Security Corner


March 29, 2010  11:27 PM

Out-of-cycle Patch for IE Coming Tomorrow

Ken Harthun Ken Harthun Profile: Ken Harthun

Tomorrow, Microsoft will issue an out-of-cycle patch for a vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8, is not affected. The vulnerability allows remote code execution on the affected browsers.

According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.

March 29, 2010  1:57 AM

Technospeak: Fundamentally Vulnerable Structure

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m weary. Very weary. There is just so much to keep up with in the way of patches and fixes for security vulnerabilities across so many applications and in nearly every OS that I no longer even bother trying to stay on top of it all. My main concern, of course, is Windows/Microsoft and the applications that run on that platform. But I do have to keep up with some Unix/Linux and legacy apps.

We’re losing the race, you know. The bad guys are winning and if we don’t make some major changes to our Fundamentally Vulnerable Structure, computing as we know it is doomed. Let me defer to my favorite tech guru, Steve Gibson, again:

…the architecture, the fundamental design of our machines are not secure. I mean, the fundamental architecture, the design, evolved from a time when there was absolutely no, and I mean no, concern about security…. But there was, once upon a time, no concern for security. It just wasn’t…on the map at all. And it began, of course, in the mainframe era, where you started to have multi-user systems where they said, okay, well, we need some sort of authentication…. So that sort of, that notion of some concern for security began to happen.

And then of course the Internet sort of grew organically from an experiment in, gee, could this notion of autonomous packet routing work on, be a scalable solution so that we’re able to connect things? And I remember when I first began hearing about this notion of a global network. It’s like, okay, well, that’s ridiculous. You’re not going to have that. Well, whoops. We do.

But no one foresaw what’s happening now–or if they did, they didn’t prepare for it.  It all just kind of happened. Hell, I remember when when I first got on BBS’s back in the 80′s using a terminal that printed out the “session” on thermal paper. Years later, the “internet” was just starting and I had to dial up to some long distance phone number in New York City just to download a few messages–which took a long time at the incredible speed of 2400 bps. And you know what? I can still dial up an ISP with a modem and access the Internet.

In those “good ole days,” I wasn’t connected to the global network every time I turned on my computer; I had to specifically request a connection. And that connection was terminated as soon as I did my business. The rest of my work was done off-line. I read my email, composed my replies as necessary, then uploaded them as a batch to be sent by the mail server. Simple. Pretty secure, too. I never got a virus from a pure text file.

Sure, we had viruses back then; they spread by floppy disk. Most of them were nothing more than practical jokes and did little damage, so no one paid much attention. We should have. In 1995, I was hit with a boot sector virus that destroyed the data on my hard drive. That incident completely wiped out the only electronic copy of a how-to book I was selling. I had a hard copy, but it took me a month to reenter all the text.

A week later, my boss’s son was hit by the the same virus and almost lost all of his thesis for graduate school. Fortunately, for him, I had found a way to remove the infection and restore the master boot record so he lost nothing. That was my very first success as a security professional and one that I’ll never forget. But I didn’t foresee how bad it would get; I just kept fixing the problems as they occurred.

Just like everyone else did.

And now we have the cat-and-mouse game of security as it exists today.

It’s time to hit the “reset” button on all of this and completely rethink our computing model.


March 28, 2010  2:24 AM

My Bank is Vigilant-Thank You, Bank!

Ken Harthun Ken Harthun Profile: Ken Harthun

I love it when people look out for my interests instead of it being the other way around all the time. My bank is serious about preventing online banking fraud and banking fraud in general with it’s customers. I received this letter in the mail today:

Important Information About Your [bank name] Account

Dear [My Name],

One of the most important ways we can help our customers manage their money in a safe and secure environment is by providing detailed account information on a timely basis.

Because your account referenced above is classified as dormant–no deposits or withdrawals for 36 months–we are letting you know that there has recently been activity on the account. If you are aware of this activity, no action is required.

We suggest that you first check with other signers on the account to verify whether they have accessed the account. However, if they have not and you believe the activity to be unauthorized, please contact us immediately at [800 phone number], so that we may investigate this activity and take appropriate action.

Below is a summary of the activity:

[details of the transaction]

If you have questions or need additional information [etc., etc., etc.]

This was for a DEPOSIT!

I have a warm, fuzzy feeling now.


March 27, 2010  2:01 AM

Software for Secure Computing: Spam Assassin

Ken Harthun Ken Harthun Profile: Ken Harthun

Spam Assassin has to be the #1 Open Source anti-spam application. My experience with its influence is in my Aweber account. Aweber is an auto-response email marketing program that enforces strict policies about making sure subscribers have specifically opted in to your newsletter, blog, or whatever. When I compose a message to send to my list, Aweber uses a Spam Assassin score to tell me how likely it is that my message will end up in a junk folder.

SpamAssassin is a mail filter to identify spam. It is an intelligent email filter which uses a diverse range of tests to identify unsolicited bulk email, more commonly known as Spam. These tests are applied to email headers and content to classify email using advanced statistical methods. In addition, SpamAssassin has a modular architecture that allows other technologies to be quickly wielded against spam and is designed for easy integration into virtually any email system.

It works, and I trust it. If my Spam Assassin score exceeds 5 on any message I plan to send, I modify it. I want people to read my messages, not have them dumped in the bit bucket with the obvious junk we all get.


March 26, 2010  3:20 AM

20-year Sentence in TJX Credit Card Case

Ken Harthun Ken Harthun Profile: Ken Harthun

In the lengthiest sentence yet handed down in an identity or hacking prosecution, confessed TJX hacker Albert Gonzalez was sentenced to 20 years in federal prison for orchestrating one of the largest theft of payment card numbers in history.

IDG News Service – BOSTON — As his parents and sister silently wept, hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the “unparalleled” theft of millions of credit and debit card numbers from major U.S. retailers.

“I stand before you humbled by these past 24 months,” Gonzalez said. “I’m guilty not only of exploiting complicated networks, but also of exploiting personal relationships.”

SANS Institute editor Stephen Northcutt had this to say in a recent issue of SANS NewsBites (Vol. 12 Num. 23):

It seems sensible to me to make stealing 45 million identities a more serious crime than selling marijuana, not that I support either. When you steal identities you hurt so many innocent people. When you sell Marijuana, the damage, if any, occurs in the lungs and brains of the people that willingly used the drug. Yet…it appears to me that in the past people received stiffer sentences marijuana sales than for identity theft. I believe both should be illegal, but that identity theft is the more harmful crime. Nothing against Mr. Gonzalez, but if he is sentenced to a serious number of years, it could send a signal to the criminals of the world there is a downside to identity theft.

Well, the signal has been sent. Personally, I don’t believe that any non-violent crime should be subject to lengthy terms of incarceration, but that’s a subject for a different post at a different blog at another time.

The cyber-criminals in the huge international crime rings who run most of the major botnets and steal most of the money won’t even blink at this.


March 25, 2010  12:45 AM

Whither Security?

Ken Harthun Ken Harthun Profile: Ken Harthun

No reports about it, but with all of the nation’s attention diverted and focused on the Health Care law fiasco, what are the cybercriminals doing to exploit the lapse of attention in other areas?

Let me point out that a very effective security subversion tactic is  the creation of a diversion. The diversion does not have to be intentional; it can just as easily be inadvertent, as in the case of focusing on possible cyber attacks related to the passage of the controversial health care reform law.

I’m sure that we’ll hear about cyber attacks related to this recent regulation, probably in the form of attempted web site defacings and/or DDOS attacks against relevant websites. Many people are up in arms about provisions in the law, so certainly, there are going to be attacks. In my life I’ve seen unrest through the 1960′s and 1970′s, but I don’t think I’ve ever seen it quite as bad as today.

It behooves us to be even more vigilant than usual in these times of political upheaval and unrest. If I have you focused on target A, then I can easily attack target B.

And I believe we’ll see that happening.


March 23, 2010  1:08 AM

Technospeak: Advanced Persistent Threat

Ken Harthun Ken Harthun Profile: Ken Harthun

Just what we need – another coined phrase and acronym. This time, it’s Advanced Persistent Threat: APT for short. This new one was popularized at the RSA conference a couple of weeks ago. What is it? Let me explain; rather, let’s let Steve Gibson of the Security Now! podcast explain. This is from episode #240, Listener Feedback #88:

So this notion of an Advanced Persistent Threat is that some way in is found, and then the bad guys set up a persistent presence inside the network and attempt to stay undetected and connected in the network, present essentially, for as long as possible, for doing whatever they’re doing – surveillance, collecting files, sending them offsite, out of that local country zone, wherever.

