Security Corner:

Vulnerabilities

May 11 2008   2:07PM GMT

No-Hassle Way to Kill ActiveX Controls



Posted by: Ken Harthun
Microsoft Windows, Browser, Security, Security management, Vulnerabilities

ActiveX has always been a weak point in IE. The majority of browser plug-in vulnerabilities are ActiveX based. Microsoft realizes this and has a method to disable certain problematic ActiveX controls. But Microsoft’s method involves setting the kill bit by editing the registry, and in order to discover the CLSID (Class ID) of the control you want to disable, you may have to uninstall others. In short, it’s a messy way to do things.

Errata Security to the rescue. They’ve created AxBan, a free tool to set the kill bit on known bad ActiveX controls. Errata promises that they’ll “be updating it as needed with new CLSIDs on an as needed basis.” AxBan is a single, small (45.5 KB), standalone executable that contains a list of known dangerous ActiveX controls. It highlights in red any you have installed on your system and gives you a button to set the kill bit. Be careful, though: there isn’t an “undo” button. Once you set the kill bit, if you find you’ve made a mistake, you’ll have to edit the registry to unset it.

Nevertheless, it’s a handy tool to have in your security arsenal.
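As an added example (not code from the original post or from AxBan), here is the registry check and edit the post describes, done by hand in PowerShell: it reads, sets and clears the kill bit for one CLSID, which also gives you the “undo” the tool lacks. It assumes an elevated prompt and uses a constructed placeholder CLSID; the key and flag value are the documented ones (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, DWORD “Compatibility Flags” with bit 0x400 set).

```powershell
# Added example, not part of the original post or of AxBan.
# Kill bit = bit 0x400 of "Compatibility Flags" under the control's CLSID key.
# Run from an elevated PowerShell prompt.

$KillBitFlag = 0x400
$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitKeyPath([string]$Clsid) {
    # Normalize to the brace-wrapped, upper-case form the registry uses.
    $c = $Clsid.Trim().ToUpper()
    if (-not $c.StartsWith('{')) { $c = "{$c}" }
    return Join-Path $KillBitBase $c
}

function Test-KillBit([string]$Clsid) {
    # True when IE is blocked from loading this control.
    $path = Get-KillBitKeyPath $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit([string]$Clsid) {
    # Set bit 0x400 while preserving any other compatibility flags already present.
    $path = Get-KillBitKeyPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

function Clear-KillBit([string]$Clsid) {
    # The "undo": clear only the kill bit and leave other flags untouched.
    $path = Get-KillBitKeyPath $Clsid
    if (-not (Test-Path $path)) { return }
    $current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $current) {
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($current -band (-bnot $KillBitFlag)) -Type DWord
    }
}

# Usage with a constructed placeholder CLSID (not a real control).
$clsid = '{00000000-1111-2222-3333-444444444444}'
Set-KillBit $clsid
"Kill bit set for ${clsid}: $(Test-KillBit $clsid)"
Clear-KillBit $clsid
"Kill bit set after clearing: $(Test-KillBit $clsid)"
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node, so check both locations when auditing a machine.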

Apr 17 2008   7:05PM GMT

Top Five Personal Firewalls



Posted by: Ken Harthun
Security, Firewalls, Vulnerabilities, Intrusion prevention, HIPS, Intrusion detection

How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:

  1. Comodo Firewall Pro 3.0.21.329 (Free)
  2. Online Armor Personal Firewall 2.1.0.119 ($40, Free version available)
  3. ProSecurity 1.43 ($30 single PC home user, $40 household)
  4. Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
  5. Kaspersky Internet Security 7.0.1.325 ($80/year for 3 PCs)

The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.


Mar 8 2008   6:08PM GMT

Are You Lazy? Then You Have Security Risks



Posted by: Ken Harthun
Security, Passwords, Vulnerabilities

True computer and network security takes a lot of work to implement and it takes a lot of work to use. Despite training (if any) and admonitions by their supervisors and the IT department, the lazy create simple, easily-guessable passwords, write them down, and post them on sticky notes right in their cubicle or on their monitor. Even though we IT folks enforce password complexity policies, the effort is wasted if users post their passwords in plain sight.

Maybe I’m dreaming, but I think that even the lazy can take the time to come up with serious passwords and take measures to make them memorable and/or write them down in a secure way. My article on generating secure passwords describes a method of doing this; it takes a bit of work at first, but once implemented, it’s a simple system that even the lazy can appreciate. (You may guess that I’m no fan of password managers or stored passwords and your guess would be right.)

If more of us IT geeks put more work into developing simple password generation and mnemonic systems for the lazy users, perhaps our networks would be more secure; perhaps not, but it can’t hurt now, can it?


Mar 2 2008   5:31PM GMT

Disk Encryption Vulnerable to Cold Boot Attack



Posted by: Ken Harthun
Security, Encryption, Vulnerabilities

According to researchers at Princeton University, it’s possible to recover encryption keys from memory for some time after a computer is powered down. Their paper, “Lest We Remember: Cold Boot Attacks on Encryption Keys,” begins with this abstract:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

Check out the researchers’ video demo of the attack:

While I don’t consider this a great concern for the average user, it’s a real problem in terms of corporate espionage and national security.

Aside from simply never using standby modes or screen locking, possible solutions would be for encryption programs to require two-factor authentication or for operating systems to securely erase memory as part of the shutdown routine. This article at SANS Internet Storm Center gives further insight into the issue.


Feb 28 2008   1:30AM GMT

If You’re Not Patched, You’re a Target!



Posted by: Ken Harthun
Security, Vulnerabilities, Security maxim

OK. So you’ve installed a NAT router, you’ve changed the default login and password, and you’ve used an unguessable password. You’ve done everything right so far. However, you still may be vulnerable; in fact, you probably are, even if you keep your operating system patched. In a Lockergnome posting last year, I wrote:

To say nothing of Microsoft Windows, there are few, if any, application software packages that are free of security vulnerabilities. The SANS Institute publishes its Top 20 Internet Security Attack Targets on a regular basis and Secunia currently lists 14,043 pieces of software and operating systems with vulnerabilities.

Not surprisingly, Secunia reports that as of this date, the above number has increased by more than 3,300:

Our database currently includes 17,406 pieces of software and operating systems.

It probably won’t surprise you that Microsoft leads the list, but it is by no means the only source of security vulnerabilities out there. The truth is, if you’re on the ‘Net and running any unpatched software, you’re a target; I can look at my firewall logs and identify what vulnerabilities are being targeted on my machine. Many of these holes have long since been patched and there’s no excuse for not having patched them.

So much for the bad news. The good news is that most reputable software companies, when informed of a vulnerability by security researchers, promptly issue a software patch to fix it. These are widely available to the public for free download or through update features built into the software packages. Windows and other software packages allow you to enable automatic updates (which you should do).

I give you Security Maxim #5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.

Cheers!
The Geek