Google stopped trusting Symantec after discovering the CA had mis-issued thousands of certificates over several years, and researchers found that phishing sites were using PayPal-labeled certificates issued by Linux Foundation’s Let’s Encrypt CA.
Even with these missteps, the CAs play a critical role in establishing trust on the internet.
I always tell them the same thing: It's difficult for a free CA to actually provide any security assurance.
There is no free lunch. I was reminded of this maxim when I read a recent article from HashedOut revealing that the popular, free Let's Encrypt has issued more than 15,000 digital certificates with the word "PayPal" in the subject name. PayPal itself doesn't use Let's Encrypt, so it's likely that most of these digital certificates are related to phishing attacks (according to HashedOut's analysis, that would be a whopping 96.7 percent of them).
I try my best to review the latest security suite and antivirus releases from all the security companies, but occasionally I miss one. The 2016 product line from TrustPort slipped past me. I hoped that with two years of innovation rather than the usual one, I would see remarkable improvements in TrustPort Internet Security Sphere, which fared poorly in my last review. Sadly, it didn't score any better than when I last reviewed it in 2015.
At $37.95 per year for three licenses (or $29.95 for a single license), TrustPort is significantly less expensive than most competing products. Bitdefender, Kaspersky, and Norton all cost just a little more than twice as much. On the other hand, those three are much more effective than TrustPort. For the same price, McAfee Internet Security lets you install protection on every Windows, Mac, Android, and iOS device in your household.
The main window for TrustPort's antivirus features a single row of five square buttons, while the full suite has two rows of five, to accommodate its additional features. The six green buttons turn components like the real-time scanner and parental control on and off. Blue buttons invoke actions such as running a scan or checking for updates. It's a different arrangement of square buttons from the version I reviewed previously, and a different color scheme, but not a lot else has changed, appearance-wise.
Shared Antivirus Features
This suite's antivirus protection includes everything found in TrustPort Antivirus Sphere, plus an additional Web scanner component. Please read that review for full details of features common to both. I'll summarize here and focus on the suite's additional antivirus abilities.
Several high ratings from the independent testing labs mark a highly effective antivirus. Alas, only one of the labs that I follow includes TrustPort. In its RAP (Reactive And Proactive) test, Virus Bulletin scored TrustPort at 85.34 percent, a little above the average score. But that's not enough data for me to come up with an aggregate lab rating. On a scale of 10 possible points, Kaspersky Internet Security earned an impressive aggregate score of 9.8, while Norton managed 9.7 points.
In my own hands-on malware-blocking test, TrustPort detected 87 percent of the samples and earned 8.5 of 10 possible points. That's one of the lower scores among products I've tested with this sample set. Webroot SecureAnywhere Internet Security Plus, Comodo, G Data, and a few others detected every single sample. Webroot, Comodo, and PC Matic earned a perfect 10 points in this test.
My malicious URL blocking test uses very new malware-hosting URLs. Products get equal credit for blocking all access to the URL and for eliminating the malicious executable during download. Handicapped by lack of any Web-based protection, TrustPort's antivirus managed to wipe out 70 percent of the samples during download. When I tested the suite, its Web scanner blocked access to 21 percent of the URLs, and the real-time antivirus took care of another 55 percent. The total protection rate of 76 percent is still pretty low. Tested in the same way, Symantec Norton Security Deluxe blocked 98 percent of the samples.
Other Shared Features
The antivirus includes a feature called Anti-Exploit, but it's not about blocking attacks that exploit unpatched vulnerabilities, as you might expect. Rather, it looks for suspicious activity, things like programs attempting to manipulate other programs. In its default silent state, it doesn't do anything at all. When I took it out of silent mode and tested it with some valid programs, it found 40 percent of them to be suspicious. To get those programs working, I had to add them to the trusted list.
Next I switched from Anti-Exploit to an alternate tool called Application Inspector and tested again with a collection of valid programs. The Application Inspector flagged 30 percent of them for a different set of suspicious behaviors than Anti-Exploit did. You're better off just leaving this feature in its silent, do-nothing mode.
Clicking the Extra Applications button doesn't actually get you any extra applications, at least not in the standalone antivirus. Rather, it offers access to two different but equally complicated techniques for creating a bootable antivirus. You can use a bootable antivirus to clear up malware infestations that resist normal disinfection. However, the options offered by TrustPort are just too complex for the average user. The full security suite does offer extra applications, which I'll describe below.
Poor Phishing Protection
Phishing is the practice of creating fake versions of sensitive websites and hoping some poor chump takes the bait. Victims who log in to a fake PayPal site, for example, have just given away the credentials to their real PayPal account. These fraudulent sites get blacklisted and taken down quickly, but the fraudsters just reopen with a new fake site.
To test phishing protection, I use the newest phishing URLs I can find, preferably ones that have been reported as fraudulent but not yet analyzed and blacklisted. I try to visit each in a browser protected by the product under test, and in another browser protected by Norton, which has a long history of effective phishing detection. I also launch each URL in Chrome, Firefox, and Internet Explorer, relying on each browser's built-in fraud detection.
The first time TrustPort blocked anything, it popped up the standard notification it uses when it detects malware in a file. I resolved to track such events separately from times when the Web scanner denied all access to the fraudulent site. But I didn't need to do that. Not once did I see a page replaced by the Web scanner's warning window. In addition, I found that even when TrustPort reported that it found phishing, the fraudulent page was completely accessible, and I had no trouble entering my (fake) credentials.
Very few products can match Norton's detection rate in this test. Of all recent products, ZoneAlarm tied Norton, while Webroot, Kaspersky, and Bitdefender Internet Security 2017 did a little better. Every other product lagged Norton's detection rate, some by a little, some by a lot.
TrustPort falls in the "by a lot" category. Its detection rate came in 66 percentage points behind Norton's. Chrome and Internet Explorer also beat TrustPort by a wide margin. This is a poor showing.
TrustPort's firewall handled the basic task of fending off outside attack just as well as Windows Firewall. It put the system's ports in stealth mode, making them invisible from the outside, and fended off my port scans and other Web-based attacks. In a recent test, G Data Internet Security 2017 went even further, presenting a notification that it blocked a port scan attack.
Of course, merely doing as well as Windows Firewall isn't a huge accomplishment. Most personal firewalls, TrustPort included, also take control of how programs connect to the Internet and network. Early personal firewalls foisted decision-making on the poor, uninformed user. Should I allow netwhatever.exe to connect with the computer at IP address 184.108.40.206 over port 80? Who knows! Some products, ZoneAlarm among them, cut down on these popups by maintaining a huge database of known good programs and automatically configuring permissions for those.
Norton takes this concept to the next level. If a process isn't in the database, Norton doesn't ask the user what to do. Rather, it monitors that process extra-closely for any suspicious network activity. That's much better than relying on the untrained user for important security decisions.
TrustPort offers four levels of firewall protection, but if you read the text associated with each, it doesn't actually recommend any of them. The default level is called Use Firewall Rules, but the text states this is only recommended for experienced users. The description of the less-strict Enable Outgoing Connections level includes a warning that it can't defend against Trojans and spyware. And there's no point in the options that block or allow all network traffic. For testing, I stuck with the default, Use Firewall Rules.
In this mode, TrustPort is totally old-school. It did correctly pop up a query about my hand-coded browser's use of the network, and it managed to detect a couple of leak test programs trying to evade its view. But it also popped up queries for numerous internal Windows components. A user who accepted the default action, blocking that process from Internet access now and forever, would wind up disabling parts of Windows.
Fixing a program blocked in error is also tough with this suite. You click Advanced Configuration, find the Firewall section, and open the Filter Definitions page. Scrolling past dozens and dozens of confusing default rules, you'll eventually find application-specific rules. You could jump in and edit the rule that's blocking the program, but you're better off just deleting the entry and choosing to allow access next time the firewall asks.
Protection against exploit attacks is often a firewall feature. I tested TrustPort's protection by hitting the test system with several dozen exploits generated by the CORE Impact penetration tool. Its Web protection component jumped in to block 30 percent of them, identifying all but one of the exploit attacks by name. Tested in the same way, G Data blocked 50 percent of the exploits. Norton has the best score in this test. It blocked 63 percent of them, all at the network level, before any portion of the exploit reached the test system.
I always investigate methods that a nefarious coder might use to disable firewall protection. TrustPort doesn't seem to store anything in the Registry, so there's no way I could flip the Off switch. I tried to kill its six processes using Task Manager, with no result beyond six Access Denied messages.
However, like G Data, F-Secure Internet Security, and a few others, TrustPort doesn't protect its essential Windows services. I set the Startup Type for all six to disabled and rebooted the system. On reboot, TrustPort didn't run at all. Comodo also didn't protect its services, but on reboot it reported the problem and offered to fix it automatically.
This firewall handles the same tasks that the built-in Windows Firewall does, which is no great feat. Its program control component pops up queries about Windows components; a hapless user who chooses the default block action may disable part of Windows. And the firewall isn't properly hardened against attack. It's not an impressive showing.
Clicking the big Extra applications button on the main window lets you launch Portunes (rhymes with fortunes) and Skytale (rhymes with Italy). Portunes offers static storage for your passwords and other important data. Skytale encrypts messages. And neither is very useful.
Portunes stores passwords, credit cards, contacts, addresses, and more. You define what it calls a PIN to protect the collection. Last time I reviewed this product, it required a four-digit PIN; now you can enter a respectable master password. That's an improvement, albeit a minor one.
However, Portunes doesn't have any password management features other than including passwords among the things it stores. You can, if you wish, sync your data between multiple installations. To do so, you give Portunes access to your Dropbox account.
As for Skytale, it's easy enough to use. Type or paste in some text, click Encrypt, enter a password, and email or otherwise transmit the resulting gibberish to the recipient, sending the password separately. The catch is, the recipient must also be a TrustPort user. Quite a few encryption utilities don't have that kind of limitation. Some let you create a self-decrypting EXE file, while others offer a free decryption-only tool. Without any similar feature, Skytale isn't terribly useful.
Optimalize Your PC
"Optimalize" may not be precisely English, but it's what the button says. Clicking it launches TrustPort Optima, a simple tune-up utility that deletes temporary files, wipes out useless and erroneous Registry entries, and defragments your disk drives.
You start by clicking Analyze. On my test system, this step went quite quickly for the temporary files and Registry data, but it took quite a while to finish analyzing disk fragmentation. In a similar fashion, the actual cleanup of temp files and Registry went quickly, while defragmentation took quite a bit longer. You can click for a retro view that shows the defrag process as it happens.
If you rely on Web-based mail for your personal email account, you probably don't see much spam, as the major webmail providers filter it out. Likewise, your business email account probably gets filtered at the email server. Given that few people need a spam filter these days, and that my antispam testing was the most lengthy and laborious of all my tests, I dropped that hands-on test last year.
That's a good thing for TrustPort. The last time I reviewed this suite's spam filter, I found it to be quite dismal. It noticeably slowed the process of downloading email, and certain messages caused it to hang, cured only by quickly turning spam filtering off and on again. And its accuracy was terrible. We can hope that the designers have tuned this component since that time.
The spam filter supports Outlook, Outlook Express, Windows Mail, Thunderbird, and The Bat!, but not Windows Live Mail (the replacement for Outlook Express and Windows Mail). Even with these supported email clients, you still must define a message rule to put the spam in its own folder.
You can manually add email addresses or domains to the whitelist or blacklist. However, there's no option to automatically whitelist addresses to which you send mail, or import the address book to the whitelist, the way you can with ESET, Trend Micro Internet Security, and others.
Spam filtering in Check Point ZoneAlarm Extreme Security 2017 is extremely comprehensive and boasts pages and pages of configuration choices. I'm happier with a reduced set of choices, things users can actually understand. TrustPort's advanced spam filter settings are decidedly reduced—there are just four of them—but the average user will get no benefit from meddling with these.
Not everyone has kids, and not every parent wants a parental control utility. For those who do want it, having parental control integrated with the security suite can be convenient. That is, if the parental control component does its job.
TrustPort's Parental Lock is a content filter, nothing more. If you turn it on by clicking its button on the main window, it immediately starts filtering access to websites in five categories: Violence, Porn, Warez, Hacking, and Spyware. You can tweak the configuration to also filter out seven more categories, among them Chat, Shopping, and Drugs.
By default, the filter applies to all users. It's possible to configure it one way for your teen and another way for your toddler, but it's far from easy. Doing so requires using the arcane Windows Select Users dialog. Guys, couldn't you just give Mom and Dad a simple list of user accounts?
In testing, I found that quite a few seriously raunchy sites got past the filter. It doesn't handle secure sites, so any HTTPS porn sites slipped right through. Logging in through a secure anonymizing proxy lifted any limitations by the content filter.
This so-called parental control system is worse than useless. If you want a suite that includes a full-functioning parental control system, look to Norton, Kaspersky, or ZoneAlarm.
More Drag Than Most
The days of resource-hogging security suites that bogged down performance are gone. Users wouldn't accept it, and security companies changed their ways. Few modern suites put a noticeable drag on performance. Even so, there's still a range, and in my hands-on testing TrustPort's performance drag came in on the high side.
Getting all the protective components of a security suite loaded can have an impact on the time it takes to boot up your PC. My boot time test waits for 10 seconds in a row with less than five percent CPU usage, defining that as the time the system is ready for use. Subtracting the start of the boot process, as reported by Windows, yields the boot time. I ran this test 20 times before installing TrustPort and 20 more times afterward, then compared the averages.
The result was so high that I tried again, this time watching the process closely. I found that at each reboot, the firewall was popping up queries about system processes. I manually rebooted the system over and over, responding to all the popups until they stopped coming. When I re-ran the test it still showed a 54 percent increase in boot time. That's one of the biggest impacts among current products. Fortunately, most of us don't reboot any more than we're forced to.
I also measure the suite's impact on simple file manipulation. One test times a script that moves and copies a mixed collection of files between drives. Averaging multiple runs with and without the suite, I found the script took 28 percent longer with TrustPort present. That's a little more than the current average of 23 percent. On the plus side, it didn't exhibit any measurable drag on another script that repeatedly zips and unzips those files.
The average of TrustPort's three performance scores is 27 percent, one of the largest among current products, but I didn't actively notice the test systems seeming slow. At the other end of the spectrum, Webroot had no measurable effect on any of the three tests. Norton averaged just five percent drag, which is quite good.
Typically I'd conclude by summarizing the good and bad points of TrustPort Internet Security Sphere, but there's just not much I can say on the plus side. The independent labs don't rate it, and it fared poorly in our hands-on tests. Its firewall pops up warnings even for Windows internal processes, and it isn't defended against hacking. And the parental control system is worse than useless.
Forget about this suite. Look instead to one of our Editors' Choice security suite products. For a basic security suite, those are Bitdefender Internet Security and Kaspersky Internet Security.
Credentials from the likes of Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, Instagram and Twitter will also be sucked up and sent to unknown parties. Antivirus firm Dr Web says the app is standard fare in terms of malicious Android apps but is unusual in that the code has been offered up for free, something that will likely result in the creation of more malicious apps. "When an SMS message arrives, the trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original messages from the list of incoming SMS," Dr Web researchers wrote. "As a result, a user could miss not only bank notifications about the unplanned transactions but also other incoming messages. "In general, the [capabilities] of this trojan are quite standard for modern Android bankers, however, as cybercriminals created it with publicly available information, one can anticipate that many trojans similar to it will appear." Harvested device data is shipped to attackers' command and control servers and appears on administrator panels from where the application can be controlled. The app can also steal all phone contacts, track user location, and create phishing dialogues.
Image: Lawrence.
Those subtle intrusions across the line open avenues for phishers; chevron popups can be faked and 'block' and 'allow' buttons turned into malicious clickable links, for example. In 2005, a remote code execution flaw affecting Firefox was dug up which abused favicons, the untrusted icons websites set that appear in tabs and bookmarks. The line of death deteriorated in 2012 when Microsoft moved Windows 8 Internet Explorer to its full screen minimalistic immersive mode. Lawrence, then program lead for Internet Explorer with Microsoft, opposed the move and says it made the line of death indistinguishable from content. "... because it (Internet Explorer) was designed with a philosophy of 'content over chrome', there were no reliable trustworthy pixels," he says. "I begged for a persistent trust badge to adorn the bottom-right of the screen - showing a security origin and a lock - but was overruled." He says one Microsoft security wonk built a "visually-perfect" Paypal phishing site that duped the browser and threw fake indicators. "It was terrifying stuff, mitigated only by the hope that no one would use the new mode." The breaching of the line of death is a boon to picture-in-picture phishing attacks, in which attackers create what appear to be fully functional browsers within a browser.
Immaculate reproductions of browsers including the trusted sections above the line of death have been created that fool even eagle-eyed researchers. Microsoft's own security researchers in 2007 would find picture-in-picture attacks to be virtually perfect.
The team of four wrote in the paper, titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks [PDF], that the attack vector was so compelling it beat all other phishing techniques, including homograph tricks in which letters of legitimate URLs are replaced with visually similar equivalents from, for example, the Cyrillic alphabet.
Everything is untrusted: The line of death dies in HTML5. Image: Lawrence.
Picture-in-picture attacks also rendered ineffective the then-new extended validation SSL certificate scheme for determining malicious sites.
Extended validation, now mainstream, displays a green address bar padlock for participating and verified sites.
The inconvenient research spooked one large certificate vendor then in talks with Redmond over buddying up for the then new certificates. The line of death receded further with the advent of HTML 5, which brought with it the ability for websites, and phishers, to push browsers into fullscreen mode, which wiped any line between trusted and untrusted content. And the line is all-but-absent on mobile devices, where simplicity and minimalism are king. "We are seeing a lot more hits on phishing links in mobile because it is so much harder to extract necessary information," Sophos senior technology consultant Sean Richmond tells El Reg. "Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer." Email apps are similarly breaching the line of death. Outlook's modern versions place a trusted message of "this message is from a trusted sender" within the untrusted email contents window, allowing phishers to replicate the notice. "Security UI is hard," Lawrence says.
The logged keypresses would be siphoned off to a website called limitlessproducts.org. Shames was eventually snared by FBI agents after selling his software from a PayPal account that was registered in his real name, according to court documents obtained by The Register.
That PayPal account was connected to an email address – email@example.com – that answered support queries for the malware and was also the contact address for the domain name limitlessproducts.org.
Shames had registered that domain under his real name and home address, too. An ice hockey fan and one-time country club waiter, Shames built the software nasty while he was in high school, according to the DA's office. When he graduated from Langley High, in Fairfax, Virginia, he continued to develop and peddle his malware online from his JMU dorm room in Shenandoah Hall. According to his LinkedIn page, Shames, a 3.7 GPA student of Great Falls, Virginia, worked as an intern at Northrop Grumman from 2015 to August of last year, developing front-end website code and backend Java software and managing a MySQL database.
Spyware author Zach Shames
"I am a Junior at James Madison University working towards a degree in Computer Science," the malware author boasts on his personal website. "I am really interested in developing cool new programs and I want to expand my skills to make me a more well-rounded programmer.
I have been programming for the past six years, and in my spare time I do freelance design jobs and coding for various programs/websites.
I am passionate about anything and everything internet and technology." Here's how passionate he was.
According to prosecutors, "Shames developed malicious software, known as a keylogger, that allowed users to steal sensitive information, such as passwords and banking credentials, from a victim's computer. "Shames sold his keylogger to over 3,000 users who, in turn, used it to infect over 16,000 victim computers.
Shames developed the initial versions of his keylogger while attending high school in Northern Virginia, and continued to modify and market the illegal product from his college dorm room." The kid will be sentenced on June 16.
Some antivirus companies that are big in Europe don't get as much mindshare here in the US.
G Data is one such security software maker.
According to the G Data website, G Data developed the very first antivirus in 1985; while some dispute that claim, the company has clearly been around for a while.
G Data Antivirus 2017 is the company's latest, and it does a good bit more than the basics of antivirus protection.
At $39.95 per year for a single license, G Data is in good company price-wise.
Bitdefender, Kaspersky Anti-Virus, Norton, and Webroot are among the numerous products at that price point.
For another $10, you can install G Data on up to three PCs.
If you go for a multi-PC license, you create an account for the first installation, then log in to that account for the rest.
G Data's main window features a bold red banner across the top. Not red for danger, or for stop—it's just red.
The rest of the main window displays the status of the product's numerous protection features, in several groups.
A green checkmark icon indicates that the feature is fully active.
For a partially disabled component, the icon changes to a yellow exclamation point; a fully disabled feature gets a grey dash icon. Naturally, you want to see green across the board.
G Data participates in testing with three of the five independent testing labs that I follow.
In Virus Bulletin's RAP (Reactive And Proactive) test, it scored 85.19 percent.
The average score for products I follow is 81.99 percent, so G Data comes in above average. PC Pitstop PC Matic scored highest in the latest test, with 94.75 percent, but failed overall due to many false positives.
Testers at AV-Test Institute look at antivirus products from three different perspectives, assigning up to six points for each of the criteria.
G Data earned 6 points in the all-important protection category, and by avoiding false positives (detection of valid programs as malicious) it managed another six points for usability.
A small impact on performance dragged its score in that category down to five points, however.
The overall score of 17 points wasn't quite enough to earn it a Top Product rating, but it's good.
In that same test, Kaspersky scored a perfect 18 points.
Bitdefender, Quick Heal, and Trend Micro Antivirus+ Security got 17.5 points.
These four earned the designation Top Product.
Most of the lab tests I follow report a range of results. MRG-Effitas takes a different tack.
To pass the banking Trojans test, a product must protect against every sample used; anything less is failure. Over 70 percent of tested products fail, G Data among them.
Due to the binary pass/fail nature of this test, I give it less weight when calculating an aggregate lab score.
G Data's three lab results worked out to an aggregate score of 8.7 points, which is better than most companies manage. However, based on tests from all five labs, Kaspersky took 9.8 of 10 available points, the best aggregate score.
Avira Antivirus and Norton managed 9.7 points, each tested by three of the five labs.
Effective Malware Blocking
Your antivirus utility has many opportunities to save your PC from malware attack.
It can block access to the malware-hosting website, eliminate the threat on download, detect and delete known malware based on its signature, and even detect unknown malware based on behavior alone.
G Data includes all of these layers of protection, and my hands-on testing showed them in action.
In addition to scanning files on access, G Data scans your computer any time it's idle.
Between real-time protection and idle-time scanning, there isn't a screaming need for a full scan of your whole computer.
If you want a full scan, you click the Idle Time Scan link on the main window and choose Check Computer.
A full scan of my standard test system took an hour and 40 minutes, over twice the current average of about 45 minutes.
But once again, unless you actively suspect an infestation you should be able to just rely on the idle-time scan.
When I opened the folder containing my current collection of malware samples, G Data started examining them.
The process was slower than with many competing products, but clearly very thorough.
In most cases, it offered to quarantine the item as its default action; for a few, it advised simply blocking the file from execution.
By the time it finished, 97 percent of the samples were either quarantined or deactivated.
I keep a second set of samples on hand; these are modified versions of the originals.
To create each modified sample, I change the filename, append nulls to change the file size, and overwrite some non-executable bytes.
G Data detected all of the same samples, even in their tweaked form.
In addition, it detected all the remaining samples after execution, for a 100 percent detection rate. Webroot SecureAnywhere AntiVirus, F-Secure, and Ashampoo Anti-Virus 2016 also detected 100 percent of the samples. PC Matic also blocked 100 percent of the samples, but then, it blocks any unknown program.
Webroot managed a perfect 10 points in this test.
G Data, like F-Secure Anti-Virus, allowed a few executable traces to hit the test system, but the 9.8 points both of them earned is still very respectable.
For another view of each product's ability to protect against malware, I use a feed of current malware-hosting URLs supplied by MRG-Effitas.
I launch each URL in turn, discarding any that are defective, and noting whether the antivirus blocks access to the URL, wipes out the malware download, or fails to respond at all.
I keep at it until I've accumulated data for 100 malicious URLs.
G Data earned a 78 percent detection rate in this test, in most cases by blocking access to the malware-hosting URL.
That's just a middling score.
Symantec Norton AntiVirus Basic and PC Pitstop managed 98 percent protection, with Avira close behind at 75 percent.
I didn't see G Data's behavior monitoring kick in during these tests, because other protection layers beat it to the punch.
In any case, behavior monitoring in some antivirus products bombards the user with dire warnings about good and bad programs alike.
For a sanity check, I installed about 20 old PCMag utilities, programs that tie into the operating system in ways that malware might also do.
G Data didn't flag any of the PCMag utilities, but it did give the stink-eye to two of my hand-written test programs.
It popped up a clear warning that the test program might be malicious, with a detailed list of its reasons, and its reasons made total sense.
A program that launches Internet Explorer and manipulates it to download malware? That's suspicious! I'm pleased to see that behavior monitoring kicks in for a pattern of suspicious behavior, not for every little potential problem.
So-So Phishing Protection
Writing a data-stealing Trojan and getting it somehow installed on victim PCs can be a tough job.
Simply tricking users into giving away their passwords and other personal data can be quite a bit easier. Phishing websites masquerade as financial sites, Web-based email services, even online games.
If you enter your username and password on the fraudulent site, you've given the fraudsters full access to your account.
If the website looks just like PayPal but the URL is something goofy like armor-recycling.ru, at least some users will detect the fraud.
But sometimes the URL is so close to the real thing that only those with sharp eyes will spot it as a fake.
Antivirus programs that have a Web protection component usually attempt to protect users against phishing as well, and G Data is no exception.
To test the efficacy of a product's antiphishing component, I first scour the Web for extremely new phishing URLs, preferably URLs that were reported as fraudulent but that haven't yet been analyzed and blacklisted.
I launch each simultaneously in one browser protected by the product under test and another protected by long-time fraud fighter Norton.
I also launch each URL in instances of Chrome, Firefox, and Internet Explorer, relying on the browser's built-in phishing detection.
Because the collection of fraudulent sites differs every time, I report results in relative terms rather than absolute detection rate.
Very few products do better than Norton in this test, but many come closer than G Data did.
G Data's detection rate came in 45 percentage points below Norton's, which is a poor result.
Internet Explorer and Chrome both did a better job than G Data. Yes, G Data beat Firefox, but Firefox hasn't been doing very well lately.
The lesson here? Don't turn off your browser's built-in phishing protection.
Along with the expected antivirus features, G Data gives you several features that you'd expect to see in a security suite.
I tested its exploit protection by hitting the test system with about 30 exploits generated by the CORE Impact penetration tool.
It identified 30 percent of the exploits by name and blocked another 20 percent using more generic detection.
That 50 percent detection total is as good as what Kaspersky Internet Security managed in this test. Norton leads this test, with 63 percent protection.
Like Safepay in Bitdefender Antivirus Plus 2017 and Kaspersky's Safe Money, G Data's BankGuard feature aims to protect your financial transactions.
Bitdefender uses a whole separate desktop to run Safepay, and Kaspersky puts a glowing green border around the browser protected by Safe Money.
By contrast, BankGuard works invisibly to protect all your browsers.
The only way to see it in action is to encounter a Trojan that attempts a man-in-the-browser attack or other data-stealing technique.
The related keylogger protection feature was easier to test than BankGuard.
I installed a popular free keylogger, typed some data into Notepad, typed into my browsers, and then typed in Notepad again. When I brought up the keylogger's keystroke capture report, it showed no keystrokes between the two uses of Notepad.
To test G Data's ransomware protection component, I first turned off every other feature related to real-time malware protection. When I launched a ransomware sample, it quickly popped up a warning about suspicious behavior that suggests encrypting ransomware, with the caveat that if you are actively running an encryption utility yourself, you can ignore the warning. My G Data contact noted that in most cases, some other layer of protection will block the ransomware before it gets to this point.
G Data has long featured the ability to manage the programs that launch automatically when your system boots.
Its Autostart Manager can delay launch of any such program for from one to 10 minutes, or set it to never launch at startup. You can also configure it to launch the program when the system's startup activity has died down.
This is a more fine-grained control than you get with the similar feature in Norton.
A Mature Product
G Data has been around longer than almost any of its competitors, and G Data Antivirus 2017 is a mature product.
Since my last review, it has added components specifically designed to protect against exploits, keyloggers, banking Trojans, and ransomware.
It earned a great score in my hands-on malware-blocking test, and took decent scores from the independent testing labs. However, it proved less effective at blocking access to malicious and fraudulent URLs.
Bitdefender Antivirus Plus and Kaspersky Anti-Virus earn top scores from the independent labs.
Symantec Norton AntiVirus Basic scored high in all of my hands-on tests, and includes an impressive set of bonus features. Webroot SecureAnywhere Antivirus goes even farther with behavior-based detection, making it the tiniest antivirus around.
And a single license for McAfee AntiVirus Plus lets you install protection on every device in your household. Out of the huge range of antivirus products, these five have earned the title Editors' Choice.
In the security realm, I’ve always been a huge fan of the Trusted Computing Group.
It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner. The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security.
Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings.
Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it.
Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices. All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks.
Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method.
The latter method may involve a password, which can be noncomplex, because the additional factor ensures the overall strength.
FIDO authentication must be supported by your device or browser, along with the authenticating site or service. With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, or so on) is used as the second factor after the password or PIN has been provided. The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations.
Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client.
The client’s private key never leaves the client device and can be used only when the user physically interacts with the device. FIDO authentication goes much further than traditional TLS.
It links “registered” devices to their users and those devices to the eventual websites or services.
Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services.
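The registration and challenge-response flow described above, as an added illustration that is not FIDO's or Google's code: a U2F-style login in Go using the ECDSA P-256 and SHA-256 parameters the Security Keys section mentions. The origins, the hashing of origin plus challenge, and the absence of a real browser or USB transport are simplifications assumed here so the flow runs stand-alone; the point it shows is why a lookalike site cannot reuse a signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register runs once per site: the device makes a P-256 key pair and hands
// only the public key to the relying party, which stores it for the user.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}
// NewChallenge is the relying party's fresh random nonce for one login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData hashes origin||challenge with SHA-256, so the signature is bound
// to the site the browser actually talked to, not only to the nonce.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device's step after the user touches it: ECDSA over the origin
// the browser reports plus the server's challenge.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify is the relying party's check with its own origin and the registered key.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}

func main() {
	auth, pub, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := auth.Sign("https://accounts.example.test", ch)          // genuine site (assumed origin)
	phished, _ := auth.Sign("https://accounts-example.evil.test", ch) // lookalike site (assumed origin)
	fmt.Println(Verify(pub, "https://accounts.example.test", ch, sig), Verify(pub, "https://accounts.example.test", ch, phished)) // true false
}
```

The relying party never sees the private key, and because the signed hash includes the origin the browser reports, a signature obtained by a phishing page verifies only for the phishing origin, not for the real site.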
A nice graphical overview of the FIDO authentication process can be found here.
Google Security Keys
Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper.
The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor.
Each dongle has a unique device ID, which is registered to the user on each participating website.
The public-key cryptography is Elliptic Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing. Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers.
Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that.
The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each.
That’s not bad for greater peace of mind.
FIDO updates
FIDO recently announced the 1.1 version of its specification.
It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC).
FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce.
Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well. The 2.0 version of the FIDO specification is already in the works.
FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone. Reducing the use of stolen credentials takes a big bite out of online crime.
I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible.
After years of previous attempts at similar initiatives, this one looks poised for broad success.
It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.
WhiteHats on the prowl?
Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts.
A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem.
They would then monitor the incoming, stolen data.
Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts.
These emails contained an attachment with proof that the user’s machine has been compromised.
In addition, they advise the user to change passwords immediately and offer to help. One such email read:

Hi ***********
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called
Computer Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS

The email above appears in two languages, English and Spanish.
The name of the group appears to be of Portuguese origin, though it is not certain.
The shopfront: the command and control servers
Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”. Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page.
Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer. After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines.
A forum-like web page opens up once a login succeeds. The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data. The C2 owners seem to have added six new Shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is. Another item for sale is scam pages, and some are multilingual.
The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays.
The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates. The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab. To purchase goods in the private shop you must deposit money into your account on the website.
The attackers accept Bitcoins, PerfectMoney and WebMoney.
Back to the stolen data
As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application being opened on the victim’s PC.
It can also identify login events and record the destination, username and password.
It is, however, limited by two-factor authentication and single sign-on. Stolen credentials on the server were found to be holding sensitive access passwords to government, healthcare, banking and payment web applications.
Among them is the following web server which belongs to the Pakistani government. As mentioned, hundreds of machines were found to be compromised by just one C2.
The following is a partial list of what was downloaded from the malicious server. Usually, careless threat actors forget to remove test files which might contain sensitive data.
In this case, we were able to obtain the attackers’ credentials from one very small file that was captured when searching related strings.
Target geography
The research is still ongoing and is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.