All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.
The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:
MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."
We can only hope.
The other day, I proposed you test out your ethical hacking skills over at HackThisSite. If you didn’t see that post, take a look now: How Are Your Hacking Skills? As promised, I’m publishing my comments and approach to the solution.
Level 1, dubbed “The Idiot Test,” requires that you enter the correct password into a password field in order to continue to the next level. The name itself seemed a giveaway to me, so I started with the obvious, a blank password, and simply clicked the submit button. No joy. Next, I tried ten of the most popular weak passwords in use (take your pick as to which “Top Ten” list you prefer):
None of these worked; it appeared as if the test was going beyond the idiot level. If it’s that simple, it should be obvious, so I took another look at the screen and noticed another subtle clue: “If you have no idea what to do, you must learn HTML.” Hmm. Maybe the page source has a clue. I opened the page source and searched for “password.” Bingo! I found this in the code:
<!-- the first few levels are extremely easy: password is 1e79cde6 –>
Did you figure it out? Hit the comments and let me know.
I received some good feedback on my “14 Golden Rules of Computer Security” list, in particular, this comment from Michael: “…you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.” This lead to a review of past articles I’ve posted on the subject and my finding that though I’ve covered all of the bases, my writing is a bit fragmented. So, you can go back to “Nine Steps to System Security – 2008", “The Lazy Man’s Way to System Security”, and “14 Golden Rules of Computer Security” and put them all together for a complete PC security package, but that’s a lot for the average user to digest.
As of today, I’m embarking on a major pre-release revision of the eBook, 14 Golden Rules of Computer Security to make sure all of the bases are covered in a logical combination and sequence. In essence, the book will begin with the concept of a security baseline—the bare security essentials—for a normal home PC setup and will branch from there.
What’s a good PC security baseline? In “The Lazy Man’s Way to System Security,” I proposed these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” That was good enough at the time, but these days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”
There are many possibilities for implementing those four basic items and that will be well covered in the book.
In playing the contract consultant game over the years, I’ve become accustomed to verbal and written skills assessment tests, but until recently, I’d never had anyone present a question like this: “Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.” Sounds like fun, I thought, and it makes sense: If you want to know how well a guy can protect your network, see if he knows how a hacker would attack it. So I headed on over to the site. Having never been there, I didn’t know what to expect; I was greeted with this:
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker war games site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
I created an account, logged in and proceeded to the “Basic Missions” section; their are 11 of them, and I was to complete the first four. At level one, the challenge reads, “This level is what we call ‘The Idiot Test.’ If you can’t complete it, don’t give up on learning all you can, but don’t go begging to someone else for the answer, that’s one way to get you hated/made fun of. Enter the password and you can continue.”
Though they call it “The Idiot Test,” it’s not as simple as you might think. You’ll find the solution interesting. Try it for yourself, post your comments and check back in a day or so; I’ll be posting my analysis and solutions to each level, eventually covering all 11 basic missions.
In the meantime, have a safe and enjoyable Labor Day weekend.
It’s just not in fashion anymore; phishing attacks are ‘way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.
IBM’s security research and development division, X-Force, recently issued a report that found throughout 2008 , phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.
That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."
A copy of the IBM report can be downloaded here (PDF).
As always, let the surfer beware.
In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:
#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the
folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.
In the book, each one of these rules is explained in detail with links to tools and other information.
I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.
Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.
Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.
Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:
You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs – the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.
An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)
The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.
A visitor to my Ask the Geek site told me about a great little utility, UNetbootin for Windows and Linux that allows you to create bootable Live USB drives for a variety of Linux distributions without requiring you to burn a CD. Not only that, but UNetbootin can be used to load system utilities, including:
- Parted Magic, a partition manager that can resize, repair, backup, and restore partitions.
- SystemRescueCD, a system repair, backup and recovery tool.
- Super Grub Disk, a boot utility that can restore and repair overwritten and mis-configured GRUB installs or directly boot various operating systems
- Dr.Web Antivirus, F-Secure Rescue CD, and Kaspersky Rescue Disk, which remove malware from Windows installs.
- Backtrack, a utility used for network analysis and penetration testing.
- Ophcrack, a utility which can recover Windows passwords.
- NTPasswd, a utility which can reset Windows passwords and edit the registry.
- Gujin, a graphical bootloader that can also be used to boot various operating systems and media.
- Smart Boot Manager (SBM), which can boot off CD-ROM and floppy drives on computers with a faulty BIOS.
- FreeDOS, which can run BIOS flash and other legacy DOS utilities.
The tool works like a charm. I’ve made bootable USB drives with ClamAV Live CD, the Kaspersky Rescue Disk, Dr. Web Antivirus, and a couple of others, just to see how it works. These are invaluable tools for we security wonks and I thought I’d pass it on.
Be sure to check out the UNetbootin site for complete information and tutorials on how to make it work.
OMG! I just opened that box that Pandora gave me. I have often said that I don’t like password managers because I don’t consider them secure. That goes double for the password managers built into the browsers. I don’t like anything to reside directly on my system, so that leaves a remote location. These days, “remote location” equates to “The Cloud.”
That’s why I use LastPass and have been using it for more than a year now. All of my passwords are stored online, encrypted, and I only have to remember one master password to unlock the vault. I don’t have to carry anything with me on a thumb drive or install any programs on someone else’s computer in order to access my stuff when I’m not using my own PC.
Don’t take my word for it, check out this list of features. And then decide for yourself.
Oh, by the way, you can generate very secure passwords with LastPass and you don’t have to worry about remembering them, because LastPass will do it for you. Firefox and IE add-ons make things even easier. When you come to a new site you need to set up an account with, LastPass offers to generate a password for you. Then, when you log in, LastPass offers to save all information for the site. If you do that and then come back to the site later, LastPass will give you the option to either auto-fill the information or perform an auto login.
Highly recommended if you don’t want to do your own password management. You can still use all of the methods I’ve proposed for generating secure passwords, but you’ll never have to worry about remembering them. Use my methods to generate the most secure password you can for your LastPass master password and encode it so you can write it down securely, but use LastPass for all your password management needs.
The sheer number of passwords most of us have is a big problem. Even if we have hints written down, how do we know which one created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.
Let’s say you found a piece of paper that had this written on it:
What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: What those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example; in my Ask the Geek blog, my article How to Write Down Your Password and Not Worry About Someone Stealing Them, I explain:
[It's] a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it's Abe's birthday, they still have a long way to go to figure out how it was used - Ken]
Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the "something only you know," with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).
Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.
I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.