Security Corner:

Networking

May 11 2008   1:13PM GMT

Windows XP SP3 Offers Enhanced Reliability and Security, But Not IE7



Posted by: Ken Harthun
Security, Cryptography, Microsoft Windows, Browser, Networking, Opinion

The long-awaited Windows XP Service Pack 3 became available as an Express Update on Windows Update on May 6, 2008. It offers enhanced reliability and security through a few new features: a Network Access Protection (NAP) client, designed to work with Windows Server 2008; a product-key-less install option; a kernel-mode cryptographic module; and “black hole” router detection, which recovers from routers that silently drop packets that are too large for a link.

One puzzling thing, however, is that SP3 doesn’t include the more secure IE7; it ships with a fully patched IE6 instead. As I found out, having applied SP3 to my systems, all of which are running IE7, this isn’t a problem: systems won’t be rolled back to IE6. Here’s an excerpt from the IE Blog:

XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact.

If you are currently running IE7 on XPSP2, Windows Update will offer you XPSP3 as a high priority update. If you choose to install XPSP3, Internet Explorer 7 will remain on your system after the install is complete.

If you’re still running IE6, you really should upgrade to IE7. Along with SP3, that will make your XP system as secure as it can be at this time.

Apr 15 2008   1:45PM GMT

Tighten Security With Your Hosts File



Posted by: Ken Harthun
Security, Microsoft Windows, Browser, Networking

Using a HOSTS file to block access to malicious or unwanted web sites is an old trick, and it’s excellent protection against malware: any name listed in the file is resolved locally, to a loopback or unroutable address such as 127.0.0.1, before DNS is ever consulted, so the browser never reaches the site at all. I’ve been using the mvps.org hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine, though only a layer: it covers the names on the list and nothing else, so malware that connects straight to an IP address or uses a domain the list doesn’t know is unaffected, and you still need your patches and your firewall. You’ll also notice that many of those annoying ads no longer display in your browser.

Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the mvps.org site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the mvps.org site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.
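Because the HOSTS file is trusted ahead of DNS, a list you download is worth vetting before you install it: a tampered list can redirect a name to a look-alike host just as easily as it can block one. Here is an added example, written for this page and not FaltronSoft’s or mvps.org’s code, in Python. It accepts only blackhole entries, rejects lines that would redirect a name to a routable address or that are malformed, and refuses to block names the machine needs; the sample list and the PROTECTED set are constructed for the demonstration.

```python
"""Vet a downloaded HOSTS-format blocklist before installing it.

Only "blackhole" entries (a name mapped to an unroutable or loopback
address) are accepted. Redirects, malformed lines and entries that would
block names the machine needs are rejected for review.
The sample list and PROTECTED set are constructed for this example.
"""
import ipaddress
import re

# Addresses that make a name unreachable. Anything else is a redirect.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that must never be blocked (assumed; tailor to your environment).
PROTECTED = {"windowsupdate.microsoft.com", "update.microsoft.com"}

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input; not the real mvps.org list.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1  localhost
0.0.0.0  ads.example.net        # a normal blocking entry
0.0.0.0  tracker.example.org  stats.example.org
192.0.2.10  www.bank.example    # redirect to a look-alike: pharming
0.0.0.0  bad..name.example      # malformed hostname
0.0.0.0  windowsupdate.microsoft.com
0.0.0.0                         # no hostname at all
"""


def valid_hostname(name: str) -> bool:
    """True if every label of the name is syntactically valid."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def check_hosts(text: str):
    """Split a HOSTS file into (accepted, rejected) entries.

    accepted: list of (address, [names]) that are safe to install.
    rejected: list of (line number, line, reason) to review by hand.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            rejected.append((lineno, raw, "missing hostname"))
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((lineno, raw, f"bad address {addr!r}"))
            continue
        if str(ip) not in BLACKHOLE:
            rejected.append((lineno, raw, f"redirects to routable address {ip}"))
            continue
        bad = [n for n in names if not valid_hostname(n)]
        if bad:
            rejected.append((lineno, raw, f"malformed hostname {bad[0]!r}"))
            continue
        protected = [n for n in names if n.lower().rstrip(".") in PROTECTED]
        if protected:
            rejected.append((lineno, raw, f"would block protected name {protected[0]!r}"))
            continue
        accepted.append((str(ip), names))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_hosts(SAMPLE_HOSTS)
    print(f"{len(ok)} entries accepted, {len(bad)} rejected")
    for lineno, raw, reason in bad:
        print(f"  line {lineno}: {reason}: {raw.strip()}")
```

Run the checker over a freshly downloaded file and install it only when the rejected list is empty. Keep in mind that the read-only attribute the updater sets stops accidental edits, not malware running with administrator rights, so vetting the contents matters more than the attribute.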


Apr 9 2008   9:11PM GMT

How to Prevent DNS Rebinding Attacks



Posted by: Ken Harthun
Security, Browser, Firewalls, Passwords, Networking, Routers

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive, has shown a video of the attack in action at the RSA 2008 Conference. In a rebinding attack, the hostname of a malicious web page first resolves to the attacker’s server and is then, thanks to a very short TTL, switched to an address inside your network; because the browser still treats it as the same origin, script on the page can talk to devices on your LAN, such as your router’s administration page, and log in with the default credentials. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.
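The filter Ulevitch describes is straightforward to express. The following is an added example, written for this page and not OpenDNS code, in Python: a function that takes a name and its A/AAAA answers and drops any answer that falls inside private, loopback or link-local space unless the name belongs to a zone you serve yourself. The INTERNAL_ZONES allowlist and the sample answers are constructed assumptions.

```python
"""Drop DNS answers that point an outside name at an inside address.

A response for a name outside your own zones whose answer resolves to a
host inside your network is blocked. Added example, not OpenDNS code;
INTERNAL_ZONES and SAMPLE_ANSWERS are assumptions for this demonstration.
"""
import ipaddress

# Ranges a public name should never resolve to: RFC 1918, loopback,
# link-local, CGNAT, "this network", and their IPv6 counterparts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones you serve yourself (assumed) that may legitimately hand out
# private addresses, e.g. split-horizon DNS for a corporate domain.
INTERNAL_ZONES = ("corp.example",)


def normalize(addr: str):
    """Parse an address literal, unwrapping IPv4-mapped IPv6 forms.

    ::ffff:192.168.1.1 is the same host as 192.168.1.1; a filter that
    only inspects IPv4 literals would let it through.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_internal(addr: str) -> bool:
    ip = normalize(addr)
    return any(ip in net for net in INTERNAL_NETS)


def in_internal_zone(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


def filter_response(name: str, answers):
    """Return (kept, dropped) for the A/AAAA answers of one query.

    Names in your own zones pass untouched. For every other name, any
    answer inside INTERNAL_NETS is dropped, so a rebinding page cannot
    turn its own hostname into a pointer at your router or your PC.
    """
    if in_internal_zone(name):
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    dropped = [a for a in answers if is_internal(a)]
    return kept, dropped


# Constructed sequence of answers an attacker's resolver might return
# for one name: first its own server, then (after the short TTL expires)
# the victim's router, then the same router disguised as mapped IPv6.
SAMPLE_ANSWERS = [
    ("evil.example", ["203.0.113.5"]),
    ("evil.example", ["192.168.1.1"]),
    ("evil.example", ["::ffff:192.168.1.1", "203.0.113.5"]),
    ("intranet.corp.example", ["10.1.2.3"]),
]

if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS:
        kept, dropped = filter_response(name, answers)
        print(f"{name:24} kept={kept} dropped={dropped}")
```

Two caveats: the filter only protects clients that actually send their queries through it, and it does nothing about rebinding to a public address the client can reach, which the web server or device on the other end has to catch by checking the Host header. Changing the default router password still matters because it is the control that works no matter which resolver a client uses.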


Apr 4 2008   8:13PM GMT

Are You a Security “No” Man or a Security “Yes” Man?



Posted by: Ken Harthun
Security, Opinion, Security management, Networking

We security wonks always seem to be put into a position of having to say “no.” That makes us unpopular with the I’m-not-hurting-anything crowd who insist on checking their webmail, IMing their friends, and running assorted and sundry downloaded and web-based applications (but only on their time, of course). Maybe they’re right on some level; many of those things are benign and don’t represent security threats. But there are also potentially dangerous applications such as peer-to-peer (P2P) file sharing that can expose your network to hackers via an open P2P connection (See P2P Leads to Major Leak at Citigroup Unit and Pfizer Falls Victim to P2P Hack).  What’s one to do?

Start saying “Yes.” You read that right. Look at it from the user’s standpoint: A blanket prohibition against anything and everything usually foments rebellion on the part of some and they’ll do whatever they want to do with wild abandon. Your network is less secure as a result. But, if you develop policies that allow webmail, online shopping, and IM instead of blocking them at the gateway, while prohibiting the potentially dangerous stuff, you just might find the users starting to ask you if it’s OK to do certain things.

And they just might listen to you if you say “No.”


Mar 25 2008   6:58PM GMT

Wireless Headset Security Nightmare



Posted by: Ken Harthun
Social Engineering, Wireless, Security

[Image: wireless headset]

Being a Ham Radio operator, I’ve always understood the risk inherent in using radio signals to transmit sensitive information: anyone with the right equipment can receive and record anything transmitted over the air. These days, I’m noticing a lot of people in various offices walking around with these cute wireless headsets hooked up to their office phones.

Ever wondered what kind of security risk these things might pose to your company? Yeah, me too. So did the folks at Secure Network Technologies, as evidenced by their article “Hacking Wireless Headsets,” which appeared Jan. 22, 2008 at DarkReading.com, a site that provides in-depth security news and analysis. Here’s an excerpt:

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900-928 MHz and the 1.2 GHz ranges, which is where many of the popular hands-free headsets operate.

We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client’s employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.

See the nightmare coming? With the right information you can then use social engineering techniques to get your tentacles very deep into the company. And that’s exactly what they did:

Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.

In all, they spent three days “working” in the company, gaining access to all sorts of information, technology, and resources. Not only that, but they also discovered that the headsets acted as bugging devices; even when disconnected, the headsets continued to transmit. The impersonators were able to listen in on conversations carried on by the wearers.

Be afraid. Be very afraid ;-) Seriously, read the article and if your office uses these things, do your own tests to find out where you’re leaking. Then, plug the leaks.


Feb 24 2008   1:07AM GMT

Can a Criminal Hacker Guess Your Password?



Posted by: Ken Harthun
Networking, Security, Passwords, Security maxim

In my last post, I stressed the importance of changing the default usernames and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password. Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined attacker could guess it without much effort.

I have two clients, both of which generate some serious confidential data, who set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement password policies!) I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.

According to Wikipedia, there are several things many people use as passwords that make them predictable:

Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:

  • blank (none)
  • the words “password”, “passcode” and “admin” and their derivatives
  • the user’s name or login name
  • the name of their significant other or another relative
  • their birthplace or date of birth
  • a pet’s name
  • automobile license plate number
  • a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
  • a row of letters from a standard keyboard layout (e.g., on the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)

So, if you want to protect your router and the other devices on your network, never use anything from the above list, and apply Security Maxim #4: Always use an unguessable, or at least difficult-to-guess, password.
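To see how small that list really makes the search, here is an added example, written for this page and not taken from the post or from Wikipedia, in Python. It builds the guesses those patterns generate from a few facts about a user, applies the “simple modification” bullet (digit, year or symbol suffix, reversal), and reports which base word a given password is derived from. The PROFILE record and the suffix and year lists are constructed assumptions.

```python
"""Check a candidate password against the predictable patterns above.

An attacker who has done a little small talk knows the facts in PROFILE.
This check builds the guesses those facts produce, applies simple
modifications, and reports the base word a password is derived from.
PROFILE, SUFFIXES and YEARS are constructed assumptions for this example.
"""
import datetime

COMMON_WORDS = ("password", "passcode", "admin", "changeme", "letmein", "welcome")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SUFFIXES = [str(d) for d in range(10)] + ["123", "!", "1!", "#"]
YEARS = [str(y) for y in range(1990, datetime.date.today().year + 1)]

# Constructed profile of a hypothetical user.
PROFILE = {
    "name": "Dave Smith",
    "login": "dsmith",
    "partner": "Carol",
    "pet": "Fluffy",
    "birthplace": "Dayton",
    "plate": "ABC 1234",
    "dob": datetime.date(1975, 3, 14),
}


def base_words(profile):
    """Every starting point an attacker would try, in lowercase."""
    words = set(COMMON_WORDS)
    for key in ("name", "login", "partner", "relative", "pet", "birthplace", "plate"):
        value = profile.get(key)
        if value:
            words.add(value.lower().replace(" ", ""))
            words.update(part.lower() for part in value.split() if len(part) > 2)
    dob = profile.get("dob")
    if dob:
        words.update(dob.strftime(f) for f in
                     ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y"))
    for row in KEYBOARD_ROWS:            # qwerty, asdf, qwertyuiop, ...
        words.update(row[i:j] for i in range(len(row))
                     for j in range(i + 4, len(row) + 1))
    return words


def variants(word):
    """The 'simple modification' bullet: as-is, reversed, with a suffix."""
    yield word
    yield word[::-1]
    for s in SUFFIXES:
        yield word + s
    for sep in ("", ".", "_"):           # catches "password.2008"
        for y in YEARS:
            yield word + sep + y


def guessable_as(password, profile):
    """Return the base word the password is derived from, or None."""
    if password == "":
        return "<blank>"
    if set(password) <= {"*"}:           # literally typing the masking character
        return "<asterisks>"
    p = password.lower()
    for word in sorted(base_words(profile)):
        if any(p == v for v in variants(word)):
            return word
    return None


if __name__ == "__main__":
    for pw in ("", "********", "password.2008", "Fluffy1", "drowssap",
               "asdfgh", "03141975", "ABC1234", "Tr0ub4dor&3"):
        print(f"{pw!r:16} -> {guessable_as(pw, PROFILE)}")
```

The point is the size of the search space: roughly a hundred base words times a hundred or so simple modifications is about ten thousand guesses, which a script exhausts in well under a second and a patient person can work through by hand. A password that survives this check is not necessarily strong, but one that fails it should never be accepted.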

Next time: How you can do everything right and still be vulnerable to attack.

Cheers!
The Geek


Feb 20 2008   9:12PM GMT

Omit This Setup Step and Your Router Can Be Easily Compromised



Posted by: Ken Harthun
Security, Networking, Routers, NAT, Security maxim

Last time, I stressed having a NAT router (or router/firewall) between your PC and the Internet as a first line of defense. This is without question the first and most important security step, but it is useless unless the router is properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.

All routers come with a default username and password, often as simple as admin/admin (when I’m faced with a router I haven’t seen before, this is the first thing I try, and it often gets me in). Defaults are useful: if you ever forget your password, you can reset the router and take it back to square one. But they are also a serious security risk, because the defaults for every model are well known and published on the Web. Routers from three of the more widely used consumer brands, Linksys, D-Link, and Netgear, have recently been shown to be vulnerable to an attack launched from an ordinary web page with JavaScript. Go to the wrong site and, if you haven’t changed the default password, the page’s script logs in to your router’s administration interface with those defaults and changes its settings (typically the DNS servers it hands out) to send you to malicious websites. For example, you’ll think you’re looking at your bank’s login page, but it will be a fake look-alike that steals your account information as soon as you log in.

So, put this on your list as Security Maxim #3: Always change the default username and password of any configurable device you put on your home network.

Next time: You’ve changed your default router password; you still may be vulnerable.

Cheers!
The Geek


Feb 16 2008   8:02PM GMT

How Not to Invite Attackers into Your PCs or Network - the First Line of Defense



Posted by: Ken Harthun
Networking, Security, Firewalls, NAT, Security maxim

The other day, I gave you what I consider to be the most basic security maxim, one on which I base all of my security practices: The best security measures are completely useless if you invite attackers into your PCs or networks.

Windows users will remember that before Windows XP Service Pack 2 was released, simply plugging your computer into your cable or DSL modem was almost certain to result in its being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gilt-edged invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough: once malicious code is running on the PC with administrator rights, it can simply turn XP’s firewall off.

Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers scanning the ’Net or worms infecting it. The IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week. I certainly don’t want my PC’s software firewall subjected to this kind of thing; yet most people, not knowing any better, plug their computer directly into the broadband modem. Why do this when there is an inexpensive, simple, yet effective first line of defense available at any big-box electronics or office supply superstore: a router?

Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall: an unsolicited packet arriving from the Internet matches no entry in the router’s translation table, so it has nowhere to go and is simply dropped, which makes your PC virtually invisible to the ’Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:

[Illustration: A NAT router installed]

I must mention that, except for one simple configuration change that is absolutely essential, these devices work fine right out of the box. The average user can plug one in and not have to worry about a complicated setup process.

So, here’s Security Maxim #2: A first, important step in securing your PC is to install and configure a NAT router.

(Note: I first posted this maxim nearly a year ago at Ask the Geek, Too. The article was entitled How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks). Since then, many routers have added built-in firewalls, so they do double duty and are even more secure.)

Next time: the one, most overlooked configuration option that can render your router or firewall useless and make you even more vulnerable than you were without it.

Cheers!
The Geek

Your comments are welcome!