Security Corner


February 10, 2009  3:02 AM

OpenDNS Service to Track and Block Conficker Worm

Ken Harthun

With some estimates placing the number of computers infected by the Conficker worm at 10 million or more, Conficker has the potential to become one of the biggest botnets ever. Given that many system administrators probably don’t realize they’re hosting the parasite, it’s a good bet that things will get worse before they get better. Fortunately, the good guys at OpenDNS are offering a free service designed to alert administrators to Conficker’s presence and help them with containment and cleanup.

Though Conficker began spreading late last year, so far none of the infected machines has downloaded any software that would create a botnet or send spam. However, that could change in a blink if the criminals behind Conficker add a malicious payload to any of the domains the drones connect to every day. If a network has any PCs that try to connect to the rogue servers, OpenDNS will pinpoint them. As part of the service, infected machines will be prevented from connecting to the control servers:

What’s interesting about this particular virus is that it uses the Domain Name System in a unique way: Conficker contains an algorithm that checks 250 new domains per day for instructions on what it should do. This puts us in a unique position to keep you safe since we’re in the unique position of providing insight and intelligence into your DNS service. We’ve teamed with Kaspersky Lab to identify those 250 daily domains, and stop resolving them.

Administrators must register for a free account in order to take advantage of the service and must use OpenDNS on their networks. Once the account is set up, it’s a simple matter to check for Conficker’s presence:

To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with.
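The resolver-side containment the two quotes describe, refusing to resolve the day's generated domains and reporting which internal hosts asked for them, as an added example that is not OpenDNS code. The blocklist and query log are constructed placeholders (`.invalid` names), not real Conficker domains, and the log format is an assumption:

```python
"""Resolver-side Conficker containment, as the post describes OpenDNS doing it:
refuse to resolve the day's generated domains and report which internal hosts
tried. Added example, not OpenDNS code. The blocklist and log lines below are
constructed placeholders (.invalid TLD), not real Conficker domains.
"""
from collections import defaultdict

# Stand-in for one day's list of Conficker-generated domains (constructed).
BLOCKED_TODAY = {"qwlmfhsd.invalid", "bxzpojqe.invalid", "tvrkacyl.invalid"}

# Constructed resolver query log: date time client qtype qname
QUERY_LOG = """\
2009-02-09 08:01:13 192.168.1.23 A www.example.com
2009-02-09 08:01:14 192.168.1.23 A qwlmfhsd.invalid
2009-02-09 08:01:15 192.168.1.57 A mail.example.net
2009-02-09 08:02:01 192.168.1.23 A cdn.bxzpojqe.invalid
2009-02-09 08:02:44 192.168.1.88 A TVRKACYL.INVALID.
2009-02-09 08:03:09 192.168.1.57 A example.org
""".splitlines()


def normalize(qname):
    """Lower-case and drop the trailing dot so lookups are case/FQDN-insensitive."""
    return qname.lower().rstrip(".")


def is_blocked(qname, blocklist):
    """True if qname or any parent domain is on the blocklist."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_policy(qname, blocklist):
    """What the resolver does with a query: BLOCK (no answer) or RESOLVE."""
    return "BLOCK" if is_blocked(qname, blocklist) else "RESOLVE"


def parse_query(line):
    """Split one log line into (client_ip, qname); date, time and qtype are ignored."""
    _date, _time, client, _qtype, qname = line.split()
    return client, qname


def suspect_hosts(log_lines, blocklist):
    """Map each internal client that queried a blocked domain to the domains it asked
    for: the 'Blocked Domains' view an administrator would use to pinpoint infected PCs."""
    hits = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        client, qname = parse_query(line)
        if is_blocked(qname, blocklist):
            hits[client].add(normalize(qname))
    return {client: sorted(domains) for client, domains in sorted(hits.items())}
```

Subdomains of a listed domain and upper-case or FQDN-style queries are matched too, which the post's description does not spell out.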

February 3, 2009  3:19 AM

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?

Ken Harthun

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs? Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine, and vice versa, is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba file-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.


January 31, 2009  3:58 PM

Five Essential Steps to Secure Your Home PCs & Network

Ken Harthun

When we buy an appliance, we expect to be able to take it home, take a brief glance at the instructions for setting it up, plug it in and go. For most things, this expectation is fulfilled, even, unfortunately, for the home PC. In fact, once you get a few things plugged into the back of it all you have to do is turn it on and start surfing. When you first start a Windows PC, there’s a short setup routine that asks if you want to turn on Automatic Updates (recommended), but little else in the way of how to properly secure your PC and the network it’s plugged into.

PC makers should at least provide a short, animated tutorial or video that explains these five essential steps to securing a home PC and network:

1. Install a NAT router. Inexpensive, and easy to configure, a NAT (Network Address Translation) router is your first line of defense on the Internet. While the Windows firewall is on by default these days, if your PC is plugged directly into your broadband router, you’re visible to everyone on the ‘Net. The router takes this live Internet address and translates it to a private address that is invisible to anyone on the outside.

2. Change the router default password. All routers come pre-configured with a default login and password. These are well known and lists are posted on the Web. Here’s an example of one that’s searchable by router model: http://www.routerpasswords.com/. While an attacker normally can’t get to this from the outside, if you somehow get infected with remote control malware, an attacker can get to it from your computer. He can change the settings to send you virtually anywhere he wants you to go. Not good.

3. Install and/or update a security suite. Most PCs these days come bundled with either anti-virus or a full security suite like McAfee Internet Security, Norton Internet Security or the like. My favorite is ESET Smart Security; unfortunately, this isn’t one that you’ll see bundled with a new PC. Make sure the software is up to date and make sure it will update itself automatically.

4. Turn on Automatic Updates. You should have done this when you set up the computer, but if you haven’t, do it now by following these instructions.

5. Learn about and follow safe computing practices. All of the security devices and software in the world won’t help you if you click on pop-ups, open every email you get, click on random links, and generally practice unsafe surfing. Unfortunately, this is one of the main reasons why the criminals continue to succeed. Take some time to learn how to be safe on the ‘Net by taking advantage of these free resources:

Nine Steps to System Security – 2008: http://tinyurl.com/6nt2jr
Home Network Security: http://www.us-cert.gov/reading_room/home-network-security/
Recognizing and avoiding email scams: http://www.us-cert.gov/reading_room/emailscams_0905.pdf
Protecting your privacy: http://www.us-cert.gov/cas/tips/ST04-013.html
Avoiding Social Engineering and Phishing Attacks: http://www.us-cert.gov/cas/tips/ST04-014.html

Good luck, and be careful out there.


January 30, 2009  4:23 AM

“Victim” of Cybercrime Found Searching for Illegal Porn

Ken Harthun

Talk about irony. You get infected by a cybercriminal’s illegal bot (Ozdok/Mega-D in this case) which takes a screen shot that shows you searching for illegal underage porn; then, security researchers get hold of some screen shots from the bot’s command and control (C&C) server; while going through the shots, the researchers come across those of your screen and notify the authorities (presumably, the FBI).

From a SecureWorks research note, Ozdok: Watching the Watchers:

Also, a note to the gentleman searching for images of nude preteen girls: You can run all the anti-spyware tools you can find, and employ the best anonymity tools in your web browser – it’s not going to help you if you get infected with an advanced trojan like Ozdok/Mega-D or one of the many others that allow hackers to take screenshots of your computer desktop. Don’t worry though, you probably won’t need a computer in the near term, as we’ve notified the authorities of your name and location (which you conveniently provided in a series of screenshots).

The good news is that you can remove the pest. Here’s what Symantec recommends for their products:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Complete removal instructions are in this article.


January 28, 2009  1:47 AM

Using the Malicious Software Removal Tool (MSRT) from the Command Line

Ken Harthun

In my September 13, 2008 post, “Software for Secure Computing: Microsoft Malicious Software Removal Tool,” I said, “Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.” I wonder how many people know that if you have automatic updates enabled, there’s no need to download MSRT to run it, because the latest version is already on your system.

The MSRT can be invoked from the Run dialog or the command line using a simple three-letter command, and several options are available. Hit Windows Key + R to open the Run dialog and type mrt /? This will bring up an information box as shown below. (The same thing happens if you type the command at a command prompt.)

The options are self-explanatory. If you just type mrt by itself, it will bring up a UI that lets you point and click to select the type of scan you want. On the first UI screen, you can view a list of the malicious software that the tool detects and removes. The signatures are updated monthly, on Patch Tuesday, when Microsoft releases the latest version of the tool.

Remember that the MSRT is not a replacement for an anti-virus product; it targets only a limited set of specific, prevalent malware as determined by Microsoft’s security folks. You should use a good anti-virus product.


January 23, 2009  2:15 AM

Will They Ever Learn to Patch?

Ken Harthun

The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update, so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.

Why any individual PC user would put themselves at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A, the original worm, probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant, Conficker.B, surfaced; it’s the one responsible for the current mass infection.

You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.


January 18, 2009  1:34 AM

The Great Drive Wiping Controversy Settled at Last

Ken Harthun

How many times do you have to overwrite a hard drive in order to securely wipe it? This question has been at the center of an ongoing controversy for a long time. On the one hand, we’ve had Peter Gutmann saying it takes 35 passes (Gutmann, P. (1996) “Secure Deletion of Data from Magnetic and Solid-State Memory”); on the other hand, we’ve had NIST saying one pass is enough (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). So, which is it: one, 35, or something in between?

NIST gets the prize: One pass is enough to delete data such that it cannot be recovered. A paper published in December last year, “Overwriting Hard Drive Data: The Great Wiping Controversy” by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S., presented at ICISS2008 and published in the Springer Verlag Lecture Notes in Computer Science (LNCS) series, proves beyond doubt that data can’t be recovered from a wiped drive even if one uses an electron microscope. As Craig Wright puts it in a post on the SANS Computer Forensics blog:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible… The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

That sure makes life easier for those of us who have to deal with secure deletion of sensitive data. I’ll use my copy of Darik’s Boot and Nuke (DBAN) with one pass from now on and get those retired hard drives wiped in no time.
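The one-pass overwrite-and-verify the post settles on, as an added example (not DBAN's code). It works on a regular file or disk image; pointing it at a raw block device is the whole-drive case and needs the rights to open the device. The scratch file and its "sensitive" contents are constructed for the demo.

```python
"""Single-pass overwrite-and-verify, the one-pass policy the post adopts.
Added example (not DBAN's code). Works on a regular file or disk image; a
whole-drive wipe needs the raw block device and the rights to open it.
Caveat: overwriting a *file* on an SSD or a journaling file system does not
reach remapped or journaled copies; only a whole-device wipe does.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB write/read unit


def overwrite_once(path, fill=0x00, chunk=CHUNK):
    """Overwrite every byte of `path` in place with `fill`; returns bytes written."""
    size = os.path.getsize(path)
    block = bytes([fill]) * chunk
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        while written < size:
            n = min(chunk, size - written)
            fh.write(block[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # make sure it reached the medium, not just the cache
    return written


def verify_wiped(path, fill=0x00, chunk=CHUNK):
    """Read back and confirm only the fill byte remains. Returns the offset of the
    first chunk that deviates, or -1 when the whole file is clean."""
    block = bytes([fill]) * chunk
    offset = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return -1
            if data != block[:len(data)]:
                return offset
            offset += len(data)


def demo():
    """Constructed sample: a scratch file seeded with 'sensitive' text, wiped once."""
    secret = b"ACCOUNT 0000-0000-0000 PIN 0000\n" * 4000  # constructed, ~128 KB
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    before = verify_wiped(path)     # 0: secret data present from offset 0
    written = overwrite_once(path)
    after = verify_wiped(path)      # -1: nothing but the fill byte remains
    with open(path, "rb") as fh:
        leaked = secret[:16] in fh.read()
    os.remove(path)
    return {"size": len(secret), "written": written,
            "before": before, "after": after, "leaked": leaked}
```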


January 17, 2009  3:27 AM

Software for Secure Computing: Exploit Prevention Labs Link Scanner

Ken Harthun

With cybercriminals now actively poisoning search results and legitimate websites, unbeknownst to the webmasters, you can’t be too careful when clicking on links. Take a look at this video library presented by Exploit Prevention Labs (XPL) CTO and Chief Researcher Roger Thompson and you’ll see why. The videos show a number of recent exploits. The bad thing about these exploits is that you never see them coming. From the XPL Threat Center:

Exploits deliver their malcode through driveby downloads that happen silently and can be delivered through any kind of site. Most site owners don’t know themselves when their site has been poisoned – it’s happened to every kind of site, from global businesses to individual MySpace pages.

That’s why you should be using XPL’s LinkScanner. This nifty utility integrates with the search engines to check for a variety of threats, so you’ll know whether a site is safe (or not) before you click the link. Take a look at the screenshot of my Google search on “warez.” The red X’s are the LinkScanner results: those sites are dangerous. The green checkmark on the Wikipedia entry indicates that it’s safe to surf.

LinkScanner allows you to check any link on demand by right-clicking on the link and selecting “Quick Scan with LinkScanner.” This is great for checking links in sites you’re surfing. You can also open a console and paste an address for scanning.

You may wonder how LinkScanner compares with McAfee’s SiteAdvisor. So did I. XPL gives an in-depth comparison on their LinkScanner vs SiteAdvisor page. Here’s an excerpt:

LinkScanner’s SearchShield technology actually does a live scan on Google, Yahoo and MSN search results and with no delay in search engine results delivery. This enables LinkScanner to definitively state whether the page behind any link is or is not safe at the only time that matters – the time you plan to visit it.

In contrast, SiteAdvisor “crawls” entire sites over a period of weeks and/or months and renders opinions about entire sites, which are then stored in a central database.

Download LinkScanner Lite for yourself and you just may find, as I did, that it’s an indispensable tool for secure computing.


January 14, 2009  2:28 AM

Security Resolutions for 2009

Ken Harthun

We’re nearly two weeks into the New Year and how many of those resolutions we made during the glow of the holiday season (and maybe some martinis) have gone off with the Grim Reaper? We all make them and break them; it wouldn’t be the New Year without making resolutions, after all. Lose weight, quit smoking (or drinking), start exercising, all are fine resolutions, but how about making a couple security resolutions that will help keep you safe on the Wild, Wild, Web? Here’s a list that you can pick from. Choose one, two, or all of them and pledge to yourself that whichever of them you choose, you won’t break them.

  • I will never view, open or click on an email attachment unless I know who sent it, why they sent it and what it is.
  • I will never click on a link in an email without knowing exactly where it will take me.
  • I will never send sensitive personal or financial information to anyone via email.
  • I will download and study Recognizing and Avoiding Email Scams provided by US-CERT.
  • I will also download and study Avoiding Social Engineering and Phishing Attacks.
  • I will install security software on my computers and keep the software up to date.
  • I will set up and begin using a backup plan to protect my data.
  • I will use only WPA2 encryption on my wireless access point and a strong password.
  • I will review all my passwords, change them regularly, and use strong passwords where sensitive information is at stake.
  • I will keep up with security issues by reading Security Corner on a regular basis (shameless plug!)

Any one or more of these security resolutions will get you off to a good start in 2009. I recommend you adopt them all.

Happy New Year!


January 7, 2009  3:35 AM

MD5 Hashing Algorithm No Longer Safe

Ken Harthun

Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be perfectly legitimate.

Steve Gibson focused on this issue in his latest Security Now! podcast (#177). On the resource notes for the episode, Steve gives a link to the actual certificate with instructions on how to view it.

The extremely paranoid can remove any certificates that don’t rely on SHA1 hashes, and CAs should immediately ditch MD5.
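A way to carry out the post's advice in practice, as an added example that is not the post's or Steve Gibson's code: inspect the signature algorithm a certificate carries and flag the MD5 family. It walks only the outer DER structure and does no validation; the two sample certificates at the bottom are constructed stand-ins with a dummy TBS body, not real certificates.

```python
"""Flag X.509 certificates whose signature uses an MD5-family digest.
Added example (not the post's code): walks only the outer DER structure
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
"""

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_DIGESTS = ("md2", "md4", "md5")

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                              # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.4."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                             # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, start, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)         # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(der[oid_start:oid_end])

def uses_weak_digest(der):
    """True when the certificate was signed over an MD2/MD4/MD5 digest."""
    return SIGNATURE_OIDS.get(signature_algorithm(der), "").startswith(WEAK_DIGESTS)

def _tlv(tag, body):
    """Tiny DER encoder (short-form lengths only) for the constructed samples below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _sample_cert(oid_hex):
    """Constructed stand-in: dummy TBS body, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))

MD5_SAMPLE = _sample_cert("2a864886f70d010104")   # md5WithRSAEncryption
SHA1_SAMPLE = _sample_cert("2a864886f70d010105")  # sha1WithRSAEncryption
```

To check a real certificate, strip the PEM armor, base64-decode it, and pass the resulting bytes to uses_weak_digest.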

