08 14th, 2010

*Practical* Approaches to Computer Security

Author: Shane

It occurred to me the title “Common Sense Approaches to Computer Security” might not be a great title. I’ve thus renamed this series to ‘Practical Approaches…’.

Thumb drives

Thumb drives are the bane of the earth; they’re the devil’s little helpers. Also known as flash drives, these little gadgets are also the coolest thing since sliced bread. With memory capacities in excess of 16 gig, they make fantastic backup devices. It is exceedingly easy to copy files to them from one computer and transfer them to another. Including malware…

Just like diskettes in the early 1990s, thumb drives can also carry viruses and other forms of malware. The catch is that thumb drives are much more ‘automatic’ in how they work: malware can position itself so that when the thumb drive is inserted into a new computer, it launches automatically.

Windows has a way to defeat this: AutoPlay, an applet available in the Control Panel. Change your AutoPlay settings so that you are prompted to choose which program to use each time you insert a disc or drive. For each media type that you don’t want to play automatically, select “Ask me every time”, and then click Save.

Now each time you insert a disc into your computer, you can choose the program it starts in.
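As an added example (not code from the original post), the same hardening done from PowerShell, going one step further than “Ask me every time”: it audits the two documented registry values behind AutoRun and AutoPlay and, with the script’s own -Apply switch, disables AutoRun for every drive type and turns AutoPlay off, so an inserted drive can never launch anything on its own. Run it from an elevated prompt when applying, since the first value lives under HKLM.

```powershell
# Added example, not code from the original post: audit and harden AutoRun/AutoPlay
# from PowerShell instead of the Control Panel applet. The registry paths and value
# names are Microsoft's documented ones; the -Apply switch is this script's own convention.
param([switch]$Apply)

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$handlerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
# 0xFF covers all of them (removable, fixed, network, CD-ROM, RAM disk, unknown).
# DisableAutoplay = 1 is the per-user "Use AutoPlay for all media and devices" box unticked.
$autorun     = Get-RegValue $policyKey  'NoDriveTypeAutoRun'
$autoplayOff = Get-RegValue $handlerKey 'DisableAutoplay'

$autorunText  = if ($null -eq $autorun) { 'not set (OS default)' } else { '0x{0:X2}' -f $autorun }
$autoplayText = if ($null -eq $autoplayOff) { 'not set (AutoPlay on)' } else { "$autoplayOff" }
Write-Host "NoDriveTypeAutoRun : $autorunText"
Write-Host "DisableAutoplay    : $autoplayText"

if (($autorun -eq 0xFF) -and ($autoplayOff -eq 1)) {
    Write-Host 'AutoRun is disabled for all drive types and AutoPlay is off; nothing to do.'
    return
}

if ($Apply) {
    Set-RegDword $policyKey  'NoDriveTypeAutoRun' 0xFF   # HKLM: needs an elevated prompt
    Set-RegDword $handlerKey 'DisableAutoplay'    1
    Write-Host 'Applied. Sign out and back in (or restart explorer.exe) for the change to take effect.'
} else {
    Write-Host 'Re-run with -Apply to disable AutoRun for all drive types and turn AutoPlay off.'
}
```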

08 11th, 2010

Common-Sense Approaches to Malware Protection

Author: Shane

I hope to have impressed upon my readers that AV software is not a magic bullet.  I’d like to equally stress that AV software is the best and most efficient way to protect oneself against malware.  AV software manufacturers have done their best to make sure their products reach a certain level of confidence, but even so, the scanners cannot claim to offer 100% protection against malware.

What to do? Fortunately there are many things that one can do to increase the security of their computer.  Most suggestions follow a common sense approach, such as:

a) NEVER download security software (a.k.a. FREE antivirus) unless you are sure of the source.  There are countless websites that offer free antivirus, and many are pure scams.  Some of them host rogue products that actually contain malware and will attempt to extort payment from you for access to the full product.

b) Public computers are a convenient way to compromise your password. Public computers sit unattended much of the time.  Poorly configured and generally not up-to-date with the latest security patches, it is highly possible that a public computer contains at least one piece of malware, for example keylogging software that captures all of a user’s keystrokes.

c) Your laptop’s wireless connection can be ‘sniffed’ by a software product named Wireshark. Everything you do while working on your laptop, sitting at your favorite Wi-Fi hotspot, can be viewed by a potentially malicious attacker.  My suggestion is: don’t do anything from a public Wi-Fi hotspot that you wouldn’t want viewed by a malicious hacker.

d) Update your operating system.  Microsoft, Red Hat and Apple provide updates for a reason.  Application software like QuickBooks, Adobe Flash Player and Java requires periodic updates. Because updates to application software aren’t always automatic, a program like Secunia PSI can help to manage this arduous task.

Above are 4 things that one can do to improve overall computer security. Over the next couple of weeks I will do my best to extend this list.  If you have additional common-sense approaches to computer security, I invite you to post a reply to this blog entry.

07 13th, 2010

Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)

Author: Shane

As regards my earlier post, this security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message.

07 05th, 2010

The Sky Is Falling! (No, REALLY!!!)

Author: Shane

Made ya look! Actually, if you did look at this blog because of the title of the blog entry, please include yourself as a positive statistic (in a negative way) in a recent report by AppRiver.

In the report researchers at AppRiver conclude that SPAM-generating bad guys craft messages that use natural disasters as part of their draw. Why? Because it is a great way to get people to click on computer-compromising email messages and web links! No kidding! In a world where Internet surfers readily click on the most dramatic headline news, and where people who are simply bored of standing in a slow-moving grocery store shopping-line are inundated with crap (yes I said it) that plays on the bad-luck of well-known actors…AppRiver’s report isn’t really surprising. Not to say the report is bad. It isn’t, not by any means. It’s really a good report…just…with sobering statistics.

In an upcoming article that I’m writing for the local Chamber of Commerce, I include this type of information in an effort to make people more aware of various types of scams. I will publish the article when it comes out, but in the meantime, to quote an old Hill Street Blues show… “Let’s Be Careful Out There” [of what we click].

AppRiver report: http://www.appriver.com/reports/pdf/AppRiver6MonthjuneSpamReport2010.pdf

The above link is purposely disabled so that you won’t have to click on it. Why? Stay tuned, I’ll explain why in tomorrow’s blog entry.

07 01st, 2010

Microsoft: 10,000 PCs Hit With New XP 0day Attack (PCWorld)

Author: Shane

There is a workaround to temporarily resolve this issue, but it isn’t a very good workaround.  Unregistering the HCP protocol will break all local, legitimate help links that use hcp://.  For example, links in Control Panel may no longer work.  I wonder if that will include the Windows Update feature…

My advice: Be very aware and Very on top of applying Windows updates released this July 13th.

Microsoft Technical Advisory:

http://www.microsoft.com/technet/security/advisory/2219475.mspx

PC World story:

http://www.pcworld.com/businesscenter/article/200237/microsoft_10000_pcs_hit_with_new_xp_0day_attack.html

06 23rd, 2010

Hijacked domain

Author: Shane

An interesting thing happened the other day.  Apparently a client’s web developer thought he could simply take the client’s website and make it his own.  In doing so the web developer effectively took control of the business website, locking out his own client.  As you might imagine this didn’t bode well with the client.  The client, after witnessing this nefarious maneuver, immediately called his web hosting company changing the account’s admin password and resetting the ‘secret’ security question.  However, less than 24 hours later, the website developer had regained control of the account, deleting critical codes and defacing the landing page.  How did this happen?

We’re still working on that one, at least in the sense that we’re trying to wrap our brains around the full scope of the situation.  Basically (long story short), the client didn’t change the credit card to which the account was tied.  One call by the web developer, who of course knew the credit card number, was all that it took for the web hosting company to believe said developer was the site’s true owner.  Wow!  That’s kind of bad?

Sensible security is always tricky, but I think it might be time for the hosting company to start following more stringent security protocols.  Just because a caller has one piece of information correct does not make that caller the account’s true admin.  I would think that if the hosting company had asked (and strictly followed protocol) several different questions, where each question absolutely required a correct answer, this situation could have been avoided.

06 19th, 2010

Pwn Your Own Domain

Author: Shane

Don’t ask about the title. It’s my attempt at gaming humor.

The topic: Your Internet domain name. Make sure that you are aware of its expiration date. Why, you might ask?

Not only do you NOT want to let it expire — possibly losing your carefully crafted domain name to somebody else — but even more so, you want to be aware of when it expires, & WHO you should be re-registering with once its expiration date comes close.

The reason why I am blogging about this is because of something a client handed to me the other day when I was visiting his office. As I walked in he handed me a sheet of paper that he had received in postal mail. It was a form that would allow him to re-register his domain. The paper looked quite official; it had his correct domain name, and a variety of other techno-babble that related to his website.

The problem with the paper is that it listed a completely incorrect date-of-expiration. Rather than correctly stating that his domain name was 6 years away from expiration, it said that he needed to pay $39.99 by the end of June 2010, else he would chance losing his domain.

Don’t be fooled by this mailer. It is a SCAM! I saw this same scam circulating through postal mail several years ago, but this was the most recent case. So obviously the scam is still around, making a comeback, or the dude that originally thought it up is back out of jail with a new bulk mail permit. /sigh…

06 14th, 2010

Linux Trojan Raises Malware Concerns

Author: Shane

Surprise!  http://news.yahoo.com/s/pcworld/20100613/tc_pcworld/linuxtrojanraisesmalwareconcerns

…Or maybe not: http://en.wikipedia.org/wiki/Linux_malware

^Excerpt: Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, “The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system … The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS.”

06 13th, 2010

UPDATE: Security Advisory for Flash Player, Adobe Reader and Acrobat

Author: Shane

Just a quick update to my previous post:  Adobe has released its fix for a vulnerability found in its Flash Player (a critical vulnerability affecting versions 10.0.45.2 and earlier).  See the full advisory here:

http://www.adobe.com/support/security/bulletins/apsb10-14.html

06 12th, 2010

Online Porn Users Take Huge Risks, Study Finds

Author: Shane

Thought this was obvious, but it’s good to have solid data from an accredited source:

http://www.pcworld.com/article/198612/online_porn_users_take_huge_risks_study_finds.html

06 07th, 2010

Security Advisory for Flash Player, Adobe Reader and Acrobat

Author: Shane

I normally don’t just paste in the original advisory, but in this case the original text is best served by being replicated exactly.

Release date: June 4, 2010
Vulnerability identifier: APSA10-01
CVE number: CVE-2010-1297
Platform: All

SUMMARY:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.

http://www.adobe.com/support/security/advisories/apsa10-01.html

06 06th, 2010

The rise of Mac and Linux Malware (?)

Author: Shane

IF this story is actually true & more companies follow a similar direction this is the perfect catalyst for an increased interest in developing native Mac and Linux malware:

http://www.newsfactor.com/story.xhtml?story_id=01200172VPJ0

BTW, this decision won’t really help Google avoid much of anything. It will simply increase the cost of securing their systems.

06 02nd, 2010

Yahoo faces privacy test with new e-mail features

Author: Shane

Yahoo email users take note!  The story claims Yahoo has been talking about this for months, but this is the first I’ve heard of it.  Here is hoping that Yahoo blasts this story out to a bigger media outlet, because I seriously doubt this story is going to get the attention it deserves until after the changes have gone into effect.

http://hosted.ap.org/dynamic/stories/U/US_TEC_TECHBIT_YAHOO_PRIVACY?SITE=SCAND&SECTION=HOME&TEMPLATE=DEFAULT

05 28th, 2010

What desktop virtualization really means

Author: Shane

If you are old enough to remember 8″ floppy disks, punch cards and Selectric typewriters, the following InfoWorld article might be of great interest.  Yes, we are a long way (almost 50 years!) from the aforementioned technologies, but not so far as to completely forget where much of the computing technology that we enjoy today originated.

“Virtualization”, believe it or not, had its roots planted firmly in silicon by 1967 in the form of CP-40.  CP-40 was the first operating system that implemented complete virtualization, albeit at that time it was a machine-specific implementation and made available only to the computing elite.  Understandably so: the machine on which it ran (IBM System/360) was state-of-the-art at the time and could only be installed in a location with strict environmental controls.

Enough with the history lesson!  Fast-forward nearly 50 years, and virtualization stands to (re)make its mark in history.

A clear case of back to the future?  I’m not entirely certain.  As with anything computing, each person/company/market segment has its own unique computing needs. Even though they may not realize it, a lot of people could really take advantage of virtualization technologies.  Others will be dead-set against it, be it for financial reasons or some other ulterior motive.  For me personally, I fall into the pro-virtualization category.  Yes, I realize that up-front costs for large-scale projects can be prohibitive, but, being the forward-thinking person that I am, I know that benefits will eventually outweigh costs.

I tend to view virtualization as a friend due to my work in the field of anti-virus research.  In 1993, when I was in the midst of developing Symantec’s very first automated infection system, the biggest hurdle I had to step over (or skirt around) was that of restoring an infected computer back to a known-clean state.  Logistically it wasn’t a difficult task to achieve, but doing so represented what the computer was doing the majority of its computing cycles — cleaning itself up.  If only I had a method of restoring a machine to a pristine state simply by hitting the reset button!  Instead of producing daughter/granddaughter/etc. infections for 10 viruses every 8 hours, virtualization would have allowed for far greater efficiency.

What can virtualization do for the everyday computer user?  Besides the many advantages it offers in relation to computer security, read the following InfoWorld article.  If you think the technology has a place in your company, realize that virtualization is more accessible (and cheaper) than you might think.  If after reading the article you have additional questions, as always please feel free to pick my brain.

http://www.infoworld.com/d/virtualization/what-desktop-virtualization-really-means-352

05 25th, 2010

A rogue (antivirus) by any other name

Author: Shane

‘’Tis but thy name that is my enemy;
Thou art thyself, though not a Montague.
What’s Montague? it is nor hand, nor foot,
Nor arm, nor face, nor any other part
Belonging to a man. O, be some other name!
What’s in a name? that which we call a rose
By any other name would smell as sweet;’

Erm… a more contemporary way to say it would be “what matters is what something is, not what it is called”. Suddenly I’m thinking that Donald Rumsfeld had quite an affinity for Shakespeare. Ok, so what exactly am I getting at with this post? Rogue, fake, false, fraudulent, artificial, factitious, bogus, mimic, mock, sham, simulated, substitute, synthetic, etc., etc., etc., anti-virus software.

Not that my words can possibly carry as much weight as a Google report, but I can confirm that rogue AV is very prevalent.  About 2 in every 5 service calls that I make are to remove rogue anti-virus software.  How to stay away from it? According to the details of the NewsFactor article of where the rogue software comes from, and how it arrives to our computers, it is mostly by having a Very Healthy paranoia of what we click on.  Of course there is more to it, but yes, sometimes computer security really can be just that easy!

From Newsfactor Network: Fake Scans That Plant Malware Are Rising, Google Says

05 24th, 2010

Google Secure Search

Author: Shane

Concerned that Big Brother (or your little sister) is watching over your every search term?  Then you might be interested to know that Google has extended SSL to its search engine.  It is still in beta stage, but shows promise as a method to keep 3rd parties (as well as a malicious attacker) out of what should be your business alone (“your business” in the privacy sense).  Keep in mind that if your computer is already compromised (for example, with a keylogger), an SSL connection will do nothing for your privacy.  The reason is that a keylogger sits at a “higher” location than the SSL connection, capturing your keystrokes before they are ever encrypted.

Nonetheless Google SSL is worth checking out.  First I would recommend reading Google’s official blog on the matter to get a better idea of what it is all about.  Then, if you think it is for you, try it out!  If you are so inclined you can test the security of the SSL search by inserting a sniffer somewhere in _your_private_network_that_you_own_ and setting the appropriate filters to watch the specific IP address of the machine that is performing the search.

Google blog: http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html

Google SSL Beta: https://www.google.com/

05 21st, 2010

Security from within

Author: Shane

This is a very smart move by Oracle (and IBM).  Here is why:  When we think of a hack we usually think it comes from the outside.  That is, we sit at our computer, which is connected to the Internet, and suddenly a bad guy hacker from who-knows-where successfully bypasses our computer’s defenses.  Uh-oh, we’ve just been hacked!

But… attacks against our computers come from all angles.

It’s true!  Be it negligence on the part of the computer operator who clicked on an email attachment they had no business clicking, or a disgruntled employee bent on causing chaos within the office, or an employee who is skimming data for personal gain — (the list of possible reasons goes on) — many of the hacking cases that I’ve had the displeasure of contending with have originated from the inside.

Technology to protect ourselves _from_ ourselves is (sadly) probably a more effective solution than technology to protect ourselves from an unknown outsider.   Original story link follows:

http://www.newsfactor.com/news/Oracle-To-Buy-Secerno-for-Security/story.xhtml?story_id=11100B2HMTNR

“Although external threats are real, King said internal threats are just as possible in a world where customer sales and credit data can be used for personal profit. With business analytics and business intelligence tools, King noted, companies can search databases for actionable insights that drive revenue. But in doing so, it opens up the database to new groups of users.”

05 17th, 2010

Analyst’s view of an Analyst’s view (PCMAG: How to catch a virus)

Author: Shane

The article: http://www.pcmag.com/article2/0,2817,2363812,00.asp

Same comment here as I left at the PC Mag site: Having been a “pro” AV researcher since 1992, and having been maintainer of The WildList between 1995 and 2002, I can back up Neil’s statement when he says ‘preparing a new malware collection takes considerable effort’. It does!

Your methodology looks sound, Neil. I could only suggest that you allow antivirus software manufacturers to peer-review your library. (They probably won’t unless they’ve scored awful in a test. As alluded to above, it is a massive undertaking to create a library. To *verify* the viability of a library would require an almost identical amount of effort, thus you might not find too many takers. But…it is always nice to offer.)