April 20, 2009

Still think Mac is secure?

Over the past week, researchers have been investigating a new botnet consisting of compromised computers, all running the Mac OS. From what I can tell, this is a rather simplistic attack, where malware has been added to popular pirated software which users then installed and ran.

The Flaw

The major flaw here is the overwhelming overconfidence of Mac users, in my humble opinion. Many Mac users do not consider their computers to be at risk for infection, because Macs are rarely attacked. They seem to believe that this is because Macs are inherently more secure, rather than a result of the lower market share of the Operating System.

As a result of this attitude, many Mac users have not bothered to install/configure/update the basic software necessary to protect a computer, especially when downloading as untrustworthy software as pirated applications. The consequence of this is of course, that their computers were compromised.

The consequences

Compromised computers that have been added to the botnet in question have been used in Distributed Denial of Service attacks against various web sites, as the attackers behind this botnet rent the network out to third parties. Additionally, as the software accesses the administrator-level credentials for the computer, it is possible that attackers may be able to access and/or retrieve sensitive data from compromised systems.

More Information

Protecting Your World of Warcraft Account

I am writing this because over the weekend I have had another friend have their World of Warcraft account compromised. In this case, the attack was done using a Trojan (Win-Trojan/GameHack). World of Warcraft accounts are one of the most profitable things for hackers to steal. As compromises continue to increase, I feel like this is a good time to remind everyone of the steps that should be taken to protect your account if you play World of Warcraft or any other MMORPG. Of course, most of these tips go for everyone else too...

Viruses and Trojans such as GameHack can come from anywhere. One recent source that caused large numbers of accounts to be compromised has been flash-based ads which could bypass the security of any browser and install the virus. Sites about World of Warcraft, especially if they display ads for gold-selling services, should not be trusted. Here are a few steps you should take to protect your World of Warcraft account:

1. The right antivirus software is essential. Kapersky (expensive but worth it) Avast (free) and AVG (free) are among the best. AVG and Kapersky both pre-screen web pages before they are displayed in your browser. I typically recommend users avoid McAfee and Norton - they have become so popular that most viruses are designed to avoid or even disable them.

2. The next priority is to establish a strong perimeter. Your computer should NEVER be connected directly to the Internet. Even if you only have a single computer on your network, invest in a router. Routers add an extra layer of protection through their built-in firewall that prevents external systems from contacting your computer.

3. Next, establish a strong software perimeter. This is done by installing a software firewall on every computer on your network. Unless you share files between computers, each computer should be completely locked down. Even if you do share files or use other network features such as sharing printers, a software firewall can still protect your network. And no, the built in firewall on a Windows or Linux system is not sufficient. You need a firewall that monitors all network activity from every application on your computer. This will often give you the first warning of a virus on your system, and in most cases can prevent a keylogger from sending data back to the attacker. ZoneAlarm is a free, easy to configure firewall that provides comprehensive monitoring. Comodo Firewall is a good, albeit complex free firewall application that is not as user friendly as Zone Alarm, but which provides even more high-level application monitoring.

4. Finally, update everything. It is absolutely essential that you use the update function included with your Operating System. Patch your OS and your web browser as soon as updates become available. Your browser also must be kept up to date along with your antivirus software and firewall. Most of these applications will automatically update themselves.

5. Try alternatives. Firefox is generally considered more secure than Internet Explorer and can provide additional protection against Trojans. Combined with plugins that block scripts and Flash, you can create a browser so secure malware simply can't find a way to attack your system.

6. Use different passwords. Never use the same username/e-mail and password combination for any web-based service as you do for your World of Warcraft account. Login credentials can be stolen from other sites or even read in plain text by attackers and used to compromise your account.

7. Get the Blizzard Authenticator. According to Blizzard, no account using the Blizzard Authenticator has ever been hacked. They have been stolen by friends or relatives, but none have been reported attacked through keylogger means. The Authenticator is relatively inexpensive, and provides a great level of additional security.

There is no magic bullet when it comes to protecting your World of Warcraft account. There is some work involved in securing your system, but once that work is done, you can greatly reduce the risk of compromise.

April 13, 2009

Confiker Worm Update

Hello everyone. I just wanted to post an update on the Conficker worm, recapping the virus' activity following it's April 1 activation date. As expected, the virus did not cause major havoc when it updated. However, the worm has gotten stronger, and analysts are now able to identify several intended revenue streams for the hackers behind this worm.

When the worm updated on April 1, the first major development is that the virus began attempting to spread once again, while becoming even harder to remove from infected systems. The worm at this time has increased protection against users downloading anti-virus software. This can be demonstrated at the Conficker Eye Chart page from the Conficker Working Group.

In addition to the virus spreading and becoming harder to remove, Conficker has shown two revenue streams. First, some variants attempt to install scareware, fake antivirus software that installs its own malware while attempting to coerce the user to pay for the fake software. Second, other variants have formed into a botnet that researchers believe may be rented to spammers by the worm's authors. This has become one of the major purposes behind widespread viruses, as it allows the virus controllers to sell the computing resources of infected systems to spammers.

Fortunately, infection by Conficker can be prevented. As I have noted before, prevention is key - a strong software and hardware firewall and up to date antivirus, as well as regular operating system patches, will leave your system secure against this virus.

April 6, 2009

Security Seals

A wide variety of studies have been conducted over the last few years into consumer trust when making purchases online. These studies generally have found that consumers simply don't trust online checkout systems to be secure. To attempt to remedy this situation, a crop of certification providers have come to the "rescue", offering different types of seals that can be displayed on a web site to vouch for that site's security and trustworthiness.

Companies offering these seals point to research that indicates that using these seals can increase consumer trust and as a result increase conversion. In browsing the web, it appears that the use of these seals is increasing dramatically. But are these seals anything more than a fad like the hit counters of the early nineties? Do they actually mean anything? Is a site with a seal more secure than one without?

Types of Seals

The first thing you need to be aware of is that there is a wide variety of types of seals, which are granted based on different criteria. Some providers may issue multiple seals, one for each set of criteria.

Company Reliability Seals

Means: The company exists and has an address.
Popular providers: Better Business Bureau
A company reliability seal generally confirms only that the business exists at a certain address. Some certificates also require that the business agree to dispute resolution or be incorporated in a certain state, while others only require that the business have valid contact information. These seals convey no security information at all.

Data Encryption Seals

Means: The web site uses SSL encryption.
Popular providers: Thawte, Verisign, GeoTrust, Network Solutions
A Data Encryption Seal is often provided when purchasing an SSL Certificate. These seals are intended to be used to let visitors know that the site uses SSL to encrypt personally sensitive information. However, these certificates do not vouch for the security of the web site, or that the SSL technology is properly implemented, or even being used to protect the transfer of data.

Business Practices Seals

Means: The web site agrees to comply with certain best-practices
Popular providers: TRUSTe
Truste is probably the best known provider of business practice seals. Their seals are intended to certify that the site adheres to certain policies regarding the use and protection of customer data. These seals may require some oversight, however they generally do not guarantee that the certified site or business actually follow the best practices that they agree to.

Vulnerability Scan Seals

Means: The web site is scanned for vulnerabilities regularly
Popular providers: Control Scan, McAfee
These seals indicate that the site in question is scanned daily, weekly or quarterly for vulnerabilities. However, in general these scans only indicate that the certified site meets a minimum standard of security, and other sites on the same server may open the certified site to vulnerabilities. Although this is not a perfect type of certification, it is the best, and often most secure, of all the types. Sites with these seals generally take additional steps to protect the security of the information they store compared to other sites.


None of the certifications mentioned are an indication that a site is perfectly secure. And, as there is no overall governing body or set of standards which applies to the issuance of certificates, many different types of certificates have similar wording (an SSL certificate from GeoTrust typically says "verified secure", which can be confused with a Vulnerability Scan seal from many other providers, for example) and the standards to receive seals vary widely between providers.

Right now, security seals come down to an example of buyer beware. Although some seals do demonstrate that companies adhere to certain practices, or take extra steps to keep their site's secure, they do not guarantee that the site is 100% secure. There are even some sites (for example, Web Entrust and Trusted-Site) that provide seals for free and have minimal, if any, requirements.

From a business standpoint, seals are essential for the online business. Consumer Reports has indicated that up to 75% of online shoppers look for third party seals when visiting e-commerce web sites. Control Scan published statistics on their site indicating clients saw an average 14% increase in conversions when a seal was prominently displayed. Trust Guard takes that a step further, guaranteeing a 15% increase in conversions.

Customers are showing that they are inclined to trust, and prefer purchasing from, web sites which display these seals. However, I believe that these seals won't be as effective as they could be until there is some more standardization - a seal to certify the different certification seal providers perhaps?

Additional Resources

March 31, 2009

ADVISORY: April 1 Worm

April 1 Virus (common name)
Worm:W32/Downadup.gen (F-Secure)
Worm:Win32/Conficker (Microsoft)
Mal/Conficker (Sophos)
W32/Conficker.worm.gen (Symantec)

Malware - Worm

Distribution Methods
Shared media
Windows browser vulnerability MS08-067
Wireless hotspots

Timed virus with remote update capability
Most effects unknown


Conficker, commonly referred to as the April 1 virus by the media, is a worm targeting computers running Windows XP and Vista. Symantec estimates that the virus has infected over one million PCs. The virus has been reported as difficult to detect as it does not affect the infected computer. The virus is programmed to "harden" by securing itself on infected computers, disabling Windows and possibly anti-virus software updates, and downloading patches to increase the difficulty of removal on April 1.


Variants of this worm have been confirmed to disable or prevent the execution of antivirus installation utilities.


The vulnerability which enables infection from this worm has been patched by Microsoft. A strong software firewall, an up-to-date installation of anti-virus software and updated operating system should prevent infection from this worm.


If you have been infected by this worm, or would like additional information about this worm, please see the following references.

Update: Source Analysis

I have been reading up on some of the analysis of the Conficker.C source code, such as the review posted here. Together with the information provided at the Microsoft link above, I am getting a picture of some of the defensive capabilities of the software, and some of the things that may happen on April 1, when the software begins dialing out for updates. According to the analysis, the worm uses the Windows Operating System's internal mechanisms just as a browser would to resolve domain names and connect to external patch servers. However, the virus generates a list of 50,000 domain names to hide the actual location of the software creators' site. This tells me two things. One, there may be network slowdowns on April 1 from the large amount of traffic, especially DNS lookups, and two, it should be possible for software firewalls to easily identify an unrecognized application accessing the operating system methods for DNS and network connections. If that is the case, users will likely have warnings and the ability to prevent the virus from dialing home if they have a properly configured software firewall on the infected computer.

Update: Fake Patches

It has been reported that some computers infected with the Conficker.C worm have been patched to close the vulnerability that allowed the initial infection by the virus itself. It is being theorized that this has two goals; it prevents detection of the virus while it is dormant, and it prevents the system from being infected by other viruses and malware that could interfere in it's operation.

Many sites are advising that the easiest test to confirm infection is to attempt to visit www.mcafee.com, as the virus runs processes intended to prevent access to that site, and sites from several other anti-virus companies.

Update: Much ado about nothing

As I predicted above, April 1 was pretty quiet, with no major disruptions resulting from this virus.

March 30, 2009

Configuring Your Server for IE 8

Originally posted on Web Pro World.

Microsoft Internet Explorer 8 is designed to be more standards compliant than previous versions. As a result, certain hacks in web sites can cause those sites to display incorrectly in Internet Explorer 8. This can be addressed by forcing browsers to render your site in what is called "compatibility mode". The following instructions detail how to enable compatibility mode site wide, if your site is hosted on an Apache server.

Setting Compatibility Mode for all visitors on Apache

Enabling compatibility mode on an Apache server requires the ability to create and edit .htaccess files, and mod_headers must be installed on the server. Most shared and dedicated hosting plans should allow this.

Simply add the following line to your .htaccess file.
Header set X-UA-Compatible "IE=EmulateIE7"

Setting Compatibility Mode for everyone but the webmaster

If you will be testing your site, and want your own browser to work without compatibility mode, you can specify certain IP addresses that will not be shown the header.

First, create a list of IP addresses that should not have compatibility mode. Add the following line to the .htaccess file, changing to the appropriate address. Each IP address would require a seperate line.
SetEnvIf Remote_Addr webmaster

This assigns the code "webmaster" to each specified IP address. Now, you would add the compatability header, telling it to display if the visitor has not been given the "webmaster" code. This is done by adding the following line to the .htaccess file after the lines you added above.
Header set X-UA-Compatible "IE=EmulateIE7" env=!webmaster

Everyone not from the specified IP address will be put in compatibility mode by default. Those visiting the site from the specified IP address(es) can enable compatibility if they want, but it will be disabled by default.

Setting Compatibility Mode on IIS 7

If you have administrative access to your IIS server, you can add new headers by following the instructions here: IIS 7.0: Add a Custom HTTP Response Header

The name you need to specify is "X-UA-Compatible" and the value is "IE=EmulateIE7" (without the quotes).

Setting Compatibility Mode on other platforms

If you can not use the above method for any reason, you can add compatibility mode to each page by adding the following meta tag:
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

March 23, 2009

Securing a Linux Workstation

There seems to be an attitude that if you want a secure computer, all you need to do is install Linux (or MacOS, which is based on Linux) and you are all set, as secure as can be. This is not entirely accurate. It is true that there are less viruses circulating that target Linux systems. However, this is because Linux workstations account for a small percentage of the Operating System landscape. The viruses and malware that do target Linux systems, however, can be extremely devastating and difficult or impossible to recover from without significant loss of data (possibly requiring a reformat of the computer).

Many people believe that in order to secure a Linux system, all you need to do is keep the applications that are installed patched and out of the root userspace, and configure the built in firewall, then you are good to go. This may be sufficient for some low-security web server situations. However, on a workstation these steps are inadequate at best. Even servers that are dealing with a high level of untrustable content (such as an FTP, SMTP or Peer-to-peer server or even chat server) should take additional precautions.

The first step is to install a strong antivirus application. Although there are less known viruses that affect Linux in circulation, there are more known Linux viruses in existance - most hackers got their start on Linux systems. And as viruses become more adaptable and the operating system landscape more varied, there will be more potential for cross-platform infections. There is already malware in circulation that specifically targets Linux systems for use in botnets, and the last line of defense is anti-virus software.

The next step is to install a strong two-way firewall. On a production workstation, the firewall built into Linux is insufficient. Although the firewall will prevent incoming connections, it does nothing to monitor outgoing traffic. This is an important step in detecting and preventing backdoor attacks.

Next, it is essential to make sure that only software and services that you will actually be using have been installed on the system. This requires going through the services list on Linux and removing anything you will not be using. Most Linux installers have gotten better at not installing extraneous packages. However, some installers still install Apache on workstations, or FTP servers on home PCs. If you won't be using it, it shouldn't be on your computer.

Finally, make sure you have enabled the automatic patch system that is part of your Linux distro. This utility will run in the background and alert you to important patches for your operating system and much of your software. These patches range from security updates to performance and stability fixes. Expect to be applying patches 1-2 times a month. With the background updater, many patches may be applied without you needing to take any action at all. Be aware, however, that the background patch utility may not handle all of the applications on your system. You may need to manually update other programs.

March 16, 2009

Hiding Server Version Information

The less information an attacker has about a system, the more work that attacker has to do to find possible exploits, and the more chances Intrusion Detection Systems, firewalls and administrators have to detect the attack and stop it.

Given the version numbers of services running on a Web server, an attacker has an advantage in that the attacker can simply look up known vulnerabilities for that software and immediately attack them, without tipping off defensive systems with unsuccessful attempts. If the version numbers are hidden, the attacker has to guess, and try a variety of attacks, any of which might activate defensive systems running on the server. The following steps will allow webmasters to remove certain identifying information from Linux based servers. Some of these steps may not work on shared web hosts.

How the Information is Found

Before we go into hiding the information, it may be helpful to briefly discuss how an attacker finds the information in question. When a file is requested from a web server, the server attaches information about the document, called "headers", to the file. These headers contain information about the server software and the communication protocols involved in transmitting the document. This information is hidden from most web users, but can be viewed using various browser plugins, such as Live HTTP Headers for Firefox. The following are some sample headers that a web site might send when serving a page to a user:

1. HTTP/1.1 200 OK
2. Date: Tue, 24 Mar 2009 14:44:38 GMT
3. Server: Apache/2.0.55 (FreeBSD) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a
4. X-Powered-By: PHP/5.1.2
5. Expires: Thu, 19 Nov 1981 08:52:00 GMT
6. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
7. Pragma: no-cache
8. Connection: close
9. Transfer-Encoding: chunked
10. Content-Type: text/html; charset=ISO-8859-1
11. Content-Language: en-us

The important lines are 3 and 4, which contain the server and PHP version numbers. These give a potential attacker information about the Apache server, PHP engine and operating system.

Hiding the Information

The first step is to hide the Operating System information and Apache version numbers. This is very easy to do, and only requires the addition of a single line to the server configuration file or .htaccess file:
ServerTokens Prod

That simple line will change line 3 above into the following:
3. Server: Apache

That's it.

The next step is to hide the information about PHP. That is slightly more difficult. The following line in the server configuration file or .htaccess file will remove line 4 in the above example completely:
Header unset X-Powered-By

Using this directive requires that the mod_headers package be installed and enabled in Apache. In most systems, the module will be available.

Of course, if you really wanted to get tricky, you could add some fun headers as well.

Header set X-AspNet-Version "2.0.50727"
Header set X-Powered-By "ASP.NET"

This would make the server look to an attacker as though it were running ASP on a Linux system (which is not very likely).

March 9, 2009

Create a Secure Virtual Computer

There are many reasons you may want to create a secure, isolated test environment. You may need a place to check suspicious web sites and e-mails for viruses. You may need an isolated environment for forensic analysis of compromised hard drives. Or you might simply want a computer with all the default settings and software for testing web sites or applications without any development tools, addons, or other customizations affecting how the system works.
In these situations, the ideal solution is often the use of a virtual computer. This has several advantages over buying a dedicated computer for testing.
Advantages of Virtual Computers
  • If the Operating System is compromised, the virtual computer can be reset with the flip of a switch.
  • Because the virtual computer operates in a sandbox, the risk to your main system is limited.
  • The virtual environment can be closer to a default installation, without any settings changes or background applications that you may have on your system affecting your tests.
Download Microsoft Virtual PC
Download the Windows XP Test Image

March 2, 2009

Why Do People Hack?

A question I see asked frequently after a site is hacked is "why?" Why was this site targeted, why are sites in general hacked, what are the hacker's motivations? In my experience, people who attack web sites and servers tend to fall into three distinct groups.

For Profit

The first group compromises systems for profit. Their goal may be to steal information and ransom it back to the site owner, or to sell the information to other parties. They may instead use the mail systems on a compromised server to send spam, or as part of a network of compromised computers to spread malware. This is the most dangerous group because their activities have a financial cost to the owners of the compromised system, and attacks can often go undetected until it is too late.

For Recognition

The second group of attackers are the ones who compromise sites to gain recognition with other hackers. Their attacks are more obvious than those of for-profit attackers, because they want their attacks to be noticed. This is the group that defaces web sites, and frequently shares pirated software and media, which can also be used to build a reputation.

For Knowledge

The final group of attackers is the group that explores systems for the purpose of gaining knowledge and expanding their skills. Some find avenues to persue this as a hobby, either compromising sites to test their security with the permission of the owner of the site, or analyzing how different applications work and how they might be abused. This is the group that finds and reports many of the vulnerabilities that lead to patches and help keep information secure.

February 23, 2009

Protect Your Site By Hacking It

I frequently see comments on various security forums from webmasters after a compromise wondering how their sites could possibly have been attacked. In discussions with some of the webmasters that have been affected with some of these issues, I have found that most are unaware of simple and free steps that can be taken to help protect a web site. This is purely preventative, but when it comes to web site security, prevention is the most important element.
DISCLAIMER: This information is for educational purposes only. Check with your hosting company before using ANY of the software I mention to ensure it is allowed under their policies. Any misuse of this information, and any damage resulting from your use of this information is solely your responsibility.
One of the simplest and most important things to do is make sure you are on the mailing list for every piece of third party software you use so you know about security patches as soon as they are released. It is important to keep the software on your site up to date.
The next thing to do is hack your server. There are a few tools that malicious users use to find ways of gaining access to a web server. By using these tools yourself, you can find many of the same problems before you are attacked. Nessus is the most commonly used tool for finding vulnerable software on the Internet. In fact, this program forms the basis of most commercial vulnerability scanners and is available for free. Nessus can be downloaded from http://www.nessus.org/ although you need to register (for free) to get the program and updates. You want to download these updates so that every time you use the scanner it looks for the most recently known vulnerabilities.
Finally, there is a range of attacks that are hand coded. In most cases, these attacks are done by editing the requests sent to your server. This can be accomplished in two ways. The easiest is to install a Firefox plug-in (if you use Firefox) called HackBar. This can be installed from the Firefox plug-in library or by searching Google. This software allows you to edit the requests you send to a web server to test how well the server and scripts validate incoming data, while bypassing any security features of the web browser and any JavaScript validation. The other method is to install a proxy program called Paros Proxy. This program enables you to change the data being sent between your browser and the remote server, as well as seeing the raw data. This tool is also useful for testing redirects. A few searches on the web for “cross site scripting,” “SQL injection” and “buffer overflow” should give you plenty of ideas of things to try. This is the best way to test scripts that you have created yourself to ensure that those scripts are as secure as possible.
One often overlooked element of web site security is the validation of input on web forms. Javascript is useless for validating input, as the previous paragraph shows two easy ways to get around it. Your scripts should follow a simple formula: trust nothing, validate everything.
Bear in mind, all of the technology I describe is intended to demonstrate possible problems. This will not fix any issues. However, you should be able to find where you are vulnerable and make the appropriate corrections. Obviously this is no replacement for a full security analysis, but this will give you a starting point. Also, note that these methods are less likely to find security issues in custom made scripts. For that, you should consult a security consultant or a programmer who has experience securing applications in whatever programming language you are using.

February 16, 2009

E-Mail Forgery


E-mail forgery is the alteration of the headers of an e-mail to circumvent spam filtering, gain the trust of the recipient, or commit a crime such as identity theft. This is an easy thing to accomplish, it is very effective, and for webmasters there is almost no defense against this.

Symptoms - End User

Because of the way e-mail is displayed in most e-mail applications, it is virtually impossible to determine if an e-mail is legitimate, or if the headers have been forged. There are a few mechanisms that can be used to verify the identity of the sender, but these methods are out of the reach of the general public. Most of this technology has to be implemented by the Internet Service Provider.

Symptoms - Company

If your e-mails address is being forged, usually the only indication is "bounce messages". These are server messages that are sent in response to a bad e-mail address. For example, you may get a message saying that an e-mail address is invalid, but you have never sent an e-mail to that address.

How to Forge E-Mail Headers

There are a few different ways someone might forge the e-mail headers. The easiest, and frighteningly, a very effective method, is to simply change the reply-to address in your E-mail client before sending the message. Note that it is easy for an investigator to track these e-mails back to the sender.
The second method is to find an e-mail server on the web, establish a telnet connection to the mail server using forged credentials, and send the e-mail. This hides your actual e-mail address and makes it harder to determine your IP address. This is one of the more common methods, as spammers will use this technique to bypass spam filters.
The third method is to compromise a web site that sends e-mail, such that you can feed the web site a list of e-mail addresses, and let the server do the work. This very effectively hides your identity, and the messages from the compromised server will contain the headers associated with the company whose site was attacked. Because these e-mails are coming from the company web server, any authentication method that the recipient uses will allow the messages to pass through.


The first thing to do is ensure your server is as secure as possible. Make sure you are using strong input validation on all scripts on your web site, and make sure your e-mail server does not allow anonymous users to send e-mail. Also, make sure you log all access to scripts on your site that send e-mail, and log all traffic to your mail server so if a compromise does occur, you can track down the offender.

February 9, 2009

Securing a Server

The Problem

Simply put, the Internet is a dangerous place, and you (presumably) have a web server. Web servers, by default, are relatively insecure, presenting potential attackers with a variety of attack vectors (an "attack vector" is a way to attack a server or application). Fortunately, depending on your needs, it is usually easy to properly secure your server. For this example, we will be assuming you are using a Linux based server, and you are responsible for making sure that the server is as secure as possible.

The Attack

To understand how to secure your server, you have to have some understanding of how someone would perform the attack. This description is going to be based on someone who has located and targeted your server specifically, although most of what I talk about would also apply to a script kiddie doing general searches who happens to find your server.
The first step in attacking a server is to gather intelligence. The more you know about a server, the better able you are to find it's weaknesses and exploit them. The first step is to scan the ports on the server. Every application that allows external software to connect to it is called a service, and every service listens on a port for incoming connections. In this way, the operating system on the server can route incoming connections to the correct service/application. For example, if you have an Apache web server installed and listening for connections, it typically binds to port 80. When a browser requests a page from the server, the request goes to port 80.
A port scanner requests data from every port (or from selected ports) on the server. Based on the responses, an attacker can determine exactly what ports are listening for connections, and thus what services are installed on the server.
Once the services running on the server have been identified, the attacker then exploits known weaknesses in those services. Every service should be secured on it's own, and individual services are outside the scope of this article, but some important services are Telnet, FTP and HTTP. Your server will, under most configurations, allow connections to these ports, whether such access is needed or not, trusting the application's own security.

The Defense

The first step in protecting your server is with the firewall. A properly configured firewall will not allow incoming requests on any port that is not absolutely required. For example, a server being used to serve web sites typically only needs a few ports to be available to the public (80 and 443 for the web server, and 21 for FTP). Other ports may be required for administrative access, such as port 20 or 22 for remote command line functionality, or port 10000 for access to a web based control panel. The firewall should only allow traffic to these ports from IP addresses that are known to be trustworthy.
Next, if possible, an intrusion detection system should be installed. These applications detect suspicious behavior and block it at the firewall level. Hardware IDS devices are best, as they block the traffic before it ever reaches the server, but if that is not possible, software IDS systems can be very effective as well. The reporting functions can be invaluable if the server is ever successfully attacked, and most possible attacks will be thwarted before they ever threaten the security of the server.

February 2, 2009

Secure Redirects

Recently, SANS (a security certification organization) posted an article related to the exploit of the redirect system on Google. The exploit was used to hide URLs in spam e-mails. The article had a lot of detail on the attack, but didn't give much information about how to defend against this type of attack. Since redirect scripts are fairly common as they allow webmasters to track traffic on outbound links, I wanted to post some defensive information.

The Problem

You have paid advertising, or other types of outbound links on your web site, and to track the outgoing traffic you have installed a redirect page. The redirect page invisibly redirects users to the final destination after logging information about the redirect.

The Exploit

To exploit a redirect, you simply need to have a URL that you need to get past a filter, and a redirect that meets the requirements of the filter. For example, lets say you want to post a link to your web site in a forum that does not allow links to outside web sites. The forum does, however, allow internal links, such as those to other posts on the forum.
The first step is to find a redirector on the domain. So if you are posting on blog.com, you would browse through blog.com, looking at the various outgoing links until you find one that goes to a url like blog.com/redirect.php?url=www.somesite.com. This is the redirector. To exploit the redirect, you would replace the ad URL with your own URL - ie blog.com/redirect.php?url=myurl.com.

The Defense

There are a few defenses, but most of them have drawbacks. For example, you could set up the redirect script to only allow the redirect if the user came from another page on the current site. Unfortunately, many anti-spyware programs hide the referring page and would cause legitimate traffic from following the link.
Another option would be to use cookies. However, the same software may disable tracking cookies.
Possibly the most effective method would be to use a code based on the user's IP address. If you are using your redirects to track ads, and the ad code is dynamically generated you could add an extra parameter that contains the sum of the four segments of the user's IP address as a check. If the check is not there, or if it fails, the user would be taken to an error message instead of being redirected. An attacker creating a static link would be unable to create a working exploit because the URL changes for every visitor.

January 26, 2009

Security in a Shared Space

The Problem

When your network is located in a facility where you are the only business, physical security is easy. You can be reasonably sure that the only way someone can compromise your network is by defeating your perimeter defenses. Frequent scans, effective antivirus and properly configured firewalls and IDS software should be sufficient to secure such a network.
When your network is in a shared location, such as an office building, it is more difficult to ensure that your wired network is fully secure. This is because in many shared spaces network cabling runs through the offices of other companies. In addition, network resources such as servers and routers may be located in shared server rooms.

The Attack

There are two different types of attacks that are unique to a shared space. The first is unauthorized access to a server located in a shared server room. This probably presents the greatest risk because the attacker is able to access all of the resources on the server and may be able to install backdoors or other malware on the server.
The second type of attack is tapping, where a network cable passing through another business's space is cut, and a router is installed on the line. This would allow additional computers to be connected to the network.


The only way to detect unauthorized access to a network device in a shared location is log analysis. For example, a script should be created that transfers the authentication log (which records login attempts) to another location. This exported log file should then be reviewed frequently for suspicious activity. The server should also be checked to ensure that only required users have the ability to log on, and unauthenticated or guest accounts are disabled.
Detection of tapping is more difficult. Periodic scans should be performed to look for unexpected devices. These scans should include thorough port scans that will scan the IP in question even if a ping is unsuccessful.


The only way to prevent unauthorized access to a resource in a shared area is to lock the resource any time it is left unattended. The passwords should also be checked to ensure they are complex to protect against brute force attacks.
Tapping is impossible to prevent. However, the damage potential could be minimized or eliminated. First, routers and firewalls on the network should be, if possible, set to only allow traffic from devices with certain known mac addresses. This will prevent most attackers from accessing any resources on the network. Second, no resource on the network should be accessible to unauthenticated users, and all passwords on the network should be complex. Although an attacker would be able to use the network connection until a scan detects their access, they will not be able to gain access to the network's resources. Finally, regular scans should be run on outgoing traffic through the router. This will reveal the presence of any unauthorized devices.

January 19, 2009

Antivirus 2009 Case Study


Antivirus 2009 is a type of scareware that generates fake antivirus warnings, to trick users into installing malicious software on their computer. This malware is particularly aggressive, in that it demonstrates many of the latest self-protective measures in taking control of the victim computer. Once installed, the application will attempt to force the user to purchase Antivirus 2009, which is a fake antivirus application. Once purchased, the application will then install additional malware on the victim computer.

Infection Source

Most of the observed infections result from visiting a web site that has been compromised. On visiting the compromised site, the user's browser will display two popups, one of which covers the entire screen and emulates an anti-virus scan, and a second, smaller, script generated box that appears to be an antivurs scan report showing an infection. The warning is fake; at this point the user has not been infected.
If the user clicks on either of the popups, the program will install the virus. Internet Explorer, Mozilla Firefox, Opera and Chrome all seem to follow identical infection methods. It is unknown that the installer is able to exploit browser vulnerabilities to force an installation.

Results of Infection

Once the malware has been installed on the victim computer, the malware begins installing supporting software, and attaching itself to several processes. The first step in the infection seems to be the installation of a DNS server and a web server on the computer, which bind to The DNS server will resolve domain names of common antivirus manufacturers to the web server at
The next step appears to be the neutralization of antivirus software installed on the computer. In some cases, this is accomplished by redirecting the update mechanism of the anti-virus application to the fake web server on the computer to deliver empty or corrupt antivirus updates. In other cases, the existing definitions may be infected or corrupted, which results in the antivirus application appearing to work correctly, although it is no longer able to test for certain types of infections.
Finally, the malware attempts to disrupt the user's ability to access the internet. Traffic to security and antivirus web sites is redirected to the malware's internal web server. Opening a browser also triggers warning popups on a set delay. As the malware is able to bind to more processes, eventually the infected computer becomes unusable.
It is important to note an interesting self-defense capability of the malware, which is an executable killer. The malware monitors all processes looking for attempts to install antivirus applications. If such a process is detected, the malware is able to kill the process before installation begins.


The best case scenario is prevention. Testing indicates that Kapersky Antivirus, AVG and other packages that include a "Web Shield" type of component are able to prevent infection regardless of browser (I have tested this with Explorer, Firefox, Opera and Chrome) and fully mitigate the attack, with an appropriate warning.


Removal of the Antivirus 2009 malware is extremely difficult. Most malware will simply prevent the download of new antivirus software (which this malware is quite adept at). This can be circumvented by downloading the antivirus application on a clean computer and burning the software and the latest update file to a CD. However, in many cases this malware will detect the attempt to install the software. It is sometimes possible to prevent this by renaming the installer.
If antivirus is installed on the compromised computer, it will almost immediately come under attack by the malware. It is important to make sure the antivirus software has a self-defense feature to prevent the compromise of the definitions file. In some cases, antivirus software may need to be run dozens of times before the infection is fully cleared. Other times, a full reformat of the hard drive is the only option.
The following sites have detailed information on possible removal options:
Update (1/28/2009): Microsoft's recent Malware Removal update targeted this specific malware. More information about the update and the results of its use can be found here.

January 12, 2009

What To Do if you have been Hacked or Infected

Although I am writing this primarily for home computer users, many of the same principles apply for business networks. However, in a business environment, your IT department should handle cleaning the infection and checking the network for additional problems.

The Symptoms

How do you know if your computer has been compromised? It may be obvious - your computer might be displaying the incorrect pages when you browse the web, or it may be more subtle - your computer may be running slowly. I have had some friends tell me recently that their web-based accounts were hacked, but had not been accessed from any computer other than their own (possible keylogger).


The first step is to remove any and all hostile software that may be on your computer. This includes viruses if you have been infected, and backdoors if you have been hacked. If your computer is compromised, assume that your antivirus software was compromised as well. Uninstall it. From a clean (unaffected) computer, download the latest version of Avast Antivirus, AVG, or whatever antivirus software you have a license for, and burn the software onto a CD. From the CD, install the software on the affected computer. Update the software, run a full scan, reboot, scan again, until you are clear.


Once your computer is clean, you will need to secure the computer so this does not happen again. Download and install a high end firewall application (if you are looking for something free, Zone Alarm is one of the best free firewalls). Also, find and install a quality anti-spyware application.


Now that your computer is cleaned up and secured, it is time to mitigate the damage that could have been caused by the compromise. The first step is to secure your network. If you have any computers on the same network as the compromised computer, uninstall and reinstall the antivirus software, and rescan those systems to make sure any viruses were not transferred between systems. Also, any external backup media you use MUST be scanned before it is reused.
Finally, change all of your passwords on the compromised system, as well as all passwords that you used while using that computer. This includes all web-based e-mail systems such as GMail, social networks like Facebook and MySpace, your bank if you use online banking, etc. If your PIN number for any of your credit cards was on the computer, change the pin number. If any of your credit card numbers were stored on the computer, notify the banks that issued the cards.

January 5, 2009

Onion Security

Onion Security is a methodology for securing a network in layers, like an onion. This type of security approach helps keep the network insulated against attacks.

The problem

You have a medium to large network, consisting of internal workstations and externally accessible servers. There are multiple vectors of attack available to a determined attacker.
Most networks rely on security measures such as perimeter firewalls to protect the entire network. In an environment where new vulnerabilities are being discovered daily, such an approach is ineffective. If you rely on a firewall, for example, and a network user visits a compromised web site, and is infected by a virus, the attacker now has a way around the perimeter defenses. Once the perimeter is breached, what protects the remaining resources on the network?

The Solution

Onion security is implemented by securing every resource on the network. This includes strong perimeter security measures as well as strong internal protection. Of course, every workstation and server should have effective and up to date anti-virus software, but in addition each workstation should have it’s own software based firewall. Most of the workstations on your network do not need to be able to communicate directly with one another. The firewalls should limit communication between workstations, and only allow communication with servers. This should help limit the spread of viruses and intrusions to the network.
Access to server resources such as shared files should also be limited. Financial information should only be accessible to users in the Finance department, for example, and marketing files should only be accessible to marketing personnel. In this way, a compromise can be further controlled. If a marketing computer is compromised, for example, the attacker cannot access anything from the finance department. This provides yet another layer of protection.

January 1, 2009

Internet Security Review - 2008

2008 was an interesting year in the security field. Many things changed, from the way computers were being infected, to the goals of attacks.
  • New goals – Traditionally, malware had any of several goals. Hackers may try to commit identity theft, or to use a compromised computer as part of a botnet to send spam, or to steal usernames and passwords to online bank accounts. In 2008, however, it is estimated that between 50 and 75 percent of attacks were aimed at stealing online gaming accounts, mostly for World of Warcraft. Blizzard Entertainment (maker of WoW) has responded with numerous security advisories and enhancements, including the release of a hardware authenticator that can be used to lock down accounts. Blizzard has reported that 2008 saw the highest subscription rate as World of Warcraft became one of the most played games in history, and 2008 also saw the highest rate of account compromise.
  • New types of malware – In addition to the more familiar malware, such as adware, spyware, keyloggers and Trojans, two new classes of threats became common during 2008; extortionware and scareware. Extortionware is a class of virus that encrypts all files of a specific type on the infected system with a high level of encryption, and then gives the victim instructions where to pay to get the decryption key. Scareware infects the system with a fake antivirus system that warns the user of multiple infections, in an effort to coerce the user into purchasing the antivirus product, which is a fake application that installs keyloggers and other malware.
  • New methods of infection – Missing in 2008 were stories about widespread, net traversing e-mail viruses. Instead, most of the infections in 2008 resulted from hacked web sites. Even as search engines tried to combat the problem by warning users of potentially malicious links in their own results, the search engines themselves were used as a tool to spread infections, as forwarders on well known and trusted sites were abused to put malicious links at the top of the search engine results.
  • New ways to hide hacks – Hackers that attacked web sites employed new methods in 2008 to hide their attacks from site owners, abusing .htaccess rules on attacked sites to cause attack code to only be displayed to users following links from the major search engines. This method leaves the attack code virtually invisible to the search engine spiders that attempt to warn users about malware, and to the owners of the web site, who would rarely use a search engine to visit their own site, and would thus never be exposed to the attack code.
As the threats have intensified, new defensive measures began to gain popularity to combat the wide range of emerging threats.
  • Hardware authentication – To combat the high rate of account compromise, Blizzard became the first company to implement on a large scale a hardware authentication mechanism. Although similar technology has been proposed on smaller scales by banks for their customers, or implemented on a small scale by companies to secure internal information, 2008 saw the first major push by a large corporation to introduce and implement this technology.
  • Web site prescreening – Many of the larger anti-virus providers began incorporating technology to scan web pages before they were loaded by the visitor. For some systems, this meant that the antivirus company would check the page before it was requested by the user. For others, it means that the page would be loaded into a “secure” area of the computer’s memory to be scanned before being rendered by the browser. This helped alleviate some of the threat of hacked web sites. However, the technology still has not become prevalent.
As the threats have intensified, a robust, multi-tiered approach to security remains essential. Anti-virus software is no longer enough to protect a network. Numerous components working together are required to ensure the security of any system or network.
  • An external hardware firewall or router – The external firewall/router is the first line of defense for any network, hiding the network from drive-by attacks by blocking unsolicited incoming network traffic.
  • Internal software firewalls – All systems on the network should be protected by robust software firewalls that can monitor traffic between connected systems looking for suspicious traffic. Free software firewalls include Zone Alarm and Comodo Pro. The firewall included with Windows is not sufficient for this.
  • Strong Anti-virus – a strong antivirus application is required on every computer on the network. This software must be kept up to date, checking for updates at least once a day. One of the top rated Anti-virus applications currently is Kapersky. There are some highly rated free AV applications such as Avast!, however these applications generally do not have all the features of a commercial product.
  • Anti-Spyware – A commercial or freeware anti-spyware application should be run regularly to look for malware that might have been missed by the antivirus software. This can happen with new viruses, as malware may take days or weeks to be identified and added to the scan lists of different antivirus products.
  • Regular updates – As patches are released for security software, browsers, operating systems, and software, it is essential that they be applied immediately. Almost any vulnerable application can be used to attack your system, so patches must be applied as soon as they become available.
It is no longer enough to simply rely on your wits, avoiding potentially dangerous places on the web to stay safe. Any trusted web site can be compromised and become a threat to the safety of your computer and network. Only by keeping up to date with your patches and employing proper security measures can you protect yourself.
Its not paranoia. They are out to get you.


Welcome to my new blog. In this blog, I hope to address many of the network and Internet security issues affecting administrators and end users. My goal is to post new topics weekly, and I will respond to comments and suggestions regularly. If you have any suggestions for topics you would like to see addressed on this blog, please add a comment here.

Thanks for visiting. I hope you find the information on this blog useful.