Steve Riley on Security : things that make me worried

Throw away your digital picture frames

Steve Riley — Tue, 19 Feb 2008 06:36:00 GMT

Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?

Virus from China, the gift that keeps on giving

An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.
"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.

Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new Federal Desktop Core Configuration for Windows XP and Windows Vista.

The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!

Even more amazing:

[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.
There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.
Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.

More reasons to disable Autorun, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.

It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.

FanBox: the latest in password scams

Steve Riley — Mon, 07 Jan 2008 21:09:00 GMT

Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:

From: Question It [mailto:question_it@fanboxapps.com]
Sent: Monday, January 07, 2008 2:34
To: Steve Riley
Subject: Ratul has asked you a question on FanBox
<http://ai.hitbox.com/ai?hb=DM550726CGWB&ai=EMC-FBX_Questionit_sync>
Ratul asked you a question. View the question <http://www.sms.ac/WidgetAPI/Service.ashx?version=1&Method=GoToMyWidget&FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&eWid=KO7kd3aLplJrKkBpaarhhg==&AssocData=+kt0NC6UaHnnVtU7bTsqPw==&source=ViralWidgetEmail&encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&mlid=590803540> and answer it.
FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.
This email was sent by Ratul while using the Question It application on FanBox. Go here <http://profile.fanbox.com/preferences/EmailBlock.aspx> to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA
<http://www.sms.ac/WidgetAPI/Service.ashx?method=OpenEmail&FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&eWid=KO7kd3aLplJrKkBpaarhhg==&encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&mlid=590803540>

For most of the well-known marketing profiling--oops, I mean social networking--sites, I've enrolled my email addresses in their opt-out mechanisms (I simply don't care about LinkedIn, Plaxo, Facebook, MySpace, and so on). But this one seemed suspicious. I don't know anyone named Ratul, and everyone who wants to ask me questions certainly knows my email address. It raised my bullshit detector.

So after a bit of foraging I found this: http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/. Seems like the company running FanBox got in trouble for doing this crap once before. Funny, isn't it, how you can just change your name and suddenly all your past sins evaporate! Well, not on the Internet, apparently. Your past sins can and do come back to haunt you.

When you sign up for FanBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems). To do this, of course, FanBox needs your password. Most people, sigh, willingly supply their passwords to any seemingly innocuous service. We all know that these services really are vile disgusting filth, the very embodiment of whatever nefarious supreme being you now strongly wish would unleash itself on FanBox and their ilk.

So in this case, I'm certainly not going to click on the link to stop receiving more emails. Rather, I'll put fanbox.com, fanboxapps.com, and while I'm at it, sms.ac in my blocked senders list. I recommend you do the same, and get the word out to your friends, too. FanBox--and anyone else who asks for your password--is evil, eeeeeevil I say.

America, wake up: stop being "security sheep"

Steve Riley — Tue, 02 Jan 2007 21:49:00 GMT

OK, I need to complain a bit here.

Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these."

"Sure," he replied. He found the keys, unlocked the cabinet, pulled out a box, and said, "I'll meet you at register four."

"Eh?" I asked. "Can't I just carry it?"

"No, the policy is that I have to carry it."

"What a stupid policy," I grumbled, "treating all of your customers as if they're thieves."

Then when making the purchase with a credit card, the cashier demanded to see my ID. "Why?" I asked.

"To verify your identity."

I walked out of the store, with my camera, but not in a good mood at all. I spend a lot of money at Best Buy and I don't appreciate the assumption that I'm there to steal something. Furthermore, asking for ID during a credit card purchase is just dumb. Credit card companies really don't care who you are. Once the authorization is received, the transaction has already been processed, which includes a serious amount of "transaction authentication" to detect and reduce fraud. This is far more reliable than some clerk comparing names or -- worse -- signatures. And how come it never seems to dawn on the policy-making folk at these stores that online purchases don't require ID?

How did we get into this mess of distrust by default? My thinking followed this process:

First I blamed the September 11th terrorists. You bastards, if you hadn't done what you did, then Americans wouldn't be so afraid of strangers and so quick to assume that anyone who doesn't "look right" is a rapacious murderer.
No, it isn't the terrorists. It's the media. Owned by money-grubbing conglomerates with their lips pressed firmly against the wrinkled white flesh of the other Washington's (that's D.C.) buttocks, the media assists the politicians in their drive to keep America terrified. For when the people are terrified, they can be controlled, and even have their civil liberties illegally stripped away without nary a peep.
Finally, I realized: it's our own fault. We as free citizens have the solemn responsibility not to allow ourselves to be manipulated by those who would benefit from our sheepishness. While we citizens have no control over the media (this is a good thing) and little control over our current government (this is a bad thing), we have complete control over how we react to the tactics of both -- as well as the tactics of those who would do us physical harm.

America is paralyzed by fear, and this fear has caused us to regard with great suspicion those whom we necessarily interact with every day. The only way to move beyond this is to refuse to allow yourself to be manipulated. While you can't just refuse to show your ID if you want to buy something with a credit card or get on an airplane tomorrow, you can begin having conversations with your friends and neighbors -- help people understand that only when we all rise against the backlash will there be change. And chat up a stranger, too. In my travels around the world I've met hundreds of folks; I'm convinced that the overwhelming majority of people are kind and decent and simply looking for someone to listen to their stories. Be a listener -- it's amazing what you can learn. And little by little, we can undo the paralysis that defines life in the 21st century.

Yes, everyone knows you're a dog

Steve Riley — Thu, 07 Sep 2006 18:17:00 GMT

Amazing how long the legs are on the AOL search debacle. Of course, we in the online community often beat such storeis to death, if only because they deserve it!

Recently Kim Cameron posted the search history of user 16006693, which flits "from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food, and finally to heartburn." Why is it interesting? Probably because each and every one of us can find a bit of ourselves in user 16006693 (well, OK, not all of us; I know I'm not anywhere close!).

Check it out; don't hurt yourself too much from laughing:

16006693 nak
16006693 nack
16006693 sharona
16006693 knack
16006693 knack downloads
16006693 oakrige boys
16006693 oakridge boys
16006693 oakridge boys downloads free
16006693 jokes about dick cheney
16006693 jokes about dick cheney but not george bush
16006693 dick cheney creep
16006693 dick cheney dickhead
16006693 rummy dickhead
16006693 where is iraq
16006693 where is lebenon
16006693 his bullets
16006693 his bullies
16006693 shiits
16006693 shee-ites
16006693 bush appruval
16006693 bush approvel
16006693 bush drops below
16006693 dead reporters
16006693 dead reporters fotos
16006693 dead reporters pix
16006693 disembowled reporters pix
16006693 disembowled new york times
16006693 love thine enemas
16006693 love thine enemies
16006693 bible quote of the day
16006693 insperation from bible
16006693 george bush great president
16006693 george w bush great president
16006693 dream on
16006693 oakridge boys lyrics dream on
16006693 how to run country
16006693 how to run country when not really inerested
16006693 people to run country for you
16006693 over work
16006693 overwork
16006693 stress
16006693 best place to retire
16006693 places like crawford but without cindy sheehan
16006693 crawford the town not cindy crawford
16006693 crawford tx
16006693 like crawford tx but not so hot
16006693 best places to retire not hot
16006693 best places to retire global warming
16006693 global warming mith
16006693 global warming myth
16006693 crawford hot
16006693 cindy crawford hot
16006693 rice hot
16006693 rice hot not recipes
16006693 rice naked
16006693 rice nude
16006693 bible quotes resisting temptation
16006693 oakridge boys i’ll be true to you
16006693 oakridge boys trying to love two women
16006693 rice and beans
16006693 tex mex
16006693 tex mex not music
16006693 tex mex takeout
16006693 tex mex takeout dc
16006693 heart burn
16006693 heartburn

A CEO who should be fired

Steve Riley — Fri, 10 Mar 2006 23:51:00 GMT

So the CEO of an important customer of ours (no, I won't tell you who it is) claims to be, um, "very technical" and therefore keeps his own Windows domain and refuses to be part of the corporate forest. Go ahead, take a moment to express your astonishment; it took me about a full minute to recover my composure, too! Well, their IT is re-engineering part of the network and now has to, yet once again, figure out how to incorporate the non-standard and unmanaged "personal network" of this particular maverick.

This is a load of nonsense, as I'm sure you'll agree. No matter how I spin it mentally, I simply can't envision even a single business justification for this CEO to exempt himself from policies that everyone else is required to follow. He apparently fails to realize that his choice sends a clear message saying, in effect, "The policies suck and I know it." His behavior probably demoralizes the entire IT staff and communicates to them that he doesn't trust them and that they have no value.

Also, and probably even more important, his stance arguably increases costs to the organization. Just consider the ongoing extra (costly) work required for building the additional design, testing, troubleshooting, and support necessary to accomodate his silly whims. No worthy CEO -- one concerned with shareholder value and organizational performance -- would willingly do this. I know one company whose products I now will never buy.

Trustworthy Administrators

Steve Riley — Tue, 19 Jul 2005 21:22:00 GMT

The article is posted in the security management column section on TechNet and is the Viewpoint article in the July security newsletter. Check it out, and please tell me what you think. It's been generating some opinions :)

Do you trust your administrators? That seemingly innocent question creates a serious dilemma in the minds of a lot of people. While we all know what we’d like the answer to be, the disappointing fact is that, increasingly, the true answer is the opposite. This became apparent in discussions I had with many attendees at TechEd US in May—there is genuine concern about the trustworthiness of administrators...

Article in the works: trusting your administrators

Steve Riley — Fri, 17 Jun 2005 01:36:00 GMT

At TechEd US this year Jesper and I noted a new worry many of you were having: trusting your administrators. Or, more accurately it seems, an inability to trust your administrators. This is troubling, since these are the people who have unfettered access to pretty much everything in your network. Seems that it's time for an article on the topic, so look for it in the upcoming July security newsletter.

Speaking of articles: if you've got ideas about something you'd like to see in an article, please let me know! While I'm full of opinions, I want to make sure I'm giving you the information you need. Drop me a note with topics that interest you. Thanks!

Existing stuff:
Security Management columns
Security newsletter for IT pros
What's new on TechNet about security

New column -- The case of the stolen laptop

Steve Riley — Thu, 10 Feb 2005 21:12:00 GMT

Seems like once a week I hear from someone worried about stolen laptops -- or, worse, just joined the ranks of laptop theft victimhood. The best way to stay out of that club is to keep the thing with you at all times, or leave it in your hotel room when you don’t want to carry it around. Yes, everyone has heard the warnings about hotel room theft, but I’ve never had something stolen from a hotel room and I spend well over 200 nights a year in hotels. You’re far more likely to leave your laptop or PDA or smart phone or USB drive lying on the seat in the taxi or on the counter at the bar as you and your new friend depart for the evening.

So how do you protect your data if the unfortunate should ever befall you? Three features of Windows 2000 and Windows XP can help you keep your information out of the hands of a thief who somehow manages to get hold of your laptop: passwords, encrypting file system, and SysKey. Do realize that if you use these features, you will most likely frustrate the thief so much that he or she will destroy your laptop in anger and disgust, but this is far preferable to seeing the development plans and source code of your next killer product posted on Slashdot.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx