May 01, 2014

MS14-021 Bulletin Patch released today for the Microsoft Vulnerability in IE

Microsoft went back on their word today, but in a good way: upon releasing the new update that patches a huge vulnerability in IE, they decided to cover XP users as well.

Good stuff, because Microsoft had previously decided it would not support XP users at all, since support for Windows XP has already ended.

This is in regard to my previous blog post here.

You can read more about the update that fixes this mess here: Microsoft Security Bulletin MS14-021 – Critical.

Posted in Windows
Apr 29, 2014

Microsoft Internet Explorer Vulnerability

This weekend Microsoft confirmed the presence of an Internet Explorer vulnerability, as well as active attacks against this vulnerability, in every version of Internet Explorer.

This vulnerability could be used to silently install malicious software without knowledge or assistance from the end user, by browsing to an infected site.

Microsoft is recommending that Internet Explorer users download and install their Enhanced Mitigation Experience Toolkit (EMET) version 4.1 along with other options.

However, it’s all a bit messy at the moment, considering these are workarounds: Microsoft really hasn’t developed a solution that cuts to the root cause of the problem as of 4/30/2014 (the date I wrote this amendment).

Option 1: Use an alternate browser until Microsoft issues a patch.

Updated 2nd Option (and probably the easiest if you don’t want to install anything): “Use Enhanced Protected Mode”. Note: this may not be on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11, as some sites have claimed. I checked it on two browsers and 2 out of 2 had this option disabled. How to enable Enhanced Protected Mode (or check to ensure it’s enabled): Protection strategies for the Security Advisory 2963983 IE 0day (new link updated 4/30/14 – it better describes the mitigation strategies Microsoft previously advised the public to perform).

3rd Option:  Download and install/configure the EMET 4.1 toolkit, which is provided here: http://www.microsoft.com/en-us/download/details.aspx?id=41138

4th Option (updated 4/30/14): Block access to VGX.DLL. This file is a conduit for the attacks, not the root cause of the problem: the attackers use it to launch the attack, but if it’s blocked it can’t be utilized, so blocking VGX.DLL breaks one link in the chain the attack needs. Not really my favorite, as this seems a bit messy in the long run compared to the other solutions.

More information about EMET can be found here: http://support.microsoft.com/kb/2458544
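As an added example (this is not code from the original post), here is a PowerShell script that reports whether the workarounds from options 2 through 4 above are in place on a machine. It only reads state and changes nothing. The registry location used for Enhanced Protected Mode, the EMET service name, and the vgx.dll paths are assumptions about how these components are normally installed, not values taken from the post; the vgx.dll check covers the deny-ACL form of the workaround and a missing file, not an unregistered-but-readable copy.

```powershell
# Added example, not from the original post. Audits the IE workarounds described
# above. Registry paths, service name and file locations are assumptions.

function Test-EnhancedProtectedMode {
    # Assumption: Enhanced Protected Mode is stored as Isolation = "PMEM" under
    # the Internet Explorer "Main" key; a policy value under HKLM wins over HKCU.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
                     'HKCU:\Software\Microsoft\Internet Explorer\Main') {
        $v = (Get-ItemProperty -Path $key -Name Isolation -ErrorAction SilentlyContinue).Isolation
        if ($v) { return ($v -eq 'PMEM') }
    }
    return $false   # value absent: EPM is off
}

function Test-EmetInstalled {
    # Assumption: EMET 4.x registers a Windows service named EMET_Service.
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Test-VgxBlocked {
    # Microsoft's workaround either unregisters vgx.dll or denies "Everyone"
    # access to it. Both the 64-bit and 32-bit Common Files copies are checked.
    $paths = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' } |
        Where-Object { Test-Path $_ }
    if (-not $paths) { return $true }   # no copy present at all
    foreach ($dll in $paths) {
        $deny = (Get-Acl -Path $dll).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone*'
        }
        if (-not $deny) { return $false }   # at least one copy is still readable
    }
    return $true
}

$report = [ordered]@{
    'Enhanced Protected Mode enabled' = Test-EnhancedProtectedMode
    'EMET service present'            = Test-EmetInstalled
    'vgx.dll blocked (ACL or absent)' = Test-VgxBlocked
}
$report.GetEnumerator() | ForEach-Object { '{0,-34} : {1}' -f $_.Key, $_.Value }
```

Run it in a normal (non-elevated) PowerShell session; reading these keys and ACLs needs no administrator rights. A `False` on any row means that particular workaround is not in place on the machine.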

As always, be mindful of your Internet surfing habits and the sites that you go to.

Do not click on links in unsolicited email or from people who you do not know.

If you mouse over a link and the address it shows differs from what is presented on the screen, do not click on it, even if it is from someone you know.

Note:

Bad:  If you are using Windows XP, this vulnerability WILL NOT be fixed, as Microsoft is no longer supporting XP.  🙁

Good: Linux and UNIX users need not worry… 🙂

References:

  • http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
  • http://blogs.seattletimes.com/microsoftpri0/2014/04/28/cert-recommends-use-of-other-browsers-until-internet-explorer-vulnerability-patched/
  • http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx

Posted in Information Assurance, Windows 7, Windows 8
Mar 01, 2014

How to encrypt your files and raise the bar to protect your data? – Part I

OK, with all the Big Brother government stuff that has been going on for years and has been hitting the fan in the media (especially with the Snowden disclosures), a lot of people are wondering how they can protect their data (or at least they should be wondering how to protect their data).

Bruce Schneier (the industry expert in cryptography) states… cryptography works… the NSA can only attack it by cheating.   Watch the video in the link above to see what I mean.  

By the way… welcome to my Surreal Paradigm – a vision that has been created by those seeking power over us.  Decide what pill to take Neo… continuing to read and continuing to educate yourself “is a symbol – of your desire to return to reality.”

Thanks for returning to reality.

So… three words to protect yourself better: “encrypt your data”.

Encrypting your data will make it harder for someone to access/read it, or change it without your knowledge.  This only works if you keep your password safe, use good password standards (in other words use pass-phrases), and you don’t forget your password.

However, before we venture into encryption we really need to think of what we need to encrypt.

Think about your data in general and you will find that there are some things that matter to you, such as personally identifiable information (PII) like financial statements (your budget), social security numbers, software license keys, etc.  Then there are other things that don’t matter to you, such as text help files, installer files for programs, etc.

Create two basic categories: things that are important to you, and things that are not important.

In other words, think about the things that are important to you.  These are the things that could be used against us by an attacker, and they are the things we really need to encrypt.

Since I run all different types of operating systems I like tools that work across them all, meaning Linux, Windows, and Mac OS X.  This means if you create an encrypted file in any one of these operating systems, you should be able to open it in another.  This is good in case you decide to stop using Windows and move to another platform like Mac OS X or Linux.  It also works out well if you utilize multiple operating systems at work, home, and play.

With that said one Personal Security Product (PSP) comes to mind that will encrypt your data while pissing off the NSA, and that’s a good thing.  That program is TrueCrypt (dun dun dun). Because if you can piss off the NSA, you know you’re doing something right in terms of security.  🙂

By the way… Bruce Schneier also trusts TrueCrypt – a program I will show you how to use in a Part I and Part II series.  This is part 1 of the 2 part series and a good place to start.

So how do I encrypt my files?  Part I  

Well for this tutorial we are going to focus on Windows because that is the most popular OS in the world and I feel Windows people may need more help in terms of security because of that. So, I’ll focus on Windows 8.1.

The best thing is TrueCrypt is free…. however I urge those that use TrueCrypt religiously to support and donate to the project just as I have done to software products I use religiously.

There’s a shared governance in them providing this software for no charge, but there is also a shared governance in us supporting the projects that protect us, as it helps keep the publishers updating the product.

Things you’ll need:

  • Internet Connection
  • Computer with Windows 8 on it
  • Administrative access to the computer

1. Go to “http://www.truecrypt.org/”.

2. Click on the “Downloads” page link.

3. Find “Windows 7/Vista/XP/2000” and click on the “Download” button.

4. Download and save the file to your desktop so you can find it.

5. Click on “Run”.

6. When the User Account Control (UAC) prompt pops up, click “Yes”.

7. Click on “I accept the license terms” and click on “Next>”.

8. Click on “Install” and click on “Next>”.

9. Click on “Install”.

10. Click on “OK” to acknowledge that TrueCrypt was installed.

11. Click on “Finish”.

12. I would recommend you read the tutorial and click “Yes” to learn more, but if you want to continue to Part II of my tutorials I’ll also show you some of the same material.

13. You should now be able to right-click on the “TrueCrypt Setup 7.1a” icon and choose the “Delete” option; since you have already installed TrueCrypt you can remove this file and empty your recycle bin. Make sure you select the proper icon, as the installer icon has a shield on it.

14. When you’re done you should have only the “TrueCrypt” icon on your desktop.

OK, now that TrueCrypt is installed, please stay tuned for my follow-up article on how to use TrueCrypt aka “How to encrypt your files and raise the bar to protect your data? – Part II”.

Posted in Information Assurance, Security Tutorials, Windows 8
Feb 28, 2014

How to remove NetBIOS from Windows 8 & 8.1 like a bad tooth…

OK, in my last article I talked about the steps to perform to remove NetBIOS from Windows 7, so this time I’ll talk about removing it from Windows 8.

Yes, Microsoft has even left this silly service enabled on its latest operating systems in 2014.

So just a refresher, this is why NetBIOS is considered one of those things that you should remove from Windows based computers:

  1. When used with the default settings your computer comes with, it can be used by bad guys to help gather information about your computer and network.
  2. It is a rather noisy protocol that creates a lot of overhead on your network, taking up resources and slowing it down.

I also included a screenshot from Nessus, a vulnerability scanner we use, taken while scanning a Windows 8.1 system for possible holes:

NetBios Nessus Scan Win 8

Since NetBIOS isn’t used on modern networks, we recommend turning it off.  It is just one less piece of the puzzle that an attacker may utilize to formulate an attack.

Since Windows 8 and 8.1 still come out of the box with NetBIOS enabled, it is recommended you turn it off.

Here are the steps to disable NetBIOS in Windows 8 and 8.1:

1. Within Metro (the interface you use when you first log into Windows 8) type “Control Panel” and click on the “Control Panel” icon.

2. Change the Control Panel’s “View by:” setting to “Large icons” so we can be on the same screen.

3. Find and click on “Network and Sharing Center”.

4. On the left side of the screen find “Change adapter settings” and select it.

5. Right-click on the network adapter and select “Properties”.

6. You may have to scroll down, but find the “Internet Protocol Version 4 (TCP/IPv4)” item and click on it.

7. With “Internet Protocol Version 4 (TCP/IPv4)” selected, click on the “Properties” command button.

8. Click on the “Advanced…” command button.

9. Click on the “WINS” tab.

10. In the “NetBIOS setting” section select “Disable NetBIOS over TCP/IP”.

11. Click on the “OK” command button.

12. Click on the “OK” command button.

13. Click “Close”.

14. Close out of your network connection window if you only have one network card. If you have more than one network card, repeat steps 5 – 13 for every adapter, including wired and wireless.

Try out your settings and ensure they work before changing anything else.  This way you ensure that disabling NetBIOS hasn’t caused any issues.  It’s always better to err on the side of caution.

If you find you are having problems after disabling NetBIOS, you can always change the setting back.  However, most modern-day networks prefer to leave this setting off, and in IPv6 NetBIOS isn’t an option at all.

Posted in Security Tutorials, Windows 8
Feb 26, 2014

How to execute NetBIOS with extreme prejudice…

Fact: there is a legacy protocol that comes enabled out of the box in every version of Windows in use that I know of, and it’s called NetBIOS.  To me it is a dangerous protocol because it divulges too much information to the bad guys.

If you’re running Internet Protocol version 4 (IPv4), then you probably have it enabled.  The good thing is that Internet Protocol version 6 (IPv6, the latest) doesn’t have NetBIOS, but the bad news is… both IPv4 and IPv6 come enabled on Windows computers.  For this reason this guide tells you about NetBIOS and how to disable it in IPv4.

See, Microsoft focuses (like most manufacturers) on making everything work, so they end up leaving crap like this turned on that 99% of us will never use.  It’s up to us to educate ourselves, test turning stuff like this off, and learn that we can live without it.  That process is called host hardening, and it makes it harder for attackers to get in.

Why should you disable NetBIOS?

1. When used with the default settings your computer comes with, it can be used by bad guys to help gather information about your computer.  I know this first hand because, as a good guy, I taught penetration testing for a number of years, where we used programs that would interrogate NetBIOS to give us information about our network and users.

2. It is a rather noisy protocol that creates a lot of overhead on your network, taking up resources and slowing it down.  Don’t believe me? Ask one of those geeky hard-core guys at work that spends all day sitting in the network closet… 9 out of 10 will agree, and the one that doesn’t agree is probably chemically imbalanced.

For home users I recommend simply disabling this protocol, as it won’t affect anything if you are running newer operating systems like Windows 7 and up.

Here’s how you disable NetBIOS in a Windows 7 machine.

  1. Click “Start”, then point and click on “Control Panel”.
  2. Select View by: “Large icons” so you may see the same thing I see.
  3. Then in the Control Panel find (you may have to scroll) and click “Network and Sharing Center”.
  4. In the right pane click “Change your adapter settings”.
  5. Right-click on your “Local Area Network” and select “Properties”.
  6. Under “This connection uses the following items:” click on “Internet Protocol Version 4 (TCP/IPv4)”.
  7. With “Internet Protocol Version 4 (TCP/IPv4)” highlighted, click the “Properties” command button.
  8. Click on the “Advanced…” command button.
  9. Click on the “WINS” tab.
  10. In the “NetBIOS setting” section select “Disable NetBIOS over TCP/IP”.
  11. Click on the “OK” command button.
  12. Click on the “OK” command button.
  13. Click “Close”.
  14. Close out of your network connection window if you only have one network card.  If you have more than one network card, repeat steps 5 – 13 for every adapter, including wired and wireless.
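The WINS-tab setting that the Windows 7 steps above and the Windows 8 steps in the previous post both change is the per-adapter `TcpipNetbiosOptions` value (0 = default via DHCP, 1 = enabled, 2 = disabled). As an added example that is not part of either post, here is a PowerShell script that reports the setting for every IP-enabled adapter, disables it on all of them in one go (so multi-adapter machines are not missed), and, after the reboot, checks that the NetBIOS name and session service ports are no longer bound. The listener check uses the `NetTCPIP` cmdlets available on Windows 8 / Server 2012 and later; the WMI part works on Windows 7 as well.

```powershell
# Added example, not from the original posts. Reports, disables and verifies
# NetBIOS over TCP/IP on every IP-enabled adapter.

function Get-NetbiosState {
    # 0 = use DHCP/default, 1 = enabled, 2 = disabled (the WINS-tab radio buttons)
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, Index, IPAddress, TcpipNetbiosOptions
}

function Disable-Netbios {
    # Equivalent to choosing "Disable NetBIOS over TCP/IP" on each adapter.
    # -WhatIf only lists what would change, which is the "test on a few
    # machines first" approach recommended in the post.
    param([switch]$WhatIf)
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -eq 2) { "$($a.Description): already disabled"; continue }
        if ($WhatIf) { "Would disable NetBIOS on: $($a.Description)"; continue }
        $r = $a.SetTcpipNetbios(2)        # 2 = Disable NetBIOS over TCP/IP
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        '{0}: return code {1}' -f $a.Description, $r.ReturnValue
    }
}

function Test-NetbiosListeners {
    # After the reboot the name service (UDP 137) and session service (TCP 139)
    # should no longer be bound on the adapters you disabled. Requires the
    # NetTCPIP module (Windows 8 / Server 2012 and later).
    $udp = Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue
    $tcp = Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        'UDP 137 bound'     = [bool]$udp
        'TCP 139 listening' = [bool]$tcp
        'UDP 137 addresses' = ($udp | ForEach-Object LocalAddress) -join ', '
        'TCP 139 addresses' = ($tcp | ForEach-Object LocalAddress) -join ', '
    }
}

# Typical sequence (run from an elevated PowerShell prompt):
Get-NetbiosState | Format-Table -AutoSize
Disable-Netbios -WhatIf          # dry run first
# Disable-Netbios                # apply, then reboot
# Test-NetbiosListeners          # verify after the reboot
```

`SetTcpipNetbios` needs administrator rights, and a `ReturnValue` of 1 means the change is stored but only takes effect after a reboot, which is why the listener check belongs after the restart rather than immediately after the change.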

If you are worried about it, disable NetBIOS and do some testing. Don’t change anything else until you’ve fully tested and if you find something wrong then you can always enable it.

In a workplace I would recommend you test this by disabling the NetBIOS setting on a few computers and expanding it out to more over time.  I ran into a problem with authentication years ago when we tried to disable the NetBIOS protocol on client computers, where certain users couldn’t log in to the domain.

We then made some changes and now we have no problem disabling NetBIOS. Other professionals have claimed to have trust issues with legacy Active Directory (AD) environments that utilize Windows 2000/2003 trusts.  Trusts are also bad, especially if you are using them on legacy operating systems like Windows 2000 and 2003.

If you actually took the time to realize that NetBIOS is needed on old butt computers like Windows 98 or XP to allow you to browse the Network Neighborhood… again, it’s time to upgrade to Linux Mint on that old computer, or buy new hardware if you can’t run Mint.

Posted in Security Tutorials, Windows, Windows 7
Feb 23, 2014

Exporting and Importing Hyper-V guests…

“I’ve seen things you people wouldn’t believe…” [laughs] attack systems firing on our Hyper-V guests beyond the shoulder of our firewalls, I watched photons underline the Heisenberg uncertainty principle. All those moments will be lost in time, like photons that have been intercepted… Time… to write.

It took about a year for someone to infect the first virtual machine in a way that we couldn’t get antivirus back onto it, so what I needed to do was delete the old machine and restore a new one.

Using our Windows hypervisor we were able to do just that without any problem, by creating an exact replica of a currently working virtual machine and importing it back into the Hyper-V host.

Here’s How I Exported and Imported the Hyper-V Guest

1) Log in to your hypervisor as an administrator.

2) Open the Hyper-V Manager (if’n you don’t know how to do this without a graphic… I’m worried).

3) Right-click on the Hyper-V guest you would like to clone and select “Shutdown…”.

  • Note: Shutdown powers off the machine gracefully, whereas “Turn Off” simulates you pulling the plug… not gracefully.

4) Select “Export…”.
5) Select a location to export the guest to… in the picture below I just used the variable x… but you will need to figure out a drive that has enough space to export to and create the directories yourself. I recommend just a general directory, as the export will automagically create a directory named after the machine you are exporting.


  • Note that after you clicked on “Export” there is a “Cancel Exporting” option under your virtual machine’s “action pane” on the left side.

6) You now have to wait for the export to finish (the exporting status shown in the manager will go away) before continuing to the next step.

  • Also, if you right-click on the machine that you are exporting you’ll get an option “Cancel Exporting”.
  • Do not click on cancel; just wait. Exporting may take over an hour depending on the size of your virtual hard disk and how slow your Hyper-V server is… (yes, despite what your partner may say… size does matter).

7) Now is a good time to observe what you have just exported. There are three directories exported with every virtual machine, along with a config.xml file.

They are as follow:

  • config.xml: Contains the virtual machine settings. Don’t butter it up son… it is what it is.
  • Virtual Hard Disks: This is where your virtual hard drive(s) (aka .vhd files) are stored. This is by far where most of the time is spent during an export, copying the data over.  Note: If you have two virtual hard disks with the same name but in different locations prior to the export… the export will fail. That is why it’s a best practice to have different names for each hard drive connected to the same Hyper-V guest.
  • Virtual Machines: This is where your virtual machine settings are stored, in an “.exp” file. This .exp file uses the “virtual machine ID” Globally Unique Identifier (aka GUID) as the name of the file and thus will change for every different machine you export. If the virtual machine was in a “saved state” when exported, a .vsv and a .bin file will be exported to this subfolder as well.
  • Snapshots: Basically any snapshots of this virtual machine will be stored in this folder.
  1. If you have no snapshots, this will be empty.
  2. If you do have snapshots, it will contain a .exp file for each snapshot the virtual machine had. It will also contain a folder named after each snapshot ID, and in those folders will be the saved state files. Finally, a folder named after the Virtual Machine ID will contain the differencing disks used by all of the snapshots associated with the virtual machine (aka .avhd files).

8) Note, you may now copy/move/backup this directory if you would like.

  • Keep in mind you can also perform steps 1-6 for the bad virtual machine to keep it in case you want to delete it from the disk and still retain a backup.
  • You can also backup any data on the bad virtual machine and restore it later to the new virtual machine using a backup utility.
  • After the export was completed, I took the time to move the Hyper-V copy we just made to another directory for the restore. I also made sure I had a backup of the bad virtual machine in case I needed it later to restore or reference. Then I deleted the bad virtual machine from the Hypervisor and the disk after it was backed up.

9) In the Hyper-V Manager right-click on your server and select “Import Virtual Machine…”.

10) You need to make a decision for this one.  These options change based on your server version:

  • “Move or restore the virtual machine (using the existing unique ID)”: Select this only if you want to move the machine from one server to another and discontinue the use of that machine on the old Hyper-V host.  Remember I talked about the GUID above? Well, they have to be different, and thus, like Highlander, “There can be only one”. If you select this option and you continue to use the original machine you just copied, you will run into issues. This will be bad not only if you are keeping the machine you copied in production.  It would be equally as bad if someone decided to fire the original machine up again later with the same settings as the cloned machine!
  • “Copy the virtual machine (create a new unique ID)”: This is what I selected.  Select this if you want to replicate a machine (clone it) and keep the existing machine running. Doing this will create a new MAC address. However, the Hyper-V name will remain the same and you’ll need to change it.
  1. Duplicate all the files so the same virtual machine can be imported again”: Depending on your version of Windows you may have an option you can select that will duplicate all the files and simulate a copy of that virtual machine so you don’t have to manually copy it. Note this will take longer if selected.
  2. I manually just copy and paste my files to do this and it works fine. I actually like to manually do copy the files we just exported as it places the files right where I like them.
  • When you are done selecting your options, click on “Import” and wait for the progress bar to finish.

11) Change the name of the virtual machine to make it unique so you may identify it in the Hyper-V Manager. To do this, right-click on the virtual machine you want to rename, select “Rename…”, and then type in the new name.

Other things you may want to do if you made a copy of the machine and the machine you copied is still in production:

1. Connect to the virtual machine and turn it on.
2. Disconnect the network adapter (so you don’t remove the other machine you copied from the domain)
3. Disconnect the machine from the domain and reboot
4. Rename the machine and reboot
5. Enable the network adapter (so you can join the domain)
6. Join the domain and finish anything else you want to finish.
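The whole flow above (graceful shutdown, export, import as a copy with a new unique ID, rename, then isolate the clone from the network before it touches the domain) can be driven from the Hyper-V PowerShell module. This is an added example, not the author's procedure or any Microsoft sample; it assumes Windows Server 2012 or later (the post's screenshots show the older `.exp`/`config.xml` export layout, whereas these cmdlets expect the exported `.xml` or `.vmcx` configuration file), and the VM name, switch name and paths are placeholders.

```powershell
# Added example, not from the original post. Requires the Hyper-V module
# (Windows Server 2012 or later) and an elevated prompt on the Hyper-V host.
# All names and paths below are placeholders.

$SourceVm   = 'GoodGuest'           # known-good guest to replicate
$ExportRoot = 'E:\HyperV-Export'    # a drive with enough free space
$NewName    = 'GoodGuest-Clone'
$VmRoot     = 'D:\HyperV'           # where the imported copy should live
$SwitchName = 'External'            # virtual switch to reconnect later

# 1) Graceful shutdown, as in step 3. (Stop-VM -TurnOff is the "pull the
#    plug" variant mentioned in the note.) Then export; Export-VM creates
#    <ExportRoot>\<SourceVm>\ with the Virtual Machines, Virtual Hard Disks
#    and Snapshots folders described in step 7.
Stop-VM -Name $SourceVm
Export-VM -Name $SourceVm -Path $ExportRoot

# 2) Locate the exported configuration file (.xml on 2012/2012 R2, .vmcx on
#    2016 and later) and import it as a COPY with a NEW unique ID, so the
#    original guest can keep running ("There can be only one" GUID).
$config = Get-ChildItem -Path (Join-Path $ExportRoot "$SourceVm\Virtual Machines") `
              -Recurse -Include *.xml, *.vmcx | Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
             -VirtualMachinePath (Join-Path $VmRoot $NewName) `
             -VhdDestinationPath (Join-Path $VmRoot "$NewName\Virtual Hard Disks")

# 3) Rename the clone (step 11) and disconnect its network adapter BEFORE
#    first boot, so it cannot collide with the original on the domain.
Rename-VM -VM $clone -NewName $NewName
Disconnect-VMNetworkAdapter -VMName $NewName
Start-VM -Name $NewName

# 4) Inside the guest (not on the host), the post-clone steps are:
#      Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
#      Rename-Computer -NewName $NewName -Restart
#    then reconnect the adapter from the host and join the domain again:
#      Connect-VMNetworkAdapter -VMName $NewName -SwitchName $SwitchName
#      (in guest) Add-Computer -DomainName 'example.local' -Restart

Get-VM -Name $SourceVm, $NewName | Select-Object Name, State, VMId
```

The final `Get-VM` line shows the two guests side by side with different `VMId` values, which is the quickest way to confirm that `-GenerateNewId` actually took effect before the clone goes into production.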

Kind of makes me think of Blade Runner:


“Replicants are like any other machine – they’re either a benefit or a hazard. If they’re a benefit, it’s not my problem” – Deckard

With that said… good bye old hazardous virtual machine replicant! We now have replicated a beneficial one to replace you!

I just hope that new one doesn’t come back to kill me… yikes!

Posted in Windows Server
Feb 22, 2014

Autochk cannot run due to an error caused by a recently installed software package.

If you wish to skip this story and find the solution… just go to the “Here’s what I did to fix it:” section – otherwise carry on.  Also you can perform this fix on different versions of Windows as long as you can boot into it on another disk that has the chkdsk program on it.

So… during my normal routine of maintenance of applying patches on servers, I also perform error checking and defrag the servers when I find the time.  In addition, I automatically set my servers to run a defrag during the week usually when nobody is logged in.

Servers like normal Windows computers also get stuffed up from time-to-time and I find that defragging not only the Hyper-V Windows Servers but the Hyper-V Guests helps out as well with the overall performance of each machine.

When I did a reboot on the Server that runs a specialized application (that of course I knew nothing about -as I just took over) I uncovered this error message upon the reboot:

autochk error

Autochk cannot run due to an error caused by a recently installed software package.  The message goes on to give me some advice to restore the system from a prior point… bla bla bla.

Well, I’m thinking… I have no clue what the heck has been done to this box (slang for server) before me.  Not to mention there’s a database with critical data on it that I don’t want to risk losing in case the restore point screws everything up – not that Microsoft would ever mess anything up when you listen to them… nuck nuck nuck.  😉 -> BTW that means I’m joking… I know, bad geeky humor.  🙂

What made this error so bad is after I fixed it… it took a long time for the server to defrag.

Remember when I said earlier that I set all my servers to automatically defrag?  This one was no exception however, due to the Autochk error the automatic “Disk Defragmenter” was stopped from running.  Thus the Autochk error negatively impacted the overall performance of the machine housing a critical application.

Here’s what I did to fix it:

1) Find the Windows DVD and insert it into your drive… keep in mind that if you’re performing this method on a Hyper-V guest machine you’ll be better off using an ISO image file instead, as it’s faster.

2) Restart the machine and boot from the Windows DVD. Normally you’ll have to press a key… any key, after the BIOS POST.  That’s it.  If you don’t get the option to press any key… go back to #1 and make sure the DVD isn’t damaged; you may also have to set your computer to boot from a DVD in the BIOS and try again.

3) When you see this screen click “Next”.

4) Click on the words “Repair your computer”.

5) Select the “Use recovery tools…” option and note the drive letter of the disk you want to perform a check disk on.  Click “Next” when done.

Note: The recovery options will display the version of the operating system along with the size of the partition and the drive letter.  The drive letter is not the normal drive letter you have when you’re in the machine, because you booted from the installer DVD.  For example, my drive letter is normally C: but after booting from the DVD the drive letter is now D:

6) Select the “Command Prompt” option.

7) At the command prompt type:  chkdsk /f d:

Note:  d: is the drive letter you wish to check, and this may be a different letter for you.  See step 5 for how I derived that this was the disk I wanted to run chkdsk (aka check disk) on.  Also… using the /f switch “forces” the check disk to work.

8) When the check disk is completed you should see a screen that looks something like this (note the numbers, etc. may change, but you’ll be back at the command prompt):

9) Close down the DOS (Disk Operating System) prompt window by clicking on the “x” and reboot into the operating system you just repaired.  Don’t boot from the DVD again; at this point you can pull out the DVD.

This is basically how I fixed my problem and now I can perform defrags, and the world is all better.

I’ve seen a lot of articles saying you have to uninstall software, etc.  However, this method is cleaner and keeps you from erasing stuff you may need.

Posted in Windows Server
Sep 07, 2013

Mac and Linux users beware… our OS(s) are becoming more popular (that’s not necessarily good)!

It has been about a year or so since the latest Java cross-platform (operating system) attack hit the main news, and yet I still know of people that refuse to run malware protection, not only on Macs but on Windows PCs.  To me, not running malware protection is the equivalent of running around naked, because things are still heating up in regard to cross-platform operating system (OS) attacks nowadays.  These attacks can come from a weakness in the operating systems themselves, or through an application that was installed on the operating system.

Apple, Linux, and others are all competing to be number 1 using different marketing styles.  I always tell my students that technology companies such as Apple need to watch what they’re asking for as they aim for the top.

For example, being the most popular operating system (OS) on the block has its price.  W3schools rates Windows as having 82.3% of the operating system market according to the people that visited their site over 9 years (August, 2013).  Mac only has 9.2%, followed by Linux at 5%.  Windows, according to the w3schools website, is therefore the most popular operating system.  The fact that anyone in security should know is that Windows is also the most attacked and most criticized operating system in this galaxy, and I believe that is due to its overall popularity.

Students in my class may remember that I predicted malware attacks on Macs rising several years ago; in 2011, a few years later, we had Mac Defender (really a lame implementation of malware… but others have come since then).

The fact of the matter is that I started to realize how much more apt students are to carry Mac computers just before I made the statement about malware for Macs increasing.  It is a fact I attribute to security and the supply and demand of cyber attacks: as the popularity of particular systems rises (in this case Macs), the probability of attacks on them increases as well.

I also predicted that attacks on the Mac will get increasingly worse after the first couple of attacks, as attackers (what the media calls hackers) are just testing the waters.  I’m still saying it years later…

Let’s talk about the event that occurred a year ago… the media filled the web with stuff about Java exploits that were coming out and impacting the Apple community, along with other exploits against Microsoft Office for Mac.  Apple wants their customers to think that they have a perfect system; however, systems are like people and thus far from perfect.  Perhaps because people make them, and we’re not gods after all (no matter what technology company leaders may think).

Just like the biological systems that make up our bodies, no biological system is 100% immune to certain types of attacks.  This carries over to computer systems as well, and thus no computer system is immune to attacks.  For example, releasing gas on humans may have the same effect on their systems as releasing malware on multiple computer systems that will destroy the computers.

I use all types of computers, having supported Windows for over 15 years and still continuing to do so.  Some fellow Apple users, impressed with their shiny Macs, told me all through my Information Assurance training “Macs don’t get viruses”; well, they’re right.  It’s really a play on words.  Even after the first rootkit appeared for Mac in early 2009, Mac users kept telling me we don’t get viruses (well, they don’t… those are old news, and the chances of Windows getting viruses have decreased as well).

credit to the image creator (Victor Habbick)

In order to understand a rootkit (remember that thing that could infect Macs as of 2009?), imagine your brain gets infected, thus controlling your entire biological system through a zombie virus I just created. Like a zombie, that infection is now controlling you and is able to lie to your immune system by telling it everything is working fine. In fact, if you inject antibodies to try to fight the infection, your body probably won’t do anything because my infection is part of, and controlling, everything. In fact I may just program it to lie to the antibodies and say everything is all right. That’s what a rootkit does to an operating system… much worse than a virus. Please also note that in my analogy to zombies, rootkits are different from a zombie-infected system (we’ll save that for another article). In most cases antivirus may not detect the rootkit unless it’s scanned from a different machine or removable media, like with a Kaspersky Rescue Disk (Linux based tool… used for cleaning Windows), or Microsoft Standalone Sweeper (again for Windows).

I always recommend people to back up their data and reload their system if they get a rootkit infection, because it leaves too much bad stuff behind and you never know if you got it all. There are other tools out there for detecting rootkits embedded in Linux and Unix (Mac included with Unix) because even my other favorite operating system, Linux, is susceptible to rootkits. Note… to detect rootkits you usually have to boot to another system that isn’t infected to detect the infection on the system that is infected.
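The “boot to a clean system” advice above is the basis of what is usually called cross-view detection: list and hash the files from inside the running OS, then list and hash the same disk from a clean rescue boot, and compare the two views. The following Python is an added illustration written for this page, not the author’s code or any rescue disk’s own tooling; the two directory listings are constructed sample data and the paths and file contents are invented for the example.

```python
import hashlib

# Constructed sample data (not from the post): two views of the same system
# directory. LIVE_VIEW is what the running, possibly rootkitted OS reports
# to a scanner; OFFLINE_VIEW is what a clean rescue system sees when the
# same disk is mounted. Contents are short stand-ins for real binaries.
LIVE_VIEW = {
    "/usr/bin/ls": b"ls-binary-v1",
    "/usr/bin/ps": b"ps-binary-v1",            # the rootkit serves the clean copy
    "/usr/bin/netstat": b"netstat-binary-v1",
}
OFFLINE_VIEW = {
    "/usr/bin/ls": b"ls-binary-v1",
    "/usr/bin/ps": b"ps-binary-TROJANED",      # what is really stored on disk
    "/usr/bin/netstat": b"netstat-binary-v1",
    "/usr/lib/.hidden/rk.ko": b"kernel-module", # hidden from the live listing
}


def fingerprint(view):
    """Map each path to the SHA-256 of its content, so the two views can be
    compared by hash instead of by copying whole files between systems."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in view.items()}


def cross_view_diff(live, offline):
    """Cross-view comparison. Anything the offline view has that the live
    view lacks was hidden from the running OS; anything whose hash differs
    is being served differently than it is stored; anything only the live
    view shows is a phantom entry. Lists are sorted so results are stable."""
    live_fp, offline_fp = fingerprint(live), fingerprint(offline)
    hidden = sorted(p for p in offline_fp if p not in live_fp)
    phantom = sorted(p for p in live_fp if p not in offline_fp)
    modified = sorted(p for p in live_fp
                      if p in offline_fp and live_fp[p] != offline_fp[p])
    return {"hidden": hidden, "modified": modified, "phantom": phantom}


def report(diff):
    """Human-readable summary; returned as text so callers can log it."""
    lines = [f"{kind.upper():9} {p}" for kind, paths in diff.items() for p in paths]
    return "\n".join(lines) if lines else "no discrepancies between views"


if __name__ == "__main__":
    print(report(cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)))
```

In practice the live fingerprint is saved to removable media before rebooting, the disk is mounted read-only from the rescue system, and the offline fingerprint is taken there. An entry that exists on disk but not in the live view, or that hashes differently in the two views, is exactly the kind of finding that warrants the backup-and-reload the author recommends.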

Even now Apple users would state that the security problems they have are not because of the Operating System, but the Applications from other vendors.  So Mac friends, you don’t get viruses… but you can get much worse as a rootkit is a total compromise to the heart of the system and this could occur without any other software letting it in.  In fact the easiest way to break into a computer is to simply trick the user, something attackers already know.

Now where were we… the attacks I was used to seeing during the mid 90s and up to 2006 started to migrate from network-level attacks to application attacks on the Windows side. Really, at this point Windows and Mac are no different in the way they are both now being attacked. The playing field is beginning to level out and I’m seeing it more and more, just like I did with Microsoft operating systems. My heart is sinking, because I too remember a time when on Windows I didn’t need antivirus! I’m not trying to say this to be a jerk to anyone… so please let me explain, as I don’t take sides in Operating Systems, nor am I trying to spread Fear, Uncertainty and Doubt (FUD).

We have to be prepared and that’s the point I’m trying to make with this blog entry.

credit to the image creator (renjith krishnan)

I got involved in teaching Computer and Internet Security over at the college. That forced me to take on Unix and Linux… and I’m actually happy it did. I always wanted to but never could professionally learn the other operating systems due to time constraints; however, I’m at a point now where I’m fully comfortable with the main ones. I also want to be the best teacher and support professional I can be, and that’s why I never want to be product specific.

Having this insight only helps me understand more about the mixed Operating System environment we all live in, and truthfully I don’t understand why people take sides with Operating Systems.

Operating Systems really don’t matter so much anymore, as most of the stuff we want to do is available on every OS… and it’s mostly web based. To extend it further, there are services/programs in each of these operating systems to make them compatible with some of the other operating systems. For example, Linux has Wine (my favorite subject in another light) for supporting some Windows applications inside of Linux. Plus, virtualization of hardware makes it possible for us to run a program that will emulate most operating systems legally on Linux, Mac (note Apple only lets you run virtual Mac OS X installations on their hardware), or Windows. Basically running virtual/fake computers inside of physical computers, like running Windows inside of Mac or Linux.

This learning has turned into a passion that spans multiple technologies, and I feel enlightened because of it. With that said, I’m very humble… I have a long way to go, I’ll never know everything… and I don’t feel I’m that good.

credit to the image creator (Idea go)

I recently sold two Mac Pro 1.1 2006 towers to purchase a new Mac for my kids (my Linux and Windows friends make fun of me at this point)… so that’s the new computer in the house. Like most technology gurus, there are more computers than humans in my house (some custom built, some laptops, lots virtual, and some collecting dust in the basement). 🙂

I love Mac and Linux just as much as I love (yikes as my Linux and Mac friends would say) Windows. They have all matured to a point where I can appreciate them and use them interchangeably to a point (my limitations, but not for long!).

I even have fun teaching Network concepts across Linux and Windows… however the thing I loved most about Mac is the polished feel to the operating system opposed to Linux (but watch out… it’s very close… and you’ll pry my Linux system from my cold dead hands).  Truth of the matter is all three systems have helped me while supporting each other.  I can’t tell you how much data I’ve been able to recover using Mac and Linux (tons – that is if we could weigh binary).

credit to the image creator (Danilo Rizzuti)

It just frustrates me to see the other OSs suffer attacks like the ones I’ve had to put up with for the last 20 something years… you know, the malware (not viruses… but viruses are a small subcategory of malware). Even Windows doesn’t deserve the malware… no OS really does. Windows just got hurt due to the fact that they have the customer base, meaning more people and, most importantly, businesses use it. Develop one attack and then whammy, you’ve got a maximized payout potential because you infected multiple machines when you attacked the larger customer base.

A couple years ago I stated it was going to happen little by little for Mac, and now a couple years later here we are… Java and Microsoft Office exploits… etc. etc. In fact we even know of a cross-platform downloader virus that checks the operating system it is trying to infect to decide which version of software it can infect the target computer with.

credit to the image creator (jscreationzs)

If you take anything from this entry, be prepared, my friends in the Linux and Mac world, they’re coming for us too… Just remember that nothing is perfect, and be on guard for people trying to manipulate you to install something, steal your information, or try to extort money from you… even from a friend’s or family member’s hacked account that owns a Mac or Linux machine. The only way to beat this is to be on guard and continue training ourselves like soldiers train for battle.

You can always browse to the IA Education, Training and Awareness website right here and click on any of the number of topics to help you get a head start on online training for free! Please do this for yourself and society. No strings attached, because I care for you and for every system out there (biological or technological). Together we can slow them down. We need to be harder, better, faster, stronger (to quote Daft Punk) than we currently are today. We also need to accept the fact that all operating systems, including Macs, are vulnerable like our own biological systems. It just makes sense.

Finally, we need to take that training one step further and put countermeasures in place.  These countermeasures need to be implemented by the designers (first and foremost) of the operating systems and ourselves mentally, logically via the software (applications and operating systems) we control, and physically by securing ourselves along with our computers to ensure that all Operating Systems will continue to have a bright future.

Posted in Information Assurance | Leave a comment
Aug 16
2013

Was taking the Security+ test without studying a dumb thing to do?

Well, I have been teaching security classes for a while now and telling students I could pass the Security+ test if I wanted to without studying. I decided to take the Security+ test and, to live up to my words… I didn’t study. I really had no time to study; I’ve been working on a rather intense project at work, and I had to take the test by a certain date. This is the first time I ever assumed the risk of not studying on a professional certification test.

I have other credentials that qualify me for the job, but I would still get the “you’re stupid” look from students when I told them I’m not Security+ certified, especially when I said it’s a good idea to get it. There have also been a few jobs in my time I’ve been turned away from due to a lack of certifications… even though I hold a Master’s degree and am certified in a few things including security frameworks. Being turned down is rather frustrating, especially since there have been other jobs offered to me along the way that I’ve turned down because I didn’t want them. We all live through it… but just remember… it doesn’t make us less awesome.

See, I may be an instructor, but I too don’t like taking tests. That’s the main reason I don’t want to take certification tests… I know, lame… however my attempt at the test proves I’m changing. The testing process is always rather stressful, and that creates a rather unpleasant situation for me physically. Most times I study my butt off for tests only to discover I totally slammed the test and possibly wasted more time studying than on other things that are important to me in life.

I know… you’re probably thinking… so did you pass?  Well I did pass despite listening to the voices in my head, and with that said… the Security+ is a pretty good test from an instructor point of view.  It was my experiences I’ve had over the 15+ years that carried me through the test… so it’s not a blow off.  With that said, I’ve been dabbling in security research in some way or another since I was eleven years old – and that’s a long time.

First of all… this is not an extensive list… but rather a list of “Dave’s Top 10” items I learned from taking the Security+ test. These items don’t factor in what I already expected or learned from experience. I’ve had two days to reflect since I passed the test… and with that said, here are my second thoughts on the Security+ test from a fresh point of view (students always ask this):

1) One of the best test taking strategies I’ve used has been to actually diagram the sentences in my head for multiple choice… which the majority of the test seems to be (I learned this when taking my ITIL certification). Knowing the subject and action words in the sentence, and throwing out superfluous information along the way that just adds “fat” to the question to confuse the tester, helps answer the question properly.

2) You should really understand your attacks and it goes deeper than just the general terms.  Example:  It’s not enough to know what Phishing is… you need to know that Pharming is a DNS – Based Phishing Attack, Vishing is a telephone form of phishing, Smishing is a cell phone text messaging form of phishing… etc.  Ya… they put questions and answers on there like that and ask you to pick one of the terms.  The majority of the answers for a question are related.  Good luck if you study only lightly… 😉

3) The first part of the test really psyched me out as there were at least 5 scenario types of questions. I was looking at the clock, then getting worried as I was only 5 questions into the test. The problem is I had another 70 questions to go and all had to be done in 90 minutes!!! Those scenarios involved matching up terms for the different types of attacks (and they had more things to choose from than you could answer), giving you two different types of devices along with countermeasures to protect them (and telling you that some countermeasures may apply to both) – there were 2 like this…

4) The thing that hurt me the most is the fact that there were a lot of port number related questions on the exam that relate to authentication services, and other common and not so commonly used service ports. In some questions I had to actually type in the port numbers (for firewall scenarios) and there was no drop down selection box for it… They asked for stuff like what is the port for TACACS, TFTP – I always remember this one… :), etc. These port numbers did not stay under 100 either… they went up into the higher hundreds, like with LDAP 389 TCP/UDP… yes, you should know TCP and UDP or both for firewall scenarios.

5) If you’re like me you’d probably get geeked out like I did when they gave me a scenario to determine which network device failed securely. In that scenario, they provided me with images of the devices and logs to analyze. I did well on this one, but the test was timed and I had to resist the urge to inspect the rest of the logs on the devices after I found the solution. I wanted more!! LOL… that relaxed me as I knew I was made for this test and I was really enjoying it instead of stressing on it.

6) You should know stuff like your authentication services and which of the authentication services relate to the actual port numbers (Kerberos was a selection and can use multiple ports…) for traffic on computers. Most books give definitions of services, but they fail to give you the actual port numbers in the descriptions that they normally may utilize.

7) Remember this is not just a Windows only test, they had UNIX questions baked into the test as it relates to service ports, etc.  It really pays to be open to all types of operating systems.

8) I stress this in class, but remember there is a difference in testing scenarios such as vulnerability tests and penetration tests… They are not the same thing… also there are methods we can use to ensure we test systems without harming them. Know these things explicitly.

9) Know your PKI components and how they all relate like CAs, RAs, certificates, etc.

10) Yes they go there and talk about 802.1x and stuff like that… along with RADIUS and other access controls that are popular.
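Items 4 and 6 above are really about the same thing: a firewall rule is a protocol plus a port, not just a port, so a service that listens on both TCP and UDP needs both covered, and rule order decides what actually gets through. The following Python is an added example written for this page (not the author’s or any vendor’s firewall code) using the standard well-known port assignments for the services named above; the Rule format and the first-match, default-deny semantics are assumptions chosen to mirror common firewall behaviour.

```python
from dataclasses import dataclass

# Well-known service ports (standard IANA assignments). Several services
# listen on both TCP and UDP, which is exactly what trips people up in
# firewall scenarios.
SERVICE_PORTS = {
    "tacacs+":     {("tcp", 49)},
    "tftp":        {("udp", 69)},
    "kerberos":    {("tcp", 88), ("udp", 88)},
    "ldap":        {("tcp", 389), ("udp", 389)},
    "ldaps":       {("tcp", 636)},
    "radius-auth": {("udp", 1812)},
    "radius-acct": {("udp", 1813)},
}


@dataclass(frozen=True)
class Rule:
    """One line of a first-match firewall policy (hypothetical format)."""
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int

    def matches(self, proto, port):
        return self.proto in ("any", proto) and self.port_lo <= port <= self.port_hi


def rules_for(service, action="allow"):
    """Build one rule per (protocol, port) a service actually uses, so a
    'permit LDAP' intent becomes both a TCP and a UDP rule."""
    return [Rule(action, proto, port, port)
            for proto, port in sorted(SERVICE_PORTS[service])]


def evaluate(rules, proto, port):
    """First matching rule wins; anything unmatched is denied (default deny).
    Returns (action, matching_rule_or_None)."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action, rule
    return "deny", None


def audit(rules, service):
    """Show, per listener of a service, what the policy actually does to it."""
    return {(proto, port): evaluate(rules, proto, port)[0]
            for proto, port in sorted(SERVICE_PORTS[service])}


if __name__ == "__main__":
    # A rule that only names TCP silently breaks LDAP clients that use UDP.
    tcp_only = [Rule("allow", "tcp", 389, 389)]
    print("tcp-only policy for LDAP:", audit(tcp_only, "ldap"))
    # Deriving rules from the service table covers every listener.
    print("derived policy for LDAP: ", audit(rules_for("ldap"), "ldap"))
    # Order matters: a specific deny placed before a broad allow still blocks
    # TFTP, while TACACS+ and Kerberos pass and RADIUS (above 1024) is denied.
    ordered = [Rule("deny", "udp", 69, 69), Rule("allow", "any", 1, 1024)]
    for svc in ("tftp", "tacacs+", "kerberos", "radius-auth"):
        print(f"{svc:12}", audit(ordered, svc))
```

The audit function is the useful habit here: instead of reasoning about a rule set line by line, ask it what happens to each listener of the service you care about, which is also the quickest way to spot a protocol you forgot.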

With that said, not killing myself over-studying for another exam… I found this the most pleasurable testing experience I ever had. My body didn’t tense up, and I was smiling going into the test and laughing going out because I had so much fun.

Call me a masochist but I just love Security!!!  🙂

Posted in Information Assurance, Uncategorized | Leave a comment
May 10
2012

Cyber attackers can come in many forms, even resorting to contacting victims in person

I just heard from my wife today that my neighbor received a call from a possible computer attacker on the phone last night.

Borrowed from: http://www.itgovernance.co.uk/visible-statement-infosec-awareness-tool.aspx

The scam is that the potential attacker cold called my neighbor (the potential victim) in order to ask her if they could clean her computer. The problem is, my neighbor didn’t know this person, and it’s kind of strange to get a call like this out of nowhere. The attackers stated they were from Microsoft and wanted to help her. She highly doubted this claim, as she knows the likelihood of Microsoft cold calling her to clean her computer is slim.

The problem with this is you don’t know who these people are, and after you let them in to touch the computer, the attackers can impregnate it with one or multiple malicious payloads (backdoors, worms, rootkits, oh my!). Don’t be surprised when they use big names like Microsoft, Apple, Symantec, or any of the other household names in computer products that we have become accustomed to hearing. The other thing is that this attack isn’t new, and it has been used for years… however… think about it. It must work in order for the attackers to spend their resources (time and money) on this attack if they are still calling people trying to trick them into infecting their machines!

Just like when you have someone work on your taxes, you need to be picky with selecting the computer repair person to help you with your PC.  The problem is that an attacker acting as a technician can take control of your computer and do whatever they want – if they are not trustworthy.

The unethical computer market actually gets paid for creating what are called “botnets” of thousands or millions of computers. Buyers that want to control those botnets for malicious deeds like taking down websites can actually rent these computers from the original people that infected them. Thus there is actually an underground industry that promotes the infection of large numbers of PCs that this is all potentially leading back to. They also may be data mining your PC to get account numbers, social security numbers, etc.

Borrowed from: http://compusics.blogspot.com/2011/11/social-engineering-always-part-of-full.html

This isn’t the first time I’ve heard of not so nice people out there infecting machines in person or via the phone. They are hinging on a good ol’ fashioned version of social engineering to gain control of your computer.

Social engineering is the manipulation of human behavior to trick a victim into doing something they wouldn’t normally do. Social engineering could be used for a majority of things, from child abductions all the way over to computer crimes. In most cases it allows the attacker to gain access to information, systems, or areas that the attacker wouldn’t normally have access to. In this case the potential attacker was socially engineering themselves to be Microsoft, and thus banking on the fact that the person would trust Microsoft and let the attacker infect the victim’s computer. Keep in mind that the attacker isn’t going to come out and tell you who they are… they’re going to act like someone you know and try to use tactics to win your trust.

The reason why this type of attack is so alarming is that 1) people expect computer attacks to come through the computer, not people. This expectation of computers only attacking computers actually (2) lowers the defenses of potential victims when they receive the request via a phone (or in person) to fix the victim’s computer. By lowering the defenses of the victim, the attacker inversely increases the chance of the attack succeeding. To the attacker it’s a win-win situation, oftentimes thinking that if the victim is foolish enough to fall for the attack, then they deserve it. It’s the same reasoning that is used by mass murderers and other criminals on the web, as the attackers psychologically begin to demean victims with insults to make themselves feel better about doing bad deeds.

Please spread the word to never trust someone who cold calls you telling you they want to fix your computer, now that you know.

Borrowed from: http://yasirtariq.wordpress.com/2011/09/15/social-engineering-an-information-security-issue-in-a-corporate-world/

Keep in mind there are other stories out there where attackers infected computers in person: such as the one pervert that took over multiple female victims’ video cameras on their computers by infecting machines instead of cleaning them. In that attack, the attacker displayed a message on the women’s computers to have them take their computers into a moist spot to make their computers feel better (some women actually took their computer into a shower, where he would record them).

The reason why I post this stuff is because I care about all of you, and I realize as a computer security professional that the only way to beat these guys is together.  The attacker’s mind never thinks about what happens to the victims…

Security starts with people first and foremost… computer or otherwise.

Posted in Information Assurance | Leave a comment