Thursday, August 28
Amidst all of the chaos
caused by the recent virus outbreaks and blackouts, a
good friend of mine called me over the weekend and
wanted advice on backing up her hard drive in the
event of data loss. To date, she had been using CD-R
media to create backups of critical files, but over
the past year this "critical data" category has grown
to several gigabytes in size. I recommended a
Maxtor 3000LE 120GB external hard drive in
combination with Symantec Ghost. The Maxtor drive is
portable, very easy to use, and plugs right into your
USB Port. If you're running Windows XP, there are no
drivers to install and you can use the external drive
to backup your entire drive or individual directories.
Symantec Ghost is great for creating flawless periodic
snapshots of the entire system and has saved me
countless hours when I've needed to swap hard drives or
recover from data corruption. Unfortunately, my friend
decided to try and find a copy of Ghost via Kazaa
instead of simply purchasing it for $50.00. (I
don't think this was a case of simply being cheap, I
believe she may not have had much experience with
Ghost and wanted to try a fully functioning version
before buying it.) Unfortunately something went
horribly wrong and after the installation, the system
wouldn't boot at all and it's unclear at this point if
her data is still recoverable. While this incident may
have still happened with a full version of Ghost, the
simple fact that she got her copy from a file swapping
service raises several additional issues. Were the
source files intentionally modified by someone? Could
a malicious program have been inserted? Could the
source files have become corrupt after being copied
again and again over the peer to peer network? Without
access to the CD and support from Symantec how will
she recover her data? Kazaa, BearShare, and other file
swapping networks are fine for MP3s and other non-critical
files (legal issues aside), but when you set
foot into the "warez" arena you may be in for more
than you bargained for. It's human nature to want
something for nothing, but you need to think about the
risk vs. reward. Is saving $30 or $50 in software
worth the risks of playing Russian Roulette with your
data? Even if you're successful 9 out of 10 times, is
$300 worth it? Not to me.
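One defensive habit that addresses the "were the source files modified?" question is to verify a downloaded installer against a digest the vendor publishes before running it. The following is an added example, not code from the original post or from Symantec or Maxtor; the manifest format (one "hex digest, two spaces, file name" line per file, as the common SHA256SUMS layout) and the sample file contents are constructed here, and it assumes the vendor does publish SHA-256 digests over a trusted channel.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed manifest in the usual "<sha256 hex>  <file name>" layout.
# The digests are those of the constructed sample contents written in demo()
# (sha256 of b"abc" and of the empty string), not of any real installer.
MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  setup.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  readme.txt
"""


def parse_manifest(text):
    """Map file name -> expected hex digest; ignores blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # A leading '*' marks binary mode in sha256sum output; drop it.
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def digest_bytes(data):
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def digest_file(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, streamed so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches(actual_hex, expected_hex):
    """Compare digests without short-circuiting on the first differing byte."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_bytes(data, expected_hex):
    """True when the blob's digest equals the published one."""
    return matches(digest_bytes(data), expected_hex)


def verify_directory(directory, manifest_text):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if matches(digest_file(path), expected) else "mismatch"
    return results


def demo():
    """Write constructed files into a temp dir and verify them; returns the report."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "setup.exe").write_bytes(b"abc")       # digest matches manifest
        (Path(d) / "readme.txt").write_bytes(b"tampered")  # digest will not match
        return verify_directory(d, MANIFEST)


if __name__ == "__main__":
    print(demo())
```

A file that fails the check is treated as untrusted regardless of how it was obtained; a copy that came through a peer-to-peer network with no published digest to compare against simply cannot pass this check, which is the practical point of the entry.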
Wednesday, August 27
If I was a bit disappointed with antivirus vendors on
Monday (see the blog entry below), I'm hopping mad
today! First let me start with McAfee. After being a
Symantec customer for years, I bought a copy of McAfee
AntiVirus professional edition with a 5 user license
($150.00) as a test platform for the lab. While
it appears to work fine on the desktops, McAfee wreaked
havoc on my 2 laptops that were using Linksys wireless
network cards. The software installed fine, and worked
for a few weeks until I downloaded a new update to the
virus definitions. Both machines suffered catastrophic
network configuration failures
and after troubleshooting them for hours, I finally
reloaded them from a Ghost image. Yesterday, I began
having problems again - shortly after downloading new
virus definitions. I actually didn't suspect McAfee as
the culprit at first, until I started typing my error
messages into Google. What I found were several
newsgroup postings featuring the same issues I had,
with several people complaining they occurred shortly
after updating McAfee. As a test I uninstalled McAfee, and
like magic the network problems went
away. I've seen similar reports from a variety of
network administrators in corporate environments -
bizarre system instabilities that seemed to occur
immediately after an update that were resolved by
uninstalling McAfee antivirus. As far as I'm
concerned, I will never install McAfee on a production
server or workstation - ever. Which brings me to
Symantec, who announced today that it is incorporating
product activation into its next version of NAV. I guess we all knew that if
Microsoft's product activation scheme succeeded, it
would be copied by the rest of the industry. What
bothers me is the recent industry practice of charging
for the antivirus software and then charging
again for updates. I believe it should be one or the
other. Pay $30.00 and get the software with 3 years of
updates (by which time you'll probably have a new
operating system), or pay $10 per year and get the
basic software for free. Why am I being charged twice?
The Symantec licenses for my production workstations
expire this month, and I had thought of switching to
McAfee until these issues surfaced. So what are my
choices? Actually plenty.
AVG
AntiVirus makes an excellent product that is free
for home and non-business users (including free
definition updates). You can also purchase their
Professional Edition for $33 and get free definition
updates for 2 years. I've already installed AVG on 2
of my home systems, as well as my parents' PCs. So
far, it's worked flawlessly and I plan to move all of
my lab and production PCs to AVG before the end of
the year. While most corporate customers can't just
suddenly switch anti-virus vendors and redeploy
software to thousands of PCs, consumers can. Next
time McAfee and Symantec bug you to renew your
subscription or upgrade your software, send them the
message that you're not going to take it anymore. Vote
with your wallet.
Monday, August 25
Symantec announced that their
next version of AntiVirus software will detect
keyboard loggers and spyware. What took them so
long? For years antivirus companies have resisted
extending their products to include the wider variety of
malware that Trojans usually consist of. Strictly
speaking, the formal definition of a virus is simply
any program that is self replicating and can "infect"
other computers. Viruses don't actually have to
cause any damage to meet the definition, and many
don't. On the other hand, many Trojans don't "self
replicate" beyond mailing themselves to every address
found on an "infected" PC, but they almost always
cause some form of damage. At first, antivirus
companies resisted updating their programs to combat
these threats. As pressure from consumers mounted, the
antivirus vendors began to expand the scope of their
software to catch the more prevalent Trojans. In my
opinion, detecting keyboard loggers should have been a
function of antivirus software 10 years ago. But why
the delay in catching the other forms of spyware,
specifically programs that track your internet usage
and launch pop-ups wherever you go? While not strictly
viruses, many people view these programs as malicious
software and the popularity of programs like
AdAware bears this out. In many cases, these
programs function like Trojans. Users are duped into
installing software that may in fact cause system
instability. Sounds like something that should fall
within the scope of my antivirus
software. While I applaud Symantec's efforts to expand
their software, I still think that they're way behind
the times. Instead of being innovative, these
companies are simply responding to the success of
products released by other vendors - often with poor
results. Things may become even more interesting if
Microsoft steps into the arena. Microsoft is under
tremendous pressure to deliver on the trustworthy
computing initiative, and the rash of Windows-specific
viruses and worms is certainly hurting their
credibility. Microsoft has already built a simple
firewall into Windows XP and is including anti-spam
features into Outlook 2003. With the recent
purchase of an antivirus company, and the changes
being discussed in relation to re-evaluating the role
of Windows Update, is it possible that Microsoft could
build antivirus software into the next version of
Windows? Will this launch another round of antitrust
allegations?
Friday, August 22
While the government is still
looking into the causes of the blackout that occurred
last week,
a number of people are starting to question whether
the failure of the control mechanisms could be
related to the MSBlaster worm. The current theory
of events is that the power failure started when a
single transmission line feeding the city of Cleveland
(my hometown) sagged into a tree and failed. About 25
minutes later, another transmission line feeding
Cleveland failed as well. This caused the system to
start drawing 2200 megawatts from Michigan, which
started a cascade effect that stretched into Ontario
and eventually the Atlantic coast. A recent thread on
BugTraq theorized that if the computers running
SCADA (Supervisory
Control and Data Acquisition) programs became infected, the
normal regulatory mechanisms could fail. These systems
run Windows 2000/XP and directly control key portions
of the electrical distribution network via a master
control panel at the power station and several remote
terminals. We already know that a
nuclear power plant just outside of Cleveland was hit
by MSBlast, and that a generator sub facility in
Philadelphia was affected as well. It seems reasonable
that if MSBlaster managed to get a hold on one
part of the network because of poor IT security, it
could make its way to more critical systems. The
utility companies have a long history of network security
vulnerabilities and massive bureaucracies that can
hamper any improvements. Our recent rush to improve
Homeland Security by posting a few guards at power
plants completely ignores the fact that these systems
are rotting from the inside out. Given
the propensity for cover-ups in this industry, we may
never know the real cause of the blackout. The game of
public finger pointing, denials, and musical chairs
will continue for months and I suspect
that the government's findings will be inconclusive at
best.
Thursday, August 21
Sick of hearing about viruses yet?
Between MS.Blaster and the new round of the Sobig
worm, the tech news outlets have been talking about
little else. Earlier this month (Aug 4) I wrote about
a friend who said he was sick of all the media
coverage on viruses and simply tuned them out. (At the
time I was warning about the RPC vulnerability that is
exploited by MS.Blaster.) As you can probably guess,
one of his systems became infected in the last few
days. I'm
betting he won't be tuning out future virus warnings.
There are some predictions that the impact of
W32.Blaster will "shock" users (and companies) into
becoming more diligent about patching their systems.
While this may be true for some people, I think there
will always be the group that just doesn't "get it".
Case in point: I've heard a number of first hand
accounts from support personnel who have cleaned up a
user's system after it was infected with W32.Blaster
(or other viruses) only to have the user re-infect the
machine within a few hours. You would think the first
experience might have made them more cautious and
diligent about the process. But they continue anyway.
My theory is that it really is the same people who
propagate viruses (and chain letters) every time. It may not be
politically correct to say it, but perhaps there
really are some people who really shouldn't be near a
PC. Unfortunately, many of these people are in
management, which means they won't change their
behavior (or their company's) any time soon. Companies
that don't already "get it" this late in the game
aren't likely to suddenly wake up and start becoming
aggressive about network security and keeping their
systems up to date. For those who do get it, Microsoft
has released 2 new updates (MS03-032,
MS03-33), and revised 2 older updates (MS02-040 and
MS03-030) that address flaws which could allow an attacker to take over
systems. Don't wait for the next worm to patch your
systems!
Wednesday, August 20
W32.Blaster may be getting all of
the press, but the Sobig Worm has resurfaced with a
new variant that is flooding e-mail servers worldwide.
What seems to be compounding the problem is the
auto-replies being sent by e-mail gateways when they
detect the virus. Since the Sobig.F worm spoofs the
sender's e-mail address, these replies are being sent
to the wrong people. Since my e-mail addresses exist
in so many people's mailbox, I always get a good
survey of what's going around at the time. This
morning my virus scanner caught 247 e-mails that
contained the Sobig worm. I also received 700 e-mails
from auto-responders from all over the world notifying
me that any one of the 7 e-mail addresses I use on the
site sent the virus to whatever e-mail server. If this
is typical, then 70% of the network traffic being
generated by Sobig.F is from e-mail gateways, and not
the worm itself. This is insanity. Since spoofing the
source address is such a common tactic with e-mail
worms, shouldn't we rethink the tactic of sending a
notification message? Perhaps vendors can engineer
these gateways to handle e-mail messages more
intelligently, either by looking for evidence of
spoofing and identifying the real sender's e-mail, or
by allowing administrators to turn off auto-reply for
worms that are known to spoof addresses. If software
allows you to turn off the auto-notification function,
you may want to think about disabling this practice
for a few days until the worm is under control.
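The two gateway behaviours the entry asks for, suppressing notifications for worm families known to forge the sender and looking for evidence of spoofing before replying, can be expressed as a small policy check. This is an added example, not code from the original post or from any gateway vendor. The set of spoofing families, the two sample messages and the "From: domain must appear in the Received: chain" heuristic are all constructed here; a real gateway would feed it the scanner's detection name and the raw message.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed set of worm families known to forge the From: address.
# Sobig.F is the one the entry discusses; Klez is added only as an illustration.
SPOOFING_FAMILIES = {"W32.Sobig.F", "W32.Klez"}

# Constructed samples: a Sobig-style message whose From: domain never appears
# in the relay chain, and a message that really did come from that domain.
FORGED = """Received: from dialup-17.isp-a.example (dialup-17.isp-a.example [192.0.2.17])
\tby mx.example.org with SMTP; Wed, 20 Aug 2003 09:12:03 -0400
From: "Jane Doe" <jane@victim.example>
To: support@example.org
Subject: Re: Details

Please see the attached file.
"""

GENUINE = """Received: from mail.victim.example (mail.victim.example [198.51.100.5])
\tby mx.example.org with SMTP; Wed, 20 Aug 2003 09:15:44 -0400
From: "Jane Doe" <jane@victim.example>
To: support@example.org
Subject: Invoice

Please see the attached file.
"""

# Constructed batch of (raw message, family name reported by the scanner).
SAMPLE_BATCH = [
    (FORGED, "W32.Sobig.F"),
    (GENUINE, "W32.Sobig.F"),
    (FORGED, "SomeOther.Worm"),
    (GENUINE, "SomeOther.Worm"),
]


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def relay_hosts(msg):
    """Host names claimed in 'from <host>' clauses of the Received: headers."""
    hosts = set()
    for hdr in msg.get_all("Received", []):
        hosts.update(h.lower() for h in re.findall(r"\bfrom\s+([\w.-]+)", str(hdr), re.I))
    return hosts


def should_notify(raw, detected_family):
    """Decide whether a virus-carrying message deserves a sender notification.

    Returns (notify, reason). The reply is suppressed when the family is known
    to forge senders, or when the From: domain is nowhere in the relay chain,
    which is the weak evidence of spoofing a gateway can gather on its own.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if detected_family in SPOOFING_FAMILIES:
        return False, "family known to forge sender addresses"
    dom = sender_domain(msg)
    hosts = relay_hosts(msg)
    if dom and not any(h == dom or h.endswith("." + dom) for h in hosts):
        return False, "From: domain absent from Received: chain"
    return True, "sender plausible"


def triage(detections):
    """Count how many notifications a batch would send versus suppress."""
    sent = suppressed = 0
    for raw, family in detections:
        notify, _ = should_notify(raw, family)
        sent += notify
        suppressed += not notify
    return {"sent": sent, "suppressed": suppressed}


if __name__ == "__main__":
    for raw, family in SAMPLE_BATCH:
        print(family, should_notify(raw, family))
    print(triage(SAMPLE_BATCH))
```

Of the four constructed detections only the genuine message carrying an unlisted family earns a reply; the Received-chain test is deliberately conservative, since a missed notification costs far less than the flood of misdirected ones the entry describes.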
Monday, August 18
Microsoft managed to make it
through the weekend and thwart the denial of service
attack against the Microsoft Update web site,
primarily by
taking down the URL for windowsupdate.com. In terms
of clarity and simplicity, I think it was a rather
brilliant solution. I'm so used to Microsoft
over-engineering everything, I really thought they were
going to try and code their way out of this one. Nope
- they just eliminated the target entirely. Users who
clicked the Windows Update icon in their tool bars
were unaffected, since it resolves to
windowsupdate.microsoft.com. There have been
a number of lame W32.Blaster variants discovered in
the last week, but the most interesting one is
Worm.MSBlast.D which operates the same way the
original worm does, but uninstalls itself
automatically if the host system reports the year is
2004. What's even more astounding is that it also
removes the original MSBlast worm if it is present,
and patches
the system against the RPC DCOM Buffer Overflow
Exploit by downloading the patch from Microsoft's Web
site. It even reboots the system afterwards! Could
this set a precedent and inspire "helpful" viruses?
What if a "white hat" hacker had written the original
worm to simply patch systems that it found vulnerable
to the RPC exploit, instead of inserting malicious
code? Would antivirus companies still write code to
stop it?
Friday, August 15
I apologize for the late update to
the site, but being based in Cleveland, Ohio we've
only had our power restored in the last hour. Things
aren't as bad as the news is making them appear. Sure
it's hot and a bit uncomfortable, but not unbearable.
Most people are behaving themselves, and it was
heartening to see that over 90% of the drivers were
obeying the four-way stop rule at non-functioning street
lights. All this could have been much worse. For one -
it could be the middle of winter, when the temperature
in Ohio gets near 0 degrees Fahrenheit. Still, I
certainly feel for those stuck in elevators, trains,
gridlock traffic, and other snarls caused by the
outage. Many of you on the east coast are getting to
test out how well your disaster recovery plans are
working. For those who need a little help tweaking
theirs, check out our
disaster recovery section for sample templates and
tips. Our
Incident Response section may be helpful as well.
For now, I'm grateful that power has been restored,
although there are still blackouts and a
danger that the grid could go down again. Since our
servers are based in Atlanta, Georgia the web site has
been unaffected and should continue to be available
even if there are additional blackouts. I am a little
surprised that a problem in one sector can take out an
entire grid this size so easily. I hope the office of
Homeland Security is paying attention, and can upgrade
the current controls to prevent this type of shutdown
from happening again.
Thursday, August 14
It didn't take long for a variant
of the Blaster Worm to appear on the web. This version
is almost identical to the first except that the name
of the executable has changed to "teekids.exe" and the
registry entry is
"Microsoft Inet Xp.."
While Blaster is losing steam and the rate of
infections appears to be slowing, the new variant is
spreading at a respectable rate. To date the user
community has been lucky - neither of these worms have
a very destructive payload. While the shutdown
sequence is annoying, it would have been easy for any
virus writer to include script that could delete files
or disable the operating system. One lesson that has
been learned is that firewalls aren't just for
broadband users. Many dialup users who have been
infected with W32.Blaster could have been protected by
a simple $30 firewall like
ZoneAlarm Pro or
BlackICE.
Microsoft has also announced that it will enable the
Internet Connection Firewall by default on future
shipments of Windows XP.
Wednesday, August 13
Microsoft has been busy upgrading
its Knowledge Base Articles to make them more user
friendly - especially articles written for Windows XP
Home Edition. The new article format includes color screenshots
that accompany detailed walkthroughs, and even images of
understand network components. I haven't heard any
news if Microsoft is planning on revamping all of its
existing articles, or extending this format to other
platforms (Windows Server 2003, Exchange, SQL, etc.,)
but it will certainly make some procedures easier to
follow and understand. Hopefully it will encourage
more users to refer to the Microsoft Support Site for
troubleshooting and how to information, even though
they typically ignore XP's much improved Help system.
Tuesday, August 12
Although the new "MSBlast" worm is
spreading slower than "Slammer" and "Code Red", I've
already received a rash of calls from dial up users
who are infected and receiving "the RPC service
terminated unexpectedly" errors which shuts down their
machines within minutes of connecting to the internet.
What makes this interesting is that dial-up users seem
to be getting infected at a higher rate than broadband
users, presumably because broadband users find it easier to keep
their systems patched using Windows Update. Microsoft
released
a patch for this vulnerability on July 16th and
has been urging users to update their systems, but
this task is a little cumbersome for the 56k crowd.
One system I looked at (which hadn't been patched
since XP SP1) reported 27 critical patches pending,
totaling 36 MB - a hefty download for a dialup
connection. To make matters worse, Symantec doesn't do
a great job of automatically removing MSBlast,
requiring users to turn off system restore, perform a
registry edit, and use task manager to kill the
msblast.exe process. Not too difficult for the computer
savvy, but beyond the average user's capabilities.
(Update: Symantec has
released an automated tool for removing MSBlast.)
Either way, this will be a big mess to clean up and will
definitely tarnish Microsoft's reputation for
Trustworthy computing. Another interesting "feature"
of this worm is that it doesn't require any user
action - it spreads by scanning IP addresses and
checking for the existence of the RPC vulnerability.
If found, it installs itself on the host system and
keeps scanning for more vulnerable systems. The only
positive thing about this worm is that it's
inefficient and spreading slowly. That doesn't mean
other virus writers won't copy its basic functions and
create a more destructive worm with a faster infection
rate.
Monday, August 11
Although I happen to like
Microsoft's operating systems (as if you couldn't
tell), there are a number of people who buy PC's with
Windows preloaded. According to the Microsoft license
agreement that appears when you boot the PC, you are
entitled to a refund from the manufacturer if you
don't agree to its terms. The real trick is getting a
refund. The first obstacle is that you can't print the
agreement unless you agree to it. But the biggest
hurdle is getting the PC manufacturer to actually get
you a refund.
Steve Oualline managed to get a $199 refund (plus
court costs) for Windows XP by taking his PC
manufacturer to small claims court after they
reluctantly offered a refund based on their wholesale
costs ($10.00), not the typical $90-$120 many OEMs
charge. The day before the court battle, the OEM
offered a $199 refund (the retail cost of the
software), but this included a gag order preventing
Steve from talking about his experience and didn't
cover his $130 in court costs. So why am I
highlighting this case? Because the tips
provided in this article apply to other
pre-bundled software as well. In addition, you may
have an existing and broader license for Windows XP in
your company, and shouldn't have to pay twice for
software when you buy a new PC.
Friday, August 8
Security Vendor Rainbow
Technologies
released a study that revealed that most users
frequently mishandle their user IDs and passwords and
often call the help desk when they forget their
passwords and can't log in. (I'm sure this will come
as a big shock to any network administrator). In
addition, the survey discovered that password policies
at many companies are very weak and few companies
require complex passwords or require that users change
their passwords on a regular basis. Somewhere along
the line, someone decided that the estimated costs
involved in enforcing a more effective password policy
($100 - $300 per user) aren't justified by the cost of lost or
stolen data. But that doesn't make sense either.
What is your company's data worth? Probably a lot more
than $100 per employee. Which means companies are
"gambling" they won't have a security incident. That's
a bit like living in a trailer park in Kansas. The other
side of this argument is why are we still using
passwords?
Biometric devices have become so cheap, they're
being built into everyday items like PDAs and cell
phones. Fingerprint scanners have been built into
keyboards, mice, detachable USB devices and even
laptops for years. These devices could reduce identity
theft, if they were used in place of signatures and
PIN numbers. Microsoft and Novell support biometric
authentication and while these devices aren't perfect,
they are getting better everyday and deserve a second
look. While they might be a little expensive for the
everyday users, they are ideal for high risk devices
such as laptops, servers, and workstations that
interface with sensitive data. If you've already
implemented biometrics at your company, drop me a line
and let me know what your experience has been.
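The two controls the survey finds missing, complexity requirements and periodic change, are simple to state as a policy and to audit. The following is an added example, not code from the original post or from Rainbow Technologies; the policy values, the account list and the audit date are constructed. In practice the complexity check runs when a password is set, and the age check runs against the last-changed timestamp the directory already keeps; the constructed accounts carry plaintext only so the demo can run stand-alone.

```python
from datetime import date

# Constructed policy: at least 8 characters drawn from 3 of the 4 character
# classes, and changed at least every 90 days.
POLICY = {"min_length": 8, "min_classes": 3, "max_age_days": 90}

# Constructed accounts and audit date (the entry's own date).
AUDIT_DATE = date(2003, 8, 8)
ACCOUNTS = [
    {"user": "alice", "password": "Tr0ub4dor&3", "last_changed": date(2003, 7, 1)},
    {"user": "bob", "password": "password", "last_changed": date(2002, 11, 15)},
    {"user": "carol", "password": "Summer2003", "last_changed": date(2003, 8, 1)},
]


def character_classes(password):
    """Number of distinct character classes present: lower, upper, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def complexity_findings(password, policy=POLICY):
    """List of policy violations for a candidate password (empty when it passes)."""
    findings = []
    if len(password) < policy["min_length"]:
        findings.append("shorter than %d characters" % policy["min_length"])
    if character_classes(password) < policy["min_classes"]:
        findings.append("fewer than %d character classes" % policy["min_classes"])
    return findings


def is_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > policy["max_age_days"]


def audit(accounts, today, policy=POLICY):
    """Map user -> findings for every account that violates the policy."""
    report = {}
    for acct in accounts:
        findings = complexity_findings(acct["password"], policy)
        if is_expired(acct["last_changed"], today, policy):
            findings.append("not changed within %d days" % policy["max_age_days"])
        if findings:
            report[acct["user"]] = findings
    return report


def run_audit():
    """Audit the constructed accounts as of the constructed date."""
    return audit(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(user, "->", "; ".join(findings))
```

Only one of the three constructed accounts is flagged, on both counts: a single-class password that has not been changed in over eight months, which is exactly the combination the survey says most companies never check for.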
Thursday, August 7
The Register released a report
yesterday
outlining the security threat posed by memory
sticks and USB flash drives, something we
warned our
readers about back in February. What the new
report doesn't mention is the new breed of
compact USB enabled wireless network cards that
can also be discreetly attached to any system and
enable hackers to establish an instant ad hoc wireless
network. While these devices are not driverless like
the USB Flash Drives, the installation is still very
simple and likely to go unnoticed. Just plug them into
a USB port, configure the device, and surf anonymously
(or hack the network) from a nearby location. While
the range of these devices isn't great, the technology
is improving rapidly and this hack could become more
popular in the future. To date the only way to lock
out the USB ports on your PC is by using
SecureWave's software. We're hoping Microsoft will
release an update to Group Policy that will allow
administrators to control what devices can attach to a
USB port. Until then, you may want to keep an eye out for
these devices.
Tuesday, August 5
Now that Windows XP has been out for a year, the
paranoia surrounding Microsoft's product activation
has subsided to the point that other software
companies have released similar activation schemes.
But does product activation really stop piracy? From
the start Microsoft has said that the feature was
designed to stop casual copying, and not thwart the
determined hacker/cracker. Sure enough, it wasn't long
before a number of hacks and key code generators
appeared on the web. Software pirates were also quick
to distribute corporate versions of XP Professional
that still required a key, but not activation.
Microsoft countered these efforts with a "feature" in
XP Service Pack 1 that blocked updates on XP
Professional installations using a product ID that was
in use by almost 90% of all pirated copies. In the
event a contractor or other individual had used this
blocked key to install XP in a corporate environment
instead of checking to find out what the legitimate
key was, we published a very popular article on how to
change
the product ID in Windows XP Professional. At
first, Microsoft threatened to sue under the DMCA
claiming we were offering a method of bypassing copy
protection features. After a few weeks of negotiating
with the legal department we were allowed to republish
a modified version of the article and then Microsoft
published their own version. But ever since I
published that article I've been flooded with e-mails
from users asking for CD Keys for XP Professional and
Home Edition. Usually they have some elaborate story
of how they "lost their CD and the activation key" but
got another copy without a key, blah, blah, blah. Some
claim their PC crashed and they don't have a recovery
disk, or they had XP Home Edition but "acquired" a
copy of XP Pro and want to know if their original key
code will activate it. (No, it won't) Whether these
claims are true or not, it does show that people are
still trying to bypass Microsoft's anti-piracy
measures and are having some difficulty doing it. So
in a sense it's working. The big question now is,
what's next? Windows XP Service Pack 2 is due to be
released soon and could possibly include a few
countermeasures of its own. Will Microsoft include a
tougher activation scheme in Longhorn, its next
desktop operating system due in 2005? Will they ever
consider following the RIAA's heavy handed example and
subpoena ISP's for the addresses of users and take
people to court? Would lowering the price of Windows
XP curb piracy?
Monday, August 4
A friend of mine (who is also a
network administrator) recently confessed that since
virus warnings are issued so frequently, and he isn't
gullible enough to open and execute attachments, he
simply ignores them. What's more, he states he is sick
of seeing them. Apparently they're getting to be a
little like news reports of natural disasters in areas
that always get the same natural disasters. It's not
news, just part of the risks involved in everyday
life. Fair enough. But earthquakes aren't preventable, and viruses are. And not just from the
point of a network administrator, but from the end
user level as well. The latest annoyance, the
MiMail Worm, comes as a ZIP attachment with an
HTML and a UPX compressed Win32 EXE file. Although it
uses social engineering to get users to open the
attachment (claiming to be from your ISP and
threatening to shut down your account), it actually
requires a few steps to execute and assumes the user
knows what to do with a ZIP file. Even Microsoft
assumed that anyone computer savvy enough to
decompress a ZIP file would be savvy enough to know
this was a ploy, and so they issued a statement
downplaying the threat. So why did thousands of people
fall for this? Was there a false sense of security
because it contained a ZIP file and not an executable
(EXE)? Did they really believe admin@isp.com
was going to shut down their e-mail accounts? One
thing is certain. If they would have paid attention to
the virus alerts, they wouldn't have opened the
attachment.
Friday, August 1
I am not a big fan of my local
phone company, SBC Communications. Not only has the
service been poor here in Cleveland, but they've been
fined millions of dollars by several states for
failing to meet their service level agreements. Things
were so bad that during the years my girlfriend worked
at SBC, she would avoid admitting it in public as it
always generated a strong negative response. (Almost
as bad as working for the IRS). So I was a bit
surprised to learn that
SBC is the only ISP that is standing up to the RIAA
to protect the privacy rights of its customers. For
those who have been living in a cave, the RIAA (Recording
Industry Association of America) has been going after people who
trade music online using peer to peer software (Bearshare,
Kazaa) by tracking their IP addresses, subpoenaing the
ISPs to reveal the person's identity, and then suing
the individual for damages and lost revenues. Not
wanting an expensive legal fight with the RIAA, most
ISPs happily sell out their customers and move on. In
this case, only a small unit of SBC (PacBell
communications) is fighting the subpoenas, and there
is no word as to what the overall support from SBC is,
or if other units around the country are standing fast
as well. Perhaps this will inspire other major ISPs
(Earthlink, AOL) to do the same and put a stop to the
RIAA's witch hunts.