Why your anti-virus software may soon be worthless

August 10th, 2008


The controversial Race to Zero contest held during Defcon in Las Vegas rendered several common computer viruses undetectable by most popular anti-virus products.  The issue was not that it was accomplished, but the speed with which it was done.  Teams of security researchers took common computer viruses and obfuscated them past the scanners in just a few hours.

What this means is that it is possible TODAY, with a few hours of work, to render many destructive worms and viruses undetectable to a signature scanner.

This exercise demonstrates how the now 20+ year old technology of signature-based detection is, on its own, no longer a reliable way to detect and prevent virus and worm infections on a network.  Signatures still catch what is already known; they cannot catch a sample that was repacked an hour ago.

Simon Howard, the New Zealand-based security researcher who sponsored the contest said, "Behavioral recognition is the way forward, but it’s only in some of the desktop anti-virus software and not in any of the server software."

One of the true behavior-based products out there is Norman Virus Control.  We have found that our Norman customers have fared better than users of other AV products, the main reason being the Norman Sandbox, which runs a suspect file in an emulated environment and judges it by what it does rather than by what it looks like.

The Norman Sandbox is a real behavioral-based AV system for servers and desktops.  For more information, see our Norman page here.

We have customers who have gone years without infections with Norman.  Contact us about trying Norman Virus Control.  sales AT gnscon.com or +1 814-620-2006

Finally Some More Good News From Microsoft

August 8th, 2008


Anyone running a Microsoft server knows about Patch Tuesday, the day Microsoft announces vulnerabilities and security patches for its products.  Sadly, "Exploit Wednesday" is becoming more frequent: attackers compare the patched and unpatched binaries and have a working exploit within a day of the release.  The growing number of zero-day exploits has led Microsoft to begin sharing security information ahead of time with key software partners.

Yesterday, Microsoft announced a plan to share vulnerability information in advance with key partners so that customer data is better protected.  This is a major shift for a company that has normally kept such details secret until the patch ships.

See the press release here

From my vantage point this is a good thing.  The key in all of this now is how the software partners respond.  Will they be able to reduce or eliminate the threat of Exploit Wednesday?  If the program works, we should see the effects quickly, probably within a few months.

FaceBook Reveals Private Information

August 8th, 2008


Sophos demonstrated the other day how someone could find out the date of birth of a FaceBook subscriber even if it was made private.

Again the moral of the story is to never give anyone any information you wouldn’t want to be made public.

Last year, Sophos published the results of an identity theft probe into Facebook which found that 41% of users would divulge personal information - such as email address, date of birth and phone number - to a complete stranger.

Well it is Black Hat, so what do you expect?

August 8th, 2008



This week, the famous hacker group Wall of Sheep performed their regular routine of demonstrating how insecure wireless Internet connections actually are at Black Hat.

The group ‘sidejacks’ users it finds on insecure wireless connections and then posts their names and other information (minus the actual passwords, of course) on a display board.  Sidejacking means joining the same wireless network, capturing the session cookies that web sites send in plaintext HTTP, and replaying them from the attacker's own browser, so the attacker lands in the victim's logged-in session without ever needing the password.  This year the list contained security professionals and people from major government agencies.  It's done as a means to demonstrate the severity of Wi-Fi's inherent insecurity.
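To make the sidejacking mechanism concrete, here is an added example (not code from the original post or from the Wall of Sheep) that does what a sniffer on an open wireless network does with reassembled application data: it keeps session cookies and posted passwords from plaintext HTTP and gets nothing from a TLS record. The three captured payloads, the hostnames, the cookie and the credentials are all constructed for the illustration.

```python
"""Added example, not from the original post: what a wireless eavesdropper
can lift from plaintext HTTP, and why the same traffic over TLS yields
nothing usable. All captured data below is constructed for illustration."""
from urllib.parse import parse_qs

# Constructed application-layer payloads as a sniffer on an open or WEP
# network would reassemble them. Hostnames, cookie and credentials are made up.
CAPTURED = [
    (b"GET /inbox HTTP/1.1\r\n"
     b"Host: webmail.example.com\r\n"
     b"Cookie: SESSIONID=8f3a1c9d2b7e4f60; lang=en\r\n\r\n"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: intranet.example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 30\r\n\r\n"
     b"user=jdoe&password=Summer2008!"),
    # A TLS application-data record: 5-byte header, then ciphertext only.
    b"\x17\x03\x01\x00\x20" + bytes(range(32)),
]

SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def classify(payload):
    """Return 'http' for a plaintext request, 'tls' for a TLS record, else 'other'."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record types 20-23 with major version 3 (SSL 3.0 / TLS 1.x).
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "tls"
    return "other"


def parse_http(payload):
    """Split a raw request into method, path, a lower-cased header dict and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def harvest(captures):
    """Return what a sidejacker keeps: session cookies and posted credentials,
    each tagged with the host they belong to. TLS records contribute nothing."""
    findings = []
    for payload in captures:
        if classify(payload) != "http":
            continue
        method, path, headers, body = parse_http(payload)
        host = headers.get("host", "?")
        for pair in headers.get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name and any(h in name.lower() for h in SESSION_COOKIE_HINTS):
                findings.append(("cookie", host, name, value))
        if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
            form = parse_qs(body)
            for field in form:
                if any(k in field.lower() for k in ("pass", "pwd")):
                    findings.append(("credential", host, field, form[field][0]))
    return findings


if __name__ == "__main__":
    for item in harvest(CAPTURED):
        print(item)
```

The cookie line is the whole attack: with that `SESSIONID` value pasted into a browser, the attacker is logged in as the victim. The TLS record carries the same kind of request, but only the 5-byte record header is readable, which is why encrypting the transport (not just the wireless link) is the fix.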

How do you keep your Wi-Fi safe?  Well that’s not an easy answer.  You can make Wi-Fi relatively safe if you control the environment but in public places such as hotels and hotspots, it takes some doing.

First off, you need to realize that even in a controlled environment like your home or business, WEP, the original Wi-Fi encryption standard, only protects against people who don't know how to crack it.  With freely available tools it takes only a few minutes to recover the key, rendering the encryption useless.  The newer WPA (and WPA2) is considerably better, but with a pre-shared key its strength is the strength of the passphrase: an attacker who captures the handshake can run a dictionary attack offline, so a short or common passphrase falls in hours.  Instructions for all of this are widely available on the Internet.

The best way to protect your wireless network is to use WPA with a long, random passphrase on your access points AND to encrypt the traffic itself with some sort of transport-layer encryption on your home or company LAN and WLAN.  In less technical terms, that means using SSL (TLS) for your internal web applications, mail and remote administration, so that a compromised wireless key does not hand over passwords and session cookies.  It's neither hard nor expensive to implement.

Open and public WLANs are another story.  Basically, unless your company has an encrypted Virtual Private Network (VPN), you shouldn't use a public WLAN for anything other than casual browsing, IF THAT.  Absolutely nothing where an ID or password is passed to a web site or host unencrypted.  A VPN is a secure channel between the remote user and the corporate network; configured as a full tunnel, it encrypts everything the laptop sends before it touches the air, so the hotspot sees nothing but the tunnel.

For those of us who travel, this can be a real pain.  However, since the cost of installing a VPN these days is very low, every company should install one.  Most good firewalls today offer a VPN function.  You just need to take advantage of it.

If you would like to find out more about WLAN security or implementing a VPN, please contact us.  

Office Live Users Get Apology from McAfee

August 7th, 2008


If you use Microsoft Office Live and McAfee AV, you probably lost your Live Update program this week.  The reason: McAfee AV wrongly identified the Live Update program as a Trojan and deleted it.  It appears to have been an honest mistake, and yesterday McAfee apologized for it.  If you didn't notice it, you may want to check your Office Live Update to see if it works.

False positives are rare, but they do happen.  I had one this week also.  My AV software flagged a file within PC Tools Spyware Doctor as the Hupigon Trojan; it was a false positive.  These things occasionally happen and are usually corrected quickly by the vendors.

Security Researcher Charges Many Companies Are Complacent Regarding BotNet Infections

August 6th, 2008


In an article from today's NY Times, John Markoff quotes Rick Wesson, a security researcher at Support Intelligence, a company that tracks botnet computers, as saying

“The rate of infection [of botnets] is still high, but concern among corporations is low… Many corporations seem to think it’s O.K. to be infected several times a month.”

He says this because it was discovered recently that a Russian hacker gang whose botnet controlled about 100K computers had been re-infecting large corporations and even a state police agency.  The infections were removed, but the admin passwords were not changed, which made re-infection easy.  Although the details are sketchy, the gang appears to have used Microsoft's own software distribution tooling to push the malware to many of the computers.

The juicy details will be released over the next few days at Black Hat.

There are always lessons learned from these breaches. 

  1. It’s not only important to remove an infection but to find the source of the infection and remove it.
  2. Breaches involving Trojans, backdoors or keyloggers (such as CoreFlood, the one used here) should prompt a complete change of all admin passwords.  Going through this is “bloody” in some cases but the alternative as we have seen is worse.
  3. Forensic data must be kept.  That's why having logging enabled on all devices and having some form of log consolidator is so important.  Logs give you the evidence you need to locate infections, track the sources of infections and support law enforcement agencies in a criminal prosecution.  Forward them to a separate log server as they are written; an intruder holding admin rights can clear the logs on the machine itself, but not the copy that already left it.
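The re-infection pattern described above, one set of admin credentials used over the network against many machines in a short span, is exactly the kind of thing consolidated logs let you detect. Here is an added example (not from the original post, and not tied to any vendor's log format) that runs that detection over a handful of constructed logon records: it groups successful network logons by account and source address and flags any pair that reaches several distinct hosts within a few minutes. The generic `key=value` line layout, the host names, the account names and the addresses are all assumptions made for the illustration.

```python
"""Added example, not from the original post: a detection over consolidated
logon events for one administrative account fanning out to many hosts from
one source in a short window. Log lines are constructed in a generic
key=value form, not any vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of consolidated logon records. Hosts, users and IPs are made up.
LOG_LINES = [
    "2008-08-05T09:00:12 host=WS-041 user=CORP\\jdoe type=interactive src=10.1.4.22 result=success",
    "2008-08-05T09:02:40 host=WS-041 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T09:02:41 host=WS-042 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T09:02:43 host=WS-043 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T09:02:44 host=FS-01 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T09:02:46 host=WS-050 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T09:02:49 host=WS-051 user=CORP\\svc-deploy type=network src=10.1.9.7 result=success",
    "2008-08-05T11:30:00 host=WS-041 user=CORP\\helpdesk type=network src=10.1.2.5 result=success",
    "2008-08-05T14:10:00 host=WS-060 user=CORP\\helpdesk type=network src=10.1.2.5 result=success",
]

# Accounts with administrative rights; in practice this list comes from the directory.
ADMIN_ACCOUNTS = {"CORP\\svc-deploy", "CORP\\helpdesk", "CORP\\Administrator"}


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed 'time'."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_fanout(lines, admin_accounts=ADMIN_ACCOUNTS,
                window=timedelta(minutes=5), min_hosts=4):
    """Flag (user, src) pairs whose successful network logons with an admin
    account reach at least `min_hosts` distinct hosts inside `window`.
    Interactive logons and non-admin accounts are ignored on purpose."""
    by_actor = defaultdict(list)
    for event in map(parse_line, lines):
        if (event.get("type") == "network" and event.get("result") == "success"
                and event.get("user") in admin_accounts):
            by_actor[(event["user"], event["src"])].append((event["time"], event["host"]))

    alerts = []
    for (user, src), events in by_actor.items():
        events.sort()
        # Slide a window from each logon; the first window that hits the threshold is enough.
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts), "start": start})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(LOG_LINES):
        print(alert)
```

The helpdesk account touching two machines five hours apart is normal administration and is not flagged; the deployment account hitting six machines in nine seconds from one source is either a legitimate push or the re-infection described above, and either way someone should look at it. Tune `window` and `min_hosts` to your own environment's baseline.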

USB Drive Gotcha Again

August 5th, 2008


A financial analyst for Countrywide Home Financial, the troubled mortgage lender, reportedly stole over 20,000 customer profiles per week for about two years.  The data was stolen on USB drives.  Although Countrywide had technology in place to disable flash drives on employee computers, the analyst used a PC where the protection was not installed.

The moral of the story is that if you are going to install security software on every PC except one or two, you might as well not install it at all.  People talk.  Someone will spill the beans, and when one person knows, everyone knows.

One of the things we highly recommend is using USB policy management on ALL PCs.  There are two general ways to approach this problem.  The simplest is to disable USB storage devices altogether.  The second, more flexible approach is to force encryption of every removable drive, so that the drive is unreadable unless it is plugged into a company computer.  Both methods work well, but if and only if they are applied uniformly across all PCs, including laptops, and the coverage is verified rather than assumed: the one unmanaged machine is the one that will be used.

PromiSEC’s Spectator is an excellent solution for not only preventing this type of situation but also for enforcing and monitoring software compliance, and anti-virus updates.  It provides the facility to ensure there are no exceptions, without the local installation of agent software.

Twitter used to exploit and steal information

August 5th, 2008


The IT security firm Kaspersky reported today that it has discovered a malicious mini-site on Twitter. (NOTE: this link does not open to the malicious site.)  Twitter is a popular social networking site, similar to MySpace or FaceBook, but its format is short messaging, not detailed blogging.

The site supposedly lures readers to download the latest version of Adobe Flash Player but really downloads software that steals information from your computer such as Login ID’s and passwords.

Four things are important to note here.

  1. Many people are trusting of these sites since the goal is to create social networks.  Openness is their key to success and the source of their real danger.  FaceBook and MySpace have already been booby-trapped in similar ways.
  2. If you are asked to download anything from a site other than the actual software vendor’s site (in this case Adobe), don’t do it.  If you get a note that your Flash player (or any other software for that matter) needs to be upgraded, don’t take the note as real. Close the dialog box and go directly to the vendor’s site and check the situation there.  If the vendor site says your software is up to date, there is a very high likelihood that the note you saw was a scam to exploit your computer.
  3. Twitter and other social networking sites are not just popular with teens and college students.  Your employees are using them as well.  So realize this is not just a threat to your home computer, but your office ones as well.  Look at your web filtering reports for these sites.  Many web filters will categorize them automatically in your report.
  4. This is a daily reminder of the need to keep your anti-virus and anti-malware programs up to date and why all downloads should be carefully screened. 

Small Business Computer Security – Part 1

August 4th, 2008


Most computer users today know why they need anti-virus software.  Many realize they need anti-malware software to help fill in the gap where anti-virus does not protect.  Some even know why everyone should have a firewall.  Yet we still receive calls from people who installed each of these and were having trouble.  The issue was not installation but proper configuration. 

In this first installment, we’ll talk about the importance of properly configuring your basic security components. 

Before starting, if you haven’t read my article on The Importance of Proactivity, take a moment and see why these three basics need to be in place before you start networking your computers.

Step 1 – Installing and configuring your anti-virus program. 

While each vendor offers different ways to configure their products, there are generally four main areas that require a configuration decision.

  1. Real-time scanning
  2. On demand or scheduled scanning
  3. Exclusions - what shouldn’t you scan
  4. Updates to the database

Real-time scanning is the function your AV product uses to protect you proactively against threats.  It works by intercepting file operations (opens, writes, executes) and checking each file against the virus database.  If the file is infected, the AV program alerts and quarantines or deletes the file.  When configuring this, remember to set it to scan every file type.  People used to disable this protection for audio, video and document files to speed things up a bit.  Today these file types are used to spread malware as well; the now infamous Pidief.A, which arrived as a booby-trapped PDF, is the reference example.  No file type is immune.

On-demand or scheduled scanning is when you tell your AV program to scan your entire hard disk.  I can't tell you how many people disable this, thinking that because their real-time protection is active they don't need it.  BIG MISTAKE.  You should scan each PC at least once a week, if not more.  The reason is that a virus unknown at the time it arrived may already be sitting on the disk before the signatures catch up, or the program's update module may not be working or may have been disabled; a full scan with current signatures is how you find what slipped past.

Exclusions are needed for various reasons, mostly to prevent conflicts with other software whose files are seen as false positives or that misbehaves when scanned (database files and backup stores are common cases).  Keep every exclusion as narrow as possible: a specific file or folder, never a whole drive or an entire file type.  If a vendor tells you to disable your AV, your first question should be why, and the answer should be a good one.  They should be able to explain why and how not having AV protection on a specific file or folder will not compromise your security.  Don't just take their word for it; ask the why and how questions.  (Remember, people either disable or are told to disable AV all the time.  I was on the phone with Comcast the other day and the tech told me to disable my customer's AV protection and then plug my PC directly into the cable modem to diagnose a problem.  I asked why and they actually told me the script they are told to read said to ask me to do that.  Watch out for this.)

Your AV program is only as good as its updates.  Your program should be set to update at least once a day.  Your program should also have the ability to tell you that it has been updated, either visually or via a date and time stamp.  Most computer infections occur not because people are not using AV but because they have not updated their AV.  Remember to always make sure it's updated.  If your computers are networked, your AV vendor should have a way of telling you which computers have not been updated.  Pay attention to these reports.
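The four settings above are exactly what an administrator should be checking across every machine, not just on the one in front of them. Here is an added example (not from the original post, and not tied to Norman, Sophos or any other product's console) that audits a small endpoint status report against those four points: real-time scanning on, signatures less than a day old, a full scan within the last week, and no exclusion broad enough to cover a whole drive or file type. The report rows, the host names, the fixed "now" and the exclusion paths are constructed for the illustration; a real console exports different field names.

```python
"""Added example, not from the original post: an audit over an endpoint
anti-virus status report against the four settings discussed above. The
report rows are constructed; real products export different fields."""
import re
from datetime import datetime, timedelta

NOW = datetime(2008, 8, 4, 12, 0)          # fixed "now" so the example is reproducible
MAX_SIG_AGE = timedelta(days=1)            # update at least once a day
MAX_SCAN_AGE = timedelta(days=7)           # full scan at least once a week

# Constructed status rows as a management console might export them.
REPORT = [
    {"host": "WS-010", "realtime": True, "sig_time": datetime(2008, 8, 4, 6, 0),
     "last_full_scan": datetime(2008, 8, 3, 2, 0),
     "exclusions": ["C:\\SQLData\\ledger.mdf"]},          # narrow: one file
    {"host": "WS-011", "realtime": False, "sig_time": datetime(2008, 8, 4, 6, 0),
     "last_full_scan": datetime(2008, 8, 3, 2, 0),
     "exclusions": []},
    {"host": "WS-012", "realtime": True, "sig_time": datetime(2008, 7, 28, 6, 0),
     "last_full_scan": datetime(2008, 7, 20, 2, 0),
     "exclusions": ["C:\\", "*.mp3"]},                    # whole drive, whole file type
]

# A drive root, a bare '*', or a bare extension wildcard excludes far more
# than any vendor conflict can justify.
BROAD_EXCLUSION = re.compile(r"^(?:[A-Za-z]:\\?|\*|\*\.\w+)$")


def is_broad_exclusion(path):
    """True for exclusions that disable scanning for a drive or a file type."""
    return bool(BROAD_EXCLUSION.match(path.strip()))


def audit_host(row, now=NOW):
    """Return a list of finding codes for one endpoint; empty means compliant."""
    findings = []
    if not row["realtime"]:
        findings.append("REALTIME_OFF")
    if now - row["sig_time"] > MAX_SIG_AGE:
        findings.append("STALE_SIGNATURES")
    if row["last_full_scan"] is None or now - row["last_full_scan"] > MAX_SCAN_AGE:
        findings.append("STALE_FULL_SCAN")
    for path in row["exclusions"]:
        if is_broad_exclusion(path):
            findings.append("BROAD_EXCLUSION:" + path)
    return findings


def audit(report, now=NOW):
    """Audit every row; the result maps host name to its findings."""
    return {row["host"]: audit_host(row, now) for row in report}


if __name__ == "__main__":
    for host, findings in audit(REPORT).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Run this against the export from whatever console you have and the list of non-compliant hosts is the report the post says to pay attention to. The exclusion check is deliberately strict: a single-file exclusion passes, a drive root or `*.ext` pattern does not.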

The follow-up question to all of this is always: which AV product should I buy?  We've used and tested every one.  Who do we like?  We love Norman and Sophos.  Why?  Because of their superior protection, performance and customer support.  The other guys are lagging way behind in these areas.  As for the free ones, I can't recommend any, but I have successfully used AVAST in the past and I still hear it's a good product.

The other thing we like to see our customers, large and small, do is to create a layered approach and mix their AV vendors.  What I mean by this is using both a network- or gateway-based product and a desktop product, each from a different vendor.  This ensures that the endpoints on your network are not your only line of defense, and that a detection gap in one vendor's signatures is not automatically a gap in both.  The more that can be stopped outside your network, the better.

Step 2 – Install and configure a good anti-malware program.  This is easier said than done.  There are so many bogus anti-malware programs out there that actually infect your computer with malware.  I have found the following ones to be reputable: PC Tools Spyware Doctor, Uniblue's SpyEraser and Lavasoft's Ad-Aware, and then there is Windows Defender.  I especially like the network-based ones (Cymphonix) that scan everything at the gateway.  They all have their benefits and drawbacks.  Caution: don't Google up anti-spyware and install trials or free scans from whatever comes up.  You'll regret it later.  Configure your product to provide whatever proactive protection it can and then configure it to scan ALL your hard drives at least once a week.

Step 3 – Install and configure a good firewall. 

First off, the Windows firewall is not good enough on its own.  It's a good second layer of protection on the host, but it in no way eliminates the need for a proper firewall at the network perimeter.  Secondly, get a good firewall.  Don't buy $50 specials on the clearance racks.  The cost of preventing one incident in the life of a company pays for the initial cost of a good firewall many times over.  Figure $500 as a good starting point.  Third, when it comes to configuration, let an expert do this for you.  Ask the vendor who is authorized to work on their units.  Fourth, make sure you turn on the firewall's log.  Tell the person who is installing and configuring it that you want logging turned on.  Don't settle for NO.  We'll cover logging in more detail later.  For now, however, know that logging gives you a history of what happened on your firewall over a period of time.  Without it you have no evidence of activity or changes.  Finally, use a service or tool to test your firewall's settings from outside your network.  Nmap is a good open-source tool for this purpose; run it against your public address from the Internet side, since a scan from inside the LAN tells you nothing about what the perimeter exposes.  But again, don't try to do it yourself; let an expert do it.
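Testing the firewall means comparing what a scan actually finds with what the policy says should be reachable, and that comparison is worth automating so it can be repeated after every change. The following is an added example, not code from the original post or from the Nmap project: it parses a constructed sample of Nmap's grepable (`-oG`) output and reports ports that are open but not in the allowed list, and allowed ports that the scan did not see. The scan lines, the address (from the documentation range 203.0.113.0/24) and the expected-ports policy are all made up for the illustration; the command shown in the comment is a normal Nmap invocation.

```python
"""Added example, not from the original post: compare what an external
scan actually found against the ports the firewall policy is supposed to
expose. The scan output is a constructed sample of nmap's grepable (-oG)
format; the address and policy are made up."""
import re

# Constructed -oG lines. The scan that would produce them is something like
#   nmap -sS -p- -oG scan.txt 203.0.113.10
# run from outside the perimeter.
SCAN_OUTPUT = """\
# Nmap 4.62 scan initiated Mon Aug  4 10:00:00 2008 as: nmap -sS -p- -oG scan.txt 203.0.113.10
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 1723/open/tcp//pptp///, 3389/open/tcp//ms-term-serv///\tIgnored State: filtered (65531)
# Nmap done at Mon Aug  4 10:09:12 2008 -- 1 IP address (1 host up) scanned in 552.10 seconds
"""

# What the firewall policy says should be reachable from the Internet
# (mail, HTTPS, and the PPTP VPN); anything else open is a finding.
EXPECTED_OPEN = {"203.0.113.10": {("tcp", 25), ("tcp", 443), ("tcp", 1723)}}

# Grepable format: "Host: <ip> (<name>)<tab>Ports: <p>/<state>/<proto>/<owner>/<svc>/<rpc>/<ver>/, ..."
HOST_LINE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Map each scanned host to its set of (protocol, port) reported open."""
    found = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue                      # comment lines and hosts with no port field
        ip, ports = match.groups()
        open_ports = set()
        for entry in ports.split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                open_ports.add((proto, int(port)))
        found[ip] = open_ports
    return found


def compare(scan_text, expected):
    """For every host in the scan or the policy, list ports open that the
    policy does not allow, and allowed ports the scan did not find open."""
    found = parse_grepable(scan_text)
    report = {}
    for ip in set(found) | set(expected):
        seen = found.get(ip, set())
        allowed = expected.get(ip, set())
        report[ip] = {"unexpected_open": seen - allowed, "missing": allowed - seen}
    return report


if __name__ == "__main__":
    for ip, diff in compare(SCAN_OUTPUT, EXPECTED_OPEN).items():
        print(ip, "unexpected:", sorted(diff["unexpected_open"]),
              "missing:", sorted(diff["missing"]))
```

In the sample, 3389 (Remote Desktop) is open to the Internet without being in the policy, which is precisely the kind of thing a quick scan after a "temporary" rule change catches. The "missing" set matters too: an allowed port that is no longer open usually means a rule was broken rather than tightened.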

What firewalls do we recommend?  Over the years we've sold several, but the two brands we like best are Astaro and Cyberoam.  They both provide excellent protection, will grow with your company, and their customer service is excellent.  They are also full Unified Threat Management platforms, meaning they can be used as a firewall but can also perform email and web filtering along with intrusion prevention, and act as a VPN endpoint for remote access.  Units like these provide greater value over time than typical entry-level devices, and they are especially suited to small business because of an intuitive interface, a rich set of standard features and a good price.

So there we've completed three key steps to getting you on your way to a more secure computer network.  In Part 2 of this series we'll address the next phase of computer security: education and knowledge.

Watch Your Google Gadgets

August 4th, 2008


Ever use iGoogle? I do and I love it.  It’s as close as you can get to a personalized home page without having to know web code. However, the platform is about to be rocked by a presentation this week at Black Hat, the annual hacker conference.

According to Yahoo News, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as "RSnake," plan to demonstrate a zero-day vulnerability that affects Google Gadgets.  What this means is that they are going to show that a knowledgeable web coder could use a malicious gadget to attack your PC, possibly outside what traditional anti-virus and anti-malware products detect.

So if you’re an “iGoogle-Google-Gadget-User” what do you do? 

  1. The first thing is to educate your users about the dangers of installing unknown software.  This is a good practice no matter what.
  2. Watch what comes out of BlackHat 2008.  Follow the mainstream IT Security bloggers as they summarize the presentations.  I’ll post more on this as it gets closer. 
  3. If in your opinion the risk of iGoogle malware outweighs the benefits, use your web filter to block it, or block the installation of Google Gadgets.  You can still get all the other benefits of Google.