Monthly Archives: August 2013

Companies Connecting with Wireless Charging

Wireless phone chargers can be found in coffee houses, airports and stores around the world as companies compete to become the industry “standard.” Duracell Powermats installed at Starbucks and other chains sit on the store’s tabletops and look like flat coasters. They are accessible with smartphones like the iPhone and Samsung Galaxy.

Has the future of mobile technology arrived? Starbucks, McDonald’s and Delta Sky Club are testing wireless phone-charging stations for customers, possibly ushering in a new era of smartphone use at cafes, restaurants, bars and major venues across the USA.

Last week, Starbucks announced it will roll out Duracell Powermat charging docks at 10 stores in Silicon Valley over the next few weeks, expanding its pilot test, which began last fall, from 17 locations in Boston.

Companies have made wireless chargers available for purchase and personal use, and chains such as Starbucks could play a role in making them more mainstream, says Gerard Goggin, a professor at the University of Sydney who has researched global cellphone culture. The coffee chain led the way in popularizing public Wi-Fi in the past decade.

Wireless charging also is spreading on an international level as charging stations appear in public places across Europe and Asia.

“Electricity is the last great barrier in mobiles, and if it can be sorted out, and mobiles fully untethered, users will embrace this,” Goggin says in an e-mail. “Starbucks’ adoption of wireless charging will be helpful, but it really depends on a whole system, and network of chargers and charging stations being possible.”

Though you don’t need an outlet or a cord, many users will need a Duracell Wireless Battery Case or a Power Matters Alliance (PMA) portable battery to use the charging pads, at least for now.

Daniel Schreiber, president of Powermat Technologies, says he expects wireless-charging technology to be integrated into more phones. AT&T plans to do so next year.

McDonald’s has been testing wireless chargers at a handful of New York locations as well as across Europe. Delta Air Lines has placed them in New York’s LaGuardia Airport in Delta Sky Club lounges and the Marine Air Terminal, where the Delta Shuttle operates.

More than 550 charging stations are available at Madison Square Garden. And the Coffee Bean & Tea Leaf, a coffee and tea retailer in 24 countries, is testing wireless chargers at several Los Angeles locations.

Rapper Jay-Z had them installed at his 40/40 Club in New York.

“People look at their phones at noon, 2 in the afternoon, and notice their battery is drained,” Schreiber says. “If we added wireless power to surfaces, you’d never run out of power. It would be replenishing your battery throughout the day.”

Goggin says wireless devices could play an integral role in the future of phone charging: “Wireless chargers are a great idea, and, if practical and cheap, will become part of mobile phone culture.”

Via: enterprise-security-today

The past, present and future of VPNs

Terminologies such as frame relay, packet switching and dial-up modem have largely been consigned to the “weren’t they quaint” cabinet of terms we used to talk about in the 1980s and 1990s.

They were, however, all instrumental strata in the formation of remote connectivity and the point-to-point connections that have allowed us to build an affordable generation of enterprise networking technologies.

With prehistoric beasts like the X.25 protocol mostly a thing of the past, we have evolved our use of networks logically through internet-based channels to create data connections where we want them and how we want them.

Where the internet opened up interconnectivity to all, it also enabled the creation of dedicated connectivity of a more cloistered corporate nature. The concept of the virtual private network (VPN) actually works across any public communications, or indeed telecommunications infrastructure; the internet just happens to be quite a convenient and functional transport protocol.

In practice, a VPN is used to connect remote points – users, databases or whole offices – to an organization’s central secured network. Cheaper than a dedicated leased-line connection, deploying a VPN is now a completely practicable and affordable option for the average small to medium-sized enterprise (SME) that wants that extra layer.

VPN security

Security inside a VPN comes through functions or disciplines including tunneling protocols and encryption. Data is encrypted at either end of the tunnel before it is transported, and network addresses at either end can also be disguised. Without going into the history of the seven-layer Open Systems Interconnection (OSI) networking model, layer 2 is where the encoding and the synchronization happen for your common-or-garden VPN.

While the VPN may be established, there are still many questions to be answered for companies looking to embrace them. Let’s start with the three basic types:

IPSec

You can think of IPSec as the standard VPN in that it is flexible and configurable in terms of its ability to connect two networks (or a single computer) to a network. Traffic carried through this type of VPN is encrypted and authenticated to protect it against undetected alteration. Because IPsec operates at the network Internet Protocol (IP) layer, it works with any protocol carried by IP. This makes it an ideal general-purpose VPN.

One important caveat, however, is that although we refer to IPSec as “standardised”, different implementations may sometimes have difficulty interoperating. IPsec is ideal for single-supplier implementations, or where an organization has IT staff to support it.

SSL

Type two is the SSL VPN, which links a single computer to an application gateway on a corporate network. Because SSL VPNs use the client’s web browser as an interface, additional software is often not needed on the client machine. This means installation and support of client computers is simplified and the client can run any operating system (OS) that supports a browser and SSL.

The disadvantage here is that, to avoid extra client software and realize OS independence, SSL VPNs are restricted to proxying web pages, so are limited to HTML/HTTP-aware applications. By adding a small amount of software on the client, SSL VPNs can perform application translation, but adding more client software limits platform independence, meaning it may make more sense to use an IPSec VPN.

Mobile

Third is the mobile option. We know that mobile VPNs are integral to certain industry use cases, such as public safety and emergency services. In terms of form and function, mobile VPNs differ from traditional VPNs in that the endpoint is not fixed. The VPN has to retain the user’s connection while dealing with the logins to each new endpoint, using a client to do so.

Check Point Software Technologies’ technical director Tom Davison says modern VPN deployments can be extremely flexible and are usually integral to the company’s main security gateway.

“As we know, security today comes from the IPSec Internet Protocol (IP) technology suite as it works to encrypt data on the VPN channel,” Davison said. “This adds security between the remote server or PC and the main gateway at the firm’s main office location.”

“Between offices, the VPN is usually set up between two gateways: the main office gateway and a smaller, branch office device. For individuals, clientless approaches offer great flexibility, as users don’t need to download and manage software, or have an authentication token, as this can be provisioned centrally.”

For VPN access from smartphones and tablets, Check Point is one company that offers a free downloadable app for iOS and Android. IT teams provision access centrally, and users load the app onto their device, where it manages the VPN connection.

Choosing the VPN to meet the needs of the business

It is important to realise that firms, even SMEs, come in all shapes and sizes. This means that a good VPN deployment may not be based upon the physical size of the company, but be more closely related to how the business works.

Network engineer at PEER 1 Hosting Liam Enticknap says that a customer requiring secure access to its servers from anywhere may prefer a VPN solution over and above security through firewall policies or rule sets.

“We consider this a client-to-site VPN and this allows the user to install a VPN client on machines and connect up from anywhere,” Enticknap said. “The limitation in this is that the model of firewall you’ve purchased with your hosting determines how many connections can be had at any one time.

“Another VPN option is site-to-site where a tunnel is built statically between a client’s site and their hosted firewall. This means users pass secure traffic, but can only initiate it when at the specified location(s). You can run both of these together offering a more dynamic option depending on your business needs.”

So the rationale for creating a VPN installation comes from a need for security, a need for dedicated data control, a need for mobile data management (MDM) and a need for corporate (and/or smaller scale SME-level) cloud-driven device access connections.

Timico CTO Trefor Davies argues that while, in one sense, the VPN has not changed in years, in another it has been superseded by mobile and internet/cloud technologies that provide a better and more reliable connection.

“The proliferation of high-performance tablets and smartphones has led to increased use of mobile VPNs that need careful application of device security policies,” Davies said. “A mobile VPN traditionally encrypts data and sends it through a tunnel across the internet to the corporate firewall. A MAM (mobile access management)-based mobile VPN runs over a private network and never touches the internet.”

“MAM therefore doesn’t require encryption, which can traditionally add significant packet overhead to a conventional mobile VPN connection. So a MAM-based mobile VPN connection is faster because it doesn’t need to tunnel and encrypt its data.”

Davies adds: “Historically, MAM has been the domain of big businesses that could afford the set up fees. However these days, some internet service providers have their own large data pipes into the mobile operators networks and are able to subdivide the MAM into segments that are affordable to smaller businesses.”

The elephant in the room

We know by now there are several types of VPNs and dedicated mobile data channels and then there is cloud. But is cloud the elephant in the room for future VPN services? Juniper Networks senior director of solutions marketing Paul Gainham highlights the fact that many SMEs will have been enticed by the promise of cloud services from the likes of Amazon and Microsoft.

“The application agility and pay-as-you-grow business model, combined with the outsourcing of some aspects of IT management, are indeed compelling and have seen impressive uptake,” Gainham said. “But are these open, uncontrolled public cloud services at odds with the guaranteed, secure, single-supply benefits of VPN services that many SMEs have become used to?”

“The reality is these two worlds are beginning to come together. A number of VPN service providers (OBS VPN Galerie as an example) are now beginning to offer integrated public cloud services as part of their VPN offer so that the SME gets the best of both worlds – access to public cloud services through the guaranteed, secure, single service supply that they enjoy through their current VPN.”

Growing into your VPN

Looking ahead is Duncan Higgins, director of product and marketing at Virgin Media Business. Higgins warns SMEs it is about making sure you have access to technology that gives you room to grow, both in the short term but also in the long term. There’s no point in paying up front for VPNs that will be redundant in a year’s time.

“We undertook some research last year into the VPN upgrade habits of UK-based CIOs and discovered that over a third needed to upgrade their VPNs every year, costing on average £30,000 each time,” Higgins said.

“SMEs simply can’t afford to be constantly battling to find the finance to undertake yearly upgrades; they need VPNs that give them the room to grow and innovate, which is what SMEs do best.”

As established or seasoned as the VPN model is, it is the very existence of the web itself which gives VPNs their IP transport mechanism but also presents alternative data conduits in their own right.

VPNs are unlikely to go away anytime soon, but we may yet witness the birth of the cloud-centric VPN 2.0 as the traditional desk and cubicle office space model of the last half-decade crumbles into new remote workflows.

Via: computerweekly

Google to encrypt Cloud Storage data by default

Google said Thursday it will by default encrypt data warehoused in its Cloud Storage service.

The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post.

“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys,” Barth wrote. “We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”

The data and metadata around an object stored in Cloud Storage are encrypted with a unique key, using the 128-bit Advanced Encryption Standard (AES) algorithm, and the “per-object key itself is encrypted with a unique key associated with the object owner,” Barth wrote.

“These keys are additionally encrypted by one of a regularly rotated set of master keys,” he wrote. “Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”
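The three-level key hierarchy Barth describes (per-object key, wrapped by a per-owner key, wrapped by a rotatable master key) is easier to reason about in code. The following is an added example, not Google’s implementation: the `KeyService`, `Owner` and `StoredObject` names are invented, AES-128-GCM is assumed as the authenticated-encryption primitive, and an in-memory struct stands in for the hardened key management system. It shows the property that makes regular master-key rotation affordable: rotation rewraps only the small owner keys and never touches object ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcm returns AES-128-GCM for key; keys here are always 16 bytes, so neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// randomBytes draws n bytes from crypto/rand for keys and nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no entropy: nothing below is safe to continue with
	}
	return b
}

// seal encrypts plaintext under key and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the ciphertext or its authentication tag was modified.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

type (
	// StoredObject: object bytes under a per-object key, plus that key wrapped under the owner key.
	StoredObject struct{ Ciphertext, WrappedObjectKey []byte }
	// Owner holds the owner key wrapped under the current master key.
	Owner struct{ WrappedOwnerKey []byte }
	// KeyService stands in for the key management system; only it ever sees the master key.
	KeyService struct{ master []byte }
)

func NewKeyService() *KeyService { return &KeyService{master: randomBytes(16)} }

// NewOwner creates an owner key and wraps it under the master key.
func (ks *KeyService) NewOwner() *Owner {
	return &Owner{seal(ks.master, randomBytes(16))}
}

// Put encrypts data with a fresh per-object key and wraps that key for the owner.
func (ks *KeyService) Put(o *Owner, data []byte) (*StoredObject, error) {
	okey, err := open(ks.master, o.WrappedOwnerKey)
	if err != nil {
		return nil, err
	}
	objKey := randomBytes(16)
	return &StoredObject{seal(objKey, data), seal(okey, objKey)}, nil
}

// Get walks the chain master -> owner key -> object key and decrypts the object.
func (ks *KeyService) Get(o *Owner, obj *StoredObject) ([]byte, error) {
	okey, err := open(ks.master, o.WrappedOwnerKey)
	if err != nil {
		return nil, err
	}
	objKey, err := open(okey, obj.WrappedObjectKey)
	if err != nil {
		return nil, err
	}
	return open(objKey, obj.Ciphertext)
}

// RotateMaster replaces the master key, rewraps every owner key under it and drops the old
// master. Object ciphertext is never touched: only the small wrapped owner keys are rewritten.
func (ks *KeyService) RotateMaster(owners []*Owner) error {
	next := randomBytes(16)
	rewrapped := make([][]byte, len(owners))
	for i, o := range owners {
		okey, err := open(ks.master, o.WrappedOwnerKey)
		if err != nil {
			return err // commit nothing: every owner must move in one step
		}
		rewrapped[i] = seal(next, okey)
	}
	for i, o := range owners {
		o.WrappedOwnerKey = rewrapped[i]
	}
	ks.master = next
	return nil
}
```

The same structure is what lets a client that prefers to manage its own keys simply skip the service: encrypting before upload means the stored object is opaque to every layer above it.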

Data collection programs revealed by former U.S. National Security Agency contractor Edward Snowden have raised questions about U.S. government data requests made to Internet companies such as Google for national security investigations.

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

“Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process,” she wrote. “When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”

Via: csoonline

Microsoft Warns of Windows Phone 8 Wi-Fi Weakness

The issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly in Windows Phone 7.8 and Windows Phone 8 operating systems and then released it to the market, said Kevin O’Brien, an enterprise solution architect at CloudLock.

Microsoft is warning consumers with smartphones that sport the Windows Phone 7.8 and Windows Phone 8 mobile operating systems that they could be open to attack.

Hackers could exploit a weakness in the Wi-Fi authentication process, known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), to access the user’s log-on credentials.

“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device,” the company said in a security advisory. “Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”

Intercepting Encrypted Credentials

Here’s how an attacker-controlled system could exploit the weakness: First, the system poses as a known Wi-Fi access point. This charade would cause the targeted device to automatically attempt to authenticate with the access point. That, in turn, would allow the attacker to intercept the victim’s encrypted domain credentials.

At that point, an attacker could exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to grab the victim’s domain credentials. Finally, those credentials could be used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on the network.

We caught up with Kevin O’Brien, an enterprise solution architect at CloudLock, to get his take on the exploit. He told us the pivot point is cryptographic weakness.

“We’ve seen this particular type of vulnerability before, including from Microsoft, whose ASP.NET framework had a similar issue a few years ago,” O’Brien said. “We’ve seen it recently, in the now well-known Cryptocat exploit. And we’ll see it again.”

As O’Brien sees it, the issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly and then released it to the market.

“What went wrong in the MS-CHAPv2 example here is that the protocol relies largely upon smoke and mirrors to appear confusing, either intentionally or due to a lack of understanding on the behalf of the original coders,” O’Brien said. “As a result, the entire protocol is compromised, and it should cease to be used in favor of the far more robust open-source alternatives in the market today.”

A Recipe for Mass Compromise

Mike Gross, Global Risk strategy director at 41st Parameter, told us the lesson: most mobile devices, by default, enable convenient access to known Wi-Fi and other networks, so users need to be aware of these settings and how they can protect themselves.

“While there are specific steps that businesses can take to protect their secure networks from unauthorized access, users will unfortunately still be vulnerable to attack unless they disable the option to automatically connect to known Wi-Fi networks — something most consumers will not do because of the inconvenience involved in reconnecting every time they come home or walk into an airport,” he said.

In many cases, Gross noted, a smartphone or tablet user may simply be strolling through his local airport where an attacker has set up a Wi-Fi hotspot mimicking that of the legitimate public Wi-Fi, using the airport code as a network ID and not requiring a password to connect. He called this scenario a recipe for mass-compromise, as mobile devices would likely connect to the known network without hesitation.

“Even if the Wi-Fi auto-join feature is disabled, consumers are not in the clear. They will likely still be prompted to connect to a Wi-Fi network and should be extra vigilant when traveling or in a public location where this type of network spoofing is possible,” Gross said. “Smartphone software configurations and defaults are clearly set up with user convenience in mind, so consumers must take extra steps to protect themselves and the integrity of their mobile devices.”

Via: enterprise-security-today

Flaws Found in Apple’s iOS Let Malware Slip Through

Georgia Tech Information Security Center researchers say malware can be installed onto Apple’s iOS devices via Trojan Horse-style applications and peripherals such as chargers. The technique, developed as part of a proof-of-concept attack dubbed Jekyll, hides malicious code that would otherwise get rejected during the Apple review process.

U.S. researchers say they’ve found security weaknesses in Apple’s iOS operating system that could let hackers compromise an iPhone through apps or peripherals.

“Apple utilizes a mandatory app review process to ensure that only approved apps can run on iOS devices, which allows users to feel safe when using any iOS app,” Paul Royal, director of the Georgia Tech Information Security Center, said in a Georgia Tech release Wednesday. “However, we have discovered two weaknesses that allow circumvention of Apple’s security measures.”

Researchers at the center determined malware can be installed onto iOS devices via Trojan Horse-style applications and peripherals such as chargers.

The technique, developed as part of a proof-of-concept attack dubbed Jekyll, hides malicious code that would otherwise get rejected during the Apple review process, they said.

“We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices,” research scientist Tielei Wang said. “Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps — all without the user’s knowledge.”

Researcher Billy Lau created a proof-of-concept malicious charger using a small, inexpensive single-board computer made to resemble a normal iPhone or iPad charger that, once plugged into an iOS device, stealthily installs a malicious app.

Both Wang and Lau notified Apple upon the discovery of these security weaknesses, Georgia Tech said.

Apple has implemented a feature in its upcoming iOS 7 that notifies users when they plug their mobile device into any peripheral that attempts to establish a data connection, and is working on ways to address the weaknesses revealed through Jekyll, the school said.

“These results are concerning and challenge previous assumptions of iOS device security,” Royal said.

Via: enterprise-security-today

5 Minute Phishing Skills Test from Core Security

Here’s a quick exercise in phishing that anyone can try. Go ahead, give it a shot. In just five minutes – assuming your search skills are halfway decent – you can gather enough information about a high-value target to create your own spear phishing attack.

First, choose one of your company executives about whom you have very little information. Or choose their executive assistant, a system admin with uber-privileges or an executive from another organization – it doesn’t really matter. With your web browser open, set a timer for 5 minutes, press start and begin searching for information about your ‘target.’ Your goal is to gather enough personal information that your phish email can appear legitimate enough for the recipient to take the desired action, so use your imagination while doing your research (e.g. notices about public speaking engagements, upcoming board meetings, big company news, news from important customers/partners).

I’ve shared the results of my own basic search below. Please use the Comments section to let us know what you dug up (no real names please!).

My target is the CEO and Chairman of the Board of a Fortune 500 company. I quickly learned that he also currently sits on three other boards. Other notable facts that I turned up about my target:

  • Date of birth
  • Work history for 20+ years
  • University degree and fraternity affiliation
  • Detailed stock transactions, including dates and amounts
  • Address and photos of his primary residence
  • Address of his vacation home in Vail

While the individual I researched isn’t very active online (e.g. his LinkedIn profile is just a placeholder), he is probably the exception among prominent executives. Other targets might reveal seemingly insignificant details about their lives in blog posts, Twitter conversations and elsewhere. Such data can help a spear phisher craft very targeted messages.

However, my search still provided plenty of fodder for spear phishing campaigns, possibly enough to compel my target to click on a link or malicious file. With a little more effort and access to an illicit directory or two, I’m sure the odds of a successful attack increase considerably. After all, it only took this spear-phishing newbie, without any financial motivation, 5 minutes to identify several potential points of contact. Imagine what a skilled and determined spear phisher might be able to conjure up.

If nothing else, this exercise showcases how easy it is for cyber-crooks to develop effective spear phishing campaigns. There are certain security measures all organizations can take to protect themselves from attacks, but phishing campaigns are different beasts, and the best tactics are awareness, training and testing. Internal policies and strict spam rules within an organization should be top priorities for limiting exposure of critical data, but communicating the nasty effects of opening a suspicious email or putting personal information on unsecure forms can be a useful form of deterrence. Employee phish testing can help raise awareness about the types of phishes and teach employees how to detect them. And for data- or metrics-driven organizations, phish testing can help teach you about the effectiveness of your employee training and anti-phishing techniques. While phishing attacks are tough to protect against, they can be limited and contained.

Via: coresecurity

BlackBerry starts looking for buyer or partner as new OS struggles

A committee will explore strategic alternatives for the future of the company.

Blackberry’s board of directors has formed a committee to explore strategic alternatives for the future of the company that could include joint ventures or a sale of the company, as it struggles to turn its new BlackBerry 10 operating system into a success.

The news comes after the company announced that it had shipped 6.8 million smartphones and recorded a US$84 million loss during the three months to June 1. Only 2.7 million phones running the new OS were sold, a figure that disappointed analysts.

The soft sales led analysts to question the future of BlackBerry 10 and the company during a conference call on the results. At the time, BlackBerry CEO Thorsten Heins offered variations on the same reply as a defense: “BlackBerry 10 is still in the early stages of its transition. In fact, we are only five months in to what is the launch of an entirely new mobile computing platform,” he said.

The so-called Special Committee of the Board is comprised of Heins, Barbara Stymiest, Richard Lynch and Bert Nordberg, and will be chaired by Timothy Dattels. All the committee members are board members. The company provided no time schedule for when the committee’s work would produce a result.

“We continue to see compelling long-term opportunities for BlackBerry 10, we have exceptional technology that customers are embracing, we have a strong balance sheet and we are pleased with the progress that has been made in our transition,” said Heins in a statement Monday. “As the Special Committee focuses on exploring alternatives, we will be continuing with our strategy of reducing cost, driving efficiency and accelerating the deployment of BES 10, as well as driving adoption of BlackBerry 10 smartphones, launching the multi-platform BBM social messaging service, and pursuing mobile computing opportunities by leveraging the secure and reliable BlackBerry Global Data Network.”

Via: itworld

Smartphone pictures pose privacy risks

WARNING! If you take photos with your cell phone you need to know the risks.

This has been around for a while but needs to be brought up again.

This is truly alarming – please take the time to watch.

PLEASE PASS THIS INFO TO ANYONE YOU KNOW WHO TAKES PICTURES WITH THEIR CELL OR SMART PHONE AND POSTS THEM ONLINE.


Disable iPhone GPS & Geographic tagging data in iPhone Photos

In case you didn’t know, the iPhone defaults to storing GPS and geographic tagging information in the EXIF data of your iPhone images. If you don’t want such information stored in a picture’s EXIF data, you can disable the feature easily in iOS settings:

How to Disable iPhone Photo GPS Geotag Data

  • Tap on Settings
  • Tap on General
  • Tap on “Location Services”
  • Select the On/Off switch next to “Camera” so that the switch is set to OFF
  • Exit settings

Those settings work in iOS 5 and iOS 4, but there have been changes made in recent iOS versions.

Turning Off Camera Location Services in iOS 6+

iOS 6 gave “Location Services” its own separate preference settings within the Privacy section:

  • Open Settings, then tap on “Privacy”
  • Tap “Location Services” and find “Camera”
  • Flip the switch next to Camera to OFF


Images taken from the iPhone will now no longer include GPS and location data when taking photos, and your privacy concerns should be alleviated.

You can do the same on other phones as well.
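Turning the camera’s location access off stops new photos from being tagged, but photos already taken (on any phone) keep whatever the camera wrote. The following is an added example, not part of the original post: a small Go checker that reports whether a JPEG’s Exif block still contains the GPS sub-IFD pointer (tag 0x8825, where cameras store the coordinates of the shot), and a stripper that removes the whole Exif block before a picture is shared. `SampleJPEG` builds constructed, non-decodable JPEG shells purely as test input; they are not real photographs.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

const (
	markerAPP1 = 0xE1   // application segment 1: where Exif metadata lives
	markerSOS  = 0xDA   // start of scan: image data follows, metadata segments end
	markerEOI  = 0xD9   // end of image
	tagGPSInfo = 0x8825 // IFD0 entry that points at the GPS sub-IFD
)

var exifHeader = []byte("Exif\x00\x00")

// walkSegments calls fn for every marker segment between SOI and SOS with its byte range and payload.
func walkSegments(jpg []byte, fn func(marker byte, start, end int, payload []byte)) error {
	if !bytes.HasPrefix(jpg, []byte{0xFF, 0xD8}) {
		return errors.New("not a JPEG: missing SOI")
	}
	for pos := 2; pos+4 <= len(jpg); {
		if jpg[pos] != 0xFF {
			return errors.New("malformed JPEG: expected marker")
		}
		marker := jpg[pos+1]
		if marker == markerSOS || marker == markerEOI {
			return nil
		}
		end := pos + 2 + int(binary.BigEndian.Uint16(jpg[pos+2:])) // length covers itself
		if end < pos+4 || end > len(jpg) {
			return errors.New("malformed JPEG: bad segment length")
		}
		fn(marker, pos, end, jpg[pos+4:end])
		pos = end
	}
	return nil
}

// tiffHasTag reports whether IFD0 of a TIFF-structured Exif block contains tag want.
func tiffHasTag(tiff []byte, want uint16) bool {
	var bo binary.ByteOrder = binary.BigEndian // "MM"; "II" files are little-endian
	if bytes.HasPrefix(tiff, []byte("II")) {
		bo = binary.LittleEndian
	}
	if len(tiff) < 8 || bo.Uint16(tiff[2:]) != 0x2A {
		return false
	}
	ifd := int(bo.Uint32(tiff[4:])) // IFD0: 2-byte entry count, then 12-byte entries
	for i := 0; ifd+2 <= len(tiff) && i < int(bo.Uint16(tiff[ifd:])); i++ {
		if e := ifd + 2 + 12*i; e+12 <= len(tiff) && bo.Uint16(tiff[e:]) == want {
			return true
		}
	}
	return false
}

// HasGPSTag reports whether the Exif block has a GPS sub-IFD (where phones store the shot's coordinates).
func HasGPSTag(jpg []byte) (bool, error) {
	found := false
	err := walkSegments(jpg, func(marker byte, _, _ int, payload []byte) {
		if marker == markerAPP1 && bytes.HasPrefix(payload, exifHeader) {
			found = found || tiffHasTag(payload[len(exifHeader):], tagGPSInfo)
		}
	})
	return found, err
}

// StripExif drops every Exif APP1 segment: removing the whole block sheds GPS and
// all other camera metadata without having to rewrite TIFF offsets.
func StripExif(jpg []byte) ([]byte, error) {
	var out []byte
	last := 0
	err := walkSegments(jpg, func(marker byte, start, end int, payload []byte) {
		if marker == markerAPP1 && bytes.HasPrefix(payload, exifHeader) {
			out = append(out, jpg[last:start]...)
			last = end
		}
	})
	if err != nil {
		return nil, err
	}
	return append(out, jpg[last:]...), nil
}

// SampleJPEG returns a constructed, non-decodable JPEG shell (test input, not a real
// photo): SOI, one Exif APP1 segment, an empty SOS and EOI. The little-endian TIFF holds
// IFD0 with Orientation=1 and, if withGPS, a GPSInfo pointer to a GPS sub-IFD.
func SampleJPEG(withGPS bool) []byte {
	h := "FFD8" + "FFE10022" + "457869660000" + "49492A0008000000" + "0100" +
		"120103000100000001000000" + "00000000" + "FFDA0002" + "FFD9"
	if withGPS {
		h = "FFD8" + "FFE10040" + "457869660000" + "49492A0008000000" + "0200" +
			"120103000100000001000000" + "258804000100000026000000" + "00000000" +
			"0100" + "000001000400000002030000" + "00000000" + "FFDA0002" + "FFD9"
	}
	b, _ := hex.DecodeString(h) // the literals above are well-formed hex
	return b
}
```

Run `HasGPSTag` over the files in a camera roll export to find the pictures that still carry coordinates, and `StripExif` on anything about to be posted; on a real photo the remaining bytes are the image itself, which viewers display unchanged.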

Be safe.

Apple’s Next iPad Will Indeed Inherit iPad Mini’s Thin And Light Good Looks, Reports WSJ

Apple’s next iPad will likely resemble the iPad mini, and lose some weight and possibly some girth thanks to the same touch-panel tech that made the mini so… well, so mini. The Wall Street Journal reports that Apple’s next iPad, which is currently in production with Apple’s supply partners, will use a film-based (vs. a glass-based) touch panel to save on thickness and weight.

It’s not something that should come as much of a surprise: early case design leaks (pictured above) suggested that the next 9.7-inch iPad would inherit the exterior styling of the iPad mini, and possibly go in for not only a thinner case but a thinner bezel and smaller physical footprint as well.

The fourth-generation iPad, and the third-generation device before it, are actually heavier and thicker than the iPad 2, something made necessary by the introduction of the Retina display in those later devices. Shaving weight and size isn’t only logical because of the iPad mini’s example, it’s also something that could help Apple considerably in terms of providing an upgrade incentive to existing iPad owners.

In all likelihood, a new iPad would occupy the same price point as the fourth-generation device, which was introduced in October last year with a surprise refresh that improved the processor and added a Lightning connector. Judging by recent reports, we could see the next iPad as early as September, and it might have a longer-lasting battery to go with its new design.

Via: techcrunch

New strain of ransomware evades detection by AV apps, also targets Mac OS X users

Learn about a new type of ransomware that has the potential to snare many victims – and it’s not even malware.

Some of you may be familiar with ransomware, and how to avoid being conned by it. The trouble is there are millions of people who aren’t. That alone ensures ransomware will continue to separate people from their hard-earned money. To make matters worse, there’s a new version winding its way through the Internet. And those in the know predict what’s being called HTML ransomware will be more successful than previous versions.

HTML ransomware

I first learned about HTML ransomware from Jerome Segura, Senior Security Researcher at Malwarebytes, and his blog post, “FBI Ransomware Now Targeting Apple’s Mac OS X Users.” Initially, I was suspicious; OS X is not vulnerable in the same way Windows operating systems are, so what’s up?

As I continued reading, I learned the only requirements for HTML ransomware to work are that JavaScript must be enabled and that the victim’s web browser incorporates the “Recover browser session after a crash” feature, which is part and parcel of all major web browsers — including Chrome, Firefox, Internet Explorer, and Safari.

Here’s what HTML ransomware has going for it:

  • Does not require installation.
  • Disabling JavaScript breaks many popular websites, so people aren’t willing to turn off JavaScript, something the bad guys are relying on.
  • AV applications, even with current malware signature sets, are of no use against HTML ransomware.

How it works

One way the scam starts is when an unlucky person selects a search result with a falsified link. Instead of the expected web page being presented, the victim’s web browser loads something similar to the following slide (courtesy of Jerome Segura and Malwarebytes).


While the victim is coming to grips with the above screen, the page’s JavaScript is loading copies of the same screen (typically 150) into the browser. By creating a loop of 150 iframes, HTML ransomware gives the impression that the computer is locked up. Ironically, if the victim is determined, leaving the web page and revisiting it 150 times will clear the problem.

I doubt I’d even consider reloading the web browser that many times; my inclination would be to reboot the computer, but that doesn’t help either because HTML ransomware taps into the “Recover browser session after a crash” feature I mentioned earlier, bringing the same FBI screen back up.

It’s not malware

Something else that makes HTML ransomware unique: by most definitions, it’s not malware. It is a snippet of JavaScript code readily available on the Internet that digital extortionists use to fool victims by controlling what is visible in the browser window. No other computer function is affected, at least as of this writing, but Jerome mentioned the potential is there, especially for Windows-based computers.

It not being malware is why HTML ransomware is a great idea for the bad guys: simple to set up, easy to move to different domain names, and no concerns about how to install code onto computers. To see whether the bad guys agree, look at how many instances of HTML ransomware have been seen:

“This ransomware is quite active; bad guys are registering new domain names several times per day. While it is not malicious (as opposed to ransomware that infects your PC), it’s still scaring people.”

How to tell if it’s HTML ransomware

Web browsers lock up for all sorts of reasons, so I asked Jerome how we would know for sure, if HTML ransomware caused the lockup:

“The browser being locked may not be ransomware in all cases. I can think of many sites that use annoying JavaScripts to keep the user on the page (pop-ups that ask ‘are you sure you want to leave this page?’). HTML ransomware is characterized by the following:

  • Warning from the police
  • Fee to be paid using a voucher
  • Computer or browser locked

“If those three elements are in place, it’s HTML ransomware.”

How to get rid of HTML ransomware

Jerome did a thorough job of explaining how to remove HTML ransomware from Safari in his blog post, but missed explaining what those using other operating systems should do. Here’s what others should do:

“I recommend ending the web-browser process(es) after first having disabled JavaScript. Simply killing the web-browser process will recover the ransomware page and put you right back where you started.”

There is a possibility you may not have to worry about HTML ransomware if your antimalware provider is on top of the situation like Malwarebytes.

“Malwarebytes has a large database of malicious sites that is constantly updated. The PRO users are protected against malicious websites as they pop up. This is due to its ability to blacklist entire IP ranges since they know they are only used for criminal purposes; any new website registered on those will be automatically blocked.”

Final thoughts

At first, I felt that HTML ransomware was not a big deal. But, it did not take long for me to realize darn near everything we do computer-wise involves the web browser. And, if the web browser appears to be locked up, it will seem like a huge deal.

Since this attack is easy to fix, it would be a shame to have those who do not understand what’s going on even for a second consider paying the ransom. So, please, let’s get the word out on HTML ransomware.

Via: techrepublic