Roasty's Rant

Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. (See “A Tour of the Microsoft Security Response Center”). In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don’t result from product flaws. Over the years, we’ve developed a list of issues like these, that we call the 10 Immutable Laws of Security.

Don’t hold your breath waiting for a patch that will protect you from the issues we’ll discuss below. It isn’t possible for Microsoft—or any software vendor—to “fix” them, because they result from the way computers work. But don’t abandon all hope yet—sound judgment is the key to protecting yourself against these issues, and if you keep them in mind, you can significantly improve the security of your systems.

On This Page

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn’t practical, in real life or on the Web
Law #10: Technology is not a panacea

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word “will” to “won’t” in all of them. It could send rude emails to all your friends. It could install a virus. It could create a “back door” that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive.

That’s why it’s important to never run, or even download, a program from an untrusted source—and by “source,” I mean the person who wrote it, not the person who gave it to you. There’s a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn’t—it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you’ll usually be safe.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the computer, right along with everything else! They’re just files, and if other people who use the computer are permitted to change those files, it’s “game over”.

To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they’re trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there’s no limit to what he can do. He can steal passwords, make himself an administrator on the computer, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected. (The security checklists on the Microsoft Security website will help you do this).

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Oh, the things a bad guy can do if he can lay his hands on your computer! Here’s a sampling, going from Stone Age to Space Age:

• He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
• He could unplug the computer, haul it out of your building, and hold it for ransom.
• He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).
• He could remove the hard drive from your computer, install it into his computer, and read it.
• He could make a duplicate of your hard drive and take it back his lair. Once there, he’d have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it’s almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.
• He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that’s consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.

If you travel with a laptop, it’s absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn’t been tampered with is to keep the laptop on your person at all times while traveling.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we’ve seen above, unpleasant things can happen if a bad guy’s program can run on your computer.

If you run a website, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your website is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it’s possible he could extend his control to the server itself, in which he could control all of the sites on it—including yours. If you’re on a shared server, it’s important to find out what the server administrator’s policies are. (By the way, before opening your site to the public, make sure you’ve followed the security checklists for IIS 4.0 and IIS 5.0).

Law #5: Weak passwords trump strong security

The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he’s you. Maybe he wants to read sensitive information you’ve stored on your computer, like your e-mail. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn’t. Or maybe he just wants to do something malicious and blame it on you. In any case, it’s worth protecting your credentials.

Always use a password—it’s amazing how many accounts have blank passwords. And choose a complex one. Don’t use your dog’s name, your anniversary date, or the name of the local football team. And don’t use the word “password”! Pick a password that has a mix of upper- and lower-case letters, number, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you’ve picked a strong password, handle it appropriately. Don’t write it down. If you absolutely must write it down, at the very least keep it in a safe or a locked drawer—the first thing a bad guy who’s hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don’t tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.

Law #6: A computer is only as secure as the administrator is trustworthy

Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the computer. This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you’ve taken. He can change the permissions on the computer, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don’t give anyone administrative privileges on your network unless they’ve been vetted – and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who’s been in the server room. (You do have a server room with a locked door, right? If not, re-read Law #3). Implement a “two person” rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don’t use the Administrator account—instead, give each administrator a separate account with administrative privileges, so you can tell who’s doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A’s audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Law #7: Encrypted data is only as secure as the decryption key

Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn’t really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he’d have everything he needed to open the lock. Encrypted data works the same way—no matter how strong the crypto algorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience – you don’t have to handle the key – but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it’s on the computer it can be found. It has to be – after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations. (All of you administrators out there who are using Syskey in “local storage” mode—you’re going to reconfigure your server right this minute, right?)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Virus scanners work by comparing the data on your computer against a collection of virus “signatures”. Each signature is characteristic of a particular virus, and when the scanner finds data in a file, email, or elsewhere that matches the signature, it concludes that it’s found a virus. However, a virus scanner can only scan for the viruses it knows about. It’s vital that you keep your virus scanner’s signature file up to date, as new viruses are created every day.

The problem actually goes a bit deeper than this, though. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose and people update their virus signatures, the spread of the virus falls off drastically. The key is to get ahead of the curve, and have updated signature files on your computer before the virus hits.

Virtually every maker of anti-virus software provides a way to get free updated signature files from their website. In fact, many have “push” services, in which they’ll send notification every time a new signature file is released. Use these services. Also, keep the virus scanner itself—that is, the scanning software—updated as well. Virus writers periodically develop new techniques that require that the scanners change how they do their work.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you. Think about all the information that a person can glean in just a short conversation with you. In one glance, they can gauge your height, weight, and approximate age. Your accent will probably tell them what country you’re from, and may even tell them what region of the country. If you talk about anything other than the weather, you’ll probably tell them something about your family, your interests, where you live, and what you do for a living. It doesn’t take long for someone to collect enough information to figure out who you are. If you crave absolute anonymity, your best bet is to live in a cave and shun all human contact.

The same thing is true of the Internet. If you visit a website, the owner can, if he’s sufficiently motivated, find out who you are. After all, the ones and zeroes that make up the Web session have to be able to find their way to the right place, and that place is your computer. There are a lot of measures you can take to disguise the bits, and the more of them you use, the more thoroughly the bits will be disguised. For instance, you could use network address translation to mask your actual IP address, subscribe to an anonymizing service that launders the bits by relaying them from one end of the ether to the other, use a different ISP account for different purposes, surf certain sites only from public kiosks, and so on. All of these make it more difficult to determine who you are, but none of them make it impossible. Do you know for certain who operates the anonymizing service? Maybe it’s the same person who owns the website you just visited! Or what about that innocuous website you visited yesterday, that offered to mail you a free $10 off coupon? Maybe the owner is willing to share information with other website owners. If so, the second website owner may be able to correlate the information from the two sites and determine who you are.

Does this mean that privacy on the Web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life—through your behavior. Read the privacy statements on the websites you visit, and only do business with ones whose practices you agree with. If you’re worried about cookies, disable them. Most importantly, avoid indiscriminate Web surfing—recognize that just as most cities have a bad side of town that’s best avoided, the Internet does too. But if it’s complete and total anonymity you want, better start looking for that cave.

Law #10: Technology is not a panacea

Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses the hardware to open new vistas for computer users, as well as advancements in cryptography and other sciences. It’s tempting to believe that technology can deliver a risk-free world, if we just work hard enough. However, this is simply not realistic.

Perfect security requires a level of perfection that simply doesn’t exist, and in fact isn’t likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of them can be exploited to cause security breaches. That’s just a fact of life. But even if software could be made perfect, it wouldn’t solve the problem entirely. Most attacks involve, to one degree or another, some manipulation of human nature—this is usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys will respond by shifting their focus away from the technology and toward the human being at the console. It’s vital that you understand your role in maintaining solid security, or you could become the chink in your own systems’ armor.

The solution is to recognize two essential points. First, security consists of both technology and policy—that is, it’s the combination of the technology and how it’s used that ultimately determines how secure your systems are. Second, security is journey, not a destination—it isn’t a problem that can be “solved” once and for all; it’s a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment. There are resources available to help you do this. The Microsoft Security website, for instance, has hundreds of white papers, best practices guides, checklists and tools, and we’re developing more all the time. Combine great technology with sound judgment, and you’ll have rock-solid security.

Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. It is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, most rootkits, and other malicious programs. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.

Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs. Sometimes, malware is disguised as genuine software, and may come from an official site. Therefore, some security programs, such as McAfee may call malware “potentially unwanted programs” or “PUP”. Though a computer virus is malware that can reproduce itself, the term is sometimes used erroneously to refer to the entire category. Shared resources, such as the Internet, have created a highly interconnected cyberinfrastructure. Critical infrastructures in domains such as medical, power, telecommunications, and finance are highly dependent on information systems. These two factors have exposed our critical infrastructures to malicious attacks and accidental failures. Disruption of services caused by such undesirable events can have catastrophic effects, including loss of human life, disruption of essential services, and huge financial losses. For example, the outbreak of the CodeRed virus infected more than 359,000 hosts, resulting in financial losses of approximately 2.6 billion dollars. Given the devastating effect malicious code can have on our cyber infrastructure, identifying and containing malicious programs is an important goal.

Malware is a worldwide epidemic. Studies suggest that the impact of malware is getting worse. Malware detectors are the primary tools in defence against malware. The quality of such a detector is determined by the techniques it uses. It is therefore imperative that we study malware detection techniques and understand their strengths and limitations. Preliminary results from Symantec published in 2008 suggested that “the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications.” According to F-Secure, “As much malware was produced in 2007 as in the previous 20 years altogether”. Malware’s most common pathway from criminals to users is through the Internet is primarily by e-mail and the World Wide Web.

The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti- malware protection software to protect against the continuous stream of new malware, has seen the adoption of a new mind- set for businesses operating on the Internet: the acknowledgment that some percentage of Internet customers will always be infected, and that they need to continue doing business with despite this. The result is a greater emphasis on back-office systems designed to protect against advanced malware operating on customers’ computers. On March 29, 2010, Symantec Corporation named Shaoxing, China, as the world’s malware capital. A 2011 study from the University of California, Berkeley, and the Madrid Institute for Advanced Studies published an article in Software Development Technologies, examining how entrepreneurial crackers are helping enable the spread of malware by offering access to computers for a price. They charge from $7 to $180 per thousand infections to make up an informal underground Pay-Per-Install (PPI) industry. The study’s authors identified more than 57 malware “families,” including spam bots, fake antivirus programs, information-stealing trojans, denial-of-service bots and adware.

To avoid detection by anti-virus software, malware distributed by PPI services are frequently updated, with one observed family of malware updating up to twice a day. Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks. They were generally intended to be harmless or merely annoying, rather than to cause serious damage to computer systems. In some cases, the perpetrator did not realize how much harm his or her creations would do. Young programmers learning about viruses and their techniques wrote them simply for practice, or to see how far they could spread. As late as 1999, widespread viruses such as the Melissa virus and the David virus appear to have been written chiefly as pranks. The first mobile phone virus, Cabir, appeared in 2004.   Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing invalid data to them.

Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, worms may seem like the online equivalent to graffiti tagging, with the author’s alias or affinity group appearing everywhere the worm goes.   Since the rise of widespread broadband Internet access, malicious software has been designed for a profit (e.g. forced advertising). For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users’ computers for black-market exploitation. Infected “zombie computers” are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion. Another strictly for-profit category of malware has emerged in spyware, programs designed to monitor users’ web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are, in general, installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications.

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload that performs other actions, often malicious. On the other hand, a worm is a program that actively transmits itself over a network to infect other computers. It too may carry a payload. These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself  automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the  recipient opening a file or email to infect the system, would be classified as viruses rather than worms. Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.

Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot-able floppies, so they spread rapidly in computer hobbyist circles. The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities) in network server programs and started itself running as a separate process. This same behaviour is used by today’s worms as well. With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a few like Mare-D and the Lion worm are also written for Linux and Unix systems. Worms today work in the same basic way as 1988′s Internet Worm: they scan the network and leverage vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.   Although most common families of malware targeted both Europe and the United States, there were some families with a single-country focus and some families with no geographic bias. Microsoft reported in May 2011 that one in every 14 downloads from the Internet may now contain malware code according to the Wall Street Journal. Social media, and Facebook in particular, are seeing a rise in the number of tactics used to spread malware to computers. Malware for profit: spyware, botnets, keystroke loggers, and dialers During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. More recently, the greater share of malware programs have been written with a profit motive (financial or otherwise) in mind. This can be taken as the malware authors’ choice to monetize their control over infected systems: to turn that control into a source of revenue.

Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behaviour for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called “stealware” by the media, overwrite affiliate marketing codes so that revenue is redirected to the spyware creator rather than the intended recipient. Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court. Another way that financially motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. The infected computers are used as proxies to send out spam messages. A computer left in this state is often known as a zombie computer. The advantage to spammers of using infected computers is they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.   In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus software or other security measures.

It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a key logger, which intercepts the user’s keystrokes when entering a password, credit card number, or other information that may be exploited. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.   Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. “900 number” and leave the line open, charging the toll to the infected user.

The most common one I have seen in technical support is an alleged virus scanner which asks for payment or it will not go away. It prevents you from stopping the scanner, constantly telling you that you have a virus infection, and stops you from doing anything else until you pay for the scanner using a credit card. Short of it is, don’t! The creators will use your credit/debit card information to steal large quantities of money from your bank account, and will not make any difference to the operation of the computer, apart from letting you use it again. Don’t get trapped like many others have in this massive online problem, seek technical advice to resolve if you cannot. Most cases of this problem I have been forced to reimage windows from scratch after making a backup of the data.

To conclude this article, if you spot it, you’ll squat it! Detect these problems before they manage to take control. Here are three decent anti-malware scanners and cleaners which are free to download and use, they also clean your system for free if they find any malicious code:

http://www.malwarebytes.org/products/malwarebytes_free

http://www.safer-networking.org/en/mirrors/index.html

http://www.javacoolsoftware.com/spywareblaster.html

If you would like an introduction to viruses, and the concept of a word virus scanner that detects all word viruses, please check out my anti-virus project which was my final year computer science degree dissertation, at: http://www.glennroast.co.uk/av.htm

This aims to give a good understanding of how viruses work, spread, examples of code and full source code of my scanner which also cleans word macro viruses without the need for anti-virus updates. It goes without saying that it is free of viruses, but for the untrusting, I also published it in Adobe PDF format, which as you may know, does not have the same security threats that word documents and rouge macros have with DOC files.

Please let me know what you think if you have the time to look and comment on the project, this blog or my code. Thanks very much for your time.

http://www.GlennRoast.Com

Password Security – Defeating Rainbow Tables

Background

“Computer systems that rely on passwords for authentication require some way to tell if an entered password is correct. The simplest approach is to store a list of valid passwords, one for each user; however, this allows anyone who gains access to the list to know every user’s password. The more common approach is to store a cryptographic hash of the password. This protects the stored information because such hashes are difficult to reverse. However most hashes are designed to be computed quickly. This allows someone who gains access to the stored hash values to rapidly check long lists of possible passwords for validity.

One defense against such attacks is to use longer passwords, increasing greatly the number of possible passwords an attacker must check to find the correct one. For simple hash schemes (ones that don’t use cryptographic salt), an attacker can precompute the hash values for all common or short passwords and save them in a large table. Once a hash value is obtained it can then be quickly looked up in the table to find the matching password. However as the size of passwords grows, such tables can become too big to store. An alternative is to store the starting points for long chains of hashed passwords. This requires more computation to look up a purloined password hash, but saves greatly on space. Rainbow tables are a refinement on the chaining technique that avoids a technical problem called chain collisions.

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ a salt to make this attack infeasible.

Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman that used the inversion of hashes by looking up precomputed hash chains.”

LM hash is particularly vulnerable because passwords longer than 7 characters are broken into two sections, each of which is hashed separately. Choosing a password that is fifteen characters or longer guarantees that an LM hash will not be generated.

Choose a 15+ character password with upper and lowercase letters, numbers and symbols. Maximum in 2k/XP/Vista/Win7 is 127 characters for a maximum password length.

Something like !(Hel1c0pter$)! Would be a suitable password to force NTLM only and would take too long to crack with brute force, and too long a password for a rainbow table to discover it.

At present, rainbow tables are so big due to the amount of possible combinations that need to be stored. Rainbow tables can only be used on unsalted passwords, which windows ones are. I downloaded from home, 440 GB of upper, lower case characters and numbers for passwords of 1 to 8 in length for LM/NTLM. I also downloaded another table with all upper, lower, numbers and symbols for LM/NTLM for passwords up to 7 characters. It took me 2 weeks to get them!

These tables can break any password under 15 characters in minutes on most older flavors of windows due to the LM hash being present in two sections of 7. It has more than 99% accuracy with the bigger tables. There exists a 9 character table, but at the moment only has lowercase and numbers. The BOINK project is being used a public distributed processing solution to allow rainbows for bigger passwords.

I hope this helps you in your work/home security, although I opt for PGP whole disk encryption at home to avoid using Microsoft’s weak algorithms completely (for reasons of strong cryptography being disallowed by the United States as an export of munitions) and I use Safeboot whole disk AES 256 bit encryption for my work laptop.

These links are usually allowed on a company Network:

http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html

http://www.symantec.com/connect/articles/ten-windows-password-myths

http://en.wikipedia.org/wiki/Rainbow_table

These links are usually blocked on a company Network, so you should only try these from home or an ADSL/3G connection:

http://www.l0phtcrack.com – Software to audit your password security for strength or weakness

http://www.freerainbowtables.com – Big download, but worth the wait to test your computers for stronger password creation

An Introduction to Insider Threats

A significant class of insider crimes – theft of intellectual property – results in tangible losses in the form of stolen business plans, customer lists and other propriety information. Researchers from the institute’s CERT Insider Threat Center reached that conclusion after analyzing more than 600 cases it has amassed over the past decade. One remarkable finding: much of the pilfering of secrets occurs within 30 days of the insider’s last day on the job.

