Security Corner


March 20, 2009  12:31 AM

Win an Xbox for Asking & Answering IT Questions

Ken Harthun Ken Harthun Profile: Ken Harthun

Hey, fellow Geeks,

Now through the end of April, your tech savvy can earn you the chance to win one of three Xbox 360 game consoles being given away by our favorite tech site, IT Knowledge Exchange. Winners will be the top three community members who have the most Knowledge Points earned and have asked five IT-related questions. You still get points for asking other questions, but only those related to IT will be counted for the contest. Full details are in community manager’s Jenny Mackintosh’s ITKE Community blog posting, so go there for rules, etc.

The three winners will receive:

  • First Place: Xbox 360 Elite
  • Second Place: Xbox 360
  • Third Place: Xbox 360 Arcade

This is a chance to show off your IT guru skills and win a neat prize in the process. Go ahead and ask a tough question (remember, you need to ask five of them) by going to the Ask a Question page.

Good luck and have fun!

March 16, 2009  5:41 PM

RSA Social Security Awards: Please Nominate Security Corner

Ken Harthun Ken Harthun Profile: Ken Harthun

If you like Security Corner and find it useful, I would appreciate your nomination. I suppose the best category would be the non-technical blog. Here’s info from their blog post:

The nominations for the Social Security Awards are well underway and we currently have more than 450 nominations in hand. People can keep nominating until March 31 at which time we will sift threw the nominations and hand over the final five in each category to our esteemed panel of judges from CSO Magazine, Washington Post, Forrester Research, Dark Reading and TechTarget.

I want to clarify that you need not be present to win one of the Social Security Awards, so get your readers to nominate you in one of the following categories:

  • Best Security Podcast
  • Best Technical Security Blog
  • Best Corporate Security Blog
  • Best Non-Technical Security Blog
  • Most Entertaining Security  Blog

Thanks in advance for your show of support!

Cheers!
Ken


March 6, 2009  1:35 AM

Firefox 3.0.7 Released, Addresses Multiple Vulnerabilities

Ken Harthun Ken Harthun Profile: Ken Harthun

Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.

The following Security Advisories are addressed in Firefox 3.0.7:

  • Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
  • Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
  • Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
  • Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
  • Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”

Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.


February 28, 2009  4:11 PM

Use This Little Known Tool to Securely Delete Files and Folders on Your Hard Drive

Ken Harthun Ken Harthun Profile: Ken Harthun

For those who grew up with the graphical user interface, command line tools are often seen as arcane remnants from the dawn of PC history, a time when badly-dressed nerds sporting horn-rimmed glasses and pocket protectors ruled the universe (well, maybe just the computer lab). For them, nearly all of the command line tools are little known; for us dinosaurs who were typing on terminals well before the PC arrived, there are few of these older tools we haven’t seen. However, as the GUI gradually replaced the command line and we command line geeks began to point and click more and more, some useful tools escaped our notice. One of these is the ten-year-old SDelete by Mark Russinovich of Sysinternals fame. Microsoft acquired Sysinternals in July, 2006 and made all of the excellent tools available free.

Using SDelete

SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specifier.

Usage: sdelete [-p passes] [-s] [-q] <file or directory>
sdelete [-p passes] [-z|-c] [drive letter]

-c     Zero free space (good for virtual disk optimization).

-p passes     Specifies number of overwrite passes.

-s     Recurse subdirectories.

-q     Don’t print errors (quiet).

-z     Cleanse free space.

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, which is overkill (see The Great Drive Wiping Controversy Settled at Last), but ensures your data is deleted forever. There is one caveat: SDelete securely deletes file data, but not file names located in free disk space. If you want to be completely sure that all traces of a file are gone, be sure to use the –c or –z option.

#####

Want to see even more useful, little known tools? Check out Sysinternals Live:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or  \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.


February 25, 2009  1:52 AM

Beware the Phone Phishing Scam

Ken Harthun Ken Harthun Profile: Ken Harthun

In my area, there has been a rash of phishing calls targeting bank customers. Coincidentally, today’s WXP News (Vol. 8, #59 – Feb 24, 2009 – Issue #367) addresses the same issue:

You might never click a link in an email purporting to be from your bank, but what if someone from the bank called you on the phone and informed you that your account may have been compromised, and asked for your credentials? The best of these scammers will express concern for “security” and insist that you call them back to “verify” that the call is legitimate. And of course, the number that they give you to call is answered with the bank’s name. Some even go so far as to spoof the caller ID information so your phone displays the name of the bank when they call.

