CAUCE

19 February 2013

Facebook, their Walled Garden, and McAfee Anti-Virus – What Really Happened

On Sunday, a number of Facebook users reported being locked out of the system. When they attempted to log in they were presented instead with the a series of screens, informing them that their computer was infected, and providing a link to a free scanning service by McAfee antivirus software.

Being locked out upset people to no end, because it was the first they had heard about their computer being infected.

It appears that Facebook users on a grand scale are receiving a notice that their account is temporarily locked and could be infected with a virus. These users are then encouraged to download a free tool by McAfee to scan their system. There has been much speculation on the issue. Our best guess is that there is a bug in Facebook's filters or algorithms that is yielding a false positive malware result for a large portion of these users. We have reached out to Facebook regarding the matter and will update this thread if we hear anything back.
Other users with Mac computers insisted they were safe.

If only that were true. Over just these past few weeks we have read about Facebook itself being hacked due to a vulnerability in Oracle’s common cross-platform (Windows, Mac, UNIX) software component Java. Media-player Adobe Flash has had a tough time of it too being repeatedly patched, then re-hacked within days, and that runs on all sorts of computers. One Adobe rep, looking very tired, said recently that things were so busy with security issues staff had taken to sleeping at the office. Like, as in ‘moved in’.

Our point? It was entirely reasonable to think that Facebook was detecting infected computers trying to log into their systems.

Wait what? Facebook is scanning their users computers?

Yes, they are. This isn’t a new activity. For example, Google and Facebook helped quell a massive infection called DNSChanger by diverting infected users to special pages with disinfection information U.S. Cable ISP behemoth Comcast also scans their users’ computers and in the case of repeated, untreated infections, user accounts are placed in a so-called ‘walled garden’ limiting Internet access until they can be fixed.

Walled Gardens are a reasonable approach, and an effective way to deal with the rampant levels of compromised computers that can damage networks, and the users’ themselves, by stealing personal information on the machine. In fact, CAUCE has representation on the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) working group advocating a similar approach industry-wide.

CAUCE has also been involved in parallel discussions in Canada, where the idea is still nascent, but is likely to take hold shortly. But what does all this have to do with Facebook Users? Facebook scans computers connecting to their network for infections, and places compromised user computers in a walled garden until the problem can be remediated. They offer free tools to help. They write certain rules for the scanning engine to detect the infections Reasonable enough. According to a Facebook rep., speaking on condition of anonymity said the problem last Sunday was a new employee wrote rules that were a bit too aggressive, and they incurred many false positive results, falsely indicating computers were infected when they were not. After a couple of hours, the error was caught, and initially they withdrew the rules, and then began to find, and reverse the suspended status of those users they had initially blocked. This lead to what users were experiencing– log in once, you are told you are infected, log in again, no such notice. This is what is known in the computer industry by the technical phrase ‘oops’. CAUCE congratulates Facebook (and others) on their efforts to help mitigate computer compromises by this approach. While it is irksome, and sometimes scary to be locked out, and told your computer is infected, the worst-case scenario is that you were unable to post cat and baby photos for a short time on Sunday, and had to run a harmless anti-virus scan.

Posted by CAUCE on 19 February 2013 in Canada, United States, World | Permalink | Comments (0)

16 January 2013

What happens when people respond to pharma spam?

NPR's Planet Money did a remarkable piece yesterday, based on research by reporter Brian Krebs and UCSD professor Stefan Savage, looking at pharma spam (black market pharmacies selling prescription drugs), who sends it, and what happens when people respond.

The most surprising discovery was that, for the most part, people actually get the drugs they order. Listen to the Planet Money episode for the full story.

Posted by CAUCE on 16 January 2013 | Permalink | Comments (0)

17 December 2012

Are You Donating to a Real Charity?

Please share this post.

After a tragedy, many of us want to donate to funds and charities to show our support for a community.

However, scam charities immediately pop up, looking to steal your well intentioned donations. There are at least 30 newly-registered domains created in the past 48 hours related to the tragic shootings at the Sandy Hook elementary school in Connecticut: Most, probably all are scams and rip-offs. How then, to donate so that your funds make it to the deserving victims?

Check out Charity Navigator, an online database that assesses charities based upon revenues, operating costs, and the percentage of funds that make it to the intended recipients.

Donate to the Red Cross / Red Crescent / Magen David Adom. The International Red Cross is a stalwart organization that is reliable, and extremely well-run. The Red Cross of America has a fund for the families and survivors of the Sandy Hook shootings.

News site CNN usually will make mention of an appropriate charity. They report that the United Way of Western Connecticut have set up a Sandy Hook School Support Fund at https://newtown.uwwesternct.org/

If you encounter what you believe to be a scam charity, report them to your local police, federal government or police force, and to the Internet Crime Complaint Center

Posted by CAUCE on 17 December 2012 in News, United States, Warnings, World | Permalink | Comments (0)

11 December 2012

TEN STEPS : What To Do if Your Data is Being Held for Ransom

We have your data. Fork over the money!

For the past few months, so-called 'Ransomware' has been very popular among online criminal gangs. A computer is infected with malware which encrypts some or all of the data on the computer, and the criminals demand a payment to restore the machine to normal.