“When executives decide to discharge employees, they should notify IT or IT security ahead of time.
Failing to do so could prove costly.”

What does that mean for an enterprise? When executives decide to discharge employees – whether through layoffs or firings – they should notify IT or IT security ahead of time. Failing to do so could prove costly.

Everyone believes that detecting insiders and preventing insider attacks is IT’s problem.
IT can’t really do it alone. There needs to be communication across the organization.

If no one tells them that they’re going to fire this disgruntled sysadmin, [IT staffers] don’t know they should be watching what this person is doing. And, if no one tells them that they’re going to be laying off a lot of people, they don’t know they need to be watching for potential data exfiltration or sabotage. It’s important that there’s awareness across the organization.

Different employees present different insider threats. Disgruntled employees bent on IT sabotage likely are techies, network or database administrators or programmers. Typically, they’ll set up an attack ahead of time, but wait until they’re discharged before carrying out their wicked deeds.

Those stealing trade secrets are likely scientists, engineers, programmers or sales reps who have worked with those confidential materials, perhaps leaving their organizations to start their own businesses.

Is the insider threat growing? I don’t have the data to answer that question. But with the growing number of mobile devices that can access enterprise networks, the perception exists that the insider threat is a growing menace What’s clear, in my mind, is that this aspect of IT security is everyone’s problem. We need to reach the upper management of organizations so that they understand that they need to work with IT and information security to solve this problem.

Further Reading: Books search by relevance for “Insider Threat” at Amazon brings up the most relevant titles

http://www.amazon.co.uk/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=insider+threat&x=0&y=0

How to Prevent a WikiLeaks-Like Breach

Technologies and processes exist to prevent a WikiLeaks-style breach, but most IT security experts haven’t instituted the proper safeguards.

“With the right people, process and technology, you could be able to put a system together that would greatly reduce the impact these types of attacks have”

One of the biggest failures deals with how organizations control and manage access to data. Individuals should have access to data for a limited time. If you look at just about everything else we do, your driver’s license has an expiration date; your passport has an expiration date; so when you are given access to sensitive data, it is typically infinite and there no expiration. By placing time constraints on entree to sensitive data, the burden shifts to the user from the data owner on justifying access.

Search and indexing technologies also can help limit access to data and reduce the danger of improver exposure. Each document would be indexed by page, paragraph or sentence. Users could conduct a search without getting details or access to the document. You can get the details you need on a specific area, but the bigger risk of getting more access than what is required to do your job is reduced. “At the end of the day … we see insider threat and information leakage when the person needed some of the information in the document but not the entire document, but because most organizations don’t know to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required.

Another approach to safeguard data that doesn’t require new technology is to limit access to sensitive information from a thin client or virtual machine; that means no local storage on users’ own devices.  You could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden, once again, you are taking away yet another avenue of exploitation from that user.

For an assesment of a company that suffered a Wikileak here are some areas of topic that need consideration:

Assessing how the WikiLeaks breach occurred
Most organizations won’t learn the lesson from the WikiLeaks episode
Three critical questions organizations should answer to assess their vulnerabilities

Assessing how the WikiLeaks breach occurred

From an IT security perspective, what went wrong? How preventable was the WikiLeaks breach?

It’s a very interesting question because typically when we look at security we always look at access control and the idea of the insider threat is people can access information that they need to perform their jobs, but they are using it for other purposes in which it wasn’t intended.

Based on the amount of information that was leaked out that one person would need access to all of that data in order to perform their job function. I would immediately think that there was clearly a problem in terms of controlling, managing and limiting access within the enterprise.

While that could never be prevented, that could have been reduced greatly by better controlling and managing who can store what and in which media. But the other important thing gets down to the data loss prevention controls and the classification.

Most organizations won’t learn the lesson from the WikiLeaks episode

I definitely think some folks have learned a lesson, but unfortunately in a lot of cases there is a small percentage of people though who they may see harm to others, they don’t want the harm to them and they will learn from that activity. However, a large percentage of folks we found, until they personally suffer pain, they don’t think it is something that can happen to them.

Unfortunately, I think there will be a large percentage of folks who will look at that, shake their heads and think how could this have happened, but then in the next sentence they say this can’t happen to us. What everyone needs to realize is it absolutely, positively can happen to you. The question I would ask is: If there was somebody in your organization who is accessing information or more information than they should, if they were putting it on USB or other mechanisms and leaking it out of your organization, how would you know?

If the answer to that question is that you wouldn’t, then you have to realize that you could have just put your name instead of the government’s and the whole WikiLeaks thing could now be focused on your organization and all the issues you have.

Three critical questions organizations should answer to assess their vulnerabilities

What is your critical data?
What business processes utilize that critical data?
And, on what servers does that critical data reside?

If you can’t answer those fundamental questions, how are you going to be able to manage, control and implement access controls, authentication and the other protection measures that are required long-term? We have to make sure we focus on the basics before we start dealing with the complex issues.

Once again, lots of different strategies where there are actually searching techniques where you can go in and find out information about a source without getting the details, or without getting the actual document. The idea now is instead of going in and letting somebody have full access to a 40-page document, when they might only need two of the 40 pages, what if we went in and actually did a better job indexing it where now you are indexing it at a more granular level. You are indexing at a paragraph or a page level so that now you are not requesting documents, you are requesting sentences or paragraphs. Now, now all of the sudden, you can get the details you need on a specific area but the bigger risk of getting more access than what is required to do your job is reduced.

Thin Client, Virtualization Reduce Risks

Tools that need to be developed to automate this process, and can this process be automated?

If you think about the idea of having to go in and index everything at a sentence or paragraph level, it is a huge amount of work. The good part is, most of it can be done from an automated perspective. Now, there would be some costs in terms of the warehousing of this information, but you could argue that if the information is in electronic form, whether you are storing it as a single paragraph or as an entire document, it really takes up the same amount of space. So it is really the indexing form a high-end search engine to be able to build a meta- database to be able to find and access that particular data.

The other important thing is we have to better control that information. Right now today, all of the information is on servers; we have strict access control lists on the server but if you can get one person to copy that data who is authorized to their laptop, all of the access controls now are completely bypassed and they can give it out to anyone they want.

What if every time you are allowing somebody to access that sensitive information they had to do it from a thin client or a virtual machine? Anything they access could not be stored locally long-term; it would have to be maintained on the server. They could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden once again you are taking away yet another avenue of exploitation from that user.

Obviously, at some point people would need to somehow store it;
The UK prime minister isn’t going to be working on a thin client, is he?

It depends on how transparent you make it. If you have the ability to open, view, access, store and read information, whether it is on your local hard drive or whether it is remote across the network, that really doesn’t matter, and I don’t think the prime minister would care, it is all about can he get access to the information, when, where and how he needs it. And, if you look at all of the different communication mediums we have now between wireless, satellite and wired networks in almost every location, someone is always connected to a network; we can even do it at 40,000 feet now in airplanes and be able to have full access to the internet. As this access anywhere continues, I think you can do it in a way where it is completely transparent to the person and they just are not storing anything on a local portable media that has a greater risk of exposure and compromise.

At the end of the day, a lot of these problems that we see insider threat and information leakage, usually what occurs, and my guess is it would be true in this situation, the person needed some of the information in the document but not the entire document, but because most organizations don’t know to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required.

Ex HACKER: The unspoken, dirty little secret

Online home banking security gets more complex

Windows vs Linux Security

Because there are many more Windows systems in the world,there are simply more targets available for attack. This factor alone makes Windows a richer and more attractive target for malware developers, but Windows is still more vulnerable to malware.

The security differences between Windows and Linux are heavily debated and the security track record of both operating systems has proven that Linux has had fewer serious vulnerabilities. Also, Linux derives its security from the underlying Unix design philosophy.

According to some security researchers,the “Windows monoculture” contributes to disproportionate levels of malware exposure: because Windows systems are all tightly binary-compatible, a single successful attack can affect a large fraction of them (“cascade failure”);

whereas different Linux distributions are more loosely coupled with source compatibility and different selections of software. Thus, even if the software were equally buggy, the chance of a single bug affecting all Linux computers is reduced.