Wednesday, November 24, 2010

Keep your passwords safe

This post follows on from the last one; I had hoped to get all of this into a single post but forgot to include it. In the last post I talked about some good things to do to keep your home systems safe. That, of course, only pertains to Windows systems. This is part of my answer to "What should standard home users do to secure their systems and information?"

Another issue people run into is that they tend to use the same password in many places: their password on their bank site is their password on their Facebook account is their password for their email. Others use one password for "secure" things like banks and credit accounts and another for simple things like Facebook, blog sites and fantasy football sites.

This is not good! It is one of the common ways people get their identity stolen. Once one site leaks a shared password, every other account that uses it is open, and a criminal can often find information on a Facebook or MySpace wall or in posts that leads to the password for someone's email or, worse, their bank. Another problem is that banks and other sensitive sites let you answer a few questions to reset your password, and people choose answers like birthdays, pet names and favourite sports teams. The trouble is that home users post exactly this information to social networking sites.

So what do we do, Curt? Download a password manager such as the one I use, Password Safe, here. One thing I like about this application is that it can generate good passwords for you. If you go to the properties of a new entry you will see a password policy. I recommend 15 or more characters using all available character types, including symbols such as !#%^. Then click the Generate button on the main page of the new entry and you get a password of the length and character mix you specified. (Note: some generated passwords contain characters that a site or application will not accept. In that case read the site's FAQ for its password rules and adjust the policy for that entry.)
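The policy described above (a minimum length and at least one character from every class, with the symbol set adjustable to what a site accepts) is easy to get subtly wrong, so here is an added example of the same idea in Python. It is not Password Safe's code; the character classes, the symbol set and the site policy are assumptions made for the illustration, and the passwords are drawn from the operating system's random source via the secrets module.

```python
import math
import secrets
import string

# Character classes standing in for the "all available types" policy in the
# password manager entry. The symbol set is a deliberately conservative choice
# (an assumption for this example); widen or narrow it to match a site's rules.
DEFAULT_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#%^&*()-_=+[]{};:,.?/",
}


def meets_policy(password, min_length=15, classes=DEFAULT_CLASSES):
    """Check a password (generated or typed) against the policy: long enough
    and containing at least one character from every class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in classes.values())


def generate_password(length=15, classes=DEFAULT_CLASSES):
    """Return a password drawn with the OS CSPRNG that satisfies the policy.
    Rejection sampling (draw, check, retry) keeps the result uniformly
    distributed over all qualifying strings, unlike 'force one of each class
    into fixed positions' schemes."""
    if any(not cls for cls in classes.values()):
        raise ValueError("every character class must be non-empty")
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length, classes):
            return candidate


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Strength of a uniformly random password of this length: log2 of the
    number of possible strings (ignores the tiny loss from rejection sampling)."""
    alphabet_size = sum(len(cls) for cls in classes.values())
    return length * math.log2(alphabet_size)


def for_site(length, allowed_symbols):
    """The FAQ case from the post: a site that accepts only certain symbols.
    Build a policy with that symbol set and generate under it."""
    classes = dict(DEFAULT_CLASSES, symbol=allowed_symbols)
    return generate_password(length, classes)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits of entropy)")
    print(for_site(16, "!@"))
```

Fifteen characters from this 84-character alphabet give about 96 bits, which is well beyond what an offline guessing attack can cover; the length matters far more than any particular symbol.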

After you have your new super strong password, you're probably thinking: how am I going to remember this? The good news is that you don't have to. When you create a password database it asks you for a master password, and everything in the database is encrypted with a key derived from it. Make this as strong as you can, but the key is that it must be one you can remember. If you forget it there is no going back: no one I know can retrieve lost passwords from this system. That's good for security, but bad if you forget.

Now I will say something you won't hear from me often: in this case it may make sense to write the master password on a piece of paper and keep it in your home safe. You can also ask me about some whimsical ways to store it in your phone's contact list and the like. The only reason I say this is that if you lose it, you will not get this data back!

When you run the Password Safe application it asks for your master password. Once you enter it correctly you see a list of all your entries. Right-click an entry and you can copy its password to the clipboard, then paste it into the browser when the website asks for it, so you never have to remember it. Anything on the clipboard can be read by other programs running as you, so clear it once you have pasted (Password Safe has options to clear the clipboard when it is minimized or closed). You can also choose Edit and display the password if you need to.

There is another nice option. Each entry has a Notes section, so for a sensitive site such as a bank I give completely bogus answers to the password-reset questions and record which questions and answers I used in the notes. This protects against someone trying to harvest the real answers from the Internet, because the answers I gave are false and off the wall, which is also why I need to keep track of what I put :)

The only other thing I can add is: do not save passwords in the browser. Do not use a site's or browser's feature to remember passwords. In some cases that stored information can be pulled by an attacker, and malware running under your account can read it with your privileges. Keep your Password Safe handy and your passwords will stay under your control.

But what happens when I'm away from home without my laptop and Password Safe? Good question. Password Safe has an option to install to a USB drive, and a 1GB USB thumb drive costs $5 to $10 these days. Do that and you will always have your Password Safe with you. The database on the drive is still encrypted under your master password, so losing the drive does not expose your passwords as long as that master password is strong; just keep a backup copy of the database elsewhere so a lost drive does not mean lost passwords.

One final recommendation: some sites, banks especially, offer what is called multi-factor authentication. If you're not sure whether your bank offers it, ask. It is basically a token they send to you, put on your card, or a code they text to your phone. The number on a token is not really random: it is computed from a secret the token shares with the bank and the current time, so it changes every 30 seconds or so and cannot be reused later. When you enter your password on the site you also enter a PIN along with the digits showing on the token at that very moment. This is probably one of the most secure ways to access sensitive data across the Internet at this time, and even things like online games now offer it. When in doubt about whether a site offers it, ask.

Sunday, November 21, 2010

Need a little more security?

OK, so you have your antivirus and you keep it up to date. You run some sort of anti-malware program (such as Malwarebytes) once in a while to catch things your AV might have missed. Maybe you even downloaded the application I talked about in my last post to tell you when you have out-of-date applications. What else could there be, you ask?

Glad you asked. Adobe finally released the "sandboxed" version of Adobe Reader, Reader X, which is supposed to be its response to the exploit problems Reader has had. Guess what, though? If you're not running Windows Vista or higher, then it doesn't matter. If you are running Windows 7 or Vista, I recommend you go and install Adobe Reader X now; you can get it here.

But wait...there is more!

A while back Microsoft released a tool called EMET, the Enhanced Mitigation Experience Toolkit. You can download it here. I highly recommend you do that after you get the rest of your applications up to date. It adds extra exploit mitigations (DEP, SEHOP, ASLR and others) to the programs you choose. I have tested this in my lab environment and have been unsuccessful in getting standard Adobe exploits to execute properly while running it. If you add it to the new Adobe Reader X, I can only imagine it will get even better (I haven't fully tested with Reader X yet to say for sure).

Download and install EMET. After installing it, go to your Start menu and locate EMET 2.0 (note: it may be under the Enhanced Mitigation Experience Toolkit folder under All Programs).

Once the application is running, click the Configure System button. Change the values for DEP, SEHOP and ASLR from Application Opt In to Always On, or leave Application Opt In where Always On is not offered (EMET does not offer Always On for system-wide ASLR because it can cause stability problems, so Application Opt In is the expected choice there). Click the OK button.

Next click the Configure Apps button in the lower right-hand corner to bring up the Configure Applications window. Click the Add button in the lower left. Double-click your C drive, then Program Files (or Program Files (x86) if you are running a 64-bit machine; you will know you are if you see a Program Files (x86) folder here), then the Adobe folder, then Reader 10.0 (if you installed Reader X as instructed; otherwise choose the version you have, such as 9.0), then the Reader folder, and finally AcroRd32.exe. Ensure all of the boxes are checked for DEP, SEHOP, NullPage, HeapSpray, EAF and Mandatory ASLR.

Click Add again. This time choose your C drive, Program Files (or Program Files (x86)), then the Java folder, then jre6, then bin, and double-click the java executable; ensure all of the check boxes are selected. javaw.exe and javaws.exe in the same bin folder are worth adding the same way, since GUI Java programs and Java Web Start applications are launched through those rather than java.exe.

Next click Add again and navigate to C:\Program Files\Internet Explorer. (Note: if you are running a 64-bit machine and have the Program Files (x86) folder, do this for both C:\Program Files\Internet Explorer and C:\Program Files (x86)\Internet Explorer, since there are separate 64-bit and 32-bit copies of the browser.) In each of those folders choose the iexplore.exe file and ensure all of the check boxes are checked for it as well.

Do the same thing for any other browser you might use, such as Firefox or Google Chrome: just find their exe files and choose them. (Note: you can normally find the path by right-clicking the icon on your desktop or in the Start menu folder and choosing Properties.) I would also recommend you do the same thing for your antivirus, anti-malware and Office applications.

When you're done adding all of your programs, click the OK button to return to EMET's main screen. Click the red button with the white X in the upper right-hand corner. A warning will pop up saying the changes you made require you to restart your system. Click OK. This does not force a restart, so save your documents and then reboot your machine.

This is not a silver bullet to keep you safe, but I can guarantee it will make it more difficult to be infected with malware if you do the following:

Keep your OS and third-party applications up to date.
Keep your antivirus application and its signatures up to date.
Keep your anti-malware application and its signatures up to date.
Upgrade Adobe Reader to Adobe Reader X.
Install EMET and configure it to protect all of the commonly exploited applications (Adobe Reader, Java, antivirus applications, web browsers, Office applications etc.).

If you have any questions, please let me know!

Sunday, October 24, 2010

Are you Up 2 Date?

Many people keep up with their Windows patches, which is a good thing. If you don't, shame on you! You should. It's easy: just turn on Automatic Updates (Windows Update) from the Control Panel of your Windows operating system.

Here is something you might not have known: a lot of the malware coming out these days targets vulnerabilities in third-party applications such as Adobe Reader, Java, Chrome etc. rather than Windows itself. How often do you update those applications?

Agreed, it's a pain to update each application you have individually. Enter Secunia's Personal Software Inspector (PSI), a free application that tells you which installed programs have known vulnerabilities or patches available and helps you get the patches for each one.

They also have an online version called Online Software Inspector, but it covers fewer applications than PSI. I recommend installing PSI and giving it a try. It's highly important to keep ALL of your applications up to date, not just Windows!

Friday, October 22, 2010

Interesting DNS results

Most of you have probably heard of Wikipedia. If not, where have you been? Under a rock? I saw a demo the other day of something rather interesting. Apparently you can look up quick references from Wikipedia using DNS tools such as nslookup and dig: you query the TXT record for the article name followed by .wp.dg.cx. Here are a few examples with their output:

With DIG (looking up dogs):

dig txt dogs.wp.dg.cx

;; QUESTION SECTION:
;dogs.wp.dg.cx.            IN    TXT

;; ANSWER SECTION:
dogs.wp.dg.cx.        86400    IN    TXT    "The dog (Canis lupus familiaris) is a domesticated subspecies of the gray wolf, a member of the Canidae family of the order Carnivora. The term is used for both feral and pet varieties. The domestic dog has been one of the most widely kept working and com" "panion animals in human history. http://en.wikipedia.org/wiki/Dog"

With NSLOOKUP (looking up Cats):

nslookup -querytype=txt cats.wp.dg.cx

Non-authoritative answer:
cats.wp.dg.cx   text =

        "The cat (Felis catus), also known as the domestic cat or house cat to distinguish it from other felines and felids, is a small predatory carnivorous species of crepuscular mammal that is valued by humans for its companionship and its ability to hunt vermi" "n, snakes, scorpions, and other unwanted household pests. It has been associated with humans for at least 9,500 years... http://a.vu/w:Cat"

I'm not sure how they are doing it yet, but it's a geeky little feature that I thought I would share :). You do need to ask for TXT records only: specify txt in your dig command, or -querytype=txt in your nslookup command if you are typing it all on one line; in interactive nslookup use set type=txt. Note that each string inside a TXT record is limited to 255 bytes, which is why the long answers above come back as two quoted strings split mid-word ("com" "panion"); the client is expected to join them.
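The two-quoted-strings output above trips people up when they script these lookups, so here is an added example (my code, not part of the post or of the dg.cx service) that parses dig and nslookup TXT output, undoes dig's backslash escaping, joins the 255-byte pieces back together, and shows the splitting a server has to do on the way out. The sample outputs are constructed, shortened versions of the ones shown above; the parsers assume the default output layouts of dig and nslookup.

```python
import re

# A DNS TXT record is one or more <character-string>s, each at most 255
# bytes (RFC 1035 section 3.3.14). dig and nslookup print each one in double
# quotes, which is why long answers appear as "... com" "panion ...".
TXT_LIMIT = 255
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_strings(rdata: str) -> list:
    """Split printed TXT RDATA into its character-strings, undoing the
    backslash escaping dig applies to embedded quotes and backslashes."""
    return [re.sub(r"\\(.)", r"\1", s) for s in QUOTED.findall(rdata)]


def join_txt(rdata: str) -> str:
    """The client's job: concatenate the strings in order, no separator."""
    return "".join(txt_strings(rdata))


def split_for_txt(text: str, limit: int = TXT_LIMIT) -> list:
    """The server's job for a long answer: chunk the text into strings that
    fit the limit. Assumes single-byte (ASCII) characters."""
    return [text[i:i + limit] for i in range(0, len(text), limit)]


def parse_dig(output: str) -> dict:
    """Owner name -> joined TXT text for every TXT line in dig's answer section."""
    answers = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                       # comments and the question section
        parts = line.split(None, 4)        # name, ttl, class, type, rdata
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "TXT":
            answers[parts[0].rstrip(".")] = join_txt(parts[4])
    return answers


def parse_nslookup(output: str) -> dict:
    """Same for nslookup's layout: a 'name  text =' line followed by the
    quoted strings on the following line(s)."""
    answers, current = {}, None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.endswith("text ="):
            current = stripped.split()[0]
            answers[current] = ""
        elif current and '"' in stripped:
            answers[current] += join_txt(stripped)
    return answers


# Constructed samples in the shape of the output shown in the post, shortened.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;dogs.wp.dg.cx.\t\t\tIN\tTXT

;; ANSWER SECTION:
dogs.wp.dg.cx.\t\t86400\tIN\tTXT\t"The domestic dog has been one of the most widely kept working and com" "panion animals in human history. http://en.wikipedia.org/wiki/Dog"
"""

SAMPLE_NSLOOKUP = """\
Non-authoritative answer:
cats.wp.dg.cx\ttext =

\t"The cat (Felis catus) is valued for its ability to hunt vermi" "n and other household pests. http://a.vu/w:Cat"
"""

if __name__ == "__main__":
    for name, text in {**parse_dig(SAMPLE_DIG), **parse_nslookup(SAMPLE_NSLOOKUP)}.items():
        print(f"{name}: {text}")
```

If you pipe real dig output through parse_dig, remember that the same record can legitimately contain several strings that are meant to be read separately (SPF and DKIM records are the usual examples); joining with no separator is right for this service but not a universal rule.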

Wednesday, October 20, 2010

WinRM

What is it? It appears to be a way to manage Windows systems over HTTP or HTTPS. This just sounds like a bad idea to me! I haven't looked much into this yet, so I cannot say it is definitely a bad idea just yet. It seems I can get system information remotely, including disk and process information, start or stop services, or make system changes remotely.

So why would this be a bad idea? Well, first of all it supports HTTPS, which is a secure web protocol. That's a good thing, right? Doesn't that take away some of the problem? No! Now an attacker has encrypted communications to your workstations, which will bypass your network security defenses unless you are using some sort of SSL man-in-the-middle inspection that lets you see into encrypted sessions. Since most are not doing that, this is a serious risk.

Think of it this way. In my last post I discussed trying to bypass application whitelisting by providing a valid signature that would be trusted on such a system. Why would I do that now if I can use WinRM, which is probably not only signed by Microsoft but is a Microsoft built-in tool (on Vista and above)? Of course this tool is going to be trusted. Now it's even easier to control a system without those evasion techniques, provided the attacker already holds valid credentials with the rights to use WinRM on the target, since every WinRM request is authenticated (Kerberos or NTLM by default).

Expect to see more from me on this. I'm going to continue to test it out and see how far one can actually go with this technology.

Sunday, October 17, 2010

New leaf on blogging

OK. I'm sorry it's been so long. It is harder to keep up with blogging than I thought. I think I have a new plan. I tend to take at least 15 minutes to learn something new in computers, probably more computer security than just computers, every day. What I plan to do is just post a synopsis of what I learned each day. That way I can share what I am learning and attempt to solidify the concept in my mind as well. So this will be my first.

The first thing I'd like to announce is a second blog that I now have to keep up with. http://internetopenurla.blogspot.com/. On that blog we will basically be taking malware samples from the wild that we have come across or people have submitted. We will reverse engineer the malware step by step and show how we do it. This will help people learn common techniques that are used to find out what malicious software is doing and thus how to stop it. We plan to post there once a month. You can follow the updates on Twitter @inetopenurla.

So on to the regularly scheduled program. What did I learn today? Glad you asked.

I have been looking at ways to get around application whitelisting programs such as Bit9 or Microsoft's AppLocker. For those who may not know, application whitelisting means stating that only certain applications you know to be good are allowed to run; everything else is blocked because it is not approved. You can approve applications in a number of ways: by the digital signature of the application's publisher (e.g. Microsoft), by the file's hash value, or by where the file is installed on your system (e.g. C:\Program Files or C:\Windows\System32). A hash value is a fixed-length digest computed from the file's contents, so renaming the file, or giving another file the same name, does not change which hash it matches; only changing the contents does.

So I have been trying to see how I can get around this. It turns out that Microsoft includes an application called iexpress on Windows XP and above. It lets you combine multiple files into one self-extracting executable. The interesting thing is that if you look at the publisher information of the result, it appears to be signed by Microsoft, and Microsoft-signed files are generally on the allow list in whitelisting because we should all trust Microsoft, right ;) One caveat: the company name shown in a file's version information is free text that any build tool can set and is not an Authenticode signature, and AppLocker's publisher rules are evaluated against a verified signature, not the version resource.

You can see an example of how to do this with Metasploit and the iexpress tool mentioned above here. It turns out that my testing with Microsoft AppLocker's default rules still blocks this technique. I'm continuing my journey to see if I can find a way around that.
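To make the three rule types and their different failure modes concrete, here is an added example, my own model and not AppLocker's or Bit9's code, of how publisher, hash and path rules decide on a file. The files, their bytes and the rule set are constructed for the illustration; the publisher string is in the subject form AppLocker publisher rules use, and the model deliberately ignores the extra fields (product, file name, version) and the environment variables a real rule set would carry.

```python
from dataclasses import dataclass
from hashlib import sha256
from pathlib import PureWindowsPath
from typing import List, Optional


@dataclass(frozen=True)
class FileInfo:
    """What an allowlisting engine can see about a file. Everything here is
    constructed for the example; no real files are read."""
    path: str
    content: bytes
    version_company: str = ""      # VERSIONINFO CompanyName: free text anyone can set
    signer: Optional[str] = None   # subject of a *verified* Authenticode signature, if any

    @property
    def digest(self) -> str:
        return sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str    # "publisher", "hash" or "path"
    value: str


def matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "publisher":
        # Decided on the verified signature only; the version resource is never consulted.
        return f.signer is not None and f.signer == rule.value
    if rule.kind == "hash":
        # Follows the contents, so renaming the file changes nothing.
        return f.digest == rule.value
    if rule.kind == "path":
        # Compare path components case-insensitively, so that C:\Program Files
        # matches C:\Program Files\X\a.exe but not C:\Program Filesx\a.exe.
        want = [p.lower() for p in PureWindowsPath(rule.value).parts]
        have = [p.lower() for p in PureWindowsPath(f.path).parts]
        return have[:len(want)] == want
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def first_match(rules: List[Rule], f: FileInfo) -> Optional[Rule]:
    """The rule that allows the file, or None if it would be blocked."""
    return next((r for r in rules if matches(r, f)), None)


def allowed(rules: List[Rule], f: FileInfo) -> bool:
    return first_match(rules, f) is not None


# Constructed rule set in the spirit of a default policy: signed Microsoft
# code plus anything under the two system directories.
MS_SIGNER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
RULES = [
    Rule("publisher", MS_SIGNER),
    Rule("path", r"C:\Program Files"),
    Rule("path", r"C:\Windows"),
]

# Constructed files: a signed system tool, and a self-extracting package whose
# version info claims Microsoft but which carries no verified signature.
PACKAGE_BYTES = b"MZ\x90\x00 constructed self-extracting package"
SYSTEM_TOOL = FileInfo(r"C:\Windows\System32\iexpress.exe", b"MZ constructed stub",
                       version_company="Microsoft Corporation", signer=MS_SIGNER)
PACKAGE = FileInfo(r"C:\Users\bob\Downloads\update.exe", PACKAGE_BYTES,
                   version_company="Microsoft Corporation", signer=None)
RENAMED = FileInfo(r"C:\Users\bob\Downloads\notepad.exe", PACKAGE_BYTES,
                   version_company="Microsoft Corporation", signer=None)

if __name__ == "__main__":
    for f in (SYSTEM_TOOL, PACKAGE, RENAMED):
        print(f.path, "->", first_match(RULES, f))
```

The model shows why the version-info trick fails against a publisher rule, why a hash rule is indifferent to renaming, and why a path rule is only as strong as the write permissions on the directory it names.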

Friday, April 30, 2010

When good sites go bad

This is a follow-up to a question from a reader of the previous post. Paraphrased: can websites become malicious at any time? Should we scan websites we go to frequently or just new ones? That is an excellent question, so good that I figured I would follow up on the last post.

The short answer is yes. I would scan sites semi-regularly, even ones you go to all the time, and especially sites that involve financial transactions. I am including some links below to stories where well-known sites were found to distribute malicious content. This isn't necessarily the sites doing it deliberately; more often attackers target popular sites (frequently through the ad networks they embed) precisely because that reaches more people.

Another thing that helps is to make sure you are doing your Microsoft Updates. Move to the IE 8 web browser (you should get it from Microsoft Update; if not, download it from microsoft.com). To check whether you are running IE 8, open the browser, go to the Help menu and choose About Internet Explorer. Alternatively you can use Firefox; remember to keep that updated as well.

Finally, you can go so far as to run your browser in a virtual machine or with a program such as Sandboxie. Sandboxie runs the browser in an isolated sandbox so that the file and registry changes it makes are kept apart from the real system and can be discarded. This isn't a silver bullet, just another arrow for the quiver.

CNN Malware
When malware strikes via bad ads on good sites
Malware Delivered by Yahoo, Fox, Google ads

Relax, the Internet isn't all bad. Here is a palate cleanser to show you that:

Surprised Kitty
Charlie Bit Me!