
Tag: Internet Security

Encryption project issues 1 million free digital certificates in three months

Let's Encrypt, an organization set up to encourage broader use of encryption on the Web, has distributed 1 million free digital certificates in just three months. The digital certificates cover 2.5 million domains, most of which had never implemented SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts content exchanged between a system and a user.

An encrypted connection is signified in most browsers by "https" and a padlock appearing in the URL bar. "Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress," according to a blog post by the Electronic Frontier Foundation, one of Let's Encrypt's supporters. The organization is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, Cisco, Akamai, Facebook and others. There's been a push in recent years to encourage websites to implement SSL/TLS, driven in part by a rise in cybercrime, data breaches and government surveillance. Google, Yahoo, and Facebook have all taken steps to secure their services. SSL/TLS certificates are sold by major players such as Verisign and Comodo, with certain types of certificates costing hundreds of dollars and needing periodic renewal.

Critics contend the cost puts off some website operators, which is in part why Let's Encrypt launched a free project. "It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default," the EFF wrote.

Anatomy Of An Account Takeover Attack

How organized crime rings are amassing bot armies for password-cracking attacks on personal accounts in retail, financial, gaming, and other consumer-facing services. Account takeover attacks (ATO) are a very lucrative business for cybercriminals.

They fuel the underground fraud-as-a-service economy with compromised accounts, which are sold or exchanged for a variety of downstream attacks involving retailers, financial services, reward programs, mobile games, and other consumer-facing services.

Based on the number of data breaches that took place in 2015, it’s likely that the stolen credentials will be used heavily toward ATO attacks in 2016.  What makes ATO attacks so dangerous is that they target accounts that are created by real users. Unlike mass-registered fake accounts, they contain valuable information such as financial data, and their activities are less likely to raise the suspicion of security solutions.

According to a recent Trend Micro report, compromised accounts are worth upward of $3 each on the underground market.

That’s more than 17 times the price of a stolen credit card number, which is only 22 cents.

Compromised takeover accounts are commonly used for financially motivated downstream attacks, including:

Financial fraud: Targets are accounts at financial or e-commerce services that store users’ banking details. The attackers perform unauthorized withdrawal from bank accounts or fraudulent transactions using the credit/debit cards on file.

Spam: Spam can appear in any service feature that accepts user-generated content, including discussion forums, direct messages, and reviews/ratings, degrading platform integrity and brand reputation.

Phishing: Attackers can assume a compromised user’s identity and launch phishing attacks on others in his/her social circle to steal their credentials, personal information, or sensitive data.

Virtual currency fraud: Virtual “currencies” that are worth real money include reward points, promotional credits, and in-game virtual items, which can be harvested for real world gains.

ATO Campaigns

Organized crime rings are performing account takeover at scale by leveraging massive bot armies to attempt password-cracking attacks at various consumer-facing websites. Just how big are these armies? In a mass ATO attack the DataVisor team recently discovered at a large retailer website, bot armies made more than 300,000 login attempts from thousands of IP addresses in the course of a single day.

Each IP address was used to attempt logins to approximately 100 distinct user accounts, with a different browser cookie used for every login, likely to skirt security solutions based on device tracking.

The map below shows the geographic distribution of the attacking IPs, which are located in residential networks from all over the world.

[Figure: Map of IPs from a widely-distributed “password cracking” botnet attack.]

The vast majority of the attempts involved accounts that all had valid email addresses registered at this particular retailer.
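As an added example (not part of the original article and not DataVisor's tooling), the per-IP pattern this article describes, many distinct accounts per IP, a fresh cookie on every attempt and a low login success rate, can be expressed as a simple log heuristic. The event fields, thresholds and sample events below are assumptions constructed for illustration.

```python
"""Per-IP login heuristics for a distributed credential-testing campaign."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    account: str
    cookie: str    # browser/device cookie presented with the attempt
    success: bool


def profile_by_ip(events):
    """Aggregate attempts per source IP into the three signals of interest."""
    raw = defaultdict(lambda: {"attempts": 0, "successes": 0,
                               "accounts": set(), "cookies": set()})
    for e in events:
        p = raw[e.ip]
        p["attempts"] += 1
        p["successes"] += int(e.success)
        p["accounts"].add(e.account)
        p["cookies"].add(e.cookie)
    return {
        ip: {
            "attempts": p["attempts"],
            "distinct_accounts": len(p["accounts"]),
            # 1.0 means every attempt presented a never-before-seen cookie.
            "cookie_ratio": len(p["cookies"]) / p["attempts"],
            "success_rate": p["successes"] / p["attempts"],
        }
        for ip, p in raw.items()
    }


def flag_suspect_ips(events, min_accounts=25, min_cookie_ratio=0.9,
                     max_success_rate=0.2):
    """Return IPs matching all three signals. Thresholds are assumptions.

    Distinct-account count alone also matches shared NAT addresses
    (offices, campuses), so it is combined with cookie churn and a low
    success rate before an IP is flagged.
    """
    return sorted(
        ip for ip, p in profile_by_ip(events).items()
        if p["distinct_accounts"] >= min_accounts
        and p["cookie_ratio"] >= min_cookie_ratio
        and p["success_rate"] <= max_success_rate
    )


def build_sample_events():
    """Constructed sample data using documentation-range IP addresses."""
    events = []
    # Bot-like source: 100 accounts, a new cookie each time, 8 successes.
    for i in range(100):
        events.append(LoginEvent("203.0.113.7", f"user{i}@example.com",
                                 f"ck-bot-{i}", success=(i % 13 == 0)))
    # Office NAT: 40 staff, 3 logins each, one stable cookie per person.
    for u in range(40):
        for n in range(3):
            events.append(LoginEvent("198.51.100.20", f"staff{u}@example.com",
                                     f"ck-staff-{u}",
                                     success=not (u % 10 == 0 and n == 0)))
    # Home connection: two family members sharing one browser.
    for n in range(4):
        account = "alice@example.com" if n % 2 else "bob@example.com"
        events.append(LoginEvent("192.0.2.55", account, "ck-home", True))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for ip, p in sorted(profile_by_ip(sample).items()):
        print(ip, p)
    print("flagged:", flag_suspect_ips(sample))
```

Because the campaign is spread over thousands of addresses, per-IP flags like these are best fed into campaign-level correlation rather than used as a blocklist on their own.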

The success rate of the login attempts was not very high, only 8%, so it is likely the attacker obtained the usernames from third-party data breaches. Users that have weak passwords or reuse them at other services are especially at risk (as shown by the recent attack on Fitbit accounts).

Putting Compromised Accounts into Action

After the initial ATO stage of the attack, the same attackers looked to immediately put these stolen credentials to use. In this particular attack, DataVisor detected attempts to validate stolen credit card numbers by testing them within the compromised users’ payment profile page, an attack we refer to as an “oracle test.” If the credit card is invalid or known to be compromised or stolen, the site will reject the card and display a warning message.

This feedback essentially turns the service into an online credit card “oracle” where fraudsters can verify their bulk card purchases from the underground market.

This is similar to the attack technique used by botmasters to query public IP blacklists to check whether their spamming bots are blacklisted.

[Figure: An example of a credit card “oracle” test. Image source: DataVisor]

Beyond Financial Accounts

Compromised accounts are exploited for financial gain, but it’s not only retailers or financial services that are vulnerable and at risk.

There are plenty of virtual “currencies” that are worth real money, including reward points that can be converted into merchandise, flights, hotel stays, and gift cards, virtual items in online games that can be sold (sometimes for hundreds of thousands of dollars), and social reputation that can be exploited to boost business sales or ad revenue.

This makes most, if not all, consumer-facing services prime targets for ATO attacks.

As the saying goes, “money isn’t everything,” and these attacks can impact more than just the financials for modern online services. With consumers becoming more conscious about their online security and privacy, the impact of ATO on brand name reputation is especially harmful, and will likely affect user growth and revenue in the long term.

Ting-Fang Yen is a research scientist at DataVisor, Inc., a startup providing big data security analytics for consumer-facing web and mobile sites.

Before DataVisor, she was threat scientist at E8 Security and principal research scientist at RSA.

Ting-Fang received a PhD ...

How techies are losing the Apple-FBI privacy fight

The geeks are approaching the whole Apple vs. FBI battle over encryption and privacy all wrong. This is a golden opportunity to get John Q. Public on board regarding data privacy and online security. But instead, we have a cacophony of conflicting information and noise, and the FBI is winning in the court of public opinion.

It's high time Jane Q. Citizen got to see a clear example of how the U.S. government is slowly but surely chipping away at personal privacy under the guise of national security.

And you couldn't have a better company standing up to the government: The one behind some of the most popular consumer electronics devices today.

There's none of the squickiness of Google and its constant slurping of data, or Facebook's desire to collect information about people you know and things you like.

Apple is not just a tech company -- hate it or love it, Apple is indubitably a lifestyle brand. But there is a stark difference in how Apple and the FBI and the Justice Department, along with their allies, are framing the conversation.

And as a result, Apple and the techies are losing John's and Jane's attention by railing about backdoors, encryption, and legal precedents. Those detailed explainers and FAQs do lay out what's at stake.

But it's the FBI that comes off looking reasonable.

The FBI is, it regularly reminds us, trying to find out why two people killed 22 people and injured 14 a few months ago as part of a mass shooting, which it regularly describes as terrorism.

So reasonable, in fact, that there's this headline: "San Bernardino terror attack victims' families ask Apple to cooperate with FBI." The side relying on emotions and fear is always going to win against the side carefully crafting logical arguments. It may be in the nature of technical people to avoid emotions and favor logic, but that's one reason why the FBI is winning the hearts and minds of Americans here.

The thing is, even with all the secret documents that Snowden stole from the NSA, the average user isn't any more concerned about government surveillance today than he or she was three years ago. Sure, it's terrible, but when it comes to user privacy it's still a world of weak passwords, mobile devices with no passcode (or TouchID) enabled, and an overall lack of urgency. So skip the arguments about how if the FBI wins this round, law enforcement will keep coming back with more requests against more devices.

If there is something the Janes and Johns are scared of, it's the foreign other, the faceless enemies sitting in China, Russia, and Iran (why not throw North Korea in the mix, too?). It's the criminals siphoning money from banks, the nation-state actors stealing personal information from government agencies, and adversaries trying to stop a movie release.

If the FBI gets its way on bypassing this iPhone 5c's protections, what would stop other governments from coming to Apple, Dell, and other companies and asking for help modifying the devices we use to further their own purposes? It won't be the first time a government tried to compel a company to modify technology in the name of national security. Remember BlackBerry?

"While the FBI's request seems to go beyond what other governments have sought from Apple so far, if Apple is forced to develop code to exploit its own phones, it will only be a matter of time before other countries seek to do the same," Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, wrote on the NYU School of Law's Just Security blog. She's right.

And that's a scary enough prospect to justify supporting Apple.

Techies may not like the emotionalism, and consider it to be FUD.

But it's not FUD.
It truly is scary -- and should be talked about that way.

10 Things Employees Can Do to Improve IT Security in 2016

In 2015, the borders between personal and professional use of apps and devices became less defined than ever. People constantly use whatever device they have at the time to do either personal or business tasks—that's the real world. In 2016, the line between how employees use data in and outside of work will continue to blur and will drive important trends that IT needs to consider when building a security strategy. To help CIOs better understand how their workforces are accessing and securing data—and where IT can help fill the gap—Ping Identity surveyed 1,000 employees at U.S. enterprises. The company's 2015 Online Identity Study revealed that most employees today are not connecting the dots between the security best practices they are taught and their behavior at work and home. While employees say online security is a priority, they struggle to consistently follow best practices and be accountable for their actions, the study revealed. The study results showed that in the event of a data breach, most employees say the blame falls on IT and not on their own risky behavior. Here's a look at key trends that the study suggests will shape the coming year.

Sophos Home

Some antivirus vendors pitch their products directly to consumers, some focus instead on big-business protection, and some do both. For quite a while, antivirus giant Sophos has stayed on the business side of the market. With the recent release of the free Sophos Home, consumers can now enjoy the same level of antivirus protection as the Fortune 500 on up to 10 Windows and Mac OS devices.

As it comes from a business orientation, Sophos Home includes some sophisticated management features not typically found in consumer-side free antivirus products. To get started with the product, you create a free account, which gives you access to an online dashboard. You can log in to the dashboard from any PC or Mac to install the software directly, or send a link to install Sophos on another device. McAfee AntiVirus Plus (2016) is one of the very few competitors to offer this kind of remote management.

The installer notes that getting the product installed can take up to 15 minutes, which seemed unusually long to me. But indeed, it did take almost precisely that long. After installation, it downloaded updated antivirus definitions and launched a full scan. The scan took 37 minutes, just slightly less than the current average. A repeat scan wasn't significantly faster.

Simple Interface

Whether you install Sophos on a Mac or a Windows box, its main window exhibits a pleasant simplicity. A large banner across the top displays your security status, with a button to view any pending alerts and another button to open the online dashboard. You can click to launch a full scan, which displays its progress right in the main window. And there are on/off switches for Automatic Virus Protection, Web Protection, and Potentially Unwanted App Detection.

There's one little problem with the Sophos Home user interface: every time you open it, you have to respond to a User Account Control prompt.
That's not quite as bad as ESET Smart Security 9, which requires a UAC response every time you respond to a firewall program control popup, but it still seems unnecessary.

Labs Love It

The independent antivirus testing labs don't specifically include Sophos Home in their testing, but Sophos Cloud Endpoint Protection comes under scrutiny by all of the labs that I follow. According to Sophos, the free consumer product "uses the same award-winning technology from Sophos that protects millions of business people worldwide," which makes sense. Why would the company develop a separate technology for the free product?

Both ICSA Labs and West Coast Labs certify Sophos both for malware detection and malware removal. Looking at results from Virus Bulletin, it appears that Sophos stopped participating some months ago. However, Sophos did participate in four of the most recent 12 tests and earned VB100 certification each time. Bitdefender Internet Security 2016 and ESET took VB100 in all 12 of those 12 tests.

AV-Test Institute evaluates antivirus products from three different angles: protection, performance, and usability. In the all-important protection test, Sophos earned 6 of 6 possible points, and it managed 5 points for performance. Its 5.5 point score for usability indicates that to some small degree it flagged valid programs or websites as malicious. Sophos earned 16.5 of 18 possible points, which is quite good. However, several products earned a perfect 18 in the latest test, among them Bitdefender, Kaspersky Internet Security (2016), and Symantec Norton Security Premium.

The researchers at AV-Comparatives perform a dazzling variety of tests; I closely track five of those tests. Sophos participated in four of these. It earned the top rating, Advanced+, in the performance test, and managed Advanced in the file detection, zero-day detection, and real-world dynamic tests.

Dennis Technology Labs aims to replicate the user's actual experience as closely as possible.
Every day, researchers locate real-world malicious URLs that host drive-by downloads and other attacks, using site-ripping tools to capture the entire website. For testing, they use a playback system to expose each product to exactly the same attack. Products can receive certification at five levels: AAA, AA, A, B, and C. Sophos earned the best possible rating, AAA, with excellent detection and no false positives.

Test results for the antivirus technology shared by Sophos Home and the Endpoint Protection product are very good. However, Kaspersky and Bitdefender in particular have done even better.

Accurate Antiphishing

The Web Protection component in Sophos Home watches incoming HTML data and blocks access to dangerous websites of all kinds, including phishing sites. In testing, it proved quite accurate.

For this test, I gather a collection of URLs that have been very recently reported as fraudulent, so recently that they haven't yet been analyzed and blacklisted. I launch each URL simultaneously in five browsers. One browser is protected by the product under testing, naturally, and another by Norton, which has consistently proven to be an antiphishing whiz. The other three rely on the fraud protection built into Chrome, Firefox, and Internet Explorer.

Out of more than 30 recent products, only one, Bitdefender, has outperformed Norton in this test. More than two-thirds of the products earned a detection rate lower than at least one of the browsers, and half of those failed to beat any of the browsers.

I'm happy to say that Sophos isn't among this losing crowd. The Web Protection component's phishing detection rate came in just 4 percentage points below Norton's; only a handful of competitors have done better. And Sophos beat out the built-in protection of all three browsers, by varying amounts.
Effective Malicious URL Blocking

In addition to antiphishing, Web Protection naturally covers fending off websites that host malware or spyware, or that are known to be dangerous. Here again, Sophos turned in an excellent performance.

For this test, I use a feed of newly discovered malware-hosting URLs supplied by MRG-Effitas. The test is quite simple. I try to launch each URL in turn, discarding any that result in an error message. For the ones that are still live, I note whether the antivirus prevents all access to the URL, catches and eliminates the malware payload during download, or completely misses the attack event.

Out of 100 active malicious URLs, Sophos protected against 90 percent, almost all of them by completely blocking access to the URL. It identified several different kinds of problems. For some, it reported Malicious Content, identifying the detected malware. Others it blocked with a message that spyware was found. And it flagged quite a few as High Risk, also identifying malware found on the site.

Only two recent products have scored better in this test. Norton and McAfee both managed 91 percent protection, edging out Sophos by a single percentage point.

Less Impressive Malware Blocking

I saved reporting on my own hands-on malware blocking test for last, because the results aren't as stellar as the other tests. This test starts when I open a folder containing my current collection of malware samples. Like many of its competitors, Sophos started checking these samples the moment I opened the folder.

The transient popups that Sophos uses to report threat detection deserve a mention. Many products display a transient notification near the bottom right of the desktop. Some incorporate multiple detection events into a single notification, others stack up notifications so you can view them one by one. Sophos displays a modern-looking transient banner near the top right of the screen.
If there are multiple events, it displays as many as three banners, one below the other. And if there are more than three the new ones take their place as the older ones fade out. It's different, but it works.

Over the course of several minutes, Sophos detected and eliminated 61 percent of the samples. That's not bad, but many competitors wiped out even more of these samples on sight. AVG AntiVirus Free (2016) and Panda Free Antivirus (2016) eliminated more than 80 percent of the samples at this stage.

Next, I launched the surviving samples one at a time, noting whether Sophos detected the attack and using a hand-coded tool to verify how thoroughly it blocked those that were detected. Sophos missed roughly a third of the survivors. Another third managed to plant one or more executable files on the test system despite the product's attempt at protection. With 86 percent detection and an overall score of 7.9 points, Sophos doesn't look good in this test.

Most of the time my hands-on results jibe with results from the labs. When they don't, I give the labs more weight. They have dozens of experts working on antivirus analysis, after all.

Remote Management

I mentioned earlier that you install Sophos Home on a Windows or Mac OS device by logging in to the Home Dashboard. Once you've installed protection on a device or two, you can use the dashboard to remotely monitor and control your installations.

The dashboard's summary page lists all of your devices, along with the number of alerts, threats cleaned, and websites blocked. It also reports the time of the latest update. Below this you get a list of all recent alerts. For alerts involving detection of a Potentially Unwanted Application (PUA), you can remotely choose to ignore the detection or ask Sophos to clean up.

Clicking on a particular device in the dashboard gives you more remote control abilities. You can trigger a scan, or remove Sophos from the device.
And you can toggle the on/off status of the same three components featured on the local product's main page: Automatic Virus Protection, Potentially Unwanted App Detection, and Web Protection.

A Choice to Consider

Sophos Home uses the same technology that gets rave reviews in the service's business-focused Cloud Endpoint Protection. It gets very good ratings from the independent testing labs, and it earned high scores in my hands-on antiphishing and malicious URL blocking tests. I did find its performance in my hands-on malware-blocking test unimpressive, though.

Three free antivirus products have earned the title of Editors' Choice: Avast Free Antivirus 2016, AVG AntiVirus Free (2016), and Panda Free Antivirus (2016). If you're looking for free antivirus protection, these are definitely worth consideration. But since it costs nothing to try a free antivirus, consider giving Sophos Home a whirl, too. You may find that its simple interface and remote management suit your needs.

VU#305096: Comodo Chromodo browser with Ad Sanitizer does not enforce same...

Comodo Chromodo browser, version 45.8.12.391, and possibly earlier, bundles the Ad Sanitizer extension, version 1.4.0.26, which disables the same origin policy, allowing for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities.

Security Think Tank: Ransomware exploits poor security practice in SMEs

Here we are in 2016 and the question on our lips is – can we protect ourselves from ransomware? The answer is yes, but we must recognise that no protection can be 100% effective.

It is important not to underestimate the scale of ransomware attacks or to believe that you are safe if you are not a Microsoft user, as the first attacks on Android devices were identified in 2014. According to one industry report, the number of crypto-ransomware attacks increased in 2014 by more than 4,000%, with small to medium-sized enterprises (SMEs) being the main target due to poor security practices.

On the technical side, we can have spam, malware and bad URL detection engines or services that can be installed in our networks – generally as part of an internet security appliance or firewall – rather than individual boxes installed in front of email servers. The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet-related operations such as file transfer and remote access.

There are also a number of very good commercial cloud-based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Ransomware in email

Even with the best spam, malware and URL detection services, some emails that could form the start of a ransomware attack may get through. These emails contain a URL link that, when clicked, will take the user’s web browser to a website that will attempt to download the ransomware. These emails may not have been detected as malicious for a number of reasons, such as the URL being too new to have been identified as malicious; the patching or updating of an onsite box being out of date; or the URL pointing to a perfectly legitimate website that has been compromised in preparation for a watering hole attack.
The rise in legitimate websites being compromised for the purposes of executing watering hole attacks as a way of delivering malware – including ransomware – means enterprises need to add malware detection to web browsing activities.

Protecting against an attack

Having got the technical side sorted according to an enterprise’s risk appetite and budget, what else can be done to help protect against a successful ransomware attack? Staff awareness training and regular follow-up initiatives are key. It is important to make staff aware that unexpected emails – even from known sources – are suspicious, particularly those that require a URL link to be activated.

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups with at least one copy that is held off network will be vital in service restoration. Note that the off network backup itself should not be used as is, but copied. The copy should then be used to bring the network back, which will protect the good backup from being compromised.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

This was first published in February 2016

ESET Multi-Device Security 9

How many computers, smartphones, and tablets do you have in your house? If the answer is more than two or three, and if they're running a variety of platforms, you're a good candidate for a cross-platform multi-device security suite. As long as your devices run Windows, Mac OS, or Android, ESET Multi-Device Security 9 may suit your needs. However, a little digging suggests that you'll probably do better with one of the competing services.

Comparative Pricing

Pricing for this multi-device security suite is a little different from most. An $84.99-per-year subscription gets you six licenses, $99.99 gets you 10 licenses, and both deals are half-price at this writing. However, your licenses aren't completely interchangeable. In both deals, half the licenses are good for Windows/Mac, the other half for Android. iPhone users are out of luck.

For $89.99 per year, you could get a McAfee LiveSafe (2016) subscription that protects all of the devices in your household, and it supports Windows, Mac OS, Android, iOS, and even BlackBerry. It's worth noting that as of the latest update, all of the products in the McAfee product line include unlimited multi-device support.

Symantec Norton Security Deluxe costs $69.99 per year and protects up to five Windows, Mac OS, or Android devices. At $89.99 per year for 10 devices, Symantec Norton Security Premium is a better deal, and it also includes 25GB of hosted online backup.

Kaspersky Total Security (2016) is a bit pricier, at $89.95 for three devices, $99.95 for five, and $149.95 per year for 10 devices running Windows, Mac OS, iOS, or Android. My own testing suggests that this product is at its best protecting PCs and that its iOS support is seriously limited.

Kaspersky, McAfee, and Norton all let you allocate your licenses any way you like, with no restriction to use some for one platform, some for another.
Unless your collection of devices happens to be evenly divided between Mac/Windows and Android, choosing ESET means you'll wind up with some spare licenses that you can't use.

Getting Started

If you purchase this product online, you get an email explaining how to get started. Those who buy a CD can follow instructions on the box. From the email message, it's simple enough on a Windows or Mac device. Choose the ESET product you want to download, install it, and activate it using the supplied key. As you'll see below, those using Windows and Mac devices can choose between two different security products.

During the course of installation on a Windows or Android device, you'll be prompted to activate ESET Anti-Theft. Sorry, Mac users; you'll just have to rely on Apple's iCloud Find My Mac feature. Anti-Theft activation requires that you create an ESET account, and gives you access to the ESET online portal. I'll cover the portal later; for now, let's look at what's available on the different platforms.

Protection for Windows Devices

Your ESET subscription lets you install either the standalone ESET NOD32 Antivirus 9 or the full ESET Smart Security 9 suite. Since the suite includes everything found in the antivirus and more, most users will choose it. Please read my review of ESET Smart Security for full details on the suite's features. I will briefly summarize here.

ESET's antivirus gets mostly excellent ratings from the independent labs. It didn't fare as well in our own hands-on malware blocking test, but it scored very well in our tests that evaluate protection against malicious URLs and fraudulent (phishing) websites.

The antispam component proved quite effective. It did its job without slowing the process of downloading email, completely avoided throwing valid mail into the spam oubliette, and let just a little over 6 percent of spam into the Inbox.

ESET's firewall component handles blocking outside attacks, but its program control side is rudimentary.
By default, it just allows all outbound access and blocks any inbound access not permitted by rules. If you enable full program control by setting the firewall to interactive mode, it buffets you with popup queries for all programs attempting Internet access, including your browsers and built-in Windows components.

Parental control is limited to content filtering. While the content filter wasn't fazed by off-brand browsers or secure anonymizing proxy websites, it did spend a lot of time blocking Web analytics and other innocuous URLs. In testing, I found that Google image searches, whether naughty or nice, displayed five or more unfiltered images and failed to display any after that first group, stacking up hundreds and even thousands of parental control warning messages.

The suite includes several unusual features, of varying utility. Similar to Kaspersky's Safe Money and Bitdefender Internet Security 2016's SafePay, ESET's Banking and Payment Protection feature offers to open financial sites in a hardened browser that's isolated against interference by other processes.

The anti-theft feature lets you get the location of a lost or missing PC, gather screenshots and webcam photos, and even send a message to the finder of a lost device. In testing, it proved very slow to respond.

Finally, the Device Control system lets you limit access to specific devices or device types for specific users or groups. This last feature will see use in business settings, but probably not at home.

Protection for Mac OS Devices

As with Windows, ESET gives Mac OS users a choice of two protection products, ESET Cyber Security and ESET Cyber Security Pro. A single license for the basic Cyber Security would cost $39.99 per year; for the Pro edition, $59.99 per year. Neither product gives users the same level of security as ESET Smart Security for Windows.

ESET Cyber Security includes antivirus protection, with on-demand, on-access, and scheduled scanning.
You can choose a quick scan that looks in the most likely hiding places, or a deep scan that combs every nook and cranny of your Mac. ESET also scans incoming email for malware. And it checks for Windows and Linux threats, too, so your Mac doesn't become a conduit for malware to attack other devices on the network. I didn't test the Mac version's phishing protection separately, but if it's equivalent to what you get with a Windows installation, it's quite effective. In Windows testing, ESET came closer than many competitors to Norton's detection rate, and did significantly better than the protection built into Chrome, Firefox, and Internet Explorer. Those who opt for the Pro edition (and who wouldn't?) also get simple firewall protection that lets you control data connections both on the local network and the Internet. Firewall protection specifically aims at fending off Wi-Fi attackers. Parental control is also only available in the Pro edition. It's not quite the same as what's in the Windows edition, though it's also limited to content filtering. Instead of year-by-year age-based profiles, the Mac edition offers more general profiles such as Child and Teenager. And instead of almost uncountable categories organized by group and age, the Mac edition offers to block 27 specific categories. A number of features from the Windows edition aren't found on a Mac installation. As noted, anti-theft is only for Windows and Android. The Mac version doesn't include spam filtering. Banking protection and Device Control are also missing in action on the Mac. To be fair, few security vendors offer the same level of protection for Macs as they do for Windows boxes.

Android Protection

Our review of ESET Mobile Security & Antivirus (for Android) is a little dated, but things haven't changed too much. The biggest change I see is that you can now control anti-theft via the Web console as well as through coded SMS messages. We'll update that review when possible.
I found getting ESET installed on my Nexus 9 test device to be a bit awkward. I started by clicking on the Android link in the registration email and launching the resulting APK. Of course, the Nexus refused, warning me that installing apps from unknown sources is dangerous. So I downloaded from the Google Play store…and found that my not-for-sale special activation key wasn't accepted. Luckily consumers won't encounter that second problem. Installing Norton on an Android device is certainly simpler. With Norton, your activation key is baked right into the download link. McAfee can scan your network to find unprotected devices and, for all device types except iOS, it automates linking that new installation with your existing account. With the Android app installed and activated, there are still a few more configuration steps. You must enable anti-theft, create a lock/unlock password, and set ESET as a device administrator; the app walks you through necessary steps. You may need to optimize the device for anti-theft, just like in the Windows edition. For example, if you don't have a strong screen lock (pattern, PIN, facial) you'll have to create one. Anti-theft works in much the same way as under Windows. You can click a button to test the feature, which gets you the current location and snaps photos using both front and back cameras. When you report the device as actually missing, ESET locks it and starts monitoring its location, as well as sending you screenshots and camera photos. Of course, your device might have been found by a nice person who only wants to help you get it back. You can send a message that will show up on the lock screen. The finder can also tap Contact owner to see your email address. If you find the device yourself, you can unlock it by entering the unlock password you created during installation. Most mobile anti-theft products let you invoke four actions: locate, lock, wipe, and scream. 
Locate and lock are automatic when you report an ESET-protected device as missing. Once the device is locked, you can wipe it remotely using the online console. Scroll down to find the button that lets you trigger a siren, to help find the device when it's nearby. When you install ESET on an Android smartphone, you get another set of choices for controlling the anti-theft system. You can send password-protected SMS messages to lock, wipe, or locate the device, or to trigger a loud siren. In addition it can notify a pre-selected trusted friend if your phone's SIM card is removed. Because my Android test device is a tablet, I couldn't directly experience these features, nor the SMS and call blocking features. In any case, SMS blocking only works on Android versions before 4.4. Naturally ESET includes antivirus protection for your Android. You can invoke a Smart, Quick, or Deep scan at any time, and the real-time protection checks new apps for malware. The anti-phishing page clearly identifies the browsers it supports, which is handy. The Security Audit component has two parts. Device Monitoring checks for security problems on the device itself. For example, it warned that my device was set to allow installs from unknown sources, which I knew, since I had to change that setting to install ESET. But it also warned that USB Debugging was turned on. How did that happen? I turned it off right away. The other part, Application Audit, reports on all apps that have certain potentially risky permissions. For example, it lists all apps that can access your contacts, track your location, or use for-pay services. My clean test device was pleasantly free of such apps.

Online Console

I've mentioned that you can manage the anti-theft feature from ESET's online console. At first glance, you might think there's a lot more you can do, as the anti-theft tab is sandwiched between two other tabs labeled Parental Control and Social Media Scanner. However, things aren't quite as they seem.
ESET Parental Control for Android is a separate product that lists for $29.99 per year. That subscription does get you protection for any number of Android devices, but it's not part of ESET Multi-Device Security. As for the Social Media Scanner, there's a bit of a story here. ESET used to offer a Facebook malware scanning app, but that functionality is now built into Facebook itself. You can install ESET's Twitter app to watch for dangerous links in your feed, but here again, this is not actually part of the Multi-Device Security product. Some similar services let you manage your subscription through an online console. As noted, Norton lets you see how many licenses you have left, and helps you use those licenses on new devices. McAfee searches your network for devices that don't yet have protection. ESET's console doesn't include this kind of license management.

Look Elsewhere

A subscription to ESET Multi-Device Security 9 does let you protect your Windows, Mac, and Android devices, but with some limitations. If you go for six licenses, you can use three on Windows/Mac and three on Android. A 10-license subscription protects five Windows/Mac devices and five Android. Few competing products impose this kind of restriction on the use of your licenses. Symantec Norton Security Deluxe protects 10 devices including any mix of Windows, Mac, and Android, for a lower price than ESET, and with 25GB of hosted online backup as a bonus. For the same price, McAfee LiveSafe protects absolutely all of your Windows, Mac, Android, iOS, and BlackBerry devices. And the central Windows security suite in both of these products outscores ESET's equivalent. If you need cross-platform multi-device security, look to Norton or McAfee, our Editors' Choice products in this area.

ESET Smart Security 9

It's pretty easy to define a full-blown antivirus program—it's one that removes any malware that may be present on your system and prevents any attacks going forward. The definition of a security suite isn't so simple, because different vendors choose to meld different components when creating a suite. Antivirus and firewall components are de rigueur, and many suites also include spam filtering, parental control, and protection against malicious or fraudulent websites. ESET Smart Security 9 includes all of the components I've mentioned, along with some interesting bonus features. However, it doesn't quite measure up to the very best suites. Like most security vendors, ESET will happily sell you a single license ($59.99 per year) or a three-license pack ($79.99 per year). Unlike most, ESET leaves you free to choose precisely the number of licenses you need, and the length of your subscription, all the way up to a two-year 10-license subscription for $459.90. Of course, if you really need to protect 10 computers, you might be better off with Symantec Norton Security Premium ($89.99 per year for 10 licenses) or a business-oriented endpoint security solution. Those who've used ESET before will find that the current edition looks rather different. The company's design team did extensive research into just what users want, and came up with a new, streamlined interface. ESET's blue-eyed cyborg mascot still gazes at you from the main window, along with a large banner that reflects your current security status. A left-side menu provides access to tasks like running a scan and configuring security, while a set of buttons across the bottom lets you log into ESET online, launch ESET's online cybersecurity training, or invoke a protected browser for banking (more about that protected browser later).

Shared Antivirus

As is typical, the antivirus protection in this suite is precisely the same as what you get with ESET NOD32 Antivirus 9.
You can read my review of the standalone antivirus for full details—I'll simply summarize here. ESET's technology gets some very good marks from the independent testing labs, though it stumbled a bit in the latest report from AV-Test Institute. On the plus side, Dennis Labs rated its protection AAA, the best rating. ESET also achieved VB100 certification in all of the latest 12 tests by Virus Bulletin. Bitdefender Internet Security 2016 is also 12 for 12 with Virus Bulletin. Bitdefender and Kaspersky Internet Security (2016) score at or near the top with all of the independent labs. In our own hands-on malware-blocking test, ESET didn't fare as well. Its real-time protection component wiped out barely over a third of my samples on sight, whereas some competitors instantly eliminate 80 percent or more. Its final score, 8.6 of 10 possible points, is in the bottom half of current products. Bitdefender and Avast Internet Security 2016 share the top score in this test, 9.3 points. On the plus side, ESET did very well in my malicious URL blocking test. It headed off 84 percent of the malware-hosting URLs, blocking half of those entirely and wiping out the other half during the download process. Top score in this test, 91 percent, is shared by Norton and McAfee LiveSafe (2016). ESET also did a good job of fending off fraudulent (phishing) websites. Its detection rate in testing came in just 8 percentage points below that of perennial phishing champ Norton, and it soundly drubbed the phishing protection built into Chrome, Firefox, and Internet Explorer.

The suite and antivirus share a number of other handy features. A Host Intrusion Protection System aims to block exploit attacks. The Running Processes list shows all processes running on your system, along with their prevalence in the ESET network.
SysInspector gathers information to help tech support understand any problems you may have. And the bootable SysRescue antivirus handles malware that prevents booting Windows, or prevents the regular ESET antivirus from functioning.

Basic Firewall

ESET's firewall component successfully fended off all the port scans and other Web-based attacks that I threw at it. In some cases, it popped up a transient notification specifically identifying the attack as a port scan. Preventing attacks from outside is one face of firewall protection; the other is managing programs that attempt Internet access. By default, ESET's firewall runs in automatic mode, which only offers the most limited form of program control. It allows all outbound traffic, and blocks all inbound traffic that isn't specifically allowed by a firewall rule. In learning mode, the firewall allows any Internet activity a program requests and creates a rule to always allow that access. For testing, I switched the firewall to interactive mode. This is the painfully familiar mode that gave early firewalls a bad name. Every time a program attempts to access the Internet or network, ESET pops up and asks you, the user, to decide whether it should allow or block access. You can make your answer a one-time thing, or check a box to create a firewall rule. The best firewalls, like those found in Norton and Kaspersky, handle such decisions internally. Others, like Check Point ZoneAlarm Extreme Security 2016, rely on a huge database of known good programs to automatically configure almost all permissions. ESET? It will ask you what to do about every single process, including browsers, browser add-ins, and internal Windows components. Worse, when you do answer its query you'll find that you must also respond to a User Account Control popup. Other firewalls, even those that rely on popup queries, manage to avoid the UAC popup. On another system I left the firewall in its default automatic mode.
It still blocked a number of connections, including Windows's own SSDP Discovery and DNS Client. Other blocked connections included a local network backup and my Plex media server. Fortunately, the firewall offers a troubleshooting page that lists recently blocked processes and lets you unblock them. If some network-connected device or service suddenly stops working, take a look at this page. I mentioned that the standalone antivirus includes a Host Intrusion Prevention System. When I hit the antivirus with about 30 exploits generated by the CORE Impact penetration tool, it foiled about 45 percent of them, identifying most by the official CVE name. Since the suite includes a full firewall, I reran that test…but the results came out just the same. Norton is the hands-down winner here, blocking 100 percent of the exploits at the network level, before they even reached the test system. As far as I can tell, malware coders won't manage to disable ESET's firewall protection. I didn't find any significant Registry settings unprotected, and when I tried to terminate its two processes, I just got Access denied. Its single Windows service is hardened—I couldn't stop it, and I couldn't set its startup mode to Disabled. ESET's firewall offers basic protection, and it doesn't seem vulnerable to direct attack. However, if you enable actual program control it will drive you batty with popup queries, and it didn't show any particular ability to detect and block exploits in my testing.

Fast, Accurate Antispam

ESET integrates with Microsoft Outlook, Outlook Express / Windows Mail, and Windows Live Mail to eliminate infected email messages and identify spam. In the incoming POP3 or IMAP email stream, it marks spam messages by adding [SPAM] to their subject lines. If you're using a supported email client, it also moves spam messages into their own folder; if not, you can just define a message rule to do that job.
When you dig into ESET's advanced settings, you'll find that there are a lot of spam configuration choices. By default, ESET whitelists contacts from your Address book, and people to whom you send email. Since my aim is to test the product's ability to distinguish good mail from spam, I didn't attempt to configure the blacklist or whitelist. As for the other settings, I left them all at their default values, just as most users will do. With ESET watching carefully, I downloaded all the messages from a real-world account that gets both spam and valid mail. I discarded anything more than 30 days old, and then sorted the Inbox into valid personal mail, valid bulk mail, and undeniable spam, discarding any messages that didn't clearly fit one of those categories. After performing the same triage on the spam folder, I ran the numbers. I also measured the time required to download 1,000 messages with no spam filter and with ESET active. It didn't put any significant drag on the download process. When I tested the previous edition, I found that downloading email took four times as long, so this is a big improvement. Missing an important meeting or failing to close a deal because your spam filter mistakenly threw away a valid message is a huge problem, much worse than forcing the user to endure a few pitches for male enhancement or Canadian pharmaceuticals. I'm pleased to say that ESET didn't misfile a single valid message. It did let 6.1 percent of undeniable spam into the Inbox, which isn't too bad. Bitdefender and Trend Micro Internet Security 2016 mistakenly discarded just 0.1 percent of valid mail and missed 1.8 percent and 3.9 percent of the spam, respectively.

Problematic Parental Control

By default, ESET's parental control is disabled. That makes sense; many users have no need for this feature. In fact, this feature is a bit hard to find—you must click Tools, then Security Tools, in order to find it.
When you turn it on, you're asked to password-protect your settings, so the kids can't just turn off parental control. Note, though, that this means you'll need to enter the password for any change to ESET's settings. ESET offers per-user configuration based on Windows user accounts. Many parental control systems offer predefined profiles, perhaps Child, Preteen, and Teen. With ESET, you set the age for each child's account, from one year to 30+. I'm not sure why settings exist for ages above 18, but they do. By choosing an age for the child, you configure ESET's multitude of website categories. It's possible to configure categories manually, but their sheer number is daunting. At the top level, they're divided into five age-based groups, ages under 5, 8, 13, 16, and 18 respectively. There's also an age-neutral group. Each group contains up to 15 subgroups for a total of more than 40 subgroups. And each subgroup contains one or more categories. As an example, the Age under 18 group includes a sub-group titled Adult Content. This in turn contains R-Rated, Dating, Abortion - Pro Choice, Abortion - Pro Life, Pornography, and several other categories. Unlike most similar products, here a checkmark next to a category means that it's allowed, not blocked. I set one of my sample user accounts to be 11 years old and tried out a bunch of inappropriate sites. It correctly blocked all of them. On some inoffensive sites, it allowed access but popped up warnings that it blocked access to one or more URLs. Many of these were related to website analytics, things like gstatic.com and googleusercontent.com. This plethora of relatively irrelevant URLs also overwhelmed the log of filtered websites, making it near-impossible to find actual inappropriate sites. I verified that the content filter worked for any browser, even one I wrote myself. It wasn't affected by the simple three-word network command that disables some less-brilliant parental control systems. 
It also correctly filtered secure (HTTPS) sites by category, so your brilliant preteen won't evade parental control using a secure anonymizing proxy. The system broke down when I tried some image searches. Despite the content filter, searches such as "girls with no clothes" got up to 10 results, many wildly inappropriate. Scrolling down the page showed box after box with no image, and the content filter warning messages stacked up wildly—I easily reached a count of 1,000 pending messages. Worse, the same thing happened with innocuous searches like "puppies" and "kitties." There's a real problem here. Content filtering is the entire extent of ESET's parental control. It does the job for wholly inappropriate websites, but its blocking of Web analytic sites and other less-relevant categories screws up its reporting. And in my testing, it interfered with all image searches, while passing a handful of images for any category, even porn. Don't rely on ESET for parental control.

Banking and Payment Protection

It's always smart to stay alert when randomly surfing the Web. Even an established popular site can give you problems if it's infected by a malvertising attack. Surfing for the best cat videos is one thing; interacting with your bank online is completely different. ESET's new Banking & Payment Protection aims to ensure that your online financial transactions are completely safe. When you try to visit a known banking or financial site in your unprotected browser, ESET offers to open it in the secure browser instead. You can choose to have it always open this particular site in the secure browser. Kaspersky's similar Safe Money feature launches a secure browser to protect your transaction. Bitdefender's SafePay launches a hardened browser in a separate desktop. ESET applies its protection to the browser you already use; I tried it with Chrome, Firefox, and Internet Explorer. You can easily see when this mode is active.
The browser gets a green border, and a Secured by ESET tab appears in its title bar. When you close the secured browser, all traces of your actions vanish. You can also launch this feature directly from the suite's main window.

Unusual Anti-Theft

Anti-theft is a common feature for mobile security products—indeed, loss or theft of a mobile device is more likely than a mobile malware attack. McAfee and Symantec offer mobile device anti-theft. ESET offers the unusual ability to track your Windows computers in the event of loss or theft. Clearly this is most useful for laptops; desktop computers are less likely to be stolen. Bitdefender Total Security 2016 offers a similar feature. It keeps track of your device's location and lets you remotely lock or wipe a missing device. The Find My Laptop feature in ZoneAlarm Extreme lets you locate the device, capture screenshots or webcam photos, and optionally back up data before wiping an unrecoverable device. In order to make use of this feature, you must first enable it on the affected device. Once Anti-Theft is enabled, you still have a couple of simple tasks to perform. ESET makes it easy. Clicking one button sets up what they call a phantom user account. If necessary, clicking another reconfigures your device so it doesn't automatically log in to your usual account. That's it! In the event your device is lost or stolen, you log into ESET's online console and click a button to report the loss. This reboots the device, blocks access to all but the phantom Windows account, and starts device monitoring, which includes location, screen captures, and webcam photos. It also presents the finder with a message containing your contact info, on the chance that the device is merely lost, not stolen. Of course, the device must be online to receive instructions from the anti-theft system. Once you've marked your device as missing, you still have to wait for the next check-in.
At that point, ESET reboots the system and logs into the limited phantom account. The thief (or finder) has no access to your files, and ESET starts sending location info, screenshots, and webcam photos. If you determine that the device has been found by a nice person, you can send a message with your contact information. I ran into serious trouble getting this feature working, trouble that required live chat tech support and phone support as well. At one point, the live chat technician duplicated my problem. To summarize literally hours of tech support, it turns out that rebooting before ESET has finalized the phantom account can leave anti-theft non-functional, and this finalization can take 10 minutes or more. In fact, my test systems didn't go into anti-theft mode until more than an hour after I clicked the button to activate that mode.

Device Control for Experts

When you click Setup and choose Computer Protection, you'll find a choice entitled Device Control. It's disabled by default; enabling it requires a reboot. Once Device Control is enabled, you gain the ability to define specific rules about all kinds of devices that connect to your computer, USB drives, Bluetooth devices, smartcard readers, and more. For individual devices or device types you can choose whether to block all access, allow access, or allow access with a warning that this access is logged. If the device includes storage, you can choose to enable it for read-only access. Your rules can apply to all users, or to specific users or groups. However, in order to specify a list of users, you have to dig down into the awkward Windows dialog titled Select Users or Groups. Really, only the most expert users will find this feature manageable, and the average user probably doesn't have any need to set limits on attached devices. I see this feature as being much more useful in an office setting.

Performance Hit

Performance is as important as protection in a security suite; if the suite gets in the way, the user may get disgusted and turn it off. Vendors know this, so modern suites tend to have very little effect on performance. I was somewhat surprised to find ESET's performance hit on the high side, given that the previous edition evidenced a much smaller slowdown. But rerunning my baseline (no suite) tests and my tests with ESET installed yielded the same results. I calculate the time required to boot the test system by waiting for 10 seconds in a row with CPU usage of five percent or lower. Once the system reaches this ready-to-use state, I subtract the start of the boot process, as reported by Windows. Averaging multiple runs with no suite and with ESET installed, I found boot time increased by 22 percent. That's more drag than many suites, but do note that this 22 percent represents just 12 seconds more actual time. Somewhat surprisingly, my file move/copy test took 61 percent longer with ESET installed. This test simply measures the time required to run a script that moves and copies a large collection of files between drives. A repeat of the test yielded an even bigger slowdown; I stuck with the first measurement. The related zip/unzip test, using the same file collection, took 35 percent more time under ESET's protection. ESET slowed both of the file-related tests more than almost any recent suite. Even so, I didn't observe any feeling of sluggishness while running my tests. Note, though, that some competing products display almost no impact on these simple tests. Webroot SecureAnywhere Internet Security Plus holds the record here. The average of its three performance scores is just 1 percent.

Uneven Protection

The antivirus component in this suite is quite good, as are the antiphishing and spam filter components.
However, parental control is both limited and problematic, the firewall offers just the basics, and I ran into some serious trouble with the anti-theft component. For some business settings the Device Control may seem compelling, but the average user should stick with one of our Editors' Choice suites. The security components in Bitdefender Internet Security and Kaspersky Internet Security are all top-notch, and these two companies get excellent marks from the labs. If you need to protect many computers, McAfee LiveSafe or Symantec Norton Security Premium will cost you much, much less than ESET, and will do a better job.

Google calls out Comodo’s Chromodo Chrome-knockoff as insecure crapware

Google security boffins have thrown the book at Comodo for turning off Chrome security. As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo's own browser, Chromodo. That little bit of crapware isn't secure at all: it's set as the default browser, and "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," Google's Tavis Ormandy notes. Chromodo is promoted as a "private browser" on Comodo's website, but it's not only not private, it's not remotely safe to use, because it also disables Chrome's same-origin policy. The same-origin policy enforces a rule that one script can only access data in another script if they're both from the same site. Without it, users are exposed to malicious sites sniffing private data. Google went public with the feature bug because Comodo was unresponsive, we're told. It's not the first time Comodo's been called out for crapware. In 2015, its PrivDog browser was slapped down by the US Department of Homeland Security for man-in-the-middling users' SSL sessions. Given that Comodo is also a certificate authority, bypassing end user security is a serious breach of trust. If you've got Comodo's browser installed on your machine, get rid of it.

Russia, China are totally BFFs when it comes to Internet security

Moscow, Beijing will share info when the Internet is used for "criminal purposes."