Security Corner


April 18, 2010  1:42 PM

Google Says Botnet Takedowns Had Little Effect on Spam

Ken Harthun Ken Harthun Profile: Ken Harthun

In a recent blog post entitled “Q1’10 spam & virus trends from Postini,” Google said that a recent spate of botnet take-downs (Waledac, Mariposa, Zeus) has not had a dramatic impact on spam levels. While spam and virus levels did fall below Q4’09 highs, Google’s analytics show that global spam levels were relatively steady during Q1’10.

It’s discouraging. This goes to show that there is no shortage of botnets out there; the criminal spammers simply buy, rent or deploy another botnet when an active one is taken down. Anti-spammers are not going to win this war: we need a fundamental change in all operating systems to make it possible for trusted authorities to remotely disable malicious code the minute it is discovered. Steve Gibson, in Security Now #244, discusses Apple’s approach:

…imagine if Microsoft…were able to just reach out and kill a trojan. Well, they don’t have the ability to do that because there’s nothing like this kind of grip and control that exists on the open platforms. Apple has that. And so I can see, yes, it’s a mixed blessing in that, as you say, Apple could kill off a competitive program. But to me there’s a tremendous advantage that, if something was discovered to be malicious, and arguably that would probably surface very quickly, for Apple to be able to just kill it off throughout the entire ecosystem, I mean, even the fact that that ability exists, I would argue, militates against developers bothering to create something malicious because they just know it’ll have an extremely short life…. The second it becomes known, it’ll get killed.

What do you think? Leave your comment.

April 16, 2010  2:56 PM

Software for Secure Computing: dsCrypt

Ken Harthun Ken Harthun Profile: Ken Harthun

I found this nifty little encryption utility on Gizmo’s Freeware Reviews site and immediately fell in love with it. It’s lightweight (25K), fast and easy to use. Double click the single executable and a small box appears (see below). Click the “Mode” menu item to select encryption or decryption. Drag-and-drop files, even multiple selections, from Windows Explorer on dsCrypt’s window, or use the “Open” command to browse and select files.

Unlike some encryption tools, dsCrypt overwrites original files, does not create any temporary files, and erases the data and password memory allocation after use; any possible paging/swap file leftovers are nullified. It does not save your password in any form.

Another feature I like is the Secure PassPad. It employs a mouse operated, graphical keypad, which directly communicates with the application. Here’s the full list of features from the website:

– extensively tested and widely accepted algorithm
– BruteHalt® and exceptional resistance to brute-force password search
– inherent resistance to brute-force key search
– Secure PassPad® and immunity to keylogger-infested environments
– disclosed implementation and source code
– secure use of system resources
– verified data and file processing
– efficient user interface and operation
– speedy performance
– really small executable file
– self-contained and dependency-free
– installation-and-pollution-free
– freeware status and unrestricted distribution

I’m using dsCrypt to keep sensitive information on my thumb drive secure.

There is one drawback, however: If you send a dsCrypt-encrypted file to someone else, they’ll need dsCrypt on their end to decrypt it. When I need to send a single file to someone else, I use AxCrypt to make a self contained package.


April 15, 2010  1:51 AM

Government Interception Attacks Against SSL

Ken Harthun Ken Harthun Profile: Ken Harthun

Researchers Christopher Soghoian and Sid Stamm have authored a paper, “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” that is truly disturbing.  Here’s the Abstract:

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

I have no problem with law enforcement agencies using their powers to deal with the bad guys, but this truly alarms me. If you read the paper, you’ll see why. Heck, just read this excerpt from the paper’s Introduction:

A pro-democracy dissident in China connects to a secure web forum hosted on servers outside the country. Relying on the training she received from foreign human rights groups, she makes certain to look for the SSL encryption lock icon in her web browser, and only after determining that the connection is secure does she enter her login credentials and then begin to upload materials to be shared with her colleagues. However, unknown to the activist, the Chinese government is able to covertly intercept SSL encrypted connections. Agents from the state security apparatus soon arrive at her residence, leading to her arrest, detention and violent interrogation. While this scenario is fictitious, the vulnerability is not.

Guess what? There’s an appliance being marketed to help facilitate this attack. The brochure is included in the report. But, there’s good news. These guys have developed a Firefox add-on (see the screen shot above):

In an effort to significantly reduce the impact of this attack upon end-users, we have created Certlock, a lightweight add-on for the Firefox browser. Our solution employs a Trust-On-First-Use(TOFU) policy, reinforced with enforcement that the country of origin for certificate issuing does not change in the future. Specifically, our solution relies upon caching CA information, that is then used to empower users to leverage country-level information in order to make common-sense trust evaluations.

Read the paper. Realize its implications. Then, change your habits accordingly. Believe me, until this add-on is released, I’m going to be very suspicious of any SSL connection.


April 13, 2010  1:16 AM

Microsoft Decides to Forgo Steady State Development – 77 Million PCs at Risk

Ken Harthun Ken Harthun Profile: Ken Harthun

Thanks to Windows Secrets Newsletter for alerting me to this. I was responsible for implementing Windows Steady State (WSS) on a score of public computers including some that were used in credit union kiosks. Microsoft has decided to forgo development of Steady State on Windows 7 according to Microsoft forum moderator Sean Zhu in a March 10, 2010 post:

Hi…thank you for the feedback. I’d like to inform you that currently, there is no plan to develop compatible version of Windows SteadyState for Windows 7.

This creates an upgrade dilemma for many public institutions: Stay with Windows XP for now (extended support for XP SP3 lasts until April 2014) and continue to use Steady State, or upgrade to Windows 7 and invest considerable extra expense on implementing some semblance of WSS functionality using Group Policy and third party software? It’s a no-brainer to me.

Consider this: A study conducted by University of Washington Information School, funded by the Bill and Melinda Gates Foundation, reports “Nearly one-third of Americans age 14 or older–-roughly 77 million people–-used a public library computer or wireless network to access the Internet in the past year….  In 2009, as the nation struggled through a recession, people relied on library technology to find work, apply for college, secure government benefits, learn about critical medical treatments, and connect with their communities.”

What are you thinking, Microsoft? Do you listen to your users? I have similar sentiments to these forum posters:

“Seems Microsoft has made another blunder with windows 7, we have decided to stay with XP and notify users that until Microsoft updates WSS to run with windows 7 that we will stay with xp and advise them to do the same, we have withdrawn all support for 7 and are advising people to downgrade if they are stuck with 7,  Its simply not viable, especially in this economy to spend the extra tens of thousands of dollars on the extra staff that would be needed to support a OS that we have came to the conclusion that even Microsoft [isn’t] prepared to support fully.”

“Shame on MS for dumping such an essential OS feature for many IT environments. We have halted the upgrade to WIN 7 of around 12000+ PC  and will stay with XP until MS provides something equivalent to WSS in any upcoming OS.”

I don’t know what Microsoft charges for a Win 7 volume license for 12,000 PCs (can I get some help on that from someone?), but I’m sure it’s a significant amount.

Doesn’t make a whole lot of sense. But who am I to argue? I’m just a guy who will help save people money for the next four years–or until Microsoft figures this out.


April 9, 2010  12:06 AM

Warning: Facebook Password Reset Spoof

Ken Harthun Ken Harthun Profile: Ken Harthun

Facebook users may receive an email with the subject “Facebook Password Reset Confirmation! Customer Support.” It’s bogus. The text reads:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

Notice the obvious lack of personalization and the bad formatting. And, who the heck is “Your Facebook?” This was obvious to me, but I’m savvy. I posted a warning on Facebook and received many thank you messages.

The message comes with a zip attachment.

Those who get duped into opening the attachment will be infected with various nasty trojans and other malware.

Warn your friends and clients.


April 6, 2010  5:45 PM

Security Fun: Password Paradox

Ken Harthun Ken Harthun Profile: Ken Harthun

Seems like it’s always bad news out there on the security front lines. Now, the PDF format itself has a huge security vulnerability that can be exploited without even using a rendering appplication. So, let’s take a break and have some fun for a change. Check out Password Paradox:

A billionaire has become rich using a secret scheme called the PARADOX SCHEME. Come to http://www.danzen.com to play the most addictive game in the world, Password Paradox.

To win you have to guess 10 people’s passwords to get to level 2 and then start all over again and guess 10 more passwords to get to level 3 and then you have to guess the master password to open a safe.

Go ahead, try it. You know you want to; in fact, you need to.

Have fun!


April 2, 2010  3:00 PM

Twitter is Under Attack Again

Ken Harthun Ken Harthun Profile: Ken Harthun

Panda Security’s PR firm just informed me of a deep dive analysis that Sean-Paul Correll has performed on the current Twitter attack that has been ongoing since 22 February. The attack is being propagated through Twitter by capitalizing on trending topics and key phrases to spread via Twitter accounts. Coupled with the most widely referenced terms on Twitter, like “free,” “teen” and “sex,” hundreds of malicious tweets are being distributed and directed to a fake codec infection site which installs the Adware/SecurityTool rogueware.

We were alerted of a new trending topic attack today on Twitter by a fellow threat researcher.  Like the past Twitter trending topic attacks, this one was heavily targeting recent news breaking items such as the suicide bombings in Moscow, as well as many other hot topics on the Internet today.

Correll unearthed some rather alarming statistics:

  • 1,888 Twitter accounts (and growing) have been used to spread the attack URL
  • 2,560 malicious tweets have been sent out
  • The malicious links were clicked on 25,854 times
  • 78% of victims came from the United States, 12% from Korea, and 8% from Germany

The high click-rate was in part due to sites like The Huffington Post inadvertently helping promote the malware campaign on the Internet by an embedded Twitter stream on its site.

More detail of Sean-Paul’s analysis can be found at the PandaLabs blog: http://pandalabs.pandasecurity.com/deep-dive-analysis-on-a-twitter-attack/


March 31, 2010  7:20 PM

Forensics: SANS Investigative Forensic Toolkit (SIFT) Workstation

Ken Harthun Ken Harthun Profile: Ken Harthun

This is so significant, that I’m not going to elaborate on it. If you’re an IT Security professional, you probably already know about it. If you don’t, then check it out here: SANS Investigative Forensic Toolkit (SIFT) Workstation: Version 2.0.

Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit(SIFT) Workstation featured in the Computer Forensic Investigations and Incident Response course (FOR 508) in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools.

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

You know what an Open Source advocate I am and this just proves the value of that even more.


March 30, 2010  12:37 PM

Security Humor: Internet Explorer Security Settings

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’ve ever wondered what all those security levels in Internet Explorer really mean, then this one-minute animation on John Haller’s site will clear things up for you. If you’re not rolling on the floor laughing after you see this, you’re either unconscious or dead. Check it out:

http://johnhaller.com/jh/mozilla/ie_security_humor/


March 29, 2010  11:27 PM

Out-of-cycle Patch for IE Coming Tomorrow

Ken Harthun Ken Harthun Profile: Ken Harthun

Tomorrow, Microsoft will issue an out-of-cycle patch for a vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8, is not affected. The vulnerability allows remote code execution on the affected browsers.

According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: