Jul 19 2008 12:58AM GMT
Posted by: Ken Harthun
Networking,
NAT,
Routers,
Security,
Firewalls,
Malware,
Vulnerabilities,
Microsoft Windows
I just love stories like this one. On the one hand, Internet Storm Center researchers say an unpatched PC connected to the Internet will be compromised in less than four minutes. On the other hand, a researcher and co-founder of the German Honeypot Project (GHP), Thorsten Holz, claims the survival time is much higher than 4 minutes and in fact is nearer 16 hours. “Compared to the survival time from the Internet Storm Center [ISC] which is currently below five minutes, we measure a higher survival time,” he said in a post to the project’s blog. The blog has some interesting graphs, one of which shows that survival time is just under 1000 minutes, or about 16 hours.
So, which is it? Do we believe ISC or GHP? I can tell you from experience with my own firewall logs that my IP address is probed for common vulnerabilities about every two minutes, sometimes as often as once per minute. Based on this, I’d be inclined to believe ISC’s estimate. The bottom line is it doesn’t really matter who’s right–we all agree that it’s a bad idea to connect an unpatched PC to the Internet. From the ISC diary:
While the survival time measured varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn’t bet on in Vegas. Using a NAT router and a correctly configured personal firewall is the way to go - both these measures help a lot to improve the odds in favor of your PC.
Be careful out there.
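Added example, not part of the original post: the “probed every two minutes” figure above comes from reading firewall logs, and a small program makes that measurement repeatable. The Go program below parses constructed router “DROP” lines (assumed netfilter-style format, documentation-range addresses, not real log data), sorts them by time, and reports how many probes arrived, from how many sources, how far apart on average, and which destination ports were tried. Adjust the regular expression to whatever your own router or personal firewall actually writes.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleFirewallLog is a constructed sample in the style of a consumer router's
// syslog "DROP" lines; the addresses are documentation ranges, not real hosts.
const sampleFirewallLog = `Jul 18 22:01:10 gw kernel: DROP IN=ppp0 SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP DPT=445
Jul 18 22:03:02 gw kernel: DROP IN=ppp0 SRC=198.51.100.77 DST=203.0.113.7 PROTO=TCP DPT=135
Jul 18 22:04:58 gw kernel: DROP IN=ppp0 SRC=192.0.2.15 DST=203.0.113.7 PROTO=TCP DPT=445
Jul 18 22:05:40 gw kernel: DROP IN=ppp0 SRC=192.0.2.15 DST=203.0.113.7 PROTO=TCP DPT=139
Jul 18 22:06:00 gw kernel: ppp0: link is up
Jul 18 22:07:31 gw kernel: DROP IN=ppp0 SRC=198.51.100.90 DST=203.0.113.7 PROTO=TCP DPT=1433
Jul 18 22:09:15 gw kernel: DROP IN=ppp0 SRC=203.0.113.200 DST=203.0.113.7 PROTO=TCP DPT=445`

// Probe is one inbound connection attempt the firewall dropped.
type Probe struct {
	At   time.Time
	Src  string
	Port int
}

// Summary is what you want from a log window: volume, spread of sources,
// average spacing between probes, and which ports draw the attention.
type Summary struct {
	Probes        int
	UniqueSources int
	MeanInterval  time.Duration
	PortCounts    map[int]int
}

// dropLine matches the assumed format: syslog timestamp, host, "kernel: DROP",
// then SRC= and DPT= fields. Other kernel messages simply do not match.
var dropLine = regexp.MustCompile(`^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: DROP .*SRC=(\S+) .*DPT=(\d+)`)

// ParseProbes extracts dropped inbound attempts from log text, oldest first.
func ParseProbes(logText string) []Probe {
	var probes []Probe
	for _, line := range strings.Split(logText, "\n") {
		m := dropLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// Syslog stamps carry no year; year 0 is fine for intervals within one window.
		at, err := time.Parse("Jan 2 15:04:05", strings.Join(strings.Fields(m[1]), " "))
		if err != nil {
			continue
		}
		port, _ := strconv.Atoi(m[3])
		probes = append(probes, Probe{At: at, Src: m[2], Port: port})
	}
	sort.Slice(probes, func(i, j int) bool { return probes[i].At.Before(probes[j].At) })
	return probes
}

// Summarize computes the probe rate and port mix for a block of log text.
func Summarize(logText string) Summary {
	probes := ParseProbes(logText)
	s := Summary{Probes: len(probes), PortCounts: map[int]int{}}
	sources := map[string]bool{}
	var total time.Duration
	for i, p := range probes {
		sources[p.Src] = true
		s.PortCounts[p.Port]++
		if i > 0 {
			total += p.At.Sub(probes[i-1].At)
		}
	}
	s.UniqueSources = len(sources)
	if len(probes) > 1 {
		s.MeanInterval = total / time.Duration(len(probes)-1)
	}
	return s
}

func main() {
	s := Summarize(sampleFirewallLog)
	fmt.Printf("%d probes from %d sources, one every %s on average\n", s.Probes, s.UniqueSources, s.MeanInterval)
	for port, n := range s.PortCounts {
		fmt.Printf("  port %d: %d attempts\n", port, n)
	}
}
```

Run it against a day of your own log and the mean interval is the number to compare with the ISC and GHP figures; the port counts tell you which services are being knocked on, which is the list to make sure your NAT router is not forwarding.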
Ken is a Systems Engineer at Connective Computing, Inc. specializing in network and desktop security for small and medium businesses. Ken helps others through his Ask the Geek blog, is a regular contributor to Dave’s Computer Tips newsletter, and is currently working on his first consumer-oriented book on computer security.
Jul 17 2008 1:07AM GMT
Posted by: Ken Harthun
Anti-malware,
Anti-virus,
Microsoft Windows,
Browser,
Security
A while back, I used the Microsoft Public Access Computer Security Tool, predecessor to Windows SteadyState, to secure a credit union’s public access computer. They wanted to make sure that no one could use the PC to do anything but work with their online banking site. After a short learning curve, I was able to deliver exactly what they wanted. They were impressed and so was I.
The other day, after yet another grueling session of cleaning up a family member’s malware-infested PC, it occurred to me that I should just put SteadyState on it and set up several profiles, putting restrictions in place for the kids, leaving things a bit more open for Mom and Dad, and completely locking down a profile for guest users. Check out what you can do with this:
- Restrict access to programs and settings
- Return the computer to its original state with Windows Disk Protection
- Enforce time limits on use of the computer
- Control what programs show up in the menus
I haven’t tested this idea yet, but it seems to me that Windows Disk Protection alone would be worth a try. You could set up a profile that would allow completely safe surfing for everyone in the household.
I’m going to take a serious look at this, so stay tuned for my report.
Jul 5 2008 2:43PM GMT
Posted by: Ken Harthun
Security,
Embedded systems,
Firmware security,
Encryption,
Security management,
Vulnerabilities,
Networking,
Storage,
Opinion
SANS recently reported that a Ponemon Institute survey, commissioned by Dell, found that more than 630,000 laptops are lost at airports each year, usually at security checkpoints and departure gates. A staggering 67% of them are never recovered. From SANS NewsBites Vol. 10, Num. 52:
The survey…included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent.
Surprisingly, the SANS article made no mention that the Ponemon survey found that 65% of the travelers who have confidential or sensitive information on their laptops do nothing to attempt to protect it. The article seems to be more focused on physical security and this is indicative of a paradigm that is too heavily weighted in favor of protecting the network rather than the information traveling across it. The paradigm is shifting, but not nearly fast enough, as the survey shows.
Given the nature of operating systems and software, embedded or otherwise, there will never be a completely secure network; there will always be vulnerabilities to deal with and deal with them we must. However, the Internet is designed for sharing, not securing, a fact that’s never been more true than it is today; with Web 2.0’s emphasis on community and collaboration, the need to protect the information is even more critical.
We can’t predict security vulnerabilities in third party software and systems, so all we can do is patch after the fact. If we make data protection the first priority and never allow a scrap of sensitive information to reside anywhere on any storage medium without it first having been encrypted or physically isolated, the severity of any newly-discovered vulnerability is greatly lessened.
What do you think?
Jun 30 2008 3:55PM GMT
Posted by: Ken Harthun
Security,
Cryptography,
Encryption,
DataManagement,
Opinion,
Portable computing
A bank safe deposit box, securely stored in a vault behind several feet of concrete on five sides with a virtually impenetrable combination-and-time-lock-protected door on the sixth side, is about as safe a storage place as you can get for your cash, gold, jewels, important documents, and other valuables. You rarely hear of anyone losing valuables from a safe deposit box, but there’s an almost daily news story about sensitive data being lost or stolen. This makes for an interesting thought experiment.
While it’s not possible to provide the physical security of a bank vault on a laptop or other portable storage device, it is possible to protect the information itself with encryption so that only authorized persons can access it. Take the bank’s physical security out of the mix for a moment, making it possible for someone to walk right into the vault; they still can’t unlock your box without access to the bank’s key and your key. Similarly, encryption requires two keys: the encryption key and a passphrase; without both, the encrypted volume won’t open.
One could say, therefore, that an encrypted volume is a virtual safe deposit box for your valuable data.
Jun 27 2008 1:54AM GMT
Posted by: Ken Harthun
Buffer Overflow,
Remote management,
Vulnerabilities,
Security maxim
In a recent Q & A episode of the Security Now! podcast with Steve Gibson and Leo Laporte, a reader was concerned that doing remote desktop support on infected PCs from his computer could make him vulnerable to infection. As I always do, I immediately began thinking about how I would answer the question (my wife thinks I’m nuts because I’m always talking to myself while I listen to the podcast). In my experience with remote support programs, I’ve never had a problem with malware, so I never considered the issue. However, I have to agree that Steve’s answer amounts to the safest way to do remote desktop support on infected PCs. Here’s an (edited) excerpt from Security Now! Episode 146:
STEVE: …In a perfect world, [remote desktop support] would be completely safe because…
LEO: You’re not really running anything on your system. It’s a window into their system; right?
STEVE: Exactly. Essentially you’re seeing their video, and you are taking over their mouse and keyboard. So it’s purely a remote I/O sort of deal. But we know it’s not a perfect world… So if…there were a vulnerability in whatever remote communications software you were using, and malware knew about that, it would be…possible for the malware to detect that you had connected using VNC, GoToMyPC, Remote Desktop…and exploit a known problem in order to cause a buffer overrun at your end of the connection.
LEO: So anytime you’re having a conversation with another computer, there’s always that potential no matter what protocols you’re using.
STEVE: Yes. So what I would do if I were a person who was going to be sort of habitually connecting to probably infected remote machines…you’d want to do that in a VM [virtual machine] at your end.
I’ve often recommended using virtual machines for surfing the web. My post, “Two Ways to Operate Securely on the Web,” is a good example. Extend that security maxim to remote connections of all kinds and you’ll be even safer.
Jun 27 2008 12:44AM GMT
Posted by: Ken Harthun
Remote management,
Networking,
Routers,
Wireless,
Password
In my February 20th post, “Omit This Setup Step and Your Router Can Be Easily Compromised,” I stressed the importance of changing the default router password. I forgot to mention in that article another configuration option that can be dangerous, even if you’ve changed the default password: Remote management. While I’ve never seen this feature enabled by default, it’s better to err on the side of paranoia and make certain it isn’t enabled on your router.
Obviously, this would be a serious problem if you haven’t changed the default password; it’s less of a concern if you have, but passwords can be cracked and if someone decides to target you, it’s not a good idea to have your router’s login visible to them. If you absolutely must have remote management available to you (why?), then it’s imperative that when you change the default login password, you use an unguessable and virtually uncrackable one.
Jun 20 2008 1:31AM GMT
Posted by: Ken Harthun
Security,
Remote management,
Embedded systems,
Firmware security,
Security management,
Vulnerabilities,
Development,
Opinion
My May 29th post, “Phlashing Attack Can Damage Systems Beyond Repair,” generated some attention from Hewlett-Packard’s PR department. Depending on how you read it, my article could be interpreted to imply that their Integrated Lights Out (iLO) embedded remote management interface may be vulnerable to the PhlashDance attack. It wasn’t my intention to imply this and I am convinced that iLO is secure.
After having had a cordial conversation with Doug Hascall, Manager, iLO firmware, Industry Standard Servers, Hewlett-Packard, I agreed to post details about iLO’s security. Here is Doug’s email responding to my article:
Ken,
I enjoyed our conversation yesterday regarding the security of iLO and the phlash attack referenced by my colleague Richard Smith. As I mentioned on the phone, we take the security of iLO and our HP servers very seriously. This note is to share some of the information we discussed regarding iLO’s flash security.
iLO firmware employs the following flash protections:
* iLO firmware images are digitally signed with a 1024-bit RSA public/private key.
* The digital signature is checked before allowing a firmware update process to continue.
* The digital signature is checked by the iLO boot block every time iLO comes out of reset.
* The iLO boot block can only be flashed by physically changing a switch setting inside the server.
* Flashing the iLO firmware remotely requires login authentication and authorization, including optional two-factor authentication.
* The iLO firmware image to be flashed is completely uploaded into RAM before reprogramming of the flash device.
All ProLiant iLO firmware releases, from the original version that shipped with the ProLiant DL360 G2 in March 2001, have employed these protections.
I conferred with Rich Smith via e-mail to explain the iLO security architecture and to investigate the possibility of iLO being vulnerable to a Phlashing attack. Rich’s assessment was that iLO firmware and its upgradeability appear to have been designed with security in mind and he does not believe that iLO would be susceptible to a phlash attack or the methods used in the phlashdance fuzzer.
Security is a vitally important topic. I appreciate the attention that the security community brings to this topic and the associated opportunity we have to improve our products.
Respectfully,
Doug Hascall
Manager, iLO Firmware
Industry Standard Servers
Hewlett-Packard
This is security done right. Are you listening, Microsoft?
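Added example, not HP’s code and not from the original post: the protections Doug lists (sign the image, verify before flashing, re-verify from the boot block at every reset, only program after the whole upload is in RAM) form a pattern any firmware updater can follow, and the Go program below shows it end to end. The container layout (a “FWIM” magic, a 4-byte payload length, the payload, then an RSA PKCS#1 v1.5 signature over everything before it), the function names, and the in-memory Flash stand-in are assumptions for the illustration. The email describes a 1024-bit key in a 2001 design; the example uses 2048 bits, which is the smallest size considered adequate today.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed container layout (not HP's format): "FWIM" | 4-byte payload length |
// payload | RSA PKCS#1 v1.5 signature over everything before it.
var magic = []byte("FWIM")

// Flash stands in for the device's flash part. Writes counts reprogramming
// cycles so a test can prove that a rejected image never touched it.
type Flash struct {
	Image  []byte
	Writes int
}

// GenerateSigningKey makes the vendor's key pair. The private half stays with
// the firmware build system; only the public half is burned into the boot block.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignImage wraps a payload in the container and appends the signature.
func SignImage(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	body := append([]byte{}, magic...)
	body = binary.BigEndian.AppendUint32(body, uint32(len(payload)))
	body = append(body, payload...)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

// VerifyImage is the check the updater runs before flashing and the boot block
// runs on every reset. A truncated or padded image fails on the length field
// before the signature is even examined.
func VerifyImage(pub *rsa.PublicKey, image []byte) ([]byte, error) {
	sigLen := pub.Size()
	if len(image) < len(magic)+4+sigLen {
		return nil, errors.New("image too short to hold header and signature")
	}
	if !bytes.Equal(image[:4], magic) {
		return nil, errors.New("bad magic")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if declared := int(binary.BigEndian.Uint32(image[4:8])); len(body) != 8+declared {
		return nil, fmt.Errorf("declared payload %d bytes, image holds %d", declared, len(body)-8)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return body[8:], nil
}

// FlashUpdate follows the "upload completely into RAM, verify, then program"
// rule: image is the whole upload, and nothing is written if verification fails.
func FlashUpdate(dev *Flash, pub *rsa.PublicKey, image []byte) error {
	if _, err := VerifyImage(pub, image); err != nil {
		return err
	}
	dev.Image = append([]byte(nil), image...)
	dev.Writes++
	return nil
}

// BootCheck is the boot-block check at reset: re-verify what is in flash and
// release the payload only if the signature still holds.
func BootCheck(dev *Flash, pub *rsa.PublicKey) ([]byte, error) {
	return VerifyImage(pub, dev.Image)
}

func main() {
	priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	img, _ := SignImage(priv, []byte("constructed firmware payload v1"))
	dev := &Flash{}
	fmt.Println("good image:", FlashUpdate(dev, pub, img))
	bad := append([]byte(nil), img...)
	bad[10] ^= 0xff // flip one payload byte
	fmt.Println("tampered image:", FlashUpdate(dev, pub, bad))
	fmt.Println("truncated image:", FlashUpdate(dev, pub, img[:len(img)-1]))
	payload, err := BootCheck(dev, pub)
	fmt.Printf("boot check: %q err=%v writes=%d\n", payload, err, dev.Writes)
}
```

The property worth noticing is that the tampered and truncated images leave `Writes` at 1: a bad upload is refused in memory and the flash part is never half-programmed, which is exactly what keeps a corrupt-the-firmware attack from bricking the device. The remaining item on Doug’s list, a boot block that can only be rewritten by a physical switch, is what protects the public key this verification depends on.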
Jun 20 2008 1:02AM GMT
Posted by: Ken Harthun
Security,
Cryptography,
Encryption,
Password,
Security management,
Wireless,
Security maxim
It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotspots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:
1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure (and one CISSP, no less, is recommending it!) While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.
2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where you store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.
3. Don’t bother with MAC address filtering. I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network.
So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA-Personal and WPA-Enterprise. WPA-Personal relies on a pre-shared key (PSK), while WPA-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA implements 128-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.
And that, my dear reader, is Maxim #13 in the How to Secure Your Computer series of articles:
When it comes to securing a WiFi network, the only way is WPA.
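Added example, not part of the original post: why “strong, unguessable passphrase” is the whole ballgame for WPA-Personal. Every WPA-PSK device turns the passphrase into a 256-bit pairwise master key with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations (this is the IEEE 802.11i derivation, and the “password”/“IEEE” value below is the standard’s own test vector). The SSID is broadcast, so it adds nothing secret; the passphrase is the only input an outsider does not have, and the 128-bit session keys the post mentions are all derived from this master key. The Go program below, with the PBKDF2 loop written out so only the standard library is needed, derives that key, enforces the 8-to-63-printable-ASCII passphrase rule, and counts character classes as a rough strength heuristic (the heuristic and the function names are assumptions of this example).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 implements PBKDF2 with HMAC-SHA1 (RFC 2898) in the standard
// library only: T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(salt || INT(i)).
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// ValidatePassphrase applies the WPA-PSK passphrase rule: 8 to 63 characters,
// all printable ASCII (space through tilde).
func ValidatePassphrase(p string) error {
	if len(p) < 8 || len(p) > 63 {
		return fmt.Errorf("passphrase must be 8 to 63 characters, got %d", len(p))
	}
	for _, r := range p {
		if r < 0x20 || r > 0x7e {
			return fmt.Errorf("passphrase must be printable ASCII, found %q", r)
		}
	}
	return nil
}

// DerivePMK is the 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the
// SSID as salt, 4096 iterations, 256-bit output.
func DerivePMK(passphrase, ssid string) ([]byte, error) {
	if err := ValidatePassphrase(passphrase); err != nil {
		return nil, err
	}
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32), nil
}

// PMKHex returns the derived key as lowercase hex, the form most router
// interfaces accept when you enter the PSK directly instead of a passphrase.
func PMKHex(passphrase, ssid string) (string, error) {
	pmk, err := DerivePMK(passphrase, ssid)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(pmk), nil
}

// CharClasses counts how many of lower, upper, digit and other-printable classes
// the passphrase uses. A heuristic for this example, not a standard: a long
// passphrase drawing on several classes is the one worth keeping.
func CharClasses(p string) int {
	var lower, upper, digit, other bool
	for _, r := range p {
		switch {
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

func main() {
	// "password"/"IEEE" is the 802.11i test vector; the second pair is constructed.
	for _, c := range []struct{ pass, ssid string }{{"password", "IEEE"}, {"correct horse battery staple!9", "HomeNet-5G"}} {
		pmk, err := PMKHex(c.pass, c.ssid)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("SSID %q: %d character classes, PMK %s\n", c.ssid, CharClasses(c.pass), pmk)
	}
}
```

Two practical points fall out of this. First, change the SSID from the factory default as well as the passphrase: the salt is public either way, but a default SSID lets precomputed tables for common passphrases be reused against you. Second, the 4096 iterations cost a few milliseconds on a PC, so the derivation itself is not what slows down a guessing attack; only the length and unpredictability of the passphrase do.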
Jun 14 2008 1:57PM GMT
Posted by: Ken Harthun
Security,
Malware,
Rootkit,
Opinion,
Anti-malware,
Security maxim
You’ve seen them: PCs with serious malware infections that seem to defy any and all attempts to clean them up. You persevere and eventually get rid of the files that regenerate upon deletion, clean up the autorun registry entries that keep the malware going, and kill all the malicious processes that keep showing up. You’re proud of yourself; you’ve conquered the beast, out-hacked the hackers. You’re the man: a real, live uber-geek! Pat yourself on the back–you earned it. Then, after you’ve finished congratulating yourself, reformat the hard drive and reinstall the operating system–you can never trust that machine again unless you do.
There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.
It’s a matter of trust; it’s also a security maxim. So without further ado, I present How to Secure Your Computer, Maxim #12:
Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.