Lessons from an Almost Lost Laptop

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

A Basket Full of Caveats – The LimeWire Safety Page

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has done a good job of trying to caution people about the problems with using their tool, and that is quite admirable!

Lessons From a Reputational Risk Audit

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that stem from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus on the first and second levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, whom we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and web site of our client, the financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online criminals.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued, and much discussion with attorneys, HR, regulators and eventually the customers was required. In the end, Sheila kept her position, and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious when they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Conficker: A serious threat or the world’s biggest Rick Roll?

The Conficker worm was touted with nearly as much danger and fear as was Y2K… I remember that New Year’s better than any other in my lifetime simply because we were all standing around the day after to realize “hey, that wasn’t so bad… my computer really could count to 2000!”

With the media’s sensationalism of Conficker/Downadup/Kido, people started to panic once again. Our machines would rise up against us and humankind would become slaves to the technology we’ve become so dependent upon. The best part was that this was all supposed to happen on April Fool’s Day, 2009. Really?

So our team sat back and watched the story unfold. We infected a machine in our lab to monitor the traffic, or lack thereof. We waited, studied and watched the story unfold, or not. After days of non-activity, the P2P functionality of the worm kicked into effect. Conficker began what appeared to be an update process, as well as dropping an unidentified payload on infected machines. These updates are prime vehicles for changing the modus operandi of the infection, as well as adding to the near endless list of methods for killing the nearly two dozen security applications and update programs reportedly affected by the infection.

When the P2P traffic trailed off, there was some speculation of a “cease fire” on or around 3 May, 2009, but this may not necessarily be the case. Reports have come from India this week where systems have been observed to have installed a second infection referred to as Waledac, which is known to send spam without the user’s knowledge. Shantanu Ghosh, VP, India Product Operations, Symantec India, has been quoted as saying that research has shown that widespread use of peer-to-peer file-sharing programs, low awareness of the need to update anti-virus software regularly and rampant use of pirated software have contributed to India’s high rank among countries affected by Conficker.

Well, we may not be out of the woods yet, but this takes me to the moral of our story. Updates are not optional. They are necessary in order to ensure proper functionality and security within a network. This infection is certainly containable and should not be the end of the Internet as we know it, but if something as simple as an update could stop this thing in its tracks, why doesn’t everyone do it?

Domestic Defense: 3 Steps to Hardening Home PCs

As we wander the information superhighway, it’s no secret there is an abundance of thieves, pirates, and stalkers out there just looking for low hanging fruit to make a quick buck and move on to the next mark. We’ve all heard horror stories of the hacker-ish ways good people have fallen prey to the black hats out there. This is encouragement for those who’d like to take as much power back into their own hands as possible: to make thyself a harder target.

Microsoft’s Windows operating system is the market leader in terms of home computer users, and there is an entire subculture of people out there who pretty much work to break it by any means for fun and profit! Taking the following countermeasures makes you a little less susceptible to the threats on the Internet.

Windows Automatic Updates

This is a necessary evil of using the Windows operating system. Microsoft launches updates weekly as well as periodic urgent updates that are designed to keep your computer patched against the latest threats. While some prefer to have control over when these updates are applied, it is strongly encouraged to take advantage of the automatic feature, a sort of “set it and forget it” tool that frees you from continually worrying about whether you’re up to date or not. Enable or modify your update settings as follows:

Click on Start, open the Control Panel and select Security Center. At the bottom, open Automatic Updates.

(Screenshot: the Automatic Updates dialog)

By selecting the automatic option, Windows will phone home at the time specified by you. Some prefer to set this for a time when the machine is not in use, such as overnight, to prevent the updates from interfering with normal use. Once the desired settings are chosen, click “Apply”, then “OK” and close up shop.

Anti Virus Solutions

Anti Virus and Firewall programs are essential to the protection of any Windows computer that is connected to a network. These programs work together to monitor the flow of data through your machine and to give warnings or indications of what might not be “quite right”. While there are premium options available on the market, there is also a set of free tools that do a fine job of protecting the average user.

AVG Anti Virus offers a free edition that provides extensive virus protection with live updates and a nice user interface that allows at-a-glance confirmation that the program is functioning. While there are more features in the subscription version of this product, there is a very comprehensive program in the Free Edition:

(Screenshot: AVG Free Edition main window)

The update menu also has an automatic feature that allows for the “set it and forget it” freedom. Updating immediately will allow AVG to “phone home” and get the latest virus definitions before the first scan of your system. Once these updates are complete (a restart may be required), you’re ready to spend time in the Computer scanner menu setting up preferences and then scanning your system to ensure it’s clean.

(Screenshot: AVG Free Edition computer scanner)

It’s important to first set a scan schedule. Once you’ve got that done, scan the whole computer. This will take some time. Grab a cup of coffee (or my preference, a Monster Drink) and find something to kill some time with. If your Windows partition has any chance of infection (i.e., this is NOT a fresh install), then you’ll want to check in periodically to ensure you’re not prompted to address any juicy discoveries. After the initial scan of your machine, you’ll have FREE, real time protection against a good portion of the software threats facing home users today.

Comodo Firewall

Yes, it’s true Comodo offers an “all in one” solution which is a firewall AND an anti virus in one package, but I’ve always been of the mind that my proctologist shouldn’t be doing my mechanic’s work and vice versa. AVG has been my go-to anti virus for some time and it outperforms the other freebies while still offering a very easy to use program, and Comodo makes for a great firewall, so I recommend exactly that in Comodo’s Personal Firewall Free Edition. This means it will be important NOT to install the anti virus that comes with the Comodo package:

(Screenshot: Comodo installer with the “install anti virus” option unchecked)

This is VERY important because having more than one anti virus program running at once can cause them to conflict with each other, and they might not protect you to their fullest potential.

Once installed, spend some time learning the interface. Again you’ll want to allow it to update (which is an option under the MISCELLANEOUS menu). When the update is complete, the firewall will want to scan your system. This again sets a baseline by which Comodo can assess future changes, so it can alert you and get your permission before they take place.

After the initial scan, you’ll want to spend some time doing typical tasks to let the firewall learn from you. Comodo pops up alerts from the system tray with an outline of a detected action. When you’re teaching it something new, you’ll want to allow the action and usually to “Remember my answer”. It’s a good idea to read these alerts and thoroughly understand this interface to ensure your firewall is functioning properly. This learning period tends to be tedious, but is necessary for the full benefit of “educating” the firewall. Notice the “Treat this application as” option. This puts the firewall into an “installation mode” which will let software be updated or installed without asking permission for every single change.

(Screenshot: a Comodo firewall alert)

Once Comodo learns your typical activities, you’ll rarely hear from it. The updater will ask permission to phone home and it will alert you of any odd looking traffic, but in reading the alert you should get a good understanding of whether you want to allow it or not. I actually use the Firefox add-on “Malware Search”, which adds right-click menus that link you to Process Library, System Lookup, and Google, where I’ll search down anything I don’t recognize. If it’s unidentifiable, it doesn’t get through.

Secunia Personal Software Inspector

Secunia PSI is an invaluable tool to the home user. In a nutshell, this program will monitor your system for any available updates and let you know. It’s like a central command and control center for all your software. PSI will advise you of new updates, and re-evaluate to ensure you’re fully covered.

(Screenshot: Secunia PSI scan in progress)

After scanning the computer, PSI will ensure all programs are up to date and will set the process in motion to address any that might not be.

(Screenshot: Secunia PSI scan complete)

These free tools will set a solid security foundation on any home computer. These things are necessary today in a cyber world where identity theft, spam, and botnets are rampant. It’s us against them and we shouldn’t allow ourselves to be easier targets than absolutely necessary. The MSI team will continue to search out ways of protecting and educating the good guys while thwarting the bad guys.

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This makes the vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.
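Before you can disable WebDAV you have to know which of your servers actually have it turned on. The following script is an added example for that inventory step; it is not code from the original post. It reads the DAV compliance header and the WebDAV-specific methods from an HTTP OPTIONS reply, either from a captured response or from a live request to a server you administer. The two sample replies and the server banner in them are constructed for this example.

```python
"""Check whether a web server advertises WebDAV in its OPTIONS response.

Added example, not code from the original post. Both sample replies below
are constructed; they are not captures from any real host.
"""
import http.client
from typing import Optional

# Methods defined by WebDAV (RFC 4918) rather than by base HTTP.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def summarize(status: str, allow: Optional[str], dav: Optional[str]) -> dict:
    """Reduce an OPTIONS reply's status line and two headers to a verdict."""
    methods = {m.strip().upper() for m in (allow or "").split(",") if m.strip()}
    dav_methods = sorted(methods & WEBDAV_METHODS)
    dav_header = (dav or "").strip() or None
    return {
        "status": status,
        "dav_header": dav_header,            # e.g. "1, 2" when WebDAV is on
        "dav_methods": dav_methods,          # WebDAV verbs listed in Allow
        "webdav_advertised": dav_header is not None or bool(dav_methods),
    }


def parse_options_response(raw: bytes) -> dict:
    """Summarize a raw OPTIONS response captured on the wire (headers only)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return summarize(lines[0], headers.get("allow"), headers.get("dav"))


def fetch_options(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> dict:
    """Send a live OPTIONS request to one of your own servers and summarize it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}"
        return summarize(status, resp.getheader("Allow"), resp.getheader("DAV"))
    finally:
        conn.close()


# Constructed sample replies: one with WebDAV enabled, one without.
SAMPLE_WEBDAV_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_WEBDAV_OFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    for label, raw in (("webdav on", SAMPLE_WEBDAV_ON), ("webdav off", SAMPLE_WEBDAV_OFF)):
        print(label, parse_options_response(raw))
```

Run it against each IIS host you own with fetch_options(hostname) and feed the results into your asset list; any server that reports webdav_advertised as True but has no documented need for authoring is a candidate for disabling the feature until a fix ships.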

Flu: Facts and Advice


The 2009 version of the Swine Flu has already hit the U.S., and it looks like it could be a bad outbreak. There have already been more than 300 deaths among the 1,600 reported cases in Mexico, and cases of the Flu will undoubtedly turn up in more U.S. States over the next several days. Here are some facts about the Flu, pandemics and contagious diseases in general that may help you and your business better prepare for a serious outbreak:

Pandemics are defined as epidemics or outbreaks in humans of infectious diseases that have the ability to spread rapidly over large areas, possibly worldwide. Several pandemics have occurred throughout history and experts predict that we will experience at least one pandemic outbreak in this century. Although avian flu viruses are currently the most likely disease vector to cause a pandemic, in reality any highly infectious drug resistant disease could lead to a pandemic outbreak.

So how can Flu viruses spread? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.

Another thing you can do that really helps is wear a face mask. Even though individual viruses are small enough to go right through the pores in a normal face mask, it is not true that you get the flu from individual viruses; you get the flu from droplets of moisture that contain and protect thousands of virus cells. So if you want to keep from getting the flu, wear a mask. If you have the flu and don’t want to give it to others, wear a mask and cover your face when you cough or sneeze.

There are also a number of different things that can kill microorganisms like flu viruses. Ultraviolet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. For example, counter tops or glass surfaces or plastic objects won’t support microorganisms as long as there is no moisture or grease on the surfaces to protect the cells. Microorganisms also cannot exist in freely flowing water. And finally, microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? One way is to implement the advice above. When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. You should also remember that you can be infectious 24 hours before symptoms appear and you will continue to be contagious for about seven days after symptoms do appear. So if you know you have been in contact with someone with the Flu, or if you are feeling ill yourself, stay away from other people as much as you possibly can. Have your employees do any work remotely that they can. If they can VPN into the network securely or use the telephone and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive up windows. Insist that employees that have the flu stay home. No matter how important an employee is to the business, find some way to work around them or use their services remotely. And finally, make sure that your business has good written operating procedures in place, and that your employees cross train with each other on a regular basis. This will be a real help in times of great absenteeism.

Malware Attacks Through Ads On The Rise

Traditionally, we thought malware spreading ads were relegated to the sketchy dark corners of the Internet. Lately though, malware spreading ads have increasingly popped up on sites such as eweek.com, bostonherald.com, and foxnews.com.  How is this happening?

In this case, it’s not a vulnerability on the sites in question. The attackers have turned their attention to the ad networks themselves. In some cases, attackers are submitting ads to the ad networks and having them served. In other cases, it seems that the ad networks are suffering from vulnerabilities that are being exploited, allowing the attackers to insert malicious code into otherwise legitimate ads.

The malicious ads are doing a variety of different things to attack the end user. The most recent one makes a popup that looks very much like the real Windows Security Center, claiming that your system is infected with some large number of trojans and viruses. The ad claims that it can ‘fix’ your system by installing a tool. Ads have also been seen that were sending a PDF that contains exploits for the recent Adobe Acrobat vulnerabilities.

The best defenses against these attacks are the tried and true measures. Make sure your OS, browser, and all software is as up to date as possible. Using anti-virus software, as well as regular anti-malware/spyware scans, will also help. Consider using a tool such as Secunia PSI to help make sure third-party apps are up to date. Always use safe browsing sense: don’t click on anything suspicious, even if it’s from a website you would normally trust. Remember, there are no safe websites.

Picture with a Bee Contest – Win FREE HoneyPoint!

That’s right! Send us your picture taken in a “security-related pose” with a stuffed, bee costume or bee-related item and we will pick the winner of a FREE license for HoneyPoint Security Server!

(Photo: BuzzbyMSI.jpg)

Just like in life, style counts, so get your ideas together and send us those pictures! Our judges will pick the winner on April 30th, so get your pics in before then. Imagination, security details and fun will be the key to your success. Three runners up will receive FREE licenses for HoneyPoint Personal Edition!

You can send your pictures via email to: hppics@microsolved.com

Remember, we reserve the right to publish all submissions, so make sure you are OK with that before you submit. 🙂 The contest closes and winners are picked at noon on April 30th, 2009. Enter as often as you wish; the odds of winning depend on the number of people entering. Have fun!

3 Great Resources for Learning About SQL

My technical team has been training some new engineers and have been focusing on SQL injections for the last couple of days. They wanted me to share some great resources that they have found and have been told about to help with learning the basics of SQL syntax and such. They are currently working on compiling a set of vulnerable platforms and system images to create a deep lab environment with many examples and test scenarios in which to sharpen their skills and test new techniques and defenses.

The first site that they like is SQLZoo.Net, which is a gentle online introduction to SQL. It is perfect for those who took a SQL course long ago, or who are in need of the basics. It is a quick refresher and instructor of SQL syntax, processes and command basics. This basic education lays the groundwork for them to understand SQL queries and reverse engineer the instructions that are in place as they perform SQL injections. (Thanks to @tnicholson for the pointer to this site!)

Second, they have found the book Hacking Exposed: Web Applications Second Edition to be very helpful. The explanations about, and the examples of, SQL injections really helped them “get it”. Once they walked through this, side by side, with members of our penetration testing team, they really made huge strides and were able to immediately employ the examples in the lab. Thanks to the authors for their great work on this book. The entire Hacking Exposed series is simply fantastic for training up and coming security engineers!

Lastly, with special thanks to OWASP, the team found the use of the WebGoat tool to be amazing. This is an interactive web mechanism for stepping through a variety of basic attack patterns. While not complete, in and of itself, for real application penetration testing, it is a great educational tool and makes for great training examples. Our team spent a good deal of time learning to communicate and demonstrate the issues in WebGoat to a mock set of upper management folks who were role playing their parts. Our team members must be able to clearly, concisely and expertly communicate technical issues to non-technical folks, so this makes a great platform for training.
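For new engineers working through the resources above, the single most useful thing to see side by side is a query that splices user input into the SQL text and the same query with the values bound as parameters. The script below is an added example; it is not code from the original post, from SQLZoo, from the Hacking Exposed book or from WebGoat. It uses Python’s built-in SQLite driver, a constructed two-row accounts table, and a constructed login input to show why the first form can be steered by its input while the second cannot.

```python
"""String-built SQL beside its parameterized form.

Added example, not from the original post or any of the resources it names.
The accounts table and the login inputs are constructed for this demonstration.
"""
import sqlite3

# Constructed sample accounts. Passwords are stored in clear text only to keep
# the example short; a real application would store a salted hash instead.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "battery staple", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text.

    Whatever the caller supplies becomes part of the query grammar, so a quote
    character in the input changes what the WHERE clause means.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: the SQL text is fixed and the values are bound separately.

    The driver hands the values to the engine as data, so a quote in the input
    is just a character to compare against the stored column.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run both lookups with a correct password and with a query-altering input."""
    conn = make_db()
    # Constructed input that closes the open quote and appends an always-true clause.
    altering = "' OR '1'='1"
    return {
        "vulnerable_good": lookup_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_altered": lookup_vulnerable(conn, "alice", altering),
        "param_good": lookup_parameterized(conn, "alice", "correct horse"),
        "param_altered": lookup_parameterized(conn, "alice", altering),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup with the altered input returns every row in the table, because the resulting WHERE clause reads as (username matches AND password is empty) OR a constant that is always true; the parameterized lookup returns nothing for that same input, because it compares the literal string against the password column. That contrast is the lesson the training labs are built to teach, and it is also the review question to ask of any code that assembles SQL from strings.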

Thanks to all who helped by suggesting resources, and thanks to the new techs for keeping their concentration so high. Our experienced engineers did a great job of bringing the new team members to the first floor; now they are showing them how to keep climbing toward the top. Great work!

If you would like to hear more about SQL injection, application security testing or would like to hear more about creating training/labs for SQL, please drop us a line.

Thanks for reading and I hope this gives you a pointer in the right direction to learn more about the basics of SQL injections!