Security Corner

February 27, 2010  2:02 AM

Waledac is Now Virtually Headless

Ken Harthun Ken Harthun Profile: Ken Harthun

Waledac Infections Worldwide

Microsoft isn’t playing around anymore.  Through legal action and technical cooperation with industry partners, they have managed to take down Waledac, a large and well-known spambot that is estimated to have infected hundreds of thousands of computers worldwide. According to their blog, “…Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.”

On February 22, in response to a complaint filed by Microsoft  (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

This is good news! Cutting them off at the .com domain level is a virtual beheading.

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

Click here for a map of the infection.

February 26, 2010  2:23 AM

Simple Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Complexity, they say, is the enemy of security. Actually, I think it was Bruce Schneier who I first heard it from. It has come to be one of those “everybody knows” things, however, so it’s irrelevant who first said it. Nevertheless, it’s true. The more complicated the software, device, or campus, the more room for error.

Good security for your stash of cash would be to encase it in a 3’x3’x3′ concrete cube and bury it where no one but you can find it. That’s pretty simple. Of course, this isn’t practical, so we have to look at other means. Enter complexity.

We keep the concrete, but add a sealed access panel. Security hole #1. It’s a little easier to breach now, but still impractical to access, so we remove the sealant and add a lock. But what if we lose the key? Add a  hidden back door access panel that only the owner knows about. But what if the owner dies? No problem, have a secret, secret back door that only the manufacturer knows about. On and on, ad nauseam it goes until there are so many “features” to accommodate every possible scenario that all it would take is a six-year-old kid with a big stick to open the “vault.”

Think about it. Used to be that you had to enter data in every field of a database manually. It didn’t matter if you were entering the same thing for a certain field in each record, you had to type it in. These days, you start typing and the software suggests the contents based on your last few entries. Convenient, but that’s cached somewhere and unless that cache is encrypted, it’s subject to compromise.

That’s just one “feature” of modern software. As we all know, modern software is all about giving everyone everything they want. And when you try to please everyone (which you can’t do anyway), you make software very complex. When you try to make all of those features play well with each other, you take shortcuts and you make mistakes.

Bye, bye security.

When I was programming back in the day–in assembly language–when you said “jump,” that’s what happened, the program did what you told it to do. These days, when you say “jump,” the program asks you if you really want to jump and suggests that the last command you gave was “leap,” which is almost the same, but not quite.

I know, I’m ranting. I’m tired. And my spell checker just misinterpreted my Latin phrase above and suggested that it was “nauseous.”

I hope I’m not nauseous to people, but right now, I’m a bit nauseated (the correct term for having the feeling of nausea, as in “that nauseates me,” NOT “that makes me nauseous”).

Oh, well. People program the spell checkers, too. And people make mistakes.

Bye, bye security.

February 24, 2010  3:24 AM

A Tale of Two PCs

Ken Harthun Ken Harthun Profile: Ken Harthun

“It was the best of times, it was the worst of times; it was the age of wisdom, it was the age of foolishness; it was the epoch of belief, it was the epoch of incredulity; it was the season of Light, it was the season of Darkness; it was the spring of hope, it was the winter of despair; we had everything before us, we had nothing before us; we were all going directly to Heaven, we were all going the other way.”

Dickens couldn’t have done a better job of describing the Internet today. Let me illustrate.

PC 1 – User profile: Uses pay-for-download sites to build music library; avoids risque sites; instantly spots “My Dear Friend” emails and deletes them; calls friends to ask them if they sent an email link and never clicks when not sure; knows that PayPal, the IRS and their bank never requests their password in an email; closes popups and scans for malware if one shows up. PC profile: Plugged into NAT router that has SPI firewall built in; security suite up to date; Windows firewall enabled; automatic updates enabled; uses alternative browser.

PC 2 – User profile: Loves to surf the web looking for free music downloads; occasionally surfs “soft” porn sites; has sympathy for the poor Nigerian gal who just lost her father and needs help to move USD 20,000,000 into a safe bank account in the US; clicks links in email; thinks phishing is a fun thing that people do; recently received warning that PC was infected and bought “repair” service via scareware popup. PC profile: Plugged directly into broadband router; AV software bundled with new PC expired months ago, not renewed. Windows firewall disabled by malware; automatic updates disabled; uses IE 6.

Need I say more?

February 21, 2010  11:48 PM

Security on Public PCs – NOT!

Ken Harthun Ken Harthun Profile: Ken Harthun

Sorry. There’s nothing you can do to make a public computer safe. I’ve had family members ask me if it’s OK, while their computer at home is down (due to spyware, adware and viruses, mind you) if they can go to the library and pay their credit card bills, check their bank accounts, etc.?

OMG! Are you crazy? I don’t really say that to them, but you get the idea. The answer is NO! NO! NO!

There is no such thing as a secure publicly accessible computer. And if you don’t want to listen to me, let me defer to security expert Steve Gibson of the Security Now! podcast; if you don’t believe him, you’re just beyond help!

…it would be nice to be able to say that there’s a way to reliably defeat keyloggers on public computers. And I’ve got to say that there isn’t. I can’t think of probably anything more frightening than using a public computer, that is, like a computer in a library or in an Internet cafe that is being used by lots of people, I can’t think of anything more frightening than to use such a machine for critical, sensitive work…I don’t think there’s any way you could argue that anything you could do…could make it safe. There could be a keystroke logger in the keyboard.

… So I would like to completely disabuse anyone from the idea that using a public computer can be safe.

Thanks for the help, Steve. I agree!

February 21, 2010  3:54 AM

Humor: Operation Mandatory Patriotic Tattoo

Ken Harthun Ken Harthun Profile: Ken Harthun

If you’re not familiar with you’re missing out on some great political humor.

Check out Operation Mandatory Patriotic Tattoo. Here’s an exerpt:

UPDATE: Governor Ridge Formally Launches O.M.P.T. – Click Here to Read Details! – Operation Mandatory Patriotic Tattoo is NOW UNDERWAY! Skilled Federal Tattoo Technicians have established kiosks at bankrupt K-Mart stores in YOUR area. By authority of Presidential Executive Order #13251-B, local liberal media outlets across America have been ordered to assist with the coordination of tattooing the populace. Contact your local FOX NEWS affiliate to determine when YOU must report to be emblazoned with the only proof of patriotism that is recognized by the United States government.


February 20, 2010  4:00 PM

Software for Secure Computing: LockNote

Ken Harthun Ken Harthun Profile: Ken Harthun

Steganos GmbH (Germany) provides LockNote for free so you can encrypt sensitive information in text files. LockNote is open source and is based upon open source technologies, e.g. the certified CryptoPP program library for strong encryption.

The program is not meant to be a robust security solution; rather, it’s a portable memo pad that enables you to store text information, using 256-bit AES encryption. Storage is limited to plain text without formatting; you need to create multiple copies to organize or use it for different purposes, but each LockNote is self-contained. You can type any text you want, e.g your bank account information, website passwords, social security number etc. and then simply close LockNote, at which time you will be prompted to set a password. You can drop any text file onto the app and you’ll be asked if you want to convert it.

I tried to drop a PDF file onto LockNote and got the message, “The file [filename] can not be converted and will be skipped. Only files with the extension .txt can be converted.

When you double click on LockNote.exe, you’re greeted with all the instructions you need to use it:

Welcome to Steganos LockNote.

Type some text and close Steganos LockNote when you are done. What you typed will be encrypted using a password, which you supply.

You can also drop text documents on Steganos LockNote to turn them into encrypted self-opening documents as well.

You can start over by removing all text. You can also clear the text field to reset the password.

It doesn’t get much simpler and easier than that.

February 20, 2010  2:42 AM

Video: Chromium OS Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Google Chrome OS is an open source operating system for people who spend most of their time on the web built around the core tenets of speed, simplicity and security.

Now this is the way it should be done.

[kml_flashembed movie=”” width=”425″ height=”350″ wmode=”transparent” /]

February 18, 2010  2:30 AM

Anonymity and the Internet

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s a faction that believes the solution to all our security woes on the Internet is a universal identification scheme. Anonymity is a bad thing in their book and if we get rid of it, we’ll know where all the bad stuff is coming from. We’ll be able to identify the spammers, the phishers, the source of all the DDoS attacks, malware mongers and the predators who threaten our children. We’ll achieve Internet Utopia!

Only, it won’t work. To eliminate anonymity would mean that every single packet on the Internet be tagged with the identity of the sender. The bandwidth cost would be astronomical, for one thing, not to mention the cost of implementing an infrastructure to certify the identity of every user and computer on the Internet. Besides that, it’s just too easy to re-anonymize a packet. I have to agree with Bruce Schneier’s position in the essay Schneier-Ranum Face-Off: Should we ban anonymity on the Internet? Here’s an excerpt of a key point:

Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I’d just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communication.

The push for universal identification on the Internet, besides being an impossible task, is a concept almost as ridiculous as banning the killing of certain animals we use for food on the grounds that it’s cruel.

Well, maybe it’s not quite that bad, but it’s close.

What do you think?

February 17, 2010  3:28 AM

Mozilla Alert About Sothink Was False Positive

Ken Harthun Ken Harthun Profile: Ken Harthun

Better a false positive than no warning at all, I say. And the one real alert was confirmed. Here’s the scoop as reported by Mozilla in their blog:

Last week, we disclosed two instances of suspected malware in experimental add-ons on AMO.  Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware.  The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan.

Recall that I reported on this last week: Mozilla Missed Malware in Infected Firefox Add-ons.

Here’s an idea: Err on the side of false positives rather than denial. Sure, it would be a little inconvenient to deal with, but at least we’d all be more secure as a result, don’t you think?

Well, what DO you think? Send me some feedback!

February 17, 2010  2:37 AM

Heal thy apps, they (plead) stipulate

Ken Harthun Ken Harthun Profile: Ken Harthun

Such a good tag line, I just had to steal it from The Register and this article.

This is a novel idea. If you were responsible for writing secure code, how would you like this? Would you agree to such a contract?

Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications.

Here’s the list: What do you say? Are you up to it?

Microsoft could learn something from this.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: