Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas inspired character duqu comes from the ~DQ prefix that researchers noticed this previously unknown malware was adding to files it creates when it was discovered. I am sure Dairy Queen is happy with their choice. Joking aside this virus is no laughing matter. It seems to have been written by the authors of or with the benefit of the Stuxnet source code. Stuxnet is the virus that was believed to have setback the Iranian nuclear program last year. It’s smaller and appears to be designed to spy on infected computers with a combination of a key stroke logger, a data siphon and remove itself after eluding detection for 36 days.

A new breed of threat

One disconcerting aspect of this particular Trojan is that one of the drivers in a variant used a signed certificate of a known organization in Taiwan. That means that a windows machine will treat that driver as a legitimate driver, just like one you’d download to access a new hardware device on your Windows PC. Luckily the certificate has been revoked. This particular malware mask’s it’s presence on the infected machine quite well providing a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. This includes:

1. Keeping your critical components up to date.
2. Cautious web surfing and Email habits.
3. Avoid public charging kiosks.
4. Avoid flash drives from unknown sources.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit when it was “Zero-Day” it is prudent to consider what other means may have prevented the infection. If it ends up that this virus communicates with hosts in remote countries that a security solution I recently proposed would prevent the infection from transferring or downloading any information rendering it useless.

More information

• Symantec White Paper
• Wired Article

If you found this article helpful or interesting please share it with your friends.

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations including before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not based on guidance from the SEC or specific directives such as HIPAA but rather because it is the right thing to do. We as businesses are stewards of our clients critical information. In many cases prevention is less expensive than we might think and much less expensive than the liability associated with a failure to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.

Samples of the ~40 million SecureID Tokens the RSA replaced as a result of the hack.

There are lots of layers to security and in all fairness I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA – a security firm opened an Email that had just:

I forward this file to you for review. Please open and view it.

No signature, nothing, nada. It had an Excel file attached 2011 Recruitment plan. They opened it. They got infected by a zero day flash exploit embedded in the Excel file.

The RSA got “Owned”

I am frustrated because I know this happens every day all over the world and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the apparatus that failed the RSA in this case, but in the interest of time I am going to focus on one:

Why did the RSA allow traffic to a known Malware site?

The site that the payload (Poison Ivy) contacted was mincesur.com which according to F-Secure:

“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

WHAT?!?!?

Then why on earth is the RSA allowing it’s systems to access that site? I did an arin.net lookup for the IP address for mincesur.com (119.70.119.30):

I can understand a company like the RSA needing access to the APNIC space, though most of us do not. Specifically though, why would they route traffic to a address/domain that is known to be used in espionage attacks? Since we already established that the user failed to identify a threat what about the other devices and mechanisms in the transaction that occurred between the computer that was infected?

Touch #1 – DNS Lookup

When the Poison Ivy payload asked the DNS system what IP address micensur.com had, the DNS servers at RSA promptly gave them the known threat’s IP address. It is possible and useful to add records for known malicious domains to resolve to something harmless such as loopback 127.0.0.1 (basically the payload would try to connect to local machine itself). Failed.

Bonus info: This can even be over-ridden and handled by a hosts file on an individual computer. (An example is at Malwarehelp.org)

Touch #2 – Antivirus Software

Endpoint Security software can block access to known malware websites. Failed.

Touch #3 – Router

One or more RSA Routers were touched in the process. Without a router a computer cannot communicate with systems outside of its own network. Routers can maintain black lists or null routes to avoid traffic coming from or going to known malicious sites. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.

Touch #4 – Proxy Server (Optional)

Many companies use a proxy server or transparent proxy server to store copies of frequently accessed files to avoid them from having to be downloaded every time. A Proxy server can optionally be used to provide additional protection including domain based filtering. Since micensur.com was a known malware domain this could easily have been blocked by a proxy server. Failed.

Touch #5 – Intrusion Detection/Prevention Device (IDP – Optional)

These are usually definition based devices that look for traffic that matches a known malicious definition. Such as traffic coming from or going to a known malicious website. Failed.

Touch #6 – Firewall

Even many small companies have firewall hardware. Firewalls allow for much more complex rules about what kind of traffic can go where and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways that a properly configured firewall could have prevented this infection. Failed.

Is it time to re-prioritize?

With so many chances to block this from happening, how is it that a company like RSA, that is involved with security products is not better protecting themselves from threats? I’m sure they have made changes as a result but with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site, don’t you?

Is it time push information security higher up the priority list?

Image credit br1dotcom, creative commons.

In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While companies have made headway including a reduction in “Autorun” infections issues related to USB capable devices have been subjected to a number of additional threats. It is these threats that encouraged this update to arm you with knowledge so you can better protect yourself.

Juice Jacking

While it sounds like a way criminals might steal electricity it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging your USB capable devices such as your Android Phone or iPhone. Imagine plugging into one of these kiosks and getting your smart phone or portable device infected with malware. Once infected your mobile device can then propagate said malware to your PC, Mac or any other computer you might connect it to in the future. Then using an autorun vulnerability that malware can then infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:

Don’t plug your phone into any public USB outlet or charging kiosk, carry your own charger and use an electrical outlet.

Your own personal charger is your protection (pictured below, left), they convert the Alternating Current (AC) to DC suitable for charging a USB device. You can also just use your own laptop and a USB cable to accomplish this.

Use these!

Not these!

A survey…

In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them, it’s just not worth the risk.

Additional related content:

• #infosec hashtag search on Twitter (get the latest real time information)
• The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
• Security Investigator Brian Krebs piece on a charging kiosk located at the Defcon hacker conference. (partial inspiration for this post, also a great resource if you want to learn the ins and outs of information security)
• Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)

August 7-13th, 2011 is International Patch Everything Week

Microsoft Advisories

It started early this week when we were informed by the US-CERT that all of these products had vulnerabilities that would be addressed in updates from Microsoft:

• Microsoft Windows
• Microsoft Office
• Internet Explorer
• .NET Framework
• Microsoft Developer Tools

That for the record is pretty much everything in the Microsoft world at least for the typical desktop user (except the developer tools of course). That was not the end of the notices for the week.

Adobe Advisories

Today we were informed of a plethora of Adobe product security updates:

• Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh
• Flash Media Server 4.0.2 and earlier versions for Windows and Linux
• Flash Media Server 3.5.6 and earlier versions for Windows and Linux
• Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
• Adobe Flash Player 10.3.185.25 and earlier versions for Android
• Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android
• Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh
• RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows

This array of products covers pretty much any PC based client computer and Android to boot. So don’t delay when you are notified of new updates available this week, just run them all.

Need help finding updates?

You can refer to the original bulletins for details on your device/pc:

For Adobe Products:

Security update available for Adobe Shockwave Player

Security update available for Adobe Flash Media Server

Security update available for Adobe Flash Player

Security update available for Adobe Photoshop CS5

Security updates available for RoboHelp

For Microsoft Products:

• Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
• Updates for consumer platforms are available from Microsoft Update

Warning: As always consult your IT department before applying software fixes. Also be aware that some software patches can cause problems.

If your computer recently got infected and you paid to get it cleaned up or restored from a backup, this article was written just for you!

Fixing avoidable problems is not “fun”

Contrary to what many might believe, we don’t enjoy or look forward to fixing broken computers. What we really love to do is prevent them from needing to be repaired or otherwise enhancing your business using technology like WordPress. Since we don’t live in that perfect utopia and things do break on occasion and systems get compromised, the intention of this article is to help you avoid some of these issues in the future.

Information Security is Challenge

There are so many threats that face you as a user (Factoid: There are 43 posts on this site that use the Security category and that is practically all we share on our Facebook page these days!). In spite of what often appears to be a swell (Tsunami?) of threats, there are certainly things that you can do to protect yourself.

Step 1 – Admit that you have a problem Opportunity.

If your computer got infected it was due to a problem. The most likely three scenarios are:

1. Critical security updates were not installed.
2. You believe your Antivirus software will protect you.
3. You were careless gave the bad guys the opportunity.

Step 2 – Don’t beat yourself up

Many users find themselves in your shoes. None of us are perfect and the fact that you are still reading this you can pat yourself on the back for working to improve the situation. An opportunity has presented itself, you now have added motivation to take some important precautions and raise your awareness.

Step 3 – Make sure you are installing security updates

In April of 2010 we shared with our readers why it is important to install Security updates. In that post we recommended that you should always install the following updates as soon as you can whenever prompted:

1. Windows Critical Updates
2. Adobe Acrobat
3. Flash Viewer
4. Oracle/Sun Java

It takes a while to learn what all these updates look like, but generally speaking they remain fairly consistent so once you do learn what to look out for you only need to validate it when it changes. Don’t let the fear of the updates being part of the problem stop you. It is greatly beneficial to take the time to learn to recognize the “normal” updates and apply them when prompted. It could save you from getting your computer infected.

Step 4 – Know your Antivirus Software Limits

Have you ever heard the term Zero Day? Zero day is something brand new and you often hear it combined with exploits: “Zero Day Exploits”. Since Antivirus and Anti-Malware software work off definitions (there is also heuristics or virus like characteristics but it is not perfect) it is only good if the virus or malware that you happen to get exposed to is well defined in your Antivirus/Malware Software.  In other words, there are plenty of things that will infect your computer if you click them, particularly “new” viruses and malware. Remember Viruses are written to try to avoid being detected.

Your antivirus software won’t always protect you.

Learn how to protect yourself from Zero Day Exploits.

Step 5 – Understand the importance of your role in your security

It is not a security that without users computer viruses as we know them today would not exist. It is important to recognize that you can make a difference and to take an active role in avoiding infection by the choices you make. We covered this thoroughly in our post about the role of personal choices in information security. In that article we shared 5 areas where choices had a substantial impact on your security including:

1. Competency/Learning
2. Hardware and Networking Devices
3. Security Software
4. Participation
5. Gullibility and Greed

It’s no secret that virus and malware authors exploit us, our weaknesses, events, and a myriad of other things to compromise us. Make sure your personal choices aren’t giving them extra opportunities.

Step 6 – Subscribe to Our Updates

A lot of the content for this article was already on our site. Let us educate you and prevent you from harm and expense whenever possible. A simple way to stay plugged in is to to sign up for updates to this site so you never miss the latest news. You can Subscribe to Managed Solutions by Email and get our Facebook exclusive updates on our Facebook page.

Opportunity Center Image credit: Jason Tester, Guerilla Futures

There are bulletins at us-cert.gov today for both Windows and Mac OS X being vulnerable to potential Human Interface Device (HID) functionality over USB exploit. The simplest way to explain this vulnerability is that both OS X and Windows lack a warning when you connect a USB connected device such as a smart phone when it is given keyboard or mouse capability. This could lead to a number of different compromises of the host system. This vulnerability has existed since USB HID support was added to both operating environments but was only publicly demonstrated recently. An example was demonstrated at the Black Hat DC conference, Cnet ran an article about it on January 19th.

Other USB related risks

USB connected devices have become a more common source of virus and malware infections. In 2010 there was actually a worm that spread via USB memory sticks called “Conficker” worm. As early as 2008 USB was becoming recognized as a much more common vector for virus propagation.

Protecting yourself

Since USB devices involve user interaction, it is an area where user education and caution is key. We can count on Apple and Microsoft to respond to this HID issue, but we can also say with certainty that there will be others that will come up in the future. Here are some simple suggestions to prevent becoming a victim:

Tips for individuals

1. Store your USB storage devices in a safe place.
2. Use memory sticks only from extremely trusted sources.
3. Do not allow others to use your computer to charge their USB devices.
4. Purchase memory sticks from trusted sources in clearly sealed packaging.

Extra tips for businesses

1. Include an area that governs USB devices in your Acceptable Usage Policy (AUP).
2. Do not allow third parties to use USB devices or charge phones on your corporate systems.
3. Consider implementing software or software policies that control access to USB ports on your systems.

You might also want to read these related articles on how you can function more securely:

Education: the Answer to Zero Day Exploits
Good Personal Choices – the most powerful Information Security Tool

Who should care?

Do you use the Chrome Browser or Chrome OS? If you do then you should take action to confirm that you will not be vulnerable.

How to tell

With your Chrome Browser open click the small tool icon in the top right of the browser window pictured below:

Once the above drop-down menu appears click the “About Google Chrome” menu item. This will result in a screen that will tell you if your browser is up to date and what version it is running:

The critical piece of information is the green check mark at the bottom of the page. If Chrome is not update or in this case is a version older than 8.0.552 your browser is vulnerable and needs to be updated. In most cases Chrome will be up to date as it is configured to update automatically. This is actually one of the strengths of this browser platform.

Photo credit Opensourceway, Creative Commons

Spokeo.com got “spinsucked”

Gini Dietrich posted a great article this week that struck a chord with the readers. It’s been viewed, shared and commented on heavily since it came out. The post was about “Deleting Your Spokeo Profile” and it detailed what information could be found on Spokeo.com and how to delete the profile. I thought based on the comments that it was worthy of a screencast so I recorded it and shared it with Gini. You can view it on Youtube. At one point Spokeo was not able to process requests, so I joked with her on her blog that there is a new /. in town and that spokeo had gotten “spinsucked” so henceforth that will be my story, and I will stick to it.

As further proof that this issue really resonated with many of us, I had one person completely disconnected from the matter ask me on Facebook last night if I had “heard of Spokeo” at that point I realized this was really circulating far and wide.

Learning from the debate

Some debates did come up over the spinsucks post, here were the opposition arguments to removing your profile from spokeo:

1. There are many other sites that mirror the same data
2. They are probably harvesting the required email address to sell
3. The information is public domain only, readily available

One less site is better

In response to argument #1, one less site is certainly better is it not? Not to mention Spokeo actually did a bang up job of getting a lot more data than other sites seem to have to offer. I’d rather not be listed there.

Avoid the harvest

Avoiding the email harvesting concept is easy, you should use either an alias that can be tracked and later deleted or a “junk” email that is only checked in these circumstances.

The information is public domain only

I don’t think this is the case, it appears that Spokeo has found or paid for some really unique data or at least their paid for service touts that. If it is all public domain it’s usually not in one place. If someone is going to go after it, let’s make them work for it, does that sound like a decent strategy?

What does it mean?

I think these developments solidify the position that 2011 is the year of privacy, why? We know now, and we care, and we’re reading and watching and opting out to the tune of disabling a website. Our current privacy laws are not reacting fast enough for the changes in this digital world. This disparity is creating a vacuum that will be filled one way or another.

What happen’s next? Predictions

So the question is do the companies that are gathering this information and making it available cave from the pressure cooker that is likely to develop from consumers this year? Does the government step in and pass new privacy legislation more geared to our digital and interconnected age? Or does a group of entrepreneurs put together a service that opts out and erases data that can be masked, opts you out of junk mail and create an opportunistic menu of other privacy features?

I’ll be talking privacy a lot more this year and making it a priority to educate and discuss both here on Managed Solutions and also on my blog. Please join the conversation and share your thoughts. The most compelling comments will be added to the post and the authors cited. Or perhaps you’d like to guest post about this, if so please contact me.

1. Email Addresses
2. Names
3. Vehicle Identification Number (VIN)
4. User ID

Their formal statement to their customers claims that no other information such as password, address where included in the breach. Hopefully a more thorough investigation will occur to verify the claim because if customer physical addresses were also compromised this would be a major concern.

Here is the entire message:

Dear Customer,

American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account. The data that was obtained included your email address, your name, Vehicle Identification Number (VIN) and User ID. Your password was not included and no other sensitive information was contained in that list.

We apologize for any inconvenience this may cause. As a company, we believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. You may be aware of attacks on email marketing systems, therefore we want to assure you that we take the safeguarding of your information seriously and that the appropriate authorities have been contacted regarding this incident. Additionally, we have taken steps to minimize this type of exposure in the future.

As a Company, we encourage you to continue to be aware of the increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information — Be cautious when opening links or attachments from unsolicited third parties. Also, know that American Honda Motor Co., Inc. will not send you emails asking for your credit card number, social security number or other personal information. If ever asked for this information, you can be confident it is not from us.

Again, let us reassure you that we are taking necessary steps to safeguard your personal information.

If you would like further information on this topic please visit honda.com/info/b

Thank you.

American Honda Motor Co., Inc.