This ofen comes with a fake warning from the national law enforcement agency of the location of the computer, such as the FBI in the US, and geo-locates the payment to dollars or Euros as appropriate. Sometimes the warning claims pirated content or illegal pornography has been found on your machine. While we don't know what you have been downloading, we can say this: Law enforcement won't infect your computer and demand ransoms.

It can happen to anyone: the Miami Family Medical Centre, in the Gold Coast of Australia has reportedly lost patients' medical records to this scheme.

So, what to do, and how to avoid being held to ransom for your favorite grandkid's pictures, your PhD dissertation, or that quarterly report you've been working on for weeks?

1. Do not try to remove the malware yourself. Some variants have trip-wires built in that erase your data permanently if you do the wrong thing.

2. Back up your files religiously.

By religiously we mean constantly, at least several times a day. You can do this automatically with many back-up programs like Apple's Time Machine that back up changed files every hour, and then all files once a day.

3. Use Cloud Services for important data - keep stuff you can't live without somewhere else, like a central server if your organization has one, or box.com, dropbox.com, Google drive, etc.

4. Keep your software and operating system up to date every day! Use Windows Update set to automatically install updates, and Secunia, to alert you to updates to your other applications, if you are a PC user. Apple machines also have automatic checks for software and OS updates.

5. Run anti-virus software. Yes, even if you have an Apple computer! While A/V software can miss some viruses, it generally catches up pretty quickly and is your first line of defense.

6. Install the MyWOT plugin onto all of your browsers. My WOT blocks access to malicious sites.

7. If you are infected, and have anti-virus software that failed to detect the malware - wait if you can. As variations of the malware come out, so too do updates to anti-virus programs - see if you can update your a/v software, as it may be able to decrypt the stolen data.

8. If you have backups, or your data is stored on a cloud service, have an expert help wipe your machine completely clean, reinsstall your operating system and software, and then restore your data from a backup version prior to the infection.

9. If you are really stuck - as a last resort, pay the ransom. Paying the ramsom reportedly works in some cases. But try everything else first, because it may just tell the criminals that you're a live one, so they can come back for more.

While we don't encourage people to give money to criminals, if the data is irreplacable, you may have to give this a try if all else fails.Then start making backups. If you need to buy a backup disk, do so, now that you know what a good investment it is.

10. Don't respond to spam. Never click on it - delete it immediately

Posted by CAUCE on 11 December 2012 in Warnings, World | Permalink | Comments (0)

25 October 2012

FBI Agent Thomas X. Grasso Receives First J.D. Falk Award

News Release

For Immediate Release

FBI Agent Thomas X. Grasso Receives First J.D. Falk Award
for Establishing DNS Changer Working Group and Protecting End-Users

Baltimore, Maryland, Oct. 25, 2012 – Convincing competitors, disparate business entities and researchers to collaborate – many donating their services and resources – to protect millions of end-users worldwide is no small feat. Yet FBI Supervisory Special Agent Thomas X. Grasso did just that by quietly working behind the scenes to create the DNS Changer Working Group that saved an inestimable number of end-users from losing access to the Web over the last two years. Recognizing his leadership, Grasso received the inaugural J.D. Falk award on Tuesday at the Messaging, Malware and Mobile Anti-Abuse Working Group 26^th General Meeting in Baltimore.

The first-annual J.D. Falk Award

“Tom embodies the kind of personal sense of responsibility and accountability that built the Internet and is vital to its future growth. First, he had the foresight to understand the problem and to realize that something could be done to prevent it. Then it took an enormous commitment of his time and energy to muster the resources and bring dissimilar entities together to accomplish an objective that turned out to be a critical issue for many end-users,” said M³AAWG Co-Chairman Chris Roosenraad.

Grasso created the ad hoc committee based on the relationships and goodwill he had developed over his 12 years working with the Internet industry. He persuaded large corporations to commit time and funds to notify infected customers, and convinced anti-virus vendors, Internet Service Providers and the security research community to cooperate in the project. DCWG members include Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro and others.

In November 2011, the FBI’s Operation Ghost Click led to the arrest of six Estonians allegedly behind the distribution of the DNS Changer malware and thought to be operating the illicit Rove Digital advertising network. The malware hijacked Internet searches and re-routed Web browsers of infected computers to fraudulent sites on Rove Digital’s network by altering the DNS settings the computers use to locate websites. Once the rogue servers were turned off, the malware-infected computers that had their settings redirected to them would not have been able to reach the Web.

The DNS Changer Working Group was Grasso’s idea to encourage end-user remediation of the malware and to respond to the massive challenge of potentially millions of users losing access to the Web. The group helped monitor the DNS servers that were now legally operated by the Internet Systems Consortium (ISC) under a court order, and as a result, the infected users received a useful message to clean up their machines instead of suddenly dropping off the Internet.

“The FBI recognizes the invaluable assistance the private sector and academia provided through the DNS Changer Working Group,” said Joseph M. Demarest, assistant director of the FBI’s Cyber Division.

CAUCE founding member J.D. Falk, an active member of M³AAWG and many other industry organizations, was passionate about safeguarding the Internet, end-user security and the impact of cooperative endeavors. The award named after him recognizes individuals for specific achievements that enhance the Internet experience, protect end-users, and embody his spirit of volunteerism and community building. It is administered by M³AAWG with the support of Falk’s employer Return Path Inc. and the Falk family.

Posted by CAUCE on 25 October 2012 in Press Releases, World | Permalink | Comments (0) | TrackBack (0)