Networking

Mar 25 2009   1:49PM GMT

Worm Targets Home Networking Equipment

Posted by: Ken Harthun
Security, Firmware security, Security management, Routers, Vulnerabilities, Botnet

As reported yesterday in The Register, the “psyb0t” worm targets home routers and modems and may be the first piece of malware to do so. Researchers from DroneBL, a real-time tracker of abusable IPs, say that as of March 22 100,000 hosts had been infected.

Whether or not your equipment is vulnerable depends on three things:

Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.

Your device also has telnet, SSH or web-based interfaces available to the WAN, and

Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”

If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions:

1. Power cycle your router.
2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
3. Change the passwords to something unguessable (see this article).
4. Upgrade to the latest firmware.

Mar 10 2009   9:28PM GMT

Security Baseline for Small Businesses

Posted by: Ken Harthun
Security, Security management, Wireless security, Instrusion prevention

Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you, it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.

The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:

• Physical access to servers, backup, and network equipment is restricted and controlled.
• Backup power sufficient to allow for graceful shutdown of servers is in place.
• The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
• If wireless access is in use, security is applied, preferably WPA or WPA2 with AES encryption.
• File servers are protected by appropriate anti-malware applications.
• Mail servers are protected by anti-spam software or this is implemented at the gateway.
• Password policy requires strong passwords, frequent changes, and is enforced.
• Desktops use screen savers and they are password protected.
• Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
• Desktops have appropriate anti-malware applications installed.
• Company policy regarding appropriate use of the Internet is in place and enforced.
• Data is backed up and media is stored securely off-site.
• Encryption is implemented and in use for the storage of sensitive information.
• Procedure is in place for denying access to personnel upon termination of employment.

What do you think? Too much? Something left out?

Discussion welcome.

Feb 3 2009   3:19AM GMT

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?

Posted by: Ken Harthun
Virus, Anti-virus, Linux, Microsoft Windows, Networking, Security, Security management

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba fle-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.

Jan 31 2009   3:58PM GMT

Five Essential Steps to Secure Your Home PCs & Network

Posted by: Ken Harthun
Security, Secure Computing, Security management, Networking, Microsoft Windows, Routers, NAT

When we buy an appliance, we expect to be able to take it home, take a brief glance at the instructions for setting it up, plug it in and go. For most things, this expectation is fulfilled, even, unfortunately, for the home PC. In fact, once you get a few things plugged into the back of it all you have to do is turn it on and start surfing. When you first start a Windows PC, there’s a short setup routine that asks if you want to turn on Automatic Updates (recommended), but little else in the way of how to properly secure your PC and the network it’s plugged into.

PC makers should at least provide a short, animated tutorial or video that explains these five essential steps to securing a home PC and network:

1. Install a NAT router. Inexpensive, and easy to configure, a NAT (Network Address Translation) router is your first line of defense on the Internet. While the Windows firewall is on by default these days, if your PC is plugged directly into your broadband router, you’re visible to everyone on the ‘Net. The router takes this live Internet address and translates it to a private address that is invisible to anyone on the outside.

2. Change the router default password. All routers come pre-configured with a default login and password. These are well known and lists are posted on the Web. Here’s an example of one that’s searchable by router model: http://www.routerpasswords.com/. While an attacker normally can’t get to this from the outside, if you somehow get infected with remote control malware, an attacker can get to it from your computer. He can change the settings to send you virtually anywhere he wants you to go. Not good.

3. Install and/or update a security suite. Most PCs these days come bundled with either anti-virus or a full security suite like McAfee Internet Security, Norton Internet Security or the like. My favorite is ESET Smart Security; unfortunately, this isn’t one that you’ll see bundled with a new PC. Make sure the software is up to date and make sure it will update itself automatically.

4. Turn on Automatic Updates. You should have done this when you set up the computer, but if you haven’t, do it now by following these instructions.

5. Learn about and follow safe computing practices. All of the security devices and software in the world won’t help you if you click on pop-ups, open every email you get, click on random links, and generally practice unsafe surfing. Unfortunately, this is the one of the main reasons why the criminals continue to succeed. Take some time to learn how to be safe on the ‘Net by taking advantage of these free resources:

Nine Steps to System Security - 2008: http://tinyurl.com/6nt2jr
Home Network Security: http://www.us-cert.gov/reading_room/home-network-security/
Recognizing and avoiding email scams: http://www.us-cert.gov/reading_room/emailscams_0905.pdf
Protecting your privacy: http://www.us-cert.gov/cas/tips/ST04-013.html
Avoiding Social Engineering and Phishing Attacks: http://www.us-cert.gov/cas/tips/ST04-014.html

Good luck, and be careful out there.

Nov 14 2008   3:00AM GMT

WPA-TKIP Now Vulnerable to Attack

Posted by: Ken Harthun
Security management, Wireless, Security, WPA, Wireless security, Secure Computing

In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA“. However, TKIP–which is one of the protocols used under the WPA certification standard–is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s much to worry about–at least, not yet.

Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rinjdael) encryption.

Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.

While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following: 1. Switch your current WPA configuration to AES-CCMP if it’s supported; 2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;  3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.

Oct 8 2008   12:26AM GMT

TCP Vulnerable To Low-bandwidth DoS Attack

Posted by: Ken Harthun
Networking, Security, Vulnerabilities, Denial of Service

There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).

Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.

Aug 31 2008   9:44PM GMT

Software for Secure Computing: Personal Firewalls

Posted by: Ken Harthun
Firewalls, Security, Routers, NAT, Anti-virus, Anti-malware, Secure Computing

How to Secure Your Computer: Maxim #2 stressed the importance of using a NAT router to make your network “invisible” to criminal hackers and other Internet riffraff.  This is excellent protection against inbound malicious connections, but it does nothing to block outbound connections originated on the local network. The router won’t stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. This behavior is by design; if outbound connections were blocked, you’d never be able to browse the Web. The problem is that if you inadvertently get infected by a mistaken click or a cross-site scripting (XSS) vulnerability, you’re in trouble. You may not even know you’ve been infected–I’ve seen bot-infected machines running up-to-date antivirus software happily spewing spam emails by the thousands.

One of the most important pieces of software for secure computing is a properly configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall–it blocks inbound attacks only (see Is Microsoft’s Firewall Secure?) and has flaws of its own (see Windows Firewall flaw may hide open ports). While Vista’s firewall does offer outbound filtering, it isn’t much better (see Analysis: New Windows Vista Firewall Fails on Outbound Security for more information).

My favorite personal firewalls for secure computing are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version). I’m currently testing the ESET Smart Security suite and from what I’m seeing, this may be one to recommend to your non-savvy home users; it’s non-intrusive in automatic mode, allowing you to surf freely without those annoying do-you-really-want-to-do-this popups.

Jul 29 2008   10:47AM GMT

The Lazy Man’s Way to System Security

Posted by: Ken Harthun
Firewalls, Security, Routers, Malware, Anti-virus, Anti-malware

A good many people have responded to my various articles on system security. Most of the feedback has been positive, but many wondered if there might be a simpler approach, some basic things you can do to protect yourself without too much hard work.

You’re in luck. Call it the lazy man’s way to system security; if you install protection against the the three biggest threats to your on-line security–infections by viruses, worms and Trojans, malicious software (spyware, adware, browser hijackers) and crackers who wish to secretly access and control your PC–you’ll be protected from the worst of security problems. One caveat, however: if you go to questionable sites (you know the ones I mean!) and are in the habit of clicking on links in pop-ups and spam emails, you’re out of luck—nothing can help you because you’re inviting infection.

But, for those who generally try to avoid the bad stuff, these are the four bare security essentials: a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall. Simple, and highly effective for most users.

Before you ask, the answer is yes, you still need a software firewall, even if you already have a NAT router or hardware firewall. Most hardware firewalls are configured to keep bad traffic from getting in, but will let most traffic from your network out, so they don’t keep those sneaky tracking programs from phoning home. A software firewall will at least give you some warning when a program is trying to access the Internet and you can decide whether to allow it. Besides, it gives you an extra layer of protection, just in case.

I highly recommend you read and apply Nine Steps to System Security - 2008, but if you’re feeling a bit lazy today, the four essentials will get you by.

Jul 27 2008   4:09PM GMT

Nine Steps to System Security - 2008

Posted by: Ken Harthun
Firewalls, Security, Microsoft Windows, Routers, Browsers, Vulnerabilities, NAT, spam, Malware, Email security, Phishing, Anti-virus, Opinion, Rootkit, Anti-malware

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.

In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security - 2004″ , and “Eight Steps to System Security – 2005“, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.

Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.

Jul 25 2008   1:45AM GMT

Sure-fire Spam Zombie Killer

Posted by: Ken Harthun
Networking, Firewalls, Security, Routers, spam, email, Email security, Exchange

The other day, I got a call from one of my clients who said that their email was bouncing back from people they had always been able to send to. I investigated and found that the error message was to the effect of <hostname.domain #5.5.0 smtp;550 Blocked;Spam/Zombie address listed at spamhaus.org sbl-xbl>.

Well, that was odd, because the client is running a bona fide Exchange server and a check of the server revealed nothing wrong that I could see. Thinking that maybe an employee was infected with a mass-mailer trojan, I blocked all traffic on smtp port 25 from all addresses on the network except the Exchange server.

Running the netstat -an command on my client’s PC revealed 88 connections, all trying to send mail out on port 25, which the firewall was now blocking.

Certainly, you don’t want to get infected by a mass-mailer trojan, but blocking outbound traffic on port 25 from your network is a sure-fire spam zombie killer and will prevent your IP address from getting blacklisted if someone does get infected.Of course, you’ll want to clean up that infection as quickly as possible.