Posted by: scwoa | August 31, 2009

WPA with tkip Cracked

Another reason why security and wireless do not go together. Read this paper: it describes a practical message-falsification attack against WPA with TKIP that runs in about a minute. It does not recover the passphrase, but it lets an attacker forge packets to a client, which is bad enough.

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf 

If you are using WPA, and you care about security, STOP! Use WPA2 with AES (CCMP). WPA2 configured to use TKIP is still TKIP; the cipher is what the attack breaks.

If you have to run wireless, it should be outside of your network, on a DSL line. Users can VPN back in.
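One check the advice above implies, added here as an example and not part of the original post: audit access-point configuration for WPA version 1 and the TKIP cipher. The script reads hostapd.conf-style settings (the real hostapd keys wpa, wpa_pairwise and rsn_pairwise) and flags anything that still offers WPA (version 1) or TKIP, including the case where WPA2 is enabled but silently inherits TKIP from wpa_pairwise. The two sample configurations are constructed, not taken from any real deployment.

```python
# Added example, not from the original post. Audits hostapd.conf-style text for
# the settings the TKIP attacks in the linked paper (and the earlier Beck-Tews
# attack) depend on. hostapd keys used: wpa= (1 WPA, 2 WPA2/RSN, 3 both),
# wpa_pairwise= (ciphers offered to WPA clients) and rsn_pairwise= (ciphers
# offered to WPA2 clients; hostapd falls back to wpa_pairwise when unset).

def parse_hostapd(conf: str) -> dict:
    """Return key -> value for a hostapd.conf body; comments are whole lines."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_hostapd(conf: str) -> list:
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    s = parse_hostapd(conf)
    findings = []
    wpa = int(s.get('wpa', '0'))
    if wpa == 0:
        return ['wpa=0: no WPA/WPA2 at all (open or WEP network)']
    if wpa & 1:
        findings.append('wpa=%d: WPA (version 1) is still offered' % wpa)
    wpa_ciphers = set(s.get('wpa_pairwise', '').split())
    # rsn_pairwise defaults to wpa_pairwise in hostapd, so model that fallback
    rsn_ciphers = set(s.get('rsn_pairwise', '').split()) or wpa_ciphers
    if (wpa & 1) and 'TKIP' in wpa_ciphers:
        findings.append('wpa_pairwise allows TKIP for WPA clients')
    if (wpa & 2) and 'TKIP' in rsn_ciphers:
        findings.append('rsn_pairwise allows TKIP for WPA2 clients (WPA2-TKIP is still TKIP)')
    return findings

# Constructed sample configs (not captured from any real access point).
WEAK_CONF = """
interface=wlan0
ssid=corp-wifi
# WPA version 1 only, TKIP only: what the post says to stop using
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=changeme
"""

HARDENED_CONF = """
interface=wlan0
ssid=corp-wifi
# WPA2/RSN only, AES-CCMP only
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=changeme
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ['OK: WPA2 with CCMP only'])
```

The fallback case is the one people miss: a config with wpa=2 and wpa_pairwise=TKIP but no rsn_pairwise line looks like "WPA2" and still hands TKIP to every client.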

Posted by: scwoa | August 6, 2009

Laptop Theft

Recently, I purchased this product for $25: the STOP Security Plate.

http://www.stoptheft.com/site/products_security_plate.php

It is a metal plate that I put on the back of my laptop to deter theft. I don't think I will ever get this plate off; check this video.

http://www.stoptheft.com/site/index.php

Installation was easy. I did get some glue on my fingers, but got it off before it stuck my fingers together! I then registered the laptop on their website. I don't usually recommend products directly, but I really recommend you get this one. (I am not on their payroll.)

Laptops keep being stolen, and no one ever appears to get caught.   Usually, the conversation goes like this:

Police:   So you say three laptops are missing?

IT person:   Yes, it happened this morning.

Police:    What did they look like?

IT person:    uhhh, they were made by IBM and black.

Police:    Do you have the serial numbers or asset tags?

IT Person:   We didn't record that.

Police:   Anything else to prove they are yours?

IT Person:   No.

Since millions of laptops are sold every year, and all IBM/Lenovo laptops are black, that description does not help any…

Posted by: scwoa | July 17, 2009

Patch week

Posted by: scwoa | July 8, 2009

Federal Govt DDoS attack – part 2

The DDoS attack against the government is more of a worm than a botnet.

What's the difference?

A botnet is a group of computers controlled by someone, with instructions to "do something", such as: all botnet machines, connect to the government web site at the same time. If you have enough machines, the server will probably fall over.

A worm is similar, but it mostly runs on its own and infects other machines without anyone controlling it. It can also run its own DoS attacks, if it is programmed to do so. The two are not exclusive: "worm" describes how the malware spreads, "botnet" describes how it is commanded, and a worm can carry a bot along with it.

Description of this worm: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EA&VSect=T

There are at least 3 infection vectors for this worm: 1) email attachments, 2) visiting a "bad" web page, and 3) having other spyware load it for you.

This worm deletes itself after running its program. This is the first time I can remember a virus or worm doing that.

It means the same machine is going to get infected over and over, and no one would notice. Especially with users who visit bad web sites over and over, or users who don't run anti-virus or firewalls.

Posted by: scwoa | July 7, 2009

Federal Government DDoS attack

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department web sites were down this weekend. 50,000 infected computers running as a botnet were attacking the government web sites.

The attack started on July 4th, which is the day all of the IT admins, and everyone else, are out barbecuing, not working.

Most networks would not be able to handle this load; the reported figure was 20 to 40 gigabytes of bandwidth per second.

http://blogs.csoonline.com/online_attack_hits_us_government_web_sites

DDoS – Distributed Denial of Service. In this case, 50,000 computers all try to request information from a web server at the same time, and the server (or the link in front of it) runs out of capacity serving them.

BOTNET – A group of computers controlled by one person or one group. That group issues commands to all the computers in the group, such as "attack this other server". In this case, 50,000 machines all doing the same thing at the same time. The owners of the infected machines usually have no idea they are infected or doing anything wrong. (These same people usually do not run anti-virus or firewalls either.)
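As an added example, not part of the original post, here is the kind of check a web-server admin could have run on July 4th: a per-second rate check over access-log lines that separates a distributed flood (many sources at once) from one noisy client that can simply be blocked. The log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Added example, not from the original post. Parses Apache "combined" access-log
# lines and flags seconds where both the request count and the number of
# distinct source addresses jump: the signature of a distributed flood rather
# than a single misbehaving client. Thresholds and log lines are constructed.

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_line(line: str):
    """Return (client_ip, timestamp_string, request, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, ts, request, int(status)

def bucket_by_second(lines):
    """Group the source IP of each request by its timestamp (one bucket per second)."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            buckets[parsed[1]].append(parsed[0])
    return buckets

def detect_flood(lines, max_rps=5, min_sources=4):
    """Flag seconds with more than max_rps requests from at least min_sources IPs.

    A single IP hammering the server also exceeds max_rps but has one source;
    that is a DoS you can block at the firewall, not a distributed one.
    """
    alerts = []
    for ts, ips in sorted(bucket_by_second(lines).items()):
        if len(ips) > max_rps and len(set(ips)) >= min_sources:
            alerts.append({'time': ts, 'requests': len(ips), 'sources': len(set(ips))})
    return alerts

# Constructed sample log: normal traffic at :00, a flood from eight hosts at :01,
# and one single noisy client at :02 that must not count as distributed.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2009:13:00:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [04/Jul/2009:13:00:00 -0400] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
] + [
    '192.0.2.%d - - [04/Jul/2009:13:00:01 -0400] "GET / HTTP/1.1" 200 5120 "-" "-"' % i
    for i in range(1, 9)
] + [
    '198.51.100.7 - - [04/Jul/2009:13:00:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "-"'
] * 8

if __name__ == '__main__':
    for alert in detect_flood(SAMPLE_LOG):
        print('flood at %(time)s: %(requests)d requests from %(sources)d sources' % alert)
```

On a real server the thresholds come from your own baseline, and at 50,000 sources the log is the least of your problems; the point of the check is that "many requests" and "many sources" are different signals and you want both before calling it distributed.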

Posted by: scwoa | July 6, 2009

Top Security Myths

My top security myths, or security excuses, call them what you want.

I hear these all of the time from clients, and everyone believes them.

  1. We have a firewall, therefore we are secure.
  2. It is only a test server, it does not need to be secured.
  3. It's on the internal network, it doesn't need to be secured.
  4. No one would break in like that.
  5. Wireless signals do not leave the building.
  6. If we apply updates, all of our servers and desktops will crash.
  7. Virtual servers do not need anti-virus.
  8. Everyone else does security this way, why can't we? (If all of your friends jumped off a bridge, would you jump off a bridge?)
  9. You only need to audit our firewalls, you do not need to check the external web servers, those are secure.
  10. If someone broke into our network, we would know about it.
  11. Macs and Linux don't have security problems, never get hacked and don't need anti-virus.
  12. Firefox is more secure than Internet Explorer.
  13. Microsoft CAN'T be secured.
  14. A friend forwarded me an email, therefore it is true.
  15. Our former employees would not attack our systems. We trust them; even though we just fired them, we don't need to change passwords.
  16. No one would attack us, we are too small to have anything of value.

Posted by: scwoa | June 10, 2009

More on L0PHT Crack.

How to use L0phtCrack to audit passwords and break into systems. If you can get a password hash file, you can use it to start brute-forcing passwords.

Example:
A few names were changed to protect the clueless; everything else is the same.

I am a security professional, not a real hacker. I get hired to do real audits, and charge lots of money. If you want to hire me, check my web page…
http://www.scwoa.com

On a security audit, I was connected to the internal network. The client had invited me in, but I could have sat in the parking lot, because their wireless was wide open and put me right on their internal network. (It was 95 degrees that day, and inside they had free soda and bagels, so inside it was.)

The client had given me a list of machines to scan, all relating to their e-commerce store application. I had promised to be nice. :) I looked around at random; they had a lot of servers. There were so many servers, I almost did not know where to start.

I found a SQL Server machine, DBTEST1, where the local SA account password was blank. It was also local admin and SQL admin.

The client said it was just a test box, and nothing important was there. (A test box! My favorite. I love test boxes, no one watches them.)

I was able to use PWDUMP6 and dump the password hashes from that Windows server to my laptop. You might think that getting all the local account passwords was a waste of time, as I was already a local admin. Maybe, but this is where it gets even more fun. (For me, anyway.)

I copied the password hashes to another laptop where I had L0phtCrack 5 loaded. It was only a 1.8 GHz Pentium 4 with 512 MB RAM, running Windows XP. I ran some dictionary attacks against the hashes, and I got a little closer on some of the passwords. I then started a brute force attack against the hashes. It was trying about 5 million passwords a second, which I thought was really fast, considering I did not have a Cray supercomputer, just a stinky laptop.

After about 2 or 3 days, I had all the passwords. It was over the weekend, so I wasn't in a rush.

Now, most IT guys would say: so what, you still can't do anything, it's just local admin. Wrong. I can do a lot with local admin, including installing a keystroke logger to grab all the other passwords. In this case, I did not have to do that… This machine was in the domain; let's call it dmzdomain.com.

One of the users, let's call him jsmith, had a local admin account also called jsmith. I already had a good idea where the domain controller was; it was also the DNS server.

From the SQL server, logged on locally, I entered the following command:
net use * \\dcserver\c$ password /user:dmzdomain\jsmith

This worked. I had tried several accounts, but only one account and one password at a time. I did not want to trip any account lockouts, especially on domain admin accounts.

After I mapped that drive, the first thing I did was copy the Active Directory password hashes to my local computer. Then I logged into the DC and confirmed I was a domain admin.

P0W3ND ! ! ! ! !   1 4m 1337   

At this point, because I am one of the "good guys", I went and told my client, who started to have a heart attack.

So what was previously described as "boring", or "who would ever do that", or "it's on the internal network, we don't need to secure it", proved to be a blatant weakness. (I also dumped the SQL database and obtained credit cards, but that is another story.)

So, lessons to learn from this…
1) Don't have weak local admin passwords.
2) Don't use the same password for a local admin account as for domain admin.
3) Don't assume that because it is a test server, it has nothing of value.
4) Don't have unencrypted wireless, and don't put it on your internal network.
5) Have a password change policy in place.
6) Don't allow unknown laptops to plug into your network. Especially people like me… :)
7) From your internal network, don't allow unrestricted access to your DMZ. No, your internal network is not safe. Keep dreaming.
8) Don't put real data on your test boxes. (DB ADMINS – I am now onto you, stop hiding behind the test machine BS.)
9) Encrypt your credit card data.
10) Don't use lame SA passwords.

Had just lesson number 1 been implemented, it would have stopped the rest of it. I would have had to find another way in… but this way was too easy.

Posted by: scwoa | June 9, 2009

L0PHT CRACK IS BACK ! ! !

The old version, LC 5, was removed from the market by Symantec, and I thought it was gone forever.

I ran some attacks against some of my own servers… I dumped the hashes from the computers and then ran a dictionary attack.

I have a dictionary with 4 million words. Yes, 4 million words.

4 million words took about 124 seconds to test against all the passwords.

Dictionary attack, with one number appended (example: password1): 276 seconds

Dictionary attack, with two numbers appended (example: password99): 1 hour 3 minutes

Dictionary attack:

A dictionary attack is where you try every word in the dictionary as a password. The dictionary is usually just a text file full of words, such as apple, president, racecar, Steve, Monkey, etc. The bigger your dictionary, the better. In this case, the one I am using has 4 million words in it. These attacks are really fast; on my server, it was trying 30,000 passwords a second.

L0phtCrack is an offline password cracker. You will need to get the password hashes off the server first. As it is offline, your accounts will not be locked out, and the target sees nothing once the hashes have been dumped.

To get the password hashes, you already need some form of access to the server, such as root or local admin rights. L0phtCrack does not work against web server accounts; there are other tools for that.
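Both L0phtCrack posts (this one and the audit story dated June 10 above) come down to two facts about Windows NT hashes: they are unsalted MD4 over the UTF-16LE password, so a dictionary attack hashes each candidate once and compares it against every account at the same time, and two accounts with identical hashes have identical passwords, which is lesson 2 (local admin reusing the domain admin password) detectable with no cracking at all. The Python below is an added example, not code from the original posts or from L0phtCrack. MD4 is implemented inline so it runs on Pythons whose OpenSSL no longer exposes md4; the pwdump-style lines, account names and wordlist are constructed, and the only literal NT hash is the well-known hash of "password".

```python
import struct
from collections import defaultdict

# Added example, not from the original posts or from L0phtCrack.
# NT hash = MD4(UTF-16LE(password)) with no salt, so one hash of a candidate
# can be looked up against every account in a dump.

_MASK = 0xFFFFFFFF

def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK

def _md4_block(state, block):
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):   # round 1: X[0..15] in order, shifts 3,7,11,19
        a = _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):   # round 2: X[0,4,8,12,1,5,...], shifts 3,5,9,13
        k = (i % 4) * 4 + i // 4
        a = _rotl(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):   # round 3: X[0,8,4,12,2,10,...], shifts 3,9,11,15
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pad to 64-byte blocks, little-endian 64-bit bit length."""
    msg = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack('<4I', *state)

def nt_hash(password: str) -> str:
    return md4(password.encode('utf-16-le')).hex()

def parse_pwdump(text: str) -> dict:
    """Map account -> NT hash from pwdump-style lines 'user:rid:lmhash:nthash:::'."""
    accounts = {}
    for line in text.strip().splitlines():
        parts = line.strip().split(':')
        if len(parts) >= 4:
            accounts[parts[0]] = parts[3].lower()
    return accounts

def _by_hash(accounts: dict) -> dict:
    groups = defaultdict(list)
    for name, h in accounts.items():
        groups[h].append(name)
    return groups

def candidates(words):
    """Each word as-is, then with one digit appended (the 'password1' rule timed above)."""
    for w in words:
        yield w
        for digit in '0123456789':
            yield w + digit

def dictionary_attack(accounts: dict, words) -> dict:
    """Hash every candidate once; unsalted hashes let one lookup cover all accounts."""
    groups = _by_hash(accounts)
    cracked = {}
    for cand in candidates(words):
        for name in groups.get(nt_hash(cand), ()):
            cracked[name] = cand
    return cracked

def shared_passwords(accounts: dict) -> list:
    """Accounts with identical NT hashes share a password (lesson 2), no cracking needed."""
    return sorted(sorted(names) for names in _by_hash(accounts).values() if len(names) > 1)

# Constructed sample dump. The LM field is the well-known "empty LM hash" (LM
# disabled); the Administrator/jsmith NT hash is the well-known hash of
# "password"; the other two are computed here for the demo.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
dbtest:1002:aad3b435b51404eeaad3b435b51404ee:%s:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:%s:::
""" % (nt_hash('Monkey1'), nt_hash('Tr0ub4dor&3'))

WORDLIST = ['apple', 'president', 'racecar', 'Steve', 'Monkey', 'password']

if __name__ == '__main__':
    accounts = parse_pwdump(SAMPLE_DUMP)
    print('reused passwords:', shared_passwords(accounts))
    print('cracked:', dictionary_attack(accounts, WORDLIST))
```

Run the reuse check first: it costs nothing and, in the audit above, would have pointed straight at the jsmith local account sharing its hash with a domain account. The dictionary attack then confirms what the shared password actually is; svc_backup stays uncracked because its password is not in the (constructed) wordlist, which is the whole point of lesson 1.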

Posted by: scwoa | May 14, 2009

Part 2 – Tips to avoid Spyware

More tips on how to avoid spyware. 

4)        Run anti-virus and anti-spyware.

  • Good anti-virus packages: Symantec Corporate Edition and Trend Micro
  • Good anti-spyware packages: Malwarebytes (malwarebytes.org) and Ad-Aware from Lavasoft
  • Get these programs and keep them up to date.
  • You should run a full scan weekly.

 5)     Don't use online file-sharing programs, such as BitTorrent, LimeWire, etc.

  • Besides the fact that most of the stuff on these networks is pirated software or copied movies, there are also a lot of viruses and spyware you can download for free.
  • Free is not always free. You get a free movie; the cost is all the time you spend cleaning your computer, or having all of your passwords stolen.

6)      Don't believe all the emails you receive, even if they are from friends or relatives.

  1. Your bank is not going to suspend your account if you don't respond. Call the bank and ask them.
  2. That person in Africa does not need your help to get money out of the country.
  3. The IRS does not email you asking for your social security number.
  4. The popup on your screen does not remove spyware. Click it and more spyware gets installed.

7)      Use a Firewall

  • If your computer is at home, you should already have a hardware firewall, such as a Linksys router. It should be configured to block all incoming connections.
  • You also want a software firewall running on the machine. Windows Firewall works fine, and it is free. There are also third-party products you can buy, such as ZoneAlarm, Symantec, or Comodo.
  • Run ONLY one software firewall. Two software firewalls do NOT double your security; they conflict with each other, and often neither works.

 8)      Browsers

  • Are you still on Internet Explorer 6? Why? Upgrade to IE 7 or IE 8; a lot more security features have been added. Apply all the updates also. (See Part 1, Update your computer.)
  • Inside Internet Explorer, go to Tools, Internet Options, Security and set the Internet zone to Medium or higher.
  • You can use Firefox. This may cut down on some of your spyware, but it will NOT stop it completely. There is spyware that works with Firefox, and as more people use Firefox, expect more spyware to be written for it.

Posted by: scwoa | May 12, 2009

Tips to avoid Spyware

How to avoid getting malware, spyware and viruses.

I keep finding more and more malware infections on machines, and they are getting harder and harder to fix. In large corporations, we typically rebuild a machine, as it is faster than trying to fix the malware. In smaller places, we spend more time trying to fix the malware than rebuilding, because no one wants to rebuild the machine.

Really, I consider fixing spyware a waste of time, as it is always preventable. However, whenever I suggest some steps to prevent this stuff (such as removing admin rights), it never happens. So I get stuck fixing malware. In those famous management words: I am being RE-ACTIVE, not PRO-ACTIVE.

Below are a number of tips on avoiding malware. This is only the first part; there will be more tips later.

1)      STOP visiting porn sites

2)      Update your computer

3)      Don't log in as local admin

1)            Stop visiting porn sites. OK, I know everyone denies it, but half the time when I check your history, all these porn sites are mysteriously there. From my point of view, I really don't care; I just want to get rid of the malware.

Most of the free porn sites will load spyware on your computer. Consider the amount of time you will spend cleaning your computer, and then decide if it is really free.

2)            Update your computer.

Keep your computer up to date. Patch ALL of your software.

This includes Windows, Internet Explorer, Firefox, Microsoft Office, Adobe Reader, etc. If it is on the computer, it needs to be patched. At one client, who would repeatedly get viruses, we found that they had NOT patched any computers in over 2 years. After we patched them and brought them up to date, the number of malware infections went to almost zero.

If you are using the excuse "but these patches will break everything", you no longer have an excuse. Apply the patches. In the past few years, I have not seen any problems with applying patches, especially ones from Microsoft. If you are running an IT shop, go ahead and test them on a few machines before applying everywhere else.

You will spend LESS time applying patches to the whole company than you will fixing all the malware or rebuilding desktops.

3)            Stop running everything as the administrator.

When you are logged in as an administrator, it means you can do whatever you want: install software, change settings, format hard disks, etc. Sounds great, right? Well, it also means that when you use a browser and visit a web page, anything that page manages to run on your machine can also do whatever it wants. For most web pages, such as Google, Yahoo, CNN, etc., this won't cause any problems. They want you to go to their web page and visit them. However, a minority of web pages also try to load spyware on the computer, and as you are running your browser with admin privileges, most of that software will install automatically.

Solution: Only log in as an administrator, or make yourself an administrator, when you need to do something such as install software.

Attention PARENTS: DO NOT EVER GIVE YOUR TEENAGER administrative rights. Ever! Then all sorts of strange things happen, and all sorts of software and malware is mysteriously installed, and no one knows how it got there. (Magic, I think :) ) Then, when you take away administrative rights, all these problems stop. (Again, more magic, as teenagers deny everything.)
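Tip 3 is only enforceable if you know who actually holds local admin rights, which on a fleet of machines nobody does. As an added example, not part of the original post, the Python below audits the text output of the Windows command "net localgroup Administrators" against an allowlist and reports who should be removed. The sample output is constructed to match that command's layout, and the allowlisted names are assumptions for the demonstration.

```python
# Added example, not from the original post. Parses the output of the Windows
# command "net localgroup Administrators" and reports members that are not on
# an allowlist: the accounts to take admin rights away from. Sample output and
# allowlist entries are constructed for the demo.

ALLOWED_ADMINS = {'Administrator', 'CORP\\Domain Admins', 'CORP\\Desktop-Support'}

def parse_net_localgroup(output: str) -> list:
    """Return member names from 'net localgroup <group>' output.

    Members are listed between the dashed separator line and the trailing
    'The command completed successfully.' line.
    """
    members, in_members = [], False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith('----'):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith('The command completed'):
            break
        members.append(line)
    return members

def unexpected_admins(output: str, allowed=ALLOWED_ADMINS) -> list:
    """Members of the local Administrators group that are not on the allowlist."""
    return [m for m in parse_net_localgroup(output) if m not in allowed]

# Constructed sample in the layout 'net localgroup Administrators' prints.
SAMPLE_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Desktop-Support
jsmith
teenager
The command completed successfully.
"""

if __name__ == '__main__':
    for account in unexpected_admins(SAMPLE_OUTPUT):
        # The remediation the post calls for, printed for review rather than run:
        print('net localgroup Administrators "%s" /delete' % account)
```

Feed it the output collected from each machine (for example by a logon script) and you get the list of everyday users who are still administrators, which is exactly the set of machines where the spyware keeps coming back.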