Archive for Conficker

Where Do We Go From Here?

Posted in All Posts, Computers, News, Security, Tech News on April 1, 2010 by The Edible Earth

Zero Day Vulnerabilities, Man In The Middle Attacks, Worms, Exploits, Phishing, Hacked accounts, and the list goes on and on. The fact is that computer users in today’s world are facing a growing threat from outside sources when using the internet. Most people are not aware of, nor do they care about, these threats, that is, until it is too late. But why and how is this happening? What are we doing about it? And where do we go from here? All valid questions that really do not have a solid, absolute answer.

We hear almost every day about new threats, either attacks on a previously unknown vulnerability (Zero Day Attack), or horror stories regarding account hacks and phishing scams. Windows, Adobe, Apple, and just about every other major software creator has faced this issue at least once, some many, many times. In the early days of hacking, viruses were merely a proving ground, a gold star for a lapel, for many young and very talented software writers. No malicious intent, for the most part, was ever meant. All they wanted to see was whose virus could propagate the fastest and to the greatest extent. It was a game to them, albeit a very annoying one. However, those days are long gone, and the occasional malicious software written by a teen with a chip on his/her shoulder is no longer a concern. Today, these onslaughts are being carried out by large criminal organizations, who do have malicious intent, and have found out that these scams and attacks are also very lucrative. What’s worse is that the people doing this are extremely talented and savvy software creators who are constantly devising new ways to get deeply into the pockets of the ordinary computer user.

For most, all that is wanted is to turn on the computer and get email, check accounts, and do some online shopping. Security, although they care about it, is something most users do not want to know the juicy details of: how it works, and what dangers to look for. They simply want a machine that works and is safe to use. Unfortunately, that is not the way of today’s computing. Even so, simple is better to most users. SSL/TLS, file encryption, WPA2, and the like are all things that the ordinary computer user does not want to know about, or even care about. And quite frankly, why should they? Computer aficionados thrive on this sort of stuff, but for the normal user……no!!! The casual user knows that an anti-virus software will keep them safe. Some may even use an additional anti-malware scanner, but will rarely use it to fully scan the computer. Firewall…..I know I need one, but what is it? But even with these tools, our computers are still not safe from becoming compromised.

The major anti-virus companies will all admit that this is a hurry-up-and-catch-up game. The bad guys always seem to be one step ahead of the good guys, sometimes quite a few steps ahead actually. The AV manufacturers are always trying to lessen this lead, but like I said earlier, this is no teen with a bad attitude; these are savvy, technical, and treacherous organizations that are making our life online hell. When a new bug is released into the ‘wild’, it takes the anti-malware companies time to find it, reverse engineer it, and then launch a fix for it. Heuristics have helped in this matter, but have also created some new problems, namely false positives. Heuristics is a method of scanning your computer in which the anti-malware software is not looking for specific malware, but only for malware-like activity, such as registry entries being changed. As a result, false positives are becoming more prevalent, in which the anti-malware software falsely flags a threat when it is really a legitimate act. Holes/vulnerabilities that are found in software, and then fixed through software updates, are still being exploited, because the average user does not know enough, or care enough, to get the update. Time is expensive, and updating software can be time consuming, and all the user wants to do is turn the machine on, do what they need to do, and move on to the next item on their agenda. Look at the Conficker worm: a patch and a fix for this bug was issued long ago (Oct 2008) and yet, it is still out there.

So where do we go from here?

Well, short of turning off the internet, re-working the entire infrastructure, and then turning it back on again, we have only a limited number of tools at our disposal. However, the strongest of these is education. The word has got to be spread throughout the computer world about the need to protect one’s self while on the internet. I certainly do not mean that everyone needs to become a computer security guru, but general knowledge of things to look for would definitely make it less easy for the bad guys to get in. Even then, it is still going to be happening. There is money to be made, and like I said earlier, these bad guys have found out that there is a ton of it to be scammed.

In the end, this is the way it is, and appears to be the way that it will remain in the immediate future. In fact, the chances are that it is going to get more volatile out there. The one true weapon that we all have to battle this Armageddon on the internet is our ability to use common sense. That is our most powerful weapon; without it, we are doomed. Add a small dose of knowledge, and we could vastly hamper these attempts at ruining our lives. We need to keep our critical personal data safe and secure; knowing what is OK to become public knowledge and what could hurt us is paramount. I would never post my banking information on the internet, although many people have clicked on links in emails stating that their accounts have problems, and entered banking credentials. You may as well have posted it directly to the public internet. It is things like this that make it easier for the bad guys to successfully do what they do. A pound of common sense, coupled with a sprinkling of knowledge, is our greatest weapon.

What Are Your Thoughts??

Google Attains Superpower Status

Posted in All Posts, Computers, News, Tech News on January 29, 2010 by The Edible Earth

Hacked…..companies and even governments get hacked and information stolen, what seems like, on a daily basis. Corporate espionage has been around since the Internet began. They come and they go. They’re news one day, and “old” news the next.

Remember, just a few months back, when the United States Power Grid was found to be infested with trojan horses? Yeah, that was news and it was covered by the media. But how long did it make the headlines…..a day or two is all. The Power Grid was hacked….that is big!!

Remember when Citicorp was found to have been hacked….probably not, as it never made the headlines, it was a secondary story at best. OK, you may say that this was because it was denied by Citicorp, but it never even made the news.

Conficker, yeah now that made the headlines, the ‘worm’ did. But what about the destruction that it caused. You probably are not aware that the University of Utah was infected back in April causing their network to have to be shut down. Check out my post HERE.

Or maybe that, more recently, in December, New Zealand’s Waikato Health Board was infected with this nasty worm causing health services to be disrupted over a large area of the island nation. Again, check out my post HERE.

OK, I agree, these may not have been direct attacks, but it was a hack, nonetheless. Services were disrupted, and an attempt was made to compromise information. That is a hack.

Well now it appears it has happened to the wrong company. Google has been in the news, and in blog posts, for weeks now. Did you know that many other companies and organizations were infiltrated also? Probably not. Adobe has been in the news as they were also hacked at the same time that Google was, but only as an ‘honorable mention’ in a Google headline. The culprit has been speculated to be the People’s Republic of China, but no incriminating evidence has been found directly implicating China.

Google and 32 other companies. Like I said, one is Adobe, but I have not heard them mentioned in a headline. Adobe is huge, almost every single computer user has something made by Adobe on their machine, whether it be Flash, Reader, Acrobat, Photoshop, Shockwave Player, etc. You see where I am heading. Who are the other 31 companies?

So why Google? Google is truly a superpower and is the ‘only’ company that could possibly have done what they have done….threaten the Chinese Government. Threatening to pull completely out of China is huge. Although they only maintain about a 30% share of search in China compared to Baidu’s 70% market share, it is not only Google Search that is in jeopardy here. There is also Google’s multitude of services that are offered. Docs, Reader, Gmail, Maps, Calendar, and all the rest of Google’s Services would also be gone.

Google even prompted a response from the United States’ Government. A speech given by Secretary of State Clinton called on China to “Explain Themselves”. This is unheralded in the tech industry. Microsoft has been involved in many incidents that have made the headlines, but never to the magnitude that Google has.

So why is Google getting all the press, being backed by the U.S. Government? Because they have called out China and have succeeded. China is on the defensive. Although they are playing hard line, the fact of the matter is that if Google were to pull completely out of China, it would be painful for them. Not only is Google a major internet player in China, Google is also the one and only entity that could feasibly have the potential to return the favor. Of course, this is radical talk, and would never happen, but I am sure that it weighs on the minds of the Chinese Government.

Google has become such a force that almost everything revolves around what they are doing. Microsoft, although it has come close in its time, has never had the same clout that Google has. Apple has a habit of monopolizing the tech news with every one of their new releases, like with their release of the iPhone, and, more recently, the iPad, but never to the same level that Google has. Google has become a ‘Superpower’ of sorts, and has the ability to push, and push hard. Thankfully, that is not the Google way, but it will certainly be interesting to see how the standoff with China turns out. Will Google fold to the enormous financial possibilities in China, or will they stand strong and be a determining factor in the ‘Human Rights’ issues in the Far East nation?

Wouldn’t it be nice to see Microsoft, Yahoo, and other major tech companies stand tall, and join Google in this stand-off?

It remains to be seen……

Thanks for asking, I Am Fine!!!

Posted in All Posts, Computers, Helpful Hints, News, Security, Tech News on December 30, 2009 by The Edible Earth

Wow, It’s Been Awhile…..

Yes, it has been a while. But guess who has reared its ugly head once more? None other than Conficker!!

New Zealand’s Waikato District Health Board has announced that the Conficker (aka Downadup) Worm has infected its entire hospital network. The problems were first discovered on Thursday, 12/17, and Microsoft was called in to diagnose the problem. Two hours later, Conficker was found to be the culprit. This forced 3,000 of the District’s networked computers to be shut down. This caused the 7 hospitals in their network to urge patients not to seek care at their facilities, unless it was an absolute emergency.

The Conficker worm, which has become the most prolific computer infestation in history, is estimated to infect up to 15 million different computers, although, due to the difficulty in tracking this worm, estimates range from a low of 5 million infected computers, each serving as a ‘zombie’ in its vast botnet. For a reminder regarding Conficker, you can check out my past post from 1/23/09 HERE and from 3/25/09 HERE, once again on 4/12/09 HERE.

But here is the part that gets me. How and why did this worm get into that hospital’s network? First off, where was their IT staff? Conficker, although prolific, is not something that any computer should ever become infected with as long as proper security measures are in place. When the worm was first detected in 2008, and found its way into computer systems due to an exploit in the Windows Operating System (OS), Microsoft reacted quickly and on October 23, 2008, issued a patch (MS08-067) which closed the hole in the OS. They then pushed out a tool known as the Malicious Software Removal Tool or MRT, which effectively could remove the malware from an infected computer. It is true that the initial spread of this malware was through external USB storage devices, such as thumb drives, which were inserted into “Auto Run” enabled computers, but the fact remains that a simple update and scan using the MRT should have removed the worm. The fact that Conficker, like I said earlier, may still infect up to 15 million computers is appalling, since a patch and fix for it has been available for 14 months now.

So let’s all make sure that we are updated. Using Internet Explorer, go to http://www.update.microsoft.com and check to make sure that you have all the critical updates that are available. Keep checking until there are no more updates available. Then make sure that Automatic Updates is turned on. Next make sure that your anti-virus software is up to date. Don’t have an anti-virus software? Then check out my recommendations HERE. And lastly scan using the Malicious Software Removal Tool. Don’t know how?? Click HERE.

Although this is news, in my opinion, an organization such as this should be embarrassed that this incident has occurred. No major organization, with a competent IT department, should ever run into a situation like this. Of course, sabotage is always something to investigate, but under normal circumstances, Conficker should technically be dead and buried by now.

What are your thoughts regarding the Conficker worm…..

Leave a Comment!!

iTunes….What are you doing???

Posted in All Posts, Computers, Helpful Hints, News, Security, Tech News on November 11, 2009 by The Edible Earth

I’ve mentioned in past posts the dangers of the AutoRun feature in Windows. I think Microsoft has finally recognized this too, as in Windows 7, it is finally disabled by default. If you missed my earlier post, you can check it out HERE. But now it seems other software, namely iTunes, is looking to turn this feature back on. Hang on, I may be getting a little ahead of myself.

For those of you who do not know what AutoRun is, it was implemented by Microsoft all the way back in the Windows 95 operating system. Originally, it was not that bad of an idea. It was a way in which software manufacturers could ensure the proper installation of their software on systems which had a user who was not very tech savvy. When a properly formatted CD was inserted into a computer, the system would simply just start loading the information off of the disk, no questions asked. In the day, this greatly reduced assistance calls to software manufacturers’ help lines. So initially, it was not a bad idea.

However, like most things in this day and age, hackers found ways to exploit it.  By infecting any removable media device, such as a CD/DVD, flash (thumb) device, or external hard drive, and plugging it into a computer that is AutoRun enabled, it would simply load the malware onto the clean computer without the user’s knowledge or action.  This was the primary venue in which the Conficker Worm was started.

So now getting back to iTunes.  When an audio CD is inserted into a computer running Windows 7, iTunes will prompt you with a message that looks like this.

[Screenshot: first iTunes pop-up]

Do NOT turn the AutoRun functionality on. It was disabled, by default, for a very good reason.  Just click No.

After, iTunes will then present you with another pop up that looks like this….

[Screenshot: second iTunes pop-up]

Press F5 so that you can see the contents of the disk. This is not 100% secure, but it is much safer than turning on AutoRun. From here you could even scan the disk with your anti-malware software if there are any questions about its security.

I don’t think that Apple is doing anything malicious by doing this. It may be that it simply was not prepared for this functionality being turned off in Windows 7, even though Windows 7 has been available for almost a year, in beta versions.  But that is not the issue. The issue I have, is why are the pop-ups being displayed in this order?  It seems to me that they are backwards. The first message is deceiving, at best. It gives the impression that iTunes will not be able to play the user’s CD unless the AutoRun is enabled……period. The pop-up should tell you to view the contents of the CD by pressing “F5”, and then prompt you to enable the AutoRun, if you should desire. Although I have no idea, from a security standpoint, why anyone would do that.

That is the way I see it, let me know what your views are……

AutoRun Function – Security Risk

Posted in All Posts, Computers, Helpful Hints, Tech News on August 6, 2009 by The Edible Earth

This piece may, quite frankly, be of absolutely no interest to many of you as most do not even know what this is. I believe that the AutoRun feature in Windows is a huge security risk, especially since the Conficker hullabaloo. But now, don’t let me get ahead of myself. First things first….

What is AutoRun?

AutoRun is a feature in Windows in which you can dictate what action your computer will take when a drive is mounted.  Meaning, when you insert or plug in a cd/dvd, thumb drive,  or any other external data source, you can tell the computer what you want it to automatically do with it.  You can specify anything from automatically downloading data off of the source, to doing absolutely nothing.  The latter is my preference, when I plug a thumb drive into a USB port, I do not want the computer to do anything.  Unfortunately, Microsoft thought otherwise when it released XP and Vista.  Now in their (Microsoft’s) defense, when XP was released it really was not such a big deal to have iTunes or Media player open and start playing a CD as soon as it was loaded into the computer.  However, it has now become a real big security risk.  Conficker was originally spread using infected thumb drives.  Once an infected thumb drive is inserted into an AutoRun enabled computer, it would automatically download the worm, without the user doing anything.  I want to see what is on the disk before anything is started.

This has been a venue for spreading malware for a long time.  In the early days, all malware was spread through infected floppy disks as the internet was not a viable venue.  Now, however, let’s say that you visit the library or any other public location where a computer is available.  You do a search for some information and decide to download the info and put it on your thumb drive. Well, if that computer that you are using is infected, now your thumb drive is also infected, so as soon as you plug that into your own AutoRun enabled computer, your own computer is now infected.  From there you can spread the malware via email, IM’s, etc, without you even knowing.  You get the gist.

So how do you disable this function?  Well, it is not for the faint of heart as it requires making a registry change.  Now before we get started, let me tell you that changing registries can be dangerous, changing the wrong registry entry could cause your computer to crash and worse yet, not even boot. So, if you are not adventurous, DO NOT ATTEMPT THIS!!!! Also, you have to make sure your version of Windows is completely updated.  If you are not sure whether you have all the updates, using Internet Explorer, go HERE to check. (THIS IS IMPORTANT)

But for the courageous, like me, let’s start at the beginning.  Just in case, make sure all of your personal data (ie. Music, Photos, Documents, etc.) are backed up on an external drive.  If you are not sure, check out my post on backing up HERE.  The next thing that you need to do is back up all of your registry entries.  This is pretty simple.

Using XP, click on the Start menu and select Run.  In the dialog box, type “regedit.exe” without the quotes of course.  In Vista, click the Start Menu and in the search dialog type “regedit.exe”, again without the quotes. In both instances click Return (Enter).  From here the two operating systems have the same procedure.  In the left hand pane of the window that opens, make sure that the My Computer (Computer, in Vista) option is selected.  It will be all the way at the top.  DO NOT CLICK ON ANYTHING ELSE!! Then in the title bar, select File>Export, then select the location where you want to save this backup and the name of the backup. I recommend just saving it to your desktop, you can move it later if you so choose.  Select Save, and the backup will be created.  Close out the Registry Editor and restart your computer.  Once it restarts, make sure that the registry backup that you just made is on your desktop. You may need this should something go horribly wrong with the next step.

Now it is time to get your hands dirty.  Do not attempt the following if you have not backed up your data and your registry.

I was going to explain how to navigate through the file system in the Registry Editor, and I do not mean this in a demeaning manner, but I decided against it, as if you do not know how this is done, then you probably should not be attempting this.

OK, here we go.  In XP, click on Start>Run….in the dialog box type “regedit.exe” (you already know not to use the quotes). In Vista, click on Start, then in the search dialog type “regedit.exe”.  Now comes the fun.  From here you need to navigate to the following:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer

Once there, double click on the “NoDriveTypeAutoRun” option, which will be in the right hand pane.

Now in the “Base” field, make sure that “Hexadecimal” is selected; it should be by default. Then in the “Value Data” dialog box, change the value to “FF” (no quotes). Then select OK and you are done. Restart your computer. Now when you plug in any external data device, like a CD/DVD, thumb drive, etc., your computer will do nothing. You will need to navigate to it using My Computer (XP) or Computer (Vista) and open the files manually. This will give you time to inspect the volume’s content and scan it for malware, before actually mounting the drive. Security wise, this is much safer than allowing the drive to mount itself and just do its thing, which may be to download malware. You just never know.
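The same change can be scripted. The PowerShell below is an added example, not part of the original post: it reads the current NoDriveTypeAutoRun value, shows which drive types it covers, backs up the key and then writes the post's value of FF. It assumes the value is stored as a DWORD, it exports only the Policies>Explorer key rather than the whole registry as the manual steps do, and the function names and backup file name are made up for illustration.

```powershell
# Added example: audit, back up and set NoDriveTypeAutoRun for the current user.
# HKCU needs no elevation. Assumes the value is stored as a REG_DWORD.

$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$Desired   = 0xFF   # the post's value: AutoRun off for every drive type

# Each set bit turns AutoRun OFF for one drive type (0x02 is not used by this policy).
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' }
    @{ Bit = 0x04; Name = 'Removable (USB thumb drive)' }
    @{ Bit = 0x08; Name = 'Fixed disk' }
    @{ Bit = 0x10; Name = 'Network drive' }
    @{ Bit = 0x20; Name = 'CD/DVD' }
    @{ Bit = 0x40; Name = 'RAM disk' }
    @{ Bit = 0x80; Name = 'Unknown drive type (reserved)' }
)

# Hypothetical helper: return the value from HKCU or HKLM, or $null if it is not set.
function Get-AutoRunValue {
    param([string]$Hive)
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return $null
}

# Hypothetical helper: decode a value into one row per drive type.
function Get-AutoRunCoverage {
    param([int]$Value)
    foreach ($t in $DriveTypeBits) {
        [pscustomobject]@{
            Bit             = '0x{0:X2}' -f $t.Bit
            DriveType       = $t.Name
            AutoRunDisabled = [bool]($Value -band $t.Bit)
        }
    }
}

# Per Microsoft's documentation of this policy, a machine-wide value overrides the per-user one.
$machine = Get-AutoRunValue -Hive 'HKLM'
if ($null -ne $machine) {
    Write-Warning ('HKLM value 0x{0:X2} is set and takes precedence over the per-user value.' -f $machine)
}

$current = Get-AutoRunValue -Hive 'HKCU'
if ($null -eq $current) {
    Write-Host "$ValueName is not set for this user; the Windows default applies."
} else {
    Write-Host ('Current value: 0x{0:X2}' -f $current)
    Get-AutoRunCoverage -Value $current | Format-Table -AutoSize | Out-String | Write-Host
}

if ($current -ne $Desired) {
    if (Test-Path "HKCU:\$SubKey") {
        # Back up the key before touching it; stop if the export fails.
        $desktop = [Environment]::GetFolderPath('Desktop')
        $backup  = Join-Path $desktop ('Explorer-policies-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export "HKCU\$SubKey" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
        Write-Host "Backup written to $backup"
    } else {
        New-Item -Path "HKCU:\$SubKey" -Force | Out-Null
    }

    New-ItemProperty -Path "HKCU:\$SubKey" -Name $ValueName `
        -PropertyType DWord -Value $Desired -Force | Out-Null

    $new = Get-AutoRunValue -Hive 'HKCU'
    Write-Host ('New value: 0x{0:X2}' -f $new)
    Get-AutoRunCoverage -Value $new | Format-Table -AutoSize | Out-String | Write-Host
}
```

Double-clicking the exported .reg file restores the previous value; as with the manual steps, restart before testing with a drive.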

Wow, that got pretty geeky.

WHAT FUN!!!!

Patch Tuesday

Posted in All Posts, Computers, Helpful Hints, News, Tech News on May 12, 2009 by The Edible Earth

Just a reminder!!!! Today, 5/12/09 is “Patch Tuesday”. The second Tuesday of every month is the day when the monthly security and software updates become available for your Windows machine. It is critical that these updates are done each and every month. The Conficker worm is a prime example of how important these updates are. If all Windows machines had been updated in October, the Conficker worm would probably not have propagated so efficiently. Anyway, you should have Automatic Updates turned on, on your machine, so that all critical updates are automatically downloaded and installed on your machine. It is recommended that you turn “Automatic Updates” on as there are times when “Out of Sequence” updates occur mid-way through the month, and if you do not have them turned on and do not manually check weekly, you will miss the critical update, and by the time you manually get them, it may be too late. But, if you don’t have “Automatic Updates” turned on (or are not sure whether you do or not), then you must go to Microsoft’s website and download them manually. To get your updates manually, click HERE. Note that this link will not work unless you are using Microsoft’s Internet Explorer. Other browsers like Firefox, Safari, or Opera will not load the page.

If you want to get more information regarding Windows updates such as: What they are? or How do I configure my machine to receive them automatically?, click on one of the following links to get information specific to your machine.

For more Update information for Windows XP, click HERE……

For more Update information for Windows Vista, click HERE…….

Conficker is Alive (and Well)!!!!

Posted in All Posts, Computers, Helpful Hints, Tech News on April 12, 2009 by The Edible Earth

Conficker, aka Downadup, seems to have awoken and has become active. After the hype created on April 1st, it appears that the worm has waited 1 week, as on Wednesday April 8th it reared its ugly head. We all knew that a piece of code that is so expertly written, albeit devious at the same time, was not just going to sit there and do nothing. It now appears that things are starting to happen.

On April 12th, the University of Utah confirmed that their network was infected with a variant of the worm. The worm was first detected on Thursday, April 9th and by Friday had infected more than 700 systems, including those of their 3 hospitals. Conficker, which will slow systems down, is also capable of erasing data and stealing personal information. University Officials confirmed, though, that personal medical information at the hospitals is secure and that nothing has been compromised. As a security precaution, however, the university did shut down all internet access to some campus locations for up to six hours on Friday, in order to isolate the worm.

Conficker is also responsible for a new rogue scareware tactic known as Spyware Protect 2009. This is an old money making scheme in which a pop-up will appear warning of dangerous malware on your computer. And for the bargain price of $49.95, it will remove it. The sinister thing is that the removal tool is the worm, and by entering any credit card information into it, the scammers will be laughing all the way to the bank……YOUR BANK!!!! Please do not fall for these scams. Remember, a web site cannot tell whether your computer is infected with malware. Here is a good TIP to show you how to tell the difference between scams and legitimate warnings.

Conficker has also been seen to have direct connections to the Waledac Trojan, which leads me to believe that Conficker is also sending or planning on sending a large amount of spam from its Zombie computer network. The funny thing about the Waledac (aka Storm) Trojan, though, is that it propagated very well in early 2009, but has sent relatively few spam messages. Teamed with Conficker may be another issue though. Click HERE to read an article from PC World regarding Waledac and other botnets.

Conficker first appeared back in November 2008 and can infect any Windows computer running 2000 or above, including XP, Vista, and Windows 7 Beta. It uses a hole in the Windows Server service, which Microsoft discovered and patched in October 2008 with its MS08-067 Security Bulletin. Sadly, many computers, for whatever reason, never were patched, which would have stopped Conficker in its tracks. Microsoft patched the hole and updated its Malicious Software Removal Tool to remove Conficker from infected systems. Yet somehow, the worm still survived and spread. Once a system is infected with this worm, it may shut down and prevent any further Windows Updates, as well as not allowing any malicious software removal tools to run on the infected system.

What is even more threatening is that Conficker is currently trying to spread to more systems, thus creating an even larger botnet. By connecting to sites like MySpace.com, CNN.com, MSN.com, eBay.com and AOL.com, it is searching for more computers connected to the internet that may not have received Microsoft’s critical update in October. Also, by using Conficker’s P2P (Peer To Peer) technology, it will be able to contact other infected host computers, which may not have received the new “instructions” on April 1st, and can then update them with the current variant. This test is supposed to end on May 3rd, at which time it may sit and wait for new instructions on what it should do next. At that time it will delete any trace that it had ever been there in the first place. No files, no registries, no nothing; however, it will remain on the infected computer and will just sit quietly awaiting new commands from its master.

The ironic thing about this worm, is that once it infects a new system, it will patch the hole in Windows by itself, in order to keep other malware from using the same opening that it used to infect the system.  Microsoft, who has done a good job at attempting to corral this worm, has offered a $250,000 bounty on anyone who can discover who is responsible for Conficker.  Many believe that the creators are located somewhere in the Ukraine.

Are you afraid that you may be infected? Symantec, Trend Micro, F-Secure and other security firms all offer free removal tools from their websites. However, if you are infected, the worm will most likely block any attempts at reaching these sites in order to prevent its removal. If you are being blocked from reaching any of these sites as well as Microsoft’s website, then there is a genuine risk that you may be infected with Conficker. You can visit the Conficker Working Group’s website to learn more about removal. Their Conficker Eye Chart is a good way of telling whether you are infected. This tactic of shutting down removal options is used by many other malicious programs, though, and is not a surety that you are infected with Conficker. However, if you are being blocked, then even though it may or may not be Conficker, the chances are great that you do have something on your system.

Conficker does not affect Unix, Linux, or Apple’s Macintosh Operating Systems.

April 1st…….D-Day????

Posted in All Posts, Computers, News, Tech News on March 25, 2009 by The Edible Earth

Remember Downadup, aka Conficker? I posted about it a couple of months ago, when it first became news. Well now the thing has become even bigger news. The Downadup worm that I wrote about was the first version of this worm. Well now it has mutated, so to speak. Downadup initially became news when it quickly infected over 11 million computers, and when I say quickly, I mean within a week. And mind you, the spread of this worm was because of computers that, for whatever reason, were not updated with Microsoft’s latest updates back in October 2008. Well, a concerted effort by anti-virus vendors to track this worm down and shut it down was initiated. Now not to fault the cause, this effort probably caused a mutation of this worm to what was known as Downadup B. When this version was reverse engineered, it was found to have a database of around 250 websites which it was to use to “phone home”, on February 12th, in order to get further instructions on what it was supposed to do. Once this was discovered, quick action was taken to shut these domains down, thus not allowing the worm to phone home.

This now brings us to Downadup C. In a brilliant, although devious move, the worm has now mutated once again and will no longer try to connect with the 250 domains. Instead, it has been re-scripted to attempt to contact, not 250, but 50,000 possible domains. The 250 domains could be managed, but 50,000 is going to be just about impossible. What’s more, when this newest version was reverse engineered, it was also found that its time to phone home is almost here. April 1st. This is a notorious date in history for viruses and worms to activate. But nothing that we have seen in the past compares to what this is capable of. The one thing that we do NOT know is exactly what Downadup is going to actually do. Anything from data erasure, to attacks on particular networks, to identity theft, to denial of service attacks are all very real possibilities. For those of you who do not know what a denial of service attack is, it is basically a mass attack on a particular site’s server(s). This is accomplished by the use of a botnet, which is a network of stolen computers which the hacker controls. By causing these thousands, to sometimes hundreds of thousands, of stolen computers to simultaneously attempt to contact a particular website’s servers, it causes the servers to overload and crash, thus shutting down the website.

I personally feel that this thing is going to die a quick death, but who knows.  I guess we will find out on April 1st. One thing for sure, make sure that you have all the current Microsoft Updates.  You can get them by going HERE in Internet Explorer.  It will not work in any other browser.

It will be interesting to see what happens on April Fool’s Day!!!!

Who will be the Fool though???

Let me know what you think…….