The countermeasure to this is to hang up, dial the bank’s main, published phone number and ask to speak to someone in their security department (some banks call it their “Bank Protection” section). Tell them you believe you may be the target of fraudulent activity. Most banks adhere to some variation of this policy: [XYZ Bank] does not contact customers via email, phone or mail to request or verify security information about passwords, personal identification numbers (PINs), credit card numbers or Social Security numbers.

Check your bank’s website for more information and current security alerts. And don’t give out any information over the phone unless you are absolutely sure who is on the other end.


February 24, 2009  3:37 AM

Scareware – Yes, People Do Fall for the Ruse

Ken Harthun Ken Harthun Profile: Ken Harthun

What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)

Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program.  [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer.  So now I don’t have an antivirus installed.  I tried to download another copy of AV 2009, but I couldn’t remember where I got it.  Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”

Here is some of the conversation between the hosts:

Host1:  And a lot of people have been getting it.  And MSRT has been removing it from a lot of machines.  So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.

Host2:  Yes, because you’re not alone.  There are many, many, many people who’ve fallen for this.  I get – literally I get this call on the radio show all the time.

Host1:  Yes.  Yes.  So do not go looking for another copy of it.  Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer.  It is malicious.  It’s good that Microsoft MSRT removed it.

 


February 18, 2009  5:05 PM

Scareware–Using Fear & Deception to Dupe Consumers

Ken Harthun Ken Harthun Profile: Ken Harthun

You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”

What do you do? If you’re the average computer user, this will probably scare you (which is why it’s called “scareware”). You’ll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don’t do it: The message is a fake and you’re not really infected. If you click, however, you are going to get infected by some really nasty stuff.

Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus–and totally useless–”security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.

The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.

  • AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have similar appearance.
  • AntiVirus Plus: Sometimes uses Microsoft Security Center alerts to trick you into thinking it’s legit. The screen shot below is totally bogus.

  • AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
  • XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
  • WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it’ll scare you enough to dupe you into buying the software.
  • Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
  • AntiVirus Sentry: This is one that will often download itself even if you don’t click on anything.
  • Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it’s a legitimate application.
  • ProAntispyware 2009: You might see this one advertised on the Web, too.
  • RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
  • Antispyware 3000: Usually budled with Trojan Horse programs. Looks legit, but don’t let it’s slick appearance fool you–it’s bogus.

Thanks to Redmond Magazine, bleepingcomputer.com, Microsoft Malware Protection Center, and others for information used to compose this post.


February 14, 2009  3:54 PM

There is no "Super Secure" Browser

Ken Harthun Ken Harthun Profile: Ken Harthun

Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.

Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.

Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]

You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”


February 11, 2009  10:30 PM

Software for Secure Computing: Easy Email & File Security with AxCrypt

Ken Harthun Ken Harthun Profile: Ken Harthun

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to make contact with the recipient off-line to give them the passphrase, but your information will be secure in transit.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.


February 10, 2009  3:02 AM

OpenDNS Service to Track and Block Conficker Worm

Ken Harthun Ken Harthun Profile: Ken Harthun

With some estimates placing the number of computers infected by the Conficker worm at 10 million or more, Conficker has the potential to become one of the biggest botnets ever. Given that many system administrators probably don’t realize they’re hosting the parasite, it’s a good bet that things will get worse before they get better. Fortunately, the good guys at OpenDNS are offering a free service designed to alert administrators of Conficker’s presence and help them with containment and cleanup.

Though Conficker began spreading late last year, so far none of the infected machines has downloaded any software that would create a botnet or send spam. However, that could change in a blink if the criminals behind Conficker add a malicious payload to any of the domains the drones connect to every day. If a network has any PCs that try to connect to the rogue servers, OpenDNS will pinpoint them. As part of the service, infected machines will be prevented from connecting to the control servers:

What’s interesting about this particular virus is that it uses the Domain Name System in a unique way: Conficker contains an algorithm that checks 250 new domains per day for instructions on what it should do. This puts us in a unique position to keep you safe since we’re in the unique position of providing insight and intelligence into your DNS service. We’ve teamed with Kaspersky Lab to identify those 250 daily domains, and stop resolving them.

Administrators must register for a free account in order to take advantage of the service and must use OpenDNS on their networks. Once the account is set up, it’s a simple matter to check for Conficker’s presence:

To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: