Unfiltered
A small packet lost in a swarm
Sunday, February 6, 2011
Thursday, January 20, 2011
Effective security incident handling : A quick guide
In today's broad, collaborative corporate networks, an incident may be classified as an action on an IT system which involves activities such as theft of intellectual property, cyber harassment, unlawful access, modification to code with intent to harm, and so on. However, every company has its own definition of an incident. Listed below are a few procedures to follow during security incident handling.
Detection of incidents: The first step in security incident handling is detection, and how much you detect depends on the controls your company has put in place. A detection capability is usually a combination of technology (an intrusion detection system (IDS) or intrusion prevention system (IPS), plus security information and event management (SIEM)) and human reporting (help desk, end users, system administrators). Few corporate entities have adequate detection in place, but at the end of the day it does not matter how you detect an incident. What matters is that you record details such as:
- Time and date
- Who (or what) reported the incident
- Nature of the incident
- When the incident occurred
- Hardware or software involved
- Points of contact for involved personnel
Initial response: The next step is the initial response. Typically this means not touching the affected system(s) yet (in particular, not powering them off or running cleanup tools, which destroys volatile evidence); data is collected by reviewing network-based and other evidence that does not require changing the host. This phase involves:
- Interviewing system administrators who might have insights into the technical details of an incident
- Interviewing business unit personnel who might have insights into business events that may provide a context for the incident
- Reviewing intrusion detection reports and network-based logs to identify data that support occurrence of an incident
- Reviewing network topology and access control lists to determine if any avenues of further attack can be ruled out
Devising a response strategy: The response to an incident depends on its severity. To devise one, you will also need answers to the following questions:
- How critical are the affected systems?
- Is it affecting business as usual (BaU)?
- Is there a possibility that intellectual property has been compromised?
- Is there an insider threat?
- What is the revenue loss?
- How much downtime is needed to investigate and mitigate the incident?
Incidents vary widely, from virus outbreaks to theft of customers' credit card information. A typical virus outbreak generally results in downtime and lost productivity, whereas the theft of customers' credit card information could put a fledgling dot-com operation out of business. The response strategy for each event will differ accordingly.
Evaluating the responses and taking action: Once an incident has been identified and the initial investigation conducted, the next step is to evaluate the response options. This evaluation is essential, but time is also of the essence.
Additionally, the response team needs to weigh all the pros and cons before implementing any strategy. For example, some downtime is needed to fix a defaced website, and that downtime may be extended while the system is imaged for forensic investigation. If it is an external attack, you might have to involve law enforcement agencies, while an internal unauthorized-access incident may simply involve rewriting an access control list.
Hence the response strategy options should be quantified in terms of the following:
- Estimated dollar loss
- Network downtime and its impact on operations
- User downtime and its impact to operations
- Whether or not your organization is legally compelled to take certain actions (is your industry regulated?)
- Public disclosure of the incident and its impact to the organization's reputation and business
- Theft of intellectual property and its potential economic impact
Post incident analysis: Finally, the entire response cycle should be documented and analyzed after resolution. Policies and technologies should be changed, if needed, as an outcome of that analysis.
Download your personal data from Facebook
Facebook has a new tool that lets you download a copy of your information, including your photos and videos, posts on your wall, all of your messages, your friend list and other content you have shared on your profile. The zip file presents your data in a simple, browsable form (it may not be complete in some cases).
Downloading a copy of your information may come in handy if it only exists on Facebook. For example, you may have lost your mobile phone, which contained many photos you took using that phone. If you had uploaded those photos to Facebook, then downloading your information lets you get copies of them back on to your computer.
Wednesday, January 19, 2011
How to Tell if a File is Malicious
If you’ve just downloaded a file to your computer how do you know if it’s safe to run it? These days many malicious files are specifically designed to seem safe in order to trick you into running them. As soon as you do they go about their nefarious purpose and may infect your computer, steal your credit card information and passwords, or other tasks which I can promise you won’t enjoy. So how can you tell the difference between these files and the legitimate ones? This may seem like a very difficult task, but surprisingly it’s not too much work. Below are three methods which you can use to check a file. Most will take only minutes of your time and they won’t slow down your computer at all.
The first thing you should do when checking whether a file is dangerous is to find out if any antiviruses (AV's) detect it as dangerous. The best way to do this is to upload the file to a site where it will be scanned by multiple AV's. One of the best sites for this is VirusTotal. This site will scan your file with over 40 scanners and show the results separately for each one. This entire process should take less than a minute. You can upload files that are up to 20 MB in size. Bear in mind that an uploaded file is shared with the participating AV vendors, so do not upload documents that contain confidential data; search VirusTotal for the file's hash first, because if the file has been seen before the existing report is shown without uploading anything. Interpreting these results can be tricky, but if a significant number of scanners show a warning then the file is likely to be dangerous. Below are two examples of results for files that are indeed malicious.
The downside to using VirusTotal is that malware is being created so quickly that in order to try and keep up with it the antivirus companies are forced to use heuristic detections and generic signatures to catch them. The problem with these is that they may incorrectly identify a legitimate file as malicious. This is known as a false positive. If one or two AV’s detect a file with heuristics and the other AV’s do not, then it is likely a false positive. If your AV is the one that detects it then you should report it as a false positive to your AV. Most AV vendors have a procedure for doing this which will be explained either on their website or in the user guide (help) which comes with the program. In case you don’t want to search for this a comprehensive list of where to report false positives and suspicious files is given on this page along with other useful information. Below are two examples of legitimate files that are being incorrectly identified as dangerous by VirusTotal.
There are a few cases in which multiple AV's may detect a legitimate file as dangerous. One of the most common is that the file may perform an action that is routinely seen in malicious files, but in this case is being used for a legitimate purpose. This would likely cause it to be detected with heuristics. Another possibility is that it could be detected with generic signatures. These search for pieces of code that are very similar to those found in known malware. The problem is that sometimes small pieces of legitimate code can resemble that found in malware. In this way a legitimate file can be marked as malware. Yet another possibility is that AV companies tend to share detection signatures. Thus if one AV vendor finds a file to be dangerous another may quickly follow.
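The rules of thumb above (many engines agree: probably malicious; one or two heuristic or generic names and nothing else: probably a false positive) can be written down so they are applied the same way every time. The following is an added example, not code from the original article or from VirusTotal; the result layout (engine name mapped to detection name, or None when an engine reports nothing), the fictitious engine names and the patterns used to recognise heuristic names are assumptions made for illustration. It also hashes the sample first, which is what a practitioner does before deciding whether to upload at all.

```python
"""Reading a multi-engine scan result the way the article describes.

Added example: not code from the original article or from VirusTotal.
The result layout (engine name -> detection name, or None when an
engine reports nothing), the engine names and the heuristic-name
patterns are assumptions made for illustration.
"""
import hashlib
import re

# Detection names vendors typically give heuristic or generic hits.
# Assumed patterns; real naming schemes differ from vendor to vendor.
HEURISTIC_PATTERN = re.compile(
    r"heur|generic|\bgen\b|gen:|suspicious|packed|unsafe|variant",
    re.IGNORECASE,
)


def sha256_of_bytes(data: bytes) -> str:
    """Hash the sample before uploading it. A hash search on the service
    returns an existing report without sharing the file itself."""
    return hashlib.sha256(data).hexdigest()


def classify_detection(name):
    """'clean', 'heuristic' (generic/heuristic name) or 'signature'
    (a specific family name such as Trojan.Zbot)."""
    if name is None:
        return "clean"
    return "heuristic" if HEURISTIC_PATTERN.search(name) else "signature"


def triage(results, detect_ratio=0.25, fp_max=2):
    """Apply the article's rules of thumb to a result set.

    likely_malicious      a significant share of engines flag the file,
                          or at least three name a specific family
    likely_false_positive only one or two engines flag it and all of
                          them use heuristic or generic names
    undetected            nothing flagged it (not proof that it is clean)
    inconclusive          anything else: submit the file for analysis
    """
    total = len(results)
    kinds = [classify_detection(n) for n in results.values()]
    heuristic = kinds.count("heuristic")
    signature = kinds.count("signature")
    detected = heuristic + signature
    if total == 0:
        verdict = "inconclusive"
    elif detected / total >= detect_ratio or signature >= 3:
        verdict = "likely_malicious"
    elif detected == 0:
        verdict = "undetected"
    elif detected <= fp_max and signature == 0:
        verdict = "likely_false_positive"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "engines": total, "detected": detected,
            "heuristic": heuristic, "signature": signature}


# Constructed result sets (fictitious engine names, illustrative labels).
SAMPLE_MALICIOUS = {
    "EngineA": "Trojan.Zbot",
    "EngineB": "Win32/Zbot.AB",
    "EngineC": "Trojan-Spy.Win32.Zbot",
    "EngineD": "Gen:Variant.Kazy",
    "EngineE": None, "EngineF": None, "EngineG": None,
    "EngineH": None, "EngineI": None, "EngineJ": None,
}
SAMPLE_FALSE_POSITIVE = {
    "EngineA": "Heur.Suspicious",
    "EngineB": "Generic.Malware.Gen",
    "EngineC": None, "EngineD": None, "EngineE": None, "EngineF": None,
    "EngineG": None, "EngineH": None, "EngineI": None, "EngineJ": None,
}

if __name__ == "__main__":
    print("sha256 of constructed sample:",
          sha256_of_bytes(b"MZ\x90\x00 not a real binary"))
    for label, res in (("malicious", SAMPLE_MALICIOUS),
                       ("false positive", SAMPLE_FALSE_POSITIVE)):
        print(label, triage(res))
```

The thresholds (a quarter of the engines, or three specific family names) are deliberately conservative; because vendors share signatures, as the paragraph above notes, several engines reporting the same generic name is weaker evidence than three engines independently naming a family.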
In addition to checking whether any AV’s currently detect the file it’s also a good idea to check if the behavior of the file seems malicious. There are many websites that will analyze the behavior of a file and give you their opinion about whether it might be malicious or not. Two of the easiest to use and understand are Comodo Instant Malware Analysis (CIMA) and ThreatExpert. The latter is maintained and operated by PCTools.
CIMA will display the results immediately after its analysis. This could take anywhere from one to five minutes. This time depends greatly on how long it takes the file itself to run. Also, there is no limit to the size of the file that can be uploaded. The results of the analysis are given near the end of its report and will give you its opinion of the file. If it says that the “Auto Analysis Verdict” is “undetected” then it did not find any suspicious activity in the behavior of the file. The verdict can also be Suspicious, Suspicious+, and Suspicious++. These indicate that it found suspicious behavior in the file with Suspicious++ being the most suspicious. It also lists the reasons it found it to be suspicious directly below the verdict. Below are examples of one file that is undetected and one that was found to be Suspicious++.
ThreatExpert will send you the results via email. This should usually take less than ten minutes from the time you uploaded it. The maximum file size that you can upload is 5MB. If it finds the behavior of the file to be malicious it will have a box called “Summary of the findings” near the top of the report. Inside of here it will list the behaviors that were found to be suspicious and how severe it thinks they are. Below are examples for two malicious files.
The response time for both of these services may vary greatly depending on the complexity of the file and the server load. You can also scroll through the detailed behavioral information in each report to learn even more about what the file does. Advanced users should also check out Anubis. It provides much more information about the behavior of the file, but may be difficult to interpret for some users. It generally takes a few minutes to analyze, but may take much longer depending on the server load. Anubis also provides a verdict of whether the file is suspicious or not, but I find it to be less reliable than that of CIMA or ThreatExpert. Remember that these services are not 100% accurate. Legitimate files can be flagged as suspicious and dangerous malware may not be caught. In fact some malware is able to tell whether it's running in a virtual environment and simply does not run there, so a clean behavioral report from a sandbox proves less than it seems. Just bear this in mind when viewing the results.
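One practical check against the failure mode just mentioned (malware that notices the sandbox and stays dormant) is to look at the file statically for the strings such samples compare against, and to downgrade an "undetected" behavioral verdict when they are present. The following is an added example and is not part of the original article nor code from CIMA, ThreatExpert or Anubis; the indicator list is an assumed, representative set of VM and sandbox artifact names, and the sample bytes are constructed here, not a real binary.

```python
"""Static check for sandbox/VM-evasion indicators, reconciled with a
behavioural verdict.

Added example, not part of the original article and not code from CIMA,
ThreatExpert or Anubis. The indicator list is an assumed, representative
set of artifact names evasive samples look for; the sample bytes are
constructed here and are not a real binary.
"""

# Strings an evasive sample may compare against vendor, driver or module
# names to decide it is being analysed. Assumed representative list,
# stored lower-case because matching is case-insensitive.
EVASION_INDICATORS = {
    b"vmware": "VMware vendor string",
    b"vboxservice": "VirtualBox guest service",
    b"vboxmouse": "VirtualBox mouse driver",
    b"virtualbox": "VirtualBox SMBIOS string",
    b"qemu": "QEMU vendor string",
    b"sbiedll.dll": "Sandboxie DLL",
    b"wine_get_unix_file_name": "Wine export",
}


def scan_for_evasion(data: bytes):
    """Return (offset, label, encoding) for every indicator found.

    Both the 8-bit and the UTF-16LE form of each indicator are searched,
    because Windows binaries commonly carry wide strings."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only
    hits = []
    for needle, label in EVASION_INDICATORS.items():
        forms = ((needle, "ascii"),
                 (needle.decode("ascii").encode("utf-16-le"), "utf-16le"))
        for encoded, enc in forms:
            start = 0
            while (idx := haystack.find(encoded, start)) != -1:
                hits.append((idx, label, enc))
                start = idx + 1
    return sorted(hits)


def reconcile(sandbox_verdict: str, data: bytes):
    """Combine a sandbox verdict with the static scan.

    A clean ('undetected') behavioural result for a sample that carries
    VM-detection strings is downgraded, since the sample may simply have
    declined to run inside the analysis environment."""
    hits = scan_for_evasion(data)
    if sandbox_verdict.lower() in ("undetected", "clean") and hits:
        return "inconclusive (possible sandbox evasion)", hits
    return sandbox_verdict, hits


# Constructed stand-in for a file: a PE-like header, a harmless string,
# a wide-string VMware check and an ASCII Sandboxie reference.
SAMPLE_EVASIVE = (b"MZ\x90\x00" + b"\x00" * 16 + b"Hello, world\x00"
                  + "VMware".encode("utf-16-le") + b"\x00\x00"
                  + b"SbieDll.dll\x00")
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 16 + b"Hello, world\x00"

if __name__ == "__main__":
    for name, sample in (("evasive", SAMPLE_EVASIVE), ("plain", SAMPLE_PLAIN)):
        verdict, hits = reconcile("undetected", sample)
        print(name, "->", verdict)
        for offset, label, enc in hits:
            print(f"  0x{offset:04x} {label} ({enc})")
```

The presence of these strings is not proof of malice (legitimate installers and drivers reference VMware and VirtualBox too); the point is only that a sandbox report saying "undetected" should not be taken at face value for such a file.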
One almost certain way to check if a file is malicious is to submit it to an AV vendor for analysis. The drawback is that it takes time before you get their response and doesn’t instantly provide the information necessary to make a quick decision. Some vendors will send an email with the results of the analysis. A few of the most notable are Avira AntiVir, Kaspersky, and McAfee. With these vendors you will usually receive a response within a few hours.
It’s generally a good idea to rely on multiple methods in order to determine whether a file is malicious or not. If a file is found to be suspicious by any of these methods it’s a good idea to report it to your own AV as suspicious. This way if the file is dangerous it will be detected and you will be protected from it in the future.
There is currently no 100% certain method for knowing whether a file is malicious or not, but by following the methods discussed on this page you should have enough information to make a very informed decision.
Credit to Chiros @ TSAlert for this kick ass article!
Tuesday, January 18, 2011
Must have security addons for your Firefox
One of the reasons I like Firefox is the addons. They give me the ability to customize my online experience. But another reason is the security: addons allow me to extend the security of the browsing experience. Here are some of the extensions I personally use and recommend:
No Script
Winner of the "2006 PC World World Class Award", this tool provides extra protection to your Firefox.
It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your "trust boundaries" against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts, thanks to its unique ClearClick technology. It also implements the DoNotTrack tracking opt-out proposal by default, see http://snipurl.com/nsdntrack .
Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
Experts do agree: Firefox is really safer with NoScript ;-)
Web of Trust - WOT, the safe browsing tool
Web of Trust is the leading website reputation rating tool and one of Mozilla’s most popular add-ons. Our safe surfing tool uses an intuitive traffic-light style rating system to help you see which websites are trusted when you search, surf and shop online.
WOT ratings are powered by a global community of millions of trustworthy users who have rated millions of websites based on their experiences. The WOT add-on provides reputation ratings to search results when you use Google, Yahoo!, Bing, Wikipedia and other popular sites, helping you protect your computer and personal information. Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
Join the WOT community and help us boost trust on the Web. WOT is recommended by the New York Times, CNET, PC World, Kim Komando, Tech Republic, PC Welt and many other respected authorities.
FoxyProxy
FoxyProxy is a Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns. Put simply, FoxyProxy automates the manual process of editing Firefox's Connection Settings dialog. Proxy server switching occurs based on the loading URL and the switching rules you define.
Animated icons show you when a proxy is in use. Advanced logging shows you which proxies were used and when. QuickAdd makes it a snap to create new URL patterns on-the-fly. FoxyProxy is fully compatible with Portable Firefox, has better support for PAC files than Firefox itself, and is translated into more than 25 languages.
Better Privacy
Better Privacy serves to protect against non-deletable long-term cookies, a new generation of 'super-cookie' which has silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. From a privacy standpoint, Flash and DOM Storage objects are the most critical.
This addon was made to make users aware of those hidden, never-expiring objects and to offer an easy way to get rid of them, since the browser itself does not clear them for you.
Protecting your privacy - How to deactivate geolocation tracking in Firefox and Opera browsers
Google location services are used to determine your whereabouts using your computer’s IP address, nearby wireless access points and a random client identifier given to you by Google, which is meant to expire in two weeks.
The first time you visit a website that requests geolocation information, the Google Location Services terms and conditions are presented and you need to agree to them, which can easily be done inadvertently or without understanding what that means. After that, every time a website requests geolocation information your internet browser tells you and gives you a choice: to send your location data, or not to send it.
Both browsers, Opera and Firefox, come with location-aware browsing enabled by default. I don't know about Internet Explorer because I care about internet privacy and do not use that piece of crap.
How to disable location aware in Firefox and Opera browsers
To disable location-aware browsing in Firefox, type about:config in the address bar and change the geo.enabled value to false by double-clicking on the key.
To disable geolocation tracking in Opera go to Settings > Preferences > Advanced > Network, and uncheck Enable geolocation.
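Flipping geo.enabled by hand in about:config works for one profile on one machine, but the value can be flipped back just as easily. Firefox also reads a user.js file from the profile directory at every start-up and copies its user_pref() lines into prefs.js, so a pref set there is re-applied on every launch. The script below, an added example that is not from Mozilla or the original post, writes that setting into user.js idempotently; the profile path it is given is an assumption (yours is listed under "Profile Directory" in about:support).

```python
"""Enforcing geo.enabled=false from a Firefox profile's user.js.

Added example, not from Mozilla or the original post. Firefox reads
user.js at every start-up and copies its user_pref() lines into
prefs.js, so a value set there survives being flipped back in
about:config. The profile directory passed in is an assumption: find
yours under about:support ("Profile Directory").
"""
import json
import re
from pathlib import Path

# One user_pref("name", value); line, as written by Firefox itself.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def js_literal(value) -> str:
    """Render a Python value as the JavaScript literal prefs.js expects."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)


def read_user_pref(text: str, name: str):
    """Return the literal set for `name` in user.js text, or None."""
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            return m.group(2)
    return None


def set_user_pref(text: str, name: str, value) -> str:
    """Return user.js text with `name` set to `value`.

    Replaces an existing line (dropping duplicates) or appends one, so
    applying it twice leaves the file unchanged."""
    new_line = f'user_pref("{name}", {js_literal(value)});'
    out, found = [], False
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            if not found:
                out.append(new_line)
                found = True
            continue  # drop duplicates of the same pref
        out.append(line)
    if not found:
        out.append(new_line)
    return "\n".join(out) + "\n"


# The pref name is Firefox's own; this is the setting the post changes
# by hand in about:config.
HARDENING = {"geo.enabled": False}


def harden_profile(profile_dir: Path) -> Path:
    """Write the hardening prefs into <profile>/user.js; return its path."""
    user_js = profile_dir / "user.js"
    text = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    for name, value in HARDENING.items():
        text = set_user_pref(text, name, value)
    user_js.write_text(text, encoding="utf-8")
    return user_js


if __name__ == "__main__":
    import sys
    # Usage: python firefox_geo.py /path/to/profile  (path is an assumption)
    path = harden_profile(Path(sys.argv[1]))
    print("wrote", path)
    print(path.read_text(encoding="utf-8"), end="")
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit; the user.js value is applied the next time it starts, and the lock is visible in about:config as the value reverting to false after any manual change.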
Test your geolocation browser awareness at: http://3liz.org/geolocation/
Learn more about geolocation tracking in Firefox and Opera
Mozilla location aware browsing FAQ: http://www.mozilla.com/en-US/firefox/geolocation/
Opera browser geolocation help page: http://help.opera.com/Windows/10.60/en/geolocation.html
Monday, January 17, 2011
Revisiting the Black Sunday Hack
One of the original smart cards, the 'H' card (for Hughes), had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer the card's design and to create smart card writers. The writers let the hackers read and write the smart card, and allowed them to change their subscription model to receive all the channels. Since satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could rewrite their smart cards to receive all the channels and unplug their phone lines, leaving DirecTV no way to track the abuse.
DirecTV had built a mechanism into their system that allowed these smart cards to be updated through the satellite stream. Every receiver was designed to 'apply' these updates to the card when it received them. DirecTV sent updates that looked for hacked cards and then attempted to destroy them by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card and removed the receiver's ability to update it. DirecTV could only send updates to the cards and then require the updates to be present in order to receive video. Each month or so, DirecTV would send an update; 10 or 15 minutes later, the hacking community would update its software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.
Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern.
While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, let alone sent such batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained seemingly useless pieces of code that were then required to be present on the card in order to receive the transmission, and the hacking community accommodated this by applying these updates in its own software. Not until the final batch of updates was sent through the stream did the hacking community understand DirecTV. Like the final piece of a puzzle completing the picture, the final updates made all the useless bits of code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic on the card was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not yet pulled the trigger of this new weapon.
Last Sunday night, at 8:30 pm EST, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening 100,000 smart cards were destroyed, removing 98% of the hacking community's ability to steal the signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack: the first 8 bytes of all hacked cards were rewritten to read "GAME OVER".
