The DNS Changer: End of the Internet–or not

There has been a lot of talk in the news about this DNS Changer worm, and how it will cause people to lose their internet connection on Monday. I wanted to take a moment to clear some things up, as the news basically points you to the FBI’s site (and their information). The link to their information is here.

So, here we go…

  1. Originally there were over 14 million estimated computers infected with these worms. Through the FBI and ISP’s sending out warnings, that number has decreased dramtically. RIght now, in the US, it’s estimated that only 70,000 devices are infected. (Worldwide stats are available from the FBI.) This is why they’re shutting down the servers.

  2. The FBI set up it’s own DNS Servers at the “rogue” IP Addresses, because with so many infected computers, it would have been catastrophic to shut the sites down cold. Imagine waking up to find that over 14 MILLION people have lost internet access suddenly.

  3. Basically what’s happening is this: DNS is like calling directory assistance and getting someone’s phone number. Your browser does this, when it doesn’t know the address (think phone number) of a website. That virus changed those “Directory Assistance” numbers to it’s own set. So it’s as if you were calling a special number for Directory Assistance, and they gave you what numbers they wanted you to dial (not necessarily the number to the person you were calling). Or they gave you a number that would charge your phone bill on their behalf (like using a Phone card to call).

In terms of DNS, your browser would either get sent to an ad site, porn site, or something else, when you typed in a site name. Or if you did a search, it would fake the results of the search with malicious sites (where you could be infected with other viruses), or it would replace the ads on a legitimate site (since your browser had to get the ads from somewhere), with their own ads. It was hinted that the viruses would also capture your passwords, but I haven’t seen anything openly saying that. Although if someone’s infected with any virus, they’ll want to change their passwords after fixing their computer.

** Another common analogy for DNS is like sending a letter through the Post Office, but to be honest, I’m not sure how this would play out in that scenario.

How do you know if you’re infected with the worm?

The easiest way to check your computer is to visit this site for their steps. They have a page which will tell you (via a green or red background on a picture) if you’re infected or not. One drawback is if your ISP “fixes” or alters DNS entries, it may look like you’re clean, when you’re really not.

As for what to check on your computer, here’s what to do:

For Windows Users:

  1. Click the Start orb, and type cmd in the bottom box (where it says “Search”).
  2. Click on Command Prompt (or cmd) in the results at the top.

** These instructions are for Windows Vista/7 users mainly. In older versions of windows, it would be the start button, then Run… and type cmd, or (in all versions of Windows) you can also press the Windows Key and the R key at the same time, and type cmd in the “Run…” box that pops up.

  1. Type in ipconfig /all (or copy and paste from this post).

You’re going to get a lot of information on the screen. What you’re looking for will say something like this:

Local Area Connection (Ethernet)
IP Address: 192.168.x.x (could be something like 192.168.2.100)
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.x.1 or 192.168.x.254 (whatever the IP Address from your modem or router is)
DNS Servers: xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx

*Those are what you’re looking for ***

What the link said to do was look at the first set of xxx’s in each DNS server. If it’s in their table, then look at the second set of xxx’s in each server. If that’s in the table, look at the third set, and so on. If at ANY point, you find a set of xxx’s that’s not listed in their table, you can stop. Even if it’s one number.

Here is the table that they are referring to.

Rogue DNS Servers

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

If your DNS Servers are the same as your “Default Gateway” up above, then you need to log into your modem and check them from it. If you have just a modem, then you’ll probably want to call your ISP for help with this. Unless of course, you’ve logged into it enough times that you know what to do. If you have a separate router (like a Linksys, Cisco, or Netgear router for example) that your computer is plugged into, you should be able to go to their site and get information on how to log in. The steps here are general (as the pages and passwords are different for each router).

  1. In your browser, type in the IP Address for your Default Gateway and hti enter.
  2. On the screen that comes up, type in the username and password for your router (NOTE** if you haven’t changed these from the default (usually admin for both), YOU NEED TO DO THAT!!!!!!!!!!!)
  3. You will be presented with the setup screens for your router. You want to look for the DNS information screens (first look at your Status screens, and if the DNS Entries aren’t there (or are the rogue entries) then look for how to configure them).
  4. If your DNS Entries are the rogue entries in the table, then you need to change them back to “good” ones (or follow whatever steps are needed to have your ISP automatically provide them). Personally, I recommend using Public DNS entries (like 208.67.222.222 and 208.67.220.220 for OpenDNS or 8.8.8.8 and 8.8.4.4 for Google DNS), but it’s your decision whether to use your ISP’s or not.

Apply the changes, and restart your computers after the modem/router restarts. You should be all set for Monday.

For Linux users, you’ll either want to check your /etc/resolv.conf file to see if it has the rogue DNS servers or manually edit your network connections (or router/modem).

And for Mac users, you’ll want to check the instructions from the FBI’s website link.

If your computer is/was infected, you need to take steps to clean it. On the link that I provided above for detecting whether you’re infected, they have links to tools for cleaning your computer. After running these tool(s) and making sure your comptuer is clean, you most defiinitely want to change ALL of your passwords. This goes without saying for any malware that’s on your computer (not just this one).

Good luck, and I’ll see you on Monday (hopefully).

Have a great day:)
Patrick.

Cyber Security Tip: ST06-002 Debunking Some Common Myths

http://www.us-cert.gov/cas/tips/ST06-002.html This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).

These are some of the common myths that still float around today. The tip was created in 2006.  Along with the five myths that Ms. McDowell wrote about, I would add a couple of more.

Myth: I only check my email and surf Facebook. I don’t surf porn sites or download music/videos, so I don’t need to protect myself. Truth: It’s not so much where you surf, as how well the people/organizations that developed the websites protected them from hacking. Facebook, for example, has viruses floating around in the form of videos, games, and other applications. Even law enforcement agencies have been hacked, because they didn’t protect against some of the more common attacks.

So,  you may be surfing to sites that should be safe–yet they may have malware installed on them without the owners knowledge.

Myth: I don’t run Windows, so I don’t need to protect my computer. Truth: Flashback worm, anyone? It’s not only the operating system that you have to worry about. The latest worms to affect the Apple Mac OS X operating system are Java-based attacks. That’s because Apple doesn’t update Java at the same time as Oracle. People running Linux, Windows, Solaris, and other operating systems weren’t affected by the worm for two reasons: 1. it was designed for OS X, and 2. Oracle had already updated Java months before this attack started.  Apple just chose to sit on their heels and not provide the update immediately.

The point is, no one is 100% safe from attacks–regardless of what operating system you run. That’s not to say that some of them are a lot less likely to be attacked. Just that it can happen, so you need to take precautions. And, the idea of “I won’t use an antivirus because it’s a waste of CPU cycles” is bull. Computers are fast enough now that the CPU cycles used are negligible. And if you’re running applications/games that are that CPU intensive, that’s an issue for the developer of the application/game–NOT the antivirus developer or you.

Have a great day:)
Patrick.

A "Health Certificate" for the Internet? Hmmm…..

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/10/05/the-need-for-global-collective-defense-on-the-internet.aspx

A few days ago, a Microsoft employee (in their Trustworthy Computing division) posted a blog entry discussing the need for a “health certificate” to allow computers on the Internet. In order to be considered “healthy” your computer must have all available updates (I’m assuming Security here), and updated antivirus, and an updated firewall. And be virus free.

On the surface it sounds good (and in some other levels also). But, there are some considerations that need to be made.

First, what if your operating system doesn’t have (and isn’t easily susceptible to) viruses? I’m looking at Mac OS, Linux, and other unix variants here. Will there be a provision that states only Windows computers require antivirus software? And if, at some point, the other OS’es find the need for antivirus software, will the provision be put in for them?

Secondly, the idea is that they will be completely blocked from the Internet. So, pray tell, how will they block the computer? Will they do it by MAC Address (the “Physical Address of the Network Card)? Or will they block it at the modem level? This presents two problems: If the computer has multiple NIC’s (wired and wireless for example), they can still get on the Internet for a brief time. Also, how will the user get the needed updates to get their “health certificate”?

Thirdly, what exactly would the “health certificate” be? Will it be like a Digital Certificate? Will it be like the Windows Activation? How will they prevent people from forging their certificates or stealing others?

Fourth, how will this keep me from screwing up my facebook with those stupid lolzvideo viruses that are floating around? (I don’t click those, but I know a lot of people who do) After all, no antivirus protects you from that. And I would imagine that for the average person, that is the biggest hassle. They don’t realize the other dangers, because they don’t play in the big park. They go to their email and surf facebook and youtube.

The Health Certificate is a good theory. If someone actually decides to implement it, it needs to be an independent party with NO interests in any operating system or security software. Because if you have an interest in a product that the health certificate affects, you’re inherently going to shift the balance in favor of your interests. In other words, Microsoft has a good idea, but they shouldn’t have anything to do with implementing it.

One telling thing about this is that between 1 and 10 million Windows PC’s are involved with botnets. The number of Macs, Linux PC’s/Servers, and other devices that run non-Windows code is closer to zero. Now that may change if virus creators figure out a way to hack through OS X or Linux. But the point is that right now, it’s more than likely a Microsoft product that is causing the problems.

All of this being said, I think the health certificates are a decent idea. And after skimming through the actual white-paper on the subject, it raises some good points that aren’t being covered in the media.

Personally I think that the “Health Certificates” should contain the following information:

1. All MAC Addresses in the computer (this should be the ONLY identifiable information)
2. Operating System information (Windows/Linux/OS/etc and version including build where appropriate).
3. A check to see if all required security updates are installed properly.
4. If the Operating System requires a firewall and antivirus, whether these are present, turned on, and updated completely.

The “Health Certificate” should be generated on the fly. This will ensure that the most current information is presented. Tools like Belarc Advisor already generate the information that I suggest (and could easily be incorporated into the Health Certificate program).

Let me know what you think of the Health Certificate ideas. Read the white-papers on the Microsoft site, and do a little research into the idea. Let me know what you’d like to see in one (if they’re implemented).

Have a great day:)
Patrick.

Some Lessons to be Learned from Stuxnet

There’s a lot of talk going around about the Stuxnet worm, who may have created it, how it spread, and why. The reality is that it boils down to “human nature”. It’s human nature to be curious, which is probably what started the infection in the first place. The main theory is that someone dropped an infected USB thumb drive in a place where their “target” would find it. Curiosity about what was on the drive prompted the “target” to infect their computers. And so on and so on.

It’s time to retrain human nature again. This could have been prevented if three simple rules had been in place (and followed).

  1. Do not insert thumb drives in any company computer unless you either a) pulled it out of the shrink-wrap yourself or b) know the person who pulled it out of the shrink-wrap.
  2. Do not insert thumb drives into your company computer that have been inserted into any NON-company computer (this includes your home computer)
  3. Do not insert anything into a SCADA or other “non-Internet” or “special networked” computer that is not directly authorized by your company.

Now I realize that it’s hard (if not impossible) to change human nature. And I realize that no Company Policy in the world will change human nature. Let me ask you this though: When is the last time that your company warned you about picking up USB Thumb Drives (or anything else like that) and putting them in company computers? Along that line, did they just say “Don’t do it” or did they tell you about the risks?

It’s time to rethink and retrain our human nature. After all regardless of who created Stuxnet, they counted on human nature to get the infection rolling. They had to get it inside of the target network, and most likely a USB Thumb Drive was the way to go. They didn’t even have to get it near their target, because they knew the person who initially found the drive would infect their computers (and consequently any thumb drives that they inserted into those computers). And that’s all it would take.

At the very least, if you can’t stop Human Nature, then mitigate it. Either figure out a way to run the thumb drive in a sandbox, or run it on an operating system (like Mac OS or Linux) that isn’t easily infected.

Also it should be noted that if the virus is implanted on the drive at the manufacturer’s level, then it won’t matter who unwrapped it from the packaging. But, that’s a very rare situation (only a handful of cases have been made public).

Have a great day:)
Patrick.

Why Industrial Process Controllers shouldn’t have any access to the Internet

A Silent Attack, But Not a Subtle One

This is another article about the Stuxnet worm. It’s becoming more apparent that the actual target was the Nuclear Program in Iran. However, the worm is spreading throughout the world affecting virtually any Siemens Industrial Controls.

This underlies a problem that plagues most manufacturing plants around the world: computers which are used to control processes that have access to the Internet. According to this article, it’s estimated that industrial plants have about 90 days before hackers start using the worm (and the vulnerabilities that it targets). The first 30 to 45 days should be spent isolating the process control systems from the Internet (and from any Internet capable computers).

This will require them to reconfigure routers and switches and the computers themselves. Sort of creating a network inside of the network. In theory, the easiest way to do this is to create a subnet (and Virtual LAN) that is specifically used for the Process. At the router levels, create ACL’s which deny any traffic between that subnet and the outside world. Then in the offices and control rooms, configure one set of computers to use that subnet, and another set for the regular plant’s networks. The only exception to the ACL would be a server which is used for VPN access into the network.

For access outside of the plant, engineers and other authorized persons would have a laptop that VPN’s into the subnet for the process OR the plant subnet–but not both at the same time. The security of this system can be maintained through a combination of means.

  • For instance, Microsoft created a networking system which refuses connections from devices that are not updated completely. This could be used to ensure that the laptop isn’t infected (or potentially infected).
  • Secondly, as of right now, the Unix/Linux Operating Systems are virus free. So, the worms which are infecting Windows computers (and then the Process Control Systems via the network) will be rendered useless. ***Note this is a double-edged sword***
  • Finally, company policies which prohibit the use of their laptops for personal business (read as surfing the Web, playing videos and music, etc) and prohibit the use of Thumb Drives or other non-company approved devices on the Process Systems, would go a long ways towards slowing this. Not only do the Policies need to be in place, but they need TEETH. If an employee signs a paper which specifically states that they are personally liable for any damages resulting from violations of the policy, they’re less likely to violate the policy.

I mentioned that the second means was a double-edged sword. This is because as of right now, there are virtually no viruses or malware aimed at the *nix Operating Systems (this includes Unix, Linux, Mac OS, and BSD variants). However if they are being used for Process Controls, you can bet that virus writers will start targeting those operating systems. So, the people in charge of securing them need to step up NOW to make sure that their tag-line of the “secure operating system” holds true.

Have a great day:)
Patrick.

US Fails in CyberAttack Simulation

http://www.thenewnewinternet.com/2010/02/16/more-must-be-done-to-prepare-us-for-cyber-attack/ and http://www.darkreading.com/security/cybercrime/showArticle.jhtml?articleID=222900775&cid=nl_DR_DAILY_2010-02-18_h

Yesterday, former members of the Government participated in a Cyber Security Game called Operation CyberShockwave, which was a test of how well the US Government would handle a cyber-attack.  The results?  We failed miserably.  There’s more work that needs to be done.

The scenario was an application that people downloaded to their Smartphones for “March Madness” was actually a malware program.  In “July, 2011” (the simulated event date), the attacker activates the malware and the phones stop working.  At some point in time during this, IED’s are detonated, which take out parts of the power grid on the Eastern Seaboard. 

Between Power Grid failures, the Electronic Trading Commission being taken down, and the Internet (and smartphones) being taken down, it’s a mess.  So, how did our “Government” do?  They figured out that the server hosting the malware was in Russia, and possibly that the developer was from Sudan.  That’s about as far as we know.

What does all of this mean? Well, if you’re Amish, not much.  But for the rest of us, it means that our Government (and the Private Sector—that’s YOU AND ME, folks) need to come up with a comprehensive plan for dealing with these attacks.  There needs to be a clear-cut determination for when the attack begins (and the Government should start acting) and when it ends (and they should stop).  And there needs to be a clear-cut determination as to whether the Government needs to step in at all.

Some issues that were raised in the simulation are these: 

  1. We know the malware is being hosted on a server in a foreign country. Can we have that Government shut the server down?  If so, do we have to reciprocate if they’re being attacked by malware on a US server?
  2. Should the Department Of Defense take the lead in combating the attack?  If so, how do they coordinate with the Private Sector (who is obviously taking their own steps to combat it and discover the source)?
  3. Would this be an instance where President Obama’s plan to take control of the cyber networks should be implemented? If so, how long should they maintain control?  Should they work with the Private Sector, or basically push them aside?  Will the Public be notified of this and kept up to speed on what’s going on (or will they be kept in the dark “for their own good.”)?

This is not an issue of whether or not we could actually combat the attack.  It’s my belief that amongst the 300 million people in this country, someone (or some group) would be able to find the source.  They may even be able to shut it down.  The issue is whether the Government would work with the Private Sector (and the public in general) to combat this.  And how would the Government mobilize on their end?

So for the Government, you have some work ahead of you.  One thing to take into consideration is that we have some of the brightest “Hackers” living in our country.  We also have experts in the Private Sector and in the Educational Sector, who could prove extremely valuable in an attack.  One issue that you’ll face is some of these people will not like (nor want) to work with you.  They’re distrustful of you, and would be afraid that after the attack is finished, you’ll turn your “eye” to them.  So, you need to work on that problem as well.

The clock is ticking. And the world is watching (or at least the “Online world”).  And as much as I hate saying it, the majority of Americans aren’t informed enough to avoid the pre-cursors for such an attack.  So, it’s up to you to make sure we’re protected.

Have a great day:)
Patrick.

Virginia Won’t Pay Hacker’s Ransom Demand – InsideTech.com

Virginia Won’t Pay Hacker’s Ransom Demand – InsideTech.com

Recently a “cyber-criminal” (please note that I’m not using the overhyped and irresponsibly used term “hacker”) broke into the Virginia Department of Health’s database and stole a bunch of records.  The criminal claimed that they also deleted the backups of the records (which was false) and demanded a ransom of $10 million.

Instead of paying, Virginia is working with the FBI to apprehend the criminals.  Are they doing the right thing here?  I would say “yes” and “no”.  Understand that I am basing this upon the same information that you have—I don’t have any secret information about the case.

Yes they are doing the right thing by refusing to pay the ransom, and by working with the appropriate law enforcement agencies to track down the criminal(s) responsible.  It would be foolish and useless to give into the demands, as the criminal will either a) not give you the records or b) give you something more like a virus with them.

Based on the articles that I’ve read, there is a possibility that the information that was stolen includes identifiable information such as your Social Security number (this is only in the case of Virginia residents who have had prescriptions filled).  The articles do not specify if the state is working with Credit reporting agencies to prevent Identity theft.

This would be where I have to say “No.”  If your bank is breached, or a store that you’ve used  a credit card at is breached (or the credit card processing agency), they typically offer those infected with a years’ worth of credit monitoring.  And they typically bear the burden of the cost of the monitoring.  It’s a small price for them to pay, in order to regain your trust.

The articles don’t specify if Virginia is doing any of this.  If they are then I say they’re doing everything right (as far as things I’ve looked at). But if they aren’t doing anything to prevent the Identity theft, then they are putting their residences at an unnecessary risk.

These articles also emphasize the need for stronger security and the need to maintain backups off-site.  The criminal claims that the backups were still attached to the system, and that he/she deleted them.  If that’s the case, then the state failed right there.

This is an issue that everyone can monitor and take some learning examples from. Especially when it comes to maintaining backups and protecting your information.  You may not be able to control it once you put it on someone’s server, but you definitely can control it on your computer.

If you’re a resident of Virginia and were affected by this (or know someone who is), please drop me a note and let me know if the state is doing anything to help you safeguard your personal information in this matter.

Have a great day:)

Patrick.

MS08-067: Not updating has created a monster botnet | Network Administrator | TechRepublic.com

 

MS08-067: Not updating has created a monster botnet | Network Administrator | TechRepublic.com

For those who are slow in updating, here’s a reason why you need to be more diligent about this.  Especially this specific update.  Why anyone would neglect to update their computers this long escapes me.

If you’re running a pirated copy of Windows XP (or ANY version of Windows for that matter) it’s time to grow up and get legal.  You’re half the problem right now.  Since your version is considered pirated, you can’t get the security updates.  So you’re at a greater risk of becoming infected and enabling botnets like this one.

I do realize that Microsoft has (and had) issues with their Activation and Genuine Advantage program.  If you’ve fallen victim to this, I hope you’re taking steps to resolve the issue with Microsoft.  And I’m not referring to you when I say “get legal”.  I understand that you have a genuine copy of Windows and are falling victim to a bug.  I’m talking to the ones who are downloading XP from bittorrent sites and from Limewire and other P2P applications.  I’m talking to those people who are thinking that they’re getting something for free (and sticking it to a monopolistic company like Microsoft).  Yep, you’re getting something for free alright.  You’re getting trojans and bots.  You’re getting infected.  And you’re giving something out for free too.  Information and more trojans and bots.

I also realize that the majority of the people who read this blog are coming because they are computer professionals or techie types (and that you’re probably running legit copies).  But, there may be a few who aren’t.  That’s why I’m posting this and talking tough.

This security update has been out for over a month now.  And over a month ago it should have been stopped dead in it’s tracks.  But since security experts are still finding bots, it’s obvious that some people missed the boat.  It’s time to grab a lifejacket and fix the problem.

Have a great day:)

Patrick.

It’s Patch Tuesday and you need to patch

Microsoft released two patches today.  One is marked Critical and the other is marked Important.  They are:

Microsoft Security Bulletin MS08-069 – Critical

Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)

And

Microsoft Security Bulletin MS08-068 – Important

Vulnerability in SMB Could Allow Remote Code Execution (957097)

If you’re running a client computer (Windows 2000 Pro, Windows XP, or Windows Vista), then you need to patch these right away.  However you can test them before patching your Servers, but I wouldn’t spend too long on it (by next Monday at the latest).

MS08-069 concerns the XML Core Services.  This fixes CVE-2007-0099, CVE-2008-4029, and CVE-2008-4033.  If the user goes to a malicious website, then the possibility exists that the site will be able to execute programs with the level of privilege that the user has.  Meaning, if it’s an Administrator account, they’ll have full privileges.  If it’s a limited user, they won’t have as many.

Also, depending on which version of XML Core Services that you’re running, is whether Microsoft considers this Critical (XML Core Services 3.0) or Important (XML Core Services 4.0, 5.0 and 6.0).  But if it is there, you need to get it.

It looks like the main problems are Remote Code Execution in XML Core Services 3.0 and Information Disclosure in the rest.

MS08-068

This issue lies in the Server Mesage Block (SMB) Protocol.  This is the protocol used for logging into the shared folders over a network (especially if you’re running a mixed network of Windows, Linux/Unix, and/or Macintoshes).  It has other uses as well.

If an attacker is successful in exploiting this vulnerability, they can execute code, create or remove folders and programs, and create or remove user accounts.  Like the XML Core Services vulnerability above, a limited user has less capabilities than an Administrator.

On Windows 2000 through 2003, this is listed as Important.  Also on Windows 2000 and XP SP2, it replaces the following Security bulletins MS06-030 (2000 SP4) and MS05-011 (XP SP2).  For Windows Vista and Server 2008, this is listed as Moderate.

The Internet Storm Center lists both of these vulnerabilities as Critical on clients and Important on Servers.  Also neither of the Microsoft bulletins mention the Windows 7 Beta, however if you’re lucky enough to be running that, I suggest checking for updates anyhow.  Especially since you may have one of the XML Core Services installed (with Office or for another reason).

Have a great day:)

Patrick.

Patch Tuesday is tomorrow if you have a Windows-based computer

Just a reminder that Microsoft will be releasing two bulletins tomorrow.  One looks to affect the XML Core Services that both Windows and Office use.  The other is an issue with Windows, but isn’t clear yet.  So, we’ll have to see tomorrow for sure.

I’ll post an entry tomorrow when I’ve read the bulletin releases.  If you’re using Linux or Mac OS, you should be running your update program on a regular basis.  On my Ubuntu system, I’m running it about every two to three days.  Sometimes there are updates, and others there aren’t.

If you want to know whether you should update your Linux or Mac system, I recommend subscribing to Secunia.com’s security alerts.  They alert on a wide variety of programs (and some hardware) when a vulnerability is released. 

While at their site, you may want to check out their Personal Security Inspector (if you’re a Windows user).  It’s a nice program that checks the programs on your computer against their advisories.  It checks installed programs and other executable files in the installed folders.  If an issue is found, the PSI gives you assistance in how to correct it.

Have a great day:)

Patrick.