Security Corner

April 13, 2010  1:16 AM

Microsoft Decides to Forgo Steady State Development – 77 Million PCs at Risk

Posted by: Ken Harthun
Microsoft, Microsoft steady state, Opinion, Public Computers, Windows Steady State

Thanks to Windows Secrets Newsletter for alerting me to this. I was responsible for implementing Windows Steady State (WSS) on a score of public computers including some that were used in credit union kiosks. Microsoft has decided to forgo development of Steady State on Windows 7 according to Microsoft forum moderator Sean Zhu in a March 10, 2010 post:

Hi…thank you for the feedback. I’d like to inform you that currently, there is no plan to develop compatible version of Windows SteadyState for Windows 7.

This creates an upgrade dilemma for many public institutions: Stay with Windows XP for now (extended support for XP SP3 lasts until April 2014) and continue to use Steady State, or upgrade to Windows 7 and invest considerable extra expense on implementing some semblance of WSS functionality using Group Policy and third party software? It’s a no-brainer to me.

Consider this: A study conducted by University of Washington Information School, funded by the Bill and Melinda Gates Foundation, reports “Nearly one-third of Americans age 14 or older–-roughly 77 million people–-used a public library computer or wireless network to access the Internet in the past year….  In 2009, as the nation struggled through a recession, people relied on library technology to find work, apply for college, secure government benefits, learn about critical medical treatments, and connect with their communities.”

What are you thinking, Microsoft? Do you listen to your users? I have similar sentiments to these forum posters:

“Seems Microsoft has made another blunder with windows 7, we have decided to stay with XP and notify users that until Microsoft updates WSS to run with windows 7 that we will stay with xp and advise them to do the same, we have withdrawn all support for 7 and are advising people to downgrade if they are stuck with 7,  Its simply not viable, especially in this economy to spend the extra tens of thousands of dollars on the extra staff that would be needed to support a OS that we have came to the conclusion that even Microsoft [isn't] prepared to support fully.”

“Shame on MS for dumping such an essential OS feature for many IT environments. We have halted the upgrade to WIN 7 of around 12000+ PC  and will stay with XP until MS provides something equivalent to WSS in any upcoming OS.”

I don’t know what Microsoft charges for a Win 7 volume license for 12,000 PCs (can I get some help on that from someone?), but I’m sure it’s a significant amount.

Doesn’t make a whole lot of sense. But who am I to argue? I’m just a guy who will help save people money for the next four years–or until Microsoft figures this out.

April 9, 2010  12:06 AM

Warning: Facebook Password Reset Spoof

Posted by: Ken Harthun
Facebook, Hacking, Social Networking Hacks

Facebook users may receive an email with the subject “Facebook Password Reset Confirmation! Customer Support.” It’s bogus. The text reads:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Your Facebook.

Notice the obvious lack of personalization and the bad formatting. And, who the heck is “Your Facebook?” This was obvious to me, but I’m savvy. I posted a warning on Facebook and received many thank you messages.

The message comes with a zip attachment.

Those who get duped into opening the attachment will be infected with various nasty trojans and other malware.

Warn your friends and clients.

April 6, 2010  5:45 PM

Security Fun: Password Paradox

Posted by: Ken Harthun
Hacking, Password, Security fun

Seems like it’s always bad news out there on the security front lines. Now, the PDF format itself has a huge security vulnerability that can be exploited without even using a rendering appplication. So, let’s take a break and have some fun for a change. Check out Password Paradox:

A billionaire has become rich using a secret scheme called the PARADOX SCHEME. Come to to play the most addictive game in the world, Password Paradox.

To win you have to guess 10 people’s passwords to get to level 2 and then start all over again and guess 10 more passwords to get to level 3 and then you have to guess the master password to open a safe.

Go ahead, try it. You know you want to; in fact, you need to.

Have fun!

