Security Corner


October 23, 2010  11:21 PM

Bogus EFTPS Failure Notices are Result of AWeber Hack



Posted by: Ken Harthun
Hacking, spam, Spear phishing, Zero-day exploit, Zero-day vulnerability

I just got this from a friend of mine, Arindam Chakraborty, who is also a fellow Internet marketer: Warning About EFTPS Tax Phishing Emails!Like me and many, many other marketers, he uses AWeber Communications email marketing service to manage his subscriber lists. It seems that AWeber was hacked last Saturday. Here is their official notice: Email Subscriber Data Accessed; What We’re Doing About It. Here’s an excerpt.

Over the weekend, AWeber was the target of a deliberate and successful attempt to mine email addresses.

On Saturday, October 16th, an unknown person gained unauthorized access to databases containing email subscriber information.

This incident appears to be part of a broader series of similar successful attacks on a number of email service providers (ESPs).

This happened 2009 December as well:

December 21, 2009

AWeber was recently the victim of an intentional attack to mine email addresses.

We’d like to take this opportunity to share what happened, what was (and was not) affected and what we’re doing as a result of this attack.

Apparently, the attackers found a zero-day vulnerability in AWeber’s systems, though they’re not saying exactly what that was:

On a daily basis, a few thousand attempts are made to attack AWeber. This sounds like a lot (and it is), but it’s no different at any other sizable web-based application.

We use a combination of in-house and third-party security solutions to scan our network for possible “holes” in security, and to monitor, block and analyze the many attempts made to gain unauthorized access to AWeber. On the whole, these solutions are very good at what they do and this approach serves us well. Unfortunately, both the in-house and third-party solutions failed to detect or stop this particular attack.

I’d sure like to know what those “third-party solutions” are so I can patch them if they exist on any of my clients’ systems!

October 20, 2010  11:50 PM

Seven Ways to Detect System Intrusions



Posted by: Ken Harthun
Hacking, Intrusion detection, security awareness, Security practice

One of the services I provide to clients is proactive server and network maintenance. Part of my monthly routine involves checking to make sure that the security measures remain effective and haven’t been compromised. For the longest time, I had a series of five things I checked. One day, while researching a security issue, I stumbled upon SANS’ excellent cheat sheet, Intrusion Discovery Cheat Sheet v1.4 for Windows. I noticed that they specified two additional things to check, so I added those to my list as well. (It’s gratifying when such a respected authority as SANS Institute publishes something that validates what you have been doing.) Here are the checks and the order I do them in:

  1. Event logs: Anything unusual or suspicious in any log gets my attention. I am particularly sensitive to entries in the security log.
  2. Running processes and services: I sort task manager processes by user name and look for anything unusual (SANS recommends checking the performance for anything unusual). Then I examine the services using both net start and services.msc commands.
  3. Network usage: I look for unusual shares, open sessions, listening ports and NetBIOS over TCP/IP activity. Anything that doesn’t look normal is suspect.
  4. Registry keys: Strange entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Runonce and RunonceEx are suspect.
  5. File system: Unusually large files and sudden disk space changes can indicate system compromise.
  6. User manager: The SANS cheat sheet says to look for new, unexpected accounts in the Administrators group.
  7. Scheduled tasks: SANS recommends using both the command line and GUI for look for unusual scheduled tasks, especially those that run with Administrator privileges, as SYSTEM, or with blank user name. The cheat sheet also recommends checking autostart items in msconfig.exe.

This is by no means a comprehensive list of security checks, but if there has been a system intrusion, some indication is likely to be found in one or more of the above items. Sys Admins generally get a feel for how their systems operate and often simply “get the feeling” that something isn’t right. It certainly happens to me sometimes; that’s when I start looking for unusual behavior. Often, it turns out to be nothing, sometimes I catch something before it becomes an issue.

These checks can be applied to any system including workstations. You can even do them on your personal computers. If you’re not already doing checks like these, I highly recommend you start. You’ll enjoy even greater peace of mind if you do.


October 20, 2010  5:49 PM

Why Trusting Users With Security is a Bad Idea



Posted by: Ken Harthun
cyber security, Security policy, Security practice

I have seen it happen time and again; I educate the people I support about proper security practices and they go on and do dumb things anyway. Trusting users with security is a bad idea. It’s a bad idea because it doesn’t work. Security is hard. It takes thought and effort. People don’t want to have to think about it. They want instant gratification and they want it to be easy.

So, what’s the solution? Do we lock everything down so it’s impossible to get in trouble? That has been proven unworkable. Do we switch to dumb terminals for mission-critical apps? Perhaps, but that’s cost prohibitive for small businesses.

