Suzie Secretary received an email with the subject “Fire Your Boss.” She opened it. In it, she found a link which she clicked. She was taken to a website with a home page that contained this text (reproduced exactly as found):
Although this is a brand new site and a new carrier for me my main aim is to give you the oppertunity to browes this web site at your own pace to find excatly what it is you want and if we dont have it then please let us know and we will do our best to have what you want avalable.Just Email us and let us know what it is you are looking for a paticular product or eBook what ever it is you require and remember with any order you place thier is a full 30 day money back garrenty so thier is absolutly no risk of any kind wether you use the product for 1 day or 30 and then dont want the product or its not what you wanted then just send a quick Email and we will refund the money all we ask is that you delet the product from your computer.So please enjoy browsing
There were several pages on the site, all of which were sales pages with similar atrocious English. On each page was an order form asking for personal information and a credit card number. Suzie “ordered” one of the products with her credit card. She never received it. The advertised price was $49. Her credit card was charged $490. Twice. It finally dawned on her to report the fraud to her credit card company.
Duh! Some people should never be allowed near a computer.
Sometimes, a program or utility becomes such a part of the computing experience that we take it for granted. Such is the case with LastPass; it seems so “there” that I don’t even remember how long I’ve been using it. What I do remember is why I started using it. I had been using the portable version of KeePass, the Open Source password manager and had built up a large database of passwords. One day, I forgot the USB thumb drive with KeePass on it and was absolutely lost. I decided right then that I needed a solution that was securely accessible from anywhere. That’s when I switched.
Besides the convenience of having all of my site login information in one place I like the the way LastPass makes it easy for me to use secure passwords. Since all I have to remember is the master password to be able to log into LastPass, I don’t have to fudge around with mnemonic systems and such to make easy-to-remember complex passwords; I simply use the program’s built-in password generator to get strong, random password strings.
Probably the most powerful security feature is the support for one-time passwords (OTP). From a secure PC, you simply log into your secure LastPass vault on the website, configure a few OTPs, print them out and store them in your wallet. Then, if you ever have to access your LastPass vault from a public kiosk or insecure public WiFi hotspot, you just use one of the OTPs. Even if a keylogger snags it, the password cannot ever be used again. Your vault remains secure.
Even if you’re already using some other password manager program, you can easily switch. It’s simple to import existing passwords from Internet Explorer, Firefox, RoboForm, 1Password, KeePass, MyPasswordSafe, Password Agent, Password Safe, Sxipper, Passpack and TurboPasswords.
Two Firefox add-ons located in the experimental section of Mozilla’s official add-on download site were recently discovered to contain trojans. Despite the ability of commercial anti-virus Products to detect the trojans since 2008, The Register reported that “…a scanning tool used by Mozilla to vet add-ons during upload failed to catch the malicious files.” Here is what Mozilla had to say in a recent blog post:
Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
Apparently, the addition of two additional malware detection tools to its validation chain is what allowed Mozilla to discover the most recent infected add-on:
AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader.
Mozilla reports that no other instances of malware have been found.
Here’s a list of anti-virus software known to detect the trojans in the infected add-ons:
You really have to be a Geek to enjoy this, but it’s hilarious. Pete Lindstrom who writes the Spire Security Viewpoint blog, originally wrote this in 2003. Here’s an excerpt:
In the wee hours of [date], a [adjective] computer worm spread [adverb] throughout the Internet. Dubbed [silly name] because [ridiculous reason that doesn't explain anything about how it works], and also known as [another random name] and [another random name], the worm has infected an estimated [number] systems within [length of time]. Experts are calling this worm the most [adjective] since [date in the past].
The worm exploits a hole in [Microsoft product name] that was first identified [number] months ago by [security company name].
It gets better, believe me. Read the rest of it here: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/adjective_compu.html
I’m going to end this first month of 2010 with a password challenge contest. There are two entry categories: The Top Ten List of Worst Passwords; and, the Strongest Short Easy-to-remember Password . One First Prize winner in each category will get a free copy of my Geek Toolkit. Here are the rules:
Top Ten List of Worst Passwords: Compile your own Top Ten List of the worst passwords you’ve seen or read about. I will compare that with my compiled list from authoritative sources. The person whose list matches the most entries on my list wins. If there are ties, everyone wins.
Strongest Short Easy-to-remember Password: In ten characters or fewer, come up with a strong password that is also easy to remember. Random strings are not allowed, i.e., I won’t accept Xcy4lmO3az. I will judge the strength of the passwords using my Password Meter at Ask the Geek. You must tell me what makes the password memorable to you. For example, can you write down a password hint that means nothing to me, but that tells you what the password is? If there are ties, everyone wins.
You may send an entry for either or both categories, but they must be in separate emails. Use my secure contact form to enter (http://askthegeek.kennyhart.com/index.php/ask-a-question/). Deadline is Sunday, February 7, 2010
Results will be published.
