Archive

Archive for the ‘Security’ Category

Combating Malware

August 5th, 2011 2 comments

Microsoft’s Malware Protection Center (Threat Research and Response) website - is a great resource for combating malware – the nasty stuff that lots of anti-virus programs miss. I stumbled across this site while reading, “Why malware networks are beating antivirus software,” by Ed Bott.

From Microsoft:

Take the following steps to help prevent infection on your computer:

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.
  • Enable a firewall on your computer
  • Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates - Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software - Most antivirus software can detect and prevent infection by known malicious software.

Limit user privileges on the computer - Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run. You can configure UAC in your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers - Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

  • Use caution when clicking on links to web pages
  • Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.
  • Avoid downloading pirated software
  • Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading “cracked” or “pirated” software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see ‘The risks of obtaining and using pirated software‘.

Protect yourself from social engineering attacks - While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see ‘What is social engineering?‘.

Use strong passwords - Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols.

Categories: Security Tags:

Security Breach?

June 27th, 2011 4 comments

Three years ago, a well known web host sent a message to its clients about a security breach on one of its employee accounts. They followed that with this thread in their forum.

This morning, we sent a notification to a group of our customers possibly affected by a compromised employee account’s access to our internal customer management portal. We will be sending an additional communication to all customers with information about the apparent security breach, but in the meantime we would like to answer any additional questions about the communication in this thread.

Please understand that we will not provide specifics information about the security breach due to the sensitive nature of the investigation, but we will do our best to provide as much detail as possible. As we assured in the note, based upon our security review of access logs, we do not believe any credit card information was compromised.

We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:

  • 1. Change your xxxxx log-in passwords immediately and do so again every 60 days.
  • 2. Change your server passwords and do so again every 60 days.
  • 3. Be alert to any suspicious activity on your account.
  • 4. If you suspect any unusual activity, please retain your access logs along with any other information and contact us as soon as possible.

This raised some questions – then that still apply today. What security measures do hosts normally implement (regarding their employees) to protect their clients? Are they allowed to bring in usb thumb drives (some are marketed very cleverly looking like wrist bands or writing utensils)? What about PDA’s? Could they place data on these devices and simply walk out the door with gigabytes of files? Could those files be broadcast on the Internet, or used as blackmail?

They mentioned implementing a security best practices approach. Regardless of your level of comfort with your current host, these four suggestions need to be implemented to minimize your risk. I can’t emphasize this enough - your data is your business. Lose your data and you risk losing your business!

What about inside your own business? The same applies to in-house servers and workstations. Most security breaches are by disgruntled employees. It’s amazing how many companies give administrative privileges to low level supervisors. Entire databases can be downloaded in minutes with thumb drives, then transported offsite.

What about security or IT audits? Financial institutions have very strict guidelines with respect to security, but what about the thousands of small to medium sized firms that comprise the majority of businesses – your local printer, clothing retailer, auto repair shop, electrical contractors, car dealerships? How at risk is their data – and your data as their consumer? It’s astonishing how many firms broadcast on unsecured Wifi networks. What’s more alarming is how easy it is to intercept and infiltrate their networks. How many times have we been alerted to intrusion theft of well known retailers, just in the past year?

Would an IT audit be worthwhile? Volumes of information has been written about IT audits and security. Do you trust your IT department to have fully provisioned and managed security? Most SMB owners have no clue how vulnerable their companies are without a 3rd party audit.

My recommendation – Dot your i’s and cross your t’s with disaster recovery and business continuity plans. If you receive a notice like our web hosts comrades, follow their advice. Do it as a matter of habit. Being habitually secure is far better than being victimized with no recourse.



Categories: Security Tags:

WordPress Security Tips

June 15th, 2011 2 comments

WordPress sites are constantly scanned by cyber criminals - for security vulnerabilities. I suspect thousands of WordPress sites are managed from multiple locations – at work and from home. Wherever you manage your WordPress site, make sure that computer is free of spyware, malware, adware, viruses and Trojans. Next, ensure you’re running secure, stable versions of your applications. Keep your version of WordPress updated, as well as any plugins you may have added. NOTE – If you’re not actively using a plugin, it’s best to remove it completely from your site.

Addressing vulnerabilities in the network itself – A busy Internet cafe where you are sending passwords in clear text over an unencrypted wireless connection is NOT a trusted network and the same applies if you’re using an unsecure wireless router on your home network. I can’t even begin to tell you how many times I’ve run security audits on business wireless networks only to find multiple unauthorized users riding on their network.

Allowing write access on your file permissions – especially in a public environment, is also highly discouraged. If you are on a shared-server, the permissions of your wp-config.php should be 750. This ensures no other user will be able to read your database username and password.

 

Categories: Blogging, Security Tags:

Fighting Trojans, Viruses and Malware

April 13th, 2011 2 comments

Once again, I’ve won the battle – combatting an onslaught of trojan horses, viruses and malware, but this time the fight dragged on for three days. The victim this time was my wife’s desktop, even though we had Malwarebytes, Microsoft Security Essentials and Safe Returner running – with up-to-date definitions.

The fight began when my wife clicked on – a Facebook link, which was then followed by Home Security 2011 security alerts popping up every few seconds that her desktop was compromised. She thought the alert was genuine and clicked on the tab to run a scan -  to remove the dozens of threats it said were infecting her computer (bad move).

So what was the cure? For over two days, I wasn’t sure there was a cure, as everything I tried to do failed. Malwarebytes wouldn’t run, nor would Microsoft Security Essential or Safe Returner. Ending processes didn’t work as they popped right back up as soon as I ended them.

I was unable to run any commands – like msconfig or regedit, or download any anti-malware programs from the Internet (which wasn’t working either). Safe mode didn’t work. Downloading new anti-malware programs to a thumb drive on my desktop, then attempting to install them on hers didn’t work either.

I finally found a tip on a Google search – that said entering a specific key code on manual registration would stop the pop ups. To my surprise, that worked – but the malware remained. After downloading and installing a program that temporarily ended malicious processes, I was able to run Malwarebytes in Safe Mode and remove a portion of the threats. From there, I rebooted and was able to remove more threats, but with each scan, more threats appeared and I was never was able to run Microsoft Security Essentials. I was able to access and search the Internet now though and went back to AVG, which I had used for years earlier.

Even with a new install of AVG 2011 – and successful scans, there still remained two trojan infections it did not remove, even after multiple scans. To my surprise, I left AVG 2011 run a full scan one last time overnight and awoke the next morning with no threats detected. From there, I deleted the existing Malwarebytes and MS Security Essentials programs, downloaded current versions, reinstalled them and ran both without problems.

Lesson learned - you need real time protection, especially if you frequent social networking sites. Keep your definitions current – one slip can cost you hours in recovery.

Categories: Disastery Recovery, Security, The Editor Tags:

Distributed Denial-Of-Service (DDoS) Attacks

April 7th, 2011 No comments

DDoS attacks can disrupt and shut down – even the largest of networks, as evidenced recently with attacks related to WikiLeaks. These distributed denial-of-service attacks normally consist of a large number of compromised systems flooding the resources of its targeted victim, thereby denying service to its legitimate users.

The target of DDoS attacks isn’t the only victim though - as all of the systems controlled in the attack suffer some degradation. Infected computers in a DDoS are called bots, which then become part of a larger botnet under the control of a cyber criminal.

The most common types of DDoS attacks center around – consumption, disruption or obstruction of bandwidth, disk space, processor time, routing information, physical network components and communications by either max’ing out resources or by triggering errors.

Some of the most common types of attacks are – ping floods, smurf attacks, syn floods, teardrop attacks, peer-to-peer attacks, brute force attacks, IRC floods and nukes.

Categories: Security Tags:

Are your applications secure?

April 1st, 2011 No comments

Updated April 1 2011 – This is still HIGHLY relevant. See this story.

December 2009 – I just read an article this afternoon about the fastest growing security threat in the hosting industry. Apparently this threat has grown over a hundred fold in just the last year alone. What is it?

SQL Injection

Why have SQL injection attempts grown so dramatically? It was pointed out, and I agree, because the bad guys are using (very sophisticated) automated tools. More and more, we’re seeing attempts not only to be disruptive, rather to be focused on identity theft. Anyone remember Heartland Payment Systems and TJX?

Who is Susceptible?

Certainly, if you’re processing lots of credit cards, you need to guard against SQL injection, but even if you aren’t, this exploit needs to be addressed. I did a quick Google search for SQL injection prevention and stumbled upon an SQL Injection Cheat Sheet at http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Since most SQL injection exploits are due to lax coding and poor application design practices, prevention measures like those outlined on this site can significantly minimize your risk of being compromised.

From Owasp.org

“SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either:
a) stop writing dynamic queries; and/or
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.”

Categories: Featured Articles, Security, Support Tags:

VPS Firewall Issues

December 22nd, 2010 No comments
I’ve seen a number of threads recently on web hosting forums addressing issues with software firewalls on virtual private servers (VPS). More often than not, my perception is that the OPs (original posters) had never used software firewalls and consequently encountered installation quirks (related to options/settings). Of course there are a variety of VPS kernels and software firewall packages, but some packages like APF/BFD and CSF/LFD have track records for running without significant issues, or steep learning curves.
 
Advanced Policy Firewall (APF)
APF is a policy based iptables firewall system that employs a subset of features packaged in tar.gz format and RPM formats, making it ideal for deployment in many server environments based on Linux.
 
Brute Force Detection (BFD)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. The reason behind BFD is very simple; the fact that there is little-to-no authentication or brute force auditing programs in the linux community that works in conjunction with a firewall.
 
Config Server Firewall (CSF) and LFD (Login Failure Daemon)
CSF is a freely available security package for cPanel servers. This security package includes CSF (Config Server Firewall) and LFD (Login Failure Daemon). Plus, these tools are generic enough to run on plain linux distro’s (non-cPanel servers). Here’s how it works in very simple terms.
  • CSF watches Firewall activity and dynamically adds and removes rules from IPTables.
  • LFD watches log files and performs various environment checks on a configurable interval and interacts with CSF to dynamically insert and remove rules from IPTables.

I did see a mention of – software firewall issues with monolithic kernels, so I dug up an old article discussing the differences between those  and microkernels.

Privacy Policy | TOS