Networking archives - Security Corner


Sep 8 2009   11:37PM GMT

Patch Tuesday – Microsoft Fixes Eight Security Flaws



Posted by: Ken Harthun
Patch Tuesday, Critical update, insecure, Microsoft Windows, Networking, Wireless security, Security, Patch management, Vulnerabilities, Remote Code Execution, Security bulletin

All five bulletins are rated Critical (between them they cover eight vulnerabilities), but not a single one of them affects Windows 7, scheduled for retail release on October 22.

The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:

MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure than previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."

We can only hope.

Sep 5 2009   3:03PM GMT

Good PC Security Begins With a Baseline



Posted by: Ken Harthun
Anti-malware, Anti-virus, Critical update, Microsoft Windows, Browsers, NAT, Routers, Security, Firewalls, Malware, Patch management

I received some good feedback on my “14 Golden Rules of Computer Security” list, in particular, this comment from Michael: “…you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.” This led to a review of past articles I’ve posted on the subject and my finding that though I’ve covered all of the bases, my writing is a bit fragmented. So, you can go back to “Nine Steps to System Security – 2008", “The Lazy Man’s Way to System Security”, and “14 Golden Rules of Computer Security” and put them all together for a complete PC security package, but that’s a lot for the average user to digest.

As of today, I’m embarking on a major pre-release revision of the eBook, 14 Golden Rules of Computer Security to make sure all of the bases are covered in a logical combination and sequence. In essence, the book will begin with the concept of a security baseline—the bare security essentials—for a normal home PC setup and will branch from there.

What’s a good PC security baseline? In “The Lazy Man’s Way to System Security,” I proposed these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” That was good enough at the time, but these days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”

There are many possibilities for implementing those four basic items and that will be well covered in the book.


Mar 25 2009   1:49PM GMT

Worm Targets Home Networking Equipment



Posted by: Ken Harthun
Security, Firmware security, Security management, Routers, Vulnerabilities, Botnet

As reported yesterday in The Register, the “psyb0t” worm targets home routers and modems and may be the first piece of malware to do so. Researchers from DroneBL, a real-time tracker of abusable IPs, say that as of March 22, 100,000 hosts had been infected.

Whether or not your equipment is vulnerable depends on three things:

  • Your device is a mipsel device (MIPS running in little-endian mode, which is what the worm is compiled for),
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”

If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions:

  1. Power cycle your router.
  2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
  3. Change the passwords to something unguessable (see this article).
  4. Upgrade to the latest firmware.
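Step 2 is the one most people cannot verify from their own desk, because the administration interface is supposed to answer from the LAN; the question is whether it also answers on the WAN side. Here is a small probe for that, an added example of mine rather than anything from the post or from DroneBL. Run it from a machine that is not behind the router, pointing it at the router's public address (192.0.2.1 below is a placeholder). The port numbers are the usual defaults for the services named above; if your firmware moves them, adjust the table.

```python
import socket
import sys

# Defaults for the services the write-up names; adjust if your firmware uses other ports (assumed).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unreachable all count as not exposed
        return False

def exposed_services(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Map port -> service name for every management port on host that accepts connections."""
    return {port: name for port, name in ports.items() if probe(host, port, timeout)}

def selftest():
    """Offline check of the probe: one live listener on loopback, one port with nothing behind it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    live_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    dead_port = spare.getsockname()[1]
    spare.close()                          # nothing listens on dead_port any more
    try:
        return exposed_services("127.0.0.1", {live_port: "fake-telnet", dead_port: "nothing"}, 1.0)
    finally:
        listener.close()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder for your router's WAN address
    hits = exposed_services(target)
    for port, name in sorted(hits.items()):
        print(f"{target}:{port} ({name}) answers on the WAN side; disable it or restrict it to the LAN")
    if not hits:
        print(f"{target}: none of {sorted(MANAGEMENT_PORTS)} reachable")
```

A port that answers is not necessarily the router's own daemon (it may be a port forward to something inside), and a port that does not answer says nothing about the third condition, weak credentials; only changing the password deals with that.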


Mar 10 2009   9:28PM GMT

Security Baseline for Small Businesses



Posted by: Ken Harthun
Security, Security management, Wireless security, Intrusion prevention

Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you; it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.

The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:

  • Physical access to servers, backup, and network equipment is restricted and controlled.
  • Backup power sufficient to allow for graceful shutdown of servers is in place.
  • The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
  • If wireless access is in use, security is applied, preferably WPA or WPA2 with AES encryption.
  • File servers are protected by appropriate anti-malware applications.
  • Mail servers are protected by anti-spam software or this is implemented at the gateway.
  • Password policy requires strong passwords, frequent changes, and is enforced.
  • Desktops use screen savers and they are password protected.
  • Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
  • Desktops have appropriate anti-malware applications installed.
  • Company policy regarding appropriate use of the Internet is in place and enforced.
  • Data is backed up and media is stored securely off-site.
  • Encryption is implemented and in use for the storage of sensitive information.
  • Procedure is in place for denying access to personnel upon termination of employment.

What do you think? Too much? Something left out?

Discussion welcome.


Feb 3 2009   3:19AM GMT

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?



Posted by: Ken Harthun
Virus, Anti-virus, Linux, Microsoft Windows, Networking, Security, Security management

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba file-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.


Jan 31 2009   3:58PM GMT

Five Essential Steps to Secure Your Home PCs & Network



Posted by: Ken Harthun
Security, Secure Computing, Security management, Networking, Microsoft Windows, Routers, NAT

When we buy an appliance, we expect to be able to take it home, take a brief glance at the instructions for setting it up, plug it in and go. For most things, this expectation is fulfilled, even, unfortunately, for the home PC. In fact, once you get a few things plugged into the back of it all you have to do is turn it on and start surfing. When you first start a Windows PC, there’s a short setup routine that asks if you want to turn on Automatic Updates (recommended), but little else in the way of how to properly secure your PC and the network it’s plugged into.

PC makers should at least provide a short, animated tutorial or video that explains these five essential steps to securing a home PC and network:

1. Install a NAT router. Inexpensive and easy to configure, a NAT (Network Address Translation) router is your first line of defense on the Internet. While the Windows firewall is on by default these days, if your PC is plugged directly into your broadband modem it sits on a public Internet address and is visible to everyone on the ‘Net. Put a router in between and the router holds that public address; your PC gets a private address that is not routable from the outside. The router rewrites the addresses on traffic your PC sends out and only forwards replies to connections your PC started, so an unsolicited connection from the Internet has nowhere to go.

2. Change the router default password. All routers come pre-configured with a default login and password. These are well known and lists are posted on the Web; here’s an example of one that’s searchable by router model: http://www.routerpasswords.com/. An attacker normally can’t reach the router’s administration page from the outside, but if you somehow get infected with remote-control malware he can reach it from your computer, and a booby-trapped Web page can make your browser send requests to the router’s address on his behalf. With the default password he can change the router’s settings, DNS included, and send you virtually anywhere he wants you to go. Not good.

3. Install and/or update a security suite. Most PCs these days come bundled with either anti-virus or a full security suite like McAfee Internet Security, Norton Internet Security or the like. My favorite is ESET Smart Security; unfortunately, this isn’t one that you’ll see bundled with a new PC. Make sure the software is up to date and make sure it will update itself automatically.

4. Turn on Automatic Updates. You should have done this when you set up the computer, but if you haven’t, do it now by following these instructions.

5. Learn about and follow safe computing practices. All of the security devices and software in the world won’t help you if you click on pop-ups, open every email you get, click on random links, and generally practice unsafe surfing. Unfortunately, this is one of the main reasons why the criminals continue to succeed. Take some time to learn how to be safe on the ‘Net by taking advantage of these free resources:

Nine Steps to System Security - 2008: http://tinyurl.com/6nt2jr
Home Network Security: http://www.us-cert.gov/reading_room/home-network-security/
Recognizing and avoiding email scams: http://www.us-cert.gov/reading_room/emailscams_0905.pdf
Protecting your privacy: http://www.us-cert.gov/cas/tips/ST04-013.html
Avoiding Social Engineering and Phishing Attacks: http://www.us-cert.gov/cas/tips/ST04-014.html

Good luck, and be careful out there.


Nov 14 2008   3:00AM GMT

WPA-TKIP Now Vulnerable to Attack



Posted by: Ken Harthun
Security management, Wireless, Security, WPA, Wireless security, Secure Computing

In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA“. However, TKIP, one of the protocols used under the WPA certification standard, is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s not much to worry about, at least not yet.

Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC-MAC Protocol); WPA requires TKIP and allows CCMP, while WPA2 requires CCMP. TKIP is a retrofit designed to run on WEP-era hardware: it still uses the RC4 stream cipher, with a 128-bit temporal key and per-packet key mixing for encryption and a separate 64-bit key for the Michael message integrity check. CCMP provides much stronger protection because it uses AES (Rijndael) for both confidentiality and integrity.

Two German researchers, Martin Beck and Erik Tews, recently found a way to partly break TKIP. They adapt the chopchop attack known from WEP: the attacker chops the last byte off a captured encrypted packet, guesses what that byte was and, because the CRC-32 integrity check value is linear, can fix up the shortened packet so that the access point accepts it only if the guess was right. Repeating this decrypts a packet byte by byte without ever touching the key. You can read all about it in their white paper, “Practical attacks against WEP and WPA,” so I won’t go into the details here.

While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following:

  1. Switch your current WPA configuration to AES-CCMP if it’s supported;
  2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;
  3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.
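To make “decrypt byte by byte” concrete, here is an added example of the chopchop step the attack is built on. It is my code, not code from the Beck and Tews paper or from this post, and it runs against a WEP/TKIP-style frame: a payload, then its CRC-32 integrity check value (ICV), the whole thing XORed with an RC4 keystream. The access point’s accept-or-drop decision is played by a local oracle that holds the key; the attacker side only ever sees ciphertext and the oracle’s yes/no. The key and the HTTP payload are constructed for the demonstration.

```python
import struct
import zlib

# CRC-32 (reflected form, polynomial 0xEDB88320) at register level: the attack works on the register.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
HIGH_BYTE_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}  # the 256 high bytes are distinct

def crc_step(reg, byte):
    return (reg >> 8) ^ CRC_TABLE[(reg ^ byte) & 0xFF]

def crc_reg(data, reg=0):
    for b in data:
        reg = crc_step(reg, b)
    return reg

def crc_unstep(reg_after, byte):
    """Undo one crc_step when the input byte is known."""
    i = HIGH_BYTE_INDEX[reg_after >> 24]
    return (((reg_after ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF) | ((i ^ byte) & 0xFF)

# Register state left by any payload||ICV frame whose ICV is right: 0xDEBB20E3, whatever the payload.
VALID_RESIDUE = crc_reg(struct.pack("<I", zlib.crc32(b"")), 0xFFFFFFFF)

def crc_patch(target):
    """The unique 4 bytes D with crc_reg(D) == target: table indices backwards, input bytes forwards."""
    idx, reg = [], target
    for _ in range(4):
        i = HIGH_BYTE_INDEX[reg >> 24]
        idx.append(i)
        reg = ((reg ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    out, reg = bytearray(), 0
    for i in reversed(idx):
        b = (i ^ reg) & 0xFF
        out.append(b)
        reg = crc_step(reg, b)
    return bytes(out)

def chop_mask(guess):
    """XOR mask for the last 4 bytes of a chopped frame. Because CRC is affine, the mask depends on
    the guessed plaintext byte alone, and the result has a valid ICV iff the guess was right."""
    return crc_patch(VALID_RESIDUE ^ crc_unstep(VALID_RESIDUE, guess))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_keystream(key, length):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload):
    return struct.pack("<I", zlib.crc32(payload))

def encrypt_frame(key, payload):
    frame = payload + icv(payload)                       # payload || ICV, as in WEP/TKIP
    return xor_bytes(frame, rc4_keystream(key, len(frame)))

def make_icv_oracle(key):
    """Plays the access point: the attacker learns only whether the ICV checked out."""
    def oracle(ciphertext):
        plain = xor_bytes(ciphertext, rc4_keystream(key, len(ciphertext)))
        return crc_reg(plain, 0xFFFFFFFF) == VALID_RESIDUE
    return oracle

def chopchop(ciphertext, oracle, nbytes):
    """Recover the last nbytes keystream bytes, one at a time, at most 256 oracle queries each."""
    keystream, frame = bytearray(), ciphertext
    for _ in range(nbytes):
        chopped, last = frame[:-1], frame[-1]
        for guess in range(256):
            candidate = chopped[:-4] + xor_bytes(chopped[-4:], chop_mask(guess))
            if oracle(candidate):
                keystream.insert(0, last ^ guess)  # ciphertext byte XOR plaintext byte
                frame = candidate                  # still a valid frame, so chop it again
                break
        else:
            raise RuntimeError("oracle accepted no guess; frame was not a valid ICV frame")
    return bytes(keystream)

def recover_tail(key, payload, nbytes):
    """Attacker's view end to end: the key is used only to build the frame and the oracle."""
    ct = encrypt_frame(key, payload)
    return xor_bytes(ct[-nbytes:], chopchop(ct, make_icv_oracle(key), nbytes))

if __name__ == "__main__":
    # Constructed key and payload; the last 6 bytes are "\r\n" plus the 4-byte ICV.
    print(recover_tail(b"\x01\x02\x03\x04\x05", b"GET / HTTP/1.0\r\n", 6))
```

Each recovered byte costs at most 256 queries and there are no false positives, because the mask for a wrong guess leaves the CRC register off by a fixed, non-zero amount. What makes TKIP harder than WEP is the oracle: the yes/no comes from the MIC-failure report that only an ICV-correct frame triggers, and TKIP’s countermeasures force the attacker to wait about a minute between recovered bytes, which is why the published attack goes after short packets such as ARP rather than bulk traffic. Moving to CCMP removes the CRC-based ICV, and with it the oracle.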


Oct 8 2008   12:26AM GMT

TCP Vulnerable To Low-bandwidth DoS Attack



Posted by: Ken Harthun
Networking, Security, Vulnerabilities, Denial of Service

There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two researchers at the security firm Outpost24 to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).

Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.


Aug 31 2008   9:44PM GMT

Software for Secure Computing: Personal Firewalls



Posted by: Ken Harthun
Firewalls, Security, Routers, NAT, Anti-virus, Anti-malware, Secure Computing

How to Secure Your Computer: Maxim #2 stressed the importance of using a NAT router to make your network “invisible” to criminal hackers and other Internet riffraff.  This is excellent protection against inbound malicious connections, but it does nothing to block outbound connections originated on the local network. The router won’t stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. This behavior is by design; if outbound connections were blocked, you’d never be able to browse the Web. The problem is that if you inadvertently get infected by a mistaken click or a drive-by download from a booby-trapped Web page, you’re in trouble. You may not even know you’ve been infected–I’ve seen bot-infected machines running up-to-date antivirus software happily spewing spam emails by the thousands.

One of the most important pieces of software for secure computing is a properly configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall–it blocks inbound attacks only (see Is Microsoft’s Firewall Secure?) and has flaws of its own (see Windows Firewall flaw may hide open ports). While Vista’s firewall does offer outbound filtering, it isn’t much better (see Analysis: New Windows Vista Firewall Fails on Outbound Security for more information).

My favorite personal firewalls for secure computing are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version). I’m currently testing the ESET Smart Security suite and from what I’m seeing, this may be one to recommend to your non-savvy home users; it’s non-intrusive in automatic mode, allowing you to surf freely without those annoying do-you-really-want-to-do-this popups.


Jul 29 2008   10:47AM GMT

The Lazy Man’s Way to System Security



Posted by: Ken Harthun
Firewalls, Security, Routers, Malware, Anti-virus, Anti-malware

A good many people have responded to my various articles on system security. Most of the feedback has been positive, but many wondered if there might be a simpler approach, some basic things you can do to protect yourself without too much hard work.

You’re in luck. Call it the lazy man’s way to system security; if you install protection against the three biggest threats to your on-line security–infections by viruses, worms and Trojans, malicious software (spyware, adware, browser hijackers) and crackers who wish to secretly access and control your PC–you’ll be protected from the worst of security problems. One caveat, however: if you go to questionable sites (you know the ones I mean!) and are in the habit of clicking on links in pop-ups and spam emails, you’re out of luck—nothing can help you because you’re inviting infection.

But, for those who generally try to avoid the bad stuff, these are the four bare security essentials: a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall. Simple, and highly effective for most users.

Before you ask, the answer is yes, you still need a software firewall, even if you already have a NAT router or hardware firewall. Most hardware firewalls are configured to keep bad traffic from getting in, but will let most traffic from your network out, so they don’t keep those sneaky tracking programs from phoning home. A software firewall will at least give you some warning when a program is trying to access the Internet and you can decide whether to allow it. Besides, it gives you an extra layer of protection, just in case.
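This post, the Personal Firewalls post and “Five Essential Steps to Secure Your Home PCs & Network” all rest on the same two facts about a NAT router: an inbound packet that matches no connection a LAN host opened has no mapping and is dropped, while anything a LAN host sends out is translated and forwarded, bot beacons included, because the router has no idea which program sent it. The simulation below, an added example rather than code from any post or from a real router, walks three constructed packets through a port-restricted NAT table and then through the per-program egress policy a personal firewall enforces. Addresses, ports and program names are made up.

```python
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    program: str = ""   # sending process; only the host itself knows this (assumed, for the host firewall)

class NatRouter:
    """Port-restricted NAT: a LAN-initiated flow creates a mapping; inbound packets need one."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.ports = itertools.count(40000)   # public-side ports handed out to flows
        self.flows = {}        # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}      # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public address and remember the flow.
        Nothing here looks at what the packet carries or which program sent it."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.flows:
            pub = next(self.ports)
            self.flows[flow] = pub
            self.reverse[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.flows[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: forward only a reply to a flow a LAN host opened; otherwise drop (None)."""
        lan = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])

class HostFirewall:
    """Per-program outbound allow list: the check the router cannot make."""
    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)

    def permits(self, pkt):
        return pkt.program in self.allowed

def run_scenario():
    """Three constructed flows; returns which control let which packet through."""
    nat = NatRouter("203.0.113.5")
    fw = HostFirewall({"firefox.exe"})
    result = {}
    # 1. The browser on the LAN host fetches a page; the reply is mapped back to that host.
    web = Packet("192.168.1.10", 51000, "198.51.100.20", 80, "firefox.exe")
    wan = nat.outbound(web)
    reply = nat.inbound(Packet("198.51.100.20", 80, nat.public_ip, wan.src_port))
    result["browser reply delivered"] = reply is not None and reply.dst_ip == web.src_ip
    # 2. A scanner on the Internet probes the public address: no mapping, so it is dropped.
    probe = nat.inbound(Packet("192.0.2.99", 4444, nat.public_ip, 445))
    result["unsolicited probe delivered"] = probe is not None
    # 3. A bot on the same host phones home: the NAT passes it, the host policy does not.
    beacon = Packet("192.168.1.10", 51001, "192.0.2.200", 6667, "updater.exe")
    result["beacon passed by NAT"] = nat.outbound(beacon) is not None
    result["beacon passed by host firewall"] = fw.permits(beacon)
    return result

if __name__ == "__main__":
    for check, passed in run_scenario().items():
        print(f"{check}: {passed}")
```

The third flow is the whole argument for the software firewall: from the router’s side it is indistinguishable from the first, a LAN host opening a connection. Only something running on the host can tie the packet to the program that produced it and ask whether that program should be talking to the Internet at all.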

I highly recommend you read and apply Nine Steps to System Security - 2008, but if you’re feeling a bit lazy today, the four essentials will get you by.