Monday, October 19, 2009

Chain of events

When thinking about security, one of the things that are hardest to grasp is the way things are linked together, and of course, the ingenuity of criminals. One small thing can lead to disasterous results in ways a normal person could not even imagine.

For example, a well known story is about a family that went to a public event, and parked their car in the parking lot, like everybody else. The car was a piece of junk, so there was no reason to steal it, and therefore, the owners didn’t install any protection. When thieves broke into it, they weren’t even interested in the car itself, but instead, they stole the GPS that was in it. No…they didn’t want the $50 they could hawk it for, but instead, they just put it in their own vehicle, and pressed “go home”. Thirty minutes later, they were in the driveway of the car’s owner, and entered the house using the remote they also found in the car. I guess there’s no need to detail the resulting mess.

There are several preventative measures to prevent this kind of thing (the simplest would be to set the HOME location on the GPS at a point that’s actually a mile or two from home, or not at all), but the point is that everything can be used for bad deeds, even if it is worthless in itself. Knowing where you work, for example, will allow a clever social engineering hacker to squeeze some info from your co-workers. For example, when you are going on vacation (which would be a good time to hit your house) or what days you stay late at the office.

What can you do about this? Unfortunately, not enough. The criminal mind thinks differently than us, normal people, and even amongst the crooks, there are the more devious kind. A good practice is simply to pretend to be a bad guy for a day. Sit in your car outside your home or office, and try to come up with a way to break in. Sit at your computer, and think how YOU can bust into your boss’s computer, and then try to figure out how you would block him from doing the same to you. Some of us just can’t do it – too old to think outside the box, but you might also try having your kids suggest thoughts.

Thursday, August 20, 2009

Cloudy weather

There’s been a lot of talk in the industry recently about software-as-a-service, hosted services and cloud computing. Getting rid of the burden of managing servers and messing around with hardware seem charming, and has a lot of financial and administrative advantages, but is it SAFE?

Well, most of the stuff I write about here warns people that this or that is more dangerous than it appears, but this time, it’s quite the opposite. Cloud technology is actually is safer than the alternative in most configurations.

The thing about hosting services is that it takes away the hardest thing to control – physical security. I discussed this in my blog about thin clients – a physical computer or storage container is a sensitive thing. Cell phones and laptop theft is pretty obvious, but standard servers are also sensitive to some abuse. Even though most companies keep the servers in a secure room, not everyone can afford proper security, and even when a company can, the design is often imperfect because IT personnel are rarely trained in physical security. They might think a cardkey lock is secure, forgetting that the glass door or windows can be easily broken. They might setup alarms, but not be able to afford an onsite guard that can react fast enough in case of burglary. They might install smoke detectors, but miss out on proper fire extinguishers or water drainage infrastructure.

Also, having your own servers require some serious maintenance. AV updates need to be monitored, software updates installed, and security hardening needs to be done, and kept up regularly. Even though technologies like SMS are easily available, many companies don’t get them because of costs, and even with them, the massive resources on servers are a major honey pot. Many sysadmins are tempted to put some of their MP3s or movies “temporarily” on the file server, simply because it’s an easy plug until they come up with the cash to expand their own HD. Having this type of data would often be overlooked, but it may also expose the company to legal challenges or a virus infection.

While cloud technology is not yet perfect, and certainly does not fit every client or every scenario, it can have an important boost for the company’s security. Naturally, attention has to be given here as well, as a small or Startup Company that delivers hosted solutions might be riddled with the same problems, but with some major players entering the market in recent months, this is a great opportunity to get secure while reducing costs.

Friday, July 31, 2009

Is it safe to talk?

the short answer is NO, but the longer one depends a lot on you. Voice mail systems are pretty much standard all around, but few people realize what a security risk they can pose. On the surface, a phone seems pretty harmless. What are they going to do? Leave me a threatening message? Well, maybe, but that's not the danger.

Most people choose to leave a custom voice message on their voice mailbox. Something like "Hi, you've reached James Voca, IT manager for Pirulo systems. Please leave your message and I'll call you back" seems pretty ordinary, doesn't it? Well, for an employee giving you a call, it is, but if someone outside calls in, you just informed him or her which company it is, what's the name of the IT Manager, and how he sounds like. In the wrong hands, this data is very valuable. A type of hacking known as "Social Engineering" focuses on using peoples tendency to behave socially can use exactly that. A social engineering hacker would typically call employees of the company on the phone, and try to get them to give out sensitive data or access. With the info from this mailbox, the hacker can pretend to be the IT Manager, and influence others. Many users will recognize the high ranking position holder and tell/do anything he wants. They would give him their passwords, let him take over their computer remotely and more. Here's a scenario:

Hacker: Hi Jane. This is James from IT. I'm at home and late for meeting - do you mind if I log into your machine to get a PPT I really need?
Jane: Sure, James
Hacker: Cool. I'm sending you an Email with a link - just click it and I'll be in and out in a minute.
Outcome: Hacker can implant a backdoor on Jane's computer, or just use it to get access to some sensitive internal servers.

How about another scenario:
Hacker: Hi Scott. This is James from IT. A guy from HB is coming in to pick up my laptop for repair - be sure to let him through, OK?
Scott (security guard): Sure thing, James.
Outcome: The hacker can waltz in the building, grab some laptop and disappear with it, causing both financial damage and possibly stealing important data from the computer.

This is not the only danger, of course. Most modern voice mail systems let people access them remotely. You would typically call yourself, punch in some PIN and can listen to your messages. Many people don't want to remember complicated numbers, and set the PIN at 0000, 1234 or the default (which is often one of these too). When this happens, anyone else can call into the voice mail, guess that number and listen to your messages. These would usually be just some nagging from your Bank, but they could also contain sensitive info. For example, it could be a message from your doctor about your blood work, a message from a vendor talking about things you purchased or worse. A hacker that knows how you sound like, and that you've just ordered 10 servers from can call them, quote back some "secret" info from the message, and divert the goods to his house. He can also call you, pretend to be the vendor and get you to let him in the building with the "servers", and a good opportunity to do some damage.

The lesson here is simple - don't think that the voicemail system is safe, just because it's not connected to your computer. In fact, your own answering machine at home could expose you personally to some dangerous elements. Does your message sound like "Hi, you've reached the Smith family at 2245 lake drive"? You're just inviting people to come over and clean up your house. I recommend taking four measures:

1) Have your PIN secure - no simple numbers, but ones that are chosen carefully, changed frequently and aren't easy to guess

2) Have your message give as little info as possible. A good one could be "Hi, you've reached Jack - please leave a message". Same thing at home - "You've reached the Cole residents, please leave a message".

3) Listen to your messages frequently, and delete them. right away. Don't leave messages to linger on your phone from Friday afternoon to Sunday noon.

4) When you are leaving messages to others, whether you are a vendor, a client, a boss or a subordinate, keep in mind that you can never know the level of security the other side keeps. Treat a message left like a note left on the door - others may read it. Keep sensitive info out of the message, and just call back later.

Tuesday, June 23, 2009

The ups and downs of backing up

My experience is that any and every user appreciates the importance of backing up your stuff, but when it comes to actually doing it, almost nobody does it, and even some large organizations are failing at it. Backup failure isn't necessarily "not doing it at all", but can also mean that it's done improperly. A proper backup is such that a person or organization will never, under any circumstances, lose more than a day's worth of work. Before we even go there, I should stress one important fact - many users, and even experienced system engineers often confuse between backup and archive. Backup is when you copy your current data to another storage medium, so that if something happens to the original, you can restore it and not lose anything. Archiving is similar, but opposite - you copy your data to another storage medium, and then delete the original.

For example, many people burn DVDs with their older files and delete the originals, and most of them consider this a backup. This is, in fact, an archive, but few people are aware that a recordable DVD has a limited lifespan, and is very sensitive to physical harm. Putting your photos on a DVD and stowing it in the closet is not safer than storing food in the trunk of your car. Often, we discover this only in hind-site, when trying to recover a file from a disc burned 3 years ago, only to discover that it's partially or completely unreadable.

I believe network engineers won't need to read this, so I'm addressing this to the home user, mostly. For a backup to be worth anything, it has to meet some basic principles:
1) It has to be done to a media with at least SOME reliability.
2) It has to be done frequently.
3) It has to be stored in a place that is safe, but not too unreachable.
4) It has to be tested routinely.

What does all this mean? Well, 1st, this means you should not use a media that's unreliable. A writeable DVD, for example, has a low reliability rating, while a hard drive has more. That's not to say that a hard drive is bulletproof, but it's usually more reliable, and also easier to detect if it fails. This is because if it dies, you would usually be able to hear it, and respond by replacing it, while if a DVD stops being readable, you'll only find out when you put it in the drive. A high level tape drive, like an LTO or DLT is also very reliable, although these babies start at a few hundred dollars, so would be off the table even for some business customers.

A frequent backup is also important. Many users start this with full intentions of going all the way, but after a while, they kind'a give it up, and forget to backup for weeks or even months. Typically, you remember to do it right after your hard drive crashes, of course. A good way to avoid this pothole is to setup some automatic backup mechanism. If you use an external drive, for example, this can be done rather easily, and many external drives even come with the software. If not, Windows has a built in backup mechanism which is quite effective (especially the one that's in Windows 7!).

3rdly, if a lightning strikes your house, or a fire breaks out, the backup won't do you much good if you leave the DVDs next to the computer or leave the external drive connected. One should strive to keep the backup as far away as possible from the computer, although not too far. If you store it across town, you might have a good excuse to forget to backup. Also, if it's that far, you might become too lazy to drive over and get a file if you need it. A good solution could be to have a reciprocal agreement with a neighbor - you hold their drive during the week, and they hold yours. If you have an detached garage or storage shed, this could be good too (although, take care to prevent the drive from freezing or getting too much humidity).

Lastly, a backup that's untested will often fail you at the worst possible moment. You might discover that it hasn't actually run for over a month, or that some files are unreadable. A good practice is to test the backup around once a month. If you have a calendar like Outlook, you can use it to remind yourself to check it now and then.

One more thing - many people feel that buying a large drive just to store backup on is wasteful. In a way, that's true, but if you want to save some money there, you might consider getting a refurbished drive. These are inherently less reliable, but since you can easily detect if it stops working, it could be a suitable solution anyway. Also, keep in mind that you can activate folder-compression on it, as performance is less of an issue, and so use a drive smaller than your main one.

Monday, June 8, 2009

This car has more than 9 Lives

Most of us obsess about retaining our data - we buy large hard drives, burn countless DVDs and protect it all with RAID controllers and UPS devices. What many people care much less about is making sure that discarded data is really gone. How many times have you thrown a dead hard disk in the trash, wiping a tear for your lost files? Did you consider that a person with sufficient technical skill may grab it from the trash, recover the data and make some coins off it?

Well, the issue of data destruction has been the center of much debate. Most people are already aware that deleting a file doesn't really erase it - it simply deletes the reference to the file in the disks directory (I'm talking about actually deleting, not moving it to the trash, which doesn't delete anything), while the data is still there, untouched. A file that has been deleted can be re-created simply by finding it's 1st sector, and creating a file entry that points to it. Once you delete a file, it can be overwritten by windows, as it the system creates new files. the new files might overwrite some or all of the file's original sectors, which are now marked as free, but these sectors can also remain untouched for years.

Some people will go the distance, and actually format the hard drive before throwing it away, but this too is not sufficient. Restoring a formatted drive is more time consuming, but certainly possible. The US Department of defense probed this issue in the past, and produced a standard, known as DOD standard 5220.22, that instructs exactly what to do to erase data properly. Later on, there was some debate as to this was safe enough. Some expert claimed that you would need to overwrite the data over a dozen times, and that has been misquoted repeatedly in the press since then.

Security experts are very much concerned about erasing data securely. A company cannot risk it's commercial data falling into the wrong hands simply because somebody was too lazy and took a shortcut with the disk. Same goes for other types of media - DVDs, backup tapes etc. Even a lost cell phone could present a serious security breach, as it could include phone numbers of sensitive customers, sensitive emails or meetings etc. I would like to take this opportunity to debunk some myths about data destruction.

1) Hard drive demolition derby.
• A common method of destroying disks, by punching a hold through them, or banging them strongly with a hammer is far from secure. It's not easy to recover in this condition, but it's certainly possible.
• With modern IDE and SATA disks, using a 5220.22 secure erase software is very safe. there's no need to overwrite everything dozens of times. The need for that kind of rewrites referred to some very old MFM drives.
• Using software erasure is pretty slow, but it can be done unattended, so setting up some dedicated old computer for that is pretty easy. Just make sure no one tries to steal the old drives from that station.
• A very effective way to destroy a disk is to take it apart, and separate the plates from the other components. Dumping the plates in a different trash facility makes it pretty much impossible to recover.
• There is a technique that allows data recovery off a drive in almost any condition, but that process is so lengthy and expensive, that most experts would consider it irrelevant. Recovering data from a disk that was physically destroyed would cost so much time and money, that even government agencies don't bother with it.
• Take care to monitor old computers - many times people upgrade the disk and don't think of giving the old disk back to the IT group for sanitation. Some even take the old disks home, thereby exposing the company to huge risks. This also goes for computers that are being retired - don't sell them to 3rd party companies without either sanitizing them, or making sure that the buying company commits with a contract to do this to ALL disks.

2) Other media types:
• Recovering data off other media types, such as tapes, CDs, floppy's etc is rather easy, but these media types are also much easier to destroy. Even a little heat can totally kill an optical disc, and a strong magnet can kill a tape almost instantly. I would, however, recommend a process is used for this - don't just break a CD, and don't pop it in the oven - use a CD shredder, which costs very little these days.
• Users often overlook CDs as a potential security risk, and often throw them in the trash. A security officer would be wise to issue a recurring reminder to all employees to collect discarded CDs and DVDs and have the IT or security department dispose of them securely. This goes not only for data disks, but also software - if someone finds and uses an old copy of windows for illegal purposes, with the company's serial number, it could lead back to the company and carry legal repercussions.
• Many people carry around USB drives to take a file or two back-and-forth from/to home. This is a big risk as these drives rarely get formatted, and often are lost. I would recommend any organization introduce a security mechanism to block such devices altogether, or at least control them with a policy (for example, require to have them signed by corporate security before they are allowed in)

Tuesday, June 2, 2009

Click YES/NO to format hard drive

One of the problems we are still facing in the world of information security is that people still have a built in tendency to trust authority figures. If it looks "official" enough, most people will trust it and follow, like lambs to the slaughter. This caused the infamous "MS Antivirus" nag ware to be so effective - it's made to look like it was made by Microsoft, and most people just trust it and believe it's real.

A more interesting, and frightening case of being fooled by software is illustrated by the tale of G-Archiver. This free utility is designed to allow the user to backup his Gmail account to his local computer. Generally, this is a good idea, as one never knows when his account might be frozen or accidentally deleted. In this case, however, it has been discovered that the program works in a way that's insecure, to say the least, and borderline identity-theft. Apparently, the software is coded to send an Email back to its creator, with the credentials of any user who uses it (you are required to give it our credentials, so it can download all your message for backup). A programmer who investigated it discovered that the developer's Gmail account was full of user+password info for thousands who downloaded the used the program. Even worse, it also turned out that the developer embedded the credentials of this account (where the passwords are being sent to) in his code, so anyone with the right skills can access it and harvest all these users-names and passwords.

If you are one of those who used this software, now would be a good time to change your Gmail password. In fact, it's a good idea to change it once a month anyway, although I don't fool myself into thinking that any normal person will actually do that. Well, I hope that you at least change your PayPal password now-and-then. What's frightening here is that most of us, even experienced Sysadmins and security experts, trust programs we download to do what they say. Few, if any of us, check if a program contains spyware, and few have the skills to check for the kind of behavior mentioned above. Your credentials or private files could be circulating all over the net without you even suspecting it. On a similar note, many people install file sharing applications and share their entire drive, without realizing that all their personal documents are readily available for everyone. Want proof? Open up some file sharing program and run a search for "my cv.doc" - you will find many!

Some organizations have configured domain-enforced policies that prevent installation or even downloading of unknown software, but that's only been done within a handful of companies. If your org considered it, it was most likely rejected for political reasons - it's not easy telling everyone that they can't install anything on their computers anymore - it sounds fascist, doesn't it? If you ask me, this is already a necessary step right now, and it's only a matter of time before more security administrators or CEOs realize it and make it happen. At home, it's even worse as there are no mandatory settings. We have the technology to sign software by a trusted publisher, but hardly anyone uses it. Perhaps it's time, before the next wave of a Conficker-like worm hits all of us?

Tuesday, May 12, 2009

May I have your life, please?

Identity theft is far from new, but with the growing popularity of online accessibility, this has become a major risk that affects pretty much everybody. While most Americans are well aware of this risk and are taking several measures to prevent it, for others this is not so simple.

For Americans, the most common type of identity theft is a stolen password to an online service. If someone was clever enough to get you to hand over your password (with Phishing, for example), he can login to your account and if it's a bank account or PayPal, steal all your money. Another type of identity theft is stealing a person's Social Security Number. With that, a thief can gain access directly into things like medical records, bank accounts and much more. Most people are aware of this, and safeguard their SSN closely, but in other countries, this is not the case.

In Israel, for example, the equivalent of a SSN is the Identity Number, which is a 9 digit number assigned to each person when he/she is born. This number is unique, and will follow that person to the grave. It's printed on each citizen's Identity Card and drivers license and is the primary means of authenticating a person's identity. Unfortunately, the national identity card is notoriously easy to forge, which is why the Israeli government has been working on a smart-card based replacement. What's even more unfortunate is that the entire database of the Israeli population has been leaked to the public, and is freely available to anyone who knows how to download pirated music. In fact, this database, known as "Hipuson", "Shimoshon" or "Mirsham", has been going around for many years now. It's available on the Emule network, as well as many file hosting services, although the plethora of versions in the wild make it a little hard to find the most updated version. This database contains not only the full names and ID number of every living citizen in the state, but also their full address, birth date and parents name. With simple correlation, one can locate his parents, siblings, children and even his neighbors, and some versions of the database even have this function built in. Politicians, singers and other celebrities are not exempt, and their info is also included even if it was specifically redacted from the national phone directory. Using this database, anybody can choose a random person, or his enemies, and create a fake ID with their details and his/her picture. As I said, it is rather easy, and anyone with color laser printer, bitmap editor and laminating machine can do this. Once you have an ID card, you can access the targets bank account, his medical records and even sell his/her house and disappear with the money.

What can the Israeli citizen do? Basically, nothing. No one knows exactly how the database is leaked, but there are many parties who have access to it. When the Israeli Police started investigated this issue in March 2008, multiple breaches were detected, from unpatched servers to server-rooms left unlocked and unsupervised. Changing your ID number is not possible for a citizen, and this has been done only in rare cases where serious damage has been done to a person. In the recent report filed by the Auditor General exposes this outrageous conduct, but like most of these reports, it is likely to be completely buried or acted-upon very slowly. Perhaps the best solution is to keep your cash under the mattress?

Monday, May 4, 2009

Tunnel Vision

When waging our battles on the security front, most organizations just put all the big guns on the front line. We buy expensive load balancers to prevent D.O.S attacks, state of the art firewalls to prevent penetration, VPN products to secure our backdoors etc. Whenever some major threat comes along, everybody jumps out of bed, and rushes over to plug the hole, but at time like that, we often forget one of the oldest tricks in the burglars book - the diversion (a.k.a "Steaks for the dogs").

Unlike the movies, hacking into a network is not a wham-bam, thank you, ma'am deal. A hacker spends a long time conducting surveillance and gathering intelligence, and when he does move in, it will hardly seem like a commando attack. There won't be alarms ringing or security-doors closing and sealing people off in safe rooms, and no SWAT teams will show up with mega-phones yelling. More often than not, some minor file will be found to be missing or altered several days, weeks or months later, and that will lead to investigation that will show the break in. If you get that dreadful 4 AM phone call, telling you that the Firewall's alerts are all over the place, or that your security center detects multiple attacks, that doesn't mean that someone is actually attacking your firewall.

Just like a commando unit trying to break into an army base will distract the guards with some explosions at the front gate, while trying to sneak in through the back, a computer attacker will most likely try to get the entire security team to focus everything on the very visual notification mechanisms. He will use multiple mechanisms to trigger every possible alert on your security devices, and he will do it at past-midnight so that you and your security team will be tired, angry and less-effective. He will try to get you guys to spend as much time as possible blocking the DOS attack and plugging the holes, while he quietly sneaks in through some back door that's less obvious and less protected. You will find yourself running from server to server, trying to find your hands and feet in gigabytes of logs, and chances are you'll spend days on it. When things quiet down, you might find the actual leak or penetration, but by that time, the attacker will be long-gone.

If this has happened to you, don't be surprised. After all, most information security people are technology gurus, not military-trained commanders, and it's only normal to focus our attention on the most visible threat, just like a driver would focus his attention on the tree he's about to crash into rather than another car that's about to crash into him (that is referred to often as "Tunnel Vision"). However, there is a way to handle this, and that is by preparing properly. Your organizations security policy should have this scenario specifically laid out, and the team needs to be trained not to treat any alert as an alarm. One way is to assign responsibilities to people, and sticking to them. If there is a virus rampant on the network, the backup administrator shouldn't be told to forget about the backups "for now" and help clean up machines. On the contrary! He should continue his work and keep an eye out for anything suspicious or wrong with the procedure. If the firewall appears to be breached, the PC-Technician crew shouldn't be assigned to reviewing logs, but should continue to monitor the user-request queue. Maybe an innocent account lockout request could reveal an account breach that is masked by the pointless firewall attack? Perhaps the virus was unleashed intentionally on the network so that the attacker could have uninterrupted access to the data on the backup server?

Another technique that has worked well for the physical security industry is the emergency level system. A company could create an emergency level scale, and assign specific duties to each. If a file was found to be altered, that would raise the threat level, which would have people deflect some duties and investigate, but wouldn't throw the entire IT group into chaos and mayhem.

Friday, March 6, 2009

Do you trust me?

For most of us, the System Administrators, a.k.a Sysadmins, are life-savers. They reset our passwords when we forget them, recover our files when we delete them and sometimes give us a hard time about it. For corporate management, however, this kind of power can be frightening. An administrator would usually have access to every bit of information in the company, including every employees employment and HR data, personal email, and usually customer data as well. This kind of power, if abused, can cause irreparable damage to a company, but despite that, most companies interview and screen their sysadmin just like any other employee. If, for some reason, this employee becomes bitter or estranged, there's no telling what could happen, and there have been documented cases where entire companies have been complete destroyed intentionally by their admins.

Can this happen to your company too? Possibly. CEOs and CIOs have been looking for ways to counteract this sort of threat for a while now. There is a logical problem here - if you don't trust your admin, and appoint someone to watch over him, then how do you trust that someone to not break bad? After all, even CEOs have been known to go astray and stick their hands into inappropriate pockets. Who shaves the barber?

There is no simple answer here, but generally, the answer has two parts. The logical solution is separation of powers. You appoint at least 2 or 3 administrators, and try to make sure they don't become too friendly with each other so there's less chance of collusion. One way to go about this is appointing people who are a world apart - big age difference, for example. Then, add to that job or responsibility rotation. For example, one can be appointed to manage the finance department servers, while the other owns the engineering servers, and then rotate those roles every 3-6 months. This way, if one used abuses these resources, it will most likely be revealed upon the next rotation. Another good practice is the force the administrators to go on vacation on a regular basis (and YES, it's totally worth to give them an extra few annual vacation days just for that). When the admin goes on vacation, someone else has to take over, and that would usually expose any foul play.

The 2nd part is technological - Use some system to track and log activity. This serves two purposes - people tend to mess around a lot less when they know they are being watched, and that will affect not only administrators, but also regular users. Secondly, if someone does go to the dark side, at least there will be a way to check what's been going on, and have evidence in case a law suit or criminal charges need to be filed. One such software solution is Intellinx, and another is InFlight. These solutions can record user activity directly from the network, including keystrokes and screen output from every station in the company.

Is any of that foolproof? Of course not. A smart crook can always find some way to scam his way around, and the only answer to this is to carefully build a security policy that tries to address each and every possible threat - external or internal. Another important lesson to be learned here is that the system administrator is a very sensitive position, and should be screened appropriately. The screening process should include not only technical evaluation, but also personality and psychological testing, and it wouldn't hurt to have this monitored on a regular basis too, especially if a big change has happened in the company. If you had your sysadmin fire half his technicians because the company is tight on money, you can bet he's preparing for the possibility of him being next on the chopping board, and his preparation might include stashing sensitive data or implanting backdoors into servers. Also, keep in mind that even a small-time technician that you are hiring today to haul some printers around might end up being the sysadmin in 10 years. That means that those guys should also be chosen carefully, and reviewed once again upon getting promoted. And speaking of Admins, a fun thing to read is the old classic BOFM, which tells some tails of a particularly nasty sysadmin.

Thursday, February 12, 2009

Why does it keep coming back?

Conficker (a.k.a Downadup) is a nasty worm, no doubt about it, but even though it's been out for ages, it would seem there's just no way to get rid of it...or is there?

A lot of our customers seem to be getting this feeling. "We've installed patch MS08-067, and removed the worm using our anti-virus or the MSRT, but we keep getting re-infected, " they say. Some even reached the (false) conclusion that 08-067 doesn't work. Well, I can assure you that the patch works, but the worm has several clever secondary infection schemes that make it very slippery.

1. If even a single machine on the network is still infected, it will attack all other machines on the subnet consistently and try to infect them, so until every machine has been cleaned, this problem won't be over.

2. The worm penetrates target machines by using accounts with weak passwords. Resetting all domain passwords and local accounts is a good step. If that's not possible, then the SERVER and TASK SCHEDULER service should also be stopped. This is drastic, but only temporary, while the machines are being cleaned up. Once there are no longer infected machines, these services can be brought back.

This sort of step is a big problem for Server Machines, which needs the Server service to do their job, but sometimes this is what needs to be done. Think of it as quarantining a sick patient until his medicine kicks in.

3. The worm infects removable drives, like USB disks, so if an admin uses a USB disk to copy a removal tool to infected machines, he may be, in fact, contributing to the spread of the worm. This can be averted by setting the removable drives to read-only, if the drive supports it. If your drive doesn't, consider getting an SD with a USB SD Reader, as SD cards all have a read-only physical switch. Another option is to burn a CD with the tools and use it instead of a removable drive.

I've heard from several IT administrators that forcing users to use strong passwords is a problem. In certain environments, where the users are very non-technical or lazy, and have a hard time remembering passwords, this is indeed hard. However, even though resetting passwords for users is an annoying chore, the solution is not to let everybody off with empty or suitcase passwords (1111, 1234 etc), as this worm is specifically designed to take advantage of such environments. An alternative is to use a self-service password reset tool. With this type of thing, a user who forgot his/her password would use another employee's computer, or a designated Kiosk computer to reset his password. Here are several products of this type:

Finally, here's a step by step, for an IT administrator in a large organization:

1) Use a Startup script ( to stop the SERVER and TASK SCHEDULER on all domain machines:
Net Stop Server
Net Stop Schedule

Or better yet: Set these services to Disabled:
SC CONFIG SERVER start= "disabled"
SC CONFIG SCHEDULE start= "disabled"

2) Use the startup script to deploy the 08-067 patch to all machines

3) Use the startup script to deploy the MSRT in QUIET mode to all machines (

4) Reboot all domain machines to make sure that the patch and MSRT run on all machines (can be automated using the SHUTDOWN command)

5) Inspect your AD security log using Event Viewer, and filter for event ID 539 - this will tell you which machines are infected and need cleaning up.

6) Once all machines are clean, and 539 events do not appear anymore, re-enable the services and open the champagne bottles!

Wednesday, January 28, 2009

Bring in the troops

In recent weeks, the Conficker virus has been causing a lot of havoc everywhere – account lockouts, network congestion and a lot of headaches. People running Symantec anti-virus software know the same virus as “Downadup”, and that’s not the 1st time a Virus gets labeled differently by different companies. After all, there’s no single authority that investigates viruses, but that got me thinking – maybe it’s time we had one.

