designsbylareau.com
Multi-discipline Technology Consultants


Our Mission: To reduce your personal and business risks by deriving action items from recent news stories.

Note: Brent LaReau is your point of contact for this blog.

« Previous 10 | Next 10 »

010

Something as Simple as "Leap Day" Can Shut Down Your Cloud

Permalink Brent LaReau, designsbylareau.com
Posted: March 16, 2012

A lot of people spin cloud computing as something that just works and is totally reliable, while at the same time saving millions of dollars. But after reading quite a few news stories I've learned that cloud computing services often stagger and lurch, causing major losses of revenue.

Almost a year ago I had blogged about how businesses who had moved their computing infrastructure into Amazon's EC2 cloud had lost data during a service outage. Amazon's Elastic Compute Cloud has suffered other failures, such as a network connectivity failure in North Virginia that lasted 25 minutes. Cloud data centers in Dublin belonging to both Amazon and Microsoft were taken out by a lightning strike that caused a power failure. Their backup generators did not keep them running. Google Docs has hiccupped several times, in one case bringing companies to a standstill for one hour who relied on this collaborative tool. Ditto for Microsoft’s Windows Live, Hotmail, SkyDrive, and Office 365 outage, which brought its users to a halt for five hours due to a network DNS issue. Salesforce.com has had many outages for years, some being especially severe. Terremark's vCloud Express service went offline for about seven hours. Zoho's cloud platform went offline for 10 hours, leaving customers unable to access Zoho's "suite of award-winning online business, productivity & collaboration applications." The list goes on.

I read that someone added up all of Amazon's cloud service outages in the past few years and calculated what it would take for Amazon to meet their stated "99.95%" uptime goal. Apparently Amazon would need to have 100% uptime (no outages) for 15 years. Ouch!

After reading all the news stories and post-mortem analysis we understand about lightning strikes and incorrect database queries and cascade failures and remirroring "storms" and massive power outages and core network device failures.

But how can we understand this latest cloud outage: Microsoft’s Azure cloud service recently went down for two days worldwide, starting on February 28th. It went down because the next day was February 29th instead of March 1st, for 2012 is a leap year.

Uh, Azure went down because it's a leap year? Calendars began to include "leap years" in 1582. So, after 430 years we still can't get it right?

Read More...

Some very big organizations rely on Azure. For example, the UK government's much-touted G-Cloud service runs on Azure. G-Cloud was supposed to revolutionize their e-mail, word processing and enterprise resource planning (ERP) activities. Well, I suppose that suffering a two-day outage is rather revolutionary.

It's one thing to move one's IT infrastructure to the cloud, only to have the cloud's own infrastructure fail. But it's another thing to run one's business on third-party cloud-based software or platforms, only to have every employee stare at a totally blank screen for hours or days because something has failed at some level inside the cloud. In that case, our risk mitigation strategy is totally different.

Information Security Cartoon
(You can see all of my cartoons here.)

Let's inspect the facts of this predicament and outline some action items that we can use to reduce our risks when using third-party cloud-based software or platforms.

You can read an original news article about this topic here. You can contact me here.

Permalink


009

Why Does the Angry Birds App Need Access to Your iPhone's Address Book?

Permalink Brent LaReau, designsbylareau.com
Posted: March 7, 2012

Some news stories raise my level of concern even though I'm not really involved in the story's main issue. In this case, the news story was about Angry Birds. I don't play games on my mobile devices, so I've never played Angry Birds. But at least I've seen it by looking over people's shoulders. I never dreamed that a game in which we use a slingshot to launch birds at pigs would need to access our entire mobile address book.

Yet the Angry Birds software application for iOS devices (such as iPhone) makes the ABAddressBookCopyArrayOfAllPeople API call, which returns an array containing all of the "person" records in the device's address book.

Other games that would appear to have no legitimate need to access our entire address book call ABAddressBookCopyArrayOfAllPeople too. For example, "Cut The Rope" makes this call. Does feeding candy to a little green monster really require access to our entire contact list?

Digging into this mystery makes things a little clearer (but it's still troubling). Both Angry Birds and "Cut The Rope" connect to Chillingo's "Crystal" social gaming platform so game players can "Send an invite from your local contacts." This explains why these games need access to our address book, but it doesn't explain why Angry Birds and "Cut The Rope" upload our entire address book to Chillingo's web server, instead of uploading just one person's contact information. This does not seem right.

What about applications other than games? It turns out that Citibank's app calls ABAddressBookCopyArrayOfAllPeople too. Why would our bank need to access our entire address book? Several Google apps access our entire address book, too.

The recent discovery that mobile apps such as Foodspotting, Path, Hipster, Foursquare, and Gowalla invisibly access our mobile device data and even silently upload it to various web servers has sparked a huge scandal.

You might think, "It's no big deal. So what if Angry Birds accesses my address book?"

Read More...

The point is not that they access our address book. The point is that they access our entire address book when they only need one person's contact information. Consider this scenario: you walk into your bank and they offer you a special deal if only you provide them with a friend's contact information. Naturally you open your phone's address book but the bank's staff grabs your smartphone and copies your entire address book. Would you just shrug and say, "It's no big deal", or would you grab back your phone and say "That's none of your business!"?

Information Security Cartoon
(You can see all of my cartoons here.)

Let's survey the facts of this matter and sketch out some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


008

Students Take Down School Web Site, Create a Fake Web Site, and Send Spoofed E-mails to Get a Day Off

Permalink Brent LaReau, designsbylareau.com
Posted: February 29, 2012

While reading the news story whose headline is shown above, I thought, Wow, students worldwide have been busy hacking recently! It has only been a few weeks since I finished my previous blog entry about a student re-routing his high school's Internet traffic.

In the U.S., people under the age of 20 have used computers and the Internet all their lives. Those under 10 have also been around mobile devices such as MP3 players, cell phones, smartphones, and Internet tablets most of their lives. Most people in those age groups are not self-proclaimed hackers but they have endless time and curiosity to explore every avenue and try every combination of settings, menu selections, or passwords until they succeed. Many devices and computers impose no penalty for failed attempts, so there's nothing to stop these kids. It's scary to see three- and four-year-old kids rapidly navigating through multiple levels of game menus quite easily even though they cannot read a word. So today, even little kids know how to blindly hack their way into simple systems.

Older students have tons of free time, plus they have acquired even more capabilities and understanding of computers, devices, and the Internet. One problem is that most teens don't see anything wrong with hacking into things. A study published in 2010 showed that 25% of teens have tried to hack into other people's online accounts. Of those, 78% admitted they knew it was wrong but did so anyway. Forty-six percent said they logged into other people's accounts for fun, but 20% did it to make money! Twenty-five percent have attempted to log into others' Facebook accounts; 18% have tried to gain access to a friend's e-mail account; and 5% said they had tried to hack into their school's web site. I'm sure teen morals have not improved since 2010.

Information Security Cartoon
(You can see all of my cartoons here.)

Let's probe the facts of this affair and evolve some action items that we can use to reduce our risks:

Read More...

You can read an original news article about this topic here. You can contact me here.

Permalink


007

Student Re-routes His High School's Outbound Internet Traffic to His Smartphone

Permalink Brent LaReau, designsbylareau.com
Posted: February 16, 2012

As I read a news article about this subject, I realized that people can do some pretty amazing things with their smartphones. In this case the student had a "rooted" Android smartphone (one which has been modified to give its user complete administrative access to its underlying GNU/Linux operating system). A lot of people, even teenagers, have rooted their Android device to gain full visibility into the operating system, and so they can install powerful utility software that requires full access to system resources such as networking.

In this case the student installed an app called Arpspoof, which is a tool intended for network auditing. The Android version of Arpspoof is based on the original Unix version. Arpspoof is commonly used to intercept network traffic flowing between two other computers somewhere on the network. Such traffic is normally not visible at any randomly selected point in the network because modern network switches efficiently forward packets only along the most direct path from A to B. Tools like Arpspoof were unnecessary before network switches were invented, as hubs broadcast all network packets in all directions, so all packets were easily visible everywhere. But this made networks very busy and many packets had to be retransmitted due to collisions. "Layer Two" network switching is much more efficient.

Arpspoof's name is derived from the phrase "ARP spoofing", which is a network technique used to accomplish traffic interception. ARP is short for Address Resolution Protocol. ARP is normally used by computers on a network to locate each other. Commonly, computers will occasionally broadcast an ARP message asking "Who has IP address XXX.XXX.XXX.XXX?" and the computer assigned to that IP address will reply, "I have it! And my MAC address is XX:XX:XX:XX:XX:XX!"

Less commonly, if a computer's MAC address or IP address is changed, it will send an unsolicited ARP announcement saying, "My IP address is XXX.XXX.XXX.XXX and my MAC address is XX:XX:XX:XX:XX:XX!" That way, all other computers within hearing distance can update their ARP cache. The problem is that an ARP announcement can be a lie (stating the wrong IP address or wrong MAC address, or both) and other computers have no choice but to believe it. Basically, Arpspoof works by broadcasting lies.

If that sounds like some pretty nasty hacking, don't take it too hard. Some public Wi-Fi hotspots use ARP spoofing to redirect mobile devices to a "terms and conditions" page before allowing access to the Internet.

Read More...

Here's an example of how to use Arpspoof. Let's say you want to use computer "C" to intercept traffic flowing between computer "A" and computer "B" somewhere on the network. You would run Arpspoof on computer "C" and tell it about computers "A" and "B". It would then tell "A" to send traffic intended for "B" to computer "C" instead. It would also tell "B" to send traffic intended for "A" to computer "C" instead. Technically, this would cause communications between "A" and "B" to cease, since packets are being intercepted by "C" without being forwarded to their intended destinations. Arpspoof can be configured so that computer "C" will accomplish this forwarding. The result is transparent monitoring of all traffic flowing between "A" and "B".

Obviously, configuring Arpspoof can be a bit tricky, and can result in network failure if forwarding is not set up correctly, or if computer "C" cannot keep up with network traffic. That's why it's normally used by network admins instead of high school students with smartphones. The developer who ported Arpspoof to the Android platform wrote in capital letters on his web page: "ONLY USE THIS APPLICATION ON NETWORKS THAT YOU HAVE PERMISSION TO DO SO".

Let's reconstruct the scene of this student's "crime" so that we can learn from it. According to news reports the school's IT staff claimed the student had redirected all outbound Internet traffic to his smartphone. We can assume this actually took place on the school's Wi-Fi network, not on their hardwired Ethernet network, since Android smartphones have built-in Wi-Fi but don't have an Ethernet jack.

The easiest way to intercept outbound Internet traffic on a wireless network is to pretend to be the default gateway for that network. Therefore, the student probably used Arpspoof to tell every computer on the wireless network to send traffic intended for the gateway to his smartphone instead. If the student configured Arpspoof correctly then forwarding would have taken place too, but how can a smartphone keep up with total Internet traffic? News reports indicated that network problems plagued the school for several days before things came to a head and the student's smartphone was confiscated by the police.

Information Security Cartoon
(You can see all of my cartoons here.)

Let's scrutinize the facts of this episode and frame some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


006

10,000 Industrial Control Systems Are on the Internet, and Only 17% Require a Password to Connect

Permalink Brent LaReau, designsbylareau.com
Posted: February 6, 2012

I remember reading about the controversy surrounding this topic. One camp had maintained that some industrial control systems are connected to the Internet, while another camp had claimed that these systems are NOT connected. Both camps had mostly anecdotal evidence to support their claims.

What are industrial control systems, and why should we care about whether these are connected to the Internet or not?

Industrial control systems are electromechanical systems used everywhere in industrial sectors and critical infrastructures to monitor and control physical processes. Such as electrical power generation, factory assembly lines, water purification, food and beverage packaging, etc. Lots and lots of these systems are deployed worldwide.

In short, industrial control systems run the world. It would be pretty bad if hackers, hacktivists, or even teenagers broke into industrial control systems. That's why these systems are generally located behind locked doors. Some facilities also have security guards. Vendors of industrial control system components state that these systems should be protected with an "air gap", meaning that their internal communications network should NOT be connected to any outside network. Public statements by owners of these systems repeat their vendors' sentiments, that their systems are "off the grid".

But in the Internet Age the average person probably assumes that everything from Coke machines to skyscrapers can be found on the Internet somewhere. There is an increasing and somewhat disturbing trend towards constructing an "Internet of Things" where billions of things like parking meters and wind speed sensors are connected to the Internet. The rising adoption of IPv6 will make this dream—or nightmare—possible. And the increasing complexity of all systems, combined with decreasing project schedules plus a shortage of highly skilled tech workers, all conspire to put industrial control systems on the Internet after all.

Conservative experts will say, "Why on Earth would you place an industrial control system at risk like that?" But confident experts will say, "Anything is safe if you know how to do it right!" (We assume that "safe" means the use of encrypted communications (VPNs) and strong passwords, at least.) But all of these expert discussions missed the point altogether, as they did nothing to answer the $64,000 question: ARE ANY OF THESE SYSTEMS ACTUALLY ON THE INTERNET?

Read More...

Finally, a university student named Eireann Leverett has answered that question. And you're not going to like the answer. Leverett located 10,358 industrial control systems on the Internet. Furthermore, only 17% of these asked for a password when he tried to gain access.

Leverett's efforts have already closed some of these security holes. One industrial control system vendor, after finding out about Leverett's findings, told some of its customers that their systems were found online. Several customers responded that they weren't even aware of that fact.

Information Security Cartoon
(You can see all of my cartoons here.)

Let's peruse the facts of this issue and devise some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


005

More than 80% of Web-based Attacks Target Old Java JRE, Adobe Reader/Acrobat, and Adobe Flash Software

Permalink Brent LaReau, designsbylareau.com
Posted: August 31, 2011

After reading a news article about this topic, I realized it provided some good examples of what I had blogged about earlier this year. In that blog entry, I had mentioned how most malware enters our computers via our web browser using a process called a "drive-by download". To review, a drive-by download is just extra, invisible, malicious content that criminal hackers have inserted into ordinary, mainstream web pages. They accomplish this by simply breaking into web servers and altering web page HTML and JavaScript so that browsers will fetch additional malicious content from other web servers.

Drive-by downloads are not a new phenomenon. Even back in 2008, Symantec's Norton Community Watch observed more than 18 million drive-by download infections.

I had also mentioned that drive-by download attacks only work on specific combinations of popular operating systems, web browsers, browser plug-ins, application software, and runtime environments. But the distribution of popular software changes every year because users will upgrade to the latest Microsoft Office, or will upgrade their Flash Player because their favorite video web sites demand it. Therefore, criminal software developers who wish to continue distributing malware via drive-by downloads will alter their delivery mechanisms to keep up with such changes.

Information Security Cartoon
(You can see all of my cartoons here.)

Here are some fairly recent statistics concerning what software is currently being attacked successfully. These statistics were generated by CSIS Security Group A/S and published by Help Net Security:

Read More...

Let's review the facts of this topic and plan some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


004

Customer Data Was Permanently Destroyed in Amazon Cloud Services Crash

Permalink Brent LaReau, designsbylareau.com
Posted: May 12, 2011

While reading a news report about yet another cloud services outage, I wondered if clouds are gathering on the horizon. In the context of cloud computing this expression can be taken two ways. People who say the glass is "half full" would say this expression refers to the massive adoption of cloud computing, which they think is a good thing. Others who say the glass is "half empty" are referring to storm clouds heading our way, which would be a bad thing.

Businesses that lost data during the most recent Amazon EC2 cloud service outage probably thought the glass was definitely half-empty. Especially after receiving this friendly e-mail from Amazon:
Hello,

A few days ago we sent you an email letting you know that we were working on recovering an inconsistent data snapshot of one or more of your Amazon EBS volumes. We are very sorry, but ultimately our efforts to manually recover your volume were unsuccessful. The hardware failed in such a way that we could not forensically restore the data.

What we were able to recover has been made available via a snapshot, although the data is in such a state that it may have little to no utility...

If you have no need for this snapshot, please delete it to avoid incurring storage charges.
So, Amazon's cloud hardware failed; they couldn't recover customer data correctly; they generated a dump of hopelessly mangled data; and they fully intended to charge customers for storage of that useless data dump.

Read More...

Amazon's "99.95%" Service Level Agreement (SLA) allows for its cloud services to be inaccessible for a little more than four hours per year. Apparently Amazon won't meet its SLA this year; some of its customers were down for three days, and Amazon had suffered a previous outage the week before. I'm not sure if Amazon's SLA covers data loss, but there is a big difference between losing computing time (money) and losing data (MONEY).

You can check on the status of Amazon's cloud services in real time here.

Let's consider the facts of this incident and delineate some action items that we can use to reduce our risks:

You can read original news articles about this topic here and here. You can contact me here.

Permalink


003

34% of All Malware Ever Created Appeared in 2010

Permalink Brent LaReau, designsbylareau.com
Posted: February 17, 2011

I've been watching the malware scene for years, but the news headline shown above really floored me. For those unfamiliar with the term, malware is short for malicious software, and it includes viruses, worms, Trojans, rootkits, and other threats. Most people call malware "viruses" even though viruses are just one kind of malware.

Most computer users have felt the effects of malware, or have heard someone's horror stories. That's why this type of software is called "malicious". Everyone knows that malware can ruin our day. Sometimes malware just quietly overrides our browser's home page, or inserts spam web pages into our surfing stream so that we see advertisements for p**nography or pharmaceuticals. In other cases malware can use our computer to silently send thousands of spam e-mails per day. Or invisibly steal our bank account passwords. Or unobtrusively make our computer a member of a botnet, under the remote control of someone in another country who can then use our computer for whatever he or she wants. Such as performing a Distributed Denial Of Service (DDOS) attack on mainstream web sites such as those belonging to the CIA and Twitter (yes, these web sites have been attacked). All of these criminal activities are profitable, which today is the only reason disreputable software developers create malware.

You may be thinking, "Brent is way off base. Most people's computers are NOT infected by all this malware, because their computers work just fine. Besides, anti-virus will protect them. What's the big deal?"

With all due respect, the facts do not support those opinions. Here's why:

Read More...

  1. Unobtrusive malware is more profitable. Think about it. If you were a criminal software developer whose malware ravaged users' computers, wouldn't they know it right away and take steps to remove it immediately? How could installing your malware on people's computers be profitable under those circumstances? Therefore, today you will find that most malware is designed to be fairly well-behaved and unobtrusive. CPU and resource usage are minimized to prevent a noticeable slowdown. Spam e-mail transmissions are throttled back, or timed to occur at night, to allow fairly normal web surfing and multimedia download speeds. People don't notice any symptoms of infections, so they don't react to the malware, and criminals can reap the most profit.
  2. Most people don't "look under the hood". How many computer users have ever used the NETSTAT command to see what network connections exist? They might be surprised to see their computer is connected to a botnet command-and-control server in Romania! Of course, they wouldn't know it was in Romania because most computer users don't know how to geo-locate an IP address either. How many computer users have ever checked to see what background processes are running on their computer? Or checked to see what software is automatically started when their computer boots up? Or used a network packet sniffer to analyze their computer's network traffic during the night when they are asleep?
  3. Anti-virus-resistant malware is more profitable. Sorry to tell you this, but yes, some malware quietly shuts down or disables your anti-virus software so that the malware can run. How is this possible? First, consider that most people use popular, free anti-virus they download from the Internet. Criminals can download the same popular, free anti-virus too, and then figure out how to write software that will shut it down once their malware has gained a foothold in a computer. The real trick is how to evade the anti-virus while shutting it down. This is done most simply by making sure the malware is unknown to popular, free anti-virus software on the day the malware gains a foothold in a computer. More about this below.
  4. Malware doesn't need to live long to be profitable. Let's say you're a criminal software developer who writes malware designed to send spam e-mails. You know you can infect a bunch of computers, but you also know that anti-virus updates will kill your malware hours or days after it infects any given computer. Would you decide that anti-virus has won, and give up writing malware to become a used car salesman instead? Or would you decide to send spam for as many hours as you can on any given computer, and make up the loss by infecting new computers just as fast as malware is being killed on already-infected computers? What is the difference between sending spam from the same 100,000 computers per day, and sending spam from a different set of 100,000 computers every day?

Unfortunately, the number of malware released into the world each year is not constant. It has been increasing by leaps and bounds each year. I remember being surprised when the number of known malware samples finally topped one million, not too many years ago. But 20 million new malware were created in just the first 10 months of 2010! As of November, 2010, PandaLabs' malware database had 60 million entries!

Since malware is good for criminals and bad for us, we need to ponder the facts about malware and elaborate some action items to reduce our risks. First, the facts:

MALWARE ACTION PLAN --- To reduce our risks related to malware, we need to add many additional layers of protection as follows:

  1. Update anti-virus as often as possible. Some anti-virus software permits the user (or corporate IT staff) to choose how often to update anti-virus signatures. You may be surprised to find your anti-virus has a default setting of "once per week"! This is far, far too seldom to do any good at all. To lessen our risk we should choose the smallest possible update interval (once an hour, if possible; once a day otherwise). In the enterprise we can specify a staggered or random update cycle to prevent every computer in the building from flooding the network with simultaneous update requests.
  2. Use a custom anti-virus configuration. We must not rely on the anti-virus vendor's default configuration. We need to take time to really read and understand each and every configuration setting available for our anti-virus. You may be puzzled to find that, by default, your anti-virus excludes certain file types (or file names) from its scanning. If you were a criminal software developer, wouldn't you prefer to hide your malware in files that are excluded from anti-virus scanning? So, everyone—home users and corporate IT staff alike—should consider tightening up their anti-virus scanning so that it doesn't exclude so many things. We should also consider configuring our anti-virus heuristic scan to make it a bit more sensitive. This will increase the effectiveness of our anti-virus by decreasing our false negatives, but on the other hand we may start to see some false positives. More about this next.
  3. Analyze all false positives. Once we have tuned our anti-virus to become more sensitive (as described above), we can expect more fallout from our scans, and these will take time to resolve. Plan for it (as if we have any extra spare time!). Also, we need to learn how to check our anti-virus log (otherwise we may not even know that it's finding malware). It's a good idea to write a short procedure to remind ourselves of how to deal with any possible malware we find. VirusTotal—the web site I mentioned previously—is our best friend. Simply upload suspicious files to see how many anti-virus products will identify it as benign or malicious. If VirusTotal has already seen this file, have VirusTotal re-scan it (i.e., with the latest anti-virus signatures).
  4. Write a Malware Incident Response Procedure. The worst time to write this document is during a massive malware attack that has made our personal computer as useful as a bag of rocks, or has brought our company to its knees. (Yes, I recall the Conficker/Downadup infections of 2008-2009) The best time to write this document is when we have time to think it through and get it right. The Procedure should include the sections shown below. (If you want an example of a very comprehensive malware incident prevention and handling guide, you can download Special Publication SP 800-83 from the National Institute of Standards and Technology's web site.)
    • Purpose: An overview of when this Procedure is to be used, and what it will accomplish. Will this Procedure be invoked every time anti-virus finds something, or when someone notices a computer acting strangely, or just when a fairly large outbreak is noticed? Will each infected computer be "wiped" and re-imaged automatically, or will computers be repaired and disinfected file-by-file? Will any forensics be involved, such as for infections of upper management's computers?
    • Responsibilities: An overview of who will be responsible for carrying out this Procedure. IT staff? Individual users? Contractors or third parties?
    • Prioritization: How each malware incident will be prioritized, so as to react appropriately. Is a worm infection higher priority than a Trojan infection? Is a 100-computer infection more important than single-computer infection (even if it's the CEO's computer)?
    • Categorization: An overview of each type of malware incident covered by this Procedure. Will a rootkit be treated the same as a keylogger? A worm the same as Adware? A large customer's computer the same as an employee's computer? A finance department computer the same as the receptionist's computer?
    • Timeline: How long this Procedure will be allowed to take for each priority level and category. One hour? One day? One week? Will the schedule be any different after normal business hours?
    • Mitigation: An overview of how each malware incident will be resolved, for each priority level and category. What tools, accessories (such as write-protectable flash drives), or software (such as Linux LiveDVDs, "emergency" anti-virus disks, Nmap, or Wireshark) will be required for this Procedure? Will infected computers be transported to the IT department, or will someone visit each infected computer?
    • Recovery: An overview of how lessons learned from each incident will be captured to help improve this Procedure and/or to allow the organization to improve its defenses against future malware infections.
  5. Use alternative web browsers. As explained previously, criminal software developers target popular combinations of operating systems, web browsers, browser plug-ins, application software, and runtime environments (such as Java) through drive-by downloads. Switching to an "unpopular" web browser can defeat drive-by downloads that depend on a specific web browser. You can see what web browsers are currently popular here. At the end of 2010, Internet Explorer (IE) was still the dominant web browser, hence it was still the prime target. Firefox is gaining on IE fast, so we can assume that it, too, will become a prime target in the next year or two. But for now, Firefox, Opera, Chrome, and Safari are less likely to fall prey to drive-by download attacks than IE. One reason is that alternative browsers usually don't support ActiveX-based plug-ins like IE does. ActiveX is very powerful software, and many third-party ActiveX plug-ins contain vulnerabilities that have been exploited by criminals to gain full access to people's computers. Another reason is that Microsoft issues security updates for IE only once per month maximum, compared to other browser vendors that issue security updates on a more rapid, as-needed basis. For example, Mozilla has been known to push out security updates only a few days apart for its Firefox browser. Corporate IT staff may face a dilemma when deploying an alternative web browser, since some internally-developed web applications may require ActiveX or may "work best when using Internet Explorer". These issues will require some work to fix.
  6. Disable automatic handling of web content. Some web browsers, like Firefox, allow the user to configure how each type of web content is handled. Consider content such as PDF files or QuickTime movies. Most web browsers (Firefox included) will handle such content automatically by finding and running a "helper application" such as Adobe Reader or a movie player (or their equivalent plug-ins). This allows a drive-by download to succeed automatically in the background. But if we configure a browser such as Firefox to "always ask" before finding and running a helper application for each type of content, drive-by downloads won't succeed unless we approve. The trick is to react appropriately when the browser notifies us that some content needs to be handled. Basically, we just need to say "no" when we're surprised, and "yes" when we expected it. Here are two trivial examples. Suppose you surf to a normal web page and begin reading it, but suddenly (even though you didn't click on anything) Firefox asks you how you want to handle a PDF file. You would click "Cancel" because you didn't expect or want a PDF file. Very suspicious! Or, suppose you click a link to download a PDF file and Firefox asks you how you want to handle an MP4 video file. You would click "Cancel" because you expected a PDF file, not a video file. Very suspicious!
  7. Use alternative operating systems. The same points made previously about web browser popularity apply to operating systems too. Criminal software developers don't have time to target unusual desktop operating systems. Instead they attack popular operating systems based on market share. You can see what desktop operating systems are popular here. At the end of 2010, Windows XP is still the most widely deployed desktop operating system in the world and is therefore the most widely attacked operating system in the world. But Windows 7 is gaining on XP, and the popularity of Apple's iPhone and iPad products may increase Mac OS X's popularity, and Google's Android operating system is increasingly popular for mobile devices, so we can assume that those, too, will become more of a target in the next year or two. But for now, everyone—home users and corporate IT staff alike—should consider using Windows 7, Mac OS X, or GNU/Linux on their desktops instead of XP. Regarding Linux, it is doubtful that the market share of the desktop version of Linux will ever exceed a few percent, hence it is doubtful that desktop Linux (and all of its application software and libraries) will be targeted by criminals anytime soon. Many home users and employees of fairly small companies use their computer primarily for checking e-mail, writing documents, creating spreadsheets, and surfing the web, so these users are good candidates for using Linux instead of Windows.
  8. Use alternative PDF readers. Everyone uses Adobe Reader, so that's what criminals like to attack. PDF files are no longer benign vehicles with which to convey text and graphic images. Modern PDF files can include embedded JavaScript code, can launch third-party applications to view content, and can interact with servers on the Internet. And criminals have figured out how to corrupt a PDF file to cause a specific version of Adobe Reader to crash in useful and predictable ways, as mentioned previously. The result is an infected computer. My daughter-in-law's laptop computer got killed by a drive-by download that delivered a specially modified PDF file targeting her older, vulnerable version of Adobe Reader.

    The result was a malware infection disguised as an "anti-virus security warning" that took control of her screen, keyboard, mouse, and power button. This was designed to convince her to pay $69.95 to purchase "anti-virus" software to remove "security threats." She fought with her computer for days and almost paid the ransom to get her computer back to normal. I performed a forensic analysis and found how a malicious PDF had been passed straight through Firefox to Adobe Reader. If she had installed the newest version of Adobe Reader she may have been protected. Or maybe not, since a different version of PDF file may have been delivered instead, and the end result may have been the same. New vulnerabilities in Adobe Reader are being found every day. To mitigate this risk we need to use an alternative PDF viewer, such as Foxit Reader. It's important to uninstall all previous versions of Adobe Reader, since these can still be exploited if still present.
  9. Use other alternative application software. "Everyone" uses Microsoft Office, WinZip, QuickTime, RealPlayer, and other popular software. Therefore, criminals will exploit vulnerabilities in these applications. We can mitigate these risks by using OpenOffice, 7-Zip, VLC, and other less-widely-used applications instead. It's important to uninstall the popular versions we're no longer using, since these can still be exploited if still present. It's also important to check the new versions' popularity once a year, in case the app that no one was using a year ago has skyrocketed! Case in point: Firefox.

    [As a side note, the use of less-popular software to increase security has sometimes been dismissed by incorrectly equating it with the false principle of "security through obscurity". Publicly available software like OpenOffice, 7-Zip and GNU/Linux are certainly not "obscure", for hackers can download these software products as easily as anyone else. The Opera web browser's User Agent is just as visible to web sites as Internet Explorer's, so hackers could target Opera with drive-by downloads as easily as they target Internet Explorer.]
  10. Live in a limited Windows user account. This is perhaps the single most important thing we can do to mitigate risks. But as mentioned, creating a limited user account is easiest when configuring a brand-new computer. Otherwise we may have to spend a whole day figuring out how to move all our stuff from the admin account to a new limited user account.
  11. Make sure "AutoRun" and "AutoPlay" are disabled. Some details were mentioned previously. It's incredibly important to disable these (despite Microsoft's own contradictions and confusion factors in their documentation). Doing so will close an important security hole in Windows' handling of removable devices such as flash drives, which malware currently targets.
  12. Don't share flash drives. Make a habit of not sharing flash drives with friends and coworkers, and don't bring your flash drives to and from your workplace. This will reduce the spread of malware and protect you more than if you shared freely. In practice, we will share flash drives, but we can certainly limit our exposure.
  13. Use multiple anti-virus scanners. This was discussed previously. The devil is in the details (such as my points about preventing anti-virus scanner conflicts).
  14. Uninstall Java or disable it in all browsers. Most of us don't use Java yet we still have it on our computers. This places us at risk of drive-by downloads as mentioned previously. We can mitigate that by simply removing Java or disabling it in all of our browsers. But mitigation becomes tedious if we depend on Java and cannot remove it. In that case our first priority should be to install the latest version and remove all older versions. If you absolutely need an older version, good luck! And if you depend on Java for various web sites, good luck!
  15. Disable or remove unused browser plug-ins. An unused but vulnerable plug-in is just as useful to criminals as a constantly-used vulnerable plug-in. To mitigate this risk we need to simply disable or uninstall all plug-ins we never use.
  16. Keep operating systems up to date. For Windows, it's important to ensure that automatic updates are enabled and that such updates are automatically installed too (not just downloaded). Microsoft publishes security updates on a regular schedule: it's called "Patch Tuesday", and it's the second Tuesday of each month. A few "out-of-band" patches have been issued at random times between Patch Tuesdays, but these have been rare. Newly released updates may not be actually available until the afternoon in the U.S. There is no reason to wait for automatic updates to install patches; we can update our computer manually any time we wish. Corporate IT staff may wish to learn about patches ahead of time and may even wish to test them before widely deploying them across the enterprise. Microsoft publishes advance warning of upcoming updates in special Security Bulletins.
  17. Uninstall unused application software. We need to know that a "drive-by download" can infect our computer by exploiting a vulnerability in application software that we don't even use. Home users often "collect" software on their computers, never to use it again. Corporate IT staff have more control over what's on enterprise computers, but should still consider removing unneeded or unwanted software such as QuickTime from business computers anyway.
  18. Keep application software and browser plug-ins up to date. We can greatly reduce risks due to popular, vulnerable software applications and plug-ins by upgrading to newer versions that don't contain so many well-known security holes. This is easier said than done. Three problems exist. First, most application software and plug-ins have no update process at all. Examples of these are the vast majority of downloadable "gee whiz" plug-ins and consumer applications sold in online or brick-and-mortar stores, ranging from crossword puzzle games to photo editors. Browser plug-ins that came pre-installed in our computer are the worst to figure out how to update, since we cannot easily tell where they came from or what application software they belong to. To update such plug-ins and applications we literally have to buy or download a new version (if we can find it). Second, even if all of our software has an update mechanism, we may have many dozens of applications installed. That means updating each one separately, which can be tedious and error-prone. No one offers a "one-click" method to update ALL of these at once. Third, each plug-in and application has its own potentially weird or difficult upgrade method (think Flash Player during most of its lifetime).
  19. Read the Infosec news once a week. The threat landscape keeps changing, so it's important to keep up. For example, I had never heard of malware targeting Macs until Sophos published its annual Security Threat Report for 2007, where they stated that financially motivated criminal hackers had compiled a few pieces of serious malware to target Macs for the first time. Similarly, Adobe Reader was never a target before 2007, but by 2009 a huge number of malicious PDFs targeting Reader were circulating in the wild. One way to keep up with events is to read a summary of information security news each week. If you can't easily locate such news, try The Register, The H, or Security News Portal. You may have to click one or two levels deep into those sites to find the type of information security news you need, but this should be fairly easy to find.
  20. Revise your Malware Action Plan every year. The information security news items we read each week should strengthen our Malware Action Plans over the long term. It's always a good idea for us to write down our Malware Action Plan. Then, we can't forget what we decided, and we can adapt it over time.

You can read an original news article about this topic here. You can contact me here.

Permalink


002

How 3,200 Women's "Secret Questions" Defeated Their E-mail Account Security

Permalink Brent LaReau, designsbylareau.com
Posted: November 17, 2010

The news story that prompted me to write this blog entry is sad but increasingly typical, since more and more people are putting more and more of their personal details online. And they're doing this seemingly without regard for the eventual consequences, probably because few people ever consider that someone—whether a stranger or not—would use such details against them in a big way. In this case, women's lives were devastated by a stranger who used nothing more than their published personal details plus their "secret questions" against them.

As everyone probably knows by now, in online accounts a "secret question" is a question about us that "only" we know the answer to. Such as "What was your first pet's name?". The purpose of secret questions is to allow online account passwords to be reset if forgotten.

Back in 2005, a well-known security figure named Bruce Schneier spoke against the use of "secret questions" in online accounts because these seriously weakened everyone's security. Why do "secret questions" weaken security? Because:

Schneier's statements prompted a lot of discussion about this topic, but it's almost as if someone else (let's call him "The Anti-Schneier") gave the exact opposite advice, and all of the online services believed him instead!

Read More...

Information Security Cartoon
(You can see all of my cartoons here.)

The fact is, more and more online accounts have adopted "Secret Questions" since then. More and more accounts demand that we use "Secret Questions". And more and more accounts are being compromised as a result.

Everyone probably recalls how David Kernell used publicly available information to hack into the personal Yahoo! e-mail account of vice presidential candidate Sarah Palin in 2008. But other account hacks have had far worse consequences.

One of the worst cases I've heard about is where a California man, age 23, broke into e-mail accounts of 3,200 women who were complete strangers to him. He also put explicit photos of around 175 of these women on their own Facebook pages, and also e-mailed such photos to these women's friends.

The offender was no hacker. He was able to break into these women's e-mail accounts by simply answering their account's "secret questions". How did he know these answers? He merely searched Facebook and other online services and scraped together information on his victims until he could answer many of the common "secret questions" used by e-mail providers such as Gmail, Yahoo! Mail, Hotmail, and others.

Once he had gained access to his victims' e-mail accounts he was able to gain access to their Facebook accounts, presumably by having Facebook reset his victim's passwords and send a confirmation e-mail to their accounts (which he had access to!).

Let's check the facts of this case and extract some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


001

Welcome to The Brent Report

Permalink Brent LaReau, designsbylareau.com
Posted: October 24, 2010

I've spent the last six years reading many startling information security news stories. Most of these news stories caused my eyes to widen; then a light bulb went on above my head as I connected the dots; and then I tried to take action to reduce my business risks (and my family's risks too). I often forwarded these same news stories to my consulting clients, professional peers, relatives, and friends, hoping they would be able to achieve a similar understanding and derive similar plans of action.

But I finally realized that merely forwarding a news story didn't actually inform anyone of what the story really meant. And it didn't actually inform anyone of how to react to the news story in a useful way.

That's where The Brent Report comes in. Every entry in The Brent Report security blog will dissect the facts of a recent security news story, and extract some action items that can be used to reduce computer security risks not only in the workplace, but at home too.

Feel free to send me your feedback on these blog entries via e-mail. I'll append your comments and information to my blog entries and give you credit if you give me permission to include your name.

Addendum: You may be wondering why The Brent Report blog doesn't allow readers to post their comments directly, like many other blogs do. You may be thinking, "Doesn't this guy know about Web 2.0?" The answer is that I follow my own security advice! I'm well aware of the constant stream of security vulnerabilities found in WordPress and a lot of other blogging software, which allow amateur "script kiddies" as well as serious hackers to hijack blogs for their own purposes ("lulz", blackhat SEO, comment spam or trackback spam, etc). Why, even PBS.org was hacked and defaced in 2011 due to a vulnerability in Moveable Type blogging software. I'd have to set up a CAPTCHA engine and then watch my blog like a hawk to prevent someone from tainting my blog with extraneous content. No, thanks; I've got better things to do. Just e-mail me, please!

Permalink


« Previous 10 | Next 10 »


Home


What We Do


Contact Us

Brent Report
Security
Blog
Bombardier
Security
Cartoon
Our
Success
Stories

Kudos

Page validated by:
Valid HTML 4.01 Transitional