Security Corner


October 27, 2008  9:29 PM

Software for Secure Computing: Firefox & NoScript

Ken Harthun Ken Harthun Profile: Ken Harthun

Everyone agrees that it just isn’t safe out there on the Wild, Wild, Web and while Microsoft has made huge strides in securing Internet Explorer, the fact that IE continues to use ActiveX scripting technology makes it the least secure browser. I often recommend that people not use IE unless they have to and if they have to, to run it in a sandbox or virtual machine. An application sandbox such as SandboxIE protects your system from malicious scripts by allowing them to run only in the protected area.

There’s a much better approach, however: switch to Firefox and take advantage of the free Firefox add-on, NoScript. NoScript takes a “default deny” approach and prevents all scripts on a site from running unless you explicitly permit them.  NoScript is also effective against the latest clickjacking attacks. My article, “How to Protect Yourself from Clickjacking,” over at Dave’s Computer Tips describes the configuration options for both IE and Firefox with NoScript installed.

Switch to Firefox, install NoScript, and enjoy secure computing.

October 23, 2008  8:29 PM

Microsoft Releases Out-of-Band Security Bulletin MS08-067

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft just released a critical update for a “privately reported” vulnerability in the server service:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

Exploits are already being detected, according to the Microsoft Malware Protection Center:

Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.

I’m going to update the servers right now. Everyone should do the same.


October 21, 2008  5:00 PM

The Four D’s of Cyber Security: Deny, Discriminate, Detect, & Destroy

Ken Harthun Ken Harthun Profile: Ken Harthun

This is an interesting and sensible approach to security.  I would call these the “Logics of Cyber Security” because they’re so basic they could well be the principles upon which all cyber security can be based. The paper’s authors call them “first principles,” defining such as “…a basic foundational proposition or assumption that cannot be deduced from any other proposition or assumption”–in other words, logics. (You can read the orginal article, “A Thematic Approach to Cyber Security Using First Principles” and the link to its latest revision at https://wiki.cac.washington.edu/pages/viewpage.action?pageId=7481170&navigatingVersions=true. Note: The article hasn’t been updated since February, 2008.)

Here’s a simple overview of these principles.

DENY — default deny is an absolute must when making shared resources available via servers, network storage, and the Internet. You block everything until you are able to determine whether the entity attempting access is authorized. Another method of denial is encryption. This could be used to provide more granular application by, for instance, denying access to certain resources if the otherwise authorized user has no security clearance for the resource.

DISCRIMINATE –there are several ways one can discriminate between authorized and unauthorized access attempts, the simplest being a password; smart cards, biometrics, and security tokens are other examples, all of which should result in the access attempt being classified as either authorized or unauthorized.

DETECT — some means to detect unauthorized access attempts must be in place. In a Windows environment, one could activate auditing at both account level and resource level. Intrusion detection systems, both network and host based are designed for this purpose.

DESTROY — when unauthorized access attempts are detected, rules must be activated that effectively disrupt the attempt before the resources are compromised. This could be accomplished by dropping the connection, blacklisting the IP, etc.


October 17, 2008  1:26 AM

Beware of E-Mail Scam Targeting Microsoft Customers

Ken Harthun Ken Harthun Profile: Ken Harthun

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.


October 8, 2008  12:26 AM

TCP Vulnerable To Low-bandwidth DoS Attack

Ken Harthun Ken Harthun Profile: Ken Harthun

There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).

Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.


October 2, 2008  8:12 PM

Beware Google AdWords Phishing Attack

Ken Harthun Ken Harthun Profile: Ken Harthun

Criminals are targeting Google AdWords customers with phony emails requesting the victim download a 128-bit SSL certificate. A client received this version (there are quite a few variations):

From: Google Adwords account [mailto:adwordsupdate@google.com]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert

Attention GOOGLE ADWORDS Customers!

For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate

Read more>>

Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.

2008 Google Adwords, Developing new services.

Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:

hxxp://adwords.google.select.starter.signup.privatelogin.6uwwcgx2pxuijw4.siteminderagent.privatelogin.mekefri.com/login.htm?/cfmasternbank/memberverify/OSL.htm?LOB=2418214764&refer=wWCgX2PxUijw4nP

Of course, the actual domain the person arrives at isn’t google.com, but, in this case, mekefri.com.

A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords


September 28, 2008  4:39 PM

Clickjacking: The Latest Criminal Tactic

Ken Harthun Ken Harthun Profile: Ken Harthun

According to US-CERT‘s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:

Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

A ZDNet blog posting, Firefox + NoScript vs Clickjacking, The Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]

Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”

For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to insure maximum protection against this and other security risks.

I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.


September 24, 2008  1:12 AM

Software for Secure Computing: Trend Micro’s RUBotted

Ken Harthun Ken Harthun Profile: Ken Harthun

I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.

The tool runs on Windows 2000, Windows XP Home and Professional, Windows 2003 Server, and Windows Vista (32-bit only), providing the latest service packs are installed. There’s one caveat, however:  Trend says, “RUBotted cannot protect computers running Panda Internet Security 2008.”

I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.


September 21, 2008  5:10 PM

Beware of the Fake Video Codec Malware Trick

Ken Harthun Ken Harthun Profile: Ken Harthun

A variant of Win32/Zlob is being spread by cybercriminals via the fake video codec trick. Through misdirection or outright deception (including social engineering), users are sent to a site that has what appears to be embedded video. When they arrive at the page, there’s a message in the viewer similar to the one shown at “The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.” If the user falls for the trick, Zlob trojan is downloaded and installed.

The variant, posing as “MediaTubeCodec.1.220.2.exe”–a name that should arouse suspicion in savvy users, but probably looks “official” to the unenlightened–was recently analyzed by Microsoft (see “Another Reason to Avoid Piracy” in their Microsoft Malware Protection Center blog). Microsoft updated its detection signatures to detect this variant as TrojanDownloader:Win32/Zlob.gen!CD. If diagnostics on a user’s PC (netstat, for example) reveal connections to any of the following, assume infection and take appropriate action:

  • hxxp://64.247.39.247
  • hxxp://second-reason.com
  • hxxp://viacodecright2.com

According to the blog, “Only the first two are responding at the time of writing—both appear to be running nginx [pronounced "engine X"] (a lightweight web/mail server), one server is hosted in the USA and the other in China. So please folks—avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.”


September 21, 2008  2:06 PM

On the Lighter Side of Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Security’s a serious subject sometimes causing us to get a bit too deep in concern over the potential and real threats we face. So, today I’m going to lighten it up with a bit of humor. In the sixties and seventies, it was common to see this sign posted in mainframe computer rooms:

ACHTUNG!

Alle touristen und non-technischen lookenpeepers! Das machine is nicht fur fingerpoken und mittengrabben. Is easy schnappen der springenwerk, blowenfusen und poppencorken mit spitzen sparken. Das machine is diggen by experten only. Is nicht fur gerwerken by das dummkopfen. Das rubbernecken sightseeren keepen das cottenpicken hands in das pockets. Relaxen und watchen das blinkenlights.

I was amused to find that there’s now an Internet version:

Das Internet is nicht fuer gefingerclickend und giffengrabben. Ist easy droppenpacket der Routers und overloaden der Backbone mit der spammen und der me-tooen. Ist nicht fuer gewerken bei die Dummkopfen. Die mausklicken Sightseeren keepen das Bandwidth-spewen Hands in die Pockets muss; relaxen und watchen das cursorblinken.

When I get a round tuit, I’m going to do a security version.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: