Tag Archives: antivirus

The end of Windows XP

Windows XP support will officially end next week, on 8 April 2014.

This is a very important change, and one that appears to have escaped many people. Why important? Because from that date you will no longer receive any updates (security or otherwise) from Microsoft for XP. In practice that means any security hole discovered in Windows XP after 8 April will be open for anyone to exploit, with no fix forthcoming from Microsoft.

While Windows XP has never been what you might call a secure operating system, Microsoft has, to this point, continued to fix vulnerabilities, bugs and other issues in it, and it is those fixes that have raised XP's security level significantly. That stops next week.

What is really worrying is that many companies are still running a fairly large proportion of Windows XP systems; it is estimated that up to 25% of enterprise/corporate systems are still on XP, and many smaller businesses have a higher percentage because they cannot afford the Windows software and hardware upgrade cycle.

The risk of security breaches on systems still running Windows XP beyond April 2014 is high. This is not an overstatement; it is a certainty. Even the European Cybercrime Centre has warned of the impending XP security risks.

What can you do?

1. make an asset list of both hardware and software

It's important to understand what hardware and software you have, as this dictates whether you can upgrade to a newer version of Windows at all. Some older applications will not run on Windows 7 and later, even in compatibility mode.

2. Test your hardware

Use one of your PCs or laptops as a test bed to check whether Windows 7 or 8 will run on it without issues. Run the Windows 7 Upgrade Advisor (or the Windows 8 Upgrade Assistant) to see whether your machines meet the minimum requirements. Meeting the minimum does not mean a good experience: each Windows release has required more memory and faster disk than the last to perform adequately.

Note that there is no in-place upgrade path from Windows XP to Windows 7 or later, so none of your existing data or applications carry across: you need to a) create backups and b) do a clean install (Windows Easy Transfer can migrate user files and settings). Check with your hardware vendor for driver updates required by the newer Windows version; XP-era drivers will not necessarily be available for Windows 7 or 8, particularly in 64-bit editions.

Here is more info on upgrading Windows XP to Windows 7. Note also that Windows 7 extended support ends in January 2020, which is not that far away, so keep that in mind when upgrading.

3. Test your applications

Take a Windows 7 or later system and run all your applications on it to make sure they execute without issues. If you find any, try the application compatibility modes in Windows 7 and later; if that does not solve the problem, approach the vendor for a fix or look for an equivalent application that is compatible.

4. Update or install a good anti-virus package

It cannot be overstated how valuable a good AV package is. It is generally the first line of defence when accessing network resources or using portable media (USB, CD, DVD etc.). The package should include malware protection, email scanning and URL/link scanning. Many AV packages now also come with cloud-based sandbox technologies, which improve their ability to detect previously unseen malware. Note that an AV package will NOT be able to provide full protection for a Windows XP system after the end-of-support date: it runs on top of the operating system and cannot close an unpatched hole in the OS itself.

5. Do not use Internet Explorer 6 or earlier

In fact, don't use Internet Explorer at all; use an alternative browser such as Firefox or Chrome. Internet Explorer 8 is the last version available for XP, and it stops receiving fixes along with the operating system.

6. Do not use a Windows XP system for banking or other financial transactions

You are literally inviting crackers into your bank account if you continue to use Windows XP for banking and/or other financial transactions from next week on. Use a separate locked-down system, such as a live Linux system booted from a memory stick, for any secure internet browsing requirements. You are welcome to contact me for pre-configured memory sticks or pen drives.

7. Contact your IT support company for assistance

Your IT service company is in the best position to determine possible solutions for you in this regard. Don't underestimate the value they can provide in either mitigating the security risks of XP or upgrading to Windows 7 or something else.

9 years ago, I took the decision to ditch Windows altogether. I've never looked back: not only does my current system (Linux) provide good performance on lower-spec hardware, but it's also relatively immune to the bulk of exploits out there. This means I'm secure in the knowledge that when I'm doing internet banking, my money is not going to disappear.

This path is not for everyone. However, you need to look at the alternatives; whether it's upgrading Windows to a newer version or migrating to a completely new platform like Mac OS or Linux, you need to make the decision now.

Any delay beyond next week is likely to be a costly move.

Android Security

I've been a keen Android user for many years now, as I am with all things Linux. I really do believe that Linux, and the associated FOSS software, has proven a great advantage for us bipedals, allowing those in a less fortunate financial situation to still use high-grade software and achieve their goals. And Linux has had what can only be described as an enviable track record with security: it hasn't come out completely unscathed, but it has remained consistently (considering it is one of the most complex pieces of software around) very secure. Many other FOSS projects exhibit the same stability and security.

There is a whole lot of rhetoric and FUD from commercial companies regarding the use of FOSS in the enterprise, but that is just what it is, and mostly without substance. FOSS has proven itself over the years: it is not only the biggest class of software used world-wide for internet infrastructure, but it has also made huge inroads into the corporate market and is now a standard there.

So the fact that Android as a platform has become, so to speak, ubiquitous is very good news. Of course, any ubiquitous platform becomes a target for crackers, malware and virus vectors (witness the thriving market in Windows-based security issues), and it is clear from many sources that a very large proportion of bad stuff targets Android. What is not so clear, and has been almost completely absent from those quoting the numbers (mostly AV companies), is how much of this stuff is actually having an effect on Android devices in the field.

And the answer is apparently very little:

http://www.osnews.com/permalink?574118

So for those running Android, don't believe the security hype. Just follow good security practices when using your phone or tablet (or any computing device, in fact): install apps only from trusted sources, keep the device updated and look at the permissions an app asks for, and you'll be fine.

Large security breach involving fast food outlets and banks in SA

A variant of the Dexter point-of-sale malware has apparently been running, unchecked, on POS systems at fast-food outlets for quite a while. Dexter scrapes card track data out of the memory of the POS software, so every card swiped at an infected terminal is exposed regardless of how the transaction itself is transmitted. All of South Africa's banks have been hit hard by the resulting losses, in arguably one of the largest security breaches in SA history. More info here:

http://www.techcentral.co.za/sa-banks-in-massive-data-breach/44338/

Apples can get viruses

After years of deceiving its customers, Apple has finally admitted that its products can get viruses, something most of us have known all along. The Mac maker changed the wording on its "Why you'll love a Mac" page from "It doesn't get PC viruses" to "It's built to be safe". The same page used to say "Safeguard your data. By doing nothing" and now says just "Safety. Built in." Comparative screenshots can be seen here.

I actually sent a complaint to the ASA about a year ago regarding an ad in a Vodacom magazine which carried the faulty "free from viruses" message. The changes were duly made in the next edition of the ad.

The Mac-based Flashback trojan infected upwards of 650,000 Macs earlier this year, spreading through a Java vulnerability that Apple patched only weeks after Oracle had fixed it on other platforms, which pretty much puts paid to Apple's "It doesn't get PC viruses" message. This is not the first malware to infect Macs and it certainly won't be the last, so Mac users can expect an increase in security issues over the next few years. It's interesting to note that Apple is now, security-wise, where Microsoft was ten years ago. While viruses are still all-pervasive on Windows PCs, Microsoft has done a lot of work on its security features and processes to combat the issue.

So let’s go Apple – time to get secure!

Mobile Security in a nutshell

Mobile security has morphed in the last few years into a major area of security concern. It's no longer just laptops that provide on-the-go networked computing: smartphones, tablets, ultra-portables, e-readers and other networked devices now all vie for a space in your electronic arsenal, and they all come with their own set of security concerns, specifically because of their mobile nature. The continual and rapid improvement in mobile device size, intelligence and computing power means that these devices can mimic the abilities of full-blown desktops and laptops, with an ease of use that, along with their mobility, introduces new security threats.

Nowhere are security standards more important than in this area, given the increased security requirements, the disconnected mode of use and the more volatile threat landscape. There are some basic procedures that can be followed to mitigate the increased risks from mobile devices:

  • make sure you have a company-wide security policy for mobile devices
  • use risk assessment regularly to pick up on changing security trends
  • provide training to your users and employees, and increase security awareness

Data on these devices that can be compromised includes email, images/video/sound clips, contact information, static data/documents, authentication information (passwords, tokens and cached credentials), calendar information and more. Tailor your security policies to the type of information held on the mobile devices used within the organisation.

Deployment and use

  • make sure mobile devices are patched regularly with the latest vendor-supplied updates
  • disable or remove unnecessary features and services on mobile devices
  • make use of user authentication, encryption and/or a VPN to transmit critical information

Maintain security on mobile devices

  • reduce exposure of sensitive data (e.g. use password database applications, encrypt sensitive data)
  • maintain physical control over mobile devices
  • backup data regularly
  • use non-cellular connection options only when required
  • report compromised devices
  • enable additional software such as tracking, anti-virus or anti-malware applications
  • control use of electronic wallets
  • use 2-factor authentication

Centralised security management is a good option, as it provides easy control over your mobile devices. Not all devices support this, though, so it's important to look at the enterprise capabilities of mobile devices before purchasing them. The depth of these capabilities determines the control you have over the devices and the level of exposure they subsequently present.

Areas of importance include:

  • policy control
  • remote password reset or data wipe
  • remote locking
  • network access control
  • camera, microphone and removable media controls
  • remote update capabilities

Policies, standards and procedures are needed to bring a certain level of security to the use of mobile devices within the modern organisation. Without these, mobile devices can become a security nightmare with data loss/compromise, identity theft and company network intrusion being real possibilities.

Take care.

Symantec Endpoint Security issues

Regular readers of this blog will know that I’m not a fan of Anti-Virus companies, especially when they use FUD to sell their products. What’s even worse is when a security application, which is supposed to protect you from security issues, has security issues itself.

Symantec's endpoint anti-virus product, SEP (Symantec Endpoint Protection), is apparently riddled with them according to Secunia, including cross-site scripting and cross-site request forgery issues. Time to look at something else?

AV vendors offer ‘free’ LNK protection

Aw, aren't we lucky (well, Windows users at least): G Data and Sophos have stepped forward with free protection tools for the .lnk vulnerability.

G Data's LNK-Checker displays no-entry signs on icons associated with exploits, while other icons function as normal. However, users can still click on malicious LNK files and start the malware manually, unless it is blocked by a virus scanner. In addition, it appears that the tool marks all shortcuts associated with the Control Panel as dangerous, resulting in falsely flagged icons.

Sophos' Windows Shortcut Exploit Protection Tool attempts to intercept malicious LNK files and present a warning dialog. The tool, however, does not react to files stored on local disks, so the protection it offers is half-hearted at best.

These tools may be free but your protection is not guaranteed.

New Microsoft Windows exploit the most dangerous of all

A new malicious attack has been spreading through the internet in the last few weeks, initially propagating via USB memory sticks. Known as the LNK vulnerability, the attack uses specially crafted shortcut (.lnk) files which trick Windows into running code of an attacker's choosing: the shortcut targets a Control Panel item, and the shell loads the DLL named in it (as it would a .cpl applet) just to obtain the icon. Any Windows application that tries to display the shortcut's icon, including Explorer, triggers the exploit, so the mere act of browsing a directory containing the malicious shortcuts is sufficient for a system to be compromised.

The exploit has now been confirmed to work from SMB network shares as well as via the Windows WebClient (WebDAV) service. The nature of this attack is very serious, as underlined by the SANS Internet Storm Center raising its Infocon level to Yellow. Even Microsoft is worried enough about this vulnerability that the guys from Redmond said, "Anyone believed to have been affected by this issue … should contact the national law enforcement agency in their country."

The malware payload appears to be designed specifically to compromise the databases used by Siemens' SIMATIC WinCC software. WinCC is SCADA software used to control and monitor industrial systems in manufacturing plants, power generation facilities, oil and gas refineries and so on. Siemens' software uses hard-coded database passwords, making the attack particularly simple and potentially dangerous. (Question: why would anyone use Windows software for controlling industrial equipment?)

The recommended temporary workarounds are to turn off the display of icons for shortcuts (by removing the default value of the HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler registry key) and to disable the WebClient service, but these are fairly intrusive and confusing for the average user. The recently added protections for AutoRun are useless in this case, since no AutoRun is involved. All versions of Windows from 2000/XP onwards are affected. Anti-virus vendors have so far been unable to halt the spread of this attack.
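Both LNK posts above (the G Data and Sophos tools, and the description of the vulnerability itself) turn on the same detail: the shortcut never has to be clicked, because the shell loads a DLL named inside the shortcut's target list in order to draw its icon. The scanner below is an added example, not code from the original posts, from G Data, Sophos or Microsoft. It parses the ShellLinkHeader and LinkTargetIDList of the MS-SHLLINK format and flags shortcuts whose target enters the Control Panel namespace and then names a .dll. The two folder CLSIDs are the documented shell GUIDs for "My Computer" and "Control Panel"; the layout of the exploit shortcuts follows public analyses of the Stuxnet samples and is an assumption of this example, so treat the check as a heuristic rather than a signature. The sample shortcuts are constructed inline and are not real malware. Microsoft's out-of-band patch MS10-046 closed the hole (CVE-2010-2568).

```python
"""Heuristic scan of Windows shortcut (.lnk) files for the Control Panel /
DLL pattern used by the 2010 LNK attacks (CVE-2010-2568, fixed in MS10-046).

Added example; not code from the original post or from any vendor tool.
Only the ShellLinkHeader and LinkTargetIDList of MS-SHLLINK are parsed.
The sample shortcuts below are constructed here, they are not real malware.
"""
import struct
import sys
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Shell folder CLSIDs for "My Computer" and "Control Panel".
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le


def parse_header(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    return flags


def parse_id_list(data):
    """Return the ItemID payloads of the LinkTargetIDList ([] if absent).

    Layout: IDListSize (u16), then ItemIDs each starting with a u16 size
    that includes the size field itself, ended by a zero TerminalID.
    """
    if not parse_header(data) & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos = HEADER_SIZE + 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def names_a_dll(item):
    """True if an ItemID payload carries '.dll' in ASCII or UTF-16LE."""
    lowered = item.lower()
    return b".dll" in lowered or ".dll".encode("utf-16-le") in lowered


def is_suspicious(data):
    """Flag a shortcut whose target walks into the Control Panel namespace
    and then names a .dll: the shell loads that DLL, as it would a .cpl
    applet, merely to draw the icon. Heuristic (assumed layout), not a signature.
    """
    items = parse_id_list(data)
    for i, item in enumerate(items):
        if CONTROL_PANEL_CLSID in item:
            return any(names_a_dll(later) for later in items[i + 1:])
    return False


def build_lnk(items):
    """Assemble a minimal .lnk (header + LinkTargetIDList) for the samples."""
    id_list = b"".join(struct.pack("<H", len(it) + 2) + it for it in items)
    id_list += b"\x00\x00"  # TerminalID
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples. The leading bytes of each ItemID mimic shell item-type
# prefixes and are not interpreted by the scanner.
EXPLOIT_STYLE_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2e\x80" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "\\\\.\\STORAGE#Volume#payload.dll".encode("utf-16-le"),
])
PLAIN_FILE_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2f" + b"C:\\\x00",
    b"\x31\x00" + b"Windows\x00",
    b"\x32\x00" + b"notepad.exe\x00",
])
CONTROL_PANEL_APPLET_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2e\x80" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "Display".encode("utf-16-le"),
])


def scan_file(path):
    with open(path, "rb") as fh:
        return is_suspicious(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "SUSPICIOUS" if scan_file(p) else "ok")
    else:
        for name, blob in (("exploit-style", EXPLOIT_STYLE_LNK),
                           ("plain file", PLAIN_FILE_LNK),
                           ("control panel applet", CONTROL_PANEL_APPLET_LNK)):
            print(name, "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

Pass real .lnk files on the command line to scan them; with no arguments it reports on the three constructed samples. Ordinary shortcuts to Control Panel applets are not flagged, because the check requires a .dll name after the Control Panel item, but a shortcut that hides the DLL name (for instance by splitting it across items) would slip past, which is why the registry workaround and the patch, not a scanner, are the real fix.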

Security vendors – stop your advertising antics!

I always find it quite amusing ( and ironic ) when security vendors eat their own dog food – and get bitten. Here are a few gems:

Earlier this year, McAfee released a definition file which flagged a Windows XP SP3 system file (svchost.exe) as a threat, leaving thousands of machines unable to boot and bringing corporate networks to their knees.

In February, a hacker gained access to the Kaspersky website, as well as to confidential customer information. The hacker had actually warned Kaspersky repeatedly but, after receiving no response, decided to go ahead and publish the information.

An erroneous update for the BitDefender anti-virus software in March saw an unknown number of 64-bit Windows PCs crashing or unable to reboot. The update falsely detected several Windows and BitDefender files as infected with the Trojan.FakeAlert.5 virus and quarantined them accordingly.

In 2008, Symantec's Norton AntiVirus/Endpoint product released a virus definition update that detected the file "microsexplorer.exe" on Micros POS systems as a virus. As a result, thousands of POS terminals were broken.

In 2009, a glitch in virus definition updates for the popular AVG Anti-Virus software from Grisoft misidentified libraries required by Apple's iTunes as harmful, and disabled the software.

The reason I'm bringing all of these up is that security vendors often come across as holier-than-thou and as having your best interests at heart, yet they end up breaking things for many people. It all seems like a Las Vegas-style, shabby attempt at showing their products to be the best in the ever-growing war to be king of the security hill.

And the worst of these, in my mind, is Symantec. Not content with bringing out a series of shocking anti-virus products for a number of years, they've now resorted to peddling their apparent security superiority with an online site called 2010NetThreats (yes, I know, another company trying to cash in on the World Cup).

Unfortunately, under almost every security tip published there are comments from spammers with links to purses, T-shirts, metal parts, hotels, sports shoes and other dubious sales offers. The links posted via this comment spam appear to lead to more or less harmless online shops, but it would be just as easy for the spammers to post links to servers hosting malware.

No registration is required to comment, nor is any CAPTCHA mechanism in use. Considering that most professional CMSs have these functions these days, this is careless at the very least. Nor is there any rel="nofollow" protection on URLs posted in comments, which is what removes the search-ranking reward that attracts link spammers in the first place.
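A small sanitiser for comment markup, added here as an example and not code from Symantec's site or from any CMS: it keeps a short tag whitelist, throws away every attribute except an http(s) href, and stamps rel="nofollow noopener" onto each surviving link, which is the control the site is missing. The tag and scheme lists are choices made for this example, and the spam comment it processes is constructed.

```python
"""Sanitise user-submitted comment HTML: keep a small tag whitelist, drop
every attribute except a vetted http(s) href, and force rel="nofollow
noopener" on each surviving link so spammers gain no search ranking from it.

Added example, not code from the 2010NetThreats site; the sample comment
below is constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}
ALLOWED_SCHEMES = {"http", "https"}  # absolute URLs only; javascript:, data:, relative rejected


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []          # tags we emitted and still need to close
        self.dropped_links = 0

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.out.append("<br>")
            return
        if tag not in ALLOWED_TAGS:
            return              # unknown tag vanishes; its text content is kept
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if urlsplit(href).scheme.lower() not in ALLOWED_SCHEMES:
                self.dropped_links += 1
                return          # link text survives as plain text
            self.out.append('<a href="%s" rel="nofollow noopener">'
                            % html.escape(href, quote=True))
        else:
            self.out.append("<%s>" % tag)  # all other attributes discarded
        self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag not in self.open:
            return              # stray end tag, or one whose start we dropped
        while True:             # close anything left open inside it
            t = self.open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def result(self):
        while self.open:        # balance tags the commenter never closed
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_comment(raw):
    """Return (clean_html, number_of_links_rejected)."""
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    return p.result(), p.dropped_links


# Constructed comment-spam sample.
RAW_COMMENT = (
    '<p>Great tips! <a href="http://cheap-purses.example/" onclick="x()">purses</a> '
    '<a href="javascript:alert(1)">click</a> <script>alert(1)</script> &lt;3</p>'
)

if __name__ == "__main__":
    clean, rejected = sanitize_comment(RAW_COMMENT)
    print(clean)
    print("links rejected:", rejected)
```

rel="nofollow" removes the search-ranking payoff that makes comment spam worthwhile; it does nothing to stop the posting itself, which is where registration or a CAPTCHA comes in, and it does not make a malicious destination safe to click. Rejecting relative and javascript: URLs outright is stricter than most blog platforms, but appropriate for anonymous comments.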

And Symantec are punting themselves as a security company? Hmmm, yes, maybe in an alternate universe …

Then we have classic tips like the following on the site:

According to Symantec’s Con Mallon, while most South African cybercafes are legitimate businesses, experience has shown that they can be hotspots for cybercriminals, both physical and virtual.

Con has the inside track: SA cyber-criminals are vastly more proficient than those in the rest of the world, whose internet cafes are devoid of issues like this … Must have something to do with our crime issues!!!

Dan Bleaken, Senior Malware Analyst, Symantec Hosted Services: As we approach the semi-final stage of the 2010 World Cup, Symantec’s MessageLabs Intelligence has recorded a great variety of online threats relating to the event.

Sorry Dan, are you trying to tell us something new?

Everyone knows how frustrating a slow PC can be, particularly when you’re trying to stream a live match. Often, this can be a slow Internet connection or too much software clogging up your machine, but it can also be a sign that you have malware, such as viruses, worms or Trojans, sitting on your PC.

How can you fix it? A security software suite, such as Norton 360 version 3.0, goes through all of your PC’s processes to spot the problems.

Ok …

Unfortunately, this does highlight a bigger issue relating to Windows PCs and online security specifically. The average person in the street is continuously bombarded with advertising for security products and is in no position either to choose effectively or to test packages in a bid to find the "right" one. The other side of the coin is the high cost of operating Windows PCs in the modern internet world, in both time and software.

And finally, no matter how much security you have, zero-day threats can cut through all the firewalls, anti-malware and anti-virus applications you have, exposing your data and potentially handing control of your system to someone else. A no-win situation any way you look at it.

So don't automatically trust a security vendor just because they are in the security business. Keeping your wits about you may end up being a better security application than any provided by the so-called pros.

UPDATE: ah, very interesting to note that there are no longer any comments whatsoever on the entire site – I wonder where they have gone …

Security, the employee and business

Anyone who runs a business (from small SMEs to large corporates) with computing facilities for their employees faces a tough battle with network and computer security these days. The list of external malicious vectors is endless: phishing attacks, spyware, viruses, DoS attacks and many others.

The Mariposa botnet, shut down in March this year, was responsible for stealing credit card numbers and banking credentials from as many as 12 million PCs. The malware spread through instant-messaging links and propagated via USB flash drives and P2P file-sharing networks. Reports indicated that more than half of the Fortune 1000 companies and more than 40 major banks had infected machines. *

According to RSA, EMC's Security Division, 88% of Fortune 500 companies had systems that had been accessed by infected machines and 60% of them had experienced stolen email account information. Rob Jamison, Manager of Network Intelligence, BT Managed Security Solutions Group, added that "some of the larger botnets are de facto controlled by Eastern European crime syndicates, but many others have botmasters in North America, Brazil, and Europe. Chinese hackers also have been extremely effective in infiltrating organizations via spear-phishing attacks and use botnet technology in their attempt to exfiltrate information. While credit card theft is on the decline as it has become more difficult to profit from a stolen credit card number outside of the country of issue, selling stolen banking information to the highest bidder in the secondary market is still the leading business model. The stolen banking information is most often used with 'money mule' operations to steal money from victims' bank and credit card accounts. The botnet operators generally focus only on acquiring and selling the stolen information to separate criminal groups who operate the money mule scams." **

While external malicious activity gets the bulk of our attention, what is often forgotten is the employees themselves. The task for a business owner is to safeguard the information generated by the employees of the business, as well as any IP, trade secrets or other valuable information. Employees often don't understand the cost or importance of this information and are therefore prone to using the provided computer facilities without due consideration for the security of the organisation's data. There are a number of issues an employee may be unaware of:

  • internet bandwidth costs: this is a significant business expense (especially in the South African context), and uncontrolled use of the provision can cost the business heavily
  • malicious vectors: these not only cause the inconvenience of an infection but can compromise data and business operations in a variety of ways
    • blackmail as a result of DoS attacks
    • destruction/corruption of business data on workstations due to virus activity
    • loss or disruption of public-facing or internal computing facilities
  • support costs: any computer issue requires support from either an internal IT group or an external contractor
  • loss of productivity as a result of computer issues
  • business information exposed: inadvertent, or otherwise, exposure of critical information to outsiders

Beyond the usual security measures one may take (firewalls, anti-virus etc.), a certain onus lies on the computer user in terms of their activities and behaviour in daily computer use. This includes safe browsing practices, being mindful of the content of emails and web sites, and constantly being on the lookout for malicious activity. Of course employees are not security experts, so management has a responsibility to give users good training in this regard. Fast-moving changes in the internet landscape mean this is a continuous process: social networking, IM, P2P and corporate applications that integrate internet technologies make keeping pace with security needs a constant challenge.

In addition, Acceptable Use Policies (AUPs) are a must; these guide the employee in the use of the computer facilities. There can either be a number of AUPs covering different areas, or they can be incorporated into a single document. Areas of coverage should include, but are not limited to:

  • Email etiquette and usage
  • Web surfing practices
  • Instant Messaging, social networking
  • Local and network document storage
  • External storage such as USB and hard disks

Larger corporates typically have the infrastructure and staff to implement effective monitoring of a security policy, while smaller companies need to rely on AUPs and periodic inspections to make sure that business information and operations remain safe. In either case, technologies are available to implement and assist with security strategies that minimise the company's attack surface:

  • proxies
  • content filtering
  • firewalls
  • anti-spam/virus
  • logging
  • data loss prevention
  • desktop monitoring software and key-loggers
  • access control

What factors does one take into account when designing a security policy?

  • regulatory compliance
  • HR policy
  • budget
  • corporate culture

While most security incidents are due to ineffective security or a lack of employee knowledge, there is also the case of nefarious action: deliberate and wilful actions on the part of an employee to subvert the operations of the business. These cases are often the most difficult to deal with, as they are typically unexpected.

Many employees may find security practices and AUPs within a business restrictive, but the ultimate aim is to protect business data and value. By one oft-quoted estimate, 10% of companies that suffer a catastrophic data loss are out of business within a year, with the resulting loss of jobs; employees can help safeguard their companies against this by accepting and working with security policies.

Policies and procedures need to be comprehensive and enforced; otherwise they are ineffective. Corporate monitoring and effective security strategies protect the organisation against theft, fraud, harassment and compliance violations, and maximise employee productivity. Employee training aids in the enforcement of security strategies and improves computer use and productivity. Taken together, these provisions can make the difference in an era where security threats are the norm and keeping control of corporate data is a moving target.

* INSECURE Magazine issue 26

** ITWorld – http://www.itworld.com/security/106428/the-botnet-business

New research paints grim picture for AntiVirus software

While I've never assumed AV software will protect you from all ills on the internet, new research from SurfRight shows just how bad things are. A sample of just under 110,000 users (a very good sample, I think) shows that 32% (yes, a third) of all machines running AV software were infected. What is even more telling is that the infection rate among machines not running AV software was only 46%, which gives some idea of how ineffective AV software is in practice. Of the sampled machines with AV installed, 73% had up-to-date signatures and 27% did not.

The report from SurfRight also highlighted the additional coverage provided by Microsoft's own OS-level tools, the Malicious Software Removal Tool and Security Essentials.

The outcome, as always, is defence in depth. Combine point products rather than relying on one: AV software (with definition updates), a good anti-spam filter, current OS patches and an on-demand anti-malware/spyware tool. Don't run two real-time AV engines side by side, though; they fight over the same files and hooks, so use one resident scanner plus on-demand second opinions. And use your head: if that email looks suspicious, it probably is.

Recent source of Mydoom attacks found – UK

The recent DDoS attacks on South Korean and US websites have been traced back to a command server in the UK, with analysis indicating a botnet of an estimated 176,000 PCs. The master host was found to be a Windows Server 2003 machine. Since the IP address is known, it will be interesting to see whether the UK will work with the US and South Korea in identifying the responsible parties.

The top three countries hosting the zombie PCs involved are South Korea, the US and China. I think that a large part of the zombie-PC problem (especially in the East) is that many of these machines are running illegal copies of Windows and therefore do not have access to Windows updates. A quick cure would be a transition to OSS software, which does not require onerous licensing and costs, and where updates are part and parcel of the free offering.