<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today &#187; IT Security</title>
	<atom:link href="http://www.securetoday.net/category/itsec/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Thu, 25 Feb 2010 16:25:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How to avoid rogue security software</title>
		<link>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/</link>
		<comments>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 16:23:45 +0000</pubDate>
		<dc:creator>SecureToday.net Admin</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=199</guid>
		<description><![CDATA[What can you do to help prevent the spread of rogues and make sure that rogue  software vendors stop profiting from their unscrupulous business?  Follow these tips below to tell what&#8217;s real and what&#8217;s not when it comes  to security software – and share them with friends and family who may  [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><a href="http://www.securetoday.net/wp-content/uploads/2010/02/shield.jpg"><img class="alignleft size-full wp-image-200" title="shield" src="http://www.securetoday.net/wp-content/uploads/2010/02/shield.jpg" alt="" width="100" height="112" /></a>What can you do to help prevent the spread of rogues and make sure that <a href="http://www.net-security.org/malware_news.php?id=1240">rogue  software</a> vendors stop profiting from their unscrupulous business?  Follow these tips below to tell what&#8217;s real and what&#8217;s not when it comes  to security software – and share them with friends and family who may  be vulnerable to rogue threats.</p>
<p style="text-align: justify;"><strong>1.</strong> Do not fall for scare tactics. While browsing sites, be  cautious of pop-ups warning you that your system is infected and  offering a product to clean it up. Never pay for a program that  installed itself to your computer. This is a hallmark of rogue software.</p>
<p style="text-align: justify;"><strong>2.</strong> Use security software with real-time protection and keep it up-to-date. If you know that you have anti-virus, anti-spyware, and a firewall on your PC, you can safely ignore security alerts you receive that do not come from your chosen security software provider. (Rogue security software will often try to lure computer users by using legitimate-looking pop-up messages that appear to be security alerts.) Also, most anti-malware programs will help keep you protected from rogues because they can detect and remove these programs.</p>
<p style="text-align: justify;"><strong>3.</strong> Access experts at security forums and ask about the software  you are considering before you decide to purchase it.</p>
<p style="text-align: justify;"><strong>4.</strong> Read the software reviews at reputable sites like  Download.com. Do not blindly trust individual sites offering security  products.</p>
<p style="text-align: justify;"><strong>5.</strong> Ask knowledgeable friends and family members about quality  software they use. Keep in mind that when you search for trustworthy  security software online, rogue products can, and often do, appear in  the search results list.</p>
<p style="text-align: justify;"><strong>6.</strong> Practice online skepticism. Be aware that rogue security  software does exist on the Web, and be vigilant about avoiding it. These  programs are designed to appear genuine &#8211; meaning they may mimic  legitimate programs, use false awards and reviews to rope you in, or  employ other deceptive tactics. It’s also a good idea to familiarize  yourself with common phishing scams, and to be cautious of links in  e-mail messages and on social networking sites.</p>
<p><em>Author: Erin Earley, editor of Lavasoft News.</em></p>
<p><em>&#8212;</em></p>
<p><em>NOTE: Original article is posted on Help Net Security website: <a href="http://www.net-security.org/malware_news.php?id=1245" target="_blank">http://www.net-security.org/malware_news.php?id=1245</a>. You can subscribe to their news for up-to-date security news and articles. </em><br />
<em>Follow us on Twitter: @<a href="http://twitter.com/securetoday">securetoday</a>.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Running outdated OS and applications? You are inviting risk!</title>
		<link>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/</link>
		<comments>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 20:02:57 +0000</pubDate>
		<dc:creator>Anand Harikrishnan, CEH</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=194</guid>
		<description><![CDATA[Most organizations have spent enormous effort and money to bring up their defenses against external attacks. Equally important is how we secure our internal assets from various threats on an ongoing basis. The presence of unsupported operating systems &#38; applications within the enterprise is one such great threat, which is often neglected or missed out. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="font-family: Calibri;"><strong>M</strong>ost organizations have spent enormous effort and money to bring up their defenses against external attacks. Equally important is how we secure</span><span style="font-family: Calibri;"> our internal assets from various threats on an ongoing basis. The presence of unsupported operating systems &amp; applications within the enterprise is one such great threat, which is often</span><span style="font-family: Calibri;"> neglected or missed out. </span></p>
<p style="text-align: justify;"><span style="font-family: Calibri;">In the recent global Conficker outbreak, many customers had infections on unsupported operating systems, which were impossible to patch because Microsoft patches </span><span style="font-family: Calibri;">were not available. The reason is that those operating systems had already completed <a href="http://support.microsoft.com/gp/lifesupsps" target="_blank">5 year Microsoft support</a>, passed extended support, and entered the category of &#8220;retired&#8221; OS. The </span><span style="font-family: Calibri;">presence of such unpatched, unsupported systems is not limited to Microsoft environments but is equally found in other flavors like Linux, Mac, etc. These are safe homes for viruses, Trojans, </span><span style="font-family: Calibri;">and bots. Quite interestingly, most of these legacy or old systems won&#8217;t be seen in DNS. Such systems pose a significant risk to the organization by themselves. Continuous measures need to be taken to identify such systems or applications and get them decommissioned!</span></p>
<p><a href="http://www.securetoday.net/wp-content/uploads/2010/02/virus.3.gif"><img class="alignleft size-medium wp-image-195" src="http://www.securetoday.net/wp-content/uploads/2010/02/virus.3-281x300.gif" alt="" width="281" height="300" /></a></p>
<p><span style="font-family: Calibri;"> These systems or applications are present in most organizations for various reasons:<br />
</span></p>
<ol>
<li><span style="font-family: Calibri;"><strong>LEGACY:</strong> A good number of them were used to run legacy applications and are now forgotten or abandoned, or interest in upgrading them has been lost. </span></li>
<li><span style="font-family: Calibri;"><strong>BUNDLED DEVICES:</strong> Others are still being used for embedded applications/controllers like security cameras, printers, etc. It&#8217;s quite possible that individual risk assessment of these components gets left out. </span></li>
<li><span style="font-family: Calibri;"><strong>BUSINESS REQUIREMENT:</strong> There might be a business need for such systems to support a specific application. It&#8217;s an unseen risk until the organization analyzes the threat it can bring in.</span></li>
</ol>
<p style="text-align: justify;"><span style="font-family: Calibri;">The situation is a little scary if they are found in critically risky environments (like thermonuclear plants, hydroelectric plants, real-time systems, defense, medical systems, government establishments), where the risk associated with such bundled products is enormously high.</span></p>
<p style="text-align: justify;"><span style="font-family: Calibri;"><span id="more-194"></span>Management should take the initiative to ensure that these systems are identified and tackled. This should be an ongoing activity. Asset management can help with this to a great extent if it&#8217;s well planned and designed. Good asset management keeps track of unused desktops/servers, hosts assigned to employees who are no longer with the organization, etc. This also helps in building a formal end of life (EOL) strategy for proper disposal of unsupported OS and applications. </span></p>
<div>
<p style="text-align: justify;"><span style="font-family: Calibri;">Enterprises should have a migration plan for moving unsupported OS or applications six months prior to support expiry. If the business demands their presence after EOL, specific measures should be taken to mitigate the associated risk. These include isolation of the system from the rest of the network and third-party support, provided that the support addresses vulnerability assessment and security patch development. For bundled products (printers, security cameras, etc.) under support, vendors should be held responsible for addressing issues. If open source software products are used in a production environment, special care should be taken to identify the threats they may bring in. It&#8217;s the project management team&#8217;s responsibility to ensure that these open source products are free from any critical vulnerabilities. Legacy systems found running an unsupported operating system or application should be analyzed quarterly for the business justification for their usage. Hardware and software support contracts should be reviewed to ensure they are within EOL. </span></p>
</div>
<p style="text-align: justify;"><span style="font-family: Calibri;"> Identifying unsupported systems on the network will continue to be a challenging task until such measures are taken. Nessus has come out with a few plugins to detect unsupported operating systems, which cover <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=19699" target="_blank">Windows NT 4.0</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=21626" target="_blank">Windows 95/98/ME</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=22313" target="_blank">Microsoft Exchange Server Unsupported version</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=12521" target="_blank">Mac OSX</a> and <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=33850" target="_blank">Unsupported Unix and Linux</a>. With good asset management and proper management support, this risk can be addressed to a great extent.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MS Patch released: MS10-002 IE 0-day</title>
		<link>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/</link>
		<comments>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 21:13:11 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Hacking Exposed]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[IE 0-day]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[MS10-002]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=178</guid>
		<description><![CDATA[Just finished attending McAfee&#8217;s monthly Hacking Exposed Live Special Edition covering &#8220;Operation Aurora&#8221;, which I talked about in yesterday&#8217;s post. As always, Stuart McClure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed on a vulnerable system.
In McClure&#8217;s demo, he accessed his customized [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securetoday.net/wp-content/uploads/2010/01/hack_exposed.jpg"><img class="alignleft size-full wp-image-180" title="hack_exposed" src="http://www.securetoday.net/wp-content/uploads/2010/01/hack_exposed.jpg" alt="" width="375" height="340" /></a><strong>J</strong>ust finished attending McAfee&#8217;s monthly <a href="http://grc.mcafee.com/content/HackingExposed" target="_blank">Hacking Exposed</a> Live Special Edition covering &#8220;Operation Aurora&#8221;, which I talked about in yesterday&#8217;s <a href="http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/" target="_self">post</a>. As always, Stuart McClure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed on a vulnerable system.</p>
<p>In McClure&#8217;s demo, he accessed his customized website using IE-6, which is vulnerable to the attack, and showed how the exploit is downloaded to the machine, saved, decoded, and run. Exploits like these are really scary for everyone because they do not even require the end user to do anything, such as clicking or downloading something.</p>
<p>To make things worse, the downloaded file was a jpg (or could be gif, png). To some, it could look like an image file, but it is actually an executable file. The process is automatic. The jpg file is downloaded, repackaged, and then the binary is executed. The payload could be anything, such as installing a backdoor Trojan that sits in your computer to steal information, or it could be a nasty virus that wipes out your entire data.</p>
<p>While I&#8217;ve been stressing to everyone to be very careful about clicking links in emails or visiting suspicious websites, sometimes at the end of the day, it boils down to your system protection. What are your protections, walls, or shields from these evildoers? Do you have your system locked down, or updated, or patched?</p>
<p><span style="text-decoration: underline;"><strong>PATCH</strong></span>. The best thing to do really is to patch your system so you are not vulnerable. Today, Microsoft released an out-of-band security patch to address this 0-day vulnerability. I highly recommend that you install this patch as your first line of defense. Here is the link: <strong><a href="http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx" target="_blank">http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx</a></strong>. Again, do not install any third-party patches. Trust only the one that comes from Microsoft. Currently, I am attending Microsoft&#8217;s Out-of-Band Security Release bulletin webcast, in which they cover what is included in this patch.</p>
<p><span style="text-decoration: underline;"><strong>BROWSE</strong></span>. It has also been discovered that other versions of IE, not only IE-6, could be vulnerable to this attack. So, it is not a bad idea to use an alternate browser like Firefox, Opera, or Chrome. I might also add that your favorite email clients, such as Outlook, can easily launch the attack too, since email is displayed in HTML. So be aware of all the doors where this attack can get in.</p>
<p><span style="text-decoration: underline;"><strong>DEFENSE</strong></span>. For home users, it is very important that you have antivirus software and up-to-date virus definitions. Having a host firewall or IPS also adds another layer of protection. In the corporate world, taking advantage of the powerful features of your Firewall, Proxy, nIPS, hIPS, and Antivirus is crucial.</p>
<p>Inline proxies can block file downloads that are suspicious or deemed infected, thereby protecting the corporate users behind the proxies. With a good signature and inline IDS, you can also block or drop these attacks or traffic. And an updated Antivirus can catch this before it can wreak havoc. Multiple lines of defense, implemented correctly, give you and your company better protection.</p>
<p>So again, download and install the patch now, it is available from the link above; update your antivirus &#8211; protect yourself!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Haiti Earthquake and Scam emails</title>
		<link>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/</link>
		<comments>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 17:28:21 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Hacking Exposed]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[haiti]]></category>
		<category><![CDATA[haiti earthquake]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=167</guid>
		<description><![CDATA[

The recent earthquake disaster that struck Haiti is sometimes unbearable to watch. The death toll is estimated at 80,000 and rising, or 200,000 according to the Haitian government. The damages sum up to billions of dollars. It is indeed a disaster that melts your heart in pity.
More than 5 years ago, a colossal disaster hit Indonesia and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">
<div id="attachment_168" class="wp-caption aligncenter" style="width: 618px"><img class="size-full wp-image-168  " title="haiti-quake" src="http://www.securetoday.net/wp-content/uploads/2010/01/haiti-quake.jpg" alt="" width="608" height="403" /><p class="wp-caption-text">Haiti Earthquake Landslide</p></div>
<p style="text-align: left;">
<p style="text-align: left;"><strong>T</strong>he recent earthquake disaster that struck Haiti is sometimes unbearable to watch. The death toll is estimated at 80,000 and rising, or 200,000 according to the Haitian government. The damages sum up to billions of dollars. It is indeed a disaster that melts your heart in pity.</p>
<p style="text-align: left;">More than 5 years ago, a colossal disaster hit Indonesia and other parts of the world when an earthquake in the Indian Ocean caused huge and deadly tsunamis in Indonesia, Sri Lanka, Africa, and other countries. All of these sad stories easily spread across the Internet, including heart-touching pictures.</p>
<p style="text-align: left;">These stories always touch the hearts of many. And this is exactly what bad guys take advantage of. In a previous post about <a href="http://www.securetoday.net/2008/12/protection-against-phishing/">Phishing</a>, we uncovered how it works. This is what these scammers are going to use again to exploit vulnerable people. So again, BEWARE of these scam emails asking for donations to help Haiti Earthquake victims. They can appear legitimate, but always ensure that you do not click on any link they provide.</p>
<p style="text-align: left;">The example below is a capture from <a href="http://www.avertlabs.com/research/blog/" target="_blank">McAfee&#8217;s blog</a> of what could be a similar scam email luring people into donating money to the scammers. This one is of French origin.</p>
<p style="text-align: left;">
<div id="attachment_173" class="wp-caption aligncenter" style="width: 462px"><a href="http://www.securetoday.net/wp-content/uploads/2010/01/email-scam-haiti.jpg"><img class="size-full wp-image-173" title="email-scam-haiti" src="http://www.securetoday.net/wp-content/uploads/2010/01/email-scam-haiti.jpg" alt="" width="452" height="660" /></a><p class="wp-caption-text">Haiti Scam email</p></div>
<p style="text-align: left;">Last week the United States FBI released an immediate <a href="http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm" target="_blank">warning</a> and reminder to Internet users to be very diligent and apply a critical eye when responding to emails asking for donations in the aftermath of the Haiti earthquake. I&#8217;ve outlined their guidelines below:</p>
<p style="text-align: left;"><span id="more-167"></span></p>
<p>&#8220;Before making a donation of any kind, consumers should adhere to certain  guidelines, to include the following:</p>
<div>
<ul>
<li>Do  not respond to any unsolicited (spam) incoming e-mails, including clicking  links contained within those messages.</li>
<li>Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.</li>
<li>Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.</li>
<li>Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.</li>
<li>Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.</li>
<li>Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.</li>
</ul>
</div>
<p>Anyone who has received an e-mail referencing the above information or anyone who may have been a victim of this or a similar incident should notify the IC3 via <a href="http://www.ic3.gov/" target="_blank">www.ic3.gov</a>.&#8221;</p>
<p>Protect yourself against scammers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Aurora &#8211; IE 0-day vulnerability</title>
		<link>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/</link>
		<comments>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 21:20:53 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[hydraq]]></category>
		<category><![CDATA[IE 0-day]]></category>
		<category><![CDATA[mcafee]]></category>
		<category><![CDATA[symatec]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=155</guid>
		<description><![CDATA[
The Aurora Borealis, or the Northern Lights, is a jaw-dropping, awe-inspiring vista to witness. I have not witnessed one but it&#8217;s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.
The Operation Aurora dubbed by McAfee to describe the very [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-medium wp-image-156  alignleft" title="alaska-aurora-borealis" src="http://www.securetoday.net/wp-content/uploads/2010/01/alaska-aurora-borealis-300x240.jpg" alt="Aurora" width="300" height="240" /></p>
<p><strong>T</strong>he Aurora Borealis, or the Northern Lights, is a jaw-dropping, awe-inspiring vista to witness. I have not witnessed one but it&#8217;s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.</p>
<p><a title="Operation Aurora" href="http://www.mcafee.com/operationaurora" target="_blank">Operation Aurora</a>, the name McAfee uses to describe the very recent Microsoft Internet Explorer zero-day vulnerability, is a &#8220;coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems.&#8221; It was used to exploit Google and 30 other companies, as previously reported. Last Friday, George Kurtz, McAfee&#8217;s CTO, said in his <a href="http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public/" target="_blank">Security blog</a> that the Aurora exploit used to attack Google in December is now public.</p>
<p>Any zero-day vulnerability is always a bad thing. Two weeks ago, one of my older computers crashed, and for all I know it could have been caused by this same exploit. While it has been a while since this vulnerability was discovered, Microsoft has yet to release an official patch.</p>
<p>The bad thing is, there are third-party patches out there that have been released to provide a temporary fix for this vulnerability. I would not really recommend installing these third-party patches since we don&#8217;t know what the ill effects will be in the long run. The good news is, Microsoft is going to release a patch tomorrow, January 21st. Read <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx" target="_blank">Microsoft&#8217;s Bulletin</a>.</p>
<p>To learn more about Operation Aurora from McAfee, watch the video from George Kurtz and the McAfee team <strong><a href="http://www.mcafee.com/us/threat_center/aurora_video.html?bcpid=62129012001&amp;bclid=61857746001&amp;bctid=62307287001">here</a></strong>.</p>
<p><span id="more-155"></span>On the other side, I believe Symantec calls this same vulnerability <a href="http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq" target="_blank">Hydraq</a>.</p>
<blockquote><p>Hydraq is a targeted attack. Through the exploitation of a vulnerability, it attempts to install a trojan on a specific computer that steals information from that machine. The trojan attempts to make contact with command and control servers in order to receive instructions and to upload any information that it may have collected. This type of attack is often called an <em>advanced persistent threat</em> because of the sophistication and persistence of the attack within a business.</p></blockquote>
<p>What I like about the page that Symantec provides is that they outlined 3 important things to protect yourself, which is really what I wanted to convey to everyone: not only home users, but also helpdesk support and even security professionals in their workplace.</p>
<ul>
<li><strong>Stay up-to-date with security patches</strong>. A zero-day vulnerability like this can wreak havoc and, even worse, cause the loss of your important data. So make sure that your OS, applications, and antivirus are all up-to-date. It&#8217;s a must.</li>
<li><strong>Complete security solution</strong>. Having antivirus, firewall, and even host intrusion detection software will spot these from the very beginning. Again, updated definitions or DAT files are as important as the software. Even if you have antivirus installed, if the signature definitions are outdated, it is useless. Get them updated.</li>
<li><strong>User awareness</strong>. This is one of the keys. Understanding even the basics of security and how important it is will give you an advantage. I like saying this a lot: &#8220;security is nothing until your computer is hacked and you lost all your data, then security is everything&#8221;.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP &#8211; Free trainings</title>
		<link>http://www.securetoday.net/2009/07/cissp-free-trainings/</link>
		<comments>http://www.securetoday.net/2009/07/cissp-free-trainings/#comments</comments>
		<pubDate>Tue, 14 Jul 2009 00:04:07 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=139</guid>
		<description><![CDATA[Studying to get your Certified Information Systems Security Professional (CISSP) certification from ISC2 is not a walk in the park. It requires that you have many years of experience in the world of Information Security. 
Its prerequisites include possession of a minimum of five years of professional experience in the information security field or four years plus a [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-140" title="cissp" src="http://www.securetoday.net/wp-content/uploads/2009/11/cissp-150x150.jpg" alt="cissp" width="150" height="150" /><strong>S</strong>tudying to get your Certified Information Systems Security Professional (CISSP) certification from <a href="http://www.isc2.org">ISC2</a> is not a walk in the park. It requires that you have many years of experience in the world of Information Security. </p>
<p>Its prerequisites include possession of a minimum of five years of professional experience in the information security field, or four years plus a college degree. Or, an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement. Then, after passing the 250-item exam in six hours and complying with the ISC2 Code of Ethics, you still have to be endorsed. Please visit the ISC2 website for more information.</p>
<p>I posted this because I want to share some useful links for you professionals out there who are thinking about or studying for the CISSP. SearchSecurity with Shon Harris goes over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10 free quizzes.</p>
<p><a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328285_mem1,00.html" target="_blank">Domain 1: Security Management Practices</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1323052,00.html" target="_blank">Domain 2: Access Control</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328960,00.html" target="_blank">Domain 3: Cryptography</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328985,00.html" target="_blank">Domain 4: Security Models and Architecture</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329221_mem1,00.html" target="_blank">Domain 5: Telecommunications and Networking</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329573,00.html" target="_blank">Domain 6: Application and System Development</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329596,00.html" target="_blank">Domain 7: Business Continuity &#038; Disaster Recovery</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329632,00.html" target="_blank">Domain 8: Law, Investigations and Ethics</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1057452,00.html" target="_blank">Domain 9: Physical Security</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1064650,00.html" target="_blank">Domain 10: Operations Security</a></p>
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/07/cissp-free-trainings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Proceed at your own RISK</title>
		<link>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/</link>
		<comments>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/#comments</comments>
		<pubDate>Sun, 26 Apr 2009 16:16:01 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=90</guid>
		<description><![CDATA[RISK is a very common word. In the IT world, it is used more and more, not only within management circles but also down to the end users. Risk is a big deal when it comes to security. More often than not, it is tied to a value or, even worse, reputation. That&#8217;s why when [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-91" title="risk" src="http://www.securetoday.net/wp-content/uploads/2009/07/risk.jpg" alt="risk" width="620" height="152" /><strong>RISK </strong>is a very common word. In the IT world, it is used more and more, not only within management circles but also down to the end users. Risk is a big deal when it comes to security. More often than not, it is tied to a value or, even worse, reputation. That&#8217;s why, when it comes to managing it, the most important aspect everyone should adhere to is senior management awareness and approval.</p>
<p>Let&#8217;s dive into the meaning of the word risk in the IT Security world. The simplest way of putting it is:</p>
<blockquote>
<p style="text-align: center;"><strong>THREAT + <span style="color: #008000;">VULNERABILITY</span> = <span style="color: #ff0000;">RISK</span></strong></p>
</blockquote>
<p><em>A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.</em> (All-in-One CISSP, Risk Management; Shon Harris). Before expanding that meaning, let&#8217;s take a look at what threats and vulnerabilities are.</p>
<p>A threat, as we all know, is any potential danger. Threat agents are the medium that carries out the threat. So a threat is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to deface it or to cause denial of service. In this case, I am a threat agent. My inappropriate actions are a threat to this website.</p>
<p>The site&#8217;s buggy code is subject to exposure, that is, an instance of being exposed to losses from a threat agent.</p>
<p>A vulnerability is a weakness in the infrastructure. A weakness is always represented by an absence or lack of the ability to safeguard itself. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.</p>
<p>Safeguards were mentioned earlier. A safeguard is the countermeasure that must be in place to prevent and mitigate the potential risk. Mitigating risk comes in many flavors, which we&#8217;ll try to cover in brief detail later.</p>
<p>So in brief, the order of concepts for all of these is:</p>
<blockquote><p><strong>Threat &gt; Exposure &gt; Vulnerability &gt; Countermeasure/Safeguard &gt; Risk</strong></p></blockquote>
<h2>RISK MANAGEMENT</h2>
<p>Risk Management involves Risk Identification, Risk Analysis and Assessment, and Risk Mitigation. This is the process in which a designated group (most likely the Risk Management team) identifies the risk (threats and vulnerabilities), analyzes it, and mitigates it to an acceptable level. The goal is to implement countermeasures that reduce the risk to a level that is acceptable to the security policy.</p>
<p><span id="more-90"></span>Identifying potential risks starts with identifying vulnerabilities. Various vulnerability assessment tools are out there to help security professionals undertake this rigorous task. Assets must be properly identified in this area. On the other hand, another set of assets, the users, lack understanding of threats in particular and of security in general. So keep in scope that the users are, unfortunately, the weakest link in security, and that their lack of knowledge is also a risk. Having users understand the scope of the security policy is a must.</p>
