Category Archives: Online Security

GlassWire is a Beautiful Network Monitor and Firewall for Windows

One trait that’s a rarity among Windows applications is beauty. However, every once in a while an app comes along that stands out and makes you take notice because of its well-thought-out design and interface. GlassWire is one such app.


GlassWire is a free network and bandwidth monitor and firewall. There’s no shortage of similar apps for Windows; however, almost all of them are a confusing mess of complexity that would scare away anyone who is not tech-savvy. GlassWire on the other hand is brilliant in its simplicity.

There are only four tabs – Graph, Firewall, Usage, and Alerts. The Graph section shows a continuous stream of your network activity. You can see your total internet activity or drill down by traffic type and application.

GlassWire – Graph

The Firewall tab allows you to quickly block an app from using your internet connection. It lists all apps that are connected or have connected to the internet, along with details about the hosts each one connects to. If you see something you don’t like, you can instantly block that app by clicking on the fire icon next to it. GlassWire itself doesn’t have a firewall engine. Instead, it sits on top of the Windows Firewall and provides an interface for controlling it.

GlassWire – Firewall

The Usage tab gives a detailed report on the internet usage pattern of every app. You will be able to see exactly who each app has been communicating with and how much data it is sending out. GlassWire also has an Incognito Mode for the times when you don’t want your activity to be recorded. It’s also pretty straightforward to delete reports, in case you want to keep some stuff off the books.

GlassWire – Usage

Finally, there’s a pretty versatile Alerts feature, which provides a wide range of alerts, including first network activity, excessive bandwidth usage, hosts file modification, and suspicious host connections. There’s also an option to remotely observe another system’s activity.

It’s still early days for GlassWire, and there’s undoubtedly room for improvement. The Firewall tab simply lists all the processes that are transferring data over the internet. It would be a lot more useful if it also integrated with something like ProcessLibrary to show more information about each app or process. There are also a few UI glitches that show up at various resolutions.

GlassWire – Alerts

The absence of advanced features found in most third-party firewalls might put off power users, but GlassWire does just enough to be useful to a large section of users, who might get annoyed or confused by a full-fledged firewall. GlassWire does a good job at keeping things simple and exposing a lot of useful information without being confusing.

[ Download GlassWire ]
Image Credit: Crackers by elhombredenegro

Kaspersky Tops Antivirus Shootout, Windows Defender Worst of the Lot

Anti-virus software is no longer a catch-all solution for your security, given the multitude of new attack vectors. However, it still makes sense to have an effective anti-virus product installed on your system. Renowned security testing lab AV-Test put 25 consumer antivirus solutions through the wringer to determine how well they perform in real-world scenarios on Windows 8.1.

All the security apps were graded on three criteria – Protection, Performance, and Usability. The first criterion is an indication of the detection rate. Each security product was tested on a system with 20,646 known samples (malware that had been widespread and prevalent in the previous four weeks) and 138 unknown samples. The Performance score is based on how much impact the security software had on system performance, while Usability is determined by the number of false positives.

The good news is that most of the antivirus suites performed pretty well, with only three tools ending up with a detection rate below 94% on unknown malware. The average detection rate for known malware was 98%. The bad news is that Microsoft Windows Defender, which ships with Windows 8.1, performed abysmally. It was the worst of the lot, scoring 0 points in Protection. The other two poor performers in the heuristics test were Tencent PC Manager and AhnLab V3 Internet Security. Even popular third-party freeware products like AVG and Avast performed relatively poorly. Panda Cloud Antivirus and Qihoo 360 Internet Security were the top-performing free antivirus products.

Windows Defender Protection Results

The overall top performer was Kaspersky Internet Security 2014, which obtained a perfect score of 18. Qihoo, McAfee, Bitdefender and Avira scored 17.5 points. As many as nine antimalware apps got a perfect score in the detection tests. The high scores were undoubtedly influenced by AV-Test’s decision to use only widespread and prevalent malware for the known-samples test, but that also makes Windows Defender’s mere 79% detection rate look even worse.

AV-Test Antivirus Shootout Results

PasswordDay.org helps consumers protect personal information online

As part of World Password Day earlier this week, McAfee and its partners started an effort to educate consumers worldwide on the importance of password safety in the wake of multiple global security breaches.

The Heartbleed FAQ – Everything You Should Know About It

The interwebs are awash with reports and speculation about Heartbleed. Post-Y2K, it’s difficult to recall any occasion when a security vulnerability managed to gain such widespread attention. But what exactly is Heartbleed? Here’s a quick summary of everything you need to know about it.

What is Heartbleed?

Heartbleed is a critical vulnerability in the OpenSSL library. The official designation of this bug is CVE-2014-0160. SSL stands for Secure Sockets Layer and is a standard security technology for establishing an encrypted link between a web server and a browser. This bit of technology essentially ensures that no one can peek into the data sent between you and the web server. Every website with a URL that begins with https:// (often indicated by a padlock in your browser’s address bar) uses SSL to keep data, including the authentication information that you key in, private. OpenSSL is an extremely popular open source implementation of this protocol.

Heartbleed is a bug in the OpenSSL code which can theoretically be leveraged by an attacker to gain access to data transmitted between you and the web server. This means that, in theory, the attacker can see all of the data that you enter into an affected website, including your username and password. There has also been speculation that the bug can enable the attacker to gain access to a server’s private key. This would essentially allow the attacker to impersonate any web service and conduct MITM (man-in-the-middle) attacks, and would force every affected website to revoke and reissue its certificates. However, there’s still debate about whether this worst-case scenario is possible or not. CloudFlare has declared that after extensive testing it has been unable to grab private SSL keys by exploiting Heartbleed.

Update: The CloudFlare challenge has been cracked. So, it’s possible to access a server’s key with this exploit.

How did this happen?

Contrary to the conspiracy theories buzzing around the social media websites and discussion boards, there is a very simple explanation behind how the Heartbleed vulnerability was introduced. It was a simple coder oversight.

The bug was introduced by Dr Seggelmann, a German contributor to the OpenSSL project. He was working on patching existing bugs and adding new features. Unfortunately, in one of the new features, he forgot to validate a variable containing a length. The same mistake was also overlooked by the code reviewer Dr Stephen Henson, and thus the bug made its way into the production code of OpenSSL.

How does this exploit work?

As mentioned earlier, the Heartbleed vulnerability is due to a missing validation on a variable holding a size. One of the reasons the bug has been named Heartbleed is that it occurs in the heartbeat stage of the protocol. A heartbeat is essentially a technique that enables a computer at one end of the SSL connection to double-check that the other end is still alive. The following XKCD comic does a pretty good job of explaining the issue in simple terms. Essentially, the heartbeat mechanism sends a key and requests a response from the recipient to confirm that the recipient is still active. However, the length of the request isn’t validated. So you can send a key that is just 3 characters long, but request an acknowledgement that is up to 65536 characters long. Since the server isn’t checking the length of the response requested, it would send you all of the requested characters, which will include whatever is stored in memory after your key. With some luck and persistence, this oversight can be abused to gain access to confidential information.

[XKCD comic explaining the Heartbleed bug]
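To make the missing check concrete, here is an added C example (not OpenSSL’s code, and not part of the original post) of a minimal heartbeat request handler that applies the bounds check the patched OpenSSL added: the declared payload length, plus the header and the minimum padding, must fit inside the record that was actually received. The record layout (1-byte type, 2-byte big-endian length, payload, at least 16 bytes of padding) follows RFC 6520; the two sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding per record */

/* Outcome of validating a received heartbeat record. */
enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Parse the header (type, payload_length) and check that the declared payload
 * fits in the bytes actually received. That comparison against rec_len is the
 * check the vulnerable code lacked. payload_len may be NULL. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec_len < 3)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_BAD_TYPE;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* Hardened bound: header + declared payload + minimum padding <= record. */
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;
    if (payload_len)
        *payload_len = declared;
    return HB_OK;
}

/* Build the echo response from a validated request. Returns the number of
 * bytes written to out, or 0 if the request was rejected or out is too small. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t n;
    if (hb_validate(rec, rec_len, &n) != HB_OK)
        return 0;
    if (3 + n + HB_MIN_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + 3, rec + 3, n);          /* n is bounded by rec_len, never past it */
    memset(out + 3 + n, 0, HB_MIN_PADDING);
    return 3 + n + HB_MIN_PADDING;
}

/* What unpatched code trusted: the length field alone, ignoring rec_len. */
size_t hb_declared_length(const uint8_t *rec, size_t rec_len)
{
    return rec_len < 3 ? 0 : (((size_t)rec[1] << 8) | rec[2]);
}

/* Constructed sample records (hypothetical, not captured traffic). */
static const uint8_t GOOD_REQ[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };   /* 3 + 3 + 16 = 22 bytes, length matches */
static const uint8_t BAD_REQ[]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };   /* claims 65535 bytes, carries only 3 */

int main(void)
{
    uint8_t out[64];
    printf("well-formed: status=%d response=%zu bytes\n",
           hb_validate(GOOD_REQ, sizeof GOOD_REQ, NULL),
           hb_respond(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out));
    printf("malformed:   status=%d declared=%zu response=%zu bytes\n",
           hb_validate(BAD_REQ, sizeof BAD_REQ, NULL),
           hb_declared_length(BAD_REQ, sizeof BAD_REQ),
           hb_respond(BAD_REQ, sizeof BAD_REQ, out, sizeof out));
    return 0;
}
```

The malformed record is the case the comic describes: the length field says 65535 while the record holds 3 bytes of payload, so the hardened handler returns HB_LENGTH_MISMATCH and sends nothing instead of echoing memory beyond the key.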

Who discovered it?

The Heartbleed bug was introduced two years ago; however, in a strange coincidence, it was discovered and reported by two parties on the same day. One of those parties was Google’s Neel Mehta, who quietly reported the bug to OpenSSL. The other was a Finnish security research firm called Codenomicon. Realizing that the discovered bug was extraordinary in its impact and severity, Codenomicon decided to create a campaign to make sure everyone took notice of the issue. They registered the domain heartbleed.com, came up with the compelling name, designed a logo, and created the initial narrative. Both parties collaborated with OpenSSL to ensure that the vulnerability wasn’t disclosed before an official patch was released.

What can you do?

To be honest there isn’t much you can do. A fix for the vulnerability has already been issued by OpenSSL. Most major websites, including banks and other financial service providers, have already updated their OpenSSL installation. Given the massive publicity this bug has received, it’s likely that most websites will implement the patch in the coming days. Mashable has published a massive list of popular websites affected by this vulnerability. It’s wise to change your password at any website that was affected by the bug, but you should do so only after that website has patched the vulnerability. Otherwise, you risk exposing yourself further. As always, folks using unique passwords are considerably safer.

LastPass, one of the most popular password managers, has updated its Security Challenge tool to include Heartbleed-related information. It automatically scans the websites in your vault and lists all the ones that have been affected. It also lets you know which websites have been patched, so that you can go ahead and change your password.

How to Encrypt and Password Protect Your Gmail Messages

In light of the privacy debate currently raging all around the world, and given the flippant stance of many of our most-used communication platforms towards securing their users’ privacy, it is becoming more and more evident that if users want privacy online, they’ll have to snatch it, for it won’t be easily given.

Talking of communication, email comes to mind. Privacy begins with encryption, and encrypting email isn’t exactly an easy task. At best it is annoying. At worst it can be so cumbersome that most people don’t bother. You can use desktop clients and PGP keys, as Lifehacker details. The annoying procedure of creating and handling keys is also mentioned by Ars Technica in its editorial about why most people don’t bother encrypting email.

So what do you do if you don’t want peeping toms and evil governments looking into your email? The best idea would be to go stone age and use smoke signals, but of course, we’re discussing technology here and I digress. A rather simpler alternative would be to encrypt the email text and share the password via other means. This is what the ingenious Google Chrome extension SecureGmail aims to do.


Let’s discuss the pre-requisites here before we begin encrypting our Gmail messages! You and your message recipient both will need the following:

  1. Gmail accounts
  2. Google Chrome
  3. The Chrome Extension SecureGmail 

What does the extension do? It adds a new button beside the usual red Compose button. When you click on it, a new mail window appears, but this one differs from the vanilla compose box in that whatever you type in it won’t be saved to Google’s servers. For the technically curious, SecureGmail uses an open source JavaScript crypto library from Stanford, available here.


On completing the message, click the Send Encrypted button. You’ll be asked to set a password for the message as well as a password hint. Your recipient will only see the password hint. If he doesn’t have the extension installed, he’ll see a link to install it. Otherwise, the password can be input right away and the email decrypted.

Only the encrypted copy is saved on Gmail’s servers. If you check your Sent folder, you’ll see something like this.

[Screenshot: an encrypted SecureGmail message in the Sent folder]

The success of this method obviously assumes that you’ve sent your password to your recipient successfully via other means. Maybe it’s the first word on the 37th page of a certain book, maybe it’s an irrelevant word written as graffiti somewhere. Sci-fi movies will give you enough ideas to supply a hint.

What if you want to encrypt text with a password but don’t want to use a Chrome extension? Googling for “encrypt text” will give you a slew of options.

Interested in encrypting more kinds of files? Learn about the different tools we’ve written about here and here.

India’s CLAT Exam Leaks Applicant’s Emails, Leads to Phishing Scam

Privacy and the internet aren’t exactly best friends. In fact, it might well be better to assume that as long as you are on the web, you will suffer an unexpected privacy breach sooner or later – whether due to your own naiveté or due to third-party security mishaps. However, that doesn’t make irresponsible, careless, and deliberate data leaks any less aggravating. Today’s offender is CLAT, the Common Law Admission Test.

CLAT is a fiercely competitive centralized test for admission to prominent National Law Universities in India. Last month, CLAT closed its application procedure. Soon after, in an amazingly dumb-headed move, it mailed all applicants a PDF titled “3. Online Applications (UG) Submitted till 30th March 2013”. Here’s a look at its content.

[Screenshot: the leaked CLAT applicant list]

Yes, someone at CLAT thought it was perfectly appropriate to dispatch the full list of more than eighteen thousand candidates, along with their email IDs, in a PDF. Now, I understand that CLAT probably has more lawyers than technically minded folks, but it’s shocking that no one on its technical team acted to stop this amazingly boneheaded move. For good measure, CLAT also uploaded this document to its website (where it is still available).

Now, an email address isn’t very high on the list of sensitive information. However, in the wrong hands it can be misused. And misused it was. Over the past few weeks, candidates listed in the document have been receiving mails appearing to be from [email protected], claiming to be sent by Dr. Dipak Das, Registrar In-Charge of Hidayatullah National Law University, Raipur and the Convenor of CLAT-2013. The mails ask the candidates to immediately deposit Rs. 2000 in order to avoid cancellation of their application due to non-payment of fees. Considering the candidates’ state of mind and the relevance of the message, it’s not surprising that many have fallen victim to the phishing scam. Thankfully, the scammer in this particular case was naïve enough to demand a money transfer to an SBI (State Bank of India) account, which should be easily traceable. CLAT might not have a lot of technical expertise or common sense. However, one thing it does have is access to plenty of lawyers. Unsurprisingly, CLAT-2013/Hidayatullah National Law University, Raipur, is taking the necessary legal steps.

(hat tip: Sameer Gupta)

Movie Rental Site Vudu Suffers Break-in; Customer Data Stolen

Wal-Mart-owned movie rental and purchase site Vudu has become the latest victim of a data breach. But unlike some of the previous attacks, the Vudu data breach didn’t involve any remote hacking attempts.

Some lawbreakers broke into Vudu’s office and stole a number of items, including hard drives. Unfortunately for its users, those hard drives contained usernames, passwords and the last four digits of some customers’ credit card numbers.

Vudu has sent out emails to all affected users urging them to reset their passwords. It has also issued a press release, which is provided below.

On March 24, 2013, there was a break in at the VUDU office and a number of items were stolen, including hard drives. These hard drives contained customer data including names, email addresses, mailing addresses, account activity, dates of birth, and encrypted passwords, but NO full credit card numbers. We are proactively retiring and resetting all passwords and notifying all customers. As another level of protection for customers we are also providing AllClear ID identity protection services. We reported the theft to law enforcement immediately, and are cooperating fully with their investigation.

Luckily, Vudu doesn’t store its users’ full credit card numbers, so the damage was greatly reduced. If you are a Vudu customer, we strongly recommend changing your password as soon as possible. Also, if you have used the same password for some other service (which is a very bad idea), please change those passwords as well.

Cybercriminals Exploiting Java Digital Signature Flaw

If you spent the last few years of your life worrying about various Adobe PDF exploits, it is time for some fresh news. Java is overtaking Adobe products in the exploits category, and a recent Java digital signature exploit takes things even further. Cybercriminals have started using flaws in Java’s digital certificate checks to run their malicious code through web browsers. The misbehaving application is usually signed with a trusted certificate, making it impossible to spot any malicious behavior at first glance.


A similar signed and infected application was found on the website of Chemnitz University of Technology in Germany. The application was signed with a known web-exploit toolkit called g01pack, which was probably developed by the Iranian Cyber Army. The first sample of the attack was discovered on Feb 28.

Java 7 brought a new feature called Security Control to the table. With update 11 of Java 7, the security level was set to high, requiring users to approve an applet before it runs, irrespective of whether it is signed or not. However, unsigned applications showed a clear security warning, whereas signed applications simply showed a confirmation dialog, albeit with the same call to action. In the case of this malicious application too, the dialog was that of a signed application. However, on closer manual inspection, it was seen that the application was signed with a certificate that had been revoked in December last year. Clearly, Java does not check for revoked certificates by default.

Security Researchers Discover the Earliest Version of Stuxnet

Stuxnet has been troubling the world of cyber-security for over two years now. It is the most sophisticated worm ever written and has been tailored to attack particular infrastructure, making it the deadliest cyber-weapon of the early 21st century. Now that it has been discovered and studied thoroughly (thanks to Symantec), many interesting facts have come to light which will help deal with such attacks in future. However, the more people try to understand Stuxnet, the more it surprises them.

Recently, the earliest version of Stuxnet was discovered and christened Stuxnet 0.5. Stuxnet 0.5 reveals the evolution of this dreaded worm over the years. While still aimed at nuclear plant infrastructure, Stuxnet 0.5 had a different behavior altogether. Help Net Security writes,

Unlike Stuxnet versions 1.x that disrupted the functioning of the uranium enrichment plant by making centrifuges spin too fast or too slow, this one was meant to do so by closing valves.

Apparently, Stuxnet 0.5 did not meet the developers’ expectations (or perhaps ambitions), and it was developed further to attack centrifuges. However, the development frameworks used in the two versions were different: Flamer for version 0.5 and Tilded for version 1.x, suggesting that different sets of developers were involved. Moreover, Stuxnet 0.5 was not designed to spread efficiently either. The most interesting part of the code, however, was the one that stopped Stuxnet 0.5 from contacting its command and control servers after January 11, 2009, and from functioning at all after July 4, 2009.

Check out this YouTube video for a quick overview of Stuxnet and its attack patterns.

Symantec explains Stuxnet 0.5 in great detail in this whitepaper [link to PDF].


Zero Day Java Vulnerability Compromises Computers of Facebook Employees

Last month, a number of major companies such as the New York Times, the Washington Post and, most recently, Twitter revealed that they had been targeted by hackers, leading to some form of data breach.

In a recent development, Facebook has now revealed that some of its employees’ computers were hacked using a Java exploit. In a blog post penned yesterday, Facebook’s security team says,

[…] In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.

After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.

The computers were compromised when the victims visited a mobile developer website that had been compromised to host a zero-day exploit, which installed malware on the victims’ PCs. Facebook contacted Oracle regarding the exploit, and Oracle released a patch for it on February 1st.

Facebook says that other companies were targeted in a similar manner, and that it is working with the affected companies and law enforcement officials to track down the source of the attack.

And most importantly for us, there is no evidence that any kind of user data was exposed. Well, that’s a relief!

Source: Facebook