A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.
When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.
I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of [“%1″ %*] to ; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.
Hacker skills are valuable for us white hats.
Did you figure out level 2 of the HackThisSite.org Basic Missions? Here’s the mission:
Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…
Read the mission briefing very carefully. A script loads a password from a file. There isn’t a file, so the script won’t load anything, meaning the variable will be…empty (blank). Clicking the Submit button with an empty password field should do it.
That worked. Mission accomplished.
Yesterday, Michael Morisy, ITKnowledgeExchange’s community editor, posted “President Obama’s back-to-school speech tells students to pursue technology. What’s your advice?” It contained a transcript of The President’s speech. Ignoring the controversy and the politics, one has to agree that he made some good points; in fact, I found the whole speech inspiring.
One thing President Obama said relative to the pursuit of technology careers stood out: “Students who sat where you sit 20 years ago founded Google, Twitter and Facebook and changed the way we communicate with each other.” Yes, and before that another generation of students invented the Internet and founded the biggest software company in the world. What he left unsaid is that these technological advances have not been without problems; indeed, they have created entirely new problems that have spawned a separate IT industry: Information Security.
My advice to students who pursue technological careers—particularly IT related—is to realize that the development of new technology also carries with it the responsibility of ensuring that technology is safe to use. The lack of such responsibility in the past, whether through shortsightedness or outright neglect, has given us an Internet that is a haven for a new breed of criminal, that exposes our children to predators, hate propaganda and smut all at the click of a button and often unwittingly. And I haven’t even mentioned the threat to our national security.
President Obama said, “…you become good at things through hard work.” There’s a lot of hard work ahead before we get to the point where anyone can buy a computer, plug it in and use it safely without having to be an information security specialist.
We’ll know we’re there when the PC is as safe to use as a TV.
All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.
The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:
MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."
We can only hope.
The other day, I proposed you test out your ethical hacking skills over at HackThisSite. If you didn’t see that post, take a look now: How Are Your Hacking Skills? As promised, I’m publishing my comments and approach to the solution.
Level 1, dubbed “The Idiot Test,” requires that you enter the correct password into a password field in order to continue to the next level. The name itself seemed a giveaway to me, so I started with the obvious, a blank password, and simply clicked the submit button. No joy. Next, I tried ten of the most popular weak passwords in use (take your pick as to which “Top Ten” list you prefer):
None of these worked; it appeared as if the test was going beyond the idiot level. If it’s that simple, it should be obvious, so I took another look at the screen and noticed another subtle clue: “If you have no idea what to do, you must learn HTML.” Hmm. Maybe the page source has a clue. I opened the page source and searched for “password.” Bingo! I found this in the code:
<!-- the first few levels are extremely easy: password is 1e79cde6 –>
Did you figure it out? Hit the comments and let me know.
I received some good feedback on my “14 Golden Rules of Computer Security” list, in particular, this comment from Michael: “…you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.” This lead to a review of past articles I’ve posted on the subject and my finding that though I’ve covered all of the bases, my writing is a bit fragmented. So, you can go back to “Nine Steps to System Security – 2008", “The Lazy Man’s Way to System Security”, and “14 Golden Rules of Computer Security” and put them all together for a complete PC security package, but that’s a lot for the average user to digest.
As of today, I’m embarking on a major pre-release revision of the eBook, 14 Golden Rules of Computer Security to make sure all of the bases are covered in a logical combination and sequence. In essence, the book will begin with the concept of a security baseline—the bare security essentials—for a normal home PC setup and will branch from there.
What’s a good PC security baseline? In “The Lazy Man’s Way to System Security,” I proposed these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” That was good enough at the time, but these days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”
There are many possibilities for implementing those four basic items and that will be well covered in the book.
In playing the contract consultant game over the years, I’ve become accustomed to verbal and written skills assessment tests, but until recently, I’d never had anyone present a question like this: “Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.” Sounds like fun, I thought, and it makes sense: If you want to know how well a guy can protect your network, see if he knows how a hacker would attack it. So I headed on over to the site. Having never been there, I didn’t know what to expect; I was greeted with this:
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker war games site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
I created an account, logged in and proceeded to the “Basic Missions” section; their are 11 of them, and I was to complete the first four. At level one, the challenge reads, “This level is what we call ‘The Idiot Test.’ If you can’t complete it, don’t give up on learning all you can, but don’t go begging to someone else for the answer, that’s one way to get you hated/made fun of. Enter the password and you can continue.”
Though they call it “The Idiot Test,” it’s not as simple as you might think. You’ll find the solution interesting. Try it for yourself, post your comments and check back in a day or so; I’ll be posting my analysis and solutions to each level, eventually covering all 11 basic missions.
In the meantime, have a safe and enjoyable Labor Day weekend.
It’s just not in fashion anymore; phishing attacks are ‘way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.
IBM’s security research and development division, X-Force, recently issued a report that found throughout 2008 , phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.
That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."
A copy of the IBM report can be downloaded here (PDF).
As always, let the surfer beware.
In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:
#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the
folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.
In the book, each one of these rules is explained in detail with links to tools and other information.
I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.
Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.
Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.
Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:
You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs – the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.
An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)
The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.