Apr 5 2009 4:27PM GMT
Posted by: John Little
Security,
cybersecurity,
government,
network security
A cybersecurity bill is before the Senate for approval. The bill, if passed, would impose standards on the public and private sectors and certifications for cybersecurity professionals.
The legislation is aimed at streamlining cybersecurity authorities, promoting public awareness and enhancing cybersecurity cooperation between government and industry. The bill would also increase cybersecurity education and research and development efforts.
So far as networks are concerned, the bill would give the new national cybersecurity adviser the right to disconnect from the internet any network deemed critical to national security or the US infrastructure. This would only happen if the network is considered at risk of attack.
According to the article:
The senators also called for a public awareness campaign, a review of the laws that apply to cybersecurity and a report on identity management and civil liberties. They would also further involve the private sector in cybersecurity efforts through the establishment of:
* A group that would certify that products purchased by the federal government meet cybersecurity standards.
* A panel of outside experts to advise the president on cybersecurity.
* A public-private clearinghouse for information sharing on cyberthreats.
* State and regional cybersecurity centers to help small and medium-sized businesses.
I suppose it had to happen sooner or later. In the past couple of months I have mentioned several cybersecurity attacks, some successful, others leaving networks at risk, in both the private and public sectors. It is a natural progression for this country’s government to step in when businesses, organizations, and government branches refuse to police themselves and protect their constituents and customers from harm.
On the brighter side, a whole new market is opening up for security professionals and software. This is going to happen at the collegiate level as well as in the development of new security software. If you are looking for a career or career change, this is an area that you should investigate.
-j
Mar 27 2009 6:55PM GMT
Posted by: John Little
Security,
Microsoft,
Conficker,
downadup,
Linux,
open source
The Conficker worm that infected millions of computers starting last October was believed to be at bay. Not so, according to Vincent Weafer, vice president of Symantec’s security response group.
Computers infected with this worm are being updated with a stronger variant. The variant is designed to sidestep security measures attempting to cut the connection between infected machines and its hacker controllers. An estimated 20 technology companies, including Microsoft, have joined together to try and counter the stronger variant.
They are attempting to stop the worm by pre-registering domains that they believe the worm will use. According to Symantec and others in the group the worm can register up to 50,000 domain names a day. The domains are used to band together the infected computers and route the worm to other computers for infection.
The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.
Weafer also believes that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.
There is a bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that, so far as I know, there are no open source companies who have joined the group to protect Windows computers. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.
This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.
If you have a Microsoft machine that is infected what you need is the MS08-067 security update. You’ll have to look it up yourself - I have no need for it. You can read more about this fiasco here.
I’ll stick with my Linux and Open Source software thank you very much.
-j
Mar 26 2009 12:18AM GMT
Posted by: John Little
ssh,
SSHD,
secure,
Security,
denyhosts
If you have an SSH server that is accessible from the internet then you should look at the DenyHosts application to protect your servers and networks.
DenyHosts protects your servers by parsing your ssh log for failed ssh login attempts. The log where these are recorded varies by distribution. On Red Hat it is /var/log/secure, and on Mandrake it is /var/log/auth.log. You should have one of these log files on your system.
DenyHosts works by monitoring these logs for failed ssh login attempts. It also tracks which user accounts are targeted. When it finds repeated failures from the same IP address, it inserts that address into your /etc/hosts.deny file, effectively blocking the offending crackers.
Like any security measure, this one can be shored up by implementing complementary measures. These would include disallowing root logins, using a port number other than 22 and disabling password logins. All of these can be set in your /etc/ssh/sshd_config file. Your ssh daemon must be restarted after making these changes.
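To make the two ideas above concrete, here is an added example (written for this post, not DenyHosts’ own code) that does in miniature what the post describes: it parses sshd failure lines of the kind found in /var/log/secure or /var/log/auth.log, counts failures per source address, emits /etc/hosts.deny entries for addresses over a threshold, and audits an sshd_config for the three hardening settings mentioned (no root logins, no password logins, a port other than 22). The log lines and both config fragments are constructed samples using documentation IP ranges; the threshold of 3 is an assumption chosen for the demo.

```python
"""DenyHosts-style ssh log parser and sshd_config audit (illustrative example)."""
import re
from collections import Counter, defaultdict

# Matches OpenSSH failure lines such as
# "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2".
FAILED_LOGIN = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log text (not a real capture); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 26 00:01:12 web1 sshd[4112]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 26 00:01:15 web1 sshd[4112]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 26 00:01:19 web1 sshd[4113]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 26 00:02:03 web1 sshd[4120]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 26 00:02:44 web1 sshd[4125]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar 26 00:03:10 web1 sshd[4130]: Failed password for invalid user oracle from 203.0.113.9 port 60001 ssh2
"""

# Constructed sshd_config fragments: the weak defaults and the hardened form.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"


def parse_failures(log_text):
    """Return (failure count per IP, set of targeted user names per IP)."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:  # successful logins and unrelated lines are ignored
            per_ip[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return per_ip, users


def hosts_deny_entries(per_ip, threshold=3):
    """Addresses at or above the threshold, as /etc/hosts.deny lines for sshd."""
    return ["sshd: %s" % ip for ip, n in sorted(per_ip.items()) if n >= threshold]


def audit_sshd_config(config_text):
    """Map each hardening setting to True if the hardened value is in effect.

    OpenSSH uses the first value given for a keyword, so the first occurrence
    wins; missing keywords fall back to the historical defaults (yes / port 22).
    """
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return {
        "PermitRootLogin": settings.get("permitrootlogin", "yes").lower() == "no",
        "PasswordAuthentication": settings.get("passwordauthentication", "yes").lower() == "no",
        "Port": settings.get("port", "22") != "22",
    }


if __name__ == "__main__":
    counts, targeted = parse_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print("%s: %d failures, users %s" % (ip, n, sorted(targeted[ip])))
    print("hosts.deny additions:", hosts_deny_entries(counts))
    print("weak config:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_CONFIG))
```

In the sample, only 203.0.113.5 crosses the threshold, so the single ban line is sshd: 203.0.113.5; the deploy user’s one typo from 198.51.100.7 is counted but not banned, which is why a threshold matters. Note that /etc/hosts.deny is only honoured by an sshd built with TCP wrappers (libwrap) support; OpenSSH dropped that support in 6.7, so on newer systems the same list would be fed to a firewall rule instead.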
You can download DenyHosts here.
-j
Mar 21 2009 11:38PM GMT
Posted by: John Little
Security,
search engines,
malware,
malicious web sites,
malicious code,
Browsers,
web browsers
Crackers are increasingly attempting to influence the behavior of search engines to get them to misdirect users to malicious sites, says security firm Marshal.
Unknowing users are asked to download an anti-malware application to protect their computers. The malware program then installs its malicious code onto the user’s computer.
Microsoft has attempted to help users with its Internet Explorer browser by using what they call a SmartScreen filter. The filter checks servers that offer downloads to determine whether those servers have a history of giving out malicious content. If it does, the user is warned that they may be on a malicious web site.
Crackers also add links to bad websites in blog comments. Posting links to such sites is known as blog spamming. When a user goes to one of these sites, the cracker has automated tools that help gain entry into the user’s computer.
Unfortunately there is no firewall rule to prevent the foolishness of people visiting such sites. Once they are there, bad things happen. Updated browsers, proxy servers and blacklists and whitelists certainly help. Still, the best prevention is educating users about what to avoid, along with the aforementioned methods.
-j
Mar 21 2009 9:09PM GMT
Posted by: John Little
scholarship,
us government,
cybersecurity,
scholarships,
technology,
federal agency,
Security,
computer security
The US Government will give you a full scholarship for college if you want to become a cybersecurity specialist. The scholarship covers room and board, books and tuition.
The obvious question here is “What do I have to give them in return?” Two years of government service at a federal agency in a cybersecurity position. That’s not a whole lot to ask in my opinion. Think about it. You’re getting a paid-for education in a field whose demand is only going to grow, and all you have to do is work at a federal agency for two years using what you majored in at college. Not bad.
The program, known as SFS (Scholarship for Service), is run jointly by the National Science Foundation and DHS. SFS is quickly becoming known for more than just recruiting talent for its scholarships:
In the information assurance community, SFS is becoming widely recognized as indispensable, especially when government demand for highly skilled information technology security professionals is surging because of Information Systems Management Act requirements, the inexorable growth in security operations centers and an impending wave of retirements.
Michelle Kwon, who graduated from the program, has this to say about it:
“When I graduated from the SFS program, I really thought I was going to do my two years [of government service] and then jump to industry and make big bucks,” Kwon said. “But I was given opportunities through the program that I wouldn’t have had otherwise.”
Michelle is now in a high-powered position as director of the Homeland Security Department’s U.S. Computer Emergency Readiness Team. Last year she was named director of US-CERT.
You can read more about the program here.
If I were a student and looking for a way to go to college this would be a fantastic way to go.
-j
Mar 20 2009 7:32PM GMT
Posted by: John Little
openid,
myopenid,
single sign on,
sso,
authentication,
web authentication
myOpenID is an open source third party authentication tool allowing users to have one login across multiple websites. myOpenID is developed by JanRain.
Making life even better, OpenID works with many websites where you may already have an identity. These include Facebook, MySpace, Google, Yahoo, AOL and Windows Live ID. Many sites will allow you to use your authentication information from one of these sites to log in to their site.
JanRain eases the integration of OpenID with their RPX product. RPX allows websites to be up and running with OpenID in an afternoon. They recently launched a WordPress plugin for blogging sites. This site uses WordPress. I wonder if we’ll be getting OpenID.
OpenID has launched a demo of the RPX product here. The plugin demonstrates the ease with which the RPX turnkey solution can be implemented.
OpenID now has over 35,000 sites using their product. These include high profile sites like PayPal, Plaxo, Sun and AOL.
I know that I use it with Yahoo as my identity provider for sites that accept it. I could use my myOpenID authentication for all of them if I chose to do so. You should try it; it’s nice to be able to use existing web identities instead of having to register at sites that you want to use.
-j
Mar 18 2009 11:35PM GMT
Posted by: John Little
irs,
virus,
malware,
hackers,
crackers
A recent report by the Treasury Inspector General for Tax Administration (TIGTA) noted that the IRS scans about 89% of its servers weekly for malware and viruses. That should give you a warm and fuzzy feeling.
Apparently they believe that employee workstations pose more of a threat. All employee workstations are scanned weekly. Of the 11% of servers that aren’t scanned some are scanned intermittently and others not at all.
According to Michael Phillips, the deputy inspector general for audit, the IRS’ Cybersecurity Computer Security Incident Response Center responded to 961 malware incidents in calendar year 2008, an increase of 45 percent over the prior year.
The TIGTA also said that the IRS has adequate controls in place to prevent and respond to malware attacks. They have also built up the security structure to deal with the increasing threat of crackers.
The inspector general also recommended that IRS administrators should not be accessing the internet with their IRS logons. Employees and their managers should also be notified when their browsing results in a successful malicious code incident.
Terence Milholland, IRS’ chief technology officer, said in response the service would begin to scan all servers weekly by May 1 and implement regular reminders on Internet access restrictions by Aug. 1. The IRS would start notifying employees and their managers when their activity results in a malware incident, he said.
You can access the full report here.
-j
Mar 17 2009 12:20AM GMT
Posted by: John Little
los alamos,
computing,
technology,
Virtualization,
green computing,
Security,
consolidation
I have often wondered how the really big technology users, like the Federal Government, utilize various technologies such as virtualization.
Now we can all get a first hand look by watching an eSeminar presented by Government Computer News. They are presenting Anil Karmel, a solutions architect in the network and infrastructure engineering division at Los Alamos National Laboratory, in an eSeminar at 2 p.m. Tuesday, March 24.
In the seminar Mr. Karmel will present on the initiatives taken by Los Alamos to address such things as green computing, disaster recovery and security. During the presentation he will discuss:
* How Los Alamos National Laboratory implemented virtualization to reduce their carbon footprint and consolidate data centers across their campus;
* How to leverage server virtualization to cost-effectively supplement your disaster-recovery or business-continuity plan;
* How to identify “low hanging fruit” for your agency’s green initiatives while achieving a substantial return on your investment; and
* Moving computing from the desktop to the data center to enhance your agency’s security.
Sounds like a good place to learn about how some really smart people implement virtualization. I certainly plan on being there. You can read more about it here.
-j
Feb 26 2009 5:45PM GMT
Posted by: John Little
wyndham hotels,
Hacked,
credit card theft,
super 8,
cyber criminals,
cyber theft
The Wyndham Hotel chain’s computer systems security team discovered in mid-September 2008 that the company’s central computer systems had been infiltrated. The intruder gained access through a franchisee’s computer system and from there was able to reach the central systems of Wyndham. Wyndham believes that as many as 41 properties may have been affected, along with about 21,000 people in Florida.
Wyndham immediately retained a qualified investigator to assess the problem, ensure that it was isolated, and implement a stronger security system. The Secret Service, credit card agencies and several states’ attorney general offices were also notified. They are making an effort to contact all of the affected customers by working through the credit card companies. It appears that only the credit card information was stolen, without matching names and addresses. Wyndham says:
To ensure our customers’ card numbers were protected, we provided each of the payment card companies (American Express, Visa, Mastercard and Discover) with the actual card numbers that were accessed so that these payment card companies could take such action as they deemed appropriate to monitor the use of the cards.
Wyndham does not keep social security numbers or other confidential identifying information and does not believe any identity theft has occurred because of the breach. The criminals did manage to get magnetic stripe information, which contains the CVV code. Card numbers with this code bring a higher price on the black market because it is easier to use the card in a fraudulent transaction.
When a stolen card is used in a transaction that includes the CVV code, the banks are responsible for the charges. When only a card number and an expiration date are used in the transaction, as occurs in many online sales, then the retailer is responsible.
If you believe that you may have been affected by the theft, you can find more information here.
-j