Monday, August 20, 2012

Mac vs Windows: security edition

I promised a post regarding security on Mac. Let's get it out of the way now!

Mac users have traditionally championed the fact that there were basically no viruses or other malware for Macs. I remember debating in school about why this was. One argument was (not my stance then or now) that since Mac OS was built on a Unix platform, which has always been considered more secure, that it too is inherently more secure. That may be true to some extent, but my argument was always that since Macs had such a small market share, it wasn't profitable for malware authors to target it.  This argument required thinking of malware as being written to make money and not just to be malicious, which, at the time, wasn't a highly accepted argument in itself. The romanticized and publicized goal of malware was just to be malicious in a "my muscles are bigger than yours" contest among malware authors.

My arguments have been borne out over time. The first part was the world's realization that malware was being written to make the author money. This was proven by the payloads of malware over time. Payloads increasingly focused on making the infected computer a host in a botnet. Botnets are a collection of infected computers that obey the commands of the botnet owner. Botnets are used for two main purposes. First is to send spam. Second is to launch DDoS (Distributed Denial of Service) attacks. A DDoS attack uses all the computers in the botnet to initiate connections to the target in an attempt to overwhelm it. A black market emerged for spam and DDoS services. Other malware payloads contained more nefarious code that steals passwords to bank account logins or anything else people type on computers that can be used to steal money.

Then the market share for Macs exploded.  Mac OSX market share passed 15% last year.  This makes it a profitable market segment to target and we have seen a flurry of malware written for Macs including fake anti-virus programs that are so popular on Windows. Major anti-virus vendors are now offering Mac OSX versions.

Now for my grandiose declaration.  I was right. I also think this puts us in a precarious position.  If Mac users continue to think themselves safe and don't bother with protecting their Macs, we could see a nasty infection spreading like wildfire.  Even the minor infections for Mac OSX thus far have spread quickly, so a well written one could do some serious damage.  It's sort of like someone with measles entering a room with a bunch of people that have not been immunized.  Not everyone will get sick but you can bet a lot will. (Honestly, I don't know how infectious measles is, but you get the point).  I am not saying this will happen, just that it is very possible.

Lastly, as a side note, it is important to point out that a lot of malware does not attack the operating system directly. A large percentage of malware exploits vulnerabilities in the browser and third-party applications or browser add-ons. Everyone, Windows and Mac users alike, needs to keep their computers and software up to date. See my post here for more information about that. In addition, Mac users need to start looking at an anti-virus solution for basic protection.

Tuesday, August 14, 2012

Personal Computer Security

Being in the IT industry, especially in security, you get asked for help cleaning infected computers.  This is rather problematic as there are many different variants of all the many malware out there. On top of that, once you clean it, they usually get it infected again. If the malware was difficult to remove, this becomes rather demoralizing. It's this vicious cycle that really needs to be addressed to improve on home computer security.

The traditional method is to use an anti-virus scanner from one of the big vendors (Norton, McAfee, TrendMicro, Kaspersky, etc). With a subscription to one of these solutions and regularly scheduled scans, you can protect yourself fairly well. However, in my experience, these solutions are not configured for scheduled scans or updates, or the subscription is expired. We need to start coupling the traditional scanner with better safety education. We don't just give someone a seat belt and say "now drive" do we?

The first thing I would like to impress on everyone is to keep your software up-to-date. Start with the operating system (OS) like Windows, Mac, Linux. Microsoft has long used the second Tuesday of each month as its designated update day. Many software vendors have adopted the same or similar schedules.  Just plan on seeing update notifications during the second week of every month. Adobe will release updates for Flash and Reader, Sun/Oracle will release Java updates, and even Apple has joined the fray releasing some of their updates. These updates will fix vulnerabilities that have been discovered by researchers and hackers alike. Many worms spread by exploiting vulnerabilities that have already been fixed by an update, but not everyone updates on time.  Any software you use should have an auto-update feature. Use it, it's worth it.

Second item to address is proper use of anti-virus scanners. Pretty much every major scanner uses signature detection. This means that the vendor has to find a piece of code or a behavior in each malware program that is always identifiable regardless of the malware version. Your computer then has to get these signatures as they come out or you aren't protected from as many threats as you could be. All scanner vendors will have an auto-update feature. Use it. Now that you are getting the latest signatures as soon as they come out, you need to use them. Set up automatic scanning on a schedule that works for you. Remember that the computer has to be on to be able to scan. If you are using a paid version of your scanner, make sure you keep the subscription/license updated so you continue to receive signature updates. Also, supplement your scheduled scanner with an on-demand scanner from another vendor. These on-demand scanners are often the free versions of major scanners. The on-demand scanner will often catch the malware your regular scanner misses. No malware scanner is 100% accurate, so the more the merrier, with one caveat: competing anti-virus scanners don't always play well with others, so you have to find a combination that gets along (a good reason to use a free one as the supplemental scanner).

Now comes the difficult-to-teach stuff. Everyone gets infected in different ways. For some it's email attachments. A zip archive with an executable file inside is common. The malware authors will try to trick you with innocuous names like invoice.doc.exe. Remember, it's the stuff after the last "." that matters. Invoice.doc.exe is an executable and probably bad. Invoice.exe.doc is just a stupid file name. You have probably heard the advice "don't open email from someone you don't know," but this is actually a little misleading. Most malware that spreads via email attachments will actually come from someone you know, because it harvests the address book of whoever it has infected. You have to learn to approach email from your friends and family with caution. Were you expecting the attachment? Does it look like it was emailed to their entire address book? Is it out of character for that person? If anything rings false about it, you may want to verify with the sender that it is legitimate.
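The "last dot wins" rule above can be turned into a simple attachment check that a mail gateway or a home user's script could apply. The following is an added example, not code from the original post; the lists of executable and decoy extensions and the sample file names are constructed for illustration and should be adjusted to your own policy.

```python
"""Check e-mail attachment names by their effective (last) extension.

Added example, not code from the original post.  The extension lists
and sample names are constructed for illustration.
"""
import re

# Extensions Windows will execute directly when the file is opened
# (constructed list; extend it to match your own gateway policy).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf",
    "hta", "msi", "ps1", "lnk",
}

# Harmless-looking extensions that are often placed in front of the real one.
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}


def effective_extension(filename: str) -> str:
    """Return the extension that decides how Windows opens the file.

    Trailing spaces and dots are stripped first, because Windows drops
    them when it creates the file ("invoice.doc.exe ." is still an .exe),
    and the comparison is case-insensitive.
    """
    name = filename.rstrip(" .")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def classify_attachment(filename: str) -> dict:
    """Explain whether a single attachment name should be blocked and why."""
    ext = effective_extension(filename)
    name = filename.rstrip(" .")
    stem = name.rsplit(".", 1)[0] if ext else name
    # Any decoy extension left in the stem means a "document" name was
    # used to hide the real executable extension (invoice.doc.exe).
    decoys = [e.lower() for e in re.findall(r"\.([A-Za-z0-9]+)", stem)
              if e.lower() in DECOY_EXTENSIONS]
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": filename,
        "effective_extension": ext,
        "executable": executable,
        "double_extension": executable and bool(decoys),
        "verdict": "block" if executable else "allow",
    }


def archive_members_to_block(member_names):
    """Return the members of a zip archive that would be blocked.

    The zip itself is not opened here; pass the member names you get
    from zipfile.ZipFile.namelist() (or any other archive listing), so
    that an executable hidden inside an archive is caught as well.
    """
    return [m for m in member_names if classify_attachment(m)["executable"]]


if __name__ == "__main__":
    # Constructed sample names covering the cases discussed in the post.
    for sample in ("invoice.doc.exe", "Invoice.exe.doc", "report.PDF.SCR ",
                   "notes.txt", "README"):
        print(classify_attachment(sample))
    print(archive_members_to_block(["docs/invoice.doc.exe", "docs/readme.txt"]))
```

Note that Invoice.exe.doc is classified as a plain document, exactly as the post says, while the trailing-space and mixed-case variants still resolve to the executable extension; the extension lists are the part you would tune for your environment.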

Spam is another avenue of infection. If you get a spam message, mark it as spam and delete it. Never ever click on an "unsubscribe" link unless you specifically remember signing up for it (which would make it not spam by definition). These unsubscribe links often lead to malicious websites, or at least confirm to the author that a person is reading email at your address (which usually leads to more spam).

Infected web pages are another avenue for infection. Malware authors will hack websites and inject "drive-by" malware that infects any computer that accesses the webpage. A recent one even detects the OS being used and downloads the appropriate payload (as opposed to just a Windows-infecting payload). You can come across infected websites almost anywhere there is a relatively popular subject matter and webmasters that either don't care or don't know. Examples of this would be "free" pornographic sites, software "crack" sites where people try to download key generators to steal licensed software, and coupon sites. I just recently discovered the problems with coupon sites. They are unique because it's common for a coupon site to force you to download and install a coupon "printer". These programs are used to keep people from abusing the coupons, basically only allowing a certain number of a particular coupon to be printed. Since users expect a download, it's easy to put up a site claiming to have great coupons for everything under the sun, but forcing a download and install before allowing access. The download is, in this case, a piece of malware. Avoiding such a site can be difficult because many of the legitimate coupon sites are home-grown and the download isn't expected to be signed. Besides looking to see if the download is signed, you can also run it in a sandbox. Avast Anti-virus has a sandbox included.

One last recommendation.  Since many malware authors are infecting systems through infected websites, it's important to choose your browser wisely.  I won't go into the specifics here, but I would recommend Firefox and Chrome over Internet Explorer and Safari.  There are other browsers, but those are the most used.  Firefox and Chrome have a better security track record and there are multitudes of security plugins coded for both that can extend your browser security. Internet Explorer has made good strides in its most recent releases but Safari continues to be troublesome.  As with any other software, keep your browser updated.

For those Apple fans that think they don't need Anti-virus, watch for a post in the future regarding the naivety of that stance.

Wednesday, August 8, 2012

Stop using Administrator Account!

One of the things that drives me crazy in the IT world is the sharing and use of the administrator account. This is also a mistake people make on their home computers. System Administrators, however, know better.

Let's start with home users. A Windows 7 box from a major manufacturer will have you provide a user name at first startup. This user name becomes your de facto login and has the same rights as the administrator user. By default, Windows 7 disables the administrator user since it generally isn't needed. This is a step in the right direction, as now an attacker has to figure out your user name as well as your password. In the past, you could always type in the user name "administrator" and then try different passwords with it. Apple fans will gleefully point out that Macs have done this forever (Mac uses the Unix "root" user rather than administrator).

This setup still has a major flaw. Almost everyone will still always log in with the user name that has administrator rights. This means that if you get an infection, it runs with administrator rights. It can do anything it wants. By default, Windows 7 will still prompt you to allow certain actions that affect core system files, like running a program downloaded from the Internet. Unfortunately, this feature is commonly turned off as a nuisance. If you insist upon using your administrative login for day-to-day computing, you should at least leave that feature enabled. The preferable solution is to create another user with non-administrative rights to use for everyday computing. From this user, any action that requires administrator rights will prompt for the user name and password of a user that does have administrator rights. Now infections will run with limited rights, if at all. Infections running under a limited user tend to be less damaging and much easier to remove.

In the IT world, it's very common to have the administrator user enabled for use in administration. Often, this administrator password is even shared among several people. This is not secure and unnecessary. I remember having several conversations with executive team members that insisted they should have the administrator password. These conversations would grow tense as the executive team member would instantly become defensive when I would tell them I wasn't giving them that password. In hindsight, it may have been easier if I didn't answer by just saying "no", which makes anyone immediately defensive! It was interesting to me to find that even a couple of the more tech-savvy executive members seemed to feel that not having the administrator password was an affront to their authority.

There are several things at play here. First, having the administrator user enabled is sometimes unavoidable. You may be forced to use software that is poorly written and requires the use of the administrator user specifically. Using such software should be avoided. Secondly, if multiple users use the same login, be it the administrator user or any other user, you will have a hard time tracking who did what. Perhaps a directory with extremely sensitive data, payroll for example, is suspected to have been accessed by someone that shouldn't have rights to access it. You go into the logs to find that the user "administrator" gave itself permissions to access the directory and five people know the password to the administrator account. Which of the five people was it? Sharing the administrator account password is common in the IT world, in my experience, and I'm not sure if it's a lack of knowledge, not caring, or simply laziness. In the SMB space it seems to be common to have only one or two systems administrators with possibly a third person, with administrative rights, as a backup. If giving all of these people full administrative access is really what you want to do, the least you can do is add each user to the administrators security group. This way they can each log in as themselves to perform administrative duties and the log will reflect what each is doing. If you have a help desk group, you may not want each of them to have full administrator rights. In this case, use the help desk security group and add role-based permissions to it. Add your help desk personnel to the help desk group. This gives them rights to do specific administrative tasks only.
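The payroll-directory scenario above is easy to show on a log. The following is an added example, not code from the original post; the key=value log format, the account roster, the personal admin accounts and the workstation assignments are all constructed for illustration (real Windows audit events look different). It walks the log for events touching the payroll share and shows that a personal admin account resolves to one person, while a shared account can at best be narrowed to a list of candidates.

```python
"""Attribute access to a sensitive share to a person, not just an account.

Added example, not code from the original post.  The key=value log format,
the account roster and the workstation assignments below are all
constructed for illustration; real Windows audit events look different.
"""
import re

# Constructed audit lines: ACL changes and reads on the payroll share.
SAMPLE_LOG = """\
2012-08-08 09:12:03 user=administrator src=WS-ACCT-02 action=acl-change path=\\\\FS01\\Payroll
2012-08-08 09:12:40 user=administrator src=WS-ACCT-02 action=read path=\\\\FS01\\Payroll\\2012-Q2.xlsx
2012-08-08 11:05:17 user=jdoe-adm src=WS-IT-01 action=acl-change path=\\\\FS01\\Payroll
2012-08-08 13:44:09 user=helpdesk-shared src=WS-IT-03 action=read path=\\\\FS01\\Payroll\\2012-Q2.xlsx
"""

# Who knows the password of each shared account (constructed roster).
SHARED_ACCOUNTS = {
    "administrator": {"alice", "bob", "carol", "dave", "erin"},
    "helpdesk-shared": {"frank", "grace"},
}
# Personal admin accounts map to exactly one owner (constructed).
PERSONAL_ACCOUNTS = {"jdoe-adm": "jdoe"}
# Who normally sits at each workstation (constructed); used only to
# narrow the candidate list for a shared-account event.
WORKSTATION_USERS = {"WS-ACCT-02": {"bob", "carol"}, "WS-IT-01": {"jdoe"},
                     "WS-IT-03": {"frank"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)


def parse_log(text):
    """Parse the constructed log into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def attribute(event):
    """Return (attributable, candidates) for one event.

    Only a personal account ties the action to one person.  For a shared
    account the best we can do is list everyone who knows the password,
    narrowed by who normally uses the source workstation; even a single
    remaining name is a lead, not evidence, so attributable stays False.
    """
    user = event["user"]
    if user in PERSONAL_ACCOUNTS:
        return True, {PERSONAL_ACCOUNTS[user]}
    if user in SHARED_ACCOUNTS:
        candidates = set(SHARED_ACCOUNTS[user])
        at_desk = WORKSTATION_USERS.get(event["src"], set())
        if candidates & at_desk:
            candidates &= at_desk
        return False, candidates
    return False, set()


def report(text, sensitive_prefix):
    """List (timestamp, account, action, attributable, candidates) for
    every event touching a path under sensitive_prefix."""
    rows = []
    for ev in parse_log(text):
        if ev["path"].startswith(sensitive_prefix):
            ok, who = attribute(ev)
            rows.append((ev["ts"], ev["user"], ev["action"], ok, sorted(who)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "\\\\FS01\\Payroll"):
        print(row)
```

The ACL change made as "administrator" comes back with two candidates out of the five who know the password, and the help desk read narrows to one name yet still is not attributable; only the jdoe-adm event names a person outright, which is the whole argument for putting each admin in the administrators group under their own account.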

The last thing at play to consider is the egos of executive team members.  Some executive team members will feel that it's their right to have the administrator account password or administrative rights. It's important to communicate with them why they don't need the password or rights. Let them know they will have access to all the data they will need, you just don't want them to unintentionally break something.  Executive team members are also the main targets of spear phishing attacks. If their account becomes compromised, you definitely don't want the attacker to have administrative rights.

Monday, August 6, 2012

Welcome back, me!

It's time to reboot this old blog.  I started it right out of school, and now I have some experience to add to it. I'm currently searching for a job, so there is some self-service with rebooting this blog, but I truly do hope that I can provide information back to the world.  As any good Systems Administrator or InfoSec Administrator knows, free information posted to the Internet can be invaluable.

That's it for the welcome back to myself post. Check back for more!

Aaron Wignall, CISSP

Saturday, February 9, 2008

Virtual Security

I teach a Securing Windows class once a week, and I make my students prepare presentations on subjects that I chose to make them think about security implementations and tools. In our last meeting, one of my students took on VMware and the applications of using virtual machines. She did a great job of pointing out the strengths of using virtual environments, even citing the use of a customer she works with.

I write this not just to give my student kudos, but also to make security people think about using virtual environments. We all know that a Windows box is pwned if there is physical access. Physical access for only a couple of minutes makes any Windows machine's security pointless. Even if we disable CDROM access and USB so that it can't be booted into a live disc environment, and password protect the BIOS, it really only requires a little more time to break. What if, however, all the sensitive data is contained inside a virtual machine on the Windows box? Now physical access isn't the pwnage it used to be. Even if you get on the Windows box, you still have to crack the login to the Virtual Machine, which, as far as I know, can't be cracked with a live disc. If it can, I'd like to know about it.

Virtual Machines also help with redundancy, eliminating single points of failure. Not only can we have a mirror image on the same box, but we can back up the Virtual Machine to a second box rather easily, which we can do with a non-virtual machine, but the beauty of it is that we can run multiple machines on one box (assuming none of the virtual machines require 100% of the hardware resources). For smaller companies, we could run the file server and the web server from the same hardware, in different virtual machines. We can even run a firewall off the same box so the web server is in the DMZ. With clustering, we could, potentially, run this configuration for some moderate size businesses. This cuts the hardware costs while still having a fully fail-over capable system.

With 8-core processors coming out, and new server operating systems able to handle huge amounts of RAM, using virtual machine technology in your network can be a cost effective AND secure way to go.

Friday, February 1, 2008

My security outlook

As a n00b in the security world, I have still to prove myself as a true security professional. Until then, and perhaps building up to that, I'm going to go ahead and post my thoughts and hope that the day comes when people point at this blog and say "He said it there months/years ago!". Here's hoping!

There are many facets to information security, as we all know, and no one blog post can touch on them all. I want to touch on the consumer side of things in the area of malware and online identity protection. As much as security experts focus on malware scanning and detection, you'd think we could be in a safer state on the Internet. We aren't, and I think I know why. If you arrest a meth addict and throw him/her in jail, what have you accomplished? Virtually nothing. The addict will be in jail for a while, able to obtain meth in jail, and will emerge still addicted. Even if they can't obtain drugs while in jail, they will still emerge addicted or go back to the same group of friends and get back into it. With malware we see the same trend. If a computer user spends his time browsing a particular kind of site, he gets infected. Maybe he cleans his computer, but he continues to visit the same sites, and will continue to become infected. So by identifying a piece of malware on your computer and cleaning it, you've managed to arrest the meth addict, accomplishing very little.

Drug addicts have a better chance of going clean if they change their surroundings and who they talk with. If they stop hanging around the same friends that use, they aren't tempted to use again (as much, anyway). Also, if the drugs are harder to come by, that helps. That's why many attorneys general are focusing on finding the drug labs/sources. Finding the labs/sources of malware is significantly more difficult, but not impossible. Changing the environment is another story.

My point is, to boil things down, that we have malware detection (telltale signs of the meth addict), and we have people searching for the labs/authors (attorneys general's initiatives), but we have done almost nothing to change the environment that general users are operating in. Sure we release security patches for software, and come out with new versions of operating systems, but how many actual users have patched systems, or upgrade to the new operating systems? Pathetically few. That's because we haven't brought security to the masses. It's time to educate the users. Fewer vulnerable computers on the net mean fewer places for malware to spread to. This means smaller botnets, and fewer losses of personal info. Any AUP author can tell you the key to enforcing it is educating the users. Now we need a public AUP or, as I like to call it, SUP (Suggested Use Policy, or Smart User's Policy, Smart Use Policy, Stupid User's Policy, Safe Use Policy; it's that versatile of an acronym) :) I understand that we can't reach everyone, and that some people just won't listen, but if we can teach people to drive a car, we can teach them to drive a computer.

So how do we do it? Well, I call upon ISPs to start educating their users; less malware traffic on the ISP's network means less bandwidth wasted, so there is monetary incentive for it. I also call upon security people with an affinity for words to write "For Dummies" books, or other info security books written in straight English/German/etc. (i.e. not in geek language). I also call upon security professionals to write blogs that educate general users. And lastly, if you advertise security, provide it! (Hint hint ScanAlert, Microsoft, Apple).