In this Candid Camera Prank attack, someone posts fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not display the video but instead takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk but your Facebook account is now used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that try to directly attack your computer. But more and more have largely moved their attacks to social media. Their attacks depend more on you to fall for a trick, giving them an inlet to your network. Facebook, MySpace and other social media sites are very powerful and important tools but the same things that make them valuable to you also make them easy avenues to use for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the ratio is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilence and paranoia are the word of the day. No matter how good your technical defenses are, you can not rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.

SQL stands for Standard Query Language and is the code that almost all databases use when answering your questions. SQL is what brings up your account when you log onto your bank to see your latest statement. Any but the most rudimentary website uses a SQL database to hold, sort and present the content to you, the reader.

As long as the user plugs in things that make sense (like a name into the username field), the query will run properly and will return only the results for your account. But what happens if you type something unusual into that field? What if you put in an account number instead? If the website was well-designed, the request will simply fail. If, however, the website was not designed properly, the computer may return something – but it won’t be anything that you intended.

For example, a hacker might try typing ' OR 1=1 -- into a date field. The “OR 1=1″ part will always be true. The -- characters tell the computer to consider everything after as a comment (that is, a note the programmer left to him/herself as an explanation of the code). The result is a request for all lines of data where the first part is true. But 1=1 is always true so the computer spews out all the data in that table. Not only does the hacker get his own account details, he gets yours and everyone else’s as well.

Other commands can be crafted to modify data, add tables, execute commands, etc. If a site is vulnerable to a SQL-injection attack, there is little that the hacker can’t do.

How do you stop it? The easiest way to prevent a SQL-injection attack is to design your application to validate its inputs. The username field should have only text characters (or maybe also some numbers but nothing that looks like computer code), the credit card number field should only accept numbers, etc. Define the acceptable character sets and enforce those whitelists. Force the inputs to conform to specific patterns when special characters are needed (i.e. dd-mm-yyyy). And validate the data length of all inputs.

These are all basic checks that the folks building your website should be making. Put the IT processes and controls in place to make sure that they are building you a quality product and won’t leave your data vulnerable to the world.

By the way, to test whether a site has their own security in place, type something unusual into a field and see what happens. If you get a simple error telling you the allowable format (or if the computer simply rejects the request), you’re probably okay. If you see a lot of computer gobbledy-gook, you might not want to let that company have your confidential data.

Some background – I maintain the beekeepers’ website for them and host both that site and this one through a third-party provider. And while I do all of the writing for the infosec blog, I have a couple of other beekeepers who were helping to maintain the beekeepers’ site. It’s all volunteer work and I’m so glad for any help I can get that it’s hard to impose a lot of strict standards or hurdles. Besides, who cares about hacking a beekeeper club’s website?

Apparently lots of people.

It’s unlikely that we will be able to prove exactly how the hacker got in but it was almost certainly a scripted attack – a robot run by a hacker against anything he/she could find vulnerable – not a targeted attack. (For example, the hacker vandalized only pages titled index.htm, the standard name for a site’s home page, and none of the pages which had human-created names. Any targeted attack would have overwritten the other pages as well. Not only would it be more pages hacked but the vandalism might go unnoticed longer.) Our best guess is that the hacker go in because we weren’t careful enough about passwords. One of my authors had a password the same as his username. Even a kiddy-script can test for passwords that easy.

Lessons Learned:

• Any site is vulnerable even if you don’t think that anyone would bother with little old me.
• Passwords are important, even when you think they aren’t.
• Volunteer time is valuable but only if it’s the right volunteer. Even if his/her heart’s in the right place, sometimes that time is more expensive than it’s worth.
• Internal segmentation would have limited the damage. Merged accounts makes it easier to manage the domains but separate accounts would have kept the hacker from “promoting” himself across to the other accounts so easily.
• Monitoring is a good thing. In my case, it was dumb luck. My wife has the site as one of her home pages and noticed it as soon she logged on in the morning.
• Good backups make repairing the damage easy. My backups are automatically managed through third-party host and they do an excellent job. Once we discovered the vandalism and collected the evidence, the act of repairing the vandalism took mere minutes. I wish I could take credit for it but I got lucky and picked a good vendor.

Anyone can get hacked. Do what you can to minimize your chances, discover it quickly and plan so the costs to repair are low. I can’t say that I’m proud of this post but I do hope that you can learn from my mistakes.

If you run a small business with a network (that is, anything more than one computer and your credit card reader), read Mary Brandel’s recent article in CSO Online about the Dos and Don’ts of selecting an anti-virus solution for your enterprise. The short version is that there is a lot more out than just anti-virus these days. Look around for a good package that does more than just virus-checking. That was good enough a few years ago but not any more.

You may also be able to save some money by buying an integrated package and consolidating your security products some.

On point worth mentioning: Brandel is a fan the use of whitelists but I’m not so sure. Whitelists are lists of applications which are allowed to run in your environment. If you have a comprehensive list, then anything not on the list must be malicious and gets blocked. In theory, it’s a great idea. In practice, it requires a great deal of control to build and maintain that list. In a dynamic, small business, you may lose some flexibility.

Her other points (especially the one on page 4 about malware removal) are spot-on.

Corporate examples of web filters include Websense and OpenDNS. Home tools might include NetNanny or CyberSitter.

All of these tools work by building long lists of webpage addresses and categorizing each site. Amazon gets classed as a shopping site, Playboy as adult content, YouTube as streaming media, ESPN as a sports site and the local high school as an educational institution. When a user attempts to go to a webpage, the URL is compared to the filter’s master list. If the URL is on the list and allowed, the content flows through to the user’s browser. If the URL is in a blocked category, the user gets an error message on his/her screen instead.

There might be as many as a hundred different categories. You decide whether to permit or block each category on the list based on the risks to your organization including the risk that you will interrupt the business accidentally. Block too much and you’ll find that you’ve gotten in the way of business. Or that you’ve cut off some service that your younger employees take for granted, hurting morale and making retention more difficult. Don’t block enough and you increase legal and employment risks unnecessarily. And no matter how much or little you block, there will always be some false positives – legitimate sites that are mistagged by the vendor. (Breast cancer research sites, for example, are frequently mistagged as adult content.)

The problem now is that the hackers are starting to find ways around the web filters. Inappropriate sites are often up for only a short while, then moved to a new address faster than the filter-makers can update their lists. Inappropriate content is also hidden on hijacked sites that some legitimate business or person failed to properly protect. No matter how hard they try, some inappropriate sites can always slip through. (For more about the limitations of web filters, read this article from CSOonline.)

Even with those limitations, I strongly recommend that every organization install a webfilter to stay safe from hostile workplace suits and other employment risks. It won’t be perfect but it’s still an important part of your layers of defense. I also recommend that any parent with children still living at home install a filter. Kids may seem very web-savvy but they still don’t know how to fully protect themselves from strangers, hackers and other age-inappropriate content. Help to protect them from themselves.

Patches fix holes in the vendor’s software and keep hackers from being able to walk through the back door of your system. Applying patches is important. Security vendors want you to apply the patch immediately in case the hackers are pounding on your door right now. Every minute you wait is a minute of exposure.

But most of us don’t apply the patches immediately. It takes your IT shop a few days of testing to make sure the patch won’t break something else and to tweak the network so everything runs properly again. With so many companies ignoring the vendors, why haven’t we had a catastrophic zero-day attack yet?

The truth is that most responsible IT departments use a layered approach to security. They have tools and policies that will generally keep out the malicious software for long enough for IT to complete the tests and apply the patches in an orderly fashion.

So who does get hacked? According to a recent Verizon report, nine out of ten data breaches could have been prevented if the company had taken reasonable security measures, most often applying patches that had been available for years. As Brenner points out, why should a hacker bother to write a complicated new virus to exploit the latest hole when you can still make money walking through holes that should have been patched four years ago?

If you have a solid approach to computer security, you can take the time to test the latest patches properly. On the other hand, if you don’t have a dedicated IT team, you probably also don’t have the staff to conduct the testing so you should set the patches to automatically update themselves.

Of course, if you’re not guarding your infrastructure with the basics (strong passwords, current anti-virus and anti-spyware, firewalls, up-to-date on patches even if not up-to-the-minute, etc.), you need to start now.

One of the lawsuits specifically charges Texas-based Branch Software with involvement in the “Registry Cleaner XP” scam. A number of other “john doe” lawsuits were filed in an attempt to learn the identities of the individuals responsible for marketing other scareware products such as WinDefender, XPDefender, Antivirus2009 and Scan & Repair Utilities.

Kudos to Microsoft for finally attempting to do something about these scammers. Now if they’d just reset the defaults in their own software so it wasn’t so vulnerable in the first place…

Until they do, make sure you keep your computer fully patched, never bypass the firewall and be cautious of any suspicious links or pop-ups – especially ones telling you that your computer needs fixing.

If your office has an IT specialist, make sure he/she is signed up for regular alerts about the latest technical security vulnerabilities. These alerts will help you prioritize which patches need immediate remediation and which can wait while you test them for unintended consequences. Here are a few that I’ve found to be reasonably thorough:

• US-CERT (US Computer Emergency Readiness Team)
• Internet Storm Center (a service of SANS.org)
• BOL Tech Talk (a service of BankersOnline.com)
• Internet Security Systems’ X-Force Threat List (recently purchased by IBM)

If you don’t have someone who can watch and evaluate these notifications, you probably need to set your patches to automatically update themselves and hope that the patch doesn’t break anything else accidentally.

A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In the old unix terms, this was called ‘root’ access – the equivalent level of authority in Windows is ‘administrator’.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can’t.

Rootkits are also different in that they generally limit themselves to seizing and holding control of one system – a virus, on the other hand, is will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.

Rootkits frequently masquerade themselves as other files and/or deliberately hide files from programs that are used by legitimate administrators to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.

Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers’ computers to exploitation by anyone who knew to look for the backdoor the rootkit created.

To defend against rootkits:

• Practice safe surfing – don’t go to virus-infected websites. Music-sharing, video, software, porn, hacker and other ‘gray’ websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, “there ain’t no such thing as a free lunch“. If they’re not making money through sales or advertising, they’re probably getting something else out of the deal – don’t let that something be your computer.
• Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
• Keep all the applications on your computer fully patched.
• Keep your firewall turned on and locked down as far as you can go. This won’t necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
• Turn off your computer when you’re not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn’t exposed to exploit while it’s turned off.
• If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they’re that hard to get rid of.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you’re going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer’s defenses every day but many of those updates can’t take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

Spoofing of the Microsoft Malicious Software Removal Tool (MSRT) is particularly common but all the Microsoft updates have been spoofed in one form or another.

In one recent case, the spoof was triggered by infected ‘friend’ requests on MySpace. Users triggered the trap when they went to check on the profile of the person trying to befriend them. If you are a MySpace or Facebook user, beware of friend requests from people you don’t know and be cautious when surfing other people’s profiles.

If you get a request to update software on your work computer, ignore it unless you also received an email from your IT department explaining the update. If you receive the pop-up on your home computer, go to your Control Panel and look for the Security Center. Once there, initiate the check for updates yourself rather than trusting the pop-up. Never click a pop-up that shows up on your computer unexpectedly.