IT Security Blog

31 March 2009

Conficker Fact and FUD, Flaw In Worm Leads to Detection Tool


I am guessing that most people are suffering from Conficker information overload today!  As such, it is very important to be able to separate the Conficker facts from the FUD.  In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st.  So far we have seen nothing that would lead me to believe anything contrary to that statement.

I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN respond differently from machines that are not infected.  According to Dan Kaminsky's blog, this flaw causes a function named NetpwPathCanonicalize() to behave differently on an infected host than it does on either a patched or an unpatched Windows host.  That behavioral difference is what McAfee, Nessus, Qualys, and others are keying on to develop scanners that identify infected hosts.

Although a tool to identify machines already infected with the Conficker worm is great, it is more important to emphasize and re-emphasize patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to prevent these types of infections to begin with.  In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant, download the proof of concept scanner and put together a plan to clean those machines up quickly.
Posted by smasiello at 9:28 AM | Link | 1 comment
30 March 2009

Please Nominate MX Logic IT Security Blog for Social Security Awards


Please excuse this short break from our normal Information Security updates.

This is a shameless plug for the MX Logic IT Security Blog and Security Buzz podcast.  Please take a moment out of your busy schedule to nominate our blog and podcast for a Social Security Award at the upcoming RSA conference in San Francisco.  As a sidebar to the conference a number of security bloggers and podcasters are having a meetup (if you fall into this category and are attending RSA, please register for the meetup.  There are only a limited number of slots available!).

The URL to make nominations is http://socialsecurityawards.com.  Once you are at that page, click the "Next" button to enter your specific blog/podcast nominations in a number of different categories.  We would appreciate your nomination in the "Best Security Podcast" (if you currently do not listen to Security Buzz, you can subscribe via iTunes here), Best Technical Security Blog (use "MX Logic IT Security Blog" as the title in your nomination and http://mxlogic.com/itsecurityblog/index.cfm as the URL), and "Best Corporate Security Blog" (use same title and URL as the Technical Security Blog). 

Thank you in advance for your time!

We now return you to our regular security programming...



Posted by smasiello at 12:20 PM | Link | 1 comment
27 March 2009

Psyb0t Compromising Insecure Home Routers


Word is spreading of a botnet called Psyb0t that is going around compromising the home routers of people who have not changed the default login password on those devices.  According to published numbers, around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t.  It is important to note that there are a few criteria that must be met before your router can be exploited via Psyb0t.  First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t).  Second, it has to be configured to be administered remotely (from the internet, not the local LAN).  Third, it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one.  One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the "Threat of the Month".  The piece that I submitted for their February 2009 issue was on the topic of "Drive By Pharming".  Essentially, drive by pharming entails the compromise of home routers that have the "Remote Administration" port enabled so that their settings can be modified from the internet.  If the factory password is still the password used to log in to the device, it is trivial for an attacker to get in and modify your settings to point you to a malicious DNS server, so that traffic to legitimate sites gets redirected to sites set up to phish passwords or inject malware.  That is only one possibility.  Another is that a new version of firmware could be uploaded to turn the device into a bot.

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not taken to protect them.  Default passwords for just about every router made are trivial to find on the internet.  In fact, there are sites set up, like routerpasswords.com, that let you select the manufacturer of the router and will tell you the default password for its known models.  Be sure to secure all layers of your home or business network (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity).  Never assume that this is being done by someone else or that it is someone else's responsibility.  The default settings on most of the gear that you will buy are set up so that initial access and administration of the device are easy (which reduces support costs and angry customers).  From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.
Posted by smasiello at 10:28 AM | Link | 1 comment
26 March 2009

IE 8 Most Secure Browser Yet?


Obviously, the folks over at Microsoft would have you believe that IE 8 is the most secure browser yet, but does anyone else agree?  Is this just more Microsoft PR spin in an effort to squelch the laughter of security professionals who have gone so far as to recommend using text based browsers before using Internet Explorer?  The answer is "IE 8 is very secure" according to a recently released report from the folks over at NSS Labs. 

In a report released on March 12, 2009, NSS Labs' tests showed that Internet Explorer 8 (RC1) outperformed several other popular browsers (Safari, Firefox, Chrome, Opera, and IE 7) in detecting malicious sites hosting 0-day attacks and web based malware.  The report also showed that 7% of the threats tested were blocked by all of the browsers and 11% were not blocked by any of them.

IE 8 also ships with native Clickjacking protection out of the box, making it the first browser to incorporate such a feature (you can add it to Mozilla browsers via a plugin).  I have not seen any updates to the original stories that came out criticizing how Microsoft's Clickjacking protection works in their new browser, so it is probably safe to assume that it works the same as it did during the beta and RC release phases.

If you have not seen the report, it is an interesting read and one that will certainly add more fuel to the Browser Security Debate fires that are always raging.  The true test of IE 8's security will not just be its ability to protect users from malware infected web sites, but also how well its own vulnerabilities get patched.  Of course, it is still up to us to install those updates.
Posted by smasiello at 2:07 PM | Link | 0 comments
25 March 2009

Much Ado About Conficker?


There certainly is a lot of attention being paid to the Conficker botnet these days.  Some of this attention is warranted.  What is its purpose?  What is it going to do?  What is it going to be used for?  Will it be split up and sold off to the highest bidders?  All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day.  Coincidence?). 

Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to update machines that had previously been infected with Conficker.B (the previous variant of the worm).  Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor.  First, it moved away from a pull model, where infected hosts would check back with a command and control server (the URL it would contact was randomly generated by an algorithm within the malware code) to see if there were any updates to download.  Conficker.C has moved to a push based update method, where code changes are sent from a command and control host down to the infected client.  The malware further updated itself to include code signing, so that it only accepts properly signed updates.  These updates are game changers as it relates to how security researchers had generally infiltrated and analyzed botnets.

One of the other major changes introduced in Conficker.C was the number of domains the botnet generates to look for code updates.  In Conficker.B, 250 random URLs were generated on a daily basis that the botnet would use to look for updates.  Researchers were able to crack the URL generation algorithm and figure out which domains were going to be used on which days, so that they could register those domains before the botnet attempted to use them.  In response, the Conficker authors seriously upped the ante by raising the number of URLs used by the botnet from 250 daily to 50,000.  A virtual scoff from the worm authors.

On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide scale implications will be as a result.  All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers.  We have spoken several times now about how malware authors are attempting to build the next generation botnet after the McColo shutdown.  Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along. 
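The pre-registration defense described above works because a date-seeded domain generator is deterministic: anyone who has recovered the seed and the derivation can compute tomorrow's list today. The following is an added example and not code from the original post, and the generator is a constructed toy (the seed constant, SHA-256 hashing and 8-letter labels are my assumptions), not Conficker's actual algorithm. It shows the defender's side: listing the domains for the coming days so they can be registered or sinkholed, and flagging any internal host that looks one of them up in a (constructed) DNS query log.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; it is NOT Conficker's algorithm.
# The seed is a hypothetical constant baked into the sample.
SEED = b"toy-botnet-seed"
TLDS = ("com", "net", "org")


def toy_dga(day: date, count: int, seed: bytes = SEED) -> list[str]:
    """Derive `count` deterministic domains for one calendar day.

    Anyone who knows the seed and the derivation (the worm, or a
    researcher who reverse engineered it) computes the same list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        # 8 lowercase letters from the first 8 digest bytes, then a TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains


def registration_list(first_day: date, days_ahead: int, per_day: int) -> dict[str, list[str]]:
    """Defender view: the domains to register or sinkhole for each upcoming day."""
    return {
        (first_day + timedelta(days=d)).isoformat(): toy_dga(first_day + timedelta(days=d), per_day)
        for d in range(days_ahead)
    }


def find_dga_lookups(log_lines: list[str], day: date, per_day: int) -> list[tuple[str, str]]:
    """Detection: (client, qname) pairs whose query name is in the day's DGA set."""
    watch = set(toy_dga(day, per_day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip it
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits


DAY = date(2009, 4, 1)
DAILY = toy_dga(DAY, 250)  # 250 per day matches the Conficker.B figure in the post

# Constructed DNS query log, "<time> <client> <qname>": one host queries DGA names.
SAMPLE_DNS_LOG = [
    "08:01:02 10.0.0.5 www.example.com.",
    f"08:01:09 10.0.0.23 {DAILY[17]}.",
    "08:01:11 10.0.0.5 mail.example.com.",
    f"08:02:40 10.0.0.23 {DAILY[200]}",
    "08:03:00 10.0.0.9 updates.example.net.",
]

if __name__ == "__main__":
    for day, domains in registration_list(DAY, 2, 3).items():
        print(day, domains)
    for client, qname in find_dga_lookups(SAMPLE_DNS_LOG, DAY, 250):
        print(f"possible infection: {client} looked up {qname}")
```

The same property cuts both ways: raising the daily count from 250 to 50,000, as the post describes, does not break the prediction, it only makes registering every candidate impractical, which is why the detection side (matching DNS logs against the precomputed list) keeps working even when pre-registration no longer does.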

Will it ever actually be used for anything?  Sure, it will.  Why go through all of this effort to create such a huge botnet and then not utilize it for something?  In a financially motivated economy it doesn't make sense not to rent it out or sell it off.  My point is: don't buy too much into the April 1 hype.  It very well could be much ado about nothing.
Posted by smasiello at 2:56 PM | Link | 2 comments

Staples Sells Returned Hard Drive Loaded with Personal Files


We will touch on this in some more detail during the Security Buzz podcast (Episode #25) that will be recorded this Friday, but I wanted to make a couple of comments here as well about an article that was posted on canada.com regarding a Staples Business Depot Store in Ottawa, Ontario that sold a returned hard drive that still had a number of personal files on it. 
To summarize the article, a woman named Jill Vickers, a retired political science professor from Carleton University, had purchased an external Maxtor Mini portable drive, then attempted to return it to the store after her son noticed that the automatic backup function was not working properly (Vickers had already put a number of her personal files, including some that contained sensitive information, on the drive).

Staples is getting a lot of bad press here for not properly wiping the drive prior to putting it in the clearance bin.  Staples says that it is standard operating procedure to wipe "anything with memory" prior to resale.  So, mea culpa on Staples' part in this case for not following its own policy, and the negative attention is well deserved.  What the article doesn't state is "how" they wipe the drive.  Is it a quick format?  Is it being wiped to DoD standard?  This point is left to speculation, but I think it is an important one nonetheless, because I don't think you can expect the average consumer to know the difference and why that difference matters.

That being said, I believe that Vickers deserves at least part of the blame as well.  If the data that she was storing on the drive was so important to her and if it was potentially sensitive, she (or her son) should have thought to at least take basic steps to ensure that this information was not readily visible to anyone who would be handling the drive (including the employees of the Staples store that she returned the drive to).  Even if Vickers isn't familiar with the different types of data deletion standards that are out there, doing a "Select All" and then "Delete" on the files contained on the drive is certainly better than nothing at all.

I guess the best takeaway from this experience for the rest of us is that we should always take whatever steps are necessary and possible to protect our own sensitive data from potential exposure, because even if others who handle our information have protection policies in place, you cannot rely on those policies being followed.

Posted by smasiello at 10:28 AM | Link | 0 comments
20 March 2009

Exciting New Features Coming for Google Chrome


I admit it.  I am a Firefox user.  On my Windows PC at the office and on my Ubuntu Linux personal laptop at home I use the Firefox browser.  There, I've said it.

Some of the news coming out about features that will be in future versions of Google's Chrome browser may force me to rethink my current allegiances, however.  Over the past year I have become more and more unhappy with the increases in memory that Firefox has required and the fact that it just doesn't seem as fast as it used to be.  Granted, many applications suffer from such software bloat over time, and being a technology geek I certainly have been accused (and rightfully so) of having a short attention span as it relates to a technology when a newer, shinier version comes out.  These factors put together have had me toying with the idea of trying out Chrome here at the office to see what all of the buzz is really about.  The lack of extension support has been the primary driver behind my not making the jump up to this point.

One of the topics that we covered in episode 24 of the Security Buzz podcast this morning was based on a blog post that I made last week with respect to browser security and how despite some of the inherent flaws that exist in today's browser design, some of those flaws can be made up for by extensions contributed by the community (Noscript with Clearclick being my favorite example as it is currently the only browser anti-clickjacking plugin that exists).   Granted, I would love to see some of these extensions make it into the standard build of the product, but be that as it may, the capability exists for the user to contribute to the Mozilla community.  I believe that attribute sets them apart from both the IE and Chrome communities.

With RSS and extension support coming to Chrome, I believe that this will greatly increase the number of users who start using Google's browser, or who are at least willing to give it the chance they might previously not have been willing to.  Personally, I don't use the browser for RSS feed management (indirectly, through Google Reader.  Have I already sold my soul? :) ), but the support for community contributed extensions is going to be a big deal.  Bravo!

User contributed content has fueled the growth of the Linux operating system (in its many flavors) and has made advancements to the Mozilla suite of browsers faster than the Mozilla developers were able to deliver the functionality themselves.  Congratulations to Microsoft on the release of the IE 8 browser, but I believe that they could learn a thing or two by taking a page out of the Mozilla and now Chrome playbooks. 
Posted by smasiello at 11:47 AM | Link | 0 comments
19 March 2009

I Can Respect an Honest Spammer


Short and sweet post this time.  I need to go meet with a prospective customer, but I had to post this first.  It's not very often that you meet an honest spammer.  The following header came into one of our spamtraps today on a 419 phishing scam attempting to get me to engage with the scammer on purchasing residential and commercial property.  They requested that I open foreign bank accounts into which the sum of one billion (doing my best Dr. Evil impression) dollars would be deposited.

Anyway, what made this particular scam somewhat humorous was the subject line of the message:




It isn't every day that a spammer will tell you his email is spam before you even read it.  I'm willing to bet the uptake on this one probably wasn't that great :-D


Posted by smasiello at 12:01 PM | Link | 0 comments
13 March 2009

The Great Browser Security Debate


I have been starting to feel like I have hardly been in the office over the past month.  After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family.  I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.

I wanted to take a few minutes to talk about something that has been bothering me lately.  It is something that I have been hearing more and more in passing conversation as it relates to browser security, in particular between Firefox and Internet Explorer.  Similar to the debates that have been raging for a few years now over the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are the debates over whether Firefox is a more secure browser than Internet Explorer.

Is it, really?  Or is it just a matter of perception?

At the end of the day, the level of security of any application installed on our computers is a combination of the vendor's ability to release timely updates to address new security issues and the user's ability/willingness to install those updates.  The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides.

Take this recent analysis of the Conficker worm/botnet as an example.  According to the report, more than 90% of the users who got infected with Conficker were using Internet Explorer 6, the default browser that comes with Windows XP, when they were infected.  Windows XP is also the OS with the highest concentration of Conficker infections, but that is to be expected as it is currently the most widely deployed Windows version.  What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches.  This is also somewhat to be expected because the largest concentrations of infections are in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world.  You could argue that this might not be the best example of browser security because Conficker exploits an OS level vulnerability, but the reasoning is still sound: if you aren't applying OS patches, you likely aren't patching your browser either.  If you aren't familiar with the "insecurity iceberg" report, I recommend it.  It is a good read, as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser.  It also covers the many plugins that are available, such as Adobe Flash, Java, Apple Quicktime, and Adobe PDF Reader.

So, to go back to my original question, is Firefox really more secure than Internet Explorer?  In addition to my previous argument about patching, I believe this also comes down to an issue of perception.  For example, Firefox releases security updates more frequently than Internet Explorer.  Does that make it more secure or less secure?  Additionally, Firefox has a "nagware" type of feature that regularly throws popups at you when a new version is available, encouraging you to upgrade to the latest and greatest version of the browser.  This gives users the impression that they are being kept safer.  Second, Firefox has an active community of developers creating plugins that add security features on top of what the browser already provides.  Neither Firefox nor IE has any native protection against what is known as Clickjacking.  With Noscript, a plugin available for Mozilla based browsers like Firefox (et al), Clickjacking protection can be added.  IE currently has no protection available, although it is being planned for IE 8.  Another security threat that I have written about previously is the danger introduced by URL abbreviation services like TinyURL and SnipURL.  Firefox has a plugin that lets users preview where these abbreviated URLs will really take them before they click the link.  URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate looking links that redirect them to malicious web sites.  So, there are security related addons that users can plug into their browsers if they know what the good, actively maintained ones are and where to look, but this functionality isn't native to the browser and leaves the user with yet more software to keep updated.

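The native Clickjacking protection that the IE 8 post above credits to Microsoft, and that this paragraph says was being planned for IE 8, is the X-Frame-Options response header: an opt-in signal that the site being framed sends, which a supporting browser honors by refusing to render the page inside a frame from another origin. The page itself does not name the header, so that identification is mine. What follows is an added example, not code from the original post or from any browser vendor: a small Python server that emits the header (alongside the later standardized Content-Security-Policy frame-ancestors equivalent) and a helper that emulates the decision a supporting browser makes. Hostnames in the demo are constructed.

```python
from __future__ import annotations

from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def frame_policy_headers(policy: str = "DENY") -> list[tuple[str, str]]:
    """Response headers telling the browser who may frame this page.

    X-Frame-Options is the header IE 8 introduced; Content-Security-Policy
    frame-ancestors is the later standardised equivalent, sent alongside it.
    """
    policy = policy.strip().upper()
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    ancestors = "'none'" if policy == "DENY" else "'self'"
    return [
        ("X-Frame-Options", policy),
        ("Content-Security-Policy", f"frame-ancestors {ancestors}"),
    ]


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def browser_allows_framing(headers, page_url: str, framer_url: str) -> bool:
    """Emulate the X-Frame-Options decision of a browser that supports it.

    Without the header the page can be framed by any site, which is the
    state every browser was in before the header existed.
    """
    values = {name.lower(): value for name, value in headers}
    xfo = values.get("x-frame-options")
    if xfo is None:
        return True
    xfo = xfo.strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(page_url) == origin(framer_url)
    return True  # unrecognised value: assume the browser ignores the header


class ProtectedPageHandler(BaseHTTPRequestHandler):
    """Minimal server that sends the anti-framing headers with every page."""

    POLICY = "SAMEORIGIN"

    def do_GET(self):
        body = b"<html><body>Sensitive form would go here</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in frame_policy_headers(self.POLICY):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed hostnames: show the decision, then serve the page locally.
    hdrs = frame_policy_headers("SAMEORIGIN")
    print(browser_allows_framing(hdrs, "https://bank.example/transfer", "https://other.example/"))
    HTTPServer(("127.0.0.1", 8080), ProtectedPageHandler).serve_forever()
```

The protection is only as good as its adoption on both ends: a site that never sends the header remains framable everywhere (the empty-headers case in the helper), and a browser that does not understand the header ignores it, which is the gap the Noscript plugin filled on the Firefox side at the time of this post.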
You could make analogies to the OS X and Windows debate here too.  Apple users claim they don't have the malware problem that Windows users have.  In sheer volume of released exploits this is certainly true; however, you are also dealing with a much smaller market share.  Is the reason that Firefox exploits haven't been more widely targeted simply that Firefox doesn't have the market share to justify the effort on the part of cyber criminals?

My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (that includes both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound traffic blocking firewalls to reduce their risk.  More online threats are moving to the browser every day, so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk.
Posted by smasiello at 1:00 PM | Link | 4 comments
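The URL-preview plugin mentioned in the post above does one simple thing: it asks the abbreviation service where a short link points without actually following the redirect. The following is an added example and not code from the original post or from any such plugin. It sends a single HEAD request and reads the Location header, and it includes a constructed stand-in for a shortening service (the `/abc` mapping is made up) so the whole thing runs offline on the loopback interface.

```python
from __future__ import annotations

import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def first_hop(url: str, timeout: float = 5.0) -> tuple[int, str | None]:
    """Send one HEAD request and return (status, Location) without following it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are supported")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-preview-example/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def preview(url: str) -> str | None:
    """Destination a short link redirects to, or None if it is not a redirect."""
    status, location = first_hop(url)
    if 300 <= status < 400 and location:
        return location
    return None


# --- constructed stand-in for a shortening service so the example runs offline ---
class _FakeShortener(BaseHTTPRequestHandler):
    REDIRECTS = {"/abc": "https://example.com/landing-page"}  # constructed mapping

    def do_HEAD(self):
        target = self.REDIRECTS.get(self.path)
        if target:
            self.send_response(301)
            self.send_header("Location", target)
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_fake_shortener() -> HTTPServer:
    """Start the stand-in on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    server = run_fake_shortener()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    print(preview(f"{base}/abc"))    # the real destination, shown before any click
    print(preview(f"{base}/plain"))  # None: not a redirect
    server.shutdown()
```

Two caveats a practitioner should keep in mind: this shows only the first hop, and real links can chain through several redirects before landing, so the displayed destination may itself be another redirector; and the preview still contacts the shortening service, so it reveals interest in the link to that service even though the final site is never visited.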