Secure Computing archives - Security Corner


Oct 20 2009   12:12AM GMT

Acrobat Reader Users Should Switch to Foxit Reader, Shrink Their Attack Surface

Posted by: Ken Harthun
Security, Secure Computing, Foxit Reader, insecure, adobe reader, bloatware

I’m not going to rant, I promise; I don’t have to, because this doesn’t affect me. Several years ago, I abandoned the bloated, insecure and extremely resource-intensive Acrobat Reader in favor of the smaller and more secure Foxit Reader. Once again, here is more evidence that I was right to switch. Brian Krebs of The Washington Post wrote:

Adobe Plugs 29 Critical Reader, Acrobat Holes

Adobe Systems Inc. on Tuesday issued a new version of both Adobe Acrobat and its free Adobe PDF Reader to fix at least 29 separate security vulnerabilities in these products.

If you have either (or both) of these programs installed, take a moment to update them. Adobe warns that hackers already are exploiting at least one of the flaws to break into vulnerable systems.

No! Don’t update. Shrink your attack surface and switch to Foxit Reader and their other PDF software. Not only are Foxit Software’s products more secure, they’re also cheaper.

Oct 19 2009   11:34PM GMT

Trust Only https:// on Form Pages

Posted by: Ken Harthun
Security, SSL, Encryption, Secure Computing

How often, when you log into a site that requires a username and password, do you check to see if the connection is secure? You probably don’t give it a second thought. Most people don’t. For many sites, like newspapers, online magazines, etc., it probably doesn’t matter much. Who cares if someone logs into a news site with your credentials? They’re not going to gain anything by doing so, and there’s no identity or personal financial information at stake.

For any sites where you are accessing or entering sensitive identity or financial information such as bank account or credit card numbers or government program IDs such as Social Security numbers, State identification numbers or the like, you are seriously at risk of identity theft if you trust this information to a form that is served as “http://[URL].” It’s true that the Submit button may invoke transmission of the information using https:// (SSL), but there is no guarantee that this will happen, so you risk sending your information “in the clear.”

Best practice: change all of your bookmarks pointing to financial and other sensitive site login pages to read “https:// [URL of site].”


Oct 15 2009   3:18AM GMT

Convert a USB Thumb Drive into a ROBAM

Posted by: Ken Harthun
Security, Secure Computing, ROBAM, Security policy, Security practice

What’s a ROBAM? you ask. Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from http://unetbootin.sourceforge.net/
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.
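As an added check for step 4 (my own code, not part of the post), the following script reads a /proc/mounts listing from inside the booted live system and reports whether the USB drive’s partitions are actually mounted read-only. A read-only attribute set from another operating system only helps if the live system honours it at mount time, so the `ro` mount option is the thing to confirm. The mount table below is a constructed sample loosely modelled on a live-USB layout; on a real system you would pass in the contents of /proc/mounts.

```python
def _unescape(field):
    """Decode the octal escapes (\\040 for space, \\134 for backslash, ...) used in /proc/mounts."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, [options]) for each line of /proc/mounts-style text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank or malformed line
        dev, mnt, fstype, opts = parts[:4]
        yield _unescape(dev), _unescape(mnt), fstype, opts.split(",")


def device_is_readonly(text, device):
    """True only if `device` is mounted at least once and every mount of it carries `ro`."""
    option_lists = [opts for dev, _, _, opts in parse_proc_mounts(text) if dev == device]
    return bool(option_lists) and all("ro" in opts for opts in option_lists)


def writable_mounts(text, device_prefix="/dev/sd"):
    """List (device, mountpoint) pairs under `device_prefix` that are mounted read-write."""
    return [(dev, mnt) for dev, mnt, _, opts in parse_proc_mounts(text)
            if dev.startswith(device_prefix) and "ro" not in opts]


# Constructed sample, loosely modelled on a live-USB layout: the boot partition and the
# compressed root image are read-only, but a second partition on the same stick is not.
SAMPLE_MOUNTS = """\
/dev/sdb1 /cdrom vfat ro,noatime,fmask=0022,dmask=0022 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
/cow / overlay rw,noatime,lowerdir=/filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work 0 0
/dev/sdb2 /media/user/My\\040Stick vfat rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    # On a real live system: text = open("/proc/mounts").read()
    print("boot partition read-only:", device_is_readonly(SAMPLE_MOUNTS, "/dev/sdb1"))
    print("writable USB mounts:", writable_mounts(SAMPLE_MOUNTS))
```

In the sample, the stick’s boot partition and the squashfs root are read-only, as a live CD would be, but the second partition is mounted read-write and is reported. That is the kind of thing to look for before trusting a thumb drive as a CD substitute: a writable partition on the same stick is somewhere persistent changes could land.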

I haven’t tried this, so comments welcome.


Oct 13 2009   1:20PM GMT

Protecting Your Business from Online Banking Fraud

Posted by: Ken Harthun
Security, Secure Computing, security awareness, Cybercrime, Fraud, Online banking fraud, Linux, Microsoft Windows

I’m pleased to see some professionals with clout advocating a security practice I have often recommended to my clients. Brian Krebs of The Washington Post and SANS Institute are both pushing the use of Linux live CDs for online banking. Krebs’ latest article, “Avoid Windows Malware: Bank on a Live CD,” starts off by recommending people NOT use Microsoft Windows for online banking:

An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.

Krebs has reported frequently about some of the more prominent online banking fraud incidents, including the hack against Bullitt County, Ky. and two California firms that lost a combined total of more than half a million dollars, both of which were using two-factor authentication requiring the use of a security token.

The credential-stealing Trojans used in these attacks were designed to avoid detection by normal anti-malware software, so the victims had no clues that they had been infected. With the huge amounts of money involved, it’s likely the cybercriminals have evolved their programming skills to the point where it will be difficult for security firms to keep up.

It’s not surprising, then, that SANS, as a direct result of Krebs’ reporting, issued a challenge to its students to create a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. The report, “Protecting Your Business from Online Banking Fraud,” addresses the issue. Here’s that report’s Abstract:

Recently, small and medium businesses have lost millions of dollars from fraudulent electronic financial transactions.  This paper reviews the threat and provides guidance for mitigating the threat.  These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department.  After the comptroller’s computer is compromised, sophisticated malware is used to eavesdrop on the comptroller’s activity and account credentials for financial systems.  Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000.  These smaller amounts fly under the laundering detection mechanisms in the US Bank Secrecy Act.  In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations.  The paper provides a number of possible ways to mitigate these types of attacks.  A defense in depth approach is used to provide multiple mitigation recommendations.  The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. [emphasis added] The mitigation steps also include protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions.

I highly recommend that everyone responsible for security in their organization read this paper.


Sep 19 2009   3:05PM GMT

Malvertising an Ever-expanding Threat

Posted by: Ken Harthun
Anti-malware, Cybercrime, Fraud, Microsoft Windows, Firefox, Security, Malware, Scareware, Scam, Secure Computing

As if we don’t already have enough to deal with, it seems that malvertising, the placing of malicious code in an online ad to either mislead the user or infect their computer, is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice of a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malvertisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)

What do you think? Leave a comment!


Aug 31 2009   10:40PM GMT

Have You Noticed? Phishing Attacks Are Down

Posted by: Ken Harthun
insecure, Security, Phishing, Malware, Social Engineering, Secure Computing, Trojan

It’s just not in fashion anymore; phishing attacks are way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.

IBM’s security research and development division, X-Force, recently issued a report that found that throughout 2008, phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.

That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk.”

A copy of the IBM report can be downloaded here (PDF).

As always, let the surfer beware.


Aug 31 2009   2:05AM GMT

14 Golden Rules of Computer Security

Posted by: Ken Harthun
Security, Security management, Security tools, Opinion, Secure Computing, Security maxim

In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:

#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Always use an un-guessable, or at least difficult-to-guess, password.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection, signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.

In the book, each one of these rules is explained in detail with links to tools and other information.

I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.


Aug 28 2009   2:39AM GMT

Twitter Security: TwitBlock Blocks the Spammers

Posted by: Ken Harthun
Fraud, Security management, Phishing, Security, Social Engineering, Scam, Secure Computing, Twitter

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!).

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.
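TwitBlock’s own logic isn’t shown here, so as an added example (my own code, not TwitBlock’s) the script below applies the three tells this post names, duplicate profile pictures, the same message going out from several profiles, and a burst of tweets in quick succession, to a constructed set of followers and tweets, and scores each account by how many tells it trips. The handles, image hashes and tweets are all made up; on real data the image hash would come from hashing the downloaded avatar bytes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed follower records: (handle, hash of the profile image).
FOLLOWERS = [
    ("ken_geek", "a1b2"),
    ("annette552", "ff00"),
    ("annette553", "ff00"),
    ("cheap_rx_now", "ff00"),
    ("neighbor_joe", "3c3c"),
]

# Constructed tweets: (handle, ISO timestamp, text). Shortened URLs are invented.
TWEETS = [
    ("annette552", "2009-08-27T10:00:00", "Click here for a great deal http://short.ex/abc"),
    ("annette553", "2009-08-27T10:00:05", "Click here for a great deal http://short.ex/abc"),
    ("cheap_rx_now", "2009-08-27T10:00:09", "Click here for a great deal http://short.ex/abc"),
    ("cheap_rx_now", "2009-08-27T10:00:20", "Cheap meds now http://short.ex/xyz"),
    ("cheap_rx_now", "2009-08-27T10:00:40", "Cheap meds now http://short.ex/xyz"),
    ("neighbor_joe", "2009-08-27T11:15:00", "Anyone know a good plumber?"),
]


def duplicate_image_groups(followers):
    """Map image hash -> handles, keeping only hashes shared by more than one account."""
    groups = defaultdict(list)
    for handle, image_hash in followers:
        groups[image_hash].append(handle)
    return {h: handles for h, handles in groups.items() if len(handles) > 1}


def shared_message_handles(tweets):
    """Handles that posted a text which a *different* handle also posted."""
    by_text = defaultdict(set)
    for handle, _, text in tweets:
        by_text[text.strip().lower()].add(handle)
    flagged = set()
    for handles in by_text.values():
        if len(handles) > 1:
            flagged |= handles
    return flagged


def burst_posters(tweets, window=timedelta(seconds=60), threshold=3):
    """Handles that sent at least `threshold` tweets inside any `window`-long span."""
    stamps_by_handle = defaultdict(list)
    for handle, ts, _ in tweets:
        stamps_by_handle[handle].append(datetime.fromisoformat(ts))
    flagged = set()
    for handle, stamps in stamps_by_handle.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(handle)
                break
    return flagged


def score_followers(followers, tweets):
    """One point per tell tripped; accounts that trip none are absent from the result."""
    scores = defaultdict(int)
    for handles in duplicate_image_groups(followers).values():
        for handle in handles:
            scores[handle] += 1
    for handle in shared_message_handles(tweets):
        scores[handle] += 1
    for handle in burst_posters(tweets):
        scores[handle] += 1
    return dict(scores)


if __name__ == "__main__":
    for handle, score in sorted(score_followers(FOLLOWERS, TWEETS).items(),
                                key=lambda item: -item[1]):
        print(f"{handle}: {score} tell(s)")
```

Scores are meant to rank accounts for a human to look at, not to block automatically: a shared stock photo alone is one point, which is why the post’s advice to think before blocking “Annette552” still applies. The account that trips all three tells is the one worth acting on first.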


Aug 24 2009   1:40AM GMT

Un-guessable Passwords—How to Make Them

Posted by: Ken Harthun
Security, Password, Security management, Opinion, Secure Computing

The sheer number of passwords most of us have is a big problem. Even if we have hints written down, how do we know which hint goes with which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends, even your enemies, and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.

Let’s say you found a piece of paper that had this written on it:

Work BDAbe%x#
Home 1941phx!n
email fon!%m

What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: what those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example. In my Ask the Geek blog article, How to Write Down Your Password and Not Worry About Someone Stealing Them, I explain:

[It's] a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form, 02/12/1809, for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it's Abe's birthday, they still have a long way to go to figure out how it was used - Ken]

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the "something only you know," with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).

Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.
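To make the scheme concrete, here is an added example of my own (not code from the post or its linked article) that implements the date-plus-shift-pattern cipher exactly as described above: a numeric date is the plaintext, and the key’s characters say which positions are typed with Shift held down on a US keyboard. It reproduces the Pearl Harbor result given in the post, 1@0&1(4!. The `cycle` option, which repeats the key’s own shift/no-shift sequence instead of alternating from its first character, is my extension and is not part of the post.

```python
# Shift+digit on a US keyboard: 1 -> !, 2 -> @, ... 0 -> ).
SHIFTED_DIGIT = dict(zip("1234567890", "!@#$%^&*()"))
UNSHIFTED_DIGIT = {sym: d for d, sym in SHIFTED_DIGIT.items()}


def is_shift_marker(ch):
    """In a key such as '%x#', an upper-case letter or a shifted-digit symbol means 'hold Shift';
    a lower-case letter or a plain digit means 'do not'."""
    return ch.isupper() or ch in UNSHIFTED_DIGIT


def expand_pattern(key, length, cycle=False):
    """Turn a short key into a per-position list of booleans (True = shifted).

    Default (cycle=False) follows the post: the key abstracts an alternation, so its first
    character fixes the starting state and the rest must keep alternating. With cycle=True
    the key's own sequence is simply repeated (my extension, not described in the post)."""
    marks = [is_shift_marker(c) for c in key]
    if not marks:
        raise ValueError("empty key")
    if cycle:
        return [marks[i % len(marks)] for i in range(length)]
    if any(marks[i] == marks[i - 1] for i in range(1, len(marks))):
        raise ValueError(f"key {key!r} does not describe an alternating pattern")
    return [marks[0] == (i % 2 == 0) for i in range(length)]


def encode(date_digits, key, cycle=False):
    """Apply the shift pattern to a numeric date such as '12071941'."""
    if not date_digits.isdigit():
        raise ValueError("plaintext must be digits only, e.g. '02121809'")
    pattern = expand_pattern(key, len(date_digits), cycle)
    return "".join(SHIFTED_DIGIT[d] if shifted else d
                   for d, shifted in zip(date_digits, pattern))


def decode(password):
    """Recover the date digits. No key is needed: each shifted symbol maps back to one digit."""
    return "".join(UNSHIFTED_DIGIT.get(ch, ch) for ch in password)


if __name__ == "__main__":
    # The post's worked examples: Lincoln's birthday with '%x#', Pearl Harbor with 'x!n'.
    print(encode("02121809", "%x#"))   # shift-lower-shift-... starting with the first digit
    print(encode("12071941", "x!n"))   # lower-shift-lower-...; the post gives 1@0&1(4!
    print(decode("1@0&1(4!"))
```

Note that `decode` takes no key at all: every shifted symbol maps back to exactly one digit, so the pattern key only changes how the password looks on the page. The strength of the result therefore rests entirely on the date not being guessable, which is why the post says never to use your own birthday.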

I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.


Aug 20 2009   12:41AM GMT

Peter Piper Picked a Perfect Password Pattern

Posted by: Ken Harthun
Security, Password, Secure Computing, Security tools

A little alliteration is good for writing effect every now and then; why not apply this to passwords? I don’t mean writing out an alliterative phrase and turning it into a password or passphrase (though you could, I guess); what I mean is using a pattern that makes it easy for you to remember the password, but still results in a very strong, un-guessable one. Here’s an example of a very strong password: 19[-[Phrase]-]60.

This one is very weak: %6*Some*Phrase*6%. Can you see why? Too many repetitions of characters. Change it slightly, %6!Some*Phrase!6%, and it becomes very strong.

The trick is to come up with a pattern that means something to you. By no means should you use the patterns I suggest—use something that will be easy for you to remember.

I’ll leave it to you to analyze the two examples and let you come up with your own. Remember, the bad guys read these blogs, too.

You can mosey over to the Password Meter page at Ask the Geek to check the patterns/passwords you come up with. That’s the best password meter I’ve ever seen, bar none.