With things as they are now, it takes the anti-virus market some time to react to new viruses. Each AV vendor gets samples from its customers, analyzes them and issues signature updates to its product. Each vendor uses its own methodology to assign a priority, and as a result, some vendors take longer to react. In the Conficker case, for example, Symantec’s product is still unable to remove the infection today, almost 3 months since the virus’s first appearance. Even when an update is issued, it’s usually available only for customers of AV vendors, while users with AV software are stranded (We’ll discuss the stupidity of not having AV software on your computer another time).

When a new type of virus or disease appears in the real world, no one waits for Pfizer or Bayer to classify it and inform the public. In the USA, we have the Department of Health and Human Services and the CDC (Center for Disease Control), as well as other federal agencies like FEMA to help manage outbreaks. Since computer worms and viruses do have an economic impact, which could easily reach disastrous proportions (like in the case of worms such as MS Blaster, Code-Red and Sasser), I feel that this sort of thing should definitely be at-least shared by the governments of the world. A Federal Malware Research Center could bring some order to this wild field, and have the necessary resources to inform the public of new threats and how to manage them.

And another thing, while we're at it...we should stop giving worms "cool" and distinctive names. Maybe if the latest virus was called "The Dumbass 1", virus writers were a little less proud of themselves. Now seriously, a malware's name is not a big deal, but it's sad to say that the press today is still glorifying viruses, thereby encouraging low-self-esteemed jerks to write them. Writing a virus is stupid and detestable, and this message should be delivered clearly whenever the issue is discussed in the media - no discounts or exceptions.

Monday, January 19, 2009

Never take candy from strangers

Yesterday, my darling wife told me that she got a weird SMS about 9.99$ and she's not sure what it is. Turned out it was from some IQ-Test she took online on FaceBook. When she completed the test, she was asked for her phone, to which her score was sent, along with the message that she just subscribed to a 9.99$ a month service. Clearly, this is a scam, but my sweetheart never thought that something from such a reputable source like FaceBook could be harmful.

"This is exactly how the 1st nasty Viruses/worms started to spread", I told her. A worm would harvest his victims address book, and send itself to all of his recipients. The guy's poor friends and family members would think that this, coming from a friend or family member, must be legit, but of course, it wasn't. Later on, some worms got even cleverer, and spoofed the source address to be someone else from the list, so that the victims could not know who of their close-ones is really the source of the infection.

Luckily, some people have learned to beware of wolves in sheep's clothing, and others are protected by more secure software that wouldn't let them open attachments, but the success of that "service" and others like it shows that apparently, many people still fall for that old trick. Well, if you, or your close ones think that since FaceBook is a legitimate site, then everything on it is too, think again. Pretty much anybody can upload data to FaceBook or write an app for it, and although the site has a lot of security features, it's far from secure. This specific application gives you an IQ test comprised of 10 questions (I won't waste your time with explaining why such a test is closer to guessing your IQ that actually measuring it) and asks for your phone number. To that phone, it sends a confirmation code that you need to punch in to the website, which then sends you an SMS with your so-called IQ. By entering the code, you are actually agreeing to be subscribed to a service that charges 10$ a month. Although this is written both on the website and on the SMS message, some people might miss that, or misunderstand it. Many wouldn't notice another 10$ charge on their cell service bill, and some people are making millions on those people's back.

This type of story shows why information security is more about security than information. Although this is propagated by computers, it could just as easily be done via just the phone, through an interactive TV channel, and many others. Even if you don't like computers, or maybe ESPECIALLY if you don't like computers, this poses a real risk. Not only can you be billed, you can never know for sure where your info will end up in. Maybe tomorrow you'll be flooded with 20 SMSs a day, advertizing the current Viagra or Rolex, or maybe be part of an identity theft operation. The most important lesson here is this: FaceBook is NOT your friend, and neither are MySpace or any other web service. Always assume the worst about an information source, even if you've used it for years and it was great otherwise. The bad guys, or "evil doers" as W likes to call them, are all around, and they will keep on finding new ways to separate us and our money. Just make sure it's not you, and I might also suggest educating your friends and loved ones too.

Monday, January 12, 2009

The human factor

Many companies base a significant part of their manpower on outsourced workers, and this is an effective way to conveniently manage human resources that enabled financial efficiency in most cases. An aspect that many managers tend to forget is the issue of security. Are outsourced workers a source of danger to the company?

This post will anger many readers, I’m sure. After all, millions of people make an honest living as outsourced workers and many companies depend on them. However, the truth must be told, even if unpleasant. Outsourced workers could be a major security threat for the organization in many cases, and history records quite a few cases of serious damage suffered by companies that didn’t take the appropriate measures. No, I’m not saying outsourced workers are treacherous, bad or dangerous. In many cases this is exactly the opposite, because employees whose position is not secured as full-time employees will often outperform others to demonstrate their worthiness. However, the outsourcing model causes workers, esp. in the maintenance field, to be exposed to certain risks.