Very bad. And the worst part about it is that it only takes one un-patched hole to leave a network open. The biggest problem with security is that it must be absolutely perfect. Here’s Steve again:

And remember, this is the big problem with security is it has to be perfect. Meaning it only takes one mistake somewhere, one thing missed, one vulnerability not patched, one port left open, one unsafe application running. I mean, literally, the barrier is so high to be absolutely secure because it just takes one hole for some guy to get in. And so if there’s tremendous pressure against the security perimeter, any leak will allow someone in.

This should be enough to get your attention and put in that IDS that you’ve been putting off for so long.


March 15, 2010  2:10 AM

What is Weaponized Email?

Ken Harthun Ken Harthun Profile: Ken Harthun

The security threat formerly known as “spear phishing” is now called “weaponized email” and it’s a bad, bad thing made worse by Web 2.0 and the social network sites. As you probably know, spear phishing is an email attack that targets a specific organization or demographic. A couple of years ago, we had these things targeting dentists, doctors and other professionals from purported “hit men” who had consciences agreeing to forgo the hit in exchange for “protection” money — a classic extortion scheme. With the meteoric rise of Web 2.0 social networking sites like Facebook, MySpace, Twitter, the Ning networks and what have you, the game has changed.

Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.

Well, think again. The cyber-criminals had a field day with it.

The crooks noticed this social circle, noting that they all worked for a firm that might be a good target. Attempts to hack the Facebook accounts were rewarded with a successful attempt against the person I mentioned above. The criminals now were able to impersonate the victim. The crooks sent messages out to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but was really a link to a malicious site that contained malware in the form of a keylogger program.

You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.

Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…

The criminals managed to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and had taken full control of them.

Trust no one and never click links until you are sure where they lead.


March 13, 2010  3:36 PM

Worth Repeating: Use a Dedicated PC for Online Banking

Ken Harthun Ken Harthun Profile: Ken Harthun

In light of my last my post, “120M Stolen By Hackers in Three Months“, I want to reiterate what I said in “ABA Recommends Using Dedicated PC for Online Banking.” This is the way I would do it:

…set up a PC with Microsoft’s Steady State, disable any Internet access except to the bank’s online application and uninstall Outlook Express. I would make a completely locked down and hardened installation of Windows with all services disabled except for essentials. Assign a static IP address to the machine. I would use a software firewall and disable all ports except 80 and 443. Of course, anti-malware software would be essential.

In March 2010 SANS Ouch! Vol. 7 No. 3, you’ll find this advice:

* Keep your dedicated computer out of reach, or even better, under lock and key
* Set a strong password for the Administrator account
* Create a second account that has limited privileges and always use this account for your online banking
* Contact your computer support provider for information about how to add, remove and change user accounts
* Turn your dedicated computer off when not in use to help prevent network-based intrusions
* Keep the operating system secure by applying patches and updates promptly
* Don’t scrimp on security software; install a good-quality security suite and keep it updated
* Never use a wireless connection for online banking
* Use a strong password for your online banking account, and do not use that password anywhere else (Strong password tips:
http://www.sans.org/newsletters/ouch/issue/20100219.php)

Either way, the key is to use a secure, dedicated system. And if you spot any unauthorized activity, or suspect your information has been compromised in any way, the Federal Trade Commission recommends you take the following actions:

* Notify your bank and credit card companies immediately
* Close all affected accounts
* Notify the major credit reporting agencies
* File a report with the Federal Trade Commission
* File a report with the police

Find more advice in the ABA Education Foundation article,  “Protect Your Financial Identity“.

Just do it!


March 11, 2010  2:36 AM

$120M Stolen by Hackers in Three Months

Ken Harthun Ken Harthun Profile: Ken Harthun

David Nelson, an examination specialist with the FDIC, says that online banking fraud involving the electronic transfer of funds rose to over $120 million in the third quarter of 2009. He presented his estimates Friday at the RSA Conference in San Francisco.

I wrote about this in October, 2009 in my article, “Protecting Your Business From Online Banking Fraud.” I wasn’t the only one to advocate secure read-only systems to use for banking, but it looks like the message didn’t spread very far. Businesses need a security manager to prevent such losses.

Let’s see, if I was to charge, say, 1% fee based on the monthly ACH transfer volume of a given company to keep them secure and that company was doing $1M/mo., that would be a good living. Hmmm…just might have to look into that.

Better to pay 1% than to lose 100%, don’t you think? Especially when you consider this: “Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses,” Nelson said. Bullitt County, Kentucky suffered a loss of $415,000: PC Invader Costs Ky. County $415,000.

Wake up, people!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: