A Basket Full of Caveats – The LimeWire Safety Page

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has at least done a good job of trying to caution people about the problems with using their tool. That, at the very least, is quite admirable!

Lessons From a Reputational Risk Audit

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Conficker: A serious threat or the world’s biggest Rick Roll?

The Conficker worm was touted with nearly as much danger and fear as was Y2K… I remember that New Year’s better than any other in my lifetime simply because we were all standing around the day after to realize “hey, that wasn’t so bad… my computer really could count to 2000!”

With the media’s sensationalism of Conficker/Downadup/Kido, people started to panic once again. Our machines would rise up against us and human kind would become slaves to the technology we’ve become so dependent upon. The best part was that this was all supposed to happen on April Fool’s Day, 2009. Really?

So our team sat back and watched the story unfurl. We infected a machine in our lab to monitor the traffic, or lack thereof. We waited and studied and watched the story unfold- or not. After days of non-activity, the P2P functionality of the worm kicked into effect. Conficker began what appeared to be an update process, as well as dropping an unidentified payload on infected machines. These updates are prime vehicles for changing the modus operandi of the infection as well as adding to the near endless list of methods for killing nearly two dozen security applications and update programs reportedly affected by the infection.

When the P2P traffic trailed off, there was some speculation of a “cease fire” on or around 3 May, 2009 but this may not necessarily be the case. Reports have come from India this week where systems have been observed to have installed a second infection referred to as Waladec, which is known to send spam without the user’s knowledge. Shantanu Ghosh, VP, India Product Operations, Symantec India has been cited to say research has shown that widespread use of peer-to-peer file-sharing programs, low awareness of the need to update anti-virus software regularly and rampant use of pirated software have contributed to India’s high rank among countries affected by Conficker.

Well we may not be out of the woods yet, but this takes me to the moral of our story. Updates are not optional. These things are necessary in order to ensure proper functionality and security within a network. This infection is certainly containable and should not be the end of the Internet as we know it, but if something as simple as an update could stop this thing in it’s tracks, why doesn’t everyone do it?

Domestic Defense: 3 Steps to Hardening Home PCs

As we wander the information superhighway it’s no secret there is an abundance of thieves, pirates, and stalkers out there just looking for low hanging fruit to make a quick buck and move on to the next mark. We’ve all heard horror stories of hacker-ish ways good people have fallen prey to the black hats out there, this is encouragement for those who’d like to take as much power back into their own hands as possible; to make thyself a harder target.

Microsoft’s Windows operating system is the market leader in terms of home computer users  and there is an entire subculture of people out there who pretty much work to break it by any means for fun and profit! Taking the following countermeasures makes you a little less susceptible to the threats on the Internet.

Windows Automatic Updates

This is a necessary evil of using the Windows operating system. Microsoft launches updates weekly as well as periodic urgent updates that are designed to keep your computer patched against the latest threats. While some prefer to have control over when these updates are applied, it is strongly encouraged to take advantage of the automatic feature- a sort of “set it and forget it” tool that allows one to not continually worry whether they’re up to date or not. Enable or modify your update settings as follows:

Click on Start, open the Control Panel and select Security Center. At the bottom, open Automatic Updates.

automatic-updates

By selecting the automatic option, windows will phone home at the time specified by you. Some prefer to set this for a time when the machine is not in use to prevent the updates from interfering with normal use, such as overnight. Once the desired settings are chosen, click “Apply”, then “OK” and close up shop.

Anti Virus Solutions

Anti Virus and Firewall programs are essential to the protection of any windows computer that is connected to a network. These programs work together to monitor the flow of data through your machine and to give warnings or indications of what might not be “quite right”. While there are premium options available on the market, there is also a set of free tools that do a fine job of protecting the average user.

AVG Anti Virus offers a free solution that offers extensive virus protection with live updates and a nice user interface that allows at-a-glance confirmation that the program is functioning. While there are more features in the subscription version of this product, there is a very comprehensive program in the Free Edition:

avg-free-edition_1

The update menu also has an automatic feature that allows for the “set it and forget it” freedom. Updating immediately will allow AVG to “phone home” and get the latest virus definitions before the first scan of your system. Once these updates are complete (a restart may be required), you’re ready to spend time in the Computer scanner menu setting up preferences and then scanning your system to ensure it’s clean.

avg_free_com_scanner

It’s important to first set a scan schedule. Once you’ve got that done, scan the whole computer. This will take some time. Grab a cup of coffee (or my preference, a Monster Drink) and find something to kill some time with. If your Windows partition has any chance of infection (ie, this is NOT a fresh install) then you’ll want to check in periodically to ensure you’re not prompted to address any juicy discoveries. After the initial scan of your machine, you’ll have FREE, real time protection against a good portion of the software threats facing home users today.

Comodo Firewall

Yes, it’s true Comodo offers an “all in one” solution which is a firewall AND an anti virus in one package, but I’ve always been of the mind that my proctologist shouldn’t be doing my mechanic’s work and vice versa. AVG has been my go-to anti virus for some time and it out performs the other freebies while still offering a very easy to use program, and Comodo makes for a great firewall- so I recommend exactly that in Comodo’s Personal Firewall Free Edition. This means it will be important NOT to install the anti virus that comes with the Comodo package:

comodo_uncheck_install_antivirus

This is VERY important because having more than one anti virus program running at once can cause them to conflict each other and might not protect you to their fullest potential.

Once installed, spend some time learning the interface. Again you’ll want to allow it to update (which is an option under the MISCELLENEOUS menu). When the update is complete, the firewall will want to scan your system. This again sets a baseline by which Comodo can assess future changes to alert you and get permission before taking place.

After the initial scan, you’ll want to spend some time doing typical tasks to let the firewall learn from you. Comodo pops up alerts from the system tray with an outline of a detected action. When you’re teaching it something new, you’ll want to allow the action and usually to “Remember my answer”. It’s a good idea to read these alerts and thoroughly understand this interface to ensure your firewall is functioning properly. This learning period tends to be tedious, but is necessary for the full benefit of “educating” the firewall. Notice the “Treat this application as” option. This puts the firewall into an “installation mode” which will let software be updated or installed without asking permission for every single change.

comodo_alert

Once Comodo learns your typical activities, you’ll rarely hear from it. The updater will ask permission to phone home and it will alert you of any odd looking traffic, but in reading the alert you should get a good understanding of whether you want to allow it or not. I actually use the Firefox addon “Malware Search”; which adds right click menus that link you to Process Library, &System Lookup, and Google where I’ll search down anything I don’t recognize. If it’s unidentifiable, it doesn’t get through.

Secunia Personal Software Inspector

Secunia PSI is an invaluable tool to the home user. In a nutshell, this program will monitor your system for any available updates and let you know. It’s like a central command and control center for all your software. PSI will advise you of new updates, and re-evaluate to ensure you’re fully covered.

secunia_scan

After scanning the computer, PSI will ensure all programs are up to date and will set the process in motion to address any that might not be.

psi_scan_complete

These free tools will set a solid security foundation on any home computer. These things are necessary today in a cyber world where identity theft, spam, and botnets are rampant. It’s us against them and we shouldn’t allow ourselves to be easier targets than absolutely necessary. The MSI team will continue to search out ways of protecting and educating the good guys while thwarting the bad guys.

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.

Book Review: Computer Security and Cryptography

fsecuritym444a6d61

Computer Security and Cryptography (Wiley) by Alan G. Konheim, is a great resource to understand and implement data security systems. Chapters are organized to help develop technical skills, describe a cryptosystem and method of analysis, and provide problems to test your grasp of the material and ability to implement practical solutions.

The book begins with the history of cryptography and moves into the theory of symmetric and public-key cryptography. Chapter 18 focuses on cryptography application. Included is Unix password encipherment, password cracking and protecting ATM transactions.

With consumers becoming increasingly wary of identity theft and companies struggling to develop safe, secure systems, this book is essential reading for professionals in e-commerce and information technology. Written by a professor who teaches cryptography, it is also ideal for students. Available at Amazon for $90.00.