How to Pick Your Antivirus

I get asked this question a lot.  “What antivirus program should I use?”  It’s also probably the question I dread the most, in large part because if I recommend something and someone gets infected anyway, it’s suddenly my fault.  So before I provide any semblance of an answer, I want to start off by making something very clear.

All antivirus software sucks.

Yeah, all of it.  Even what I run, which is currently ESET NOD32 (which, despite its name, also comes in a 64-bit version), has some really severe limitations based on how it works.  I run it at home because historically, it’s pretty solid, doesn’t break many things, and fits what I need.  But I’ve run up against it in a penetration test and got past it.  The question invariably comes around: Then why run it?

How the Biggest Hack Ever Wasn’t

There’s been a lot in the news lately talking about the largest hack–I mean, the biggest attack–no, wait, that the Internet almost–

I can’t even come up with a summary of the reports, because most of the general reports have been exceptionally bad at explaining what happened.  Mostly, they have far overblown the technical prowess required and the effects on the Internet (even if a few servers were inaccessible for a little while).  So here’s my attempt (one among thousands) to explain what happened.

One of the major providers of spam-source blocklists is Spamhaus.  They’re a good group of people, and I highly recommend that most companies use them as part of their spam solution.  (End users don’t really have a way of using them directly, so if you’re not running an IT department, don’t worry about it.)  Some reports call them “cyber vigilantes,” but the truth is that they basically build up a list of IP addresses that send spam or that shouldn’t be sending out large quantities of e-mail.  Their customers use these feeds to help determine when a message is likely from a spammer so it can be dropped early in the process.

The only people who really think they’re vigilantes are the people whose addresses end up on their lists.  One of these groups was apparently associated with a company called CyberBunker, so named because they set up shop in an old NATO bunker.  They would do business with anyone unless it involved terrorism or child porn.  Spammers were perfectly welcome to set up shop.

When CyberBunker’s address space got listed by Spamhaus, someone decided to remedy this by knocking Spamhaus offline.  It was hit with a combined 300Gbps of traffic.  That’s 300,000Mbps.  Consider that the high-speed connections most people have at home are perhaps 10Mbps, or maybe 20Mbps if they’re gamers.  Even my own FiOS connection at 150Mbps is a mere 0.05% of that stream.  Spamhaus, of course, has better feeds, but even if it has a carrier-grade connection like an OC-48 and its 2.5Gbps capacity, the traffic it was hit by was still more than 120 times that capacity.

How ever does one do a hack like this?  It’s almost impossible to consider the power at the fingertips of these people!  They must own every system on the planet to do this!

Well, not quite.

An unusual IM spam

I’m on pretty much every major IM program, and have been since introduced to ICQ way back in the 90s.  I have multiple accounts on most of them, too, some of which are rarely used and then only for spam.  I get the usual dating and pr0n spam, but every once in a while, I get something new.

Password Complexity: Easier for you, harder for bad guys with passphrases

What if I told you that my shortest important passwords are in the neighborhood of 20-25 characters?  Would you think to yourself, “You’re insane!”  Some of you would, because some have said it out loud to me when they see me typing in my passwords.  My secret for many of them is to use a pass phrase.  This is easy for me to remember and so complex that it’s almost impossible for a computer, or even a lot of computers, to get through it.

Microsoft Patch Overview for February 2013

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Notes and Observations

  • Twelve bulletins were released covering 57 vulnerabilities.
  • This isn’t quite as bad as it sounds (but you should still patch them all).  One of the bulletins, MS13-009, addresses more than a dozen vulnerabilities in Internet Explorer and should be patched pretty much immediately.  Another, MS13-016, addresses 30 in the kernel-mode driver, but these are tricky race conditions that allow privilege escalation and don’t worry me all that much.
  • However, the vulnerability addressed by MS13-010 is being exploited to some extent in the wild.  There is a component of the vulnerability that can be used for information disclosure.  This may be why Microsoft issued two patches for IE instead of one.  If you can’t install -009, at least install -010.
  • The apparent focus du jour for vulnerability researchers is the Use After Free vulnerability.  I’ll admit that I’m not up to date on this particular one, but I’ll see what I can come up with in the near future.
  • There’s a patch for an Exchange Server vulnerability that involves viewing Paradox database files in Outlook Web Access.  I haven’t seen mention of Paradox in years.  But I mention this not just for the historical oddity.  There really is the ability to view such files, and Microsoft admits that it’s not documented.  Be aware of this not just with Microsoft, but with other companies that can read many file formats.  They have to have parsers, and they’re often not as good as the original vendor’s (and some of them aren’t that good, either).
  • Nevertheless, I grouped it as one of two items to patch sometime in the next 90 days.  I’m really not that concerned that someone is going to try to craft a Paradox DB file for this when there are better ways to attack the user.  The other one I’m not worried about is a Network File System (NFS) issue since almost no one uses it in this context.

Password Complexity: Hows and Whys Explained

Over the last year, we’ve seen news stories of sites getting hacked and passwords getting stolen and we’ll doubtless see more in the future.  These range from the relatively irritating to the level of possible identity theft.  In every case, especially when the passwords have been published, we see the usual advice from the experts: use complex passwords, don’t share your passwords, don’t use the same password on multiple sites… It’s basically the same list trotted out all the time, but I see few explanations of why people should do these things.  It’s not bad advice at one level, but doing something out of blind obedience has actually made security worse on occasion, and passwords are part of that mess.

Some critical software end-of-life dates

In my last post on Java, I mentioned that versions of Java older than Java 6 have been end-of-life (or unsupported) for some time.  This invariably starts people wondering about end-of-life dates for other major software products, so here are a few of note.  It’s not comprehensive, but hits some of the software that’s most commonly used.  Not all of the products listed are unsupported: some are currently supported but the vendors have published end-of-life dates, sometimes (but not always) far into the future.  If you’re using something unsupported, you really should try to move to something on the support list (and preferably not something in yellow on the chart).  For things like Office that may be expensive, there are usually options such as LibreOffice that are free to use.

A couple of points of note:

  • Windows XP gets its last patches in April 2014, about 15 months away; its support ends soon after Patch Tuesday for that month (Office 2003 support ends on Patch Tuesday for that month).  I hope you’re all planning to be ready for that day.
  • I couldn’t find specific end-of-life dates for Flash.  I did find that the basic supported versions are 10.3 and 11.5, except that there’s also support for 11.3 on Windows 8 (presumably the Flash version built into IE10) and 11.2 for Linux.  Anything else is considered unsupported.

Vendor      Product Line     Product Version             End-of-Life Date
Microsoft   Windows          Windows 3.1                 31 Dec 2001
                             Windows 95                  31 Dec 2001
                             Windows 98/98SE/ME          11 Jul 2006
                             Windows 2000                13 Jul 2010
                             Windows XP                  18 Apr 2014
                             Windows Vista               11 Apr 2017
                             Windows 7                   14 Jan 2020
                             Windows 8                   10 Jan 2023
            Windows Server   Windows Server 2003         14 Jul 2015
                             Windows Server 2008         14 Jan 2020
                             Windows Server 2012         10 Jan 2023
            Office           Office 95                   31 Dec 2001
                             Office 97                   28 Feb 2002
                             Office 2000                 14 Jul 2009
                             Office XP                   12 Jul 2011
                             Office 2003                 08 Apr 2014
                             Office 2007 and later       Not yet set
Adobe       Flash            Flash Player                Unclear; always update to current
            Reader           Reader 7                    28 Dec 2009
                             Reader 8                    03 Nov 2011
                             Reader 9                    26 Jun 2013
                             Reader X                    18 Nov 2015
                             Reader XI                   Not yet set
Oracle      Java             Java 2 Std Ed (J2SE) 1.3    11 Dec 2006
                             J2SE 1.4                    30 Oct 2008
                             J2SE 5                      30 Oct 2009
                             J2SE 6                      Feb 2013
                             J2SE 7                      Jul 2014

Key:

  • White: Still supported for some time
  • Yellow: Still supported, end of support within the next 18 months
  • Red: No longer supported
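As an added example (not code from this blog), the following Python applies the chart’s key mechanically: it parses the date formats the table uses, including month-only dates and the “Not yet set” / “Unclear” entries, and colours each product relative to a chosen date using the 18-month yellow window. The subset of rows is constructed from the table above; treating a month-only date as the last day of that month is an assumption.

```python
from calendar import monthrange
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed subset of the end-of-life table on this page, kept as the
# page's own strings so the parser below handles every format it uses.
EOL_TABLE = [
    ("Microsoft", "Windows", "Windows XP", "18 Apr 2014"),
    ("Microsoft", "Windows", "Windows 7", "14 Jan 2020"),
    ("Microsoft", "Office", "Office 2003", "08 Apr 2014"),
    ("Microsoft", "Office", "Office 2007 and later", "Not yet set"),
    ("Adobe", "Flash", "Flash Player", "Unclear; always update to current"),
    ("Adobe", "Reader", "Reader 9", "26 Jun 2013"),
    ("Oracle", "Java", "J2SE 5", "30 Oct 2009"),
    ("Oracle", "Java", "J2SE 6", "Feb 2013"),
    ("Oracle", "Java", "J2SE 7", "Jul 2014"),
]

def parse_eol(text):
    """Parse '18 Apr 2014' or 'Feb 2013'; anything else ('Not yet set',
    'Unclear; ...') means no published date and returns None.
    A month-only date is taken as the last day of that month (assumption)."""
    parts = text.split()
    if len(parts) == 3 and parts[1] in MONTHS:
        return date(int(parts[2]), MONTHS[parts[1]], int(parts[0]))
    if len(parts) == 2 and parts[0] in MONTHS:
        year, month = int(parts[1]), MONTHS[parts[0]]
        return date(year, month, monthrange(year, month)[1])
    return None

def add_months(d, months):
    """Shift a date by whole months, clamping the day to the target month."""
    years, month = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def support_status(eol, as_of, horizon_months=18):
    """Apply the page's key: red = no longer supported, yellow = support ends
    within the next 18 months, white = supported beyond that (or no date set)."""
    if eol is None:
        return "white"
    if eol < as_of:          # the final patch day itself still counts as supported
        return "red"
    if eol <= add_months(as_of, horizon_months):
        return "yellow"
    return "white"

def classify_table(as_of, table=EOL_TABLE):
    """Map each product version to its colour as of the given date."""
    return {product: support_status(parse_eol(text), as_of)
            for _vendor, _line, product, text in table}

if __name__ == "__main__":
    for product, colour in classify_table(date(2013, 1, 15)).items():
        print(f"{colour:6} {product}")
```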

Microsoft Patch Overview for January 2013

This is based on something that I used to do for a former workplace, usually on patch release day. Patch release day is the second Tuesday of each month, also known as Black Tuesday, especially since other companies have taken to releasing on the same day. It’s not uncommon to see Adobe release Flash and Reader updates on the same day.

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Updated 14 Jan 2013 at 17:15 CST: Microsoft released MS13-008 today to address a flaw in Internet Explorer.  The post has been updated to address that.

Notes and Observations

  • Seven bulletins were released covering 12 vulnerabilities. One of the bulletins, MS13-002, comprises numerous patches depending on the version(s) of XML Core Services installed on a system.
  • The first bulletin, MS13-001, is a print spooler vulnerability that allows code to run as SYSTEM. Print spoolers have been prime targets in the past. This should be a priority for patching on all of your systems.
  • An additional patch, MS13-008, for Internet Explorer 6, 7, and 8 has been released out-of-band on 14 January 2013.  It addresses a vulnerability that is currently and widely being exploited by attackers.  This should be a priority for patching.
  • The patch for MS13-007 appears to simply change a default setting. This strikes me as a problem because it might be turned back on by someone who may or may not know of the potential consequences or by someone who has an ulterior motive. Troubleshooting may become difficult at that point if it’s enabled to set up a denial of service condition. A check of the box will show that it’s completely patched, but the system is still experiencing resource exhaustion. This seems to me more a band-aid than a patch.
  • There is no Internet Explorer patch this month. The vulnerability affecting Internet Explorer 6, 7, and 8 that was discovered and publicized at the end of December is still not formally patched, exploit code is public, and its use has been seen in the wild. Microsoft has published a “one-click” fix for it, but it has to be implemented separately from automatic patch downloads.
    • Advice for enterprise users: If possible, make sure that you have something newer than IE8. This isn’t always possible either because you’re on Windows XP or you have software that doesn’t work with anything newer. You also may not be able to use an alternate browser. In this case, look into rolling out the fix above or installing the Enhanced Mitigation Experience Toolkit (EMET). The benefit of EMET is that it works against a wide variety of attacks for which there may be no fix. Support is limited and it’s not perfect, but it can help in some cases before the attack is even known.
    • Advice for home users: Make sure you have the newest available version of Internet Explorer. For Windows XP, this is IE8. For Vista and 7, this is IE9. For Windows 8 and RT, this is IE10. If you have Windows XP, try to use a different browser (Firefox, Chrome, Opera, or Safari) if at all possible. Installing EMET probably wouldn’t hurt, either.
  • Of the five patches that affect a swath of Windows products, only two of them affect Windows XP. I’m not sure if this is just an oddity or a sign that XP’s code has reached a new maturity level. I suspect it’s the former, but it will still be interesting to watch.
  • Microsoft finished up last year with 83 bulletins. That sounds like a lot, but it’s better than the 100 published the year before and many of the 2012 bulletins were variations on a library load path vulnerability. They started last year with seven bulletins, the same as this year. Maybe this year will see a continued decline.

Chart Guidance

  • Enterprise Severity denotes the timetable in which I believe enterprises should try to patch the affected vulnerabilities and may differ from Microsoft’s severity decision. Differences are usually based on historic targeting habits of attackers who go after certain vulnerabilities (SMB, RDP, print spoolers) more often. The need for effective patch review is not removed, of course, and different businesses have different needs. In some cases, there may be mitigating factors that may allow a somewhat more relaxed timetable. Nevertheless, those rated with a severity of 1: Critical should be considered a priority in almost any environment.
    • Enterprise Severity Levels:
      1. Critical: Currently being exploited, publicly available exploit code, and/or likely to be easily exploitable in the very near future. Patch within 7 days.
      2. High: Not known to be public or public with strong mitigating factors. Patch within 30 days.
      3. Low: Not known to be public and not likely to be a reliable exploit. Patch on next scheduled update cycle or within 90 days.
  • Home Severity is not included because it is almost always the same: patch it as soon as it’s released! It’s extremely rare for a patch to break things (only one patch that I can think of was re-released last year for breaking something, and even then it affected a minority of users), so it’s best to just install every patch as it’s released.
  • Patches are almost always published right around 10:00 Pacific Time on the second Tuesday of each month. Occasional out-of-band patches are also published, but these are uncommon and address vulnerabilities known to be widely exploited.
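An added example, not from the post: a short Python helper that turns the Enterprise Severity levels above into concrete deadlines. It computes the second-Tuesday release date, applies the 7/30/90-day windows, and reports which bulletins are overdue on a system given the set already installed. The bulletin list is constructed from the January 2013 overview on this page (MS13-008 released out-of-band on 14 January); the helper names and the idea of tracking installed bulletin IDs are my own assumptions.

```python
from datetime import date, timedelta

# Patch windows from the Enterprise Severity Levels described on this page.
SEVERITY_WINDOW_DAYS = {1: 7, 2: 30, 3: 90}   # 1: Critical, 2: High, 3: Low

def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular bulletin release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Monday == 0
    return first_tuesday + timedelta(days=7)

def patch_deadline(release, severity):
    """Latest date a bulletin should be installed by under the page's scheme."""
    return release + timedelta(days=SEVERITY_WINDOW_DAYS[severity])

# Constructed from this page's January 2013 overview: (bulletin, release, severity).
# MS13-008 was out-of-band on 14 Jan 2013; the rest shipped on Patch Tuesday.
JAN_2013 = [
    ("MS13-001", patch_tuesday(2013, 1), 1),
    ("MS13-002", patch_tuesday(2013, 1), 2),
    ("MS13-003", patch_tuesday(2013, 1), 2),
    ("MS13-004", patch_tuesday(2013, 1), 2),
    ("MS13-005", patch_tuesday(2013, 1), 2),
    ("MS13-006", patch_tuesday(2013, 1), 3),
    ("MS13-007", patch_tuesday(2013, 1), 3),
    ("MS13-008", date(2013, 1, 14), 1),
]

def overdue_bulletins(bulletins, installed, today):
    """IDs whose deadline has passed without installation, sorted by ID.
    `installed` is the set of bulletin IDs already applied on the system."""
    return sorted(bid for bid, release, severity in bulletins
                  if bid not in installed
                  and patch_deadline(release, severity) < today)

def next_deadline(bulletins, installed, today):
    """Earliest still-open deadline on or after today, or None if nothing is pending."""
    pending = [patch_deadline(release, severity)
               for bid, release, severity in bulletins
               if bid not in installed
               and patch_deadline(release, severity) >= today]
    return min(pending) if pending else None

if __name__ == "__main__":
    applied = {"MS13-001", "MS13-008"}          # constructed example state
    print("overdue:", overdue_bulletins(JAN_2013, applied, date(2013, 2, 8)))
    print("next due:", next_deadline(JAN_2013, applied, date(2013, 2, 8)))
```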

January 2013 Microsoft Security Bulletin Overview

Columns: ID; Affected Products; Title; Severity/Impact (Microsoft severity, impact, Exploitability Index); Notes; Enterprise Severity.

ID: MS13-001
Affected Products: Windows 7; Windows Server 2008 (Core affected)
Title: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution
Severity/Impact: Critical; Remote Code Execution; EI: 1
Notes: Addresses 1 issue. Not known to be public. Flaw in handling specially-crafted print jobs. Code executes with system privileges. Likely to be a target for potential attackers.
Enterprise Severity: 1: Critical; patch within 7 days.

ID: MS13-002
Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected); Office 2003, Office 2007, Office Compatibility Pack, Word Viewer; Expression Web; Groove Server 2007, SharePoint Server 2007
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Severity/Impact: Critical; Remote Code Execution; EI: 1
Notes: Addresses 2 issues. Not known to be public. Code executes with current user privileges.
Enterprise Severity: 2: High; patch within 30 days.

ID: MS13-003
Affected Products: System Center Operations Manager 2007
Title: Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege
Severity/Impact: Important; Elevation of Privilege; EI: 1
Notes: Addresses 2 issues. Not known to be public. Reflected cross-site scripting (XSS) vulnerability in SCOM Web Console allows attacker to take action or retrieve information as logged-in user.
Enterprise Severity: 2: High; patch within 30 days.

ID: MS13-004
Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected)
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Severity/Impact: Important; Elevation of Privilege; EI: 1
Notes: Addresses 4 issues. Not known to be public. An attacker could perform one of several actions against a system including reading otherwise inaccessible memory contents or taking complete control of a system. This applies to both servers running a .NET web application and to clients using a browser to access that web application.
Enterprise Severity: 2: High; patch within 30 days.

ID: MS13-005
Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation
Severity/Impact: Important; Elevation of Privilege; EI: 1
Notes: Addresses 1 issue. Not known to be public. Code may be run at a higher privilege.  An attack against an administrative user could take complete control of the system.  An attack against a lower-privilege user could still gain privileges usually denied.
Enterprise Severity: 2: High; patch within 30 days.

ID: MS13-006
Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
Title: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
Severity/Impact: Important; Security Feature Bypass; EI: N/A
Notes: Addresses 1 issue. Not known to be public. A man-in-the-middle attacker can force a silent downgrade of encrypted traffic to SSLv2 which may allow the use of weak, breakable ciphers.
Enterprise Severity: 3: Low; patch on next cycle or within 90 days.

ID: MS13-007
Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
Title: Vulnerability in Open Data Protocol Could Allow Denial of Service
Severity/Impact: Important; Elevation of Privilege; EI: 3
Notes: Addresses 1 issue. Not known to be public. Using a few specially-crafted HTTP requests, an attacker can trigger replication of data and exhaust system resources, triggering a denial of service. The patch disables WCF Replace by default, and it can still be enabled even with this patch installed.
Enterprise Severity: 3: Low; patch on next cycle or within 90 days.

ID: MS13-008
Affected Products: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8
Title: Security Update for Internet Explorer
Severity/Impact: Critical; Remote Code Execution; EI: 1
Notes: Addresses 1 issue. Known to be public and to be currently and widely exploited. Code executes with current user privileges.
Enterprise Severity: 1: Critical; patch within 7 days.

Exploitability Index:
1. Consistent code exploit likely
2. Inconsistent code exploit likely
3. Functioning exploit code unlikely

Highest exploitability of a cumulative patch

Critical Java update released: To update or uninstall? That is the question…

Today, Oracle released an update for Java 7 that addresses a security flaw found a few days ago and which is currently being exploited.  Those who have Java installed and need it should update by going to www.java.com and installing it from there.

This is the fourth major security fix release in the last five months for Java 7.  This latest fix addresses a flaw that exists all the way back into Java 6 and possibly earlier.  This and other problems have led many security experts to call for Java to be simply removed from everything that you run.

It’s not that simple.
