It’s that day of the month again and this time Microsoft has patched 19 security holes, 15 of which have a “critical” rating. The good news is that none of the vulnerabilities affect Windows 7. As usual, a bunch of the flaws stem from ActiveX controls, probably the worst thing Microsoft’s developers ever came up with (with the possible exception of Microsoft Bob).
At least one of the vulnerabilities, MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 – Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.
Get those patches installed ASAP!
Speculation abounds over who was responsible for the DDoS attacks that affected Twitter–and to a lesser degree, Facebook and LiveJournal–this past Thursday.
Various sources, including CNN and CNet, suggest that a Georgian blogger with accounts under the name “Cyxymu” (a town in the Republic of Georgia) on the services was targeted. The date of the attack coincides with the one year anniversary of the Russia-Georgia conflict.
Other sources, including The Register suggest that a JoeJob was the main source of the attack. Joejobs are spam messages designed to induce someone to click on a link in the hopes that enough people will do so, thereby harming the site being linked to.
Still others blame a conventional DDoS attack using botnets, but Arbor Networks‘ analysis actually shows a drop in traffic volume hitting Twitter during the alleged DDoS attack, leaving doubt that this method was used.
I’ve also seen reports blaming hackers angry at Twitter for becoming more popular than IRC, a vigilante trying to point up the danger of botnets, and cyber-terrorists.
Seems no one really knows for sure at this point.
On Thursday morning, I decided to check my Twitter account and was greeted by a “Network Timeout” error. I tried several more times and finally gave up, thinking I’d just try later. I thought nothing more about it until I heard the news item on a local radio station that Twitter had been DDoS’d. This was confirmed at http://status.twitter.com:
We are defending against a denial-of-service attack, and will update status again shortly.
Update: the site is back up, but we are continuing to defend against and recover from this attack.
Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We’re working to get back to 100% as quickly as we can.
Update (4:14p): Site latency has continued to improve, however some web requests continue to fail. This means that some people may be unable to post or follow from the website.
As of late yesterday morning communication with the API and SMS was still down.
As usual, there always seems to be some humor in these situations. Here’s a comment by John Pescatore of SANS Institute from the SANS News Bites:
[Editor’s Note (Pescatore): Wow, 2 hours without tweets! That’s like a
car drive to the shore without anyone in the back seat saying "Are we
there yet? I see a rock. Is that a seagull? I like saltwater taffy.
Shaquille Oneal is really tall. Are we there yet?" the entire trip.]
This is simply idiocy—or gross negligence—of the highest degree. In the last week, more than a dozen US Representatives’ websites were defaced by hackers who posted digital graffiti on the home pages. The graffiti read, “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs” (see screen shot). There was not other damage to the sites.
The method used to break in? Password guessing. The hackers compromised the site administration passwords at Web design and hosting firm GovTrends of Alexandria, VA which provides Web hosting for about 100 House sites. Not all were affected.
According to GovTrends founder Ab Emam, passwords assigned to member offices were never changed. Now, it’s typical for a Web hosting company to assign default admin passwords, but those passwords should be strong. In this case, they weren’t. “Most of these passwords could be guessed, they were obvious,” Emam said. “That’s been changed, and each of these sites is now required to have strong passwords.”
Really? Should have been required all along. There’s simply no excuse for this. I have written numerous articles over the years about how to generate strong, un-guessable passwords and I’m not the only one: a Google search brings up 61,800 results for that term. Will they ever learn?
(In all fairness, I have to report that there is some question as to whether password guessing was actually the cause of the breach. This article by Brian Krebs has been updated to suggest that SQL injection may have been the method.)
No matter; there’s no excuse for that, either.
I’ve heard this phrase bandied about in Linux forums and in the occasional blog post, but it’s something I never considered relative to the security of Windows boxes. There’s an awful lot of research on the subject and it boils down to this: The larger the attack surface, the more insecure the system. Makes sense, but just what is an attack surface? Thanks to a research paper, Measuring a System’s Attack Surface, Pratusya Manadhata and Jeannette M. Wing, CMU Technical Report CMU-CS-04-102, January 2004, we have a concise definition:
A system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.
This means that any applet, any built-in feature, any module, any application, probably contains multiple attack vectors. Moreover, certain applications like Internet Explorer are attack vectors in and of themselves. When I started to look into this, I found that some folks over at the Microsoft Developer Network had put together a discussion along with a handy list of Windows attack vectors:
- Open sockets
- Open RPC endpoints
- Open named pipes
- Services running by default
- Services running as SYSTEM
- Active Web handlers (ASP files, HTR files, and so on)
- Active ISAPI Filters
- Dynamic Web pages (ASP and such)
- Executable virtual directories
- Enabled Accounts
- Enabled Accounts in admin group
- Null Sessions to pipes and shares
- Guest account enabled
- Weak ACLs in the file system
- Weak ACLs in Registry
- Weak ACLs on shares
Bear in mind that any of these can be subject to multiple vulnerabilities and many of them have been connected with specific vulnerabilities. However, the attack vector itself does not necessarily indicate a system vulnerability, per se. Think of these as things an attacker would try to compromise; for example, attempting to logon to a system as Guest. If the Guest account is enabled, that’s a vulnerability; if the Guest account is disabled, it’s merely a vector for attack.
So, how can we use this information in our workaday world? First, realize that the OS itself is the basis of all of the above items. Next, realize that any program, web application, widget, gadget, what have you, is going to utilize one or more of them. Finally, get the concept of “default unnecessary.” Windows comes with many built-in (read default) features, services and applications—many of them completely unnecessary in the enterprise.
We shrink the desktop attack surface by building our desktop image in three stages:
- We clean up the OS by removing ALL unnecessary features, tools, and applications. A good place to start is all the stuff in the Accessories folder. And who ever uses Microsoft Backup, or Character Map, or Tour Windows XP? You get the idea.
- Given a stripped-down image, we next install ONLY those applications and tools that are absolutely necessary for the user to perform her job. Ideally, we avoid mainstream applications and utilities as much as possible and go with those that are not as widely used (security through obscurity) and therefore not as subject to attack. For example, if PDF isn’t used in the enterprise for purposes other than reading manuals, why use Adobe Reader? Foxit Reader or any of the Open Source apps will work.
- Finally, disable all services and uninstall all protocols that aren’t required by the OS or necessary applications. The first things that come to mind here are UPnP and the SSDP Discovery Service and the Net.tcp Port Sharing service.
That will give us a clean desktop setup with a significantly lower attack surface; come to think of it, you should probably go check the servers, too.
If I’ve missed anything, let me know.
Rogueware? The names just keep coming. It’s another name for Scareware, that stuff designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. The end result is to steal money from PC users by luring them into paying to remove nonexistent threats. Disturbing statistics point out why this stuff won’t go away:
- Cybercriminals are earning approximately $34 million per month through rogueware attacks
- Approximately 35 million computers are newly infected with rogueware each month
- Rogueware is being distributed through Facebook, MySpace, Twitter, Digg and targeted BlackHat SEO attacks
- Research confirms that majority of cybercriminals operate from Eastern Europe
PandaLabs, Panda Security’s malware analysis and detection laboratory, announced yesterday that they’ve made a multi-year study available that examines the proliferation of rogueware into the overall cybercriminal economy. The report, “The Business of Rogueware,” by PandaLabs researchers, Luis Corrons and Sean-Paul Correll, reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.
It’s very clear the whole landscape has changed from a vandal model to a profit model. It used to be that the cyber-vandals trashed your hard drive and wrecked your website; now, cyber-criminals use tactics to steal your identity and extort money from you. The damage is no less costly, it has just increased in both the intensity of emotional pain and amount of financial loss. The difference is that cyber-vandals didn’t have a payday—cyber-criminals do.
And people ask me why I’m adamant about cyber-security…
This video is a good example of how not all the effects of crime are bad. After all, if we didn’t have Nigerian 419 scammers, we wouldn’t have a song about the infamous Nigerian 419 scams that haunt email inboxes these days. Lyrics are a little hard to pick out, but the chorus repeats enough that you’ll eventually get it. It’s a catchy tune. Perfect to lighten things up after a serious month of fighting security threats.
I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:
Leo: Oh, boy.
Don’t tell me I didn’t say so. Turn that interface OFF!
Sounds funny, doesn’t it? But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.‘” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:
This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats. The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?” It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.
One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.
What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.
The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.
Fellow security professionals, we have our work cut out for us.
Bruce Schneier’s June 19, 2009 post Fraud on eBay stands as a testament to the fact that all is not well with the online auction giant.
I expected selling my computer on eBay to be easy.
Attempt 1: I listed it. Within hours, someone bought it — from a hacked account, as eBay notified me, cancelling the sale.
Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then — near as I could tell — immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying “I paid you, now send me the computer.” But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn’t ship the item until the investigation is complete.
That’s one example of eBay fraud. Another report in The Consumerist, “It’s Now Completely Impossible To Sell A Laptop On Ebay,” shows another variation, clearly a Nigerian scam:
So I re-listed the item. This time, I lowered the minimum bid and paid for the ‘featured item’ option (which I thought was a stupid idea, but the only way to get my auction seen by any appreciable audience). This time, the auction ended without incident. I got an email from the bidder telling me that he was glad to have won the auction, and was excited for me to ship it… To Nigeria.
Let it be known here that though I may not be the smartest person in the world, I’m not stupid. His email went on to explain (in poor English) that he was ‘on business trip to the Nigeria,’ and that he was willing to pay me $1000 through PayPal for the laptop. Shortly thereafter I received an email from ‘PayPal’ (who is now apparently sending out their customer service emails from gMail), stating that I had received a payment, but that it would not show up in my account until I emailed them back the tracking number for the parcel. Very clever, but once again, I’m not stupid.
While I haven’t had this type of problem on eBay, I have experienced similar fraud on Craig’s list. Here’s a short excerpt from one of the emails I received from the fraudster (reportedly sent by USPS):
Thanks you for using Postal Money Order, The payment for your merchandise has been paid for,we have your $500:00USD money order sent to you by the buyer of your item Lewis Jack in our database, as soon as the item is shipped, please forward us with the shipping tracking number, so your $500:00USD money order can be mailed to your address, your money order is secure and save.
We will be glad to inform you that the payment sent to you by Lewis Jack has been processed and verified, your payment is now on hold for 48 hours from the period of time you recieve this email, we will be sending you a shipment notification email as soon as we recieve the shipment tracking number for the item your buyer purchased.
Based on the blatant outpoints in grammar and punctuation, it’s pretty obvious that this didn’t come from the United States Postal Service. It’s clearly a scam and I would never see payment if I were stupid enough to ship the item.
I’m about to list a rather expensive router on eBay and if I have any experiences similar to those of Mr. Schneier and the other gentleman, I’ll post details here.
It appears, though, that unless you’re selling low value or garage sale class items, the watchwords are: “Caveat venditor” (let the seller beware).