Security Corner

January 17, 2009  3:27 AM

Software for Secure Computing: Exploit Prevention Labs Link Scanner

Ken Harthun Ken Harthun Profile: Ken Harthun

With cybercriminals now actively poisoning search results and legitimate websites–unbeknownst to the webmasters–you can’t be too careful when clicking on links. Take a look at this video library presented by Exploit Prevention Labs (XPL) CTO and Chief Researcher Roger Thompson and you’ll see why. The videos show a number of recent exploits.  The bad thing about these exploits is that you never see them coming. From the XPL Threat Center:

Exploits deliver their malcode through driveby downloads that happen silently and can be delivered through any kind of site. Most site owners don’t know themselves when their site has been poisoned – it’s happened to every kind of site, from global businesses to individual MySpace pages.

That’s why you should be using XPL’s LinkScanner. This nifty utility integrates with the search engines to check for a variety of threats, so you’ll know whether a site is safe (or not) before you click the link. Take a look at the screenshot of my Google search on “warez.” The red X’s are the LinkScanner results: those sites are dangerous. The green checkmark on the Wikipedia entry indicates that it’s safe to surf.

LinkScanner allows you to check any link on demand by right-clicking on the link and selecting “Quick Scan with LinkScanner.” This is great for checking links in sites you’re surfing. You can also open a console and paste an address for scanning.

You may wonder how LinkScanner compares with McAfee’s SiteAdvisor. So did I. XPL gives an in-depth comparison on their LinkScanner vs SiteAdvisor page. Here’s an excerpt:

LinkScanner’s SearchShield technology actually does a live scan on Google, Yahoo and MSN search results and with no delay in search engine results delivery. This enables LinkScanner to definitively state whether the page behind any link is or is not safe at the only time that matters – the time you plan to visit it.

In contrast, SiteAdvisor “crawls” entire sites over a period of weeks and/or months and renders opinions about entire sites, which are then stored in a central database.

Download LinkScanner Lite it for yourself and you just may find, as I did, that it’s an indispensible tool for secure computing.

January 14, 2009  2:28 AM

Security Resolutions for 2009

Ken Harthun Ken Harthun Profile: Ken Harthun
New Year Resolutions Graphic

We’re nearly two weeks into the New Year and how many of those resolutions we made during the glow of the holiday season (and maybe some martinis) have gone off with the Grim Reaper? We all make them and break them; it wouldn’t be the New Year without making resolutions, after all. Lose weight, quit smoking (or drinking), start exercising, all are fine resolutions, but how about making a couple security resolutions that will help keep you safe on the Wild, Wild, Web? Here’s a list that you can pick from. Choose one, two, or all of them and pledge to yourself that whichever of them you choose, you won’t break them.

  • I will never view, open or click on an email attachment unless I know who sent it, why they sent it and what it is.
  • I will never click on a link in an email without knowing exactly where it will take me.
  • I will never send sensitive personal or financial information to anyone via email.
  • I will download and study Recognizing and Avoiding Email Scams provided by US-CERT.
  • I will also download and study Avoiding Social Engineering and Phishing Attacks.
  • I will install security software on my computers and keep the software up to date.
  • I will set up and begin using a backup plan to protect my data.
  • I will use only WPA2 encryption on my wireless access point and a strong password.
  • I will review all my passwords, change them regularly, and use strong passwords where sensitive information is at stake.
  • I will keep up with security issues by reading Security Corner on a regular basis (shameless plug!)

Any one or more of these security resolutions will get you off to a good start in 2009. I recommend you adopt them all.

Happy New Year!New Year Resolutions Graphic

January 7, 2009  3:35 AM

MD5 Hashing Algorithm No Longer Safe

Ken Harthun Ken Harthun Profile: Ken Harthun

Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. The phony certificates could be used to create phishing sites that would appear to browsers to be perfectly legitimate.

Steve Gibson focused on this issue in his latest Security Now! podcast (#177). On the resource notes for the episode, Steve gives a link to the actual certificate with instructions on how to view it.

The extremely paranoid can remove any certificates that don’t rely on SHA1 hashes to protect their certificates and CAs should immediate ditch MD5.

December 30, 2008  8:33 PM

CastleCops Shuts Down Operations

Ken Harthun Ken Harthun Profile: Ken Harthun

CastleCops, the largest and most effective volunteer security community on the Internet, has shut down operations. Their website has this announcement posted:

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

CastleCops, founded by Paul Laudanski in 2002, spent six years investigating malware and phishing scams, working closely with law enforcement and the Internet security community to take down malicious websites. Because of their effectiveness, CastleCops’ websites were often the target of DDoS attacks and other attempts by cybercriminals to discredit them.

The group also ran volunteer training programs and provided assistance in malware cleanup. Some of their most popular resources were the lists of Windows CLSIDs, Startup programs, toolbars and the like that helped people identify and remove malware. I’m glad to see that those resources continue to be maintained by former CastleCops volunteers at the website.

They’ll be missed.

December 24, 2008  5:04 PM

Merry Christmas!

Ken Harthun Ken Harthun Profile: Ken Harthun

Christmas Bells

Wishing you all the best for a safe and happy holiday season.

Ken Harthun

December 24, 2008  4:43 PM

Microsoft Releases Security Advisory (961040)

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Exploit code has been published on the Internet, but Microsoft states that it’s not aware of any active exploits or customer impact at this time. One mitigating factor is that this vulnerability is not exposed anonymously–an attacker would need to authenticate in order to take advantage of the flaw, thus leaving evidence for investigators.

Microsoft has issued tested workarounds for the affected versions. While they don’t repair the underlying vulnerablity, they effectively block the known attack vectors

December 21, 2008  11:19 PM

No More Security Updates for Firefox 2

Ken Harthun Ken Harthun Profile: Ken Harthun

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
Attack Site Blocked

So, if you’re still using any earlier version of Firefox. Upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!

December 16, 2008  9:21 PM

Microsoft Announces Out-of-band Patch for Zero-day Flaw

Ken Harthun Ken Harthun Profile: Ken Harthun

Microsoft issued today “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:

Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008

Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.

I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.

December 12, 2008  9:44 PM

Internet Explorer Targeted by Zero-day Attack

Ken Harthun Ken Harthun Profile: Ken Harthun

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 – HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products, immediately perform an update. Furthermore, Symantec recommends blocking the following hosts which are apparently being used by the exploit to download and install other malware:


In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

•By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

•Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.

December 9, 2008  2:33 AM

But Wait! Apple Says it’s Just Kidding About Antivirus

Ken Harthun Ken Harthun Profile: Ken Harthun

If you tried to click through to the link in my December 2d article, you probably saw this page:

Apple has taken down their notice recommending that users install multiple antivirus programs on their Mac computers. They said it was “because it was old and inaccurate.”

Could the real reason be that they can’t afford to compromise their expensive ad campaign?

SANS Editor Eugene Schultz says: “Apple needs to quit flipflopping re. whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple’s waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.”

C’mon, Apple. You’ve just lost a ton of credibility with this one.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: