Archive for June 2005
WashTech: The real threat to password security
The Washington Post has an article on the real threats to password security:
People stealing the password database
People writing their password down
Keystroke loggers
Phishers
Social engineers
Password reset websites
The writer argues that traditional password policy makes the problem worse instead of better.
Symantec new site preview
Symantec’s got a new site preview up http://preview.symantec.com/index.jsp
The Security Response site is going to take some getting used to. Interestingly, there is an ActiveX object you can run to run LiveUpdate. I still don’t see anything like what McAfee has, where you can go to a page and it will tell you if you are up to date or not.
So you’ve got a virus
So you’ve got a virus. Let’s skip the recrimination and determine what can be done about it.
Step 1
Check your antivirus vendor’s latest virus write-ups to see if you can identify what you are infected with.
Step 1B: Check other vendors’ sites.
http://www.symantec.com/avcenter
http://vil.nai.com
Trend Micro
If you can determine what you are infected with, the vendor should have cleaning instructions, probably a manual cleaning process, but they may also have a cleaning utility.
Step 2
It’s a new virus. You couldn’t determine what it was, much less how to clean it. Looks like it’s time for some reconnaissance.
This is where knowing what should automatically run on your system comes in handy. We need to check what starts automatically. The most obvious, vanilla place a virus could be is in the Run key in the registry. Open regedit and look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If you know your system, you may recognize something that should not be there.
Of course there are many other places something could start automatically. Spyware is more likely than a virus to hide someplace else, but you never know. You can download Autoruns from Sysinternals to look at the other places where something might start automatically.
Step 3
If you see something out of the ordinary set to run automatically, write down where it is and what it is. You can use Google to look up unknown files and determine whether they are legitimate. If you cannot determine the validity of a file, upload it to www.virustotal.com. It will be scanned with multiple virus scanners and the results reported back to you.
Step 4
If virustotal determines it is a virus, you need to figure out why your antivirus didn’t detect it. Is your antivirus disabled? Some viruses disable antivirus software. Is your antivirus software getting updates? It may be broken, or the virus may have disabled your software’s ability to update. If you have the latest available virus definitions from your antivirus company and it still cannot detect the file that virustotal reports as a virus, then you need to submit the file to your antivirus company. Each antivirus company has a different method for this. Note that virustotal says that it submits the files to antivirus companies, but I like to do it also so I get feedback from the antivirus company. Often they make a pre-release version of their virus definition files available so that the file can be deleted.
If you figure out a name for the virus (either from virustotal or from submitting the file to your antivirus vendor), it can be used to find the virus definition write-up, which will hopefully have complete removal instructions. Virus encyclopedias are often indexed only by virus name, making it difficult to search for text from the viral message.
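Steps 2 and 3 above can be scripted. The following is an added example (not from the original post) for Windows PowerShell 4 or later: it enumerates the Run and RunOnce keys, resolves each entry to the executable it launches, and records the file’s SHA-256 hash and Authenticode signature status, so the unsigned or missing ones can be written down, searched for, or submitted to a multi-engine scanner. The key list beyond HKLM\...\Run and the helper function names are my additions.

```powershell
# Added example: inventory autostart entries for triage. Assumes Windows
# PowerShell 4+ (Get-FileHash) and read access to the registry hives below.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$CommandLine)
    # A quoted command keeps its path inside the first pair of quotes;
    # otherwise the path is the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($CommandLine -split '\s+', 2)[0] }
    # Expand %SystemRoot%-style variables so Test-Path can find the file.
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutostartInventory {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath, PSChildName etc.; skip those.
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' }
        foreach ($name in $names) {
            $cmd    = [string]$props.$name
            $exe    = Get-ExecutablePath $cmd
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $hash   = $null
            $status = 'MissingFile'   # a dangling entry is itself worth noting
            if ($exists) {
                $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $cmd
                Executable = $exe; Exists = $exists
                SHA256 = $hash; Signature = $status
            }
        }
    }
}

# Entries whose Signature is not 'Valid' are the ones to look up first.
Get-AutostartInventory | Sort-Object Signature | Format-Table -AutoSize
```

The SHA-256 column lets you search for or submit the hash instead of the file itself; a Signature of NotSigned on an executable in a user-writable directory is the kind of thing Step 3 asks you to write down.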
Spam by Proxy- Nothing New
Spamroll blogged earlier this week about a Maryland Public Television webmaster busted for signing his supervisor up on Internet sites to generate annoying emails and telephone calls.
I found a Baltimore Sun article covering this story that gives more detail and attributes its quotes correctly.
I was shaking my head because Spamroll left me with the impression someone thought this sort of thing was new. The Baltimore Sun article cleared that up. The AG’s office said this is the first time they’ve prosecuted someone. The EFF said this sort of thing goes on all the time. The article concludes by saying that most reputable sites offer a double opt-in, making this sort of thing harder to do. The problem is that the disreputable sites still don’t do that.
So as always, cover your tracks.
Use a public kiosk to sign your enemies up for spam. Or better yet go to the house of another co-worker and use their insecure wireless connection to sign up the CEO for spam.
Putting up a good front
In the face of tight budgets, we need to make sure the money is spent on what is important. I think HIPS and security education should be at the top of that list.
It is well documented that the best security dollar you can spend is on user education. Security Awareness training has gone from being a good idea to being a best practice, to being required by contracts entered into with our customers, to being required by law. By creating an informed user base, the users become our security watchdog instead of our security nemesis. I conclude that technology is not the solution to computer security. It is at the root a human problem.
HIPS (Host-based Intrusion Detection System) is an up-and-coming method of proactively defending endpoint computers. Rather than relying on patching and antivirus, software is placed on the system that disallows specific activity. For example, we could either block or prompt the user when something tries to set itself to run automatically after every reboot. It also attempts to block exploits of vulnerabilities. By removing the need to patch immediately on the second Tuesday of every month, the risk to our systems would be lower.
Without HIPS and without user education, we are reduced to four main defensive mechanisms:
1. Patch like mad and update antivirus like mad.
2. Implement more antivirus. Don’t just have a multi-layered email defense. Have a multi-layered IM defense. Have a multi-layered HTTP defense. Have a multi-layered ICQ defense. Have a multi-layered FTP defense. Have a multi-layered NNTP defense. Basically every major protocol would need this. Perhaps a Fortinet antivirus firewall or the Cisco IDS with Trend Micro would provide a more all-in-one solution.
3. Implement common mitigation strategies such as taking away people’s local admin permissions and placing firewalls between internal network segments.
4. Pray
Remember the pen cap and the kryptonite lock?
Remember last fall the Kryptonite lock and the pen cap that opened it? Now they’ve gone through legal wrangling. There is a site http://www.kryptonitesettlement.com with the notice of settlement.
Little Phish
Spamroll blogs that phishers are increasingly targeting smaller banks and credit unions.
The same principle applies to the protection of online banking. The smaller banks and credit unions do not have the fraud detection departments that larger organizations have.
While the phish will not be detected as early or pursued as vigorously, there just isn’t the same bang for the buck on the email distribution. Think of it. If I email one million people, the likelihood of finding a Bank of America customer is much better than the odds of hitting members of the Red Apple Credit Union.
A better idea would be for the phisher to attempt to obtain the bank’s email list somehow. Or better yet, for credit unions, you know the member companies, so concentrate the phishing email on domains belonging to those companies. This is in line with the theory that the criminals will be attacking smaller groups so they aren’t detected as quickly.
Customers of even small banks must watch out for phishing. Although I don’t see phishing as being the fault of the bank, it is imperative for other reasons that banks stay on top of the security concerns associated with online banking.
Passed
I got word on Saturday that I passed the CISSP exam that I took last week. All that is left now is getting a current CISSP to sign the form verifying my experience and also writing up a resume to turn in for this. Once this is sent in, there may be an audit. I should officially be a CISSP soon. It’s nice to have passed the major hurdle of the test itself.
Another story in the city
I went over to a co-worker’s place today to take a look at a virus issue on his computer. The viruses were rather pernicious. Every time you’d run another scan it would find some more. I finally got it to a point where I didn’t see any remaining viruses. Fingers crossed.
The scary thing about this computer is that it hadn’t been patched since the Clinton administration and it was directly connected to a broadband connection. I went ahead and got him set up with XP SP2, upgraded his SAV and installed Microsoft AntiSpyware. That and turning on the XP firewall should hold off further infection. Oh, and auto-updating of the patches.