Horsing around at ShmooCon

February 6, 2012

Filed under: More Knowledge - More Security


Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security faces an operations challenge, not merely one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day that people don’t do the right thing; this is the fundamental reason most people get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable.  Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.

December Security Updates

December 20, 2011

Filed under: More Knowledge - More Security


Another month, another collection of patches and fixes you should install. This month we cover Adobe, Microsoft, VMware, Oracle, Opera and Android.

Adobe
Adobe has released patches for Acrobat and Reader … again. As before, these updates address flaws that allow attackers to take over a system by simply directing the user to a PDF file. Like we’ve seen throughout the past year, if you’re running Adobe Reader X, you’re far better off than if you stayed on 9.  (If you’re on 7 or 8, be aware those systems are no longer being maintained and are even riskier.) See details here and here.

Any file can be a potential source of compromise, but as the PDF format becomes increasingly complex, it is increasingly used as an attack vector. If you don’t have a patch process built around Adobe products, you are not only taking a huge risk, but you’re likely already infected. Modern anti-malware systems do a great job of protecting against this sort of threat, but expecting them to cover for the negligence of not patching is like expecting to put out a forest fire with a hand-held extinguisher.

In other Adobe news, there is a problem in Flash that we don’t know much about yet … except that Adobe hasn’t patched it yet. What little we do know about this problem is documented here. Needless to say, when you’re building that system to protect yourself from PDFs, best work Flash patching in, too.

Finally, problems have been found in Flex and ColdFusion. These have been patched and, thankfully, do not seem to require a recompilation of your applications. If you’re running a ColdFusion system, please read the technote here and pay close attention to whether you’ve installed the APSB11-14 Hotfix. If you do not have admin privileges to your ColdFusion server, you can use this technique to pull out information to give to your admins.

Microsoft
Microsoft sure believes in 2011 going out with a bang. Thirteen updates came out last week, eight of them critical. We get a nice mix of remote code execution and privilege escalation, which means “game over” for anyone hit by the two chained together. Problems with TrueType fonts and Excel files are being actively exploited. As usual, the best details are over at the SANS Internet Storm Center. Please patch ASAP.

I also want to take a few minutes and point you to some interesting facets of the Microsoft articles that accompany these problems. Normally, Microsoft hides some information deep in the alerts about workarounds, but they’re usually not very useful. This month, however, is quite different.

- Microsoft has had a history of problems with reading TrueType files. Odds are MS11-087 is not the last patch for this issue. If you want to disable all embedded font functionality, see this workaround. You’re basically blocking access to the embedded font system by setting ownership and access control lists. Note that it will break the ability to generate PDF files from Word.

- The problem with Pinyin IME only affects Chinese versions of Office … and those that installed the optional input method. If you’re the type of person that loads all options just to have a “complete” install, be aware this places you at risk. The more pieces you have in a system, the more options an attacker has to take advantage of you.

- The workarounds for Publisher all read: “Do not open Publisher files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.” This is common verbiage in Microsoft articles. By now, I think we all know users are going to click on stuff. So, better advice might be “If you don’t need Publisher, don’t install it.” This also applies to Word, Excel, PowerPoint, Access, Project, OneNote, Picture Manager, etc. Megapackages like Office come with lots of parts and if you don’t need them, don’t install them.

- The problem with Windows Media Player allows an attacker to take complete control by sending you a .dvr-ms file. Do you need to play .dvr-ms files?  I know I never have to. You can block this entire format by following the instructions here.

- MS11-094 involves loading DLL libraries over a WebDAV share. Microsoft has been having trouble with WebDAV since 2004. If you don’t use this feature (and unless you’re running SharePoint, you probably don’t), you may just want to turn it off. Details on doing this are in this workaround. The easiest option is just to disable the WebClient service.

- Hidden in the same MS11-094 bulletin is an instruction on how to use the Microsoft Office File Block policy. If you work in a high-risk organization and have updated to modern versions of Office, you can drastically reduce your risk by blocking old Office file types. Details here.

- Similarly, you can block file types that fail validation. As detailed in this workaround from MS11-096, the most common types of files used to spread malware to Office simply won’t be openable. Ask yourself whether you really need macros in old Office formats. I know I don’t.

Oracle
Even if you’re not running their database, you are likely still affected by Oracle updates. Since they purchased Sun, Oracle is now in charge of creating Java patches. Java is behind only Adobe PDF and Flash as the most exploited software. You should be patching Java just like Adobe, and if you’re not (as I mentioned above), you’re likely already infected. The Oracle release notes are here. A list of bugs fixed is here.

VMware
There is a relatively minor update to VMware Update Manager 4.x. I am only mentioning it here because many people are still not in the habit of patching VMware. Remember, infrastructure (VMware, Cisco gear, hardware appliances, etc.) is really just servers and needs to be maintained the same way.

Details on the VMware issues are here.

Opera
For those who use the Opera web browser, note that it has been updated to version 11.60. This update includes a fix for problems involving the BEAST attack. Details are covered here.

Android
If you are running an Android phone, be aware that malware has jumped 472% since July. Sadly, there is little we can do about this other than taking basic precautions. I recommend you at least run the free version of Lookout. If you’ve rooted your phone, try to limit where you install apps from and run DroidWall to keep your apps from being too chatty. I’ll work up a guide to a more secure Android device sometime in 2012, but the above advice should tide you over for the time being.

If you’re supporting devices professionally, there are some non-free options that help out a lot. Feel free to contact us for more details.

The FREE Southwest Airlines tickets scam

December 15, 2011

Filed under: Technology


Nothing in life is free … ESPECIALLY on the internet.

Unfortunately, many of us fall prey to this false belief and trust the faceless person on the other end of a “too good to be true” offer. The latest example I’ve witnessed is the “two free Southwest Airlines tickets” scam on Facebook.

I can’t tell you how many times I’ve seen this spam flash on my Facebook status feed (the above image was snipped from my feed this morning). I’d like to think I hang out with a fairly bright crowd, so I’m a bit surprised many of my friends have been this gullible. But if you think about it, the hackers are using a pretty appealing recipe for success.

1. Identify something everybody wants – airline tickets
2. Take a brand people trust – Southwest Airlines
3. Exploit today’s difficult economy by offering the bait for free

We all know most Americans are struggling to get by, so the thought of two free airlines tickets is mighty intriguing. Who wouldn’t want the ability to visit family around the holidays without paying a dime?

Unfortunately, it is completely untrue. As much as most travelers like Southwest Airlines as a company, they are still a business and no business could afford to offer free flights to thousands of individuals.

So what does one receive instead? Well, you are taken to a false replica of the Southwest Airlines website which quickly transfers you to a sign-up screen. You then award these hackers with an abundance of personal information and the ability to post their propaganda on your Facebook wall in return for the “free” tickets. The only real thing you receive is an email inbox full of additional spam messages and phishing schemes.

Please be smart and remember … if you see an offer that appears too good to be true, 99% of the time it is.

* Have you fallen for this scam? It’s okay … here’s how you can fix it.

Angry Birds and Security

December 13, 2011

Filed under: More Knowledge - More Security


There are many exciting projects going on at RJS, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their constant downfall is that they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

Common flaw of pig-based construction

A more secure design

The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

Improved Attack Method Adapted To Environment

Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

Putting spam back in the can

November 29, 2011

Filed under: Leigh's Security Tips


In China, there is a large group of professional posters who are paid to write comments, gossip, information and disinformation on chat room boards, forums and blogs. For the right price, they’ll post literally anything you want. They’re called the “Internet Water Army” according to an undercover team of computer scientists since their intent is to flood the internet.

This raises major concerns for anyone who utilizes user comments as an opinion in their decision-making. Which comments can you truly take at face value?

As published in www.technologyreview.com.

When I research new technology and hardware products, there are only a dozen or so sites I trust to give me the real scoop on how the product compares to its competition. Like many other purchasers, I also base a substantial part of my buying decision on user reviews because they are generally unbiased. I feel confident in selecting a product that has both a positive review on a respected technology-based website and a base of users who openly praise the product’s capabilities on blogs, forums or comment sections.

Where people struggle is with sites whose only review process is via user comments, like the Official Android Market for instance. Occasionally an XDA Developer will review an app, but I’m usually on my own to dig through the user reviews and separate the wheat from the chaff.

It is in this situation where the Internet Water Army has the greatest ability to influence viewpoints and purchasing decisions. Am I reading a comment from a legitimate customer, or a paid poster’s review lampooning a good product or championing a piece of garbage?

Cheng Chen, of the University of Victoria in Canada, was able to infiltrate the Internet Water Army and work as an undercover paid poster. He and several friends captured datasets from two large Chinese websites and manually analyzed every posted comment to identify Internet Water Army behavior. Since these posters are paid on volume of fake comments/posts, many take shortcuts and simply copy and paste the same information over and over again.

Using this information, Chen and his friends designed a new anti-spam logic which filters out artificial paid poster comments. It can flag a comment based on how frequently a given user posts reviews, or other specific behavior patterns associated with prepared information or canned sales pitches. The impressive program achieved an 88% catch rate on its first attempt.

Now that’s an impressive use of technology!
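To make the two behavior patterns described above concrete, here is an added example (my own toy code, not Chen’s program) that flags comments by posting burst rate and by copy-and-paste similarity over a constructed set of sample comments; the user names, timestamps and texts are all made up.

```python
"""Toy paid-poster detector: flags comment bursts and copy-pasted text.
Added example, not the University of Victoria team's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample comments: (user, ISO timestamp, text). Not real data.
SAMPLE_COMMENTS = [
    ("alice",  "2011-11-01T09:00:00", "Battery life is decent but the screen scratches easily."),
    ("bob",    "2011-11-01T09:05:00", "Returned mine after a week, the GPS never locked on."),
    ("zhang1", "2011-11-01T10:00:00", "Best phone ever!!! Buy it now at the official store, amazing deal."),
    ("zhang1", "2011-11-01T10:01:00", "Best phone ever! Buy it now at the official store, amazing deal!"),
    ("zhang1", "2011-11-01T10:02:00", "Best phone ever!!! Buy it now at the official store amazing deal"),
    ("zhang1", "2011-11-01T10:03:00", "This app crashes less than the competitor, worth every penny."),
    ("li22",   "2011-11-01T11:30:00", "best phone ever, buy it now at the official store, amazing deal"),
    ("carol",  "2011-11-02T14:00:00", "Camera is slow in low light; otherwise solid."),
]


def normalize(text):
    """Lower-case, strip punctuation and collapse whitespace so cosmetic edits
    (extra exclamation marks, capitalisation) do not hide a paste."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def shingles(text, k=3):
    """Set of k-word shingles; short texts fall back to a single shingle."""
    words = normalize(text).split()
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 means identical wording)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def flag_comments(comments, max_per_window=3, window=timedelta(hours=1), dup_threshold=0.6):
    """Return {comment_index: [reasons]} for comments that look like paid-poster output.

    Rule 1 ("burst"): one user posts more than max_per_window comments inside any
    sliding window of length `window`.
    Rule 2 ("duplicate"): two comments share at least dup_threshold of their
    word shingles, whether from the same user or different users.
    """
    flags = defaultdict(list)
    parsed = [(user, datetime.fromisoformat(ts), text) for user, ts, text in comments]

    # Rule 1: sliding-window posting rate per user.
    by_user = defaultdict(list)
    for idx, (user, ts, _) in enumerate(parsed):
        by_user[user].append((ts, idx))
    for items in by_user.values():
        items.sort()
        for start in range(len(items)):
            end = start
            while end < len(items) and items[end][0] - items[start][0] <= window:
                end += 1
            if end - start > max_per_window:
                for _, idx in items[start:end]:
                    if "burst" not in flags[idx]:
                        flags[idx].append("burst")

    # Rule 2: near-duplicate text across all comment pairs (O(n^2), fine for a demo).
    sets = [shingles(text) for _, _, text in parsed]
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            if jaccard(sets[i], sets[j]) >= dup_threshold:
                for idx in (i, j):
                    if "duplicate" not in flags[idx]:
                        flags[idx].append("duplicate")
    return dict(flags)


if __name__ == "__main__":
    for idx, reasons in sorted(flag_comments(SAMPLE_COMMENTS).items()):
        user, _, text = SAMPLE_COMMENTS[idx]
        print(f"{user:7} {', '.join(reasons):17} {text}")
```

Both rules are deliberately crude; the point is that volume-driven posting leaves a signature (bursts and reused text) that honest reviewers rarely produce, and that a copy-paste check has to normalize text first or trivial edits defeat it.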

November Security Updates

November 15, 2011

Filed under: More Knowledge - More Security


It’s time for a quick review of important security updates released in November.

But before we get started, I want you to imagine your house, apartment, condominium… wherever you call home. Obviously you do not want random people entering this place, so you close the doors and lock them tight. Imagine your surprise then when you receive the following note from the company that makes your door locks:

ACME Lock Company is writing to notify you of a problem with the locks you’ve installed. Attackers have found a way to enter your house with no effort, but don’t worry, it’s only a problem IF YOUR DOORS ARE CLOSED.

Sound far-fetched? Well, that’s exactly what Microsoft did with MS11-083. This update fixes a problem where attackers can crash or take over a system through an attack against closed UDP ports … something every system has. The only difference between the Microsoft problem and my ridiculous house example is that you can patch the Microsoft problem, so please go patch.

Yes, now.  I can wait.

All patched?  Good.  Here are the other patches and fixes you should know about.

Microsoft
Other than the problem mentioned above, there were three additional patches. They are unlikely to be exploited en masse, so patch when you can. Odds are they were patched when you updated MS11-083, as directed above.

Adobe

Adobe updated Shockwave Player. Most people are running Flash these days, so if you have Shockwave, take a moment and ask yourself if you really need it. If you don’t, remove it and you’ll be a lot safer. If, however, you must run Shockwave, apply the update.

Adobe Air has also been updated.

Apple
Apple released a plethora of updates. As usual, there are many and you cannot pick and choose which ones to apply. They also don’t tell you which ones are critical, so you had better apply them all. One thing that is known: this update brings Java to 1.6.0_29.

Duqu
A new malware attack called Duqu hit the news recently. This is another example of the increasingly malicious sort of malware that zeroes in on specific environments. Supposedly based on Stuxnet, it leverages a fundamental design flaw in Windows to run code by manipulating the font system.

Use this or this to see if you’re infected. Visit here to apply a temporary fix from Microsoft.

WordPress
The TimThumb problem from earlier this year is still spreading through WordPress sites. Frameworks, like WordPress, Drupal and Joomla are not inherently bad, but you must keep them patched at all times. If you are using modules that do not have active updates, they should be replaced. If you don’t know if this is the case, ask your administrators or hosting company. If they don’t know, it might be time to bring in some outside help.

As always, if you need assistance with any security issues, please feel free to drop us a note or give us a call.

Skylanders: a parent’s worst nightmare

October 19, 2011

Filed under: Leigh's Security Tips


We discuss a variety of scams and social engineering-based attacks (FakeAV, email spam, hostageware, etc.) on this blog. Generally we point out new threats that are geared to exploit your computer’s security and trick you into parting with your hard-earned cash. Last night, however, I came across an even more insidious version of social engineering that was driving my sister-in-law to thoughts of homicide.

My nephew is 10. He has quite the creative imagination and when he gets something on his mind, it truly consumes him. I have him pegged to become the next Einstein or super villain seeking world domination. I’m not quite sure which direction he’ll go. :)

Last night he was showing me his recent birthday gifts – action figures and an Xbox game – from a brand new product line called “Skylanders.” On the surface, Skylanders is a fun interactive game similar to Pokemon, where you select a character and conquer the forces of evil. Once you start playing, however, its sinister design starts manifesting.

Each Skylanders character has unique stats that are used in the video game to determine how they match up against the ultimate bad guy, Chaos, and his evil minions. You simply place your little action figurine on a flat game controller called “the portal” and each character is brought to life within the video game. Once activated, you select which zone you want your character to play in. But oddly enough, certain Skylanders don’t perform terribly well in specific zones due to “environmental conditions.” Do you see where this is going?

Pokemon had the “Gotta Catch Them All” slogan and Skylanders abuses that scenario and then some.

As it turns out, Skylanders not only face environmental difficulties, but can also become hurt or die. Unlike most video games, a simple restart level or reset does not exist and a Skylander becomes unusable for several hours depending on the seriousness of its injury. If you’re not a good player or do not have the right characters for a particular zone, your Skylanders could all perish and you’re unable to play with them the rest of the day.

This exact situation happened to my nephew the night he opened his birthday present. As a newbie, he quickly killed off all his characters after competing in a zone his character set couldn’t conquer. He now had a game he couldn’t play for the rest of the day, nor could he pass anyway without investing in additional figurines. After a little soul-searching, the obvious conclusion for my nephew was that mom needed to purchase ALL the Skylanders so he could play uninterrupted.

The game itself already costs $59.99 for a Mac/PC version and $69.99 for Wii, PS3, Xbox or Nintendo 3d versions. Each figurine then runs an additional $7.99 or $19.99 for a themed three pack. If my nephew can weasel his mom into purchasing the entire collection, she’s looking at forking over $285!

I’m starting to think that a one-time charge of $89.99 for FakeAV is a bargain! These malware authors are in the entirely wrong business. The real hostageware is 10 year-olds coercing their parents into buying more Skylanders!

Malware strikes Netflix

October 13, 2011

Filed under: Leigh's Security Tips


As if Netflix weren’t already having enough problems lately: I was playing games with my kids this weekend when my wife asked me to look at something strange on her laptop. When she visited Netflix, Sophos alerted us that the site was attempting to inject a Trojan onto the system.

I opened up the quarantine and there sat Troj/Virtum-Gen. After taking a peek at the logs, I saw that the source URL was a redirect from Netflix’s main page to a hostile site attempting to download the payload.

At least Netflix was on top of the situation. Shortly after we were faced with this issue, they took their main page offline and put up an interim page with limited functionality that displayed just a small list of titles for streaming.

As of early this week, Netflix is running just fine. If you visited the site this weekend, however, you might want to run a scan of your system just to be safe.

RJS Security Lunch & Learn – Nov. 9th

October 12, 2011

Filed under: RJS Software


Join us online or at RJS Headquarters for a special security “Lunch & Learn.”

Date: Wednesday, November 9, 2011
Starting Time: 11:00 AM CST
Location: RJS Headquarters – Burnsville, MN

Join us at RJS headquarters in Burnsville for a FREE RJS Security “Lunch & Learn.” This 90-minute event will provide attendees with a view of the current security landscape and best practice solutions to solve today’s hottest security issues.

You’ll learn advanced techniques on how to:
- Protect against data loss resulting from attacks or device theft
- Fight back against the malware tools hackers use to steal your data
- Keep your servers safe against network-based threats
- Safeguard your users from web-based attacks
- Eliminate application-level threats with patch management

Attendees will have a chance to win the new Amazon Fire!

Register for the onsite RJS Security Lunch & Learn.

Can’t join us in Burnsville? Register to view the live webcast.

A “ProServe” approach to security

September 28, 2011

Filed under: Leigh's Security Tips, RJS Software


I’ve just returned from a fun-filled week at Sophos’ North American Headquarters in Boston, Massachusetts. I was there for intensive training on Sophos’ updated Enterprise Console 4.7 and SafeGuard Enterprise 5.6. Our ProServe (Professional Services) instructors had many years of practical on-site experience with the Endpoint and SafeGuard products, so the week-long session was very productive.

During my training, there was one thing that really stood out to me and I’m going to share it with you today… free of charge! Here you go:

The key to successful endpoint protection is stopping malware from gaining a foothold within your system. The secret to accomplishing this (direct from the ProServe crew) is to get a handle on your daily system processes, place those processes on an authorized list, and then block everything else that isn’t part of your everyday routine.

This certainly isn’t rocket science, but how many IT departments actually follow this simple concept? Let’s break it down again point-by-point.

1.  Run full-system scans daily for two weeks to catch every program you use.

2.  Examine the list of processes and add the ones you know are safe to the authorized list.

3.  Quarantine anything else that is not part of your authorized list.
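The three steps above as an added worked example (my own code, not Sophos’ tooling): two weeks of constructed daily scan results are merged into an allow-list keyed on executable path plus file hash rather than process name, and a later scan is triaged against it. All paths and hash values are made-up placeholders.

```python
"""Build a process allow-list from baseline scans and quarantine the rest.
Added example; the scan data below is constructed, not from a real system."""
from collections import defaultdict

# Constructed two-week baseline: one list per daily scan, entries are (name, path, sha256).
# The hash strings are placeholders, not real digests.
_DAILY = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "hash-svchost-1"),
    ("outlook.exe", r"C:\Program Files\Microsoft Office\Office14\outlook.exe", "hash-outlook-1"),
    ("excel.exe", r"C:\Program Files\Microsoft Office\Office14\excel.exe", "hash-excel-1"),
]
BASELINE_SCANS = [list(_DAILY) for _ in range(13)] + [
    _DAILY + [("odd-tool.exe", r"C:\Users\jdoe\Downloads\odd-tool.exe", "hash-oddtool-1")]
]


def build_allowlist(scans, min_days=2):
    """Steps 1 and 2: union the daily scans into an allow-list keyed on (path, hash).

    Returns (allowed, review), both mapping (path, hash) -> name. Anything seen on
    fewer than `min_days` days goes to `review` for a human to vet instead of being
    authorized automatically; a one-off binary in a Downloads folder is exactly the
    kind of thing step 2 says to look at before trusting.
    """
    days_seen = defaultdict(set)
    names = {}
    for day, scan in enumerate(scans):
        for name, path, digest in scan:
            key = (path, digest)
            days_seen[key].add(day)
            names[key] = name
    allowed = {k: names[k] for k, d in days_seen.items() if len(d) >= min_days}
    review = {k: names[k] for k, d in days_seen.items() if len(d) < min_days}
    return allowed, review


def classify(process, allowed):
    """Step 3: allow only an exact (path, hash) match; quarantine everything else.

    The reason string distinguishes the cases an operator cares about: a known path
    whose hash changed (an update, or tampering), a known name at an unknown path
    (a binary masquerading as a system process), and a complete stranger.
    """
    name, path, digest = process
    if (path, digest) in allowed:
        return ("allow", "exact baseline match")
    if any(p == path for p, _ in allowed):
        return ("quarantine", "known path but hash changed; verify the update before re-approving")
    if name.lower() in {n.lower() for n in allowed.values()}:
        return ("quarantine", "known name at an unknown path; possible masquerading binary")
    return ("quarantine", "not in baseline")


def triage(scan, allowed):
    """Classify a whole daily scan; returns {path: (verdict, reason)}."""
    return {path: classify((name, path, digest), allowed) for name, path, digest in scan}


if __name__ == "__main__":
    allowed, review = build_allowlist(BASELINE_SCANS)
    print(f"{len(allowed)} entries authorized, {len(review)} held for review: {sorted(review.values())}")
    # Constructed "day 15" scan containing one of each interesting case.
    today = [
        ("svchost.exe", r"C:\Windows\System32\svchost.exe", "hash-svchost-1"),
        ("svchost.exe", r"C:\Users\Public\svchost.exe", "hash-unknown-1"),
        ("outlook.exe", r"C:\Program Files\Microsoft Office\Office14\outlook.exe", "hash-outlook-2"),
        ("dropper.exe", r"C:\Temp\dropper.exe", "hash-unknown-2"),
    ]
    for path, (verdict, reason) in triage(today, allowed).items():
        print(f"{verdict:10} {path}  ({reason})")
```

Keying on name alone would let the second svchost.exe through, which is why the allow-list stores path and hash; the cost is that every legitimate patch changes a hash and needs re-approval, which is the operational burden the ProServe policy discussion is about.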

This plan should help you catch any intrusion, hacker or rogue program attempting to gain access within your company walls. But what about when your information goes mobile?

For laptops containing confidential material, encryption is mandatory. However, security policies placed on your employees are not. When you add the human element to what you think is an iron-clad security solution, your security scheme may sometimes fail despite your best intentions.

Take for instance Fairview Health Services in Minnesota. For the second time in a year, information safeguards have failed and a data breach has occurred. Josh blogged about the first breach back in April when 1,200 medical files went missing after a recent move. Now we hear of a consultant’s stolen laptop jeopardizing 16,800 patient records. It is a tricky balancing act to encrypt critical business information, yet not burden end-users with hard-to-access data. But all companies, and certainly healthcare providers, need to take precautions very seriously. No amount of free credit report subscriptions to jaded customers will alter the public’s perception of your carelessness with their most sacred possession – their identity.

For USBs and removable storage devices, do you enforce full encryption at the volume or file level? Personally, I recommend file level encryption on USB devices. Keep in mind, this is about your end users being productive yet keeping the sensitive data on the portable device protected if it somehow ends up in the wrong hands.

Do you want your CEO to plug in his iPod and have music files fully-encrypted? Should your corporate policies require high security settings, we can render all removable devices “read only” unless they are encrypted. This allows the CEO to plug in his iPod and listen to music without the device being encrypted, yet still non-writable with the correct policies.

Part of the ProServe routine is to spend quality time with the customer discussing policies and their implications. When first examining new security provisions, it’s not unusual for customers to want an extreme, totalitarian policy in place that goes well beyond the state and federal compliance guidelines. Once implications and possible outcomes are explained, however, organizations usually settle on something that is much more reasonable for end users while still meeting compliance. User policies are what drive your security product to perform as advertised, and ProServe, through years of on-site experience, has perfected this to a science.

If you’re interested in learning more about our ProServe approach to security, or want guidance creating effective policies driven on productivity and information security, give us a buzz. We can help you eliminate the dreaded Fairview Health Services situation… again.