April 2, 2010  3:00 PM

Twitter is Under Attack Again

Posted by: Ken Harthun
Blackhat SEO, cyber security, Security, Trending topic attack, Twitter

Panda Security’s PR firm just informed me of a deep dive analysis that Sean-Paul Correll has performed on the current Twitter attack that has been ongoing since 22 February. The attack is being propagated through Twitter by capitalizing on trending topics and key phrases to spread via Twitter accounts. Coupled with the most widely referenced terms on Twitter, like “free,” “teen” and “sex,” hundreds of malicious tweets are being distributed and directed to a fake codec infection site which installs the Adware/SecurityTool rogueware.

We were alerted of a new trending topic attack today on Twitter by a fellow threat researcher.  Like the past Twitter trending topic attacks, this one was heavily targeting recent news breaking items such as the suicide bombings in Moscow, as well as many other hot topics on the Internet today.

Correll unearthed some rather alarming statistics:

  • 1,888 Twitter accounts (and growing) have been used to spread the attack URL
  • 2,560 malicious tweets have been sent out
  • The malicious links were clicked on 25,854 times
  • 78% of victims came from the United States, 12% from Korea, and 8% from Germany

The high click-rate was in part due to sites like The Huffington Post inadvertently helping promote the malware campaign on the Internet by an embedded Twitter stream on its site.

More detail of Sean-Paul’s analysis can be found at the PandaLabs blog:

March 31, 2010  7:20 PM

Forensics: SANS Investigative Forensic Toolkit (SIFT) Workstation

Posted by: Ken Harthun
cyber security, Forensics, SANS, Security, Security tools, Software for Secure Computing

This is so significant, that I’m not going to elaborate on it. If you’re an IT Security professional, you probably already know about it. If you don’t, then check it out here: SANS Investigative Forensic Toolkit (SIFT) Workstation: Version 2.0.

Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit(SIFT) Workstation featured in the Computer Forensic Investigations and Incident Response course (FOR 508) in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools.

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

You know what an Open Source advocate I am and this just proves the value of that even more.

March 30, 2010  12:37 PM

Security Humor: Internet Explorer Security Settings

Posted by: Ken Harthun
Firefox, insecure, Internet Explorer, Security Humor

If you’ve ever wondered what all those security levels in Internet Explorer really mean, then this one-minute animation on John Haller’s site will clear things up for you. If you’re not rolling on the floor laughing after you see this, you’re either unconscious or dead. Check it out:

March 29, 2010  11:27 PM

Out-of-cycle Patch for IE Coming Tomorrow

Posted by: Ken Harthun
Firefox, Google Chrome, insecure, Internet Explorer, Microsoft, Patch management, Patch Tuesday, Security

Tomorrow, Microsoft will issue an out-of-cycle patch for a vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8, is not affected. The vulnerability allows remote code execution on the affected browsers.

According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.

March 29, 2010  1:57 AM

Technospeak: Fundamentally Vulnerable Structure

Posted by: Ken Harthun
Secure Computing, Security, security awareness, Virus, Vulnerabilities

I’m weary. Very weary. There is just so much to keep up with in the way of patches and fixes for security vulnerabilities across so many applications and in nearly every OS that I no longer even bother trying to stay on top of it all. My main concern, of course, is Windows/Microsoft and the applications that run on that platform. But I do have to keep up with some Unix/Linux and legacy apps.

We’re losing the race, you know. The bad guys are winning and if we don’t make some major changes to our Fundamentally Vulnerable Structure, computing as we know it is doomed. Let me defer to my favorite tech guru, Steve Gibson, again:

…the architecture, the fundamental design of our machines are not secure. I mean, the fundamental architecture, the design, evolved from a time when there was absolutely no, and I mean no, concern about security…. But there was, once upon a time, no concern for security. It just wasn’t…on the map at all. And it began, of course, in the mainframe era, where you started to have multi-user systems where they said, okay, well, we need some sort of authentication…. So that sort of, that notion of some concern for security began to happen.

And then of course the Internet sort of grew organically from an experiment in, gee, could this notion of autonomous packet routing work on, be a scalable solution so that we’re able to connect things? And I remember when I first began hearing about this notion of a global network. It’s like, okay, well, that’s ridiculous. You’re not going to have that. Well, whoops. We do.

But no one foresaw what’s happening now–or if they did, they didn’t prepare for it.  It all just kind of happened. Hell, I remember when when I first got on BBS’s back in the 80′s using a terminal that printed out the “session” on thermal paper. Years later, the “internet” was just starting and I had to dial up to some long distance phone number in New York City just to download a few messages–which took a long time at the incredible speed of 2400 bps. And you know what? I can still dial up an ISP with a modem and access the Internet.

In those “good ole days,” I wasn’t connected to the global network every time I turned on my computer; I had to specifically request a connection. And that connection was terminated as soon as I did my business. The rest of my work was done off-line. I read my email, composed my replies as necessary, then uploaded them as a batch to be sent by the mail server. Simple. Pretty secure, too. I never got a virus from a pure text file.

Sure, we had viruses back then; they spread by floppy disk. Most of them were nothing more than practical jokes and did little damage, so no one paid much attention. We should have. In 1995, I was hit with a boot sector virus that destroyed the data on my hard drive. That incident completely wiped out the only electronic copy of a how-to book I was selling. I had a hard copy, but it took me a month to reenter all the text.

A week later, my boss’s son was hit by the the same virus and almost lost all of his thesis for graduate school. Fortunately, for him, I had found a way to remove the infection and restore the master boot record so he lost nothing. That was my very first success as a security professional and one that I’ll never forget. But I didn’t foresee how bad it would get; I just kept fixing the problems as they occurred.

Just like everyone else did.

And now we have the cat-and-mouse game of security as it exists today.

It’s time to hit the “reset” button on all of this and completely rethink our computing model.

March 28, 2010  2:24 AM

My Bank is Vigilant-Thank You, Bank!

Posted by: Ken Harthun
Banking Fraud, Online banking fraud, Security, security awareness

I love it when people look out for my interests instead of it being the other way around all the time. My bank is serious about preventing online banking fraud and banking fraud in general with it’s customers. I received this letter in the mail today:

Important Information About Your [bank name] Account

Dear [My Name],

One of the most important ways we can help our customers manage their money in a safe and secure environment is by providing detailed account information on a timely basis.

Because your account referenced above is classified as dormant–no deposits or withdrawals for 36 months–we are letting you know that there has recently been activity on the account. If you are aware of this activity, no action is required.

We suggest that you first check with other signers on the account to verify whether they have accessed the account. However, if they have not and you believe the activity to be unauthorized, please contact us immediately at [800 phone number], so that we may investigate this activity and take appropriate action.

Below is a summary of the activity:

[details of the transaction]

If you have questions or need additional information [etc., etc., etc.]

This was for a DEPOSIT!

I have a warm, fuzzy feeling now.

March 27, 2010  2:01 AM

Software for Secure Computing: Spam Assassin

Posted by: Ken Harthun
Security, Software for Secure Computing, spam

Spam Assassin has to be the #1 Open Source anti-spam application. My experience with its influence is in my Aweber account. Aweber is an auto-response email marketing program that enforces strict policies about making sure subscribers have specifically opted in to your newsletter, blog, or whatever. When I compose a message to send to my list, Aweber uses a Spam Assassin score to tell me how likely it is that my message will end up in a junk folder.

SpamAssassin is a mail filter to identify spam. It is an intelligent email filter which uses a diverse range of tests to identify unsolicited bulk email, more commonly known as Spam. These tests are applied to email headers and content to classify email using advanced statistical methods. In addition, SpamAssassin has a modular architecture that allows other technologies to be quickly wielded against spam and is designed for easy integration into virtually any email system.

It works, and I trust it. If my Spam Assassin score exceeds 5 on any message I plan to send, I modify it. I want people to read my messages, not have them dumped in the bit bucket with the obvious junk we all get.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: