tech|sphere

anything and everything that interests me…

Archive for the ‘Security’ Category

Why are unverified torrents unsafe?


Many torrent search and distribution websites (such as mininova.org and torrentz.com) mark some of their torrents as “verified” (look for the green check mark). By definition, a verified torrent comes from a trusted source that shares legitimate files. Note that only torrents from known release groups are marked as verified, not every torrent on the site.

As most users know, you can inspect the contents of a torrent when you open it in a BitTorrent client. What many people don’t realize is that even if the torrent contains nothing but a single video file (a 700 MB file if you are downloading a standard DVD rip) and no executables, you are still potentially at risk. The video, if opened in Windows Media Player, can redirect you to an arbitrary website and drop a trojan onto the computer. Here is how it works:

1. User downloads a movie file (.avi) using Bittorrent.

2. User opens it in some other media player (say, VLC). Instead of any video content, the clip usually just displays the message “Use Windows Media Player”.

3. That message would only make a technically minded user suspicious. Most users will simply do what it says and open the file in Windows Media Player without a second thought. Let’s assume the user does exactly that. And that’s basically it: the user has been framed.

4. The file abuses a weakness in Windows Media Player and opens an illegitimate website (wmvlicense.com in my test case) in the default browser, pretending that it is downloading the license needed to play the video. The website then asks the user to download (or starts downloading automatically) a “codec upgrade/installation” file, which actually turns out to be a trojan!

How does it exploit Windows media player’s weakness?

Normally when a user tries to play a protected Windows media file, and a valid license is not stored on the computer, the application will look for it on the internet, so that the user can buy access to copyright-protected content. This new technology is incorporated in the latest Windows Media Player 10 update as well as XP SP2.

If the user runs a video file that is infected by one of the “DRM Trojans”, they pretend to download the corresponding license from the net. In reality users are redirected to sites that take advantage of Windows vulnerabilities to download spyware, adware, premium-rate diallers and other viruses onto victims’ machines.

source: http://www.theregister.co.uk/2005/01/13/drm_trojan/
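The steps above and the Register excerpt describe the same mechanism: the player finds a DRM header in the file and opens whatever license-acquisition URL that header names. The following is an added example, not code from this post; it assumes the “.avi” is really an ASF/WMV container carrying such a header, and it shows what a download scanner could extract and flag before any player opens the file. The object GUIDs and field layouts follow the ASF specification; the sample file and its URL are constructed here for the test.

```python
import struct
import uuid

ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")  # GUIDs from the ASF spec,
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")  # stored little-endian
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")  # WMDRM XML header

def is_asf(data):  # a genuine AVI starts with b"RIFF"; ASF starts with the Header Object GUID
    return len(data) >= 30 and uuid.UUID(bytes_le=data[:16]) == ASF_HEADER

def _blob(buf, off):  # little-endian DWORD length, then that many bytes
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def license_urls(data):
    """Return every DRM license-acquisition URL embedded in an ASF/WMV header."""
    if not is_asf(data):
        return []
    (count,) = struct.unpack_from("<I", data, 24)
    urls, off = [], 30                 # GUID(16) + size(8) + count(4) + reserved(2)
    for _ in range(count):
        if off + 24 > len(data): break  # truncated header
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        body = data[off + 24:off + size]
        if guid == CONTENT_ENCRYPTION:       # secret data, protection type, key id, URL
            p = 0
            for _ in range(3): p = _blob(body, p)[1]
            url, _ = _blob(body, p)
            urls.append(url.rstrip(b"\0").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION:  # UTF-16 WRMHEADER holding <LA_URL>...</LA_URL>
            text = _blob(body, 0)[0].decode("utf-16-le", "replace")
            s = text.find("<LA_URL>")
            if s != -1:
                urls.append(text[s + 8:text.find("</LA_URL>", s)])
        off += max(size, 24)               # never loop forever on a zero-sized object
    return urls

def triage(filename, data):  # findings a download scanner can raise before the file is opened
    out = [f"player would request a 'license' from {u}" for u in license_urls(data)]
    if is_asf(data) and filename.lower().endswith(".avi"):
        out.append("extension says AVI but the container is ASF/WMV")
    return out

def build_sample(url=b"http://wmv-license.example.invalid/codec"):
    # Constructed test input, not a real sample: one ASF header with a DRM v1 object.
    obj = b"".join(struct.pack("<I", len(v)) + v for v in (b"", b"DRM\0", b"KEY\0", url + b"\0"))
    obj = CONTENT_ENCRYPTION.bytes_le + struct.pack("<Q", 24 + len(obj)) + obj
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `triage("Movie.DVDRip.avi", open(path, "rb").read())` on a freshly downloaded file; a non-empty result is reason to delete the file rather than open it in any player.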

The illegitimate website (that I was redirected to in my experiment) branded itself as a Microsoft website and even used the usual blue theme of microsoft.com. However, I found out that the website actually used PHP and not ASP.NET, and that was fishy enough for me not to download anything; McAfee Site Advisor confirmed it here.

My software development background helped me uncover the mini-monster, but everyday users can turn to the McAfee Site Advisor service before downloading anything in tricky situations. McAfee and other anti-virus companies maintain lists of websites and mark them as bad if they host spyware, viruses, trojans, etc. Installing McAfee’s in-browser toolbar or checking a website’s reputation online might help a few, if not many.

Safe surfing/downloading!

The Trojans have been detected in video files with extremely variable names circulating across P2P networks such as KaZaA or eMule. File traders beware.

Written by Waqar Aziz

September 13, 2009 at 12:23 am

The Exaggerated Fears of Cyber-War


A very interesting point of view presented by Bruce Schneier. A good read indeed!

Good article, which basically says our policies are based more on fear than on reality.

On cyber-terrorism:

So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; “cyber-squads” typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we are yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand.

On cyber-war:

Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia’s ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government’s reliance on the Internet and underestimates how much international PR — particularly during wartime — is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks — particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The real risk isn’t cyber-war or cyber-terrorism, it’s cyber-crime.

via Schneier on Security: The Exaggerated Fears of Cyber-War.

Written by Waqar Aziz

September 4, 2009 at 1:00 pm
