Security Corner


September 21, 2008  2:06 PM

On the Lighter Side of Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Security’s a serious subject sometimes causing us to get a bit too deep in concern over the potential and real threats we face. So, today I’m going to lighten it up with a bit of humor. In the sixties and seventies, it was common to see this sign posted in mainframe computer rooms:

ACHTUNG!

Alle touristen und non-technischen lookenpeepers! Das machine is nicht fur fingerpoken und mittengrabben. Is easy schnappen der springenwerk, blowenfusen und poppencorken mit spitzen sparken. Das machine is diggen by experten only. Is nicht fur gerwerken by das dummkopfen. Das rubbernecken sightseeren keepen das cottenpicken hands in das pockets. Relaxen und watchen das blinkenlights.

I was amused to find that there’s now an Internet version:

Das Internet is nicht fuer gefingerclickend und giffengrabben. Ist easy droppenpacket der Routers und overloaden der Backbone mit der spammen und der me-tooen. Ist nicht fuer gewerken bei die Dummkopfen. Die mausklicken Sightseeren keepen das Bandwidth-spewen Hands in die Pockets muss; relaxen und watchen das cursorblinken.

When I get a round tuit, I’m going to do a security version.

September 19, 2008  1:30 AM

Antivirus XP 2008/2009 Malware Up the Ante

Ken Harthun Ken Harthun Profile: Ken Harthun

According to US-CERT, the cybercriminals who are foisting fake antivirus programs, such as Antivirus XP 2008 and 2009 off on innocent users, are now doing more than just ripping people off for the purchase price of their worthless programs–they’re going after personal and financial information. “If the user purchases the bogus software, the attacker may be able to obtain personal and credit card information for use in additional scams and fraudulent activity,” US-CERT reports. Their site has some recommendations on preventive measures to take.

US-CERT encourages users to perform the following preventative measures to help mitigate the risks:

  • Install legitimate antivirus software from a trusted vendor, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links found in email messages or instant messages.
  • Use caution when visiting untrusted websites.
  • Do not install untrusted software.

My bootable linux thumb drive virus scanner will remove this infection, but the best thing is not to get infected in first place.

Be careful out there.


September 15, 2008  3:42 AM

Top Five Security Information Resources

Ken Harthun Ken Harthun Profile: Ken Harthun

When I discuss security with people who aren’t security-focused, they often ask where I get my information. I usually generalize, telling them I subscribe to several security newsletters and check the web frequently. I do that to avoid a long-winded discussion of the whys and wherefores of my sources, not to hide them. This post will serve as a good reference for those who are truly interested in learning more about security in general and security issues in particular. So, I present my top five security information resources:

  1. Security Now! podcast produced by Leo Laporte of Twit.tv with Steve Gibson of GRC.com. The longest running security podcast on ‘Net with Episode 161 just released. Thousands of individuals, sys admins, and other security-minded professionals–many of whom have been listening to the podcast since Episode 1– rely on Steve’s unique insight into security issues.
  2. SANS Institute. As their site asserts, and I concur, “SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – Internet Storm Center.”
  3. Dark Reading.com. In-depth security news, analysis, opinion, and product reviews.
  4. The Register–Security. Lots of IT news with an edge. Check it out and you’ll see.
  5. Secunia.com. If not the leading vulnerability intelligence provider and distributor in the world, they’re very close. Their advisories are top notch; their software advisor is a must-use tool.

What sources do you rely on? Comments welcome.


September 13, 2008  6:32 PM

Software for Secure Computing: Microsoft Malicious Software Removal Tool

Ken Harthun Ken Harthun Profile: Ken Harthun

It’s funny how sometimes we take for granted things like Microsoft’s Malicious Software Removal Tool (MSRT). That’s probably because it doesn’t do much to make its presence known. Every month, Microsoft offers MSRT (890830) through automatic updates and on the Windows Update site. Once installed, the tool runs in the background and quietly does its job.  Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.

System administrators and security researchers benefit from the reporting component that MSRT uses to send malware data to Microsoft. The Microsoft Malware Protection Center Threat Research & Response Blog regularly provides reports on the state of security and is an excellent resource for Internet security issues. “Cleaning Over 10 Million IRC Bots,” posted on September 8, 2008, for example, has a graph that clearly shows a general downward trend in IRC bots activity.

No doubt about it: MSRT and the related websites are powerful additions to anyone’s secure computing toolkit.


September 12, 2008  2:22 AM

Bootable Thumb Drive Virus Scanner Saves the Day

Ken Harthun Ken Harthun Profile: Ken Harthun

Forgive me if I brag a bit in this post, but I think I earned the right. You be the judge.

Last weekend, I noticed strange behavior on my home system. ESET Smart Security kept reporting that it had “found and quarantined m.exe, probably a variant of Win.Qhost trojan.” Every time I plugged in a USB thumb drive, ESET would pop up with the message. I couldn’t run HijackThis. If I tried to go to certain antivirus websites–Avira in particular–my browser closed. Sysinternals Process Explorer wouldn’t run. My thumb drive showed two hidden files: Autorun.inf and m.exe. Hmmm. Running ipconfig /displaydns revealed multiple connections to porn and malware sites. Searching Google led me to some tools that eventually fixed my problem at home. Turns out I had a bigger problem.

Apparently, I had picked up the infection from a client’s Exchange server and during my weekly tour there, I found that the tools I used on my XP machine wouldn’t run on Windows Server 2003.  I tried everything in my arsenal; no tool found anything wrong. This thing was very stealthy; even Safe Mode didn’t disable it. I was about to give up. Then I remembered that I’d recently finished making up a bootable Linux thumb drive virus scanner using the AntiVir rescue CD, a tool that allows offline scanning (thank you, Avira, you made it a little easier for me). I booted the server to the thumb drive, ran the scan, rebooted the server, and voila! The infection was gone.

There’s a whole backstory to this incident that I won’t bore you with. Suffice it to say that I’m glad I put in the hours of hacking and research to come up with a really useful tool that I was able to use to help a client. Veni! Vidi! Vici!


August 31, 2008  9:44 PM

Software for Secure Computing: Personal Firewalls

Ken Harthun Ken Harthun Profile: Ken Harthun

How to Secure Your Computer: Maxim #2 stressed the importance of using a NAT router to make your network “invisible” to criminal hackers and other Internet riffraff.  This is excellent protection against inbound malicious connections, but it does nothing to block outbound connections originated on the local network. The router won’t stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. This behavior is by design; if outbound connections were blocked, you’d never be able to browse the Web. The problem is that if you inadvertently get infected by a mistaken click or a cross-site scripting (XSS) vulnerability, you’re in trouble. You may not even know you’ve been infected–I’ve seen bot-infected machines running up-to-date antivirus software happily spewing spam emails by the thousands.

One of the most important pieces of software for secure computing is a properly configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall–it blocks inbound attacks only (see Is Microsoft’s Firewall Secure?) and has flaws of its own (see Windows Firewall flaw may hide open ports). While Vista’s firewall does offer outbound filtering, it isn’t much better (see Analysis: New Windows Vista Firewall Fails on Outbound Security for more information).

My favorite personal firewalls for secure computing are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version). I’m currently testing the ESET Smart Security suite and from what I’m seeing, this may be one to recommend to your non-savvy home users; it’s non-intrusive in automatic mode, allowing you to surf freely without those annoying do-you-really-want-to-do-this popups.


August 31, 2008  4:30 PM

CERT Says Linux is Under Attack

Ken Harthun Ken Harthun Profile: Ken Harthun

It had to happen sooner or later; as Linux gains an ever-increasing foothold (Linux market share to reach 7% in 2008 ) in the market, it will become a viable target for criminal hackers. According to the U.S. Computer Emergency Readiness Team (CERT) in US-CERT Current Activity, attacks are already underway:

US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed.

Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

For now, the attack is easily detected (though variants of the rootkit will likely change its behavior): The attack creates a directory “/etc/khubd.p2/” that is hidden from “ls,” but it can be entered with “cd /etc/khubd.p2″. Any directory named “khubd.p2,” regardless of its location, is hidden from “ls” but can be entered using “cd.” Additionally, “/dev/shm/” may contain files from the attack, so anything unusual in there is suspect. You can also try searching for hidden processes and checking the reference count in “/etc” against the number of directories shown by “ls”.

Check out the full article, “SSH Key-based Attacks” for complete details on risk mitigation and compromise response.


August 27, 2008  2:40 AM

Worm Infects International Space Station Laptops

Ken Harthun Ken Harthun Profile: Ken Harthun

Houston, we have malware. (Sorry, I had to do that.)

Apollo 13 had real live mechanical malfunctions that could have resulted in the mission earning a place in our space program’s disaster timeline between Apollo 1 in 1967 and the Challenger disaster in 1986. Fortunately, that didn’t happen–Apollo 13 went down in history as a close call. Unfortunately, physical problems with the heat shield tiles resulted in the Columbia disaster in 2003. Now, the space program faces another threat–this time, a non-physical one–in the form of malware invading laptops aboard the International Space Station (ISS).

In the article, “Houston, we have a virus” in The Register, “The infected machines were not considered mission critical, meaning they weren’t responsible for command and control. The NASA spokesman was unable to say if the infected laptops were connected to mission-critical systems.”

What if there are?

Security is not optional–it’s mandatory. Especially when lives are at stake.


August 23, 2008  2:39 AM

Oscarbot.UG Eludes Detection with Intelligent Stealth

Ken Harthun Ken Harthun Profile: Ken Harthun

According to Panda Security, the Oscarbot.UG virus, first detected on August 17, 2008, uses intelligent stealth techniques to avoid detection.  “It deletes the original file from which it was run once it is installed on the computer. It uses several methods in order to avoid detection by antivirus companies [one of them being that it] terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMWare or VirtualPC.”

As reported by Help Net Security, the worm “stops running if it finds that it is being tried on virtual machines such as vmware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands).

The good news is that anyone running a virtual environment is safe from infection: The worm won’t run and when you shut down the virtual machine, it’s gone. The bad news is that malware using this type of intelligent stealth is on the rise, raising the bar for anti-malware researchers.

At what point do we switch from a reactive anti-malware approach (blacklisting) to a pro-active one (whitelisting)? The day is fast approaching (it may already be here) when the programs designed to protect us become so huge and so invasive that they prevent us from getting any useful work done.

The best way to combat malware would be to take the profit out of spam, phishing scams, and other cyber-fraud crimes.

I don’t have the answer for that one.


August 21, 2008  1:50 AM

Software for Secure Computing: Keep Your Software up to Date

Ken Harthun Ken Harthun Profile: Ken Harthun

Though you probably don’t think of it as software, Microsoft Windows Update is a web-based application that’s a vital part of your secure computing initiative. As recently as last month, I had to clean up a system that had been severely infected with malware. One of the steps in my cleanup process was to check the service pack; turns out this user was still on service pack 1a because automatic updates had been turned off. (While some argue against it, I recommend that all home users turn them on; in a corporate environment, the IT department usually manages things.) If you’re still running XP, go ahead and install service pack 3.

That takes care of Windows, but what about security updates and patches for all of the other software on your system? Windows isn’t the only security risk — every application you run has potential issues. You need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system to discover commonly installed applications that need updates. It first looks for missing Microsoft updates then checks other software such as Apple QuickTime, iTunes, Adobe Flash Player, and Sun Java. My most recent online scan took less than three minutes and found 9 of 15 applications had missing updates. Needless to say, I patched them all.

Worth repeating: Keeping your system patched is a vital part of your secure computing initiative.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: