For years, I have given advice to everyone that the first line of security for your home PCs is a NAT router between your home network and the Internet. While that is still true, there is one situation where the protection normally afforded you by the router is non-existent, leaving your public IP address visible to the world and your home network open to attack. I have actually observed the phenomenon I will describe in a moment, so I know it is an issue and something you should know about. It’s highly unlikely it could be exploited on any large scale, but it’s possible, so something worth discussing. In any event, the concept is out there, so someone is sure to try it.
This reader question came up in Security Now! Episode 133:
Question #5, Sami Lehtinen…from Helsinki, Finland makes a GREAT observation about dangerously leaky “hardware” firewalls. He says: I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily….
While the router is booting – it’s quite a long process – parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns….
What Sami discovered is that you are directly connected to public Internet for about a minute while the router reboots. Steve Gibson concurs and proposes his solution, which I wholeheartedly endorse:
So this is a very real problem. What, I mean, the takeaway from this actually is to – what I would do is, and I’m probably going to do it from now on, I don’t reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside….
For years I have trusted CNET’s download.com as a trustworthy place to download software, but some recent news has made me rethink my position. Seems that according to Brian Krebs, “…CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.” Egad! While I am usually careful to pay attention to what an installer is wanting me to do, I prefer such stuff not be offered to me in the first place.
SANS reports: “The president of Download.com has apologized for bundling Nmap open source network scanning software with an installer that changed browsers’ home pages and default search engine. Nmap developer Gordon Lyon said that the bundling violated the Nmap distribution license. The installer in question has been removed.”
CNET, get your act together or us Geeks will stop relying on you altogether as a trusted source of both information and software.
I checked out an interesting site, malwarecity.com, courtesy of one of my fellow Net Admins’ assistants. He referred me to a post about a malware removal tool that targets the most important infections identified in November. The tool, in both 32-bit and 64-bit versions, is provided by Bitdefender. You can read the post here.
I haven’t tested the tool and have had just a quick browse of the Malwarecity site, but it sure looks like true security Geek stuff. Makes sense, as the site is powered by Bitdefender.
Unfortunately, the list of the top 100 wasn’t yet posted on the download page as promised. I’ll try to check back and revise this post as soon as it shows up.
A study by Accuvant Labs, commissioned by Google, has concluded that of the top three browsers, Chrome, Internet Explorer and Firefox, Chrome is the most secure. Internet Explorer ranks second and Firefox comes in third. Accuvant took a different approach than previous comparisons that relied on historical vulnerability statistics and URL blacklist services favoring instead a more comprehensive look that included sandboxing, plug-in security, JIT hardening, address space layout randomization (ASLR), and data execution prevention (DEP) as well as URL blacklist services. They concluded:
The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.
The 140-page report is highly informative, especially if you want to get your security geek on.
Better, but I’m not there yet. Truth is, I haven’t been working on the existing passwords and there are now many, many sites that I no longer even log into. I did my first LastPass Security Challenge on July 11, 2010 and reported on it in this article: I Just Scored 55.7% on the LastPass Security Challenge. Here are my key results this time:
Top strength rating for passwords is 100% – my average is 63.9% Yikes!
24 unique passwords are used on more than one site – a definite no-no.
101 sites are using duplicate passwords – some of these are OK, but poor practice.
29 of my passwords score below 50% strength rating.
Average password length is 9.1 characters – 10 characters would be better.
One key factor that has greatly improved: Multifactor Authentication Score is 7/10. That’s probably due to my using the Yubikey.
There has been a furor today over some Columbia University researchers’ claims that certain HP printers can be compromised by hackers via “Remote Firmware Update” and made to overheat or catch fire. This article on redtape.msnbc.com is the first one I was aware of and leads with:
Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?
It’s not only possible, but likely, say researchers at Columbia University, who claim they’ve discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.
You can read the article and decide for yourself it this is a real threat or just sensational journalism. My take is that I’m not going to worry about it unless it starts happening in the wild. Naturally, HP responded and while I’m no HP apologist, I tend to view their stance as justified. You can read HP’s statement which leads with:
Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.
HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall.
HP says it is working on a firmware upgrade to address the security vulnerability.
The cyber-criminals are getting pretty good at perpetrating their phishing scams. Even those of us in the know sometimes have trouble spotting them. Find out how well you fare in the OpenDNS Phishing Quiz:
“Ever wonder how good you are at telling the difference between a legitimate website and one that’s a phishing attempt? Take this quiz to find out how well you can identify which websites are real and which ones are really good at stealing your personal information. Vote for each website you see as either “Phish” or “Real.” When you’re done, we’ll tell you how you did. Good luck!”
Here are my results:
Congrats! You correctly identified 5 out of 10 websites in the OpenDNS phishing ID quiz!
Nice work! You’ve got a good eye for what’s legitimate and what isn’t. If you haven’t already, consider setting up OpenDNS for those times when you think the website you’re about to head to is real… but aren’t quite sure.
Everyone involved in cyber security (which should be every one of us working in the IT field) should find this video from security firm Sophos quite interesting. It outlines latest trends in cyber crime, what you can do to protect yourself, and how the government can work with the private sector to help share information. Speakers include Michael Kaiser of NCSA, Chester Wisniewski of Sophos Inc and Rob Strayer of the Bipartisan Policy Center. It’s more than 1.5 hours long, so grab a beverage of choice, sit back and relax.
[kml_flashembed movie="http://www.youtube.com/v/nl9M0B3hNec" width="425" height="350" wmode="transparent" /]
With the kickoff to holiday shopping the day after US Thanksgiving–“Black Friday” as it is commonly known–come the spammers, scammers and thieves. There will undoubtedly be waves of fake gift card deals and other “click candy” full of scams and malware. A big one floating around right now is a fake iTunes gift certificate. It arrives with the subject line “iTunes Gift Certificate” and contains an attachment that is supposedly the gift code. The attachment is a ZIP file containing malware. (Sophos detects this file as Mal/BredoZp-B.)
This is nothing new; we always see such things around the big holidays. But there are a few things you can do to avoid getting fooled. Here’s a list from Sophos’s Naked Security Blog:
Here are some other things to watch out for, adapted from a list posted by USA Today:
* Beware bogus forms. Beware emails and pop-up messages that ask you to type your account username and password, credit card number or personal information such as Social Security number and date of birth. Legitimate organizations don’t solicit sensitive information via email.
* Don’t blindly believe urgent, personalized warnings. Phishers often claim that you need to take urgent action with official organisations such as IRS (taxation), Social Security or the Department of Motor Vehicles.
* Don’t fall for that cute-baby photo. Even if you recognise the sender’s name, don’t open attachments. Distrust all email until and unless you’ve verified that the sender actually intended you to get the message and can vouch for its content.
Have a Happy Thanksgiving and stay safe out there!
After a bit of a hiatus on my studies for various certifications, I have gotten back into the swing of things and found a bit of wisdom that I wanted to share. From a Network Admin perspective, here are five essential password policies that will help you mitigate the threat of password attacks on your network:
- Do not allow the same password to be used on multiple resources. If an attacker manages to get one password, he will then have them all if the same password is used on more than one resource.
- Lockout a user account after a set number of failed login attempts. This defeats brute force password cracking attempts.
- Do not allow cleartext storage of passwords. Self-explanatory.
- Use strong passwords. Repeat: use strong passwords. Alternative: encourage passphrases. “mykittenpreferswhiskas” is very unguessable, but easily remembered.
- NEVER, NEVER, NEVER allow default passwords to remain on devices on your network. “Admin/admin” is too easy and is one of the first things a cracker will try. On any new device, immediately change the default username and password.
Seriously, these are so obvious that I haven’t even written about them all in one post before. I confess that I have sometimes forgotten one or more of them.
Don’t get complacent. Fix these now.