Security Corner


April 29, 2014  6:27 PM

Update Flash and switch to “click to play”

Ken Harthun

From Krebs on Security:

Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.

This is also tied in with the Internet Explorer vulnerability I posted about yesterday.

Flash is required on many web sites (I won’t rant about this now, but that is really pretty stupid, given Adobe’s dismal security record), but that doesn’t mean you have to allow it to run willy-nilly. Google Chrome, Mozilla Firefox and Opera allow you to block plugin activity, giving you the option to run it only when you trust the site. Krebs posted an article on how to do this here.

April 28, 2014  5:23 PM

Stop using Internet Explorer – for now

Ken Harthun

Stop using Internet Explorer and switch to an alternative browser immediately. Microsoft just announced a zero-day vulnerability in Internet Explorer that is being actively exploited in targeted attacks; they have not yet issued a fix. All versions of IE are affected.

According to security firm FireEye, the attack, dubbed “Clandestine Fox,” exploits a remote code execution vulnerability. The Microsoft security advisory for CVE-2014-1776 says this:

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

This means that you don’t have to do anything at all except visit a poisoned website to be affected. There is no patch, but Microsoft is recommending that Internet Explorer users install its free Enhanced Mitigation Experience Toolkit (EMET) to harden security of Windows systems.

I recommend you stay away from IE entirely and run an alternative browser.

Be on the lookout for an out-of-band patch from Redmond.


March 30, 2014  4:12 PM

Who supports 2FA (two-factor authentication)?

Ken Harthun

In light of the plethora of data breaches in the news, it behooves us to use two-factor authentication (2FA) where it is available. I use it for important accounts like LastPass, eBay and PayPal. Where it is offered on other financial accounts, I use it. You should, too. But how do you know who offers it? Here is a great website that shows who does and doesn’t offer 2FA and what methods they use: http://twofactorauth.org/.

I’m going to be setting up 2FA on all of the listed services I use and for which I don’t currently have 2FA enabled. I suggest you do the same. Can’t hurt and can only help by making it more difficult for the cybercriminals to get access to your information.


March 29, 2014  9:58 PM

Turn off email preview in your email client

Ken Harthun

In light of Microsoft Security Advisory 2953095, I am restating advice I first published in 2008. While this particular vulnerability may not be directly related to previewing email messages, it is still a viable attack vector.

Here is what I originally called “Security Maxim #6:”

Some of these tips may very well be “everybody knows” types of things, but I find that these are often the things that get overlooked. That’s why I’m publishing them as computer security maxims. Take a look at the recent furor surrounding the cold boot attack against disk encryption. That was an “everybody knows,” too.

I get questions all the time over at Ask the Geek [site no longer active] about using a mail client’s message preview feature. Opinions vary, of course, but for this geek, it’s a bad idea. In order to preview a message, it has to be opened or rendered by the HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: the same malicious scripts that live on a web page can live in an HTML message. It’s a serious security risk.

Security Maxim #6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.


March 29, 2014  9:36 PM

Oh no! Not another password post!

Ken Harthun

Yes, another post about passwords and choosing secure ones. Unfortunately, they aren’t going to go away anytime soon and, equally unfortunately, they are getting easier and easier to break. In a recent blog post, Bruce Schneier said: “As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.”

Indeed. Agreed. I’ve written many posts about how to choose secure passwords. I’m not the only one. In addition to the blog post mentioned above, here are some other resources that have strategies designed to help you create secure passwords. Oh, and regardless of what any of these articles say is the best length for a password, I recommend no fewer than 12 characters and prefer 15 characters. This number is always a moving target, subject to adjustment upward as computing power increases. Here’s my top five list:

Steve Gibson’s Password Haystacks: https://www.grc.com/haystack.htm
My article: Is your password “qeadzcwrsfxv1331?”
Sophos’ How to Choose a Strong Password: http://nakedsecurity.sophos.com/2010/02/03/choose-strong-password
Roger Grimes’ Creating strong passwords is easier than you think
Microsoft’s Tips: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password



March 26, 2014  1:55 AM

Thwart predators and social engineers with a passphrase

Ken Harthun

I don’t remember exactly where I saw it or heard it, but I recall a story about an incident where a child was approached by a (potential) sexual predator.  The child was told his mother wanted him home right away and — we’ll call him Mr. Friendly — Mr. Friendly was there to pick the child up. The child then asked Mr. Friendly for the password and was able to get away in the resulting delay caused by the confusion when Mr. Friendly couldn’t remember the password. The lesson learned here is that every child should have a secret passphrase and only trust those who can repeat that passphrase back to them. This could save countless lives. In fact, my wife had all our kids indoctrinated in this trick back in the day (she just reminded me). Thank heaven the kids never had to use it.

It could also save your corporate network.

Social engineers who call you pretending to be from Microsoft, your corporate office, or some other normally trusted entity are just the digital version of Mr. Friendly. And the same tactic will work on them.

Your organization should have a passphrase that is required to be known by every person on your help desk and any and all support personnel. Every staff member should be required to ask any caller who seeks sensitive information to repeat the passphrase. The passphrase should be changed on a frequency that is appropriate for your organization.

A typical scenario may go like this:

Caller: “Hello, this is Corporate Help Desk. We’ve noticed you have a virus. We can remove it, but we need your user name and password.”

You: “Sure, be happy to help you. What is the passphrase for today?”

Caller: “Ummmm.”

You: <click> <dial IT department>

IT: “Hello, IT.”

You: “I just received a call from 555-5555 asking for my login credentials. They didn’t know the passphrase.”

IT: “Well done. Just in case, we’re forcing a reset of your password.”

Trust No One on the internet…


March 17, 2014  2:49 AM

KrebsOnSecurity hit with massive WordPress pingback attack

Ken Harthun

In a March 14, 2014 blog post, Brian Krebs revealed that his site, KrebsOnSecurity, which runs on WordPress, was hit by a DDoS attack:

On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.

I covered the details of the attack method in my last post, but I also want to help spread the word to other WordPress administrators via the list of attacking sites that Mr. Krebs provided:

My hosting provider shared with me a list of the WordPress blogs that were used in the attack on this blog. I’m sharing it here to get the attention of WordPress administrators. I realize that some readers will view this as providing a roadmap for attacks, but I’m hopeful that making this information public will decrease the number of blogs that can be used in future such attacks.



March 15, 2014  4:21 PM

Is your site an unwitting participant in a DDoS attack?

Ken Harthun

In a normal DDoS attack, a botnet of hundreds or thousands of computers performs a coordinated attack against a particular website. But what if you don’t have access to a botnet? You trick WordPress sites into sending unwanted traffic to the site. Here’s how, according to a blog post by Sucuri:

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>
pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>
www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

How can you tell if your site is being used in an attack? You’ll have to check your web server logs. This is the type of entry you are looking for: pingbacks whose first parameter points at random, unrelated sites. If you see these, your site is being misused:

93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" 
"POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A
<methodName>pingback.ping</methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   
<string>http://fastbet99.com/?1698491=8940641</string>\x0A  </value>\x0A </param>\x0A 
<param>\x0A  <value>\x0A   <string>yoursite.com</string>\x0A  </value>\x0A </param>\x0A
</params>\x0A</methodCall>\x0A"
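As an added example (not from this post or from Sucuri), here is a small Python script that reads web server log lines in the format shown above, decodes the escaped POST body, keeps only pingback.ping calls, and counts which hosts your site is being told to fetch; the log lines it runs on are constructed, with documentation IPs and .example hostnames.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log: Apache combined format with the escaped POST body
# appended, as in the entry quoted above. Three pingbacks name the same
# victim host, one is a legitimate pingback, and two lines are unrelated.
SAMPLE_LOG = r'''
198.51.100.7 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A<methodName>pingback.ping</methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   <string>http://victim.example/?1698491=8940641</string>\x0A  </value>\x0A </param>\x0A <param>\x0A  <value>\x0A   <string>yoursite.com</string>\x0A  </value>\x0A </param>\x0A</params>\x0A</methodCall>\x0A"
198.51.100.8 - - [09/Mar/2014:20:11:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22?>\x0A<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example/?55127=99</string></value></param><param><value><string>http://yoursite.com/?p=12</string></value></param></params></methodCall>"
203.0.113.9 - - [09/Mar/2014:20:11:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22?>\x0A<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example/?8=1</string></value></param><param><value><string>http://yoursite.com/?p=12</string></value></param></params></methodCall>"
203.0.113.20 - - [09/Mar/2014:20:12:01 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22?>\x0A<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://friendly-blog.example/post/1</string></value></param><param><value><string>http://yoursite.com/?p=12</string></value></param></params></methodCall>"
203.0.113.21 - - [09/Mar/2014:20:12:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22?>\x0A<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"
203.0.113.22 - - [09/Mar/2014:20:12:09 -0400] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
'''

# ip, ident, user, [timestamp], "VERB path proto", status, size, referer, agent, optional body.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"'
                     r'(?: "POSTREQUEST:(.*)")?$')


def decode_escapes(raw):
    """Turn the \\xHH escapes the log writer used back into characters."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def parse_log(text):
    """Return one dict per log line that carries an XML-RPC pingback.ping call."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(6) is None:
            continue
        ip, ts, verb, path, status, raw_body = m.groups()
        body = decode_escapes(raw_body)
        method = re.search(r'<methodName>\s*(.*?)\s*</methodName>', body, re.S)
        if not method or method.group(1) != 'pingback.ping':
            continue
        params = re.findall(r'<string>\s*(.*?)\s*</string>', body, re.S)
        if len(params) < 2:
            continue
        # pingback.ping(sourceURI, targetURI): WordPress fetches sourceURI to verify
        # the link, so in an abuse case sourceURI is the site being flooded.
        records.append({'ip': ip, 'time': ts, 'status': int(status), 'path': path,
                        'source': params[0], 'target': params[1]})
    return records


def victims(records, min_hits=2):
    """Hosts named as sourceURI at least min_hits times; the random query strings
    attackers append are collapsed by grouping on hostname."""
    hosts = Counter(urlparse(r['source']).hostname for r in records)
    return {h: n for h, n in hosts.items() if n >= min_hits}


def summary(records):
    """Counts a site owner would look at first: how many pingbacks got through."""
    return {'pingbacks': len(records),
            'accepted': sum(1 for r in records if r['status'] == 200),
            'rejected': sum(1 for r in records if r['status'] >= 400),
            'distinct_callers': len({r['ip'] for r in records})}
```

A 403 in the log means the request was refused (as in the entry quoted above); a 200 means your site accepted the pingback and went on to fetch the named host.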

You can also check out WordPress DDOS Scanner to check if your WordPress site is DDOS’ing other websites (I checked and mine isn’t).

Here’s how to stop your site from being used for DDoS, according to Sucuri: create a plugin that adds this filter, which removes the pingback.ping method from the XML-RPC interface:

<?php
/* Plugin Name: Disable XML-RPC Pingback */
// Remove pingback.ping from the list of XML-RPC methods so the site can no
// longer be told to fetch arbitrary URLs on an attacker's behalf.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );



March 15, 2014  2:37 PM

PWN2OWN cracks Reader, IE, Flash, Firefox and Chrome, but not Java

Ken Harthun

The first day of the PWN2OWN 2014 competition, an elite hacking competition that runs each year in parallel with the CanSecWest security conference in Vancouver, Canada, was held Wednesday 12 March 2014. Right out of the box, Adobe Reader, IE 11, Adobe Flash and Mozilla Firefox were PWNed. An attack on Java was not attempted, presumably because it was considered too difficult a target. What a change that is!

Day two saw both Chrome and Safari PWNed.

You can get a full recap of the results of the competition here.

Since attackers must responsibly disclose how they accomplished their hacks as a condition of entry, we can expect patches for the vulnerabilities in the next round of security updates for the affected apps.


March 13, 2014  12:56 AM

iOS 7.1 released to patch bugs and fix the White Screen of Death

Ken Harthun

On Monday, Apple released iOS 7.1 for iPad and iPhone and recommended that users update as soon as possible. The update comes just a few weeks after Apple released an emergency update for iOS that fixed a critical security hole that could have allowed hackers to intercept secure communications between your iPhone and SSL-protected websites.

According to security expert Graham Cluley (GCHQ: Graham Cluley’s security newsletter), “If you didn’t install that update (and you really should have done if possible), don’t waste any time and leapfrog up to iOS 7.1 as soon as you can.”
