Tag Archives: security

Macro virus reborn: ACAD/Medre.A steals drawings using AutoCAD AutoLISP

Remember the Concept virus? Someone wondered if you could make a self-replicating virus with a Microsoft Word macro. It worked; and the proof of concept soon became a real virus causing the usual mayhem and spoiling our clever VBA templates.

Microsoft locked down Office macros fairly effectively; but the idea lived on and has re-emerged as an AutoCAD virus which runs automatically when a drawing is opened. It is not quite the same, as in AutoCAD the code has to be in an external .lsp file rather than inside the drawing, but code in the S::STARTUP function of a LISP file that AutoCAD finds in the drawing's folder runs when the document loads, as explained in the documentation here. The malware relies on the fact that when drawings are emailed, users often archive an entire folder rather than sending a single file, so the LISP file travels with the drawings. This is how the virus spreads.

Most of the actual malicious code is not in AutoLISP, but in the more familiar form of VBScript files to which the code calls out. The malware then emails AutoCAD drawings to addresses in China – a rather crude mechanism for stealing data, but apparently somewhat effective since on investigation the target mailboxes were found overflowing with messages.
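The auto-load mechanism described above is worth scanning for. The following is an added example, not code from the post or from ESET: a Python script that walks a folder tree, reports any AutoLISP file AutoCAD would load automatically when a drawing in that folder is opened, and flags an S::STARTUP hook or a call out to VBScript. The auto-load filenames (acad.lsp, acaddoc.lsp and their compiled forms), the indicator patterns and the sample folder are assumptions for illustration, not details taken from the ESET paper.

```python
"""Find AutoLISP files that AutoCAD would auto-load from a drawing folder and
look for the S::STARTUP hook and script call-outs the post describes."""
import os
import re
import tempfile

# Assumption: AutoCAD searches the current drawing's folder for acad.lsp and
# acaddoc.lsp (and their compiled .fas/.vlx forms) and loads them on open.
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas",
                  "acad.vlx", "acaddoc.vlx"}

# Indicators from the post: an S::STARTUP hook and calls out to VBScript.
# Hypothetical patterns; extend them from the ESET paper for real coverage.
INDICATORS = {
    "startup_hook": re.compile(r"S::STARTUP", re.I),
    "script_callout": re.compile(r"\.vbs\b|wscript|cscript|\(startapp\b", re.I),
    "mail_exfil": re.compile(r"\bsmtp\b|[\w.-]+@[\w-]+\.[\w.-]+", re.I),
}


def scan_source(text):
    """Names of the indicators present in one LISP file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Walk root and report every auto-loading LISP file, noting whether it
    sits beside .dwg files (the propagation case) and which indicators hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        beside_drawing = any(f.endswith(".dwg") for f in by_lower)
        for name in sorted(AUTOLOAD_NAMES & set(by_lower)):
            path = os.path.join(dirpath, by_lower[name])
            if name.endswith(".lsp"):
                with open(path, "r", errors="replace") as fh:
                    hits = scan_source(fh.read())
            else:
                hits = ["compiled_lisp_unreadable"]  # .fas/.vlx need decompiling
            findings.append({"path": path, "beside_drawing": beside_drawing,
                             "indicators": hits})
    return findings


def build_sample_tree():
    """Constructed fixture: a project folder holding a drawing plus a suspicious
    acaddoc.lsp, and a clean folder with only a drawing."""
    root = tempfile.mkdtemp(prefix="acad-scan-")
    proj = os.path.join(root, "project")
    os.makedirs(proj)
    open(os.path.join(proj, "plan.dwg"), "wb").close()
    with open(os.path.join(proj, "acaddoc.lsp"), "w") as fh:
        fh.write('(defun S::STARTUP ()\n'
                 '  (startapp "wscript.exe" "collect.vbs"))\n')
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    open(os.path.join(clean, "site.dwg"), "wb").close()
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Compiled .fas and .vlx files are reported but not inspected; their presence next to drawings in an archive you did not create is itself worth a look, since a legitimate drawing exchange rarely needs them.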

The threat is serious though. Much intellectual property and many future product plans are contained in AutoCAD drawings.

Security vendor ESET’s white paper [PDF] describes the attack in detail.

According to ESET, the combined efforts of Autodesk, Chinese ISP Tencent, and the Chinese National Computer Virus Emergency Response Center have contained the virus for now. There is also a free clean-up utility here: http://download.eset.com/special/EACADMedreCleaner.exe.

The confusing state of Microsoft’s TMG and UAG firewall and proxy software

I have been trying out Microsoft’s ForeFront Unified Access Gateway (UAG) recently, partly because it is the only supported way to publish a SharePoint site for Windows Phone. This was my first go with the product, though I am already familiar with the Threat Management Gateway (TMG) and its predecessor Internet Security and Acceleration Server (ISA) – and before that Proxy Server, dubbed “Poxy Server” by admins frustrated with its limitations. All these products are related, and in the case of UAG and TMG, more closely than I realised.

Note that Microsoft has indicated that the current version of TMG, 2010, is the last. What is happening to UAG is less clear.

What I had not realised until now is that TMG installs as part of UAG, though you are not meant to use it other than for a few limited uses. It is mainly there to protect the UAG server. The product positioning seems to be this:

  • Use UAG for publishing applications such as SharePoint and Exchange, and for DirectAccess (always-on remote access to the corporate network without a separate VPN client). It is essentially a reverse proxy, a proxy for publishing and protecting server applications.
  • Use TMG for secure internet access for users on your network.

This means that if you want to use Microsoft’s platform for everything possible, you are expected to run both UAG and TMG. That is OK for enterprises but excessive for smaller organisations. It is odd, in that TMG is also a capable reverse proxy. TMG is also easier to use, though that says more about the intricate user interface of UAG than it does about the usability of TMG. Neither product can be described as user friendly.

The complexity of the product is likely to be one of the reasons TMG is now being discontinued. It is a shame, because it is a decent product. The way TMG and ISA are designed to work is that all users have to authenticate against the proxy before being allowed internet access. This gives administrators a high degree of control and visibility over which users access which sites using which protocol.

Unfortunately this kind of locked-down internet access is inconvenient, particularly when there are a variety of different types of device in use. In many cases admins have to enable SecureNAT, or in other words unauthenticated access, partly defeating the purpose, but there is little choice.

ISA Server used to be supplied as part of Small Business Server (SBS); but when I spoke to Microsoft about why it was dropped in SBS 2008, I was told that few used it. Businesses preferred a hardware solution, whether a cheap router modem from the likes of Netgear or Linksys, or a security appliance from a company like Sonicwall, Cisco or Juniper.

The hardware companies sell the idea that a hardware appliance is more secure, because it is not vulnerable to Windows or Linux malware. There is something in the argument, but note that all security appliances are more software than hardware, and that a Windows box will be patched more regularly. ISA’s security record was rather good.

My hunch is that ease of use was a bigger factor for small businesses. Getting ISA or TMG to do what you want can be even more challenging than working out the user interface of a typical hardware appliance, though perhaps not with the more complex high-end units.

As for UAG, I have abandoned the idea of testing it for the moment. One of the issues is that my test setup has only one external IP. UAG is too elaborate for a small network like mine. I am sticking with TMG.

Document security and Apple iCloud

I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.

image

On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.

I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.

I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.

All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?

I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.

First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.

Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.

Third, I found this statement in Apple’s terms of service for iwork.com. It is repeated in the terms for MobileMe, and while I cannot yet find terms for iCloud.com it may well be the same there too:

Access to Your Account and Content

You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.

I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.

I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.

Further, if your Apple ID is the same username and password that you use on dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the insecurity questions, which are not for your protection, but to reduce the number of password reset requests which support have to deal with. The best answers are not the true ones, which are potentially discoverable, but made-up ones, since essentially these are secondary passwords.

New Sony PlayStation Network hack: not as bad as you may have heard

Sony’s Chief Security Officer Philip Reitinger has reported a new attack on the PlayStation network leading to headlines stating Sony hacked again. Has the company not learned from the incidents earlier this year?

Actually, it probably has; the new hacking attempt does not exploit any weakness in Sony’s network unless you consider any system reliant on username/password to be weak – not an unreasonable opinion, but given that the likes of Apple and Amazon and PayPal still use it, hardly fair to single out Sony.

If you read the statement carefully, it says that somebody obtained a large list of username/password pairs and ran them against Sony’s network. Further:

given that … the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

Because of the large number of PlayStation users, there were still 93,000 successful matches, which to its credit Sony says it detected – presumably there was a pattern to the attack, such as a limited range of source IP numbers or other evidence of automated log-in attempts.
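The pattern Sony presumably detected, and the risk the iCloud post above describes for reused Apple ID passwords, is the same one: a single source trying a long list of accounts with mostly failures and the occasional hit. Here is an added example of that check, not Sony's detection logic, run over constructed log lines. The log format, the thresholds and the addresses are assumptions for illustration.

```python
"""Spot a replayed username/password list in authentication logs: one source
hitting many distinct accounts in a short window with mostly failures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "<timestamp> <OK|FAIL> <user> <source ip>"
# format; 198.51.100.7 replays a leaked list, 203.0.113.5 is one user fumbling.
SAMPLE_LOG = """\
2011-10-10T21:00:01 FAIL alice 198.51.100.7
2011-10-10T21:00:02 FAIL bob 198.51.100.7
2011-10-10T21:00:02 FAIL carol 198.51.100.7
2011-10-10T21:00:03 OK dave 198.51.100.7
2011-10-10T21:00:03 FAIL erin 198.51.100.7
2011-10-10T21:00:04 FAIL frank 198.51.100.7
2011-10-10T21:00:05 FAIL grace 198.51.100.7
2011-10-10T21:00:06 OK heidi 198.51.100.7
2011-10-10T21:00:07 FAIL ivan 198.51.100.7
2011-10-10T21:00:08 FAIL judy 198.51.100.7
2011-10-10T21:00:09 FAIL alice 203.0.113.5
2011-10-10T21:00:30 FAIL alice 203.0.113.5
2011-10-10T21:01:10 OK alice 203.0.113.5
2011-10-10T21:05:00 OK bob 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, success, user, ip); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_rate=0.5):
    """Return {ip: stats} for sources whose pattern looks like list replay.

    Per source IP, slide a time window over its attempts and count distinct
    usernames and successes. A real user mistyping hits one account; a replay
    hits many accounts and mostly fails, which is the shape Sony described.
    """
    by_ip = defaultdict(list)
    for ts, ok, user, ip in sorted(events):
        by_ip[ip].append((ts, ok, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, _, u in span}
            successes = [u for _, ok, u in span if ok]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                stats = {"distinct_users": len(users), "attempts": len(span),
                         "successes": len(successes),
                         "compromised": sorted(set(successes))}
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The "compromised" list is the operational output: those are the accounts whose passwords the attacker now knows work, and they need a forced reset regardless of how the rest of the list was obtained.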

If Sony is right, and the list of passwords came from another source, there is no reason why the hacker might not try the same list against other targets and this is not evidence of a weakness in the PlayStation network itself.

As Reitinger notes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

It is good advice, though it can be impractical if you have a very large number of online accounts. Something like Password Safe or KeePass is near-essential for managing them, if you are serious about maintaining numerous different combinations.

From what we know so far though, this is not evidence of continued weakness in the PlayStation network; rather, it is evidence of the continued prevalence of hacking attempts. Kudos to Sony for its open reporting.

Internet security hangs on a DNS thread, as hacks of The Register, Telegraph, Acer sites demonstrate

Several well-known web sites including The Register, The Daily Telegraph, UPS.com and Acer.com suffered a DNS hack on Sunday evening. The consequence is that visitors to the sites may see a Turkish hack message.

image

The hacked sites share a common registrar, Ascio Technologies, and were registered through NetNames. Both NetNames and Ascio are brands of GroupNBT. Zone-h suggests:

It appears that the Turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS.

This kind of attack is more serious than simply hacking into a web server and defacing the content. DNS maps internet names to the IP numbers that identify actual servers on the internet. Once the attackers control a domain's name servers they can point the web host, the mail (MX) records and every other name in the zone wherever they like, so they can intercept not only web requests for the affected names but also email. Because browsers scope cookies by host name rather than by IP address, a user whose resolver has picked up the rogue records will also send the real site's cookies to the attacker's server, possibly giving access to user accounts in cases where there is a saved logon. Cookies marked Secure are the exception, since they are sent only over HTTPS, which the attacker cannot serve without a valid certificate for the name.

What this means is that access to DNS records is security-critical. It should give any business pause for thought. How strong is the username/password which gives access to your ISP or registrar’s control panel, allowing the DNS records to be changed? How secure are the servers themselves at that ISP or registrar – it is this that was cracked in this case, according to Zone-h.

Fixing a DNS problem is never instant, since resolvers across the internet cache records for the lifetime of their TTL, and a correction takes that long to reach everyone. This also explains why some users see hacked sites, while others get through to the correct destination: it depends on whether their resolver cached the rogue records before the fix. It is possible that the hackers chose to strike at the weekend, in the hope that corrective action would take longer. At the time of writing (23.30 on Sunday) the sites I checked have been fixed at source, including The Register and The Daily Telegraph, but some users are still seeing defaced sites.
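An added example of the check a site owner would want after an incident like this, not a tool from NetNames, Zone-h or any of the sites named: compare the delegation each resolver reports for your zone with a known-good baseline, and use the remaining TTL on any rogue answer to estimate how long users of that resolver will keep landing on the attacker's server. The zone name, resolver addresses and answers are constructed; a real run would replace the fake lookup with live queries (for example with dnspython) against each resolver.

```python
"""Compare the delegation of a zone as seen by several resolvers with a
known-good baseline: a mismatch means a registrar-level change, and the
largest remaining TTL on the rogue answer is the worst case before every
resolver refetches the corrected records."""
from datetime import timedelta

# Baseline recorded while the zone was known to be correct. Every name and
# address here is a constructed RFC 2606 / RFC 5737 value, not a real zone.
ZONE = "example.com."
BASELINE_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}

# Stand-in for live queries: resolver -> (NS rrset, remaining TTL in seconds).
# Replace fake_lookup with a real query against each resolver for monitoring.
FAKE_ANSWERS = {
    "192.0.2.53":    ({"ns1.example-dns.net.", "ns2.example-dns.net."}, 3600),
    "198.51.100.53": ({"ns1.attacker.example.", "ns2.attacker.example."}, 172000),
    "203.0.113.53":  ({"ns1.attacker.example.", "ns2.attacker.example."}, 900),
}


def fake_lookup(resolver, name):
    """Constructed answer for (resolver, zone); empty set if unknown."""
    return FAKE_ANSWERS.get(resolver, (set(), 0))


def audit_delegation(name, baseline_ns, resolvers, lookup=fake_lookup):
    """Return (per-resolver report, worst-case time until the rogue delegation
    has expired from every resolver's cache)."""
    report, worst = {}, 0
    for resolver in resolvers:
        ns, ttl = lookup(resolver, name)
        hijacked = ns != baseline_ns
        report[resolver] = {"hijacked": hijacked,
                            "rogue_ns": sorted(ns - baseline_ns),
                            "ttl_remaining": ttl}
        if hijacked:
            worst = max(worst, ttl)
    return report, timedelta(seconds=worst)


def still_poisoned(report):
    """Resolvers (and therefore their users) still being sent to the attacker."""
    return sorted(r for r, v in report.items() if v["hijacked"])


if __name__ == "__main__":
    report, worst = audit_delegation(ZONE, BASELINE_NS, sorted(FAKE_ANSWERS))
    print("poisoned resolvers:", still_poisoned(report))
    print("worst case until clean:", worst)
```

Run on a schedule against your own zone, the same comparison raises an alarm the moment the registrar-side record changes, which is hours earlier than waiting for a reader to report a defaced page.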

An iOS security tip: tap and hold links in emails to preview links

Today I was using an iPad and received a fake email designed to look as if it were from Facebook. It was a good imitation of the Facebook style.

image

In particular, the links for sign in look OK.

Outlook on Windows displays the actual link when you hover the mouse pointer over the link. As you can see, in this case it is nothing to do with Facebook:

image

How do you do this on iOS? There is no mouse hover (though it could be done with a proximity sensor) but if you tap and hold on the link, iOS pops up a dialog revealing the scam:

image

Worth mentioning as tapping and holding a link to inspect it is not obvious and some users may not be aware of this feature.

The iPad is still worse than Outlook for email security. Outlook does not download images by default. Downloading the image tells the spammer that you have opened the message:

image

The iPad mail client downloads all images.

image

In mitigation, most malware on web sites will not run on iOS. However you could still give away your password or other information if you are tricked by a deceptive web page or fake login.

Hiding links is a feature built into HTML. The designers of HTML figured out that we would rather see a friendly plain English link than a long URL. Unfortunately this feature, and related ones like the ability to make an image a link, play into the hands of the scammers and it is necessary to look at the real link before you follow it.
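The mismatch between link text and real destination described above can be checked programmatically. This is an added example, not Apple's or Microsoft's code: a Python parser that pulls every anchor out of an HTML message and flags those whose visible text, or lack of it, hides a different host. The sample message, the brand list and the two-label domain comparison are simplifying assumptions.

```python
"""Find anchors in an HTML email whose visible text claims one destination
while the href points at another, the trick the fake Facebook message uses."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake Facebook message; example.net stands
# in for the scammer's host (RFC 2606 name, not a real site).
SAMPLE_EMAIL = """
<p>Hi, you have a new message.</p>
<p><a href="http://login.example.net/fb/index.php">Sign in to Facebook</a></p>
<p>Or visit <a href="http://www.facebook.com.example.net/">www.facebook.com</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
<p><a href="http://tracker.example.net/u/123"><img src="http://tracker.example.net/pixel.gif"></a></p>
"""

# Assumed brand -> real domain map; a real filter would load a longer list.
BRAND_DOMAINS = {"facebook": "facebook.com"}
HOSTLIKE_RE = re.compile(r"\b((?:[\w-]+\.)+[a-z]{2,})\b")


def registrable(host):
    """Crude eTLD+1 (last two labels): enough for the .com cases here, an
    assumption that breaks on co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains-image) for every <a href> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text, self._has_img = [], None, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text, self._has_img = attrs["href"], [], False
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._has_img))
            self._href = None


def suspicious_links(html, brands=BRAND_DOMAINS):
    """Return [(href, text, reason)] for links a reader should not trust at face value."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text, has_img in parser.links:
        host = urlparse(href).hostname or ""
        dest = registrable(host)
        shown = HOSTLIKE_RE.search(text.lower())
        if shown and registrable(shown.group(1)) != dest:
            # Text shows a host name that is not where the link goes.
            findings.append((href, text, "text names %s but links to %s" % (shown.group(1), host)))
            continue
        for brand, real in brands.items():
            if brand in text.lower() and dest != real:
                # Text name-drops a brand whose real domain is not the destination.
                findings.append((href, text, "mentions %s but links to %s" % (brand, host)))
                break
        else:
            if has_img and not text:
                # An image-only link gives the reader no text to inspect at all.
                findings.append((href, text, "image-only link to %s" % host))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-40s %-20s %s" % (href, repr(text), reason))
```

The second sample link shows why the comparison has to be on the registrable domain rather than a substring match: www.facebook.com.example.net contains the brand's name in full and still belongs to the attacker.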

A better solution would be authenticated email, for example senders signing their messages with DKIM or publishing SPF records, so that fake Facebook emails could be detected before they are displayed. Unfortunately we are still a long way from using authenticated emails as the norm.

Parallels Desktop 6 for Mac: nice work but beware Windows security settings

I’ve just set up Parallels Desktop 6 on a Mac, in preparation for some development work. Installed Parallels, created a new virtual machine, and selected a Windows 7 Professional with SP1 CD image downloaded from Microsoft’s excellent MSDN subscription service.

The way this works is that you install the Parallels application and then create a new virtual machine, selecting a boot CD or image. Next, you have a dialog where you select whether or not you want an Express installation. It is checked by default. I left it checked and proceeded with the install.

image

The setup was delightfully smooth and I was soon running Windows on the Mac. I chose a “Like my PC” install so that Windows runs in a window. The alternative is to hide the virtual Windows desktop and simply to show Windows applications on the Mac desktop.

Everything seemed fine, but I was puzzled. Why was Windows not installing any updates? It turns out that the Express install disables this setting.

image

It also sets User Account Control to an insecure setting, where the approval dialog does not use the secure desktop, so other software running in the session can read or spoof the elevation prompt.

image

The Parallels Express install also sets up an Administrator account with a blank password, so you log on automatically.

No anti-virus is installed, which is not surprising since Windows does not come with anti-virus software by default.

These choices make a remarkable difference to the user experience. Set up was a pleasure and I could get to work straight away, untroubled by prompts, updates or warnings.

Unfortunately Windows in this state is insecure, and I am surprised that Parallels sets this as the default. Disabling automatic updates is particularly dangerous, leaving users at the mercy of any security issues that have been discovered since the install CD was built.

In mitigation, the Parallels user guide advises that you set a password after installation – but who reads user guides?

If you uncheck the Express Install option, you get a normal Windows installation with Microsoft’s defaults.

These security settings are unlikely to matter if you do not connect your Windows virtual machine to the internet, or if you never use a web browser or other Internet-connected software such as email clients. If you do real work in Windows though, which might well include Windows Outlook since the Mac version is poor in comparison, then I suggest changing the settings so that Windows updates properly, as well as installing anti-virus software such as the free Microsoft Security Essentials.
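As an added example, not from Parallels or Microsoft, here is the check a practitioner would run after an Express install: parse a `reg export` of the relevant keys and compare each value with a secure one. The registry locations are the standard Windows 7 ones as understood by the editor and should be confirmed on your own build; both export snippets are constructed to show the weak state beside the corrected state.

```python
"""Audit a Windows registry export for the weak settings an Express install
leaves behind: updates off, UAC without the secure desktop, silent elevation
for administrators, and automatic logon."""
import re

# Assumed registry locations (the standard Windows 7 ones; confirm on your build).
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (check name, key, value name, predicate that is True for a secure value, hint)
CHECKS = [
    ("automatic updates", AU_KEY, "AUOptions",
     lambda v: v == 4, "AUOptions=4 (install updates automatically)"),
    ("UAC secure desktop", UAC_KEY, "PromptOnSecureDesktop",
     lambda v: v == 1, "PromptOnSecureDesktop=1"),
    ("UAC admin prompt", UAC_KEY, "ConsentPromptBehaviorAdmin",
     lambda v: v != 0, "ConsentPromptBehaviorAdmin!=0 (0 elevates without asking)"),
    ("automatic logon", LOGON_KEY, "AutoAdminLogon",
     lambda v: v != "1", "AutoAdminLogon=0"),
]

# Constructed exports: the weak post-install state, then the corrected one.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"""
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="Administrator"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse the subset of .reg syntax exports use: [key] headers, dword and
    string values. Real exports are UTF-16; open them with encoding="utf-16"."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[(key, name)] = raw[1:-1].replace("\\\\", "\\")
        else:
            values[(key, name)] = raw
    return values


def audit(values):
    """One result per check; ok is None when the value is absent, meaning the
    Windows default applies and should be confirmed by hand."""
    results = []
    for check, key, value_name, secure, want in CHECKS:
        v = values.get((key.lower(), value_name.lower()))
        results.append({"check": check, "value": v,
                        "ok": None if v is None else secure(v), "want": want})
    return results


def failures(values):
    """Names of checks whose value is present and insecure."""
    return sorted(r["check"] for r in audit(values) if r["ok"] is False)


if __name__ == "__main__":
    for label, reg in (("express install", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, "->", failures(parse_reg(reg)) or "all checks pass")
```

A blank Administrator password does not show up in the registry, so the auto-logon value is the nearest proxy; the password itself still has to be set by hand, as the Parallels user guide says.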

Monitor your home when away: Jabbakam IP camera service reviewed

About to head off for your summer break? What may happen back home is always a concern; but if you want a bit more peace of mind, how about a live webcam view of what is going on in places you care about?

Of course you can easily purchase a security camera kit from your favourite electronic hobbyist store, but it is not a complete solution. Recording video to a hard drive is all very well, but what if the thief takes a hammer to it or even nabs it? Further, returning home to find two-week old footage of a break-in is of limited use compared to a live alert.

In other words, you need not only a camera but also a service. This used to be expensive, but does not need to be in the internet era. What about a cheap camera that sends images to a web site, enabling you to log in from anywhere and check what is going on? And how about an email or SMS alert triggered by motion detection?

This is exactly what Jabbakam does. The basic kit costs £59.95 and £5.95 per month, for which you get an IP camera and 14 days of video footage stored online. You can also use your own camera if you have a suitable one; the main requirement is that it supports motion detection, enabling the alerting feature, and reducing the number of images that need to be sent to the web service. More expensive subscriptions store video for longer; £13.95 per month gets you 90 days. SMS alerts cost extra.

Developed by a company based in Guernsey, the product is not so much the camera, but rather the web application and service. The camera itself is a simple but well-made affair, with a wall-mountable bracket and a swivel joint that lets you angle it. You can also adjust focus by twisting the lens.

image

Under the webcam are ports for wired Ethernet and power.

image

Given that the serial number starts YCAM I have a hunch it may be made for Jabbakam by Y-cam.

The camera must be wired to your broadband router. If you are on a business network you may have firewall issues; I tried on my own network and found it did not work behind the firewall, but have not investigated in detail.

So how about the service? I signed into Jabbakam and found that set-up was pretty much IJW (It Just Works). The camera was detected and I could view live images. Video is a slightly generous term, since each image is one second apart, and the quality is not fantastic, but gives you a good idea of what is happening. You can add additional cameras if you want fuller coverage of your home or workplace.

I also set up email alerting. This seems to work well. When the camera detects movement you get an email with a still image attached. Click the link in the email, and you can view the video. There is also an iPhone app that shows recent images. Advanced settings let you schedule alerts, for example to avoid having them active when you yourself are moving around.

image

Jabbakam is not just intended for security. The web service also has the concept of networks, which enable you to share your camera with others. The number is small at the moment, but I did see one called Birdboxes of Jabbakam which I guess is for ornithology enthusiasts.

There was one aspect of Jabbakam that I found troubling. A mash-up with Google Maps lets you see where cameras of other users are installed, and clicking on a camera gives you the name and address of the user and a link to send a private message:

image

I discovered that this information sharing is on by default:

image

This surprised me, as I would have thought that a typical Jabbakam user would be sensitive about sharing these details.

Finally, I should mention that Jabbakam has a RESTful API for developers, though the documentation is incomplete at the moment and the application showcase is empty. Apparently this is being worked on, so watch this space if you are interested.

A good buy? On the plus side, Jabbakam seems to me nicely done, easy to set up, and delivers what is claimed: remote video monitoring of any indoor location. The alert service is particularly useful, though this only works if the camera is pointing somewhere that should normally be motion-free. For example, pointing the camera at a car parked on the street outside your home might seem a good idea, except that the alert would go off every time someone walked by. I should also observe that the supplied camera only works indoors, so it would need to be at a window.

There are questions of course about the effectiveness of CCTV security. Blurry pictures of hooded figures may not do you much good in terms of identifying the villains, though the alert service could be an advantage.

What are the social implications if large numbers of people choose to stick surveillance cameras all over their homes? I am not sure, but it is a question worth reflecting on.

That said, for someone on holiday who would like the ability to check that everything is in order at home, this seems to me a neat and smart solution.

IE9 ActiveX Filtering causing tears of frustration

I have been assisting a friend who, she told me, could not get BBC iPlayer to work. Further, another site was telling her she did not have ActiveX, but she was sure she had it.

This was puzzling me. She described how she went to the BBC iPlayer site, and it said she needed to install Flash.

image

She clicked the link and got to Adobe’s download site. She clicked Download now and got a page describing four steps to install, but nothing happened, no download.

She clicked Adobe’s troubleshooting guide, which took her through uninstalling Flash Player and then a manual download. All seemed to work but at the end of it, it was the same. Go to the BBC site, and be told to install Flash Player.

You can understand how computers, at times, can seem downright hostile to the long-suffering user.

What was the problem? I logged on with remote assistance. Somehow, IE9 had ActiveX Filtering enabled.

image

This is actually a great security feature. ActiveX is disabled on all sites by default. A little blue circle symbol appears at top right.

image

Click this symbol and you can turn off filtering for this site only.

image

Yes, great feature, once you are aware of it – but too subtle to be noticed by the average user browsing the web. From the user’s perspective, no amount of uninstalling and reinstalling of Flash Player would fix it, and the PC was about to be flung across the room in frustration.

The other problem is that the feature is too new and too little used to feature in most of the troubleshooting guides out there. It is not mentioned in Adobe’s page on troubleshooting Flash on Windows and in IE, for example.

How the setting got enabled in the first place is a mystery. Maybe a mis-click. It is unchecked by default, and you can see why.

Conclusions? I guess it shows that security without usability is ineffective; and that minimalist user interfaces can work against you if they in effect hide important information from the user.

Incidentally, this is why I dislike the Windows 7 feature that hides notification icons by default. It is user-hostile and I advise disabling it by ticking Always show all icons and notifications on the taskbar.

It may be more secure, but I would not consider enabling ActiveX Filtering for non-technical users.

This is why people ignore security warnings: IE9 blocks official Microsoft update

Microsoft has released a Web Standards Update for Visual Studio 2010, with new HTML5, CSS3 and JavaScript support.

I look forward to trying it; but Internet Explorer 9’s SmartScreen Filter was not keen.

image

What you cannot see from the screenshot is that the option to “Run anyway” is hidden by default. You have to click More Options; otherwise you just get the first two options, Don’t run, or Delete.

Note that this download is from an official Microsoft site, and has been downloaded, according to the stats on the page, nearly 6,500 times.

Developers can cope; but I think this sort of warning is extreme for a download from an official Microsoft site, whose main crime is being unknown, for some reason, to the SmartScreen database of approved executables.

Though maybe the Visual Studio team should have signed the installer.

The long term effect is that we learn to ignore the warnings. Which is a shame, because the next one might be real.

Update: How do other browsers handle this scenario? Here’s Google Chrome:

image

Mozilla Firefox – a prompt, not a warning:

image

same in Apple Safari:

image

Which is best? Well, IE9 wins kudos for being the only browser to point out that the package is unsigned; but loses it for its over-the-top reaction. Chrome has pitched the level of warning about right; Firefox and Safari are perhaps too soft, though let’s also allow for the fact that their filters may already have worked out that thousands had already downloaded this file without known incident so far.

The IE9 issue is mainly because the installer package is unsigned, which is probably an oversight that will be fixed soon.