The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update, so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.
Why any individual PC user would put themselves at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.
You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.
How many times do you have to overwrite a hard drive in order to securely wipe it? This question has been at the center of an ongoing controversy for a long time. On the one hand, we’ve had Peter Gutmann saying it takes 35 passes (Gutmann, P. (1996) “Secure Deletion of Data from Magnetic and Solid-State Memory”); on the other hand, we’ve had the NIST saying one pass is enough (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). So, which is it, one, 35, or something in between?
NIST gets the prize: One pass is enough to delete data such that it cannot be recovered. A paper published in December last year, “Overwriting Hard Drive Data: The Great Wiping Controversy” by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S., as presented at ICISS2008 and published in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series, proves beyond doubt that data can’t be recovered from a wiped drive even if one uses an electron microscope. As Craig Wright puts it in a post on the SANS Computer Forensics blog:
Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible… The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.
That sure makes life easier for those of us who have to deal with secure deletion of sensitive data. I’ll use my copy of Darik’s Boot and Nuke (DBAN) with one pass from now on and get those retired hard drives wiped in no time.
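As an added illustration of the single-pass approach the post settles on (this is my example, not code from the post, from NIST or from DBAN), the script below overwrites a file’s contents with one pass of zeros, forces the data through the OS cache with fsync, and then reads the file back to confirm nothing of the original survived. The sample “secret” it wipes is constructed inline. Note the assumption baked in: overwriting a single file in place only means anything on a magnetic disk with an in-place filesystem; retired drives are wiped at the block-device level, which is what DBAN does.

```python
"""Single-pass overwrite of a file with read-back verification.

Added example, not the post's or DBAN's code. Assumptions: one pass of
zeros written in fixed-size chunks, then flush + fsync before verifying.
Only meaningful for files on a magnetic disk with an in-place filesystem;
whole-drive sanitisation targets the block device instead.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB write/read chunks


def single_pass_wipe(path: str, chunk: int = CHUNK) -> int:
    """Overwrite every byte of `path` with zeros in one pass; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:       # r+b: rewrite in place, same inode, same size
        fh.seek(0)
        while written < size:
            n = min(chunk, size - written)
            fh.write(b"\x00" * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())           # push the zeros through the OS cache to the device
    return written


def verify_wiped(path: str, chunk: int = CHUNK) -> bool:
    """Read the file back and confirm no non-zero byte remains."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def wipe_and_verify(path: str) -> bool:
    """One pass, then verification; also checks the file size did not change."""
    size_before = os.path.getsize(path)
    written = single_pass_wipe(path)
    return (written == size_before
            and os.path.getsize(path) == size_before
            and verify_wiped(path))


def demo() -> bool:
    """Constructed sample: a temp file holding a recognisable 'secret' string."""
    secret = b"ACCOUNT=4111-1111-1111-1111 " * 4096   # ~112 KiB of constructed data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        ok = wipe_and_verify(path)
        with open(path, "rb") as fh:
            survived = b"4111" in fh.read()          # the marker must be gone
        return ok and not survived
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("wipe verified" if demo() else "wipe FAILED")
```

The verification step is the part worth keeping in any wipe procedure: the argument in the post is about how many passes are needed, but whichever number you settle on, reading the media back afterwards is what turns “I ran the tool” into evidence.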
With cybercriminals now actively poisoning search results and legitimate websites–unbeknownst to the webmasters–you can’t be too careful when clicking on links. Take a look at this video library presented by Exploit Prevention Labs (XPL) CTO and Chief Researcher Roger Thompson and you’ll see why. The videos show a number of recent exploits. The bad thing about these exploits is that you never see them coming. From the XPL Threat Center:
Exploits deliver their malcode through driveby downloads that happen silently and can be delivered through any kind of site. Most site owners don’t know themselves when their site has been poisoned – it’s happened to every kind of site, from global businesses to individual MySpace pages.
That’s why you should be using XPL’s LinkScanner. This nifty utility integrates with the search engines to check for a variety of threats, so you’ll know whether a site is safe (or not) before you click the link. Take a look at the screenshot of my Google search on “warez.” The red X’s are the LinkScanner results: those sites are dangerous. The green checkmark on the Wikipedia entry indicates that it’s safe to surf.
LinkScanner allows you to check any link on demand by right-clicking on the link and selecting “Quick Scan with LinkScanner.” This is great for checking links in sites you’re surfing. You can also open a console and paste an address for scanning.
You may wonder how LinkScanner compares with McAfee’s SiteAdvisor. So did I. XPL gives an in-depth comparison on their LinkScanner vs SiteAdvisor page. Here’s an excerpt:
LinkScanner’s SearchShield technology actually does a live scan on Google, Yahoo and MSN search results and with no delay in search engine results delivery. This enables LinkScanner to definitively state whether the page behind any link is or is not safe at the only time that matters – the time you plan to visit it.
In contrast, SiteAdvisor “crawls” entire sites over a period of weeks and/or months and renders opinions about entire sites, which are then stored in a central database.
Download LinkScanner Lite for yourself and you just may find, as I did, that it’s an indispensable tool for secure computing.
We’re nearly two weeks into the New Year and how many of those resolutions we made during the glow of the holiday season (and maybe some martinis) have gone off with the Grim Reaper? We all make them and break them; it wouldn’t be the New Year without making resolutions, after all. Lose weight, quit smoking (or drinking), start exercising, all are fine resolutions, but how about making a couple security resolutions that will help keep you safe on the Wild, Wild, Web? Here’s a list that you can pick from. Choose one, two, or all of them and pledge to yourself that whichever of them you choose, you won’t break them.
- I will never view, open or click on an email attachment unless I know who sent it, why they sent it and what it is.
- I will never click on a link in an email without knowing exactly where it will take me.
- I will never send sensitive personal or financial information to anyone via email.
- I will download and study Recognizing and Avoiding Email Scams provided by US-CERT.
- I will also download and study Avoiding Social Engineering and Phishing Attacks.
- I will install security software on my computers and keep the software up to date.
- I will set up and begin using a backup plan to protect my data.
- I will use only WPA2 encryption on my wireless access point and a strong password.
- I will review all my passwords, change them regularly, and use strong passwords where sensitive information is at stake.
- I will keep up with security issues by reading Security Corner on a regular basis (shameless plug!)
Any one or more of these security resolutions will get you off to a good start in 2009. I recommend you adopt them all.
Happy New Year!
Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be perfectly legitimate.
The extremely paranoid can remove any root certificates that are not signed using SHA1 hashes, and CAs should immediately ditch MD5.
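The practical check behind that advice is to look at which hash algorithm a certificate’s signature uses. Below is an added example (mine, not from the researchers or from any CA tooling) that reads the outer signatureAlgorithm OID out of a DER-encoded X.509 certificate with the standard library only and flags MD5-based signatures. The certificates it parses are constructed shells with a placeholder TBSCertificate body and real PKCS#1 OIDs; the set of algorithms treated as weak contains only MD5, matching the post, and is an assumption you can extend.

```python
"""Flag certificates whose signature uses MD5, by reading the DER signatureAlgorithm.

Added example, not the post's code. Standard library only. The certificate
bytes built by build_fake_cert() are constructed stand-ins (placeholder
TBS body), not real certificates; the OIDs are the standard PKCS#1 values.
"""

# Signature-algorithm OIDs (PKCS#1, RFC 3279 / RFC 4055), dotted form.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}  # assumption: only MD5 flagged, as in the post


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]  # first octet packs the first two arcs
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on continuation octets
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                               signatureAlgorithm SEQUENCE { OID, params OPTIONAL },
                               signatureValue BIT STRING }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def is_weak_signature(cert_der: bytes) -> bool:
    """True when the certificate's signature hash is on the weak list (MD5 here)."""
    return signature_algorithm_oid(cert_der) in WEAK_SIG_ALGS


# --- constructed certificate shells for demonstration -------------------

def _der(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_fake_cert(sig_oid: str) -> bytes:
    """Constructed cert: placeholder TBS body (long-form length), real algorithm OID."""
    tbs = _der(0x30, b"\x00" * 200)                                  # not a real TBS
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 16)                         # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid, name in SIG_ALG_NAMES.items():
        print(f"{name:26s} {'WEAK' if is_weak_signature(build_fake_cert(oid)) else 'ok'}")
```

Run against a real certificate store, the same function answers the question the post raises for the paranoid: which trusted roots and intermediates carry an MD5 signature and should therefore be removed or distrusted.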
CastleCops, the largest and most effective volunteer security community on the Internet, has shut down operations. Their website has this announcement posted:
You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.
CastleCops, founded by Paul Laudanski in 2002, spent six years investigating malware and phishing scams, working closely with law enforcement and the Internet security community to take down malicious websites. Because of their effectiveness, CastleCops’ websites were often the target of DDoS attacks and other attempts by cybercriminals to discredit them.
The group also ran volunteer training programs and provided assistance in malware cleanup. Some of their most popular resources were the lists of Windows CLSIDs, Startup programs, toolbars and the like that helped people identify and remove malware. I’m glad to see that those resources continue to be maintained by former CastleCops volunteers at the SystemLookup.com website.
They’ll be missed.
Wishing you all the best for a safe and happy holiday season.
Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:
Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.
Exploit code has been published on the Internet, but Microsoft states that it’s not aware of any active exploits or customer impact at this time. One mitigating factor is that this vulnerability is not exposed anonymously–an attacker would need to authenticate in order to take advantage of the flaw, thus leaving evidence for investigators.
Microsoft has issued tested workarounds for the affected versions. While they don’t repair the underlying vulnerability, they effectively block the known attack vectors.
Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 188.8.131.52 does not include Phishing Protection.
Despite mixed reviews at its initial release, Firefox 3 is now stable and should be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.
If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.
Have a safe and happy holiday season, both on and off the web!
Microsoft issued today “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:
Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008
Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008
This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.
This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.
I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.