The solution that works for my clients is a simple one:

  • There is an Internet usage policy in place and incorporated into the employee’s employment agreement; it is strictly enforced.
  • Server-based anti-malware with real time threat monitoring and notification is in place.
  • Proven anti-spam filtering is in place.
  • URL filtering is in place to block known malicious and prohibited sites.

In the last five years, where the above is implemented, I have had to respond to a security incident on only one occasion and that one was an internal breach by an employee who attempted to steal a customer list.


October 18, 2010  3:15 PM

Bogus EFTPS Failure Notices are Spear Phishing Attempt



Posted by: Ken Harthun
IRS Phishing, Phishing, spam, Spear phishing

Beware of this one, but it doesn’t take much to spot it’s a fake. Look at all the typos! There are so many of them, it’s almost funny. Can you believe that anyone would fall for something like this? Sad, but true, people are probably being duped by this right now.

I got 13 of these this morning, all with different headlines. They appear to be spear phishing attempts, as they reference “Cmopany Identifiaction Feild.” The links point to various TLDS in Romania, Hungary, Russia, Thailand, Estonia, Germany, even one in France.

If you click the link, you go to a page that appears to start Java (probably a keylogger app) and then you are redirected to the real EFTPS site.

EFTPS ONLINE
THE ESAIEST WAY TO PAY YOUR FEDREAL TAXES

Your Federal Tax Payment ID: 01037593731 has been not accepted.


Plaese, make sure that all informtaion you have sumbitted is corerct and refer to Code R21 to find out the informtaion about copmany payemnt. Plaese cnotact this page if you have any questions:
(Link Removed)

Rteurn Reason Code R21 – The identifiaction nmuber you enetred in the Cmopany Identifiaction Feild is not functional. Try sedning infromation to your acocuntant adivser using other optoins.

EFTPS: The Electronic Federal Tax Payment System

WARNING!
You are uisng an Official United States Government System, which may be used only for auhtorized purposes. Unauthorized modification of any information stored on this ssytem may result in criminal prosecution. The Govermnent may monitor and audit the usage of system, and all presons are hereby notified that the use of this system constittues cosnent to such monitoring and auditing. Unauthorized attempts to upload inofrmation and/or change information on this web site are stritcly prohibited and are subject to prsoecution under theCmoputer Farud and Abuse Act of 1986 and Title 18 U.S.C. Sec. 1001 and 1030.


October 15, 2010  1:38 AM

Who’s Up for a Password Challenge?



Posted by: Ken Harthun
Password, Password Contest, Security

Let’s have a password contest, shall we?. There are two entry categories: The Top Ten List of Worst Passwords; and, the Strongest Short Easy-to-remember Password . One First Prize winner in each category will get a free copy of my Geek Toolkit. Here are the rules:

Top Ten List of Worst Passwords: Compile your own Top Ten List of the worst passwords you’ve seen in actual use, not just read about. On your list, give details without compromising the confidentiality of the person who used. it. I will compare that with my list. The person whose list matches the most entries on my list wins. If there are ties, everyone wins.

Strongest Short Easy-to-remember Password: In ten characters or fewer, come up with a strong password that is also easy to remember. Random strings are not allowed, i.e., I won’t accept Xcy4lmO3az. I will judge the strength of the passwords using my Password Meter at Ask the Geek. You must tell me what makes the password memorable to you. For example, can you write down a password hint that means nothing to me, but that tells you what the password is? If there are ties, everyone wins.

You may send an entry for either or both categories, but they must be in separate emails. Use my secure contact form at Ask the Geek to enter (http://askthegeek.kennyhart.com/index.php/ask-a-question/). Deadline is November 1, 2010.

Results will be published.

Good luck!


October 13, 2010  12:36 AM

Microsoft’s Patch Tuesday is Biggest Ever



Posted by: Ken Harthun
Critical update, Microsoft, Patch management, Patch Tuesday, Vulnerabilities

Sixteen bulletins, four of them critical, patching a total of 49 vulnerabilities, comprise today’s round of patches for Microsoft’s largest ever Patch Tuesday breaking it’s previous record of 34 in 2010 August. Nine of the patch bulletins describe vulnerabilities which can be remotely exploited to inject and execute code on a victim’s system. The updates are likely to plug two vulnerabilities used by Stuxnet to elevate its privileges on infected systems.

Stuxnet was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. According to a PC World report, “… Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.”

See Microsoft Security Bulletin Advance Notification for October 2010.


October 10, 2010  1:54 PM

Five Poor Security Practices That Hackers Exploit



Posted by: Ken Harthun
cyber security, security audits, Security best practice, Security policy

Security audits are vital if you plan to keep your network safe in today’s environment. It doesn’t have to be complicated. Here are 10 of the most common poor security practices that hackers exploit.

  1. Using weak passwords – Don’t even get me started on this one! Most of the time it’s easy to guess someone’s password because they don’t follow good password procedures. Articles abound, including many of my own on the subject. Ramp up that password strength.
  2. Lack of web and email filtering – Trojan horses delivered via drive-by downloads and links in spam are common. Web filtering (OpenDNS is a good one to use, and free, to boot) and good spam filtering go a long way toward preventing both. Links pointed to known malware/phishing sites will be caught and stopped before doing any damage.
  3. Not changing defaults – We’ve all been guilty of this one, from not changing the administrator account name to installing operating systems and applications in their default directories. Don’t forget about default passwords on routers, switches and other network equipment; these are all published and freely available on the Internet.
  4. Using unsecured wireless networks – Anything traveling in the clear, especially over a wireless network, is subject to sniffing and capture. It’s trivial to capture usernames and passwords when they’re not encrypted. This is particularly true on publicly-accessible wireless networks.
  5. Failure to apply security updates – Nearly all malware is designed around specific security vulnerabilities in operating system and application software. If these vulnerabilities are patched on every system in your network, the malware is impotent. It’s also vital that you stay up on the security news for notices of zero-day exploits; complacency about security is dangerous.

While there is much more that can and must be considered in a serious security audit, these five things will go a long way toward making your network much safer and more difficult to attack.


October 8, 2010  11:55 PM

It’s National Cybersecurity Awareness Month in the U.S.



Posted by: Ken Harthun
cyber security, microsoft security essentials, National Cybersecurity Month

In the US, it’s currently National Cybersecurity Awareness Month, which is an initiative sponsored and promoted by the Department for Homeland Security.

October 2010 marks the seventh annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace.

In honor of this event, I post my all-time evergreen security tips:

  1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind – NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes – ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
  2. Although Internet Explorer has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
  3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, – especially Microsoft Office – not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
  4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall – it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
  5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus. Microsoft Security Essentials is now my hands-down favorite, however.
  6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend you run Malware Bytes Anti-malware. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
  7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications.
  8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system – they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
  9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.


September 30, 2010  11:59 PM

LinkedIn Target of Spam Intended to Infect Users with Zeus Trojan



Posted by: Ken Harthun
Cybercrime, LinkedIn, spam, Zeus Trojan

On Monday, some members of the business social network LinkedIn were emailed LinkedIn Alert messages with a link that masqueraded as a contact request. It was the largest such attack known to day. Cisco reports in a blog post:

Clicking the link takes victims to a web page that says, “PLEASE WAITING…. 4 SECONDS,” and redirects them to Google. During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download.

It is thought that the attackers were targeting business users who would likely have financial responsibility in order to gain access to funds in bank accounts. In case you’re not familiar with what Zeus does, here’s info from Wikipedia:

Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

It is still active in 2010. On July 14, 2010, security firm Trusteer filed a report which says that the credit cards of more than 15 unnamed US banks have been compromised.[8] A recent outbreak is being called Kneber.

Better be careful and delete any suspicious items if you are a LinkedIn member.


September 30, 2010  6:22 PM

Breaking News: PandaLabs Publishes Interview with “Anonymous” Group Behind Operation Payback



Posted by: Ken Harthun
anti-piracy laws, cyber security, DDoS, Hacking, RIAA

PandaLabs has just published an exclusive Q&A with the leaders of the “Anonymous” group responsible for the anti-piracy motivated attacks against the Motion Picture Association of America, Recording Industry Association of America and others over the past week.

You can find the entire Q&A on the PandaLabs blog: http://pandalabs.pandasecurity.com/an-interview-with-anonymous/

The group’s spokesperson, when asked about their mission stated:

To fight back against the anti-piracy lobby. There been a massive lobbyist-provoked surge in unfair infringements of personal freedom online, lately. See the Digital Economy Bill in the UK, and “three strikes” legislation in the EU which both threaten to disconnect internet connections based on accusations supplied by the music and movie industries. In the USA, a new bill has been proposed that could allow the USA to force top level registrars such as ICANN and Nominet to shut down websites, all with NO fair trial. Guilty until proven guilty! Our tactics are inspired by the very people who provoked us, AiPlex Software. A few weeks back they admitted to attacking file sharing sites with DDoS attacks.

It’s apparent that the attacks are going to continue. The spokesperson said, “We will keep going until we stop being angry.”

I wouldn’t want to be in the IT department of the targets!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: