Security Corner


October 26, 2013  10:44 PM

Got CryptoLocker? Your data is probably toast



Posted by: Ken Harthun
Cybercrime, Encryption, Malware, Security, Security best practice

CryptoLocker is a particularly nasty piece of malware that encrypts dozens of file types, including .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf, and then demands you pay a “ransom” to get the key to unlock your data. If you see this pop-up on your PC, you’ve been infected:

CryptoLocker

They make it sound bad, don’t they? Truth is, there is probably no way to get your data back unless you risk paying the money to the criminals. Here’s what Windows Secrets has to say about it:

There are no patches to undo CryptoLocker and, as yet, there’s no clean-up tool — the only sure way to get your files back is to restore them from a backup.

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it’s the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don’t want to add the insult of identity theft to the injury of data loss.

That last part is very good advice, but you still risk losing your money and not getting your data back. How can you trust a criminal to keep their promise?

Your best strategy at this time is prevention. Antivirus software won’t catch CryptoLocker, and limiting admin rights on your computer has no effect either. To ensure that you will be able to recover your data, the most reliable method is frequent backups. Should CryptoLocker slam you, restoring your data from backup will save your bacon.

If you are running Windows XP Professional or higher, you can set Group Policy to prevent execution of the malware. If you are technically inclined and adventurous, BleepingComputer.com has a comprehensive guide to some things you can try that might help you recover your data.

Good luck!

October 13, 2013  11:45 PM

Muscle memory passphrases and passwords.



Posted by: Ken Harthun
passphrase, Password, Security

We probably all agree that passphrases can be easier to remember than complex, random passwords. IhaveABIG2013truck! can be memorized in just a couple of minutes whereas Ih*^29xB@@!dude would take a lot longer to commit to memory. This isn’t to say that passphrases can’t also be difficult to remember.

Athletes, artists, musicians, craftsmen – anyone who develops a particular manual skill – rely on muscle memory to a greater or lesser extent. As a musician, I know that repetitive practice of scale patterns, chords, picking patterns and melodic riffs trains the muscles in my fingers to “remember” those patterns. At first, I feel awkward and perform slowly, but after a while, the patterns become second nature and take little thought to perform.

You can do the same thing with passphrases and passwords. In fact, the best typists usually don’t think about what they are typing: the key patterns for whole words are trained into the muscle memory of their fingers.

An innovative approach to utilizing muscle memory is to choose passwords and passphrases that alternate between the left hand and the right hand on the keyboard. The rhythm of going back and forth will soon be ingrained into your fingers. This requires some knowledge of touch typing, but don’t worry, you can get familiar enough with it in just a few short lessons online. Here’s something that may help you. The image shows the “home” keys, and you can probably easily figure out which hand goes with which keys.

QWERTY-home-keys-position

Source: Wikipedia

A random password like A*#9tU is a left, right, left, right pattern. For passphrases, there are hundreds of words that alternate in this manner. Below is a sampling from a list called lrwords.txt that you can find here:

amendment
emblem
fiendish
zizith
tormen
torment

Add in some numbers or special characters that alternate hands and you’ve got the advantage of unusual passphrases that use both your mental and physical memory. How about fiendish1927emblem? Easily memorized and has a nice rhythm on the keyboard. Type it a few times and it’s not likely you’ll forget it.
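A small checker for the alternating-hand idea, added here as an example and not part of the original post. It assumes a US QWERTY layout with the digit 6 (and ^) assigned to the right hand and the space bar left unassigned; it also quantifies how much keyspace the alternation rule gives up, which is the trade-off a defender should weigh before recommending it.

```python
import math

# Constructed US-QWERTY hand map (assumption: digit 6 and '^' go to the right
# hand; the space bar is a thumb key and is left unassigned).
_LEFT = "`12345qwertasdfgzxcvb" + "~!@#$%QWERTASDFGZXCVB"
_RIGHT = "67890-=yuiop[]\\hjkl;'nm,./" + "^&*()_+YUIOP{}|HJKL:\"NM<>?"
HAND = {c: "L" for c in _LEFT}
HAND.update({c: "R" for c in _RIGHT})


def hand(ch):
    """Return 'L' or 'R' for a printable ASCII key, or None if unassigned."""
    return HAND.get(ch)


def alternates_hands(text):
    """True if every key is assigned and consecutive keys switch hands."""
    if not text:
        return False
    hands = [hand(c) for c in text]
    if None in hands:
        return False
    return all(a != b for a, b in zip(hands, hands[1:]))


def alternating_words(words):
    """Filter a word list (such as lrwords.txt) down to alternating-hand words."""
    return [w for w in words if alternates_hands(w)]


def bits_lost(length):
    """Entropy (bits) given up by requiring strict hand alternation, compared
    with choosing each of `length` keys uniformly from all 94 assigned keys.
    With |L| = 42 and |R| = 52 this is roughly (length - 1) bits."""
    l, r = len(_LEFT), len(_RIGHT)
    half_up, half_down = (length + 1) // 2, length // 2
    alternating = l ** half_up * r ** half_down + r ** half_up * l ** half_down
    return math.log2((l + r) ** length / alternating)


if __name__ == "__main__":
    sample = ["amendment", "emblem", "fiendish", "zizith", "torment", "password"]
    print(alternating_words(sample))
    for pw in ["A*#9tU", "fiendish1927emblem", "password"]:
        print(pw, alternates_hands(pw))
    print(f"6-key alternating password loses {bits_lost(6):.1f} bits")
```

The last function is the caveat: because each key is drawn from roughly half the keyboard, an attacker who knows the rule has about one bit less to guess per character, so pick longer passphrases to compensate.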


October 10, 2013  12:53 AM

Adobe resets user passwords in wake of security breach



Posted by: Ken Harthun
Adobe, Cybersecurity, Data Theft, Hacker, Security
adobe_hacked

Source: capmac.org

On October 3, Adobe was hacked and 3 million user accounts were compromised. The attack exposed customer names, encrypted credit and debit card numbers, expiration dates, and other information. Adobe is resetting the passwords on all customer accounts. Here’s the text of the notification I received early this morning:

We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.

We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.

Adobe Customer Care

Reportedly, Adobe will also be notifying customers whose credit or debit card information was exposed. (I do not have a credit card on file with Adobe, so I just got the password reset notice.) Adobe has also promised to offer affected customers the option of enrolling in a one-year complimentary credit monitoring membership where available.


October 8, 2013  10:21 PM

Eight security bulletins highlight the 10th anniversary of Patch Tuesday



Posted by: Ken Harthun
Critical update, Microsoft, Patch management, Patch Tuesday, Security, Security bulletin, Security management, Vulnerabilities

Microsoft_patch_tuesday

Image by Shawn Knight

It’s that time of the month again (no pun intended). It’s Patch Tuesday. It also happens to be the 10th anniversary of the celebrated (not) monthly visitor (sorry, they just keep coming). Microsoft released eight new security bulletins—four rated as Critical and four Important. The most urgent one, however, is MS13-080—the cumulative security update for Internet Explorer. It addresses a total of 10 separate vulnerabilities affecting all supported versions of the Web browser:

This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Other Critical patches:

MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)

MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

MS13-083: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

Better get patching!


October 5, 2013  7:30 PM

It’s National Cyber Security Awareness Month



Posted by: Ken Harthun
National Cyber Security Awareness Month, Secure Computing, Security, Security best practice, Security management

October 1 marked the start – and the 10th anniversary of – National Cyber Security Awareness Month (NCSAM). Sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM is an initiative aimed at making sure everyone has the resources they need to stay safer and more secure online.

We all can do our part by educating family, friends and coworkers on how to use the internet safely. The average person really has little clue about the dangers lurking in cyber space and even if they have an inkling, they are far too trusting of what their clueless friends routinely send them. In their defense, cyber security is not easy and the last ten years have shown us a wide range of security threats that test the mettle of even the most savvy cyber security professional.

Sophos has posted 10 topical tales, “in vaguely chronological order, that have burst into our collective security concerns at various times in the last decade.” It’s an interesting list and will give you some food for thought as well as real examples you can use to educate your people.

In another post, Sophos recommends that you do these 3 essential security tasks for your family today.

What are you waiting for? Git ‘er done!


September 30, 2013  4:00 PM

Microsoft releases Law Enforcement Requests Report



Posted by: Ken Harthun
Cybercrime, Cyberlaw, Microsoft, Security

Microsoft has released its Law Enforcement Requests Report for the first six months of 2013. It is the second such report they have issued. The report “…details the number of requests for data we received from law enforcement agencies around the world, and how Microsoft responds to those requests. It covers requests for data relating to all of Microsoft’s online and cloud services, including Skype.” The report is not permitted to give detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives), so these are not included in the report. However, they do summarize the aggregate volume of National Security Letters received.

Most of the data is in line with the report for the year 2012, so it makes one wonder about all of the recent hype: Just how much data is really being disclosed? It’s nice to have some real facts from at least one source to help evaluate the current state of things. Here are some of the more pertinent facts:

  • Microsoft (including Skype) received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts in the first six months of this year. This compares to 75,378 requests and 137,424 potential accounts in the whole of 2012.

  • Approximately 77 percent of requests resulted in the disclosure of “non-content data”. No data at all was disclosed in nearly 21 percent of requests.

  • Only a small number of requests result in the disclosure of customer content data, just 2.19 percent of total requests. 92 percent of the requests that resulted in the disclosure of customer content were from United States law enforcement agencies. This is, again, broadly in line with what we saw in 2012.

What is interesting is that the majority of the requests come from only five countries:

While we see requests from a large number of countries, when you look at the overall number, the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France. For Skype the requests were similarly concentrated, with four countries, the US, UK, France and Germany, accounting for over 70 percent of requests.

One thing really stands out for me and that is the position that Microsoft is taking on the sharing of information regarding FISA requests and national security. This is encouraging.

We believe this data is valuable and useful to the community that is looking to better understand these issues. However we recognize that this report—focused on law enforcement and excluding national security—only paints part of the picture. We believe the U.S. Constitution guarantees our freedom to share more information with you and are therefore currently petitioning the federal government for permission to publish more detailed data relating to any legal demands we may have received from the U.S. pursuant to the Foreign Intelligence Surveillance Act (FISA).


September 30, 2013  12:40 AM

Software vulnerabilities are on the rise



Posted by: Ken Harthun
Security, Security best practice, Security management, Vulnerabilities

Every year, Secunia publishes its Secunia Vulnerability Review. The 2013 version results do not bode well for our state of security. Here are some of their findings from 2012:

In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them.

There’s an average of 4 vulnerabilities per vulnerable product.

Vulnerabilities were discovered in 2,503 products from 421 vendors.

The number shows a 15% increase in the five-year trend, and a 5% increase from 2011 to 2012.

One fifth of the criticalities discovered in all products were rated as either ‘Highly critical’ (18.3%) or ‘Extremely critical’ (0.5%).

With an 80% share, the primary attack vector for all products was Remote Network.

Two things concern me: first, that the trend is increasing; and second, that remote attacks are the primary vector. This tells me that we have to get better at hardening our perimeters and educating our users to keep the doors to our network closed.

And, of course, software companies need to work harder at closing security holes.


September 29, 2013  4:32 PM

Humor: Insane video requests



Posted by: Ken Harthun
Security

Time to lighten up a bit. Even though this is a cutely disguised ad for Sophos products, it’s funny. Who doesn’t have someone who comes in for a daily “I forgot my password?” I’ve gotten to the point where I see the faces and know what they need.

Enjoy.


September 28, 2013  10:26 PM

Ten steps to avoid being one of the 73% of WordPress sites vulnerable to attack



Posted by: Ken Harthun
Secure Computing, Security, Security best practice, Security management, Two-factor authentication, Vulnerabilities, WordPress

According to this nakedsecurity blog post, “A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.” Vulnerability researchers EnableSecurity carried out the study, which was reported by WordPress security firm WP WhiteSecurity. The investigators qualified their statistics a bit with this statement: “The tools used for this research are still being developed therefore some statistics might not be accurate.” Nevertheless, it warrants your attention if you are running WordPress.

Here are ten steps that Sophos recommends to bolster your WordPress security:

  • Always run the very latest version of WordPress
  • Always run the very latest versions of your plugins and themes
  • Be conservative in your selection of plugins and themes
  • Delete the admin user and remove unused plugins, themes and users
  • Make sure every user has their own strong password
  • Enable two factor authentication for all your users
  • Force both logins and admin access to use HTTPS
  • Generate complex secret keys for your wp-config.php file
  • Consider hosting with a dedicated WordPress hosting company
  • Put a Web Application Firewall in front of your website


September 28, 2013  6:20 PM

Minimum effective security



Posted by: Ken Harthun
Secure Computing, Security, Security best practice, Security management

No matter how much we would like to think it’s possible, perfect security is unattainable. Install a moat and 40-foot high walls around your village and the enemy will use trebuchets to throw fireballs at you. Build a stronger lock and someone will come along with stronger bolt cutters. Install the latest firewall and IDS and hackers will use social engineering to attack you from inside the perimeter. No matter what security measures you employ, someone will come up with a way to defeat them. There is no such thing as perfect security.

There is, however, such a thing as effective security for a given situation, what I call Minimum Effective Security (MES). I define MES as follows:

Minimum Effective Security is that set of surveillance, barriers and countermeasures adequate to protect against known threats that could reasonably be expected to be leveled against the protected assets.

If you think about it, the key word here is “adequate.” But adequate against what? You have to identify the threats that you could reasonably expect given the value of the assets. So, you first have to establish the impact a successful attack would have: Minor inconvenience, or major loss?

You probably wouldn’t be too concerned about putting up video surveillance cameras to monitor your backyard tool shed, nor would a perimeter wall be necessary. Depending on the value of the contents, you might want to install an inexpensive audible alarm and/or motion sensor lights. More than likely, however, you’ll simply have good hinges and a strong hasp with a sturdy lock. Adequate.

On the other hand, you would equip your home with a robust, monitored security and fire detection system and you would probably have at least a camera at the main entrance.

How about your home network? You certainly don’t need an expensive commercial grade firewall and IDS; a good consumer grade NAT router with built-in firewall features would probably be adequate. Of course, keeping your system and applications up to date with security patches would have to be part of that mix to qualify as adequate security. And you’ll want a good backup strategy.

If your home network is also part of your business, you’ll need a bit more than the above to qualify as adequate security. You would probably want to encrypt critical data and you’ll certainly want multiple backups with at least one stored offsite.

You get the idea. You have to take a good look at the types of threats you can reasonably expect given your circumstances and then work out what would be adequate. Naturally, there is nothing wrong with going beyond adequate; it won’t hurt a bit to put stronger measures in place if that makes you feel more comfortable.

Just make sure you always achieve and maintain Minimum Effective Security.

