Archive

Posts Tagged ‘security’

W32/autorun.worm.aaeb-h Outbreak

Nov 28, 2012

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply created too frequently. For the most part, if you run your network and systems with defense in depth and the principle of least privilege, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it sets the hidden attribute on the executable so it does not show up in a normal directory listing. On removable media (think USB flash drives, or even MP3 players), it writes an autorun.inf that launches the executable when the media is inserted. It also targets files with common extensions such as audio and video (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names may indicate you have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable the AutoRun feature (by Group Policy or the NoDriveTypeAutoRun registry value)
  • Prevent the use of USB media on mission-critical servers
  • Ensure on-access scanning is enabled for removable media
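Putting the first and third points into practice, here is an added PowerShell example (not code from the McAfee advisory or from the original post). It turns AutoRun off for every drive type through the NoDriveTypeAutoRun policy value, then sweeps removable drives, or any share paths you pass in, for the indicator file names listed above (hidden files included, since that is how the worm hides its copies) and reports any autorun.inf whose open= or shellexecute= line points at something to launch. The drive letter E:\ and the share \\fileserver\share in the usage lines are placeholders.

```powershell
# Added example; not from the McAfee advisory or the original post.
#  1. Disable AutoRun on every drive type by setting the NoDriveTypeAutoRun policy value.
#  2. Sweep removable drives (and any network share paths you pass in) for the indicator
#     file names from the post, including hidden ones, and flag an autorun.inf that
#     launches an executable.

function Disable-AutoRun {
    # 0xFF sets the bit for every drive type, which turns AutoRun off for all of them.
    # HKLM applies to every user of the machine; requires an elevated session.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
}

# Indicator file names taken from the post above.
$IndicatorNames = @('Secret.exe', 'Sexy.exe', 'Pron.exe', 'Password.exe', 'x.mpeg')

function Find-AutorunIndicators {
    param(
        # Roots to sweep. Default: every removable drive (Win32_LogicalDisk DriveType 2).
        # Add UNC paths of file shares to check those as well.
        [string[]]$Path = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' |
                            ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping $root (not reachable)"; continue }

        # -Force includes hidden and system files, which is where the worm keeps its copies.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $IndicatorNames -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Indicator  = 'IndicatorFileName'
                    Path       = $_.FullName
                    Attributes = $_.Attributes
                    Detail     = "$($_.Length) bytes, modified $($_.LastWriteTime)"
                }
            }

        # autorun.inf at the root: report any open= / shellexecute= line, since that is the
        # mechanism used to start the executable when the media is inserted.
        $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
                if ($line -match '^\s*(open|shellexecute)\s*=\s*(?<target>\S.*)$') {
                    [pscustomobject]@{
                        Indicator  = 'AutorunLaunch'
                        Path       = $inf
                        Attributes = (Get-Item -LiteralPath $inf -Force).Attributes
                        Detail     = "launches: $($Matches['target'].Trim())"
                    }
                }
            }
        }
    }
}

# Usage: report first, then harden. E:\ and \\fileserver\share are placeholders.
Find-AutorunIndicators -Path 'E:\', '\\fileserver\share' | Format-Table -AutoSize
Disable-AutoRun
```

Run it from an elevated PowerShell so the registry write succeeds; the sweep itself only needs read access to the drives and shares. Treat a hit as a prompt to pull the media or share offline and scan it, not as a clean bill of health for everything else on the system.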

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb


Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and Dropbox. In some of these cases the passwords were stored unencrypted, so once someone captures the data, they know your actual password. And since many people reuse passwords across accounts (using the same password for LinkedIn and Facebook), one breach opens your accounts on multiple systems to compromise. This is made worse when more sensitive logins, such as bank accounts or your work e-mail, use the same password you used on Facebook.

One common technique used by web developers, and programmers in general, is to NOT store your actual password but rather a hashed version of it. A cryptographic hash is a one-way function (not encryption, since there is no key and nothing to decrypt): once a password has been hashed, the original cannot be recovered from the output (hence the “one way” part). It is also designed so that finding two different inputs that produce the same output is infeasible; in fact, even a single-character difference in the input produces a radically different output. This is used so that nobody, not even the database, needs to know your real password. When you enter your password at login, the site runs it through the same hashing algorithm and checks that the output matches what is stored in the database.

To make this more secure, many web developers also add “salt” to the hashing process: a random value, unique to each account, that is combined with your password before it is hashed and then stored alongside the hash. The salt does not need to be kept secret. Its benefit is that two users with the same password end up with different hashes, and an attacker who steals the database cannot use a precomputed table of common passwords and their hashes; each account has to be attacked separately. Salting does not slow an attacker down on its own, though. A fast hash such as MD5 or SHA-1 can be tried billions of times per second on a GPU, so the hash should also be deliberately slow and iterated (PBKDF2, bcrypt or scrypt) to make guessing expensive.
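As an added example (not code from the original post), here is the scheme just described in PowerShell, using the .NET Rfc2898DeriveBytes class (PBKDF2 with HMAC-SHA1). The plain unsalted hash is shown next to a salted, iterated one so the difference is visible, and verification recomputes the hash with the stored salt and iteration count and compares the result in constant time. The passwords and the `pbkdf2-sha1$iterations$salt$hash` record format are constructed for this example.

```powershell
# Added example; not from the original post. Contrasts an unsalted SHA-256 hash with a
# salted, iterated PBKDF2 record, and verifies a password against the stored record.

function Get-UnsaltedHash {
    # What the post describes at its simplest: hash(password). Every user with this
    # password gets the same value, and a precomputed table recovers it instantly.
    param([Parameter(Mandatory)][string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password)) }
    finally { $sha.Dispose() }
    return [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
}

function New-PasswordRecord {
    # Salted and iterated: a fresh 16-byte random salt per account, 100,000 rounds of
    # PBKDF2-HMAC-SHA1, 32 bytes of output. Salt and iteration count are stored with the
    # hash; none of them is secret. (Record format is constructed for this example.)
    param([Parameter(Mandatory)][string]$Password, [int]$Iterations = 100000)
    $salt = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt) } finally { $rng.Dispose() }
    $kdf = New-Object -TypeName System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, $Iterations
    try { $hash = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    return 'pbkdf2-sha1${0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-Password {
    # Recompute with the stored salt and iteration count, then compare without
    # short-circuiting so the comparison time does not leak where the first mismatch is.
    param([Parameter(Mandatory)][string]$Password, [Parameter(Mandatory)][string]$Record)
    $parts = $Record.Split('$')
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha1') { throw 'Unrecognised password record format' }
    $iterations = [int]$parts[1]
    $salt       = [Convert]::FromBase64String($parts[2])
    $expected   = [Convert]::FromBase64String($parts[3])
    $kdf = New-Object -TypeName System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, $iterations
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    return ($diff -eq 0)
}

# Demonstration with constructed passwords.
$record = New-PasswordRecord -Password 'correct horse'
"Unsalted SHA-256 (same for everyone using this password): $(Get-UnsaltedHash -Password 'correct horse')"
"Stored record:                                            $record"
"Second user, same password, different record:             $((New-PasswordRecord -Password 'correct horse') -ne $record)"
"Verify correct password:                                  $(Test-Password -Password 'correct horse' -Record $record)"
"Verify wrong password:                                    $(Test-Password -Password 'correct h0rse' -Record $record)"
```

The point to take from the output is the third line: the same password produces a different stored record for each account, which is what defeats a precomputed table, while the iteration count is what makes each guess cost the attacker as much as it costs the login page.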

What brings this to mind is something I encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click “forgot password” they will e-mail you a new password or a link to create a new password. However, in this case they e-mailed me my password. What this illustrates to me is that they don’t actually hash their passwords, and likely don’t encrypt them either. With this, I know for certain that it is possible for someone at that company (or someone with malicious intent) to access my password. This is very concerning.

Today it is very important that we ask our vendors to use more secure methods for storing our passwords. If they can tell us what our passwords are, that is a problem.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid using the same password on more than one site, and change them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change that password everywhere you used it.

Enjoy!

Finding unused user accounts in active directory

Periodically it is a good idea to audit your user accounts in Active Directory to find unused accounts. This helps find terminated employees you might not know about, or role accounts which aren’t being used anymore. Sometimes you’ll discover temporary accounts which were set up for testing and have been abandoned.

It is very easy to query Active Directory for this. Open a command prompt on a domain controller (or any machine with the AD DS command-line tools installed) and enter:
dsquery user -inactive 4 -limit 0

The number after -inactive is required and is in weeks. The query is based on the lastLogonTimestamp attribute, which is replicated between domain controllers only when it is 9 to 14 days out of date, so asking for less than two weeks of inactivity is not meaningful. -limit 0 removes the default cap of 100 results, which is easy to hit in a domain of any size. You’re all set.
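For the same audit with more context per account, here is an added PowerShell example (not part of the original post) that uses the ActiveDirectory module installed with the RSAT / AD DS tools instead of dsquery. Search-ADAccount finds the inactive accounts, including ones that have never logged on, and each result is enriched with last logon, creation date and description so you can decide what to do with it. The OU in the parameter comment and the CSV path are placeholders; the disable step is left commented out so the script reports before anything changes.

```powershell
# Added example; not part of the original post. Lists inactive user accounts with the
# attributes needed to triage them. The OU example and CSV path are placeholders.

Import-Module ActiveDirectory

function Get-StaleUserAccount {
    param(
        [int]$InactiveDays = 90,
        # Optional OU to limit the search, e.g. 'OU=Staff,DC=example,DC=com' (placeholder);
        # the default is the whole domain.
        [string]$SearchBase,
        # Built-in accounts that never log on interactively and would otherwise always appear.
        [string[]]$Exclude = @('krbtgt', 'Guest')
    )
    $query = @{
        AccountInactive = $true
        TimeSpan        = New-TimeSpan -Days $InactiveDays
        UsersOnly       = $true
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    Search-ADAccount @query |
        Where-Object { $Exclude -notcontains $_.SamAccountName } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonTimestamp, whenCreated, PasswordLastSet, Description
            # lastLogonTimestamp replicates only when it is 9-14 days out of date, so treat it
            # as accurate to about two weeks. It is absent for accounts that never logged on.
            $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                LastLogon         = $lastLogon
                NeverLoggedOn     = ($null -eq $lastLogon)
                Created           = $u.whenCreated
                PasswordLastSet   = $u.PasswordLastSet
                Description       = $u.Description
                DistinguishedName = $u.DistinguishedName
            }
        }
}

# Review before acting: still-enabled accounts idle for 90 days, oldest first, plus a CSV for the record.
$stale = Get-StaleUserAccount -InactiveDays 90 | Where-Object { $_.Enabled }
$stale | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, NeverLoggedOn, Created, Description -AutoSize
$stale | Export-Csv -Path .\stale-users.csv -NoTypeInformation

# Once the account owners confirm, disable rather than delete, and leave a note for the next reviewer:
# $stale | ForEach-Object {
#     Set-ADUser -Identity $_.DistinguishedName -Description ("Disabled {0:yyyy-MM-dd}: inactive over 90 days. {1}" -f (Get-Date), $_.Description)
#     Disable-ADAccount -Identity $_.DistinguishedName
# }
```

Disabling first and deleting later matters: a disabled account keeps its SID, group memberships and any file ownership, so a mistake is reversible, whereas a deleted account is not.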

The tools I use…

Here are some of my favorite applications I have installed on my computer, and often install right away, in no particular order:

  1. Microsoft Office Professional Plus – This is the obvious must-have software for anyone interacting with other businesses. I really enjoy the seamless operation between products and how it makes interacting with the business world so much easier. I have tried OpenOffice, and it is a faster, less bloated office productivity suite and significantly less expensive. However, it is still only about 90% real-world compatible with Microsoft Office, and thus can be a real pain. This is especially true in situations where page formatting is critical. When you factor in the time I would spend working around the compatibility issues, Microsoft Office is in many cases actually less expensive, something I think people need to consider a bit more often when looking at free tools… But alas, this list is filled with free tools!
  2. Adobe Acrobat Professional – Yes, I have used (and continue to use) a number of low-cost PDF creation tools such as pdf995, which I really enjoy and often recommend for users looking for simple print-to-PDF features; but I really appreciate all of the features which come in the full-fledged product, such as the ability to optimize scanned documents, perform OCR to make a scanned document searchable, and create interactive forms.
  3. Notepad++ is probably the best text editor I have used in a long time, and a great improvement over the built-in Notepad. The syntax highlighting when viewing code such as HTML, PHP or Java is very helpful, and additional plug-ins are available.
  4. CuteHTML is no longer a developed application, but I have used it for so long that I am simply used to its interface, and I appreciate the built-in FTP client. I use it frequently to edit HTML and PHP code. I know there are better applications out there, but this one is used purely out of familiarity and habit.
  5. CuteFTP was my preferred paid-for FTP application for ages, but I have honestly stopped installing it on new systems and simply use FileZilla, whose features match closely enough to meet 99% of my needs. It permits multiple downloads from multiple FTP servers at the same time and supports FTP, SFTP and FTPS. It is mature and actively developed.
  6. Virtual CloneDrive – my favorite application for mounting ISO images as optical media.
  7. Microsoft OneNote – while technically part of the Microsoft Office suite above, I call this one out for two features that a lot of people don’t know about. First, there is a screen clipping tool built into it. There are a lot of screen clipping tools available, both free and paid, but this one is already built into a Microsoft Office application, so there is no extra software to download, install, patch or even take up system resources. A simple press of Windows+S lets you clip any part of the visible windows. I use this frequently for creating documentation or PowerPoint presentations. Second, it is slowly replacing my trusty physical paper notepad, and using OneNote 2010 with Microsoft SkyDrive keeps my laptop, desktop and work computers all synced. Love it!
  8. Dropbox – along the lines of syncing data, I am starting to use Dropbox for non-sensitive data. It keeps your data synced between multiple devices, including mobile devices. Due to a recent security flaw, there was the potential for your data to be accessed by other users. As with any technology like this, I discourage its use for anything sensitive.
  9. KeePass Password Safe – a password manager which helps you manage your passwords securely. You can put all your passwords in one database, which is locked with one master key or a key-disk.
  10. VLC – a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols.
  11. LogMeIn – each of my systems has this installed, and I really appreciate that even after you log on to the website, to access your system it still requires you to enter whatever password you use on your computer.
  12. Trillian – while I rarely use instant messaging anymore, Trillian is a fantastic, fully featured, stand-alone, skinnable chat client that supports AIM, ICQ, MSN, Yahoo Messenger, and IRC, all in one application and interface.
  13. CCleaner – a system optimization and privacy tool that removes unused files from your system, allowing Windows to run faster and freeing up valuable hard disk space.
  14. Google Picasa – free software that helps you locate and organize all the photos on your computer, edit and add effects to your photos with a few simple clicks, and share your photos with others through e-mail, prints and on the web.
  15. Remote Desktop Manager – if you are frequently connecting to remote resources such as via RDP or VNC, this is the tool for you. It offers built-in support for Microsoft Remote Desktop, Terminal Services, VNC, LogMeIn, TeamViewer, FTP, SSH, Telnet, DameWare, X Window, VMware, Virtual PC, pcAnywhere, Hyper-V, Citrix, Radmin, Microsoft Remote Assistance, Oracle VirtualBox and more.
  16. PuTTY – probably the most common, versatile multi-protocol client application, and our longtime favorite choice for all our SSH needs. To many PC power users an SSH client is absolutely vital to their everyday operations, and PuTTY is the most popular Windows client for a reason.

Any user can unlock now with this custom GINA

From the folks over at Paralint, there is now a utility to help you with shared computer access. Often you will have a shared computer in an office space, and the problem is that you want each user to have their own username and password; however, that doesn’t always work out so well. Once you add a password-locked screen saver and a user forgets to log off, that computer is now unusable to any other normal user.

What are your options? Typically we have been forced into one of the following:
1) Users know each other’s passwords;
2) Reduce security by removing the password requirement or granting other users administrator permissions;
3) Users simply power the machine off and on to work around the issue;
4) Or use the Microsoft-provided “winexit.scr” screen saver, which forcefully logs off the user when the screen saver kicks in.

However, with this custom GINA you can now enable any user to log off the offending user without requiring administrative permissions or changing your security routine. Aucun is a replacement GINA that wraps Microsoft’s own MSGINA.DLL to allow any given group of users to unlock or force logoff of a locked session on a Windows machine, unless the currently logged-on user is a member of a group you specify. Note that the GINA model only exists on Windows XP, Server 2003 and earlier; Windows Vista and later replaced it with credential providers, so this approach does not carry forward to those versions. The author describes the project as follows:

I created this for a friend that needed an unlock feature. By popular demand, I added force logoff and a warning display. Here is a more detailed feature list:

  • GUI provided by the original MSGINA.DLL (no end-user training required)
  • Allows any member of a given group to force logoff of a locked session
  • Allows any member of a given group to unlock a locked session
  • Supports an exclusion group (to prevent regular users from unlocking administrators)
  • Allows a custom message to be displayed when the workstation is locked
  • Supports 64-bit versions of Windows
  • Supports international versions of Windows
  • Allows chaining multiple GINAs together

You can learn more about this and download here: http://www.paralint.com/projects/aucun/

HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures (administrative, technical and physical) to safeguard patient health information (PHI) from exposure or disclosure to unauthorized parties, including when that information has to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however, the information is subject to strict rules that protect its privacy and security at the point of dispatch, in transit, and at the point of delivery.

The security provisions of HIPAA require “reasonable” efforts to make sure that information delivered via fax was sent securely and received securely, by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

  • All fax machines are placed in a secure area and are not generally accessible.
  • Only authorized personnel have access, with security measures in place to ensure this.
  • Destination numbers are verified before transmission.
  • Recipients are notified that they have been sent a fax.
  • A cover sheet is included that clearly states the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent, and should be destroyed if received by anyone other than the intended recipient.
  • Patient data is kept in the body of the fax, not in the header or cover-sheet fields.
  • Faxes are sent only to secure destinations; i.e., the recipient’s fax machine is in a secure location accessible only to those authorized to receive the information.
  • A copy of the transmission confirmation sheet is retained, including the time and the recipient’s number.
  • Fax delivery is confirmed by phoning the recipient.
  • Received faxes are stored in a secure location.
  • Transmission and transaction log summaries are maintained.

Encrypted E-mail Solutions

Here is some information on setting up secure e-mail encryption with outside parties. There are basically two options available. Prices vary by vendor; the figures below are for very general planning purposes, and we would need to formally quote them before going forward. The major differences between the options are how widely you intend to send encrypted e-mail, and cost.

S/MIME:

This method is the simplest form of transmitting data between two trusted partners or individuals. Each party has its own Digital Certificate; a message is encrypted with the recipient’s public key, so the sender must already have the recipient’s certificate (normally obtained from a signed message the recipient has sent) before encrypted e-mail can flow in that direction.

  • Pros: This is built directly into Microsoft Outlook and its use is seamless for the sender and receiver. Meets HIPAA requirements for PHI. Best solution for a small number of users. Fastest method to receive encrypted e-mail. Lowest start-up costs for a small number of users.
  • Cons: This requires a Digital Certificate to be purchased, renewed periodically and installed on both the sender’s and receiver’s systems. There is a degree of configuration required for all parties. Apex can provide support to other businesses, with their permission and for an additional cost. E-mail is only encrypted when sent to recipients with Digital Certificates, so you can still accidentally send PHI or confidential information to the wrong person, or send it unencrypted. Both users need to be configured before you can send encrypted e-mail.
  • Best Fit: When you’re exchanging secure e-mail with a well-defined set of outside businesses and individuals which will not change frequently.
  • Costs: $100 per user who will be receiving encrypted e-mail (recurring every 3 years); and $200 per user at an outside company who will be receiving encrypted e-mail (recurring every 3 years). Prices include a rough estimate for labor and the Digital Certificate.

E-Mail Gateway:

This method uses a set of rules defined on the server to automatically identify PHI, based on sender, recipient, subject, content, etc. The system automatically converts those e-mails into an encrypted format and sends them to the recipient. There are no special software or configuration requirements for the sender or recipient.

  • Pros: This is good when the list of senders or recipients is not well defined or may include home users. It automatically protects all PHI, avoiding accidentally sending PHI in an unencrypted format, regardless of the recipient. On-the-fly encryption to anyone, with no pre-configuration required.
  • Cons: It may require the recipient to go to a website to download the message or attachment, which makes frequent use of this method slower. Additional server hardware, software and maintenance are required.
  • Best Fit: If you’re exchanging e-mail with a diverse group of not-well-defined individuals, who may not have the ability or knowledge to work with Digital Certificates.
  • Costs: Around $3,000 per three-year term, plus hardware (around $1,000) and installation labor and ongoing support. Pricing is subject to change; this was based on old pricing from before Symantec acquired the product from PGP. Another option is the Cisco IronPort E-mail Security Appliance.

Hosted E-Mail Gateway:

Basically the same as the E-Mail Gateway from a security standpoint; the only difference is the cost of implementation. The hosted solution doesn’t require a server or the related hardware, software and support costs. However, it does have a higher ongoing service fee.

  • Pros/Cons/Best Fit: the same as “E-Mail Gateway” above.
  • Costs: McAfee Email Encryption is $4,930 for a three-year term for 100 users (again, we need to cover the entire company), or $2,055.00 for one year. Other providers include the McAfee/MXLogic hosted solution.