Five Poor Security Practices That Hackers Exploit

Security audits are vital if you plan to keep your network safe in today’s environment. It doesn’t have to be complicated. Here are 10 of the most common poor security practices that hackers exploit.

1. Using weak passwords – Don’t even get me started on this one! Most of the time it’s easy to guess someone’s password because they don’t follow good password procedures. Articles abound, including many of my own on the subject. Ramp up that password strength.
2. Lack of web and email filtering – Trojan horses delivered via drive-by downloads and links in spam are common. Web filtering (OpenDNS is a good one to use, and free, to boot) and good spam filtering go a long way toward preventing both. Links pointed to known malware/phishing sites will be caught and stopped before doing any damage.
3. Not changing defaults – We’ve all been guilty of this one, from not changing the administrator account name to installing operating systems and applications in their default directories. Don’t forget about default passwords on routers, switches and other network equipment; these are all published and freely available on the Internet.
4. Using unsecured wireless networks – Anything traveling in the clear, especially over a wireless network, is subject to sniffing and capture. It’s trivial to capture usernames and passwords when they’re not encrypted. This is particularly true on publicly-accessible wireless networks.
5. Failure to apply security updates – Nearly all malware is designed around specific security vulnerabilities in operating system and application software. If these vulnerabilities are patched on every system in your network, the malware is impotent. It’s also vital that you stay up on the security news for notices of zero-day exploits; complacency about security is dangerous.

While there is much more that can and must be considered in a serious security audit, these five things will go a long way toward making your network much safer and more difficult to attack.

It’s National Cybersecurity Awareness Month in the U.S.

In the US, it’s currently National Cybersecurity Awareness Month, which is an initiative sponsored and promoted by the Department for Homeland Security.

October 2010 marks the seventh annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace.

In honor of this event, I post my all-time evergreen security tips:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind – NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes – ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, – especially Microsoft Office – not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall – it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus. Microsoft Security Essentials is now my hands-down favorite, however.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend you run Malware Bytes Anti-malware. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system – they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

LinkedIn Target of Spam Intended to Infect Users with Zeus Trojan

On Monday, some members of the business social network LinkedIn were emailed LinkedIn Alert messages with a link that masqueraded as a contact request. It was the largest such attack known to day. Cisco reports in a blog post:

Clicking the link takes victims to a web page that says, “PLEASE WAITING…. 4 SECONDS,” and redirects them to Google. During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download.

It is thought that the attackers were targeting business users who would likely have financial responsibility in order to gain access to funds in bank accounts. In case you’re not familiar with what Zeus does, here’s info from Wikipedia:

Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

It is still active in 2010. On July 14, 2010, security firm Trusteer filed a report which says that the credit cards of more than 15 unnamed US banks have been compromised.^[8] A recent outbreak is being called Kneber.

Better be careful and delete any suspicious items if you are a LinkedIn member.

Breaking News: PandaLabs Publishes Interview with “Anonymous” Group Behind Operation Payback

PandaLabs has just published an exclusive Q&A with the leaders of the “Anonymous” group responsible for the anti-piracy motivated attacks against the Motion Picture Association of America, Recording Industry Association of America and others over the past week.

You can find the entire Q&A on the PandaLabs blog: http://pandalabs.pandasecurity.com/an-interview-with-anonymous/

The group’s spokesperson, when asked about their mission stated:

To fight back against the anti-piracy lobby. There been a massive lobbyist-provoked surge in unfair infringements of personal freedom online, lately. See the Digital Economy Bill in the UK, and “three strikes” legislation in the EU which both threaten to disconnect internet connections based on accusations supplied by the music and movie industries. In the USA, a new bill has been proposed that could allow the USA to force top level registrars such as ICANN and Nominet to shut down websites, all with NO fair trial. Guilty until proven guilty! Our tactics are inspired by the very people who provoked us, AiPlex Software. A few weeks back they admitted to attacking file sharing sites with DDoS attacks.

It’s apparent that the attacks are going to continue. The spokesperson said, “We will keep going until we stop being angry.”

I wouldn’t want to be in the IT department of the targets!

Beware McDonald’s Survey Phishing Attempt

This phishing attempt started showing up in my inbox around the end of last month and since then, I’ve seen it three times, each with different links. The text of the emails is always the same:

Dear customer,

Please give us only 5 minutes of your valuable time to ask you some questions about our products . Please be aware that we will not ask you about any personal information.

In return, we will credit $90.00 to your account - just for your time.

If you want to answer our simply 8 questions , please click the link below:

http://remo.ved.uri.edu/.mcdonalds.com/survey/index.html

Thank you for helping us to become better.

Sincerely, McDonald's Survey Department.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.

The link takes you to a page with survey questions that looks legitimate and when you submit your answers, you arrive at this page:

Looks like they’re going for full-blown identity theft information, not just simple credit card fraud. I feel sorry for the poor souls who fall for this one.

Be sure to warn your family and clients about this one.

A Pleasant Surprise at CVG – LilyPad Free Wireless

When I think “free wireless Internet access,” I think I won’t use it for anything sensitive and I’ll make darned sure that any email logins, etc. show https:// in the URL. So, you can imagine my delight when I connected to the free LilyPad wireless at the Greater Cincinnati/Northern Kentucky International Airport last week and found that it uses a secure proxy. You can conduct any business you want and know that you’re doing so securely. I was able to take advantage of some down time at the terminal to catch up on some business I would not have otherwise been able to conduct.

I love it when people “get” security and do it right from the start. What a pleasant surprise.

So, I have to plug LilyPad. Here’s info from their site:

Lily Pad is a 100% volunteer initiative, led by Give Back Cincinnati and supported by key business partners, government leaders and academic representatives. Project Lily Pad is one of many city-wide projects to create an environment that attracts mobile “creatives” to the Greater Cincinnati area. Project Lily Pad will foster a vibrant community and enhance the quality of life in the region, while allowing access to data anytime, anywhere.

Project Lily Pad is part of an effort to improve our ability to attract the creative class and raise national awareness that the Greater Cincinnati area is a tech-savvy region. Attracting and creating people to the region is critical, as it will promote economic growth, facilitate research efforts at our regional universities and businesses, and improve educational opportunities to under-represented communities.

Very cool, and something I’m going to look into further.

Hotmail Phishing Attempt

I have to admit this one is good enough that I opened it, but as soon as I started reading, its true intent was obvious. By the second sentence, it doesn’t even make sense anymore. Not only that, but another telltale sign is the way the headline is constructed. See for yourself:

Why anyone ever falls for these is beyond me, but I know that people fall victim to these things every day.

Don’t let your family and clients become victims. Teach them what to look for and how to avoid these attempts and once you’ve taught them, remind them on a regular basis.

ClearCloud: Another Safe Computing Solution

Back in 2010 June, I posted Sunbelt’s ClearCloud DNS Sneak Peek. At that time, only one server was available. Now, ClearCloud DNS is officially in Beta.

You can configure your DNS settings to use ClearCloud with the following IP addresses: Preferred DNS server: 74.118.212.1; Alternate DNS server: 74.118.212. You will find complete instructions for Windows, Macintosh and router configuration here. They also provide a utility that allows you to automatically enable and disable ClearCloud at the click of a button. This can be handy if you run into a blocked site that you actually need or want to load.

Similar to OpenDNS, ClearCloud DNS is a free service that checks every website address your computer is trying to access; unlike OpenDNS, ClearCloud DNS does not provide content filtering as its intent is to be a security device to keep your computer safe from malicious sites. Here’s what they say:

As such, we do a lot more research on sites that try to steal information from you, download malicious files onto your machine, trick you into buying useless programs, and other similar functions. We block a lot more sites that are malicious because that’s what we concentrate on. We process up to a million potential threats a day, and capture any URLs that real threats “phone home” to. We also actively search out malicious sites and have other systems in place to identify who the bad guys are.

It would appear that you now have to make a choice between content filtering and blocking of malicious sites. I don’t know of any way to query two servers at the same time without some major shenanigans.

After you’ve configured ClearCloud, you can test it with 2 pages to verify that it’s working:

test.ssdsandbox.net – ClearCloud block page

clearcloudtest.ssdsandbox.net – Test page – You should see the ClearCloud logo on this page.

Disable and Delete Flash Cookies for Good

You’ve disabled third-party cookies and locked down your privacy settings. Ever wondered why you are still tracked? You’ve probably got scores of “super cookies,” also known as Local Shared Objects (LSO) or Flash cookies. Maybe you’ve heard about these and used Adobe’s own tools, Adobe Global Storage Settings Panel, to disable and delete them, but they just seem to keep coming back. Suspicious. In Security Now! Episode 266, Steve Gibson talks about the problems he’s noticed:

So I went back over to the Flash configuration. And just using that UI, I disabled these again. I went through the various tabs, noting that there were more of them now than there used to be. And when I went back to the first tab where I turned it off, it was already turned on again. So I’m really annoyed by this. I don’t know, I haven’t tracked down what’s going on. But I’ll just tell people, you think you’ve turned this off, check back the next day and see if it stays off because something is turning it back on.

Enter BetterPrivacy, a safeguard which protects your system from these super cookies:

Better Privacy serves to protect against non-deletable long term cookies, a new generation of ‘Super-Cookie’, which silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. Concerning privacy Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them – since browsers are unable to do that for you.

I installed the add-on just see what was on my system and was greeted with a message on exit–that’s when BetterPrivacy does its work, by default–that it was about to delete 879 LSOs. Wow! That’s a lot of super cookies, but really not surprising considering the number of Flash videos I encounter on the web.

When you install the add-on, a new item appears under the Tools menu: BetterPrivacy. This control panel allows you to configure the add-on to perform according to your preferences. Explore the options and you’ll see what you can do.

This add-on doesn’t replace using Adobe’s tool to disable the cookies in the first place, but in the event Adobe’s shenanigans re-activate the “feature,” this tool will let you know about it right away.

Who Else Has Had It With Adobe?

I'm fed up with Adobe!

There are those of us who haven’t used Adobe’s Acrobat Reader in years, choosing alternatives like the free FoxIt Reader, or Open Source Xpdf instead. My reason at first was simply that Acroreader is bloatware, took forever to load and used up too much memory; these days, my reason includes the terribly insecure software Adobe insists on releasing. Unfortunately, it’s hard to get away from Flash on the web, but there is an alternative player/plugin that I’ll talk about in a moment. And here we go with business as usual:

Security Advisory for Flash Player

Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
Platform: All

Summary

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We’ll have to wait until the week of September 27, 2010 for the Flash patch, and the week of October 4, 2010 for the Reader/Acrobat patches.

What can you do? Unless you absolutely have to have Reader/Acrobat for some reason, switch to an alternative such as one of those I mentioned above. FoxIt Reader integrates nicely with Firefox. There’s another FF add-on that’s an alternative to Adobe: gPDF is a handy tool to view PDF, DOC, DOCX and PPT files online, using Google’s Docs Viewer.

Next, disable Shockwave Flash plugin. Download and install Swiff Player (current version 1.7), a Free stand-alone player that enables web designers and Flash users to easily play Flash movies. When you install it, it also becomes the default player for .swf files on the web. Sweet, eh? Swiff Player is very fast, too. This won’t eliminate Flash (Swiff Player requires it), so I’m not sure exactly what is gained, but it’s an extra layer for hackers to penetrate, so it just might break a Flash exploit by introducing a misdirection.

Anyone have any thoughts on this?