Sunday, July 8, 2012

The internet will die tomorrow!

Panic!
The internet will die tomorrow! (Monday July 9, 2012)

Maybe. But not likely for you. It affects 0.02%(1) (that’s 1 in 5,000) of users in the world. Only 27%(2) of the total are in the US, and since the US has a high percentage of the world’s users, your chances are even lower.

What happened?

A few years ago some bad guys infected some users’ computers and changed their DNS settings. The DNS system tells your internet connections where to go when you type an address such as “google.com” in your browser. Rather than using the legitimate DNS servers, an infected computer gets its directions from the bad guys’ servers. When you typed “google.com” (or any normal address), they would actually send you to Google. However, when the page Google returned told your browser to go and fetch an ad, they would redirect that request to their own ads, so they made money.

Pretty soon the global police forces found the bad guys and took over their system. But they realized that if they shut it down cold, no one who was infected would get to Google when they typed “google.com.” So … our FBI has, for several years, paid a private company to run the bad guys’ servers and to serve up correct information.

Why will the internet die?

Now the FBI has stopped paying this bill and 250,000 computers won’t be able to find Google, or any other named domain, until they fix their settings.

Am I infected?

Probably not. See the first paragraph above.

A site that will give you a quick “yes” or “no” is at www.dns-ok.us, but with some caveats. The FBI also has a 6-page .pdf(3) explaining how to check your own DNS settings. It’s tedious, but detailed enough that anyone reading this can follow. It also points out that your computer can have an apparent safe setting while your router is infected.
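As an added example (not from the original post or the FBI’s document): a small Python check that reads the resolvers a Linux or Mac computer is configured to use and compares them against a list of rogue resolver ranges. The ranges in the code are placeholders, an assumption of this example; take the real ones from the FBI’s PDF. Remember the caveat above that a clean-looking computer may still sit behind an infected router: if the only resolver listed is your router’s address, the router’s own DNS settings need checking too.

```python
import ipaddress
import re

# PLACEHOLDER ranges (an assumption for this example, not the real DNSChanger
# ranges): fill in the rogue resolver ranges given in the FBI's PDF before use.
# These two are IANA documentation-only networks, so they never match a real resolver.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text):
    """Return every valid 'nameserver' address in resolv.conf-style text."""
    servers = []
    for match in _NAMESERVER_RE.finditer(text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed entry; the system resolver ignores it as well
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Return (as strings) the resolvers that fall inside any rogue range."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text):
    """Parse, then compare; an empty list means no resolver is in a rogue range.
    If the only address listed is your router (often 192.168.x.1), the computer
    looks clean but the router's own DNS settings still need checking."""
    return rogue_resolvers(parse_resolv_conf(text))


# Constructed sample input: one public resolver, one inside a placeholder range,
# and one malformed line.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.invalid
nameserver 8.8.8.8
nameserver 192.0.2.45
nameserver not-an-ip
"""

if __name__ == "__main__":
    # On a real host, replace SAMPLE_RESOLV_CONF with open("/etc/resolv.conf").read().
    hits = check_resolv_conf(SAMPLE_RESOLV_CONF)
    print("Rogue resolvers found:" if hits else "No rogue resolvers found.", hits)
```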

References

(1) – Article on Time Techland. The best non-tech explanation I saw.
http://techland.time.com/2012/07/06/dnschanger-no-the-internet-isnt-shutting-down-on-monday/

(2) – Infection count by country, as of 6/11/12


 Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(c) 2011 Bill Barnes - Disclaimer - Home Page - Blogs Home

Saturday, July 7, 2012

Should I open this email?

A client asks:
I received an email from someone I don’t recognize. The email had an attachment (document) he wanted me to evaluate. Do I dare open the attachment? Is there any way I can do so and guarantee it is not a virus?

Basically, no. You can’t guarantee it’s benign.

In this sort of circumstance, either as sender or recipient, I try to validate the legitimacy of the contact. In the text of the email I identify myself and the attachment by filename and size. Sometimes I will make non-email contact to alert the recipient or verify the sender. Unless you or the data on your system are particularly high value, it’s unlikely a random attack would take the effort to pass these tests.

If you can’t make this “out of band” contact and still want to open the message or its attachment, there are some unilateral assessments you should make first. Start with the anti-spam / anti-phishing / anti-virus triggers you apply to every subject line, message, and attachment.
In the preview, before you open the email:
•    Are you expecting this?
•    Do the From and To addresses look reasonable? For example, do names look random or made up, are there multiple similar addressees at the same domain, or is your exact address missing from the list? If it refers to an account, especially a financial account, and is not directly and exclusively addressed to you, it’s probably a phishing attack.
•    Is the subject line meaningful and relevant?
•    If it refers to an “issue with your account,” does it identify the account or describe the problem?
•    Does the content apply to you? (Immediately trash a notice from BigBank if you don’t do business with them.)
•    Do the grammar, writing style, and content ring true to the request? If it comes from someone you know, do the style and content match what they usually send?
•    Are there excessive links, and do they connect to what you expect? Hover your mouse over the link and look at the entire URL. Work back from the first “/” after “http://”. A link of “http://BigBank.com.BadGuys.ru/...” will actually take you to BadGuys’ site. While you’re looking at the links, pay attention to the top-level domain (TLD): the letters to the left of that “/” back to the first period, classically “.com” or “.org”. The “.ru” in the example above refers to Russia, which, along with China, is a common starting point for malware. This is a minor indicator, as bad guys can buy a .com and good things can come from unexpected countries; for example, bit.ly (a useful URL-shortening service) uses “.ly”, which stands for Libya. (http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Country_code_top-level_domains)
•    Are the attachment’s name and file type what they appear to be? It’s an old trick to name the attachment “CuteKitty.jpg” and then pad the name with many spaces before the actual functional name of “…virus.exe”, which falls off the edge of the page.
•    Is it delivered primarily as pictures? Your previewer should be set not to download pictures automatically, but only on your request. Downloading the pictures can deliver malware and return significant tracking information about you. If you can’t comprehend the gist of the message from the text, it doesn’t deserve further analysis.
•    Look at the source of the message. In Microsoft Office (retail) Outlook, right-click on the message and choose View Source. This is very geeky and includes a lot of garbage, but with experience you may be able to spot something suspicious. Backtracking the internet headers is even more obscure, but it can reveal that the sender is not who he appears to be.
•    Did it pass your up-to-date virus and spam checker? Antivirus programs often remove the malware attachments and deliver a message that contains very little text. There’s usually a good reason for it to be labeled spam.
•    Right-click the attachment and save it to a temporary folder on your computer or sacrificial thumb drive. Run an on-demand virus check on it.
•    Be sure all your viewing software is up-to-date. There is often a “check for updates” option under the Help or Tools menu or you can go to the publisher’s website. Especially visit adobe.com, java.com, and microsoft.com at least monthly to check for updates for Adobe Reader, Flash Player (hopefully, you’ve never installed Shockwave Player), Java, and Windows.
•    Open the attachment in less common programs. For example, use Foxit Reader (www.foxitsoftware.com) for PDFs rather than Adobe Reader, or send office documents to Google Documents (docs.google.com).
•    Open the attachment on a Linux or Apple computer, as malware is often (but not necessarily) Windows-specific. You can get a CD to boot your PC directly into Linux. Everything runs in memory, and when you reboot there’s no record (and hopefully no residual evil) from what you just did.
•    If this were a legitimate email and you trashed it without opening it, would it really cause any problems?
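Two of the checklist items above can be applied by a program rather than by eye: where a link really goes (the “http://BigBank.com.BadGuys.ru/...” case) and whether an attachment name hides its real extension behind a run of spaces. This is an added example, not code from the original post; the rule that the resolving domain is the host’s last two labels is a simplification assumed here, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Simplification (an assumption for this example): the domain that resolves is taken
# to be the last two labels of the host, which is right for badguys.ru or bigbank.com
# but not for two-part suffixes such as .co.uk.


def link_destination(url):
    """Work back from the first '/' after the scheme: the host is what the browser
    connects to, and the TLD is the label after the host's last '.'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".") if host else []
    return {
        "host": host,
        "tld": labels[-1] if labels else "",
        "resolves_to": ".".join(labels[-2:]),
    }


def looks_like_spoofed_brand(url, brand_domain):
    """True when the brand's domain appears in the host but is only a subdomain
    of some other domain, as in http://BigBank.com.BadGuys.ru/..."""
    dest = link_destination(url)
    brand = brand_domain.lower()
    return brand in dest["host"] and dest["resolves_to"] != brand


# Extensions Windows will execute directly; a heuristic list, not exhaustive.
RISKY_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}


def attachment_check(name):
    """Report what the name looks like, its real extension, and whether runs of
    spaces push that extension past the edge of the display."""
    padded = "  " in name
    displayed = name.split("  ")[0] if padded else name
    true_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "displayed_as": displayed,
        "true_extension": true_ext,
        "padded": padded,
        "risky": true_ext in RISKY_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed samples: the post's spoofed link and the padded attachment name.
    print(link_destination("http://BigBank.com.BadGuys.ru/login"))
    print(attachment_check("CuteKitty.jpg" + " " * 60 + "virus.exe"))
```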

Surf - and email - safe!

Read more:
An example of a "good" email from your bank.


