Online financial fraudsters are hiding their latest bank-account-stealing weapon inside what appears to be a legitimate Google Chrome installer.
The downloadable file, “ChromeSetup.exe,” contains a sophisticated, multifaceted banking Trojan that, once running on a system, relays that computer’s information to a remote IP address. Most of the compromised browsers connect to IP addresses in Brazil and Peru, researchers at Trend Micro explained. The fake Chrome installer appears to be hosted on popular domains including Facebook, Google and MSN.
The real damage is done when the malware plants a file that makes the victim’s Web browser redirect to a rigged banking site whenever the user tries to visit his legitimate banking platform. The Trojan, identified as “TSPY_BANKER.EUIQ,” hijacks the user’s banking session and displays a dialog box that reads, “Loading system security,” leading the victim to believe he is being protected when, in fact, the crooks are picking his virtual pockets.
Adding insult to injury, the Trojan uninstalls GbPlugin, a software plugin built to protect Brazilian online banking customers. Trend Micro said the malware, which was first spotted in October 2011, is currently being used in the wild and is morphing to evade detection and more effectively fleece its victims.
You can protect yourself and your online banking sessions by making sure any site that asks for your financial information is served over “HTTPS”: look for “HTTPS” highlighted in green and a lock icon in your Web browser, and check that the domain name shown is your bank’s own. Know what that check does and does not tell you: the padlock confirms an encrypted connection to the site named in the address bar, but a Trojan already running on your computer can steer the browser to a site of its own choosing, so a machine you suspect is infected should not be used for banking until it has been cleaned. If a website seems suspicious, or requests information you don’t feel comfortable handing over, do not trust it.
© 2012 SecurityNewsDaily. All rights reserved
Like it or not, the internet is changing. We who use the internet have passed into the era of uncertain privacy and questionable surveillance of our online activities. Rather than await the full implications of what the Googles and Facebooks are doing with our private information, the Electronic Frontier Foundation and Tor have partnered both to encourage internet users to take a more proactive role in protecting their online security and to offer a few tools to help with the task.
For those who don’t know, Tor is an anonymity network: it routes your traffic through a series of “virtual tunnels” between volunteer-run relays so that no single observer on the path sees both where the traffic comes from and where it is going. That defeats “traffic analysis,” a common form of internet surveillance available to pretty much any entity with the means and determination to find out what you’re doing online.
One of the first and best ways to raise your level of online security is to install a browser extension for Firefox and Chrome called HTTPS Everywhere. The extension “encrypts your communication with many websites and, in conjunction with Tor, helps to protect your anonymity online.” The practical gain is against anybody eavesdropping on the network between you and the website, most notably on the wireless network you happen to be using and, when you browse through Tor, at the exit relay that hands your traffic on to the site: over plain HTTP either of them reads your traffic in the clear.
To better understand how HTTPS and Tor can level up your online security, EFF put together an interactive graphic to help you answer any lingering questions you may have about what HTTPS is, why you need to be concerned about the vulnerability of your online privacy, and how these guidelines will keep you safer and sounder.
As we slouch onward into this new age of online hyper-surveillance, the old maxim “better safe than sorry” cannot be valued enough.
Article source: http://www.webpronews.com/eff-tor-https-everywhere-2012-03
Chrome/Firefox: HTTPS Everywhere is a simple extension that, with just a one-click installation, can seriously increase your security on over 1,400 web sites by encrypting your connection.
We’ve talked before about HTTPS, what it does, and why you should use it. Many sites, like Gmail (and Facebook, with caveats) have options that let you browse with HTTPS always turned on, but the HTTPS Everywhere extension makes this simpler. Instead of turning it on for individual sites, HTTPS Everywhere automatically routes all your data through a secure connection on any of its 1,400 supported web sites, keeping your information away from prying eyes. In short, it’s an extension everyone should have installed.
HTTPS Everywhere has long been a favorite of Firefox users, but today marks the first time Chrome users can get in on the fun, with a new beta version of the extension that quietly sits in your address bar and switches you to HTTPS whenever possible. The Firefox version has also been updated to 2.0, which adds a new feature, the Decentralized SSL Observatory, that, when turned on, detects encryption weaknesses and notifies you when you’re browsing a site with a security vulnerability. To read more about the new version of the extension and install it in your browser, hit the link below.
HTTPS Everywhere is a free extension and works wherever Chrome and Firefox do.
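How the extension decides to switch a page to HTTPS is not spelled out above, but it is worth seeing in code: each supported site has a small ruleset of target hosts, regex rewrite rules and exclusions, and a URL is rewritten when a target and a rule match it and no exclusion does. The Go program below is an added example written for this page, not code from HTTPS Everywhere or the EFF; it parses a ruleset in the extension’s XML format (ruleset, target, exclusion and rule elements) and applies it to URLs. The ruleset for “example-bank.test” is constructed for illustration, and treating a leading “*.” target as matching any subdomain is an assumption made here.

```go
package main

import (
	"encoding/xml"
	"net/url"
	"regexp"
	"strings"
)

// Ruleset mirrors the elements of an HTTPS Everywhere ruleset file: the target
// hosts it applies to, exclusion patterns that must never be rewritten, and
// regex rewrite rules tried in order.
type Ruleset struct {
	XMLName    xml.Name `xml:"ruleset"`
	Name       string   `xml:"name,attr"`
	Targets    []struct{ Host string `xml:"host,attr"` } `xml:"target"`
	Exclusions []struct{ Pattern string `xml:"pattern,attr"` } `xml:"exclusion"`
	Rules      []struct{ From string `xml:"from,attr"`; To string `xml:"to,attr"` } `xml:"rule"`
}

// Rewriter is a compiled ruleset ready to be applied to URLs.
type Rewriter struct {
	hosts      []string
	exclusions []*regexp.Regexp
	from       []*regexp.Regexp
	to         []string
}

// backref turns JavaScript-style "$1" group references into Go's "${1}" form so
// that "$1abc" is not read as a reference to a group named "1abc".
var backref = regexp.MustCompile(`\$(\d+)`)

// Compile parses one ruleset document. Patterns are trusted static data shipped
// with the extension, so a malformed one is treated as a build error (MustCompile).
func Compile(doc string) (*Rewriter, error) {
	var rs Ruleset
	if err := xml.Unmarshal([]byte(doc), &rs); err != nil {
		return nil, err
	}
	rw := &Rewriter{}
	for _, t := range rs.Targets {
		rw.hosts = append(rw.hosts, strings.ToLower(t.Host))
	}
	for _, e := range rs.Exclusions {
		rw.exclusions = append(rw.exclusions, regexp.MustCompile(e.Pattern))
	}
	for _, r := range rs.Rules {
		rw.from = append(rw.from, regexp.MustCompile(r.From))
		rw.to = append(rw.to, backref.ReplaceAllStringFunc(r.To, func(m string) string {
			return "${" + m[1:] + "}"
		}))
	}
	return rw, nil
}

// matchesHost implements the target check. A leading "*." is taken here to match
// any subdomain (an assumption made for this example).
func (rw *Rewriter) matchesHost(host string) bool {
	host = strings.ToLower(host)
	for _, h := range rw.hosts {
		if host == h || (strings.HasPrefix(h, "*.") && strings.HasSuffix(host, h[1:])) {
			return true
		}
	}
	return false
}

// Rewrite returns the https URL the extension would switch to and true, or the
// input unchanged and false when the URL is not plain http, no target matches,
// an exclusion matches, or no rule applies.
func (rw *Rewriter) Rewrite(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "http" || !rw.matchesHost(u.Hostname()) {
		return raw, false
	}
	for _, ex := range rw.exclusions {
		if ex.MatchString(raw) {
			return raw, false
		}
	}
	for i, re := range rw.from {
		if re.MatchString(raw) {
			return re.ReplaceAllString(raw, rw.to[i]), true
		}
	}
	return raw, false
}

// ExampleRuleset is a constructed ruleset for a fictitious bank, not one the
// extension ships.
const ExampleRuleset = `<ruleset name="Example Bank (constructed)">
  <target host="example-bank.test"/>
  <target host="*.example-bank.test"/>
  <exclusion pattern="^http://static\.example-bank\.test/"/>
  <rule from="^http://(www\.)?example-bank\.test/" to="https://www.example-bank.test/"/>
  <rule from="^http://([^/:@]+)\.example-bank\.test/" to="https://$1.example-bank.test/"/>
</ruleset>`
```

With this ruleset, `Compile(ExampleRuleset)` rewrites `http://example-bank.test/login` to `https://www.example-bank.test/login` and `http://online.example-bank.test/accounts` to its https counterpart, leaves `http://static.example-bank.test/logo.png` alone because the exclusion matches first, and never touches hosts outside the targets or URLs that are already https. Exclusions exist because some sites serve part of their content only over HTTP; a blanket rewrite would break those pages rather than secure them.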
New ‘HTTPS Everywhere’ Version Warns Users About Web Security Holes | Electronic Frontier Foundation
I’m still trying to wrap my head around Google’s surprising revelation (in Google engineer Adam Langley’s blog) that it will disable online certificate revocation checking in a future version of the Chrome browser. Standard across all the leading browsers, online revocation checking is the process of conducting a verification query of a certificate authority when presented with a new digital certificate tied to a particular website. Although the certificate revocation process is currently broken, as I’ll explain below, Google’s Chrome-only fix is problematic in a number of ways. And a much simpler fix — for Chrome and every other browser — is plain for all to see.
When your browser connects to an HTTPS-protected website, it examines the digital certificate the site presents, locates the revocation pointer embedded in the certificate, if there is one (a CRL distribution point or an OCSP responder URL), and then queries the indicated certificate authority to determine whether the certificate has been revoked by the issuer. Common reasons for revocation include a compromise of the certificate owner’s private key or simple periodic certificate replacement, but a certificate can be revoked for any reason the issuer chooses. I’ve seen certificates revoked because the owner didn’t pay the issuer in a timely manner.
Revocation checking lets applications such as your Web browser make sure that the presented certificate is still valid and still a reliable voucher for the site you’re visiting. As such, it is integral to PKI; without it, a revoked certificate, say one whose private key has been stolen, keeps working. Unfortunately, revocation has often been neglected or ignored. Whether and how it’s done is completely dependent upon the “consuming” application or system. In many scenarios, revocation checking is so poorly implemented that it’s hard to say it’s being performed or provides any value.
For example, the digital certificates for many websites either don’t contain a revocation link pointer, or they point to a location that isn’t contactable. One presentation I saw at Black Hat Las Vegas a few years ago found that more than 90 percent of HTTPS-enabled websites didn’t implement digital certificates correctly. Not all of those failures were due to revocation issues, although a large number of them were.
Certificate revocation checking is broken
HTTPS revocation checking is so hit or miss that most popular browsers fail “open” — meaning that if the certificate’s revocation information cannot be confirmed, the browser will proceed as if the certificate were still valid. Worse, in most cases, the user isn’t aware that revocation checking doesn’t work. Many browsers can be configured to fail closed (that is, if revocation checking can’t be performed, then the browser won’t let the user connect to the protected website), but no browser vendor has the stomach to make this the default behavior. Many legitimate websites would become unreachable, and no browser maker wants to risk widespread user frustration.
All PKI and crypto experts understand the current problems with revocation checking, so it’s not just Google. However, Google is drawing a line in the sand to protect the users of its browser by stating that today’s generally accepted standards for doing digital certificate revocation, Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP), are too broken to fix.
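To make the fail-open versus fail-closed distinction concrete, here is an added example in Go, written for this page and not code from the article, Google or any browser. It issues a test certificate that carries both revocation pointers described above (the OCSP URL is only carried, not queried), signs a CRL with the test CA, and then makes the browser’s decision under both policies: a revoked serial is caught when the CRL is obtainable, a CRL signed by the wrong key is rejected, and when no CRL can be fetched the fail-open policy returns “unknown” and proceeds while the fail-closed policy refuses. The CA, host name and URLs are fictitious; the code uses only the Go standard library and needs Go 1.21 or newer for the RevokedCertificateEntries field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Status is the outcome of a revocation check.
type Status int

const (
	Good    Status = iota
	Revoked        // the serial appears on the issuer's CRL
	Unknown        // no CRL, or one that is stale
)

// makeCA creates a self-signed CA allowed to sign certificates and CRLs.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate carrying the two revocation pointers a
// browser looks for: a CRL distribution point and an OCSP responder URL (AIA).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, crlURL, ocspURL string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "bank.example"},
		DNSNames:  []string{"bank.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{crlURL}, // where a client fetches the CRL
		OCSPServer:            []string{ocspURL}, // where a client asks OCSP
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeCRL signs a CRL listing the given serials as revoked (Go 1.21+ API).
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkAgainstCRL is the decision made after trying to fetch the CRL a leaf
// points at. A nil crl models "pointer missing or not contactable"; failClosed
// picks the policy for that case and for a stale CRL.
func checkAgainstCRL(leaf, issuer *x509.Certificate, crl *x509.RevocationList, failClosed bool) (Status, error) {
	if crl == nil || time.Now().After(crl.NextUpdate) {
		if failClosed {
			return Unknown, errors.New("refusing connection: no fresh revocation information")
		}
		return Unknown, nil // fail open: caller proceeds exactly as if the certificate were valid
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return Unknown, errors.New("CRL not signed by issuer: " + err.Error())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}
```

The point to take from `checkAgainstCRL` is how small the difference between the two policies is and how large its consequence: with `failClosed` false, the same `Unknown` result that a fail-closed client turns into a refusal is returned with no error, and a caller that only checks the error proceeds. A real client also has to decide what “not contactable” means (timeouts, HTTP errors, a CRL that does not parse), and every one of those paths ends in this branch.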
Google is strengthening the encryption on Gmail and other services so that traffic recorded today can’t be decrypted later, once faster computers make breaking the server’s key by brute force feasible.
The company is enabling what is called “forward secrecy” by default, Adam Langley from Google’s security team, wrote in a blog post yesterday.
“Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today,” he wrote. “In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.”
With forward secrecy, the keys protecting a connection are derived from an ephemeral key exchange and discarded afterwards rather than held in persistent storage; the server’s long-term private key only authenticates that exchange. Without it, each connection’s session key is encrypted to the server’s long-term key, so breaking that single key would let an adversary decrypt every past connection it had recorded.
Forward secret HTTPS (Hyper Text Transfer Protocol Secure) is live for Gmail, Google Docs, SSL (Secure Sockets Layer) Search, and Google+.
Chrome users can check whether they have forward secret connections by clicking on the green padlock in the address bar of HTTPS sites and looking for the “ECDHE_RSA” key exchange mechanism.
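To show what “ECDHE_RSA” means in practice, here is an added example in Go, written for this page; it is not Google’s code and is a simplified model of the TLS exchange (it signs only the ephemeral share, where TLS also signs the handshake randoms, and it derives the session key with a plain SHA-256 rather than the TLS key schedule). The server keeps one long-term RSA key and uses it solely to sign a fresh P-256 ECDH public share per connection; each side derives the session key from its own ephemeral private key and the peer’s share, and the ephemeral private keys are dropped afterwards. A recorder that captures the whole exchange and later recovers the long-term key has the shares and a signature, but not the session key. Key sizes and the curve are choices made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Server keeps the only key that survives across connections: a long-term RSA
// pair. In an ECDHE_RSA exchange it signs the ephemeral share and nothing else,
// so there is nothing for a future break of this key to decrypt.
type Server struct {
	LongTerm *rsa.PrivateKey
}

// ServerHello is the server's contribution to one handshake: a fresh P-256
// public share and an RSA signature binding it to the server's identity.
type ServerHello struct {
	EphemeralPub []byte
	Signature    []byte
}

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{LongTerm: k}, nil
}

// StartSession makes an ephemeral ECDH key for this connection only and signs
// its public half. The private half is returned to the caller and must be
// dropped as soon as the shared secret has been derived.
func (s *Server) StartSession() (ServerHello, *ecdh.PrivateKey, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return ServerHello{}, nil, err
	}
	pub := eph.PublicKey().Bytes()
	digest := sha256.Sum256(pub)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.LongTerm, crypto.SHA256, digest[:])
	if err != nil {
		return ServerHello{}, nil, err
	}
	return ServerHello{EphemeralPub: pub, Signature: sig}, eph, nil
}

// deriveKey completes the ECDH computation with the peer's share and hashes
// the result into a fixed-size session key. Only a holder of one of the two
// ephemeral private keys can compute it.
func deriveKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	remote, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// ClientKeyExchange verifies the signature on the server's share, makes the
// client's own ephemeral share and derives the session key. It returns the
// share to send back and the key.
func ClientKeyExchange(serverPub *rsa.PublicKey, hello ServerHello) ([]byte, []byte, error) {
	digest := sha256.Sum256(hello.EphemeralPub)
	if rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, digest[:], hello.Signature) != nil {
		return nil, nil, errors.New("server share not signed by the expected long-term key")
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key, err := deriveKey(eph, hello.EphemeralPub)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), key, nil
}

// RunHandshake performs one complete exchange and returns the key each side
// derived. Every call yields an unrelated key under the same long-term RSA key.
func RunHandshake(s *Server) ([]byte, []byte, error) {
	hello, eph, err := s.StartSession()
	if err != nil {
		return nil, nil, err
	}
	clientPub, clientKey, err := ClientKeyExchange(&s.LongTerm.PublicKey, hello)
	if err != nil {
		return nil, nil, err
	}
	serverKey, err := deriveKey(eph, clientPub) // eph is unreferenced after this
	return serverKey, clientKey, err
}
```

Contrast this with RSA key exchange, where the client encrypts the premaster secret to the server’s long-term public key and sends it: there the recorded transcript plus the long-term private key yields the session key directly, which is the retrospective-decryption risk Langley describes. The signature check in `ClientKeyExchange` is what keeps the ephemeral exchange from being hijacked by an active attacker; forward secrecy only helps if the share you agreed with really came from the server.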
Firefox and Internet Explorer on Vista and later support forward secrecy using elliptic curve Diffie-Hellman. However, only Chrome and Firefox will initially use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. “We hope to support IE in the future,” Langley wrote.
Google has been aggressive in rolling out encryption options for its users, starting with a Gmail option back in July 2008, then SSL by default in Gmail in January 2010, and more recently, default SSL for search in October.