March 31, 2009

Will April 1st be Conficker's D-Day that Blows Up the Internet? NO!

NO!

Contrary to popular belief by the mass of non-security Internet citizens the Internet will not turn into Armageddon on April 1st, 2009. It's not going to turn into anarchy where zombie computers spew their venom through the billions of miles of cables that make up the Internet - that's just not going to happen. At least that's the belief of most of us in the security industry. Could it be a hoax? Sure. Could there be a large influx of newly infected PCs? Sure. Maybe the already infected PCs start doing something different like a DDOS attack or something else. Who knows, we don't...only the criminals behind the infections/attacks do.

I've heard from many of my non-technical friends and coworkers asking about this "new" worm that is set to "explode", as they put it, at midnight on April 1st. I've even seen people say to unplug their computers, like turning them off, from March 31st and then plug them back in on April 2nd. No really, that's what they are saying. Take a look at an email I received earlier today that's making the rounds of non-technical users:
Subject: unplug computer Mar 31, replug April 2

Unplug your computers from the internet on March 31 and don't reconnect them until April 2. Then it won't have access to the web to "activate" the worm if you have it (that's how the article says this worm works). Hopefully by April 2 they will have a "fix" for it and you can get back on your machine.
Sigh.

While I appreciate all the awareness they are providing acting like this is some huge tital wave that will wash your home away is just ridiculous. If your Windows computer is fully patched, including this one from October, you have some sort of antivirus and firewall than you are safe from this worm.

No, the Internet is NOT going to explode tomorrow! See you online.

March 19, 2009

Basic Measures Would Prevent Most Breaches?

We just finished our March meeting of the Northeast Ohio Information Security Forum and there's one talk in particular that got me thinking about basic security measures. The talk was called "The Top 10 Breaches of 2008" by Tom Eston who is a lead security assessment professional working at a Fortune 500 company. I along with many others in the audience were amazed at the lack of basic security measures in many of the incidents reviewed that if implemented could have prevent some of them.

During the talk there was a fair amount on discussion and comments from the audience. We were pretty harsh and quick to judge the security, or lack thereof, practices of the organizations who suffered the breach. While these folks may deserve the criticism one thing that we all probably didn't think hard about is the fact that they are just like many of us in that they are overworked having too much security work that needs done and not enough time or money to complete it.

That said, the common cause of these breaches appears to be the lack of focus and execution of some basic security measures. We all need to heed the lessons from these breaches and DO THE BASICS:
  • Egress Filtering Rules. Keep that data from escaping your network.
  • Practice the "need to know" principle in access control. Why do they have access to that data when they don't need it for their job?
  • Monitoring of Access. Who's watching the logs showing when someone used their access?
  • Monitoring Outbound Activity Initiated by Servers. Why is that server FTPing out to an IP on the Internet when it normally doesn't?
  • Tighter Access Control on Servers
  • PCI Certified != You're Secure
  • Encrypt the Backup Tapes. Okay, this might be a little more than basic but c'mon - most backup software can do this.
Tom's talk was very good and I recommend you check out the presentation (download from here PDF) as well as his blog http://www.spylogic.net

March 15, 2009

Message to US Adversaries: You Have Plenty of Time to Launch Cyber Attack

This is basically what the US government is telegraphing to those who want to attack our infrastructures. This conclusion of mine for the most part was confirmed today when I read the ThreatChaos post about the National Cybersecurity Center director (Rod Beckstrom) resigning, after only a year in office and little accomplished - not due to his lack of trying I might add.

Read his resignation letter, which is posted here. It's very telling of the issues in the agency. His two main complaints and reasons for leaving are power fights with NSA (re.; no power or authority to do the job he was given), and lack of funding. It sounded like this new center was doomed from the start.

He said he had only 3 people on his staff and 5 weeks of funding. What? No wonder couldn't get much completed. This office's mission was to address the lack of cyber security within the US Federal government and it's expected to accomplish this with 3 people and no funding?

The other main issue has to do with fighting with the NSA over the program. The NCSC is in DHS yet the NSA wants this role and according to Beckstrom's letter some in DHS were putting up roadblocks in his way. To make matters more difficult the Director of National Intelligence is putting his support behind the NSA.

Now another year has gone by and cyber security is still not a priority for the US Federal government and the mess still exists. Many Federal agencies are doing cyber security work that overlaps with each other and a central coordinating agency still does not exist.

One idea I'm hearing is the creation of a new armed forces branch to be in charge of cyber security and I think that's a great idea. A decision needs to be made soon and we need to get moving with improving our nations cyber security from both a defensive and offensive standpoint. Our adversaries aren't waiting, they continue to attack and breach our defenses.

There is one piece of good news however: on February 9th, 2009 President Obama issued a directive to conduct an immediate cyber security review of all plans, programs, and activities underway throughout the government dedicated to cyber security. They have 60 days to complete it. Press release here. I'm glad they are trying but I'm not holding my breath that decisions will be made soon (re.; weeks) after this review is completed and it's entirely possible we'll still be waiting by the next election cycle this November.

My plea to the policy makers in the US Federal government: stop advertising our confusion and uncertainty, make the decisions that need to be made, execute on those decisions, and start showing our adversaries we are serious about cyber security before it's too late. Oh and by the way, there are plenty of good people in the private industry that are willing to help you.

March 1, 2009

Malware Remover Affiliates Using Deceptive Advertising


So I was trolling around the Internet looking for rogue security software and found a site that has *free* in the name which made me want to take a closer look. The site is free-malware-removal.com. When visiting the site you'll see the phrase "Free Malware Removal" all throughout the site. When looking through the HTML code you'll also see references to "free malware removal" and "free" in the meta tags. No big deal, right?

Well the gotcha is when you attempt to download the software you are given a PayPal page requiring you to pay $24.99 for the download - what happened to FREE?


I started suspecting that this was a website advertising fake or rogue security software but when I looked closer and found a claim stating they are an affiliate of Malwarebytes. I assume they mean Malwarebytes.org which is a legitimate software company. The graphic of their product even shows Malwarebytes but they could have ripped that off the legitimate site or even designed it themselves. I couldn't seem to find any other links or references to the Malwarebytes folks - all I find is "Las Vegas Computer Repar" at the bottom of the main page. If this really is a Malwarebytes affiliate than the Malwarebytes folks should have a conversation with this affiliates about their practices. If this is not affiliate than it's likely a rogue security application.

Now I know this is a tame example of using deceptive advertising compared with the techniques being used by the thousands of fake security programs out there but this is just another example of how legitimate software companies need to manage their affiliates better because it can reflect poorly on them directly.

The poor practices by this affiliate are:
* Using the word *free* in their domain name when they are not offering any sort of free product
* Using the phrase "free malwaral removal" all throughout the site when that's not true

I recommend staying away from this website.