Security Corner


August 3, 2012  6:17 PM

Microsoft releases Attack Surface Analyzer 1.0

Ken Harthun

From the MSDN blog:

Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers. Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.

This isn’t merely a new toy to play with; it’s a serious tool for analyzing your Windows systems. I immediately added it to my toolkit and went off to check out our lab PCs at the college where I am Network Administrator.

The tool is meant to be run first on a freshly installed system with no applications on it, to capture a baseline scan of the attack surface (services, open ports, files, registry keys, ACLs and so on). Then you install your applications one at a time, run another scan after each install, and have the tool generate a report comparing the new scan against the baseline, so you can see exactly what each application added and how the attack surface is changing.
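The same baseline / install / rescan / compare loop can be scripted for a handful of items you care about most. What follows is an added example written for this post, not Microsoft's Attack Surface Analyzer or any code from it: it snapshots services, listening TCP ports, enabled scheduled tasks, Run/RunOnce autostart entries and inbound allow firewall rules to a text file, and diffs two such files. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection, Get-ScheduledTask and Get-NetFirewallRule) and an elevated prompt; the script and snapshot file names are placeholders.

```powershell
# Added example: a small attack-surface baseline/diff script (not Microsoft's ASA).
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
#
#   .\Compare-AttackSurface.ps1 -Snapshot C:\asa\baseline.txt
#   ... install the product ...
#   .\Compare-AttackSurface.ps1 -Snapshot C:\asa\product.txt
#   .\Compare-AttackSurface.ps1 -Compare  C:\asa\baseline.txt, C:\asa\product.txt
param(
    [string]$Snapshot,     # write a snapshot of the current attack surface to this file
    [string[]]$Compare     # two snapshot files: baseline first, product second
)

function Get-AttackSurfaceSnapshot {
    # Every item becomes one line of text, so snapshots are easy to store,
    # read and diff.
    $services = Get-CimInstance Win32_Service | ForEach-Object {
        "service|$($_.Name)|$($_.StartMode)|$($_.StartName)|$($_.PathName)"
    }
    $ports = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "listen|$($_.LocalAddress):$($_.LocalPort)|$proc"
    }
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        "task|$($_.TaskPath)$($_.TaskName)|$($_.Principal.UserId)"
    }
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                # PS* properties are provider metadata, not registry values
                if ($p.Name -notmatch '^PS') { "autorun|$key\$($p.Name)|$($p.Value)" }
            }
        }
    }
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        "fwrule|$($_.DisplayName)|$($_.Profile)"
    }
    @($services) + @($ports) + @($tasks) + @($autoruns) + @($rules) | Sort-Object -Unique
}

function Compare-AttackSurfaceSnapshot {
    param([string[]]$Baseline, [string[]]$Product)
    # Lines only in the product snapshot are attack surface the install added;
    # lines only in the baseline are things the install removed or changed.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Product | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($_.InputObject)"
    }
}

if ($Snapshot) {
    Get-AttackSurfaceSnapshot | Set-Content -Path $Snapshot -Encoding UTF8
    "Snapshot written to $Snapshot"
} elseif (@($Compare).Count -eq 2) {
    Compare-AttackSurfaceSnapshot -Baseline (Get-Content $Compare[0]) -Product (Get-Content $Compare[1])
} else {
    'Usage: -Snapshot <file>   or   -Compare <baseline>,<product>'
}
```

Take the baseline on a clean image before anything is installed, and keep it: every later product snapshot is compared against that same file, so a service that one installer adds and a later installer changes shows up as REMOVED/ADDED pairs rather than silently blending in.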

I’m going to put my student assistants to work on this next week and I’ll deliver a more comprehensive report on what I discover.

August 1, 2012  8:18 PM

It’s not nice to fool with Anonymous

Ken Harthun

It is an unprecedentedly boneheaded move, and one that a French company, Early Flicker, or E-Flicker, is certain to regret. They have registered the Anonymous headless-man logo and the slogan “We are Anonymous, We do not forgive, We do not forget. Expect us” with the French National Institute of Industrial Property (INPI). Apparently, E-Flicker plans to profit from merchandising; the registration also gives them the right to take action against anyone else who uses the logo.

Needless to say, Anonymous is not happy: “Their arrogance and ignorance of what they have done will not go unpunished,” Anonymous promised in a YouTube video. “Anonymous will take down any business they have going on the internet and the ninety nine per cent will not stop until the registration has been revoked and a public apology has been made. The name of Anonymous will not be the whore of the world.”

So far, pickapop.fr, E-Flicker’s website, appears to remain online, but I’m sure they can expect some mischief shortly. We’ll see how this plays out. Here’s the video: Anonymous speaks


July 31, 2012  10:00 PM

Redux: Security Baseline for Small Businesses

Ken Harthun

This story bears repeating. The more things change, the more they stay the same.

Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you; it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.

The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:

  • Physical access to servers, backup, and network equipment is restricted and controlled.
  • Backup power sufficient to allow for graceful shutdown of servers is in place.
  • The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
  • If wireless access is in use, it is secured with WPA2 (or at least WPA) using AES encryption; WEP and TKIP are not used.
  • File servers are protected by appropriate anti-malware applications.
  • Mail servers are protected by anti-spam software or this is implemented at the gateway.
  • Password policy requires strong passwords and periodic changes, and it is enforced.
  • Desktops use password-protected screen savers with a short timeout.
  • Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
  • Desktops have appropriate anti-malware applications installed.
  • Company policy regarding appropriate use of the Internet is in place and enforced.
  • Data is backed up and media is stored securely off-site.
  • Encryption is implemented and in use for the storage of sensitive information.
  • Procedure is in place for denying access to personnel upon termination of employment.
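Several of the items above can be checked on the desktop itself rather than taken on trust. The script below is an added example written for this post, not something the post or any vendor supplies: it audits the password policy in force, the locking screen saver, the host firewall, anti-malware registration with Security Center and BitLocker on the system drive, and prints a pass/fail table. It assumes a Windows 8/10 client with PowerShell 3 or later, run elevated as the logged-on user (screen-saver settings live in HKCU); the thresholds (12-character minimum, 15-minute timeout) are this example's own choices.

```powershell
# Added example: desktop-side audit of the small-business baseline (not from the post).
# Assumes Windows 8/10 client, PowerShell 3+, elevated, run as the logged-on user.

function Test-PasswordPolicy {
    # 'net accounts' shows the policy in force (the domain's, on a domain member).
    $text = (net accounts) -join "`n"
    $m = [regex]::Match($text, 'Minimum password length:\s+(\d+)')
    $minLen  = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
    $maxAge  = [regex]::Match($text, 'Maximum password age \(days\):\s+(\S+)').Groups[1].Value
    $lockout = [regex]::Match($text, 'Lockout threshold:\s+(\S+)').Groups[1].Value
    [pscustomobject]@{
        Check  = 'Strong password policy enforced'
        Pass   = ($minLen -ge 12) -and ($maxAge -ne 'Unlimited') -and ($lockout -ne 'Never')
        Detail = "minlen=$minLen maxage=$maxAge lockout=$lockout"
    }
}

function Test-ScreenSaverLock {
    # Per-user setting; a GPO writes the same value names under
    # HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead.
    $d = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    $timeout = if ($d.ScreenSaveTimeOut) { [int]$d.ScreenSaveTimeOut } else { 0 }
    [pscustomobject]@{
        Check  = 'Password-protected screen saver, 15 min or less'
        Pass   = ($d.ScreenSaveActive -eq '1') -and ($d.ScreenSaverIsSecure -eq '1') -and
                 ($timeout -gt 0) -and ($timeout -le 900)
        Detail = "active=$($d.ScreenSaveActive) secure=$($d.ScreenSaverIsSecure) timeout=${timeout}s"
    }
}

function Test-HostFirewall {
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    [pscustomobject]@{
        Check  = 'Host firewall enabled on every profile'
        Pass   = ($off.Count -eq 0)
        Detail = if ($off.Count) { "disabled: $($off.Name -join ', ')" } else { 'all profiles enabled' }
    }
}

function Test-AntiMalware {
    # Security Center registration exists on client SKUs only, not on servers.
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'Anti-malware registered with Security Center'
        Pass   = ($av.Count -gt 0)
        Detail = if ($av.Count) { $av.displayName -join ', ' } else { 'none registered' }
    }
}

function Test-SystemDriveEncrypted {
    $vol = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Check  = 'System drive encrypted with BitLocker'
        Pass   = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
        Detail = if ($vol) { "protection=$($vol.ProtectionStatus) encrypted=$($vol.EncryptionPercentage)%" } else { 'BitLocker not available' }
    }
}

$checks = @('Test-PasswordPolicy', 'Test-ScreenSaverLock', 'Test-HostFirewall',
            'Test-AntiMalware', 'Test-SystemDriveEncrypted')
$results = foreach ($c in $checks) { & $c }
$results | Format-Table Check, Pass, Detail -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object Pass).Count, $results.Count
```

The physical, backup, off-site and termination items on the list have no registry key to read; those still need a walk-through and a written procedure.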



July 30, 2012  3:42 PM

Hoax alert: “Invitation FACEBOOK – Olympic Torch”

Ken Harthun

If you receive the chain letter “Invitation FACEBOOK – Olympic Torch,” don’t waste your time forwarding it: it’s a hoax, variations of which have appeared in email boxes since 1998 or earlier. Big news items generally spawn such things, and the opening of the 2012 Summer Olympics in London is the origin of this one:

PLEASE CIRCULATE THIS NOTICE TO YOUR FRIENDS, FAMILY, CONTACTS!

In the coming days, you should be aware.....Do not open any message with an attachment called: Invitation FACEBOOK, regardless of who sent it. It is a virus that opens an OlympIc torch that burns the whole hard disc C of your computer.

This virus will be received from someone you had in your address book. That's why you should send this message to all your contacts. It is better to receive this email 25 times than to receive the virus and open it.

If you receive an email called: Invitation FACEBOOK, though sent by a friend, do not open it and delete it immediately. It is the worst virus announced by CNN.

A new virus has been discovered recently that has been classified by Microsoft as the most destructive virus ever. It is a Trojan Horse that asks you to install an adobe flash plug-in. Once you install it, it's all over. And there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information of their function is saved.

SNOPES SAYS THIS IS TRUE

http://www.snopes.com/computer/virus/facebook.asp

In case you are wondering, the line “Snopes says this is true” is generally itself a good indicator of a hoax. The link to Snopes – a well-known source of anti-hoax information – is legitimate, but if you follow it you’ll find the page says exactly the opposite, confirming that the email is false:

Don’t fall for it.


July 27, 2012  5:05 PM

New security feature in Firefox and Chrome speeds surfing

Ken Harthun

Oh, and did I mention that it also keeps you safer?

Both Firefox and Chrome now offer a security feature called “Click-to-play.” You will have to enable it yourself, since it is off by default in both browsers. Once it is on, plug-in content such as Flash or Java is no longer loaded automatically: the browser shows a blank placeholder where the content would be, and the plug-in runs only if you click it. Pages load faster because idle plug-ins never start, and a drive-by exploit aimed at a vulnerable plug-in cannot run unless you choose to play the content.

Gizmo’s Freeware provides these instructions:

How to enable Click-to-play in Chrome

  1. Enter “chrome://chrome/settings/content” in the Chrome address bar (without quotes)
  2. Scroll down the configuration page that opens to the Plug-ins section (shown in the figure)
  3. Click the button “Click to play”

Chrome plug-in configuration

How to enable Click-to-play in Firefox 14

  1. Enter “about:config” in the Firefox address bar (without quotes)
  2. Agree to be careful
  3. Scroll to the plug-ins section (shown in the figure below)
  4. Double-click the entry “plugins.click_to_play” so that the Boolean value reads “true”

Firefox plug-in configuration


July 20, 2012  6:52 PM

Why security managers need hands-on skills

Ken Harthun

This says it all (as things from SANS usually do), so I won’t belabor the point. This is the preamble to SANS NewsBites, July 17, 2012, Vol. 14, Num. 057:

Just heard the best answer ever to the question of whether security
managers need to have hands-on technical skills.  An Air Force Major was
complaining to an Air Force course director that the major didn’t need
to know networking and security taught in the intensive in house Air
Force course, “My people will do that; I never will; I am a manager.”
The course director asked the major, “Do you know what a router access
control list is?”
Major: “Yes.”
Course director: “Have you ever sat down at a terminal and written an ACL?”
Major: “No”
Course director: “Then how do you know your netadmin is doing it right,
when just one error in one line can stop all the traffic on your
network?”
Major: eyes wide
Course director: “And how do you know whether your netadmin isn’t
blowing smoke?”
Major: “Get me registered for the course.”

Alan

Alan Paller is director of research at the SANS Institute.
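The course director’s point, that one wrong line can stop all traffic, comes from how router ACLs are evaluated: top down, first match wins, and every list ends in an implicit deny. The script below is an added example, not part of the SANS preamble or any router configuration: a tiny ACL evaluator with exactly those semantics, run over the same three constructed test packets against a correct list, the same list with the deny entered first, and a list missing one permit. The line syntax (“permit|deny proto src dst [dstport]”, with “any” as a wildcard) is a simplified stand-in for IOS, not real IOS.

```powershell
# Added example: first-match ACL evaluation with implicit deny (not from SANS).
# Simplified line syntax, constructed ACLs and packets; not IOS configuration.

function Test-AclPermit {
    param([string[]]$Acl, [string]$SrcIp, [string]$DstIp, [string]$Protocol, [int]$DstPort)
    foreach ($line in $Acl) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }                       # blank or malformed line
        $port = if ($f.Count -ge 5) { [int]$f[4] } else { $null }
        $match = ($f[1] -eq 'any' -or $f[1] -eq $Protocol) -and
                 ($f[2] -eq 'any' -or $f[2] -eq $SrcIp)    -and
                 ($f[3] -eq 'any' -or $f[3] -eq $DstIp)    -and
                 ($null -eq $port -or $port -eq $DstPort)
        if ($match) { return ($f[0] -eq 'permit') }          # first match wins
    }
    return $false                                            # implicit "deny any any"
}

# Intended policy: the office PC may reach the web server on 443 and the
# resolver on 53; everything else hits the explicit deny.
$intended = @(
    'permit tcp 192.0.2.10 198.51.100.5 443',
    'permit udp 192.0.2.10 198.51.100.53 53',
    'deny   any any any'
)
# Same three lines, deny entered first: evaluation stops there, nothing ever
# reaches the permits, and every packet is dropped.
$denyFirst = @(
    'deny   any any any',
    'permit tcp 192.0.2.10 198.51.100.5 443',
    'permit udp 192.0.2.10 198.51.100.53 53'
)
# The other classic slip: a permit left out (here DNS), so the implicit deny
# silently eats name resolution and the users report that "the network is down".
$missingDns = @(
    'permit tcp 192.0.2.10 198.51.100.5 443'
)

$packets = @(
    @{ Src = '192.0.2.10';  Dst = '198.51.100.5';  Proto = 'tcp'; Port = 443 },   # web
    @{ Src = '192.0.2.10';  Dst = '198.51.100.53'; Proto = 'udp'; Port = 53  },   # dns
    @{ Src = '203.0.113.7'; Dst = '198.51.100.5';  Proto = 'tcp'; Port = 22  }    # outsider -> ssh
)

function Show-AclResult {
    param([string]$Name, [string[]]$Acl)
    foreach ($p in $packets) {
        $ok = Test-AclPermit -Acl $Acl -SrcIp $p.Src -DstIp $p.Dst -Protocol $p.Proto -DstPort $p.Port
        $verdict = if ($ok) { 'PERMIT' } else { 'DENY' }
        '{0,-12} {1,-12} -> {2,-14} {3}/{4,-4} {5}' -f $Name, $p.Src, $p.Dst, $p.Proto, $p.Port, $verdict
    }
}
Show-AclResult 'intended'    $intended
Show-AclResult 'deny-first'  $denyFirst
Show-AclResult 'missing-dns' $missingDns
```

The intended list permits the web and DNS packets and denies the outsider; the deny-first list denies all three; the missing-dns list permits the web packet only, which is the failure a manager who has never written an ACL will not recognise when it is described to them.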


July 16, 2012  10:59 PM

Yahoo Voices hack exposes worst passwords you could ever use

Ken Harthun

I hope that none of you, my readers, are using any passwords like these:

I have spent endless hours writing about best password practice and how to generate strong, unguessable passwords. I know many other writers in the security field are doing the same. Do people listen? Maybe some do, but as Graham Cluley, Senior Technology Consultant at Sophos says: “And yet, people continue to use passwords that are – quite frankly – dumb, and then compound the problem by using the same simple password in multiple places.”

The recent hack of Yahoo Voices presented another opportunity for someone to analyze the passwords that people tend to use. This from the Naked Security blog:

Scandinavian security blogger Anders Nilsson spent a little time with the Pipal password analysing tool, running it against the 450,000 plaintext passwords snatched by hackers from Yahoo Voices.

And what he found doesn’t inspire much confidence that users are getting the message about password security.

Sigh…
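For readers who want to run the same kind of analysis on a dump of their own (say, after cracking a sample of their domain’s hashes with management’s blessing), the script below is an added example, not Anders Nilsson’s Pipal run or Pipal itself: it computes the core statistics Pipal reports (most common passwords, character-class composition and length distribution) over a small constructed list that stands in for a leaked plaintext file.

```powershell
# Added example: Pipal-style statistics over a password list (not Pipal, not the Yahoo data).
# For a real dump:  Get-Content dump.txt | Get-PasswordStats -Top 10

function Get-PasswordStats {
    param(
        [Parameter(ValueFromPipeline = $true)][string[]]$Password,
        [int]$Top = 5
    )
    begin   { $all = New-Object 'System.Collections.Generic.List[string]' }
    process { foreach ($p in $Password) { if ($p -ne '') { $all.Add($p) } } }
    end {
        $n = $all.Count
        $groups  = @($all | Group-Object | Sort-Object Count -Descending)
        $topList = $groups | Select-Object -First $Top | ForEach-Object {
            [pscustomobject]@{ Password = $_.Name; Count = $_.Count; Percent = [math]::Round(100.0 * $_.Count / $n, 1) }
        }
        # Character-class tests; -cmatch is case-sensitive where case matters.
        $classes = [ordered]@{
            'lowercase letters only' = { param($s) $s -cmatch '^[a-z]+$' }
            'digits only'            = { param($s) $s -match '^[0-9]+$' }
            'lowercase + digits'     = { param($s) ($s -cmatch '^[a-z0-9]+$') -and ($s -cmatch '[a-z]') -and ($s -match '[0-9]') }
            'contains uppercase'     = { param($s) $s -cmatch '[A-Z]' }
            'contains symbol'        = { param($s) $s -match '[^A-Za-z0-9]' }
        }
        $composition = foreach ($name in $classes.Keys) {
            $test = $classes[$name]
            $c = @($all | Where-Object { & $test $_ }).Count
            [pscustomobject]@{ Class = $name; Count = $c; Percent = [math]::Round(100.0 * $c / $n, 1) }
        }
        $lengths = $all | Group-Object Length | Sort-Object { [int]$_.Name } | ForEach-Object {
            [pscustomobject]@{ Length = [int]$_.Name; Count = $_.Count }
        }
        [pscustomobject]@{ Total = $n; Unique = $groups.Count; Top = $topList; Composition = $composition; Lengths = $lengths }
    }
}

# Constructed sample standing in for a leaked list; not the Yahoo Voices data.
$sample = @(
    '123456', 'password', 'welcome', 'ninja', 'abc123', '123456', 'password',
    'sunshine', 'princess', 'qwerty', '123456', 'Password1', 'iloveyou',
    'p@ssw0rd', '123456', 'password'
)
$stats = $sample | Get-PasswordStats -Top 3
"Total: $($stats.Total)   Unique: $($stats.Unique)"
$stats.Top         | Format-Table -AutoSize
$stats.Composition | Format-Table -AutoSize
$stats.Lengths     | Format-Table -AutoSize
```

The composition table is the one worth watching in a real dump: when most of a list is lowercase letters only or digits only, a dictionary plus a few simple mangling rules will recover the bulk of it in minutes, which is why the “dumb password” problem is not merely embarrassing.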


July 16, 2012  12:55 PM

Humor: The first backup

Ken Harthun

I don’t know the exact source of this (unless its creator is the colleague who sent it to me, Kenneth Nelson), but my hat is off to the author.

Tablets, of course, are a vital component of Christian iconography, as the Old Testament tells us. On Mount Sinai, God gave Moses two tablets (of the analog kind) upon which the deity had inscribed the rules for his creations, a process which saw Moses on the mountain for 40 days and 40 nights without food or water.

But when Moses came down the mountain and discovered the Israelites cavorting around a golden calf, he smashed the tablets, burnt the idol, ground it up, mixed it with water, made everyone drink it, then ordered the killing of 3,000 of those Israelites who didn’t immediately side with him (Exodus 32:19-28).

Moses was then told to carve a new set of tablets, and upon them God restored the sacred text files from what was presumably a celestial backup, thus retiring history’s first recorded tablet tech-support ticket.


July 8, 2012  11:40 PM

Paper is still king for passing on your estate’s online assets

Ken Harthun

These two articles became the subject of a lot of thought and discussion on how to best pass on your electronic assets when you pass away:

How will you pass on your passwords when you pass away? Part 1
How will you pass on your passwords when you pass away? Part 2

In the process of figuring out my own system, I became aware of the existence of “electronic will” sites that will supposedly allow your loved ones to get your passwords and other online account information in the event of your demise. I advise against using such sites for two reasons:

  1. If the site disappears (despite what promises are made as to their plan for succession) and you die before you can find a replacement site, your loved ones are out of luck; and,
  2. If you fail to keep the site updated with changes, it’s useless.

This is why I say “paper is king.” You need to come up with a system that is relatively fail safe and that system needs to be committed to paper and placed in a safe deposit box or held by your attorney or other trusted person.

By “fail safe,” I mean a system that will allow your survivors to gain access to all of your important online assets even if you do not faithfully apply it. Yes, it has to be set up in such a way that someone could easily discover where your lapse occurred and recover your credentials. This isn’t the least bit difficult to do; in fact, it’s rather simple and I’ll present a full system in a future post.


July 6, 2012  1:12 PM

The Great Internet Blackout is coming July 9

Ken Harthun

If your PC is still infected with the DNSChanger malware, it will lose the ability to resolve domain names, and with it any useful access to the internet, as of July 9, 2012. According to the FBI, which seized the gang’s rogue DNS servers last November, there are still hundreds of thousands of infected computers. Clean replacement DNS servers were put in place under a court order so that infected machines would keep resolving names, but those servers go offline on July 9, at which point infected PCs will be unable to resolve any domain name.

You need to make sure your PC is not infected. You can do that with the check websites set up by the DNS Changer Working Group (DCWG), a cross-industry team of experts; the list is posted here. Check your router as well: DNSChanger also rewrote the DNS settings on small-office and home routers, and a router handing out rogue resolvers will take every PC behind it offline on July 9 even if the PCs themselves are clean.
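If you would rather check from the command line, or need to check a lab full of machines, the script below is an added example, not the DCWG’s checker: it reads the DNS servers configured on every IP-enabled adapter and tests each one against the six rogue address ranges published for DNSChanger. The ranges are reproduced here from the public FBI/DCWG advisory; verify them against the DCWG page before relying on them. It uses WMI so that it also runs on Windows XP with PowerShell 2, and it cannot see the router, so the router’s DNS settings still have to be checked by hand.

```powershell
# Added example: test configured DNS servers against the published DNSChanger
# rogue ranges (not the DCWG's tool). WMI-based so it runs on XP / PowerShell 2.

$RogueRanges = @(
    @{ First = '85.255.112.0';  Last = '85.255.127.255' },
    @{ First = '67.210.0.0';    Last = '67.210.15.255'  },
    @{ First = '93.188.160.0';  Last = '93.188.167.255' },
    @{ First = '77.67.83.0';    Last = '77.67.83.255'   },
    @{ First = '213.109.64.0';  Last = '213.109.79.255' },
    @{ First = '64.28.176.0';   Last = '64.28.191.255'  }
)

function ConvertTo-IpNumber {
    param([string]$Ip)
    # Dotted quad -> unsigned 32-bit value, so ranges can be compared numerically.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                 # network byte order -> little-endian host order
    [BitConverter]::ToUInt32($b, 0)
}

function Test-RogueDns {
    param([string]$Ip)
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # IPv4 only
    $n = ConvertTo-IpNumber $Ip
    foreach ($r in $RogueRanges) {
        if ($n -ge (ConvertTo-IpNumber $r.First) -and $n -le (ConvertTo-IpNumber $r.Last)) { return $true }
    }
    return $false
}

# DNS servers of every IP-enabled adapter, whether set by hand or by DHCP.
$servers = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder } |
    ForEach-Object { $_.DNSServerSearchOrder } |
    Sort-Object -Unique)

if ($servers.Count -eq 0) { 'No DNS servers configured on any adapter.' }
foreach ($s in $servers) {
    if (Test-RogueDns $s) { "ROGUE  $s   <- DNSChanger server: this PC, or the router feeding it, is infected" }
    else                  { "ok     $s" }
}
```

A PC that shows only its router’s private address (192.168.x.x, for example) as its DNS server is not cleared by this check; the router is doing the resolving, and its own upstream servers are what DNSChanger would have changed.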

Sophos also provided an informative video: How not to lose your internet connection

