Archive for USB security

Data Security Podcast Episode 53 – May 18 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Podcast, Vulnerabilities, web server security on May 17, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: One web malware variant overtakes all others; smart cards INSIDE MiniSD for two-factor auth via cell phone. And, our take on this week’s news.

–> Stream, subscribe or download – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

–> Stream, subscribe, or download via our page at Podcast.com.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software.  If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com . Also sponsored by  DeviceLock Removable Media Security Software.

The Show Notes Page for this week’s The Data Security Podcast

Combining smart cards and memory on a MiniSD for two factor ID

–> Ira has a conversation with William Holmes, of Go Trust. They have developed technology to merge smart cards with MiniSD memory. This technology can be used to make rather smart two-factor authentication. Go Trust is looking for people that want to develop applications that leverage this new security technology.

–> Tales From The Dark Web: According to Graham Cluley’s blog at Sophos, the malicious JSRedir-R script was found to be the biggest malware threat on the web, at least for the next 15 minutes.

–> Be sure to read a new feature on our web site: Lame Excuses, the dumb statements by people who should have been responsible for securing information.  A new entry was added this week, and we welcome your contributions.

–> From The News: The Federal Computer Week story,  Homeland Security Information Network suffers intrusions.

–> From The News: U.S. attorney’s office tells employees not to log on to Drudge Report, as reported by Jonathan Martin at POLITICO.com.

Data Security Podcast Episode 46 – Mar 30 2009

Posted in Breach, darkweb, Vulnerabilities on March 29, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: New broadband gear botnet; what will happen with Conficker on April 1st? And the week’s news.

–> Stream, subscribe or download Episode 46 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 46 of The Data Security Podcast

- From The News: NASCIO publication mentioned by Samantha, in her story on security and the stimulus plan.

- From The News: Ransomware attacks mentioned by Ira. See FireEye’s blog posting on the topic for more details, including how to decrypt files without paying the Dark Web’s ransom.

- From The News: RSPlug-F Mac Trojan horse distributed via HDTV website. See the video of an attempted attack. No such thing as malware for the Mac, eh?

- Tales From The Dark Web: New psyb0t malware targets certain Linux broadband networking equipment. DroneBL has extensive information; scroll down to a post by Crichton for instructions on how to apply defence-in-depth security to networking gear that does not allow you to change factory default usernames. Unfortunately, many gear makers fall into that category. One also needs to update firmware on networking gear, not just on desktop PCs, servers and handheld devices.

- Conversation: Ira talks with Paul Royal of PureWire Security about Conficker and what might or might not happen on April 1st, 2009.

- Wrap Up: Lauren buys a PC. Comments are from the YouTube post, not from the Data Security Podcast.

Data Security Podcast Episode 41 – Feb 23 2009

Posted in criminal forensics, darkweb, Podcast, Vulnerabilities on February 22, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Conficker sequel hits hard; demand for computer forensics training soars, and the SANS Institute fills the gaps; plus, this week’s news.

–> Stream, subscribe or download Episode 41 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 40

- From The News: Adobe PDF Zero Day. We suggest that you delete Adobe PDF Reader and install a non-Adobe PDF reader. Try PdfReaders.com, and the LostInTechnology.com blog, for alternatives to Adobe PDF readers. Read details on the threat at the Shadowserver.org site, including how to disable JavaScript in Adobe PDF Reader. Here are the instructions for a GPO to disable Adobe PDF Reader JavaScript.

- From The News: Nigerian 419 scams are more complex than you might think. One example, from the Salt Lake Tribune: Nigerian web scam bilked Utah out of $2.5M. And, there is this excellent article at 419Eater.com that includes an analysis of some of the variations and motivations of these “poor people who are just trying to get by” when they steal and defraud innocent people of millions of dollars/euros/pounds/yen.

419Eater.com Counter-Scam Site

- Tales From The Dark Web: Conficker / Downadup strikes back... a newer, stronger variant is out. See details in this blog posting by Ira Victor.

- Conversation: Ira Victor talks with Rob Lee, computer forensics Grand Poobah of The SANS Institute computer forensics program , and the SANS Forensic Blog.

Conficker Worm / Downadup Worm: New Variant By-Passes Some Countermeasures

Posted in darkweb, Vulnerabilities on February 22, 2009 by datasecurityblog

From the Spy vs. Spy Department….

There is a new variant of the Conficker / Downadup worm on the loose. It has new elements designed to circumvent some of the countermeasures to the original attack.

To recap, Conficker-infected machines can contain key loggers, launch denial-of-service attacks and can become part of a botnet. The worm can spread through USB devices and network shares. Latest reports are that millions of computers are infected.

Conficker B++ uses new techniques to attack systems, giving its creators more flexibility with compromised systems. Some admins have minimized the impact of Conficker by carefully controlling DNS and routing, to prevent the Conficker worm from contacting the mother ship.

The new variant appears to skip the need to contact a mother ship. You may read a detailed report of the new variant in this excellent SRI report. Countermeasures like stronger network passwords and USB control software are still effective means of mitigating Conficker B++.

Some have opined that it is sufficient to turn off autorun on USB to stop the spread of the original Conficker. That tactic ignores the fact that there are reports that some variants of Conficker re-enable autorun. Others try to protect USB by disabling the ports through Active Directory group policy. That solution ignores the reality that an exception list starts to build for those that need access to certain USB ports.

The best solution I have found is to deploy third-party software that has granular controls for all removable media ports; shadow-copies the files that are moved, for audit purposes; and deploys as a group policy object, rather than through a separate control panel.

Data Security Podcast Episode 39 – Feb 9 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities, web server security on February 8, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Using DNS to neuter Conficker/Downadup; a new, free VPN helps secure RDP and wireless; evil traffic “cops” give tickets with malware; and, this week’s news.

–> Stream, subscribe or download Episode 39 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

Program Notes for Episode 39

- From The News: Withinwindows.com blogger Rafael Rivera scores a victory in the battle to lock down UAC.

-From The News: Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers

Evil parking “cops” spread malware

- Tales From The Dark Web: Malware attacks via fake parking tickets.

- Tales From The Dark Web: OpenDNS will block outbound botnet connections to the Conficker/Downadup master. Blocking works for both free unregistered and free registered users. You can set your computer’s DNS settings, or your router/firewall/UTM DNS settings, to these IP addresses to start using OpenDNS right away: 208.67.222.222 and 208.67.220.220.

- Conversation: Ira Victor speaks with Egeman Tas, the Senior Research Scientist with Comodo Security, about a free VPN application he is working on. This app is a peer-to-peer application to make VPNs easy, and yes, free. If you are using RDP, WiFi in a public hot spot, or other relevant applications, you need to use a VPN. The software is still in beta. It’s only for Windows at this time, but Egeman reports that Mac and Linux versions are in the works.

- Wrap Up: Congressman Twitters an Iraq security breach, revealing details of his location in Iraq. Hoekstra’s spokesman Dave Yonkman said, “We never agreed to anything as far as not discussing it (beforehand) or during…Congressman Hoekstra believes in giving people in West Michigan as much information as possible.”

Data Security Podcast Episode 38 – Feb 2 2009

Posted in darkweb, ediscovery, Podcast, Vulnerabilities on February 1, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: It’s the Obama Worm… Yes We Can! Is there a huge hole in Windows 7, and why does Microsoft call it a feature? Plus, this week’s news.

–> Stream, subscribe or download Episode 38 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System. Be sure to listen to the show for a special discount for Data Security Podcast listeners.

Program Notes for Episode 38

- From The News: Patty “Identical Cousins” retires. You can watch the video here. Then watch a general video about online Social Security services, and how secure their systems are, here.

- From The News: Wall Street firm The Blackstone Group gets sued by the Financial Times Online. The FT alleges that Blackstone bilked them out of subscriptions by sharing one (weak) password for the paid area of the FT site with scores of users. The NY Post has this satirical look at the story:

Blackstone Group vs. The Financial Times in password dispute

- Tales From The Dark Web: Ira speaks with Rafael Rivera of the WithinWindows.com blog about a potentially huge hole in Windows 7 User Account Control (UAC). But, Rafael says that Microsoft considers the hole a feature, and without pressure, the hole could be included in the full Windows 7 release.

- Si se puede! Yes we can name a worm for the President of the United States. Ira speaks with Rob Koliha of Walling Data about The Obama Worm. Like Conficker, this worm attaches itself to USB removable media, and can disable attempts to stop autorun and anti-virus, according to Mr. Koliha. Here is a snapshot Rob grabbed of an infected system:

Si Se Puede! Yes We Can!

Attention Linux users: Open Source users can also use Rhythmbox to listen and subscribe to this podcast. Rhythmbox is a music management application designed for the GNOME Desktop. Many Linux distros include Rhythmbox, so check your system. Once you launch Rhythmbox, select the Subscribe to New Podcast icon in the top tool bar, and use this URL when prompted: http://feeds.feedburner.com/datasecuritypodcast . Thank you to the guys at the Red Hat booth at GTC Southwest in Austin for the tip!

Data Security Podcast Episode 37 – Jan 26 2009

Posted in darkweb, Podcast, Vulnerabilities on January 25, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: Heartland Processing breach impacts over 100 million; what went wrong? Two new Mac threats. And, this week’s news.

–> Stream, subscribe or download Episode 37 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 37

- From The News: Medical ID Theft Final Report, part of Congress’ new efforts to appropriate funds for Federally-mandated, centralized electronic medical records.

- From The News: In a story related to our coverage of the Conficker worm, and the Congressional medical database story, The Register is reporting, “Conficker seizes city’s hospital network.” Comment from Ira: “This story illustrates that Conficker is exposing much larger security issues on corporate networks, as I discussed in last week’s conversation I had with Randy Abrams, of ESET Anti-Virus.” See Data Security Podcast Episode 36 for that conversation.

- Tales From The Dark Web: Ira speaks with David Hoelzer about the 100 million credit card breach at Heartland Processing. Heartland claims they are PCI-DSS compliant. So, how can this happen? Read David’s blog posting on the topic at the IT and Security Auditing Resources from the SANS Institute.

- Mac Attacks: New Mac attacks that are harder to uncover.

Cleaning Up Conficker / Downadup Mess, and Reducing the Odds of Getting Stung

Posted in darkweb, Vulnerabilities on January 23, 2009 by datasecurityblog

As of this writing, Conficker/Downadup continues to spread. Latest reports are that there are over 9 million systems infected so far. This posting provides more details on the attack, how to know if you have been hit, and suggestions for clean-up if you think you are a victim. There will be more coverage of Conficker/Downadup in Episode 37 of the Data Security Podcast, which will post Sunday night.

First, some important background.

According to anti-virus experts, there are a number of factors that make this attack different from other recent malware attacks. First, there are three methods of infection:

1. USB devices: thumb drives, photo frames, MP3 players, PDAs, plug-in “chip” readers, OR
2. System accounts not protected by very strong passwords, OR
3. One system on a network not having the latest patch, either by poor planning, OR by the malware turning off updates without an administrator’s knowledge

Second, the attack appears to have a high degree of morphing, making it very difficult to locate and kill. If just one unpatched laptop connects to your network, or just one wrong USB device is plugged in, you could get hit.

Third, according to the AV experts, the attack itself may be a precursor to a larger attack. Reports are that the worm is designed to send data to remote servers, using hundreds of possible domains, with new domains being created at a high rate.

With such a complex attack, you want to make sure that ALL Win2k, XP, and Win2k3 systems have the patch “MS08-067” from Microsoft applied. For many, Windows Update will apply this patch. But, there are reports that the worm will quietly shut this service down. So, you want to double-check to make sure you are patched.

There are two ways to do that. You can use a patch checking tool. Secunia makes free tools that can be used by business networks and home users. Just visit this link: http://secunia.com/vulnerability_scanning . There is a bonus for using a tool like Secunia: many systems have out-of-date third-party applications, like Adobe Flash, Java, or iTunes, and attackers are counting on systems missing these critical patches to launch attacks. This would be an excellent time to update all software, not just Windows.

Or, you can launch Microsoft Internet Explorer -> Tools -> Windows Update -> Review your update history -> go back through your patches and look for KB958644 in your update history. Many systems were updated before January, and you may need to go back to October or November’s patches, depending on your system. If you see KB958644, you are patched.

Since the worm spreads via removable media (USB, CD, Firewire), I suggest that you get DeviceLock security software to control all removable media. Many reports I have read on this attack are overly focused on disabling Windows autorun on USBs to stop part of the attack. But that won’t protect against certain versions of this attack that, according to reports, trick users into executing (“clicking on”) the malware when the USB dialog box appears after a device is plugged into a Windows computer. While this attack is called a worm, in reality it appears to be a blended threat, with behaviors of both worms and viruses, according to reports. Disclosure: DeviceLock has been an advertiser on the Data Security Podcast in the past. I have recommended the software for a long time, actually, long before the invention of podcasting. Why? DeviceLock has granular controls, excellent logging, key logging detection, native group policy support, and supports open source encryption. And, it’s very inexpensive.

The worm also attacks weak passwords. You want to “upgrade” all passwords on your network to strong passwords. With current computing technologies, that now means 15 characters or more (20+ is better), with upper- and lower-case letters, numbers and punctuation. Think pass phrase, rather than password. People resist doing this, and the bad guys are counting on it.

Let’s move on to the indications, according to Microsoft, that your systems have been hit by Conficker/Downadup:

“If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.

* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.

* Domain controllers respond slowly to client requests.

* The network is congested.

* Various security-related Web sites cannot be accessed.”

And more from Redmond on how to clean up the mess once you have been hit: “The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:

http://www.update.microsoft.com

http://support.microsoft.com/kb/890830
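Added example, not code from this blog or from Microsoft: a read-only Windows PowerShell check that walks through the same things the posts tell you to look for by hand, namely KB958644 in the update history, the services Microsoft lists as disabled on an infected host, and the autorun policy that the Conficker B++ post warns some variants re-enable. It assumes Windows PowerShell 2.0 or later running elevated on the host being checked; the function name Test-ConfickerIndicators and the short service names in the table are my own choices.

```powershell
# Added example (not the blog's or Microsoft's code). Read-only: it changes nothing.
# Assumes Windows PowerShell 2.0+ running elevated on the host being checked.
function Test-ConfickerIndicators {
    $indicators = @()

    # 1. MS08-067 ships as KB958644; Get-HotFix reads the same update history
    #    the post tells you to scroll through in Windows Update.
    $patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if (-not $patch) {
        $indicators += 'KB958644 (MS08-067) not installed: patch before cleaning'
    }

    # 2. Services Microsoft lists as disabled on an infected host. Short names
    #    assumed here: wuauserv = Automatic Updates, BITS, WinDefend = Windows
    #    Defender, ERSvc (XP/2003) or WerSvc (Vista and later) = Error Reporting.
    $watch = @{
        'wuauserv'  = 'Automatic Updates'
        'BITS'      = 'Background Intelligent Transfer Service'
        'WinDefend' = 'Windows Defender'
        'ERSvc'     = 'Error Reporting Service (XP/2003)'
        'WerSvc'    = 'Windows Error Reporting Service (Vista and later)'
    }
    foreach ($name in $watch.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }   # service not present on this Windows version
        if ($svc.StartMode -eq 'Disabled') {
            $indicators += "$($watch[$name]) [$name] is Disabled"
        }
    }

    # 3. Autorun policy. 0xFF in NoDriveTypeAutoRun turns autorun off for every
    #    drive type; anything else leaves it at least partly on. Re-run this
    #    after cleanup, since the B++ post notes some variants switch it back on.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.NoDriveTypeAutoRun -ne 0xFF) {
        $current = if ($item) { '0x{0:X}' -f $item.NoDriveTypeAutoRun } else { 'not set' }
        $indicators += "NoDriveTypeAutoRun is $current (expected 0xFF)"
    }

    return ,$indicators   # leading comma keeps an empty result as an array, not $null
}

$found = Test-ConfickerIndicators
if ($found.Count -eq 0) {
    Write-Output 'No indicators found by this check (which does not prove the host is clean).'
} else {
    Write-Output 'Indicators found:'
    $found | ForEach-Object { Write-Output " - $_" }
}
```

A clean result here only means the three checks above passed; the MSRT run described above is still the cleanup step, and a disabled service or a reset autorun value after cleanup is a reason to look again.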

As I have talked about in previous postings on this topic, if you are worried about being vulnerable to this attack, you probably have much larger security issues.

When was your organization’s last security audit?

Are you running intrusion prevention AND anti-virus at the gateway? I have found many network administrators who say YES to that, but upon audit, they are only running intrusion prevention at the gateway, and they are depending on one AV vendor that protects both servers and desktops. The bad guys are counting on that! A multi-vendor, multi-layered IPS and AV approach is what many networks need.

Are you running data loss prevention (DLP) hardware to detect outbound data loss? Firewalls protect from inbound connections; what measures do you have in place to detect outbound data transfers on all ports (mail, http, https, ftp, and other ports)? If you don’t know what DLP is, find out fast.

Are you encrypting laptop hard drives? TrueCrypt has an excellent, free open source solution. Are you logging all events on a dedicated logging server? Are you encrypting your backups and storing them off-site? Are you deploying virtual machines with security as a focus, not an afterthought?

This is just a partial list. The point is, now is the time to look at your security posture again. Conficker/Downadup is just an indicator of how much work remains to be done to secure our information assets.

According to Randy Abrams, at ESET Anti-Virus, the really scary attacks don’t usually make the headlines as they are growing. You may only know long after the data is gone. Just ask the people at Heartland Processing, who just announced the breach of over 100 million transactions. But that incident is for another posting, or for a podcast.

Data Security Podcast Episode 36 – Jan 19 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities on January 18, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week’s program: WPA WiFi encryption might not be so secure, as ElcomSoft shows off a new WPA audit tool. Will the Conficker worm be the worst worm ever? Some don’t think so. And, this week’s news.

–> Stream, subscribe or download Episode 36 – Listen or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 36

- From The News: The Daily Background blog outlines possible integrity attacks by Belkin. In a related posting, The Reputation Advisor Blog speculates about how members of the Dark Web will spike reputations in concerted integrity attacks.

- Also from The News: Seagate recalls hard drive firmware. Read more on the Seagate site, and where to email them and request a patch. More about the related class action lawsuit regarding these failures, from the law firm of Kabatek, Brown and Kellner LLP.

- Tales From The Dark Web: Elcomsoft Wireless Security Auditor can be used to audit and crack WPA WiFi encryption using off-the-shelf video cards. WARNING: Do not use ANY audit or cracking tool to access a network without the authorization, in writing, of the owner of that network. Then, just before you run the tool, have the owner give you approval a second time. Or, if you are not prepared to get approval to use this tool on someone else’s network, buy your own WPA Wi-Fi access point, and hook it up to your own network to test this tool. There might be a good deal at Circuit City for a cheap testing-only access point. Remember, the cheap, consumer access points usually don’t have the ability to turn off wireless administration, so it’s not smart to use them in production or live environments.

- Will the Conficker worm be “the worst worm ever?” Some members of mainstream media seem to think so. Randy Abrams from ESET (the makers of NOD32 anti-virus) thinks that Conficker will not be the worst worm ever, and we talk about strategies to counter this attack, and other more serious attacks. The mainstream media is focused on Conficker, while the members of the Dark Web could be attacking you where you might not expect. Read Randy’s related blog posting, Confused about Conficker?

Want to Clean Conficker/Downadup Worm? You May Need To Start Where You Are NOT Looking

Posted in Breach, darkweb, Vulnerabilities on January 18, 2009 by datasecurityblog

I just finished up a discussion with Randy Abrams from ESET about the Conficker/Downadup Worm. The interview will post in a few hours on Data Security Podcast, Episode #36. Randy is a smart security guy, and I want to dive into this topic a bit more than I was able to in the discussion with Randy on the Data Security Podcast.

The focus of many postings I have read on this worm is typically in one of three areas:

1. “This is the biggest worm EVER!” “The sky is falling!” “The end is near!”

2. Apply the following tools to help clean the worm

3. Disable AutoRun on USB ports

The real story here is that the Conficker/Downadup Worm appears to be a small-grade attack that appears to be focused on selling fake anti-virus software. The attack punches holes in networks that, in many cases, already have very serious security vulnerabilities.

In a previous posting I warned that the Conficker/Downadup Worm is a wake-up call for those that don’t have any controls on removable media (you know who you are). If ANYONE on the network can plug in a thumb drive, or iPod, or a USB photo frame, including the CEO, CFO, HR, VP of Sales, Admins, then you have a much bigger threat than the Conficker/Downadup Worm.

Many times I hear CIOs tell me that they have shut down USB access. I respond, “For EVERYONE?” And, if the CIO is being honest, he says, “Well, we had to make an exception for the following departments/users ___, ____, and _____, as they must have access to some devices.”

Those exceptions, without compensating controls, break the security principle of total mediation: only allowing one way in and out of a system. It is this lack of total mediation that is helping spread the Conficker/Downadup Worm. The good news is that there is great software that can control these physical ports, limit access, provide access control rules for those that need access, log activities and files, and even encrypt data. My favorite tool for all of that is DeviceLock (disclosure: they have been a sponsor of some episodes of the Data Security Podcast).

Beyond USB, the Conficker/Downadup Worm is a wake-up call that now is the time to request the budget for a security audit. The Conficker/Downadup Worm demonstrates that too many organizations have poor patching, poor password management, and poor anti-malware protection. And, in my experience, these organizations do not have adequate layers of security in other areas.

In these tight budget times, I am aware that it is difficult to get budget to do anything “new.” This is a hard sell if you have not had a recent security audit and vulnerability assessment. At the very least, I recommend that you memo the right people in the organization about these risks, and if they reject an audit, then the decision was on their watch. If you don’t inform them, and a far more serious attack or breach than the Conficker/Downadup Worm hits you, you will get the blame.

As Randy Abrams points out, there are throngs of “hackers” attacking areas of your network with attacks that don’t have famous names, and don’t get a headline in the paper. Those are the ones to be really scared about.