One problem stems from the fact that outsourced workers usually make a lot less money than FTEs. The economic pressure causes these employees to be an easy target for industrial espionage. For example, a known case involved a cleaner who was offered a significant amount in return for a daily visit to the floor-printers of his organization, and collecting the printed matter that was left there by other employees. These print-outs are of random content, but frequently include sensitive material, such as email correspondence, financial reports, future-product info etc. Such a random collection could be extremely valuable for hostile parties, both for industrial espionage and infrastructure penetration. The sum that was offered to that employee was larger than his monthly salary, and you’d be hard-pressed to find people who make 2000$ a month and can resist such a temptation. For some of them, this is a unique opportunity to finally get out of debt.

Another problem is that managers often ignore outsourced workers when thinking about their employees, and these workers are often excluded from routine activities. Often they don’t receive email that is sent to other employees (if they even have an account) or invited to events and lectures with the rest of the company. These employees might miss the companies’ procedures about information security, simply because these were never given to them in an orderly fashion. This is less obvious for technical staff, but in case of the cleaning crew, administration etc – these people are usually with the company for short periods and often do not receive thorough guidance about the procedures and guidelines. An FTE, for example, is often assigned a mentor or “buddy” for a while, who helps him get acquainted and learn what is permissible and what is not. A cleaner or security guard, on the other hand, often finds himself alone, trying to distinguish right from wrong by randomly asking co-workers or guessing. Such an employee might think that using another’s computer for surfing the web is a reasonable thing to do, just like making a phone call from someone’s phone is legitimate and common. In most companies, a phone call costs money, but is not dangerous. Web surfing, on the other hand, could introduce spyware or a virus to the computer, and that is less pleasant.

It’s important to stress once again that the purpose of this is not to impeach all outsourced workers, but to stress the great importance of them to the “system”. This requires that they be treated as equals. Even a temporary and low-ranking worker must receive a detailed guide, including the nuances of working at the company, and stressing the aspects of information security and security policies. Besides clarifying the importance of protecting the company values, such sharing of information could strengthen the bond between the employee and the employer, and reduce the temptation to cross the lines. Let’s not forget, by the way, the full timers could cross the same lines and there are many recorded incidents where even high-ranking officials succumbed to external pressure, or simply prepared a nest for a rainy day. This leads to one conclusion – there is no alternative to professional risk management procedures, which include identifying risk sources and plugging holes on a personal and systematic level.

Friday, January 2, 2009

Is it safe? Not if you're Jewish!

The fighting in Israel in the past days is having an impact on the cyber world as well. This time, two major Israeli sites - Ynet and Discount Bank have been defaced.

When the fighting between Israel and this-or-that Arab faction breaks out, as happens once every few months, national hackers from around the globe have an excuse to waging some cyber war. This time, a group of Morrocan hackers called "Team Evil" has mounted a successful attack against two major Israeli sites. The two sites are the site belonging to Discount Bank, one of Israel's largest banks, and the other is the English version of YNet, Israel's 2nd largest web portal, operated by Yedioth Aharonot, Israel's largest daily newspaper.

The defacement shows some graphic images of dead terrorists, accompanied by anti-Israeli text. At 1st, this was thought to be a simple deface, but turns out the hackers actually brute-forced the passwords to the accounts of the sites on the Israeli hosting provider and domain registrar DomainTheNet. this allowed the hackers to impersonate the account holders and modify the DNS records to point to another website, without ever actually penetrating the original website.

This sort of attack is much easier than cracking the original websites, which are very secure, but ironically, harder to resolve. DNS modifications take time to propagate throughout the world - as long as 48 hours, so it took quite a while until the hack got noticed. When it was fixed, again, it takes a while to propagate so currently, quite a lot of users will still get the defaced page and might continue to be affected for over a day.

This breach illustrates the importance of creating a complete security policy. A company can invest millions in securing it's web farm, but a minor overlooked password could lead to an effective attack. The lesson is simple - when securing a resource, we must take into consideration every aspect of its security. In this case, the person who created the domain account with DomainTheNet simply chose an insecure password (which is a secondary lesson in this case) but there are other, simpler ways to bypass security. For example, making changes to a domain directly with ISOC, Israel's Internet Society and main registrar involves submitting a request via a web form, and then completing the request by sending a fax. The web form has virtually no security, and forging a fax of this nature is also pretty easy. Another example: Many companies rely on Email a primary, or even the only way to communicate with customers. Hacking a user's mail account is usually pretty easy, either by using brute force or calling the ISP and resetting the password, and once you have someone's email, you can use that to reset passwords of most other accounts that the user has. In short, there's an old expression to keep in mind: The chain is only as strong as its weakest link!