
Wednesday, January 20, 2016

Beyond Anti-Virus Protection

What you need beyond an anti-virus program to fight against phishing attacks, banking malware and ransomware.

Windows and browser security


All too often computer users install anti-virus software that gives them a feeling of security without actually knowing what type of protection they can expect. Anti-virus programs help in many ways, but lag behind in detecting more sophisticated attacks like ransomware and man-in-the-middle attacks. Nowadays, computer users need to keep up with updates and review their PC security software in order to add or replace outdated security tools. This has become necessary because attackers are improving their techniques at an alarming rate, inventing new vectors of attack that only the latest software may detect. You can no longer expect to have ample protection by just using an anti-virus program. Hopefully, you will find some of the security tools that I use to be useful for your own protection.
A quote I have seen on several security sites that I agree with says:
Remember that security is not about risk elimination, but rather risk reduction. Your risk will never be zero but you can employ tools and steps to reduce it.
Note: All of my suggestions require some technical proficiency and understanding. Please be careful and use this information at your own risk.
Difference between Random and Targeted Attacks

Random attacks

These attacks are mostly automated and opportunistic, and they are on the increase. Hackers use automated crawlers to search the web for software and devices with known vulnerabilities, such as outdated browser extensions, operating system versions and routers. These attacks are mostly used to install bots that add your computer to a growing number of remote nodes used for DDoS, spam and phishing attacks. Other random attacks come from websites and third-party ads that have been infected by malicious scripts or that serve infected Adobe Flash or PDF files. This is a good reason to block all third-party advertising sites, except for those sites that you support and know are safe. Your email is one of the most widely used attack vectors for spear-phishing attacks. Well-crafted emails posing as advertising from well-known social media and shopping sites are the worst public threat because they are easy to create and difficult to trace. Many ransomware infections come from clicking a link to an Adobe PDF or Flash video that begins the file encryption process. The recent CryptoWall ransomware attacks were disguised as a fake update for applications such as Adobe Reader, Flash Player or the Java Runtime Environment. Ransomware attacks have recently affected many high-profile websites, including the Huffington Post, the New York Daily News, Answers.com and Thesaurus.com.

Targeted attacks

These attacks are aimed at companies and individuals that have something specific the hacker wants. Random attacks often yield information that can lead to targeted attacks. In particular, targeted attacks on individuals are often initiated from stolen personal identity that was gathered through Google searches, sniffed from the internet, taken from lost wallets, or collected in spear-phishing expeditions on social media. But these days, company and government data breaches have unleashed the largest cache of stolen personal identity, which hackers can buy on the cheap with little effort. The Anthem data breach alone compromised 78.8 million records. Needless to say, armed with your valuable personal identity, a hacker will narrow down those candidates worthy of attacking through targeted analysis. The more tracking activity individuals and family members leave on the web, the easier it is to find something of worth to go after. Once an individual becomes a target, a hacker could craft a targeted email that appears to come from a company you know, to lure you into clicking a link so they can drop a bot onto your system to steal your usernames and passwords, or activate a ransomware attack that starts encrypting your documents, pictures, etc.

Ransomware attacks

Ransomware is a type of attack that could be the biggest threat in 2016. It takes over your computer by encrypting your documents, pictures, etc. and holds them for ransom until you pay to get the private key that is needed to decrypt them. Cryptolocker was one of the first; it appeared in late 2013. Its high payoff prompted other cyber-criminal groups to write copycats that use much more sophisticated spreading and encryption techniques. Some of the most notorious families of ransomware now wreaking havoc include CryptoWall, Citroni and TorLocker. Some even threaten to publicly release your information, or plant illegal pictures and documents on your computer and then threaten to expose you to the authorities. Android users were also massively targeted by ransomware over the last 2 years.
More information is available here. “What is ransomware and what can you do to stop it” (http://www.digitaltrends.com/computing/what-is-ransomware-and-should-you-be-worried-about-it)

Man-In-The-Middle (MitM) attacks

This is a stealthy attack where attackers insert themselves between the client browser and the server website, impersonating the client when talking to the server and vice versa. The biggest danger with this type of attack is that it is very difficult to detect, even by security monitoring applications.
In recent years, criminals have found several ways to reinvent this classic attack. To make matters worse, a variety of inexpensive tools, such as the “WiFi Pineapple”, are readily available online that make it easy for almost anyone to conduct these attacks.
Using the SSL/TLS (HTTPS) secure protocol can mitigate this attack; unfortunately many websites do not support it yet, or do not have it enabled by default. I use a browser extension called “HTTPS Everywhere” which tries to force connections to HTTPS to help prevent HTTP connections from being hijacked. There are plans to require all web sites to use HTTPS and the HSTS web security policy, which will greatly help against this type of attack.
Using VPN connections is another good protection against most MitM attacks as long as they are set up properly by the VPN company providing the certificate.
More information is available here. “Meet the man-in-the-middle of your next security crisis” (http://www.infoworld.com/article/2998147/advanced-persistent-threats/meet-the-man-in-the-middle-of-your-next-security-crisis.html)

Public Open WiFi

You can tell that a network is Public Open WiFi if it doesn’t require a WPA-2 network security key when you connect to it. The security dangers around free Public Open Wi-Fi are very real because the network is not encrypted, which could allow attackers to harvest personal information or give hackers the opportunity to infect users with malware in man-in-the-middle (MitM) attacks.
The first line of defense is to make sure the sites you visit show HTTPS in your browser’s address bar. But even HTTPS is not foolproof, as was recently proven by Heartbleed, which attacks the router. The best protection is to use a VPN provider, which encrypts all transmitted data between your computer and the VPN end-point site.
More information is available here. “3 Dangers of Logging On to Public Wi-Fi” (http://www.makeuseof.com/tag/3-dangers-logging-public-wi-fi)

Browser Site identity and connection information

At the left end of the browser’s address bar you will find the site’s identity and connection information.

These icons let you know whether or not a site uses TLS (Transport Layer Security) or SSL (Secure Sockets Layer) certificates to prove it is the site it claims to be. You can tell that a site is genuine if it has a valid TLS/SSL certificate. An invalid certificate could mean that someone is trying to tamper with your connection to the site.
More information is available here. “How do I tell if my connection to a website is secure” (https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure)

Zero-Day exploit

Zero-day exploits target vulnerabilities in software that are unknown to the vendor. The security hole is exploited by hackers before the vendor becomes aware of it and hurries to fix it. The Stuxnet worm was found to exploit four zero-day vulnerabilities. It was the world’s first industrial digital weapon, discovered in June 2010 and originally used against the Iranian nuclear enrichment plant. Now that it is out there, it is allowing hackers to learn new skills by using it as a blueprint and repurposing the code for very sophisticated attacks.

Ways to reduce your vulnerability to attacks

The following is an outline providing good practices and security applications that can reduce your vulnerability to attack. Hopefully, they may prevent an attack from succeeding, or at least warn you that an attack is in progress.

Good Practices

·         Make sure your daily personal login runs as a Standard User account. Never use an Admin account for your everyday personal login. Read more at (http://www.howtogeek.com/124754/htg-explains-why-you-shouldnt-disable-uac/)
·         Login passwords should be at least 8 to 12 characters long and encryption password keys should be at least 18 or more characters long. Both types of passwords should have capitals, numbers and special characters.
·         Set the User Account Control settings (UAC) to the Default setting. To change this go to Control Panel\ All Control Panel Items\ Action Center\ Account Control settings and on the left panel select Change User Account Control Settings.
·         Use two-factor authentication for all sites that offer it. Two-factor authentication will send you a code, either by email or a phone text, that you have to enter on a site when you log in. This will thwart many types of attacks, even if hackers have your username and password, because the code sent to you is always different.
·         Actively monitor your accounts for any changes or unusual activity.
·         Someday soon, passwords will not be needed to prove your identity. Until that time, use a password manager like LastPass to remember your username and passwords. This saves you from typing them in so hackers never have the chance to capture them.
·         Never use unencrypted or free WiFi hotspots for any sensitive transactions. If the establishment really cared about your safety they would provide a secure WiFi connection that requires a WPA-2 network security key, which encrypts the data locally before it reaches the Web.
·         To protect yourself on unsecured Open WiFi networks you should use a VPN application that will encrypt and protect your data from prying eyes.
·         Make sure your home WiFi router uses WPA2 encryption, not WEP, and uses a strong 12+ character password.
·         When providing sensitive data make sure the URL starts with HTTPS and has a green lock or shows the EV certificate information. Use the browser plugin called "HTTPS Everywhere," which seeks out HTTPS connections on any website you visit and tries to enforce HTTPS.
·         If your browser warns you that a site's certificate has a problem, leave and don't visit the site.
·         Keep the operating system, applications, and antivirus up to date on all of your devices.
·         Because of several Flash zero-day exploits this year you should think about disabling the Flash player in your browser, or at least setting Flash to “Click to Play”. This way, you can activate only the ads or videos using Flash that you wish to see, and the others will remain disabled.
·         Check every year that your Anti-Virus software is highly rated compared with other competitors. Do a Google search for test and review sites for the best anti-virus software to use. One test site I use is AV-Test (https://www.av-test.org/en/antivirus/home-windows/).
·         Run anti-virus scanners, like the free Norton Security Scanner and Malwarebytes Anti-Malware Scanner, on a weekly or biweekly basis to make sure nothing hidden has slipped past your main line of defenses.

Security Software

There are several different types of threats that are discussed below that include suggestions to reducing your vulnerability to an attack. I have included suggestions for simple and advanced levels of protection, so you can choose the level of protection that is within your comfort level to apply.

Simple Protection


1.       HitmanPro.Alert 3.0 (http://www.surfright.nl/en/alert)
This software protects against the latest banking malware, ransomware, software vulnerabilities and exploit attacks by cyber-criminals or (nation-state) hackers. The 30-day free trial of the Pro version is worth trying and then buying, but even the free version still provides browser protection, including Keystroke Encryption, which protects against key loggers that can steal usernames and passwords.


2.       CryptoMonitor – (https://easysyncsolutions.com/Products)
The Pro version of this product is currently free. CryptoMonitor uses Entrapment Protection (also known as Honey Pot or Canary Token files) and Count Protection (Pro version only) to monitor encryption activity.
Note: First install CryptoMonitor from the Administrator login. If your daily computer login is a Standard user account (which it should be) you will then need to log in to that account and launch CryptoMonitor. Then go into Settings and press Alt-T. This will allow you to enter the username of the Standard user and the Administrator password. This will allow CryptoMonitor to start when you log in to your Standard user account.
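To show what the Entrapment Protection idea (honey pot or canary files) does under the hood, here is an added Python example. It is not CryptoMonitor’s code; the decoy names, decoy contents and the temporary folder it uses are constructed for the demo. It plants two decoy documents, records their SHA-256 hashes, and reports when a decoy has been overwritten in place or renamed, which is what a mass-encryption event looks like from the decoys’ point of view:

```python
"""Canary (decoy) files for early ransomware detection.

Added example illustrating the honey-pot / canary-file idea; it is not
CryptoMonitor's code. Folder, file names and decoy contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy content; it only needs to look like a user document.
CANARY_CONTENT = b"Household budget 2016 - do not delete\n"
# Names chosen to sort first and last: a process walking the folder in
# directory order will touch one of them early.
CANARY_NAMES = ["000_budget.txt", "zzz_family_photos.txt"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(folder: Path) -> dict:
    """Write the decoys into folder and return the baseline {path: sha256}."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        decoy = folder / name
        decoy.write_bytes(CANARY_CONTENT)
        baseline[str(decoy)] = sha256_of(decoy)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare the decoys against the baseline.

    Returns a list of (path, reason) alerts; an empty list means all quiet.
    A changed hash means the file was overwritten (encrypted in place); a
    missing file usually means it was renamed, e.g. to budget.txt.locked.
    """
    alerts = []
    for path_str, expected in baseline.items():
        decoy = Path(path_str)
        if not decoy.exists():
            renamed = sorted(p.name for p in decoy.parent.glob(decoy.name + ".*"))
            reason = "missing, renamed to %s" % renamed if renamed else "missing"
            alerts.append((path_str, reason))
        elif sha256_of(decoy) != expected:
            alerts.append((path_str, "contents changed"))
    return alerts


def simulate_tampering(folder: Path) -> None:
    """Demo helper only: overwrite one decoy and rename the other, which is
    what the decoys see during a mass-encryption event."""
    first, second = (folder / name for name in CANARY_NAMES)
    first.write_bytes(os.urandom(len(CANARY_CONTENT)))
    second.rename(second.with_name(second.name + ".locked"))


def demo() -> tuple:
    """Plant decoys in a temporary folder, then check before and after tampering."""
    folder = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    baseline = plant_canaries(folder)
    quiet = check_canaries(baseline)          # expected: []
    simulate_tampering(folder)
    noisy = check_canaries(baseline)          # expected: two alerts
    return quiet, noisy


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    for path, reason in after:
        print("ALERT:", path, "-", reason)
```

In real use you would plant the decoys in the folders ransomware goes for first (Documents, Pictures, network shares), poll `check_canaries` every few seconds from a scheduled task, and on the first alert disconnect the network and restore from backup; a tool like CryptoMonitor adds the response part, this script only shows the detection.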

This is a passive standalone tool that protects against a wide range of ransomware, like the CryptoLocker threat, and other malware by applying security restrictions through Group Policies, the Registry and folders.
I use the Maximum Protection settings, which are the Advanced level and are not recommended for most users, because they require you to remember to set the Protection Level back to “Default” before installing any software. You will not have to do this if you leave the protection level at “Default”.


4.       Browser Extension
The following browser extensions are the ones that I use:
4.1.    Browser Add-on
4.1.1. uBlock Origin – (https://github.com/gorhill/uBlock)
This is the best browser protection out there at the moment. It includes an ad blocker, but is so much more. uBlock Origin blocks ads through its support of the Adblock Plus filter syntax. uBlock extends the syntax and is designed to work with custom rules and filters. Furthermore, advanced mode allows uBlock to work in default-deny mode, in which all 3rd-party network requests are blocked by default unless allowed by the user. I recommend you also enable the 3 Disconnect filters in the 3rd Party Filter settings.
4.1.2. WOT – (https://www.mywot.com)
This shows you the site’s user rating in the search results. It also shows you a warning if you land on a site that has a poor reputation based on user ratings.
4.1.3. LastPass – (https://lastpass.com/)
I highly recommend using LastPass to automatically store and retrieve your usernames and passwords for individual web sites. It also has an Android and iOS app. Android Firefox supports a LastPass add-on. Make sure to install the Binary Component for added protection. Look in the More Options/About LastPass menu and click on the "Install Native Messaging" button if it exists.
4.1.4. HTTPS Everywhere – (https://www.eff.org/https-everywhere)
Tries to force connection to HTTPS to help prevent HTTP connections being hijacked.

Advanced Protection


This section is intended for an advance computer user and should not be implemented otherwise. Use at your own risk!
1.       Blocking harmful web sites - For years, lists of malicious domains have been actively maintained by security forums and agencies as blacklist files. These are known as "Malware Domain lists" and can be used to prevent you from landing on those domains in the event you click on an email or web link that tries to download malicious software onto your system. Protection occurs at both the browser and system level. The following help with the system level protection.
1.1.    HostsMan - (http://www.abelhadigital.com/hostsman)
This is a freeware application that lets you manage your Hosts file with ease. I use it to manage a malware domain list for the protection of the computers on my network.
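What a hosts-file manager actually does with a Malware Domain list is simple enough to show in a few lines. The following is an added Python example, not HostsMan’s code: the sample blocklist, the stand-in hosts file, the marker comments and every domain name in it are constructed for the demo. It parses the usual “IP domain” blocklist format, throws out junk and anything that would break local name resolution, and merges the result into a hosts file inside a managed block so the merge can be re-run without piling up duplicates:

```python
"""Build a hosts-file block from a malware-domain list.

Added example of what a hosts-file manager does with a "Malware Domain
list"; it is not HostsMan's code. The blocklist text, marker comments and
domain names are constructed. On Windows the live file is
C:\\Windows\\System32\\drivers\\etc\\hosts and writing it needs an
Administrator prompt; this script only returns the merged text.
"""
import re

# Constructed sample in the usual blocklist format: "IP domain", optional
# comments, a bare domain, a junk line and a duplicate in different case.
SAMPLE_BLOCKLIST = """\
# Malware domains (constructed sample, not a real list)
127.0.0.1 malware-one.example
0.0.0.0   tracker.example   # comment after the entry
127.0.0.1 localhost
bad.example
not a domain!!
127.0.0.1 Malware-One.EXAMPLE.
"""

# Constructed stand-in for an existing hosts file.
SAMPLE_HOSTS = "# Local hosts file\n127.0.0.1 localhost\n192.168.1.10 nas\n"

BEGIN = "# BEGIN malware-blocklist (managed block)"
END = "# END malware-blocklist"
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
IPV4_RE = re.compile(r"^[\d.]+$")
# Blocking these would break name resolution on the machine itself.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocklist(text: str) -> set:
    """Extract the set of domains to block, normalised to lower case."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        # "IP domain" form if two or more fields, otherwise a bare domain
        candidate = (parts[1] if len(parts) >= 2 else parts[0]).lower().rstrip(".")
        if candidate in NEVER_BLOCK or IPV4_RE.match(candidate):
            continue
        if not DOMAIN_RE.match(candidate):
            continue                             # junk line, skip it
        domains.add(candidate)
    return domains


def merge_hosts(existing: str, domains: set) -> str:
    """Return existing hosts text with the managed block replaced or appended.

    The block sits between BEGIN and END markers so that re-running the merge
    replaces it instead of appending duplicates, and the user's own entries
    outside the markers are left untouched.
    """
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    # 0.0.0.0 fails fast; 127.0.0.1 would make the browser wait for a local
    # web server that is not listening.
    block = [BEGIN] + [f"0.0.0.0 {d}" for d in sorted(domains)] + [END]
    return "\n".join(lines + block) + "\n"


def demo() -> str:
    """Merge the constructed blocklist into the constructed hosts file."""
    return merge_hosts(SAMPLE_HOSTS, parse_blocklist(SAMPLE_BLOCKLIST))


if __name__ == "__main__":
    print(demo(), end="")
```

The two checks worth copying into any tool you write yourself are the `NEVER_BLOCK` set (a blocklist that happens to contain `localhost` would otherwise break your own machine) and the idempotent managed block (so a weekly update never grows the hosts file without bound).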
In the same way that SSL turns HTTP web traffic into encrypted HTTPS traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. Read more at (https://www.opendns.com/about/innovations/dnscrypt/)

2.       Backup everything – I highly recommend setting up a data backup of your personal information and pictures. This is the best defense for just about everything except having your computer stolen or taken hostage by malware. For that you should have an image backup, which is a complete copy of everything on your computer.
A data backup should be set up on a weekly rotation: a full backup once a week, with daily differential or incremental backups throughout the week. Use a backup naming convention that includes the date so that you keep several weekly backup sets on a 2-week rotation. Backup software that supports weekly rotation should delete the oldest week of backups before creating a new full backup. I use Cobian Backup 11. Read more about it at (http://www.cobiansoft.com/cobianbackup.htm).
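To make the rotation rules concrete, here is an added Python planner, not Cobian Backup’s logic; the `backup-<kind>-<date>` naming pattern, the Sunday full-backup day and the sample catalogue of existing sets are constructed for the demo. It decides whether today needs a full or a differential backup and, before a new full, which old sets to delete so that exactly two weekly sets remain:

```python
"""Weekly backup rotation planner.

Added example of the rotation scheme described above (one full backup per
week, differential backups on the other days, date-stamped set names, two
weekly sets kept, oldest week removed before a new full). It is not Cobian
Backup's code; the set-name pattern and the sample catalogue are constructed.
"""
import re
from datetime import date

FULL_DAY = 6       # weekday() convention: Monday = 0, so 6 is Sunday (constructed choice)
KEEP_WEEKS = 2     # number of weekly sets that exist after a new full backup
NAME_RE = re.compile(r"^backup-(full|diff)-(\d{4}-\d{2}-\d{2})$")

# Constructed catalogue of sets already on the backup drive.
SAMPLE_CATALOGUE = [
    "backup-full-2016-01-03", "backup-diff-2016-01-04", "backup-diff-2016-01-05",
    "backup-full-2016-01-10", "backup-diff-2016-01-11",
]


def set_name(kind: str, day: date) -> str:
    """Date-stamped set name, so sets sort chronologically by name."""
    return f"backup-{kind}-{day.isoformat()}"


def parse_name(name: str) -> tuple:
    """Split a set name into (kind, date); reject anything that is not ours."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised backup set name: {name}")
    return match.group(1), date.fromisoformat(match.group(2))


def kind_for_today(today: date, catalogue: list) -> str:
    """'full' on the weekly full day or when no full exists yet, else 'diff'.

    A differential captures everything changed since the latest full, so a
    restore needs only that full plus the newest differential.
    """
    has_full = any(parse_name(n)[0] == "full" for n in catalogue)
    if today.weekday() == FULL_DAY or not has_full:
        return "full"
    return "diff"


def group_by_week(catalogue: list) -> dict:
    """Map each full's date to the names of that full and its differentials."""
    entries = sorted(((*parse_name(n), n) for n in catalogue), key=lambda e: e[1])
    groups, current = {}, None
    for kind, day, name in entries:
        if kind == "full":
            current = day
            groups[current] = [name]
        elif current is not None:
            groups[current].append(name)   # a diff belongs to the preceding full
        # a diff with no preceding full is orphaned and left alone
    return groups


def sets_to_delete_before_full(catalogue: list, keep_weeks: int = KEEP_WEEKS) -> list:
    """Names to delete right before a new full so keep_weeks sets remain after it."""
    groups = group_by_week(catalogue)
    weeks = sorted(groups)                       # oldest first
    surplus = max(0, len(weeks) - (keep_weeks - 1))
    return [name for week in weeks[:surplus] for name in groups[week]]


def demo() -> tuple:
    """Plan Sunday 17 January 2016 (constructed) against the sample catalogue."""
    sunday, tuesday = date(2016, 1, 17), date(2016, 1, 12)
    kind = kind_for_today(sunday, SAMPLE_CATALOGUE)
    deletions = sets_to_delete_before_full(SAMPLE_CATALOGUE) if kind == "full" else []
    return set_name(kind, sunday), deletions, kind_for_today(tuesday, SAMPLE_CATALOGUE)


if __name__ == "__main__":
    new_set, deletions, midweek = demo()
    print("today's set:", new_set)
    print("delete first:", deletions)
    print("a Tuesday would get a", midweek, "backup")
```

Deleting a week means deleting its full backup and the differentials that depend on it together; a differential on its own is unrestorable, which is why the planner groups by full rather than by file age.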

3.       Virtual Private Network (VPN)
A VPN network connection allows a user to send and receive data across shared or public networks in a safe manner, because the data is encrypted between their computer and the VPN server. One way to have VPN support is to run an application like Avast SecureLine or CyberGhost. The other way is to use the OpenVPN server that is available on most home routers. Either method is a good choice for VPN security when you’re away from home.
3.1.    OpenVPN – (https://openvpn.net/)
This is an open source software that implements a VPN Server on my Asus RT-N65U router. It is well worth the effort in my view to implement this, because it is faster and more reliable than a third party VPN and it allows as many mobile connections as you need. Read about it at
3.2.    CyberGhost – A free VPN service I use for PC and mobile devices
3.3.    Avast SecureLine – A good pay VPN service for PC and mobile devices.

4.       Security Vault – This is an application that creates an encrypted file folder to act as a security vault for all your sensitive data. I use the open source program called VeraCrypt (https://veracrypt.codeplex.com/) which is an offshoot of the TrueCrypt program that is no longer maintained.

Security Podcasts and Videos

Security Now

I’m a big fan of Steve Gibson’s “Security Now” podcasts. They are a way of keeping up on current security issues and it’s fun entertainment, but very techy.

Nova on PBS

These are a few eye-opening videos that Nova recently aired that will bring you up to date with the hacking crisis we are facing today.

As internet connections multiply so do points of attack and risks to national security. Aired October 14, 2015 on PBS

A new global geek squad is harnessing cryptography to stay a step ahead of cybercriminals. Aired May 20, 2015 on PBS
