Monday, August 20, 2012

Mac vs Windows: security edition

I promised a post regarding security on Mac. Let's get it out of the way now!

Mac users have traditionally championed the fact that there were basically no viruses or other malware for Macs. I remember debating in school about why this was. One argument (not my stance then or now) was that since Mac OS was built on a Unix platform, which has always been considered more secure, it too must be inherently more secure. That may be true to some extent, but my argument was always that since Macs had such a small market share, it wasn't profitable for malware authors to target them. This argument required thinking of malware as something written to make money rather than just to be malicious, which, at the time, wasn't a widely accepted view in itself. The romanticized and publicized goal of malware was simply to be malicious, in a "my muscles are bigger than yours" contest among malware authors.

My arguments have been borne out over time. The first part was the world's realization that malware was being written to make its author money. The payloads proved it. Payloads increasingly focused on making the infected computer a host in a botnet, a collection of infected computers that obey the commands of the botnet owner. Botnets are used for two main purposes: sending spam and launching DDoS (Distributed Denial of Service) attacks, in which every computer in the botnet initiates connections to the target in an attempt to overwhelm it. A black market emerged for spam and DDoS services. Other payloads carried more nefarious code that steals passwords for bank account logins, or anything else people type on their computers that can be turned into money.

Then the market share for Macs exploded. Mac OS X market share passed 15% last year. That makes it a profitable segment to target, and we have seen a flurry of malware written for Macs, including the fake anti-virus programs that are so common on Windows. Major anti-virus vendors now offer Mac OS X versions of their products.

Now for my grandiose declaration: I was right. I also think this puts us in a precarious position. If Mac users continue to think themselves safe and don't bother protecting their Macs, we could see a nasty infection spread like wildfire. Even the minor infections for Mac OS X thus far have spread quickly, so a well-written one could do some serious damage. It's sort of like someone with measles entering a room full of people who have not been immunized. Not everyone will get sick, but you can bet a lot will. (Honestly, I don't know how infectious measles is, but you get the point.) I am not saying this will happen, just that it is very possible.

Lastly, as a side note, it is important to point out that a lot of malware does not attack the operating system directly. A large percentage of malware exploits vulnerabilities in the browser, browser add-ons and third-party applications. Everyone, Windows and Mac users alike, needs to keep their computer and software up to date. See my post here for more information about that. In addition, Mac users need to start looking at an anti-virus solution for basic protection.

Tuesday, August 14, 2012

Personal Computer Security

Being in the IT industry, especially in security, you get asked for help cleaning infected computers. This is rather problematic, as there are many variants of the many malware families out there. On top of that, once you clean a machine, the owner usually gets it infected again. If the malware was difficult to remove, this becomes rather demoralizing. It's this vicious cycle that really needs to be addressed to improve home computer security.

The traditional method is to use an anti-virus scanner from one of the big vendors (Norton, McAfee, Trend Micro, Kaspersky, etc.). With a subscription to one of these solutions and regularly scheduled scans, you can protect yourself fairly well. However, in my experience, these solutions are often not configured for scheduled scans or updates, or the subscription has expired. We need to start coupling the traditional scanner with better safety education. We don't just hand someone a seat belt and say "now drive", do we?

The first thing I would like to impress on everyone is to keep your software up to date. Start with the operating system (OS): Windows, Mac OS X or Linux. Microsoft has long used the second Tuesday of each month as its designated update day ("Patch Tuesday"), and some other vendors have lined up with it. Adobe generally releases its Flash and Reader fixes on the same day; Oracle's Java updates and Apple's updates follow their own schedules, so expect update notifications through the rest of the month as well. These updates fix vulnerabilities that have been discovered by researchers and attackers alike. Many worms spread by exploiting vulnerabilities that an update has already fixed, because not everyone installs updates on time. Any software you use should have an auto-update feature. Use it; it's worth it.

The second item to address is proper use of anti-virus scanners. Pretty much every major scanner relies on signature detection. This means the vendor has to find a piece of code, or a behaviour, in each malware program that stays identifiable regardless of the malware version. Your computer then has to receive these signatures as they come out, or you aren't protected from as many threats as you could be. Every scanner vendor offers an auto-update feature. Use it. Now that you are getting the latest signatures as soon as they come out, you need to use them: set up automatic scanning on a schedule that works for you, and remember that the computer has to be on for the scan to run. If you are using a paid version of your scanner, keep the subscription/license current so you continue to receive signature updates. Also, supplement your scheduled scanner with an on-demand scanner from another vendor. These on-demand scanners are often the free versions of major products, and they will often catch malware your regular scanner misses. No malware scanner is 100% accurate, so the more the merrier, with one caveat: competing anti-virus scanners don't always play well together, so you have to find a combination that gets along (a good reason to use a free on-demand scanner as the supplement rather than a second real-time one).
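To make the signature idea concrete, here is a toy scanner written for this post; it is not taken from any anti-virus product. It uses two kinds of signature that real products also use: an exact file hash, and a byte pattern (here a hard-coded phone-home URL fragment) that survives from one version of the malware to the next. The three "malware" samples and the two signature databases are constructed for the example and are just a few made-up bytes, not real malware.

```python
"""Toy signature scanner: why anti-virus signatures need constant updating.

Constructed example. The "samples" are a few made-up bytes, not real malware,
and the signature databases are invented for this illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str                 # "hash": exact SHA-256 of the file; "pattern": byte sequence
    value: Union[str, bytes]  # hex digest for "hash", raw bytes for "pattern"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, database: List[Signature]) -> List[str]:
    """Return the names of every signature in the database that matches the file."""
    digest = sha256_hex(data)
    hits = []
    for sig in database:
        if sig.kind == "hash" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "pattern" and sig.value in data:
            hits.append(sig.name)
    return hits


# --- Constructed samples -----------------------------------------------------
# Version 1 of a fictional bot: a fake executable header, some "code" bytes, and
# the string it uses to phone home to its command-and-control server.
C2_V1 = b"GET /bot/cmd?id="
BOT_V1 = b"MZ\x90\x00" + b"\x55\x8b\xec" * 4 + C2_V1 + b"\x00" * 8

# Version 2: the author recompiled it (the "code" bytes changed), so the file
# hash changed, but the phone-home string is the same.
BOT_V2 = b"MZ\x90\x00" + b"\x55\x89\xe5" * 4 + C2_V1 + b"\x00" * 8

# Version 3: the author also moved the C2 server, so the old string is gone.
C2_V3 = b"GET /cc/cmd?id="
BOT_V3 = b"MZ\x90\x00" + b"\x55\x89\xe5" * 4 + C2_V3 + b"\x00" * 8

# --- Constructed signature databases -----------------------------------------
# What the vendor shipped after analysing version 1 only.
DB_OLD = [
    Signature("Bot.A (exact hash)", "hash", sha256_hex(BOT_V1)),
    Signature("Bot.A (C2 string)", "pattern", C2_V1),
]
# The next signature update adds a pattern for version 3.
DB_UPDATED = DB_OLD + [Signature("Bot.A variant (new C2 string)", "pattern", C2_V3)]


def coverage(database: List[Signature]) -> dict:
    """Which of the constructed samples does a given database detect?"""
    return {
        "v1": bool(scan(BOT_V1, database)),
        "v2": bool(scan(BOT_V2, database)),
        "v3": bool(scan(BOT_V3, database)),
    }


if __name__ == "__main__":
    for label, db in (("old signatures", DB_OLD), ("updated signatures", DB_UPDATED)):
        print(label, coverage(db))
```

With the old database the exact-hash signature matches only the original sample, the byte-pattern signature also catches the recompiled variant, and the variant that changed its phone-home string is invisible until the updated database arrives. That gap is the whole reason the scanner's auto-update matters, and also why no single signature set is ever complete.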

Now comes the difficult-to-teach stuff. Everyone gets infected in different ways. For some it's email attachments. A zip archive with an executable file inside is common. The malware authors will try to trick you with innocuous names like invoice.doc.exe. Remember, it's the part after the last "." that matters. Invoice.doc.exe is an executable and probably bad; Invoice.exe.doc is just an odd file name. Be aware that Windows hides known file extensions by default, so invoice.doc.exe is displayed as plain invoice.doc; turn that option off in the folder view settings so you can see the real extension. You have probably heard the advice "don't open email from someone you don't know", but this is actually a little misleading. Most malware that spreads via email attachments will come from someone you know, because it harvests the address book of whoever it has infected. You have to learn to approach email from friends and family with caution. Were you expecting the attachment? Does it look like it was sent to their entire address book? Is it out of character for that person? If anything rings false, verify with the sender that it is legitimate before opening it.
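As an added illustration, here is a small Python attachment checker written for this post (not code from the original). It applies the "last extension wins" rule, looks inside a zip archive, and flags the double-extension disguise. The file names, the zip archive and its contents are constructed for the example; the list of executable extensions is the usual set of Windows file types that run when double-clicked.

```python
"""Attachment checker: the real extension is the one after the LAST dot.

Constructed example for this post. The zip archive and its contents are built
in memory here; nothing is read from disk or from real mail.
"""
import io
import zipfile
from typing import List, Tuple

# File types Windows will run when double-clicked. (.pif and .scr are still
# executables despite their "shortcut" and "screensaver" names.)
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "hta",
    "vbs", "vbe", "js", "jse", "wsf", "wsh",
}
# Extensions people expect to be harmless; used to spot a disguise.
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}


def _base_name(filename: str) -> str:
    """Strip any directory part (either slash style) and lower-case the name."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1].lower().strip()


def real_extension(filename: str) -> str:
    """Extension after the last dot, lower-cased; '' if there is none."""
    base = _base_name(filename)
    return base.rsplit(".", 1)[1] if "." in base else ""


def classify_name(filename: str) -> str:
    """Verdict for a single file name, using only the name."""
    parts = _base_name(filename).split(".")
    ext = real_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        # invoice.doc.exe -> parts[-2] == "doc": an executable dressed as a document
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            return "EXECUTABLE disguised as .%s" % parts[-2]
        return "EXECUTABLE"
    return "not executable (.%s)" % ext if ext else "not executable (no extension)"


def inspect_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Verdicts for an attachment; zip archives are opened and each entry judged."""
    verdicts = [(filename, classify_name(filename))]
    if real_extension(filename) == "zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for entry in archive.namelist():
                if entry.endswith("/"):      # directory entry, nothing to run
                    continue
                verdicts.append((filename + "::" + entry, classify_name(entry)))
    return verdicts


def dangerous(verdicts: List[Tuple[str, str]]) -> List[str]:
    """Names of everything the inspection marked executable."""
    return [name for name, verdict in verdicts if verdict.startswith("EXECUTABLE")]


def build_sample_zip() -> bytes:
    """Constructed 'invoice.zip' of the kind described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("invoice.doc.exe", b"MZ fake executable for the example")
        archive.writestr("readme.txt", b"Please see attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("Invoice.doc.exe", "Invoice.exe.doc", "photo.JPG.scr", "report.pdf"):
        print(name, "->", classify_name(name))
    results = inspect_attachment("invoice.zip", build_sample_zip())
    for name, verdict in results:
        print(name, "->", verdict)
    print("block these:", dangerous(results))
```

The name check is only a first filter: it tells you that invoice.zip contains an executable pretending to be a Word file, which is exactly what the hidden-extensions default would have concealed. It says nothing about whether a genuine .doc or .pdf is safe, so the "were you expecting this?" questions above still apply.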

Spam is another avenue of infection. If you get a spam message, mark it as spam and delete it. Never click an "unsubscribe" link unless you specifically remember signing up for the mailing (which would make it not spam by definition). These unsubscribe links often lead to malicious websites, or at the very least confirm to the sender that a live person is reading email at your address (which usually leads to more spam).

Infected web pages are another avenue of infection. Malware authors hack websites and inject "drive-by" malware that infects any computer that visits the page. A recent one even detects the visitor's OS and downloads a matching payload, rather than a payload that only infects Windows. You can come across infected websites almost anywhere there is a relatively popular subject matter and webmasters who either don't care or don't know better. Examples would be "free" pornographic sites, software "crack" sites where people download key generators to steal licensed software, and coupon sites. I only recently discovered the problems with coupon sites. They are unique because it's common for a legitimate coupon site to make you download and install a coupon "printer", a program used to keep people from abusing coupons by only allowing a certain number of copies of a particular coupon to be printed. Since users expect a download, it's easy to put up a site claiming to have great coupons for everything under the sun and to force a download and install before allowing access. In that case the download is a piece of malware. Avoiding such a site can be difficult, because many of the legitimate coupon sites are home-grown and their downloads aren't expected to be signed. Besides checking whether the download is signed, you can run it in a sandbox first; Avast Anti-virus includes one.

One last recommendation. Since many malware authors are infecting systems through infected websites, it's important to choose your browser wisely. I won't go into the specifics here, but I would recommend Firefox and Chrome over Internet Explorer and Safari. There are other browsers, but those four are the most used. Firefox and Chrome have a better security track record, and there are multitudes of security plugins for both that can extend your browser's security. Internet Explorer has made good strides in its most recent releases, but Safari continues to be troublesome. As with any other software, keep your browser updated.

For those Apple fans that think they don't need Anti-virus, watch for a post in the future regarding the naivety of that stance.

Wednesday, August 8, 2012

Stop using Administrator Account!

One of the things that drives me crazy in the IT world is the sharing and use of the administrator account. This is also a mistake people make on their home computers. System administrators, however, should know better.

Let's start with home users. A Windows 7 box from a major manufacturer will have you provide a user name at first startup. This user name becomes your de facto login, and because it is placed in the Administrators group it has the same rights as the built-in Administrator account. By default, Windows 7 leaves the built-in Administrator account disabled, since it generally isn't needed. This is a step in the right direction, as an attacker now has to figure out your user name as well as your password. In the past, you could always type in the user name "administrator" and then try different passwords with it. Apple fans will gleefully point out that Macs have done this forever (Mac OS X ships with the Unix "root" user disabled rather than an "administrator" account).

This setup still has a major flaw. Almost everyone will still log in with the user name that has administrator rights. This means that if you get an infection, it runs with administrator rights and can do anything it wants. By default, Windows 7 will still prompt you (User Account Control, or UAC) before allowing actions that affect core system files or settings, like installing a program downloaded from the Internet. Unfortunately, this feature is commonly turned off as a nuisance. If you insist on using your administrative login for day-to-day computing, you should at least leave UAC enabled. The preferable solution is to create another user without administrative rights and use it for everyday computing. From that user, any action that requires administrator rights will prompt for the user name and password of a user that does have them. Now infections run with limited rights, if at all. Infections running under a limited user tend to be less damaging and much easier to remove.

In the IT world, it's very common to have the Administrator account enabled for use in administration. Often, the Administrator password is even shared among several people. This is neither secure nor necessary. I remember having several conversations with executive team members who insisted they should have the Administrator password. These conversations would grow tense, as the executive would instantly become defensive when I told them I wasn't giving them that password. In hindsight, it may have been easier if I hadn't answered with just "no", which makes anyone immediately defensive! It was interesting to me to find that even a couple of the more tech-savvy executives seemed to feel that not having the Administrator password was an affront to their authority.

There are several things at play here. First, having the Administrator account enabled is sometimes unavoidable. You may be forced to use a piece of software that is poorly written and requires the Administrator account specifically. Such software should be avoided.

Second, if multiple people use the same login, be it the Administrator account or any other, you will have a hard time tracking who did what. Suppose a directory with extremely sensitive data, payroll for example, is suspected to have been accessed by someone who shouldn't have rights to it. You go into the logs and find that the user "administrator" gave itself permissions to the directory, and five people know the Administrator password. Which of the five was it? Sharing the Administrator password is common in the IT world, in my experience, and I'm not sure if it's a lack of knowledge, not caring, or simply laziness.

In the SMB space it seems to be common to have only one or two systems administrators, with possibly a third person holding administrative rights as a backup. If giving all of these people full administrative access is really what you want, the least you can do is add each person's own account to the Administrators group. This way they each log in as themselves to perform administrative duties, and the log reflects what each of them did. If you have a help desk group, you may not want each of them to have full administrator rights. In that case, use a help desk security group, grant it role-based permissions for the specific administrative tasks they need, and add your help desk personnel to that group. This gives them rights to do those tasks only.
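To show what the shared-account problem looks like in the logs, here is a small Python example written for this post (not code from the original). It takes a handful of constructed records in the shape of Windows Security Log events 4624 (an account was logged on) and 4670 (permissions on an object were changed) and correlates each permission change back to its logon session through the Logon ID. The field names are those of the real events; the accounts, workstations, addresses and logon IDs are made up, as is the list of people who know the shared password. It goes one step beyond the paragraph above: the correlation recovers the workstation the change came from, which narrows the field, but with a shared account it still cannot name the person.

```python
"""Who changed the permissions on the payroll folder?

Constructed example. The records mimic Windows Security Log events 4624
(logon) and 4670 (permissions on an object were changed) with their real
field names, but every value below is invented for the illustration.
"""
from typing import Dict, List

EVENTS: List[Dict] = [
    # Someone logs on with the shared built-in account from a help desk PC...
    {"EventID": 4624, "TargetUserName": "administrator", "TargetLogonId": "0x3e7a1",
     "LogonType": 10, "WorkstationName": "HELPDESK-PC3", "IpAddress": "10.0.5.23"},
    # ...and a named administrator logs on from her own machine.
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x4c102",
     "LogonType": 10, "WorkstationName": "JSMITH-PC", "IpAddress": "10.0.5.41"},
    # Permission changes: the Subject fields name the account and its logon session.
    {"EventID": 4670, "SubjectUserName": "administrator", "SubjectLogonId": "0x3e7a1",
     "ObjectName": r"D:\Finance\Payroll"},
    {"EventID": 4670, "SubjectUserName": "jsmith", "SubjectLogonId": "0x4c102",
     "ObjectName": r"D:\HR\Reviews"},
]

# Who knows the password of each shared account (constructed for the example).
SHARED_ACCOUNTS: Dict[str, List[str]] = {
    "administrator": ["alice", "bob", "carol", "dave", "erin"],
}


def attribute_permission_changes(events: List[Dict], object_name: str,
                                 shared_accounts: Dict[str, List[str]] = SHARED_ACCOUNTS
                                 ) -> List[Dict]:
    """For each 4670 on object_name, find the 4624 that created the session and
    report the account, where the session came from, and who could be behind it."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4670 or e["ObjectName"] != object_name:
            continue
        account = e["SubjectUserName"]
        logon = logons.get(e["SubjectLogonId"])   # same Logon ID links the two events
        findings.append({
            "account": account,
            "workstation": logon["WorkstationName"] if logon else None,
            "ip": logon["IpAddress"] if logon else None,
            # A personal account names one person; a shared one names everyone who knows it.
            "suspects": shared_accounts.get(account.lower(), [account]),
        })
    return findings


if __name__ == "__main__":
    for obj in (r"D:\Finance\Payroll", r"D:\HR\Reviews"):
        for f in attribute_permission_changes(EVENTS, obj):
            who = (f["suspects"][0] if len(f["suspects"]) == 1
                   else "one of " + ", ".join(f["suspects"]))
            print("%s: changed by %s from %s (%s) -> %s"
                  % (obj, f["account"], f["workstation"], f["ip"], who))
```

For the payroll folder the correlation gets you as far as "someone at HELPDESK-PC3 using the shared account", and the investigation stops there unless that PC was only ever used by one person. For the reviews folder the same two events name jsmith directly, which is the whole argument for putting individual accounts in the Administrators group instead of handing out one password.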

The last thing to consider is the egos of executive team members. Some executives will feel it's their right to have the Administrator password or administrative rights. It's important to explain to them why they don't need either. Let them know they will have access to all the data they need; you just don't want them to unintentionally break something. Executive team members are also the main targets of spear phishing attacks. If an executive's account becomes compromised, you definitely don't want the attacker to get administrative rights along with it.

Monday, August 6, 2012

Welcome back, me!

It's time to reboot this old blog. I started it right out of school, and now I have some experience to add to it. I'm currently searching for a job, so there is some self-interest in rebooting this blog, but I truly do hope I can give some information back to the world. As any good systems administrator or InfoSec administrator knows, free information posted to the Internet can be invaluable.

That's it for the welcome back to myself post. Check back for more!

Aaron Wignall, CISSP