off without disrupting business. As a defender, I am intrigued by the challenge of detecting malicious use of perfectly legitimate features.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EResearchers Etienne Stalmans and Saif El-Sherei of Sensepost wrote of a slick way to execute code on a target computer using Microsoft Word - but \u003Ca href=\"https:\/\/sensepost.com\/blog\/2017\/macro-less-code-exec-in-msword\/\"\u003Ewithout the macros or buffer overflows\u003C\/a\u003E usually exploited to this end. Instead, they use dynamic data exchange, or DDE - an older technology once used for coding and automation within MS Office applications. 
This is particularly clever because it works even with macros disabled - because it\u0026#39;s not using the macro subsystem.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2017\/10\/exploiting-office-native-functionality.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1218583275466807819"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1218583275466807819"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/10\/exploiting-office-native-functionality.html","title":"Exploiting Office native functionality: Word DDE edition"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/2.bp.blogspot.com\/-CwUAVJkU7R4\/Wd03_v9vhCI\/AAAAAAAAUUk\/Ih0BFLdzANIk5bSrJtxoYCJchJRKI9FkACLcBGAs\/s72-c\/DDE-main.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-6386086072695910375"},"published":{"$t":"2017-09-18T12:32:00.000-05:00"},"updated":{"$t":"2017-09-18T12:32:16.548-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Avast download site compromised to host a malicious CCleaner"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: Helvetica Neue, Arial, 
Helvetica, sans-serif;\"\u003EIf you downloaded \"CCleaner\" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that company's software download page was compromised to \u003Ca href=\"http:\/\/blog.talosintelligence.com\/2017\/09\/avast-distributes-malware.html\" target=\"_blank\"\u003Ehost a malicious version\u003C\/a\u003E of CCleaner that contains malware.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EComputers that downloaded and ran that software became part of a botnet, a network of computers under the control of whoever is behind that malware.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThose that follow my advice to use the \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/10\/dns-simple-way-to-stop-malicious-web.html\" target=\"_blank\"\u003Efree OpenDNS service\u003C\/a\u003E for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EIf you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. 
Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EI have long recommended\u0026nbsp;automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukrainian software company was hacked to \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2017\/06\/to-patchnya-or-not-to-patchnya.html\"\u003Edeliver malware to taxpayers\u003C\/a\u003E in that country, I wrote up an analysis of why I still held that recommendation.\u0026nbsp;\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EI said then:\u003C\/span\u003E\u003Cbr \/\u003E\u003Cblockquote class=\"tr_bq\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003EIn over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. 
Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software\u003C\/i\u003E.\u003C\/span\u003E\u003C\/blockquote\u003E\u003Cspan style=\"font-family: \u0026quot;Helvetica Neue\u0026quot;, Arial, Helvetica, sans-serif;\"\u003EIt is becoming increasingly difficult to maintain that position...\u0026nbsp;\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;Helvetica Neue\u0026quot;, Arial, Helvetica, sans-serif;\"\u003EI suspect I am up to two hands now,\u0026nbsp;\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;Helvetica Neue\u0026quot;, Arial, Helvetica, sans-serif;\"\u003Ebut for the time being, I still find quickly updating is less risky than not patching.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cbr \/\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6386086072695910375"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6386086072695910375"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/09\/avast-download-site-compromised-to-host.html","title":"Avast download site compromised to host a malicious 
CCleaner"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}]},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-6399116428330355817"},"published":{"$t":"2017-06-27T22:12:00.000-05:00"},"updated":{"$t":"2017-06-29T17:37:41.755-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"To Patchnya, or Not to Patchnya"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg border=\"0\" data-original-height=\"355\" data-original-width=\"640\" src=\"https:\/\/3.bp.blogspot.com\/-FIiS-TiEzH0\/WVL3GVX1OVI\/AAAAAAAAUIU\/3ZdAdTyDTAYpciHi9zzXENL31aBTP4YAwCLcBGAs\/s1600\/ee2bab4f-5a5c-4d0c-9436-f7b881afbf15-original.jpeg\"\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EHeads-up: there\u0026#39;s another \u003Ca 
href=\"https:\/\/isc.sans.edu\/diary\/Checking+out+the+new+Petya+variant\/22562\" target=\"_blank\"\u003Eransomware\u003C\/a\u003E worm making the rounds. Initially thought to be a variant of the \u003Ca href=\"https:\/\/www.malwaretech.com\/2017\/06\/petya-ransomware-attack-whats-known.html\" target=\"_blank\"\u003EPetya ransomware family\u003C\/a\u003E, it was later determined to be something entirely different, and has been dubbed \u0026quot;NotPetya\u0026quot; in many tweets and reports.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003ELike the \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2017\/05\/hit-by-wannacry-it-may-also-be-hipaa.html\" target=\"_blank\"\u003EWannaCry\u003C\/a\u003E worm that made such a splash in May, it exploits a (now-patched) vulnerability in the Windows file sharing protocol known as SMB. 
Unlike WannaCry, it also harvests credentials from compromised systems, then uses standard Windows administration tools such as WMIC and psexec to spread within an organization.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2017\/06\/to-patchnya-or-not-to-patchnya.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6399116428330355817"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6399116428330355817"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/06\/to-patchnya-or-not-to-patchnya.html","title":"To Patchnya, or Not to Patchnya"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-FIiS-TiEzH0\/WVL3GVX1OVI\/AAAAAAAAUIU\/3ZdAdTyDTAYpciHi9zzXENL31aBTP4YAwCLcBGAs\/s72-c\/ee2bab4f-5a5c-4d0c-9436-f7b881afbf15-original.jpeg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-2482357699321989597"},"published":{"$t":"2017-05-12T16:40:00.000-05:00"},"updated":{"$t":"2017-05-12T17:42:40.364-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"}],"title":{"type":"text","$t":"Ransomware now comes in worm flavor"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: 
Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EIf you have SMBv1 in your enterprise, and haven't completed \u003Ca href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\"\u003Edeploying MS17-010\u003C\/a\u003E (released in March), now would be a good time to expedite that. Multiple news outlets are reporting a widespread outbreak of the \"WannaCry\" ransomware.\u0026nbsp;\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ERansomware is malware that encrypts all the data on a computer, holding it hostage until the victim pays a ransom fee. This particular attack is especially insidious because it acts as a \"worm\" - it spreads from computer to computer on its own, without any interaction from users.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe saving grace is that the vulnerability it exploits to spread was fixed by Microsoft in March. 
Most home users are safe because Windows Updates apply automatically (yes, it's annoying to have a computer reboot when you do not want it to, but today you are thanking your lucky stars).\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ESome reports of note:\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ECCN-CERT, the computer emergency response team for Spain, first \u003Ca href=\"https:\/\/www.ccn-cert.cni.es\/seguridad-al-dia\/comunicados-ccn-cert\/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas\" target=\"_blank\"\u003Eissued a warning\u003C\/a\u003E\u0026nbsp;(in Spanish) of this outbreak Friday morning.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ESpanish telecommunications company Telefónica \u003Ca href=\"https:\/\/www.telefonica.com\/es\/web\/sala-de-prensa\/-\/incidencia-ciberseguridad\" target=\"_blank\"\u003Ereported\u003C\/a\u003E\u0026nbsp;(in Spanish) that they too have been affected.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe British Broadcasting Company has a \u003Ca 
href=\"http:\/\/www.bbc.com\/news\/live\/39901370\" target=\"_blank\"\u003Erunning commentary\u003C\/a\u003E on effects in the UK, and specifically the effects on the National Healthcare Service of the UK.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe Register reports that UK hospitals have \u003Ca href=\"https:\/\/www.theregister.co.uk\/2017\/05\/12\/nhs_hospital_shut_down_due_to_cyber_attack\/\" target=\"_blank\"\u003Eeffectively shut down\u003C\/a\u003E, and are not accepting new patients.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EGlobal delivery company \u003Ca href=\"http:\/\/www.businessinsider.com\/r-fedex-reports-malware-interference-in-global-cyberattack-statement-2017-5\" target=\"_blank\"\u003EFedEx reported\u003C\/a\u003E that it has been affected, but has not specified what locations or if deliveries have been interrupted. 
At least one FedEx customer reported Customer Service being \u003Ca href=\"https:\/\/twitter.com\/MMegan79\/status\/863052965573210113\"\u003Eunable to provide support\u003C\/a\u003E due to server outages.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EWhat can you do:\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EHome users by and large are not affected by this. If you follow the basic steps I recommend in \u003Ca href=\"https:\/\/securityforrealpeople.com\/cybertips\"\u003Ehttps:\/\/securityforrealpeople.com\/cybertips\u003C\/a\u003E\u0026nbsp;(in particular, setting Windows to automatically install updates), Windows long ago installed the patch to protect you from this worm.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EFor corporate and small business readers:\u003C\/span\u003E\u003Cbr \/\u003E\u003Cul\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EBlock TCP 445 and 135 inbound from the Internet\u003Cbr \/\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Ca href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\"\u003EInstall MS17-010\u003C\/a\u003E everywhere. 
Note that the April and May cumulative updates for Windows include this patch\u003Cbr \/\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Ca href=\"https:\/\/support.microsoft.com\/en-us\/help\/2696547\" target=\"_blank\"\u003EKill off SMBv1\u003C\/a\u003E. SMB version 1 is a 30-year-old protocol that has outlived its usefulness. Every modern operating system - including all supported Windows variants, MacOS and OS X, and the Samba product for Linux file sharing - supports the newer v2 and v3 versions.\u003Cbr \/\u003E\u003Cbr \/\u003ESMBv1 can be disabled by creating or editing the following value in the Windows Registry:\u003C\/span\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cdiv class=\"code\"\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Courier New, Courier, monospace;\"\u003EHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u003Cbr \/\u003EName: SMB1\u003Cbr \/\u003EType: DWORD\u003Cbr \/\u003EValue: 0\u003Cbr \/\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThen run the following command to disable SMBv1 on the client side:\u003C\/span\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cdiv class=\"code\"\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Courier New, Courier, monospace;\"\u003Esc.exe config lanmanworkstation depend= bowser\/mrxsmb20\/nsi\u003Cbr \/\u003Esc.exe config mrxsmb10 start= disabled\u003Cbr \/\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EBlock client-to-client SMB (TCP 445) traffic. Generally speaking, laptops don't need to map file shares of other laptops. Blocking lateral SMB traffic prevents this malware from spreading laptop-to-laptop. 
Then focus on patching your domain controllers and enterprise file servers - which genuinely do need to share services on TCP 445.\u003Cbr \/\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ERun Windows Firewall and block inbound TCP 445 connections when on an untrusted network (public WiFi, for example).\u003C\/span\u003E\u003C\/li\u003E\u003C\/ul\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2482357699321989597"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2482357699321989597"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/05\/ransomware-now-comes-in-worm-flavor.html","title":"Ransomware now comes in worm flavor"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}]},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-7784489203807958191"},"published":{"$t":"2017-03-15T22:51:00.000-05:00"},"updated":{"$t":"2017-03-21T18:08:21.032-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Identity Theft"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Phishing"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social 
Networks"}],"title":{"type":"text","$t":"Facebook Messenger phishing scam"},"content":{"type":"html","$t":"\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg alt=\"A phishing scam is using Facebook Messenger to spread, by telling your friends a video of them has gone viral.\" border=\"0\" src=\"https:\/\/2.bp.blogspot.com\/-JgkdlP3x-ik\/WMoDSkzf1HI\/AAAAAAAATNg\/7chjwFZk3p4F4-Crv_s10wKeV1foERhDwCK4B\/s1600\/FB_scam_lead.png\" title=\"A phishing scam is using Facebook Messenger to spread, by telling your friends a video of them has gone viral.\"\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Ci\u003E\u003Cb\u003EUpdated 20-March:\u003C\/b\u003E My initial analysis was limited due to traveling without my laptop, and with unreliable data service. I\u0026#39;ve updated the post with a few additional domains to block, and to show the different behavior on mobile versus PC.\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EThere’s a scam making the rounds on Facebook, making use of Facebook Messenger to spread. 
(Sysadmins, scroll to the bottom for a list of domains to block).\u003Cbr\u003E\u003Cbr\u003EIt starts when you receive a message from a friend, that simply says your name, with your profile picture designed to look like a preview of a video with hundreds of thousands of views. The implication is there is a “Facebook Video” of you that has gone viral.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2017\/03\/facebook-messenger-phishing-scam.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7784489203807958191"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7784489203807958191"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/03\/facebook-messenger-phishing-scam.html","title":"Facebook Messenger phishing scam"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/2.bp.blogspot.com\/-JgkdlP3x-ik\/WMoDSkzf1HI\/AAAAAAAATNg\/7chjwFZk3p4F4-Crv_s10wKeV1foERhDwCK4B\/s72-c\/FB_scam_lead.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-4480438676170094689"},"published":{"$t":"2017-02-11T23:22:00.000-06:00"},"updated":{"$t":"2017-02-12T14:16:28.903-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital 
Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Phishing"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Quick and dirty malicious PDF analysis"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg alt=\"Analyzing weird things forwarded by friends and family is a great way to keep my DFIR skills sharp.\" border=\"0\" height=\"315\" src=\"https:\/\/3.bp.blogspot.com\/-wBOH-JTS6s8\/WJ1FNiokhvI\/AAAAAAAATJQ\/ajnI4Y55CggMLWRwDvIHQB5BA-cdU2bcgCLcB\/s640\/deceptive%2Bsite%2B2.png\" title=\"Analyzing weird things forwarded by friends and family is a great way to keep my DFIR skills sharp.\" width=\"640\"\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EFriends and family regularly send me things they find suspicious or weird. 
Sometimes it turns out to be malicious, and other times perfectly fine, but I\u0026#39;m always glad to know I\u0026#39;ve instilled a proper degree of skepticism in my friends.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EMy willingness to help has an ulterior motive: aside from the \u0026quot;herd immunity\u0026quot; that comes from helping those around me stay safe, analyzing weird things they see helps me keep my own skills sharp. It also can alert me to new or resurging threats, such as the \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/10\/free-disney-world-tickets-nah-its.html\" target=\"_blank\"\u003EDisney theme park scams\u003C\/a\u003E so common around customary family travel periods.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EToday\u0026#39;s story is about a phish. A simple phish, but one with lots of red flags to call out, and that called to my attention some new features Google introduced in Chrome last month. As with many phish, this one begins with an email. 
Nothing fancy, just a brief memo that a voice message has arrived.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2017\/02\/quick-and-dirty-malicious-pdf-analysis.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4480438676170094689"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4480438676170094689"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2017\/02\/quick-and-dirty-malicious-pdf-analysis.html","title":"Quick and dirty malicious PDF analysis"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-wBOH-JTS6s8\/WJ1FNiokhvI\/AAAAAAAATJQ\/ajnI4Y55CggMLWRwDvIHQB5BA-cdU2bcgCLcB\/s72-c\/deceptive%2Bsite%2B2.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-1793760427145566514"},"published":{"$t":"2016-11-26T13:05:00.000-06:00"},"updated":{"$t":"2016-11-29T08:40:19.126-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social Networks"}],"title":{"type":"text","$t":"RIP Tom Hanks? 
No, it's a fake malware scam"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/3.bp.blogspot.com\/-KmBgcGQRhME\/WDnbEFj3-KI\/AAAAAAAASPk\/77iPHQ4m-EkPvVSJsSCMEKd5AYINPZDXgCLcB\/s1600\/rip_tomhanks_scam.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg alt=\"Tom Hanks is not dead. That doesn\u0026#39;t stop crooks from using news of his demise to attract victims.\" border=\"0\" src=\"https:\/\/3.bp.blogspot.com\/-KmBgcGQRhME\/WDnbEFj3-KI\/AAAAAAAASPk\/77iPHQ4m-EkPvVSJsSCMEKd5AYINPZDXgCLcB\/s1600\/rip_tomhanks_scam.png\" title=\"Tom Hanks is not dead. That doesn\u0026#39;t stop crooks from using news of his demise to attract victims.\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Ci\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EUpdated 29 November with additional context after I analyzed the malicious link. TL;DR: Tom Hanks is not dead, and the fake news link on Facebook leads to a malicious website. As an aside, Tom Hanks is not the first celebrity to be used in fake news scams, and I am sure he won\u0026#39;t be the last. 
Other recent malvertisements have claimed the demise of Harrison Ford, Sylvester Stallone, Beyonce, and even Facebook\u0026#39;s own CEO Mark Zuckerberg.\u003C\/span\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003ENo, Tom Hanks is not dead. However, a malicious advertisement circulating on Facebook over Thanksgiving weekend uses that headline as bait; readers that click the \u0026quot;news story\u0026quot; to find out more instead get more than they bargained for. \u003C\/span\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EInstead of a news article, the advertisement leads to a web page that blares an incessant alarm sound and displays the following warning message. As a clever twist, the malicious content itself imitates Google\u0026#39;s own malicious website warning. 
\u003C\/span\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EVictims that call the phone number on the screen will no doubt be instructed to pay a \u0026quot;Microsoft Technical Support\u0026quot; fee to have the malware removed - a twist on the classic technical support scam.\u003C\/span\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2016\/11\/tom-hanks-is-not-dead-ugly-malicious.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1793760427145566514"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1793760427145566514"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/11\/tom-hanks-is-not-dead-ugly-malicious.html","title":"RIP Tom Hanks? 
No, it's a fake malware scam"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-KmBgcGQRhME\/WDnbEFj3-KI\/AAAAAAAASPk\/77iPHQ4m-EkPvVSJsSCMEKd5AYINPZDXgCLcB\/s72-c\/rip_tomhanks_scam.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-6220190842982655685"},"published":{"$t":"2016-09-23T22:10:00.001-05:00"},"updated":{"$t":"2016-09-23T22:11:32.158-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Password Management"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social Networks"}],"title":{"type":"text","$t":"Monster DDoS, Yahoo woes, malware by mail - the week in review"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg border=\"0\" height=\"456\" src=\"https:\/\/3.bp.blogspot.com\/--A9OlcOlbpc\/V-XoCqJwSQI\/AAAAAAAARyY\/FTfcJT2sRagXRVRGlVlSanwtvGxdwG6CwCLcB\/s640\/fire.jpg\" width=\"640\"\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , 
sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Ci\u003EHere is a recap of some more notable cyber security stories this week, along with short and simple things you can do.\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2016\/09\/monster-ddos-yahoo-woes-malware-by-mail.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6220190842982655685"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6220190842982655685"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/09\/monster-ddos-yahoo-woes-malware-by-mail.html","title":"Monster DDoS, Yahoo woes, malware by mail - the week in review"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/--A9OlcOlbpc\/V-XoCqJwSQI\/AAAAAAAARyY\/FTfcJT2sRagXRVRGlVlSanwtvGxdwG6CwCLcB\/s72-c\/fire.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-8970249339828844394"},"published":{"$t":"2016-05-06T11:07:00.000-05:00"},"updated":{"$t":"2017-01-18T22:34:59.228-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Financial 
Fraud"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Identity Theft"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Password Management"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Email hacks, cute pet scams, and payroll fraud - the week in review"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003EHere is a recap of some more notable cyber security stories this week, along with short and simple things you can do.\u003C\/i\u003E\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E270 million email accounts hacked!\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe story: many news outlets are reporting that a Russian hacker \u003Ca href=\"http:\/\/phandroid.com\/2016\/05\/04\/gmail-accounts-compromised\/\" target=\"_blank\"\u003Estole passwords to over 270 million\u003C\/a\u003E GMail, Yahoo! Mail, Hotmail, and Mail.ru email accounts. The origin of the story is a company with a dubious track record, known for making a big deal out of questionable information. Most likely, the hacker does have 270 million passwords - but not necessarily accurate, current, or associated with email accounts. 
This seems to be a repackaging of a story from the same source 2 years ago - at that time claiming a \u003Ci\u003Ebillion \u003C\/i\u003Epasswords. In reality, these passwords came from many smaller breaches, over a period of many years, and many were not even to email accounts. Instead, perhaps a news website was compromised and the attacker stole the email address and password used to log in; the attacker makes an assumption that you used the same password for your email account as you used for the news website.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cb\u003EWhat you should do:\u003C\/b\u003E Don't panic. Do change your email account passwords just to be safe. Do use unique and long passwords for every account (or at least for any important accounts). Do set up \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/10\/grog-and-narg-teach-two-factor.html\" target=\"_blank\"\u003Etwo-factor authentication\u003C\/a\u003E (which requires a code sent to you via SMS\/text message, or an authentication app on your phone, to log in from any new location) for your email accounts.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ERead this post for \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/07\/your-password-isnt-as-strong-as-you.html\" target=\"_blank\"\u003Emore password advice\u003C\/a\u003E.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr 
\/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EFraudsters steal tax, salary data from ADP!\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe story: ADP provides payroll and benefits services for over a half million businesses. Cyber crime investigator Brian Krebs wrote of an \u003Ca href=\"http:\/\/krebsonsecurity.com\/2016\/05\/fraudsters-steal-tax-salary-data-from-adp\/\" target=\"_blank\"\u003Eincident affecting some ADP clients\u003C\/a\u003E. Client companies have the option of either pre-creating accounts for every employee, or of having employees create accounts themselves. In the latter case, the employee provides some information that presumably only the actual employee would know (social security number, date of birth, and a code provided by the employer). In some cases, employers evidently posted the company-specific code on a public website to make it easy for employees to sign up; if an attacker were able to obtain someone's social security number and date of birth, they could then create an account pretending to be that employee, and access all of the tax and salary information ADP holds for that employee - useful for tax return fraud among other schemes.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cb\u003EWhat you should do:\u003C\/b\u003E This only affects ADP client companies that require their employees to sign up for online payroll and benefits services. 
The simplest defense is to create your online account with your payroll service immediately upon starting a new job - if you do it first, a hacker cannot pretend to be you.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E10 year old kid gets $10,000 for hacking Instagram!\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003EThe story: this is actually a great positive story. Facebook awarded a 10-year-old Finnish student with the equivalent of $10,000 USD for finding and reporting a flaw in Instagram (which Facebook owns). Under the flaw, a hacker could \u003Ca href=\"http:\/\/arstechnica.co.uk\/security\/2016\/05\/facebook-schoolboy-bug-bounty-justin-bieber-instragram-hack\/\" target=\"_blank\"\u003Edelete any other people's comments\u003C\/a\u003E. Thanks to this young researcher, Facebook fixed the flaw so it cannot be exploited by those with nefarious intention. I've seen other companies disqualify bug bounty reports from underage submitters. Kudos to Facebook for giving young ones incentive to not go to the Dark Side!\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cb\u003EWhat you should do\u003C\/b\u003E: Nothing! 
The flaw has already been fixed by Facebook.\u003Cbr \/\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cbr \/\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EWi-Fi network named \"mobile detonation device\" freaks out passengers!\u003C\/span\u003E\u003C\/h4\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe story: Passengers on an Australian airline turned on their wireless devices to connect to the in-flight movie system, and freaked when they saw a hotspot named \"mobile detonation device.\" The airline quickly ushered passengers off the plane while they investigated. As far as has been stated publicly, the device advertising that name was never identified, and eventually the flight did go on.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cb\u003EWhat you should do\u003C\/b\u003E: How about not naming your mobile phone wi-fi hotspot something that will cause panic and possibly get you arrested?\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ECute puppies and kittens lead to online scams!\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe story: UK fraud and cyber crime reporting center ActionFraud writes of an \u003Ca 
href=\"http:\/\/www.actionfraud.police.uk\/news\/alert-fake-puppies-and-kittens-for-sale-online-apr16\" target=\"_blank\"\u003Eincrease in pets offered for sale\u003C\/a\u003E through online auction websites. Often, the animal comes with a sad story about how it is in a faraway location and needs a new home, along with transportation to that new home. The unsuspecting buyer wins the auction, pays for the animal, and then is asked to pay more vet, boarding, or transportation fees. The buyer though never actually gets the animal - the pet for sale is usually merely a picture taken off a public social media post, of a happily homed pet.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cb\u003EWhat you should do\u003C\/b\u003E: Don't buy a pet through an online auction. Your local animal rescue or SPCA no doubt has plenty of sweet animals looking for new homes.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Ch4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThousands of WordPress blogs redirect readers to malware!\u003C\/span\u003E\u003C\/h4\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe story: Security research firm Sucuri found a clever malware campaign that exploits WordPress blog sites whose operators haven't paid attention to security updates. 
The attackers compromise the blog sites, and add a piece of code that randomly redirects some but not all users to a website controlled by the attacker. If you are one of the unlucky few, the attacker's website attempts to trick you into downloading a fake software update that is actually malware.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cb\u003EWhat you should do\u003C\/b\u003E: Two things. First, if a website asks you to install a software update, be very skeptical. Most modern software will automatically update in the background, and may display a notice in your system tray; a website popup with a software update is usually fake. Second, I am a huge fan of OpenDNS, a service that simply doesn't let your browser go to known bad sites. Read this post for a simple, \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/10\/dns-simple-way-to-stop-malicious-web.html\" target=\"_blank\"\u003Estep-by-step guide to setting up OpenDNS.\u003C\/a\u003E It's not as hard as you think.\u003C\/span\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/8970249339828844394"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/8970249339828844394"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/05\/email-hacks-cute-pet-scams-and-payroll.html","title":"Email hacks, cute pet scams, and payroll fraud - the week in 
review"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}]},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-4170474258763432065"},"published":{"$t":"2016-04-05T14:12:00.001-05:00"},"updated":{"$t":"2017-01-18T22:40:52.797-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bank and Credit Card Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Financial Fraud"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Mobile Device Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Password Management"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"A great debate: is a smartphone really a second factor?"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/twitter.com\/johnnysunshine\/status\/708000062786248704\" target=\"_blank\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg border=\"0\" src=\"https:\/\/4.bp.blogspot.com\/-BU49A4zbe6g\/VuOeY8SF0EI\/AAAAAAAAORk\/RNul9yTqRuQ3oYY_ZV8dXRsvm6duuaDEA\/s1600\/phone-2fa-question.jpg\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cdiv class=\"separator\" 
style=\"clear: both; text-align: center;\"\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EHere\u0026#39;s a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro \u003Ca href=\"https:\/\/twitter.com\/johnnysunshine\" target=\"_blank\"\u003E@johnnysunshine\u003C\/a\u003E tweeted the above last week, and sparked a lively debate.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003EBefore answering the question, let\u0026#39;s back up a bit and explain two-factor authentication (or 2fa). To borrow \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/10\/grog-and-narg-teach-two-factor.html\" target=\"_blank\"\u003Ean analogy I first used two years ago\u003C\/a\u003E: 10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. 
Thus occurred the first password breach.\u003C\/span\u003E\u003Cbr\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EPasswords can be stolen though, whether through a server database breach, or via a \u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2015\/06\/please-oh-please-wont-you-phish-me.html\" target=\"_blank\"\u003Ephishing scam\u003C\/a\u003E, or by keylogging malware that captures the password as you enter it into a webpage. If a password is the only thing protecting your account, then a stolen password lets an attacker pretend to be you. If the attacker knows the right password, the server or website has no way of knowing it\u0026#39;s an impostor.\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EBy adding a second factor - something you physically possess (an identification card, or a token generator, or - the crux of today\u0026#39;s question - a phone), the bar for an attacker is raised. Individually, each factor might be relatively easy to defeat. Gaining access to both a password and a device at the same time though takes more effort, and is far less likely. 
Not impossible, but less likely.\u003C\/span\u003E\u003Cbr\u003E\u003C\/div\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2016\/04\/a-great-debate-is-smartphone-really.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4170474258763432065"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4170474258763432065"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/04\/a-great-debate-is-smartphone-really.html","title":"A great debate: is a smartphone really a second factor?"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-BU49A4zbe6g\/VuOeY8SF0EI\/AAAAAAAAORk\/RNul9yTqRuQ3oYY_ZV8dXRsvm6duuaDEA\/s72-c\/phone-2fa-question.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-1568661763777982733"},"published":{"$t":"2016-03-28T11:54:00.000-05:00"},"updated":{"$t":"2017-01-18T22:45:10.051-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Mobile Device Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Phishing"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Malware-laden \"speeding ticket\" emails crafted using GPS data from users' own 
phone"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EOver the weekend, I came across an \u003Ca href=\"https:\/\/chester.crimewatchpa.com\/tredyffrinpd\/7372\/post\/scam-alert-speeding-ticket-email-scam\"\u003Eingenious phishing scam\u003C\/a\u003E seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving email claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permissions to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app, or a malicious app built for the scam).\u003Cbr\u003E\u003Cbr\u003ETargeted victims receive an email similar to the following:\u003Cbr\u003E\u003Cbr\u003E\u003Cimg border=\"0\" src=\"https:\/\/1.bp.blogspot.com\/-eBArP8y0qTI\/VvldEYVAX2I\/AAAAAAAAO1E\/13U9FO0cMCcAjK8ktzA0bw7N9VzE_-EHQ\/s1600\/tredyffrin.jpg\"\u003E\u003Cbr\u003E\u003Cbr\u003EAs the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a \u0026quot;free mobility or traffic APP\u0026quot; is involved. 
The attached \u0026quot;infraction statement\u0026quot; does not actually contain a license image nor any means of paying a fine; instead, it contains malware.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2016\/03\/malware-laden-speeding-ticket-emails.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1568661763777982733"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1568661763777982733"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/03\/malware-laden-speeding-ticket-emails.html","title":"Malware-laden \"speeding ticket\" emails crafted using GPS data from users' own phone"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/1.bp.blogspot.com\/-eBArP8y0qTI\/VvldEYVAX2I\/AAAAAAAAO1E\/13U9FO0cMCcAjK8ktzA0bw7N9VzE_-EHQ\/s72-c\/tredyffrin.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-2456478067635848706"},"published":{"$t":"2016-02-29T15:45:00.001-06:00"},"updated":{"$t":"2016-02-29T15:46:19.930-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Encryption"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Internet of Things"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Mobile Device 
Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Cloud apps: easy file sharing, easy ransomware sharing"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EHere's something to keep in mind when sharing files and storage with others: the mistakes of others can put you at risk.\u003Cbr \/\u003E\u003Cbr \/\u003EThere's not a lot of detail in this report, but it mentions cases where \u003Ca href=\"http:\/\/www.scmagazine.com\/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps\/article\/479572\/\"\u003Eransomware has spread through shared cloud storage\u003C\/a\u003E (think iCloud, Dropbox, or Google Drive). If your friend or family member becomes infected, and you sync to the same shared account, you might unknowingly infect your device.\u003Cbr \/\u003E\u003Cbr \/\u003ERansomware is the current scourge of the Internet. Ransomware is malware that encrypts your personal data such as irreplaceable photos, documents, and financial records, making them unusable. It then charges a ransom fee to decrypt the files so you can use them again. The only fully reliable protection against this threat is a current and complete backup of your important data, stored somewhere out of the reach of the malware. Without such a backup, your only choices may be to pay the ransom or sacrifice the data forever.\u003Cbr \/\u003E\u003Cbr \/\u003EWhile I have not personally experienced ransomware spreading in this manner, I did have an \"oh crap\" moment once when a child deleted music from a shared drive. I had set up a sizable library of (legally-owned!) 
music that they could download to their devices, and taught them how to use a mobile SMB client to browse the server; alas I was not clear enough in showing them the difference between \"local device\" and \"shared server.\" When they wanted to remove music from their devices to make room for something new, one of them accidentally deleted some content from my server.\u003Cbr \/\u003E\u003Cbr \/\u003EThe point is, when sharing things with others, think of how their mistakes can put you at risk. In the music share scenario that I mentioned, I quickly learned to set the share so that my kids could only download music from it, but not change anything on the share itself. Only I could modify the contents of the share, and only from a PC that I controlled. \u003Cbr \/\u003E\u003Cbr \/\u003ESimilarly, you may consider whether sharing data in a read-only form is appropriate for your needs.\u003C\/span\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2456478067635848706"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2456478067635848706"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2016\/02\/cloud-apps-easy-file-sharing-easy.html","title":"Cloud apps: easy file sharing, easy ransomware sharing"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}]},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-4806376162251487341"},"published":{"$t":"2015-12-07T12:45:00.001-06:00"},"updated":{"$t":"2017-01-20T20:30:09.536-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital 
Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Phishing"}],"title":{"type":"text","$t":"Malware freeloading on security pros' good name?"},"content":{"type":"html","$t":"\u003Ci\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EThe following are notes about something I am investigating, and for which I don\u0026#39;t yet have a conclusion. I am sharing in the hopes that perhaps some of my readers have seen this as well and might have some insight into the purpose or delivery mechanism. Of note, each example hosts the malicious download link on *.appspot.com\u003C\/span\u003E\u003C\/i\u003E\u003Cbr\u003E\u003Ci\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/i\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EI have a variety of Google Alerts queries set up to alert me to mentions of my blog or my name on the Internet. I frequently get notices for news articles about a David Longenecker who happens to be the fire chief in Lancaster, Pennsylvania, but that\u0026#39;s not my point today.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EDecember 7, Alerts informed me of three documents on Google Docs. 
These documents contain a long list of excerpts and headlines from various security writers, including some from my own blog. They also contain links to a likely-malicious website.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003EThe first two documents contain headlines and excerpts about security flaws in Adobe Flash Player, along with a link to download an \u0026quot;update\u0026quot; for Flash; the third document is similar, but refers to Asus wireless router firmware instead of Adobe Flash. Below is a screenshot of one document:\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/4.bp.blogspot.com\/-_j1_hVetK_w\/VmXP1G3VsvI\/AAAAAAAAMpo\/99S7Lm1rUZA\/s1600\/mal-word-flash.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cimg border=\"0\" height=\"634\" src=\"https:\/\/4.bp.blogspot.com\/-_j1_hVetK_w\/VmXP1G3VsvI\/AAAAAAAAMpo\/99S7Lm1rUZA\/s640\/mal-word-flash.png\" width=\"640\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , 
\u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/12\/malware-freeloading-on-security-pros.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4806376162251487341"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4806376162251487341"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/12\/malware-freeloading-on-security-pros.html","title":"Malware freeloading on security pros' good name?"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-_j1_hVetK_w\/VmXP1G3VsvI\/AAAAAAAAMpo\/99S7Lm1rUZA\/s72-c\/mal-word-flash.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-880001259623249903"},"published":{"$t":"2015-07-07T09:58:00.001-05:00"},"updated":{"$t":"2017-01-19T21:41:00.957-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Hacking"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"}],"title":{"type":"text","$t":"Hacking Team: Words of caution regarding dirty laundry"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; 
margin-left: 1em; margin-right: 1em;\"\u003E\u003Ca href=\"https:\/\/1.bp.blogspot.com\/-NvFy5fUgZOo\/VZvMOCcgMRI\/AAAAAAAAH1E\/zhFkJ_-U4tc\/s1600\/hacked_team.jpg\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg alt=\"Hacking Team, a notorious hacking firm with a rather dubious reputation, finds themselves the victim of a thorough hack.\" border=\"0\" height=\"358\" src=\"https:\/\/1.bp.blogspot.com\/-NvFy5fUgZOo\/VZvMOCcgMRI\/AAAAAAAAH1E\/zhFkJ_-U4tc\/s640\/hacked_team.jpg\" title=\"Hacking Team, a notorious hacking firm with a rather dubious reputation, finds themselves the victim of a thorough hack.\" width=\"640\"\u003E\u003C\/a\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EWhen a notorious hacking firm with a rather dubious reputation is themselves the victim of a thorough hack, what happens with their dirty laundry? More to the point, what is appropriate with their dirty laundry?\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EHacking Team is an Italian security company that develops and sells surveillance and malware tools, in many cases to governments and law enforcement organizations. 
While the company claims to sell only to \u0026quot;ethical\u0026quot; governments, there has long been evidence of their tools being \u003Ca href=\"https:\/\/www.schneier.com\/blog\/archives\/2014\/06\/more_on_hacking.html\" target=\"_blank\"\u003Eused by questionable\u003C\/a\u003E, if not outright oppressive, regimes.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ESunday evening my Twitter timeline lit up with reports that Hacking Team had themselves been the subject of a severe hack, with 400 gigabytes of company data stolen and shared publicly on the Internet. This data included company email, contracts, customer lists, passwords, malware exploits, and source code for their surveillance products.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe released data may have included much more.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/07\/hacking-team-words-of-caution-regarding.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/880001259623249903"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/880001259623249903"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/07\/hacking-team-words-of-caution-regarding.html","title":"Hacking Team: Words of caution regarding dirty 
laundry"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/1.bp.blogspot.com\/-NvFy5fUgZOo\/VZvMOCcgMRI\/AAAAAAAAH1E\/zhFkJ_-U4tc\/s72-c\/hacked_team.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-2590437504980511336"},"published":{"$t":"2015-04-30T10:14:00.002-05:00"},"updated":{"$t":"2017-01-13T22:13:51.485-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bank and Credit Card Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Financial Fraud"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Internet of Things"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Mobile Device Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Privacy"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Transportation Authorities"}],"title":{"type":"text","$t":"Lessons from CSI:Cyber"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/3.bp.blogspot.com\/-LIL_e5PwMDk\/VUJFk58KuPI\/AAAAAAAAHWE\/BqiR2A-mTvM\/s1600\/csi-cyber.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cimg alt=\"Unrealistic scenarios aside, CSI: cyber is doing some good by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital 
forensic analysts.\" border=\"0\" height=\"158\" src=\"https:\/\/3.bp.blogspot.com\/-LIL_e5PwMDk\/VUJFk58KuPI\/AAAAAAAAHWE\/BqiR2A-mTvM\/s1600\/csi-cyber.jpg\" title=\"Unrealistic scenarios aside, CSI: cyber is doing some good by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital forensic analysts.\" width=\"200\"\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe CSI: franchise has been a very successful television endeavor, combining entertainment with a view into how forensic science is used to identify and prosecute criminals. Needless to say, creative liberty is taken to fit a story into a 42 minute episode, but it never pretended to be instructional. It\u0026#39;s TV, not a college class. I have no training in pathology or chemical analysis, and only a basic background in the physics of force and motion, but I\u0026#39;ve been involved in cyber technologies since before \u0026quot;cyber\u0026quot; was a household term.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThere has been considerable complaint from my industry over the way CSI: Cyber sensationalizes real events, and invents wholly unrealistic threats, for the sake of entertainment. I get it - I really do. The daily grind of a real cyber expert is not nearly as exciting as an action-packed TV episode. Hours of digging through logs or interpreting a pcap (a record of network traffic) wouldn\u0026#39;t make for very exciting television. As researcher\/hacker Charlie Miller recently said on Twitter, real hacking doesn\u0026#39;t happen in the span of a 42-minute made-for-TV episode. 
It is the result of days, weeks, or even years of research, learning, and poking at a topic.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/04\/lessons-from-csicyber.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2590437504980511336"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/2590437504980511336"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/04\/lessons-from-csicyber.html","title":"Lessons from CSI:Cyber"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-LIL_e5PwMDk\/VUJFk58KuPI\/AAAAAAAAHWE\/BqiR2A-mTvM\/s72-c\/csi-cyber.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-659153898752632303"},"published":{"$t":"2015-03-31T09:41:00.000-05:00"},"updated":{"$t":"2017-01-21T09:59:03.507-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Tech Tips"}],"title":{"type":"text","$t":"Needle in a haystack: searching from the Windows command line"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/2.bp.blogspot.com\/-pW7xl6EaKi8\/VRqxFmRHF2I\/AAAAAAAAHK4\/nY8ZpTx4L40\/s1600\/haystack.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; 
margin-right: 1em;\"\u003E\u003Cimg alt=\"A key part of security involves basic command line skills. Read on for some tips for command-line searches on Windows.\" border=\"0\" height=\"132\" src=\"https:\/\/2.bp.blogspot.com\/-pW7xl6EaKi8\/VRqxFmRHF2I\/AAAAAAAAHK4\/nY8ZpTx4L40\/s1600\/haystack.jpg\" title=\"A key part of security involves basic command line skills. Read on for some tips for command-line searches on Windows.\" width=\"200\"\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EPart of network security involves fancy technology, specialized devices, and ever-advancing techniques. The crooks are constantly improving their craft, and so must the defenders. But an equally important part of security involves mundane and boring tasks, tasks such as looking through log files for indications that something undesirable happened or that someone has gained unauthorized access - i.e. Forensics 101.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThere are a myriad tools available for searching, whether on Windows, Linux, or Mac. I am of the opinion that a security expert (or system administrator) needs to understand the command line and built-in tools first. There are times when you don\u0026#39;t have the luxury of installing or using custom tools and have to make do with what comes on the operating system. 
If that system is Windows, you get Find and Findstr.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/03\/a-needle-in-haystack-searching-from.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/659153898752632303"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/659153898752632303"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/03\/a-needle-in-haystack-searching-from.html","title":"Needle in a haystack: searching from the Windows command line"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/2.bp.blogspot.com\/-pW7xl6EaKi8\/VRqxFmRHF2I\/AAAAAAAAHK4\/nY8ZpTx4L40\/s72-c\/haystack.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-204568441357644877"},"published":{"$t":"2015-02-19T09:09:00.001-06:00"},"updated":{"$t":"2017-01-17T22:02:58.182-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Encryption"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Privacy"}],"title":{"type":"text","$t":"Lenovo PCs preloaded with \"Superfish\" malware that breaks security"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca 
href=\"https:\/\/1.bp.blogspot.com\/-8uTNIsZOCkM\/VOXy8roLjiI\/AAAAAAAAGo4\/KhHGf4JhRMM\/s1600\/fish-308927_1280.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cimg alt=\"Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing Superfish adware that breaks otherwise secure HTTPS website connections. \" border=\"0\" height=\"151\" src=\"https:\/\/1.bp.blogspot.com\/-8uTNIsZOCkM\/VOXy8roLjiI\/AAAAAAAAGo4\/KhHGf4JhRMM\/s1600\/fish-308927_1280.jpg\" title=\"Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing Superfish adware that breaks otherwise secure HTTPS website connections. \" width=\"200\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ETechnology and security are rife with \u003Ca href=\"https:\/\/securityforrealpeople.com\/2015\/02\/shades-of-grey.html\"\u003Eshades of grey\u003C\/a\u003E. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing adware that breaks otherwise secure HTTPS website connections.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003ERecent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. 
The \u0026quot;VisualDiscovery\u0026quot; adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/02\/lenovo-pcs-preloaded-with-superfish.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/204568441357644877"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/204568441357644877"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/02\/lenovo-pcs-preloaded-with-superfish.html","title":"Lenovo PCs preloaded with \"Superfish\" malware that breaks security"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/1.bp.blogspot.com\/-8uTNIsZOCkM\/VOXy8roLjiI\/AAAAAAAAGo4\/KhHGf4JhRMM\/s72-c\/fish-308927_1280.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-7225606092935334890"},"published":{"$t":"2015-02-12T14:06:00.001-06:00"},"updated":{"$t":"2017-01-16T22:43:55.149-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Hacking"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Internet of Things"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word 
Security"}],"title":{"type":"text","$t":"Shades of Grey"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/4.bp.blogspot.com\/-I4M9pSsWsdE\/VNz29f_4o-I\/AAAAAAAAGcc\/WZKn9lzN07k\/s1600\/shadesofgrey-banner.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cimg alt=\"It may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. More often, it is filled with shades of grey. \" border=\"0\" src=\"https:\/\/3.bp.blogspot.com\/-1jS044vPmww\/VNz29Y7rqEI\/AAAAAAAAGcY\/KADHAh004rU\/s1600\/shadesofgrey-banner-200.jpg\" title=\"It may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. More often, it is filled with shades of grey. \"\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EI frequently write about malware, spam, credit card fraud, and various computer crimes. In my and others\u0026#39; writing it may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. 
More often, it is filled with shades of grey.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/02\/shades-of-grey.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7225606092935334890"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7225606092935334890"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/02\/shades-of-grey.html","title":"Shades of Grey"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-1jS044vPmww\/VNz29Y7rqEI\/AAAAAAAAGcY\/KADHAh004rU\/s72-c\/shadesofgrey-banner-200.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-1878053754038805126"},"published":{"$t":"2015-02-01T12:00:00.000-06:00"},"updated":{"$t":"2017-01-21T19:50:58.571-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Small Word Security"}],"title":{"type":"text","$t":"Don't get flashed by Flash"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/4.bp.blogspot.com\/-eIHFKxcgfl0\/VM_Iq188J2I\/AAAAAAAAGVI\/Q9khkH0W_Ww\/s1600\/flash-logo.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 
1em; margin-right: 1em;\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cimg alt=\"Flash Player is a common browser plug-in for rich content, but is also a common method of \u0026quot;drive-by\u0026quot; infection. Here are some security tips.\" border=\"0\" height=\"195\" src=\"https:\/\/4.bp.blogspot.com\/-eIHFKxcgfl0\/VM_Iq188J2I\/AAAAAAAAGVI\/Q9khkH0W_Ww\/s1600\/flash-logo.jpg\" title=\"Flash Player is a common browser plug-in for rich content, but is also a common method of \u0026quot;drive-by\u0026quot; infection. Here are some security tips.\" width=\"200\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003E\u003Cb\u003EThis article was written in the context of a series of Flash exploits in early 2015, but in Chrome the same technique of making plug-ins click-to-play will block drive-by exploits against any plug-in, including Windows Media Player, because the plug-in never loads until you choose to run it. It does not protect you if you click to run plug-in content on a site you don\u0026#39;t trust.\u003C\/b\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EAdobe Flash Player is a common browser enhancement that enables so-called \u0026quot;rich web content\u0026quot; - animations, video, in-browser games, interactive advertisements, and more. It\u0026#39;s also a top target for attackers - a malicious Flash file that launches automatically when a web page loads can exploit a flaw in the player and take over your computer. 
Over the last few weeks, there has been a \u003Ca href=\"https:\/\/www.f-secure.com\/weblog\/archives\/00002785.html\" target=\"_blank\"\u003Eseries of malware outbreaks\u003C\/a\u003E exploiting vulnerabilities in Flash to infect unsuspecting people\u0026#39;s computers.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EWith a vulnerable version of Flash installed, all it takes is browsing to a compromised website to become infected yourself. There\u0026#39;s no way of knowing in advance if a site is compromised: in fact, a common infection method lately is to insert a malicious Flash file into an advertising network (so-called malvertising), which may be used by hundreds if not thousands of otherwise benign websites. Visit a normally-safe site whose ad network has been compromised, and your PC can become infected as soon as the page loads, with no click required.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/02\/dont-get-flashed-by-flash.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1878053754038805126"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1878053754038805126"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/02\/dont-get-flashed-by-flash.html","title":"Don't get flashed by 
Flash"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-eIHFKxcgfl0\/VM_Iq188J2I\/AAAAAAAAGVI\/Q9khkH0W_Ww\/s72-c\/flash-logo.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-728901545363154241"},"published":{"$t":"2015-01-02T13:36:00.000-06:00"},"updated":{"$t":"2017-01-15T15:54:55.579-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Faith Family \u0026 Fun"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Weekend Projects"}],"title":{"type":"text","$t":"Detecting malware through DNS queries: a Kali Pi \/ Snort project"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;\"\u003E\u003Cimg alt=\"With Kali and Snort running on a Raspberry Pi, and using OpenDNS for name resolution, we can set up simple malware detection alerts.\" border=\"0\" height=\"136\" src=\"https:\/\/4.bp.blogspot.com\/-6Q1xt4wikX8\/VJNUzhXUezI\/AAAAAAAAFxs\/4jucpE6-xec\/s1600\/pi_top_sm.jpg\" title=\"With Kali and Snort running on a Raspberry Pi, and using OpenDNS for name resolution, we can set up simple malware detection alerts.\" width=\"200\"\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , 
sans-serif;\"\u003EEarlier this year I wrote about building a minuscule hacking computer by installing \u003C\/span\u003E\u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2014\/09\/installing-kali-linux-and-snort-on.html\" style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EKali and Snort onto a Raspberry Pi\u003C\/a\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E. I also wrote about building a \u003C\/span\u003E\u003Ca href=\"https:\/\/www.securityforrealpeople.com\/2014\/09\/how-to-build-10-network-tap.html\" style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003Ehomemade passive network tap\u003C\/a\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E out of $10 in spare parts. Having a piece of equipment to capture network traffic is nice, but what good does it do? Today I am going to take you on a winding path through a variety of topics, putting these projects to good practical use. 
My ultimate goal is to detect possibly-infected computers on a network.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;helvetica neue\u0026quot; , \u0026quot;arial\u0026quot; , \u0026quot;helvetica\u0026quot; , sans-serif;\"\u003Etl;dr: download local.rules from \u003Ca href=\"https:\/\/github.com\/dnlongen\/Snort-DNS\" target=\"_blank\"\u003Ehttps:\/\/github.com\/dnlongen\/Snort-DNS\u003C\/a\u003E and add to your Snort installation; this will trigger an alert on DNS responses from OpenDNS that indicate likely malware, phishing, or adult content.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2015\/01\/detecting-malware-through-dns-queries.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/728901545363154241"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/728901545363154241"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2015\/01\/detecting-malware-through-dns-queries.html","title":"Detecting malware through DNS queries: a Kali Pi \/ Snort 
project"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-6Q1xt4wikX8\/VJNUzhXUezI\/AAAAAAAAFxs\/4jucpE6-xec\/s72-c\/pi_top_sm.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-6132328139928643581"},"published":{"$t":"2014-12-18T07:46:00.000-06:00"},"updated":{"$t":"2017-01-17T19:12:59.806-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Asus"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Awana and Kidmin"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Bank and Credit Card Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Faith Family \u0026 Fun"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Identity Theft"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Parenting"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Password Management"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Phishing"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"}],"title":{"type":"text","$t":"A look back: 4 years, 100 posts"},"content":{"type":"html","$t":"\u003Cdiv\u003E\u003Cspan style=\"clear: left; float: left; font-family: Helvetica Neue, Arial, Helvetica, sans-serif; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cimg alt=\"\" border=\"0\" height=\"200\" src=\"https:\/\/3.bp.blogspot.com\/-VlwrqBMn2F0\/VJH38Klts2I\/AAAAAAAAFtc\/5doHVgiLRAo\/s1600\/100posts.jpg\" title=\"A look back at 4 years 
and 100 stories on (mostly) security topics\" width=\"139\"\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EOver the last 4 years, this blog has covered a lot of ground. We\u0026#39;ve looked at safe surfing practices when using the Internet in a public location. We\u0026#39;ve looked at how to set up a home network to be reasonably secure. We\u0026#39;ve talked about password practices, and the value of two-factor authentication to secure more valuable accounts. We\u0026#39;ve discussed a rash of credit card thefts at major retailers. We\u0026#39;ve seen several severe flaws in services used widely on the Internet. This blog has even published several vulnerabilities and website flaws discovered by yours truly.\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003EMy goal in writing is two-fold: I write technical content in the hopes that other professionals will find value, but I also endeavor to educate those that have not made a career out of information security. 
To that end, if there is a topic you would like to know more about, or a topic I have not explained as clearly as you would like, I invite you to comment on this or any post, or send me a message at david (at) securityforrealpeople (dot) com.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003EWithout further ado, a highly biased revue of top topics:\u003C\/span\u003E\u003Cbr\u003E\u003C\/div\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/12\/a-look-back-4-years-100-posts.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6132328139928643581"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/6132328139928643581"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/12\/a-look-back-4-years-100-posts.html","title":"A look back: 4 years, 100 posts"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-VlwrqBMn2F0\/VJH38Klts2I\/AAAAAAAAFtc\/5doHVgiLRAo\/s72-c\/100posts.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-3032251180905151235"},"published":{"$t":"2014-10-24T20:13:00.000-05:00"},"updated":{"$t":"2017-01-22T19:21:05.292-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital 
Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"}],"title":{"type":"text","$t":"Would you know if your email server were attacked?"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003E\u003Cspan style=\"font-size: x-small;\"\u003EThis is a continuation of a series investigating a piece of malware.\u003C\/span\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cul\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/from-click-to-pwned.html\" target=\"_blank\"\u003EPart 1\u003C\/a\u003E looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/an-introduction-to-malware-forensics.html\" target=\"_blank\"\u003EPart 2\u003C\/a\u003E analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker\u0026#39;s bidding.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/where-does-all-spam-come-from.html\" target=\"_blank\"\u003EPart 3\u003C\/a\u003E dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003C\/ul\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EI had 
thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an \u0026quot;invoice\u0026quot; for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EDiscovering and writing about criminal mischief is great, but if that\u0026#39;s where I stopped, I\u0026#39;m just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. 
Writing this blog series was the teaching part; as for the fixing part, that is where today\u0026#39;s story picks up.\u003C\/span\u003E\u003Cbr\u003E\u003C\/div\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/10\/would-you-know-if-your-email-server.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3032251180905151235"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3032251180905151235"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/10\/would-you-know-if-your-email-server.html","title":"Would you know if your email server were attacked?"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}]},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-4391296812546818692"},"published":{"$t":"2014-10-23T09:11:00.001-05:00"},"updated":{"$t":"2017-01-21T14:46:15.852-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"}],"title":{"type":"text","$t":"Where does all the spam come from?"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" imageanchor=\"1\" style=\"clear: right; float: right; margin-bottom: 1em; margin-left: 
1em;\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cimg alt=\"\" border=\"0\" height=\"200\" src=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" title=\"This is part three in a series dissecting the Gamarue botnet agent. This post describes a payload delivered to the infected bot, which systematically probes 5,000 domains to determine which have open SMTP relays that could be abused to send yet more spam.\" width=\"200\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003E\u003Cspan style=\"font-size: x-small;\"\u003EThis is part 3 in a series investigating a particular piece of malware.\u003C\/span\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cul\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/from-click-to-pwned.html\" target=\"_blank\"\u003EPart 1\u003C\/a\u003E looks at how the malware is delivered. 
It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/an-introduction-to-malware-forensics.html\" target=\"_blank\"\u003EPart 2\u003C\/a\u003E analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker\u0026#39;s bidding.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003EPart 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003C\/ul\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EEver wondered how spam ends up in your inbox, or how spammers come up with the email addresses from which to send spam? The spammer needs a few things in order to send messages: obviously he needs a list of target email addresses to send messages to; those can be bought on the dark market at very little cost. Unless he wants to send email from his own server though, he also needs an abuseable email relay server and spoofed source address. Why? 
Two reasons – not every Internet provider would turn a blind eye to a spammer sending millions of malicious emails, and he can gain far more capacity by sending mail through thousands of open relays.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/10\/where-does-all-spam-come-from.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4391296812546818692"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4391296812546818692"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/10\/where-does-all-spam-come-from.html","title":"Where does all the spam come from?"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s72-c\/Package_FLLG.PDF_.scr_0000.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-3152565268021252999"},"published":{"$t":"2014-10-23T08:31:00.000-05:00"},"updated":{"$t":"2017-01-17T19:18:10.146-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social Engineering"}],"title":{"type":"text","$t":"From click to pwned"},"content":{"type":"html","$t":"\u003Ca 
href=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" imageanchor=\"1\" style=\"clear: right; float: right; margin-bottom: 1em; margin-left: 1em;\"\u003E\u003Cimg alt=\"\" border=\"0\" height=\"200\" src=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" title=\"Part 1 in a series dissecting a particular botnet, this article discusses some of the tactics malware uses to infect new systems. One of the most popular approaches is tricking the end user into clicking a malicious link.\" width=\"200\"\u003E\u003C\/a\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003E\u003Cspan style=\"font-size: x-small;\"\u003EThis is part 1 in a series investigating a particular piece of malware.\u003C\/span\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cul\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003EPart 1 looks at how the malware is delivered. 
It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/an-introduction-to-malware-forensics.html\" target=\"_blank\"\u003EPart 2\u003C\/a\u003E analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker\u0026#39;s bidding.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/where-does-all-spam-come-from.html\" target=\"_blank\"\u003EPart 3\u003C\/a\u003E dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003C\/ul\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EMalware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. 
I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EIf you don\u0026#39;t want to read through the technical details, here\u0026#39;s the short version: don\u0026#39;t click links or open attachments in unexpected email, don\u0026#39;t trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, \u003Cb\u003E\u003Cspan style=\"color: red;\"\u003Edon\u0026#39;t click the link.\u003C\/span\u003E\u003C\/b\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/10\/from-click-to-pwned.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3152565268021252999"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3152565268021252999"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/10\/from-click-to-pwned.html","title":"From click to 
pwned"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s72-c\/Package_FLLG.PDF_.scr_0000.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-4812753036862215057"},"published":{"$t":"2014-10-22T07:51:00.000-05:00"},"updated":{"$t":"2017-01-21T14:50:40.541-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"}],"title":{"type":"text","$t":"An introduction to malware forensics"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" imageanchor=\"1\" style=\"clear: right; float: right; margin-bottom: 1em; margin-left: 1em;\"\u003E\u003Cimg alt=\"\" border=\"0\" height=\"200\" src=\"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s1600\/Package_FLLG.PDF_.scr_0000.png\" title=\"Part 2 in a series dissecting a particular botnet agent, this post begins a forensic analysis of the downloaded malicious agent, looking at what it does to the computer, and what it does on the network.\" width=\"200\"\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Ci\u003E\u003Cspan style=\"font-size: x-small;\"\u003EThis is part 2 in a series investigating a 
particular piece of malware.\u003C\/span\u003E\u003C\/i\u003E\u003C\/span\u003E\u003Cbr\u003E\u003Cul\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/from-click-to-pwned.html\" target=\"_blank\"\u003EPart 1\u003C\/a\u003E looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003EPart 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker\u0026#39;s bidding.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003Cli\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-small;\"\u003E\u003Ci\u003E\u003Ca href=\"https:\/\/securityforrealpeople.com\/2014\/10\/where-does-all-spam-come-from.html\" target=\"_blank\"\u003EPart 3\u003C\/a\u003E dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.\u003C\/i\u003E\u003C\/span\u003E\u003C\/li\u003E\u003C\/ul\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EIn my last post, we looked at a fairly typical spam message used to deliver malware to unsuspecting users. This message played on psychology (aka social engineering) to trick the reader - a confirmation message for an expensive purchase (in this case, about $1,600), with a link to retrieve the \u0026quot;invoice\u0026quot; (actually the malware). 
It used Google redirectors to avoid a suspicious-looking link to DropBox or some random web site.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EOnce the reader clicks the link and allows it to download and run, their computer becomes infected with a botnet agent. In this post, I downloaded the malware into a virtual environment to do some analysis.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/10\/an-introduction-to-malware-forensics.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4812753036862215057"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/4812753036862215057"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/10\/an-introduction-to-malware-forensics.html","title":"An introduction to malware forensics"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/4.bp.blogspot.com\/-2dhH535xnWw\/VEbAtKBqBaI\/AAAAAAAAFH8\/06vu82t0Ius\/s72-c\/Package_FLLG.PDF_.scr_0000.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-1038811880496625530"},"published":{"$t":"2014-07-11T15:19:00.001-05:00"},"updated":{"$t":"2017-01-15T15:34:26.675-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital 
Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"}],"title":{"type":"text","$t":"Gameover Zeus is back"},"content":{"type":"html","$t":"\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EI have received multiple spam emails this afternoon, all with the following pattern:\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EPayment to \u0026lt;email\u0026gt;\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ERandom order number and purchase amount\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003ELink to Dropbox\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EThe download link goes to variations on https:\/\/www.dropbox.com\/s\/xxx\/Invoice_294.PDF.scr?dl=1. The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. Only 1 of the 54 AV engines on VirusTotal detects it (as Spyware.Zbot.VXGen). 
\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EThis is a different subject, hash, and detection from what \u003Ca href=\"http:\/\/blog.malcovery.com\/blog\/breaking-gameover-zeus-returns\" target=\"_blank\"\u003EMalcovery reported yesterday\u003C\/a\u003E, but is still consistent with the Gameover Zeus botnet.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003EIf you receive this spam, \u003C\/span\u003E\u003Cb style=\"font-family: \u0026#39;Helvetica Neue\u0026#39;, Arial, Helvetica, sans-serif;\"\u003E\u003Cspan style=\"color: red;\"\u003Edon\u0026#39;t click the link.\u003C\/span\u003E\u003C\/b\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/07\/gameover-zeus-is-back.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1038811880496625530"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/1038811880496625530"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/07\/gameover-zeus-is-back.html","title":"Gameover Zeus is 
back"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-q_pcVR4rg1M\/U8BFvC0t0tI\/AAAAAAAACYU\/kQ6w34_9uPo\/s72-c\/malware_spam.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-7975300266393056950"},"published":{"$t":"2014-06-03T16:13:00.000-05:00"},"updated":{"$t":"2017-01-21T19:24:32.376-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Cyber Crime"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Digital Forensics"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Encryption"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Password Management"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"}],"title":{"type":"text","$t":"Gameover ZeuS, Cryptolocker, Operation Tovar, Oh My..."},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/1.bp.blogspot.com\/-q4dkR82XNgE\/U444QqMyJyI\/AAAAAAAACSQ\/dYogSK0Heb4\/s1600\/evgeniy-fbi-600x679.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"200\" src=\"https:\/\/1.bp.blogspot.com\/-q4dkR82XNgE\/U444QqMyJyI\/AAAAAAAACSQ\/dYogSK0Heb4\/s1600\/evgeniy-fbi-600x679.png\" width=\"176\"\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe big news this week is the U.S. 
Department of Justice \u003Ca href=\"http:\/\/www.justice.gov\/criminal\/pr\/speeches\/2014\/crm-speech-140602.html\" target=\"_blank\"\u003Edisclosing \u0026quot;Operation Tovar,\u0026quot;\u003C\/a\u003E an international law enforcement operation that this weekend seized control of the command and control servers directing the \u0026quot;Gameover ZeuS\u0026quot; criminal botnet. This botnet involved somewhere between a half million and a million computers; it was used to steal online banking credentials and to distribute the CryptoLocker ransomware. The \u003Ca href=\"http:\/\/blogs.mcafee.com\/mcafee-labs\/game-zeus-cryptolocker\" target=\"_blank\"\u003Eoperation\u003C\/a\u003E and its \u003Ca href=\"http:\/\/blogs.computerworld.com\/cybercrime-and-hacking\/23980\/wham-bam-global-operation-tovar-whacks-cryptolocker-ransomware-gameover-zeus-botnet\" target=\"_blank\"\u003Eimplications\u003C\/a\u003E have been \u003Ca href=\"http:\/\/krebsonsecurity.com\/2014\/06\/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge\/\" target=\"_blank\"\u003Eheavily\u003C\/a\u003E \u003Ca href=\"http:\/\/www.bleepingcomputer.com\/forums\/t\/536370\/operation-tovar-a-success-but-is-it-really-gameover-for-cryptolocker\/\" target=\"_blank\"\u003Ecovered\u003C\/a\u003E in the news (at least among technology news sources). 
My intent is not to rehash the news, but rather to describe some steps to minimize the damage such malware can cause.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/06\/GameoverZeuS.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7975300266393056950"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/7975300266393056950"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/06\/GameoverZeuS.html","title":"Gameover ZeuS, Cryptolocker, Operation Tovar, Oh My..."}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/1.bp.blogspot.com\/-q4dkR82XNgE\/U444QqMyJyI\/AAAAAAAACSQ\/dYogSK0Heb4\/s72-c\/evgeniy-fbi-600x679.png","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-8400001916258100158"},"published":{"$t":"2014-04-08T08:00:00.000-05:00"},"updated":{"$t":"2017-01-16T22:40:44.247-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Bugs and Vulnerabilities"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Hacking"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Home Network Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"}],"title":{"type":"text","$t":"10 things to do with an old Windows XP PC"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca 
href=\"https:\/\/1.bp.blogspot.com\/-R-PdvXJdNdw\/U0NfnNM4ApI\/AAAAAAAACKQ\/U4rjZND8wDw\/s1600\/wxp.jpg\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cimg alt=\"\" border=\"0\" height=\"160\" src=\"https:\/\/1.bp.blogspot.com\/-R-PdvXJdNdw\/U0NfnNM4ApI\/AAAAAAAACKQ\/U4rjZND8wDw\/s1600\/wxp.jpg\" title=\"Today Microsoft will release the final updates for Windows XP, the once-novel, oft-maligned, and persistently enduring operating system. Microsoft has provided stability and security updates for 12 years but will no longer do so after today. Read on for some ideas of what to do with an old Windows XP PC.\" width=\"200\"\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EToday Microsoft will release the final updates for Windows XP, the once-novel, oft-maligned, and persistently enduring operating system. Microsoft has provided stability and security updates for 12 years but \u003Ca href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/end-support-help\" target=\"_blank\"\u003Ewill no longer do so after today\u003C\/a\u003E.\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003EWhat does this mean to you? If you have a PC bought in about the past 5 years or so, nothing. Most if not all PCs bought since late 2009 came with Windows 7, which according to the current \u003Ca href=\"http:\/\/support.microsoft.com\/lifecycle\/?c2=14019\" target=\"_blank\"\u003Eroadmap\u003C\/a\u003E will be supported through 2020. 
(If you bought between early 2007 and late 2009, and did not manage to upgrade, you may have been stuck with the quite unpopular Windows Vista, but still have a few years of Microsoft support left).\u003C\/span\u003E\u003Cbr\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr\u003EBut for the millions still running Windows XP at home (and even more importantly, for the operators of millions of ATMs and point-of-sale registers running embedded Windows XP) there are some very real implications. 12 years of updates have resulted in a pretty stable operating system, and the most egregious security flaws have been fixed (at least the known ones). In its early years, Windows XP was riddled with holes that led to such malware fiascoes as Blaster and Sasser, Internet worms that crashed millions of PCs and brought businesses to their knees for days or even weeks. That has not been the case lately.\u003C\/span\u003E\u003Cbr\u003E\u003Ca href=\"http:\/\/www.securityforrealpeople.com\/2014\/04\/10-things-to-do-with-old-windows-xp-pc.html#more\"\u003ERead more »\u003C\/a\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/8400001916258100158"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/8400001916258100158"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/04\/10-things-to-do-with-old-windows-xp-pc.html","title":"10 things to do with an old Windows XP 
PC"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/1.bp.blogspot.com\/-R-PdvXJdNdw\/U0NfnNM4ApI\/AAAAAAAACKQ\/U4rjZND8wDw\/s72-c\/wxp.jpg","height":"72","width":"72"}},{"id":{"$t":"tag:blogger.com,1999:blog-3911105790299130851.post-3134534674028020275"},"published":{"$t":"2014-03-31T22:33:00.000-05:00"},"updated":{"$t":"2017-01-17T22:04:00.406-06:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"Malware"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Practical Security"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social Engineering"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Social Networks"}],"title":{"type":"text","$t":"Facebook IM \"LOL Image\" is a Worm"},"content":{"type":"html","$t":"\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\u003Ca href=\"https:\/\/3.bp.blogspot.com\/-aimLVDKKE5Y\/UzowurGPJ-I\/AAAAAAAACGg\/d2FtAfZyyOQ\/s1600\/fb.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" height=\"200\" src=\"https:\/\/3.bp.blogspot.com\/-aimLVDKKE5Y\/UzowurGPJ-I\/AAAAAAAACGg\/d2FtAfZyyOQ\/s1600\/fb.png\" width=\"200\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThere is a bit of malware circulating through Facebook lately. The worm spreads by contacting people through Facebook's Messenger service, pretending to be a friend. The content of the message is the phrase \"LOL\" with an attachment named to look like an image (IMG_####.zip). 
When you open the file, it is in fact a Zip archive with a single file inside - IMG_####.jar.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cdiv\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EJar files are Java archives, a means of packaging Java programs for easy transport. In this case, the Java program is simply a downloader - it downloads a Trojan from a particular Dropbox account, which infects the computer and swipes your Facebook login information. It then turns around and sends messages to \u003Ci\u003Eyour\u003C\/i\u003E friends, repeating the cycle.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EThe moral of the story? The same as it has been for at least 15 years: don't open unexpected attachments (whether in email or instant messaging services). Pay attention to the file extension - an image is not usually bundled into a .Zip file. When in doubt, contact the sender (preferably through a different channel, such as by phone) to verify that they did in fact send you an attachment.\u003C\/span\u003E\u003Cbr \/\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: Helvetica Neue, Arial, Helvetica, sans-serif;\"\u003EA\u003C\/span\u003E\u003Cspan style=\"font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;\"\u003End if they intentionally sent you a malicious attachment? 
Well, now you know to have one fewer friend :-)\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\u003Cdiv\u003E\u003Cspan style=\"font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;\"\u003EThanks to \u003Ca href=\"http:\/\/blog.malwarebytes.org\/security-threat\/2014\/03\/malicious-messages-foray-facebook\/\" target=\"_blank\"\u003EMalwareBytes\u003C\/a\u003E for bringing attention to this particular case.\u003C\/span\u003E\u003C\/div\u003E"},"link":[{"rel":"edit","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3134534674028020275"},{"rel":"self","type":"application/atom+xml","href":"http:\/\/www.blogger.com\/feeds\/3911105790299130851\/posts\/default\/3134534674028020275"},{"rel":"alternate","type":"text/html","href":"http:\/\/www.securityforrealpeople.com\/2014\/03\/facebook-im-lol-image-is-worm.html","title":"Facebook IM \"LOL Image\" is a Worm"}],"author":[{"name":{"$t":"David"},"uri":{"$t":"http:\/\/www.blogger.com\/profile\/10169777669998745001"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/3.bp.blogspot.com\/-aimLVDKKE5Y\/UzowurGPJ-I\/AAAAAAAACGg\/d2FtAfZyyOQ\/s72-c\/fb.png","height":"72","width":"72"}}]}});
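Added example, not the blog author's code: a small Python triage routine that turns the indicators given in the Malware posts above into checks you can run on an attachment before anyone opens it. It covers the three tricks the posts describe: the sha256 of the Gameover Zeus lure (the only hash the feed reports, so it is the only entry in the known-bad table), the Invoice_294.PDF.scr double-extension decoy, and the IMG_####.zip that hides an IMG_####.jar downloader. The sample files it builds are constructed stand-ins shaped like those lures, not the real malware, and the extension lists are this example's own assumptions about which suffixes count as executable or as decoys.

```python
import hashlib
import io
import zipfile
from pathlib import PurePath
from typing import Dict, List, Optional

# The one hash the posts above report: the Gameover Zeus lure fetched from Dropbox (July 2014).
KNOWN_BAD_SHA256 = {
    "b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949":
        "Gameover Zeus lure Invoice_294.PDF.scr (detected as Spyware.Zbot.VXGen)",
}

# Assumed list of extensions Windows runs on double-click; the lures above used .scr and .jar.
EXECUTABLE_EXTS = {".scr", ".exe", ".jar", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumed list of document/image extensions the lures imitate (Invoice_294.PDF, IMG_1234).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png", ".gif", ".txt"}


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of the file contents, the form VirusTotal and the post use."""
    return hashlib.sha256(data).hexdigest()


def double_extension_decoy(name: str) -> bool:
    """True for names like Invoice_294.PDF.scr: a decoy document/image extension
    immediately followed by an executable one. Case-insensitive, because the
    lure used upper-case .PDF."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)


def executable_members_in_zip(data: bytes) -> List[str]:
    """Names of zip members that would run when opened (e.g. IMG_1234.jar).
    Returns [] for anything that is not a valid zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if PurePath(n).suffix.lower() in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def triage(name: str, data: bytes,
           known_bad: Optional[Dict[str, str]] = None) -> List[str]:
    """Run all three checks on one attachment; an empty list means nothing was flagged."""
    known_bad = KNOWN_BAD_SHA256 if known_bad is None else known_bad
    findings = []
    digest = sha256_hex(data)
    if digest in known_bad:
        findings.append(f"known-bad sha256 {digest}: {known_bad[digest]}")
    if double_extension_decoy(name):
        findings.append(f"double extension: {name} really ends in {PurePath(name).suffix}")
    if PurePath(name).suffix.lower() == ".zip":
        for member in executable_members_in_zip(data):
            findings.append(f"zip member {member} is executable, not an image")
    return findings


def build_samples() -> Dict[str, bytes]:
    """Constructed stand-ins shaped like the two lures; none of this is real malware."""
    scr = b"MZ" + b"\x00" * 62 + b"constructed stand-in for Invoice_294.PDF.scr"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_2914.jar", b"constructed stand-in for the jar downloader")
    return {
        "Invoice_294.PDF.scr": scr,
        "IMG_2914.zip": buf.getvalue(),
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed harmless jpeg header",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        flags = triage(name, data)
        print(f"{name}: {'; '.join(flags) if flags else 'nothing flagged'}")
```

Run the file to triage the three constructed samples, or pass `known_bad=` to `triage()` with your own hash list. Two caveats: Windows Explorer hides known extensions by default, so `Invoice_294.PDF.scr` is displayed as `Invoice_294.PDF`, which is exactly why the lure works, and turning that setting off is the cheapest fix on the page; and the hash check only ever matches that one sample, since each spam wave repacks the binary (the post notes its hash differs from what Malcovery reported the day before), so the two pattern checks are the ones that generalize.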