Security Corner


November 30, 2013  8:27 PM

Vulnerability in Microsoft Windows kernel could allow elevation of privilege

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft_patch_tuesdayMicrosoft Security Advisory (2914486) warns of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003 that can result in an elevation of privilege: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”

It does not affect newer versions of the desktop or server OS beyond XP and Server 2003.

It’s not critical. “An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.”

If you’re worried about it, here’s what to do:

“For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild.”

To implement this workaround, follow these steps:

  1. From an elevated command prompt, execute the following commands:sc stop ndproxy
    reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
  2. Restart the system.

Microsoft warns: “Disabling NDProxy.sys will cause certain services that rely on Windows Telephony Application Programming Interfaces (TAPI) to not function. Services that will no longer work include Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).” If you have problems after doing this and have to undo the workaround, here’s how:

  1. From an elevated command prompt, execute the following commands:sc stop ndproxy
    reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f
  2. Restart the system.

November 29, 2013  11:14 PM

Adobe hack: Check your email address now

Ken Harthun Ken Harthun Profile: Ken Harthun

managing-passwords-2012_06The recent Adobe hack revealed that people still haven’t been listening, don’t care or are just too lazy to bother coming up with good passwords. Here is some interesting data about that hack from this article at ITProPortal:

Security researcher Jeremi Gosney conducted a study on the massive dataset, assessing which passwords were most frequently used by Adobe users.

According to the research, “123456″ came out as the most popular password, with 1.9 million instances, representing 1.26 per cent of all users. This was closely followed by “123456789″, “password” and “adobe123″.

“1234567890″, “1234567″, “1234″, “123123″, and “abc123″ were strong contenders too, all featuring in the top 20 passwords used.

Slightly more surprising are “qwerty” and “azerty” (the first six letters used on keyboards in France and Belgium), as well as the touching “iloveyou”.

I hope you’re not one of those whose password matches any of these. Better yet, I hope you’re not one of the people whose credentials were compromised.

You can check to see if your email is among those who were leaked by entering it here: http://adobe.cynic.al/ at the “Adbobe Leaked Credentials Checker.”

Even if you find you are safe, please change your password if it’s a weak one, especially if it’s one of the ones listed above. And if you have ever used that password — or any password — at more than one site (heaven forbid at your banking site),  fix that problem, too.


November 28, 2013  12:31 AM

Happy Thanksgiving

Ken Harthun Ken Harthun Profile: Ken Harthun

To my readers who celebrate this American holiday…

happy-thanksgiving-horn-of-plenty

May you have a Safe and Happy Thanksgiving.


November 28, 2013  12:03 AM

Security best practice: How to store user passwords

Ken Harthun Ken Harthun Profile: Ken Harthun

encryptionAdobe’s October 2013 data breach was not only one of the largest breaches ever, it could have been prevented if the company had stored the user passwords correctly. They didn’t and to their great embarrassment, 150,000,000 records were exposed.

According to this article on Sophos’ Naked Security blog, Adobe made a huge cryptographic mistake. According to this article, here’s what they should have done:

…here is our minimum recommendation for safe storage of your users’ passwords:

  • Use a strong random number generator to create a salt of 16 bytes or longer.
  • Feed the salt and the password into the PBKDF2 algorithm.
  • Use HMAC-SHA-256 as the core hash inside PBKDF2.
  • Perform 10,000 iterations or more. (November 2013.)
  • Take 32 bytes (256 bits) of output from PBKDF2 as the final password hash.
  • Store the iteration count, the salt and the final hash in your password database.
  • Increase your iteration count regularly to keep up with faster cracking tools.

Whatever you do, don’t try to knit your own password storage algorithm.

It didn’t end well for Adobe, and it is unlikely to end well for you.

This also got me to thinking about password length and complexity again, so stay tuned for my latest cogitations on that matter.


November 24, 2013  10:25 PM

Is ubiquitous malware infection inevitable?

Ken Harthun Ken Harthun Profile: Ken Harthun

biohazardpcAre we rapidly approaching that day when every device attached to the internet carries some sort of malware? A recent SANS NewsBites carried this comment after a blurb about Stuxnet:

[Editor's Note (Skoudis): A few years ago, Marcus Sachs mentioned to me an intriguing idea. He said, someday, it is possible that pretty much every system will have some malware on it, just as our bodies are chock full of viruses and bacteria. But, our bodies handle it ok as long as the infection doesn't get out of hand and cause damage. The notion was that it will be impossible to be 100% clean, but you can in fact still be operational if you have good defenses (like the body's immune system). I didn't like hearing what he had to say then, as it sounded defeatist. But, stories like this remind me of that view of the future and make me wonder if we are heading there. ]

I have recently cleaned several PCs that showed evidence of infection by Trojans and spamware, yet they were performing fine and behaving themselves on the network; the items were sitting in Symantec’s quarantine, having been caught by the AV engine at some point. I guess you could consider that these machines were infected, similar to someone who had the flu virus in their system, but was not suffering from the illness. In the former case, the AV engine acted as the PC’s immune system; in the latter case, the body’s biological structures and processes to locate, isolate, and/or destroy pathogens are its immune system. This view seems to validate Mr. Sachs’ idea.

With all of the malware, old and new, that is already traveling around the internet, I believe we’ve already reached a certain level of ubiquitous infection if only of the infrastructure. As malware continues to get more sophisticated, it’s inevitable that some will slip by our defenses and end up on every PC.

We’ll need a better digital immune system to fight it.


November 23, 2013  9:18 PM

Adobe hacked: 38 million user accounts affected

Ken Harthun Ken Harthun Profile: Ken Harthun

adobe_hackedI don’t know how this one got under my radar, but I didn’t know about it until I received the following Last Pass Sentry Alert:

Hackers claim to have hacked the site adobe.com on 2013-11-03 and we’ve detected that your email address was included in the data published as part of the leak. The full description of the leak is as follows:

Adobe Systems announced on October 3rd of 2013 that hackers broke into Adobe network and stole source code for a range of products, including ColdFusion and Acrobat family of products. The breach also affected what was at that time estimated to be 2.9 million users but later was revised to include at least 38 million users. Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. The breach happened in early October but the stolen accounts were not published on the web until early November. The published data includes 10s of millions of accounts with IDs, email addresses, encrypted passwords and more.

Please update the password for your adobe.com account immediately. The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account.

Thanks,
The LastPass Team

Seems that I had to change some passwords just a short time back when this happened. I sure wish someone would come up with viable, secure replacements for Adobe apps so we could breathe a little easier.


November 17, 2013  9:28 PM

Ten tips for secure online shopping

Ken Harthun Ken Harthun Profile: Ken Harthun

honestlogoBlack Friday (or Thursday, or Monday, or whatever) is approaching and marks the “official” kickoff of the holiday shopping season. According to the National Retail Federation, if the trend holds, this season will be busier than last for online merchants, increasing approx. 4.9% to $602 billion this year. That’s good news for merchants, who make most of their profits for the year during the holiday season.

It’s also good news for cybercrooks.

Criminals will be vying for their share of the revenues by victimizing unwary shoppers seeking to get the most out of their holiday shopping dollar. Offering super low prices on name brand and designer merchandise is their favorite trick. Here are ten tips for secure online shopping that will help you avoid online shopping fraud this season.

  1. If the price seems too good, it probably is. That cheap Rolex watch is either a fake, stolen or is really a “Rolev.” Beware.
  2. Crooks duplicate well-known websites to the last detail. Check the domain. If it’s different than the site, leave quickly.
  3. Poor grammar and obvious mistakes in spelling are a good reason to avoid shopping on the site.
  4. Never shop on an insecure website. Make sure you see “https://” in the URL.
  5. Avoid merchants with no customer service phone number. If there is a number, call it to verify it’s real.
  6. Avoid merchants with email addresses that don’t match the site’s domain name, e.g., gmail or yahoo addresses.
  7. Don’t use a debit card; you risk your entire bank account. Use a credit card with buyer protection. Pay Pal is a good option.
  8. Check public reviews of the site to see what others have experienced.
  9. Keep all receipts and emails related to the transaction until you have received your products.
  10. The safest option by far is to simply shop at known reputable sites or sites you have prior successful dealings with.

There is no such thing as being 100% secure online, but if you follow these guidelines, you should be OK.


November 16, 2013  3:31 PM

LastPass Security Challenge

Ken Harthun Ken Harthun Profile: Ken Harthun

onepassword1Security is a dynamic process, never a one-time set-it-forget-it thing. As such, I periodically review and attempt to improve the security of my systems. For some years now, I have been a loyal and happy user of LastPass. Every login to every site I use on a regular (and not-so-regular) basis is stored there. One of the services that LastPass provides is their Security Challenge which examines your password vault, gives you an overall security score, and tells you what to do to improve your security. Here’s my most recent result:

I just scored 73% on the LastPass Security Challenge ranking 69029th overall. It securely analyzes the strength of your passwords, alerts you if you have any duplicate or weak passwords, and tells you how to make them more secure.

Give it a try and see if you can beat my score!

https://lastpass.com/?securitychallenge=1

Not a bad score — probably much better than the average person — but I’m not happy with it. Out of carelessness, or just plain laziness, I’ve been guilty of the the biggest password no-no of all: using duplicate passwords on different sites. Seems I’ve used 22 different passwords multiple times on 65 different sites. Moreover, I have 24 passwords that are considered weak and (yikes!) three blank passwords.

So, I’ll spend a few hours of my weekend changing passwords and eliminating duplicates and weak ones.


October 31, 2013  10:39 PM

Happy Halloween!

Ken Harthun Ken Harthun Profile: Ken Harthun

It’s that special day again: Halloween! And this is once again my Happy Halloween message to you. I thought about changing it to something different, but I honestly can’t think of a more appropriate message.

IMHO, no writer in history embodies the essence of Halloween more than Edgar Allen Poe whom I consider the creator of the horror genre (yes, I know he’s credited as the creator of detective-fiction and contributor to the science fiction genre but he dealt more in the macabre than anything else).

Poe’s short story, “The Gold Bug,” is what got me interested in ciphers and encryption as a young boy; a collection of his most popular short stories is what inspired me to become a writer.

So, on this Halloween 2013 I present a very special reading of Poe’s famous poem, “The Raven.” Enjoy!


October 28, 2013  11:38 PM

Beware Halloween tricks: Malware is no treat

Ken Harthun Ken Harthun Profile: Ken Harthun

Halloween BannerThe bad guys love to trick people into downloading their malicious garbage and will use just about any tactics to do so. It’s Halloween season, so people will be searching for all kinds of scary stuff to decorate, dress up and generally celebrate the creepy. The hackers know this and will have already started putting up poisoned search results. Haven’t heard about any yet? Believe me, they are out there lying in wait for some unsuspecting victim.

How can you tell if you click on a poisoned search result? Video codecs are a favorite vehicle for hackers. If you get a pop-up saying you have to install such-and-so codec or some sort of image viewer, chances are it’s an attempt to infect you. But this isn’t the only method used; when you click on a search engine result, be aware of anything that doesn’t look or feel right. Lots of drive activity, very slow page loading, unusual error messages, any of these things can indicate an attempt to infect your system.

Hackers love holidays and news events because people can be counted on to search for related information, but the above advice applies to routine searches as well. Nothing is immune to being exploited or used as a vehicle for malware, so keep your eyes (and ears) open all the time. I know how my systems act so well that I can spot trouble long before the system crashes.

Don’t let Halloween malware ruin your day.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: