US Fails in CyberAttack Simulation

http://www.thenewnewinternet.com/2010/02/16/more-must-be-done-to-prepare-us-for-cyber-attack/ and http://www.darkreading.com/security/cybercrime/showArticle.jhtml?articleID=222900775&cid=nl_DR_DAILY_2010-02-18_h

Yesterday, former members of the Government participated in a Cyber Security Game called Operation CyberShockwave, which was a test of how well the US Government would handle a cyber-attack.  The results?  We failed miserably.  There’s more work that needs to be done.

The scenario was that an application people downloaded to their smartphones for “March Madness” was actually malware.  In “July, 2011” (the simulated event date), the attacker activates the malware and the phones stop working.  At some point during this, IEDs are detonated, which take out parts of the power grid on the Eastern Seaboard.

Between Power Grid failures, the Electronic Trading Commission being taken down, and the Internet (and smartphones) being taken down, it’s a mess.  So, how did our “Government” do?  They figured out that the server hosting the malware was in Russia, and possibly that the developer was from Sudan.  That’s about as far as we know.

What does all of this mean? Well, if you’re Amish, not much.  But for the rest of us, it means that our Government (and the Private Sector—that’s YOU AND ME, folks) need to come up with a comprehensive plan for dealing with these attacks.  There needs to be a clear-cut determination for when the attack begins (and the Government should start acting) and when it ends (and they should stop).  And there needs to be a clear-cut determination as to whether the Government needs to step in at all.

Some issues that were raised in the simulation are these: 

  1. We know the malware is being hosted on a server in a foreign country. Can we have that Government shut the server down?  If so, do we have to reciprocate if they’re being attacked by malware on a US server?
  2. Should the Department Of Defense take the lead in combating the attack?  If so, how do they coordinate with the Private Sector (who is obviously taking their own steps to combat it and discover the source)?
  3. Would this be an instance where President Obama’s plan to take control of the cyber networks should be implemented?  If so, how long should they maintain control?  Should they work with the Private Sector, or basically push them aside?  Will the Public be notified of this and kept up to speed on what’s going on (or will they be kept in the dark “for their own good”)?

This is not an issue of whether or not we could actually combat the attack.  It’s my belief that amongst the 300 million people in this country, someone (or some group) would be able to find the source.  They may even be able to shut it down.  The issue is whether the Government would work with the Private Sector (and the public in general) to combat this.  And how would the Government mobilize on their end?

So for the Government, you have some work ahead of you.  One thing to take into consideration is that we have some of the brightest “Hackers” living in our country.  We also have experts in the Private Sector and in the Educational Sector who could prove extremely valuable in an attack.  One issue that you’ll face is that some of these people will not like (or want) to work with you.  They’re distrustful of you, and would be afraid that after the attack is finished, you’ll turn your “eye” to them.  So, you need to work on that problem as well.

The clock is ticking.  And the world is watching (or at least the “Online world”).  And as much as I hate saying it, the majority of Americans aren’t informed enough to avoid the precursors of such an attack.  So, it’s up to you to make sure we’re protected.

Have a great day:)
Patrick.

How to protect yourself against the Chinese Google hack – Computerworld Blogs

By now you probably have heard about the “Google Hack”.  If not, here’s a recap.  Earlier in the week, Google announced on their blog that they were hacked in November (along with other companies in the Financial, Technology, and utility sectors).  They posted that the hacking came from China, and in their case was limited to the Gmail accounts of Chinese bloggers and Chinese activists.

Google also announced that due to this attack, along with their feelings on censorship and freedom, they are no longer going to censor results in China—in other words, no more Google in China. 

A lot of speculation was floating around about how the hackers were able to get the information.  People were blaming Adobe (because of the flaws in their products).  Well, it turns out that it’s Internet Explorer that’s being exploited.

This article goes into detail about how to limit your chances of being hacked through this vulnerability, and is especially important because the exploit is being “sold” in hacking toolkits.

One idea that wasn’t mentioned is using Firefox or Chrome to surf the web.  Also, if you’re running Vista or Windows 7, you need to have UAC enabled (as much as it sucks in Vista).  If you’re running XP or 2000, then you need to have a non-Administrator account and use it for your daily work.  Only use your “Computer Administrator” or “Administrator” account when YOU are intentionally installing something.  The reason is simple: code that runs through a browser exploit gets whatever rights the logged-in user has, so a limited account contains the damage and an administrator account hands over the whole machine.

You NEED to read the linked blog post, as the author goes into great detail about how to check to see if you’re protected, and enable it if not.

Have a great day:)
Patrick.

An inside look at how Spyware works

This embedded video gives you a little behind-the-scenes look at how the cyber criminals steal your information.  The gentleman being interviewed is an ex-hacker who works with the Government now.  The video was originally part of the History Channel’s “Modern Marvels” series, and all Copyrights belong to them.

As always, this is not meant to scare people away from the Internet or computers.  It’s simply meant to show you how important it is to protect yourself with updates, antivirus, antispyware, firewalls, and good practices while on the computer.  And it’s meant to emphasize one important fact:

YOUR INFORMATION IS IMPORTANT TO A CRIMINAL—REGARDLESS OF HOW IMPORTANT YOU THINK IT IS.

Have a great day:)
Patrick.

55,000 Web sites hacked to serve up malware cocktail | Zero Day | ZDNet.com

ZDNet is reporting that ScanSafe has found around 55,000 websites that are compromised with malware today.  As of right now, doing a Google search for “script src=http://a0v.org/x.js” (the script tag injected into the compromised pages; if this link is clickable DO NOT CLICK IT) results in 107,000 hits.  Some of those are not malicious, but are reporting about the compromise.

What does this mean?  It means that if you’re a webmaster you need to search your own pages for this tag, not just check whether your site shows up in the search results.  If you find it, you need to scrub your site, find and close the hole it came in through (otherwise it will be back), and reinforce your security measures.  If you’re a web surfer, you need to be careful about where you go.
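
To make “search for this tag” concrete, here is an added example (my own code, not from the ZDNet or ScanSafe write-ups) that walks a site’s document root and flags `<script>` and `<iframe>` tags that pull from an outside host, with the a0v.org host from the report treated as known-bad and anything else external reported unless you allowlist it.  It also greps the raw text for the bad host, because injected code is sometimes assembled in JavaScript rather than written as a literal tag.  The sample pages in the block are constructed for the demo, not real compromised sites.

```python
"""Scan web pages for an injected external <script>/<iframe> reference.

Added example, not from the original post or from ScanSafe/ZDNet.  The only
indicator taken from the post is the a0v.org host; the sample pages below
are constructed for the demo.
"""
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Host named in the report.  Extend as new indicators are published.
KNOWN_BAD_HOSTS = {"a0v.org"}

# File types worth scanning on a typical site of the period.
SCAN_SUFFIXES = {".html", ".htm", ".php", ".asp", ".aspx", ".js"}


class _RefCollector(HTMLParser):
    """Records the src of every <script> and <iframe> start tag, with its line."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, line)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src.strip(), self.getpos()[0]))


def _host_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def scan_html(html, allowed_hosts=frozenset()):
    """Return findings for external references that are known-bad or not allowlisted.

    Each finding is a dict with tag, host, src, line and reason.  Hosts in
    allowed_hosts (your own CDN, analytics, etc.) are not reported.
    """
    collector = _RefCollector()
    collector.feed(html)
    findings, reported_hosts = [], set()
    for tag, src, line in collector.refs:
        host = _host_of(src)
        if not host:
            continue  # relative path: served by this site, not the injection we are after
        if host in KNOWN_BAD_HOSTS:
            reason = "known-bad host"
        elif host not in allowed_hosts:
            reason = "external host not on allowlist"
        else:
            continue
        reported_hosts.add(host)
        findings.append({"tag": tag, "host": host, "src": src, "line": line, "reason": reason})

    # Injected code is sometimes built up in JavaScript (document.write of split
    # tag fragments) rather than written as a literal tag, so also grep the raw text.
    lowered = html.lower()
    for bad in KNOWN_BAD_HOSTS:
        pos = lowered.find(bad)
        if pos != -1 and bad not in reported_hosts:
            findings.append({"tag": "text", "host": bad, "src": bad,
                             "line": lowered.count("\n", 0, pos) + 1,
                             "reason": "known-bad host referenced outside a src attribute"})
    return findings


def scan_tree(root, allowed_hosts=frozenset()):
    """Walk a document root and map each file that has findings to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_html(path.read_text(encoding="utf-8", errors="replace"), allowed_hosts)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample pages for the demo (not real compromised sites).
SAMPLE_CLEAN = '<html><head><script src="/js/site.js"></script></head><body>ok</body></html>'
SAMPLE_COMPROMISED = ('<html><body><form action="contact.php"><input type="submit"></form>\n'
                      '<script src=http://a0v.org/x.js></script></body></html>')
SAMPLE_OBFUSCATED = ('<html><body><script>document.write("<scr"+"ipt src=\'http://a0v.org/x.js\'>'
                     '</scr"+"ipt>");</script></body></html>')
SAMPLE_THIRD_PARTY = '<html><body><iframe src="//cdn.example.net/widget.html"></iframe></body></html>'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['reason']}: <{h['tag']}> {h['src']}")
```

Run it against your document root (`python scan_injected.py /var/www/html`, assuming that file name) and treat every hit as something to explain.  The allowlist matters: a legitimate site loads scripts from a handful of outside hosts, and once those are listed, anything new that appears is exactly what this compromise looks like from the webmaster’s side.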

55,000 or even 107,000 doesn’t sound like a lot of sites in the big picture.  But, if you’re looking for sporting heroes, charities, cruises, information about studying in China, or assisted living facilities (just to name a few types of sites that are compromised) you need to worry.

It appears that at least some of the sites are compromised on their “Contact Us” pages.  So, without actually visiting the sites, I can only guess that the I-Frame is hiding on top of the Submit button on the contact form.  This is a form of “click-jacking”.

My suggestion is that you use a browser such as Firefox with NoScript or other add-ons that block JavaScript and Flash for a while.  With 107,000 sites, it’s going to be a long time before this mess is cleaned up.  And since the number of infected sites is growing, not shrinking, we’re in the early stages of the curve.

If you have to use Internet Explorer, then I suggest turning on Protected Mode and paying close attention to what’s going on.  If you’re looking at a site and it wants to download something, click “No”. If the site doesn’t work properly, you can always refresh and click “Yes”.  I don’t recommend clicking the “Allow on all Websites” option, as this effectively defeats the purpose of Protected Mode.

And you need to make sure your antivirus and antispyware programs are updated and doing their jobs too.  While this malware may be new enough that it’s not detected immediately, the antimalware community will catch up to it.

Tread carefully for a while.  More so than you should be already.

Have a great day:)
Patrick.

What is Hacking: an Overview

“Hacking”—It’s the catch phrase of the media and the Information Security field nowadays.  But is all hacking bad?  And was hacking originally a criminal activity?  This article looks at both of these questions and more.

There’s a lot more to hacking than what the media makes it out to be. I have a feeling that you may be surprised by some of what you read.

Have a great day:)
Patrick.

Virginia Won’t Pay Hacker’s Ransom Demand – InsideTech.com

Recently a “cyber-criminal” (please note that I’m not using the overhyped and irresponsibly used term “hacker”) broke into the Virginia Department of Health’s database and stole a bunch of records.  The criminal claimed that they also deleted the backups of the records (which was false) and demanded a ransom of $10 million.

Instead of paying, Virginia is working with the FBI to apprehend the criminals.  Are they doing the right thing here?  I would say “yes” and “no”.  Understand that I am basing this upon the same information that you have—I don’t have any secret information about the case.

Yes, they are doing the right thing by refusing to pay the ransom, and by working with the appropriate law enforcement agencies to track down the criminal(s) responsible.  It would be foolish and useless to give in to the demands, as the criminal will either a) not give you the records or b) give you something more like a virus along with them.

Based on the articles that I’ve read, there is a possibility that the information that was stolen includes identifiable information such as your Social Security number (this is only in the case of Virginia residents who have had prescriptions filled).  The articles do not specify if the state is working with Credit reporting agencies to prevent Identity theft.

This would be where I have to say “No.”  If your bank is breached, or a store where you’ve used a credit card is breached (or the credit card processing agency), they typically offer those affected a year’s worth of credit monitoring.  And they typically bear the cost of the monitoring.  It’s a small price for them to pay in order to regain your trust.

The articles don’t specify if Virginia is doing any of this.  If they are, then I say they’re doing everything right (as far as the things I’ve looked at).  But if they aren’t doing anything to prevent the identity theft, then they are putting their residents at unnecessary risk.

These articles also emphasize the need for stronger security and the need to maintain backups off-site.  The criminal claims that the backups were still attached to the system, and that he/she deleted them.  If that’s the case, then the state failed right there: a backup that the compromised system can reach is a backup the attacker can delete, which is the whole reason for keeping a copy off-site or otherwise out of the system’s reach.

This is an issue that everyone can watch and learn from, especially when it comes to maintaining backups and protecting your information.  You may not be able to control it once you put it on someone else’s server, but you definitely can control it on your own computer.

If you’re a resident of Virginia and were affected by this (or know someone who is), please drop me a note and let me know if the state is doing anything to help you safeguard your personal information in this matter.

Have a great day:)

Patrick.

Malicious software and why would you want it anyhow?

Regardless of the title of this, I’m mainly aiming this at the copies of Windows 7 RC that are being distributed via .torrent files.  Yes I know there have been “leaked” copies of Windows 7 out, but the Release Candidate is available from Microsoft now.  So, my question is what do you have to gain by downloading it via .torrent files?

Do you get an extended license key?  I doubt that highly.  The keys that you get from the public download are good until June 2010 (according to one report).  And the Release Candidate is going to be essentially the same thing as the RTM version (unless there are “show-stopper bugs” in it).  Since Microsoft is allowing you to use the keys for 13 months, they’ll update the release candidate along with the RTM versions that you’ll buy.

Do you get an advanced copy that “no one else has”?  Um…  NO. You may have gotten an advanced copy that people who are willing to wait for didn’t have.  But, unless you were the FIRST person to receive a copy of the file, you aren’t getting something that “no one else has”.  You’re getting something that your friends may not have.  But truthfully, if your friends weren’t already running the beta version, they probably don’t care.

Are you getting a hacked copy that will run on anything?  Well now, we’re getting closer to the mark here.  But sadly, no.  You’re getting the same copy that everyone else has (with a little more).  You aren’t getting something with the “Blue Badge” (which unlocked features in the pre-Beta 1 versions).

So, what are you gaining by downloading Windows 7 RC from a .torrent file?  You’re gaining a system that will be PwN3d from the moment that you hook it to the Internet.  See, one version of the .torrent file has two files in it.  One is a setup.exe file, and the other is a virus.  The setup.exe file has been “hacked” to automatically call (and install) the virus as part of the Windows 7 installation.

What does this mean?  It means that if you’re upgrading from your Vista or XP computer, then there’s a good chance that all of your passwords and other information are being given out.  And if you’re doing a clean install, then your passwords and other information are SLOWLY being given out (slowly because you’ll have to reenter them one at a time).

And you’re not “Sticking it to the man” either.  Why?  Because there’s a really good chance that whatever “key” you installed with is going to expire in June, 2010 along with everyone else’s.  Not to mention that if you get caught seeding the file, Microsoft can sue you for a lot of money.  And given the legal status of copyrights, you could end up in jail.  It’s doubtful, but really now, is it worth the risk?  For something that you can get from Microsoft anyhow…

Have a great day:)
Patrick.

Some WPA2 Routers

Since the latest news is about WPA’s TKIP encryption being cracked, I decided to look into some of the routers that are available to find the ones that support WPA2.  While some routers may not support WPA2, if they support WPA1 with AES instead of TKIP, that would work until you can get one that supports WPA2 (or until someone cracks WPA-AES).

Either way, make sure you don’t use a weak password.  Also one thing that needs to be noted is this:  In order for WPA2 to work, your wireless router AND the adapter in the computer need to support it.
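
To make the “don’t use a weak password” point concrete, here is an added example (my own code, not from the original post or any router vendor) showing how WPA-Personal and WPA2-Personal both turn the passphrase into the 256-bit key, and how an attacker who has captured one handshake can guess at it offline.  The wordlist is constructed for the demo; the “password” / “IEEE” pair is the known-answer vector published in the 802.11i standard.

```python
"""WPA/WPA2-Personal PSK derivation and what it means for passphrase strength.

Added example, not from the original post.  The derivation is the one
specified in IEEE 802.11i for WPA-PSK and WPA2-PSK alike; the wordlist is
constructed for the demo.
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 4096   # fixed by the standard
PSK_LEN = 32           # 256-bit pairwise master key


def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    Identical for WPA (TKIP), WPA with AES-CCMP and WPA2: choosing AES or WPA2
    changes the per-packet cipher, not the strength of the key you typed in.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ROUNDS, PSK_LEN)


def offline_guess(target_psk, ssid, wordlist):
    """Model the attacker's position after capturing one 4-way handshake.

    Returns (passphrase, guesses_tried) or (None, guesses_tried).  A real
    cracker checks each candidate against the handshake MIC instead of
    against the PSK itself, but the cost per guess is the same 4096 HMAC
    rounds, and nothing the router does can slow it down once the capture
    has been taken.
    """
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(wpa_psk(candidate, ssid), target_psk):
            return candidate, tried
    return None, len(wordlist)


# Constructed wordlist: the defaults and dictionary words a cracker tries first.
DEMO_WORDLIST = ["12345678", "linksys1", "qwertyui", "password", "letmein1"]


def demo(ssid="IEEE", passphrase="password"):
    """Derive the PSK a router would use, then attack it with the demo wordlist."""
    psk = wpa_psk(passphrase, ssid)
    return offline_guess(psk, ssid, DEMO_WORDLIST)


if __name__ == "__main__":
    # Known-answer vector from the 802.11i standard: "password" / "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    print(demo())
```

Two things follow from the derivation.  The SSID is the salt, so a router left on a default SSID such as “linksys” is exposed to precomputed tables, and a unique SSID costs the attacker a fresh run per network.  And since the passphrase is the only secret input, a long random one is the only thing that makes the offline guessing impractical.  Moving to AES addresses the cipher weakness in the news; it does nothing for a guessable passphrase, which is why both matter.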

So here are the routers that I checked out, along with links to their pages.

Linksys
WRT54G2
WRT110
WRT54G  (Only claims WPA but has WPA2 in data sheet)
WRT310N
According to Linksys support, almost all of their routers support the WPA2 standard.  Possibly their really old routers won’t support it, but any new ones do.  You may have to do a firmware upgrade, if the box or data sheet doesn’t specify it, so check their site to make sure before purchasing the router.

D-Link
DWL-7230AP
DWL-7130AP
DWL-2230AP

I sent an e-mail to D-Link for information about other routers that support WPA2.  When I get more information, I will post it here.

Belkin
Wireless G Router
Wireless G+MIMO Router
Wireless N Router
Wireless N1 Router

3Com
3CRWER300-73
3CRWDR300A-73
3CRWDR300B-73
3CRWDR200A-75
3CRWDR101A-75
3CRWDR101B-75

Netgear

Here is a quote from the Technical Support team at Netgear.  I emphasized part of it by putting it in bold/underline…

Netgear products that do not support WPA2
RP614V2, V3,WGU624,WGT634,WGR614,WPN824,MR814
However, N standard routers are compatible with WPA2, but the wireless adapters should have the latest drivers.

Network Everywhere (low-end brand from Wal-Mart)

This series of routers doesn’t support WPA or WPA2 (at least not the ones they show on their website).  So, I would stay away from these routers, unless you absolutely have to.

My list is by no means complete.  If you have a wireless router and it supports WPA2 encryption, and it’s not on my list, please leave a comment with the model number (and a link to it if possible).

Another thing I’ll note is that some built-in wireless adapters in laptops come with WPA2 support.  My low-end Toshiba Satellite A105 from Wal-Mart has this support built in.  So, in some cases you won’t need to purchase an adapter.  But if you enable WPA2 in your router and the adapter won’t connect, first try the latest driver for it (as Netgear’s reply above notes), and if that doesn’t fix it, PLEASE buy a new adapter.  The cost of a new adapter is minimal compared to the potential for someone to crack your keys because you opted for a less-secure method.

Have a wonderful night:)
Patrick.

*Edited on 11-9-08 to add Netgear’s response.

First worms from MS08-067 are in the wild.

If you don’t remember what MS08-067 is, it’s the emergency “out of band” update that Microsoft released on October 23, 2008.  Not even two weeks later, the first worms that take advantage of this vulnerability are out in the wild.

Internet Storm Center is reporting that the first worm appeared this weekend.  F-Secure, Sophos Antivirus, and Microsoft Antivirus are able to detect this worm.  And if you are running Snort rules, it is able to detect the worm also.

According to Snort, the worm trips rules for two Microsoft Security Bulletins.  It triggers the rule for the MS08-067 vulnerability that was just patched, and it also triggers the rule for MS06-040, a vulnerability in Microsoft Windows 2000/XP/2003 that was patched in August of 2006.

This means that if you haven’t patched your computer for that older vulnerability, then this worm can still get through to you.  The bright side is that if you are running Snort’s detection rules, you would already have been alerted to this first worm.  But it’s time to update the rules, and it’s most definitely PAST time to update your computer with Windows Update (or Microsoft Update).

What you need to worry about more than anything is that as of today, only three antivirus programs are detecting this.  However if your antivirus updates today, there’s a slim chance that it will recognize the worm.  Watch the Internet Storm Center for more information as companies start releasing signatures for it. I’ll post updates as I receive them as well.

Also, if you want to see how your computer stands up to Microsoft’s security advice, I highly recommend their Microsoft Baseline Security Analyzer.

Have a great day:)

Patrick.

US-CERT Cyber Security Tip ST06-004 — Avoiding the Pitfalls of Online Trading

Are you considering trading stocks and bonds online?  Or maybe you’re already doing it.  Either way this tip is something you should look at carefully.  I will say that I’m investing through an online web site and I like it.  It’s fast, easy, and convenient.  I can have it automatically withdrawn from my bank account, or I can purchase shares directly.

The US-CERT tip is especially important to consider now, with the economy in its current state.  There are people out there who, now more than ever, want to get access to your money.  And they’ll use whatever means they can to do that.

It’s very important that you practice safe online habits.  And if you get e-mails with supposedly “hot” stock opportunities, don’t buy into them.  Most likely someone is either creating fake stocks to get your money, or trying to unload their worthless junk penny stocks on someone who’s gullible enough to buy into them.

You should also check into the sites where you’re getting your market tips and investment advice.  If it’s not your traditional broker (or established with one like Edward Jones, Merrill Lynch, or TD Waterhouse for example), then check into them closely.  They may be trying to sell you worthless opportunities also, or they may have conflicts of interest.

Some of the sites that I use are MarketWatch, StreetInsider, InvestorsObserver, and MotleyFool.  Beware that all of them except MarketWatch offer some pieces for free and want you to pay for more advanced information and options.  You can also check some of the international indexes.

So, combine the information sites with the tips from US-CERT, and you should be ok with your money.  At least as far as someone trying to scam it out of you through the computer. 

Have a great day:)
Patrick.