Utah’s Award Winning Computer Magazine!
www.ucs.org
This Month’s Meeting: Wednesday 14th at 7 pm
Volume 29, No. 12, December 2011
ISSN 1061-5725
This Month’s Presentation: Check Out Security Related Report #25, starting on page 4
Merry Christmas!




Page 2 Blue Chips Magazine — December 2011

By Cliff Millward, [email protected]

A Rather Different Column

First, let me wish all of you a very Merry Christmas and a Happy New Year! It has been a historic year for Blue Chips as we have diminished our presence and changed our meeting procedures. However, we are still in existence, held together by intense individuals determined to pursue esoteric information about their first love (?), computers.

Sibelius 7 and the Mac

I have been working with Sibelius for about six weeks now and I am becoming more impressed with the updated features. It still has some bugs in it, but I can get around them.

One obnoxious bug is in printing. Every once in a while it crashes when I ask it to print a particular part (such as a piccolo or a violin part) and a nasty little box comes up informing me that an error has occurred. However, it automatically sends the crash information to Avid (the parent company of Sibelius) so that they can make adjustments in their next upgrade.

Other little bugs are that some of the keyboard commands do not work on the Mac. They do, however, work on the PC! As a result of this fact, I use the PC as a back up if I have trouble with the Mac. I simply copy the file to a memory stick and transfer it to the PC. The PC has, so far, solved all my problems. Also, the printer drivers on the PC seem to be better than on the Mac. When I push print on the PC, the printer responds immediately. The Mac takes 10 to 20 seconds before it sends the information to the printer. The actual printing is the same, but the delivery is slower on the Mac.

The wireless mouse that comes with the Mac is very unstable in Sibelius. It often throws me out of Sibelius onto the “Mission Control” window. This happens because I must occasionally lift my hand off the mouse to use the number keypad. (By the way, the wireless keyboard that comes with the Mac has no number keypad, so I had to buy one that contains it in order to use Sibelius. The new keypad is not wireless.) This annoying event occurs because the mouse is sensitive to hand movements and interprets the sideways hand movements as an instruction to go to a previous page or program. You are supposed to be able to turn off this feature in the Bluetooth commands, but it does not work. I solved this problem by buying an inexpensive USB Logitech mouse. I actually like the Logitech mouse better for a couple of reasons.

1. It is much lighter and easy to manipulate.
2. It has no batteries to burn out.

The Mac mouse houses two AA batteries which burn out about every three to four weeks. The wireless keyboard also has two AA batteries which, I assume, will burn out in that same time frame as well. I cannot verify this as I never used the wireless keyboard more than a couple of days after I bought the computer as I needed the number keypad for the Sibelius program.

One nice thing about the Mac is, it is silent. It has no cooling fans and runs cooler than PCs. As a result, you never have to turn it off. In fact, Apple recommends only turning it off when you will not be using it for a couple of days or more.

Eric Browning, who handles all the Macs at Juan Diego High School, informs me that he never turns any of the computers off there and has almost no problems with them. Eric is a friend of mine and Preston Anderson. Some of you will remember him as the third person on the radio program Internet Insights which was on KALL a few years ago.

The Apple turn off button is hidden on the left side of the computer in the back. The only way you know it is by feel. Run your fingers lightly on the left lower side of the back and you will be able to feel a circle; push it to turn off or turn on the computer. When you want to turn it off, however, it is best to do it with the shut down command which appears in the drop down menu after clicking the Apple which appears on the menu bar at the top of the screen. If you ever have to turn on one of these Macs, remember the button is hidden at the left on the back of the computer.

Finè

Well, there you have an update to Sibelius and the Mac. With all its problems, I still like the Mac. However, I still feel more at home on the PC. I guess I have been infected in my body by a Microsoft virus!


Page 3 Blue Chips Magazine — December 2011

Blue Chips Magazine

Magazine Staff
Editor — Cliff Millward 619-9633
Review Program Liaison — James Alexander 250-2269
Review Product Editor — Donna Nendell (702) 776-8677
Review Editor/Product Recruiter — Don Nendell (702) 776-8677
Photography — LeRoy Johnson
Proof Readers — Larry Lamph, Doug Jackson

Advertising Rates
Ad size         1 month   3 months   6 months   12 months
2 Page Spread   $150      $400       $700       $1200
Full Page       $100      $275       $500       $900
Half Page       $50       $130       $250       $450
Quarter Page    $25       $70        $130       $225
Business Card   $15       $30        $60        $120

Full page size is 7½ x 10 inches. All other page sizes are based on a 7 x 10 inch page in order to conform to editorial style. Half-page ads may be 7 x 5 inches or 3½ x 10 inches. Quarter-page ads are 3½ x 5 inches. Business card ads are 3½ x 2½ inches.

Classified Advertising
Utah Blue Chips members may place personal classified ads at no charge. Maximum ad size is 7 lines, 35 characters per line.

Submissions
Members are encouraged to submit text articles for publication in ASCII text only. Photos in .TIF or .JPG format only. Line graphics, tables, in almost any vector or .TIF format. Do not embed graphics or tables in text files. All articles must be received by the 15th of the month preceding the month of publication. All articles become the property of the Utah Computer Society and by submitting an article, the author gives permission for the Blue Chips Magazine Staff to edit the submission. The author also gives permission for republication in other users groups’ communications.

Permission to Copy
Permission is granted to other nonprofit PC user groups to reproduce any article published in this newsletter, provided credit is given Blue Chips Magazine and the author(s) of the reproduced materials. Reprinted articles are subject to the terms of their respective copyright holders.

“Utah’s Award Winning Publication”
Charter Member of the Association of PC User Groups

MONTHLY MEETING LOCATION
2nd Wednesday of every month
University of Utah, Union Building, 7:00 p.m.

Officers and Trustees (evening phone, e-mail)
President, Stuart Gygi 576-1891 [email protected]
Vice Pres., Larry Lamph 571-2908 [email protected]
Lowell Kenedy 278-3035 lkenedy@ucs.org
Treasurer, John Witzel 296-1390 witzelj@ucs.org
Doug Jackson 322-2337 [email protected]

Information
Persons or companies may join or renew at the meeting, or by sending a check payable to the Utah Computer Society to:

Utah Computer Society
Membership Secretary
5435 Riley Lane
Murray, Utah 84107

Individual memberships are $25/year. Business memberships are $35.00 a year. Corporate sponsorships are available at two levels. Corporate Sponsors enjoy all benefits of membership including multiple individual membership and prepaid advertising coverage. Contact a Board Member for more information.

Other important information:
Meeting Information http://www.ucs.org
Group Business (James Alexander) 250-2269
Magazine (Cliff Millward) 955-9633
Web Site http://www.ucs.org
WebMaster 262-6045
Membership (evenings) (Bob) 262-6045

Monthly Meeting: On The Internet


Page 4 Blue Chips Magazine — December 2011

Security-Related Report #25
Suspected SIREFEF Trojan, et al.

Security Related Report
By Don Nendell

Dear Reader,
If you are reading this in a non-PDF format, you are missing a large part of the whole Report/Review 1 & 2. You should, therefore, stop reading and immediately follow the steps outlined in Footnotes 1 & 2 below, which BTW are:

1. “If you are reading this Report/Review 1 & 2 directly off of an Internet search, you are seeing it in HTML (or text) format. Yuk! There’s no graphics there! To see all the beautiful graphics in this Report/Review 1 & 2 - the ones that we’ve worked so very hard to entertain you with - you will need to follow the procedures outlined in 2 below. Enjoy! Again, our web page is: (www.ucs.org).”

2. “See the actual Reports/Reviews 1 & 2 in the Blue Chips Magazine (BCM) Archives (i.e., begin search on left-hand side of web page) at: (www.ucs.org). Note. Always choose the center option, i.e., PDF format for its beauty.”

Prelude

As I wrote in Security-Related Report #24 (see also my August 2011 BCM Security-Related Report #23 1 & 2 plus the September 2011 BCM Security-Related Report #24 1 & 2), “It’s a War, this time a Cyberwar, and they’re taking no prisoners. Well, almost. Let me qualify that statement. The ‘Good Guys’ and the ‘Bad Guys’ are sitting side-by-side and taking notes at the same classes at Security Conferences, much like Black Hat USA 2011 (BHB 2011) and Def Con 19 (DC19), all over the world day in and day out. When these conferences conclude they return to their place(s) of business(es) and continue to duke it out all over the world, and they do it in every nook and cranny that holds any information of value; but it’s most evident to us all when it’s over, [you guessed it,] ‘Money!’

“These ‘fierce battles’ are raging, as we speak (and sleep, because these cyber-combatants never sleep), all over the Internet, at Banks, Medical-related Establishments, Industrial Giants, et al., even between Nation-states, et cetera, et cetera. The list is endless actually; it affects everybody, and is everywhere, because it’s virtually ‘ubiquitous’ now....

“Peiter Zatko is a famous hacker known as Mudge from the early L0pht (Crack) group. But he crossed into the realm of white hats when he joined the Pentagon’s Defense Advanced Research Projects Agency (DARPA) as program manager for cyber security. In a Black Hat keynote, he announced that ‘it takes about 125 lines of code to create the typical piece of Malware, and it takes about 10 million lines of code to create sophisticated technologies to protect against it.’” (My emphasis here) There’s more, lots more... Read on, dear ones.

(We continue) Putting Security into Context

“eEye Digital Security at Black Hat USA 2011 stated (http://go.eeye.com/LP=62), ‘There’s a lot of fear swirling through the IT Security world. You’re warned to prepare for the worst - Stuxnet, Night Dragon, Aurora, APTs, botnets, etc. You try to make sense of media alarmism like ‘coordinated attack on the US,’ ‘state-sponsored e-terrorism,’ and ‘cyber Armageddon!’ [But] Hold on. Let’s bring this conversation down to Earth. Cyber threats are very real and very serious, but not all of them should incite the same urgency to every business, [or everybody, for that matter,] every time.

Page 5 Blue Chips Magazine — December 2011

“I agree with the admonition wholeheartedly, but let’s leave the ‘naivety’ part out of this very serious matter before us over there in the toilet where it rightfully belongs! Instead, be informed, be forewarned, be armed, and fight this evil scourge with all your might, while you can!” (See more below)

9/11, A Decade Later - Targeted attacks: Bulls-eye on government agencies by Bradley Anstis, GSN 09/08/11. Cyber-criminals are employing new, sophisticated and highly-targeted methodologies that are completely circumventing traditional security and are going after the next layer of proactive security, as well.

I have been attending those very same Security Conferences as ‘Those Good Guys and those Bad Guys!’ I have been writing about such things for what seems like a very long time now, mostly because of my deep personal involvement in the Security Industry, plus my very deep conviction that everyone must be made aware of the inherent dangers to their very life, limb and properties.

And, so it goes! Don’t say we haven’t been warned - because you and I have... too many times to count?

Blackhat USA 2011 & Def Con 19 After-action Report

Andy Marken, CEO of Marken Communications ([email protected]), writes in his Content Insider #193 - Def Con, Blackhat (2011) Wrap, 08/27/11, every time you turn around there’s a new report about someone losing a bunch of folks’ personal data or hackers defacing your stuff or a new, better online bait-and-switch. Cyber-criminals are making impressive gains. Marken says, “Don’t sit back and think too long though because the kid down the street is light years ahead of you. But then maybe it’s just up to us to become more secure in an increasingly insecure world ...maybe....” Marken goes on to say that, yeah, there was a lot of fun ‘n games; but a lot of serious business was discussed and I gotta’ tell you, the future isn’t all that bright.

Ergo, let’s get on with this month’s Blue Chips Magazine (BCM) Security-Related Report, #25 in the current series, because I have so much to report on this month, I don’t even know where to begin.

Introduction

How prophetic, and timely, too, what I wrote just a short two (2) months ago. Well, my little vacation is officially ended and I am back at it again, thanks to some real savvy technology professionals. Let me explain that non-humorous remark, OK?

“Blasphemy is an epithet bestowed by superstition upon common sense.” - Robert Green Ingersoll

“Common sense is instinct. Enough of it is Genius.” - George Bernard Shaw

“Common sense is not so common.” - Voltaire

Page 6 Blue Chips Magazine — December 2011

I was researching BCM’s Product Review (for November 2011), which was supposed, the operative term here is “was supposed,” to be about the CMS CE Secure USB Flash Drive, when all “Hell broke loose” on my Win 7 PC (See below). Actually, it was more like “Stopped!” I got smacked in the kisser with an extremely vicious Trojan, which my friend at the Doctor’s of Technology called, “The Trojan of the Week!” NOT THE MEEK, OR WEAK, mind you, but ... THE WEEK! For me, it may be of the “Trojan of the decade.” I bundled up my sick friend (the Gateway with the Win 7 Pro on it) and took him to the Geek Squad; he was under warranty, you see. Initial thoughts by the Agent were that this was the SIREFEF Trojan, but he also said it was the Troj/DwnLdr-JGH Trojan, whatever that is (See below and page 29 graphic). To make matters worse, they wanted to charge me for their service, i.e. to remove the “sicko?” “No thanks,” I said, “I’ve got ‘Free’ help from GFI!” So I left mumbling under my breath, not being too happy about the Geek Squad’s, so-called “service,” and Best Buy’s Extended Warranty ($$$$) program, at that.

BTW I, too, originally thought it was the deadly SIREFEF Trojan (but, what do I know?); but it actually turned out to be the Antivir Solutions Pro (Trojan) (See its full description in CBC2 graphic on page 21 and in Footnote 5 below). In its own right a very bad hombre. But, more to come on that, for sure.

Holy Yogi Berra, It’s deja vu all over again

As I began to write this Report, it went something like this:

Yes sir, that all began eleven (11), count’em, 11 days ago, and it’s still not over, yet! I will be receiving a call from GFI Tech Support, formerly Sunbelt Software, (i.e., my trusted Vipre A/V protection) tomorrow around noon to continue resolving this devastating problem (we’ll get back to “that part of the story” in just a short while). To make matters even worse, I seriously think “I” may have spread “it” to another critical PC, all because I was being “el stupido” in taking a USB flash drive with five (5) downloaded “emergency recovery A/V programs” back and forth between a healthy PC and the “el sicko” one! Duh! Gotta explain that one, for sure, too! Hold on to your hats, the ugh, “fun” (NOT!) is about to begin.

What Happened to Me in Actuality

Like I said in the beginning of this S-R, I was doing extensive research on November’s original Product Review, when all “Hell broke loose” on my Win 7 PC. Well, it wasn’t quite like that, really. After I had returned from searching for graphics I noticed almost immediately that I got my very first “white screen of death” on my Windows Explorer 8 (Ever had one of those, yet? I didn’t think so!)

Oh, Oh! I knew then and there that I was in a “little” trouble. Sure enough, I certainly was; more like being a “little pregnant,” you know? However, not having that experience personally, there’s no such animal; you either “are” or “you aren’t” pregnant, but certainly not a “little bit,” I’m told. It does describe my situation to a “T,” however, as I was about to give birth to a vicious Trojan growing in my PC’s belly. I took a screen shot of the never-seen-by-me-before phenomenon, but alas, I have to hope that all that data was backed up by DoT (See below) in their recovery stage, but we’ll see? I’m still putting it all back together, as we speak. Even then, I’m winging it, so to speak, right now! But I most certainly wasn’t (“winging it”) in tackling the newest “deadly” problem to fall into my lap (remember HIAWC 4 ).


Page 7 Blue Chips Magazine — December 2011

OK! So, I “immediately ran a deep scan” of the Win 7 PC with Vipre A/V, my tried and true savior and friend. For The Record (FTR) I have absolute and complete trust of GFI and their security products, and especially their Tech Support (See also my June 2011 BCM Security-Related Report #23 1 & 2 ). The deep scan turned up only two (2) “Low Risk cookies,” and that was all. BTW THAT ORDINARILY WOULD HAVE SCORED A “10” FROM ALL THE JUDGES, HOWEVER, I contacted Tech Support immediately and got the ball rolling, because the IE 8 was still locked in its death-like struggle which was being displayed by its inability to still be able to access the Internet, i.e., the “white screen of death” - it was like the “Eyes of Texas” - were still upon me (and I left Texas at the ripe old age of ten (10), too).

I called GFI Tech Support and the following is what happened from then on:

First e-mail from GFI TS
GFI Technical Support Request GFI-111102-437651 (Wed 11/02/11 4:34 PM)

Don, Thank you for opening a support case regarding your GFI product. We look forward to resolving the issue as soon as possible; a GFI Support Technician has been assigned to this case, and will contact you upon review of the information you provided.

Case Number: GFI-111102-437651
Product: Vipre Internet Security
Case Subject: Customer calling with infection
Submitted Name:
Company:
Email:
Phone:
Country: United States
Customer ID: N/A
Installed OS: Windows 7 (x64) Pro/Ult/Ent

Second e-mail from GFI TS
In Reference to GFI Case GFI-111102-437651 for Vipre Internet Security (Wed 11/02/11 8:52 PM)
From: Timothy Dorris ([email protected])
Case Subject: Customer calling with infection

Hello Don,
(http://fileforum.betanews.com/download/Malwarebytes-AntiMalware/1186760019/1)

The above link will take us to a web page that will allow us to download and install Malwarebytes. Malwarebytes is a sister company. We will download and install the program, then we will need to run a Full Scan with the Malwarebytes Program.

Thank you very much for contacting GFI Technical Support.

Timothy Dorris
Consumer Support Technician - GFI Software - (www.gfi.com)
Web & Mail Security, Archiving, Backup & Fax, Networking & Security
Tel: +1 (877)-673-1153

Like GFI Tech Support instructed me to do in their e-mail, I downloaded and ran the full scan with Malwarebytes Anti-Malware 1.51.2 (September 12, 2011) Windows (All) / Shareware; $24.95 / 14,253,047 downloads. Malwarebytes’ Anti-Malware (MAM) is a high performance anti-malware application that thoroughly removes even the most advanced malware and spyware. With one of the fastest, most effective quick scans and malware removal capabilities on the market, this program is the perfect addition to your PC’s defenses. The full version of the product includes a number of key features, including the ability to schedule updates and scans and most importantly, a real-time malware protection module that blocks malicious processes before they even start.

Note. Download the MAM Shareware ($24.95) version at fileforum.com: (http://fileforum.betanews.com/download/Malwarebytes-AntiMalware/1186760019/1).

I was able to load it, the trouble is, MAM didn’t find anything either, prompting TS to upgrade my problem to


Page 8 Blue Chips Magazine — December 2011

Level 2 (See CBC2 graphics on page 16).

BTW Strangely enough, in proceeding to fight the infection further on my own, I could not, repeat, could not, either load, run, nor scan with five (5) additional separate A/V programs I downloaded—for a grand total of six A/V programs. Each “Free” A/V program came highly recommended to me by a friend, an IT Security Pro with 28 years of High Tech experience, and he should know, because he dates all the way back to Def Con II or III (They’re on Def Con XIX now. See also my September 2011 BCM Security-Related Report #23 1 & 2 ). My friend also indicated that it should be a relatively simple matter to get rid of the accursed infection rather easily, as well. I simply would have had to go into the Registry and manually dig around a “little bit,” but what the hey, I’m an expert aren’t I?

Definition of an expert: That’s a drip under pressure.

Third e-mail from GFI TS
In Reference to GFI Case GFI-111102-437651 for Vipre Internet Security (Mon 11/07/11 7:25 AM)

Don, My name is Caleb Crable from the GFI Security Response Team and I’ll be assisting you with the virus removal. I see you’re located in Las Vegas and in Pacific Standard Time zone. Are you available at Monday November 14th at 12pm PST? If not, what is your availability for the [November] 14th and 15th? Thank you.

Caleb Crable - Malware Removal Specialist
Security Response Team
GFI Software - www.GFI.com
ref:00D8ZQDU.500CGdjsa:ref

Fourth e-mail from GFI TS (11-22-11)
Re. In Reference to GFI Case GFI-111102-437651 for Vipre Internet Security

Don, At your convenience today, please resend your TeamViewer credentials and I’ll connect up to the infected machine and take a look. I am booked solid today, so I will be unable to call you, but I can get the remote done for you. Thank you (see below).

Caleb Crable - Malware Removal Specialist
Security Response Team
GFI Software - www.GFI.com

“Please Note the difference in the four (4) GFI e-mail dates above” (initially it took 5 days to even get back to me, and 7 more days of waiting just to get that next level of TS help (See above), all because “this one” was going to require a “manual” removal of the Trojan). I decided right then and there that this must be a worst-case scenario; far more devastating than anything I could ever remember being associated with in all of my 27 years of computing experience, dating all the way back to my old Atari days.

After Thoughts and Actions

Just think of it: This dastardly, dirty infection easily slipped right on past “completely unbeknownst/untouched/unaffected/unharmed/un-anything” by my GFI Vipre A/V; “It” could not even be detected by seven (7) different A/V programs (two (2) commercial (Vipre and Kaspersky Labs 2010, updated to 2011 (See graphic), at that); “It” wouldn’t allow me to clean it out either, simply because no A/V program could be loaded, let alone even find “It”; Only the GEEK Squad person was able to tell me what he “thought “It” might be (See above)?” All this after working feverishly for five (5) days on “it” already, plus having to wait seven (7) more days for professional help to arrive, like a fireman, to “save my baby!”

Well, on the 5th day of waiting, I’d had enough, I hadn’t heard back from GFI, so I took it to my friends at Doctors of Technology (DoT) to get an instant fix. Boy, was I mistaken on the time frame of “Getting It Fixed?” (See graphic of business card) (See CBC2 graphics on pages 21 and 22.) Now is where the cheese gets binding.

[Graphic: Censored (graphic continued on next page)]


Page 9 Blue Chips Magazine — December 2011

PC (See pages 21 and 22), specifically that:

1. My (infecting) Trojan changed the Proxy Settings to 127.0.0.1 (over Port 7212);

2. It is also a virus that caused hidden files to disappear, i.e., Attributes (To fix that: CMD - attrib -h /s /d and retrieve hidden files one (1) time);

3. Ben also had to bring back many lost Programs: (To fix that: SMTP files in local C: Drive Programs (i.e., S-Copy & Paste them back into the Start Menu)); and

4. Among other things, this Trojan also did a Google redirect and something (I Dunno what?) about Speedup My PC?

Note. Now read for yourself (See page 21) what Antivir Solution Pro (ASP) is supposed to do, and see if it rings true with what I had? Which was: The IE Browser “locked up completely” (i.e., White Screen of Death) and “Never once came up and told me anything.” Period. Each time I re-booted the PC, it did the exact same thing; “It died an ignoble death at the same exact spot every time, that is, ‘It always died: Dead,’ D-E-A-D!” (See also above).

Caveat. The trouble with all this “neat” reasoning is that “you have to already know ahead of time what the virus/Trojan (See CBC2 Graphic on pages 14 through 24) is before you can go out and find the manual disinfection tool.” Duh!
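Two of the findings above are host-level indicators a defender can verify without first knowing the malware's name, which is the Caveat's complaint: a browser proxy forced to 127.0.0.1:7212, and the search-engine redirect, which the rogue-AV news item later in this report attributes to a rewritten HOSTS file. The Python below is an added example written for this report; it is not code from the page, from GFI, DoT or any product named here. It parses a hosts file and a WinINET-style proxy setting and flags both patterns. The sample hosts file and its addresses are constructed for illustration; the hosts path and registry key in the optional live check are the standard Windows locations and are an assumption about the reader's system.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file (illustrative, not taken from the report).
# The last three entries show the hijack pattern: popular sites pinned to one
# unrelated address so every visit is silently redirected.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com
203.0.113.45    www.facebook.com   # trailing comment should be ignored
203.0.113.45    www.bing.com
"""

# Names a rogue-AV hijack typically pins (the report names Google, Facebook, Bing).
WATCHED_HOSTS = {
    "google.com", "www.google.com",
    "facebook.com", "www.facebook.com",
    "bing.com", "www.bing.com",
}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) triples, one per hostname, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def hijacked_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Entries that pin a watched site to any address: the HOSTS-file redirect pattern.

    A legitimate hosts file has no reason to carry these names at all, so any
    hit is worth a look, whatever address it points to.
    """
    return [e for e in parse_hosts(text) if e[2] in WATCHED_HOSTS]


def loopback_proxy(proxy_enable: int, proxy_server: str) -> Optional[Dict[str, object]]:
    """Flag an enabled proxy that points at the local machine.

    A proxy of 127.0.0.1:<port> hands every browser request to a listener on
    the same box (the report's finding was 127.0.0.1 on port 7212). Accepts the
    WinINET forms "host:port" and "http=host:port;https=host:port".
    """
    if not proxy_enable or not proxy_server:
        return None
    for part in proxy_server.split(";"):
        target = part.split("=", 1)[-1].strip()
        host, _, port = target.rpartition(":")
        if not host:                      # no port given
            host, port = target, ""
        if host == "localhost" or host == "::1" or host.startswith("127."):
            return {"host": host, "port": int(port) if port.isdigit() else None}
    return None


def check_live_windows_system() -> Dict[str, object]:
    """Run both checks against the real hosts file and proxy values on Windows.

    Assumed standard locations: %SystemRoot%\\System32\\drivers\\etc\\hosts and
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    (ProxyEnable, ProxyServer). Returns an empty dict on other platforms.
    """
    if sys.platform != "win32":
        return {}
    import os
    import winreg
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_hits = hijacked_hosts(fh.read())
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    try:
        enable = winreg.QueryValueEx(key, "ProxyEnable")[0]
    except FileNotFoundError:
        enable = 0
    try:
        server = winreg.QueryValueEx(key, "ProxyServer")[0]
    except FileNotFoundError:
        server = ""
    winreg.CloseKey(key)
    return {"hosts": hosts_hits, "proxy": loopback_proxy(enable, server)}


if __name__ == "__main__":
    for lineno, ip, name in hijacked_hosts(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} pinned to {ip}")
    print("proxy finding:", loopback_proxy(1, "127.0.0.1:7212"))
```

Run on a clean machine both functions return nothing; on the sample input the three pinned search and social sites and the loopback proxy are reported. Neither check identifies the family, which is the point: the indicators are what a scan can confirm before anyone has put a name to the infection.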

Hold it, Newt

There’s only one (1) thing wrong with all of this diatribe, however: I did not get any, repeat, ANY of the indications listed above for an Antivir Solution Pro (Trojan). It is what Doctor’s of Technology found in their analysis and repair of my infected Win 7 PC. Not saying they were wrong, I, Repeat, I

My friend, Ben, at DoT worked on the PC from the 6th to the 12th before he could completely eradicate the Trojan, it was that fierce and deeply ensconced. It just kept coming back with a vengeance, no matter what he did to dig it out of there. He said it was the Antivir Solution Pro Trojan, not the SIREFEF Trojan, that I originally thought “it” might have been; another wild and wooly “beast” that is going around now (See graphic Last 20 days of vulnerabilities).

He had to completely clean out the PC and then reinstall Win 7 Pro, or so I thought (See below). That’s why I am still behind the power curve right now, I have to re-install all the programs, yet, just to get it back up to speed. Then too, GFI will be calling at noon tomorrow to finally follow up on rectifying the problem. I’ll give you a report on that little encounter, too, of course.

Update: They didn’t find anything on 11/22/11, of course, because Ben had completely reinstalled Win 7 Premium, not Win 7 Pro, like it originally was, and he had just pronounced it “hale, healthy and hearty!” But wait, there’s more to come...

On the 14th of November, GFI Level 2, Caleb, checked my XP Box, because the Win 7 Box was fixed by DoT, of course. It, too, was clean, thank the Lord! Then Caleb checked the Win 7 Box on 11/22/11, and found it clean, as well.

Ben at DoT noted for me on a print-out of the Antivir Solution Pro Trojan (See Description below) and what this Trojan was supposed to specifically do to my Win 7 PC. He also wrote down for me that in my case (and he worked six (6) days on it, because the “stupid” (Not!) thing kept coming back on him) of: 1) DoT Receipt (i.e., work done), and 2) Description of Work Needed on


Page 10 Blue Chips Magazine — December 2011

often seen in rogue AV solutions, says GFI’s Jovi Umawing. It is also often used by phishers for seamlessly redirecting users to phishing pages when they try to visit legitimate ones. “Users are advised to be wary of clicking links in e-mails. If you didn’t contact the party that sent such mails, it’s always best to not bother yourself with them and delete them from your inbox,” he advises. “Be careful with how you do searches online as well, since the criminals behind rogue AV are still banking on the old, yet very effective search engine optimization technique (SEO).”

4. (Latest screamer) Tool to detect Carrier IQ Posted on Help Net Security 12-05-2011 (www.net-security.org/secworld.php?id=12045). Bitde-fender announced the availability of a new tool that identifies the presence of the controversial mobile network di-agnostic tool from Carrier IQ. Dubbed Carrier IQ Finder, the tool instantly determines if the user’s Android device has been equipped with the Carrier IQ tracking package, and if the device is be-ing monitored (See Next Paragraph).

5. Bitdefend-er Carrier IQ Finder reveals t h e p r e s e n c e of the Carrier IQ mobile net-work diagnos-tic tool, Android Market 12-01-11 (https://market.android.com/details?id=com.bitdefender.ciq-finder). Earlier this week, independent developers identified a software package from Carrier IQ shipped within a num-ber of Android-based mobile devices. This piece of software was apparently designed to provide metrics to help mo-bile carriers improve their services, but in some circumstances, the software is not optional and in many cases the users don’t know it’s there, tracking all interactions with their mo-bile phone (My emphasis here). [Supposedly, this very bad hombre is] designed to help mobile carriers solve customer-support and infrastructure issues, the application has been discov-ered to systematically syphon out loca-tion data, keystrokes and other aspects of e-mail and SMS conversations.

6. FYI Enclave Security at: (http://enclavesecurity.com/blogs/)

Administration, and we are committed to protecting our critical infrastructure by taking decisive action against cyber threats,” he said.

2. FYI Here’s an interesting stat: Do a search o n “ 2 5 w o r s t p a s s w o r d s o f 2011 revealed” and you’ll get 18M (that’s an 18

and six (6) zeros) results in 0.18 seconds. OK! Move’n right along...

3. FakeScanti rogue sends us-ers to download additional fake AV solution Posted on Help Net Secu-rity 11-29-2011, (www.net-security.org/malware_news.php?id=1920). Lately, the Blackhole exploit kit has been get-ting a lot of attention, and no wonder - it is continually updated with exploits for various flaws in popular software, and can deliver practically any malware the attackers want it to (Note. My emphasis here, plus, See my story above - the gist of this Security-Related Report #25). One of the vari-ants - named “AV Protection 2011” - has an interesting capability. It modifies the infected computer’s HOSTS file (the file that allows the system to connect host-names to IP addresses) so that when the user tries to visit the Google Search engine, Facebook or Bing, he is redi-rected to a page hosted in Germany that serves up another variant of the same family: The hijacking of the HOSTS file is not unusual behavior when it comes to worms and backdoors, but it not that

couldn’t find anything at all con-cerning exactly what infection I did have, and neither could any of the A /V programs I tried to install to fix the “blasted thing.” Period. Very strange. Remember, too, that The Geek Squad person initially found what he called, the Troj/DwnLdr-JGH Trojan (i.e., that was a Sophos definition. See graphic of Sophos Detailed Analysis)? Oh Well, what the ....?

Page 4, And, the Rest of the Story

1. December is critical infrastructure protection month by Mark Rockwell, GSN 12-01-2011 (www.gsnmagazine.com). President Obama signed a proclamation on Nov. 30 declaring December 2011 as “Critical Infrastructure Protection Month,” adding that cybersecurity remains a key part of that protection. From irrigation to the Internet, said the president, the U.S.’s critical infrastructure supports an incredible array of services and industries that are essential to our continued success and prosperity.... Natural disasters, pandemic diseases, and acts of terrorism are serious risks to infrastructure and the nation needs to be prepared for them, he said.... He noted that the Department of Homeland Security’s “If You See Something, Say Something” campaign has engaged individual citizens and communities across the country (See “Posse” below) to help improve public safety. “All of us have a role to play in strengthening our national security, and together, we are taking steps to foster a culture of resilience,” he said. A large part of that resilience, he said, including the safety of transportation networks, electricity grid, financial systems, and other assets and infrastructure, relies on cybersecurity. “Cybersecurity remains a priority for my

Page 11 Blue Chips Magazine — December 2011

the highly publicized Lockheed Martin, FBI, Sony PlayStation Network and Citigroup breaches. Lesser-known, but collectively damaging, attacks against government agencies were also on the rise, as 2011 ushered in a measurable increase in breaches targeting all organizations. Today’s cybercriminals are banding together - learning from each other, devising new ways to attack our security defenses and wreaking havoc on their targets, as well as entire industries. In the last six years, we have witnessed year-over-year growth in the scope and impact of breaches. As a result, many are left wondering if the good guys stand any chance against these cybercriminals.

As the Founder and CEO of Wisegate, a private online community for senior-level IT executives, I have the privilege of working with some of IT’s best-and-brightest security professionals, with a ringside seat to the private discussions that unfold in the aftermath of these attacks. Our members, CISOs and senior security practitioners from brand-name companies and government agencies, come together to debate these issues. One solution to this growing problem stands clear - collaboration. If the bad guys are getting better at collaboration, so must the good guys.

In a recent Wisegate poll, 81 percent of senior info security respondents agreed that “Infosec professionals collaborating more to outsmart hackers” was the preemptive measure that would have the greatest potential to reduce the frequency and scope of hacker attacks. I like the idea of fighting crime through collaboration, which is not a new idea. It reminds me of stories told about the Wild Wild West. After all, what’s going on with hackers today is a lot like what the ranchers of the 19th and 20th centuries faced with cattle rustlers. As the West was settled and cattle ranching flourished, rustlers showed up, banded together and stole cattle. It was a serious problem. In order for any of the ranchers to survive, they had to join together - even though some of them were competitors. They realized that no one rancher had enough manpower to deal with roving bands of rustlers; they needed to create a force that was greater than

has some interesting security stories (including paragraph 3 above) largely reproduced from the DHS Open Source Daily Report, a full version of which can be found at: (http://www.dhs.gov/files/programs/editorial_0542.shtm).

FYI, one of the “most important and informative blogs” I know of is the GFI Labs Blog at: (http://sunbeltblog.blogspot.com/). BOOKMARK THIS ONE FOR SURE!

7. Defeating hackers: Collaboration as the best defense by Sara Gates, GSN Magazine, 12-05-2011 (http://by159w.bay159.mail.live.com/default.aspx?wa=wsignin1.0#!/mail/InboxLight.aspx?n=1098830669!fid=1&fav=1&n=1547930545&mid=18ebeafa-1f46-11e1-b842-00215ad99f24&fv=1). 2011 was a banner year for security breaches, including

that of their enemy. They couldn’t go it alone. The ranchers fought the rustlers through collaboration [Posses?] and it worked. The ranchers put a serious dent in the rustling. They even retrieved a lot of stolen cattle. And when the rustlers saw that stealing cattle was no longer easy, they started looking elsewhere to cause trouble.

Fast forward to today. Cybercriminals are using significant intelligence-gathering techniques and coordinating their efforts to get information about the consumers and sensitive data the good guys are trying to secure (See also below). Jeff Bardin, who has held top secret clearances while breaking codes and ciphers, and performed Arabic language translations while serving in the U.S. Air Force and at the National Security Agency, tells us that “Cybercriminals will examine Facebook, LinkedIn, YouTube sites, anything they can think of to gather info that they can use to find ways into corporate environments to get at valuable data.” And, today data is equal to what cattle represented in the Old West - money. Also, Phil Agcaoili, chief information security officer at Cox Communications, a founding member of the Cloud Security Alliance and co-chair of the FCC CSRIC Cyber Security Working Group, believes there is a strong correlation between the increase in - and sophistication of - security breaches and the coordination of today’s hackers. He says, “They’ve

Page 12 Blue Chips Magazine — December 2011

using the Internet one of his “44 ways to support jihad” in propaganda writings. Islamist groups continue to produce extremely well-crafted anti-Western video montages using online technology.

[Update: The New York Times reported Al Awlaki (April 22, 1971 - September 30, 2011) plus some of his companions, were apparently killed [while accidentally driving a vehicle into a malfunctioning practice missile which was jettisoned from a CIA UAV?] in the northern deserts of Yemen. Source: (http://www.nytimes.com/2011/10/01/world/middleeast/anwar_al_awlaki_is_killed_in_yemen.html?pagewanted=all)]

The Web’s use, said Bardin, by the groups is widening into social media, from Tweeting to socializing on Facebook. Both are central to worldwide jihadist communications, he said.

Note: Lori Fena, on privacy: “Internet: Nobody knows you’re a dog. Facebook: Everyone knows you’re a dog.”

One of the more dangerous developments in recent months, Bardin said, is the use of online gaming platforms like World of Warcraft and even U.S. Army online video games. World of Warcraft, with its maps and strategies and its solid overarching security, can provide a place where real-life attacks can be planned, he said. Participants can use benign terms associated with the game to plan real world ambushes, or even larger attacks, he said. “Online gaming is secure by definition. They’re starting to move this way,” he said of Jihadists.

Some jihadists have used U.S. military war-fighting simulation platforms to reconstruct specific attacks, improve their tactics and observe how U.S. military tactics are used.

However, he said, the technology they have cleverly adopted can be turned against them. For instance, those trying to thwart Jihadist activity have adopted

really gotten together, shared what they know, and have done a good job of joining forces to attack the defenses that our security experts are building in cyberspace.”

Senior IT executives agree (Me, too! Emphasis here mine) - it’s time for the ranchers and cowboys of information security to band together, armed with their collective brainpower, to outsmart the bad guys. Just like in the old days, there’s power in numbers.

Comment. Personally, I think we all should join the Posse and forcibly take back “Our Precious Wild, Wild West!”

8. And now, we bring you some “Bad News” and some “Good News”: Cyber jihad takes many electronic forms, says expert by Mark Rockwell, GSN Magazine 09-19-2011 (www.gsnmagazine.com/article/24562/cyber_jihad_takes_many_electronic_forms_says_expert). Despite their aversion to the West, radicalized Islamists use western software and social media to spread their message in increasingly sophisticated ways, said a security expert at the ASIS 2011 show. Many radical Islamist Web sites, said Jeffrey Bardin, chief security strategist at security consultancy Treadstone 71, use Vbulletin, a common commercial Internet forum software produced by subsidiaries of Internet Brands. The software is either bootlegged, or paid for with stolen credit card numbers, said Bardin, who has worked with the FBI to gather information on radicalized Islamist elements on the Web. He said Al Qaeda in the Arabian Peninsula’s Anwar Al Awlaki has made

false identities, backed those IDs with false histories and associations, and surreptitiously entered and “friended” jihadists on Facebook. The association allows observation and information gathering on an intimate level. More directly, Tweets from a Jihadist can be almost mirrored with look-alike Tweets from someone sending Western information or propaganda to match the original Tweet. Such disinformation tactics can be frustrating to the original “Tweeters” and confuse those following them, he said.

9. And lastly we have: The state of information security: What government agencies can expect in 2012 by Adam Powers, GSN: Government Security News, 11-08-11. From WikiLeaks to Anonymous, 2011 has been marked by an explosion of high-profile cyber attacks. With so many types of attacks to keep track of, it has become difficult to delineate between various threat vectors and determine which ones should be of most concern. In the past, attacks were often classified by the method used -- virus, botnet, etc. However, due to their ever-increasing sophistication, it is now more valuable to think in terms of the motivation behind attacks to better evaluate their risk. The sections below classify and describe today’s most prominent types of attacks based on their risk levels, and also examine how risk will evolve in 2012.

The future of security. This year has taught us that the targeted, highly motivated attacker is real. Expect to see the steady stream of high-profile attacks continue, if not increase, in 2012. While advanced persistent threats (APT) [graphic caption: “2012 Forecast: Trending Up”] will remain highest on our radar, [all] other attacks discussed ... will also steadily proliferate moving forward (with the exception of fully automated attacks (FAT)).

Page 13 Blue Chips Magazine — December 2011

Summary (See previous graphic and graphics on pages 14 through 24.)

“Sleep tight! Don’t let the ‘bedbugs,’ worms, Trojans, virusi, phishers, bots, Denial-of-Service (DoS) attacks, terrorists, et al., bite!”

See you at CES 2010, Happy Holidays, everyone!

Ciao!

Footnotes

1 If you are reading this Review directly off of an Internet search, you are seeing it in HTML (or text) format. Yuk! There’s No Graphics there! To see all the beautiful Graphics in this Review - the ones that we’ve worked so very hard to entertain you with - you will need to follow the procedures outlined in Footnote 2 below. Enjoy! Again, our web page (www.ucs.org).

2 See the actual Reports/Reviews in the Blue Chips Magazine (BCM) Archives (i.e., begin search on left-hand side of web page) at (www.ucs.org).

Note. Always choose the center option, i.e., PDF format for its beauty.

3 Feature(s) precisely identified as reason(s) for designating this Review/Report as “Security-Related.” In this case, everything.

4 My Hard Earned Byline: Happiness Is A Working Computer (HIAWC).

5 What this infection does: When Antivir Solution Pro is running it will state that most programs are infected when you attempt to run them. The text of this fake infection alert is:

Application cannot be executed. The file notepad.exe is infected. Do you want to active your antivirus software now?

It does this for two reasons. The first is to make you think that your legitimate, and clean, programs are infected so that you will then purchase the rogue. The second reason is to block you from running any legitimate security programs that may help you remove this infection.

While Antivir Solution Pro is running it will also show you fake security alerts that attempt to further scare you into thinking you have an infection on your computer. These alerts will state that active malware has been detected or that your computer is under attack. The text of these alerts is:

Windows Security Alert Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus Software Alert Infiltration Alert Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan [sic] - dropper or similar.

Just like the other false infection alerts, these warnings are all fake and should be ignored. Last, but not least, Antivir Solution Pro will also configure your computer to use a proxy server at 127.0.0.1:5643, which is actually the Antivir Solution Pro program itself. This makes it [think] that when you browse the web using Internet Explorer, the rogue will intercept all your web browser requests and instead display a page that shows a security warning about the site you are visiting. This warning states:

Internet Explorer warning - visiting this site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity
There might be an active spyware running on your computer

These warnings should be ignored as they are false. If you use a browser other than Internet Explorer you will not see the warnings at all and can browse the Internet like normal.

Without a doubt, Antivir Solution Pro was created solely to trick you into purchasing the program by convincing you that your computer has a security problem. Now that you know what this program does, it goes without saying that you should not purchase this program for any reason. If you already have purchased it, then we suggest you contact your credit card company and dispute the charges.
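Two of the tampering behaviours described in this Report (the HOSTS-file redirection of Google, Facebook and Bing in item 3, and the loopback proxy at 127.0.0.1:5643 in footnote 5) leave traces a defender can check for. The script below is an added example, not code from the Report or from any of the cited articles; the watched-domain list, the sample HOSTS text and the 203.0.113.10 address (a documentation-range placeholder) are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption: the sites the rogue in item 3 is described as redirecting.
WATCHED_DOMAINS = {
    "google.com", "www.google.com",
    "facebook.com", "www.facebook.com",
    "bing.com", "www.bing.com",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS-file text, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # an address with no names
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed address field
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def find_hosts_hijacks(text: str) -> Dict[str, str]:
    """Watched hostnames pinned to a real (non-loopback, non-null) address."""
    hits = {}
    for ip, name in parse_hosts(text):
        if name in WATCHED_DOMAINS:
            addr = ipaddress.ip_address(ip)
            if not (addr.is_loopback or addr.is_unspecified):
                hits[name] = ip                  # e.g. a redirect to an attacker host
    return hits


def is_loopback_proxy(proxy_server: str) -> bool:
    """True if a browser proxy setting such as '127.0.0.1:5643' points at the local host."""
    host, _, port = proxy_server.rpartition(":")
    if not host or not port.isdigit():
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"


# Constructed sample: one normal entry, one ad-blocking entry, two tampered lines.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
0.0.0.0         ads.example.invalid   # legitimate blocking entry, not a hijack
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
"""

if __name__ == "__main__":
    print("HOSTS hijacks:", find_hosts_hijacks(SAMPLE_HOSTS))
    print("Loopback proxy:", is_loopback_proxy("127.0.0.1:5643"))
```

On a Windows machine the text for parse_hosts would come from %SystemRoot%\System32\drivers\etc\hosts and the proxy string from the browser's connection settings; an entry like 0.0.0.0 is deliberately not flagged, since blocking a name is not the redirect the rogue performs.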

6 GOD Bless America!

7 For additional security information please refer to the May 2008 BCM Security-Related News and Views 101 Report 1 & 2, as well as all the other Security-Related Reports 1 & 2 in the series I’ve been sharing with you here over the years in BCM.

Note. I invite you to pay particular attention to the 2008 series: Encryption - What’s That Report 1 & 2 (July 2008); Encryption - Why Report 1 & 2 (August 2008); Security News n Views Part 2 Report 1 & 2 (September 2008); and, Security News n Views Part 3 Report 1 & 2 (November 2008).

[Pages 14 through 24, Blue Chips Magazine — December 2011: graphics only (the screenshots referenced in the Summary above); page 17 is marked “Censored”. No text was extracted from these pages.]

Page 25 Blue Chips Magazine — December 2011

Utah Blue Chips Calendar, December 2011, January 2012

UCS Board of Trustees: C&C Bldg., Room N3005, 6:30 p.m.
UBC General Meeting: U of U, 7:00 p.m.
Magazine Deadline: TBA

Blue Chips — Utah’s Computer Guide in the 21st Century