The two things you should know if you own or are responsible for any wireless access points are:

1. There is no practical universal solution to the problem.
2. You may have to use the hacking tools themselves to be 100% certain you are not vulnerable.

If you feel you have anything someone might want to steal, the smartest thing might be to just disconnect the wireless access point or turn it off. Then live without it until the manufacturer has clear information on your make and model of wireless device. Of course if your wireless access point is also your Internet Router this could be problematic.

There are more questions than answers right now and while you can’t tell with certainty if you are not vulnerable a list is being compiled of devices that have been confirmed to be vulnerable. You can access the WPS Vulnerability Testing Document to find devices that have been confirmed.

Known and potential solutions

Solutions to this issue will be updated here as they become available

Belkin (Does not note if this fully disables WPS!)

Netgear (Home Routers)

Additional Resources

Vulnerability Note VU#723755 (US-Cert)

Special thanks to @Shonali for sharing the Bart Simpson Chalkboard Generator.

It’s time to add a new acronym

For some time now we’ve all learned that windows/operating system updates are pretty important but there are emerging threat vectors that also need to be addressed. Back in early 2009 a huge ramp up in volume of Adobe PDF and Java updates occurred. Since that time those two have become two very popular sources of computer exploitation. Add that to some recent nasty Flash exploits and you have the makings of a new acronym:

Always update JAFO:

Java
Acrobat
Flash
Operating System (Critical Updates Windows, etc)

Extra credit for the techie types, remember when Microsoft had their own Java Virtual Machine?

Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas inspired character duqu comes from the ~DQ prefix that researchers noticed this previously unknown malware was adding to files it creates when it was discovered. I am sure Dairy Queen is happy with their choice. Joking aside this virus is no laughing matter. It seems to have been written by the authors of or with the benefit of the Stuxnet source code. Stuxnet is the virus that was believed to have setback the Iranian nuclear program last year. It’s smaller and appears to be designed to spy on infected computers with a combination of a key stroke logger, a data siphon and remove itself after eluding detection for 36 days.

A new breed of threat

One disconcerting aspect of this particular Trojan is that one of the drivers in a variant used a signed certificate of a known organization in Taiwan. That means that a windows machine will treat that driver as a legitimate driver, just like one you’d download to access a new hardware device on your Windows PC. Luckily the certificate has been revoked. This particular malware mask’s it’s presence on the infected machine quite well providing a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. This includes:

1. Keeping your critical components up to date.
2. Cautious web surfing and Email habits.
3. Avoid public charging kiosks.
4. Avoid flash drives from unknown sources.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit when it was “Zero-Day” it is prudent to consider what other means may have prevented the infection. If it ends up that this virus communicates with hosts in remote countries that a security solution I recently proposed would prevent the infection from transferring or downloading any information rendering it useless.

More information

• Symantec White Paper
• Wired Article

If you found this article helpful or interesting please share it with your friends.

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations including before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not based on guidance from the SEC or specific directives such as HIPAA but rather because it is the right thing to do. We as businesses are stewards of our clients critical information. In many cases prevention is less expensive than we might think and much less expensive than the liability associated with a failure to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.

Samples of the ~40 million SecureID Tokens the RSA replaced as a result of the hack.

There are lots of layers to security and in all fairness I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA – a security firm opened an Email that had just:

I forward this file to you for review. Please open and view it.

No signature, nothing, nada. It had an Excel file attached 2011 Recruitment plan. They opened it. They got infected by a zero day flash exploit embedded in the Excel file.

The RSA got “Owned”

I am frustrated because I know this happens every day all over the world and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the apparatus that failed the RSA in this case, but in the interest of time I am going to focus on one:

Why did the RSA allow traffic to a known Malware site?

The site that the payload (Poison Ivy) contacted was mincesur.com which according to F-Secure:

“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

WHAT?!?!?

Then why on earth is the RSA allowing it’s systems to access that site? I did an arin.net lookup for the IP address for mincesur.com (119.70.119.30):

I can understand a company like the RSA needing access to the APNIC space, though most of us do not. Specifically though, why would they route traffic to a address/domain that is known to be used in espionage attacks? Since we already established that the user failed to identify a threat what about the other devices and mechanisms in the transaction that occurred between the computer that was infected?

Touch #1 – DNS Lookup

When the Poison Ivy payload asked the DNS system what IP address micensur.com had, the DNS servers at RSA promptly gave them the known threat’s IP address. It is possible and useful to add records for known malicious domains to resolve to something harmless such as loopback 127.0.0.1 (basically the payload would try to connect to local machine itself). Failed.

Bonus info: This can even be over-ridden and handled by a hosts file on an individual computer. (An example is at Malwarehelp.org)

Touch #2 – Antivirus Software

Endpoint Security software can block access to known malware websites. Failed.

Touch #3 – Router

One or more RSA Routers were touched in the process. Without a router a computer cannot communicate with systems outside of its own network. Routers can maintain black lists or null routes to avoid traffic coming from or going to known malicious sites. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.

Touch #4 – Proxy Server (Optional)

Many companies use a proxy server or transparent proxy server to store copies of frequently accessed files to avoid them from having to be downloaded every time. A Proxy server can optionally be used to provide additional protection including domain based filtering. Since micensur.com was a known malware domain this could easily have been blocked by a proxy server. Failed.

Touch #5 – Intrusion Detection/Prevention Device (IDP – Optional)

These are usually definition based devices that look for traffic that matches a known malicious definition. Such as traffic coming from or going to a known malicious website. Failed.

Touch #6 – Firewall

Even many small companies have firewall hardware. Firewalls allow for much more complex rules about what kind of traffic can go where and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways that a properly configured firewall could have prevented this infection. Failed.

Is it time to re-prioritize?

With so many chances to block this from happening, how is it that a company like RSA, that is involved with security products is not better protecting themselves from threats? I’m sure they have made changes as a result but with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site, don’t you?

Is it time push information security higher up the priority list?

Image credit br1dotcom, creative commons.

August 7-13th, 2011 is International Patch Everything Week

Microsoft Advisories

It started early this week when we were informed by the US-CERT that all of these products had vulnerabilities that would be addressed in updates from Microsoft:

• Microsoft Windows
• Microsoft Office
• Internet Explorer
• .NET Framework
• Microsoft Developer Tools

That for the record is pretty much everything in the Microsoft world at least for the typical desktop user (except the developer tools of course). That was not the end of the notices for the week.

Adobe Advisories

Today we were informed of a plethora of Adobe product security updates:

• Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh
• Flash Media Server 4.0.2 and earlier versions for Windows and Linux
• Flash Media Server 3.5.6 and earlier versions for Windows and Linux
• Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
• Adobe Flash Player 10.3.185.25 and earlier versions for Android
• Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android
• Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh
• RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows

This array of products covers pretty much any PC based client computer and Android to boot. So don’t delay when you are notified of new updates available this week, just run them all.

Need help finding updates?

You can refer to the original bulletins for details on your device/pc:

For Adobe Products:

Security update available for Adobe Shockwave Player

Security update available for Adobe Flash Media Server

Security update available for Adobe Flash Player

Security update available for Adobe Photoshop CS5

Security updates available for RoboHelp

For Microsoft Products:

• Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
• Updates for consumer platforms are available from Microsoft Update

Warning: As always consult your IT department before applying software fixes. Also be aware that some software patches can cause problems.

Either one of those articles by themselves would have huge implications in the security of mobile devices, but the startling thing is that there are others popping up in the last 24 hours as well, and that is what compelled me to write this article for the Managed Solutions blog.

HongTouTou Android Trojan

A Chinese localized (targeting Chinese language users) Trojan emerged for the Android platform this week. The Trojan rode onto unsuspecting users via Android App marketplaces and forums.

$2,000 worth of equipment can extract Crypto Keys from Mobile Device Signals

Threatpost did an amazing job of describing a problem with how Cryptography is implemented on mobile devices. The problem results in the ability to actually capture and mimic the cryptographic key that could be for say your mobile phones payment system. This is particularly important because a lot of people see mobile as having a bright future in the payment arena.

iPhone Hacked and Passwords Stolen in Six Minutes

Fraunhofer has a video and press release demonstrating the ability to hack an iPhone and recover passwords in just 6 minutes. You don’t have to be an information security professional to realize that this is not good news for iPhone or iPad users that store anything of sensitive nature on their devices. Here is the video if you’re interested:

Thanks for the Wakeup calls today and kudos to Threatpost, Ben Jun, Cryptography Research and Fraunhofer.

How do you test to see if you need updates? Follow these instructions:

For Shockwave Player Make sure you have version 11.5.9.620 or above (Update)

For Flash Player make sure you have version 10.2.152.26 or above (Update)

For Adobe Acrobat and Adobe Reader you will need to run the program and choose “About Adobe Reader # or About Adobe Acrobat” from the Help Menu at the upper right portion of the menu:

Make sure the resulting version of Adobe Reader and Acrobat 10.x is 10.0.1 or above, 9.x is 9.4.2 or above, and 8.x is 8.2.6 or above. (Update Windows or Mac)

There are bulletins at us-cert.gov today for both Windows and Mac OS X being vulnerable to potential Human Interface Device (HID) functionality over USB exploit. The simplest way to explain this vulnerability is that both OS X and Windows lack a warning when you connect a USB connected device such as a smart phone when it is given keyboard or mouse capability. This could lead to a number of different compromises of the host system. This vulnerability has existed since USB HID support was added to both operating environments but was only publicly demonstrated recently. An example was demonstrated at the Black Hat DC conference, Cnet ran an article about it on January 19th.

Other USB related risks

USB connected devices have become a more common source of virus and malware infections. In 2010 there was actually a worm that spread via USB memory sticks called “Conficker” worm. As early as 2008 USB was becoming recognized as a much more common vector for virus propagation.

Protecting yourself

Since USB devices involve user interaction, it is an area where user education and caution is key. We can count on Apple and Microsoft to respond to this HID issue, but we can also say with certainty that there will be others that will come up in the future. Here are some simple suggestions to prevent becoming a victim:

Tips for individuals

1. Store your USB storage devices in a safe place.
2. Use memory sticks only from extremely trusted sources.
3. Do not allow others to use your computer to charge their USB devices.
4. Purchase memory sticks from trusted sources in clearly sealed packaging.

Extra tips for businesses

1. Include an area that governs USB devices in your Acceptable Usage Policy (AUP).
2. Do not allow third parties to use USB devices or charge phones on your corporate systems.
3. Consider implementing software or software policies that control access to USB ports on your systems.

You might also want to read these related articles on how you can function more securely:

Education: the Answer to Zero Day Exploits
Good Personal Choices – the most powerful Information Security Tool

Who should care?

Do you use the Chrome Browser or Chrome OS? If you do then you should take action to confirm that you will not be vulnerable.

How to tell

With your Chrome Browser open click the small tool icon in the top right of the browser window pictured below:

Once the above drop-down menu appears click the “About Google Chrome” menu item. This will result in a screen that will tell you if your browser is up to date and what version it is running:

The critical piece of information is the green check mark at the bottom of the page. If Chrome is not update or in this case is a version older than 8.0.552 your browser is vulnerable and needs to be updated. In most cases Chrome will be up to date as it is configured to update automatically. This is actually one of the strengths of this browser platform.