<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WDTalk &#187; Security</title>
	<atom:link href="http://wdtalk.com/archives/category/web-hosting/security/feed" rel="self" type="application/rss+xml" />
	<link>http://wdtalk.com</link>
	<description>Web Development, SEO, Business and Hosting</description>
	<lastBuildDate>Fri, 03 Feb 2012 21:50:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>FREE Anti-Phishing Tools</title>
		<link>http://wdtalk.com/archives/5647</link>
		<comments>http://wdtalk.com/archives/5647#comments</comments>
		<pubDate>Tue, 20 Dec 2011 22:18:33 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5647</guid>
		<description><![CDATA[I read an article a few days ago describing in-depth comparisons &#8211; of the major search engines&#8217; ability to recognize and combat phishing.  To my surprise, IE ranked much higher than Google, but since I’m always on Google, I thought I should research some third party tools to help secure my online travels. The following [...]]]></description>
			<content:encoded><![CDATA[<p><strong>I read an article a few days ago describing in-depth comparisons</strong> &#8211; of the major search engines&#8217; ability to recognize and combat phishing.  To my surprise, IE ranked much higher than Google, but since I’m always on Google, I thought I should research some third party tools to help secure my online travels.</p>
<p><strong>The following four anti-phishing tools are presented for your review:</strong></p>
<ul>
<li><a href="http://www.brighthub.com/computing/smb-security/reviews/52840.aspx" target="_self">AVG LinkScanner</a> - AVG LinkScanner is a free must-have for computers running only a traditional anti-virus program; it prevents you from visiting bogus or infected web sites.</li>
<li><a href="http://www.trendsecure.com/portal/en-US/tools/security_tools/trendprotect" target="_blank">TrendProtect</a> - TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:  Content category, Phishing scam detection, Site reputation and Page reputation.</li>
<li><a href="http://safeweb.norton.com/lite">Norton Safe Web Lite</a> &#8211; Norton Safe Web Lite provides a safer search experience by warning you of dangerous Web sites right in your search results, so you can search, browse, and shop online without worry. Norton Safe Web Lite is FREE to anyone who wants protection from unsafe Web sites and disreputable online merchants. It&#8217;s our way of giving back to the online community.</li>
<li><a href="http://www.brighthub.com/link/link.aspx?u=http%3a%2f%2fwww.bitdefender.com%2fPRODUCT-2237-en--BitDefender-Anti-Phishing-Free-Edition.html&amp;p=79844" target="_blank">BitDefender Anti-Phishing Free Edition</a> - Committed To Stopping Cyber-criminals In Their Tracks! Whether you&#8217;re a current Bitdefender customer or not, our goal is that everyone remains safeguarded from cyber-criminals&#8217; tactics. That&#8217;s why we offer free virus removal tools and other free antivirus products, to ensure that every journey online is a safe one!</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5647/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>How Important Is Password Security?</title>
		<link>http://wdtalk.com/archives/1351</link>
		<comments>http://wdtalk.com/archives/1351#comments</comments>
		<pubDate>Mon, 21 Nov 2011 11:28:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1351</guid>
		<description><![CDATA[Didn&#8217;t your Mom tell you not to play with fire? Weak passwords put your personal identity or business data at risk of being compromised. How important is password security? A simple Google search for password security just now returned over 540 million results &#8211; that&#8217;s significant! I cannot overemphasize how important it is to use STRONG passwords. [...]]]></description>
			<content:encoded><![CDATA[<p>Didn&#8217;t your Mom tell you not to play with fire? Weak passwords put your personal identity or business data at risk of being compromised. How important is password security? A simple Google search for password security just now returned over 540 million results &#8211; that&#8217;s significant! I cannot overemphasize how important it is to use <strong>STRONG</strong> passwords.</p>
<p><strong>Some guidelines</strong></p>
<ul>
<li>Use at least eight characters, with mixed case letters (upper and lower case)</li>
<li>Use a password that can be typed quickly (to prevent over-the-shoulder spying)</li>
<li>Mix alphanumeric characters in a seemingly random manner.</li>
<li>Change your password regularly.</li>
<li>Do NOT use words that are included in any dictionary &#8211; even encrypted, these can be cracked in seconds!!</li>
<li>Do NOT use dates</li>
<li>Do NOT use information that can be easily obtained about you. This includes your nickname, your pet&#8217;s name, your hometown, etc.</li>
<li>Do NOT use all numbers or all alphabet characters &#8211; mix them!</li>
<li>Do NOT reveal your password to anyone!</li>
</ul>
<p><strong>There are any number of websites that help you understand</strong> - how vulnerable your passwords are &#8211; one of those is <a href="http://howsecureismypassword.net/">http://howsecureismypassword.net/</a>. Simply enter your password and it will return how long it would take to crack it. Mine was six thousand years, but I could improve that by using a symbol instead of just letters and numbers.</p>
<p><strong>Microsoft also has a password security strength checker</strong> - located at <a href="https://www.microsoft.com/security/pc-security/password-checker.aspx">https://www.microsoft.com/security/pc-security/password-checker.aspx</a>. Starting at a rating of STRONG, I had to add 10 symbols to raise that level of security to BEST. Going back to HowSecureIsMyPassword, when I typed in Microsoft&#8217;s BEST, here is the result I got - It would take a desktop PC about 523 sextillion years to crack your password. Works for me!</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1351/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>DDoS Attacks on the Rise</title>
		<link>http://wdtalk.com/archives/5489</link>
		<comments>http://wdtalk.com/archives/5489#comments</comments>
		<pubDate>Wed, 19 Oct 2011 15:37:35 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5489</guid>
		<description><![CDATA[There are over 500 pages of articles - on Wikipedia related to DDoS attacks, and a quick Google search this morning returned 3 1/2 million results. So what are DDoS attacks and should you be concerned? I found a great definition of DDoS at TechTarget.com: A distributed denial-of-service (DDoS) attack is one in which a multitude [...]]]></description>
			<content:encoded><![CDATA[<p><strong>There are over 500 pages of articles</strong> - on Wikipedia related to DDoS attacks, and a quick Google search this morning returned 3 1/2 million results. So what are DDoS attacks and should you be concerned?</p>
<p><strong>I found a great definition of DDoS at <a title="DDoS definition" href="http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack" target="_blank">TechTarget.com</a>:</strong></p>
<blockquote><p>A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.</p>
<p>In a typical DDoS attack, a hacker (or, if you prefer, cracker) begins by exploiting a vulnerability in one computer system and making it the DDoS master. It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple &#8212; sometimes thousands of &#8212; compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.</p></blockquote>
<p><strong>I&#8217;ve read tons of threads about DDoS attacks</strong> - on web hosting forums, but didn&#8217;t fully realize how destructive they could be, or how hard they are to mitigate. After reading through some articles like the ones below, I&#8217;ve come to realize that these attacks can, in fact, cripple a provider&#8217;s ability to deliver stable hosting solutions to not just businesses, large or small, but to the infrastructure of governments, as well.</p>
<p><a href="http://threatpost.com/en_us/blogs/report-ddos-attacks-rise-2011-031511">DDoS Attacks On the Rise in 2011</a></p>
<blockquote><p>The company’s semi-annual Web Hacking Incident Database (WHID) report found the attacks jumped 22 percent from the first half of 2010, overtaking methods such as SQL injections and cross-site scripting (XSS) attacks. DDoS attacks occupied 32% of attacks while SQL injection and XSS attacks took up 21% and 9% respectively.</p></blockquote>
<p><a title="Permanent Link to Head of Russian Payment Processor held over DDoS-for-Hire plot" href="http://dos-attacks.com/2011/06/27/head-of-russian-payment-processor-held-over-ddos-for-hire-plot/" rel="bookmark">Head of Russian Payment Processor held over DDoS-for-Hire plot</a></p>
<blockquote><p> One of the co-founders of ChronoPay (a Russian 3PP – 3rd Party Payment Processor) was arrested on the alleged connection between him and a hacker who was hired to run a distributed denial of service attacks against a business rival. Russian Pavel Vrublevsky who is also an owner in a company called RS-Promotion &#8230;</p></blockquote>
<p><a title="Korea DDOS" href="http://blogs.mcafee.com/mcafee-labs/malware-in-recent-korean-ddos-attacks-destroys-systems" target="_blank">Malware in Recent Korean DDoS Attacks Destroys Systems</a></p>
<blockquote><p> There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites<a href="http://www.businessweek.com/news/2011-03-03/south-korea-says-government-websites-attacked-issues-alert.html">.</a> About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around &#8230;</p></blockquote>
<p><a title="WordPress DDOS" href="http://techcrunch.com/2011/03/04/wordpress/" target="_blank">WordPress.com DDoS Attacks Primarily From China</a></p>
<blockquote><p> After recovering from the largest Distributed Denial of Service attack in the service’s history (<em>“multiple Gigabits per second and tens of millions of packets per second”</em>) yesterday morning, blog host WordPress.com was attacked again very early this morning, finally stabilizing its &#8230;</p></blockquote>
<p><strong>There is a DDoS mitigation industry devoted to</strong> - fighting these attacks, and some companies are better than others. So how would you know which DDoS mitigation company is best suited to minimize your risks? Like every other industry, longevity speaks volumes &#8211; how long have they been in business? Some questions to ask:</p>
<ul>
<li>What&#8217;s their track record?</li>
<li>How many attacks do they mitigate each month?</li>
<li>What is their typical “time to mitigate”?</li>
<li>How much bandwidth do they have dedicated to mitigating attacks? (DDoS attacks take up a LOT of bandwidth)</li>
<li>How is their network globally distributed?</li>
<li>Which tools and techniques do they employ to detect, analyze, and mitigate DDoS attacks?</li>
</ul>
<div><strong>Think a DDoS attack can&#8217;t happen to you? </strong>Yahoo, Buy.com, RIAA and the United States Copyright Office are among the victims of DDoS attacks, and the list of victims goes on and on.</div>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5489/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>WordPress Vulnerabilities</title>
		<link>http://wdtalk.com/archives/5477</link>
		<comments>http://wdtalk.com/archives/5477#comments</comments>
		<pubDate>Mon, 17 Oct 2011 20:37:06 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blogging]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[The Editor]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5477</guid>
		<description><![CDATA[In an earlier article entitled -  &#8220;Are your applications secure?,&#8221; I talked about SQL injection threats. It&#8217;s a threat that refuses to simply go away. Just this morning I stumbled upon a thread on a web hosting forum - about an OP (original poster) who had his shared account terminated by his web hosting provider for being [...]]]></description>
			<content:encoded><![CDATA[<p><strong>In an earlier article entitled - </strong> &#8220;<a title="Are your applications secure" href="http://wdtalk.com/archives/2324">Are your applications secure?</a>,&#8221; I talked about SQL injection threats. It&#8217;s a threat that refuses to simply go away.</p>
<p><strong>Just this morning I stumbled upon a thread on a web hosting forum</strong> - about an OP (original poster) who had his shared account terminated by his web hosting provider for being hacked twice. He was clearly the victim of the hacks, but the host deemed the OP was responsible for keeping his sites safe, so that his sites would not affect other clients on their server.</p>
<p><strong>The site in question was a WordPress site</strong> - with a couple of plug ins activated &#8211; nothing out of the ordinary. It was duly noted that WordPress sites attract a lot of hack attempts, and the more popular they are (lots of traffic), the more attempts. Obviously, the OP needs to find another web hosting provider, but his troubles are probably far from over. Should he install the same plug ins on his site at his new host, the hack will most likely reoccur. Why?</p>
<p><strong>One of the plug ins the OP alluded to was</strong> - Penny Auction, on which a &#8220;<a title="Penny Auction Hack Advisory" href="http://www.ngenuity-is.com/advisories/2011/jul/3/phppennyauction-bidphp-sql-injection/">hack advisory</a>&#8221; was recently issued by ngenuity-is.com.</p>
<p><strong>Recommended plug ins that help fight intrusion attempts:</strong></p>
<p><strong><a title="WordPress Login Lock Down" href="http://wordpress.org/extend/plugins/login-lockdown/" target="_blank">Login LockDown</a></strong> - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.</p>
<p><strong><a title="WordPress Firewall 2" href="http://wordpress.org/extend/plugins/wordpress-firewall-2/" target="_blank">WordPress Firewall 2</a></strong> - This is an updated version of the popular <em>WordPress Firewall</em> plugin, with fixes for all known bugs and a few new features!</p>
<p>This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they&#8217;re not always installed on web servers, and usually difficult to configure.</p>
<p>This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.</p>
<p><strong><a title="WordPress Security Scan" href="http://wordpress.org/extend/plugins/wp-security-scan/" target="_blank">WordPress Security Scan</a></strong> - checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:</p>
<ol>
<li>Passwords</li>
<li>File permissions</li>
<li>Database security</li>
<li>Version hiding</li>
<li>WordPress admin protection/security</li>
<li>Removes WP Generator META tag from core code</li>
</ol>
<div><strong><a title="WordPress Updates Notifier" href="http://wordpress.org/extend/plugins/wp-updates-notifier/" target="_blank">WordPress Updates Notifier</a></strong> - Sends email to notify you if there are any updates for your WordPress site. Can notify about core, plugin and theme updates.</div>
<div>Monitors your WordPress installation for core, plugin and theme updates and emails you when they are available. This plugin is ideal if you don&#8217;t login to your WordPress admin regularly or you support a client&#8217;s website.</div>
<div>
<p><em>Features</em></p>
<ul>
<li>Set the interval of how often to check for updates; hourly, twice daily or daily.</li>
<li>Sets WordPress to check for updates more often meaning you get to know about updates sooner.</li>
<li>Get emailed about core, plugin and theme updates.</li>
<li>Choose if you want to be notified about active only themes and plugins updates.</li>
<li>Remove upgrade nag message to non-admin users.</li>
<li>For advanced users there are a number of filters and actions you can use. More coming soon.</li>
</ul>
<p>This plugin is a fork of Update Notifier. This plugin was forked because there seemed to be no further development on the existing plugin and there was no way to contact the original author to ask about taking ownership. WP Updates Notifier has the following improvements over Updates Notifier:</p>
<ul>
<li>Completely rewritten from the ground up using best practises for writing WordPress plugins</li>
<li>Code wrapped in a class so better namespace.</li>
<li>You can set the cron interval, allowing for more frequent checks.</li>
<li>Update checks trigger WordPress internal update check before notification.</li>
<li>Allows you to set the &#8216;from address&#8217;.</li>
<li>Makes use of the Settings API.</li>
<li>A number of available hooks and filters for advanced users.</li>
<li>Active support and development.</li>
</ul>
</div>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5477/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Free WordPress Themes Often Contain Hidden Dangers</title>
		<link>http://wdtalk.com/archives/5428</link>
		<comments>http://wdtalk.com/archives/5428#comments</comments>
		<pubDate>Tue, 11 Oct 2011 22:00:52 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blogging]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5428</guid>
		<description><![CDATA[I just stumbled upon an article at wpmu.org - that addresses the hidden dangers of searching for free WordPress themes. With over 25 million users, WordPress dominates the blogging stratosphere. While most web hosting providers have some form of quick install for WordPress, most do not offer themes beyond the default &#8211; so where do you [...]]]></description>
			<content:encoded><![CDATA[<p><strong>I just stumbled upon an <a title="Dangers with Free WordPress Themes" href="http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/" target="_blank">article</a> at wpmu.org</strong> - that addresses the hidden dangers of searching for free WordPress themes. With over 25 million users, WordPress dominates the blogging stratosphere. While most web hosting providers have some form of quick install for WordPress, most do not offer themes beyond the default &#8211; so where do you look for a theme that best matches your business culture, mission, services and products (safely)?</p>
<p>Their recommendation:</p>
<blockquote>
<ul>
<li><a href="http://themeshaper.com/" target="_blank">Theme Shaper</a></li>
<li><a href="http://www.themelab.com/free-wordpress-themes/" target="_blank">ThemeLab</a></li>
<li><a href="http://themehybrid.com/" target="_blank">Theme Hybrid</a></li>
<li><a href="http://www.arrastheme.com/" target="_blank">Arras Theme</a></li>
<li><a href="http://www.smashingmagazine.com/tag/wordpress/" target="_blank">Smashing Magazine</a></li>
</ul>
</blockquote>
<p>If you want to test your theme for hidden encrypted or static info, this article does recommend some tools:</p>
<blockquote>
<ul>
<li><a href="http://wordpress.shadowlantern.com/2009/08/decrypting-footers-base64/" target="_blank">Manual base64 decode</a></li>
</ul>
<p><strong>Useful Plugins</strong></p>
<ul>
<li><a href="http://wordpress.org/extend/plugins/tac/" target="_blank">Theme Authenticity Checker</a></li>
<li><a href="http://wordpress.org/extend/plugins/exploit-scanner/" target="_blank">Exploit Scanner</a></li>
<li><a href="http://wordpress.org/extend/plugins/theme-check/" target="_blank">Theme Check</a></li>
</ul>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5428/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Phishing</title>
		<link>http://wdtalk.com/archives/1388</link>
		<comments>http://wdtalk.com/archives/1388#comments</comments>
		<pubDate>Wed, 31 Aug 2011 16:28:06 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1388</guid>
		<description><![CDATA[Surfing the Internet poses some very real dangers - one of those being phishing. The sole purpose of phishing is an attempt by a criminal to trick you into revealing personal information, while appearing to be from a valid or legitimate source, such as your ISP, hosting provider, financial institution or consultant. I recently took an online [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Surfing the Internet poses some very real dangers - </strong>one of those being phishing. The sole purpose of phishing is an attempt by a criminal to trick you into revealing personal information, while appearing to be from a valid or legitimate source, such as your ISP, hosting provider, financial institution or consultant.</p>
<p><strong>I recently took an online test to determine -</strong> my ability to recognize phishing emails or websites. I aced it, but I&#8217;ve been in this industry for some time. Countless individuals fall prey to phishing schemes every day.</p>
<p><strong>Identity theft is on the rise.</strong> Don&#8217;t be its next victim! Do <strong>NOT</strong> give out your usernames and passwords, financial information, PIN numbers, your mother&#8217;s maiden name,  Social Security number, birthday, pet&#8217;s name or any other personal information that may help identify you. This information is used by phishers in an attempt to steal accounts, money, credit card information or your identity.</p>
<p><strong>Please be wary of any message that asks you for personal information.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1388/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Combating Malware</title>
		<link>http://wdtalk.com/archives/5181</link>
		<comments>http://wdtalk.com/archives/5181#comments</comments>
		<pubDate>Fri, 05 Aug 2011 17:42:19 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5181</guid>
		<description><![CDATA[Microsoft’s Malware Protection Center (Threat Research and Response) website - is a great resource for combating malware – the nasty stuff that lots of anti-virus programs miss. I stumbled across this site while reading, “Why malware networks are beating antivirus software,” by Ed Bott. From Microsoft: Take the following steps to help prevent infection on [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Microsoft’s Malware Protection Center (Threat Research and Response) website -</strong> is a great resource for combating malware – the nasty stuff that lots of anti-virus programs miss. I stumbled across this site while reading, “Why malware networks are beating antivirus software,” by Ed Bott.</p>
<p><strong>From Microsoft:</strong></p>
<p><strong>Take the following steps to help prevent infection on your computer:</strong></p>
<ul>
<li>Enable a firewall on your computer.</li>
<li>Get the latest computer updates for all your installed software.</li>
<li>Use up-to-date antivirus software.</li>
<li>Limit user privileges on the computer.</li>
<li>Use caution when opening attachments and accepting file transfers.</li>
<li>Use caution when clicking on links to webpages.</li>
<li>Avoid downloading pirated software.</li>
<li>Protect yourself against social engineering attacks.</li>
<li>Use strong passwords.</li>
</ul>
<p><strong>Enable a firewall on your computer</strong> - Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.</p>
<p><strong>Get the latest computer updates</strong> - Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.<br />
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.</p>
<p><strong>Use up-to-date antivirus software</strong> - Most antivirus software can detect and prevent infection by known malicious software.</p>
<p><strong>Limit user privileges on the computer</strong> - Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run. You can configure UAC in your computer to meet your preferences:</p>
<p><strong>Use caution when opening attachments and accepting file transfers - </strong>Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.</p>
<p><strong>Use caution when clicking on links to web pages</strong> - Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.</p>
<p><strong>Avoid downloading pirated software</strong> - Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading “cracked” or “pirated” software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see ‘The risks of obtaining and using pirated software’.</p>
<p><strong>Protect yourself from social engineering attacks - </strong>While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see ‘What is social engineering?’.</p>
<p><strong>Use strong passwords</strong> - Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5181/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Security Breach?</title>
		<link>http://wdtalk.com/archives/258</link>
		<comments>http://wdtalk.com/archives/258#comments</comments>
		<pubDate>Mon, 27 Jun 2011 14:46:06 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://rss.rcig.net/?p=258</guid>
		<description><![CDATA[Three years ago, a well known web host sent a message to its clients about a security breach on one of its employee accounts. They followed that with this thread in their forum. This morning, we sent a notification to a group of our customers possibly affected by a compromised employee account&#8217;s access to our [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Three years ago, a well-known web host sent a message to its clients about a security breach on one of its employee accounts. They followed that with this thread in their forum. </strong></p>
<blockquote><p>This morning, we sent a notification to a group of our customers possibly affected by a compromised employee account&#8217;s access to our internal customer management portal. We will be sending an additional communication to all customers with information about the apparent security breach, but in the meantime we would like to answer any additional questions about the communication in this thread.</p>
<p>Please understand that we will not provide specific information about the security breach due to the sensitive nature of the investigation, but we will do our best to provide as much detail as possible. As we assured in the note, based upon our security review of access logs, we do not believe any credit card information was compromised.</p>
<p>We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:</p>
<ul>
<li>1. Change your xxxxx log-in passwords immediately and do so again every 60 days.</li>
<li>2. Change your server passwords and do so again every 60 days.</li>
<li>3. Be alert to any suspicious activity on your account.</li>
<li>4. If you suspect any unusual activity, please retain your access logs along with any other information and contact us as soon as possible.</li>
</ul>
</blockquote>
<p><strong>This raised some questions then &#8211; </strong>that still apply today. What security measures do hosts normally implement (regarding their employees) to protect their clients? Are they allowed to bring in USB thumb drives (some are marketed very cleverly looking like wrist bands or writing utensils)? What about PDAs? Could they place data on these devices and simply walk out the door with gigabytes of files? Could those files be broadcast on the Internet, or used as blackmail?</p>
<p>They mentioned implementing a security best practices approach. Regardless of your level of comfort with your current host, these four suggestions need to be implemented to minimize <strong>your</strong> risk. I can&#8217;t emphasize this enough - your data is your business. Lose your data and you risk losing your business!</p>
<p><strong>What about inside your own business? </strong>The same applies to in-house servers and workstations. Most security breaches are by disgruntled employees. It&#8217;s amazing how many companies give administrative privileges to low level supervisors. Entire databases can be downloaded in minutes with thumb drives, then transported offsite.</p>
<p><strong>What about security or IT audits? </strong>Financial institutions have very strict guidelines with respect to security, but what about the thousands of small to medium sized firms that comprise the majority of businesses &#8211; your local printer, clothing retailer, auto repair shop, electrical contractors, car dealerships? How at risk is their data &#8211; and your data as their consumer? It&#8217;s astonishing how many firms broadcast on unsecured Wi-Fi networks. What&#8217;s more alarming is how easy it is to intercept and infiltrate their networks. How many times have we been alerted to intrusion theft of well-known retailers, just in the past year?</p>
<p><strong>Would an IT audit be worthwhile?</strong> Volumes of information have been written about IT audits and security. Do you trust your IT department to have fully provisioned and managed security? Most SMB owners have no clue how vulnerable their companies are without a third-party audit.</p>
<p><strong>My recommendation &#8211; </strong>Dot your i&#8217;s and cross your t&#8217;s with disaster recovery and business continuity plans. If you receive a notice like our web hosts comrades, follow their advice. Do it as a matter of habit. Being habitually secure is far better than being victimized with no recourse.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/258/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>WordPress Security Tips</title>
		<link>http://wdtalk.com/archives/5061</link>
		<comments>http://wdtalk.com/archives/5061#comments</comments>
		<pubDate>Wed, 15 Jun 2011 18:48:02 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blogging]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=5061</guid>
		<description><![CDATA[WordPress sites are constantly scanned by cyber criminals - for security vulnerabilities. I suspect thousands of WordPress sites are managed from multiple locations – at work and from home. Wherever you manage your WordPress site, make sure that computer is free of spyware, malware, adware, viruses and Trojans. Next, ensure you’re running secure, stable versions [...]]]></description>
			<content:encoded><![CDATA[<p><strong>WordPress sites are constantly scanned by cyber criminals -</strong> for security vulnerabilities. I suspect thousands of WordPress sites are managed from multiple locations – at work and from home. Wherever you manage your WordPress site, make sure that computer is free of spyware, malware, adware, viruses and Trojans. Next, ensure you’re running secure, stable versions of your applications. Keep your version of WordPress updated, as well as any plugins you may have added. NOTE – If you’re not actively using a plugin, it’s best to remove it completely from your site.</p>
<p><strong>Addressing vulnerabilities in the network itself</strong> &#8211; A busy Internet cafe where you are sending passwords in clear text over an unencrypted wireless connection is NOT a trusted network and the same applies if you’re using an unsecured wireless router on your home network. I can’t even begin to tell you how many times I’ve run security audits on business wireless networks only to find multiple unauthorized users riding on their network.</p>
<p><strong>Allowing write access on your file permissions</strong> &#8211; especially in a public environment, is also <strong>highly discouraged. </strong>If you are on a shared server, the permissions of your wp-config.php should be 750. This ensures no other user will be able to read your database username and password.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/5061/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Fighting Trojans, Viruses and Malware</title>
		<link>http://wdtalk.com/archives/4906</link>
		<comments>http://wdtalk.com/archives/4906#comments</comments>
		<pubDate>Wed, 13 Apr 2011 17:17:53 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[The Editor]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=4906</guid>
		<description><![CDATA[Once again, I&#8217;ve won the battle &#8211; combatting an onslaught of trojan horses, viruses and malware, but this time the fight dragged on for three days. The victim this time was my wife&#8217;s desktop, even though we had Malwarebytes, Microsoft Security Essentials and Safe Returner running &#8211; with up-to-date definitions. The fight began when my wife [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Once again, I&#8217;ve won the battle</strong> &#8211; combatting an onslaught of trojan horses, viruses and malware, but this time the fight dragged on for three days. The victim this time was my wife&#8217;s desktop, even though we had Malwarebytes, Microsoft Security Essentials and Safe Returner running &#8211; with up-to-date definitions.</p>
<p><strong>The fight began when my wife clicked on &#8211; </strong>a Facebook link, which was then followed by Home Security 2011 security alerts popping up every few seconds that her desktop was compromised. She thought the alert was genuine and clicked on the tab to run a scan - to remove the dozens of threats it said were infecting her computer (bad move).</p>
<p><strong>So what was the cure? </strong>For over two days, I wasn&#8217;t sure there was a cure, as everything I tried to do failed. Malwarebytes wouldn&#8217;t run, nor would Microsoft Security Essentials or Safe Returner. Ending processes didn&#8217;t work as they popped right back up as soon as I ended them.</p>
<p><strong>I was unable to run any commands &#8211; </strong>like msconfig or regedit, or download any anti-malware programs from the Internet (which wasn&#8217;t working either). Safe mode didn&#8217;t work. Downloading new anti-malware programs to a thumb drive on my desktop, then attempting to install them on hers didn&#8217;t work either.</p>
<p><strong>I finally found a tip on a Google search &#8211; </strong>that said entering a specific key code on manual registration would stop the pop-ups. To my surprise, that worked &#8211; but the malware remained. After downloading and installing a program that temporarily ended malicious processes, I was able to run Malwarebytes in Safe Mode and remove a portion of the threats. From there, I rebooted and was able to remove more threats, but with each scan, more threats appeared and I was never able to run Microsoft Security Essentials. I was able to access and search the Internet now though and went back to AVG, which I had used for years earlier.</p>
<p><strong>Even with a new install of AVG 2011 &#8211; </strong>and successful scans, there still remained two trojan infections it did not remove, even after multiple scans. To my surprise, I let AVG 2011 run a full scan one last time overnight and awoke the next morning with no threats detected. From there, I deleted the existing Malwarebytes and MS Security Essentials programs, downloaded current versions, reinstalled them and ran both without problems.</p>
<p><strong>Lesson learned </strong>- you need real time protection, especially if you frequent social networking sites. Keep your definitions current &#8211; one slip can cost you hours in recovery.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/4906/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Distributed Denial-Of-Service (DDoS) Attacks</title>
		<link>http://wdtalk.com/archives/4893</link>
		<comments>http://wdtalk.com/archives/4893#comments</comments>
		<pubDate>Thu, 07 Apr 2011 16:31:43 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=4893</guid>
		<description><![CDATA[DDoS attacks can disrupt and shut down &#8211; even the largest of networks, as evidenced recently with attacks related to WikiLeaks. These distributed denial-of-service attacks normally consist of a large number of compromised systems flooding the resources of its targeted victim, thereby denying service to its legitimate users. The target of DDoS attacks isn’t the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>DDoS attacks can disrupt and shut down</strong> &#8211; even the largest of networks, as evidenced recently with attacks related to WikiLeaks. These distributed denial-of-service attacks normally consist of a large number of compromised systems flooding the resources of their targeted victim, thereby denying service to its legitimate users.</p>
<p><strong>The target of DDoS attacks isn’t the only victim though -</strong> as all of the systems controlled in the attack suffer some degradation. Infected computers in a DDoS are called bots, which then become part of a larger botnet under the control of a cyber criminal.</p>
<p><strong>The most common types of DDoS attacks center around</strong> &#8211; consumption, disruption or obstruction of bandwidth, disk space, processor time, routing information, physical network components and communications by either maxing out resources or by triggering errors.</p>
<p><strong>Some of the most common types of attacks are</strong> – ping floods, smurf attacks, syn floods, teardrop attacks, peer-to-peer attacks, brute force attacks, IRC floods and nukes.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/4893/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Are your applications secure?</title>
		<link>http://wdtalk.com/archives/2324</link>
		<comments>http://wdtalk.com/archives/2324#comments</comments>
		<pubDate>Fri, 01 Apr 2011 15:58:58 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=2324</guid>
		<description><![CDATA[Updated April 1 2011 &#8211; This is still HIGHLY relevant. See this story. December 2009 &#8211; I just read an article this afternoon about the fastest growing security threat in the hosting industry. Apparently this threat has grown over a hundred fold in just the last year alone. What is it? SQL Injection Why have SQL [...]]]></description>
			<content:encoded><![CDATA[<p>Updated April 1 2011 &#8211; This is still HIGHLY relevant. See this <strong><a href="http://newenterprise.allthingsd.com/20110401/thousands-of-web-sites-hit-with-new-twist-on-old-sql-injection-hack/?mod=googlenews" target="_blank">story</a></strong>.</p>
<p>December 2009 &#8211; I just read an article this afternoon about the fastest growing security threat in the hosting industry. Apparently this threat has grown over a hundred fold in just the last year alone. What is it?</p>
<p><strong>SQL Injection</strong></p>
<p>Why have SQL injection attempts grown so dramatically? It was pointed out, and I agree, that it is because the bad guys are using (very sophisticated) automated tools. More and more, we’re seeing attempts that are not merely disruptive but focused on identity theft. Anyone remember Heartland Payment Systems and TJX?</p>
<p><strong>Who is Susceptible?</strong></p>
<p>Certainly, if you’re processing lots of credit cards, you need to guard against SQL injection, but even if you aren’t, this exploit needs to be addressed. I did a quick Google search for SQL injection prevention and stumbled upon an SQL Injection Cheat Sheet at http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Since most SQL injection exploits are due to lax coding and poor application design practices, prevention measures like those outlined on this site can significantly minimize your risk of being compromised.</p>
<p><strong>From Owasp.org</strong></p>
<p>&#8220;SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either:<br />
a) stop writing dynamic queries; and/or<br />
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/2324/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>VPS Firewall Issues</title>
		<link>http://wdtalk.com/archives/4649</link>
		<comments>http://wdtalk.com/archives/4649#comments</comments>
		<pubDate>Wed, 22 Dec 2010 20:11:42 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Virtual Private Servers (VPS)]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=4649</guid>
		<description><![CDATA[I&#8217;ve seen a number of threads recently on web hosting forums addressing issues with software firewalls on virtual private servers (VPS). More often than not, my perception is that the OPs (original posters) had never used software firewalls and consequently encountered installation quirks (related to options/settings). Of course there are a variety of VPS kernels [...]]]></description>
			<content:encoded><![CDATA[<div id="post_message_136187">I&#8217;ve seen a number of threads recently on web hosting forums addressing issues with software firewalls on virtual private servers (VPS). More often than not, my perception is that the OPs (original posters) had never used software firewalls and consequently encountered installation quirks (related to options/settings). Of course there are a variety of VPS kernels and software firewall packages, but some packages like APF/BFD and CSF/LFD have track records for running without significant issues, or steep learning curves.</div>
<div><strong>Advanced Policy Firewall (APF)</strong></div>
<div>APF is a policy based iptables firewall system that employs a subset of features packaged in tar.gz format and RPM formats, making it ideal for deployment in many server environments based on Linux.</div>
<div><strong>Brute Force Detection (BFD)</strong><br />
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. The reason behind BFD is very simple: there are few, if any, authentication or brute force auditing programs in the Linux community that work in conjunction with a firewall.</div>
<div><strong>Config Server Firewall (CSF) and LFD (Login Failure Daemon)</strong></div>
<div>CSF is a freely available security package for cPanel servers. This security package includes CSF (Config Server Firewall) and LFD (Login Failure Daemon). Plus, these tools are generic enough to run on plain Linux distros (non-cPanel servers). Here’s how it works in very simple terms.</div>
<div>
<ul>
<li>CSF watches Firewall activity and dynamically adds and removes rules from IPTables.</li>
<li>LFD watches log files and performs various environment checks on a configurable interval and interacts with CSF to dynamically insert and remove rules from IPTables.</li>
</ul>
<p><strong>I did see a mention of</strong> &#8211; software firewall issues with monolithic kernels, so I dug up an old <a href="http://www.vmars.tuwien.ac.at/courses/akti12/journal/04ss/article_04ss_Roch.pdf" target="_blank">article</a> discussing the differences between those and microkernels.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/4649/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Killing off Result5.Google</title>
		<link>http://wdtalk.com/archives/3901</link>
		<comments>http://wdtalk.com/archives/3901#comments</comments>
		<pubDate>Sun, 01 Aug 2010 18:56:52 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wdtalk.com/?p=3901</guid>
		<description><![CDATA[I had to tackle result5.google this past weekend, and what I thought at first was a virus was actually a re-direct to Russia. One of my friends was having problems searching, as his results were constantly being re-directed to advertising pages. He was running a small three computer network in his home with a Linksys [...]]]></description>
			<content:encoded><![CDATA[<p>I had to tackle result5.google this past weekend, and what I thought at first was a virus was actually a re-direct to Russia. One of my friends was having problems searching, as his results were constantly being re-directed to advertising pages. He was running a small three computer network in his home with a Linksys wireless router.</p>
<p>Trying to access or download any type of anti-virus program was fruitless and scans with Microsoft Security Essentials and StopZilla turned up other viruses, but didn&#8217;t kill off result5.google. Neither did Malwarebytes.</p>
<p>Searches on Bing and Google returned plenty of posts on how to eliminate this problem, but only one helped &#8211; and that was to log onto the router, correct the DNS and change the password, then empty his computers&#8217; history, temp pages and cookies. Seems his router&#8217;s DNS had been changed to 213.109.67.169 and 213.109.73.170, which a traceroute revealed pointed to Eastern Europe. When he installed his network, he neglected to change the router&#8217;s password from the vendor&#8217;s default, leaving himself open to exploits.</p>
<p>Typically, routers are marked with their serial numbers and MAC addresses, and from there you can search the vendor&#8217;s online support pages to determine the router&#8217;s IP address and how to log on to it to change its password and settings.</p>
<p>I hope this helps anyone out there who is experiencing this problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/3901/feed</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>Are you using Microsoft Security Essentials?</title>
		<link>http://wdtalk.com/archives/2351</link>
		<comments>http://wdtalk.com/archives/2351#comments</comments>
		<pubDate>Fri, 04 Dec 2009 21:22:55 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=2351</guid>
		<description><![CDATA[&#8220;Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. [...]]]></description>
			<content:encoded><![CDATA[<div class="mceTemp"><em><img class="alignright size-full wp-image-2366" title="antivirus symbol" src="http://www.wdtalk.com/wp-content/uploads/2009/12/antivirus-symbol1.jpg" alt="" width="400" height="385" />&#8220;<a href="http://www.microsoft.com/security_essentials/default.aspx?mkt=en-us#dlbutton">Microsoft Security Essentials </a>provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.</em></div>
<p><em>Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.</em></p>
<p><em>Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.&#8221;</em></p>
<p>I wonder how this offering from Microsoft will impact paid anti-virus software vendors? I know I&#8217;ll be installing this on all of my personal computers this evening.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/2351/feed</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Hacker causes widespread destruction for yet another provider</title>
		<link>http://wdtalk.com/archives/1529</link>
		<comments>http://wdtalk.com/archives/1529#comments</comments>
		<pubDate>Mon, 15 Jun 2009 22:29:06 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Disastery Recovery]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1529</guid>
		<description><![CDATA[I recently read through a thread (about network outages) on WHT that contained 177 pages of posts, 2644 replies and attracted 152,980 views. It was a very powerful thread about the destruction and ensuing consequences of a few very popular web hosting providers. The hacker himself posted in the thread (although his post was deleted [...]]]></description>
			<content:encoded><![CDATA[<p>I recently read through a thread (about network outages) on WHT that contained 177 pages of posts, 2644 replies and attracted 152,980 views. It was a very powerful thread about the destruction and ensuing consequences of a few very popular web hosting providers. The hacker himself posted in the thread (although his post was deleted rather quickly), claiming it was the provider&#8217;s lax security in the assignment of passwords that enabled the attack.  This reinforces a question I routinely pose on this blog.</p>
<p><strong>Is YOUR mission critical data backed up and protected?</strong></p>
<p>A quick Google search for remote backup software returned 6,810,000 results. I&#8217;d say that&#8217;s significant.</p>
<p>I think everyone agrees that mission critical data needs to be backed up, but how is debatable. In the hundreds of businesses I&#8217;ve serviced over the years, most in-house IT departments used DAT tapes. Very few actually physically removed those tapes from their premises every day. Even fewer remotely backed up their data. So maybe the better question to ask would be, &#8220;To what degree is your mission critical data backed up and protected?&#8221;</p>
<p>As an ex-RMA Manager (for a local networking firm), I witnessed quite a few defective DAT drives doing hard time on my shelves. I&#8217;ve also seen my share of managers scrambling to recover lost data following &#8220;unscheduled events&#8221; like virus contamination or hacks. Do you think it can&#8217;t happen to you? Keeping your fingers crossed isn&#8217;t the wisest strategy to ensure your business&#8217;s continued success.</p>
<p><strong>Disaster Recovery and Business Continuity Plans are Important</strong></p>
<p>I always recommend incorporating comprehensive disaster recovery and business continuity plans, then periodically reviewing their effectiveness. One part of that plan should be remote offsite backups. Very often incorporating a remote backup is as easy as downloading a software client onto your network server or personal computer. Many have setup wizards to walk you through the steps of connecting to the backup server, setting up your backup sets, creating a backup schedule and setting a secret encryption key. Typically, backup sets can be configured to run in a variety of ways &#8211; backing up data files at the end of the week or your My Documents folder multiple times per day.</p>
<p>Remote backups traveling across the Internet need to be encrypted so that you and only you have the ability to decrypt your data. I recommend programs that use DES, Triple-DES, Blowfish or Twofish algorithms for encryption.</p>
<p>Measuring the success of the data transfer is important. Look for programs with email notification of successful backups or backups with warnings (with log files attached).</p>
<p><strong>Once your data is remotely backed up</strong></p>
<p>Ok, you&#8217;ve backed up your data, but now have a need for one file, or an entire volume of data from two months ago. Is this possible? Simply answered &#8211; Yes. There are programs that allow instant access to any version of your data files, from the initial backup to the last incremental backup and EVERY version in between.</p>
<p><strong>Locking down clients</strong></p>
<p>Locking down clients simply refers to implementing procedures to protect critical backup sets from being accidentally changed or deleted, while remaining flexible enough for administrators to view and change those settings that control the level of usage each client is offered.</p>
<p><strong>When to back up?</strong></p>
<p>Most organizations schedule backups in the evening, during lulls in their business operations. Some programs allow you to run in silent modes (in the background) without displaying any Windows or Task Bar icons &#8211; allowing you to run backups throughout the day.</p>
<p><strong>What if my backup gets interrupted?</strong></p>
<p>Let&#8217;s say you start a backup and you lose power. Will the remote server retain the ongoing transfer, or bite the bullet? Features like event managers allow you to resume interrupted backups.</p>
<p><strong>Does remote backup software offer file filters?</strong></p>
<p>Most do &#8211; file filters allow you to include or exclude files from the backup selection, mostly via file extensions.</p>
<p><strong>Just the tip of the iceberg</strong></p>
<p>There are so many things that can and do go wrong in business every day. One thing is for sure. If you have hardware, particularly IT hardware, it will go down sooner or later. Power supplies fail, memory modules flake out, hard drives crash, DAT drives melt down &#8211; stuff happens. Some issues can be resolved in minutes or hours, but others may take days or weeks.</p>
<p>Backing up your mission critical data is an integral ingredient to averting disaster, but just the tip of the iceberg in developing and managing a comprehensive disaster recovery and business continuity plan that will ensure your business&#8217;s continued success. Step back and ask yourself, &#8220;What if?&#8221; What if a disgruntled employee, possibly a sys admin, corrupted your main servers, then disappeared? What if your building burnt to the ground? What if that DAT drive refuses to release last night&#8217;s tape &#8211; holding it hostage with a stranglehold on its recording heads? What if? What if?</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1529/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Conficker Update</title>
		<link>http://wdtalk.com/archives/1207</link>
		<comments>http://wdtalk.com/archives/1207#comments</comments>
		<pubDate>Fri, 24 Apr 2009 22:05:15 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Support]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1207</guid>
		<description><![CDATA[Conficker Update  I wrote about the threat of Conficker just prior to April 1st, the date many feared it would wreak havoc on millions of PCs. Apparently, Conficker is branching out on the sly, quietly turning an unknown number of PCs into zombies &#8211; servers of email spam via a botnet. This worm has evolved [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Conficker Update</strong> <br />
I wrote about the threat of Conficker just prior to April 1<sup>st</sup>, the date many feared it would wreak havoc on millions of PCs. Apparently, Conficker is branching out on the sly, quietly turning an unknown number of PCs into zombies &#8211; servers of email spam via a botnet.</p>
<p>This worm has evolved over the past few weeks spreading malicious software and a fake anti-spyware program called Spyware Protect 2009. This program sells for $49.95, but instead of protecting your PC, it steals your credit card information, then downloads additional malicious software. Do <strong>NOT</strong> purchase this software package.</p>
<p>A <strong>special alert</strong> &#8211; if you use USB memory sticks, this worm can be transported from PC to PC via that stick.</p>
<p>How many computers are currently infected by Downadup/Conficker?<br />
About 1-2 million.</p>
<p>Can Conficker be detected and blocked? Yes. We recommend F-Secure.</p>
<p>Currently the worm is only affecting Windows-based machines, so if you&#8217;re running a Mac or Linux box, you&#8217;re safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1207/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safeguard your system with FREE security tools</title>
		<link>http://wdtalk.com/archives/1059</link>
		<comments>http://wdtalk.com/archives/1059#comments</comments>
		<pubDate>Thu, 02 Apr 2009 22:36:41 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1059</guid>
		<description><![CDATA[Free Security Tools I didn&#8217;t see much of anything reported following the April Fools Day Conficker alert, but rest assured, the dangers of spyware and malware continue to loom. Following is a short summary of the more popular free security tools that actually work. AVG Anti-Virus Free Edition I have the free edition of AVG [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Free Security Tools</strong></p>
<p>I didn&#8217;t see much of anything reported following the April Fools Day Conficker alert, but rest assured, the dangers of spyware and malware continue to loom. Following is a short summary of the more popular free security tools that actually work.</p>
<p><strong>AVG Anti-Virus Free Edition</strong></p>
<p>I have the free edition of <a href="http://free.avg.com/" target="_blank">AVG</a> and can attest it works wonderfully.</p>
<ul type="disc">
<li>The most downloaded software on CNET&#8217;s Download.com</li>
<li>Protection against viruses and spyware (<strong>antivirus</strong> and <strong>antispyware</strong>)</li>
<li>Fast, effective security that is kind on resources</li>
<li>Compatible with <strong>Windows XP</strong> and <strong>Windows Vista</strong></li>
</ul>
<p><strong>WOT</strong></p>
<p><a href="http://www.mywot.com/" target="_blank">WOT</a> is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It&#8217;s easy and it&#8217;s free.</p>
<p><strong>Malwarebytes</strong></p>
<p><a href="http://www.malwarebytes.org/mbam.php" target="_blank">Malwarebytes</a> has created an easy-to-use, simple, and effective anti-malware application. Whether you know it or not your computer is always at risk of becoming infected with viruses, worms, trojans, rootkits, dialers, spyware, and malware that are constantly evolving and becoming harder to detect and remove.</p>
<p><strong>Spybot &#8211; Search &amp; Destroy</strong></p>
<p><a href="http://www.safer-networking.org/en/spybotsd/index.html" target="_blank">Spybot &#8211; Search &amp; Destroy</a> detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven&#8217;t intentionally installed, if your browser crashes inexplicably, or if your home page has been &#8220;hijacked&#8221; (or changed without your knowledge), your computer is most probably infected with spyware. Even if you don&#8217;t see the symptoms, your computer may be infected, because more and more spyware is emerging.</p>
<p><strong>WinPatrol</strong></p>
<p>WinPatrol offers very powerful protection. It&#8217;s a terrific free tool, popular with techies since it was created 10 years ago by Bill Pytlovany, one of the original designers of AOL and a longtime open-source practitioner. WinPatrol takes a snapshot of your Windows run registry, and from then on blocks and alerts you to any new executable program, such as a malicious backdoor, that tries to install itself on your hard drive.</p>
<p><strong>Wireshark</strong></p>
<p>Wireshark is the world&#8217;s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.</p>
<p>Wireshark has a rich feature set which includes the following:</p>
<ul type="disc">
<li>Deep inspection of hundreds of protocols, with more being added all the time</li>
<li>Live capture and offline analysis</li>
<li>Standard three-pane packet browser</li>
<li>Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others</li>
<li>Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility</li>
<li>The most powerful display filters in the industry</li>
<li>Rich VoIP analysis</li>
<li>Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others</li>
<li>Capture files compressed with gzip can be decompressed on the fly</li>
<li>Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)</li>
<li>Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2</li>
<li>Coloring rules can be applied to the packet list for quick, intuitive analysis</li>
<li>Output can be exported to XML, PostScript®, CSV, or plain text</li>
</ul>
<p><strong>Nmap</strong></p>
<ul type="disc">
<li><strong>Flexible</strong>: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP &amp; UDP), OS detection, version detection, ping sweeps, and more.</li>
<li><strong>Powerful</strong>: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.</li>
<li><strong>Portable</strong>: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.</li>
<li><strong>Easy</strong>: While Nmap offers a rich set of advanced features for power users, you can start out as simply as &#8220;nmap -v -A <em>targethost</em>&#8221;. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.</li>
<li><strong>Free</strong>: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.</li>
<li><strong>Well Documented</strong>: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials.</li>
<li><strong>Supported</strong>: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list.</li>
<li><strong>Acclaimed</strong>: Nmap has won numerous awards, including &#8220;Information Security Product of the Year&#8221; by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series.</li>
<li><strong>Popular</strong>: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.</li>
</ul>
<p><strong>Online scans</strong></p>
<p>If you suspect your system has been infected and your current tools aren&#8217;t able to deal with it, try one of the following free online scan services:</p>
<ul>
<li><a href="http://support.f-secure.com/enu/home/ols.shtml" target="_blank">F-Secure Online Scanner</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1059/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Conficker Virus Alert</title>
		<link>http://wdtalk.com/archives/1009</link>
		<comments>http://wdtalk.com/archives/1009#comments</comments>
		<pubDate>Mon, 30 Mar 2009 19:59:19 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=1009</guid>
		<description><![CDATA[Once again April Fool&#8217;s Day is fast upon us, only this Wednesday security vendor Symantec is warning that the Conficker worm is poised to (potentially) spread chaos infecting your computer system. That warning comes from Symantec&#8217;s John Park, who chronicles how searches for Conficker lead to a rogue application that infects your system. John posts [...]]]></description>
			<content:encoded><![CDATA[<p>Once again April Fool&#8217;s Day is fast upon us, only this Wednesday security vendor Symantec is warning that the Conficker worm is poised to (potentially) spread chaos infecting your computer system. That warning comes from Symantec&#8217;s John Park, who chronicles how searches for Conficker lead to a rogue application that infects your system. John posts that this infection produces malicious web pages looking like Windows Explorer with a &#8220;Windows Security Alert&#8221; dialog box appearing over them warning of multiple Trojans on your systems.</p>
<p>The Conficker worm, also known as Downadup, is a worm that uses a computer and a network of computers to download and install malware from various websites that are controlled by the worm creators.</p>
<p>Conficker has been polling 250 different domain names <strong>every day</strong> to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.</p>
<p>The worm has some peer-to-peer functionality which means that infected computers can communicate with each other <strong>without</strong> the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.</p>
<p>The machines that are <strong>already infected</strong> might do something new on April 1st.</p>
<p>Would the downloaded program execute with admin privileges?<br />
Yes, with local admin rights, which is never good.</p>
<p>Is it true that Conficker is using the MD6 hash algorithm?<br />
Yes. This was probably one of the first real-world cases where this new algorithm was used.</p>
<p>How many computers are currently infected by Downadup/Conficker?<br />
About 1-2 million.</p>
<p>Can Conficker be detected and blocked? Yes. We recommend F-Secure. They have a free cleaning tool available <a href="http://support.f-secure.com/enu/home/onlineservices/fsec/fsec.shtml">here</a>.</p>
<p>Some symptoms include the inability to access anti-virus sites, so make sure to download the latest update for your anti-virus program today.</p>
<p>Currently the worm is only affecting Windows-based machines, so if you&#8217;re running a Mac or Linux box, you&#8217;re safe.</p>
<p><strong>My Recommendation</strong></p>
<p>Make it a priority to update all of your systems before April 1st.</p>
<p>As others have stated, we might not see a payload on April 1st, but the design of the worm is such that they can make the payload happen at any time after April 1st, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/1009/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>RSA, TLS/SSL and eCommerce</title>
		<link>http://wdtalk.com/archives/986</link>
		<comments>http://wdtalk.com/archives/986#comments</comments>
		<pubDate>Thu, 26 Mar 2009 16:16:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[eCommerce Hosting]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=986</guid>
		<description><![CDATA[RSA keys are an essential cryptographic ingredient for providing TLS/SSL security in eCommerce. The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem (see below). Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these [...]]]></description>
			<content:encoded><![CDATA[<h4><span style="color: #000000;">RSA keys are an essential cryptographic ingredient for providing TLS/SSL security in eCommerce.</span></h4>
<p>The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem (see below). Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them.</p>
<p>The RSA problem is defined as the task of taking <em>e</em>th roots modulo a composite <em>n</em>: recovering a value <em>m</em> such that <em>c</em> = <em>m<sup>e</sup></em> mod <em>n</em>, where (<em>n</em>,<em>e</em>) is an RSA public key and <em>c</em> is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus <em>n</em>. With the ability to recover prime factors, an attacker can compute the secret exponent <em>d</em> from a public key (<em>n</em>,<em>e</em>), then decrypt <em>c</em> using the standard procedure. To accomplish this, an attacker factors <em>n</em> into <em>p</em> and <em>q</em>, and computes (<em>p</em> &#8211; 1)(<em>q</em> &#8211; 1), which allows the determination of <em>d</em> from <em>e</em>. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists.</p>
<p>RSA keys are typically 1024-2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term. Few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if <em>n</em> is sufficiently large. If <em>n</em> is 300 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available.</p>
<p><strong>Transport Layer Security</strong> (<strong>TLS</strong>) and its predecessor, <strong>Secure Sockets Layer</strong> (<strong>SSL</strong>), are cryptographic <strong>protocols</strong> that provide security and data integrity for communications over TCP/IP networks such as the Internet.</p>
<p>The TLS protocol allows client/server applications to communicate across a network in a way designed to <strong>prevent</strong> eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.</p>
<p>In typical end-user/browser usage, TLS authentication is <em>unilateral</em>: only the server is <em>authenticated</em> (the client knows the server&#8217;s identity), but not <em>vice versa</em> (the client remains unauthenticated or anonymous). More strictly speaking, <em>server authentication</em> means different things to the browser (software) and to the end-user (human). At the browser level, it only means that the browser has <em>validated</em> the server&#8217;s certificate, i.e. checked the digital signatures of the server certificate&#8217;s issuing CA-chain (the chain of Certification Authorities, e.g. Verisign, Thawte, and GeoTrust, that guarantee bindings of identification information to public keys). Once validated, the browser is justified in displaying a security icon (such as a &#8220;<strong>closed padlock</strong>&#8221;). But mere validation does NOT &#8220;identify&#8221; the server to the end-user. For <strong>true identification</strong>, it is incumbent on the end-user to be diligent in scrutinizing the identification information contained in the server&#8217;s certificate (and indeed its whole issuing CA-chain). This is the only way for the end-user to know the &#8220;identity&#8221; of the server. The &#8220;locked padlock&#8221; icon has no relationship to the URL, DNS name or IP address of the server. Such a binding can only be securely established if the URL, name or address is specified in the server&#8217;s certificate itself.</p>
<p>Malicious websites can&#8217;t use the valid certificate of another website because they have no means to encrypt the transmission such that it can be decrypted with the valid certificate. Since only a trusted CA can embed a URL in the certificate, this ensures that checking the apparent URL with the URL specified in the certificate is a <strong>valid</strong> way of identifying the true site.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/986/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is your forum protected?</title>
		<link>http://wdtalk.com/archives/957</link>
		<comments>http://wdtalk.com/archives/957#comments</comments>
		<pubDate>Mon, 23 Mar 2009 21:04:40 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=957</guid>
		<description><![CDATA[The Internet is full of predators (hacks) who prey &#8211; on hard working businesses, spewing their malcontent across the eGlobe. Yesterday, a premier web hosting forum (WHT) was &#8211; cut down at its knees by a deliberate and calculated hack. How does society deal with their warped deeds? What would you do if your site was [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The Internet is full of predators (hacks) who prey</strong> &#8211; on hard working businesses, spewing their malcontent across the eGlobe.</p>
<p><strong>Yesterday, a premier web hosting forum (WHT) was</strong> &#8211; cut down at its knees by a deliberate and calculated hack. How does society deal with their warped deeds? What would you do if your site was hacked? Would you first call your host? Do you have remote backup? Is your backup current? Do you have a disaster recovery and business continuity plan? Have you reviewed it lately?</p>
<p><strong>Apparently, this hack deleted their backup</strong> &#8211; and then dumped their database tables! Were their members&#8217; usernames and passwords compromised? Possibly. They&#8217;re back online, but with a backup version of their backup dating from October 2008 and earlier. Everything from November forward is lost, and may never be recovered. If this were your business, how would that impact your operations? Are you running an eCommerce website? Could you reconstruct everything from November 2008 going forward? Again, over 80% of businesses that lose their data either fail or are severely impacted within one year!</p>
<p><strong>In this instance, vast volumes of information posted by</strong> &#8211; thousands of users worldwide appear to be lost. I am a member on WHT as well as other forums. I subscribed to over one thousand threads. My inbox shows nearly six thousand replies to those threads since December 2008. Even though this forum is back online (Oct 2008 version), I still cannot log in as it doesn&#8217;t recognize my password or email address. My loss is an incredible breadth and depth of knowledge base that has been corrupted.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/957/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Extended Validation (EV) SSL Certificates – Go Green</title>
		<link>http://wdtalk.com/archives/811</link>
		<comments>http://wdtalk.com/archives/811#comments</comments>
		<pubDate>Fri, 06 Mar 2009 20:00:01 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[eCommerce Hosting]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://hostirian.com/blog/?p=811</guid>
		<description><![CDATA[Extended Validation (EV) SSL Certificates meet the highest standard in the Internet security industry for Web site authentication. EV SSL Certificates give high-security Web browsers information to clearly display a Web site&#8217;s organizational identity. The high-security Web browser&#8217;s address bar turns GREEN and reveals the name of the organization that owns the SSL Certificate and the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Extended Validation (EV) SSL Certificates</strong> meet the highest standard in the Internet security industry for Web site authentication. EV SSL Certificates give high-security Web browsers information to clearly display a Web site&#8217;s organizational identity. The high-security Web browser&#8217;s address bar turns <strong>GREEN</strong> and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Why is this important? It gives Web site visitors an easy and reliable way to establish trust online.</p>
<p>I&#8217;ve started noticing more and more green EV SSL certificates lately, but I was on a local Credit Union&#8217;s site yesterday afternoon and noticed their SSL didn&#8217;t even show that the site was encrypted. I was stunned. I&#8217;ve been in that Credit Union a number of times and know their IT security to be first rate.  Their site was recently revamped, so I suspect their new host cut costs by installing a cheap SSL certificate, as they can be found online for less than ten dollars.</p>
<p>Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in <strong>three</strong> essential ways:</p>
<ul>
<li>1. An SSL Certificate enables <strong>encryption</strong> of sensitive information during online transactions.</li>
<li>2. Each SSL Certificate contains unique, <strong>authenticated</strong> information about the certificate owner.</li>
<li>3. A Certificate Authority <strong>verifies</strong> the identity of the certificate owner when it is issued.</li>
</ul>
<p>You need SSL if&#8230;</p>
<ul>
<li>You have an online store or accept online orders and credit cards</li>
<li>You offer a login or sign in on your site</li>
<li>You process sensitive data such as address, birth date, license or ID numbers</li>
<li>You need to comply with privacy and security requirements</li>
<li>You value privacy and expect others to trust you.</li>
</ul>
<p>Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site&#8217;s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (<strong>VeriSign</strong>, for example). Firefox 3 also supports Extended Validation SSL.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/811/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hosting Providers &amp; Merchant Accounts – PCI Compliance Explained</title>
		<link>http://wdtalk.com/archives/685</link>
		<comments>http://wdtalk.com/archives/685#comments</comments>
		<pubDate>Mon, 23 Feb 2009 22:47:50 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://rss.rcig.net/?p=685</guid>
		<description><![CDATA[There seems to be a great deal of confusion about PCI compliance, on the part of merchants and hosting providers. Who&#8217;s responsible for what? First, the merchant (web host) always remains responsible for compliance &#8211; to be certified. Their hosting provider (data center) is responsible within the scope of the infrastructure and services they provide [...]]]></description>
			<content:encoded><![CDATA[<p>There seems to be a great deal of confusion about PCI compliance, on the part of merchants and hosting providers. Who&#8217;s responsible for what?</p>
<p>First, the merchant (web host) always remains responsible for compliance &#8211; to be certified. Their hosting provider (data center) is responsible within the scope of the infrastructure and services they provide to the merchant &#8211; for example, real estate (floor, electricity and controlled physical access). If a hosting provider also manages the merchant&#8217;s network, then they&#8217;re responsible for that specific scope of compliance.</p>
<p>Having said that, the merchant is required to monitor compliance of their service providers and manage any non-compliant risks, but a hosting provider&#8217;s PCI compliance isn&#8217;t mandatory for merchants to use that provider. As a merchant who accepts card payments for products or services, you are obligated to be PCI compliant &#8211; but not for the environment in its entirety, rather limited to the processing of the credit cards, storage of that data and their respective transmission gateways. To that end, PCI is technology neutral, meaning you don&#8217;t have to build out with specific infrastructure.</p>
<p>So what are the minimum requirements? A couple of servers, a firewall, logging, monitoring and IDS / IPS (intrusion detection and intrusion prevention systems) capabilities.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/685/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Protecting your resources from Internet dangers – Managed Firewalls</title>
		<link>http://wdtalk.com/archives/337</link>
		<comments>http://wdtalk.com/archives/337#comments</comments>
		<pubDate>Tue, 30 Dec 2008 22:42:45 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://rss.rcig.net/?p=337</guid>
		<description><![CDATA[Ok, let&#8217;s face it. The Internet is game to &#8211; all sorts of intruders. I told my wife I found a Trojan Horse on her laptop and her response was, &#8220;What&#8217;s that?&#8221; Clearly, protecting your data from being compromised can be a daunting task. What firewall should you incorporate? Are software or hardware firewalls better? [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Ok, let&#8217;s face it. The Internet is game to</strong> &#8211; all sorts of intruders. I told my wife I found a Trojan Horse on her laptop and her response was, &#8220;What&#8217;s that?&#8221; Clearly, protecting your data from being compromised can be a daunting task. What firewall should you incorporate? Are software or hardware firewalls better? What exactly is packet filtering and why is it important? And how do I analyze my firewall logs? Is this something better left to professionals?</p>
<p><strong>Your primary consideration is</strong> &#8211; the worth of your data. If you lost it or it was compromised this minute, could you survive as a business entity? </p>
<p><strong>Let&#8217;s say you&#8217;ve done due diligence and installed</strong> &#8211; a high end firewall appliance. Is anyone on your staff certified to analyze that firewall&#8217;s logs? If not, do you outsource those logs? Are you provided analysis and recommendations? Are security risks shored up? Are you compliant? </p>
<p><strong>I&#8217;m constantly reading threads in forums</strong> &#8211; of compromised data, and OPs pleading for assistance after-the-fact. I was at a physician&#8217;s office a while back checking the security of her Wifi network, and while she was protected, at least a dozen other <strong>unprotected</strong> networks popped up. She had no clue she could compromise their networks as that was never her intention, but certainly it is the intention of (apparently) thousands of unscrupulous hacks on the Internet. </p>
<p><strong>Fortunately, there are firms that you can</strong> &#8211; turn to that make it their business to protect your business.</p>
<p>For any organization that conducts business over the Internet, a managed firewall is a vital first line of defense:</p>
<ul>
<li><strong>protects your information</strong> and systems from compromise</li>
<li><strong>helps ensure</strong> secure, ongoing communications between your Web site and customers</li>
<li><strong>reduces the costs</strong> and disruption of intrusion-initiated downtime</li>
<li><strong>extends</strong> your in-house capabilities</li>
</ul>
<p><strong>CLI versus GUI interfaces</strong></p>
<p>What are some types of command line interfaces (CLI) for managing firewalls? PIX and Linux IPTables are popular examples. GUI-based interfaces are more intuitive to the end user, so are presumably easier to use. They&#8217;re both designed to keep the malicious stuff out, while providing an enhanced, more secure online experience.</p>
<p><strong>Custom operating versus open source systems</strong></p>
<p>Systems like the Cisco PIX run on a custom operating system where the source code is not available, and are updated via patches or new releases. Then there are open source systems which include Linux, OpenBSD and Solaris 10. Open source systems typically require more effort to maintain and secure your data, but patches to shore up vulnerabilities may get released faster. Closed source systems, properly configured and maintained by the user, eliminate many of the variables inherent in general operating systems, making it easier for the less experienced user to maintain.</p>
<p><strong>Are you up to managing your own firewall with a CLI? (Command Line Interface)</strong></p>
<p>Most firewalls require you to perform an initial configuration &#8211; things like your IP address, net mask, default gateway and possibly an administrative password &#8211; first in the CLI, even when using a GUI. CLIs require knowledge of the command set in your firewall appliance. For example, to configure Linux&#8217;s Netfilter, you have to use the IPTables CLI to set up configurations for Secure Shell (SSH), email and web traffic. What ports do you allow and which do you deny?</p>
<p><strong>GUIs</strong></p>
<p>There are GUIs for Linux&#8217;s IPTables firewall software. Some are web based (such as Webmin), and some are applications running on the Linux system itself (such as Firestarter). Firestarter provides a simple, easy-to-use interface for IPTables. Webmin provides a method by which the firewall can be managed through a web browser interface.</p>
<p>One significant benefit of a CLI over a GUI is that the CLI is available through Telnet and SSH sessions as well as through a direct connection to the serial port. This becomes important when considering how access to the firewall management interface will be controlled.</p>
<p><strong>Management Access</strong></p>
<p>Network devices such as firewalls, switches, routers and intrusion detection sensors should only be accessed  by trusted users who <strong>need</strong> to administer them. Unauthorized users, whether someone with malicious intent or not, may change the configuration or disable the device and thus compromise the security of your entire network and data.</p>
<p>Additional considerations must be made regarding <strong>how</strong> the firewall is accessed: Telnet, SSH, SNMP, FTP, TFTP, HTTP/HTTPS, or some proprietary management protocol.</p>
<p><strong>HTTP versus HTTPS</strong></p>
<p>HTTP is an unencrypted protocol that allows hackers to view communication between the client and the server. Although intruders may not necessarily be able to capture the password to your web server, they may be able to capture other information such as configuration information or possibly a valid cookie that would then allow the attacker to impersonate a legitimate user and gain access to the firewall&#8217;s administrative interface.</p>
<p>HTTPS uses Secure Sockets Layer (SSL) encryption technology to encrypt communication between the client and the firewall web server. This makes it impossible for an attacker to eavesdrop on a management session or intercept any information that could be used to gain access to your firewall.</p>
<p><strong>Analyzing Logs</strong></p>
<p>Logging is also essential for maintaining and administering a firewall. Logging enables an administrator to see all traffic blocked by the firewall as well as troubleshoot the firewall configuration when a particular function, such as Network Address Translation (NAT), is not working as expected.</p>
<p>No matter how the firewall logs information, it is <strong>critical</strong> that the logged information be reviewed by an administrator or outsourced professional. You cannot set up a firewall appliance and walk away from it thinking your data will remain secure forever.</p>
<p><strong>Vulnerabilities</strong></p>
<p>A vulnerability is a defect that might result in the potential exploitation of the firewall by an attacker to cause either a denial-of-service (DoS) attack or to gain access to your firewall. Vulnerabilities are routinely caused by a misconfiguration of the firewall itself.</p>
<p>A vulnerability due to a <em>misconfiguration</em> of the firewall can range from allowing access to Remote Procedure Call (RPC) ports on systems behind the firewall to not setting an access password on the device itself.</p>
<p><strong>Due Diligence</strong><br />
Special care must be taken when managing a firewall because it protects <strong>your data</strong> from the world. In many cases, it represents the <strong>only</strong> security device on your network.</p>
<p><strong>Disaster Recovery and Business Continuity</strong></p>
<p>I cannot overemphasize the importance of remote backup even with a properly configured and maintained firewall.</p>
<p>Having said that, firewalls are an <strong>essential element</strong> in the defense and retention of your data. <strong>Your data is your business.</strong> If you are even remotely at a loss as to how to configure, maintain and analyze your firewall logs, I wholly recommend outsourcing this service.</p>
]]></content:encoded>
			<wfw:commentRss>http://wdtalk.com/archives/337/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

