Don’t Trust Padlock and HTTPS on Detecting Phishing Websites

Recently, they are reports of phishing websites are using Digital Certificate and this is alarm for all of us. Initially, I always tell users that for well-known websites including banks and where you need to enter data, make sure it has Digital Certificate, it is little padlock on the top of browser saying that your connection is encrypted and because purchase Digital Certificate used to be expensive and required difficult validations, most phishing websites are gone without Digital Certificate and it was good sign to spot phishing. So, if you visit your online banking website and it doesn’t have nice padlock icon on the top of browser and you didn’t see it start with HTTPS then it is definitely phishing and it is remaining the easy way to spot phishing. But I should express that even if website has padlock icon and start with HTTPS, you should still check the URL and make sure it is really your banking and trusted website. Because phishing websites are able to get Digital Certificate and it means when you visit their websites, they have HTTPS and padlock.

Security professionals are fighting with phishing and we have advance technologies to detect and block phishing websites, but you will need to be extra careful. One good practice would be making sure you type the address of your trusted websites including banks, money transfer, email, etc. correctly and when you visit it and make sure it is really the correct one, then add it to favorite so next time when want to visit your bank, don’t search for it and just click on it from favorite. Even if bank send you email don’t click on the link inside it and use the favorite to access your trusted websites. This is new challenge for our cyberspace and I am already start working on solution for this problem while other security researchers doing the same thing and soon I will share my outcome with industry and you will see inside your browser. Meanwhile, if you ever come across any phishing website, use Report unsafe website option in Internet Explorer or Microsoft Edge and report it.


How to Detect Scams in Public Forms?

Cybercriminals using new ways to steal data, one of the ways I have been seen recently is using public form creating tools like Google Form or Microsoft Form. While using these technologies are very productive and helpful and you don’t have to be expert to create a form and share it online, these could be used for crime purposes. It is always good idea to use these forms for good purposes, for one example I have been using Microsoft Form to organize conferences. In this case instead of asking users to send their name and details by email which would take long time to put them into Excel file and keep track of who is attending or buy a domain and then SSL and create a form which is costly and time consuming, I could just login with my Microsoft Account and create a form easily and quickly, it gives me a website with SSL and good security and I just share it with my community members or those who wanted to attend my conference and they fill up their data, this platform put them all into a nice Excel and I will just save the Excel file and use it for the event to keep track of who is attending and who is not and I could send reminder to email list before event. Meanwhile, I could share feedbacks to the team through the Feedback interface and ask them to make it better.

However, cybercriminals also using this for criminal purposes, in this case they easily create a form in Google or Microsoft Form or other online Form creators, these forms come from reputable domains like Microsoft or Google and they have SSL and in this case user won’t get suspicious but they are asking for information which they shouldn’t ask for and in this case, you should report them as abuse , so Microsoft or Google will take action against them (if it is valid abuse) and you could protect millions of users. They have option at the end of the page to report abuse.

However, the main question is how do we spot abuse? Someone might have posted a form which is valid and legitimate while others might post a form which is real abuse, you will see public forms like Google or Microsoft form as abuse/scam if it has the following conditions:

  • It is asking you about anything related to password: Like enter password, save password, password recovery, etc.
  • It is asking about banking and credit card information: If it asked you to enter your credit card details on a simple textbox, then it is fraud for sure.
  • It is asking irrelevant information: Let say you are attempting to register for a conference , asking for your name, email, phone number and address might be valid, but if they are asking more private information like date of birth, city where you born, your first school, are not valid required information, unless they are related like asking for school when you are organizing educational event and you get such data for statistics.
  • It is claiming to be from Microsoft or Google: because they are using valid Google and Microsoft domain and it has their logo, some people might get fooled that it is coming from these companies, if you see any public form where it has Report Abuse option and claim to be from Microsoft or Google, it is scam.

Therefore, it is always good idea to use public form and you could trust them generally, as I said it is being used for conference, public events and even celebrations, but you have to make sure you are using valid one and don’t fall in trap of scam and make sure report scammers.

Report Malicious Websites to Windows Defender Security Intelligence

While we are browsing web, we might come across dangerous websites, they might be phishing website or malicious websites. Internet Explorer and Microsoft Edge, come with a way to report unsafe website, from tools->Safety->Report unsafe website in Internet Explorer and tools->Send Feedback->Report unsafe website in Microsoft Edge, you could report unsafe websites to Microsoft. Such function is great in browsers and these browsers has feature called SmartScreen filter where it is able to detect and block suspicious websites. But there are cases where SmartScreen filter is unable to detect unsafe website and you could use those methods to report the website and when it has been detected as unsafe, it will be blocked. Now, Microsoft has a new way for users to report suspicious website and you could do this directly from Microsoft Windows Defender Security Intelligence and it is recommended to login with your Microsoft Account, so you may add multiple websites and keep track on your submitted website. However, if you are in public area and you fear that login with Microsoft Account has risk of your account being compromised, you may just add website as a guest without login with Microsoft Account. You may report suspicious websites on:

When you report unsafe website, you may report them as Phishing, meaning they are websites which might not contain malwares but pretend to be from authorized and well-known website. For example, consider creating website exactly like you bank account login page but it is not your bank’s login page and it steals your credentials. You may also report Malicious websites, they are one contains malware, you might see when you visiting a website your Anti-Malware detects a malware in the folder where browser’s cache is located or you see some malicious codes embedded into website, in other case, it might be scammer, they one saying your PC is infected and call this number or any other malicious intentions. When you report such a website, you are providing great help not only to Microsoft but to millions of users globally. Sending such report might lead to discovering new 0-day or unknown malware or exploit. It could help millions of users to lose their accounts and money to cybercriminals. It makes internet safer and healthier. We could stop botnets and malicious actors, before they perform their criminal intentions.

Enjoy surfing the web and please report all malicious websites to Microsoft. Also consider using Microsoft Edge and Internet Explorer for safer browsing experience.

Windows Defender is Doing Great Job in Protecting you Against Malwares

There are several discussions about Windows Defender which is pre-build Anti-Virus in Windows 10 and whether it is productive or not. I have seen several videos in YouTube where it wants to proof that Windows Defender is not effective and they scan for malware and it is not being detected with Windows Defender but it will detect with other Anti-Malware product, such video could be unreliable and these are questions where we couldn’t confirm in such videos:

  1. Is this real malware or it might be false-positive meaning, it is safe file but Anti-Malware accidently detect it as malware?
  2. If it is real malware, does it added into exclude or allowed list? May be Windows Defender detect it but in video, it has been added to exclude or allowed list to trick users.
  3. Is cloud protection on or off?
  4. How about signature? In video the signature number might detect incorrectly but some tricks and old signature might have been used.
  5. If the demo is true, where is its sample? How could we reproduce the demo?

Demos in YouTube with one or few samples are not valid source for malware testing. For better malware testing we need to relay on real research center where there are many researchers with tons of samples and under comparable fair environment test Anti-Malware products and could name AV-Test and AV Comparative example of reliable source for testing antimalware products. They have test environment and professional researchers where they test Anti-Malware products. In recent test which has been done in July 2018 for bot companies shows Windows Defender done excellent job as Anti-Malware product and also when dealing with malware. Let’s start with AV-Test, in their posted test on May-June 2018, Windows Defender manage to protect against all 0-days samples (meaning malwares which are unknown to Anti-Malware products) and has 100% protection (compare to industry average which was 99.6%) and in term of protection against known malwares it protects against all malwares like other products. In term of performance, it also did a great job compare to industry average but still need improvement in this area. In term of false positive detection (meaning detecting safe software as unsafe, it only has one false detection). Leading the Windows Defender as the top product in AV-Test, you may read the complete report on:

Let’s check the report in AV-Comparative, in the latest test on July 2018, Windows Defender blocked all malwares with rate of 100% but it has high false-positive number of detecting 19 files. False-positive meaning the file was safe but incorrectly detected as malware and Windows Defender needs to improve in this area but it done great job by blocking all malwares. You may take a look at complete report on:

Above reports proof that Windows Defender is doing excellent job when it comes to detect and blocking malwares. However, as I already mention, there is no Anti-Malware software which could detect everything. Therefore, if you ever seen any sample where you believe is unsafe but being detect as safe or something which is safe but is being detect as malware in Windows Defender or other Microsoft Anti-Malware products submit its sample to Microsoft Anti-Malware team:

By submit sample, you would helping millions of people worldwide against getting infected with malwares and just one correct sample could help protecting thousands of systems. Security is ongoing process and we need to help Anti-Malware ecosystem, so they would be able to help us by enhancing their detection engines. You may check Anti-Malware testing website regularly to see their latest test and results.

Privacy Concerns in BlockChain

There are discussions about BlockChain technology. Normally, when we talk about BlockChain, it reminds people of cryptocurrencies like Bitcoin which is based on BlockChain technology. However, BlockChain could be used in other applications. BlockChain introduced concept of node for store and transferring data. Normally, when we want to transfer data in the internet, we need several servers which manage storage and transfer of data and we communicate through those servers. But in BlockChain, every PC could be considered as node and they contribute in a big system where all node together involve in storing and transferring of data. BlockChain brings high level of transparency, meaning that everyone in node will know about everything and people could easily join node. There is something known as private BlockChain where we limit access to all nodes and only nodes which we want would be part of BlockChain. Transparency is good but it should be controlled otherwise it is risk to privacy. Consider example of public and private profile in social networks like Facebook or Instagram. We might share some photos for everyone, but we share some photos with only specific people like our close friends and close family and we might have some photos which are private only for us. This is why we need servers and not nodes to protect our privacy. When we talk about servers, people who are working in data center have been verified and are being monitored. For example in Microsoft and Google Data Centers, only people who have been verified by company and government are allowed to work in data center , so we never expect to have black hacker in data center. In addition, there are protection mechanism like they couldn’t just login to a PC and they wouldn’t know which server is processing what data. If government ever need access to data for national security reason or to investigate crime, they need to go through legal procedure and they are force to adhere with privacy law and if you are citizen of country where GDPR is being enforced, you will get transparency report and you have control over your data and privacy is regulated.

However, in BlockChain the story is different, since you don’t have central server, we need relay on nodes and we need a lot of nodes. This means many people and devices which we don’t know would have access to everything. For example in BitCoin, all transactions are publicly available to all people in BlockChain. Node might belongs to hacker, cybercriminals, and bad guys and so on. Imagine, you are doing anonymous transaction with large amount of BitCoin and no one knows who you are. But they will know you have a lot of bitcoin and if they keep investigate, it won’t be hard to find you. For this reason, it is not recommended to use BlockChain for transferring sensitive data like PII (name, address, phone number, etc.). Even if all data are fully encrypted, are you trusting your personal data being shared with millions of PC? Then the idea of private blockchain come to picture. In this case, if we want to make sure privacy is fully preserved, then we need to define qualification criteria for devices. For example only devices with updated Anti-Malware and BitLocker and the one which has been approved by special privacy team allowed to be part of node. Implementing such model could build BlockChain with privacy but it would be costly and it would be better to use server instead where we have better protection and control. Instead of controlling one million trusted nodes why not control few thousands trusted server in a known location.

BlockChain is good when we need to have high degree of transparency and we don’t need to be worry about privacy. But when it comes to privacy, BlockChain is real challenge and building privacy-enable BlockChain would be expensive and difficult. Actually, I don’t see any logical argument to enforce BlockChain for sensitive data. It could be possible, but hard to manage and costly and it would be cheaper to use servers to manage everything instead of using nodes in BlockChain. When it comes to privacy we need to answer who access data (in BlockChain it is hard to find and manage who is access data). Where are my data located physically? (In BlockChain , they could be anywhere). Choosing between using centralized and server based model and BlockChain model, required you to see whether you will need transparency or privacy and then decide on which one would be more suitable.

Microsoft & GDPR

Recently the European Union, introduced new regulation which enhance protection of users within the EU. This regulation is known as GDPR and practically it succeeds the Privacy Regulation and it is new opportunity to have a better control and protection over users’ privacy and it enforce all companies and organizations and everyone who is dealing with data involving the EU citizens or companies must adhere this new regulation or they will face penalty and they have to response if they are not being compliance. Being compliance with such regulation is actually a way to protect human right and it is right to privacy but being compliance with regulation is costly and difficult for companies. It is not only about understanding the GDPR and how it works but it is about how to adapt it in the real environment. Hopefully, Microsoft is among the first companies which fully compliance with GDPR and it prepared tools for users to get ready for GDPR even before it comes into action. If you are using Microsoft Cloud technologies like Azure, Office365 and others, you cloud is fully compliance with GDPR and you could use Microsoft tools to adapt compliance easier. If you are in charge of development of application on cloud, you have to be careful about your software design and that is another issue. Windows 10 and Windows Server 2016 also giving you tools which help you to be more compliance with GDPR. Adapting GDPR would required privacy assessment and expert knowledge on field but you will come into technical issues to adapt and implement it and it is where features inside Windows and Windows Server could come and help you. If you are using Microsoft Technologies and you are in EU or you are dealing with EU, take a look at following resources:

I wish you all to have a safe GDPR journey and be ready to protect your users and customers.


Why My Anti-Malware Product Won’t Detect All Malwares?

Common question, I am hearing from users is well, I am using Anti-Malware software and I paid the license but why it won’t be able to detect all malwares? Do we have any Anti-Malware product to be able to detect and remove all malwares?

We always say that, there is no Anti-Malware software which is able to detect and remove all malwares. Anti-Malware products are able to detect all malwares in wide-list. It is list of all malwares which has been discovered and it is keep updating. Of course, if we know about malware, we could detect it. But there are tons of new malwares which are being created every day and let say it is not possible to say our Anti-Malware product is able to detect all unknown malwares too. However, they won’t leave them to go around and harm users. Anti-Malware products comes with techniques to detect unknown malwares like using heuristic detection which uses machine learning and detect suspicious objects or applications based on similarity with other known malwares and behavior monitoring which detect unknown malwares based on abnormal behavior or similarity of their behavior to known malwares. There are several techniques which Anti-Malware vendors are using to detect unknown malwares. They are placing spam-trap or honeypot to collect sample of new malwares. They doing research on black markets for new malwares and users also submit sample to them. It is whole ecosystem and keep improving to make sure unknown malwares are being detected and discovered by good guys before get used by bad guys. However, it is not possible to detect all unknown malwares. So, what to do?

Anti-Malware is not the only thing which protects you against malware. There is beautiful concept of defense in depth in Windows, which explained you have defense layers which could stop malware even before they reach to Anti-Malware product like SmartScreen Filter, DEP, ASLR and others. In addition, you as a user should learn about threats around you, if you are visiting website which looks suspicious, you have to report it through SmartScreen filter. If you have sample of program which you believe it is malware but your Anti-Malware software says it is safe, submit it for analysis. Don’t hesitate contacting support or security forums to ask about your concerns with unknown malware and unknown programs. Keep yourself update about latest security incidents and best practices.