<p>After identifying vulnerabilities and threats, it&#8217;s time to quantify or qualify them. The Quantitative or Qualitative Risk Analysis approach can be selected depending on the nature of the assets. Quantitative analysis is a risk calculation in which monetary values are assigned to assets. Qualitative analysis works by judging the intrinsic value of an asset.</p>
<p>Risk mitigation comes in after analyzing the risk. This is when you decide what to do with the risk based on the value of the asset and the actual loss if it is exposed. As a general rule, it is not recommended to spend more to protect an asset than it is worth. So if the cost to mitigate the risk outweighs the value of the asset, it is better to accept the risk than to spend more than the asset is worth. Next, let&#8217;s cover the different options for deciding how to mitigate these risks.</p>
<h2>It&#8217;s too risky, are you sure?</h2>
<p><strong>RISK ACCEPTANCE</strong>.<em> Well, let&#8217;s just accept the risk</em>. This is when you decide to accept the risk, do nothing about it, and choose to live with it. The reason is that the cost to mitigate it is too high and the impact is too low. For example, if the cost of putting an IDS (Intrusion Detection System) in an environment is too high for the value of the total potential loss there, it may be safe just to accept the risk.</p>
<p><strong>RISK AVOIDANCE</strong>. <em>I wanna avoid the risk, let&#8217;s go somewhere else.</em> This is when management decides not to continue with the activity that is introducing the risk. For example, if users use a particular email client that poses many risks, management can choose to mandate that its use stop if there is not enough business need. They can work around this by using a different email client that carries fewer risks.</p>
<p><strong>RISK REDUCTION</strong>. <em>Okay, let&#8217;s implement what you were suggesting.</em> This is when you decide that a countermeasure will reduce the loss if an event occurs. This is the real risk mitigation. Earlier, users were mentioned as the weakest link because of their lack of knowledge. A countermeasure for this is proper awareness and training. This approach will reduce the level of risk to a level acceptable to the business. Implementing firewalls, IDS where needed, and antivirus are good risk reduction approaches.</p>
<p><strong>RISK TRANSFERENCE</strong>. <em>This is too much for me now, let&#8217;s give it to someone else.</em> This is when management chooses to transfer the risk to somebody else. A good example is buying insurance to handle the risk for you. Instead of you taking care of the risk, the insurance company will take care of it for you.</p>
<p><strong>RISK IGNORANCE</strong>. <em>Ignore it? Are you sure?</em> This is tricky. While it sounds easy and very tempting, this is NOT an acceptable risk mitigation strategy. Don&#8217;t ignore any risk; after all, risk is sometimes spelled RI$K.</p>
<p>Risk Management is important in Security. In an enterprise, where there are many different assets, it can be very challenging. But the concept is relatively straightforward. In our homes, or for everyday computer users, it may take a different form and pose different challenges. The gist of it is that risk equates to value. And value has a cost. You need to do something to protect that value so that it is not compromised or lost.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding PHARMING</title>
		<link>http://www.securetoday.net/2009/03/understanding-pharming/</link>
		<comments>http://www.securetoday.net/2009/03/understanding-pharming/#comments</comments>
		<pubDate>Wed, 18 Mar 2009 00:18:47 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[cache poisoning]]></category>
		<category><![CDATA[DNS spoofing]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[pharming]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Wall of Sheep]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=66</guid>
		<description><![CDATA[A follow-up on my previous entry about Phishing, here comes another threat on the Net &#8211; Pharming. As discussed earlier, phishers bait potential users with genuine-looking email to convince victims to take action that exposes critical or personal information. A typical example is an email requesting you to update your password or provide [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-79" title="pharming" src="http://www.securetoday.net/wp-content/uploads/2009/07/pharming-300x200.jpg" alt="pharming" width="300" height="200" />A follow-up on my previous entry about <a title="Protection Against Phishing" href="http://www.securetoday.net/2008/12/protection-against-phishing/">Phishing</a>, here comes another threat on the Net &#8211; Pharming. As discussed earlier, phishers bait potential users with genuine-looking email to convince victims to take action that exposes critical or personal information. A typical example is an email that requests that you update your password or provide your bank account information, or asks you to click on a link to update your data. Be aware that banks do not email their customers asking them to change their password or provide their PIN or confidential data. They have better and more secure communication channels to acquire those.</p>
<p>But here comes the joy, or the trouble in this case. Pharming attacks usually do not require convincing emails. Pharming also has wider coverage than phishing. While phishing tricks victims using genuine-looking emails or links, pharming goes deeper underground in planting a seed for its farm, err, pharm?</p>
<h2>Pharming cultivation</h2>
<p>The technique used in Pharming is not new. In fact, it has been around for a long time. The difference, however, is the intention. They want your identity or data. Pharming relies on attacks against DNS (Domain Name System) such as cache poisoning, spoofing, and hijacking. Let&#8217;s see how this works.</p>
<div id="attachment_80" class="wp-caption aligncenter" style="width: 630px"><img class="size-full wp-image-80" title="pharming-works" src="http://www.securetoday.net/wp-content/uploads/2009/07/pharming-works.jpg" alt="How Pharming Works" width="620" height="410" /><p class="wp-caption-text">How Pharming Works</p></div>
<ol>
<li>An attacker exploits vulnerabilities of a DNS server. Using crafted responses or by taking advantage of a vulnerability, an attacker can poison the DNS cache and change valid entries. Internally, a disgruntled engineer can even manipulate the host lookup on these servers. Externally, attackers can take advantage of operating system vulnerabilities.</li>
<li>A user wants to go to the website securetoday.net and enters it in the browser.</li>
<li>The user&#8217;s computer queries the DNS to resolve the site. The poisoned DNS resolves the site to the nefarious fake website, and the user is redirected to securetodat.net.</li>
<li>The user, unaware of what happened, thinks he is on the correct website.</li>
</ol>
<p>Of course, the fake website has to be designed to look as close as possible to the real one in order to convince the victims that they are on the correct website. On the website, the attackers can ask the user to log in, provide confidential information, and more.<br />
<span id="more-66"></span><br />
<h2>Wall of Sheep</h2>
<p>I will discuss the actual meaning of Wall of Sheep in a separate article. For now, let me relive one of the cool projects we did back in our college days. The Wall of Sheep was our final project in our &#8220;Hacker Tools and Techniques&#8221; class. My buddy <a title="Will Caput" href="http://www.facebook.com/william.caput" target="_blank">Will Caput</a> and I took advantage of iWhack, an (old and already decommissioned) distro of Knoppix. I think it has been integrated with <a title="BackTrack" href="http://www.remote-exploit.org/backtrack.html" target="_blank">BackTrack</a> now.</p>
<p>Using the DNS redirect/spoofing program built into the Knoppix, we were able to take advantage of our existing DNS server at school and redirect traffic. We configured it to redirect traffic for the email functions of Yahoo, Hotmail, and AOL. I developed three local virtual sites on my laptop running Apache that were identical in look and feel to the Yahoo, Hotmail and AOL email pages. Behind the login page was the code where I stripped off the email address and password, saved them in a database, and exported them to the Wall of Sheep.</p>
<p>Users who logged in to these fake pages would get an invalid error message on the first try. Behind the scenes, my code was actually stealing their information. They were then redirected to another local page on my Apache server. The DNS-redirect program knew this page and ignored it, and then redirected them to the actual Yahoo or Hotmail login page. Cool?</p>
<p>The Wall of Sheep was viewed by everyone in our class during the project presentation, but it had been running for a few days. It listed actual compromised emails. We did not display their passwords, for their protection, but we kept them to use in exchange for something. Like their watch or backpack. Just kidding.</p>
<p>The example above is a type of Pharming. We took advantage of the DNS traffic by intercepting traffic from the wire (non-switched environment) and redirecting all queries to our rogue DNS, where we explicitly defined which addresses to redirect and to where.</p>
<p>The virtual sites I created are the fake websites that fool victims into thinking they are on the correct website, only to find out that they weren&#8217;t and are instead now being viewed on the Wall of Sheep in class. I think we got an A in that class?</p>
<h2>Any advice for users?</h2>
<ul>
<li>As I mentioned in my Phishing article, one of the best ways to counter this is awareness. By understanding and learning how these attacks work, you can add extra caution to your day-to-day work, simply by sorting your emails into trusted and not trusted. If it sounds too good to be true, watch out! It may sound too good to be true, but come with a catch. That catch might be the big fish that phishers have been waiting for.</li>
<li>Installing anti-virus is a must. You should not be reading this article (I really mean surfing the Internet) without the latest, up-to-date antivirus software. It is not really expensive compared to the loss you can suffer if you are compromised.</li>
<li>Installing anti-spyware programs can also help: they check whether any such programs are running on your computer, and some can even monitor for phishing attacks in real time. I&#8217;ve tried <a title="AdAware" href="http://www.lavasoft.com/?domain=adaware.us" target="_blank">AdAware</a> and <a title="Spybot S&amp;D" href="http://www.safer-networking.org/" target="_blank">Spybot S&amp;D</a>. The new Windows Defender is also good. As with anti-virus, anti-spyware programs need to be updated with the latest definitions. Running one that is out of date is as good as not having one.</li>
<li>Most, if not all, browsers today support, or even come with, a built-in site checker. The new Internet Explorer comes with this feature to check whether the site you&#8217;re accessing is safe or not. McAfee&#8217;s Site Advisor is also a good program you can install in your browsers. It may cost a little performance, but it helps you detect in real time whether the site you are about to access is bad.</li>
<li>Also, most users ignore these, but check the Security Alerts that pop up when you are accessing an SSL-enabled site (https://). Check whether they say you are on the wrong site or that the site certificate has expired. These certificates prove that the website is who it says it is, so don&#8217;t just ignore those alerts. Check whether the site certificate is invalid. It could mean that it is not a trusted site, and I don&#8217;t encourage you to proceed.</li>
</ul>
<p>So in our world, we thank our Farmers for doing their best to give us the food we eat on our tables. But in our IT Security world, watch out for those &#8216;pharmers&#8217;; they want to scrape the food off your table.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/03/understanding-pharming/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Phishing extended</title>
		<link>http://www.securetoday.net/2009/01/phishing-extende/</link>
		<comments>http://www.securetoday.net/2009/01/phishing-extende/#comments</comments>
		<pubDate>Mon, 12 Jan 2009 06:17:55 +0000</pubDate>
		<dc:creator>Anand Harikrishnan, CEH</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=45</guid>
		<description><![CDATA[Phishing comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users. And the term phishing was derived since hackers have a tendency to replace “f” with “ph”.
In the internet world, a phishing attempt originates when a malicious user forges a website pretending [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>Phishing comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users. And the term phishing was derived since hackers have a tendency to replace “f” with “ph”.</p></blockquote>
<p>In the internet world, a phishing attempt originates when a malicious user forges a website pretending to be your trusted site in order to steal personal information (user name/password/sensitive information). Those of us who blindly trust “emails from unknown sources” or “receive unknown links in IMs” become easy prey to such fraudulent attempts at identity theft. The motives behind such attempts are mainly financial benefit, easy money, access to sensitive information, wide-spread marketing, causing damage, etc. Any internet user who has an instant-message ID or email address can be at risk of being phished. Yes, this is one of the fastest growing problems on the internet, causing billions of dollars of damage every year.</p>
<p>ISPs play an important role in protecting their users from phishing attempts. Also available on the market are anti-phishing tools, browser add-ons that protect against phishing, etc. But the main responsibility lies with educating users in the <span style="color: #000080;"><strong>&#8220;safe clicking&#8221;</strong></span> practice.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/01/phishing-extende/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protection against Phishing</title>
		<link>http://www.securetoday.net/2008/12/protection-against-phishing/</link>
		<comments>http://www.securetoday.net/2008/12/protection-against-phishing/#comments</comments>
		<pubDate>Fri, 05 Dec 2008 20:46:29 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[access control]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[phising]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=25</guid>
		<description><![CDATA[
PHISHING is a social engineering technique, which means tricking someone into believing something other than what is really the case, with the express purpose of obtaining personal information, credit card information and credentials.
The word phishing has been around since 1996. It was originally coined by hackers who started stealing AOL passwords by posing as [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-medium wp-image-49 alignright" title="phishing2" src="http://www.securetoday.net/wp-content/uploads/2008/12/phishing2-300x217.jpg" alt="phishing2" width="300" height="217" /></p>
<p><strong>PHISHING</strong> is a social engineering technique, which means tricking someone into believing something other than what is really the case, with the express purpose of obtaining personal information, credit card information and credentials.</p>
<p>The word phishing has been around since 1996. It was originally coined by hackers who started stealing AOL passwords by posing as a staff member and sending email messages to victims asking them for their account information to verify their billing information and other information about their AOL accounts. The attackers lure, or fish for, the victims. This is how the word phishing began.</p>
<p>Although this social engineering technique has been around since the &#8217;90s, it did not become popular until mid-2003. Phishing attackers, also called <em>phishers</em>, create very convincing emails requesting victims to click on links to update their account information. These emails and the websites they redirect to look very similar to the actual website. They are convincing enough that a typical user would not spot the differences.</p>
<p>One of the tricks these phishers use is to ask you to click on a link inside the email that is almost the same as the actual website&#8217;s address. For example, if you have an account with Bank of Alaska and their website is bankofalaska.com, they would create a site with a name something like backofalaska.com. Or they would place an @ symbol in the link, like bankofalaska.com@oursite.com. In a URL, whatever comes after http:// and before the @ sign is treated as a username. The actual website is <em>oursite.com</em>, which is a bad site. Depending on the way the site is written, the username can be ignored if it is not required.</p>
<p><span id="more-25"></span>Nowadays, phishers have developed many newer techniques for luring potential victims into their trap. Some smart developers have found ways to write JavaScript that hides their actual URL or web address and shows something else. So if someone checks the web address, it shows bankofalaska.com, but the script is actually hiding the real phishing site. Newer browsers should be able to detect these and warn you.</p>
<p>Other attacks come in the form of pop-ups and the exploitation of cookies. Phishers who have developed code to detect whether you are visiting, say, your bank account will automatically trigger a pop-up window that appears to come from your real bank. Unknown to you, it was generated by the pop-up script. That pop-up dialog window would then ask you for your personal account information and other important things.</p>
<p>Phishing is still rising and staying on top. The <a title="APWG Q1 2008 Phishing Report" href="http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf" target="_blank">Q1 2008 report from APWG</a> (www.anti-phishing.org) shows there was still an average of 30,000 unique URLs in that quarter&#8217;s report.</p>
<p>One of the countermeasures that we really need to start with ourselves is &#8220;self-awareness&#8221;. There are small things that we can do to protect ourselves from phishing, such as not clicking on, or even opening, emails that come from an unknown sender. Even if someone you know emails you a link, it is better to copy the URL and access it manually. Links in the email may direct you somewhere else. And as always, <strong>DO NOT</strong> believe emails asking you to update your account information or asking you for a password, or even telling you that they will send you money to transfer from an African bank. These are all scams. It is a rule of thumb not to give out your password or critical account information via email or to anyone who asks you for it.</p>
<p>Next time, I will extend the discussion of phishing to a wider scope, such as attackers redirecting you to what appears to be legitimate, yet is fake, using a technique such as DNS poisoning. This is also called <strong>PHARMING</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2008/12/protection-against-phishing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
