August, 2008

Software for Secure Computing: Personal Firewalls

How to Secure Your Computer: Maxim #2 stressed the importance of using a NAT router to make your network “invisible” to criminal hackers and other Internet riffraff.  This is excellent protection against inbound malicious connections, but it does nothing to block outbound connections originated on the local network. The router won’t stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. This behavior is by design; if outbound connections were blocked, you’d never be able to browse the Web. The problem is that if you inadvertently get infected by a mistaken click or a cross-site scripting (XSS) vulnerability, you’re in trouble. You may not even know you’ve been infected–I’ve seen bot-infected machines running up-to-date antivirus software happily spewing spam emails by the thousands.

One of the most important pieces of software for secure computing is a properly configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall–it blocks inbound attacks only (see Is Microsoft’s Firewall Secure?) and has flaws of its own (see Windows Firewall flaw may hide open ports). While Vista’s firewall does offer outbound filtering, it isn’t much better (see Analysis: New Windows Vista Firewall Fails on Outbound Security for more information).

My favorite personal firewalls for secure computing are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version). I’m currently testing the ESET Smart Security suite and from what I’m seeing, this may be one to recommend to your non-savvy home users; it’s non-intrusive in automatic mode, allowing you to surf freely without those annoying do-you-really-want-to-do-this popups.

CERT Says Linux is Under Attack

It had to happen sooner or later; as Linux gains an ever-increasing foothold (Linux market share to reach 7% in 2008 ) in the market, it will become a viable target for criminal hackers. According to the U.S. Computer Emergency Readiness Team (CERT) in US-CERT Current Activity, attacks are already underway:

US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed.

Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

For now, the attack is easily detected (though variants of the rootkit will likely change its behavior): The attack creates a directory “/etc/khubd.p2/” that is hidden from “ls,” but it can be entered with “cd /etc/khubd.p2″. Any directory named “khubd.p2,” regardless of its location, is hidden from “ls” but can be entered using “cd.” Additionally, “/dev/shm/” may contain files from the attack, so anything unusual in there is suspect. You can also try searching for hidden processes and checking the reference count in “/etc” against the number of directories shown by “ls”.

Check out the full article, “SSH Key-based Attacks” for complete details on risk mitigation and compromise response.

Worm Infects International Space Station Laptops

Houston, we have malware. (Sorry, I had to do that.)

Apollo 13 had real live mechanical malfunctions that could have resulted in the mission earning a place in our space program’s disaster timeline between Apollo 1 in 1967 and the Challenger disaster in 1986. Fortunately, that didn’t happen–Apollo 13 went down in history as a close call. Unfortunately, physical problems with the heat shield tiles resulted in the Columbia disaster in 2003. Now, the space program faces another threat–this time, a non-physical one–in the form of malware invading laptops aboard the International Space Station (ISS).

In the article, “Houston, we have a virus” in The Register, “The infected machines were not considered mission critical, meaning they weren’t responsible for command and control. The NASA spokesman was unable to say if the infected laptops were connected to mission-critical systems.”

What if there are?

Security is not optional–it’s mandatory. Especially when lives are at stake.

Oscarbot.UG Eludes Detection with Intelligent Stealth

According to Panda Security, the Oscarbot.UG virus, first detected on August 17, 2008, uses intelligent stealth techniques to avoid detection.  “It deletes the original file from which it was run once it is installed on the computer. It uses several methods in order to avoid detection by antivirus companies [one of them being that it] terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMWare or VirtualPC.”

As reported by Help Net Security, the worm “stops running if it finds that it is being tried on virtual machines such as vmware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands).

The good news is that anyone running a virtual environment is safe from infection: The worm won’t run and when you shut down the virtual machine, it’s gone. The bad news is that malware using this type of intelligent stealth is on the rise, raising the bar for anti-malware researchers.

At what point do we switch from a reactive anti-malware approach (blacklisting) to a pro-active one (whitelisting)? The day is fast approaching (it may already be here) when the programs designed to protect us become so huge and so invasive that they prevent us from getting any useful work done.

The best way to combat malware would be to take the profit out of spam, phishing scams, and other cyber-fraud crimes.

I don’t have the answer for that one.

Software for Secure Computing: Keep Your Software up to Date

Though you probably don’t think of it as software, Microsoft Windows Update is a web-based application that’s a vital part of your secure computing initiative. As recently as last month, I had to clean up a system that had been severely infected with malware. One of the steps in my cleanup process was to check the service pack; turns out this user was still on service pack 1a because automatic updates had been turned off. (While some argue against it, I recommend that all home users turn them on; in a corporate environment, the IT department usually manages things.) If you’re still running XP, go ahead and install service pack 3.

That takes care of Windows, but what about security updates and patches for all of the other software on your system? Windows isn’t the only security risk — every application you run has potential issues. You need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system to discover commonly installed applications that need updates. It first looks for missing Microsoft updates then checks other software such as Apple QuickTime, iTunes, Adobe Flash Player, and Sun Java. My most recent online scan took less than three minutes and found 9 of 15 applications had missing updates. Needless to say, I patched them all.

Worth repeating: Keeping your system patched is a vital part of your secure computing initiative.

The Best Way to Avoid Spam

In the 1986 hit movie, The Karate Kid - Part II, the kid’s instructor, Mr. Miyagi, uttered this famous line: “Best way to avoid punch, no be there!” Good advice, indeed; it’s one of those universal pieces of truth that’s so obvious, it’s overlooked. The beauty of it is that it can be applied to anything. In this case, I’ll apply it to spam email, the electronic equivalent of a punch: “Best way to avoid spam, no have email address!”

That’s not exactly practical; we all have an email address. Some of us have several of them (at last count, I have at least nine addresses and I’m sure I’ve missed a couple somewhere). In my final installment of the “How to Secure Your Computer” series, “If Spam has You Irate, Obfuscate!” I gave examples of how you can make your email address unreadable by web bots. Well, that can be a bit of work, forcing you to cut and paste, and make other efforts that can quickly become tedious. There’s an easier way.

Enter Mailinator, the completely anonymous email address that you create on-the-fly when you need to enter an email address but don’t want to use your real one. From their site:

How do I create an account at Mailinator? It’s simple, you just send email to it. Temporary accounts are created when email arrives for them. First, you give out the mailinator email address you created, and then you check it. It’s that simple.

Do I have to sign up? No sign-up, you don’t even have to tell Mailinator you’re coming.

It’s a valid, working email address that you can check just by visiting the site. Of course, anyone can check it just by entering the address in the “Check your inbox” box. Not the best of situations, so they fixed it by providing alternate inbox names . In a nutshell, you use the alternate inbox name for your email address when you post it publicly. Anyone who enters the alternate inbox name will simply get a “no messages” message. Pretty slick.

The beauty of Mailinator is that it provides a valid email address; you can download stuff from and subscribe to those sites that require clicking links in confirmation emails without having to worry about exposing yourself to spam. Use the alternate inbox name or even a different email address every time you need one.

Best way to avoid spam, no have email address — or at least use one you can throw away at will. Either way, you avoid the punch and the security risk.

Software for Secure Computing: Secure Browsers

Two of the biggest mistakes Microsoft ever made were tying Internet Explorer into the Windows OS and ActiveX. Exploits took advantage of both and some of the nastiest malware ever written entered millions of PCs through these vectors. I’ll be the first to acknowledge that IE7 has enhanced security and MS has taken some of the hooks out of the OS, but the old adage, “Once burned, twice shy” is my operating basis. Yes, you can configure IE to be relatively secure, but it’s more work than the average user is willing to do. Why not just use a browser that’s relatively secure to begin with?

Some things still (unfortunately) require IE, so you’ll have to use it sometimes; but, for everyday use, I don’t recommend it.  Firefox 3 and Opera 9.5 are both inherently more secure than IE. Take your pick. Either way, you’ll be more secure on the Web.

New Article Series: Software for Secure Computing

I recently posted the last article in my How to Secure Your Computer series of security maxims (an eBook will be available shortly–stay tuned for details). While editing the book, I realized there’s a wealth of free and Open Source software available that can help anyone from the novice to the professional practice secure computing.

My “Nine Steps to System Security - 2008” (originally posted as “Seven Steps to System Security - 2004“) is the latest iteration of what is essentially the basis of all the maxims. It lays out a plan that’s been proven highly workable and will serve as a rough guide for the sequence of articles in the new series. The maxims will provide additional layers as the series develops.

At last count, there were 26 pieces of software mentioned in the main articles. Many of those will be grouped into a few general categories, but I believe the Software for Secure Computing series will be substantial.

First in the series will be “Software for Secure Computing: Secure Browsers.”