Ask almost any infosec expert what is the biggest mistake in security and he or she will answer that it’s failing to educate employees. While certain professions that fall under HIPAA, GLBA and other legislation are required to implement security awareness programs, the vast majority of businesses are not required–and don’t provide–such education to their employees. Let me give you two actual examples from my own experience to illustrate how even a very simple program can make a big difference.
The Wrong Way–ABC Company didn’t even have a security policy in place much less do any kind of employee training. The management had the misguided idea that since they spent a lot of money on a firewall and anti-malware software on the servers and PCs, they didn’t need to concern themselves with any security risks. One fine Spring afternoon, the receptionist received a call from someone claiming to be from the local ISP who told her that her password had been compromised and asked her to visit a certain web site to change it. Not knowing any better, she happily complied and her computer was infected with a spambot that caused all kinds of trouble before I finally got it under control.
The Right Way–XYZ Company has a very simple, but effective, security policy in place. Employees are given a one-hour orientation on security when they are hired and the sessions are repeated on a bi-monthly basis. Each session starts with this basic statement of security policy: “XYZ Company prides itself on having a secure network and a safe working environment. The reason we do is because of you.” The rest of the session is devoted to explaining what to watch out for in terms of email phishing attempts and social engineering attacks and what to do about them. It’s kept simple all the way and in each session, the same information is repeated. It works; they’ve never had a serious security problem.
Today, I spent a rather grueling couple of hours taking an assessment of my network security skills. The assessment, for reasons known only to the assessors, focused more on Linux configuration, firewall and router commands than on security theory and principles. If you needed to hire a security administrator for your company which person would you choose: The guy who has memorized all of the commands for your brand of firewall/router; or, the person who understands security on a conceptual level? I’d choose the latter every time.
This goofy focus on configuration skills to the almost complete exclusion of general security knowledge got my brain gears meshing in overdrive; I decided to look deeper and see if I could find other examples of erroneous ideas of what constitutes good security. It wasn’t easy, except for picking number one. Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
Suggestion for all you folks who love to do “assessments” of candidates’ “network security” abilities: Assess their security mindset, not their ability to memorize arcane firewall configuration commands. It does no good to block malicious packets at the firewall when Suzy Secretary is injecting them into the local network or becoming easy prey to the perpetrator of a telephone phishing attack.
It’s again time to delve into our Hacking Skills Challenge. Our last challenge was level 8 at HackThisSite.org and that was almost three months ago. They’re starting to get a little tougher now, but we’ve learned some good techniques that will help us. Here’s the challenge:
The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.
Pay attention, now. Look at the challenge carefully. There’s some key information on the challenge page:
Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…
So, it looks like Sam goofed and we may be able to manipulate our directory hack slightly to find the level 9 password. Let’ see… Well, if you try anything in the level 9 page, you just get errors, so maybe this is the key clue: last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only.
So, let’s go back and hack level 8 a little differently and see what happens. Last time, we used the command [<]!–#exec cmd=”ls ..”–[>] (don’t use the brackets) to get us a listing of the level 8 directory (the “../” we used to take us back one level). Can it be as simple as specifying the directory for basic 9 in this way: [<]!–#exec cmd=”ls ../../9”–[>]?
Go back to the level 8 page and enter that string in the “Enter your name” field. Bingo! We get this: Your file has been saved. Please click here view the file. We click that link and we get:
Hi, index.php p91e283zc3.php! Your name contains 24 characters.
Load p91e283zc3.php in your browser like this: http://www.hackthissite.org/missions/basic/9/p91e283zc3.php, and you get the password, 3c40ec25.
Go back to level 9 and enter that password. Mission accomplished!
We all have a toolkit–that collection of security, maintenance and utility software that we carry around with us so we can get some real work done. I’ve written about several of my favorite tools in this blog. Here are some of the more useful ones from last year:
My complete Geek Toolkit is a compilation of free and Open Source software that contains, among other things, web wervers, utilities, spyware killers, security tools, disk tools, and disaster recovery info. It’s 354 MB contained in more than 700 files. In addition to that, I have seven other flash drives that are configured with various bootable utilities for those systems that are completely hosed.
What’s in your Geek Toolkit? Hit the comments and let me know. I’m going to be compiling more tools soon and I’d like to know what you like.
Goes to show that I’ve gotten behind on my keeping up with security news. Health and family issues have taken an inordinate amount of my attention this month. Consequently, I just came across this announcement.
Brian Krebs, whose column “Security Fix” was often a source of information for my own posts, has left The Washington Post effective December 31, 2009. I’ll let him tell you:
This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company.
Over the last 15 years, I’ve reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were “reverse published” in the newspaper, including eight front-page stories and a Post Magazine cover.
He’s not out of the security reporting biz, though:
He now has his own site, Krebs on Security, and it looks like he’s on a roll. Check it out and know that I’ll be drawing on his insight, too.